Re: [Trustedjava-support] R: info about privacy ca

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

cas...@al... wrote:
> this is my code that is as your code in the tool, at the client side:
> 
> try {
>         aikCertificate = new X509Certificate(aikCredential.asByteArray());
>             
>         } catch (CertificateException ex) {
>             ex.printStackTrace();
>         }
>         Log.info("received AIK certificate with IdLabel: '" + AIKCertificate.getTPMLabelID(aikCertificate) + "'");
> 
> as you do in the verifyAndPrintAikLabel function.

This is quick test code that the received result is not complete crap:
a) if certificate instantiation from the passed byte array does not
   fail it probably is a real X509 certificate.
b) if there is a TCG certificate extension holding an AIK label it
   probably is a real AIK certificate.

Nothing more checked here.

> to the remote host i send the aikCredential (returned by the activateIdentity),
> but the remote host has to verify the correctness of the aik certificate.
> how can it do?

If you trust your issueing entity to always issue correctly assembled
and signed AIK certificates you do a basic PKI signature chain check:
 aikcert.verify(aikcacert.getPublicKey());
and if that's ok you trust the content. Or, a chain validation, see
ServerPCA.java, method verifyCredentials in the PrivacyCA package.

If not, you have to examine every part of the certificate to be
as described by the TCG credential profiles document.

HTH

-- 
Martin Pirker
IAIK, TU Graz