There's a TSS/TPM mismatch in your implementation. The pass in
algorithm value for TcITpm.CollateIdentity is one of TSS_ALG_* per the
software stack document, BUT the values in the encrypted
TPM_IDENTITY_REQ (aka TcTpmIdentityReq) are supposed to be TPM_* values
per part 2. Specifically, identityReq.symAlgorithm.algorithmID is
supposed to be of type TPM_ALGORITHM_ID and
identityReq.symAlgorithm.encScheme is supposed to be of type
TPM_ENC_SCHEME (one of TPM_ES_SYM_*).
Instead, it looks like the TSS_ALG_ value is being stored in the blob
for the algorithmId. I'm still trying to find out where the encScheme
value of "21" is coming.
Continuing on this, CBC isn't a valid encryption scheme for AES keys
according to 5.8.1 of part 2. CTR or OFB appear to be required.
TPM_ES_SYM_CNT should probably be TPM_ES_SYM_CTR in
iaik.tc.tss.api.constants.tpm.
Mike
|