From: Arshad N. <ars...@st...> - 2009-10-02 18:10:15
Ronald,

I have confirmed that the Migration Ticket is not null; here are the
contents of the migration ticket if it is of any help. The exception,
unfortunately, continues to show up. Thanks.

Arshad Noor
StrongAuth, Inc.

--------------
migrationKey:
  algorithmParms:
    algorithmID: 1
    encScheme: 3
    sigScheme: 2
    parmSize: 12
    parms: 00 00 08 00 00 00 00 02 00 00 00 00
  pubKey:
    keyLength: 256
migrationScheme: 2
digest:
  digest: c1 0c 5e 5e d8 d4 b7 54 69 43 10 de 94 df 6f 6b b4 eb 0a 46
--------------

Arshad Noor wrote:
> Thank you for the response and the document link, Ronald. The PDF
> was so much clearer than the TCG specification, and the clouds parted
> a little more. :-)
>
> While I progressed beyond the error I reported in this thread, I now
> have a new error at createMigrationBlob() as follows:
>
> Exception in thread "main" java.lang.NullPointerException
>     at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCreateMigrationBlob_Internal(TcTspInternal.java:2134)
>     at iaik.tc.tss.impl.java.tsp.TcRsaKey.createMigrationBlob(TcRsaKey.java:554)
>     at jtss.RewrapKey.main(RewrapKey.java:189)
>
> I do have a migration ticket that is created and authorized for the
> destination TPM; what I don't know is if the internal structure of
> the RsaKey of the destination TPM is OK; you will probably know more
> from this exception message.
>
> Here are some snippets of the relevant code I'm using (I am trying
> to move a Binding key from the Dell to the HP machine this time, so
> the hprsakey is the destination PublicKey):
>
> ----------------------------
> ...
> // Create the destination key container
> TcIRsaKey hprsakey = tpmctx.createRsaKeyObject(
>     TcTssConstants.TSS_KEY_TYPE_STORAGE |
>     TcTssConstants.TSS_KEY_SIZE_2048 |
>     TcTssConstants.TSS_KEY_VOLATILE |
>     TcTssConstants.TSS_KEY_AUTHORIZATION |
>     TcTssConstants.TSS_KEY_NOT_MIGRATABLE);
> ...
> ...
> // Convert Java Public Key to TcIRsaKey
> TcTpmPubkey hppubkey = TcCrypto.pubJavaToTpmKey(hppemkey);
>
> hprsakey.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
>     TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, hppubkey.getEncoded());
>
> hprsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>     TcTssConstants.TSS_TSPATTRIB_KEYINFO_ALGORITHM, TcTssConstants.TSS_ALG_RSA);
>
> hprsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>     TcTssConstants.TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
>     TcTssConstants.TSS_ES_RSAESOAEP_SHA1_MGF1);
>
> hprsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>     TcTssConstants.TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
>     TcTssConstants.TSS_SS_RSASSAPKCS1V15_SHA1);
> System.out.println("HP SRK PublicKey parameters set..");
>
> ...
> ...
> TcTpmMigrationkeyAuth migticket = tpm.authorizeMigrationTicket(hprsakey,
>     TcTssConstants.TSS_MS_REWRAP);
>
> // Create the migration blob (throws exception)
> TcBlobData migblob[] = srckey.createMigrationBlob(srk, migticket);
> ----------------------------
>
> Any hint what might be throwing this new exception? Thank you for
> your attention to this.
>
> Arshad Noor
> StrongAuth, Inc.
>
> P.S. BTW, the JTSS API for TcITpm is a little different from the TCG
> specification for the following method/function; the TCG documentation
> states the function is TPM_AuthorizeMigrationKey (Section 11.3 Page 94)
> while the TcITpm API has "authorizeMigrationTicket". Given that the
> method is authorizing an RsaKey for use with a migration ticket, it
> seems that the TCG name is a little clearer. Just an FYI. I am however,
> very impressed with JTSS so far. :-)
>
> Ronald Tögl wrote:
>
>> Hello Arshad,
>>
>> I agree that the TCG specifications are not very helpful. The best intro
>> on the topic I could find is
>> http://www.ei.rub.de/media/ei/lehrmaterialien/trusted-computing/KeyReplication_.pdf
>>
>> As far as I remember we had some problems with TPM_MigrateKey last year,
>> also concerning different TPM implementations.
>>
>> For the dellrsakey object, make sure to use appropriate flags when first
>> initializing the object with TcIContext.createRsaKeyObject(..). As you
>> already have the RSA primes in place, you do not need to use
>> createKey(). You should be able to do loadKey() instead.
>>
>> I hope this helps a little bit,
>> Ronald
>>
>> Arshad Noor wrote:
>>> Hi,
>>>
>>> I'm having some trouble getting key-migration to work between
>>> two machines with TPMs. My environment is as follows:
>>>
>>> Machine 1
>>> ---------
>>> TPM: STM v1.2
>>> OS: CentOS 5.3 (64-bit)
>>> JDK: 6 Update 16 (64-bit)
>>> JTSS: 0.4.1
>>>
>>> Machine 2
>>> ---------
>>> TPM: Infineon v1.2
>>> OS: CentOS 5.3 (64-bit)
>>> JDK: 6 Update 16 (64-bit)
>>> JTSS: 0.4.1
>>>
>>> First comment that worries me is that the JTSS test code has
>>> explicitly commented out sections related to the Infineon TPM
>>> as not working; can someone elaborate what might be causing
>>> the migration to not work?
>>>
>>> I've plowed ahead and tried to see if I could get a Binding
>>> key generated on Machine 2 migrated to Machine 1. To enable
>>> this, I:
>>>
>>> 1) Exported the Public Key of a non-migratable Storage Key from
>>>    Machine 1 (the target destination for the migration) into a
>>>    PEM-encoded file;
>>> 2) Transferred it to Machine 2 (the source for the migration);
>>> 3) Created a TcTpmPubKey from the Java RSAPublicKey on Machine 2;
>>> 4) Tried to create a TcIRsaKey from the TcTpmPubKey by setting
>>>    the following parameters (dellrsakey is the Public Key from
>>>    the destination machine - Machine 1):
>>>
>>> dellrsakey.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
>>>     TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
>>>     dellpubkey.getEncoded());
>>>
>>> dellrsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>>>     TcTssConstants.TSS_TSPATTRIB_KEYINFO_ALGORITHM,
>>>     TcTssConstants.TSS_ALG_RSA);
>>>
>>> dellrsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO,
>>>     TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_PRIMES, 2);
>>>
>>> dellrsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>>>     TcTssConstants.TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
>>>     TcTssConstants.TSS_ES_RSAESOAEP_SHA1_MGF1);
>>>
>>> However, the migrateKey() method on Machine 2 throws the following
>>> exception:
>>>
>>> ----------------------
>>> iaik.tc.tss.api.exceptions.tsp.TcTspException:
>>> TSS Error:
>>> error layer: 0x3000 (TSP)
>>> error code (without layer): 0x010e
>>> error code (full): 0x310e
>>> error message: The addressed key is currently not loaded.
>>> additional info: publicKey is not loaded or key handle is invalid.
>>>
>>>     at iaik.tc.tss.impl.java.tsp.TcWorkingObject.checkKeyHandleNotNull(TcWorkingObject.java:113)
>>>     at iaik.tc.tss.impl.java.tsp.TcRsaKey.migrateKey(TcRsaKey.java:357)
>>>     at jtss.MigrateKey2.main(MigrateKey2.java:200)
>>> ----------------------
>>>
>>> I presume this has to do with internal handles set up by the Impl
>>> of the Context when createKey() is called by an RsaKey object.
>>>
>>> Upon trying to use createKey() an TcIRsaKey using the TcIRsaKey
>>> object, even after setting up the above-mentioned attributes, I get
>>> the following exception:
>>>
>>> ----------------------
>>> iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>>>
>>> TSS Error:
>>> error layer: 0x00 (TPM)
>>> error code (without layer): 0x28
>>> error code (full): 0x28
>>> error message: The key properties in TPM_KEY_PARMs are not supported
>>> by this TPM
>>>
>>>     at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
>>>     at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdStorage.TpmCreateWrapKey(TcTpmCmdStorage.java:316)
>>>     at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipCreateWrapKey(TcTcsi.java:754)
>>>     at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipCreateWrapKey(TcTcsBindingLocal.java:450)
>>>     at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCreateWrapKey_Internal(TcTspInternal.java:1842)
>>>     at iaik.tc.tss.impl.java.tsp.TcRsaKey.createKey(TcRsaKey.java:525)
>>>     at jtss.MigrateKey2.main(MigrateKey2.java:187)
>>> ----------------------
>>>
>>> So, how does one create a TcIRsaKey from a public key of another TPM
>>> to perform the key-migration?
>>> JTSS does not seem to offer an API to
>>> make this possible and the only example in your test code (where a
>>> TcIRsaKey is generated for a public key) is commented out because it
>>> doesn't work on an Infineon or Atmel.
>>>
>>> So, how does one migrate a migratable key from one TPM to another in
>>> the simplest possible manner using JTSS? A high-level explanation of
>>> the steps would be extremely helpful; the TCG documents are not very
>>> helpful or clear in this matter. Thanks.
>>>
>>> Arshad Noor
>>> StrongAuth, Inc.
>>>
>>> _______________________________________________
>>> Trustedjava-support mailing list
>>> Tru...@li...
>>> https://lists.sourceforge.net/lists/listinfo/trustedjava-support
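
The migration ticket printed at the top of this message has the layout of the TPM 1.2 TPM_MIGRATIONKEYAUTH structure (a TPM_PUBKEY, a 16-bit migration scheme and a 20-byte digest). As an added example, which is not part of the original thread and not jTSS code, the following Python decodes such a ticket from its big-endian encoding and reports inconsistencies between its fields; `parse_migration_key_auth` and `build_sample` are hypothetical names, and the sample ticket is constructed, with placeholder modulus and digest bytes.

```python
import struct

# Values from the TPM 1.2 structures specification.
TPM_ALG_RSA = 1
ENC_SCHEMES = {1: "TPM_ES_NONE", 2: "TPM_ES_RSAESPKCSv15",
               3: "TPM_ES_RSAESOAEP_SHA1_MGF1"}
MIGRATE_SCHEMES = {1: "TPM_MS_MIGRATE", 2: "TPM_MS_REWRAP", 3: "TPM_MS_MAINT"}

def parse_migration_key_auth(blob: bytes) -> dict:
    """Decode a big-endian TPM_MIGRATIONKEYAUTH and list inconsistencies."""
    try:
        alg, enc, sig, parm_size = struct.unpack_from(">IHHI", blob, 0)
        off = 12
        parms = blob[off:off + parm_size]
        off += parm_size
        (key_len,) = struct.unpack_from(">I", blob, off)
        off += 4 + key_len  # skip the modulus bytes
        (scheme,) = struct.unpack_from(">H", blob, off)
    except struct.error as exc:
        raise ValueError("ticket is truncated") from exc
    digest = blob[off + 2:]
    issues, bits, primes = [], None, None
    if len(digest) != 20:  # TPM_DIGEST is a 20-byte SHA-1 value
        issues.append("digest is not 20 bytes")
    if alg == TPM_ALG_RSA and parm_size == 12:
        # TPM_RSA_KEY_PARMS: keyLength (bits), numPrimes, exponentSize
        bits, primes, _exp_size = struct.unpack(">III", parms)
        if bits != 8 * key_len:
            issues.append("parms key size disagrees with pubKey keyLength")
    else:
        issues.append("migrationKey is not RSA with 12-byte parms")
    if enc != 3:  # this example's check: storage keys use RSAES-OAEP
        issues.append("encScheme is not TPM_ES_RSAESOAEP_SHA1_MGF1")
    return {"encScheme": ENC_SCHEMES.get(enc, hex(enc)), "sigScheme": sig,
            "keyBits": bits, "numPrimes": primes,
            "migrationScheme": MIGRATE_SCHEMES.get(scheme, hex(scheme)),
            "issues": issues}

def build_sample(modulus_len: int = 256) -> bytes:
    """Constructed ticket: small fields as in the dump, placeholder key/digest."""
    parms = struct.pack(">III", 2048, 2, 0)
    modulus = b"\x81" + bytes(modulus_len - 1)  # placeholder, not a real key
    return (struct.pack(">IHHI", TPM_ALG_RSA, 3, 2, len(parms)) + parms
            + struct.pack(">I", len(modulus)) + modulus
            + struct.pack(">H", 2) + bytes(20))

if __name__ == "__main__":
    print(parse_migration_key_auth(build_sample()))
```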