/// <summary> /// Verify a TPM signature structure of the hash of some data (caller hashes /// the data that will be verified). /// </summary> /// <param name="digest"></param> /// <param name="sig"></param> /// <returns></returns> public bool VerifySignatureOverHash(byte[] digest, ISignatureUnion sig) { if (Public.type == TpmAlgId.Keyedhash) { byte[] hmacKey = (Sensitive.sensitive as Tpm2bSensitiveData).buffer; return(CryptoLib.VerifyHmac(CryptoLib.SchemeHash(sig), hmacKey, digest, (TpmHash)sig)); } else { return(Public.VerifySignatureOverHash(digest, sig)); } }
internal byte[] ParmEncrypt(byte[] parm, Direction inOrOut) { if (Symmetric == null) { throw new Exception("parameter encryption cipher not defined"); } if (Symmetric.Algorithm == TpmAlgId.Null) { return(parm); } byte[] nonceNewer, nonceOlder; if (inOrOut == Direction.Command) { nonceNewer = NonceCaller; nonceOlder = NonceTpm; } else { nonceNewer = NonceTpm; nonceOlder = NonceCaller; } byte[] encKey = (AuthHandle != null && AuthHandle.Auth != null) ? SessionKey.Concat(AuthHandle.Auth).ToArray() : SessionKey; if (Symmetric.Algorithm == TpmAlgId.Xor) { return(CryptoLib.KdfThenXor(AuthHash, encKey, nonceNewer, nonceOlder, parm)); } int keySize = (Symmetric.KeyBits + 7) / 8, blockSize = SymmCipher.GetBlockSize(Symmetric), bytesRequired = keySize + blockSize; byte[] keyInfo = KDF.KDFa(AuthHash, encKey, "CFB", nonceNewer, nonceOlder, (uint)(bytesRequired * 8)); var key = new byte[keySize]; Array.Copy(keyInfo, 0, key, 0, keySize); var iv = new byte[blockSize]; Array.Copy(keyInfo, keySize, iv, 0, blockSize); // Make a new SymmCipher from the key and IV and do the encryption. using (SymmCipher s = SymmCipher.Create(Symmetric, key, iv)) { return(inOrOut == Direction.Command ? s.CFBEncrypt(parm) : s.CFBDecrypt(parm)); } }
/// <summary> /// Calculate the qualified name of an object presumed loaded under the provided ancestral chain /// in a given hierarchy. /// </summary> /// <param name="hierarchyHandle"></param> /// <param name="children"></param> /// <returns></returns> public static byte[] GetQualifiedName(TpmHandle hierarchyHandle, TpmPublic[] children) { byte[] runningName = Marshaller.GetTpmRepresentation(hierarchyHandle); foreach (TpmPublic pub in children) { byte[] thisName = pub.GetName(); runningName = Globs.Concatenate ( Marshaller.GetTpmRepresentation(pub.nameAlg), CryptoLib.HashData(pub.nameAlg, new[] { runningName, thisName }) ); } return(runningName); }
TkVerified SignApproval(Tpm2 tpm, byte[] approvedPolicy, byte[] policyRef, TpmHandle hSigKey, ISigSchemeUnion scheme = null) { byte[] name, qname; TpmPublic pub = tpm.ReadPublic(hSigKey, out name, out qname); byte[] dataToSign = Globs.Concatenate(approvedPolicy, policyRef); byte[] aHash = CryptoLib.HashData(pub.nameAlg, dataToSign); // Create an authorization certificate for the "approvedPolicy" var sig = tpm.Sign(hSigKey, aHash, scheme, new TkHashcheck()); return(tpm.VerifySignature(hSigKey, aHash, sig)); }
internal override void ToHost(Marshaller m) { var id = (TpmAlgId)m.Get(typeof(TpmAlgId), "HashAlg"); if (id == TpmAlgId.Null) { _HashAlg = id; HashData = new byte[0]; return; } _HashAlg = id; int hashLength = CryptoLib.DigestSize(id); HashData = m.GetArray <byte>(hashLength, "HashData"); }
/// <summary> /// Creates a *software* key. The key will be random (not created from /// a seed). The key can be used as the root of a software hierarchy that /// can be translated into a duplication blob ready for import into a TPM. /// Depending on the type of key, the software root key can be a parent for /// other root keys that can comprise a migration group. The caller should /// specify necessary key parameters in Public. /// /// Parameter keyData is used only with symmetric or HMAC keys. If non-null /// on entry, it contains the key bytes supplied by the caller, otherwise the /// key will be randomly generated. For asymmetric keys keyData must be null. /// /// Parameter authVal specifies the authorization value associated with the key. /// If it is null, then an random value will be used. /// </summary> /// <param name="pub"></param> /// <param name="authVal"></param> /// <param name="keyData"></param> /// <returns></returns> public static TssObject Create(TpmPublic pub, AuthValue authVal = null, byte[] keyData = null) { var newKey = new TssObject(); // Create a new key from the supplied parameters IPublicIdUnion publicId; var sensData = CreateSensitiveComposite(pub, ref keyData, out publicId); var nameSize = CryptoLib.DigestSize(pub.nameAlg); // Create the associated seed value byte[] seed = Globs.GetRandomBytes(nameSize); // Fill in the fields for the symmetric private-part of the asymmetric key var sens = new Sensitive(authVal ?? AuthValue.FromRandom(nameSize), seed, sensData); newKey.Sensitive = sens; newKey.Private = new TpmPrivate(sens.GetTpm2BRepresentation()); // fill in the public data newKey.Public = pub.Copy(); if (pub.type == TpmAlgId.Keyedhash || pub.type == TpmAlgId.Symcipher) { byte[] unique = null; if (pub.objectAttributes.HasFlag(ObjectAttr.Restricted | ObjectAttr.Decrypt)) { unique = CryptoLib.Hmac(pub.nameAlg, seed, keyData); } else { unique = CryptoLib.HashData(pub.nameAlg, seed, keyData); } newKey.Public.unique = pub.type == TpmAlgId.Keyedhash ? new Tpm2bDigestKeyedhash(unique) as IPublicIdUnion : new Tpm2bDigestSymcipher(unique); } else { newKey.Public.unique = publicId; } // And return the new key return(newKey); }
internal override TpmHash GetPolicyDigest(TpmAlgId hashAlg) { var m = new Marshaller(); m.Put(OperandB, "operandB"); m.Put(Offset, "offset"); m.Put(Operation, "operation"); byte[] args = CryptoLib.HashData(hashAlg, m.GetBytes()); m = new Marshaller(); m.Put(TpmCc.PolicyNV, "ord"); m.Put(args, "args"); m.Put(IndexName, "name"); return(GetNextAcePolicyDigest(hashAlg).Extend(m.GetBytes())); }
internal override TpmHash GetPolicyDigest(TpmAlgId hashAlg) { var m = new Marshaller(); m.Put(OperandB, "operandB"); m.Put(Offset, "offset"); m.Put(Operation, "operation"); byte[] toHash = m.GetBytes(); byte[] args = CryptoLib.HashData(hashAlg, toHash); m = new Marshaller(); m.Put(TpmCc.PolicyCounterTimer, "cc"); m.Put(args, "args"); return(GetNextAcePolicyDigest(hashAlg).Extend(m.GetBytes())); }
/// <summary> /// Calculate and return the auth-hmac (or plaintext auth if it is a policy session with PlaintextAuth set) /// based on the current session parms. /// </summary> /// <param name="parmHash"></param> /// <param name="direction"></param> /// <param name="nonceDec"></param> /// <param name="nonceEnc"></param> /// <returns></returns> internal byte[] GetAuthHmac(byte[] parmHash, Direction direction, byte[] nonceDec = null, byte[] nonceEnc = null) { // special case. If this is a policy session and the session includes PolicyPassword the // TPM expects and assumes that the HMAC field will have the plaintext entity field as in // a PWAP session (the related PolicyAuthValue demands an HMAC as usual) if (PlaintextAuth) { return(Handle.Auth ?? AuthHandle.Auth); } byte[] nonceNewer, nonceOlder; if (direction == Direction.Command) { nonceNewer = NonceCaller; nonceOlder = NonceTpm; } else { nonceNewer = NonceTpm; nonceOlder = NonceCaller; } byte[] sessionAttrs = Marshaller.GetTpmRepresentation(Attrs); byte[] auth = Handle.Auth; if (AuthHandle != null && Handle != TpmRh.TpmRsPw && auth == null && ((SessionType != TpmSe.Policy && BindObject != AuthHandle) || (SessionType == TpmSe.Policy && SessIncludesAuth))) { auth = Globs.TrimTrailingZeros(AuthHandle.Auth); } byte[] hmacKey = Globs.Concatenate(SessionKey, auth); byte[] bufToHmac = Globs.Concatenate(new[] { parmHash, nonceNewer, nonceOlder, nonceDec, nonceEnc, sessionAttrs }); byte[] hmac = CryptoLib.Hmac(AuthHash, hmacKey, bufToHmac); #if false Console.WriteLine(Globs.FormatBytesCompact("hmacKey: ", hmacKey)); Console.WriteLine(Globs.FormatBytesCompact("nonceNewer: ", nonceNewer)); Console.WriteLine(Globs.FormatBytesCompact("nonceOlder: ", nonceOlder)); Console.WriteLine(Globs.FormatBytesCompact("nonceDec: ", nonceDec)); Console.WriteLine(Globs.FormatBytesCompact("nonceEnc: ", nonceEnc)); Console.WriteLine(Globs.FormatBytesCompact("attrs: ", sessionAttrs)); Console.WriteLine(Globs.FormatBytesCompact("HMAC: ", hmac)); #endif return(hmac); }
/// <summary> /// Create an enveloped (encrypted and integrity protected) private area from a provided sensitive. /// </summary> /// <param name="iv"></param> /// <param name="sens"></param> /// <param name="nameHash"></param> /// <param name="publicName"></param> /// <param name="symWrappingAlg"></param> /// <param name="symKey"></param> /// <param name="parentNameAlg"></param> /// <param name="parentSeed"></param> /// <param name="f"></param> /// <returns></returns> public static byte[] CreatePrivateFromSensitive( SymDefObject symWrappingAlg, byte[] symKey, byte[] iv, Sensitive sens, TpmAlgId nameHash, byte[] publicName, TpmAlgId parentNameAlg, byte[] parentSeed, TssObject.Transformer f = null) { // ReSharper disable once InconsistentNaming byte[] tpm2bIv = Marshaller.ToTpm2B(iv); Transform(tpm2bIv, f); byte[] sensitive = sens.GetTpmRepresentation(); Transform(sensitive, f); // ReSharper disable once InconsistentNaming byte[] tpm2bSensitive = Marshaller.ToTpm2B(sensitive); Transform(tpm2bSensitive, f); byte[] encSensitive = SymCipher.Encrypt(symWrappingAlg, symKey, iv, tpm2bSensitive); Transform(encSensitive, f); byte[] decSensitive = SymCipher.Decrypt(symWrappingAlg, symKey, iv, encSensitive); Debug.Assert(f != null || Globs.ArraysAreEqual(decSensitive, tpm2bSensitive)); var hmacKeyBits = CryptoLib.DigestSize(parentNameAlg) * 8; byte[] hmacKey = KDF.KDFa(parentNameAlg, parentSeed, "INTEGRITY", new byte[0], new byte[0], hmacKeyBits); Transform(hmacKey, f); byte[] dataToHmac = Marshaller.GetTpmRepresentation(tpm2bIv, encSensitive, publicName); Transform(dataToHmac, f); byte[] outerHmac = CryptoLib.Hmac(parentNameAlg, hmacKey, dataToHmac); Transform(outerHmac, f); byte[] priv = Marshaller.GetTpmRepresentation(Marshaller.ToTpm2B(outerHmac), tpm2bIv, encSensitive); Transform(priv, f); return(priv); }
/// <summary> /// Get the hash of the concatenation of the values in the array order defined by the PcrSelection[] /// returned from GetPcrSelectionArray. /// </summary> /// <param name="hashAlg"></param> /// <returns></returns> public TpmHash GetSelectionHash(TpmAlgId hashAlg) { var m = new Marshaller(); PcrSelection[] selections = GetPcrSelectionArray(); foreach (PcrSelection sel in selections) { uint[] pcrIndices = sel.GetSelectedPcrs(); foreach (uint index in pcrIndices) { PcrValue v = GetSpecificValue(sel.hash, index); m.Put(v.value.HashData, "hash"); } } var valueHash = new TpmHash(hashAlg, CryptoLib.HashData(hashAlg, m.GetBytes())); return(valueHash); }
/// <summary> /// De-envelope inner-wrapped duplication blob. /// TODO: Move this to TpmPublic and make it fully general /// </summary> /// <param name="exportedPrivate"></param> /// <param name="encAlg"></param> /// <param name="encKey"></param> /// <param name="nameAlg"></param> /// <param name="name"></param> /// <returns></returns> public static Sensitive SensitiveFromDupBlob(TpmPrivate exportedPrivate, SymDefObject encAlg, byte[] encKey, TpmAlgId nameAlg, byte[] name) { byte[] dupBlob = exportedPrivate.buffer; byte[] sensNoLen = null; using (SymCipher c = Create(encAlg, encKey)) { byte[] innerObject = null; if (c == null) { if (encAlg.Algorithm != TpmAlgId.Null) { return(null); } else { return(Marshaller.FromTpmRepresentation <Sensitive>(Marshaller.Tpm2BToBuffer(dupBlob))); } } innerObject = c.Decrypt(dupBlob); byte[] innerIntegrity, sensitive; KDF.Split(innerObject, 16 + CryptoLib.DigestSize(nameAlg) * 8, out innerIntegrity, 8 * (innerObject.Length - CryptoLib.DigestSize(nameAlg) - 2), out sensitive); byte[] expectedInnerIntegrity = Marshaller.ToTpm2B( CryptoLib.HashData(nameAlg, sensitive, name)); if (!Globs.ArraysAreEqual(expectedInnerIntegrity, innerIntegrity)) { Globs.Throw("SensitiveFromDupBlob: Bad inner integrity"); } sensNoLen = Marshaller.Tpm2BToBuffer(sensitive); } var sens = Marshaller.FromTpmRepresentation <Sensitive>(sensNoLen); return(sens); }
// ReSharper disable once InconsistentNaming public static byte[] KDFa(TpmAlgId hmacHash, byte[] hmacKey, string label, byte[] contextU, byte[] contextV, uint numBitsRequired) { int bitsPerLoop = CryptoLib.DigestSize(hmacHash) * 8; long numLoops = (numBitsRequired + bitsPerLoop - 1) / bitsPerLoop; var kdfStream = new byte[numLoops * bitsPerLoop / 8]; for (int j = 0; j < numLoops; j++) { byte[] toHmac = Globs.Concatenate(new[] { Globs.HostToNet(j + 1), Encoding.UTF8.GetBytes(label), Globs.HostToNet((byte)0), contextU, contextV, Globs.HostToNet(numBitsRequired) }); byte[] fragment = CryptoLib.HmacData(hmacHash, hmacKey, toHmac); Array.Copy(fragment, 0, kdfStream, j * bitsPerLoop / 8, fragment.Length); } return(Globs.ShiftRight(kdfStream, (int)(bitsPerLoop * numLoops - numBitsRequired))); }
internal override TpmHash GetPolicyDigest(TpmAlgId hashAlg) { int numBranches = PolicyBranches.Count; if (numBranches < 2 || numBranches > 8) { Globs.Throw("GetPolicyDigest: Must have between 2 and 8 branches in a PolicyOr"); } var m = new Marshaller(); m.Put(TpmHash.ZeroHash(hashAlg).HashData, "zero"); m.Put(TpmCc.PolicyOR, "ordinal"); foreach (PolicyAce branch in PolicyBranches) { TpmHash branchPolicyHash = branch.GetPolicyDigest(hashAlg); m.Put(branchPolicyHash.HashData, "h"); } byte[] polVal = CryptoLib.HashData(hashAlg, m.GetBytes()); return(new TpmHash(hashAlg, polVal)); }
/// <summary> /// Creates a *software* root key. The key will be random (not created from a seed). The key can be used /// as the root of a software hierarchy that can be translated into a duplication blob ready for import into /// a TPM. Depending on the type of key, the software root key can be a parent for other root keys that can /// comprise a migration group. The caller should specify necessary key parameters in Public. /// </summary> /// <returns></returns> public static TssObject CreateStorageParent(TpmPublic keyParameters, AuthValue authVal) { var newKey = new TssObject(); // Create a new asymmetric key from the supplied parameters IPublicIdUnion publicId; ISensitiveCompositeUnion sensitiveData = CreateSensitiveComposite(keyParameters, out publicId); // fill in the public data newKey.publicPart = keyParameters.Copy(); newKey.publicPart.unique = publicId; // Create the associated symmetric key byte[] symmKey = Globs.GetRandomBytes(CryptoLib.DigestSize(keyParameters.nameAlg)); // Fill in the fields for the symmetric private-part of the asymmetric key var sens = new Sensitive(authVal.AuthVal, symmKey, sensitiveData); newKey.sensitivePart = sens; // And return the new key return(newKey); }
/// <summary> /// Create an enveloped (encrypted and integrity protected) private area from a provided sensitive. /// </summary> /// <param name="iv"></param> /// <param name="sens"></param> /// <param name="nameHash"></param> /// <param name="publicName"></param> /// <param name="symWrappingAlg"></param> /// <param name="symKey"></param> /// <param name="parentNameAlg"></param> /// <param name="parentSeed"></param> /// <param name="f"></param> /// <returns></returns> public static byte[] CreatePrivateFromSensitive( SymDefObject symWrappingAlg, byte[] symKey, byte[] iv, Sensitive sens, TpmAlgId nameHash, byte[] publicName, TpmAlgId parentNameAlg, byte[] parentSeed) { // ReSharper disable once InconsistentNaming byte[] tpm2bIv = Marshaller.ToTpm2B(iv); byte[] sensitive = sens.GetTpmRepresentation(); // ReSharper disable once InconsistentNaming byte[] tpm2bSensitive = Marshaller.ToTpm2B(sensitive); byte[] encSensitive = SymmCipher.Encrypt(symWrappingAlg, symKey, iv, tpm2bSensitive); byte[] decSensitive = SymmCipher.Decrypt(symWrappingAlg, symKey, iv, encSensitive); var hmacKeyBits = CryptoLib.DigestSize(parentNameAlg) * 8; byte[] hmacKey = KDF.KDFa(parentNameAlg, parentSeed, "INTEGRITY", new byte[0], new byte[0], hmacKeyBits); byte[] dataToHmac = Marshaller.GetTpmRepresentation(tpm2bIv, encSensitive, publicName); byte[] outerHmac = CryptoLib.HmacData(parentNameAlg, hmacKey, dataToHmac); byte[] priv = Marshaller.GetTpmRepresentation(Marshaller.ToTpm2B(outerHmac), tpm2bIv, encSensitive); return(priv); }
public static bool OaepDecode(byte[] eMx, byte[] encodingParms, TpmAlgId hashAlg, out byte[] decoded) { decoded = new byte[0]; var em = new byte[eMx.Length + 1]; Array.Copy(eMx, 0, em, 1, eMx.Length); int hLen = CryptoLib.DigestSize(hashAlg); int k = em.Length; // a. byte[] lHash = CryptoLib.HashData(hashAlg, encodingParms); // b. byte y = em[0]; byte[] maskedSeed = Globs.CopyData(em, 1, hLen); byte[] maskedDB = Globs.CopyData(em, 1 + hLen); // c. byte[] seedMask = CryptoLib.MGF(maskedDB, hLen, hashAlg); // d. byte[] seed = XorEngine.Xor(maskedSeed, seedMask); // e. byte[] dbMask = CryptoLib.MGF(seed, k - hLen - 1, hashAlg); // f. byte[] db = XorEngine.Xor(maskedDB, dbMask); // g. byte[] lHashPrime = Globs.CopyData(db, 0, hLen); // Look for the zero.. int j; for (j = hLen; j < db.Length; j++) { if (db[j] == 0) { continue; } if (db[j] == 1) { break; } return(false); } if (j == db.Length - 1) { return(false); } byte[] m = Globs.CopyData(db, j + 1); if (y != 0) { return(false); } if (!Globs.ArraysAreEqual(lHash, lHashPrime)) { return(false); } decoded = m; return(true); }
/// <summary> /// EME-OAEP PKCS1.2, section 9.1.1.1. /// </summary> /// <param name="message"></param> /// <param name="encodingParameters"></param> /// <param name="hashAlg"></param> /// <param name="modulusNumBytes"></param> /// <returns></returns> public static byte[] OaepEncode(byte[] message, byte[] encodingParameters, TpmAlgId hashAlg, int modulusNumBytes) { int encodedMessageLength = modulusNumBytes - 1; int messageLength = message.Length; int hashLength = CryptoLib.DigestSize(hashAlg); // 1 (Step numbers from RSA labs spec.) // Ignore the ParametersLength limitation // 2 if (messageLength > encodedMessageLength - 2 * hashLength - 1) { if (Tpm2._TssBehavior.Passthrough) { return(new byte[0]); } else { throw new ArgumentException("input message too long"); } } int psLen = encodedMessageLength - messageLength - 2 * hashLength - 1; var ps = new byte[psLen]; // 3 (Not needed.) for (int j = 0; j < psLen; j++) { ps[j] = 0; } // 4 byte[] pHash = CryptoLib.HashData(hashAlg, encodingParameters); // 5 var db = new byte[hashLength + psLen + 1 + messageLength]; var one = new byte[1]; one[0] = 1; pHash.CopyTo(db, 0); ps.CopyTo(db, pHash.Length); one.CopyTo(db, pHash.Length + ps.Length); message.CopyTo(db, pHash.Length + ps.Length + 1); // 6 byte[] seed = Globs.GetRandomBytes(hashLength); // 7 byte[] dbMask = CryptoLib.MGF(seed, encodedMessageLength - hashLength, hashAlg); // 8 byte[] maskedDb = XorEngine.Xor(db, dbMask); // 9 byte[] seedMask = CryptoLib.MGF(maskedDb, hashLength, hashAlg); // 10 byte[] maskedSeed = XorEngine.Xor(seed, seedMask); //11 var encodedMessage = new byte[maskedSeed.Length + maskedDb.Length]; maskedSeed.CopyTo(encodedMessage, 0); maskedDb.CopyTo(encodedMessage, maskedSeed.Length); // 12 return(encodedMessage); }
public override int GetHashCode() { byte[] objectData = GetTpmRepresentation(); return(BitConverter.ToInt32(objectData.Length <= sizeof(int) ? objectData : CryptoLib.HashData(TpmAlgId.Sha1, objectData), 0)); }
/// <summary> /// Implements unmarshaling logic for most of the TPM object types. /// Can be overridden if a custom unmarshaling logic is required (e.g. /// when unmarshaling of a field depends on other field's value). /// </summary> /// <param name="m"></param> /// <returns></returns> internal virtual void ToHost(Marshaller m) { dbg.Indent(); var members = GetFieldsToMarshal(true); uint mshlStartPos = m.GetGetPos(); for (int i = 0; i < members.Length; ++i) { TpmStructMemberInfo memInfo = members[i]; Type memType = Globs.GetMemberType(memInfo); var wireType = memInfo.WireType; int size = -1; switch (wireType) { case MarshalType.Union: { dbg.Trace("Union " + memType.Name + " with selector " + memInfo.Tag.Value); var elt = UnionElementFromSelector(memType, memInfo.Tag.Value); memInfo.Value = m.Get(elt, memType.Name); break; } case MarshalType.FixedLengthArray: { object arr = Globs.GetMember(memInfo, this); memInfo.Value = m.GetArray(memType.GetElementType(), (arr as Array).Length, memInfo.Name); break; } case MarshalType.SpecialVariableLengthArray: { size = CryptoLib.DigestSize((TpmAlgId)members[i - 1].Value); UnmarshalArray(m, memInfo, memType, size); break; } case MarshalType.VariableLengthArray: { size = m.GetSizeTag(memInfo.SizeLength, memInfo.SizeName); UnmarshalArray(m, memInfo, memType, size); break; } case MarshalType.EncryptedVariableLengthArray: { uint unmarshaled = m.GetGetPos() - mshlStartPos; size = m.SizedStructLen[m.SizedStructLen.Count - 1] - (int)unmarshaled; UnmarshalArray(m, memInfo, memType, size); break; } case MarshalType.SizedStruct: { size = m.GetSizeTag(memInfo.SizeLength, memInfo.SizeName); if (size == 0) { break; } m.SizedStructLen.Add(size); memInfo.Value = m.Get(memType, memInfo.Name); int unmSize = Marshaller.GetTpmRepresentation(memInfo.Value).Length; if (unmSize != size) { if (unmSize < size && memType.Name == "TpmPublic") { var pub = memInfo.Value as TpmPublic; var label = Marshaller.GetTpmRepresentation(pub.unique); var context = m.GetArray(typeof(byte), size - unmSize, "") as byte[]; pub.unique = new TpmDerive(label, context); } else { var msg = string.Format("Invalid size {0} (instead of " + "{1}) for unmarshaled {2}.{3}", unmSize, size, this.GetType(), memInfo.Name); throw new TssException(msg); } } m.SizedStructLen.RemoveAt(m.SizedStructLen.Count - 1); break; } default: // Only attempt unmarshaling a field, if it is not sized or // if its size is non-zero. if (memInfo.Tag == null || memInfo.Tag.GetValueAsUInt() != 0) { memInfo.Value = m.Get(memType, memInfo.Name); } break; } dbg.Trace((i + 1) + ": " + wireType + " " + memInfo.Name + (size != -1 ? " of size " + size : "")); // Some property values are dynamically obtained from their linked fields. // Correspondingly, they do not have a setter, so we bypass them here. Debug.Assert(wireType != MarshalType.LengthOfStruct && wireType != MarshalType.ArrayCount); if (wireType != MarshalType.UnionSelector) { Globs.SetMember(memInfo, this, memInfo.Value); } } dbg.Unindent(); }
int IEqualityComparer <byte[]> .GetHashCode(byte[] obj) { return(BitConverter.ToInt32(CryptoLib.HashData(TpmAlgId.Sha1, obj as byte[]), 0)); }
CreateSensitiveComposite(TpmPublic pub, ref byte[] keyData, out IPublicIdUnion publicId) { ISensitiveCompositeUnion newSens = null; publicId = null; if (pub.type == TpmAlgId.Rsa) { if (keyData != null) { Globs.Throw <ArgumentException>("Cannot specify key data for an RSA key"); return(null); } var newKeyPair = new RawRsa((pub.parameters as RsaParms).keyBits); // Put the key bits into the required structure envelopes newSens = new Tpm2bPrivateKeyRsa(newKeyPair.Private); publicId = new Tpm2bPublicKeyRsa(newKeyPair.Public); } else if (pub.type == TpmAlgId.Symcipher) { var symDef = (SymDefObject)pub.parameters; if (symDef.Algorithm != TpmAlgId.Aes) { Globs.Throw <ArgumentException>("Unsupported symmetric algorithm"); return(null); } int keySize = (symDef.KeyBits + 7) / 8; if (keyData == null) { keyData = Globs.GetRandomBytes(keySize); } else if (keyData.Length != keySize) { keyData = Globs.CopyData(keyData); } else { Globs.Throw <ArgumentException>("Wrong symmetric key length"); return(null); } newSens = new Tpm2bSymKey(keyData); } else if (pub.type == TpmAlgId.Keyedhash) { var scheme = (pub.parameters as KeyedhashParms).scheme; TpmAlgId hashAlg = scheme is SchemeHash ? (scheme as SchemeHash).hashAlg : scheme is SchemeXor ? (scheme as SchemeXor).hashAlg : pub.nameAlg; var digestSize = CryptoLib.DigestSize(hashAlg); if (keyData == null) { keyData = Globs.GetRandomBytes(digestSize); } else if (keyData.Length <= CryptoLib.BlockSize(hashAlg)) { keyData = Globs.CopyData(keyData); } else { Globs.Throw <ArgumentException>("HMAC key is too big"); return(null); } newSens = new Tpm2bSensitiveData(keyData); } else { Globs.Throw <ArgumentException>("Unsupported key type"); } return(newSens); }
/// <summary> /// Return the hash function block size in bytes /// </summary> /// <param name="hashAlg"></param> /// <returns></returns> public static ushort BlockSize(TpmAlgId hashAlg) { return((ushort)CryptoLib.BlockSize(hashAlg)); }
/// <summary> /// Return the length of the output of the hash function in bytes /// </summary> /// <param name="hashAlg"></param> /// <returns></returns> public static ushort DigestSize(TpmAlgId hashAlg) { return((ushort)CryptoLib.DigestSize(hashAlg)); }
/// <summary> /// Replace the hash value with the hash of the concatenation of the current value and the TPM representation /// of objectToExtend /// </summary> /// <param name="objectToExtend"></param> /// <returns></returns> public TpmHash Extend(Object objectToExtend) { byte[] temp = Marshaller.GetTpmRepresentation(objectToExtend); HashData = CryptoLib.HashData(HashAlg, HashData, temp); return(this); }
/// <summary> /// Replace the hash value with the hash of the concatenation of the current hash value and DataToExtend /// </summary> /// <param name="dataToExtend"></param> /// <returns></returns> public TpmHash Event(byte[] dataToExtend) { HashData = CryptoLib.HashData(HashAlg, HashData, CryptoLib.HashData(HashAlg, dataToExtend)); return(this); }
/// <summary> /// Create activation blobs that can be passed to ActivateCredential. Two /// blobs are returned: /// 1) encryptedSecret - symmetric key cfb-symmetrically encrypted with the /// enveloping key; /// 2) credentialBlob - the enveloping key OEAP (RSA) encrypted by the public /// part of this key. This is the return value of this /// function /// </summary> /// <param name="secret"></param> /// <param name="nameOfKeyToBeActivated"></param> /// <param name="encryptedSecret"></param> /// <returns>CredentialBlob (</returns> public IdObject CreateActivationCredentials(byte[] secret, byte[] nameOfKeyToBeActivated, out byte[] encryptedSecret) { byte[] seed, encSecret; switch (type) { case TpmAlgId.Rsa: // The seed should be the same size as the name algorithmdigest seed = Globs.GetRandomBytes(CryptoLib.DigestSize(nameAlg)); encSecret = EncryptOaep(seed, ActivateEncodingParms); break; case TpmAlgId.Ecc: EccPoint ephemPubPt; seed = EcdhGetKeyExchangeKey(ActivateEncodingParms, out ephemPubPt); encSecret = Marshaller.GetTpmRepresentation(ephemPubPt); break; default: Globs.Throw <NotImplementedException>( "CreateActivationCredentials: Unsupported algorithm"); encryptedSecret = new byte[0]; return(null); } Transform(seed); Transform(encSecret); var cvx = new Tpm2bDigest(secret); byte[] cvTpm2B = Marshaller.GetTpmRepresentation(cvx); Transform(cvTpm2B); SymDefObject symDef = TssObject.GetSymDef(this); byte[] symKey = KDF.KDFa(nameAlg, seed, "STORAGE", nameOfKeyToBeActivated, new byte[0], symDef.KeyBits); Transform(symKey); byte[] encIdentity; // TPM only uses CFB mode in its command implementations var sd = symDef.Copy(); sd.Mode = TpmAlgId.Cfb; using (var sym = SymCipher.Create(sd, symKey)) { // Not all keys specs are supported by SW crypto if (sym == null) { encryptedSecret = null; return(null); } encIdentity = sym.Encrypt(cvTpm2B); } Transform(encIdentity); var hmacKeyBits = CryptoLib.DigestSize(nameAlg); byte[] hmacKey = KDF.KDFa(nameAlg, seed, "INTEGRITY", new byte[0], new byte[0], hmacKeyBits * 8); Transform(hmacKey); byte[] outerHmac = CryptoLib.Hmac(nameAlg, hmacKey, Globs.Concatenate(encIdentity, nameOfKeyToBeActivated)); Transform(outerHmac); encryptedSecret = encSecret; return(new IdObject(outerHmac, encIdentity)); }
/// <summary> /// PSS verify. Note: we expect the caller to do the hash. /// </summary> /// <param name="m"></param> /// <param name="em"></param> /// <param name="sLen"></param> /// <param name="emBits"></param> /// <param name="hashAlg"></param> /// <returns></returns> public static bool PssVerify(byte[] m, byte[] em, int sLen, int emBits, TpmAlgId hashAlg) { var emLen = (int)Math.Ceiling(1.0 * emBits / 8); int hLen = CryptoLib.DigestSize(hashAlg); // 1 - Skip // 2 byte[] mHash = TpmHash.FromData(hashAlg, m); // 3 if (emLen < hLen + sLen + 2) { return(false); } // 4 if (em[em.Length - 1] != 0xbc) { return(false); } // 5 byte[] maskedDB = Globs.CopyData(em, 0, emLen - hLen - 1); byte[] h = Globs.CopyData(em, emLen - hLen - 1, hLen); // 6 int numZeroBits = 8 * emLen - emBits; // First numZero bits is zero in mask byte mask = GetByteMask(numZeroBits); if ((maskedDB[0] & mask) != maskedDB[0]) { return(false); } // 7 byte[] dbMask = CryptoLib.MGF(h, emLen - hLen - 1, hashAlg); // 8 byte[] db = XorEngine.Xor(maskedDB, dbMask); // 9 int numZeroBits2 = 8 * emLen - emBits; byte mask2 = GetByteMask(numZeroBits2); db[0] &= mask2; // 10 for (int j = 0; j < emLen - hLen - sLen - 2; j++) { if (db[j] != 0) { return(false); } } if (db[emLen - hLen - sLen - 1 - 1] != 1) { return(false); } // 11 byte[] salt = Globs.CopyData(db, db.Length - sLen); // 12 byte[] mPrime = Globs.Concatenate(new[] { Globs.ByteArray(8, 0), mHash, salt }); // 13 byte[] hPrime = TpmHash.FromData(hashAlg, mPrime); // 14 bool match = Globs.ArraysAreEqual(h, hPrime); if (match == false) { return(false); } return(true); }
/// <summary> /// The TPM always signs hash-sized data. This version of the VerifySignature /// performs the necessary hashing operation over arbitrarily-length data and /// verifies that the hash is properly signed. /// </summary> /// <param name="data"></param> /// <param name="sig"></param> /// <returns></returns> public bool VerifySignatureOverData(byte[] data, ISignatureUnion sig) { byte[] digest = CryptoLib.HashData(CryptoLib.SchemeHash(sig), data); return(VerifySignatureOverHash(digest, sig)); }
/// <summary> /// Creates a duplication blob for the current key that can be Imported as a child /// of newParent. Three forms are possible. GetPlaintextDuplicationBlob() allows /// plaintext-import. This function enables duplication with and without an /// inner wrapper (depending on whether innerWrapper is null) /// </summary> /// <param name="newParent"></param> /// <param name="innerWrapper"></param> /// <param name="encSecret"></param> /// <returns></returns> public TpmPrivate GetDuplicationBlob( TpmPublic pubNewParent, SymCipher innerWrapper, out byte[] encSecret) { byte[] encSensitive; if (innerWrapper == null) { // No inner wrapper encSensitive = Marshaller.ToTpm2B(Sensitive.GetTpmRepresentation()); Transform(encSensitive); } else { byte[] sens = Marshaller.ToTpm2B(Sensitive.GetTpmRepresentation()); byte[] toHash = Globs.Concatenate(sens, GetName()); Transform(toHash); byte[] innerIntegrity = Marshaller.ToTpm2B(CryptoLib.HashData( Public.nameAlg, toHash)); byte[] innerData = Globs.Concatenate(innerIntegrity, sens); Transform(innerData); encSensitive = innerWrapper.Encrypt(innerData); Transform(encSensitive); } byte[] seed; SymDefObject symDef = GetSymDef(pubNewParent).Copy(); // TPM duplication procedures always use CFB mode symDef.Mode = TpmAlgId.Cfb; using (var swNewParent = AsymCryptoSystem.CreateFrom(pubNewParent)) { switch (pubNewParent.type) { case TpmAlgId.Rsa: // The seed should be the same size as the scheme hash LastSeed = seed = Globs.GetRandomBytes( CryptoLib.DigestSize(swNewParent.OaepHash)); encSecret = swNewParent.EncryptOaep(seed, DuplicateEncodingParms); break; case TpmAlgId.Ecc: EccPoint pubEphem; seed = swNewParent.EcdhGetKeyExchangeKey(DuplicateEncodingParms, pubNewParent.nameAlg, out pubEphem); encSecret = Marshaller.GetTpmRepresentation(pubEphem); break; default: Globs.Throw <NotImplementedException>( "GetDuplicationBlob: Unsupported algorithm"); encSecret = new byte[0]; return(new TpmPrivate()); } } Transform(seed); Transform(encSecret); byte[] symKey = KDF.KDFa(pubNewParent.nameAlg, seed, "STORAGE", Public.GetName(), new byte[0], symDef.KeyBits); Transform(symKey); byte[] dupSensitive; using (SymCipher enc2 = SymCipher.Create(symDef, symKey)) { if (enc2 == null) { return(null); } dupSensitive = enc2.Encrypt(encSensitive); } Transform(dupSensitive); var npNameNumBits = CryptoLib.DigestSize(pubNewParent.nameAlg) * 8; byte[] hmacKey = KDF.KDFa(pubNewParent.nameAlg, seed, "INTEGRITY", new byte[0], new byte[0], npNameNumBits); byte[] outerDataToHmac = Globs.Concatenate(dupSensitive, Public.GetName()); Transform(outerDataToHmac); byte[] outerHmac = Marshaller.ToTpm2B(CryptoLib.Hmac(pubNewParent.nameAlg, hmacKey, outerDataToHmac)); Transform(outerHmac); byte[] dupBlob = Globs.Concatenate(outerHmac, dupSensitive); Transform(dupBlob); return(new TpmPrivate(dupBlob)); }