Add -p option under -v to validate a self-signed base RIM with an external cert

chubtub 2020-07-21 13:48:25 -04:00
parent a0a2222554
commit 6e36eee1ab
8 changed files with 76 additions and 27 deletions


@ -32,9 +32,7 @@
"Directory": { "Directory": {
"name": "iotBase", "name": "iotBase",
"File": { "File": {
"name": "Example.com.iotBase.bin", "name": "TpmLog.bin"
"size": "15400",
"hash": "688e293e3ccb522f6cf8a027c9ade7960f84bd0bf3a0b99812bc1fa498a2db8d"
} }
} }
} }


@ -61,6 +61,16 @@ public class CredentialParser {
publicKey = certificate.getPublicKey(); publicKey = certificate.getPublicKey();
} }
/**
* This method returns the PublicKey object from a PEM certificate file.
* @param certificateFile
* @return
* @throws FileNotFoundException
*/
public PublicKey parseKeyFromPEMCertificate(String certificateFile) throws FileNotFoundException {
return parsePEMCertificate(certificateFile).getPublicKey();
}
/** /**
* This method returns the X509Certificate found in a PEM file. * This method returns the X509Certificate found in a PEM file.
* @param filename * @param filename
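Review bot: The Javadoc on the new `parseKeyFromPEMCertificate` has empty `@param`, `@return` and `@throws` tags, so it documents nothing a caller needs. Fill them in as `@param certificateFile path to a PEM-encoded X.509 certificate file`, `@return the public key carried by that certificate` and `@throws FileNotFoundException if the file cannot be opened`. Since `parsePEMCertificate` is outside this hunk, confirm it declares no other checked exception before leaving the throws clause as is. It would also help callers to state in the summary sentence that the key is returned as-is, with no validity or trust check on the certificate, because callers such as the validator use it directly as the verification key.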


@ -24,10 +24,13 @@ public class Main {
System.out.println(commander.toString()); System.out.println(commander.toString());
String verifyFile = commander.getVerifyFile(); String verifyFile = commander.getVerifyFile();
String rimel = commander.getRimEventLog(); String rimel = commander.getRimEventLog();
//String publicCertificate = commander.getPublicCertificate(); String certificateFile = commander.getPublicCertificate();
if (!verifyFile.isEmpty()) { if (!verifyFile.isEmpty()) {
if (!rimel.isEmpty()) { if (!rimel.isEmpty()) {
gateway.setRimEventLog(rimel); validator.setRimEventLog(rimel);
}
if (!certificateFile.isEmpty()) {
validator.setCertificateFile(certificateFile);
} }
try { try {
validator.validateSwidTag(verifyFile); validator.validateSwidTag(verifyFile);
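Review bot: The new `certificateFile.isEmpty()` check throws NullPointerException if `Commander.getPublicCertificate()` returns null when `-p` is absent; Commander's field default is outside this hunk, so if it is not initialised to `""` the guard should be `if (certificateFile != null && !certificateFile.isEmpty())`. The pre-existing `rimel.isEmpty()` line has the same dependency. The enclosing `main` starts before this hunk.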


@ -424,6 +424,8 @@ public class SwidTagGateway {
cp.parseJKSCredentials(); cp.parseJKSCredentials();
privateKey = cp.getPrivateKey(); privateKey = cp.getPrivateKey();
publicKey = cp.getPublicKey(); publicKey = cp.getPublicKey();
KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier());
keyInfoElements.add(keyName);
} else { } else {
cp.parsePEMCredentials(pemCertificateFile, pemPrivateKeyFile); cp.parsePEMCredentials(pemCertificateFile, pemPrivateKeyFile);
X509Certificate certificate = cp.getCertificate(); X509Certificate certificate = cp.getCertificate();
@ -435,8 +437,6 @@ public class SwidTagGateway {
X509Data data = kiFactory.newX509Data(x509Content); X509Data data = kiFactory.newX509Data(x509Content);
keyInfoElements.add(data); keyInfoElements.add(data);
} }
KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier());
keyInfoElements.add(keyName);
KeyValue keyValue = kiFactory.newKeyValue(publicKey); KeyValue keyValue = kiFactory.newKeyValue(publicKey);
keyInfoElements.add(keyValue); keyInfoElements.add(keyValue);
KeyInfo keyinfo = kiFactory.newKeyInfo(keyInfoElements); KeyInfo keyinfo = kiFactory.newKeyInfo(keyInfoElements);
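Review bot: Moving the `KeyName` emission into the keystore branch changes the KeyInfo contents produced by the PEM path without saying why, and a reader of this method will not know that the validator decides how to locate the verification key by whether `X509Data` is present. Add a comment above the new `keyName` lines such as `// KeyName is only emitted when no certificate is embedded; validating such a RIM then requires an external cert (-p).` The enclosing method continues beyond both hunks.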


@ -23,6 +23,7 @@ import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema; import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory; import javax.xml.validation.SchemaFactory;
import java.io.File; import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.security.Key; import java.security.Key;
@ -32,11 +33,27 @@ import java.util.Iterator;
public class SwidTagValidator { public class SwidTagValidator {
private Unmarshaller unmarshaller; private Unmarshaller unmarshaller;
private String rimEventLog;
private String certificateFile;
/**
* Setter for rimel file path.
* @param rimEventLog
*/
public void setRimEventLog(String rimEventLog) {
this.rimEventLog = rimEventLog;
}
public void setCertificateFile(String certificateFile) {
this.certificateFile = certificateFile;
}
public SwidTagValidator() { public SwidTagValidator() {
try { try {
JAXBContext jaxbContext = JAXBContext.newInstance(SwidTagConstants.SCHEMA_PACKAGE); JAXBContext jaxbContext = JAXBContext.newInstance(SwidTagConstants.SCHEMA_PACKAGE);
unmarshaller = jaxbContext.createUnmarshaller(); unmarshaller = jaxbContext.createUnmarshaller();
rimEventLog = "";
certificateFile = "";
} catch (JAXBException e) { } catch (JAXBException e) {
System.out.println("Error initializing JAXBContext: " + e.getMessage()); System.out.println("Error initializing JAXBContext: " + e.getMessage());
} }
@ -65,7 +82,12 @@ public class SwidTagValidator {
* This method validates a hirs.swid.xjc.File from an indirect payload * This method validates a hirs.swid.xjc.File from an indirect payload
*/ */
private boolean validateFile(Element file) { private boolean validateFile(Element file) {
String filepath = file.getAttribute(SwidTagConstants.NAME); String filepath;
if (!rimEventLog.isEmpty()) {
filepath = rimEventLog;
} else {
filepath = file.getAttribute(SwidTagConstants.NAME);
}
System.out.println("Support rim found at " + filepath); System.out.println("Support rim found at " + filepath);
if (HashSwid.get256Hash(filepath).equals( if (HashSwid.get256Hash(filepath).equals(
file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" + file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" +
@ -84,13 +106,25 @@ public class SwidTagValidator {
* @param doc * @param doc
*/ */
private boolean validateSignedXMLDocument(Document doc) { private boolean validateSignedXMLDocument(Document doc) {
DOMValidateContext context = null;
boolean isValid = false; boolean isValid = false;
try { try {
NodeList nodes = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature"); NodeList nodes = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
if (nodes.getLength() == 0) { if (nodes.getLength() == 0) {
throw new Exception("Signature element not found!"); throw new Exception("Signature element not found!");
} }
DOMValidateContext context = new DOMValidateContext(new SwidTagValidator.X509KeySelector(), nodes.item(0)); NodeList embeddedCert = doc.getElementsByTagName("X509Data");
if (embeddedCert.getLength() > 0) {
context = new DOMValidateContext(new SwidTagValidator.X509KeySelector(), nodes.item(0));
} else {
CredentialParser cp = new CredentialParser();
if (!certificateFile.isEmpty()) {
context = new DOMValidateContext(cp.parseKeyFromPEMCertificate(certificateFile), nodes.item(0));
} else {
System.out.println("Signing certificate not found for validation!");
System.exit(1);
}
}
XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM"); XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM");
XMLSignature signature = sigFactory.unmarshalXMLSignature(context); XMLSignature signature = sigFactory.unmarshalXMLSignature(context);
isValid = signature.validate(context); isValid = signature.validate(context);
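Review bot: In `validateSignedXMLDocument` the external certificate given with `-p` is consulted only when the document carries no `X509Data`, so a document that embeds its own certificate is verified against a key it supplied itself and the operator's `-p` cert is silently ignored; unless `X509KeySelector` (not in this hunk) checks the embedded certificate against a trust anchor, the `-p` cert should take precedence whenever it is provided. The missing-certificate branch also calls `System.exit(1)` from inside a library method and inside the `try`, which is inconsistent with the `throw new Exception("Signature element not found!")` path two lines above and prevents callers from reporting the failure. The `X509Data` lookup uses `getElementsByTagName` while the `Signature` lookup is namespace-aware; using `getElementsByTagNameNS(XMLSignature.XMLNS, "X509Data")` keeps the two consistent. The method's catch block and return lie outside the hunk.
```java
DOMValidateContext context;
if (!certificateFile.isEmpty()) {
    // An operator-supplied certificate is the trust anchor; prefer it over
    // whatever key material the document embeds about itself.
    CredentialParser cp = new CredentialParser();
    context = new DOMValidateContext(cp.parseKeyFromPEMCertificate(certificateFile), nodes.item(0));
} else if (doc.getElementsByTagNameNS(XMLSignature.XMLNS, "X509Data").getLength() > 0) {
    context = new DOMValidateContext(new SwidTagValidator.X509KeySelector(), nodes.item(0));
} else {
    throw new Exception("Signing certificate not found for validation!");
}
// … unchanged: XMLSignatureFactory, unmarshal and validate …
```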


@ -96,10 +96,15 @@ public class Commander {
sb.append("Create a base RIM using the values in attributes.json; " + sb.append("Create a base RIM using the values in attributes.json; " +
"sign it with the default keystore, alias, and password;\n"); "sign it with the default keystore, alias, and password;\n");
sb.append("and write the data to base_rim.swidtag:\n\n"); sb.append("and write the data to base_rim.swidtag:\n\n");
sb.append("\t\t-c base -a attributes.json -l support_rim.swidtag -o base_rim.swidtag\n\n\n"); sb.append("\t\t-c base -a attributes.json -l support_rim.bin -o base_rim.swidtag\n\n\n");
sb.append("Create a base RIM using the default attribute values; sign it using privateKey.pem;\n"); sb.append("Create a base RIM using the default attribute values; sign it using privateKey.pem;\n");
sb.append("and write the data to console output, to include cert.pem in the signature block:\n\n"); sb.append("and write the data to console output, to embed cert.pem in the signature block:\n\n");
sb.append("\t\t-c base -l support_rim.swidtag -k privateKey.pem -p cert.pem\n\n\n"); sb.append("\t\t-c base -l support_rim.bin -k privateKey.pem -p cert.pem\n\n\n");
sb.append("Validate a base RIM using an external support RIM to override the payload file:\n\n");
sb.append("\t\t-v base_rim.swidtag -l support_rim.bin\n\n\n");
sb.append("Validate a base RIM with an external cert:\n\n");
sb.append("\t\t-v base_rim.swidtag -p signing_cert.pem\n\n\n");
return sb.toString(); return sb.toString();
} }


@ -5,7 +5,7 @@
<Meta xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" rim:bindingSpec="IOT RIM" rim:bindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Example.com" rim:platformModel="ProductA" rim:rimLinkHash="88f21d8e44d4271149297404df91caf207130bfa116582408abd04ede6db7f51"/> <Meta xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" rim:bindingSpec="IOT RIM" rim:bindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Example.com" rim:platformModel="ProductA" rim:rimLinkHash="88f21d8e44d4271149297404df91caf207130bfa116582408abd04ede6db7f51"/>
<Payload> <Payload>
<Directory name="iotBase"> <Directory name="iotBase">
<File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="4479ca722623f8c47b703996ced3cbd981b06b1ae8a897db70137e0b7c546848" name="Example.com.iotBase.bin" size="7549"/> <File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="4479ca722623f8c47b703996ced3cbd981b06b1ae8a897db70137e0b7c546848" name="TpmLog.bin" size="7549"/>
</Directory> </Directory>
</Payload> </Payload>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
@ -17,14 +17,14 @@
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms> </Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>HEzVxviL8a3g7VhLtkMDabH2f9n/3mPwEg1NRJBYLA0=</DigestValue> <DigestValue>jpPZu16C8KjtwY2JpJuyR3SBc2XclVEaVsv/DgyZKTM=</DigestValue>
</Reference> </Reference>
</SignedInfo> </SignedInfo>
<SignatureValue>Qjg51EQPVS5paqBbw8e0b8lu4yqzWUEdvE2S64bvt59f6LPaG+1EDgQCimgXMdIg/+tSR4Wou6Hr <SignatureValue>pWPozFWH2oytfgZse1Ai769c/cBFS/vapKj27asI8XDLdK8FkNs2K/+OTf4lScBiPLTCvWPIihoe
u0ym8K6RqoipWBbF2KNVtR8vCavJblVA+6tCd+iLnFiQ/b2Zud/v/DZq89wQ/hKX0WoskSy/3tiT hielmV8dWZqvR2z09pr+yCF7q/E8sCGhQXSsVlNZjElMXk2Qz2c6C9XtRk4UNmSfTSYsKEm2AST4
ariMcpP75dYO1b/tYkMshPo0/F0p39VoZxhGDahmYTRT0Wt4KQeIVe/4nDXEu+EbIi18yHVHYFWq oh6da+x1CeSHipALfuZZrXwa2AMtc9yTNfqaQFBxRqEDeTypLwNQqdr9va2T8C9ZNnEzooTf5FWw
uO/hC+BoKd/xBKmQnhtGkT4y3vETOoCr0TOHpRUClKC/nL0FhL9hPtpwhPBhakLtbi1WOwBnpxjV OUqc+Ewk5V9ZyOJ/0UdUxs40mGPpsIG90ikx59eu1A4qP4BzjHR3vrNbYDA4hBeIpDHC4vzwJrR4
zFAR1SzeOG87S2Cl8pSDXjwfzHzzcPaJKpXj2g==</SignatureValue> xqXw1SLqAm8ngL9Haj2Ww+y0PEZfo++JlOMZuQ==</SignatureValue>
<KeyInfo> <KeyInfo>
<KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName> <KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
<KeyValue> <KeyValue>


@ -5,7 +5,7 @@
<Meta xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" rim:bindingSpec="IOT RIM" rim:bindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Example.com" rim:platformModel="ProductA" rim:rimLinkHash="88f21d8e44d4271149297404df91caf207130bfa116582408abd04ede6db7f51"/> <Meta xmlns:rim="https://trustedcomputinggroup.org/wp-content/uploads/TCG_RIM_Model" rim:bindingSpec="IOT RIM" rim:bindingSpecVersion="1.2" rim:platformManufacturerId="00201234" rim:platformManufacturerStr="Example.com" rim:platformModel="ProductA" rim:rimLinkHash="88f21d8e44d4271149297404df91caf207130bfa116582408abd04ede6db7f51"/>
<Payload> <Payload>
<Directory name="iotBase"> <Directory name="iotBase">
<File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="4479ca722623f8c47b703996ced3cbd981b06b1ae8a897db70137e0b7c546848" name="Example.com.iotBase.bin" size="7549"/> <File xmlns:SHA256="http://www.w3.org/2001/04/xmlenc#sha256" SHA256:hash="4479ca722623f8c47b703996ced3cbd981b06b1ae8a897db70137e0b7c546848" name="TpmLog.bin" size="7549"/>
</Directory> </Directory>
</Payload> </Payload>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
@ -17,14 +17,14 @@
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms> </Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>HEzVxviL8a3g7VhLtkMDabH2f9n/3mPwEg1NRJBYLA0=</DigestValue> <DigestValue>jpPZu16C8KjtwY2JpJuyR3SBc2XclVEaVsv/DgyZKTM=</DigestValue>
</Reference> </Reference>
</SignedInfo> </SignedInfo>
<SignatureValue>Qjg51EQPVS5paqBbw8e0b8lu4yqzWUEdvE2S64bvt59f6LPaG+1EDgQCimgXMdIg/+tSR4Wou6Hr <SignatureValue>pWPozFWH2oytfgZse1Ai769c/cBFS/vapKj27asI8XDLdK8FkNs2K/+OTf4lScBiPLTCvWPIihoe
u0ym8K6RqoipWBbF2KNVtR8vCavJblVA+6tCd+iLnFiQ/b2Zud/v/DZq89wQ/hKX0WoskSy/3tiT hielmV8dWZqvR2z09pr+yCF7q/E8sCGhQXSsVlNZjElMXk2Qz2c6C9XtRk4UNmSfTSYsKEm2AST4
ariMcpP75dYO1b/tYkMshPo0/F0p39VoZxhGDahmYTRT0Wt4KQeIVe/4nDXEu+EbIi18yHVHYFWq oh6da+x1CeSHipALfuZZrXwa2AMtc9yTNfqaQFBxRqEDeTypLwNQqdr9va2T8C9ZNnEzooTf5FWw
uO/hC+BoKd/xBKmQnhtGkT4y3vETOoCr0TOHpRUClKC/nL0FhL9hPtpwhPBhakLtbi1WOwBnpxjV OUqc+Ewk5V9ZyOJ/0UdUxs40mGPpsIG90ikx59eu1A4qP4BzjHR3vrNbYDA4hBeIpDHC4vzwJrR4
zFAR1SzeOG87S2Cl8pSDXjwfzHzzcPaJKpXj2g==</SignatureValue> xqXw1SLqAm8ngL9Haj2Ww+y0PEZfo++JlOMZuQ==</SignatureValue>
<KeyInfo> <KeyInfo>
<X509Data> <X509Data>
<X509SubjectName>CN=example.RIM.signer,OU=PCClient,O=Example,ST=VA,C=US</X509SubjectName> <X509SubjectName>CN=example.RIM.signer,OU=PCClient,O=Example,ST=VA,C=US</X509SubjectName>
@ -46,7 +46,6 @@ utuMKyOTf4a6d8TUcbG2RnyzO/6S9bq4cPDYLqWRBM+aGN8e00UWTKpBl6/1EU8wkJA6WdllK2e8
mVkXUPWYyHTZ0qQnrYiuLr36ycAznABDzEAoj4tMZbjIAfuscty6Ggzxl1WbyZLI6YzyXALwaYvr mVkXUPWYyHTZ0qQnrYiuLr36ycAznABDzEAoj4tMZbjIAfuscty6Ggzxl1WbyZLI6YzyXALwaYvr
crTLeyFynlKxuCfDnr1SAHDM65BY</X509Certificate> crTLeyFynlKxuCfDnr1SAHDM65BY</X509Certificate>
</X509Data> </X509Data>
<KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
<KeyValue> <KeyValue>
<RSAKeyValue> <RSAKeyValue>
<Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx <Modulus>p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx