From: <Fed...@ff...> - 2012-10-02 11:46:14
Hi again,

I would like to go a step further now, and try to create a new key, signed with the AIK I managed to create with jtt (I assume both its public and private parts are in the aik.tpmkey file), and then use the command TPM_CertifyKey to get a certificate usable to sign data from outside the TPM.

According to the JSR321, the Tspi_Key_CertifyKey functionality should be handled by the TPMKey class, but here is the first problem: I don't see any such method in the JSR javadoc. Is it maybe the ValidationData which is obtained through the certifyKey method of a Certifier? If so, I tried to create a signing key and then apply that method, but my second problem is: how do I get the AIK key from the file and make it into a TPMKey object? I can't find a way to create a TPMKey from given key material, so I used the TcTpmKey constructor instead, but how do I turn this into a TPMKey that can be given as a parameter to the certifier? I am for sure making a mess mixing jTSS and JSR321 here; can anyone point me in the right direction? This is what I do:

    // jTSS structure classes
    import iaik.tc.tss.api.structs.common.TcBlobData;
    import iaik.tc.tss.api.structs.tpm.TcTpmKey;
    // JSR321 API; package paths assumed from the reference implementation
    import javax.trustedcomputing.tpm.Secret;
    import javax.trustedcomputing.tpm.keys.IdentityKey;
    import javax.trustedcomputing.tpm.keys.KeyManager;
    import javax.trustedcomputing.tpm.keys.SigningKey;
    import javax.trustedcomputing.tpm.keys.StorageRootKey;
    import javax.trustedcomputing.tpm.structures.ValidationData;
    import javax.trustedcomputing.tpm.tools.Certifier;
    import java.io.File;
    import java.nio.file.Files;

    // context is an already-connected TPMContext
    Certifier cert = context.getCertifier();
    KeyManager manager = context.getKeyManager();
    StorageRootKey srk = manager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
    // 2048-bit signing key under the SRK, well-known secret for both usage and migration
    SigningKey sign = manager.createSigningKey(srk, Secret.WELL_KNOWN_SECRET,
            Secret.WELL_KNOWN_SECRET, true, true, true, 2048, null);
    // read the whole AIK blob written by jtt (a single read() is not guaranteed to fill the buffer)
    File aikKey = new File("C:\\Users\\aik.tpmkey");
    byte[] aikKeyBytes = Files.readAllBytes(aikKey.toPath());
    TcBlobData aikBlob = TcBlobData.newByteArray(aikKeyBytes);
    IdentityKey aik = (IdentityKey) new TcTpmKey(aikBlob); // <- Problem
    ValidationData val = cert.certifyKey(sign, aik, null);

Thanks again for any help!

Federico

-----Original message-----
From: Fed...@ff... [mailto:Fed...@ff...]
Sent: 1 October 2012 14:46
To: tru...@li...
Subject: Re: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically

Hi,

Thanks for your answer.

Am I to understand that the jTSS has no method equivalent to Tspi_TPM_CollateIdentityRequest() then? Is it not defined as a standard method in the TSS?

Federico

-----Original message-----
From: Martin Pirker [mailto:Mar...@ia...]
Sent: 1 October 2012 14:36
To: Mancini, Federico
Cc: tru...@li...
Subject: Re: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically

Hi...

On 2012-10-01 13:36, Fed...@ff... wrote:
> Now, I would like to create an AIK, ....
> This seems to be some kind of dummy AIK certificate generated by some internal privacy CA?

The AIK cycle in jTT is just for local testing purposes, so yes, certificates are created on-the-fly with random dummy values.

> How would I go to get the AIK certificate signed by privacyCA.com instead?
> and send it as a POST to privacyCA.com,

There are undocumented commands/code included with JTT; in iaik.tc.apps.jtt.pki.* you will find experimental code to talk to privacyca.com. However, as you can see from the copyright notice this is from 2007/08 and I don't know anyone who has ever run it again since then, so it's probably non-functioning.

> I could not find any clear documentation about this.

For an alternative PrivacyCA implementation look at the "apki" package in the PrivacyCA 0.2 folder. (Note that this code is also unfinished and unmaintained.)

Good luck :-)
Martin

_______________________________________________
Trustedjava-support mailing list
Tru...@li...
https://lists.sourceforge.net/lists/listinfo/trustedjava-support
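The thread turns on what the aik.tpmkey file written by jtt actually contains before it is handed to TcTpmKey. The parser below, an added example that is not code from the thread, jTSS or jTT, walks a TPM 1.2 key blob field by field. It assumes the file holds a raw TPM_KEY or TPM_KEY12 structure as laid out in the TPM 1.2 Structures specification (big-endian integers, TPM_KEY_PARMS, TPM_STORE_PUBKEY, encrypted private part); if jtt wraps the blob in its own container that wrapper has to be stripped first. The sample blob is constructed inline and is not a real TPM key.

```python
"""Inspect a TPM 1.2 key blob (TPM_KEY or TPM_KEY12) to see what it holds.

Added example, not code from the thread, jTSS or jTT. Assumes a raw
TPM_KEY(12) structure per the TPM 1.2 Structures spec, big-endian.
"""
import struct

TPM_TAG_KEY12 = 0x0028          # TPM_KEY12.tag
TPM_ALG_RSA = 0x00000001
KEY_USAGE_NAMES = {
    0x0010: "SIGNING", 0x0011: "STORAGE", 0x0012: "IDENTITY",
    0x0013: "AUTHCHANGE", 0x0014: "BIND", 0x0015: "LEGACY", 0x0016: "MIGRATE",
}


class _Reader:
    """Sequential reader that refuses to run past the end of the blob."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def take(self, fmt):
        vals = struct.unpack(fmt, self.take_bytes(struct.calcsize(fmt)))
        return vals[0] if len(vals) == 1 else vals

    def take_bytes(self, n):
        if self.off + n > len(self.data):
            raise ValueError("blob truncated at offset %d" % self.off)
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk


def parse_tpm_key(blob):
    """Return the fields of a TPM_KEY / TPM_KEY12 blob as a dict; ValueError if malformed."""
    r = _Reader(blob)
    # TPM_KEY12 starts with tag 0x0028 + two zero fill bytes, TPM_KEY (1.1) with
    # TPM_STRUCT_VER 01 01 00 00; both are four bytes and the rest of the layout is shared.
    first = r.take(">H")
    if first == TPM_TAG_KEY12:
        if r.take(">H") != 0:
            raise ValueError("TPM_KEY12 fill field must be zero")
        structure = "TPM_KEY12"
    elif first == 0x0101:
        r.take(">H")  # revMajor / revMinor of TPM_STRUCT_VER
        structure = "TPM_KEY"
    else:
        raise ValueError("not a TPM_KEY/TPM_KEY12 blob (first word 0x%04x)" % first)
    key_usage, key_flags, auth_data_usage = r.take(">HIB")
    # TPM_KEY_PARMS: algorithmID, encScheme, sigScheme, parmSize, parms
    algorithm_id, enc_scheme, sig_scheme, parm_size = r.take(">IHHI")
    parms = r.take_bytes(parm_size)
    rsa = None
    if algorithm_id == TPM_ALG_RSA and parm_size >= 12:
        # TPM_RSA_KEY_PARMS: keyLength (bits), numPrimes, exponentSize, exponent
        key_length, num_primes, exponent_size = struct.unpack_from(">III", parms)
        exponent = parms[12:12 + exponent_size]
        rsa = {"keyLength": key_length, "numPrimes": num_primes,
               # exponentSize 0 means the default public exponent 2^16 + 1
               "exponent": int.from_bytes(exponent, "big") if exponent else 65537}
    pcr_info = r.take_bytes(r.take(">I"))   # empty unless the key is PCR-bound
    pub_key = r.take_bytes(r.take(">I"))    # TPM_STORE_PUBKEY: RSA modulus, in clear
    enc_data = r.take_bytes(r.take(">I"))   # private part, encrypted by the parent (SRK)
    if r.off != len(blob):
        raise ValueError("%d trailing bytes after the TPM_KEY" % (len(blob) - r.off))
    return {"structure": structure, "keyUsage": key_usage,
            "keyUsageName": KEY_USAGE_NAMES.get(key_usage, "0x%04x" % key_usage),
            "keyFlags": key_flags, "authDataUsage": auth_data_usage,
            "algorithmID": algorithm_id, "encScheme": enc_scheme, "sigScheme": sig_scheme,
            "rsa": rsa, "pcrInfo": pcr_info, "pubKey": pub_key, "encData": enc_data}


def describe(info):
    """One-line summary of what a parsed blob contains."""
    bits = info["rsa"]["keyLength"] if info["rsa"] else 0
    return ("%s %s key, RSA-%d: public modulus %d bytes in clear, private part %d bytes "
            "encrypted by the parent key (loadable only into the TPM that wrapped it)"
            % (info["structure"], info["keyUsageName"], bits,
               len(info["pubKey"]), len(info["encData"])))


def build_sample_key12(modulus, enc_data, key_usage=0x0012):
    """Constructed TPM_KEY12 blob (identity key by default); not a real TPM key."""
    rsa_parms = struct.pack(">III", len(modulus) * 8, 2, 0)   # exponentSize 0 -> 65537
    key_parms = struct.pack(">IHHI", TPM_ALG_RSA, 0x0001, 0x0002, len(rsa_parms)) + rsa_parms
    return (struct.pack(">HHHIB", TPM_TAG_KEY12, 0, key_usage, 0, 1)
            + key_parms
            + struct.pack(">I", 0)                            # PCRInfoSize 0: not PCR-bound
            + struct.pack(">I", len(modulus)) + modulus
            + struct.pack(">I", len(enc_data)) + enc_data)


if __name__ == "__main__":
    sample = build_sample_key12(bytes(range(256)), b"\xaa" * 256)
    print(describe(parse_tpm_key(sample)))
```

Running it against the real aik.tpmkey (`parse_tpm_key(open(path, "rb").read())`) shows whether the first word is 0x0028 or 0x0101, which of the two structures to deserialise with, and that the blob carries the public modulus in clear but only an SRK-encrypted private part, so it can be loaded back only into the TPM that wrapped it.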