From: <Fed...@ff...> - 2012-10-02 13:54:44

Hi,

Thanks a lot for the tip, I was getting very confused :) But it looks like I need to bother you again.

I followed the wiki (I assume this is what you meant: http://java.net/projects/jsr321/pages/SetupIAIKTCK. The iaik_run command seems to fail, but I am not sure that is essential to what I am trying to do?) and then tried to load the key by its UUID. However, I get the error that no key is registered with such UUID....

This is the proof that the key is indeed in the storage and the UUID is correct:

---------------------------------------------------------------------------------------------
IAIK Java TPM Tools
---------------------
total number of keys registered in persistent system storage: 1
KeyInfo:
  Version: 1.2.0.0
  key UUID: 0ab736d7-8129-4a2a-84ce-34dfef20adec
  parent key UUID: 00000000-0000-0000-0000-000000000001
  is loaded: false
  auth data usage: 1
  vendor data: none
---------------------------------------------------------------------------------------------

This is the code I used:

------------------------------------------------------------------------------------------------
Certifier cert = context.getCertifier();
KeyManager manager = context.getKeyManager();
// the SRK is the parent of the registered AIK (parent key UUID ...-000000000001 above)
StorageRootKey srk = manager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
UUID uuid = UUID.fromString("0ab736d7-8129-4a2a-84ce-34dfef20adec");
Secret aikSecret = context.getSecret("secret".toCharArray());
// load the AIK from persistent storage by its UUID
IdentityKey aikKey = (IdentityKey) manager.loadTPMKey(srk, uuid, aikSecret);
------------------------------------------------------------------------------------------------

And this is the error:

--------------------------------------------------------------------------------------------------
SEVERE: null
iaik.tc.jsr321.TrustedComputingExceptionImpl: Loading the key failed.
        at iaik.tc.jsr321.tpm.keys.KeyManagerImpl.loadTPMKey(Unknown Source)
        at tpm_project.TPM_project.main(TPM_project.java:149)
Caused by: iaik.tc.tss.api.exceptions.tcs.TcTcsException: TSS Error:
  error layer: 0x3000 (TSP)
  error code (without layer): 0x09
  error code (full): 0x3009
  error message: unknown
  additional info: Key is not registered:UUID: 0ab736d7-8129-4a2a-84ce-34dfef20adec
        at iaik.tc.tss.impl.ps.TcTssPsDatabase.getRegisteredKeyBlobImpl(TcTssPsDatabase.java:182)
        at iaik.tc.tss.impl.ps.TcTssPersistentStorage.getRegisteredKeyBlob(TcTssPersistentStorage.java:124)
        at iaik.tc.tss.impl.java.tsp.TcContext.getKeyByUuid(TcContext.java:656)
----------------------------------------------------------------------------------------------

Am I forgetting something?

Thanks again for your patience with a messy beginner :)

Federico

-----Original message-----
From: Ronald Tögl [mailto:ron...@ia...]
Sent: 2 October 2012 13:55
To: Trustedjava IAIK
Cc: Mancini, Federico
Subject: Re: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically

Frederico,

Yes, this is a mess ;)

The reason is that a javax.trustedcomputing.tpm.keys.IdentityKey is not binary compatible to iaik.tc.tss.api.structs.tpm.TcTpmKey and I cannot think of a good reason why it should be; and even if there was one, there're the TCG specs as obstacle.

I suggest you follow the instructions in the JSR321 Wiki on how to generate an AIK with jTSS and then load the key by its UUID (!) from within JSR321.

Also, I do not recommend to mix jTSS and JSR321 code in one application unless you really really really need to and know all the internals.

Ronald

On 10/02/2012 01:45 PM, Fed...@ff... wrote:
> Hi again,
>
> I would like to do a step further now, and try and create a new key, signed with the AIK I managed to create with jtt (I assume both its public and private parts are in the aik.tmpkey file), and then use the command TPM_CertifyKey, to get a certificate usable to sign data from outside the TPM.
>
> According to the JSR321, the Tsi_Key_CertifyKey functionality should be handled by the TPMKey class, but here is the first problem. I don't see any such method in the JSR javadoc. Is it maybe the ValidationData which is obtained through the certifyKey method of a Certifier?
>
> If so, I tried to create a signing key and then apply such method, but my second problem is: how do I get the AIK key from the file and make it into a TPMKey object? I can't find a way to create a TPMKey from a given key material, so I used the TcTpmKey constructor instead, but how do I turn this into a TPMKey that can be given as parameter to the certifier? I am for sure doing a mess mixing jTSS and JSR321 here; can anyone point me in the right direction?
>
> This is what I do:
>
>     Certifier cert = context.getCertifier();
>     KeyManager manager = context.getKeyManager();
>     StorageRootKey srk = manager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
>     // create a new TPM signing key under the SRK
>     SigningKey sign = manager.createSigningKey(srk, Secret.WELL_KNOWN_SECRET, Secret.WELL_KNOWN_SECRET, true, true, true, 2048, null);
>     // read the AIK blob written by jTT from disk
>     File aikKey = new File("C:\\Users\\aik.tpmkey");
>     FileInputStream in = new FileInputStream(aikKey);
>     byte[] iakKeyByte = new byte[(int) aikKey.length()];
>     in.read(iakKeyByte);
>     in.close();
>     TcBlobData aikBlob = TcBlobData.newByteArray(iakKeyByte);
>     // jTSS TcTpmKey is not a JSR321 IdentityKey, so this cast fails
>     IdentityKey aik = (IdentityKey) new TcTpmKey(aikBlob); // <- Problem
>     ValidationData val = cert.certifyKey(sign, aik, null);
>
> Thanks again for any help!
>
> Federico
>
> -----Original message-----
> From: Fed...@ff... [mailto:Fed...@ff...]
> Sent: 1 October 2012 14:46
> To: tru...@li...
> Subject: Re: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically
>
> Hi,
>
> Thanks for your answer.
>
> Am I to understand that the jTSS has no method equivalent to Tspi_TPM_CollateIdentityRequest() then? Is it not defined as a standard method in the TSS?
>
> Federico
>
> -----Original message-----
> From: Martin Pirker [mailto:Mar...@ia...]
> Sent: 1 October 2012 14:36
> To: Mancini, Federico
> Cc: tru...@li...
> Subject: Re: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically
>
> Hi...
>
> On 2012-10-01 13:36, Fed...@ff... wrote:
>> Now, I would like to create an AIK, ....
>> This seems to be some kind of dummy AIK certificate generated by some internal privacy CA?
>
> The AIK cycle in jTT is just for local testing purposes, so yes, certificates are created on-the-fly with random dummy values.
>
>> How would I go to get the AIK certificate signed by privacyCA.com instead?
>> and send it as a POST to privacyCA.com,
>
> There are undocumented commands/code included with JTT; in iaik.tc.apps.jtt.pki.* you will find experimental code to talk to privacyca.com.
>
> However, as you can see from the copyright notice this is from 2007/08 and I don't know anyone who has ever run it again since then, so it's probably non-functioning.
>
>> I could not find any clear documentation about this.
>
> For an alternative PrivacyCA implementation look at the "apki" package in the PrivacyCA 0.2 folder. (Note that this code is also unfinished and unmaintained.)
>
> Good luck :-)
> Martin
>
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support

--
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at