IAIK/OpenTC TCcert - Trusted Computing certificate tool

Trusted Computing, as specified by the Trusted Computing Group (TCG), comprises multiple layers of hard- and software. While the hardware primarily consists of the Trusted Platform Module (TPM), there are multiple support software components required.

There are potential security benefits in connecting many Trusted Computing enabled platforms, however, there is a need to standardize security credentials to enable easy automated processing and the building of a Trusted Computing aware public key infrastructure (PKI).

TCcert is a software tool which enables one to create special types of certificates, as specified by the Trusted Computing Group.

IAIK TCcert is developed and maintained at the Institute for Applied Information Processing and Communication (Institut für Angewandte Informationsverarbeitung und Kommunikation (IAIK)), at Graz University of Technology (TU Graz).

Development of IAIK TCcert is supported by the European Commission as part of the OpenTC project (Ref. Nr. 027635).

The Open Trusted Computing (OpenTC) consortium is an R&D project focusing on the development of trusted and secure computing systems based on open source software. The project targets traditional computer platforms as well as embedded systems such as mobile phones.

The goal of OpenTC is to reduce system-related threats, errors and malfunctions. The lack of platform security in today’s computers has given rise to waves of successful attacks, resulting in severe damages to enterprises and potential failure of critical infrastructures.

The OpenTC consortium will define and implement an open Trusted Computing framework. The architecture is based on security mechanisms provided by low level operating system layers with isolation properties and interfaces to Trusted Computing hardware. These layers make it possible to leverage enhanced trust and security properties of the platform for standard operating systems, middleware and applications.

For more information about the OpenTC project please refer to the OpenTC homepage.

TCcert is experimental software. The use of TCcert in a real production environment is discouraged. No guarantees for data produced by TCcert can be made. Use the software at your own risk!

Copyright © IAIK, Graz University of Technology, 2010. All rights reserved.

IAIK TCcert is released under a dual licensing model:

This section deals with the technical aspects of TCcert, which comprises development status, requirements and usage documentation.

It is assumed you already have some knowledge about certificates, their encodings, keys, security concepts and how they relate to public key infrastructures. If you want to learn more about this topic, this readme will not help you. Thanks for your understanding.

TCcert implements the "TCG Infrastructure Credential Profiles" document, which at time of this writing is at revision 0.981.

The following credentials are currently supported:

Further, the TCG specified the Subject Key Attestation Evidence (SKAE) extension for certificates in Infrastructure Subject Key Attestation Evidence Extension.
This extension defines the cryptographic binding of TCG-oriented security assertions within common X.509 certificates. TCcert allows to build the SKAE extension, both in plain and encrypted format.

There are additional credentials specified in the TCPA v1.1 Main Specification:

These two types of certificates are currently not supported by this tool.

The current release is not feature complete and in some areas not fully specification compliant. This is an "early access" version, released due to community interest, to stimulate development in related areas and offer a tool to toy around with.

To support experimentation, additional functionality is offered to build a minimal certificate hierarchy with a self signed CA root certificate and one level of intermediate CAs, from which specific credentials can be derived. Note that this does not reflect a real-life setup, as different certificates are usually issued by differing vendors.

The development of TCcert is currently done under Linux operating systems. By the portable nature of Java it is expected to work equally well on other operating systems, however, this is not being tested.

TCcert itself is available for download from Trusted Java at Sourceforge.
In addition you’ll also need some support software packages:

TCcert is expected to run on Java 1.2 or newer. Development was done with Sun JDK, compatibility with older Java versions or other JDK vendors is unknown and untested.

Note: For the cryptographic operations with long RSA keys "unlimited strength encryption" has to be enabled in newer JRE. For more information refer to JCE policy downloads.
(If you see an error message like Illegal key size or default parameters this is an indication that unlimited strength encryption is not enabled on your system.)

IAIK-JCE is a set of APIs and implementations of cryptographic functionality, including hash functions, encryption functions, crypto keys and certificate management functions. It supplements features of the default JCE with required functionality for TCcert.
This package is available as a free evaluation download from SIC website.

IAIK-CMS is a collection of support functions for communication and message security. The SKAE extension implementation by TCcert requires the additional functionality provided by this library.
This package is available as a free evaluation download from SIC website.

TCcert is a commandline based tool. For ease of usage a tccert.sh example shell script is provided to illustrate how to call TCcert. The script itself consists only of a few lines and should be self explanatory.

TCcert takes 2 parameters:

The first parameter specifies which function to execute. This can be one of ca, ek, pe and aik. The ca option creates a certificate hierarchie with a self-signed root CA certificate at the top and derives 3 further intermediate CA certificates which then can be used as anchors for the different certificate types. The ek, pe and aik parameters create a certificate of the specific type.

The second parameter specifies an input file to read all necessary parameters from. The format of the file is a basic ASCII text file, similar in formatting to a Java properties file.

In order to further illustrate the possible commands and parameters an example set of input files is included in the TCcert distribution in the /examples subdirectory. Each command has a corresponding example file, e.g. for the ek command an ek.ini file is included.

Following assumes all files are copied into the same directory.

call
tccert ca ca.ini
This should result in output similar to:

If you take a closer look at the ca.ini file you probably already understand what files got generated:
\*.cert are certificate files in ASN.1 DER format.
\*.pkey are the corresponding private key files.

ca.\* are the files for the self signed root certificate.
caek.\* are for the EK certification authority, derived from the root CA.
Similar for caek.\* and caaik.\*

If you want to take a closer look at a certificate, one can use the dumpasn1 utility which is usually in a similar called package available in major Linux distributions (and a GUI version is available for Windows, too).

Try e.g.
dumpasn1 ca.cert
which gives:

Or, you can employ OpenSSL to take a look at the contents, like
openssl x509 -inform DER -in ca.cert -text

Generated private keys can be inspected with OpenSSL, too:
openssl pkcs8 -inform DER -in ca.pkey

The default password in the examples is secret

output:

The remaining .ini examples generate specific types of certificates:
tccert ek ek.ini builds an EK type certificate.
tccert pe pe.ini builds an PE type certificate (depends on an EK).
tccert aik aik.ini builds an AIK type certificate (depends on EK+PE).

For details of specific data fields in a certificate please refer to the official TCG specification and read the comments in the examples.

Items marked OPTIONAL in the .ini files can be commented with a hash "#" sign. If you want to comment out a large optional block (e.g. CommonCriteriaMeasures), just comment the first field (e.g. …ccInfo.version) and the rest will be ignored automatically. Items marked DEFAULT=something have their initial value set to this, unless explicitly specified otherwise. Some fields default to autogenerated values if not specified (e.g. serialnumber and privatekeysize).

Please do not publish certificates containing the IAIK url examples!

Note that the current input parser is still a little fragile, typing mistakes or ommisions may sometimes create strange error messages.

TCcert comes with SubjectKeyAttestationEvidence (SKAE) support. This functionality is not available from the command line, only by using TCcert as a library in Java. Note again that SKAE additionally requires the IAIK-CMS libraries (see section Requirements).

The /examples directory includes SKAETest.java, which demonstrates how to build a SKAE extension, encrypt it and add it to a certificate. The whole process in reverse is also shown.

TCcert is still under significant development and the APIs are not to be considered stable yet. However, the /doc/apidoc directory includes a set of Javadoc and should enable interested parties the use of TCcert as a library.

As an example of how to build a TCG style certificate with TCcert as a library, the included CertTest.java shows the creation of a minimal EK certificate.

The /examples directory probably already contains more examples than listed here.

If things don’t work as expected…

The following list outlines possible further development of TCcert

For questions, bug reports, feature requests, patches, criticism or suggestions please use the following mailing list: trustedjava-support@lists.sourceforge.net.