From: <fra...@in...> - 2007-08-27 10:27:17

Hi,

I've installed your package Privacy CA using the installation instructions. I suppose I've done the setup correctly, but when I run the script it gives me the following error:

./pki-server.sh
*** ***
*** Welcome to the IAIK JCE Library ***
*** ***
*** This version of IAIK JCE is licensed for educational and research use ***
*** and evaluation only. Commercial use of this software is prohibited. ***
*** For details please see http://jce.iaik.tugraz.at/sales/licences/. ***
*** This message does not appear in the registered commercial version. ***
*** ***
Exception in thread "main" java.lang.NoClassDefFoundError: iaik.tc.apps.jtt.common.QueryVersion
        at iaik.tc.apps.pki.server.TCServer.main(TCServer.java:144)

Please help me!

Thanks,
Francesca Fabbri

From: Thomas W. <tc...@to...> - 2007-08-26 09:46:23

Hello,

> -> I'd like to sign a certificate containing the public part of the key
> with the EK of the TPM so other host that know the public part of the
> remote EK can check that the remote host is genuine.

This is against the TPM spec. The spec does not allow you to directly use the EK for signing data or doing a TPM quote. To do that you would need a TPM that violates the TPM spec.

> Is a snippet of java code that creates a certificate and signs it with the
> EK available? (this is my biggest problem, I haven't found anything within
> jTpmTools sources with a quote using EK as signing key...)

You do not find such code in the jTpmTools for the reason explained above.

hth,
--
Thomas Winkler
tc...@to...

From: Nektarios I. <ine...@gm...> - 2007-08-25 11:43:53

> 15:35:13:178 [INFO] Client::overrideCertificates (113): overriding default EK certificate used by TSS
> 15:35:13:180 [WARN] Client::overrideCertificates (121): Unable to override EK certificate. If this is a TrouSerS TSS, you can set the EK certificate in the tcsd.conf!
> iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>
> TSS Error:
> error layer: 0x00 (TPM)
> error code (without layer): 0x22
> error code (full): 0x22
> error message: An invalid handle was used.
>
> at iaik.tc.tss.impl.jni.tsp.TcBaseObject.handleRetCode(TcBaseObject.java:104)
> at iaik.tc.tss.impl.jni.tsp.TcTpm.collateIdentityRequest(TcTpm.java:1071)
> at iaik.tc.apps.jtt.aik.Client.collateIdentityReq(Client.java:99)
> at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:301)
> at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
> at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
> at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)
> 15:35:13:187 [ERROR] AikCreate::execute (305): client: CollateIdentityRequest failed

BTW.. What does "invalid handle was used" mean anyways? Does this mean that one of the parameters of CollateIdentity() method was wrong? Is there a way to narrow down the error to which parameter is causing the error?

Nektarios

From: rinberg@libero.it <ri...@li...> - 2007-08-25 09:45:10

Hi.

I'm trying to setup a scenario where every host knows the public part of EK of the others (no Privacy CA needed). I managed to create keys and quote with them but the public part of the created keys should be sent to the other hosts and they should show evidence that it's genuine.

-> I'd like to sign a certificate containing the public part of the key with the EK of the TPM so other host that know the public part of the remote EK can check that the remote host is genuine.

Is a snippet of java code that creates a certificate and signs it with the EK available? (this is my biggest problem, I haven't found anything within jTpmTools sources with a quote using EK as signing key...)

Any help would be much appreciated. Thank you.

Best Regards,
Rinaldo Bergamini

From: Martin P. <Mar...@ia...> - 2007-08-24 06:55:24

Hon...@cs... wrote:
> I also notice that this problem cannot be replicated at the developer's end; is that correct?

Yes. I tried it now on Ubuntu 5, Ubuntu 7, with TPMemu 0.5, with IFX 1.2, with Java 5 or Java 6.
The same commands as posted yesterday, it always works here.

> Could this be result of Java 1.6?

Java 6 needs the XKMS patch posted a few days ago, but this only affects networking communication and not TPM operations.

Martin

From: <Hon...@cs...> - 2007-08-24 01:24:14

Hi all,

I've been following Nektarios Ioannides' problem about the AIK creation. Specifically, authorisation error when loading the AIK Key.

A while back, I also posted with the same error, and this error still persists.

I am using jTSS 0.1 with TPM Emulator 0.5. I am using Sun's Java 1.6 on Ubuntu 7.04 (x86).

The code I used is one of the samples attestation code. The error is when a TPM client (in a remote attestation with Privacy CA), attempts to load the AIK to verify the messages from the server:

    aikKey.loadKey(srk)

I also notice that this problem cannot be replicated at the developer's end; is that correct? Could this be result of Java 1.6?

Thanks.
Hon Hwang.

From: rinberg@libero.it <ri...@li...> - 2007-08-23 15:03:59

Hi.

I can't create an aik certificate, the error is the same reported by Nektarios. This is my setup and the commands that fail. The EK cert has been created by the iaik test server today.

rinaldo@talullah:~/newiaik/jTpmTools_0.3/ext_libs$ md5sum *
0fa07ab364b2c696fdea40ba0a42ec90 iaik_jce.jar
321c846448df1eeead65f7007ea0cb76 iaik_jtss_tcs.jar
699a1d5653d3bb6d4291c260e0d33c6d iaik_jtss_tsp.jar
444a998ec535a37d6dd335254b897fbe iaik_jtss_wrapper.jar
4f933fd2bebbb3bcef2974b722337574 iaik_jtss_wrapper_swig.jar
4fc96bac6143ccac3be5850ea8653d8d iaik_tccert.jar
f1d00a83d6be8b8974678fb071d938d0 iaik_xkms.jar
f789ce61c05a8efd6c4c829f0cc607fd iaik_xsect.jar

rinaldo@talullah:~/newiaik/jTpmTools_0.3$ ./jtt.sh version
-----------------------------------
IAIK/OpenTC Java TPM Tools
- - - - - - - - - -
using IAIK Trusted Computing libs
jTSS, TCcert and XKMS
-----------------------------------
15:53:02:449 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
JTpmTools: 0.3 20070425 11:38:53
JTSS_TSP: 0.1 20070425 10:54:03
JTSS_JNI: 0.3 20070425 11:44:45
XKMS: 0.2-20070208
TCcert: 0.2.2-20070423-111432

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

rinaldo@talullah:~/newiaik/jTpmTools_0.3$ ./jtt.sh aik_create -a aik -l label -o opentc --aikfile aik.file --ekfile /home/rinaldo/ek.cert
-----------------------------------
IAIK/OpenTC Java TPM Tools
- - - - - - - - - -
using IAIK Trusted Computing libs
jTSS, TCcert and XKMS
-----------------------------------
15:35:12:704 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
*** ***
*** Welcome to the IAIK JCE Library ***
*** ***
*** This version of IAIK JCE is licensed for educational and research use ***
*** and evaluation only. Commercial use of this software is prohibited. ***
*** For details please see http://jce.iaik.tugraz.at/sales/licences/. ***
*** This message does not appear in the registered commercial version. ***
*** ***
15:35:13:178 [INFO] Client::overrideCertificates (113): overriding default EK certificate used by TSS
15:35:13:180 [WARN] Client::overrideCertificates (121): Unable to override EK certificate. If this is a TrouSerS TSS, you can set the EK certificate in the tcsd.conf!
iaik.tc.tss.api.exceptions.tcs.TcTpmException:

TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x22
error code (full): 0x22
error message: An invalid handle was used.

        at iaik.tc.tss.impl.jni.tsp.TcBaseObject.handleRetCode(TcBaseObject.java:104)
        at iaik.tc.tss.impl.jni.tsp.TcTpm.collateIdentityRequest(TcTpm.java:1071)
        at iaik.tc.apps.jtt.aik.Client.collateIdentityReq(Client.java:99)
        at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:301)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)
15:35:13:187 [ERROR] AikCreate::execute (305): client: CollateIdentityRequest failed

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

the same happens using the --noek:

rinaldo@talullah:~/newiaik/jTpmTools_0.3$ ./jtt.sh aik_create -a aik -l label -o opentc --aikfile aik.file --noek
-----------------------------------
IAIK/OpenTC Java TPM Tools
- - - - - - - - - -
using IAIK Trusted Computing libs
jTSS, TCcert and XKMS
-----------------------------------
15:41:29:056 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
*** ***
*** Welcome to the IAIK JCE Library ***
*** ***
*** This version of IAIK JCE is licensed for educational and research use ***
*** and evaluation only. Commercial use of this software is prohibited. ***
*** For details please see http://jce.iaik.tugraz.at/sales/licences/. ***
*** This message does not appear in the registered commercial version. ***
*** ***
iaik.tc.tss.api.exceptions.tcs.TcTpmException:

TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x22
error code (full): 0x22
error message: An invalid handle was used.

        at iaik.tc.tss.impl.jni.tsp.TcBaseObject.handleRetCode(TcBaseObject.java:104)
        at iaik.tc.tss.impl.jni.tsp.TcTpm.collateIdentityRequest(TcTpm.java:1071)
        at iaik.tc.apps.jtt.aik.Client.collateIdentityReq(Client.java:99)
        at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:301)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)
15:41:29:497 [ERROR] AikCreate::execute (305): client: CollateIdentityRequest failed

Any help would be appreciated.

Thank you,
Rinaldo Bergamini

From: Martin P. <Mar...@ia...> - 2007-08-23 12:36:59

Nektarios Ioannides wrote:
> None of the AIK creation sub-commands work neither with jTSS nor TrouSerS.
> Any comments?

We still cannot reproduce this, so we cannot debug it. :-/

For reference, commands as I run them:

(with TPM Emu 0.5)

root@...:/home/mpirker # tcsd -f
TCSD trousers 0.2.9.1 (with TPM 1.2 DUAL patch by IAIK <tho...@ia...>): TCSD up and running.
[...]

/testjtt/jTpmTools_0.3$ ./jtt.sh version
-----------------------------------
IAIK/OpenTC Java TPM Tools
- - - - - - - - - -
using IAIK Trusted Computing libs
jTSS, TCcert and XKMS
-----------------------------------
14:26:09:640 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
JTpmTools: 0.3 20070425 11:38:53
JTSS_TSP: 0.1 20070425 10:54:03
JTSS_JNI: 0.3 20070425 11:44:45
XKMS: 0.2-20070208
TCcert: 0.2.2-20070423-111432

/testjtt/jTpmTools_0.3$ md5sum ext_libs/*
0fa07ab364b2c696fdea40ba0a42ec90 ext_libs/iaik_jce.jar
321c846448df1eeead65f7007ea0cb76 ext_libs/iaik_jtss_tcs.jar
699a1d5653d3bb6d4291c260e0d33c6d ext_libs/iaik_jtss_tsp.jar
444a998ec535a37d6dd335254b897fbe ext_libs/iaik_jtss_wrapper.jar
4f933fd2bebbb3bcef2974b722337574 ext_libs/iaik_jtss_wrapper_swig.jar
4fc96bac6143ccac3be5850ea8653d8d ext_libs/iaik_tccert.jar
f1d00a83d6be8b8974678fb071d938d0 ext_libs/iaik_xkms.jar
f789ce61c05a8efd6c4c829f0cc607fd ext_libs/iaik_xsect.jar

/testjtt/jTpmTools_0.3$ ./jtt.sh aik_create -a whatever -l mycertlabel -o opentc --aikfile aik.file --noek
-----------------------------------
IAIK/OpenTC Java TPM Tools
- - - - - - - - - -
using IAIK Trusted Computing libs
jTSS, TCcert and XKMS
-----------------------------------
14:29:41:177 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
*** ***
*** Welcome to the IAIK JCE Library ***
*** ***
*** This version of IAIK JCE is licensed for educational and research use ***
*** and evaluation only. Commercial use of this software is prohibited. ***
*** For details please see http://jce.iaik.tugraz.at/sales/licences/. ***
*** This message does not appear in the registered commercial version. ***
*** ***
14:29:43:769 [INFO] PrivacyCa::decryptIdentityReqBlob (276): processed request from TrouSerS
14:29:43:851 [INFO] PrivacyCa::processRequest (180): included EK certificate size: 1389 bytes
14:29:43:881 [INFO] PrivacyCa::processRequest (181): SubjAltName: id:4941494B,unknownTPM,id:0100
14:29:43:890 [INFO] PrivacyCa::processRequest (188): PE: not included
14:29:43:897 [INFO] PrivacyCa::processRequest (196): CC: not included
14:29:50:635 [INFO] AikUtil::createPECertificate (176): created PE certificate on-the-fly
14:29:50:659 [INFO] AikUtil::createAIKCertificate (213): created AIK certificate on-the-fly
14:29:50:666 [INFO] PrivacyCa::processRequest (212): AIK blob size: 1448
14:29:51:059 [INFO] AikCreate::execute (330): AIK ActivateIdentity succeeded!
14:29:51:069 [INFO] AikCreate::verifyAndPrintAikLabel (171): received AIK certificate with IdLabel: 'mycertlabel'
14:29:51:070 [INFO] AikCreate::execute (339): AIK certificate written into file: aik.file
14:29:51:070 [INFO] AikCreate::execute (358): AIK TPM key structure written into file: aik.tpmkey

/testjtt/jTpmTools_0.3$ ./jtt.sh xkms_aik_create -a whatever -l mycertlabel -o opentc --aikfile aik.file --noek
-----------------------------------
IAIK/OpenTC Java TPM Tools
- - - - - - - - - -
using IAIK Trusted Computing libs
jTSS, TCcert and XKMS
-----------------------------------
14:30:35:355 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
*** ***
*** Welcome to the IAIK JCE Library ***
*** ***
*** This version of IAIK JCE is licensed for educational and research use ***
*** and evaluation only. Commercial use of this software is prohibited. ***
*** For details please see http://jce.iaik.tugraz.at/sales/licences/. ***
*** This message does not appear in the registered commercial version. ***
*** ***
*** ***
*** Welcome to the IAIK XKMS Library ***
*** ***
*** This version of XKMS is licensed for educational, research use ***
*** and evaluation only. Commercial use of this software is prohibited. ***
*** ***
*** ***
*** Welcome to the IAIK XML Security Toolkit (XSECT) ***
*** ***
*** This version of XSECT is licensed for educational and research use ***
*** and evaluation only. Commercial use of this software is prohibited. ***
*** For more details please see http://jce.iaik.at/products/. ***
*** This message does not appear in the registered commercial version. ***
*** ***
sending RegisterRequest...
...result received
Validating XKMS message signature using certificate: CN=IAIK OpenTC XKMS Test Responder,OU=IAIK trusted computing labs,O=Graz University of Technology,C=AT
WARNING: No Version of Xerces found, please check your classpath, defaulting to DOM LEVEL 3
XKMS Result message signature is VALID.
14:30:40:635 [INFO] AikCreate::execute (330): AIK ActivateIdentity succeeded!
14:30:40:646 [INFO] AikCreate::verifyAndPrintAikLabel (171): received AIK certificate with IdLabel: 'mycertlabel'
14:30:40:647 [INFO] AikCreate::execute (339): AIK certificate written into file: aik.file
14:30:40:647 [INFO] AikCreate::execute (358): AIK TPM key structure written into file: aik.tpmkey

/testjtt/jTpmTools_0.3$ sudo killall tcsd

/testjtt/jTpmTools_0.3$ ./jtt.sh aik_create -a whatever -l mycertlabel -o opentc --aikfile aik.file --ekfile ek.cert
-----------------------------------
IAIK/OpenTC Java TPM Tools
- - - - - - - - - -
using IAIK Trusted Computing libs
jTSS, TCcert and XKMS
-----------------------------------
14:31:35:638 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS Wrapper not found. Trying IAIK jTSS.
14:31:35:759 [INFO] TcTcsi::<clinit> (-1): Unable to open TCS configuration file for system persistent storage information. Disabling system persistent storage.
14:31:35:789 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found. Using local bindings...
*** ***
*** Welcome to the IAIK JCE Library ***
*** ***
*** This version of IAIK JCE is licensed for educational and research use ***
*** and evaluation only. Commercial use of this software is prohibited. ***
*** For details please see http://jce.iaik.tugraz.at/sales/licences/. ***
*** This message does not appear in the registered commercial version. ***
*** ***
14:31:36:596 [INFO] Client::overrideCertificates (113): overriding default EK certificate used by TSS
14:31:39:072 [INFO] PrivacyCa::processRequest (180): included EK certificate size: 1390 bytes
14:31:39:101 [INFO] PrivacyCa::processRequest (181): SubjAltName: id:4941494B,unknownTPM,id:0100
14:31:39:102 [INFO] PrivacyCa::processRequest (188): PE: not included
14:31:39:102 [INFO] PrivacyCa::processRequest (196): CC: not included
14:31:39:468 [INFO] AikUtil::createPECertificate (176): created PE certificate on-the-fly
14:31:39:492 [INFO] AikUtil::createAIKCertificate (213): created AIK certificate on-the-fly
14:31:39:501 [INFO] PrivacyCa::processRequest (212): AIK blob size: 1448
14:31:39:922 [INFO] AikCreate::execute (330): AIK ActivateIdentity succeeded!
14:31:39:927 [INFO] AikCreate::verifyAndPrintAikLabel (171): received AIK certificate with IdLabel: 'mycertlabel'
14:31:39:927 [INFO] AikCreate::execute (339): AIK certificate written into file: aik.file
14:31:39:927 [INFO] AikCreate::execute (358): AIK TPM key structure written into file: aik.tpmkey

/testjtt/jTpmTools_0.3$ ./jtt.sh xkms_aik_create -a whatever -l mycertlabel -o opentc --aikfile aik.file --ekfile ek.cert
-----------------------------------
IAIK/OpenTC Java TPM Tools
- - - - - - - - - -
using IAIK Trusted Computing libs
jTSS, TCcert and XKMS
-----------------------------------
14:31:58:190 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS Wrapper not found. Trying IAIK jTSS.
14:31:58:311 [INFO] TcTcsi::<clinit> (-1): Unable to open TCS configuration file for system persistent storage information. Disabling system persistent storage.
14:31:58:341 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found. Using local bindings...
*** ***
*** Welcome to the IAIK JCE Library ***
*** ***
*** This version of IAIK JCE is licensed for educational and research use ***
*** and evaluation only. Commercial use of this software is prohibited. ***
*** For details please see http://jce.iaik.tugraz.at/sales/licences/. ***
*** This message does not appear in the registered commercial version. ***
*** ***
*** ***
*** Welcome to the IAIK XKMS Library ***
*** ***
*** This version of XKMS is licensed for educational, research use ***
*** and evaluation only. Commercial use of this software is prohibited. ***
*** ***
*** ***
*** Welcome to the IAIK XML Security Toolkit (XSECT) ***
*** ***
*** This version of XSECT is licensed for educational and research use ***
*** and evaluation only. Commercial use of this software is prohibited. ***
*** For more details please see http://jce.iaik.at/products/. ***
*** This message does not appear in the registered commercial version. ***
*** ***
14:32:00:733 [INFO] Client::overrideCertificates (113): overriding default EK certificate used by TSS
sending RegisterRequest...
...result received
Validating XKMS message signature using certificate: CN=IAIK OpenTC XKMS Test Responder,OU=IAIK trusted computing labs,O=Graz University of Technology,C=AT
WARNING: No Version of Xerces found, please check your classpath, defaulting to DOM LEVEL 3
XKMS Result message signature is VALID.
14:32:03:115 [INFO] AikCreate::execute (330): AIK ActivateIdentity succeeded!
14:32:03:136 [INFO] AikCreate::verifyAndPrintAikLabel (171): received AIK certificate with IdLabel: 'mycertlabel'
14:32:03:136 [INFO] AikCreate::execute (339): AIK certificate written into file: aik.file
14:32:03:137 [INFO] AikCreate::execute (358): AIK TPM key structure written into file: aik.tpmkey

From: <ron...@ia...> - 2007-08-23 12:32:55

Hello, Nektarios,

Nektarios Ioannides wrote:
> I am running the following code:

I just tested your code on jTSS. Here it runs perfectly. I cannot reproduce your problem.

There is a difference though: What is this tpmDevice object of yours?

Also make sure that the TcRsaKey object with the SRK has a properly configured usage policy object assigned to it. Take especially care that the SRK secret is identical to the one given at taking ownership.

> Is this a jTSS limitation?

No.

> Nektarios

Regards,
Ronald

--
Ronald Toegl
IAIK, TU Graz

From: Nektarios I. <ine...@gm...> - 2007-08-23 12:00:03

Hi,

I am running the following code:

    // create new signing key container
    TcIRsaKey aikKey = tpmDevice.context.createRsaKeyObject( //
            TcTssConstants.TSS_KEY_SIZE_2048 | //
            TcTssConstants.TSS_KEY_TYPE_SIGNING | //
            TcTssConstants.TSS_KEY_NOT_MIGRATABLE);

    // create a key usage policy for this key
    TcIPolicy keyUsgPolicy = tpmDevice.context.createPolicyObject(
            TcTssConstants.TSS_POLICY_USAGE);
    keyUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN,
            TcBlobData.newString("theAIKsecret"));
    keyUsgPolicy.assignToObject(aikKey);

    // create a key migration policy for this key
    TcIPolicy keyMigPolicy = tpmDevice.context.createPolicyObject(
            TcTssConstants.TSS_POLICY_MIGRATION);
    keyMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN,
            TcBlobData.newString("theAIKsecret"));
    keyMigPolicy.assignToObject(aikKey);

    aikKey.createKey(tpmDevice.srk, null);
    aikKey.loadKey(tpmDevice.srk);

which completes without any error using TrouSerS and jTSSWrapper but running it under jTSS causes this error:

========================================================================================
iaik.tc.tss.api.exceptions.tsp.TcTspException:

TSS Error:
error layer: 0x3000 (TSP)
error code (without layer): 0x0113
error code (full): 0x3113
error message: Authorization failed.

        at iaik.tc.tss.impl.java.tsp.internal.TcTspCommon.validateRespAuth(TcTspCommon.java:142)
        at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKeyByBlob_Internal(TcTspInternal.java:105)
        at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:494)
        at com.test.AttestationProcedure.clientCreateSigningKey(AttestationProcedure.java:828)
        at com.test.AttestationProcedure.step_1(AttestationProcedure.java:241)
        at com.test.AttestationProcedure.access$100(AttestationProcedure.java:58)
        at com.test.AttestationProcedure$1.run(AttestationProcedure.java:442)
========================================================================================

Is this a jTSS limitation?

Btw.. this looks like the same exact error I get when I run "xkms_aik_create" or "aik_create" with jTSS. Any ideas on what can be similar in the two cases and thus causing the error?

Nektarios

From: Nektarios I. <ine...@gm...> - 2007-08-23 11:52:08

Hello again,

So the situation so far is as follows:

Becoming desperate I resorted to extreme measures like reverting back to Java 1.5 JDK, updating my Linux kernel to 2.6.22.2-42, re-installed everything (from emulator to TrouSerS etc etc) from scratch....

In the mean time, back to the TC scene...

* I have managed to create and validate correctly an "ek.cert" file and I am using that with my AIK creation "attempts". (Many thanks to Martin ;-) )

* None of the AIK creation sub-commands work neither with jTSS nor TrouSerS. However I do get different errors in each case:

==========
jTSS case
==========

xkms_aik_create -a theAIKsecret -l aikLabel -o theBIGsecret --ekfile /root/workspace/certificates/ek.cert

gives

12:34:24:847 [INFO] Client::overrideCertificates (123): overriding default EK certificate used by TSS
sending RegisterRequest...
...result received
Validating XKMS message signature using certificate: CN=IAIK OpenTC XKMS Test Responder,OU=IAIK trusted computing labs,O=Graz University of Technology,C=AT
XKMS Result message signature is VALID.
iaik.tc.tss.api.exceptions.tsp.TcTspException:

TSS Error:
error layer: 0x3000 (TSP)
error code (without layer): 0x0113
error code (full): 0x3113
error message: Authorization failed.

        at iaik.tc.tss.impl.java.tsp.internal.TcTspCommon.validateRespAuth(TcTspCommon.java:144)
12:34:26:883 [ERROR] AikCreate::execute (360): client: ActivateIdentity failed
        at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKeyByBlob_Internal(TcTspInternal.java:105)
        at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:494)
        at iaik.tc.apps.jtt.aik.Client.activateIdentity(Client.java:171)
        at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:356)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:80)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:52)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:113)
        at com.test.CommandTool.main(CommandTool.java:31)

I have also printed the two hashes that don't match in validateRespAuth():

outAuthValues hash: 06 9b 61 c5 21 2a ac 5a 02 fd 1f 11 1d f6 5e 04 0b 97 da 60
resAuthDataExpected hash: b6 99 29 09 ad 9f 82 1c 6c b7 d7 7f 2b 00 5b 9e fd 88 82 93

Does anyone know what these two are? Where do they derive from?

==============
TrouSerS case
==============

xkms_aik_create -a theAIKsecret -l aikLabel -o theBIGsecret --noek

(I have specified the "ek.cert" file in tcsd.conf of TrouSerS so I am using the --noek option here.)

this gives:

iaik.tc.tss.api.exceptions.tcs.TcTpmException:

TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x22
error code (full): 0x22
error message: An invalid handle was used.

        at iaik.tc.tss.impl.jni.tsp.TcBaseObject.handleRetCode(TcBaseObject.java:104)
        at iaik.tc.tss.impl.jni.tsp.TcTpm.collateIdentityRequest(TcTpm.java:1071)
        at iaik.tc.apps.jtt.aik.Client.collateIdentityReq(Client.java:110)
        at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:335)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:80)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:52)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:113)
        at com.test.CommandTool.main(CommandTool.java:31)
12:50:20:862 [ERROR] AikCreate::execute (339): client: CollateIdentityRequest failed

Any comments?

Regards,
Nektarios

From: Martin P. <Mar...@ia...> - 2007-08-21 07:04:30

Nektarios Ioannides wrote:
> 11:38:54:485 [WARN] PrivacyCa::<clinit> (86): could not load CLIENT
> PrivacyCA default certificate (ok on server)

> I am guessing this is an issue with my certificate file. I have created this
> using the examples of TcCerts (with TcCerts) but I'm not sure if this is correct.

The .jar of JTpmTools contains 2 certificates:
a) PrivacyCA certificate
b) XKMS responder certificate

Both are expected to be used with our testserver, either you extract them from the .jar or download them from http://opentc.iaik.tugraz.at/index.php?item=certs

a) contains the public key to encrypt the AIK request blob with, for the AIK cycle with the PrivacyCA, as specified by TCG (remember: the answer from the PCA is encrypted with the EK public, the EK cert is contained in the encrypted request)

b) is used to verify the server answer on a protocol level, every XKMS response is signed

a) is obviously needed if you talk to our server
b) is not strictly needed, you just get a warning if it is not available

HTH
--
Martin Pirker
IAIK, TU Graz

From: Martin P. <Mar...@ia...> - 2007-08-21 06:46:20

Nektarios Ioannides wrote:
> WARNING: No Version of Xerces found, please check your classpath, defaulting to DOM LEVEL 3
> signing failed: Cannot find algorithm 'http://www.w3.org/2001/10/xml-exc-c14n#' for mechanism type 'DOM'.

The warning is displayed by Xsect 1.11, Xsect 1.10 does not print a warning.

The underlying issue is that Java 6 contains new (partial) XMLDSIG support which was not included in Java 5. Xsect offers full XMLDSIG+XMLENC and when using Java 6 you have to be careful with mixing both implementations/providers. The next build of Xsect should be more robust in interaction with Java 6 provided parts, in the meantime one has to be a little careful during initialisation.

Please replace your IAIK.class in your iaik_xkms.jar with attached version. The Xerces warning persists (because Sun's bundled version of Xerces AFAIR does not contain a version), but the signing works as expected.

HTH
--
Martin Pirker
IAIK, TU Graz

From: Martin P. <Mar...@ia...> - 2007-08-20 11:44:50

Nektarios Ioannides wrote:
> ./jtt.sh xkms_ekcert_create -o theBIGsecret --ekfile ek.cert --auth iloveiaik

password yanked

On the positive side, upgraded server to pca 0.1 release version (and cleared certstore)

> WARNING: No Version of Xerces found, please check your classpath, defaulting to DOM LEVEL 3

Sun Java 5 and newer includes Xerces for XML handling, there is no need to specify an external version.
(Note, however, that IAIK XKMS 0.2 currently only supports Java 5, see documentation)

--
Martin Pirker
IAIK, TU Graz

From: Nektarios I. <ine...@gm...> - 2007-08-20 11:23:19

Hello,

>Yes, the SRK secret is currently hardwired in JTT to TSS_WELL_KNOWN_SECRET,
>this should be a command line option. However, if the SRK secret is wrong the
>error would come from the TPM layer during CollateIdentity (because loading
>of the key fails)

Yes this is true. In fact, in some attempts I specified my own SRK secret and intentionally gave it wrong to jtt during "aik_create" and CollateIdentity complained before ActivateIdentity as expected.

>> What exactly is the purpose of validateRespAuth() ? What are the
>> 2 hashes that is comparing? hashes of the SRK?
>
>These are two different things, the secret used for the key itself and
>the hashing used for securing the communication with the TPM.

Hm.. from what I understand, validateRespAuth() compares two hash values in the end. I have been printing the Hex strings of these two out and I can see the two hashes do not match, hence the exception given. So what values affect the outcome of these two hashes? Can you give me more details on how the validateRespAuth works? (i.e. what affects the two compared values outAuthValues and resAuthDataExpected etc...). If I'm not mistaken, resAuthDataExpected is the re-calculated hash and outAuthValues is what is collected from the TPM ???

>It is the duty of both communication endpoints, TPM and TSS to check
> whether the exchange has been tampered with. If you just override
> the check in the TSS, well, of course it always works.

>Exactly.
>One way to debug this problem is to add debug statements to the
>TcTspInternal.TspLoadKeyByBlob_Internal method. You could do hexdumps of the
>data being sent to the TPM and received from the TPM and compare this data to
>the TPM spec.

OK I will try that as well.

>There is still no hint why it fails for you.
>TPMemu 0.5 + JTss 0.3, ok.
>Java version?
>32bit or 64bit Linux?
>Which Linux? GCC version? ...
>Maybe we can spot a difference...

My configuration is this:

* Tpm-emulator 0.5
* jTSS_0.1
* Java version:
  java version "1.6.0"
  Java(TM) SE Runtime Environment (build 1.6.0-b105)
  Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode, sharing)
* 32-bit Fedora Core 6 Linux, Kernel 2.6.18-1.2798.fc6.i586
* GCC version: 4.1.2-13

If there are any other relevant info let me know and I will look it up.

From: Nektarios I. <ine...@gm...> - 2007-08-20 11:13:34
|
Hello,

When I try to run the command

./jtt.sh xkms_ekcert_create -o theBIGsecret --ekfile ek.cert --auth xxxxxx

I get

----------------------------------------------------------------------
11:49:34:385 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
*** *** *** *** Public EK extracted (MD5:b7c12929370ef4bce4585cea772be146) *** *** *** ***
sending RegisterRequest...
WARNING: No Version of Xerces found, please check your classpath, defaulting to DOM LEVEL 3
11:49:38:059 [ERROR] XEkCreate::execute (141): iaik.xkms.XKMSException: signing failed: Cannot find algorithm ' http://www.w3.org/2001/10/xml-exc-c14n#' for mechanism type 'DOM'.
----------------------------------------------------------------------

I was facing the same problem with XKMS's testsuite script "runtest.rb" but adding the path to my "xerces.jar" file to the script's "classpath" variable fixed the problem.

How can I do the same for jtt (so that its XKMS-type commands can find my "xerces.jar")?
(I tried to add the xerces path to my $PATH variable for my terminal sessions but this did not help)

Regards,
Nektarios |
From: Nektarios I. <ine...@gm...> - 2007-08-20 10:42:04
|
Hello,

>JTpmTools simulates a full AIK cycle, not only keys but also with certificates.
>case a) JTSS contains EK cert handling
>case b) JTssWrapper does not (because TrouSerS does not)

Yes. I've seen a note on this somewhere in the code :-)

>a) works because JTpmTools looks for an EK cert on-chip and
>if you don't have one builds a fake one on-the-fly.
>
>b) does not work because JTpmTools does not know which stack version is
>running (remember, the top level API is the same). JTT tries to fetch
>the certificate from the chip, but this method only exists in a native
>version (=JTSS code), but running both obviously conflicts with usage of /dev/tpm.

Yes. This is what I concluded as well... albeit after hours of going through the code...lol

>So the solution for the JTssWrapper case is to tell JTT to have faith
>that the stack already has an EK cert loaded, or as the command-line docu says:
>
> --noek ... EK certificate is already known by TSS (e.g. via tcsd.conf
> of TrouSerS)

I have tried to specify an "ek.cert" file either through the jtt "--ekfile" option or through tcsd.conf (and choosing --noek for jtt) but both give this error:

----------------------------------------------------------------------
11:38:54:485 [WARN] PrivacyCa::<clinit> (86): could not load CLIENT PrivacyCA default certificate (ok on server)
iaik.tc.tss.api.exceptions.tcs.TcTpmException:
TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x22
error code (full): 0x22
error message: An invalid handle was used.
at iaik.tc.tss.impl.jni.tsp.TcBaseObject.handleRetCode( TcBaseObject.java:104)
11:38:54:681 [ERROR] AikCreate::execute (345): client: CollateIdentityRequest failed
at iaik.tc.tss.impl.jni.tsp.TcTpm.collateIdentityRequest(TcTpm.java :1071)
at iaik.tc.apps.jtt.aik.Client.collateIdentityReq(Client.java:110)
at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:341)
at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:80)
at iaik.tc.utils.cmdline.SubCommandParser.parse( SubCommandParser.java:52)
at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)
at com.test.CommandTool.main(CommandTool.java:27)
----------------------------------------------------------------------

I am guessing this is an issue with my certificate file. I have created this using the examples of TcCerts (with TcCerts) but I'm not sure if this is correct.

Many thanks,
Nektarios |
From: Thomas W. <tc...@to...> - 2007-08-20 09:17:50
|
Hello,

> Yes, the SRK secret is currently hardwired in JTT to TSS_WELL_KNOWN_SECRET,
> this should be a command line option. However, if the SRK secret is wrong
> the error would come from the TPM layer during CollateIdentity (because
> loading of the key fails)

Well - hardwired is probably not the right word. The default is TSS_WELL_KNOWN_SECRET but you can override it using the "-s" command line parameter.

> These are two different things, the secret used for the key itself and
> the hashing used for securing the communication with the TPM.

Correct. However, there are some pitfalls behind the scenes. In TPM emulator there are some issues with the LoadKey2 function. jTSS therefore detects the emulator and falls back to the LoadKey function. This has been tested and is known to work.

> It is the duty of both communication endpoints, TPM and TSS to check
> whether the exchange has been tampered with. If you just override
> the check in the TSS, well, of course it always works.

Exactly.
One way to debug this problem is to add debug statements to the TcTspInternal.TspLoadKeyByBlob_Internal method. You could do hexdumps of the data being sent to the TPM and received from the TPM and compare this data to the TPM spec.

> There is still no hint why it fails for you.
> TPMemu 0.5 + JTss 0.3, ok.
> Java version?
> 32bit or 64bit Linux?
> Which Linux? GCC version? ...
> Maybe we can spot a difference...

Yes, a full list describing your setup would be helpful.

Regards,
--
Thomas Winkler
e-mail: tc...@to... |
From: Martin P. <Mar...@ia...> - 2007-08-20 08:33:21
|
Nektarios Ioannides wrote:
> As I mentioned in previous posts, I am using the TSS_WELL_KNOWN_SECRET for
> my SRK
> so there is no reason for my SRK being the problem. (I have even tried
> altering various options
> in the source code where the SRK object is created but with no luck)

Yes, the SRK secret is currently hardwired in JTT to TSS_WELL_KNOWN_SECRET, this should be a command line option. However, if the SRK secret is wrong the error would come from the TPM layer during CollateIdentity (because loading of the key fails)

> The above raise a number of questions:
>
> Why are the LoadKey() and ActivateIdentity() key successful in the TPM
> emulator if
> I skip the TSS validation? Is this expected?
>
> What exactly is the purpose of validateRespAuth() ? What are the
> 2 hashes that is comparing? hashes of the SRK?

These are two different things, the secret used for the key itself and the hashing used for securing the communication with the TPM.
It is the duty of both communication endpoints, TPM and TSS to check whether the exchange has been tampered with. If you just override the check in the TSS, well, of course it always works.

There is still no hint why it fails for you.
TPMemu 0.5 + JTss 0.3, ok.
Java version?
32bit or 64bit Linux?
Which Linux? GCC version? ...
Maybe we can spot a difference...

HTH
--
Martin Pirker
IAIK, TU Graz |
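The response check discussed in this thread, as an added example that is not part of any post and not jTSS code: a Python sketch of the TPM 1.2 response authorization HMAC that a TSS recomputes (resAuthDataExpected in the thread) and compares with the value the TPM returned (outAuthValues). The field layout follows the TPM 1.2 authorization protocol and is an assumption about what validateRespAuth() implements; the nonces and key handle are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constants from the TPM 1.2 / TSS specifications.
TSS_WELL_KNOWN_SECRET = bytes(20)   # 20 zero bytes
TPM_SUCCESS = 0x00000000
TPM_ORD_LOADKEY = 0x00000014
TPM_ORD_LOADKEY2 = 0x00000041


def out_param_digest(return_code, ordinal, out_params):
    """SHA-1 over returnCode || ordinal || hashed outgoing parameters."""
    header = struct.pack(">II", return_code, ordinal)  # big-endian UINT32s
    return hashlib.sha1(header + out_params).digest()


def compute_res_auth(secret, return_code, ordinal, out_params,
                     nonce_even, nonce_odd, continue_session):
    """HMAC-SHA1 keyed with the entity's auth secret (here: the SRK secret).

    Both endpoints compute this value independently; it binds the response
    parameters to the session nonces so that a modified or replayed
    response is detected.
    """
    flag = b"\x01" if continue_session else b"\x00"
    message = (out_param_digest(return_code, ordinal, out_params)
               + nonce_even + nonce_odd + flag)
    return hmac.new(secret, message, hashlib.sha1).digest()


def validate_resp_auth(res_auth_from_tpm, **tss_view):
    """Return True only if the TSS's recomputed HMAC equals the TPM's."""
    expected = compute_res_auth(**tss_view)
    return hmac.compare_digest(expected, res_auth_from_tpm)


def run_scenarios():
    """Compare one TPM response against several TSS-side views of it."""
    # Constructed sample response, not captured from a real TPM or emulator.
    tpm_view = dict(
        secret=TSS_WELL_KNOWN_SECRET,
        return_code=TPM_SUCCESS,
        ordinal=TPM_ORD_LOADKEY,
        out_params=struct.pack(">I", 0x01000002),  # returned key handle
        nonce_even=bytes(range(0x10, 0x24)),       # 20 bytes, from the TPM
        nonce_odd=bytes(range(0x40, 0x54)),        # 20 bytes, from the TSS
        continue_session=False,
    )
    res_auth = compute_res_auth(**tpm_view)        # what the TPM sends back

    def tss_check(**override):
        return validate_resp_auth(res_auth, **{**tpm_view, **override})

    return {
        "identical inputs": tss_check(),
        "response parameter altered in transit":
            tss_check(out_params=struct.pack(">I", 0x01000003)),
        "TSS holds a different secret":
            tss_check(secret=hashlib.sha1(b"some other secret").digest()),
        "TSS hashes a different ordinal":
            tss_check(ordinal=TPM_ORD_LOADKEY2),
        "TSS uses a stale nonceEven":
            tss_check(nonce_even=bytes(20)),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:40s} -> {'accepted' if ok else 'TSS_E_TSP_AUTHFAIL'}")
```

The TPM has already executed the command by the time this check runs, so its log can show success while the TSS side rejects the response; removing the comparison only hides the disagreement between the two endpoints.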
From: Martin P. <Mar...@ia...> - 2007-08-20 07:59:48
|
Nektarios Ioannides wrote:
> The only explanation I can give is that jTPMTools is trying to use jTSS with
> "aik_create" when it SHOULD have been using TrouSerS and jTSSWrapper...

While in the shower I thought about it again.... ;-)

JTpmTools simulates a full AIK cycle, not only keys but also with certificates.
case a) JTSS contains EK cert handling
case b) JTssWrapper does not (because TrouSerS does not)

a) works because JTpmTools looks for an EK cert on-chip and if you don't have one builds a fake one on-the-fly.

b) does not work because JTpmTools does not know which stack version is running (remember, the top level API is the same). JTT tries to fetch the certificate from the chip, but this method only exists in a native version (=JTSS code), but running both obviously conflicts with usage of /dev/tpm.

So the solution for the JTssWrapper case is to tell JTT to have faith that the stack already has an EK cert loaded, or as the command-line docu says:

--noek ... EK certificate is already known by TSS (e.g. via tcsd.conf of TrouSerS)

I still cannot reproduce your validation problem...

HTH
--
Martin Pirker
IAIK, TU Graz |
From: Nektarios I. <ine...@gm...> - 2007-08-20 00:17:15
|
Hello,

I am going to try to keep this as short as possible!

This regards the problem I encountered with using the "aik_create" subcommand of jTpmTools. The following is the error message I receive from jTpmTools:

----------------------------------------------------------------------
03:58:28:774 [INFO] PrivacyCa::processRequest (212): AIK blob size: 1390
iaik.tc.tss.api.exceptions.tsp.TcTspException:
TSS Error:
error layer: 0x3000 (TSP)
error code (without layer): 0x0113
error code (full): 0x3113
error message: Authorization failed.
at iaik.tc.tss.impl.java.tsp.internal.TcTspCommon.validateRespAuth(Unknown Source)
at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKeyByBlob_Internal( TcTspInternal.java:105)
at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(Unknown Source)
at iaik.tc.apps.jtt.aik.Client.activateIdentity(Client.java:153)
at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:322)
....
----------------------------------------------------------------------

The line that causes this error is this:

aikKey_.loadKey(srk);

It is found in the activateIdentity() method of "Client.java".

I am using Mario Strasser's tpm_emulator_0.5. Upon inspecting the emulator's output I discovered that despite the TSS error the AIK key does in fact get successfully loaded into the TPM:

----------------------------------------------------------------------
../tpm/tpm_storage.c:518: Info: TPM_LoadKey()
../tpm/tpm_cmd_handler.c:4125: Info: TPM command succeeded
----------------------------------------------------------------------

Long story short, I discovered that
aikKey_.loadKey(srk); [in Client.java]
causes a call to
TspLoadKeyByBlob_Internal(..) [in TcTspInternal.java]
which in turn calls
validateRespAuth() [in TcTspCommon.java]

This is where the error lies. For some reason, the validation check by the last method fails.

As I mentioned in previous posts, I am using the TSS_WELL_KNOWN_SECRET for my SRK so there is no reason for my SRK being the problem. (I have even tried altering various options in the source code where the SRK object is created but with no luck)

After commenting the following in validateRespAuth() [in TcTspCommon.java]:

if (!outAuthValues.getHmac().getDigest().equals(resAuthDataExpected)) {
    //<Nektarios> if validation fails do nothing
    //throw new TcTspException(TcTssErrors.TSS_E_TSP_AUTHFAIL);
}

I was able to get the command to complete:

----------------------------------------------------------------------
aik_create -a theAIKsecret -o theBIGsecret -l myAIK_0
----------------------------------------------------------------------
01:03:39:971 [INFO] AikUtil::createEKCertificate (123): created EK certificate on-the-fly
01:03:40:049 [WARN] PrivacyCa::<clinit> (86): could not load CLIENT PrivacyCA default certificate (ok on server)
01:03:40:054 [INFO] Client::overrideCertificates (123): overriding default EK certificate used by TSS
01:03:40:852 [INFO] PrivacyCa::processRequest (191): included EK certificate size: 1065 bytes
01:03:40:854 [WARN] XKMSClientBase::<clinit> (85): could not load XKMS responder default certificate
01:03:40:857 [INFO] PrivacyCa::processRequest (192): SubjAltName: id:49465800,SLD9630TT1.1,id:0104
01:03:40:857 [INFO] PrivacyCa::processRequest (199): PE: not included
01:03:40:857 [INFO] PrivacyCa::processRequest (207): CC: not included
01:03:40:889 [INFO] AikUtil::createPECertificate (176): created PE certificate on-the-fly
01:03:40:898 [INFO] AikUtil::createAIKCertificate (213): created AIK certificate on-the-fly
01:03:40:900 [INFO] PrivacyCa::processRequest (223): AIK blob size: 1386
01:03:41:189 [INFO] AikCreate::execute (367): AIK ActivateIdentity succeeded!
01:03:41:191 [INFO] AikCreate::verifyAndPrintAikLabel (188): received AIK certificate with IdLabel: 'myAIK_0'
01:03:41:191 [INFO] AikCreate::execute (379): AIK certificate written into file: aik.cert
01:03:41:192 [INFO] AikCreate::execute (398): AIK TPM key structure written into file: aik.tpmkey
----------------------------------------------------------------------

And here's the TPM's output:

----------------------------------------------------------------------
../tpm/tpm_storage.c:518: Info: TPM_LoadKey()
../tpm/tpm_cmd_handler.c:4125: Info: TPM command succeeded
..
.. (some output)
../tpm/tpm_identity.c:399: Info: TPM_ActivateIdentity()
../tpm/tpm_authorization.c:288: Info: tpm_verify_auth()
../tpm/tpm_authorization.c:288: Info: tpm_verify_auth()
../tpm/tpm_cmd_handler.c:4125: Info: TPM command succeeded
..
..(some output)
----------------------------------------------------------------------

The above raise a number of questions:

Why are the LoadKey() and ActivateIdentity() key successful in the TPM emulator if I skip the TSS validation? Is this expected?

What exactly is the purpose of validateRespAuth() ? What are the 2 hashes that is comparing? hashes of the SRK?

Best Regards,
Nektarios |
From: Nektarios I. <ine...@gm...> - 2007-08-18 09:04:25
|
>Only one process can use /dev/tpm at a time.
>a) standalone/native JTSS directly accesses /dev/tpm
>or
>b) tcsd is sitting on /dev/tpm, JTssWrapper talks to tcsd on port 30003.

Yes I am aware of that.

>To see who is currently using /dev/tpm use the lsof command, e.g.:
>$ sudo lsof /dev/tpm
>COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
>tcsd 26753 root 3u CHR 10,224 29876 /dev/tpm

Yes I have tried that and I get a similar output showing that tcsd is in control (when I have TrouSerS running), otherwise I don't get any output.

>If you want to test your access/permission/setup try a simple command, e.g.:

OK here's a small experiment. I am writing it here as I perform the steps in my terminal:

1) I load my TPM emulator
2) I load TCSD
3) I run a jTPMTools command:

./jtt.sh pcr_read
09:46:55:455 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
number of PCRs: 24
00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
01: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
...

4) I unload TCSD (so that jTSS gets picked up by jTPMTools)
5) I run the SAME command:

./jtt.sh pcr_read
09:49:55:260 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS Wrapper not found. Trying IAIK jTSS.
09:49:55:382 [INFO] TcTcsi::<clinit> (-1): Unable to instantiate system persistent storage (iaik.tc.tss.impl.ps.TcTssPsFileSystem). Disabling system persistent storage.
09:49:55:394 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found. Using local bindings...
number of PCRs: 24
00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
01: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
...

This shows that both configurations (jTSS and TrouSerS-jTSSWrapper) work fine. Now, let's try "aik_create"...

6) I reload TCSD

I run
./jtt.sh aik_create -a theAIKsecret -o theBIGsecret -l myAIK_0
and I get:

09:52:31:305 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
09:52:31:425 [WARN] TcTddlLinux::open (-1): Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
09:52:31:427 [ERROR] TcTcsi::<clinit> (-1): TCS startup failed.
09:52:31:427 [ERROR] TcTcsi::<clinit> (-1):
TSS Error:
error layer: 0x1000 (TDDL)
error code (without layer): 0x87
error code (full): 0x1087
error message: The request could not be performed because of an IO device error.
additional info: Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
iaik.tc.tss.api.exceptions.tcs.TcTddlException:
TSS Error:
error layer: 0x1000 (TDDL)
error code (without layer): 0x87
error code (full): 0x1087
error message: The request could not be performed because of an IO device error.
additional info: Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
at iaik.tc.tss.impl.java.tddl.TcTddlLinux.open(Unknown Source)
at iaik.tc.tss.impl.java.tddl.TcTddl.getInstance(Unknown Source)
at iaik.tc.tss.impl.java.tcs.TcTcsCommon.isOrdinalSupported(Unknown Source)
at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.<clinit>(Unknown Source)
at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiOpenContext(Unknown Source)
at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspContextOpen_Internal( TcTspInternal.java:378)
at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
at iaik.tc.apps.jtt.ek.ReadEkCert.getEkCert(ReadEkCert.java:41)
at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:255)
at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
at iaik.tc.utils.cmdline.SubCommandParser.parse( SubCommandParser.java:41)
at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)

7) I unload the TCSD and try the SAME EXACT command:

./jtt.sh aik_create -a theAIKsecret -o theBIGsecret -l myAIK_0

and I get a DIFFERENT output !!! :

09:54:07:897 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS Wrapper not found. Trying IAIK jTSS.
09:54:08:020 [INFO] TcTcsi::<clinit> (-1): Unable to instantiate system persistent storage (iaik.tc.tss.impl.ps.TcTssPsFileSystem). Disabling system persistent storage.
09:54:08:032 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found. Using local bindings...
***
09:54:09:121 [INFO] AikUtil::createEKCertificate (123): created EK certificate on-the-fly
09:54:09:197 [INFO] Client::overrideCertificates (113): overriding default EK certificate used by TSS
09:54:10:792 [INFO] PrivacyCa::processRequest (180): included EK certificate size: 1065 bytes
09:54:10:800 [INFO] PrivacyCa::processRequest (181): SubjAltName: id:49465800,SLD9630TT1.1,id:0104
09:54:10:800 [INFO] PrivacyCa::processRequest (188): PE: not included
09:54:10:800 [INFO] PrivacyCa::processRequest (196): CC: not included
09:54:10:852 [INFO] AikUtil::createPECertificate (176): created PE certificate on-the-fly
09:54:10:860 [INFO] AikUtil::createAIKCertificate (213): created AIK certificate on-the-fly
09:54:10:862 [INFO] PrivacyCa::processRequest (212): AIK blob size: 1386
iaik.tc.tss.api.exceptions.tsp.TcTspException:
TSS Error:
error layer: 0x3000 (TSP)
error code (without layer): 0x0113
error code (full): 0x3113
error message: Authorization failed.
at iaik.tc.tss.impl.java.tsp.internal.TcTspCommon.validateRespAuth(Unknown Source)
at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKeyByBlob_Internal( TcTspInternal.java:105)
at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(Unknown Source)
at iaik.tc.apps.jtt.aik.Client.activateIdentity(Client.java:153)
at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:322)
at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
at iaik.tc.utils.cmdline.SubCommandParser.parse( SubCommandParser.java:41)
at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)
09:54:11:123 [ERROR] AikCreate::execute (326): client: ActivateIdentity failed

It seems that when the pure jTSS is running "aik_create" does not get the IO device error and goes on...

OK I haven't the reason I am getting the 0x3113 error yet BUT THE ISSUE REMAINS:

The only explanation I can give is that jTPMTools is trying to use jTSS with "aik_create" when it SHOULD have been using TrouSerS and jTSSWrapper...

>Sorry, I cannot reproduce your problem.

As I said, the problem appears ONLY when I try to use "aik_create"! --> could this be a bug then with jTpmTools ???
Please, try it with "aik_create" as well ... this is giving me a big headache :-) !

>a full set of libraries:

Yes I have multi-checked. I have all the necessary libraries.

Many thanks,
Nektarios |
From: Nektarios I. <ine...@gm...> - 2007-08-18 08:41:11
|
>In theory I'm on vacation this week, in practice I can't resist reading email....

I know...email can be addictive... :-)

>If you don't own an Infineon TPM with on-chip EK cert, you need to create
>an EK cert for the AIK creation cycle.

I am using a TPM emulator so I need to create an EK cert.

OK. I have tried this (theBIGsecret being my owner password):

./jtt.sh xkms_ekcert_create -o theBIGsecret --ekfile ek.cert --auth iloveiaik

what I get is:

09:24:23:722 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
*** *** *** *** Public EK extracted (MD5:b7c12929370ef4bce4585cea772be146) *** ***
sending RegisterRequest...
WARNING: No Version of Xerces found, please check your classpath, defaulting to DOM LEVEL 3
09:24:25:827 [ERROR] XEkCreate::execute (141): iaik.xkms.XKMSException: signing failed: Cannot find algorithm ' http://www.w3.org/2001/10/xml-exc-c14n#' for mechanism type 'DOM'.

Please help!

Nektarios |
From: Martin P. <Mar...@ia...> - 2007-08-18 07:34:47
|
Nektarios Ioannides wrote:
> 15:50:28:601 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found.
> Using JNI bindings...
> 15:50:28:684 [WARN] TcTddlLinux::open (-1): Unable to open TPM device file /dev/tpm.
> Reason: /dev/tpm (Device or resource busy)

Only one process can use /dev/tpm at a time.
a) standalone/native JTSS directly accesses /dev/tpm
or
b) tcsd is sitting on /dev/tpm, JTssWrapper talks to tcsd on port 30003.

To see who is currently using /dev/tpm use the lsof command, e.g.:

$ sudo lsof /dev/tpm
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
tcsd 26753 root 3u CHR 10,224 29876 /dev/tpm

JTpmTools autodetects in which mode to run.
If you want to test your access/permission/setup try a simple command, e.g.:

with tcsd running:

/jTpmTools_0.3$ ./jttcut.sh pcr_read
09:26:44:499 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
number of PCRs: 24
00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
01: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[...]

without tcsd running:

/jTpmTools_0.3$ ./jttcut.sh pcr_read
09:27:35:197 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS Wrapper not found. Trying IAIK jTSS.
09:27:35:318 [INFO] TcTcsi::<clinit> (-1): Unable to open TCS configuration file for system persistent storage information. Disabling system persistent storage.
09:27:35:345 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found. Using local bindings...
number of PCRs: 24
00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
01: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[...]

a full set of libraries:

/jTpmTools_0.3$ find ext_libs/ |sort
ext_libs/iaik_jce.jar
ext_libs/iaik_jtss_tcs.jar
ext_libs/iaik_jtss_tsp.jar
ext_libs/iaik_jtss_wrapper.jar
ext_libs/iaik_jtss_wrapper_swig.jar
ext_libs/iaik_tccert.jar
ext_libs/iaik_xkms.jar
ext_libs/iaik_xsect.jar
ext_libs/jaxb/activation.jar
ext_libs/jaxb/jaxb-api.jar
ext_libs/jaxb/jaxb-impl.jar
ext_libs/jaxb/jsr173_1.0_api.jar
ext_libs/libtspiwrapper.so

Sorry, I cannot reproduce your problem.

HTH
--
Martin Pirker
IAIK, TU Graz |
From: Nektarios I. <ine...@gm...> - 2007-08-17 16:42:36
|
Hello

I ran into this problem while I was trying to perform an "aik_create" cycle using jTPMTools but I decided to open a new mail thread for it since this seems to be a different issue.

So this happens when my TPM emulator and TCSD are up and running. Btw.. all jTSSWrapper 0.3 tests have run successfully with this configuration.

Although at first glance this might seem to be an error with TrouSerS I have a suspicion that this is caused by jTpmTools since

1) The first line of output (look below) reports that TrouSerS TSS is found therefore although the error message is the same with that in the case of Carl ( https://sourceforge.net/mailarchive/message.php?msg_id=300eed510707111800h71eadba1xf0113bd4b433ce65%40mail.gmail.combut), it does NOT seem to be caused by the same reason.

2) all other commands using the exact same configuration work fine (e.g. "pcr_read", "read_pubek", "version", "take_owner", "clear_owner").

I have looked at jTpmTools source code but unfortunately am not savvy enough to figure out where the problem lies (or if it lies with jTpmTools at all).

Here is my input:

./jtt.sh aik_create -o theBIGsecret -a theAIKsecret -l myAIK_0

And what I get is:

15:50:28:601 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found. Using JNI bindings...
15:50:28:684 [WARN] TcTddlLinux::open (-1): Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
15:50:28:685 [ERROR] TcTcsi::<clinit> (-1): TCS startup failed.
15:50:28:685 [ERROR] TcTcsi::<clinit> (-1):
TSS Error:
error layer: 0x1000 (TDDL)
error code (without layer): 0x87
error code (full): 0x1087
error message: The request could not be performed because of an IO device error.
additional info: Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
iaik.tc.tss.api.exceptions.tcs.TcTddlException:
TSS Error:
error layer: 0x1000 (TDDL)
error code (without layer): 0x87
error code (full): 0x1087
error message: The request could not be performed because of an IO device error.
additional info: Unable to open TPM device file /dev/tpm. Reason: /dev/tpm (Device or resource busy)
at iaik.tc.tss.impl.java.tddl.TcTddlLinux.open(Unknown Source)
at iaik.tc.tss.impl.java.tddl.TcTddl.getInstance(Unknown Source)
at iaik.tc.tss.impl.java.tcs.TcTcsCommon.isOrdinalSupported(Unknown Source)
at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.<clinit>(Unknown Source)
at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiOpenContext (Unknown Source)
at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspContextOpen_Internal( TcTspInternal.java:378)
at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
at iaik.tc.apps.jtt.ek.ReadEkCert.getEkCert(ReadEkCert.java:41)
at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:255)
at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
at iaik.tc.utils.cmdline.SubCommandParser.parse( SubCommandParser.java:41)
at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)

Any ideas?

Regards,
Nektarios |