Implement --privateKeyFile and --publicCertificate in JCommander
This commit is contained in:
parent
030ce39613
commit
0123a081a8
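--- /dev/null
+++ b/tools/tcg_rim_tool/RimSignCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoTCCAomgAwIBAgIJAPB+r6VBhBn5MA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
+BAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UECgwHRXhhbXBsZTERMA8GA1UECwwI
+UENDbGllbnQxEjAQBgNVBAMMCUV4YW1wbGVDQTAeFw0yMDAzMTExODExMjJaFw0z
+MDAxMTgxODExMjJaMFwxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTEQMA4GA1UE
+CgwHRXhhbXBsZTERMA8GA1UECwwIUENDbGllbnQxGzAZBgNVBAMMEmV4YW1wbGUu
+UklNLnNpZ25lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKd1lWGk
+SRuxAAY2wHag2GVxUk1dZx2PTpfQOflvLeccAVwa8mQhlsRERq+QK8ilj8Xfqs44
+/nBaccZDOjdfIxIUCMfwhGXjxCaqZbgTucNsExDnu4arTGraoAwzHg0cVLiKT/Cx
+j9NL4dcMgxRXsPdHfXb0923C7xYd2t2qfW05umgaj7qeQl6c68CFNsGX4JA8rWFQ
+ZvvGx5DGlK4KTcjPuQQINs5fxasNKqLY2hq+z82x/rqwr2hmyizD6FpFSyIABPEM
+PfB036GEhRwu1WEMkq8yIp2jgRUoFYke9pB3ph9pVow0Hh4mNFSKD4pP41VSKY1n
+us83mdkuukPy5o0CAwEAAaNvMG0wHQYDVR0OBBYEFC/euOfQMKIgnaoBhhqWT+3s
+8rzBMB8GA1UdIwQYMBaAFEahuO3bpnFf0NLneoo8XW6aw5Y4MAkGA1UdEwQCMAAw
+CwYDVR0PBAQDAgbAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUA
+A4IBAQBl2Bu9xpnHCCeeebjx+ILQXJXBd6q5+NQlV3zzBrf0bleZRtsOmsuFvWQo
+KQxsfZuk7QcSvVd/1v8mqwJ0PwbFKQmrhIPWP+iowiBNqpG5PH9YxhpHQ1osOfib
+NLOXMhudIQRY0yAgqQf+MOlXYa0stX8gkgftVBDRutuMKyOTf4a6d8TUcbG2Rnyz
+O/6S9bq4cPDYLqWRBM+aGN8e00UWTKpBl6/1EU8wkJA6WdllK2e8mVkXUPWYyHTZ
+0qQnrYiuLr36ycAznABDzEAoj4tMZbjIAfuscty6Ggzxl1WbyZLI6YzyXALwaYvr
+crTLeyFynlKxuCfDnr1SAHDM65BY
+-----END CERTIFICATE-----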
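--- /dev/null
+++ b/tools/tcg_rim_tool/privateRimKey.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCndZVhpEkbsQAG
+NsB2oNhlcVJNXWcdj06X0Dn5by3nHAFcGvJkIZbEREavkCvIpY/F36rOOP5wWnHG
+Qzo3XyMSFAjH8IRl48QmqmW4E7nDbBMQ57uGq0xq2qAMMx4NHFS4ik/wsY/TS+HX
+DIMUV7D3R3129Pdtwu8WHdrdqn1tObpoGo+6nkJenOvAhTbBl+CQPK1hUGb7xseQ
+xpSuCk3Iz7kECDbOX8WrDSqi2Noavs/Nsf66sK9oZsosw+haRUsiAATxDD3wdN+h
+hIUcLtVhDJKvMiKdo4EVKBWJHvaQd6YfaVaMNB4eJjRUig+KT+NVUimNZ7rPN5nZ
+LrpD8uaNAgMBAAECggEAcnG8npd9U0x7HMQMcsZoPaPdwHvF/gCzkLNA+8RM1bZh
+A4ZzA5WlCQs0V8Wq9pyXjn7Wp8txsG1PdlT5k2AUgsVoXuR0R4IKyvYHQG9StEjH
+GvWURmwJdLlnSg8hSYqEJ/52taNUDO6+MI8fgiaQDd8w0ryF4OCpLy9GJdnfkGYZ
+Ayemb3USFUdj/S67NVqxnvAfFMM5FqkKGhkoy7wBRgO6eOeJvoTq8LMiPiponwwF
+DW409ZStbrk1f1Oszst/UvFUWA9BdDfeoPmFR61y3eB5zlMQG8Mhr2v5hvkj9TPX
+FU4Fm4EzZ1h/60cdWoP6XYCP7F2NqZ8N8u4UBQNAIQKBgQDcGIw5GJEvRF+FFTTR
+hYatMRn80DGTVjdT32MgajdKx05OWxBmQsFob34fiSnr0wAXPJeDXG4ruMBE2bSk
+EC8rCO08G8ihQoH8x0cvuERe1fpVWk3RWNucVGIiJSEXAIwWrlYZLTfYd5GqBkPE
+OQxxo4MtOyqeHmVH1mOywk9ABQKBgQDCxt95luzqQZV9Xl78QQvOIbjOdHLjY23Z
+yp8sGt9birL/WZ33TCRgmH1e61BdrSqO7Om/ail2Y59XM5UU6kLbDj0IgmOPTsrJ
+JmIVf8r3bKltVUaLePgr4yex7dmtHRH8OkLXKnE0RCO0kCi9kJMB12yE3pWxk+Pu
+zztQd3a66QKBgBNJd2g9deONe01fOVyu9clRhzR3ThDaOkj4R2h8xlGgO4V0R3Ce
+ovIy6vt6epj2yYg/wAs720+rhfXCmijSXj/ILXnZ+W/gMyHimKNe42boG2LFYhJZ
+Vg1R+7OAS3EHlD8ckeDs7Hrkp3gdymx0j1mZ+ZHKIIbwpPFxoRT2IBm9AoGBAI0Z
+bIK0puP8psKvPrgWluq42xwUl7XKLaX8dtqIjQ3PqGP7E8g2TJP9Y7UDWrDB5Xas
+gZi821R8Ts3o/DKukcgGxIgJjP4f4h9dwug4L1yWRxaBFB2tgHqqj/MBjxMtX/4M
+Zqdgg6mNQyBm3lyVAynuWRrX9DE0JYa2cQ2VvVkhAoGBAMBv/oT813w00759PmkO
+Uxv3LXTJuYBbq0Rmga25jN3ow8LrGQdSVg7F/af3I5KUF7mLiegDy1pkRfauyXH7
++WhEqnf86vDrzPpytDMxinWOQZusCqeWHb+nuVTuL3Fv+GxEdwVGYI/7lFJ7B//h
+P5rU93ZoYY7sWcGVqaaEkMRU
+-----END PRIVATE KEY-----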
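Review bot: privateRimKey.pem is an unencrypted PKCS#8 private key committed to the tree next to its certificate, so any RIM signed with it can be forged by anyone with read access to the repository. The subject in RimSignCert.pem decodes to an "Example"/"example.RIM.signer" identity, so this appears to be a sample pair, but nothing in the commit labels it as test-only or prevents it from being handed to `-k`/`-p` when signing a RIM that will actually ship. Suggest a README line beside the two files saying `Sample credentials for local testing only - never sign production RIMs with this key; generate a fresh pair per deployment`, and an allowlist entry for whatever secret scanner the repo uses so a real key added later is still caught. If this key has ever signed anything outside a test, it should be treated as compromised and rotated rather than kept.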
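--- /dev/null
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java
@@ -0,0 +1,156 @@
+package hirs.swid;
+
+import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
+import org.bouncycastle.util.encoders.Base64;
+
+import java.io.*;
+import java.security.*;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+
+public class CredentialParser {
+    private static final String X509 = "X.509";
+    private static final String JKS = "JKS";
+    private static final String PEM = "PEM";
+    private X509Certificate certificate;
+    private PrivateKey privateKey;
+    private PublicKey publicKey;
+
+    public X509Certificate getCertificate() {
+        return certificate;
+    }
+
+    public PrivateKey getPrivateKey() {
+        return privateKey;
+    }
+
+    public PublicKey getPublicKey() {
+        return publicKey;
+    }
+
+    public void parseJKSCredentials() {
+        KeyStore.PrivateKeyEntry privateKeyEntry =
+                parseKeystorePrivateKey(SwidTagConstants.DEFAULT_KEYSTORE_PATH,
+                        SwidTagConstants.DEFAULT_PRIVATE_KEY_ALIAS,
+                        SwidTagConstants.DEFAULT_KEYSTORE_PASSWORD);
+        certificate = (X509Certificate) privateKeyEntry.getCertificate();
+        privateKey = privateKeyEntry.getPrivateKey();
+        publicKey = certificate.getPublicKey();
+    }
+
+    public void parsePEMCredentials(String certificateFile, String privateKeyFile) throws FileNotFoundException {
+        certificate = parsePEMCertificate(certificateFile);
+
+        /*User input on algorithm???*/
+        privateKey = parsePEMPrivateKey(privateKeyFile, "RSA");
+
+        publicKey = certificate.getPublicKey();
+    }
+
+    /**
+     * This method returns the X509Certificate found in a PEM file.
+     * @param filename
+     * @return
+     * @throws FileNotFoundException
+     */
+    private X509Certificate parsePEMCertificate(String filename) throws FileNotFoundException {
+        X509Certificate certificate = null;
+        try {
+            FileInputStream fis = new FileInputStream(filename);
+            BufferedInputStream bis = new BufferedInputStream(fis);
+            CertificateFactory certificateFactory = CertificateFactory.getInstance(X509);
+
+            while (bis.available() > 0) {
+                certificate = (X509Certificate) certificateFactory.generateCertificate(bis);
+            }
+
+
+        } catch (CertificateException e) {
+            System.out.println("Error in certificate factory: " + e.getMessage());
+        } catch (IOException e) {
+            System.out.println("Error reading from input stream: " + e.getMessage());
+        }
+
+        return certificate;
+    }
+
+    /**
+     * This method extracts the private key from a PEM file.
+     * @param filename
+     * @return
+     */
+    private PrivateKey parsePEMPrivateKey(String filename, String algorithm) {
+        PrivateKey privateKey = null;
+        try {
+            File file = new File(filename);
+            FileInputStream fis = new FileInputStream(file);
+            DataInputStream dis = new DataInputStream(fis);
+            byte[] key = new byte[(int) file.length()];
+            dis.readFully(key);
+            dis.close();
+
+            String privateKeyStr = new String(key);
+            privateKeyStr = privateKeyStr.replace("-----BEGIN PRIVATE KEY-----\n", "");
+            privateKeyStr = privateKeyStr.replace("-----END PRIVATE KEY-----", "");
+
+            Base64 base64 = new Base64();
+            byte[] decodedKey = base64.decode(privateKeyStr);
+            PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decodedKey);
+            KeyFactory keyFactory = KeyFactory.getInstance(algorithm);
+
+            privateKey = keyFactory.generatePrivate(spec);
+        } catch (FileNotFoundException e) {
+            System.out.println("Unable to locate private key file: " + filename);
+        } catch (NoSuchAlgorithmException e) {
+            System.out.println("Unable to instantiate KeyFactory with algorithm: " + algorithm);
+        } catch (IOException e) {
+            System.out.println("IOException: " + e.getMessage());
+        } catch (InvalidKeySpecException e) {
+            System.out.println("Error instantiating PKCS8EncodedKeySpec object: " + e.getMessage());
+        }
+
+        return privateKey;
+    }
+
+    /**
+     * This method returns the private key in a JKS keystore.
+     * @param keystoreFile
+     * @param alias
+     * @param password
+     * @return KeyStore.PrivateKeyEntry
+     */
+    private KeyStore.PrivateKeyEntry parseKeystorePrivateKey(String keystoreFile, String alias, String password) {
+        KeyStore keystore = null;
+        KeyStore.PrivateKeyEntry privateKey = null;
+        try {
+            keystore = KeyStore.getInstance("JKS");
+            keystore.load(new FileInputStream(keystoreFile), password.toCharArray());
+            privateKey = (KeyStore.PrivateKeyEntry) keystore.getEntry(alias,
+                    new KeyStore.PasswordProtection(password.toCharArray()));
+        } catch (FileNotFoundException e) {
+            System.out.println("Cannot locate keystore " + keystoreFile);
+        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException | IOException e) {
+            e.printStackTrace();
+        }
+
+        return privateKey;
+    }
+
+    /**
+     * Utility method for extracting the subjectKeyIdentifier from an X509Certificate.
+     * The subjectKeyIdentifier is stored as a DER-encoded octet and will be converted to a String.
+     * @return
+     */
+    public String getCertificateSubjectKeyIdentifier() throws IOException {
+        String decodedValue = null;
+        byte[] extension = certificate.getExtensionValue(SwidTagConstants.CERTIFICATE_SUBJECT_KEY_IDENTIFIER);
+        if (extension != null) {
+            decodedValue = JcaX509ExtensionUtils.parseExtensionValue(extension).toString();
+        }
+
+        return decodedValue;
+    }
+}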
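Review bot: parsePEMCredentials loads the certificate and the private key independently and never checks that they belong together, and both helpers print and return null on any failure, so a wrong `-p` path NPEs on `certificate.getPublicKey()` while a mismatched `-k`/`-p` pair yields a signed RIM whose embedded KeyValue/X509Data cannot verify its own signature. The snippet below fails fast on a null result and, for RSA (the only algorithm the class currently requests), rejects a key whose modulus differs from the certificate's; reusing the declared FileNotFoundException keeps the signature unchanged, though a dedicated checked exception would be cleaner. Separately, parsePEMPrivateKey decodes the file with `new String(key)` (platform charset) and only strips `-----BEGIN PRIVATE KEY-----\n`, so a CRLF file or a PKCS#1 `BEGIN RSA PRIVATE KEY` file falls through to an InvalidKeySpecException; `new String(key, StandardCharsets.US_ASCII)` plus stripping `\r` would cover the former. The FileInputStreams in parsePEMCertificate and parseKeystorePrivateKey, and `dis` on the exception path, are never closed - try-with-resources on each would fix that.
```java
public void parsePEMCredentials(String certificateFile, String privateKeyFile) throws FileNotFoundException {
    certificate = parsePEMCertificate(certificateFile);
    // Algorithm is still hard-coded to RSA; the modulus check below is only meaningful for RSA pairs.
    privateKey = parsePEMPrivateKey(privateKeyFile, "RSA");
    if (certificate == null || privateKey == null) {
        // The parsers log and return null; fail here instead of NPE-ing on getPublicKey() below.
        throw new FileNotFoundException("Unable to load signing credentials from "
                + certificateFile + " and " + privateKeyFile);
    }
    publicKey = certificate.getPublicKey();
    // A key that does not belong to the certificate produces a signature the embedded KeyInfo cannot verify.
    if (privateKey instanceof java.security.interfaces.RSAPrivateKey
            && publicKey instanceof java.security.interfaces.RSAPublicKey
            && !((java.security.interfaces.RSAPrivateKey) privateKey).getModulus()
                    .equals(((java.security.interfaces.RSAPublicKey) publicKey).getModulus())) {
        throw new IllegalArgumentException("Private key in " + privateKeyFile
                + " does not match the certificate in " + certificateFile);
    }
}
```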
@ -3,6 +3,7 @@ package hirs.swid;
|
||||
import hirs.swid.utils.Commander;
|
||||
import com.beust.jcommander.JCommander;
|
||||
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
|
||||
public class Main {
|
||||
@ -16,44 +17,43 @@ public class Main {
|
||||
if (commander.isHelp()) {
|
||||
jc.usage();
|
||||
System.out.println(commander.printHelpExamples());
|
||||
} else if (!commander.getVerifyFile().isEmpty()) {
|
||||
System.out.println(commander.toString());
|
||||
String verifyFile = commander.getVerifyFile();
|
||||
String publicCertificate = commander.getPublicCertificate();
|
||||
if (!verifyFile.isEmpty() && !publicCertificate.isEmpty()) {
|
||||
try {
|
||||
gateway.validateSwidTag(verifyFile);
|
||||
} catch (IOException e) {
|
||||
System.out.println("Error validating RIM file: " + e.getMessage());
|
||||
} else {
|
||||
if (!commander.getVerifyFile().isEmpty()) {
|
||||
System.out.println(commander.toString());
|
||||
String verifyFile = commander.getVerifyFile();
|
||||
String publicCertificate = commander.getPublicCertificate();
|
||||
if (!verifyFile.isEmpty() && !publicCertificate.isEmpty()) {
|
||||
try {
|
||||
gateway.validateSwidTag(verifyFile);
|
||||
} catch (IOException e) {
|
||||
System.out.println("Error validating RIM file: " + e.getMessage());
|
||||
}
|
||||
} else {
|
||||
System.out.println("Need both a RIM file to validate and a public certificate to validate with!");
|
||||
}
|
||||
} else {
|
||||
System.out.println("Need both a RIM file to validate and a public certificate to validate with!");
|
||||
}
|
||||
} else {
|
||||
System.out.println(commander.toString());
|
||||
String createType = commander.getCreateType().toUpperCase();
|
||||
String attributesFile = commander.getAttributesFile();
|
||||
String privateKeyFile = commander.getPrivateKeyFile();
|
||||
String alias = commander.getAlias();
|
||||
String privateKeyPassword = commander.getPrivateKeyPassword();
|
||||
switch (createType) {
|
||||
case "BASE":
|
||||
if (!attributesFile.isEmpty()) {
|
||||
gateway.setAttributesFile(attributesFile);
|
||||
}
|
||||
if (!privateKeyFile.isEmpty() &&
|
||||
!alias.isEmpty() &&
|
||||
!privateKeyPassword.isEmpty()) {
|
||||
gateway.setKeystoreFile(privateKeyFile);
|
||||
gateway.setPrivateKeyAlias(alias);
|
||||
gateway.setPrivateKeyPassword(privateKeyPassword);
|
||||
}
|
||||
gateway.generateSwidTag(commander.getOutFile());
|
||||
break;
|
||||
case "EVENTLOG":
|
||||
break;
|
||||
case "PCR":
|
||||
break;
|
||||
System.out.println(commander.toString());
|
||||
String createType = commander.getCreateType().toUpperCase();
|
||||
String attributesFile = commander.getAttributesFile();
|
||||
String certificateFile = commander.getPublicCertificate();
|
||||
String privateKeyFile = commander.getPrivateKeyFile();
|
||||
switch (createType) {
|
||||
case "BASE":
|
||||
if (!attributesFile.isEmpty()) {
|
||||
gateway.setAttributesFile(attributesFile);
|
||||
}
|
||||
if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
|
||||
gateway.setDefaultCredentials(false);
|
||||
gateway.setPemCertificateFile(certificateFile);
|
||||
gateway.setPemPrivateKeyFile(privateKeyFile);
|
||||
}
|
||||
gateway.generateSwidTag(commander.getOutFile());
|
||||
break;
|
||||
case "EVENTLOG":
|
||||
break;
|
||||
case "PCR":
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
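Review bot: In the `BASE` branch the PEM credentials are only wired in when both `certificateFile` and `privateKeyFile` are non-empty; if the operator supplies just one of `-k`/`-p` the condition is false and the RIM is silently signed with the default keystore credentials from SwidTagConstants, with no message that the supplied file was ignored. A half-specified credential pair should be an error rather than a fallback to a checked-in key: `} else if (!certificateFile.isEmpty() || !privateKeyFile.isEmpty()) { System.out.println("Both --privateKeyFile and --publicCertificate are required to sign with PEM credentials"); return; }`. In the verify branch `publicCertificate` is required to be non-empty but is never passed to `gateway.validateSwidTag(verifyFile)`, so unless validateSwidTag (outside this hunk) picks it up some other way the operator-supplied certificate is not the trust anchor for verification and the RIM is presumably checked against whatever key it embeds itself. The enclosing main method starts before this hunk.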
|
@ -41,7 +41,6 @@ import javax.xml.crypto.dsig.spec.TransformParameterSpec;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.parsers.ParserConfigurationException;
|
||||
|
||||
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.NodeList;
|
||||
import org.xml.sax.SAXException;
|
||||
@ -52,7 +51,6 @@ import java.io.InputStream;
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.BufferedReader;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.FileOutputStream;
|
||||
|
||||
import java.nio.charset.StandardCharsets;
|
||||
@ -60,7 +58,6 @@ import java.nio.file.Files;
|
||||
import java.nio.file.Paths;
|
||||
|
||||
import java.security.*;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.security.cert.X509Certificate;
|
||||
|
||||
import java.util.ArrayList;
|
||||
@ -114,15 +111,9 @@ public class SwidTagGateway {
|
||||
private Marshaller marshaller;
|
||||
private Unmarshaller unmarshaller;
|
||||
private String attributesFile;
|
||||
/**
|
||||
* The keystoreFile is used in signXMLDocument() to pass in the keystore path.
|
||||
* The same method requires the keystore password and the alias of the private key,
|
||||
* which would need to be passed in if not using the default keystore.
|
||||
*/
|
||||
private String keystoreFile;
|
||||
private String privateKeyAlias;
|
||||
private String privateKeyPassword;
|
||||
private boolean showCert;
|
||||
private boolean defaultCredentials;
|
||||
private String pemPrivateKeyFile;
|
||||
private String pemCertificateFile;
|
||||
|
||||
/**
|
||||
* Default constructor initializes jaxbcontext, marshaller, and unmarshaller
|
||||
@ -133,10 +124,8 @@ public class SwidTagGateway {
|
||||
marshaller = jaxbContext.createMarshaller();
|
||||
unmarshaller = jaxbContext.createUnmarshaller();
|
||||
attributesFile = SwidTagConstants.DEFAULT_ATTRIBUTES_FILE;
|
||||
keystoreFile = SwidTagConstants.DEFAULT_KEYSTORE_PATH;
|
||||
privateKeyAlias = SwidTagConstants.DEFAULT_PRIVATE_KEY_ALIAS;
|
||||
privateKeyPassword = SwidTagConstants.DEFAULT_KEYSTORE_PASSWORD;
|
||||
showCert = false;
|
||||
defaultCredentials = true;
|
||||
pemCertificateFile = "";
|
||||
} catch (JAXBException e) {
|
||||
System.out.println("Error initializing jaxbcontext: " + e.getMessage());
|
||||
}
|
||||
@ -151,35 +140,27 @@ public class SwidTagGateway {
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for String holding keystore path
|
||||
* @param keystoreFile
|
||||
* Setter for boolean governing signing credentials
|
||||
* @param defaultCredentials
|
||||
* @return
|
||||
*/
|
||||
public void setKeystoreFile(String keystoreFile) {
|
||||
this.keystoreFile = keystoreFile;
|
||||
public void setDefaultCredentials(boolean defaultCredentials) {
|
||||
this.defaultCredentials = defaultCredentials;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for String holding private key alias
|
||||
* @param privateKeyAlias
|
||||
* Setter for private key file in PEM format
|
||||
* @param pemPrivateKeyFile
|
||||
*/
|
||||
public void setPrivateKeyAlias(String privateKeyAlias) {
|
||||
this.privateKeyAlias = privateKeyAlias;
|
||||
public void setPemPrivateKeyFile(String pemPrivateKeyFile) {
|
||||
this.pemPrivateKeyFile = pemPrivateKeyFile;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for String holding private key password
|
||||
* @param privateKeyPassword
|
||||
/** Setter for certificate file in PEM format
|
||||
* @param pemCertificateFile
|
||||
*/
|
||||
public void setPrivateKeyPassword(String privateKeyPassword) {
|
||||
this.privateKeyPassword = privateKeyPassword;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for boolean to display certificate block in xml signature
|
||||
* @param showCert
|
||||
*/
|
||||
public void setShowCert(boolean showCert) {
|
||||
this.showCert = showCert;
|
||||
public void setPemCertificateFile(String pemCertificateFile) {
|
||||
this.pemCertificateFile = pemCertificateFile;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -614,39 +595,45 @@ public class SwidTagGateway {
|
||||
sigFactory.newSignatureMethod(SwidTagConstants.SIGNATURE_ALGORITHM_RSA_SHA256, null),
|
||||
Collections.singletonList(reference)
|
||||
);
|
||||
KeyStore keystore = KeyStore.getInstance("JKS");
|
||||
keystore.load(new FileInputStream(keystoreFile), privateKeyPassword.toCharArray());
|
||||
KeyStore.PrivateKeyEntry privateKey = (KeyStore.PrivateKeyEntry) keystore.getEntry(privateKeyAlias,
|
||||
new KeyStore.PasswordProtection(privateKeyPassword.toCharArray()));
|
||||
X509Certificate certificate = (X509Certificate) privateKey.getCertificate();
|
||||
PublicKey publicKey = certificate.getPublicKey();
|
||||
List<XMLStructure> keyInfoElements = new ArrayList<XMLStructure>();
|
||||
|
||||
KeyInfoFactory kiFactory = sigFactory.getKeyInfoFactory();
|
||||
KeyName keyName = kiFactory.newKeyName(getCertificateSubjectKeyIdentifier(certificate));
|
||||
PrivateKey privateKey;
|
||||
PublicKey publicKey;
|
||||
CredentialParser cp = new CredentialParser();
|
||||
if (defaultCredentials) {
|
||||
cp.parseJKSCredentials();
|
||||
privateKey = cp.getPrivateKey();
|
||||
publicKey = cp.getPublicKey();
|
||||
} else {
|
||||
cp.parsePEMCredentials(pemCertificateFile, pemPrivateKeyFile);
|
||||
X509Certificate certificate = cp.getCertificate();
|
||||
privateKey = cp.getPrivateKey();
|
||||
publicKey = cp.getPublicKey();
|
||||
ArrayList<Object> x509Content = new ArrayList<Object>();
|
||||
x509Content.add(certificate.getSubjectX500Principal().getName());
|
||||
x509Content.add(certificate);
|
||||
X509Data data = kiFactory.newX509Data(x509Content);
|
||||
keyInfoElements.add(data);
|
||||
}
|
||||
KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier());
|
||||
keyInfoElements.add(keyName);
|
||||
KeyValue keyValue = kiFactory.newKeyValue(publicKey);
|
||||
keyInfoElements.add(keyValue);
|
||||
ArrayList<Object> x509Content = new ArrayList<Object>();
|
||||
x509Content.add(certificate.getSubjectX500Principal().getName());
|
||||
x509Content.add(certificate);
|
||||
X509Data data = kiFactory.newX509Data(x509Content);
|
||||
keyInfoElements.add(data);
|
||||
KeyInfo keyinfo = kiFactory.newKeyInfo(keyInfoElements);
|
||||
|
||||
doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
|
||||
marshaller.marshal(swidTag, doc);
|
||||
DOMSignContext context = new DOMSignContext(privateKey.getPrivateKey(), doc.getDocumentElement());
|
||||
DOMSignContext context = new DOMSignContext(privateKey, doc.getDocumentElement());
|
||||
XMLSignature signature = sigFactory.newXMLSignature(signedInfo, keyinfo);
|
||||
signature.sign(context);
|
||||
} catch (FileNotFoundException e) {
|
||||
System.out.println("Keystore not found! " + e.getMessage());
|
||||
} catch (IOException e) {
|
||||
System.out.println("Error loading keystore: " + e.getMessage());
|
||||
} catch (NoSuchAlgorithmException | KeyStoreException | InvalidAlgorithmParameterException |
|
||||
ParserConfigurationException | UnrecoverableEntryException e) {
|
||||
} catch (NoSuchAlgorithmException | InvalidAlgorithmParameterException |
|
||||
ParserConfigurationException e) {
|
||||
System.out.println(e.getMessage());
|
||||
} catch (CertificateException e) {
|
||||
System.out.println("Certificate error: " + e.getMessage());
|
||||
} catch (KeyException e) {
|
||||
System.out.println("Error setting public key in KeyValue: " + e.getMessage());
|
||||
} catch (JAXBException e) {
|
||||
@ -730,22 +717,6 @@ public class SwidTagGateway {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Utility method for extracting the subjectKeyIdentifier from an X509Certificate.
|
||||
* The subjectKeyIdentifier is stored as a DER-encoded octet and will be converted to a String.
|
||||
* @param certificate
|
||||
* @return
|
||||
*/
|
||||
private String getCertificateSubjectKeyIdentifier(X509Certificate certificate) throws IOException {
|
||||
String decodedValue = null;
|
||||
byte[] extension = certificate.getExtensionValue(SwidTagConstants.CERTIFICATE_SUBJECT_KEY_IDENTIFIER);
|
||||
if (extension != null) {
|
||||
decodedValue = JcaX509ExtensionUtils.parseExtensionValue(extension).toString();
|
||||
}
|
||||
|
||||
return decodedValue;
|
||||
}
|
||||
|
||||
/**
|
||||
* Given an input swidtag at [path] parse any PCRs in the payload into an InputStream object.
|
||||
* This method will be used in a following pull request.
|
||||
|
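Review bot: In the signXMLDocument hunk the PEM branch takes whatever CredentialParser returns, and that class prints and returns null on any parse failure, so a bad `-k`/`-p` path reaches `cp.getCertificateSubjectKeyIdentifier()` and `new DOMSignContext(privateKey, ...)` with nulls and the tool dies with an unchecked NullPointerException instead of a message. Add `if (privateKey == null || publicKey == null) { throw new KeyException("Unable to load signing credentials"); }` immediately after the if/else - KeyException is already caught below. The FileNotFoundException and IOException handlers still print "Keystore not found!" and "Error loading keystore", which is now misleading on the PEM path; `"Signing credential file not found: " + e.getMessage()` covers both sources. signXMLDocument's signature and the start of its try block are outside this hunk.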
@ -16,43 +16,36 @@ public class Commander {
|
||||
|
||||
@Parameter(names = {"-h", "--help"}, help = true, description = "Print this help text.")
|
||||
private boolean help;
|
||||
@Parameter(names = {"-c", "--create"}, order = 0,
|
||||
@Parameter(names = {"-c", "--create \"base|eventlog|pcr\""}, order = 0,
|
||||
description = "The type of RIM to create. A base RIM will be created by default.")
|
||||
private String createType = "";//other possible values: "eventlog" and "pcr"
|
||||
@Parameter(names = {"-a", "--attributes"}, order = 1,
|
||||
@Parameter(names = {"-a", "--attributes <path>"}, order = 1,
|
||||
description = "The configuration file holding attributes to populate the base RIM with.")
|
||||
private String attributesFile = "";
|
||||
@Parameter(names = {"-o", "--out"}, order = 2,
|
||||
@Parameter(names = {"-o", "--out <path>"}, order = 2,
|
||||
description = "The file to write the RIM out to. The RIM will be written to stdout by default.")
|
||||
private String outFile = "";
|
||||
@Parameter(names = {"-v", "--verify"}, order = 3,
|
||||
@Parameter(names = {"-v", "--verify <path>"}, order = 3,
|
||||
description = "Specify a RIM file to verify.")
|
||||
private String verifyFile = "";
|
||||
@Parameter(names = {"-k", "--privateKeyFile"}, order = 4,
|
||||
@Parameter(names = {"-k", "--privateKeyFile <path>"}, order = 4,
|
||||
description = "File containing the private key used to sign the base RIM created by the create function.")
|
||||
private String privateKeyFile = "";
|
||||
@Parameter(names = {"--alias"}, order = 5,
|
||||
description = "The alias of the private key")
|
||||
private String alias = "";
|
||||
@Parameter(names = {"--password"}, order = 6,
|
||||
description = "Password for the private key", password = true)
|
||||
private String privateKeyPassword = "";
|
||||
@Parameter(names = {"-p", "--publicCertificate"}, order = 7,
|
||||
@Parameter(names = {"-p", "--publicCertificate <path>"}, order = 5,
|
||||
description = "The public key certificate used to verify a RIM file or to embed in a signed RIM. " +
|
||||
"A signed RIM generated by this tool by default will not show the signing certificate without this parameter present.")
|
||||
private String publicCertificate = "";
|
||||
@Parameter(names = {"-l", "--rimel"}, order = 8,
|
||||
@Parameter(names = {"-l", "--rimel <path>"}, order = 6,
|
||||
description = "The TCG eventlog file to use as a support RIM. By default the last system eventlog will be used.")
|
||||
private String rimEventLog = "";
|
||||
@Parameter(names = {"-t", "--rimpcr"}, order = 9,
|
||||
@Parameter(names = {"-t", "--rimpcr <path>"}, order = 7,
|
||||
description = "The file containing TPM PCR values to use as a support RIM. By default the current platform TPM will be used.")
|
||||
private String rimPcrs = "";
|
||||
//@Parameter(names = {}, order = 8, description = "")
|
||||
private String toBeSigned = "";
|
||||
@Parameter(names = {"-s", "--addSignatureData"}, order = 10,
|
||||
description = "Specify, in order, <originalBaseRIM>, <signatureFile>, <outputFile>. The signature data in <signatureFile> will be" +
|
||||
"combined with the data in <originalBaseRIM> and written to <outputFile>, or will overwrite <originalBaseRIM> if <outputFile>" +
|
||||
"is not given.")
|
||||
@Parameter(names = {"-s", "--addSignatureData <originalBaseRIM> <signatureFile> <outputFile>"}, order = 8,
|
||||
description = "The signature data in <signatureFile> will be combined with the data in <originalBaseRIM>" +
|
||||
"and written to <outputFile>, or will overwrite <originalBaseRIM> if <outputFile> is not given.")
|
||||
private String signatureData = "";
|
||||
|
||||
public boolean isHelp() {
|
||||
@ -79,14 +72,6 @@ public class Commander {
|
||||
return privateKeyFile;
|
||||
}
|
||||
|
||||
public String getAlias() {
|
||||
return alias;
|
||||
}
|
||||
|
||||
public String getPrivateKeyPassword() {
|
||||
return privateKeyPassword;
|
||||
}
|
||||
|
||||
public String getPublicCertificate() {
|
||||
return publicCertificate;
|
||||
}
|
||||
@ -113,10 +98,9 @@ public class Commander {
|
||||
"sign it with the default keystore, alias, and password;\n");
|
||||
sb.append("and write the data to base_rim.swidtag:\n\n");
|
||||
sb.append("\t\t-c base -a attributes.json -o base_rim.swidtag\n\n\n");
|
||||
sb.append("Create a base RIM using the default attribute values; " +
|
||||
"sign it using privateKey in my_keystore.jks after prompting for the password;\n");
|
||||
sb.append("and write the data to console output, to include the public certificate in the signature block:\n\n");
|
||||
sb.append("\t\t-c base -k my_keystore.jks --alias privateKey --password -p my_cert.ca\n\n\n");
|
||||
sb.append("Create a base RIM using the default attribute values; sign it using privateKey.pem;\n");
|
||||
sb.append("and write the data to console output, to include cert.pem in the signature block:\n\n");
|
||||
sb.append("\t\t-c base -k privateKey.pem -p cert.pem\n\n\n");
|
||||
|
||||
return sb.toString();
|
||||
}
|
||||
@ -127,8 +111,6 @@ public class Commander {
|
||||
sb.append("Write to: " + getOutFile() + System.lineSeparator());
|
||||
sb.append("Verify file: " + getVerifyFile() + System.lineSeparator());
|
||||
sb.append("Private key file: " + getPrivateKeyFile() + System.lineSeparator());
|
||||
sb.append("Private key alias: " + getAlias() + System.lineSeparator());
|
||||
sb.append("Private key password: " + getPrivateKeyPassword() + System.lineSeparator());
|
||||
sb.append("Public certificate: " + getPublicCertificate() + System.lineSeparator());
|
||||
sb.append("Event log support RIM: " + getRimEventLog() + System.lineSeparator());
|
||||
sb.append("TPM PCRs support RIM: " + getRimPcrs() + System.lineSeparator());
|
||||
|
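Review bot: Folding the placeholder into the option name - `@Parameter(names = {"-k", "--privateKeyFile <path>"}, ...)` and likewise for `--create`, `--attributes`, `--out`, `--verify`, `--publicCertificate`, `--rimel`, `--rimpcr` and `--addSignatureData` - makes JCommander match the literal token `--privateKeyFile <path>`, so as far as I can tell the long forms no longer parse at all and only the short aliases (the ones the new help example uses) still work. Keep `names = {"-k", "--privateKeyFile"}` and put the hint in the text instead, e.g. `description = "<path> File containing the private key (PEM) used to sign the base RIM created by the create function."`. Dropping the `--password` line from toString() is worth keeping in any case, since the removed version echoed the keystore password to stdout on every run.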