From: Nektarios I. <ine...@gm...> - 2007-03-12 16:20:18
Hello everyone,

I am trying to create a "sealed" package using the "seal" subcommand of jTPMTools. I couldn't find anyone having a similar problem on the mailing list, so I am posting my case here.

"somefile.txt" is a plaintext file I created with a few words in it.
"newpass" is the sealing key's password. The key has been created using the "create_key" subcommand as follows:

create_key -k newpass [SUCCESSFUL] ---> This gave key: 1.2.3.4.5.3589e17f4313

"somefile_sealed.txt" is the file to be created by the (successful)

[root@localhost jTpmTools_0.2]# sh jtt.sh seal -i somefile.txt -k newpass -o somefile_sealed.txt -p 0 -u 1.2.3.4.5.3589e17f4313

Here is the output:

-----------------------------------
IAIK/OpenTC Java TPM Tools
- - - - - - - - - -
based on IAIK/OpenTC jTSS Wrapper
-----------------------------------
/home/inectarios/Trusted_Computing/jTpmTools_0.2/ext_libs
16:13:31:967 [INFO] Seal::execute (205): sealing to pcr: 0
TSPI call error:
error code: 0x24
error message: TPM layer: Invalid key usage
at iaik.tss.impl.jni.TcBaseObject.handleRetCode(TcBaseObject.java:102)
at iaik.tss.impl.jni.TcEncData.seal(TcEncData.java:129)
at iaik.tc.apps.jtt.data.Seal.execute(Seal.java:271)
at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:80)
at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:52)
at iaik.tc.apps.jtt.common.JTpmTools.main(JTpmTools.java:67)
From: Nektarios I. <ine...@gm...> - 2007-03-12 16:44:33
Hello everyone,

I have been having problems in creating a "sealed" package using the "seal" subcommand of jTPMTools.

"somefile.txt" is a plaintext file that I created myself with some simple text in it. This is the file to be "sealed".
"somefile_sealed.txt" is the (sealed version) file that will be created by the "seal" subcommand.
"newpass" is the password of the sealing key to be used (1.2.3.4.5.3589e17f4313). The sealing key was created as follows:

create_key -k newpass [SUCCESSFUL]

So when I run the command with the following:

[root@localhost jTpmTools_0.2]# sh jtt.sh seal -i somefile.txt -k newpass -o somefile_sealed.txt -p 0 -u 1.2.3.4.5.3589e17f4313

The following error occurs:

-----------------------------------
IAIK/OpenTC Java TPM Tools
- - - - - - - - - -
based on IAIK/OpenTC jTSS Wrapper
-----------------------------------
/home/inectarios/Trusted_Computing/jTpmTools_0.2/ext_libs
16:13:31:967 [INFO] Seal::execute (205): sealing to pcr: 0
TSPI call error:
error code: 0x24
error message: TPM layer: Invalid key usage
at iaik.tss.impl.jni.TcBaseObject.handleRetCode(TcBaseObject.java:102)
at iaik.tss.impl.jni.TcEncData.seal(TcEncData.java:129)
at iaik.tc.apps.jtt.data.Seal.execute(Seal.java:271)
at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:80)
at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:52)
at iaik.tc.apps.jtt.common.JTpmTools.main(JTpmTools.java:67)

I am 99% sure it has something to do with the key (-k parameter) used in the "seal" subcommand.

Note: I believe, theoretically, the seal key should be the one of the "sealing key", but just for testing I tried to use some other random key with the same command:

seal -i somefile.txt -k pass -o somefile_sealed.txt -p 0 -u 1.2.3.4.5.3589e17f4313

As expected I get the following error:

TSPI call error:
error code: 0x01
error message: TPM layer: Authentication failed
at iaik.tss.impl.jni.TcBaseObject.handleRetCode(TcBaseObject.java:102)
at iaik.tss.impl.jni.TcEncData.seal(TcEncData.java:129)
at iaik.tc.apps.jtt.data.Seal.execute(Seal.java:271)
at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:80)
at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:52)
at iaik.tc.apps.jtt.common.JTpmTools.main(JTpmTools.java:67)
at com.test.Test.main(Test.java:25)

This is why I believe there must be something wrong with the (checking of) the key.

Best regards,
Nektarios Ioannides
From: Thomas W. <tho...@ia...> - 2007-03-13 06:43:01
Attachments:
smime.p7s
Hello,

> error code: 0x24
> error message: TPM layer: Invalid key usage

For sealing you have to use a key of type TPM_KEY_STORAGE. Have a look at the command "./jtt.sh create_key". It says:

"[...]
-t type ... type of key (use 'legacy' for binding and 'storage' for sealing operations) (legal values: storage, legacy) (default: legacy)
[...]"

So - the "magic" is the "-t storage" option:

./jtt.sh create_key -t storage -k test

-----------------------------------
IAIK/OpenTC Java TPM Tools
- - - - - - - - - -
based on IAIK/OpenTC jTSS Wrapper
-----------------------------------
07:30:11:734 [INFO] CreateKey::execute (136): parent key is SRK, key length is 2048 bits
07:30:11:758 [INFO] CreateKey::execute (137): key type is storage
07:30:11:759 [INFO] CreateKey::execute (138): key registered in persistent system storage with UUID: 1.2.3.4.5.8dd8f68218c1
07:30:11:759 [INFO] CreateKey::execute (139): CreateKey succeeded

With that key, the sealing should work:

./jtt.sh seal -i somefile.txt -k test -o ./sealed.data -p 10 -u 1.2.3.4.5.8dd8f68218c1

-----------------------------------
IAIK/OpenTC Java TPM Tools
- - - - - - - - - -
based on IAIK/OpenTC jTSS Wrapper
-----------------------------------
07:30:44:585 [INFO] Seal::execute (205): sealing to pcr: 10
07:30:44:764 [INFO] Seal::execute (295): Sealing succeeded

hth,
Thomas Winkler
From: Nektarios I. <ine...@gm...> - 2007-04-22 20:34:43
Hello Thomas,

Thank you for your help. Yes, the "magic" was the key type indeed! :-)

However, now I would like to do something "useful" with an AIK instead of a "storage" or "legacy" type key. That is, be able to either "bind" or "seal" some data (e.g. some textfile) using an AIK I have created previously. When I tried to do that (see below):

Input:

seal -i PCR_values -k nectarios -o PCR_values_SEALED_2 -p 1 -u 1.2.3.4.5.d5daefea84e1

where,
"1.2.3.4.5.d5daefea84e1" is my AIK's UUID
"nectarios" is the password of the above AIK
"PCR_values" is the file to be sealed
"PCR_values_SEALED_2" is the file to be created after the sealing operation,
and the above data is to be sealed in PCR #1

I got something like:

Ignoring unexpected element:
20:07:24:986 [INFO] Seal::execute (205): sealing to pcr: 1
TSPI call error:
error code: 0x01
error message: TPM layer: Authentication failed

Any ideas?

P.S. I do not understand why I get the "Ignoring unexpected element" warning at the beginning either.

Many thanks,
Nektarios

On 13/03/07, Thomas Winkler <tho...@ia...> wrote:
>
> Hello,
>
> > error code: 0x24
> > error message: TPM layer: Invalid key usage
>
> For sealing you have to use a key of type TPM_KEY_STORAGE.
>
> Have a look at the command "./jtt.sh create_key". It says:
>
> "[...]
>
> -t type ... type of key (use 'legacy' for binding and 'storage' for
> sealing operations) (legal values: storage, legacy) (default: legacy)
>
> [...]"
>
> So - the "magic" is the "-t storage" option:
>
> ./jtt.sh create_key -t storage -k test
>
> -----------------------------------
> IAIK/OpenTC Java TPM Tools
> - - - - - - - - - -
> based on IAIK/OpenTC jTSS Wrapper
> -----------------------------------
>
> 07:30:11:734 [INFO] CreateKey::execute (136): parent key is SRK, key
> length is 2048 bits
> 07:30:11:758 [INFO] CreateKey::execute (137): key type is storage
> 07:30:11:759 [INFO] CreateKey::execute (138): key registered in
> persistent system storage with UUID: 1.2.3.4.5.8dd8f68218c1
> 07:30:11:759 [INFO] CreateKey::execute (139): CreateKey succeeded
>
> With that key, the sealing should work:
>
> ./jtt.sh seal -i somefile.txt -k test -o ./sealed.data -p 10 -u
> 1.2.3.4.5.8dd8f68218c1
>
> -----------------------------------
> IAIK/OpenTC Java TPM Tools
> - - - - - - - - - -
> based on IAIK/OpenTC jTSS Wrapper
> -----------------------------------
>
> 07:30:44:585 [INFO] Seal::execute (205): sealing to pcr: 10
> 07:30:44:764 [INFO] Seal::execute (295): Sealing succeeded
>
> hth,
> Thomas Winkler
From: Thomas W. <tho...@ia...> - 2007-04-23 05:27:15
Attachments:
smime.p7s
Hello,

> However, now I would like to do something "useful" with an AIK instead
> of a "storage" or "legacy" type key. That is, be able to either "bind"
> or "seal" some data (e.g. some textfile) using an AIK I have created
> previously.

Short answer: You can't.

Longer answer: An AIK can only be used for TPM Quote and CertifyKey operations. You cannot use an AIK to e.g. bind or seal data. That is not some arbitrary limitation imposed by the TSS or jTSS implementations but that is the way the TPM works. For more details please have a look at the TPM specification.

Regards,
Thomas Winkler
From: Nektarios I. <ine...@gm...> - 2007-04-25 10:57:14
Hello,

Yes, I understand. Well, the reason I wanted to do that was because I was trying to "simulate" the signing of the PCR-values with an AIK by copying the PCR-values given by the "pcr_read" jTPMTools command and manually copying them into a text file and then signing that textfile with some key! Since the textfile is just an ordinary data file, only the storage key seemed to work. (right?)

Assuming I am... is there a way to sign the ACTUAL PCR-values from the TPM with an AIK that I have created? Does this already exist somewhere in the jTSSWrapper source code?

The reason I am asking all these questions is that ultimately, I would like to be able to implement a small Java application in which a Client manages to attest itself to a Challenger before the Challenger allows it to perform some other operation. That is, I would like to perform a full Attestation procedure (or as full as it is currently possible).

If I'm not mistaken, from what I've understood from the jTSSWrapper source code, when creating an AIK key, some steps of an Attestation procedure are included as well (i.e. the "create_aik" command from jTPMTools does not only create an AIK key pair but also assumes that a PrivacyCA has certified the AIK as well). Is this correct?

Since I am interested in performing an attestation procedure, I would also need to know: Is there a way to extract the Storage Measurement Log (SML) from the TPM through jTSSWrapper code?

Also, is the AIK certificate that has been signed by the PrivacyCA (and will have to be verified by the Challenger afterwards) the aik-uuid<some numbers>.cert file that appears on disk after I run a successful "create_aik" command?

Finally, is there an API / Documentation for jTSSWrapper? It would be really useful for me and less annoying for you... :-)

In any case, many thanks once again,
Nektarios

P.S. Is the TPM_QUOTE command implemented somewhere in jTSSWrapper? I have found some references to it in the source code but was not quite sure as to whether what I was looking at was such an implementation or not...

On 23/04/07, Thomas Winkler <tho...@ia...> wrote:
>
> Hello,
>
> > However, now I would like to do something "useful" with an AIK instead
> > of a "storage" or "legacy" type key. That is, be able to either "bind"
> > or "seal" some data (e.g. some textfile) using an AIK I have created
> > previously.
>
> Short answer: You can't.
>
> Longer answer: An AIK can only be used for TPM Quote and CertifyKey
> operations. You cannot use an AIK to e.g. bind or seal data. That is
> not some arbitrary limitation imposed by the TSS or jTSS implementations
> but that is the way the TPM works. For more details please have a look
> at the TPM specification.
>
> Regards,
> Thomas Winkler
From: Saurabh A. <tan...@gm...> - 2007-04-25 14:30:55
Hi

On 4/25/07, Nektarios Ioannides <ine...@gm...> wrote:
> Hello,
>
> Yes, I understand. Well the reason I wanted to do that was because I was
> trying to "simulate" the signing of the PCR-values with an AIK by copying
> the PCR-values given by the "pcr_read" jTPMTools command and manually
> copying them into a text file and then signing that textfile with some key!
> Since the textfile is just an ordinary data file only the storage key seemed
> to work. (right?)

You want to sign PCR values; I assume you would not need to sign all 16/24 PCRs, only the required ones. So better not convert them into a text file, and specify the pcr-index you want to use in the tpm_quote operation.

> Assuming I am... is there a way to sign the ACTUAL PCR-values from the TPM
> with an AIK that I have created? Does this already exist somewhere in the
> jTSSWrapper source code?

This process is tpm_quote and yes, it exists in the trustedjava suite. For tpm_quote, look at the JUnit tests which come with the jTssWrapper package. It has a testquote.java file.

> The reason I am asking all these questions is that ultimately, I would like
> to be able to implement a small java application in which a Client manages
> to attest itself to a Challenger before the Challenger allows it to
> perform some other operation. That is, I would like to perform a full
> Attestation procedure (or as full as it is currently possible).
>
> If I'm not mistaken, from what I've understood from the jTSSWrapper source
> code, when creating an AIK key, some steps of an Attestation procedure are
> included as well. (i.e. the "create_aik" command from jTPMTools does not
> only create an AIK key pair but also assumes that a PrivacyCA has certified
> the AIK as well. Is this correct?

Yes. Instead of assuming, it simulates a PrivacyCA and does that. I would recommend you to look at the source code of the jTpmTools package, which is inside the respective jar file. The code is well documented and self-explanatory. You will get the answer to all your questions.

> Since I am interested in performing an attestation procedure, I would also
> need to know, Is there a way to extract the Storage Measurement Log (SML)
> from the TPM through jTSSWrapper code?

I do not think there is any method to do that. But if you are using a Linux-IMA kernel you can easily check the measurement list.

> Also is the AIK certificate that has been signed by the PrivacyCA (and will
> have to be verified by the Challenger afterwards) the aik-uuid<some
> numbers>.cert file that appears on disk after I run a successful
> "create_aik" command?

Yes. File creation on disk is the last step in the above command implementation.

Some while ago, I was at the same position where you are. I made a Java app, which is running on top of the jTSS libraries, and to complete the attestation procedure, I used the following steps:

- call aik_create with appropriate values (aik, owner, srk passwords, ini files)
- after the aik keys are activated, I use them to quote the desired PCR values.

--------------
best
saurabh
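As an added illustration of the quote step Saurabh describes (this is not code from the thread or from jTSS), the Python below builds the TPM 1.2 structures a quote commits to, TPM_PCR_SELECTION, TPM_PCR_COMPOSITE and the 48-byte TPM_QUOTE_INFO, and shows the challenger side rebuilding that blob from the reported PCR values and its own nonce. It assumes a 24-PCR TPM and SHA-1 digests; the AIK signature returned by the TPM is verified over exactly the bytes this code produces, which is what ties the quote to the selected PCRs and the fresh nonce.

```python
import hashlib
import struct

PCR_COUNT = 24      # assumption: a TPM 1.2 with 24 PCRs (older chips have 16)
DIGEST_LEN = 20     # TPM 1.2 PCR values, composite hash and nonce are SHA-1 sized


def pcr_selection(indices):
    """TPM_PCR_SELECTION: uint16 sizeOfSelect, then a bitmask in which PCR i
    is bit (i % 8) of byte (i // 8). Only the selected PCRs enter the quote."""
    size = (PCR_COUNT + 7) // 8
    mask = bytearray(size)
    for i in indices:
        if not 0 <= i < PCR_COUNT:
            raise ValueError(f"PCR index {i} out of range")
        mask[i // 8] |= 1 << (i % 8)
    return struct.pack(">H", size) + bytes(mask)


def pcr_composite_hash(indices, pcr_values):
    """SHA-1 of TPM_PCR_COMPOSITE = selection || uint32 valueSize ||
    the selected PCR values in ascending index order."""
    selected = [pcr_values[i] for i in sorted(set(indices))]
    if any(len(v) != DIGEST_LEN for v in selected):
        raise ValueError("every PCR value must be 20 bytes")
    composite = (pcr_selection(indices)
                 + struct.pack(">I", len(selected) * DIGEST_LEN)
                 + b"".join(selected))
    return hashlib.sha1(composite).digest()


def quote_info(composite_hash, nonce):
    """TPM_QUOTE_INFO, the 48-byte blob the TPM signs with the AIK:
    TPM_STRUCT_VER 1.1.0.0 || "QUOT" || compositeHash || externalData (nonce)."""
    if len(nonce) != DIGEST_LEN:
        raise ValueError("the challenger nonce must be 20 bytes")
    return b"\x01\x01\x00\x00" + b"QUOT" + composite_hash + nonce


def challenger_check(indices, reported_pcrs, nonce, signed_blob):
    """Challenger side: rebuild TPM_QUOTE_INFO from the PCR values the client
    reported and the nonce the challenger issued. The AIK signature has to
    verify over exactly these bytes, so a different PCR value, a different
    PCR selection or a replayed nonce yields a blob the signature won't match."""
    expected = quote_info(pcr_composite_hash(indices, reported_pcrs), nonce)
    return expected == signed_blob
```

The Linux-IMA measurement list mentioned above is what the challenger replays to explain the reported value of the PCR IMA extends; the quote only proves which PCR values the TPM held.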