From c0e2f0ecee5b3401736e274291bcfc9b736ade41 Mon Sep 17 00:00:00 2001
From: iadgovuser62
Date: Wed, 15 Apr 2026 16:13:45 -0400
Subject: [PATCH 1/3] issue_41: Add signing for CoRIM protected header + Tests
---
 build.gradle | 1 +
 gradle/versions.toml | 2 ++
 src/main/java/rimtool/Main.java | 10 ++++++++--
 src/test/scripts/corim_comid_tests.sh | 13 +++++++++++++
 4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index 2ac29d2..bb50e61 100644
--- a/build.gradle
+++ b/build.gradle
@@ -72,6 +72,7 @@ dependencyCheck {
 }
 }
 dependencies {
+ implementation libs.authlete.cbor
 implementation libs.bouncycastle
 implementation libs.jcommander
diff --git a/gradle/versions.toml b/gradle/versions.toml
index 8dd32e6..bca40a4 100644
--- a/gradle/versions.toml
+++ b/gradle/versions.toml
@@ -1,4 +1,5 @@
 [versions]
+authleteCborVersion = "1.21"
 bouncyCastleVersion = "1.83"
 jcommanderVersion = "3.0"
 lombokVersion = "1.18.42"
@@ -7,6 +8,7 @@ lombokVersion = "1.18.42"
 jupiterVersion = "6.0.3"
 [libraries]
+authlete-cbor = { module = "com.authlete:cbor", version.ref = "authleteCborVersion" }
 bouncycastle = { module = "org.bouncycastle:bcmail-jdk18on", version.ref = "bouncyCastleVersion" }
 jcommander = { module = "org.jcommander:jcommander", version.ref = "jcommanderVersion" }
 lombok = { module = "org.projectlombok:lombok", version.ref = "lombokVersion" }
diff --git a/src/main/java/rimtool/Main.java b/src/main/java/rimtool/Main.java
index e232454..d9e18ed 100644
--- a/src/main/java/rimtool/Main.java
+++ b/src/main/java/rimtool/Main.java
@@ -13,6 +13,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.util.Objects;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -408,6 +409,7 @@ private static void sign(final String rimType, final byte[] payloadData, final S
 X509Certificate cert = null;
 byte[] signedRim = null;
 byte[] kid = null;
+ byte[] toBeSigned = null;
 boolean useUnprotectdKid = false; //File payloadFile = new File(inFile);
 DefaultCrypto cryptoSigner = new DefaultCrypto();
@@ -436,8 +438,12 @@ private static void sign(final String rimType, final byte[] payloadData, final S
 kid = cryptoSigner.getKid().getBytes(StandardCharsets.UTF_8);
 }
- byte[] toBeSigned = coseSign.createToBeSigned(alg, kid,
- payloadData, cert, useUnprotectdKid, embedded, rimType);
+ if (Objects.equals(rimType, GenericRim.RIMTYPE_CORIM_COMID)) {
+ toBeSigned = coseSign.createToBeSigned(payloadData, CoRimBuilder.createProtectedCorimHeader(alg, Objects.requireNonNull(cert), embedded));
+ } else {
+ toBeSigned = coseSign.createToBeSigned(alg, kid,
+ payloadData, cert, useUnprotectdKid, embedded, rimType);
+ }
 byte[] signature = cryptoSigner.sign(toBeSigned);
 coseSign.addSignature(signature);
diff --git a/src/test/scripts/corim_comid_tests.sh b/src/test/scripts/corim_comid_tests.sh
index 139d1a1..1dabc15 100755
--- a/src/test/scripts/corim_comid_tests.sh
+++ b/src/test/scripts/corim_comid_tests.sh
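Review bot: In the new `corim_comid` branch of `sign()` in src/main/java/rimtool/Main.java, `Objects.requireNonNull(cert)` turns a missing signing certificate into a bare NullPointerException with no message; `cert` starts out as null at the top of the method, and whether it is always set by this point depends on code outside the hunk. A message would make the failure actionable, e.g. `Objects.requireNonNull(cert, "corim_comid signing requires a signer certificate")`, or the check could be raised as an explicit usage error before any signing work begins. The same branch passes neither `kid` nor `useUnprotectdKid`, which the surrounding code still sets, so a caller's key-id choice appears to be silently ignored for CoRIM; if that is intentional because `CoRimBuilder.createProtectedCorimHeader` builds the protected header itself, a one-line comment saying so would help. The call is also one very long line and would read better wrapped like the `else` branch. `sign()` begins and ends outside both Main.java hunks.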
@@ -51,6 +51,19 @@ echo "CoRim TEST 6: Verify a signed CoRIM with an embedded cert"
 eval $rim verify -r corim_comid --in $dataDir/tmp/corim-test-embedded-signed1.cose -e >>/dev/null
 rim_expected_pass_status $? "CoRim TEST 6: CoRim verify (embedded)"
+# creating a signed CoRIM with CoMID
+echo "CoRim TEST 7: Create an signed CoRIM (with CoMID) from an input configuration file"
+eval $rim create -r corim_comid -c $dataDir/corim/corim_1.json --out \
+ $dataDir/tmp/corim-test-signed2.cbor -p $dataDir/certs/COMP_OEM1_rim_signer_ecc_512_sha384.pem -k \
+ $dataDir/keys/COMP_OEM1_rim_signer_ecc_512_sha384.key >>/dev/null
+rim_expected_pass_status $? "CoRim TEST 7: CoRim create with CoMID (signed)"
+
+# verify signed CoRIM
+echo "CoRim TEST 8: Verify a signed CoRIM"
+eval $rim verify -r corim_comid --in $dataDir/tmp/corim-test-signed2.cbor \
+ -p $dataDir/certs/COMP_OEM1_rim_signer_ecc_512_sha384.pem >>/dev/null
+rim_expected_pass_status $? "CoRim TEST 8: CoRim verify (signed)"
+
 # TODO: Corim with Coswids
 # TODO: Corim with CoTLs
From d13073349b8769fe51c323303770adcaca1f35f2 Mon Sep 17 00:00:00 2001
From: iadgovuser62
Date: Thu, 16 Apr 2026 13:40:11 -0400
Subject: [PATCH 2/3] Add Authlete to Notice
---
 NOTICE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/NOTICE.md b/NOTICE.md
index f2a147a..2425e0e 100644
--- a/NOTICE.md
+++ b/NOTICE.md
@@ -4,7 +4,7 @@ RIM-Tool License This file contains all the licenses for the dependencies used to create the RIM-Tool project. RIM-Tool is licensed under the Apache 2.0 license.
-The following dependencies are also licensed under Apache 2.0: JCommander
+The following dependencies are also licensed under Apache 2.0: JCommander, Authlete
 This project also bundles HIRS (https://github.com/nsacyber/HIRS), also licensed under Apache 2.0. The NOTICE file for HIRS can be located at the /hirs path from the RIM-Tool source code.
From 980fe7e471651d66643f30df0cbc3bbf90128b12 Mon Sep 17 00:00:00 2001
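Review bot: Tests 7 and 8 added to src/test/scripts/corim_comid_tests.sh only exercise the success path, so they would still pass if verification never actually checked the signature over the new protected header. A companion case that runs `verify -r corim_comid` on `corim-test-signed2.cbor` with a certificate other than `COMP_OEM1_rim_signer_ecc_512_sha384.pem` and expects a non-zero status would pin that down; this hunk does not show whether the script already has an expected-failure helper alongside `rim_expected_pass_status`. Both new commands also send their output to `>>/dev/null`, which hides the tool's diagnostics when one of them fails in CI. The TEST 7 banner reads `Create an signed CoRIM`, where `a signed` is meant.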
From: iadgovuser62
Date: Mon, 20 Apr 2026 09:39:39 -0400
Subject: [PATCH 3/3] issue_41: Update hirs submodule
---
 hirs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hirs b/hirs
index ed5cbd1..1dfe2d8 160000
--- a/hirs
+++ b/hirs
@@ -1 +1 @@
-Subproject commit ed5cbd1481f0ee45d57a5be868ecc187480ab35a
+Subproject commit 1dfe2d84871ed2ad6b9e8f5820984d00a28c6102