From: Ronald T. <ron...@ia...> - 2012-10-02 11:55:34
Federico,

Yes, this is a mess ;) The reason is that a javax.trustedcomputing.tpm.keys.IdentityKey is not binary compatible with iaik.tc.tss.api.structs.tpm.TcTpmKey, and I cannot think of a good reason why it should be; and even if there were one, there are the TCG specs as an obstacle.

I suggest you follow the instructions in the JSR321 Wiki on how to generate an AIK with jTSS and then load the key by its UUID (!) from within JSR321.

Also, I do not recommend mixing jTSS and JSR321 code in one application unless you really really really need to and know all the internals.

Ronald

On 10/02/2012 01:45 PM, Fed...@ff... wrote:
> Hi again,
> I would like to go a step further now, and try to create a new key, signed with the AIK I managed to create with jtt (I assume both its public and private parts are in the aik.tmpkey file), and then use the command TPM_CertifyKey to get a certificate usable to sign data from outside the TPM.
> According to the JSR321, the Tsi_Key_CertifyKey functionality should be handled by the TPMKey class, but here is the first problem. I don't see any such method in the JSR javadoc. Is it maybe the ValidationData which is obtained through the certifyKey method of a Certifier?
> If so, I tried to create a signing key and then apply such method, but my second problem is: how do I get the AIK key from the file and make it into a TPMKey object? I can't find a way to create a TPMKey from given key material, so I used the TcTpmKey constructor instead, but how do I turn this into a TPMKey that can be given as a parameter to the certifier? I am for sure making a mess mixing jTSS and JSR321 here; can anyone point me in the right direction?
>
> This is what I do:
>
> Certifier cert = context.getCertifier();
> KeyManager manager = context.getKeyManager();
> StorageRootKey srk = manager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
> SigningKey sign = manager.createSigningKey(srk, Secret.WELL_KNOWN_SECRET, Secret.WELL_KNOWN_SECRET, true, true, true, 2048, null);
> File aikKey = new File("C:\\Users\\aik.tpmkey");
> FileInputStream in = new FileInputStream(aikKey);
> byte[] iakKeyByte = new byte[(int) aikKey.length()];
> in.read(iakKeyByte);
> in.close();
> TcBlobData aikBlob = TcBlobData.newByteArray(iakKeyByte);
> IdentityKey aik = (IdentityKey) new TcTpmKey(aikBlob); // <- Problem
> ValidationData val = cert.certifyKey(sign, aik, null);
>
> Thanks again for any help!
>
> Federico
>
> -----Original message-----
> From: Fed...@ff... [mailto:Fed...@ff...]
> Sent: 1 October 2012 14:46
> To: tru...@li...
> Subject: Re: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically
>
> Hi,
> Thanks for your answer.
> Am I to understand that the jTSS has no method equivalent to Tspi_TPM_CollateIdentityRequest() then?
> Is it not defined as a standard method in the TSS?
>
> Federico
>
> -----Original message-----
> From: Martin Pirker [mailto:Mar...@ia...]
> Sent: 1 October 2012 14:36
> To: Mancini, Federico
> Cc: tru...@li...
> Subject: Re: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically
>
> Hi...
>
> On 2012-10-01 13:36, Fed...@ff... wrote:
>> Now, I would like to create an AIK, ....
>> This seems to be some kind of dummy AIK certificate generated by some internal privacy CA?
> The AIK cycle in jTT is just for local testing purposes, so yes, certificates are created on-the-fly with random dummy values.
>
>> How would I go to get the AIK certificate signed by privacyCA.com instead?
>> and send it as a POST to privacyCA.com,
> There are undocumented commands/code included with JTT; in iaik.tc.apps.jtt.pki.* you will find experimental code to talk to privacyca.com.
> However, as you can see from the copyright notice this is from 2007/08 and I don't know anyone who has ever run it again since then, so it's probably non-functioning.
>
>> I could not find any clear documentation about this.
> For an alternative PrivacyCA implementation look at the "apki" package in the PrivacyCA 0.2 folder.
> (Note that this code is also unfinished and unmaintained)
>
> Good luck :-)
> Martin
>
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support

--
Dipl.-Ing. Ronald Tögl                 phone +43 316/873-5502
Secure and Correct Systems             fax   +43 316/873-5520
IAIK                                   ron...@ia...
Graz University of Technology          http://www.iaik.tugraz.at
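The cast in Federico's snippet cannot work because the bytes read from the key file are a raw TPM key structure, not a JSR321 object. The added example below (not part of this thread, and not jTSS or JSR321 code) parses the TPM_KEY12 layout from the TCG TPM 1.2 Main Specification Part 2, the structure family that the jTSS TcTpmKey classes model, and checks the keyUsage field to decide whether a blob is actually an identity (AIK) key before anything tries to use it as one. It assumes the .tpmkey file holds such a blob, as Federico assumes; the sample blobs are constructed inline with dummy modulus and encData and were never produced by a TPM. The private part stays opaque: encData is encrypted under the parent storage key, which is exactly why only the TPM (via a loaded key handle) can use it.

```python
"""Parse a TPM 1.2 TPM_KEY12 key blob and check whether it is an identity (AIK) key.

Layout follows the TPM 1.2 Main Specification Part 2 (Structures).
The sample blobs at the bottom are constructed here for demonstration only.
"""
import struct

# TPM 1.2 constants (TPM_TAG, TPM_KEY_USAGE, TPM_ALGORITHM_ID, TPM_ENC_SCHEME, TPM_SIG_SCHEME)
TPM_TAG_KEY12 = 0x0028
TPM_KEY_SIGNING = 0x0010
TPM_KEY_STORAGE = 0x0011
TPM_KEY_IDENTITY = 0x0012
TPM_ALG_RSA = 0x0001
TPM_ES_NONE = 0x0001
TPM_SS_RSASSAPKCS1v15_SHA1 = 0x0002
TPM_AUTH_ALWAYS = 0x01
KEY_USAGE_NAMES = {TPM_KEY_SIGNING: "TPM_KEY_SIGNING", TPM_KEY_STORAGE: "TPM_KEY_STORAGE",
                   TPM_KEY_IDENTITY: "TPM_KEY_IDENTITY"}


class _Reader:
    """Bounds-checked big-endian reader: a truncated blob raises instead of mis-parsing."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def take(self, n):
        if self.off + n > len(self.data):
            raise ValueError("blob truncated at offset %d" % self.off)
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def unpack(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))


def parse_key12(blob):
    """Return the fields of a TPM_KEY12 blob as a dict; raise ValueError if malformed."""
    r = _Reader(blob)
    tag, fill, key_usage, key_flags, auth_usage = r.unpack(">HHHIB")
    if tag != TPM_TAG_KEY12 or fill != 0:
        raise ValueError("not a TPM_KEY12 structure (tag=0x%04x fill=0x%04x)" % (tag, fill))
    # TPM_KEY_PARMS: algorithmID, encScheme, sigScheme, parmSize, parms
    alg_id, enc_scheme, sig_scheme, parm_size = r.unpack(">IHHI")
    parms = r.take(parm_size)
    rsa = None
    if alg_id == TPM_ALG_RSA:
        # TPM_RSA_KEY_PARMS: keyLength (bits), numPrimes, exponentSize, exponent
        if parm_size < 12:
            raise ValueError("TPM_RSA_KEY_PARMS too short")
        key_bits, num_primes, exp_size = struct.unpack_from(">III", parms, 0)
        exponent = parms[12:12 + exp_size]
        if len(exponent) != exp_size:
            raise ValueError("RSA exponent truncated")
        rsa = {"key_bits": key_bits, "num_primes": num_primes, "exponent": exponent}
    (pcr_info_size,) = r.unpack(">I")
    pcr_info = r.take(pcr_info_size)
    (pub_len,) = r.unpack(">I")          # TPM_STORE_PUBKEY: the public modulus for RSA
    pub_key = r.take(pub_len)
    (enc_size,) = r.unpack(">I")         # encData: private part, encrypted by the parent key
    enc_data = r.take(enc_size)
    if r.off != len(blob):
        raise ValueError("%d trailing bytes after TPM_KEY12" % (len(blob) - r.off))
    return {"key_usage": key_usage, "key_usage_name": KEY_USAGE_NAMES.get(key_usage, hex(key_usage)),
            "key_flags": key_flags, "auth_data_usage": auth_usage, "algorithm_id": alg_id,
            "enc_scheme": enc_scheme, "sig_scheme": sig_scheme, "rsa": rsa,
            "pcr_info": pcr_info, "pub_key": pub_key, "enc_data": enc_data}


def is_identity_key(blob):
    """True only if the blob parses and its keyUsage marks it as an RSA identity key."""
    key = parse_key12(blob)
    return key["key_usage"] == TPM_KEY_IDENTITY and key["algorithm_id"] == TPM_ALG_RSA


def build_key12(key_usage, modulus, enc_data, enc_scheme, sig_scheme):
    """Serialise a TPM_KEY12; used here only to construct sample input."""
    rsa_parms = struct.pack(">III", len(modulus) * 8, 2, 0)  # exponentSize 0 = default 65537
    key_parms = struct.pack(">IHHI", TPM_ALG_RSA, enc_scheme, sig_scheme, len(rsa_parms)) + rsa_parms
    return (struct.pack(">HHHIB", TPM_TAG_KEY12, 0, key_usage, 0, TPM_AUTH_ALWAYS) + key_parms
            + struct.pack(">I", 0)                              # PCRInfoSize: not PCR-bound
            + struct.pack(">I", len(modulus)) + modulus
            + struct.pack(">I", len(enc_data)) + enc_data)


# Constructed sample blobs (dummy 2048-bit modulus and encData; not produced by a TPM)
SAMPLE_AIK_BLOB = build_key12(TPM_KEY_IDENTITY, b"\xa1" * 256, b"\x5e" * 64,
                              TPM_ES_NONE, TPM_SS_RSASSAPKCS1v15_SHA1)
SAMPLE_SIGNING_BLOB = build_key12(TPM_KEY_SIGNING, b"\xb2" * 256, b"\x6f" * 64,
                                  TPM_ES_NONE, TPM_SS_RSASSAPKCS1v15_SHA1)

if __name__ == "__main__":
    for name, blob in (("aik.tpmkey", SAMPLE_AIK_BLOB), ("signing", SAMPLE_SIGNING_BLOB)):
        k = parse_key12(blob)
        print(name, k["key_usage_name"], k["rsa"]["key_bits"], "bits, identity:", is_identity_key(blob))
```

Running the module on a real blob read from disk (`parse_key12(open(path, "rb").read())`) tells you what the file is before any TSS call is attempted; a blob whose tag is not 0x0028, or whose keyUsage is not TPM_KEY_IDENTITY, will never become an AIK no matter which API wraps it, which is why Ronald's advice is to create the AIK through the TSS and load it by UUID rather than from bytes.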