From: <cas...@al...> - 2007-09-13 16:04:19
Thank you for your response. Sorry, but maybe I didn't explain very well!!

This is my code, which is like your code in the tool, at the client side:

    try {
        aikCertificate = new X509Certificate(aikCredential.asByteArray());
    } catch (CertificateException ex) {
        ex.printStackTrace();
    }
    Log.info("received AIK certificate with IdLabel: '" + AIKCertificate.getTPMLabelID(aikCertificate) + "'");

as you do in the verifyAndPrintAikLabel function.

To the remote host I send the aikCredential (returned by the activateIdentity), but the remote host has to verify the correctness of the AIK certificate. How can it do that?
I encapsulate it in an X509Certificate and I do the verify function.
Also, I get the AIK key from this certificate using the proper function of iaik-jce:

    aikCert = new X509Certificate(aikCredential.asByteArray());
    aikCert.getPublicKey()

Sorry if I am boring. I understand if you will not want to answer me.
Thank you again
A.F.

-----Original Message-----
From: Martin Pirker [mailto:Mar...@ia...]
Sent: Thu 13/09/2007 9.48
To: cas...@al...
Cc: tru...@li...
Subject: Re: [Trustedjava-support] info about privacy ca

cas...@al... wrote:
> I have done a privacy CA emulating your privacy CA in jtpmtools (client and privacy CA are local).
> After I have done the activateidentity at the client side I create a x509certificate
> using iaik-jce as you do in your tool with the aik credential.

If you look at AikCreate.java in JTpmTools...

    aikCredential = client.activateIdentity(symCaAttestationEncrypted, asymCaContentsEncrypted, srkSecret, srkSecretMode);

...the goal of the PCA cycle is to create a certificate for the identity key in the TPM,
activateidentity at the client extracts the certificate from the PCA answer.
Creating an AIK certificate after activateidentity ignores the PCA concept -
I don't understand why you would do that.

> When the remote host performs the x509certificate.verify it gives an error of bad padding,
> exactly: java.security.SignatureException: Signature decryption error: javax.crypto.BadPaddingException:
> Maybe is the certificate without something important?

Maybe .verify does just what it says in the IAIK-JCE documentation, namely check the signature
of a self signed certificate - which I don't understand why you would want to do that here.

> Have I to do other operations after the creation of the certificate with aik credential
> or is it enough to send it to a remote host that has to verify it?

Please find someone explaining public key infrastructures (PKI) with X509
certificates to you.
You seem to be not sure what you want to achieve (and why).

HTH
-- 
Martin Pirker
IAIK, TU Graz
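
The difference between a self-signed check and an issuer check, as an added example that is not part of the original thread or of JTpmTools: a signature made by the Privacy CA fails against the AIK's own public key and succeeds against the Privacy CA's public key. The class name, the generated key pairs, the constructed "to-be-signed" bytes and the use of the JDK's default `SHA256withRSA` provider (rather than IAIK-JCE) are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;

// Added illustration; all names are hypothetical, keys are generated on the fly.
public class AikSignatureCheck {

    // True only if `sig` over `tbs` was produced by the private half of `key`.
    // Some providers surface a wrong key as SignatureException wrapping
    // BadPaddingException (as in the thread); others return false. Both mean "not valid".
    static boolean signedBy(byte[] tbs, byte[] sig, PublicKey key)
            throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(key);
        v.update(tbs);
        try {
            return v.verify(sig);
        } catch (SignatureException e) {
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pca = gen.generateKeyPair();   // stands in for the Privacy CA key
        KeyPair aik = gen.generateKeyPair();   // stands in for the TPM identity key

        // Constructed stand-in for the certificate's to-be-signed part:
        // a subject label followed by the encoded AIK public key.
        byte[] label = "constructed-aik-label".getBytes(StandardCharsets.UTF_8);
        byte[] pub = aik.getPublic().getEncoded();
        byte[] tbs = new byte[label.length + pub.length];
        System.arraycopy(label, 0, tbs, 0, label.length);
        System.arraycopy(pub, 0, tbs, label.length, pub.length);

        // The Privacy CA signs; the AIK private key is never involved.
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(pca.getPrivate());
        s.update(tbs);
        byte[] sig = s.sign();

        // Self-signed style check: verify against the key carried in the certificate.
        System.out.println("against AIK key (self-signed check): "
                + signedBy(tbs, sig, aik.getPublic()));
        // Issuer check: verify against the Privacy CA key the verifier already trusts.
        System.out.println("against Privacy CA key: "
                + signedBy(tbs, sig, pca.getPublic()));
    }
}
```

With a real certificate object, the equivalent issuer check in the standard `java.security.cert` API is `verify(PublicKey)` called with the Privacy CA's public key, obtained by the verifier out of band.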