From: Ronald T. <ron...@ia...> - 2012-10-02 11:55:34
Federico,

Yes, this is a mess ;)

The reason is that a javax.trustedcomputing.tpm.keys.IdentityKey is not binary compatible to iaik.tc.tss.api.structs.tpm.TcTpmKey and I cannot think of a good reason why it should be; and even if there was one, there're the TCG specs as obstacle.

I suggest you follow the instructions in the JSR321 Wiki on how to generate an AIK with jTSS and then load the key by its UUID (!) from within JSR321.

Also, I do not recommend to mix jTSS and JSR321 code in one application unless you really really really need to and know all the internals.

Ronald

--
Dipl.-Ing. Ronald Tögl             phone +43 316/873-5502
Secure and Correct Systems         fax   +43 316/873-5520
IAIK                               ron...@ia...
Graz University of Technology      http://www.iaik.tugraz.at
From: <Fed...@ff...> - 2012-10-02 11:46:14
Hi again,

I would like to do a step further now, and try and create a new key, signed with the AIK I managed to create with jtt (I assume both its public and private parts are in the aik.tpmkey file), and then use the command TPM_CertifyKey, to get a certificate usable to sign data from outside the TPM.

According to the JSR321, the Tspi_Key_CertifyKey functionality should be handled by the TPMKey class, but here is the first problem. I don't see any such method in the JSR javadoc. Is it maybe the ValidationData which is obtained through the certifyKey method of a Certifier?

If so, I tried to create a signing key and then apply such method, but my second problem is: how do I get the AIK key from the file and make it into TPMKey object? I can't find a way to create a TPMKey from a given key material, so I used the TcTpmKey constructor instead, but how do I turn this into a TPMKey that can be given as parameter to the certifier? I am for sure doing a mess mixing jTSS and JSR321 here, anyone can point me in the right direction?

This is what I do:

    Certifier cert=context.getCertifier();
    KeyManager manager=context.getKeyManager();
    StorageRootKey srk=manager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
    SigningKey sign=manager.createSigningKey(srk, Secret.WELL_KNOWN_SECRET, Secret.WELL_KNOWN_SECRET, true, true, true, 2048, null);
    File aikKey=new File("C:\\Users\\aik.tpmkey");
    FileInputStream in=new FileInputStream(aikKey);
    byte[] iakKeyByte=new byte[(int)aikKey.length()];
    in.read(iakKeyByte);
    in.close();
    TcBlobData aikBlob=TcBlobData.newByteArray(iakKeyByte);
    IdentityKey aik=(IdentityKey) new TcTpmKey(aikBlob); // <- Problem
    ValidationData val=cert.certifyKey(sign, aik, null);

Thanks again for any help!

Federico
From: <Fed...@ff...> - 2012-10-01 13:00:40
Hi,

Indeed the PATH variable was missing system32, now it works fine.....the previous owner of the machine must have played with the environmental variables....

Thanks,
Federico
From: <Fed...@ff...> - 2012-10-01 12:46:32
Hi,

Thanks for your answer.
Am I to understand that the jTSS has no method equivalent to Tspi_TPM_CollateIdentityRequest() then?
Is it not defined as a standard method in the TSS?

Federico
From: Martin P. <Mar...@ia...> - 2012-10-01 12:38:44
Hi...

On 2012-10-01 13:36, Fed...@ff... wrote:
> Now, I would like to create an AIK, ....
> This seems to be some kind of dummy AIK certificate generated by some internal privacy CA?

The AIK cycle in jTT is just for local testing purposes, so yes, certificates are created on-the-fly with random dummy values.

> How would I go to get the AIK certificate signed by privacyCA.com instead?
> and send it as a POST to privacyCA.com,

There are undocumented commands/code included with JTT, in iaik.tc.apps.jtt.pki.* you will find experimental code to talk to privacyca.com.
However, as you can see from the copyright notice this is from 2007/08 and I don't know anyone who has ever run it again since then, so it's probably non-functioning.

> I could not find any clear documentation about this.

For an alternative PrivacyCA implementation look at the "apki" package in the PrivacyCA 0.2 folder.
(Note that this code is also unfinished and unmaintained)

Good luck :-)
Martin
From: Ronald T. <ron...@ia...> - 2012-10-01 12:25:17
Hi Federico,

I have no idea why your system cannot find the system utility reg.exe on the path. Perhaps you or some tool modified it in some incorrect way. I suggest you check your path settings and make sure it includes the c:\windows\system32 folder.

Alternatively, you can just replace line 19 in the script with a hardcoded path to your jTSS installation.

    SET jtssreg=<path>

hth,
Ronald

--
Dipl.-Ing. Ronald Tögl             phone +43 316/873-5502
Secure and Correct Systems         fax   +43 316/873-5520
IAIK                               ron...@ia...
Graz University of Technology      http://www.iaik.tugraz.at
From: <Fed...@ff...> - 2012-10-01 11:41:59
Hi,

I have finally managed to find some time to start playing with jTSS and I have managed to set up everything properly and started writing some java code.

Looks like I have successfully taken ownership of the TPM and can query PCRs values and extract the EK certificate programmatically.

Now, I would like to create an AIK, and I seem to have managed, using the j_tpm_tools programmatically, in the following manner:

    RSAKeyPairGenerator rsa=new RSAKeyPairGenerator();
    KeyPair rsaKeys=rsa.generateKeyPair();
    RSAPublicKey rsaPub=(RSAPublicKey) rsaKeys.getPublic();
    // EKcert was extracted before by ReadEKCert.getEKCertAlternative(pass);
    X509Certificate EKCert=new X509Certificate(EKcert.asByteArray());
    AttributeCertificate peCert=AikUtil.createPECertificate(EKCert);
    X509Certificate AIKCert=AikUtil.createAIKCertificate(EKCert, peCert, rsaPub, "AIK test");

This seems to be some kind of dummy AIK certificate generated by some internal privacy CA?

How would I go to get the AIK certificate signed by privacyCA.com instead?

I see that I have to generate TPM_IDENTITY_REQ blob and send it as a POST to privacyCA.com, but I don't see any Tspi_TPM_CollateIdentityRequest() anywhere, only a TcTPMIdentityRequest() method in the jTSS, but when I call it like that I don't get anything.

Should I call it with the blob parameter? If so, how would I generate such a blob?

Sorry if the question is trivial, but it is the first time playing with the TPM, although I read the theory, and I could not find any clear documentation about this.

Thanks in advance for any help.

Federico Mancini
From: <Fed...@ff...> - 2012-10-01 11:41:34
Sorry I forgot to mention (as in written in the subject) that I had trouble running jtt from command line, because I get the following error:

    C:\Users\Public\jsr321\jTSS_0.7\jTpmTools_0.7>jtt
    'REG' is not recognized as an internal or external command,
    operable program or batch file.
    ---------------------
    IAIK Java TPM Tools
    ---------------------
    Exception in thread "main" java.lang.NoClassDefFoundError: iaik/tc/utils/cmdline/CommandlineException
        at java.lang.Class.getDeclaredMethods0(Native Method)
        at java.lang.Class.privateGetDeclaredMethods(Class.java:2442)
        at java.lang.Class.getMethod0(Class.java:2685)
        at java.lang.Class.getMethod(Class.java:1620)
        at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:492)
        at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:484)
    Caused by: java.lang.ClassNotFoundException: iaik.tc.utils.cmdline.CommandlineException
        at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
        ... 6 more

Seems to be something with the REG command which is not supported in Windows 7?
From: Ronald T. <ron...@ia...> - 2012-09-26 08:52:01
Hal,

On a second thought (thanks to my colleagues to correct me), you might just have a mismatch of jtt and jtss versions. Make sure you use the latest versions (SOAP should be ok).

Also jTSS Wrapper for TrouSerS is not supported anymore.

Ronald

--
Dipl.-Ing. Ronald Tögl             phone +43 316/873-5502
Secure and Correct Systems         fax   +43 316/873-5520
IAIK                               ron...@ia...
Graz University of Technology      http://www.iaik.tugraz.at
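A reflection check for the jtt/jTSS version mismatch suggested in the reply above, added here as an example; it is not part of jTSS or jTpmTools. The class and method names come from the stack traces posted in this thread, and the class name JtssClasspathCheck is an assumption made for this example.

```java
import java.lang.reflect.Method;
import java.security.CodeSource;

/** Added diagnostic for this thread; not part of jTSS or jTpmTools. */
public class JtssClasspathCheck {

    /** One expectation about the classpath, taken from a posted stack trace. */
    static final class Probe {
        final String className;
        final String methodName;   // null: only check that the class loads
        final String returnType;   // return type the caller was compiled against
        final Class<?>[] params;

        Probe(String className, String methodName, String returnType, Class<?>... params) {
            this.className = className;
            this.methodName = methodName;
            this.returnType = returnType;
            this.params = params;
        }
    }

    /** Jar or directory the class was actually loaded from. */
    static String origin(Class<?> c) {
        CodeSource src = c.getProtectionDomain().getCodeSource();
        return (src == null || src.getLocation() == null)
                ? "<JDK runtime>" : src.getLocation().toString();
    }

    /** Lists every public method with the probed name, to show what the jar offers instead. */
    static String sameNameMethods(Class<?> c, String name) {
        StringBuilder sb = new StringBuilder();
        try {
            for (Method m : c.getMethods()) {
                if (m.getName().equals(name)) {
                    sb.append("\n        found: ").append(m);
                }
            }
        } catch (LinkageError e) {
            sb.append("\n        (could not enumerate methods: ").append(e).append(')');
        }
        return sb.length() == 0 ? "\n        no method of that name at all" : sb.toString();
    }

    /** Returns a line starting with "OK" or "FAIL" for one probe. */
    static String check(Probe p, ClassLoader loader) {
        Class<?> c;
        try {
            // initialize=false: locate the class without running static initializers
            c = Class.forName(p.className, false, loader);
        } catch (ClassNotFoundException | LinkageError e) {
            return "FAIL " + p.className + " is not loadable: " + e;
        }
        String where = " [from " + origin(c) + "]";
        if (p.methodName == null) {
            return "OK   " + p.className + where;
        }
        try {
            Method m = c.getMethod(p.methodName, p.params);
            // The JVM links on name AND full descriptor, so the return type must match too.
            String actual = m.getReturnType().getName();
            if (!actual.equals(p.returnType)) {
                return "FAIL " + m + " returns " + actual
                        + ", caller expects " + p.returnType + where;
            }
            return "OK   " + m + where;
        } catch (NoSuchMethodException e) {
            return "FAIL " + p.className + "." + p.methodName
                    + " with the expected parameters is missing" + where
                    + sameNameMethods(c, p.methodName);
        } catch (LinkageError e) {
            // A type used in the signature is itself missing from the classpath.
            return "FAIL " + p.className + " cannot be linked: " + e + where;
        }
    }

    public static void main(String[] args) {
        Probe[] probes = {
            // Class reported missing in the Windows run where the launcher could not call REG
            new Probe("iaik.tc.utils.cmdline.CommandlineException", null, null),
            // From the NoSuchMethodError: getMonotonicCounters(J)Liaik/tc/tss/api/tspi/TcIMonotonicCtr;
            new Probe("iaik.tc.tss.api.tspi.TcIContext", "getMonotonicCounters",
                      "iaik.tc.tss.api.tspi.TcIMonotonicCtr", long.class),
        };
        ClassLoader loader = JtssClasspathCheck.class.getClassLoader();
        int failures = 0;
        for (Probe p : probes) {
            String line = check(p, loader);
            if (line.startsWith("FAIL")) {
                failures++;
            }
            System.out.println(line);
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Run it with exactly the classpath the jtt launcher script passes to java; the origin printed for TcIContext shows which jTSS jar is actually being picked up.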
From: Ronald T. <ron...@ia...> - 2012-09-18 08:16:04
Hal,

The monotonic counter support is there, but not in the SOAP bindings (because there is no XML definition in the TCG specs).
You just need to configure your jTSS library for local bindings.

Ronald

--
Dipl.-Ing. Ronald Tögl             phone +43 316/873-5502
Secure and Correct Systems         fax   +43 316/873-5520
IAIK                               ron...@ia...
Graz University of Technology      http://www.iaik.tugraz.at
From: Hal F. <hal...@gm...> - 2012-09-18 03:21:59
|
I just got started with the trusted java software because I want to play with monotonic counters. I have used trousers, but the tcg did not think it useful to put counter create or increment in the tss spec, so trousers doesn't provide them.

Unfortunately, counter creation is not working with jtpmtools. I have tried with both jtss and the wrapper around the trousers tcsd. The error logs are below. It seems to be failing to find getMonotonicCounters. I've looked through what source code I have and I can't find this function.

Do monotonic counters really work? Do I need an extra library to supply the missing function? Any help would be appreciated.

Thanks!

sudo ./jtt.sh ctr_create --label rpla -o test >& err.log

---------------------
IAIK Java TPM Tools
---------------------

18:01:10:475 [INFO] TcTcsEventMgrMem::<init> (44): Using "in memory" event log.
Exception in thread "main" java.lang.NoSuchMethodError: iaik.tc.tss.api.tspi.TcIContext.getMonotonicCounters(J)Liaik/tc/tss/api/tspi/TcIMonotonicCtr;
    at iaik.tc.apps.jtt.ctr.MonotonicCtrCreate.execute(MonotonicCtrCreate.java:70)
    at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
    at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
    at iaik.tc.apps.JTpmTools.main(JTpmTools.java:224)

sudo ./jtt.sh ctr_create --label rpla -o test >& err-t.log

---------------------
IAIK Java TPM Tools
---------------------

18:00:16:819 [INFO] CommonSettings::getTssFactory (66): TrouSerS TSS detected. Using JNI bindings...
Exception in thread "main" java.lang.NoSuchMethodError: iaik.tc.tss.api.tspi.TcIContext.getMonotonicCounters(J)Liaik/tc/tss/api/tspi/TcIMonotonicCtr;
    at iaik.tc.apps.jtt.ctr.MonotonicCtrCreate.execute(MonotonicCtrCreate.java:70)
    at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
    at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
    at iaik.tc.apps.JTpmTools.main(JTpmTools.java:224) |
From: Hal F. <hal...@gm...> - 2012-09-18 03:08:25
|
I got started with the trusted java software because I want to play with monotonic counters. I have used trousers, but the tcg did not think it useful to put counter create or increment in the tss spec, so trousers doesn't provide them.

Unfortunately, counter creation is not working with jtpmtools. I have tried with both jtss and the wrapper around the trousers tcsd. The error logs are below. It seems to be failing to find getMonotonicCounters. I've looked through what source code I have and I can't find this function.

Do monotonic counters really work? Do I need an extra library to supply the missing function? Any help would be appreciated.

Thanks!

sudo ./jtt.sh ctr_create --label rpla -o test >& err.log

---------------------
IAIK Java TPM Tools
---------------------

18:01:10:475 [INFO] TcTcsEventMgrMem::<init> (44): Using "in memory" event log.
Exception in thread "main" java.lang.NoSuchMethodError: iaik.tc.tss.api.tspi.TcIContext.getMonotonicCounters(J)Liaik/tc/tss/api/tspi/TcIMonotonicCtr;
    at iaik.tc.apps.jtt.ctr.MonotonicCtrCreate.execute(MonotonicCtrCreate.java:70)
    at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
    at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
    at iaik.tc.apps.JTpmTools.main(JTpmTools.java:224)

sudo ./jtt.sh ctr_create --label rpla -o test >& err-t.log

---------------------
IAIK Java TPM Tools
---------------------

18:00:16:819 [INFO] CommonSettings::getTssFactory (66): TrouSerS TSS detected. Using JNI bindings...
Exception in thread "main" java.lang.NoSuchMethodError: iaik.tc.tss.api.tspi.TcIContext.getMonotonicCounters(J)Liaik/tc/tss/api/tspi/TcIMonotonicCtr;
    at iaik.tc.apps.jtt.ctr.MonotonicCtrCreate.execute(MonotonicCtrCreate.java:70)
    at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
    at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
    at iaik.tc.apps.JTpmTools.main(JTpmTools.java:224) |
From: Ronald T. <ron...@ia...> - 2012-09-10 15:28:06
|
Hello Shohei,

I am very sorry, but Transport Sessions are not supported in jTSS. If you really need them you would have to implement them yourself. I believe TrouSerS for C supports this feature.

I hope this helps a little bit,
Ronald

On 10.09.2012 10:44, Shohei Kakei wrote:
> Hello,
>
> I am a student at Gifu University, Japan.
> I am having trouble with establishing the transport session
> with a TPM.
> I don't know how to use "TPM_EstablishTransport" command.
> Any insight or help would be greatly appreciated.
>
> a program I wrote:
>     TcTddl dest = TcTddl.getInstance();
>     long encHandle = 1073741827L;
>     TcTpmTransportPublic transPublic = new TcTpmTransportPublic();
>     transPublic.setTag(TcTpmConstants.TPM_TAG_TRANSPORT_PUBLIC); // TPM_TAG_TRANSPORT_PUBLIC
>     transPublic.setTransAttributes(TcTpmConstants.TPM_TRANSPORT_LOG); // TPM_TRANSPORT_ATTRIBUTES
>     transPublic.setAlgId(TcTpmConstants.TPM_ALG_RSA); // TPM_ALGORITHM_ID
>     transPublic.setEncScheme(TcTpmConstants.TPM_ES_NONE); // TPM_ENC_SCHEME
>     TcBlobData secret = TcBlobData.newString("Hello.");
>     TcTcsAuth inAuth1 = TcTspInternal.TspOIAP_Internal(context_);
>     Object[] obj = TcTpmCmdTransport.TpmEstablishTransport(dest,
>         encHandle, transPublic, secret, inAuth1);
>
> console:
> TSS Error:
> error layer: 0x00 (TPM)
> error code (without layer): 0x19
> error code (full): 0x19
> error message: The paramSize argument to the command has the
> incorrect value
>
>     at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
>     at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdTransport.TpmEstablishTransport(TcTpmCmdTransport.java:81)
>     at kakei.jtss.test.TransportSession.Main.main(Main.java:50)
>
> Thanks,
> Shohei |
From: Shohei K. <sunrisel0c_0l.sunsetl-c_-lzzz@i.softbank.jp> - 2012-09-10 08:58:30
|
Hello,

I am a student at Gifu University, Japan.
I am having trouble with establishing the transport session with a TPM.
I don't know how to use "TPM_EstablishTransport" command.
Any insight or help would be greatly appreciated.

a program I wrote:
    TcTddl dest = TcTddl.getInstance();
    long encHandle = 1073741827L;
    TcTpmTransportPublic transPublic = new TcTpmTransportPublic();
    transPublic.setTag(TcTpmConstants.TPM_TAG_TRANSPORT_PUBLIC); // TPM_TAG_TRANSPORT_PUBLIC
    transPublic.setTransAttributes(TcTpmConstants.TPM_TRANSPORT_LOG); // TPM_TRANSPORT_ATTRIBUTES
    transPublic.setAlgId(TcTpmConstants.TPM_ALG_RSA); // TPM_ALGORITHM_ID
    transPublic.setEncScheme(TcTpmConstants.TPM_ES_NONE); // TPM_ENC_SCHEME
    TcBlobData secret = TcBlobData.newString("Hello.");
    TcTcsAuth inAuth1 = TcTspInternal.TspOIAP_Internal(context_);
    Object[] obj = TcTpmCmdTransport.TpmEstablishTransport(dest,
        encHandle, transPublic, secret, inAuth1);

console:
TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x19
error code (full): 0x19
error message: The paramSize argument to the command has the incorrect value

    at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
    at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdTransport.TpmEstablishTransport(TcTpmCmdTransport.java:81)
    at kakei.jtss.test.TransportSession.Main.main(Main.java:50)

Thanks,
Shohei |
From: Ronald T. <ron...@ia...> - 2012-09-05 12:57:40
|
Arshad,

You only gave us a selection of your error messages to look at and so there's plenty of room for interpretation and speculations...

jTSS has of course been doing resource management, key swapping and all that stuff since before there was a TPM 1.2 and ever since. There are some special cases when running on Windows, but this should not affect your setup at all.

So, all we really know is that something in your platform is broken that was not broken before...

I suggest you get a fresh box either with an up-to-date HW-TPM or Emulator to set up your OS, old and recent jTSS and your application step-by-step and report on the point where it fails, if ever.

Ronald

On 09/05/2012 02:44 PM, Arshad Noor wrote:
> I'm not sure why my browser does not display Ariel's full message, but
> I've copied it here in case others have similar problems:
>
> "At first glance, it sure looks like your TPM is out of key slots. The
> TSS is supposed to handle swapping keys in and out for you, so getting
> that from a TSS seems very odd. I'll also be honest and admit that I
> *thought* the TPM handled that for you (by simply dumping some loaded
> key for the new one) but it looks like LoadKey does, in fact, give back
> no space errors if there isn't room in memory for the key. At a glance,
> it looks like FlushSpecific is the command to use to explicitly force a
> key out. Presumably, your TSS isn't doing something right in its key
> management behind the scenes, although debugging that is going to be a
> pain in the neck, I'm afraid."
>
> Arshad
>
> On 09/05/2012 05:40 AM, Arshad Noor wrote:
>> Ronald,
>>
>> Any thoughts/comments on Ariel's response to my query on the Trousers
>> mailing list?
>>
>> http://sourceforge.net/mailarchive/forum.php?thread_name=7265F7B88E689F4B97101260F8F70B71013A99E2%40IMCMBX03.MITRE.ORG&forum_name=trousers-users
>>
>> Thanks.
>>
>> Arshad
>>
>> On 09/04/2012 07:30 AM, Ronald Tögl wrote:
>>> The jTSS test suite does not expect a general/systematic error.
>>> Actually, a TPM is expected to do a self-test at power-on, but I believe
>>> it is vendor specific what happens there.
>>>
>>> You could try to replace the TPM with the TPM Emulator to learn if the
>>> hardware or the software is failing.
>>>
>>> Ronald
>>>
>>> On 09/04/2012 02:53 PM, Arshad Noor wrote:
>>>> Thank you for your response, Ronald.
>>>>
>>>> I was afraid that your answer might be along these lines. The hardware
>>>> is about 2 years old and has been using the TPM everyday. So, it is
>>>> quite possible that the NVRAM has degraded.
>>>>
>>>> I will try your suggestions, but is there any test in the JTSS suite
>>>> that can confirm that the TPM has permanently failed? Or, must one
>>>> assume that if all/most of the tests fail?
>>>>
>>>> Thanks.
>>>>
>>>> Arshad
>>>>
>>>> On Sep 4, 2012, at 1:37 AM, Ronald Tögl <ron...@ia...>
>>>> wrote:
>>>>
>>>>> Hello Arshad,
>>>>>
>>>>> We have not encountered this before, but I'd guess that something in
>>>>> your ecosystem must have changed.
>>>>>
>>>>> Is it an issue with a specific piece of (old) hardware? Perhaps the
>>>>> TPM you use has aged and now encounters problems with its NV-storage
>>>>> memory.
>>>>>
>>>>> Or is it an issue that occurs in several devices?
>>>>> A not so obvious thing to check is the JCE library you use. Could
>>>>> there be a license issue?
>>>>> Some OS hotfix might also influence the setup, for instance a new TPM
>>>>> driver.
>>>>>
>>>>> Of course, you should also test if the newest jTSS version happens to
>>>>> fix for your issues.
>>>>>
>>>>> Ronald
>>>>>
>>>>>
>>>>> On 09/04/2012 06:14 AM, Arshad Noor wrote:
>>>>>> Hello,
>>>>>>
>>>>>> We've been using JTSS 0.5 for two years and it has been fairly
>>>>>> stable. However, suddenly without explanation, it has started
>>>>>> failing on almost all decryptions. Some of the error messages
>>>>>> are:
>>>>>>
>>>>>> -----------------------
>>>>>> iaik.tc.tss.api.exceptions.tcs.TcTcsException:
>>>>>> TSS Error:
>>>>>> error layer: 0x3000 (TSP)
>>>>>> error code (without layer): 0x04
>>>>>> error code (full): 0x3004
>>>>>> error message: unknown
>>>>>> additional info: Unable to determine LRU key handle
>>>>>>
>>>>>>     at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyHandleMgr.getTpmKhLruNotParent(TcTcsKeyHandleMgr.java:196)
>>>>>>     at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCacheTpm12.swapOutKeyNotParent(TcTcsKeyCacheTpm12.java:43)
>>>>>>     at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCache.ensureCanLoadKey(TcTcsKeyCache.java:205)
>>>>>>     at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyManager.LoadKey2ByBlob(TcTcsKeyManager.java:100)
>>>>>>     at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipLoadKey2ByBlob(TcTcsi.java:626)
>>>>>>     at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipLoadKey2ByBlob(TcTcsBindingLocal.java:121)
>>>>>>     at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKey2ByBlob_Internal(TcTspInternal.java:140)
>>>>>>     at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:633)
>>>>>> -----------------------
>>>>>>
>>>>>> Later on, similar attempts at the operation result in:
>>>>>>
>>>>>> -----------------------
>>>>>> iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>>>>>>
>>>>>> TSS Error:
>>>>>> error layer: 0x00 (TPM)
>>>>>> error code (without layer): 0x15
>>>>>> error code (full): 0x15
>>>>>> error message: The TPM has insufficient internal resources to perform
>>>>>> the requested action.
>>>>>>
>>>>>>     at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
>>>>>>     at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdAuthorization.TpmOIAP(TcTpmCmdAuthorization.java:52)
>>>>>>     at iaik.tc.tss.impl.java.tcs.authmgr.TcTcsAuthManager.startOIAP(TcTcsAuthManager.java:27)
>>>>>>     at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipOIAP(TcTcsi.java:2720)
>>>>>>     at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipOIAP(TcTcsBindingLocal.java:739)
>>>>>>     at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspOIAP_Internal(TcTspInternal.java:4064)
>>>>>>     at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:629)
>>>>>> -----------------------
>>>>>>
>>>>>> The details of our configuration:
>>>>>>
>>>>>> TPM: STM v1.2
>>>>>> OS: CentOS 5.3 (64-bit)
>>>>>> JDK: 6 Update 16 (64-bit)
>>>>>> JTSS: 0.5
>>>>>>
>>>>>> Any suggestions on what might be causing these problems suddenly on
>>>>>> something that has been behaving well for nearly two years? Thanks.
>>>>>>
>>>>>> Arshad Noor
>>>>>> StrongAuth, Inc.
>>>>>
>>>>> --
>>>>> Dipl.-Ing. Ronald Tögl phone +43 316/873-5502
>>>>> Secure and Correct Systems fax +43 316/873-5520
>>>>> IAIK ron...@ia...
>>>>> Graz University of Technology http://www.iaik.tugraz.at

--
Dipl.-Ing. Ronald Tögl phone +43 316/873-5502
Secure and Correct Systems fax +43 316/873-5520
IAIK ron...@ia...
Graz University of Technology http://www.iaik.tugraz.at |
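The "TSS Error" blocks quoted in this thread (0x3004, 0x15) and in the TPM_EstablishTransport post above (0x19) can be decoded mechanically when triaging such logs. The following is an added example, not code from the posters or from jTSS: it assumes the TSS 1.2 result layout (layer in bits 12-15, code in bits 0-11), maps only the three codes seen on this page to their specification names, and all function and variable names are this example's own.

```python
import re

# TSS 1.2 result word: bits 12-15 select the layer, bits 0-11 hold the code.
LAYERS = {0x0000: "TPM", 0x1000: "TDDL", 0x2000: "TCS", 0x3000: "TSP"}
# Specification names for the codes that occur on this page only (assumed scope).
TPM_CODES = {0x15: "TPM_RESOURCES", 0x19: "TPM_BAD_PARAM_SIZE"}
TSS_CODES = {0x04: "TSS_E_INTERNAL_ERROR"}

FIELD = re.compile(
    r"error (layer|code \(without layer\)|code \(full\)):\s*(0x[0-9a-fA-F]+)")
FRAME = re.compile(r"\bat\s+([\w.$]+)\([\w.]+:\d+\)")
QUOTE = re.compile(r"^(?:>\s?)+")

# Error blocks copied from the posts on this page; the line layout is
# reconstructed and each stack trace is cut to its top frame.
SAMPLE_LOG = """\
>>>>>> iaik.tc.tss.api.exceptions.tcs.TcTcsException:
>>>>>> TSS Error:
>>>>>> error layer: 0x3000 (TSP)
>>>>>> error code (without layer): 0x04
>>>>>> error code (full): 0x3004
>>>>>> error message: unknown
>>>>>> additional info: Unable to determine LRU key handle
>>>>>>
>>>>>> at
>>>>>> iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyHandleMgr.getTpmKhLruNotParent(TcTcsKeyHandleMgr.java:196)
>>>>>> iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>>>>>> TSS Error:
>>>>>> error layer: 0x00 (TPM)
>>>>>> error code (without layer): 0x15
>>>>>> error code (full): 0x15
>>>>>> error message: The TPM has insufficient internal resources to perform
>>>>>> the requested action.
>>>>>> at
>>>>>> iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x19
error code (full): 0x19
error message: The paramSize argument to the command has the incorrect value
at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
"""


def strip_quotes(text):
    """Drop mail quote prefixes ('>>> ') so quoted and unquoted logs parse alike."""
    return "\n".join(QUOTE.sub("", line).rstrip() for line in text.splitlines())


def parse_tss_errors(text):
    """Return one dict per 'TSS Error:' block found in text."""
    results = []
    for chunk in strip_quotes(text).split("TSS Error:")[1:]:
        fields = {key: int(value, 16) for key, value in FIELD.findall(chunk)}
        if "code (full)" not in fields:
            continue  # truncated block, nothing reliable to decode
        full = fields["code (full)"]
        layer, code = full & 0xF000, full & 0x0FFF
        names = TPM_CODES if layer == 0 else TSS_CODES
        frame = FRAME.search(chunk)
        results.append({
            "full": full,
            "layer": LAYERS.get(layer, "unknown"),
            "code": code,
            "name": names.get(code, "unlisted"),
            # The printed layer and code lines must agree with the full value.
            "consistent": fields.get("layer") == layer
            and fields.get("code (without layer)") == code,
            # Innermost frame: the component that raised the error.
            "raised_by": frame.group(1) if frame else None,
        })
    return results


if __name__ == "__main__":
    for err in parse_tss_errors(SAMPLE_LOG):
        print("0x%04x %-4s %-22s %s" % (
            err["full"], err["layer"], err["name"], err["raised_by"]))
```

For the 0x3004 block the decoded layer is TSP while the top frame sits in the TCS key cache manager (`TcTcsKeyHandleMgr`), a detail worth including when reporting the failure.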
From: Arshad N. <ars...@st...> - 2012-09-05 12:45:06
|
I'm not sure why my browser does not display Ariel's full message, but I've copied it here in case others have similar problems:

"At first glance, it sure looks like your TPM is out of key slots. The TSS is supposed to handle swapping keys in and out for you, so getting that from a TSS seems very odd. I'll also be honest and admit that I *thought* the TPM handled that for you (by simply dumping some loaded key for the new one) but it looks like LoadKey does, in fact, give back no space errors if there isn't room in memory for the key. At a glance, it looks like FlushSpecific is the command to use to explicitly force a key out. Presumably, your TSS isn't doing something right in its key management behind the scenes, although debugging that is going to be a pain in the neck, I'm afraid."

Arshad

On 09/05/2012 05:40 AM, Arshad Noor wrote:
> Ronald,
>
> Any thoughts/comments on Ariel's response to my query on the Trousers
> mailing list?
>
> http://sourceforge.net/mailarchive/forum.php?thread_name=7265F7B88E689F4B97101260F8F70B71013A99E2%40IMCMBX03.MITRE.ORG&forum_name=trousers-users
>
> Thanks.
>
> Arshad
>
> On 09/04/2012 07:30 AM, Ronald Tögl wrote:
>>
>> The jTSS test suite does not expect a general/systematic error.
>> Actually, a TPM is expected to do a self-test at power-on, but I believe
>> it is vendor specific what happens there.
>>
>> You could try to replace the TPM with the TPM Emulator to learn if the
>> hardware or the software is failing.
>>
>> Ronald
>>
>> On 09/04/2012 02:53 PM, Arshad Noor wrote:
>>> Thank you for your response, Ronald.
>>>
>>> I was afraid that your answer might be along these lines. The hardware
>>> is about 2 years old and has been using the TPM everyday. So, it is
>>> quite possible that the NVRAM has degraded.
>>>
>>> I will try your suggestions, but is there any test in the JTSS suite
>>> that can confirm that the TPM has permanently failed? Or, must one
>>> assume that if all/most of the tests fail?
>>>
>>> Thanks.
>>>
>>> Arshad
>>>
>>> On Sep 4, 2012, at 1:37 AM, Ronald Tögl <ron...@ia...>
>>> wrote:
>>>
>>>> Hello Arshad,
>>>>
>>>> We have not encountered this before, but I'd guess that something in
>>>> your ecosystem must have changed.
>>>>
>>>> Is it an issue with a specific piece of (old) hardware? Perhaps the
>>>> TPM you use has aged and now encounters problems with its NV-storage
>>>> memory.
>>>>
>>>> Or is it an issue that occurs in several devices?
>>>> A not so obvious thing to check is the JCE library you use. Could
>>>> there be a license issue?
>>>> Some OS hotfix might also influence the setup, for instance a new TPM
>>>> driver.
>>>>
>>>> Of course, you should also test if the newest jTSS version happens to
>>>> fix for your issues.
>>>>
>>>> Ronald
>>>>
>>>>
>>>> On 09/04/2012 06:14 AM, Arshad Noor wrote:
>>>>> Hello,
>>>>>
>>>>> We've been using JTSS 0.5 for two years and it has been fairly
>>>>> stable. However, suddenly without explanation, it has started
>>>>> failing on almost all decryptions. Some of the error messages
>>>>> are:
>>>>>
>>>>> -----------------------
>>>>> iaik.tc.tss.api.exceptions.tcs.TcTcsException:
>>>>> TSS Error:
>>>>> error layer: 0x3000 (TSP)
>>>>> error code (without layer): 0x04
>>>>> error code (full): 0x3004
>>>>> error message: unknown
>>>>> additional info: Unable to determine LRU key handle
>>>>>
>>>>>     at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyHandleMgr.getTpmKhLruNotParent(TcTcsKeyHandleMgr.java:196)
>>>>>     at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCacheTpm12.swapOutKeyNotParent(TcTcsKeyCacheTpm12.java:43)
>>>>>     at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCache.ensureCanLoadKey(TcTcsKeyCache.java:205)
>>>>>     at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyManager.LoadKey2ByBlob(TcTcsKeyManager.java:100)
>>>>>     at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipLoadKey2ByBlob(TcTcsi.java:626)
>>>>>     at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipLoadKey2ByBlob(TcTcsBindingLocal.java:121)
>>>>>     at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKey2ByBlob_Internal(TcTspInternal.java:140)
>>>>>     at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:633)
>>>>> -----------------------
>>>>>
>>>>> Later on, similar attempts at the operation result in:
>>>>>
>>>>> -----------------------
>>>>> iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>>>>>
>>>>> TSS Error:
>>>>> error layer: 0x00 (TPM)
>>>>> error code (without layer): 0x15
>>>>> error code (full): 0x15
>>>>> error message: The TPM has insufficient internal resources to perform
>>>>> the requested action.
>>>>>
>>>>>     at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
>>>>>     at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdAuthorization.TpmOIAP(TcTpmCmdAuthorization.java:52)
>>>>>     at iaik.tc.tss.impl.java.tcs.authmgr.TcTcsAuthManager.startOIAP(TcTcsAuthManager.java:27)
>>>>>     at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipOIAP(TcTcsi.java:2720)
>>>>>     at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipOIAP(TcTcsBindingLocal.java:739)
>>>>>     at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspOIAP_Internal(TcTspInternal.java:4064)
>>>>>     at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:629)
>>>>> -----------------------
>>>>>
>>>>> The details of our configuration:
>>>>>
>>>>> TPM: STM v1.2
>>>>> OS: CentOS 5.3 (64-bit)
>>>>> JDK: 6 Update 16 (64-bit)
>>>>> JTSS: 0.5
>>>>>
>>>>> Any suggestions on what might be causing these problems suddenly on
>>>>> something that has been behaving well for nearly two years? Thanks.
>>>>>
>>>>> Arshad Noor
>>>>> StrongAuth, Inc.
>>>>
>>>> --
>>>> Dipl.-Ing. Ronald Tögl phone +43 316/873-5502
>>>> Secure and Correct Systems fax +43 316/873-5520
>>>> IAIK ron...@ia...
>>>> Graz University of Technology http://www.iaik.tugraz.at |
From: Arshad N. <ars...@st...> - 2012-09-05 12:40:29
|
Ronald,

Any thoughts/comments on Ariel's response to my query on the Trousers mailing list?

http://sourceforge.net/mailarchive/forum.php?thread_name=7265F7B88E689F4B97101260F8F70B71013A99E2%40IMCMBX03.MITRE.ORG&forum_name=trousers-users

Thanks.

Arshad

On 09/04/2012 07:30 AM, Ronald Tögl wrote:
>
> The jTSS test suite does not expect a general/systematic error.
> Actually, a TPM is expected to do a self-test at power-on, but I believe
> it is vendor specific what happens there.
>
> You could try to replace the TPM with the TPM Emulator to learn if the
> hardware or the software is failing.
>
> Ronald
>
> On 09/04/2012 02:53 PM, Arshad Noor wrote:
>> Thank you for your response, Ronald.
>>
>> I was afraid that your answer might be along these lines. The hardware
>> is about 2 years old and has been using the TPM everyday. So, it is
>> quite possible that the NVRAM has degraded.
>>
>> I will try your suggestions, but is there any test in the JTSS suite
>> that can confirm that the TPM has permanently failed? Or, must one
>> assume that if all/most of the tests fail?
>>
>> Thanks.
>>
>> Arshad
>>
>> On Sep 4, 2012, at 1:37 AM, Ronald Tögl <ron...@ia...>
>> wrote:
>>
>>> Hello Arshad,
>>>
>>> We have not encountered this before, but I'd guess that something in
>>> your ecosystem must have changed.
>>>
>>> Is it an issue with a specific piece of (old) hardware? Perhaps the
>>> TPM you use has aged and now encounters problems with its NV-storage
>>> memory.
>>>
>>> Or is it an issue that occurs in several devices?
>>> A not so obvious thing to check is the JCE library you use. Could
>>> there be a license issue?
>>> Some OS hotfix might also influence the setup, for instance a new TPM
>>> driver.
>>>
>>> Of course, you should also test if the newest jTSS version happens to
>>> fix for your issues.
>>>
>>> Ronald
>>>
>>>
>>> On 09/04/2012 06:14 AM, Arshad Noor wrote:
>>>> Hello,
>>>>
>>>> We've been using JTSS 0.5 for two years and it has been fairly
>>>> stable. However, suddenly without explanation, it has started
>>>> failing on almost all decryptions. Some of the error messages
>>>> are:
>>>>
>>>> -----------------------
>>>> iaik.tc.tss.api.exceptions.tcs.TcTcsException:
>>>> TSS Error:
>>>> error layer: 0x3000 (TSP)
>>>> error code (without layer): 0x04
>>>> error code (full): 0x3004
>>>> error message: unknown
>>>> additional info: Unable to determine LRU key handle
>>>>
>>>>     at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyHandleMgr.getTpmKhLruNotParent(TcTcsKeyHandleMgr.java:196)
>>>>     at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCacheTpm12.swapOutKeyNotParent(TcTcsKeyCacheTpm12.java:43)
>>>>     at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCache.ensureCanLoadKey(TcTcsKeyCache.java:205)
>>>>     at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyManager.LoadKey2ByBlob(TcTcsKeyManager.java:100)
>>>>     at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipLoadKey2ByBlob(TcTcsi.java:626)
>>>>     at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipLoadKey2ByBlob(TcTcsBindingLocal.java:121)
>>>>     at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKey2ByBlob_Internal(TcTspInternal.java:140)
>>>>     at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:633)
>>>> -----------------------
>>>>
>>>> Later on, similar attempts at the operation result in:
>>>>
>>>> -----------------------
>>>> iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>>>>
>>>> TSS Error:
>>>> error layer: 0x00 (TPM)
>>>> error code (without layer): 0x15
>>>> error code (full): 0x15
>>>> error message: The TPM has insufficient internal resources to perform
>>>> the requested action.
>>>>
>>>>     at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
>>>>     at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdAuthorization.TpmOIAP(TcTpmCmdAuthorization.java:52)
>>>>     at iaik.tc.tss.impl.java.tcs.authmgr.TcTcsAuthManager.startOIAP(TcTcsAuthManager.java:27)
>>>>     at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipOIAP(TcTcsi.java:2720)
>>>>     at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipOIAP(TcTcsBindingLocal.java:739)
>>>>     at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspOIAP_Internal(TcTspInternal.java:4064)
>>>>     at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:629)
>>>> -----------------------
>>>>
>>>> The details of our configuration:
>>>>
>>>> TPM: STM v1.2
>>>> OS: CentOS 5.3 (64-bit)
>>>> JDK: 6 Update 16 (64-bit)
>>>> JTSS: 0.5
>>>>
>>>> Any suggestions on what might be causing these problems suddenly on
>>>> something that has been behaving well for nearly two years? Thanks.
>>>>
>>>> Arshad Noor
>>>> StrongAuth, Inc.
>>>
>>> --
>>> Dipl.-Ing. Ronald Tögl phone +43 316/873-5502
>>> Secure and Correct Systems fax +43 316/873-5520
>>> IAIK ron...@ia...
>>> Graz University of Technology http://www.iaik.tugraz.at |
From: Ronald T. <ron...@ia...> - 2012-09-04 14:30:46

The jTSS test suite does not expect a general/systematic error. Actually, a TPM is expected to do a self-test at power-on, but I believe it is vendor specific what happens there.

You could try to replace the TPM with the TPM Emulator to learn if the hardware or the software is failing.

Ronald

--
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

From: Arshad N. <ars...@st...> - 2012-09-04 12:53:36

Thank you for your response, Ronald.

I was afraid that your answer might be along these lines. The hardware is about 2 years old and has been using the TPM every day. So, it is quite possible that the NVRAM has degraded.

I will try your suggestions, but is there any test in the JTSS suite that can confirm that the TPM has permanently failed? Or, must one assume that if all/most of the tests fail?

Thanks.

Arshad

From: Ronald T. <ron...@ia...> - 2012-09-04 09:08:19

Hello Arshad,

We have not encountered this before, but I'd guess that something in your ecosystem must have changed.

Is it an issue with a specific piece of (old) hardware? Perhaps the TPM you use has aged and now encounters problems with its NV-storage memory.

Or is it an issue that occurs in several devices?
A not so obvious thing to check is the JCE library you use. Could there be a license issue?
Some OS hotfix might also influence the setup, for instance a new TPM driver.

Of course, you should also test if the newest jTSS version happens to fix your issues.

Ronald

--
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

From: Arshad N. <ars...@st...> - 2012-09-04 04:14:21

Hello,

We've been using JTSS 0.5 for two years and it has been fairly stable. However, suddenly without explanation, it has started failing on almost all decryptions. Some of the error messages are:

-----------------------
iaik.tc.tss.api.exceptions.tcs.TcTcsException:
TSS Error:
error layer: 0x3000 (TSP)
error code (without layer): 0x04
error code (full): 0x3004
error message: unknown
additional info: Unable to determine LRU key handle

    at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyHandleMgr.getTpmKhLruNotParent(TcTcsKeyHandleMgr.java:196)
    at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCacheTpm12.swapOutKeyNotParent(TcTcsKeyCacheTpm12.java:43)
    at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyCache.ensureCanLoadKey(TcTcsKeyCache.java:205)
    at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyManager.LoadKey2ByBlob(TcTcsKeyManager.java:100)
    at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipLoadKey2ByBlob(TcTcsi.java:626)
    at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipLoadKey2ByBlob(TcTcsBindingLocal.java:121)
    at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKey2ByBlob_Internal(TcTspInternal.java:140)
    at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:633)
-----------------------

Later on, similar attempts at the operation result in:

-----------------------
iaik.tc.tss.api.exceptions.tcs.TcTpmException:

TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x15
error code (full): 0x15
error message: The TPM has insufficient internal resources to perform the requested action.

    at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
    at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdAuthorization.TpmOIAP(TcTpmCmdAuthorization.java:52)
    at iaik.tc.tss.impl.java.tcs.authmgr.TcTcsAuthManager.startOIAP(TcTcsAuthManager.java:27)
    at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipOIAP(TcTcsi.java:2720)
    at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipOIAP(TcTcsBindingLocal.java:739)
    at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspOIAP_Internal(TcTspInternal.java:4064)
    at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(TcRsaKey.java:629)
-----------------------

The details of our configuration:

TPM: STM v1.2
OS: CentOS 5.3 (64-bit)
JDK: 6 Update 16 (64-bit)
JTSS: 0.5

Any suggestions on what might be causing these problems suddenly on something that has been behaving well for nearly two years? Thanks.

Arshad Noor
StrongAuth, Inc.

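A small triage helper for logs like the ones quoted in the message above, added here as an example and not part of the thread or of jTSS: it parses each "TSS Error" block, splits the full result code into layer and layer-specific code, and records the first stack frame so that codes returned by the TPM can be told apart from errors raised in the software stack. The function names and the trimmed sample log are constructed for illustration; the TDDL and TCS layer values are taken from the TSS 1.2 result-code layout, not from the page.

```python
import re
from collections import Counter

# TSS 1.2 result codes: originating layer in bits 12-15, error number in the
# low 12 bits. TPM and TSP appear in the thread; TDDL/TCS are from the spec.
LAYERS = {0x0000: "TPM", 0x1000: "TDDL", 0x2000: "TCS", 0x3000: "TSP"}

# Constructed sample: the two error blocks from the thread, frames trimmed.
SAMPLE_LOG = """\
iaik.tc.tss.api.exceptions.tcs.TcTcsException:
TSS Error:
error layer: 0x3000 (TSP)
error code (without layer): 0x04
error code (full): 0x3004
error message: unknown
additional info: Unable to determine LRU key handle

at iaik.tc.tss.impl.java.tcs.kcmgr.TcTcsKeyHandleMgr.getTpmKhLruNotParent(TcTcsKeyHandleMgr.java:196)
iaik.tc.tss.api.exceptions.tcs.TcTpmException:

TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x15
error code (full): 0x15
error message: The TPM has insufficient internal resources to perform
the requested action.

at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
"""

EXC_RE = re.compile(r"^(iaik\.tc\.tss\.api\.exceptions\.\S+?):[ \t]*$", re.M)
FULL_RE = re.compile(r"error code \(full\):\s*(0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*at\s+(\S+)\(", re.M)

def decode(result):
    """Split a full TSS result code into (layer name, layer-specific code)."""
    layer = result & 0xF000
    return LAYERS.get(layer, hex(layer)), result & 0x0FFF

def parse_errors(log):
    """Cut the log into exception blocks and decode each block's result code."""
    starts = [m.start() for m in EXC_RE.finditer(log)] + [len(log)]
    records = []
    for begin, end in zip(starts, starts[1:]):
        block = log[begin:end]
        full = FULL_RE.search(block)
        if not full:
            continue  # exception without a TSS result code
        layer, code = decode(int(full.group(1), 16))
        frame = FRAME_RE.search(block)
        records.append({
            "exception": EXC_RE.match(block).group(1).rsplit(".", 1)[-1],
            "layer": layer, "code": code,
            "raised_in": frame.group(1) if frame else None,  # first frame
        })
    return records

def summarize(records):
    # Count failures per (layer, code) to see which layer dominates.
    return Counter((r["layer"], r["code"]) for r in records)
```

Run over a full application log, `summarize(parse_errors(text))` shows at a glance whether failures are dominated by codes the TPM itself returned or by errors raised in the TSS layers, which is the same hardware-versus-software split the emulator swap is meant to establish.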
From: Martin P. <Mar...@ia...> - 2012-07-18 08:31:19

On 2012-07-18 04:24, Jonathan M. Chu wrote:
> When I try to run privacyCA server with sun JAVA 7, I get error
> ./resources/certs/caaik.pkey Unable to decrypt private key: javax.crypto.BadPaddingException: Given final block not properly padded
>
> Do you know how I can fix it?

The code has never been run with Java 7 as the project where this was all developed has ended quite some time ago and Java 7 did not yet exist back then. Consider the PCA code "AS IS", unmaintained/experimental.

However, please report back if you find that Java 7 requires some specific fixes to make it run, others might want to know.

HTH,
Martin

From: Martin P. <Mar...@ia...> - 2012-07-18 08:25:26

On 2012-07-17 22:28, Jonathan M. Chu wrote:
> I was wondering if the privacyCA worked with JTSS?
> In the documentation it said it had to work with Trousers and doesn't mention JTSS.

The documentation for the PCA C client gives TrouSerS as a requirement, all the Java code runs with pure jTSS, of course.

HTH,
Martin

From: Jonathan M. C. <des...@gm...> - 2012-07-18 02:24:32

Hi,

When I try to run privacyCA server with sun JAVA 7, I get error
./resources/certs/caaik.pkey Unable to decrypt private key: javax.crypto.BadPaddingException: Given final block not properly padded

Do you know how I can fix it?

-Jon

From: Jonathan M. C. <des...@gm...> - 2012-07-17 20:29:04

Hi,

I was wondering if the privacyCA worked with JTSS?
In the documentation it said it had to work with Trousers and doesn't mention JTSS.

-Jonathan