我正在与使用 AES-CCM 加密的设备通信,我需要使用 ECDH 派生的密钥进行设置。我的机器证书在 TPM 中有一个 ECC 私钥。
我对此有些陌生,所以请多多包涵。
这是我现在正在查看的代码。这是用我的证书签署密钥的正确方法吗?
//this will actually be loaded by another method. Only here for demo purposes;
X509Certificate2 masterEndEntityCert;
//we are using the NST p-256 curve
using (var ecdh = new ECDiffieHellmanCng(ECCurve.NamedCurves.nistP256))
{
//our HKDF should be HMAC
ecdh.KeyDerivationFunction = ECDiffieHellmanKeyDerivationFunction.Hmac;
ecdh.HashAlgorithm = CngAlgorithm.Sha256;
//get the ephemeral key to send to the other device
var ephemeralKey = ecdh.PublicKey.ToByteArray();
//get the ecdsa private key from my cert for signing
using (var alg = masterEndEntityCert.GetECDsaPrivateKey() as ECDsaCng)
{
//sign the sha256 hash of the key
var sig = alg.SignData(ephemeralKey, HashAlgorithmName.SHA256);
//concat the ephemeral key and the signed hash together for transmission
this.SignedEphemeralPublicKey = ephemeralKey.Concat(sig).ToArray();
}
}