From: Arshad N. <ars...@st...> - 2009-10-02 02:50:33
Thank you for the response and the document link, Ronald. The PDF was
so much clearer than the TCG specification, and the clouds parted a
little more. :-)

While I progressed beyond the error I reported in this thread, I now
have a new error at createMigrationBlob() as follows:

Exception in thread "main" java.lang.NullPointerException
        at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCreateMigrationBlob_Internal(TcTspInternal.java:2134)
        at iaik.tc.tss.impl.java.tsp.TcRsaKey.createMigrationBlob(TcRsaKey.java:554)
        at jtss.RewrapKey.main(RewrapKey.java:189)

I do have a migration ticket that is created and authorized for the
destination TPM; what I don't know is if the internal structure of the
RsaKey of the destination TPM is OK; you will probably know more from
this exception message.

Here are some snippets of the relevant code I'm using (I am trying to
move a Binding key from the Dell to the HP machine this time, so the
hprsakey is the destination PublicKey):

----------------------------
...
// Create the destination key container
TcIRsaKey hprsakey = tpmctx.createRsaKeyObject(
        TcTssConstants.TSS_KEY_TYPE_STORAGE |
        TcTssConstants.TSS_KEY_SIZE_2048 |
        TcTssConstants.TSS_KEY_VOLATILE |
        TcTssConstants.TSS_KEY_AUTHORIZATION |
        TcTssConstants.TSS_KEY_NOT_MIGRATABLE);
...
...
// Convert Java Public Key to TcIRsaKey
TcTpmPubkey hppubkey = TcCrypto.pubJavaToTpmKey(hppemkey);
hprsakey.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
        TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
        hppubkey.getEncoded());
hprsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
        TcTssConstants.TSS_TSPATTRIB_KEYINFO_ALGORITHM,
        TcTssConstants.TSS_ALG_RSA);
hprsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
        TcTssConstants.TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
        TcTssConstants.TSS_ES_RSAESOAEP_SHA1_MGF1);
hprsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
        TcTssConstants.TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
        TcTssConstants.TSS_SS_RSASSAPKCS1V15_SHA1);
System.out.println("HP SRK PublicKey parameters set..");
...
...
TcTpmMigrationkeyAuth migticket =
        tpm.authorizeMigrationTicket(hprsakey, TcTssConstants.TSS_MS_REWRAP);

// Create the migration blob (throws exception)
TcBlobData migblob[] = srckey.createMigrationBlob(srk, migticket);
----------------------------

Any hint what might be throwing this new exception? Thank you for your
attention to this.

Arshad Noor
StrongAuth, Inc.

P.S. BTW, the JTSS API for TcITpm is a little different from the TCG
specification for the following method/function; the TCG documentation
states the function is TPM_AuthorizeMigrationKey (Section 11.3 Page 94)
while the TcITpm API has "authorizeMigrationTicket". Given that the
method is authorizing an RsaKey for use with a migration ticket, it
seems that the TCG name is a little clearer. Just an FYI. I am,
however, very impressed with JTSS so far. :-)

Ronald Tögl wrote:
>
> Hello Arshad,
>
> I agree that the TCG specifications are not very helpful. The best intro
> on the topic I could find is
> http://www.ei.rub.de/media/ei/lehrmaterialien/trusted-computing/KeyReplication_.pdf
>
> As far as I remember we had some problems with TPM_MigrateKey last year,
> also concerning different TPM implementations.
>
> For the dellrsakey object, make sure to use appropriate flags when first
> initializing the object with TcIContext.createRsaKeyObject(..). As you
> already have the RSA primes in place, you do not need to use
> createKey(). You should be able to do loadKey() instead.
>
> I hope this helps a little bit,
> Ronald
>
> Arshad Noor wrote:
>> Hi,
>>
>> I'm having some trouble getting key-migration to work between
>> two machines with TPMs. My environment is as follows:
>>
>> Machine 1
>> ---------
>> TPM: STM v1.2
>> OS: CentOS 5.3 (64-bit)
>> JDK: 6 Update 16 (64-bit)
>> JTSS: 0.4.1
>>
>> Machine 2
>> ---------
>> TPM: Infineon v1.2
>> OS: CentOS 5.3 (64-bit)
>> JDK: 6 Update 16 (64-bit)
>> JTSS: 0.4.1
>>
>> First comment that worries me is that the JTSS test code has
>> explicitly commented out sections related to the Infineon TPM
>> as not working; can someone elaborate what might be causing
>> the migration to not work?
>>
>> I've plowed ahead and tried to see if I could get a Binding
>> key generated on Machine 2 migrated to Machine 1. To enable
>> this, I:
>>
>> 1) Exported the Public Key of a non-migratable Storage Key from
>>    Machine 1 (the target destination for the migration) into a
>>    PEM-encoded file;
>> 2) Transferred it to Machine 2 (the source for the migration);
>> 3) Created a TcTpmPubKey from the Java RSAPublicKey on Machine 2;
>> 4) Tried to create a TcIRsaKey from the TcTpmPubKey by setting
>>    the following parameters (dellrsakey is the Public Key from
>>    the destination machine - Machine 1):
>>
>> dellrsakey.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
>>         TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
>>         dellpubkey.getEncoded());
>>
>> dellrsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>>         TcTssConstants.TSS_TSPATTRIB_KEYINFO_ALGORITHM,
>>         TcTssConstants.TSS_ALG_RSA);
>>
>> dellrsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO,
>>         TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_PRIMES, 2);
>>
>> dellrsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>>         TcTssConstants.TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
>>         TcTssConstants.TSS_ES_RSAESOAEP_SHA1_MGF1);
>>
>> However, the migrateKey() method on Machine 2 throws the following
>> exception:
>>
>> ----------------------
>> iaik.tc.tss.api.exceptions.tsp.TcTspException:
>> TSS Error:
>>   error layer: 0x3000 (TSP)
>>   error code (without layer): 0x010e
>>   error code (full): 0x310e
>>   error message: The addressed key is currently not loaded.
>>   additional info: publicKey is not loaded or key handle is invalid.
>>
>>   at iaik.tc.tss.impl.java.tsp.TcWorkingObject.checkKeyHandleNotNull(TcWorkingObject.java:113)
>>   at iaik.tc.tss.impl.java.tsp.TcRsaKey.migrateKey(TcRsaKey.java:357)
>>   at jtss.MigrateKey2.main(MigrateKey2.java:200)
>> ----------------------
>>
>> I presume this has to do with internal handles set up by the Impl
>> of the Context when createKey() is called by an RsaKey object.
>>
>> Upon trying to use createKey() on a TcIRsaKey using the TcIRsaKey
>> object, even after setting up the above-mentioned attributes, I get
>> the following exception:
>>
>> ----------------------
>> iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>>
>> TSS Error:
>>   error layer: 0x00 (TPM)
>>   error code (without layer): 0x28
>>   error code (full): 0x28
>>   error message: The key properties in TPM_KEY_PARMs are not supported
>>   by this TPM
>>
>>   at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
>>   at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdStorage.TpmCreateWrapKey(TcTpmCmdStorage.java:316)
>>   at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipCreateWrapKey(TcTcsi.java:754)
>>   at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipCreateWrapKey(TcTcsBindingLocal.java:450)
>>   at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCreateWrapKey_Internal(TcTspInternal.java:1842)
>>   at iaik.tc.tss.impl.java.tsp.TcRsaKey.createKey(TcRsaKey.java:525)
>>   at jtss.MigrateKey2.main(MigrateKey2.java:187)
>> ----------------------
>>
>> So, how does one create a TcIRsaKey from a public key of another TPM
>> to perform the key-migration? JTSS does not seem to offer an API to
>> make this possible and the only example in your test code (where a
>> TcIRsaKey is generated for a public key) is commented out because it
>> doesn't work on an Infineon or Atmel.
>>
>> So, how does one migrate a migratable key from one TPM to another in
>> the simplest possible manner using JTSS? A high-level explanation of
>> the steps would be extremely helpful; the TCG documents are not very
>> helpful or clear in this matter. Thanks.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> _______________________________________________
>> Trustedjava-support mailing list
>> Tru...@li...
>> https://lists.sourceforge.net/lists/listinfo/trustedjava-support
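For reference, the two halves of a TSS_MS_REWRAP migration sequenced with the JTSS calls named in this thread: the source side builds a public-key-only container for the destination storage key, obtains the owner-authorized ticket and creates the blob; the destination side converts the blob under its own storage key and loads it. This is an added example, not code from the thread or from the JTSS project. Assumed rather than taken from the thread: the package layout behind the wildcard imports, the destination-side convertMigrationBlob() (the JTSS counterpart of Tspi_Key_ConvertMigrationBlob), and that createMigrationBlob() returns the array as { random, migrationBlob }.

```java
import iaik.tc.tss.api.constants.tsp.*;
import iaik.tc.tss.api.structs.common.*;
import iaik.tc.tss.api.structs.tpm.*;
import iaik.tc.tss.api.tspi.*;
import iaik.tc.tss.impl.java.tsp.*;        // assumed home of TcCrypto
import java.security.interfaces.RSAPublicKey;

public final class RewrapMigration {

    /** Source TPM side. srcKey and srcParent must already be loaded, and the
     *  TPM object's usage policy must carry the owner secret for the ticket. */
    static TcBlobData[] exportForDestination(TcIContext ctx, TcIRsaKey srcKey,
            TcIRsaKey srcParent, RSAPublicKey destStoragePub) throws Exception {
        // Container for the destination's public key only: it is never loaded
        // into the source TPM, so neither createKey() nor loadKey() is needed.
        TcIRsaKey dest = ctx.createRsaKeyObject(TcTssConstants.TSS_KEY_TYPE_STORAGE
                | TcTssConstants.TSS_KEY_SIZE_2048 | TcTssConstants.TSS_KEY_VOLATILE
                | TcTssConstants.TSS_KEY_NOT_MIGRATABLE);
        TcTpmPubkey destPub = TcCrypto.pubJavaToTpmKey(destStoragePub);
        dest.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
                TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, destPub.getEncoded());
        dest.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
                TcTssConstants.TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
                TcTssConstants.TSS_ES_RSAESOAEP_SHA1_MGF1);
        // Owner-authorized ticket binding this migration to destPub.
        TcTpmMigrationkeyAuth ticket = ctx.getTpmObject()
                .authorizeMigrationTicket(dest, TcTssConstants.TSS_MS_REWRAP);
        // REWRAP: the source TPM unwraps srcKey under srcParent and re-encrypts
        // the private part directly under destPub; the random blob is unused.
        return srcKey.createMigrationBlob(srcParent, ticket); // assumed {random, blob}
    }

    /** Destination TPM side. destParent is the loaded storage key whose public
     *  half was exported to the source; its usage secret is set on its policy. */
    static TcIRsaKey importFromSource(TcIContext ctx, TcIRsaKey destParent,
            TcBlobData random, TcBlobData migrationBlob) throws Exception {
        TcIRsaKey key = ctx.createRsaKeyObject(TcTssConstants.TSS_KEY_TYPE_BIND
                | TcTssConstants.TSS_KEY_SIZE_2048 | TcTssConstants.TSS_KEY_MIGRATABLE);
        // Assumed JTSS name: rewraps the blob under destParent and stores the
        // resulting key blob in this object.
        key.convertMigrationBlob(destParent, random, migrationBlob);
        key.loadKey(destParent);               // now usable on the destination
        return key;
    }
}
```

The key handed to exportForDestination must have been created migratable on the source, since TPM_CreateMigrationBlob rejects non-migratable keys, and the public key passed in must be that of the very storage key later used as destParent.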