I am having trouble with loading the same AIK key that I had created
previously from a collateIdenitiyRequest command. The AIK does not
appear to be migrateable and I cannot figure out how to load it using
the JTSS API. I have outlined some of the test code I found in the JTSS
to show you how I am creating my aikKey. When I run the
activateIdentity command at another point in time, I need some way of
loading the same AIK key that I created in the collateIdentityReq. Any
insight or help would be greatly appreciated.
public TcBlobData clientCollateIdentityReq(PublicKey caPublicKey)
throws TcTssException, IOException
{
// get TPM object and set its policy
TcITpm tpm = context_.getTpmObject();
TestDefines.tpmPolicy.assignToObject(tpm);
// create identity key template
aikKey_ =
context_.createRsaKeyObject(TcTssConstants.TSS_KEY_TYPE_IDENTITY
| TcTssConstants.TSS_KEY_SIZE_2048 |
TcTssConstants.TSS_KEY_AUTHORIZATION
| TcTssConstants.TSS_KEY_VOLATILE |
TcTssConstants.TSS_KEY_MIGRATABLE/*TSS_KEY_NOT_MIGRATABLE*/);
// TcITpmKey idKeyParams = ((TcRsaKey) aikKey_).getInternalTpmKey();
// set usage secret for identity key
TcIPolicy aikUsgPol =
context_.createPolicyObject(TcTssConstants.TSS_POLICY_USAGE);
aikUsgPol.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN,
TcBlobData.newString("aikSecret"));
aikUsgPol.assignToObject(aikKey_);
TcIPolicy aikMigPol =
context_.createPolicyObject(TcTssConstants.TSS_POLICY_MIGRATION);
aikMigPol.setSecret(TcTssConstants.TSS_SECRET_MODE_PLAIN,
TcBlobData.newString("none"));
aikMigPol.assignToObject(aikKey_);
// get the public key of the selected privacy CA (how to obtain this
key is beyond the scope of
// this test case)
TcIRsaKey pubKeyPrivacyCa = getPrivacyCaPubKey(caPublicKey);
// do the CollateIdentityReq call
TcBlobData collIdReqBlob = tpm.collateIdentityRequest(srk_,
pubKeyPrivacyCa,
clientGetIdLabel(), aikKey_, SYM_ALGO_TSS);
return collIdReqBlob;
}
public void activateIdentity(String caResponse) throws TcTssException{
//TODO we need to load the original AIK from the TPM's
NV ram
this.aikKey_ = null;
aikKey_.loadKey(srk_);
// STEP 5 (Client): The encrypted sym and asym blobs are received by
the client. The new
// identity is activated by the client.
byte[] caResponseRaw = Base64.decode(caResponse.getBytes());
byte[] asymSize = new byte[4];
System.arraycopy(caResponseRaw, 0, asymSize, 0, 4);
int symLength = ByteArrayUtil.byteArrayToInt(asymSize);
byte[] symCaContentsRaw = new byte[symLength];
System.arraycopy(caResponseRaw, 4, symCaContentsRaw, 0, symLength);
int asymLength = (caResponseRaw.length - 4 - symLength);
byte[] asymCaContentsRaw = new byte[asymLength];
System.arraycopy(caResponseRaw, (4 + symLength), asymCaContentsRaw,
0, asymLength);
TcBlobData symCaAttestationEncrypted =
TcBlobData.newByteArray(symCaContentsRaw);
TcBlobData asymCaContentsEncrypted =
TcBlobData.newByteArray(asymCaContentsRaw);
try {
TcBlobData aikCredential =
clientActivateIdentity(symCaAttestationEncrypted,
asymCaContentsEncrypted);
// if (aikCredential.equals(caMock.getExpectedAikCredential_())) {
// Log.info("AIK credential successfully received and activated at
the client");
// } else {
// Log.warn("AIK credential creation failed");
// }
} catch (TcTssException e) {
System.err.println(e.getMessage());
}
}
Thanks,
David
|
