From: Fady <fad...@ya...> - 2011-07-16 08:21:26
Dear all on the Trusted Java team,

I am trying to certify a legacy key. It works fine if the key is created without a PCR composite, as in

    myLegKey.createKey(srk, null);

but when using

    myLegKey.createKey(srk, pcrComp);

this exception is thrown at the line

    myLegKey.certifyKey(aikKey, serverNonceValidation);

    Exception in thread "main" java.lang.NullPointerException
        at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCertifyKey_Internal(TcTspInternal.java:3252)
        at iaik.tc.tss.impl.java.tsp.TcRsaKey.certifyKey(TcRsaKey.java:289)

Sometimes this exception is thrown:

    Exception in thread "main" java.lang.IndexOutOfBoundsException: Unable to decode requested type. Current offset + type length exceeds data length.
        at iaik.tc.tss.api.structs.common.TcBasicTypeDecoder.checkBoundaryPreconditions(TcBasicTypeDecoder.java:91)
        at iaik.tc.tss.api.structs.common.TcBasicTypeDecoder.decodeBytes(TcBasicTypeDecoder.java:228)
        at iaik.tc.tss.api.structs.common.TcBasicTypeDecoder.decodeBytes(TcBasicTypeDecoder.java:246)
        at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCrypto.TpmCertifyKey(TcTpmCmdCrypto.java:423)
        at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipCertifyKey(TcTcsi.java:2300)
        at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipCertifyKey(TcTcsBindingLocal.java:634)
        at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCertifyKey_Internal(TcTspInternal.java:3231)
        at iaik.tc.tss.impl.java.tsp.TcRsaKey.certifyKey(TcRsaKey.java:289)

The complete code used is:

    //create PCR Composite**************************************************************************
    TcIPcrComposite pcrComp = context.createPcrCompositeObject(TcTssConstants.TSS_PCRS_STRUCT_INFO_LONG);
    pcrComp.selectPcrIndexEx(pcrIndex, TcTssConstants.TSS_PCRS_DIRECTION_RELEASE);//release
    pcrComp.setPcrValue(pcrIndex, context.getTpmObject().pcrRead(pcrIndex));
    //********************************************************************************************
    //create Legacy Key*****************************************************************************
    TcIRsaKey myLegKey = context.createRsaKeyObject(
            TcTssConstants.TSS_KEY_SIZE_2048 |
            TcTssConstants.TSS_KEY_TYPE_LEGACY |
            TcTssConstants.TSS_KEY_VOLATILE |
            TcTssConstants.TSS_KEY_NOT_MIGRATABLE |
            TcTssConstants.TSS_KEY_NO_AUTHORIZATION);
    TcIPolicy legKeyUsgPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
    legKeyUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString(usageSecret, false));
    legKeyUsgPolicy.assignToObject(myLegKey);
    TcIPolicy legkeyMigPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
    legkeyMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString(migSecret, false));
    legkeyMigPolicy.assignToObject(myLegKey);
    myLegKey.createKey(srk, pcrComp);
    //myLegKey.createKey(srk, null);
    myLegKey.loadKey(srk);
    //********************************************************************************************
    //Get Nonce************************************************************************************
    String serverNonceString = "test";
    TcTssValidation serverNonceValidation = new TcTssValidation();
    TcBlobData serverNonceBlob = TcBlobData.newString(serverNonceString).sha1();
    serverNonceValidation.setExternalData(serverNonceBlob);
    //********************************************************************************************
    //Load AIk ************************************************************************************
    TcIRsaKey aikKey = context.loadKeyByBlob(srk, readFile(aikFile));
    TcIPolicy aikUsgPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
    aikUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString(aikPass, false));//false
    aikUsgPolicy.assignToObject(aikKey);
    TcIPolicy aikMigPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
    aikMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString(aikPass, false));//false
    aikMigPolicy.assignToObject(aikKey);
    //*********************************************************************************************
    //Certify Key ************************************************************************************
    TcTssValidation certifyResult = myLegKey.certifyKey(aikKey, serverNonceValidation);
    //*********************************************************************************************

As far as I know, both legacy and storage keys can be used for sealing. I used both, but I get the same exception with each.

I have another question, just to be certain: the parent of AIKs is the SRK, not the EK (as done in the quote example). Is this true?

Thanks