If you want to load existing RSA keys from a Java keystore into a Trusted Platform Module (TPM), the procedure is simple and straightforward. For this purpose, we use jTSS, the Java implementation of the Trusted Software Stack by the Institute for Applied Information Processing and Communication of the Technical University of Graz.
First, you need to initialize your TpmContext and create the RSAKey object. The key's security, usage and migration policies and other key settings depend on the key and the application and are therefore not shown here in detail. See the jTSS documentation for more details.
```java
TcIContext TpmContext = new TcTssContextFactory().newContextObject();
TpmContext.connect();
// The key init flags (type, size, authorization and migration policy) depend on the
// application; see the jTSS documentation.
TcIRsaKey RSAKey = TpmContext.createRsaKeyObject(...);
...
```
After the key and context are initialized, the existing keys need to be loaded from the keystore. You need both the private and the public key, which are then combined into a KeyPair object.
```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.Certificate;

// Open the JKS keystore and pull out the private key and the certificate under the alias
KeyStore KeySto = KeyStore.getInstance("JKS");
KeySto.load(new FileInputStream("mykeystore.jks"), "StorePassword".toCharArray());
PrivateKey ApplicationKey = (PrivateKey) KeySto.getKey("KeyAlias", "KeyPassword".toCharArray());
Certificate ApplicationCert = KeySto.getCertificate("KeyAlias");
KeyPair AppKeyPair = new KeyPair(ApplicationCert.getPublicKey(), ApplicationKey);
```
Then, you need to convert the keys to TPM blobs and link them with the RSAKey object. We start with the public key.
```java
// Convert the Java public key into a TPM_PUBKEY structure and attach it to the key object
TcTpmPubkey pubKeyStruct = TcCrypto.pubJavaToTpmKey((RSAPublicKey) AppKeyPair.getPublic());
RSAKey.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
        TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PUBLIC_KEY, pubKeyStruct.getEncoded());
// Signature scheme: RSASSA-PKCS1-v1.5 with SHA-1
RSAKey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
        TcTssConstants.TSS_TSPATTRIB_KEYINFO_SIGSCHEME, TcTssConstants.TSS_SS_RSASSAPKCS1V15_SHA1);
// Encryption scheme: RSAES-OAEP with SHA-1 and MGF1
RSAKey.setAttribUint32(TcTssConstants.TSS_TSPATTRIB_KEY_INFO,
        TcTssConstants.TSS_TSPATTRIB_KEYINFO_ENCSCHEME, TcTssConstants.TSS_ES_RSAESOAEP_SHA1_MGF1);
```
The procedure for the private key is a bit different, but just as simple as the other steps.
```java
// The private blob carries only prime P (the TPM derives the rest from P and the modulus),
// so the key must be available in CRT form.
RSAPrivateCrtKey privKey = (RSAPrivateCrtKey) AppKeyPair.getPrivate();
TcBlobData PrivKeyBlob = TcBlobData.newByteArray(TcCrypto.privJavaPrimePToByte(privKey));
RSAKey.setAttribData(TcTssConstants.TSS_TSPATTRIB_KEY_BLOB,
        TcTssConstants.TSS_TSPATTRIB_KEYBLOB_PRIVATE_KEY, PrivKeyBlob);
```
Finally, you need to wrap the new key with the Storage Root Key (SRK) and register it under a UUID of your choice. The simplest choice is a random UUID.
```java
// SRK: the Storage Root Key object, loaded from the TPM beforehand with its usage secret set (not shown here)
RSAKey.wrapKey(SRK, null);
TcTssUuid keyUUID = TcUuidFactory.getInstance().generateRandomUuid();
TpmContext.registerKey(RSAKey, TcTssConstants.TSS_PS_TYPE_SYSTEM, keyUUID,
        TcTssConstants.TSS_PS_TYPE_SYSTEM, TcUuidFactory.getInstance().getUuidSRK());
System.out.println("Key registered in persistent system storage with " + keyUUID.toString());
```
That’s it. You can now use the key in the TPM operations of your choice.
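The steps above silently assume that the keystore entry is an RSA key in CRT form, that the certificate matches the private key, and that the key size is one the TPM accepts; if any of these fails, the import dies with a cast error or a TPM error only at wrap time. The following pre-flight check is an added example written for this post (it is neither the post's nor jTSS's code) and uses only the JDK; the class name `TpmImportPreflight`, the method `checkEntry`, and the test message are assumed names. Call it with the keystore loaded as shown in the post before touching the TPM.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;

public class TpmImportPreflight {
    /** Returns the key pair when the entry is importable; throws with a reason otherwise. */
    public static KeyPair checkEntry(KeyStore ks, String alias, char[] keyPass)
            throws GeneralSecurityException {
        Key priv = ks.getKey(alias, keyPass);
        Certificate cert = ks.getCertificate(alias);
        if (priv == null || cert == null) {
            throw new KeyStoreException("alias " + alias + " lacks a private key or certificate");
        }
        // privJavaPrimePToByte() needs prime P, i.e. the CRT form; a plain RSAPrivateKey,
        // as some PKCS#11/HSM providers return, would fail the cast in the import step.
        if (!(priv instanceof RSAPrivateCrtKey) || !(cert.getPublicKey() instanceof RSAPublicKey)) {
            throw new InvalidKeyException("entry is not an RSA key pair in CRT form");
        }
        RSAPrivateCrtKey rsaPriv = (RSAPrivateCrtKey) priv;
        RSAPublicKey rsaPub = (RSAPublicKey) cert.getPublicKey();
        // The public and private TPM blobs must describe the same key.
        if (!rsaPriv.getModulus().equals(rsaPub.getModulus())
                || !rsaPriv.getPublicExponent().equals(rsaPub.getPublicExponent())) {
            throw new InvalidKeyException("certificate public key does not match the private key");
        }
        // TPM 1.2 RSA keys are at most 2048 bits; larger keys are refused at wrap time.
        int bits = rsaPriv.getModulus().bitLength();
        if (bits > 2048) {
            throw new InvalidKeyException(bits + "-bit key exceeds the TPM 1.2 RSA limit");
        }
        // Round trip with the signature scheme the import selects (RSASSA-PKCS1-v1.5 / SHA-1).
        byte[] msg = "preflight".getBytes(StandardCharsets.UTF_8); // constructed test message
        Signature sig = Signature.getInstance("SHA1withRSA");
        sig.initSign(rsaPriv);
        sig.update(msg);
        byte[] s = sig.sign();
        sig.initVerify(rsaPub);
        sig.update(msg);
        if (!sig.verify(s)) {
            throw new SignatureException("sign/verify round trip failed");
        }
        return new KeyPair(rsaPub, rsaPriv);
    }
}
```

The returned KeyPair can be used directly as AppKeyPair in the conversion steps above.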