I am pretty certain that you have to use Tspi_TPM_CollateIdentityRequest
in order to make an AIK.
It does not work to make one with Key_CreateKey because of an offhand
remark I typed into an informative comment in the spec under
Key_CreateKey that was somehow taken as Gospel.  (It said that under the
covers the command used the TPM command that generates normal keys, and
didn't mention the MakeIdentity command.  Mea culpa.)

That is of course fixed in 2.0.



On Fri, Mar 3, 2017 at 4:37 PM, Tadd Seiff <[email protected]> wrote:

> Hi John,
>
> Indeed, when I said I "followed someone else's example", I meant Hal
> Finney. No need to second-guess it, especially if it has been working.
>
> I see now that you aren't actually trying to create an AIK key in this
> step.  That's how I interpreted "When making an AIK...(I call this
> function)".  You just meant, "in the greater process of creating an AIK, I
> do this at some point and it's failing".
>
> Now that all of that is cleared up, no ideas, sorry, especially since this
> code has worked for you in the past.
>
> -Tadd
>
> On Fri, Mar 3, 2017 at 12:27 PM Ramsdell, John D. <[email protected]>
> wrote:
>
> Tadd,
>
> Thank you for your quick reply.  The code I wrote was inspired by Hal
> Finney's code on http://privacyca.com.  I hadn't thought to second guess
> Hal's algorithm as it has worked for me for at least seven years.  I will
> check the documents and see if I can verify Hal's work.
>
> As to your second point, hPCA is just a dummy PCA key. Here is how the PCA
> object is created and used.
>
>   /* Create dummy PCA key */
>   TSS_HKEY hPCA;
>   rc = Tspi_Context_CreateObject(hContext,
>                                  TSS_OBJECT_TYPE_RSAKEY,
>                                  TSS_KEY_TYPE_LEGACY|TSS_KEY_SIZE_2048,
>                                  &hPCA);
>   if (rc != TSS_SUCCESS)
>     return tidy(hContext, tss_err(rc, "creating PCA object"));
>
>   /* Create the PCA key in the TPM, it is not user supplied */
>   rc = Tspi_Key_CreateKey(hPCA, hSRK, 0);
>   if (rc != TSS_SUCCESS)
>     return tidy(hContext, tss_err(rc, "creating PCA key in TPM"));
>
> John
>
>
>
> From: Tadd Seiff <[email protected]>
> Date: Friday, March 3, 2017 at 3:08 PM
> To: "Ramsdell, John D." <[email protected]>, "[email protected]" <[email protected]>
> Cc: Andrew Pollock <[email protected]>
> Subject: Re: [TrouSerS-users] Trousers error code 0x1
>
> Hey John,
>
> I'm not sure about the return code.
>
> But some other comments here:
>
> 1)  I've used Tspi_Context_CreateObject(...) to create AIK objects with
> success.  I guess CreateKey() should work too, seems logical.  I'm not sure
> how I ended up using CreateObject(), I'm guessing I followed someone else's
> example:
>
>   UINT32 initFlags = TSS_KEY_TYPE_IDENTITY | TSS_KEY_SIZE_2048 |
>                      TSS_KEY_AUTHORIZATION |
>                      TSS_KEY_VOLATILE | TSS_KEY_NOT_MIGRATABLE;
>
>   result = Tspi_Context_CreateObject(hContext,
>                                      TSS_OBJECT_TYPE_RSAKEY,
>                                      initFlags, &hIdentKey);
>
> 2) Even if CreateKey() should work, it looks like you are passing in your
> PCA server public key as the first argument (hPCA)?  This should be the
> handle to your new key, I think, so if this is a TSS KEY object that you
> created from DER that the user passed in (deduced from Andrew's comments
> below), I don't think that would work anyway.  The PCA key material is not
> used until the CollateIdentityRequest() step.
>
> -Tadd
>
> On Fri, Mar 3, 2017 at 6:37 AM Ramsdell, John D. <[email protected]>
> wrote:
>
> I am trying to address a bug report for TPM Quote Tools which is built on
> Trousers.  I am having trouble diagnosing the problem because the return
> code is not what I expect.  When making an AIK, my program executes:
>
>   rc = Tspi_Key_CreateKey(hPCA, hSRK, 0);
>
> if rc != TSS_SUCCESS, I print an error message using the values in
> tss/tspi.h which includes tss/tss_error.h.  In the bug report, the return
> value is 1, but that value has no translation.  What does it mean when
> create key returns an error code of 1?
>
> John
>
> -----Original Message-----
> From: Andrew Pollock <[email protected]>
> Date: Friday, March 3, 2017 at 2:44 AM
> To: "Ramsdell, John D." <[email protected]>
> Subject: Re: Fooling around with tpm-quote-tools
>
>     Excellent. I finally had some spare cycles to return to this, and after
>     addressing a bug with an older version of Trousers, I was able to
>     reproduce the problem again.
>
>     So, I have a Lenovo X1 Carbon
>
>     $ sudo tpm_version
>       TPM 1.2 Version Info:
>       Chip Version:        1.2.13.12
>       Spec Level:          2
>       Errata Revision:     3
>       TPM Vendor ID:       STM
>       Vendor Specific data: 50
>       TPM Version:         01010000
>       Manufacturer Info:   53544d20
>
>     I have previously taken ownership of it with a non-well-known owner
>     password.
>
>     Note that I'm executing this with two non-existent files for both
>     arguments
>
>     $ sudo tpm_mkaik /tmp/blob /tmp/pubkey
>     Enter owner password:
>     Error while creating PCA key in TPM. Error code: 0x1
>
>     Just in case I had misunderstood something for grins I created a CA
>     with OpenSSL and converted the public key to DER and used it as the
>     second argument, but got the same result
>
>     Any further insights you have would be much appreciated.
>
>     regards
>
>     Andrew
>
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> TrouSerS-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/trousers-users
>
>
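The thread turns on a return code of 0x1 that John could not find in tss/tss_error.h. A TSS_RESULT is a layered value: bits 12-15 name the layer that produced the error (TPM, TDDL, TCS or TSP) and bits 0-11 carry the code within that layer, so a bare 0x1 is a TPM-layer code, and the TPM 1.2 code 0x001 is TPM_E_AUTHFAIL, which is listed in tss/tpm_error.h rather than tss/tss_error.h. The decoder below is an added example written for this page; it is not code from the thread, from tpm-quote-tools or from Trousers. The layer values and the TPM 1.2 code names reproduce the TSS 1.2 and TPM 1.2 specifications, the TSS-layer table is a deliberately short excerpt, and the sample return codes fed to main() are constructed, not taken from a real run.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Layout of a TSS_RESULT (TSS 1.2 spec): bits 12-15 identify the layer that
 * raised the error, bits 0-11 carry the code within that layer. Values are
 * reproduced from the spec here so the program builds without tss/tspi.h.
 */
#define TSS_LAYER_MASK  0x0000F000u
#define TSS_LAYER_TPM   0x00000000u
#define TSS_LAYER_TDDL  0x00001000u
#define TSS_LAYER_TCS   0x00002000u
#define TSS_LAYER_TSP   0x00003000u
#define TSS_ERROR_MASK  0x00000FFFu

struct code_name { uint32_t code; const char *name; };

/* TPM 1.2 return codes (layer TPM); the full list lives in tss/tpm_error.h. */
static const struct code_name tpm_codes[] = {
    {0x00, "TPM_SUCCESS"},             {0x01, "TPM_E_AUTHFAIL"},
    {0x02, "TPM_E_BADINDEX"},          {0x03, "TPM_E_BAD_PARAMETER"},
    {0x04, "TPM_E_AUDITFAILURE"},      {0x05, "TPM_E_CLEAR_DISABLED"},
    {0x06, "TPM_E_DEACTIVATED"},       {0x07, "TPM_E_DISABLED"},
    {0x08, "TPM_E_DISABLED_CMD"},      {0x09, "TPM_E_FAIL"},
    {0x0a, "TPM_E_BAD_ORDINAL"},       {0x0b, "TPM_E_INSTALL_DISABLED"},
    {0x0c, "TPM_E_INVALID_KEYHANDLE"}, {0x0d, "TPM_E_KEYNOTFOUND"},
    {0x0e, "TPM_E_INAPPROPRIATE_ENC"}, {0x0f, "TPM_E_MIGRATEFAIL"},
    {0x10, "TPM_E_INVALID_PCR_INFO"},  {0x11, "TPM_E_NOSPACE"},
    {0x12, "TPM_E_NOSRK"},             {0x13, "TPM_E_NOTSEALED_BLOB"},
    {0x14, "TPM_E_OWNER_SET"},         {0x15, "TPM_E_RESOURCES"},
    {0x16, "TPM_E_SHORTRANDOM"},       {0x17, "TPM_E_SIZE"},
    {0x18, "TPM_E_WRONGPCRVAL"},
};

/* Short excerpt of TSS-level codes (layers TDDL/TCS/TSP) from tss/tss_error.h. */
static const struct code_name tss_codes[] = {
    {0x000, "TSS_SUCCESS"},
    {0x002, "TSS_E_FAIL"},
    {0x003, "TSS_E_BAD_PARAMETER"},
    {0x004, "TSS_E_INTERNAL_ERROR"},
    {0x101, "TSS_E_INVALID_HANDLE"},
};

/* Name of the layer encoded in bits 12-15. */
const char *tss_layer_name(uint32_t rc) {
    switch (rc & TSS_LAYER_MASK) {
    case TSS_LAYER_TPM:  return "TPM";
    case TSS_LAYER_TDDL: return "TDDL";
    case TSS_LAYER_TCS:  return "TCS";
    case TSS_LAYER_TSP:  return "TSP";
    default:             return "unknown";
    }
}

/* Code within the layer: the low 12 bits. */
uint32_t tss_error_code(uint32_t rc) { return rc & TSS_ERROR_MASK; }

static const char *lookup(const struct code_name *tbl, size_t n, uint32_t code) {
    for (size_t i = 0; i < n; i++)
        if (tbl[i].code == code) return tbl[i].name;
    return NULL;
}

/* Symbolic name for rc, chosen from the table that matches its layer; NULL if unknown. */
const char *tss_code_name(uint32_t rc) {
    uint32_t code = tss_error_code(rc);
    if ((rc & TSS_LAYER_MASK) == TSS_LAYER_TPM)
        return lookup(tpm_codes, sizeof tpm_codes / sizeof tpm_codes[0], code);
    return lookup(tss_codes, sizeof tss_codes / sizeof tss_codes[0], code);
}

/* Write a one-line description of rc into buf and return buf. */
char *tss_describe(uint32_t rc, char *buf, size_t len) {
    const char *name = tss_code_name(rc);
    snprintf(buf, len, "0x%08x = layer %s, code 0x%03x (%s)",
             (unsigned)rc, tss_layer_name(rc), (unsigned)tss_error_code(rc),
             name ? name : "not in this table");
    return buf;
}

int main(void) {
    /* Constructed samples: the 0x1 from the bug report and two TSP-layer values. */
    const uint32_t samples[] = { 0x00000001u, 0x00003003u, 0x00003101u };
    char buf[96];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        puts(tss_describe(samples[i], buf, sizeof buf));
    return 0;
}
```

The practical check this encodes: before searching tss_error.h for a code, mask off the layer nibble; a value whose upper nibble is zero came back from the TPM itself, and TPM-layer codes such as TPM_E_AUTHFAIL usually point at authorization data (owner or SRK secret) rather than at the TSP call that reported them. Trousers ships its own helpers for the same job, Trspi_Error_String() and Trspi_Error_Layer() in trousers/trousers.h, which tools linked against the library can call instead of carrying a table like this one.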