/// <summary>
/// Gets the identifier of the device
/// </summary>
/// <returns></returns>
public string GetHardwareDeviceId()
{
TpmHandle srkHandle = new TpmHandle(TPM_20_SRK_HANDLE);
try
{
string hardwareDeviceId;
// Open the TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
using (var tpm = new Tpm2(tpmDevice))
{
// Read the URI from the TPM
TpmPublic srk = tpm.ReadPublic(srkHandle, out byte[] name, out byte[] qualifiedName);
// Calculate the hardware device id for this logical device
byte[] deviceId = CryptoLib.HashData(TpmAlgId.Sha256, BitConverter.GetBytes(logicalDeviceId), name);
// Produce the output string
hardwareDeviceId = string.Join(string.Empty, deviceId.Select(b => b.ToString("x2")));
}
return(hardwareDeviceId);
}
catch { }
return(string.Empty);
}
internal static TpmHandle CreateEncryptionDecryptionKey(Tpm2 tpm, TpmHandle parent)
{
var sensCreate = new SensitiveCreate(null, null);
var sym = new SymDefObject(TpmAlgId.Aes, 128, TpmAlgId.Cfb);
var pub = new TpmPublic(TpmAlgId.Sha256,
ObjectAttr.Decrypt | ObjectAttr.UserWithAuth,
null,
sym,
new Tpm2bDigestSymcipher());
TssObject swKey = TssObject.Create(pub);
var innerWrapKey = sym == null ? null : SymCipher.Create(sym);
byte[] name, qname;
TpmPublic pubParent = tpm.ReadPublic(parent, out name, out qname);
byte[] encSecret;
TpmPrivate dupBlob = swKey.GetDuplicationBlob(pubParent, innerWrapKey, out encSecret);
TpmPrivate privImp = tpm.Import(parent, innerWrapKey, swKey.Public, dupBlob,
encSecret, sym ?? new SymDefObject());
TpmHandle hKey = tpm.Load(parent, privImp, swKey.Public)
.SetAuth(swKey.Sensitive.authValue);
return(hKey);
}
} //NVCounter
internal static void CreateTwoPrimaries(Tpm2 tpm)
{
var data = Encoding.UTF8.GetBytes("hello world");
var handle1 = KeyHelpers.CreatePrimaryRsaKey(tpm, null, null, null, out TpmPublic key);
IAsymSchemeUnion decScheme = new SchemeOaep(TpmAlgId.Sha1);
var cipher = tpm.RsaEncrypt(handle1, data, decScheme, null);
byte[] decrypted1 = tpm.RsaDecrypt(handle1, cipher, decScheme, null);
var decyyptedData = Encoding.UTF8.GetString(decrypted1);
var pub = tpm.ReadPublic(handle1, out byte[] name, out byte[] qn);
var enc = KeyHelpers.CreateEncryptionDecryptionKey(tpm, handle1);
tpm._ExpectResponses(TpmRc.Success, TpmRc.TbsCommandBlocked);
var cipher2 = tpm.EncryptDecrypt(enc, 1, TpmAlgId.None, data, data, out byte[] test2);
tpm.FlushContext(handle1);
var handle2 = KeyHelpers.CreatePrimary(tpm, out TpmPublic key3); //, seed: new byte[] { 22, 123, 22, 1, 33 });
tpm.FlushContext(handle2);
}
private static void DumpStorageRootKey(Tpm2 tpm)
{
byte[] name;
byte[] qualifiedName;
var storageRootKey = tpm.ReadPublic(new TpmHandle(TPM2_SRK_HANDLE), out name, out qualifiedName);
var srk = storageRootKey.GetTpm2BRepresentation();
Console.WriteLine($"Public Storage Root Key (SRK): {ToHexString(srk)}");
}
private static void DumpEndorsementKey(Tpm2 tpm)
{
byte[] name;
byte[] qualifiedName;
var endorcementKey = tpm.ReadPublic(new TpmHandle(TPM2_EK_HANDLE), out name, out qualifiedName);
var ek = endorcementKey.GetTpm2BRepresentation();
Console.WriteLine($"Public Endorcement Key (EK): {ToHexString(ek)}");
}
public static SchemeEcdaa PrepareEcdaaScheme(Tpm2 tpm, TpmHandle signKey,
ISigSchemeUnion scheme)
{
var schemeEcdaa = scheme as SchemeEcdaa;
if (schemeEcdaa != null)
{
byte[] name, qualName;
var keyPub = tpm.ReadPublic(signKey, out name, out qualName);
ushort counter = 0;
EccPoint l, E;
EccPoint PP = keyPub.unique as EccPoint;
tpm.Commit(signKey, PP, null, null, out l, out E, out counter);
schemeEcdaa.count = counter;
}
return(schemeEcdaa);
}
public string GetHardwareDeviceId()
{
TpmHandle srkHandle = new TpmHandle(SRK_HANDLE);
string hardwareDeviceId = "";
Byte[] name;
Byte[] qualifiedName;
try
{
// Open the TPM
Tpm2Device tpmDevice = new TbsDevice();
tpmDevice.Connect();
var tpm = new Tpm2(tpmDevice);
// Read the URI from the TPM
TpmPublic srk = tpm.ReadPublic(srkHandle, out name, out qualifiedName);
// Dispose of the TPM
tpm.Dispose();
}
catch
{
return(hardwareDeviceId);
}
// Calculate the hardware device id for this logical device
byte[] deviceId = CryptoLib.HashData(TpmAlgId.Sha256, BitConverter.GetBytes(logicalDeviceId), name);
// Produce the output string
foreach (byte n in deviceId)
{
hardwareDeviceId += n.ToString("x2");
}
return(hardwareDeviceId);
}
public static TpmPublic ReadPublic(Tpm2 tpm, TpmHandle h)
{
byte[] name, qualName;
return(tpm.ReadPublic(h, out name, out qualName));
}
/// <summary>
/// Performs the following operations:
/// - Generates in software (using TSS.net helpers) a key with the given template,
/// - Creates TPM-compatible dupliction blob for the given TPM based parent key,
/// - Import the duplication blob into TPM
/// - Loads the imported key into the TPM
/// - Makes sure that the imported key works.
/// </summary>
/// <param name="tpm">TPM instance to use</param>
/// <param name="keyPub">Template for the software generated key.</param>
/// <param name="hParent">Intended TPM based parent key for the software generated key.</param>
/// <param name="innerSymDef">Specification of the optional inner wrapper for the duplication blob.</param>
static void GenerateAndImport(Tpm2 tpm, TpmPublic keyPub, TpmHandle hParent,
SymDefObject innerSymDef = null)
{
//
// Create a software key with the given template
//
// Generate a random auth value for the key to be created (though we could
// use an empty buffer, too).
var keyAuth = AuthValue.FromRandom(CryptoLib.DigestSize(keyPub.nameAlg));
// Generate the key
TssObject swKey = TssObject.Create(keyPub, keyAuth);
//
// Create duplication blob for the new key with the SRK as the new parent
//
// Create a symmetric software key if an inner wrapper is requested.
var innerWrapKey = innerSymDef == null ? null : SymCipher.Create(innerSymDef);
// Retrieve the public area of the intended parent key from the TPM
// We do not need the name (and qualified name) of the key here, but
// the TPM command returns them anyway.
// NOTE - Alternatively we could get the public area from the overloaded
// form of the CreateRsaPrimaryStorageKey() helper used to create the parent
// key, as all TPM key creation commands (TPM2_CreatePrimary(), TPM2_Create()
// and TPM2_CreateLoaded()) return it.
byte[] name, qname;
TpmPublic pubParent = tpm.ReadPublic(hParent, out name, out qname);
byte[] encSecret;
TpmPrivate dupBlob = swKey.GetDuplicationBlob(pubParent, innerWrapKey, out encSecret);
// Import the duplication blob into the TPM
TpmPrivate privImp = tpm.Import(hParent, innerWrapKey, swKey.Public, dupBlob,
encSecret, innerSymDef ?? new SymDefObject());
// Load the imported key ...
TpmHandle hKey = tpm.Load(hParent, privImp, swKey.Public)
.SetAuth(swKey.Sensitive.authValue);
// ... and validate that it works
byte[] message = Globs.GetRandomBytes(32);
if (keyPub.objectAttributes.HasFlag(ObjectAttr.Decrypt))
{
// Encrypt something
if (keyPub.type == TpmAlgId.Symcipher)
{
// Only need software symcypher here to query IV size.
// Normally, when you use a fixed algorithm, you can hardcode it.
var swSym = SymCipher.Create(keyPub.parameters as SymDefObject);
byte[] ivIn = Globs.GetRandomBytes(swSym.IVSize),
ivOut = null;
byte[] cipher = swKey.Encrypt(message, ref ivIn, out ivOut);
// Not all TPMs implement TPM2_EncryptDecrypt() command
tpm._ExpectResponses(TpmRc.Success, TpmRc.TbsCommandBlocked);
byte[] decrypted = tpm.EncryptDecrypt(hKey, 1, TpmAlgId.Null, ivIn,
cipher, out ivOut);
if (tpm._LastCommandSucceeded())
{
bool decOk = Globs.ArraysAreEqual(message, decrypted);
Console.WriteLine("Imported symmetric key validation {0}",
decOk ? "SUCCEEDED" : "FAILED");
}
}
}
else
{
// Sign something (works for both asymmetric and MAC keys)
string keyType = keyPub.type == TpmAlgId.Rsa ? "RSA"
: keyPub.type == TpmAlgId.Keyedhash ? "HMAC"
: "UNKNOWN"; // Should not happen in this sample
TpmAlgId sigHashAlg = GetSchemeHash(keyPub);
TpmHash toSign = TpmHash.FromData(sigHashAlg, message);
var proofx = new TkHashcheck(TpmRh.Null, null);
ISignatureUnion sig = tpm.Sign(hKey, toSign, null, proofx);
bool sigOk = swKey.VerifySignatureOverHash(toSign, sig);
Console.WriteLine("Imported {0} key validation {1}", keyType,
sigOk ? "SUCCEEDED" : "FAILED");
}
// Free TPM resources taken by the loaded imported key
tpm.FlushContext(hKey);
} // GenerateAndImport
