From: <Fed...@ff...> - 2012-10-01 11:41:59
Hi,

I have finally managed to find some time to start playing with jTSS, and I have managed to set up everything properly and started writing some Java code. Looks like I have successfully taken ownership of the TPM and can query PCR values and extract the EK certificate programmatically.

Now, I would like to create an AIK, and I seem to have managed, using the j_tpm_tools programmatically, in the following manner:

    RSAKeyPairGenerator rsa = new RSAKeyPairGenerator();
    KeyPair rsaKeys = rsa.generateKeyPair();
    RSAPublicKey rsaPub = (RSAPublicKey) rsaKeys.getPublic();
    // EKcert was extracted before by ReadEKCert.getEKCertAlternative(pass)
    X509Certificate EKCert = new X509Certificate(EKcert.asByteArray());
    AttributeCertificate peCert = AikUtil.createPECertificate(EKCert);
    X509Certificate AIKCert = AikUtil.createAIKCertificate(EKCert, peCert, rsaPub, "AIK test");

This seems to be some kind of dummy AIK certificate generated by some internal privacy CA? How would I go about getting the AIK certificate signed by privacyCA.com instead?

I see that I have to generate a TPM_IDENTITY_REQ blob and send it as a POST to privacyCA.com, but I don't see any Tspi_TPM_CollateIdentityRequest() anywhere, only a TcTPMIdentityRequest() method in the jTSS, but when I call it like that I don't get anything. Should I call it with the blob parameter? If so, how would I generate such a blob?

Sorry if the question is trivial, but it is the first time playing with the TPM, although I read the theory, and I could not find any clear documentation about this.

Thanks in advance for any help.

Federico Mancini
From: <Fed...@ff...> - 2012-10-01 11:41:34
Sorry, I forgot to mention (as written in the subject) that I had trouble running jtt from the command line, because I get the following error:

    C:\Users\Public\jsr321\jTSS_0.7\jTpmTools_0.7>jtt
    'REG' is not recognized as an internal or external command,
    operable program or batch file.
    ---------------------
    IAIK Java TPM Tools
    ---------------------
    Exception in thread "main" java.lang.NoClassDefFoundError: iaik/tc/utils/cmdline/CommandlineException
            at java.lang.Class.getDeclaredMethods0(Native Method)
            at java.lang.Class.privateGetDeclaredMethods(Class.java:2442)
            at java.lang.Class.getMethod0(Class.java:2685)
            at java.lang.Class.getMethod(Class.java:1620)
            at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:492)
            at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:484)
    Caused by: java.lang.ClassNotFoundException: iaik.tc.utils.cmdline.CommandlineException
            at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
            at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
            at java.security.AccessController.doPrivileged(Native Method)
            at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
            at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
            at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
            ... 6 more

Seems to be something with the REG command which is not supported in Windows 7?

Federico Mancini
From: Ronald T. <ron...@ia...> - 2012-10-01 12:25:17
Hi Federico,

I have no idea why your system cannot find the system utility reg.exe on the path. Perhaps you or some tool modified it in some incorrect way. I suggest you check your path settings and make sure it includes the c:\windows\system32 folder.

Alternatively, you can just replace line 19 in the script with a hardcoded path to your jTSS installation:

    SET jtssreg=<path>

hth,
Ronald

> _______________________________________________
> Trustedjava-support mailing list
> Tru...@li...
> https://lists.sourceforge.net/lists/listinfo/trustedjava-support

--
Dipl.-Ing. Ronald Tögl           phone +43 316/873-5502
Secure and Correct Systems       fax   +43 316/873-5520
IAIK                             ron...@ia...
Graz University of Technology    http://www.iaik.tugraz.at
From: <Fed...@ff...> - 2012-10-01 13:00:40
Hi,

Indeed the PATH variable was missing system32; now it works fine..... The previous owner of the machine must have played with the environment variables....

Thanks,
Federico
From: Martin P. <Mar...@ia...> - 2012-10-01 12:38:44
Hi...

On 2012-10-01 13:36, Fed...@ff... wrote:
> Now, I would like to create an AIK, ....
> This seems to be some kind of dummy AIK certificate generated by some internal privacy CA?

The AIK cycle in jTT is just for local testing purposes, so yes, certificates are created on-the-fly with random dummy values.

> How would I go to get the AIK certificate signed by privacyCA.com instead?
> and send it as a POST to privacyCA.com,

There are undocumented commands/code included with jTT: in iaik.tc.apps.jtt.pki.* you will find experimental code to talk to privacyca.com. However, as you can see from the copyright notice this is from 2007/08 and I don't know anyone who has ever run it again since then, so it's probably non-functioning.

> I could not find any clear documentation about this.

For an alternative PrivacyCA implementation look at the "apki" package in the PrivacyCA 0.2 folder. (Note that this code is also unfinished and unmaintained.)

Good luck :-)
Martin
From: <Fed...@ff...> - 2012-10-01 12:46:32
Hi,

Thanks for your answer. Am I to understand that the jTSS has no method equivalent to Tspi_TPM_CollateIdentityRequest() then? Is it not defined as a standard method in the TSS?

Federico
From: <Fed...@ff...> - 2012-10-02 11:46:14
Hi again,

I would like to go a step further now, and try to create a new key, signed with the AIK I managed to create with jtt (I assume both its public and private parts are in the aik.tpmkey file), and then use the command TPM_CertifyKey to get a certificate usable to sign data from outside the TPM.

According to the JSR321, the Tspi_Key_CertifyKey functionality should be handled by the TPMKey class, but here is the first problem: I don't see any such method in the JSR javadoc. Is it maybe the ValidationData which is obtained through the certifyKey method of a Certifier?

If so, I tried to create a signing key and then apply such a method, but my second problem is: how do I get the AIK key from the file and make it into a TPMKey object? I can't find a way to create a TPMKey from given key material, so I used the TcTpmKey constructor instead, but how do I turn this into a TPMKey that can be given as a parameter to the certifier? I am for sure making a mess mixing jTSS and JSR321 here; can anyone point me in the right direction?

This is what I do:

    Certifier cert = context.getCertifier();
    KeyManager manager = context.getKeyManager();
    StorageRootKey srk = manager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
    SigningKey sign = manager.createSigningKey(srk, Secret.WELL_KNOWN_SECRET, Secret.WELL_KNOWN_SECRET, true, true, true, 2048, null);
    File aikKey = new File("C:\\Users\\aik.tpmkey");
    FileInputStream in = new FileInputStream(aikKey);
    byte[] iakKeyByte = new byte[(int) aikKey.length()];
    in.read(iakKeyByte);
    in.close();
    TcBlobData aikBlob = TcBlobData.newByteArray(iakKeyByte);
    IdentityKey aik = (IdentityKey) new TcTpmKey(aikBlob);   // <- Problem
    ValidationData val = cert.certifyKey(sign, aik, null);

Thanks again for any help!

Federico
From: Ronald T. <ron...@ia...> - 2012-10-02 11:55:34
Federico,

Yes, this is a mess ;)

The reason is that a javax.trustedcomputing.tpm.keys.IdentityKey is not binary compatible with iaik.tc.tss.api.structs.tpm.TcTpmKey, and I cannot think of a good reason why it should be; and even if there was one, there are the TCG specs as an obstacle.

I suggest you follow the instructions in the JSR321 Wiki on how to generate an AIK with jTSS and then load the key by its UUID (!) from within JSR321.

Also, I do not recommend mixing jTSS and JSR321 code in one application unless you really really really need to and know all the internals.

Ronald
From: <Fed...@ff...> - 2012-10-02 13:54:44
Hi,

Thanks a lot for the tip, I was getting very confused :) But it looks like I need to bother you again.

I followed the wiki (I assume this is what you meant: http://java.net/projects/jsr321/pages/SetupIAIKTCK. The iaik_run command seems to fail, but I am not sure that is essential to what I am trying to do?) and then tried to load the key by its UUID. However, I get the error that no key is registered with such a UUID....

This is the proof that the key is indeed in the storage and the UUID is correct:

    ---------------------
    IAIK Java TPM Tools
    ---------------------
    total number of keys registered in persistent system storage: 1
    KeyInfo:
      Version: 1.2.0.0
      key UUID: 0ab736d7-8129-4a2a-84ce-34dfef20adec
      parent key UUID: 00000000-0000-0000-0000-000000000001
      is loaded: false
      auth data usage: 1
      vendor data: none

This is the code I used:

    Certifier cert = context.getCertifier();
    KeyManager manager = context.getKeyManager();
    StorageRootKey srk = manager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
    UUID uuid = UUID.fromString("0ab736d7-8129-4a2a-84ce-34dfef20adec");
    Secret aikSecret = context.getSecret("secret".toCharArray());
    IdentityKey aikKey = (IdentityKey) manager.loadTPMKey(srk, uuid, aikSecret);

And this is the error:

    SEVERE: null
    iaik.tc.jsr321.TrustedComputingExceptionImpl: Loading the key failed.
            at iaik.tc.jsr321.tpm.keys.KeyManagerImpl.loadTPMKey(Unknown Source)
            at tpm_project.TPM_project.main(TPM_project.java:149)
    Caused by: iaik.tc.tss.api.exceptions.tcs.TcTcsException: TSS Error:
      error layer: 0x3000 (TSP)
      error code (without layer): 0x09
      error code (full): 0x3009
      error message: unknown
      additional info: Key is not registered:UUID: 0ab736d7-8129-4a2a-84ce-34dfef20adec
            at iaik.tc.tss.impl.ps.TcTssPsDatabase.getRegisteredKeyBlobImpl(TcTssPsDatabase.java:182)
            at iaik.tc.tss.impl.ps.TcTssPersistentStorage.getRegisteredKeyBlob(TcTssPersistentStorage.java:124)
            at iaik.tc.tss.impl.java.tsp.TcContext.getKeyByUuid(TcContext.java:656)

Am I forgetting something?

Thanks again for your patience with a messy beginner :)

Federico
From: <Fed...@ff...> - 2012-10-03 12:42:51
|
(Sorry if this has been sent twice, but I got a message that something was blocked because it was too big, so I resent it without the previous conversation)

Hi,
I did some digging (used the getStoredTPMKeys method....), and found out that the error was due to the fact that I used the LoadTPMKey method instead of the loadTPMSystemKey method. (By the way, what is the difference?)

However, now I get another error: Authorization failed. I assume this has to do with the secret associated with the key. Do I create it wrong, or is the srk not the actual parent key of all AIKs created as illustrated here http://java.net/projects/jsr321/pages/SetupIAIKTCK?

    StorageRootKey srk=keyManager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
    Secret pass=context.getSecret("justASecret".toCharArray());
    IdentityKey aik=(IdentityKey) keyManager.loadTPMSystemKey(srk,uuid,pass);

Federico
|
From: <Fed...@ff...> - 2012-10-04 09:51:34
|
I will answer myself: no idea why it didn't work (tried for a whole day), but just restart your computer, it might magically work afterwards, as it happened in my case....

Now, I have the AIK and a signing key, and I would like to use the AIK to certify the key and get a TPM_CERTIFY_INFO data structure that can be used in the SKAE extension of an X509 certificate. I used the JSR321 Certifier class to generate a ValidationData object; the question is, how is the ValidationData object related to the TPM_CERTIFY_INFO structure? Is the validationData returned from the ValidationData object some random data, or the public part of the signing key I certified? I see that the jTSS has a TcTPMCertifyInfo class that could return the exact structure; is it possible to use it from the JSR321? Or is that exactly what happens when using the Certifier?

Thanks for any insight!

Federico
|
From: <Fed...@ff...> - 2012-10-09 09:25:43
|
Hi again,
Just wanted to inform you, in case anyone else might be interested, that I have tested the REST API to communicate with PrivacyCA.com, and it seems to work. Here is the code:

    public class PrivacyCAaik {
        public static void main(String[] args) {
            // First retrieve the PrivacyCA certificate of the level you want
            String[] arg1 = new String[5];
            arg1[0] = "rest_cacert";
            arg1[1] = "--level";
            arg1[2] = "1";
            arg1[3] = "--cacert";
            arg1[4] = "cacertLevel1";
            PKIClient.main(arg1);

            // Then create the AIK
            String[] arg = new String[11];
            arg[0] = "rest_aik_create";
            arg[1] = "--cacert";
            arg[2] = "cacertLevel1";
            arg[3] = "-a";
            arg[4] = "aiksecret";
            arg[5] = "-l";
            arg[6] = "aikRest";
            arg[7] = "-o";
            arg[8] = "YOUR_TPM_OWNER_SECRET";
            arg[9] = "--level";
            arg[10] = "1"; // MUST BE THE SAME AS THE CACERT OR YOU GET 403 RESPONSE CODE
            PKIClient.main(arg);
        }
    }

Federico
|
From: <Fed...@ff...> - 2012-10-17 13:02:07
|
Hi again,
Just wondering whether anyone has any idea why this code returns false (that is, the key that I certified with the AIK does not seem to be valid when reversing the certification process). Some digging revealed that the test failed when the digest of the public key of sign is compared with the digest extracted from val.getData() (I checked the code in RemoteCertifierImpl). The two digests are indeed different, but why? I don't see how that can fail, since I am passing the validation data directly to the remote certifier.....

    TPMContext context=TPMContext.getInstance();
    context.connect(null);
    TPM tpm=context.getTPMInstance();
    Certifier cert=context.getCertifier();
    // manager, srk and secretAik are set up as in the earlier posts in this thread;
    // the AIK secret value is a placeholder
    KeyManager manager=context.getKeyManager();
    StorageRootKey srk=manager.loadStorageRootKey(Secret.WELL_KNOWN_SECRET);
    Secret secretAik=context.getSecret("YOUR_AIK_SECRET".toCharArray());
    IdentityKey aikKey=(IdentityKey) manager.loadTPMSystemKey(srk, UUID.fromString("15b986a9-6124-4c70-bf1b-4a9e39e5998c"), secretAik);
    SigningKey sign=(SigningKey) manager.loadTPMSystemKey(srk, UUID.fromString("13f478d6-f5a9-4445-892a-730427a2fe69"), Secret.WELL_KNOWN_SECRET);
    Digest digest=context.getDigest(tpm.getRandom(20));
    ValidationData val=cert.certifyKey(sign, aikKey, digest);
    RemoteCertifier remCert=context.getRemoteCertifier();
    System.out.println("The signing key is valid = "+remCert.validate(val, (RSAPublicKey) sign.getPublicKey(), (RSAPublicKey) aikKey.getPublicKey(), digest));

Federico
|
From: Ronald T. <ron...@ia...> - 2012-10-17 20:29:31
|
Hi,

What TPM are you using? I recall that some not so old Infineon TPMs needed a Firmware Update (to 3.17) to certify keys correctly...

Ronald
|
From: Martin P. <Mar...@ia...> - 2012-10-18 08:17:21
Attachments:
certify-key-test.zip
|
On 2012-10-17 22:29, Ronald Tögl wrote:
> I recall that some not so old Infineon TPMs needed a Firmware Update (to 3.17) to certify keys correctly...

IFX TPMs up to FW 3.16 are calculating the hash over the entire TPM_STORE_PUBKEY struct instead of just the key modulus as described in the TPM specification. This was fixed in FW 3.17.

FYI, test code to check for this TPM bug and sample outputs attached.

HTH,
Martin
|
From: <Fed...@ff...> - 2012-10-18 09:04:52
|
Hi,
Thanks for the answer! I would never have thought of something like that, and it seems like that is indeed the problem. Since I had no idea how to find out the firmware version I tried running the test script that comes with the jTSS, and the last test says exactly: "skipping testCertifyKeyandValidate() on IFX TPM's with revision <3.17"....

Well, updating the firmware does not seem an easy task. HP has a long list of requirements to make it work, among which having taken ownership of the TPM through the HP security tools, installing the HP protect tools, etc.... Maybe I should just wait for my new laptop...

Federico

Btw, where do I see exactly which firmware version I have?
|
From: Michael G. <m.g...@tu...> - 2012-10-21 00:09:08
|
On 2012-10-18 11:04, Fed...@ff... wrote:
> Btw, where do I see exactly which firmware version I have?

You can find the information in the output of tpm_version.

-----
TPM Version Info:
  version: 1.2
  rev: 3.17
  specLevel: 2
  errataRev: 2
  tpmVendorID: Infineon ("IFX")
  vendorSpecificSize: 5
  vendorSpecificData: 03 11 00 08 00
-----

The string after 'rev:' is the firmware revision of IFX TPMs, so 3.17 in this example.

Michael
|
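The digest rule Martin describes and the tpm_version check Michael shows, as an added Python example that is not part of the thread and not jTSS or jTT code: it computes TPM_CERTIFY_INFO.pubKeyDigest the specified way (SHA-1 over the modulus only) and the way IFX firmware before 3.17 did it according to Martin (SHA-1 over the whole TPM_STORE_PUBKEY, i.e. the big-endian UINT32 keyLength followed by the modulus), classifies a digest taken from a certify result accordingly, and flags an Infineon TPM whose tpm_version rev is below 3.17. The sample modulus and tpm_version text are constructed and the function names are assumptions of this example.

```python
import hashlib
import re
import struct

# Constructed sample input: a real modulus comes from the certified key's TPM_PUBKEY;
# a short fixed byte string is enough to show that the two digests differ.
SAMPLE_MODULUS = bytes(range(1, 33))

# Constructed from the tpm_version output quoted in the thread.
SAMPLE_TPM_VERSION = """TPM Version Info:
  version: 1.2
  rev: 3.17
  specLevel: 2
  errataRev: 2
  tpmVendorID: Infineon ("IFX")
"""


def pubkey_digest_spec(modulus: bytes) -> bytes:
    """TPM 1.2 rule: pubKeyDigest is SHA-1 over the modulus bytes (TPM_STORE_PUBKEY.key) only."""
    return hashlib.sha1(modulus).digest()


def pubkey_digest_ifx_pre_317(modulus: bytes) -> bytes:
    """IFX firmware up to 3.16, as Martin describes it: SHA-1 over the whole
    TPM_STORE_PUBKEY, i.e. the big-endian UINT32 keyLength followed by the modulus."""
    store_pubkey = struct.pack(">I", len(modulus)) + modulus
    return hashlib.sha1(store_pubkey).digest()


def classify_pubkey_digest(modulus: bytes, digest_from_certify_info: bytes) -> str:
    """Explain why a TPM_CERTIFY_INFO.pubKeyDigest does or does not match the certified key."""
    if digest_from_certify_info == pubkey_digest_spec(modulus):
        return "spec"
    if digest_from_certify_info == pubkey_digest_ifx_pre_317(modulus):
        return "ifx-firmware-bug"
    return "mismatch"


def ifx_firmware_needs_update(tpm_version_output: str) -> bool:
    """True when tpm_version reports an Infineon (IFX) TPM with rev below 3.17."""
    vendor = re.search(r"tpmVendorID:\s*(.+)", tpm_version_output)
    rev = re.search(r"\brev:\s*(\d+)\.(\d+)", tpm_version_output)
    if vendor is None or rev is None:
        raise ValueError("tpm_version output lacks a tpmVendorID or rev line")
    if "IFX" not in vendor.group(1) and "Infineon" not in vendor.group(1):
        return False  # the hashing bug is specific to Infineon firmware
    return (int(rev.group(1)), int(rev.group(2))) < (3, 17)
```

If a validation fails and the digest classifies as "ifx-firmware-bug", the key and signature are fine and only the firmware revision is at fault, which is what the jTSS test skip for IFX revisions below 3.17 reflects.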