trustedjava-support — Trusted Java General Support

[Trustedjava-support] tests fail , windows 7

[Jeppsen, I. B <JEP...@ba...>]

Hi,
I've been trying to get jtss to work on a windows 7 box and have gotten the "run_tests_simple.cmd" to work but can't seem to get the "run_tests.cmd" to work.  The error says that TakeOwnership command fails (even though i've provided the owner password via the command line).  Any thoughts on getting the tests to work would be appreciated.

Thanks,
IB

Isaac Ben Jeppsen

Here is the output from the command prompt (run as administrator):
  ----------------------------------
   IAIK                        jTSS
  - - - - -                - - - - -
              Test Suite
     (c) Copyright 2006-9, IAIK,
    Graz University of Technology
  ----------------------------------
16:29:37:227 [DEBUG] TestMain::allTests (54):   testsuite starting up
.16:29:38:444 [INFO] TestContext::testContextCreation (37):     TPM version : Ve
rsion: 1.2.3.17
16:29:38:450 [INFO] TestContext::testContextCreation (47):      TCS version : Ve
rsion: 1.2.0.7
16:29:38:451 [INFO] TestContext::testContextCreation (50):      TSP version : Ve
rsion: 1.2.0.7
.16:29:38:572 [INFO] TestTakeOwnership::testTakeOwnership (36): TPM ownership co
mmand is disabled
.16:29:38:753 [INFO] TestTpm::testGetEndorsementKeyNoOwnerSelfValidate (133):
Reading public EK without owner authorization is disabled.
.16:29:38:936 [INFO] TestTpm::testReadCurrentCounter (241):     There is no coun
ter active
..16:29:39:359 [INFO] TestTpm::testGetEndorsementKeyNoOwner (93):       Reading
public EK without owner authorization is disabled.
.............Terminate batch job (Y/N)? y

Re: [Trustedjava-support] TPM_NV_INDEX_TRIAL - wrong value

[Michael G. <m.g...@tu...>]

On 05/14/2012 07:31 PM, Michael StJohns wrote:
> Hi --

Hi Michael,

> For some reason, TcTpmConstants.TPM_NV_INDEX_TRIAL has the "D" bit
> set.    This is probably a bug.

I agree that this is not the best value for this constant. It will be 
changed to 0x0000f004 in a future release. Anyhow please note that it's 
a valid index according to the specification.

> I used the constant in TcINvRam.defineSpace (in TcTpmNvData) to see if I
> had space to create a 100 octet space.  What I ended up with was a
> permanent 100 octet space that I can't get rid of.

What exactly do you mean by 'can't get rid of'? According to the TPM 
specification this should not happen. When you try to define an index 
with the D-bit set, a shipped TPM should return TPM_BADINDEX. Which TPM 
do you use? Is the TPM's nvLocked bit set to true? If it is not, then 
D-bit indices can be defined, but also deleted.

Can you please provide the output of the following commands?

jtt tpm_version
jtt tpm_flags
jtt nv_decode --index 0x1000f004

> When I use the correct value - 0xF004 - as the index, I get the
> anticipated behavior.  A "success" results in a return with no creation.

That's what I would have expected ;)

> I'd review all of the TPM_NV_INDEX_* values and make sure you're using
> the correct values.

Both versions with and without D-bit set are correct. For compatibility 
reasons the other constants will remain unchanged.

> Mike

HTH,
Michael

Re: [Trustedjava-support] Can jTSS use an external database for persistent storage?

[Ronald T. <ron...@ia...>]

Hi Jon,

Both persistent storage implementations are very simple. They just store 
the keys in the file system location provided. Also the "database" class 
just dumps DB tables there.
If you need a proper database providing (serious) concurrent services to 
different host you'll need to implement the 
iaik.tc.tss.impl.ps.TcITssPersistentStorage interface yourself.

In case you just want to store TPM keys remotely, you could of course 
just mount a remote location in the local file system and use the 
iaik.tc.tss.impl.ps.TcTssPsFileSystem implementation with all its 
shortcomings. Caveats are to have separate folders with the correct 
access rights for the jTSS process(es) and that a SRK is expected to be 
in the system DB. SRK extraction and storage is a convenient side effect 
of taking ownership with jTT.

Hope this helps,
Ronald

On 07/05/2012 09:44 PM, Jonathan McCune wrote:
> Howdy,
>
> It's unclear to me from the documentation whether setting jTSS to use
> the database (i.e., line
> 'type=iaik.tc.tss.impl.ps.TcTssSystemPsDatabase' in
> /usr/share/jtss/lib/ini/jtss_tcs.ini) flavor of persistent storage
> also enables one to use an outside database.  I would like to use a
> stand-alone database server if possible to facilitate testing multiple
> hosts that all boot identical read-only filesystem images.
>
> Thanks,
> -Jon
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support


-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

[Trustedjava-support] Can jTSS use an external database for persistent storage?

[Jonathan M. <jon...@cm...>]

Howdy,

It's unclear to me from the documentation whether setting jTSS to use
the database (i.e., line
'type=iaik.tc.tss.impl.ps.TcTssSystemPsDatabase' in
/usr/share/jtss/lib/ini/jtss_tcs.ini) flavor of persistent storage
also enables one to use an outside database.  I would like to use a
stand-alone database server if possible to facilitate testing multiple
hosts that all boot identical read-only filesystem images.

Thanks,
-Jon

[Trustedjava-support] connection of jsr321 with tpm emulator is, getting failed

[Ronald T. <ron...@ia...>]

Hello,

We should probably take this discussion to the trustedJava mailing list.

Anyway, apparently you seem to have issues with the jTSS component that 
is needed between TPM (emulator) and the JSR321 RI.
You'll need to be more specific on what you aactually did before we can 
help you.
Have you followed the installation guide at 
http://java.net/projects/jsr321/pages/GettingStartedGuide ?

Best regards,
Ronald

On 07/04/2012 12:00 PM, tpm...@li... wrote:
> Send tpm-emulator-user mailing list submissions to
> 	tpm...@li...
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://lists.berlios.de/mailman/listinfo/tpm-emulator-user
> or, via email, send a message with subject or body 'help' to
> 	tpm...@li...
>
> You can reach the person managing the list at
> 	tpm...@li...
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of tpm-emulator-user digest..."
>
>
> Today's Topics:
>
>     1. connection of jsr321 with tpm emulator is	getting failed
>        (shreya sharma)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 4 Jul 2012 11:53:08 +0530
> From: shreya sharma <shr...@gm...>
> To: tpm...@li...
> Subject: [tpm-emulator-user] connection of jsr321 with tpm emulator is
> 	getting failed
> Message-ID:
> 	<CAF...@ma...>
> Content-Type: text/plain; charset="iso-8859-1"
>
> I Have installed TPM Emulator on Ubuntu 12.04. The installation was
> successful. I have a file /dev/tpm made. However when I try to connect
> using JSR 321 following error message comes:
>
> 15:22:52:547 [ERROR] TcTcsBindingSoap::connect (116):    There seems no TCS
> running
> 15:22:52:560 [ERROR] TcTcsBindingSoap::connect (116):    There seems no TCS
> running
> iaik.tc.tss.api.exceptions.
> tsp.TcTspException:
>
> TSS Error:
> error layer:                0x3000 (TSP)
> error code (without layer): 0x0103
> error code (full):          0x3103
> error message: Core Service connection failed.
>
>      at
> iaik.tc.tss.impl.java.tsp.tcsbinding.soapservice.TcTcsBindingSoap.connect(TcTcsBindingSoap.java:117)
>      at
> iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspContextConnect_Internal(TcTspInternal.java:368)
>      at iaik.tc.tss.impl.java.tsp.TcContext.connect(TcContext.java:174)
>      at iaik.tc.apps.jtt.tpm.TpmFlags.execute(TpmFlags.java:36)
>      at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
>      at
> iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
>      at iaik.tc.apps.JTpmTools.main(JTpmTools.java:224)
>
>
> Kindly let me know how to reslove this issue.
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.berlios.de/pipermail/tpm-emulator-user/attachments/20120704/347db9ce/attachment-0001.html>
>
> ------------------------------
>
> _______________________________________________
> tpm-emulator-user mailing list
> tpm...@li...
> https://lists.berlios.de/mailman/listinfo/tpm-emulator-user
>
> End of tpm-emulator-user Digest, Vol 40, Issue 2
> ************************************************


-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

Re: [Trustedjava-support] How do you pull the activated identity for signing a quote?

[Ronald T. <ron...@ia...>]

Hello David,

Please be a bit more specific. Where to you want to "pull" what to? And 
how was it pushed there anyway? ;)
Your code looks fine at a first glimpse. Is it code working? Then you've 
already achieved a lot...

Ronald

Am 20.06.2012 02:40, schrieb dna...@de...:
> After successfully running the activateIdentity command, how do I pull
> the activated AIK from the TPM for signing the quote?  I could not find
> any sample code that demonstrates this.
>
> At the moment, I am registering the AIK PubKey to the TPM using a UUID
> during the collateIdentityRequest command.  I then pull it at a later
> point in time when I wish to sign the quote.  I don't think the current
> way I am doing this is the correct way.  Any insight or direction would
> be greatly appreciated.
>
> TcITpm tpm = context_.getTpmObject();
> TestDefines.tpmPolicy.assignToObject(tpm);
> UUID uuid = UUID.fromString("2426c67e-9a0f-4588-bde5-fde2c23b0be9");
> TcTssUuid keyUUID =
> TcUuidFactory.getInstance().convertUuidJavaToTss(uuid);
> TcIRsaKey aikKey =
> context_.getKeyByUuid(TcTssConstants.TSS_PS_TYPE_SYSTEM, keyUUID);
>
> setAIKKeyPolicies(aikKey);
> aikKey.loadKey(srk_);
> ..... etc
>
> Object[] tpmOutData = tpm.quote2(aikKey, false, pcrComp, null);
>
> ..... etc
>
> Thanks,
> David
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support

[Trustedjava-support] How do you pull the activated identity for signing a quote?

[<dna...@de...>]

After successfully running the activateIdentity command, how do I pull 
the activated AIK from the TPM for signing the quote?  I could not find 
any sample code that demonstrates this.

At the moment, I am registering the AIK PubKey to the TPM using a UUID 
during the collateIdentityRequest command.  I then pull it at a later 
point in time when I wish to sign the quote.  I don't think the current 
way I am doing this is the correct way.  Any insight or direction would 
be greatly appreciated.

TcITpm tpm = context_.getTpmObject();
TestDefines.tpmPolicy.assignToObject(tpm);
UUID uuid = UUID.fromString("2426c67e-9a0f-4588-bde5-fde2c23b0be9");
TcTssUuid keyUUID = 
TcUuidFactory.getInstance().convertUuidJavaToTss(uuid);
TcIRsaKey aikKey = 
context_.getKeyByUuid(TcTssConstants.TSS_PS_TYPE_SYSTEM, keyUUID);

setAIKKeyPolicies(aikKey);
aikKey.loadKey(srk_);
..... etc

Object[] tpmOutData = tpm.quote2(aikKey, false, pcrComp, null);

..... etc

Thanks,
David

Re: [Trustedjava-support] Create/Load AIK key

[Martin P. <Mar...@ia...>]

On 2012-06-04 19:13, dna...@de... wrote:
> I am having trouble with loading the same AIK key that I had created
> previously from a collateIdenitiyRequest command.  The AIK does not
> appear to be migrateable

An AIK is never migrateable.

collateIdentity calls the MakeIdentity low-level command of the TPM.
See TPM specs part3, section 15.1 TPM_MakeIdentity, action 5:

   "Verify that idKeyParams -> keyFlags -> migratable is FALSE.
    If it is not, return TPM_INVALID_KEYUSAGE"

The TPM refuses to create migrateable AIKs.


> and I cannot figure out how to load it using the JTSS API.

Once created, an AIK key blob is just like any other TPM key blob.


HTH,
Martin

[Trustedjava-support] Load/ Save AIK key from TPM's NV ram

[<dna...@de...>]

I am having trouble with loading the same AIK key that I had created 
previously from a collateIdenitiyRequest command.  The AIK does not 
appear to be migrateable and I cannot figure out how to load it using 
the JTSS API.  I have outlined some of the test code I found in the JTSS 
to show you how I am creating my aikKey.  When I run the 
activateIdentity command at another point in time, I need some way of 
loading the same AIK key that I created in the collateIdentityReq.  Any 
insight or help would be greatly appreciated.


public TcBlobData clientCollateIdentityReq(PublicKey caPublicKey) 
throws TcTssException, IOException
	{
		// get TPM object and set its policy
		TcITpm tpm = context_.getTpmObject();
		TestDefines.tpmPolicy.assignToObject(tpm);

		// create identity key template
		aikKey_ = 
context_.createRsaKeyObject(TcTssConstants.TSS_KEY_TYPE_IDENTITY
				| TcTssConstants.TSS_KEY_SIZE_2048 | 
TcTssConstants.TSS_KEY_AUTHORIZATION
				| TcTssConstants.TSS_KEY_VOLATILE | 
TcTssConstants.TSS_KEY_MIGRATABLE/*TSS_KEY_NOT_MIGRATABLE*/);

//		TcITpmKey idKeyParams = ((TcRsaKey) aikKey_).getInternalTpmKey();

		// set usage secret for identity key
		TcIPolicy aikUsgPol = 
context_.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
		aikUsgPol.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
TcBlobData.newString("aikSecret"));
		aikUsgPol.assignToObject(aikKey_);
		TcIPolicy aikMigPol = 
context_.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
		aikMigPol.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, 
TcBlobData.newString("none"));
		aikMigPol.assignToObject(aikKey_);

		// get the public key of the selected privacy CA (how to obtain this 
key is beyond the scope of
		// this test case)
		TcIRsaKey pubKeyPrivacyCa = getPrivacyCaPubKey(caPublicKey);

		// do the CollateIdentityReq call
		TcBlobData collIdReqBlob = tpm.collateIdentityRequest(srk_, 
pubKeyPrivacyCa,
				clientGetIdLabel(), aikKey_, SYM_ALGO_TSS);



		return collIdReqBlob;
	}


	public void activateIdentity(String caResponse) throws TcTssException{

                 //TODO we need to load the original AIK from the TPM's 
NV ram
		this.aikKey_ = null;
                 aikKey_.loadKey(srk_);

		// STEP 5 (Client): The encrypted sym and asym blobs are received by 
the client. The new
		// identity is activated by the client.
		byte[] caResponseRaw = Base64.decode(caResponse.getBytes());
		byte[] asymSize = new byte[4];
		System.arraycopy(caResponseRaw, 0, asymSize, 0, 4);
		int symLength = ByteArrayUtil.byteArrayToInt(asymSize);
		byte[] symCaContentsRaw = new byte[symLength];
		System.arraycopy(caResponseRaw, 4, symCaContentsRaw, 0, symLength);

		int asymLength = (caResponseRaw.length - 4 - symLength);
		byte[] asymCaContentsRaw = new byte[asymLength];
		System.arraycopy(caResponseRaw, (4 + symLength), asymCaContentsRaw, 
0, asymLength);

		TcBlobData symCaAttestationEncrypted = 
TcBlobData.newByteArray(symCaContentsRaw);
		TcBlobData asymCaContentsEncrypted = 
TcBlobData.newByteArray(asymCaContentsRaw);
		try {
			TcBlobData aikCredential = 
clientActivateIdentity(symCaAttestationEncrypted, 
asymCaContentsEncrypted);
//			if (aikCredential.equals(caMock.getExpectedAikCredential_())) {
//				Log.info("AIK credential successfully received and activated at 
the client");
//			} else {
//				Log.warn("AIK credential creation failed");
//			}
		} catch (TcTssException e) {
			System.err.println(e.getMessage());
		}
	}

Thanks,
David

Re: [Trustedjava-support] EK certificate storage

[Martin P. <Mar...@ia...>]

Hi...

On 2012-05-28 19:09, dna...@de... wrote:
> Is there a way to to install EK certificates to the the TPM's NV ram

An EK certificate in the TPM's NV ram is located in an NV area with
a well-known index.

If you run jTpmTools nv_decode command you can examine the NV area in
more detail. An example output on an IFX TPM may look like this:

   8 indices in NV storage found
   use '--index xxxxxxxx' for full details
   (append '--raw' for additional raw hex dump of content)
   (append '--dump-file path' to dump the content of index to a file)

   Index         Size        TPUD   Description
   ------------------------------------------------------------------------
   0x20000001     256 bytes  ..U.   tboot Verified Launch Policy
   0x10000001      20 bytes  ...D   deprecated DIR command area from TPM 1.1
   0x1000f000    1704 bytes  ...D   TPM Endorsement Key Certificate
   0x30000001     576 bytes  ..UD   unknown index
   0x50000001      34 bytes  .P.D   Intel TXT INDEX_LCP_DEF
   0x20000002       8 bytes  ..U.   tboot launch error index
   0x50000002      64 bytes  .P.D   Intel TXT INDEX_AUX
   0x40000001      34 bytes  .P..   Intel TXT INDEX_LCP_OWN


Here you see that the EK cert is at index 0x1000f000.
Please see the TPM specifications part 2, chapter 19.1 "TPM_NV_INDEX"
for an explanation of the index number.

You may use the other options of nv_decode to explore the NV data
areas in more detail.


In theory, on a TPM without preloaded EK certificate you may just
setup a correct NV area on your own and load your own certificate.

In practice, we know no one who has ever tried this.


> that have been either self signed or issued by a privacy certificate
> authority?

The EK cert is the proof that there is really a hardware TPM and not
some kind of TPM software emulation on a platform.

You can create your own EK certificate - our tccert library should
provide all the necessary X509 certificate data structures - however
then you have to convince some other party that your self-created
cert is of any value.


> At the moment I am having an issue with collateIdentityRequest Command
> not sending the EK public key in its Identity Proof for manufacturers
> that are not IFX.  Is there a way around this problem?

In the best case a TSS can automatically use the EK cert provided
on-chip as it is in a defined location - see above.

However, depending on the TSS you use you may just provide the EK cert
in a different way. With TrouSerS you may set in tcsd.conf the path
to the EK cert file and TrouSerS then uses this one.

Alternatively, you can explicitly provide the TSS with an EK cert
at program runtime, in jTSS this can be achieved like

  TcITpm tpm = context_.getTpmObject();
  tpm.setAttribData(TcTssConstants.TSS_TSPATTRIB_TPM_CREDENTIAL,
                    TcTssConstants.TSS_TPMATTRIB_EKCERT, ekcertblob);

Please see the TSS specification and our JTpmTools code examples for
more details.


HTH,
Martin

Re: [Trustedjava-support] Error on static initializer for TcTddlVista.java

[Ronald T. <ron...@ia...>]

Michael,

This is a very curious bug that has never happened in my tests, 
especially as the library loading mechanism has worked fine for years. 
jTSS has been tested against various versions of the JRE/JDK and also 
different
Windows releases.

Could you be using a very new or very old JRE? Or did you do some manual 
installations or configurations of class- and library paths?

Please specify your exact configuration.

Ronald


On 05/28/2012 05:52 AM, Michael StJohns wrote:
> In the initializer for iaik.tc.tss.impl.java.tddl.TcTddlVista  you
> programatically append a ".dll" to the end of the library name (either
> jTssTddlVista or jTssTddlVistax64 and then feed that to
> "System.loadLibrary()".
>
> The problem is that System.loadLibrary does mapping of the name you pass
> in to append the appropriate suffix based on the type of operating
> system.  So "jTssTddlVista.dll" gets mapped to "jTssTddlVista.dll.dll" -
> which obviously appears nowhere in the paths.
>
>
> The fix is to not add the suffix manually.  (Lines 51, 52, 77 and 78).
>
> I finally got the direct path to work by manually renaming a file to the
> double "dll" suffix.
>
> Mike
>
>
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support


-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

[Trustedjava-support] EK certificate storage

[<dna...@de...>]

Hello,

Is there a way to to install EK certificates to the the TPM's NV ram 
that have been either self signed or issued by a privacy certificate 
authority?

At the moment I am having an issue with collateIdentityRequest Command 
not sending the EK public key in its Identity Proof for manufacturers 
that are not IFX.  Is there a way around this problem?

Please disregard/ delete my last post as it was sent accidentally.

Regards,
David

[Trustedjava-support] Help - I would like to post to your mailing list

[<dna...@de...>]

Please add me to your mailing list so I may post to it.

Thanks,
David

[Trustedjava-support] Error on static initializer for TcTddlVista.java

[Michael S. <ms...@nt...>]

In the initializer for iaik.tc.tss.impl.java.tddl.TcTddlVista  you 
programatically append a ".dll" to the end of the library name (either 
jTssTddlVista or jTssTddlVistax64 and then feed that to 
"System.loadLibrary()".

The problem is that System.loadLibrary does mapping of the name you pass 
in to append the appropriate suffix based on the type of operating 
system.  So "jTssTddlVista.dll" gets mapped to "jTssTddlVista.dll.dll" - 
which obviously appears nowhere in the paths.


The fix is to not add the suffix manually.  (Lines 51, 52, 77 and 78).

I finally got the direct path to work by manually renaming a file to the 
double "dll" suffix.

Mike

[Trustedjava-support] Unhanded "RemoteException" causing null pointers.

[Michael S. <ms...@nt...>]

In "iaik.tc.tss.impl.java.tsp.tcsbinding.soapservice.TcTcsBindingSoap" 
and possibly other places you use an idiom of

     } catch (RemoteException e) {
       ConvertRemoteExceptions.convertTcTcsException(e);
       ConvertRemoteExceptions.convertTcTddlException(e);
       ConvertRemoteExceptions.convertTcTpmException(e);
       return null;
     }

to catch remote errors and turn them into local errors of an appropriate 
type.  For some reason, I keep finding cases that as far as I can tell 
are causing RemoteExceptions where the underlying cause is not 
TcTcsException, TcTddlException or TcTpmException and which result in 
the call returning a null object.  That then causes an NPE the next 
layer up when it trys to extract the error code value.   I'd suggest 
replacing "return null" with something that returns


My most recent one was a simple attempt to try and retrieve TPM status bits.

"tpm.getStatus (TSS_TPMSTATUS_DISABLED)"

I'm running this on a Lenovo Thinkpad T500 with an Atmel chip.   I'm 
using SOAP because I can't seem to get the direct thing to work.  Going 
to try that again.

JDK is 1.6.0_17 for various reasons.  I've tried others without much 
success.  I'm using the pre-compiled v0.7 of jTSS.

Mike

Re: [Trustedjava-support] TPM_NV_INDEX_TRIAL - wrong value

[Ronald T. <ron...@ia...>]

Hi Michael,

Thank you for pointing this out. We will take a look at this issue but 
it might take some time..

Ronald

On 05/14/2012 07:31 PM, Michael StJohns wrote:
> Hi --
>
> For some reason, TcTpmConstants.TPM_NV_INDEX_TRIAL has the "D" bit
> set.    This is probably a bug.
>
> I used the constant in TcINvRam.defineSpace (in TcTpmNvData) to see if I
> had space to create a 100 octet space.  What I ended up with was a
> permanent 100 octet space that I can't get rid of.
>
> When I use the correct value - 0xF004 - as the index, I get the
> anticipated behavior.  A "success" results in a return with no creation.
>
> I'd review all of the TPM_NV_INDEX_* values and make sure you're using
> the correct values.
>
> Mike
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support


-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

[Trustedjava-support] jTSS 0.7a

[Ronald T. <ron...@ia...>]

Dear trustedJava users,

There is now a fresh bugfix for jTSS, version 0.7a, available for 
immediate download.
This should work with the newest and also upcoming releases of Windows.

Enjoy,
Ronald

-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

Re: [Trustedjava-support] jTSS running on windows server 2008 r2

[Ronald T. <ron...@ia...>]

Hello,

The current jTSS does is not compatible with Windows 8 right now.
It appears to be a minor thing and we are working on a patch.

Ronald


On 05/24/2012 10:58 PM, jva...@de... wrote:
> Just wondering if anyone has gotten the jTSS test files to run on
> windows 2008 server.  I made sure that all of the tpm commands were not
> blocked , the tcsdaemon is running , my firewall is off and I ran the
> test in administration mode.
>
>    When I run the test run_tests_simple no matter which option I pick I
> get the error:
> 15:50:24:803 [ERROR] TcTcsBindingSoap::connect (116):   There seems no
> TCS running
> iaik.tc.tss.api.exceptions.tsp.TcTspException:
>
> TSS Error:
> error layer:                0x3000 (TSP)
> error code (without layer): 0x0103
> error code (full):          0x3103
> error message: Core Service connection failed.
>
> just wondering if anyone has gotten jTSS to run on windows server 2008
> and if they had to do any configureations
> thanks
> Joe
>
>


-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

[Trustedjava-support] jTSS running on windows server 2008 r2

[<jva...@de...>]

Just wondering if anyone has gotten the jTSS test files to run on 
windows 2008 server.  I made sure that all of the tpm commands were not 
blocked , the tcsdaemon is running , my firewall is off and I ran the 
test in administration mode.

  When I run the test run_tests_simple no matter which option I pick I 
get the error:
15:50:24:803 [ERROR] TcTcsBindingSoap::connect (116):   There seems no 
TCS running
iaik.tc.tss.api.exceptions.tsp.TcTspException:

TSS Error:
error layer:                0x3000 (TSP)
error code (without layer): 0x0103
error code (full):          0x3103
error message: Core Service connection failed.

just wondering if anyone has gotten jTSS to run on windows server 2008 
and if they had to do any configureations
thanks
Joe

[Trustedjava-support] TPM_NV_INDEX_TRIAL - wrong value

[Michael S. <ms...@nt...>]

Hi --

For some reason, TcTpmConstants.TPM_NV_INDEX_TRIAL has the "D" bit 
set.    This is probably a bug.

I used the constant in TcINvRam.defineSpace (in TcTpmNvData) to see if I 
had space to create a 100 octet space.  What I ended up with was a 
permanent 100 octet space that I can't get rid of.

When I use the correct value - 0xF004 - as the index, I get the 
anticipated behavior.  A "success" results in a return with no creation.

I'd review all of the TPM_NV_INDEX_* values and make sure you're using 
the correct values.

Mike

Re: [Trustedjava-support] about Privacy CA and STM TPM

[Martin P. <Mar...@ia...>]

Hi...

On 2012-05-10 06:58, Jungho Song wrote:
> I implement 'PrivacyCA' by using your source(http://trustedjava.sourceforge.net/index.php?item=pca/apki).
> It works with 'Infineon TPM', but doesn't work with 'STM TPM'.
>
> How can I do for 'STM TPM'?
> can you help about this problem?


Your problem description "doesn't work" does not provide any kind
of information what is not working.

Please provide a more detailed description of your problem,
error message, call executed etc.


Best regards,
Martin

[Trustedjava-support] about Privacy CA and STM TPM

[Jungho S. <jh...@ca...>]

Hi, I'm Jungho Song, PhD candidate at KAIST(Korea Advanced Institute of
Science and Technology) CS dept.
I have a question about PrivacyCA.

I implement 'PrivacyCA' by using your source(
http://trustedjava.sourceforge.net/index.php?item=pca/apki).
It works with 'Infineon TPM', but doesn't work with 'STM TPM'.

How can I do for 'STM TPM'?
can you help about this problem?

Have a nice day!

from jhSong.

Re: [Trustedjava-support] Binding through public part of binding key

[Ronald T. <ron...@ia...>]

Hi Shakir,

The data must be stored in the appropriate TPM data structure before it 
is encrypted.
The best will be to refer to the source code of jTT on how this is done.

Hoping to help,
Ronald


On 04/23/2012 06:58 AM, Shakir Ullah Shah wrote:
> I'm trying to bind some data using the public part of a binding key. 
> I've exported the public part through:
>
>     byte blob[] = null;
>     try {
>         File f = new File(BINDKEY_FILENAME);
>         blob = new byte[(int) f.length()];
>         FileInputStream fi = new FileInputStream(f);
>         fi.read(blob);
>     } catch (Exception e) {
>         e.printStackTrace();
>     }
>
>     TcBlobData srkSecret = TcBlobData
>             .newByteArray(TcTssConstants.TSS_WELL_KNOWN_SECRET);
>     long srkSecretMode = TcTssConstants.TSS_SECRET_MODE_SHA1;
>
>     TcIRsaKey srk = context.loadKeyByUuidFromSystem(TcUuidFactory
>             .getInstance().getUuidSRK());
>
>     TcIPolicy srkPolicy = srk.getUsagePolicyObject();
>     srkPolicy.setSecret(srkSecretMode, srkSecret);
>     srkPolicy.assignToObject(srk);
>
>     // create a TcBlobData using
>     TcBlobData keyBlob = TcBlobData.newByteArray(blob);
>
>     // load the key using this blob
>     TcIRsaKey identityKey = context.loadKeyByBlob(srk, keyBlob);
>
>     TcIRsaKey pubBindKey = identityKey;
>     TcBlobData pubBindKeyBlob = pubBindKey.getAttribData(
>             TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
>             TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY);
>
>     // write this pubBindKeyBlob to a file and send it to the challenger
>     File f = new File(BINDKEY_PUB_FILENAME);
>     byte[] pubKeyBytes = pubBindKeyBlob.asByteArray();
>     System.out.println(pubKeyBytes);
>     FileOutputStream fo = new FileOutputStream(f);
>
>     fo.write(pubKeyBytes);
>     fo.close();
>
>
> The encryption algorithm is the following:
>
>
>     public static byte[] encrypt(byte[] text, RSAPublicKey key)
>             throws Exception {
>
>         byte[] cipherText = null;
>         Cipher cipher = Cipher.getInstance("RSA");
>         cipher.init(Cipher.ENCRYPT_MODE, key);
>         cipherText = cipher.doFinal(text);
>         return cipherText;
>     }
>
>     public static void main(String[] argv) {
>         final String pubBindKeyFilename = "bac_bind_pub.key";
>         String fileforEncryption = "inputFileforEncryption";
>
>         // first get the pubBindKeyBlob from file (received from the 
> target earlier)
>         byte pubBindKey[] = null;
>         byte bytefileEncryption[] = null;
>         byte byteDataEncrypted[] = null;
>
>         File f = new File(pubBindKeyFilename);
>         pubBindKey = new byte[(int) f.length()];
>         FileInputStream fi = new FileInputStream(f);
>         fi.read(pubBindKey);
>         TcBlobData pubBindKeyBlob = TcBlobData.newByteArray(pubBindKey);
>         TcTpmPubkey pubBindKeyStruct = new TcTpmPubkey(pubBindKeyBlob);
>         RSAPublicKey rsaPub = TcCrypto.pubTpmKeyToJava(pubBindKeyStruct);
>
>         File ftemp = new File(fileforEncryption);
>         bytefileEncryption = new byte[(int) ftemp.length()];
>         FileInputStream fitemp = new FileInputStream(ftemp);
>         fitemp.read(bytefileEncryption);
>
>         byteDataEncrypted = encrypt(bytefileEncryption, rsaPub);
>         String outFilename = "outputEncRsaFile";
>
>         File f2 = new File(outFilename);
>         FileOutputStream fo = new FileOutputStream(f2);
>         fo.write(byteDataEncrypted);
>         fo.close();
>
>
> I'm using jTpmTools to decrypt the data using the binding key. Here's 
> the command for the decryption using jTpmTools:
>
>     unbind -i /path/to/outputEncRsaFile -o 
> /path/to/outputdecEncRsaFile -u 00000001-0002-0003-0405-9296a5ae537a
>
> The UUID is of the same binding key that I've exported. I'm getting 
> the following exception though. I'm not sure what I'm doing wrong.
>
>     00:55:30:935 [INFO] Unbind::execute (123):    Using default 
> TSS_WELL_KNOWN_SECRET as key secret
>     00:55:31:078 [INFO] TcTcsEventMgrMem::<init> (44):    Using "in 
> memory" event log.
>     iaik.tc.tss.api.exceptions.tcs.TcTpmException:
>
>     TSS Error:
>     error layer:                0x00 (TPM)
>     error code (without layer): 0x21
>     error code (full):          0x21
>     error message: The decryption process did not complete.
>
>     at 
> iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
>     at 
> iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdStorage.TpmUnBind(TcTpmCmdStorage.java:244)
>     at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipUnBind(TcTcsi.java:1638)
>     at 
> iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipUnBind(TcTcsBindingLocal.java:442)
>     at 
> iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspUnBind_Internal(TcTspInternal.java:1766)
>     at iaik.tc.tss.impl.java.tsp.TcEncData.unbind(TcEncData.java:255)
>     at iaik.tc.apps.jtt.data.Unbind.execute(Unbind.java:171)
>     at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
>     at 
> iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
>     at iaik.tc.apps.JTpmTools.main(JTpmTools.java:224)
>
>     00:55:31:561 [ERROR] JTpmTools::main (235):    application exits 
> with error:
>
>     TSS Error:
>     error layer:                0x00 (TPM)
>     error code (without layer): 0x21
>     error code (full):          0x21
>     error message: The decryption process did not complete.
>
>
> Any help would be greatly appreciated.
>
>
>
> ------------------------------------------------------------------------------
> For Developers, A Lot Can Happen In A Second.
> Boundary is the first to Know...and Tell You.
> Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
> http://p.sf.net/sfu/Boundary-d2dvs2
>
>
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support


-- 
Dipl.-Ing. Ronald Tögl          phone +43 316/873-5502
Secure and Correct Systems      fax   +43 316/873-5520
IAIK                            ron...@ia...
Graz University of Technology   http://www.iaik.tugraz.at

[Trustedjava-support] Request to Subscribe for Trusted Computing Mailing List

[Najeeb Ur R. <naj...@nu...>]

Dear All,

I am new to this mailing list as I am working on Trusted Computing and want
collaborative work with this community.

Waiting for the response when i will be ablle to post my question on this
mailing list.
-- 
*Mr.Najeeb-Ur Rehman*

[Trustedjava-support] Binding through public part of binding key

[Shakir U. S. <sha...@nu...>]

I'm trying to bind some data using the public part of a binding key. I've
exported the public part through:

    byte blob[] = null;
    try {
        File f = new File(BINDKEY_FILENAME);
        blob = new byte[(int) f.length()];
        FileInputStream fi = new FileInputStream(f);
        fi.read(blob);
    } catch (Exception e) {
        e.printStackTrace();
    }

    TcBlobData srkSecret = TcBlobData
            .newByteArray(TcTssConstants.TSS_WELL_KNOWN_SECRET);
    long srkSecretMode = TcTssConstants.TSS_SECRET_MODE_SHA1;

    TcIRsaKey srk = context.loadKeyByUuidFromSystem(TcUuidFactory
            .getInstance().getUuidSRK());

    TcIPolicy srkPolicy = srk.getUsagePolicyObject();
    srkPolicy.setSecret(srkSecretMode, srkSecret);
    srkPolicy.assignToObject(srk);

    // create a TcBlobData using
    TcBlobData keyBlob = TcBlobData.newByteArray(blob);

    // load the key using this blob
    TcIRsaKey identityKey = context.loadKeyByBlob(srk, keyBlob);

    TcIRsaKey pubBindKey = identityKey;
    TcBlobData pubBindKeyBlob = pubBindKey.getAttribData(
            TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
            TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY);

    // write this pubBindKeyBlob to a file and send it to the challenger
    File f = new File(BINDKEY_PUB_FILENAME);
    byte[] pubKeyBytes = pubBindKeyBlob.asByteArray();
    System.out.println(pubKeyBytes);
    FileOutputStream fo = new FileOutputStream(f);

    fo.write(pubKeyBytes);
    fo.close();


The encryption algorithm is the following:


    public static byte[] encrypt(byte[] text, RSAPublicKey key)
            throws Exception {

        byte[] cipherText = null;
        Cipher cipher = Cipher.getInstance("RSA");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        cipherText = cipher.doFinal(text);
        return cipherText;
    }

    public static void main(String[] argv) {
        final String pubBindKeyFilename = "bac_bind_pub.key";
        String fileforEncryption = "inputFileforEncryption";

        // first get the pubBindKeyBlob from file (received from the target
earlier)
        byte pubBindKey[] = null;
        byte bytefileEncryption[] = null;
        byte byteDataEncrypted[] = null;

        File f = new File(pubBindKeyFilename);
        pubBindKey = new byte[(int) f.length()];
        FileInputStream fi = new FileInputStream(f);
        fi.read(pubBindKey);
        TcBlobData pubBindKeyBlob = TcBlobData.newByteArray(pubBindKey);
        TcTpmPubkey pubBindKeyStruct = new TcTpmPubkey(pubBindKeyBlob);
        RSAPublicKey rsaPub = TcCrypto.pubTpmKeyToJava(pubBindKeyStruct);

        File ftemp = new File(fileforEncryption);
        bytefileEncryption = new byte[(int) ftemp.length()];
        FileInputStream fitemp = new FileInputStream(ftemp);
        fitemp.read(bytefileEncryption);

        byteDataEncrypted = encrypt(bytefileEncryption, rsaPub);
        String outFilename = "outputEncRsaFile";

        File f2 = new File(outFilename);
        FileOutputStream fo = new FileOutputStream(f2);
        fo.write(byteDataEncrypted);
        fo.close();


I'm using jTpmTools to decrypt the data using the binding key. Here's the
command for the decryption using jTpmTools:

    unbind -i /path/to/outputEncRsaFile -o /path/to/outputdecEncRsaFile -u
00000001-0002-0003-0405-9296a5ae537a

The UUID is of the same binding key that I've exported. I'm getting the
following exception though. I'm not sure what I'm doing wrong.

    00:55:30:935 [INFO] Unbind::execute (123):    Using default
TSS_WELL_KNOWN_SECRET as key secret
    00:55:31:078 [INFO] TcTcsEventMgrMem::<init> (44):    Using "in memory"
event log.
    iaik.tc.tss.api.exceptions.tcs.TcTpmException:

    TSS Error:
    error layer:                0x00 (TPM)
    error code (without layer): 0x21
    error code (full):          0x21
    error message: The decryption process did not complete.

    at
iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCommon.handleRetCode(TcTpmCmdCommon.java:73)
    at
iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdStorage.TpmUnBind(TcTpmCmdStorage.java:244)
    at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipUnBind(TcTcsi.java:1638)
    at
iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipUnBind(TcTcsBindingLocal.java:442)
    at
iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspUnBind_Internal(TcTspInternal.java:1766)
    at iaik.tc.tss.impl.java.tsp.TcEncData.unbind(TcEncData.java:255)
    at iaik.tc.apps.jtt.data.Unbind.execute(Unbind.java:171)
    at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
    at
iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
    at iaik.tc.apps.JTpmTools.main(JTpmTools.java:224)

    00:55:31:561 [ERROR] JTpmTools::main (235):    application exits with
error:

    TSS Error:
    error layer:                0x00 (TPM)
    error code (without layer): 0x21
    error code (full):          0x21
    error message: The decryption process did not complete.


Any help would be greatly appreciated.