From 990b6cf322da7533966d2bab6ebe6f3341ef367f Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 13 Mar 2023 10:00:13 -0400 Subject: [PATCH 01/18] Modified rimtool to support multiple payload files for creating and validating base RIMs --- tools/tcg_rim_tool/rim_fields.json | 6 +-- .../main/java/hirs/swid/SwidTagGateway.java | 34 ++++++++---- .../main/java/hirs/swid/SwidTagValidator.java | 54 +++++++++++-------- .../src/test/resources/rim_fields.json | 4 +- 4 files changed, 61 insertions(+), 37 deletions(-) diff --git a/tools/tcg_rim_tool/rim_fields.json b/tools/tcg_rim_tool/rim_fields.json index 192bc897..b01859ef 100644 --- a/tools/tcg_rim_tool/rim_fields.json +++ b/tools/tcg_rim_tool/rim_fields.json @@ -32,9 +32,9 @@ "Directory": { "supportRIMFormat": "TCG_EventLog_Assertion", "name": "iotBase", - "File": { - "name": "TpmLog.bin" - } + "File": [ + { "name": "TpmLog.bin" } + ] } } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 2715a4e5..d6dbd016 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -11,6 +11,7 @@ import hirs.swid.xjc.SoftwareMeta; import org.w3c.dom.Document; import javax.json.Json; +import javax.json.JsonArray; import javax.json.JsonException; import javax.json.JsonObject; import javax.json.JsonReader; @@ -61,6 +62,7 @@ import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Collections; +import java.util.Iterator; import java.util.List; import java.util.Map; 
@@ -199,12 +201,16 @@ public class SwidTagGateway { configProperties.getJsonObject(SwidTagConstants.PAYLOAD) .getJsonObject(SwidTagConstants.DIRECTORY)); //File - hirs.swid.xjc.File file = createFile( - configProperties.getJsonObject(SwidTagConstants.PAYLOAD) - .getJsonObject(SwidTagConstants.DIRECTORY) - .getJsonObject(SwidTagConstants.FILE)); - //Nest File in Directory in Payload - directory.getDirectoryOrFile().add(file); + JsonArray fileArray = configProperties.getJsonObject(SwidTagConstants.PAYLOAD) + .getJsonObject(SwidTagConstants.DIRECTORY) + .getJsonArray(SwidTagConstants.FILE); + Iterator itr = fileArray.iterator(); + while(itr.hasNext()) { + JsonObject arrayItem = (JsonObject) itr.next(); + hirs.swid.xjc.File file = createFile(arrayItem); + //Nest File in Directory in Payload + directory.getDirectoryOrFile().add(file); + } payload.getDirectoryOrFileOrProcess().add(directory); JAXBElement jaxbPayload = objectFactory.createSoftwareIdentityPayload(payload); @@ -225,8 +231,12 @@ public class SwidTagGateway { } catch (FileNotFoundException e) { System.out.println("File does not exist or cannot be read: " + e.getMessage()); System.exit(1); + } catch (ClassCastException e) { + System.out.println("File object in JSON attributes file must be an array."); + System.exit(1); } catch (Exception e) { System.out.println(e.getMessage()); + e.printStackTrace(); System.exit(1); } } 
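Review bot: The new loop walks `fileArray` through a raw `Iterator` and casts each element to `JsonObject`, so a non-object entry in the `File` array surfaces as a ClassCastException that the catch added further down reports as "File object ... must be an array", and a missing `File` key makes `getJsonArray` return null and the loop NPE on `fileArray.iterator()`. `JsonArray.getValuesAs(JsonObject.class)` gives a typed list and a plain for-each: `for (JsonObject arrayItem : fileArray.getValuesAs(JsonObject.class)) { directory.getDirectoryOrFile().add(createFile(arrayItem)); }`, which also makes the new `java.util.Iterator` import unnecessary. Guard the null case explicitly before the loop with a message naming the missing key rather than letting it fall into the generic catch, whose `e.getMessage()` is null for that NPE. The enclosing method starts before and ends after this hunk. PATCH 05 repeats this hunk at its SwidTagGateway @@ -228 section.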
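Review bot: The added `catch (ClassCastException e)` assumes the exception means the `File` value is not an array, but the same type is thrown by the `(JsonObject) itr.next()` cast in the loop when an array element is not an object, and by any `getString`/`getJsonObject` on a wrongly typed value inside the try body, so the message can misdiagnose the input. Check the shape where the value is read instead, e.g. `if (!(directoryObject.get(SwidTagConstants.FILE) instanceof JsonArray)) { /* report and exit */ }` before calling `getJsonArray`, and leave the catch for genuinely unexpected casts. The `e.printStackTrace()` added to the generic catch sends a full trace to stderr on every failure while the sibling catches print one line; if that is for debugging it should say so in a comment. PATCH 05 repeats this hunk at its SwidTagGateway @@ -254 section.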
@@ -467,9 +477,9 @@ public class SwidTagGateway { * @param jsonObject the Properties object containing parameters from file * @return File object created from the properties */ - private hirs.swid.xjc.File createFile(JsonObject jsonObject) throws Exception { + private hirs.swid.xjc.File createFile(JsonObject jsonObject) + throws Exception { hirs.swid.xjc.File file = objectFactory.createFile(); - file.setName(jsonObject.getString(SwidTagConstants.NAME, "")); Map attributes = file.getOtherAttributes(); String supportRimFormat = jsonObject.getString(SwidTagConstants.SUPPORT_RIM_FORMAT, SwidTagConstants.SUPPORT_RIM_FORMAT_MISSING); @@ -485,11 +495,13 @@ public class SwidTagGateway { jsonObject.getString(SwidTagConstants.SUPPORT_RIM_TYPE, "")); addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_URI_GLOBAL, jsonObject.getString(SwidTagConstants.SUPPORT_RIM_URI_GLOBAL, "")); - File rimEventLogFile = new File(rimEventLog); - file.setSize(new BigInteger(Long.toString(rimEventLogFile.length()))); + String filepath = jsonObject.getString(SwidTagConstants.NAME); + File fileToAdd = new File(filepath); + file.setName(filepath); + file.setSize(new BigInteger(Long.toString(fileToAdd.length()))); addNonNullAttribute(attributes, SwidTagConstants._SHA256_HASH, jsonObject.getString(SwidTagConstants.HASH, - HashSwid.get256Hash(rimEventLog)), true); + HashSwid.get256Hash(filepath)), true); return file; } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java index 10d83a91..00c064c2 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java 
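Review bot: `jsonObject.getString(SwidTagConstants.NAME)` drops the `""` default that the removed `setName` line had, so an entry without `name` throws a NullPointerException whose message is null, and the generic catch then prints "null" and exits. `new File(filepath).length()` returns 0 for a path that does not exist, so a mistyped payload name records `size="0"` rather than failing at the point the problem is visible; `HashSwid.get256Hash` may fail later, but the size line has already accepted the bad path. Suggest `String filepath = jsonObject.getString(SwidTagConstants.NAME, "");` / `File fileToAdd = new File(filepath);` / `if (!fileToAdd.isFile()) { throw new FileNotFoundException("Payload file not found: " + filepath); }`, which lands in the existing "File does not exist or cannot be read" catch. After this change `createFile` no longer reads `rimEventLog`; if nothing else in the class uses it, the field and `setRimEventLog` look dead. PATCH 05 repeats this hunk at its SwidTagGateway @@ -514 section.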
@@ -113,35 +113,45 @@ public class SwidTagValidator { si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n"); si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n"); System.out.println(si.toString()); - Element file = (Element) document.getElementsByTagName("File").item(0); - try { - validateFile(file); - } catch (Exception e) { - System.out.println(e.getMessage()); - return false; - } + Element directory = (Element) document.getElementsByTagName("Directory").item(0); + validateDirectory(directory); System.out.println("Signature core validity: " + validateSignedXMLDocument(document)); return true; } + /** + * This method iterates over the list of File elements under the directory. + * + * @param directory the Directory element + */ + private boolean validateDirectory(Element directory) { + boolean isValid = true; + NodeList fileNodeList = directory.getChildNodes(); + for (int i = 0;i < fileNodeList.getLength();i++) { + Element file = (Element) fileNodeList.item(i); + isValid &= validateFile(file); + } + + return isValid; + } + /** * This method validates a hirs.swid.xjc.File from an indirect payload */ - private boolean validateFile(Element file) throws Exception { - String filepath; - if (!rimEventLog.isEmpty()) { - filepath = rimEventLog; - } else { - filepath = file.getAttribute(SwidTagConstants.NAME); - } - System.out.println("Support rim found at " + filepath); - if (HashSwid.get256Hash(filepath).equals( - file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" + - SwidTagConstants._SHA256_HASH.getLocalPart()))) { - System.out.println("Support RIM hash verified!" + System.lineSeparator()); - return true; - } else { - System.out.println("Support RIM hash does not match Base RIM!" 
+ System.lineSeparator()); + private boolean validateFile(Element file) { + String filepath = file.getAttribute(SwidTagConstants.NAME); + try { + if (HashSwid.get256Hash(filepath).equals( + file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" + + SwidTagConstants._SHA256_HASH.getLocalPart()))) { + System.out.println("Support RIM hash verified for " + filepath); + return true; + } else { + System.out.println("Hash of " + filepath + " does not match value in Base RIM"); + return false; + } + } catch (Exception e) { + System.out.println(e.getMessage()); return false; } } diff --git a/tools/tcg_rim_tool/src/test/resources/rim_fields.json b/tools/tcg_rim_tool/src/test/resources/rim_fields.json index c5cd3f41..299a4f30 100644 --- a/tools/tcg_rim_tool/src/test/resources/rim_fields.json +++ b/tools/tcg_rim_tool/src/test/resources/rim_fields.json @@ -41,12 +41,14 @@ "Directory": { "name": "rim", "root": "/boot/tcg/manifest/rim/", - "File": { + "File": [ + { "version":"01", "name": "Example.com.BIOS.01.rimel", "size": "7549", "hash": "4479ca722623f8c47b703996ced3cbd981b06b1ae8a897db70137e0b7c546848" } + ] } } } From 1b1cbb6f8e823233bcf3f7d046972743d459eee9 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 13 Mar 2023 12:14:20 -0400 Subject: [PATCH 02/18] Add resource file for unit testing --- tools/tcg_rim_tool/Example.com.BIOS.01.rimel | Bin 0 -> 7549 bytes tools/tcg_rim_tool/generated_swidTag.swidtag | 41 +++++++++++++++++++ tools/tcg_rim_tool/rim_fields.json | 3 +- 3 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 tools/tcg_rim_tool/Example.com.BIOS.01.rimel create mode 100644 tools/tcg_rim_tool/generated_swidTag.swidtag 
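Review bot: The return value of `validateDirectory(directory)` is discarded in the caller, so after this change a payload hash mismatch no longer fails validation: `validateFile` prints "does not match" and returns false, but the enclosing method (which begins before the hunk) still returns true, where the removed `try`/`return false` used to stop it. `validateDirectory` also casts every child of `Directory` to `Element`, and on indented XML `getChildNodes()` includes whitespace `Text` nodes, so the cast throws ClassCastException before any hash is compared; iterating `directory.getElementsByTagName("File")` avoids that with no new import. `getElementsByTagName("Directory").item(0)` is null for a tag without a Directory, so the cast needs a guard too. The `rimEventLog` override is dropped from `validateFile` while Main still calls `validator.setRimEventLog(rimel)`, so `-l` now has no effect on verification; either remove that option from verify or apply it here. PATCH 05 repeats this hunk at its SwidTagValidator section.
```java
        // … unchanged: SoftwareIdentity summary output (method begins before the hunk) …
        Element directory = (Element) document.getElementsByTagName("Directory").item(0);
        if (directory == null || !validateDirectory(directory)) {
            return false;
        }
        // … unchanged: signature validity output and return true …

    private boolean validateDirectory(Element directory) {
        boolean isValid = true;
        // Only File elements; getChildNodes() would also yield whitespace Text nodes.
        NodeList fileNodeList = directory.getElementsByTagName("File");
        for (int i = 0; i < fileNodeList.getLength(); i++) {
            isValid &= validateFile((Element) fileNodeList.item(i));
        }
        return isValid;
    }
```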
diff --git a/tools/tcg_rim_tool/Example.com.BIOS.01.rimel b/tools/tcg_rim_tool/Example.com.BIOS.01.rimel new file mode 100644 index 0000000000000000000000000000000000000000..0b8f1f398d51035bc91afbe8400d4888a28d5669 GIT binary patch literal 7549 zcmds53p`a>+h2!6H)=?dq+LukI^;4cmCNBAxieB{D&BHAZX@U9mIif5nUNZairneu zQp}Wyq6@02K{H)mgj^eyq^o4S&)WN_P+#Ny=J)&heQW>rUhAyAp6CC6*7K~jo_!EP zNEGf5m08fag3om(Oj!gwfa~q2u0;(KK_WD0O+Wlph?h|Ve9UlZ!23O^DykICyO6^xhF!iW#)@Hjb%6?P>>0o5n5keZ!_oTo4uA#OWU*I))Mz&c4)|qjT%7^|5Zq<|bFwt~%T4 zG-1d1*mE~erw5%;uoStY4Wk_!TX$aFdqXNq5;YwVogXzGqeH<2a9M%4$Qk(~AE*rx z4=z81hQc%)DI9-liEdW9rTrx@mwT^M`bB+HqOw=ty zu}$$W2wOVf`9#FbideWY@vhyjWhL{UH0<8;tojkH*Sr_A9juwjPK7CK(#1b5-$)?; zFYkD+(8v#b*)2Z3si(Q*UgDBo3m7d&{P8VRsOh8_uHF`gutgsugBZ<^3e+23vx~=F zB^a`Hr|IG{NWSIXl%$k!i?BX<{?@V=OScZt(NOf?4}R6*Cw1j|L2g%Z3%7J#T&QHi z&Oe)r^#^}j(EBg{{h7+zrtPGsM%5AjeMiN5+_%)y4h(vV*+`Janh!?bEa z$%-KlwX9AQ|J&nG>Vqj1`c2aI^#z0TM;ZMo+dCINOPiba$|^2cV6vX~fH-np9g zOZg&=-tChLo}gO+v|qDpcy`A7J7TYUSY0=GMxv{?QRs4`LywU~_8Y|W*u~oucQ$&B zWsgMHX19xA>kmv>v zN%YIa;0E*eW}a7=w#rP>!6c#~cj6g^D3y`u>_rlsG9|g}R9T~0;d>JJ3hVo2nFb{@ zuQzV;t#_FGltizl(22co!<}q=%JzWV*3ei_Ys++?EVhfUPRyI@d3Gea zVaNQ1Uu1`q2JR-H}ecZe`4CWTSj41 zvrNzTN-{>Ge}64VJap2G!2J)}oITkkwLUY|@{1AQ*u2ez{`wJJ==ToN_IC%%-}8HM zpIU*EPLajo`*oqa!y*ME(WC8Z3%}{>7HD=>8M&-#Xy+jpYq>4u8cDyfXKHpHkS1+! z`kjOEnx2ks#r;dOHBk?>NSz8R%;8N-;9zt-d$8XLcUt>}^N4ocRFpnzIq#aPO*He7 zXN`9XePWKV$fn(MOc5+d2Po*KTVR+~#OZJnZ zZ;yN1sV(~wbz3!9e7o2#T%w@)gr?WJO`wJV2ImY-g=B}0PNEbOR6H+pIufNw&$f<|ewMJK(7{(k zgibd`_HYIpBU7j?0l^upo*gfrA>Lxq<{jc-A?lRxE4I z3XWNWDT_$U>G4gq>F-(4mpR8XfaxdGyzW)X~WY6E>*CVixz>+s$h*X zTpG}FMOrY<37%iWma&lq_+$lKEVzw;u_1U& z6WFRFCOiq~TLtf!z+3|?*M|N@aD5{jqlK1(9s=-0XcDNJDN5#fG@3XPlMEYnE+At zHt)!SXRb;bBe^m(OD;E+nlNeQ-OE(RuVgqaQC!s5^}KSouKsZ~xu*L(F9ij*8B`a9xa+_@3t54R9lO3tbV?H}Ww3h!_k%3Yh}uJGP^Fo$^XhCKqu1P@v` zUL2wA2&=>go&lsClt-4sswQA1sKc5tf=iv;C-6!)h8{z>7DKHA>qG-?JPNP;k!u9W zh>D5Bp8TQpfp-S@9um-?o`7`Sd``Zy`oll&whF^yUH_El#XglbTbp?*$D1pXR%xA? 
z2cwJ}y}UfU-3Yd^DZ%9Py*!*9{XBTygsTs417XPH`4QH9+yO($eTUNgcfSPiXv}GJ zQo;;=lu~%#A3YY97`+t!N*TSB_;TJ#|f*P3YYu zsl{et|b%^Fd9qX!kW_G6T6>b7O&P;Tt&3RBIM?b`!RdqBGmYV6P#8gs=>aT zV|lf{??m~%b+NDYemmH~YU?;@I9X?ME4TwkhYiyfHcc9wlL)15)F2avL8KF`p6OWg zZ2W+-TlkyTanVX?vz|qs!Tqt5rvI=Fdlnag@UA{5W;*!AmsuR!P$O<&ndVt~leYO* zPDI2tL!~;lReUI4zFsh+68{f_%fJ!pq!(ff3}K!5k~=g3CnmM}2-x==VFmg@KfdwW z{8X9et8#wks~b{h%u(tUy(>$HXApxK#z3X?`>F&~MnM3F&E!77MH|q6gD=~1rNw?i zp=D@DuWGl*l;ZTnZg~YlplgWGLs>|axQSe`wrfLT>ciH z^wjDHZADtFh%)zr({ti06)e7#kT(CptT5a#L(VnB1YM?Z2lQVJA@EPl|8W1uw5~3h z^mCkPzR9jfq7qv!AOi|_K%a`W(fj|%_&4y68vmOe=0_nA%l6chb?Fj+K>(Xt&#;FG zSH;7?yp;1P`!`PYn|wdJTiJbMGAHCPGfR4fbbZ9B*I&Emfe+*aKarXI;t<(Ek9>g} z(ZXNz##hT8$R=`I6GBE!Wm1&Tw#Q?-Q_Z-`p$_r5PlqRxw_i{8mX# zB`rj`gDaOZjUlvfG?@iPe|I+VS>4W}ZPv%U^smcLlA;HT-WWHA#n10wZ!D35w#+-c z07lz#{rr8r@##dKMxQ#Oh64PPhaV2Le|8HV>WW`~lsR@IAyJ!_cq`y6qo>KCcb9Th zJiX{IkvM0c%jbhgSL6kft`O{=D4cw%`jjg^lqd~FzwPAberwLf^arPs0(iDD`YIW2 ziM7$z{eN+S%K7E1UPJ+qTvHDD$!uUU1e{FKaL@2iA52nknB&>g7mA%P?IK&Do94&} zyU2=0qtoZW(P9T5LT>Pxz=G6u18m|Juywl)`~3R<#9nb5D}L%s-sV=`e9oK0C%gVi z3=3>8^byR|zn}4A$*dl7?hUB9FZ=A~o^7~7?BLy8fu6g1Gpnt=qBXLEkgwH9rt^5V zQZb&7NcQSN_NMRq8+`_m6WgPgoSD6f%iQWvwf>I^uZpsXU2j&ZBuS@FPw^f2DS(Rm zY%1{QS^bl^mm>T03`hPRRT0n=C%J$l2ZT*k3zvZo;8X+x=BqN+RFoiyf*k Z3Uxc}%4JljeszIlpGQT``p + + + + + + + + + + + + + + + + + + + Ao7tTmXHCYeFmCJ0R6AY3cdfpyj1PdMq4yC9HJTDanY= + + + HNyKHDH8Q+Ii5pjzGJL3JV+4VdMObhE4EV7S7rfvZLeqFgkbmWe1jILv4Km0PXdHN8jJYxU+HT8R +akV0sab11+oope50lvivfPR3MspkdB0hxTyEq92z6m3MrBbjAtIgfsAnmq68LQ33je8vuL8jXAS9 +xhLBQq8spYXTKpMvbiaipAqD4NOzsUxpk5htPDsEImChaHGKVMlDZlSL5dL4Vh/FvDj6UrUNxp2d +ltXl+Vov0tlh5dj2g8g2OlJXiMbxr47Qssn6EaUWmcNu+cdrhvWhpYJGc3mZdEWnsV8bvGNrC2tU +TVIBVsDLOmw5sVPoFrnvWc41sPVDSF0dKLwIYA== + + + + p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx +xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9 +dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q 
+otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW +jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ== + AQAB + + + + + diff --git a/tools/tcg_rim_tool/rim_fields.json b/tools/tcg_rim_tool/rim_fields.json index b01859ef..ca68c93b 100644 --- a/tools/tcg_rim_tool/rim_fields.json +++ b/tools/tcg_rim_tool/rim_fields.json @@ -33,7 +33,8 @@ "supportRIMFormat": "TCG_EventLog_Assertion", "name": "iotBase", "File": [ - { "name": "TpmLog.bin" } + { "name": "TpmLog.bin" }, + { "name": "generated_swidTag.swidtag" } ] } } From 32edd6ce48b1a9db859718b44f98819305c3d636 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Fri, 24 Mar 2023 16:32:18 -0400 Subject: [PATCH 03/18] Add frontend support for --directory option --- .../src/main/java/hirs/swid/Main.java | 12 ++++++----- .../main/java/hirs/swid/utils/Commander.java | 8 ++++++- .../utils/DirectoryArgumentValidator.java | 21 +++++++++++++++++++ 3 files changed, 35 insertions(+), 6 deletions(-) create mode 100644 tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index b1fe58bc..29745c59 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -23,11 +23,15 @@ public class Main { System.out.println(commander.toString()); String verifyFile = commander.getVerifyFile(); String rimel = commander.getRimEventLog(); + String directory = commander.getDirectoryOverride(); String certificateFile = commander.getPublicCertificate(); String trustStore = commander.getTruststoreFile(); if (!verifyFile.isEmpty()) { if (!rimel.isEmpty()) { validator.setRimEventLog(rimel); + } + if (!directory.isEmpty()) { + } if (!trustStore.isEmpty()) { validator.setTrustStoreFile(trustStore); 
@@ -52,6 +56,7 @@ public class Main { boolean embeddedCert = commander.isEmbedded(); boolean defaultKey = commander.isDefaultKey(); String rimEventLog = commander.getRimEventLog(); + String directory = commander.getDirectoryOverride(); switch (createType) { case "BASE": if (!attributesFile.isEmpty()) { @@ -75,11 +80,8 @@ public class Main { "are required, or the default key (-d) must be indicated."); System.exit(1); } - if (rimEventLog.isEmpty()) { - System.out.println("Error: a support RIM is required!"); - System.exit(1); - } else { - gateway.setRimEventLog(rimEventLog); + if (!directory.isEmpty()) { + } gateway.generateSwidTag(commander.getOutFile()); break; diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index a769409b..fbed6e70 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java @@ -45,6 +45,9 @@ public class Commander { @Parameter(names = {"-l", "--rimel "}, order = 9, description = "The TCG eventlog file to use as a support RIM.") private String rimEventLog = ""; + @Parameter(names = {"--directory"}, validateWith = DirectoryArgumentValidator.class, + description = "The directory in which to locate required files.") + private String directoryOverride = ""; public boolean isHelp() { return help; @@ -82,6 +85,8 @@ public class Commander { public String getRimEventLog() { return rimEventLog; } + public String getDirectoryOverride() { return directoryOverride; } + public String printHelpExamples() { StringBuilder sb = new StringBuilder(); sb.append("Create a base RIM using the values in attributes.json; " + 
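Review bot: Removing the "a support RIM is required" check together with `gateway.setRimEventLog(rimEventLog)` leaves the `rimEventLog` local read in the hunk above unused, so `-l` is accepted on create and silently ignored, and the replacement `if (!directory.isEmpty()) { }` is empty here (PATCH 04 fills it in). Since payload files now come from the attributes file, either delete the local or say so: `if (!rimEventLog.isEmpty()) { System.out.println("Note: -l is ignored for create; payload files are listed in the attributes file."); }`. The surrounding switch begins before the hunk and ends after it. PATCH 07 repeats this hunk at its Main section.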
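Review bot: The new `--directory` parameter omits the `order =` attribute that the neighbouring options carry (`--rimel` has `order = 9`), so JCommander may sort it apart from the ordered options in the usage output; give it the next unused value, `@Parameter(names = {"--directory"}, order = <next free order>, validateWith = DirectoryArgumentValidator.class, ...)`. The one-line `public String getDirectoryOverride() { return directoryOverride; }` also breaks with the multi-line getter layout used just above it. PATCH 07 repeats this hunk at its Commander section.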
@@ -122,7 +127,8 @@ public class Commander { } else { sb.append("Signing credential: (none given)" + System.lineSeparator()); } - sb.append("Event log support RIM: " + this.getRimEventLog() + System.lineSeparator()); + sb.append("Override payload directory with: " + this.getDirectoryOverride() + + System.lineSeparator()); return sb.toString(); } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java new file mode 100644 index 00000000..548d4780 --- /dev/null +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java @@ -0,0 +1,21 @@ +package hirs.swid.utils; + +import com.beust.jcommander.IParameterValidator; +import com.beust.jcommander.ParameterException; + +import java.io.File; + +public class DirectoryArgumentValidator implements IParameterValidator { + public void validate(String name, String value) throws ParameterException { + try { + File directory = new File(value); + if (!directory.isDirectory()) { + throw new ParameterException("Invalid directory given, " + + "please provide a valid directory path."); + } + } catch (SecurityException e) { + throw new ParameterException("Read access denied for " + value + + ", please verify permissions."); + } + } +} From fd32c9fc8cac878dca147246dfebd0da1a001e00 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 4 Apr 2023 10:02:18 -0400 Subject: [PATCH 04/18] Modify gateway class to handle a directory override argument --- .../tcg_rim_tool/src/main/java/hirs/swid/Main.java | 4 +--- .../src/main/java/hirs/swid/SwidTagGateway.java | 13 ++++++++++++- .../hirs/swid/utils/DirectoryArgumentValidator.java | 5 +++++ 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 29745c59..1ccc9d06 100644 
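Review bot: `validate` implements `IParameterValidator.validate` without `@Override`, and the `isDirectory()` test does not establish the readability that the error text promises, so a directory that exists but cannot be read passes here and fails later when the payload files are opened. Change the condition to `if (!directory.isDirectory() || !directory.canRead()) {` so the check matches the message, and annotate the method `@Override`. The `SecurityException` branch is only reachable under a security manager, so in practice the "Read access denied" message is rarely what the user sees. PATCH 07 repeats this new file at its DirectoryArgumentValidator section.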
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -80,9 +80,7 @@ public class Main { "are required, or the default key (-d) must be indicated."); System.exit(1); } - if (!directory.isEmpty()) { - - } + gateway.setDirectoryOverride(directory); gateway.generateSwidTag(commander.getOutFile()); break; default: diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index d6dbd016..34f2f24b 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -82,6 +82,7 @@ public class SwidTagGateway { private String pemCertificateFile; private boolean embeddedCert; private String rimEventLog; + private String directoryOverride; private String errorRequiredFields; /** @@ -96,6 +97,7 @@ public class SwidTagGateway { pemCertificateFile = ""; embeddedCert = false; rimEventLog = ""; + directoryOverride = ""; errorRequiredFields = ""; } catch (JAXBException e) { System.out.println("Error initializing jaxbcontext: " + e.getMessage()); @@ -166,6 +168,15 @@ public class SwidTagGateway { this.rimEventLog = rimEventLog; } + /** + * Setter for directory path to search for required files + * + * @param directoryOverride + */ + public void setDirectoryOverride(String directoryOverride) { + this.directoryOverride = directoryOverride; + } + /** * This method generates a base RIM from the values in a JSON file. * 
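Review bot: The javadoc added for `setDirectoryOverride` leaves `@param directoryOverride` with no description, and the field's contract — whether a trailing separator is needed and what the empty string means — is exactly what a caller gets wrong. Suggest `@param directoryOverride directory prefixed to each payload file name read from the attributes file; the empty string (the constructor default) leaves the names as given`. The constructor hunk above and the @@ -495 hunk in this patch are the lines that establish that behaviour.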
@@ -495,7 +506,7 @@ public class SwidTagGateway { jsonObject.getString(SwidTagConstants.SUPPORT_RIM_TYPE, "")); addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_URI_GLOBAL, jsonObject.getString(SwidTagConstants.SUPPORT_RIM_URI_GLOBAL, "")); - String filepath = jsonObject.getString(SwidTagConstants.NAME); + String filepath = directoryOverride + jsonObject.getString(SwidTagConstants.NAME); File fileToAdd = new File(filepath); file.setName(filepath); file.setSize(new BigInteger(Long.toString(fileToAdd.length()))); diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java index 548d4780..3d41fa38 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java @@ -5,6 +5,11 @@ import com.beust.jcommander.ParameterException; import java.io.File; +/** + * This class validates a directory argument. If the directory is neither valid nor + * read-accessible then an error is thrown. + */ + public class DirectoryArgumentValidator implements IParameterValidator { public void validate(String name, String value) throws ParameterException { try { From 04043b9ab8373b5712b68a5e377178ed547c4276 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 13 Mar 2023 10:00:13 -0400 Subject: [PATCH 05/18] Modified rimtool to support multiple payload files for creating and validating base RIMs --- tools/tcg_rim_tool/rim_fields.json | 6 +-- .../main/java/hirs/swid/SwidTagGateway.java | 34 ++++++++---- .../main/java/hirs/swid/SwidTagValidator.java | 54 +++++++++++-------- .../src/test/resources/rim_fields.json | 4 +- 4 files changed, 61 insertions(+), 37 deletions(-) diff --git a/tools/tcg_rim_tool/rim_fields.json b/tools/tcg_rim_tool/rim_fields.json index 192bc897..b01859ef 100644 
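Review bot: `directoryOverride + jsonObject.getString(SwidTagConstants.NAME)` joins the two with no path separator, so `--directory /tmp/rims` with name `TpmLog.bin` looks for `/tmp/rimsTpmLog.bin` unless the user adds a trailing slash; the joined string is then written into the tag by `file.setName(filepath)`, embedding the local directory in the `File` name attribute that the validator later treats as a path. Resolve with `java.io.File` and keep the bare name in the tag: `String name = jsonObject.getString(SwidTagConstants.NAME);` / `File fileToAdd = directoryOverride.isEmpty() ? new File(name) : new File(directoryOverride, name);` / `file.setName(name);`, and pass `fileToAdd.getPath()` where `filepath` is handed to `get256Hash`. The ternary matters because `new File("", name)` resolves against the filesystem root rather than the working directory. `createFile` begins before and ends after the hunk.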
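Review bot: The new class comment says an error is thrown when the directory is not read-accessible, but `validate` only tests `isDirectory()` and reports permissions solely from a `SecurityException`, so the comment overstates the check. Either add `|| !directory.canRead()` to the condition or narrow the comment to "If the path is not an existing directory then a ParameterException is thrown". The blank line left between `*/` and `public class` also departs from the convention of placing the Javadoc directly above the declaration.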
--- a/tools/tcg_rim_tool/rim_fields.json +++ b/tools/tcg_rim_tool/rim_fields.json @@ -32,9 +32,9 @@ "Directory": { "supportRIMFormat": "TCG_EventLog_Assertion", "name": "iotBase", - "File": { - "name": "TpmLog.bin" - } + "File": [ + { "name": "TpmLog.bin" } + ] } } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 9c9af605..775a54b4 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -12,6 +12,7 @@ import org.w3c.dom.Document; import org.w3c.dom.Element; import javax.json.Json; +import javax.json.JsonArray; import javax.json.JsonException; import javax.json.JsonObject; import javax.json.JsonReader; @@ -70,6 +71,7 @@ import java.time.LocalDateTime; import java.util.ArrayList; import java.util.Base64; import java.util.Collections; +import java.util.Iterator; import java.util.List; import java.util.Map; @@ -228,12 +230,16 @@ public class SwidTagGateway { configProperties.getJsonObject(SwidTagConstants.PAYLOAD) .getJsonObject(SwidTagConstants.DIRECTORY)); //File - hirs.swid.xjc.File file = createFile( - configProperties.getJsonObject(SwidTagConstants.PAYLOAD) - .getJsonObject(SwidTagConstants.DIRECTORY) - .getJsonObject(SwidTagConstants.FILE)); - //Nest File in Directory in Payload - directory.getDirectoryOrFile().add(file); + JsonArray fileArray = configProperties.getJsonObject(SwidTagConstants.PAYLOAD) + .getJsonObject(SwidTagConstants.DIRECTORY) + .getJsonArray(SwidTagConstants.FILE); + Iterator itr = fileArray.iterator(); + while(itr.hasNext()) { + JsonObject arrayItem = (JsonObject) itr.next(); + hirs.swid.xjc.File file = createFile(arrayItem); + //Nest File in Directory in Payload + directory.getDirectoryOrFile().add(file); + } payload.getDirectoryOrFileOrProcess().add(directory); JAXBElement jaxbPayload = objectFactory.createSoftwareIdentityPayload(payload); 
@@ -254,8 +260,12 @@ public class SwidTagGateway { } catch (FileNotFoundException e) { System.out.println("File does not exist or cannot be read: " + e.getMessage()); System.exit(1); + } catch (ClassCastException e) { + System.out.println("File object in JSON attributes file must be an array."); + System.exit(1); } catch (Exception e) { System.out.println(e.getMessage()); + e.printStackTrace(); System.exit(1); } } @@ -496,9 +506,9 @@ public class SwidTagGateway { * @param jsonObject the Properties object containing parameters from file * @return File object created from the properties */ - private hirs.swid.xjc.File createFile(JsonObject jsonObject) throws Exception { + private hirs.swid.xjc.File createFile(JsonObject jsonObject) + throws Exception { hirs.swid.xjc.File file = objectFactory.createFile(); - file.setName(jsonObject.getString(SwidTagConstants.NAME, "")); Map attributes = file.getOtherAttributes(); String supportRimFormat = jsonObject.getString(SwidTagConstants.SUPPORT_RIM_FORMAT, SwidTagConstants.SUPPORT_RIM_FORMAT_MISSING); @@ -514,11 +524,13 @@ public class SwidTagGateway { jsonObject.getString(SwidTagConstants.SUPPORT_RIM_TYPE, "")); addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_URI_GLOBAL, jsonObject.getString(SwidTagConstants.SUPPORT_RIM_URI_GLOBAL, "")); - File rimEventLogFile = new File(rimEventLog); - file.setSize(new BigInteger(Long.toString(rimEventLogFile.length()))); + String filepath = jsonObject.getString(SwidTagConstants.NAME); + File fileToAdd = new File(filepath); + file.setName(filepath); + file.setSize(new BigInteger(Long.toString(fileToAdd.length()))); addNonNullAttribute(attributes, SwidTagConstants._SHA256_HASH, jsonObject.getString(SwidTagConstants.HASH, - HashSwid.get256Hash(rimEventLog)), true); + HashSwid.get256Hash(filepath)), true); return file; } 
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java index 10d83a91..00c064c2 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java 
@@ -113,35 +113,45 @@ public class SwidTagValidator { si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n"); si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n"); System.out.println(si.toString()); - Element file = (Element) document.getElementsByTagName("File").item(0); - try { - validateFile(file); - } catch (Exception e) { - System.out.println(e.getMessage()); - return false; - } + Element directory = (Element) document.getElementsByTagName("Directory").item(0); + validateDirectory(directory); System.out.println("Signature core validity: " + validateSignedXMLDocument(document)); return true; } + /** + * This method iterates over the list of File elements under the directory. + * + * @param directory the Directory element + */ + private boolean validateDirectory(Element directory) { + boolean isValid = true; + NodeList fileNodeList = directory.getChildNodes(); + for (int i = 0;i < fileNodeList.getLength();i++) { + Element file = (Element) fileNodeList.item(i); + isValid &= validateFile(file); + } + + return isValid; + } + /** * This method validates a hirs.swid.xjc.File from an indirect payload */ - private boolean validateFile(Element file) throws Exception { - String filepath; - if (!rimEventLog.isEmpty()) { - filepath = rimEventLog; - } else { - filepath = file.getAttribute(SwidTagConstants.NAME); - } - System.out.println("Support rim found at " + filepath); - if (HashSwid.get256Hash(filepath).equals( - file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" + - SwidTagConstants._SHA256_HASH.getLocalPart()))) { - System.out.println("Support RIM hash verified!" + System.lineSeparator()); - return true; - } else { - System.out.println("Support RIM hash does not match Base RIM!" 
+ System.lineSeparator()); + private boolean validateFile(Element file) { + String filepath = file.getAttribute(SwidTagConstants.NAME); + try { + if (HashSwid.get256Hash(filepath).equals( + file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" + + SwidTagConstants._SHA256_HASH.getLocalPart()))) { + System.out.println("Support RIM hash verified for " + filepath); + return true; + } else { + System.out.println("Hash of " + filepath + " does not match value in Base RIM"); + return false; + } + } catch (Exception e) { + System.out.println(e.getMessage()); return false; } } diff --git a/tools/tcg_rim_tool/src/test/resources/rim_fields.json b/tools/tcg_rim_tool/src/test/resources/rim_fields.json index c5cd3f41..299a4f30 100644 --- a/tools/tcg_rim_tool/src/test/resources/rim_fields.json +++ b/tools/tcg_rim_tool/src/test/resources/rim_fields.json @@ -41,12 +41,14 @@ "Directory": { "name": "rim", "root": "/boot/tcg/manifest/rim/", - "File": { + "File": [ + { "version":"01", "name": "Example.com.BIOS.01.rimel", "size": "7549", "hash": "4479ca722623f8c47b703996ced3cbd981b06b1ae8a897db70137e0b7c546848" } + ] } } } From ef6718af2a28014bb75b73182071f3c9577d4f30 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 13 Mar 2023 12:14:20 -0400 Subject: [PATCH 06/18] Add resource file for unit testing --- tools/tcg_rim_tool/Example.com.BIOS.01.rimel | Bin 0 -> 7549 bytes tools/tcg_rim_tool/generated_swidTag.swidtag | 41 +++++++++++++++++++ tools/tcg_rim_tool/rim_fields.json | 3 +- 3 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 tools/tcg_rim_tool/Example.com.BIOS.01.rimel create mode 100644 tools/tcg_rim_tool/generated_swidTag.swidtag 
diff --git a/tools/tcg_rim_tool/Example.com.BIOS.01.rimel b/tools/tcg_rim_tool/Example.com.BIOS.01.rimel new file mode 100644 index 0000000000000000000000000000000000000000..0b8f1f398d51035bc91afbe8400d4888a28d5669 GIT binary patch literal 7549 zcmds53p`a>+h2!6H)=?dq+LukI^;4cmCNBAxieB{D&BHAZX@U9mIif5nUNZairneu zQp}Wyq6@02K{H)mgj^eyq^o4S&)WN_P+#Ny=J)&heQW>rUhAyAp6CC6*7K~jo_!EP zNEGf5m08fag3om(Oj!gwfa~q2u0;(KK_WD0O+Wlph?h|Ve9UlZ!23O^DykICyO6^xhF!iW#)@Hjb%6?P>>0o5n5keZ!_oTo4uA#OWU*I))Mz&c4)|qjT%7^|5Zq<|bFwt~%T4 zG-1d1*mE~erw5%;uoStY4Wk_!TX$aFdqXNq5;YwVogXzGqeH<2a9M%4$Qk(~AE*rx z4=z81hQc%)DI9-liEdW9rTrx@mwT^M`bB+HqOw=ty zu}$$W2wOVf`9#FbideWY@vhyjWhL{UH0<8;tojkH*Sr_A9juwjPK7CK(#1b5-$)?; zFYkD+(8v#b*)2Z3si(Q*UgDBo3m7d&{P8VRsOh8_uHF`gutgsugBZ<^3e+23vx~=F zB^a`Hr|IG{NWSIXl%$k!i?BX<{?@V=OScZt(NOf?4}R6*Cw1j|L2g%Z3%7J#T&QHi z&Oe)r^#^}j(EBg{{h7+zrtPGsM%5AjeMiN5+_%)y4h(vV*+`Janh!?bEa z$%-KlwX9AQ|J&nG>Vqj1`c2aI^#z0TM;ZMo+dCINOPiba$|^2cV6vX~fH-np9g zOZg&=-tChLo}gO+v|qDpcy`A7J7TYUSY0=GMxv{?QRs4`LywU~_8Y|W*u~oucQ$&B zWsgMHX19xA>kmv>v zN%YIa;0E*eW}a7=w#rP>!6c#~cj6g^D3y`u>_rlsG9|g}R9T~0;d>JJ3hVo2nFb{@ zuQzV;t#_FGltizl(22co!<}q=%JzWV*3ei_Ys++?EVhfUPRyI@d3Gea zVaNQ1Uu1`q2JR-H}ecZe`4CWTSj41 zvrNzTN-{>Ge}64VJap2G!2J)}oITkkwLUY|@{1AQ*u2ez{`wJJ==ToN_IC%%-}8HM zpIU*EPLajo`*oqa!y*ME(WC8Z3%}{>7HD=>8M&-#Xy+jpYq>4u8cDyfXKHpHkS1+! z`kjOEnx2ks#r;dOHBk?>NSz8R%;8N-;9zt-d$8XLcUt>}^N4ocRFpnzIq#aPO*He7 zXN`9XePWKV$fn(MOc5+d2Po*KTVR+~#OZJnZ zZ;yN1sV(~wbz3!9e7o2#T%w@)gr?WJO`wJV2ImY-g=B}0PNEbOR6H+pIufNw&$f<|ewMJK(7{(k zgibd`_HYIpBU7j?0l^upo*gfrA>Lxq<{jc-A?lRxE4I z3XWNWDT_$U>G4gq>F-(4mpR8XfaxdGyzW)X~WY6E>*CVixz>+s$h*X zTpG}FMOrY<37%iWma&lq_+$lKEVzw;u_1U& z6WFRFCOiq~TLtf!z+3|?*M|N@aD5{jqlK1(9s=-0XcDNJDN5#fG@3XPlMEYnE+At zHt)!SXRb;bBe^m(OD;E+nlNeQ-OE(RuVgqaQC!s5^}KSouKsZ~xu*L(F9ij*8B`a9xa+_@3t54R9lO3tbV?H}Ww3h!_k%3Yh}uJGP^Fo$^XhCKqu1P@v` zUL2wA2&=>go&lsClt-4sswQA1sKc5tf=iv;C-6!)h8{z>7DKHA>qG-?JPNP;k!u9W zh>D5Bp8TQpfp-S@9um-?o`7`Sd``Zy`oll&whF^yUH_El#XglbTbp?*$D1pXR%xA? 
z2cwJ}y}UfU-3Yd^DZ%9Py*!*9{XBTygsTs417XPH`4QH9+yO($eTUNgcfSPiXv}GJ zQo;;=lu~%#A3YY97`+t!N*TSB_;TJ#|f*P3YYu zsl{et|b%^Fd9qX!kW_G6T6>b7O&P;Tt&3RBIM?b`!RdqBGmYV6P#8gs=>aT zV|lf{??m~%b+NDYemmH~YU?;@I9X?ME4TwkhYiyfHcc9wlL)15)F2avL8KF`p6OWg zZ2W+-TlkyTanVX?vz|qs!Tqt5rvI=Fdlnag@UA{5W;*!AmsuR!P$O<&ndVt~leYO* zPDI2tL!~;lReUI4zFsh+68{f_%fJ!pq!(ff3}K!5k~=g3CnmM}2-x==VFmg@KfdwW z{8X9et8#wks~b{h%u(tUy(>$HXApxK#z3X?`>F&~MnM3F&E!77MH|q6gD=~1rNw?i zp=D@DuWGl*l;ZTnZg~YlplgWGLs>|axQSe`wrfLT>ciH z^wjDHZADtFh%)zr({ti06)e7#kT(CptT5a#L(VnB1YM?Z2lQVJA@EPl|8W1uw5~3h z^mCkPzR9jfq7qv!AOi|_K%a`W(fj|%_&4y68vmOe=0_nA%l6chb?Fj+K>(Xt&#;FG zSH;7?yp;1P`!`PYn|wdJTiJbMGAHCPGfR4fbbZ9B*I&Emfe+*aKarXI;t<(Ek9>g} z(ZXNz##hT8$R=`I6GBE!Wm1&Tw#Q?-Q_Z-`p$_r5PlqRxw_i{8mX# zB`rj`gDaOZjUlvfG?@iPe|I+VS>4W}ZPv%U^smcLlA;HT-WWHA#n10wZ!D35w#+-c z07lz#{rr8r@##dKMxQ#Oh64PPhaV2Le|8HV>WW`~lsR@IAyJ!_cq`y6qo>KCcb9Th zJiX{IkvM0c%jbhgSL6kft`O{=D4cw%`jjg^lqd~FzwPAberwLf^arPs0(iDD`YIW2 ziM7$z{eN+S%K7E1UPJ+qTvHDD$!uUU1e{FKaL@2iA52nknB&>g7mA%P?IK&Do94&} zyU2=0qtoZW(P9T5LT>Pxz=G6u18m|Juywl)`~3R<#9nb5D}L%s-sV=`e9oK0C%gVi z3=3>8^byR|zn}4A$*dl7?hUB9FZ=A~o^7~7?BLy8fu6g1Gpnt=qBXLEkgwH9rt^5V zQZb&7NcQSN_NMRq8+`_m6WgPgoSD6f%iQWvwf>I^uZpsXU2j&ZBuS@FPw^f2DS(Rm zY%1{QS^bl^mm>T03`hPRRT0n=C%J$l2ZT*k3zvZo;8X+x=BqN+RFoiyf*k Z3Uxc}%4JljeszIlpGQT``p + + + + + + + + + + + + + + + + + + + Ao7tTmXHCYeFmCJ0R6AY3cdfpyj1PdMq4yC9HJTDanY= + + + HNyKHDH8Q+Ii5pjzGJL3JV+4VdMObhE4EV7S7rfvZLeqFgkbmWe1jILv4Km0PXdHN8jJYxU+HT8R +akV0sab11+oope50lvivfPR3MspkdB0hxTyEq92z6m3MrBbjAtIgfsAnmq68LQ33je8vuL8jXAS9 +xhLBQq8spYXTKpMvbiaipAqD4NOzsUxpk5htPDsEImChaHGKVMlDZlSL5dL4Vh/FvDj6UrUNxp2d +ltXl+Vov0tlh5dj2g8g2OlJXiMbxr47Qssn6EaUWmcNu+cdrhvWhpYJGc3mZdEWnsV8bvGNrC2tU +TVIBVsDLOmw5sVPoFrnvWc41sPVDSF0dKLwIYA== + + + + p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx +xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9 +dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q 
+otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW +jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ== + AQAB + + + + + diff --git a/tools/tcg_rim_tool/rim_fields.json b/tools/tcg_rim_tool/rim_fields.json index b01859ef..ca68c93b 100644 --- a/tools/tcg_rim_tool/rim_fields.json +++ b/tools/tcg_rim_tool/rim_fields.json @@ -33,7 +33,8 @@ "supportRIMFormat": "TCG_EventLog_Assertion", "name": "iotBase", "File": [ - { "name": "TpmLog.bin" } + { "name": "TpmLog.bin" }, + { "name": "generated_swidTag.swidtag" } ] } } From 23f2b0a47ac777baf7b2e6d77397bc013980b334 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Fri, 24 Mar 2023 16:32:18 -0400 Subject: [PATCH 07/18] Add frontend support for --directory option --- .../src/main/java/hirs/swid/Main.java | 12 ++++++----- .../main/java/hirs/swid/utils/Commander.java | 7 ++++++- .../utils/DirectoryArgumentValidator.java | 21 +++++++++++++++++++ 3 files changed, 34 insertions(+), 6 deletions(-) create mode 100644 tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 6356f0cd..524893b0 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -24,11 +24,15 @@ public class Main { System.out.println(commander.toString()); String verifyFile = commander.getVerifyFile(); String rimel = commander.getRimEventLog(); + String directory = commander.getDirectoryOverride(); String certificateFile = commander.getPublicCertificate(); String trustStore = commander.getTruststoreFile(); if (!verifyFile.isEmpty()) { if (!rimel.isEmpty()) { validator.setRimEventLog(rimel); + } + if (!directory.isEmpty()) { + } if (!trustStore.isEmpty()) { validator.setTrustStoreFile(trustStore); 
@@ -53,6 +57,7 @@ public class Main { boolean embeddedCert = commander.isEmbedded(); boolean defaultKey = commander.isDefaultKey(); String rimEventLog = commander.getRimEventLog(); + String directory = commander.getDirectoryOverride(); switch (createType) { case "BASE": if (!attributesFile.isEmpty()) { @@ -76,11 +81,8 @@ public class Main { "are required, or the default key (-d) must be indicated."); System.exit(1); } - if (rimEventLog.isEmpty()) { - System.out.println("Error: a support RIM is required!"); - System.exit(1); - } else { - gateway.setRimEventLog(rimEventLog); + if (!directory.isEmpty()) { + } List timestampArguments = commander.getTimestampArguments(); if (timestampArguments.size() > 0) { diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index d84f4dbf..75f471ac 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java @@ -53,6 +53,9 @@ public class Commander { "Currently only RFC3339 and RFC3852 are supported:\n" + "\tRFC3339 [yyyy-MM-ddThh:mm:ssZ]\n\tRFC3852 ") private List timestampArguments = new ArrayList(2); + @Parameter(names = {"--directory"}, validateWith = DirectoryArgumentValidator.class, + description = "The directory in which to locate required files.") + private String directoryOverride = ""; public boolean isHelp() { return help; @@ -93,6 +96,7 @@ public class Commander { public List getTimestampArguments() { return timestampArguments; } + public String getDirectoryOverride() { return directoryOverride; } public String printHelpExamples() { StringBuilder sb = new StringBuilder(); 
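Review bot: Removing the "support RIM is required" check together with `gateway.setRimEventLog(rimEventLog);` leaves `String rimEventLog = commander.getRimEventLog();` read but unused, so for this commit `-l`/`--rimel` still parses but no longer has any effect on the created RIM, and the replacement `if (!directory.isEmpty()) { }` body is empty. Either drop the unused local here or keep the setter call until the directory handling lands, so the series compiles without an "unused variable" warning at every step. In the Commander hunk, the new `@Parameter(names = {"--directory"}, ...)` omits the `order` attribute that its siblings carry (`order = 8`, `order = 10`), so its position in the usage listing is left to JCommander's default. The enclosing method in Main starts and ends outside the hunk.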
@@ -139,7 +143,6 @@ public class Commander { } else { sb.append("Signing credential: (none given)" + System.lineSeparator()); } - sb.append("Event log support RIM: " + this.getRimEventLog() + System.lineSeparator()); List timestampArguments = this.getTimestampArguments(); if (timestampArguments.size() > 0) { sb.append("Timestamp format: " + timestampArguments.get(0)); @@ -149,6 +152,8 @@ public class Commander { } else { sb.append("No timestamp included"); } + sb.append("Override payload directory with: " + this.getDirectoryOverride() + + System.lineSeparator()); return sb.toString(); } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java new file mode 100644 index 00000000..548d4780 --- /dev/null +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java @@ -0,0 +1,21 @@ +package hirs.swid.utils; + +import com.beust.jcommander.IParameterValidator; +import com.beust.jcommander.ParameterException; + +import java.io.File; + +public class DirectoryArgumentValidator implements IParameterValidator { + public void validate(String name, String value) throws ParameterException { + try { + File directory = new File(value); + if (!directory.isDirectory()) { + throw new ParameterException("Invalid directory given, " + + "please provide a valid directory path."); + } + } catch (SecurityException e) { + throw new ParameterException("Read access denied for " + value + + ", please verify permissions."); + } + } +} From cb9b93a47ab50ec2ef8e8bd1253eb6d9f6b490bb Mon Sep 17 00:00:00 2001 
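Review bot: `sb.append("No timestamp included");` in the `else` branch has no trailing line separator, so the newly appended `Override payload directory with:` text is glued onto the same output line whenever no timestamp is given. Change it to `sb.append("No timestamp included" + System.lineSeparator());`, or append the override line before the timestamp block alongside the other summary lines. The same pair of hunks recurs in patch 12's Commander.java.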
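Review bot: `File.isDirectory()` returns false rather than throwing for a path that exists but cannot be read, so the `catch (SecurityException e)` branch only fires under a SecurityManager and the "Read access denied" message is practically never what a user sees for a permissions problem; adding `|| !directory.canRead()` to the `isDirectory()` check covers that case directly. When the exception is rethrown, pass `e` as the cause (`new ParameterException("...", e)` — JCommander's ParameterException has a message-plus-cause constructor as far as I recall) so the original failure is not lost. The new class has no Javadoc; a one-line `/** Validates that a --directory argument names an existing, readable directory. */` would do. Patch 12 adds an identical copy of this file with the same points.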
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 4 Apr 2023 10:02:18 -0400 Subject: [PATCH 08/18] Modify gateway class to handle a directory override argument --- .../tcg_rim_tool/src/main/java/hirs/swid/Main.java | 4 +--- .../src/main/java/hirs/swid/SwidTagGateway.java | 13 ++++++++++++- .../hirs/swid/utils/DirectoryArgumentValidator.java | 5 +++++ 3 files changed, 18 insertions(+), 4 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 524893b0..4a9c62b0 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -80,9 +80,6 @@ public class Main { System.out.println("A private key (-k) and public certificate (-p) " + "are required, or the default key (-d) must be indicated."); System.exit(1); - } - if (!directory.isEmpty()) { - } List timestampArguments = commander.getTimestampArguments(); if (timestampArguments.size() > 0) { @@ -95,6 +92,7 @@ public class Main { System.exit(1); } } + gateway.setDirectoryOverride(directory); gateway.generateSwidTag(commander.getOutFile()); break; default: diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 775a54b4..277b195e 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -93,6 +93,7 @@ public class SwidTagGateway { private String rimEventLog; private String timestampFormat; private String timestampArgument; + private String directoryOverride; private String errorRequiredFields; /** @@ -109,6 +110,7 @@ public class SwidTagGateway { rimEventLog = ""; timestampFormat = ""; timestampArgument = ""; + directoryOverride = ""; errorRequiredFields = ""; } catch (JAXBException e) { System.out.println("Error initializing jaxbcontext: " + e.getMessage()); 
@@ -195,6 +197,15 @@ public class SwidTagGateway { this.timestampArgument = timestampArgument; } + /** + * Setter for directory path to search for required files + * + * @param directoryOverride + */ + public void setDirectoryOverride(String directoryOverride) { + this.directoryOverride = directoryOverride; + } + /** * This method generates a base RIM from the values in a JSON file. * @@ -524,7 +535,7 @@ public class SwidTagGateway { jsonObject.getString(SwidTagConstants.SUPPORT_RIM_TYPE, "")); addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_URI_GLOBAL, jsonObject.getString(SwidTagConstants.SUPPORT_RIM_URI_GLOBAL, "")); - String filepath = jsonObject.getString(SwidTagConstants.NAME); + String filepath = directoryOverride + jsonObject.getString(SwidTagConstants.NAME); File fileToAdd = new File(filepath); file.setName(filepath); file.setSize(new BigInteger(Long.toString(fileToAdd.length()))); diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java index 548d4780..3d41fa38 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java @@ -5,6 +5,11 @@ import com.beust.jcommander.ParameterException; import java.io.File; +/** + * This class validates a directory argument. If the directory is neither valid nor + * read-accessible then an error is thrown. + */ + public class DirectoryArgumentValidator implements IParameterValidator { public void validate(String name, String value) throws ParameterException { try { From 52655d3c850ade6d77c1f84e495b83fa8dee3345 Mon Sep 17 00:00:00 2001 
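Review bot: The new setter's Javadoc has a bare `@param directoryOverride` with no description, and the summary line has no terminating period. Suggest `@param directoryOverride directory prefixed to each payload file name when locating files; "" means the names are used as given`. This is documentation only.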
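Review bot: `String filepath = directoryOverride + jsonObject.getString(SwidTagConstants.NAME);` joins the two strings with no path separator, so (for example) `--directory some/dir` with the name `TpmLog.bin` from rim_fields.json resolves to `some/dirTpmLog.bin` unless the user remembers a trailing slash, and the prefixed string is then written into the tag by the unchanged `file.setName(filepath);`, embedding the local directory path in the generated RIM in place of the payload's own name. Build the lookup path with `File fileToAdd = new File(directoryOverride, name);` and keep `file.setName(name);` on the unprefixed value; the validator side in patch 09 has the same concatenation. createFile starts and ends outside the hunk.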
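Review bot: The new class Javadoc states that an error is thrown when the directory is "neither valid nor read-accessible", but `validate()` only calls `isDirectory()`, which does not check read permission, so an unreadable directory passes unless a SecurityManager is installed. Either add a `canRead()` check to match the comment or reword it to "If the path is not an existing directory, a ParameterException is thrown." Conventional style also places the doc comment directly above `public class` with no blank line between them.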
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 4 Apr 2023 13:26:22 -0400 Subject: [PATCH 09/18] Modify validator class to handle a directory override argument --- .../src/main/java/hirs/swid/Main.java | 9 +------- .../main/java/hirs/swid/SwidTagGateway.java | 14 ------------ .../main/java/hirs/swid/SwidTagValidator.java | 22 +++++++++---------- .../main/java/hirs/swid/utils/Commander.java | 11 +++------- .../utils/DirectoryArgumentValidator.java | 4 ++-- .../java/hirs/swid/TestSwidTagGateway.java | 4 ---- 6 files changed, 17 insertions(+), 47 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 4a9c62b0..64de4efb 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -23,17 +23,10 @@ public class Main { validator = new SwidTagValidator(); System.out.println(commander.toString()); String verifyFile = commander.getVerifyFile(); - String rimel = commander.getRimEventLog(); String directory = commander.getDirectoryOverride(); String certificateFile = commander.getPublicCertificate(); String trustStore = commander.getTruststoreFile(); if (!verifyFile.isEmpty()) { - if (!rimel.isEmpty()) { - validator.setRimEventLog(rimel); - } - if (!directory.isEmpty()) { - - } if (!trustStore.isEmpty()) { validator.setTrustStoreFile(trustStore); } @@ -41,6 +34,7 @@ public class Main { System.out.println("A single cert cannot be used for verification. " + "The signing cert will be searched for in the trust store."); } + validator.setDirectoryOverride(directory); validator.validateSwidTag(verifyFile); } else { System.out.println("Need a RIM file to validate!"); 
@@ -56,7 +50,6 @@ public class Main { String privateKeyFile = commander.getPrivateKeyFile(); boolean embeddedCert = commander.isEmbedded(); boolean defaultKey = commander.isDefaultKey(); - String rimEventLog = commander.getRimEventLog(); String directory = commander.getDirectoryOverride(); switch (createType) { case "BASE": diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 30719128..d97c6248 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -90,7 +90,6 @@ public class SwidTagGateway { private String pemPrivateKeyFile; private String pemCertificateFile; private boolean embeddedCert; - private String rimEventLog; private String timestampFormat; private String timestampArgument; private String directoryOverride; @@ -107,7 +106,6 @@ public class SwidTagGateway { defaultCredentials = true; pemCertificateFile = ""; embeddedCert = false; - rimEventLog = ""; timestampFormat = ""; timestampArgument = ""; directoryOverride = ""; @@ -173,16 +171,6 @@ public class SwidTagGateway { } /** - * Setter for event log support RIM - * - * @param rimEventLog - */ - public void setRimEventLog(final String rimEventLog) { - this.rimEventLog = rimEventLog; - } - - /** -<<<<<<< HEAD * Setter for timestamp format in XML signature * @param timestampFormat */ @@ -199,8 +187,6 @@ public class SwidTagGateway { } /** -======= ->>>>>>> fd32c9fc8cac878dca147246dfebd0da1a001e00 * Setter for directory path to search for required files * * @param directoryOverride diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java index 00c064c2..e912d651 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java 
@@ -59,10 +59,10 @@ import java.util.List; */ public class SwidTagValidator { private Unmarshaller unmarshaller; - private String rimEventLog; private String certificateFile; private String trustStoreFile; private List trustStore; + private String directoryOverride; /** * Ensure that BouncyCastle is configured as a javax.security.Security provider, as this @@ -72,14 +72,6 @@ public class SwidTagValidator { Security.addProvider(new BouncyCastleProvider()); } - /** - * Setter for rimel file path. - * @param rimEventLog the rimel file - */ - public void setRimEventLog(String rimEventLog) { - this.rimEventLog = rimEventLog; - } - /** * Setter for the truststore file path. * @param trustStoreFile the truststore @@ -88,13 +80,21 @@ public class SwidTagValidator { this.trustStoreFile = trustStoreFile; } + /** + * Setter for directory override path. + * @param directoryOverride directory path + */ + public void setDirectoryOverride(String directoryOverride) { + this.directoryOverride = directoryOverride; + } + public SwidTagValidator() { try { JAXBContext jaxbContext = JAXBContext.newInstance(SwidTagConstants.SCHEMA_PACKAGE); unmarshaller = jaxbContext.createUnmarshaller(); - rimEventLog = ""; certificateFile = ""; trustStoreFile = SwidTagConstants.DEFAULT_KEYSTORE_FILE; + directoryOverride = ""; } catch (JAXBException e) { System.out.println("Error initializing JAXBContext: " + e.getMessage()); } @@ -139,7 +139,7 @@ public class SwidTagValidator { * This method validates a hirs.swid.xjc.File from an indirect payload */ private boolean validateFile(Element file) { - String filepath = file.getAttribute(SwidTagConstants.NAME); + String filepath = directoryOverride + file.getAttribute(SwidTagConstants.NAME); try { if (HashSwid.get256Hash(filepath).equals( file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" + 
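Review bot: `String filepath = directoryOverride + file.getAttribute(SwidTagConstants.NAME);` concatenates without a path separator (the same issue as the gateway's createFile in patch 08), and the `name` attribute comes from the RIM under validation, which — as the validateSwidTag hunk in patch 10 shows — is read before `validateEnvelopedSignature` runs, so an absolute name or one containing `..` makes the tool hash whatever file that path points to rather than a file inside the payload directory. Resolve it as `Path base = Paths.get(directoryOverride).toAbsolutePath().normalize(); Path target = base.resolve(name).normalize();` and refuse the entry when `!target.startsWith(base)` before hashing (importing java.nio.file.Path/Paths if the file does not already), and consider checking payload files only after the signature has verified. validateFile continues past the end of the hunk.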
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index 75f471ac..5aa92060 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java @@ -45,9 +45,6 @@ public class Commander { @Parameter(names = {"-d", "--default-key"}, order = 8, description = "Use default signing credentials.") private boolean defaultKey = false; - @Parameter(names = {"-l", "--rimel "}, order = 9, - description = "The TCG eventlog file to use as a support RIM.") - private String rimEventLog = ""; @Parameter(names = {"--timestamp"}, order = 10, variableArity = true, description = "Add a timestamp to the signature. " + "Currently only RFC3339 and RFC3852 are supported:\n" + @@ -91,8 +88,6 @@ public class Commander { public boolean isDefaultKey() { return defaultKey; } - public String getRimEventLog() { return rimEventLog; } - public List getTimestampArguments() { return timestampArguments; } @@ -143,6 +138,8 @@ public class Commander { } else { sb.append("Signing credential: (none given)" + System.lineSeparator()); } + sb.append("Override payload directory with: " + this.getDirectoryOverride() + + System.lineSeparator()); List timestampArguments = this.getTimestampArguments(); if (timestampArguments.size() > 0) { sb.append("Timestamp format: " + timestampArguments.get(0)); @@ -150,10 +147,8 @@ public class Commander { sb.append(", " + timestampArguments.get(1)); } } else { - sb.append("No timestamp included"); + sb.append("No timestamp included" + System.lineSeparator()); } - sb.append("Override payload directory with: " + this.getDirectoryOverride() - + System.lineSeparator()); return sb.toString(); } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java index 3d41fa38..369581f9 100644 
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java @@ -15,8 +15,8 @@ public class DirectoryArgumentValidator implements IParameterValidator { try { File directory = new File(value); if (!directory.isDirectory()) { - throw new ParameterException("Invalid directory given, " + - "please provide a valid directory path."); + throw new ParameterException("Invalid directory given: " + value + + ". Please provide a valid directory path."); } } catch (SecurityException e) { throw new ParameterException("Read access denied for " + value + diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java index a1768ef7..f6441b31 100644 --- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java +++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java @@ -29,8 +29,6 @@ public class TestSwidTagGateway { .getResource("privateRimKey.pem").getPath(); private final String CA_CHAIN_FILE = TestSwidTagGateway.class.getClassLoader() .getResource("RimCertChain.pem").getPath(); - private final String SUPPORT_RIM_FILE = TestSwidTagGateway.class.getClassLoader() - .getResource("TpmLog.bin").getPath(); private final String RFC3852_COUNTERSIGNATURE_FILE = TestSwidTagGateway.class.getClassLoader() .getResource("counterSignature.file").getPath(); private InputStream expectedFile; @@ -38,10 +36,8 @@ public class TestSwidTagGateway { @BeforeClass public void setUp() throws Exception { gateway = new SwidTagGateway(); - gateway.setRimEventLog(SUPPORT_RIM_FILE); gateway.setAttributesFile(ATTRIBUTES_FILE); validator = new SwidTagValidator(); - validator.setRimEventLog(SUPPORT_RIM_FILE); validator.setTrustStoreFile(CA_CHAIN_FILE); } From 2ed3361e72b500d9a4cbee7d53fb0296a947adce Mon Sep 17 00:00:00 2001 
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 13 Mar 2023 10:00:13 -0400 Subject: [PATCH 10/18] Modified rimtool to support multiple payload files for creating and validating base RIMs --- tools/tcg_rim_tool/rim_fields.json | 6 +-- .../main/java/hirs/swid/SwidTagGateway.java | 34 +++++++++----- .../main/java/hirs/swid/SwidTagValidator.java | 47 +++++++++++++------ .../src/test/resources/rim_fields.json | 4 +- 4 files changed, 61 insertions(+), 30 deletions(-) diff --git a/tools/tcg_rim_tool/rim_fields.json b/tools/tcg_rim_tool/rim_fields.json index 192bc897..b01859ef 100644 --- a/tools/tcg_rim_tool/rim_fields.json +++ b/tools/tcg_rim_tool/rim_fields.json @@ -32,9 +32,9 @@ "Directory": { "supportRIMFormat": "TCG_EventLog_Assertion", "name": "iotBase", - "File": { - "name": "TpmLog.bin" - } + "File": [ + { "name": "TpmLog.bin" } + ] } } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 9c9f5ace..928d0876 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -15,6 +15,7 @@ import org.xml.sax.InputSource; import org.xml.sax.SAXException; import javax.json.Json; +import javax.json.JsonArray; import javax.json.JsonException; import javax.json.JsonObject; import javax.json.JsonReader; @@ -76,6 +77,7 @@ import java.time.LocalDateTime; import java.util.ArrayList; import java.util.Base64; import java.util.Collections; +import java.util.Iterator; import java.util.List; import java.util.Map; 
@@ -237,12 +239,16 @@ public class SwidTagGateway { configProperties.getJsonObject(SwidTagConstants.PAYLOAD) .getJsonObject(SwidTagConstants.DIRECTORY)); //File - hirs.swid.xjc.File file = createFile( - configProperties.getJsonObject(SwidTagConstants.PAYLOAD) - .getJsonObject(SwidTagConstants.DIRECTORY) - .getJsonObject(SwidTagConstants.FILE)); - //Nest File in Directory in Payload - directory.getDirectoryOrFile().add(file); + JsonArray fileArray = configProperties.getJsonObject(SwidTagConstants.PAYLOAD) + .getJsonObject(SwidTagConstants.DIRECTORY) + .getJsonArray(SwidTagConstants.FILE); + Iterator itr = fileArray.iterator(); + while(itr.hasNext()) { + JsonObject arrayItem = (JsonObject) itr.next(); + hirs.swid.xjc.File file = createFile(arrayItem); + //Nest File in Directory in Payload + directory.getDirectoryOrFile().add(file); + } payload.getDirectoryOrFileOrProcess().add(directory); JAXBElement jaxbPayload = objectFactory.createSoftwareIdentityPayload(payload); @@ -263,8 +269,12 @@ public class SwidTagGateway { } catch (FileNotFoundException e) { System.out.println("File does not exist or cannot be read: " + e.getMessage()); System.exit(1); + } catch (ClassCastException e) { + System.out.println("File object in JSON attributes file must be an array."); + System.exit(1); } catch (Exception e) { System.out.println(e.getMessage()); + e.printStackTrace(); System.exit(1); } } 
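Review bot: The loop uses a raw `Iterator itr` with a cast on every element; `for (JsonObject arrayItem : fileArray.getValuesAs(JsonObject.class))` gives the same iteration typed by the JSON-P API and drops both the raw type and the cast. `getJsonArray(SwidTagConstants.FILE)` returns null when the `File` key is absent, which surfaces as a NullPointerException in the generic `catch (Exception e)` below, where `e.getMessage()` prints "null"; a `if (fileArray == null)` check with a clear message next to the new `ClassCastException` handler would make that failure legible. The added `e.printStackTrace();` writes a trace to stderr on every failure, which is useful for debugging but noisy for a CLI tool, so consider gating it behind a verbose option. The enclosing method starts and ends outside the hunk.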
@@ -506,9 +516,9 @@ public class SwidTagGateway { * @param jsonObject the Properties object containing parameters from file * @return File object created from the properties */ - private hirs.swid.xjc.File createFile(JsonObject jsonObject) throws Exception { + private hirs.swid.xjc.File createFile(JsonObject jsonObject) + throws Exception { hirs.swid.xjc.File file = objectFactory.createFile(); - file.setName(jsonObject.getString(SwidTagConstants.NAME, "")); Map attributes = file.getOtherAttributes(); String supportRimFormat = jsonObject.getString(SwidTagConstants.SUPPORT_RIM_FORMAT, SwidTagConstants.SUPPORT_RIM_FORMAT_MISSING); @@ -524,11 +534,13 @@ public class SwidTagGateway { jsonObject.getString(SwidTagConstants.SUPPORT_RIM_TYPE, "")); addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_URI_GLOBAL, jsonObject.getString(SwidTagConstants.SUPPORT_RIM_URI_GLOBAL, "")); - File rimEventLogFile = new File(rimEventLog); - file.setSize(new BigInteger(Long.toString(rimEventLogFile.length()))); + String filepath = jsonObject.getString(SwidTagConstants.NAME); + File fileToAdd = new File(filepath); + file.setName(filepath); + file.setSize(new BigInteger(Long.toString(fileToAdd.length()))); addNonNullAttribute(attributes, SwidTagConstants._SHA256_HASH, jsonObject.getString(SwidTagConstants.HASH, - HashSwid.get256Hash(rimEventLog)), true); + HashSwid.get256Hash(filepath)), true); return file; } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java index 974db1b0..51fe3e5b 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java 
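Review bot: `jsonObject.getString(SwidTagConstants.NAME)` without a default now throws NullPointerException when a File entry has no `name` (the removed line used `getString(..., "")`), and `new File(filepath).length()` silently returns 0 for a path that does not exist, so a typo in rim_fields.json yields a RIM with `size="0"` whenever a `hash` is supplied in the JSON, and is presumably only noticed by `HashSwid.get256Hash` when it is not. Check the file up front and fail with the path in the message, e.g. `if (!fileToAdd.isFile()) throw new FileNotFoundException("Payload file not found: " + filepath);`, which the caller's existing `FileNotFoundException` handler already reports. The method's Javadoc could also gain a `@throws Exception if the payload file cannot be read or hashed` line. createFile's body continues outside the hunk.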
@@ -127,6 +127,8 @@ public class SwidTagValidator { si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n"); si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n"); System.out.println(si.toString()); + Element directory = (Element) document.getElementsByTagName("Directory").item(0); + validateDirectory(directory); return validateEnvelopedSignature(document, format); } else { System.out.println("Invalid xml for validation, please verify " + path); 
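Review bot: The result of `validateDirectory(directory);` is discarded, so a payload file whose hash does not match the Base RIM is only printed to stdout while `validateSwidTag` still returns whatever `validateEnvelopedSignature` returns, and a caller cannot tell the RIM is inconsistent. Combine them, e.g. `boolean payloadValid = validateDirectory(directory);` followed by `return validateEnvelopedSignature(document, format) && payloadValid;`. `getElementsByTagName("Directory").item(0)` is null for a tag without a Directory element, and the cast passes that null into validateDirectory where `getChildNodes()` will NPE, so that case needs a guard. Because the payload is walked before the signature is checked, file names are taken from a not-yet-authenticated document; verifying the signature first would be the safer order. The enclosing method starts and ends outside the hunk.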
@@ -181,24 +183,39 @@ public class SwidTagValidator { return validateSignedXMLDocument(doc, format); } + /** + * This method iterates over the list of File elements under the directory. + * + * @param directory the Directory element + */ + private boolean validateDirectory(Element directory) { + boolean isValid = true; + NodeList fileNodeList = directory.getChildNodes(); + for (int i = 0;i < fileNodeList.getLength();i++) { + Element file = (Element) fileNodeList.item(i); + isValid &= validateFile(file); + } + + return isValid; + } + /** * This method validates a hirs.swid.xjc.File from an indirect payload */ - private boolean validateFile(Element file) throws Exception { - String filepath; - if (!rimEventLog.isEmpty()) { - filepath = rimEventLog; - } else { - filepath = file.getAttribute(SwidTagConstants.NAME); - } - System.out.println("Support rim found at " + filepath); - if (HashSwid.get256Hash(filepath).equals( - file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" + - SwidTagConstants._SHA256_HASH.getLocalPart()))) { - System.out.println("Support RIM hash verified!" + System.lineSeparator()); - return true; - } else { - System.out.println("Support RIM hash does not match Base RIM!" + System.lineSeparator()); + private boolean validateFile(Element file) { + String filepath = file.getAttribute(SwidTagConstants.NAME); + try { + if (HashSwid.get256Hash(filepath).equals( + file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" + + SwidTagConstants._SHA256_HASH.getLocalPart()))) { + System.out.println("Support RIM hash verified for " + filepath); + return true; + } else { + System.out.println("Hash of " + filepath + " does not match value in Base RIM"); + return false; + } + } catch (Exception e) { + System.out.println(e.getMessage()); return false; } } diff --git a/tools/tcg_rim_tool/src/test/resources/rim_fields.json b/tools/tcg_rim_tool/src/test/resources/rim_fields.json index c5cd3f41..299a4f30 100644 
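Review bot: `validateDirectory` casts every child of the Directory element to `Element`, but `getChildNodes()` also returns the whitespace `Text` nodes of an indented document, so the cast throws ClassCastException on any pretty-printed RIM. Iterate `directory.getElementsByTagName("File")` instead, or skip nodes whose `getNodeType() != Node.ELEMENT_NODE` (importing org.w3c.dom.Node if the file does not already). In `validateFile` the `catch (Exception e)` prints `e.getMessage()` only, which is null for many runtime exceptions; include the path and exception, e.g. `System.out.println("Unable to hash " + filepath + ": " + e);`. The Javadoc on validateDirectory should also state the return contract, e.g. `@return true only if every File element's hash matches`, and `validateFile` still has no `@param`/`@return` tags.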
--- a/tools/tcg_rim_tool/src/test/resources/rim_fields.json +++ b/tools/tcg_rim_tool/src/test/resources/rim_fields.json @@ -41,12 +41,14 @@ "Directory": { "name": "rim", "root": "/boot/tcg/manifest/rim/", - "File": { + "File": [ + { "version":"01", "name": "Example.com.BIOS.01.rimel", "size": "7549", "hash": "4479ca722623f8c47b703996ced3cbd981b06b1ae8a897db70137e0b7c546848" } + ] } } } From c7a276a3e5473a28a80f4e1c1b4db88af2796c20 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 13 Mar 2023 12:14:20 -0400 Subject: [PATCH 11/18] Add resource file for unit testing --- tools/tcg_rim_tool/Example.com.BIOS.01.rimel | Bin 0 -> 7549 bytes tools/tcg_rim_tool/generated_swidTag.swidtag | 41 +++++++++++++++++++ tools/tcg_rim_tool/rim_fields.json | 3 +- 3 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 tools/tcg_rim_tool/Example.com.BIOS.01.rimel create mode 100644 tools/tcg_rim_tool/generated_swidTag.swidtag 
diff --git a/tools/tcg_rim_tool/Example.com.BIOS.01.rimel b/tools/tcg_rim_tool/Example.com.BIOS.01.rimel new file mode 100644 index 0000000000000000000000000000000000000000..0b8f1f398d51035bc91afbe8400d4888a28d5669 GIT binary patch literal 7549 zcmds53p`a>+h2!6H)=?dq+LukI^;4cmCNBAxieB{D&BHAZX@U9mIif5nUNZairneu zQp}Wyq6@02K{H)mgj^eyq^o4S&)WN_P+#Ny=J)&heQW>rUhAyAp6CC6*7K~jo_!EP zNEGf5m08fag3om(Oj!gwfa~q2u0;(KK_WD0O+Wlph?h|Ve9UlZ!23O^DykICyO6^xhF!iW#)@Hjb%6?P>>0o5n5keZ!_oTo4uA#OWU*I))Mz&c4)|qjT%7^|5Zq<|bFwt~%T4 zG-1d1*mE~erw5%;uoStY4Wk_!TX$aFdqXNq5;YwVogXzGqeH<2a9M%4$Qk(~AE*rx z4=z81hQc%)DI9-liEdW9rTrx@mwT^M`bB+HqOw=ty zu}$$W2wOVf`9#FbideWY@vhyjWhL{UH0<8;tojkH*Sr_A9juwjPK7CK(#1b5-$)?; zFYkD+(8v#b*)2Z3si(Q*UgDBo3m7d&{P8VRsOh8_uHF`gutgsugBZ<^3e+23vx~=F zB^a`Hr|IG{NWSIXl%$k!i?BX<{?@V=OScZt(NOf?4}R6*Cw1j|L2g%Z3%7J#T&QHi z&Oe)r^#^}j(EBg{{h7+zrtPGsM%5AjeMiN5+_%)y4h(vV*+`Janh!?bEa z$%-KlwX9AQ|J&nG>Vqj1`c2aI^#z0TM;ZMo+dCINOPiba$|^2cV6vX~fH-np9g zOZg&=-tChLo}gO+v|qDpcy`A7J7TYUSY0=GMxv{?QRs4`LywU~_8Y|W*u~oucQ$&B zWsgMHX19xA>kmv>v zN%YIa;0E*eW}a7=w#rP>!6c#~cj6g^D3y`u>_rlsG9|g}R9T~0;d>JJ3hVo2nFb{@ zuQzV;t#_FGltizl(22co!<}q=%JzWV*3ei_Ys++?EVhfUPRyI@d3Gea zVaNQ1Uu1`q2JR-H}ecZe`4CWTSj41 zvrNzTN-{>Ge}64VJap2G!2J)}oITkkwLUY|@{1AQ*u2ez{`wJJ==ToN_IC%%-}8HM zpIU*EPLajo`*oqa!y*ME(WC8Z3%}{>7HD=>8M&-#Xy+jpYq>4u8cDyfXKHpHkS1+! z`kjOEnx2ks#r;dOHBk?>NSz8R%;8N-;9zt-d$8XLcUt>}^N4ocRFpnzIq#aPO*He7 zXN`9XePWKV$fn(MOc5+d2Po*KTVR+~#OZJnZ zZ;yN1sV(~wbz3!9e7o2#T%w@)gr?WJO`wJV2ImY-g=B}0PNEbOR6H+pIufNw&$f<|ewMJK(7{(k zgibd`_HYIpBU7j?0l^upo*gfrA>Lxq<{jc-A?lRxE4I z3XWNWDT_$U>G4gq>F-(4mpR8XfaxdGyzW)X~WY6E>*CVixz>+s$h*X zTpG}FMOrY<37%iWma&lq_+$lKEVzw;u_1U& z6WFRFCOiq~TLtf!z+3|?*M|N@aD5{jqlK1(9s=-0XcDNJDN5#fG@3XPlMEYnE+At zHt)!SXRb;bBe^m(OD;E+nlNeQ-OE(RuVgqaQC!s5^}KSouKsZ~xu*L(F9ij*8B`a9xa+_@3t54R9lO3tbV?H}Ww3h!_k%3Yh}uJGP^Fo$^XhCKqu1P@v` zUL2wA2&=>go&lsClt-4sswQA1sKc5tf=iv;C-6!)h8{z>7DKHA>qG-?JPNP;k!u9W zh>D5Bp8TQpfp-S@9um-?o`7`Sd``Zy`oll&whF^yUH_El#XglbTbp?*$D1pXR%xA? 
z2cwJ}y}UfU-3Yd^DZ%9Py*!*9{XBTygsTs417XPH`4QH9+yO($eTUNgcfSPiXv}GJ zQo;;=lu~%#A3YY97`+t!N*TSB_;TJ#|f*P3YYu zsl{et|b%^Fd9qX!kW_G6T6>b7O&P;Tt&3RBIM?b`!RdqBGmYV6P#8gs=>aT zV|lf{??m~%b+NDYemmH~YU?;@I9X?ME4TwkhYiyfHcc9wlL)15)F2avL8KF`p6OWg zZ2W+-TlkyTanVX?vz|qs!Tqt5rvI=Fdlnag@UA{5W;*!AmsuR!P$O<&ndVt~leYO* zPDI2tL!~;lReUI4zFsh+68{f_%fJ!pq!(ff3}K!5k~=g3CnmM}2-x==VFmg@KfdwW z{8X9et8#wks~b{h%u(tUy(>$HXApxK#z3X?`>F&~MnM3F&E!77MH|q6gD=~1rNw?i zp=D@DuWGl*l;ZTnZg~YlplgWGLs>|axQSe`wrfLT>ciH z^wjDHZADtFh%)zr({ti06)e7#kT(CptT5a#L(VnB1YM?Z2lQVJA@EPl|8W1uw5~3h z^mCkPzR9jfq7qv!AOi|_K%a`W(fj|%_&4y68vmOe=0_nA%l6chb?Fj+K>(Xt&#;FG zSH;7?yp;1P`!`PYn|wdJTiJbMGAHCPGfR4fbbZ9B*I&Emfe+*aKarXI;t<(Ek9>g} z(ZXNz##hT8$R=`I6GBE!Wm1&Tw#Q?-Q_Z-`p$_r5PlqRxw_i{8mX# zB`rj`gDaOZjUlvfG?@iPe|I+VS>4W}ZPv%U^smcLlA;HT-WWHA#n10wZ!D35w#+-c z07lz#{rr8r@##dKMxQ#Oh64PPhaV2Le|8HV>WW`~lsR@IAyJ!_cq`y6qo>KCcb9Th zJiX{IkvM0c%jbhgSL6kft`O{=D4cw%`jjg^lqd~FzwPAberwLf^arPs0(iDD`YIW2 ziM7$z{eN+S%K7E1UPJ+qTvHDD$!uUU1e{FKaL@2iA52nknB&>g7mA%P?IK&Do94&} zyU2=0qtoZW(P9T5LT>Pxz=G6u18m|Juywl)`~3R<#9nb5D}L%s-sV=`e9oK0C%gVi z3=3>8^byR|zn}4A$*dl7?hUB9FZ=A~o^7~7?BLy8fu6g1Gpnt=qBXLEkgwH9rt^5V zQZb&7NcQSN_NMRq8+`_m6WgPgoSD6f%iQWvwf>I^uZpsXU2j&ZBuS@FPw^f2DS(Rm zY%1{QS^bl^mm>T03`hPRRT0n=C%J$l2ZT*k3zvZo;8X+x=BqN+RFoiyf*k Z3Uxc}%4JljeszIlpGQT``p + + + + + + + + + + + + + + + + + + + Ao7tTmXHCYeFmCJ0R6AY3cdfpyj1PdMq4yC9HJTDanY= + + + HNyKHDH8Q+Ii5pjzGJL3JV+4VdMObhE4EV7S7rfvZLeqFgkbmWe1jILv4Km0PXdHN8jJYxU+HT8R +akV0sab11+oope50lvivfPR3MspkdB0hxTyEq92z6m3MrBbjAtIgfsAnmq68LQ33je8vuL8jXAS9 +xhLBQq8spYXTKpMvbiaipAqD4NOzsUxpk5htPDsEImChaHGKVMlDZlSL5dL4Vh/FvDj6UrUNxp2d +ltXl+Vov0tlh5dj2g8g2OlJXiMbxr47Qssn6EaUWmcNu+cdrhvWhpYJGc3mZdEWnsV8bvGNrC2tU +TVIBVsDLOmw5sVPoFrnvWc41sPVDSF0dKLwIYA== + + + + p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx +xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9 +dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q 
+otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW +jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ== + AQAB + + + + + diff --git a/tools/tcg_rim_tool/rim_fields.json b/tools/tcg_rim_tool/rim_fields.json index b01859ef..ca68c93b 100644 --- a/tools/tcg_rim_tool/rim_fields.json +++ b/tools/tcg_rim_tool/rim_fields.json @@ -33,7 +33,8 @@ "supportRIMFormat": "TCG_EventLog_Assertion", "name": "iotBase", "File": [ - { "name": "TpmLog.bin" } + { "name": "TpmLog.bin" }, + { "name": "generated_swidTag.swidtag" } ] } } From bfe00a99a93c1577d175cc2ca63a8abddd77c25a Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Fri, 24 Mar 2023 16:32:18 -0400 Subject: [PATCH 12/18] Add frontend support for --directory option --- .../src/main/java/hirs/swid/Main.java | 13 ++++++++++-- .../main/java/hirs/swid/utils/Commander.java | 7 ++++++- .../utils/DirectoryArgumentValidator.java | 21 +++++++++++++++++++ 3 files changed, 38 insertions(+), 3 deletions(-) create mode 100644 tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 4fbbd524..32aca654 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -17,7 +17,7 @@ public class Main { SwidTagGateway gateway; SwidTagValidator validator; CredentialArgumentValidator caValidator; - String rimEventLogFile, trustStoreFile, certificateFile, privateKeyFile; + String rimEventLogFile, trustStoreFile, certificateFile, privateKeyFile, directory; if (commander.isHelp()) { jc.usage(); 
@@ -30,6 +30,8 @@ public class Main { certificateFile = commander.getPublicCertificate(); privateKeyFile = commander.getPrivateKeyFile(); trustStoreFile = commander.getTruststoreFile(); + rimEventLogFile = commander.getRimEventLog(); + directory = commander.getDirectoryOverride(); boolean defaultKey = commander.isDefaultKey(); if (defaultKey) { validator.validateSwidTag(verifyFile, "DEFAULT"); @@ -37,8 +39,11 @@ public class Main { caValidator = new CredentialArgumentValidator(trustStoreFile, certificateFile, privateKeyFile, "", "", true); if (caValidator.isValid()) { - validator.setTrustStoreFile(trustStoreFile); + validator.setRimEventLog(rimEventLogFile); + if (!directory.isEmpty()) { + } + validator.setTrustStoreFile(trustStoreFile); validator.validateSwidTag(verifyFile, caValidator.getFormat()); } else { System.out.println("Invalid combination of credentials given: " @@ -53,6 +58,7 @@ public class Main { trustStoreFile = commander.getTruststoreFile(); certificateFile = commander.getPublicCertificate(); privateKeyFile = commander.getPrivateKeyFile(); + directory = commander.getDirectoryOverride(); boolean embeddedCert = commander.isEmbedded(); boolean defaultKey = commander.isDefaultKey(); String outputFile = commander.getOutFile(); @@ -85,6 +91,9 @@ public class Main { if (embeddedCert) { gateway.setEmbeddedCert(true); } + if (!directory.isEmpty()) { + + } } gateway.setRimEventLog(rimEventLogFile); List timestampArguments = commander.getTimestampArguments(); diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index da985dc9..a9ccc357 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java 
@@ -57,6 +57,9 @@ public class Commander { "Currently only RFC3339 and RFC3852 are supported:\n" + "\tRFC3339 [yyyy-MM-ddThh:mm:ssZ]\n\tRFC3852 ") private List timestampArguments = new ArrayList(2); + @Parameter(names = {"--directory"}, validateWith = DirectoryArgumentValidator.class, + description = "The directory in which to locate required files.") + private String directoryOverride = ""; public boolean isHelp() { return help; @@ -109,6 +112,7 @@ public class Commander { public List getTimestampArguments() { return timestampArguments; } + public String getDirectoryOverride() { return directoryOverride; } public String printHelpExamples() { StringBuilder sb = new StringBuilder(); @@ -157,7 +161,6 @@ public class Commander { + System.lineSeparator()); sb.append("Embedded certificate: " + this.isEmbedded() + System.lineSeparator()); } - sb.append("Event log support RIM: " + this.getRimEventLog() + System.lineSeparator()); List timestampArguments = this.getTimestampArguments(); if (timestampArguments.size() > 0) { sb.append("Timestamp format: " + timestampArguments.get(0)); @@ -167,6 +170,8 @@ public class Commander { } else { sb.append("No timestamp included"); } + sb.append("Override payload directory with: " + this.getDirectoryOverride() + + System.lineSeparator()); return sb.toString(); } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java new file mode 100644 index 00000000..548d4780 --- /dev/null +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java 
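Review bot: In hunk `@@ -167,6 +170,8 @@` the `else` branch appends `"No timestamp included"` without a line separator, so the new `"Override payload directory with: "` text is glued onto the same output line; `sb.append("No timestamp included" + System.lineSeparator());` fixes it (PATCH 16 on this page makes the same correction, so it could be squashed here). The override line is also emitted when no `--directory` was given, printing a label with an empty value; wrapping it in `if (!directoryOverride.isEmpty())` keeps the summary accurate. Hunk `@@ -157,7 +161,6 @@` drops the `"Event log support RIM: "` summary line, which the commit message does not mention — if that was intentional it deserves a sentence in the description. The new `@Parameter` for `--directory` omits the `order` attribute the neighbouring parameters use, so its position in the usage text presumably falls to JCommander's default ordering — confirm that is intended.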
@@ -0,0 +1,21 @@ +package hirs.swid.utils; + +import com.beust.jcommander.IParameterValidator; +import com.beust.jcommander.ParameterException; + +import java.io.File; + +public class DirectoryArgumentValidator implements IParameterValidator { + public void validate(String name, String value) throws ParameterException { + try { + File directory = new File(value); + if (!directory.isDirectory()) { + throw new ParameterException("Invalid directory given, " + + "please provide a valid directory path."); + } + } catch (SecurityException e) { + throw new ParameterException("Read access denied for " + value + + ", please verify permissions."); + } + } +} From 2b57569a2fa19f907c60237a2cd1df1e9257d7fa Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 4 Apr 2023 10:02:18 -0400 Subject: [PATCH 13/18] Modify gateway class to handle a directory override argument --- .../src/main/java/hirs/swid/SwidTagGateway.java | 13 ++++++++++++- .../hirs/swid/utils/DirectoryArgumentValidator.java | 5 +++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 928d0876..368031db 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -99,6 +99,7 @@ public class SwidTagGateway { private String rimEventLog; private String timestampFormat; private String timestampArgument; + private String directoryOverride; private String errorRequiredFields; /** @@ -116,6 +117,7 @@ public class SwidTagGateway { rimEventLog = ""; timestampFormat = ""; timestampArgument = ""; + directoryOverride = ""; errorRequiredFields = ""; } catch (JAXBException e) { System.out.println("Error initializing jaxbcontext: " + e.getMessage()); 
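Review bot: `validate` checks `isDirectory()` only, so a directory that exists but is not readable passes validation and the failure surfaces later when the gateway or validator tries to hash files in it; the `SecurityException` branch fires only under a SecurityManager, so its `"Read access denied"` message will rarely be reached. `if (!directory.isDirectory() || !directory.canRead())` covers the common case with the message the code already has in mind. `validate` implements an interface method and should carry `@Override`, and the new class has no Javadoc — a summary such as `/** JCommander validator for --directory: the value must be an existing, readable directory. */` would do (PATCH 13 adds a similar comment later in this series).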
@@ -204,6 +206,15 @@ public class SwidTagGateway { this.timestampArgument = timestampArgument; } + /** + * Setter for directory path to search for required files + * + * @param directoryOverride + */ + public void setDirectoryOverride(String directoryOverride) { + this.directoryOverride = directoryOverride; + } + /** * This method generates a base RIM from the values in a JSON file. * @@ -534,7 +545,7 @@ public class SwidTagGateway { jsonObject.getString(SwidTagConstants.SUPPORT_RIM_TYPE, "")); addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_URI_GLOBAL, jsonObject.getString(SwidTagConstants.SUPPORT_RIM_URI_GLOBAL, "")); - String filepath = jsonObject.getString(SwidTagConstants.NAME); + String filepath = directoryOverride + jsonObject.getString(SwidTagConstants.NAME); File fileToAdd = new File(filepath); file.setName(filepath); file.setSize(new BigInteger(Long.toString(fileToAdd.length()))); diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java index 548d4780..3d41fa38 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java @@ -5,6 +5,11 @@ import com.beust.jcommander.ParameterException; import java.io.File; +/** + * This class validates a directory argument. If the directory is neither valid nor + * read-accessible then an error is thrown. + */ + public class DirectoryArgumentValidator implements IParameterValidator { public void validate(String name, String value) throws ParameterException { try { From cd56830f931358a6180f182469d477ea53542112 Mon Sep 17 00:00:00 2001 
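Review bot: `String filepath = directoryOverride + jsonObject.getString(SwidTagConstants.NAME);` in hunk `@@ -534,7 +545,7 @@` joins the two strings with no separator, so `--directory /some/dir` with a payload name `TpmLog.bin` yields `/some/dirTpmLog.bin` unless the user remembers a trailing slash; `Paths.get(directoryOverride, name)` (java.nio.file, add the import if this file lacks it) handles both the empty override and the missing separator. The same concatenation is introduced in SwidTagValidator.validateFile by PATCH 16 (hunk `@@ -203,7 +212,7 @@`). Separately, `file.setName(filepath);` now writes the prefixed local path into the tag's `name` attribute, whereas the validator prepends its own override to that attribute when checking, so the attribute should keep the name as given in the JSON and only the lookup should use the resolved path: `String name = jsonObject.getString(SwidTagConstants.NAME); File fileToAdd = Paths.get(directoryOverride, name).toFile(); file.setName(name);`. The Javadoc added for `setDirectoryOverride` has a bare `@param directoryOverride` with no description, and in the DirectoryArgumentValidator hunk a blank `+` line separates the new class comment from `public class`, which is not conventional Javadoc placement.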
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Fri, 24 Mar 2023 16:32:18 -0400 Subject: [PATCH 14/18] Add frontend support for --directory option --- tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index a9ccc357..d51db929 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java @@ -112,6 +112,7 @@ public class Commander { public List getTimestampArguments() { return timestampArguments; } + public String getDirectoryOverride() { return directoryOverride; } public String printHelpExamples() { From d46091802ce2071485e9daf89743fb171c2b6a62 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 4 Apr 2023 10:02:18 -0400 Subject: [PATCH 15/18] Modify gateway class to handle a directory override argument --- tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java | 2 +- tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 32aca654..5b2700c0 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -92,7 +92,7 @@ public class Main { gateway.setEmbeddedCert(true); } if (!directory.isEmpty()) { - + gateway.setDirectoryOverride(directory); } } gateway.setRimEventLog(rimEventLogFile); diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 368031db..84e362c4 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java 
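Review bot: This hunk appears to add `public String getDirectoryOverride() { return directoryOverride; }` a second time — PATCH 12/18 on this page already inserted an identical line at the same spot in Commander.java, and this commit carries the same subject and date, which looks like a rebase artifact. If both copies reach the compiler, javac rejects Commander with a duplicate-method error, so dropping or squashing this commit avoids a non-building revision in the series. The getter is also written on one line while the rest of the class puts braces on their own lines (PATCH 16 later reformats it).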
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -189,6 +189,7 @@ public class SwidTagGateway { } /** +<<<<<<< HEAD * Setter for timestamp format in XML signature * * @param timestampFormat @@ -207,6 +208,8 @@ public class SwidTagGateway { } /** +======= +>>>>>>> fd32c9fc (Modify gateway class to handle a directory override argument) * Setter for directory path to search for required files * * @param directoryOverride From 3722e97f8ef1d1a588fada305bf7119fa77767e0 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 4 Apr 2023 13:26:22 -0400 Subject: [PATCH 16/18] Modify validator class to handle a directory override argument --- .../src/main/java/hirs/swid/Main.java | 2 +- .../src/main/java/hirs/swid/SwidTagGateway.java | 9 +++------ .../src/main/java/hirs/swid/SwidTagValidator.java | 15 ++++++++++++--- .../src/main/java/hirs/swid/utils/Commander.java | 10 ++++++---- .../swid/utils/DirectoryArgumentValidator.java | 4 ++-- 5 files changed, 24 insertions(+), 16 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 5b2700c0..efba2553 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -41,7 +41,7 @@ public class Main { if (caValidator.isValid()) { validator.setRimEventLog(rimEventLogFile); if (!directory.isEmpty()) { - + validator.setDirectoryOverride(directory); } validator.setTrustStoreFile(trustStoreFile); validator.validateSwidTag(verifyFile, caValidator.getFormat()); diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 84e362c4..e93b07c6 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java 
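Review bot: Hunks `@@ -189,6 +189,7 @@` and `@@ -207,6 +208,8 @@` commit merge-conflict markers — `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> fd32c9fc (...)` — into SwidTagGateway.java; because they land inside Javadoc comments the file still compiles, but they are garbage in the source and in generated documentation. The intended content here is only the two setter Javadocs, so every added line in both hunks should be dropped (PATCH 16 on this page removes them but leaves a stray `p` in the `setDirectoryOverride` comment). A conflict-marker check in pre-commit or CI would catch this class of slip before it reaches the history.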
@@ -180,16 +180,15 @@ public class SwidTagGateway { } /** - * Setter for event log support RIM + * Setter for rim event log file * * @param rimEventLog */ - public void setRimEventLog(final String rimEventLog) { + public void setRimEventLog(String rimEventLog) { this.rimEventLog = rimEventLog; } /** -<<<<<<< HEAD * Setter for timestamp format in XML signature * * @param timestampFormat @@ -208,9 +207,7 @@ public class SwidTagGateway { } /** -======= ->>>>>>> fd32c9fc (Modify gateway class to handle a directory override argument) - * Setter for directory path to search for required files +p * Setter for directory path to search for required files * * @param directoryOverride */ diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java index 51fe3e5b..0f01e82b 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java @@ -65,10 +65,11 @@ import java.util.List; */ public class SwidTagValidator { private Unmarshaller unmarshaller; - private String rimEventLog; private String certificateFile; private String trustStoreFile; + private String rimEventLog; private List trustStore; + private String directoryOverride; /** * Ensure that BouncyCastle is configured as a javax.security.Security provider, as this 
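Review bot: `+p * Setter for directory path to search for required files` in hunk `@@ -208,9 +207,7 @@` carries a stray leading `p`; the line should read ` * Setter for directory path to search for required files`, and although it sits inside a Javadoc comment and compiles, it is a typo in the published documentation. In hunk `@@ -180,16 +180,15 @@` the parameter of `setRimEventLog` loses its `final` modifier while the Javadoc is reworded, a style regression unrelated to the conflict-marker cleanup this hunk performs and presumably unintentional. The SwidTagValidator hunk moves the `rimEventLog` field below `trustStoreFile` for no functional reason (PATCH 18 deletes the field anyway), which only adds churn to the diff.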
@@ -96,13 +97,21 @@ public class SwidTagValidator { this.trustStoreFile = trustStoreFile; } + /** + * Setter for directory override path. + * @param directoryOverride directory path + */ + public void setDirectoryOverride(String directoryOverride) { + this.directoryOverride = directoryOverride; + } + public SwidTagValidator() { try { JAXBContext jaxbContext = JAXBContext.newInstance(SwidTagConstants.SCHEMA_PACKAGE); unmarshaller = jaxbContext.createUnmarshaller(); - rimEventLog = ""; certificateFile = ""; trustStoreFile = SwidTagConstants.DEFAULT_KEYSTORE_FILE; + directoryOverride = ""; } catch (JAXBException e) { System.out.println("Error initializing JAXBContext: " + e.getMessage()); } @@ -203,7 +212,7 @@ public class SwidTagValidator { * This method validates a hirs.swid.xjc.File from an indirect payload */ private boolean validateFile(Element file) { - String filepath = file.getAttribute(SwidTagConstants.NAME); + String filepath = directoryOverride + file.getAttribute(SwidTagConstants.NAME); try { if (HashSwid.get256Hash(filepath).equals( file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" + diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index d51db929..bb140233 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java @@ -113,7 +113,9 @@ public class Commander { return timestampArguments; } - public String getDirectoryOverride() { return directoryOverride; } + public String getDirectoryOverride() { + return directoryOverride; + } public String printHelpExamples() { StringBuilder sb = new StringBuilder(); 
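Review bot: `validateFile` builds its path from `file.getAttribute(SwidTagConstants.NAME)`, an attribute of the document under validation, and now prefixes it with `directoryOverride`; when an override is given the intent is presumably to confine lookups to that directory, so the resolved path should be normalized and checked against it before hashing: `Path base = Paths.get(directoryOverride).toAbsolutePath().normalize(); Path target = base.resolve(name).normalize(); if (!target.startsWith(base)) { return false; }` — reporting the rejection with the `System.out.println` style the method already uses. `java.nio.file.Paths` is imported in this file at this point (PATCH 18 later removes it as unused, so keep it if this is adopted). The missing path separator in the concatenation is the same defect raised on the SwidTagGateway hunk of PATCH 13. The `setDirectoryOverride` setter stores the value as given, so a `null` would become the literal prefix `"null"`; `Objects.requireNonNull(directoryOverride, "directoryOverride")` or defaulting to `""` makes the contract explicit.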
@@ -162,6 +164,8 @@ public class Commander { + System.lineSeparator()); sb.append("Embedded certificate: " + this.isEmbedded() + System.lineSeparator()); } + sb.append("Override payload directory with: " + this.getDirectoryOverride() + + System.lineSeparator()); List timestampArguments = this.getTimestampArguments(); if (timestampArguments.size() > 0) { sb.append("Timestamp format: " + timestampArguments.get(0)); @@ -169,10 +173,8 @@ public class Commander { sb.append(", " + timestampArguments.get(1)); } } else { - sb.append("No timestamp included"); + sb.append("No timestamp included" + System.lineSeparator()); } - sb.append("Override payload directory with: " + this.getDirectoryOverride() - + System.lineSeparator()); return sb.toString(); } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java index 3d41fa38..369581f9 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/DirectoryArgumentValidator.java @@ -15,8 +15,8 @@ public class DirectoryArgumentValidator implements IParameterValidator { try { File directory = new File(value); if (!directory.isDirectory()) { - throw new ParameterException("Invalid directory given, " + - "please provide a valid directory path."); + throw new ParameterException("Invalid directory given: " + value + + ". Please provide a valid directory path."); } } catch (SecurityException e) { throw new ParameterException("Read access denied for " + value + From f26c7784da3d1c9851d1610218937d1e34b70d73 Mon Sep 17 00:00:00 2001 
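Review bot: `sb.append("Override payload directory with: " + this.getDirectoryOverride() + System.lineSeparator());` is emitted unconditionally, so when no `--directory` was passed the summary prints the label followed by an empty value; guarding it with `if (!this.getDirectoryOverride().isEmpty())` keeps the output meaningful. The `System.lineSeparator()` added to `"No timestamp included"` fixes the run-together line introduced in PATCH 12 and belongs with that change. The `"Event log support RIM: "` summary line removed in PATCH 12 is still absent even though `--rimel` remains an accepted option, so users no longer see which event log was used — worth restoring or noting as intentional.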
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Wed, 14 Jun 2023 14:34:13 -0400 Subject: [PATCH 17/18] Modify validator class so that payload validation failure will stop validation --- .../src/main/java/hirs/swid/SwidTagValidator.java | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java index 0f01e82b..d9539011 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java @@ -137,8 +137,9 @@ public class SwidTagValidator { si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n"); System.out.println(si.toString()); Element directory = (Element) document.getElementsByTagName("Directory").item(0); - validateDirectory(directory); - return validateEnvelopedSignature(document, format); + if (validateDirectory(directory)) { + return validateEnvelopedSignature(document, format); + } } else { System.out.println("Invalid xml for validation, please verify " + path); } @@ -147,13 +148,6 @@ public class SwidTagValidator { } private boolean validateEnvelopedSignature(Document doc, String format) { - Element file = (Element) doc.getElementsByTagName("File").item(0); - try { - validateFile(file); - } catch (Exception e) { - System.out.println(e.getMessage()); - return false; - } boolean swidtagValidity = validateSignedXMLDocument(doc, format); if (swidtagValidity) { System.out.println("Signature core validity: true"); From e92d3d41dd43efa8d97bc8544ec24a04be89cf4a Mon Sep 17 00:00:00 2001 
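Review bot: When `validateDirectory(directory)` returns false the new code falls through the outer `if`/`else` without reporting that payload validation stopped the run; unless `validateDirectory` prints its own summary (its body is outside this hunk), an `else` branch with `System.out.println("Payload validation failed; signature not checked.");` would make the outcome visible. The removed `try`/`catch` around `validateFile` used to turn exceptions from hashing into a printed message and a `false` result, so confirm `validateDirectory` handles those paths itself or the caller now sees a stack trace instead of a verdict. Checking payload hashes before `validateSignedXMLDocument` also means file lookups named by an as-yet-unauthenticated document happen first; verifying the signature and then the payload is the more conservative order, although this ordering predates the commit. The enclosing method (presumably `validateSwidTag`) starts and ends outside the hunk.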
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Wed, 14 Jun 2023 15:10:56 -0400 Subject: [PATCH 18/18] Remove support rim from validation function --- .../src/main/java/hirs/swid/Main.java | 2 -- .../main/java/hirs/swid/SwidTagValidator.java | 17 ----------------- .../main/java/hirs/swid/utils/Commander.java | 2 +- .../test/java/hirs/swid/TestSwidTagGateway.java | 1 - 4 files changed, 1 insertion(+), 21 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index efba2553..3f85e355 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -30,7 +30,6 @@ public class Main { certificateFile = commander.getPublicCertificate(); privateKeyFile = commander.getPrivateKeyFile(); trustStoreFile = commander.getTruststoreFile(); - rimEventLogFile = commander.getRimEventLog(); directory = commander.getDirectoryOverride(); boolean defaultKey = commander.isDefaultKey(); if (defaultKey) { @@ -39,7 +38,6 @@ public class Main { caValidator = new CredentialArgumentValidator(trustStoreFile, certificateFile, privateKeyFile, "", "", true); if (caValidator.isValid()) { - validator.setRimEventLog(rimEventLogFile); if (!directory.isEmpty()) { validator.setDirectoryOverride(directory); } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java index d9539011..731b7c92 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java @@ -5,7 +5,6 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NodeList; -import org.xml.sax.InputSource; import org.xml.sax.SAXException; import javax.security.auth.x500.X500Principal; 
@@ -27,9 +26,6 @@ import javax.xml.crypto.dsig.dom.DOMValidateContext; import javax.xml.crypto.dsig.keyinfo.KeyInfo; import javax.xml.crypto.dsig.keyinfo.KeyValue; import javax.xml.crypto.dsig.keyinfo.X509Data; -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.Source; import javax.xml.transform.Transformer; import javax.xml.transform.TransformerConfigurationException; @@ -42,9 +38,6 @@ import javax.xml.validation.SchemaFactory; import java.io.File; import java.io.IOException; import java.io.InputStream; -import java.io.StringReader; -import java.nio.file.Files; -import java.nio.file.Paths; import java.security.InvalidKeyException; import java.security.Key; import java.security.KeyException; @@ -67,7 +60,6 @@ public class SwidTagValidator { private Unmarshaller unmarshaller; private String certificateFile; private String trustStoreFile; - private String rimEventLog; private List trustStore; private String directoryOverride; @@ -79,15 +71,6 @@ public class SwidTagValidator { Security.addProvider(new BouncyCastleProvider()); } - /** - * Setter for rimel file path. - * - * @param rimEventLog the rimel file - */ - public void setRimEventLog(String rimEventLog) { - this.rimEventLog = rimEventLog; - } - /** * Setter for the truststore file path. * diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index bb140233..75bb42fc 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java 
@@ -49,7 +49,7 @@ public class Commander { @Parameter(names = {"-d", "--default-key"}, order = 9, description = "Use keystore.jks from the rimtool installation to sign.") private boolean defaultKey = false; - @Parameter(names = {"-l", "--rimel "}, order = 10, required = true, + @Parameter(names = {"-l", "--rimel "}, order = 10, description = "The TCG eventlog file to use as a support RIM.") private String rimEventLog = ""; @Parameter(names = {"--timestamp"}, order = 11, variableArity = true, diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java index ce32ef43..b240287a 100644 --- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java +++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java @@ -45,7 +45,6 @@ public class TestSwidTagGateway { gateway.setRimEventLog(SUPPORT_RIM_FILE); gateway.setAttributesFile(ATTRIBUTES_FILE); validator = new SwidTagValidator(); - validator.setRimEventLog(SUPPORT_RIM_FILE); validator.setTrustStoreFile(CA_CHAIN_FILE); }
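Review bot: The option name literal `"--rimel "` keeps a trailing space inside the string on both sides of the hunk, which looks like a typo; confirm whether JCommander trims names and otherwise change it to `"--rimel"`. Dropping `required = true` makes the event log optional for every subcommand, yet the create path in Main still calls `gateway.setRimEventLog(rimEventLogFile)` with whatever was parsed (the field defaults to `""`), so either the gateway must tolerate an empty value or Main's create branch should reject the missing argument explicitly rather than discovering it during generation. The commit message says the support RIM is removed from validation only, so the create-side requirement should be stated or re-enforced there.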