tem_ruby 0.9.0

data/CHANGELOG

@@ -0,0 +1,35 @@
+v0.9.0. Updated tests and re-implemented buffer stat-ing for fw 1.9(fire).
+
+v0.8.0. Implemented buffer flushing (fw 1.8) and more timing tests.
+
+v0.7.2. Implemented "tem_bench" for benchmarking a TEM.
+
+v0.7.1. Implemented Endorsement Certificates, with rudimentary infrastructure for a CA.
+
+v0.7.0. Updated names to reflect thesis (SEClosure, SECpack). Persistent store opcodes and tests reflect fw 1.7.
+
+v0.6.1. Fixed bug in tk_delete_key.
+
+v0.6.0. Implemented stat-ing TEM keys with test coverage. Updated tem_stat and custom exception.
+
+v0.5.2. Implemented custom exception for errors in TEM SEC execution.
+
+v0.5.1. Implemented tem_stat tool.
+
+v0.5.0. Implemented stat-ing TEM buffers with test coverage.
+
+v0.4.1. Removed exception dumping when connecting to a PC/SC terminal fails.
+
+v0.4.0. Support for adaptive buffer chunk sizing.
+
+v0.3.0. Support for fw 1.3 features (signing). Improved TEM emission.
+
+v0.2.1. Line debugging information in SECs.
+
+v0.2.0. Support for all fw 1.2 features. TEM tests have full coverage now.
+
+v0.1.2. Tag support.
+
+v0.1.1. Named parameters for more opcodes.
+
+v0.1. Initial release.

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2007 Massachusetts Institute of Technology
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Manifest

@@ -0,0 +1,45 @@
+bin/tem_stat
+bin/tem_ca
+bin/tem_irb
+bin/tem_bench
+Manifest
+LICENSE
+test/test_driver.rb
+test/test_tem.rb
+test/test_exceptions.rb
+test/_test_cert.rb
+timings/vm_perf.rb
+timings/devchip_decrypt.rb
+timings/simple_apdu.rb
+timings/post_buffer.rb
+timings/blank_bound_secpack.rb
+timings/vm_perf_bound.rb
+timings/timings.rb
+timings/blank_sec.rb
+lib/scard/java_card.rb
+lib/scard/jcop_remote_terminal.rb
+lib/scard/pcsc_terminal.rb
+lib/tem_ruby.rb
+lib/tem/tag.rb
+lib/tem/keys.rb
+lib/tem/sec_opcodes.rb
+lib/tem/_cert.rb
+lib/tem/buffers.rb
+lib/tem/toolkit.rb
+lib/tem/tem.rb
+lib/tem/abi.rb
+lib/tem/crypto_abi.rb
+lib/tem/ca.rb
+lib/tem/secpack.rb
+lib/tem/sec_exec_error.rb
+lib/tem/sec_assembler.rb
+lib/tem/lifecycle.rb
+lib/tem/ecert.rb
+lib/tem/hive.rb
+lib/tem/seclosures.rb
+README
+CHANGELOG
+dev_ca/ca_cert.cer
+dev_ca/ca_cert.pem
+dev_ca/ca_key.pem
+dev_ca/config.yml

data/README

@@ -0,0 +1,6 @@
+This is the ruby driver for the Trusted Execution Module prototype produced at MIT. The best feature of the
+ruby driver is the very powerful DSL (domain-specific language) that TEM procedures are compiled from.
+
+Running coverage tests:
+gem install rcov
+rcov -Ilib test/*.rb

data/bin/tem_bench

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+
+# benchmarks a TEM
+require 'rubygems'
+require 'tem_ruby'
+
+require 'timings/timings.rb'
+
+TemTimings.all_timings

data/bin/tem_ca

@@ -0,0 +1,13 @@
+#!/usr/bin/env ruby
+
+# Manages the TEM Certificates and CA
+
+require 'rubygems'
+require 'tem_ruby'
+
+case ARGV[0]
+  when 'config'
+    Tem::CA.scaffold_config
+  when 'ca'
+    Tem::CA.scaffold_ca
+end

data/bin/tem_irb

@@ -0,0 +1,18 @@
+#!/usr/bin/env ruby
+
+# scaffolds an environment suitable for playing inside an irb session
+require 'rubygems'
+require 'tem_ruby'
+
+require 'irb'
+
+$terminal = Tem::SCard::JCOPRemoteTerminal.new
+unless $terminal.connect
+  $terminal.disconnect
+  $terminal = Tem::SCard::PCSCTerminal.new
+  $terminal.connect
+end
+$javacard = Tem::SCard::JavaCard.new($terminal)
+$tem = Tem::Session.new($javacard)
+
+IRB.start __FILE__

data/bin/tem_stat

@@ -0,0 +1,39 @@
+#!/usr/bin/env ruby
+
+# spews information about the TEM
+require 'rubygems'
+require 'tem_ruby'
+require 'pp'
+
+$terminal = Tem::SCard::JCOPRemoteTerminal.new
+unless $terminal.connect
+  $terminal.disconnect
+  $terminal = Tem::SCard::PCSCTerminal.new
+  $terminal.connect
+end
+$javacard = Tem::SCard::JavaCard.new($terminal)
+$tem = Tem::Session.new($javacard)
+
+print "Connected to TEM using #{$terminal.to_s}\n"
+begin
+	fw_ver = $tem.tk_firmware_ver
+	print "TEM firmware version: #{fw_ver[:major]}.#{fw_ver[:minor]}\n"
+rescue
+	print "Could not read TEM firmware version. Is the TEM emitted?\n"
+end
+
+begin
+	b_stat = $tem.stat_buffers
+	print "TEM memory stat:\n"
+	pp b_stat
+rescue
+	print "Could not retrieve TEM memory stat. Is the TEM activated?\n"
+end
+
+begin
+	k_stat = $tem.stat_keys
+	print "TEM crypto stat:\n"
+	pp k_stat
+rescue
+	print "Could not retrieve TEM crypto stat. Is the TEM activated?\n"
+end

data/dev_ca/ca_cert.pem

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFgDCCBGigAwIBAgIAMA0GCSqGSIb3DQEBBQUAMIHcMTAwLgYDVQQDDCdUcnVz
+dGVkIEV4ZWN1dGlvbiBNb2R1bGUgRGV2ZWxvcG1lbnQgQ0ExFjAUBgNVBAgMDU1h
+c3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTELMAkGA1UEBhMCVVMxLTAr
+BgNVBAoMJE1hc3NhY2h1c2V0dHMgSW5zaXR1dGUgb2YgVGVjaG5vbG9neTFAMD4G
+A1UECww3Q29tcHV0ZXIgU2NpZW5jZSBhbmQgQXJ0aWZpY2lhbCBJbnRlbGxpZ2Vu
+Y2UgTGFib3JhdG9yeTAeFw0wODA2MDkxMTMyMTBaFw0xODA2MDkxMTMyMTBaMIHc
+MTAwLgYDVQQDDCdUcnVzdGVkIEV4ZWN1dGlvbiBNb2R1bGUgRGV2ZWxvcG1lbnQg
+Q0ExFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEL
+MAkGA1UEBhMCVVMxLTArBgNVBAoMJE1hc3NhY2h1c2V0dHMgSW5zaXR1dGUgb2Yg
+VGVjaG5vbG9neTFAMD4GA1UECww3Q29tcHV0ZXIgU2NpZW5jZSBhbmQgQXJ0aWZp
+Y2lhbCBJbnRlbGxpZ2VuY2UgTGFib3JhdG9yeTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBAM7ebvoLQ/FF+woPjmivWcesdR5hZekmaRy9Md55kT3FRfqq
+AYzEjblo77HVullgpplVCVlEgCXUN1vjVc2dknUPs3eeIIQIBWrX3Je8OY19sYh3
+goybyAkpnDNXGZTpx29kHw9zXNPQRFnQCsUTsmkoZOUBmblqn0m8mxzvbA5mKiFk
+cXr3bLUuTreilwEqW24ictGT85gDiadf2Yx2zmGpvvxtB1RCRdOujftCoV4YaWju
+U1v/4bNY4rcQ6T33NIcA1cbF4QSeMvzbS33pnV4/RPbPjLbn0KVN1XcUGj6L7Nve
+QFOsekCLRHRiahGVgIu90lHUS3FrRcY93p7v3m0CAwEAAaOCAUowggFGMA8GA1Ud
+EwEB/wQFMAMBAf8wgfMGA1UdIwSB6zCB6KGB4qSB3zCB3DEwMC4GA1UEAwwnVHJ1
+c3RlZCBFeGVjdXRpb24gTW9kdWxlIERldmVsb3BtZW50IENBMRYwFAYDVQQIDA1N
+YXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxCzAJBgNVBAYTAlVTMS0w
+KwYDVQQKDCRNYXNzYWNodXNldHRzIEluc2l0dXRlIG9mIFRlY2hub2xvZ3kxQDA+
+BgNVBAsMN0NvbXB1dGVyIFNjaWVuY2UgYW5kIEFydGlmaWNpYWwgSW50ZWxsaWdl
+bmNlIExhYm9yYXRvcnmCAQAwCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQEAwIB
+BjAdBgNVHQ4EFgQU9eaMHf5cp5ZV1AiqEpZChwV1vC8wDQYJKoZIhvcNAQEFBQAD
+ggEBAIsZ3SVu08m2zWYZSlyf3ylczSLjCUGYlRg30JzCejIxZkYE+zzgwpPLIngQ
+yXcSqXSlO0t14GbidVhOnSq6WoMqftxC6chT82GGOpl0oWGeFZnX7fSQQfI6Rwqk
+VVxaLv23xD3GU5dpsGy81blrl4n0ocMcAeEynAOBAj/c+sw+lowIZtpZ32MgJRVc
+iBmbAOV8RXj8hymylz+UlScrmjwl0k5hHQ+beDyLNkUDrKG13rs6iSl+AEXrzzbM
+wpSr/41JWjwkIuM5D7MVVk06UtFWzTEm766DbP4plopkaYzzzmjCRelMoGIoI1yD
+tAtZLRzXomQ2xLX70O+bKuyP694=
+-----END CERTIFICATE-----

data/dev_ca/ca_key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAzt5u+gtD8UX7Cg+OaK9Zx6x1HmFl6SZpHL0x3nmRPcVF+qoB
+jMSNuWjvsdW6WWCmmVUJWUSAJdQ3W+NVzZ2SdQ+zd54ghAgFatfcl7w5jX2xiHeC
+jJvICSmcM1cZlOnHb2QfD3Nc09BEWdAKxROyaShk5QGZuWqfSbybHO9sDmYqIWRx
+evdstS5Ot6KXASpbbiJy0ZPzmAOJp1/ZjHbOYam+/G0HVEJF066N+0KhXhhpaO5T
+W//hs1jitxDpPfc0hwDVxsXhBJ4y/NtLfemdXj9E9s+MtufQpU3VdxQaPovs295A
+U6x6QItEdGJqEZWAi73SUdRLcWtFxj3enu/ebQIDAQABAoIBAEiUvnc4kKQMm6HS
+B3MvYt6t4YHBRpJhCawtrVuTZ6Q2nPDvyQ9svxT4fnD0vicxxAI0Vc1ePWAIb0vs
+HWTBDmvIEH29m0b30X7FMf6C6eZ83Vc2JzXSSoL8eHOC8dTPmUu54zP2k/E1N2YT
+mlO/L2+53nyC7T6i7DRg2kNytYTvLf5+gKI0Pca47xfE2oA6R7mbM7ew/1GBSwup
+9SrszudcSf31quuDTOG2lGtUkzosi9p7LZ3SagqHR9YGRXeQ3xjNo/MgkAprffjC
+xlrCdpvTnZS/ACu0TXGuDvEn8JtcPWg8ZeHx4UKW+Ll3eEoILaSxvFzgY8jR8RWy
+xk0HVTkCgYEA61TbQcD6pqd+8m1WGEo2BagBsNavbU8v5Xoaj5Cebe968FybBiKU
+T9thbbvxCy8PC/hEOn0S/tFzNdgZp17/HGNqRtLMkiogj4h+n8ikCbcMKBGIVqrw
+tT3kgPe/66RLVnNx/QuY53AgSIMhEZtmuomuO0rVdJNA2z3ami/GuJsCgYEA4Qmh
+T5rCgID/CGGt7lNTGkGhgt3IPBBlakXXhvwRcrmfkqKVztu0l4aRrwAA4tE6xkKa
+/89FgliKpSFAp2ipmMysTfhmM4so6M/7JwxkZqBtl33umg+RM7J0qCl7IQzIXHb3
+GB/6EJIzxTpxk/EF1CM+wuLIDlIWzN3N5wcXIZcCgYAU/QN1ENYKCQQ8cN3t2qiI
+xpwn/m207QwThllaFobavTIUv92fpXPez20YEVwFKFRKOAE1yjPogBurYLOhBsrv
+6DnxSRmvq4wt4PmSHJ3ss+OkqzOiryo6r+NyUSZPyN5jPnabH+6qLYjjjrZjUJ3P
+4zmj1h/FfuCY7SJTABHUIwKBgQDAwqf7cRwUSOqr+kerMpKnlfpMB7+Bu6WzL1ob
+lQU5GUlXqI7cHxQFC0708PLRVtmag+kTIC9xJHi2U9J2088aRI9/Rjv9AMGtEqIW
+Y6YIxni5YDSmoJkHCGCmvslqmPFzSrADaTihQyq3UYWCbN1KRlp3QxyML8K5/3Bk
+6YzlxwKBgQDhoquhyRjUzxsuKjKdLZa8RLwK720/kLOWgA1MfNEodIrcPZphNDpO
+ln/KeMQ/If6zZ9KH/hd/KYet366X0gO6+e+Pon8YIYpwZrrLhZ8qKQHmLZDz4bY1
+X+ghsQnpj5X0klQbpVtsKSKU6LL6eYR3yBEVwGvh94Rt02g++6K2+Q==
+-----END RSA PRIVATE KEY-----

data/dev_ca/config.yml

@@ -0,0 +1,12 @@
+--- 
+:ca_validity_days: 3652
+:issuer: 
+  CN: Trusted Execution Module Development CA
+  L: Cambridge
+  ST: Massachusetts
+  C: US
+  O: Massachusetts Insitute of Technology
+  OU: Computer Science and Artificial Intelligence Laboratory
+:ecert_validity_days: 730
+:subject: 
+  CN: Trusted Execution Module DevChip

data/lib/scard/java_card.rb

@@ -0,0 +1,31 @@
+class Tem::SCard::JavaCard
+  attr_accessor :terminal
+  
+  def initialize(_terminal = nil)
+    @terminal = _terminal
+  end
+
+  def select_applet(aid)
+    result = @terminal.issue_apdu [0x00, 0xA4, 0x04, 0x00, aid.length, aid].flatten
+    (result == [0x90, 0x00])
+  end
+  
+  def issue_apdu(apdu)
+    @terminal.issue_apdu apdu
+  end
+  
+  # returns the failure code of an operation (success would be 0x9000)
+  # returns nil for success
+  def failure_code(reply_apdu)
+    status = reply_apdu[-2] * 256 + reply_apdu.length[-1]
+    return (status == 0x9000) ? nil : status     
+  end
+  
+  def reply_data(reply_apdu)
+    return reply_apdu[0...-2]
+  end
+  
+  def install_applet(cap_contents)
+    raise "Not implemeted; it'd be nice though, right?"
+  end
+end

data/lib/scard/jcop_remote_terminal.rb

@@ -0,0 +1,52 @@
+require 'socket'
+class Tem::SCard::JCOPRemoteTerminal    
+  def initialize(remote_host = 'localhost', remote_port = 8050)
+    @remote_host = remote_host
+    @remote_port = remote_port
+    @sockaddr = Socket.pack_sockaddr_in(@remote_port, @remote_host)
+    @socket = nil
+  end
+  
+  def send_message(payload, message_type = 1, node_address = 0)
+    @socket.send [message_type, node_address, payload.length / 256, payload.length % 256, payload].flatten.pack('C*'), 0
+  end
+  
+  def receive_message
+    header = @socket.recv(4)
+    message_type, node_address, payload_length = *header.unpack('CCn')
+    return @socket.recv(payload_length).unpack('C*')
+  end
+  
+  def connect
+    begin
+      # connect to the terminal
+      @socket = Socket.new(Socket::AF_INET, Socket::SOCK_STREAM, 0)
+      @socket.connect(@sockaddr)
+      
+      # wait for the card to be inserted
+      send_message [0, 1, 0, 0], 0
+      receive_message # ATR should come here, but who cares
+    rescue
+      @socket = nil
+      return false
+    end
+    return true
+  end
+  
+  def to_s
+    "#<JCOP Remote Terminal: disconnected>" if @socket.nil?
+    "#<JCOP Remote Terminal: #{@remote_host}:#{@remote_port}>"    
+  end
+  
+  def disconnect
+    unless @socket.nil?
+      @socket.close
+      @socket = nil
+    end
+  end
+  
+  def issue_apdu(apdu)
+    send_message apdu
+    return receive_message
+  end
+end

data/lib/scard/pcsc_terminal.rb

@@ -0,0 +1,83 @@
+require 'pp'
+
+class Tem::SCard::PCSCTerminal
+  include Smartcard
+  
+  @@xmit_iorequest = {
+    Smartcard::PCSC::PROTOCOL_T0 => Smartcard::PCSC::IOREQUEST_T0,
+    Smartcard::PCSC::PROTOCOL_T1 => Smartcard::PCSC::IOREQUEST_T1,
+  }
+  
+  def initialize
+    @context = nil
+    @readers = nil
+    @card = nil
+  end
+  
+  def connect
+    begin
+      @context = PCSC::Context.new(PCSC::SCOPE_SYSTEM) if @context.nil?
+      
+      # get the first reader
+      @readers = @context.list_readers nil
+      @reader_name = @readers.first
+      
+      # get the reader's status
+      reader_states = PCSC::ReaderStates.new(1)
+      reader_states.set_reader_name_of!(0, @reader_name)
+      reader_states.set_current_state_of!(0, PCSC::STATE_UNKNOWN)
+      @context.get_status_change reader_states, 100
+      reader_states.acknowledge_events!
+      
+      # prompt for card insertion unless that already happened
+      if (reader_states.current_state_of(0) & PCSC::STATE_PRESENT) == 0
+        puts "Please insert TEM card in reader #{@reader_name}\n"
+        while (reader_states.current_state_of(0) & PCSC::STATE_PRESENT) == 0 do
+          @context.get_status_change reader_states, PCSC::INFINITE_TIMEOUT
+          reader_states.acknowledge_events!
+        end
+        puts "Card detected\n"
+      end
+      
+      # connect to card
+      @card = PCSC::Card.new(@context, @reader_name, PCSC::SHARE_EXCLUSIVE, PCSC::PROTOCOL_ANY)
+      
+      # build the transmit / receive IoRequests
+      status = @card.status
+      @xmit_ioreq = @@xmit_iorequest[status[:protocol]]
+      if RUBY_PLATFORM =~ /win/ and (not RUBY_PLATFORM =~ /darwin/)
+        @recv_ioreq = nil
+      else
+        @recv_ioreq = PCSC::IoRequest.new
+      end
+    rescue
+      return false
+    end
+  end
+  
+  def to_s
+    "#<PC/SC Terminal: disconnected>" if @card.nil?
+    "#<PC/SC Terminal: #{@reader_name}>"
+  end
+  
+  def disconnect
+    unless @card.nil?
+      @card.disconnect PCSC::DISPOSITION_LEAVE unless @card.nil?
+      @card = nil
+    end
+    unless @context.nil?
+      @context.release
+      @context = nil
+    end
+  end
+  
+  def issue_apdu(apdu)
+    xmit_apdu_string = apdu.map { |byte| byte.chr }.join('')
+    result_string = @card.transmit xmit_apdu_string, @xmit_ioreq, @recv_ioreq
+    return (0...(result_string.length)).map { |i| result_string[i].to_i }
+  end  
+end
+
+# for compatibility with old source code
+class Tem::SCard::Terminal < Tem::SCard::PCSCTerminal
+end

data/lib/tem/_cert.rb

@@ -0,0 +1,158 @@
+# Victor Costan:
+#    dropped because it wasn't hooked up to the rest of the code
+#    preserved to move all the features into the new ca.rb / ecert.rb 
+
+#@author: Jorge de la Garza (MIT '08), mongoose08@alum.mit.edu
+#The Cert module contains methods for digesting a X.509 certificate into a tag
+#for the TEM and to methods to reconstruct the certificate from the tag.  Methods
+#to create some sample certificates are also included for convenience.
+
+module Tem::Cert
+  #@param key An OpenSSL::PKey instance that will be this cert's key and will be used to sign this cert
+  #@returns a self-signed X.509 certificate that is supposed to be the TEM manufacturer's
+  def self.create_issuer_cert(key)
+    issuer_cert = OpenSSL::X509::Certificate.new
+    issuer_cert.public_key = key.public_key
+    issuer_dist_name = OpenSSL::X509::Name.new [['CN', 'TEM Manufacturer'], ['L', 'Cambridge'], ['ST', 'Massachusetts'],\
+                         ['O', 'Trusted Execution Modules, Inc.'], ['OU', 'Certificates Division'], ['C', 'US']]
+    issuer_cert.issuer = issuer_dist_name
+    issuer_cert.subject = issuer_dist_name
+    issuer_cert.not_before = Time.now
+    issuer_cert.not_after = Time.now + (60 * 60 * 24 * 365.25) * 10
+    issuer_cert.sign key, OpenSSL::Digest::SHA1.new
+    return issuer_cert
+  end
+  
+  
+  #@param subject_key An OpenSSL::PKey instance that will be this cert's key
+  #@param issuer_key An OpenSSL::Pkey instance that will be used to sign this cert (i.e. the issuer's/manufacturer's key)
+  #@param issuer_cert The OpenSSL::X509::Certificate instance of the authority that issued this cert
+  #@returns An OpenSSL::X509::Certificate instance issued by issuer_cert and signed by issuer_key
+  def self.create_subject_cert(subject_key, issuer_key, issuer_cert)
+    subject_cert = OpenSSL::X509::Certificate.new
+    subject_cert.public_key = subject_key.public_key
+    subject_cert.serial = Time.now.to_i   #no significance to this #, just a value for demonstration of purpose
+    subject_dist_name = OpenSSL::X509::Name.new [['CN', 'TEM Device'], ['L', 'Cambridge'], ['ST', 'Massachusetts'],\
+                         ['O', 'Trusted Execution Modules, Inc.'], ['OU', 'Certificates Division'], ['C', 'US']]
+    subject_cert.issuer = issuer_cert.subject
+    subject_cert.subject = subject_dist_name
+    subject_cert.not_before = Time.now
+    subject_cert.not_after = Time.now + (60 * 60 * 24 * 365.25) * 10
+    subject_cert.sign issuer_key, OpenSSL::Digest::SHA1.new
+    return subject_cert
+  end
+  
+  
+  #@param cert An OpenSSL::X509::Certificate instance
+  #@returns The tag to write to the TEM as a byte array
+  #The tag is 527 bytes long.  What the bytes encode is as follows:
+  #    -Serial number   tag[0..3]
+  #    -Not before date tag[4..7]
+  #    -Not after date  tag[8..11]
+  #    -Modulus         tag[12..267]
+  #    -Public key exp  tag[268..270]
+  #    -Signature       tag[271..526]
+  def self.create_tag_from_cert(cert)
+    tag_serial_num = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.serial.to_s))
+    while tag_serial_num.length < 4
+      tag_serial_num = [0] + tag_serial_num  #make sure array is 4 bytes
+    end
+    #The dates are encoded as the number of seconds since epoch (Jan 1, 1970 00:00:00 GMT)
+    #TODO: check that dates are exactly 4 bytes, else throw an exception
+    tag_not_before = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.not_before.to_i.to_s))
+    tag_not_after = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.not_after.to_i.to_s))
+    tag_modulus = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.public_key.n.to_s))
+    #TODO: ensure that exponent is exactly three bytes, or come up with a safer way to encode it
+    tag_public_exp = Tem::CryptoAbi.to_tem_bignum(OpenSSL::BN.new(cert.public_key.e.to_s))
+    tag = [tag_serial_num, tag_not_before, tag_not_after, tag_modulus, tag_public_exp].flatten
+    return tag
+  end
+  
+  #@param tag The tag read from the TEM
+  #@param issuer_cert The OpenSSL::X509::Certificate of the entity that issued the TEM's certificate
+  #@returns The unsigned OpenSSL::X509::Certificate from which the tag was created.
+  def self.create_cert_from_tag(tag, issuer_cert)
+    cert = OpenSSL::X509::Certificate.new
+    cert.public_key = Cert.extract_key(tag)
+    cert.serial = Cert.extract_serial_num(tag)
+    cert_name = OpenSSL::X509::Name.new [['CN', 'TEM Device'], ['L', 'Cambridge'], ['ST', 'Massachusetts'],\
+                         ['O', 'Trusted Execution Modules, Inc.'], ['OU', 'Certificates Division'], ['C', 'US']]
+    cert.issuer = issuer_cert.subject
+    cert.subject = cert_name
+    cert.not_before = Cert.extract_not_before(tag)
+    cert.not_after = Cert.extract_not_after(tag)
+    return cert
+  end
+  
+  
+  #returns a number
+  def self.extract_serial_num(tag)
+    serial_num_array = tag[0..3]
+    serial_num = 0
+    for i in (0..serial_num_array.length-1)
+      serial_num = serial_num << 8
+      serial_num += serial_num_array[i]
+    end
+    return serial_num
+  end
+  
+  #returns a Time
+  def self.extract_not_before(tag)
+    time_array = tag[4..7]
+    offset_in_sec = 0
+    for i in (0..time_array.length-1)
+      offset_in_sec = offset_in_sec << 8
+      offset_in_sec += time_array[i]
+    end
+    return Time.at(offset_in_sec)
+  end
+  
+  #returns a time
+  def self.extract_not_after(tag)
+    time_array = tag[8..11]
+    offset_in_sec = 0
+    for i in (0..time_array.length-1)
+      offset_in_sec = offset_in_sec << 8
+      offset_in_sec += time_array[i]
+    end
+    return Time.at(offset_in_sec)
+  end
+  
+  #returns a OpenSSL::PKey::RSA public key
+  def self.extract_key(tag)
+    mod_array = tag[12..267]
+    mod = 0
+    for i in (0..mod_array.length-1)
+      mod = mod << 8
+      mod += mod_array[i]
+    end
+    exp_array = tag[268..271]
+    exp = 0
+    for i in (0..exp_array.length-1)
+      exp = exp << 8
+      exp += exp_array[i]
+    end
+    key = OpenSSL::PKey::RSA.new
+    key.n = mod
+    key.e = exp
+    return key.public_key
+  end
+  
+  
+  #@param cert A signed OpenSSL::X509::Certificate instance
+  #cert must be signed with sha1WithRSAEncryption algorithm
+  #TODO: how to make this method compatible with any algorithm
+  #@returns a byte array corresponding to the signature
+  def self.extract_sig_from_cert(cert)
+    str = 'Signature Algorithm: sha1WithRSAEncryption'
+    text_sig = cert.to_text
+    first_index = text_sig.index(str)
+    text_sig = text_sig[first_index+1..-1]
+    second_index = text_sig.index(str)
+    sig_start_index = second_index+str.length + 1 #the 1 is for the newline character
+    text_sig = text_sig[sig_start_index..-1]
+    sig_array = []
+    text_sig.each(':') {|byte| sig_array.push(byte.delete(':').hex)}
+    return sig_array
+  end  
+end

data/lib/tem/abi.rb

@@ -0,0 +1,55 @@
+module Tem::Abi
+  def self.included(klass)
+    klass.extend MixedMethods
+    
+    klass.tem_value_type :byte, 1, :signed => true, :endian => :big
+    klass.tem_value_type :ubyte, 1, :signed => false, :endian => :big
+    klass.tem_value_type :short, 2, :signed => true, :endian => :big
+    klass.tem_value_type :ushort, 2, :signed => false, :endian => :big    
+    klass.tem_value_type :ps_key, 20, :signed => false, :endian => :big
+    klass.tem_value_type :ps_value, 20, :signed => false, :endian => :big
+  end
+  
+  module MixedMethods
+    def tem_value_type(name, bytes, options = {:signed => true, :endian => :big})
+      range = 1 << (8 * bytes)
+      if options[:signed]
+        min, max = -(range >> 1), (range >> 1) - 1
+      else
+        min, max = 0, range - 1
+      end
+      
+      badass_defines = Proc.new do 
+        define_method("read_tem_#{name}".to_sym) do |array, offset|
+          array = array.reverse unless options[:endian] == :big
+          n = (0...bytes).inject(0) { |v, i| (v << 8) | array[offset + i] }
+          rv = (options[:signed] and n > max) ? n - range : n
+          # pp [:read, name, array, offset, rv]
+          return rv
+        end
+        define_method("to_tem_#{name}".to_sym) do |n|
+          n = n.to_i
+          raise "Value #{n} not between #{min} and #{max}" unless (n <= max) and (n >= min)
+          n += range if(options[:signed] and n < 0)      
+          array = []
+          bytes.times { array.push(n & 0xFF); n >>= 8 }
+          array.reverse! if options[:endian] == :big
+          # pp [:to, name, n, array]
+          return array
+        end
+        define_method("to_tem_#{name}_reladdr".to_sym) do |n|
+          n = n.to_i
+          n += range if (n < 0 and (not options[:signed]))
+          array = []
+          bytes.times { array.push(n & 0xFF); n >>= 8 }
+          array.reverse! if options[:endian] == :big
+          return array
+        end
+        define_method("tem_#{name}_length".to_sym) { bytes }
+      end
+      
+      self.class_eval(&badass_defines)      
+      (class << self; self; end).module_eval(&badass_defines)
+    end
+  end
+end