Description
I need to generate a Credentials Challenge on a remote server, which will then be sent to a device; at that point the device will use the ActivateCredential command on a TPM to respond to the challenge issued by the server. But I am having issues surrounding how to generate that challenge from a remote server.
NOTE: My client with the TPM will not be running any go/go-attestation code
On my device I can generate a challenge with this command:

```shell
dd if=/dev/urandom of=secret.data bs=32 count=1
tpm2_makecredential --tcti=none --key-algorithm=rsa --encryption-key=artifacts/ek.pub.pem --secret=secret.data --name=$(cat artifacts/ak.name | hexdump -v -e '/1 "%02x"') --credential-blob=secret.blob
```
The server, at the time of challenge creation, has access to the device TPM endorsement certificate and the attestation key name. Looking at the example in the README, I'm trying to generate an AttestationParameters, which is needed by the ActivationParameters, but I'm not sure how one would create an AttestationParameters from just the attestation key name.
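The server-side construction the issue asks about (what `tpm2_makecredential --tcti=none` computes), written from the TPM 2.0 credential-protection rules using only the Go standard library; this is an added example, not code from go-attestation or from go-tpm, whose credactivation package implements the same construction from an AK name. It assumes an RSA EK with SHA-256 as nameAlg and the default AES-128-CFB symmetric scheme, that `akName` holds the bytes of `ak.name` (2-byte hash-alg ID plus digest), and that the EK public key was already extracted from the endorsement certificate.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
)

// kdfa is TPM 2.0 KDFa (SP800-108 counter mode, HMAC-SHA256); context is contextU||contextV.
func kdfa(seed []byte, label string, context []byte, bits int) []byte {
	var out []byte
	for i := uint32(1); len(out)*8 < bits; i++ {
		mac := hmac.New(sha256.New, seed)
		binary.Write(mac, binary.BigEndian, i)
		mac.Write(append([]byte(label), 0)) // the label is NUL-terminated
		mac.Write(context)
		binary.Write(mac, binary.BigEndian, uint32(bits))
		out = mac.Sum(out)
	}
	return out[:bits/8]
}

// tpm2b prefixes b with its big-endian uint16 length (TPM2B_* wire form).
func tpm2b(b []byte) []byte {
	out := make([]byte, 2, 2+len(b))
	binary.BigEndian.PutUint16(out, uint16(len(b)))
	return append(out, b...)
}

// MakeCredential is the server side of the challenge: it wraps secret so that only the
// TPM holding the EK private key can recover it, and only via the key named akName.
// It returns TPM2B_ID_OBJECT (the credential blob) and TPM2B_ENCRYPTED_SECRET.
func MakeCredential(ekPub *rsa.PublicKey, akName, secret []byte) (credBlob, encSeed []byte, err error) {
	seed := make([]byte, sha256.Size) // seed length = digest size of the EK nameAlg
	rand.Read(seed)                   // the seed travels under RSA-OAEP with label "IDENTITY\0"
	if encSeed, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, ekPub, seed, []byte("IDENTITY\x00")); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(kdfa(seed, "STORAGE", akName, 128)) // AES-128 key bound to the AK name
	encIdentity := make([]byte, 2+len(secret))                    // CFB over TPM2B_DIGEST(secret), zero IV
	cipher.NewCFBEncrypter(block, make([]byte, aes.BlockSize)).XORKeyStream(encIdentity, tpm2b(secret))
	mac := hmac.New(sha256.New, kdfa(seed, "INTEGRITY", nil, 256)) // HMAC over encIdentity||name
	mac.Write(encIdentity)
	mac.Write(akName) // ActivateCredential fails for any AK whose name differs from this one
	return tpm2b(append(tpm2b(mac.Sum(nil)), encIdentity...)), tpm2b(encSeed), nil
}
```

The two return values are the raw TPM2B wire structures that TPM2_ActivateCredential consumes; check the file layout the client-side tooling expects before writing them to disk for the device.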