From c69affd4f638c46f269c54a8521dae9215ac9ead Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Fri, 12 Jun 2020 09:20:47 -0400 Subject: [PATCH 1/3] Added a check against embedding a self-signed cert. Requires a support rim whose name, size, and hash are added to the payload. --- tools/tcg_rim_tool/generated_swidTag.swidtag | 34 ------------- .../main/java/hirs/swid/CredentialParser.java | 5 +- .../src/main/java/hirs/swid/Main.java | 17 ++++--- .../main/java/hirs/swid/SwidTagGateway.java | 47 ++++++++++++++---- .../main/java/hirs/swid/utils/Commander.java | 14 +++--- .../main/resources}/identity_transform.xslt | 0 .../java/hirs/swid/TestSwidTagGateway.java | 12 +++-- .../src/test/resources/RimSignCert.pem | 22 ++++++++ .../src/test/resources/TpmLog.bin | Bin 0 -> 7549 bytes .../test/resources/generated_no_cert.swidtag | 14 +++--- .../resources/generated_with_cert.swidtag | 14 +++--- .../src/test/resources/privateRimKey.pem | 28 +++++++++++ 12 files changed, 130 insertions(+), 77 deletions(-) delete mode 100644 tools/tcg_rim_tool/generated_swidTag.swidtag rename tools/tcg_rim_tool/{ => src/main/resources}/identity_transform.xslt (100%) create mode 100644 tools/tcg_rim_tool/src/test/resources/RimSignCert.pem create mode 100644 tools/tcg_rim_tool/src/test/resources/TpmLog.bin create mode 100644 tools/tcg_rim_tool/src/test/resources/privateRimKey.pem diff --git a/tools/tcg_rim_tool/generated_swidTag.swidtag b/tools/tcg_rim_tool/generated_swidTag.swidtag deleted file mode 100644 index 447a409da..000000000 --- a/tools/tcg_rim_tool/generated_swidTag.swidtag +++ /dev/null 
@@ -1,34 +0,0 @@ - - - - - - - - - - - - gLCM4kz8qvB6JkV+yDnv3KzqEloiSsBik2OeyBOSw/A= - - - a+kmQfOSpSaMnazRJIOq2349Iuskpan4vh0N4dobjJ8Tb3lPjf97YiqgFsoSm5uydOPXs/lkN51g -Ox9CCBZ2bquDuuBPpAq5IQ3wZ28G+DYzva+pz7EHKge3gIRzMKjCyDx4bjn+3GUeg+A4KNHNcUfi -qkDVi3245/4IC/nIzm6a+3qVqsYH4mLqp1yO/Xbuqvkc5X0GobGIO6EOhXxuBii6O7GGv+cIVp3v -Xdd9zIwFVedeqeYextz5EDzDNHittmtNd+KEl0N3/45aXGDiRFiuiNy/sf7KR+wutbwJV7RlaDN7 -QEaanCXCs6h5PehTh8EDEE9atceBS7IBje0dtw== - - 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 - - - p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx -xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9 -dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q -otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW -jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ== - AQAB - - - - - diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java index 96f3fe5a5..5cd445085 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java @@ -52,8 +52,11 @@ public void parseJKSCredentials() { publicKey = certificate.getPublicKey(); } - public void parsePEMCredentials(String certificateFile, String privateKeyFile) throws FileNotFoundException { + public void parsePEMCredentials(String certificateFile, String privateKeyFile) throws CertificateException, FileNotFoundException { certificate = parsePEMCertificate(certificateFile); + if (certificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) { + throw new CertificateException("Signing certificate cannot be self-signed!"); + } privateKey = parsePEMPrivateKey(privateKeyFile, "RSA"); publicKey = certificate.getPublicKey(); } 
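Review bot: The new issuer/subject comparison in parsePEMCredentials only rejects a certificate that names itself as issuer; it does not establish that anyone trusted issued the certificate, because a certificate whose issuer DN merely differs from its subject passes regardless of who signed it. If the intent is to keep untrusted signing certificates out of a RIM, the check that carries weight is a chain build to a configured trust anchor (`CertPathValidator` with `PKIXParameters`), with the DN comparison kept as a cheap early rejection. The same rejection is absent from parseJKSCredentials, whose closing lines are the context above this hunk, so a keystore whose default alias is literally "selfsigned" (SwidTagConstants, PATCH 3 of this series) still signs without complaint — presumably unintended. The error message could also name the subject, `"Signing certificate cannot be self-signed: " + certificate.getSubjectX500Principal()`, so the operator knows which file was rejected.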
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 1f93b38ce..b5da4d61c 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -21,8 +21,8 @@ public static void main(String[] args) { if (!commander.getVerifyFile().isEmpty()) { System.out.println(commander.toString()); String verifyFile = commander.getVerifyFile(); - String publicCertificate = commander.getPublicCertificate(); - if (!verifyFile.isEmpty() && !publicCertificate.isEmpty()) { + //String publicCertificate = commander.getPublicCertificate(); + if (!verifyFile.isEmpty()) { try { gateway.validateSwidTag(verifyFile); } catch (IOException e) { @@ -30,7 +30,7 @@ public static void main(String[] args) { System.exit(1); } } else { - System.out.println("Need both a RIM file to validate and a public certificate to validate with!"); + System.out.println("Need a RIM file to validate!"); System.exit(1); } } else { @@ -39,6 +39,7 @@ public static void main(String[] args) { String attributesFile = commander.getAttributesFile(); String certificateFile = commander.getPublicCertificate(); String privateKeyFile = commander.getPrivateKeyFile(); + String rimEventLog = commander.getRimEventLog(); switch (createType) { case "BASE": if (!attributesFile.isEmpty()) { @@ -49,12 +50,14 @@ public static void main(String[] args) { gateway.setPemCertificateFile(certificateFile); gateway.setPemPrivateKeyFile(privateKeyFile); } + if (rimEventLog.isEmpty()) { + System.out.println("Error: a support RIM is required!"); + System.exit(1); + } else { + gateway.setRimEventLog(rimEventLog); + } gateway.generateSwidTag(commander.getOutFile()); break; - case "EVENTLOG": - break; - case "PCR": - break; } } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 4fbe8b522..05ac3b27c 100644 
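Review bot: Dropping the public-certificate requirement from the verify branch means validateSwidTag is now called with the RIM file alone, so the only key material available to check the signature is what the tag itself carries in its signature block — which whoever produced the tag also controls. Unless validateSwidTag obtains the verification key from a source outside the document (not visible in this series), a "valid" result then means only that the file is self-consistent, not that a trusted party signed it; keeping `-p` (or a configured trust anchor) as required input preserves the authenticity claim. The commented-out `//String publicCertificate = commander.getPublicCertificate();` should be deleted rather than kept, and the new message `"Need a RIM file to validate!"` sits in an `else` that is only reachable when verifyFile is empty, which the outer `if (!commander.getVerifyFile().isEmpty())` already rules out — that branch is now dead.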
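Review bot: The new support-RIM check in the BASE case tests only `rimEventLog.isEmpty()`, so a mistyped `-l` path gets through to createFile(), where the tag is built from a file that does not exist (length 0 and a hash helper that reports an error and returns null). Check readability up front, `if (rimEventLog.isEmpty() || !Files.isReadable(Paths.get(rimEventLog))) { ... System.exit(1); }`, and print the failure to `System.err` rather than `System.out`, which per the Commander help text is also where the generated tag goes when no `-o` is given. The `else` around `gateway.setRimEventLog(rimEventLog)` is unnecessary after `System.exit(1)`.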
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -42,6 +42,7 @@ import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; +import hirs.swid.utils.HashSwid; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NodeList; @@ -59,6 +60,8 @@ import java.nio.file.Paths; import java.security.*; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.ArrayList; @@ -100,6 +103,7 @@ public class SwidTagGateway { private boolean defaultCredentials; private String pemPrivateKeyFile; private String pemCertificateFile; + private String rimEventLog; /** * Default constructor initializes jaxbcontext, marshaller, and unmarshaller @@ -142,13 +146,22 @@ public void setPemPrivateKeyFile(String pemPrivateKeyFile) { this.pemPrivateKeyFile = pemPrivateKeyFile; } - /** Setter for certificate file in PEM format + /** + * Setter for certificate file in PEM format * @param pemCertificateFile */ public void setPemCertificateFile(String pemCertificateFile) { this.pemCertificateFile = pemCertificateFile; } + /** + * Setter for event log support RIM + * @param rimEventLog + */ + public void setRimEventLog(String rimEventLog) { + this.rimEventLog = rimEventLog; + } + /** * This method generates a base RIM from the values in a JSON file. * 
@@ -174,10 +187,7 @@ public void generateSwidTag(final String filename) { createSoftwareMeta(configProperties.get(SwidTagConstants.META).asObject())); swidTag.getEntityOrEvidenceOrLink().add(meta); //File - hirs.swid.xjc.File file = createFile( - configProperties.get(SwidTagConstants.PAYLOAD).asObject() - .get(SwidTagConstants.DIRECTORY).asObject() - .get(SwidTagConstants.FILE).asObject()); + hirs.swid.xjc.File file = createFile(); //Directory Directory directory = createDirectory( configProperties.get(SwidTagConstants.PAYLOAD).asObject() @@ -405,13 +415,27 @@ private Directory createDirectory(JsonObject jsonObject) { return directory; } + /** + * This method creates a hirs.swid.xjc.File from an indirect payload type by + * calculating the hash of a given event log support RIM. + */ + private hirs.swid.xjc.File createFile() { + hirs.swid.xjc.File file = objectFactory.createFile(); + file.setName(rimEventLog); + File rimEventLogFile = new File(rimEventLog); + file.setSize(new BigInteger(Long.toString(rimEventLogFile.length()))); + Map attributes = file.getOtherAttributes(); + addNonNullAttribute(attributes, _SHA256_HASH, HashSwid.get256Hash(rimEventLog)); + + return file; + } + /** - * This method creates a hirs.swid.xjc.File from three arguments, then calculates - * and stores its hash as an attribute in itself. + * This method creates a hirs.swid.xjc.File from a direct payload type. * * @param jsonObject * @return hirs.swid.xjc.File object from File object - */ + * private hirs.swid.xjc.File createFile(JsonObject jsonObject) { hirs.swid.xjc.File file = objectFactory.createFile(); file.setName(jsonObject.getString(SwidTagConstants.NAME, "")); 
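Review bot: createFile() has no failure path for an unreadable support RIM: `new File(rimEventLog).length()` is 0 when the file is missing, and once HashSwid.get256Hash reads the file (PATCH 3 in this series) it returns null after printing an I/O error, which addNonNullAttribute then dereferences with `value.isEmpty()` — so a bad `-l` path ends in a NullPointerException instead of a message. As committed in this patch, get256Hash still digests the string it is handed (`value.getBytes(ENCODING)` on the old side of the PATCH 3 hunk), so here the payload carries the SHA-256 of the path text rather than of the log. Read the file once, derive size and digest from those bytes, and fail with a clear exception; `Map<QName, String> attributes` instead of the raw `Map` would let the compiler check the put. Storing `rimEventLog` verbatim as the File name puts an absolute command-line path into the published tag, so record just the file name (or a documented relative path), and delete the superseded createFile(JsonObject) outright rather than commenting it out by turning its Javadoc terminator into ` *` here and `}*/` in the next hunk.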
@@ -423,7 +447,7 @@ private hirs.swid.xjc.File createFile(JsonObject jsonObject) { addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_URI_GLOBAL, jsonObject.getString(SwidTagConstants.SUPPORT_RIM_URI_GLOBAL, "")); return file; - } + }*/ private void addNonNullAttribute(Map attributes, QName key, String value) { if (!value.isEmpty()) { @@ -492,6 +516,8 @@ private Document signXMLDocument(JAXBElement swidTag) { System.out.println(e.getMessage()); } catch (KeyException e) { System.out.println("Error setting public key in KeyValue: " + e.getMessage()); + } catch (CertificateException e) { + System.out.println(e.getMessage()); } catch (JAXBException e) { System.out.println("Error marshaling signed swidtag: " + e.getMessage()); } catch (MarshalException | XMLSignatureException e) { @@ -622,7 +648,8 @@ private Document unmarshallSwidTag(String path) { */ private Document removeXMLWhitespace(String path) throws IOException { TransformerFactory tf = TransformerFactory.newInstance(); - Source source = new StreamSource(new File("identity_transform.xslt")); + Source source = new StreamSource( + SwidTagGateway.class.getClassLoader().getResourceAsStream("identity_transform.xslt")); Document document = null; File input = new File(path); if (input.length() > 0) { diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index da380b034..678b1da7e 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java 
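Review bot: The new `catch (CertificateException e)` in signXMLDocument reduces the self-signed rejection thrown by parsePEMCredentials to a line on stdout and then falls through with the key fields left unset; unless the code after the catch chain aborts (it is outside the hunk), generateSwidTag will still write out a tag, either unsigned or built with whatever credentials were loaded before the exception. Treat the failure as fatal — rethrow as an unchecked exception or return a result the caller checks — and print it to `System.err` so it cannot be mixed into tag output on stdout. The neighbouring `KeyException` and `JAXBException` catches have the same shape and deserve the same treatment.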
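Review bot: `getClassLoader().getResourceAsStream("identity_transform.xslt")` in removeXMLWhitespace returns null when the resource is missing from the jar, and `new StreamSource((InputStream) null)` only fails later inside the transform with a less helpful error; assign the stream to a variable, check `if (xslt == null) { throw new IOException("identity_transform.xslt not found on classpath"); }`, and close it with try-with-resources since nothing in this method closes it now. Because the same method processes tags handed to `--verify`, the `TransformerFactory` created on the context line above should also have `XMLConstants.FEATURE_SECURE_PROCESSING` enabled and `XMLConstants.ACCESS_EXTERNAL_DTD` / `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` set to `""` so a crafted tag cannot trigger external entity or stylesheet fetches (`setFeature` throws `TransformerConfigurationException`, which the `throws IOException` clause does not cover — wrap it).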
@@ -35,10 +35,10 @@ public class Commander { description = "The public key certificate used to verify a RIM file or to embed in a signed RIM. " + "A signed RIM generated by this tool by default will not show the signing certificate without this parameter present.") private String publicCertificate = ""; -/* @Parameter(names = {"-l", "--rimel "}, order = 6, description = "The TCG eventlog file to use as a support RIM. By default the last system eventlog will be used.") private String rimEventLog = ""; +/* @Parameter(names = {"-t", "--rimpcr "}, order = 7, description = "The file containing TPM PCR values to use as a support RIM. By default the current platform TPM will be used.") private String rimPcrs = ""; @@ -76,11 +76,9 @@ public String getPrivateKeyFile() { public String getPublicCertificate() { return publicCertificate; } -/* - public String getRimEventLog() { - return rimEventLog; - } + public String getRimEventLog() { return rimEventLog; } +/* public String getRimPcrs() { return rimPcrs; } @@ -98,10 +96,10 @@ public String printHelpExamples() { sb.append("Create a base RIM using the values in attributes.json; " + "sign it with the default keystore, alias, and password;\n"); sb.append("and write the data to base_rim.swidtag:\n\n"); - sb.append("\t\t-c base -a attributes.json -o base_rim.swidtag\n\n\n"); + sb.append("\t\t-c base -a attributes.json -l support_rim.swidtag -o base_rim.swidtag\n\n\n"); sb.append("Create a base RIM using the default attribute values; sign it using privateKey.pem;\n"); sb.append("and write the data to console output, to include cert.pem in the signature block:\n\n"); - sb.append("\t\t-c base -k privateKey.pem -p cert.pem\n\n\n"); + sb.append("\t\t-c base -l support_rim.swidtag -k privateKey.pem -p cert.pem\n\n\n"); return sb.toString(); } 
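Review bot: The option re-enabled here is declared as `names = {"-l", "--rimel "}` (context line just above the change), and that trailing space inside the string appears to mean the long form can never match an argument typed as `--rimel`; it should read `"--rimel"` (the still-commented `"--rimpcr "` has the same problem). Its description still says "By default the last system eventlog will be used", but Main now exits with "a support RIM is required!" when the option is absent, so the text should say the option is mandatory for `-c base`. Moving the `/*` marker around rimPcrs instead of deleting the dead block keeps a large commented-out region that every change has to re-balance; delete it (version control keeps it) or restore it properly.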
@@ -113,8 +111,8 @@ public String toString() { sb.append("Verify file: " + getVerifyFile() + System.lineSeparator()); sb.append("Private key file: " + getPrivateKeyFile() + System.lineSeparator()); sb.append("Public certificate: " + getPublicCertificate() + System.lineSeparator()); -/* sb.append("Event log support RIM: " + getRimEventLog() + System.lineSeparator()); +/* sb.append("TPM PCRs support RIM: " + getRimPcrs() + System.lineSeparator()); sb.append("Base RIM to be signed: " + getToBeSigned() + System.lineSeparator()); sb.append("External signature file: " + getSignatureData() + System.lineSeparator()); diff --git a/tools/tcg_rim_tool/identity_transform.xslt b/tools/tcg_rim_tool/src/main/resources/identity_transform.xslt similarity index 100% rename from tools/tcg_rim_tool/identity_transform.xslt rename to tools/tcg_rim_tool/src/main/resources/identity_transform.xslt diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java index 793c0ed67..a50cc0e30 100644 --- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java +++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java @@ -5,7 +5,9 @@ import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; +import java.nio.file.Paths; import java.util.Scanner; +import java.net.URISyntaxException; import org.testng.Assert; import org.testng.annotations.BeforeClass; @@ -19,11 +21,13 @@ public class TestSwidTagGateway { private final String DEFAULT_NO_CERT = "generated_no_cert.swidtag"; private final String certificateFile = "RimSignCert.pem"; private final String privateKeyFile = "privateRimKey.pem"; + private final String supportRimFile = "TpmLog.bin"; private InputStream expectedFile; @BeforeClass public void setUp() throws Exception { gateway = new SwidTagGateway(); + gateway.setRimEventLog(supportRimFile); } @AfterClass 
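Review bot: `gateway.setRimEventLog(supportRimFile)` in setUp passes the bare name "TpmLog.bin", but createFile() opens it with `new File(rimEventLog)` relative to the working directory, not from the test classpath the way `getResourceAsStream` loads the expected files, so the test only passes when run from a directory containing the file (presumably src/test/resources). Either make the build run tests from that directory and say so in the class Javadoc, or give the gateway a base directory for resolving the support RIM while keeping the short name in the tag — resolving to an absolute path with `getResource(...).toURI()` would bake a machine-specific path into the generated_*.swidtag fixtures.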
@@ -38,10 +42,12 @@ public void tearDown() throws Exception { * -c base -k privateRimKey.pem -p RimSignCert.pem */ @Test - public void testCreateBaseWithCert() { + public void testCreateBaseWithCert() throws URISyntaxException { gateway.setDefaultCredentials(false); - gateway.setPemCertificateFile(certificateFile); - gateway.setPemPrivateKeyFile(privateKeyFile); + gateway.setPemCertificateFile( + Paths.get(this.getClass().getResource(certificateFile).toURI()).toString()); + gateway.setPemPrivateKeyFile( + Paths.get(this.getClass().getResource(privateKeyFile).toURI()).toString()); gateway.generateSwidTag(DEFAULT_OUTPUT); expectedFile = (InputStream) TestSwidTagGateway.class.getClassLoader().getResourceAsStream(DEFAULT_WITH_CERT); Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); diff --git a/tools/tcg_rim_tool/src/test/resources/RimSignCert.pem b/tools/tcg_rim_tool/src/test/resources/RimSignCert.pem new file mode 100644 index 000000000..9d37a2fac --- /dev/null +++ b/tools/tcg_rim_tool/src/test/resources/RimSignCert.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDoTCCAomgAwIBAgIJAPB+r6VBhBn5MA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UECgwHRXhhbXBsZTERMA8GA1UECwwI +UENDbGllbnQxEjAQBgNVBAMMCUV4YW1wbGVDQTAeFw0yMDAzMTExODExMjJaFw0z +MDAxMTgxODExMjJaMFwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UE +CgwHRXhhbXBsZTERMA8GA1UECwwIUENDbGllbnQxGzAZBgNVBAMMEmV4YW1wbGUu +UklNLnNpZ25lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKd1lWGk +SRuxAAY2wHag2GVxUk1dZx2PTpfQOflvLeccAVwa8mQhlsRERq+QK8ilj8Xfqs44 +/nBaccZDOjdfIxIUCMfwhGXjxCaqZbgTucNsExDnu4arTGraoAwzHg0cVLiKT/Cx +j9NL4dcMgxRXsPdHfXb0923C7xYd2t2qfW05umgaj7qeQl6c68CFNsGX4JA8rWFQ +ZvvGx5DGlK4KTcjPuQQINs5fxasNKqLY2hq+z82x/rqwr2hmyizD6FpFSyIABPEM +PfB036GEhRwu1WEMkq8yIp2jgRUoFYke9pB3ph9pVow0Hh4mNFSKD4pP41VSKY1n +us83mdkuukPy5o0CAwEAAaNvMG0wHQYDVR0OBBYEFC/euOfQMKIgnaoBhhqWT+3s +8rzBMB8GA1UdIwQYMBaAFEahuO3bpnFf0NLneoo8XW6aw5Y4MAkGA1UdEwQCMAAw +CwYDVR0PBAQDAgbAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUA +A4IBAQBl2Bu9xpnHCCeeebjx+ILQXJXBd6q5+NQlV3zzBrf0bleZRtsOmsuFvWQo +KQxsfZuk7QcSvVd/1v8mqwJ0PwbFKQmrhIPWP+iowiBNqpG5PH9YxhpHQ1osOfib +NLOXMhudIQRY0yAgqQf+MOlXYa0stX8gkgftVBDRutuMKyOTf4a6d8TUcbG2Rnyz +O/6S9bq4cPDYLqWRBM+aGN8e00UWTKpBl6/1EU8wkJA6WdllK2e8mVkXUPWYyHTZ +0qQnrYiuLr36ycAznABDzEAoj4tMZbjIAfuscty6Ggzxl1WbyZLI6YzyXALwaYvr +crTLeyFynlKxuCfDnr1SAHDM65BY +-----END CERTIFICATE----- 
diff --git a/tools/tcg_rim_tool/src/test/resources/TpmLog.bin b/tools/tcg_rim_tool/src/test/resources/TpmLog.bin new file mode 100644 index 0000000000000000000000000000000000000000..0b8f1f398d51035bc91afbe8400d4888a28d5669 GIT binary patch literal 7549 zcmds53p`a>+h2!6H)=?dq+LukI^;4cmCNBAxieB{D&BHAZX@U9mIif5nUNZairneu zQp}Wyq6@02K{H)mgj^eyq^o4S&)WN_P+#Ny=J)&heQW>rUhAyAp6CC6*7K~jo_!EP zNEGf5m08fag3om(Oj!gwfa~q2u0;(KK_WD0O+Wlph?h|Ve9UlZ!23O^DykICyO6^xhF!iW#)@Hjb%6?P>>0o5n5keZ!_oTo4uA#OWU*I))Mz&c4)|qjT%7^|5Zq<|bFwt~%T4 zG-1d1*mE~erw5%;uoStY4Wk_!TX$aFdqXNq5;YwVogXzGqeH<2a9M%4$Qk(~AE*rx z4=z81hQc%)DI9-liEdW9rTrx@mwT^M`bB+HqOw=ty zu}$$W2wOVf`9#FbideWY@vhyjWhL{UH0<8;tojkH*Sr_A9juwjPK7CK(#1b5-$)?; zFYkD+(8v#b*)2Z3si(Q*UgDBo3m7d&{P8VRsOh8_uHF`gutgsugBZ<^3e+23vx~=F zB^a`Hr|IG{NWSIXl%$k!i?BX<{?@V=OScZt(NOf?4}R6*Cw1j|L2g%Z3%7J#T&QHi z&Oe)r^#^}j(EBg{{h7+zrtPGsM%5AjeMiN5+_%)y4h(vV*+`Janh!?bEa z$%-KlwX9AQ|J&nG>Vqj1`c2aI^#z0TM;ZMo+dCINOPiba$|^2cV6vX~fH-np9g zOZg&=-tChLo}gO+v|qDpcy`A7J7TYUSY0=GMxv{?QRs4`LywU~_8Y|W*u~oucQ$&B zWsgMHX19xA>kmv>v zN%YIa;0E*eW}a7=w#rP>!6c#~cj6g^D3y`u>_rlsG9|g}R9T~0;d>JJ3hVo2nFb{@ zuQzV;t#_FGltizl(22co!<}q=%JzWV*3ei_Ys++?EVhfUPRyI@d3Gea zVaNQ1Uu1`q2JR-H}ecZe`4CWTSj41 zvrNzTN-{>Ge}64VJap2G!2J)}oITkkwLUY|@{1AQ*u2ez{`wJJ==ToN_IC%%-}8HM zpIU*EPLajo`*oqa!y*ME(WC8Z3%}{>7HD=>8M&-#Xy+jpYq>4u8cDyfXKHpHkS1+! z`kjOEnx2ks#r;dOHBk?>NSz8R%;8N-;9zt-d$8XLcUt>}^N4ocRFpnzIq#aPO*He7 zXN`9XePWKV$fn(MOc5+d2Po*KTVR+~#OZJnZ zZ;yN1sV(~wbz3!9e7o2#T%w@)gr?WJO`wJV2ImY-g=B}0PNEbOR6H+pIufNw&$f<|ewMJK(7{(k zgibd`_HYIpBU7j?0l^upo*gfrA>Lxq<{jc-A?lRxE4I z3XWNWDT_$U>G4gq>F-(4mpR8XfaxdGyzW)X~WY6E>*CVixz>+s$h*X zTpG}FMOrY<37%iWma&lq_+$lKEVzw;u_1U& z6WFRFCOiq~TLtf!z+3|?*M|N@aD5{jqlK1(9s=-0XcDNJDN5#fG@3XPlMEYnE+At zHt)!SXRb;bBe^m(OD;E+nlNeQ-OE(RuVgqaQC!s5^}KSouKsZ~xu*L(F9ij*8B`a9xa+_@3t54R9lO3tbV?H}Ww3h!_k%3Yh}uJGP^Fo$^XhCKqu1P@v` zUL2wA2&=>go&lsClt-4sswQA1sKc5tf=iv;C-6!)h8{z>7DKHA>qG-?JPNP;k!u9W zh>D5Bp8TQpfp-S@9um-?o`7`Sd``Zy`oll&whF^yUH_El#XglbTbp?*$D1pXR%xA? 
z2cwJ}y}UfU-3Yd^DZ%9Py*!*9{XBTygsTs417XPH`4QH9+yO($eTUNgcfSPiXv}GJ zQo;;=lu~%#A3YY97`+t!N*TSB_;TJ#|f*P3YYu zsl{et|b%^Fd9qX!kW_G6T6>b7O&P;Tt&3RBIM?b`!RdqBGmYV6P#8gs=>aT zV|lf{??m~%b+NDYemmH~YU?;@I9X?ME4TwkhYiyfHcc9wlL)15)F2avL8KF`p6OWg zZ2W+-TlkyTanVX?vz|qs!Tqt5rvI=Fdlnag@UA{5W;*!AmsuR!P$O<&ndVt~leYO* zPDI2tL!~;lReUI4zFsh+68{f_%fJ!pq!(ff3}K!5k~=g3CnmM}2-x==VFmg@KfdwW z{8X9et8#wks~b{h%u(tUy(>$HXApxK#z3X?`>F&~MnM3F&E!77MH|q6gD=~1rNw?i zp=D@DuWGl*l;ZTnZg~YlplgWGLs>|axQSe`wrfLT>ciH z^wjDHZADtFh%)zr({ti06)e7#kT(CptT5a#L(VnB1YM?Z2lQVJA@EPl|8W1uw5~3h z^mCkPzR9jfq7qv!AOi|_K%a`W(fj|%_&4y68vmOe=0_nA%l6chb?Fj+K>(Xt&#;FG zSH;7?yp;1P`!`PYn|wdJTiJbMGAHCPGfR4fbbZ9B*I&Emfe+*aKarXI;t<(Ek9>g} z(ZXNz##hT8$R=`I6GBE!Wm1&Tw#Q?-Q_Z-`p$_r5PlqRxw_i{8mX# zB`rj`gDaOZjUlvfG?@iPe|I+VS>4W}ZPv%U^smcLlA;HT-WWHA#n10wZ!D35w#+-c z07lz#{rr8r@##dKMxQ#Oh64PPhaV2Le|8HV>WW`~lsR@IAyJ!_cq`y6qo>KCcb9Th zJiX{IkvM0c%jbhgSL6kft`O{=D4cw%`jjg^lqd~FzwPAberwLf^arPs0(iDD`YIW2 ziM7$z{eN+S%K7E1UPJ+qTvHDD$!uUU1e{FKaL@2iA52nknB&>g7mA%P?IK&Do94&} zyU2=0qtoZW(P9T5LT>Pxz=G6u18m|Juywl)`~3R<#9nb5D}L%s-sV=`e9oK0C%gVi z3=3>8^byR|zn}4A$*dl7?hUB9FZ=A~o^7~7?BLy8fu6g1Gpnt=qBXLEkgwH9rt^5V zQZb&7NcQSN_NMRq8+`_m6WgPgoSD6f%iQWvwf>I^uZpsXU2j&ZBuS@FPw^f2DS(Rm zY%1{QS^bl^mm>T03`hPRRT0n=C%J$l2ZT*k3zvZo;8X+x=BqN+RFoiyf*k Z3Uxc}%4JljeszIlpGQT``p - + 
@@ -17,14 +17,14 @@ - e3V54WPCVKryiRHONI37GttXgePQDEYz1GGPcpity5E= + h/jXVVy84NklF+ym8qeNfDEohLKKNLhr35iZ6vage7M= - OMPKPXsLr0wbtQuUTlGAD9W0fkqmw8XJ3nQHc/LsRpzCZWdN/xtfxe3JleLbXcUt4PItqj1uB5Eg -8iBWyBSy+WJYvsoROjLjZ1sUQ92jMdCO69uBjaIihn1HS2H/YnB4trjc92AUIdhoJZt9KF90IlJQ -zu3HTmQfeRYs/c6Ck1k3bL1jnyWoNzhBqCuPYrZtPbv9opVP0YOxM5IjRkRgkZIDgYbh1k4WXw8O -/iIMZuVJDfKQJSNCTAZsIbUatGDQc/nOihLHdI90wG8zu9amgrl1AEKzH8z864Fan5uuXolfAaak -sLJl6RPCNcp+JNCXMMZiS8bmYPQnVJc1ze0I1A== + huu759PPTMaugu+6/c3JAv/Cb6eCiRxK5i5Mx2IpptDDjbDh9P1931KPEivmG8eZHgbGRFDgUviB +qHcvd4A8KpIdx1GfebPBGBVqnAHvIgAQp1ZOMFIjtYsJTFKrwG12Yc7uA8qdGLCXZ8OlEvim3P/9 +VECXziVXAaEdC4IlaAt86XfbK+z5r2hFKSErYJZws45x1oZcBVXo9wZd7x0EyU0rMTGQbV5QbDsP +LOuWmG2t9jlR7Yu7gxJbhFrPJdI/Q6+JsmsnqKB47dVtXCp84lrlZg48S/nZ0OC62EmEHvzilx4C +y2fM/M0LbkZc5Ms8HD92YBsNF3UL3bHxnJT+YQ== 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 diff --git a/tools/tcg_rim_tool/src/test/resources/generated_with_cert.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_with_cert.swidtag index 336ea3443..72e8e2f82 100644 --- a/tools/tcg_rim_tool/src/test/resources/generated_with_cert.swidtag +++ b/tools/tcg_rim_tool/src/test/resources/generated_with_cert.swidtag @@ -5,7 +5,7 @@ - + 
@@ -17,14 +17,14 @@ - e3V54WPCVKryiRHONI37GttXgePQDEYz1GGPcpity5E= + h/jXVVy84NklF+ym8qeNfDEohLKKNLhr35iZ6vage7M= - OMPKPXsLr0wbtQuUTlGAD9W0fkqmw8XJ3nQHc/LsRpzCZWdN/xtfxe3JleLbXcUt4PItqj1uB5Eg -8iBWyBSy+WJYvsoROjLjZ1sUQ92jMdCO69uBjaIihn1HS2H/YnB4trjc92AUIdhoJZt9KF90IlJQ -zu3HTmQfeRYs/c6Ck1k3bL1jnyWoNzhBqCuPYrZtPbv9opVP0YOxM5IjRkRgkZIDgYbh1k4WXw8O -/iIMZuVJDfKQJSNCTAZsIbUatGDQc/nOihLHdI90wG8zu9amgrl1AEKzH8z864Fan5uuXolfAaak -sLJl6RPCNcp+JNCXMMZiS8bmYPQnVJc1ze0I1A== + huu759PPTMaugu+6/c3JAv/Cb6eCiRxK5i5Mx2IpptDDjbDh9P1931KPEivmG8eZHgbGRFDgUviB +qHcvd4A8KpIdx1GfebPBGBVqnAHvIgAQp1ZOMFIjtYsJTFKrwG12Yc7uA8qdGLCXZ8OlEvim3P/9 +VECXziVXAaEdC4IlaAt86XfbK+z5r2hFKSErYJZws45x1oZcBVXo9wZd7x0EyU0rMTGQbV5QbDsP +LOuWmG2t9jlR7Yu7gxJbhFrPJdI/Q6+JsmsnqKB47dVtXCp84lrlZg48S/nZ0OC62EmEHvzilx4C +y2fM/M0LbkZc5Ms8HD92YBsNF3UL3bHxnJT+YQ== CN=example.RIM.signer,OU=PCClient,O=Example,ST=VA,C=US diff --git a/tools/tcg_rim_tool/src/test/resources/privateRimKey.pem b/tools/tcg_rim_tool/src/test/resources/privateRimKey.pem new file mode 100644 index 000000000..afe282c48 --- /dev/null +++ b/tools/tcg_rim_tool/src/test/resources/privateRimKey.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCndZVhpEkbsQAG +NsB2oNhlcVJNXWcdj06X0Dn5by3nHAFcGvJkIZbEREavkCvIpY/F36rOOP5wWnHG +Qzo3XyMSFAjH8IRl48QmqmW4E7nDbBMQ57uGq0xq2qAMMx4NHFS4ik/wsY/TS+HX +DIMUV7D3R3129Pdtwu8WHdrdqn1tObpoGo+6nkJenOvAhTbBl+CQPK1hUGb7xseQ +xpSuCk3Iz7kECDbOX8WrDSqi2Noavs/Nsf66sK9oZsosw+haRUsiAATxDD3wdN+h +hIUcLtVhDJKvMiKdo4EVKBWJHvaQd6YfaVaMNB4eJjRUig+KT+NVUimNZ7rPN5nZ +LrpD8uaNAgMBAAECggEAcnG8npd9U0x7HMQMcsZoPaPdwHvF/gCzkLNA+8RM1bZh +A4ZzA5WlCQs0V8Wq9pyXjn7Wp8txsG1PdlT5k2AUgsVoXuR0R4IKyvYHQG9StEjH +GvWURmwJdLlnSg8hSYqEJ/52taNUDO6+MI8fgiaQDd8w0ryF4OCpLy9GJdnfkGYZ +Ayemb3USFUdj/S67NVqxnvAfFMM5FqkKGhkoy7wBRgO6eOeJvoTq8LMiPiponwwF +DW409ZStbrk1f1Oszst/UvFUWA9BdDfeoPmFR61y3eB5zlMQG8Mhr2v5hvkj9TPX +FU4Fm4EzZ1h/60cdWoP6XYCP7F2NqZ8N8u4UBQNAIQKBgQDcGIw5GJEvRF+FFTTR +hYatMRn80DGTVjdT32MgajdKx05OWxBmQsFob34fiSnr0wAXPJeDXG4ruMBE2bSk +EC8rCO08G8ihQoH8x0cvuERe1fpVWk3RWNucVGIiJSEXAIwWrlYZLTfYd5GqBkPE +OQxxo4MtOyqeHmVH1mOywk9ABQKBgQDCxt95luzqQZV9Xl78QQvOIbjOdHLjY23Z +yp8sGt9birL/WZ33TCRgmH1e61BdrSqO7Om/ail2Y59XM5UU6kLbDj0IgmOPTsrJ +JmIVf8r3bKltVUaLePgr4yex7dmtHRH8OkLXKnE0RCO0kCi9kJMB12yE3pWxk+Pu +zztQd3a66QKBgBNJd2g9deONe01fOVyu9clRhzR3ThDaOkj4R2h8xlGgO4V0R3Ce +ovIy6vt6epj2yYg/wAs720+rhfXCmijSXj/ILXnZ+W/gMyHimKNe42boG2LFYhJZ +Vg1R+7OAS3EHlD8ckeDs7Hrkp3gdymx0j1mZ+ZHKIIbwpPFxoRT2IBm9AoGBAI0Z +bIK0puP8psKvPrgWluq42xwUl7XKLaX8dtqIjQ3PqGP7E8g2TJP9Y7UDWrDB5Xas +gZi821R8Ts3o/DKukcgGxIgJjP4f4h9dwug4L1yWRxaBFB2tgHqqj/MBjxMtX/4M +Zqdgg6mNQyBm3lyVAynuWRrX9DE0JYa2cQ2VvVkhAoGBAMBv/oT813w00759PmkO +Uxv3LXTJuYBbq0Rmga25jN3ow8LrGQdSVg7F/af3I5KUF7mLiegDy1pkRfauyXH7 ++WhEqnf86vDrzPpytDMxinWOQZusCqeWHb+nuVTuL3Fv+GxEdwVGYI/7lFJ7B//h +P5rU93ZoYY7sWcGVqaaEkMRU +-----END PRIVATE KEY----- From 64ddc39c2c0a0b779c12897945b7f81097ec8778 Mon Sep 17 00:00:00 2001 
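Review bot: privateRimKey.pem is a plaintext PKCS#8 private key committed under src/test/resources, paired with RimSignCert.pem; that is fine for a fixture, but from this commit on the key is public, so anything signed with it carries no authenticity guarantee and the pair must never be reused for real RIM signing or end up in the packaged RPM alongside keystore.jks. A short comment in TestSwidTagGateway (or a README next to the files) stating that they are throwaway test credentials makes that explicit for the next maintainer.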
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 15 Jun 2020 09:54:57 -0400 Subject: [PATCH 2/3] Add validation of support RIM in payload --- .../main/java/hirs/swid/SwidTagGateway.java | 20 ++++++++++++++++++- .../java/hirs/swid/TestSwidTagGateway.java | 6 ++---- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 05ac3b27c..f57e875d3 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -75,6 +75,7 @@ import hirs.swid.xjc.Directory; import hirs.swid.xjc.Entity; import hirs.swid.xjc.Link; +import hirs.swid.xjc.Meta; import hirs.swid.xjc.ObjectFactory; import hirs.swid.xjc.ResourceCollection; import hirs.swid.xjc.SoftwareIdentity; @@ -229,6 +230,8 @@ public boolean validateSwidTag(String path) throws IOException { si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n"); si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n"); System.out.println(si.toString()); + Element file = (Element) document.getElementsByTagName("File").item(0); + validateFile(file); System.out.println("Signature core validity: " + validateSignedXMLDocument(document)); return true; } 
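Review bot: The result of `validateFile(file)` is discarded and validateSwidTag still ends in `return true`, so a support RIM whose hash does not match only prints a message while the tag is reported valid; capture both checks, `boolean payloadOk = validateFile(file);` and `boolean signatureOk = validateSignedXMLDocument(document);`, and `return payloadOk && signatureOk;`. `document.getElementsByTagName("File").item(0)` is null for a tag without a File element, which then surfaces as a NullPointerException inside validateFile instead of a validation failure. The payload check also runs before the signature is verified, so a path read from a not-yet-authenticated document is opened and hashed; verifying the signature first and only then acting on payload contents is the safer order. The added `import hirs.swid.xjc.Meta` is not used by anything in the visible hunks.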
@@ -430,7 +433,22 @@ private hirs.swid.xjc.File createFile() { return file; } - /** + /** + * This method validates a hirs.swid.xjc.File from an indirect payload + */ + private boolean validateFile(Element file) { + String filepath = file.getAttribute(SwidTagConstants.NAME); + System.out.println("Support rim found at " + filepath); + if (HashSwid.get256Hash(filepath).equals(file.getAttribute(_SHA256_HASH.getPrefix() + ":" + _SHA256_HASH.getLocalPart()))) { + System.out.println("Support RIM hash verified!"); + return true; + } else { + System.out.println("Support RIM hash does not match Base RIM!"); + return false; + } + } + + /** * This method creates a hirs.swid.xjc.File from a direct payload type. * * @param jsonObject diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java index a50cc0e30..5088f876c 100644 --- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java +++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java @@ -44,10 +44,8 @@ public void tearDown() throws Exception { @Test public void testCreateBaseWithCert() throws URISyntaxException { gateway.setDefaultCredentials(false); - gateway.setPemCertificateFile( - Paths.get(this.getClass().getResource(certificateFile).toURI()).toString()); - gateway.setPemPrivateKeyFile( - Paths.get(this.getClass().getResource(privateKeyFile).toURI()).toString()); + gateway.setPemCertificateFile(certificateFile); + gateway.setPemPrivateKeyFile(privateKeyFile); gateway.generateSwidTag(DEFAULT_OUTPUT); expectedFile = (InputStream) TestSwidTagGateway.class.getClassLoader().getResourceAsStream(DEFAULT_WITH_CERT); Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); From 3747c1911eca79964e0a34022bc42cb3734eee9d Mon Sep 17 00:00:00 2001 
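Review bot: validateFile takes the path to open straight from the tag's `name` attribute and hands it to `HashSwid.get256Hash(filepath)`, so the document under verification chooses which local file the tool reads; confine it by resolving the name against a caller-supplied directory and rejecting anything outside it (`base.resolve(name).normalize().startsWith(base)`). get256Hash returns null when the file cannot be read, and `.equals` is then invoked on that null, so an unreadable support RIM gives a NullPointerException instead of the "does not match" message — compare in the other direction, `file.getAttribute(...).equals(HashSwid.get256Hash(filepath))`, or null-check first. Building the attribute key as `getPrefix() + ":" + getLocalPart()` ties the lookup to the exact prefix used when the tag was written; `file.getAttributeNS(_SHA256_HASH.getNamespaceURI(), _SHA256_HASH.getLocalPart())` is prefix-independent. The Javadoc should state that `file` must be non-null and what the boolean means, and the status lines belong on `System.err` rather than mixed into stdout.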
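Review bot: Reverting testCreateBaseWithCert to `gateway.setPemCertificateFile(certificateFile)` with the bare resource name makes the test depend on the working directory again, since the PEM files are opened as paths rather than from the classpath, and leaves the `java.nio.file.Paths` import and the `throws URISyntaxException` clause added in PATCH 1 without a use. If all three fixtures are meant to resolve relative to the working directory, the test task in build.gradle should set that directory and the class Javadoc should say so; otherwise keep the classpath resolution.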
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 15 Jun 2020 17:49:37 -0400 Subject: [PATCH 3/3] Update packaging script to install to /opt/hirs/rimtool --- tools/tcg_rim_tool/build.gradle | 6 ++--- tools/tcg_rim_tool/package.sh | 2 +- .../main/java/hirs/swid/SwidTagConstants.java | 2 +- .../main/java/hirs/swid/utils/HashSwid.java | 26 ++++++++++++------- tools/tcg_rim_tool/tcg_rim_tool.spec | 14 +++++++--- 5 files changed, 32 insertions(+), 18 deletions(-) diff --git a/tools/tcg_rim_tool/build.gradle b/tools/tcg_rim_tool/build.gradle index 15dc46931..22a7ae168 100644 --- a/tools/tcg_rim_tool/build.gradle +++ b/tools/tcg_rim_tool/build.gradle @@ -6,10 +6,8 @@ repositories { } dependencies { - compile libs.minimal_json - compile libs.jcommander - compile libs.bouncy_castle - testCompile libs.testng + compile 'com.eclipsesource.minimal-json:minimal-json:0.9.5', 'com.beust:jcommander:1.72', 'org.bouncycastle:bcmail-jdk15on:1.59' + testCompile 'org.testng:testng:6.8.8' } jar { diff --git a/tools/tcg_rim_tool/package.sh b/tools/tcg_rim_tool/package.sh index bca6e5f8a..a84faf857 100755 --- a/tools/tcg_rim_tool/package.sh +++ b/tools/tcg_rim_tool/package.sh @@ -6,7 +6,7 @@ pushd $SCRIPT_DIR name="tcg_rim_tool" -tar -cf $name.tar build.gradle gradle* src/ docs/ +tar -cf $name.tar build.gradle gradle* src/ docs/ rim_fields.json keystore.jks gzip $name.tar if [ -d rpmbuild ]; then rm -rf rpmbuild diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java index 1e19a0a55..d8f7f10e2 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java 
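Review bot: Replacing the shared `libs.minimal_json` / `libs.jcommander` / `libs.bouncy_castle` / `libs.testng` references with inline coordinates detaches this module from the repository's central version pins, so a future dependency bump elsewhere will silently leave `bcmail-jdk15on:1.59` and the others behind here. If the module must build standalone (the packaging change suggests that is the motive), a comment saying so and a reminder that these versions now need manual tracking would save the next reviewer a question.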
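Review bot: Adding `keystore.jks` to the tarball (and installing it under /opt/hirs/rimtool in the spec hunk of this patch) ships a signing keystore whose password and alias are the compile-time defaults `"password"` / `"selfsigned"` in SwidTagConstants, so every installation signs with the same publicly known key and a RIM signed with default credentials proves nothing about its origin. Either leave the keystore out of the package and require `-k`/`-p` or a site-provisioned keystore, or install it as a clearly labelled development default and have the tool warn whenever it is used.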
@@ -15,7 +15,7 @@ public class SwidTagConstants { public static final String DEFAULT_KEYSTORE_PATH = "keystore.jks"; public static final String DEFAULT_KEYSTORE_PASSWORD = "password"; public static final String DEFAULT_PRIVATE_KEY_ALIAS = "selfsigned"; - public static final String DEFAULT_ATTRIBUTES_FILE = "/etc/hirs/rim_fields.json"; + public static final String DEFAULT_ATTRIBUTES_FILE = "rim_fields.json"; public static final String DEFAULT_ENGLISH = "en"; public static final String SIGNATURE_ALGORITHM_RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"; diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/HashSwid.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/HashSwid.java index 6d9ae8d79..1b33f6bf0 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/HashSwid.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/HashSwid.java @@ -4,6 +4,8 @@ import java.io.FileInputStream; import java.io.IOException; import java.io.UnsupportedEncodingException; +import java.nio.file.Files; +import java.nio.file.Paths; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.util.Base64; @@ -24,8 +26,8 @@ public class HashSwid { * @param value * @return */ - public static String get256Hash(String value) { - return getHashValue(value, SHA256); + public static String get256Hash(String filepath) { + return getHashValue(filepath, SHA256); } /** @@ -33,8 +35,8 @@ public static String get256Hash(String value) { * @param value * @return */ - public String get384Hash(String value) { - return getHashValue(value, SHA384); + public String get384Hash(String filepath) { + return getHashValue(filepath, SHA384); } /** 
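Review bot: Changing DEFAULT_ATTRIBUTES_FILE from `/etc/hirs/rim_fields.json` to the relative `rim_fields.json` makes the default depend on the working directory, while the spec in this patch installs the file to /opt/hirs/rimtool/, so invoked from anywhere else the tool will not find its attributes — or will pick up an unrelated rim_fields.json from the current directory. Point the constant at the installed location, `"/opt/hirs/rimtool/rim_fields.json"`, or resolve the default relative to the jar's own location, and record in the constant's Javadoc where the file is expected to live. The same reasoning applies to `DEFAULT_KEYSTORE_PATH = "keystore.jks"` on the context line above, which the spec also installs to that directory.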
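Review bot: The parameter renames to `filepath` in get256Hash and get384Hash change what the argument means — a file to read rather than a string to digest — but the Javadoc above each still reads `@param value`; update them to `@param filepath path of the file whose contents are hashed` and note that the result is null when the file cannot be read (see getHashValue in the next hunk). get256Hash is static while get384Hash and get512Hash are instance methods on a class with no visible state, which is worth unifying while these signatures are being touched.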
@@ -42,24 +44,28 @@ public String get384Hash(String value) { * @param value * @return */ - public String get512Hash(String value) { - return getHashValue(value, SHA512); + public String get512Hash(String filepath) { + return getHashValue(filepath, SHA512); } /** * This method creates the hash based on the provided algorithm and salt * only accessible through helper methods. + * + * This method assumes an input file that is small enough to read in its + * entirety. Large files should be handled similarly to the public static + * getHashValue() below. * - * @param value string object to hash + * @param filepath file contents to hash * @param salt random value to make the hash stronger * @param sha the algorithm to use for the hash * @return */ - private static String getHashValue(String value, String sha) { + private static String getHashValue(String filepath, String sha) { String resultString = null; try { MessageDigest md = MessageDigest.getInstance(sha); - byte[] bytes = md.digest(value.getBytes(ENCODING)); + byte[] bytes = md.digest(Files.readAllBytes(Paths.get(filepath))); StringBuilder sb = new StringBuilder(); for (int i = 0; i < bytes.length; i++) { @@ -68,6 +74,8 @@ private static String getHashValue(String value, String sha) { resultString = sb.toString(); } catch (UnsupportedEncodingException | NoSuchAlgorithmException grex) { System.out.println(grex.getMessage()); + } catch (IOException e) { + System.out.println("Error reading in file to hash: " + e.getMessage()); } return resultString; diff --git a/tools/tcg_rim_tool/tcg_rim_tool.spec b/tools/tcg_rim_tool/tcg_rim_tool.spec index 2e2b23974..8ffc676ac 100644 --- a/tools/tcg_rim_tool/tcg_rim_tool.spec +++ b/tools/tcg_rim_tool/tcg_rim_tool.spec 
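Review bot: getHashValue now returns null whenever the file cannot be read or the algorithm is unavailable, after printing to stdout, and both callers in this series dereference the result (addNonNullAttribute with `value.isEmpty()`, validateFile with `.equals`), so an I/O failure surfaces as a NullPointerException far from its cause; throw instead — `throw new UncheckedIOException("cannot hash " + filepath, e);` — or at minimum document the null in `@return`. The Javadoc still lists a `@param salt` the method does not take, and the `UnsupportedEncodingException` arm of the multi-catch is now unreachable in practice since `value.getBytes(ENCODING)` is gone (it stays legal only because it is a subclass of the IOException that `Files.readAllBytes` declares). The new comment refers to "the public static getHashValue() below", which is not visible in this hunk — confirm that method exists or name the right one; a `DigestInputStream` loop would also remove the file-size caveat the comment introduces.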
@@ -16,17 +16,25 @@ This tool will generate a root RIM file for PC clients in accordance with the sc %prep %setup -q -c -n %{name} +%pre +rm -f /opt/hirs/rimtool/%{name}*.jar %build ./gradlew build %install -mkdir -p %{buildroot}/opt/hirs/rim/ -cp build/libs/%{name}-%{version}.jar %{buildroot}/opt/hirs/rim/ +mkdir -p %{buildroot}/opt/hirs/rimtool/ +cp build/libs/%{name}-%{version}.jar %{buildroot}/opt/hirs/rimtool/ +cp ./rim_fields.json %{buildroot}/opt/hirs/rimtool/ +cp ./keystore.jks %{buildroot}/opt/hirs/rimtool/ %files -/opt/hirs/rim/%{name}-%{version}.jar +/opt/hirs/rimtool/%{name}-%{version}.jar +/opt/hirs/rimtool/rim_fields.json +/opt/hirs/rimtool/keystore.jks %changelog +* Mon Jun 15 2020 chubtub +- First release * Mon Jan 6 2020 chubtub - First change
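Review bot: The `%files` section installs `keystore.jks` with default permissions and no `%attr`, so the signing keystore (whose password is the compile-time default in SwidTagConstants) is readable by every local user under /opt/hirs/rimtool; mark it `%attr(0600, root, root)` (or the account that runs the tool) and mark `rim_fields.json` as `%config(noreplace)` so site edits survive upgrades. The `%pre` `rm -f /opt/hirs/rimtool/%{name}*.jar` deletes files that rpm already tracks for the previous version, which interferes with its own upgrade bookkeeping; let rpm replace the old jar, or handle removal in `%postun` keyed on `$1`. The new `%changelog` entry should carry the version-release after the author (`* Mon Jun 15 2020 chubtub - <version>-<release>`), and "First release" for a second entry reads oddly next to January's "First change".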