private ProtectedPasswordStorage RaiseRequestSecret(HMACKeyInfo keyInfo) { if (_requestSecret == null) { return(null); } return(_requestSecret(keyInfo)); }
public ProtectedPasswordStorage AsyncSecretRequestCallback(HMACKeyInfo keyInfo) { _logger.DebugFormat("Async requesting secret '{0}'", keyInfo.KeyType); SecretRequest request = new SecretRequest(keyInfo); AddSecretRequest(request); request.PasswordReady.WaitOne(); return(request.ProtectedPassword); }
public static ProtectedPasswordStorage mycallback(HMACKeyInfo keyInfo) { // We use the empty string as password ... ProtectedPasswordStorage pws = new ProtectedPasswordStorage(); pws.AppendPasswordChar('i'); pws.AppendPasswordChar('a'); pws.AppendPasswordChar('i'); pws.AppendPasswordChar('k'); return(pws); }
static ProtectedPasswordStorage RequestSecret(HMACKeyInfo keyInfo) { if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.SrkSecret) { ProtectedPasswordStorage secret = new ProtectedPasswordStorage(); secret.WellKnown(); return(secret); } return(ConsoleUtils.ReadPassword(String.Format("Please enter Passwd for key {0}: ", keyInfo.Parameters.GetValueOf <string>("identifier")))); }
/// <summary> /// Reserves the number of session slots the given command requires on the tpm. /// </summary> /// <remarks> /// If the command supports OIAP auth handles, it is also possible for the AuthHandleManager to recycle /// existing OIAP AuthHandles. /// /// If the command needs OSAP auth handles the AuthHandleManager always creates new sessions, because OSAP is /// used for auth data insertion, so nothing happens in here for OSAP /// </remarks> /// <param name="cmd"></param> /// <param name="tpmSession"></param> public void ReserveAuthHandleSlots(IAuthorizableCommand cmd) { using (new LockContext(_authHandles, string.Format("AuthHandleManager::ReserveAuthHandleSlots {0}", cmd))) { foreach (AuthSessionNum authSession in new AuthSessionNum[] { AuthSessionNum.Auth1, AuthSessionNum.Auth2 }) { HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSession); if (keyInfo == null) { continue; } bool useOIAP = false; if (cmd.SupportsAuthType(AuthHandle.AuthType.OIAP)) { useOIAP = true; } if (FindReservedHandle(cmd, authSession) != null) { continue; } //We only cache OIAP sessions, so maybe there is a free //OIAP session we can use if (useOIAP) { AuthHandleItem handle = FindFreeAuthHandle(AuthHandleItem.AuthHandleStatus.SwappedIn); if (handle == null) { handle = FindFreeAuthHandle(AuthHandleItem.AuthHandleStatus.SwappedOut); } if (handle != null) { handle.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd); } } } } }
static ProtectedPasswordStorage RequestSecret(HMACKeyInfo keyInfo) { if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.SrkSecret) { ProtectedPasswordStorage secret = new ProtectedPasswordStorage(); secret.WellKnown(); return(secret); } ProtectedPasswordStorage pws = new ProtectedPasswordStorage(); pws.AppendPasswordChar('I'); pws.AppendPasswordChar('A'); pws.AppendPasswordChar('I'); pws.AppendPasswordChar('K'); return(pws); }
public override void Read(Stream src) { base.Read(src); _keyInfo = new HMACKeyInfo(src); int count = StreamHelper.ReadInt32(src); _hmacDataProviders = new HashDataProvider[count]; for (int i = 0; i < count; i++) { _hmacDataProviders[i] = StreamHelper.ReadTypedStreamSerializable <HashDataProvider>(src); } // _authHandle = new AuthHandle(src); // _digest = StreamHelper.ReadBytesSafe(src); // _continueAuthSession = StreamHelper.ReadBool(src); }
public static ResponseAuthHandleInfo[] ReadAuthHandleInfos(IAuthorizableCommand cmd, TPMBlob blob) { long currentIndex = blob.Length; List <ResponseAuthHandleInfo> responseAuthHandles = new List <ResponseAuthHandleInfo>(); foreach (AuthSessionNum authSession in new AuthSessionNum[] { AuthSessionNum.Auth2, AuthSessionNum.Auth1 }) { HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSession); if (keyInfo != null) { currentIndex -= SINGLE_AUTH_HANDLE_SIZE; responseAuthHandles.Add(new ResponseAuthHandleInfoCore(blob, currentIndex)); } } responseAuthHandles.Reverse(); return(responseAuthHandles.ToArray()); }
/// <summary> /// Assures that the shared secret for the specified authorization handle has been /// calculated, if not it gets calculated. If no OSAP session exists, create it /// </summary> /// <param name="cmd"></param> /// <param name="sessionNum"></param> /// <returns></returns> public AuthHandle AssureOSAPSharedSecret(IAuthorizableCommand cmd, AuthSessionNum authSessionNum) { // using(AcquireLock()) // { // //Must not be called for OSAP at the moment because OSAP session are not cached // _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd); // } // HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum); if (keyInfo == null) { return(null); } AuthHandle authHandle; using (AcquireLock()) { authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum); } // If shared secret has not yet been generated, do it if (authHandle.SharedSecret == null) { GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest( _ctx, new HashByteDataProvider(authHandle.NonceEvenOSAP), new HashByteDataProvider(authHandle.NonceOddOSAP) ); request.TpmSessionIdentifier = _tpmSessionIdentifier; Parameters paramsSharedSecret = new Parameters(); if (cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE || cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_SRK) { if (cmd.GetHandle(authSessionNum) == KeyHandle.KEY_SRK) { request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters()); } else { paramsSharedSecret.AddPrimitiveType("identifier", cmd.GetHandle(authSessionNum)); request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, paramsSharedSecret); } } else if (cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_OWNER) { request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, new Parameters()); } else { throw new NotSupportedException(string.Format("CommandAuthorizationHelper does not support entity type '{0}'", cmd.GetEntityType(authSessionNum))); } GenerateHMACResponse response = request.TypedExecute(); response.AssertResponse(); authHandle.SharedSecret = response.TpmAuthData; } return(authHandle); }
public AuthorizationInfo[] GenerateResponseAuthData(IAuthorizableCommand cmd) { List <AuthorizationInfo> authorizationInfos = new List <AuthorizationInfo>(); List <ResponseAuthHandleInfo> responseAuthHandleInfos = new List <ResponseAuthHandleInfo>(cmd.ResponseAuthHandleInfos); responseAuthHandleInfos.Reverse(); List <AuthorizationInfo> localAuthorizationInfos = new List <AuthorizationInfo>(cmd.AuthorizationInfos); localAuthorizationInfos.Reverse(); Stack <ResponseAuthHandleInfo> responseAuthHandles = new Stack <ResponseAuthHandleInfo>(responseAuthHandleInfos); Stack <AuthorizationInfo> authorizationInfoQueue = new Stack <AuthorizationInfo>(localAuthorizationInfos); foreach (AuthSessionNum authSessionNum in new AuthSessionNum[] { AuthSessionNum.Auth1, AuthSessionNum.Auth2 }) { HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum); if (keyInfo == null) { continue; } ResponseAuthHandleInfo currentResponseAuthHandleInfo = responseAuthHandles.Pop(); AuthorizationInfo currentAuthorizationInfo = authorizationInfoQueue.Pop(); if (currentAuthorizationInfo.Handle.HandleAuthType == AuthHandle.AuthType.OIAP) { GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest (_ctx, new HashByteDataProvider(cmd.ResponseDigest), new HashByteDataProvider(currentResponseAuthHandleInfo.NonceEven), new HashByteDataProvider(currentAuthorizationInfo.Handle.NonceOdd), new HashPrimitiveDataProvider(currentResponseAuthHandleInfo.ContinueAuthSession) ); request.TpmSessionIdentifier = _tpmSessionIdentifier; request.KeyInfo = keyInfo; GenerateHMACResponse response = request.TypedExecute(); response.AssertResponse(); authorizationInfos.Add(new AuthorizationInfo(null, currentResponseAuthHandleInfo.ContinueAuthSession, response.TpmAuthData)); } else if (currentAuthorizationInfo.Handle.HandleAuthType == AuthHandle.AuthType.OSAP) { byte[] tpmAuth = new HMACProvider(currentAuthorizationInfo.Handle.SharedSecret).Hash( new HashByteDataProvider(cmd.ResponseDigest), new HashByteDataProvider(currentResponseAuthHandleInfo.NonceEven), new HashByteDataProvider(currentAuthorizationInfo.Handle.NonceOdd), new HashPrimitiveDataProvider(currentResponseAuthHandleInfo.ContinueAuthSession)); authorizationInfos.Add(new AuthorizationInfo(null, currentResponseAuthHandleInfo.ContinueAuthSession, tpmAuth)); } } return(authorizationInfos.ToArray()); }
/// <summary> /// Authorizes the command and returns the necessary authorization info /// Blocks till the user has entered the credentials /// </summary> /// <param name="cmd">Command to authorize</param> /// <returns></returns> public AuthorizationInfo[] AuthorizeCommand(IAuthorizableCommand cmd) { List <AuthorizationInfo> authorizationInfos = new List <AuthorizationInfo>(); using (AcquireLock()) { _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd); } foreach (AuthSessionNum authSessionNum in new AuthSessionNum[] { AuthSessionNum.Auth1, AuthSessionNum.Auth2 }) { HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum); if (keyInfo == null) { continue; } AuthHandle authHandle; using (AcquireLock()) { authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum); } //Generates the new nonceOdd before the client generates the auth data authHandle.NewNonceOdd(); if (authHandle.HandleAuthType == AuthHandle.AuthType.OIAP) { GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest (_ctx, new HashByteDataProvider(cmd.Digest), new HashByteDataProvider(authHandle.NonceEven), new HashByteDataProvider(authHandle.NonceOdd), new HashPrimitiveDataProvider(true) ); request.TpmSessionIdentifier = _tpmSessionIdentifier; request.KeyInfo = keyInfo; GenerateHMACResponse response = request.TypedExecute(); response.AssertResponse(); authorizationInfos.Add(new AuthorizationInfo(authHandle, true, response.TpmAuthData)); } else if (authHandle.HandleAuthType == AuthHandle.AuthType.OSAP) { AssureOSAPSharedSecret(cmd, authSessionNum); byte[] hmac = new HMACProvider(authHandle.SharedSecret).Hash( new HashByteDataProvider(cmd.Digest), new HashByteDataProvider(authHandle.NonceEven), new HashByteDataProvider(authHandle.NonceOdd), new HashPrimitiveDataProvider(false)); // GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest // (_ctx, // new HashByteDataProvider(cmd.Digest), // new HashByteDataProvider(authHandle.NonceEven), // new HashByteDataProvider(authHandle.NonceOdd), // new HashPrimitiveDataProvider(false) // ); // // // request.TpmSessionIdentifier = _tpmSessionIdentifier; // request.KeyInfo = keyInfo; // // // GenerateHMACResponse response = request.TypedExecute (); // response.AssertResponse(); // authorizationInfos.Add(new AuthorizationInfo(authHandle, false, hmac)); } } return(authorizationInfos.ToArray()); }
/// <summary> /// If not cached, the desired secret is requested from the user /// </summary> /// <param name="keyInfo"></param> /// <returns></returns> public ProtectedPasswordStorage RequestSecret(HMACKeyInfo keyInfo) { string dictKey = null; if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.OwnerSecret) { dictKey = PARAM_AUTH_OWNER; } else if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.SrkSecret) { dictKey = PARAM_AUTH_SRK; } else if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.KeyUsageSecret) { string friendlyName = keyInfo.Parameters.GetValueOf <string>("identifier"); bool identifierIsFriendlyName = keyInfo.Parameters.GetValueOf <bool>("identifierIsFriendlyName", false); if (!identifierIsFriendlyName) { if (_keystore.ContainsIdentifier(friendlyName) == false) { throw new ArgumentException(string.Format("Requests for secret for key not in keystore! identifier: {0}", friendlyName)); } friendlyName = _keystore.IdentifierToFriendlyName(friendlyName); } dictKey = "usage_" + friendlyName; } else if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.SealAuth) { string friendlyName = keyInfo.Parameters.GetValueOf <string>("identifier"); bool identifierIsFriendlyName = keyInfo.Parameters.GetValueOf <bool>("identifierIsFriendlyName", false); if (!identifierIsFriendlyName) { if (_keystore.ContainsIdentifier(friendlyName) == false) { throw new ArgumentException(string.Format("Requests for secret for key not in keystore! identifier: {0}", friendlyName)); } friendlyName = _keystore.IdentifierToFriendlyName(friendlyName); } dictKey = "seal_" + friendlyName; } else if (keyInfo.KeyType == HMACKeyInfo.HMACKeyType.CounterSecret) { dictKey = "counter"; } else { throw new NotSupportedException(string.Format("The key type '{0}' is not supported", keyInfo.KeyType)); } ProtectedPasswordStorage pw = GetValue <ProtectedPasswordStorage>("secret_" + dictKey, null); if (pw == null) { _logger.DebugFormat("Secret for dictkey '{0}' was not found in cache, requesting from user", dictKey); ProtectedPasswordStorage password = RaiseRequestSecret(keyInfo); SetValue("secret_" + dictKey, password); return(password); } else { _logger.DebugFormat("Secret for dictkey '{0}' was found in cache", dictKey); return(pw); } }
public override void Execute(string[] commandline) { if (commandline.Length < 2) { _console.Out.WriteLine("Error: [local_session_alias] not specified"); return; } else if (commandline.Length < 3) { _console.Out.WriteLine("Error: [command] not specified"); return; } ClientContext ctx = _console.GetValue <ClientContext> ("client_context", null); if (ctx == null) { _console.Out.WriteLine("No active connection was found"); return; } string localAlias = commandline[1]; string keyCommand = commandline[2]; IDictionary <string, TPMSession> tpmSessions = _console.GetValue <IDictionary <string, TPMSession> > ("tpm_sessions", null); if (tpmSessions == null || tpmSessions.ContainsKey(localAlias) == false) { _console.Out.WriteLine("Error: Specified local alias was not found"); return; } if (keyCommand == "clear") { List <string> toRemove = new List <string>(); foreach (string key in tpmSessions[localAlias].ListValueKeys()) { if (key.StartsWith("secret_")) { toRemove.Add(key); } } foreach (string key in toRemove) { tpmSessions[localAlias].ClearValue(key); } } else if (keyCommand == "remove") { IDictionary <string, string> arguments = null; if (commandline.Length >= 4) { arguments = _console.SplitArguments(commandline[3], 0); } if (commandline.Length < 4 || arguments.ContainsKey("type") == false) { _console.Out.WriteLine("Error: No type to remove specified"); return; } tpmSessions[localAlias].ClearValue("secret_" + arguments["type"]); } else if (keyCommand == "add") { if (commandline.Length < 4) { _console.Out.WriteLine("Error: No arguments specified"); return; } IDictionary <string, string> arguments = _console.SplitArguments(commandline[3], 0); if (arguments.ContainsKey("type") == false) { _console.Out.WriteLine("Error: No type specified"); return; } string dictKey = arguments["type"]; HMACKeyInfo keyInfo; Parameters hmacKeyInfoParams = new Parameters(); if (dictKey == "owner") { dictKey = TPMSession.PARAM_AUTH_OWNER; keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, hmacKeyInfoParams); } else if (dictKey == "srk") { dictKey = TPMSession.PARAM_AUTH_SRK; keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, hmacKeyInfoParams); } else if (dictKey == "key_usage") { if (arguments.ContainsKey("name") == false) { _console.Out.WriteLine("Error: key_usage requires name of key"); return; } dictKey = "usage_" + arguments["name"]; hmacKeyInfoParams.AddPrimitiveType("identifier", arguments["name"]); keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, hmacKeyInfoParams); } else if (dictKey == "seal") { if (arguments.ContainsKey("name") == false) { _console.Out.WriteLine("Error: seal requires name of key"); return; } dictKey = "seal_" + arguments["name"]; hmacKeyInfoParams.AddPrimitiveType("identifier", arguments["name"]); keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, hmacKeyInfoParams); } else if (dictKey == "counter") { dictKey = "counter"; keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.CounterSecret, new Parameters()); } else { _console.Out.WriteLine("Error: Unknown secret type"); return; } ProtectedPasswordStorage pw; if (arguments.ContainsKey("secret")) { pw = new ProtectedPasswordStorage(); foreach (char c in arguments["secret"]) { pw.AppendPasswordChar(c); } } else { tpmSessions[localAlias].ClearValue("secret_" + dictKey); pw = tpmSessions[localAlias].RequestSecret(keyInfo); } pw.Hash(); tpmSessions[localAlias].SetValue("secret_" + dictKey, pw); } else { _console.Out.WriteLine("Error, unknown command '{0}'", commandline[2]); } }
public SecretRequest(string customHintText) { _keyInfo = null; _customHintText = customHintText; }
public SecretRequest(HMACKeyInfo keyInfo) { _keyInfo = keyInfo; _customHintText = null; }