From 0123a081a8f6c5d3fa0f43f82e42cd673daac337 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Thu, 12 Mar 2020 16:34:34 -0400 Subject: [PATCH] Implement --privateKeyFile and --publicCertificate in JCommander --- tools/tcg_rim_tool/RimSignCert.pem | 22 +++ tools/tcg_rim_tool/privateRimKey.pem | 28 ++++ .../main/java/hirs/swid/CredentialParser.java | 156 ++++++++++++++++++ .../src/main/java/hirs/swid/Main.java | 72 ++++---- .../main/java/hirs/swid/SwidTagGateway.java | 111 +++++-------- .../main/java/hirs/swid/utils/Commander.java | 46 ++---- 6 files changed, 297 insertions(+), 138 deletions(-) create mode 100644 tools/tcg_rim_tool/RimSignCert.pem create mode 100644 tools/tcg_rim_tool/privateRimKey.pem create mode 100644 tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java diff --git a/tools/tcg_rim_tool/RimSignCert.pem b/tools/tcg_rim_tool/RimSignCert.pem new file mode 100644 index 00000000..9d37a2fa --- /dev/null +++ b/tools/tcg_rim_tool/RimSignCert.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDoTCCAomgAwIBAgIJAPB+r6VBhBn5MA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UECgwHRXhhbXBsZTERMA8GA1UECwwI +UENDbGllbnQxEjAQBgNVBAMMCUV4YW1wbGVDQTAeFw0yMDAzMTExODExMjJaFw0z +MDAxMTgxODExMjJaMFwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UE +CgwHRXhhbXBsZTERMA8GA1UECwwIUENDbGllbnQxGzAZBgNVBAMMEmV4YW1wbGUu +UklNLnNpZ25lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKd1lWGk +SRuxAAY2wHag2GVxUk1dZx2PTpfQOflvLeccAVwa8mQhlsRERq+QK8ilj8Xfqs44 +/nBaccZDOjdfIxIUCMfwhGXjxCaqZbgTucNsExDnu4arTGraoAwzHg0cVLiKT/Cx +j9NL4dcMgxRXsPdHfXb0923C7xYd2t2qfW05umgaj7qeQl6c68CFNsGX4JA8rWFQ +ZvvGx5DGlK4KTcjPuQQINs5fxasNKqLY2hq+z82x/rqwr2hmyizD6FpFSyIABPEM +PfB036GEhRwu1WEMkq8yIp2jgRUoFYke9pB3ph9pVow0Hh4mNFSKD4pP41VSKY1n +us83mdkuukPy5o0CAwEAAaNvMG0wHQYDVR0OBBYEFC/euOfQMKIgnaoBhhqWT+3s +8rzBMB8GA1UdIwQYMBaAFEahuO3bpnFf0NLneoo8XW6aw5Y4MAkGA1UdEwQCMAAw +CwYDVR0PBAQDAgbAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUA +A4IBAQBl2Bu9xpnHCCeeebjx+ILQXJXBd6q5+NQlV3zzBrf0bleZRtsOmsuFvWQo +KQxsfZuk7QcSvVd/1v8mqwJ0PwbFKQmrhIPWP+iowiBNqpG5PH9YxhpHQ1osOfib +NLOXMhudIQRY0yAgqQf+MOlXYa0stX8gkgftVBDRutuMKyOTf4a6d8TUcbG2Rnyz +O/6S9bq4cPDYLqWRBM+aGN8e00UWTKpBl6/1EU8wkJA6WdllK2e8mVkXUPWYyHTZ +0qQnrYiuLr36ycAznABDzEAoj4tMZbjIAfuscty6Ggzxl1WbyZLI6YzyXALwaYvr +crTLeyFynlKxuCfDnr1SAHDM65BY +-----END CERTIFICATE----- diff --git a/tools/tcg_rim_tool/privateRimKey.pem b/tools/tcg_rim_tool/privateRimKey.pem new file mode 100644 index 00000000..afe282c4 --- /dev/null +++ b/tools/tcg_rim_tool/privateRimKey.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCndZVhpEkbsQAG +NsB2oNhlcVJNXWcdj06X0Dn5by3nHAFcGvJkIZbEREavkCvIpY/F36rOOP5wWnHG +Qzo3XyMSFAjH8IRl48QmqmW4E7nDbBMQ57uGq0xq2qAMMx4NHFS4ik/wsY/TS+HX +DIMUV7D3R3129Pdtwu8WHdrdqn1tObpoGo+6nkJenOvAhTbBl+CQPK1hUGb7xseQ +xpSuCk3Iz7kECDbOX8WrDSqi2Noavs/Nsf66sK9oZsosw+haRUsiAATxDD3wdN+h +hIUcLtVhDJKvMiKdo4EVKBWJHvaQd6YfaVaMNB4eJjRUig+KT+NVUimNZ7rPN5nZ +LrpD8uaNAgMBAAECggEAcnG8npd9U0x7HMQMcsZoPaPdwHvF/gCzkLNA+8RM1bZh +A4ZzA5WlCQs0V8Wq9pyXjn7Wp8txsG1PdlT5k2AUgsVoXuR0R4IKyvYHQG9StEjH +GvWURmwJdLlnSg8hSYqEJ/52taNUDO6+MI8fgiaQDd8w0ryF4OCpLy9GJdnfkGYZ +Ayemb3USFUdj/S67NVqxnvAfFMM5FqkKGhkoy7wBRgO6eOeJvoTq8LMiPiponwwF +DW409ZStbrk1f1Oszst/UvFUWA9BdDfeoPmFR61y3eB5zlMQG8Mhr2v5hvkj9TPX +FU4Fm4EzZ1h/60cdWoP6XYCP7F2NqZ8N8u4UBQNAIQKBgQDcGIw5GJEvRF+FFTTR +hYatMRn80DGTVjdT32MgajdKx05OWxBmQsFob34fiSnr0wAXPJeDXG4ruMBE2bSk +EC8rCO08G8ihQoH8x0cvuERe1fpVWk3RWNucVGIiJSEXAIwWrlYZLTfYd5GqBkPE +OQxxo4MtOyqeHmVH1mOywk9ABQKBgQDCxt95luzqQZV9Xl78QQvOIbjOdHLjY23Z +yp8sGt9birL/WZ33TCRgmH1e61BdrSqO7Om/ail2Y59XM5UU6kLbDj0IgmOPTsrJ +JmIVf8r3bKltVUaLePgr4yex7dmtHRH8OkLXKnE0RCO0kCi9kJMB12yE3pWxk+Pu +zztQd3a66QKBgBNJd2g9deONe01fOVyu9clRhzR3ThDaOkj4R2h8xlGgO4V0R3Ce +ovIy6vt6epj2yYg/wAs720+rhfXCmijSXj/ILXnZ+W/gMyHimKNe42boG2LFYhJZ +Vg1R+7OAS3EHlD8ckeDs7Hrkp3gdymx0j1mZ+ZHKIIbwpPFxoRT2IBm9AoGBAI0Z +bIK0puP8psKvPrgWluq42xwUl7XKLaX8dtqIjQ3PqGP7E8g2TJP9Y7UDWrDB5Xas +gZi821R8Ts3o/DKukcgGxIgJjP4f4h9dwug4L1yWRxaBFB2tgHqqj/MBjxMtX/4M +Zqdgg6mNQyBm3lyVAynuWRrX9DE0JYa2cQ2VvVkhAoGBAMBv/oT813w00759PmkO +Uxv3LXTJuYBbq0Rmga25jN3ow8LrGQdSVg7F/af3I5KUF7mLiegDy1pkRfauyXH7 ++WhEqnf86vDrzPpytDMxinWOQZusCqeWHb+nuVTuL3Fv+GxEdwVGYI/7lFJ7B//h +P5rU93ZoYY7sWcGVqaaEkMRU +-----END PRIVATE KEY----- diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java new file mode 100644 index 00000000..0f3198cb --- /dev/null 
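Review bot: privateRimKey.pem is an unencrypted PKCS#8 private key committed at the tool's root next to its certificate RimSignCert.pem, presumably as the sample input for the new `-k`/`-p` path, so every checkout shares the same signing key and a RIM signed with it proves nothing about who produced it. If it is meant only for development and tests, name it as such (for example a `sample` or `test` prefix) and say so in the tool's README and in the `-k` help text; a real deployment needs a key generated and held outside the repository. Whether any default path in SwidTagConstants points at this file is not visible in this hunk.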
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java 
@@ -0,0 +1,156 @@ +package hirs.swid; + +import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; +import org.bouncycastle.util.encoders.Base64; + +import java.io.*; +import java.security.*; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.PKCS8EncodedKeySpec; + +public class CredentialParser { + private static final String X509 = "X.509"; + private static final String JKS = "JKS"; + private static final String PEM = "PEM"; + private X509Certificate certificate; + private PrivateKey privateKey; + private PublicKey publicKey; + + public X509Certificate getCertificate() { + return certificate; + } + + public PrivateKey getPrivateKey() { + return privateKey; + } + + public PublicKey getPublicKey() { + return publicKey; + } + + public void parseJKSCredentials() { + KeyStore.PrivateKeyEntry privateKeyEntry = + parseKeystorePrivateKey(SwidTagConstants.DEFAULT_KEYSTORE_PATH, + SwidTagConstants.DEFAULT_PRIVATE_KEY_ALIAS, + SwidTagConstants.DEFAULT_KEYSTORE_PASSWORD); + certificate = (X509Certificate) privateKeyEntry.getCertificate(); + privateKey = privateKeyEntry.getPrivateKey(); + publicKey = certificate.getPublicKey(); + } + + public void parsePEMCredentials(String certificateFile, String privateKeyFile) throws FileNotFoundException { + certificate = parsePEMCertificate(certificateFile); + + /*User input on algorithm???*/ + privateKey = parsePEMPrivateKey(privateKeyFile, "RSA"); + + publicKey = certificate.getPublicKey(); + } + + /** + * This method returns the X509Certificate found in a PEM file. 
+ * @param filename + * @return + * @throws FileNotFoundException + */ + private X509Certificate parsePEMCertificate(String filename) throws FileNotFoundException { + X509Certificate certificate = null; + try { + FileInputStream fis = new FileInputStream(filename); + BufferedInputStream bis = new BufferedInputStream(fis); + CertificateFactory certificateFactory = CertificateFactory.getInstance(X509); + + while (bis.available() > 0) { + certificate = (X509Certificate) certificateFactory.generateCertificate(bis); + } + + + } catch (CertificateException e) { + System.out.println("Error in certificate factory: " + e.getMessage()); + } catch (IOException e) { + System.out.println("Error reading from input stream: " + e.getMessage()); + } + + return certificate; + } + + /** + * This method extracts the private key from a PEM file. + * @param filename + * @return + */ + private PrivateKey parsePEMPrivateKey(String filename, String algorithm) { + PrivateKey privateKey = null; + try { + File file = new File(filename); + FileInputStream fis = new FileInputStream(file); + DataInputStream dis = new DataInputStream(fis); + byte[] key = new byte[(int) file.length()]; + dis.readFully(key); + dis.close(); + + String privateKeyStr = new String(key); + privateKeyStr = privateKeyStr.replace("-----BEGIN PRIVATE KEY-----\n", ""); + privateKeyStr = privateKeyStr.replace("-----END PRIVATE KEY-----", ""); + + Base64 base64 = new Base64(); + byte[] decodedKey = base64.decode(privateKeyStr); + PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decodedKey); + KeyFactory keyFactory = KeyFactory.getInstance(algorithm); + + privateKey = keyFactory.generatePrivate(spec); + } catch (FileNotFoundException e) { + System.out.println("Unable to locate private key file: " + filename); + } catch (NoSuchAlgorithmException e) { + System.out.println("Unable to instantiate KeyFactory with algorithm: " + algorithm); + } catch (IOException e) { + System.out.println("IOException: " + e.getMessage()); + } 
catch (InvalidKeySpecException e) { + System.out.println("Error instantiating PKCS8EncodedKeySpec object: " + e.getMessage()); + } + + return privateKey; + } + + /** + * This method returns the private key in a JKS keystore. + * @param keystoreFile + * @param alias + * @param password + * @return KeyStore.PrivateKeyEntry + */ + private KeyStore.PrivateKeyEntry parseKeystorePrivateKey(String keystoreFile, String alias, String password) { + KeyStore keystore = null; + KeyStore.PrivateKeyEntry privateKey = null; + try { + keystore = KeyStore.getInstance("JKS"); + keystore.load(new FileInputStream(keystoreFile), password.toCharArray()); + privateKey = (KeyStore.PrivateKeyEntry) keystore.getEntry(alias, + new KeyStore.PasswordProtection(password.toCharArray())); + } catch (FileNotFoundException e) { + System.out.println("Cannot locate keystore " + keystoreFile); + } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException | IOException e) { + e.printStackTrace(); + } + + return privateKey; + } + + /** + * Utility method for extracting the subjectKeyIdentifier from an X509Certificate. + * The subjectKeyIdentifier is stored as a DER-encoded octet and will be converted to a String. + * @return + */ + public String getCertificateSubjectKeyIdentifier() throws IOException { + String decodedValue = null; + byte[] extension = certificate.getExtensionValue(SwidTagConstants.CERTIFICATE_SUBJECT_KEY_IDENTIFIER); + if (extension != null) { + decodedValue = JcaX509ExtensionUtils.parseExtensionValue(extension).toString(); + } + + return decodedValue; + } +} diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index f85a7813..da3baed2 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java 
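Review bot: `parsePEMCertificate` never closes the FileInputStream it opens, `parsePEMPrivateKey` closes `dis` only on the success path, `parseKeystorePrivateKey` leaks its FileInputStream the same way, and all three report every failure by printing and returning null, which `parsePEMCredentials` then dereferences in `certificate.getPublicKey()`. Two smaller defects on the private-key path: `new String(key)` decodes with the platform charset (use `StandardCharsets.US_ASCII`, which needs a `java.nio.charset` import), and `replace("-----BEGIN PRIVATE KEY-----\n", "")` leaves the header in place for CRLF files, so strip the marker without the newline if the Base64 decoder skips the remaining line breaks, as the unstripped body lines suggest it does. The rewrite below uses try-with-resources for the certificate reader; giving the key and keystore readers the same shape and throwing instead of returning null would let the caller report a usable error. `throws FileNotFoundException` on `parsePEMCertificate` and `parsePEMCredentials` is never raised, since the `IOException` catch already covers it.
```java
private X509Certificate parsePEMCertificate(String filename) throws FileNotFoundException {
    X509Certificate certificate = null;
    // try-with-resources closes both streams on every path, including the catch blocks
    try (FileInputStream fis = new FileInputStream(filename);
         BufferedInputStream bis = new BufferedInputStream(fis)) {
        CertificateFactory certificateFactory = CertificateFactory.getInstance(X509);
        while (bis.available() > 0) {
            certificate = (X509Certificate) certificateFactory.generateCertificate(bis);
        }
    } catch (CertificateException e) {
        System.out.println("Error in certificate factory: " + e.getMessage());
    } catch (IOException e) {
        System.out.println("Error reading from input stream: " + e.getMessage());
    }
    return certificate;
}
```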
@@ -3,6 +3,7 @@ package hirs.swid; import hirs.swid.utils.Commander; import com.beust.jcommander.JCommander; +import java.io.FileNotFoundException; import java.io.IOException; public class Main { 
@@ -16,44 +17,43 @@ public class Main { if (commander.isHelp()) { jc.usage(); System.out.println(commander.printHelpExamples()); - } else if (!commander.getVerifyFile().isEmpty()) { - System.out.println(commander.toString()); - String verifyFile = commander.getVerifyFile(); - String publicCertificate = commander.getPublicCertificate(); - if (!verifyFile.isEmpty() && !publicCertificate.isEmpty()) { - try { - gateway.validateSwidTag(verifyFile); - } catch (IOException e) { - System.out.println("Error validating RIM file: " + e.getMessage()); + } else { + if (!commander.getVerifyFile().isEmpty()) { + System.out.println(commander.toString()); + String verifyFile = commander.getVerifyFile(); + String publicCertificate = commander.getPublicCertificate(); + if (!verifyFile.isEmpty() && !publicCertificate.isEmpty()) { + try { + gateway.validateSwidTag(verifyFile); + } catch (IOException e) { + System.out.println("Error validating RIM file: " + e.getMessage()); + } + } else { + System.out.println("Need both a RIM file to validate and a public certificate to validate with!"); } } else { - System.out.println("Need both a RIM file to validate and a public certificate to validate with!"); - } - } else { - System.out.println(commander.toString()); - String createType = commander.getCreateType().toUpperCase(); - String attributesFile = commander.getAttributesFile(); - String privateKeyFile = commander.getPrivateKeyFile(); - String alias = commander.getAlias(); - String privateKeyPassword = commander.getPrivateKeyPassword(); - switch (createType) { - case "BASE": - if (!attributesFile.isEmpty()) { - gateway.setAttributesFile(attributesFile); - } - if (!privateKeyFile.isEmpty() && - !alias.isEmpty() && - !privateKeyPassword.isEmpty()) { - gateway.setKeystoreFile(privateKeyFile); - gateway.setPrivateKeyAlias(alias); - gateway.setPrivateKeyPassword(privateKeyPassword); - } - gateway.generateSwidTag(commander.getOutFile()); - break; - case "EVENTLOG": - break; - case "PCR": - break; + 
System.out.println(commander.toString()); + String createType = commander.getCreateType().toUpperCase(); + String attributesFile = commander.getAttributesFile(); + String certificateFile = commander.getPublicCertificate(); + String privateKeyFile = commander.getPrivateKeyFile(); + switch (createType) { + case "BASE": + if (!attributesFile.isEmpty()) { + gateway.setAttributesFile(attributesFile); + } + if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) { + gateway.setDefaultCredentials(false); + gateway.setPemCertificateFile(certificateFile); + gateway.setPemPrivateKeyFile(privateKeyFile); + } + gateway.generateSwidTag(commander.getOutFile()); + break; + case "EVENTLOG": + break; + case "PCR": + break; + } } } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 2c98fe52..8b800bd7 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -41,7 +41,6 @@ import javax.xml.crypto.dsig.spec.TransformParameterSpec; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; -import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; import org.w3c.dom.Document; import org.w3c.dom.NodeList; import org.xml.sax.SAXException; @@ -52,7 +51,6 @@ import java.io.InputStream; import java.io.ByteArrayInputStream; import java.io.BufferedReader; import java.io.FileNotFoundException; -import java.io.FileInputStream; import java.io.FileOutputStream; import java.nio.charset.StandardCharsets; @@ -60,7 +58,6 @@ import java.nio.file.Files; import java.nio.file.Paths; import java.security.*; -import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.ArrayList; 
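Review bot: When only one of `-p` and `-k` is supplied, the BASE branch silently keeps `defaultCredentials` and signs with the bundled keystore, so a mistyped certificate path yields a RIM signed by a key the user did not choose, while the verify branch just above already reports the equivalent "need both" case. Mirror that check: `} else if (!certificateFile.isEmpty() || !privateKeyFile.isEmpty()) {` / `System.out.println("Need both a private key file and a public certificate to sign with PEM credentials; using the default keystore.");` / `}`. Since this is the only place `setDefaultCredentials(false)` is called, the fallback rule belongs in the `-k` and `-p` help text as well. The enclosing main method begins before this hunk.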
@@ -114,15 +111,9 @@ public class SwidTagGateway { private Marshaller marshaller; private Unmarshaller unmarshaller; private String attributesFile; - /** - * The keystoreFile is used in signXMLDocument() to pass in the keystore path. - * The same method requires the keystore password and the alias of the private key, - * which would need to be passed in if not using the default keystore. - */ - private String keystoreFile; - private String privateKeyAlias; - private String privateKeyPassword; - private boolean showCert; + private boolean defaultCredentials; + private String pemPrivateKeyFile; + private String pemCertificateFile; /** * Default constructor initializes jaxbcontext, marshaller, and unmarshaller @@ -133,10 +124,8 @@ public class SwidTagGateway { marshaller = jaxbContext.createMarshaller(); unmarshaller = jaxbContext.createUnmarshaller(); attributesFile = SwidTagConstants.DEFAULT_ATTRIBUTES_FILE; - keystoreFile = SwidTagConstants.DEFAULT_KEYSTORE_PATH; - privateKeyAlias = SwidTagConstants.DEFAULT_PRIVATE_KEY_ALIAS; - privateKeyPassword = SwidTagConstants.DEFAULT_KEYSTORE_PASSWORD; - showCert = false; + defaultCredentials = true; + pemCertificateFile = ""; } catch (JAXBException e) { System.out.println("Error initializing jaxbcontext: " + e.getMessage()); } 
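Review bot: The constructor initialises `pemCertificateFile = ""` but leaves `pemPrivateKeyFile` null, so a caller that flips `setDefaultCredentials(false)` without both setters reaches `new File(null)` in CredentialParser and gets a NullPointerException instead of the "Unable to locate private key file" message. Initialise both alike: `pemPrivateKeyFile = "";`. The constructor's body begins before this hunk.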
@@ -151,35 +140,27 @@ public class SwidTagGateway { } /** - * Setter for String holding keystore path - * @param keystoreFile + * Setter for boolean governing signing credentials + * @param defaultCredentials + * @return */ - public void setKeystoreFile(String keystoreFile) { - this.keystoreFile = keystoreFile; + public void setDefaultCredentials(boolean defaultCredentials) { + this.defaultCredentials = defaultCredentials; } /** - * Setter for String holding private key alias - * @param privateKeyAlias + * Setter for private key file in PEM format + * @param pemPrivateKeyFile */ - public void setPrivateKeyAlias(String privateKeyAlias) { - this.privateKeyAlias = privateKeyAlias; + public void setPemPrivateKeyFile(String pemPrivateKeyFile) { + this.pemPrivateKeyFile = pemPrivateKeyFile; } - /** - * Setter for String holding private key password - * @param privateKeyPassword + /** Setter for certificate file in PEM format + * @param pemCertificateFile */ - public void setPrivateKeyPassword(String privateKeyPassword) { - this.privateKeyPassword = privateKeyPassword; - } - - /** - * Setter for boolean to display certificate block in xml signature - * @param showCert - */ - public void setShowCert(boolean showCert) { - this.showCert = showCert; + public void setPemCertificateFile(String pemCertificateFile) { + this.pemCertificateFile = pemCertificateFile; } /** 
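Review bot: The Javadoc on `setDefaultCredentials` carries a stray `@return` on a void method and does not say what "default" selects; since this flag decides which private key signs the RIM, it deserves a precise sentence, e.g. `Selects the signing credentials: true signs with the keystore at SwidTagConstants.DEFAULT_KEYSTORE_PATH, false with the PEM files given to setPemPrivateKeyFile and setPemCertificateFile (both required).` The comment on `setPemCertificateFile` also opens its text on the `/**` line, unlike the neighbouring setters.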
@@ -614,39 +595,45 @@ public class SwidTagGateway { sigFactory.newSignatureMethod(SwidTagConstants.SIGNATURE_ALGORITHM_RSA_SHA256, null), Collections.singletonList(reference) ); - KeyStore keystore = KeyStore.getInstance("JKS"); - keystore.load(new FileInputStream(keystoreFile), privateKeyPassword.toCharArray()); - KeyStore.PrivateKeyEntry privateKey = (KeyStore.PrivateKeyEntry) keystore.getEntry(privateKeyAlias, - new KeyStore.PasswordProtection(privateKeyPassword.toCharArray())); - X509Certificate certificate = (X509Certificate) privateKey.getCertificate(); - PublicKey publicKey = certificate.getPublicKey(); List keyInfoElements = new ArrayList(); + KeyInfoFactory kiFactory = sigFactory.getKeyInfoFactory(); - KeyName keyName = kiFactory.newKeyName(getCertificateSubjectKeyIdentifier(certificate)); + PrivateKey privateKey; + PublicKey publicKey; + CredentialParser cp = new CredentialParser(); + if (defaultCredentials) { + cp.parseJKSCredentials(); + privateKey = cp.getPrivateKey(); + publicKey = cp.getPublicKey(); + } else { + cp.parsePEMCredentials(pemCertificateFile, pemPrivateKeyFile); + X509Certificate certificate = cp.getCertificate(); + privateKey = cp.getPrivateKey(); + publicKey = cp.getPublicKey(); + ArrayList x509Content = new ArrayList(); + x509Content.add(certificate.getSubjectX500Principal().getName()); + x509Content.add(certificate); + X509Data data = kiFactory.newX509Data(x509Content); + keyInfoElements.add(data); + } + KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier()); keyInfoElements.add(keyName); KeyValue keyValue = kiFactory.newKeyValue(publicKey); keyInfoElements.add(keyValue); - ArrayList x509Content = new ArrayList(); - x509Content.add(certificate.getSubjectX500Principal().getName()); - x509Content.add(certificate); - X509Data data = kiFactory.newX509Data(x509Content); - keyInfoElements.add(data); KeyInfo keyinfo = kiFactory.newKeyInfo(keyInfoElements); doc = 
DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument(); marshaller.marshal(swidTag, doc); - DOMSignContext context = new DOMSignContext(privateKey.getPrivateKey(), doc.getDocumentElement()); + DOMSignContext context = new DOMSignContext(privateKey, doc.getDocumentElement()); XMLSignature signature = sigFactory.newXMLSignature(signedInfo, keyinfo); signature.sign(context); } catch (FileNotFoundException e) { System.out.println("Keystore not found! " + e.getMessage()); } catch (IOException e) { System.out.println("Error loading keystore: " + e.getMessage()); - } catch (NoSuchAlgorithmException | KeyStoreException | InvalidAlgorithmParameterException | - ParserConfigurationException | UnrecoverableEntryException e) { + } catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException | + ParserConfigurationException e) { System.out.println(e.getMessage()); - } catch (CertificateException e) { - System.out.println("Certificate error: " + e.getMessage()); } catch (KeyException e) { System.out.println("Error setting public key in KeyValue: " + e.getMessage()); } catch (JAXBException e) { @@ -730,22 +717,6 @@ public class SwidTagGateway { } } - /** - * Utility method for extracting the subjectKeyIdentifier from an X509Certificate. - * The subjectKeyIdentifier is stored as a DER-encoded octet and will be converted to a String. - * @param certificate - * @return - */ - private String getCertificateSubjectKeyIdentifier(X509Certificate certificate) throws IOException { - String decodedValue = null; - byte[] extension = certificate.getExtensionValue(SwidTagConstants.CERTIFICATE_SUBJECT_KEY_IDENTIFIER); - if (extension != null) { - decodedValue = JcaX509ExtensionUtils.parseExtensionValue(extension).toString(); - } - - return decodedValue; - } - /** * Given an input swidtag at [path] parse any PCRs in the payload into an InputStream object. * This method will be used in a following pull request. 
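Review bot: In the PEM branch, `cp.parsePEMCredentials` reports failures only by printing and leaves the certificate and keys null, so a missing or malformed `-p`/`-k` file reaches `certificate.getSubjectX500Principal()` or `cp.getCertificateSubjectKeyIdentifier()` and fails with a NullPointerException that none of the catch clauses handle; the JKS branch is exposed the same way because `parseKeystorePrivateKey` also returns null on error. Guard before building KeyInfo, e.g. `if (cp.getCertificate() == null || privateKey == null) {` / `System.out.println("Unable to load signing credentials: " + (defaultCredentials ? "default keystore" : pemPrivateKeyFile + ", " + pemCertificateFile));` followed by whatever exit the method's return contract allows, which is outside this hunk. The retained messages "Keystore not found!" and "Error loading keystore" are now wrong for the PEM path and should name the credential source that failed. `signXMLDocument` begins and ends outside this hunk.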
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index a0749f91..551e3769 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java 
@@ -16,43 +16,36 @@ public class Commander { @Parameter(names = {"-h", "--help"}, help = true, description = "Print this help text.") private boolean help; - @Parameter(names = {"-c", "--create"}, order = 0, + @Parameter(names = {"-c", "--create \"base|eventlog|pcr\""}, order = 0, description = "The type of RIM to create. A base RIM will be created by default.") private String createType = "";//other possible values: "eventlog" and "pcr" - @Parameter(names = {"-a", "--attributes"}, order = 1, + @Parameter(names = {"-a", "--attributes "}, order = 1, description = "The configuration file holding attributes to populate the base RIM with.") private String attributesFile = ""; - @Parameter(names = {"-o", "--out"}, order = 2, + @Parameter(names = {"-o", "--out "}, order = 2, description = "The file to write the RIM out to. The RIM will be written to stdout by default.") private String outFile = ""; - @Parameter(names = {"-v", "--verify"}, order = 3, + @Parameter(names = {"-v", "--verify "}, order = 3, description = "Specify a RIM file to verify.") private String verifyFile = ""; - @Parameter(names = {"-k", "--privateKeyFile"}, order = 4, + @Parameter(names = {"-k", "--privateKeyFile "}, order = 4, description = "File containing the private key used to sign the base RIM created by the create function.") private String privateKeyFile = ""; - @Parameter(names = {"--alias"}, order = 5, - description = "The alias of the private key") - private String alias = ""; - @Parameter(names = {"--password"}, order = 6, - description = "Password for the private key", password = true) - private String privateKeyPassword = ""; - @Parameter(names = {"-p", "--publicCertificate"}, order = 7, + @Parameter(names = {"-p", "--publicCertificate "}, order = 5, description = "The public key certificate used to verify a RIM file or to embed in a signed RIM. 
" + "A signed RIM generated by this tool by default will not show the signing certificate without this parameter present.") private String publicCertificate = ""; - @Parameter(names = {"-l", "--rimel"}, order = 8, + @Parameter(names = {"-l", "--rimel "}, order = 6, description = "The TCG eventlog file to use as a support RIM. By default the last system eventlog will be used.") private String rimEventLog = ""; - @Parameter(names = {"-t", "--rimpcr"}, order = 9, + @Parameter(names = {"-t", "--rimpcr "}, order = 7, description = "The file containing TPM PCR values to use as a support RIM. By default the current platform TPM will be used.") private String rimPcrs = ""; //@Parameter(names = {}, order = 8, description = "") private String toBeSigned = ""; - @Parameter(names = {"-s", "--addSignatureData"}, order = 10, - description = "Specify, in order, , , . The signature data in will be" + - "combined with the data in and written to , or will overwrite if " + - "is not given.") + @Parameter(names = {"-s", "--addSignatureData "}, order = 8, + description = "The signature data in will be combined with the data in " + + "and written to , or will overwrite if is not given.") private String signatureData = ""; public boolean isHelp() { @@ -79,14 +72,6 @@ public class Commander { return privateKeyFile; } - public String getAlias() { - return alias; - } - - public String getPrivateKeyPassword() { - return privateKeyPassword; - } - public String getPublicCertificate() { return publicCertificate; } 
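Review bot: The new option names embed a value placeholder in the `names` array (`"--create \"base|eventlog|pcr\""`, `"--attributes "`, `"--out "`, and so on through `"--addSignatureData "`), and JCommander matches each command-line token against these strings literally, so the long forms no longer parse and only the short forms keep working. The placeholder belongs in `description` or in the help examples; the names should stay `"--create"`, `"--attributes"`, etc. The page shows the placeholder text partly stripped (a trailing space after each name), so the exact committed text should be checked in the repository, but any suffix at all defeats the match.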
@@ -113,10 +98,9 @@ public class Commander { "sign it with the default keystore, alias, and password;\n"); sb.append("and write the data to base_rim.swidtag:\n\n"); sb.append("\t\t-c base -a attributes.json -o base_rim.swidtag\n\n\n"); - sb.append("Create a base RIM using the default attribute values; " + - "sign it using privateKey in my_keystore.jks after prompting for the password;\n"); - sb.append("and write the data to console output, to include the public certificate in the signature block:\n\n"); - sb.append("\t\t-c base -k my_keystore.jks --alias privateKey --password -p my_cert.ca\n\n\n"); + sb.append("Create a base RIM using the default attribute values; sign it using privateKey.pem;\n"); + sb.append("and write the data to console output, to include cert.pem in the signature block:\n\n"); + sb.append("\t\t-c base -k privateKey.pem -p cert.pem\n\n\n"); return sb.toString(); } @@ -127,8 +111,6 @@ public class Commander { sb.append("Write to: " + getOutFile() + System.lineSeparator()); sb.append("Verify file: " + getVerifyFile() + System.lineSeparator()); sb.append("Private key file: " + getPrivateKeyFile() + System.lineSeparator()); - sb.append("Private key alias: " + getAlias() + System.lineSeparator()); - sb.append("Private key password: " + getPrivateKeyPassword() + System.lineSeparator()); sb.append("Public certificate: " + getPublicCertificate() + System.lineSeparator()); sb.append("Event log support RIM: " + getRimEventLog() + System.lineSeparator()); sb.append("TPM PCRs support RIM: " + getRimPcrs() + System.lineSeparator());
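Review bot: The help example just above the changed lines still reads "sign it with the default keystore, alias, and password", but `--alias` and `--password` are removed in this commit, so the text now describes options that no longer exist; change it to `"sign it with the default keystore;\n"`. The new `-c base -k privateKey.pem -p cert.pem` example should also state that both files are required together, since Main's BASE branch falls back to the default keystore when either is missing.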