How to encrypt messages using the Microsoft TPM library in .NET



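I want to encrypt and decrypt my messages with the TPM. I am using Microsoft's TSS library. The documentation (including samples) can be found here: https://github.com/microsoft/TSS.MSR/tree/master/TSS.NET
Here is my code snippet: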

public byte[] encryptData(byte[] message)
{
    TpmHandle handle = new TpmHandle();
    byte[] keyAuth = new byte[] { 1, 2, 3 };
    SigSchemeRsassa scheme = new SigSchemeRsassa(TpmAlgId.Rsa);
    byte[] label = Encoding.Unicode.GetBytes("Label");
    return Tpm[keyAuth].RsaEncrypt(handle, message, scheme, label);
}

The error is:

为命令RsaEncrypt返回错误{Value}。详细信息:[代码=TpmRc.值],[原始代码=0x184388][ErrorEntity=Handle],[ParmNum=1]

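I modified the code from the signing method (found in the samples). I just added my own SignatureData class, which stores the output of CreatePrimary(): (I had the same error in this method too when I used the wrong authValue, but now it works)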

public void Sign(string message)
{
    AuthValue ownerAuth = new AuthValue();
    signatureData = new TpmSignatureData();
    // Transform message into byte form
    signatureData.ByteMessage = Encoding.Unicode.GetBytes(message);
    // Create keyTemplate
    TpmPublic keyTemplate = new TpmPublic(
        TpmAlgId.Sha1,
        ObjectAttr.UserWithAuth | ObjectAttr.Sign |
        ObjectAttr.FixedParent | ObjectAttr.FixedTPM | ObjectAttr.SensitiveDataOrigin,
        null,                                   // No policy
        new RsaParms(new SymDefObject(), new SchemeRsassa(TpmAlgId.Sha1), 2048, 0),
        new Tpm2bPublicKeyRsa());
    byte[] keyAuth = new byte[] { 1, 2, 3 };
    #region Temporary Variables
    TpmPublic tpmPublic;
    CreationData creationData;
    byte[] creationHash;
    TkCreation creationTicket;
    #endregion
    // Create keyHandle based on keyTemplate
    TpmHandle keyHandl = Tpm[ownerAuth].CreatePrimary(
        TpmRh.Owner,                            // In the owner-hierarchy
        new SensitiveCreate(keyAuth, null),     // With this auth-value
        keyTemplate,                            // Describes key
        null,                                   // Extra data for creation ticket
        new PcrSelection[0],                    // Non-PCR-bound
        out tpmPublic,                          // PubKey and attributes
        out creationData, out creationHash, out creationTicket);    // Not used here
    // Create hash to be signed
    TpmHash digestToSign = TpmHash.FromData(TpmAlgId.Sha1, signatureData.ByteMessage);
    // Sign the hash value
    signatureData.signature = Tpm[keyAuth].Sign(keyHandl, digestToSign, null, TpmHashCheck.Null()) as SignatureRsassa;
}

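There is another way to encrypt it. You can also use the EncryptDecrypt method, but it did not work for me. Am I missing something simple, or do I need to change my code completely? I think my main problem is the TpmHandle. I don't know what to do with it. Any help would be great. Thanks in advance.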

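In the meantime, I found the solution myself. The problem was the handle. If I understood correctly, you need to create an RSA primary handle and then modify that handle. Here are the two necessary methods: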

public static TpmHandle CreateRsaPrimaryKey(Tpm2 tpm)
{
    var sensCreate = new SensitiveCreate(new byte[] { 0xa, 0xb, 0xc }, null);
    TpmPublic parms = new TpmPublic(
        TpmAlgId.Sha1,
        ObjectAttr.Restricted | ObjectAttr.Decrypt | ObjectAttr.FixedParent | ObjectAttr.FixedTPM
            | ObjectAttr.UserWithAuth | ObjectAttr.SensitiveDataOrigin,
        null,
        new RsaParms(
            new SymDefObject(TpmAlgId.Aes, 128, TpmAlgId.Cfb),
            new NullAsymScheme(),
            2048,
            0),
        new Tpm2bPublicKeyRsa());
    byte[] outsideInfo = Globs.GetRandomBytes(8);
    var creationPcr = new PcrSelection(TpmAlgId.Sha1, new uint[] { 0, 1, 2 });
    TpmPublic pubCreated;
    CreationData creationData;
    TkCreation creationTicket;
    byte[] creationHash;
    TpmHandle h = tpm.CreatePrimary(TpmRh.Owner, sensCreate, parms, outsideInfo, new PcrSelection[] { creationPcr },
        out pubCreated, out creationData, out creationHash, out creationTicket);
    return h;
}

public static TpmHandle CreateSigningDecryptionKey(Tpm2 tpm, TpmHandle primHandle, out TpmPublic keyPublic)
{
    TpmPublic keyInPublic = new TpmPublic(
        TpmAlgId.Sha1,
        ObjectAttr.Decrypt | ObjectAttr.Sign | ObjectAttr.FixedParent | ObjectAttr.FixedTPM
            | ObjectAttr.UserWithAuth | ObjectAttr.SensitiveDataOrigin,
        null,
        new RsaParms(
            new SymDefObject(),
            new NullAsymScheme(),
            2048, 0),
        new Tpm2bPublicKeyRsa());
    SensitiveCreate sensCreate = new SensitiveCreate(new byte[] { 1, 2, 3 }, null);
    CreationData keyCreationData;
    TkCreation creationTicket;
    byte[] creationHash;
    Console.WriteLine("Automatic authorization of a primary storage key.");
    //
    // An auth session is added automatically to authorize access to primHandle.
    //
    TpmPrivate keyPrivate = tpm.Create(primHandle,
        sensCreate,
        keyInPublic,
        null,
        new PcrSelection[0],
        out keyPublic,
        out keyCreationData,
        out creationHash,
        out creationTicket);
    TpmHandle keyHandle = null;
    Console.WriteLine("Strict mode.");
    //
    // Switch TPM object to the strict mode. (Note that this is a TSS.Net
    // specific piece of functionality, not a part of TPM 2.0 specification).
    //
    tpm._Behavior.Strict = true;
    //
    // No auth session is added automatically when TPM object is in strict mode.
    //
    tpm._ExpectError(TpmRc.AuthMissing)
        .Load(primHandle, keyPrivate, keyPublic);
    //
    // Now explicitly request an auth session of a desired type.
    // The actual auth value will be supplied by TSS.Net implicitly.
    //
    keyHandle = tpm[Auth.Default].Load(primHandle, keyPrivate, keyPublic);
    Console.WriteLine("Signing decryption key created.");
    //
    // Switch TPM object back to the normal mode.
    //
    tpm._Behavior.Strict = false;
    return keyHandle;
}

I call the methods in the constructor like this:

handle = CreateSigningDecryptionKey(Tpm, CreateRsaPrimaryKey(Tpm), out keyPublic);

After that, encryption and decryption are very easy.
Encryption:

return Tpm.RsaEncrypt(handle, data, new SchemeOaep(TpmAlgId.Sha1), null);

Decryption:

return Tpm.RsaDecrypt(handle, ciphertext, new SchemeOaep(TpmAlgId.Sha1), null);
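
A complete round trip built from the calls shown in the answer, added here as an example and not part of the original posts. It assumes a Windows machine whose TPM 2.0 is reached through TbsDevice and an owner hierarchy that accepts the default authorization; the class name, the decrypt-only primary key template, the random auth value and the plaintext length check are choices made for this example.

```csharp
using System;
using System.Linq;
using System.Text;
using Tpm2Lib;

static class TpmRsaRoundTrip   // hypothetical class name
{
    // RSA-2048 with OAEP/SHA-1: modulus bytes - 2 * hash bytes - 2 = 214.
    const int MaxPlaintext = 2048 / 8 - 2 * 20 - 2;

    static void Main()
    {
        // Assumption: Windows host, TPM 2.0 reached through TBS.
        Tpm2Device device = new TbsDevice();
        device.Connect();
        using (var tpm = new Tpm2(device))
        {
            // Auth value from the TPM's RNG instead of a fixed { 1, 2, 3 }.
            byte[] keyAuth = tpm.GetRandom(20);
            // Decrypt-only key: neither Sign nor Restricted is set, so the
            // symmetric definition must be null (empty SymDefObject).
            var template = new TpmPublic(
                TpmAlgId.Sha1,
                ObjectAttr.Decrypt | ObjectAttr.FixedParent | ObjectAttr.FixedTPM
                    | ObjectAttr.UserWithAuth | ObjectAttr.SensitiveDataOrigin,
                null,
                new RsaParms(new SymDefObject(), new NullAsymScheme(), 2048, 0),
                new Tpm2bPublicKeyRsa());
            TpmPublic pub; CreationData cd; byte[] ch; TkCreation ct;
            TpmHandle key = tpm.CreatePrimary(TpmRh.Owner,
                new SensitiveCreate(keyAuth, null), template, null,
                new PcrSelection[0], out pub, out cd, out ch, out ct);
            try
            {
                byte[] plain = Encoding.UTF8.GetBytes("constructed sample message");
                if (plain.Length > MaxPlaintext)
                    throw new ArgumentException("Too long for one RSA-OAEP block.");
                var oaep = new SchemeOaep(TpmAlgId.Sha1);
                // Encryption uses only the public part; decryption needs keyAuth.
                byte[] cipher = tpm.RsaEncrypt(key, plain, oaep, null);
                byte[] back = tpm[keyAuth].RsaDecrypt(key, cipher, oaep, null);
                Console.WriteLine(plain.SequenceEqual(back) ? "round trip OK" : "MISMATCH");
            }
            finally
            {
                tpm.FlushContext(key);   // release the transient object slot
            }
        }
    }
}
```

Messages longer than 214 bytes do not fit in one RSA-OAEP block with this key size and hash, which is why the length is checked before RsaEncrypt is called.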
