From: francesca f. <fra...@ju...> - 2007-10-11 10:31:11

Hi all!

I'm using your TCcert package to create a test certificate for a CA. I have a question: is it possible to create a CA certificate where the public and private key of the CA are created by me?

Another question: when I invoke the CACertificate constructor as follows:

    cacert = new CACertificate(properties, null, null);

and I invoke the method

    cacert.getKeyPair().getPrivate()

or

    cacert.getKeyPair().getPublic()

do I obtain something? Does the constructor create a key pair for the CA?

Thank you,
F.F.

From: Martin P. <Mar...@ia...> - 2007-10-10 08:09:05

alberto fernandez castillo wrote:
> Hello, I'm a student from Spain. I'm working with Tommy Lindberg's
> XKMS 2.0 server with a client that I've designed with the package that
> I found in IAIK page (http://trustedjava.sourceforge.net/index.php?item=xkms/readme).
> The package has the private key that I need, but I can't obtain it with
> java to send it to the server, in the package there are a public key, a
> private key and some certificates, but when I send a private key with a
> ProofOfPossession to the server, for example to the Reissue service
> (this service always require the ProofOfPossession), it always generates
> an error.
>
> The code that I use is the next one:
> Security.addProvider(new BouncyCastleProvider());

IAIK XKMS requires IAIK-JCE as provider as documented in the README. BouncyCastle is not supported/tested; if you want to use BC you are on your own.

Demo code to import a private key would be (see also examples in IAIK-JCE docs):

    import java.io.FileInputStream;
    import java.security.PrivateKey;
    import iaik.pkcs.pkcs8.EncryptedPrivateKeyInfo;

    /**
     * Reads private key from PKCS8 file.
     */
    public static PrivateKey readPrivateKeyFromFile(String filename, String password)
        throws Exception {
      // close the key file once the encrypted structure has been parsed
      try (FileInputStream in = new FileInputStream(filename)) {
        EncryptedPrivateKeyInfo epk = new EncryptedPrivateKeyInfo(in);
        epk.decrypt(password);
        return epk.getPrivateKeyInfo();
      }
    }

HTH
--
Martin Pirker
IAIK, TU Graz

From: alberto f. c. <afe...@ho...> - 2007-10-09 16:44:08

Hello, I'm a student from Spain. I'm working with Tommy Lindberg's XKMS 2.0 server with a client that I've designed with the package that I found in IAIK page (http://trustedjava.sourceforge.net/index.php?item=xkms/readme). The package has the private key that I need, but I can't obtain it with java to send it to the server, in the package there are a public key, a private key and some certificates, but when I send a private key with a ProofOfPossession to the server, for example to the Reissue service (this service always require the ProofOfPossession), it always generates an error.

The code that I use is the next one:

    Security.addProvider(new BouncyCastleProvider());
    KeyFactory keyFactory = KeyFactory.getInstance("RSA", "BC");

    byte[] bufferPriv = new byte[5000];
    FileInputStream in = new FileInputStream("privKey");
    in.read(bufferPriv, 0, 5000);
    in.close();
    PKCS8EncodedKeySpec clavePrivadaSpec = new PKCS8EncodedKeySpec(bufferPriv);
    PrivateKey clavePrivada = keyFactory.generatePrivate(clavePrivadaSpec);
    System.out.println("Privada:" + clavePrivada);

Thanks a lot.

From: Martin P. <Mar...@ia...> - 2007-09-17 15:18:33

pat...@in... wrote:
> when i do
>   TcTssPcrEvent event=tpm.getEvent(pcrIndex, 0);
>   TcBlobData pcrValue=event.getPcrValue();
>
> what is exactly the pcrValue?

If in doubt, ask the spec (TSS spec, chapter 2.6.2, TSS_PCR_EVENT):

  "...containing the value extended into the TPM by Tspi_TPM_PcrExtend. This SHALL be the result of the calculation of SHA-1(ulPcrIndex || pbPcrData || eventType || rgbEvent), where[...]"

If still in doubt, ask the code: see method pcrExtend in jtss_tsp/src/iaik/tc/tss/impl/java/tsp/TcTpm.java

HTH
--
Martin Pirker
IAIK, TU Graz

From: <pat...@in...> - 2007-09-17 14:45:12

Thanks!

Another question about this: when I do

    TcTssPcrEvent event=tpm.getEvent(pcrIndex, 0);
    TcBlobData pcrValue=event.getPcrValue();

what exactly is the pcrValue?

This is my code:

    TcBlobData pcrValue = TcBlobData.newByteArray(contenutoKernel).sha1();
    Log.info("PCR value: " + pcrValue.toHexStringNoWrap());
    TcTssPcrEvent pcrEvent = new TcTssPcrEvent();
    pcrEvent.init(TcTssVersion.TPM_V1_1, pcrIndex, TcTssConstants.TSS_EV_ACTION, null,
        TcBlobData.newString("vmlinuz added"));
    TcBlobData extendData = tpm.pcrExtend(pcrIndex, pcrValue, pcrEvent);
    Log.info("Extended data: " + extendData.toHexStringNoWrap());
    TcTssPcrEvent event = tpm.getEvent(pcrIndex, 0);
    TcBlobData pcrValue2 = event.getPcrValue();
    Log.info("PCR value in event: " + pcrValue2.toHexStringNoWrap());

The output of the code is:

    16:40:25:473 [INFO] ProtocolThread::run (120): PCR value: b3 85 c6 54 24 70 60 55 0e e3 19 03 4d d7 5c 41 05 96 9d 79
    16:40:25:489 [INFO] ProtocolThread::run (125): Extended data: b5 e9 3a 22 cd e5 78 e9 a9 d6 f8 d7 c0 3f fd 2a 42 1c a5 1b
    16:40:25:491 [INFO] ProtocolThread::run (139): PCR value in event: 69 ed aa 82 0c 3c 40 c4 6b 9b 0e e8 c9 b8 44 63 f5 3a c4 22

What is the value that is in the PCRValue field of the event? Why is it different in comparison with the PCR value of the first line of my code?

Regards
P.C.

>pat...@in... wrote:
>> i know that the server has to bring the list of measures and has to
>> reproduce the extend operations the client has done and compare with
>> the quote result.
>> i've seen that the log is an array of TcTssPcrEvent, but how is this
>> structure correleted with the TcTssValidation that is the result of
>> a quote operation?
>> How can i compare them?
>
>a quick rundown:
>
>system state = set of PCR registers with specific value
>
>PCR composite digest = one hash value, calculated from set of PCR register
>states(hashes)
>
>How to calculate a PCR composite digest (=current system state) from PCR states,
>see discussion on this mailing list ca. middle of July.
>
>How to calculate single PCR register extend operation, see ExtendPcrs.java
>example from JTpmTools.
>
>|TcTssValidation quoteResult = context.getTpm().quote(aikKey, pcrSelection,
>validation);
>
>pcrSelection contains the mask of PCRs to do the quote from
>
>|... = quoteResult.getData(); // plain data
>|... = quoteResult.getValidationData(); // signature
>
>TcTpmQuoteInfo qInfo = new TcTpmQuoteInfo(....plaindata...);
>TcTpmCompositeHash compHash = qInfo.getDigestValue(); // get compositeDigest hash
>
>and compare this with you own result on the server side.
>
>> Please, can you tell me the code i have to use to compare the log with the
>quote result?
>
>There is no standard/protocol (yet) on how to get a client log + quote to the
>server, you have to invent your own. Further, currently there is no helper
>code for helping you in replaying/recalculating the PCR log.
>
>HTH
>
>-- Martin Pirker
>IAIK, TU Graz

From: Martin P. <Mar...@ia...> - 2007-09-17 11:26:58

cas...@al... wrote:
> this is my code that is as your code in the tool, at the client side:
>
> try {
>   aikCertificate = new X509Certificate(aikCredential.asByteArray());
>
> } catch (CertificateException ex) {
>   ex.printStackTrace();
> }
> Log.info("received AIK certificate with IdLabel: '" + AIKCertificate.getTPMLabelID(aikCertificate) + "'");
>
> as you do in the verifyAndPrintAikLabel function.

This is quick test code that the received result is not complete crap:
a) if certificate instantiation from the passed byte array does not fail it probably is a real X509 certificate.
b) if there is a TCG certificate extension holding an AIK label it probably is a real AIK certificate.
Nothing more checked here.

> to the remote host i send the aikCredential (returned by the activateIdentity),
> but the remote host has to verify the correctness of the aik certificate.
> how can it do?

If you trust your issuing entity to always issue correctly assembled and signed AIK certificates, you do a basic PKI signature chain check:

    aikcert.verify(aikcacert.getPublicKey());

and if that's ok you trust the content. Or, a chain validation, see ServerPCA.java, method verifyCredentials in the PrivacyCA package.

If not, you have to examine every part of the certificate to be as described by the TCG credential profiles document.

HTH
--
Martin Pirker
IAIK, TU Graz

From: Martin P. <Mar...@ia...> - 2007-09-17 09:58:45

pat...@in... wrote:
> i know that the server has to bring the list of measures and has to
> reproduce the extend operations the client has done and compare with
> the quote result.
> i've seen that the log is an array of TcTssPcrEvent, but how is this
> structure correleted with the TcTssValidation that is the result of
> a quote operation?
> How can i compare them?

a quick rundown:

system state = set of PCR registers with specific value

PCR composite digest = one hash value, calculated from set of PCR register states (hashes)

How to calculate a PCR composite digest (= current system state) from PCR states, see discussion on this mailing list ca. middle of July.

How to calculate single PCR register extend operation, see ExtendPcrs.java example from JTpmTools.

|TcTssValidation quoteResult = context.getTpm().quote(aikKey, pcrSelection, validation);

pcrSelection contains the mask of PCRs to do the quote from

|... = quoteResult.getData(); // plain data
|... = quoteResult.getValidationData(); // signature

TcTpmQuoteInfo qInfo = new TcTpmQuoteInfo(....plaindata...);
TcTpmCompositeHash compHash = qInfo.getDigestValue(); // get compositeDigest hash

and compare this with you own result on the server side.

> Please, can you tell me the code i have to use to compare the log with the quote result?

There is no standard/protocol (yet) on how to get a client log + quote to the server, you have to invent your own. Further, currently there is no helper code for helping you in replaying/recalculating the PCR log.

HTH
--
Martin Pirker
IAIK, TU Graz

From: <pat...@in...> - 2007-09-16 15:46:40

Hello!

I have a question for you: I have to check that the measurement list received by a remote server is correct in comparison with the quote result received by the server.

I know that the server has to bring the list of measures and has to reproduce the extend operations the client has done and compare with the quote result. I've seen that the log is an array of TcTssPcrEvent, but how is this structure correlated with the TcTssValidation that is the result of a quote operation? How can I compare them? Is there any function that does all automatically?

Please, can you tell me the code I have to use to compare the log with the quote result?

Thank you,
Patrizia Cellesi

From: <cas...@al...> - 2007-09-13 16:04:19

Thank you for your response, sorry but maybe I didn't explain very well!!

This is my code that is as your code in the tool, at the client side:

    try {
      aikCertificate = new X509Certificate(aikCredential.asByteArray());

    } catch (CertificateException ex) {
      ex.printStackTrace();
    }
    Log.info("received AIK certificate with IdLabel: '" + AIKCertificate.getTPMLabelID(aikCertificate) + "'");

as you do in the verifyAndPrintAikLabel function.

To the remote host I send the aikCredential (returned by the activateIdentity), but the remote host has to verify the correctness of the AIK certificate. How can it do that? I encapsulate it in an X509Certificate and I do the verify function. Also I get the AIK key from this certificate using the proper function of iaik-jce.

    aikCert = new X509Certificate(aikCredential.asByteArray());
    aikCert.getPublicKey()

Sorry if I am boring. I understand if you will not want to answer me.

Thank you again
A.F.

-----Original message-----
From: Martin Pirker [mailto:Mar...@ia...]
Sent: Thu 13/09/2007 9.48
To: cas...@al...
Cc: tru...@li...
Subject: Re: [Trustedjava-support] info about privacy ca

cas...@al... wrote:
> i have done a privacy ca emulating your privacy ca in jtpmtools (client and privacy ca are local).
> after i have done the activateidentity at the client side i create a x509certificate
> using iaik-jce as you do in your tool with the aik credential.

If you look at AikCreate.java in JTpmTools...

    aikCredential = client.activateIdentity(symCaAttestationEncrypted, asymCaContentsEncrypted, srkSecret, srkSecretMode);

...the goal of the PCA cycle is to create a certificate for the identity key in the TPM, activateidentity at the client extracts the certificate from the PCA answer.
Creating a AIK certificate after activateidentity ignores the PCA concept - I don't understand why you would do that.

> when the remote host performs the x509certificate.verify it gives an error of bad padding,
> exactly: java.security.SignatureException: Signature decryption error: javax.crypto.BadPaddingException:
> Maybe is the certificate without something important?

Maybe .verify does just what it says in the IAIK-JCE documentation, namely check the signature of a self signed certificate - which I don't understand why you would want to do that here.

> have i to do other operations after the creation of the certificate with aik credential
> or is it enough to send it to a remote host that has to verify it?

Please find someone explaining public key infrastructures (PKI) with X509 certificates to you. You seem to be not sure what you want to achieve (and why).

HTH
--
Martin Pirker
IAIK, TU Graz

From: Martin P. <Mar...@ia...> - 2007-09-13 07:48:15

cas...@al... wrote:
> i have done a privacy ca emulating your privacy ca in jtpmtools (client and privacy ca are local).
> after i have done the activateidentity at the client side i create a x509certificate
> using iaik-jce as you do in your tool with the aik credential.

If you look at AikCreate.java in JTpmTools...

    aikCredential = client.activateIdentity(symCaAttestationEncrypted, asymCaContentsEncrypted, srkSecret, srkSecretMode);

...the goal of the PCA cycle is to create a certificate for the identity key in the TPM, activateidentity at the client extracts the certificate from the PCA answer.
Creating an AIK certificate after activateidentity ignores the PCA concept - I don't understand why you would do that.

> when the remote host performs the x509certificate.verify it gives an error of bad padding,
> exactly: java.security.SignatureException: Signature decryption error: javax.crypto.BadPaddingException:
> Maybe is the certificate without something important?

Maybe .verify does just what it says in the IAIK-JCE documentation, namely check the signature of a self signed certificate - which I don't understand why you would want to do that here.

> have i to do other operations after the creation of the certificate with aik credential
> or is it enough to send it to a remote host that has to verify it?

Please find someone explaining public key infrastructures (PKI) with X509 certificates to you. You seem to be not sure what you want to achieve (and why).

HTH
--
Martin Pirker
IAIK, TU Graz

From: <cas...@al...> - 2007-09-12 15:00:19

Hi!

I have done a privacy CA emulating your privacy CA in jtpmtools (client and privacy CA are local). After I have done the activateidentity at the client side I create an x509certificate using iaik-jce as you do in your tool with the AIK credential.

Then I have to send this certificate to a remote host, but when the remote host performs the x509certificate.verify it gives an error of bad padding, exactly:

    java.security.SignatureException: Signature decryption error: javax.crypto.BadPaddingException: Invalid PKCS#1 padding: encrypted message and modulus lengths do not match!

Maybe is the certificate without something important? Have I to do other operations after the creation of the certificate with AIK credential, or is it enough to send it to a remote host that has to verify it?

Thank you very much!

From: Martin P. <Mar...@ia...> - 2007-09-12 09:44:56

cas...@al... wrote:
> in my remote attestation the server receives the message (resultQuote,eventLog,aikcertification).
> i have to attest the resultQuote using event log. how can i do?

Typically the server side in an attestation process has to
* check correctness of supplied AIK certificate
* use public key from certificate to verify quote blob signature
* check correctness/freshness of nonce
* check PCR composite digest to be expected value, by replaying the extension events in the log

> Are there documents that explain something about this in details?

AFAIK no.
We do strive to include demo code/tests/javadoc for functions as much as we can, see the sources and unit tests of jTss/JTssWrapper/JTpmTools etc., however, our manpower is limited.
Note that the current Java API is not very highlevel and matches more the official TCG lowlevel C API. You may learn a lot by following TrouSerS development, too.
The TCG specs are rather cryptic reading, but if you want an authoritative source, you'll have to bite through.

HTH
--
Martin Pirker
IAIK, TU Graz

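The server-side checks listed in the message above (quote signature, nonce freshness, replaying the logged extends into the composite digest), as an added example written against the plain JDK; it is not code from jTSS, JTpmTools or any poster. The class name, the `Event` record and the sample log are constructed, a generated RSA key stands in for the AIK, the byte layouts are those of the TPM 1.2 structures TPM_PCR_COMPOSITE and TPM_QUOTE_INFO, and validating the AIK certificate itself is left out.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class QuoteReplay {
  // Hypothetical log record: PCR index plus the 20-byte value that was extended
  // (the role TcTssPcrEvent.getPcrValue() plays in the thread).
  record Event(int pcrIndex, byte[] value) {}

  static byte[] sha1(byte[]... parts) throws GeneralSecurityException {
    MessageDigest md = MessageDigest.getInstance("SHA-1");
    for (byte[] p : parts) md.update(p);
    return md.digest();
  }

  // TPM 1.2 extend: PCR_new = SHA-1(PCR_old || value). Assumption: every PCR
  // starts at 20 zero bytes and the log holds all extends since reset.
  static Map<Integer, byte[]> replay(List<Event> log) throws GeneralSecurityException {
    Map<Integer, byte[]> pcrs = new TreeMap<>();
    for (Event e : log) {
      if (e.value().length != 20) throw new IllegalArgumentException("bad event size");
      pcrs.put(e.pcrIndex(), sha1(pcrs.getOrDefault(e.pcrIndex(), new byte[20]), e.value()));
    }
    return pcrs;
  }

  // SHA-1 over TPM_PCR_COMPOSITE (big-endian):
  // sizeOfSelect(2) || pcrSelect bitmap || valueSize(4) || selected PCR values, ascending.
  static byte[] compositeHash(SortedSet<Integer> selected, Map<Integer, byte[]> pcrs,
      int selectBytes) throws GeneralSecurityException {
    byte[] bitmap = new byte[selectBytes];
    ByteBuffer values = ByteBuffer.allocate(20 * selected.size());
    for (int i : selected) {
      bitmap[i / 8] |= (byte) (1 << (i % 8));
      values.put(pcrs.getOrDefault(i, new byte[20]));
    }
    ByteBuffer c = ByteBuffer.allocate(2 + selectBytes + 4 + values.capacity());
    c.putShort((short) selectBytes).put(bitmap).putInt(values.capacity()).put(values.array());
    return sha1(c.array());
  }

  // TPM_QUOTE_INFO is 48 bytes: version 1.1.0.0 || "QUOT" || compositeHash(20) || externalData(20).
  static byte[] quoteInfo(byte[] composite, byte[] nonce) {
    return ByteBuffer.allocate(48).put(new byte[] {1, 1, 0, 0})
        .put("QUOT".getBytes(StandardCharsets.US_ASCII)).put(composite).put(nonce).array();
  }

  // Server-side decision: signed by the AIK, carries our nonce, and the replayed
  // log reproduces the quoted composite digest.
  static boolean verify(PublicKey aik, byte[] info, byte[] sig, byte[] nonce, List<Event> log,
      SortedSet<Integer> selected, int selectBytes) throws GeneralSecurityException {
    Signature s = Signature.getInstance("SHA1withRSA"); // RSASSA-PKCS1-v1_5 over SHA-1(info)
    s.initVerify(aik);
    s.update(info);
    if (!s.verify(sig) || info.length != 48) return false;
    byte[] expected = quoteInfo(compositeHash(selected, replay(log), selectBytes), nonce);
    return MessageDigest.isEqual(info, expected);
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample data: a throwaway RSA key stands in for the AIK, and this
    // "client" half stands in for the quote operation on the attesting platform.
    KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
    g.initialize(2048);
    KeyPair aik = g.generateKeyPair();
    byte[] nonce = new byte[20];
    new SecureRandom().nextBytes(nonce);
    List<Event> log = List.of(
        new Event(10, sha1("vmlinuz".getBytes(StandardCharsets.US_ASCII))),
        new Event(10, sha1("initrd".getBytes(StandardCharsets.US_ASCII))),
        new Event(11, sha1("app.jar".getBytes(StandardCharsets.US_ASCII))));
    SortedSet<Integer> sel = new TreeSet<>(List.of(10, 11));
    byte[] info = quoteInfo(compositeHash(sel, replay(log), 3), nonce);
    Signature s = Signature.getInstance("SHA1withRSA");
    s.initSign(aik.getPrivate());
    s.update(info);
    byte[] sig = s.sign();

    // Server side: the honest log verifies; a log with its first entry dropped,
    // or a nonce the server did not issue, does not.
    PublicKey pub = aik.getPublic();
    System.out.println("honest log:   " + verify(pub, info, sig, nonce, log, sel, 3));
    System.out.println("tampered log: " + verify(pub, info, sig, nonce, log.subList(1, 3), sel, 3));
    System.out.println("stale nonce:  " + verify(pub, info, sig, new byte[20], log, sel, 3));
  }
}
```

The record syntax needs Java 16 or later. On a real platform the zero-start assumption fails for any PCR that firmware or the boot loader extended without a log entry, so those PCRs will not reproduce from the log alone.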
From: <cas...@al...> - 2007-09-11 20:13:46

Thank you for your response!

If I can, I have another question: in my remote attestation the server receives the message (resultQuote,eventLog,aikcertification). I have to attest the resultQuote using event log. How can I do that? Which functions have I to use?

If you want to respond to me, I will be really grateful to you. Are there documents that explain something about this in detail?

Thanks in advance,
regards
Alessandro Fabbri

-----Original message-----
From: Martin Pirker [mailto:Mar...@ia...]
Sent: Tue 11/09/2007 11.17
To: cas...@al...
Cc: tru...@li...
Subject: Re: [Trustedjava-support] info about tpm quote

cas...@al... wrote:
> an untrusted terminal has to do a quote operation
> the message the terminal has to send is: {pcr_set,nonce} signed with private aik,
> but i don't understand how i can retrieve this message from the structures the quote operation uses

    TcTssValidation validation = TcTssStructFactory.newValidation();
    validation.setExternalData(...nonce...);
    TcIPcrComposite pcrSelection = context.createPcrCompositeObject(0);
    pcrSelection.selectPcrIndex(...yourfavouritePCR...);
    TcTssValidation quoteResult = context.getTpm().quote(aikKey, pcrSelection, validation);
    ... = quoteResult.getData(); // plain data
    ... = quoteResult.getValidationData(); // signature

HTH
--
Martin Pirker
IAIK, TU Graz

From: Martin P. <Mar...@ia...> - 2007-09-11 09:18:10

cas...@al... wrote:
> an untrusted terminal has to do a quote operation
> the message the terminal has to send is: {pcr_set,nonce} signed with private aik,
> but i don't understand how i can retrieve this message from the structures the quote operation uses

    TcTssValidation validation = TcTssStructFactory.newValidation();
    validation.setExternalData(...nonce...);
    TcIPcrComposite pcrSelection = context.createPcrCompositeObject(0);
    pcrSelection.selectPcrIndex(...yourfavouritePCR...);
    TcTssValidation quoteResult = context.getTpm().quote(aikKey, pcrSelection, validation);
    ... = quoteResult.getData(); // plain data
    ... = quoteResult.getValidationData(); // signature

HTH
--
Martin Pirker
IAIK, TU Graz

From: <cas...@al...> - 2007-09-10 16:21:42

Hi all!

I have to implement a mechanism of remote attestation, where an untrusted terminal has to do a quote operation to send a set of PCR values to a server that decides if the terminal is trusted or not.

The message the terminal has to send is: {pcr_set,nonce} signed with private AIK, but I don't understand how I can retrieve this message from the structures the quote operation uses. Is this message in the tssvalidation or in the pcrcomposite object?

Please can you explain to me how I can retrieve this information from the quote operation? What is the TSS validation structure? I have looked in the TSS specification but I don't understand what it is.

Please help me if you want, or tell me where I can find more information about it.

Thanks in advance!
Regards,
Alessandro Fabbri

From: Martin P. <Mar...@ia...> - 2007-09-03 14:06:28

Hi...

patrizia cellesi wrote:
> i have a problem: i have done an interation between a client and a privacy CA
> using your example in the JTSS package. The only difference is that the client
> and the PCA are not in the same project, but i've realized the PCA as a servlet
> to simulate a real communication. the client and the Pca use the TSS stack. i
> have create a context in the client and in the pca, but when i do the
> context.connect() in the pca it gives me the follow error (i use the tpm emulator):
> 13:03:27:284 [WARN] TcTddlLinux::open (-1): Unable to open TPM device file /dev/tpm.
> Reason: /dev/tpm (Device or resource busy)

The TPM chip (/dev/tpm) can only be accessed by one TSS at a time. The TSS design calls for one system-wide TSS running, multiplexing application accesses.

If you want to simulate a PrivacyCA setup with both client and server on the same machine, this is doable. The client gets to run the TSS and access the TPM. The server side of a PrivacyCA does not need a TPM, only some crypto helper routines from the TSS top level.

Take a closer look at PrivacyCA.java from JTpmTools, lines 117-

    // context for crypto operations in verify
    // NOTE: IAIK jTSS context does not need to be connected to a TPM
    context_ = new TcTssLocalCallFactory().newContextObject();

A context is created to get access to some helper functions, but never connected on the server side, thus no TPM is needed. This trick works only on jTSS.

HTH
--
Martin Pirker
IAIK, TU Graz

From: <ron...@ia...> - 2007-09-03 09:41:26

IAIK announces the release of IAIK/OpenTC Java TSS 0.2 and Java TPM Tools 0.3a, which are available for download from http://trustedjava.sf.net

== jTSS 0.2 Changes ==
* Persistent Storage (PS) support
* Time stamping
* Bug fixes

Please note:
0. See the jUnit tests for usage examples.
1. Time Stamping is only supported by 1.2 TPMs.
2. PS needs to be configured in the .ini files (see documentation).
3. The SRK must be stored in the system PS. This happens automatically upon taking ownership. If you do not want to re-take ownership, running the jUnit tests will also extract and store the SRK.

== jTpmTools 0.3a ==
* Bug fixes
* Activate persistent storage commands if using jTSS

Have fun,
Ronald
--
Ronald Toegl
IAIK, TU Graz

From: patrizia c. <pat...@in...> - 2007-09-02 14:18:30

Hi all!

I have a problem: I have done an interaction between a client and a privacy CA using your example in the JTSS package. The only difference is that the client and the PCA are not in the same project, but I've realized the PCA as a servlet to simulate a real communication. The client and the PCA use the TSS stack. I have created a context in the client and in the PCA, but when I do the context.connect() in the PCA it gives me the following error (I use the TPM emulator):

    13:03:27:284 [WARN] TcTddlLinux::open (-1): Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
    13:03:27:286 [ERROR] TcTcsi::<clinit> (-1): TCS startup failed.
    13:03:27:286 [ERROR] TcTcsi::<clinit> (-1):
    TSS Error:
    error layer: 0x1000 (TDDL)
    error code (without layer): 0x87
    error code (full): 0x1087
    error message: The request could not be performed because of an IO device error.
    additional info: Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
    iaik.tc.tss.api.exceptions.tcs.TcTddlException:
    TSS Error:
    error layer: 0x1000 (TDDL)
    error code (without layer): 0x87
    error code (full): 0x1087
    error message: The request could not be performed because of an IO device error.
    additional info: Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
        at iaik.tc.tss.impl.java.tddl.TcTddlLinux.open(Unknown Source)
        at iaik.tc.tss.impl.java.tddl.TcTddl.getInstance(Unknown Source)
        at iaik.tc.tss.impl.java.tcs.TcTcsCommon.isOrdinalSupported(Unknown Source)
        at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.<clinit>(Unknown Source)
        at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiOpenContext(Unknown Source)
        at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspContextOpen_Internal(TcTspInternal.java:378)
        at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
        at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
        at MiaCa.doPost(MiaCa.java:101)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:368)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
        at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:619)
    13:03:30:554 [ERROR] TcTddlVista::<clinit> (-1): Unable to load native Vista DLL (neither from library path nor from jar file).

What can I do? I understand that if the client uses the TPM emulator, the PCA doesn't use it. Or not? Can you suggest any solution to me?

Thanks
patrizia cellesi

From: rinberg\@libero\.it <ri...@li...> - 2007-08-28 08:49:28

> It cannot be done.
> In asymmetric cryptography in general you can only ENcrypt with the
> public key and only DEcrypt with the private key. That's what it is all
> about.

Hi Ronald, thank you for the detailed answer.

What I have to do is sign a hash on the local system with the key I created. The hash is the IMA measures list digest (but as far as I have a TPM Emulator, I'm computing the digest myself, I'm not getting the one from the PCR register). All I have to do is check that the signature of the IMA list digest on the remote system is valid.

How could I sign (with private key) a byte array and verify the signature on the remote host with its public one? Isn't this the basic HMAC message authentication scheme?

Just to clarify... My target is to sign this list digest locally and verify the signature on a remote host that knows the public key (with a certificate maybe in future) of the local system. What I have right now is a key successfully loaded locally in the TPM, how could I do it?

Thank you in advance, any help would be appreciated.

Best Regards,
Rinaldo Bergamini

From: <ron...@ia...> - 2007-08-28 08:08:31

Hi Rinaldo,

ri...@li... wrote:
> I have to send to a remote peer the public part of a key created locally.
> And then I'm sending th byte array via a socket to the remote peer together
> with the encrypted data. Then I should decrypt the data when I have
> received it on the remote peer, how could I do it?

It cannot be done.
In asymmetric cryptography in general you can only ENcrypt with the public key and only DEcrypt with the private key. That's what it is all about.

In case you want to do something else, here is a piece of code that creates a standard Java public key from a modulus in a TcBlobData object as a start. (Note that the exponent of public TPM RSA keys is a constant.)

Regards,
Ronald

    import java.math.BigInteger;
    import java.security.KeyFactory;
    import java.security.NoSuchAlgorithmException;
    import java.security.interfaces.RSAPublicKey;
    import java.security.spec.InvalidKeySpecException;
    import java.security.spec.RSAPublicKeySpec;

    protected RSAPublicKey convertEkModulusToJavaPublicKey(TcBlobData pubEkBlob) {
      // BigInteger requires a leading sign-byte
      pubEkBlob.prepend(TcTssStructFactory.newBlobData().initBYTE(((byte) 0)));
      RSAPublicKeySpec pubEkSpec = new RSAPublicKeySpec(
          new BigInteger(pubEkBlob.asByteArray()), new BigInteger("65537"));
      try {
        RSAPublicKey pubEk = (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(pubEkSpec);
        byte[] finger = (new iaik.security.rsa.RSAPublicKey(pubEk)).getFingerprint();
        // byteArrayToHexString is a helper of the poster's that is not shown in the message
        System.out.println("key fingerprint: " + byteArrayToHexString(finger));
        return pubEk;
      } catch (InvalidKeySpecException e) {
        e.printStackTrace();
      } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
      }
      System.exit(1);
      return null; // not reached; needed for the method to compile
    }

From: <Hon...@cs...> - 2007-08-28 03:12:38

Hi all,

For those that are interested, I was able to resolve the Authorization Error I was getting when calling the `aik.loadkey` method during the attestation process.

The simple fix was to use SHA-1 SRK passwords instead of plain text as SRK password. Specifically, something like this:

    srkUsagePolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_SHA1, srkPassBlob);

where `srkPassBlob` contains a SHA-1 of the SRK password string. For me, I am getting this string via console, then turned into a JRE's String object.

Still haven't completed the entire attestation process, but just letting you guys know how to solve similar problems.

I am using jTSS 0.1 on TPM Emulator 0.5, Sun's Java 6 on Ubuntu 7 (x86).

Thanks to Ronald and Martin for the help.

Hon Hwang.

From: rinberg@libero.it <ri...@li...> - 2007-08-27 17:11:20
|
Hi.
I have to send to a remote peer the public part of a key created locally. I managed to extract the byte array with the following code:

```java
import java.io.FileOutputStream;
import java.io.IOException;

byte[] p_k = key.getPubKey().asByteArray();
try {
    System.out.println("PubAIK size: " + p_k.length);
    FileOutputStream file_pk = new FileOutputStream("aik_pubkey");
    file_pk.write(p_k, 0, p_k.length);
    file_pk.flush();
    file_pk.close();
} catch (IOException e) {
    // the posted snippet had no handler; report the failure
    e.printStackTrace();
}
```

And then I'm sending the byte array via a socket to the remote peer together with the encrypted data. Then I should decrypt the data when I have received it on the remote peer, how could I do it?

Any help would be appreciated. Thank you.

Best Regards,
Rinaldo Bergamini
From: Martin P. <Mar...@ia...> - 2007-08-27 15:05:16
|
fra...@in... wrote:
> Thanks for your response. I've built my own jtpmtool in the lib directory, so it didn't run. Now I use your jtpmtool build and it seems to function.

> Exception in thread "main" java.lang.NoClassDefFoundError: iaik.tc.tss.impl.csp.TcCrypto
> at java.lang.Class.initializeClass(libgcj.so.70)

Please read the PCA readme, section 2.3.1 "Java".
GCJ is not supported, use Sun Java.

HTH
--
Martin Pirker
IAIK, TU Graz
From: <fra...@in...> - 2007-08-27 14:56:59
|
Thanks for your response. I've built my own jtpmtool in the lib directory, so it didn't run. Now I use your jtpmtool build and it seems to function.

But now I've a problem with jtpmtool: I run ./jtt.sh but the output is:

```
./jtt.sh
-----------------------------------
 IAIK/OpenTC Java TPM Tools
 - - - - - - - - - -
 using IAIK Trusted Computing libs
 jTSS, TCcert and XKMS
-----------------------------------
16:45:59:072 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS Wrapper not found. Trying IAIK jTSS.
Exception in thread "main" java.lang.NoClassDefFoundError: iaik.tc.tss.impl.csp.TcCrypto
   at java.lang.Class.initializeClass(libgcj.so.70)
   at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.<clinit>(Unknown Source)
   at java.lang.Class.initializeClass(libgcj.so.70)
   at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiOpenContext(Unknown Source)
   at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspContextOpen_Internal(TcTspInternal.java:378)
   at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
   at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
   at iaik.tc.apps.jtt.common.CommonSettings.getTssFactory(CommonSettings.java:44)
   at iaik.tc.apps.JTpmTools.main(JTpmTools.java:42)
Caused by: java.lang.ClassNotFoundException: javax.crypto.spec.PSource not found in gnu.gcj.runtime.SystemClassLoader{urls=[file:/home/francesca/Desktop/download/tpm/jTpmTools_0.3/ext_libs/iaik_jtss_tcs.jar,file:/home/francesca/Desktop/download/tpm/jTpmTools_0.3/ext_libs/iaik_jtss_tsp.jar,file:/home/francesca/Desktop/download/tpm/jTpmTools_0.3/lib/iaik_jtpmtools.jar,file:/home/francesca/Desktop/download/tpm/jTpmTools_0.3/ext_libs/iaik_xkms.jar,file:/home/francesca/Desktop/download/tpm/jTpmTools_0.3/ext_libs/iaik_jce.jar,file:/home/francesca/Desktop/download/tpm/jTpmTools_0.3/ext_libs/iaik_xsect.jar,file:/home/francesca/Desktop/download/tpm/jTpmTools_0.3/ext_libs/jaxb/activation.jar,file:/home/francesca/Desktop/download/tpm/jTpmTools_0.3/ext_libs/jaxb/jaxb-api.jar,file:/home/francesca/Desktop/download/tpm/jTpmTools_0.3/ext_libs/jaxb/jaxb-impl.jar,file:/home/francesca/Desktop/download/tpm/jTpmTools_0.3/ext_libs/jaxb/jsr173_1.0_api.jar,file:/home/francesca/Desktop/download/tpm/jTpmTools_0.3/ext_libs/iaik_tccert.jar], parent=gnu.gcj.runtime.ExtensionClassLoader{urls=[], parent=null}}
   at java.net.URLClassLoader.findClass(libgcj.so.70)
   at gnu.gcj.runtime.SystemClassLoader.findClass(libgcj.so.70)
   at java.lang.ClassLoader.loadClass(libgcj.so.70)
   at java.lang.ClassLoader.loadClass(libgcj.so.70)
   at java.lang.Class.initializeClass(libgcj.so.70)
   ...8 more
```

I've just controlled that all the libraries were in ext-lib. Can you help me?

thanks
Francesca Fabbri
From: Martin P. <Mar...@ia...> - 2007-08-27 11:29:49
|
fra...@in... wrote:
> Hi, I've installed your package Privacy CA using the installation instructions.
> I suppose I've done the setup correctly, but when I run the script it gives me the following error:

> Exception in thread "main" java.lang.NoClassDefFoundError: iaik.tc.apps.jtt.common.QueryVersion
> at iaik.tc.apps.pki.server.TCServer.main(TCServer.java:144)

Please read the PCA readme, section 2.3.2 "Libraries".
The above error suggests you are missing JTpmTools.

(The PCA package basically requires all other packages. JTpmTools already implements the AIK cycle in a local version. The PCA extends the class from JTpmTools and overrides only 3 specific methods to make it a server service).

HTH
--
Martin Pirker
IAIK, TU Graz