iaik.tc.tss.impl.java.tsp
Class TcTpm

java.lang.Object
  extended by iaik.tc.tss.impl.java.tsp.TcAttributes
      extended by iaik.tc.tss.impl.java.tsp.TcWorkingObject
          extended by iaik.tc.tss.impl.java.tsp.TcAuthObject
              extended by iaik.tc.tss.impl.java.tsp.TcTpm
All Implemented Interfaces:
TcIAttributes, TcIAuthObject, TcITpm, TcIWorkingObject

public class TcTpm
extends TcAuthObject
implements TcITpm

TPM class implemented using singleton pattern.


Method Summary
 TcBlobData activateIdentity(TcIRsaKey identityKey, TcBlobData asymCaContentsBlob, TcBlobData symCaAttestationBlob)
          For general information about this method refer to TcITpm.activateIdentity(TcIRsaKey, TcBlobData, TcBlobData).
 TcTpmMigrationkeyAuth authorizeMigrationTicket(TcIRsaKey migrationKey, long migrationScheme)
          This method provides the migration ticket required for the migration process.
 TcTssValidation certifySelfTest(TcIRsaKey key, TcTssValidation validation)
          This method performs a self-test of each internal TPM function and returns an authenticated value (signature) if the test has passed.
 void changeAuth(TcIAuthObject parentObject, TcIPolicy newPolicy)
          This method changes the authorization data (secret) of an entity (object) and assigns the object to the newPolicy object.
 TcTssValidation checkMaintenancePubKey(TcIRsaKey key, TcTssValidation validationData)
          This method proofs the maintenance public key.
 void clearOwner(boolean forcedClear)
          This method clears the TPM ownership.
 void CMKApproveMA(TcIMigData maAuthData)
          This method creates an authorization ticket, to allow the TPM owner to specify which Migration Authorities they approve and allow users to create certified-migration-keys without further involvement with the TPM owner.
 void CMKCreateTicket(TcIRsaKey verifyKey, TcIMigData sigData)
          This method uses a public key to verify the signature over a digest.
 void CMKSetRestrictions(long cmkDelegate)
          This method is used by the owner to globally dictate the usage of a certified migration key with delegated authorization.
 TcBlobData collateIdentityRequest(TcIRsaKey srk, TcIRsaKey caPubKeyRsa, TcBlobData identityLabel, TcIRsaKey identityKey, long algId)
          Implementation specific notes: This implementation only supports AES for symmetric encryption.
 TcTssValidation createEndorsementKey(TcIRsaKey key, TcTssValidation validationData)
          This method creates the endorsement key.
 java.lang.Object[] createRevocableEndorsementKey(TcIRsaKey key, TcTssValidation validationData, TcTpmNonce ekResetData)
          This method creates the revocable endorsement key.
 TcBlobData dirRead(long dirIndex)
          This method reads a Data Integrity Register.
 void dirWrite(long dirIndex, TcBlobData dirData)
          This method writes a Data Integrity Register.
 TcBlobData getAttribCallback(long subFlag)
          Not yet supported.
 long getAttribCallbackUINT32(long subFlag)
          The sole purpose of this method is to notify callers that TSS 1.1 style callback functions are not supported.
 TcBlobData getCapability(long capArea, TcBlobData subCap)
          This method provides the capabilities of the TPM.
 boolean getCapabilityBoolean(long capArea, TcBlobData subCap)
          This method is an alternative to TcITpm.getCapability(long, TcBlobData).
 void getCapabilitySigned()
          The TPM function TPM_GetCapabilitySigned that actually performs this functions was found to contain a vulnerability that makes its security questionable therefore its use unadvised.
 long getCapabilityUINT32(long capArea, TcBlobData subCap)
          This method is an alternative to TcITpm.getCapability(long, TcBlobData).
 TcTssVersion getCapabilityVersion(long capArea, TcBlobData subCap)
          This method is an alternative to TcITpm.getCapability(long, TcBlobData).
 java.lang.Object[] getCredentials()
          This method is a TSP level front end to the TCS getCredentials method.
 TcTssPcrEvent getEvent(long pcrIndex, long eventNumber)
          This method provides a PCR event for a given PCR index and event number.
 int getEventCount(long pcrIndex)
          This method is similar to the getEvents method.
 TcTssPcrEvent[] getEventLog()
          This method provides the whole event log.
 TcTssPcrEvent[] getEvents(long pcrIndex, long startNumber, long eventNumber)
          This method provides a specific number of PCR events for a given index.
 TcIPolicy getOperatorPolicyObject()
          This method returns a policy object representing the operator policy currently assigned to the object.
 TcIPolicy getPolicyObject(long policyType)
          Note: Policy objects are returned by reference.
 java.lang.Object[] getPubEndorsementKey(boolean ownerAuthorized, TcTssValidation validationData)
          This method returns the public endorsement key.
 TcIRsaKey getPubEndorsementKeyOwner()
          This method returns the public endorsement key.
 TcBlobData getRandom(long length)
          This method returns random data obtained from the TPM via the TSS.
 TcTssVersion getRealTpmVersion()
          This internal method returns the TPM version as reported by using TcTssConstants.TSS_TPMCAP_VERSION_VAL for 1.2 chips and TcTssConstants.TSS_TPMCAP_VERSION for 1.1 chips.
 boolean getStatus(long statusFlag)
          This method returns the TPM status.
 TcBlobData getTestResult()
          This method provides manufacturer specific information regarding the results of the self test.
 boolean isOrdinalSupported(long ordinal)
          This method allows developers to check if a given command ordinal is supported by the TPM the context is connected to.
 boolean isTrousersCompatible()
           
 void killMaintenanceFeature()
          This method disables the functionality of creating a maintenance archive.
 TcTssValidation loadMaintenancePubKey(TcIRsaKey key, TcTssValidation validationData)
          This method loads the public maintenance key into the TPM.
 TcIRsaKey OwnerGetSRKPubKey()
          This method returns the public part of the SRK.
 TcBlobData pcrExtend(long pcrIndex, TcBlobData data, TcTssPcrEvent pcrEvent)
          This method extends a PCR register and writes the PCR event log.
 TcBlobData pcrRead(long pcrIndex)
          This methods reads a PCR register.
 void pcrReset(TcIPcrComposite pcrComposite)
          This methods resets a PCR register.
 TcTssValidation quote(TcIRsaKey identKey, TcIPcrComposite pcrComposite, TcTssValidation validation)
          This method quotes a TCG system.
 java.lang.Object[] quote2(TcIRsaKey identKey, boolean addVersion, TcIPcrComposite pcrComposite, TcTssValidation validation)
          This method quotes a TCG system using TPM_Quote2 which provides the requestor a more complete view of the current platform configuration than TPM_Quote.
 TcTpmCounterValue readCurrentCounter()
          This method reads the current value of the current active counter register.
 TcTpmCurrentTicks readCurrentTicks()
          This method reads the current tick out of the TPM.
 TcBlobData readEkCertIfx11()
          This method is VENDOR SPECIFIC for Infineon 1.1 TPMs.
 void revokeEndorsementKey(TcTpmNonce ekResetData)
          This method clears the TPM revocable endorsement key pair.
 void selfTestFull()
          This method performs a self-test of each internal TPM function.
 void setAttribCallback(long subFlag, TcBlobData attrib)
          Not yet supported.
 void setAttribCallbackUINT32(long subFlag, long attrib)
          The sole purpose of this method is to notify callers that TSS 1.1 style callback functions are not supported.
 void setAttribCredential(long subFlag, TcBlobData credential)
          This method can be used to set credentials (EK, Platform, ...) that should be used in the collateIdentity method.
 void setOperatorAuth(TcIPolicy operatorPolicy)
          This function sets the operator authorization value in the TPM.
 void setStatus(long statusFlag, boolean tpmState)
          This method modifies the TPM status.
 void setTrousersCompatible(boolean trousersCompatible)
           
 void stirRandom(TcBlobData entropyData)
          This method adds entropy to the TPM Random Number Generator.
 void takeOwnership(TcIRsaKey srk, TcIRsaKey pubEk)
          This method takes ownership of the TPM.
 
Methods inherited from class iaik.tc.tss.impl.java.tsp.TcAuthObject
changeAuthAsym, getUsagePolicyObject
 
Methods inherited from class iaik.tc.tss.impl.java.tsp.TcAttributes
getAttribData, getAttribUint32, setAttribData, setAttribUint32
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 
Methods inherited from interface iaik.tc.tss.api.tspi.TcIAttributes
getAttribData, getAttribUint32, setAttribData, setAttribUint32
 
Methods inherited from interface iaik.tc.tss.api.tspi.TcIAuthObject
changeAuthAsym, getUsagePolicyObject
 

Method Detail

isTrousersCompatible

public boolean isTrousersCompatible()

setTrousersCompatible

public void setTrousersCompatible(boolean trousersCompatible)

activateIdentity

public TcBlobData activateIdentity(TcIRsaKey identityKey,
                                   TcBlobData asymCaContentsBlob,
                                   TcBlobData symCaAttestationBlob)
                            throws TcTssException
For general information about this method refer to TcITpm.activateIdentity(TcIRsaKey, TcBlobData, TcBlobData). Implementation note: The following symmetric algorithms are supported:

Specified by:
activateIdentity in interface TcITpm
Parameters:
identityKey - The identity key object.
asymCaContentsBlob - The blob containing the encrypted ASYM_CA_CONTENTS data structure received from the Privacy CA.
symCaAttestationBlob - The blob containing the encrypted SYM_CA_ATTESTATION data structure received from the Privacy CA.
Returns:
The blob containing the decrypted credential.
Throws:
TcTssException

authorizeMigrationTicket

public TcTpmMigrationkeyAuth authorizeMigrationTicket(TcIRsaKey migrationKey,
                                                      long migrationScheme)
                                               throws TcTssException
Description copied from interface: TcITpm
This method provides the migration ticket required for the migration process.

Specified by:
authorizeMigrationTicket in interface TcITpm
Parameters:
migrationKey - key object representing the migration key.
migrationScheme - Flag indicating the migration scheme to be used.
Valid migrationSchemes are:
Returns:
memory block containing the migration ticket blob.
Throws:
TcTssException

certifySelfTest

public TcTssValidation certifySelfTest(TcIRsaKey key,
                                       TcTssValidation validation)
                                throws TcTssException
Description copied from interface: TcITpm
This method performs a self-test of each internal TPM function and returns an authenticated value (signature) if the test has passed. If the signature scheme of the provided key is not TcTssConstants.TSS_SS_RSASSAPKCS1V15_SHA1, the return value can either be a BAD_PARAMETER error or success with a vendor specific signature.

Specified by:
certifySelfTest in interface TcITpm
Parameters:
key - Signature key.
validation - ExternalData information required to compute the signature. If not validation data is provided (i.e. this parameter is set to null), validation is done by the TSP.
Returns:
Validation data and the data the validation data was computed from. Calculation of hash value for the validation data: SHA1 hash of the following three concatenated data blobs: ("Test Passed\0" || externalData || ordinal).
Throws:
TcTssException

checkMaintenancePubKey

public TcTssValidation checkMaintenancePubKey(TcIRsaKey key,
                                              TcTssValidation validationData)
                                       throws TcTssException
Description copied from interface: TcITpm
This method proofs the maintenance public key.

Specified by:
checkMaintenancePubKey in interface TcITpm
Parameters:
key - maintenance key object
validationData - externalData information required to compute the signature.
Returns:
validation data and the data the validation data was computed from. Note: If validation is not null, the state of the provided validation object is modified by this method.
Throws:
TcTssException

clearOwner

public void clearOwner(boolean forcedClear)
                throws TcTssException
Description copied from interface: TcITpm
This method clears the TPM ownership. Note on using physical presence for proofing TPM ownership: As the mechanism to determine physical presence is platform dependent you have to consult the manual of your system for further information. On typical PC type platforms, a forced clear can only be done from the systems BIOS.

Specified by:
clearOwner in interface TcITpm
Parameters:
forcedClear - If FALSE, a clear ownership with proof of the TPM owner secret is done. If TRUE, a forced clear ownership with proof of physical access is done.
Throws:
TcTssException

collateIdentityRequest

public TcBlobData collateIdentityRequest(TcIRsaKey srk,
                                         TcIRsaKey caPubKeyRsa,
                                         TcBlobData identityLabel,
                                         TcIRsaKey identityKey,
                                         long algId)
                                  throws TcTssException
Implementation specific notes: This implementation only supports AES for symmetric encryption. Valid algId parameters are: Note: If using the jTSS Core Services, the EK credentials of IFX 1.1 and 1.2 TPMs will be automatically included in the collageIdentityReq blob. For IFX 1.1 chips the credential is read from the TPM using vendor specific mechanisms. For IFX 1.2 TPMs the credential is read from the NV storage. The mode of operation is fixed to CBC and the padding is set to PKCS5 (TcTssConstants.TSS_ES_SYM_CBC_PKCS5PAD). For general information about this method refer to TcITpm.collateIdentityRequest(TcIRsaKey, TcIRsaKey, TcBlobData, TcIRsaKey, long).

Specified by:
collateIdentityRequest in interface TcITpm
Parameters:
srk - object (Storage Root Key).
caPubKeyRsa - Key object holding the public key of the CA which signs the certificate of the created identity key.
identityLabel - The identity label which should be a UNICODE string.
identityKey - Identity key object. The template for the identity key to be created. The key parameters must be set up correctly when creating the key object before this method is called..
algId - Symmetric algorithm to use as required by the Privacy CA.
Returns:
A blob containing the certificate request structure of type TPM_IDENTITY_REQ. This structure holds two blob: The symBlob is encrypted with a symmetric session key. The asymBlob holds this symmetric session key encrypted using the public key of the chosen Privacy CA. By that it is ensured that only this Privacy CA can decrypt the request blob.
Throws:
TcTssException

createEndorsementKey

public TcTssValidation createEndorsementKey(TcIRsaKey key,
                                            TcTssValidation validationData)
                                     throws TcTssException,
                                            TcTcsException,
                                            TcTpmException,
                                            TcTddlException
Description copied from interface: TcITpm
This method creates the endorsement key. The key information required for creating the endorsement key must be set in the key object using TcIAttributes.setAttribUint32(long, long, long) and TcIAttributes.setAttribData(long, long, TcBlobData)

Specified by:
createEndorsementKey in interface TcITpm
Parameters:
key - Key object specifying the attributes of the endorsement key to create.
validationData - Provides externalData information required to compute the checksum. If the TSP should compute compute the checksum set this parameter to null.
Returns:
The validation checksum and the data the validation checksum was computed from.
Throws:
TcTssException
TcTcsException
TcTpmException
TcTddlException

createRevocableEndorsementKey

public java.lang.Object[] createRevocableEndorsementKey(TcIRsaKey key,
                                                        TcTssValidation validationData,
                                                        TcTpmNonce ekResetData)
                                                 throws TcTssException,
                                                        TcTcsException,
                                                        TcTpmException,
                                                        TcTddlException
Description copied from interface: TcITpm
This method creates the revocable endorsement key. The key information required for creating the endorsement key must be set in the key object using TcIAttributes.setAttribUint32(long, long, long) and TcIAttributes.setAttribData(long, long, TcBlobData)

Specified by:
createRevocableEndorsementKey in interface TcITpm
Parameters:
key - Key object specifying the attributes of the endorsement key to create.
validationData - Provides externalData information required to compute the checksum. If the TSP should compute compute the checksum set this parameter to null.
ekResetData - The authorization value to be used with RevokeEndorsementKeyPair. Generated by the TPM if null.
Returns:
The returned Object[] contains the following elements:
  • 0 ... validation data plus checksum TcTssValidation
  • 1 ... authorisation value for resetting the endorsement key (TcTpmNonce
Throws:
TcTssException
TcTcsException
TcTpmException
TcTddlException

revokeEndorsementKey

public void revokeEndorsementKey(TcTpmNonce ekResetData)
                          throws TcTssException,
                                 TcTcsException,
                                 TcTpmException,
                                 TcTddlException
Description copied from interface: TcITpm
This method clears the TPM revocable endorsement key pair.

Specified by:
revokeEndorsementKey in interface TcITpm
Parameters:
ekResetData - The authorization value which was set with createRevocableEndorsementKey
Throws:
TcTssException
TcTcsException
TcTpmException
TcTddlException

dirRead

public TcBlobData dirRead(long dirIndex)
                   throws TcTssException
Description copied from interface: TcITpm
This method reads a Data Integrity Register.

Specified by:
dirRead in interface TcITpm
Parameters:
dirIndex - Index of the DIR to read.
Returns:
memory block containing the the DIR data.
Throws:
TcTssException

dirWrite

public void dirWrite(long dirIndex,
                     TcBlobData dirData)
              throws TcTssException
Description copied from interface: TcITpm
This method writes a Data Integrity Register.

Specified by:
dirWrite in interface TcITpm
Parameters:
dirIndex - Index of the DIR to write.
dirData - data to be written to the DIR.
Throws:
TcTssException

getCapability

public TcBlobData getCapability(long capArea,
                                TcBlobData subCap)
                         throws TcTssException
Description copied from interface: TcITpm
This method provides the capabilities of the TPM.

Specified by:
getCapability in interface TcITpm
Parameters:
capArea - Flag indicating the attribute to query.
Valid capAreas are:
subCap - Data indicating the attribute to query.
Valid subCaps are:
  • TcTpmOrdinals.TPM_ORD_*
  • TcTssConstants.TSS_ALG_*
  • TcTpmConstants.TPM_SYM_MODE_*
  • TcTssConstants.TSS_RT_*
  • TcTssConstants.TSS_ES_*
Returns:
data of the specified attribute
Throws:
TcTssException

getCapabilityBoolean

public boolean getCapabilityBoolean(long capArea,
                                    TcBlobData subCap)
                             throws TcTssException
Description copied from interface: TcITpm
This method is an alternative to TcITpm.getCapability(long, TcBlobData). The only difference is that the returned data is interpreted as TSS_BOOL (boolean).

Specified by:
getCapabilityBoolean in interface TcITpm
Throws:
TcTssException

getCapabilityUINT32

public long getCapabilityUINT32(long capArea,
                                TcBlobData subCap)
                         throws TcTssException
Description copied from interface: TcITpm
This method is an alternative to TcITpm.getCapability(long, TcBlobData). The only difference is that the returned data is interpreted as UINT32 (long).

Specified by:
getCapabilityUINT32 in interface TcITpm
Throws:
TcTssException

getCapabilityVersion

public TcTssVersion getCapabilityVersion(long capArea,
                                         TcBlobData subCap)
                                  throws TcTssException
Description copied from interface: TcITpm
This method is an alternative to TcITpm.getCapability(long, TcBlobData). The only difference is that the returned data is interpreted as TSS_VERSION. Note that on 1.2 TPMs, TSS_TPMCAP_VERSION is fixed to always return 1.1.0.0. To obtain the real TPM version on a 1.2 TPM, TSS_TPMCAP_VERSION_VAL has to be used. TSS_TPMCAP_VERSION_VAL not only retrieves the version but a TcTpmCapVersionInfo structure. This method returns the version field of this structure. To obtain the full TcTpmCapVersionInfo structure, use TcITpm.getCapability(long, TcBlobData).

Specified by:
getCapabilityVersion in interface TcITpm
Parameters:
capArea - Flag indicating the attribute to query
Valid capAreas are:
subCap - Ignored (set to null);
Returns:
The TPM version.
Throws:
TcTssException

getRealTpmVersion

public TcTssVersion getRealTpmVersion()
                               throws TcTssException
This internal method returns the TPM version as reported by using TcTssConstants.TSS_TPMCAP_VERSION_VAL for 1.2 chips and TcTssConstants.TSS_TPMCAP_VERSION for 1.1 chips.

Throws:
TcTssException

getCapabilitySigned

public void getCapabilitySigned()
                         throws TcTssException
Description copied from interface: TcITpm
The TPM function TPM_GetCapabilitySigned that actually performs this functions was found to contain a vulnerability that makes its security questionable therefore its use unadvised.

Specified by:
getCapabilitySigned in interface TcITpm
Throws:
TcTssException

getEvent

public TcTssPcrEvent getEvent(long pcrIndex,
                              long eventNumber)
                       throws TcTssException
Description copied from interface: TcITpm
This method provides a PCR event for a given PCR index and event number.

Specified by:
getEvent in interface TcITpm
Parameters:
pcrIndex - Index of the PCR to request.
eventNumber - Index of the event to request.
Returns:
PCR event data.
Throws:
TcTssException

getEventCount

public int getEventCount(long pcrIndex)
                  throws TcTssException
Description copied from interface: TcITpm
This method is similar to the getEvents method. The only difference is the return value: This method returns the number of entries that would be retrieved when calling the getEvents method. This method is based on the getEvents method of the TSS where the prgPcrEvents parameter is set to 0.

Specified by:
getEventCount in interface TcITpm
Parameters:
pcrIndex - Index of the PCR to request.
Returns:
number of events reported
Throws:
TcTssException

getEventLog

public TcTssPcrEvent[] getEventLog()
                            throws TcTssException
Description copied from interface: TcITpm
This method provides the whole event log.

Specified by:
getEventLog in interface TcITpm
Returns:
The event log.
Throws:
TcTssException

getEvents

public TcTssPcrEvent[] getEvents(long pcrIndex,
                                 long startNumber,
                                 long eventNumber)
                          throws TcTssException
Description copied from interface: TcITpm
This method provides a specific number of PCR events for a given index.

Specified by:
getEvents in interface TcITpm
Parameters:
pcrIndex - Index of the PCR to request.
startNumber - Index of the first event to request.
eventNumber - Number of elements to request.
Returns:
array of PCR event data.
Throws:
TcTssException

getPubEndorsementKey

public java.lang.Object[] getPubEndorsementKey(boolean ownerAuthorized,
                                               TcTssValidation validationData)
                                        throws TcTssException
Description copied from interface: TcITpm
This method returns the public endorsement key. The public key information of the endorsement key can be retrieved via TcIAttributes.getAttribData(long, long).

Specified by:
getPubEndorsementKey in interface TcITpm
Parameters:
ownerAuthorized - Flag determining if owner authorization is required. Note that owner authorization is not required if the ownership of the TPM has not yet been taken. After TPM ownership has been taken, owner authorization is required to obtain the public EK.
validationData - External data that is used by the TPM to compute the checksum. If this parameter is omitted (i.e. it is set to null), the validation is done by the TSP:
Returns:
The returned Object[] contains the following elements:
Throws:
TcTssException

getPubEndorsementKeyOwner

public TcIRsaKey getPubEndorsementKeyOwner()
                                    throws TcTssException
Description copied from interface: TcITpm
This method returns the public endorsement key. The public key information of the endorsement key can be retrieved via TcIAttributes.getAttribData(long, long). This method always tries to read the public EK using owner authorization. If effectively is a shortcut for TcITpm.getPubEndorsementKey(boolean, TcTssValidation) with (true, null) as parameters.

Specified by:
getPubEndorsementKeyOwner in interface TcITpm
Returns:
TcIRsaKey
Throws:
TcTssException

getRandom

public TcBlobData getRandom(long length)
                     throws TcTssException
Description copied from interface: TcITpm
This method returns random data obtained from the TPM via the TSS.

Specified by:
getRandom in interface TcITpm
Parameters:
length - The length of the data to be requested. The maximum length of the random data is 4096.
Returns:
Random data received from the TPM.
Throws:
TcTssException

getStatus

public boolean getStatus(long statusFlag)
                  throws TcTssException
Description copied from interface: TcITpm
This method returns the TPM status.
Valid statusFlags are:

Specified by:
getStatus in interface TcITpm
Parameters:
statusFlag - status flag to be read
Returns:
value of status flag
Throws:
TcTssException

getTestResult

public TcBlobData getTestResult()
                         throws TcTssException
Description copied from interface: TcITpm
This method provides manufacturer specific information regarding the results of the self test.

Specified by:
getTestResult in interface TcITpm
Returns:
Memory block containing the TPM manufacturer specific information.
Throws:
TcTssException

killMaintenanceFeature

public void killMaintenanceFeature()
                            throws TcTssException
Description copied from interface: TcITpm
This method disables the functionality of creating a maintenance archive. After disabling the functionality of creating a maintenance archive, this functionality can only be enabled again by releasing the TPM ownership.

Specified by:
killMaintenanceFeature in interface TcITpm
Throws:
TcTssException

loadMaintenancePubKey

public TcTssValidation loadMaintenancePubKey(TcIRsaKey key,
                                             TcTssValidation validationData)
                                      throws TcTssException
Description copied from interface: TcITpm
This method loads the public maintenance key into the TPM. The maintenance public key can only be loaded once. Subsequent calls to Tspi_TPM_LoadMaintenancePubKey will fail.

Specified by:
loadMaintenancePubKey in interface TcITpm
Parameters:
key - maintenance key object
validationData - externalData information required to compute the signature. If validationData != NULL: The caller has to proof the digest by its own. If validationData == NULL: The TSS Service Provider proofs the digest got from the TPM internally.
Returns:
validation data and the data the validation data was computed from. Calculation of hash value for the validation data: SHA1 hash of the concatenated data of ||
Throws:
TcTssException

pcrExtend

public TcBlobData pcrExtend(long pcrIndex,
                            TcBlobData data,
                            TcTssPcrEvent pcrEvent)
                     throws TcTssException
Description copied from interface: TcITpm
This method extends a PCR register and writes the PCR event log. If no pcrEvent parameter is supplied, the pcrEventData parameter is expected to be a SHA-1 hash that is directly extended into the specified PCR register. In this case, the provided pcrEventData value is not touched by the TSP. If however a pcrEvent is provided, then the value that is extended into the specified PCR is computed as follows: SHA-1(pcrIndex || pcrEventData || pcrEvent.eventType || pcrEvent).

Specified by:
pcrExtend in interface TcITpm
Parameters:
pcrIndex - Index of the PCR to extend.
data - Data blob for the PCR extend operation.
pcrEvent - Contains the info for an event entry. If this object is null no event entry is created and the method only executes an TPM extend operation
Returns:
Memory block containing the PCR data after the extend operation.
Throws:
TcTssException

pcrRead

public TcBlobData pcrRead(long pcrIndex)
                   throws TcTssException
Description copied from interface: TcITpm
This methods reads a PCR register.

Specified by:
pcrRead in interface TcITpm
Parameters:
pcrIndex - Index of the PCR to read.
Returns:
The PCR data read from the TPM.
Throws:
TcTssException

pcrReset

public void pcrReset(TcIPcrComposite pcrComposite)
              throws TcTssException
Description copied from interface: TcITpm
This methods resets a PCR register. Whether or not is succeeds may depend on the locality executing the command. PCRs can be defined in a platform specific specification to allow reset of certain PCRs only for certain localities. The one exception is PCR 16 which can always be reset in a 1.2 implementation. This is to allow for software testing.

Specified by:
pcrReset in interface TcITpm
Parameters:
pcrComposite - Indices of the PCR to read.
Throws:
TcTssException

quote

public TcTssValidation quote(TcIRsaKey identKey,
                             TcIPcrComposite pcrComposite,
                             TcTssValidation validation)
                      throws TcTssException
Description copied from interface: TcITpm
This method quotes a TCG system. Which PCRs should be quoted must be set in the PcrComposite object before calling this method.
If structure type other than TcTssConstants.TSS_PCRS_STRUCT_INFO is used in the PcrComposite a TcTssException with error code TcTssErrors.TSS_E_INVALID_OBJ_ACCESS is thrown. The returned signature is computed over the TcTpmQuoteInfo structure.

Specified by:
quote in interface TcITpm
Parameters:
identKey - Signature key.
pcrComposite - PCR composite object. Will be used as input only.
validation - Provides externalData information required to compute the signature. If this parameter is omitted (set to null), the TSP will generate external data and do the validation.
An important use of TPM_Quote is to provide a digital signature on arbitrary data, where the signature includes the PCR values of the platform at the time of signing. Hence, the externalData is not just for anti-replay purposes although it is used for that purpose in an integrity challenge. If the validation parameter is omitted (set to null), the TSP will generate anti-replay data that is validated upon receiving the response from the TPM.
Returns:
The validation data and the data the validation data was computed from.
Throws:
TcTssException

quote2

public java.lang.Object[] quote2(TcIRsaKey identKey,
                                 boolean addVersion,
                                 TcIPcrComposite pcrComposite,
                                 TcTssValidation validation)
                          throws TcTssException
Description copied from interface: TcITpm
This method quotes a TCG system using TPM_Quote2 which provides the requestor a more complete view of the current platform configuration than TPM_Quote. The required information about which PCRs should be quoted must be set in the PcrComposite object before calling this method.
If structure type other than TcTssConstants.TSS_PCRS_STRUCT_INFO_SHORT is used in the PcrComposite a TcTssException with error code TcTssErrors.TSS_E_INVALID_OBJ_ACCESS is thrown. The returned signature is computed over the TcTpmQuoteInfo structure.

Specified by:
quote2 in interface TcITpm
Parameters:
identKey - Signature key.
addVersion - If true, the TPM version is added to the output otherwise it is omitted.
pcrComposite - PCR composite object. Will be used as input only.
validation - Provides externalData information required to compute the signature. If this parameter is omitted (set to null), the TSP will generate external data and do the validation.
An important use of TPM_Quote is to provide a digital signature on arbitrary data, where the signature includes the PCR values of the platform at the time of signing. Hence, the externalData is not just for anti-replay purposes although it is used for that purpose in an integrity challenge. If the validation parameter is omitted (set to null), the TSP will generate anti-replay data that is validated upon receiving the response from the TPM.
Returns:
The returned Object[] contains the following elements:
Throws:
TcTssException

selfTestFull

public void selfTestFull()
                  throws TcTssException
Description copied from interface: TcITpm
This method performs a self-test of each internal TPM function.

Specified by:
selfTestFull in interface TcITpm
Throws:
TcTssException

setStatus

public void setStatus(long statusFlag,
                      boolean tpmState)
               throws TcTssException
Description copied from interface: TcITpm
This method modifies the TPM status.

Specified by:
setStatus in interface TcITpm
Parameters:
statusFlag - determines the flag to be set.
Valid statusFlags are:
tpmState - the new value of the flag
Throws:
TcTssException

stirRandom

public void stirRandom(TcBlobData entropyData)
                throws TcTssException
Description copied from interface: TcITpm
This method adds entropy to the TPM Random Number Generator.

Specified by:
stirRandom in interface TcITpm
Parameters:
entropyData - The entropy data.
Throws:
TcTssException

takeOwnership

public void takeOwnership(TcIRsaKey srk,
                          TcIRsaKey pubEk)
                   throws TcTssException
Description copied from interface: TcITpm
This method takes ownership of the TPM. The process of taking ownership is the procedure whereby the owner inserts a shared secret into the TPM. The owner of the TPM has the right to perform special operations. As part of this command, the owner password is set and a new SRK key pair is created.

Specified by:
takeOwnership in interface TcITpm
Parameters:
srk - The storage root key object.
pubEk - The public endorsement key object. The public endorsement key is required for encryption of the SRK and EK secret sent to the TPM. The pubEk parameter can be set to null. In this case, the takeOwnership method will query the TPM for the public endorsement key.s
Throws:
TcTssException

getPolicyObject

public TcIPolicy getPolicyObject(long policyType)
                          throws TcTssException
Description copied from class: TcAuthObject
Note: Policy objects are returned by reference. Keep that in mind when modifying a policy. For general documentation of this method refer to TcIAuthObject.getPolicyObject(long).

Specified by:
getPolicyObject in interface TcIAuthObject
Overrides:
getPolicyObject in class TcAuthObject
Parameters:
policyType - The policy type to be returned (TSS_POLICY_*)
Returns:
Policy object currently assigned to the object.
Throws:
TcTssException

getOperatorPolicyObject

public TcIPolicy getOperatorPolicyObject()
                                  throws TcTssException
This method returns a policy object representing the operator policy currently assigned to the object. It is based on the getPolicy method of the TSS with TSS_POLICY_OPERATOR as parameter. Note: Policy objects are returned by reference. Keep that in mind when modifying a policy.

Returns:
Operator policy object.
Throws:
TcTssException
TSS Spec. 1.2 Errata A, page number:
182
TSS Spec. 1.10 Golden, Aug. 20, 2003, page number:
73

getCredentials

public java.lang.Object[] getCredentials()
                                  throws TcTssException
This method is a TSP level front end to the TCS getCredentials method. It calls down to the TCS to obtain the endorsement, platform and conformance certificates. Note that this TSP level method is not standardized by the TSS specification and therefore is not part TcITpm interface. Note that if a certificate is not available on the system, null is returned for this certificate.

Returns:
The return value array contains the following elements:
  • 0 ... endorsement credential (TcBlobData)
  • 1 ... platform credential (TcBlobData)
  • 2 ... conformance credential (TcBlobData)
Throws:
{@link - TcTssException}
TcTssException

readEkCertIfx11

public TcBlobData readEkCertIfx11()
                           throws TcTssException
This method is VENDOR SPECIFIC for Infineon 1.1 TPMs. It reads the EK certificate contained in such chips and returns it. If the TPM is not an IFX 1.1 TPM, a TcTspException will be thrown. This obviously is not available in all TSSs and therefore not standardized in the TcITpm.

Returns:
EK certificate blob read from the TPM chip.
Throws:
{@link - TcTssException}
TcTssException

isOrdinalSupported

public boolean isOrdinalSupported(long ordinal)
                           throws TcTssException
This method allows developers to check if a given command ordinal is supported by the TPM the context is connected to. This is useful in cases where developers e.g. want to sued optional or commands that are not part of all versions of the TPM specification. The same functionality can be achieved using the getCapability functionality to check for supported ordinals. This method however, is simpler to use and additionally provides caching of the results. In cases where the same ordinal is queried more than once, this method avoids the calls to the TCS and TPM.

Parameters:
ordinal - The TPM command ordinal to be checked.
Returns:
Returns true if the ordinal is supported, false otherwise.
Throws:
{@link - TcTssException}
TcTssException

changeAuth

public void changeAuth(TcIAuthObject parentObject,
                       TcIPolicy newPolicy)
                throws TcTssException
Description copied from interface: TcIAuthObject
This method changes the authorization data (secret) of an entity (object) and assigns the object to the newPolicy object. All classes using secrets provide this method for changing their authorization data. To change the TPM owner authorization, this method has to be called on the TPM object. The parent has to be set to null. To change the SRK authorization, this method has to be called on the SRK key object and the parent has to be set to the TPM object.

Specified by:
changeAuth in interface TcIAuthObject
Parameters:
parentObject - The parent object wrapping this object.
newPolicy - Policy object providing the new authorization data.
Throws:
TcTssException

setAttribCallbackUINT32

public void setAttribCallbackUINT32(long subFlag,
                                    long attrib)
                             throws TcTssException
The sole purpose of this method is to notify callers that TSS 1.1 style callback functions are not supported.

Throws:
TcTssException

getAttribCallbackUINT32

public long getAttribCallbackUINT32(long subFlag)
                             throws TcTssException
The sole purpose of this method is to notify callers that TSS 1.1 style callback functions are not supported.

Throws:
TcTssException

setAttribCallback

public void setAttribCallback(long subFlag,
                              TcBlobData attrib)
                       throws TcTssException
Not yet supported.

Throws:
TcTssException

getAttribCallback

public TcBlobData getAttribCallback(long subFlag)
                             throws TcTssException
Not yet supported.

Throws:
TcTssException

setAttribCredential

public void setAttribCredential(long subFlag,
                                TcBlobData credential)
                         throws TcTssException
This method can be used to set credentials (EK, Platform, ...) that should be used in the collateIdentity method. Credentials set via this method have precedence over credentials that are internally obtained by the TSS.

Parameters:
subFlag - Sub flag indicating the attribute to set. Valid subFlags are:
credential - The credential blob to set.
Throws:
{@link - TcTssException}
TcTssException
TSS Spec. 1.2 Errata A, page number:
240

readCurrentTicks

public TcTpmCurrentTicks readCurrentTicks()
                                   throws TcTssException
Description copied from interface: TcITpm
This method reads the current tick out of the TPM.

Specified by:
readCurrentTicks in interface TcITpm
Returns:
Current value of tick counter in the TPM
Throws:
TcTssException

readCurrentCounter

public TcTpmCounterValue readCurrentCounter()
                                     throws TcTssException
Description copied from interface: TcITpm
This method reads the current value of the current active counter register.

Specified by:
readCurrentCounter in interface TcITpm
Returns:
Current value of the counter
Throws:
TcTssException

OwnerGetSRKPubKey

public TcIRsaKey OwnerGetSRKPubKey()
                            throws TcTssException
Description copied from interface: TcITpm
This method returns the public part of the SRK. Can be used to initialize the system persistent storage with the SRK without the need to take ownership again.

Specified by:
OwnerGetSRKPubKey in interface TcITpm
Returns:
A key object containing only the public part of the storage root key (SRK).
Throws:
TcTssException

CMKApproveMA

public void CMKApproveMA(TcIMigData maAuthData)
                  throws TcTssException
Description copied from interface: TcITpm
This method creates an authorization ticket, to allow the TPM owner to specify which Migration Authorities they approve and allow users to create certified-migration-keys without further involvement with the TPM owner.

Specified by:
CMKApproveMA in interface TcITpm
Parameters:
maAuthData - Migration data properties object to transfer the input and output data blob during the migration process. For this command the object calculates the digest of the selected MSA (Migration Selection Authority) which are imported into this object.
Throws:
TcTssException

CMKCreateTicket

public void CMKCreateTicket(TcIRsaKey verifyKey,
                            TcIMigData sigData)
                     throws TcTssException
Description copied from interface: TcITpm
This method uses a public key to verify the signature over a digest. The output ticket data can be used to prove the same TPM for signature verification. This operation requires owner authorization which can be delegated.

Specified by:
CMKCreateTicket in interface TcITpm
Parameters:
verifyKey - The Key object containing the public key used to check the signature value.
sigData - Migration data properties object to transfer the input and output data blob during the migration process. For this command the object includes the data proper to be signed and the signature value to be verified. The caller can access the ticket/signature data via GetAttribData().
Throws:
TcTssException

CMKSetRestrictions

public void CMKSetRestrictions(long cmkDelegate)
                        throws TcTssException
Description copied from interface: TcITpm
This method is used by the owner to globally dictate the usage of a certified migration key with delegated authorization. This command can't be owner delegated.

Specified by:
CMKSetRestrictions in interface TcITpm
Parameters:
cmkDelegate - Bit mask to determine the restrictions on certified-migration-keys Valid Flags are:
Throws:
TcTssException

setOperatorAuth

public void setOperatorAuth(TcIPolicy operatorPolicy)
                     throws TcTssException
Description copied from interface: TcITpm
This function sets the operator authorization value in the TPM.

Specified by:
setOperatorAuth in interface TcITpm
Parameters:
operatorPolicy - the policy object holding the new operator authorization value.
Throws:
TcTssException