diff --git a/tools/tcg_rim_tool/rim_fields.json b/tools/tcg_rim_tool/rim_fields.json
index 179cdd63..faeff38d 100644
--- a/tools/tcg_rim_tool/rim_fields.json
+++ b/tools/tcg_rim_tool/rim_fields.json
@@ -32,9 +32,7 @@
  "Directory": {
  "name": "iotBase",
  "File": {
- "name": "Example.com.iotBase.bin",
- "size": "15400",
- "hash": "688e293e3ccb522f6cf8a027c9ade7960f84bd0bf3a0b99812bc1fa498a2db8d"
+ "name": "TpmLog.bin"
  }
  }
  }
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java
index 5cd44508..8e15c03b 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java
@@ -61,6 +61,16 @@ public class CredentialParser {
  publicKey = certificate.getPublicKey();
  }
+ /**
+ * This method returns the PublicKey object from a PEM certificate file.
+ * @param certificateFile
+ * @return
+ * @throws FileNotFoundException
+ */
+ public PublicKey parseKeyFromPEMCertificate(String certificateFile) throws FileNotFoundException {
+ return parsePEMCertificate(certificateFile).getPublicKey();
+ }
+
  /**
  * This method returns the X509Certificate found in a PEM file.
  * @param filename
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
index f46f636b..fd269b4b 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
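Review bot: The Javadoc on the new `parseKeyFromPEMCertificate` leaves `@param certificateFile` and `@return` empty, so it tells a caller nothing the signature does not already say. Suggest `@param certificateFile path to a PEM-encoded X.509 certificate file` and `@return the public key carried by that certificate`, and on `@throws FileNotFoundException` say that it is propagated from `parsePEMCertificate` when the path cannot be opened. Since the method makes no trust decision of its own (it returns whatever key is in the file), a one-line note that the caller is responsible for treating the file as a trust anchor would help; the only caller added in this commit is the signature validator.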
@@ -24,10 +24,13 @@ public class Main {
  System.out.println(commander.toString());
  String verifyFile = commander.getVerifyFile();
  String rimel = commander.getRimEventLog();
- //String publicCertificate = commander.getPublicCertificate();
+ String certificateFile = commander.getPublicCertificate();
  if (!verifyFile.isEmpty()) {
  if (!rimel.isEmpty()) {
- gateway.setRimEventLog(rimel);
+ validator.setRimEventLog(rimel);
+ }
+ if (!certificateFile.isEmpty()) {
+ validator.setCertificateFile(certificateFile);
  }
  try {
  validator.validateSwidTag(verifyFile);
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
index 639b6b8c..6d191c7f 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
@@ -424,6 +424,8 @@ public class SwidTagGateway {
  cp.parseJKSCredentials();
  privateKey = cp.getPrivateKey();
  publicKey = cp.getPublicKey();
+ KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier());
+ keyInfoElements.add(keyName);
  } else {
  cp.parsePEMCredentials(pemCertificateFile, pemPrivateKeyFile);
  X509Certificate certificate = cp.getCertificate();
@@ -435,8 +437,6 @@ public class SwidTagGateway {
  X509Data data = kiFactory.newX509Data(x509Content);
  keyInfoElements.add(data);
  }
- KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier());
- keyInfoElements.add(keyName);
  KeyValue keyValue = kiFactory.newKeyValue(publicKey);
  keyInfoElements.add(keyValue);
  KeyInfo keyinfo = kiFactory.newKeyInfo(keyInfoElements);
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java
index 008060c9..2b88f71e 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java
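Review bot: After the move in the `@@ -424` and `@@ -435` hunks of SwidTagGateway, a JKS-signed tag's KeyInfo carries only a KeyName (the signer's subject key identifier) while a PEM-signed tag carries X509Data and no KeyName, and nothing in the code says this asymmetry is intended. Suggest a comment above the new `KeyName` lines such as `// JKS path: no certificate is embedded, so publish only the signer's SKID; the verifier must resolve it against its own trust store.` and a matching one on the PEM branch. It is worth confirming that the validator actually resolves a KeyName, because the validator change in this commit falls back to an external `-p` certificate only when no X509Data is present, which would leave the KeyName unused; `X509KeySelector` is not in view, so this is inferred. The enclosing method begins and ends outside these hunks.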
@@ -23,6 +23,7 @@ import javax.xml.transform.stream.StreamSource;
  import javax.xml.validation.Schema;
  import javax.xml.validation.SchemaFactory;
  import java.io.File;
+import java.io.FileNotFoundException;
  import java.io.IOException;
  import java.io.InputStream;
  import java.security.Key;
@@ -32,11 +33,27 @@ import java.util.Iterator;
  public class SwidTagValidator {
  private Unmarshaller unmarshaller;
+ private String rimEventLog;
+ private String certificateFile;
+
+ /**
+ * Setter for rimel file path.
+ * @param rimEventLog
+ */
+ public void setRimEventLog(String rimEventLog) {
+ this.rimEventLog = rimEventLog;
+ }
+
+ public void setCertificateFile(String certificateFile) {
+ this.certificateFile = certificateFile;
+ }
  public SwidTagValidator() {
  try {
  JAXBContext jaxbContext = JAXBContext.newInstance(SwidTagConstants.SCHEMA_PACKAGE);
  unmarshaller = jaxbContext.createUnmarshaller();
+ rimEventLog = "";
+ certificateFile = "";
  } catch (JAXBException e) {
  System.out.println("Error initializing JAXBContext: " + e.getMessage());
  }
@@ -65,7 +82,12 @@ public class SwidTagValidator {
  * This method validates a hirs.swid.xjc.File from an indirect payload
  */
  private boolean validateFile(Element file) {
- String filepath = file.getAttribute(SwidTagConstants.NAME);
+ String filepath;
+ if (!rimEventLog.isEmpty()) {
+ filepath = rimEventLog;
+ } else {
+ filepath = file.getAttribute(SwidTagConstants.NAME);
+ }
  System.out.println("Support rim found at " + filepath);
  if (HashSwid.get256Hash(filepath).equals(
  file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" +
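Review bot: The `rimEventLog = "";` and `certificateFile = "";` defaults in the constructor sit inside the `try` after the two JAXB calls, so a `JAXBException` leaves both fields `null` and the later `rimEventLog.isEmpty()` in `validateFile` and `certificateFile.isEmpty()` in `validateSignedXMLDocument` throw NPE instead of reporting the missing input. Initialise the fields at their declaration, `private String rimEventLog = "";` and `private String certificateFile = "";`, and have the setters normalise, `this.certificateFile = certificateFile == null ? "" : certificateFile;` (same for `rimEventLog`), since "" is clearly the sentinel the code relies on. `setCertificateFile` also lacks the Javadoc its sibling has; suggest `Setter for the PEM certificate used to verify the signature when the tag embeds no certificate.`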
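Review bot: In `validateFile` the new branch silently replaces the file name the signed tag names with the operator's `-l` path, and the only trace is the unchanged "Support rim found at" message; the hash comparison against the tag's SHA-256 attribute still runs, so content integrity is preserved, but the intent should be stated, e.g. `// -l overrides the payload's File name; the SHA-256 in the signed tag still binds the content.` If this method is invoked once per File element in the payload (the caller is outside the hunk), every element is then compared against the same override path and at most one can match, so the override is only meaningful for single-file payloads; worth a comment or a check either way.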
@@ -84,13 +106,25 @@ public class SwidTagValidator {
  * @param doc
  */
  private boolean validateSignedXMLDocument(Document doc) {
+ DOMValidateContext context = null;
  boolean isValid = false;
  try {
  NodeList nodes = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
  if (nodes.getLength() == 0) {
  throw new Exception("Signature element not found!");
  }
- DOMValidateContext context = new DOMValidateContext(new SwidTagValidator.X509KeySelector(), nodes.item(0));
+ NodeList embeddedCert = doc.getElementsByTagName("X509Data");
+ if (embeddedCert.getLength() > 0) {
+ context = new DOMValidateContext(new SwidTagValidator.X509KeySelector(), nodes.item(0));
+ } else {
+ CredentialParser cp = new CredentialParser();
+ if (!certificateFile.isEmpty()) {
+ context = new DOMValidateContext(cp.parseKeyFromPEMCertificate(certificateFile), nodes.item(0));
+ } else {
+ System.out.println("Signing certificate not found for validation!");
+ System.exit(1);
+ }
+ }
  XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM");
  XMLSignature signature = sigFactory.unmarshalXMLSignature(context);
  isValid = signature.validate(context);
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
index 678b1da7..2fb0652d 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
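Review bot: The embedded-certificate probe on the new `NodeList embeddedCert = doc.getElementsByTagName("X509Data");` line is namespace-unaware, unlike the `getElementsByTagNameNS(XMLSignature.XMLNS, "Signature")` lookup three lines above, so a tag that prefixes its dsig elements (`ds:X509Data`) is treated as carrying no certificate and falls through to the `-p` path; use `doc.getElementsByTagNameNS(XMLSignature.XMLNS, "X509Data")`. The branch order also lets a certificate embedded in the document win over the one the operator supplied with `-p`, so an explicitly given trust anchor is silently ignored whenever the tag carries its own X509Data, and unless `X509KeySelector` (not in view) pins or chain-checks that certificate the signature is then verified against a key the unverified document chose. Prefer the operator's certificate when one is configured, and replace `System.exit(1)` in a boolean-returning method with `return false` so the caller decides how to fail. The method's `catch` and final `return` lie outside the hunk.
```java
private boolean validateSignedXMLDocument(Document doc) {
    DOMValidateContext context = null;
    boolean isValid = false;
    try {
        // … unchanged: locate the Signature element, throw if absent …
        if (!certificateFile.isEmpty()) {
            // An operator-supplied certificate is the trust anchor; it takes
            // precedence over whatever the (not yet verified) document embeds.
            CredentialParser cp = new CredentialParser();
            context = new DOMValidateContext(cp.parseKeyFromPEMCertificate(certificateFile), nodes.item(0));
        } else if (doc.getElementsByTagNameNS(XMLSignature.XMLNS, "X509Data").getLength() > 0) {
            context = new DOMValidateContext(new SwidTagValidator.X509KeySelector(), nodes.item(0));
        } else {
            System.out.println("Signing certificate not found for validation!");
            return false;
        }
        // … unchanged: unmarshal and validate the signature …
```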
@@ -96,10 +96,15 @@ public class Commander {
  sb.append("Create a base RIM using the values in attributes.json; " +
  "sign it with the default keystore, alias, and password;\n");
  sb.append("and write the data to base_rim.swidtag:\n\n");
- sb.append("\t\t-c base -a attributes.json -l support_rim.swidtag -o base_rim.swidtag\n\n\n");
+ sb.append("\t\t-c base -a attributes.json -l support_rim.bin -o base_rim.swidtag\n\n\n");
  sb.append("Create a base RIM using the default attribute values; sign it using privateKey.pem;\n");
- sb.append("and write the data to console output, to include cert.pem in the signature block:\n\n");
- sb.append("\t\t-c base -l support_rim.swidtag -k privateKey.pem -p cert.pem\n\n\n");
+ sb.append("and write the data to console output, to embed cert.pem in the signature block:\n\n");
+ sb.append("\t\t-c base -l support_rim.bin -k privateKey.pem -p cert.pem\n\n\n");
+ sb.append("Validate a base RIM using an external support RIM to override the payload file:\n\n");
+ sb.append("\t\t-v base_rim.swidtag -l support_rim.bin\n\n\n");
+ sb.append("Validate a base RIM with an external cert:\n\n");
+ sb.append("\t\t-v base_rim.swidtag -p signing_cert.pem\n\n\n");
+
  return sb.toString();
  }
diff --git a/tools/tcg_rim_tool/src/test/resources/generated_no_cert.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_no_cert.swidtag
index 0cde8738..96a73c73 100644
--- a/tools/tcg_rim_tool/src/test/resources/generated_no_cert.swidtag
+++ b/tools/tcg_rim_tool/src/test/resources/generated_no_cert.swidtag
@@ -5,7 +5,7 @@ - +
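Review bot: The new help line `Validate a base RIM with an external cert:` reads as if `-p` always selects the verification key, but the validator change in this commit consults `-p` only when the tag embeds no X509Data, so a user following this example against a tag that carries its own certificate has the file silently ignored. Either state the condition in the text, e.g. `sb.append("Validate a base RIM whose signature block embeds no certificate, using an external cert:\n\n");`, or change the validator so the option means what this line implies. The `-l` example above it does describe the override accurately.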
@@ -17,14 +17,14 @@ - HEzVxviL8a3g7VhLtkMDabH2f9n/3mPwEg1NRJBYLA0= + jpPZu16C8KjtwY2JpJuyR3SBc2XclVEaVsv/DgyZKTM= - Qjg51EQPVS5paqBbw8e0b8lu4yqzWUEdvE2S64bvt59f6LPaG+1EDgQCimgXMdIg/+tSR4Wou6Hr -u0ym8K6RqoipWBbF2KNVtR8vCavJblVA+6tCd+iLnFiQ/b2Zud/v/DZq89wQ/hKX0WoskSy/3tiT -ariMcpP75dYO1b/tYkMshPo0/F0p39VoZxhGDahmYTRT0Wt4KQeIVe/4nDXEu+EbIi18yHVHYFWq -uO/hC+BoKd/xBKmQnhtGkT4y3vETOoCr0TOHpRUClKC/nL0FhL9hPtpwhPBhakLtbi1WOwBnpxjV -zFAR1SzeOG87S2Cl8pSDXjwfzHzzcPaJKpXj2g== + pWPozFWH2oytfgZse1Ai769c/cBFS/vapKj27asI8XDLdK8FkNs2K/+OTf4lScBiPLTCvWPIihoe +hielmV8dWZqvR2z09pr+yCF7q/E8sCGhQXSsVlNZjElMXk2Qz2c6C9XtRk4UNmSfTSYsKEm2AST4 +oh6da+x1CeSHipALfuZZrXwa2AMtc9yTNfqaQFBxRqEDeTypLwNQqdr9va2T8C9ZNnEzooTf5FWw +OUqc+Ewk5V9ZyOJ/0UdUxs40mGPpsIG90ikx59eu1A4qP4BzjHR3vrNbYDA4hBeIpDHC4vzwJrR4 +xqXw1SLqAm8ngL9Haj2Ww+y0PEZfo++JlOMZuQ== 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 diff --git a/tools/tcg_rim_tool/src/test/resources/generated_with_cert.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_with_cert.swidtag index e1ae7ed4..a48b2fa7 100644 --- a/tools/tcg_rim_tool/src/test/resources/generated_with_cert.swidtag +++ b/tools/tcg_rim_tool/src/test/resources/generated_with_cert.swidtag @@ -5,7 +5,7 @@ - + 
@@ -17,14 +17,14 @@ - HEzVxviL8a3g7VhLtkMDabH2f9n/3mPwEg1NRJBYLA0= + jpPZu16C8KjtwY2JpJuyR3SBc2XclVEaVsv/DgyZKTM= - Qjg51EQPVS5paqBbw8e0b8lu4yqzWUEdvE2S64bvt59f6LPaG+1EDgQCimgXMdIg/+tSR4Wou6Hr -u0ym8K6RqoipWBbF2KNVtR8vCavJblVA+6tCd+iLnFiQ/b2Zud/v/DZq89wQ/hKX0WoskSy/3tiT -ariMcpP75dYO1b/tYkMshPo0/F0p39VoZxhGDahmYTRT0Wt4KQeIVe/4nDXEu+EbIi18yHVHYFWq -uO/hC+BoKd/xBKmQnhtGkT4y3vETOoCr0TOHpRUClKC/nL0FhL9hPtpwhPBhakLtbi1WOwBnpxjV -zFAR1SzeOG87S2Cl8pSDXjwfzHzzcPaJKpXj2g== + pWPozFWH2oytfgZse1Ai769c/cBFS/vapKj27asI8XDLdK8FkNs2K/+OTf4lScBiPLTCvWPIihoe +hielmV8dWZqvR2z09pr+yCF7q/E8sCGhQXSsVlNZjElMXk2Qz2c6C9XtRk4UNmSfTSYsKEm2AST4 +oh6da+x1CeSHipALfuZZrXwa2AMtc9yTNfqaQFBxRqEDeTypLwNQqdr9va2T8C9ZNnEzooTf5FWw +OUqc+Ewk5V9ZyOJ/0UdUxs40mGPpsIG90ikx59eu1A4qP4BzjHR3vrNbYDA4hBeIpDHC4vzwJrR4 +xqXw1SLqAm8ngL9Haj2Ww+y0PEZfo++JlOMZuQ== CN=example.RIM.signer,OU=PCClient,O=Example,ST=VA,C=US @@ -46,7 +46,6 @@ utuMKyOTf4a6d8TUcbG2RnyzO/6S9bq4cPDYLqWRBM+aGN8e00UWTKpBl6/1EU8wkJA6WdllK2e8 mVkXUPWYyHTZ0qQnrYiuLr36ycAznABDzEAoj4tMZbjIAfuscty6Ggzxl1WbyZLI6YzyXALwaYvr crTLeyFynlKxuCfDnr1SAHDM65BY - 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx