Object > AIKCertificate
public class AIKCertificate
An AIK certificate is an instantiation of the TCG Attestation Identity Key Credential.
The value "Standard" in the Field Status column of the table below means the field is an inherent component of the standard certificate syntax and is not optional.
Some fields are assigned a value even though the certificate user performs no action based on that value. In such cases, the intention is to inhibit non-TCG implementations from making inappropriate use of the certificate.

| Field Name | Description | Field Status |
|---|---|---|
| Version | Certificate syntax version number | Standard |
| Serial Number | Positive integer value unique relative to the issuer | Standard |
| Signature Algorithm | Algorithm used by the issuer to sign this certificate | Standard |
| Issuer | Distinguished name of the AIK certificate issuer | Standard |
| Validity | Time interval during which the certificate is valid | Standard |
| Subject | Distinguished name of the certificate. MUST be empty. | Standard |
| Public Key Info | Identifier of the algorithm for the public key | Standard |
| Certificate Policies | Policy terms under which the certificate was issued | MUST |
| Alternative Names | Name forms other than directory distinguished names | MUST |
| Basic Constraints | CA certificate indicator and path constraints | MUST |
| Subject Directory Attributes | Various device characteristics | MUST |
| Authority Key Id | Identifies the subject public key of the certificate issuer | SHOULD |
| Authority Info Access | Indicates how to access CA information | MAY |
| CRL Distribution | Indicates how to access CRL information | MAY |
| Key Usage | Indicates the intended use of the subject public key | SHOULD NOT |
| Extended Key Usage | Indicates the intended use of the subject public key | SHOULD NOT |
| Subject Key Id | Identifies the subject public key of the certificate | SHOULD NOT |
| Subject Unique Id | Unique value when using a shared subject name | SHOULD NOT |
| Issuer Unique Id | Unique value when using a shared issuer name | SHOULD NOT |
For details on this certificate please refer to the public TCG specification https://www.trustedcomputinggroup.org/specs/IWG/Credential_Profiles_V1_rev981.pdf
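A verifier-side conformance check against the field-status table above, added here as an example; it is not part of the AIKCertificate project's code. It uses only the JDK's java.security.cert API. The extension OIDs are the standard RFC 5280 values (not taken from this page), and treating a Basic Constraints extension that asserts cA=TRUE as a failure is the checker's own assumption (an AIK is an end-entity key), not a rule stated in the table.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Checks a parsed certificate against the MUST / SHOULD / SHOULD NOT rules of the AIK profile table. */
public final class AikProfileCheck {
    // Standard extension OIDs from RFC 5280 (assumed; this page does not list them).
    static final String CERT_POLICIES = "2.5.29.32", SUBJECT_ALT_NAME = "2.5.29.17",
            BASIC_CONSTRAINTS = "2.5.29.19", SUBJECT_DIR_ATTRS = "2.5.29.9",
            AUTHORITY_KEY_ID = "2.5.29.35", SUBJECT_KEY_ID = "2.5.29.14";

    /** Returns the list of profile violations; an empty list means the certificate conforms. */
    public static List<String> check(X509Certificate cert) {
        List<String> findings = new ArrayList<>();
        Set<String> critical = cert.getCriticalExtensionOIDs();   // null when the cert has no extensions

        // Subject MUST be empty; the TPM and platform names live in the Subject Alternative Name instead.
        if (!cert.getSubjectX500Principal().getName().isEmpty())
            findings.add("MUST: subject DN is not empty");

        // Extensions the profile marks MUST.
        require(cert, CERT_POLICIES, "Certificate Policies", findings);
        require(cert, SUBJECT_ALT_NAME, "Subject Alternative Name", findings);
        require(cert, BASIC_CONSTRAINTS, "Basic Constraints", findings);
        require(cert, SUBJECT_DIR_ATTRS, "Subject Directory Attributes", findings);

        // Criticality as the method details below describe it: SAN critical, directory attributes not.
        if (critical == null || !critical.contains(SUBJECT_ALT_NAME))
            findings.add("Subject Alternative Name is not marked critical");
        if (critical != null && critical.contains(SUBJECT_DIR_ATTRS))
            findings.add("SHOULD: Subject Directory Attributes is marked critical");

        // Checker's own assumption: an AIK is an end-entity key, so cA must not be asserted.
        if (cert.getBasicConstraints() != -1)
            findings.add("Basic Constraints asserts cA=TRUE on an AIK certificate");

        // SHOULD be present.
        if (cert.getExtensionValue(AUTHORITY_KEY_ID) == null)
            findings.add("SHOULD: Authority Key Identifier is missing");

        // SHOULD NOT be present.
        if (cert.getKeyUsage() != null) findings.add("SHOULD NOT: Key Usage is present");
        try {
            if (cert.getExtendedKeyUsage() != null) findings.add("SHOULD NOT: Extended Key Usage is present");
        } catch (CertificateParsingException e) {
            findings.add("Extended Key Usage is present but cannot be parsed");
        }
        if (cert.getExtensionValue(SUBJECT_KEY_ID) != null) findings.add("SHOULD NOT: Subject Key Identifier is present");
        if (cert.getSubjectUniqueID() != null) findings.add("SHOULD NOT: Subject Unique Id is present");
        if (cert.getIssuerUniqueID() != null) findings.add("SHOULD NOT: Issuer Unique Id is present");
        return findings;
    }

    private static void require(X509Certificate cert, String oid, String name, List<String> findings) {
        if (cert.getExtensionValue(oid) == null) findings.add("MUST: " + name + " extension is missing");
    }

    // Usage: java AikProfileCheck <aik-cert-file>   (PEM or DER; the file is the caller's, not the page's)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            List<String> findings = check(cert);
            if (findings.isEmpty()) System.out.println("conforms to the AIK profile");
            findings.forEach(f -> System.out.println("FAIL " + f));
        }
    }
}
```

The check deliberately reports SHOULD NOT extensions as findings rather than ignoring them: as the text notes, those fields are the ones a non-TCG consumer would be tempted to act on, so a relying party that sees them present has a certificate that was not issued to this profile.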
| Field Summary | |
|---|---|
| static String | policyUserNotice: "TCPA Trusted Platform Identity". |
| Method Summary | |
|---|---|
| static SubjectAltName | alternativeNames(X509Certificate ekCert, AttributeCertificate peCert, String tpmIdlabel): Creates the SubjectAlternativeName extension as specified for an AIK. |
| static CertificatePolicies | certificatePolicies(X509Certificate ekCert, AttributeCertificate peCert, String policyOID, String policyURL): Creates the CertificatePolicies extension as specified for an AIK. |
| static X509Certificate | create(Properties prop, X509Certificate caCert, PrivateKey caPrivateKey, X509Certificate ekCert, AttributeCertificate peCert, RSAPublicKey aikPublicKey): Creates an Attestation Identity Key (AIK) certificate. |
| static String | getTPMLabelID(X509Certificate cert): Extracts the identity label of an AIK certificate. |
| static SubjectDirectoryAttributes | subjectDirectoryAttributes(X509Certificate ekCert, AttributeCertificate peCert): Creates the SubjectDirectoryAttributes extension as specified for an AIK. |
| Methods inherited from class Object |
|---|
| equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
| Field Detail |
|---|

public static String policyUserNotice

Value: "TCPA Trusted Platform Identity"

UserNotice string for the AIK certificate CertificatePolicies extension.
| Method Detail |
|---|

public static X509Certificate create(Properties prop, X509Certificate caCert, PrivateKey caPrivateKey, X509Certificate ekCert, AttributeCertificate peCert, RSAPublicKey aikPublicKey) throws X509ExtensionException, CertificateException

Before calling, set the properties section pointer to the section to be used as input, e.g.

```java
prop.setSectionPointer("AIK");
AIKCertificate.create(prop, ....);
```

Parameters:
- prop - custom settable properties of the certificate
- caCert - certificate of the issuing authority
- caPrivateKey - private key of the issuing authority
- ekCert - TPM Endorsement Key credential
- peCert - Platform Endorsement credential
- aikPublicKey - public part of the attestation identity key

Throws:
- X509ExtensionException
- CertificateException
public static String getTPMLabelID(X509Certificate cert)

Parameters:
- cert - X509Certificate of type AIK

Returns:
- null on error or if no label is found.

public static CertificatePolicies certificatePolicies(X509Certificate ekCert, AttributeCertificate peCert, String policyOID, String policyURL) throws X509ExtensionException

For policyOID and policyURL see Extensions.certificatePolicies(java.lang.String, java.lang.String, java.lang.String).
Also includes the policyInformation values from the certificate policies extensions of the TPM EK and platform certificates provided in the TPM identity request message.

Throws:
- X509ExtensionException
public static SubjectDirectoryAttributes subjectDirectoryAttributes(X509Certificate ekCert, AttributeCertificate peCert) throws X509ExtensionException

The following attributes MUST be included in a Subject Directory Attributes extension in the AIK certificate:
- The 'TPM Specification' attribute, which identifies the family and revision of the TCG TPM specification to which the TPM was designed.
- The 'TCG Platform Specification' attribute, which references the platform class, version and revision level of the TCG platform-specific specification to which the platform was designed.

The following attributes SHOULD be included in a Subject Directory Attributes extension in the AIK certificate:
- The multi-valued attribute "supported algorithms" (see X.509), which SHOULD include object identifiers for the algorithms RSAES-OAEP, SHA-1 (1.3.14.3.2.26), and other algorithms implemented by the TPM.
- The 'TPM Security Assertions' attribute, which describes various assertions about the security properties of the TPM and the conditions under which the Endorsement Key was generated.
- The platform "TBB Security Assertions" attribute, which describes various assertions about the security properties of the TBB of the platform.

The extension SHOULD be non-critical.

Throws:
- X509ExtensionException
public static SubjectAltName alternativeNames(X509Certificate ekCert, AttributeCertificate peCert, String tpmIdlabel)

Include three values in the extension:
- The TPM manufacturer, model and version numbers from the TPM EK certificate "Subject Alternative Name" extension.
- The platform manufacturer, model and version numbers from the platform certificate "subject alternative name" extension.
- The TPM identity label provided to the Privacy-CA by the TPM owner, encoded as a TPMIdLabel other-name. The TPM owner should choose a label syntax and semantics that are understood by the integrity verifier. (Note: the specified syntax accommodates multi-byte character sets.)

```
TPMIdLabel OTHER-NAME ::= { UTF8String IDENTIFIED BY { tcg-at-tpmIdLabel } }
```

Assign "critical" the value TRUE.
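The verifier-side counterpart of getTPMLabelID, added here as an example; it is not the project's own implementation. It walks the byte[] that the JDK's getSubjectAlternativeNames() returns for each otherName entry (the DER encoding of the OtherName SEQUENCE) with a minimal DER reader, so that the UTF8String label can be matched against the integrity verifier's own expectations. The sample other-name is constructed inline and uses the placeholder OID 1.2.3.4 in place of tcg-at-tpmIdLabel, whose numeric value this page does not give; substitute the value from the TCG specification.

```java
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/** Reads TPMIdLabel-style other-names out of a Subject Alternative Name extension (verifier side). */
public final class TpmIdLabelDecoder {

    /** One decoded otherName: its type-id OID in dotted form and the UTF8String it carries. */
    public static final class OtherName {
        public final String oid, label;
        OtherName(String oid, String label) { this.oid = oid; this.label = label; }
    }

    /** Collects every otherName of the SAN whose value is a UTF8String; filter on oid for the TPMIdLabel. */
    public static List<OtherName> fromCertificate(X509Certificate cert) throws CertificateParsingException {
        List<OtherName> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();   // null if there is no SAN extension
        if (sans == null) return out;
        for (List<?> entry : sans) {
            // The JDK reports otherName as type 0 and returns the DER of the whole OtherName SEQUENCE.
            if (Integer.valueOf(0).equals(entry.get(0)) && entry.get(1) instanceof byte[]) {
                OtherName n = decodeOtherName((byte[]) entry.get(1));
                if (n != null) out.add(n);
            }
        }
        return out;
    }

    /** Parses OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }; null on any other shape. */
    public static OtherName decodeOtherName(byte[] der) {
        int[] pos = {0};
        Tlv seq = readTlv(der, pos);
        if (seq == null || seq.tag != 0x30) return null;
        int[] inner = {seq.start};
        Tlv oid = readTlv(der, inner);
        if (oid == null || oid.tag != 0x06 || inner[0] > seq.end()) return null;
        Tlv ctx = readTlv(der, inner);
        if (ctx == null || ctx.tag != 0xA0 || inner[0] > seq.end()) return null;
        int[] val = {ctx.start};
        Tlv utf8 = readTlv(der, val);
        if (utf8 == null || utf8.tag != 0x0C || val[0] > ctx.end()) return null;   // the label must be UTF8String
        String label = new String(der, utf8.start, utf8.len, StandardCharsets.UTF_8);
        return new OtherName(decodeOid(der, oid.start, oid.len), label);
    }

    private static final class Tlv {
        int tag, start, len;
        int end() { return start + len; }
    }

    // One tag-length-value with a definite short or long-form length, bounds-checked against the buffer.
    private static Tlv readTlv(byte[] b, int[] pos) {
        int p = pos[0];
        if (p + 2 > b.length) return null;
        Tlv t = new Tlv();
        t.tag = b[p++] & 0xFF;
        if ((t.tag & 0x1F) == 0x1F) return null;     // multi-byte tags do not occur in this structure
        int len = b[p++] & 0xFF;
        if (len == 0x80) return null;               // indefinite length is not DER
        if (len > 0x80) {
            int n = len & 0x7F;
            if (n > 3 || p + n > b.length) return null;
            len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (b[p++] & 0xFF);
        }
        if (p + len > b.length) return null;
        t.start = p;
        t.len = len;
        pos[0] = p + len;
        return t;
    }

    // Dotted-decimal OID from its base-128 encoding; the first sub-identifier packs the first two arcs.
    private static String decodeOid(byte[] b, int start, int len) {
        StringBuilder sb = new StringBuilder();
        long acc = 0;
        boolean first = true;
        for (int i = start; i < start + len; i++) {
            acc = (acc << 7) | (b[i] & 0x7F);
            if ((b[i] & 0x80) != 0) continue;         // continuation byte
            if (first) {
                long a1 = acc < 80 ? acc / 40 : 2;
                sb.append(a1).append('.').append(acc - a1 * 40);
                first = false;
            } else {
                sb.append('.').append(acc);
            }
            acc = 0;
        }
        return sb.toString();
    }

    // Constructed sample, not taken from a real certificate: OtherName with placeholder OID 1.2.3.4
    // (standing in for tcg-at-tpmIdLabel) wrapping the UTF8String "platform-17".
    static final byte[] SAMPLE_OTHER_NAME = hex("3014" + "06032A0304" + "A00D" + "0C0B706C6174666F726D2D3137");

    static byte[] hex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    public static void main(String[] args) {
        OtherName n = decodeOtherName(SAMPLE_OTHER_NAME);
        System.out.println(n == null ? "not a TPMIdLabel other-name" : n.oid + " -> " + n.label);
    }
}
```

Because the profile says the label's syntax is chosen by the TPM owner and only needs to be understood by the integrity verifier, the decoder returns the raw UTF-8 string and leaves interpretation to the caller; it rejects anything that is not a UTF8String inside the [0] wrapper rather than guessing at other encodings.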