private ProtectedPasswordStorage RaiseRequestSecret(HMACKeyInfo keyInfo)
{
if (_requestSecret == null)
{
return(null);
}
return(_requestSecret(keyInfo));
}
public ProtectedPasswordStorage AsyncSecretRequestCallback(HMACKeyInfo keyInfo)
{
_logger.DebugFormat("Async requesting secret '{0}'", keyInfo.KeyType);
SecretRequest request = new SecretRequest(keyInfo);
AddSecretRequest(request);
request.PasswordReady.WaitOne();
return(request.ProtectedPassword);
}
public static ProtectedPasswordStorage mycallback(HMACKeyInfo keyInfo)
{
// We use the empty string as password ...
ProtectedPasswordStorage pws = new ProtectedPasswordStorage();
pws.AppendPasswordChar('i');
pws.AppendPasswordChar('a');
pws.AppendPasswordChar('i');
pws.AppendPasswordChar('k');
return(pws);
}
static ProtectedPasswordStorage RequestSecret(HMACKeyInfo keyInfo)
{
if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.SrkSecret)
{
ProtectedPasswordStorage secret = new ProtectedPasswordStorage();
secret.WellKnown();
return(secret);
}
return(ConsoleUtils.ReadPassword(String.Format("Please enter Passwd for key {0}: ",
keyInfo.Parameters.GetValueOf <string>("identifier"))));
}
/// <summary>
/// Reserves the number of session slots the given command requires on the tpm.
/// </summary>
/// <remarks>
/// If the command supports OIAP auth handles, it is also possible for the AuthHandleManager to recycle
/// existing OIAP AuthHandles.
///
/// If the command needs OSAP auth handles the AuthHandleManager always creates new sessions, because OSAP is
/// used for auth data insertion, so nothing happens in here for OSAP
/// </remarks>
/// <param name="cmd"></param>
/// <param name="tpmSession"></param>
public void ReserveAuthHandleSlots(IAuthorizableCommand cmd)
{
using (new LockContext(_authHandles, string.Format("AuthHandleManager::ReserveAuthHandleSlots {0}", cmd)))
{
foreach (AuthSessionNum authSession in new AuthSessionNum[] { AuthSessionNum.Auth1, AuthSessionNum.Auth2 })
{
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSession);
if (keyInfo == null)
{
continue;
}
bool useOIAP = false;
if (cmd.SupportsAuthType(AuthHandle.AuthType.OIAP))
{
useOIAP = true;
}
if (FindReservedHandle(cmd, authSession) != null)
{
continue;
}
//We only cache OIAP sessions, so maybe there is a free
//OIAP session we can use
if (useOIAP)
{
AuthHandleItem handle = FindFreeAuthHandle(AuthHandleItem.AuthHandleStatus.SwappedIn);
if (handle == null)
{
handle = FindFreeAuthHandle(AuthHandleItem.AuthHandleStatus.SwappedOut);
}
if (handle != null)
{
handle.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd);
}
}
}
}
}
static ProtectedPasswordStorage RequestSecret(HMACKeyInfo keyInfo)
{
if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.SrkSecret)
{
ProtectedPasswordStorage secret = new ProtectedPasswordStorage();
secret.WellKnown();
return(secret);
}
ProtectedPasswordStorage pws = new ProtectedPasswordStorage();
pws.AppendPasswordChar('I');
pws.AppendPasswordChar('A');
pws.AppendPasswordChar('I');
pws.AppendPasswordChar('K');
return(pws);
}
public override void Read(Stream src)
{
base.Read(src);
_keyInfo = new HMACKeyInfo(src);
int count = StreamHelper.ReadInt32(src);
_hmacDataProviders = new HashDataProvider[count];
for (int i = 0; i < count; i++)
{
_hmacDataProviders[i] = StreamHelper.ReadTypedStreamSerializable <HashDataProvider>(src);
}
// _authHandle = new AuthHandle(src);
// _digest = StreamHelper.ReadBytesSafe(src);
// _continueAuthSession = StreamHelper.ReadBool(src);
}
public static ResponseAuthHandleInfo[] ReadAuthHandleInfos(IAuthorizableCommand cmd, TPMBlob blob)
{
long currentIndex = blob.Length;
List <ResponseAuthHandleInfo> responseAuthHandles = new List <ResponseAuthHandleInfo>();
foreach (AuthSessionNum authSession in new AuthSessionNum[] { AuthSessionNum.Auth2, AuthSessionNum.Auth1 })
{
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSession);
if (keyInfo != null)
{
currentIndex -= SINGLE_AUTH_HANDLE_SIZE;
responseAuthHandles.Add(new ResponseAuthHandleInfoCore(blob, currentIndex));
}
}
responseAuthHandles.Reverse();
return(responseAuthHandles.ToArray());
}
/// <summary>
/// Assures that the shared secret for the specified authorization handle has been
/// calculated, if not it gets calculated. If no OSAP session exists, create it
/// </summary>
/// <param name="cmd"></param>
/// <param name="sessionNum"></param>
/// <returns></returns>
public AuthHandle AssureOSAPSharedSecret(IAuthorizableCommand cmd, AuthSessionNum authSessionNum)
{
// using(AcquireLock())
// {
// //Must not be called for OSAP at the moment because OSAP session are not cached
// _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd);
// }
//
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum);
if (keyInfo == null)
{
return(null);
}
AuthHandle authHandle;
using (AcquireLock())
{
authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum);
}
// If shared secret has not yet been generated, do it
if (authHandle.SharedSecret == null)
{
GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest(
_ctx,
new HashByteDataProvider(authHandle.NonceEvenOSAP),
new HashByteDataProvider(authHandle.NonceOddOSAP)
);
request.TpmSessionIdentifier = _tpmSessionIdentifier;
Parameters paramsSharedSecret = new Parameters();
if (cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE ||
cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_SRK)
{
if (cmd.GetHandle(authSessionNum) == KeyHandle.KEY_SRK)
{
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters());
}
else
{
paramsSharedSecret.AddPrimitiveType("identifier", cmd.GetHandle(authSessionNum));
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, paramsSharedSecret);
}
}
else if (cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_OWNER)
{
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, new Parameters());
}
else
{
throw new NotSupportedException(string.Format("CommandAuthorizationHelper does not support entity type '{0}'",
cmd.GetEntityType(authSessionNum)));
}
GenerateHMACResponse response = request.TypedExecute();
response.AssertResponse();
authHandle.SharedSecret = response.TpmAuthData;
}
return(authHandle);
}
public AuthorizationInfo[] GenerateResponseAuthData(IAuthorizableCommand cmd)
{
List <AuthorizationInfo> authorizationInfos = new List <AuthorizationInfo>();
List <ResponseAuthHandleInfo> responseAuthHandleInfos = new List <ResponseAuthHandleInfo>(cmd.ResponseAuthHandleInfos);
responseAuthHandleInfos.Reverse();
List <AuthorizationInfo> localAuthorizationInfos = new List <AuthorizationInfo>(cmd.AuthorizationInfos);
localAuthorizationInfos.Reverse();
Stack <ResponseAuthHandleInfo> responseAuthHandles = new Stack <ResponseAuthHandleInfo>(responseAuthHandleInfos);
Stack <AuthorizationInfo> authorizationInfoQueue = new Stack <AuthorizationInfo>(localAuthorizationInfos);
foreach (AuthSessionNum authSessionNum in new AuthSessionNum[] { AuthSessionNum.Auth1, AuthSessionNum.Auth2 })
{
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum);
if (keyInfo == null)
{
continue;
}
ResponseAuthHandleInfo currentResponseAuthHandleInfo = responseAuthHandles.Pop();
AuthorizationInfo currentAuthorizationInfo = authorizationInfoQueue.Pop();
if (currentAuthorizationInfo.Handle.HandleAuthType == AuthHandle.AuthType.OIAP)
{
GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest
(_ctx,
new HashByteDataProvider(cmd.ResponseDigest),
new HashByteDataProvider(currentResponseAuthHandleInfo.NonceEven),
new HashByteDataProvider(currentAuthorizationInfo.Handle.NonceOdd),
new HashPrimitiveDataProvider(currentResponseAuthHandleInfo.ContinueAuthSession)
);
request.TpmSessionIdentifier = _tpmSessionIdentifier;
request.KeyInfo = keyInfo;
GenerateHMACResponse response = request.TypedExecute();
response.AssertResponse();
authorizationInfos.Add(new AuthorizationInfo(null, currentResponseAuthHandleInfo.ContinueAuthSession, response.TpmAuthData));
}
else if (currentAuthorizationInfo.Handle.HandleAuthType == AuthHandle.AuthType.OSAP)
{
byte[] tpmAuth = new HMACProvider(currentAuthorizationInfo.Handle.SharedSecret).Hash(
new HashByteDataProvider(cmd.ResponseDigest),
new HashByteDataProvider(currentResponseAuthHandleInfo.NonceEven),
new HashByteDataProvider(currentAuthorizationInfo.Handle.NonceOdd),
new HashPrimitiveDataProvider(currentResponseAuthHandleInfo.ContinueAuthSession));
authorizationInfos.Add(new AuthorizationInfo(null, currentResponseAuthHandleInfo.ContinueAuthSession, tpmAuth));
}
}
return(authorizationInfos.ToArray());
}
/// <summary>
/// Authorizes the command and returns the necessary authorization info
/// Blocks till the user has entered the credentials
/// </summary>
/// <param name="cmd">Command to authorize</param>
/// <returns></returns>
public AuthorizationInfo[] AuthorizeCommand(IAuthorizableCommand cmd)
{
List <AuthorizationInfo> authorizationInfos = new List <AuthorizationInfo>();
using (AcquireLock())
{
_tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd);
}
foreach (AuthSessionNum authSessionNum in new AuthSessionNum[] { AuthSessionNum.Auth1, AuthSessionNum.Auth2 })
{
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum);
if (keyInfo == null)
{
continue;
}
AuthHandle authHandle;
using (AcquireLock())
{
authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum);
}
//Generates the new nonceOdd before the client generates the auth data
authHandle.NewNonceOdd();
if (authHandle.HandleAuthType == AuthHandle.AuthType.OIAP)
{
GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest
(_ctx,
new HashByteDataProvider(cmd.Digest),
new HashByteDataProvider(authHandle.NonceEven),
new HashByteDataProvider(authHandle.NonceOdd),
new HashPrimitiveDataProvider(true)
);
request.TpmSessionIdentifier = _tpmSessionIdentifier;
request.KeyInfo = keyInfo;
GenerateHMACResponse response = request.TypedExecute();
response.AssertResponse();
authorizationInfos.Add(new AuthorizationInfo(authHandle, true, response.TpmAuthData));
}
else if (authHandle.HandleAuthType == AuthHandle.AuthType.OSAP)
{
AssureOSAPSharedSecret(cmd, authSessionNum);
byte[] hmac = new HMACProvider(authHandle.SharedSecret).Hash(
new HashByteDataProvider(cmd.Digest),
new HashByteDataProvider(authHandle.NonceEven),
new HashByteDataProvider(authHandle.NonceOdd),
new HashPrimitiveDataProvider(false));
// GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest
// (_ctx,
// new HashByteDataProvider(cmd.Digest),
// new HashByteDataProvider(authHandle.NonceEven),
// new HashByteDataProvider(authHandle.NonceOdd),
// new HashPrimitiveDataProvider(false)
// );
//
//
// request.TpmSessionIdentifier = _tpmSessionIdentifier;
// request.KeyInfo = keyInfo;
//
//
// GenerateHMACResponse response = request.TypedExecute ();
// response.AssertResponse();
//
authorizationInfos.Add(new AuthorizationInfo(authHandle, false, hmac));
}
}
return(authorizationInfos.ToArray());
}
/// <summary>
/// If not cached, the desired secret is requested from the user
/// </summary>
/// <param name="keyInfo"></param>
/// <returns></returns>
public ProtectedPasswordStorage RequestSecret(HMACKeyInfo keyInfo)
{
string dictKey = null;
if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.OwnerSecret)
{
dictKey = PARAM_AUTH_OWNER;
}
else if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.SrkSecret)
{
dictKey = PARAM_AUTH_SRK;
}
else if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.KeyUsageSecret)
{
string friendlyName = keyInfo.Parameters.GetValueOf <string>("identifier");
bool identifierIsFriendlyName = keyInfo.Parameters.GetValueOf <bool>("identifierIsFriendlyName", false);
if (!identifierIsFriendlyName)
{
if (_keystore.ContainsIdentifier(friendlyName) == false)
{
throw new ArgumentException(string.Format("Requests for secret for key not in keystore! identifier: {0}",
friendlyName));
}
friendlyName = _keystore.IdentifierToFriendlyName(friendlyName);
}
dictKey = "usage_" + friendlyName;
}
else if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.SealAuth)
{
string friendlyName = keyInfo.Parameters.GetValueOf <string>("identifier");
bool identifierIsFriendlyName = keyInfo.Parameters.GetValueOf <bool>("identifierIsFriendlyName", false);
if (!identifierIsFriendlyName)
{
if (_keystore.ContainsIdentifier(friendlyName) == false)
{
throw new ArgumentException(string.Format("Requests for secret for key not in keystore! identifier: {0}",
friendlyName));
}
friendlyName = _keystore.IdentifierToFriendlyName(friendlyName);
}
dictKey = "seal_" + friendlyName;
}
else if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.CounterSecret)
{
dictKey = "counter";
}
else
{
throw new NotSupportedException(string.Format("The key type '{0}' is not supported", keyInfo.KeyType));
}
ProtectedPasswordStorage pw = GetValue <ProtectedPasswordStorage>("secret_" + dictKey, null);
if (pw == null)
{
_logger.DebugFormat("Secret for dictkey '{0}' was not found in cache, requesting from user", dictKey);
ProtectedPasswordStorage password = RaiseRequestSecret(keyInfo);
SetValue("secret_" + dictKey, password);
return(password);
}
else
{
_logger.DebugFormat("Secret for dictkey '{0}' was found in cache", dictKey);
return(pw);
}
}
public override void Execute(string[] commandline)
{
if (commandline.Length < 2)
{
_console.Out.WriteLine("Error: [local_session_alias] not specified");
return;
}
else if (commandline.Length < 3)
{
_console.Out.WriteLine("Error: [command] not specified");
return;
}
ClientContext ctx = _console.GetValue <ClientContext> ("client_context", null);
if (ctx == null)
{
_console.Out.WriteLine("No active connection was found");
return;
}
string localAlias = commandline[1];
string keyCommand = commandline[2];
IDictionary <string, TPMSession> tpmSessions = _console.GetValue <IDictionary <string, TPMSession> > ("tpm_sessions", null);
if (tpmSessions == null || tpmSessions.ContainsKey(localAlias) == false)
{
_console.Out.WriteLine("Error: Specified local alias was not found");
return;
}
if (keyCommand == "clear")
{
List <string> toRemove = new List <string>();
foreach (string key in tpmSessions[localAlias].ListValueKeys())
{
if (key.StartsWith("secret_"))
{
toRemove.Add(key);
}
}
foreach (string key in toRemove)
{
tpmSessions[localAlias].ClearValue(key);
}
}
else if (keyCommand == "remove")
{
IDictionary <string, string> arguments = null;
if (commandline.Length >= 4)
{
arguments = _console.SplitArguments(commandline[3], 0);
}
if (commandline.Length < 4 || arguments.ContainsKey("type") == false)
{
_console.Out.WriteLine("Error: No type to remove specified");
return;
}
tpmSessions[localAlias].ClearValue("secret_" + arguments["type"]);
}
else if (keyCommand == "add")
{
if (commandline.Length < 4)
{
_console.Out.WriteLine("Error: No arguments specified");
return;
}
IDictionary <string, string> arguments = _console.SplitArguments(commandline[3], 0);
if (arguments.ContainsKey("type") == false)
{
_console.Out.WriteLine("Error: No type specified");
return;
}
string dictKey = arguments["type"];
HMACKeyInfo keyInfo;
Parameters hmacKeyInfoParams = new Parameters();
if (dictKey == "owner")
{
dictKey = TPMSession.PARAM_AUTH_OWNER;
keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, hmacKeyInfoParams);
}
else if (dictKey == "srk")
{
dictKey = TPMSession.PARAM_AUTH_SRK;
keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, hmacKeyInfoParams);
}
else if (dictKey == "key_usage")
{
if (arguments.ContainsKey("name") == false)
{
_console.Out.WriteLine("Error: key_usage requires name of key");
return;
}
dictKey = "usage_" + arguments["name"];
hmacKeyInfoParams.AddPrimitiveType("identifier", arguments["name"]);
keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, hmacKeyInfoParams);
}
else if (dictKey == "seal")
{
if (arguments.ContainsKey("name") == false)
{
_console.Out.WriteLine("Error: seal requires name of key");
return;
}
dictKey = "seal_" + arguments["name"];
hmacKeyInfoParams.AddPrimitiveType("identifier", arguments["name"]);
keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, hmacKeyInfoParams);
}
else if (dictKey == "counter")
{
dictKey = "counter";
keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.CounterSecret, new Parameters());
}
else
{
_console.Out.WriteLine("Error: Unknown secret type");
return;
}
ProtectedPasswordStorage pw;
if (arguments.ContainsKey("secret"))
{
pw = new ProtectedPasswordStorage();
foreach (char c in arguments["secret"])
{
pw.AppendPasswordChar(c);
}
}
else
{
tpmSessions[localAlias].ClearValue("secret_" + dictKey);
pw = tpmSessions[localAlias].RequestSecret(keyInfo);
}
pw.Hash();
tpmSessions[localAlias].SetValue("secret_" + dictKey, pw);
}
else
{
_console.Out.WriteLine("Error, unknown command '{0}'", commandline[2]);
}
}
public SecretRequest(string customHintText)
{
_keyInfo = null;
_customHintText = customHintText;
}
public SecretRequest(HMACKeyInfo keyInfo)
{
_keyInfo = keyInfo;
_customHintText = null;
}
