ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2025-04-14 14:36:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Modify CLI to support subcommands

Browse Source
This commit is contained in:
chubtub 2025-04-04 08:46:17 -04:00
parent 221eb3cc04
commit 430f41396b
7 changed files with 185 additions and 255 deletions

136
tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java

@ -1,113 +1,65 @@
package hirs.swid;
import hirs.swid.utils.Commander;
import hirs.swid.utils.TimestampArgumentValidator;
import hirs.utils.rim.ReferenceManifestValidator;
import hirs.swid.utils.CommandCreate;
import hirs.swid.utils.CommandMain;
import hirs.swid.utils.CommandPrint;
import hirs.swid.utils.CommandSign;
import hirs.swid.utils.CommandVerify;
import com.beust.jcommander.JCommander;
import lombok.extern.log4j.Log4j2;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@Log4j2
public class Main {
public static void main(String[] args) {
Commander commander = new Commander();
JCommander jc = JCommander.newBuilder().addObject(commander).build();
CommandMain mainCom = new CommandMain();
CommandCreate createCom = new CommandCreate();
CommandSign signCom = new CommandSign();
CommandVerify verifyCom = new CommandVerify();
CommandPrint printCom = new CommandPrint();
JCommander jc = JCommander.newBuilder()
.addObject(mainCom)
.addCommand("create", createCom)
.addCommand("sign", signCom)
.addCommand("verify", verifyCom)
.addCommand("print", printCom)
.build();
try {
jc.parse(args);
} catch (Exception e) {
exitWithErrorCode(e.getMessage());
}
SwidTagGateway gateway;
ReferenceManifestValidator validator;
List<String> unknownOpts = commander.getUnknownOptions();
if (!unknownOpts.isEmpty()) {
StringBuilder sb = new StringBuilder("Unknown options encountered: ");
for (String opt : unknownOpts) {
sb.append(opt + ", ");
}
exitWithErrorCode(sb.substring(0,sb.lastIndexOf(",")));
} else if (commander.isHelp()) {
jc.usage();
System.out.println(commander.printHelpExamples());
} else if (commander.isVersion()) {
try {
byte[] content = Files.readAllBytes(Paths.get(SwidTagConstants.VERSION_FILE));
String version = new String(content);
System.out.println("TCG rimtool version: " + version);
} catch (IOException e) {
parseVersionFromJar();
}
} else {
if (!commander.getVerifyFile().isEmpty()) {
validator = new ReferenceManifestValidator();
if (commander.isVerbose()) {
System.out.println(commander.toString());
}
String verifyFile = commander.getVerifyFile();
String rimel = commander.getRimEventLog();
String certificateFile = commander.getPublicCertificate();
String trustStore = commander.getTruststoreFile();
validator.setRim(verifyFile);
validator.setRimEventLog(rimel);
validator.setTrustStoreFile(trustStore);
if (validator.validateRim(certificateFile)) {
System.out.println("Successfully verified " + verifyFile);
} else {
exitWithErrorCode("Failed to verify " + verifyFile);
}
} else {
gateway = new SwidTagGateway();
if (commander.isVerbose()) {
System.out.println(commander.toString());
}
String createType = commander.getCreateType().toUpperCase();
String attributesFile = commander.getAttributesFile();
String certificateFile = commander.getPublicCertificate();
String privateKeyFile = commander.getPrivateKeyFile();
boolean embeddedCert = commander.isEmbedded();
boolean defaultKey = commander.isDefaultKey();
String rimEventLog = commander.getRimEventLog();
switch (createType) {
case "BASE":
gateway.setAttributesFile(attributesFile);
gateway.setRimEventLog(rimEventLog);
if (defaultKey){
gateway.setDefaultCredentials(true);
gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
} else {
gateway.setDefaultCredentials(false);
gateway.setPemCertificateFile(certificateFile);
gateway.setPemPrivateKeyFile(privateKeyFile);
if (embeddedCert) {
gateway.setEmbeddedCert(true);
}
}
List<String> timestampArguments = commander.getTimestampArguments();
if (timestampArguments.size() > 0) {
if (new TimestampArgumentValidator(timestampArguments).isValid()) {
gateway.setTimestampFormat(timestampArguments.get(0));
if (timestampArguments.size() > 1) {
gateway.setTimestampArgument(timestampArguments.get(1));
}
} else {
exitWithErrorCode("The provided timestamp argument(s) " +
"is/are not valid.");
}
}
gateway.generateSwidTag(commander.getOutFile());
break;
default:
exitWithErrorCode("Create type not recognized.");
}
}
if (mainCom.isVersion()) {
parseVersionFromJar();
} else if(mainCom.isVerbose()) {
System.out.println("Rimtool in verbose mode.");
}
switch(jc.getParsedCommand()) {
case "create":
System.out.println("Create " + createCom.getOutFile()
+ " using " + createCom.getAttributesFile()
+ " and " + createCom.getRimEventLog());
break;
case "sign":
System.out.println("Sign " + signCom.getInFile()
+ " with credentials " + signCom.getTruststore() + ", "
+ signCom.getPublicCertificate() + ", "
+ signCom.getPrivateKey());
break;
case "verify":
System.out.println("Verify " + verifyCom.getInFile()
+ " with " + verifyCom.getRimEventLog() + " and "
+ verifyCom.getTruststore());
break;
case "print":
System.out.println("Print " + printCom.getInFile());
break;
default:
System.out.println("No command given.");
}
}

21
tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CommandCreate.java Normal file

@ -0,0 +1,21 @@
package hirs.swid.utils;
import com.beust.jcommander.Parameter;
import com.beust.jcommander.Parameters;
import lombok.Getter;
@Parameters(parametersValidators = CreateArgumentValidator.class)
@Getter
public class CommandCreate {
@Parameter(names = {"-a", "--attributes"}, validateWith = FileArgumentValidator.class,
description = "The configuration file holding attributes "
+ "to populate the base RIM with. An example file can be found in /opt/rimtool/data.")
private String attributesFile = "";
@Parameter(names = {"-l", "--rimel"}, validateWith = FileArgumentValidator.class,
description = "The TCG eventlog file to use as a support RIM.")
private String rimEventLog = "";
@Parameter(names = {"-o", "--out"},
description = "The file to write the RIM out to. "
+ "The RIM will be written to stdout by default.")
private String outFile = "";
}

44
tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CommandMain.java Normal file

@ -0,0 +1,44 @@
package hirs.swid.utils;
import com.beust.jcommander.Parameter;
import com.beust.jcommander.Parameters;
import hirs.swid.SwidTagConstants;
import lombok.Getter;
import java.util.ArrayList;
import java.util.List;
/**
* Commander is a class that handles the command line arguments for the SWID
* Tags gateway by implementing the JCommander package.
*/
@Parameters
@Getter
public class CommandMain {
@Parameter(description = "This parameter catches all unrecognized arguments.")
private List<String> unknownOptions = new ArrayList<>();
@Parameter(names = {"-h", "--help"}, help = true, description = "Print this help text.")
private boolean help;
@Parameter(names = {"--version"}, description = "Output the current version.")
private boolean version = false;
@Parameter(names = {"--verbose"}, description = "Control output verbosity.")
private boolean verbose = false;
public String printHelpExamples() {
StringBuilder sb = new StringBuilder();
sb.append("Create a base RIM: use the values in attributes.json; ");
sb.append("add support_rim.bin to the payload; ");
sb.append("sign it using privateKey.pem and cert.pem; embed cert.pem in the signature; ");
sb.append("add a RFC3852 timestamp; and write the data to base_rim.swidtag:\n\n");
sb.append("\t\t-c base -a attributes.json -l support_rim.bin "
+ "-k privateKey.pem -p cert.pem -e --timestamp RFC3852 counterSignature.bin "
+ "-o base_rim.swidtag\n\n\n");
sb.append("Validate base_rim.swidtag: "
+ "the payload <File> is validated with support_rim.bin; "
+ "and the signature is validated with ca.crt:\n\n");
sb.append("\t\t-v base_rim.swidtag -l support_rim.bin -t ca.crt\n\n\n");
return sb.toString();
}
}

16
tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CommandPrint.java Normal file

@ -0,0 +1,16 @@
package hirs.swid.utils;
import com.beust.jcommander.Parameter;
import com.beust.jcommander.Parameters;
import lombok.Getter;
@Parameters
@Getter
public class CommandPrint {
@Parameter(names = {"--in"},
validateWith = FileArgumentValidator.class,
description = "The path of the file to print")
private String inFile = "";
@Parameter(names = {"-h", "--help"}, help = true, description = "Print this help text.")
private boolean help;
}

40
tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CommandSign.java Normal file

@ -0,0 +1,40 @@
package hirs.swid.utils;
import com.beust.jcommander.Parameter;
import com.beust.jcommander.Parameters;
import lombok.Getter;
import java.util.ArrayList;
import java.util.List;
@Parameters
@Getter
public class CommandSign {
@Parameter(names = {"--in"}, validateWith = FileArgumentValidator.class,
description = "")
private String inFile = "";
@Parameter(names = {"-d", "--default-key"},
description = "Use the JKS keystore installed in /opt/rimtool/data.")
private boolean defaultKey = false;
@Parameter(names = {"-t", "--truststore"}, validateWith = FileArgumentValidator.class,
description = "The truststore to sign the base RIM created "
+ "or to validate the signed base RIM.")
private String truststore = "";
@Parameter(names = {"-p", "--publicCertificate"},
validateWith = FileArgumentValidator.class,
description = "The public key certificate to embed in the base RIM created by "
+ "this tool.")
private String publicCertificate = "";
@Parameter(names = {"-k", "--privateKeyFile"},
validateWith = FileArgumentValidator.class,
description = "The private key used to sign the base RIM created by this tool.")
private String privateKey = "";
@Parameter(names = {"-e", "--embed-cert"},
description = "Embed the provided certificate in the signed swidtag.")
private boolean embedded = false;
@Parameter(names = {"--timestamp"}, variableArity = true,
description = "Add a timestamp to the signature. " +
"Currently only RFC3339 and RFC3852 are supported:\n" +
"\tRFC3339 [yyyy-MM-ddThh:mm:ssZ]\n\tRFC3852 <counterSignature.bin>")
private List<String> timestampArguments = new ArrayList<String>(2);
}

20
tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CommandVerify.java Normal file

@ -0,0 +1,20 @@
package hirs.swid.utils;
import com.beust.jcommander.Parameter;
import com.beust.jcommander.Parameters;
import lombok.Getter;
@Parameters(parametersValidators = VerifyArgumentValidator.class)
@Getter
public class CommandVerify {
@Parameter(names = {"--in"}, validateWith = FileArgumentValidator.class,
description = "")
private String inFile = "";
@Parameter(names = {"-l", "--rimel"}, validateWith = FileArgumentValidator.class,
description = "The TCG eventlog file to use as a support RIM.")
private String rimEventLog = "";
@Parameter(names = {"-t", "--truststore"}, validateWith = FileArgumentValidator.class,
description = "The truststore to sign the base RIM created "
+ "or to validate the signed base RIM.")
private String truststore = "";
}

163
tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java

@ -1,163 +0,0 @@
package hirs.swid.utils;
import com.beust.jcommander.Parameter;
import com.beust.jcommander.Parameters;
import hirs.swid.SwidTagConstants;
import java.util.ArrayList;
import java.util.List;
/**
* Commander is a class that handles the command line arguments for the SWID
* Tags gateway by implementing the JCommander package.
*/
@Parameters(parametersValidators = {CreateArgumentValidator.class, VerifyArgumentValidator.class})
public class Commander {
@Parameter(description = "This parameter catches all unrecognized arguments.")
private List<String> unknownOptions = new ArrayList<>();
@Parameter(names = {"-h", "--help"}, help = true, description = "Print this help text.")
private boolean help;
@Parameter(names = {"-c", "--create"}, order = 0,
description = "The type of RIM to create. A base RIM will be created by default.")
private String createType = "";
@Parameter(names = {"-v", "--verify"}, validateWith = FileArgumentValidator.class,
description = "Specify a RIM file to verify.")
private String verifyFile = "";
@Parameter(names = {"-V", "--version"}, description = "Output the current version.")
private boolean version = false;
@Parameter(names = {"-a", "--attributes"}, validateWith = FileArgumentValidator.class,
description = "The configuration file holding attributes "
+ "to populate the base RIM with. An example file can be found in /opt/rimtool/data.")
private String attributesFile = "";
@Parameter(names = {"-o", "--out"}, order = 2,
description = "The file to write the RIM out to. "
+ "The RIM will be written to stdout by default.")
private String outFile = "";
@Parameter(names = {"--verbose"}, description = "Control output verbosity.")
private boolean verbose = false;
@Parameter(names = {"-t", "--truststore"}, validateWith = FileArgumentValidator.class,
description = "The truststore to sign the base RIM created "
+ "or to validate the signed base RIM.")
private String truststoreFile = "";
@Parameter(names = {"-k", "--privateKeyFile"},
validateWith = FileArgumentValidator.class,
description = "The private key used to sign the base RIM created by this tool.")
private String privateKeyFile = "";
@Parameter(names = {"-p", "--publicCertificate"},
validateWith = FileArgumentValidator.class,
description = "The public key certificate to embed in the base RIM created by "
+ "this tool.")
private String publicCertificate = "";
@Parameter(names = {"-e", "--embed-cert"}, order = 7,
description = "Embed the provided certificate in the signed swidtag.")
private boolean embedded = false;
@Parameter(names = {"-d", "--default-key"}, order = 8,
description = "Use the JKS keystore installed in /opt/rimtool/data.")
private boolean defaultKey = false;
@Parameter(names = {"-l", "--rimel"}, validateWith = FileArgumentValidator.class,
description = "The TCG eventlog file to use as a support RIM.")
private String rimEventLog = "";
@Parameter(names = {"--timestamp"}, order = 10, variableArity = true,
description = "Add a timestamp to the signature. " +
"Currently only RFC3339 and RFC3852 are supported:\n" +
"\tRFC3339 [yyyy-MM-ddThh:mm:ssZ]\n\tRFC3852 <counterSignature.bin>")
private List<String> timestampArguments = new ArrayList<String>(2);
public List<String> getUnknownOptions() {
return unknownOptions;
}
public boolean isHelp() {
return help;
}
public String getCreateType() {
return createType;
}
public String getVerifyFile() {
return verifyFile;
}
public boolean isVersion() {
return version;
}
public boolean isVerbose() { return verbose; }
public String getAttributesFile() {
return attributesFile;
}
public String getOutFile() {
return outFile;
}
public String getTruststoreFile() { return truststoreFile; }
public String getPrivateKeyFile() {
return privateKeyFile;
}
public String getPublicCertificate() {
return publicCertificate;
}
public boolean isEmbedded() { return embedded; }
public boolean isDefaultKey() { return defaultKey; }
public String getRimEventLog() { return rimEventLog; }
public List<String> getTimestampArguments() {
return timestampArguments;
}
public String printHelpExamples() {
StringBuilder sb = new StringBuilder();
sb.append("Create a base RIM: use the values in attributes.json; ");
sb.append("add support_rim.bin to the payload; ");
sb.append("sign it using privateKey.pem and cert.pem; embed cert.pem in the signature; ");
sb.append("add a RFC3852 timestamp; and write the data to base_rim.swidtag:\n\n");
sb.append("\t\t-c base -a attributes.json -l support_rim.bin "
+ "-k privateKey.pem -p cert.pem -e --timestamp RFC3852 counterSignature.bin "
+ "-o base_rim.swidtag\n\n\n");
sb.append("Validate base_rim.swidtag: "
+ "the payload <File> is validated with support_rim.bin; "
+ "and the signature is validated with ca.crt:\n\n");
sb.append("\t\t-v base_rim.swidtag -l support_rim.bin -t ca.crt\n\n\n");
return sb.toString();
}
public String toString() {
StringBuilder sb = new StringBuilder();
sb.append("Creating: " + this.getCreateType() + System.lineSeparator());
sb.append("Using attributes file: " + this.getAttributesFile() + System.lineSeparator());
sb.append("Write to: " + this.getOutFile() + System.lineSeparator());
sb.append("Verify file: " + this.getVerifyFile() + System.lineSeparator());
if (!this.getTruststoreFile().isEmpty()) {
sb.append("Truststore file: " + this.getTruststoreFile() + System.lineSeparator());
} else if (!this.getPrivateKeyFile().isEmpty() &&
!this.getPublicCertificate().isEmpty()) {
sb.append("Private key file: " + this.getPrivateKeyFile() + System.lineSeparator());
sb.append("Public certificate: " + this.getPublicCertificate()
+ System.lineSeparator());
sb.append("Embedded certificate: " + this.isEmbedded() + System.lineSeparator());
} else if (this.isDefaultKey()){
sb.append("Truststore file: default (" + SwidTagConstants.DEFAULT_KEYSTORE_FILE + ")"
+ System.lineSeparator());
} else {
sb.append("Signing credential: (none given)" + System.lineSeparator());
}
sb.append("Event log support RIM: " + this.getRimEventLog() + System.lineSeparator());
List<String> timestampArguments = this.getTimestampArguments();
if (timestampArguments.size() > 0) {
sb.append("Timestamp format: " + timestampArguments.get(0));
if (timestampArguments.size() == 2) {
sb.append(", " + timestampArguments.get(1));
}
} else {
sb.append("No timestamp included");
}
return sb.toString();
}
}