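--- a/data/pcrim/pubKey.pem
+++ b/data/pcrim/pubKey.pem
@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp3WVYaRJG7EABjbAdqDY
+ZXFSTV1nHY9Ol9A5+W8t5xwBXBryZCGWxERGr5AryKWPxd+qzjj+cFpxxkM6N18j
+EhQIx/CEZePEJqpluBO5w2wTEOe7hqtMatqgDDMeDRxUuIpP8LGP00vh1wyDFFew
+90d9dvT3bcLvFh3a3ap9bTm6aBqPup5CXpzrwIU2wZfgkDytYVBm+8bHkMaUrgpN
+yM+5BAg2zl/Fqw0qotjaGr7PzbH+urCvaGbKLMPoWkVLIgAE8Qw98HTfoYSFHC7V
+YQySrzIinaOBFSgViR72kHemH2lWjDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/Lm
+jQIDAQAB
+-----END PUBLIC KEY-----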
2 changes: 1 addition & 1 deletion hirs
Submodule hirs updated 24 files
+20 −99 HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/BaseReferenceManifest.java
+16 −0 HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/enums/PublicKeyAlgorithm.java
+89 −0 HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/helper/ParsedTpmPublic.java
+7 −36 HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/helper/ProvisionUtils.java
+90 −50 HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/helper/TpmPublicHelper.java
+71 −31 HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/service/DeviceInfoProcessorService.java
+74 −9 HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/ReferenceManifestDetailsPageService.java
+1 −6 HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java
+5 −6 HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/SupplyChainValidationService.java
+12 −38 .../src/test/java/hirs/attestationca/persist/provision/service/AttestationCertificateAuthorityServiceTest.java
+1 −0 HIRS_AttestationCA/src/test/resources/tpm2/ak.mod
+ HIRS_AttestationCA/src/test/resources/tpm2/ak.pub
+1 −0 HIRS_AttestationCA/src/test/resources/tpm2/ek.mod
+ HIRS_AttestationCA/src/test/resources/tpm2/ek.pub
+7 −2 ...tionCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/CertificateDetailsPageController.java
+4 −0 ...nCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/TrustChainCertificatePageController.java
+95 −22 HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java
+10 −2 HIRS_AttestationCAPortal/src/main/resources/templates/rim-details.html
+4 −0 ...CAPortal/src/test/java/hirs/attestationca/portal/page/controllers/CertificateDetailsPageControllerTest.java
+95 −202 HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java
+211 −0 HIRS_Utils/src/main/java/hirs/utils/rim/SwidTagParser.java
+60 −14 HIRS_Utils/src/main/java/hirs/utils/rim/unsignedRim/xml/pcclientrim/PcClientRim.java
+5 −0 HIRS_Utils/src/main/java/hirs/utils/swid/SwidTagConstants.java
+1 −1 VERSION
11 changes: 9 additions & 2 deletions src/main/java/rimtool/Main.java
Expand Up @@ -446,7 +446,10 @@ private static void sign(final String rimType, final byte[] payloadData, final S
}

if (Objects.equals(rimType, GenericRim.RIMTYPE_CORIM_COMID)) {
toBeSigned = coseSign.createToBeSigned(payloadData, CoRimBuilder.createProtectedCorimHeader(alg, Objects.requireNonNull(cert), embedded));
toBeSigned = coseSign.createToBeSigned(payloadData,
CoRimBuilder.createProtectedCorimHeader(alg,
Objects.requireNonNull(cert),
embedded));
} else {
toBeSigned = coseSign.createToBeSigned(alg, kid,
payloadData, cert, useUnprotectdKid, embedded, rimType);
Expand Down Expand Up @@ -518,7 +521,11 @@ private static void verify(final String rimType, final String inFile, final Stri
try {
if (sigType.compareTo("xmlDsig") == 0) {
PcClientRim pcRim = new PcClientRim();
verified = pcRim.validate(inFile, certPath, supportRim, trustPath);
if (!publicKeyFile.isEmpty() && certPath.isEmpty() && trustPath.isEmpty()) {
verified = pcRim.validate(inFile, publicKeyFile, supportRim);
} else {
verified = pcRim.validate(inFile, certPath, supportRim, trustPath);
}
} else if (sigType.compareTo("cose") == 0) {
// Set up the crypto device used for signing
CryptoEngine cryptoSigner = new DefaultCrypto();
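Review bot: The key-only branch added at the top of the xmlDsig case is taken only when -p and -t are both absent, so a caller who passes -k together with -p or -t has the public key file silently ignored and certificate-path verification runs instead, with nothing in the new code indicating which mode was used. I would either reject the combination up front, `if (!publicKeyFile.isEmpty() && (!certPath.isEmpty() || !trustPath.isEmpty())) throw new IllegalArgumentException("-k cannot be combined with -p/-t");`, or at least log which verification mode was selected. The branch also deserves a comment making the weaker guarantee explicit, e.g. `// Key-only mode: the XML signature is checked against the bare key; no certificate-chain or trust-anchor validation is performed.` The `isEmpty()` calls assume publicKeyFile and certPath are never null; the companion CommandVerify change gives truststore an empty-string default and those two presumably need the same, which this hunk cannot confirm. verify() continues past the end of the hunk.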
2 changes: 1 addition & 1 deletion src/main/java/rimtool/commands/CommandVerify.java
Expand Up @@ -50,7 +50,7 @@ public class CommandVerify {
// required = true,
validateWith = ValidatorArgFile.class,
description = CommandDefinitions.PARAM_DESCR_TRUSTSTORE)
private String truststore;
private String truststore = "";
@Parameter(names = {CommandDefinitions.ARG_DETACHED_SHORT, CommandDefinitions.ARG_DETACHED},
validateWith = ValidatorArgFile.class,
description = CommandDefinitions.PARAM_DESCR_DETACHED)
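Review bot: The empty-string default on `truststore` at the changed line is what lets `trustPath.isEmpty()` in Main.verify() run safely when -t is omitted, but nothing in this hunk shows the public-key and signing-cert parameters receiving the same default; if they still default to null, a bare `rim verify -r pcrim --in X -k key.pem` would presumably throw a NullPointerException before the key-only path is reached. The stale `// required = true,` left above the annotation is now actively misleading, since -t is deliberately optional when a bare public key is supplied; replace it with a comment stating the contract, e.g. `// Optional: omitted when verifying against a bare public key (-k); used together with -p for chain validation.` The CommandVerify class continues outside the hunk.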
36 changes: 20 additions & 16 deletions src/test/scripts/pcrim_tests.sh
Expand Up @@ -40,37 +40,41 @@ echo "PC Client RIM TEST 6: Verify PC Client signed RIM test pattern XML signatu
eval $rim verify -r pcrim --in tmp/laptop.default.1.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem >>/dev/null
rim_expected_pass_status $? "PC RIM TEST 6: PC RIM Verify"

echo "PC Client RIM TEST 7: Create PC Client signed RIM test pattern with multiple Payload file hashes"
echo "PC Client RIM TEST 7: Verify PC Client signed RIM test pattern with just a public key"
eval $rim verify -r pcrim --in tmp/laptop.default.1.swidtag -k pcrim/pubKey.pem >>/dev/null
rim_expected_pass_status $? "PC RIM TEST 7: PC RIM Verify"

echo "PC Client RIM TEST 8: Create PC Client signed RIM test pattern with multiple Payload file hashes"
eval $rim create -r pcrim -l pcrim/laptop.default.1.rimel --out tmp/laptop.default.3.swidtag -p pcrim/RimSignCert.pem -k pcrim/rimKey.pem -c pcrim/rim_fields_multiple_files.json >>/dev/null
rim_expected_pass_status $? "PC RIM TEST 7: PC RIM Create with multiple payload hashes"
rim_expected_pass_status $? "PC RIM TEST 8: PC RIM Create with multiple payload hashes"

echo "PC Client RIM TEST 8: Verify PC Client signed RIM test pattern with multiple Payload file hashes"
echo "PC Client RIM TEST 9: Verify PC Client signed RIM test pattern with multiple Payload file hashes"
eval $rim verify -r pcrim -l pcrim/ --in tmp/laptop.default.3.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem >>/dev/null
rim_expected_pass_status $? "PC RIM TEST 8: PC RIM Verify with multiple payload hashes"
rim_expected_pass_status $? "PC RIM TEST 9: PC RIM Verify with multiple payload hashes"

echo "PC Client RIM TEST 9: Verify PC Client will fail when a support RIM name has path separators"
echo "PC Client RIM TEST 10: Verify PC Client will fail when a support RIM name has path separators"
eval $rim verify -r pcrim -l pcrim/ --in pcrim/laptop.default.bad-support-name.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem >>/dev/null
rim_expected_fail_status $? "PC RIM TEST 9: PC RIM Bad support RIM name"
rim_expected_fail_status $? "PC RIM TEST 10: PC RIM Bad support RIM name"

echo "PC Client RIM TEST 10: Verify PC Client will fail when a signature is invalid"
echo "PC Client RIM TEST 11: Verify PC Client will fail when a signature is invalid"
eval $rim verify -r pcrim -l pcrim/ --in pcrim/laptop.default.bad-sig.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem >>/dev/null
rim_expected_fail_status $? "PC RIM TEST 10: PC RIM Bad signature check"
rim_expected_fail_status $? "PC RIM TEST 11: PC RIM Bad signature check"

echo "PC Client RIM TEST 11: Create PC Client signed Patch RIM "
echo "PC Client RIM TEST 12: Create PC Client signed Patch RIM "
eval $rim create -r pcrim --out tmp/laptop.patch.1.swidtag -l pcrim/laptop.default.1.rimel -p pcrim/RimSignCert.pem -k pcrim/rimKey.pem -c pcrim/rim_fields_patch.json >>/dev/null
rim_expected_pass_status $? "PC RIM TEST 11: Create PC Patch RIM"
rim_expected_pass_status $? "PC RIM TEST 12: Create PC Patch RIM"

echo "PC Client RIM TEST 12: Verify PC Client signed Patch RIM"
echo "PC Client RIM TEST 13: Verify PC Client signed Patch RIM"
eval $rim verify -r pcrim --in tmp/laptop.patch.1.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem >>/dev/null
rim_expected_pass_status $? "PC RIM TEST 12: PC Patch RIM Verify"
rim_expected_pass_status $? "PC RIM TEST 13: PC Patch RIM Verify"

echo "PC Client RIM TEST 13: Create PC Client signed Supplemental RIM "
echo "PC Client RIM TEST 14: Create PC Client signed Supplemental RIM "
eval $rim create -r pcrim --out tmp/laptop.supplemental.1.swidtag -l pcrim/laptop.default.1.rimel -p pcrim/RimSignCert.pem -k pcrim/rimKey.pem -c pcrim/rim_fields_supplemental.json >>/dev/null
rim_expected_pass_status $? "PC RIM TEST 13: Create PC Supplemental RIM"
rim_expected_pass_status $? "PC RIM TEST 14: Create PC Supplemental RIM"

echo "PC Client RIM TEST 14: Verify PC Client signed Supplemental RIM"
echo "PC Client RIM TEST 15: Verify PC Client signed Supplemental RIM"
eval $rim verify -r pcrim --in tmp/laptop.supplemental.1.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem >>/dev/null
rim_expected_pass_status $? "PC RIM TEST 14: PC Supplemental RIM Verify"
rim_expected_pass_status $? "PC RIM TEST 15: PC Supplemental RIM Verify"

rm -rf tmp

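Review bot: Test 7 only covers the positive case of key-only verification; nothing checks that the new -k path rejects a bad signature or a non-matching key, so a regression that made `pcRim.validate(inFile, publicKeyFile, supportRim)` return true unconditionally would still pass this suite. Add a negative counterpart next to test 11, `eval $rim verify -r pcrim -l pcrim/ --in pcrim/laptop.default.bad-sig.swidtag -k pcrim/pubKey.pem >>/dev/null` followed by `rim_expected_fail_status $? "PC RIM Bad signature check with public key"`, and ideally a second one using a key that does not correspond to RimSignCert.pem. Note also that -k denotes the private signing key in the create invocations (`-k pcrim/rimKey.pem`) but the public verification key in test 7, which is easy to misread in a script; a one-line comment above test 7 stating that pubKey.pem is the public half of the RimSignCert signer, assuming that is the relationship, would help.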