From: Jonathan M. <jon...@cm...> - 2012-01-13 16:25:26

You might also look at IBM's software implementation to see how they implemented the internals of the TPM in this regard: http://ibmswtpm.sourceforge.net/

-Jon

On Fri, Jan 13, 2012 at 10:14 AM, <Fed...@ff...> wrote:
> Hi again,
>
> Maybe I found the answer myself, so I will report it just in case anyone else ever wondered or someone who already knows can correct me if I am wrong.
>
> After going through the source code of the jTSS I realized that the wrapping of a key is done inside the TPM, so I went to look at the TPM specs, in particular the data structure part, and there it says that an asymmetric key is stored so that the private part cannot be bigger than 151 bytes (TPM_STORE_PRIVKEY).
>
> This is possible because it is not the private exponent that is stored as private key (which is usually nearly as big as the modulus itself), but one of the two prime factors of the modulus, and 151 bytes CAN be encrypted by a 2048 RSA public key in one block.
>
> Federico
>
> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support
From: <Fed...@ff...> - 2012-01-13 15:15:42

Hi again,

Maybe I found the answer myself, so I will report it just in case anyone else ever wondered or someone who already knows can correct me if I am wrong.

After going through the source code of the jTSS I realized that the wrapping of a key is done inside the TPM, so I went to look at the TPM specs, in particular the data structure part, and there it says that an asymmetric key is stored so that the private part cannot be bigger than 151 bytes (TPM_STORE_PRIVKEY).

This is possible because it is not the private exponent that is stored as private key (which is usually nearly as big as the modulus itself), but one of the two prime factors of the modulus, and 151 bytes CAN be encrypted by a 2048 RSA public key in one block.

Federico

> From: Fed...@ff... [mailto:Fed...@ff...]
> Sent: 12 January 2012 09:18
> To: sha...@ya...
> Cc: tru...@li...
> Subject: Re: [Trustedjava-support] Encrypting the private part of an RSA key
>
> Hi,
>
> Thanks for your pointer, but I had already read the book, and that is what confused me.
>
> In chapter 2 "Secure Storage – Storing asymmetric keys" it says that asymmetric keys are encrypted under a 2048 RSA key and the format used is PKCS#1 v2.0. My question was about how this was done in practice, since a public 2048 RSA key can encrypt less than 256 bytes and an RSA private key is usually at least as big as the modulus, i.e. 256 bytes. I also read PKCS#1 v2.0 (not line by line, but I had a close look), and I could not find any specific guidelines for encrypting private keys, only to format and encode them.
>
> In other words, if at some point the TPM produces an AIK, and this must be stored outside the TPM protected by the SRK key, how is this done in practice? Or is the AIK key encrypted with a symmetric key, in turn encrypted with the SRK public key?
>
> Also a pointer to the source code where this is implemented would be fine, if possible.
>
> Thanks again, and sorry if the question is trivial, but I am clearly missing some probably stupid detail here, and I cannot seem to figure out what it is.
>
> Federico
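Federico's conclusion above, worked through in code. This is an added example, not jTSS code and not text from the TPM spec: it generates a toy 2048-bit RSA key, serialises the prime p the way TPM_STORE_PRIVKEY does, compares both the private exponent d and that blob against the OAEP capacity of a 2048-bit parent (SRK-sized) key, and recovers d from p as a TPM can when the key is loaded. The 151-byte bound is the figure quoted in the message; SHA-1 OAEP parameters and the UINT32 length prefix are my assumptions about the TPM 1.2 encoding.

```python
import random

SHA1_LEN = 20            # assumption: TPM 1.2 wraps keys with RSA-OAEP over SHA-1
STORE_PRIVKEY_MAX = 151  # bound on the private part quoted in the thread


def oaep_max_message_len(modulus_len, hash_len=SHA1_LEN):
    """PKCS#1 v2.0 OAEP: a k-byte modulus carries at most k - 2*hLen - 2 bytes."""
    return modulus_len - 2 * hash_len - 2


# small primes for trial division before Miller-Rabin
SMALL_PRIMES = [2] + [p for p in range(3, 2000, 2)
                      if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rng, rounds=24):
    """Trial division by small primes, then Miller-Rabin with 'rounds' bases."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        # top two bits set (so p*q has exactly 2*bits bits) and odd
        cand = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand, rng):
            return cand


def generate_rsa_keypair(bits, rng, e=65537):
    """Toy key generation with a seeded RNG so the demo is reproducible;
    a real generator uses a CSPRNG. Returns (n, e, d, p, q)."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:      # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi), p, q


def int_to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def tpm_store_privkey(p):
    """TPM_STORE_PRIVKEY: UINT32 keyLength || BYTE key[keyLength] (assumed
    big-endian). Only the prime p goes in here, never the exponent d."""
    key = int_to_bytes(p)
    if len(key) > STORE_PRIVKEY_MAX:
        raise ValueError("private part exceeds %d bytes" % STORE_PRIVKEY_MAX)
    return len(key).to_bytes(4, "big") + key


def parse_tpm_store_privkey(blob):
    length = int.from_bytes(blob[:4], "big")
    if len(blob) != 4 + length:
        raise ValueError("keyLength does not match blob size")
    return int.from_bytes(blob[4:], "big")


def recover_private_exponent(n, e, p):
    """What the TPM can do on key load: q = n / p, d = e^-1 mod (p-1)(q-1)."""
    q, rem = divmod(n, p)
    if rem:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))


def demo(seed=1, parent_modulus_len=256):
    """Compare d and the TPM_STORE_PRIVKEY blob with one OAEP block of a
    2048-bit parent key. The real wrapped structure (TPM_STORE_ASYMKEY) adds
    auth secrets and a digest in front; this covers the private-key field."""
    n, e, d, p, _ = generate_rsa_keypair(2048, random.Random(seed))
    blob = tpm_store_privkey(p)
    cap = oaep_max_message_len(parent_modulus_len)
    return {
        "oaep_max": cap,
        "d_len": len(int_to_bytes(d)),
        "d_fits": len(int_to_bytes(d)) <= cap,
        "p_len": len(int_to_bytes(p)),
        "blob_len": len(blob),
        "blob_fits": len(blob) <= cap,
        "d_recovered": recover_private_exponent(
            n, e, parse_tpm_store_privkey(blob)) == d,
    }
```

Key generation takes a few seconds in pure Python; the dictionary returned by `demo()` shows d exceeding the 214-byte OAEP payload while the 132-byte blob fits.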
From: <Fed...@ff...> - 2012-01-12 08:18:53

Hi,

Thanks for your pointer, but I had already read the book, and that is what confused me.

In chapter 2 "Secure Storage – Storing asymmetric keys" it says that asymmetric keys are encrypted under a 2048 RSA key and the format used is PKCS#1 v2.0. My question was about how this was done in practice, since a public 2048 RSA key can encrypt less than 256 bytes and an RSA private key is usually at least as big as the modulus, i.e. 256 bytes. I also read PKCS#1 v2.0 (not line by line, but I had a close look), and I could not find any specific guidelines for encrypting private keys, only to format and encode them.

In other words, if at some point the TPM produces an AIK, and this must be stored outside the TPM protected by the SRK key, how is this done in practice? Or is the AIK key encrypted with a symmetric key, in turn encrypted with the SRK public key?

Also a pointer to the source code where this is implemented would be fine, if possible.

Thanks again, and sorry if the question is trivial, but I am clearly missing some probably stupid detail here, and I cannot seem to figure out what it is.

Federico

> From: Shakir Ullah shah [mailto:sha...@ya...]
> Sent: 12 January 2012 05:59
> To: Mancini, Federico
> Subject: Re: [Trustedjava-support] Encrypting the private part of an RSA key
>
> Hi
>
> You can find the answer to your question by reading chapter 2 of the IBM.Press.A.Practical.Guide.to.Trusted.Computing.Jan.2008 book.
>
> Regards
>
> Shakir
From: <Fed...@ff...> - 2012-01-11 15:28:04

Hi,

I am new here and I have only recently started reading up on trusted computing and TPM for a project I am part of. I think I got all the basics, but now that I am entering more technical details, I find all my books and sources are not enough any more.

That is why I have started looking at your implementation of the TSS (which I plan to use soon to implement some ideas) and why I am posting here, since whoever implemented something like this must have a very good and practical knowledge of the specifications :)

The question I have is about how asymmetric keys are stored securely outside the TPM.

As far as I understand, AIK or Storage keys are asymmetric pairs of keys and are stored outside the TPM in a secure way protected by their parent key. I guess this means that the private part of these keys must be encrypted, and in particular it should be encrypted with the SRK or other parent storage keys, which are also asymmetric. So how is this done? By encrypting the private part of a key with the public part of its parent key (possibly the SRK itself)?

If so, isn't a private key too big to fit in one RSA encrypted block? Does it have to be split in smaller blocks first? If so, how (is there a standard)?

Reading your Javadoc I found at least two methods that return an encrypted private key (TspCreateWrapKey_Internal), so I hope you can help me out with this.

This question is bugging me since in the book "A practical guide to trusted computing" there is a whole section dedicated to how big a symmetric key can be to be encrypted by a binding (asymmetric) key, but there does not seem to be a problem to encrypt potentially big private keys instead.

Thanks for any answer!

Federico Mancini
From: Shohei K. <kak...@gm...> - 2011-09-20 08:06:31

Hello,

I have a question regarding the TSS tickStampBlob command. Here is the example of my source code:

    TcIHash hash = context.createHashObject(TcTssConstants.TSS_HASH_SHA1);
    Object[] result = hash.tickStampBlob(signingKey, validationData);

I ran this command successfully. Now the question is how do I verify the signature (the TcTssValidation structure) later with the same SigningKey's public key? Is there any method in TSS or do I have to sha1 the bind key manually and use the verifySignature method?

Could you help me, please?

Regards,
Shohei Kakei
From: Ronald T. <ron...@ia...> - 2011-09-16 14:24:51

No less than three updated packages flooded the TrustedJava Project today! Releases of jTSS and jTpmTools surfaced for immediate download in version 0.7 and the acTvSM platform ran abeach in version 0.3. First unconfirmed reports also tell us that a release candidate of the JSR321 High-Level API has been sighted at http://jsr321.java.net/

This comprehensive set of Java TCG Software Stack, command-line tools and a secure, integrity-enforcing platform allows one to employ the latest Trusted Computing technology such as the TPM and Intel TXT in practice.

jTSS now features a tutorial document and code examples, improved default configurations, making the much-feared ini-file setup optional, plus support for JSR321 implementations, better monotonic counter support, an improved simple test tool and many bugfixes.

jTpmTools have been updated with new features to collect a quote, manage monotonic counters and gather entropy from the TPM. Thanks go to Jon McCune of CMU for his contributions. jTpmTools now ship with TCcert pre-installed.

The acTvSM platform has been rebased on Debian Squeeze, added support for the Intel Series 5 chipsets and features more improvements and bugfixes.

Have fun,
Martin & Ronald

--
Dipl.-Ing. Ronald Tögl            phone +43 316/873-5502
Secure and Correct Systems        fax +43 316/873-5520
IAIK                              ron...@ia...
Graz University of Technology     http://www.iaik.tugraz.at
From: Ronald T. <ron...@ia...> - 2011-08-29 15:07:26

Hi Jon,

On 08/29/2011 04:46 PM, Jonathan McCune wrote:
>> The problem is that jTSS doesn't support unauthenticated commands.
> I don't fully understand the scope of this limitation, as the TPM
> supports many commands that do not require authentication.

jTSS handles each command in a uniform way. Once authentication is required in one case, it is in all.

> Are there plans for jTSS to ever support unauthenticated NVRAM commands?

Currently none; usually, TSS_WELL_KNOWN_SECRET serves very well as a substitute. Also, most objects get this set as their default policy, so that the user experience usually does not suffer at all. It is certainly possible to make an exception for a small set of commands and add the necessary if clauses in all layers (tsp, soap, tcs).

> I'm trying to discern whether these issues are symptomatic of a
> work-in-progress, or if they are by design. And if so, why?

It's a pragmatic compromise, due to limited (human) resources.

Ronald

--
Dipl.-Ing. Ronald Tögl            phone +43 316/873-5502
Secure and Correct Systems        fax +43 316/873-5520
IAIK                              ron...@ia...
Graz University of Technology     http://www.iaik.tugraz.at
From: Jonathan M. <jon...@cm...> - 2011-08-29 14:46:22

Hi Michael,

Thanks for both of your emails.

> The problem is that jTSS doesn't support unauthenticated commands.

I don't fully understand the scope of this limitation, as the TPM supports many commands that do not require authentication. Are there plans for jTSS to ever support unauthenticated NVRAM commands? I'm trying to discern whether these issues are symptomatic of a work-in-progress, or if they are by design. And if so, why?

Thanks,
-Jon
From: Michael G. <m.g...@tu...> - 2011-08-29 14:28:02

On 2011-08-26 20:11, Jonathan McCune wrote:
> Hello again. :)

Hi again :)

> I follow up with a second question that is different, but related.
> Here I try to define space that exclusively depends upon the value of
> PCR 10:
>
>     jtt nv_definespace --index 0x00011222 --size 64 -o tpm -e ASCII -p 10 -w --permission 0x00000000
>
>     additional info: no write permissions set
>
>     at iaik.tc.tss.impl.java.tsp.TcNvRam.defineSpace(TcNvRam.java:168)
>
> In jtss_tsp/src/iaik/tc/tss/impl/java/tsp/TcNvRam.java, we see that
> this is an exception that is thrown if no write permissions are set:
>
>     if (((permissions & TcTpmConstants.TPM_NV_PER_AUTHWRITE) == 0)
>             && ((permissions & TcTpmConstants.TPM_NV_PER_OWNERWRITE) == 0)
>             && ((permissions & TcTpmConstants.TPM_NV_PER_WRITEDEFINE) == 0)
>             && ((permissions & TcTpmConstants.TPM_NV_PER_PPWRITE) == 0)
>             && !writeLocalities) {
>         throw new TcTcsException(TcTcsErrors.TCS_E_BAD_PARAMETER,
>                 "no write permissions set");
>     }
>
> Again, what's the problem? I did specify PCR-based access control for
> writing. Is there any fundamental reason why this shouldn't work?
> The only thing I can think of is that NV space without any access
> control might be more susceptible to malicious wear-out.

The reason for this is that the TPM Spec prohibits an index defined that way. You have to specify a write access restriction by either TPM_NV_PER_OWNERWRITE, TPM_NV_PER_AUTHWRITE, TPM_NV_PER_WRITEDEFINE, TPM_NV_PER_PPWRITE or by excluding at least one locality. This is specified in TPM Spec Commands, Revision 116, lines 4093 to 4107. jTSS just does the check before the command is actually sent to the TPM.

You can either exclude one locality that you don't use (and won't be able to write to this index using jTSS) or you use the TPM_NV_PER_AUTHWRITE method.

> Again, many thanks for your time and attention.
> -Jon

Best regards,
Michael
From: Michael G. <m.g...@tu...> - 2011-08-29 14:11:52

On 2011-08-26 20:03, Jonathan McCune wrote:
> Greetings,

Hi,

> Let's suppose I want some NV space defined where the only access
> control mechanisms I care about are PCR values and Locality. I can do
> something like this:
>
>     jtt nv_definespace --index 0x00011222 --size 64 -p 10 -w --permission 0x00000000 --writelocality 0,1,2,3
>
> However, when I try to write to this new space, I get an error.
>
>     jtt nv_write --file /tmp/64bytes --index 0x00011222
>
>     additional info: illegal permissions - should not happen
>
>     at iaik.tc.tss.impl.java.tsp.TcNvRam.writeValue(TcNvRam.java:371)
>
> Looking at jTSS_0.6/src/jtss_tsp/src/iaik/tc/tss/impl/java/tsp/TcNvRam.java,
> we see that this exception is thrown by the last else in a tree of
> if-else statements that look at the value returned by:
> nvDataPub.getPermission().getAttributes(). In other words, this looks
> like intentional, fail-safe programming.

Yes, but unfortunately there is one "else if" statement (no write permission set and restricted by locality) missing, and that would have to throw a TSS_E_NOTIMPL. The problem is that jTSS doesn't support unauthenticated commands. An NV index which was defined as above would require an unauthenticated TPM_NV_WriteValue command. The error message in this case needs to be clarified.

> My real question then becomes, what's the problem? Nothing stops me
> from defining an NV space and using the "auth method" to control
> access to it, and using a "well-known secret" for that auth value, but
> that seems silly.

That would be a possible workaround for this scenario.

> Thus, I'm wondering if jTSS is being overly restrictive, or if I've
> missed some other rationale for this design choice. Any insight would
> be much appreciated.

See above.

> Many Thanks,
> -Jon

Best regards,
Michael
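A pre-flight check for the three NV definitions discussed in this message and the preceding one (Michael's spec rule and the missing "else if"). This is an added example, not jTSS code: it classifies a planned TPM_NV_DefineSpace as rejected by the spec, accepted but unwritable through jTSS, or fine. The TPM_NV_PER_* values are my recollection of the TPM 1.2 Part 2 attribute bits and should be checked against the spec; the verdict names and output wording are constructed.

```python
# TPM 1.2 TPM_NV_ATTRIBUTES write bits (assumption: values recalled from
# TPM 1.2 Part 2, verify against the spec before relying on them)
TPM_NV_PER_PPWRITE = 0x00000001
TPM_NV_PER_OWNERWRITE = 0x00000002
TPM_NV_PER_AUTHWRITE = 0x00000004
TPM_NV_PER_WRITEDEFINE = 0x00002000

# the four attributes that count as a write restriction in the jTSS check
WRITE_RESTRICTIONS = (TPM_NV_PER_PPWRITE | TPM_NV_PER_OWNERWRITE
                      | TPM_NV_PER_AUTHWRITE | TPM_NV_PER_WRITEDEFINE)
ALL_LOCALITIES = frozenset(range(5))   # TPM 1.2 localities 0..4

# constructed verdict names
REJECT_NO_WRITE_RESTRICTION = "REJECT_NO_WRITE_RESTRICTION"
DEFINE_OK_UNAUTHENTICATED_WRITE = "DEFINE_OK_UNAUTHENTICATED_WRITE"
OK = "OK"


def parse_write_localities(arg):
    """Allowed localities as given to 'jtt ... --writelocality 0,1,2,3'.
    No option at all means no locality is excluded."""
    if not arg or not arg.strip():
        return set(ALL_LOCALITIES)
    locs = {int(x) for x in arg.split(",")}
    if not locs <= ALL_LOCALITIES:
        raise ValueError("localities must be in 0..4")
    return locs


def locality_selection(locs):
    """TPM_LOCALITY_SELECTION byte: bit i set means locality i may write."""
    return sum(1 << loc for loc in locs)


def check_define_space(permissions, write_localities, pcr_selection=()):
    """Verdict for a planned NV index, following the thread:
    - the spec wants a write restriction from one of the four attribute
      bits or from excluding at least one locality; binding writes to PCRs
      (pcr_selection) does not count, so it never changes the verdict;
    - if only a locality exclusion restricts writes, the TPM accepts the
      index but writing it needs an unauthenticated TPM_NV_WriteValue,
      which jTSS does not issue."""
    excludes_a_locality = set(write_localities) != ALL_LOCALITIES
    has_attr_restriction = bool(permissions & WRITE_RESTRICTIONS)
    if not has_attr_restriction and not excludes_a_locality:
        return REJECT_NO_WRITE_RESTRICTION
    if not has_attr_restriction:
        return DEFINE_OK_UNAUTHENTICATED_WRITE
    return OK


def explain(permissions, localities_arg, pcr_selection=()):
    """One readable line per planned definition (constructed wording)."""
    locs = parse_write_localities(localities_arg)
    verdict = check_define_space(permissions, locs, pcr_selection)
    return "perm=0x%08x localitySelection=0x%02x pcrs=%s -> %s" % (
        permissions, locality_selection(locs), list(pcr_selection), verdict)


def demo():
    """The three definitions discussed in the thread."""
    return [
        # Jon's first try: PCR 10 plus localities 0-3 (locality 4 excluded)
        explain(0x00000000, "0,1,2,3", (10,)),
        # Jon's second try: PCR 10 only, no locality option
        explain(0x00000000, None, (10,)),
        # Michael's suggestion: require an auth secret for writes
        explain(TPM_NV_PER_AUTHWRITE, None, (10,)),
    ]
```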
From: Ronald T. <ron...@ia...> - 2011-08-29 09:14:43

Hi Jan,

DAA is not supported or tested in jTSS. Sorry.

Best regards,
Ronald

PS: I will get you in touch with our DAA expert.

On 08/25/2011 09:53 AM, Jan Vossaert wrote:
> Dear All,
>
> I am working on a project which involves making a Java implementation of
> DAA.
> I am using the jTSS framework to access the TPM functionality.
> However, when I send the first command for the DAA Join (stage 0) I
> receive an 'INVALID_AUTHHANDLE' error code.
> Does anyone have an idea what I am doing wrong (code sample below)?
>
> Thanks,
> Jan
>
>     public void test(){
>         try{
>             tcs_ = new TcTcsBindingLocal();
>
>             Object[] ret = tcs_.TcsiOpenContext();
>             if(!new Long(TcTcsErrors.TCS_SUCCESS).equals((Long)ret[0]))
>                 System.out.println("Unable to open context");
>
>             hContext_ = (Long) ret[1];
>
>             TcTcsAuth auth = TspOIAP();
>             auth.setNonceOdd(TcCrypto.createTcgNonce());
>             auth.setContAuthSession(true);
>             TcTpmSecret oiapSecret = new
>                 TcTpmSecret(TcBlobData.newByteArray(Base64.decode("G9HrogY4LoZC6RIxR8YqMCj3ZgM=")));
>
>             Long handle = 0L;
>             short stage = 0;
>             TcBlobData input0 = TcBlobData.newUINT32(1L);
>             TcBlobData input1 = TcBlobData.newByteArray(new byte[]{});
>
>             TcBlobData[] blob1H = { // 1H
>                 TcBlobData.newUINT32(TcTpmOrdinals.TPM_ORD_DAA_Join), // 1S
>                 TcBlobData.newBYTE(stage), // 2S
>                 TcBlobData.newUINT32(input0.getLengthAsLong()), // 3S
>                 input0, // 4S
>                 TcBlobData.newUINT32(input1.getLengthAsLong()), // 5S
>                 input1 // 6S
>             };
>
>             TcBlobData authDataH1 = computeAuthData( //
>                 blob1H, // 1H1
>                 auth.getNonceEven().getEncoded(), // 2H1
>                 auth.getNonceOdd().getEncoded(), // 3H1
>                 TcBlobData.newBOOL(auth.getContAuthSession()),// 4H1
>                 oiapSecret.getEncoded()); // HMAC key
>
>             auth.setHmac(new TcTpmAuthdata(authDataH1));
>
>             //Stage 1 DAA Join
>             tcs_.TcsipDaaJoin(hContext_, handle, stage, input0, input1, auth);
>         }catch(Exception e){
>             e.printStackTrace();
>         }
>     }
>
>     private TcBlobData computeAuthData(final TcBlobData[] blob1H, final TcBlobData blob2H,
>             final TcBlobData blob3H, final TcBlobData blob4H, final TcBlobData authHash)
>     {
>         TcBlobData combinedBlob1H = TcBlobData.newBlobData(blob1H[0]);
>         for (int i = 1; i < blob1H.length; i++) {
>             combinedBlob1H.append(blob1H[i]);
>         }
>
>         TcBlobData authData = combinedBlob1H.sha1();
>         authData.append(blob2H);
>         authData.append(blob3H);
>         authData.append(blob4H);
>         TcBlobData retVal = authData.hmacSha1(authHash);
>         return retVal;
>     }
>
>     private TcTcsAuth TspOIAP() throws TcTddlException, TcTpmException, TcTcsException
>     {
>         Object[] outDataTpm = tcs_.TcsipOIAP(hContext_);
>
>         // get return values
>         Long authHandle = (Long) outDataTpm[1];
>         TcTpmNonce nonceEven = (TcTpmNonce) outDataTpm[2];
>
>         TcTcsAuth auth = new TcTcsAuth();
>         auth.setAuthHandle(authHandle.longValue());
>         auth.setNonceEven(nonceEven);
>
>         return auth;
>     }

--
Dipl.-Ing. Ronald Tögl            phone +43 316/873-5502
Secure and Correct Systems        fax +43 316/873-5520
IAIK                              ron...@ia...
Graz University of Technology     http://www.iaik.tugraz.at
From: Jonathan M. <jon...@cm...> - 2011-08-26 18:11:36

Hello again. :)

I follow up with a second question that is different, but related. Here I try to define space that exclusively depends upon the value of PCR 10:

    jtt nv_definespace --index 0x00011222 --size 64 -o tpm -e ASCII -p 10 -w --permission 0x00000000

    14:05:13:544 [INFO] NvDefineSpace::execute (146): Defining NV space to depend on pcr: 10
    iaik.tc.tss.api.exceptions.tcs.TcTcsException: TSS Error:
    error layer: 0x3000 (TSP)
    error code (without layer): 0x03
    error code (full): 0x3003
    error message: unknown
    additional info: no write permissions set
        at iaik.tc.tss.impl.java.tsp.TcNvRam.defineSpace(TcNvRam.java:168)
        at iaik.tc.apps.jtt.tboot.NvDefineSpace.execute(NvDefineSpace.java:240)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:198)
    14:05:13:778 [ERROR] JTpmTools::main (209): application exits with error: TSS Error: error layer: 0x3000 (TSP) error code (without layer): 0x03 error code (full): 0x3003 error message: unknown additional info: no write permissions set (return: -1)

In jtss_tsp/src/iaik/tc/tss/impl/java/tsp/TcNvRam.java, we see that this is an exception that is thrown if no write permissions are set:

    if (((permissions & TcTpmConstants.TPM_NV_PER_AUTHWRITE) == 0)
            && ((permissions & TcTpmConstants.TPM_NV_PER_OWNERWRITE) == 0)
            && ((permissions & TcTpmConstants.TPM_NV_PER_WRITEDEFINE) == 0)
            && ((permissions & TcTpmConstants.TPM_NV_PER_PPWRITE) == 0)
            && !writeLocalities) {
        throw new TcTcsException(TcTcsErrors.TCS_E_BAD_PARAMETER,
                "no write permissions set");
    }

Again, what's the problem? I did specify PCR-based access control for writing. Is there any fundamental reason why this shouldn't work? The only thing I can think of is that NV space without any access control might be more susceptible to malicious wear-out.

For both this and my previous message, I am happy to augment the code with a patch that adds a check for a non-empty set of PCR-based restrictions for writing. From a design perspective, is there any reason that this is not an acceptable set of restrictions?

Again, many thanks for your time and attention.

-Jon
From: Jonathan M. <jon...@cm...> - 2011-08-26 18:03:46

Greetings,

Let's suppose I want some NV space defined where the only access control mechanisms I care about are PCR values and Locality. I can do something like this:

    jtt nv_definespace --index 0x00011222 --size 64 -p 10 -w --permission 0x00000000 --writelocality 0,1,2,3

(Including lower localities just so that jtt can continue to attempt nv_read and nv_write commands from Linux; obviously the locality enforcement doesn't help in any way if all localities are valid.)

However, when I try to write to this new space, I get an error.

    jtt nv_write --file /tmp/64bytes --index 0x00011222

    iaik.tc.tss.api.exceptions.tsp.TcTspException: TSS Error:
    error layer: 0x3000 (TSP)
    error code (without layer): 0x02
    error code (full): 0x3002
    error message: An internal error has been detected, but the source is unknown.
    additional info: illegal permissions - should not happen
        at iaik.tc.tss.impl.java.tsp.TcNvRam.writeValue(TcNvRam.java:371)
        at iaik.tc.apps.jtt.tboot.NvWrite.execute(NvWrite.java:87)
        at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
        at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
        at iaik.tc.apps.JTpmTools.main(JTpmTools.java:198)
    13:32:41:204 [ERROR] JTpmTools::main (209): application exits with error: TSS Error: error layer: 0x3000 (TSP) error code (without layer): 0x02 error code (full): 0x3002 error message: An internal error has been detected, but the source is unknown. additional info: illegal permissions - should not happen (return: -1)

Looking at jTSS_0.6/src/jtss_tsp/src/iaik/tc/tss/impl/java/tsp/TcNvRam.java, we see that this exception is thrown by the last else in a tree of if-else statements that look at the value returned by: nvDataPub.getPermission().getAttributes(). In other words, this looks like intentional, fail-safe programming.

My real question then becomes, what's the problem? Nothing stops me from defining an NV space and using the "auth method" to control access to it, and using a "well-known secret" for that auth value, but that seems silly.

I've taken a look at rev 116 of the TPM spec (Ch 28 of Part 1, Ch 19 of Part 2, and Ch 20 of Part 3), and I can't find anything to suggest that this is an illegal set of permissions for a TPM's NV space.

Looking at the TSS spec (TCG Software Stack (TSS) Specification Version 1.2, Level 1, Errata A, Part 1: Commands and Structures, March 7, 2007), it looks like Tspi_NV_WriteValue can fail with any of the following:

    TSS_SUCCESS
    TSS_E_INVALID_HANDLE
    TSS_E_BAD_PARAMETER
    TSS_E_INTERNAL_ERROR
    TPM_BAD_INDEX
    TPM_MAXNVWRITE
    TPM_AUTH_CONFLICT
    TPM_AUTHFAIL
    TPM_AREA_LOCKED
    TPM_BAD_LOCALITY
    TPM_BAD_PRESENCE
    TPM_DISABLED_CMD
    TPM_NOSPACE
    TPM_NOT_FULLWRITE
    TPM_WRONGPCRVALUE

...however those correspond fairly nicely with the errors that the TPM itself may generate. I don't see anything that suggests I'm trying to do something in violation of another layer's spec (I also checked the PC Client spec).

Thus, I'm wondering if jTSS is being overly restrictive, or if I've missed some other rationale for this design choice. Any insight would be much appreciated.

Many Thanks,
-Jon
From: Jan V. <jan...@ka...> - 2011-08-25 08:24:23
Dear All,

I am working on a project which involves making a Java implementation of DAA. I am using the jTSS framework to access the TPM functionality. However, when I send the first command for the DAA Join (stage 0) I receive an 'INVALID_AUTHHANDLE' error code. Does anyone have an idea what I am doing wrong (code sample below)?

Thanks,
Jan

    public void test() {
        try {
            tcs_ = new TcTcsBindingLocal();
            Object[] ret = tcs_.TcsiOpenContext();
            if (!new Long(TcTcsErrors.TCS_SUCCESS).equals((Long) ret[0]))
                System.out.println("Unable to open context");
            hContext_ = (Long) ret[1];

            TcTcsAuth auth = TspOIAP();
            auth.setNonceOdd(TcCrypto.createTcgNonce());
            auth.setContAuthSession(true);

            TcTpmSecret oiapSecret = new TcTpmSecret(TcBlobData.newByteArray(
                    Base64.decode("G9HrogY4LoZC6RIxR8YqMCj3ZgM=")));

            Long handle = 0L;
            short stage = 0;
            TcBlobData input0 = TcBlobData.newUINT32(1L);
            TcBlobData input1 = TcBlobData.newByteArray(new byte[]{});

            TcBlobData[] blob1H = {                                   // 1H
                TcBlobData.newUINT32(TcTpmOrdinals.TPM_ORD_DAA_Join), // 1S
                TcBlobData.newBYTE(stage),                            // 2S
                TcBlobData.newUINT32(input0.getLengthAsLong()),       // 3S
                input0,                                               // 4S
                TcBlobData.newUINT32(input1.getLengthAsLong()),       // 5S
                input1                                                // 6S
            };

            TcBlobData authDataH1 = computeAuthData(
                    blob1H,                                           // 1H1
                    auth.getNonceEven().getEncoded(),                 // 2H1
                    auth.getNonceOdd().getEncoded(),                  // 3H1
                    TcBlobData.newBOOL(auth.getContAuthSession()),    // 4H1
                    oiapSecret.getEncoded());                         // HMAC key
            auth.setHmac(new TcTpmAuthdata(authDataH1));

            // Stage 1 DAA Join
            tcs_.TcsipDaaJoin(hContext_, handle, stage, input0, input1, auth);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private TcBlobData computeAuthData(final TcBlobData[] blob1H, final TcBlobData blob2H,
            final TcBlobData blob3H, final TcBlobData blob4H, final TcBlobData authHash) {
        // 1H1: SHA-1 over the concatenated command parameters
        TcBlobData combinedBlob1H = TcBlobData.newBlobData(blob1H[0]);
        for (int i = 1; i < blob1H.length; i++) {
            combinedBlob1H.append(blob1H[i]);
        }
        TcBlobData authData = combinedBlob1H.sha1();
        // 2H1 nonceEven, 3H1 nonceOdd, 4H1 continueAuthSession
        authData.append(blob2H);
        authData.append(blob3H);
        authData.append(blob4H);
        // HMAC-SHA1 keyed with the usage secret
        TcBlobData retVal = authData.hmacSha1(authHash);
        return retVal;
    }

    private TcTcsAuth TspOIAP() throws TcTddlException, TcTpmException, TcTcsException {
        Object[] outDataTpm = tcs_.TcsipOIAP(hContext_);
        // get return values
        Long authHandle = (Long) outDataTpm[1];
        TcTpmNonce nonceEven = (TcTpmNonce) outDataTpm[2];
        TcTcsAuth auth = new TcTcsAuth();
        auth.setAuthHandle(authHandle.longValue());
        auth.setNonceEven(nonceEven);
        return auth;
    }
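The OIAP authorization computation that the computeAuthData() above performs, as an added stand-alone example (standard library only; this is not jTSS code and not part of the thread). It reproduces the 1H1/2H1/3H1/4H1 layout for a TPM_DAA_Join stage-0 request with the same inputs as the posted code (inputData0 = UINT32 1, inputData1 empty), and adds the caller-side check of the TPM's response HMAC, which the posted code does not show. The secret and nonces are constructed test values; the ordinal value for TPM_DAA_Join is taken from the TPM 1.2 Part 2 ordinal table.

```python
"""TPM 1.2 OIAP authorization HMAC for a TPM_DAA_Join stage-0 request.

Constructed example (standard library only, not jTSS code). It reproduces the
1H1 / 2H1 / 3H1 / 4H1 layout of the posted computeAuthData() and adds the
caller-side check of the TPM's response HMAC (resAuth). Secret and nonces
below are constructed test values, not real TPM output.
"""
import hashlib
import hmac
import struct

TPM_ORD_DAA_Join = 0x00000029  # TPM 1.2 Part 2 ordinal table
TPM_SUCCESS = 0x00000000
NONCE_LEN = 20                 # TPM_NONCE is 20 bytes


def u32(value: int) -> bytes:
    return struct.pack(">I", value)


def daa_join_param_digest(stage: int, input0: bytes, input1: bytes) -> bytes:
    """1H1: SHA-1 over the authorized command parameters, in wire order:
    ordinal || stage || inputSize0 || inputData0 || inputSize1 || inputData1.
    The tag, paramSize and the auth handle itself are not part of the digest."""
    return hashlib.sha1(
        u32(TPM_ORD_DAA_Join)
        + struct.pack(">B", stage)
        + u32(len(input0)) + input0
        + u32(len(input1)) + input1
    ).digest()


def oiap_auth(secret: bytes, param_digest: bytes, nonce_even: bytes,
              nonce_odd: bytes, continue_session: bool) -> bytes:
    """HMAC-SHA1 keyed with the 20-byte usage secret over
    1H1 paramDigest || 2H1 nonceEven || 3H1 nonceOdd || 4H1 continueAuthSession."""
    if len(nonce_even) != NONCE_LEN or len(nonce_odd) != NONCE_LEN:
        raise ValueError("TPM nonces are 20 bytes")
    msg = param_digest + nonce_even + nonce_odd + bytes([1 if continue_session else 0])
    return hmac.new(secret, msg, hashlib.sha1).digest()


def build_stage0_auth(secret: bytes, nonce_even: bytes, nonce_odd: bytes,
                      continue_session: bool = True) -> bytes:
    """Request-side HMAC for DAA_Join stage 0 with the posted inputs:
    inputData0 = UINT32 1, inputData1 empty."""
    input0 = u32(1)
    input1 = b""
    return oiap_auth(secret, daa_join_param_digest(0, input0, input1),
                     nonce_even, nonce_odd, continue_session)


def response_auth(secret: bytes, return_code: int, out_params: bytes,
                  new_nonce_even: bytes, nonce_odd: bytes,
                  continue_session: bool) -> bytes:
    """What a TPM holding `secret` computes as resAuth:
    HMAC over SHA1(returnCode || ordinal || outParams) || nonceEven' || nonceOdd || continueAuthSession,
    where nonceEven' is the fresh nonce returned with the response."""
    digest = hashlib.sha1(u32(return_code) + u32(TPM_ORD_DAA_Join) + out_params).digest()
    return oiap_auth(secret, digest, new_nonce_even, nonce_odd, continue_session)


def verify_response_auth(secret: bytes, return_code: int, out_params: bytes,
                         new_nonce_even: bytes, nonce_odd: bytes,
                         continue_session: bool, res_auth: bytes) -> bool:
    """Caller-side check of resAuth. A mismatch means the response was not
    produced by a TPM holding the secret for this session (or was altered in
    transit) and its output parameters must not be trusted."""
    expected = response_auth(secret, return_code, out_params,
                             new_nonce_even, nonce_odd, continue_session)
    return hmac.compare_digest(expected, res_auth)


# Constructed test vectors. TPM usage secrets are 20-byte SHA-1 digests.
SECRET = hashlib.sha1(b"constructed usage secret").digest()
NONCE_EVEN = bytes(range(20))        # constructed: would come from TPM_OIAP
NONCE_ODD = bytes(range(100, 120))   # constructed: caller's fresh nonce

if __name__ == "__main__":
    print("reqAuth:", build_stage0_auth(SECRET, NONCE_EVEN, NONCE_ODD).hex())
```

Checking resAuth is the half of the protocol most callers skip: without it a fake or failing TPM stack can return arbitrary output data that the caller will happily consume.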
From: Ronald T. <ron...@ia...> - 2011-07-20 08:25:19
Hello,

You may encounter this error on recent Linux kernels (version around 2.6.32-32), at least when using an Infineon TPM with the tpm_tis driver.

    Caused by: iaik.tc.tss.api.exceptions.tcs.TcTddlException:
    TSS Error:
    error layer: 0x1000 (TDDL)
    error code (without layer): 0x87
    error code (full): 0x1087
    error message: The request could not be performed because of an IO device error.
    additional info: Timer expired
    Reading from TPM device (/dev/tpm0) failed.

The workaround is to use the tpm_infineon driver instead.

Ronald

--
Dipl.-Ing. Ronald Tögl            phone +43 316/873-5502
Secure and Correct Systems        fax   +43 316/873-5520
IAIK                              ron...@ia...
Graz University of Technology     http://www.iaik.tugraz.at
From: Ronald T. <ron...@ia...> - 2011-07-19 11:59:31
Hello Fady,

The exception is thrown when the checksums for the authorization protocol are calculated. I noticed that you're using the TSS_KEY_NO_AUTHORIZATION flag for the key. This mode is not supported in jTSS. Rather use the TcTssConstants.TSS_KEY_AUTHORIZATION flag and either apply your own secret, or the well-known secret, if you really do not need authentication. Please report improvements or (new) errors.

Regarding your second question, AFAIR the SRK is always the parent of any AIK.

hth,
Ronald

On 07/16/2011 10:21 AM, Fady wrote:
> Dear ALL Trusted Java Team,
>
> I try to certify a legacy key. It works fine if it is created without a PCR composite, as
>     myLegKey.createKey(srk, null);
> but when using
>     myLegKey.createKey(srk, pcrComp);
> this exception is thrown at the line myLegKey.certifyKey(aikKey, serverNonceValidation);
>
>     Exception in thread "main" java.lang.NullPointerException
>         at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCertifyKey_Internal(TcTspInternal.java:3252)
>         at iaik.tc.tss.impl.java.tsp.TcRsaKey.certifyKey(TcRsaKey.java:289)
>
> Sometimes it throws
>
>     Exception in thread "main" java.lang.IndexOutOfBoundsException: Unable to decode requested type. Current offset + type length exceeds data length.
>         at iaik.tc.tss.api.structs.common.TcBasicTypeDecoder.checkBoundaryPreconditions(TcBasicTypeDecoder.java:91)
>         at iaik.tc.tss.api.structs.common.TcBasicTypeDecoder.decodeBytes(TcBasicTypeDecoder.java:228)
>         at iaik.tc.tss.api.structs.common.TcBasicTypeDecoder.decodeBytes(TcBasicTypeDecoder.java:246)
>         at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCrypto.TpmCertifyKey(TcTpmCmdCrypto.java:423)
>         at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipCertifyKey(TcTcsi.java:2300)
>         at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipCertifyKey(TcTcsBindingLocal.java:634)
>         at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCertifyKey_Internal(TcTspInternal.java:3231)
>         at iaik.tc.tss.impl.java.tsp.TcRsaKey.certifyKey(TcRsaKey.java:289)
>
> The complete used code is
>
>     // create PCR Composite
>     TcIPcrComposite pcrComp = context.createPcrCompositeObject(TcTssConstants.TSS_PCRS_STRUCT_INFO_LONG);
>     pcrComp.selectPcrIndexEx(pcrIndex, TcTssConstants.TSS_PCRS_DIRECTION_RELEASE); // release
>     pcrComp.setPcrValue(pcrIndex, context.getTpmObject().pcrRead(pcrIndex));
>
>     // create Legacy Key
>     TcIRsaKey myLegKey = context.createRsaKeyObject(
>             TcTssConstants.TSS_KEY_SIZE_2048
>             | TcTssConstants.TSS_KEY_TYPE_LEGACY
>             | TcTssConstants.TSS_KEY_VOLATILE
>             | TcTssConstants.TSS_KEY_NOT_MIGRATABLE
>             | TcTssConstants.TSS_KEY_NO_AUTHORIZATION);
>
>     TcIPolicy legKeyUsgPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
>     legKeyUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString(usageSecret, false));
>     legKeyUsgPolicy.assignToObject(myLegKey);
>
>     TcIPolicy legkeyMigPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
>     legkeyMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString(migSecret, false));
>     legkeyMigPolicy.assignToObject(myLegKey);
>
>     myLegKey.createKey(srk, pcrComp);
>     // myLegKey.createKey(srk, null);
>     myLegKey.loadKey(srk);
>
>     // Get Nonce
>     String serverNonceString = "test";
>     TcTssValidation serverNonceValidation = new TcTssValidation();
>     TcBlobData serverNonceBlob = TcBlobData.newString(serverNonceString).sha1();
>     serverNonceValidation.setExternalData(serverNonceBlob);
>
>     // Load AIK
>     TcIRsaKey aikKey = context.loadKeyByBlob(srk, readFile(aikFile));
>
>     TcIPolicy aikUsgPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
>     aikUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString(aikPass, false)); // false
>     aikUsgPolicy.assignToObject(aikKey);
>
>     TcIPolicy aikMigPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
>     aikMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString(aikPass, false)); // false
>     aikMigPolicy.assignToObject(aikKey);
>
>     // Certify Key
>     TcTssValidation certifyResult = myLegKey.certifyKey(aikKey, serverNonceValidation);
>
> As far as I know, legacy and storage keys can be used for sealing; I use both but I have the same exception in both.
>
> I have another question just to be certain: the parent of AIKs is the SRK, not the EK (as done in the quote example), is this true?
>
> Thanks
From: Fady <fad...@ya...> - 2011-07-16 08:21:26
Dear ALL Trusted Java Team,

I try to certify a legacy key. It works fine if it is created without a PCR composite, as
    myLegKey.createKey(srk, null);
but when using
    myLegKey.createKey(srk, pcrComp);
this exception is thrown at the line myLegKey.certifyKey(aikKey, serverNonceValidation);

    Exception in thread "main" java.lang.NullPointerException
        at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCertifyKey_Internal(TcTspInternal.java:3252)
        at iaik.tc.tss.impl.java.tsp.TcRsaKey.certifyKey(TcRsaKey.java:289)

Sometimes it throws

    Exception in thread "main" java.lang.IndexOutOfBoundsException: Unable to decode requested type. Current offset + type length exceeds data length.
        at iaik.tc.tss.api.structs.common.TcBasicTypeDecoder.checkBoundaryPreconditions(TcBasicTypeDecoder.java:91)
        at iaik.tc.tss.api.structs.common.TcBasicTypeDecoder.decodeBytes(TcBasicTypeDecoder.java:228)
        at iaik.tc.tss.api.structs.common.TcBasicTypeDecoder.decodeBytes(TcBasicTypeDecoder.java:246)
        at iaik.tc.tss.impl.java.tcs.pbg.TcTpmCmdCrypto.TpmCertifyKey(TcTpmCmdCrypto.java:423)
        at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.TcsipCertifyKey(TcTcsi.java:2300)
        at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsipCertifyKey(TcTcsBindingLocal.java:634)
        at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCertifyKey_Internal(TcTspInternal.java:3231)
        at iaik.tc.tss.impl.java.tsp.TcRsaKey.certifyKey(TcRsaKey.java:289)

The complete used code is

    // create PCR Composite
    TcIPcrComposite pcrComp = context.createPcrCompositeObject(TcTssConstants.TSS_PCRS_STRUCT_INFO_LONG);
    pcrComp.selectPcrIndexEx(pcrIndex, TcTssConstants.TSS_PCRS_DIRECTION_RELEASE); // release
    pcrComp.setPcrValue(pcrIndex, context.getTpmObject().pcrRead(pcrIndex));

    // create Legacy Key
    TcIRsaKey myLegKey = context.createRsaKeyObject(
            TcTssConstants.TSS_KEY_SIZE_2048
            | TcTssConstants.TSS_KEY_TYPE_LEGACY
            | TcTssConstants.TSS_KEY_VOLATILE
            | TcTssConstants.TSS_KEY_NOT_MIGRATABLE
            | TcTssConstants.TSS_KEY_NO_AUTHORIZATION);

    TcIPolicy legKeyUsgPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
    legKeyUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString(usageSecret, false));
    legKeyUsgPolicy.assignToObject(myLegKey);

    TcIPolicy legkeyMigPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
    legkeyMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString(migSecret, false));
    legkeyMigPolicy.assignToObject(myLegKey);

    myLegKey.createKey(srk, pcrComp);
    // myLegKey.createKey(srk, null);
    myLegKey.loadKey(srk);

    // Get Nonce
    String serverNonceString = "test";
    TcTssValidation serverNonceValidation = new TcTssValidation();
    TcBlobData serverNonceBlob = TcBlobData.newString(serverNonceString).sha1();
    serverNonceValidation.setExternalData(serverNonceBlob);

    // Load AIK
    TcIRsaKey aikKey = context.loadKeyByBlob(srk, readFile(aikFile));

    TcIPolicy aikUsgPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
    aikUsgPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString(aikPass, false)); // false
    aikUsgPolicy.assignToObject(aikKey);

    TcIPolicy aikMigPolicy = context.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
    aikMigPolicy.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN, TcBlobData.newString(aikPass, false)); // false
    aikMigPolicy.assignToObject(aikKey);

    // Certify Key
    TcTssValidation certifyResult = myLegKey.certifyKey(aikKey, serverNonceValidation);

As far as I know, legacy and storage keys can be used for sealing; I use both but I have the same exception in both.

I have another question just to be certain: the parent of AIKs is the SRK, not the EK (as done in the quote example), is this true?

Thanks
From: waqar a. <afr...@gm...> - 2011-04-11 09:36:52
I was about to reply; I have fixed the problem. Actually the TPM was in use by TrouSerS, which Fedora 14 had installed by default (which I didn't know). Stopping it solved the above problem.

Thanks, Ronald

On Mon, Apr 11, 2011 at 2:30 PM, Ronald Tögl <ron...@ia...> wrote:
> Hello,
>
> What's your platform? How did you configure the jTSS TCS and are there any other TSSes installed?
>
> Ronald
>
> On 04/09/2011 09:49 AM, waqar afridi wrote:
> > Hello Dear List
> >
> > I am using Trusted JAVA to extend a byte array to PCR 11 of the TPM, but when I do I get the following error:
> >
> > ===========================================================================================
> > 12:09:24:305 [WARN] TcTddlLinux::open (106): Unable to open TPM device file /dev/tpm.
> > Reason: /dev/tpm (Device or resource busy)
> >
> > 12:09:24:306 [ERROR] TcTcsi::<clinit> (129): TCS startup failed.
> > 12:09:24:307 [ERROR] TcTcsi::<clinit> (129):
> > TSS Error:
> > error layer: 0x1000 (TDDL)
> > error code (without layer): 0x87
> > error code (full): 0x1087
> > error message: The request could not be performed because of an IO device error.
> > additional info: Unable to open TPM device file /dev/tpm.
> > Reason: /dev/tpm (Device or resource busy)
> >
> > iaik.tc.tss.api.exceptions.tcs.TcTddlException:
> > TSS Error:
> > error layer: 0x1000 (TDDL)
> > error code (without layer): 0x87
> > error code (full): 0x1087
> > error message: The request could not be performed because of an IO device error.
> > additional info: Unable to open TPM device file /dev/tpm.
> > Reason: /dev/tpm (Device or resource busy)
> >
> >     at iaik.tc.tss.impl.java.tddl.TcTddlLinux.open(TcTddlLinux.java:107)
> >     at iaik.tc.tss.impl.java.tddl.TcTddl.getInstance(TcTddl.java:44)
> >     at iaik.tc.tss.impl.java.tcs.TcTcsCommon.isOrdinalSupported(TcTcsCommon.java:66)
> >     at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.<clinit>(TcTcsi.java:112)
> >     at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiOpenContext(TcTcsBindingLocal.java:177)
> >     at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspContextOpen_Internal(TcTspInternal.java:378)
> >     at iaik.tc.tss.impl.java.tsp.TcContext.connect(TcContext.java:167)
> > ===========================================================================================
> >
> > The part of the code for PCR extending is:
> >
> > ===========================================================================================
> > int pcrIndex = 11;
> > byte[] byteData = xmlFromNode.getBytes();
> >
> > TcBlobData data = TcBlobData.newByteArray(byteData);
> >
> > try {
> >     TcTssAbstractFactory factory = new TcTssLocalCallFactory();
> >     TcIContext context = factory.newContextObject();
> >
> >     context.connect("localhost");
> >     TcITpm tpm = context.getTpmObject();
> >     TcTssPcrEvent event = new TcTssPcrEvent();
> >     event.setPcrIndex(pcrIndex);
> >     event.setEventType(TcTssConstants.TSS_EV_PLATFORM_SPECIFIC);
> >     event.setVersionInfo(tpm.getCapabilityVersion(TcTssConstants.TSS_TPMCAP_VERSION, null));
> >     // event.setEvent(TcBlobData.newString(logEntry));
> >
> >     TcBlobData oldPcrContent = tpm.pcrRead(pcrIndex);
> >
> >     try {
> >         tpm.pcrExtend(pcrIndex, data.sha1(), event);
> >     } catch (TcTssException e) {
> >         if (e.getErrCode() == TcTssErrors.TSS_E_NOTIMPL) {
> >             System.out.println("\n\nNote: This TSS has no event log support\n\n");
> >         } else {
> >             throw e;
> >         }
> >     }
> >
> >     context.closeContext();
> >
> >     System.out.println("\n\nExtendPcr succeeded\n\n");
> >
> >     if (event != null) {
> >         TcBlobData newPcrContentPlain = TcBlobData.newUINT32(pcrIndex);
> >         newPcrContentPlain.append(data.sha1());
> >         newPcrContentPlain.append(TcBlobData.newUINT32(event.getEventType()));
> >         newPcrContentPlain.append(event.getEvent());
> >         oldPcrContent.append(newPcrContentPlain.sha1());
> >     } else {
> >         oldPcrContent.append(data.sha1());
> >     }
> >     System.out.println("expected new content of PCR " + pcrIndex + ": "
> >             + oldPcrContent.sha1().toHexStringNoWrap());
> >
> > } catch (TcTssException e) {
> >     if (e.getErrLayer() == TcTssErrors.TSS_LAYER_TPM) {
> >         System.out.println("can't extend this pcr - wrong locality");
> >     } else {
> >         System.out.println("Error");
> >     }
> > }
> > } // closes the enclosing method
> > ===========================================================================================
> >
> > I tried with both a hardware TPM and the TPM Emulator but am still getting the error. The above error is from the software TPM (both error messages are exactly the same, just for the hardware TPM it's tpm0).
> >
> > Any idea or hint what could be the problem?
> >
> > Thanks in advance
> >
> > --
> > *Waqar Afridi*

--
*Waqar Afridi*
From: Ronald T. <ron...@ia...> - 2011-04-11 09:31:09
Hello,

What's your platform? How did you configure the jTSS TCS and are there any other TSSes installed?

Ronald

On 04/09/2011 09:49 AM, waqar afridi wrote:
> Hello Dear List
>
> I am using Trusted JAVA to extend a byte array to PCR 11 of the TPM, but when I do I get the following error:
>
> ===========================================================================================
> 12:09:24:305 [WARN] TcTddlLinux::open (106): Unable to open TPM device file /dev/tpm.
> Reason: /dev/tpm (Device or resource busy)
>
> 12:09:24:306 [ERROR] TcTcsi::<clinit> (129): TCS startup failed.
> 12:09:24:307 [ERROR] TcTcsi::<clinit> (129):
> TSS Error:
> error layer: 0x1000 (TDDL)
> error code (without layer): 0x87
> error code (full): 0x1087
> error message: The request could not be performed because of an IO device error.
> additional info: Unable to open TPM device file /dev/tpm.
> Reason: /dev/tpm (Device or resource busy)
>
> iaik.tc.tss.api.exceptions.tcs.TcTddlException:
> TSS Error:
> error layer: 0x1000 (TDDL)
> error code (without layer): 0x87
> error code (full): 0x1087
> error message: The request could not be performed because of an IO device error.
> additional info: Unable to open TPM device file /dev/tpm.
> Reason: /dev/tpm (Device or resource busy)
>
>     at iaik.tc.tss.impl.java.tddl.TcTddlLinux.open(TcTddlLinux.java:107)
>     at iaik.tc.tss.impl.java.tddl.TcTddl.getInstance(TcTddl.java:44)
>     at iaik.tc.tss.impl.java.tcs.TcTcsCommon.isOrdinalSupported(TcTcsCommon.java:66)
>     at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.<clinit>(TcTcsi.java:112)
>     at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiOpenContext(TcTcsBindingLocal.java:177)
>     at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspContextOpen_Internal(TcTspInternal.java:378)
>     at iaik.tc.tss.impl.java.tsp.TcContext.connect(TcContext.java:167)
> ===========================================================================================
>
> The part of the code for PCR extending is:
>
> ===========================================================================================
> int pcrIndex = 11;
> byte[] byteData = xmlFromNode.getBytes();
>
> TcBlobData data = TcBlobData.newByteArray(byteData);
>
> try {
>     TcTssAbstractFactory factory = new TcTssLocalCallFactory();
>     TcIContext context = factory.newContextObject();
>
>     context.connect("localhost");
>     TcITpm tpm = context.getTpmObject();
>     TcTssPcrEvent event = new TcTssPcrEvent();
>     event.setPcrIndex(pcrIndex);
>     event.setEventType(TcTssConstants.TSS_EV_PLATFORM_SPECIFIC);
>     event.setVersionInfo(tpm.getCapabilityVersion(TcTssConstants.TSS_TPMCAP_VERSION, null));
>     // event.setEvent(TcBlobData.newString(logEntry));
>
>     TcBlobData oldPcrContent = tpm.pcrRead(pcrIndex);
>
>     try {
>         tpm.pcrExtend(pcrIndex, data.sha1(), event);
>     } catch (TcTssException e) {
>         if (e.getErrCode() == TcTssErrors.TSS_E_NOTIMPL) {
>             System.out.println("\n\nNote: This TSS has no event log support\n\n");
>         } else {
>             throw e;
>         }
>     }
>
>     context.closeContext();
>
>     System.out.println("\n\nExtendPcr succeeded\n\n");
>
>     if (event != null) {
>         TcBlobData newPcrContentPlain = TcBlobData.newUINT32(pcrIndex);
>         newPcrContentPlain.append(data.sha1());
>         newPcrContentPlain.append(TcBlobData.newUINT32(event.getEventType()));
>         newPcrContentPlain.append(event.getEvent());
>         oldPcrContent.append(newPcrContentPlain.sha1());
>     } else {
>         oldPcrContent.append(data.sha1());
>     }
>     System.out.println("expected new content of PCR " + pcrIndex + ": "
>             + oldPcrContent.sha1().toHexStringNoWrap());
>
> } catch (TcTssException e) {
>     if (e.getErrLayer() == TcTssErrors.TSS_LAYER_TPM) {
>         System.out.println("can't extend this pcr - wrong locality");
>     } else {
>         System.out.println("Error");
>     }
> }
> } // closes the enclosing method
> ===========================================================================================
>
> I tried with both a hardware TPM and the TPM Emulator but am still getting the error. The above error is from the software TPM (both error messages are exactly the same, just for the hardware TPM it's tpm0).
>
> Any idea or hint what could be the problem?
>
> Thanks in advance
>
> --
> *Waqar Afridi*
From: waqar a. <afr...@gm...> - 2011-04-09 07:50:08
Hello Dear List

I am using Trusted JAVA to extend a byte array to PCR 11 of the TPM, but when I do I get the following error:

===========================================================================================
12:09:24:305 [WARN] TcTddlLinux::open (106): Unable to open TPM device file /dev/tpm.
Reason: /dev/tpm (Device or resource busy)

12:09:24:306 [ERROR] TcTcsi::<clinit> (129): TCS startup failed.
12:09:24:307 [ERROR] TcTcsi::<clinit> (129):
TSS Error:
error layer: 0x1000 (TDDL)
error code (without layer): 0x87
error code (full): 0x1087
error message: The request could not be performed because of an IO device error.
additional info: Unable to open TPM device file /dev/tpm.
Reason: /dev/tpm (Device or resource busy)

iaik.tc.tss.api.exceptions.tcs.TcTddlException:
TSS Error:
error layer: 0x1000 (TDDL)
error code (without layer): 0x87
error code (full): 0x1087
error message: The request could not be performed because of an IO device error.
additional info: Unable to open TPM device file /dev/tpm.
Reason: /dev/tpm (Device or resource busy)

    at iaik.tc.tss.impl.java.tddl.TcTddlLinux.open(TcTddlLinux.java:107)
    at iaik.tc.tss.impl.java.tddl.TcTddl.getInstance(TcTddl.java:44)
    at iaik.tc.tss.impl.java.tcs.TcTcsCommon.isOrdinalSupported(TcTcsCommon.java:66)
    at iaik.tc.tss.impl.java.tcs.tcsi.TcTcsi.<clinit>(TcTcsi.java:112)
    at iaik.tc.tss.impl.java.tsp.tcsbinding.local.TcTcsBindingLocal.TcsiOpenContext(TcTcsBindingLocal.java:177)
    at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspContextOpen_Internal(TcTspInternal.java:378)
    at iaik.tc.tss.impl.java.tsp.TcContext.connect(TcContext.java:167)
===========================================================================================

The part of the code for PCR extending is:

===========================================================================================
int pcrIndex = 11;
byte[] byteData = xmlFromNode.getBytes();

TcBlobData data = TcBlobData.newByteArray(byteData);

try {
    TcTssAbstractFactory factory = new TcTssLocalCallFactory();
    TcIContext context = factory.newContextObject();

    context.connect("localhost");
    TcITpm tpm = context.getTpmObject();
    TcTssPcrEvent event = new TcTssPcrEvent();
    event.setPcrIndex(pcrIndex);
    event.setEventType(TcTssConstants.TSS_EV_PLATFORM_SPECIFIC);
    event.setVersionInfo(tpm.getCapabilityVersion(TcTssConstants.TSS_TPMCAP_VERSION, null));
    // event.setEvent(TcBlobData.newString(logEntry));

    TcBlobData oldPcrContent = tpm.pcrRead(pcrIndex);

    try {
        tpm.pcrExtend(pcrIndex, data.sha1(), event);
    } catch (TcTssException e) {
        if (e.getErrCode() == TcTssErrors.TSS_E_NOTIMPL) {
            System.out.println("\n\nNote: This TSS has no event log support\n\n");
        } else {
            throw e;
        }
    }

    context.closeContext();

    System.out.println("\n\nExtendPcr succeeded\n\n");

    if (event != null) {
        TcBlobData newPcrContentPlain = TcBlobData.newUINT32(pcrIndex);
        newPcrContentPlain.append(data.sha1());
        newPcrContentPlain.append(TcBlobData.newUINT32(event.getEventType()));
        newPcrContentPlain.append(event.getEvent());
        oldPcrContent.append(newPcrContentPlain.sha1());
    } else {
        oldPcrContent.append(data.sha1());
    }
    System.out.println("expected new content of PCR " + pcrIndex + ": "
            + oldPcrContent.sha1().toHexStringNoWrap());

} catch (TcTssException e) {
    if (e.getErrLayer() == TcTssErrors.TSS_LAYER_TPM) {
        System.out.println("can't extend this pcr - wrong locality");
    } else {
        System.out.println("Error");
    }
}
} // closes the enclosing method
===========================================================================================

I tried with both a hardware TPM and the TPM Emulator but am still getting the error. The above error is from the software TPM (both error messages are exactly the same, just for the hardware TPM it's tpm0).

Any idea or hint what could be the problem?

Thanks in advance

--
*Waqar Afridi*
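The hashing that the program above performs to predict the new PCR value, isolated as an added stand-alone example (Python standard library only; this is not Trusted Java code and not part of the thread). It shows the TPM extend rule newPcr = SHA1(oldPcr || digest), the per-entry digest the posted code builds when an event is logged (UINT32 pcrIndex || SHA1(data) || UINT32 eventType || event), and what a verifier does with them: replay the event log and compare against a quoted PCR value. It generalizes the single extend in the post to a whole log. The sample events, the event type constant and the initial PCR value are constructed for the example; only the layout of the entry digest comes from the posted code.

```python
"""PCR extend arithmetic and event-log replay for a TPM 1.2 (SHA-1) PCR.

Constructed example, not Trusted Java code. It isolates the hashing the posted
program performs to predict the PCR value after tpm.pcrExtend(): the TPM extend
rule newPcr = SHA1(oldPcr || digest), and the per-entry digest the posted code
builds when an event is logged,
SHA1(UINT32 pcrIndex || SHA1(data) || UINT32 eventType || event).
A verifier holding the event log and a quoted PCR value replays the log and
compares. Sample events below are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Iterable, List

PCR_LEN = 20
ZERO_PCR = bytes(PCR_LEN)   # PCR 11 (as in the post) reads all-zero after TPM_Startup(ST_CLEAR)
EV_CONSTRUCTED = 0x00000001  # constructed event type; stands in for TSS_EV_PLATFORM_SPECIFIC


def extend(old_pcr: bytes, digest: bytes) -> bytes:
    """TPM_Extend: the only write a PCR supports. Order matters and nothing
    can be removed, which is what makes the final value a summary of history."""
    if len(old_pcr) != PCR_LEN or len(digest) != PCR_LEN:
        raise ValueError("PCR value and extend value must both be 20 bytes")
    return hashlib.sha1(old_pcr + digest).digest()


@dataclass(frozen=True)
class PcrEvent:
    pcr_index: int
    event_type: int
    data: bytes         # the measured bytes; the TPM only ever sees SHA1(data)
    event: bytes = b""  # free-form log description

    def measurement(self) -> bytes:
        return hashlib.sha1(self.data).digest()

    def entry_digest(self) -> bytes:
        """Value extended when an event is logged, laid out as the posted code does:
        SHA1(UINT32 pcrIndex || SHA1(data) || UINT32 eventType || event)."""
        return hashlib.sha1(
            struct.pack(">I", self.pcr_index) + self.measurement()
            + struct.pack(">I", self.event_type) + self.event
        ).digest()


def replay(events: Iterable[PcrEvent], pcr_index: int, *,
           initial: bytes = ZERO_PCR, with_event_log: bool = True) -> bytes:
    """Recompute one PCR from its log entries. with_event_log=False models the
    TSS_E_NOTIMPL path in the post, where the raw SHA1(data) is extended."""
    pcr = initial
    for ev in events:
        if ev.pcr_index != pcr_index:
            continue
        pcr = extend(pcr, ev.entry_digest() if with_event_log else ev.measurement())
    return pcr


def log_matches_quote(events: Iterable[PcrEvent], pcr_index: int,
                      quoted_pcr: bytes, **kw) -> bool:
    """Attestation check: does the replayed log explain the quoted PCR value?
    Constant-time compare so the verifier leaks nothing about the expected value."""
    return hmac.compare_digest(replay(events, pcr_index, **kw), quoted_pcr)


# Constructed sample log: two measurements into PCR 11 and one into another PCR.
SAMPLE_LOG: List[PcrEvent] = [
    PcrEvent(11, EV_CONSTRUCTED, b"<policy version='1'/>", b"policy.xml"),
    PcrEvent(11, EV_CONSTRUCTED, b"#!/bin/sh\nexec agent\n", b"agent.sh"),
    PcrEvent(12, EV_CONSTRUCTED, b"unrelated", b"other pcr"),
]

if __name__ == "__main__":
    print("PCR 11 after replay:", replay(SAMPLE_LOG, 11).hex())
```

Two properties worth noticing in the replay: the same two measurements in the opposite order produce a different PCR, and extending with or without the event-log wrapper produces different values, so a verifier must know which convention the measuring side used before it can match a quote.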
From: Ronald T. <ron...@ia...> - 2011-03-25 09:07:53
Hi,

You also need to include the jars in the ext_libs directory.

Ronald

On 03/24/2011 11:23 PM, Mudassar Aslam wrote:
> Hi
> I have installed the TCS as a Windows service using setup.exe as directed in the documentation (section 7.3). I have also configured the .ini files. I can see TPM commands as services when I enter http://localhost:30004/axis/services/TSSCoreServiceBindingImpl in my browser, which means that the TCS daemon is running.
> I am using Eclipse to run a very basic program using the SOAP binding for some reason. I have set the class path for jtss_tcs.jar and the jtss_tsp.jars (normal and SOAP). I am not sure how to configure my Eclipse project to run my program with the SOAP binding (e.g. axis server, port, wsdl etc). I am getting the following exceptions:
>
>     Exception in thread "main" java.lang.NoClassDefFoundError: javax/xml/rpc/ServiceException
>         at iaik.tc.tss.impl.java.tsp.TcTssSOAPCallFactory.newContextObject(TcTssSOAPCallFactory.java:18)
>         at iaik.tc.tss.api.tspi.TcTssContextFactory.newContextObject(TcTssContextFactory.java:68)
>         at tests.TestTpm.main(TestTpm.java:21)
>     Caused by: java.lang.ClassNotFoundException: javax.xml.rpc.ServiceException
>         at java.net.URLClassLoader$1.run(Unknown Source)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at java.net.URLClassLoader.findClass(Unknown Source)
>         at java.lang.ClassLoader.loadClass(Unknown Source)
>         at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
>         at java.lang.ClassLoader.loadClass(Unknown Source)
>         ... 3 more
>
> Regards.
>
> Mudassar.
From: Mudassar A. <mud...@ho...> - 2011-03-24 22:23:58
Hi

I have installed the TCS as a Windows service using setup.exe as directed in the documentation (section 7.3). I have also configured the .ini files. I can see TPM commands as services when I enter http://localhost:30004/axis/services/TSSCoreServiceBindingImpl in my browser, which means that the TCS daemon is running.

I am using Eclipse to run a very basic program using the SOAP binding for some reason. I have set the class path for jtss_tcs.jar and the jtss_tsp.jars (normal and SOAP). I am not sure how to configure my Eclipse project to run my program with the SOAP binding (e.g. axis server, port, wsdl etc). I am getting the following exceptions:

    Exception in thread "main" java.lang.NoClassDefFoundError: javax/xml/rpc/ServiceException
        at iaik.tc.tss.impl.java.tsp.TcTssSOAPCallFactory.newContextObject(TcTssSOAPCallFactory.java:18)
        at iaik.tc.tss.api.tspi.TcTssContextFactory.newContextObject(TcTssContextFactory.java:68)
        at tests.TestTpm.main(TestTpm.java:21)
    Caused by: java.lang.ClassNotFoundException: javax.xml.rpc.ServiceException
        at java.net.URLClassLoader$1.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        at sun.misc.Launcher$AppClassLoader.loadClass(Unknown Source)
        at java.lang.ClassLoader.loadClass(Unknown Source)
        ... 3 more

Regards.

Mudassar.
From: Ronald T. <ron...@ia...> - 2011-03-24 09:46:28
Hi,

I noted you're using Infineon FW 3.16. They have an issue with key certification: IFX TPMs prior to revision 3.17 calculate the signature over the entire TPM_STORE_PUBKEY structure instead of just the modulus, therefore it can't be validated. You could try a firmware update (available for some HP desktops (Windows), dc7900 afair).

TcRsaKey.certifyKey() should accommodate for the different structs. TpmCertifyKey2 seems only to be called if TPM_MIGRATEAUTHORITY is set as key flag...

Overall, it seems to be a tricky problem. ;) I'd suggest careful debugging across all the stack layers. There might be a small corner case hidden somewhere that we did not think of.

Ronald

On 03/23/2011 04:56 PM, Mudassar Aslam wrote:
> Hi
> Well, I tried to step in and find out that just before generating NULL
> POINTER exception, following exception occured:
> java.lang.ClassCastException:
> iaik.tc.tss.api.structs.tpm.TcTpmCertifyInfo2 cannot be cast to
> iaik.tc.tss.api.structs.tpm.TcTpmCertifyInfo
> Give me some reason to think that my key attributes are causing
> TcTpmCertifyInfo2 structure to be returned (see TSS note below). If I
> specify OTHER key attributes so that TcTpmCertifyInfo structure is
> returned then I might not get exception. Currently I am using
> following key attributes:
> public static final long BIND_KEY_ATTRIBUTES =
> TcTssConstants.TSS_KEY_TYPE_BIND
> | TcTssConstants.TSS_KEY_SIZE_2048
> | TcTssConstants.TSS_KEY_VOLATILE
> | TcTssConstants.TSS_KEY_NOT_MIGRATABLE;
> Any suggestion on the possible key attributes combination?
> ***********************************************
> TCG SOFTWARE STACK (TSS) SPECIFICATION : PAGE 320
> ***********************************************
> pValidationData
> Pointer addresses a TSS_VALIDATION structure. After successful
> completion of the call the member rgbValidationData of this structure
> contains the signature data of the command. The member prgbData of the
> structure points to a buffer containing a TCPA_CERTIFY_INFO2 data
> stream as specified within the TCG TPM 1.2 Main Specification or a
> TCPA_CERTIFY_INFO data stream as specified within the TCG 1.1b Main
> Specification.
> TCPA_CERTIFY_INFO2: On TPM v1.2 with usage of CMK keys and keys
> with locality restrictions (TPM_KEY12 key complex).
> TCPA_CERTIFY_INFO: Is returned if the TSS is connected to a TPM v1.1 or
> the key which is used on a TPM v1.2 is a legacy one (PCR's without
> locality -> TPM_KEY key complex).
> Regards.
>
> Mudassar Aslam

--
Dipl.-Ing. Ronald Tögl                 phone +43 316/873-5502
Secure and Correct Systems             fax   +43 316/873-5520
IAIK                                   ron...@ia...
Graz University of Technology          http://www.iaik.tugraz.at
From: Mudassar A. <mud...@ho...> - 2011-03-23 15:56:58
Hi,

Well, I tried to step in and found out that just before generating the NULL POINTER exception, the following exception occurred:

java.lang.ClassCastException: iaik.tc.tss.api.structs.tpm.TcTpmCertifyInfo2 cannot be cast to iaik.tc.tss.api.structs.tpm.TcTpmCertifyInfo

This gives me some reason to think that my key attributes are causing the TcTpmCertifyInfo2 structure to be returned (see TSS note below). If I specify OTHER key attributes so that the TcTpmCertifyInfo structure is returned then I might not get the exception. Currently I am using the following key attributes:

public static final long BIND_KEY_ATTRIBUTES = TcTssConstants.TSS_KEY_TYPE_BIND
        | TcTssConstants.TSS_KEY_SIZE_2048
        | TcTssConstants.TSS_KEY_VOLATILE
        | TcTssConstants.TSS_KEY_NOT_MIGRATABLE;

Any suggestion on the possible key attributes combination?

***********************************************
TCG SOFTWARE STACK (TSS) SPECIFICATION : PAGE 320
***********************************************
pValidationData
Pointer addresses a TSS_VALIDATION structure. After successful completion of the call the member rgbValidationData of this structure contains the signature data of the command. The member prgbData of the structure points to a buffer containing a TCPA_CERTIFY_INFO2 data stream as specified within the TCG TPM 1.2 Main Specification or a TCPA_CERTIFY_INFO data stream as specified within the TCG 1.1b Main Specification.
TCPA_CERTIFY_INFO2: On TPM v1.2 with usage of CMK keys and keys with locality restrictions (TPM_KEY12 key complex).
TCPA_CERTIFY_INFO: Is returned if the TSS is connected to a TPM v1.1 or the key which is used on a TPM v1.2 is a legacy one (PCR's without locality -> TPM_KEY key complex).

Regards.

Mudassar Aslam
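The ClassCastException reported above, and Ronald's remark that certifyKey() has to accommodate both structs, come down to one thing: the TSS decides whether prgbData holds a TCPA_CERTIFY_INFO or a TCPA_CERTIFY_INFO2 stream, so the consumer must dispatch on the leading bytes instead of casting to one class. The parser below is an added example, not jTSS code or code from anyone in this thread; the two sample blobs are constructed, the field layout follows the TPM 1.2 Part 2 definitions of the two structures as I know them, and it also checks that the nonce supplied as external data is echoed back in the certified structure, which is what makes the certification fresh.

```python
# Added example, not jTSS project code: parse the TPM 1.2 certify-info stream
# returned in TSS_VALIDATION.prgbData. The TSS picks the structure type (see
# the spec excerpt above), so look at the leading bytes before casting.
import struct

TPM_TAG_CERTIFY_INFO2 = 0x0029              # TPM_STRUCTURE_TAG of TPM_CERTIFY_INFO2
KEY_PARMS_HDR = struct.Struct(">IHHI")      # TPM_KEY_PARMS: algorithmID, encScheme, sigScheme, parmSize

def parse_certify_info(blob: bytes) -> dict:
    """Decode TPM_CERTIFY_INFO (TPM_STRUCT_VER header) or TPM_CERTIFY_INFO2 (tag header)."""
    (tag,) = struct.unpack_from(">H", blob, 0)
    if tag == TPM_TAG_CERTIFY_INFO2:
        kind, off = "TPM_CERTIFY_INFO2", 4    # tag(2) fill(1) payloadType(1)
    elif blob[0] == 0x01:                      # TPM_STRUCT_VER 1.1.0.0 of the legacy struct
        kind, off = "TPM_CERTIFY_INFO", 4     # version(4)
    else:
        raise ValueError("unrecognised certify-info header %r" % blob[:4])
    key_usage, key_flags, auth_data_usage = struct.unpack_from(">HIB", blob, off)
    off += 7
    alg_id, enc_scheme, sig_scheme, parm_size = KEY_PARMS_HDR.unpack_from(blob, off)
    off += KEY_PARMS_HDR.size + parm_size      # skip the algorithm-specific parms
    pubkey_digest, nonce = blob[off:off + 20], blob[off + 20:off + 40]
    off += 41                                  # pubkeyDigest, data (nonce), parentPCRStatus
    (pcr_info_size,) = struct.unpack_from(">I", blob, off)
    off += 4
    info = dict(kind=kind, key_usage=key_usage, key_flags=key_flags, alg_id=alg_id,
                pubkey_digest=pubkey_digest, nonce=nonce, pcr_info=blob[off:off + pcr_info_size])
    off += pcr_info_size
    if kind == "TPM_CERTIFY_INFO2":            # only INFO2 carries a migration authority
        (ma_size,) = struct.unpack_from(">I", blob, off)
        info["migration_authority"] = blob[off + 4:off + 4 + ma_size]
        off += 4 + ma_size
    if off != len(blob):
        raise ValueError("trailing bytes after certify info")
    return info

def nonce_echoed(blob: bytes, external_data: bytes) -> bool:
    """True when the certified structure repeats the caller's 20-byte external data (anti-replay)."""
    return parse_certify_info(blob)["nonce"] == external_data

def build_sample(info2: bool, nonce: bytes) -> bytes:
    """Constructed test vector: 2048-bit RSA bind key (TPM_KEY_BIND), no PCR binding."""
    hdr = struct.pack(">HBB", TPM_TAG_CERTIFY_INFO2, 0, 1) if info2 else bytes([1, 1, 0, 0])
    rsa_parms = struct.pack(">III", 2048, 2, 0)              # keyLength, numPrimes, default exponent
    key_parms = KEY_PARMS_HDR.pack(0x0001, 0x0003, 0x0001, len(rsa_parms)) + rsa_parms  # RSA, OAEP, SS_NONE
    body = struct.pack(">HIB", 0x0014, 0, 1) + key_parms + b"\x11" * 20 + nonce
    body += b"\x00" + struct.pack(">I", 0)                   # parentPCRStatus, PCRInfoSize = 0
    return hdr + body + (struct.pack(">I", 0) if info2 else b"")
```

If the key is a TPM_KEY12 (CMK or locality-restricted) the TSS returns the INFO2 layout, so a consumer that only knows TPM_CERTIFY_INFO would mis-parse exactly as the exception above shows.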
From: Ronald T. <ron...@ia...> - 2011-03-23 15:35:34
Hi,

Hmmm, the line that throws the Exception is as simple as

long resultCode = ((Long) outDataTpm[0]).longValue();

and there should always be some return value.. Also, the HW TPMs should be fine. Perhaps there are different software setups on the two machines?

Please try LocalTCSBindings and do some more detailed debugging / perhaps stepping through the code to narrow the problem down.

Ronald

On 03/23/2011 02:45 PM, Mudassar Aslam wrote:
> Hi,
>
> Thanks for your help and I appreciate your prompt support. Now with
> nonce in External Data, It worked for my Lenovo X200 laptop which has
> TPM version 1.2.4.1. But when I run the same code on actual target
> platform which has Infinion TPM 1.2.3.16, I get following exception:
>
> Exception in thread "main" java.lang.NullPointerException
> at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspCertifyKey_Internal(TcTspInternal.java:3247)
> at iaik.tc.tss.impl.java.tsp.TcRsaKey.certifyKey(TcRsaKey.java:294)
> at tests.TestCertifyKey.main(TestCertifyKey.java:130)
>
> Regards.
>
> Mudassar
>
>
> -----Original Message----- From: Ronald Tögl
> Sent: Wednesday, March 23, 2011 11:32 AM
> To: tru...@li...
> Cc: Mudassar Aslam
> Subject: Re: [Trustedjava-support] NullPointerException in
> TcIRsaKey.certifiyKey()
>
> Hi!
>
> Try to place the nonce in the External Data.
>
> hth,
> Ronald
>
>
>
> On 03/23/2011 11:28 AM, Mudassar Aslam wrote:
>> Hi
>>
>> I tried to initialize it as well but did not work.
>>
>> TcTssValidation val = new TcTssValidation();
>> val.setData(TcBlobData.newString("ddd"));
>> TcTssValidation validationResult = bindKey.certifyKey(aikKey, val);
>>
>> Regards.
>>
>> Mudassar.

--
Dipl.-Ing. Ronald Tögl                 phone +43 316/873-5502
Secure and Correct Systems             fax   +43 316/873-5520
IAIK                                   ron...@ia...
Graz University of Technology          http://www.iaik.tugraz.at