From: Arshad N. <ars...@st...> - 2009-10-04 19:46:48
I have solved the migration problem, Ronald, so please feel free to ignore
this last message of mine. I will summarize the solution in a future e-mail
to this list so others might benefit from my experiments; the JTSS code is
fine and so are the STM and IFX TPM chips (I was able to migrate keys from
one to the other and in reverse too). The problem is that neither the TCG
documentation nor the JTSS APIs provide enough clarity on how to accomplish
key-migration. I did discover in the process that the JTSS only works with
the MIGRATE option and not the REWRAP option; since one works for me, I can
live with this for now.

The source code in JTSS tests and the PDF link you sent in your last
response were very helpful in arriving at the migration solution. Thank you.

Arshad Noor
StrongAuth, Inc.

Arshad Noor wrote:
> Ronald,
>
> I have confirmed that the Migration Ticket is not null; here are
> the contents of the migration ticket if it is of any help. The
> exception, unfortunately, continues to show up. Thanks.
>
> Arshad Noor
> StrongAuth, Inc.
>
> --------------
> migrationKey: algorithmParms:
>   algorithmID: 1
>   encScheme: 3
>   sigScheme: 2
>   parmSize: 12
>   parms: 00 00 08 00 00 00 00 02 00 00 00 00
>
> pubKey:
>   keyLength: 256
>   key: 81 7d 3e 0a 64 8a 41 06 bf 1a 18 e2 5a b8 ec 6c
>        d2 1d df b0 cb 8f 92 fe 0a ec 8d 87 07 b1 34 93
>        aa 53 7d 96 be c2 05 e2 c7 6a 08 82 c5 2c 8b a3
>        e9 e9 a2 96 a6 9f ef ba 5f 5a 0b aa 4a 07 10 93
>        62 ed b6 41 16 e9 4c 7b f3 69 de 09 58 0d cf 5f
>        a7 25 30 62 26 0d 29 20 34 b1 69 84 dd c7 6f 08
>        be 55 0a 0a da cb 55 4f 89 e9 e7 be 0b 40 1c 5a
>        71 f9 73 a0 1d 3c 02 84 66 19 80 d5 23 fb 19 5f
>        9e f0 9f e4 6c 48 9e 28 5c b7 aa f4 4d b1 9b 48
>        9d ce 89 a7 35 66 a0 33 86 68 c4 9b 7e d4 9c 1c
>        e3 d4 8a 2d ac 4f 10 5e 73 e8 3b e0 c3 3c f3 42
>        01 ad da 2f 72 c6 30 c7 9a 55 99 9c c4 ab 6e 0c
>        75 22 7a 6f 65 b6 ef a6 89 ca 0c 59 70 f1 a6 21
>        04 51 c2 41 b3 52 28 ff 1b 3d 7a f2 15 31 9e e4
>        95 1b 63 1d 5e 73 67 af f3 54 3c 0e 77 6a 27 d7
>        7a c3 3c 79 d9 1d be e9 98 85 31 e3 ae 5c 90 e1
>
> migrationScheme: 2
> digest: digest: c1 0c 5e 5e d8 d4 b7 54 69 43 10 de 94 df 6f 6b
>                 b4 eb 0a 46
> --------------
>
> Arshad Noor wrote:
>> Thank you for the response and the document link, Ronald. The PDF
>> was so much clearer than the TCG specification, and the clouds parted
>> a little more. :-)
>>
>> While I progressed beyond the error I reported in this thread, I now
>> have a new error at createMigrationBlob() as follows:
>>
>> Exception in thread "main" java.lang.NullPointerException
>>   at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCreateMigrationBlob_Internal(TcTspInternal.java:2134)
>>   at iaik.tc.tss.impl.java.tsp.TcRsaKey.createMigrationBlob(TcRsaKey.java:554)
>>   at jtss.RewrapKey.main(RewrapKey.java:189)
>>
>> I do have a migration ticket that is created and authorized for the
>> destination TPM; what I don't know is if the internal structure of
>> the RsaKey of the destination TPM is OK; you will probably know more
>> from this exception message.
>>
>> Here are some snippets of the relevant code I'm using (I am trying
>> to move a Binding key from the Dell to the HP machine this time, so
>> the hprsakey is the destination PublicKey):
>>
>> ----------------------------
>> ...
>> // Create the destination key container
>> TcIRsaKey hprsakey = tpmctx.createRsaKeyObject(
>>         TcTssConstants.TSS_KEY_TYPE_STORAGE |
>>         TcTssConstants.TSS_KEY_SIZE_2048 |
>>         TcTssConstants.TSS_KEY_VOLATILE |
>>         TcTssConstants.TSS_KEY_AUTHORIZATION |
>>         TcTssConstants.TSS_KEY_NOT_MIGRATABLE);
>> ...
>> ...
>> // Convert Java Public Key to TcIRsaKey
>> TcTpmPubkey hppubkey = TcCrypto.pubJavaToTpmKey(hppemkey);
>>
>> hprsakey.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
>>         TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, hppubkey.getEncoded());
>>
>> hprsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>>         TcTssConstants.TSS_TSPATTRIB_KEYINFO_ALGORITHM, TcTssConstants.TSS_ALG_RSA);
>>
>> hprsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>>         TcTssConstants.TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
>>         TcTssConstants.TSS_ES_RSAESOAEP_SHA1_MGF1);
>>
>> hprsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>>         TcTssConstants.TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
>>         TcTssConstants.TSS_SS_RSASSAPKCS1V15_SHA1);
>> System.out.println("HP SRK PublicKey parameters set..");
>>
>> ...
>> ...
>> TcTpmMigrationkeyAuth migticket = tpm.authorizeMigrationTicket(hprsakey,
>>         TcTssConstants.TSS_MS_REWRAP);
>>
>> // Create the migration blob (throws exception)
>> TcBlobData migblob[] = srckey.createMigrationBlob(srk, migticket);
>> ----------------------------
>>
>> Any hint what might be throwing this new exception? Thank you for
>> your attention to this.
>>
>> Arshad Noor
>> StrongAuth, Inc.
>>
>> P.S.
>> BTW, the JTSS API for TcITpm is a little different from the TCG
>> specification for the following method/function; the TCG documentation
>> states the function is TPM_AuthorizeMigrationKey (Section 11.3 Page 94)
>> while the TcITpm API has "authorizeMigrationTicket". Given that the
>> method is authorizing an RsaKey for use with a migration ticket, it
>> seems that the TCG name is a little clearer. Just an FYI. I am, however,
>> very impressed with JTSS so far. :-)
>>
>> Ronald Tögl wrote:
>>
>>> Hello Arshad,
>>>
>>> I agree that the TCG specifications are not very helpful. The best intro
>>> on the topic I could find is
>>> http://www.ei.rub.de/media/ei/lehrmaterialien/trusted-computing/KeyReplication_.pdf
>>>
>>> As far as I remember we had some problems with TPM_MigrateKey last year,
>>> also concerning different TPM implementations.
>>>
>>> For the dellrsakey object, make sure to use appropriate flags when first
>>> initializing the object with TcIContext.createRsaKeyObject(..). As you
>>> already have the RSA primes in place, you do not need to use
>>> createKey(). You should be able to do loadKey() instead.
>>>
>>> I hope this helps a little bit,
>>> Ronald
>>>
>>> Arshad Noor wrote:
>>>> Hi,
>>>>
>>>> I'm having some trouble getting key-migration to work between
>>>> two machines with TPMs. My environment is as follows:
>>>>
>>>> Machine 1
>>>> ---------
>>>> TPM: STM v1.2
>>>> OS: CentOS 5.3 (64-bit)
>>>> JDK: 6 Update 16 (64-bit)
>>>> JTSS: 0.4.1
>>>>
>>>> Machine 2
>>>> ---------
>>>> TPM: Infineon v1.2
>>>> OS: CentOS 5.3 (64-bit)
>>>> JDK: 6 Update 16 (64-bit)
>>>> JTSS: 0.4.1
>>>>
>>>> First comment that worries me is that the JTSS test code has
>>>> explicitly commented out sections related to the Infineon TPM
>>>> as not working; can someone elaborate what might be causing
>>>> the migration to not work?
>>>>
>>>> I've plowed ahead and tried to see if I could get a Binding
>>>> key generated on Machine 2 migrated to Machine 1.
>>>> To enable this, I:
>>>>
>>>> 1) Exported the Public Key of a non-migratable Storage Key from
>>>>    Machine 1 (the target destination for the migration) into a
>>>>    PEM-encoded file;
>>>> 2) Transferred it to Machine 2 (the source for the migration);
>>>> 3) Created a TcTpmPubKey from the Java RSAPublicKey on Machine 2;
>>>> 4) Tried to create a TcIRsaKey from the TcTpmPubKey by setting
>>>>    the following parameters (dellrsakey is the Public Key from
>>>>    the destination machine - Machine 1):
>>>>
>>>> dellrsakey.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
>>>>         TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
>>>>         dellpubkey.getEncoded());
>>>>
>>>> dellrsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>>>>         TcTssConstants.TSS_TSPATTRIB_KEYINFO_ALGORITHM,
>>>>         TcTssConstants.TSS_ALG_RSA);
>>>>
>>>> dellrsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO,
>>>>         TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_PRIMES, 2);
>>>>
>>>> dellrsakey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
>>>>         TcTssConstants.TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
>>>>         TcTssConstants.TSS_ES_RSAESOAEP_SHA1_MGF1);
>>>>
>>>> However, the migrateKey() method on Machine 2 throws the following
>>>> exception:
>>>>
>>>> ----------------------
>>>> iaik.tc.tss.api.exceptions.tsp.TcTspException:
>>>> TSS Error:
>>>>   error layer: 0x3000 (TSP)
>>>>   error code (without layer): 0x010e
>>>>   error code (full): 0x310e
>>>>   error message: The addressed key is currently not loaded.
>>>>   additional info: publicKey is not loaded or key handle is invalid.
>>>>
>>>>   at iaik.tc.tss.impl.java.tsp.TcWorkingObject.checkKeyHandleNotNull(TcWorkingObject.java:113)
>>>>   at iaik.tc.tss.impl.java.tsp.TcRsaKey.migrateKey(TcRsaKey.java:357)
>>>>   at jtss.MigrateKey2.main(MigrateKey2.java:200)
>>>> ----------------------
>>>>
>>>> I presume this has to do with internal handles setup by the Impl
>>>> of the Context when createKey() is called by an RsaKey object.
>>>>
>>>> Upon trying to use createKey() on the TcIRsaKey object, even after
>>>> setting up the above-mentioned attributes, I get the following
>>>> exception:
>>>>
>>>> ----------------------
>>>> iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>>>>
>>>> TSS Error:
>>>>   error layer: 0x00 (TPM)
>>>>   error code (without layer): 0x28
>>>>   error code (full): 0x28
>>>>   error message: The key properties in TPM_KEY_PARMs are not supported
>>>>   by this TPM
>>>>
>>>>   at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
>>>>   at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdStorage.TpmCreateWrapKey(TcTpmCmdStorage.java:316)
>>>>   at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipCreateWrapKey(TcTcsi.java:754)
>>>>   at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipCreateWrapKey(TcTcsBindingLocal.java:450)
>>>>   at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCreateWrapKey_Internal(TcTspInternal.java:1842)
>>>>   at iaik.tc.tss.impl.java.tsp.TcRsaKey.createKey(TcRsaKey.java:525)
>>>>   at jtss.MigrateKey2.main(MigrateKey2.java:187)
>>>> ----------------------
>>>>
>>>> So, how does one create a TcIRsaKey from a public key of another TPM
>>>> to perform the key-migration? JTSS does not seem to offer an API to
>>>> make this possible and the only example in your test code (where a
>>>> TcIRsaKey is generated for a public key) is commented out because it
>>>> doesn't work on an Infineon or Atmel.
>>>>
>>>> So, how does one migrate a migratable key from one TPM to another in
>>>> the simplest possible manner using JTSS? A high-level explanation of
>>>> the steps would be extremely helpful; the TCG documents are not very
>>>> helpful or clear in this matter. Thanks.
>>>>
>>>> Arshad Noor
>>>> StrongAuth, Inc.
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Come build with us!
>>>> The BlackBerry® Developer Conference in SF, CA
>>>> is the only developer event you need to attend this year. Jumpstart your
>>>> developing skills, take BlackBerry mobile applications to market and
>>>> stay ahead of the curve. Join us from November 9-12, 2009.
>>>> Register now!
>>>> http://p.sf.net/sfu/devconf
>>>> _______________________________________________
>>>> Trustedjava-support mailing list
>>>> Tru...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/trustedjava-support
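The procedure the thread converges on (build a key object holding only the destination TPM's storage public key, have the owner authorise a migration ticket for it with the MIGRATE scheme, create the migration blob under the source SRK, then convert and load it under the destination SRK), written out end to end as an added example. This is not Arshad's code, not the jTSS project's test code, and not the summary he promised to post. The jTSS calls that appear in the thread are used as shown there (createRsaKeyObject with the same flags, setAttribData/setAttribUint32, TcCrypto.pubJavaToTpmKey, authorizeMigrationTicket, createMigrationBlob). The destination-side call convertMigrationBlob, the getUsagePolicyObject()/getMigrationPolicyObject() accessors, loadKeyByUuidFromSystem with the SRK UUID, the element order of the createMigrationBlob result, the package names of the imports, and the TPM_OWNER_SECRET environment variable are assumptions and are marked ASSUMED or constructed in the code.

```java
// Added example, not code from the thread or from jTSS: both halves of a TPM 1.2
// key migration through jTSS with the MIGRATE scheme. Calls marked ASSUMED are my
// reading of the jTSS API; the rest appear verbatim in the thread.
import iaik.tc.tss.api.constants.tsp.TcTssConstants;
import iaik.tc.tss.api.structs.common.TcBlobData;
import iaik.tc.tss.api.structs.tsp.TcUuidFactory;          // ASSUMED package
import iaik.tc.tss.api.tspi.TcIContext;
import iaik.tc.tss.api.tspi.TcIRsaKey;
import iaik.tc.tss.api.tspi.TcITpm;
import iaik.tc.tss.api.tspi.TcTssContextFactory;
import iaik.tc.tss.impl.java.tsp.TcCrypto;                 // ASSUMED package
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public final class JtssKeyMigration {
    // The migratable binding key is described the same way on both TPMs.
    static final long BIND_FLAGS = TcTssConstants.TSS_KEY_TYPE_BIND | TcTssConstants.TSS_KEY_SIZE_2048
            | TcTssConstants.TSS_KEY_MIGRATABLE | TcTssConstants.TSS_KEY_AUTHORIZATION;
    static final long PLAIN = TcTssConstants.TSS_SECRET_MODE_PLAIN;

    static TcBlobData secret(String s) { return TcBlobData.newByteArray(s.getBytes(StandardCharsets.UTF_8)); }

    // "-----BEGIN PUBLIC KEY-----" (SubjectPublicKeyInfo) as exported from the destination. Java 8+ Base64.
    static RSAPublicKey readPem(String path) throws Exception {
        String b64 = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII)
                .replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        return (RSAPublicKey) KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(b64)));
    }

    // authorizeMigrationTicket() is the owner saying "this key may receive my migratable keys";
    // compare this digest with the one shown on the destination machine before running the export.
    static String fingerprint(RSAPublicKey pub) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(pub.getEncoded())) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    static TcIRsaKey loadSrk(TcIContext ctx) throws Exception {
        TcIRsaKey srk = ctx.loadKeyByUuidFromSystem(TcUuidFactory.getInstance().getUuidSRK()); // ASSUMED
        srk.getUsagePolicyObject().setSecret(TcTssConstants.TSS_SECRET_MODE_SHA1,            // ASSUMED accessor
                TcBlobData.newByteArray(TcTssConstants.TSS_WELL_KNOWN_SECRET));
        return srk;
    }

    // Source side. The destination object carries only a public part; it is never createKey()'d or loaded.
    static TcIRsaKey destinationKeyObject(TcIContext ctx, RSAPublicKey destPub) throws Exception {
        TcIRsaKey dest = ctx.createRsaKeyObject(TcTssConstants.TSS_KEY_TYPE_STORAGE
                | TcTssConstants.TSS_KEY_SIZE_2048 | TcTssConstants.TSS_KEY_VOLATILE
                | TcTssConstants.TSS_KEY_AUTHORIZATION | TcTssConstants.TSS_KEY_NOT_MIGRATABLE);
        dest.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB, TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY,
                TcCrypto.pubJavaToTpmKey(destPub).getEncoded());
        dest.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO, TcTssConstants.TSS_TSPATTRIB_KEYINFO_ALGORITHM,
                TcTssConstants.TSS_ALG_RSA);
        dest.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO, TcTssConstants.TSS_TSPATTRIB_KEYINFO_ENCSCHEME,
                TcTssConstants.TSS_ES_RSAESOAEP_SHA1_MGF1);
        dest.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO, TcTssConstants.TSS_TSPATTRIB_KEYINFO_SIGSCHEME,
                TcTssConstants.TSS_SS_RSASSAPKCS1V15_SHA1);
        return dest;
    }

    // Returns {random, migrationBlob} (ASSUMED array order, following Tspi_Key_CreateMigrationBlob).
    static TcBlobData[] exportKey(TcIContext ctx, TcIRsaKey srk, TcIRsaKey key, RSAPublicKey destPub,
                                  TcBlobData ownerSecret) throws Exception {
        TcITpm tpm = ctx.getTpmObject();
        tpm.getUsagePolicyObject().setSecret(PLAIN, ownerSecret);                            // ASSUMED accessor
        return key.createMigrationBlob(srk, tpm.authorizeMigrationTicket(
                destinationKeyObject(ctx, destPub), TcTssConstants.TSS_MS_MIGRATE)); // REWRAP did not work in the thread
    }

    // Destination side: rewrap under the local SRK, then load. convertMigrationBlob is ASSUMED.
    static TcIRsaKey importKey(TcIContext ctx, TcIRsaKey srk, TcBlobData random, TcBlobData blob,
                               TcBlobData usageSecret) throws Exception {
        TcIRsaKey key = ctx.createRsaKeyObject(BIND_FLAGS);
        key.getUsagePolicyObject().setSecret(PLAIN, usageSecret);
        key.convertMigrationBlob(srk, random, blob);
        key.loadKey(srk);
        return key;
    }

    // usage: export <dest-pubkey.pem> <outdir>   |   import <indir>
    public static void main(String[] args) throws Exception {
        TcIContext ctx = new TcTssContextFactory().newContextObject();
        ctx.connect();
        TcIRsaKey srk = loadSrk(ctx);
        TcBlobData keySecret = secret("demo-key-secret");                       // constructed for the demo
        if ("export".equals(args[0])) {
            RSAPublicKey destPub = readPem(args[1]);
            System.out.println("destination key SHA-256 " + fingerprint(destPub) + " (confirm out of band)");
            TcIRsaKey key = ctx.createRsaKeyObject(BIND_FLAGS);
            key.getUsagePolicyObject().setSecret(PLAIN, keySecret);
            key.getMigrationPolicyObject().setSecret(PLAIN, keySecret);          // ASSUMED accessor
            key.createKey(srk, null);
            TcBlobData[] out = exportKey(ctx, srk, key, destPub, secret(System.getenv("TPM_OWNER_SECRET")));
            Files.write(Paths.get(args[2], "random.bin"), out[0].asByteArray());
            Files.write(Paths.get(args[2], "migration.blob"), out[1].asByteArray());
        } else {
            TcBlobData random = TcBlobData.newByteArray(Files.readAllBytes(Paths.get(args[1], "random.bin")));
            TcBlobData blob = TcBlobData.newByteArray(Files.readAllBytes(Paths.get(args[1], "migration.blob")));
            importKey(ctx, srk, random, blob, keySecret);
            System.out.println("migrated key loaded under the local SRK");
        }
        ctx.closeContext();
    }
}
```

Two points worth keeping in mind when adapting this. First, the only thing that stops a migratable key from ending up in an attacker's TPM is the owner's decision to authorise a particular public key, so the fingerprint check before exportKey() is not decoration: the PEM file crosses machines unauthenticated, and a substituted key would be accepted by authorizeMigrationTicket() just as readily. Second, with the MIGRATE scheme the destination needs both outputs of createMigrationBlob(), the random string and the blob; the TPM 1.2 design intends the random string to travel separately (via a migration authority) from the blob, so treat the two files as a pair that should not sit together on untrusted storage.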