From: Simon M. <sim...@in...> - 2009-07-13 09:52:45

Hello,

thanks, that helped.

Another question: I embedded your apki client into my source and I was able to get the ekcredential and the aikcredential. I was also able to verify them. That works great!

I would like to attest to another party that my signingKey belongs to a TPM, by signing the certificate for the signingKey through the AIK. This operation leads me to an error:

creating the certificate ....

    cert.setSignatureAlgorithm(AlgorithmID.sha1WithRSAEncryption);
    byte[] toBeSignedCertificate = cert.getTBSCertificate();
    TcBlobData data = TcBlobData.newByteArray(toBeSignedCertificate);
    TcIHash hash = context_.createHashObject(TcTssConstants.TSS_HASH_SHA1);
    hash.updateHashValue(data);
    TcBlobData signature = hash.sign(aik);
    entityTPMCertificate.setSignature(signature.asByteArray());

error:

    TSS Error:
    error layer: 0x00 (TPM)
    error code (without layer): 0x24
    error code (full): 0x24
    error message: The usage of a key is not allowed

I created the AIK key with the following flags:

    aik = context_.createRsaKeyObject(TcTssConstants.TSS_KEY_TYPE_IDENTITY
            | EntityTPMDefines.AIK_KEY_SIZE
            | TcTssConstants.TSS_KEY_AUTHORIZATION
            | TcTssConstants.TSS_KEY_VOLATILE
            | TcTssConstants.TSS_KEY_NOT_MIGRATABLE);

and the signingKey with the following:

    signingKey = context_.createRsaKeyObject(TcTssConstants.TSS_KEY_SIZE_2048
            | TcTssConstants.TSS_KEY_TYPE_SIGNING
            | TcTssConstants.TSS_KEY_MIGRATABLE);

If I change the TSS_KEY_TYPE_IDENTITY to TSS_KEY_TYPE_SIGNING it all works fine. But it has to be an AIK in my scenario.

Do you have any suggestions?

Best regards
Simon

Martin Pirker wrote:
> Simon Mittelberger wrote:
>
>> Hello,
>
> Hi...
>
> Your emails got unfortunately delivered in reverse order you sent them.
>
>> i am currently trying to create an EKCertificate, but i get this exception:
>>
>> Exception in thread "main" java.lang.RuntimeException: BUG? cannot
>> convert key to OAEP
>>   at iaik.tc.cert.common.Common.publicRSAtoPublicRSAOAEP(Common.java:352)
>>   at iaik.tc.cert.EKCertificate.create(EKCertificate.java:150)
>> ....
>
> While RSA-OAEP is supported somewhat in standard Java runtime since
> Java 5, I don't think it is complete enough.
>
> So did you initialise the IAIK-JCE library in your program first
> for full crypto support needed by TCcert?
> You need to do at least once at the beginning of your program:
>
>     import iaik.security.provider.IAIK;
>
>     IAIK.addAsProvider();
>
> HTH,
> Martin

From: Martin P. <Mar...@ia...> - 2009-07-13 07:40:53

Simon Mittelberger wrote:
> Hello,

Hi...

Your emails got unfortunately delivered in reverse order you sent them.

> i am currently trying to create an EKCertificate, but i get this exception:
>
> Exception in thread "main" java.lang.RuntimeException: BUG? cannot
> convert key to OAEP
>   at iaik.tc.cert.common.Common.publicRSAtoPublicRSAOAEP(Common.java:352)
>   at iaik.tc.cert.EKCertificate.create(EKCertificate.java:150)
> ....

While RSA-OAEP is supported somewhat in standard Java runtime since Java 5, I don't think it is complete enough.

So did you initialise the IAIK-JCE library in your program first for full crypto support needed by TCcert?
You need to do at least once at the beginning of your program:

    import iaik.security.provider.IAIK;

    IAIK.addAsProvider();

HTH,
Martin

From: Ronald T. <ron...@ia...> - 2009-07-09 10:42:03

Hello Simon,

Could you please try to explain your problems in a little more detail?

Ronald

Simon Mittelberger wrote:
> Hello again,
>
> sorry, new problem: it also doesn't work with the KeyPairGenerator now.
>
> Best regards
> Simon

--
Dipl.-Ing. Ronald Tögl           phone +43 316/873-5502
Trusted Computing Labs           fax   +43 316/873-5520
IAIK                             ron...@ia...
Graz University of Technology    http://www.iaik.tugraz.at

From: Simon M. <sim...@in...> - 2009-07-09 10:12:30

Hello,

I am currently trying to create an EKCertificate, but I get this exception:

    Exception in thread "main" java.lang.RuntimeException: BUG? cannot convert key to OAEP
      at iaik.tc.cert.common.Common.publicRSAtoPublicRSAOAEP(Common.java:352)
      at iaik.tc.cert.EKCertificate.create(EKCertificate.java:150)
    ....

The code which generates this is the following:

    X509Certificate ekCertificate = EKCertificate.create(prop,
            privacyCACertificate, privKeyPrivacyCa_, ekPubKey);

If I create the ekPubKey by myself, using KeyPairGenerator, it all works fine. But when I want to use the PublicEK from the TPM it fails with the above described error message.

I get the EK from the TPM with the following code:

    TcTpmPubkey pubTPMEK = new TcTpmPubkey(tpm.getPubEndorsementKeyOwner().getPubKey());
    RSAPublicKey ekPubKey = TcCrypto.pubTpmKeyToJava(pubTPMEK);

I hope for some advice.

Thank you,
best regards
Simon Mittelberger

From: Simon M. <sim...@in...> - 2009-07-09 10:07:35

Hello again,

sorry, new problem: it also doesn't work with the KeyPairGenerator now.

Best regards
Simon

From: Martin P. <Mar...@ia...> - 2009-06-23 08:17:45

dev...@ar... wrote:
>> PCRs content -> provides evidence of system state
>
> Is it correct that PCRs content checking can be used to detect if a system is corrupted (e.g. hijacked, bot ...)?

If the chain of trust is not broken, the stored measurement log (SML) plus signed quote of current PCRs is evidence what software chain was run.

However, that alone does not give you any information whether one of the packages in the chain contains e.g. a buffer overflow, which is/was used to silently take complete control of the system.

If you know that a certain software is vulnerable, you can examine the chain from the start onwards and, if the specific version is in there, you must assume all later measurements are not the truth.
(Because malicious software can only manipulate measurements done after taking control, due to the one-way nature of hashes).

> Further is it correct that this check can only be used if the systems already know each other?

If you want to check for certain software hashes in the SML, of course you would have to know the "good" (and probably "bad") values for comparison.

Martin

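Added example, not part of Martin's message and not jTSS code: a verifier-side sketch of the SML evaluation he describes, replaying the log to reproduce the quoted PCR and marking every entry after a known-vulnerable component as untrusted. The class, the record names, the component labels and PCR index 10 are assumptions made for illustration; it uses only the JDK (Java 17) and assumes the quoted PCR value was already taken from a signature-checked quote.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.List;
import java.util.Set;

public class SmlReplay {
    /** One SML entry: the PCR that was extended, the SHA-1 measurement, a label. */
    record Entry(int pcr, byte[] digest, String name) {}

    /** logMatchesQuote: the log reproduces the quoted PCR value.
     *  firstUntrusted: log index from which entries cannot be believed (-1 = none). */
    record Verdict(boolean logMatchesQuote, int firstUntrusted) {}

    static byte[] sha1(byte[]... parts) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        for (byte[] p : parts) md.update(p);
        return md.digest();
    }

    /** TPM 1.2 extend: PCR_new = SHA1(PCR_old || measurement), starting from 20 zero bytes. */
    static byte[] replay(List<Entry> sml, int pcr) throws Exception {
        byte[] value = new byte[20];
        for (Entry e : sml) {
            if (e.pcr() == pcr) value = sha1(value, e.digest());
        }
        return value;
    }

    static Verdict evaluate(List<Entry> sml, int pcr, byte[] quotedPcr,
                            Set<String> knownVulnerable) throws Exception {
        // 1. The log is only evidence if replaying it yields the signed PCR value.
        boolean matches = MessageDigest.isEqual(replay(sml, pcr), quotedPcr);
        // 2. A vulnerable component was measured before it ran, so its own entry is
        //    truthful; everything measured after it may have been manipulated.
        int firstUntrusted = -1;
        for (int i = 0; i < sml.size(); i++) {
            String hex = HexFormat.of().formatHex(sml.get(i).digest());
            if (knownVulnerable.contains(hex)) {
                firstUntrusted = i + 1;
                break;
            }
        }
        return new Verdict(matches, firstUntrusted);
    }

    /** Stand-in for measuring a binary: SHA-1 of a constructed label. */
    static byte[] measure(String label) throws Exception {
        return sha1(label.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample log; real entries come from the platform's SML.
        List<Entry> sml = List.of(
            new Entry(10, measure("bootloader-1.0"), "bootloader"),
            new Entry(10, measure("kernel-2.6.30"), "kernel"),
            new Entry(10, measure("netd-2.3"), "netd"),
            new Entry(10, measure("app-0.9"), "app"));
        // Stand-in for the PCR value carried in a verified quote.
        byte[] quoted = replay(sml, 10);
        // Verifier's list of "bad" hashes (constructed).
        Set<String> vulnerable = Set.of(HexFormat.of().formatHex(measure("netd-2.3")));

        Verdict v = evaluate(sml, 10, quoted, vulnerable);
        System.out.println("log reproduces quoted PCR: " + v.logMatchesQuote());
        for (int i = 0; i < sml.size(); i++) {
            boolean untrusted = v.firstUntrusted() >= 0 && i >= v.firstUntrusted();
            System.out.println(sml.get(i).name() + ": "
                + (untrusted ? "untrusted (measured after a vulnerable component)" : "believable"));
        }

        // A log with the vulnerable entry left out no longer reproduces the quote.
        List<Entry> edited = List.of(sml.get(0), sml.get(1), sml.get(3));
        System.out.println("edited log reproduces quoted PCR: "
            + evaluate(edited, 10, quoted, vulnerable).logMatchesQuote());
    }
}
```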
From: <dev...@ar...> - 2009-06-23 07:41:50

Hello Martin,

thanks for answering. I think I got the points. But just to make it clear.

> PCRs content -> provides evidence of system state

Is it correct that PCRs content checking can be used to detect if a system is corrupted (e.g. hijacked, bot ...)?

Further is it correct that this check can only be used if the systems already know each other?

Thanks,
Jan

From: Martin P. <Mar...@ia...> - 2009-06-22 14:47:20

dev...@ar... wrote:
> System A communicates with System B for the first time
> For my understanding system B cannot check the signed PCR at this time as well as it cannot check the nonce, because of it does not know the expected values.

The point of using a nonce is to provide freshness, a random nonce cannot be predicted and thus makes certain attacks (e.g. replay) harder.
One entity requests a quote and provides a nonce, the other does the quote and then, by examining the nonce in the response one can be assured the quote was done "just now" - it is a freshly generated reply.

> 3. Are the checks, which were described int the scenario are enough for attestation?

What is the point of each check?

    nonce             -> provides evidence that the answer is fresh
    PCRs content      -> provides evidence of system state
    signature on PCRs -> cryptographic binding of PCR info to key
    AIK certificate   -> proof that the key is really a hardware TPM hosted non-migrateable identity key

...and a PKI is needed to manage/validate AIK certificates according to a specific policy, trusted to be done correctly by the application

HTH,
Martin

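Added example, not part of Martin's message and not jTSS or apki code: the signature, nonce and PCR checks from his list, run by a verifier over a TPM 1.2 TPM_QUOTE_INFO blob, including the case where an old quote is presented against a fresh nonce. The class and method names are assumptions, a software RSA key stands in for the TPM-resident AIK, the PCR values are constructed, and AIK certificate validation is assumed to have happened separately.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class QuoteCheck {
    // TPM_QUOTE_INFO starts with TPM_STRUCT_VER 1.1.0.0 and the fixed tag "QUOT".
    static final byte[] HEADER = {1, 1, 0, 0, 'Q', 'U', 'O', 'T'};

    /** SHA-1 over TPM_PCR_COMPOSITE: selection bitmap, value size, selected PCR values. */
    static byte[] compositeHash(SortedMap<Integer, byte[]> pcrs) throws Exception {
        byte[] select = new byte[3];                        // 24 PCRs -> 3 bitmap bytes
        for (int i : pcrs.keySet()) select[i / 8] |= (byte) (1 << (i % 8));
        ByteBuffer b = ByteBuffer.allocate(2 + 3 + 4 + 20 * pcrs.size()); // big-endian
        b.putShort((short) select.length).put(select).putInt(20 * pcrs.size());
        for (byte[] v : pcrs.values()) b.put(v);
        return MessageDigest.getInstance("SHA-1").digest(b.array());
    }

    /** 48 bytes: header(8) || composite hash(20) || externalData, i.e. the nonce(20). */
    static byte[] quoteInfo(byte[] compositeHash, byte[] nonce) {
        return ByteBuffer.allocate(48).put(HEADER).put(compositeHash).put(nonce).array();
    }

    /** Returns the names of the checks that failed; an empty list means all passed. */
    static List<String> verify(byte[] info, byte[] signature, PublicKey aik,
                               byte[] myNonce, SortedMap<Integer, byte[]> expectedPcrs)
            throws Exception {
        if (info.length != 48 || !Arrays.equals(Arrays.copyOfRange(info, 0, 8), HEADER)) {
            return List.of("format");
        }
        List<String> failed = new ArrayList<>();
        // signature on PCRs: binds the quote info to the AIK (RSASSA-PKCS1-v1_5, SHA-1)
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initVerify(aik);
        sig.update(info);
        if (!sig.verify(signature)) failed.add("signature");
        // PCRs content: composite hash of the values the verifier expects
        if (!MessageDigest.isEqual(Arrays.copyOfRange(info, 8, 28), compositeHash(expectedPcrs))) {
            failed.add("pcr");
        }
        // nonce: must be the one this verifier sent with this request
        if (!MessageDigest.isEqual(Arrays.copyOfRange(info, 28, 48), myNonce)) {
            failed.add("nonce");
        }
        return failed;
    }

    static byte[] freshNonce() {
        byte[] n = new byte[20];
        new SecureRandom().nextBytes(n);
        return n;
    }

    static byte[] constructedPcr(String label) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(label.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair aik = kpg.generateKeyPair();                // software stand-in for the AIK

        SortedMap<Integer, byte[]> pcrs = new TreeMap<>();  // constructed PCR values
        pcrs.put(0, constructedPcr("constructed PCR 0"));
        pcrs.put(10, constructedPcr("constructed PCR 10"));

        // Attesting side: quote over the current PCRs and the verifier's nonce.
        byte[] nonce = freshNonce();
        byte[] info = quoteInfo(compositeHash(pcrs), nonce);
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(aik.getPrivate());
        signer.update(info);
        byte[] signature = signer.sign();

        System.out.println("fresh quote:    " + verify(info, signature, aik.getPublic(), nonce, pcrs));

        // Same quote presented again for a later request with a new nonce.
        System.out.println("replayed quote: "
            + verify(info, signature, aik.getPublic(), freshNonce(), pcrs));

        // Verifier expects a different value in PCR 10 than the platform reported.
        SortedMap<Integer, byte[]> other = new TreeMap<>(pcrs);
        other.put(10, constructedPcr("some other state"));
        System.out.println("unexpected PCR: "
            + verify(info, signature, aik.getPublic(), nonce, other));
    }
}
```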
From: <dev...@ar...> - 2009-06-19 11:26:42

Hello,

the question I have about quoting PCR is probably more likely to understand the concept than how to realize it with jTSS. Nevertheless, I hope someone could help me with that.

I have taken a closer look at the example, which is provided in the apki-application. As far as I understand this example it works as follows:

1. Client sends a quote request containing a nonce and the number of the PCR which have to be signed
2. The server sends a response, with the quote_info (containing: signed PCR, and the nonce), a signature and the AIK-certificate
3. Client does the verification like follows
   a. Checks the signature
   b. Checks the PCR value
      i. Client first calculates the compositeHash of the expected hash-value, which is provided by the user of the client
      ii. Afterwards the composite-hash-value and the received DigestValue will be compared
   c. Checks the nonce

My understanding of verifying the received signed PCR is to check if the system, which does the quote, is in the expected state (no hardware and/or software changes).

Now we have the following scenario:

System A communicates with System B for the first time.
System A sends a message to system B: containing the same information as the quote-response from above to prove its identity.
System B now verifies the received message as follows
   a. Checks if the AIK is valid; sends request to a PKI-System
   b. Checks the signature

For my understanding system B cannot check the signed PCR at this time as well as it cannot check the nonce, because of it does not know the expected values.

My questions are:

1. Is my understanding of verifying and signing PCR correct?
2. Is there any common solution, how to handle the scenario described above?
3. Are the checks, which were described in the scenario, enough for attestation?

I hope someone could help me. I'm a little confused.

Thanks in advance.
Jan

p.s.: I have read also something about DAA to prove the identity, but as it is not supported by jTSS yet. It is no solution, because of I have to implement a prototypical solution based on Java.

From: Martin P. <Mar...@ia...> - 2009-06-15 07:43:20

Have a nice monday morning...

dev...@ar... wrote:
> - Debugging the server part, which leads me to the following exception in the file ValidateCertFile.java function validate
> Signature decryption error: javax.crypto.BadPaddingException: Invalid PKCS#1 padding: encrypted message and modulus lengths do not match!

Decryption failure with PKCS#1 padding errors typically occur when one uses the wrong key for decryption.

E.g., you receive the same error if you want to try our demo server setup to create an AIK certificate, but use the credentials which are included in the apki package and not the matching ones from the demo server homepage.

Why this happens in your setup with just aik_validate I can't say, have a look at your configuration which certificate (chains) are actually loaded and used for validation.

As you can see from the validation module code it is very basic. In a real production setup one would hook up an industrial PKI validation module, but that wasn't the primary development goal for this experimental prototype PrivacyCA setup.

HTH,
Martin

From: <dev...@ar...> - 2009-06-11 14:36:35

Hello,

I have set up and running the apki0.2-server. I do the following steps:

1. I create an EK-Certificate
2. With this EK-Certificate, I create an AIK-Certificate

These steps work just fine, as well as validation of the EK-Cert. But if I want to validate the AIK-Cert I always receive the following result:

    === running VALIDATE_AIK_REQUEST
    15:54:47:775 [INFO] PkiServerCommand::action_validate_aik_request (193): received: #20090611155249983, 1111113
    15:54:47:776 [INFO] PkiServerCommand::action_validate_aik_request (199): status: INDETERMINATE

The commands aik_locate and aik_revoke also work as expected.

Further investigation, which I have done:

- Debugging the server part, which leads me to the following exception in the file ValidateCertFile.java function validate

      Signature decryption error: javax.crypto.BadPaddingException: Invalid PKCS#1 padding: encrypted message and modulus lengths do not match!

I hope someone could give me some advice.

Thanks,
Jan

The version I use:

    APKI: 0.2-20090302-102854-r908c90aa
    jTSS_TSP: 0.4a 20090227 14:43:27
    TCcert: 0.2.2a-20080709-114558

From: Martin P. <Mar...@ia...> - 2009-06-10 07:27:38

Hi...

Martin Schneider wrote:
> we're working on a kind of TPM-based Certification Authority (CA). The
> private key of the CA is located in a TPM which means that the
> Certificate Signing Request (CSR) will be signed using a private key
> **inside the TPM**.

Note that not all TPM key types sign arbitrary externally supplied data.

> In my understanding singing a CSR with a key in a TPM could be done
> using OpenSSL and a OpenSSL TPM engine. OpenSSL and Java doesn't fit
> there's also a Java Package java.security.cert
> (http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/package-summary.html)
> available that can be used for certificate creation.

As you can read from this link "Provides classes and interfaces for parsing and managing certificates". The classes included in standard Java runtime are either just abstract interfaces or classes with limited functionality (e.g. only parsing, not creating).

> Can this package
> be used with TPM, too? Or what would you recommend to us?

If you need a full implementation of the Java cryptography API, we can recommend our own IAIK-JCE libraries which provide everything you ever need for certificates, cryptography, ASN.1, CRLs etc. etc. with Java.
IAIK-JCE is also the toolkit used by the Trusted Computing for Java libraries.

Note that IAIK-JCE is a commercial product, but free licenses are available for educational and/or research purposes.
Please see further information at
http://jce.iaik.tugraz.at/sic/products/core_crypto_toolkits/jca_jce

HTH,
Martin

From: Martin S. <mar...@go...> - 2009-06-09 20:34:40

Hello,

we're working on a kind of TPM-based Certification Authority (CA). The private key of the CA is located in a TPM which means that the Certificate Signing Request (CSR) will be signed using a private key **inside the TPM**.

In my understanding signing a CSR with a key in a TPM could be done using OpenSSL and an OpenSSL TPM engine. OpenSSL and Java don't fit too well together and there's also a Java Package java.security.cert (http://java.sun.com/j2se/1.5.0/docs/api/java/security/cert/package-summary.html) available that can be used for certificate creation. Can this package be used with TPM, too? Or what would you recommend to us?

Thanks for your advice.

From: Ronald T. <ron...@ia...> - 2009-05-26 07:58:08

Hi Paolo,

Just use the SOAP bindings for your application. Then the TCS will manage the TPM and act as server to as many client threads as you need.

At least in theory. :-) - Feedback and experience reports on this mechanism are welcome.

hth,
Ronald

Paolo wrote:
> Hi, i have a problem
>
> i know that the TPM can be accessed by one TSS at a time.
> But in my application the TSS code is executed by a java thread that
> connect it to the TPM with the context_.connect(), do his job and then,
> before the thread die, calls the context_.closeContext() method. Than
> the thread die and the control return to the main program that continue
> to work.
> If then i want to execute another thread that must have access to the
> TPM then a *resource busy Device /dev/tpm* exception is thrown.
> How can i have a multiple access to the TPM?
>
> best regards Paolo

--
Dipl.-Ing. Ronald Tögl           phone +43 316/873-5502
Trusted Computing Labs           fax   +43 316/873-5520
IAIK                             ron...@ia...
Graz University of Technology    http://www.iaik.tugraz.at

From: Paolo <pao...@gm...> - 2009-05-23 14:09:23

Hi, I have a problem.

I know that the TPM can be accessed by one TSS at a time.
But in my application the TSS code is executed by a Java thread that connects to the TPM with context_.connect(), does its job and then, before the thread dies, calls the context_.closeContext() method. Then the thread dies and control returns to the main program, which continues to work.
If I then want to execute another thread that must have access to the TPM, a *resource busy Device /dev/tpm* exception is thrown.
How can I have multiple access to the TPM?

best regards
Paolo

From: Anders R. <and...@te...> - 2009-05-21 20:35:29

Dear List;

Although TPMs have been shipping in large quantities in laptop computers, actual adoption has been moderate to say the least. In the mean-time things like the iPhone have quickly become our closest link to the Internet making the need for credible authentication solutions imminent. However, there is no PKI provisioning protocol out there (=adopted) that can use a TPM in any verifiable secure way.

Due to that I have begun to develop an authentication-oriented TPM which departs from the 1.2 specification in several aspects:

- Independent of PCR measurements, runs on any platform "as is"
- Attests all components of user-credentials, including PIN policies
- Conventional approach to security and privacy, no DAAs or Privacy CAs.

Unlike previous efforts in this space, this "TPM" project is addressing the entire chain ranging from key-store to required browser enhancements.

Since a standardization effort would (easily) take another five years to accomplish the concept will be introduced in an iterative way as an Open Software and Open Hardware project.

The "alternative" is probably things like:
http://www.trustdigital.com/downloads/TD_EMM_CAC_Pack_101008.pdf
Who wants that???

"Air-tight" provisioning, the basics:
http://webpki.org/papers/keygen2/secure-key-store.pdf

"Air-tight" provisioning, core facility:
http://webpki.org/papers/keygen2/session-key-establishment--security-element-2-server.pdf

Protocol emulator (not yet fully compliant) but (at least) shows the user experience:
http://keycenter.webpki.org

Initial Open Hardware TPM target:
http://www.atmel.com/dyn/products/tools_card.asp?tool_id=3879
which I hope will become the first true multi-issuer token based on open technology.

[Planned] feature-set at a glance:

- Double-use as a regular USB 2.0 mass memory stick
- 4 MB of key-space
- PKI, OTP, and InfoCards
- Issuer-specific PINs, PUKs, and policies
- Universal credential provisioning and management protocol
- Issuer-separated credential-management through proof-of-issuance signatures
- "Air-tight provisioning" through device attestations

Anders Rundgren
WebPKI.org

From: Ronald T. <ron...@ia...> - 2009-05-19 08:13:49

Hi Simon,

You are right, you need to complete the .ini files before you can use jTSS.

Select the components of your choice for log file and persistent storage and create the folders in the file system (with proper access rights for the user/root) you intend to use and fill in the paths in the ini files.

For TSP-TCS communications you can either choose local bindings (i.e. direct method calls) or SOAP bindings. For the later you need to install the system daemon before using it.

For local bindings (recommended for testing) you either need root privileges to access the TPM, or to allow access to /dev/tpm.

Please, also note that the test-suite uses the hardcoded owner password "opentc", encoded as UTF-16LE without terminating zero. Other tools than jTpmtools might fail to use the correct encoding.

This is a basic jTSS code example on reading the TPM version.

    context_ = new TcTssContextFactory().newContextObject();
    context_.connect();

    TcTssVersion version = getRealTpmVersion();

    TcBlobData subCap = TcBlobData
            .newUINT32(TcTssConstants.TSS_TPMCAP_PROP_MANUFACTURER);
    TcBlobData tpmMan = context_.getTpmObject().getCapability(
            TcTssConstants.TSS_TPMCAP_PROPERTY, subCap);

    context_.closeContext();

The complete example source is in iaik.tc.tss.test.tsp.java.simple.

For a tutorial, you can also check out these slides:
http://www.iaik.tugraz.at/content/teaching/master_courses/trusted_computing/downloads/2009/L3_AK_IT_2009-TSS.pdf

hth,
Ronald

Simon Mittelberger wrote:
> Hi,
>
> I'm new to jTSS and would like to have some easy startup steps.
> I set up an ubuntu 9.04 on a lenovo t61.
> My TPM is working (tested with tpm-tools; I can execute takeownership
> and read the public EK).
>
> I tried already to execute the run_test.sh mentioned in the readme file
> which comes with the jTSS_0.4a.tar.bz2.
> It produces a lot of output, which I could not understand. I guess I
> have problems in setting up the .ini files in the correct way.
>
> Can someone explain a few easy steps to get a java program to use the
> jtss library and to read for example the TPM version? I tried to
> understand the source of the above mentioned test, but failed.
>
> Many thanks,
>
> best regards
> Simon Mittelberger

--
Dipl.-Ing. Ronald Tögl           phone +43 316/873-5502
Trusted Computing Labs           fax   +43 316/873-5520
IAIK                             ron...@ia...
Graz University of Technology    http://www.iaik.tugraz.at

From: Simon M. <sim...@in...> - 2009-05-14 17:28:44

Hi,

I'm new to jTSS and would like to have some easy startup steps.
I set up an ubuntu 9.04 on a lenovo t61.
My TPM is working (tested with tpm-tools; I can execute takeownership and read the public EK).

I tried already to execute the run_test.sh mentioned in the readme file which comes with the jTSS_0.4a.tar.bz2.
It produces a lot of output, which I could not understand. I guess I have problems in setting up the .ini files in the correct way.

Can someone explain a few easy steps to get a java program to use the jtss library and to read for example the TPM version? I tried to understand the source of the above mentioned test, but failed.

Many thanks,

best regards
Simon Mittelberger

From: Martin P. <Mar...@ia...> - 2009-05-11 09:13:35

René Korthaus wrote:
> Compiling works fine, but at runtime I get a NoClassDefFoundError:
> iaik/tc/tss/api/exceptions/common/TcTssException.

You need to include the jTSS .jar files in your runtime CLASSPATH.

HTH,
Martin

From: René K. <it...@co...> - 2009-05-08 09:44:01

Hi,

I am trying to write a small app to read all PCRs from the TPM. Compiling works fine, but at runtime I get a NoClassDefFoundError: iaik/tc/tss/api/exceptions/common/TcTssException.

Of course I import this class in header, I also tried both try-catch and declaring throws TcTssException in method signature, but both fail.

Thanks in advance!

Best,
René

Source:

    import java.lang.String.*;
    import java.io.*;
    import java.math.*;
    import iaik.tc.tss.api.tspi.*;
    import iaik.tc.tss.api.structs.common.*;
    import iaik.tc.tss.api.constants.tpm.*;
    import iaik.tc.tss.api.constants.tsp.*;
    import iaik.tc.tss.api.exceptions.common.*;
    import iaik.tc.tss.api.tspi.TcITpm;

    public class PCRRead {
        public static void main(String args[]) throws TcTssException {
            /* create a context, connect */
            TcIContext context_ = new TcTssContextFactory().newContextObject();
            context_.connect();

            /* read all 24 pcrs in a loop */
            TcITpm tpm = context_.getTpmObject();
            long i;
            TcBlobData p;
            for(i=0; i<24; i++) {
                p = tpm.pcrRead(i);
                System.out.println("PCR " + i + ": " + p.toHexString());
            }
        }
    }

From: Ronald T. <ron...@ia...> - 2009-04-27 12:16:06

Hello Teng Sha,

1. We would need much more information on the first error to attempt an analysis. Source code examples, exception stack trace etc.

2. The test suite uses the hard-coded owner password "opentc". If none is set, it will do so automatically. If non is set, it will fail in the way described.

Ronald

Teng Sha wrote:
> Hello,everyone.
> When I use the "bind" command in the jTpmTools,there throws an exception
> which is "
> iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>
> TSS Error:
> error layer: 0x00 (TPM)
> error code (without layer): 0x21
> error code (full): 0x21
> error message: The decryption process did not complete.
>
> at
> iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
> ......
> "
> But I have run this command successfully before.I don't know why it
> cannot work now.
> Meanwhile,when I run the test program that jTSS has
> itself(jTSS_0.4a/tests/run_tests.sh),there also throws some
> exceptions.In fact,it is the same exception which are thrown for many
> times.It is:
> "
> iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>
> TSS Error:
> error layer: 0x00 (TPM)
> error code (without layer): 0x01
> error code (full): 0x01
> error message: Authentication failed
>
> at
> iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
> ......
> "
>
> Ask for help~!

--
Dipl.-Ing. Ronald Tögl           phone +43 316/873-5502
Trusted Computing Labs           fax   +43 316/873-5520
IAIK                             ron...@ia...
Graz University of Technology    http://www.iaik.tugraz.at

From: Ronald T. <ron...@ia...> - 2009-04-22 08:32:47

Dear trustedJava-users,

Besides jTSS and jTSS Wrapper we are also designing a new, higher-level API.

"JSR321" is a Java Specification Request for Trusted Computing API for Java Platform. It is aimed to develop a Trusted Computing API for Java(TM) providing selected functionality the TCG Software Stack offers to the C world, while following the conventions of modern Java APIs.

JSR 321 is now available for Early Draft Review from
http://www.jcp.org/en/jsr/detail?id=321

JSR321 has taken a transparent approach towards the development of the API and aims to get valuable feedback from the security and Java community in order to develop the most useful specifications.
You can read more about the JSR and the procedures followed for its development here: http://jsr321.dev.java.net/

We will be grateful for your comments and opinions on the current draft!
Comments/suggestions regarding the JSR should be sent to: jsr...@jc...

The review phase will end June 8th, 2009.

Thank you,
Ronald

--
Dipl.-Ing. Ronald Tögl           phone +43 316/873-5502
Trusted Computing Labs           fax   +43 316/873-5520
IAIK                             ron...@ia...
Graz University of Technology    http://www.iaik.tugraz.at

From: Martin P. <Mar...@ia...> - 2009-04-20 08:58:37

Hi...

root wrote:
> I write to ask help for using jTpm tools.When I use the tools,I find
> that I can run some commands(e.g.bind) successfully with or without
> trousers.Is this normal?In other word,is trousers essential for using
> jTpm tools?

jTSS is a standalone TSS, it can communicate directly with the /dev/tpm in Linux and to the Trusted Base Services (TBS) in Vista.

TrouSerS is a standalone C TSS. In Linux TrouSerS talks directly to the /dev/tpm.

Only one TSS can access the TPM device, thus you cannot run both TSS' at the same time.

However, if you want to do both C and Java TPM development you can use the jTSSWrapper package which maps the jTSS high-level API to the TrouSerS C API via Java JNI magic.

So you can run jTpmTools with standalone jTSS as well as jTSS via jTSSWrapper on top of TrouSerS.

Note, however, that jTSS and TrouSerS do not implement the same set of TSS commands. Some commands may only work on jTSS, some only on TrouSerS.

> What's more,I wonder if someone has iaik_jce.jar and iaik_xsect.jar?I

It's available from http://jce.iaik.tugraz.at/
You need to register to download the free demo versions.

> cannot download them from the website because I don't have SAP on my
> computer.

"SAP" ?

HTH,
Martin

From: 赵. <zha...@si...> - 2009-04-03 08:19:19

Hello everyone:

Here is my problem:

    TcBlobData data = .....
    boolean boo = TcBlobData.newString(data.toString()).equals(a);

Sometimes boo is false. Why?