From: Mudassar A. <mud...@ho...> - 2011-03-07 13:25:47

Hi,

I have an Infineon TPM which is shipped with an EK certificate in TPM NV storage.

1. How can I read this EK certificate and store it in some folder (programmatically using jTSS or something else)?
2. Do you have an idea where I can get the root certificate (e.g. of Infineon) for the EK certificate provided by Infineon, so that I can verify the signature on the EK certificate?

Regards.
Mudassar Aslam

From: Martin P. <Mar...@ia...> - 2011-03-07 14:29:43

On 03/07/11 14:25, Mudassar Aslam wrote:
> 1. How can I read this EK certificate and store it in some folder
> (programmatically using jTSS or something else)

jTpmTools provides a command for this

> 2. Do you have an idea that from where I can get root certificate (of e.g.
> Infineon) of EK Certificate provided by Infineon so that I can verify
> signature on EK Certificate.

http://www.infineon.com/tpm/

HTH,
Martin

From: Mudassar A. <mud...@ho...> - 2011-03-07 15:19:36

Thanks for your reply.

The problem still remains unsolved for me. When I execute the jTpmTools command read_ekcert, I get the following error:

05:03:49:253 [INFO] ReadEkCert::execute (147): Unable to obtain EK certificate for this TPM.

My TPM has an EK certificate, which is shown when I use the nv_decode command using jTpmTools. The output is as follows:

Index        Size         TPUD   Description
------------------------------------------------------------------------
0x10000001   20 bytes     ...D   deprecated DIR command area from TPM 1.1
0x30000001   576 bytes    ..UD   unknown index
0x1000f000   1704 bytes   ...D   TPM Endorsement Key Certificate
0x50000002   64 bytes     .P.D   Intel TXT INDEX_AUX

-----Original Message-----
From: Martin Pirker
Sent: Monday, March 07, 2011 2:54 PM
To: Mudassar Aslam
Cc: tru...@li...
Subject: Re: [Trustedjava-support] How to read EK Certificate from TPM

On 03/07/11 14:25, Mudassar Aslam wrote:
> 1. How can I read this EK certificate and store it in some folder
> (programmatically using jTSS or something else)

jTpmTools provides a command for this

> 2. Do you have an idea that from where I can get root certificate (of e.g.
> Infineon) of EK Certificate provided by Infineon so that I can verify
> signature on EK Certificate.

http://www.infineon.com/tpm/

HTH,
Martin

From: Martin P. <Mar...@ia...> - 2011-03-07 15:26:25

On 03/07/11 16:19, Mudassar Aslam wrote:
> When I execute jTpmTools command that is read_ekcert, I get following error:
> 05:03:49:253 [INFO] ReadEkCert::execute (147): Unable to obtain EK
> certificate for this TPM.

Hmm...

> My TPM has EK certificate which is shown when I use nv_decode command using
> jTpmTools. The output is as follows:
> Index        Size         TPUD   Description
> ------------------------------------------------------------------------
> 0x10000001   20 bytes     ...D   deprecated DIR command area from TPM 1.1
> 0x30000001   576 bytes    ..UD   unknown index
> 0x1000f000   1704 bytes   ...D   TPM Endorsement Key Certificate
> 0x50000002   64 bytes     .P.D   Intel TXT INDEX_AUX

Alternatively you can also run

    jtt nv_decode --index 0x1000f000 --dump-file ekcert.der

HTH,
Martin

From: Mudassar A. <mud...@ho...> - 2011-03-07 16:14:15

Hi again..

I also tried to dump the contents to a file, but the resultant file is not a proper certificate file, because it could not be parsed by keytool or my default Windows certificate viewer. :-(

Regards.
Mudassar.

-----Original Message-----
From: Martin Pirker
Sent: Monday, March 07, 2011 4:25 PM
To: Mudassar Aslam
Cc: tru...@li...
Subject: Re: [Trustedjava-support] How to read EK Certificate from TPM

On 03/07/11 16:19, Mudassar Aslam wrote:
> When I execute jTpmTools command that is read_ekcert, I get following
> error:
> 05:03:49:253 [INFO] ReadEkCert::execute (147): Unable to obtain EK
> certificate for this TPM.

Hmm...

> My TPM has EK certificate which is shown when I use nv_decode command
> using
> jTpmTools. The output is as follows:
> Index        Size         TPUD   Description
> ------------------------------------------------------------------------
> 0x10000001   20 bytes     ...D   deprecated DIR command area from TPM 1.1
> 0x30000001   576 bytes    ..UD   unknown index
> 0x1000f000   1704 bytes   ...D   TPM Endorsement Key Certificate
> 0x50000002   64 bytes     .P.D   Intel TXT INDEX_AUX

Alternatively you can also run

    jtt nv_decode --index 0x1000f000 --dump-file ekcert.der

HTH,
Martin

From: Martin P. <Mar...@ia...> - 2011-03-07 16:27:31

On 03/07/11 17:14, Mudassar Aslam wrote:
> I also tried to dump contents to a file but the resultant file is not a
> proper certificate file.

proper == ?
If you got a file of 1704 bytes as indicated by nv_decode the file should be fine.

> Because it could not be parsed by keytool or my
> default windows certificate viewer. :-(

try standard utils like

    dumpasn1 ekcert.der

or

    openssl asn1parse -inform DER -in ekcert.der

You may also try the examples from the Infineon homepage with your favourite tools first.

HTH,
Martin

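
Added example, not part of the thread and not jTpmTools code: a raw dump of NV index 0x1000f000 can be rejected by certificate viewers if the X.509 data sits behind the TCG PC Client stored-certificate header (TCG_PCCLIENT_STORED_CERT tag 0x1001, type byte, 16-bit size, TCG_FULL_CERT tag 0x1002) and the NV area is padded past the end of the certificate. The Python sketch below assumes that layout applies to the dump discussed here, which the thread does not confirm; the function names are illustrative and the sample dump is constructed, not read from a TPM.

```python
import struct

TAG_STORED_CERT = 0x1001  # TCG_TAG_PCCLIENT_STORED_CERT
TAG_FULL_CERT = 0x1002    # TCG_TAG_PCCLIENT_FULL_CERT


def der_total_length(buf, off=0):
    """Return header+content length of the DER SEQUENCE at buf[off], or None."""
    if len(buf) < off + 2 or buf[off] != 0x30:
        return None
    first = buf[off + 1]
    if first < 0x80:                      # short-form length
        total = 2 + first
    else:
        n = first & 0x7F                  # long form: n length octets follow
        if n == 0 or n > 4 or len(buf) < off + 2 + n:
            return None
        total = 2 + n + int.from_bytes(buf[off + 2:off + 2 + n], "big")
    return total if off + total <= len(buf) else None


def extract_ek_cert(blob):
    """Return (offset, der_bytes) for the certificate inside an NV dump."""
    off = 0                               # default: dump is already plain DER
    if len(blob) >= 7 and struct.unpack(">H", blob[:2])[0] == TAG_STORED_CERT:
        cert_type, _cert_size = struct.unpack(">BH", blob[2:5])
        if cert_type != 0:                # 0 = full certificate
            raise ValueError("certType %d is not a full X.509 cert" % cert_type)
        if struct.unpack(">H", blob[5:7])[0] != TAG_FULL_CERT:
            raise ValueError("missing TCG_FULL_CERT tag")
        off = 7                           # DER starts after the 7-byte header
    total = der_total_length(blob, off)   # trust the DER length, drop padding
    if total is None:
        raise ValueError("no DER SEQUENCE at offset %d" % off)
    return off, blob[off:off + total]


def make_sample_dump(size=1704):
    """Constructed input: dummy DER SEQUENCE, wrapped and padded like an NV area."""
    body = bytes(range(256)) * 4          # 1024 placeholder bytes, not a real cert
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    hdr = struct.pack(">HBHH", TAG_STORED_CERT, 0, len(der) + 2, TAG_FULL_CERT)
    return der, (hdr + der).ljust(size, b"\xff")


if __name__ == "__main__":
    der, dump = make_sample_dump()
    off, cert = extract_ek_cert(dump)
    print("certificate at offset", off, "length", len(cert))
```

The extracted bytes can be written to a file and inspected with the `openssl asn1parse -inform DER` command suggested above.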