Merge branch 'master' into update-component-failure-highlight

2025-01-18 18:56:29 +00:00 · 2020-11-17 15:24:27 -05:00 · 2020-11-17 15:24:27 -05:00 · 2b41720ded
commit 2b41720ded
parent f7912908e0 1339f2b63c
18 changed files with 263 additions and 110 deletions
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@ -736,7 +736,7 @@ public abstract class AbstractAttestationCertificateAuthority
        String clientName = String.format("%s_%s",
                dv.getHw().getManufacturer(),
                dv.getHw().getProductName());
-        ReferenceManifest dbBaseRim;
+        ReferenceManifest dbBaseRim = null;
        ReferenceManifest support;
        String tagId = "";
        String fileName = "";
@ -798,7 +798,16 @@ public abstract class AbstractAttestationCertificateAuthority
                    support.setTagId(tagId);
                    this.referenceManifestManager.save(support);
                } else {
-                    LOG.info("Client provided Support RIM already loaded in database.");
+                    LOG.error("Client provided Support RIM already loaded in database.");
+                    if (dbBaseRim != null) {
+                        support.setPlatformManufacturer(dbBaseRim.getPlatformManufacturer());
+                        support.setPlatformModel(dbBaseRim.getPlatformModel());
+                        support.setSwidTagVersion(dbBaseRim.getSwidTagVersion());
+                        support.setAssociatedRim(dbBaseRim.getId());
+                        support.setTagId(dbBaseRim.getTagId());
+                    }
+
+                    this.referenceManifestManager.update(support);
                }
            } catch (IOException ioEx) {
                LOG.error(ioEx);
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
@ -377,11 +377,11 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
        validationObject = baseReferenceManifest;
        String failedString = "";
        if (baseReferenceManifest == null) {
-            failedString = "Base Reference Integrity Manifest%n";
+            failedString = "Base Reference Integrity Manifest\n";
            passed = false;
        }
        if (supportReferenceManifest == null) {
-            failedString += "Support Reference Integrity Manifest%n";
+            failedString += "Support Reference Integrity Manifest\n";
            passed = false;
        }
        if (measurement == null) {
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java
@ -5,7 +5,6 @@ import hirs.data.persist.EventLogMeasurements;
 import hirs.data.persist.ReferenceManifest;
 import hirs.data.persist.SupportReferenceManifest;
 import hirs.data.persist.SwidResource;
-import hirs.data.persist.certificate.Certificate;
 import hirs.data.persist.certificate.CertificateAuthorityCredential;
 import hirs.persist.CertificateManager;
 import hirs.persist.DBManagerException;
@ -26,6 +25,7 @@ import java.util.LinkedList;
 import java.util.List;
 import java.util.ArrayList;
 import java.util.Map;
+import java.util.Set;
 import java.util.UUID;

 import hirs.tpm.eventlog.TpmPcrEvent;
@ -262,17 +262,20 @@ public class ReferenceManifestDetailsPageController

        RIM_VALIDATOR.validateXmlSignature(new ByteArrayInputStream(baseRim.getRimBytes()));
        data.put("signatureValid", RIM_VALIDATOR.isSignatureValid());
-        if (RIM_VALIDATOR.isSignatureValid()) {
-            LOGGER.info("Public key: " + RIM_VALIDATOR.getPublicKey().toString());
-            try {
-                Certificate certificate =
-                        CertificateAuthorityCredential.select(certificateManager)
-                                .byEncodedPublicKey(RIM_VALIDATOR.getPublicKey().getEncoded())
-                                .getCertificate();
-                data.put("issuerID", certificate.getId().toString());
-            } catch (NullPointerException e) {
-                LOGGER.info("Unable to get signing certificate link: " + e.getMessage());
+        data.put("skID", RIM_VALIDATOR.getSubjectKeyIdentifier());
+        try {
+            Set<CertificateAuthorityCredential> certificates =
+                    CertificateAuthorityCredential.select(certificateManager)
+                            .getCertificates();
+            for (CertificateAuthorityCredential cert : certificates) {
+                if (Arrays.equals(cert.getEncodedPublicKey(),
+                        RIM_VALIDATOR.getPublicKey().getEncoded())) {
+                    LOGGER.info("Found matching cert!");
+                    data.put("issuerID", cert.getId().toString());
+                }
            }
+        } catch (NullPointerException e) {
+            LOGGER.error("Unable to link signing certificate: " + e.getMessage());
        }
        return data;
    }
@ -293,8 +296,11 @@ public class ReferenceManifestDetailsPageController
            final ReferenceManifestManager referenceManifestManager)
            throws IOException, CertificateException, NoSuchAlgorithmException {
        HashMap<String, Object> data = new HashMap<>();
+        EventLogMeasurements measurements = null;

-        if (support.getAssociatedRim() == null) {
+        if (support.getAssociatedRim() == null
+                && (support.getPlatformManufacturer() != null
+                && !support.getPlatformManufacturer().isEmpty())) {
            ReferenceManifest baseRim = BaseReferenceManifest.select(referenceManifestManager)
                    .byManufacturer(support.getPlatformManufacturer()).getRIM();
            if (baseRim != null) {
@ -305,16 +311,16 @@ public class ReferenceManifestDetailsPageController
                    LOGGER.error("Failed to update Support RIM", ex);
                }
            }
+            measurements = EventLogMeasurements.select(referenceManifestManager)
+                    .byManufacturer(support.getPlatformManufacturer()).getRIM();
        }
+
        data.put("baseRim", support.getTagId());
        data.put("associatedRim", support.getAssociatedRim());
        data.put("rimType", support.getRimType());
        data.put("tagId", support.getTagId());

        TCGEventLog logProcessor = new TCGEventLog(support.getRimBytes());
-        EventLogMeasurements measurements = EventLogMeasurements.select(referenceManifestManager)
-                .byManufacturer(support.getPlatformManufacturer()).getRIM();
-
        LinkedList<TpmPcrEvent> tpmPcrEvents = new LinkedList<>();
        TCGEventLog measurementsProcess;
        if (measurements != null) {
@ -327,10 +333,11 @@ public class ReferenceManifestDetailsPageController
                }
                tpmPcrEvents.add(tpe);
            }
+            data.put("events", tpmPcrEvents);
+        } else {
+            data.put("events", logProcessor.getEventList());
        }

-        data.put("events", tpmPcrEvents);
-
        return data;
    }

--- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp
+++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp
@ -335,15 +335,27 @@
                                <c:choose>
                                    <c:when test="${initialData.signatureValid}">
                                        <img src="${passIcon}" title="${signatureValidText}"/>
-                                        <c:if test="${not empty initialData.issuerID}">
-                                            <div><a href="${portal}/certificate-details?id=${initialData.issuerID}&type=certificateauthority">Signing certificate</a></div>
-                                        </c:if>
                                    </c:when>
                                    <c:otherwise>
                                        <img src="${failIcon}" title="${signatureInvalidText}"/>
                                    </c:otherwise>
                                </c:choose>
-                        </span></div>
+                                </span>
+                            </div>
+                            <div>
+                                <span>
+                                <c:if test="${not empty initialData.issuerID}">
+                                    <div><a href="${portal}/certificate-details?id=${initialData.issuerID}&type=certificateauthority">Signing certificate</a></div>
+                                </c:if>
+                                </span>
+                            </div>
+                            <div>
+                                <span>
+                                <c:if test="${not empty initialData.skID}">
+                                    <div>Subject Key Identifier: ${initialData.skID}</div>
+                                </c:if>
+                                </span>
+                            </div>
                        </div>
                    </div>
                </c:otherwise>
--- a/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java
@ -23,6 +23,7 @@ import javax.xml.crypto.dsig.XMLSignatureException;
 import javax.xml.crypto.dsig.XMLSignatureFactory;
 import javax.xml.crypto.dsig.dom.DOMValidateContext;
 import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+import javax.xml.crypto.dsig.keyinfo.KeyValue;
 import javax.xml.crypto.dsig.keyinfo.X509Data;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
@ -36,6 +37,7 @@ import javax.xml.validation.SchemaFactory;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.Key;
+import java.security.KeyException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
@ -64,6 +66,7 @@ public class ReferenceManifestValidator {
    private Unmarshaller unmarshaller;
    private PublicKey publicKey;
    private Schema schema;
+    private String subjectKeyIdentifier;
    private boolean signatureValid, supportRimValid;

    /**
@ -93,6 +96,14 @@ public class ReferenceManifestValidator {
        return publicKey;
    }

+    /**
+     * Getter for subjectKeyIdentifier.
+     * @return subjectKeyIdentifier
+     */
+    public String getSubjectKeyIdentifier() {
+        return subjectKeyIdentifier;
+    }
+
    /**
     * This default constructor creates the Schema object from SCHEMA_URL immediately to save
     * time during validation calls later.
@ -106,6 +117,7 @@ public class ReferenceManifestValidator {
            signatureValid = false;
            supportRimValid = false;
            publicKey = null;
+            subjectKeyIdentifier = "";
        } catch (SAXException e) {
            LOGGER.warn("Error setting schema for validation!");
        }
@ -192,22 +204,21 @@ public class ReferenceManifestValidator {
            if (nodes.getLength() == 0) {
                throw new Exception("Signature element not found!");
            }
-            NodeList embeddedCert = doc.getElementsByTagName("X509Data");
-            if (embeddedCert.getLength() > 0) {
-                X509KeySelector keySelector = new ReferenceManifestValidator.X509KeySelector();
-                context = new DOMValidateContext(keySelector, nodes.item(0));
-                XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM");
-                XMLSignature signature = sigFactory.unmarshalXMLSignature(context);
-                isValid = signature.validate(context);
-                publicKey = keySelector.getPublicKey();
-            } else {
-                LOGGER.info("Signing certificate not found for validation!");
-            }
-        } catch (MarshalException | XMLSignatureException e) {
-            LOGGER.warn(e.getMessage());
+            X509KeySelector keySelector = new ReferenceManifestValidator.X509KeySelector();
+            context = new DOMValidateContext(keySelector, nodes.item(0));
+            XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM");
+            XMLSignature signature = sigFactory.unmarshalXMLSignature(context);
+            isValid = signature.validate(context);
+            publicKey = keySelector.getPublicKey();
+            subjectKeyIdentifier = getKeyName(doc);
+        } catch (MarshalException e) {
+            LOGGER.warn("Error while unmarshalling XML signature: " + e.getMessage());
+        } catch (XMLSignatureException e) {
+            LOGGER.warn("Error while validating XML signature: " + e.getMessage());
+        } catch (KeySelectorException e) {
+            LOGGER.warn("Public key not found in XML signature: " + e.getMessage());
        } catch (Exception e) {
            LOGGER.warn(e.getMessage());
-            LOGGER.info(e.getMessage());
        }

        return isValid;
@ -222,7 +233,12 @@ public class ReferenceManifestValidator {
        private PublicKey publicKey;

        /**
-         * This method selects an X509 cert based on the provided algorithm.
+         * This method selects a public key for validation.
+         * PKs are parsed preferentially from the following elements:
+         * - X509Data
+         * - KeyValue
+         * The parsed PK is then verified based on the provided algorithm before
+         * being returned in a KeySelectorResult.
         *
         * @param keyinfo object containing the cert.
         * @param purpose purpose.
@ -246,15 +262,23 @@ public class ReferenceManifestValidator {
                        Object object = dataItr.next();
                        if (object instanceof X509Certificate) {
                            publicKey = ((X509Certificate) object).getPublicKey();
-                            if (areAlgorithmsEqual(algorithm.getAlgorithm(),
-                                                    publicKey.getAlgorithm())) {
-                                return new ReferenceManifestValidator.X509KeySelector
-                                                        .RIMKeySelectorResult(publicKey);
-                            }
+                            break;
                        }
                    }
+                } else if (element instanceof KeyValue) {
+                    try {
+                        publicKey = ((KeyValue) element).getPublicKey();
+                    } catch (KeyException e) {
+                        LOGGER.warn("KeyException thrown while getting PK from KeyValue: "
+                                + e.getMessage());
+                    }
                }
            }
+            if (areAlgorithmsEqual(algorithm.getAlgorithm(),
+                    publicKey.getAlgorithm())) {
+                return new ReferenceManifestValidator.X509KeySelector
+                        .RIMKeySelectorResult(publicKey);
+            }

            throw new KeySelectorException("No key found!");
        }
@ -295,6 +319,21 @@ public class ReferenceManifestValidator {
        }
    }

+    /**
+     * This method parses the subject key identifier from the KeyName element of a signature.
+     *
+     * @param doc
+     * @return SKID if found, or an empty string.
+     */
+    private String getKeyName(final Document doc) {
+        NodeList keyName = doc.getElementsByTagName("KeyName");
+        if (keyName.getLength() > 0) {
+            return keyName.item(0).getTextContent();
+        } else {
+            return null;
+        }
+    }
+
    /**
     * This method validates the Document against the schema.
     *
--- a/tools/tcg_eventlog_tool/build.gradle
+++ b/tools/tcg_eventlog_tool/build.gradle
@ -6,7 +6,7 @@ apply plugin: 'nebula.ospackage'
 version = '1.0'

 repositories {
-	mavenCentral()
+    mavenCentral()
 }

 dependencies {
@ -38,21 +38,21 @@ findbugs {
 }

 jar {
-	manifest {
-		attributes("Main-Class": "hirs.tcg_eventlog.Main",
-			   "Class-Path": configurations.runtime.files.collect { "lib/$it.name" }.join(' ')
-			  )
-	}
-	from(configurations.compile.collect { it.isDirectory() ? it : zipTree(it) }) {}
-	exclude 'META-INF/*.RSA', 'META-INF/*.SF', 'META-INF/*.DSA'
+    manifest {
+        attributes("Main-Class": "hirs.tcg_eventlog.Main",
+                "Class-Path": configurations.runtime.files.collect { "lib/$it.name" }.join(' ')
+        )
+    }
+    from(configurations.compile.collect { it.isDirectory() ? it : zipTree(it) }) {}
+    exclude 'META-INF/*.RSA', 'META-INF/*.SF', 'META-INF/*.DSA'
 }

 uploadArchives {
-	repositories {
-		flatDir {
-			dirs "${buildDir}"
-		}
-	}
+    repositories {
+        flatDir {
+            dirs "${buildDir}"
+        }
+    }
 }

 buildscript {
@ -66,15 +66,15 @@ buildscript {

 // Produce packages
 ospackage {
-    packageName='tcg_eventlog_tool'
-    os=LINUX
-    arch=NOARCH
-    version='1.0.0'
-    release='1'
+    packageName = 'tcg_eventlog_tool'
+    os = LINUX
+    arch = NOARCH
+    version = '2.0.0'
+    release = '1'

    into '/opt/hirs/eventlog'
    user 'root'
-    fileMode=0755
+    fileMode = 0755

    from(jar.outputs.files) {
        into 'lib'
@ -88,29 +88,38 @@ ospackage {
    from('scripts') {
        exclude {
            FileTreeElement details ->
-            details.file.name.endsWith('.bat')
+                details.file.name.endsWith('.bat')
        }
        into 'scripts'
    }
    from('docs') {
        exclude {
            FileTreeElement details ->
-            details.file.name.endsWith('.odt')
+                details.file.name.endsWith('.odt')
        }
        into 'docs'
    }
    from('./') {
        include {
            FileTreeElement details ->
-            details.file.name.endsWith('.md')
+                details.file.name.endsWith('.md')
        }
        into './'
-    link("/usr/local/bin/elt","/opt/hirs/eventlog/scripts/eventlog.sh",0x755 ) 
+        link("/usr/local/bin/elt", "/opt/hirs/eventlog/scripts/eventlog.sh", 0x755)
+    }
+
+    into('/opt/hirs/default-properties/') {
+        fileMode 0664
+        from ('../../HIRS_Utils/src/main/resources/vendor-table.json') {
+            addParentDirs true
+            createDirectoryEntry true
+        }
+    }
+
+    buildRpm {
+        arch = I386
+    }
+    buildDeb {
+        arch = I386
    }
-buildRpm {
-    arch = I386
-}
-buildDeb {
-    arch = I386
-}
 }
--- a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java
+++ b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java
@ -11,6 +11,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;

 import hirs.tpm.eventlog.TCGEventLog;
 import hirs.tpm.eventlog.TpmPcrEvent;
@ -135,14 +136,16 @@ final class Main {
                                || commander.getPcrNumber() == -1) {
                            if (bHexFlag) {
                                if (bEventFlag || bHexEvent) {
-                                    writeOut(HexUtils.byteArrayToHexString(event.getEvent()) + "\n");
+                                    writeOut(HexUtils.byteArrayToHexString(event.getEvent())
+                                            + "\n");
                                }
                                if (bContentFlag) {
                                    writeOut(HexUtils.byteArrayToHexString(event.getEventContent())
                                            + "\n");
                                }
                            } else {
-                                writeOut(event.toString(bEventFlag, bContentFlag, bHexEvent) + "\n");
+                                writeOut(event.toString(bEventFlag, bContentFlag, bHexEvent)
+                                        + "\n");
                            }
                        }
                    }
@ -291,8 +294,9 @@ final class Main {
     * @param pcr        used as a filter. Use -1 to check all pcrs.
     * @return array list of strings. Null of no events mismatched.
     */
-    public static ArrayList<TpmPcrEvent> diffEventLogs(final ArrayList<TpmPcrEvent> eventList,
-                                                       final ArrayList<TpmPcrEvent> eventList2, final int pcr) {
+    public static ArrayList<TpmPcrEvent> diffEventLogs(final Collection<TpmPcrEvent> eventList,
+                                                       final Collection<TpmPcrEvent> eventList2,
+                                                       final int pcr) {
        ArrayList<TpmPcrEvent> results = new ArrayList<TpmPcrEvent>();
        for (TpmPcrEvent event2 : eventList2) {
            if (pcr >= 0) {
@ -317,7 +321,7 @@ final class Main {
     * @param event    single event to match.
     * @return
     */
-    private static boolean digestMatch(final ArrayList<TpmPcrEvent> eventLog,
+    private static boolean digestMatch(final Collection<TpmPcrEvent> eventLog,
                                       final TpmPcrEvent event) {
        boolean matchFound = false;
        for (TpmPcrEvent event2 : eventLog) {
--- a/tools/tcg_rim_tool/build.gradle
+++ b/tools/tcg_rim_tool/build.gradle
@ -1,5 +1,5 @@
 apply plugin: 'java'
-version = '1.0'
+version = '2.0.0'

 repositories {
 	mavenCentral()
--- a/tools/tcg_rim_tool/scripts/rimtool.sh
+++ b/tools/tcg_rim_tool/scripts/rimtool.sh
@ -3,6 +3,6 @@
 # Calls the the_tcg_rim_tool and passes in parameters
 scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")
 baseDir=${scriptDir%/*}
-jar="tcg_rim_tool-1.0.jar";
+jar="tcg_rim_tool-2.0.0.jar";
 java -jar $baseDir/$jar "$@"

--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java
@ -50,9 +50,9 @@ public class CredentialParser {
        return publicKey;
    }

-    public void parseJKSCredentials() {
+    public void parseJKSCredentials(String jksKeystore) {
        KeyStore.PrivateKeyEntry privateKeyEntry =
-                parseKeystorePrivateKey(SwidTagConstants.DEFAULT_KEYSTORE_PATH,
+                parseKeystorePrivateKey(jksKeystore,
                        SwidTagConstants.DEFAULT_PRIVATE_KEY_ALIAS,
                        SwidTagConstants.DEFAULT_KEYSTORE_PASSWORD);
        certificate = (X509Certificate) privateKeyEntry.getCertificate();
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
@ -47,6 +47,7 @@ public class Main {
                System.out.println(commander.toString());
                String createType = commander.getCreateType().toUpperCase();
                String attributesFile = commander.getAttributesFile();
+                String jksKeystoreFile = commander.getKeystoreFile();
                String certificateFile = commander.getPublicCertificate();
                String privateKeyFile = commander.getPrivateKeyFile();
                String rimEventLog = commander.getRimEventLog();
@ -55,10 +56,16 @@ public class Main {
                        if (!attributesFile.isEmpty()) {
                            gateway.setAttributesFile(attributesFile);
                        }
-                        if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
+                        if (!jksKeystoreFile.isEmpty()) {
+                            gateway.setDefaultCredentials(true);
+                            gateway.setJksKeystoreFile(jksKeystoreFile);
+                        } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
                            gateway.setDefaultCredentials(false);
                            gateway.setPemCertificateFile(certificateFile);
                            gateway.setPemPrivateKeyFile(privateKeyFile);
+                        } else {
+                            gateway.setDefaultCredentials(true);
+                            gateway.setJksKeystoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
                        }
                        if (rimEventLog.isEmpty()) {
                            System.out.println("Error: a support RIM is required!");
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java
@ -12,7 +12,7 @@ import javax.xml.namespace.QName;
 */
 public class SwidTagConstants {

-    public static final String DEFAULT_KEYSTORE_PATH = "keystore.jks";
+    public static final String DEFAULT_KEYSTORE_FILE = "/opt/hirs/rimtool/keystore.jks";
    public static final String DEFAULT_KEYSTORE_PASSWORD = "password";
    public static final String DEFAULT_PRIVATE_KEY_ALIAS = "selfsigned";
    public static final String DEFAULT_ATTRIBUTES_FILE = "rim_fields.json";
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
@ -4,7 +4,13 @@ import com.eclipsesource.json.Json;
 import com.eclipsesource.json.JsonObject;
 import com.eclipsesource.json.ParseException;
 import hirs.swid.utils.HashSwid;
-import hirs.swid.xjc.*;
+import hirs.swid.xjc.Directory;
+import hirs.swid.xjc.Entity;
+import hirs.swid.xjc.Link;
+import hirs.swid.xjc.ObjectFactory;
+import hirs.swid.xjc.ResourceCollection;
+import hirs.swid.xjc.SoftwareIdentity;
+import hirs.swid.xjc.SoftwareMeta;
 import org.w3c.dom.Document;

 import javax.xml.bind.JAXBContext;
@ -13,24 +19,47 @@ import javax.xml.bind.JAXBException;
 import javax.xml.bind.Marshaller;
 import javax.xml.crypto.MarshalException;
 import javax.xml.crypto.XMLStructure;
-import javax.xml.crypto.dsig.*;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
+import javax.xml.crypto.dsig.DigestMethod;
+import javax.xml.crypto.dsig.Reference;
+import javax.xml.crypto.dsig.SignedInfo;
+import javax.xml.crypto.dsig.Transform;
+import javax.xml.crypto.dsig.XMLSignature;
+import javax.xml.crypto.dsig.XMLSignatureException;
+import javax.xml.crypto.dsig.XMLSignatureFactory;
 import javax.xml.crypto.dsig.dom.DOMSignContext;
-import javax.xml.crypto.dsig.keyinfo.*;
+import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
+import javax.xml.crypto.dsig.keyinfo.KeyName;
+import javax.xml.crypto.dsig.keyinfo.KeyValue;
+import javax.xml.crypto.dsig.keyinfo.X509Data;
 import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
 import javax.xml.crypto.dsig.spec.TransformParameterSpec;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.transform.*;
+import javax.xml.transform.OutputKeys;
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
+import java.io.BufferedReader;
 import java.io.File;
-import java.io.*;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.IOException;
 import java.math.BigInteger;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Paths;
-import java.security.*;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@ -51,6 +80,7 @@ public class SwidTagGateway {
    private Marshaller marshaller;
    private String attributesFile;
    private boolean defaultCredentials;
+    private String jksKeystoreFile;
    private String pemPrivateKeyFile;
    private String pemCertificateFile;
    private String rimEventLog;
@ -88,6 +118,12 @@ public class SwidTagGateway {
        this.defaultCredentials = defaultCredentials;
    }

+    /**
+     * Setter for JKS keystore file
+     * @param jksKeystoreFile
+     */
+    public void setJksKeystoreFile(String jksKeystoreFile) { this.jksKeystoreFile = jksKeystoreFile; }
+
    /**
     * Setter for private key file in PEM format
     * @param pemPrivateKeyFile
@ -404,7 +440,7 @@ public class SwidTagGateway {
            PublicKey publicKey;
            CredentialParser cp = new CredentialParser();
            if (defaultCredentials) {
-                cp.parseJKSCredentials();
+                cp.parseJKSCredentials(jksKeystoreFile);
                privateKey = cp.getPrivateKey();
                publicKey = cp.getPublicKey();
                KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier());
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java
@ -10,20 +10,29 @@ import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.UnmarshalException;
 import javax.xml.bind.Unmarshaller;
-import javax.xml.crypto.*;
+import javax.xml.crypto.AlgorithmMethod;
+import javax.xml.crypto.KeySelector;
+import javax.xml.crypto.KeySelectorException;
+import javax.xml.crypto.KeySelectorResult;
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.XMLCryptoContext;
+import javax.xml.crypto.XMLStructure;
 import javax.xml.crypto.dsig.XMLSignature;
 import javax.xml.crypto.dsig.XMLSignatureException;
 import javax.xml.crypto.dsig.XMLSignatureFactory;
 import javax.xml.crypto.dsig.dom.DOMValidateContext;
 import javax.xml.crypto.dsig.keyinfo.KeyInfo;
 import javax.xml.crypto.dsig.keyinfo.X509Data;
-import javax.xml.transform.*;
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMResult;
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
 import java.io.File;
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.Key;
@ -31,6 +40,9 @@ import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.util.Iterator;

+/**
+ * This class handles validating base Reference Integrity Manifest files.
+ */
 public class SwidTagValidator {
    private Unmarshaller unmarshaller;
    private String rimEventLog;
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
@ -7,6 +7,7 @@ import java.nio.file.InvalidPathException;
 import java.nio.file.Paths;

 import com.beust.jcommander.Parameter;
+import hirs.swid.SwidTagConstants;

 /**
 * Commander is a class that handles the command line arguments for the SWID
@ -28,14 +29,17 @@ public class Commander {
    @Parameter(names = {"-v", "--verify <path>"}, order = 3,
            description = "Specify a RIM file to verify.")
    private String verifyFile = "";
-    @Parameter(names = {"-k", "--privateKeyFile <path>"}, order = 4,
+    @Parameter(names = {"--keystore <path>"}, order = 4,
+            description = "JKS keystore containing a private key to sign the base RIM created by the create function.")
+    private String keystoreFile = "";
+    @Parameter(names = {"-k", "--privateKeyFile <path>"}, order = 5,
            description = "File containing the private key used to sign the base RIM created by the create function.")
    private String privateKeyFile = "";
-    @Parameter(names = {"-p", "--publicCertificate <path>"}, order = 5,
+    @Parameter(names = {"-p", "--publicCertificate <path>"}, order = 6,
            description = "The public key certificate used to verify a RIM file or to embed in a signed RIM. " +
                    "A signed RIM generated by this tool by default will not show the signing certificate without this parameter present.")
    private String publicCertificate = "";
-    @Parameter(names = {"-l", "--rimel <path>"}, order = 6,
+    @Parameter(names = {"-l", "--rimel <path>"}, order = 7,
            description = "The TCG eventlog file to use as a support RIM. By default the last system eventlog will be used.")
    private String rimEventLog = "";
 /*
@ -69,6 +73,8 @@ public class Commander {
        return verifyFile;
    }

+    public String getKeystoreFile() { return keystoreFile; }
+
    public String getPrivateKeyFile() {
        return privateKeyFile;
    }
@ -110,13 +116,21 @@ public class Commander {
    }
    public String toString() {
        StringBuilder sb = new StringBuilder();
-        sb.append("Creating: " + getCreateType() + System.lineSeparator());
-        sb.append("Using attributes file: " + getAttributesFile() + System.lineSeparator());
-        sb.append("Write to: " + getOutFile() + System.lineSeparator());
-        sb.append("Verify file: " + getVerifyFile() + System.lineSeparator());
-        sb.append("Private key file: " + getPrivateKeyFile() + System.lineSeparator());
-        sb.append("Public certificate: " + getPublicCertificate() + System.lineSeparator());
-        sb.append("Event log support RIM: " + getRimEventLog() + System.lineSeparator());
+        sb.append("Creating: " + this.getCreateType() + System.lineSeparator());
+        sb.append("Using attributes file: " + this.getAttributesFile() + System.lineSeparator());
+        sb.append("Write to: " + this.getOutFile() + System.lineSeparator());
+        sb.append("Verify file: " + this.getVerifyFile() + System.lineSeparator());
+        if (!this.getKeystoreFile().isEmpty()) {
+            sb.append("Keystore file: " + this.getKeystoreFile() + System.lineSeparator());
+        } else if (!this.getPrivateKeyFile().isEmpty() &&
+                    !this.getPublicCertificate().isEmpty()) {
+            sb.append("Private key file: " + this.getPrivateKeyFile() + System.lineSeparator());
+            sb.append("Public certificate: " + this.getPublicCertificate() + System.lineSeparator());
+        } else {
+            sb.append("Keystore file: default (" + SwidTagConstants.DEFAULT_KEYSTORE_FILE + ")"
+                    + System.lineSeparator());
+        }
+        sb.append("Event log support RIM: " + this.getRimEventLog() + System.lineSeparator());
 /*
        sb.append("TPM PCRs support RIM: " + getRimPcrs() + System.lineSeparator());
        sb.append("Base RIM to be signed: " + getToBeSigned() + System.lineSeparator());
--- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java
@ -21,6 +21,7 @@ public class TestSwidTagGateway {
 	private final String DEFAULT_WITH_CERT = "generated_with_cert.swidtag";
 	private final String DEFAULT_NO_CERT = "generated_no_cert.swidtag";
 	private final String ATTRIBUTES_FILE = TestSwidTagGateway.class.getClassLoader().getResource("rim_fields.json").getPath();
+	private final String JKS_KEYSTORE_FILE = TestSwidTagGateway.class.getClassLoader().getResource("keystore.jks").getPath();
 	private final String SIGNING_CERT_FILE = TestSwidTagGateway.class.getClassLoader().getResource("RimSignCert.pem").getPath();
 	private final String PRIVATE_KEY_FILE = TestSwidTagGateway.class.getClassLoader().getResource("privateRimKey.pem").getPath();
 	private final String SUPPORT_RIM_FILE = TestSwidTagGateway.class.getClassLoader().getResource("TpmLog.bin").getPath();
@ -48,12 +49,12 @@ public class TestSwidTagGateway {
 	 * where RimSignCert.pem has the AIA extension.
 	 */
 	@Test
-	public void testCreateBaseWithCert() throws URISyntaxException {
+	public void testCreateBaseWithCert() {
 		gateway.setDefaultCredentials(false);
 		gateway.setPemCertificateFile(SIGNING_CERT_FILE);
 		gateway.setPemPrivateKeyFile(PRIVATE_KEY_FILE);
 		gateway.generateSwidTag(DEFAULT_OUTPUT);
-		expectedFile = (InputStream) TestSwidTagGateway.class.getClassLoader().getResourceAsStream(DEFAULT_WITH_CERT);
+		expectedFile = TestSwidTagGateway.class.getClassLoader().getResourceAsStream(DEFAULT_WITH_CERT);
 		Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
 	}

@ -64,8 +65,9 @@ public class TestSwidTagGateway {
 	@Test
 	public void testCreateBaseWithoutCert() {
 		gateway.setDefaultCredentials(true);
+		gateway.setJksKeystoreFile(JKS_KEYSTORE_FILE);
 		gateway.generateSwidTag(DEFAULT_OUTPUT);
-		expectedFile = (InputStream) TestSwidTagGateway.class.getClassLoader().getResourceAsStream(DEFAULT_NO_CERT);
+		expectedFile = TestSwidTagGateway.class.getClassLoader().getResourceAsStream(DEFAULT_NO_CERT);
 		Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
 	}

--- a/tools/tcg_rim_tool/src/test/resources/keystore.jks
+++ b/tools/tcg_rim_tool/src/test/resources/keystore.jks
--- a/tools/tcg_rim_tool/tcg_rim_tool.spec
+++ b/tools/tcg_rim_tool/tcg_rim_tool.spec
@ -1,5 +1,5 @@
 Name:           tcg_rim_tool
-Version:        1.0
+Version:        2.0.0
 Release:        1%{?dist}
 Summary:        A java command-line tool to create PC client root RIM

@ -23,7 +23,7 @@ rm -f /opt/hirs/rimtool/%{name}*.jar

 %install
 mkdir -p %{buildroot}/opt/hirs/rimtool/ %{buildroot}/usr/local/bin
-cp build/libs/%{name}-%{version}.jar %{buildroot}/opt/hirs/rimtool/
+cp build/libs/tools/%{name}-%{version}.jar %{buildroot}/opt/hirs/rimtool/
 cp ./rim_fields.json %{buildroot}/opt/hirs/rimtool/
 cp ./keystore.jks %{buildroot}/opt/hirs/rimtool/
 cp -r ./scripts/ %{buildroot}/opt/hirs/rimtool/
@ -39,6 +39,8 @@ ln -sf /opt/hirs/rimtool/scripts/rimtool.sh %{buildroot}/usr/local/bin/rim
 %attr(755, root, root) /opt/hirs/rimtool/scripts/rimtool.sh

 %changelog
+* Tue Nov 10 2020 chubtub
+- Second release
 * Mon Jun 15 2020 chubtub
 - First release
 * Mon Jan 6 2020 chubtub