Hello,
>JTpmTools simulates a full AIK cycle, not only keys but also with
>certificates.
>case a) JTSS contains EK cert handling
>case b) JTssWrapper does not (because TrouSerS does not)
Yes. I've seen a note on this somewhere in the code :-)
>a) works because JTpmTools looks for an EK cert on-chip and
>if you don't have one builds a fake one on-the-fly.
>
>b) does not work because JTpmTools does not know which stack version is
>running (remember, the top level API is the same). JTT tries to fetch
>the certificate from the chip, but this method only exists in a native
>version (=JTSS code), but running both obviously conflicts with usage of
>/dev/tpm.
Yes. This is what I concluded as well... albeit after hours of going through
the code...lol
>So the solution for the JTssWrapper case is to tell JTT to have faith
>that the stack already has an EK cert loaded, or as the command-line docu
>says:
>
> --noek ... EK certificate is already known by TSS (e.g. via tcsd.conf
> of TrouSerS)
I have tried to specify an "ek.cert" file either through jtt "--ekfile"
option or through
tcsd.conf (and choosing --noek for jtt) but both give this error:
------------------------------------------------------------------------------------------------------------------
11:38:54:485 [WARN] PrivacyCa::<clinit> (86): could not load CLIENT PrivacyCA default certificate (ok on server)
iaik.tc.tss.api.exceptions.tcs.TcTpmException:
TSS Error:
error layer: 0x00 (TPM)
error code (without layer): 0x22
error code (full): 0x22
error message: An invalid handle was used.
at iaik.tc.tss.impl.jni.tsp.TcBaseObject.handleRetCode(TcBaseObject.java:104)
11:38:54:681 [ERROR] AikCreate::execute (345): client: CollateIdentityRequest failed
at iaik.tc.tss.impl.jni.tsp.TcTpm.collateIdentityRequest(TcTpm.java:1071)
at iaik.tc.apps.jtt.aik.Client.collateIdentityReq(Client.java:110)
at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:341)
at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:80)
at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:52)
at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)
at com.test.CommandTool.main(CommandTool.java:27)
-----------------------------------------------------------------------------------------------------------------------
I am guessing this is an issue with my certificate file. I have created this
using the
examples of TcCerts (with TcCerts) but I'm not sure if this is correct.
Many thanks,
Nektarios