[英]How do I encrypt my message with Microsofts TPM-Library in .net
我想用 TPM 加密和解密我的消息。 我使用微軟的 TSS-Library。 可以在此處找到文檔(包括示例): https://github.com/microsoft/TSS.MSR/tree/master/TSS.NET
這是我的代碼片段:
public byte[] encryptData(byte[] message)
{
TpmHandle handle = new TpmHandle();
byte[] keyAuth = new byte[] { 1, 2, 3 };
SigSchemeRsassa scheme = new SigSchemeRsassa(TpmAlgId.Rsa);
byte[] label = Encoding.Unicode.GetBytes("Label");
return Tpm[keyAuth].RsaEncrypt(handle, message, scheme,label);
}
錯誤是:
命令 RsaEncrypt 返回錯誤 {Value}。 詳細信息:[Code=TpmRc.Value]、[RawCode=0x184,388] [ErrorEntity=Handle]、[ParmNum=1]
我從我的簽名方法(在樣本中找到)修改了我的代碼。 我剛剛添加了我自己的 SignatureData 類,它存儲來自 CreatePrimary() 的 output 信息:(我在這個方法中遇到了同樣的錯誤以及錯誤的 authValue,但現在它工作了)
public void Sign(string message)
{
AuthValue ownerAuth = new AuthValue();
signatureData = new TpmSignatureData();
//Transform Message in byte-form
signatureData.ByteMessage = Encoding.Unicode.GetBytes(message);
//create keyTepmplate
TpmPublic keyTemplate = new TpmPublic(TpmAlgId.Sha1, ObjectAttr.UserWithAuth | ObjectAttr.Sign |
ObjectAttr.FixedParent | ObjectAttr.FixedTPM | ObjectAttr.SensitiveDataOrigin, null, // No policy
new RsaParms(new SymDefObject(), new SchemeRsassa(TpmAlgId.Sha1), 2048, 0), new Tpm2bPublicKeyRsa());
byte[] keyAuth = new byte[] { 1, 2, 3 };
#region Temporary Variables
TpmPublic tpmPublic;
CreationData creationData;
byte[] creationHash;
TkCreation creationTicket;
#endregion
//Create keyHandle based on keyTemplate
TpmHandle keyHandl = Tpm[ownerAuth].CreatePrimary(
TpmRh.Owner, // In the owner-hierarchy
new SensitiveCreate(keyAuth, null), // With this auth-value
keyTemplate, // Describes key
null, // Extra data for creation ticket
new PcrSelection[0], // Non-PCR-bound
out tpmPublic, // PubKey and attributes
out creationData, out creationHash, out creationTicket); // Not used here
//create Hash to be signed
TpmHash digestToSign = TpmHash.FromData(TpmAlgId.Sha1, signatureData.ByteMessage);
//Sign the hash-Value
signatureData.signature = Tpm[keyAuth].Sign(keyHandl, digestToSign, null, TpmHashCheck.Null()) as SignatureRsassa;
}
還有另一種加密方法。 您也可以使用 EncryptDecrypt-Method,但對我也不起作用。 我是否遺漏了一些簡單的東西,或者我是否需要完全更改我的代碼。 我想我的主要問題是 TpmHandle。 我不確定如何處理它。 任何幫助都會很棒。 提前致謝。
與此同時,我自己找到了解決方案。 問題是手柄。 如果我理解正確,您需要創建一個 rsa-primary-handle 然后修改句柄。 下面是兩個必要的方法:
public static TpmHandle CreateRsaPrimaryKey(Tpm2 tpm)
{
var sensCreate = new SensitiveCreate(new byte[] { 0xa, 0xb, 0xc }, null);
TpmPublic parms = new TpmPublic(
TpmAlgId.Sha1,
ObjectAttr.Restricted | ObjectAttr.Decrypt | ObjectAttr.FixedParent | ObjectAttr.FixedTPM
| ObjectAttr.UserWithAuth | ObjectAttr.SensitiveDataOrigin,
null,
new RsaParms(
new SymDefObject(TpmAlgId.Aes, 128, TpmAlgId.Cfb),
new NullAsymScheme(),
2048,
0),
new Tpm2bPublicKeyRsa());
byte[] outsideInfo = Globs.GetRandomBytes(8);
var creationPcr = new PcrSelection(TpmAlgId.Sha1, new uint[] { 0, 1, 2 });
TpmPublic pubCreated;
CreationData creationData;
TkCreation creationTicket;
byte[] creationHash;
TpmHandle h = tpm.CreatePrimary(TpmRh.Owner, sensCreate, parms, outsideInfo, new PcrSelection[] { creationPcr },
out pubCreated, out creationData, out creationHash, out creationTicket);
return h;
}
public static TpmHandle CreateSigningDecryptionKey(Tpm2 tpm, TpmHandle primHandle, out TpmPublic keyPublic)
{
TpmPublic keyInPublic = new TpmPublic(
TpmAlgId.Sha1,
ObjectAttr.Decrypt | ObjectAttr.Sign | ObjectAttr.FixedParent | ObjectAttr.FixedTPM
| ObjectAttr.UserWithAuth | ObjectAttr.SensitiveDataOrigin,
null,
new RsaParms(
new SymDefObject(),
new NullAsymScheme(),
2048, 0),
new Tpm2bPublicKeyRsa());
SensitiveCreate sensCreate = new SensitiveCreate(new byte[] { 1, 2, 3 }, null);
CreationData keyCreationData;
TkCreation creationTicket;
byte[] creationHash;
Console.WriteLine("Automatic authorization of a primary storage key.");
//
// An auth session is added automatically to authorize access to primHandle.
//
TpmPrivate keyPrivate = tpm.Create(primHandle,
sensCreate,
keyInPublic,
null,
new PcrSelection[0],
out keyPublic,
out keyCreationData,
out creationHash,
out creationTicket);
TpmHandle keyHandle = null;
Console.WriteLine("Strict mode.");
//
// Switch TPM object to the strict mode. (Note that this is a TSS.Net
// specific piece of functionality, not a part of TPM 2.0 specification).
//
tpm._Behavior.Strict = true;
//
// No auth session is added automatically when TPM object is in strict mode.
//
tpm._ExpectError(TpmRc.AuthMissing)
.Load(primHandle, keyPrivate, keyPublic);
//
// Now explicitly request an auth session of a desired type.
// The actual auth value will be supplied by TSS.Net implicitly.
//
keyHandle = tpm[Auth.Default].Load(primHandle, keyPrivate, keyPublic);
Console.WriteLine("Signing decryption key created.");
//
// Switch TPM object back to the normal mode.
//
tpm._Behavior.Strict = false;
return keyHandle;
}
我這樣調用構造函數中的方法:
handle = CreateSigningDecryptionKey(Tpm, CreateRsaPrimaryKey(Tpm), out keyPublic);
之后加密解密就很容易了。
加密:
return Tpm.RsaEncrypt(handle, data, new SchemeOaep(TpmAlgId.Sha1), null);
解密:
return Tpm.RsaDecrypt(handle, ciphertext, new SchemeOaep(TpmAlgId.Sha1), null);
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.