Thanks Ken,
However my confusion comes from the fact that my key-to-be-signed DOES
require authorization. I'm providing the TSS_KEY_AUTHORIZATION flag to my
create method:
initFlags = TSS_KEY_TYPE_BIND | TSS_KEY_SIZE_2048 |
TSS_KEY_AUTHORIZATION
| TSS_KEY_NOT_MIGRATABLE;
tss_result = Tspi_Context_CreateObject(hContext, TSS_OBJECT_TYPE_RSAKEY,
initFlags, &hBind_Key);
So now I'm asking, isn't this all I'm supposed to do? How does this relate
to the flag Trousers is checking and failing with BAD_PARAMETER? That's
the knowledge I lack.
I need the internal flags set properly to sign this key. What am I
missing? And is it something I need to do when creating the key or when
trying to sign it?
I did check that my key is getting authorized at sign-time. I assign the
secret to the object policy and the key successfully authorizes and loads
into the TPM:
certifykey:L242 Load Key-To-Sign in TPM returned 0x0 (Success) // my
logging
So, to summarize:
I AM creating the key with the AUTHORIZATION flag
I AM providing a secret and successfully loading the key into TPM
problem -> TSS_CERTIFYKEY still fails saying my target key doesn't require
auth?
I'm pretty stuck.
On Mon, May 2, 2016 at 12:18 PM Ken Goldman <[email protected]> wrote:
> On 4/22/2016 3:04 PM, Tadd Seiff wrote:
> >
> > Which I believe is coming from here in tspi_certify.c:
> > if (useAuthCert && !useAuthKey)
> > return TSPERR(TSS_E_BAD_PARAMETER);
> >
> > Which boils down to some object having the flag TSS_OBJ_FLAG_USAGEAUTH
> set.
>
> I believe (I'm not a Trousers expert) it's this from Part 3:
>
> "TPM_CertifyKey does not support the case where (a) the certifying key
> requires a usage authorization to be provided but (b) the
> key-to-be-certified does not. In such cases, TPM_CertifyKey2 must be used."
>
> I assume that the TSS noticed that you supplied auth for the certifying
> key (useAuthCert) but not the bind key (useAuthKey).
>
> Perhaps try Certify2, which is the reverse.
>
> "TPM_CertifyKey2 does not support the case where (a) the
> key-to-be-certified requires a usage authorization to be provided but
> (b) the certifying key does not."
>
> Of course, if your bind key requires authorization (TPM_AUTH_ALWAYS),
> then you have to supply both auths. Or you can supply both anyway.
>
>
>
> ------------------------------------------------------------------------------
> Find and fix application performance issues faster with Applications
> Manager
> Applications Manager provides deep performance insights into multiple
> tiers of
> your business applications. It resolves application problems quickly and
> reduces your MTTR. Get your free trial!
> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
>
------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
