iaik.tc.tss.api.tspi
Interface TcIEncData

All Superinterfaces:
TcIAttributes, TcIAuthObject, TcIWorkingObject

public interface TcIEncData
extends TcIWorkingObject, TcIAttributes, TcIAuthObject

This class can be used to join externally (e. g. user, application) generated data to a TCG-aware system (bound to PCR or Platform). For the authentication process this class can be assigned to a policy object.


Method Summary
 void bind(TcIRsaKey encKey, TcBlobData data)
          This method encrypts a data blob in a manner that can only be decrypted by unbind(TcIRsaKey).
 void seal(TcIRsaKey encKey, TcBlobData data, TcIPcrComposite pcrComposite)
          This method encrypts a data blob in a manner that can only be decrypted by unseal on the same system.
 TcBlobData unbind(TcIRsaKey key)
          This method unbinds (decrypts) a previously bound (encrypted) data blob.
 TcBlobData unseal(TcIRsaKey key)
          This method reveals data encrypted by Tspi_Data_Seal only if it was encrypted on the same platform and the current configuration (as defined by the named PCR contents of the encrypted data blob) is the one named as qualified to decrypt it.
 
Methods inherited from interface TcIAttributes
getAttribData, getAttribUint32, setAttribData, setAttribUint32
 
Methods inherited from interface TcIAuthObject
changeAuth, changeAuthAsym, getPolicyObject, getUsagePolicyObject
 

Method Detail

bind

void bind(TcIRsaKey encKey,
          TcBlobData data)
          throws TcTssException
This method encrypts a data blob in a manner that can only be decrypted by unbind(TcIRsaKey). The data blob is encrypted using a public key operation with the key addressed by the given encryption key object. To bind data larger than the RSA public key modulus it is the responsibility of the caller to perform the blocking and subsequent combination of data. The bound blob can be obtained using TcIAttributes.getAttribData(long, long). Note that the bind operation is performed entirely in software. It therefore is not restricted to a key generated by the resident TPM. It may be used with any appropriate public key. In such a case the TSS might however not be able to provide the unbind service. Note that the maximum data size for bind operations actually is smaller then the public modulus of the RSA key. For the TcTssConstants.TSS_ES_RSAESPKCSV15 encryption scheme with TcTssConstants.TSS_KEY_TYPE_BIND keys the max size is keySize - 11 - (4 + 1). With TcTssConstants.TSS_KEY_TYPE_LEGACY keys the max size is keySize - 11. For the TcTssConstants.TSS_ES_RSAESOAEP_SHA1_MGF1 encryption scheme with TcTssConstants.TSS_KEY_TYPE_BIND or TcTssConstants.TSS_KEY_TYPE_LEGACY keys the max size is keySize - (2 * 20) - 2 - (4 + 1). The (4 + 1) accounts for the size of the TcTpmBoundData structure.

Parameters:
encKey - The key used for encryption.
data - The data to encrypt.
Throws:
TcTssException
TSS Spec. 1.2 Errata A, page number:
362
TSS Spec. 1.10 Golden, Aug. 20, 2003, page number:
172

unbind

TcBlobData unbind(TcIRsaKey key)
                  throws TcTssException
This method unbinds (decrypts) a previously bound (encrypted) data blob. Before calling the unbind operation, the encrypted blob has to be set using the TcIAttributes.setAttribData(long, long, TcBlobData) method. It the key used for binding is not available in the TPM or is of wrong type, the TPM may not be able to perform the unbind operation. Note that this method operates on a block-by-block basis and has no notion of any relation between blocks. See also unbind(TcIRsaKey) for more information on data blocking.

Parameters:
key - The Key used for decryption.
Returns:
decrypted The decrypted data blob.
Throws:
TcTssException
TSS Spec. 1.2 Errata A, page number:
364
TSS Spec. 1.10 Golden, Aug. 20, 2003, page number:
173

seal

void seal(TcIRsaKey encKey,
          TcBlobData data,
          TcIPcrComposite pcrComposite)
          throws TcTssException
This method encrypts a data blob in a manner that can only be decrypted by unseal on the same system. The data blob is encrypted using a public key operation with the non-migratable key addressed by the given encryption key object. Additionally the seal operation allows software to explicitly state the future trusted configuration that the platform must be in for the encrypted data to be revealed and implicitly includes the relevant Platform Configuration Register (PCR) values when the seal operation was performed. Which PCR registers are going to be part of the seal operation is specified by the PCR composite object. Beginning with the 1.2 TPM specification, the PCR object can also contain the locality at release and two sets of PCR values: The PCRs which are recorded at the time the sealing takes place (i.e. digest at creation) and those specifying the valid PCR state for the unseal operation. To create such a PCR composite object use the TcTssConstants.TSS_PCRS_STRUCT_INFO_LONG init flag when creating the PCR composite object on systems with a 1.2. TPM. The maximum input size for seal operations is keySize - (40 - 2) - 65 where 65 accounts for the size of the TcTpmSealedData structure. It is left to the caller to properly block it input data according to this maximum size.

Parameters:
encKey - The non-migratable key which is used to encrypt the data.
data - The data to be encrypted.
pcrComposite - The PCR values the encrypted data should be sealed to. Set to null to omit sealing to PCR values.
Throws:
TcTssException
TSS Spec. 1.2 Errata A, page number:
299
TSS Spec. 1.10 Golden, Aug. 20, 2003, page number:
174

unseal

TcBlobData unseal(TcIRsaKey key)
                  throws TcTssException
This method reveals data encrypted by Tspi_Data_Seal only if it was encrypted on the same platform and the current configuration (as defined by the named PCR contents of the encrypted data blob) is the one named as qualified to decrypt it. This is internally proofed and guaranteed by the TPM.

Parameters:
key - non-migratable key which is used to decrypt the data
Returns:
decrypted data
Throws:
TcTssException
TSS Spec. 1.2 Errata A, page number:
266
TSS Spec. 1.10 Golden, Aug. 20, 2003, page number:
176