From: Carolin L. <car...@un...> - 2008-01-18 13:37:01
Hi all.

Finally..... it works! :-) Yes I know, it was a looong way :-) I just forgot to copy my certificates to the client machine... Thanks for the help!

I have one last question (for the moment :-P ): How do you identify the private key on the TPM? If I want to use the AIK for authentication, how do I access the private key?

Thanks again!

Carolin

Martin Pirker wrote:
> Carolin Latze wrote:
>
>> I had to add iaik_jtss_tcs.jar to the classpath in pki_server.sh (I do
>> not understand why I have to add iaik_jtss_tsp.jar to the system's
>> classpath and iaik_jtss_tcs.jar to the temporary classpath.... but that
>> doesn't matter as long as there is a working solution).
>>
>
> Yes, this is strange, adding the .jars in the server start script should do.
>
> The server side does not need a TPM so should be fine with just TSP, which
> is needed for some data structures and helper functions. This works with
> jTSS 0.1. That TCS is also required with jTSS 0.2 is an unfortunate bug.
> Sorry about that, but our manpower is limited and we cannot
> test all functions with all combinations of packages....
>
>
>> If I ask my server for an EK certificate, the answer is:
>>
>> Validating XKMS message signature using certificate:
>> CN=IAIK OpenTC XKMS Test Responder,OU=IAIK trusted computing
>> labs,O=Graz University of Technology,C=AT
>> XKMS Result message signature is INVALID.
>>
>> received EK certificate #20080118133421135
>> exported to file: tybble_ek.cert
>>
>> That does not happen with your server.
>>
>
> Our server uses the certificate chains available from:
> http://opentc.iaik.tugraz.at/index.php?item=certs
> Also, the release package of JTpmTools is preloaded with the
> proper certificates, see PCA README, section 2.4.2, last paragraph.
>
> If you set up your own PCA you have to generate new certificates.
> The server signs every answer with the XKMS private key. It is expected
> JTpmTools has access to the proper certificate with the public key, then
> "result message signature" will validate ok.
>
>
>> I think the following server error is a consequence of the one above:
>>
>> javax.crypto.BadPaddingException: Invalid PKCS#1 padding: no leading zero!
>>         at iaik.pkcs.pkcs1.b.b(Unknown Source)
>>         at iaik.pkcs.pkcs1.RSACipher.a(Unknown Source)
>>         at iaik.pkcs.pkcs1.RSACipher.engineDoFinal(Unknown Source)
>>         at javax.crypto.Cipher.doFinal(DashoA13*..)
>>         at iaik.tc.apps.jtt.aik.PrivacyCa.decryptIdentityReqBlob(PrivacyCa.java:246)
>>
>
> The PCA server fails on decryption of the request blob. JTpmTools encrypts the
> request blob (as per specification) with the public key contained in the
> PCA certificate. If you did not replace the PCA certificate shipped
> originally with JTpmTools it will not decrypt....
>
>
>>         at iaik.tc.apps.jtt.aik.PrivacyCa.processRequest(PrivacyCa.java:163)
>>         at iaik.tc.apps.pki.server.cmd.RPRegisterCreateAIK.process(RPRegisterCreateAIK.java:64)
>>         at iaik.xkms.server.handler.AbstractHandler.handleRequest(AbstractHandler.java:122)
>>         at iaik.xkms.server.handler.HTTPHandler.run(HTTPHandler.java:139)
>>
>
>
>> Regards and thanks for the help!
>>
>
> One day this will all be plug'n'play.... ;-)
>
> Martin
>

-- 
Carolin Latze
Research Assistant
Department of Computer Science
Boulevard de Pérolles 90
CH-1700 Fribourg
phone: +41 26 300 83 30
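The two failures discussed in the thread (the XKMS result signature reported as INVALID, and the PCA's BadPaddingException "no leading zero") are both symptoms of the same thing: the client still holds the certificate shipped with JTpmTools, while the self-installed server uses freshly generated keys. The script below is an added example, not code from jTSS, JTpmTools or this thread. It uses a toy RSA (keys built from Mersenne primes, deterministic padding, no DigestInfo) so it runs offline and reproducibly; the key pairs, the identity-request blob and the XKMS result body are all constructed stand-ins, and every function name is hypothetical. It shows (1) RSAES-PKCS1-v1_5 decryption succeeding with the key that matches the certificate the client encrypted to, and the padding check failing with an unrelated PCA key, and (2) an XKMS answer signed by the local server verifying against the local certificate but not against the shipped one.

```python
"""Toy reproduction of the two certificate/key mismatches in the thread above.

Constructed example, not code from jTSS or JTpmTools.  The RSA keys are built
from Mersenne primes so the script is deterministic and offline; they are far
too small and structured to be secure and only illustrate the key-matching logic.
"""
import hashlib

E = 65537  # public exponent; coprime to every (p-1)(q-1) used below


def make_key(p, q):
    """Build a toy RSA key pair (hypothetical helper, not a jTSS API)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8  # modulus length in bytes
    return {"n": n, "e": E, "d": d, "k": k}


# Assumed key material: the key behind the PCA certificate that JTpmTools ships
# with, and the key a self-installed PCA actually holds.  Unrelated to each other.
SHIPPED_PCA_KEY = make_key(2**127 - 1, 2**521 - 1)
LOCAL_PCA_KEY = make_key(2**107 - 1, 2**607 - 1)


def pkcs1_encrypt(pub, msg):
    """RSAES-PKCS1-v1_5: EM = 00 02 <non-zero PS, >= 8 bytes> 00 M."""
    k = pub["k"]
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    # Deterministic non-zero filler so the example is reproducible; a real
    # implementation MUST use random non-zero bytes here.
    ps = bytes((i * 7) % 255 + 1 for i in range(ps_len))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), pub["e"], pub["n"]).to_bytes(k, "big")


def pkcs1_decrypt(priv, blob):
    """Undo RSAES-PKCS1-v1_5; the checks mirror the error the thread shows."""
    k = priv["k"]
    em = pow(int.from_bytes(blob, "big"), priv["d"], priv["n"]).to_bytes(k, "big")
    if em[0] != 0x00:
        raise ValueError("Invalid PKCS#1 padding: no leading zero!")
    if em[1] != 0x02:
        raise ValueError("Invalid PKCS#1 padding: wrong block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # separator missing, or padding string shorter than 8 bytes
        raise ValueError("Invalid PKCS#1 padding: bad padding string")
    return em[sep + 1:]


def sign(priv, data):
    """Toy RSASSA-PKCS1-v1_5 over SHA-256 (DigestInfo prefix omitted)."""
    k = priv["k"]
    h = hashlib.sha256(data).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(h) - 3) + b"\x00" + h
    return pow(int.from_bytes(em, "big"), priv["d"], priv["n"]).to_bytes(k, "big")


def verify(pub, data, sig):
    """Recover EM with the public key of the certificate we hold and compare."""
    k = pub["k"]
    em = pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]).to_bytes(k, "big")
    h = hashlib.sha256(data).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(h) - 3) + b"\x00" + h


# Constructed stand-ins, not real TPM or XKMS structures.
IDENTITY_REQ_BLOB = b"TPM_IDENTITY_REQ constructed stand-in"
XKMS_RESULT = b"<KeyBindingResponse>constructed stand-in</KeyBindingResponse>"


def pca_process(priv, encrypted_blob):
    """What a PCA does with the request: decrypt, or report why it could not."""
    try:
        return ("ok", pkcs1_decrypt(priv, encrypted_blob))
    except ValueError as exc:
        return ("error", str(exc))


def run_scenarios():
    # Client side: encrypt the blob to the public key of the PCA certificate it
    # holds, which is still the shipped one.
    enc = pkcs1_encrypt(SHIPPED_PCA_KEY, IDENTITY_REQ_BLOB)
    # Server side: the local XKMS responder signs its answer with its own key.
    sig = sign(LOCAL_PCA_KEY, XKMS_RESULT)
    return {
        "pca_with_matching_key": pca_process(SHIPPED_PCA_KEY, enc),
        "pca_with_local_key": pca_process(LOCAL_PCA_KEY, enc),
        "result_sig_vs_local_cert": verify(LOCAL_PCA_KEY, XKMS_RESULT, sig),
        "result_sig_vs_shipped_cert": verify(SHIPPED_PCA_KEY, XKMS_RESULT, sig),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running it prints one line per scenario: the matching key recovers the blob, the unrelated key almost always trips the "no leading zero" check (decrypting with the wrong key yields an essentially random block, so the 00 02 prefix is absent), and the signature verifies only against the certificate whose key actually signed. The fix on a self-installed PCA is the one Martin describes: install the newly generated PCA and XKMS certificates on the JTpmTools side so the client encrypts to, and verifies with, the keys the server really holds. Nothing here models the AIK itself; its private half is generated by and stays inside the TPM, which is why the PCA only ever sees the public key in the identity request.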