Hi John,
Indeed, when I said I "followed someone else's example", I meant Hal
Finney. No need to second-guess it, especially if it has been working.
I see now that you aren't actually trying to create an AIK key in this
step. That's how I interpreted "When making an AIK...(I call this
function)". You just meant, "in the greater process of creating an AIK, I
do this at some point and it's failing".
Now that all of that is cleared up, no ideas, sorry, especially since this
code has worked for you in the past.
-Tadd
On Fri, Mar 3, 2017 at 12:27 PM Ramsdell, John D. <[email protected]>
wrote:
Tadd,
Thank you for your quick reply. The code I wrote was inspired by Hal
Finney's code on http://privacyca.com. I hadn't thought to second guess
Hal's algorithm as it has worked for me for at least seven years. I will
check the documents and see if I can verify Hal's work.
As to your second point, hPCA is just a dummy PCA key. Here is how the PCA
object is created and used.
/* Create dummy PCA key */
TSS_HKEY hPCA;
rc = Tspi_Context_CreateObject(hContext,
TSS_OBJECT_TYPE_RSAKEY,
TSS_KEY_TYPE_LEGACY|TSS_KEY_SIZE_2048,
&hPCA);
if (rc != TSS_SUCCESS)
return tidy(hContext, tss_err(rc, "creating PCA object"));
/* Create the PCA key in the TPM, it is not user supplied */
rc = Tspi_Key_CreateKey(hPCA, hSRK, 0);
if (rc != TSS_SUCCESS)
return tidy(hContext, tss_err(rc, "creating PCA key in TPM"));
John
*From: *Tadd Seiff <[email protected]>
*Date: *Friday, March 3, 2017 at 3:08 PM
*To: *"Ramsdell, John D." <[email protected]>, "
[email protected]" <[email protected]>
*Cc: *Andrew Pollock <[email protected]>
*Subject: *Re: [TrouSerS-users] Trousers error code 0x1
Hey John,
I'm not sure about the return code.
But some other comments here:
1) I've used Tspi_ContextCreateObject(...) to create AIK objects with
success. I guess CreateKey() should work too, seems logical. I'm not sure
how I ended up using CreateObject(), I'm guessing I followed someone else's
example:
UINT32 initFlags = TSS_KEY_TYPE_IDENTITY | TSS_KEY_SIZE_2048 |
TSS_KEY_AUTHORIZATION |
TSS_KEY_VOLATILE | TSS_KEY_NOT_MIGRATABLE;
result = Tspi_Context_CreateObject(hContext,
TSS_OBJECT_TYPE_RSAKEY,
initFlags, &hIdentKey);
2) Even if CreateKey() should work, it looks like you are passing in your
PCA server public key as the first argument (hPCA)? This should be the
handle to your new key, I think, so if this is a TSS KEY object that you
created from DER that the user passed in (deduced from Andrew's comments
below), I don't think that would work anyway. The PCA key material is not
used until the CollateIdentityRequest() step.
-Tadd
On Fri, Mar 3, 2017 at 6:37 AM Ramsdell, John D. <[email protected]> wrote:
I am trying to address a bug report for TPM Quote Tools which is built on
Trousers. I am having trouble diagnosing the problem because the return
code is not what I expect. When making an AIK, my program executes:
rc = Tspi_Key_CreateKey(hPCA, hSRK, 0);
if rc != TSS_SUCCESS, I print an error message using the values in
tss/tspi.h which includes tss/tss_error.h. In the bug report, the return
value is 1, but that value has no translation. What does it mean when
create key returns an error code of 1?
John
-----Original Message-----
From: Andrew Pollock <[email protected]>
Date: Friday, March 3, 2017 at 2:44 AM
To: "Ramsdell, John D." <[email protected]>
Subject: Re: Fooling around with tpm-quote-tools
Excellent. I finally had some spare cycles to return to this, and after
addressing a bug with an older version of Trousers, I was able to
reproduce
the problem again.
So, I have a Lenovo X1 Carbon
$ sudo tpm_version
TPM 1.2 Version Info:
Chip Version: 1.2.13.12
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: STM
Vendor Specific data: 50
TPM Version: 01010000
Manufacturer Info: 53544d20
I have previously taken ownership of it with a non-well-known owner
password.
Note that I'm executing this with two non-existent files for both
arguments
$ sudo tpm_mkaik /tmp/blob /tmp/pubkey
Enter owner password:
Error while creating PCA key in TPM. Error code: 0x1
Just in case I had misunderstood something for grins I created a CA with
OpenSSL and converted the public key to DER and used it as the second
argument,
but got the same result
Any further insights you have would be much appreciated.
regards
Andrew
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
