From: Martin P. <Mar...@ia...> - 2013-04-25 08:04:48
Hi...

On 2013-04-24 11:50, ravi kiran wrote:
> I am trying to do basic NVRAM operations like definespace,read and write.
> The problem is i am unable to Instantiate TcINvram.

TcINvRam is an interface. You cannot instantiate interfaces in Java.

> I could'nt find any docs or examples .

The Javadoc for jTSS is also available online:
http://trustedjava.sourceforge.net/jtss/javadoc_tsp/index.html

> Can you please provide a sample to do the same?

jTpmTools comes with sources, there are 5 commands named nv_.....

HTH,
Martin
From: ravi k. <rk...@ya...> - 2013-04-24 09:50:29
Hi

I am trying to do basic NVRAM operations like defineSpace, read and write. The problem is I am unable to instantiate TcINvRam. I couldn't find any docs or examples. Can you please provide a sample to do the same?

Regards
Ravi
From: ravi k. <rk...@ya...> - 2013-04-19 08:55:46
Hi Ronald,

Thanks for your reply. Yes, I called the create key method. Given below is the list of method calls I used:

    objKey.createKey(objsrk, null);
    objKey.loadKey(objsrk);
    objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO,
                         TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_MODULUS);
    objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO,
                         TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT);

where objKey is an RSA key object of type migratable | legacy and objsrk is the wrapping key. As said previously in the trailing mail, I am able to extract the public key and modulus but failed to extract only the RSA exponent.

Regards
Ravi

________________________________
From: Ronald Tögl <ron...@ia...>
To: Trustedjava IAIK <Tru...@li...>
Cc: ravi kiran <rk...@ya...>
Sent: Friday, 19 April 2013 1:36 PM
Subject: Re: [Trustedjava-support] Failed to get RSA Exponent using getAttribData

Hi Ravi,

Did you actually call the createKey() method or did you just create the Java object?

Ronald

On 04/19/2013 09:35 AM, ravi kiran wrote:
> Hi
>
> I recently started working on jTss.
> I have created a 2048 bit legacy key.
>
> I am getting Internal Software error while trying to export rsa key info using the below method
>
> objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO, TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT);
>
> The complete error stack is given below
>
> iaik.tc.tss.api.exceptions.tsp.TcTspException:
> TSS Error:
> error layer: 0x3000 (TSP)
> error code (without layer): 0x04
> error code (full): 0x3004
> error message: An internal SW error has been detected.
> additional info: Getter method did throw unknown exception (not a TcTssException).
> null
>   at iaik.tc.tss.impl.java.tsp.TcAttributes.getAttribData(TcAttributes.java:170).
>
> but when i try to get rsa modulus using below method call
>
> objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO, TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_MODULUS);
>
> i am getting result without error.
>
> My system configuration is windows7 Ultimate 64 bit,java-64 bit
>
> Kindly assist me
>
> Regards
> Ravi
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
>
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support

--
Dipl.-Ing. Ronald Tögl           phone +43 316/873-5502
Secure and Correct Systems       fax   +43 316/873-5520
IAIK                             ron...@ia...
Graz University of Technology    http://www.iaik.tugraz.at/
From: Ronald T. <ron...@ia...> - 2013-04-19 08:28:54
Hi Ravi,

Did you actually call the createKey() method or did you just create the Java object?

Ronald

On 04/19/2013 09:35 AM, ravi kiran wrote:
> Hi
> I recently started working on jTss.
> I have created a 2048 bit legacy key.
> I am getting Internal Software error while trying to export rsa key
> info using the below method
> objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO,
> TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT);
> The complete error stack is given below
> iaik.tc.tss.api.exceptions.tsp.TcTspException:
> TSS Error:
> error layer: 0x3000 (TSP)
> error code (without layer): 0x04
> error code (full): 0x3004
> error message: An internal SW error has been detected.
> additional info: Getter method did throw unknown exception (not a
> TcTssException).
> null
> at
> iaik.tc.tss.impl.java.tsp.TcAttributes.getAttribData(TcAttributes.java:170).
> but when i try to get rsa modulus using below method call
> objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO,
> TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_MODULUS);
> i am getting result without error.
> My system configuration is windows7 Ultimate 64 bit,java-64 bit
> Kindly assist me
> Regards
> Ravi

--
Dipl.-Ing. Ronald Tögl           phone +43 316/873-5502
Secure and Correct Systems       fax   +43 316/873-5520
IAIK                             ron...@ia...
Graz University of Technology    http://www.iaik.tugraz.at
From: ravi k. <rk...@ya...> - 2013-04-19 07:35:59
Hi

I recently started working on jTss. I have created a 2048 bit legacy key.

I am getting an Internal Software error while trying to export RSA key info using the below method:

    objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO,
                         TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_EXPONENT);

The complete error stack is given below:

    iaik.tc.tss.api.exceptions.tsp.TcTspException:
    TSS Error:
    error layer: 0x3000 (TSP)
    error code (without layer): 0x04
    error code (full): 0x3004
    error message: An internal SW error has been detected.
    additional info: Getter method did throw unknown exception (not a TcTssException).
    null
      at iaik.tc.tss.impl.java.tsp.TcAttributes.getAttribData(TcAttributes.java:170).

But when I try to get the RSA modulus using the below method call

    objKey.getAttribData(TcTssConstants.TSS_TSPATTRIB_RSAKEY_INFO,
                         TcTssConstants.TSS_TSPATTRIB_KEYINFO_RSA_MODULUS);

I am getting a result without error.

My system configuration is Windows 7 Ultimate 64 bit, Java 64 bit.

Kindly assist me.

Regards
Ravi
From: Michael S. <ms...@nt...> - 2013-03-16 00:43:18
There's a TSS/TPM mismatch in your implementation. The pass-in algorithm value for TcITpm.CollateIdentity is one of TSS_ALG_* per the software stack document, BUT the values in the encrypted TPM_IDENTITY_REQ (aka TcTpmIdentityReq) are supposed to be TPM_* values per part 2. Specifically, identityReq.symAlgorithm.algorithmID is supposed to be of type TPM_ALGORITHM_ID and identityReq.symAlgorithm.encScheme is supposed to be of type TPM_ENC_SCHEME (one of TPM_ES_SYM_*). Instead, it looks like the TSS_ALG_ value is being stored in the blob for the algorithmId. I'm still trying to find out where the encScheme value of "21" is coming from.

Continuing on this, CBC isn't a valid encryption scheme for AES keys according to 5.8.1 of part 2. CTR or OFB appear to be required.

TPM_ES_SYM_CNT should probably be TPM_ES_SYM_CTR in iaik.tc.tss.api.constants.tpm.

Mike
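The mismatch Mike describes is easy to check on the receiving side (a Privacy CA, or a unit test around the request builder), because the outer part of a TPM_IDENTITY_REQ is not encrypted: asymSize, symSize and the two TPM_KEY_PARMS headers are plain big-endian fields. The example below is added here and is neither jTSS code nor part of the list discussion; it parses that header and flags a symAlgorithm whose algorithmID is a TSS_ALG_* value (the TSS 1.2 constants 0x25..0x27 for AES, which you should confirm against your own tss_defines) or whose encScheme is anything other than TPM_ES_SYM_CTR/TPM_ES_SYM_OFB. The sample request is constructed in the test, with dummy asymBlob/symBlob bytes.

```python
"""Validate the symAlgorithm TPM_KEY_PARMS carried in a TPM 1.2 TPM_IDENTITY_REQ.
Added, stand-alone example: not jTSS code, uses no jTSS API, talks to no TPM."""
import struct
from dataclasses import dataclass

# TPM Main Part 2 values that belong inside the blob
TPM_ALG_AES128, TPM_ALG_AES192, TPM_ALG_AES256 = 0x06, 0x08, 0x09
TPM_ES_SYM_CTR, TPM_ES_SYM_OFB = 0x0004, 0x0005
TPM_SS_NONE = 0x0001
AES_ALGS = {TPM_ALG_AES128, TPM_ALG_AES192, TPM_ALG_AES256}
SYM_SCHEMES = {TPM_ES_SYM_CTR, TPM_ES_SYM_OFB}

# TSS 1.2 TSP-level identifiers (from the TSS 1.2 constant table; verify against
# your tss_defines) that a stack may leak into the blob by mistake.
TSS_TO_TPM_ALG = {0x25: TPM_ALG_AES128, 0x26: TPM_ALG_AES192, 0x27: TPM_ALG_AES256}


@dataclass
class KeyParms:
    algorithm_id: int
    enc_scheme: int
    sig_scheme: int
    parms: bytes

    def encode(self) -> bytes:
        # TPM_KEY_PARMS: UINT32 algorithmID, UINT16 encScheme, UINT16 sigScheme,
        # UINT32 parmSize, BYTE parms[parmSize]
        return struct.pack(">IHHI", self.algorithm_id, self.enc_scheme,
                           self.sig_scheme, len(self.parms)) + self.parms


def parse_key_parms(buf: bytes, off: int):
    alg, enc, sig, size = struct.unpack_from(">IHHI", buf, off)
    off += 12
    parms = buf[off:off + size]
    if len(parms) != size:
        raise ValueError("truncated TPM_KEY_PARMS")
    return KeyParms(alg, enc, sig, parms), off + size


def parse_identity_req(blob: bytes) -> dict:
    # TPM_IDENTITY_REQ: UINT32 asymSize, UINT32 symSize, TPM_KEY_PARMS asymAlgorithm,
    # TPM_KEY_PARMS symAlgorithm, BYTE asymBlob[asymSize], BYTE symBlob[symSize]
    asym_size, sym_size = struct.unpack_from(">II", blob, 0)
    asym, off = parse_key_parms(blob, 8)
    sym, off = parse_key_parms(blob, off)
    asym_blob = blob[off:off + asym_size]
    sym_blob = blob[off + asym_size:off + asym_size + sym_size]
    if len(asym_blob) != asym_size or len(sym_blob) != sym_size:
        raise ValueError("asymSize/symSize exceed the blob")
    return {"asym": asym, "sym": sym, "asymBlob": asym_blob, "symBlob": sym_blob}


def check_sym_algorithm(sym: KeyParms) -> list:
    """Return a list of problems; an empty list means the header is spec-conformant."""
    problems = []
    if sym.algorithm_id in TSS_TO_TPM_ALG:
        problems.append(f"algorithmID 0x{sym.algorithm_id:02x} is a TSS_ALG_* value; "
                        f"TPM_ALG_* 0x{TSS_TO_TPM_ALG[sym.algorithm_id]:02x} expected")
    elif sym.algorithm_id not in AES_ALGS:
        problems.append(f"algorithmID 0x{sym.algorithm_id:08x} is not an AES TPM_ALGORITHM_ID")
    if sym.enc_scheme not in SYM_SCHEMES:
        problems.append(f"encScheme 0x{sym.enc_scheme:04x} is not TPM_ES_SYM_CTR/TPM_ES_SYM_OFB")
    if sym.sig_scheme != TPM_SS_NONE:
        problems.append("sigScheme must be TPM_SS_NONE for a symmetric key")
    # parms is a TPM_SYMMETRIC_KEY_PARMS: UINT32 keyLength, blockSize, ivSize, BYTE IV[ivSize]
    if len(sym.parms) < 12:
        problems.append("parms too short for TPM_SYMMETRIC_KEY_PARMS")
    else:
        _, _, iv_size = struct.unpack_from(">III", sym.parms, 0)
        if len(sym.parms) != 12 + iv_size:
            problems.append("ivSize does not match parmSize")
    return problems


def sym_parms(key_len: int, block_size: int, iv: bytes) -> bytes:
    """Serialize TPM_SYMMETRIC_KEY_PARMS (units of keyLength/blockSize as the caller uses them)."""
    return struct.pack(">III", key_len, block_size, len(iv)) + iv


def build_identity_req(asym: KeyParms, sym: KeyParms, asym_blob: bytes, sym_blob: bytes) -> bytes:
    """Fixture builder so the checker can be exercised without a TPM."""
    return (struct.pack(">II", len(asym_blob), len(sym_blob))
            + asym.encode() + sym.encode() + asym_blob + sym_blob)
```

Run the checker against the bytes your stack actually hands to the PCA transport; a non-empty list from check_sym_algorithm on a request that a TPM built correctly would point at the serializer, which is exactly the kind of defect described above.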
From: Najeeb Ur R. <naj...@nu...> - 2013-02-22 06:39:48
Dear All,

I am trying to unbind a bound byte stream using jTPMTools (/jTpmTools_0.7/src/iaik/tc/apps/jtt/data/Unbind.java).

    int i;
    for (i = 0; i < byteData.length / blockLen; i++) {
        TcBlobData rawData = TcBlobData.newByteArray(byteData, i * blockLen, blockLen);
        encData.setAttribData(TcTssConstants.TSS_TSPATTRIB_ENCDATA_BLOB,
                TcTssConstants.TSS_TSPATTRIB_ENCDATABLOB_BLOB, rawData);
        TCTest.printByteArray(rawData.asByteArray(), "Raw Data");
        if (i == 0) {
            unboundData = TcBlobData.newBlobData(encData.unbind(key));
        } else {
            unboundData.append(encData.unbind(key));
        }
        TCTest.printByteArray(unboundData.asByteArray(), "Intermediate");
    }

In the above given code, rawData is fine but when I try to get the final unboundData, it always returns me NULL DATA (a sequence of 0's). Can anyone tell me if there is any technical problem with doing this, or any other way to do the same task?

Thanks in advance. Let me know if any more clarification is needed.

--
Regards
Najeeb-Ur Rehman
From: Michael S. <ms...@nt...> - 2013-02-18 17:41:11
On 2/17/2013 10:11 PM, Michael StJohns wrote:
> The second problem I encountered was in the same code. I attempted to
> lock the NVRam by defining space of size 0 at index 0xffffffff so I
> wouldn't encounter further problems. Unfortunately, that failed with a
> Null pointer error which I traced to line 88 of TcNvRam. You pass in
> a null pointer for the iAuth argument and later routines blow up
> because of it. I haven't yet tried the simple work around of
> commenting out this "if" block, but it's probable that
> TcTspInternal.TspNvDefineSpace_Internal needs some revision to catch
> null arguments and handle them properly.

This appears to be specific to the SOAP binding. TcTcsBindingSoap fails at line 2532 due to the null value for inAuth1. So there's an argument encoding issue for SOAP.

Mike
From: Michael S. <ms...@nt...> - 2013-02-18 04:10:21
After a long break, I'm finally getting back to this, and with a different set of TPMs. I've got an STM TPM on my Lenovo T530 (as opposed to the Intel one I had on the T510). I've got an ATMEL TPM on a server machine with a TPM daughter card.

It turns out that the TPM daughter card with the ATMEL TPM does not have the nvLocked bit set. I found this out when I was trying to use the TPM_NV_INDEX_TRIAL index to check space availability, which instead ended up actually creating stuff. I tried both the 0xf004 and 0x1000f004 indexes and both ended up creating NV space. I was easily able to delete the 0xf004 stuff, but I kept getting an error when I tried to delete the 0x1000f004 item.

This turned out to be a problem in /jTSS_0.7a/src/jtss_tsp/src/iaik/tc/tss/impl/java/tsp/TcNvRam.java around line 261. The code checks to see if you're trying to delete an index with the D bit set and throws an error, rather than attempting to do the delete and passing on the TPM originated error. What I think you probably wanted to do here is do a try/catch block around the low-level call, and if there is an error, change the error cause message on the caught exception and continue the throw. Basically, explain the error if it happens, rather than anticipating it. e.g.

    try {
        TcTspInternal.TspNvDefineSpace_Internal(context_, pubData, encAuth, inAuth1, ownerAuth);
    } catch (TcTssException ex) {
        if (ex.getErrCode() == TPM_E_BADINDEX) {
            if ((nvIndex_ & TcTssConstants.TSS_NV_DEFINED) != 0) {
                ex.setMessage("index with set-defined bit is not allowed");
            }
        }
        throw ex;
    }

I know there isn't a setMessage method for TcTssException, but you should either have that or the normal exception "new <exception>(Throwable cause)" constructor.

For my work around, I commented out the block and was able to delete both rogue indexes.

The second problem I encountered was in the same code. I attempted to lock the NVRam by defining space of size 0 at index 0xffffffff so I wouldn't encounter further problems. Unfortunately, that failed with a Null pointer error which I traced to line 88 of TcNvRam. You pass in a null pointer for the iAuth argument and later routines blow up because of it. I haven't yet tried the simple work around of commenting out this "if" block, but it's probable that TcTspInternal.TspNvDefineSpace_Internal needs some revision to catch null arguments and handle them properly.

Thanks - Mike

On 7/9/2012 10:55 AM, Michael Gissing wrote:
> On 05/14/2012 07:31 PM, Michael StJohns wrote:
>> Hi --
>
> Hi Michael,
>
>> For some reason, TcTpmConstants.TPM_NV_INDEX_TRIAL has the "D" bit
>> set. This is probably a bug.
>
> I agree that this is not the best value for this constant. It will be
> changed to 0x0000f004 in a future release. Anyhow please note that
> it's a valid index according to the specification.
>
>> I used the constant in TcINvRam.defineSpace (in TcTpmNvData) to see if I
>> had space to create a 100 octet space. What I ended up with was a
>> permanent 100 octet space that I can't get rid of.
>
> What exactly do you mean by 'can't get rid of'? According to the TPM
> specification this should not happen. When you try to define an index
> with the D-bit set, a shipped TPM should return TPM_BADINDEX. Which
> TPM do you use? Is the TPM's nvLocked bit set to true? If it is not,
> then D-bit indices can be defined, but also deleted.
>
> Can you please provide the output of the following commands?
>
> jtt tpm_version
> jtt tpm_flags
> jtt nv_decode --index 0x1000f004
>
>> When I use the correct value - 0xF004 - as the index, I get the
>> anticipated behavior. A "success" results in a return with no creation.
>
> That's what I would have expected ;)
>
>> I'd review all of the TPM_NV_INDEX_* values and make sure you're using
>> the correct values.
>
> Both versions with and without D-bit set are correct. For
> compatibility reasons the other constants will remain unchanged.
>
>> Mike
>
> HTH,
> Michael
From: <Fed...@ff...> - 2013-01-15 10:23:41
I was wondering whether it is possible to drop the PCA public key as a parameter to the TPM when calling the CollateIdentityRequest method. Is it a requirement that the request to the PCA is encrypted? What if I don't care? Can I just give null as the PCAPubKey parameter?

Federico
From: <Fed...@ff...> - 2012-11-13 15:14:42
Quick question about the quote method in the Attestor class of the JSR321. I thought PCR values could be signed only by an AIK, but I see that using a normal SigningKey is also possible. Doesn't this give the opportunity to feed false external PCR values to the TPM and make it sign with the Signing key? I thought that was the reason why only AIKs could be used, since they can only sign data generated inside the TPM. Or is there a way to force a SigningKey to not sign external data? Or did I misunderstand something?

Thanks for any clarification!

Federico
From: <Fed...@ff...> - 2012-11-07 13:26:18
Hi,

Thanks for the clarification. I was also wondering whether it is actually so that a legacy key can ONLY be an external RSA key, or whether the TPM should also be able to internally generate a legacy key according to the specs, but the functionality is not offered by the JSR 321?

Federico

-----Original Message-----
From: Ronald Tögl [mailto:ron...@ia...]
Sent: 6 November 2012 15:20
To: tru...@li...
Subject: Re: [Trustedjava-support] Legacy keys

Hi Federico,

You're right, the TPM spec does allow binding and unbinding with legacy keys. Yet, the JSR321 API specification does not. Actually the functionality did not occur to the JSR321 expert group at the time of writing the spec.. :-/

Feel free to add the functionality to your Binder implementation.

Ronald

On 11/06/2012 01:17 PM, Fed...@ff... wrote:
> Hei,
> According to the JSR321 documentation, Legacy keys are the only one that can perform both signing and encryption. I can see that the Signer object also has a method that accepts legacy keys, but what about encryption? Should I use an external library to do that? And if so, how do I decrypt the data with the private key, if only the TPM has access to it? I thought of the Binder and RemoteBinder objects, which are the only ones that have to do with encryption, but they do not accept Legacy keys.
> Any tips?
>
> Thanks!
>
> Federico
>
> ----------------------------------------------------------------------
> -------- LogMeIn Central: Instant, anywhere, Remote PC access and
> management.
> Stay in control, update software, and manage PCs from one command
> center Diagnose problems and improve visibility into emerging IT
> issues Automate, monitor and manage. Do more in less time with Central
> http://p.sf.net/sfu/logmein12331_d2d
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support

--
Dipl.-Ing. Ronald Tögl           phone +43 316/873-5502
Secure and Correct Systems       fax   +43 316/873-5520
IAIK                             ron...@ia...
Graz University of Technology    http://www.iaik.tugraz.at
From: Ronald T. <ron...@ia...> - 2012-11-06 14:20:18
Hi Federico,

You're right, the TPM spec does allow binding and unbinding with legacy keys. Yet, the JSR321 API specification does not. Actually the functionality did not occur to the JSR321 expert group at the time of writing the spec.. :-/

Feel free to add the functionality to your Binder implementation.

Ronald

On 11/06/2012 01:17 PM, Fed...@ff... wrote:
> Hei,
> According to the JSR321 documentation, Legacy keys are the only one that can perform both signing and encryption. I can see that the Signer object also has a method that accepts legacy keys, but what about encryption? Should I use an external library to do that? And if so, how do I decrypt the data with the private key, if only the TPM has access to it? I thought of the Binder and RemoteBinder objects, which are the only ones that have to do with encryption, but they do not accept Legacy keys.
> Any tips?
>
> Thanks!
>
> Federico

--
Dipl.-Ing. Ronald Tögl           phone +43 316/873-5502
Secure and Correct Systems       fax   +43 316/873-5520
IAIK                             ron...@ia...
Graz University of Technology    http://www.iaik.tugraz.at
From: <Fed...@ff...> - 2012-11-06 12:17:56
Hei,

According to the JSR321 documentation, Legacy keys are the only ones that can perform both signing and encryption. I can see that the Signer object also has a method that accepts legacy keys, but what about encryption? Should I use an external library to do that? And if so, how do I decrypt the data with the private key, if only the TPM has access to it? I thought of the Binder and RemoteBinder objects, which are the only ones that have to do with encryption, but they do not accept Legacy keys.

Any tips?

Thanks!

Federico
From: <Fed...@ff...> - 2012-10-29 12:01:02
Hi again,

I have now been trying to modify a couple of lines of code in the jTSS libraries in order to be able to create AIK keys and import them programmatically, without having to go through the command line. The problem was simply to be able to get out the UUID after the AIK was imported, in order to be able to store it programmatically and load the key later on, without the copy and paste from the command line.

Now, I have done that, and on one computer it was working, by using the iaik_jtss_tcs.jar and iaik_jtss_tsp.jar I had recompiled (both of them, since I had to modify the AbstracApp class in the iaik.tc.utils.cmdline package, which is common to both jars). Now I got a new laptop and did the same, but when I use the new libraries (which I put in the lib folder where the jTSS is installed), it says that it can't bind to the TCS core.

I used the source included with the jTSS package to do the modifications, but when I compared the original jar and the one I built, I could see that many classes were slightly bigger in the custom one (1 kB). Is the source version different from what is in the precompiled jar files?

Federico
From: Michael G. <m.g...@tu...> - 2012-10-21 00:09:08
On 2012-10-18 11:04, Fed...@ff... wrote:
> Btw, where do I see exactly which firmware version I have?

You can find the information in the output of tpm_version.

-----
TPM Version Info:
version: 1.2
rev: 3.17
specLevel: 2
errataRev: 2
tpmVendorID: Infineon ("IFX")
vendorSpecificSize: 5
vendorSpecificData: 03 11 00 08 00
-----

The string after 'rev:' is the firmware revision of IFX TPMs, so 3.17 in this example.

Michael
From: <Fed...@ff...> - 2012-10-18 09:16:51
Here is the output of the test you sent me. It confirms what you said. Waiting for new laptop... :)

Thanks again.

Federico

    run:
    -== TPM Information ==-
    TPM Version Info:
    tpmVendorID: IFX
    -== VALIDATION ==-
    The calculated SHA-1 hash of the modulus:
    df5733968e250ebe07b82bb099109f5590d57dfa
    The SHA-1 hash of the modulus as it was returned in the validation data:
    4a06c58f10e86cf76bec2cce0cb71dac927a4e54
    The SHA-1 hash of the entire TPM_STORE_PUBKEY struct
    4a06c58f10e86cf76bec2cce0cb71dac927a4e54
    ERROR: Digest of the certified key's modulus does not match the one in the provided validation data!
    ______________
    SUCCESS: Signature successfully verified.
    ______________
    SUCCESS: The nonce was successfully verified.
    ______________

2012/10/18 <Fed...@ff...>

-----Original Message-----
From: Martin Pirker [mailto:Mar...@ia...]
Sent: 18 October 2012 10:15
To: tru...@li...
Subject: Re: [Trustedjava-support] validate a certified key

On 2012-10-17 22:29, Ronald Tögl wrote:
> I recall that some not so old Infineon TPMs needed a Firmware Update (to 3.17) to certify keys correctly...

IFX TPMs up to FW 3.16 are calculating the hash over the entire TPM_STORE_PUBKEY struct instead of just the key modulus as described in the TPM specification. This was fixed in FW 3.17.

FYI, test code to check for this TPM bug and sample outputs attached.

HTH,
Martin
From: <Fed...@ff...> - 2012-10-18 09:04:52
Hi,

Thanks for the answer! I would have never thought something like that, and it seems like that is indeed the problem. Since I had no idea how to find out the firmware version I tried running the test script that comes with the jTSS, and the last test says exactly: "skipping testCertifyKeyandValidate() on IFX TPM's with revision <3.17"....

Well, updating the firmware does not seem an easy task. HP has a long list of requirements to make it work. Among which having taken ownership of the TPM through the HP security tools, install the HP protect tools, etc.... Maybe I should just wait for my new laptop...

Federico

Btw, where do I see exactly which firmware version I have?

From: Ronald Tögl [mailto:ron...@ia...]
Sent: 17 October 2012 22:30
To: Mancini, Federico; tru...@li...
Subject: Re: [Trustedjava-support] validate a certified key

Hi,

What TPM are you using? I recall that some not so old Infineon TPMs needed a Firmware Update (to 3.17) to certify keys correctly...

Ronald

On 17.10.2012 15:01, Fed...@ff... wrote:
> Hi again,
>
> Just wondering whether anyone has any idea why this code return false (that is, the key that I certified with the AIK does not seem to be valid when reversing the certification process ). Some digging revealed that the test failed when the digest of the public key of sign is compared with the digest extracted from val.getData() (I checked the code in RemoteCertifierImpl). The two digests are indeed different, but why? I don't see how that can fail, since I am passing the validation data directly to the remote certifier.....
>
>     TPMContext context = TPMContext.getInstance();
>     context.connect(null);
>     TPM tpm = context.getTPMInstance();
>     Certifier cert = context.getCertifier();
>     IdentityKey aikKey = (IdentityKey) manager.loadTPMSystemKey(srk,
>             UUID.fromString("15b986a9-6124-4c70-bf1b-4a9e39e5998c"), secretAik);
>     SigningKey sign = (SigningKey) manager.loadTPMSystemKey(srk,
>             UUID.fromString("13f478d6-f5a9-4445-892a-730427a2fe69"), Secret.WELL_KNOWN_SECRET);
>     Digest digest = context.getDigest(tpm.getRandom(20));
>     ValidationData val = cert.certifyKey(sign, aikKey, digest);
>     RemoteCertifier remCert = context.getRemoteCertifier();
>     System.out.println("The signing key is valid = " + remCert.validate(val,
>             (RSAPublicKey) sign.getPublicKey(), (RSAPublicKey) aikKey.getPublicKey(), digest));
>
> Federico
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_sfd2d_oct
>
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support
From: Martin P. <Mar...@ia...> - 2012-10-18 08:17:21
On 2012-10-17 22:29, Ronald Tögl wrote:
> I recall that some not so old Infineon TPMs needed a Firmware Update (to 3.17) to certify keys correctly...

IFX TPMs up to FW 3.16 are calculating the hash over the entire TPM_STORE_PUBKEY struct instead of just the key modulus as described in the TPM specification. This was fixed in FW 3.17.

FYI, test code to check for this TPM bug and sample outputs attached.

HTH,
Martin
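Martin's test is not attached on this page, but the check it performs follows directly from the TPM 1.2 structures, and the same parser answers Ravi's question earlier on the page about why an RSA exponent can be "missing": in TPM_RSA_KEY_PARMS an exponentSize of 0 means the default public exponent 2^16+1 and no exponent bytes are stored at all. The example below is added here and is neither Martin's test code nor jTSS code. It parses a serialized TPM_PUBKEY (TPM_KEY_PARMS with TPM_RSA_KEY_PARMS, then TPM_STORE_PUBKEY), recovers modulus and exponent with the default applied, and computes the two candidate digests: SHA-1 over the modulus only, which is what TPM_CertifyKey puts into TPM_CERTIFY_INFO.pubkeyDigest, and SHA-1 over the whole TPM_STORE_PUBKEY (keyLength || key), which is what the pre-3.17 IFX firmware produced. The classifier tells you which one a given validation blob contains, so a verifier can distinguish a buggy-but-genuine TPM from a forged certification. The key bytes in the test are constructed, not a real TPM key.

```python
"""Parse a TPM 1.2 TPM_PUBKEY and classify a TPM_CERTIFY_INFO.pubkeyDigest.
Added, stand-alone example: not jTSS code, not the list's test program."""
import hashlib
import struct
from dataclasses import dataclass

TPM_ALG_RSA = 0x00000001
TPM_ES_NONE = 0x0001
TPM_SS_RSASSAPKCS1v15_SHA1 = 0x0002
DEFAULT_RSA_EXPONENT = 65537  # 2^16 + 1, implied when exponentSize == 0


@dataclass
class TpmPubKey:
    algorithm_id: int
    enc_scheme: int
    sig_scheme: int
    key_length_bits: int
    num_primes: int
    exponent: int
    modulus: bytes
    store_pubkey_raw: bytes  # the serialized TPM_STORE_PUBKEY as it sits in the blob


def parse_tpm_pubkey(blob: bytes) -> TpmPubKey:
    # TPM_KEY_PARMS: UINT32 algorithmID, UINT16 encScheme, UINT16 sigScheme,
    # UINT32 parmSize, BYTE parms[parmSize]
    alg, enc, sig, parm_size = struct.unpack_from(">IHHI", blob, 0)
    off = 12
    if alg != TPM_ALG_RSA:
        raise ValueError(f"not an RSA key: algorithmID=0x{alg:08x}")
    parms = blob[off:off + parm_size]
    if len(parms) != parm_size:
        raise ValueError("truncated TPM_RSA_KEY_PARMS")
    # TPM_RSA_KEY_PARMS: UINT32 keyLength, UINT32 numPrimes, UINT32 exponentSize,
    # BYTE exponent[exponentSize]
    key_len, num_primes, exp_size = struct.unpack_from(">III", parms, 0)
    exp_bytes = parms[12:12 + exp_size]
    if len(exp_bytes) != exp_size:
        raise ValueError("truncated exponent")
    exponent = int.from_bytes(exp_bytes, "big") if exp_size else DEFAULT_RSA_EXPONENT
    off += parm_size
    # TPM_STORE_PUBKEY: UINT32 keyLength, BYTE key[keyLength] (the modulus)
    (mod_len,) = struct.unpack_from(">I", blob, off)
    modulus = blob[off + 4:off + 4 + mod_len]
    if len(modulus) != mod_len:
        raise ValueError("truncated modulus")
    if off + 4 + mod_len != len(blob):
        raise ValueError("trailing bytes after TPM_PUBKEY")
    return TpmPubKey(alg, enc, sig, key_len, num_primes, exponent,
                     modulus, blob[off:off + 4 + mod_len])


def spec_pubkey_digest(key: TpmPubKey) -> bytes:
    """SHA-1 over the modulus only: what TPM_CertifyKey specifies for pubkeyDigest."""
    return hashlib.sha1(key.modulus).digest()


def store_pubkey_digest(key: TpmPubKey) -> bytes:
    """SHA-1 over the entire TPM_STORE_PUBKEY: what IFX firmware before 3.17 produced."""
    return hashlib.sha1(key.store_pubkey_raw).digest()


def classify_pubkey_digest(key: TpmPubKey, digest: bytes) -> str:
    """'spec', 'store_pubkey' (pre-3.17 IFX behaviour) or 'mismatch'."""
    if digest == spec_pubkey_digest(key):
        return "spec"
    if digest == store_pubkey_digest(key):
        return "store_pubkey"
    return "mismatch"


def build_tpm_pubkey(modulus: bytes, exponent_bytes: bytes = b"") -> bytes:
    """Serialize a TPM_PUBKEY for an RSA signing key (fixture builder for tests)."""
    rsa_parms = struct.pack(">III", len(modulus) * 8, 2, len(exponent_bytes)) + exponent_bytes
    key_parms = struct.pack(">IHHI", TPM_ALG_RSA, TPM_ES_NONE,
                            TPM_SS_RSASSAPKCS1v15_SHA1, len(rsa_parms)) + rsa_parms
    return key_parms + struct.pack(">I", len(modulus)) + modulus
```

A remote verifier that accepts "store_pubkey" should do so only for an AIK whose EK/platform credentials identify it as an IFX part with firmware below 3.17, and should log the fact; treating the two digests as interchangeable for every TPM would let any certification of the wrong key slip through.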
From: Ronald T. <ron...@ia...> - 2012-10-17 20:29:31
Hi,

What TPM are you using? I recall that some not so old Infineon TPMs needed a Firmware Update (to 3.17) to certify keys correctly...

Ronald

On 17.10.2012 15:01, Fed...@ff... wrote:
>
> Hi again,
>
> Just wondering whether anyone has any idea why this code return false
> (that is, the key that I certified with the AIK does not seem to be
> valid when reversing the certification process ). Some digging
> revealed that the test failed when the digest of the public key of
> sign is compared with the digest extracted from val.getData() (I checked
> the code in RemoteCertifierImpl). The two digests are indeed different,
> but why? I don't see how that can fail, since I am passing the
> validation data directly to the remote certifier.....
>
>     TPMContext context = TPMContext.getInstance();
>     context.connect(null);
>     TPM tpm = context.getTPMInstance();
>     Certifier cert = context.getCertifier();
>     IdentityKey aikKey = (IdentityKey) manager.loadTPMSystemKey(srk,
>             UUID.fromString("15b986a9-6124-4c70-bf1b-4a9e39e5998c"), secretAik);
>     SigningKey sign = (SigningKey) manager.loadTPMSystemKey(srk,
>             UUID.fromString("13f478d6-f5a9-4445-892a-730427a2fe69"), Secret.WELL_KNOWN_SECRET);
>     Digest digest = context.getDigest(tpm.getRandom(20));
>     ValidationData val = cert.certifyKey(sign, aikKey, digest);
>     RemoteCertifier remCert = context.getRemoteCertifier();
>     System.out.println("The signing key is valid = " + remCert.validate(val,
>             (RSAPublicKey) sign.getPublicKey(), (RSAPublicKey) aikKey.getPublicKey(), digest));
>
> Federico
From: <Fed...@ff...> - 2012-10-17 13:02:07
Hi again,

Just wondering whether anyone has any idea why this code returns false (that is, the key that I certified with the AIK does not seem to be valid when reversing the certification process). Some digging revealed that the test failed when the digest of the public key of sign is compared with the digest extracted from val.getData() (I checked the code in RemoteCertifierImpl). The two digests are indeed different, but why? I don't see how that can fail, since I am passing the validation data directly to the remote certifier.....

    TPMContext context = TPMContext.getInstance();
    context.connect(null);
    TPM tpm = context.getTPMInstance();
    Certifier cert = context.getCertifier();
    IdentityKey aikKey = (IdentityKey) manager.loadTPMSystemKey(srk,
            UUID.fromString("15b986a9-6124-4c70-bf1b-4a9e39e5998c"), secretAik);
    SigningKey sign = (SigningKey) manager.loadTPMSystemKey(srk,
            UUID.fromString("13f478d6-f5a9-4445-892a-730427a2fe69"), Secret.WELL_KNOWN_SECRET);
    Digest digest = context.getDigest(tpm.getRandom(20));
    ValidationData val = cert.certifyKey(sign, aikKey, digest);
    RemoteCertifier remCert = context.getRemoteCertifier();
    System.out.println("The signing key is valid = " + remCert.validate(val,
            (RSAPublicKey) sign.getPublicKey(), (RSAPublicKey) aikKey.getPublicKey(), digest));

Federico
From: <Fed...@ff...> - 2012-10-09 09:25:43
Hi again,

Just wanted to inform you, in case anyone else might be interested, that I have tested the REST API to communicate with PrivacyCA.com, and it seems to work. Here is the code:

    public class PrivacyCAaik {
        public static void main(String[] args) {
            // First retrieve the PrivacyCA certificate of the level you want
            String[] arg1 = new String[5];
            arg1[0] = "rest_cacert";
            arg1[1] = "--level";
            arg1[2] = "1";
            arg1[3] = "--cacert";
            arg1[4] = "cacertLevel1";
            PKIClient.main(arg1);

            // Then create the AIK
            String[] arg = new String[11];
            arg[0] = "rest_aik_create";
            arg[1] = "--cacert";
            arg[2] = "cacertLevel1";
            arg[3] = "-a";
            arg[4] = "aiksecret";
            arg[5] = "-l";
            arg[6] = "aikRest";
            arg[7] = "-o";
            arg[8] = "YOUR_TPM_OWNER_SECRET";
            arg[9] = "--level";
            arg[10] = "1"; // MUST BE THE SAME AS THE CACERT OR YOU GET 403 RESPONSE CODE
            PKIClient.main(arg);
        }
    }

Federico
From: <Fed...@ff...> - 2012-10-04 09:51:34
I will answer myself: no idea why it didn't work (tried for a whole day), but just restart your computer, it might magically work afterwards, as it happened in my case....

Now, I have the AIK and a signing key, and I would like to use the AIK to certify the key and get a TPM_CERTIFY_INFO data structure that can be used in the SKAE extension of an X509 certificate. I used the JSR321 Certifier class to generate a ValidationData object; question is, how is the ValidationData object related to the TPM_CERTIFY_INFO structure? The validationData returned from the DataValidation object, is it some random data, or the public part of the signing key I certified? I see that the jTSS has a TcTPMCertifyInfo class that could return the exact structure, is it possible to use it from the JSR321? Or is it exactly what happens when using the Certifier?

Thanks for any insight!

Federico

From: Mancini, Federico
Sent: 3 October 2012 14:43
To: Mancini, Federico; Tru...@li...
Subject: RE: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically

(Sorry if this has been sent twice, but I got a message that something was blocked because it was too big, so I resent it with no previous conversations)

Hi,

I did some digging (used the getStoredTPMKeys method....), and found out that the error was due to the fact that I used the LoadTPMKey method instead of the loadTPMSystemKey method. (By the way, what is the difference?) However now I get another error: Authorization failed. I assume this has to do with the secret associated to the key. Do I create it wrong, or is the srk not the actual parent key of all AIKs created as illustrated here http://java.net/projects/jsr321/pages/SetupIAIKTCK?

    StorageRootKey srk=keyManager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
    Secret pass=context.getSecret("justASecret".toCharArray());
    IdentityKey aik=(IdentityKey) keyManager.loadTPMSystemKey(srk,uuid,pass);

Federico
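The digest mismatch in the first message above and the TPM_CERTIFY_INFO question in this one concern the same structure. As an added example (not code from this thread, from jTSS or from JSR321), the Python below builds and parses a TPM 1.2 TPM_CERTIFY_INFO and performs the two structural checks a remote certifier makes before trusting the AIK signature: the SHA-1 of the certified key's modulus must equal pubkeyDigest, and the caller's nonce must equal the data field. The field layout follows the TPM 1.2 structures specification; the sample modulus, nonce and key-parameter values are constructed, and the signature check over the blob with the AIK public key is left out.

```python
import hashlib
import struct

# Constructed sample inputs (not from the thread): a 256-byte stand-in modulus
# for an RSA-2048 signing key and a 20-byte caller nonce.
SAMPLE_MODULUS = bytes(range(256))
SAMPLE_NONCE = b"\x42" * 20


def build_certify_info(modulus: bytes, nonce: bytes) -> bytes:
    """Serialise a TPM 1.2 TPM_CERTIFY_INFO for an RSA signing key (values constructed:
    TPM_KEY_SIGNING, TPM_ALG_RSA, TPM_ES_NONE, TPM_SS_RSASSAPKCS1v15_SHA1, no PCRs)."""
    rsa_parms = struct.pack(">III", len(modulus) * 8, 2, 0)  # keyLength, numPrimes, exponentSize
    key_parms = struct.pack(">IHHI", 0x01, 0x01, 0x02, len(rsa_parms)) + rsa_parms
    pubkey_digest = hashlib.sha1(modulus).digest()  # SHA-1 over TPM_STORE_PUBKEY.key (modulus)
    return (b"\x01\x01\x00\x00"                     # TPM_STRUCT_VER 1.1.0.0
            + struct.pack(">HIB", 0x0010, 0, 1)     # keyUsage, keyFlags, authDataUsage
            + key_parms + pubkey_digest + nonce     # algorithmParms, pubkeyDigest, data
            + struct.pack(">BI", 0, 0))             # parentPCRStatus, PCRInfoSize = 0


def parse_certify_info(blob: bytes) -> dict:
    """Walk the TPM_CERTIFY_INFO layout and return its fields by name."""
    off = 4                                         # skip TPM_STRUCT_VER
    key_usage, key_flags, auth_usage = struct.unpack_from(">HIB", blob, off)
    off += 7
    alg, enc, sig, parm_size = struct.unpack_from(">IHHI", blob, off)
    off += 12
    parms = blob[off:off + parm_size]
    off += parm_size
    pubkey_digest, nonce = blob[off:off + 20], blob[off + 20:off + 40]
    off += 40
    parent_pcr, pcr_size = struct.unpack_from(">BI", blob, off)
    off += 5 + pcr_size
    if off != len(blob):
        raise ValueError("TPM_CERTIFY_INFO length does not match its fields")
    key_len = struct.unpack_from(">I", parms)[0] if alg == 0x01 else None
    return {"keyUsage": key_usage, "keyFlags": key_flags, "authDataUsage": auth_usage,
            "algorithmID": alg, "rsaKeyLength": key_len,
            "pubkeyDigest": pubkey_digest, "data": nonce, "parentPCRStatus": parent_pcr}


def certify_info_matches(blob: bytes, modulus: bytes, nonce: bytes) -> bool:
    """False means the blob certifies a different key, or answers a different
    request, than the (modulus, nonce) pair the verifier is checking against."""
    info = parse_certify_info(blob)
    return (info["pubkeyDigest"] == hashlib.sha1(modulus).digest()
            and info["data"] == nonce)
```

When the digest check fails as in the first message, comparing the parsed pubkeyDigest against the SHA-1 of the modulus of each key loaded in the session shows which key the TPM actually certified.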
From: <Fed...@ff...> - 2012-10-03 12:42:51
(Sorry if this has been sent twice, but I got a message that something was blocked because it was too big, so I resent it with no previous conversations)

Hi,

I did some digging (used the getStoredTPMKeys method....), and found out that the error was due to the fact that I used the LoadTPMKey method instead of the loadTPMSystemKey method. (By the way, what is the difference?) However now I get another error: Authorization failed. I assume this has to do with the secret associated to the key. Do I create it wrong, or is the srk not the actual parent key of all AIKs created as illustrated here http://java.net/projects/jsr321/pages/SetupIAIKTCK?

    StorageRootKey srk=keyManager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
    Secret pass=context.getSecret("justASecret".toCharArray());
    IdentityKey aik=(IdentityKey) keyManager.loadTPMSystemKey(srk,uuid,pass);

Federico
From: <Fed...@ff...> - 2012-10-02 13:54:44
Hi,

Thanks a lot for the tip, I was getting very confused :) But it looks like I need to bother you again. I followed the wiki (I assume this is what you meant: http://java.net/projects/jsr321/pages/SetupIAIKTCK. The iaik_run command seems to fail, but I am not sure that is essential to what I am trying to do?) and then tried to load the key by its UUID. However, I get the error that no key is registered with such UUID....

This is the proof that the key is indeed in the storage and the UUID is correct:

---------------------------------------------------------------------------------------------
IAIK Java TPM Tools
---------------------
total number of keys registered in persistent system storage: 1
KeyInfo:
  Version: 1.2.0.0
  key UUID: 0ab736d7-8129-4a2a-84ce-34dfef20adec
  parent key UUID: 00000000-0000-0000-0000-000000000001
  is loaded: false
  auth data usage: 1
  vendor data: none
---------------------------------------------------------------------------------------------

This is the code I used:

---------------------------------------------------------------------------------------------
    Certifier cert=context.getCertifier();
    KeyManager manager=context.getKeyManager();
    StorageRootKey srk=manager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
    UUID uuid=UUID.fromString("0ab736d7-8129-4a2a-84ce-34dfef20adec");
    Secret aikSecret=context.getSecret("secret".toCharArray());
    IdentityKey aikKey= (IdentityKey) manager.loadTPMKey(srk, uuid, aikSecret);
---------------------------------------------------------------------------------------------

And this is the error:

---------------------------------------------------------------------------------------------
SEVERE: null
iaik.tc.jsr321.TrustedComputingExceptionImpl: Loading the key failed.
        at iaik.tc.jsr321.tpm.keys.KeyManagerImpl.loadTPMKey(Unknown Source)
        at tpm_project.TPM_project.main(TPM_project.java:149)
Caused by: iaik.tc.tss.api.exceptions.tcs.TcTcsException: TSS Error:
  error layer: 0x3000 (TSP)
  error code (without layer): 0x09
  error code (full): 0x3009
  error message: unknown
  additional info: Key is not registered:UUID: 0ab736d7-8129-4a2a-84ce-34dfef20adec
        at iaik.tc.tss.impl.ps.TcTssPsDatabase.getRegisteredKeyBlobImpl(TcTssPsDatabase.java:182)
        at iaik.tc.tss.impl.ps.TcTssPersistentStorage.getRegisteredKeyBlob(TcTssPersistentStorage.java:124)
        at iaik.tc.tss.impl.java.tsp.TcContext.getKeyByUuid(TcContext.java:656)
---------------------------------------------------------------------------------------------

Am I forgetting something?

Thanks again for your patience with a messy beginner :)

Federico

-----Original Message-----
From: Ronald Tögl [mailto:ron...@ia...]
Sent: 2 October 2012 13:55
To: Trustedjava IAIK
Cc: Mancini, Federico
Subject: Re: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically

Frederico,

Yes, this is a mess ;) The reason is that a javax.trustedcomputing.tpm.keys.IdentityKey is not binary compatible to iaik.tc.tss.api.structs.tpm.TcTpmKey and I cannot think of a good reason why it should be; and even if there was one, there're the TCG specs as obstacle.

I suggest you follow the instructions in the JSR321 Wiki on how to generate an AIK with jTSS and then load the key by its UUID (!) from within JSR321.

Also, I do not recommend mixing jTSS and JSR321 code in one application unless you really really really need to and know all the internals.

Ronald

On 10/02/2012 01:45 PM, Fed...@ff... wrote:
> Hi again,
> I would like to do a step further now, and try and create a new key, signed with the AIK I managed to create with jtt (I assume both its public and private parts are in the aik.tmpkey file), and then use the command TPM_CertifyKey, to get a certificate usable to sign data from outside the TPM.
> According to the JSR321, the Tsi_Key_CertifyKey functionality should be handled by the TPMKey class, but here is the first problem. I don't see any such method in the JSR javadoc. Is it maybe the ValidationData which is obtained through the certifyKey method of a Certifier?
> If so, I tried to create a signing key and then apply such method, but my second problem is: how do I get the AIK key from the file and make it into a TPMKey object? I can't find a way to create a TPMKey from a given key material, so I used the TcTpmKey constructor instead, but how do I turn this into a TPMKey that can be given as parameter to the certifier? I am for sure doing a mess mixing jTSS and JSR321 here, can anyone point me in the right direction?
> This is what I do:
>
>     Certifier cert=context.getCertifier();
>     KeyManager manager=context.getKeyManager();
>     StorageRootKey srk=manager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
>     SigningKey sign=manager.createSigningKey(srk, Secret.WELL_KNOWN_SECRET, Secret.WELL_KNOWN_SECRET, true, true, true, 2048, null);
>     File aikKey=new File("C:\\Users\\aik.tpmkey");
>     FileInputStream in=new FileInputStream(aikKey);
>     byte[] iakKeyByte=new byte[(int)aikKey.length()];
>     in.read(iakKeyByte);
>     in.close();
>     TcBlobData aikBlob=TcBlobData.newByteArray(iakKeyByte);
>     IdentityKey aik=(IdentityKey) new TcTpmKey(aikBlob);   <- Problem
>     ValidationData val=cert.certifyKey(sign, aik, null);
>
> Thanks again for any help!
>
> Federico
>
> -----Original Message-----
> From: Fed...@ff... [mailto:Fed...@ff...]
> Sent: 1 October 2012 14:46
> To: tru...@li...
> Subject: Re: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically
>
> Hi,
> Thanks for your answer.
> Am I to understand that the jTSS has no method equivalent to Tspi_TPM_CollateIdentityRequest () then?
> Is it not defined as a standard method in the TSS?
>
> Federico
>
> -----Original Message-----
> From: Martin Pirker [mailto:Mar...@ia...]
> Sent: 1 October 2012 14:36
> To: Mancini, Federico
> Cc: tru...@li...
> Subject: Re: [Trustedjava-support] jtt on win 7 and creating an AIK programmatically
>
> Hi...
>
> On 2012-10-01 13:36, Fed...@ff... wrote:
>> Now, I would like to create an AIK, ....
>> This seems to be some kind of dummy AIK certificate generated by some internal privacy CA?
> The AIK cycle in jTT is just for local testing purposes, so yes, certificates are created on-the-fly with random dummy values.
>
>> How would I go to get the AIK certificate signed by privacyCA.com instead?
>> and send it as a POST to privacyCA.com,
> There are undocumented commands/code included with JTT, in iaik.tc.apps.jtt.pki.* you will find experimental code to talk to privacyca.com.
>
> However, as you can see from the copyright notice this is from 2007/08 and I don't know anyone who has ever run it again since then, so it's probably non-functioning.
>
>> I could not find any clear documentation about this.
> For an alternative PrivacyCA implementation look at the "apki" package in the PrivacyCA 0.2 folder.
> (Note that this code is also unfinished and unmaintained)
>
> Good luck :-)
> Martin

--
Dipl.-Ing. Ronald Tögl            phone +43 316/873-5502
Secure and Correct Systems        fax +43 316/873-5520
IAIK                              ron...@ia...
Graz University of Technology     http://www.iaik.tugraz.at