From c69affd4f638c46f269c54a8521dae9215ac9ead Mon Sep 17 00:00:00 2001
From: chubtub <43381989+chubtub@users.noreply.github.com>
Date: Fri, 12 Jun 2020 09:20:47 -0400
Subject: [PATCH] Added a check against embedding a self-signed cert. Requires
a support RIM (TCG event log) whose name, size, and SHA-256 hash are added to the payload.
---
tools/tcg_rim_tool/generated_swidTag.swidtag | 34 -------------
.../main/java/hirs/swid/CredentialParser.java | 5 +-
.../src/main/java/hirs/swid/Main.java | 17 ++++---
.../main/java/hirs/swid/SwidTagGateway.java | 47 ++++++++++++++----
.../main/java/hirs/swid/utils/Commander.java | 14 +++---
.../main/resources}/identity_transform.xslt | 0
.../java/hirs/swid/TestSwidTagGateway.java | 12 +++--
.../src/test/resources/RimSignCert.pem | 22 ++++++++
.../src/test/resources/TpmLog.bin | Bin 0 -> 7549 bytes
.../test/resources/generated_no_cert.swidtag | 14 +++---
.../resources/generated_with_cert.swidtag | 14 +++---
.../src/test/resources/privateRimKey.pem | 28 +++++++++++
12 files changed, 130 insertions(+), 77 deletions(-)
delete mode 100644 tools/tcg_rim_tool/generated_swidTag.swidtag
rename tools/tcg_rim_tool/{ => src/main/resources}/identity_transform.xslt (100%)
create mode 100644 tools/tcg_rim_tool/src/test/resources/RimSignCert.pem
create mode 100644 tools/tcg_rim_tool/src/test/resources/TpmLog.bin
create mode 100644 tools/tcg_rim_tool/src/test/resources/privateRimKey.pem
diff --git a/tools/tcg_rim_tool/generated_swidTag.swidtag b/tools/tcg_rim_tool/generated_swidTag.swidtag
deleted file mode 100644
index 447a409d..00000000
--- a/tools/tcg_rim_tool/generated_swidTag.swidtag
+++ /dev/null
@@ -1,34 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
- gLCM4kz8qvB6JkV+yDnv3KzqEloiSsBik2OeyBOSw/A=
-
-
- a+kmQfOSpSaMnazRJIOq2349Iuskpan4vh0N4dobjJ8Tb3lPjf97YiqgFsoSm5uydOPXs/lkN51g
-Ox9CCBZ2bquDuuBPpAq5IQ3wZ28G+DYzva+pz7EHKge3gIRzMKjCyDx4bjn+3GUeg+A4KNHNcUfi
-qkDVi3245/4IC/nIzm6a+3qVqsYH4mLqp1yO/Xbuqvkc5X0GobGIO6EOhXxuBii6O7GGv+cIVp3v
-Xdd9zIwFVedeqeYextz5EDzDNHittmtNd+KEl0N3/45aXGDiRFiuiNy/sf7KR+wutbwJV7RlaDN7
-QEaanCXCs6h5PehTh8EDEE9atceBS7IBje0dtw==
-
- 2fdeb8e7d030a2209daa01861a964fedecf2bcc1
-
-
- p3WVYaRJG7EABjbAdqDYZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpx
-xkM6N18jEhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew90d9
-dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpNyM+5BAg2zl/Fqw0q
-otjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7VYQySrzIinaOBFSgViR72kHemH2lW
-jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==
- AQAB
-
-
-
-
-
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java
index 96f3fe5a..5cd44508 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java
@@ -52,8 +52,11 @@ public class CredentialParser {
publicKey = certificate.getPublicKey();
}
- public void parsePEMCredentials(String certificateFile, String privateKeyFile) throws FileNotFoundException {
+ public void parsePEMCredentials(String certificateFile, String privateKeyFile) throws CertificateException, FileNotFoundException {
certificate = parsePEMCertificate(certificateFile);
+ if (certificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) {
+ throw new CertificateException("Signing certificate cannot be self-signed!");
+ }
privateKey = parsePEMPrivateKey(privateKeyFile, "RSA");
publicKey = certificate.getPublicKey();
}
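Review bot: Comparing the issuer and subject DNs detects a self-issued name, not a self-signed signature: a certificate signed with its own key but carrying a different issuer name slips past this check, while a legitimately-issued certificate whose subject happens to equal its issuer name is rejected. The reliable test is to verify the certificate's signature under its own public key, as sketched below (needs `java.security.SignatureException`, `InvalidKeyException`, `NoSuchAlgorithmException`, `NoSuchProviderException` in scope). Rejecting self-signed certificates still does not establish trust in the signer, and nothing here confirms that `privateKeyFile` actually corresponds to `certificate.getPublicKey()`, so a mismatched pair would produce a RIM whose embedded certificate cannot verify its own signature; consider checking that as well.
```java
public void parsePEMCredentials(String certificateFile, String privateKeyFile)
        throws CertificateException, FileNotFoundException {
    certificate = parsePEMCertificate(certificateFile);
    if (isSelfSigned(certificate)) {
        throw new CertificateException("Signing certificate cannot be self-signed: "
                + certificate.getSubjectX500Principal());
    }
    privateKey = parsePEMPrivateKey(privateKeyFile, "RSA");
    publicKey = certificate.getPublicKey();
}

/** True when the certificate's signature verifies under its own public key. */
private static boolean isSelfSigned(X509Certificate cert) throws CertificateException {
    try {
        cert.verify(cert.getPublicKey());
        return true;
    } catch (SignatureException | InvalidKeyException e) {
        return false; // signed by some other key
    } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
        throw new CertificateException("Unable to verify signing certificate", e);
    }
}
```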
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
index 1f93b38c..b5da4d61 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
@@ -21,8 +21,8 @@ public class Main {
if (!commander.getVerifyFile().isEmpty()) {
System.out.println(commander.toString());
String verifyFile = commander.getVerifyFile();
- String publicCertificate = commander.getPublicCertificate();
- if (!verifyFile.isEmpty() && !publicCertificate.isEmpty()) {
+ //String publicCertificate = commander.getPublicCertificate();
+ if (!verifyFile.isEmpty()) {
try {
gateway.validateSwidTag(verifyFile);
} catch (IOException e) {
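Review bot: The verify path no longer requires an operator-supplied certificate, so `gateway.validateSwidTag(verifyFile)` is left to trust whatever key material the RIM itself carries; if that method validates against the tag's embedded KeyInfo (its body is outside this hunk), a RIM that has been modified and re-signed with any key will pass. The trust anchor should still come from the operator, e.g. keep requiring `-p` or validate against a configured trust store. Separately, delete the dead `//String publicCertificate = commander.getPublicCertificate();` line rather than commenting it out; the history keeps it.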
@@ -30,7 +30,7 @@ public class Main {
System.exit(1);
}
} else {
- System.out.println("Need both a RIM file to validate and a public certificate to validate with!");
+ System.out.println("Need a RIM file to validate!");
System.exit(1);
}
} else {
@@ -39,6 +39,7 @@ public class Main {
String attributesFile = commander.getAttributesFile();
String certificateFile = commander.getPublicCertificate();
String privateKeyFile = commander.getPrivateKeyFile();
+ String rimEventLog = commander.getRimEventLog();
switch (createType) {
case "BASE":
if (!attributesFile.isEmpty()) {
@@ -49,12 +50,14 @@ public class Main {
gateway.setPemCertificateFile(certificateFile);
gateway.setPemPrivateKeyFile(privateKeyFile);
}
+ if (rimEventLog.isEmpty()) {
+ System.out.println("Error: a support RIM is required!");
+ System.exit(1);
+ } else {
+ gateway.setRimEventLog(rimEventLog);
+ }
gateway.generateSwidTag(commander.getOutFile());
break;
- case "EVENTLOG":
- break;
- case "PCR":
- break;
}
}
}
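Review bot: With the `EVENTLOG` and `PCR` cases removed the switch has no `default`, so an unrecognised `createType` produces no output and exits 0; add `default: System.out.println("Unknown create type: " + createType); System.exit(1);`. The new `rimEventLog` check only rejects an empty string, and `java.io.File.length()` on a missing path returns 0 rather than failing, so a mistyped `-l` path would be embedded with size 0 unless the gateway validates it; a `Files.isReadable(Paths.get(rimEventLog))` check here gives a clear error before any signing happens. The enclosing `main` method continues past this hunk.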
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
index 4fbe8b52..05ac3b27 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
@@ -42,6 +42,7 @@ import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
+import hirs.swid.utils.HashSwid;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
@@ -59,6 +60,8 @@ import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
@@ -100,6 +103,7 @@ public class SwidTagGateway {
private boolean defaultCredentials;
private String pemPrivateKeyFile;
private String pemCertificateFile;
+ private String rimEventLog;
/**
* Default constructor initializes jaxbcontext, marshaller, and unmarshaller
@@ -142,13 +146,22 @@ public class SwidTagGateway {
this.pemPrivateKeyFile = pemPrivateKeyFile;
}
- /** Setter for certificate file in PEM format
+ /**
+ * Setter for certificate file in PEM format
* @param pemCertificateFile
*/
public void setPemCertificateFile(String pemCertificateFile) {
this.pemCertificateFile = pemCertificateFile;
}
+ /**
+ * Setter for event log support RIM
+ * @param rimEventLog
+ */
+ public void setRimEventLog(String rimEventLog) {
+ this.rimEventLog = rimEventLog;
+ }
+
/**
* This method generates a base RIM from the values in a JSON file.
*
@@ -174,10 +187,7 @@ public class SwidTagGateway {
createSoftwareMeta(configProperties.get(SwidTagConstants.META).asObject()));
swidTag.getEntityOrEvidenceOrLink().add(meta);
//File
- hirs.swid.xjc.File file = createFile(
- configProperties.get(SwidTagConstants.PAYLOAD).asObject()
- .get(SwidTagConstants.DIRECTORY).asObject()
- .get(SwidTagConstants.FILE).asObject());
+ hirs.swid.xjc.File file = createFile();
//Directory
Directory directory = createDirectory(
configProperties.get(SwidTagConstants.PAYLOAD).asObject()
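Review bot: The payload `file` stanza of the attributes JSON is now silently ignored: `createFile()` takes no arguments, yet `createDirectory` still reads `payload.directory` from the same object, so an operator who kept a `file` entry (name, hash or support-RIM URI) in an existing attributes.json gets no indication that it was dropped. Emit a warning when that key is present, e.g. `if (directoryJson.get(SwidTagConstants.FILE) != null) System.out.println("Warning: payload file entry in attributes is ignored; the support RIM from -l is used instead");`. The enclosing method continues past this hunk.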
@@ -405,13 +415,27 @@ public class SwidTagGateway {
return directory;
}
+ /**
+ * This method creates a hirs.swid.xjc.File from an indirect payload type by
+ * calculating the hash of a given event log support RIM.
+ */
+ private hirs.swid.xjc.File createFile() {
+ hirs.swid.xjc.File file = objectFactory.createFile();
+ file.setName(rimEventLog);
+ File rimEventLogFile = new File(rimEventLog);
+ file.setSize(new BigInteger(Long.toString(rimEventLogFile.length())));
+ Map attributes = file.getOtherAttributes();
+ addNonNullAttribute(attributes, _SHA256_HASH, HashSwid.get256Hash(rimEventLog));
+
+ return file;
+ }
+
/**
- * This method creates a hirs.swid.xjc.File from three arguments, then calculates
- * and stores its hash as an attribute in itself.
+ * This method creates a hirs.swid.xjc.File from a direct payload type.
*
* @param jsonObject
* @return hirs.swid.xjc.File object from File object
- */
+ *
private hirs.swid.xjc.File createFile(JsonObject jsonObject) {
hirs.swid.xjc.File file = objectFactory.createFile();
file.setName(jsonObject.getString(SwidTagConstants.NAME, ""));
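Review bot: `createFile()` embeds `rimEventLog` verbatim as the payload name, so an absolute or relative path given on the command line (directory components, user names) ends up in the published, signed RIM, and `new File(rimEventLog).length()` returns 0 for a missing file rather than failing, so a mistyped path signs a payload with size 0 and whatever `HashSwid.get256Hash` returns for a missing file (not visible here; if it returns null, `addNonNullAttribute`'s `value.isEmpty()` throws NPE). The rewrite below fails fast on an unreadable path and records only the base name, which also keeps the test fixtures stable if the test later resolves the log through the classpath. The old `createFile(JsonObject)` is being kept as a `/* … */` block starting in its own Javadoc; delete it instead of commenting it out.
```java
/**
 * Builds the payload File entry for the support RIM: the event log's base name,
 * its size in bytes and its SHA-256 hash.
 *
 * @throws IllegalArgumentException if rimEventLog is not a readable regular file
 */
private hirs.swid.xjc.File createFile() {
    File logFile = new File(rimEventLog);
    if (!logFile.isFile() || !logFile.canRead()) {
        throw new IllegalArgumentException("Support RIM is not a readable file: " + rimEventLog);
    }
    hirs.swid.xjc.File file = objectFactory.createFile();
    // Only the base name goes into the RIM; the caller's local path is not part of the payload.
    file.setName(logFile.getName());
    file.setSize(BigInteger.valueOf(logFile.length()));
    Map attributes = file.getOtherAttributes();
    addNonNullAttribute(attributes, _SHA256_HASH, HashSwid.get256Hash(rimEventLog));
    return file;
}
```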
@@ -423,7 +447,7 @@ public class SwidTagGateway {
addNonNullAttribute(attributes, SwidTagConstants._SUPPORT_RIM_URI_GLOBAL, jsonObject.getString(SwidTagConstants.SUPPORT_RIM_URI_GLOBAL, ""));
return file;
- }
+ }*/
private void addNonNullAttribute(Map attributes, QName key, String value) {
if (!value.isEmpty()) {
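Review bot: The closing `}*/` finishes a block comment that was opened inside the previous method's Javadoc, leaving the whole of `createFile(JsonObject)` as commented-out code. Remove the method entirely; if a direct-payload variant is expected to return, a one-line `// TODO: direct payload type (file entry from attributes JSON) not yet supported` at the call site says more than 20 lines of dead code. `addNonNullAttribute` continues past this hunk.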
@@ -492,6 +516,8 @@ public class SwidTagGateway {
System.out.println(e.getMessage());
} catch (KeyException e) {
System.out.println("Error setting public key in KeyValue: " + e.getMessage());
+ } catch (CertificateException e) {
+ System.out.println(e.getMessage());
} catch (JAXBException e) {
System.out.println("Error marshaling signed swidtag: " + e.getMessage());
} catch (MarshalException | XMLSignatureException e) {
@@ -622,7 +648,8 @@ public class SwidTagGateway {
*/
private Document removeXMLWhitespace(String path) throws IOException {
TransformerFactory tf = TransformerFactory.newInstance();
- Source source = new StreamSource(new File("identity_transform.xslt"));
+ Source source = new StreamSource(
+ SwidTagGateway.class.getClassLoader().getResourceAsStream("identity_transform.xslt"));
Document document = null;
File input = new File(path);
if (input.length() > 0) {
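Review bot: `getResourceAsStream("identity_transform.xslt")` returns null when the resource is not on the classpath (it was just moved, so a packaging mistake is plausible), and `new StreamSource((InputStream) null)` only fails later inside the transformer with an unhelpful message; check for null and throw a clear `IOException`. Since `path` is the RIM being verified, which may come from an untrusted party, the factory should also refuse external DTDs and stylesheets before it touches that input; the actual transform and how `path` is read are past this hunk, so the attribute names below assume the JDK's built-in factory and need `javax.xml.XMLConstants` (and `java.io.InputStream`) in scope. The returned stream is never closed; wrap it in try-with-resources around the transform if that code is within the method.
```java
private Document removeXMLWhitespace(String path) throws IOException {
    TransformerFactory tf = TransformerFactory.newInstance();
    // The input may be an untrusted RIM: forbid external DTDs/stylesheets (JDK factory attributes).
    tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    InputStream xslt = SwidTagGateway.class.getClassLoader().getResourceAsStream("identity_transform.xslt");
    if (xslt == null) {
        throw new IOException("identity_transform.xslt is missing from the classpath");
    }
    Source source = new StreamSource(xslt);
    // … unchanged: document construction from path …
```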
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
index da380b03..678b1da7 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
@@ -35,10 +35,10 @@ public class Commander {
description = "The public key certificate used to verify a RIM file or to embed in a signed RIM. " +
"A signed RIM generated by this tool by default will not show the signing certificate without this parameter present.")
private String publicCertificate = "";
-/*
@Parameter(names = {"-l", "--rimel "}, order = 6,
description = "The TCG eventlog file to use as a support RIM. By default the last system eventlog will be used.")
private String rimEventLog = "";
+/*
@Parameter(names = {"-t", "--rimpcr "}, order = 7,
description = "The file containing TPM PCR values to use as a support RIM. By default the current platform TPM will be used.")
private String rimPcrs = "";
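Review bot: The long option name `"--rimel "` (and `"--rimpcr "` below) carries a trailing space inside the string, so the long form is never matched on the command line and only `-l` works; use `names = {"-l", "--rimel"}`. The description still says "By default the last system eventlog will be used", but Main now exits with an error when `-l` is absent, so the help text should read something like `"The TCG event log file to use as a support RIM; required when creating a base RIM."`. The `Commander` class continues past this hunk.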
@@ -76,11 +76,9 @@ public class Commander {
public String getPublicCertificate() {
return publicCertificate;
}
-/*
- public String getRimEventLog() {
- return rimEventLog;
- }
+ public String getRimEventLog() { return rimEventLog; }
+/*
public String getRimPcrs() {
return rimPcrs;
}
@@ -98,10 +96,10 @@ public class Commander {
sb.append("Create a base RIM using the values in attributes.json; " +
"sign it with the default keystore, alias, and password;\n");
sb.append("and write the data to base_rim.swidtag:\n\n");
- sb.append("\t\t-c base -a attributes.json -o base_rim.swidtag\n\n\n");
+ sb.append("\t\t-c base -a attributes.json -l support_rim.swidtag -o base_rim.swidtag\n\n\n");
sb.append("Create a base RIM using the default attribute values; sign it using privateKey.pem;\n");
sb.append("and write the data to console output, to include cert.pem in the signature block:\n\n");
- sb.append("\t\t-c base -k privateKey.pem -p cert.pem\n\n\n");
+ sb.append("\t\t-c base -l support_rim.swidtag -k privateKey.pem -p cert.pem\n\n\n");
return sb.toString();
}
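Review bot: Both usage examples pass `-l support_rim.swidtag`, but `-l` takes a raw TCG event log (the option description says so and the tests feed it `TpmLog.bin`), not a swidtag; a user following the example would hash an XML file and embed a meaningless payload. Change both examples to something like `-l eventlog.bin`, and update the first sentence at the top of this hunk, which still describes the base-RIM workflow without mentioning the now-mandatory support RIM.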
@@ -113,8 +111,8 @@ public class Commander {
sb.append("Verify file: " + getVerifyFile() + System.lineSeparator());
sb.append("Private key file: " + getPrivateKeyFile() + System.lineSeparator());
sb.append("Public certificate: " + getPublicCertificate() + System.lineSeparator());
-/*
sb.append("Event log support RIM: " + getRimEventLog() + System.lineSeparator());
+/*
sb.append("TPM PCRs support RIM: " + getRimPcrs() + System.lineSeparator());
sb.append("Base RIM to be signed: " + getToBeSigned() + System.lineSeparator());
sb.append("External signature file: " + getSignatureData() + System.lineSeparator());
diff --git a/tools/tcg_rim_tool/identity_transform.xslt b/tools/tcg_rim_tool/src/main/resources/identity_transform.xslt
similarity index 100%
rename from tools/tcg_rim_tool/identity_transform.xslt
rename to tools/tcg_rim_tool/src/main/resources/identity_transform.xslt
diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java
index 793c0ed6..a50cc0e3 100644
--- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java
@@ -5,7 +5,9 @@ import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
+import java.nio.file.Paths;
import java.util.Scanner;
+import java.net.URISyntaxException;
import org.testng.Assert;
import org.testng.annotations.BeforeClass;
@@ -19,11 +21,13 @@ public class TestSwidTagGateway {
private final String DEFAULT_NO_CERT = "generated_no_cert.swidtag";
private final String certificateFile = "RimSignCert.pem";
private final String privateKeyFile = "privateRimKey.pem";
+ private final String supportRimFile = "TpmLog.bin";
private InputStream expectedFile;
@BeforeClass
public void setUp() throws Exception {
gateway = new SwidTagGateway();
+ gateway.setRimEventLog(supportRimFile);
}
@AfterClass
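Review bot: `gateway.setRimEventLog(supportRimFile)` passes the bare string `"TpmLog.bin"`, which is resolved against the JVM's working directory rather than the test classpath, so the test hashes whatever `TpmLog.bin` happens to sit in the CWD, or a nonexistent file with `length()` 0, depending on how the build is invoked. Resolve it the same way the certificate is resolved, e.g. `Paths.get(getClass().getClassLoader().getResource(supportRimFile).toURI()).toString()`; note that because `createFile()` embeds the given string verbatim as the payload name, this only keeps the expected-output fixtures stable if the gateway records the base name. The test class continues past this hunk.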
@@ -38,10 +42,12 @@ public class TestSwidTagGateway {
* -c base -k privateRimKey.pem -p RimSignCert.pem
*/
@Test
- public void testCreateBaseWithCert() {
+ public void testCreateBaseWithCert() throws URISyntaxException {
gateway.setDefaultCredentials(false);
- gateway.setPemCertificateFile(certificateFile);
- gateway.setPemPrivateKeyFile(privateKeyFile);
+ gateway.setPemCertificateFile(
+ Paths.get(this.getClass().getResource(certificateFile).toURI()).toString());
+ gateway.setPemPrivateKeyFile(
+ Paths.get(this.getClass().getResource(privateKeyFile).toURI()).toString());
gateway.generateSwidTag(DEFAULT_OUTPUT);
expectedFile = (InputStream) TestSwidTagGateway.class.getClassLoader().getResourceAsStream(DEFAULT_WITH_CERT);
Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
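Review bot: `this.getClass().getResource(certificateFile)` resolves the name relative to the `hirs.swid` package, but `RimSignCert.pem` and `privateRimKey.pem` are added at the root of `src/test/resources`, so unless the build relocates test resources the lookup returns null and the test dies with a NullPointerException on `.toURI()` rather than a clear failure. Use the class loader, as `DEFAULT_WITH_CERT` already does on the next lines: `Paths.get(getClass().getClassLoader().getResource(certificateFile).toURI()).toString()`, and consider asserting the resource is non-null first. `testCreateBaseWithCert` continues past this hunk.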
diff --git a/tools/tcg_rim_tool/src/test/resources/RimSignCert.pem b/tools/tcg_rim_tool/src/test/resources/RimSignCert.pem
new file mode 100644
index 00000000..9d37a2fa
--- /dev/null
+++ b/tools/tcg_rim_tool/src/test/resources/RimSignCert.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/tools/tcg_rim_tool/src/test/resources/TpmLog.bin b/tools/tcg_rim_tool/src/test/resources/TpmLog.bin
new file mode 100644
index 0000000000000000000000000000000000000000..0b8f1f398d51035bc91afbe8400d4888a28d5669
GIT binary patch
literal 7549
zcmds53p`a>+h2!6H)=?dq+LukI^;4cmCNBAxieB{D&BHAZX@U9mIif5nUNZairneu
zQp}Wyq6@02K{H)mgj^eyq^o4S&)WN_P+#Ny=J)&heQW>rUhAyAp6CC6*7K~jo_!EP
zNEGf5m08fag3om(Oj!gwfa~q2u0;(KK_WD0O+Wlph?h|Ve9UlZ!23O^DykICyO6^xhF!iW#)@Hjb%6?P>>0o5n5keZ!_oTo4uA#OWU*I))Mz&c4)|qjT%7^|5Zq<|bFwt~%T4
zG-1d1*mE~erw5%;uoStY4Wk_!TX$aFdqXNq5;YwVogXzGqeH<2a9M%4$Qk(~AE*rx
z4=z81hQc%)DI9-liEdW9rTrx@mwT^M`bB+HqOw=ty
zu}$$W2wOVf`9#FbideWY@vhyjWhL{UH0<8;tojkH*Sr_A9juwjPK7CK(#1b5-$)?;
zFYkD+(8v#b*)2Z3si(Q*UgDBo3m7d&{P8VRsOh8_uHF`gutgsugBZ<^3e+23vx~=F
zB^a`Hr|IG{NWSIXl%$k!i?BX<{?@V=OScZt(NOf?4}R6*Cw1j|L2g%Z3%7J#T&QHi
z&Oe)r^#^}j(EBg{{h7+zrtPGsM%5AjeMiN5+_%)y4h(vV*+`Janh!?bEa
z$%-KlwX9AQ|J&nG>Vqj1`c2aI^#z0TM;ZMo+dCINOPiba$|^2cV6vX~fH-np9g
zOZg&=-tChLo}gO+v|qDpcy`A7J7TYUSY0=GMxv{?QRs4`LywU~_8Y|W*u~oucQ$&B
zWsgMHX19xA>kmv>v
zN%YIa;0E*eW}a7=w#rP>!6c#~cj6g^D3y`u>_rlsG9|g}R9T~0;d>JJ3hVo2nFb{@
zuQzV;t#_FGltizl(22co!<}q=%JzWV*3ei_Ys++?EVhfUPRyI@d3Gea
zVaNQ1Uu1`q2JR-H}ecZe`4CWTSj41
zvrNzTN-{>Ge}64VJap2G!2J)}oITkkwLUY|@{1AQ*u2ez{`wJJ==ToN_IC%%-}8HM
zpIU*EPLajo`*oqa!y*ME(WC8Z3%}{>7HD=>8M&-#Xy+jpYq>4u8cDyfXKHpHkS1+!
z`kjOEnx2ks#r;dOHBk?>NSz8R%;8N-;9zt-d$8XLcUt>}^N4ocRFpnzIq#aPO*He7
zXN`9XePWKV$fn(MOc5+d2Po*KTVR+~#OZJnZ
zZ;yN1sV(~wbz3!9e7o2#T%w@)gr?WJO`wJV2ImY-g=B}0PNEbOR6H+pIufNw&$f<|ewMJK(7{(k
zgibd`_HYIpBU7j?0l^upo*gfrA>Lxq<{jc-A?lRxE4I
z3XWNWDT_$U>G4gq>F-(4mpR8XfaxdGyzW)X~WY6E>*CVixz>+s$h*X
zTpG}FMOrY<37%iWma&lq_+$lKEVzw;u_1U&
z6WFRFCOiq~TLtf!z+3|?*M|N@aD5{jqlK1(9s=-0XcDNJDN5#fG@3XPlMEYnE+At
zHt)!SXRb;bBe^m(OD;E+nlNeQ-OE(RuVgqaQC!s5^}KSouKsZ~xu*L(F9ij*8B`a9xa+_@3t54R9lO3tbV?H}Ww3h!_k%3Yh}uJGP^Fo$^XhCKqu1P@v`
zUL2wA2&=>go&lsClt-4sswQA1sKc5tf=iv;C-6!)h8{z>7DKHA>qG-?JPNP;k!u9W
zh>D5Bp8TQpfp-S@9um-?o`7`Sd``Zy`oll&whF^yUH_El#XglbTbp?*$D1pXR%xA?
z2cwJ}y}UfU-3Yd^DZ%9Py*!*9{XBTygsTs417XPH`4QH9+yO($eTUNgcfSPiXv}GJ
zQo;;=lu~%#A3YY97`+t!N*TSB_;TJ#|f*P3YYu
zsl{et|b%^Fd9qX!kW_G6T6>b7O&P;Tt&3RBIM?b`!RdqBGmYV6P#8gs=>aT
zV|lf{??m~%b+NDYemmH~YU?;@I9X?ME4TwkhYiyfHcc9wlL)15)F2avL8KF`p6OWg
zZ2W+-TlkyTanVX?vz|qs!Tqt5rvI=Fdlnag@UA{5W;*!AmsuR!P$O<&ndVt~leYO*
zPDI2tL!~;lReUI4zFsh+68{f_%fJ!pq!(ff3}K!5k~=g3CnmM}2-x==VFmg@KfdwW
z{8X9et8#wks~b{h%u(tUy(>$HXApxK#z3X?`>F&~MnM3F&E!77MH|q6gD=~1rNw?i
zp=D@DuWGl*l;ZTnZg~YlplgWGLs>|axQSe`wrfLT>ciH
z^wjDHZADtFh%)zr({ti06)e7#kT(CptT5a#L(VnB1YM?Z2lQVJA@EPl|8W1uw5~3h
z^mCkPzR9jfq7qv!AOi|_K%a`W(fj|%_&4y68vmOe=0_nA%l6chb?Fj+K>(XtFG
zSH;7?yp;1P`!`PYn|wdJTiJbMGAHCPGfR4fbbZ9B*I&Emfe+*aKarXI;t<(Ek9>g}
z(ZXNz##hT8$R=`I6GBE!Wm1&Tw#Q?-Q_Z-`p$_r5PlqRxw_i{8mX#
zB`rj`gDaOZjUlvfG?@iPe|I+VS>4W}ZPv%U^smcLlA;HT-WWHA#n10wZ!D35w#+-c
z07lz#{rr8r@##dKMxQ#Oh64PPhaV2Le|8HV>WW`~lsR@IAyJ!_cq`y6qo>KCcb9Th
zJiX{IkvM0c%jbhgSL6kft`O{=D4cw%`jjg^lqd~FzwPAberwLf^arPs0(iDD`YIW2
ziM7$z{eN+S%K7E1UPJ+qTvHDD$!uUU1e{FKaL@2iA52nknB&>g7mA%P?IK&Do94&}
zyU2=0qtoZW(P9T5LT>Pxz=G6u18m|Juywl)`~3R<#9nb5D}L%s-sV=`e9oK0C%gVi
z3=3>8^byR|zn}4A$*dl7?hUB9FZ=A~o^7~7?BLy8fu6g1Gpnt=qBXLEkgwH9rt^5V
zQZb&7NcQSN_NMRq8+`_m6WgPgoSD6f%iQWvwf>I^uZpsXU2j&ZBuS@FPw^f2DS(Rm
zY%1{QS^bl^mm>T03`hPRRT0n=C%J$l2ZT*k3zvZo;8X+x=BqN+RFoiyf*k
Z3Uxc}%4JljeszIlpGQT``p
-
+
@@ -17,14 +17,14 @@
- e3V54WPCVKryiRHONI37GttXgePQDEYz1GGPcpity5E=
+ h/jXVVy84NklF+ym8qeNfDEohLKKNLhr35iZ6vage7M=
- OMPKPXsLr0wbtQuUTlGAD9W0fkqmw8XJ3nQHc/LsRpzCZWdN/xtfxe3JleLbXcUt4PItqj1uB5Eg
-8iBWyBSy+WJYvsoROjLjZ1sUQ92jMdCO69uBjaIihn1HS2H/YnB4trjc92AUIdhoJZt9KF90IlJQ
-zu3HTmQfeRYs/c6Ck1k3bL1jnyWoNzhBqCuPYrZtPbv9opVP0YOxM5IjRkRgkZIDgYbh1k4WXw8O
-/iIMZuVJDfKQJSNCTAZsIbUatGDQc/nOihLHdI90wG8zu9amgrl1AEKzH8z864Fan5uuXolfAaak
-sLJl6RPCNcp+JNCXMMZiS8bmYPQnVJc1ze0I1A==
+ huu759PPTMaugu+6/c3JAv/Cb6eCiRxK5i5Mx2IpptDDjbDh9P1931KPEivmG8eZHgbGRFDgUviB
+qHcvd4A8KpIdx1GfebPBGBVqnAHvIgAQp1ZOMFIjtYsJTFKrwG12Yc7uA8qdGLCXZ8OlEvim3P/9
+VECXziVXAaEdC4IlaAt86XfbK+z5r2hFKSErYJZws45x1oZcBVXo9wZd7x0EyU0rMTGQbV5QbDsP
+LOuWmG2t9jlR7Yu7gxJbhFrPJdI/Q6+JsmsnqKB47dVtXCp84lrlZg48S/nZ0OC62EmEHvzilx4C
+y2fM/M0LbkZc5Ms8HD92YBsNF3UL3bHxnJT+YQ==
2fdeb8e7d030a2209daa01861a964fedecf2bcc1
diff --git a/tools/tcg_rim_tool/src/test/resources/generated_with_cert.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_with_cert.swidtag
index 336ea344..72e8e2f8 100644
--- a/tools/tcg_rim_tool/src/test/resources/generated_with_cert.swidtag
+++ b/tools/tcg_rim_tool/src/test/resources/generated_with_cert.swidtag
@@ -5,7 +5,7 @@
-
+
@@ -17,14 +17,14 @@
- e3V54WPCVKryiRHONI37GttXgePQDEYz1GGPcpity5E=
+ h/jXVVy84NklF+ym8qeNfDEohLKKNLhr35iZ6vage7M=
- OMPKPXsLr0wbtQuUTlGAD9W0fkqmw8XJ3nQHc/LsRpzCZWdN/xtfxe3JleLbXcUt4PItqj1uB5Eg
-8iBWyBSy+WJYvsoROjLjZ1sUQ92jMdCO69uBjaIihn1HS2H/YnB4trjc92AUIdhoJZt9KF90IlJQ
-zu3HTmQfeRYs/c6Ck1k3bL1jnyWoNzhBqCuPYrZtPbv9opVP0YOxM5IjRkRgkZIDgYbh1k4WXw8O
-/iIMZuVJDfKQJSNCTAZsIbUatGDQc/nOihLHdI90wG8zu9amgrl1AEKzH8z864Fan5uuXolfAaak
-sLJl6RPCNcp+JNCXMMZiS8bmYPQnVJc1ze0I1A==
+ huu759PPTMaugu+6/c3JAv/Cb6eCiRxK5i5Mx2IpptDDjbDh9P1931KPEivmG8eZHgbGRFDgUviB
+qHcvd4A8KpIdx1GfebPBGBVqnAHvIgAQp1ZOMFIjtYsJTFKrwG12Yc7uA8qdGLCXZ8OlEvim3P/9
+VECXziVXAaEdC4IlaAt86XfbK+z5r2hFKSErYJZws45x1oZcBVXo9wZd7x0EyU0rMTGQbV5QbDsP
+LOuWmG2t9jlR7Yu7gxJbhFrPJdI/Q6+JsmsnqKB47dVtXCp84lrlZg48S/nZ0OC62EmEHvzilx4C
+y2fM/M0LbkZc5Ms8HD92YBsNF3UL3bHxnJT+YQ==
CN=example.RIM.signer,OU=PCClient,O=Example,ST=VA,C=US
diff --git a/tools/tcg_rim_tool/src/test/resources/privateRimKey.pem b/tools/tcg_rim_tool/src/test/resources/privateRimKey.pem
new file mode 100644
index 00000000..afe282c4
--- /dev/null
+++ b/tools/tcg_rim_tool/src/test/resources/privateRimKey.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCndZVhpEkbsQAG
+NsB2oNhlcVJNXWcdj06X0Dn5by3nHAFcGvJkIZbEREavkCvIpY/F36rOOP5wWnHG
+Qzo3XyMSFAjH8IRl48QmqmW4E7nDbBMQ57uGq0xq2qAMMx4NHFS4ik/wsY/TS+HX
+DIMUV7D3R3129Pdtwu8WHdrdqn1tObpoGo+6nkJenOvAhTbBl+CQPK1hUGb7xseQ
+xpSuCk3Iz7kECDbOX8WrDSqi2Noavs/Nsf66sK9oZsosw+haRUsiAATxDD3wdN+h
+hIUcLtVhDJKvMiKdo4EVKBWJHvaQd6YfaVaMNB4eJjRUig+KT+NVUimNZ7rPN5nZ
+LrpD8uaNAgMBAAECggEAcnG8npd9U0x7HMQMcsZoPaPdwHvF/gCzkLNA+8RM1bZh
+A4ZzA5WlCQs0V8Wq9pyXjn7Wp8txsG1PdlT5k2AUgsVoXuR0R4IKyvYHQG9StEjH
+GvWURmwJdLlnSg8hSYqEJ/52taNUDO6+MI8fgiaQDd8w0ryF4OCpLy9GJdnfkGYZ
+Ayemb3USFUdj/S67NVqxnvAfFMM5FqkKGhkoy7wBRgO6eOeJvoTq8LMiPiponwwF
+DW409ZStbrk1f1Oszst/UvFUWA9BdDfeoPmFR61y3eB5zlMQG8Mhr2v5hvkj9TPX
+FU4Fm4EzZ1h/60cdWoP6XYCP7F2NqZ8N8u4UBQNAIQKBgQDcGIw5GJEvRF+FFTTR
+hYatMRn80DGTVjdT32MgajdKx05OWxBmQsFob34fiSnr0wAXPJeDXG4ruMBE2bSk
+EC8rCO08G8ihQoH8x0cvuERe1fpVWk3RWNucVGIiJSEXAIwWrlYZLTfYd5GqBkPE
+OQxxo4MtOyqeHmVH1mOywk9ABQKBgQDCxt95luzqQZV9Xl78QQvOIbjOdHLjY23Z
+yp8sGt9birL/WZ33TCRgmH1e61BdrSqO7Om/ail2Y59XM5UU6kLbDj0IgmOPTsrJ
+JmIVf8r3bKltVUaLePgr4yex7dmtHRH8OkLXKnE0RCO0kCi9kJMB12yE3pWxk+Pu
+zztQd3a66QKBgBNJd2g9deONe01fOVyu9clRhzR3ThDaOkj4R2h8xlGgO4V0R3Ce
+ovIy6vt6epj2yYg/wAs720+rhfXCmijSXj/ILXnZ+W/gMyHimKNe42boG2LFYhJZ
+Vg1R+7OAS3EHlD8ckeDs7Hrkp3gdymx0j1mZ+ZHKIIbwpPFxoRT2IBm9AoGBAI0Z
+bIK0puP8psKvPrgWluq42xwUl7XKLaX8dtqIjQ3PqGP7E8g2TJP9Y7UDWrDB5Xas
+gZi821R8Ts3o/DKukcgGxIgJjP4f4h9dwug4L1yWRxaBFB2tgHqqj/MBjxMtX/4M
+Zqdgg6mNQyBm3lyVAynuWRrX9DE0JYa2cQ2VvVkhAoGBAMBv/oT813w00759PmkO
+Uxv3LXTJuYBbq0Rmga25jN3ow8LrGQdSVg7F/af3I5KUF7mLiegDy1pkRfauyXH7
++WhEqnf86vDrzPpytDMxinWOQZusCqeWHb+nuVTuL3Fv+GxEdwVGYI/7lFJ7B//h
+P5rU93ZoYY7sWcGVqaaEkMRU
+-----END PRIVATE KEY-----
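Review bot: This commits an unencrypted RSA private key; that is acceptable for a throwaway test fixture but should be made unmistakable, because a reader of `generated_with_cert.swidtag` sees a signer named `CN=example.RIM.signer` with no hint that its key is public. Add a short README or a comment in the test class stating that `privateRimKey.pem`/`RimSignCert.pem` are test-only material that must never sign a real RIM, and confirm the certificate was not issued by any CA that is trusted elsewhere in the project, since the new self-signed check means it must chain to something.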