From b53c4fa123c4b6fcf96b3eb4a0138b9c0f4ab51a Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 9 Jan 2023 10:38:22 -0500 Subject: [PATCH 1/6] Modify gateway class to detect JKS or PEM truststore for creating base RIMs --- .../main/java/hirs/swid/CredentialParser.java | 70 +++++++++++++------ .../src/main/java/hirs/swid/Main.java | 32 ++++----- .../main/java/hirs/swid/SwidTagGateway.java | 15 ++-- .../main/java/hirs/swid/SwidTagValidator.java | 2 - .../java/hirs/swid/TestSwidTagGateway.java | 2 +- 5 files changed, 74 insertions(+), 47 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java index 013095d8..a2523bf8 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java @@ -12,8 +12,24 @@ import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter; import org.bouncycastle.util.encoders.Base64; import org.bouncycastle.util.encoders.DecoderException; -import java.io.*; -import java.security.*; +import java.io.BufferedInputStream; +import java.io.ByteArrayInputStream; +import java.io.DataInputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.FileReader; +import java.io.IOException; +import java.io.InputStream; +import java.security.KeyFactory; +import java.security.KeyPair; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.Security; +import java.security.UnrecoverableEntryException; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; 
@@ -22,7 +38,8 @@ import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.List;
 /**
- * This class parses private key, public key, and certificate for use in their respective java.security objects.
+ * This class parses private key, public key, and certificates for use in
+ * their respective java.security objects.
 */
 public class CredentialParser {
 private static final String X509 = "X.509";
@@ -54,16 +71,37 @@ public class CredentialParser {
 return publicKey;
 }
- public void parseJKSCredentials(String jksKeystore) {
+ /**
+ * This method parses the X509 signing cert, private key, and public key from
+ * a JKS truststore.
+ * @param jksKeystore the truststore file
+ */
+ public void parseJKSCredentials(String jksKeystore, String alias, String password) {
 KeyStore.PrivateKeyEntry privateKeyEntry =
- parseKeystorePrivateKey(jksKeystore,
- SwidTagConstants.DEFAULT_PRIVATE_KEY_ALIAS,
- SwidTagConstants.DEFAULT_KEYSTORE_PASSWORD);
+ parseKeystorePrivateKey(jksKeystore, alias, password);
 certificate = (X509Certificate) privateKeyEntry.getCertificate();
 privateKey = privateKeyEntry.getPrivateKey();
 publicKey = certificate.getPublicKey();
 }
+ /**
+ * Convenience method for parsing the cert and keys of the default JKS.
+ */
+ public void parseDefaultCredentials() {
+ parseJKSCredentials(SwidTagConstants.DEFAULT_KEYSTORE_FILE,
+ SwidTagConstants.DEFAULT_PRIVATE_KEY_ALIAS,
+ SwidTagConstants.DEFAULT_KEYSTORE_PASSWORD);
+ }
+
+ /**
+ * This method returns the X509Certificate object from a PEM truststore.
+ * @param truststore the PEM truststore
+ * @return a list of X509 certs
+ */
+ public List parseCertsFromPEM(String truststore) {
+ return parsePEMCertificates(truststore);
+ }
+
 public void parsePEMCredentials(String certificateFile, String privateKeyFile)
 throws Exception {
 certificate = parsePEMCertificates(certificateFile).get(0);
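Review bot: The new Javadoc on `parseJKSCredentials` documents only `jksKeystore`; the two parameters this commit adds are undocumented, so add `@param alias the keystore entry holding the signing key` and `@param password the keystore password`. `parseKeystorePrivateKey` (its body is largely outside this hunk) appears to report a missing keystore or unreadable entry by printing and leaving its result null, in which case `privateKeyEntry.getCertificate()` here fails with a NullPointerException instead of a message naming the keystore; a null check that throws an explicit exception would be clearer to the operator. The relocated `parseCertsFromPEM` also returns a raw `List`; stating the element type would let callers iterate without casts.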
@@ -96,17 +134,6 @@ public class CredentialParser { } } - /** - * This method returns the X509Certificate object from a PEM certificate file. - * @param certificateFile - * @return - * @throws FileNotFoundException - */ - public List parseCertsFromPEM(String certificateFile) - throws FileNotFoundException { - return parsePEMCertificates(certificateFile); - } - /** * This method returns the X509Certificate found in a PEM file. * Unchecked typcase warnings are suppressed because the CertificateFactory @@ -237,7 +264,9 @@ public class CredentialParser { * @param password * @return KeyStore.PrivateKeyEntry */ - private KeyStore.PrivateKeyEntry parseKeystorePrivateKey(String keystoreFile, String alias, String password) { + private KeyStore.PrivateKeyEntry parseKeystorePrivateKey(String keystoreFile, + String alias, + String password) { KeyStore keystore = null; KeyStore.PrivateKeyEntry privateKey = null; try { @@ -247,7 +276,8 @@ public class CredentialParser { new KeyStore.PasswordProtection(password.toCharArray())); } catch (FileNotFoundException e) { System.out.println("Cannot locate keystore " + keystoreFile); - } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException | IOException e) { + } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | + CertificateException | IOException e) { e.printStackTrace(); } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index b1fe58bc..86a9b3f1 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -3,8 +3,6 @@ package hirs.swid; import hirs.swid.utils.Commander; import com.beust.jcommander.JCommander; -import java.io.IOException; - public class Main { public static void main(String[] args) { 
@@ -46,7 +44,7 @@ public class Main {
 System.out.println(commander.toString());
 String createType = commander.getCreateType().toUpperCase();
 String attributesFile = commander.getAttributesFile();
- String jksTruststoreFile = commander.getTruststoreFile();
+ String truststoreFile = commander.getTruststoreFile();
 String certificateFile = commander.getPublicCertificate();
 String privateKeyFile = commander.getPrivateKeyFile();
 boolean embeddedCert = commander.isEmbedded();
@@ -57,23 +55,21 @@ public class Main {
 if (!attributesFile.isEmpty()) {
 gateway.setAttributesFile(attributesFile);
 }
- if (!jksTruststoreFile.isEmpty()) {
- gateway.setDefaultCredentials(true);
- gateway.setJksTruststoreFile(jksTruststoreFile);
- } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
+ if (!defaultKey) {
 gateway.setDefaultCredentials(false);
- gateway.setPemCertificateFile(certificateFile);
- gateway.setPemPrivateKeyFile(privateKeyFile);
- if (embeddedCert) {
- gateway.setEmbeddedCert(true);
+ if (!truststoreFile.isEmpty()) {
+ gateway.setTruststoreFile(truststoreFile);
+ } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
+ gateway.setPemCertificateFile(certificateFile);
+ gateway.setPemPrivateKeyFile(privateKeyFile);
+ if (embeddedCert) {
+ gateway.setEmbeddedCert(true);
+ }
+ } else {
+ System.out.println("Signing credentials must be provided " +
+ "if not using defaults");
+ System.exit(1);
 }
- } else if (defaultKey){
- gateway.setDefaultCredentials(true);
- gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
- } else {
- System.out.println("A private key (-k) and public certificate (-p) " +
- "are required, or the default key (-d) must be indicated.");
- System.exit(1);
 }
 if (rimEventLog.isEmpty()) {
 System.out.println("Error: a support RIM is required!");
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
index 2715a4e5..b9b3237f 100644
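Review bot: The `else if` chain under `if (!defaultKey)` silently ignores `-p`/`-k` whenever `-t` is also given, because the PEM branch is only reached when `truststoreFile` is empty; either reject the combination with a message or state in a comment that the truststore takes precedence. `embeddedCert` is likewise honoured only on the PEM branch, so `-t ... -e` drops the embed request without telling the user; hoisting `if (embeddedCert) { gateway.setEmbeddedCert(true); }` out of the branch, or printing a notice, would make that explicit. `gateway.setTruststoreFile(truststoreFile)` is the only effect of the truststore path, so its usefulness depends on the gateway actually reading that field for non-default credentials (see the SwidTagGateway hunk of this patch). main() continues outside the hunk.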
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
@@ -75,7 +75,7 @@ public class SwidTagGateway {
 private Marshaller marshaller;
 private String attributesFile;
 private boolean defaultCredentials;
- private String jksTruststoreFile;
+ private String truststoreFile;
 private String pemPrivateKeyFile;
 private String pemCertificateFile;
 private boolean embeddedCert;
@@ -91,6 +91,7 @@ public class SwidTagGateway {
 marshaller = jaxbContext.createMarshaller();
 attributesFile = SwidTagConstants.DEFAULT_ATTRIBUTES_FILE;
 defaultCredentials = true;
+ truststoreFile = SwidTagConstants.DEFAULT_KEYSTORE_FILE;
 pemCertificateFile = "";
 embeddedCert = false;
 rimEventLog = "";
@@ -120,12 +121,12 @@ public class SwidTagGateway {
 }
 /**
- * Setter for JKS keystore file
+ * Setter for keystore file
 *
- * @param jksTruststoreFile
+ * @param truststoreFile
 */
- public void setJksTruststoreFile(final String jksTruststoreFile) {
- this.jksTruststoreFile = jksTruststoreFile;
+ public void setTruststoreFile(final String truststoreFile) {
+ this.truststoreFile = truststoreFile;
 }
 /**
@@ -545,11 +546,13 @@ public class SwidTagGateway {
 PrivateKey privateKey;
 CredentialParser cp = new CredentialParser();
 if (defaultCredentials) {
- cp.parseJKSCredentials(jksTruststoreFile);
+ cp.parseDefaultCredentials();
 privateKey = cp.getPrivateKey();
 KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier());
 keyInfoElements.add(keyName);
 } else {
+ //If JKS or PEM...
+
 cp.parsePEMCredentials(pemCertificateFile, pemPrivateKeyFile);
 X509Certificate certificate = cp.getCertificate();
 privateKey = cp.getPrivateKey();
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java
index 10d83a91..f70c10fa 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java
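Review bot: On the non-default branch of the last hunk (`@@ -545`) the commit adds the placeholder `//If JKS or PEM...` but still calls `cp.parsePEMCredentials(pemCertificateFile, pemPrivateKeyFile)`, so a caller that only set `truststoreFile` reaches the PEM parser with an empty certificate path. The new `truststoreFile` field is read nowhere in these hunks, and `cp.parseDefaultCredentials()` on the default branch uses the constants instead, which appears to be why `setTruststoreFile(JKS_KEYSTORE_FILE)` in the updated test can have no effect. Either route `truststoreFile` into the parser here or fail early with a message when both PEM paths are empty, rather than leaving a dangling comment in signing code. The enclosing method starts and ends outside the hunk.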
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java @@ -204,8 +204,6 @@ public class SwidTagValidator { cp.setCertificate(signingCert); System.out.println(System.lineSeparator() + cp.getCertificateAuthorityInfoAccess()); return signatureIsValid; - } catch (FileNotFoundException e) { - System.out.println("Error parsing truststore: " + e.getMessage()); } catch (NoSuchAlgorithmException e) { System.out.println("Error instantiating a KeyFactory to generate pk: " + e.getMessage()); diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java index 09b75977..b41ba8f8 100644 --- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java +++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java @@ -92,7 +92,7 @@ public class TestSwidTagGateway { @Test public void testCreateBaseDefaultCert() { gateway.setDefaultCredentials(true); - gateway.setJksTruststoreFile(JKS_KEYSTORE_FILE); + gateway.setTruststoreFile(JKS_KEYSTORE_FILE); gateway.generateSwidTag(DEFAULT_OUTPUT); expectedFile = TestSwidTagGateway.class.getClassLoader() .getResourceAsStream(BASE_DEFAULT_CERT); From 12338e40c26bab0edbb2b7435c9ffa5a41c98236 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 13 Feb 2023 15:32:57 -0500 Subject: [PATCH 2/6] Overload CredentialParser method to handle parsing correct signing cert from a PEM truststore. --- .../main/java/hirs/swid/CredentialParser.java | 34 +++++++++++-- .../src/main/java/hirs/swid/Main.java | 30 +++++------ .../main/java/hirs/swid/SwidTagGateway.java | 13 +++-- .../main/java/hirs/swid/utils/Commander.java | 14 ++--- .../java/hirs/swid/TestSwidTagGateway.java | 30 +++++++++-- .../generated_truststore_embed.swidtag | 51 +++++++++++++++++++ 6 files changed, 135 insertions(+), 37 deletions(-) create mode 100644 tools/tcg_rim_tool/src/test/resources/generated_truststore_embed.swidtag 
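Review bot: Removing the `catch (FileNotFoundException e)` arm means a truststore path that does not exist is no longer reported from this method; `parseCertsFromPEM` stops declaring the exception because, per the CredentialParser hunks, `parsePEMCertificates` now catches I/O errors internally and only prints them. Confirm what that method returns in that case — if it is an empty list, the validation above this hunk would proceed with no trust anchors, so an explicit empty-truststore check that fails validation with a clear message is worth adding before the signature result is returned. The try block and its enclosing method start outside the hunk.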
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java index a2523bf8..37b48a90 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java @@ -28,7 +28,9 @@ import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.PublicKey; +import java.security.SecureRandom; import java.security.Security; +import java.security.Signature; import java.security.UnrecoverableEntryException; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; @@ -45,6 +47,7 @@ public class CredentialParser { private static final String X509 = "X.509"; private static final String JKS = "JKS"; private static final String PEM = "PEM"; + private static final String DEFAULT_ALGORITHM = "RSA"; private static final String PKCS1_HEADER = "-----BEGIN RSA PRIVATE KEY-----"; private static final String PKCS1_FOOTER = "-----END RSA PRIVATE KEY-----"; private static final String PKCS8_HEADER = "-----BEGIN PRIVATE KEY-----"; 
@@ -98,17 +101,41 @@ public class CredentialParser {
 * @param truststore the PEM truststore
 * @return a list of X509 certs
 */
- public List parseCertsFromPEM(String truststore) {
+ public List parseCertsFromPEM(String truststore) {
 return parsePEMCertificates(truststore);
 }
+ public void parsePEMCredentials(List truststore,
+ String privateKeyFile)
+ throws Exception {
+ byte[] challengeString = new byte[15];
+ for (X509Certificate cert : truststore) {
+ certificate = cert;
+ privateKey = parsePEMPrivateKey(privateKeyFile, DEFAULT_ALGORITHM);
+ publicKey = certificate.getPublicKey();
+ SecureRandom.getInstanceStrong().nextBytes(challengeString);
+ Signature signature = Signature.getInstance("SHA256withRSA");
+ signature.initSign(privateKey);
+ signature.update(challengeString);
+ byte[] signedChallenge = signature.sign();
+ signature.initVerify(publicKey);
+ signature.update(challengeString);
+ if (signature.verify(signedChallenge)) {
+ System.out.println("Matched private key to truststore certificate");
+ break;
+ } else {
+ publicKey = null;
+ }
+ }
+ }
+
 public void parsePEMCredentials(String certificateFile, String privateKeyFile)
 throws Exception {
 certificate = parsePEMCertificates(certificateFile).get(0);
 if (certificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) {
 throw new CertificateException("Signing certificate cannot be self-signed!");
 }
- privateKey = parsePEMPrivateKey(privateKeyFile, "RSA");
+ privateKey = parsePEMPrivateKey(privateKeyFile, DEFAULT_ALGORITHM);
 publicKey = certificate.getPublicKey();
 }
@@ -163,7 +190,8 @@ public class CredentialParser {
 } catch (CertificateException e) {
 System.out.println("Error in certificate factory: " + e.getMessage());
 } catch (IOException e) {
- System.out.println("Error reading from input stream: " + e.getMessage());
+ System.out.println("Error reading from input stream: " + filename);
+ e.printStackTrace();
 } finally {
 try {
 if (fis != null) {
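Review bot: The new `parsePEMCredentials(List truststore, String privateKeyFile)` does not report the case where no certificate matches the key: after the loop `certificate` still holds the last candidate, `publicKey` is null, and the caller goes on to sign with a certificate that does not correspond to the private key. The loop also re-parses the private key on every iteration although it does not depend on `cert`, and it omits the self-signed rejection that the `String` overload just below performs. Hoist the key parse, set `certificate`/`publicKey` only on a match, and throw when nothing matched, as sketched below; `SecureRandom.getInstanceStrong()` can block on hosts with a slow entropy source, so if the JDK's default `SecureRandom` is acceptable here that is the cheaper choice, and the `"SHA256withRSA"` literal ties the check to RSA while `DEFAULT_ALGORITHM` is meant to carry that choice. The parameter is a raw `List`; the enhanced-for already assumes `List<X509Certificate>`.
```java
    privateKey = parsePEMPrivateKey(privateKeyFile, DEFAULT_ALGORITHM);
    publicKey = null;
    byte[] challengeString = new byte[15];
    for (X509Certificate cert : truststore) {
        // … unchanged: sign challengeString with privateKey, then initVerify(cert.getPublicKey()) …
        if (signature.verify(signedChallenge)) {
            certificate = cert;
            publicKey = cert.getPublicKey();
            System.out.println("Matched private key to truststore certificate");
            break;
        }
    }
    if (publicKey == null) {
        throw new CertificateException("No certificate in the truststore matches the private key");
    }
    // Same rule as the single-certificate overload below.
    if (certificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) {
        throw new CertificateException("Signing certificate cannot be self-signed!");
    }
```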
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
index c0d7efd8..c5d05f4b 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
@@ -58,28 +58,26 @@ public class Main {
 if (!attributesFile.isEmpty()) {
 gateway.setAttributesFile(attributesFile);
 }
- if (!defaultKey) {
+ if (defaultKey) {
+ gateway.setDefaultCredentials(true);
+ gateway.setTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
+ } else {
 gateway.setDefaultCredentials(false);
- if (!truststoreFile.isEmpty()) {
- gateway.setTruststoreFile(truststoreFile);
- } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
- gateway.setPemCertificateFile(certificateFile);
- gateway.setPemPrivateKeyFile(privateKeyFile);
- if (embeddedCert) {
- gateway.setEmbeddedCert(true);
- }
- } else {
+ gateway.setTruststoreFile(truststoreFile);
+ gateway.setPemCertificateFile(certificateFile);
+ gateway.setPemPrivateKeyFile(privateKeyFile);
+/*
+ if () {
 System.out.println("Signing credentials must be provided " +
 "if not using defaults");
 System.exit(1);
 }
+*/
+ if (embeddedCert) {
+ gateway.setEmbeddedCert(true);
+ }
 }
- if (rimEventLog.isEmpty()) {
- System.out.println("Error: a support RIM is required!");
- System.exit(1);
- } else {
- gateway.setRimEventLog(rimEventLog);
- }
+ gateway.setRimEventLog(rimEventLog);
 List timestampArguments = commander.getTimestampArguments();
 if (timestampArguments.size() > 0) {
 if (new TimestampArgumentValidator(timestampArguments).isValid()) {
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
index 1aa16a90..7fdbfed5 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
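Review bot: The commented-out `/* if () { ... } */` block in the `else` branch is dead code with an empty condition and should not be committed; with the guard gone, a non-default invocation that supplies none of `-t`, `-p`, `-k` pushes three empty paths into the gateway and the failure only surfaces later inside the parser. Until the intended condition is written, `if (truststoreFile.isEmpty() && (certificateFile.isEmpty() || privateKeyFile.isEmpty()))` restores the check that the previous code performed; otherwise delete the block outright. main() continues outside the hunk.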
@@ -102,7 +102,7 @@ public class SwidTagGateway {
 marshaller = jaxbContext.createMarshaller();
 attributesFile = SwidTagConstants.DEFAULT_ATTRIBUTES_FILE;
 defaultCredentials = true;
- truststoreFile = SwidTagConstants.DEFAULT_KEYSTORE_FILE;
+ truststoreFile = "";
 pemCertificateFile = "";
 embeddedCert = false;
 rimEventLog = "";
@@ -599,11 +599,14 @@ public class SwidTagGateway {
 KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier());
 keyInfoElements.add(keyName);
 } else {
- //If JKS or PEM...
-
- cp.parsePEMCredentials(pemCertificateFile, pemPrivateKeyFile);
- X509Certificate certificate = cp.getCertificate();
+ if (!truststoreFile.isEmpty()) {
+ List truststore = cp.parseCertsFromPEM(truststoreFile);
+ cp.parsePEMCredentials(truststore, pemPrivateKeyFile);
+ } else {
+ cp.parsePEMCredentials(pemCertificateFile, pemPrivateKeyFile);
+ }
 privateKey = cp.getPrivateKey();
+ X509Certificate certificate = cp.getCertificate();
 if (embeddedCert) {
 ArrayList x509Content = new ArrayList();
 x509Content.add(certificate.getSubjectX500Principal().getName());
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
index d84f4dbf..1e0de7e9 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
@@ -45,7 +45,7 @@ public class Commander {
 @Parameter(names = {"-d", "--default-key"}, order = 8,
 description = "Use default signing credentials.")
 private boolean defaultKey = false;
- @Parameter(names = {"-l", "--rimel "}, order = 9,
+ @Parameter(names = {"-l", "--rimel "}, order = 9, required = true,
 description = "The TCG eventlog file to use as a support RIM.")
 private String rimEventLog = "";
 @Parameter(names = {"--timestamp"}, order = 10, variableArity = true,
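Review bot: The new `if (!truststoreFile.isEmpty())` branch feeds every non-default truststore to `cp.parseCertsFromPEM`, so the JKS-or-PEM detection that the series title announces is not here: a JKS file supplied with `defaultCredentials` false goes through the PEM certificate factory and fails there with a generic message. The branch also relies on `parsePEMCredentials(List, ...)` to reject a truststore with no certificate matching the key, but in this patch that overload returns normally in that case (see the CredentialParser hunk), so `cp.getCertificate()` on the line after can return an unrelated certificate that is then embedded in the signature. A format check before this branch, plus a null check on `certificate` with a clear failure, would close both gaps; `List truststore` should also be declared as `List<X509Certificate>`. The enclosing method starts and ends outside the hunk.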
@@ -125,19 +125,15 @@ public class Commander { sb.append("Using attributes file: " + this.getAttributesFile() + System.lineSeparator()); sb.append("Write to: " + this.getOutFile() + System.lineSeparator()); sb.append("Verify file: " + this.getVerifyFile() + System.lineSeparator()); - if (!this.getTruststoreFile().isEmpty()) { + if (this.isDefaultKey()) { + sb.append("Truststore file: default (" + SwidTagConstants.DEFAULT_KEYSTORE_FILE + ")" + + System.lineSeparator()); + } else { sb.append("Truststore file: " + this.getTruststoreFile() + System.lineSeparator()); - } else if (!this.getPrivateKeyFile().isEmpty() && - !this.getPublicCertificate().isEmpty()) { sb.append("Private key file: " + this.getPrivateKeyFile() + System.lineSeparator()); sb.append("Public certificate: " + this.getPublicCertificate() + System.lineSeparator()); sb.append("Embedded certificate: " + this.isEmbedded() + System.lineSeparator()); - } else if (this.isDefaultKey()){ - sb.append("Truststore file: default (" + SwidTagConstants.DEFAULT_KEYSTORE_FILE + ")" - + System.lineSeparator()); - } else { - sb.append("Signing credential: (none given)" + System.lineSeparator()); } sb.append("Event log support RIM: " + this.getRimEventLog() + System.lineSeparator()); List timestampArguments = this.getTimestampArguments(); diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java index 717278c8..7fdaaabf 100644 --- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java +++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java 
@@ -16,6 +16,7 @@ public class TestSwidTagGateway { private final String DEFAULT_OUTPUT = "generated_swidTag.swidtag"; private final String BASE_USER_CERT = "generated_user_cert.swidtag"; private final String BASE_USER_CERT_EMBED = "generated_user_cert_embed.swidtag"; + private final String BASE_TRUSTSTORE_EMBED = "generated_truststore_embed.swidtag"; private final String BASE_DEFAULT_CERT = "generated_default_cert.swidtag"; private final String BASE_RFC3339_TIMESTAMP = "generated_timestamp_rfc3339.swidtag"; private final String BASE_RFC3852_TIMESTAMP = "generated_timestamp_rfc3852.swidtag"; @@ -58,7 +59,7 @@ public class TestSwidTagGateway { * where RimSignCert.pem has the AIA extension. */ @Test - public void testCreateBaseUserCertNotEmbedded() { + public void testCreateBasePemCertNotEmbedded() { gateway.setDefaultCredentials(false); gateway.setPemCertificateFile(SIGNING_CERT_FILE); gateway.setPemPrivateKeyFile(PRIVATE_KEY_FILE); @@ -77,8 +78,9 @@ public class TestSwidTagGateway { * -v [base RIM] -l TpmLog.bin -t RimCertChain.pem */ @Test - public void testCreateBaseUserCertEmbedded() { + public void testCreateBasePemCertEmbedded() { gateway.setDefaultCredentials(false); + gateway.setTruststoreFile(""); gateway.setPemCertificateFile(SIGNING_CERT_FILE); gateway.setPemPrivateKeyFile(PRIVATE_KEY_FILE); gateway.setEmbeddedCert(true); 
@@ -89,6 +91,26 @@ public class TestSwidTagGateway { Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT)); } + /** + * This test corresponds to: + * -c base -l TpmLog.bin -t RimCertChain.pem -k privateRimKey.pem -e + * And then validates it: + * -v [base RIM] -l TpmLog.bin -t RimCertChain.pem + */ + @Test + public void testCreateBasePemTruststoreEmbedded() { + gateway.setDefaultCredentials(false); + gateway.setTruststoreFile(CA_CHAIN_FILE); + gateway.setPemCertificateFile(""); + gateway.setPemPrivateKeyFile(PRIVATE_KEY_FILE); + gateway.setEmbeddedCert(true); + gateway.generateSwidTag(DEFAULT_OUTPUT); + expectedFile = TestSwidTagGateway.class.getClassLoader() + .getResourceAsStream(BASE_TRUSTSTORE_EMBED); + Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); + Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT)); + } + /** * This test corresponds to the arguments: * -c base -l TpmLog.bin -d @@ -111,7 +133,7 @@ public class TestSwidTagGateway { @Test public void testCreateTimestampRfc3339() { gateway.setDefaultCredentials(true); - gateway.setJksTruststoreFile(JKS_KEYSTORE_FILE); + gateway.setTruststoreFile(JKS_KEYSTORE_FILE); gateway.setTimestampFormat("RFC3339"); gateway.setTimestampArgument("2023-01-01T00:00:00Z"); gateway.generateSwidTag(DEFAULT_OUTPUT); @@ -128,7 +150,7 @@ public class TestSwidTagGateway { @Test public void testCreateTimestampRfc3852() { gateway.setDefaultCredentials(true); - gateway.setJksTruststoreFile(JKS_KEYSTORE_FILE); + gateway.setTruststoreFile(JKS_KEYSTORE_FILE); gateway.setTimestampFormat("RFC3852"); gateway.setTimestampArgument(RFC3852_COUNTERSIGNATURE_FILE); gateway.generateSwidTag(DEFAULT_OUTPUT); diff --git a/tools/tcg_rim_tool/src/test/resources/generated_truststore_embed.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_truststore_embed.swidtag new file mode 100644 index 00000000..9387733a --- /dev/null +++ b/tools/tcg_rim_tool/src/test/resources/generated_truststore_embed.swidtag 
@@ -0,0 +1,51 @@ + + + + + + + + + + + + + + + + + + + + DJMc0n3VHHwU+F3HNpiY/l3EMcjRZAQOYlrjhD5v9qE= + + + ojJ6v8ToxLWWekCKmBoZ+Yg2V4MYMPbKB9FjDs/QG/AMP+LKjnb55Z7FSLhC8+CvvShKPAoS9mv1 +QepwI17NEqbfnC1U4WH0u578A3J6wiHMXIDnIQqKAAXb8v2c/wjMDArzFl8CXmDA7HUDIt+3C4VC +tA598YY7o0Hf6hK5qO8oWGQxXUKfpUwvtGLxHpbDWYFuVSPa+uk6OTzutt/QyzTERzxyO9Le1i6K +nrpzh4lgHn6EfGs6HR1ffdHQ069q0bE61zDx0VC18nK9DmszW6p6FlMzApiTVW/4PiVt+dSFeVGR +9///OdtxcoBCeofDDFPRyO+s+kY1pXd92Q3nfg== + + + CN=example.RIM.signer,OU=PCClient,O=Example,ST=VA,C=US + MIIDoTCCAomgAwIBAgIJAIKly+6bklZlMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNVBAYTAlVTMQsw +CQYDVQQIDAJWQTEQMA4GA1UECgwHRXhhbXBsZTERMA8GA1UECwwIUENDbGllbnQxEjAQBgNVBAMM +CUV4YW1wbGVDQTAeFw0yMDA2MTExNjUzMDFaFw0zMDA0MjAxNjUzMDFaMFwxCzAJBgNVBAYTAlVT +MQswCQYDVQQIDAJWQTEQMA4GA1UECgwHRXhhbXBsZTERMA8GA1UECwwIUENDbGllbnQxGzAZBgNV +BAMMEmV4YW1wbGUuUklNLnNpZ25lcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKd1 +lWGkSRuxAAY2wHag2GVxUk1dZx2PTpfQOflvLeccAVwa8mQhlsRERq+QK8ilj8Xfqs44/nBaccZD +OjdfIxIUCMfwhGXjxCaqZbgTucNsExDnu4arTGraoAwzHg0cVLiKT/Cxj9NL4dcMgxRXsPdHfXb0 +923C7xYd2t2qfW05umgaj7qeQl6c68CFNsGX4JA8rWFQZvvGx5DGlK4KTcjPuQQINs5fxasNKqLY +2hq+z82x/rqwr2hmyizD6FpFSyIABPEMPfB036GEhRwu1WEMkq8yIp2jgRUoFYke9pB3ph9pVow0 +Hh4mNFSKD4pP41VSKY1nus83mdkuukPy5o0CAwEAAaNvMG0wHQYDVR0OBBYEFC/euOfQMKIgnaoB +hhqWT+3s8rzBMB8GA1UdIwQYMBaAFEahuO3bpnFf0NLneoo8XW6aw5Y4MAkGA1UdEwQCMAAwCwYD +VR0PBAQDAgbAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBCwUAA4IBAQC1mG0naE0W +4E9vujPhygf7LXHMFkMPs5uWyvkxe4zWgTg0RHTClbOFJQJ+pGLOcthSG6vIC6xYJxT5EKtB9rzR +lEYHOi4MxuwXz9rLWQhA2zdbSo54Fb/BPoca5K9kxvAanRltEfqEFhCcRmqIX1i6mpOWiZsrdMs7 +IflHKBsylUTn+v636BAz3p2H8/lpJbF4LUFUxFU5FWB3tLuasxYTsbeE6YyNAnQIS95ML7c5H8z2 +aEQs5TCNHZJDyc0PZT2aPOuEj5lGv9oyBHbYDitszUWSVxF7z86uVGmYR/2oTIj6tqb+IwuvFtnO +wiXFRS5ctLCdESr3SjdQF5wmIN4n + + + + From 53a4816dec1a6e147e97651524b1fc76184957f1 Mon Sep 17 00:00:00 2001 
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Fri, 17 Feb 2023 00:13:39 -0500 Subject: [PATCH 3/6] Add a validator class for credential argument input --- .../main/java/hirs/swid/CredentialParser.java | 2 - .../src/main/java/hirs/swid/Main.java | 19 +++-- .../utils/CredentialArgumentValidator.java | 73 +++++++++++++++++++ 3 files changed, 84 insertions(+), 10 deletions(-) create mode 100644 tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CredentialArgumentValidator.java diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java index 37b48a90..bff0b740 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java @@ -45,8 +45,6 @@ import java.util.List; */ public class CredentialParser { private static final String X509 = "X.509"; - private static final String JKS = "JKS"; - private static final String PEM = "PEM"; private static final String DEFAULT_ALGORITHM = "RSA"; private static final String PKCS1_HEADER = "-----BEGIN RSA PRIVATE KEY-----"; private static final String PKCS1_FOOTER = "-----END RSA PRIVATE KEY-----"; diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index c5d05f4b..2077bc32 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -2,6 +2,7 @@ package hirs.swid; import hirs.swid.utils.Commander; import com.beust.jcommander.JCommander; +import hirs.swid.utils.CredentialArgumentValidator; import hirs.swid.utils.TimestampArgumentValidator; import java.util.List; @@ -14,6 +15,7 @@ public class Main { jc.parse(args); SwidTagGateway gateway; SwidTagValidator validator; + CredentialArgumentValidator caValidator; if (commander.isHelp()) { jc.usage(); 
@@ -63,16 +65,17 @@ public class Main {
 gateway.setTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
 } else {
 gateway.setDefaultCredentials(false);
- gateway.setTruststoreFile(truststoreFile);
- gateway.setPemCertificateFile(certificateFile);
- gateway.setPemPrivateKeyFile(privateKeyFile);
-/*
- if () {
- System.out.println("Signing credentials must be provided " +
- "if not using defaults");
+ caValidator = new CredentialArgumentValidator(truststoreFile,
+ certificateFile, privateKeyFile,"","", false);
+ if (caValidator.isValid()) {
+ gateway.setTruststoreFile(truststoreFile);
+ gateway.setPemCertificateFile(certificateFile);
+ gateway.setPemPrivateKeyFile(privateKeyFile);
+ } else {
+ System.out.println("Invalid combination of credentials given: " +
+ caValidator.getErrorMessage());
 System.exit(1);
 }
-*/
 if (embeddedCert) {
 gateway.setEmbeddedCert(true);
 }
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CredentialArgumentValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CredentialArgumentValidator.java
new file mode 100644
index 00000000..c410199f
--- /dev/null
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CredentialArgumentValidator.java
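Review bot: `new CredentialArgumentValidator(truststoreFile, certificateFile, privateKeyFile,"","", false)` passes empty strings for the password and alias, so the validator's JKS configuration (truststore + password + alias) can never be selected from main and any `-t` value is accepted only as a PEM truststore accompanied by a private key; either pass the values Commander collects for those two arguments or state in a comment that JKS input is not supported on this path. `caValidator.getFormat()` is computed but never read here, so the gateway still has no signal to tell the two formats apart. Style: spaces after the commas in `privateKeyFile,"","", false`. main() continues outside the hunk.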
@@ -0,0 +1,73 @@
+package hirs.swid.utils;
+
+public class CredentialArgumentValidator {
+ private String truststoreFile;
+ private String certificateFile;
+ private String privateKeyFile;
+ private String password;
+ private String alias;
+ private String format;
+ private boolean isValidating;
+ private String errorMessage;
+ private static final String JKS = "JKS";
+ private static final String PEM = "PEM";
+
+ public CredentialArgumentValidator(String truststoreFile,
+ String certificateFile,
+ String privateKeyFile,
+ String password,
+ String alias,
+ boolean isValidating) {
+ this.truststoreFile = truststoreFile;
+ this.certificateFile = certificateFile;
+ this.privateKeyFile = privateKeyFile;
+ this.password = password;
+ this.alias = alias;
+ this.isValidating = isValidating;
+ errorMessage = "";
+ }
+
+ /**
+ * Getter for format property
+ * @return string
+ */
+ public String getFormat() { return format; }
+
+ /**
+ * Getter for error message
+ * @return string
+ */
+ public String getErrorMessage() { return errorMessage; }
+
+ /**
+ * This method checks for the following valid configurations of input arguments:
+ * 1. truststore + password + alias (JKS format)
+ * 2. truststore + private key (PEM format)
+ * 3. truststore only for validating (PEM format)
+ * 4. certificate + private key (PEM format)
+ * 5. certificate only for validating (PEM format)
+ *
+ * @return true if the above are found, false otherwise
+ */
+ public boolean isValid() {
+ if (!truststoreFile.isEmpty()) {
+ if (!password.isEmpty() && !alias.isEmpty()) {
+ format = JKS;
+ return true;
+ } else if (!privateKeyFile.isEmpty() || isValidating) {
+ format = PEM;
+ return true;
+ } else {
+ errorMessage = "A JKS truststore needs a password and alias; " +
+ "a PEM truststore needs a private key file.";
+ return false;
+ }
+ } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
+ format = PEM;
+ return true;
+ } else {
+ errorMessage = "A public certificate must be accompanied by a private key file.";
+ return false;
+ }
+ }
+}
From 401fb404f041f67a0199e68a9622bf37eb27b928 Mon Sep 17 00:00:00 2001
From: chubtub <43381989+chubtub@users.noreply.github.com>
Date: Wed, 1 Mar 2023 20:03:20 -0500
Subject: [PATCH 4/6] Modify validator class to handle JKS and PEM truststores appropriately.
---
tools/tcg_rim_tool/keystore.jks | Bin 2290 -> 3204 bytes .../main/java/hirs/swid/CredentialParser.java | 86 +++- .../src/main/java/hirs/swid/Main.java | 32 +- .../main/java/hirs/swid/SwidTagConstants.java | 13 +- .../main/java/hirs/swid/SwidTagGateway.java | 10 +- .../main/java/hirs/swid/SwidTagValidator.java | 54 ++- .../main/java/hirs/swid/utils/Commander.java | 25 +- .../utils/CredentialArgumentValidator.java | 10 +- .../utils/TimestampArgumentValidator.java | 3 +- .../java/hirs/swid/TestSwidTagGateway.java | 407 +++++++++--------- .../src/test/resources/keystore.jks | Bin 2290 -> 3204 bytes 11 files changed, 366 insertions(+), 274 deletions(-)
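Review bot: `isValid()` does not implement case 5 of its own Javadoc: a certificate given alone with `isValidating` true falls into the final `else` and is rejected, while a truststore alone is accepted in that mode. Either change the branch to `} else if (!certificateFile.isEmpty() && (!privateKeyFile.isEmpty() || isValidating)) {` or drop item 5 from the list so the documentation and the check agree. The final `errorMessage` is also misleading when nothing was supplied or when only a private key was given; a message that lists the accepted combinations would serve the user better. The `password` field keeps the keystore password as a `String` for the object's lifetime although it is consulted only through `isEmpty()`, so storing a boolean such as `hasPassword` would keep the secret out of this object, and the class still needs a class-level Javadoc saying what it validates and that `getFormat()` is meaningful only after `isValid()` has run.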
diff --git a/tools/tcg_rim_tool/keystore.jks b/tools/tcg_rim_tool/keystore.jks index 2877d7f4c9d5c1f8d1b80c74e05e60b1e1652a2b..3c4bd3162415b48932480586f450d91fc0e52ae1 100644 GIT binary patch delta 2345 zcmV+^3D)-V5ri3k{_Xzl00002000010000100A)o00D+|?MlD^00jatf&~6B4h9M< z1_1;CDgqG!0R;dAf&}WZB%Q;68%e#LX&b&byw&sDV|fM$x(0}xS%7>a?IW3YZ9~LW zm<7%!+uG0@2dcJO>#PQjH?z^j&Z&@9U$7PwaL+MLY_)TL7S^!P8WTv>KI^MkyFZWJ zDGaEsi0WlsCdn1guIxG$Hhdwp zADvCdYF~hX;xc)Gr8S81$*7g62atRjw~dWGNEL!O^S~uHsRiXd2F{B&(!Mba$vY>K zKM(C&5rFo8M))Gc2aT*a*zFouq7LFD_@hVExs2FDpQ|7}Ayr8|<~wt`9BS+Hqjmh- zbrcgnt88g3eq;z5<$%cII%X9mr=G;~d!HOEI})*PW-XMtLzjxcgT}(-UhrJ2Exn&n z;Dd&@ACO9n?vM}O33H|CgG9VI|OwmaX`$L%eD3okEtl%rs)sRu+XypAg=|3kzu zo}daUx$*^pIv)*KUmVGV?-G%plQM>9 z2-WF+(h(lI0+oNb>2i!WqGVno*6=~uCj>ks;gY%s0X~9Kgzhbs&?y^oM^=lE+2*y}J$-JC>aPTY6>(2wtwLpQ11TBDZ}^H{spR@uF*|0! zUJf0yNajNKPrh`pcLO{o4ldJ;h`-d z;Ck``>qTnfyqs?1n7Rz1om?L%ryv#;8TsD1?Z{jqE47Zy)5ZNNRRAi#kJms)hB-HX zB%`Wq`l0D7kaT3dLlx-hUJ0W^nqELu-=ayVU4n|i7cx(7;VpEAY?vzEyL9=(gHQEc|2gWwvr{fLC>cogYHtb3e4fm*9I>ho zSdeZe9HR97y!HYMjof0YA%E)|U1EFIs!48AhOg9rNvuXoD7;Uhp#>k4xLv?0Q}a8#_U5I7DU-)dvf*bo z&Gh^E9R9QU%`Uhey##%crc{H*of@HlJbj~cm*BX5Qis!i@hw0$IxDnW&ue1cF+BAs zBiUDr2;y=rgWecn5O7H}zhCfc8WaBF@gRo?Tyz7zU`QIJ6j}oS5G4*T2`0?w?0%u; z%u3sV=;LHc=O*)aI?8c;TnN3xVdiN$Z6!)C(&c^nxb(~b0007$E(IG1f~Cvuo03*# zlTih07&b96F*Y?bFfm#e4Kpw>G%_$THZ?OaF|*VK3Icz%m~AI$O%~u!Z@M$#$_M)` zam*G&53`$=%K0&SjMjlTG(>d5m9vE<0)C`o&T`mN8>`3*tXL-$`4Fo?_Po)QMh7}B z494si&)Umb2teC6TS|_26~DnghZ^LsWXA9sof&Nr`h*q`oJMMhUs$@Dla`5_D|E{{ zA^Arr8!~^DMCbbcx9AWv-kpc@`DrDwcr8Ix#8o*JV0W~;nzI%YvA2ZjjEw?x2ut2f zFSj`#%=TzREafnb9g;)I%@1Wgnmp@-kC{fl+A;)o*bXaf%|((|5qrjQ$JKEN0lTih088R_2F*h^+D5I-Il-O51V3UVCWNe)**3sk+|GWa>t{j<-S8bn;{1P?wo3N23aLUVUt|XQt^2<(GR?U5<=K(WN1H^1Le44B_ z#WLT7moHEgsOo!EDO(8=>Y4sN4F#nILwDSN5&n_x? 
zaRLJY00E<8Fkvtq1_M!H1Ox*D0fsOQ1_>&LNQU2V7PtCCtv%-k73CE26xcT%ugTW6CEkjAMxH?{pP!W1A?^V<%e8M_I^)TxT3#k#&G#0nqiL&lXy(I3;z@lGBKg{D;eoKW|r zzU^DRIdeY(-=oEcFs|Pypg(F=@=^K}Fdp9L)9BD@d4iuCU+D~uBa^KmXyK&(A&Uxo zFzut3wse`65+#>Z;=JIqV*bNXl4{t0%%LJ0)N++mxAWM{z=j}4a71c;;?s7HE4RI| zqG>6xsaK8s<*wR{u7#e+^W<=fTy{Q%&$0E5vnB@QO|Bv@Z`=9w0)A>T4Y8j(_ppmp zI4$Tk4e|HEe7`E8X1J(&y{~e9jowtWm5SB^3gmnp_k3c0c()4zC;8d?rMPN;q?Cwm zTj};m9~Yo~Q~*iCeMhkBL%=M87BEbPOQ;$BD)5kxT6RdAZ(?4+=!3KJ>ao|>1nPCt zhtD1ewfB>ui$$k6!CY;_j$!1M1iUU^w158fx7(ICs+*qEW!<*}e~98k?>oI?x$ncv z4bwhw#%?~vBc9`D$lw(fXb*ya#gpk1H?8)8_2kV7fkua(cxko7N8SWaVxGs&E}_Fr zw4bP3d1@T0$%i%)lM8o)>VjA=I##6GF`U3Ye_k3lyx8MN>+{Y<2=S0sCHypU4<;qj zTUClK+>=6y?LEl!YoIy5XSCBD_J7gt&`)M88hR0)V#72L>G!<}>$bRm-*)bi;wevZ z-y;!rgDL=I=IG(W^1RIh(;n+w3MeY?J9khH2n6itfsJDn={jv<$s5cCMex_Tkp-UT_?7yih zQ{2&@V2E}6drtpS7bb~7wnK@336jaGZILI|zq9z#gnXzyc1HATCk+CVm34A=P#0FN z;(KGVz`D}m9_pb2qqnkqK;B~MeWU3~snUH?pRrJ{C3k{Jj-JLdRI)gGR+v=-V0ccx zmzFr}R|Vm^aK;0Fwo%*tiydPiij-rO=x-4lgOGZq)#l0UOCB(~g%Ee%NebSb!j$}h za2I77tHwa0QekpJYj z!t)RMv8TIV=N128g{>(^;{oJF=>jP~7`cWvimbdCP?Ly?!@7NGTZQFlU`Zw5y+-&= zhn2VGqW@Hl8;j-6pZ^u&M!39uS^cuEhsVy;##;#;;Oa{4ateR46TNwZyuN`SJ&|FP z4Fwk@0RRP9E;TSY000A}FoFZ2FoFV!paTK{0s;vD@P4nQL4+CklSlF)=tXI59CYGPBDC3Icy+*c-jZna2nxo_VNY<-)g?FSOQSAW+3CaVH;KL*7q39E#I)<5W|!XQnmk-0p7 zSjHMhLs~33_?tAdmogijAp}^{ARws+{xIoRVXZ8+e;|?v?Nkuay4#E^Ba?rBhPrpe z)N!%4Mtrk7{*v{&xNz{;E~SwK&zczD9@9k@OsYYbuk{g6Fp!WsS=nVPXS|tN7f|(> z$aLA#q$jP2t}ea$$-pz507J|`D36OwWw^)z`>b-@x*81emsOj|lE~?d@>~M&X^ZP} sw99)Ta-LGLxF^G&y;1;h% parseJKSCredentials(String jksKeystore, + String alias, + String password) { + ArrayList keystoreAsList = new ArrayList<>(); + try { + KeyStore keystore = KeyStore.getInstance("JKS"); + keystore.load(new FileInputStream(jksKeystore), password.toCharArray()); + for (Certificate cert : keystore.getCertificateChain(alias)) { + keystoreAsList.add((X509Certificate) cert); + } + KeyStore.PrivateKeyEntry privateKeyEntry = + (KeyStore.PrivateKeyEntry) keystore.getEntry(alias, + 
new KeyStore.PasswordProtection(password.toCharArray())); + certificate = (X509Certificate) privateKeyEntry.getCertificate(); + privateKey = privateKeyEntry.getPrivateKey(); + publicKey = certificate.getPublicKey(); + } catch (KeyStoreException e) { + System.out.println("JKS keystore type not supported"); + } catch (FileNotFoundException e) { + System.out.println("Unable to locate " + jksKeystore); + } catch (IOException e) { + if (e.getCause() instanceof UnrecoverableKeyException) { + System.out.println("Password is incorrect, please resubmit"); + } else if (password.isEmpty()) { + System.out.println("No password given, please resubmit"); + } else { + System.out.println("Error importing keystore data:"); + e.printStackTrace(); + } + } catch (NoSuchAlgorithmException e) { + System.out.println("Unable to verify keystore integrity"); + e.printStackTrace(); + } catch (CertificateException e) { + System.out.println("Error loading certificates from keystore:"); + e.printStackTrace(); + } catch (UnrecoverableEntryException e) { + e.printStackTrace(); + } + + return keystoreAsList; } /** - * Convenience method for parsing the cert and keys of the default JKS. + * Convenience method for parsing the default JKS. */ - public void parseDefaultCredentials() { - parseJKSCredentials(SwidTagConstants.DEFAULT_KEYSTORE_FILE, - SwidTagConstants.DEFAULT_PRIVATE_KEY_ALIAS, - SwidTagConstants.DEFAULT_KEYSTORE_PASSWORD); + public List parseDefaultCredentials() { + return parseJKSCredentials(SwidTagConstants.DEFAULT_KEYSTORE_FILE, + SwidTagConstants.DEFAULT_PRIVATE_KEY_ALIAS, + SwidTagConstants.DEFAULT_KEYSTORE_PASSWORD); } /** * This method returns the X509Certificate object from a PEM truststore. + * * @param truststore the PEM truststore * @return a list of X509 certs */ 
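Review bot: The stream opened in `keystore.load(new FileInputStream(jksKeystore), password.toCharArray())` is never closed, and `keystore.getCertificateChain(alias)` returns null when the alias is absent or is not a private-key entry, so the for-each throws a NullPointerException that none of the catch blocks handle. Every handled failure prints a message and falls through to `return keystoreAsList`, giving the caller an empty list while `certificate`/`privateKey` stay null; because this list is what the DEFAULT validation path uses as its trust store, a missing or unreadable keystore should surface as an explicit failure rather than an empty set of anchors. The start of this hunk is obscured by the preceding binary keystore delta, and the generic type arguments appear to have been stripped by rendering. I'd open the stream with try-with-resources, null-check the chain, and report the failure instead of `printStackTrace()`.
```java
    public List<X509Certificate> parseJKSCredentials(String jksKeystore,
                                                     String alias,
                                                     String password) {
        ArrayList<X509Certificate> keystoreAsList = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(jksKeystore)) {
            KeyStore keystore = KeyStore.getInstance("JKS");
            keystore.load(in, password.toCharArray());
            Certificate[] chain = keystore.getCertificateChain(alias);
            if (chain == null) {
                System.out.println("No private key entry found under alias " + alias);
                return keystoreAsList;
            }
            for (Certificate cert : chain) {
                keystoreAsList.add((X509Certificate) cert);
            }
            // … unchanged: getEntry / certificate / privateKey / publicKey assignment …
        } catch (KeyStoreException e) {
            // … unchanged: existing catch blocks …
        }
        return keystoreAsList;
    }
```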
@@ -103,9 +142,8 @@ public class CredentialParser { return parsePEMCertificates(truststore); } - public void parsePEMCredentials(List truststore, - String privateKeyFile) - throws Exception { + public void parsePEMCredentials(List truststore, String privateKeyFile) + throws Exception { byte[] challengeString = new byte[15]; for (X509Certificate cert : truststore) { certificate = cert; @@ -141,6 +179,7 @@ public class CredentialParser { * This method extracts certificate bytes from a string. The bytes are assumed to be * PEM format, and a header and footer are concatenated with the input string to * facilitate proper parsing. + * * @param pemString the input string * @return an X509Certificate created from the string * @throws CertificateException if instantiating the CertificateFactory errors @@ -149,10 +188,10 @@ public class CredentialParser { try { CertificateFactory factory = CertificateFactory.getInstance(X509); InputStream inputStream = new ByteArrayInputStream((CERTIFICATE_HEADER - + System.lineSeparator() - + pemString - + System.lineSeparator() - + CERTIFICATE_FOOTER).getBytes()); + + System.lineSeparator() + + pemString + + System.lineSeparator() + + CERTIFICATE_FOOTER).getBytes()); return (X509Certificate) factory.generateCertificate(inputStream); } catch (CertificateException e) { throw e; @@ -163,6 +202,7 @@ public class CredentialParser { * This method returns the X509Certificate found in a PEM file. * Unchecked typcase warnings are suppressed because the CertificateFactory * implements X509Certificate objects explicitly. + * * @param filename pem file * @return a list containing all X509Certificates extracted */ @@ -211,6 +251,7 @@ public class CredentialParser { * Both PKCS1 and PKCS8 formats are handled. * Algorithm argument is present to allow handling of multiple encryption algorithms, * but for now it is always RSA. + * * @param filename * @return */ 
@@ -271,6 +312,7 @@ public class CredentialParser { /** * This method reads a PKCS1 keypair from a PEM file. + * * @param filename * @return */ @@ -285,6 +327,7 @@ public class CredentialParser { /** * This method returns the private key from a JKS keystore. + * * @param keystoreFile * @param alias * @param password @@ -312,6 +355,7 @@ public class CredentialParser { /** * This method returns the authorityInfoAccess from an X509Certificate. + * * @return * @throws IOException */ @@ -320,7 +364,7 @@ public class CredentialParser { byte[] extension = certificate.getExtensionValue(Extension.authorityInfoAccess.getId()); if (extension != null && extension.length > 0) { AuthorityInformationAccess aia = AuthorityInformationAccess.getInstance( - JcaX509ExtensionUtils.parseExtensionValue(extension)); + JcaX509ExtensionUtils.parseExtensionValue(extension)); for (AccessDescription ad : aia.getAccessDescriptions()) { if (ad.getAccessMethod().toString().equals(SwidTagConstants.CA_ISSUERS)) { sb.append("CA issuers - "); @@ -335,6 +379,7 @@ public class CredentialParser { /** * This method returns the subjectKeyIdentifier from the local X509Certificate. + * * @return the String representation of the subjectKeyIdentifier * @throws IOException */ @@ -349,6 +394,7 @@ public class CredentialParser { /** * This method returns the subjectKeyIdentifier from a given X509Certificate. + * * @param certificate the cert to pull the subjectKeyIdentifier from * @return the String representation of the subjectKeyIdentifier * @throws IOException diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 2077bc32..30f68048 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java 
@@ -1,7 +1,7 @@ package hirs.swid; -import hirs.swid.utils.Commander; import com.beust.jcommander.JCommander; +import hirs.swid.utils.Commander; import hirs.swid.utils.CredentialArgumentValidator; import hirs.swid.utils.TimestampArgumentValidator; @@ -28,21 +28,21 @@ public class Main { String rimel = commander.getRimEventLog(); String certificateFile = commander.getPublicCertificate(); String trustStore = commander.getTruststoreFile(); - if (!verifyFile.isEmpty()) { - if (!rimel.isEmpty()) { - validator.setRimEventLog(rimel); - } - if (!trustStore.isEmpty()) { - validator.setTrustStoreFile(trustStore); - } - if (!certificateFile.isEmpty()) { - System.out.println("A single cert cannot be used for verification. " + - "The signing cert will be searched for in the trust store."); - } - validator.validateSwidTag(verifyFile); + boolean defaultKey = commander.isDefaultKey(); + validator.setRimEventLog(rimel); + if (defaultKey) { + validator.validateSwidTag(verifyFile, "DEFAULT"); } else { - System.out.println("Need a RIM file to validate!"); - System.exit(1); + caValidator = new CredentialArgumentValidator(trustStore, + certificateFile, "", "", "", true); + if (caValidator.isValid()) { + validator.setTrustStoreFile(trustStore); + validator.validateSwidTag(verifyFile, caValidator.getFormat()); + } else { + System.out.println("Invalid combination of credentials given: " + + caValidator.getErrorMessage()); + System.exit(1); + } } } else { gateway = new SwidTagGateway(); @@ -66,7 +66,7 @@ public class Main { } else { gateway.setDefaultCredentials(false); caValidator = new CredentialArgumentValidator(truststoreFile, - certificateFile, privateKeyFile,"","", false); + certificateFile, privateKeyFile, "", "", false); if (caValidator.isValid()) { gateway.setTruststoreFile(truststoreFile); gateway.setPemCertificateFile(certificateFile); 
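Review bot: In the rewritten verify branch the `-p` certificate is passed to `CredentialArgumentValidator` but never handed to `validator`, so it silently has no effect when `-t` is given, and when `-t` is absent the failure text comes from `isValid()` (as shown earlier in this page, "A public certificate must be accompanied by a private key file"), which describes signing rather than verification. The removed message that told the user the cert is ignored and the signing cert is looked up in the trust store should come back, e.g. `if (!certificateFile.isEmpty()) { System.out.println("-p is ignored when verifying; the signing cert is looked up in the truststore"); }` before `caValidator` is built. `validator.setRimEventLog(rimel)` is now also called when `-l` was not given, which the old code skipped; whether an empty path is tolerated depends on the validator, outside this hunk. With `-d`, verification trusts whatever the default JKS holds, and its password is a public constant, which the `-d` help text should say.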
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java index 3ca76778..8abfb915 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java @@ -8,13 +8,12 @@ import javax.xml.namespace.QName; * This class contains the String constants that are referenced by the gateway * class. It is expected that member properties of this class will expand as * more functionality is added to SwidTagGateway. - * */ public class SwidTagConstants { public static final String DEFAULT_KEYSTORE_FILE = "/opt/hirs/rimtool/keystore.jks"; public static final String DEFAULT_KEYSTORE_PASSWORD = "password"; - public static final String DEFAULT_PRIVATE_KEY_ALIAS = "selfsigned"; + public static final String DEFAULT_PRIVATE_KEY_ALIAS = "1"; public static final String DEFAULT_ATTRIBUTES_FILE = "/opt/hirs/rimtool/rim_fields.json"; public static final String DEFAULT_ENGLISH = "en"; @@ -43,7 +42,7 @@ public class SwidTagConstants { public static final String ROLE = "role"; public static final String THUMBPRINT = "thumbprint"; public static final String HREF = "href"; - public static final String REL = "rel"; + public static final String REL = "rel"; public static final String COLLOQUIAL_VERSION = "colloquialVersion"; public static final String EDITION = "edition"; public static final String PRODUCT = "product"; 
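Review bot: `DEFAULT_PRIVATE_KEY_ALIAS = "1"` is a magic value that has to match the entry in the keystore.jks regenerated in this same commit, and nothing at the constant says so; `parseJKSCredentials` (outside this hunk) appears to hand back an empty list when the alias is not found. I'd add `// must match the private-key alias in the shipped keystore.jks; regenerate both together`. Since this commit also makes the default keystore the trust store for `-d` verification while `DEFAULT_KEYSTORE_PASSWORD` stays the public constant `"password"`, a comment that these defaults are for testing only and that anyone able to write the keystore file can add a trusted signer would be fair warning.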
@@ -72,12 +71,12 @@ public class SwidTagConstants { public static final String SUPPORT_RIM_FORMAT_MISSING = "supportRIMFormat missing"; public static final String SUPPORT_RIM_URI_GLOBAL = "supportRIMURIGlobal"; public static final String DATETIME = "dateTime"; - + public static final String NIST_NS = "http://csrc.nist.gov/ns/swid/2015-extensions/1.0"; - public static final String TCG_NS = "https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model"; + public static final String TCG_NS = "https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model"; public static final String RFC3852_NS = "https://www.ietf.org/rfc/rfc3852.txt"; public static final String RFC3339_NS = "https://www.ietf.org/rfc/rfc3339.txt"; - + public static final String N8060_PFX = "n8060"; public static final String RIM_PFX = "rim"; public static final String RFC3852_PFX = "rcf3852"; @@ -119,7 +118,7 @@ public class SwidTagConstants { TCG_NS, PC_URI_LOCAL, RIM_PFX); public static final QName _PC_URI_GLOBAL = new QName( TCG_NS, PC_URI_GLOBAL, RIM_PFX); - public static final QName _RIM_LINK_HASH = new QName( + public static final QName _RIM_LINK_HASH = new QName( TCG_NS, RIM_LINK_HASH, RIM_PFX); public static final QName _SUPPORT_RIM_TYPE = new QName( TCG_NS, SUPPORT_RIM_TYPE, RIM_PFX); diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 7fdbfed5..17df6d08 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -180,6 +180,7 @@ public class SwidTagGateway { /** * Setter for timestamp format in XML signature + * * @param timestampFormat */ public void setTimestampFormat(String timestampFormat) { 
@@ -188,6 +189,7 @@ public class SwidTagGateway { /** * Setter for timestamp input - RFC3852 + file or RFC3339 + value + * * @param timestampArgument */ public void setTimestampArgument(String timestampArgument) { @@ -246,7 +248,7 @@ public class SwidTagGateway { writeSwidTagFile(signedSoftwareIdentity, filename); } else { System.out.println("The following fields cannot be empty or null: " - + errorRequiredFields.substring(0, errorRequiredFields.length()-2)); + + errorRequiredFields.substring(0, errorRequiredFields.length() - 2)); System.exit(1); } } catch (JsonException e) { @@ -532,6 +534,7 @@ public class SwidTagGateway { addNonNullAttribute(attributes, key, value); } } + /** * This utility method checks if an attribute value is empty before adding it to the map. * @@ -652,7 +655,8 @@ public class SwidTagGateway { /** * This method creates a timestamp element and populates it with data according to * the RFC format set in timestampFormat. The element is returned within an XMLObject. - * @param doc the Document representing the XML to be signed + * + * @param doc the Document representing the XML to be signed * @param sigFactory the SignatureFactory object * @return an XMLObject containing the timestamp element */ @@ -693,7 +697,7 @@ public class SwidTagGateway { SignatureProperties signatureProperties = sigFactory.newSignatureProperties( Collections.singletonList(signatureProperty), null); XMLObject xmlObject = sigFactory.newXMLObject( - Collections.singletonList(signatureProperties), null,null,null); + Collections.singletonList(signatureProperties), null, null, null); return xmlObject; } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java index f70c10fa..e2cabca2 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java 
@@ -36,7 +36,6 @@ import javax.xml.transform.stream.StreamSource; import javax.xml.validation.Schema; import javax.xml.validation.SchemaFactory; import java.io.File; -import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; import java.security.InvalidKeyException; @@ -74,6 +73,7 @@ public class SwidTagValidator { /** * Setter for rimel file path. + * * @param rimEventLog the rimel file */ public void setRimEventLog(String rimEventLog) { @@ -82,6 +82,7 @@ public class SwidTagValidator { /** * Setter for the truststore file path. + * * @param trustStoreFile the truststore */ public void setTrustStoreFile(String trustStoreFile) { @@ -99,6 +100,7 @@ public class SwidTagValidator { System.out.println("Error initializing JAXBContext: " + e.getMessage()); } } + /** * This method validates the .swidtag file at the given filepath against the * schema. A successful validation results in the output of the tag's name @@ -106,9 +108,10 @@ public class SwidTagValidator { * * @param path the location of the file to be validated */ - public boolean validateSwidTag(String path) { + public boolean validateSwidTag(String path, String format) { Document document = unmarshallSwidTag(path); - Element softwareIdentity = (Element) document.getElementsByTagName("SoftwareIdentity").item(0); + Element softwareIdentity = + (Element) document.getElementsByTagName("SoftwareIdentity").item(0); StringBuilder si = new StringBuilder("Base RIM detected:\n"); si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n"); si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n"); 
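Review bot: The new `format` parameter on `validateSwidTag(String path, String format)` is undocumented; the Javadoc above it still lists only `@param path` and has no `@return`. Judging by the callers in Main.java the accepted values are the strings `"DEFAULT"` and `"PEM"`, so I'd add `@param format the credential format used to load the truststore: "DEFAULT" for the built-in JKS, "PEM" for the file set via setTrustStoreFile` and `@return true if the tag validates and its signature is valid; false otherwise`. A small enum would be safer than a free-form string that is matched by a switch elsewhere, but that is outside this hunk.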
@@ -120,8 +123,14 @@ public class SwidTagValidator { System.out.println(e.getMessage()); return false; } - System.out.println("Signature core validity: " + validateSignedXMLDocument(document)); - return true; + boolean swidtagValidity = validateSignedXMLDocument(document, format); + if (swidtagValidity) { + System.out.println("Signature core validity: true"); + return true; + } else { + System.out.println("Signature core validity: false"); + return false; + } } /** @@ -153,15 +162,22 @@ public class SwidTagValidator { * Next, the signature is inspected for two things: * 1. valid signature * 2. valid certificate chain + * * @param doc XML document * @return true if both the signature and cert chain are valid; false otherwise */ - private boolean validateSignedXMLDocument(Document doc) { + private boolean validateSignedXMLDocument(Document doc, String credentialFormat) { try { DOMValidateContext context; CredentialParser cp = new CredentialParser(); X509Certificate signingCert = null; - trustStore = cp.parseCertsFromPEM(trustStoreFile); + switch (credentialFormat) { + case "DEFAULT": + trustStore = cp.parseDefaultCredentials(); + break; + case "PEM": + trustStore = cp.parseCertsFromPEM(trustStoreFile); + } X509KeySelector keySelector = new X509KeySelector(); NodeList nodes = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature"); if (nodes.getLength() == 0) { @@ -190,7 +206,7 @@ public class SwidTagValidator { } } else { System.out.println("Base RIM must have a non-empty, non-null " + - "Subject Key Identifier (SKID) in the element"); + "Subject Key Identifier (SKID) in the element"); System.exit(1); } } @@ -212,7 +228,7 @@ public class SwidTagValidator { } catch (MarshalException | XMLSignatureException e) { System.out.println(e.getMessage()); } catch (Exception e) { - System.out.println(e.getMessage()); + e.printStackTrace(); } return false; 
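Review bot: The `switch (credentialFormat)` in validateSignedXMLDocument has no `default` branch, so any value other than "DEFAULT" or "PEM" (the earlier `isValid()` on this page can also produce "JKS") leaves `trustStore` untouched and validation proceeds with whatever it held before, i.e. the check fails open; the error paths in `parseDefaultCredentials` likewise return an empty list that flows straight into the signing-cert lookup. I'd add an explicit `default` that reports and returns false, a `break` on the PEM case so the default can follow it, and an empty-truststore guard before the signature is inspected. The body of validateSignedXMLDocument continues outside the hunk.
```java
            switch (credentialFormat) {
                case "DEFAULT":
                    trustStore = cp.parseDefaultCredentials();
                    break;
                case "PEM":
                    trustStore = cp.parseCertsFromPEM(trustStoreFile);
                    break;
                default:
                    System.out.println("Unsupported credential format: " + credentialFormat);
                    return false;
            }
            if (trustStore == null || trustStore.isEmpty()) {
                System.out.println("No trust anchors loaded; refusing to validate signature");
                return false;
            }
            // … unchanged: X509KeySelector and Signature node lookup …
```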
@@ -237,7 +253,8 @@ public class SwidTagValidator { * This method extracts a public key from either an X509Certificate element * or a KeyValue element. If the public key's algorithm matches the declared * algorithm it is returned in a KeySelecctorResult. - * @param keyinfo the KeyInfo element + * + * @param keyinfo the KeyInfo element * @param purpose * @param algorithm the encapsulating signature's declared signing algorithm * @param context @@ -248,9 +265,9 @@ public class SwidTagValidator { final KeySelector.Purpose purpose, final AlgorithmMethod algorithm, final XMLCryptoContext context) - throws KeySelectorException { + throws KeySelectorException { Iterator keyinfoItr = keyinfo.getContent().iterator(); - while(keyinfoItr.hasNext()) { + while (keyinfoItr.hasNext()) { XMLStructure element = (XMLStructure) keyinfoItr.next(); if (element instanceof X509Data) { X509Data data = (X509Data) element; @@ -300,7 +317,8 @@ public class SwidTagValidator { /** * This method checks that the signature and public key algorithms match. - * @param uri to match the signature algorithm + * + * @param uri to match the signature algorithm * @param name to match the public key algorithm * @return true if both match, false otherwise */ @@ -312,6 +330,7 @@ public class SwidTagValidator { /** * This method validates the cert chain for a given certificate. The truststore is iterated * over until a root CA is found, otherwise an error is returned. + * * @param cert the certificate at the start of the chain * @return true if the chain is valid * @throws Exception if a valid chain is not found in the truststore @@ -354,7 +373,8 @@ public class SwidTagValidator { /** * This method checks if cert's issuerDN matches issuer's subjectDN. - * @param cert the signed certificate + * + * @param cert the signed certificate * @param issuer the signing certificate * @return true if they match, false if not * @throws Exception if either argument is null 
@@ -370,7 +390,8 @@ public class SwidTagValidator { /** * This method checks if cert's signature matches signer's public key. - * @param cert the signed certificate + * + * @param cert the signed certificate * @param signer the signing certificate * @return true if they match * @throws Exception if an error occurs or there is no match @@ -402,6 +423,7 @@ public class SwidTagValidator { /** * This method checks if a given certificate is self signed or not. + * * @param cert the cert to check * @return true if self signed, false if not */ @@ -411,6 +433,7 @@ public class SwidTagValidator { /** * This method compares a public key against those in the truststore. + * * @param pk a public key * @return true if pk is found in the trust store, false otherwise */ @@ -483,6 +506,7 @@ public class SwidTagValidator { /** * This method strips all whitespace from an xml file, including indents and spaces * added for human-readability. + * * @param path to the xml file * @return Document object without whitespace */ diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index 1e0de7e9..afd61626 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java 
@@ -19,25 +19,25 @@ public class Commander { private String createType = ""; @Parameter(names = {"-a", "--attributes "}, order = 1, description = "The configuration file holding attributes " - + "to populate the base RIM with.") + + "to populate the base RIM with.") private String attributesFile = ""; @Parameter(names = {"-o", "--out "}, order = 2, description = "The file to write the RIM out to. " - + "The RIM will be written to stdout by default.") + + "The RIM will be written to stdout by default.") private String outFile = ""; @Parameter(names = {"-v", "--verify "}, order = 3, description = "Specify a RIM file to verify.") private String verifyFile = ""; @Parameter(names = {"-t", "--truststore "}, order = 4, description = "The truststore to sign the base RIM created " - + "or to validate the signed base RIM.") + + "or to validate the signed base RIM.") private String truststoreFile = ""; @Parameter(names = {"-k", "--privateKeyFile "}, order = 5, description = "The private key used to sign the base RIM created by this tool.") private String privateKeyFile = ""; @Parameter(names = {"-p", "--publicCertificate "}, order = 6, description = "The public key certificate to embed in the base RIM created by " - + "this tool.") + + "this tool.") private String publicCertificate = ""; @Parameter(names = {"-e", "--embed-cert"}, order = 7, description = "Embed the provided certificate in the signed swidtag.") @@ -74,7 +74,9 @@ public class Commander { return verifyFile; } - public String getTruststoreFile() { return truststoreFile; } + public String getTruststoreFile() { + return truststoreFile; + } public String getPrivateKeyFile() { return privateKeyFile; 
@@ -84,11 +86,17 @@ public class Commander { return publicCertificate; } - public boolean isEmbedded() { return embedded; } + public boolean isEmbedded() { + return embedded; + } - public boolean isDefaultKey() { return defaultKey; } + public boolean isDefaultKey() { + return defaultKey; + } - public String getRimEventLog() { return rimEventLog; } + public String getRimEventLog() { + return rimEventLog; + } public List getTimestampArguments() { return timestampArguments; @@ -119,6 +127,7 @@ public class Commander { return sb.toString(); } + public String toString() { StringBuilder sb = new StringBuilder(); sb.append("Creating: " + this.getCreateType() + System.lineSeparator()); diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CredentialArgumentValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CredentialArgumentValidator.java index c410199f..58caeebc 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CredentialArgumentValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CredentialArgumentValidator.java @@ -29,15 +29,21 @@ public class CredentialArgumentValidator { /** * Getter for format property + * * @return string */ - public String getFormat() { return format; } + public String getFormat() { + return format; + } /** * Getter for error message + * * @return string */ - public String getErrorMessage() { return errorMessage; } + public String getErrorMessage() { + return errorMessage; + } /** * This method checks for the following valid configurations of input arguments: diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/TimestampArgumentValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/TimestampArgumentValidator.java index 1b1be43d..5d25a074 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/TimestampArgumentValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/TimestampArgumentValidator.java 
@@ -11,6 +11,7 @@ import java.util.regex.Pattern; public class TimestampArgumentValidator { List args; + /** * This class handles validation of the --timestamp commandline parameter. * Currently only RFC3339 and RFC3852 formats are supported. @@ -35,7 +36,7 @@ public class TimestampArgumentValidator { } else { return false; } - } else if (args.size() == 1){ + } else if (args.size() == 1) { System.out.println("Countersignature file is required for RFC3852 timestamps"); return false; } diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java index 7fdaaabf..4b6b694f 100644 --- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java +++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java 
@@ -1,222 +1,225 @@ package hirs.swid; +import org.testng.Assert; +import org.testng.annotations.AfterClass; +import org.testng.annotations.BeforeClass; +import org.testng.annotations.Test; + import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; -import org.testng.Assert; -import org.testng.annotations.BeforeClass; -import org.testng.annotations.AfterClass; -import org.testng.annotations.Test; - public class TestSwidTagGateway { - private SwidTagGateway gateway; - private SwidTagValidator validator; - private final String DEFAULT_OUTPUT = "generated_swidTag.swidtag"; - private final String BASE_USER_CERT = "generated_user_cert.swidtag"; - private final String BASE_USER_CERT_EMBED = "generated_user_cert_embed.swidtag"; - private final String BASE_TRUSTSTORE_EMBED = "generated_truststore_embed.swidtag"; - private final String BASE_DEFAULT_CERT = "generated_default_cert.swidtag"; - private final String BASE_RFC3339_TIMESTAMP = "generated_timestamp_rfc3339.swidtag"; - private final String BASE_RFC3852_TIMESTAMP = "generated_timestamp_rfc3852.swidtag"; - private final String ATTRIBUTES_FILE = TestSwidTagGateway.class.getClassLoader() - .getResource("rim_fields.json").getPath(); - private final String JKS_KEYSTORE_FILE = TestSwidTagGateway.class.getClassLoader() - .getResource("keystore.jks").getPath(); - private final String SIGNING_CERT_FILE = TestSwidTagGateway.class.getClassLoader() - .getResource("RimSignCert.pem").getPath(); - private final String PRIVATE_KEY_FILE = TestSwidTagGateway.class.getClassLoader() - .getResource("privateRimKey.pem").getPath(); - private final String CA_CHAIN_FILE = TestSwidTagGateway.class.getClassLoader() - .getResource("RimCertChain.pem").getPath(); - private final String SUPPORT_RIM_FILE = TestSwidTagGateway.class.getClassLoader() - .getResource("TpmLog.bin").getPath(); - private final String RFC3852_COUNTERSIGNATURE_FILE = TestSwidTagGateway.class.getClassLoader() 
- .getResource("counterSignature.file").getPath(); - private InputStream expectedFile; + private SwidTagGateway gateway; + private SwidTagValidator validator; + private final String JKS = "JKS"; + private final String PEM = "PEM"; + private final String DEFAULT_OUTPUT = "generated_swidTag.swidtag"; + private final String BASE_USER_CERT = "generated_user_cert.swidtag"; + private final String BASE_USER_CERT_EMBED = "generated_user_cert_embed.swidtag"; + private final String BASE_TRUSTSTORE_EMBED = "generated_truststore_embed.swidtag"; + private final String BASE_DEFAULT_CERT = "generated_default_cert.swidtag"; + private final String BASE_RFC3339_TIMESTAMP = "generated_timestamp_rfc3339.swidtag"; + private final String BASE_RFC3852_TIMESTAMP = "generated_timestamp_rfc3852.swidtag"; + private final String ATTRIBUTES_FILE = TestSwidTagGateway.class.getClassLoader() + .getResource("rim_fields.json").getPath(); + private final String JKS_KEYSTORE_FILE = TestSwidTagGateway.class.getClassLoader() + .getResource("keystore.jks").getPath(); + private final String SIGNING_CERT_FILE = TestSwidTagGateway.class.getClassLoader() + .getResource("RimSignCert.pem").getPath(); + private final String PRIVATE_KEY_FILE = TestSwidTagGateway.class.getClassLoader() + .getResource("privateRimKey.pem").getPath(); + private final String CA_CHAIN_FILE = TestSwidTagGateway.class.getClassLoader() + .getResource("RimCertChain.pem").getPath(); + private final String SUPPORT_RIM_FILE = TestSwidTagGateway.class.getClassLoader() + .getResource("TpmLog.bin").getPath(); + private final String RFC3852_COUNTERSIGNATURE_FILE = TestSwidTagGateway.class.getClassLoader() + .getResource("counterSignature.file").getPath(); + private InputStream expectedFile; - @BeforeClass - public void setUp() throws Exception { - gateway = new SwidTagGateway(); - gateway.setRimEventLog(SUPPORT_RIM_FILE); - gateway.setAttributesFile(ATTRIBUTES_FILE); - validator = new SwidTagValidator(); - 
validator.setRimEventLog(SUPPORT_RIM_FILE); - validator.setTrustStoreFile(CA_CHAIN_FILE); - } + @BeforeClass + public void setUp() throws Exception { + gateway = new SwidTagGateway(); + gateway.setRimEventLog(SUPPORT_RIM_FILE); + gateway.setAttributesFile(ATTRIBUTES_FILE); + validator = new SwidTagValidator(); + validator.setRimEventLog(SUPPORT_RIM_FILE); + validator.setTrustStoreFile(CA_CHAIN_FILE); + } - @AfterClass - public void tearDown() throws Exception { - if (expectedFile != null) { - expectedFile.close(); - } - } + @AfterClass + public void tearDown() throws Exception { + if (expectedFile != null) { + expectedFile.close(); + } + } - /** - * This test corresponds to the arguments: - * -c base -l TpmLog.bin -k privateRimKey.pem -p RimSignCert.pem - * where RimSignCert.pem has the AIA extension. - */ - @Test - public void testCreateBasePemCertNotEmbedded() { - gateway.setDefaultCredentials(false); - gateway.setPemCertificateFile(SIGNING_CERT_FILE); - gateway.setPemPrivateKeyFile(PRIVATE_KEY_FILE); - gateway.setEmbeddedCert(false); - gateway.generateSwidTag(DEFAULT_OUTPUT); - expectedFile = TestSwidTagGateway.class.getClassLoader() - .getResourceAsStream(BASE_USER_CERT); - Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); - Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT)); - } + /** + * This test corresponds to the arguments: + * -c base -l TpmLog.bin -k privateRimKey.pem -p RimSignCert.pem + * where RimSignCert.pem has the AIA extension. 
+ */ + @Test + public void testCreateBasePemCertNotEmbedded() { + gateway.setDefaultCredentials(false); + gateway.setPemCertificateFile(SIGNING_CERT_FILE); + gateway.setPemPrivateKeyFile(PRIVATE_KEY_FILE); + gateway.setEmbeddedCert(false); + gateway.generateSwidTag(DEFAULT_OUTPUT); + expectedFile = TestSwidTagGateway.class.getClassLoader() + .getResourceAsStream(BASE_USER_CERT); + Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); + Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT, PEM)); + } - /** - * This test creates the following base RIM: - * -c base -l TpmLog.bin -k privateRimKey.pem -p RimSignCert.pem -e - * And then validates it: - * -v [base RIM] -l TpmLog.bin -t RimCertChain.pem - */ - @Test - public void testCreateBasePemCertEmbedded() { - gateway.setDefaultCredentials(false); - gateway.setTruststoreFile(""); - gateway.setPemCertificateFile(SIGNING_CERT_FILE); - gateway.setPemPrivateKeyFile(PRIVATE_KEY_FILE); - gateway.setEmbeddedCert(true); - gateway.generateSwidTag(DEFAULT_OUTPUT); - expectedFile = TestSwidTagGateway.class.getClassLoader() - .getResourceAsStream(BASE_USER_CERT_EMBED); - Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); - Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT)); - } + /** + * This test creates the following base RIM: + * -c base -l TpmLog.bin -k privateRimKey.pem -p RimSignCert.pem -e + * And then validates it: + * -v [base RIM] -l TpmLog.bin -t RimCertChain.pem + */ + @Test + public void testCreateBasePemCertEmbedded() { + gateway.setDefaultCredentials(false); + gateway.setTruststoreFile(""); + gateway.setPemCertificateFile(SIGNING_CERT_FILE); + gateway.setPemPrivateKeyFile(PRIVATE_KEY_FILE); + gateway.setEmbeddedCert(true); + gateway.generateSwidTag(DEFAULT_OUTPUT); + expectedFile = TestSwidTagGateway.class.getClassLoader() + .getResourceAsStream(BASE_USER_CERT_EMBED); + Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); + 
Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT, PEM)); + } - /** - * This test corresponds to: - * -c base -l TpmLog.bin -t RimCertChain.pem -k privateRimKey.pem -e - * And then validates it: - * -v [base RIM] -l TpmLog.bin -t RimCertChain.pem - */ - @Test - public void testCreateBasePemTruststoreEmbedded() { - gateway.setDefaultCredentials(false); - gateway.setTruststoreFile(CA_CHAIN_FILE); - gateway.setPemCertificateFile(""); - gateway.setPemPrivateKeyFile(PRIVATE_KEY_FILE); - gateway.setEmbeddedCert(true); - gateway.generateSwidTag(DEFAULT_OUTPUT); - expectedFile = TestSwidTagGateway.class.getClassLoader() - .getResourceAsStream(BASE_TRUSTSTORE_EMBED); - Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); - Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT)); - } + /** + * This test corresponds to: + * -c base -l TpmLog.bin -t RimCertChain.pem -k privateRimKey.pem -e + * And then validates it: + * -v [base RIM] -l TpmLog.bin -t RimCertChain.pem + */ + @Test + public void testCreateBasePemTruststoreEmbedded() { + gateway.setDefaultCredentials(false); + gateway.setTruststoreFile(CA_CHAIN_FILE); + gateway.setPemCertificateFile(""); + gateway.setPemPrivateKeyFile(PRIVATE_KEY_FILE); + gateway.setEmbeddedCert(true); + gateway.generateSwidTag(DEFAULT_OUTPUT); + expectedFile = TestSwidTagGateway.class.getClassLoader() + .getResourceAsStream(BASE_TRUSTSTORE_EMBED); + Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); + Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT, PEM)); + } - /** - * This test corresponds to the arguments: - * -c base -l TpmLog.bin -d - */ - @Test - public void testCreateBaseDefaultCert() { - gateway.setDefaultCredentials(true); - gateway.setTruststoreFile(JKS_KEYSTORE_FILE); - gateway.generateSwidTag(DEFAULT_OUTPUT); - expectedFile = TestSwidTagGateway.class.getClassLoader() - .getResourceAsStream(BASE_DEFAULT_CERT); - Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); - 
Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT)); - } + /** + * This test corresponds to the arguments: + * -c base -l TpmLog.bin -d + */ + @Test + public void testCreateBaseDefaultCert() { + gateway.setDefaultCredentials(true); + gateway.setTruststoreFile(JKS_KEYSTORE_FILE); + gateway.generateSwidTag(DEFAULT_OUTPUT); + expectedFile = TestSwidTagGateway.class.getClassLoader() + .getResourceAsStream(BASE_DEFAULT_CERT); + Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); + Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT, "DEFAULT")); + } - /** - * This test corresponds to the arguments: - * -c base -l TpmLog.bin -d --timestamp rfc3339 2023-01-01T00:00:00Z - */ - @Test - public void testCreateTimestampRfc3339() { - gateway.setDefaultCredentials(true); - gateway.setTruststoreFile(JKS_KEYSTORE_FILE); - gateway.setTimestampFormat("RFC3339"); - gateway.setTimestampArgument("2023-01-01T00:00:00Z"); - gateway.generateSwidTag(DEFAULT_OUTPUT); - expectedFile = TestSwidTagGateway.class.getClassLoader() - .getResourceAsStream(BASE_RFC3339_TIMESTAMP); - Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); - Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT)); - } + /** + * This test corresponds to the arguments: + * -c base -l TpmLog.bin -d --timestamp rfc3339 2023-01-01T00:00:00Z + */ + @Test + public void testCreateTimestampRfc3339() { + gateway.setDefaultCredentials(true); + gateway.setTruststoreFile(JKS_KEYSTORE_FILE); + gateway.setTimestampFormat("RFC3339"); + gateway.setTimestampArgument("2023-01-01T00:00:00Z"); + gateway.generateSwidTag(DEFAULT_OUTPUT); + expectedFile = TestSwidTagGateway.class.getClassLoader() + .getResourceAsStream(BASE_RFC3339_TIMESTAMP); + Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); + Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT, JKS)); + } - /** - * This test corresponds to the arguments: - * -c base -l TpmLog.bin -d --timestamp rfc3852 
countersignature.file - */ - @Test - public void testCreateTimestampRfc3852() { - gateway.setDefaultCredentials(true); - gateway.setTruststoreFile(JKS_KEYSTORE_FILE); - gateway.setTimestampFormat("RFC3852"); - gateway.setTimestampArgument(RFC3852_COUNTERSIGNATURE_FILE); - gateway.generateSwidTag(DEFAULT_OUTPUT); - expectedFile = TestSwidTagGateway.class.getClassLoader() - .getResourceAsStream(BASE_RFC3852_TIMESTAMP); - Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); - Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT)); - } + /** + * This test corresponds to the arguments: + * -c base -l TpmLog.bin -d --timestamp rfc3852 countersignature.file + */ + @Test + public void testCreateTimestampRfc3852() { + gateway.setDefaultCredentials(true); + gateway.setTruststoreFile(JKS_KEYSTORE_FILE); + gateway.setTimestampFormat("RFC3852"); + gateway.setTimestampArgument(RFC3852_COUNTERSIGNATURE_FILE); + gateway.generateSwidTag(DEFAULT_OUTPUT); + expectedFile = TestSwidTagGateway.class.getClassLoader() + .getResourceAsStream(BASE_RFC3852_TIMESTAMP); + Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); + Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT, JKS)); + } - /** - * This test corresponds to the arguments: - * -v - */ + /** + * This test corresponds to the arguments: + * -v + */ - public void testValidateSwidTag() { - String filepath = TestSwidTagGateway.class.getClassLoader() - .getResource(BASE_USER_CERT).getPath(); - System.out.println("Validating file at " + filepath); - Assert.assertTrue(validator.validateSwidTag(filepath)); - } + public void testValidateSwidTag() { + String filepath = TestSwidTagGateway.class.getClassLoader() + .getResource(BASE_USER_CERT).getPath(); + System.out.println("Validating file at " + filepath); + Assert.assertTrue(validator.validateSwidTag(filepath, PEM)); + } - /** - * This method compares two files by bytes to determine if they are the same or not. 
- * @param file to be compared to the expected value. - * @return true if they are equal, false if not. - */ - private boolean compareFileBytesToExpectedFile(String file) { - FileInputStream testFile = null; - try { - int data; - testFile = new FileInputStream(file); - while ((data = testFile.read()) != -1) { - int expected = expectedFile.read(); - if (data != expected) { - System.out.println("Expected: " + expected); - System.out.println("Got: " + data); - return false; - } - } - } catch (FileNotFoundException e) { - e.printStackTrace(); - return false; - } catch (IOException e) { - e.printStackTrace(); - return false; - } catch (NullPointerException e) { - e.printStackTrace(); - return false; - } finally { - if (testFile != null) { - try { - testFile.close(); - } catch (IOException e) { - e.printStackTrace(); - return false; - } - } - if (expectedFile != null) { - try { - expectedFile.close(); - } catch (IOException e) { - e.printStackTrace(); - return false; - } - } - } - return true; - } + /** + * This method compares two files by bytes to determine if they are the same or not. + * + * @param file to be compared to the expected value. + * @return true if they are equal, false if not. 
+ */ + private boolean compareFileBytesToExpectedFile(String file) { + FileInputStream testFile = null; + try { + int data; + testFile = new FileInputStream(file); + while ((data = testFile.read()) != -1) { + int expected = expectedFile.read(); + if (data != expected) { + System.out.println("Expected: " + expected); + System.out.println("Got: " + data); + return false; + } + } + } catch (FileNotFoundException e) { + e.printStackTrace(); + return false; + } catch (IOException e) { + e.printStackTrace(); + return false; + } catch (NullPointerException e) { + e.printStackTrace(); + return false; + } finally { + if (testFile != null) { + try { + testFile.close(); + } catch (IOException e) { + e.printStackTrace(); + return false; + } + } + if (expectedFile != null) { + try { + expectedFile.close(); + } catch (IOException e) { + e.printStackTrace(); + return false; + } + } + } + return true; + } } 
diff --git a/tools/tcg_rim_tool/src/test/resources/keystore.jks b/tools/tcg_rim_tool/src/test/resources/keystore.jks index 2877d7f4c9d5c1f8d1b80c74e05e60b1e1652a2b..3c4bd3162415b48932480586f450d91fc0e52ae1 100644 GIT binary patch delta 2345 zcmV+^3D)-V5ri3k{_Xzl00002000010000100A)o00D+|?MlD^00jatf&~6B4h9M< z1_1;CDgqG!0R;dAf&}WZB%Q;68%e#LX&b&byw&sDV|fM$x(0}xS%7>a?IW3YZ9~LW zm<7%!+uG0@2dcJO>#PQjH?z^j&Z&@9U$7PwaL+MLY_)TL7S^!P8WTv>KI^MkyFZWJ zDGaEsi0WlsCdn1guIxG$Hhdwp zADvCdYF~hX;xc)Gr8S81$*7g62atRjw~dWGNEL!O^S~uHsRiXd2F{B&(!Mba$vY>K zKM(C&5rFo8M))Gc2aT*a*zFouq7LFD_@hVExs2FDpQ|7}Ayr8|<~wt`9BS+Hqjmh- zbrcgnt88g3eq;z5<$%cII%X9mr=G;~d!HOEI})*PW-XMtLzjxcgT}(-UhrJ2Exn&n z;Dd&@ACO9n?vM}O33H|CgG9VI|OwmaX`$L%eD3okEtl%rs)sRu+XypAg=|3kzu zo}daUx$*^pIv)*KUmVGV?-G%plQM>9 z2-WF+(h(lI0+oNb>2i!WqGVno*6=~uCj>ks;gY%s0X~9Kgzhbs&?y^oM^=lE+2*y}J$-JC>aPTY6>(2wtwLpQ11TBDZ}^H{spR@uF*|0! zUJf0yNajNKPrh`pcLO{o4ldJ;h`-d z;Ck``>qTnfyqs?1n7Rz1om?L%ryv#;8TsD1?Z{jqE47Zy)5ZNNRRAi#kJms)hB-HX zB%`Wq`l0D7kaT3dLlx-hUJ0W^nqELu-=ayVU4n|i7cx(7;VpEAY?vzEyL9=(gHQEc|2gWwvr{fLC>cogYHtb3e4fm*9I>ho zSdeZe9HR97y!HYMjof0YA%E)|U1EFIs!48AhOg9rNvuXoD7;Uhp#>k4xLv?0Q}a8#_U5I7DU-)dvf*bo z&Gh^E9R9QU%`Uhey##%crc{H*of@HlJbj~cm*BX5Qis!i@hw0$IxDnW&ue1cF+BAs zBiUDr2;y=rgWecn5O7H}zhCfc8WaBF@gRo?Tyz7zU`QIJ6j}oS5G4*T2`0?w?0%u; z%u3sV=;LHc=O*)aI?8c;TnN3xVdiN$Z6!)C(&c^nxb(~b0007$E(IG1f~Cvuo03*# zlTih07&b96F*Y?bFfm#e4Kpw>G%_$THZ?OaF|*VK3Icz%m~AI$O%~u!Z@M$#$_M)` zam*G&53`$=%K0&SjMjlTG(>d5m9vE<0)C`o&T`mN8>`3*tXL-$`4Fo?_Po)QMh7}B z494si&)Umb2teC6TS|_26~DnghZ^LsWXA9sof&Nr`h*q`oJMMhUs$@Dla`5_D|E{{ zA^Arr8!~^DMCbbcx9AWv-kpc@`DrDwcr8Ix#8o*JV0W~;nzI%YvA2ZjjEw?x2ut2f zFSj`#%=TzREafnb9g;)I%@1Wgnmp@-kC{fl+A;)o*bXaf%|((|5qrjQ$JKEN0lTih088R_2F*h^+D5I-Il-O51V3UVCWNe)**3sk+|GWa>t{j<-S8bn;{1P?wo3N23aLUVUt|XQt^2<(GR?U5<=K(WN1H^1Le44B_ z#WLT7moHEgsOo!EDO(8=>Y4sN4F#nILwDSN5&n_x? 
zaRLJY00E<8Fkvtq1_M!H1Ox*D0fsOQ1_>&LNQU2V7PtCCtv%-k73CE26xcT%ugTW6CEkjAMxH?{pP!W1A?^V<%e8M_I^)TxT3#k#&G#0nqiL&lXy(I3;z@lGBKg{D;eoKW|r zzU^DRIdeY(-=oEcFs|Pypg(F=@=^K}Fdp9L)9BD@d4iuCU+D~uBa^KmXyK&(A&Uxo zFzut3wse`65+#>Z;=JIqV*bNXl4{t0%%LJ0)N++mxAWM{z=j}4a71c;;?s7HE4RI| zqG>6xsaK8s<*wR{u7#e+^W<=fTy{Q%&$0E5vnB@QO|Bv@Z`=9w0)A>T4Y8j(_ppmp zI4$Tk4e|HEe7`E8X1J(&y{~e9jowtWm5SB^3gmnp_k3c0c()4zC;8d?rMPN;q?Cwm zTj};m9~Yo~Q~*iCeMhkBL%=M87BEbPOQ;$BD)5kxT6RdAZ(?4+=!3KJ>ao|>1nPCt zhtD1ewfB>ui$$k6!CY;_j$!1M1iUU^w158fx7(ICs+*qEW!<*}e~98k?>oI?x$ncv z4bwhw#%?~vBc9`D$lw(fXb*ya#gpk1H?8)8_2kV7fkua(cxko7N8SWaVxGs&E}_Fr zw4bP3d1@T0$%i%)lM8o)>VjA=I##6GF`U3Ye_k3lyx8MN>+{Y<2=S0sCHypU4<;qj zTUClK+>=6y?LEl!YoIy5XSCBD_J7gt&`)M88hR0)V#72L>G!<}>$bRm-*)bi;wevZ z-y;!rgDL=I=IG(W^1RIh(;n+w3MeY?J9khH2n6itfsJDn={jv<$s5cCMex_Tkp-UT_?7yih zQ{2&@V2E}6drtpS7bb~7wnK@336jaGZILI|zq9z#gnXzyc1HATCk+CVm34A=P#0FN z;(KGVz`D}m9_pb2qqnkqK;B~MeWU3~snUH?pRrJ{C3k{Jj-JLdRI)gGR+v=-V0ccx zmzFr}R|Vm^aK;0Fwo%*tiydPiij-rO=x-4lgOGZq)#l0UOCB(~g%Ee%NebSb!j$}h za2I77tHwa0QekpJYj z!t)RMv8TIV=N128g{>(^;{oJF=>jP~7`cWvimbdCP?Ly?!@7NGTZQFlU`Zw5y+-&= zhn2VGqW@Hl8;j-6pZ^u&M!39uS^cuEhsVy;##;#;;Oa{4ateR46TNwZyuN`SJ&|FP z4Fwk@0RRP9E;TSY000A}FoFZ2FoFV!paTK{0s;vD@P4nQL4+CklSlF)=tXI59CYGPBDC3Icy+*c-jZna2nxo_VNY<-)g?FSOQSAW+3CaVH;KL*7q39E#I)<5W|!XQnmk-0p7 zSjHMhLs~33_?tAdmogijAp}^{ARws+{xIoRVXZ8+e;|?v?Nkuay4#E^Ba?rBhPrpe z)N!%4Mtrk7{*v{&xNz{;E~SwK&zczD9@9k@OsYYbuk{g6Fp!WsS=nVPXS|tN7f|(> z$aLA#q$jP2t}ea$$-pz507J|`D36OwWw^)z`>b-@x*81emsOj|lE~?d@>~M&X^ZP} sw99)Ta-LGLxF^G&y;1;h% Date: Wed, 1 Mar 2023 23:48:06 -0500 Subject: [PATCH 5/6] Fix unit tests --- .../main/java/hirs/swid/SwidTagConstants.java | 2 +- .../test/java/hirs/swid/TestSwidTagGateway.java | 16 ++-------------- 2 files changed, 3 insertions(+), 15 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java index 8abfb915..1f2331a4 100644 
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java @@ -11,7 +11,7 @@ import javax.xml.namespace.QName; */ public class SwidTagConstants { - public static final String DEFAULT_KEYSTORE_FILE = "/opt/hirs/rimtool/keystore.jks"; + public static final String DEFAULT_KEYSTORE_FILE = "keystore.jks";//"/opt/hirs/rimtool/keystore.jks"; public static final String DEFAULT_KEYSTORE_PASSWORD = "password"; public static final String DEFAULT_PRIVATE_KEY_ALIAS = "1"; public static final String DEFAULT_ATTRIBUTES_FILE = "/opt/hirs/rimtool/rim_fields.json"; diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java index 4b6b694f..4d4960b3 100644 --- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java +++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java @@ -142,7 +142,7 @@ public class TestSwidTagGateway { expectedFile = TestSwidTagGateway.class.getClassLoader() .getResourceAsStream(BASE_RFC3339_TIMESTAMP); Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); - Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT, JKS)); + Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT, "DEFAULT")); } /** 
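Review bot: `DEFAULT_KEYSTORE_FILE` is now the bare relative name `"keystore.jks"`, which the `--default-key` path will resolve against whatever directory the tool is invoked from rather than the rimtool installation, so a stray or planted keystore.jks in the caller's working directory would presumably be picked up silently as the signing credential as long as it opens with the default alias and password. The commit is titled "Fix unit tests", which suggests a test-environment setting has leaked into the production default, and the old path survives only as a trailing commented-out literal that should be deleted either way. Keep the absolute path as the default and let the tests override it, e.g. `public static final String DEFAULT_KEYSTORE_FILE = System.getProperty("hirs.rimtool.keystore", "/opt/hirs/rimtool/keystore.jks");`, then point the test JVM at the resource copy. The remainder of SwidTagConstants is outside the hunk.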
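Review bot: The replaced assertion passes the bare literal `"DEFAULT"` to `validateSwidTag` while the neighbouring tests pass the `JKS` and `PEM` symbols, so one of the validator's accepted format tokens now lives as a magic string in the test; define it once next to the others, `private static final String DEFAULT = "DEFAULT";`, and use that. More importantly, the test signs with the truststore set by `gateway.setTruststoreFile(JKS_KEYSTORE_FILE)` but now validates in "DEFAULT" mode, which presumably makes the validator load `DEFAULT_KEYSTORE_FILE` instead; if so the test only passes while both names resolve to the same keystore.jks, and that coupling deserves a comment such as `// "DEFAULT" validation loads DEFAULT_KEYSTORE_FILE, which must be the same keystore the gateway signed with.` The enclosing test method starts outside the hunk.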
@@ -159,19 +159,7 @@ public class TestSwidTagGateway { expectedFile = TestSwidTagGateway.class.getClassLoader() .getResourceAsStream(BASE_RFC3852_TIMESTAMP); Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); - Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT, JKS)); - } - - /** - * This test corresponds to the arguments: - * -v - */ - - public void testValidateSwidTag() { - String filepath = TestSwidTagGateway.class.getClassLoader() - .getResource(BASE_USER_CERT).getPath(); - System.out.println("Validating file at " + filepath); - Assert.assertTrue(validator.validateSwidTag(filepath, PEM)); + Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT, "DEFAULT")); } /** From 4620fa33c7e8a121f227e8a4078230e01ca847b2 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 28 Mar 2023 12:34:59 -0400 Subject: [PATCH 6/6] Add KeyName to all signed swidtags without embedded signing certs. Specify keystore.jks as the signing credential used by --default-key. --- tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java | 2 ++ tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java | 2 +- .../tcg_rim_tool/src/test/resources/generated_user_cert.swidtag | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 17df6d08..9e8e197d 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -617,6 +617,8 @@ public class SwidTagGateway { X509Data data = kiFactory.newX509Data(x509Content); keyInfoElements.add(data); } else { + KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier()); + keyInfoElements.add(keyName); keyInfoElements.add(kiFactory.newKeyValue(certificate.getPublicKey())); } } 
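Review bot: Deleting `testValidateSwidTag` removes the only test that ran the validator against a checked-in swidtag resource (`BASE_USER_CERT`) rather than a freshly generated file, and because the method carried no `@Test` annotation it was never executing, so the deletion hides that the standalone `-v` path was untested instead of fixing it. If the checked-in resource still validates, restoring it is a three-line change: `@Test`, `public void testValidateSwidTag() {`, followed by the existing body ending in `Assert.assertTrue(validator.validateSwidTag(filepath, PEM));`. If it no longer validates because the signed resource was regenerated with a different key, that is worth stating in the commit message rather than dropping the test silently. The `"DEFAULT"` literal introduced on the surviving assertion should likewise be a named constant alongside `JKS` and `PEM`.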
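Review bot: `kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier())` has no guard for a signing certificate that carries no SubjectKeyIdentifier extension; if the helper reports that as null, `XMLSignatureFactory.newKeyName` throws NullPointerException, and if it reports an empty string the tag gets an empty `<KeyName/>` that identifies nothing. Guard the lookup: `String skid = cp.getCertificateSubjectKeyIdentifier();` then `if (skid != null && !skid.isEmpty()) keyInfoElements.add(kiFactory.newKeyName(skid));`. A KeyName is only an unauthenticated lookup hint, not proof of the key: a verifier must resolve the SKID to a certificate in its own truststore and check the signature against that certificate's key, never against the embedded `KeyValue` that follows, and a comment above these lines such as `// KeyName carries the signer's SKID as an unauthenticated hint; the validator must resolve it against its truststore.` would keep the next maintainer from relying on it. The enclosing method begins and ends outside the hunk.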
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index afd61626..bdb448ae 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java @@ -43,7 +43,7 @@ public class Commander { description = "Embed the provided certificate in the signed swidtag.") private boolean embedded = false; @Parameter(names = {"-d", "--default-key"}, order = 8, - description = "Use default signing credentials.") + description = "Use keystore.jks from the rimtool installation to sign.") private boolean defaultKey = false; @Parameter(names = {"-l", "--rimel "}, order = 9, required = true, description = "The TCG eventlog file to use as a support RIM.") diff --git a/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag index eaf50f57..b9588ce9 100644 --- a/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag +++ b/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag @@ -26,6 +26,7 @@ tA598YY7o0Hf6hK5qO8oWGQxXUKfpUwvtGLxHpbDWYFuVSPa+uk6OTzutt/QyzTERzxyO9Le1i6K nrpzh4lgHn6EfGs6HR1ffdHQ069q0bE61zDx0VC18nK9DmszW6p6FlMzApiTVW/4PiVt+dSFeVGR 9///OdtxcoBCeofDDFPRyO+s+kY1pXd92Q3nfg== + 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx