costan-tem_ruby 0.10.2
Sign up to get free protection for your applications and to get access to all the features.
- data/CHANGELOG +45 -0
- data/LICENSE +21 -0
- data/Manifest +75 -0
- data/README +8 -0
- data/Rakefile +23 -0
- data/bin/tem_bench +9 -0
- data/bin/tem_ca +13 -0
- data/bin/tem_irb +11 -0
- data/bin/tem_proxy +65 -0
- data/bin/tem_stat +35 -0
- data/dev_ca/ca_cert.cer +0 -0
- data/dev_ca/ca_cert.pem +32 -0
- data/dev_ca/ca_key.pem +27 -0
- data/dev_ca/config.yml +14 -0
- data/lib/tem/_cert.rb +158 -0
- data/lib/tem/apdus/buffers.rb +89 -0
- data/lib/tem/apdus/keys.rb +64 -0
- data/lib/tem/apdus/lifecycle.rb +13 -0
- data/lib/tem/apdus/tag.rb +38 -0
- data/lib/tem/auto_conf.rb +25 -0
- data/lib/tem/builders/abi.rb +482 -0
- data/lib/tem/builders/assembler.rb +314 -0
- data/lib/tem/builders/crypto.rb +124 -0
- data/lib/tem/builders/isa.rb +120 -0
- data/lib/tem/ca.rb +114 -0
- data/lib/tem/definitions/abi.rb +65 -0
- data/lib/tem/definitions/assembler.rb +23 -0
- data/lib/tem/definitions/isa.rb +188 -0
- data/lib/tem/ecert.rb +77 -0
- data/lib/tem/hive.rb +18 -0
- data/lib/tem/keys/asymmetric.rb +116 -0
- data/lib/tem/keys/key.rb +48 -0
- data/lib/tem/keys/symmetric.rb +47 -0
- data/lib/tem/sec_exec_error.rb +63 -0
- data/lib/tem/seclosures.rb +81 -0
- data/lib/tem/secpack.rb +107 -0
- data/lib/tem/tem.rb +31 -0
- data/lib/tem/toolkit.rb +101 -0
- data/lib/tem/transport/auto_configurator.rb +87 -0
- data/lib/tem/transport/java_card_mixin.rb +99 -0
- data/lib/tem/transport/jcop_remote_protocol.rb +59 -0
- data/lib/tem/transport/jcop_remote_server.rb +171 -0
- data/lib/tem/transport/jcop_remote_transport.rb +65 -0
- data/lib/tem/transport/pcsc_transport.rb +87 -0
- data/lib/tem/transport/transport.rb +10 -0
- data/lib/tem_ruby.rb +47 -0
- data/tem_ruby.gemspec +35 -0
- data/test/_test_cert.rb +70 -0
- data/test/builders/test_abi_builder.rb +298 -0
- data/test/tem_test_case.rb +26 -0
- data/test/tem_unit/test_tem_alu.rb +33 -0
- data/test/tem_unit/test_tem_bound_secpack.rb +51 -0
- data/test/tem_unit/test_tem_branching.rb +56 -0
- data/test/tem_unit/test_tem_crypto_asymmetric.rb +123 -0
- data/test/tem_unit/test_tem_crypto_hash.rb +35 -0
- data/test/tem_unit/test_tem_crypto_pstore.rb +53 -0
- data/test/tem_unit/test_tem_crypto_random.rb +25 -0
- data/test/tem_unit/test_tem_emit.rb +23 -0
- data/test/tem_unit/test_tem_memory.rb +48 -0
- data/test/tem_unit/test_tem_memory_compare.rb +65 -0
- data/test/tem_unit/test_tem_output.rb +32 -0
- data/test/tem_unit/test_tem_yaml_secpack.rb +47 -0
- data/test/test_driver.rb +108 -0
- data/test/test_exceptions.rb +35 -0
- data/test/transport/test_auto_configurator.rb +114 -0
- data/test/transport/test_java_card_mixin.rb +90 -0
- data/test/transport/test_jcop_remote.rb +82 -0
- data/timings/blank_bound_secpack.rb +18 -0
- data/timings/blank_sec.rb +14 -0
- data/timings/devchip_decrypt.rb +9 -0
- data/timings/post_buffer.rb +10 -0
- data/timings/simple_apdu.rb +5 -0
- data/timings/timings.rb +64 -0
- data/timings/vm_perf.rb +140 -0
- data/timings/vm_perf_bound.rb +141 -0
- metadata +201 -0
data/CHANGELOG
ADDED
@@ -0,0 +1,45 @@
|
|
1
|
+
v0.10.2. More internal refactorings.
|
2
|
+
|
3
|
+
v0.10.1. Internal refactorings.
|
4
|
+
|
5
|
+
v0.10.0. New transport code, allowing for multiple readers and TEM proxying.
|
6
|
+
|
7
|
+
v0.9.2. Changed exec-SECpack calling sequence for fw 1.9.1(fire, the released version).
|
8
|
+
|
9
|
+
v0.9.1. Cleaner names for the pstore data types and opcode arguments. "Bound" instead of "sealed" SECpack.
|
10
|
+
|
11
|
+
v0.9.0. Updated tests and re-implemented buffer stat-ing for fw 1.9(fire).
|
12
|
+
|
13
|
+
v0.8.0. Implemented buffer flushing (fw 1.8) and more timing tests.
|
14
|
+
|
15
|
+
v0.7.2. Implemented "tem_bench" for benchmarking a TEM.
|
16
|
+
|
17
|
+
v0.7.1. Implemented Endorsement Certificates, with rudimentary infrastructure for a CA.
|
18
|
+
|
19
|
+
v0.7.0. Updated names to reflect thesis (SEClosure, SECpack). Persistent store opcodes and tests reflect fw 1.7.
|
20
|
+
|
21
|
+
v0.6.1. Fixed bug in tk_delete_key.
|
22
|
+
|
23
|
+
v0.6.0. Implemented stat-ing TEM keys with test coverage. Updated tem_stat and custom exception.
|
24
|
+
|
25
|
+
v0.5.2. Implemented custom exception for errors in TEM SEC execution.
|
26
|
+
|
27
|
+
v0.5.1. Implemented tem_stat tool.
|
28
|
+
|
29
|
+
v0.5.0. Implemented stat-ing TEM buffers with test coverage.
|
30
|
+
|
31
|
+
v0.4.1. Removed exception dumping when connecting to a PC/SC terminal fails.
|
32
|
+
|
33
|
+
v0.4.0. Support for adaptive buffer chunk sizing.
|
34
|
+
|
35
|
+
v0.3.0. Support for fw 1.3 features (signing). Improved TEM emission.
|
36
|
+
|
37
|
+
v0.2.1. Line debugging information in SECs.
|
38
|
+
|
39
|
+
v0.2.0. Support for all fw 1.2 features. TEM tests have full coverage now.
|
40
|
+
|
41
|
+
v0.1.2. Tag support.
|
42
|
+
|
43
|
+
v0.1.1. Named parameters for more opcodes.
|
44
|
+
|
45
|
+
v0.1. Initial release.
|
data/LICENSE
ADDED
@@ -0,0 +1,21 @@
|
|
1
|
+
The MIT License
|
2
|
+
|
3
|
+
Copyright (c) 2007 Massachusetts Institute of Technology
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
7
|
+
in the Software without restriction, including without limitation the rights
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
10
|
+
furnished to do so, subject to the following conditions:
|
11
|
+
|
12
|
+
The above copyright notice and this permission notice shall be included in
|
13
|
+
all copies or substantial portions of the Software.
|
14
|
+
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
21
|
+
THE SOFTWARE.
|
data/Manifest
ADDED
@@ -0,0 +1,75 @@
|
|
1
|
+
bin/tem_bench
|
2
|
+
bin/tem_ca
|
3
|
+
bin/tem_irb
|
4
|
+
bin/tem_proxy
|
5
|
+
bin/tem_stat
|
6
|
+
CHANGELOG
|
7
|
+
dev_ca/ca_cert.cer
|
8
|
+
dev_ca/ca_cert.pem
|
9
|
+
dev_ca/ca_key.pem
|
10
|
+
dev_ca/config.yml
|
11
|
+
lib/tem/_cert.rb
|
12
|
+
lib/tem/apdus/buffers.rb
|
13
|
+
lib/tem/apdus/keys.rb
|
14
|
+
lib/tem/apdus/lifecycle.rb
|
15
|
+
lib/tem/apdus/tag.rb
|
16
|
+
lib/tem/auto_conf.rb
|
17
|
+
lib/tem/builders/abi.rb
|
18
|
+
lib/tem/builders/assembler.rb
|
19
|
+
lib/tem/builders/crypto.rb
|
20
|
+
lib/tem/builders/isa.rb
|
21
|
+
lib/tem/ca.rb
|
22
|
+
lib/tem/definitions/abi.rb
|
23
|
+
lib/tem/definitions/assembler.rb
|
24
|
+
lib/tem/definitions/isa.rb
|
25
|
+
lib/tem/ecert.rb
|
26
|
+
lib/tem/hive.rb
|
27
|
+
lib/tem/keys/asymmetric.rb
|
28
|
+
lib/tem/keys/key.rb
|
29
|
+
lib/tem/keys/symmetric.rb
|
30
|
+
lib/tem/sec_exec_error.rb
|
31
|
+
lib/tem/seclosures.rb
|
32
|
+
lib/tem/secpack.rb
|
33
|
+
lib/tem/tem.rb
|
34
|
+
lib/tem/toolkit.rb
|
35
|
+
lib/tem/transport/auto_configurator.rb
|
36
|
+
lib/tem/transport/java_card_mixin.rb
|
37
|
+
lib/tem/transport/jcop_remote_protocol.rb
|
38
|
+
lib/tem/transport/jcop_remote_server.rb
|
39
|
+
lib/tem/transport/jcop_remote_transport.rb
|
40
|
+
lib/tem/transport/pcsc_transport.rb
|
41
|
+
lib/tem/transport/transport.rb
|
42
|
+
lib/tem_ruby.rb
|
43
|
+
LICENSE
|
44
|
+
Manifest
|
45
|
+
Rakefile
|
46
|
+
README
|
47
|
+
tem_ruby.gemspec
|
48
|
+
test/_test_cert.rb
|
49
|
+
test/builders/test_abi_builder.rb
|
50
|
+
test/tem_test_case.rb
|
51
|
+
test/tem_unit/test_tem_alu.rb
|
52
|
+
test/tem_unit/test_tem_bound_secpack.rb
|
53
|
+
test/tem_unit/test_tem_branching.rb
|
54
|
+
test/tem_unit/test_tem_crypto_asymmetric.rb
|
55
|
+
test/tem_unit/test_tem_crypto_hash.rb
|
56
|
+
test/tem_unit/test_tem_crypto_pstore.rb
|
57
|
+
test/tem_unit/test_tem_crypto_random.rb
|
58
|
+
test/tem_unit/test_tem_emit.rb
|
59
|
+
test/tem_unit/test_tem_memory.rb
|
60
|
+
test/tem_unit/test_tem_memory_compare.rb
|
61
|
+
test/tem_unit/test_tem_output.rb
|
62
|
+
test/tem_unit/test_tem_yaml_secpack.rb
|
63
|
+
test/test_driver.rb
|
64
|
+
test/test_exceptions.rb
|
65
|
+
test/transport/test_auto_configurator.rb
|
66
|
+
test/transport/test_java_card_mixin.rb
|
67
|
+
test/transport/test_jcop_remote.rb
|
68
|
+
timings/blank_bound_secpack.rb
|
69
|
+
timings/blank_sec.rb
|
70
|
+
timings/devchip_decrypt.rb
|
71
|
+
timings/post_buffer.rb
|
72
|
+
timings/simple_apdu.rb
|
73
|
+
timings/timings.rb
|
74
|
+
timings/vm_perf.rb
|
75
|
+
timings/vm_perf_bound.rb
|
data/README
ADDED
@@ -0,0 +1,8 @@
|
|
1
|
+
This is the ruby driver for the Trusted Execution Module prototype produced at
|
2
|
+
MIT. The best features of the ruby driver are the very powerful DSL
|
3
|
+
(domain-specific language) that TEM SECpacks are compiled from, and the
|
4
|
+
usage of debugging line info to translate exception IPs to stack traces.
|
5
|
+
|
6
|
+
Running coverage tests:
|
7
|
+
gem install rcov
|
8
|
+
rcov -Ilib test/*.rb
|
data/Rakefile
ADDED
@@ -0,0 +1,23 @@
|
|
1
|
+
require 'rubygems'
|
2
|
+
gem 'echoe'
|
3
|
+
require 'echoe'
|
4
|
+
|
5
|
+
Echoe.new('tem_ruby') do |p|
|
6
|
+
p.project = 'tem' # rubyforge project
|
7
|
+
p.docs_host = "costan@rubyforge.org:/var/www/gforge-projects/tem/rdoc/"
|
8
|
+
|
9
|
+
p.author = 'Victor Costan'
|
10
|
+
p.email = 'victor@costan.us'
|
11
|
+
p.summary = 'TEM (Trusted Execution Module) driver, written in and for ruby.'
|
12
|
+
p.url = 'http://tem.rubyforge.org'
|
13
|
+
p.dependencies = ['smartcard >=0.3.0']
|
14
|
+
|
15
|
+
p.need_tar_gz = !Platform.windows?
|
16
|
+
p.need_zip = !Platform.windows?
|
17
|
+
p.rdoc_pattern = /^(lib|bin|tasks|ext)|^BUILD|^README|^CHANGELOG|^TODO|^LICENSE|^COPYING$/
|
18
|
+
end
|
19
|
+
|
20
|
+
if $0 == __FILE__
|
21
|
+
Rake.application = Rake::Application.new
|
22
|
+
Rake.application.run
|
23
|
+
end
|
data/bin/tem_bench
ADDED
data/bin/tem_ca
ADDED
data/bin/tem_irb
ADDED
data/bin/tem_proxy
ADDED
@@ -0,0 +1,65 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
# TEM transport-level proxy.
|
4
|
+
# Serves a TCP connection
|
5
|
+
|
6
|
+
require 'logger'
|
7
|
+
|
8
|
+
require 'rubygems'
|
9
|
+
require 'tem_ruby'
|
10
|
+
|
11
|
+
# JCOP remote serving logic implementing a proxy to another transport.
|
12
|
+
class ServingLogic
|
13
|
+
include Tem::Transport::JcopRemoteServingStubs
|
14
|
+
def initialize(serving_transport, logging = false)
|
15
|
+
@serving = serving_transport
|
16
|
+
@logger = Logger.new STDERR
|
17
|
+
@logger.level = logging ? Logger::DEBUG : Logger::FATAL
|
18
|
+
@connected = true
|
19
|
+
end
|
20
|
+
def connection_start
|
21
|
+
@logger.info "Connection start"
|
22
|
+
unless @connected
|
23
|
+
@serving.connect
|
24
|
+
@connected = true
|
25
|
+
end
|
26
|
+
end
|
27
|
+
def connection_end
|
28
|
+
@logger.info "Connection end"
|
29
|
+
@serving.disconnect if @connected
|
30
|
+
@connected = false
|
31
|
+
end
|
32
|
+
def exchange_apdu(apdu)
|
33
|
+
@logger.info "APDU request: #{apdu.map { |n| '%02x' % n }.join(' ')}"
|
34
|
+
response = @serving.exchange_apdu apdu
|
35
|
+
@logger.info "APDU response: #{response.map { |n| '%02x' % n }.join(' ')}"
|
36
|
+
response
|
37
|
+
end
|
38
|
+
end
|
39
|
+
|
40
|
+
# Indefinitely runs a JCOP remove serving loop that proxies to another TEM
|
41
|
+
# transport.
|
42
|
+
#
|
43
|
+
# The TEM transport is automatically configured based on environment information
|
44
|
+
# and defaults.
|
45
|
+
#
|
46
|
+
def serve(options)
|
47
|
+
@logger = Logger.new STDERR
|
48
|
+
@logger.level = options[:logging] ? Logger::DEBUG : Logger::FATAL
|
49
|
+
|
50
|
+
serving_transport = Tem::Transport.auto_transport
|
51
|
+
@logger.info "Proxying to #{serving_transport.inspect}\n"
|
52
|
+
@logger.info "Serving with #{options.inspect}\n"
|
53
|
+
serving_logic = ServingLogic.new serving_transport, options[:logging]
|
54
|
+
Tem::Transport::JcopRemoteServer.new(options, serving_logic).run
|
55
|
+
end
|
56
|
+
|
57
|
+
# Parses the commmand-line arguments into an options hash suitable for #serve.
|
58
|
+
def parse_args
|
59
|
+
{ :ip => ARGV[1] || '0.0.0.0', :port => (ARGV[0] || '9000').to_i,
|
60
|
+
:logging => !(ENV['DEBUG'] &&
|
61
|
+
['0', 'no', 'false'].include?(ENV['DEBUG'].downcase)) }
|
62
|
+
end
|
63
|
+
|
64
|
+
options = parse_args
|
65
|
+
serve options
|
data/bin/tem_stat
ADDED
@@ -0,0 +1,35 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
|
3
|
+
# spews information about the TEM
|
4
|
+
require 'rubygems'
|
5
|
+
require 'tem_ruby'
|
6
|
+
require 'pp'
|
7
|
+
|
8
|
+
Tem.auto_conf
|
9
|
+
|
10
|
+
print "Connected to TEM using #{$tem.transport.inspect}\n"
|
11
|
+
begin
|
12
|
+
fw_ver = $tem.tk_firmware_ver
|
13
|
+
print "TEM firmware version: #{fw_ver[:major]}.#{fw_ver[:minor]}\n"
|
14
|
+
rescue Exception => e
|
15
|
+
print "Could not read TEM firmware version. Is the TEM emitted?\n"
|
16
|
+
print "#{e.class.name}: #{e}\n#{e.backtrace.join("\n")}\n"
|
17
|
+
end
|
18
|
+
|
19
|
+
begin
|
20
|
+
b_stat = $tem.stat_buffers
|
21
|
+
print "TEM memory stat:\n"
|
22
|
+
pp b_stat
|
23
|
+
rescue Exception => e
|
24
|
+
print "Could not retrieve TEM memory stat. Is the TEM activated?\n"
|
25
|
+
print "#{e.class.name}: #{e}\n#{e.backtrace.join("\n")}\n"
|
26
|
+
end
|
27
|
+
|
28
|
+
begin
|
29
|
+
k_stat = $tem.stat_keys
|
30
|
+
print "TEM crypto stat:\n"
|
31
|
+
pp k_stat
|
32
|
+
rescue Exception => e
|
33
|
+
print "Could not retrieve TEM crypto stat. Is the TEM activated?\n"
|
34
|
+
print "#{e.class.name}: #{e}\n#{e.backtrace.join("\n")}\n"
|
35
|
+
end
|
data/dev_ca/ca_cert.cer
ADDED
Binary file
|
data/dev_ca/ca_cert.pem
ADDED
@@ -0,0 +1,32 @@
|
|
1
|
+
-----BEGIN CERTIFICATE-----
|
2
|
+
MIIFgDCCBGigAwIBAgIAMA0GCSqGSIb3DQEBBQUAMIHcMTAwLgYDVQQDDCdUcnVz
|
3
|
+
dGVkIEV4ZWN1dGlvbiBNb2R1bGUgRGV2ZWxvcG1lbnQgQ0ExFjAUBgNVBAgMDU1h
|
4
|
+
c3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTELMAkGA1UEBhMCVVMxLTAr
|
5
|
+
BgNVBAoMJE1hc3NhY2h1c2V0dHMgSW5zaXR1dGUgb2YgVGVjaG5vbG9neTFAMD4G
|
6
|
+
A1UECww3Q29tcHV0ZXIgU2NpZW5jZSBhbmQgQXJ0aWZpY2lhbCBJbnRlbGxpZ2Vu
|
7
|
+
Y2UgTGFib3JhdG9yeTAeFw0wODA2MDkxMTMyMTBaFw0xODA2MDkxMTMyMTBaMIHc
|
8
|
+
MTAwLgYDVQQDDCdUcnVzdGVkIEV4ZWN1dGlvbiBNb2R1bGUgRGV2ZWxvcG1lbnQg
|
9
|
+
Q0ExFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEL
|
10
|
+
MAkGA1UEBhMCVVMxLTArBgNVBAoMJE1hc3NhY2h1c2V0dHMgSW5zaXR1dGUgb2Yg
|
11
|
+
VGVjaG5vbG9neTFAMD4GA1UECww3Q29tcHV0ZXIgU2NpZW5jZSBhbmQgQXJ0aWZp
|
12
|
+
Y2lhbCBJbnRlbGxpZ2VuY2UgTGFib3JhdG9yeTCCASIwDQYJKoZIhvcNAQEBBQAD
|
13
|
+
ggEPADCCAQoCggEBAM7ebvoLQ/FF+woPjmivWcesdR5hZekmaRy9Md55kT3FRfqq
|
14
|
+
AYzEjblo77HVullgpplVCVlEgCXUN1vjVc2dknUPs3eeIIQIBWrX3Je8OY19sYh3
|
15
|
+
goybyAkpnDNXGZTpx29kHw9zXNPQRFnQCsUTsmkoZOUBmblqn0m8mxzvbA5mKiFk
|
16
|
+
cXr3bLUuTreilwEqW24ictGT85gDiadf2Yx2zmGpvvxtB1RCRdOujftCoV4YaWju
|
17
|
+
U1v/4bNY4rcQ6T33NIcA1cbF4QSeMvzbS33pnV4/RPbPjLbn0KVN1XcUGj6L7Nve
|
18
|
+
QFOsekCLRHRiahGVgIu90lHUS3FrRcY93p7v3m0CAwEAAaOCAUowggFGMA8GA1Ud
|
19
|
+
EwEB/wQFMAMBAf8wgfMGA1UdIwSB6zCB6KGB4qSB3zCB3DEwMC4GA1UEAwwnVHJ1
|
20
|
+
c3RlZCBFeGVjdXRpb24gTW9kdWxlIERldmVsb3BtZW50IENBMRYwFAYDVQQIDA1N
|
21
|
+
YXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxCzAJBgNVBAYTAlVTMS0w
|
22
|
+
KwYDVQQKDCRNYXNzYWNodXNldHRzIEluc2l0dXRlIG9mIFRlY2hub2xvZ3kxQDA+
|
23
|
+
BgNVBAsMN0NvbXB1dGVyIFNjaWVuY2UgYW5kIEFydGlmaWNpYWwgSW50ZWxsaWdl
|
24
|
+
bmNlIExhYm9yYXRvcnmCAQAwCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIB
|
25
|
+
BjAdBgNVHQ4EFgQU9eaMHf5cp5ZV1AiqEpZChwV1vC8wDQYJKoZIhvcNAQEFBQAD
|
26
|
+
ggEBAIsZ3SVu08m2zWYZSlyf3ylczSLjCUGYlRg30JzCejIxZkYE+zzgwpPLIngQ
|
27
|
+
yXcSqXSlO0t14GbidVhOnSq6WoMqftxC6chT82GGOpl0oWGeFZnX7fSQQfI6Rwqk
|
28
|
+
VVxaLv23xD3GU5dpsGy81blrl4n0ocMcAeEynAOBAj/c+sw+lowIZtpZ32MgJRVc
|
29
|
+
iBmbAOV8RXj8hymylz+UlScrmjwl0k5hHQ+beDyLNkUDrKG13rs6iSl+AEXrzzbM
|
30
|
+
wpSr/41JWjwkIuM5D7MVVk06UtFWzTEm766DbP4plopkaYzzzmjCRelMoGIoI1yD
|
31
|
+
tAtZLRzXomQ2xLX70O+bKuyP694=
|
32
|
+
-----END CERTIFICATE-----
|
data/dev_ca/ca_key.pem
ADDED
@@ -0,0 +1,27 @@
|
|
1
|
+
-----BEGIN RSA PRIVATE KEY-----
|
2
|
+
MIIEpAIBAAKCAQEAzt5u+gtD8UX7Cg+OaK9Zx6x1HmFl6SZpHL0x3nmRPcVF+qoB
|
3
|
+
jMSNuWjvsdW6WWCmmVUJWUSAJdQ3W+NVzZ2SdQ+zd54ghAgFatfcl7w5jX2xiHeC
|
4
|
+
jJvICSmcM1cZlOnHb2QfD3Nc09BEWdAKxROyaShk5QGZuWqfSbybHO9sDmYqIWRx
|
5
|
+
evdstS5Ot6KXASpbbiJy0ZPzmAOJp1/ZjHbOYam+/G0HVEJF066N+0KhXhhpaO5T
|
6
|
+
W//hs1jitxDpPfc0hwDVxsXhBJ4y/NtLfemdXj9E9s+MtufQpU3VdxQaPovs295A
|
7
|
+
U6x6QItEdGJqEZWAi73SUdRLcWtFxj3enu/ebQIDAQABAoIBAEiUvnc4kKQMm6HS
|
8
|
+
B3MvYt6t4YHBRpJhCawtrVuTZ6Q2nPDvyQ9svxT4fnD0vicxxAI0Vc1ePWAIb0vs
|
9
|
+
HWTBDmvIEH29m0b30X7FMf6C6eZ83Vc2JzXSSoL8eHOC8dTPmUu54zP2k/E1N2YT
|
10
|
+
mlO/L2+53nyC7T6i7DRg2kNytYTvLf5+gKI0Pca47xfE2oA6R7mbM7ew/1GBSwup
|
11
|
+
9SrszudcSf31quuDTOG2lGtUkzosi9p7LZ3SagqHR9YGRXeQ3xjNo/MgkAprffjC
|
12
|
+
xlrCdpvTnZS/ACu0TXGuDvEn8JtcPWg8ZeHx4UKW+Ll3eEoILaSxvFzgY8jR8RWy
|
13
|
+
xk0HVTkCgYEA61TbQcD6pqd+8m1WGEo2BagBsNavbU8v5Xoaj5Cebe968FybBiKU
|
14
|
+
T9thbbvxCy8PC/hEOn0S/tFzNdgZp17/HGNqRtLMkiogj4h+n8ikCbcMKBGIVqrw
|
15
|
+
tT3kgPe/66RLVnNx/QuY53AgSIMhEZtmuomuO0rVdJNA2z3ami/GuJsCgYEA4Qmh
|
16
|
+
T5rCgID/CGGt7lNTGkGhgt3IPBBlakXXhvwRcrmfkqKVztu0l4aRrwAA4tE6xkKa
|
17
|
+
/89FgliKpSFAp2ipmMysTfhmM4so6M/7JwxkZqBtl33umg+RM7J0qCl7IQzIXHb3
|
18
|
+
GB/6EJIzxTpxk/EF1CM+wuLIDlIWzN3N5wcXIZcCgYAU/QN1ENYKCQQ8cN3t2qiI
|
19
|
+
xpwn/m207QwThllaFobavTIUv92fpXPez20YEVwFKFRKOAE1yjPogBurYLOhBsrv
|
20
|
+
6DnxSRmvq4wt4PmSHJ3ss+OkqzOiryo6r+NyUSZPyN5jPnabH+6qLYjjjrZjUJ3P
|
21
|
+
4zmj1h/FfuCY7SJTABHUIwKBgQDAwqf7cRwUSOqr+kerMpKnlfpMB7+Bu6WzL1ob
|
22
|
+
lQU5GUlXqI7cHxQFC0708PLRVtmag+kTIC9xJHi2U9J2088aRI9/Rjv9AMGtEqIW
|
23
|
+
Y6YIxni5YDSmoJkHCGCmvslqmPFzSrADaTihQyq3UYWCbN1KRlp3QxyML8K5/3Bk
|
24
|
+
6YzlxwKBgQDhoquhyRjUzxsuKjKdLZa8RLwK720/kLOWgA1MfNEodIrcPZphNDpO
|
25
|
+
ln/KeMQ/If6zZ9KH/hd/KYet366X0gO6+e+Pon8YIYpwZrrLhZ8qKQHmLZDz4bY1
|
26
|
+
X+ghsQnpj5X0klQbpVtsKSKU6LL6eYR3yBEVwGvh94Rt02g++6K2+Q==
|
27
|
+
-----END RSA PRIVATE KEY-----
|
data/dev_ca/config.yml
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
---
|
2
|
+
# the development CA is valid for 10 years
|
3
|
+
:ca_validity_days: 3652
|
4
|
+
:issuer:
|
5
|
+
CN: Trusted Execution Module Development CA
|
6
|
+
L: Cambridge
|
7
|
+
ST: Massachusetts
|
8
|
+
C: US
|
9
|
+
O: Massachusetts Insitute of Technology
|
10
|
+
OU: Computer Science and Artificial Intelligence Laboratory
|
11
|
+
# a TEM is valid for two days
|
12
|
+
:ecert_validity_days: 730
|
13
|
+
:subject:
|
14
|
+
CN: Trusted Execution Module DevChip
|
data/lib/tem/_cert.rb
ADDED
@@ -0,0 +1,158 @@
|
|
1
|
+
# Victor Costan:
|
2
|
+
# dropped because it wasn't hooked up to the rest of the code
|
3
|
+
# preserved to move all the features into the new ca.rb / ecert.rb
|
4
|
+
|
5
|
+
#@author: Jorge de la Garza (MIT '08), mongoose08@alum.mit.edu
|
6
|
+
#The Cert module contains methods for digesting a X.509 certificate into a tag
|
7
|
+
#for the TEM and to methods to reconstruct the certificate from the tag. Methods
|
8
|
+
#to create some sample certificates are also included for convenience.
|
9
|
+
|
10
|
+
module Tem::Cert
|
11
|
+
#@param key An OpenSSL::PKey instance that will be this cert's key and will be used to sign this cert
|
12
|
+
#@returns a self-signed X.509 certificate that is supposed to be the TEM manufacturer's
|
13
|
+
def self.create_issuer_cert(key)
|
14
|
+
issuer_cert = OpenSSL::X509::Certificate.new
|
15
|
+
issuer_cert.public_key = key.public_key
|
16
|
+
issuer_dist_name = OpenSSL::X509::Name.new [['CN', 'TEM Manufacturer'], ['L', 'Cambridge'], ['ST', 'Massachusetts'],\
|
17
|
+
['O', 'Trusted Execution Modules, Inc.'], ['OU', 'Certificates Division'], ['C', 'US']]
|
18
|
+
issuer_cert.issuer = issuer_dist_name
|
19
|
+
issuer_cert.subject = issuer_dist_name
|
20
|
+
issuer_cert.not_before = Time.now
|
21
|
+
issuer_cert.not_after = Time.now + (60 * 60 * 24 * 365.25) * 10
|
22
|
+
issuer_cert.sign key, OpenSSL::Digest::SHA1.new
|
23
|
+
return issuer_cert
|
24
|
+
end
|
25
|
+
|
26
|
+
|
27
|
+
#@param subject_key An OpenSSL::PKey instance that will be this cert's key
|
28
|
+
#@param issuer_key An OpenSSL::Pkey instance that will be used to sign this cert (i.e. the issuer's/manufacturer's key)
|
29
|
+
#@param issuer_cert The OpenSSL::X509::Certificate instance of the authority that issued this cert
|
30
|
+
#@returns An OpenSSL::X509::Certificate instance issued by issuer_cert and signed by issuer_key
|
31
|
+
def self.create_subject_cert(subject_key, issuer_key, issuer_cert)
|
32
|
+
subject_cert = OpenSSL::X509::Certificate.new
|
33
|
+
subject_cert.public_key = subject_key.public_key
|
34
|
+
subject_cert.serial = Time.now.to_i #no significance to this #, just a value for demonstration of purpose
|
35
|
+
subject_dist_name = OpenSSL::X509::Name.new [['CN', 'TEM Device'], ['L', 'Cambridge'], ['ST', 'Massachusetts'],\
|
36
|
+
['O', 'Trusted Execution Modules, Inc.'], ['OU', 'Certificates Division'], ['C', 'US']]
|
37
|
+
subject_cert.issuer = issuer_cert.subject
|
38
|
+
subject_cert.subject = subject_dist_name
|
39
|
+
subject_cert.not_before = Time.now
|
40
|
+
subject_cert.not_after = Time.now + (60 * 60 * 24 * 365.25) * 10
|
41
|
+
subject_cert.sign issuer_key, OpenSSL::Digest::SHA1.new
|
42
|
+
return subject_cert
|
43
|
+
end
|
44
|
+
|
45
|
+
|
46
|
+
#@param cert An OpenSSL::X509::Certificate instance
|
47
|
+
#@returns The tag to write to the TEM as a byte array
|
48
|
+
#The tag is 527 bytes long. What the bytes encode is as follows:
|
49
|
+
# -Serial number tag[0..3]
|
50
|
+
# -Not before date tag[4..7]
|
51
|
+
# -Not after date tag[8..11]
|
52
|
+
# -Modulus tag[12..267]
|
53
|
+
# -Public key exp tag[268..270]
|
54
|
+
# -Signature tag[271..526]
|
55
|
+
def self.create_tag_from_cert(cert)
|
56
|
+
tag_serial_num = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.serial.to_s))
|
57
|
+
while tag_serial_num.length < 4
|
58
|
+
tag_serial_num = [0] + tag_serial_num #make sure array is 4 bytes
|
59
|
+
end
|
60
|
+
#The dates are encoded as the number of seconds since epoch (Jan 1, 1970 00:00:00 GMT)
|
61
|
+
#TODO: check that dates are exactly 4 bytes, else throw an exception
|
62
|
+
tag_not_before = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.not_before.to_i.to_s))
|
63
|
+
tag_not_after = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.not_after.to_i.to_s))
|
64
|
+
tag_modulus = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.public_key.n.to_s))
|
65
|
+
#TODO: ensure that exponent is exactly three bytes, or come up with a safer way to encode it
|
66
|
+
tag_public_exp = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.public_key.e.to_s))
|
67
|
+
tag = [tag_serial_num, tag_not_before, tag_not_after, tag_modulus, tag_public_exp].flatten
|
68
|
+
return tag
|
69
|
+
end
|
70
|
+
|
71
|
+
#@param tag The tag read from the TEM
|
72
|
+
#@param issuer_cert The OpenSSL::X509::Certificate of the entity that issued the TEM's certificate
|
73
|
+
#@returns The unsigned OpenSSL::X509::Certificate from which the tag was created.
|
74
|
+
def self.create_cert_from_tag(tag, issuer_cert)
|
75
|
+
cert = OpenSSL::X509::Certificate.new
|
76
|
+
cert.public_key = Cert.extract_key(tag)
|
77
|
+
cert.serial = Cert.extract_serial_num(tag)
|
78
|
+
cert_name = OpenSSL::X509::Name.new [['CN', 'TEM Device'], ['L', 'Cambridge'], ['ST', 'Massachusetts'],\
|
79
|
+
['O', 'Trusted Execution Modules, Inc.'], ['OU', 'Certificates Division'], ['C', 'US']]
|
80
|
+
cert.issuer = issuer_cert.subject
|
81
|
+
cert.subject = cert_name
|
82
|
+
cert.not_before = Cert.extract_not_before(tag)
|
83
|
+
cert.not_after = Cert.extract_not_after(tag)
|
84
|
+
return cert
|
85
|
+
end
|
86
|
+
|
87
|
+
|
88
|
+
#returns a number
|
89
|
+
def self.extract_serial_num(tag)
|
90
|
+
serial_num_array = tag[0..3]
|
91
|
+
serial_num = 0
|
92
|
+
for i in (0..serial_num_array.length-1)
|
93
|
+
serial_num = serial_num << 8
|
94
|
+
serial_num += serial_num_array[i]
|
95
|
+
end
|
96
|
+
return serial_num
|
97
|
+
end
|
98
|
+
|
99
|
+
#returns a Time
|
100
|
+
def self.extract_not_before(tag)
|
101
|
+
time_array = tag[4..7]
|
102
|
+
offset_in_sec = 0
|
103
|
+
for i in (0..time_array.length-1)
|
104
|
+
offset_in_sec = offset_in_sec << 8
|
105
|
+
offset_in_sec += time_array[i]
|
106
|
+
end
|
107
|
+
return Time.at(offset_in_sec)
|
108
|
+
end
|
109
|
+
|
110
|
+
#returns a time
|
111
|
+
def self.extract_not_after(tag)
|
112
|
+
time_array = tag[8..11]
|
113
|
+
offset_in_sec = 0
|
114
|
+
for i in (0..time_array.length-1)
|
115
|
+
offset_in_sec = offset_in_sec << 8
|
116
|
+
offset_in_sec += time_array[i]
|
117
|
+
end
|
118
|
+
return Time.at(offset_in_sec)
|
119
|
+
end
|
120
|
+
|
121
|
+
#returns a OpenSSL::PKey::RSA public key
|
122
|
+
def self.extract_key(tag)
|
123
|
+
mod_array = tag[12..267]
|
124
|
+
mod = 0
|
125
|
+
for i in (0..mod_array.length-1)
|
126
|
+
mod = mod << 8
|
127
|
+
mod += mod_array[i]
|
128
|
+
end
|
129
|
+
exp_array = tag[268..271]
|
130
|
+
exp = 0
|
131
|
+
for i in (0..exp_array.length-1)
|
132
|
+
exp = exp << 8
|
133
|
+
exp += exp_array[i]
|
134
|
+
end
|
135
|
+
key = OpenSSL::PKey::RSA.new
|
136
|
+
key.n = mod
|
137
|
+
key.e = exp
|
138
|
+
return key.public_key
|
139
|
+
end
|
140
|
+
|
141
|
+
|
142
|
+
#@param cert A signed OpenSSL::X509::Certificate instance
|
143
|
+
#cert must be signed with sha1WithRSAEncryption algorithm
|
144
|
+
#TODO: how to make this method compatible with any algorithm
|
145
|
+
#@returns a byte array corresponding to the signature
|
146
|
+
def self.extract_sig_from_cert(cert)
|
147
|
+
str = 'Signature Algorithm: sha1WithRSAEncryption'
|
148
|
+
text_sig = cert.to_text
|
149
|
+
first_index = text_sig.index(str)
|
150
|
+
text_sig = text_sig[first_index+1..-1]
|
151
|
+
second_index = text_sig.index(str)
|
152
|
+
sig_start_index = second_index+str.length + 1 #the 1 is for the newline character
|
153
|
+
text_sig = text_sig[sig_start_index..-1]
|
154
|
+
sig_array = []
|
155
|
+
text_sig.each(':') {|byte| sig_array.push(byte.delete(':').hex)}
|
156
|
+
return sig_array
|
157
|
+
end
|
158
|
+
end
|