Merge pull request #262 from nsacyber/issue-257

[#257] Changes for 2.0 beta

tools/tcg_rim_tool/build.gradle

@@ -6,10 +6,8 @@ repositories {
 }
 
 dependencies {
-	compile libs.minimal_json
-	compile libs.jcommander
-	compile libs.bouncy_castle
-	testCompile libs.testng
+	compile 'com.eclipsesource.minimal-json:minimal-json:0.9.5', 'com.beust:jcommander:1.72', 'org.bouncycastle:bcmail-jdk15on:1.59'
+	testCompile 'org.testng:testng:6.8.8'
 }
 
 jar {

tools/tcg_rim_tool/package.sh

@@ -6,7 +6,7 @@ pushd $SCRIPT_DIR
 
 name="tcg_rim_tool"
 
-tar -cf $name.tar build.gradle gradle* src/ docs/
+tar -cf $name.tar build.gradle gradle* src/ docs/ rim_fields.json keystore.jks
 gzip $name.tar
 if [ -d rpmbuild ]; then
 	rm -rf rpmbuild

tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java

@@ -52,8 +52,11 @@ public void parseJKSCredentials() {
         publicKey = certificate.getPublicKey();
     }
 
-    public void parsePEMCredentials(String certificateFile, String privateKeyFile) throws FileNotFoundException {
+    public void parsePEMCredentials(String certificateFile, String privateKeyFile) throws CertificateException, FileNotFoundException {
         certificate = parsePEMCertificate(certificateFile);
+        if (certificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) {
+            throw new CertificateException("Signing certificate cannot be self-signed!");
+        }
         privateKey = parsePEMPrivateKey(privateKeyFile, "RSA");
         publicKey = certificate.getPublicKey();
     }

tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java

@@ -21,16 +21,16 @@ public static void main(String[] args) {
             if (!commander.getVerifyFile().isEmpty()) {
                 System.out.println(commander.toString());
                 String verifyFile = commander.getVerifyFile();
-                String publicCertificate = commander.getPublicCertificate();
-                if (!verifyFile.isEmpty() && !publicCertificate.isEmpty()) {
+                //String publicCertificate = commander.getPublicCertificate();
+                if (!verifyFile.isEmpty()) {
                     try {
                         gateway.validateSwidTag(verifyFile);
                     } catch (IOException e) {
                         System.out.println("Error validating RIM file: " + e.getMessage());
                         System.exit(1);
                     }
                 } else {
-                    System.out.println("Need both a RIM file to validate and a public certificate to validate with!");
+                    System.out.println("Need a RIM file to validate!");
                     System.exit(1);
                 }
             } else {
@@ -39,6 +39,7 @@ public static void main(String[] args) {
                 String attributesFile = commander.getAttributesFile();
                 String certificateFile = commander.getPublicCertificate();
                 String privateKeyFile = commander.getPrivateKeyFile();
+                String rimEventLog = commander.getRimEventLog();
                 switch (createType) {
                     case "BASE":
                         if (!attributesFile.isEmpty()) {
@@ -49,12 +50,14 @@ public static void main(String[] args) {
                             gateway.setPemCertificateFile(certificateFile);
                             gateway.setPemPrivateKeyFile(privateKeyFile);
                         }
+                        if (rimEventLog.isEmpty()) {
+                            System.out.println("Error: a support RIM is required!");
+                            System.exit(1);
+                        } else {
+                            gateway.setRimEventLog(rimEventLog);
+                        }
                         gateway.generateSwidTag(commander.getOutFile());
                         break;
-                    case "EVENTLOG":
-                        break;
-                    case "PCR":
-                        break;
                 }
             }
         }

tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java

@@ -15,7 +15,7 @@ public class SwidTagConstants {
     public static final String DEFAULT_KEYSTORE_PATH = "keystore.jks";
     public static final String DEFAULT_KEYSTORE_PASSWORD = "password";
     public static final String DEFAULT_PRIVATE_KEY_ALIAS = "selfsigned";
-    public static final String DEFAULT_ATTRIBUTES_FILE = "/etc/hirs/rim_fields.json";
+    public static final String DEFAULT_ATTRIBUTES_FILE = "rim_fields.json";
     public static final String DEFAULT_ENGLISH = "en";
 
     public static final String SIGNATURE_ALGORITHM_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java

@@ -42,6 +42,7 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
+import hirs.swid.utils.HashSwid;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
@@ -59,6 +60,8 @@
 import java.nio.file.Paths;
 
 import java.security.*;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 
 import java.util.ArrayList;
@@ -72,6 +75,7 @@
 import hirs.swid.xjc.Directory;
 import hirs.swid.xjc.Entity;
 import hirs.swid.xjc.Link;
+import hirs.swid.xjc.Meta;
 import hirs.swid.xjc.ObjectFactory;
 import hirs.swid.xjc.ResourceCollection;
 import hirs.swid.xjc.SoftwareIdentity;
@@ -100,6 +104,7 @@ public class SwidTagGateway {
     private boolean defaultCredentials;
     private String pemPrivateKeyFile;
     private String pemCertificateFile;
+    private String rimEventLog;
 
     /**
      * Default constructor initializes jaxbcontext, marshaller, and unmarshaller
@@ -142,13 +147,22 @@ public void setPemPrivateKeyFile(String pemPrivateKeyFile) {
         this.pemPrivateKeyFile = pemPrivateKeyFile;
     }
 
-    /** Setter for certificate file in PEM format
+    /**
+     * Setter for certificate file in PEM format
      * @param pemCertificateFile
      */
     public void setPemCertificateFile(String pemCertificateFile) {
         this.pemCertificateFile = pemCertificateFile;
     }
 
+    /**
+     * Setter for event log support RIM
+     * @param rimEventLog
+     */
+    public void setRimEventLog(String rimEventLog) {
+        this.rimEventLog = rimEventLog;
+    }
+
     /**
      * This method generates a base RIM from the values in a JSON file.
      *
@@ -174,10 +188,7 @@ public void generateSwidTag(final String filename) {
                     createSoftwareMeta(configProperties.get(SwidTagConstants.META).asObject()));
             swidTag.getEntityOrEvidenceOrLink().add(meta);
             //File
-            hirs.swid.xjc.File file = createFile(
-                    configProperties.get(SwidTagConstants.PAYLOAD).asObject()
-                                    .get(SwidTagConstants.DIRECTORY).asObject()
-                                    .get(SwidTagConstants.FILE).asObject());
+            hirs.swid.xjc.File file = createFile();
             //Directory
             Directory directory = createDirectory(
                     configProperties.get(SwidTagConstants.PAYLOAD).asObject()
@@ -219,6 +230,8 @@ public boolean validateSwidTag(String path) throws IOException {
         si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n");
         si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n");
         System.out.println(si.toString());
+        Element file = (Element) document.getElementsByTagName("File").item(0);
+        validateFile(file);
         System.out.println("Signature core validity: " + validateSignedXMLDocument(document));
         return true;
     }
@@ -405,13 +418,42 @@ private Directory createDirectory(JsonObject jsonObject) {
         return directory;
     }
 
-   /**
-     * This method creates a hirs.swid.xjc.File from three arguments, then calculates
-     * and stores its hash as an attribute in itself.
+    /**
+     * This method creates a hirs.swid.xjc.File from an indirect payload type by
+     * calculating the hash of a given event log support RIM.
+     */
+    private hirs.swid.xjc.File createFile() {
+        hirs.swid.xjc.File file = objectFactory.createFile();
+        file.setName(rimEventLog);
+        File rimEventLogFile = new File(rimEventLog);
+        file.setSize(new BigInteger(Long.toString(rimEventLogFile.length())));
+        Map<QName, String> attributes = file.getOtherAttributes();
+        addNonNullAttribute(attributes, _SHA256_HASH, HashSwid.get256Hash(rimEventLog));
+
+        return file;
+    }
+
+    /**
+     * This method validates a hirs.swid.xjc.File from an indirect payload
+     */
+    private boolean validateFile(Element file) {
+        String filepath = file.getAttribute(SwidTagConstants.NAME);
+        System.out.println("Support rim found at " + filepath);
+        if (HashSwid.get256Hash(filepath).equals(file.getAttribute(_SHA256_HASH.getPrefix() + ":" + _SHA256_HASH.getLocalPart()))) {
+            System.out.println("Support RIM hash verified!");
+            return true;
+        } else {
+            System.out.println("Support RIM hash does not match Base RIM!");
+            return false;
+        }
+    }
+
+    /**
+     * This method creates a hirs.swid.xjc.File from a direct payload type.
      *
      * @param jsonObject
      * @return hirs.swid.xjc.File object from File object
-     */
+     *
     private hirs.swid.xjc.File createFile(JsonObject jsonObject) {
         hirs.swid.xjc.File file = objectFactory.createFile();
         file.setName(jsonObject.getString(SwidTagConstants.NAME, ""));
@@ -423,7 +465,7 @@ private hirs.swid.xjc.File createFile(JsonObject jsonObject) {
         addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_URI_GLOBAL, jsonObject.getString(SwidTagConstants.SUPPORT_RIM_URI_GLOBAL, ""));
 
         return file;
-    }
+    }*/
 
     private void addNonNullAttribute(Map<QName, String> attributes, QName key, String value) {
         if (!value.isEmpty()) {
@@ -492,6 +534,8 @@ private Document signXMLDocument(JAXBElement<SoftwareIdentity> swidTag) {
             System.out.println(e.getMessage());
         } catch (KeyException e) {
             System.out.println("Error setting public key in KeyValue: " + e.getMessage());
+        } catch (CertificateException e) {
+            System.out.println(e.getMessage());
         } catch (JAXBException e) {
             System.out.println("Error marshaling signed swidtag: " + e.getMessage());
         } catch (MarshalException | XMLSignatureException e) {
@@ -622,7 +666,8 @@ private Document unmarshallSwidTag(String path) {
      */
     private Document removeXMLWhitespace(String path) throws IOException {
         TransformerFactory tf = TransformerFactory.newInstance();
-        Source source = new StreamSource(new File("identity_transform.xslt"));
+        Source source = new StreamSource(
+                SwidTagGateway.class.getClassLoader().getResourceAsStream("identity_transform.xslt"));
         Document document = null;
         File input = new File(path);
         if (input.length() > 0) {

tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java

@@ -35,10 +35,10 @@ public class Commander {
             description = "The public key certificate used to verify a RIM file or to embed in a signed RIM. " +
                     "A signed RIM generated by this tool by default will not show the signing certificate without this parameter present.")
     private String publicCertificate = "";
-/*
     @Parameter(names = {"-l", "--rimel <path>"}, order = 6,
             description = "The TCG eventlog file to use as a support RIM. By default the last system eventlog will be used.")
     private String rimEventLog = "";
+/*
     @Parameter(names = {"-t", "--rimpcr <path>"}, order = 7,
             description = "The file containing TPM PCR values to use as a support RIM. By default the current platform TPM will be used.")
     private String rimPcrs = "";
@@ -76,11 +76,9 @@ public String getPrivateKeyFile() {
     public String getPublicCertificate() {
         return publicCertificate;
     }
-/*
-    public String getRimEventLog() {
-        return rimEventLog;
-    }
 
+    public String getRimEventLog() { return rimEventLog; }
+/*
     public String getRimPcrs() {
         return rimPcrs;
     }
@@ -98,10 +96,10 @@ public String printHelpExamples() {
         sb.append("Create a base RIM using the values in attributes.json; " +
                 "sign it with the default keystore, alias, and password;\n");
         sb.append("and write the data to base_rim.swidtag:\n\n");
-        sb.append("\t\t-c base -a attributes.json -o base_rim.swidtag\n\n\n");
+        sb.append("\t\t-c base -a attributes.json -l support_rim.swidtag -o base_rim.swidtag\n\n\n");
         sb.append("Create a base RIM using the default attribute values; sign it using privateKey.pem;\n");
         sb.append("and write the data to console output, to include cert.pem in the signature block:\n\n");
-        sb.append("\t\t-c base -k privateKey.pem -p cert.pem\n\n\n");
+        sb.append("\t\t-c base -l support_rim.swidtag -k privateKey.pem -p cert.pem\n\n\n");
 
         return sb.toString();
     }
@@ -113,8 +111,8 @@ public String toString() {
         sb.append("Verify file: " + getVerifyFile() + System.lineSeparator());
         sb.append("Private key file: " + getPrivateKeyFile() + System.lineSeparator());
         sb.append("Public certificate: " + getPublicCertificate() + System.lineSeparator());
-/*
         sb.append("Event log support RIM: " + getRimEventLog() + System.lineSeparator());
+/*
         sb.append("TPM PCRs support RIM: " + getRimPcrs() + System.lineSeparator());
         sb.append("Base RIM to be signed: " + getToBeSigned() + System.lineSeparator());
         sb.append("External signature file: " + getSignatureData() + System.lineSeparator());