public class EKCertificate
extends Object
An EK certificate is an instantiation of the TCG Endorsement Key Credential.
The value "Standard" in the Field Status column of the table below means the field is an inherent component of the standard certificate syntax and is not optional.
Some fields are assigned a value even though the certificate user performs no action based on that value. In such cases, the intention is to inhibit non-TCG implementations from making inappropriate use of the certificate.
Field Name | Description | Field Status
---|---|---
Version | Certificate syntax version number | Standard
Serial Number | Positive integer value unique relative to the issuer | Standard
Signature Algorithm | Algorithm used by the issuer to sign this certificate | Standard
Issuer | Distinguished name of the EK certificate issuer | Standard
Validity | Time interval during which the certificate is valid | Standard
Subject | Distinguished name of the certificate | Standard
Public Key Info | Identifier of the algorithm for the public key | Standard
Certificate Policies | Policy terms under which the certificate was issued | MUST
Alternative Names | Name forms other than directory distinguished names | MUST
Basic Constraints | CA certificate indicator and path constraints | MUST
Subject Directory Attributes | Various device characteristics | MUST
Authority Key Id | Identifies the subject public key of the certificate issuer | SHOULD
Authority Info Access | Indicates how to access CA information | MAY
CRL Distribution | Indicates how to access CRL information | MAY
Key Usage | Indicates the intended use of the subject public key | SHOULD NOT
Extended Key Usage | Indicates the intended use of the subject public key | SHOULD NOT
Subject Key Id | Identifies the subject public key of the certificate | SHOULD NOT
Subject Unique Id | Unique value when using a shared subject name | SHOULD NOT
Issuer Unique Id | Unique value when using a shared issuer name | SHOULD NOT
For details on this certificate, please refer to the public TCG specification: https://www.trustedcomputinggroup.org/specs/IWG/Credential_Profiles_V1_rev981.pdf
Field Summary | |
---|---|
static String | policyUserNotice = "TCPA Trusted Platform Module Endorsement" - UserNotice string for the EK certificate CertificatePolicies extension. |
Method Summary | |
---|---|
static SubjectAltName | alternativeNames(String manufacturer, String model, String version) - Creates the SubjectAlternativeNames extension as specified for an EK. |
static X509Certificate | create(Properties prop, X509Certificate caCert, PrivateKey caPrivateKey, RSAPublicKey ekPublicKey) - Creates a TPM Endorsement Key (EK) certificate. |
static SubjectDirectoryAttributes | subjectDirectoryAttributes(Attribute tpmSpecification, Attribute supportedAlgo, TPMSecurityAssertions tpmSecAss) - Creates the SubjectDirectoryAttributes extension as specified for an EK. |
static Attribute | supportedAlgorithms() - Creates the supportedAlgorithms Attribute as specified for an EK. |
static Attribute | TPMSpecification(String family, int level, int revision) - Creates the TPMSpecification Attribute as specified for an EK. |
Methods inherited from class Object |
---|
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
public static String policyUserNotice = "TCPA Trusted Platform Module Endorsement"
UserNotice string for the EK certificate CertificatePolicies extension.
Method Detail |
---|
public static X509Certificate create(Properties prop, X509Certificate caCert, PrivateKey caPrivateKey, RSAPublicKey ekPublicKey) throws X509ExtensionException, CertificateException
Creates a TPM Endorsement Key (EK) certificate. Before calling, set the properties section pointer to the section to be used as input, e.g.
prop.setSectionPointer("EK"); EKCertificate.create(prop, ....);
Parameters:
prop - custom settable properties of the certificate
caCert - certificate of the issuing authority
caPrivateKey - private key of the issuing authority
ekPublicKey - public part of the TPM endorsement key
Throws:
X509ExtensionException
CertificateException
public static Attribute TPMSpecification(String family, int level, int revision)
The 'TPM Specification' attribute which identifies the family and revision of the TCG TPM specification to which the TPM was designed.
tPMSpecification ATTRIBUTE ::= {
    WITH SYNTAX TPMSpecification
    ID tcg-at-tpmSpecification }

TPMSpecification ::= SEQUENCE {
    family   UTF8String,
    level    INTEGER,
    revision INTEGER }
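As an added worked example (not code from the EKCertificate class), the following Python encodes the TPMSpecification attribute above to DER and parses it back, checking the tags and the attribute OID the way an EK certificate verifier would; the tcg-at-tpmSpecification OID value 2.23.133.2.16 is taken from the TCG OID registry, not from this page.

```python
# Added, self-contained helper (not the EKCertificate library's code): DER round-trip of the
# 'TPM Specification' attribute above. Short-form lengths only (< 128 bytes); OID value assumed.
TCG_AT_TPM_SPECIFICATION = "2.23.133.2.16"   # tcg-at-tpmSpecification (TCG arc, assumed)

def tlv(tag, content):
    if len(content) >= 0x80:
        raise ValueError("long-form DER lengths are out of scope here")
    return bytes([tag, len(content)]) + content

def der_integer(n):                  # minimal two's-complement, as DER requires
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def oid_bytes(dotted):               # OBJECT IDENTIFIER content octets
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]         # base-128, high bit set on all but the last octet
        while arc := arc >> 7:
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return bytes(out)

def encode_tpm_specification_attribute(family, level, revision):
    # Attribute ::= SEQUENCE { type OID, values SET OF TPMSpecification }
    spec = tlv(0x30, tlv(0x0C, family.encode()) + der_integer(level) + der_integer(revision))
    return tlv(0x30, tlv(0x06, oid_bytes(TCG_AT_TPM_SPECIFICATION)) + tlv(0x31, spec))

def parse(buf):
    """[(tag, content)] with constructed tags (bit 0x20) expanded recursively."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        if length >= 0x80 or pos + 2 + length > len(buf):
            raise ValueError("unsupported or truncated DER length")
        content = buf[pos + 2:pos + 2 + length]
        out.append((tag, parse(content) if tag & 0x20 else content))
        pos += 2 + length
    return out

def decode_tpm_specification_attribute(der):
    [(tag, items)] = parse(der)      # ValueError unless exactly one top-level element
    if tag != 0x30 or len(items) != 2 or items[0] != (0x06, oid_bytes(TCG_AT_TPM_SPECIFICATION)):
        raise ValueError("not a single tcg-at-tpmSpecification Attribute")
    set_tag, values = items[1]
    if set_tag != 0x31 or len(values) != 1 or values[0][0] != 0x30:
        raise ValueError("values must be a SET holding one TPMSpecification SEQUENCE")
    if [t for t, _ in values[0][1]] != [0x0C, 0x02, 0x02]:   # family, level, revision
        raise ValueError("TPMSpecification must be UTF8String, INTEGER, INTEGER")
    (_, family), (_, level), (_, revision) = values[0][1]
    return family.decode(), int.from_bytes(level, "big", signed=True), int.from_bytes(revision, "big", signed=True)
```

The sample values ("1.2", level 2, revision 103) are constructed for illustration; a real attribute is read from the certificate's Subject Directory Attributes extension.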
public static Attribute supportedAlgorithms()
The multi-valued attribute 'supported algorithms' (see X.509) which SHOULD include object identifiers for the algorithms RSAES-OAEP, SHA-1 (1.3.14.3.2.26), and other algorithms implemented by the TPM.
The current implementation includes RSAES-OAEP, SHA-1 and TpmIdProtocol.
public static SubjectDirectoryAttributes subjectDirectoryAttributes(Attribute tpmSpecification, Attribute supportedAlgo, TPMSecurityAssertions tpmSecAss) throws X509ExtensionException
The following attribute MUST be included in a Subject Directory Attributes extension in the EK Certificate:
- The 'TPM Specification' attribute, which identifies the family and revision of the TCG TPM specification to which the TPM was designed.
The following attributes SHOULD be included in a Subject Directory Attributes extension in the EK Certificate:
- The multi-valued attribute 'supported algorithms' (see X.509), which SHOULD include object identifiers for the algorithms RSAES-OAEP, SHA-1 (1.3.14.3.2.26), and other algorithms implemented by the TPM.
- The 'TPM Security Assertions' attribute, which describes various assertions about the security properties of the TPM and the conditions under which the Endorsement Key was generated.
The following attributes are documented for compatibility with TCPA but SHOULD NOT be included in EK Certificates (see Changes Since TCPA 1.1b):
- The 'TCPA Specification Version' attribute, with field values correctly reflecting the highest version of the TCG specification with which the TPM implementation conforms.
- The 'security qualities' attribute, with a text string reflecting the security qualities of the TPM.
The extension SHOULD be non-critical.
Throws:
X509ExtensionException
public static SubjectAltName alternativeNames(String manufacturer, String model, String version)
Include the TPM identity, using the directory name-form with RDNs for the TPM manufacturer, model and version numbers.
TPMManufacturer ATTRIBUTE ::= {
    WITH SYNTAX UTF8String
    ID tcg-at-tpmManufacturer }

TPMModel ATTRIBUTE ::= {
    WITH SYNTAX UTF8String
    ID tcg-at-tpmModel }

TPMVersion ATTRIBUTE ::= {
    WITH SYNTAX UTF8String
    ID tcg-at-tpmVersion }

Assign "critical" the value TRUE.