From 379e1e1ce539682b21e885ef862f719efcabed4b Mon Sep 17 00:00:00 2001
From: chubtub <43381989+chubtub@users.noreply.github.com>
Date: Mon, 7 Nov 2022 12:13:31 -0500
Subject: [PATCH] Add support to commandline interface for secondary signatures

---
 .../src/main/java/hirs/swid/Main.java         | 60 +++++++++++++------
 .../main/java/hirs/swid/utils/Commander.java  | 30 +++++++---
 2 files changed, 62 insertions(+), 28 deletions(-)

diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
index 30f68048..93e19878 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
@@ -16,6 +16,7 @@ public class Main {
         SwidTagGateway gateway;
         SwidTagValidator validator;
         CredentialArgumentValidator caValidator;
+        String rimEventLogFile, trustStoreFile, certificateFile, privateKeyFile;
 
         if (commander.isHelp()) {
             jc.usage();
@@ -25,18 +26,17 @@ public class Main {
             validator = new SwidTagValidator();
             System.out.println(commander.toString());
             String verifyFile = commander.getVerifyFile();
-            String rimel = commander.getRimEventLog();
-            String certificateFile = commander.getPublicCertificate();
-            String trustStore = commander.getTruststoreFile();
+            certificateFile = commander.getPublicCertificate();
+            rimEventLogFile = commander.getRimEventLog();
+            trustStoreFile = commander.getTruststoreFile();
             boolean defaultKey = commander.isDefaultKey();
-            validator.setRimEventLog(rimel);
             if (defaultKey) {
                 validator.validateSwidTag(verifyFile, "DEFAULT");
             } else {
-                caValidator = new CredentialArgumentValidator(trustStore,
+                caValidator = new CredentialArgumentValidator(trustStoreFile,
                     certificateFile, "", "", "", true);
                 if (caValidator.isValid()) {
-                    validator.setTrustStoreFile(trustStore);
+                    validator.setTrustStoreFile(trustStoreFile);
                     validator.validateSwidTag(verifyFile, caValidator.getFormat());
                 } else {
                     System.out.println("Invalid combination of credentials given: "
@@ -47,16 +47,18 @@ public class Main {
         } else {
             gateway = new SwidTagGateway();
             System.out.println(commander.toString());
-            String createType = commander.getCreateType().toUpperCase();
-            String attributesFile = commander.getAttributesFile();
-            String truststoreFile = commander.getTruststoreFile();
-            String certificateFile = commander.getPublicCertificate();
-            String privateKeyFile = commander.getPrivateKeyFile();
+            rimEventLogFile = commander.getRimEventLog();
+            trustStoreFile = commander.getTruststoreFile();
+            certificateFile = commander.getPublicCertificate();
+            privateKeyFile = commander.getPrivateKeyFile();
             boolean embeddedCert = commander.isEmbedded();
             boolean defaultKey = commander.isDefaultKey();
-            String rimEventLog = commander.getRimEventLog();
-            switch (createType) {
-                case "BASE":
+            if (!commander.getSignFile().isEmpty()) {
+
+            } else {
+                String createType = commander.getCreateType().toUpperCase();
+                String attributesFile = commander.getAttributesFile();
+                if (createType.equals("BASE")) {
                     if (!attributesFile.isEmpty()) {
                         gateway.setAttributesFile(attributesFile);
                     }
@@ -65,10 +67,10 @@ public class Main {
                         gateway.setTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
                     } else {
                         gateway.setDefaultCredentials(false);
-                        caValidator = new CredentialArgumentValidator(truststoreFile,
+                        caValidator = new CredentialArgumentValidator(trustStoreFile,
                             certificateFile, privateKeyFile, "", "", false);
                         if (caValidator.isValid()) {
-                            gateway.setTruststoreFile(truststoreFile);
+                            gateway.setTruststoreFile(trustStoreFile);
                             gateway.setPemCertificateFile(certificateFile);
                             gateway.setPemPrivateKeyFile(privateKeyFile);
                         } else {
@@ -80,7 +82,7 @@ public class Main {
                             gateway.setEmbeddedCert(true);
                         }
                     }
-                    gateway.setRimEventLog(rimEventLog);
+                    gateway.setRimEventLog(rimEventLogFile);
                     List timestampArguments = commander.getTimestampArguments();
                     if (timestampArguments.size() > 0) {
                         if (new TimestampArgumentValidator(timestampArguments).isValid()) {
@@ -93,10 +95,30 @@ public class Main {
                         }
                     }
                     gateway.generateSwidTag(commander.getOutFile());
-                    break;
-                default:
+                } else {
                     System.out.println("No create type given, nothing to do");
+                    System.exit(1);
+                }
             }
+            if (!trustStoreFile.isEmpty()) {
+                gateway.setDefaultCredentials(true);
+                gateway.setJksTruststoreFile(trustStoreFile);
+            } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
+                gateway.setDefaultCredentials(false);
+                gateway.setPemCertificateFile(certificateFile);
+                gateway.setPemPrivateKeyFile(privateKeyFile);
+                if (embeddedCert) {
+                    gateway.setEmbeddedCert(true);
+                }
+            } else if (defaultKey) {
+                gateway.setDefaultCredentials(true);
+                gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
+            } else {
+                System.out.println("A private key (-k) and public certificate (-p) " +
+                        "are required, or the default key (-d) must be indicated.");
+                System.exit(1);
+            }
+            gateway.generateSwidTag(commander.getOutFile());
         }
     }
 }
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
index bdb448ae..3e07f517 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
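Review bot: The verify path no longer hands the event log to the validator: `validator.setRimEventLog(rimel);` is removed, and the new `rimEventLogFile = commander.getRimEventLog();` assignment is not read anywhere in this hunk, so `-v base_rim.swidtag -l support_rim.bin` (still documented in the usage text as overriding the payload file) would be silently ignored unless the validator now obtains the path by a route this diff does not show. If the drop is unintended, keep the call on the renamed variable: `validator.setRimEventLog(rimEventLogFile);`. The enclosing `main` starts before this hunk and continues after it.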
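Review bot: The new `if (!commander.getSignFile().isEmpty()) {` branch has an empty body, so nothing in this diff consumes the `-s` argument; control then falls through to the credential block and the `gateway.generateSwidTag(commander.getOutFile());` added at `@@ -93`, which would emit a fresh tag rather than append a signature to the named file. That same trailing block also runs after the create branch, which has already called `generateSwidTag` for `-c base`, so a create run configures credentials twice and writes the tag twice. It looks as if the credential-selection block and the final `generateSwidTag` call were meant to live inside this empty branch together with whatever gateway call signs an existing RIM (not present in this diff); moving them there, or at least a `// TODO: secondary signature path not yet wired to the gateway` comment in the empty block, would make the intent explicit. The enclosing `main` starts before this hunk and ends after it.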
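Review bot: The new credential block picks `-t`, then `-k`/`-p`, then `-d` without passing them through `CredentialArgumentValidator`, which the create path at `@@ -65` applies to the very same arguments before touching the gateway; a caller giving `-t` together with `-k -p` has the key pair silently ignored, and a truststore path is accepted without the validity check the create path performs. It also calls `gateway.setJksTruststoreFile(...)` where the create path calls `gateway.setTruststoreFile(...)` for a truststore — if these are distinct gateway methods, a one-line comment on why the JKS-specific setter is needed here would help; if not, one of the two names is a typo. Consider routing the three cases through `caValidator = new CredentialArgumentValidator(trustStoreFile, certificateFile, privateKeyFile, "", "", false);` and acting on `caValidator.isValid()` as the create branch does. The enclosing `main` starts before this hunk.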
@@ -25,30 +25,33 @@ public class Commander {
             description = "The file to write the RIM out to. "
                     + "The RIM will be written to stdout by default.")
     private String outFile = "";
-    @Parameter(names = {"-v", "--verify "}, order = 3,
+    @Parameter(names = {"-s", "--sign "}, order = 3,
+            description = "Specify a RIM file to append a signature to.")
+    private String signFile = "";
+    @Parameter(names = {"-v", "--verify "}, order = 4,
             description = "Specify a RIM file to verify.")
     private String verifyFile = "";
-    @Parameter(names = {"-t", "--truststore "}, order = 4,
+    @Parameter(names = {"-t", "--truststore "}, order = 5,
             description = "The truststore to sign the base RIM created "
                     + "or to validate the signed base RIM.")
     private String truststoreFile = "";
-    @Parameter(names = {"-k", "--privateKeyFile "}, order = 5,
+    @Parameter(names = {"-k", "--privateKeyFile "}, order = 6,
             description = "The private key used to sign the base RIM created by this tool.")
     private String privateKeyFile = "";
-    @Parameter(names = {"-p", "--publicCertificate "}, order = 6,
+    @Parameter(names = {"-p", "--publicCertificate "}, order = 7,
             description = "The public key certificate to embed in the base RIM created by "
                     + "this tool.")
     private String publicCertificate = "";
-    @Parameter(names = {"-e", "--embed-cert"}, order = 7,
+    @Parameter(names = {"-e", "--embed-cert"}, order = 8,
             description = "Embed the provided certificate in the signed swidtag.")
     private boolean embedded = false;
-    @Parameter(names = {"-d", "--default-key"}, order = 8,
+    @Parameter(names = {"-d", "--default-key"}, order = 9,
             description = "Use keystore.jks from the rimtool installation to sign.")
     private boolean defaultKey = false;
-    @Parameter(names = {"-l", "--rimel "}, order = 9, required = true,
+    @Parameter(names = {"-l", "--rimel "}, order = 10, required = true,
             description = "The TCG eventlog file to use as a support RIM.")
     private String rimEventLog = "";
-    @Parameter(names = {"--timestamp"}, order = 10, variableArity = true,
+    @Parameter(names = {"--timestamp"}, order = 11, variableArity = true,
             description = "Add a timestamp to the signature. "
                     + "Currently only RFC3339 and RFC3852 are supported:\n"
                     + "\tRFC3339 [yyyy-MM-ddThh:mm:ssZ]\n\tRFC3852 ")
@@ -70,6 +73,10 @@ public class Commander {
         return outFile;
     }
 
+    public String getSignFile() {
+        return signFile;
+    }
+
     public String getVerifyFile() {
         return verifyFile;
     }
@@ -111,13 +118,17 @@ public class Commander {
                 "\n\n\n");
         sb.append("Create a base RIM using the default attribute values; ");
         sb.append("sign it using privateKey.pem; embed cert.pem in the signature block; ");
-        sb.append("and write the data to console output:\n\n");
+        sb.append("and write the data to console stdout:\n\n");
         sb.append("\t\t-c base -l support_rim.bin -k privateKey.pem -p cert.pem -e\n\n\n");
         sb.append("Create a base RIM using the values in attributes.json; "
                 + "sign it with the default keystore; add a RFC3852 timestamp; ");
         sb.append("and write the data to base_rim.swidtag:\n\n");
         sb.append("\t\t-c base -a attributes.json -d -l support_rim.bin "
                 + "--timestamp RFC3852 counterSignature.bin -o base_rim.swidtag\n\n\n");
+        sb.append("Add another signature to a signed base RIM using privateKey.pem; ");
+        sb.append("embed cert.pem in the signature block; ");
+        sb.append("and write the output to console stdout:\n\n");
+        sb.append("\t\t-s signed_base_rim.swidtag -k privateKey.pem -p cert.pem -e\n\n\n");
         sb.append("Validate a base RIM using an external support RIM to override the ");
         sb.append("payload file:\n\n");
         sb.append("\t\t-v base_rim.swidtag -l support_rim.bin\n\n\n");
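Review bot: `-l`/`--rimel` keeps `required = true` in this hunk while the new usage example added at `@@ -111`, `-s signed_base_rim.swidtag -k privateKey.pem -p cert.pem -e`, omits it, so JCommander would reject the documented secondary-signature invocation before `Main` ever sees it. Either add `-l support_rim.bin` to that example or drop `required = true` and enforce the event log in `Main` only for the create and verify modes. Since `Main` tests `getSignFile()` before `getCreateType()`, `-s` takes precedence over `-c`; the description could state that: `"Specify a signed RIM file to append a signature to (takes precedence over -c)."`.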
@@ -133,6 +144,7 @@ public class Commander { sb.append("Creating: " + this.getCreateType() + System.lineSeparator()); sb.append("Using attributes file: " + this.getAttributesFile() + System.lineSeparator()); sb.append("Write to: " + this.getOutFile() + System.lineSeparator()); + sb.append("Signing file: " + this.getSignFile() + System.lineSeparator()); sb.append("Verify file: " + this.getVerifyFile() + System.lineSeparator()); if (this.isDefaultKey()) { sb.append("Truststore file: default (" + SwidTagConstants.DEFAULT_KEYSTORE_FILE + ")"