trustedjava-support — Trusted Java General Support

Re: [Trustedjava-support] Problems with AIK create cycle (both local and XMKS types) [2]

[Saurabh A. <tan...@gm...>]

hi

just try using " -e ASCII  "option with aik_create command.

saurabh

On 8/16/07, Nektarios Ioannides <ine...@gm...> wrote:
> Hello,
>
> Thanks  Martin and Thomas for your replies.
>
> >The error occurs when the activateIdentity method is called.
> >Are you sure that you are using the correct SRK secret
> (TSS_WELL_KNOWN_SECRET
>  >in your case)? YOu have to use the SRK secret you provided when taking
>  >ownership of your TPM.
>
> I am pretty sure I am using the right owner password. I tried clearing and
> taking ownership several times and then tried the command again to make sure
> I was using the right owner password. I had not specified a custom SRK
> password so the TSS_WELL_KNOWN_SECRET should have been used by default. I
> did take a new ownership with a custom SRK key and specified this during
> "aik_create" but I am still getting the same exact error.
>
> Just to confirm here are my "clear_owner" and "take_owner" results just
> before trying "aik_create":
>
> [root@localhost jTpmTools_0.3]# ./jtt.sh clear_owner -o theBIGsecret
>
> gives
>
> 16:16:54:270 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS
> Wrapper not found. Trying IAIK jTSS.
>  16:16:54:367 [INFO] TcTcsi::<clinit> (-1):      Unable to open TCS
> configuration file for system persistent storage information. Disabling
> system persistent storage.
>  16:16:54:392 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found.
> Using local bindings...
> 16:16:54:416 [INFO] ClearOwnership::execute (63):       ClearOwnership
> succeeded
>
> [root@localhost jTpmTools_0.3]# ./jtt.sh take_owner -o theBIGsecret
>
> gives
>
>  16:17:00:507 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or
> jTSS Wrapper not found. Trying IAIK jTSS.
> 16:17:00:586 [INFO] TcTcsi::<clinit> (-1):      Unable to open TCS
> configuration file for system persistent storage information. Disabling
> system persistent storage.
> 16:17:00:617 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found.
> Using local bindings...
>  16:17:02:525 [INFO] TakeOwnership::execute (82):        TakeOwnership
> succeeded
>
>
> Now, trying "aik_create" with the new password:
>
>  [root@localhost jTpmTools_0.3]# ./jtt.sh aik_create -o theBIGsecret -a
> theAIKsecret -l myAIK_0
>
> still gives
>
> 16:20:06:492 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS
> Wrapper not found. Trying IAIK jTSS.
> 16:20:06:602 [INFO] TcTcsi::<clinit> (-1):      Unable to open TCS
> configuration file for system persistent storage information. Disabling
> system persistent storage.
> 16:20:06:615 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found.
> Using local bindings...
>  ***
>                ***
> ***                    Welcome to the IAIK JCE Library
> ***
> ***
>               ***
>  *** This version of IAIK JCE is licensed for educational and research use
> ***
> *** and evaluation only. Commercial use of this software is prohibited.
> ***
> *** For details please see
> http://jce.iaik.tugraz.at/sales/licences/.     ***
>  *** This message does not appear in the registered commercial version.
> ***
> ***
>               ***
>
> 16:20:07:611 [INFO] AikUtil::createEKCertificate (123): created EK
> certificate on-the-fly
>  16:20:07:687 [INFO] Client::overrideCertificates (113): overriding default
> EK certificate used by TSS
> 16:20:08:401 [INFO] PrivacyCa::processRequest (180):    included EK
> certificate size: 1065 bytes
> 16:20:08:410 [INFO] PrivacyCa::processRequest (181):    SubjAltName:
> id:49465800,SLD9630TT1.1,id:0104
>  16:20:08:410 [INFO] PrivacyCa::processRequest (188):    PE: not included
> 16:20:08:410 [INFO] PrivacyCa::processRequest (196):    CC: not included
> 16:20:08:451 [INFO] AikUtil::createPECertificate (176): created PE
> certificate on-the-fly
>  16:20:08:460 [INFO] AikUtil::createAIKCertificate (213):        created AIK
> certificate on-the-fly
> 16:20:08:461 [INFO] PrivacyCa::processRequest (212):    AIK blob size: 1386
> iaik.tc.tss.api.exceptions.tsp.TcTspException:
>
>  TSS Error:
> error layer:                0x3000 (TSP)
> error code (without layer): 0x0113
> error code (full):          0x3113
> error message: Authorization failed.
>
>         at
> iaik.tc.tss.impl.java.tsp.internal.TcTspCommon.validateRespAuth(Unknown
> Source)
>          at
> iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKeyByBlob_Internal(TcTspInternal.java:105)
>         at
> iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(Unknown Source)
>         at
> iaik.tc.apps.jtt.aik.Client.activateIdentity(Client.java:153)
>          at
> iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:322)
>         at iaik.tc.utils.cmdline.SubCommand.run
> (SubCommand.java:69)
>         at
> iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
>          at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)
> 16:20:08:720 [ERROR] AikCreate::execute (326):  client: ActivateIdentity
> failed
>
>
> Guessing that this might be an issue with jTSS_0.1 I reverted back to
> jTSSWrapper0.3, cleared and took ownership again (just to be safe) but now I
> get something more weird. Here's a sample:
>
>  ./jtt.sh aik_create -o theBIGsecret -a theAIKsecret -l myAIK_0
>
> And what I get is:
>
> 15:50:28:601 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found.
> Using JNI bindings...
> 15:50:28:684 [WARN] TcTddlLinux::open (-1):     Unable to open TPM device
> file /dev/tpm.
>  Reason: /dev/tpm (Device or resource busy)
>
> 15:50:28:685 [ERROR] TcTcsi::<clinit> (-1):     TCS startup failed.
> 15:50:28:685 [ERROR] TcTcsi::<clinit> (-1):
> TSS Error:
>  error layer:                0x1000 (TDDL)
> error code (without layer): 0x87
>  error code (full):          0x1087
> error message: The request could not be performed because of an IO device
> error.
>  additional info: Unable to open TPM device file /dev/tpm.
> Reason: /dev/tpm (Device or resource busy)
>
>
> iaik.tc.tss.api.exceptions.tcs.TcTddlException:
> TSS Error:
> error layer:                0x1000 (TDDL)
> error code (without layer): 0x87
> error code (full):          0x1087
> error message: The request could not be performed because of an IO device
> error.
> additional info: Unable to open TPM device file /dev/tpm.
> Reason: /dev/tpm (Device or resource busy)
>
>
>         at
> iaik.tc.tss.impl.java.tddl.TcTddlLinux.open(Unknown Source)
>          at
> iaik.tc.tss.impl.java.tddl.TcTddl.getInstance(Unknown
> Source)
>         at
> iaik.tc.tss.impl.java.tcs.TcTcsCommon.isOrdinalSupported
> (Unknown Source)
>         at
> iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.<clinit>(Unknown
> Source)
>          at
> iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiOpenContext(Unknown
> Source)
>         at
> iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspContextOpen_Internal
> (TcTspInternal.java:378)
>         at
> iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
>          at
> iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
>         at
> iaik.tc.apps.jtt.ek.ReadEkCert.getEkCert(ReadEkCert.java:41)
>         at
> iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:255)
>         at iaik.tc.utils.cmdline.SubCommand.run
> (SubCommand.java:69)
>         at
> iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
>          at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)
>
>
> I know that this seems similar to the problem experienced by Carl in
> https://sourceforge.net/mailarchive/message.php?msg_id=300eed510707111800h71eadba1xf0113bd4b433ce65%40mail.gmail.com
> but the difference in my case is that
> TSS TrouSerS is found! (i.e. both the TPM and TSS (TrouSerS since I am using
> the jTSSWrapper this time) are both loaded correctly ---> This is awfully
> weird since other commands run fine under the same (TrouSerS + jTSSWrapper)
> configuration.
>
> For example,
>
> [root@localhost jTpmTools_0.3]# ./jtt.sh clear_owner -o theBIGsecret
>
> gives:
>
>  16:14:14:090 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found.
> Using JNI bindings...
> 16:14:14:142 [INFO] ClearOwnership::execute (63):       ClearOwnership
> succeeded
>
> and
>
> [root@localhost jTpmTools_0.3]# ./jtt.sh take_owner -o theBIGsecret
>
> gives
>
>  16:14:47:218 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found.
> Using JNI bindings...
> 16:14:47:699 [INFO] TakeOwnership::execute (82):        TakeOwnership
> succeeded
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> P.S I don't think the two errors are related with the same cause but I am
> reporting them in the same mail anyways since they are both related to what
> I am trying to do!
>
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >>  http://get.splunk.com/
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support
>
>

[Trustedjava-support] Problems with AIK create cycle (both local and XMKS types) [2]

[Nektarios I. <ine...@gm...>]

Hello,

Thanks  Martin and Thomas for your replies.

>The error occurs when the activateIdentity method is called.
>Are you sure that you are using the correct SRK secret
(TSS_WELL_KNOWN_SECRET
>in your case)? YOu have to use the SRK secret you provided when taking
>ownership of your TPM.

I am pretty sure I am using the right owner password. I tried clearing and
taking ownership several times and then tried the command again to make sure
I was using the right owner password. I had not specified a custom SRK
password so the TSS_WELL_KNOWN_SECRET should have been used by default. I
did take a new ownership with a custom SRK key and specified this during
"aik_create" but I am still getting the same exact error.

Just to confirm here are my "clear_owner" and "take_owner" results just
before trying "aik_create":

[root@localhost jTpmTools_0.3]# ./jtt.sh clear_owner -o theBIGsecret

gives

16:16:54:270 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS
Wrapper not found. Trying IAIK jTSS.
16:16:54:367 [INFO] TcTcsi::<clinit> (-1):      Unable to open TCS
configuration file for system persistent storage information. Disabling
system persistent storage.
16:16:54:392 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found.
Using local bindings...
16:16:54:416 [INFO] ClearOwnership::execute (63):       ClearOwnership
succeeded

[root@localhost jTpmTools_0.3]# ./jtt.sh take_owner -o theBIGsecret

gives

16:17:00:507 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS
Wrapper not found. Trying IAIK jTSS.
16:17:00:586 [INFO] TcTcsi::<clinit> (-1):      Unable to open TCS
configuration file for system persistent storage information. Disabling
system persistent storage.
16:17:00:617 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found.
Using local bindings...
16:17:02:525 [INFO] TakeOwnership::execute (82):        TakeOwnership
succeeded


Now, trying "aik_create" with the new password:

[root@localhost jTpmTools_0.3]# ./jtt.sh aik_create -o theBIGsecret -a
theAIKsecret -l myAIK_0

still gives

16:20:06:492 [INFO] CommonSettings::getTssFactory (39): TrouSerS and/or jTSS
Wrapper not found. Trying IAIK jTSS.
16:20:06:602 [INFO] TcTcsi::<clinit> (-1):      Unable to open TCS
configuration file for system persistent storage information. Disabling
system persistent storage.
16:20:06:615 [INFO] CommonSettings::getTssFactory (47): IAIK jTSS found.
Using local bindings...
***
***
***                    Welcome to the IAIK JCE Library
***
***
***
*** This version of IAIK JCE is licensed for educational and research use
***
*** and evaluation only. Commercial use of this software is prohibited.
***
*** For details please see http://jce.iaik.tugraz.at/sales/licences/.
***
*** This message does not appear in the registered commercial version.
***
***
***

16:20:07:611 [INFO] AikUtil::createEKCertificate (123): created EK
certificate on-the-fly
16:20:07:687 [INFO] Client::overrideCertificates (113): overriding default
EK certificate used by TSS
16:20:08:401 [INFO] PrivacyCa::processRequest (180):    included EK
certificate size: 1065 bytes
16:20:08:410 [INFO] PrivacyCa::processRequest (181):    SubjAltName:
id:49465800,SLD9630TT1.1,id:0104
16:20:08:410 [INFO] PrivacyCa::processRequest (188):    PE: not included
16:20:08:410 [INFO] PrivacyCa::processRequest (196):    CC: not included
16:20:08:451 [INFO] AikUtil::createPECertificate (176): created PE
certificate on-the-fly
16:20:08:460 [INFO] AikUtil::createAIKCertificate (213):        created AIK
certificate on-the-fly
16:20:08:461 [INFO] PrivacyCa::processRequest (212):    AIK blob size: 1386
iaik.tc.tss.api.exceptions.tsp.TcTspException:

TSS Error:
error layer:                0x3000 (TSP)
error code (without layer): 0x0113
error code (full):          0x3113
error message: Authorization failed.

        at iaik.tc.tss.impl.java.tsp.internal.TcTspCommon.validateRespAuth(Unknown
Source)
        at
iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKeyByBlob_Internal(
TcTspInternal.java:105)
        at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(Unknown Source)
        at iaik.tc.apps.jtt.aik.Client.activateIdentity(Client.java:153)
        at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:322)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(
SubCommandParser.java:41)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)
16:20:08:720 [ERROR] AikCreate::execute (326):  client: ActivateIdentity
failed


Guessing that this might be an issue with jTSS_0.1 I reverted back to
jTSSWrapper0.3, cleared and took ownership again (just to be safe) but now I
get something more weird. Here's a sample:

./jtt.sh aik_create -o theBIGsecret -a theAIKsecret -l myAIK_0

And what I get is:

15:50:28:601 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found.
Using JNI bindings...
15:50:28:684 [WARN] TcTddlLinux::open (-1):     Unable to open TPM device
file /dev/tpm.
Reason: /dev/tpm (Device or resource busy)

15:50:28:685 [ERROR] TcTcsi::<clinit> (-1):     TCS startup failed.
15:50:28:685 [ERROR] TcTcsi::<clinit> (-1):
TSS Error:
error layer:                0x1000 (TDDL)
error code (without layer): 0x87
error code (full):          0x1087
error message: The request could not be performed because of an IO device
error.
additional info: Unable to open TPM device file /dev/tpm.
Reason: /dev/tpm (Device or resource busy)


iaik.tc.tss.api.exceptions.tcs.TcTddlException:
TSS Error:
error layer:                0x1000 (TDDL)
error code (without layer): 0x87
error code (full):          0x1087
error message: The request could not be performed because of an IO device
error.
additional info: Unable to open TPM device file /dev/tpm.
Reason: /dev/tpm (Device or resource busy)


        at iaik.tc.tss.impl.java.tddl.TcTddlLinux.open(Unknown Source)
        at iaik.tc.tss.impl.java.tddl.TcTddl.getInstance(Unknown Source)
        at iaik.tc.tss.impl.java.tcs.TcTcsCommon.isOrdinalSupported(Unknown
Source)
        at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.<clinit>(Unknown Source)
        at
iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiOpenContext(Unknown
Source)
        at
iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspContextOpen_Internal(
TcTspInternal.java:378)
        at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
        at iaik.tc.tss.impl.java.tsp.TcContext.connect(Unknown Source)
        at iaik.tc.apps.jtt.ek.ReadEkCert.getEkCert(ReadEkCert.java:41)
        at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:255)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(
SubCommandParser.java:41)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)


I know that this seems similar to the problem experienced by Carl in
https://sourceforge.net/mailarchive/message.php?msg_id=300eed510707111800h71eadba1xf0113bd4b433ce65%40mail.gmail.combut
the difference in my case is that
TSS TrouSerS is found! (i.e. both the TPM and TSS (TrouSerS since I am using
the jTSSWrapper this time) are both loaded correctly ---> This is awfully
weird since other commands run fine under the same (TrouSerS + jTSSWrapper)
configuration.

For example,

[root@localhost jTpmTools_0.3]# ./jtt.sh clear_owner -o theBIGsecret

gives:

16:14:14:090 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found.
Using JNI bindings...
16:14:14:142 [INFO] ClearOwnership::execute (63):       ClearOwnership
succeeded

and

[root@localhost jTpmTools_0.3]# ./jtt.sh take_owner -o theBIGsecret

gives

16:14:47:218 [INFO] CommonSettings::getTssFactory (37): TrouSerS TSS found.
Using JNI bindings...
16:14:47:699 [INFO] TakeOwnership::execute (82):        TakeOwnership
succeeded














P.S I don't think the two errors are related with the same cause but I am
reporting them in the same mail anyways since they are both related to what
I am trying to do!

[Trustedjava-support] JTT 0.3 AikCreate password issue

[Martin P. <Mar...@ia...>]

FYI:

The 0.3 release of JTpmTools contains an issue in AikCreate.java. If you
examine the code you will notice that the command line options -e and -n
are not used for determining the encoding of the AIK secret.

If you only use JTpmTools this is not a problem.

However, this may cause password incompatibilities when sharing
local AIK keys with other local applications (e.g. tpm_tools), be
careful of the encoding.


The following fix will be incorporated in the next JTpmTools release:

===================================================================
--- AikCreate.java      (revision old)
+++ AikCreate.java      (revision new)

                // aik password (required)
-               TcBlobData aikSecret = TcBlobData.newString(params_.getValue(PARAM_AIK_SECRET), false);
+               TcBlobData aikSecret = TcBlobData.newString(params_.getValue(PARAM_AIK_SECRET), appendNullTerm, encoding);

Re: [Trustedjava-support] Problems with AIK create cycle (both local and XMKS types)

[Martin P. <Mar...@ia...>]

Nektarios Ioannides wrote:
> I have been away from the OpenTC scene so it's good to be back :-)

Don't worry, could happen to anyone :-)

> And when  I run:
> 
> ./jtt.sh xkms_aik_create -a secret -l aikLabel -o theoldsecret
> 
> I get:
> 
> 03:58:10:665 [INFO] AikUtil::createEKCertificate (123): created EK certificate on-the-fly
> 03:58:10:673 [INFO] Client::overrideCertificates (113): overriding default EK certificate used by TSS
> sending RegisterRequest...
> ...result received
> 
> Validating XKMS message signature using certificate:
>   CN=IAIK OpenTC XKMS Test Responder,OU=IAIK trusted computing labs,O=Graz
> University of Technology,C=AT
> XKMS Result message signature is INVALID.
> 
> AIK create operation FAILED
> ===>http://www.w3.org/2002/03/xkms#Sender
> ===>http://www.w3.org/2002/03/xkms#Failure
> 
> I am almost certain that it is not a setup error but something theoretical I
> am missing to see here.
> Any ideas ?

Well, I can look at the server log.... was that you?

04:58:16:499 [INFO] HTTPHandler::run (97):      20070816-04:58:16 request from ......bethere.co.uk
04:58:16:503 [INFO] RequestProcessor::newInstance (133):        === RegisterRequest /aik ===
04:58:16:513 [INFO] PrivacyCa::processRequest (176):    included EK certificate size: 1065 bytes
04:58:16:514 [INFO] PrivacyCa::processRequest (177):    SubjAltName: id:49465800,SLD9630TT1.1,id:0104
04:58:16:514 [INFO] PrivacyCa::processRequest (184):    PE: not included
04:58:16:514 [INFO] PrivacyCa::processRequest (192):    CC: not included
java.security.cert.CertificateException: EK validation FAILED


...meaning the included EK could not be verified, because
a) it is not an IFX TPM EK (development boards are not supported)
b) it is not an EK generated from our PCA server

Unfortunately it is currently not possible to return a "nicer" error message.


for b) you need a password for xkms_ekcert_create to work at our server -> mail me

HTH

-- 
Martin Pirker
IAIK, TU Graz

Re: [Trustedjava-support] Problems with AIK create cycle (both local and XMKS types)

[Thomas W. <tc...@to...>]

Hello,

> When I run
> ./jtt.sh aik_create -a secret -l theAIKlabel -o theoldsecret

[...]

> TSS Error:
> error layer:                0x3000 (TSP)
> error code (without layer): 0x0113
> error code (full):          0x3113
> error message: Authorization failed.

[...]

>         at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:322)


The error occurs when the activateIdentity method is called.
Are you sure that you are using the correct SRK secret (TSS_WELL_KNOWN_SECRET 
in your case)? YOu have to use the SRK secret you provided when taking 
ownership of your TPM.

hth,
-- 
Thomas Winkler
e-mail: tc...@to...

Re: [Trustedjava-support] ActivateIdentity - Authorization Failed message.

[Thomas W. <tc...@to...>]

Hello,

> With `Authorization Failed`, I am guessing it is saying the SRK cannot
> unwrap the AIK?

That would be my guess too.

> I get the message when I call:
>
> aik.loadKey(srk)

It is kind of hard to say something more detailed without having a look at the 
code before this statement.

Regards,
Thomas Winkler
-- 
Thomas Winkler
e-mail: tc...@to...

[Trustedjava-support] Problems with AIK create cycle (both local and XMKS types)

[Nektarios I. <ine...@gm...>]

Hello everyone,

I have been away from the OpenTC scene so it's good to be back :-)

I have recently updated my past efforts to the new jTSS 0.1 layer (not using
jTssWrapper anymore).
I believe I have installed everything right since I followed all
instructions and done it all twice to make sure.
I have generated and placed in the right locations all necessary credentials
using the TcCerts and PCA scripts (build_certs.sh).
Everything seems to be running properly except when I try to simulate an AIK
Cycle:
I have been trying to run the "aik_create" and "xkms_aik_create" options of
jTpmTools and I have problems with both.


When I run
./jtt.sh aik_create -a secret -l theAIKlabel -o theoldsecret

I get:

03:58:27:495 [INFO] AikUtil::createEKCertificate (123): created EK
certificate on-the-fly
03:58:27:584 [INFO] Client::overrideCertificates (113): overriding default
EK certificate used by TSS
03:58:28:698 [INFO] PrivacyCa::processRequest (180):    included EK
certificate size: 1065 bytes
03:58:28:703 [INFO] PrivacyCa::processRequest (181):    SubjAltName:
id:49465800,SLD9630TT1.1,id:0104
03:58:28:704 [INFO] PrivacyCa::processRequest (188):    PE: not included
03:58:28:704 [INFO] PrivacyCa::processRequest (196):    CC: not included
03:58:28:764 [INFO] AikUtil::createPECertificate (176): created PE
certificate on-the-fly
03:58:28:772 [INFO] AikUtil::createAIKCertificate (213):        created AIK
certificate on-the-fly
03:58:28:774 [INFO] PrivacyCa::processRequest (212):    AIK blob size: 1390
iaik.tc.tss.api.exceptions.tsp.TcTspException:

TSS Error:
error layer:                0x3000 (TSP)
error code (without layer): 0x0113
error code (full):          0x3113
error message: Authorization failed.

        at iaik.tc.tss.impl.java.tsp.internal.TcTspCommon.validateRespAuth(Unknown
Source)
        at
iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKeyByBlob_Internal(
TcTspInternal.java:105)
        at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(Unknown Source)
        at iaik.tc.apps.jtt.aik.Client.activateIdentity(Client.java:153)
        at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:322)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(
SubCommandParser.java:41)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)

And when  I run:

./jtt.sh xkms_aik_create -a secret -l aikLabel -o theoldsecret

I get:

03:58:10:665 [INFO] AikUtil::createEKCertificate (123): created EK
certificate on-the-fly
03:58:10:673 [INFO] Client::overrideCertificates (113): overriding default
EK certificate used by TSS
sending RegisterRequest...
...result received

Validating XKMS message signature using certificate:
  CN=IAIK OpenTC XKMS Test Responder,OU=IAIK trusted computing labs,O=Graz
University of Technology,C=AT
XKMS Result message signature is INVALID.

AIK create operation FAILED
===>http://www.w3.org/2002/03/xkms#Sender
===>http://www.w3.org/2002/03/xkms#Failure

I am almost certain that it is not a setup error but something theoretical I
am missing to see here.
Any ideas ?

Regards,

Nektarios

[Trustedjava-support] ActivateIdentity - Authorization Failed message.

[<Hon...@cs...>]

Hi,

Here is my current configuration:

TPM Emulator version 0.5
jTSS 0.1 (using Java native jTSS)

I have been writing code to do a remote attestation.

The code run fine in terms of generating a TCPA_IDENTITY_REQ via =
CollateIdentityRequest method.  The server can parse the =
TCPA_IDENTITY_REQ structure, and is able to generate the =
TCPA_SYM_CA_CONTENTS and TCPA_SYM_CA_ATTESTATION structures.

The problem is in the ActivateIdentity command on the client side.

I keep getting `Authorization Failed` message.

I assume this is different from `Authentication Failed` message, which =
to me means wrong password - specifically, SRK password.

With `Authorization Failed`, I am guessing it is saying the SRK cannot =
unwrap the AIK?

I get the message when I call:

aik.loadKey(srk)

Where `aik` is an instance of TcIRsaKey class that was passed into =
CollateIdentityRequest.  `srk` is an instance of TcIRsaKey that was =
instantiated and passed into CollateIdentityRequest as well.

The jTSS test case for remote attestation ran fine.

So any hints on where I did something wrong?

Thanks.

Hon Hwang.

Re: [Trustedjava-support] How to use the Wrapper + IDE

[<ron...@ia...>]

Hello Tiago,

Tiago Lopes wrote:
 > On 8/9/07, *Ronald T=F6gl* <ron...@ia...=20
<mailto:ron...@ia...>> wrote:
 >
 >     You will have to add the two created jars (as external jars) to yo=
ur
 >     project to compile.
 >
 >     iaik_jtss_wrapper.jar
 >     iaik_jtss_wrapper_swig.jar
 >
 >
 > Ok, now I've managed to compile and run fine. I've added these two=20
new Jar's plus iaik_jtss_tsp.jar to the referenced libraries, otherwise=20
all the top TSP interfaces wouldn't be found by eclipse (ex. TcIContext).=

Sorry, I missed that one.


 > I've having some issues: the first is that if I use the=20
=2E/take_ownership (included in the trousers tpm-tools package) and a nul=
l=20
(press enter) SRK key, I have to use on my code:
 >
 > TcBlobData TPM_SRK_SECRET =3D TcBlobData.newString("");
 > SRK_SECRET_MODE =3D TcTssConstants.TSS_SECRET_MODE_PLAIN;
 >
 > otherwise auth will fail!

This is not a bug, but a feature. :-)

With the TrouSerS tools, the SRK is given an authorisation secret, which =

is a 160-bit SHA-1 hash.
So you don't have a "null" secret for the key, but a complex 160-bit=20
value, which just happens to have an extremely simple pre-image to type i=
n.
With the TSS_SECRET_MODE_PLAIN setting in the Wrapper, the secret string =

will first be hashed and then applied to the key, thus creating the=20
identical authorisation secret.


 > The second issue is that
 > "context.getRegisteredKeysByUuidSystem (null);"
 > Returns exactly the same output as
 > "context.getRegisteredKeysByUuidUser(null);"
 >
 > and I'm registering different USER and SYSTEM keys using something=20
like this:
 >
 > context.registerKey (key,
 >                 TcTssConstants.TSS_PS_TYPE_USER,
 >                 keyUuid,
 >                 TcTssConstants.TSS_PS_TYPE_USER,
 >                 TcUuidFactory.getInstance().getUuidSRK());
 >
 > Is this the expected behavior or I'm not reading the javadoc's right?

This is unexpected behavior.

However, the wrapper just accesses the TrouSerS for this functionality.=20
The Java part provides the correct function call, passing the right=20
parameters for both different cases. Apparently, TrouSerS does not=20
implement (or is not correctly configured) two persistent storages (user =

and system).

Feel free to look at the TrouSerS C source code to find out what is=20
implemented there and what not.

Regards, Ronald

--=20
Ronald Toegl
IAIK, TU Graz

Re: [Trustedjava-support] How to use the Wrapper + IDE

[<ron...@ia...>]

Hello Tiago,

Tiago Lopes wrote:

 > I'm having difficulties do understand how do someone uses the wrapper 
on a java project.

 > Using the jTSS_0.1 I've found that some methods like "
 > context.registerKey()" are NOT implemented on jTSS_0.1, but they are 
on the wrapper_0.3.
Yes, that's right. We are currently working on implementing persistent 
storage for jTSS.

 > So now I'm trying to work with this wrapper... I've compiled it and 
now I don't have a clue how to add this to my java project.
Ok, if you can compile it you should have all required libraries etc. on 
your system.
Of course, you need to have the TPM driver and TrouSerS up and running 
before you try any access!

The best way to start is to try
  makefile run_tests
with the newly built Wrapper. At this target in the makefile you can see 
  which environment is needed to use the classes.
Once this runs from the shell, you should configure your IDE.

 > I'm supposed to add the "iaik_jtss_tsp.jar" on the ext_libs folder, 
and the "iaik_jtss_wrapper.jar" on output/jar folder to my project?

You will have to add the two created jars (as external jars) to your 
project to compile.

iaik_jtss_wrapper.jar
iaik_jtss_wrapper_swig.jar

adding JUnit 3 might be useful, but is no requirement.

To run your application, you need to add these jars to your classpath. 
Furthermore you have to extend the LD_LIBRARY_PATH environment variable
path, to include outpub/lib with the

libtspiwrapper.so

In Eclipse you can do this by selecting the class that contains your 
main(), and then Run as..


 > I have to make any alterations to my java code?
Yes.

You have to use class
  TcTssJniFactory (for wrapper)
instead of
  TcTssLocalCallFactory (for jTSS)
to instantiate your first factory.

Regards, Ronald

-- 
Ronald Toegl
IAIK, TU Graz

[Trustedjava-support] How to use the Wrapper + IDE

[Tiago L. <tia...@gm...>]

Hi,
I'm having difficulties do understand how do someone uses the wrapper on a
java project.
I was using the jTSS_0.1 on my project using eclipse IDE, and basically the
only thing I did was adding both the "iaik_jtss_tcs.jar" and
"iaik_jtss_tsp.jar" to my project referenced libraries. Everything compiled
and the TPM emulator worked fine.
I've created RSA keys and used them to bind and seal data, so the next step
was to made those keys persistent, so they could be "saved" somewhere. Using
the jTSS_0.1 I've found that some methods like "context.registerKey()" are
NOT implemented on jTSS_0.1, but they are on the wrapper_0.3. So now I'm
trying to work with this wrapper... I've compiled it and now I don't have a
clue how to add this to my java project.
I'm supposed to add the "iaik_jtss_tsp.jar" on the ext_libs folder, and the
"iaik_jtss_wrapper.jar" on output/jar folder to my project? I have to make
any alterations to my java code? On the documentation there is a reference
saying that all interfaces remained the same, but I can't find any of them
on these libraries..... :(
Thanks for your help.

Tiago Lopes

Re: [Trustedjava-support] Order of UUID

[<ron...@ia...>]

Hello Till,

Thank your for pointing this issue out!! In version 0.3, the byte order 
of the UUID attribute blob returned from the TrouSerS to the Wrapper is 
not corrected upon creation of the TcTssUuid object.

This will be fixed in the next release.

Regard, Ronald


Till Bentz wrote:
> the log is: generated Uuid: b0d36260-5523-41b1-8d6d-c5d65a5a6ecd
> This time the log is: Uuid: UUID: 6062d3b0-2355-b141-8d6d-c5d65a5a6ecd
>
> Can anyone explain me this difference?
>

-- 
IAIK, TU Graz

[Trustedjava-support] Order of UUID

[Till B. <ti...@on...>]

Hello,

I have a question regarding the UUID of newly registered keys.

I create a new key:
---
TcIRsaKey signingKey = context.createRsaKeyObject(
TcTssConstants.TSS_KEY_SIZE_2048 | TcTssConstants.TSS_KEY_TYPE_SIGNING
                | TcTssConstants.TSS_KEY_MIGRATABLE);
keyUsagePolicy.assignToObject(signingKey);
keyMigrationPolicy.assignToObject(signingKey);
signingKey.createKey(srk, null);
signingKey.loadKey(srk);
---

Now I register that key:
---
TcUuidFactory fac = TcUuidFactory.getInstance();
TcTssUuid uuid = fac.generateRandomUuid();
log.debug("generated Uuid: " + uuid.toStringNoPrefix());
try {
            context.registerKey(key, TcTssConstants.TSS_PS_TYPE_SYSTEM,
uuid, TcTssConstants.TSS_PS_TYPE_SYSTEM, fac.getUuidSRK());
            key.unloadKey();
} catch (TcTssException e) {...}
---
the log is: generated Uuid: b0d36260-5523-41b1-8d6d-c5d65a5a6ecd

In the next step I load the key and use it for a TPM_Quote:
---
try {
            TcIRsaKey key = context.loadKeyByUuidFromSystem(uuid);
} catch (TcTssException e) {...}
log.debug("Uuid: " + key.getAttribUuid());
---
This time the log is: Uuid: UUID: 6062d3b0-2355-b141-8d6d-c5d65a5a6ecd

Can anyone explain me this difference?

Thanks a lot!
-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu
  tolerierende Quelle der Unsicherheit
**********************************************

Re: [Trustedjava-support] Performance?

[Till B. <ti...@on...>]

On 8/1/07, Saurabh Arora <tan...@gm...> wrote:
>
> Hi Till
>
>
> On 8/1/07, Till Bentz <ti...@on...> wrote:
> > Hi,
> >
> > thanks for the quick reply. Would it be faster if I register the key
> after
> > creating and then load it if I need it instead of creating a new?
> >
>
> of course and very much.
> also I wud appreciate if you can try to load a registered key and tell
> whether you encountered a problem( like i did) using wrapper and
> trousers.


I now create a key, then register it and load it via the Uuid. It is much
faster and I did not encounter any problems so far.

best
> Saurabh
>



-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu
  tolerierende Quelle der Unsicherheit
**********************************************

Re: [Trustedjava-support] Performance?

[Saurabh A. <tan...@gm...>]

Hi Till


On 8/1/07, Till Bentz <ti...@on...> wrote:
> Hi,
>
> thanks for the quick reply. Would it be faster if I register the key after
> creating and then load it if I need it instead of creating a new?
>

of course and very much.
also I wud appreciate if you can try to load a registered key and tell
whether you encountered a problem( like i did) using wrapper and
trousers.

best
Saurabh

Re: [Trustedjava-support] Performance?

[Till B. <ti...@on...>]

Hi,

thanks for the quick reply. Would it be faster if I register the key after
creating and then load it if I need it instead of creating a new?

On 8/1/07, Martin Pirker <Mar...@ia...> wrote:
>
> Hi...
>
> Till Bentz wrote:
> > I have a performance problem with the key generation process and I was
> > wondering if someone could help me. I create a new key and assign some
> > policies to it. This process takes between 25 and 50 or more seconds.
>
> The TPM is not a crypto accelerator.
> The TPM is designed to be manufactured cheaply.
>
> However, actual TPM implementation varies from manufacturer to
> manufacturer.
> Some TPMs precalculate new keys while idle and cache them, so when a
> "create key" command arrives it is "fast". However, if the keycache is
> empty and the TPM has to create a new 2048bit RSA key from scratch, on
> a chip running only a few MHz.... well, it takes some time...
>
> For comparison of TPM features see e.g.
>   http://www.prosec.rub.de/tpmcompliance.html
>
>
> HTH
>
> --
> Martin Pirker
> IAIK, TU Graz
>
>


-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu
  tolerierende Quelle der Unsicherheit
**********************************************

Re: [Trustedjava-support] Performance?

[Martin P. <Mar...@ia...>]

Hi...

Till Bentz wrote:
> I have a performance problem with the key generation process and I was
> wondering if someone could help me. I create a new key and assign some
> policies to it. This process takes between 25 and 50 or more seconds.

The TPM is not a crypto accelerator.
The TPM is designed to be manufactured cheaply.

However, actual TPM implementation varies from manufacturer to manufacturer.
Some TPMs precalculate new keys while idle and cache them, so when a
"create key" command arrives it is "fast". However, if the keycache is
empty and the TPM has to create a new 2048bit RSA key from scratch, on
a chip running only a few MHz.... well, it takes some time...

For comparison of TPM features see e.g.
  http://www.prosec.rub.de/tpmcompliance.html


HTH

-- 
Martin Pirker
IAIK, TU Graz

[Trustedjava-support] Performance?

[Till B. <ti...@on...>]

Hello,

I have a performance problem with the key generation process and I was
wondering if someone could help me. I create a new key and assign some
policies to it. This process takes between 25 and 50 or more seconds. I use
the following code:

---
TcIPolicy keyUsagePolicy = context.createPolicyObject(
TcTssConstants.TSS_POLICY_USAGE);
keyUsagePolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, KEY_SECRET);

TcIPolicy keyMigrationPolicy = context.createPolicyObject(
TcTssConstants.TSS_POLICY_MIGRATION);
keyMigrationPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN,
KEY_SECRET);

TcIRsaKey signingKey = context.createRsaKeyObject(
TcTssConstants.TSS_KEY_SIZE_2048 | TcTssConstants.TSS_KEY_TYPE_SIGNING
                | TcTssConstants.TSS_KEY_MIGRATABLE);

log.debug("Assigning Policies");     <--------------------------10:17:41,894

keyUsagePolicy.assignToObject(signingKey);
keyMigrationPolicy.assignToObject(signingKey);
signingKey.createKey(srk, null);
signingKey.loadKey(srk);

log.debug("Leaving method 'createSigningKey()'"); <---10:18:23,137
---

Next to the log.debug messages are timestamps.
I use jTssWrapper_0.3 with TouSerS 0.2.9.1

Thanks a lot.

-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu
  tolerierende Quelle der Unsicherheit
**********************************************

Re: [Trustedjava-support] Where does jTSS gets the PubEKCert from in CollateIdentityRequest?

[Thomas W. <tc...@to...>]

Hello,

> I like to know where jTSS gets the Public Endorsement Key Certificate
> (EKCert) from during the CollateIdentityRequest operation?

If you have a IFX TPM (1.1b or 1.2), the EK Cert is read from the chip.

> I know that if I use the TrouSers wrappers, TrouSers supply this from its
> configuration file.

No - you can not specify it in a configuration file.
But jTSS is a 1.2 compliant TSS and therefore you can supply the certificates 
via the setAttribData method of the TPM object and one of the following 
subflags (see TSS spec):

TcTssConstants.TSS_TPMATTRIB_EKCERT
TcTssConstants.TSS_TPMATTRIB_PLATFORM_CC
TcTssConstants.TSS_TPMATTRIB_PLATFORMCERT
TcTssConstants.TSS_TPMATTRIB_PLATFORM_CC

hth,
-- 
Thomas Winkler
e-mail: tc...@to...

[Trustedjava-support] Where does jTSS gets the PubEKCert from in CollateIdentityRequest?

[<Hon...@cs...>]

SGkgYWxsLA0KDQpJIGxpa2UgdG8ga25vdyB3aGVyZSBqVFNTIGdldHMgdGhlIFB1YmxpYyBFbmRv
cnNlbWVudCBLZXkgQ2VydGlmaWNhdGUgKEVLQ2VydCkgZnJvbSBkdXJpbmcgdGhlIENvbGxhdGVJ
ZGVudGl0eVJlcXVlc3Qgb3BlcmF0aW9uPw0KDQpJIGtub3cgdGhhdCBpZiBJIHVzZSB0aGUgVHJv
dVNlcnMgd3JhcHBlcnMsIFRyb3VTZXJzIHN1cHBseSB0aGlzIGZyb20gaXRzIGNvbmZpZ3VyYXRp
b24gZmlsZS4NCg0KRG9lcyBqVFNTIGhhcyBhIGNvbmZpZ3VyYXRpb24gZmlsZT8gIEkgbm90aWNl
IHRoZXJlIGlzIGEgLmluaSBmaWxlIHdpdGgga2V5LXZhbHVlIHBhaXIgZGF0YSBmb3IgcGVyc2lz
dGVudCBzdG9yYWdlLg0KDQpPciBJIGhhdmUgdG8gdXNlIFRyb3VTZXJzIHRvIG9idGFpbiB0aGUg
RUtDZXJ0Pw0KDQpJIGFtIHVzaW5nIGpUU1MgMC4xLCB3aXRoIFRQTSBFbXVsYXRvciAwLjUuDQoN
ClRoYW5rcy4NCg0KSG9uIEh3YW5nLg0K

[Trustedjava-support] View this price

[Mollie K. <lor...@ap...>]

Re: [Trustedjava-support] Questions regarding Quote

[Martin P. <Mar...@ia...>]

Till Bentz wrote:
> I have the values of each quoted PCR, but how do I manually recompute that
> value so I can check the quote?

Subject: "Re: Recompute PRC based on SML and TPM_Quote problem"
Message-ID: <469...@ia...>
Date: Mon, 16 Jul 2007 09:28:06 +0200


HTH

-- 
Martin Pirker
IAIK, TU Graz

[Trustedjava-support] Pharmacy paradice

[Pedro D. <gra...@ae...>]

[Trustedjava-support] Questions regarding Quote

[Till B. <ti...@on...>]

Hello,

I try to do a tpm_quote. I managed to set the relevant pPCRs, the validation
information and actually execute the
quote call.

My problem is now that i somehow want to check the quote. How can I do that
on a PC without a TPM. As far as I understood the quote process computes a
hash over the quoted PCRs and stores it in TcTpmQuoteInfo.getDigestValue()

I have the values of each quoted PCR, but how do I manually recompute that
value so I can check the quote?

Thanks.
-- 
MfG
  Till

**********************************************
      Der Benutzer ist eine nicht zu
  tolerierende Quelle der Unsicherheit
**********************************************

Re: [Trustedjava-support] Key Uuid

[<ron...@ia...>]

Hello Till,



Till Bentz wrote:


> Hello,
>
> I create a new key with the following code based on the examples:
>
> -- 
>         TcIRsaKey signingKey = 
> context.createRsaKeyObject(TcTssConstants.TSS_KEY_SIZE_2048 | 
> TcTssConstants.TSS_KEY_TYPE_SIGNING
>                 | TcTssConstants.TSS_KEY_MIGRATABLE);
>         keyUsagePolicy.assignToObject(signingKey);
>         keyMigrationPolicy.assignToObject(signingKey);
>         signingKey.createKey(srk, null);
>         signingKey.loadKey(srk);
> -- 
>
> This seems to work. But how can I make this key to appear in the list 
> of loaded keys of my TPM. Also this key always has the Uuid 
> 00000000-0000-0000-0000-000000000000. Is that correct? It seems 
> somehow strange...
> -- 
> MfG
>   Till

At the creation of a TcIRsaKey object, no UUID is generated.
In general, UUIDs are only needed when using persistent storage. For 
instance (see the code below for an example), when you register a key in 
the PS, you need to provide an UUID.

TcTssUuid keyUUID = TcUuidFactory.getInstance().generateRandomUuid();

context.registerKey(key, TcTssConstants.TSS_PS_TYPE_SYSTEM, keyUuid,
                      TcTssConstants.TSS_PS_TYPE_SYSTEM,

See also the example code from jTpmTools, in iaik/tc/apps/jtt/keys/*,java.

Regards, Ronald

-- 
Ronald Toegl
IAIK, TU Graz