costan-tem_ruby 0.10.2

data/CHANGELOG

@@ -0,0 +1,45 @@
+v0.10.2. More internal refactorings.
+
+v0.10.1. Internal refactorings.
+
+v0.10.0. New transport code, allowing for multiple readers and TEM proxying.
+
+v0.9.2. Changed exec-SECpack calling sequence for fw 1.9.1(fire, the released version).
+
+v0.9.1. Cleaner names for the pstore data types and opcode arguments. "Bound" instead of "sealed" SECpack. 
+
+v0.9.0. Updated tests and re-implemented buffer stat-ing for fw 1.9(fire).
+
+v0.8.0. Implemented buffer flushing (fw 1.8) and more timing tests.
+
+v0.7.2. Implemented "tem_bench" for benchmarking a TEM.
+
+v0.7.1. Implemented Endorsement Certificates, with rudimentary infrastructure for a CA.
+
+v0.7.0. Updated names to reflect thesis (SEClosure, SECpack). Persistent store opcodes and tests reflect fw 1.7.
+
+v0.6.1. Fixed bug in tk_delete_key.
+
+v0.6.0. Implemented stat-ing TEM keys with test coverage. Updated tem_stat and custom exception.
+
+v0.5.2. Implemented custom exception for errors in TEM SEC execution.
+
+v0.5.1. Implemented tem_stat tool.
+
+v0.5.0. Implemented stat-ing TEM buffers with test coverage.
+
+v0.4.1. Removed exception dumping when connecting to a PC/SC terminal fails.
+
+v0.4.0. Support for adaptive buffer chunk sizing.
+
+v0.3.0. Support for fw 1.3 features (signing). Improved TEM emission.
+
+v0.2.1. Line debugging information in SECs.
+
+v0.2.0. Support for all fw 1.2 features. TEM tests have full coverage now.
+
+v0.1.2. Tag support.
+
+v0.1.1. Named parameters for more opcodes.
+
+v0.1. Initial release.

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2007 Massachusetts Institute of Technology
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Manifest

@@ -0,0 +1,75 @@
+bin/tem_bench
+bin/tem_ca
+bin/tem_irb
+bin/tem_proxy
+bin/tem_stat
+CHANGELOG
+dev_ca/ca_cert.cer
+dev_ca/ca_cert.pem
+dev_ca/ca_key.pem
+dev_ca/config.yml
+lib/tem/_cert.rb
+lib/tem/apdus/buffers.rb
+lib/tem/apdus/keys.rb
+lib/tem/apdus/lifecycle.rb
+lib/tem/apdus/tag.rb
+lib/tem/auto_conf.rb
+lib/tem/builders/abi.rb
+lib/tem/builders/assembler.rb
+lib/tem/builders/crypto.rb
+lib/tem/builders/isa.rb
+lib/tem/ca.rb
+lib/tem/definitions/abi.rb
+lib/tem/definitions/assembler.rb
+lib/tem/definitions/isa.rb
+lib/tem/ecert.rb
+lib/tem/hive.rb
+lib/tem/keys/asymmetric.rb
+lib/tem/keys/key.rb
+lib/tem/keys/symmetric.rb
+lib/tem/sec_exec_error.rb
+lib/tem/seclosures.rb
+lib/tem/secpack.rb
+lib/tem/tem.rb
+lib/tem/toolkit.rb
+lib/tem/transport/auto_configurator.rb
+lib/tem/transport/java_card_mixin.rb
+lib/tem/transport/jcop_remote_protocol.rb
+lib/tem/transport/jcop_remote_server.rb
+lib/tem/transport/jcop_remote_transport.rb
+lib/tem/transport/pcsc_transport.rb
+lib/tem/transport/transport.rb
+lib/tem_ruby.rb
+LICENSE
+Manifest
+Rakefile
+README
+tem_ruby.gemspec
+test/_test_cert.rb
+test/builders/test_abi_builder.rb
+test/tem_test_case.rb
+test/tem_unit/test_tem_alu.rb
+test/tem_unit/test_tem_bound_secpack.rb
+test/tem_unit/test_tem_branching.rb
+test/tem_unit/test_tem_crypto_asymmetric.rb
+test/tem_unit/test_tem_crypto_hash.rb
+test/tem_unit/test_tem_crypto_pstore.rb
+test/tem_unit/test_tem_crypto_random.rb
+test/tem_unit/test_tem_emit.rb
+test/tem_unit/test_tem_memory.rb
+test/tem_unit/test_tem_memory_compare.rb
+test/tem_unit/test_tem_output.rb
+test/tem_unit/test_tem_yaml_secpack.rb
+test/test_driver.rb
+test/test_exceptions.rb
+test/transport/test_auto_configurator.rb
+test/transport/test_java_card_mixin.rb
+test/transport/test_jcop_remote.rb
+timings/blank_bound_secpack.rb
+timings/blank_sec.rb
+timings/devchip_decrypt.rb
+timings/post_buffer.rb
+timings/simple_apdu.rb
+timings/timings.rb
+timings/vm_perf.rb
+timings/vm_perf_bound.rb

data/README

@@ -0,0 +1,8 @@
+This is the ruby driver for the Trusted Execution Module prototype produced at
+MIT. The best features of the ruby driver are the very powerful DSL
+(domain-specific language) that TEM SECpacks are compiled from, and the
+usage of debugging line info to translate exception IPs to stack traces.
+
+Running coverage tests:
+gem install rcov
+rcov -Ilib test/*.rb

data/Rakefile

@@ -0,0 +1,23 @@
+require 'rubygems'
+gem 'echoe'
+require 'echoe'
+
+Echoe.new('tem_ruby') do |p|
+  p.project = 'tem' # rubyforge project
+  p.docs_host = "costan@rubyforge.org:/var/www/gforge-projects/tem/rdoc/"
+  
+  p.author = 'Victor Costan'
+  p.email = 'victor@costan.us'
+  p.summary = 'TEM (Trusted Execution Module) driver, written in and for ruby.'
+  p.url = 'http://tem.rubyforge.org'
+  p.dependencies = ['smartcard >=0.3.0']
+  
+  p.need_tar_gz = !Platform.windows?
+  p.need_zip = !Platform.windows?
+  p.rdoc_pattern = /^(lib|bin|tasks|ext)|^BUILD|^README|^CHANGELOG|^TODO|^LICENSE|^COPYING$/  
+end
+
+if $0 == __FILE__
+  Rake.application = Rake::Application.new
+  Rake.application.run
+end

data/bin/tem_bench

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+
+# benchmarks a TEM
+require 'rubygems'
+require 'tem_ruby'
+
+require 'timings/timings.rb'
+
+TemTimings.all_timings

data/bin/tem_ca

@@ -0,0 +1,13 @@
+#!/usr/bin/env ruby
+
+# Manages the TEM Certificates and CA
+
+require 'rubygems'
+require 'tem_ruby'
+
+case ARGV[0]
+  when 'config'
+    Tem::CA.scaffold_config
+  when 'ca'
+    Tem::CA.scaffold_ca
+end

data/bin/tem_irb

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+
+# scaffolds an environment suitable for playing inside an irb session
+require 'rubygems'
+require 'tem_ruby'
+
+require 'irb'
+
+Tem.auto_conf
+
+IRB.start __FILE__

data/bin/tem_proxy

@@ -0,0 +1,65 @@
+#!/usr/bin/env ruby
+
+# TEM transport-level proxy.
+# Serves a TCP connection
+
+require 'logger'
+
+require 'rubygems'
+require 'tem_ruby'
+
+# JCOP remote serving logic implementing a proxy to another transport. 
+class ServingLogic
+  include Tem::Transport::JcopRemoteServingStubs
+  def initialize(serving_transport, logging = false)
+    @serving = serving_transport
+    @logger = Logger.new STDERR
+    @logger.level = logging ? Logger::DEBUG : Logger::FATAL
+    @connected = true
+  end
+  def connection_start
+    @logger.info "Connection start"
+    unless @connected
+    	@serving.connect 
+    	@connected = true
+    end
+  end
+  def connection_end
+    @logger.info "Connection end"
+    @serving.disconnect if @connected
+    @connected = false
+  end
+  def exchange_apdu(apdu)
+    @logger.info "APDU request: #{apdu.map { |n| '%02x' % n }.join(' ')}"
+    response = @serving.exchange_apdu apdu
+    @logger.info "APDU response: #{response.map { |n| '%02x' % n }.join(' ')}"
+    response
+  end
+end
+
+# Indefinitely runs a JCOP remove serving loop that proxies to another TEM
+# transport.
+#
+# The TEM transport is automatically configured based on environment information
+# and defaults. 
+#
+def serve(options)
+  @logger = Logger.new STDERR
+  @logger.level = options[:logging] ? Logger::DEBUG : Logger::FATAL
+
+  serving_transport = Tem::Transport.auto_transport
+  @logger.info "Proxying to #{serving_transport.inspect}\n"
+  @logger.info "Serving with #{options.inspect}\n"
+  serving_logic = ServingLogic.new serving_transport, options[:logging]
+  Tem::Transport::JcopRemoteServer.new(options, serving_logic).run
+end
+
+# Parses the commmand-line arguments into an options hash suitable for #serve.
+def parse_args
+  { :ip => ARGV[1] || '0.0.0.0', :port => (ARGV[0] || '9000').to_i,
+    :logging => !(ENV['DEBUG'] &&
+                  ['0', 'no', 'false'].include?(ENV['DEBUG'].downcase)) }
+end
+
+options = parse_args
+serve options

data/bin/tem_stat

@@ -0,0 +1,35 @@
+#!/usr/bin/env ruby
+
+# spews information about the TEM
+require 'rubygems'
+require 'tem_ruby'
+require 'pp'
+
+Tem.auto_conf
+
+print "Connected to TEM using #{$tem.transport.inspect}\n"
+begin
+	fw_ver = $tem.tk_firmware_ver
+	print "TEM firmware version: #{fw_ver[:major]}.#{fw_ver[:minor]}\n"
+rescue Exception => e
+	print "Could not read TEM firmware version. Is the TEM emitted?\n"
+	print "#{e.class.name}: #{e}\n#{e.backtrace.join("\n")}\n"
+end
+
+begin
+	b_stat = $tem.stat_buffers
+	print "TEM memory stat:\n"
+	pp b_stat
+rescue Exception => e
+	print "Could not retrieve TEM memory stat. Is the TEM activated?\n"
+	print "#{e.class.name}: #{e}\n#{e.backtrace.join("\n")}\n"
+end
+
+begin
+	k_stat = $tem.stat_keys
+	print "TEM crypto stat:\n"
+	pp k_stat
+rescue Exception => e
+	print "Could not retrieve TEM crypto stat. Is the TEM activated?\n"
+	print "#{e.class.name}: #{e}\n#{e.backtrace.join("\n")}\n"
+end

data/dev_ca/ca_cert.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFgDCCBGigAwIBAgIAMA0GCSqGSIb3DQEBBQUAMIHcMTAwLgYDVQQDDCdUcnVz
+dGVkIEV4ZWN1dGlvbiBNb2R1bGUgRGV2ZWxvcG1lbnQgQ0ExFjAUBgNVBAgMDU1h
+c3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTELMAkGA1UEBhMCVVMxLTAr
+BgNVBAoMJE1hc3NhY2h1c2V0dHMgSW5zaXR1dGUgb2YgVGVjaG5vbG9neTFAMD4G
+A1UECww3Q29tcHV0ZXIgU2NpZW5jZSBhbmQgQXJ0aWZpY2lhbCBJbnRlbGxpZ2Vu
+Y2UgTGFib3JhdG9yeTAeFw0wODA2MDkxMTMyMTBaFw0xODA2MDkxMTMyMTBaMIHc
+MTAwLgYDVQQDDCdUcnVzdGVkIEV4ZWN1dGlvbiBNb2R1bGUgRGV2ZWxvcG1lbnQg
+Q0ExFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEL
+MAkGA1UEBhMCVVMxLTArBgNVBAoMJE1hc3NhY2h1c2V0dHMgSW5zaXR1dGUgb2Yg
+VGVjaG5vbG9neTFAMD4GA1UECww3Q29tcHV0ZXIgU2NpZW5jZSBhbmQgQXJ0aWZp
+Y2lhbCBJbnRlbGxpZ2VuY2UgTGFib3JhdG9yeTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAM7ebvoLQ/FF+woPjmivWcesdR5hZekmaRy9Md55kT3FRfqq
+AYzEjblo77HVullgpplVCVlEgCXUN1vjVc2dknUPs3eeIIQIBWrX3Je8OY19sYh3
+goybyAkpnDNXGZTpx29kHw9zXNPQRFnQCsUTsmkoZOUBmblqn0m8mxzvbA5mKiFk
+cXr3bLUuTreilwEqW24ictGT85gDiadf2Yx2zmGpvvxtB1RCRdOujftCoV4YaWju
+U1v/4bNY4rcQ6T33NIcA1cbF4QSeMvzbS33pnV4/RPbPjLbn0KVN1XcUGj6L7Nve
+QFOsekCLRHRiahGVgIu90lHUS3FrRcY93p7v3m0CAwEAAaOCAUowggFGMA8GA1Ud
+EwEB/wQFMAMBAf8wgfMGA1UdIwSB6zCB6KGB4qSB3zCB3DEwMC4GA1UEAwwnVHJ1
+c3RlZCBFeGVjdXRpb24gTW9kdWxlIERldmVsb3BtZW50IENBMRYwFAYDVQQIDA1N
+YXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxCzAJBgNVBAYTAlVTMS0w
+KwYDVQQKDCRNYXNzYWNodXNldHRzIEluc2l0dXRlIG9mIFRlY2hub2xvZ3kxQDA+
+BgNVBAsMN0NvbXB1dGVyIFNjaWVuY2UgYW5kIEFydGlmaWNpYWwgSW50ZWxsaWdl
+bmNlIExhYm9yYXRvcnmCAQAwCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIB
+BjAdBgNVHQ4EFgQU9eaMHf5cp5ZV1AiqEpZChwV1vC8wDQYJKoZIhvcNAQEFBQAD
+ggEBAIsZ3SVu08m2zWYZSlyf3ylczSLjCUGYlRg30JzCejIxZkYE+zzgwpPLIngQ
+yXcSqXSlO0t14GbidVhOnSq6WoMqftxC6chT82GGOpl0oWGeFZnX7fSQQfI6Rwqk
+VVxaLv23xD3GU5dpsGy81blrl4n0ocMcAeEynAOBAj/c+sw+lowIZtpZ32MgJRVc
+iBmbAOV8RXj8hymylz+UlScrmjwl0k5hHQ+beDyLNkUDrKG13rs6iSl+AEXrzzbM
+wpSr/41JWjwkIuM5D7MVVk06UtFWzTEm766DbP4plopkaYzzzmjCRelMoGIoI1yD
+tAtZLRzXomQ2xLX70O+bKuyP694=
+-----END CERTIFICATE-----

data/dev_ca/ca_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAzt5u+gtD8UX7Cg+OaK9Zx6x1HmFl6SZpHL0x3nmRPcVF+qoB
+jMSNuWjvsdW6WWCmmVUJWUSAJdQ3W+NVzZ2SdQ+zd54ghAgFatfcl7w5jX2xiHeC
+jJvICSmcM1cZlOnHb2QfD3Nc09BEWdAKxROyaShk5QGZuWqfSbybHO9sDmYqIWRx
+evdstS5Ot6KXASpbbiJy0ZPzmAOJp1/ZjHbOYam+/G0HVEJF066N+0KhXhhpaO5T
+W//hs1jitxDpPfc0hwDVxsXhBJ4y/NtLfemdXj9E9s+MtufQpU3VdxQaPovs295A
+U6x6QItEdGJqEZWAi73SUdRLcWtFxj3enu/ebQIDAQABAoIBAEiUvnc4kKQMm6HS
+B3MvYt6t4YHBRpJhCawtrVuTZ6Q2nPDvyQ9svxT4fnD0vicxxAI0Vc1ePWAIb0vs
+HWTBDmvIEH29m0b30X7FMf6C6eZ83Vc2JzXSSoL8eHOC8dTPmUu54zP2k/E1N2YT
+mlO/L2+53nyC7T6i7DRg2kNytYTvLf5+gKI0Pca47xfE2oA6R7mbM7ew/1GBSwup
+9SrszudcSf31quuDTOG2lGtUkzosi9p7LZ3SagqHR9YGRXeQ3xjNo/MgkAprffjC
+xlrCdpvTnZS/ACu0TXGuDvEn8JtcPWg8ZeHx4UKW+Ll3eEoILaSxvFzgY8jR8RWy
+xk0HVTkCgYEA61TbQcD6pqd+8m1WGEo2BagBsNavbU8v5Xoaj5Cebe968FybBiKU
+T9thbbvxCy8PC/hEOn0S/tFzNdgZp17/HGNqRtLMkiogj4h+n8ikCbcMKBGIVqrw
+tT3kgPe/66RLVnNx/QuY53AgSIMhEZtmuomuO0rVdJNA2z3ami/GuJsCgYEA4Qmh
+T5rCgID/CGGt7lNTGkGhgt3IPBBlakXXhvwRcrmfkqKVztu0l4aRrwAA4tE6xkKa
+/89FgliKpSFAp2ipmMysTfhmM4so6M/7JwxkZqBtl33umg+RM7J0qCl7IQzIXHb3
+GB/6EJIzxTpxk/EF1CM+wuLIDlIWzN3N5wcXIZcCgYAU/QN1ENYKCQQ8cN3t2qiI
+xpwn/m207QwThllaFobavTIUv92fpXPez20YEVwFKFRKOAE1yjPogBurYLOhBsrv
+6DnxSRmvq4wt4PmSHJ3ss+OkqzOiryo6r+NyUSZPyN5jPnabH+6qLYjjjrZjUJ3P
+4zmj1h/FfuCY7SJTABHUIwKBgQDAwqf7cRwUSOqr+kerMpKnlfpMB7+Bu6WzL1ob
+lQU5GUlXqI7cHxQFC0708PLRVtmag+kTIC9xJHi2U9J2088aRI9/Rjv9AMGtEqIW
+Y6YIxni5YDSmoJkHCGCmvslqmPFzSrADaTihQyq3UYWCbN1KRlp3QxyML8K5/3Bk
+6YzlxwKBgQDhoquhyRjUzxsuKjKdLZa8RLwK720/kLOWgA1MfNEodIrcPZphNDpO
+ln/KeMQ/If6zZ9KH/hd/KYet366X0gO6+e+Pon8YIYpwZrrLhZ8qKQHmLZDz4bY1
+X+ghsQnpj5X0klQbpVtsKSKU6LL6eYR3yBEVwGvh94Rt02g++6K2+Q==
+-----END RSA PRIVATE KEY-----

data/dev_ca/config.yml

@@ -0,0 +1,14 @@
+--- 
+# the development CA is valid for 10 years
+:ca_validity_days: 3652
+:issuer: 
+  CN: Trusted Execution Module Development CA
+  L: Cambridge
+  ST: Massachusetts
+  C: US
+  O: Massachusetts Insitute of Technology
+  OU: Computer Science and Artificial Intelligence Laboratory
+# a TEM is valid for two days
+:ecert_validity_days: 730
+:subject: 
+  CN: Trusted Execution Module DevChip

data/lib/tem/_cert.rb

@@ -0,0 +1,158 @@
+# Victor Costan:
+#    dropped because it wasn't hooked up to the rest of the code
+#    preserved to move all the features into the new ca.rb / ecert.rb 
+
+#@author: Jorge de la Garza (MIT '08), mongoose08@alum.mit.edu
+#The Cert module contains methods for digesting a X.509 certificate into a tag
+#for the TEM and to methods to reconstruct the certificate from the tag.  Methods
+#to create some sample certificates are also included for convenience.
+
+module Tem::Cert
+  #@param key An OpenSSL::PKey instance that will be this cert's key and will be used to sign this cert
+  #@returns a self-signed X.509 certificate that is supposed to be the TEM manufacturer's
+  def self.create_issuer_cert(key)
+    issuer_cert = OpenSSL::X509::Certificate.new
+    issuer_cert.public_key = key.public_key
+    issuer_dist_name = OpenSSL::X509::Name.new [['CN', 'TEM Manufacturer'], ['L', 'Cambridge'], ['ST', 'Massachusetts'],\
+                         ['O', 'Trusted Execution Modules, Inc.'], ['OU', 'Certificates Division'], ['C', 'US']]
+    issuer_cert.issuer = issuer_dist_name
+    issuer_cert.subject = issuer_dist_name
+    issuer_cert.not_before = Time.now
+    issuer_cert.not_after = Time.now + (60 * 60 * 24 * 365.25) * 10
+    issuer_cert.sign key, OpenSSL::Digest::SHA1.new
+    return issuer_cert
+  end
+  
+  
+  #@param subject_key An OpenSSL::PKey instance that will be this cert's key
+  #@param issuer_key An OpenSSL::Pkey instance that will be used to sign this cert (i.e. the issuer's/manufacturer's key)
+  #@param issuer_cert The OpenSSL::X509::Certificate instance of the authority that issued this cert
+  #@returns An OpenSSL::X509::Certificate instance issued by issuer_cert and signed by issuer_key
+  def self.create_subject_cert(subject_key, issuer_key, issuer_cert)
+    subject_cert = OpenSSL::X509::Certificate.new
+    subject_cert.public_key = subject_key.public_key
+    subject_cert.serial = Time.now.to_i   #no significance to this #, just a value for demonstration of purpose
+    subject_dist_name = OpenSSL::X509::Name.new [['CN', 'TEM Device'], ['L', 'Cambridge'], ['ST', 'Massachusetts'],\
+                         ['O', 'Trusted Execution Modules, Inc.'], ['OU', 'Certificates Division'], ['C', 'US']]
+    subject_cert.issuer = issuer_cert.subject
+    subject_cert.subject = subject_dist_name
+    subject_cert.not_before = Time.now
+    subject_cert.not_after = Time.now + (60 * 60 * 24 * 365.25) * 10
+    subject_cert.sign issuer_key, OpenSSL::Digest::SHA1.new
+    return subject_cert
+  end
+  
+  
+  #@param cert An OpenSSL::X509::Certificate instance
+  #@returns The tag to write to the TEM as a byte array
+  #The tag is 527 bytes long.  What the bytes encode is as follows:
+  #    -Serial number   tag[0..3]
+  #    -Not before date tag[4..7]
+  #    -Not after date  tag[8..11]
+  #    -Modulus         tag[12..267]
+  #    -Public key exp  tag[268..270]
+  #    -Signature       tag[271..526]
+  def self.create_tag_from_cert(cert)
+    tag_serial_num = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.serial.to_s))
+    while tag_serial_num.length < 4
+      tag_serial_num = [0] + tag_serial_num  #make sure array is 4 bytes
+    end
+    #The dates are encoded as the number of seconds since epoch (Jan 1, 1970 00:00:00 GMT)
+    #TODO: check that dates are exactly 4 bytes, else throw an exception
+    tag_not_before = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.not_before.to_i.to_s))
+    tag_not_after = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.not_after.to_i.to_s))
+    tag_modulus = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.public_key.n.to_s))
+    #TODO: ensure that exponent is exactly three bytes, or come up with a safer way to encode it
+    tag_public_exp = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.public_key.e.to_s))
+    tag = [tag_serial_num, tag_not_before, tag_not_after, tag_modulus, tag_public_exp].flatten
+    return tag
+  end
+  
+  #@param tag The tag read from the TEM
+  #@param issuer_cert The OpenSSL::X509::Certificate of the entity that issued the TEM's certificate
+  #@returns The unsigned OpenSSL::X509::Certificate from which the tag was created.
+  def self.create_cert_from_tag(tag, issuer_cert)
+    cert = OpenSSL::X509::Certificate.new
+    cert.public_key = Cert.extract_key(tag)
+    cert.serial = Cert.extract_serial_num(tag)
+    cert_name = OpenSSL::X509::Name.new [['CN', 'TEM Device'], ['L', 'Cambridge'], ['ST', 'Massachusetts'],\
+                         ['O', 'Trusted Execution Modules, Inc.'], ['OU', 'Certificates Division'], ['C', 'US']]
+    cert.issuer = issuer_cert.subject
+    cert.subject = cert_name
+    cert.not_before = Cert.extract_not_before(tag)
+    cert.not_after = Cert.extract_not_after(tag)
+    return cert
+  end
+  
+  
+  #returns a number
+  def self.extract_serial_num(tag)
+    serial_num_array = tag[0..3]
+    serial_num = 0
+    for i in (0..serial_num_array.length-1)
+      serial_num = serial_num << 8
+      serial_num += serial_num_array[i]
+    end
+    return serial_num
+  end
+  
+  #returns a Time
+  def self.extract_not_before(tag)
+    time_array = tag[4..7]
+    offset_in_sec = 0
+    for i in (0..time_array.length-1)
+      offset_in_sec = offset_in_sec << 8
+      offset_in_sec += time_array[i]
+    end
+    return Time.at(offset_in_sec)
+  end
+  
+  #returns a time
+  def self.extract_not_after(tag)
+    time_array = tag[8..11]
+    offset_in_sec = 0
+    for i in (0..time_array.length-1)
+      offset_in_sec = offset_in_sec << 8
+      offset_in_sec += time_array[i]
+    end
+    return Time.at(offset_in_sec)
+  end
+  
+  #returns a OpenSSL::PKey::RSA public key
+  def self.extract_key(tag)
+    mod_array = tag[12..267]
+    mod = 0
+    for i in (0..mod_array.length-1)
+      mod = mod << 8
+      mod += mod_array[i]
+    end
+    exp_array = tag[268..271]
+    exp = 0
+    for i in (0..exp_array.length-1)
+      exp = exp << 8
+      exp += exp_array[i]
+    end
+    key = OpenSSL::PKey::RSA.new
+    key.n = mod
+    key.e = exp
+    return key.public_key
+  end
+  
+  
+  #@param cert A signed OpenSSL::X509::Certificate instance
+  #cert must be signed with sha1WithRSAEncryption algorithm
+  #TODO: how to make this method compatible with any algorithm
+  #@returns a byte array corresponding to the signature
+  def self.extract_sig_from_cert(cert)
+    str = 'Signature Algorithm: sha1WithRSAEncryption'
+    text_sig = cert.to_text
+    first_index = text_sig.index(str)
+    text_sig = text_sig[first_index+1..-1]
+    second_index = text_sig.index(str)
+    sig_start_index = second_index+str.length + 1 #the 1 is for the newline character
+    text_sig = text_sig[sig_start_index..-1]
+    sig_array = []
+    text_sig.each(':') {|byte| sig_array.push(byte.delete(':').hex)}
+    return sig_array
+  end  
+end