From: Saurabh A. <tan...@gm...> - 2007-04-25 14:30:55

Hi

On 4/25/07, Nektarios Ioannides <ine...@gm...> wrote:
> Hello,
>
> Yes, I understand. Well the reason I wanted to do that was because I was
> trying to "simulate" the signing of the PCR-values with an AIK by copying
> the PCR-values given by the "pcr_read" jTPMTools command and manually
> copying them into a text file and then signing that textfile with some key !
> Since the textfile is just an ordinary data file only the storage key seemed
> to work. (right?)

You want to sign PCR values; I assume you would not need to sign all 16/24 PCRs, only the required ones. So better not convert them into a text file, and specify the pcr-index you want to use in the tpm_quote operation.

> Assuming I am... is there a way to sign the ACTUAL PCR-values from the TPM
> with an AIK that I have created? Does this already exist somewhere in the
> jTSSWrapper source code?

This process is tpm_quote, and yes, it exists in the trustedjava suite. For tpm_quote, look at the JUnit tests which come with the jTssWrapper package. It has a testquote.java file.

> The reason I am asking all these questions is that ultimately, I would like
> to be able to implement a small java application in which a Client manages
> to attest its self to a Challenger before the Challenger allows it to
> perform some other operation. That is, I would like to perform a full
> Attestation procedure (or as full as it is currently possible).
>
> If I'm not mistaken, from what I've understood from the jTSSWrapper source
> code, when creating an AIK key, some steps of an Attestation procedure are
> included as well. (i.e. the "create_aik" command from jTPMTools does not
> only create an AIK key pair but also assumes that a PrivacyCA has certified
> the AIK as well. Is this correct?

Yes. Instead of assuming, it simulates a PrivacyCA and does that. I would recommend you to look at the source code of the jTpmtools package, which is inside the respective jar file. The code is well documented and self explanatory. You will get the answers to all your questions.

> Since I am interested in performing an attestation procedure, I would also
> need to know, Is there a way to extract the Storage Measurement Log (SML)
> from the TPM through jTSSWrapper code?

I do not think there is any method to do that. But if you are using a Linux-IMA kernel you can easily check the measurement list.

> Also is the AIK certificate that has been signed by the PrivacyCA (and will
> have to be verified by the Challenger afterwards) the aik-uuid<some
> numbers>.cert file that appears on disk after I run a successful
> "create_aik" command?

Yes. File creation on disk is the last step in the above command implementation.

Some while ago, I was at the same position where you are. I made a java app, which runs on top of the jTSS libraries, and to complete the attestation procedure, I used the following steps:
- call aik_create with appropriate values (aik, owner, srk passwords, ini files)
- after the aik keys are activated, I use them to quote the desired PCR values.

--------------
best
saurabh
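The reply above explains why a quote over selected PCR indices is preferable to signing a hand-copied text file: the TPM binds the selected PCR values and the challenger's nonce into one fixed structure. The following is an added example, not code from the trustedjava/jTSS project, that builds the TPM 1.2 TPM_PCR_COMPOSITE and TPM_QUOTE_INFO structures with the Python standard library and shows the challenger-side recomputation; the RSA signature check with the AIK public key is assumed to happen separately and is not included.

```python
"""TPM 1.2 quote structures (TPM_PCR_COMPOSITE / TPM_QUOTE_INFO), stdlib only."""
import hashlib
import struct

PCR_LEN = 20  # TPM 1.2 PCRs hold a SHA-1 digest


def pcr_selection(indices, num_pcrs=24):
    """TPM_PCR_SELECTION: UINT16 sizeOfSelect followed by a bitmask in which
    bit (i % 8) of byte (i // 8) selects PCR i."""
    size = (num_pcrs + 7) // 8
    mask = bytearray(size)
    for i in indices:
        if not 0 <= i < num_pcrs:
            raise ValueError("PCR index out of range: %d" % i)
        mask[i // 8] |= 1 << (i % 8)
    return struct.pack(">H", size) + bytes(mask)


def pcr_composite(pcrs, num_pcrs=24):
    """TPM_PCR_COMPOSITE: selection, UINT32 valueSize, then the selected PCR
    values concatenated in ascending index order (pcrs: {index: 20-byte value})."""
    indices = sorted(pcrs)
    if any(len(pcrs[i]) != PCR_LEN for i in indices):
        raise ValueError("PCR values must be %d bytes" % PCR_LEN)
    values = b"".join(pcrs[i] for i in indices)
    return pcr_selection(indices, num_pcrs) + struct.pack(">I", len(values)) + values


def quote_info(pcrs, nonce):
    """TPM_QUOTE_INFO = TPM_STRUCT_VER(1,1,0,0) || 'QUOT' || SHA1(composite) || externalData.
    The AIK signs SHA1 of this 48-byte structure; externalData is the challenger's nonce."""
    if len(nonce) != 20:
        raise ValueError("externalData must be a 20-byte nonce")
    composite_hash = hashlib.sha1(pcr_composite(pcrs)).digest()
    return b"\x01\x01\x00\x00" + b"QUOT" + composite_hash + nonce


def challenger_check(signed_quote_info, reported_pcrs, nonce):
    """Challenger side: rebuild TPM_QUOTE_INFO from the PCR values the client reports and
    the nonce the challenger issued, and require a byte-for-byte match. A quote over a
    different PCR set, a changed PCR value, or a replayed nonce fails here. (Assumption:
    the RSA signature over SHA1(quote_info) was already verified with the AIK public key.)"""
    return signed_quote_info == quote_info(reported_pcrs, nonce)


if __name__ == "__main__":
    # Constructed sample values, not real TPM output.
    sample_pcrs = {0: bytes(20), 10: bytes.fromhex("aa" * 20)}
    sample_nonce = bytes(range(20))
    print(quote_info(sample_pcrs, sample_nonce).hex())
```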