From: starfish T. <luc...@ya...> - 2009-03-11 06:35:10
Hi Hal,

Yes, I have revised your replies and successfully ran the following Tspi_TPM_ActivateIdentity and Tspi_Context_RegisterKey functions with no errors, referring to [http://privacyca.com/identity.c] lines 391 and 399. However, there is an error in the function d2i_X509 [line 413], where it is unable to parse the returned credential. To my understanding, this function converts the successfully created credential from binary to X509 format. For your information, the AIK credential is created using OpenSSL and converted to bytes using the i2d_X509 function, and is later decrypted with the hardware TPM's Endorsement Key. Is there anything wrong that I did? Please advise.

Thank you.

________________________________
From: Hal Finney <hal...@gm...>
To: starfish Trousers <luc...@ya...>
Sent: Tuesday, March 10, 2009 2:16:43 PM
Subject: Re: Question on TPM_IDENTITY_PROOF

On Mon, Mar 9, 2009 at 8:14 PM, starfish Trousers <luc...@ya...> wrote:
> Hi Hal,
>
> Can you please advise me on the next step after I run the command
> TPM_ActivateIdentity that returns SUCCESS? How do I get back the AIK
> Credential?

The way it is supposed to work is this. You run Tspi_TPM_CollateIdentityRequest. This creates an identity key and also outputs a request for an AIK credential. You send this request to a Privacy CA. The Privacy CA creates your AIK credential but encrypts it to your TPM's Endorsement Key. It sends you the encrypted AIK credential. You have it, but you can't read it, because it is encrypted. You run Tspi_TPM_ActivateIdentity, which decrypts the encrypted value using your TPM's Endorsement Key, and decrypts the AIK credential. The decrypted credential is returned as the last parameter from Tspi_TPM_ActivateIdentity.

I don't know whether you are trying to use a Privacy CA which is creating an AIK credential for you. Someone has to create it. All Tspi_TPM_ActivateIdentity can do is to decrypt an AIK credential which has already been created.

> In addition, are you familiar with Recover TPM Identity as suggested in the
> TCPA Specification?

I don't know what you are talking about here, could you send me a specific section number and document name from the many TCG (TCPA) specifications?

Hal
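A first thing to check when d2i_X509 rejects the buffer that Tspi_TPM_ActivateIdentity returns is whether that buffer is really a bare DER-encoded certificate. The following is an added example, not from this thread and not from privacyca.com's identity.c: a small Python check that parses the outer DER header and reports truncation, trailing bytes, or a first byte that is not a SEQUENCE tag (as with a PEM or length-prefixed wrapper); the sample inputs are constructed.

```python
# Added example: DER sanity check for a blob that should be an X.509 certificate.
# DER X.509 is SEQUENCE { tbsCertificate SEQUENCE, ... }, so the buffer must start
# with tag 0x30 and the encoded outer length must cover exactly the rest of it.

def der_tlv(buf, offset=0):
    """Return (tag, header_len, content_len) of the TLV at offset."""
    if offset + 1 >= len(buf):
        raise ValueError("buffer too short for a tag and length")
    tag, first = buf[offset], buf[offset + 1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    nbytes = first & 0x7F                 # long form: number of length bytes
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized length is not DER")
    if offset + 2 + nbytes > len(buf):
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[offset + 2:offset + 2 + nbytes], "big")
    if length < 0x80 or (nbytes > 1 and length < (1 << (8 * (nbytes - 1)))):
        raise ValueError("non-minimal length encoding is not DER")
    return tag, 2 + nbytes, length

def check_der_certificate(blob):
    """Return 'ok' or a reason d2i_X509 would fail on blob."""
    try:
        tag, hlen, clen = der_tlv(blob)
    except ValueError as e:
        return "bad outer header: %s" % e
    if tag != 0x30:
        return "outer tag 0x%02x is not SEQUENCE (0x30); PEM or wrapped?" % tag
    total = hlen + clen
    if total > len(blob):
        return "truncated: header claims %d bytes, buffer has %d" % (total, len(blob))
    if total < len(blob):
        return "%d trailing bytes after the certificate" % (len(blob) - total)
    try:
        inner_tag, _, _ = der_tlv(blob, hlen)
    except ValueError as e:
        return "bad tbsCertificate header: %s" % e
    if inner_tag != 0x30:
        return "tbsCertificate tag 0x%02x is not SEQUENCE" % inner_tag
    return "ok"

# Constructed samples (minimal DER shapes, not real certificates).
GOOD = b"\x30\x06\x30\x04\x02\x02\x01\x02"
PEM_LIKE = b"-----BEGIN CERTIFICATE-----"
LENGTH_PREFIXED = b"\x00\x00\x00\x08" + GOOD

if __name__ == "__main__":
    for name, blob in [("GOOD", GOOD), ("PEM", PEM_LIKE), ("PREFIXED", LENGTH_PREFIXED)]:
        print(name, "->", check_der_certificate(blob))
```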