tem_ruby 0.9.0

data/lib/tem/buffers.rb

@@ -0,0 +1,98 @@
+module Tem::Buffers
+  def alloc_buffer(length)
+    apdu = [0x00, 0x20, to_tem_short(length), 0x00].flatten
+    response = issue_apdu apdu
+    tem_error(response) if failure_code(response)
+    return read_tem_byte(response, 0)
+  end
+  
+  def release_buffer(buffer_id)
+    apdu = [0x00, 0x21, to_tem_byte(buffer_id), 0x00, 0x00].flatten
+    response = issue_apdu apdu
+    tem_error(response) if failure_code(response)
+    return true
+  end
+
+  def flush_buffers
+    apdu = [0x00, 0x26, 0x00, 0x00, 0x00].flatten
+    response = issue_apdu apdu
+    tem_error(response) if failure_code(response)
+    return true
+  end
+  
+  def get_buffer_length(buffer_id)
+    apdu = [0x00, 0x22, to_tem_byte(buffer_id), 0x00, 0x00].flatten
+    response = issue_apdu apdu
+    tem_error(response) if failure_code(response)
+    return read_tem_short(response, 0)
+  end
+  
+  def read_buffer(buffer_id)
+    @buffer_chunk_size = guess_buffer_chunk_size unless defined? @buffer_chunk_size
+    
+    buffer = []
+    chunk_id = 0
+    while true do
+      apdu = [0x00, 0x23, to_tem_byte(buffer_id), to_tem_byte(chunk_id), 0x00].flatten
+      response = issue_apdu apdu
+      tem_error(response) if failure_code(response)
+      buffer += response[0...(response.length - 2)]
+      break if response.length != @buffer_chunk_size + 2
+      chunk_id += 1
+    end
+    return buffer
+  end
+  
+  def write_buffer(buffer_id, data)
+    @buffer_chunk_size = guess_buffer_chunk_size unless defined? @buffer_chunk_size
+    
+    chunk_id, offset = 0, 0
+    while offset < data.length do
+      write_size = (data.length - offset < @buffer_chunk_size) ?
+          data.length - offset : @buffer_chunk_size
+      apdu = [0x00, 0x24, to_tem_byte(buffer_id), to_tem_byte(chunk_id), to_tem_ubyte(write_size),
+              data.values_at(offset...(offset+write_size))].flatten
+      response = issue_apdu apdu
+      tem_error(response) if failure_code(response)
+
+      chunk_id += 1
+      offset += write_size
+    end
+  end
+  
+  def guess_buffer_chunk_size
+    apdu = [0x00, 0x25, 0x00, 0x00, 0x00].flatten
+    response = issue_apdu apdu
+    tem_error(response) if failure_code(response)
+    return read_tem_short(response, 0)
+  end
+  
+  def stat_buffers
+    apdu = [0x00, 0x27, 0x00, 0x00, 0x00].flatten
+    response = issue_apdu apdu
+    tem_error(response) if failure_code(response)
+    response = reply_data(response)
+    memory_types = [:persistent, :clear_on_reset, :clear_on_deselect]
+    stat = {:free => {}, :buffers => []}
+    memory_types.each_with_index { |mt, i| stat[:free][mt] = read_tem_short(response, i * 2) }
+    offset = 6
+    i = 0
+    while offset < response.length do
+      stat[:buffers][i] =
+        {:type => memory_types[read_tem_ubyte(response, offset) & 0x3f],
+        :pinned => (read_tem_ubyte(response, offset) & 0x80) != 0,
+        :free => (read_tem_ubyte(response, offset) & 0x40) == 0,
+        :length => read_tem_ushort(response, offset + 1), 
+        :xlength => read_tem_ushort(response, offset + 3)}
+      offset += 5
+      i += 1
+    end
+    return stat
+  end
+  
+  def post_buffer(data)
+    buffer_id = alloc_buffer(data.length)
+    write_buffer buffer_id, data
+    return buffer_id
+  end
+end

data/lib/tem/ca.rb

@@ -0,0 +1,114 @@
+require 'openssl'
+require 'yaml'
+
+# Certificate Authority (CA) functionality for TEM manufacturers
+module Tem::CA
+  # creates an Endorsement Certificate for a TEM's Public Endorsement Key
+  def new_ecert(pubek)
+    ca_cert = Tem::CA.ca_cert
+    ca_key = Tem::CA.ca_key
+    conf = Tem::CA.config
+    
+    dn = OpenSSL::X509::Name.new conf[:issuer].merge(conf[:subject]).to_a
+    now = Time.now
+    ecert = OpenSSL::X509::Certificate.new
+    ecert.issuer = ca_cert.subject
+    ecert.subject = dn
+    ecert.not_before = now;
+    ecert.not_after = now + conf[:ecert_validity_days] * 60 * 60 * 24;
+    ecert.public_key = pubek
+    ecert.version = 2
+    cf = OpenSSL::X509::ExtensionFactory.new
+    cf.subject_certificate = ecert 
+    cf.issuer_certificate = ca_cert
+    ecert.add_extension cf.create_extension("basicConstraints", "CA:true", true)
+    ecert.add_extension cf.create_extension("authorityKeyIdentifier", "keyid,issuer")    
+    ecert.add_extension cf.create_extension("keyUsage", "digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign")
+    ecert.add_extension cf.create_extension("extendedKeyUsage", "serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,msCodeInd,msCodeCom,msCTLSign,msSGC,msEFS,nsSGC")
+    ecert.add_extension cf.create_extension("nsCertType", "client,server,email,objsign,sslCA,emailCA,objCA")
+    ecert.add_extension cf.create_extension("subjectKeyIdentifier", "hash")
+    ecert.sign ca_key, OpenSSL::Digest::SHA1.new
+    
+    return ecert
+  end
+  
+  @@dev_dir = File.join(File.dirname(__FILE__), "..", "..", "dev_ca")
+
+  # retrieves the TEM CA configuration 
+  def self.config
+    cpath = Tem::Hive.path_to 'ca/config.yml'
+    cpath = File.join(@@dev_dir, 'config.yml') unless File.exists? cpath
+
+    # try to open it in the base folder
+    scaffold_config unless File.exists? cpath
+    return File.open(cpath, 'r') { |f| YAML.load f } 
+  end
+  
+  # retrieves the TEM CA certificate
+  def self.ca_cert
+    cpath = Tem::Hive.path_to 'ca/ca_cert.pem'
+    cpath = File.join(@@dev_dir, 'ca_cert.pem') unless File.exists? cpath
+    return OpenSSL::X509::Certificate.new(File.open(cpath, 'r') { |f| f.read })
+  end
+  
+  # retrieves the TEM CA key pair (needed for signing)
+  def self.ca_key
+    cpath = Tem::Hive.path_to 'ca/ca_key.pem'
+    cpath = File.join(@@dev_dir, 'ca_key.pem') unless File.exists? cpath
+    return OpenSSL::PKey::RSA.new(File.open(cpath, 'r') { |f| f.read })
+  end
+
+  # scaffolds the structures needed for a TEM CA
+  def self.scaffold_ca
+    conf = config
+    
+    # generate and write key
+    ca_key = Tem::CryptoAbi.generate_ssl_kp
+    key_path = Tem::Hive.create 'ca/ca_key.pem'
+    File.open(key_path, 'w') { |f| f.write ca_key.to_pem }
+    
+    # create the CA certificate
+    dn = OpenSSL::X509::Name.new conf[:issuer].to_a
+    now = Time.now
+    cert = OpenSSL::X509::Certificate.new
+    cert.subject = cert.issuer = dn
+    cert.not_before = now;
+    cert.not_after = now + conf[:ca_validity_days] * 60 * 60 * 24;
+    cert.public_key = ca_key.public_key
+    cert.version = 2
+    cf = OpenSSL::X509::ExtensionFactory.new
+    cf.subject_certificate = cf.issuer_certificate = cert
+    cert.add_extension cf.create_extension("basicConstraints", "CA:true", true)
+    cert.add_extension cf.create_extension("authorityKeyIdentifier", "keyid,issuer")    
+    cert.add_extension cf.create_extension("keyUsage", "cRLSign,keyCertSign")
+    cert.add_extension cf.create_extension("nsCertType", "emailCA,sslCA")
+    cert.add_extension cf.create_extension("subjectKeyIdentifier", "hash")
+    cert.sign ca_key, OpenSSL::Digest::SHA1.new    
+    
+    # write the CA certificate
+    cert_path = Tem::Hive.create 'ca/ca_cert.pem'
+    File.open(cert_path, 'w') { |f| f.write cert.to_pem }
+    cert_path = Tem::Hive.create 'ca/ca_cert.cer'
+    File.open(cert_path, 'wb') { |f| f.write cert.to_der }
+  end
+  
+  # scaffolds a TEM CA configuration
+  def self.scaffold_config
+    def_config = {
+      :issuer => {
+        'C' => 'US', 'ST' => 'Massachusetts', 'L' => 'Cambridge',
+        'O' => 'Massachusetts Insitute of Technology',
+        'OU' => 'Computer Science and Artificial Intelligence Laboratory',
+        'CN' => 'Trusted Execution Module Development CA'
+      },
+      :subject => {
+        'CN' => 'Trusted Execution Module DevChip'
+      },
+      :ca_validity_days => 3652,
+      :ecert_validity_days => 365 * 2,
+    } 
+    
+    cpath = Tem::Hive.create 'ca/config.yml'
+    File.open(cpath, 'w') { |f| YAML.dump def_config, f }
+  end
+end

data/lib/tem/crypto_abi.rb

@@ -0,0 +1,216 @@
+require 'openssl'
+require 'digest'
+require 'yaml'
+
+module Tem::CryptoAbi
+  include Tem::Abi
+  
+  # contains the methods  
+  module MixedMethods
+    def read_tem_bignum(buffer, offset, length)
+      return buffer[offset...(offset+length)].inject(0) { |num, digit| num = (num << 8) | digit }
+    end
+    
+    def to_tem_bignum(n)
+      if n.kind_of? OpenSSL::BN
+        len = n.num_bytes
+        bytes = (0...len).map do |i|
+          bit_i = (len - i) * 8
+          v = 0
+          1.upto(8) do
+            bit_i -= 1
+            v = (v << 1) | (n.bit_set?(bit_i) ? 1 : 0)
+          end
+          v
+        end
+        return bytes
+      else
+        q = 0
+        until n == 0 do
+          q << (n & 0xFF)
+          n >>= 8
+        end
+        return q.reverse
+      end
+    end
+    
+    def load_tem_key_material(key, syms, buffer, offset)
+      lengths = (0...syms.length).map { |i| read_tem_short(buffer, offset + i * 2)}
+      offsets = [offset + syms.length * 2]
+      1.upto(syms.length - 1) { |i| offsets[i] = offsets[i - 1] + lengths[i - 1] }
+      0.upto(syms.length - 1) do |i|
+        key.send((syms[i].to_s + '=').to_sym, read_tem_bignum(buffer, offsets[i], lengths[i]))
+      end    
+    end
+        
+    def read_tem_key(buffer, offset)
+      key_type = read_tem_ubyte buffer, offset
+      if key_type == 0xAA || key_type == 0x55
+        key = OpenSSL::PKey::RSA.new
+        syms = (key_type == 0xAA) ? [:e, :n] : [:p, :q, :dmp1, :dmq1, :iqmp]
+        load_tem_key_material key, syms, buffer, offset + 1
+        if key_type == 0x55
+          # a bit of math to rebuild the public key
+          key.n = key.p * key.q
+          p1, q1 = key.p - 1, key.q - 1          
+          p1q1 = p1 * q1          
+          # HACK: I haven't figured out how to restore d from dmp1 and dmq1, so
+          # I'm betting on the fact that e must be a small prime
+          emp1 = key.dmp1.mod_inverse(p1)
+          emq1 = key.dmq1.mod_inverse(q1)
+          key.e = (emp1 < emq1) ? emp1 : emq1
+          key.d = key.e.mod_inverse(p1q1)
+        end
+        return new_key_from_ssl(key, (key_type == 0xAA)) 
+      else
+        raise "Invalid key type #{'%02x' % key_type}"
+      end
+    end
+    
+    def to_tem_key(ssl_key, type)
+      if [:private, :public].include? type
+        # asymmetric key
+        syms = (type == :public) ? [:e, :n] : [:p, :q, :dmp1, :dmq1, :iqmp]
+        numbers = syms.map { |s| to_tem_bignum ssl_key.send(s) }
+        return [(type == :public) ? 0xAA : 0x55, numbers.map { |n| to_tem_ushort(n.length) }, numbers].flatten
+      else
+        # symmetric key
+      end
+    end
+    
+    def new_key_from_ssl(ssl_key, is_public)
+      AsymmetricKey.new(ssl_key, is_public, :pkcs1)
+    end
+    
+    def hash_for_tem(data)
+      if data.kind_of? String
+        data_string = data
+      else
+        data_string = data.pack('C*')
+      end
+      digest_string = Digest::SHA1.digest(data_string)
+      return digest_string.unpack('C*')
+    end
+  end
+  
+  self.extend MixedMethods
+  include MixedMethods
+  def self.included(klass)
+    klass.extend MixedMethods
+  end
+  
+  def hash_for_tem(data)
+    Tem::CryptoAbi.hash_for_tem data
+  end
+
+  def self.load_ssl(ssl_key)
+    return {:pubkey => AsymmetricKey.new(ssl_key, true, :pkcs1), :privkey => AsymmetricKey.new(ssl_key, false, :pkcs1) }      
+  end
+  
+  def self.generate_ssl_kp
+    return Tem::CryptoAbi::AsymmetricKey.generate_ssl_kp
+  end
+  
+  class AsymmetricKey
+    attr_reader :ssl_key
+    
+    def self.new_from_array(array)
+      AsymmetricKey.new(OpenSSL::PKey::RSA.new(array[0]), *array[1..-1])      
+    end
+    
+    def self.new_from_yaml_str(yaml_str)
+      array = YAML.load yaml_str
+      new_from_array array
+    end
+  
+    def to_array
+      [@ssl_key.to_pem, @is_public, @padding_type]
+    end
+    
+    def to_yaml_str
+      self.to_array.to_yaml.to_s
+    end       
+    
+    def self.generate_ssl_kp
+      return OpenSSL::PKey::RSA.generate(2048, 65537)
+    end
+    def initialize(ssl_key, is_public, padding_type)
+      @ssl_key = ssl_key
+      @is_public = is_public ? true : false
+      @padding_type = padding_type
+      
+      case padding_type
+      when :oaep
+        @padding_id = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING 
+        @padding_bytes = 42
+      when :pkcs1
+        @padding_id = OpenSSL::PKey::RSA::PKCS1_PADDING
+        @padding_bytes = 11
+      else
+        raise "Unknown padding type #{padding_type}\n"
+      end
+      
+      @size = 0
+      n = is_public ? @ssl_key.n : (@ssl_key.p * @ssl_key.q)
+      while n != 0 do
+        @size += 1
+        n >>= 8
+      end
+    end
+    
+    def to_tem_key
+      Tem::CryptoAbi.to_tem_key @ssl_key, (@is_public ? :public : :private)
+    end
+    
+    def chug_data(data, in_size, &chug_block)
+      output = data.class.new
+      i = 0
+      while i < data.length do
+        block_size = (data.length - i < in_size) ? data.length - i : in_size
+        if data.kind_of? String
+          block = data[i...(i+block_size)]
+        else 
+          block = data[i...(i+block_size)].pack('C*')
+        end
+        o_block = yield block
+        if data.kind_of? String
+          output += o_block
+        else
+          output += o_block.unpack('C*')
+        end
+        i += block_size
+      end
+      return output
+    end
+    
+    def encrypt_decrypt(data, in_size,  op)
+      chug_data(data, in_size) { |block| @ssl_key.send op, block, @padding_id }    
+    end
+      
+    def encrypt(data)
+      encrypt_decrypt(data, @size - @padding_bytes, @is_public ? :public_encrypt : :private_encrypt)      
+    end
+    
+    def decrypt(data)
+      encrypt_decrypt(data, @size, @is_public ? :public_decrypt : :private_decrypt)      
+    end
+    
+    def sign(data)
+      in_data = if data.kind_of? String then data else data.pack('C*') end
+      # PKCS1-padding is forced in by openssl... sigh!
+      out_data = @ssl_key.sign OpenSSL::Digest::SHA1.new, in_data
+      if data.kind_of? String then out_data else out_data.unpack('C*') end
+    end
+    
+    def verify(data, signature)
+      in_data = if data.kind_of? String then data else data.pack('C*') end
+      in_signature = if signature.kind_of? String then signature else signature.pack('C*') end
+      # PKCS1-padding is forced in by openssl... sigh!
+      @ssl_key.verify OpenSSL::Digest::SHA1.new, in_signature, in_data
+    end
+    
+    def is_public?
+      @is_public
+    end
+  end  
+end

data/lib/tem/ecert.rb

@@ -0,0 +1,78 @@
+require 'openssl'
+
+module Tem::ECert
+  # writes an Endorsement Certificate to the TEM's tag
+  def set_ecert(ecert)
+    set_tag ecert.to_der.unpack('C*')
+  end
+  
+  # retrieves the TEM's Endorsement Certificate
+  def endorsement_cert
+    OpenSSL::X509::Certificate.new get_tag[2..-1].pack('C*')
+  end
+  
+  # retrieves the certificate of the TEM's Manfacturer (CA)
+  def manufacturer_cert
+    Tem::CA.ca_cert
+  end
+  
+  # retrieves the TEM's Public Endorsement Key
+  def pubek
+    new_key_from_ssl endorsement_cert.public_key, true
+  end
+  
+  # emits a TEM
+  def emit
+    emit_proc = assemble do |p|
+      # generate EK, compare with (0, 1)
+      p.genkp :type => 0
+      p.ldbc 1
+      p.sub
+      p.jne :to => :not_ok
+      p.ldbc 0
+      p.sub
+      p.jne :to => :not_ok
+      
+      # generate and output random authorization for PrivEK
+      p.ldbc 20
+      p.dupn :n => 1
+      p.outnew
+      p.ldwc :privek_auth
+      p.dupn :n => 2
+      p.rnd
+      p.outvb
+      # set authorizations for PrivEK and PubkEK
+      p.ldbc 0
+      p.authk :auth => :privek_auth
+      p.ldbc 1 # PubEK always has its initial authorization be all zeroes
+      p.authk :auth => :pubek_auth
+      p.halt
+      
+      # emitting didn't go well, return nothing and leave
+      p.label :not_ok
+      p.ldbc 0
+      p.outnew
+      p.halt
+      
+      p.label :privek_auth
+      p.filler :ubyte, 20
+      p.label :pubek_auth
+      p.filler :ubyte, 20
+      p.stack
+      p.extra 8
+    end
+    
+    r = execute emit_proc
+    if r.length == 0
+      return nil
+    else
+      privk_auth = r[0...20]
+      pubek_auth = (0...20).map {|i| 0}
+      pubek = tk_read_key 1, pubek_auth
+      tk_delete_key 1, pubek_auth      
+      ecert = new_ecert pubek.ssl_key
+      set_ecert ecert
+      return { :privek_auth => privk_auth }
+    end
+  end  
+end

data/lib/tem/hive.rb

@@ -0,0 +1,18 @@
+require 'rubygems'
+require 'fileutils'
+
+# The TEM's configuation hive
+module Tem::Hive
+  @@hive_dir = File.join(Gem.user_home, ".tem")
+  
+  def self.path_to(*hive_entry)
+    File.join(@@hive_dir, *hive_entry)
+  end
+    
+  def self.create(*hive_entry)
+    path = File.join(@@hive_dir, *hive_entry)
+    FileUtils.mkdir_p File.dirname(path)
+    File.open(path, "w") { |f| }
+    return path
+  end
+end

data/lib/tem/keys.rb

@@ -0,0 +1,60 @@
+module Tem::Keys
+  def devchip_generate_key_pair
+    response = issue_apdu [0x00, 0x40, 0x00, 0x00, 0x00].flatten
+    tem_error(response) if failure_code(response)
+    return { :privkey_id => read_tem_byte(response, 0), :pubkey_id => read_tem_byte(response, 1) }    
+  end
+  
+  def devchip_release_key(key_id)
+    response = issue_apdu [0x00, 0x41, to_tem_byte(key_id), 0x00, 0x00].flatten
+    tem_error(response) if failure_code(response)
+    return true
+  end
+  
+  def devchip_save_key(key_id)
+    response = issue_apdu [0x00, 0x43, to_tem_byte(key_id), 0x00, 0x00].flatten
+    tem_error(response) if failure_code(response)
+    
+    buffer_id, buffer_length = read_tem_byte(response, 0), read_tem_short(response, 1)
+    key_buffer = read_buffer buffer_id
+    release_buffer buffer_id
+    
+    read_tem_key key_buffer[0...buffer_length], 0
+  end
+  
+  def devchip_encrypt_decrypt(data, key_id, opcode)
+    buffer_id = post_buffer data
+    response = issue_apdu [0x00, opcode, to_tem_byte(key_id), to_tem_byte(buffer_id), 0x00].flatten
+    release_buffer buffer_id
+    tem_error(response) if failure_code(response)
+
+    buffer_id, buffer_length = read_tem_byte(response, 0), read_tem_short(response, 1)
+    data_buffer = read_buffer buffer_id
+    release_buffer buffer_id
+    
+    return data_buffer[0...buffer_length]
+  end
+  def devchip_encrypt(data, key_id)
+    devchip_encrypt_decrypt(data, key_id, 0x44)
+  end
+  def devchip_decrypt(data, key_id)
+    devchip_encrypt_decrypt(data, key_id, 0x45)
+  end
+  
+  def stat_keys
+    apdu = [0x00, 0x27, 0x01, 0x00, 0x00].flatten
+    response = issue_apdu apdu
+    tem_error(response) if failure_code(response)
+    response = reply_data(response)
+    key_types = {0x99 => :symmetric, 0x55 => :private, 0xAA => :public}
+    stat = {:keys => {}}
+    offset = 0
+    while offset < response.length do
+      stat[:keys][read_tem_ubyte(response, offset)] =
+        {:type => key_types[read_tem_ubyte(response, offset + 1)],
+        :bits => read_tem_ushort(response, offset + 2)}
+      offset += 4
+    end
+    return stat
+  end  
+end

data/lib/tem/lifecycle.rb

@@ -0,0 +1,8 @@
+module Tem::Lifecycle
+  def activate
+    issue_apdu([0x00, 0x10, 0x00, 0x00, 0x00])[0] == 0x90 
+  end
+  def kill
+    issue_apdu([0x00, 0x11, 0x00, 0x00, 0x00])[0] == 0x90 
+  end
+end

data/lib/tem/sec_assembler.rb

@@ -0,0 +1,91 @@
+class Tem::SecAssembler
+  def initialize(tem_klass)
+    @tem_klass = tem_klass
+    @body = []
+    @labels = {}
+    @lines = {}
+    @sp, @ep, @extra_bytes = nil, nil, nil
+  end
+    
+  def self.opcode(name, value, *params)
+    p_hash = {}
+    params.each_index { |i| p_hash[params[i][:name]] = i unless params[i][:name].nil? }
+    
+    define_method(name.to_sym) do |*m_params|
+      # linearize the parameters
+      param_idx = 0
+      s_params = []
+      m_params.each_index do |i|
+        if m_params[i].instance_of? Hash
+          raise "no embedded hashes please! (check parameter #{param_idx})" unless i == m_params.length - 1         
+          m_params[i].each do |k, v|
+            raise "no parameter with name #{k} for opcode #{name}" if p_hash[k].nil?
+            raise "parameter #{k} was already assigned a value" unless (param_idx <= p_hash[k] and s_params[p_hash[k]].nil?)
+            s_params[p_hash[k]] = v
+          end        
+        else
+          s_params[param_idx] = m_params[i]
+          param_idx += 1
+        end
+      end
+      
+      # check for missing parameters
+      raise "opcode #{name} requires more parameters" unless s_params.length == params.length and s_params.all? { |v| !v.nil? }
+      
+      # encode parameters
+      @lines[@body.length] = Kernel.caller(0)
+      @body += @tem_klass.to_tem_ubyte(value)
+      s_params.each_index do |i|
+        if (s_params[i].kind_of? Numeric) && !params[i][:relative]
+          @body += @tem_klass.send "to_tem_#{params[i][:type]}".to_sym, s_params[i]
+        else
+          @body << { :type => params[i][:type], :relative => params[i][:reladdr] ? params[i][:reladdr] : false }.merge!(
+            (s_params[i].kind_of? Numeric) ? { :address => s_params[i].to_i } : { :label => s_params[i].to_sym })
+          @body += (@tem_klass.send "to_tem_#{params[i][:type]}".to_sym, 0)[1..-1]
+        end
+      end        
+    end
+  end
+  
+  def assemble(&proc_block)
+    # call the block to build the proc
+    yield self
+    
+    # link in label addresses
+    @body.each_index do |i|
+      if @body[i].kind_of? Hash
+        raise "label #{@body[i][:label]} undefined" if (!@body[i][:label].nil? and @labels[@body[i][:label]].nil?)
+        addr = @body[i][:label].nil? ? @body[i][:address] : @labels[@body[i][:label]]
+        q = @body[i][:relative] ? (@tem_klass.send "to_tem_#{@body[i][:type]}_reladdr".to_sym, addr - i - @body[i][:relative]) :
+                                (@tem_klass.send "to_tem_#{@body[i][:type]}".to_sym, addr) 
+        @body[i, q.length] = *q
+      end
+    end
+            
+    return Tem::SecPack.new(:tem_class => @tem_klass, :body => @body, :labels => @labels,
+      :ep => @ep || 0, :sp => @sp || @body.length, :extra_bytes => @extra_bytes || 0, :lines => @lines)
+  end
+  
+  def label(name)
+    raise "label #{name} already defined" unless @labels[name.to_sym].nil?
+    @labels[name.to_sym] = @body.length
+  end
+  def filler(type_name, count = 1)
+    bytes = count * @tem_klass.send("tem_#{type_name}_length".to_sym)
+    @body += Array.new(bytes, 0)
+  end
+  def immed(type_name, values)
+    values = [values] unless values.instance_of? Array
+    @body += values.map { |v| @tem_klass.send "to_tem_#{type_name}".to_sym, v }.flatten
+  end    
+  def entry
+    @ep = @body.length
+  end
+  def stack
+    @sp = @body.length
+  end
+  def extra(extra_bytes)
+    @extra_bytes = extra_bytes
+  end
+end
+