iaik.tc.cert
Class EKCertificate

Object
  extended by EKCertificate

public class EKCertificate
extends Object

An EK certificate is an instantiation of the TCG Endorsement Key Credential.

The value "Standard" in the Field Status column of the table below means the field is an inherent component of the standard X.509 certificate syntax and is not optional.

Some fields are assigned a value even though the certificate user performs no action based on that value. In such cases, the intention is to inhibit non-TCG implementations from making inappropriate use of the certificate.

 Field Name             Description                                                  Field Status
 ------------------------------------------------------------------------------------------------
 Version                Certificate syntax version number                            Standard
 Serial Number          Positive integer value unique relative to the issuer         Standard
 Signature Algorithm    Algorithm used by the issuer to sign this certificate        Standard
 Issuer                 Distinguished name of the EK certificate issuer              Standard
 Validity               Time interval during which the certificate is valid          Standard
 Subject                Distinguished name of the certificate subject                Standard
 Public Key Info        Algorithm identifier and value of the EK public key          Standard
 Certificate Policies   Policy terms under which the certificate was issued          MUST
 Alternative Names      Name forms other than directory distinguished names          MUST
 Basic Constraints      CA certificate indicator and path constraints                MUST
 Subject Directory Attributes      Various device characteristics                    MUST
 Authority Key Id       Identifies the subject public key of the certificate issuer  SHOULD
 Authority Info Access  Indicates how to access CA information                       MAY
 CRL Distribution       Indicates how to access CRL information                      MAY
 Key Usage              Indicates the intended use of the subject public key         SHOULD NOT
 Extended Key Usage     Indicates the intended use of the subject public key         SHOULD NOT
 Subject Key Id         Identifies the subject public key of the certificate         SHOULD NOT
 Subject Unique Id      Unique value when a subject name is shared                   SHOULD NOT
 Issuer Unique Id       Unique value when an issuer name is shared                   SHOULD NOT
 

For details on this certificate, please refer to the public TCG specification https://www.trustedcomputinggroup.org/specs/IWG/Credential_Profiles_V1_rev981.pdf


Field Summary
static String policyUserNotice
          "TCPA Trusted Platform Module Endorsement".
 
Method Summary
static SubjectAltName alternativeNames(String manufacturer, String model, String version)
          Creates SubjectAlternativeNames extension as specified for an EK.
static X509Certificate create(Properties prop, X509Certificate caCert, PrivateKey caPrivateKey, RSAPublicKey ekPublicKey)
          Creates a TPM Endorsement Key (EK) certificate.
static SubjectDirectoryAttributes subjectDirectoryAttributes(Attribute tpmSpecification, Attribute supportedAlgo, TPMSecurityAssertions tpmSecAss)
          Creates SubjectDirectoryAttributes extension as specified for an EK.
static Attribute supportedAlgorithms()
          Creates supportedAlgorithms Attribute as specified for an EK.
static Attribute TPMSpecification(String family, int level, int revision)
          Creates TPMSpecification Attribute as specified for an EK.
 
Methods inherited from class Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

policyUserNotice

public static String policyUserNotice
"TCPA Trusted Platform Module Endorsement".

UserNotice string for EK certificate CertificatePolicies extension.

Method Detail

create

public static X509Certificate create(Properties prop,
                                     X509Certificate caCert,
                                     PrivateKey caPrivateKey,
                                     RSAPublicKey ekPublicKey)
                              throws X509ExtensionException,
                                     CertificateException
Creates a TPM Endorsement Key (EK) certificate.

Before calling, set the section pointer of the properties object to the section to be used as input, e.g.

 prop.setSectionPointer("EK");
 EKCertificate.create(prop, ....);

Parameters:
prop - custom settable properties of the certificate
caCert - certificate of issuing authority
caPrivateKey - private key of issuing authority
ekPublicKey - public part of TPM endorsement key
Throws:
X509ExtensionException
CertificateException

TPMSpecification

public static Attribute TPMSpecification(String family,
                                         int level,
                                         int revision)
Creates TPMSpecification Attribute as specified for an EK.

The 'TPM Specification' attribute which identifies the family and revision of the TCG TPM specification to which the TPM was designed.

 tPMSpecification ATTRIBUTE ::= {
     WITH SYNTAX TPMSpecification
     ID tcg-at-tpmSpecification }

 TPMSpecification ::= SEQUENCE {
     family   UTF8String,
     level    INTEGER,
     revision INTEGER }
 


supportedAlgorithms

public static Attribute supportedAlgorithms()
Creates supportedAlgorithms Attribute as specified for an EK.

The multi-valued attribute 'supported algorithms' (see X.509) which SHOULD include object identifiers for the algorithms RSAES-OAEP, SHA-1 (1.3.14.3.2.26), and other algorithms implemented by the TPM.

The current implementation includes RSAES-OAEP, SHA-1 and TpmIdProtocol.


subjectDirectoryAttributes

public static SubjectDirectoryAttributes subjectDirectoryAttributes(Attribute tpmSpecification,
                                                                    Attribute supportedAlgo,
                                                                    TPMSecurityAssertions tpmSecAss)
                                                             throws X509ExtensionException
Creates SubjectDirectoryAttributes extension as specified for an EK.

The following attribute MUST be included in a Subject Directory Attributes extension in the EK Certificate:

The 'TPM Specification' attribute which identifies the family and revision of the TCG TPM specification to which the TPM was designed.

The following attribute SHOULD be included in a Subject Directory Attributes extension in the EK Certificate:

The multi-valued attribute 'supported algorithms' (see X.509) which SHOULD include object identifiers for the algorithms RSAES-OAEP, SHA-1 (1.3.14.3.2.26), and other algorithms implemented by the TPM.

The 'TPM Security Assertions' attribute which describes various assertions about the security properties of the TPM and the conditions under which the Endorsement Key was generated.

The following attributes are documented for compatibility with TCPA but SHOULD NOT be included in EK Certificates (see Changes Since TCPA 1.1b):
The 'TCPA Specification Version' attribute, with field values correctly reflecting the highest version of the TCG specification with which the TPM implementation conforms.
The 'security qualities' attribute with a text string reflecting the security qualities of the TPM.

The extension SHOULD be non-critical.

Throws:
X509ExtensionException

alternativeNames

public static SubjectAltName alternativeNames(String manufacturer,
                                              String model,
                                              String version)
Creates SubjectAlternativeNames extension as specified for an EK.

Include the TPM identity, using the directory name-form with RDNs for the TPM manufacturer, model and version numbers.

 TPMManufacturer ATTRIBUTE ::= {
     WITH SYNTAX UTF8String
     ID tcg-at-tpmManufacturer }

 TPMModel ATTRIBUTE ::= {
     WITH SYNTAX UTF8String
     ID tcg-at-tpmModel }

 TPMVersion ATTRIBUTE ::= {
     WITH SYNTAX UTF8String
     ID tcg-at-tpmVersion }
 
Assign "critical" the value TRUE. This is required, not merely recommended: RFC 5280 mandates that subjectAltName be marked critical whenever the certificate's Subject field is empty, which is the usual case for EK certificates that carry the TPM identity only in this extension.
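To make the ASN.1 on this page concrete, the following is an added example (not code from jTSS or the TCG specification) that DER-encodes the TPMSpecification attribute from the TPMSpecification section and the directoryName SubjectAltName from this section, then decodes both back so the critical flag and the tcg-at RDNs can be checked. The dotted OIDs are taken from the TCG OID registry under 2.23.133 and are not given on this page, so treat them as an assumption to verify against the registry; the manufacturer, model and version strings are constructed sample values.

```python
# Added example, not part of jTSS or the TCG Credential Profile spec: a minimal
# DER encoder/decoder for the EK-profile structures documented on this page.
from typing import Dict, List, Tuple

# Assumed dotted values from the TCG OID registry (tcg = 2.23.133, tcg-attribute
# = tcg.2); the page names these OIDs only symbolically.
TCG_AT_TPM_MANUFACTURER = "2.23.133.2.1"
TCG_AT_TPM_MODEL = "2.23.133.2.2"
TCG_AT_TPM_VERSION = "2.23.133.2.3"
TCG_AT_TPM_SPECIFICATION = "2.23.133.2.16"
ID_CE_SUBJECT_ALT_NAME = "2.5.29.17"   # RFC 5280 subjectAltName


def _len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                       # base-128, high bit = more follows
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def der_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def der_utf8(s: str) -> bytes:
    return tlv(0x0C, s.encode("utf-8"))


def der_seq(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))


def der_set(*items: bytes) -> bytes:
    return tlv(0x31, b"".join(items))


def tpm_specification_attribute(family: str, level: int, revision: int) -> bytes:
    """Attribute { tcg-at-tpmSpecification, SET { TPMSpecification SEQUENCE } }."""
    spec = der_seq(der_utf8(family), der_int(level), der_int(revision))
    return der_seq(der_oid(TCG_AT_TPM_SPECIFICATION), der_set(spec))


def ek_subject_alt_name(manufacturer: str, model: str, version: str) -> bytes:
    """GeneralNames with one directoryName ([4] EXPLICIT Name) holding the three tcg-at RDNs."""
    rdns = [der_set(der_seq(der_oid(oid), der_utf8(val)))
            for oid, val in ((TCG_AT_TPM_MANUFACTURER, manufacturer),
                             (TCG_AT_TPM_MODEL, model),
                             (TCG_AT_TPM_VERSION, version))]
    return der_seq(tlv(0xA4, der_seq(*rdns)))


def extension(oid: str, critical: bool, value: bytes) -> bytes:
    """X.509 Extension; critical is DEFAULT FALSE, so DER omits it when false."""
    parts = [der_oid(oid)] + ([tlv(0x01, b"\xff")] if critical else [])
    return der_seq(*parts, tlv(0x04, value))


def _read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _children(body: bytes) -> List[Tuple[int, bytes]]:
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read(body, pos)
        out.append((tag, val))
    return out


def _oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_tpm_specification(attr: bytes) -> Tuple[str, int, int]:
    """Decode (family, level, revision) from a tcg-at-tpmSpecification Attribute."""
    oid, values = _children(_read(attr)[1])
    if _oid(oid[1]) != TCG_AT_TPM_SPECIFICATION:
        raise ValueError("not a tcg-at-tpmSpecification attribute")
    fam, lvl, rev = _children(_read(values[1])[1])   # first value in the SET
    return (fam[1].decode("utf-8"),
            int.from_bytes(lvl[1], "big", signed=True),
            int.from_bytes(rev[1], "big", signed=True))


def parse_ek_san_extension(ext: bytes) -> Tuple[bool, Dict[str, str]]:
    """Return (critical, {tcg-at OID: value}) from a DER-encoded SAN Extension."""
    fields = _children(_read(ext)[1])
    if _oid(fields[0][1]) != ID_CE_SUBJECT_ALT_NAME:
        raise ValueError("not a subjectAltName extension")
    critical = len(fields) == 3 and fields[1][1] == b"\xff"
    identity: Dict[str, str] = {}
    for tag, gn in _children(_read(fields[-1][1])[1]):
        if tag != 0xA4:                 # only directoryName carries the TPM identity
            continue
        for _, rdn in _children(_read(gn)[1]):
            for _, atv in _children(rdn):
                typ, val = _children(atv)
                identity[_oid(typ[1])] = val[1].decode("utf-8")
    return critical, identity


if __name__ == "__main__":
    # Constructed sample identity; real EK certificates carry vendor-assigned strings.
    san = extension(ID_CE_SUBJECT_ALT_NAME, True,
                    ek_subject_alt_name("id:ACME", "ExampleTPM", "1.2"))
    print(parse_ek_san_extension(san))
    print(parse_tpm_specification(tpm_specification_attribute("1.2", 2, 116)))
```

The decoder deliberately reports the critical flag rather than assuming it, so a verifier can reject an EK certificate whose empty Subject is not compensated by a critical SAN; the TPMSpecification round trip shows that the level and revision travel as plain INTEGERs, so a "1.2" family string alone does not identify the implemented revision.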