From 4620fa33c7e8a121f227e8a4078230e01ca847b2 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 28 Mar 2023 12:34:59 -0400 Subject: [PATCH 01/16] Add KeyName to all signed swidtags without embedded signing certs. Specify keystore.jks as the signing credential used by --default-key. --- tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java | 2 ++ tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java | 2 +- .../tcg_rim_tool/src/test/resources/generated_user_cert.swidtag | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 17df6d08..9e8e197d 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -617,6 +617,8 @@ public class SwidTagGateway { X509Data data = kiFactory.newX509Data(x509Content); keyInfoElements.add(data); } else { + KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier()); + keyInfoElements.add(keyName); keyInfoElements.add(kiFactory.newKeyValue(certificate.getPublicKey())); } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index afd61626..bdb448ae 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java 
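Review bot: The KeyName added in the non-embedded branch carries only the signer's subject key identifier, which is an unauthenticated hint — a verifier must still resolve that SKID against its own truststore and validate the certificate it finds, never trust the name itself — and that contract is worth stating where the element is emitted, e.g. `// KeyName holds the signer's SKID only; verifiers must resolve it against a trusted store`. If `cp.getCertificateSubjectKeyIdentifier()` can return null or an empty string for a certificate without an SKID extension, `kiFactory.newKeyName` will throw or emit an empty name, so guard that case before adding the element. The enclosing signing method starts and ends outside the hunk.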
@@ -43,7 +43,7 @@ public class Commander { description = "Embed the provided certificate in the signed swidtag.") private boolean embedded = false; @Parameter(names = {"-d", "--default-key"}, order = 8, - description = "Use default signing credentials.") + description = "Use keystore.jks from the rimtool installation to sign.") private boolean defaultKey = false; @Parameter(names = {"-l", "--rimel "}, order = 9, required = true, description = "The TCG eventlog file to use as a support RIM.") diff --git a/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag index eaf50f57..b9588ce9 100644 --- a/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag +++ b/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag @@ -26,6 +26,7 @@ tA598YY7o0Hf6hK5qO8oWGQxXUKfpUwvtGLxHpbDWYFuVSPa+uk6OTzutt/QyzTERzxyO9Le1i6K nrpzh4lgHn6EfGs6HR1ffdHQ069q0bE61zDx0VC18nK9DmszW6p6FlMzApiTVW/4PiVt+dSFeVGR 9///OdtxcoBCeofDDFPRyO+s+kY1pXd92Q3nfg== + 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx From 379e1e1ce539682b21e885ef862f719efcabed4b Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 7 Nov 2022 12:13:31 -0500 Subject: [PATCH 02/16] Add support to commandline interface for secondary signatures --- .../src/main/java/hirs/swid/Main.java | 60 +++++++++++++------ .../main/java/hirs/swid/utils/Commander.java | 30 +++++++--- 2 files changed, 62 insertions(+), 28 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 30f68048..93e19878 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java 
@@ -16,6 +16,7 @@ public class Main { SwidTagGateway gateway; SwidTagValidator validator; CredentialArgumentValidator caValidator; + String rimEventLogFile, trustStoreFile, certificateFile, privateKeyFile; if (commander.isHelp()) { jc.usage(); @@ -25,18 +26,17 @@ public class Main { validator = new SwidTagValidator(); System.out.println(commander.toString()); String verifyFile = commander.getVerifyFile(); - String rimel = commander.getRimEventLog(); - String certificateFile = commander.getPublicCertificate(); - String trustStore = commander.getTruststoreFile(); + certificateFile = commander.getPublicCertificate(); + rimEventLogFile = commander.getRimEventLog(); + trustStoreFile = commander.getTruststoreFile(); boolean defaultKey = commander.isDefaultKey(); - validator.setRimEventLog(rimel); if (defaultKey) { validator.validateSwidTag(verifyFile, "DEFAULT"); } else { - caValidator = new CredentialArgumentValidator(trustStore, + caValidator = new CredentialArgumentValidator(trustStoreFile, certificateFile, "", "", "", true); if (caValidator.isValid()) { - validator.setTrustStoreFile(trustStore); + validator.setTrustStoreFile(trustStoreFile); validator.validateSwidTag(verifyFile, caValidator.getFormat()); } else { System.out.println("Invalid combination of credentials given: " 
@@ -47,16 +47,18 @@ public class Main { } else { gateway = new SwidTagGateway(); System.out.println(commander.toString()); - String createType = commander.getCreateType().toUpperCase(); - String attributesFile = commander.getAttributesFile(); - String truststoreFile = commander.getTruststoreFile(); - String certificateFile = commander.getPublicCertificate(); - String privateKeyFile = commander.getPrivateKeyFile(); + rimEventLogFile = commander.getRimEventLog(); + trustStoreFile = commander.getTruststoreFile(); + certificateFile = commander.getPublicCertificate(); + privateKeyFile = commander.getPrivateKeyFile(); boolean embeddedCert = commander.isEmbedded(); boolean defaultKey = commander.isDefaultKey(); - String rimEventLog = commander.getRimEventLog(); - switch (createType) { - case "BASE": + if (!commander.getSignFile().isEmpty()) { + + } else { + String createType = commander.getCreateType().toUpperCase(); + String attributesFile = commander.getAttributesFile(); + if (createType.equals("BASE")) { if (!attributesFile.isEmpty()) { gateway.setAttributesFile(attributesFile); } @@ -65,10 +67,10 @@ public class Main { gateway.setTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE); } else { gateway.setDefaultCredentials(false); - caValidator = new CredentialArgumentValidator(truststoreFile, + caValidator = new CredentialArgumentValidator(trustStoreFile, certificateFile, privateKeyFile, "", "", false); if (caValidator.isValid()) { - gateway.setTruststoreFile(truststoreFile); + gateway.setTruststoreFile(trustStoreFile); gateway.setPemCertificateFile(certificateFile); gateway.setPemPrivateKeyFile(privateKeyFile); } else { @@ -80,7 +82,7 @@ public class Main { gateway.setEmbeddedCert(true); } } - gateway.setRimEventLog(rimEventLog); + gateway.setRimEventLog(rimEventLogFile); List timestampArguments = commander.getTimestampArguments(); if (timestampArguments.size() > 0) { if (new TimestampArgumentValidator(timestampArguments).isValid()) { 
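Review bot: The new `if (!commander.getSignFile().isEmpty()) { }` branch is empty, so passing `-s` silently skips the create path and falls through to whatever follows the block instead of signing anything; until the signing path exists it should fail loudly, e.g. `System.out.println("Signing an existing RIM is not implemented yet"); System.exit(1);`. A one-line comment naming the intent (`// TODO: append a secondary signature to an existing RIM`) would also save the next reader from assuming the branch is deliberate. The enclosing main method continues outside the hunk.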
@@ -93,10 +95,30 @@ public class Main { } } gateway.generateSwidTag(commander.getOutFile()); - break; - default: + } else { System.out.println("No create type given, nothing to do"); + System.exit(1); + } } + if (!trustStoreFile.isEmpty()) { + gateway.setDefaultCredentials(true); + gateway.setJksTruststoreFile(trustStoreFile); + } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) { + gateway.setDefaultCredentials(false); + gateway.setPemCertificateFile(certificateFile); + gateway.setPemPrivateKeyFile(privateKeyFile); + if (embeddedCert) { + gateway.setEmbeddedCert(true); + } + } else if (defaultKey) { + gateway.setDefaultCredentials(true); + gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE); + } else { + System.out.println("A private key (-k) and public certificate (-p) " + + "are required, or the default key (-d) must be indicated."); + System.exit(1); + } + gateway.generateSwidTag(commander.getOutFile()); } } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index bdb448ae..3e07f517 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java 
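Review bot: `gateway.generateSwidTag(commander.getOutFile())` is now reached twice on the BASE path — once at the end of the create branch and again after the new credential block — so the tag is generated and written twice per run; drop the first call or return after it. The first branch of the new credential block also treats any `-t` truststore as a JKS signing credential (`setDefaultCredentials(true)` plus `setJksTruststoreFile(trustStoreFile)`) and, being checked first, overrides an explicit `-k`/`-p` pair, which differs from the option's documented role of validating a signed RIM; either check the PEM pair first or document that `-t` here means "sign with this keystore". The enclosing main method starts outside the hunk.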
@@ -25,30 +25,33 @@ public class Commander { description = "The file to write the RIM out to. " + "The RIM will be written to stdout by default.") private String outFile = ""; - @Parameter(names = {"-v", "--verify "}, order = 3, + @Parameter(names = {"-s", "--sign "}, order = 3, + description = "Specify a RIM file to append a signature to.") + private String signFile = ""; + @Parameter(names = {"-v", "--verify "}, order = 4, description = "Specify a RIM file to verify.") private String verifyFile = ""; - @Parameter(names = {"-t", "--truststore "}, order = 4, + @Parameter(names = {"-t", "--truststore "}, order = 5, description = "The truststore to sign the base RIM created " + "or to validate the signed base RIM.") private String truststoreFile = ""; - @Parameter(names = {"-k", "--privateKeyFile "}, order = 5, + @Parameter(names = {"-k", "--privateKeyFile "}, order = 6, description = "The private key used to sign the base RIM created by this tool.") private String privateKeyFile = ""; - @Parameter(names = {"-p", "--publicCertificate "}, order = 6, + @Parameter(names = {"-p", "--publicCertificate "}, order = 7, description = "The public key certificate to embed in the base RIM created by " + "this tool.") private String publicCertificate = ""; - @Parameter(names = {"-e", "--embed-cert"}, order = 7, + @Parameter(names = {"-e", "--embed-cert"}, order = 8, description = "Embed the provided certificate in the signed swidtag.") private boolean embedded = false; - @Parameter(names = {"-d", "--default-key"}, order = 8, + @Parameter(names = {"-d", "--default-key"}, order = 9, description = "Use keystore.jks from the rimtool installation to sign.") private boolean defaultKey = false; - @Parameter(names = {"-l", "--rimel "}, order = 9, required = true, + @Parameter(names = {"-l", "--rimel "}, order = 10, required = true, description = "The TCG eventlog file to use as a support RIM.") private String rimEventLog = ""; - @Parameter(names = {"--timestamp"}, order = 10, 
variableArity = true, + @Parameter(names = {"--timestamp"}, order = 11, variableArity = true, description = "Add a timestamp to the signature. " + "Currently only RFC3339 and RFC3852 are supported:\n" + "\tRFC3339 [yyyy-MM-ddThh:mm:ssZ]\n\tRFC3852 ") @@ -70,6 +73,10 @@ public class Commander { return outFile; } + public String getSignFile() { + return signFile; + } + public String getVerifyFile() { return verifyFile; } @@ -111,13 +118,17 @@ public class Commander { "\n\n\n"); sb.append("Create a base RIM using the default attribute values; "); sb.append("sign it using privateKey.pem; embed cert.pem in the signature block; "); - sb.append("and write the data to console output:\n\n"); + sb.append("and write the data to console stdout:\n\n"); sb.append("\t\t-c base -l support_rim.bin -k privateKey.pem -p cert.pem -e\n\n\n"); sb.append("Create a base RIM using the values in attributes.json; " + "sign it with the default keystore; add a RFC3852 timestamp; "); sb.append("and write the data to base_rim.swidtag:\n\n"); sb.append("\t\t-c base -a attributes.json -d -l support_rim.bin " + "--timestamp RFC3852 counterSignature.bin -o base_rim.swidtag\n\n\n"); + sb.append("Add another signature to a signed base RIM using privateKey.pem; "); + sb.append("embed cert.pem in the signature block; "); + sb.append("and write the output to console stdout:\n\n"); + sb.append("\t\t-s signed_base_rim.swidtag -k privateKey.pem -p cert.pem -e\n\n\n"); sb.append("Validate a base RIM using an external support RIM to override the "); sb.append("payload file:\n\n"); sb.append("\t\t-v base_rim.swidtag -l support_rim.bin\n\n\n"); 
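Review bot: `-l`/`--rimel` is still declared `required = true`, so the new `-s` signing mode cannot be invoked without a support RIM even though the usage example added in this same commit (`-s signed_base_rim.swidtag -k privateKey.pem -p cert.pem -e`) omits it; JCommander will reject that invocation before Main runs. Drop the flag from the annotation (`@Parameter(names = {"-l", "--rimel "}, order = 10,`) and enforce the support RIM in Main only on the create path. The new option name also copies the trailing space of the existing ones (`"--sign "`, like `"--verify "`), which is presumably a pre-existing quirk but worth confirming since it changes how the long form must be typed.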
@@ -133,6 +144,7 @@ public class Commander { sb.append("Creating: " + this.getCreateType() + System.lineSeparator()); sb.append("Using attributes file: " + this.getAttributesFile() + System.lineSeparator()); sb.append("Write to: " + this.getOutFile() + System.lineSeparator()); + sb.append("Signing file: " + this.getSignFile() + System.lineSeparator()); sb.append("Verify file: " + this.getVerifyFile() + System.lineSeparator()); if (this.isDefaultKey()) { sb.append("Truststore file: default (" + SwidTagConstants.DEFAULT_KEYSTORE_FILE + ")" From 2e4accde0bc90e75422c50215a8ae3d8a0bfe02d Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 6 Dec 2022 06:47:24 -0500 Subject: [PATCH 03/16] WIP: attach detached signature as a sibling element to a signed base RIM --- .../src/main/java/hirs/swid/Main.java | 24 +++- .../main/java/hirs/swid/SwidTagGateway.java | 117 ++++++++++++++++++ 2 files changed, 140 insertions(+), 1 deletion(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 93e19878..7f8f38d8 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -4,6 +4,7 @@ import com.beust.jcommander.JCommander; import hirs.swid.utils.Commander; import hirs.swid.utils.CredentialArgumentValidator; import hirs.swid.utils.TimestampArgumentValidator; +import org.w3c.dom.Document; import java.util.List; 
@@ -118,7 +119,28 @@ public class Main { "are required, or the default key (-d) must be indicated."); System.exit(1); } - gateway.generateSwidTag(commander.getOutFile()); + if (!commander.getSignFile().isEmpty()) { + Document doc = gateway.signXMLDocument(commander.getSignFile()); + gateway.writeSwidTagFile(doc, ""); + } else { + String createType = commander.getCreateType().toUpperCase(); + String attributesFile = commander.getAttributesFile(); + if (createType.equals("BASE")) { + if (!attributesFile.isEmpty()) { + gateway.setAttributesFile(attributesFile); + } + if (!rimEventLogFile.isEmpty()) { + gateway.setRimEventLog(rimEventLogFile); + } else { + System.out.println("Error: a support RIM is required!"); + System.exit(1); + } + } else { + System.out.println("No create type given, nothing to do"); + System.exit(1); + } + gateway.generateSwidTag(commander.getOutFile()); + } } } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 9e8e197d..3d1af3bd 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -10,6 +10,10 @@ import hirs.swid.xjc.SoftwareIdentity; import hirs.swid.xjc.SoftwareMeta; import org.w3c.dom.Document; import org.w3c.dom.Element; +import org.w3c.dom.Node; +import org.w3c.dom.NodeList; +import org.xml.sax.InputSource; +import org.xml.sax.SAXException; import javax.json.Json; import javax.json.JsonException; @@ -41,6 +45,7 @@ import javax.xml.crypto.dsig.keyinfo.X509Data; import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec; import javax.xml.crypto.dsig.spec.TransformParameterSpec; import javax.xml.namespace.QName; +import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.OutputKeys; 
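Review bot: The new signing path writes with `gateway.writeSwidTagFile(doc, "")`, so the `-o` output file is ignored whenever `-s` is used; pass `commander.getOutFile()` as the create path does. `doc` is also whatever `signXMLDocument` returns, and in this commit that method builds the signature in a separate document and returns the parsed, still-unsigned tag, so the file written here would not yet carry the second signature (the subject marks the work as WIP, but a `// TODO` at the call site would make that visible to callers). The surrounding main method starts outside the hunk.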
@@ -57,6 +62,7 @@ import java.io.FileNotFoundException; import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStream; +import java.io.StringReader; import java.math.BigInteger; import java.nio.file.Files; import java.nio.file.Paths; 
@@ -549,6 +555,117 @@ public class SwidTagGateway { } } + private void printXmlAttributes(Node node) { + org.w3c.dom.NamedNodeMap attributes = node.getAttributes(); + if (attributes.getLength() <= 0) { + System.out.println("No attributes in this node"); + } else { + for (int i = 0; i < attributes.getLength(); i++) { + System.out.println("SoftwareIdentity attribute: " + attributes.item(i).getNodeName()); + } + } + } + + public Document signXMLDocument(String signFile) { + //Read signFile contents + String xmlToSign = ""; + try { + byte[] fileContents = Files.readAllBytes(Paths.get(signFile)); + xmlToSign = new String(fileContents); //safe to assume default charset?? + } catch (IOException e) { + System.out.println("Error reading contents of " + signFile); + System.exit(1); + } + + //Parse SoftwareIdentity id + String tagId = ""; + Document swidTag = null; + Element softwareIdentity = null; + try { + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + DocumentBuilder db = dbf.newDocumentBuilder(); + swidTag = db.parse(new InputSource(new StringReader(xmlToSign))); + softwareIdentity = (Element) swidTag.getElementsByTagName( + SwidTagConstants.SOFTWARE_IDENTITY).item(0); + tagId = softwareIdentity.getAttributes() + .getNamedItem(SwidTagConstants.TAGID).getNodeValue(); + //How to sign without an Id attribute? 
+ } catch (ParserConfigurationException e) { + System.out.println("Error instantiating DocumentBuilder object: " + e.getMessage()); + System.exit(1); + } catch (IOException | SAXException e) { + System.out.println("Error parsing XML from " + signFile); + } + + //Create signature with a reference to SoftwareIdentity id + System.out.println("Referencing SoftwareIdentity with tagID " + tagId); + Document detachedSignature = null; + try { + XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM"); + Reference ref = sigFactory.newReference("#" + tagId, + sigFactory.newDigestMethod(DigestMethod.SHA256, null)); + SignedInfo signedInfo = sigFactory.newSignedInfo( + sigFactory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, + (C14NMethodParameterSpec) null), + sigFactory.newSignatureMethod(SwidTagConstants.SIGNATURE_ALGORITHM_RSA_SHA256, + null), + Collections.singletonList(ref) + ); + List keyInfoElements = new ArrayList(); + + KeyInfoFactory kiFactory = sigFactory.getKeyInfoFactory(); + PrivateKey privateKey; + CredentialParser cp = new CredentialParser(); + if (defaultCredentials) { + cp.parseJKSCredentials(jksTruststoreFile); + privateKey = cp.getPrivateKey(); + KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier()); + keyInfoElements.add(keyName); + } else { + cp.parsePEMCredentials(pemCertificateFile, pemPrivateKeyFile); + X509Certificate certificate = cp.getCertificate(); + privateKey = cp.getPrivateKey(); + if (embeddedCert) { + ArrayList x509Content = new ArrayList(); + x509Content.add(certificate.getSubjectX500Principal().getName()); + x509Content.add(certificate); + X509Data data = kiFactory.newX509Data(x509Content); + keyInfoElements.add(data); + } else { + keyInfoElements.add(kiFactory.newKeyValue(certificate.getPublicKey())); + } + } + KeyInfo keyinfo = kiFactory.newKeyInfo(keyInfoElements); + + detachedSignature = DocumentBuilderFactory.newInstance() + .newDocumentBuilder().newDocument(); + 
detachedSignature.appendChild(detachedSignature.createElement("root")); + DOMSignContext context = new DOMSignContext(privateKey, + detachedSignature.getDocumentElement()); + XMLSignature signature = sigFactory.newXMLSignature(signedInfo, keyinfo); + signature.sign(context); + System.out.println("Detached signature: " + detachedSignature); + } catch (InvalidAlgorithmParameterException e) { + System.out.println("Digest method parameters are invalid: " + e.getMessage()); + } catch (NoSuchAlgorithmException e) { + System.out.println("The digest algorithm could not be found: " + e.getMessage()); + } catch (IOException e) { + System.out.println("Error getting SKID from signing credentials: " + e.getMessage()); + } catch (ParserConfigurationException e) { + System.out.println("Error creating new document object: " + e.getMessage()); + } catch (MarshalException | XMLSignatureException e) { + System.out.println("Error while signing SoftwareIdentity"); + e.printStackTrace(); + } catch (KeyException e) { + System.out.println("Public key algorithm not recognized or supported: " + + e.getMessage()); + } catch (Exception e) { + e.printStackTrace(); + } + + return swidTag; + } + /** * This method signs a SoftwareIdentity with an xmldsig in compatibility mode. * Current assumptions: digest method SHA256, signature method SHA256, enveloped signature From 76d99fa765a4f774fc9f322de070e5cfd580d5a8 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Thu, 15 Dec 2022 12:52:19 -0500 Subject: [PATCH 04/16] WIP: Add xpath filter to select SoftwareIdentity element --- .../src/main/java/hirs/swid/SwidTagGateway.java | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 3d1af3bd..695dd21a 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java 
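Review bot: `signXMLDocument` parses a caller-supplied RIM with a default `DocumentBuilderFactory`, so a crafted `signFile` containing a DOCTYPE can pull in external entities (XXE) or expand an entity bomb before any signature is examined; disable DTDs and external entities on the factory as in the excerpt below. Parse failures also do not stop the method — the `IOException | SAXException` branch only prints, after which `swidTag.getElementsByTagName(...)` dereferences null, and `item(0)` is null when the file has no SoftwareIdentity element — so exit on parse failure and null-check the element and its tagId attribute before reading them. The `new String(fileContents)` round-trip (the comment asks whether the default charset is safe; it is not) is avoided by handing the parser a stream so it honours the document's own encoding declaration. The trailing `catch (Exception e) { e.printStackTrace(); }` then returns the unsigned document as if signing had succeeded, which the caller cannot distinguish from success.
```java
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// The RIM being countersigned is untrusted input: reject DOCTYPEs and external entities.
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
DocumentBuilder db = dbf.newDocumentBuilder();
// Let the parser apply the XML declaration's encoding instead of the platform default.
try (InputStream in = Files.newInputStream(Paths.get(signFile))) {
    swidTag = db.parse(in);
}
// … unchanged: ParserConfigurationException / IOException / SAXException handling, now exiting on failure …
Element softwareIdentity = (Element) swidTag.getElementsByTagName(
        SwidTagConstants.SOFTWARE_IDENTITY).item(0);
if (softwareIdentity == null || !softwareIdentity.hasAttribute(SwidTagConstants.TAGID)) {
    System.out.println("No SoftwareIdentity with a " + SwidTagConstants.TAGID
            + " attribute found in " + signFile);
    System.exit(1);
}
tagId = softwareIdentity.getAttribute(SwidTagConstants.TAGID);
// … unchanged: signature construction …
```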
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -44,6 +44,7 @@ import javax.xml.crypto.dsig.keyinfo.KeyName; import javax.xml.crypto.dsig.keyinfo.X509Data; import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec; import javax.xml.crypto.dsig.spec.TransformParameterSpec; +import javax.xml.crypto.dsig.spec.XPathFilterParameterSpec; import javax.xml.namespace.QName; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -602,8 +603,13 @@ public class SwidTagGateway { Document detachedSignature = null; try { XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM"); + //Use xpath to select SoftwareIdentity + XPathFilterParameterSpec xPathParams = new XPathFilterParameterSpec("/SoftwareIdentity"); + //ref must be distinguished from existing Reference ref = sigFactory.newReference("#" + tagId, - sigFactory.newDigestMethod(DigestMethod.SHA256, null)); + sigFactory.newDigestMethod(DigestMethod.SHA256, null), + Collections.singletonList(sigFactory.newTransform(Transform.XPATH, xPathParams)), + null, null); SignedInfo signedInfo = sigFactory.newSignedInfo( sigFactory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null), From edf9f6afa0e2ad37d8a77e03508de21bc105e99f Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 21 Mar 2023 02:05:40 -0400 Subject: [PATCH 05/16] WIP: register id attribute for SoftwareIdentity --- .../src/main/java/hirs/swid/SwidTagGateway.java | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 695dd21a..9028a095 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java 
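Review bot: `new XPathFilterParameterSpec("/SoftwareIdentity")` does not select the SoftwareIdentity element: the XPath filter transform evaluates the expression once per node of the input set and keeps each node for which the result is true, and `/SoftwareIdentity` is a non-empty node-set (hence true) from every context node, so nothing is filtered out. The XMLDSIG idiom for keeping one element and its subtree is `ancestor-or-self::SoftwareIdentity`, and the same-document reference `"#" + tagId` already selects that element without any transform. This hunk is reverted later in the series, so no change is needed beyond not reintroducing the expression in this form.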
@@ -79,6 +79,7 @@ import java.util.Base64; import java.util.Collections; import java.util.List; import java.util.Map; +import java.util.UUID; /** @@ -317,6 +318,7 @@ public class SwidTagGateway { if (!tagId.isEmpty()) { swidTag.setTagId(tagId); } + swidTag.getOtherAttributes().put(new QName("id"), tagId); swidTag.setTagVersion(new BigInteger( jsonObject.getString(SwidTagConstants.TAGVERSION, "0"))); swidTag.setVersion(jsonObject.getString(SwidTagConstants.VERSION, "0.0")); @@ -579,7 +581,7 @@ public class SwidTagGateway { } //Parse SoftwareIdentity id - String tagId = ""; + String softwareIdentityId = ""; Document swidTag = null; Element softwareIdentity = null; try { @@ -588,8 +590,8 @@ public class SwidTagGateway { swidTag = db.parse(new InputSource(new StringReader(xmlToSign))); softwareIdentity = (Element) swidTag.getElementsByTagName( SwidTagConstants.SOFTWARE_IDENTITY).item(0); - tagId = softwareIdentity.getAttributes() - .getNamedItem(SwidTagConstants.TAGID).getNodeValue(); + softwareIdentityId = softwareIdentity.getAttributes() + .getNamedItem("id").getNodeValue(); //How to sign without an Id attribute? } catch (ParserConfigurationException e) { System.out.println("Error instantiating DocumentBuilder object: " + e.getMessage()); 
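Review bot: `swidTag.getOtherAttributes().put(new QName("id"), tagId)` runs even when `tagId` is empty, unlike the `setTagId` call guarded just above it, so a tag generated without a tagId gets an `id=""` attribute; move the put inside the `if (!tagId.isEmpty())` block. An unprefixed `id` attribute on SoftwareIdentity is presumably meant as the ID target for the detached signature's `#id` reference, but nothing in this hunk shows it is part of the SWID schema, so confirm it survives schema validation and say why it exists, e.g. `// non-schema attribute: ID target for a detached-signature Reference`. The enclosing method starts and ends outside the hunk.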
@@ -599,14 +601,14 @@ public class SwidTagGateway { } //Create signature with a reference to SoftwareIdentity id - System.out.println("Referencing SoftwareIdentity with tagID " + tagId); + System.out.println("Referencing SoftwareIdentity with id " + softwareIdentityId); Document detachedSignature = null; try { XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM"); //Use xpath to select SoftwareIdentity XPathFilterParameterSpec xPathParams = new XPathFilterParameterSpec("/SoftwareIdentity"); //ref must be distinguished from existing - Reference ref = sigFactory.newReference("#" + tagId, + Reference ref = sigFactory.newReference("#" + softwareIdentityId, sigFactory.newDigestMethod(DigestMethod.SHA256, null), Collections.singletonList(sigFactory.newTransform(Transform.XPATH, xPathParams)), null, null); @@ -648,6 +650,7 @@ public class SwidTagGateway { detachedSignature.appendChild(detachedSignature.createElement("root")); DOMSignContext context = new DOMSignContext(privateKey, detachedSignature.getDocumentElement()); + context.setIdAttributeNS(softwareIdentity, null, "id"); XMLSignature signature = sigFactory.newXMLSignature(signedInfo, keyinfo); signature.sign(context); System.out.println("Detached signature: " + detachedSignature); From 114443ff14d5885832e5e3f0d00b68c598cdcb28 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 21 Mar 2023 02:13:05 -0400 Subject: [PATCH 06/16] Revert "WIP: Add xpath filter to select SoftwareIdentity element" This reverts commit de594103090862570c1517f78fe3944de1f2d7e5. --- .../src/main/java/hirs/swid/SwidTagGateway.java | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 9028a095..30ea30f4 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java 
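Review bot: `context.setIdAttributeNS(softwareIdentity, null, "id")` registers an element that lives in `swidTag`, but the `DOMSignContext` is created over `detachedSignature.getDocumentElement()`, a different document, and the `#softwareIdentityId` reference is dereferenced in the context's document; unless the element is imported into that document (or the signature is built inside `swidTag`), resolving the reference will presumably still fail. The registration also needs a null check on the lookup in the earlier hunk, since `getNamedItem("id")` returns null for a RIM without an `id` attribute and the method would NPE before reaching this line. The enclosing method starts and ends outside the hunk.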
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -11,7 +11,6 @@ import hirs.swid.xjc.SoftwareMeta; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; -import org.w3c.dom.NodeList; import org.xml.sax.InputSource; import org.xml.sax.SAXException; @@ -44,7 +43,6 @@ import javax.xml.crypto.dsig.keyinfo.KeyName; import javax.xml.crypto.dsig.keyinfo.X509Data; import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec; import javax.xml.crypto.dsig.spec.TransformParameterSpec; -import javax.xml.crypto.dsig.spec.XPathFilterParameterSpec; import javax.xml.namespace.QName; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -79,7 +77,6 @@ import java.util.Base64; import java.util.Collections; import java.util.List; import java.util.Map; -import java.util.UUID; /** @@ -605,13 +602,9 @@ public class SwidTagGateway { Document detachedSignature = null; try { XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM"); - //Use xpath to select SoftwareIdentity - XPathFilterParameterSpec xPathParams = new XPathFilterParameterSpec("/SoftwareIdentity"); - //ref must be distinguished from existing + //ref must be distinguished from existing Reference ref = sigFactory.newReference("#" + softwareIdentityId, - sigFactory.newDigestMethod(DigestMethod.SHA256, null), - Collections.singletonList(sigFactory.newTransform(Transform.XPATH, xPathParams)), - null, null); + sigFactory.newDigestMethod(DigestMethod.SHA256, null)); SignedInfo signedInfo = sigFactory.newSignedInfo( sigFactory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, (C14NMethodParameterSpec) null), From 7f840e9a354d1fc30aff3d961ee19a93fe57f751 Mon Sep 17 00:00:00 2001 
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Thu, 23 Mar 2023 05:17:24 -0400 Subject: [PATCH 07/16] Restructure try/catch blocks for readability --- .../main/java/hirs/swid/SwidTagGateway.java | 83 +++++++++++-------- 1 file changed, 47 insertions(+), 36 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 30ea30f4..1469326f 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java 
@@ -578,45 +578,54 @@ public class SwidTagGateway { } //Parse SoftwareIdentity id - String softwareIdentityId = ""; Document swidTag = null; - Element softwareIdentity = null; + DocumentBuilder db = null; try { DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - DocumentBuilder db = dbf.newDocumentBuilder(); - swidTag = db.parse(new InputSource(new StringReader(xmlToSign))); - softwareIdentity = (Element) swidTag.getElementsByTagName( - SwidTagConstants.SOFTWARE_IDENTITY).item(0); - softwareIdentityId = softwareIdentity.getAttributes() - .getNamedItem("id").getNodeValue(); - //How to sign without an Id attribute? + dbf.setNamespaceAware(false); + db = dbf.newDocumentBuilder(); } catch (ParserConfigurationException e) { System.out.println("Error instantiating DocumentBuilder object: " + e.getMessage()); System.exit(1); + } + try { + swidTag = db.parse(new InputSource(new StringReader(xmlToSign))); } catch (IOException | SAXException e) { System.out.println("Error parsing XML from " + signFile); + System.exit(1); } + Element softwareIdentity = (Element) swidTag.getElementsByTagName( + SwidTagConstants.SOFTWARE_IDENTITY).item(0); + String softwareIdentityId = softwareIdentity.getAttributes() + .getNamedItem("id").getNodeValue(); //Create signature with a reference to SoftwareIdentity id System.out.println("Referencing SoftwareIdentity with id " + softwareIdentityId); - Document detachedSignature = null; + XMLSignatureFactory sigFactory = null; + SignedInfo signedInfo = null; try { - XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM"); + sigFactory = XMLSignatureFactory.getInstance("DOM"); //ref must be distinguished from existing Reference ref = sigFactory.newReference("#" + softwareIdentityId, sigFactory.newDigestMethod(DigestMethod.SHA256, null)); - SignedInfo signedInfo = sigFactory.newSignedInfo( + signedInfo = sigFactory.newSignedInfo( sigFactory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, 
(C14NMethodParameterSpec) null), sigFactory.newSignatureMethod(SwidTagConstants.SIGNATURE_ALGORITHM_RSA_SHA256, null), Collections.singletonList(ref) ); - List keyInfoElements = new ArrayList(); + } catch (InvalidAlgorithmParameterException e) { + System.out.println("Digest method parameters are invalid: " + e.getMessage()); + } catch (NoSuchAlgorithmException e) { + System.out.println("The digest algorithm could not be found: " + e.getMessage()); + } + List keyInfoElements = new ArrayList(); - KeyInfoFactory kiFactory = sigFactory.getKeyInfoFactory(); - PrivateKey privateKey; - CredentialParser cp = new CredentialParser(); + KeyInfoFactory kiFactory = sigFactory.getKeyInfoFactory(); + PrivateKey privateKey = null; + CredentialParser cp = new CredentialParser(); + try { if (defaultCredentials) { cp.parseJKSCredentials(jksTruststoreFile); privateKey = cp.getPrivateKey(); 
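Review bot: The restructured `try` around `newReference`/`newSignedInfo` prints on `InvalidAlgorithmParameterException` or `NoSuchAlgorithmException` and then falls through with `signedInfo` still null, so the method goes on to build a `KeyInfo` and a sign context and fails later with an unrelated NPE; add `System.exit(1)` (or rethrow) in those catches, as the parser catch in this hunk already does. The parser is still `DocumentBuilderFactory.newInstance()` with only `dbf.setNamespaceAware(false)` set and no DOCTYPE or external-entity restrictions, so the file passed to `-s` remains an XXE vector; that line is the natural place for `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`. The `getElementsByTagName(...).item(0)` / `getNamedItem("id")` chain, now outside any try, is also unchecked and NPEs on a RIM without an `id` attribute. The method continues outside the hunk.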
@@ -636,34 +645,36 @@ public class SwidTagGateway { keyInfoElements.add(kiFactory.newKeyValue(certificate.getPublicKey())); } } - KeyInfo keyinfo = kiFactory.newKeyInfo(keyInfoElements); - - detachedSignature = DocumentBuilderFactory.newInstance() - .newDocumentBuilder().newDocument(); - detachedSignature.appendChild(detachedSignature.createElement("root")); - DOMSignContext context = new DOMSignContext(privateKey, - detachedSignature.getDocumentElement()); - context.setIdAttributeNS(softwareIdentity, null, "id"); - XMLSignature signature = sigFactory.newXMLSignature(signedInfo, keyinfo); - signature.sign(context); - System.out.println("Detached signature: " + detachedSignature); - } catch (InvalidAlgorithmParameterException e) { - System.out.println("Digest method parameters are invalid: " + e.getMessage()); - } catch (NoSuchAlgorithmException e) { - System.out.println("The digest algorithm could not be found: " + e.getMessage()); } catch (IOException e) { System.out.println("Error getting SKID from signing credentials: " + e.getMessage()); - } catch (ParserConfigurationException e) { - System.out.println("Error creating new document object: " + e.getMessage()); - } catch (MarshalException | XMLSignatureException e) { - System.out.println("Error while signing SoftwareIdentity"); - e.printStackTrace(); } catch (KeyException e) { System.out.println("Public key algorithm not recognized or supported: " + e.getMessage()); } catch (Exception e) { + e.printStackTrace(); + } + KeyInfo keyinfo = kiFactory.newKeyInfo(keyInfoElements); + + Document detachedSignature = null; + try { + detachedSignature = DocumentBuilderFactory.newInstance() + .newDocumentBuilder().newDocument(); + } catch (ParserConfigurationException e) { + System.out.println("Error creating new document object: " + e.getMessage()); + } + detachedSignature.setXmlVersion("1.0"); + detachedSignature.appendChild(detachedSignature.createElement("root")); + DOMSignContext context = new DOMSignContext(privateKey, 
+ detachedSignature.getDocumentElement()); + context.setIdAttributeNS(softwareIdentity, null, "id"); + XMLSignature signature = sigFactory.newXMLSignature(signedInfo, keyinfo); + try { + signature.sign(context); + } catch (MarshalException | XMLSignatureException e) { + System.out.println("Error while signing SoftwareIdentity"); e.printStackTrace(); } + System.out.println("Detached signature: " + detachedSignature); return swidTag; } From 9d35b3c17a49d10e0102c928ea3960c38c7bd661 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Thu, 13 Apr 2023 00:14:15 -0400 Subject: [PATCH 08/16] Modify gateway class to generate a detached signature for a signed swidtag. Created new unit test and updated test resource files. --- .../src/main/java/hirs/swid/Main.java | 64 +++++++------------ .../main/java/hirs/swid/SwidTagGateway.java | 17 +---- .../main/java/hirs/swid/utils/Commander.java | 3 +- .../swid/utils/FileArgumentValidator.java | 24 +++++++ .../java/hirs/swid/TestSwidTagGateway.java | 18 ++++++ .../resources/generated_default_cert.swidtag | 14 ++-- .../generated_timestamp_rfc3339.swidtag | 14 ++-- .../generated_timestamp_rfc3852.swidtag | 14 ++-- .../resources/generated_user_cert.swidtag | 14 ++-- .../generated_user_cert_embed.swidtag | 14 ++-- 10 files changed, 104 insertions(+), 92 deletions(-) create mode 100644 tools/tcg_rim_tool/src/main/java/hirs/swid/utils/FileArgumentValidator.java diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 7f8f38d8..65ea328f 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java 
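Review bot: The `DocumentBuilderFactory` configured at the top of the hunk parses the caller-supplied file with DTD processing left at its defaults, so a swidtag carrying a DOCTYPE can pull in external entities or expand nested ones while it is being signed; before `db = dbf.newDocumentBuilder();` add `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` and `dbf.setExpandEntityReferences(false);`. The restructured error handling also prints and falls through: the `InvalidAlgorithmParameterException`/`NoSuchAlgorithmException` catches leave `signedInfo` null and the `catch (Exception e)` around credential loading leaves `privateKey` null, so the later `DOMSignContext` and `newXMLSignature` calls die with a bare NullPointerException instead of the message that was printed — either `System.exit(1)` in those catches, as the parse catches now do, or rethrow. `dbf.setNamespaceAware(false)` is worth a second look as well, since the JSR 105 DOM mechanism is documented, as far as I recall, to require a namespace-aware DOM; confirm the `#id` reference still resolves under a namespace-aware parse. signXMLDocument begins before this hunk.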
@@ -54,8 +54,28 @@ public class Main { privateKeyFile = commander.getPrivateKeyFile(); boolean embeddedCert = commander.isEmbedded(); boolean defaultKey = commander.isDefaultKey(); + String outputFile = commander.getOutFile(); + if (!trustStoreFile.isEmpty()) { + gateway.setDefaultCredentials(true); + gateway.setJksTruststoreFile(trustStoreFile); + } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) { + gateway.setDefaultCredentials(false); + gateway.setPemCertificateFile(certificateFile); + gateway.setPemPrivateKeyFile(privateKeyFile); + if (embeddedCert) { + gateway.setEmbeddedCert(true); + } + } else if (defaultKey) { + gateway.setDefaultCredentials(true); + gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE); + } else { + System.out.println("A private key (-k) and public certificate (-p) " + + "are required, or the default key (-d) must be indicated."); + System.exit(1); + } if (!commander.getSignFile().isEmpty()) { - + Document doc = gateway.signXMLDocument(commander.getSignFile()); + gateway.writeSwidTagFile(doc, outputFile); } else { String createType = commander.getCreateType().toUpperCase(); String attributesFile = commander.getAttributesFile(); 
@@ -95,51 +115,11 @@ public class Main { System.exit(1); } } - gateway.generateSwidTag(commander.getOutFile()); } else { System.out.println("No create type given, nothing to do"); System.exit(1); } - } - if (!trustStoreFile.isEmpty()) { - gateway.setDefaultCredentials(true); - gateway.setJksTruststoreFile(trustStoreFile); - } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) { - gateway.setDefaultCredentials(false); - gateway.setPemCertificateFile(certificateFile); - gateway.setPemPrivateKeyFile(privateKeyFile); - if (embeddedCert) { - gateway.setEmbeddedCert(true); - } - } else if (defaultKey) { - gateway.setDefaultCredentials(true); - gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE); - } else { - System.out.println("A private key (-k) and public certificate (-p) " + - "are required, or the default key (-d) must be indicated."); - System.exit(1); - } - if (!commander.getSignFile().isEmpty()) { - Document doc = gateway.signXMLDocument(commander.getSignFile()); - gateway.writeSwidTagFile(doc, ""); - } else { - String createType = commander.getCreateType().toUpperCase(); - String attributesFile = commander.getAttributesFile(); - if (createType.equals("BASE")) { - if (!attributesFile.isEmpty()) { - gateway.setAttributesFile(attributesFile); - } - if (!rimEventLogFile.isEmpty()) { - gateway.setRimEventLog(rimEventLogFile); - } else { - System.out.println("Error: a support RIM is required!"); - System.exit(1); - } - } else { - System.out.println("No create type given, nothing to do"); - System.exit(1); - } - gateway.generateSwidTag(commander.getOutFile()); + gateway.generateSwidTag(outputFile); } } } diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 1469326f..81f8043b 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java 
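Review bot: The `defaultKey` branch signs with the keystore shipped in the installation (`SwidTagConstants.DEFAULT_KEYSTORE_FILE`) without telling the user, so a RIM produced with `-d` carries a signature anyone holding the tool can reproduce; print a warning on that path, e.g. `System.out.println("WARNING: signing with the bundled default key; this signature is for testing only.");`. The first branch also calls `gateway.setDefaultCredentials(true)` for a user-supplied `-t` truststore, which makes "default credentials" mean "any JKS keystore" rather than "the bundled key" — a separate setter or a clearer flag name would stop later changes from conflating the two cases. `main` begins before this hunk.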
@@ -600,7 +600,6 @@ public class SwidTagGateway { .getNamedItem("id").getNodeValue(); //Create signature with a reference to SoftwareIdentity id - System.out.println("Referencing SoftwareIdentity with id " + softwareIdentityId); XMLSignatureFactory sigFactory = null; SignedInfo signedInfo = null; try { @@ -655,17 +654,8 @@ public class SwidTagGateway { } KeyInfo keyinfo = kiFactory.newKeyInfo(keyInfoElements); - Document detachedSignature = null; - try { - detachedSignature = DocumentBuilderFactory.newInstance() - .newDocumentBuilder().newDocument(); - } catch (ParserConfigurationException e) { - System.out.println("Error creating new document object: " + e.getMessage()); - } - detachedSignature.setXmlVersion("1.0"); - detachedSignature.appendChild(detachedSignature.createElement("root")); - DOMSignContext context = new DOMSignContext(privateKey, - detachedSignature.getDocumentElement()); + Document detachedSignature = db.newDocument(); + DOMSignContext context = new DOMSignContext(privateKey, detachedSignature); context.setIdAttributeNS(softwareIdentity, null, "id"); XMLSignature signature = sigFactory.newXMLSignature(signedInfo, keyinfo); try { @@ -674,9 +664,8 @@ public class SwidTagGateway { System.out.println("Error while signing SoftwareIdentity"); e.printStackTrace(); } - System.out.println("Detached signature: " + detachedSignature); - return swidTag; + return detachedSignature; } /** diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index 3e07f517..da985dc9 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java 
@@ -26,7 +26,8 @@ public class Commander { + "The RIM will be written to stdout by default.") private String outFile = ""; @Parameter(names = {"-s", "--sign "}, order = 3, - description = "Specify a RIM file to append a signature to.") + validateWith = FileArgumentValidator.class, + description = "Generate a detached signature for the file at ") private String signFile = ""; @Parameter(names = {"-v", "--verify "}, order = 4, description = "Specify a RIM file to verify.") diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/FileArgumentValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/FileArgumentValidator.java new file mode 100644 index 00000000..6ead93cc --- /dev/null +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/FileArgumentValidator.java @@ -0,0 +1,24 @@ +package hirs.swid.utils; + +import com.beust.jcommander.IParameterValidator; +import com.beust.jcommander.ParameterException; + +import java.io.File; +import java.io.IOException; + +public class FileArgumentValidator implements IParameterValidator { + public void validate(String name, String value) throws ParameterException { + try { + File file = new File(value); + if (!file.isFile()) { + throw new ParameterException("Invalid file path: " + value + + ". Please verify file path."); + } + } catch (NullPointerException e) { + throw new ParameterException("File path cannot be null: " + e.getMessage()); + } catch (SecurityException e) { + throw new ParameterException("Read access denied for " + value + + ", please verify permissions."); + } + } +} diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java index 4d4960b3..4b462004 100644 --- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java +++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java 
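Review bot: `FileArgumentValidator.validate` accepts any path that `isFile()` reports, but never checks that the process can read it, so an existing but unreadable swidtag passes option parsing and only fails later with a less specific error; change the test to `if (!file.isFile() || !file.canRead())`. The `SecurityException` handler reports "Read access denied", although `isFile()` only raises that under a SecurityManager, so the message will rarely describe what actually happened. `java.io.IOException` is imported but unused and should be dropped, and the class has no Javadoc — a one-liner such as `/** JCommander validator that rejects arguments which do not name an existing, readable file. */` would do. The check is a parse-time snapshot only; the code that opens the file later still has to handle failure itself.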
@@ -9,6 +9,7 @@ import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; +import org.w3c.dom.Document; public class TestSwidTagGateway { private SwidTagGateway gateway; @@ -162,6 +163,23 @@ public class TestSwidTagGateway { Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT, "DEFAULT")); } + /** + * This test corresponds to the arguments: + * -s -d + */ + @Test + public void testCreateDetachedSignature() { + try { + String signFilePath = TestSwidTagGateway.class.getClassLoader() + .getResource(BASE_RFC3852_TIMESTAMP).getPath(); + gateway.setDefaultCredentials(true); + Document doc = gateway.signXMLDocument(signFilePath); + gateway.writeSwidTagFile(doc, DEFAULT_OUTPUT); + } catch (Exception e) { + e.printStackTrace(); + } + } + /** * This method compares two files by bytes to determine if they are the same or not. * diff --git a/tools/tcg_rim_tool/src/test/resources/generated_default_cert.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_default_cert.swidtag index 855718c1..834d9a2b 100644 --- a/tools/tcg_rim_tool/src/test/resources/generated_default_cert.swidtag +++ b/tools/tcg_rim_tool/src/test/resources/generated_default_cert.swidtag @@ -1,5 +1,5 @@ - + 
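Review bot: `testCreateDetachedSignature` can never fail: every exception is caught and merely printed, and nothing is asserted about `doc` or the written file, so a broken `signXMLDocument` still passes CI. Replace the catch body with `Assert.fail(e.getMessage());` and assert on the result, e.g. `Assert.assertNotNull(doc);` followed by validating `DEFAULT_OUTPUT` or comparing it against a checked-in detached-signature resource. The Javadoc should also name the fixture that is signed (`BASE_RFC3852_TIMESTAMP`) so a reader knows which resource the expected output depends on.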
@@ -17,14 +17,14 @@ - DJMc0n3VHHwU+F3HNpiY/l3EMcjRZAQOYlrjhD5v9qE= + f3ulvid12X4b4EqgAQrriXwqvqlNd1GXoSf/wI+zf2A= - ojJ6v8ToxLWWekCKmBoZ+Yg2V4MYMPbKB9FjDs/QG/AMP+LKjnb55Z7FSLhC8+CvvShKPAoS9mv1 -QepwI17NEqbfnC1U4WH0u578A3J6wiHMXIDnIQqKAAXb8v2c/wjMDArzFl8CXmDA7HUDIt+3C4VC -tA598YY7o0Hf6hK5qO8oWGQxXUKfpUwvtGLxHpbDWYFuVSPa+uk6OTzutt/QyzTERzxyO9Le1i6K -nrpzh4lgHn6EfGs6HR1ffdHQ069q0bE61zDx0VC18nK9DmszW6p6FlMzApiTVW/4PiVt+dSFeVGR -9///OdtxcoBCeofDDFPRyO+s+kY1pXd92Q3nfg== + GbvVCBhCDBa1Oz0HereVan1VzqFnkhQbG/QvYAtaPwWCpqtVqSTla0dvEW8LFKJtoLpE8ZQopshx +se53rd9Z4aR2ok7VKfhtFV6LCNseyvmzWypqzCvLaG0net7EpMCixj8i0A5e4zaAEgt5Jqg1Acew +hAY8XSnz9/e0EuzC3s9QlWSZHBtSvqlWUhsSVThf9KyHE3F/bwUGmEg6QdtREAr3c2jNK+LEN5MF +hx64fG/WLRaAkw0lEWnBbjCdiB1ao+1G/c9yzxUQ82EriJdRBYjuRVmMlIOFRtYqe7oc5148pAAY +qhol4MYlrmdjg9aW+2nv4KHHSDIhVgAAwRNJoQ== 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 diff --git a/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3339.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3339.swidtag index cee8c323..13538603 100644 --- a/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3339.swidtag +++ b/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3339.swidtag @@ -1,5 +1,5 @@ - + 
@@ -17,18 +17,18 @@ - DJMc0n3VHHwU+F3HNpiY/l3EMcjRZAQOYlrjhD5v9qE= + f3ulvid12X4b4EqgAQrriXwqvqlNd1GXoSf/wI+zf2A= j8sqX9NGt8DAPOvbhXKAT648BGdPnQnblai1PYDUryE= - N8QB5dMLnSLaDuCO8Ds/9nPlJGzsF1HJCthEXDXPrMTpfWBwmsVTqtNwoGzHIXlx8HDdDcfTLa3j -3rfFmDZNMqv6+6jjjJZerpN6XyWHGaVjVuPiNGmafE5SajTg53+6KlWXTGs3kcbbV5cTtjASz/A0 -cz9gBYTwYXmWA3+V0USLA0MNYzPkKp83eDnizbrkGx824NU9qG1DetVFfZqotWoTGJ1Wz4J8D1yR -wUILS0DbtZalCNVv3kw9raIRKQ/CjlDztfP1SgiNuXu6IaVZKoVG9HGp3s8pQvFPHr0HD2sNrAkx -twKcg3XIzGrTc22Y2TYw9Dk3NxumQSp4kve6ow== + RvpLLE0rAaZrj54xy3Ki1GJ3csJI5lzshcpQQz7M5dn56Wo1ShfQR7OqGN1ZMULAtYsR0vtt9UFk +3JuB1/tsA1KuT5sNTR6ZbOCaMGfV448ufbY48Vbk8Bs+2N0mZuuD3IUwARlbjXxZwb/k1GnkGVKS +jneEK2dJ6Ktk8+XOLhoFd1JZqpz9Qv7s53GMtQc/QC18vrmUZDW5HABMCtZRpylGjBsP/Mabakb4 +Nr4veMqhEMGVm2UpYY3171nTCjerxrf0jXsLZoTbJdJtyjo9ihCbjzYUOG361liQ3k63jVfPQbDl +460jU4v+45L/sWNRUi29VBtgia7xAkQ3IdmSPA== 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 diff --git a/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3852.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3852.swidtag index d78d0b8c..5abb4248 100644 --- a/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3852.swidtag +++ b/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3852.swidtag @@ -1,5 +1,5 @@ - + 
@@ -17,18 +17,18 @@ - DJMc0n3VHHwU+F3HNpiY/l3EMcjRZAQOYlrjhD5v9qE= + f3ulvid12X4b4EqgAQrriXwqvqlNd1GXoSf/wI+zf2A= KC51x7iXfEjDYEieFP1lktWNGP6eCWpXe5/sr3V8PlU= - M6a+lIU7vIQmO0By/WCtocI4qzk4R4oXtduEpeyOfIH/xOTKkDI7E17v6dywLd7psZSKMPw8lRqp -AZCBvsU6zDXzLsAakO2ydmH2i5POWNArUq+GRw9KDnNPZWanmRSqjpV2mEjfx84IF2MaqXDPng1q -JrzKN8f00uHM+eOmXktyiBhJR9gT+htceMzAEzk8qeWCg6o6wFMx0JR1lUbGOXe070DtZCR7I0iQ -0iZfnNzMzuRf2GHw6aKnSyGwdr1pUeoxEVGR5jkY8a7mT/0mt+8kVq4FL1gikrSOzvotoZ+dGb0Q -JjzA2IgK+ti/Tc/FpLYKefXQwcVSUY+CD/HCvA== + kXHqmvPCDdlUrgxKVKNXy9xmYmrMiIunv/Rc4gaho2Cm6G46BYBcjfBFkKtvvKxt+iRwk2d0JxLA ++4oACcnUqrvfsP8WLUttrZmWvVWFcZ0WjVaqp06NVLK4for/XpJ0SQQQdO+PmEEgLzyZtydYl8n0 +tdFe9jAmIQD+DZmuHPE/abHvzCmCHgbfogHpkcoeDzT0FQu7Tvxyvae92F3jr2E/Tnt2pF9plxa0 +WZ+5WDmQ4gI+8DXETGxBhSMaR3GOvN+eFOyOUq/OzLs+T7UaOHLtmZHWKYWdBQa3j49VUREGu601 +qOAHjj9sJYSVuyrzDka6brY756ib6e7f1xwphw== 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 diff --git a/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag index b9588ce9..4bdde8f2 100644 --- a/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag +++ b/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag @@ -1,5 +1,5 @@ - + 
@@ -17,14 +17,14 @@ - DJMc0n3VHHwU+F3HNpiY/l3EMcjRZAQOYlrjhD5v9qE= + f3ulvid12X4b4EqgAQrriXwqvqlNd1GXoSf/wI+zf2A= - ojJ6v8ToxLWWekCKmBoZ+Yg2V4MYMPbKB9FjDs/QG/AMP+LKjnb55Z7FSLhC8+CvvShKPAoS9mv1 -QepwI17NEqbfnC1U4WH0u578A3J6wiHMXIDnIQqKAAXb8v2c/wjMDArzFl8CXmDA7HUDIt+3C4VC -tA598YY7o0Hf6hK5qO8oWGQxXUKfpUwvtGLxHpbDWYFuVSPa+uk6OTzutt/QyzTERzxyO9Le1i6K -nrpzh4lgHn6EfGs6HR1ffdHQ069q0bE61zDx0VC18nK9DmszW6p6FlMzApiTVW/4PiVt+dSFeVGR -9///OdtxcoBCeofDDFPRyO+s+kY1pXd92Q3nfg== + GbvVCBhCDBa1Oz0HereVan1VzqFnkhQbG/QvYAtaPwWCpqtVqSTla0dvEW8LFKJtoLpE8ZQopshx +se53rd9Z4aR2ok7VKfhtFV6LCNseyvmzWypqzCvLaG0net7EpMCixj8i0A5e4zaAEgt5Jqg1Acew +hAY8XSnz9/e0EuzC3s9QlWSZHBtSvqlWUhsSVThf9KyHE3F/bwUGmEg6QdtREAr3c2jNK+LEN5MF +hx64fG/WLRaAkw0lEWnBbjCdiB1ao+1G/c9yzxUQ82EriJdRBYjuRVmMlIOFRtYqe7oc5148pAAY +qhol4MYlrmdjg9aW+2nv4KHHSDIhVgAAwRNJoQ== 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 diff --git a/tools/tcg_rim_tool/src/test/resources/generated_user_cert_embed.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_user_cert_embed.swidtag index 5f0d13e5..a2fcadf6 100644 --- a/tools/tcg_rim_tool/src/test/resources/generated_user_cert_embed.swidtag +++ b/tools/tcg_rim_tool/src/test/resources/generated_user_cert_embed.swidtag @@ -1,5 +1,5 @@ - + 
@@ -17,14 +17,14 @@ - DJMc0n3VHHwU+F3HNpiY/l3EMcjRZAQOYlrjhD5v9qE= + f3ulvid12X4b4EqgAQrriXwqvqlNd1GXoSf/wI+zf2A= - ojJ6v8ToxLWWekCKmBoZ+Yg2V4MYMPbKB9FjDs/QG/AMP+LKjnb55Z7FSLhC8+CvvShKPAoS9mv1 -QepwI17NEqbfnC1U4WH0u578A3J6wiHMXIDnIQqKAAXb8v2c/wjMDArzFl8CXmDA7HUDIt+3C4VC -tA598YY7o0Hf6hK5qO8oWGQxXUKfpUwvtGLxHpbDWYFuVSPa+uk6OTzutt/QyzTERzxyO9Le1i6K -nrpzh4lgHn6EfGs6HR1ffdHQ069q0bE61zDx0VC18nK9DmszW6p6FlMzApiTVW/4PiVt+dSFeVGR -9///OdtxcoBCeofDDFPRyO+s+kY1pXd92Q3nfg== + GbvVCBhCDBa1Oz0HereVan1VzqFnkhQbG/QvYAtaPwWCpqtVqSTla0dvEW8LFKJtoLpE8ZQopshx +se53rd9Z4aR2ok7VKfhtFV6LCNseyvmzWypqzCvLaG0net7EpMCixj8i0A5e4zaAEgt5Jqg1Acew +hAY8XSnz9/e0EuzC3s9QlWSZHBtSvqlWUhsSVThf9KyHE3F/bwUGmEg6QdtREAr3c2jNK+LEN5MF +hx64fG/WLRaAkw0lEWnBbjCdiB1ao+1G/c9yzxUQ82EriJdRBYjuRVmMlIOFRtYqe7oc5148pAAY +qhol4MYlrmdjg9aW+2nv4KHHSDIhVgAAwRNJoQ== CN=example.RIM.signer,OU=PCClient,O=Example,ST=VA,C=US From b237309ec9456c852c5a6e22afd28af24d429158 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Fri, 21 Apr 2023 09:16:52 -0400 Subject: [PATCH 09/16] Clean up code following rebase with master. --- .../src/main/java/hirs/swid/Main.java | 18 ------------------ .../main/java/hirs/swid/SwidTagGateway.java | 2 +- .../generated_truststore_embed.swidtag | 14 +++++++------- 3 files changed, 8 insertions(+), 26 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index 65ea328f..6070fa25 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java 
@@ -55,24 +55,6 @@ public class Main { boolean embeddedCert = commander.isEmbedded(); boolean defaultKey = commander.isDefaultKey(); String outputFile = commander.getOutFile(); - if (!trustStoreFile.isEmpty()) { - gateway.setDefaultCredentials(true); - gateway.setJksTruststoreFile(trustStoreFile); - } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) { - gateway.setDefaultCredentials(false); - gateway.setPemCertificateFile(certificateFile); - gateway.setPemPrivateKeyFile(privateKeyFile); - if (embeddedCert) { - gateway.setEmbeddedCert(true); - } - } else if (defaultKey) { - gateway.setDefaultCredentials(true); - gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE); - } else { - System.out.println("A private key (-k) and public certificate (-p) " + - "are required, or the default key (-d) must be indicated."); - System.exit(1); - } if (!commander.getSignFile().isEmpty()) { Document doc = gateway.signXMLDocument(commander.getSignFile()); gateway.writeSwidTagFile(doc, outputFile); diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 81f8043b..d969fc16 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -626,7 +626,7 @@ public class SwidTagGateway { CredentialParser cp = new CredentialParser(); try { if (defaultCredentials) { - cp.parseJKSCredentials(jksTruststoreFile); + cp.parseDefaultCredentials(); privateKey = cp.getPrivateKey(); KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier()); keyInfoElements.add(keyName); diff --git a/tools/tcg_rim_tool/src/test/resources/generated_truststore_embed.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_truststore_embed.swidtag index 9387733a..0c10f304 100644 --- a/tools/tcg_rim_tool/src/test/resources/generated_truststore_embed.swidtag 
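Review bot: Replacing `cp.parseJKSCredentials(jksTruststoreFile)` with `cp.parseDefaultCredentials()` removes the only use of `jksTruststoreFile` on this path, and `Main` reaches this branch with `defaultCredentials` true for a user-supplied `-t` truststore as well as for `-d`; unless `parseDefaultCredentials` reads that field some other way (not visible here), a caller who passes their own keystore now has the RIM silently signed with the bundled key. Keep the file-based call when a path was given, e.g. `if (jksTruststoreFile == null || jksTruststoreFile.isEmpty()) { cp.parseDefaultCredentials(); } else { cp.parseJKSCredentials(jksTruststoreFile); }`. A signing tool should never fall back to a well-known key without saying so; at minimum print which credential was used. The enclosing method (signXMLDocument, judging by the earlier hunks) begins and ends outside this hunk.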
+++ b/tools/tcg_rim_tool/src/test/resources/generated_truststore_embed.swidtag @@ -1,5 +1,5 @@ - + @@ -17,14 +17,14 @@ - DJMc0n3VHHwU+F3HNpiY/l3EMcjRZAQOYlrjhD5v9qE= + f3ulvid12X4b4EqgAQrriXwqvqlNd1GXoSf/wI+zf2A= - ojJ6v8ToxLWWekCKmBoZ+Yg2V4MYMPbKB9FjDs/QG/AMP+LKjnb55Z7FSLhC8+CvvShKPAoS9mv1 -QepwI17NEqbfnC1U4WH0u578A3J6wiHMXIDnIQqKAAXb8v2c/wjMDArzFl8CXmDA7HUDIt+3C4VC -tA598YY7o0Hf6hK5qO8oWGQxXUKfpUwvtGLxHpbDWYFuVSPa+uk6OTzutt/QyzTERzxyO9Le1i6K -nrpzh4lgHn6EfGs6HR1ffdHQ069q0bE61zDx0VC18nK9DmszW6p6FlMzApiTVW/4PiVt+dSFeVGR -9///OdtxcoBCeofDDFPRyO+s+kY1pXd92Q3nfg== + GbvVCBhCDBa1Oz0HereVan1VzqFnkhQbG/QvYAtaPwWCpqtVqSTla0dvEW8LFKJtoLpE8ZQopshx +se53rd9Z4aR2ok7VKfhtFV6LCNseyvmzWypqzCvLaG0net7EpMCixj8i0A5e4zaAEgt5Jqg1Acew +hAY8XSnz9/e0EuzC3s9QlWSZHBtSvqlWUhsSVThf9KyHE3F/bwUGmEg6QdtREAr3c2jNK+LEN5MF +hx64fG/WLRaAkw0lEWnBbjCdiB1ao+1G/c9yzxUQ82EriJdRBYjuRVmMlIOFRtYqe7oc5148pAAY +qhol4MYlrmdjg9aW+2nv4KHHSDIhVgAAwRNJoQ== CN=example.RIM.signer,OU=PCClient,O=Example,ST=VA,C=US From fc802bce6e044bad133dad5ff26e7a51fca2099f Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 25 Apr 2023 07:08:18 -0400 Subject: [PATCH 10/16] Detached signature references its signed data by URI. Modified the validator class to distinguish between enveloped and detached signatures. --- .../main/java/hirs/swid/SwidTagGateway.java | 4 +- .../main/java/hirs/swid/SwidTagValidator.java | 60 +++++++++++++++++-- .../src/test/resources/detached_signature.xml | 19 ++++++ 3 files changed, 76 insertions(+), 7 deletions(-) create mode 100644 tools/tcg_rim_tool/src/test/resources/detached_signature.xml diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index d969fc16..9c9f5ace 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java 
@@ -63,6 +63,7 @@ import java.io.IOException; import java.io.InputStream; import java.io.StringReader; import java.math.BigInteger; +import java.net.URI; import java.nio.file.Files; import java.nio.file.Paths; import java.security.InvalidAlgorithmParameterException; @@ -569,6 +570,7 @@ public class SwidTagGateway { public Document signXMLDocument(String signFile) { //Read signFile contents String xmlToSign = ""; + URI fileUri = new File(signFile).toURI(); try { byte[] fileContents = Files.readAllBytes(Paths.get(signFile)); xmlToSign = new String(fileContents); //safe to assume default charset?? @@ -605,7 +607,7 @@ public class SwidTagGateway { try { sigFactory = XMLSignatureFactory.getInstance("DOM"); //ref must be distinguished from existing - Reference ref = sigFactory.newReference("#" + softwareIdentityId, + Reference ref = sigFactory.newReference(fileUri.toString(), sigFactory.newDigestMethod(DigestMethod.SHA256, null)); signedInfo = sigFactory.newSignedInfo( sigFactory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE, diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java index e2cabca2..974db1b0 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java @@ -5,6 +5,7 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.NodeList; +import org.xml.sax.InputSource; import org.xml.sax.SAXException; import javax.security.auth.x500.X500Principal; 
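Review bot: `sigFactory.newReference(fileUri.toString(), ...)` embeds the signer's absolute `file:///…` path in the detached signature, which leaks the local directory layout and only verifies on a machine where the RIM sits at the same absolute path — the verifier's default dereferencer will try to open exactly that URI. Use a relative reference and let the context supply the base: `Reference ref = sigFactory.newReference(new File(signFile).getName(), …)` together with `context.setBaseURI(new File(signFile).getAbsoluteFile().getParentFile().toURI().toString())` where the `DOMSignContext` is built (outside this hunk). With the `#id` reference gone, the `context.setIdAttributeNS(softwareIdentity, null, "id")` call in the same method no longer influences the signature and can be removed. signXMLDocument begins and ends outside these hunks.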
@@ -26,6 +27,9 @@ import javax.xml.crypto.dsig.dom.DOMValidateContext; import javax.xml.crypto.dsig.keyinfo.KeyInfo; import javax.xml.crypto.dsig.keyinfo.KeyValue; import javax.xml.crypto.dsig.keyinfo.X509Data; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.Source; import javax.xml.transform.Transformer; import javax.xml.transform.TransformerConfigurationException; @@ -38,6 +42,9 @@ import javax.xml.validation.SchemaFactory; import java.io.File; import java.io.IOException; import java.io.InputStream; +import java.io.StringReader; +import java.nio.file.Files; +import java.nio.file.Paths; import java.security.InvalidKeyException; import java.security.Key; import java.security.KeyException; 
@@ -112,18 +119,31 @@ public class SwidTagValidator { Document document = unmarshallSwidTag(path); Element softwareIdentity = (Element) document.getElementsByTagName("SoftwareIdentity").item(0); - StringBuilder si = new StringBuilder("Base RIM detected:\n"); - si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n"); - si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n"); - System.out.println(si.toString()); - Element file = (Element) document.getElementsByTagName("File").item(0); + Element signature = (Element) document.getElementsByTagName("Signature").item(0); + if (signature != null && softwareIdentity == null) { + return validateDetachedSignature(document, format); + } else if (signature != null && softwareIdentity != null) { + StringBuilder si = new StringBuilder("Base RIM detected:\n"); + si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n"); + si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n"); + System.out.println(si.toString()); + return validateEnvelopedSignature(document, format); + } else { + System.out.println("Invalid xml for validation, please verify " + path); + } + + return false; + } + + private boolean validateEnvelopedSignature(Document doc, String format) { + Element file = (Element) doc.getElementsByTagName("File").item(0); try { validateFile(file); } catch (Exception e) { System.out.println(e.getMessage()); return false; } - boolean swidtagValidity = validateSignedXMLDocument(document, format); + boolean swidtagValidity = validateSignedXMLDocument(doc, format); if (swidtagValidity) { System.out.println("Signature core validity: true"); return true; 
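Review bot: The new dispatch routes any document with a `Signature` element but no `SoftwareIdentity` to `validateDetachedSignature`, and that path can report success without the caller ever naming the RIM the signature is supposed to cover: the file that gets digested is whatever URI the signature file itself lists, so "valid" only means "some file at the URI named in this signature matched", and the enveloped path's `validateFile` check is skipped entirely. `validateSwidTag` should take (or derive) the path of the RIM being verified, check that the signature's `Reference` URI resolves to that file, and run `validateFile` on that RIM's payload before returning true. The `getElementsByTagName("Signature")` lookup also matches only an unprefixed element; if `unmarshallSwidTag` parses namespace-aware and the signature is serialized as `ds:Signature`, the detached case falls into the "Invalid xml" branch — `getElementsByTagNameNS(XMLSignature.XMLNS, "Signature")` is the robust form. `validateSwidTag` begins before this hunk.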
@@ -133,6 +153,34 @@ public class SwidTagValidator { } } + private boolean validateDetachedSignature(Document doc, String format) { +/* DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + DocumentBuilder db = null; + Document doc = null; + + byte[] fileContents = new byte[0]; + try { + fileContents = Files.readAllBytes(Paths.get(path)); + } catch (IOException e) { + System.out.println("Error reading " + path + " for validation"); + } + String xmlString = new String(fileContents); + try { + db = dbf.newDocumentBuilder(); + doc = db.parse(path); + } catch (ParserConfigurationException e) { + System.out.println("Error instantiating DocumentBuilder object: " + e.getMessage()); + } catch (SAXException e) { + e.printStackTrace(); + } catch (IOException e) { + e.printStackTrace(); + } catch (IllegalArgumentException e) { + System.out.println("Tried to parse a null file at " + path); + } +*/ + return validateSignedXMLDocument(doc, format); + } + /** * This method validates a hirs.swid.xjc.File from an indirect payload */ diff --git a/tools/tcg_rim_tool/src/test/resources/detached_signature.xml b/tools/tcg_rim_tool/src/test/resources/detached_signature.xml new file mode 100644 index 00000000..fc2ca755 --- /dev/null +++ b/tools/tcg_rim_tool/src/test/resources/detached_signature.xml @@ -0,0 +1,19 @@ + + + + + + + + 2nWBzbaADibxwD1sTQltPrKXt+bhJ2qMjKWgLg18EZE= + + + oCj3hZK/vZLncKPWIVbjNUa7nwHVTPZrzBLwX7e11eWmSDSvTtfsl+UrBrgAit5FFpG/3oSEtnw6 +iQAIr80aWaL1/EFylI/w94/zh9m2Y1f0P5w+HD6pS34ALBSBn+9GbDZ48/v1nJ6oDGCw7/3oXkIT +Id+SpS/vuG3SPK0Ej3eFQQc2ahHvOdBKT+UhD9kWVi/esqF0PI0qwd18coMsrQNcqpTBghou+n++ +G+YIWG4Tkgey+EOQLdWLEIch0KeVL1s9ANPOFHKqT4a2BaYe0S7g8xhQ9ERtCnSusb09fgycjl0V +5Mx9t3pdwIXjsS8FWNd25Xc7kayNrq8H+3aRgg== + + 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 + + From f98edb93712644cb24013909baceceaea5a5d047 Mon Sep 17 00:00:00 2001 
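Review bot: `validateDetachedSignature` hands the signature document straight to `validateSignedXMLDocument`, so the `Reference` URI inside an untrusted signature file decides what the verifier dereferences — a `file:` or `http:` URI is read from the verifier's machine or network before the digest is even compared. Presumably that method builds a `DOMValidateContext` (it is imported above); install a `URIDereferencer` on it, or set its base URI and reject any absolute URI, so only the RIM the caller named can be read. The twenty-odd lines of commented-out parsing code inside the method should be deleted rather than shipped — version control keeps them, and they reference a `path` variable the method does not have. Until the dereferencing is tightened the method needs a Javadoc line such as `/** Validates a detached XML signature; the referenced RIM is resolved from the signature's own URI. */`.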
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Thu, 15 Dec 2022 12:52:19 -0500 Subject: [PATCH 11/16] Add xpath filter to select SoftwareIdentity element --- tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 9c9f5ace..e988dd3b 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -43,6 +43,7 @@ import javax.xml.crypto.dsig.keyinfo.KeyName; import javax.xml.crypto.dsig.keyinfo.X509Data; import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec; import javax.xml.crypto.dsig.spec.TransformParameterSpec; +import javax.xml.crypto.dsig.spec.XPathFilterParameterSpec; import javax.xml.namespace.QName; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; From 21108defbb3250130838e02c987062bae3729827 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 21 Mar 2023 02:05:40 -0400 Subject: [PATCH 12/16] Register id attribute for SoftwareIdentity --- tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index e988dd3b..cdccf46e 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -79,6 +79,7 @@ import java.util.Base64; import java.util.Collections; import java.util.List; import java.util.Map; +import java.util.UUID; /** From 1a5673a29b20a8907868506b9bd3bb3420f409bf Mon Sep 17 00:00:00 2001 
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 21 Mar 2023 02:13:05 -0400 Subject: [PATCH 13/16] Revert "Add xpath filter to select SoftwareIdentity element" This reverts commit de594103090862570c1517f78fe3944de1f2d7e5. --- tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index cdccf46e..9c9f5ace 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -43,7 +43,6 @@ import javax.xml.crypto.dsig.keyinfo.KeyName; import javax.xml.crypto.dsig.keyinfo.X509Data; import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec; import javax.xml.crypto.dsig.spec.TransformParameterSpec; -import javax.xml.crypto.dsig.spec.XPathFilterParameterSpec; import javax.xml.namespace.QName; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -79,7 +78,6 @@ import java.util.Base64; import java.util.Collections; import java.util.List; import java.util.Map; -import java.util.UUID; /** From f4645192357038a70d7763c504991b4ae56c3c9b Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Thu, 23 Mar 2023 05:17:24 -0400 Subject: [PATCH 14/16] Restructure try/catch blocks for readability --- .../src/main/java/hirs/swid/SwidTagGateway.java | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 9c9f5ace..b1f982b2 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java 
@@ -656,8 +656,17 @@ public class SwidTagGateway {
 }
 KeyInfo keyinfo = kiFactory.newKeyInfo(keyInfoElements);
- Document detachedSignature = db.newDocument();
- DOMSignContext context = new DOMSignContext(privateKey, detachedSignature);
+ Document detachedSignature = null;
+ try {
+ detachedSignature = DocumentBuilderFactory.newInstance() .newDocumentBuilder().newDocument();
+ } catch (ParserConfigurationException e) {
+ System.out.println("Error creating new document object: " + e.getMessage());
+ }
+ detachedSignature.setXmlVersion("1.0");
+ detachedSignature.appendChild(detachedSignature.createElement("root"));
+ DOMSignContext context = new DOMSignContext(privateKey,
+ detachedSignature.getDocumentElement());
 context.setIdAttributeNS(softwareIdentity, null, "id");
 XMLSignature signature = sigFactory.newXMLSignature(signedInfo, keyinfo);
 try {
@@ -666,6 +675,7 @@ public class SwidTagGateway {
 System.out.println("Error while signing SoftwareIdentity");
 e.printStackTrace();
 }
+ System.out.println("Detached signature: " + detachedSignature);
 return detachedSignature;
 }
From 681fc92a3c38f2c3985e8741dbc6fd13d1a774f8 Mon Sep 17 00:00:00 2001
From: chubtub <43381989+chubtub@users.noreply.github.com>
Date: Thu, 13 Apr 2023 00:14:15 -0400
Subject: [PATCH 15/16] Modify gateway class to generate a detached signature for a signed swidtag. Created new unit test and updated test resource files.
---
 .../src/main/java/hirs/swid/SwidTagGateway.java | 14 ++------------
 .../test/java/hirs/swid/TestSwidTagGateway.java | 1 +
 2 files changed, 3 insertions(+), 12 deletions(-)
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
index b1f982b2..9c9f5ace 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
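Review bot: In the new try/catch a ParserConfigurationException is only printed and execution falls through with `detachedSignature` still null, so the very next line `detachedSignature.setXmlVersion("1.0");` would throw a NullPointerException instead of reporting the real cause. The catch should fail the signing operation, e.g. `throw new IllegalStateException("Error creating new document object", e);`, which also preserves the stack trace that the `e.getMessage()` println discards. The enclosing method starts before this hunk; note that PATCH 15/16 later on this page removes this block again, so the point only matters if it is reintroduced.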
@@ -656,17 +656,8 @@ public class SwidTagGateway {
 }
 KeyInfo keyinfo = kiFactory.newKeyInfo(keyInfoElements);
- Document detachedSignature = null;
- try {
- detachedSignature = DocumentBuilderFactory.newInstance() .newDocumentBuilder().newDocument();
- } catch (ParserConfigurationException e) {
- System.out.println("Error creating new document object: " + e.getMessage());
- }
- detachedSignature.setXmlVersion("1.0");
- detachedSignature.appendChild(detachedSignature.createElement("root"));
- DOMSignContext context = new DOMSignContext(privateKey,
- detachedSignature.getDocumentElement());
+ Document detachedSignature = db.newDocument();
+ DOMSignContext context = new DOMSignContext(privateKey, detachedSignature);
 context.setIdAttributeNS(softwareIdentity, null, "id");
 XMLSignature signature = sigFactory.newXMLSignature(signedInfo, keyinfo);
 try {
@@ -675,7 +666,6 @@ public class SwidTagGateway {
 System.out.println("Error while signing SoftwareIdentity");
 e.printStackTrace();
 }
- System.out.println("Detached signature: " + detachedSignature);
 return detachedSignature;
 }
diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java
index 4b462004..ce32ef43 100644
--- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java
@@ -175,6 +175,7 @@ public class TestSwidTagGateway {
 gateway.setDefaultCredentials(true);
 Document doc = gateway.signXMLDocument(signFilePath);
 gateway.writeSwidTagFile(doc, DEFAULT_OUTPUT);
+ validator.validateSwidTag(DEFAULT_OUTPUT, "DEFAULT");
 } catch (Exception e) {
 e.printStackTrace();
 }
From 5fc268381e3dbc8a987b94f179d7a55937c0f4c9 Mon Sep 17 00:00:00 2001
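Review bot: After the restored `Document detachedSignature = db.newDocument();` the method still returns that document unconditionally: the catch shown as context in the next hunk prints "Error while signing SoftwareIdentity" and the stack trace, then `return detachedSignature;` hands back an empty, unsigned document that callers such as `writeSwidTagFile` cannot distinguish from a successful signature. A failed sign should propagate, e.g. replace the two println/printStackTrace lines with `throw new IllegalStateException("Error while signing SoftwareIdentity", e);` (or declare the signing exception on the method), so that no unsigned tag is ever written. The enclosing method starts before this hunk, and the signing call itself lies between the two hunks.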
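Review bot: The added `validator.validateSwidTag(DEFAULT_OUTPUT, "DEFAULT");` cannot fail the test: its result is discarded and the surrounding `catch (Exception e) { e.printStackTrace(); }` turns any validation exception into console output, so a tag with a broken signature would still pass. Either assert on the value validateSwidTag returns, if it reports one, or drop the catch and declare the exceptions on the test method so that a validation failure fails the test. The test method's start is outside this hunk, so I cannot see whether it already declares `throws`.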
From: chubtub <43381989+chubtub@users.noreply.github.com>
Date: Mon, 8 May 2023 20:53:02 -0400
Subject: [PATCH 16/16] Delete detached_signature.xml
---
 .../src/test/resources/detached_signature.xml | 19 -------------------
 1 file changed, 19 deletions(-)
 delete mode 100644 tools/tcg_rim_tool/src/test/resources/detached_signature.xml
diff --git a/tools/tcg_rim_tool/src/test/resources/detached_signature.xml b/tools/tcg_rim_tool/src/test/resources/detached_signature.xml
deleted file mode 100644
index fc2ca755..00000000
--- a/tools/tcg_rim_tool/src/test/resources/detached_signature.xml
+++ /dev/null
@@ -1,19 +0,0 @@ - - - - - - - - 2nWBzbaADibxwD1sTQltPrKXt+bhJ2qMjKWgLg18EZE= - - oCj3hZK/vZLncKPWIVbjNUa7nwHVTPZrzBLwX7e11eWmSDSvTtfsl+UrBrgAit5FFpG/3oSEtnw6 -iQAIr80aWaL1/EFylI/w94/zh9m2Y1f0P5w+HD6pS34ALBSBn+9GbDZ48/v1nJ6oDGCw7/3oXkIT -Id+SpS/vuG3SPK0Ej3eFQQc2ahHvOdBKT+UhD9kWVi/esqF0PI0qwd18coMsrQNcqpTBghou+n++ -G+YIWG4Tkgey+EOQLdWLEIch0KeVL1s9ANPOFHKqT4a2BaYe0S7g8xhQ9ERtCnSusb09fgycjl0V -5Mx9t3pdwIXjsS8FWNd25Xc7kayNrq8H+3aRgg== - - 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 - -