Tadd,
Thank you for your quick reply. The code I wrote was inspired by Hal Finney's
code on http://privacyca.com. I hadn't thought to second guess Hal's algorithm
as it has worked for me for at least seven years. I will check the documents
and see if I can verify Hal's work.
As to your second point, hPCA is just a dummy PCA key. Here is how the PCA
object is created and used.
/* Create dummy PCA key */
TSS_HKEY hPCA;
rc = Tspi_Context_CreateObject(hContext,
TSS_OBJECT_TYPE_RSAKEY,
TSS_KEY_TYPE_LEGACY|TSS_KEY_SIZE_2048,
&hPCA);
if (rc != TSS_SUCCESS)
return tidy(hContext, tss_err(rc, "creating PCA object"));
/* Create the PCA key in the TPM, it is not user supplied */
rc = Tspi_Key_CreateKey(hPCA, hSRK, 0);
if (rc != TSS_SUCCESS)
return tidy(hContext, tss_err(rc, "creating PCA key in TPM"));
John
From: Tadd Seiff <[email protected]>
Date: Friday, March 3, 2017 at 3:08 PM
To: "Ramsdell, John D." <[email protected]>,
"[email protected]" <[email protected]>
Cc: Andrew Pollock <[email protected]>
Subject: Re: [TrouSerS-users] Trousers error code 0x1
Hey John,
I'm not sure about the return code.
But some other comments here:
1) I've used Tspi_ContextCreateObject(...) to create AIK objects with success.
I guess CreateKey() should work too, seems logical. I'm not sure how I ended
up using CreateObject(), I'm guessing I followed someone else's example:
UINT32 initFlags = TSS_KEY_TYPE_IDENTITY | TSS_KEY_SIZE_2048 |
TSS_KEY_AUTHORIZATION |
TSS_KEY_VOLATILE | TSS_KEY_NOT_MIGRATABLE;
result = Tspi_Context_CreateObject(hContext,
TSS_OBJECT_TYPE_RSAKEY,
initFlags, &hIdentKey);
2) Even if CreateKey() should work, it looks like you are passing in your PCA
server public key as the first argument (hPCA)? This should be the handle to
your new key, I think, so if this is a TSS KEY object that you created from DER
that the user passed in (deduced from Andrew's comments below), I don't think
that would work anyway. The PCA key material is not used until the
CollateIdentityRequest() step.
-Tadd
On Fri, Mar 3, 2017 at 6:37 AM Ramsdell, John D.
<[email protected]<mailto:[email protected]>> wrote:
I am trying to address a bug report for TPM Quote Tools which is built on
Trousers. I am having trouble diagnosing the problem because the return code
is not what I expect. When making an AIK, my program executes:
rc = Tspi_Key_CreateKey(hPCA, hSRK, 0);
if rc != TSS_SUCCESS, I print an error message using the values in tss/tspi.h
which includes tss/tss_error.h. In the bug report, the return value is 1, but
that value has no translation. What does it mean when create key returns an
error code of 1?
John
-----Original Message-----
From: Andrew Pollock <[email protected]<mailto:[email protected]>>
Date: Friday, March 3, 2017 at 2:44 AM
To: "Ramsdell, John D." <[email protected]<mailto:[email protected]>>
Subject: Re: Fooling around with tpm-quote-tools
Excellent. I finally had some spare cycles to return to this, and after
addressing a bug with an older version of Trousers, I was able to reproduce
the problem again.
So, I have a Lenovo X1 Carbon
$ sudo tpm_version
TPM 1.2 Version Info:
Chip Version: 1.2.13.12
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: STM
Vendor Specific data: 50
TPM Version: 01010000
Manufacturer Info: 53544d20
I have previously taken ownership of it with a non-well-known owner
password.
Note that I'm executing this with two non-existent files for both arguments
$ sudo tpm_mkaik /tmp/blob /tmp/pubkey
Enter owner password:
Error while creating PCA key in TPM. Error code: 0x1
Just in case I had misunderstood something for grins I created a CA with
OpenSSL and converted the public key to DER and used it as the second
argument,
but got the same result
Any further insights you have would be much appreciated.
regards
Andrew
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
TrouSerS-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/trousers-users
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
