From: Simon M. <sim...@in...> - 2009-07-09 10:07:35
|
Hello again,

sorry, new problem: it also doesn't work with the KeyPairGenerator now.

Best regards
Simon
|
From: Simon M. <sim...@in...> - 2009-07-09 10:12:30
|
Hello,

I am currently trying to create an EKCertificate, but I get this exception:

    Exception in thread "main" java.lang.RuntimeException: BUG? cannot convert key to OAEP
        at iaik.tc.cert.common.Common.publicRSAtoPublicRSAOAEP(Common.java:352)
        at iaik.tc.cert.EKCertificate.create(EKCertificate.java:150)
        ....

The code which generates this is the following:

    X509Certificate ekCertificate = EKCertificate.create(prop,
            privacyCACertificate, privKeyPrivacyCa_, ekPubKey);

If I create the ekPubKey by myself, using KeyPairGenerator, it all works fine. But when I want to use the PublicEK from the TPM it fails with the error message described above.

I get the EK from the TPM with the following code:

    TcTpmPubkey pubTPMEK = new TcTpmPubkey(tpm.getPubEndorsementKeyOwner().getPubKey());
    RSAPublicKey ekPubKey = TcCrypto.pubTpmKeyToJava(pubTPMEK);

I hope for some advice.

Thank you, best regards
Simon Mittelberger
|
From: Martin P. <Mar...@ia...> - 2009-07-13 07:40:53
Attachments:
smime.p7s
|
Simon Mittelberger wrote:
> Hello,

Hi...

Your emails unfortunately got delivered in the reverse order you sent them.

> I am currently trying to create an EKCertificate, but I get this exception:
>
> Exception in thread "main" java.lang.RuntimeException: BUG? cannot
> convert key to OAEP
> at iaik.tc.cert.common.Common.publicRSAtoPublicRSAOAEP(Common.java:352)
> at iaik.tc.cert.EKCertificate.create(EKCertificate.java:150)
> ....

While RSA-OAEP is supported somewhat in the standard Java runtime since Java 5, I don't think it is complete enough.

So did you initialise the IAIK-JCE library in your program first for the full crypto support needed by TCcert?
You need to do this at least once at the beginning of your program:

    import iaik.security.provider.IAIK;

    IAIK.addAsProvider();

HTH,
Martin
|
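A way to check the provider situation described in the reply above, as an added example that is not part of the original thread or of IAIK's code: it lists every registered JCA service whose algorithm name mentions OAEP, together with the provider that serves it. The provider name "IAIK" passed to `Security.getProvider` and the class name `OaepProviderCheck` are assumptions.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class OaepProviderCheck {

    /** Returns "provider: type.algorithm" for each registered service that mentions OAEP. */
    static List<String> oaepServices() {
        List<String> found = new ArrayList<>();
        // Providers are returned in preference order, so the first hit for a
        // given type/algorithm is the one getInstance() would pick by default.
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if (s.getAlgorithm().toUpperCase(Locale.ROOT).contains("OAEP")) {
                    found.add(p.getName() + ": " + s.getType() + "." + s.getAlgorithm());
                }
            }
        }
        return found;
    }

    public static void main(String[] args) {
        // Assumption: the IAIK-JCE provider registers itself under the name "IAIK".
        // Run this before and after IAIK.addAsProvider() to compare the two states.
        boolean iaikRegistered = Security.getProvider("IAIK") != null;
        System.out.println("IAIK provider registered: " + iaikRegistered);

        List<String> services = oaepServices();
        if (services.isEmpty()) {
            System.out.println("No registered provider offers an OAEP service.");
        }
        for (String line : services) {
            System.out.println(line);
        }
    }
}
```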
From: Simon M. <sim...@in...> - 2009-07-13 09:52:45
|
Hello,

thanks, that helped.

Another question: I embedded your apki client into my source and I was able to get the ekcredential and the aikcredential. I was also able to verify them. That works great!

I would like to attest to another party that my signingKey belongs to a TPM, by signing the certificate for the signingKey through the AIK. This operation leads me to an error:

    creating the certificate
    ....
    cert.setSignatureAlgorithm(AlgorithmID.sha1WithRSAEncryption);
    byte[] toBeSignedCertificate = cert.getTBSCertificate();

    TcBlobData data = TcBlobData.newByteArray(toBeSignedCertificate);
    TcIHash hash = context_.createHashObject(TcTssConstants.TSS_HASH_SHA1);
    hash.updateHashValue(data);
    TcBlobData signature = hash.sign(aik);

    entityTPMCertificate.setSignature(signature.asByteArray());

error:

    TSS Error:
    error layer: 0x00 (TPM)
    error code (without layer): 0x24
    error code (full): 0x24
    error message: The usage of a key is not allowed

I created the AIK key with the following flags:

    aik = context_.createRsaKeyObject(TcTssConstants.TSS_KEY_TYPE_IDENTITY
            | EntityTPMDefines.AIK_KEY_SIZE
            | TcTssConstants.TSS_KEY_AUTHORIZATION
            | TcTssConstants.TSS_KEY_VOLATILE
            | TcTssConstants.TSS_KEY_NOT_MIGRATABLE);

and the signingKey with the following:

    signingKey = context_.createRsaKeyObject(TcTssConstants.TSS_KEY_SIZE_2048
            | TcTssConstants.TSS_KEY_TYPE_SIGNING
            | TcTssConstants.TSS_KEY_MIGRATABLE);

If I change the TSS_KEY_TYPE_IDENTITY to TSS_KEY_TYPE_SIGNING it all works fine. But it has to be an AIK in my scenario.

Do you have any suggestions?

Best regards
Simon

Martin Pirker wrote:
> Simon Mittelberger wrote:
>
>> Hello,
>
> Hi...
>
> Your emails unfortunately got delivered in the reverse order you sent them.
>
>> I am currently trying to create an EKCertificate, but I get this exception:
>>
>> Exception in thread "main" java.lang.RuntimeException: BUG? cannot
>> convert key to OAEP
>> at iaik.tc.cert.common.Common.publicRSAtoPublicRSAOAEP(Common.java:352)
>> at iaik.tc.cert.EKCertificate.create(EKCertificate.java:150)
>> ....
>
> While RSA-OAEP is supported somewhat in the standard Java runtime since
> Java 5, I don't think it is complete enough.
>
> So did you initialise the IAIK-JCE library in your program first
> for the full crypto support needed by TCcert?
> You need to do this at least once at the beginning of your program:
>
> import iaik.security.provider.IAIK;
>
> IAIK.addAsProvider();
>
> HTH,
> Martin
|
From: Martin P. <Mar...@ia...> - 2009-07-13 10:06:42
|
Simon Mittelberger wrote:
> I would like to attest to another party that my signingKey belongs to a
> TPM, by signing the certificate for the signingKey through the AIK.
[...]
> error layer: 0x00 (TPM)
> error message: The usage of a key is not allowed
[...]
> If I change the TSS_KEY_TYPE_IDENTITY to TSS_KEY_TYPE_SIGNING it all
> works fine. But it has to be an AIK in my scenario.
>
> Do you have any suggestions?

Read TPM specifications rev 103, part 3, chapter 13.5, command "TPM_Sign", action number 3.

Martin
|
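The error reported in this exchange, worked through as an added example that is not part of the original thread or of jTSS: it splits a TSS result into layer and code and models the TPM 1.2 rule that TPM_Sign accepts only keys whose usage is TPM_KEY_SIGNING or TPM_KEY_LEGACY. The class and method names are hypothetical; the numeric constants are the TPM 1.2 TPM_KEY_USAGE and return-code values.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class TpmSignKeyUsage {
    // TPM 1.2 TPM_KEY_USAGE values (TPM Main Specification, Part 2).
    static final int TPM_KEY_SIGNING  = 0x0010;
    static final int TPM_KEY_STORAGE  = 0x0011;
    static final int TPM_KEY_IDENTITY = 0x0012;
    static final int TPM_KEY_BIND     = 0x0014;
    static final int TPM_KEY_LEGACY   = 0x0015;

    static final int TPM_SUCCESS          = 0x00;
    static final int TPM_INVALID_KEYUSAGE = 0x24; // the code shown in the error report

    // TSS result layout: bits 12-15 name the layer, the low 12 bits carry the code.
    static final String[] LAYERS = {"TPM", "TDDL", "TCS", "TSP"};

    /** Simplified model of the key-usage check in TPM_Sign. */
    static int tpmSignUsageCheck(int keyUsage) {
        boolean allowed = keyUsage == TPM_KEY_SIGNING || keyUsage == TPM_KEY_LEGACY;
        return allowed ? TPM_SUCCESS : TPM_INVALID_KEYUSAGE;
    }

    /** Splits a full TSS result into layer name and layer-local code. */
    static String describe(int tssResult) {
        int layer = (tssResult >> 12) & 0xF;
        int code = tssResult & 0xFFF;
        String name = layer < LAYERS.length ? LAYERS[layer] : "unknown";
        return String.format("layer %s, code 0x%02x", name, code);
    }

    public static void main(String[] args) {
        // Key types from the thread, mapped to the TPM key usage each one produces.
        Map<String, Integer> keys = new LinkedHashMap<>();
        keys.put("TSS_KEY_TYPE_SIGNING", TPM_KEY_SIGNING);
        keys.put("TSS_KEY_TYPE_IDENTITY", TPM_KEY_IDENTITY);
        keys.put("storage key", TPM_KEY_STORAGE);
        keys.put("binding key", TPM_KEY_BIND);
        keys.put("legacy key", TPM_KEY_LEGACY);

        for (Map.Entry<String, Integer> e : keys.entrySet()) {
            int rc = tpmSignUsageCheck(e.getValue());
            String verdict = rc == TPM_SUCCESS ? "TPM_Sign allowed" : "rejected: " + describe(rc);
            System.out.println(e.getKey() + " -> " + verdict);
        }
    }
}
```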
From: Ronald T. <ron...@ia...> - 2009-07-09 10:42:03
Attachments:
smime.p7s
|
Hello Simon,

Could you please try to explain your problems in a little more detail?

Ronald

Simon Mittelberger wrote:
> Hello again,
>
> sorry, new problem: it also doesn't work with the KeyPairGenerator now.
>
> Best regards
> Simon
>

--
Dipl.-Ing. Ronald Tögl              phone +43 316/873-5502
Trusted Computing Labs              fax   +43 316/873-5520
IAIK                                ron...@ia...
Graz University of Technology       http://www.iaik.tugraz.at
|