|
From: 柳 <liu...@12...> - 2013-05-15 08:04:16
|
May 15, 2013
Dear sir/madam,
I am very glad to write this letter to ask for your help. I'm a student at Beijing Institute of Technology. I am currently developing a demonstration of trusted computing using TPM_emulator and jTSS. I have now installed the TPM_emulator and jTSS 0.6 successfully. Furthermore, jTSS can access TPM_emulator via the example 0.6.sh. But now I have found that the value of the PCRs is zero. The TPM_emulator has not measured anything. I sincerely want your help. I hope to get some instances for measuring and for demonstrating how to develop PTS.
Sincerely yours,
LiuWei |
|
From: Martin P. <Mar...@ia...> - 2013-04-25 08:04:48
|
Hi...
On 2013-04-24 11:50, ravi kiran wrote:
> I am trying to do basic NVRAM operations like definespace,read and write.
> The problem is i am unable to Instantiate TcINvram.
TcINvRam is an interface. You cannot instantiate interfaces in Java.
> I could'nt find any docs or examples .
The Javadoc for jTSS is also available online:
http://trustedjava.sourceforge.net/jtss/javadoc_tsp/index.html
> Can you please provide a sample to do the same?
jTpmTools comes with sources, there are 5 commands named nv_.....
HTH,
Martin |
|
From: ravi k. <rk...@ya...> - 2013-04-24 09:50:29
|
Hi
I am trying to do basic NVRAM operations like definespace, read and write. The problem is I am unable to instantiate TcINvram. I couldn't find any docs or examples. Can you please provide a sample to do the same?
Regards
Ravi |
|
From: ravi k. <rk...@ya...> - 2013-04-19 08:55:46
|
Hi Ronald,
Thanks for your reply.
Yes, I called the create key method. Given below is the list of method calls I used:
objKey.createKey(objsrk, null);
objKey.loadKey(objsrk);
objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO, TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_MODULUS);
objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO, TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT);
where objKey is an RSA key object of type migratable | legacy and objsrk is the wrapping key.
As said previously in the trailing mail, I am able to extract the public key and modulus but failed to extract only the RSA exponent.
Regards
Ravi
________________________________
From: Ronald Tögl <ron...@ia...>
To: Trustedjava IAIK <Tru...@li...>
Cc: ravi kiran <rk...@ya...>
Sent: Friday, 19 April 2013 1:36 PM
Subject: Re: [Trustedjava-support] Failed to get RSA Exponent using getAttribData
Hi Ravi,
Did you actually call the createKey() method or did you just create the Java object?
Ronald
On 04/19/2013 09:35 AM, ravi kiran wrote:
> Hi
>
> I recently started working on jTss.
> I have created a 2048 bit legacy key.
>
> I am getting Internal Software error while trying to export rsa key info using the below method
>
> objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO, TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT);
>
> The complete error stack is given below
>
> iaik.tc.tss.api.exceptions.tsp.TcTspException:
> TSS Error:
> error layer: 0x3000 (TSP)
> error code (without layer): 0x04
> error code (full): 0x3004
> error message: An internal SW error has been detected.
> additional info: Getter method did throw unknown exception (not a TcTssException).
> null
>  at iaik.tc.tss.impl.java.tsp.TcAttributes.getAttribData(TcAttributes.java:170).
>
> but when i try to get rsa modulus using below method call
>
> objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO, TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_MODULUS);
>
> i am getting result without error.
>
> My system configuration is windows7 Ultimate 64 bit,java-64 bit
>
> Kindly assist me
>
> Regards
> Ravi
_______________________________________________
Trustedjava-support mailing list
Tru...@li...
https://lists.sourceforge.net/lists/listinfo/trustedjava-support
--
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at/ |
|
From: Ronald T. <ron...@ia...> - 2013-04-19 08:28:54
|
Hi Ravi,
Did you actually call the createKey() method or did you just create the Java object?
Ronald
On 04/19/2013 09:35 AM, ravi kiran wrote:
> Hi
> I recently started working on jTss.
> I have created a 2048 bit legacy key.
> I am getting Internal Software error while trying to export rsa key
> info using the below method
> objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO,
> TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT);
> The complete error stack is given below
> iaik.tc.tss.api.exceptions.tsp.TcTspException:
> TSS Error:
> error layer: 0x3000 (TSP)
> error code (without layer): 0x04
> error code (full): 0x3004
> error message: An internal SW error has been detected.
> additional info: Getter method did throw unknown exception (not a
> TcTssException).
> null
> at
> iaik.tc.tss.impl.java.tsp.TcAttributes.getAttribData(TcAttributes.java:170).
> but when i try to get rsa modulus using below method call
> objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO,
> TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_MODULUS);
> i am getting result without error.
> My system configuration is windows7 Ultimate 64 bit,java-64 bit
> Kindly assist me
> Regards
> Ravi
--
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at |
|
From: ravi k. <rk...@ya...> - 2013-04-19 07:35:59
|
Hi
I recently started working on jTss.
I have created a 2048 bit legacy key.
I am getting an Internal Software error while trying to export RSA key info using the below method:
objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO, TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT);
The complete error stack is given below:
iaik.tc.tss.api.exceptions.tsp.TcTspException:
TSS Error:
error layer: 0x3000 (TSP)
error code (without layer): 0x04
error code (full): 0x3004
error message: An internal SW error has been detected.
additional info: Getter method did throw unknown exception (not a TcTssException).
null
 at iaik.tc.tss.impl.java.tsp.TcAttributes.getAttribData(TcAttributes.java:170).
But when I try to get the RSA modulus using the below method call
objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO, TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_MODULUS);
I am getting the result without error.
My system configuration is Windows 7 Ultimate 64 bit, Java 64 bit.
Kindly assist me
Regards
Ravi |
|
From: Michael S. <ms...@nt...> - 2013-03-16 00:43:18
|
There's a TSS/TPM mismatch in your implementation.
The passed-in algorithm value for TcITpm.CollateIdentity is one of TSS_ALG_* per the software stack document, BUT the values in the encrypted TPM_IDENTITY_REQ (aka TcTpmIdentityReq) are supposed to be TPM_* values per part 2. Specifically, identityReq.symAlgorithm.algorithmID is supposed to be of type TPM_ALGORITHM_ID and identityReq.symAlgorithm.encScheme is supposed to be of type TPM_ENC_SCHEME (one of TPM_ES_SYM_*). Instead, it looks like the TSS_ALG_ value is being stored in the blob for the algorithmId. I'm still trying to find out where the encScheme value of "21" is coming from.
Continuing on this, CBC isn't a valid encryption scheme for AES keys according to 5.8.1 of part 2. CTR or OFB appear to be required.
TPM_ES_SYM_CNT should probably be TPM_ES_SYM_CTR in iaik.tc.tss.api.constants.tpm.
Mike |
|
From: Najeeb Ur R. <naj...@nu...> - 2013-02-22 06:39:48
|
Dear All,
I am trying to unbind a bound byte stream using jTPMTools
(/jTpmTools_0.7/src/iaik/tc/apps/jtt/data/Unbind.java).
int i;
for (i = 0; i < byteData.length / blockLen; i++) {
    TcBlobData rawData = TcBlobData.newByteArray(byteData, i * blockLen, blockLen);
    encData.setAttribData(TcTssConstants.TSS_TSPATTRIB_ENCDATA_BLOB,
            TcTssConstants.TSS_TSPATTRIB_ENCDATABLOB_BLOB, rawData);
    TCTest.printByteArray(rawData.asByteArray(), "Raw Data");
    if (i == 0) {
        unboundData = TcBlobData.newBlobData(encData.unbind(key));
    } else {
        unboundData.append(encData.unbind(key));
    }
    TCTest.printByteArray(unboundData.asByteArray(), "Intermediate");
}
In the code given above, rawData is fine, but when I try to get the final
unboundData, it always returns me NULL DATA (a sequence of 0's).
Can anyone tell me if there is any technical problem with doing this?
Is there any other way to do the same task?
Thanks in advance.
Let me know if any more clarification is needed.
--
Regards
Najeeb-Ur Rehman
|
|
From: Michael S. <ms...@nt...> - 2013-02-18 17:41:11
|
On 2/17/2013 10:11 PM, Michael StJohns wrote:
> The second problem I encountered was in the same code. I attempted to
> lock the NVRam by defining space of size 0 at index 0xffffffff so I
> wouldn't encounter further problems. Unfortunately, that failed with a
> Null pointer error which I traced to line 88 of TcNvRam. You pass in
> a null pointer for the iAuth argument and later routines blow up
> because of it. I haven't yet tried the simple work around of
> commenting out this "if" block, but it's probable that
> TcTspInternal.TspNvDefineSpace_Internal needs some revision to catch
> null arguments and handle them properly.
This appears to be specific to the SOAP binding. TcTcsBindingSoap fails at line 2532 due to the null value for inAuth1. So there's an argument encoding issue for SOAP.
Mike |
|
From: Michael S. <ms...@nt...> - 2013-02-18 04:10:21
|
After a long break, I'm finally getting back to this, and with a
different set of TPMs.
I've got an STM TPM on my Lenovo T530 (as opposed to the intel one I had
on the T510). I've got an ATMEL TPM on a server machine with a TPM
daughter card.
It turns out that the TPM daughter card with the ATMEL TPM does not have
the nvLocked bit set. I found this out when I was trying to use the
TPM_NV_INDEX_TRIAL index to check space availability, which instead
ended up actually creating stuff. I tried both the 0xf004 and
0x1000f004 indexes and both ended up creating NV space. I was easily
able to delete the 0xf004 stuff, but I kept getting an error when I
tried to delete the 0x1000f004 item. This turned out to be a problem in
/jTSS_0.7a/src/jtss_tsp/src/iaik/tc/tss/impl/java/tsp/TcNvRam.java
around line 261. The code checks to see if you're trying to delete an
index with the D bit set and throws an error, rather than attempting to
do the delete and passing on the TPM originated error.
What I think you probably wanted to do here is do a try/catch block
around the low-level call, and if there is an error, change the error
cause message on the caught exception and continue the throw.
Basically, explain the error if it happens, rather than anticipating it.
e.g.
try {
    TcTspInternal.TspNvDefineSpace_Internal(context_, pubData, encAuth,
            inAuth1, ownerAuth);
} catch (TcTssException ex) {
    if (ex.getErrCode() == TPM_E_BADINDEX) {
        if ((nvIndex_ & TcTssConstants.TSS_NV_DEFINED) != 0) {
            ex.setMessage("index with set-defined bit is not allowed");
        }
    }
    throw ex;
}
I know there isn't a setMessage method for TcTssException, but you
should either have that or the normal exception "new
<exception>(Throwable cause)" constructor.
For my work around, I commented out the block and was able to delete
both rogue indexes.
The second problem I encountered was in the same code. I attempted to
lock the NVRam by defining space of size 0 at index 0xffffffff so I
wouldn't encounter further problems. Unfortunately, that failed with a
Null pointer error which I traced to line 88 of TcNvRam. You pass in a
null pointer for the iAuth argument and later routines blow up because
of it. I haven't yet tried the simple work around of commenting out
this "if" block, but it's probable that
TcTspInternal.TspNvDefineSpace_Internal needs some revision to catch
null arguments and handle them properly.
Thanks - Mike
On 7/9/2012 10:55 AM, Michael Gissing wrote:
> On 05/14/2012 07:31 PM, Michael StJohns wrote:
>> Hi --
>
> Hi Michael,
>
>> For some reason, TcTpmConstants.TPM_NV_INDEX_TRIAL has the "D" bit
>> set. This is probably a bug.
>
> I agree that this is not the best value for this constant. It will be
> changed to 0x0000f004 in a future release. Anyhow please note that
> it's a valid index according to the specification.
>
>> I used the constant in TcINvRam.defineSpace (in TcTpmNvData) to see if I
>> had space to create a 100 octet space. What I ended up with was a
>> permanent 100 octet space that I can't get rid of.
>
> What exactly do you mean by 'can't get rid of'? According to the TPM
> specification this should not happen. When you try to define an index
> with the D-bit set, a shipped TPM should return TPM_BADINDEX. Which
> TPM do you use? Is the TPM's nvLocked bit set to true? If it is not,
> then D-bit indices can be defined, but also deleted.
>
> Can you please provide the output of the following commands?
>
> jtt tpm_version
> jtt tpm_flags
> jtt nv_decode --index 0x1000f004
>
>> When I use the correct value - 0xF004 - as the index, I get the
>> anticipated behavior. A "success" results in a return with no creation.
>
> That's what I would have expected ;)
>
>> I'd review all of the TPM_NV_INDEX_* values and make sure you're using
>> the correct values.
>
> Both versions with and without D-bit set are correct. For
> compatibility reasons the other constants will remain unchanged.
>
>> Mike
>
> HTH,
> Michael
|
|
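Added example, not part of the thread and not jTSS code: a pre-flight helper that encodes what the two posters report about NV_DefineSpace, so a caller can see before the call whether a "trial" define will really allocate space. The class, enum and method names are hypothetical; the D bit is taken as bit 28 (0x10000000), the difference between the two index values quoted above, and the outcomes are the ones described in the messages, not a full model of the TPM.

```java
public class NvDefinePreflight {

    // Bit 28 of a TPM 1.2 NV index: the "D" (defined) bit discussed in the thread.
    static final int D_BIT = 0x10000000;
    // Index used with size 0 to lock NV, as described in the message above.
    static final int NV_INDEX_LOCK = 0xFFFFFFFF;
    // Trial index without the D bit, the value the thread calls correct.
    static final int NV_INDEX_TRIAL = 0x0000F004;

    enum Outcome { LOCKS_NV, CREATES_SPACE, DRY_RUN_ONLY, BAD_INDEX, NORMAL_DEFINE }

    static boolean hasDBit(int index) {
        return (index & D_BIT) != 0;
    }

    /**
     * Expected result of defining `size` bytes at `index`, given the TPM's
     * nvLocked flag (readable with "jtt tpm_flags" according to the thread).
     */
    static Outcome expectedDefineSpace(int index, int size, boolean nvLocked) {
        if (index == NV_INDEX_LOCK && size == 0) {
            return Outcome.LOCKS_NV;            // lock request, nothing allocated
        }
        if (!nvLocked) {
            // Reported for the unlocked ATMEL TPM: 0xf004 and 0x1000f004 both
            // ended up creating space; D-bit indices can be defined and deleted.
            return Outcome.CREATES_SPACE;
        }
        if (hasDBit(index)) {
            return Outcome.BAD_INDEX;           // a locked TPM should return TPM_BADINDEX
        }
        if (index == NV_INDEX_TRIAL) {
            return Outcome.DRY_RUN_ONLY;        // success without creation
        }
        return Outcome.NORMAL_DEFINE;
    }

    /** Human-readable warning for the surprising cases, or null if there is none. */
    static String warning(int index, int size, boolean nvLocked) {
        Outcome o = expectedDefineSpace(index, size, nvLocked);
        boolean trialLike = (index & ~D_BIT) == NV_INDEX_TRIAL;
        if (o == Outcome.CREATES_SPACE && trialLike) {
            return "nvLocked is false: this trial define will allocate real NV space";
        }
        if (o == Outcome.BAD_INDEX) {
            return "index has the D bit set and the TPM is locked: expect TPM_BADINDEX";
        }
        return null;
    }

    public static void main(String[] args) {
        int[] indices = { 0x0000F004, 0x1000F004, 0xFFFFFFFF };
        boolean[] lockStates = { false, true };
        for (int index : indices) {
            for (boolean locked : lockStates) {
                int size = (index == NV_INDEX_LOCK) ? 0 : 100; // 100 octets as in the thread
                String w = warning(index, size, locked);
                System.out.printf("index=0x%08x size=%d nvLocked=%b -> %s%s%n",
                        index, size, locked,
                        expectedDefineSpace(index, size, locked),
                        w == null ? "" : "  [" + w + "]");
            }
        }
    }
}
```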
From: <Fed...@ff...> - 2013-01-15 10:23:41
|
I was wondering whether it is possible to drop the PCA public key as a parameter to the TPM when calling the CollateIdentityRequest method. Is it a requirement that the request to the PCA is encrypted? What if I don't care? Can I just give null as PCAPubKey parameter?
Federico |
|
From: <Fed...@ff...> - 2012-11-13 15:14:42
|
Quick question about the quote method in the Attestor class of the jsr321.
I thought PCR values could be signed only by an AIK, but I see that also using a normal SigningKey is possible. Doesn't this give the opportunity to feed false external PCR values to the TPM and make it sign with the Signing key? I thought that was the reason why only AIKs could be used, since they can only sign data generated inside the TPM. Or is there a way to force a SigningKey to not sign external data? Or did I misunderstand something?
Thanks for any clarification!
Federico |
|
From: <Fed...@ff...> - 2012-11-07 13:26:18
|
Hi,
Thanks for the clarification. I was also wondering whether it is actually so that a legacy key can ONLY be an external RSA key, or whether the TPM should also be able to internally generate a legacy key according to the specs, but the functionality is not offered by the JSR 321?
Federico
-----Original Message-----
From: Ronald Tögl [mailto:ron...@ia...]
Sent: 6 November 2012 15:20
To: tru...@li...
Subject: Re: [Trustedjava-support] Legacy keys
Hi Federico,
You're right, the TPM spec does allow binding and unbinding with legacy keys. Yet, the JSR321 API specification does not. Actually the functionality did not occur to the JSR321 expert group at the time of writing the spec.. :-/
Feel free to add the functionality to your Binder implementation.
Ronald
On 11/06/2012 01:17 PM, Fed...@ff... wrote:
> Hi,
> According to the JSR321 documentation, Legacy keys are the only one that can perform both signing and encryption. I can see that the Signer object also has a method that accepts legacy keys, but what about encryption? Should I use an external library to do that? And if so, how do I decrypt the data with the private key, if only the TPM has access to it? I thought of the Binder and RemoteBinder objects, which are the only ones that have to do with encryption, but they do not accept Legacy keys.
> Any tips?
>
> Thanks!
>
> Federico
--
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at |
|
From: Ronald T. <ron...@ia...> - 2012-11-06 14:20:18
|
Hi Federico,
You're right, the TPM spec does allow binding and unbinding with legacy keys. Yet, the JSR321 API specification does not. Actually the functionality did not occur to the JSR321 expert group at the time of writing the spec.. :-/
Feel free to add the functionality to your Binder implementation.
Ronald
On 11/06/2012 01:17 PM, Fed...@ff... wrote:
> Hi,
> According to the JSR321 documentation, Legacy keys are the only one that can perform both signing and encryption. I can see that the Signer object also has a method that accepts legacy keys, but what about encryption? Should I use an external library to do that? And if so, how do I decrypt the data with the private key, if only the TPM has access to it? I thought of the Binder and RemoteBinder objects, which are the only ones that have to do with encryption, but they do not accept Legacy keys.
> Any tips?
>
> Thanks!
>
> Federico
--
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at |
|
From: <Fed...@ff...> - 2012-11-06 12:17:56
|
Hi,
According to the JSR321 documentation, Legacy keys are the only one that can perform both signing and encryption. I can see that the Signer object also has a method that accepts legacy keys, but what about encryption? Should I use an external library to do that? And if so, how do I decrypt the data with the private key, if only the TPM has access to it? I thought of the Binder and RemoteBinder objects, which are the only ones that have to do with encryption, but they do not accept Legacy keys.
Any tips?
Thanks!
Federico |
|
From: <Fed...@ff...> - 2012-10-29 12:01:02
|
Hi again,
I have now been trying to modify a couple of lines of code in the Jtss libraries in order to be able to create AIK keys and import them programmatically, without having to go through command line. The problem was simply to be able to get out the UUID after the AIK was imported, in order to be able to store it programmatically and load the key later on, without the copy and paste from command line.
Now, I have done that, and on one computer it was working, by using the iaik_jtss_tcs.jar and iaik_jtss_tsp.jar I had recompiled (both of them since I had to modify the AbstracApp class in iaik.tc.utils.cmdline package, which is common to both jar).
Now I got a new laptop and did the same, but when I use the new libraries (which I put in the lib folder where the jtss is installed), it says that it can't bind to the TCS core. I used the source included with the jtss package to do the modifications, but when I compared the original jar and the one I built, I could see that many classes were slightly bigger in the custom one (1 kB). Is the source version different from what is in the precompiled jar files?
Federico |
|
From: Michael G. <m.g...@tu...> - 2012-10-21 00:09:08
|
On 2012-10-18 11:04, Fed...@ff... wrote:
> Btw, where do I see exactly which firmware version I have?
You can find the information in the output of tpm_version.
-----
TPM Version Info:
version: 1.2 rev: 3.17
specLevel: 2
errataRev: 2
tpmVendorID: Infineon ("IFX")
vendorSpecificSize: 5
vendorSpecificData: 03 11 00 08 00
-----
The string after 'rev:' is the firmware revision of IFX TPMs, so 3.17 in
this example.
Michael
|
|
From: <Fed...@ff...> - 2012-10-18 09:16:51
|
Here is the output of the test you sent me. It confirms what you said. Waiting for new laptop...:)
Thanks again.
Federico
run:
-== TPM Information ==-
TPM Version Info:
tpmVendorID: IFX
-== VALIDATION ==-
The calculated SHA-1 hash of the modulus:
df5733968e250ebe07b82bb099109f5590d57dfa
The SHA-1 hash of the modulus as it was returned in the validation data:
4a06c58f10e86cf76bec2cce0cb71dac927a4e54
The SHA-1 hash of the entire TPM_STORE_PUBKEY struct
4a06c58f10e86cf76bec2cce0cb71dac927a4e54
ERROR: Digest of the certified key's modulus does not match the one in the provided validation data!
______________
SUCCESS: Signature successfully verified.
______________
SUCCESS: The nonce was successfully verified.
______________
2012/10/18 <Fed...@ff...>
-----Original Message-----
From: Martin Pirker [mailto:Mar...@ia...]
Sent: 18 October 2012 10:15
To: tru...@li...
Subject: Re: [Trustedjava-support] validate a certified key
On 2012-10-17 22:29, Ronald Tögl wrote:
> I recall that some not so old Infineon TPMs needed a Firmware Update (to 3.17) to certify keys correctly...
IFX TPMs up to FW 3.16 are calculating the hash over the entire TPM_STORE_PUBKEY struct instead of just the key modulus as described in the TPM specification.
This was fixed in FW 3.17.
FYI, test code to check for this TPM bug and sample outputs attached.
HTH,
Martin
|
|
From: <Fed...@ff...> - 2012-10-18 09:04:52
|
Hi,
Thanks for the answer!
I would have never thought something like that, and it seems like that is indeed the problem. Since I had no idea how to find out the firmware version I tried running the test script that comes with the jTSS, and the last test says exactly:
"skipping testCertifyKeyandValidate() on IFX TPM's with revision <3.17"....
Well, updating the firmware does not seem an easy task. HP has a long list of requirements to make it work, among which having taken ownership of the TPM through the HP security tools, installing the HP protect tools, etc.... Maybe I should just wait for my new laptop...
Federico
Btw, where do I see exactly which firmware version I have?
From: Ronald Tögl [mailto:ron...@ia...]
Sent: 17 October 2012 22:30
To: Mancini, Federico; tru...@li...
Subject: Re: [Trustedjava-support] validate a certified key
Hi,
What TPM are you using? I recall that some not so old Infineon TPMs needed a Firmware Update (to 3.17) to certify keys correctly...
t
Ronald
On 17.10.2012 15:01, Fed...@ff... wrote:
Hi again,
Just wondering whether anyone has any idea why this code returns false (that is, the key that I certified with the AIK does not seem to be valid when reversing the certification process). Some digging revealed that the test failed when the digest of the public key of sign is compared with the digest extracted from val.getData() (I checked the code in RemoteCertifierImpl). The two digests are indeed different, but why? I don't see how that can fail, since I am passing the validation data directly to the remote certifier.....
TPMContext context=TPMContext.getInstance();
context.connect(null);
TPM tpm=context.getTPMInstance();
Certifier cert=context.getCertifier();
IdentityKey aikKey=(IdentityKey) manager.loadTPMSystemKey(srk, UUID.fromString("15b986a9-6124-4c70-bf1b-4a9e39e5998c"), secretAik);
SigningKey sign = (SigningKey) manager.loadTPMSystemKey(srk, UUID.fromString("13f478d6-f5a9-4445-892a-730427a2fe69"), Secret.WELL_KNOWN_SECRET);
Digest digest = context.getDigest(tpm.getRandom(20));
ValidationData val = cert.certifyKey(sign, aikKey, digest);
RemoteCertifier remCert=context.getRemoteCertifier();
System.out.println("The signing key is valid = "+remCert.validate(val, (RSAPublicKey) sign.getPublicKey(), (RSAPublicKey) aikKey.getPublicKey(), digest));
Federico
|
|
From: Martin P. <Mar...@ia...> - 2012-10-18 08:17:21
|
On 2012-10-17 22:29, Ronald Tögl wrote:
> I recall that some not so old Infineon TPMs needed a Firmware Update (to 3.17) to certify keys correctly...
IFX TPMs up to FW 3.16 are calculating the hash over the entire TPM_STORE_PUBKEY struct instead of just the key modulus as described in the TPM specification.
This was fixed in FW 3.17.
FYI, test code to check for this TPM bug and sample outputs attached.
HTH,
Martin |
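Added example, not part of the thread and not the test code attached to the message above: a verifier-side check that tells the two digest forms apart, so a failed certify-key validation can be attributed to the pre-3.17 firmware behaviour rather than to a wrong key. It assumes TPM_STORE_PUBKEY serializes as a 4-byte big-endian keyLength followed by the modulus; the class and method names are hypothetical and the key is generated locally as constructed sample input.

```java
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.interfaces.RSAPublicKey;

public class CertifiedKeyDigestCheck {

    enum DigestForm { MODULUS_ONLY, WHOLE_STORE_PUBKEY, NO_MATCH }

    /** Modulus as unsigned big-endian bytes (BigInteger may prepend a 0x00 sign byte). */
    static byte[] unsignedModulus(RSAPublicKey key) {
        BigInteger n = key.getModulus();
        byte[] raw = n.toByteArray();
        byte[] out = new byte[(n.bitLength() + 7) / 8];
        int copy = Math.min(raw.length, out.length);
        System.arraycopy(raw, raw.length - copy, out, out.length - copy, copy);
        return out;
    }

    /** Assumed TPM_STORE_PUBKEY layout: UINT32 keyLength (big-endian) || key bytes. */
    static byte[] storePubkey(byte[] modulus) {
        return ByteBuffer.allocate(4 + modulus.length)
                .putInt(modulus.length)
                .put(modulus)
                .array();
    }

    static byte[] sha1(byte[] data) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(data);
    }

    /**
     * Compares the digest reported in the validation data against both forms.
     * MODULUS_ONLY is the behaviour the thread describes as per specification;
     * WHOLE_STORE_PUBKEY is what IFX firmware up to 3.16 is reported to produce.
     */
    static DigestForm classify(RSAPublicKey certifiedKey, byte[] reportedDigest) throws Exception {
        byte[] modulus = unsignedModulus(certifiedKey);
        if (MessageDigest.isEqual(sha1(modulus), reportedDigest)) {
            return DigestForm.MODULUS_ONLY;
        }
        if (MessageDigest.isEqual(sha1(storePubkey(modulus)), reportedDigest)) {
            return DigestForm.WHOLE_STORE_PUBKEY;
        }
        return DigestForm.NO_MATCH;
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a locally generated key stands in for the certified key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        RSAPublicKey key = (RSAPublicKey) gen.generateKeyPair().getPublic();
        byte[] modulus = unsignedModulus(key);

        byte[] specDigest = sha1(modulus);                  // what a fixed TPM would report
        byte[] legacyDigest = sha1(storePubkey(modulus));   // what FW <= 3.16 would report

        System.out.println("modulus digest:      " + hex(specDigest));
        System.out.println("store-pubkey digest: " + hex(legacyDigest));
        System.out.println(classify(key, specDigest));      // MODULUS_ONLY
        System.out.println(classify(key, legacyDigest));    // WHOLE_STORE_PUBKEY
        System.out.println(classify(key, new byte[20]));    // NO_MATCH
    }
}
```

A verifier that chooses to accept WHOLE_STORE_PUBKEY should do so as an explicit policy for known affected firmware, and still verify the signature and nonce as the test output in the thread does.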
|
From: Ronald T. <ron...@ia...> - 2012-10-17 20:29:31
|
Hi,
What TPM are you using? I recall that some not so old Infineon TPMs
needed a Firmware Update (to 3.17) to certify keys correctly...
t
Ronald
On 17.10.2012 15:01, Fed...@ff... wrote:
>
> Hi again,
>
> Just wondering whether anyone has any idea why this code returns false
> (that is, the key that I certified with the AIK does not seem to be
> valid when reversing the certification process). Some digging
> revealed that the test failed when the digest of the public key of
> sign is compared with the digest extracted from val.getData() (I checked
> the code in RemoteCertifierImpl). The two digests are indeed different,
> but why? I don't see how that can fail, since I am passing the
> validation data directly to the remote certifier.....
>
> TPMContext context=TPMContext.getInstance();
>
> context.connect(null);
>
> TPM tpm=context.getTPMInstance();
>
> Certifier cert=context.getCertifier();
>
> IdentityKey aikKey=(IdentityKey) manager.loadTPMSystemKey(srk,
> UUID.fromString("15b986a9-6124-4c70-bf1b-4a9e39e5998c"), secretAik);
>
> SigningKey sign = (SigningKey)
> manager.loadTPMSystemKey(srk,
> UUID.fromString("13f478d6-f5a9-4445-892a-730427a2fe69"),
> Secret.WELL_KNOWN_SECRET);
>
> Digest digest = context.getDigest(tpm.getRandom(20));
>
> ValidationData val = cert.certifyKey(sign, aikKey, digest);
>
> RemoteCertifier remCert=context.getRemoteCertifier();
>
> System.out.println("The signing key is valid =
> "+remCert.validate(val, (RSAPublicKey) sign.getPublicKey(),
> (RSAPublicKey) aikKey.getPublicKey(), digest));
>
> Federico
|
|
From: <Fed...@ff...> - 2012-10-17 13:02:07
|
Hi again,
Just wondering whether anyone has any idea why this code returns false (that is, the key that I certified with the AIK does not seem to be valid when reversing the certification process). Some digging revealed that the test failed when the digest of the public key of sign is compared with the digest extracted from val.getData() (I checked the code in RemoteCertifierImpl). The two digests are indeed different, but why? I don't see how that can fail, since I am passing the validation data directly to the remote certifier.....
TPMContext context=TPMContext.getInstance();
context.connect(null);
TPM tpm=context.getTPMInstance();
Certifier cert=context.getCertifier();
IdentityKey aikKey=(IdentityKey) manager.loadTPMSystemKey(srk, UUID.fromString("15b986a9-6124-4c70-bf1b-4a9e39e5998c"), secretAik);
SigningKey sign = (SigningKey) manager.loadTPMSystemKey(srk, UUID.fromString("13f478d6-f5a9-4445-892a-730427a2fe69"), Secret.WELL_KNOWN_SECRET);
Digest digest = context.getDigest(tpm.getRandom(20));
ValidationData val = cert.certifyKey(sign, aikKey, digest);
RemoteCertifier remCert=context.getRemoteCertifier();
System.out.println("The signing key is valid = "+remCert.validate(val, (RSAPublicKey) sign.getPublicKey(), (RSAPublicKey) aikKey.getPublicKey(), digest));
Federico
|
|
From: <Fed...@ff...> - 2012-10-09 09:25:43
|
Hi again,
Just wanted to inform you, in case anyone else might be interested, that I have tested the rest API to communicate to PrivacyCA.com, and they seem to work. Here is the code:
public class PrivacyCAaik {
    public static void main(String[] args){
        //First retrieve the PrivacyCA certificate of the level you want
        String[] arg1 = new String[5];
        arg1[0] = "rest_cacert";
        arg1[1] = "--level";
        arg1[2] = "1";
        arg1[3] = "--cacert";
        arg1[4] = "cacertLevel1";
        PKIClient.main(arg1);
        //Then create the AIK
        String[] arg=new String[11];
        arg[0]="rest_aik_create";
        arg[1]="--cacert";
        arg[2]="cacertLevel1";
        arg[3]="-a";
        arg[4]="aiksecret";
        arg[5]="-l";
        arg[6]="aikRest";
        arg[7]="-o";
        arg[8]="YOUR_TPM_OWNER_SECRET";
        arg[9]="--level";
        arg[10]="1";//MUST BE THE SAME AS THE CACERT OR YOU GET 403 RESPONSE CODE
        PKIClient.main(arg);
    }
}
Federico |
|
From: <Fed...@ff...> - 2012-10-04 09:51:34
|
I will answer myself: no idea why it didn't work (tried for a whole day), but just restart your computer, it might magically work afterwards, as it happened in my case....
Now, I have the AIK and a signing key, and I would like to use the AIK to certify the key and get a TPM_CERTIFY_INFO data structure that can be used in the SKAE extension of a X509 certificate. I used the JSR321 Certifier class to generate a ValidationData Object, question is, how is the ValidationData object related to the TPM_CERTIFY_INFO structure? The validationData returned from the DataValidation object, is it some random data, or the public part of the signing key I certified? I see that the jTSS has a TcTPMCertifyInfo class that could return the exact structure, is it possible to use it from the JSR321? Or is it exactly what happens when using the Certifier?
Thanks for any insight!
Federico
From: Mancini, Federico
Sent: 3 October 2012 14:43
To: Mancini, Federico; Tru...@li...
Subject: RE: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically
(Sorry if this has been sent twice, but I got a message about that something was blocked because too big, so I resent it with no previous conversations)
Hi,
I did some digging (used the getStoredTPMKeys method....), and found out that the error was due to the fact that I used the LoadTPMKey method instead of the loadTPMSystemKey method. (By the way, what is the difference?) However now I get another error: Authorization failed. I assume this has to do with the secret associated to the key. Do I create it wrong, or is the srk not the actual parent key of all AIKs created as illustrated here http://java.net/projects/jsr321/pages/SetupIAIKTCK?
StorageRootKey srk=keyManager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
Secret pass=context.getSecret("justASecret".toCharArray());
IdentityKey aik=(IdentityKey) keyManager.loadTPMSystemKey(srk,uuid,pass);
Federico |
|
From: <Fed...@ff...> - 2012-10-03 12:42:51
|
(Sorry if this has been sent twice, but I got a message about that something was blocked because too big, so I resent it with no previous conversations)
Hi,
I did some digging (used the getStoredTPMKeys method....), and found out that the error was due to the fact that I used the LoadTPMKey method instead of the loadTPMSystemKey method. (By the way, what is the difference?) However now I get another error: Authorization failed. I assume this has to do with the secret associated to the key. Do I create it wrong, or is the srk not the actual parent key of all AIKs created as illustrated here http://java.net/projects/jsr321/pages/SetupIAIKTCK?
StorageRootKey srk=keyManager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
Secret pass=context.getSecret("justASecret".toCharArray());
IdentityKey aik=(IdentityKey) keyManager.loadTPMSystemKey(srk,uuid,pass);
Federico |