Re: [Trustedjava-support] Certifying Legacy Sealing Key

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hello Fady,

The exception is thrown when the checksums for the authorization 
protocol are calculated.
I noticed, that you're using the TSS_KEY_NO_AUTHORIZATION flag for the 
key. This mode is not supported in jTSS.
Rather use the TcTssConstants.TSS_KEY_AUTHORIZATION flag an either apply 
your own secret, or the well-kown-secret, if you really do not need 
authentication.

Please report improvements or (new) errors.

Regarding you second question, AFIAR the SRK is always the parent of any 
AIK.

hth,
Ronald

On 07/16/2011 10:21 AM, Fady wrote:
> Dear ALL Trusted Java Team,
>
> i try to certify a legacy key, it works fine if it created without pcr 
> composite as
>             myLegKey.createKey(srk, null);
> but when using
>             myLegKey.createKey(srk, pcrComp);
> this exception is thrown at the line myLegKey.certifyKey(aikKey, 
> serverNonceValidation);
>         Exception in thread "main" java.lang.NullPointerException
>         at iaik.tc 
> <http://iaik.tc.tss.impl.java.tsp.internal.tc/>.tss.impl.java.tsp.internal.TcTspInternal.TspCertifyKey_Internal(TcTspInternal.java:3252)
>         at iaik.tc 
> <http://iaik.tc.tss.impl.java.tsp.tc/>.tss.impl.java.tsp.TcRsaKey.certifyKey(TcRsaKey.java:289)
> sometimes it thrown
>         Exception in thread "main" 
> java.lang.IndexOutOfBoundsException: Unable to decode requested type. 
> Current offset + type length exceeds data length.
>         at iaik.tc 
> <http://iaik.tc.tss.api.structs.common.tcbasictypedecoder.ch/>.tss.api.structs.common.TcBasicTypeDecoder.checkBoundaryPreconditions(TcBasicTypeDecoder.java:91)
>         at iaik.tc 
> <http://iaik.tc.tss.api.structs.common.tcbasictypedecoder.de/>.tss.api.structs.common.TcBasicTypeDecoder.decodeBytes(TcBasicTypeDecoder.java:228)
>         at 
> iaik.tc.tss.api.structs.common.TcBasicTypeDecoder.decodeBytes(TcBasicTypeDecoder.java:246)
>         at iaik.tc 
> <http://iaik.tc.tss.impl.java.tcs.pbg.tctpmcmdcrypto.tp/>.tss.impl.java.tcs.pbg.TcTpmCmdCrypto.TpmCertifyKey(TcTpmCmdCrypto.java:423)
>         at iaik.tc 
> <http://iaik.tc.tss.impl.java.tcs.tcsi.tctcsi.tc/>.tss.impl.java.tcs.tcsi.TcTcsi.TcsipCertifyKey(TcTcsi.java:2300)
>         at iaik.tc 
> <http://iaik.tc.tss.impl.java.tsp.tcsbinding.local.tc/>.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipCertifyKey(TcTcsBindingLocal.java:634)
>         at iaik.tc 
> <http://iaik.tc.tss.impl.java.tsp.internal.tc/>.tss.impl.java.tsp.internal.TcTspInternal.TspCertifyKey_Internal(TcTspInternal.java:3231)
>         at iaik.tc 
> <http://iaik.tc.tss.impl.java.tsp.tc/>.tss.impl.java.tsp.TcRsaKey.certifyKey(TcRsaKey.java:289)
>
> The complete used code is
>             //create PCR 
> Composite**************************************************************************
>             TcIPcrComposite pcrComp = 
> context.createPcrCompositeObject(TcTssConstants.TSS_PCRS_STRUCT_INFO_LONG);
>             pcrComp.selectPcrIndexEx(pcrIndex, 
> TcTssConstants.TSS_PCRS_DIRECTION_RELEASE);//release
>             pcrComp.setPcrValue(pcrIndex, 
> context.getTpmObject().pcrRead(pcrIndex));
>             
> //********************************************************************************************
>
>             //create Legacy 
> Key*****************************************************************************
>             TcIRsaKey myLegKey = context.createRsaKeyObject(   
> TcTssConstants.TSS_KEY_SIZE_2048
>                                                                                             
> | TcTssConstants.TSS_KEY_TYPE_LEGACY
>                                                                                             
> | TcTssConstants.TSS_KEY_VOLATILE
>                                                                                             
> | TcTssConstants.TSS_KEY_NOT_MIGRATABLE
>                                                                                             
> | TcTssConstants.TSS_KEY_NO_AUTHORIZATION);
>
>             TcIPolicy legKeyUsgPolicy = 
> context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
>             
> legKeyUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
> TcBlobData.newString(usageSecret, false));
>             legKeyUsgPolicy.assignToObject(myLegKey);
>
>             TcIPolicy legkeyMigPolicy = 
> context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
>             
> legkeyMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
> TcBlobData.newString(migSecret, false));
>             legkeyMigPolicy.assignToObject(myLegKey);
>
>             myLegKey.createKey(srk, pcrComp);
>             //myLegKey.createKey(srk, null);
>             myLegKey.loadKey(srk);
>             
> //********************************************************************************************
>
>             //Get 
> Nonce************************************************************************************
>             String serverNonceString = "test";
>             TcTssValidation serverNonceValidation = new TcTssValidation();
>             TcBlobData serverNonceBlob = 
> TcBlobData.newString(serverNonceString).sha1();
>             serverNonceValidation.setExternalData(serverNonceBlob);
>             
> //********************************************************************************************
>
>            //Load AIk 
> ************************************************************************************
>             TcIRsaKey aikKey = context.loadKeyByBlob(srk, 
> readFile(aikFile));
>
>             TcIPolicy aikUsgPolicy = 
> context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
>             
> aikUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
> TcBlobData.newString(aikPass, false));//false
>             aikUsgPolicy.assignToObject(aikKey);
>
>             TcIPolicy aikMigPolicy = 
> context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
>             
> aikMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
> TcBlobData.newString(aikPass, false));//false
>             aikMigPolicy.assignToObject(aikKey);
>             
> //*********************************************************************************************
>
>             //Certify Key 
> ************************************************************************************
>             TcTssValidation certifyResult = 
> myLegKey.certifyKey(aikKey, serverNonceValidation);
>             
> //*********************************************************************************************
>
> as i know legacy and storage keys can be used for sealing, i use both 
> but i have the same exception in both.
>
>
> i have another question just to be certain, the parent of AIKs is SRK 
> not the EK (as done in the quote example), is this true?
>
>
> Thanks
>
>
> ------------------------------------------------------------------------------
> AppSumo Presents a FREE Video for the SourceForge Community by Eric
> Ries, the creator of the Lean Startup Methodology on "Lean Startup
> Secrets Revealed." This video shows you how to validate your ideas,
> optimize your ideas and identify your business strategy.
> http://p.sf.net/sfu/appsumosfdev2dev
>
>
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support

-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at