private static AuthHandle EstablishOIAP(TPMWrapper tpm)
{
ILog log = LogManager.GetLogger("EstablishOIAP");
for (int i = 0; i < 2; i++)
{
TPMCommandRequest request = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OIAP, new Parameters());
TPMCommandResponse response = tpm.Process(request);
AuthHandle myAuthHandle = response.Parameters.GetValueOf <AuthHandle> ("auth_handle");
// Parameters parameters = new Parameters ();
// parameters.AddValue ("handle", myAuthHandle);
// TPMCommandRequest requestFlush = new TPMCommandRequest (TPMCommandNames.TPM_CMD_FLUSH_SPECIFIC, parameters);
// tpm.Process (requestFlush);
//return myAuthHandle;
}
Parameters listHandlesParameters = new Parameters();
listHandlesParameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE);
listHandlesParameters.AddPrimitiveType("handle_type", TPMResourceType.TPM_RT_AUTH);
TPMCommandRequest listHandlesRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability, listHandlesParameters);
TPMCommandResponse listHandlesResponse = tpm.Process(listHandlesRequest);
HandleList loadedKeyHandles = listHandlesResponse.Parameters.GetValueOf <HandleList> ("handles");
return(null);
}
private static void ReadPCRs(TPMWrapper tpm)
{
uint i = 0;
ILog log = LogManager.GetLogger("ReadPCRs");
Parameters param = new Parameters();
param.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY);
param.AddPrimitiveType("subCap", CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_PCR);
TPMCommandRequest request = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability, param);
TPMCommandResponse response = tpm.Process(request);
uint maxPcrs = response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_PCR);
for (i = 0; i < maxPcrs; ++i)
{
param = new Parameters();
param.AddPrimitiveType("pcrnum", i);
TPMCommandRequest req = new TPMCommandRequest(TPMCommandNames.TPM_CMD_PCRRead, param);
TPMCommandResponse resp = tpm.Process(req);
byte[] val = resp.Parameters.GetValueOf <byte[]>("value");
log.InfoFormat("Answer for PCR {0} is: 0x{1}", resp.Parameters.GetValueOf <UInt32>("pcrnum"),
ByteHelper.ByteArrayToHexString(val));
}
// TPMCommandRequest req = new TPMCommandRequest(TPMCommandNames.TPM_CMD_PCRRead, null);
// TPMCommand com = TPMCommandFactory.Create(req);
// com.Init(param, tpm);
// com.Process();
//Console.WriteLine ("Hello World!");
}
/// <summary>
/// Seals data to the specified pcr selection,
/// create a valid pcr selection with session.CreateEmptyPCRSelection
/// </summary>
/// <param name="pcrSelection"></param>
/// <param name="data">Data to seal</param>
/// <returns></returns>
public byte[] Seal(TPMPCRSelection pcrSelection, byte[] data)
{
Parameters paramsSeal = new Parameters();
paramsSeal.AddPrimitiveType("in_data", data);
paramsSeal.AddPrimitiveType("key", _keyIdentifier);
paramsSeal.AddValue("pcr_selection", pcrSelection);
Parameters paramsSecret = new Parameters();
paramsSecret.AddPrimitiveType("identifier", KeyIdentifier);
ProtectedPasswordStorage authSeal = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, paramsSecret));
if (authSeal.Hashed == false)
{
authSeal.Hash();
}
authSeal.DecryptHash();
paramsSeal.AddPrimitiveType("data_auth", authSeal.HashValue);
try
{
TPMCommandResponse sealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Seal, paramsSeal);
return(sealResponse.Parameters.GetValueOf <byte[]>("data"));
}
finally
{
if (authSeal != null)
{
authSeal.ClearHash();
}
}
}
/// <summary>
/// Creates a new counter if possible.
/// Creating a counter requires the owner password and also the secret_counter secret
/// </summary>
/// <param name="label">4 bytes to label the counter</param>
/// <returns></returns>
public CounterContext CreateCounter(byte[] label)
{
if (label.Length != 4)
{
throw new ArgumentException("label needs to be of size 4");
}
ProtectedPasswordStorage counterSecret = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.CounterSecret, new Parameters()));
if (counterSecret.Hashed == false)
{
counterSecret.Hash();
}
counterSecret.DecryptHash();
Parameters createCounterParams = new Parameters();
createCounterParams.AddPrimitiveType("secret", counterSecret.HashValue);
createCounterParams.AddPrimitiveType("label", label);
return(new CounterContext(_tpmSession,
_tpmSession.DoTPMCommandRequest(new TPMCommandRequest(TPMCommandNames.TPM_CMD_CreateCounter, createCounterParams))
.Parameters.GetValueOf <uint>("counter_id")
));
}
/// <summary>
/// Reads the configured tpm devices from the configuration and
/// sets up the corresponding tpm contexts
/// </summary>
private void SetupTPMContexts()
{
IConnectionsConfiguration connectionConfig = (IConnectionsConfiguration)ConfigurationManager.GetSection("connections");
foreach (Iaik.Tc.TPM.Configuration.DotNetConfiguration.TPMDevice device in connectionConfig.TpmDevices)
{
try
{
_logger.InfoFormat("Setting up tpm context '{0}'", device.TPMName);
TPMWrapper tpmDevice = new TPMWrapper();
tpmDevice.Init(device.TPMType, device.Parameters);
TPMContext tpmContext = new TPMContext(device.TPMName, tpmDevice);
_tpmContexts.Add(device.TPMName, tpmContext);
_logger.InfoFormat("Flushing device '{0}'", device.TPMName);
foreach (TPMResourceType resourceType in new TPMResourceType[] {
TPMResourceType.TPM_RT_AUTH, TPMResourceType.TPM_RT_KEY
})
{
Parameters listLoadedHandlesParameters = new Parameters();
listLoadedHandlesParameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE);
listLoadedHandlesParameters.AddPrimitiveType("handle_type", resourceType);
TPMCommandRequest listLoadedHandlesRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability,
listLoadedHandlesParameters);
TPMCommandResponse response = tpmDevice.Process(listLoadedHandlesRequest);
if (response.Status == false)
{
throw new Exception("An unknown tpm exception while flushing occured");
}
foreach (uint handle in response.Parameters.GetValueOf <HandleList> ("handles"))
{
Parameters flushParameters = new Parameters();
flushParameters.AddValue("handle", HandleFactory.Create(resourceType, handle));
TPMCommandRequest flushRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_FlushSpecific, flushParameters);
TPMCommandResponse flushResponse = tpmDevice.Process(flushRequest);
if (flushResponse.Status == false)
{
throw new Exception("Something went wrong while flushing");
}
}
}
_logger.InfoFormat("Successfully setup tpm context '{0}' with type '{1}'", device.TPMName, device.TPMType);
}
catch (Exception ex)
{
_logger.FatalFormat("Error setting up tpm device '{0}', the device will not be available ({1})", device.TPMName, ex);
}
///Set the Assembly search order for incoming Parameters so that core classes are always at first
Parameters.AssemblySearchOrder = new Assembly[] {
typeof(TPMWrapper).Assembly, //lib core
typeof(ITypedParameter).Assembly
}; //lib common
}
}
/// <summary>
/// The maximum number of keys the tpm can load at once
/// </summary>
/// <returns></returns>
public uint GetMaxKeys()
{
Parameters parameters = new Parameters ();
parameters.AddPrimitiveType ("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY);
parameters.AddPrimitiveType ("subCap", CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_KEYS);
return this.BuildDoVerifyRequest (TPMCommandNames.TPM_CMD_GetCapability, parameters).Parameters.GetValueOf<uint> (CapabilityData.PARAM_PROP_MAX_KEYS);
}
/// <summary>
/// The maximum number of keys the tpm can load at once
/// </summary>
/// <returns></returns>
public uint GetMaxKeys()
{
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY);
parameters.AddPrimitiveType("subCap", CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_KEYS);
return(this.BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_GetCapability, parameters).Parameters.GetValueOf <uint> (CapabilityData.PARAM_PROP_MAX_KEYS));
}
/// <summary>
/// Retrieves Version information of the TPM
/// </summary>
public CapabilityData.TPMCapVersionInfo GetTPMVersion()
{
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_VERSION_VAL);
parameters.AddPrimitiveType("subCap", new byte[0]);
return(BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_GetCapability, parameters).Parameters.GetValueOf <CapabilityData.TPMCapVersionInfo> (CapabilityData.PARAM_TPM_VERSION_INFO));
}
/// <summary>
/// Extends the specified pcr by the specified digest
/// </summary>
/// <param name="pcrIndex">The pcr to be extended</param>
/// <param name="digest"></param>
/// <returns>Returns the new value of the extended pcr</returns>
public byte[] Extend(uint pcrIndex, byte[] digest)
{
Parameters extendParameters = new Parameters();
extendParameters.AddPrimitiveType("pcr", pcrIndex);
extendParameters.AddPrimitiveType("digest", digest);
return BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Extend, extendParameters)
.Parameters.GetValueOf<byte[]>("pcr_value");
}
/// <summary>
/// Signs the specified data, but the data is already in the format the signature format (Attached to the key) requires it to be.
/// </summary>
/// <remarks>
/// Use this for large amount of data, or use the <see>CreateSigner</see> method
/// </remarks>
/// <param name="data"></param>
/// <returns></returns>
public byte[] SignWithProperFormat(byte[] data)
{
Parameters signParameters = new Parameters();
signParameters.AddPrimitiveType("key", _keyIdentifier);
signParameters.AddPrimitiveType("areaToSign", data);
return(BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Sign, signParameters).Parameters.GetValueOf <byte[]>("sig"));
}
/// <summary>
/// Extends the specified pcr by the specified digest
/// </summary>
/// <param name="pcrIndex">The pcr to be extended</param>
/// <param name="digest"></param>
/// <returns>Returns the new value of the extended pcr</returns>
public byte[] Extend(uint pcrIndex, byte[] digest)
{
Parameters extendParameters = new Parameters();
extendParameters.AddPrimitiveType("pcr", pcrIndex);
extendParameters.AddPrimitiveType("digest", digest);
return(BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Extend, extendParameters)
.Parameters.GetValueOf <byte[]>("pcr_value"));
}
/// <summary>
/// Returns if the specified sizeIfSelect (= pcrcount / 8) is supported.
/// This is used to create valid PCRSelection objects for this tpm
/// </summary>
/// <param name="size">
/// A <see cref="System.UInt16"/>
/// </param>
/// <returns>
/// A <see cref="System.Boolean"/>
/// </returns>
public bool SupportsSizeOfPcr(ushort size)
{
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_SELECT_SIZE);
parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_SELECT_SIZE, size);
return(this.BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_GetCapability, parameters)
.Parameters.GetValueOf <bool>(CapabilityData.PARAM_PROP_SELECT_SIZE));
}
/// <summary>
/// Unbinds the specified data, the encrypted data needs to be
/// of type TPMBoundData
/// </summary>
/// <param name="data"></param>
/// <returns>Returns the decrypted data</returns>
public byte[] Unbind(byte[] data)
{
Parameters paramsUnbind = new Parameters();
paramsUnbind.AddPrimitiveType("in_data", data);
paramsUnbind.AddPrimitiveType("key", _keyIdentifier);
TPMCommandResponse unbindResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Unbind, paramsUnbind);
return(unbindResponse.Parameters.GetValueOf <byte[]>("data"));
}
private static void ReadCapabilities(TPMWrapper tpm)
{
ILog log = LogManager.GetLogger("ReadCapabilities");
// Read out each capability property
foreach (CapabilityData.TPMSubCapProperty subCap in Enum.GetValues(typeof(CapabilityData.TPMSubCapProperty)))
{
Parameters param = new Parameters();
param.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_PROPERTY);
param.AddPrimitiveType("subCap", subCap);
TPMCommandRequest request = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability, param);
TPMCommandResponse response = tpm.Process(request);
switch (subCap)
{
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_PCR:
log.InfoFormat("Number of PCRs is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_PCR));
break;
//case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_DIR:
// log.InfoFormat("Number of DIR is {0} and should be 1 because command is deprecated", response.Parameters.GetValueOf<uint>(CapabilityData.PARAM_PROP_DIR));
// break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MANUFACTURER:
log.InfoFormat("Manufacturer ID is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MANUFACTURER));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_KEYS:
log.InfoFormat("Number of free keyslots is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_KEYS));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_AUTHSESS:
log.InfoFormat("Number of max Auth Sessions is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MAX_AUTHSESS));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_TRANSESS:
log.InfoFormat("Number of max Trans Sessions is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MAX_TRANSESS));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_KEYS:
log.InfoFormat("Number of max keys (without EK and SRK) is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MAX_KEYS));
break;
case CapabilityData.TPMSubCapProperty.TPM_CAP_PROP_MAX_SESSIONS:
log.InfoFormat("Number of max Sessions is {0}", response.Parameters.GetValueOf <uint>(CapabilityData.PARAM_PROP_MAX_SESSIONS));
break;
default:
throw new NotSupportedException("Defined cap or subcap are not supported");
}
}
}
/// <summary>
/// Retrieves the index of the specified pcr
/// </summary>
/// <param name="pcrIndex"></param>
/// <returns></returns>
public byte[] PCRValue(uint pcrIndex)
{
Parameters pcrParams = new Parameters();
pcrParams.AddPrimitiveType("pcrnum", pcrIndex);
return BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_PCRRead, pcrParams).Parameters.GetValueOf<byte[]>("value");
}
/// <summary>
/// Invalidates the counter
/// </summary>
public void Release()
{
Parameters releaseCounterParams = new Parameters();
releaseCounterParams.AddPrimitiveType("counter_id", _counterId);
_tpmSession.DoTPMCommandRequest(new TPMCommandRequest(TPMCommandNames.TPM_CMD_ReleaseCounter, releaseCounterParams));
}
/// <summary>
/// Performs the actual swap-in operation
/// </summary>
/// <param name="item"></param>
protected override void SwappedIn(AuthHandleItem item)
{
//uint oldHandle = item.AuthHandle.Handle;
if (item.Status != AuthHandleItem.AuthHandleStatus.SwappedOut)
{
throw new ArgumentException("Invalid auth handle state for swap in operation");
}
using (new LockContext(_authHandles, "AuthHandleManager::SwappedIn"))
{
if (AvailableSessionSlots <= LoadedSessions)
{
SwapOut();
}
Parameters swapInParameters = new Parameters();
swapInParameters.AddValue("handle", item.AuthHandle);
swapInParameters.AddPrimitiveType("context_blob", item.AuthHandle.ContextBlob);
TPMCommandRequest swapInRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_LoadContext, swapInParameters);
TPMCommandResponse swapInResponse = _tpmContext.TPM.Process(swapInRequest);
if (swapInResponse.Status == false)
{
throw new TPMRequestException("Unknown error while swap in operation");
}
item.AuthHandle.Handle = swapInResponse.Parameters.GetValueOf <ITPMHandle>("handle").Handle;
item.Status = AuthHandleItem.AuthHandleStatus.SwappedIn;
}
}
/// <summary>
/// Unseals the specified data
/// </summary>
/// <param name="data">Data to seal</param>
/// <returns></returns>
public byte[] Unseal(byte[] data)
{
Parameters paramsSeal = new Parameters();
paramsSeal.AddPrimitiveType("in_data", data);
paramsSeal.AddPrimitiveType("key", _keyIdentifier);
Parameters paramsSecret = new Parameters();
paramsSecret.AddPrimitiveType("identifier", KeyIdentifier);
TPMCommandResponse unsealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Unseal, paramsSeal);
return(unsealResponse.Parameters.GetValueOf <byte[]>("data"));
}
/// <summary>
/// Performs the actual swap-in operation
/// </summary>
/// <param name="item"></param>
protected override void SwappedIn(KeyHandleItem item)
{
if (item.Status != KeyHandleItem.KeyHandleStatus.SwappedOut)
{
throw new ArgumentException("Invalid key handle state for swap in operation");
}
if (AvailableKeySlots <= LoadedKeys)
{
SwapOut();
}
Parameters swapInParameters = new Parameters();
swapInParameters.AddValue("handle", item.KeyHandle);
swapInParameters.AddPrimitiveType("context_blob", item.KeyHandle.ContextBlob);
TPMCommandRequest swapInRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_LoadContext, swapInParameters);
TPMCommandResponse swapInResponse = _tpmContext.TPM.Process(swapInRequest);
if (swapInResponse.Status == false)
{
throw new TPMRequestException("Keymanager: Unknown error while swap in operation");
}
item.KeyHandle.Handle = swapInResponse.Parameters.GetValueOf <ITPMHandle>("handle").Handle;
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if (authSessionNum == AuthSessionNum.Auth1)
{
string keyIdentifier = _params.GetValueOf <string>("key");
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("identifier", keyIdentifier);
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters));
}
else if (authSessionNum == AuthSessionNum.Auth2)
{
string identifier = _params.GetValueOf <string>("key");
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("identifier", identifier);
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, parameters));
}
else
{
return(null);
}
}
public override TPMCommandResponse Process()
{
//We don't have any meaningful labeldata we could include,
//so generate some random
byte[] labelData = new byte[16];
Random r = new Random();
r.NextBytes(labelData);
if(_params.IsDefined<ITPMHandle>("handle") == false)
return new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_SaveContext, new Parameters());
ITPMHandle handle = _params.GetValueOf<ITPMHandle>("handle");
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_SaveContext);
requestBlob.WriteUInt32(handle.Handle);
requestBlob.WriteUInt32((uint)handle.ResourceType);
requestBlob.Write(labelData, 0, labelData.Length);
TPMBlob responseBlob = TransmitMe(requestBlob);
responseBlob.SkipHeader();
uint blobSize = responseBlob.ReadUInt32();
byte[] contextBlob = responseBlob.ReadBytes((int)blobSize);
Parameters responseParams = new Parameters();
responseParams.AddPrimitiveType("context_blob", contextBlob);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_SaveContext, responseParams);
}
/// <summary>
/// Retrieves the index of the specified pcr
/// </summary>
/// <param name="pcrIndex"></param>
/// <returns></returns>
public byte[] PCRValue(uint pcrIndex)
{
Parameters pcrParams = new Parameters();
pcrParams.AddPrimitiveType("pcrnum", pcrIndex);
return(BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_PCRRead, pcrParams).Parameters.GetValueOf <byte[]>("value"));
}
/// <summary>
/// Cryptographically reports the selected PCR values and returns
/// the TPMPCRComposite and the generated signature. If no
/// external data is supplied a random nonce is generated on the server.
/// The length of externalData is defined by the hashing algorithm used by the TPM
/// </summary>
/// <param name="pcrs"></param>
/// <param name="externalData">Nonce used for the quoting operation,
/// use CreateCompatibleHashAlgorithm or CreateCompatibleHashProvider to generate a hash value
/// with the correct length</param>
/// <returns></returns>
public QuoteResponse Quote(TPMPCRSelection pcrs, byte[] externalData)
{
Parameters quoteParameters = new Parameters();
quoteParameters.AddPrimitiveType("key", _keyIdentifier);
quoteParameters.AddValue("targetPCR", pcrs);
if (externalData != null)
{
quoteParameters.AddPrimitiveType("externalData", externalData);
}
TPMCommandResponse response = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Quote, quoteParameters);
return(new QuoteResponse(response.Parameters.GetValueOf <TPMPCRComposite>("pcrData"),
response.Parameters.GetValueOf <byte[]>("sig")));
}
/// <summary>
/// Increments the current counter value and returns the new counter value
/// </summary>
/// <returns></returns>
public uint Increment()
{
Parameters incCounterParams = new Parameters();
incCounterParams.AddPrimitiveType("counter_id", _counterId);
return(_tpmSession.DoTPMCommandRequest(new TPMCommandRequest(TPMCommandNames.TPM_CMD_IncrementCounter, incCounterParams))
.Parameters.GetValueOf <TPMCounterValue>("counter_value").CounterValue);
}
public override TPMCommandResponse Process()
{
TPMBlob requestBlob = new TPMBlob ();
requestBlob.WriteCmdHeader (TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_PcrRead);
requestBlob.WriteUInt32 ((uint)_register);
requestBlob.WriteCmdSize ();
TPMBlob responseBlob = TransmitMe (requestBlob);
Parameters responseParam = new Parameters();
byte[] val = responseBlob.ReadBytes(20);
responseParam.AddPrimitiveType("pcrnum", _register);
responseParam.AddPrimitiveType("value", val);
TPMCommandResponse response = new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_PCRRead, responseParam);
return response;
}
/// <summary>
/// Creates a new counter if possible.
/// Creating a counter requires the owner password and also the secret_counter secret
/// </summary>
/// <param name="label">4 bytes to label the counter</param>
/// <returns></returns>
public CounterContext CreateCounter(byte[] label)
{
if(label.Length != 4)
throw new ArgumentException("label needs to be of size 4");
ProtectedPasswordStorage counterSecret = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.CounterSecret, new Parameters()));
if(counterSecret.Hashed == false)
counterSecret.Hash();
counterSecret.DecryptHash();
Parameters createCounterParams = new Parameters();
createCounterParams.AddPrimitiveType("secret", counterSecret.HashValue);
createCounterParams.AddPrimitiveType("label", label);
return new CounterContext(_tpmSession,
_tpmSession.DoTPMCommandRequest(new TPMCommandRequest(TPMCommandNames.TPM_CMD_CreateCounter, createCounterParams))
.Parameters.GetValueOf<uint>("counter_id")
);
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if (authSessionNum != AuthSessionNum.Auth1)
{
return(null);
}
Parameters hmacKeyInfoParams = new Parameters();
hmacKeyInfoParams.AddPrimitiveType("identifier", _params.GetValueOf <string>("key"));
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, hmacKeyInfoParams));
}
public override TPMCommandResponse Process()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_PcrRead);
requestBlob.WriteUInt32((uint)_register);
requestBlob.WriteCmdSize();
TPMBlob responseBlob = TransmitMe(requestBlob);
Parameters responseParam = new Parameters();
byte[] val = responseBlob.ReadBytes(20);
responseParam.AddPrimitiveType("pcrnum", _register);
responseParam.AddPrimitiveType("value", val);
TPMCommandResponse response = new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_PCRRead, responseParam);
return(response);
}
protected override TPMCommandResponse InternalProcess()
{
// Unencrypted authorization values, they need to be XOR-Encrypted with
// XOR(auth, SHA-1(OSAP shared secret | session nonce))
//
// OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap)
AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1);
_encAuth = _params.GetValueOf <byte[]> ("data_auth");
byte[] xorKey = new HashProvider().Hash(
new HashByteDataProvider(auth1OSAP.SharedSecret),
new HashByteDataProvider(auth1OSAP.NonceEven));
ByteHelper.XORBytes(_encAuth, xorKey);
//Load parent key if not loaded
_keyManager.LoadKey(_params.GetValueOf <string>("key"));
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Seal);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_encAuth, 0, 20);
TPMBlobWriteableHelper.WriteITPMBlobWritableWithUIntSize(requestBlob, _pcrInfo);
requestBlob.WriteUInt32((uint)_inData.Length);
requestBlob.Write(_inData, 0, _inData.Length);
AuthorizeMe(requestBlob);
using (_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMStoredDataCore sealedData = TPMStoredDataCore.CreateFromTPMBlob(_responseBlob);
Parameters responseParams = new Parameters();
responseParams.AddPrimitiveType("data", ByteHelper.SerializeToBytes(sealedData));
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Seal, responseParams));
}
protected override TPMCommandResponse InternalProcess()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_LoadKey2);
//If not loaded load now
if (_params.GetValueOf <bool>("parent_key_srk") == false)
{
_keyManager.LoadKey(_params.GetValueOf <string>("parent_identifier"));
}
//To be inserted later
requestBlob.WriteUInt32(0);
_tpmKey.WriteToTpmBlob(requestBlob);
//Blocking authorize, blocks till the user has entered the authorization data
AuthorizeMe(requestBlob);
using (_keyManager.AcquireLock())
{
_keyManager.EnsureFreeSlot();
uint tpmKeyHandle;
if (_params.GetValueOf <bool>("parent_key_srk"))
{
tpmKeyHandle = (uint)TPMKeyHandles.TPM_KH_SRK;
}
else
{
tpmKeyHandle = _keyManager.IdentifierToHandle(_params.GetValueOf <string>("parent_identifier")).Handle;
}
//Write key handle to the first position after the header
requestBlob.SkipHeader();
requestBlob.WriteUInt32(tpmKeyHandle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
uint loadedTpmHandle = _responseBlob.ReadUInt32();
KeyHandle loadedHandle = new KeyHandle(_params.GetValueOf <string>("key_identifier"), loadedTpmHandle);
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("handle", loadedHandle);
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_LoadKey2, _responseParameters));
}
public void TakeOwnership(ProtectedPasswordStorage ownerSecret, ProtectedPasswordStorage srkSecret)
{
_tpmSession.SetValue("secret_" + TPMSession.PARAM_AUTH_OWNER, ownerSecret);
_tpmSession.SetValue("secret_" + TPMSession.PARAM_AUTH_SRK, srkSecret);
IAsymmetricBlockCipher ekEncryptor = _tpmSession.EndorsementKeyHandling.PublicKey.CreateRSAEncrypter();
ownerSecret.DecryptHash();
byte[] encOwnerSecret = ekEncryptor.ProcessBlock(ownerSecret.HashValue, 0, ownerSecret.HashValue.Length);
ownerSecret.ClearHash();
srkSecret.DecryptHash();
byte[] encSrkSecret = ekEncryptor.ProcessBlock(srkSecret.HashValue, 0, srkSecret.HashValue.Length);
srkSecret.ClearHash();
Parameters parameters = new Parameters();
parameters.AddPrimitiveType(PARAM_OWNERAUTH, encOwnerSecret);
parameters.AddPrimitiveType(PARAM_SRKAUTH, encSrkSecret);
/*TPMCommandResponse response = */ BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_TakeOwnership, parameters);
}
public void Init(bool forEncryption, ICipherParameters parameters)
{
_forEncryption = forEncryption;
if (forEncryption)
{
_encryptor = _keyHandle.PublicKey.CreateRSAEncrypter();
Parameters bindParameters = new Parameters();
bindParameters.AddPrimitiveType("type", "request_prefix");
TPMCommandRequest bindPrefixRequest = new TPMCommandRequest(
TPMCommandNames.TPM_CMD_Bind, bindParameters);
_prefix = _session.DoTPMCommandRequest(bindPrefixRequest).Parameters.GetValueOf <byte[]>("prefix");
}
}
public override TPMCommandResponse Process()
{
using(TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_GetRandom);
requestBlob.WriteUInt32(_params.GetValueOf<uint>("bytes_requested"));
_responseBlob = TransmitMe(requestBlob);
}
_responseBlob.SkipHeader();
uint responseByteSize = _responseBlob.ReadUInt32();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("data", _responseBlob.ReadBytes((int)responseByteSize));
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_GetRandom, _responseParameters);
}
public override TPMCommandResponse Process()
{
using (TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_GetRandom);
requestBlob.WriteUInt32(_params.GetValueOf <uint>("bytes_requested"));
_responseBlob = TransmitMe(requestBlob);
}
_responseBlob.SkipHeader();
uint responseByteSize = _responseBlob.ReadUInt32();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("data", _responseBlob.ReadBytes((int)responseByteSize));
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_GetRandom, _responseParameters));
}
public override TPMCommandResponse Process()
{
using(TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_ReadCounter);
requestBlob.WriteUInt32(_params.GetValueOf<uint>("counter_id"));
_responseBlob = TransmitMe(requestBlob);
}
_responseBlob.SkipHeader();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("counter_id", _params.GetValueOf<uint>("counter_id"));
_responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob));
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_ReadCounter, _responseParameters);
}
public override TPMCommandResponse Process()
{
using (TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_ReadCounter);
requestBlob.WriteUInt32(_params.GetValueOf <uint>("counter_id"));
_responseBlob = TransmitMe(requestBlob);
}
_responseBlob.SkipHeader();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("counter_id", _params.GetValueOf <uint>("counter_id"));
_responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob));
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_ReadCounter, _responseParameters));
}
protected override TPMCommandResponse InternalProcess()
{
using (TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_IncrementCounter);
requestBlob.WriteUInt32(_params.GetValueOf <uint>("counter_id"));
_responseBlob = AuthorizeMeAndTransmit(requestBlob);
}
_responseBlob.SkipHeader();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("counter_id", _responseBlob.ReadUInt32());
_responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob));
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateCounter, _responseParameters));
}
public override TPMCommandResponse Process()
{
if(_params.GetValueOf<string>("type", "") == "request_prefix")
{
TPMBoundDataCore boundData = TPMBoundDataCore.Encapsulate(new byte[0]);
_responseParameters = new Parameters();
using(TPMBlob blob = new TPMBlob())
{
boundData.WriteToTpmBlob(blob);
_responseParameters.AddPrimitiveType("prefix", blob.ToArray());
}
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Bind, _responseParameters);
}
else
throw new ArgumentException("TPM_Bind: did not find valid type");
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if (authSessionNum != AuthSessionNum.Auth1)
{
return(null);
}
if (_params.GetValueOf <bool>("parent_key_srk"))
{
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters()));
}
else
{
Parameters hmacKeyInfoParams = new Parameters();
hmacKeyInfoParams.AddPrimitiveType("identifier", _params.GetValueOf <string>("parent_identifier"));
return(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, hmacKeyInfoParams));
}
}
public override TPMCommandResponse Process()
{
using(TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_Extend);
requestBlob.WriteUInt32(_params.GetValueOf<uint>("pcr"));
byte[] digest = _params.GetValueOf<byte[]>("digest");
if(digest.Length != 20)
throw new ArgumentException("Digest needs to be of length '20'");
requestBlob.Write(digest, 0, digest.Length);
_responseBlob = TransmitMe(requestBlob);
}
_responseBlob.SkipHeader();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("pcr_value", _responseBlob.ReadBytes(20));
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Extend, _responseParameters);
}
protected override double Sample()
{
Parameters getRandomParameters = new Parameters();
getRandomParameters.AddPrimitiveType("bytes_requested", (uint)4);
byte[] randomBytes = _tpmSession.DoTPMCommandRequest(new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetRandom, getRandomParameters))
.Parameters.GetValueOf<byte[]>("data");
byte[] realData;
if(randomBytes.Length <4)
{
Console.WriteLine("Requested 4 received {0}", randomBytes.Length);
realData = new byte[4];
Array.Copy(randomBytes, 0, realData, 0, randomBytes.Length);
}
else
realData = randomBytes;
UInt32 randomVal = BitConverter.ToUInt32(realData, 0);
return (double)randomVal/(double)UInt32.MaxValue;
}
protected override TPMCommandResponse InternalProcess()
{
//Load parent key if not loaded
_keyManager.LoadKey(_params.GetValueOf<string>("key"));
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_UnBind);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.WriteUInt32((uint)_inData.Length);
requestBlob.Write(_inData, 0, _inData.Length);
AuthorizeMe(requestBlob);
using(_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
uint dataSize = _responseBlob.ReadUInt32();
byte[] responseData = new byte[dataSize];
_responseBlob.Read(responseData, 0, responseData.Length);
Parameters responseParams = new Parameters();
responseParams.AddPrimitiveType("data", responseData);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Unbind, responseParams);
}
protected override TPMCommandResponse InternalProcess()
{
// Unencrypted authorization values, they need to be XOR-Encrypted with
// XOR(auth, SHA-1(OSAP shared secret | session nonce))
//
// OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap)
AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1);
_usageAuth = _params.GetValueOf<byte[]> ("usage_auth");
_migrationAuth = _params.GetValueOf<byte[]> ("migration_auth");
byte[] xorKey = new HashProvider().Hash(
new HashByteDataProvider(auth1OSAP.SharedSecret),
new HashByteDataProvider(auth1OSAP.NonceEven));
ByteHelper.XORBytes(_usageAuth, xorKey);
ByteHelper.XORBytes(_migrationAuth, xorKey);
//Load parent key if not loaded
_keyManager.LoadKey(_params.GetValueOf<string>("parent"));
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_CreateWrapKey);
//parent key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_usageAuth, 0, 20);
requestBlob.Write(_migrationAuth, 0, 20);
_tpmKey.WriteToTpmBlob(requestBlob);
using(_keyManager.AcquireLock())
{
AuthorizeMe(requestBlob);
requestBlob.SkipHeader();
if(_params.GetValueOf<string>("parent") == KeyHandle.KEY_SRK)
requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_SRK);
else
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("parent")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMKeyCore newKey = new TPMKeyCore(_responseBlob);
_responseParameters = new Parameters();
//Build and save the key identifier
//The key identifier is the hex-string representation of the hash of the newly created key
_responseParameters.AddPrimitiveType("key_identifier",
ByteHelper.ByteArrayToHexString(
new HashProvider().Hash(
new HashByteDataProvider(
ByteHelper.SerializeToBytes(newKey)
)
),
""));
_responseParameters.AddPrimitiveType("key_data", ByteHelper.SerializeToBytes(newKey));
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateWrapKey, _responseParameters);
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if(authSessionNum != AuthSessionNum.Auth1)
return null;
string parentIdentifier = _params.GetValueOf<string>("parent");
if(parentIdentifier == KeyHandle.KEY_SRK)
return new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters());
else
{
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("identifier", parentIdentifier);
return new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters);
}
}
/// <summary>
/// Cryptographically reports the selected PCR values and returns
/// the TPMPCRComposite and the generated signature. If no
/// external data is supplied a random nonce is generated on the server.
/// The length of externalData is defined by the hashing algorithm used by the TPM
/// </summary>
/// <param name="pcrs"></param>
/// <param name="externalData">Nonce used for the quoting operation,
/// use CreateCompatibleHashAlgorithm or CreateCompatibleHashProvider to generate a hash value
/// with the correct length</param>
/// <returns></returns>
public QuoteResponse Quote(TPMPCRSelection pcrs, byte[] externalData)
{
Parameters quoteParameters = new Parameters();
quoteParameters.AddPrimitiveType("key", _keyIdentifier);
quoteParameters.AddValue("targetPCR", pcrs);
if(externalData != null)
quoteParameters.AddPrimitiveType("externalData", externalData);
TPMCommandResponse response = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Quote, quoteParameters);
return new QuoteResponse(response.Parameters.GetValueOf<TPMPCRComposite>("pcrData"),
response.Parameters.GetValueOf<byte[]>("sig"));
}
public ClientKeyHandle CreateKey(string friendlyName, uint keyLength, TPMKeyUsage keyUsage, TPMKeyFlags keyFlags)
{
Parameters paramsCreateWrapKey = new Parameters();
paramsCreateWrapKey.AddPrimitiveType("parent", KeyIdentifier);
paramsCreateWrapKey.AddPrimitiveType("key_usage", keyUsage);
paramsCreateWrapKey.AddPrimitiveType("key_flags", keyFlags);
paramsCreateWrapKey.AddPrimitiveType("key_length", keyLength);
paramsCreateWrapKey.AddPrimitiveType("exponent", new byte[0]);
paramsCreateWrapKey.AddPrimitiveType("num_primes", (uint)0);
if (keyUsage == TPMKeyUsage.TPM_KEY_SIGNING)
{
paramsCreateWrapKey.AddPrimitiveType("enc_scheme", TPMEncScheme.TPM_ES_NONE);
paramsCreateWrapKey.AddPrimitiveType("sig_scheme", TPMSigScheme.TPM_SS_RSASSAPKCS1v15_SHA1);
}
else
{
paramsCreateWrapKey.AddPrimitiveType("enc_scheme", TPMEncScheme.TPM_ES_RSAESOAEP_SHA1_MGF1);
paramsCreateWrapKey.AddPrimitiveType("sig_scheme", TPMSigScheme.TPM_SS_NONE);
}
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("identifierIsFriendlyName", true);
parameters.AddPrimitiveType("identifier", friendlyName);
ProtectedPasswordStorage authUsage = _tpmSession.RequestSecret(
new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters));
if(authUsage.Hashed == false)
authUsage.Hash();
authUsage.DecryptHash();
paramsCreateWrapKey.AddPrimitiveType("usage_auth", authUsage.HashValue);
ProtectedPasswordStorage authMigration = null;
if((keyFlags & TPMKeyFlags.Migratable) == TPMKeyFlags.Migratable)
{
authMigration = _tpmSession.RequestSecret(
new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyMigrationSecret, parameters));
authMigration.DecryptHash();
paramsCreateWrapKey.AddPrimitiveType("migration_auth", authMigration.HashValue);
}
else
paramsCreateWrapKey.AddPrimitiveType("migration_auth", new byte[20]);
try
{
TPMCommandResponse responseCreateWrapKey =
BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_CreateWrapKey, paramsCreateWrapKey);
_tpmSession.Keystore.AddKey(
friendlyName,
responseCreateWrapKey.Parameters.GetValueOf<string>("key_identifier"),
this.FriendlyName,
responseCreateWrapKey.Parameters.GetValueOf<byte[]>("key_data"));
return new ClientKeyHandle(friendlyName, responseCreateWrapKey.Parameters.GetValueOf<string>("key_identifier"), _tpmSession);
}
finally
{
if(authMigration != null)
authMigration.ClearHash();
if(authUsage != null)
authUsage.ClearHash();
}
}
/// <summary>
/// Unseals the specified data
/// </summary>
/// <param name="data">Data to seal</param>
/// <returns></returns>
public byte[] Unseal(byte[] data)
{
Parameters paramsSeal = new Parameters();
paramsSeal.AddPrimitiveType("in_data", data);
paramsSeal.AddPrimitiveType("key", _keyIdentifier);
Parameters paramsSecret = new Parameters();
paramsSecret.AddPrimitiveType("identifier", KeyIdentifier);
TPMCommandResponse unsealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Unseal, paramsSeal);
return unsealResponse.Parameters.GetValueOf<byte[]>("data");
}
protected override TPMCommandResponse InternalProcess()
{
using(TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_IncrementCounter);
requestBlob.WriteUInt32(_params.GetValueOf<uint>("counter_id"));
_responseBlob = AuthorizeMeAndTransmit(requestBlob);
}
_responseBlob.SkipHeader();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("counter_id", _responseBlob.ReadUInt32());
_responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob));
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateCounter, _responseParameters);
}
protected override TPMCommandResponse InternalProcess()
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Quote);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_nonce, 0, 20);
_pcrSelection.WriteToTpmBlob(requestBlob);
_keyManager.LoadKey(_params.GetValueOf<string>("key"));
AuthorizeMe(requestBlob);
using(_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMPCRCompositeCore pcrComposite = TPMPCRCompositeCore.CreateFromTPMBlob(_responseBlob);
uint sigSize = _responseBlob.ReadUInt32();
byte[] signature = _responseBlob.ReadBytes((int)sigSize);
// Do signature verification
TPMQuoteInfoCore quoteInfo = TPMQuoteInfoCore.Create(new HashProvider().Hash(new HashTPMBlobWritableDataProvider(pcrComposite)), _nonce);
byte[] signingData;
using (TPMBlob blob = new TPMBlob())
{
quoteInfo.WriteToTpmBlob(blob);
signingData = blob.ToArray();
}
Parameters pubKeyParams = new Parameters();
pubKeyParams.AddPrimitiveType("key", _params.GetValueOf<string>("key"));
TPMCommandRequest pubKeyRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetPubKey, pubKeyParams);
TPMCommandResponse pubKeyResponse = _tpmWrapper.Process(pubKeyRequest,
_commandAuthHelper, _keyManager);
if (pubKeyResponse.Status == false)
{
_log.FatalFormat("TPM_Quote: Could not retrieve pubkey of key");
return new TPMCommandResponse(false, TPMCommandNames.TPM_CMD_Quote, new Parameters());
}
TPMKey keyInfo = TPMKeyCore.CreateFromBytes(_keyManager.GetKeyBlob(_params.GetValueOf<string>("key")));
TPMPubkey pubkey = pubKeyResponse.Parameters.GetValueOf<TPMPubkey>("pubkey");
if (SignatureVerification.VerifySignature(keyInfo, pubkey, signingData, signature) == false)
{
throw new ArgumentException("The TPM_Quote signature could not be verified");
}
Parameters responseParams = new Parameters();
responseParams.AddValue("pcrData", pcrComposite);
responseParams.AddPrimitiveType("sig", signature);
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Quote, responseParams);
}
/// <summary>
/// Retrieves Version information of the TPM
/// </summary>
public CapabilityData.TPMCapVersionInfo GetTPMVersion()
{
Parameters parameters = new Parameters ();
parameters.AddPrimitiveType ("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_VERSION_VAL);
parameters.AddPrimitiveType ("subCap", new byte[0]);
return BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_GetCapability, parameters).Parameters.GetValueOf<CapabilityData.TPMCapVersionInfo> (CapabilityData.PARAM_TPM_VERSION_INFO);
}
public override void Execute(string[] commandline)
{
if (commandline.Length < 2)
{
_console.Out.WriteLine ("Error: [local_session_alias] not specified");
return;
}
else if (commandline.Length < 3)
{
_console.Out.WriteLine ("Error: [command] not specified");
return;
}
ClientContext ctx = _console.GetValue<ClientContext> ("client_context", null);
if (ctx == null)
{
_console.Out.WriteLine ("No active connection was found");
return;
}
string localAlias = commandline[1];
string keyCommand = commandline[2];
IDictionary<string, TPMSession> tpmSessions = _console.GetValue<IDictionary<string, TPMSession>> ("tpm_sessions", null);
if (tpmSessions == null || tpmSessions.ContainsKey (localAlias) == false)
{
_console.Out.WriteLine ("Error: Specified local alias was not found");
return;
}
if (keyCommand == "clear")
{
List<string> toRemove = new List<string>();
foreach(string key in tpmSessions[localAlias].ListValueKeys())
{
if(key.StartsWith("secret_"))
toRemove.Add(key);
}
foreach(string key in toRemove)
{
tpmSessions[localAlias].ClearValue(key);
}
}
else if (keyCommand == "remove")
{
IDictionary<string, string> arguments = null;
if(commandline.Length >= 4)
arguments = _console.SplitArguments(commandline[3], 0);
if(commandline.Length < 4 || arguments.ContainsKey("type") == false)
{
_console.Out.WriteLine("Error: No type to remove specified");
return;
}
tpmSessions[localAlias].ClearValue("secret_" + arguments["type"]);
}
else if(keyCommand == "add")
{
if(commandline.Length < 4)
{
_console.Out.WriteLine("Error: No arguments specified");
return;
}
IDictionary<string, string> arguments = _console.SplitArguments(commandline[3], 0);
if(arguments.ContainsKey("type") == false)
{
_console.Out.WriteLine("Error: No type specified");
return;
}
string dictKey = arguments["type"];
HMACKeyInfo keyInfo;
Parameters hmacKeyInfoParams = new Parameters();
if(dictKey == "owner")
{
dictKey = TPMSession.PARAM_AUTH_OWNER;
keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, hmacKeyInfoParams);
}
else if(dictKey == "srk")
{
dictKey = TPMSession.PARAM_AUTH_SRK;
keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, hmacKeyInfoParams);
}
else if(dictKey == "key_usage")
{
if(arguments.ContainsKey("name") == false)
{
_console.Out.WriteLine("Error: key_usage requires name of key");
return;
}
dictKey = "usage_" + arguments["name"];
hmacKeyInfoParams.AddPrimitiveType("identifier", arguments["name"]);
keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, hmacKeyInfoParams);
}
else if(dictKey == "seal")
{
if(arguments.ContainsKey("name") == false)
{
_console.Out.WriteLine("Error: seal requires name of key");
return;
}
dictKey = "seal_" + arguments["name"];
hmacKeyInfoParams.AddPrimitiveType("identifier", arguments["name"]);
keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, hmacKeyInfoParams);
}
else if(dictKey == "counter")
{
dictKey = "counter";
keyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.CounterSecret, new Parameters());
}
else
{
_console.Out.WriteLine("Error: Unknown secret type");
return;
}
ProtectedPasswordStorage pw;
if(arguments.ContainsKey("secret"))
{
pw = new ProtectedPasswordStorage();
foreach(char c in arguments["secret"])
pw.AppendPasswordChar(c);
}
else
{
tpmSessions[localAlias].ClearValue("secret_" + dictKey);
pw = tpmSessions[localAlias].RequestSecret(keyInfo);
}
pw.Hash();
tpmSessions[localAlias].SetValue("secret_" + dictKey, pw);
}
else
_console.Out.WriteLine ("Error, unknown command '{0}'", commandline[2]);
}
/// <summary>
/// Unbinds the specified data, the encrypted data needs to be
/// of type TPMBoundData
/// </summary>
/// <param name="data"></param>
/// <returns>Returns the decrypted data</returns>
public byte[] Unbind(byte[] data)
{
Parameters paramsUnbind = new Parameters();
paramsUnbind.AddPrimitiveType("in_data", data);
paramsUnbind.AddPrimitiveType("key", _keyIdentifier);
TPMCommandResponse unbindResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Unbind, paramsUnbind);
return unbindResponse.Parameters.GetValueOf<byte[]>("data");
}
/// <summary>
/// Signs the specified data, but the data is already in the format the signature format (Attached to the key) requires it to be.
/// </summary>
/// <remarks>
/// Use this for large amount of data, or use the <see>CreateSigner</see> method
/// </remarks>
/// <param name="data"></param>
/// <returns></returns>
public byte[] SignWithProperFormat(byte[] data)
{
Parameters signParameters = new Parameters();
signParameters.AddPrimitiveType("key", _keyIdentifier);
signParameters.AddPrimitiveType("areaToSign", data);
return BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Sign, signParameters).Parameters.GetValueOf<byte[]>("sig");
}
/// <summary>
/// Seals data to the specified pcr selection,
/// create a valid pcr selection with session.CreateEmptyPCRSelection
/// </summary>
/// <param name="pcrSelection"></param>
/// <param name="data">Data to seal</param>
/// <returns></returns>
public byte[] Seal(TPMPCRSelection pcrSelection, byte[] data)
{
Parameters paramsSeal = new Parameters();
paramsSeal.AddPrimitiveType("in_data", data);
paramsSeal.AddPrimitiveType("key", _keyIdentifier);
paramsSeal.AddValue("pcr_selection", pcrSelection);
Parameters paramsSecret = new Parameters();
paramsSecret.AddPrimitiveType("identifier", KeyIdentifier);
ProtectedPasswordStorage authSeal = _tpmSession.RequestSecret(new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SealAuth, paramsSecret));
if(authSeal.Hashed == false)
authSeal.Hash();
authSeal.DecryptHash();
paramsSeal.AddPrimitiveType("data_auth", authSeal.HashValue);
try
{
TPMCommandResponse sealResponse = BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_Seal, paramsSeal);
return sealResponse.Parameters.GetValueOf<byte[]>("data");
}
finally
{
if(authSeal != null)
authSeal.ClearHash();
}
}
/// <summary>
/// Assures that the shared secret for the specified authorization handle has been
/// calculated, if not it gets calculated. If no OSAP session exists, create it
/// </summary>
/// <param name="cmd"></param>
/// <param name="sessionNum"></param>
/// <returns></returns>
public AuthHandle AssureOSAPSharedSecret(IAuthorizableCommand cmd, AuthSessionNum authSessionNum)
{
// using(AcquireLock())
// {
// //Must not be called for OSAP at the moment because OSAP session are not cached
// _tpmContext.AuthHandleManager.ReserveAuthHandleSlots(cmd);
// }
//
HMACKeyInfo keyInfo = cmd.GetKeyInfo(authSessionNum);
if(keyInfo == null)
return null;
AuthHandle authHandle;
using(AcquireLock())
{
authHandle = _tpmContext.AuthHandleManager.GetAuthHandle(cmd, authSessionNum);
}
// If shared secret has not yet been generated, do it
if(authHandle.SharedSecret == null)
{
GenerateHMACRequest request = GenerateHMACRequest.CreateGenerateHMACRequest(
_ctx,
new HashByteDataProvider(authHandle.NonceEvenOSAP),
new HashByteDataProvider(authHandle.NonceOddOSAP)
);
request.TpmSessionIdentifier = _tpmSessionIdentifier;
Parameters paramsSharedSecret = new Parameters();
if(cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE ||
cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_SRK)
{
if(cmd.GetHandle(authSessionNum) == KeyHandle.KEY_SRK)
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.SrkSecret, new Parameters());
else
{
paramsSharedSecret.AddPrimitiveType("identifier", cmd.GetHandle(authSessionNum));
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, paramsSharedSecret);
}
}
else if(cmd.GetEntityType(authSessionNum) == TPMEntityTypeLSB.TPM_ET_OWNER)
request.KeyInfo = new HMACKeyInfo(HMACKeyInfo.HMACKeyType.OwnerSecret, new Parameters());
else
throw new NotSupportedException(string.Format("CommandAuthorizationHelper does not support entity type '{0}'",
cmd.GetEntityType(authSessionNum)));
GenerateHMACResponse response = request.TypedExecute ();
response.AssertResponse();
authHandle.SharedSecret = response.TpmAuthData;
}
return authHandle;
}
/// <summary>
/// Returns if the specified sizeIfSelect (= pcrcount / 8) is supported.
/// This is used to create valid PCRSelection objects for this tpm
/// </summary>
/// <param name="size">
/// A <see cref="System.UInt16"/>
/// </param>
/// <returns>
/// A <see cref="System.Boolean"/>
/// </returns>
public bool SupportsSizeOfPcr(ushort size)
{
Parameters parameters = new Parameters ();
parameters.AddPrimitiveType ("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_SELECT_SIZE);
parameters.AddPrimitiveType(CapabilityData.PARAM_PROP_SELECT_SIZE, size);
return this.BuildDoVerifyRequest(TPMCommandNames.TPM_CMD_GetCapability, parameters)
.Parameters.GetValueOf<bool>(CapabilityData.PARAM_PROP_SELECT_SIZE);
}
public override HMACKeyInfo GetKeyInfo(AuthSessionNum authSessionNum)
{
if(authSessionNum != AuthSessionNum.Auth1)
return null;
string keyIdentifier = _params.GetValueOf<string>("key");
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("identifier", keyIdentifier);
return new HMACKeyInfo(HMACKeyInfo.HMACKeyType.KeyUsageSecret, parameters);
}
public override void Init(Parameters param, TPMProvider tpmProvider, TPMWrapper tpmWrapper)
{
base.Init (param, tpmProvider, tpmWrapper);
_digest = null;
_responseDigest = null;
_inData = param.GetValueOf<byte[]>("in_data");
_pcrInfo = new TPMPCRInfoCore(new TPMPCRSelectionCore(param.GetValueOf<TPMPCRSelection>("pcr_selection")));
_pcrInfo.CalculateDigests((TPMPCRInfoCore.GetPCRValueDelegate)delegate(uint pcrNum)
{
//TODO: Use TPM_Quote to determine pcr values once it's available
Parameters pcrParams = new Parameters();
pcrParams.AddPrimitiveType("pcrnum", pcrNum);
TPMCommandResponse pcrResponse = _tpmWrapper.Process(new TPMCommandRequest(TPMCommandNames.TPM_CMD_PCRRead, pcrParams));
if(!pcrResponse.Status)
throw new TPMResponseException("An unknown error occured on performing pcrread");
return pcrResponse.Parameters.GetValueOf<byte[]>("value");
});
}
/// <summary>
/// Reads the configured tpm devices from the configuration and
/// sets up the corresponding tpm contexts
/// </summary>
private void SetupTPMContexts()
{
IConnectionsConfiguration connectionConfig = (IConnectionsConfiguration)ConfigurationManager.GetSection ("connections");
foreach (Iaik.Tc.TPM.Configuration.DotNetConfiguration.TPMDevice device in connectionConfig.TpmDevices)
{
try
{
_logger.InfoFormat ("Setting up tpm context '{0}'", device.TPMName);
TPMWrapper tpmDevice = new TPMWrapper ();
tpmDevice.Init (device.TPMType, device.Parameters);
TPMContext tpmContext = new TPMContext (device.TPMName, tpmDevice);
_tpmContexts.Add (device.TPMName, tpmContext);
_logger.InfoFormat ("Flushing device '{0}'", device.TPMName);
foreach (TPMResourceType resourceType in new TPMResourceType[] {
TPMResourceType.TPM_RT_AUTH, TPMResourceType.TPM_RT_KEY})
{
Parameters listLoadedHandlesParameters = new Parameters ();
listLoadedHandlesParameters.AddPrimitiveType ("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE);
listLoadedHandlesParameters.AddPrimitiveType ("handle_type", resourceType);
TPMCommandRequest listLoadedHandlesRequest = new TPMCommandRequest (TPMCommandNames.TPM_CMD_GetCapability,
listLoadedHandlesParameters);
TPMCommandResponse response = tpmDevice.Process (listLoadedHandlesRequest);
if (response.Status == false)
throw new Exception ("An unknown tpm exception while flushing occured");
foreach (uint handle in response.Parameters.GetValueOf<HandleList> ("handles"))
{
Parameters flushParameters = new Parameters ();
flushParameters.AddValue ("handle", HandleFactory.Create (resourceType, handle));
TPMCommandRequest flushRequest = new TPMCommandRequest (TPMCommandNames.TPM_CMD_FlushSpecific, flushParameters);
TPMCommandResponse flushResponse = tpmDevice.Process (flushRequest);
if (flushResponse.Status == false)
throw new Exception ("Something went wrong while flushing");
}
}
_logger.InfoFormat ("Successfully setup tpm context '{0}' with type '{1}'", device.TPMName, device.TPMType);
}
catch (Exception ex)
{
_logger.FatalFormat ("Error setting up tpm device '{0}', the device will not be available ({1})", device.TPMName, ex);
}
///Set the Assembly search order for incoming Parameters so that core classes are always at first
Parameters.AssemblySearchOrder = new Assembly[]{
typeof(TPMWrapper).Assembly, //lib core
typeof(ITypedParameter).Assembly}; //lib common
}
}
protected override TPMCommandResponse InternalProcess()
{
// Unencrypted authorization values, they need to be XOR-Encrypted with
// XOR(auth, SHA-1(OSAP shared secret | session nonce))
//
// OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap)
AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1);
_encAuth = _params.GetValueOf<byte[]> ("data_auth");
byte[] xorKey = new HashProvider().Hash(
new HashByteDataProvider(auth1OSAP.SharedSecret),
new HashByteDataProvider(auth1OSAP.NonceEven));
ByteHelper.XORBytes(_encAuth, xorKey);
//Load parent key if not loaded
_keyManager.LoadKey(_params.GetValueOf<string>("key"));
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Seal);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_encAuth, 0, 20);
TPMBlobWriteableHelper.WriteITPMBlobWritableWithUIntSize(requestBlob, _pcrInfo);
requestBlob.WriteUInt32((uint)_inData.Length);
requestBlob.Write(_inData, 0, _inData.Length);
AuthorizeMe(requestBlob);
using(_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf<string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMStoredDataCore sealedData = TPMStoredDataCore.CreateFromTPMBlob(_responseBlob);
Parameters responseParams = new Parameters();
responseParams.AddPrimitiveType("data", ByteHelper.SerializeToBytes(sealedData));
return new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Seal, responseParams);
}
