From: Martin P. <Mar...@ia...> - 2008-01-18 13:17:05

Carolin Latze wrote:
> I had to add iaik_jtss_tcs.jar to the classpath in pki_server.sh (I do
> not understand why I have to add iaik_jtss_tsp.jar to the system's
> classpath and iaik_jtss_tcs.jar to the temporary classpath.... but that
> doesn't matter as long as there is a working solution).

Yes, this is strange; adding the .jars in the server start script should do. The server side does not need a TPM, so it should be fine with just TSP, which is needed for some data structures and helper functions. This works with jTSS 0.1. That TCS is also required with jTSS 0.2 is an unfortunate bug. Sorry about that, but our manpower is limited and we cannot test all functions with all combinations of packages....

> If I ask my server for an EK certificate, the answer is:
>
> Validating XKMS message signature using certificate:
> CN=IAIK OpenTC XKMS Test Responder,OU=IAIK trusted computing
> labs,O=Graz University of Technology,C=AT
> XKMS Result message signature is INVALID.
>
> received EK certificate #20080118133421135
> exported to file: tybble_ek.cert
>
> That does not happen with your server.

Our server uses the certificate chains available from: http://opentc.iaik.tugraz.at/index.php?item=certs

Also, the release package of JTpmTools is preloaded with the proper certificates; see PCA README, section 2.4.2, last paragraph. If you set up your own PCA you have to generate new certificates. The server signs every answer with the XKMS private key. It is expected that JTpmTools has access to the proper certificate with the public key; then "result message signature" will validate ok.

> I think the following server error is a consequence of the one above:
>
> javax.crypto.BadPaddingException: Invalid PKCS#1 padding: no leading zero!
> at iaik.pkcs.pkcs1.b.b(Unknown Source)
> at iaik.pkcs.pkcs1.RSACipher.a(Unknown Source)
> at iaik.pkcs.pkcs1.RSACipher.engineDoFinal(Unknown Source)
> at javax.crypto.Cipher.doFinal(DashoA13*..)
> at iaik.tc.apps.jtt.aik.PrivacyCa.decryptIdentityReqBlob(PrivacyCa.java:246)

The PCA server fails on decryption of the request blob. JTpmTools encrypts the request blob (as per specification) with the public key contained in the PCA certificate. If you did not replace the PCA certificate shipped originally with JTpmTools, it will not decrypt....

> at iaik.tc.apps.jtt.aik.PrivacyCa.processRequest(PrivacyCa.java:163)
> at iaik.tc.apps.pki.server.cmd.RPRegisterCreateAIK.process(RPRegisterCreateAIK.java:64)
> at iaik.xkms.server.handler.AbstractHandler.handleRequest(AbstractHandler.java:122)
> at iaik.xkms.server.handler.HTTPHandler.run(HTTPHandler.java:139)
>
> Regards and thanks for the help!

One day this will all be plug'n'play.... ;-)

Martin
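The certificate/key mismatch behind the BadPaddingException above, as an added example that is not JTpmTools or jTSS code: it models the request-blob round trip with the plain JDK provider (the class name, the method names and both key pairs are constructed for the illustration), and shows why comparing the PCA certificate's public key against the server's private key before decrypting turns an opaque padding error into a clear configuration message.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;

// Added illustration, not JTpmTools or jTSS code: models the PCA request-blob
// round trip with the plain JCE provider so it runs on any JDK.
public class PcaKeyCheck {

    static byte[] rsaPkcs1(int mode, java.security.Key key, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        c.init(mode, key);
        return c.doFinal(in);
    }

    // Server side: the certificate's public key and the server's private key belong
    // to one RSA pair exactly when their moduli are equal; check that before touching
    // the ciphertext so a configuration error is reported as such, not as bad padding.
    static byte[] decryptRequestBlob(byte[] enc, RSAPublicKey certKey, RSAPrivateKey serverKey) throws Exception {
        if (!certKey.getModulus().equals(serverKey.getModulus())) {
            throw new IllegalStateException("PCA certificate does not match the server's private key");
        }
        return rsaPkcs1(Cipher.DECRYPT_MODE, serverKey, enc);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair shipped = gen.generateKeyPair(); // constructed: pair behind the certificate shipped with JTpmTools
        KeyPair own = gen.generateKeyPair();     // constructed: pair of a newly set up PCA
        byte[] blob = "identity request (constructed sample)".getBytes("UTF-8");
        // Client side: blob encrypted under the public key from the (shipped) PCA certificate.
        byte[] enc = rsaPkcs1(Cipher.ENCRYPT_MODE, shipped.getPublic(), blob);
        try { // unguarded decryption with the other key: the failure mode from the log
            rsaPkcs1(Cipher.DECRYPT_MODE, own.getPrivate(), enc);
        } catch (BadPaddingException e) {
            System.out.println("wrong key: " + e);
        }
        try { // guarded decryption names the actual cause
            decryptRequestBlob(enc, (RSAPublicKey) shipped.getPublic(), (RSAPrivateKey) own.getPrivate());
        } catch (IllegalStateException e) {
            System.out.println("guarded: " + e.getMessage());
        }
        byte[] dec = decryptRequestBlob(enc, (RSAPublicKey) shipped.getPublic(), (RSAPrivateKey) shipped.getPrivate());
        System.out.println("matching key: " + new String(dec, "UTF-8"));
    }
}
```

In a real deployment the public key would be read from the PCA certificate with CertificateFactory and the private key from the server's key store; the modulus comparison is the same.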