Util.java

/*
 * Copyright (C) 2014 Intel Corporation
 * All rights reserved.
 */
package com.intel.mtwilson.trustagent.niarl;

import com.intel.dcsg.cpg.crypto.RandomUtil;
import gov.niarl.his.privacyca.TpmModule;
import java.io.IOException;
import org.apache.commons.codec.binary.Hex;
import java.util.NoSuchElementException;

/**
 * Test TPM ownership status by attempting to change the SRK secret and then
 * (if successful) change it back to its original value:
 * 
 * hOldSecret = current SRK secret;
 * Tspi_ChangeAuth(hSRK, hTPM, hNewSecret); 
 * Tspi_ChangeAuth(hSRK, hTPM, hOldSecret);
 * 
 * @author jbuhacoff
 */
public class Util {
    private static final org.slf4j.Logger log = org.slf4j.LoggerFactory.getLogger(Util.class);
    
    public static boolean isOwner(byte[] secret) {
        try {
            //TpmModule.getCredential(secret, "EC");
            byte[] ekModulus = TpmModule.getEndorsementKeyModulus(secret, RandomUtil.randomByteArray(20));
            if( ekModulus != null ) { log.debug("EK modulus: {}", Hex.encodeHexString(ekModulus)); }
            return true;
        }
        catch(IOException | NoSuchElementException e) {
            log.debug("Failed ownership test (get endorsement credential)", e);
            return false;
        }
        catch(TpmModule.TpmModuleException e) {
            if( e.getErrorCode() != null && e.getErrorCode() == 2 ) {
                // error code 2 is TPM_BADINDEX which in this case means the EC
                // is not present; but the ownership test succeeded
                return true;
            }
            // error code 1 is TPM_AUTHFAIL which is the expected case when
            // we don't have ownership; and we'll also fail the test on any
            // other error
            log.debug("Failed ownership test (get endorsement credential) with error code {}", e.getErrorCode());
            return false;
        }
    }
    
    public static boolean isEndorsementCertificatePresent(byte[] secret) {
        try {
            byte[] ekCert = TpmModule.getCredential(secret, "EC");
            return ekCert != null && ekCert.length > 0;
        }
        catch(TpmModule.TpmModuleException e) {
            if( e.getErrorCode() == 2 ) {
                return false; // Endorsement Certificate is missing
            }
            else {
                log.error("Cannot determine presence of Endorsement Certificate");
                log.debug("TpmModule error: {}", e.getMessage());
                return false;
            }
        }
        catch(IOException e) {
            log.error("Cannot determine presence of Endorsement Certificate");
            log.debug("IO error: {}", e.getMessage());
            return false;
        }
    }
}