From: Arshad N. <ars...@st...> - 2009-09-28 00:35:06
Hi,

I'm having some trouble getting key migration to work between two machines with TPMs. My environment is as follows:

Machine 1
---------
TPM: STM v1.2
OS: CentOS 5.3 (64-bit)
JDK: 6 Update 16 (64-bit)
JTSS: 0.4.1

Machine 2
---------
TPM: Infineon v1.2
OS: CentOS 5.3 (64-bit)
JDK: 6 Update 16 (64-bit)
JTSS: 0.4.1

The first thing that worries me is that the JTSS test code has explicitly commented out sections related to the Infineon TPM as not working; can someone elaborate on what might be causing the migration not to work?

I've plowed ahead and tried to see if I could get a Binding key generated on Machine 2 migrated to Machine 1. To enable this, I:

1) Exported the public key of a non-migratable Storage Key from Machine 1 (the target destination for the migration) into a PEM-encoded file;
2) Transferred it to Machine 2 (the source for the migration);
3) Created a TcTpmPubKey from the Java RSAPublicKey on Machine 2;
4) Tried to create a TcIRsaKey from the TcTpmPubKey by setting the following parameters (dellrsakey is the public key from the destination machine, Machine 1):

    dellrsakey.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
        TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
        dellpubkey.getEncoded());
    dellrsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
        TcTssConstants.TSS_TSPATTRIB_KEYINFO_ALGORITHM,
        TcTssConstants.TSS_ALG_RSA);
    dellrsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO,
        TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_PRIMES, 2);
    dellrsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
        TcTssConstants.TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
        TcTssConstants.TSS_ES_RSAESOAEP_SHA1_MGF1);

However, the migrateKey() method on Machine 2 throws the following exception:

----------------------
iaik.tc.tss.api.exceptions.tsp.TcTspException: TSS Error:
error layer: 0x3000 (TSP)
error code (without layer): 0x010e
error code (full): 0x310e
error message: The addressed key is currently not loaded.
additional info: publicKey is not loaded or key handle is invalid.
    at iaik.tc.tss.impl.java.tsp.TcWorkingObject.checkKeyHandleNotNull(TcWorkingObject.java:113)
    at iaik.tc.tss.impl.java.tsp.TcRsaKey.migrateKey(TcRsaKey.java:357)
    at jtss.MigrateKey2.main(MigrateKey2.java:200)
----------------------

I presume this has to do with internal handles set up by the Impl of the Context when createKey() is called by an RsaKey object. Upon trying to call createKey() on the TcIRsaKey object, even after setting up the above-mentioned attributes, I get the following exception:

----------------------
iaik.tc.tss.api.exceptions.tcs.TcTpmException: TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x28
error code (full): 0x28
error message: The key properties in TPM_KEY_PARMs are not supported by this TPM
    at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
    at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdStorage.TpmCreateWrapKey(TcTpmCmdStorage.java:316)
    at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipCreateWrapKey(TcTcsi.java:754)
    at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipCreateWrapKey(TcTcsBindingLocal.java:450)
    at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCreateWrapKey_Internal(TcTspInternal.java:1842)
    at iaik.tc.tss.impl.java.tsp.TcRsaKey.createKey(TcRsaKey.java:525)
    at jtss.MigrateKey2.main(MigrateKey2.java:187)
----------------------

So, how does one create a TcIRsaKey from the public key of another TPM to perform the key migration? JTSS does not seem to offer an API to make this possible, and the only example in your test code (where a TcIRsaKey is generated for a public key) is commented out because it doesn't work on an Infineon or Atmel.

So, how does one migrate a migratable key from one TPM to another in the simplest possible manner using JTSS? A high-level explanation of the steps would be extremely helpful; the TCG documents are not very helpful or clear in this matter.

Thanks.
Arshad Noor
StrongAuth, Inc.
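The post above hinges on handing the source TPM a public-key structure for the destination's storage key that the TPM will accept; return code 0x28 (TPM_BAD_KEY_PROPERTY) is the TPM rejecting the TPM_KEY_PARMS it was given. The following is an added example, written for this page and not code from the poster or from the jTSS project. It builds and parses the TPM 1.2 wire structure TPM_PUBKEY (TPM_KEY_PARMS followed by TPM_STORE_PUBKEY, as laid out in TCG TPM Main Part 2) from a modulus and exponent, which is the data a Java RSAPublicKey exposes and a TPM_PUBKEY object such as jTSS's TcTpmPubKey carries, and it lists the properties a TPM 1.2 storage key must have (RSA, OAEP-SHA1-MGF1 encryption scheme, no signature scheme, 2048-bit modulus, two primes, default exponent). The modulus used as sample input is a constructed placeholder, not a real RSA modulus; the function and field names are this example's own.

```python
"""Encode and decode a TPM 1.2 TPM_PUBKEY and check storage-key constraints.

Added example for illustration; not part of jTSS. Layout and constants follow
TCG TPM Main Part 2 (Structures) v1.2.
"""
import struct

TPM_ALG_RSA = 0x00000001
TPM_ES_NONE = 0x0001
TPM_ES_RSAESPKCSv15 = 0x0002
TPM_ES_RSAESOAEP_SHA1_MGF1 = 0x0003
TPM_SS_NONE = 0x0001
TPM_SS_RSASSAPKCS1v15_SHA1 = 0x0002
DEFAULT_EXPONENT = 65537  # exponentSize == 0 on the wire means 2^16 + 1

# Constructed placeholder with a 2048-bit length; NOT a real RSA modulus.
SAMPLE_MODULUS = (1 << 2047) | 0xC0FFEE01


def encode_tpm_pubkey(modulus, exponent=DEFAULT_EXPONENT,
                      enc_scheme=TPM_ES_RSAESOAEP_SHA1_MGF1,
                      sig_scheme=TPM_SS_NONE, num_primes=2):
    """Serialize TPM_KEY_PARMS || TPM_STORE_PUBKEY, all fields big-endian."""
    mod_bytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    exp_bytes = (b"" if exponent == DEFAULT_EXPONENT
                 else exponent.to_bytes((exponent.bit_length() + 7) // 8, "big"))
    # TPM_RSA_KEY_PARMS: keyLength (bits), numPrimes, exponentSize, exponent
    rsa_parms = struct.pack(">III", len(mod_bytes) * 8, num_primes,
                            len(exp_bytes)) + exp_bytes
    # TPM_KEY_PARMS: algorithmID, encScheme, sigScheme, parmSize, parms
    key_parms = struct.pack(">IHHI", TPM_ALG_RSA, enc_scheme, sig_scheme,
                            len(rsa_parms)) + rsa_parms
    # TPM_STORE_PUBKEY: keyLength (bytes), key (the modulus)
    store_pubkey = struct.pack(">I", len(mod_bytes)) + mod_bytes
    return key_parms + store_pubkey


def decode_tpm_pubkey(blob):
    """Parse a TPM_PUBKEY, rejecting truncation, trailing data and bad sizes."""
    def take(fmt, off):
        size = struct.calcsize(fmt)
        if off + size > len(blob):
            raise ValueError("truncated TPM_PUBKEY at offset %d" % off)
        return struct.unpack_from(fmt, blob, off), off + size

    (alg, enc, sig, parm_size), off = take(">IHHI", 0)
    if alg != TPM_ALG_RSA:
        raise ValueError("algorithmID 0x%08x is not TPM_ALG_RSA" % alg)
    (key_bits, num_primes, exp_size), off = take(">III", off)
    if parm_size != 12 + exp_size:
        raise ValueError("parmSize %d does not match TPM_RSA_KEY_PARMS" % parm_size)
    if off + exp_size > len(blob):
        raise ValueError("truncated exponent")
    exp_bytes = blob[off:off + exp_size]
    off += exp_size
    exponent = DEFAULT_EXPONENT if exp_size == 0 else int.from_bytes(exp_bytes, "big")
    (mod_len,), off = take(">I", off)
    if off + mod_len > len(blob):
        raise ValueError("truncated modulus")
    mod_bytes = blob[off:off + mod_len]
    off += mod_len
    if off != len(blob):
        raise ValueError("%d trailing bytes after TPM_PUBKEY" % (len(blob) - off))
    if len(mod_bytes) * 8 != key_bits:
        raise ValueError("keyLength %d bits disagrees with %d-byte modulus"
                         % (key_bits, len(mod_bytes)))
    return {"encScheme": enc, "sigScheme": sig, "keyLength": key_bits,
            "numPrimes": num_primes, "exponent": exponent,
            "modulus": int.from_bytes(mod_bytes, "big")}


def is_valid_tpm_pubkey(blob):
    try:
        decode_tpm_pubkey(blob)
        return True
    except ValueError:
        return False


def storage_key_parms_problems(pk):
    """Return the TPM 1.2 storage-key constraints a parsed TPM_PUBKEY violates.

    A TPM that sees one of these in TPM_CreateWrapKey answers with
    TPM_BAD_KEY_PROPERTY (0x28).
    """
    problems = []
    if pk["encScheme"] != TPM_ES_RSAESOAEP_SHA1_MGF1:
        problems.append("encScheme must be TPM_ES_RSAESOAEP_SHA1_MGF1")
    if pk["sigScheme"] != TPM_SS_NONE:
        problems.append("sigScheme must be TPM_SS_NONE")
    if pk["keyLength"] != 2048:
        problems.append("keyLength must be 2048 bits")
    if pk["numPrimes"] != 2:
        problems.append("numPrimes must be 2")
    if pk["exponent"] != DEFAULT_EXPONENT:
        problems.append("exponent must be the default 2^16+1")
    return problems


if __name__ == "__main__":
    blob = encode_tpm_pubkey(SAMPLE_MODULUS)
    print("TPM_PUBKEY is %d bytes; header: %s" % (len(blob), blob[:24].hex()))
    print("storage-key problems:", storage_key_parms_problems(decode_tpm_pubkey(blob)))
```

At the TPM-command level (TCG TPM Main Part 3), the destination's storage TPM_PUBKEY is what the source side's owner feeds to TPM_AuthorizeMigrationKey to obtain a TPM_MIGRATIONKEYAUTH; that ticket goes into TPM_CreateMigrationBlob on the source TPM, and the resulting blob is turned into a loadable key under the destination parent by TPM_ConvertMigrationBlob there. How jTSS names the wrappers for those three commands is not shown on this page, so the example stops at the structure those commands consume.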