From: <dna...@de...> - 2012-06-04 17:14:07
|
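/*
 * Original message (mailing-list post):
 *
 * I am having trouble with loading the same AIK key that I had created
 * previously from a collateIdentityRequest command. The AIK does not appear
 * to be migratable and I cannot figure out how to load it using the JTSS API.
 * I have outlined some of the test code I found in the JTSS to show you how
 * I am creating my aikKey. When I run the activateIdentity command at another
 * point in time, I need some way of loading the same AIK key that I created
 * in the collateIdentityReq. Any insight or help would be greatly appreciated.
 */

/**
 * Creates a fresh attestation identity key (AIK) under the SRK and builds the
 * identity request blob for the privacy CA (TSS CollateIdentityRequest).
 *
 * <p>The key object is kept in {@code aikKey_} so that
 * {@link #activateIdentity(String)} can use it later in the same TSS context.
 * The key is created with TSS_KEY_VOLATILE, so neither the TSS nor the TPM keeps
 * it for a later process; if activation happens in another process the wrapped
 * key blob has to be persisted by this code (see the note in
 * {@code activateIdentity}).
 *
 * @param caPublicKey public key of the privacy CA that will issue the AIK credential
 * @return the CollateIdentityRequest blob to send to the privacy CA
 * @throws TcTssException on any TSS/TPM error
 * @throws IOException if the CA public key cannot be converted
 */
public TcBlobData clientCollateIdentityReq(PublicKey caPublicKey) throws TcTssException, IOException {
    // MakeIdentity needs owner authorization; the test policy is bound to the TPM object.
    TcITpm tpm = context_.getTpmObject();
    TestDefines.tpmPolicy.assignToObject(tpm);

    // Identity key template. NOTE(review): the original toggled between
    // TSS_KEY_MIGRATABLE and TSS_KEY_NOT_MIGRATABLE here; an identity key is
    // expected to be non-migratable (a migratable AIK could leave the TPM),
    // so confirm which flag your TSS actually honours before relying on it.
    aikKey_ = context_.createRsaKeyObject(TcTssConstants.TSS_KEY_TYPE_IDENTITY
            | TcTssConstants.TSS_KEY_SIZE_2048
            | TcTssConstants.TSS_KEY_AUTHORIZATION
            | TcTssConstants.TSS_KEY_VOLATILE
            | TcTssConstants.TSS_KEY_MIGRATABLE /*TSS_KEY_NOT_MIGRATABLE*/);

    // Usage secret of the identity key. Test code: a fixed plain-text secret;
    // production code would take it from the caller, not embed it.
    TcIPolicy aikUsgPol = context_.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
    aikUsgPol.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString("aikSecret"));
    aikUsgPol.assignToObject(aikKey_);

    // Migration secret; only meaningful while the key is flagged migratable.
    TcIPolicy aikMigPol = context_.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
    aikMigPol.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString("none"));
    aikMigPol.assignToObject(aikKey_);

    // Public key of the selected privacy CA (how it is obtained and trusted is
    // outside this test case).
    TcIRsaKey pubKeyPrivacyCa = getPrivacyCaPubKey(caPublicKey);

    // TPM_MakeIdentity plus the TSS-side request assembly.
    return tpm.collateIdentityRequest(srk_, pubKeyPrivacyCa, clientGetIdLabel(), aikKey_, SYM_ALGO_TSS);
}

/**
 * Activates the identity: splits the privacy CA's response into its symmetric
 * and asymmetric parts and hands them to the TPM (ActivateIdentity) using the
 * AIK created by {@link #clientCollateIdentityReq(PublicKey)}.
 *
 * <p>Wire format of the Base64-decoded {@code caResponse}: a 4-byte length
 * {@code n} (decoded with ByteArrayUtil.byteArrayToInt, whose byte order is not
 * visible here), then {@code n} bytes of symmetrically encrypted CA contents,
 * then the remaining bytes as the asymmetrically encrypted contents.
 *
 * <p>The activated credential is not returned (void signature kept); callers
 * that need it should use a variant that returns the blob from
 * {@code clientActivateIdentity}.
 *
 * @param caResponse Base64-encoded privacy CA response
 * @throws TcTssException if the TSS/TPM rejects the key load or the activation
 * @throws IllegalStateException if no AIK object is available
 * @throws IllegalArgumentException if the response is truncated or its length
 *     prefix does not fit the payload
 */
public void activateIdentity(String caResponse) throws TcTssException {
    // The original set aikKey_ = null immediately before calling loadKey() on it,
    // which can only throw NullPointerException. The key object created in
    // clientCollateIdentityReq must still be available here. If activation runs
    // in a different process, persist the wrapped key blob right after
    // collateIdentityRequest (the TSS exposes it as the TSS_TSPATTRIB_KEY_BLOB
    // attribute of the key) and recreate the key from that blob under the SRK
    // (the TSS LoadKeyByBlob operation) before this call — verify the exact jTSS
    // method names against your TcIContext/TcIAttributes version. A
    // TSS_KEY_VOLATILE key is not retained by the TSS or the TPM.
    if (aikKey_ == null) {
        throw new IllegalStateException(
                "no AIK object available; run clientCollateIdentityReq first or reload the saved key blob");
    }
    aikKey_.loadKey(srk_);

    // STEP 5 (Client): the encrypted sym and asym blobs are received by the client
    // and the new identity is activated.
    byte[] caResponseRaw = Base64.decode(caResponse.getBytes());

    // The response comes from the network: validate the length prefix before
    // using it as an array size/offset instead of relying on
    // ArrayIndexOutOfBounds/NegativeArraySize exceptions.
    if (caResponseRaw.length < 4) {
        throw new IllegalArgumentException("CA response too short: " + caResponseRaw.length + " bytes");
    }
    byte[] symLengthPrefix = java.util.Arrays.copyOfRange(caResponseRaw, 0, 4);
    int symLength = ByteArrayUtil.byteArrayToInt(symLengthPrefix);
    if (symLength < 0 || symLength > caResponseRaw.length - 4) {
        throw new IllegalArgumentException("CA response sym length " + symLength
                + " does not fit payload of " + (caResponseRaw.length - 4) + " bytes");
    }
    byte[] symCaContentsRaw = java.util.Arrays.copyOfRange(caResponseRaw, 4, 4 + symLength);
    byte[] asymCaContentsRaw = java.util.Arrays.copyOfRange(caResponseRaw, 4 + symLength, caResponseRaw.length);

    TcBlobData symCaAttestationEncrypted = TcBlobData.newByteArray(symCaContentsRaw);
    TcBlobData asymCaContentsEncrypted = TcBlobData.newByteArray(asymCaContentsRaw);

    // The original caught TcTssException and only printed its message, so a
    // failed activation went unnoticed by the caller; the method already
    // declares the exception, so let it propagate.
    TcBlobData aikCredential = clientActivateIdentity(symCaAttestationEncrypted, asymCaContentsEncrypted);
    // aikCredential is the activated credential; the original discarded it after
    // a (commented-out) comparison against the CA mock's expected value.
}

/* Thanks, David */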