trousers

Hi Hal, 

You did mentioned that the AIK in included in TPM_IDENTITY_PROOF structure. We did tried to print the value of EK credential from the structure but failed. We get zero value. We use TPM Infinion and was successfully get the EK credential using the code that you posted previously. Is there any data in the structure actually, or I just did something wrong somewhere.

Please advice. 

Many Thanks.

Re: [TrouSerS-users] Question on TPM_IDENTITY_PROOF From: Hal Finney <hal.finney@gm...> - 2009-02-26 17:43 Hi starfish - You have to tell Trousers where your endorsement credential is. Save it in a file (in binary form) and edit the Trousers tcsd.conf file (probably in /usr/local/etc or some such place) to change the line # endorsement_cred = to something like endorsement_cred = /usr/local/etc/Endorsement.cert or whereever you put the EK certificate file. Hal On Wed, Feb 25, 2009 at 10:45 PM, starfish Trousers <lucyantie_trousers@...> wrote: > Hi Hal, > > You did mentioned that the AIK in included in TPM_IDENTITY_PROOF structure. > We did tried to print the value of EK credential from the structure but > failed. We get zero value. We use TPM Infinion and was successfully get the > EK credential using the code that you posted previously. Is there any data > in the structure actually, or I just did something wrong somewhere. > > Please advice. > > Many Thanks. > >

Re: [TrouSerS-users] Question on TPM_IDENTITY_PROOF From: starfish Trousers <lucyantie_trousers@ya...> - 2009-03-11 06:35 Attachments: Message as HTML      Hi Hal, Yes I have revised your replies and successfully did the following Tspi_TPM_ActivateIdentity and Tspi_Context_RegisterKey functions with no errors as refer to [http://privacyca.com/identity.c] line 391 and 399. However, there is an error in function d2i_X509 [line 413] where it is unable to parse the returned credential. To my understand, this function will convert the successfully created credential in binary to X509 format. For your information, the AIK credential is created using OpenSSL and converted to byte using i2d_X509 function and later is decrypted with the hardware TPM's Endorsement Key. Is there anything wrong that I did? Please advice. Thank you. ________________________________ From: Hal Finney <hal.finney@...> To: starfish Trousers <lucyantie_trousers@...> Sent: Tuesday, March 10, 2009 2:16:43 PM Subject: Re: Question on TPM_IDENTITY_PROOF On Mon, Mar 9, 2009 at 8:14 PM, starfish Trousers <lucyantie_trousers@...> wrote: > Hi Hal, > > Can you please advice me on the next step after I run the command > TPM_ActivateIdentity that return SUCCESS? How do I get back the AIK > Credential? The way it is supposed to work is this. You run Tspi_TPM_CollateIdentityRequest. This creates an identity key and also outputs a request for an AIK credential. You send this request to a Privacy CA. The Privacy CA creates your AIK credential but encrypts it to your TPM's Endorsement Key. It sends you the encrypted AIK credential. You have it, but you can't read it, because it is encrypted. You run Tspi_TPM_ActivateIdentity, which decrypts the encrypted value using your TPM's Endorsement Key, and decrypts the AIK credential. The decrypted credential is returned as the last parameter from Tspi_TPM_ActivateIdentity. I don't know whether you are trying to use a Privacy CA which is creating an AIK credential for you. Someone has to create it. All Tspi_TPM_ActivateIdentity can do is to decrypt an AIK credential which has already been created. > In addition, do you familiar with Recover TPM Identity as suggested in the > TCPA Specification? I don't know what you are talking about here, could you send me a specific section number and document name from the many TCG (TCPA) specifications? Hal

2 messages have been excluded from this view by a project administrator.