costan-tem_ruby 0.10.2

data/lib/tem/ca.rb

@@ -0,0 +1,114 @@
+require 'openssl'
+require 'yaml'
+
+# Certificate Authority (CA) functionality for TEM manufacturers
+module Tem::CA
+  # creates an Endorsement Certificate for a TEM's Public Endorsement Key
+  def new_ecert(pubek)
+    ca_cert = Tem::CA.ca_cert
+    ca_key = Tem::CA.ca_key
+    conf = Tem::CA.config
+    
+    dn = OpenSSL::X509::Name.new conf[:issuer].merge(conf[:subject]).to_a
+    now = Time.now
+    ecert = OpenSSL::X509::Certificate.new
+    ecert.issuer = ca_cert.subject
+    ecert.subject = dn
+    ecert.not_before = now;
+    ecert.not_after = now + conf[:ecert_validity_days] * 60 * 60 * 24;
+    ecert.public_key = pubek
+    ecert.version = 2
+    cf = OpenSSL::X509::ExtensionFactory.new
+    cf.subject_certificate = ecert 
+    cf.issuer_certificate = ca_cert
+    ecert.add_extension cf.create_extension("basicConstraints", "CA:true", true)
+    ecert.add_extension cf.create_extension("authorityKeyIdentifier", "keyid,issuer")    
+    ecert.add_extension cf.create_extension("keyUsage", "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign")
+    ecert.add_extension cf.create_extension("extendedKeyUsage", "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC")
+    ecert.add_extension cf.create_extension("nsCertType", "client,server,email,objsign,sslCA,emailCA,objCA")
+    ecert.add_extension cf.create_extension("subjectKeyIdentifier", "hash")
+    ecert.sign ca_key, OpenSSL::Digest::SHA1.new
+    
+    return ecert
+  end
+  
+  @@dev_dir = File.join(File.dirname(__FILE__), "..", "..", "dev_ca")
+
+  # retrieves the TEM CA configuration 
+  def self.config
+    cpath = Tem::Hive.path_to 'ca/config.yml'
+    cpath = File.join(@@dev_dir, 'config.yml') unless File.exists? cpath
+
+    # try to open it in the base folder
+    scaffold_config unless File.exists? cpath
+    return File.open(cpath, 'r') { |f| YAML.load f } 
+  end
+  
+  # retrieves the TEM CA certificate
+  def self.ca_cert
+    cpath = Tem::Hive.path_to 'ca/ca_cert.pem'
+    cpath = File.join(@@dev_dir, 'ca_cert.pem') unless File.exists? cpath
+    return OpenSSL::X509::Certificate.new(File.open(cpath, 'r') { |f| f.read })
+  end
+  
+  # retrieves the TEM CA key pair (needed for signing)
+  def self.ca_key
+    cpath = Tem::Hive.path_to 'ca/ca_key.pem'
+    cpath = File.join(@@dev_dir, 'ca_key.pem') unless File.exists? cpath
+    return OpenSSL::PKey::RSA.new(File.open(cpath, 'r') { |f| f.read })
+  end
+
+  # scaffolds the structures needed for a TEM CA
+  def self.scaffold_ca
+    conf = config
+    
+    # generate and write key
+    ca_key = Tem::CryptoAbi.generate_ssl_kp
+    key_path = Tem::Hive.create 'ca/ca_key.pem'
+    File.open(key_path, 'w') { |f| f.write ca_key.to_pem }
+    
+    # create the CA certificate
+    dn = OpenSSL::X509::Name.new conf[:issuer].to_a
+    now = Time.now
+    cert = OpenSSL::X509::Certificate.new
+    cert.subject = cert.issuer = dn
+    cert.not_before = now;
+    cert.not_after = now + conf[:ca_validity_days] * 60 * 60 * 24;
+    cert.public_key = ca_key.public_key
+    cert.version = 2
+    cf = OpenSSL::X509::ExtensionFactory.new
+    cf.subject_certificate = cf.issuer_certificate = cert
+    cert.add_extension cf.create_extension("basicConstraints", "CA:true", true)
+    cert.add_extension cf.create_extension("authorityKeyIdentifier", "keyid,issuer")    
+    cert.add_extension cf.create_extension("keyUsage", "cRLSign,keyCertSign")
+    cert.add_extension cf.create_extension("nsCertType", "emailCA,sslCA")
+    cert.add_extension cf.create_extension("subjectKeyIdentifier", "hash")
+    cert.sign ca_key, OpenSSL::Digest::SHA1.new    
+    
+    # write the CA certificate
+    cert_path = Tem::Hive.create 'ca/ca_cert.pem'
+    File.open(cert_path, 'w') { |f| f.write cert.to_pem }
+    cert_path = Tem::Hive.create 'ca/ca_cert.cer'
+    File.open(cert_path, 'wb') { |f| f.write cert.to_der }
+  end
+  
+  # scaffolds a TEM CA configuration
+  def self.scaffold_config
+    def_config = {
+      :issuer => {
+        'C' => 'US', 'ST' => 'Massachusetts', 'L' => 'Cambridge',
+        'O' => 'Massachusetts Insitute of Technology',
+        'OU' => 'Computer Science and Artificial Intelligence Laboratory',
+        'CN' => 'Trusted Execution Module Development CA'
+      },
+      :subject => {
+        'CN' => 'Trusted Execution Module DevChip'
+      },
+      :ca_validity_days => 3652,
+      :ecert_validity_days => 365 * 2,
+    } 
+    
+    cpath = Tem::Hive.create 'ca/config.yml'
+    File.open(cpath, 'w') { |f| YAML.dump def_config, f }
+  end
+end

data/lib/tem/definitions/abi.rb

@@ -0,0 +1,65 @@
+require 'openssl'
+require 'digest/sha1'
+
+
+module Tem::Abi
+  Tem::Builders::Abi.define_abi self do |abi|
+    abi.fixed_length_number :tem_byte, 1, :signed => true, :big_endian => true
+    abi.fixed_length_number :tem_ubyte, 1, :signed => false, :big_endian => true
+    abi.fixed_length_number :tem_short, 2, :signed => true, :big_endian => true
+    abi.fixed_length_number :tem_ushort, 2, :signed => false,
+                            :big_endian => true    
+    abi.fixed_length_number :tem_ps_addr, 20, :signed => false,
+                            :big_endian => true
+    abi.fixed_length_number :tem_ps_value, 20, :signed => false,
+                            :big_endian => true
+                            
+    abi.packed_variable_length_numbers :tem_privrsa_numbers, :tem_ushort,
+        [:p, :q, :dmp1, :dmq1, :iqmp], :signed => false, :big_endian => true
+    abi.packed_variable_length_numbers :tem_pubrsa_numbers, :tem_ushort,
+        [:e, :n], :signed => false, :big_endian => true
+    abi.fixed_length_string :tem_aes_key_string, 16    
+  end
+  
+  Tem::Builders::Crypto.define_crypto self do |crypto|
+    crypto.crypto_hash :tem_hash, Digest::SHA1
+    
+    crypto.asymmetric_key :tem_rsa, OpenSSL::PKey::RSA, :tem_privrsa_numbers,
+        :tem_pubrsa_numbers, 
+        :read_private => lambda { |key|
+      # The TEM uses the Chinese Remainder Theorem form of RSA keys, while
+      # OpenSSL uses the straightforward form (n, e, d).
+
+      # Rebuild the straightforward form from the CRT form.
+      key.n = key.p * key.q
+      p1, q1 = key.p - 1, key.q - 1          
+      p1q1 = p1 * q1
+      # HACK(costan): I haven't figured out how to restore d from dmp1 and
+      # dmq1, so I'm betting on the fact that e must be a small prime.
+      emp1 = key.dmp1.mod_inverse p1
+      emq1 = key.dmq1.mod_inverse q1
+      key.e = (emp1 < emq1) ? emp1 : emq1
+      key.d = key.e.mod_inverse p1q1
+      Tem::Keys::Asymmetric.new key
+    }
+    
+    crypto.symmetric_key :tem_aes_key, OpenSSL::Cipher::AES, 'ECB',
+                         :tem_aes_key_string
+    
+    crypto.conditional_wrapper :tem_key, 1,
+        [{:tag => [0x99], :type => :tem_key,
+          :class => Tem::Keys::Symmetric },
+         {:tag => [0xAA], :type => :public_tem_rsa,
+          :class => Tem::Keys::Asymmetric,
+          :predicate => lambda { |k| k.ssl_key.kind_of?(OpenSSL::PKey::RSA) &&
+                                     k.is_public? } },
+         {:tag => [0x55], :type => :private_tem_rsa,
+          :class => Tem::Keys::Asymmetric,
+          :predicate => lambda { |k| k.ssl_key.kind_of?(OpenSSL::PKey::RSA) } }]
+  end
+  
+  # For convenience, include the Abi methods in Tem::Session's namespace.
+  def self.included(klass)
+    klass.extend Tem::Abi
+  end
+end  # module Tem::Abi

data/lib/tem/definitions/assembler.rb

@@ -0,0 +1,23 @@
+class Tem::Assembler
+  Tem::Builders::Assembler.define_assembler self do |assembler|
+    assembler.target_isa Tem::Isa
+    assembler.stack_directive :stack, :label => :__stack,
+                                      :slot_type => :tem_short
+    assembler.label_directive :label
+    assembler.special_label_directive :entry, :__entry
+    assembler.zeros_directive :zeros
+    assembler.data_directive :data
+  end
+  
+  class Builder
+    def done_assembling(proxy)
+      assembled = super
+      bytes = assembled[:bytes]
+      labels = assembled[:labels]
+      Tem::SecPack.new :body => bytes,
+                       :labels => labels, :ep => labels[:__entry] || 0,
+                       :sp => labels[:__stack] || bytes.length,
+                       :lines => assembled[:line_info]    
+    end
+  end
+end

data/lib/tem/definitions/isa.rb

@@ -0,0 +1,188 @@
+module Tem::Isa
+  Tem::Builders::Isa.define_isa self, Tem::Abi,
+                                :opcode_type => :tem_ubyte do |isa|
+    # 2 ST -> 1 ST
+    isa.instruction 0x10, :add
+    # 2 ST -> 1 ST
+    isa.instruction 0x11, :sub
+    # 2 ST -> 1 ST
+    isa.instruction 0x12, :mul
+    # 2 ST -> 1 ST
+    isa.instruction 0x13, :div
+    # 2 ST -> 1 ST
+    isa.instruction 0x14, :mod
+    # 2 ST -> 1 ST 
+    isa.instruction 0x1E, :rnd
+    
+  
+    # 2 ST -> 1 ST
+    isa.instruction 0x3A, :stbv
+    # 2 ST -> 1 ST
+    isa.instruction 0x3B, :stwv
+  
+    # 2 ST -> 1 ST
+    isa.instruction 0x5B, :stk
+    
+  
+    # 1 ST, 1 IM -> 1 ST
+    isa.instruction 0x38, :stb, {:name => :to, :type => :tem_ushort}
+    # 1 ST, 1 IM -> 1 ST
+    isa.instruction 0x39, :stw, {:name => :to, :type => :tem_ushort}
+    
+  
+    # 2 IM -> 1 ST
+    isa.instruction 0x48, :psupfxb, {:name => :addr, :type => :tem_ushort},
+                                    {:name => :from, :type => :tem_ushort}
+    # 2 ST -> 1 ST
+    isa.instruction 0x49, :psupvb
+    # 2 IM -> 1 ST
+    isa.instruction 0x4A, :pswrfxb, {:name => :addr, :type => :tem_ushort},
+                                    {:name => :from, :type => :tem_ushort}
+    # 2 ST -> 1 ST
+    isa.instruction 0x4B, :pswrvb
+    # 2 IM -> 1 ST
+    isa.instruction 0x4C, :psrdfxb, {:name => :addr, :type => :tem_ushort},
+                                    {:name => :to, :type => :tem_ushort}
+    # 2 ST -> 1 ST
+    isa.instruction 0x4D, :psrdvb
+    # 2 IM -> 1 ST
+    isa.instruction 0x4E, :pshkfxb, {:name => :addr, :type => :tem_ushort}
+    # 2 ST -> 1 ST
+    isa.instruction 0x4F, :pshkvb
+    
+    
+    # 3 IM -> 1 ST
+    isa.instruction 0x18, :mdfxb, {:name => :size, :type => :tem_ushort},
+                                  {:name => :from, :type => :tem_ushort},
+                                  {:name => :to, :type => :tem_ushort}
+    # 3 ST -> 1 ST
+    isa.instruction 0x19, :mdvb
+    # 3 IM -> 1 ST
+    isa.instruction 0x1A, :mcmpfxb, {:name => :size, :type => :tem_ushort},
+                                    {:name => :op1, :type => :tem_ushort},
+                                    {:name => :op2, :type => :tem_ushort}
+    # 3 ST -> 1 ST  
+    isa.instruction 0x1B, :mcmpvb
+    # 3 IM -> 1 ST
+    isa.instruction 0x1C, :mcfxb, {:name => :size, :type => :tem_ushort},
+                                  {:name => :from, :type => :tem_ushort},
+                                  {:name => :to, :type => :tem_ushort}
+    # 3 ST -> 1 ST
+    isa.instruction 0x1D, :mcvb
+    
+    # 1 ST, 3 IM -> 1 ST   
+    isa.instruction 0x50, :kefxb, {:name => :size, :type => :tem_ushort},
+                                  {:name => :from, :type => :tem_ushort},
+                                  {:name => :to, :type => :tem_ushort}
+    # 4 ST -> 1 ST
+    isa.instruction 0x51, :kevb
+    # 1 ST, 3 IM -> 1 ST   
+    isa.instruction 0x52, :kdfxb, {:name => :size, :type => :tem_ushort},
+                                  {:name => :from, :type => :tem_ushort},
+                                  {:name => :to, :type => :tem_ushort}
+    # 4 ST -> 1 ST
+    isa.instruction 0x53, :kdvb
+    # 1 ST, 3 IM -> 1 ST   
+    isa.instruction 0x54, :ksfxb, {:name => :size, :type => :tem_ushort},
+                                  {:name => :from, :type => :tem_ushort},
+                                  {:name => :to, :type => :tem_ushort}
+    # 4 ST -> 1 ST
+    isa.instruction 0x55, :ksvb   
+    # 1 ST, 3 IM -> 1 ST   
+    isa.instruction 0x56, :kvsfxb, {:name => :size, :type => :tem_ushort},
+                                   {:name => :from, :type => :tem_ushort},
+                                   {:name => :signature, :type => :tem_ushort}
+    # 4 ST -> 1 ST
+    isa.instruction 0x57, :kvsvb
+      
+  
+    # 0 ST -> 0 ST; IP
+    isa.instruction 0x27, :jmp, {:name => :to, :type => :tem_ushort,
+                                 :reladdr => 2}
+    # 1 ST -> 0 ST; IP
+    isa.instruction 0x21, :jz, {:name => :to, :type => :tem_ushort,
+                                :reladdr => 2}
+    isa.instruction 0x21, :je, {:name => :to, :type => :tem_ushort,
+                                :reladdr => 2}
+    # 1 ST -> 0 ST; IP
+    isa.instruction 0x26, :jnz, {:name => :to, :type => :tem_ushort,
+                                 :reladdr => 2}
+    isa.instruction 0x26, :jne, {:name => :to, :type => :tem_ushort,
+                                 :reladdr => 2}
+    # 1 ST -> 0 ST; IP
+    isa.instruction 0x22, :ja, {:name => :to, :type => :tem_ushort,
+                                :reladdr => 2}
+    isa.instruction 0x22, :jg, {:name => :to, :type => :tem_ushort,
+                                :reladdr => 2}
+    # 1 ST -> 0 ST; IP
+    isa.instruction 0x23, :jae, {:name => :to, :type => :tem_ushort,
+                                 :reladdr => 2}
+    isa.instruction 0x23, :jge, {:name => :to, :type => :tem_ushort,
+                                 :reladdr => 2}
+    # 1 ST -> 0 ST; IP
+    isa.instruction 0x24, :jb, {:name => :to, :type => :tem_ushort,
+                                :reladdr => 2}
+    isa.instruction 0x24, :jl, {:name => :to, :type => :tem_ushort,
+                                :reladdr => 2}
+    # 1 ST -> 0 ST; IP
+    isa.instruction 0x25, :jbe, {:name => :to, :type => :tem_ushort,
+                                 :reladdr => 2}
+    isa.instruction 0x25, :jle, {:name => :to, :type => :tem_ushort,
+                                 :reladdr => 2}
+  
+    # 1 IM_B -> 1 ST
+    isa.instruction 0x30, :ldbc, {:name => :const, :type => :tem_byte}
+    # 1 IM -> 1 ST
+    isa.instruction 0x31, :ldwc, {:name => :const, :type => :tem_short}
+    # 1 ST -> 1 ST
+    isa.instruction 0x32, :ldb, {:name => :from, :type => :tem_ushort}
+    # 1 ST -> 1 ST
+    isa.instruction 0x33, :ldw, {:name => :from, :type => :tem_ushort}
+    # 1 ST -> 1 ST
+    isa.instruction 0x36, :ldbv
+    # 1 ST -> 1 ST
+    isa.instruction 0x37, :ldwv
+  
+    # 1 ST -> 0 ST
+    isa.instruction 0x42, :outnew
+    # 1 ST -> 0 ST
+    isa.instruction 0x44, :outb
+    # 1 ST -> 0 ST
+    isa.instruction 0x45, :outw
+  
+    # 1 ST -> 0 ST
+    isa.instruction 0x34, :pop
+    # 2 ST -> 0 ST
+    isa.instruction 0x35, :pop2
+  
+    # 1 IM, x ST -> 2x ST  
+    isa.instruction 0x3C, :dupn, {:name => :n, :type => :tem_ubyte}
+    # 1 IM, x ST -> x ST
+    isa.instruction 0x3D, :flipn, {:name => :n, :type => :tem_ubyte}
+  
+    # 2 IM -> 0 ST
+    isa.instruction 0x40, :outfxb, {:name => :size, :type => :tem_ushort},
+                                   {:name => :from, :type => :tem_ushort}
+    # 2 ST -> 0 ST
+    isa.instruction 0x41, :outvlb, {:name => :from, :type => :tem_ushort} 
+  
+    
+    # 1 IM, 1 ST -> 0 ST
+    isa.instruction 0x43, :outvb
+    # 0 ST -> 0 ST;;
+    isa.instruction 0x46, :halt
+    # 1 ST -> 0 ST
+    isa.instruction 0x47, :psrm
+    
+    # 1 ST -> 1 ST
+    isa.instruction 0x5A, :rdk     
+    # 1 ST -> 0 ST
+    isa.instruction 0x5C, :relk
+    
+    isa.instruction 0x5D, :ldkl
+    # 1 IM_B -> 2 ST
+    isa.instruction 0x5E, :genkp, {:name => :type, :type => :tem_ubyte }
+    # 1 ST, 1 IM -> 1 ST
+    isa.instruction 0x5F, :authk, {:name => :auth, :type => :tem_ushort }
+  end  
+end

data/lib/tem/ecert.rb

@@ -0,0 +1,77 @@
+require 'openssl'
+
+module Tem::ECert
+  # Writes an Endorsement Certificate to the TEM's tag.
+  def set_ecert(ecert)
+    set_tag ecert.to_der.unpack('C*')
+  end
+  
+  # Retrieves the TEM's Endorsement Certificate.
+  def endorsement_cert
+    OpenSSL::X509::Certificate.new get_tag[2..-1].pack('C*')
+  end
+  
+  # Retrieves the certificate of the TEM's Manfacturer (CA).
+  def manufacturer_cert
+    Tem::CA.ca_cert
+  end
+  
+  # Retrieves the TEM's Public Endorsement Key.
+  def pubek
+    Tem::Key.new_from_ssl_key endorsement_cert.public_key
+  end
+  
+  # Drives a TEM though the emitting process.
+  def emit
+    emit_sec = assemble do |s|
+      # Generate Endorsement Key pair, should end up in slots (0, 1).
+      s.genkp :type => 0
+      s.ldbc 1
+      s.sub
+      s.jne :to => :not_ok
+      s.ldbc 0
+      s.sub
+      s.jne :to => :not_ok
+      
+      # Generate and output random authorization for PrivEK.
+      s.ldbc 20
+      s.dupn :n => 1
+      s.outnew
+      s.ldwc :privek_auth
+      s.dupn :n => 2
+      s.rnd
+      s.outvb
+      # Set authorizations for PrivEK and PubkEK.
+      s.ldbc 0
+      s.authk :auth => :privek_auth
+      s.ldbc 1 # PubEK always has its initial authorization be all zeroes.
+      s.authk :auth => :pubek_auth
+      s.halt
+      
+      # Emitting didn't go well, return nothing and leave.
+      s.label :not_ok
+      s.ldbc 0
+      s.outnew
+      s.halt
+      
+      s.label :privek_auth
+      s.zeros :tem_ubyte, 20
+      s.label :pubek_auth
+      s.zeros :tem_ubyte, 20
+      s.stack 4
+    end
+    
+    r = execute emit_sec
+    if r.length == 0
+      return nil
+    else
+      privk_auth = r[0...20]
+      pubek_auth = (0...20).map {|i| 0}
+      pubek = tk_read_key 1, pubek_auth
+      tk_delete_key 1, pubek_auth      
+      ecert = new_ecert pubek.ssl_key
+      set_ecert ecert
+      return { :privek_auth => privk_auth }
+    end
+  end
+end