From: Ronald T. <ron...@ia...> - 2008-10-01 13:16:56
Hi John,

Thanks for the detailed report. Also thank you for debugging it up into the decoding step, which usually is not fun. :-)

We did not encounter this specific problem before (checking this out took some time as I was out of office and had issues with remote access).

The behaviour you describe indicated that the authenticated command session is not properly continued by the TPM Emulator (i.e. outdata=0). Our experience with the TPM Emulator is that the commands associated with key certification are rather incomplete and buggy. Also, based on experience, the Infineon implementations usually get things right (with exceptions of course).

Perhaps the best idea is to report this to the Emulator developers.

Ronald

John Lyle wrote:
> Hi,
>
> I'm having some problems using the Java TSS and the CertifyKey
> operation. I'm not entirely sure where the problem lies (it may be with
> the JTSS or TPM Emulator) but I'm hoping you can help me to narrow it down.
>
> I'm creating a key bound to certain PCR values. My code (largely copied
> from the examples) is included at the end. This works very well on an
> Infineon 1.2 TPM on a HP nc6320 laptop. However, when using the exact
> same code with a tpm emulator, running on a vmware linux image on an
> iMac, it fails with a null pointer.
>
> The error is normally about line 3252 in
> TcTspInternal.TspCertifyKey_Internal:
>
> ...
> TcBlobData[] blob1Hout = { // 1H
>     blobUINT32(resultCode), // 1S
>     blobUINT32(ordinal), // 2S
>     certifyInfoBlob, // 3S
>     blobUINT32(outData.getLengthAsLong()), // 4S
>     outData }; // 5S
> ...
>
> Having debugged the code for a while and comparing with the working
> version, I've found the problem to be that the outData object is null.
> This seems to be because of the following lines:
>
> TcTpmCmdCrypto.TpmCertifyKey(TcIStreamDest, long, long, TcTpmNonce,
> TcTcsAuth, TcTcsAuth) line: 422
> ...
> long outDataSize = outBlob.decodeUINT32();
> TcBlobData outData = outBlob.decodeBytes(outDataSize);
> ...
>
> In the above method the return from decodeUINT32() is an extremely large
> number, and so decodeBytes fails. This isn't a problem with the laptop,
> where the return is always 256. Going deeper, this seems to be a
> problem with:
>
> TcBasicTypeDecoder.decodeUINT32() line 111:
> ...
> short[] elements = blob_.getRangeAsShortArray(offset_, len);
> ...
>
> Which is using the wrong offset. On the laptop, where this works, the
> offset is always 134 and the elements returned tend to be [0, 0, 1, 0].
> This makes the decoding behave as expected. Using the TPM Emulator on
> the Mac, the offset is 149, which returns an array filled with much
> larger elements. The rest of the decodeUINT32 method then obviously
> calculates the wrong value. Interestingly, the outData blob data
> lengths are also slightly different.
>
> If you have any suggestions as to how this problem could be solved, that
> would be greatly appreciated. Is this more likely to be a problem with
> the TPM emulator?
>
> Many thanks,
>
> John
>
>
> My code:
> ----------------------------
>
> // create a key
> TcIRsaKey key1 = getContext().createRsaKeyObject(
>     TcTssConstants.TSS_KEY_TYPE_LEGACY);
>
> key1.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>     TcTssConstants.TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
>     TcTssConstants.TSS_ES_RSAESPKCSV15);
>
> // assign key usage policies
> keyUsgPolicy.assignToObject(key1);
> keyMigPolicy.assignToObject(key1);
>
> // create a PcrComposite, connecting with all the PCR values.
> TcIPcrComposite pcrComp = getContext().createPcrCompositeObject(0);
> for (int pcr : pcrs) {
>     pcrComp.setPcrValue(pcr, getContext().getTpmObject().pcrRead(pcr));
> }
>
> key1.createKey(srk, pcrComp);
>
> key1.loadKey(srk);
>
> TcTssValidation validation = key1.certifyKey(aik, null);
>
> ---------------------------
>

--
Dipl.-Ing. Ronald Tögl            phone +43 316/873-5502
Trusted Computing Labs            fax   +43 316/873-5520
IAIK                              ron...@ia...
Graz University of Technology     http://www.iaik.tugraz.at
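
The length-prefixed decode discussed in this thread, as an added example that is not part of either message and is not jTSS code: it reads a big-endian UINT32 length and checks it against the bytes remaining, so a misaligned offset is reported at the decode step. The class and method names are hypothetical and the response buffer is constructed; only the offsets 134 and 149 and the length 256 are taken from the report above.

```java
import java.nio.ByteBuffer;
import java.util.Arrays;

// Added illustration, not jTSS code: class and method names are hypothetical.
public class SizedFieldDecoder {
    private final byte[] blob;
    private int offset;

    SizedFieldDecoder(byte[] blob, int offset) { this.blob = blob; this.offset = offset; }

    // Reads a big-endian unsigned 32-bit value, the byte order TPM 1.2 uses for UINT32.
    long decodeUINT32() {
        if (blob.length - offset < 4) {
            throw new IllegalStateException("truncated UINT32 at offset " + offset);
        }
        // Mask to keep the value unsigned; getInt() alone would go negative above 2^31-1.
        long value = ByteBuffer.wrap(blob, offset, 4).getInt() & 0xFFFFFFFFL;
        offset += 4;
        return value;
    }

    // Reads a length-prefixed field and rejects a length larger than the remaining bytes,
    // so a wrong offset fails here with a clear message instead of further downstream.
    byte[] decodeSizedBytes() {
        int lengthAt = offset;
        long size = decodeUINT32();
        int remaining = blob.length - offset;
        if (size > remaining) {
            throw new IllegalStateException("length " + size + " at offset " + lengthAt
                    + " exceeds the " + remaining + " bytes remaining");
        }
        byte[] out = Arrays.copyOfRange(blob, offset, offset + (int) size);
        offset += out.length;
        return out;
    }

    public static void main(String[] args) {
        // Constructed response: 134 filler bytes, UINT32 length [0, 0, 1, 0], 256 data bytes.
        byte[] blob = new byte[134 + 4 + 256];
        Arrays.fill(blob, (byte) 0xA5);
        blob[134] = 0; blob[135] = 0; blob[136] = 1; blob[137] = 0;

        // Aligned read: the length field decodes to 256 and the field is returned.
        System.out.println(new SizedFieldDecoder(blob, 134).decodeSizedBytes().length);
        try {
            // Misaligned read: data bytes are interpreted as a length and rejected.
            new SizedFieldDecoder(blob, 149).decodeSizedBytes();
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```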