From: Nektarios I. <ine...@gm...> - 2007-08-16 03:24:42
Hello everyone,

I have been away from the OpenTC scene so it's good to be back :-)

I have recently updated my past efforts to the new jTSS 0.1 layer (not using jTssWrapper anymore). I believe I have installed everything right since I followed all instructions and did it all twice to make sure. I have generated and placed in the right locations all necessary credentials using the TcCerts and PCA scripts (build_certs.sh).

Everything seems to be running properly except when I try to simulate an AIK Cycle: I have been trying to run the "aik_create" and "xkms_aik_create" options of jTpmTools and I have problems with both.

When I run

./jtt.sh aik_create -a secret -l theAIKlabel -o theoldsecret

I get:

03:58:27:495 [INFO] AikUtil::createEKCertificate (123): created EK certificate on-the-fly
03:58:27:584 [INFO] Client::overrideCertificates (113): overriding default EK certificate used by TSS
03:58:28:698 [INFO] PrivacyCa::processRequest (180): included EK certificate size: 1065 bytes
03:58:28:703 [INFO] PrivacyCa::processRequest (181): SubjAltName: id:49465800,SLD9630TT1.1,id:0104
03:58:28:704 [INFO] PrivacyCa::processRequest (188): PE: not included
03:58:28:704 [INFO] PrivacyCa::processRequest (196): CC: not included
03:58:28:764 [INFO] AikUtil::createPECertificate (176): created PE certificate on-the-fly
03:58:28:772 [INFO] AikUtil::createAIKCertificate (213): created AIK certificate on-the-fly
03:58:28:774 [INFO] PrivacyCa::processRequest (212): AIK blob size: 1390
iaik.tc.tss.api.exceptions.tsp.TcTspException:
TSS Error:
error layer: 0x3000 (TSP)
error code (without layer): 0x0113
error code (full): 0x3113
error message: Authorization failed.
at iaik.tc.tss.impl.java.tsp.internal.TcTspCommon.validateRespAuth(Unknown Source)
at iaik.tc.tss.impl.java.tsp.internal.TcTspInternal.TspLoadKeyByBlob_Internal(TcTspInternal.java:105)
at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(Unknown Source)
at iaik.tc.apps.jtt.aik.Client.activateIdentity(Client.java:153)
at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:322)
at iaik.tc.utils.cmdline.SubCommand.run(SubCommand.java:69)
at iaik.tc.utils.cmdline.SubCommandParser.parse(SubCommandParser.java:41)
at iaik.tc.apps.JTpmTools.main(JTpmTools.java:110)

And when I run:

./jtt.sh xkms_aik_create -a secret -l aikLabel -o theoldsecret

I get:

03:58:10:665 [INFO] AikUtil::createEKCertificate (123): created EK certificate on-the-fly
03:58:10:673 [INFO] Client::overrideCertificates (113): overriding default EK certificate used by TSS
sending RegisterRequest...
...result received

Validating XKMS message signature using certificate:
CN=IAIK OpenTC XKMS Test Responder,OU=IAIK trusted computing labs,O=Graz University of Technology,C=AT
XKMS Result message signature is INVALID.

AIK create operation FAILED
===>http://www.w3.org/2002/03/xkms#Sender
===>http://www.w3.org/2002/03/xkms#Failure

I am almost certain that it is not a setup error but something theoretical I am missing to see here.
Any ideas?

Regards,
Nektarios
From: Thomas W. <tc...@to...> - 2007-08-16 05:41:26
Hello,

> When I run
> ./jtt.sh aik_create -a secret -l theAIKlabel -o theoldsecret
[...]
> TSS Error:
> error layer: 0x3000 (TSP)
> error code (without layer): 0x0113
> error code (full): 0x3113
> error message: Authorization failed.
[...]
> at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:322)

The error occurs when the activateIdentity method is called. Are you sure that you are using the correct SRK secret (TSS_WELL_KNOWN_SECRET in your case)? You have to use the SRK secret you provided when taking ownership of your TPM.

hth,
--
Thomas Winkler
e-mail: tc...@to...
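Added illustration, not part of the thread and not jTSS code: a small Python triage of the error dump discussed above. It splits the full result code into layer and layer-local code using the TSS 1.x masks (0x3000 and 0x0FFF), cross-checks the printed fields, and picks out the first jTpmTools frame to locate the failing call. The names `triage` and `app_prefix` are hypothetical.

```python
import re

# TSS 1.x result codes: bits 12-13 name the layer that raised the error,
# the low 12 bits are the layer-local error code.
LAYER_MASK, CODE_MASK = 0x3000, 0x0FFF
LAYERS = {0x0000: "TPM", 0x1000: "TDDL", 0x2000: "TCS", 0x3000: "TSP"}

FIELD = re.compile(r"error (layer|code \(without layer\)|code \(full\)): (0x[0-9a-fA-F]+)")
FRAME = re.compile(r"at ([\w.$]+)\.(\w+)\(")

# Excerpt of the output quoted in the thread above.
SAMPLE = """\
iaik.tc.tss.api.exceptions.tsp.TcTspException:
TSS Error:
error layer: 0x3000 (TSP)
error code (without layer): 0x0113
error code (full): 0x3113
error message: Authorization failed.
at iaik.tc.tss.impl.java.tsp.internal.TcTspCommon.validateRespAuth(Unknown Source)
at iaik.tc.tss.impl.java.tsp.TcRsaKey.loadKey(Unknown Source)
at iaik.tc.apps.jtt.aik.Client.activateIdentity(Client.java:153)
at iaik.tc.apps.jtt.aik.AikCreate.execute(AikCreate.java:322)
"""

def triage(output, app_prefix="iaik.tc.apps."):
    """Summarise a jTSS error dump; app_prefix (hypothetical) marks caller code."""
    fields = {name: int(value, 16) for name, value in FIELD.findall(output)}
    if "code (full)" not in fields:
        return None  # no TSS error block in this output
    full = fields["code (full)"]
    layer, code = full & LAYER_MASK, full & CODE_MASK
    frames = FRAME.findall(output)
    message = re.search(r"error message: (.+)", output)
    return {
        "layer": LAYERS[layer],
        "code": code,
        # The printed split must agree with the masks; a mismatch means a mangled log.
        "consistent": fields.get("layer", layer) == layer
                      and fields.get("code (without layer)", code) == code,
        "message": message.group(1).strip() if message else None,
        # Innermost frame: where the TSS stack raised the exception.
        "raised_in": ".".join((frames[0][0].rsplit(".", 1)[-1], frames[0][1])) if frames else None,
        # First frame inside the calling application: the operation in progress.
        "app_call": next((f"{c.rsplit('.', 1)[-1]}.{m}" for c, m in frames
                          if c.startswith(app_prefix)), None),
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```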
From: Martin P. <Mar...@ia...> - 2007-08-16 06:46:26
Attachments:
smime.p7s
Nektarios Ioannides wrote:
> I have been away from the OpenTC scene so it's good to be back :-)

Don't worry, could happen to anyone :-)

> And when I run:
>
> ./jtt.sh xkms_aik_create -a secret -l aikLabel -o theoldsecret
>
> I get:
>
> 03:58:10:665 [INFO] AikUtil::createEKCertificate (123): created EK certificate on-the-fly
> 03:58:10:673 [INFO] Client::overrideCertificates (113): overriding default EK certificate used by TSS
> sending RegisterRequest...
> ...result received
>
> Validating XKMS message signature using certificate:
> CN=IAIK OpenTC XKMS Test Responder,OU=IAIK trusted computing labs,O=Graz
> University of Technology,C=AT
> XKMS Result message signature is INVALID.
>
> AIK create operation FAILED
> ===>http://www.w3.org/2002/03/xkms#Sender
> ===>http://www.w3.org/2002/03/xkms#Failure
>
> I am almost certain that it is not a setup error but something theoretical I
> am missing to see here.
> Any ideas ?

Well, I can look at the server log.... was that you?

04:58:16:499 [INFO] HTTPHandler::run (97): 20070816-04:58:16 request from ......bethere.co.uk
04:58:16:503 [INFO] RequestProcessor::newInstance (133): === RegisterRequest /aik ===
04:58:16:513 [INFO] PrivacyCa::processRequest (176): included EK certificate size: 1065 bytes
04:58:16:514 [INFO] PrivacyCa::processRequest (177): SubjAltName: id:49465800,SLD9630TT1.1,id:0104
04:58:16:514 [INFO] PrivacyCa::processRequest (184): PE: not included
04:58:16:514 [INFO] PrivacyCa::processRequest (192): CC: not included
java.security.cert.CertificateException: EK validation FAILED

...meaning the included EK could not be verified, because
a) it is not an IFX TPM EK (development boards are not supported)
b) it is not an EK generated from our PCA server

Unfortunately it is currently not possible to return a "nicer" error message.

for b) you need a password for xkms_ekcert_create to work at our server -> mail me

HTH
--
Martin Pirker
IAIK, TU Graz