From 02222eb048887e0797dd27db64c521c764a0c341 Mon Sep 17 00:00:00 2001
From: chubtub <43381989+chubtub@users.noreply.github.com>
Date: Thu, 18 Jun 2026 12:31:02 -0400
Subject: [PATCH] Verify pc client RIMs with just a public key.
---
data/pcrim/pubKey.pem | 9 +++++
hirs | 2 +-
src/main/java/rimtool/Main.java | 11 ++++--
.../java/rimtool/commands/CommandVerify.java | 2 +-
src/test/scripts/pcrim_tests.sh | 36 ++++++++++---------
5 files changed, 40 insertions(+), 20 deletions(-)
create mode 100644 data/pcrim/pubKey.pem
diff --git a/data/pcrim/pubKey.pem b/data/pcrim/pubKey.pem
new file mode 100644
index 0000000..574f1db
--- /dev/null
+++ b/data/pcrim/pubKey.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp3WVYaRJG7EABjbAdqDY
+ZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpxxkM6N18j
+EhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew
+90d9dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpN
+yM+5BAg2zl/Fqw0qotjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7V
+YQySrzIinaOBFSgViR72kHemH2lWjDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/Lm
+jQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/hirs b/hirs
index 07cda43..804decb 160000
--- a/hirs
+++ b/hirs
@@ -1 +1 @@
-Subproject commit 07cda438c365c022de51ba0a2ea61e192942cd2e
+Subproject commit 804decbb52355b49113bff5117a7d4535424f72d
diff --git a/src/main/java/rimtool/Main.java b/src/main/java/rimtool/Main.java
index 387896c..4d4f00a 100644
--- a/src/main/java/rimtool/Main.java
+++ b/src/main/java/rimtool/Main.java
@@ -446,7 +446,10 @@ private static void sign(final String rimType, final byte[] payloadData, final S } if (Objects.equals(rimType, GenericRim.RIMTYPE_CORIM_COMID)) { - toBeSigned = coseSign.createToBeSigned(payloadData, CoRimBuilder.createProtectedCorimHeader(alg, Objects.requireNonNull(cert), embedded)); + toBeSigned = coseSign.createToBeSigned(payloadData, + CoRimBuilder.createProtectedCorimHeader(alg, + Objects.requireNonNull(cert), + embedded)); } else { toBeSigned = coseSign.createToBeSigned(alg, kid, payloadData, cert, useUnprotectdKid, embedded, rimType); @@ -518,7 +521,11 @@ private static void verify(final String rimType, final String inFile, final Stri try { if (sigType.compareTo("xmlDsig") == 0) { PcClientRim pcRim = new PcClientRim(); - verified = pcRim.validate(inFile, certPath, supportRim, trustPath); + if (!publicKeyFile.isEmpty() && certPath.isEmpty() && trustPath.isEmpty()) { + verified = pcRim.validate(inFile, publicKeyFile, supportRim); + } else { + verified = pcRim.validate(inFile, certPath, supportRim, trustPath); + } } else if (sigType.compareTo("cose") == 0) { // Set up the crypto device used for signing CryptoEngine cryptoSigner = new DefaultCrypto(); diff --git a/src/main/java/rimtool/commands/CommandVerify.java b/src/main/java/rimtool/commands/CommandVerify.java index 83e9a07..6a0a4f2 100644 --- a/src/main/java/rimtool/commands/CommandVerify.java +++ b/src/main/java/rimtool/commands/CommandVerify.java @@ -50,7 +50,7 @@ public class CommandVerify { // required = true, validateWith = ValidatorArgFile.class, description = CommandDefinitions.PARAM_DESCR_TRUSTSTORE) - private String truststore; + private String truststore = ""; @Parameter(names = {CommandDefinitions.ARG_DETACHED_SHORT, CommandDefinitions.ARG_DETACHED}, validateWith = ValidatorArgFile.class, description = CommandDefinitions.PARAM_DESCR_DETACHED) diff --git a/src/test/scripts/pcrim_tests.sh b/src/test/scripts/pcrim_tests.sh index 12065a1..8c949c4 100755 
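Review bot: The new public-key-only branch in verify() sets the same `verified` flag as the certificate path, so a caller cannot tell a RIM whose signer chained to the truststore from one that merely matched whatever key was passed with -k; the three-argument `pcRim.validate` is not visible here, but it takes no trust anchor, so presumably no chain is checked. I would add a comment above the branch, `// Public-key-only mode: signature is checked against the supplied key; no certificate chain or trust anchor is validated, so the key itself must come from a trusted source`, and report which mode was used alongside the result. The condition also means a -k given together with -p or -t is silently ignored, and all three options empty falls through to the certificate path with empty paths; rejecting those combinations up front would be clearer. `publicKeyFile.isEmpty()` and `certPath.isEmpty()` assume non-null defaults, which this patch only establishes for `truststore`, so confirm the other fields also default to `""`. verify() starts and ends outside this hunk.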
--- a/src/test/scripts/pcrim_tests.sh
+++ b/src/test/scripts/pcrim_tests.sh
@@ -40,37 +40,41 @@ echo "PC Client RIM TEST 6: Verify PC Client signed RIM test pattern XML signatu eval $rim verify -r pcrim --in tmp/laptop.default.1.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem >>/dev/null rim_expected_pass_status $? "PC RIM TEST 6: PC RIM Verify" -echo "PC Client RIM TEST 7: Create PC Client signed RIM test pattern with multiple Payload file hashes" +echo "PC Client RIM TEST 7: Verify PC Client signed RIM test pattern with just a public key" +eval $rim verify -r pcrim --in tmp/laptop.default.1.swidtag -k pcrim/pubKey.pem >>/dev/null +rim_expected_pass_status $? "PC RIM TEST 7: PC RIM Verify" + +echo "PC Client RIM TEST 8: Create PC Client signed RIM test pattern with multiple Payload file hashes" eval $rim create -r pcrim -l pcrim/laptop.default.1.rimel --out tmp/laptop.default.3.swidtag -p pcrim/RimSignCert.pem -k pcrim/rimKey.pem -c pcrim/rim_fields_multiple_files.json >>/dev/null -rim_expected_pass_status $? "PC RIM TEST 7: PC RIM Create with multiple payload hashes" +rim_expected_pass_status $? "PC RIM TEST 8: PC RIM Create with multiple payload hashes" -echo "PC Client RIM TEST 8: Verify PC Client signed RIM test pattern with multiple Payload file hashes" +echo "PC Client RIM TEST 9: Verify PC Client signed RIM test pattern with multiple Payload file hashes" eval $rim verify -r pcrim -l pcrim/ --in tmp/laptop.default.3.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem >>/dev/null -rim_expected_pass_status $? "PC RIM TEST 8: PC RIM Verify with multiple payload hashes" +rim_expected_pass_status $? 
"PC RIM TEST 9: PC RIM Verify with multiple payload hashes" -echo "PC Client RIM TEST 9: Verify PC Client will fail when a support RIM name has path separators" +echo "PC Client RIM TEST 10: Verify PC Client will fail when a support RIM name has path separators" eval $rim verify -r pcrim -l pcrim/ --in pcrim/laptop.default.bad-support-name.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem >>/dev/null -rim_expected_fail_status $? "PC RIM TEST 9: PC RIM Bad support RIM name" +rim_expected_fail_status $? "PC RIM TEST 10: PC RIM Bad support RIM name" -echo "PC Client RIM TEST 10: Verify PC Client will fail when a signature is invalid" +echo "PC Client RIM TEST 11: Verify PC Client will fail when a signature is invalid" eval $rim verify -r pcrim -l pcrim/ --in pcrim/laptop.default.bad-sig.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem >>/dev/null -rim_expected_fail_status $? "PC RIM TEST 10: PC RIM Bad signature check" +rim_expected_fail_status $? "PC RIM TEST 11: PC RIM Bad signature check" -echo "PC Client RIM TEST 11: Create PC Client signed Patch RIM " +echo "PC Client RIM TEST 12: Create PC Client signed Patch RIM " eval $rim create -r pcrim --out tmp/laptop.patch.1.swidtag -l pcrim/laptop.default.1.rimel -p pcrim/RimSignCert.pem -k pcrim/rimKey.pem -c pcrim/rim_fields_patch.json >>/dev/null -rim_expected_pass_status $? "PC RIM TEST 11: Create PC Patch RIM" +rim_expected_pass_status $? "PC RIM TEST 12: Create PC Patch RIM" -echo "PC Client RIM TEST 12: Verify PC Client signed Patch RIM" +echo "PC Client RIM TEST 13: Verify PC Client signed Patch RIM" eval $rim verify -r pcrim --in tmp/laptop.patch.1.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem >>/dev/null -rim_expected_pass_status $? "PC RIM TEST 12: PC Patch RIM Verify" +rim_expected_pass_status $? 
"PC RIM TEST 13: PC Patch RIM Verify" -echo "PC Client RIM TEST 13: Create PC Client signed Supplemental RIM " +echo "PC Client RIM TEST 14: Create PC Client signed Supplemental RIM " eval $rim create -r pcrim --out tmp/laptop.supplemental.1.swidtag -l pcrim/laptop.default.1.rimel -p pcrim/RimSignCert.pem -k pcrim/rimKey.pem -c pcrim/rim_fields_supplemental.json >>/dev/null -rim_expected_pass_status $? "PC RIM TEST 13: Create PC Supplemental RIM" +rim_expected_pass_status $? "PC RIM TEST 14: Create PC Supplemental RIM" -echo "PC Client RIM TEST 14: Verify PC Client signed Supplemental RIM" +echo "PC Client RIM TEST 15: Verify PC Client signed Supplemental RIM" eval $rim verify -r pcrim --in tmp/laptop.supplemental.1.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem >>/dev/null -rim_expected_pass_status $? "PC RIM TEST 14: PC Supplemental RIM Verify" +rim_expected_pass_status $? "PC RIM TEST 15: PC Supplemental RIM Verify" rm -rf tmp
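Review bot: The new TEST 7 covers only the passing case for `verify -k`; nothing checks that public-key-only verification fails on a tampered RIM or a non-matching key, which is the case that matters most for a mode that appears to skip the certificate chain. A negative case mirroring TEST 11 would pin it, for example `eval $rim verify -r pcrim -l pcrim/ --in pcrim/laptop.default.bad-sig.swidtag -k pcrim/pubKey.pem >>/dev/null` followed by `rim_expected_fail_status $? "PC RIM TEST N: PC RIM Bad signature check with public key"`. It would also be worth a case that passes -k together with -p/-t, since Main.verify currently ignores the key in that combination.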