From: Simon M. <sim...@in...> - 2009-07-13 09:52:45
Hello,

thanks, that helped.

Another question: I embedded your apki client into my source and I was able to get the ekcredential and the aikcredential. I was also able to verify them. That works great!

I would like to attest to another party that my signingKey belongs to a TPM, by signing the certificate for the signingKey through the AIK. This operation leads me to an error:

    creating the certificate
    ....
    cert.setSignatureAlgorithm(AlgorithmID.sha1WithRSAEncryption);
    byte[] toBeSignedCertificate = cert.getTBSCertificate();
    TcBlobData data = TcBlobData.newByteArray(toBeSignedCertificate);
    TcIHash hash = context_.createHashObject(TcTssConstants.TSS_HASH_SHA1);
    hash.updateHashValue(data);
    TcBlobData signature = hash.sign(aik);
    entityTPMCertificate.setSignature(signature.asByteArray());

error:

    TSS Error:
    error layer: 0x00 (TPM)
    error code (without layer): 0x24
    error code (full): 0x24
    error message: The usage of a key is not allowed

I created the AIK key with the following flags:

    aik = context_.createRsaKeyObject(TcTssConstants.TSS_KEY_TYPE_IDENTITY
            | EntityTPMDefines.AIK_KEY_SIZE
            | TcTssConstants.TSS_KEY_AUTHORIZATION
            | TcTssConstants.TSS_KEY_VOLATILE
            | TcTssConstants.TSS_KEY_NOT_MIGRATABLE);

and the signingKey with the following:

    signingKey = context_
            .createRsaKeyObject(TcTssConstants.TSS_KEY_SIZE_2048
            | TcTssConstants.TSS_KEY_TYPE_SIGNING
            | TcTssConstants.TSS_KEY_MIGRATABLE);

If I change the TSS_KEY_TYPE_IDENTITY to TSS_KEY_TYPE_SIGNING it all works fine. But it has to be an AIK in my scenario.

Do you have any suggestions?

Best regards
Simon

Martin Pirker wrote:
> Simon Mittelberger wrote:
>
>> Hello,
>>
>
> Hi...
>
> Your emails unfortunately got delivered in the reverse order you sent them.
>
>
>> I am currently trying to create an EKCertificate, but I get this exception:
>>
>> Exception in thread "main" java.lang.RuntimeException: BUG? cannot
>> convert key to OAEP
>>     at iaik.tc.cert.common.Common.publicRSAtoPublicRSAOAEP(Common.java:352)
>>     at iaik.tc.cert.EKCertificate.create(EKCertificate.java:150)
>>     ....
>>
>
> While RSA-OAEP is supported somewhat in standard Java runtime since
> Java 5, I don't think it is complete enough.
>
> So did you initialise the IAIK-JCE library in your program first
> for full crypto support needed by TCcert?
> You need to do this at least once at the beginning of your program:
>
>     import iaik.security.provider.IAIK;
>
>     IAIK.addAsProvider();
>
>
> HTH,
> Martin
>