[Trustedjava-support] "Unable to open TPM device" error with aik_create

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hello,

>JTpmTools simulates a full AIK cycle, not only keys but also with
certificates.

>case a) JTSS contains EK cert handling
>case b) JTssWrapper does not (because TrouSerS does not)

Yes. I've seen a note on this somewhere in the code  :-)

>a) works because JTpmTools looks for an EK cert on-chip and
>if you don't have one builds a fake one on-the-fly.
>
>b) does not work because JTpmTools does not know which stack version is
>running (remember, the top level API is the same). JTT tries to fetch
>the certificate from the chip, but this method only exists in a native
>version (=JTSS code), but running both obviously conflicts with usage of
/dev/tpm.

Yes. This is what I concluded as well... albeit after hours of going through
the code...lol

>So the solution for the JTssWrapper case is to tell JTT to have faith
>that the stack already has an EK cert loaded, or as the command-line docu
says:
>
> --noek                ... EK certificate is already known by TSS (e.g. via
tcsd.conf
>                           of TrouSerS)

I have tried to specify an "ek.cert" file either through jtt "--ekfile"
option or through
 tcsd.conf (and chosing --noek for jtt) but both give this error:

------------------------------------------------------------------------------------------------------------------
11:38:54:485 [WARN] PrivacyCa::<clinit> (86):    could not load CLIENT
PrivacyCA
default certificate (ok on server)
iaik.tc.tss.api.exceptions.tcs.TcTpmException:

TSS Error:
error layer:                0x00 (TPM)
error code (without layer): 0x22
error code (full):          0x22
error message: An invalid handle was used.

        at iaik.tc.tss.impl.jni.tsp.TcBaseObject.handleRetCode(
TcBaseObject.java:104)
11:38:54:681 [ERROR] AikCreate::execute (345):    client:
CollateIdentityRequest failed
        at iaik.tc.tss.impl.jni.tsp.TcTpm.collateIdentityRequest(TcTpm.java
:1071)
        at iaik.tc.apps.jtt.aik.Client.collateIdentityReq(Client.java:110)
        at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:341)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:80)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(
SubCommandParser.java:52)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)
        at com.test.CommandTool.main(CommandTool.java:27)
-----------------------------------------------------------------------------------------------------------------------
I am guessing this is an issue with my certificate file. I have created this
using the
examples of TcCerts (with TcCerts) but I'm not sure if this is correct.

Many thanks,

Nektarios