private AuthHandleItem FindReservedHandle(IAuthorizableCommand cmd, AuthSessionNum authSession)
{
foreach (AuthHandleItem handle in _authHandles.FindAuthHandles(AuthHandleItem.AuthHandleStatus.SwappedIn))
{
if (handle.AssociatedCommand == null)
{
continue;
}
if (handle.AssociatedCommand.Value.Key == authSession &&
handle.AssociatedCommand.Value.Value == cmd)
{
return(handle);
}
}
foreach (AuthHandleItem handle in _authHandles.FindAuthHandles(AuthHandleItem.AuthHandleStatus.SwappedOut))
{
if (handle.AssociatedCommand == null)
{
continue;
}
if (handle.AssociatedCommand.Value.Key == authSession &&
handle.AssociatedCommand.Value.Value == cmd)
{
return(handle);
}
}
return(null);
}
public void LoadAuthHandle(AuthHandle authHandle)
{
using (new LockContext(_authHandles, "AuthHandleManager::LoadAuthHandle"))
{
List <AuthHandleItem> myAuthHandles = _authHandles.FindAuthHandles(AuthHandleItem.AuthHandleStatus.SwappedOut);
_logger.DebugFormat("LoadAuthHandle: #{0}", myAuthHandles.Count);
foreach (AuthHandleItem handleItem in myAuthHandles)
{
_logger.DebugFormat("LoadAuthHandles: Found auth handle {0} with status {1}", handleItem.AuthHandle, handleItem.Status);
if (handleItem.AuthHandle == authHandle &&
handleItem.Status != AuthHandleItem.AuthHandleStatus.SwappedIn)
{
//If we have an OSAP auth handle, make sure that the corresponding resource is loaded
AuthSessionNum authSession = handleItem.AssociatedCommand.Value.Key;
IAuthorizableCommand cmd = handleItem.AssociatedCommand.Value.Value;
KeyHandle newKeyHandle;
if (cmd.GetEntityType(authSession) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE && cmd.GetHandle(authSession) != KeyHandle.KEY_SRK)
{
cmd.KeyManager.LoadKey(cmd.GetHandle(authSession));
newKeyHandle = cmd.KeyManager.IdentifierToHandle(cmd.GetHandle(authSession));
if (handleItem.AuthHandle.EntityValue != newKeyHandle.Handle)
{
throw new ArgumentException(string.Format("OSAP with entity type={0}, entity value={1} could not be restored", handleItem.AuthHandle.EntityType, handleItem.AuthHandle.EntityValue));
}
}
SwapIn(handleItem);
_logger.DebugFormat("LoadAuthHandles: Swapped in {0}", handleItem.AuthHandle);
}
}
}
}
private AuthHandleItem[] FindReservedHandles(IAuthorizableCommand cmd)
{
List <AuthHandleItem> returnValues = new List <AuthHandleItem>();
foreach (AuthHandleItem handle in _authHandles.FindAuthHandles(AuthHandleItem.AuthHandleStatus.SwappedIn))
{
if (handle.AssociatedCommand == null)
{
continue;
}
if (handle.AssociatedCommand.Value.Value == cmd)
{
returnValues.Add(handle);
}
}
foreach (AuthHandleItem handle in _authHandles.FindAuthHandles(AuthHandleItem.AuthHandleStatus.SwappedOut))
{
if (handle.AssociatedCommand == null)
{
continue;
}
if (handle.AssociatedCommand.Value.Value == cmd)
{
returnValues.Add(handle);
}
}
return(returnValues.ToArray());
}
/// <summary>
/// Assures that the shared secret for the specified authorization handle has been
/// calculated, if not it gets calculated. If no OSAP session exists, create it
/// </summary>
/// <param name="cmd"></param>
/// <param name="sessionNum"></param>
/// <returns></returns>
public AuthHandle AssureOSAPSharedSecret(IAuthorizableCommand cmd, AuthSessionNum authSessionNum)
{
// using(AcquireLock())
// {
// //Must not be called for OSAP at the moment because OSAP session are not cached
// _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd);
// }
//
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum);
if(keyInfo == null)
return null;
AuthHandle authHandle;
using(AcquireLock())
{
authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum);
}
// If shared secret has not yet been generated, do it
if(authHandle.SharedSecret == null)
{
GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest(
_ctx,
new HashByteDataProvider(authHandle.NonceEvenOSAP),
new HashByteDataProvider(authHandle.NonceOddOSAP)
);
request.TpmSessionIdentifier = _tpmSessionIdentifier;
Parameters paramsSharedSecret = new Parameters();
if(cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE ||
cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_SRK)
{
if(cmd.GetHandle(authSessionNum) == KeyHandle.KEY_SRK)
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters());
else
{
paramsSharedSecret.AddPrimitiveType("identifier", cmd.GetHandle(authSessionNum));
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, paramsSharedSecret);
}
}
else if(cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_OWNER)
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, new Parameters());
else
throw new NotSupportedException(string.Format("CommandAuthorizationHelper does not support entity type '{0}'",
cmd.GetEntityType(authSessionNum)));
GenerateHMACResponse response = request.TypedExecute ();
response.AssertResponse();
authHandle.SharedSecret = response.TpmAuthData;
}
return authHandle;
}
public void RemoveAuthHandles(IAuthorizableCommand cmd)
{
using (new LockContext(_authHandles, "AuthHandleManager::RemoveAuthHandles"))
{
foreach (AuthHandleItem handle in FindReservedHandles(cmd))
{
InternalRemoveAuthHandle(handle);
}
}
}
public void ReleaseAuthHandles(IAuthorizableCommand cmd)
{
using (new LockContext(_authHandles, "AuthHandleManager::ReleaseAuthHandles"))
{
foreach (AuthHandleItem handle in FindReservedHandles(cmd))
{
handle.AssociatedCommand = null;
}
}
}
/// <summary>
/// Reserves the number of session slots the given command requires on the tpm.
/// </summary>
/// <remarks>
/// If the command supports OIAP auth handles, it is also possible for the AuthHandleManager to recycle
/// existing OIAP AuthHandles.
///
/// If the command needs OSAP auth handles the AuthHandleManager always creates new sessions, because OSAP is
/// used for auth data insertion, so nothing happens in here for OSAP
/// </remarks>
/// <param name="cmd"></param>
/// <param name="tpmSession"></param>
public void ReserveAuthHandleSlots(IAuthorizableCommand cmd)
{
using (new LockContext(_authHandles, string.Format("AuthHandleManager::ReserveAuthHandleSlots {0}", cmd)))
{
foreach (AuthSessionNum authSession in new AuthSessionNum[] { AuthSessionNum.Auth1, AuthSessionNum.Auth2 })
{
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSession);
if (keyInfo == null)
{
continue;
}
bool useOIAP = false;
if (cmd.SupportsAuthType(AuthHandle.AuthType.OIAP))
{
useOIAP = true;
}
if (FindReservedHandle(cmd, authSession) != null)
{
continue;
}
//We only cache OIAP sessions, so maybe there is a free
//OIAP session we can use
if (useOIAP)
{
AuthHandleItem handle = FindFreeAuthHandle(AuthHandleItem.AuthHandleStatus.SwappedIn);
if (handle == null)
{
handle = FindFreeAuthHandle(AuthHandleItem.AuthHandleStatus.SwappedOut);
}
if (handle != null)
{
handle.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd);
}
}
}
}
}
public AuthHandle GetAuthHandle(IAuthorizableCommand cmd, AuthSessionNum authSession)
{
AuthHandleItem reservedHandle = null;
using (new LockContext(_authHandles, string.Format("AuthHandleManager::GetAuthHandle {0}", cmd)))
{
reservedHandle = FindReservedHandle(cmd, authSession);
// No reserved auth handle was found, create a new one
if (reservedHandle == null)
{
reservedHandle = CreateAuthHandle(cmd, authSession);
}
}
return(reservedHandle.AuthHandle);
}
public void DestroyAuthHandles(IAuthorizableCommand cmd)
{
try
{
using (new LockContext(_authHandles, "AuthHandleManager::DestroyAuthHandles"))
{
foreach (AuthHandleItem item in FindReservedHandles(cmd))
{
InternalDestroyHandle(item);
}
}
}
catch (Exception ex)
{
_logger.FatalFormat("ERROR: destroyAuthHandles {0}", ex);
throw;
}
}
public void DestroyAuthHandles(IAuthorizableCommand cmd, params AuthHandle[] authHandles)
{
using (new LockContext(_authHandles, "AuthHandleManager::DestroyAuthHandles2"))
{
foreach (AuthHandle authHandle in authHandles)
{
AuthHandleItem item = FindAuthHandleItem(authHandle);
if (item == null)
{
continue;
}
if (item.AssociatedCommand != null && item.AssociatedCommand.Value.Value == cmd)
{
InternalDestroyHandle(item);
}
}
}
}
public static ResponseAuthHandleInfo[] ReadAuthHandleInfos(IAuthorizableCommand cmd, TPMBlob blob)
{
long currentIndex = blob.Length;
List<ResponseAuthHandleInfo> responseAuthHandles = new List<ResponseAuthHandleInfo>();
foreach(AuthSessionNum authSession in new AuthSessionNum[]{AuthSessionNum.Auth2, AuthSessionNum.Auth1})
{
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSession);
if(keyInfo != null)
{
currentIndex -= SINGLE_AUTH_HANDLE_SIZE;
responseAuthHandles.Add(new ResponseAuthHandleInfoCore(blob, currentIndex));
}
}
responseAuthHandles.Reverse();
return responseAuthHandles.ToArray();
}
public static ResponseAuthHandleInfo[] ReadAuthHandleInfos(IAuthorizableCommand cmd, TPMBlob blob)
{
long currentIndex = blob.Length;
List <ResponseAuthHandleInfo> responseAuthHandles = new List <ResponseAuthHandleInfo>();
foreach (AuthSessionNum authSession in new AuthSessionNum[] { AuthSessionNum.Auth2, AuthSessionNum.Auth1 })
{
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSession);
if (keyInfo != null)
{
currentIndex -= SINGLE_AUTH_HANDLE_SIZE;
responseAuthHandles.Add(new ResponseAuthHandleInfoCore(blob, currentIndex));
}
}
responseAuthHandles.Reverse();
return(responseAuthHandles.ToArray());
}
public void RemoveAuthHandles(IAuthorizableCommand cmd, AuthHandle authHandle)
{
using (new LockContext(_authHandles, "AuthHandleManager::RemoveAuthHandles2"))
{
AuthHandleItem item = FindAuthHandleItem(authHandle);
if (item == null)
{
return;
}
if (item.AssociatedCommand != null && item.AssociatedCommand.Value.Value == cmd)
{
InternalRemoveAuthHandle(item);
}
else
{
return;
}
}
}
public void DestroyAuthorizationHandle(IAuthorizableCommand cmd, AuthHandle handle)
{
_tpmContext.AuthHandleManager.DestroyAuthHandles(cmd, handle);
}
public void ReleaseAuthorizationHandles(IAuthorizableCommand cmd)
{
_tpmContext.AuthHandleManager.ReleaseAuthHandles(cmd);
}
public AuthorizationInfo[] GenerateResponseAuthData(IAuthorizableCommand cmd)
{
List <AuthorizationInfo> authorizationInfos = new List <AuthorizationInfo>();
List <ResponseAuthHandleInfo> responseAuthHandleInfos = new List <ResponseAuthHandleInfo>(cmd.ResponseAuthHandleInfos);
responseAuthHandleInfos.Reverse();
List <AuthorizationInfo> localAuthorizationInfos = new List <AuthorizationInfo>(cmd.AuthorizationInfos);
localAuthorizationInfos.Reverse();
Stack <ResponseAuthHandleInfo> responseAuthHandles = new Stack <ResponseAuthHandleInfo>(responseAuthHandleInfos);
Stack <AuthorizationInfo> authorizationInfoQueue = new Stack <AuthorizationInfo>(localAuthorizationInfos);
foreach (AuthSessionNum authSessionNum in new AuthSessionNum[] { AuthSessionNum.Auth1, AuthSessionNum.Auth2 })
{
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum);
if (keyInfo == null)
{
continue;
}
ResponseAuthHandleInfo currentResponseAuthHandleInfo = responseAuthHandles.Pop();
AuthorizationInfo currentAuthorizationInfo = authorizationInfoQueue.Pop();
if (currentAuthorizationInfo.Handle.HandleAuthType == AuthHandle.AuthType.OIAP)
{
GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest
(_ctx,
new HashByteDataProvider(cmd.ResponseDigest),
new HashByteDataProvider(currentResponseAuthHandleInfo.NonceEven),
new HashByteDataProvider(currentAuthorizationInfo.Handle.NonceOdd),
new HashPrimitiveDataProvider(currentResponseAuthHandleInfo.ContinueAuthSession)
);
request.TpmSessionIdentifier = _tpmSessionIdentifier;
request.KeyInfo = keyInfo;
GenerateHMACResponse response = request.TypedExecute();
response.AssertResponse();
authorizationInfos.Add(new AuthorizationInfo(null, currentResponseAuthHandleInfo.ContinueAuthSession, response.TpmAuthData));
}
else if (currentAuthorizationInfo.Handle.HandleAuthType == AuthHandle.AuthType.OSAP)
{
byte[] tpmAuth = new HMACProvider(currentAuthorizationInfo.Handle.SharedSecret).Hash(
new HashByteDataProvider(cmd.ResponseDigest),
new HashByteDataProvider(currentResponseAuthHandleInfo.NonceEven),
new HashByteDataProvider(currentAuthorizationInfo.Handle.NonceOdd),
new HashPrimitiveDataProvider(currentResponseAuthHandleInfo.ContinueAuthSession));
authorizationInfos.Add(new AuthorizationInfo(null, currentResponseAuthHandleInfo.ContinueAuthSession, tpmAuth));
}
}
return(authorizationInfos.ToArray());
}
/// <summary>
/// Authorizes the command and returns the necessary authorization info
/// Blocks till the user has entered the credentials
/// </summary>
/// <param name="cmd">Command to authorize</param>
/// <returns></returns>
public AuthorizationInfo[] AuthorizeCommand(IAuthorizableCommand cmd)
{
List <AuthorizationInfo> authorizationInfos = new List <AuthorizationInfo>();
using (AcquireLock())
{
_tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd);
}
foreach (AuthSessionNum authSessionNum in new AuthSessionNum[] { AuthSessionNum.Auth1, AuthSessionNum.Auth2 })
{
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum);
if (keyInfo == null)
{
continue;
}
AuthHandle authHandle;
using (AcquireLock())
{
authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum);
}
//Generates the new nonceOdd before the client generates the auth data
authHandle.NewNonceOdd();
if (authHandle.HandleAuthType == AuthHandle.AuthType.OIAP)
{
GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest
(_ctx,
new HashByteDataProvider(cmd.Digest),
new HashByteDataProvider(authHandle.NonceEven),
new HashByteDataProvider(authHandle.NonceOdd),
new HashPrimitiveDataProvider(true)
);
request.TpmSessionIdentifier = _tpmSessionIdentifier;
request.KeyInfo = keyInfo;
GenerateHMACResponse response = request.TypedExecute();
response.AssertResponse();
authorizationInfos.Add(new AuthorizationInfo(authHandle, true, response.TpmAuthData));
}
else if (authHandle.HandleAuthType == AuthHandle.AuthType.OSAP)
{
AssureOSAPSharedSecret(cmd, authSessionNum);
byte[] hmac = new HMACProvider(authHandle.SharedSecret).Hash(
new HashByteDataProvider(cmd.Digest),
new HashByteDataProvider(authHandle.NonceEven),
new HashByteDataProvider(authHandle.NonceOdd),
new HashPrimitiveDataProvider(false));
// GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest
// (_ctx,
// new HashByteDataProvider(cmd.Digest),
// new HashByteDataProvider(authHandle.NonceEven),
// new HashByteDataProvider(authHandle.NonceOdd),
// new HashPrimitiveDataProvider(false)
// );
//
//
// request.TpmSessionIdentifier = _tpmSessionIdentifier;
// request.KeyInfo = keyInfo;
//
//
// GenerateHMACResponse response = request.TypedExecute ();
// response.AssertResponse();
//
authorizationInfos.Add(new AuthorizationInfo(authHandle, false, hmac));
}
}
return(authorizationInfos.ToArray());
}
private AuthHandleItem CreateAuthHandle(IAuthorizableCommand cmd, AuthSessionNum authSession)
{
if (cmd.SupportsAuthType(AuthHandle.AuthType.OIAP))
{
TPMCommandRequest oiapRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OIAP, new Parameters());
TPMCommandResponse oiapResponse = _tpmContext.TPM.Process(oiapRequest, cmd.CommandAuthHelper, cmd.KeyManager);
if (oiapResponse.Status == false)
{
throw new TPMRequestException("Unknown error while creating oiap auth handle");
}
AuthHandle newAuthHandle = oiapResponse.Parameters.GetValueOf <AuthHandle>("auth_handle");
AuthHandleItem authHandleItem = new AuthHandleItem(newAuthHandle, AuthHandleItem.AuthHandleStatus.SwappedIn);
authHandleItem.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd);
using (new LockContext(_authHandles, "CreateAuthHandle OIAP"))
{
_authHandles.AddAuthHandle(authHandleItem);
AddNewItem(authHandleItem);
}
return(authHandleItem);
}
else if (cmd.SupportsAuthType(AuthHandle.AuthType.OSAP))
{
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("entity_msb", TPMEntityTypeMSB.TPM_ET_XOR);
parameters.AddPrimitiveType("entity_lsb", cmd.GetEntityType(authSession));
string identifier = cmd.GetHandle(authSession);
if (identifier == null)
{
throw new TPMRequestException("Missing entity value for OSAP session");
}
parameters.AddPrimitiveType("entity_value", identifier);
TPMCommandRequest osapRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OSAP, parameters);
TPMCommandResponse osapResponse = _tpmContext.TPM.Process(osapRequest, cmd.CommandAuthHelper, cmd.KeyManager);
if (osapResponse.Status == false)
{
throw new TPMRequestException("Unknown error while creating osap auth handle");
}
AuthHandle newAuthHandle = osapResponse.Parameters.GetValueOf <AuthHandle>("auth_handle");
AuthHandleItem authHandleItem = new AuthHandleItem(newAuthHandle, AuthHandleItem.AuthHandleStatus.SwappedIn);
authHandleItem.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd);
using (new LockContext(_authHandles, "CreateAuthHandle OSAP"))
{
_authHandles.AddAuthHandle(authHandleItem);
AddNewItem(authHandleItem);
}
return(authHandleItem);
}
else
{
throw new NotSupportedException("Command does not support a suitable AuthType");
}
}
public void RemoveAuthorizationHandle(IAuthorizableCommand cmd, AuthHandle handle)
{
_tpmContext.AuthHandleManager.RemoveAuthHandles(cmd, handle);
}
public void ReleaseAuthorizationHandles(IAuthorizableCommand cmd)
{
_tpmContext.AuthHandleManager.ReleaseAuthHandles(cmd);
}
public AuthorizationInfo[] GenerateResponseAuthData(IAuthorizableCommand cmd)
{
List<AuthorizationInfo> authorizationInfos = new List<AuthorizationInfo>();
List<ResponseAuthHandleInfo> responseAuthHandleInfos = new List<ResponseAuthHandleInfo>(cmd.ResponseAuthHandleInfos);
responseAuthHandleInfos.Reverse();
List<AuthorizationInfo> localAuthorizationInfos = new List<AuthorizationInfo>(cmd.AuthorizationInfos);
localAuthorizationInfos.Reverse();
Stack<ResponseAuthHandleInfo> responseAuthHandles = new Stack<ResponseAuthHandleInfo>(responseAuthHandleInfos);
Stack<AuthorizationInfo> authorizationInfoQueue = new Stack<AuthorizationInfo>(localAuthorizationInfos);
foreach(AuthSessionNum authSessionNum in new AuthSessionNum[]{AuthSessionNum.Auth1, AuthSessionNum.Auth2})
{
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum);
if(keyInfo == null)
continue;
ResponseAuthHandleInfo currentResponseAuthHandleInfo = responseAuthHandles.Pop();
AuthorizationInfo currentAuthorizationInfo = authorizationInfoQueue.Pop();
if(currentAuthorizationInfo.Handle.HandleAuthType == AuthHandle.AuthType.OIAP)
{
GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest
(_ctx,
new HashByteDataProvider(cmd.ResponseDigest),
new HashByteDataProvider(currentResponseAuthHandleInfo.NonceEven),
new HashByteDataProvider(currentAuthorizationInfo.Handle.NonceOdd),
new HashPrimitiveDataProvider(currentResponseAuthHandleInfo.ContinueAuthSession)
);
request.TpmSessionIdentifier = _tpmSessionIdentifier;
request.KeyInfo = keyInfo;
GenerateHMACResponse response = request.TypedExecute ();
response.AssertResponse();
authorizationInfos.Add(new AuthorizationInfo(null, currentResponseAuthHandleInfo.ContinueAuthSession, response.TpmAuthData));
}
else if(currentAuthorizationInfo.Handle.HandleAuthType == AuthHandle.AuthType.OSAP)
{
byte[] tpmAuth = new HMACProvider(currentAuthorizationInfo.Handle.SharedSecret).Hash(
new HashByteDataProvider(cmd.ResponseDigest),
new HashByteDataProvider(currentResponseAuthHandleInfo.NonceEven),
new HashByteDataProvider(currentAuthorizationInfo.Handle.NonceOdd),
new HashPrimitiveDataProvider(currentResponseAuthHandleInfo.ContinueAuthSession));
authorizationInfos.Add(new AuthorizationInfo(null, currentResponseAuthHandleInfo.ContinueAuthSession, tpmAuth));
}
}
return authorizationInfos.ToArray();
}
public void DestroyAuthorizationHandles(IAuthorizableCommand cmd)
{
_tpmContext.AuthHandleManager.DestroyAuthHandles(cmd);
}
public void RemoveAuthorizationHandle(IAuthorizableCommand cmd, AuthHandle handle)
{
_tpmContext.AuthHandleManager.RemoveAuthHandles(cmd, handle);
}
/// <summary>
/// Assures that the shared secret for the specified authorization handle has been
/// calculated, if not it gets calculated. If no OSAP session exists, create it
/// </summary>
/// <param name="cmd"></param>
/// <param name="sessionNum"></param>
/// <returns></returns>
public AuthHandle AssureOSAPSharedSecret(IAuthorizableCommand cmd, AuthSessionNum authSessionNum)
{
// using(AcquireLock())
// {
// //Must not be called for OSAP at the moment because OSAP session are not cached
// _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd);
// }
//
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum);
if (keyInfo == null)
{
return(null);
}
AuthHandle authHandle;
using (AcquireLock())
{
authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum);
}
// If shared secret has not yet been generated, do it
if (authHandle.SharedSecret == null)
{
GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest(
_ctx,
new HashByteDataProvider(authHandle.NonceEvenOSAP),
new HashByteDataProvider(authHandle.NonceOddOSAP)
);
request.TpmSessionIdentifier = _tpmSessionIdentifier;
Parameters paramsSharedSecret = new Parameters();
if (cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE ||
cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_SRK)
{
if (cmd.GetHandle(authSessionNum) == KeyHandle.KEY_SRK)
{
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters());
}
else
{
paramsSharedSecret.AddPrimitiveType("identifier", cmd.GetHandle(authSessionNum));
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, paramsSharedSecret);
}
}
else if (cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_OWNER)
{
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, new Parameters());
}
else
{
throw new NotSupportedException(string.Format("CommandAuthorizationHelper does not support entity type '{0}'",
cmd.GetEntityType(authSessionNum)));
}
GenerateHMACResponse response = request.TypedExecute();
response.AssertResponse();
authHandle.SharedSecret = response.TpmAuthData;
}
return(authHandle);
}
/// <summary>
/// Authorizes the command and returns the necessary authorization info
/// Blocks till the user has entered the credentials
/// </summary>
/// <param name="cmd">Command to authorize</param>
/// <returns></returns>
public AuthorizationInfo[] AuthorizeCommand(IAuthorizableCommand cmd)
{
List<AuthorizationInfo> authorizationInfos = new List<AuthorizationInfo>();
using(AcquireLock())
{
_tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd);
}
foreach(AuthSessionNum authSessionNum in new AuthSessionNum[]{AuthSessionNum.Auth1, AuthSessionNum.Auth2})
{
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum);
if(keyInfo == null)
continue;
AuthHandle authHandle;
using(AcquireLock())
{
authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum);
}
//Generates the new nonceOdd before the client generates the auth data
authHandle.NewNonceOdd();
if(authHandle.HandleAuthType == AuthHandle.AuthType.OIAP)
{
GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest
(_ctx,
new HashByteDataProvider(cmd.Digest),
new HashByteDataProvider(authHandle.NonceEven),
new HashByteDataProvider(authHandle.NonceOdd),
new HashPrimitiveDataProvider(true)
);
request.TpmSessionIdentifier = _tpmSessionIdentifier;
request.KeyInfo = keyInfo;
GenerateHMACResponse response = request.TypedExecute ();
response.AssertResponse();
authorizationInfos.Add(new AuthorizationInfo(authHandle, true, response.TpmAuthData));
}
else if(authHandle.HandleAuthType == AuthHandle.AuthType.OSAP)
{
AssureOSAPSharedSecret(cmd, authSessionNum);
byte[] hmac = new HMACProvider(authHandle.SharedSecret).Hash(
new HashByteDataProvider(cmd.Digest),
new HashByteDataProvider(authHandle.NonceEven),
new HashByteDataProvider(authHandle.NonceOdd),
new HashPrimitiveDataProvider(false));
// GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest
// (_ctx,
// new HashByteDataProvider(cmd.Digest),
// new HashByteDataProvider(authHandle.NonceEven),
// new HashByteDataProvider(authHandle.NonceOdd),
// new HashPrimitiveDataProvider(false)
// );
//
//
// request.TpmSessionIdentifier = _tpmSessionIdentifier;
// request.KeyInfo = keyInfo;
//
//
// GenerateHMACResponse response = request.TypedExecute ();
// response.AssertResponse();
//
authorizationInfos.Add(new AuthorizationInfo(authHandle, false, hmac));
}
}
return authorizationInfos.ToArray();
}
