From: Ronald T. <ron...@ia...> - 2012-10-02 11:55:34
Frederico,
Yes, this is a mess ;)
The reason is that a javax.trustedcomputing.tpm.keys.IdentityKey is not
binary compatible with iaik.tc.tss.api.structs.tpm.TcTpmKey, and I cannot
think of a good reason why it should be; and even if there were one,
there are the TCG specs as an obstacle.
I suggest you follow the instructions in the JSR321 Wiki on how to
generate an AIK with jTSS and then load the key by its UUID (!) from
within JSR321.
Also, I do not recommend mixing jTSS and JSR321 code in one application
unless you really, really, really need to and know all the internals.
Ronald
On 10/02/2012 01:45 PM, Fed...@ff... wrote:
> Hi again,
> I would like to go a step further now, and try to create a new key, signed with the AIK I managed to create with jtt (I assume both its public and private parts are in the aik.tpmkey file), and then use the command TPM_CertifyKey to get a certificate usable to sign data from outside the TPM.
> According to the JSR321, the Tspi_Key_CertifyKey functionality should be handled by the TPMKey class, but here is the first problem. I don't see any such method in the JSR javadoc. Is it maybe the ValidationData which is obtained through the certifyKey method of a Certifier?
> If so, I tried to create a signing key and then apply such a method, but my second problem is: how do I get the AIK key from the file and make it into a TPMKey object? I can't find a way to create a TPMKey from given key material, so I used the TcTpmKey constructor instead, but how do I turn this into a TPMKey that can be given as a parameter to the certifier? I am surely making a mess mixing jTSS and JSR321 here; can anyone point me in the right direction?
> This is what I do:
>
> import java.nio.file.Files;
> import java.nio.file.Paths;
> import javax.trustedcomputing.tpm.*;          // JSR321: Certifier, KeyManager, Secret
> import javax.trustedcomputing.tpm.keys.*;     // JSR321: StorageRootKey, SigningKey, IdentityKey
> import javax.trustedcomputing.tpm.structs.*;  // JSR321: ValidationData (subpackage assumed)
> import iaik.tc.tss.api.structs.common.TcBlobData;  // jTSS
> import iaik.tc.tss.api.structs.tpm.TcTpmKey;       // jTSS
>
> // JSR321: certifier, key manager, SRK, and a fresh 2048-bit signing key under the SRK
> Certifier cert = context.getCertifier();
> KeyManager manager = context.getKeyManager();
> StorageRootKey srk = manager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
> SigningKey sign = manager.createSigningKey(srk, Secret.WELL_KNOWN_SECRET,
>         Secret.WELL_KNOWN_SECRET, true, true, true, 2048, null);
>
> // Read the whole AIK blob (readAllBytes, unlike a single InputStream.read(), cannot return short)
> byte[] aikKeyByte = Files.readAllBytes(Paths.get("C:\\Users\\aik.tpmkey"));
>
> // jTSS: wrap the raw bytes as a TcTpmKey ...
> TcBlobData aikBlob = TcBlobData.newByteArray(aikKeyByte);
> // ... and cast it to a JSR321 IdentityKey  <- Problem: TcTpmKey is not an IdentityKey,
> // so this cast cannot succeed
> IdentityKey aik = (IdentityKey) new TcTpmKey(aikBlob);
> ValidationData val = cert.certifyKey(sign, aik, null);
>
>
> Thanks again for any help!
>
> Federico
>
>
> -----Original message-----
> From: Fed...@ff... [mailto:Fed...@ff...]
> Sent: 1 October 2012 14:46
> To: tru...@li...
> Subject: Re: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically
>
> Hi,
> Thanks for your answer.
> Am I to understand that the jTSS has no method equivalent to Tspi_TPM_CollateIdentityRequest() then?
> Is it not defined as a standard method in the TSS?
>
> Federico
>
> -----Original message-----
> From: Martin Pirker [mailto:Mar...@ia...]
> Sent: 1 October 2012 14:36
> To: Mancini, Federico
> Cc: tru...@li...
> Subject: Re: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically
>
> Hi...
>
> On 2012-10-01 13:36, Fed...@ff... wrote:
>> Now, I would like to create an AIK, ....
>> This seems to be some kind of dummy AIK certificate generated by some internal privacy CA?
> The AIK cycle in jTT is just for local testing purposes, so yes, certificates are created on-the-fly with random dummy values.
>
>
>> How would I go to get the AIK certificate signed by privacyCA.com instead?
>> and send it as a POST to privacyCA.com,
> There are undocumented commands/code included with jTT; in iaik.tc.apps.jtt.pki.* you will find experimental code to talk to privacyca.com.
>
> However, as you can see from the copyright notice, this is from
> 2007/08 and I don't know anyone who has ever run it again since then, so it's probably non-functioning.
>
>
>> I could not find any clear documentation about this.
> For an alternative PrivacyCA implementation look at the "apki"
> package in the PrivacyCA 0.2 folder.
> (Note that this code is also unfinished and unmaintained)
>
>
> Good luck :-)
> Martin
>
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support
>
--
Dipl.-Ing. Ronald Tögl phone +43 316/873-5502
Secure and Correct Systems fax +43 316/873-5520
IAIK ron...@ia...
Graz University of Technology http://www.iaik.tugraz.at