Merge pull request #715 from nsacyber/v3_issue-661_updated

[#661] Output handling should be more concise

Author: chubtub

HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java

@@ -253,20 +253,26 @@ public boolean validateSwidtagFile(String path) {
         Element fileElement = (Element) rim.getElementsByTagName("File").item(0);
         if (trustStoreFile != null && !trustStoreFile.isEmpty()) {
             trustStore = parseCertificatesFromPem(trustStoreFile);
+        } else {
+            return failWithError("File <" + trustStoreFile + "> is empty; " +
+                    "a valid, non-empty truststore file is required for validation.");
         }
         X509Certificate signingCert = null;
         try {
             signingCert = getCertFromTruststore();
+            if (signingCert == null) {
+                return failWithError("Unable to locate the signing cert in the provided " +
+                        "truststore " + trustStoreFile);
+            }
         } catch (IOException e) {
-            log.warn("Error while parsing signing cert from truststore: " + e.getMessage());
-            return false;
+            return failWithError("Error while parsing signing cert from truststore: " +
+                    e.getMessage());
         }
         String subjectKeyIdentifier = "";
         try {
             subjectKeyIdentifier = getCertificateSubjectKeyIdentifier(signingCert);
         } catch (IOException e) {
-            log.warn("Error while parsing certificate data: " + e.getMessage());
-            return false;
+            return failWithError("Error while parsing certificate data: " + e.getMessage());
         }
         return validateXmlSignature(signingCert.getPublicKey(),
                                     subjectKeyIdentifier,
@@ -307,8 +313,7 @@ private boolean validateFile(final Element file) {
             System.out.println("Support RIM hash verified!" + System.lineSeparator());
             return true;
         } else {
-            System.out.println("Support RIM hash does not match Base RIM!" + System.lineSeparator());
-            return false;
+            return failWithError("Support RIM hash does not match Base RIM!");
         }
     }
 
@@ -771,4 +776,14 @@ private Document removeXMLWhitespace(final StreamSource source) throws IOExcepti
 
         return doc;
     }
+
+    /**
+     * This method logs an error message and returns a false to signal failed validation.
+     * @param errorMessage String description of what went wrong
+     * @return false to represent failed validation
+     */
+    private boolean failWithError(String errorMessage) {
+        log.error(errorMessage);
+        return false;
+    }
 }

tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java

@@ -1,9 +1,11 @@
 package hirs.swid;
 
 import hirs.swid.utils.Commander;
+import hirs.swid.utils.CredentialArgumentValidator;
 import hirs.swid.utils.TimestampArgumentValidator;
 import hirs.utils.rim.ReferenceManifestValidator;
 import com.beust.jcommander.JCommander;
+import lombok.extern.log4j.Log4j2;
 
 import java.io.File;
 import java.io.IOException;
@@ -12,17 +14,29 @@
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
-
+@Log4j2
 public class Main {
 
     public static void main(String[] args) {
         Commander commander = new Commander();
         JCommander jc = JCommander.newBuilder().addObject(commander).build();
-        jc.parse(args);
+        try {
+            jc.parse(args);
+        } catch (Exception e) {
+            exitWithErrorCode(e.getMessage());
+        }
         SwidTagGateway gateway;
         ReferenceManifestValidator validator;
+        List<String> unknownOpts = commander.getUnknownOptions();
+        CredentialArgumentValidator credValidator;
 
-        if (commander.isHelp()) {
+        if (!unknownOpts.isEmpty()) {
+            StringBuilder sb = new StringBuilder("Unknown options encountered: ");
+            for (String opt : unknownOpts) {
+                sb.append(opt + ", ");
+            }
+            exitWithErrorCode(sb.substring(0,sb.lastIndexOf(",")));
+        } else if (commander.isHelp()) {
             jc.usage();
             System.out.println(commander.printHelpExamples());
         } else if (commander.isVersion()) {
@@ -36,67 +50,56 @@ public static void main(String[] args) {
         } else {
             if (!commander.getVerifyFile().isEmpty()) {
                 validator = new ReferenceManifestValidator();
-                System.out.println(commander.toString());
+                if (commander.isVerbose()) {
+                    System.out.println(commander.toString());
+                }
                 String verifyFile = commander.getVerifyFile();
                 String rimel = commander.getRimEventLog();
-                String certificateFile = commander.getPublicCertificate();
                 String trustStore = commander.getTruststoreFile();
-                if (!verifyFile.isEmpty()) {
-                    validator.setRim(verifyFile);
-                    if (!rimel.isEmpty()) {
-                        validator.setRimEventLog(rimel);
-                    }
-                    if (!trustStore.isEmpty()) {
-                        validator.setTrustStoreFile(trustStore);
-                    }
-                    if (!certificateFile.isEmpty()) {
-                        System.out.println("A single cert cannot be used for verification. " +
-                                "The signing cert will be searched for in the trust store.");
-                    }
-                    validator.validateSwidtagFile(verifyFile);
+                validator.setRim(verifyFile);
+                validator.setRimEventLog(rimel);
+                credValidator = new CredentialArgumentValidator(trustStore,
+                        "","", true);
+                if (credValidator.isValid()) {
+                    validator.setTrustStoreFile(trustStore);
                 } else {
-                    System.out.println("Need a RIM file to validate!");
-                    System.exit(1);
+                    exitWithErrorCode(credValidator.getErrorMessage());
+                }
+                if (validator.validateSwidtagFile(verifyFile)) {
+                    System.out.println("Successfully verified " + verifyFile);
+                } else {
+                    exitWithErrorCode("Failed to verify " + verifyFile);
                 }
             } else {
                 gateway = new SwidTagGateway();
-                System.out.println(commander.toString());
+                if (commander.isVerbose()) {
+                    System.out.println(commander.toString());
+                }
                 String createType = commander.getCreateType().toUpperCase();
                 String attributesFile = commander.getAttributesFile();
-                String jksTruststoreFile = commander.getTruststoreFile();
                 String certificateFile = commander.getPublicCertificate();
                 String privateKeyFile = commander.getPrivateKeyFile();
                 boolean embeddedCert = commander.isEmbedded();
                 boolean defaultKey = commander.isDefaultKey();
                 String rimEventLog = commander.getRimEventLog();
                 switch (createType) {
                     case "BASE":
-                        if (!attributesFile.isEmpty()) {
-                            gateway.setAttributesFile(attributesFile);
-                        }
-                        if (!jksTruststoreFile.isEmpty()) {
+                        gateway.setAttributesFile(attributesFile);
+                        gateway.setRimEventLog(rimEventLog);
+                        credValidator = new CredentialArgumentValidator("" ,
+                                certificateFile, privateKeyFile, false);
+                        if (defaultKey){
                             gateway.setDefaultCredentials(true);
-                            gateway.setJksTruststoreFile(jksTruststoreFile);
-                        } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
+                            gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
+                        } else if (credValidator.isValid()) {
                             gateway.setDefaultCredentials(false);
                             gateway.setPemCertificateFile(certificateFile);
                             gateway.setPemPrivateKeyFile(privateKeyFile);
                             if (embeddedCert) {
                                 gateway.setEmbeddedCert(true);
                             }
-                        } else if (defaultKey){
-                            gateway.setDefaultCredentials(true);
-                            gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
-                        } else {
-                            System.out.println("A private key (-k) and public certificate (-p) " +
-                                    "are required, or the default key (-d) must be indicated.");
-                            System.exit(1);
-                        }
-                        if (rimEventLog.isEmpty()) {
-                            System.out.println("Error: a support RIM is required!");
-                            System.exit(1);
                         } else {
-                            gateway.setRimEventLog(rimEventLog);
+                            exitWithErrorCode(credValidator.getErrorMessage());
                         }
                         List<String> timestampArguments = commander.getTimestampArguments();
                         if (timestampArguments.size() > 0) {
@@ -106,18 +109,27 @@ public static void main(String[] args) {
                                     gateway.setTimestampArgument(timestampArguments.get(1));
                                 }
                             } else {
-                                System.exit(1);
+                                exitWithErrorCode("The provided timestamp argument(s) " +
+                                        "is/are not valid.");
                             }
                         }
                         gateway.generateSwidTag(commander.getOutFile());
                         break;
                     default:
-                        System.out.println("No create type given, nothing to do");
+                        exitWithErrorCode("Create type not recognized.");
                 }
             }
         }
     }
 
+    /**
+     * Use cases that exit with an error code are redirected here.
+     */
+    private static void exitWithErrorCode(String errorMessage) {
+        log.error(errorMessage);
+        System.exit(1);
+    }
+
     /**
      * This method parses the version number from the jar filename in the absence of
      * the VERSION file expected with an rpm installation.

tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java

@@ -64,7 +64,6 @@
 import java.security.KeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
-import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.LocalDateTime;
 import java.util.ArrayList;
@@ -100,7 +99,7 @@ public SwidTagGateway() {
         try {
             JAXBContext jaxbContext = JAXBContext.newInstance(SwidTagConstants.SCHEMA_PACKAGE);
             marshaller = jaxbContext.createMarshaller();
-            attributesFile = SwidTagConstants.DEFAULT_ATTRIBUTES_FILE;
+            attributesFile = "";
             defaultCredentials = true;
             pemCertificateFile = "";
             embeddedCert = false;

tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java

@@ -12,42 +12,48 @@
  */
 public class Commander {
 
+    @Parameter(description = "This parameter catches all unrecognized arguments.")
+    private List<String> unknownOptions = new ArrayList<>();
     @Parameter(names = {"-h", "--help"}, help = true, description = "Print this help text.")
     private boolean help;
     @Parameter(names = {"-c", "--create \"base\""}, order = 0,
             description = "The type of RIM to create. A base RIM will be created by default.")
     private String createType = "";
-    @Parameter(names = {"-v", "--verify <path>"}, order = 3,
+    @Parameter(names = {"-v", "--verify <path>"}, validateWith = FileArgumentValidator.class,
             description = "Specify a RIM file to verify.")
     private String verifyFile = "";
     @Parameter(names = {"-V", "--version"}, description = "Output the current version.")
     private boolean version = false;
-    @Parameter(names = {"-a", "--attributes <path>"}, order = 1,
+    @Parameter(names = {"-a", "--attributes <path>"}, validateWith = FileArgumentValidator.class,
             description = "The configuration file holding attributes "
-            + "to populate the base RIM with.")
+            + "to populate the base RIM with.  An example file can be found in /opt/rimtool/data.")
     private String attributesFile = "";
     @Parameter(names = {"-o", "--out <path>"}, order = 2,
             description = "The file to write the RIM out to. "
             + "The RIM will be written to stdout by default.")
     private String outFile = "";
-    @Parameter(names = {"-t", "--truststore <path>"}, order = 4,
+    @Parameter(names = {"--verbose"}, description = "Control output verbosity.")
+    private boolean verbose = false;
+    @Parameter(names = {"-t", "--truststore <path>"}, validateWith = FileArgumentValidator.class,
             description = "The truststore to sign the base RIM created "
             + "or to validate the signed base RIM.")
     private String truststoreFile = "";
-    @Parameter(names = {"-k", "--privateKeyFile <path>"}, order = 5,
+    @Parameter(names = {"-k", "--privateKeyFile <path>"},
+            validateWith = FileArgumentValidator.class,
             description = "The private key used to sign the base RIM created by this tool.")
     private String privateKeyFile = "";
-    @Parameter(names = {"-p", "--publicCertificate <path>"}, order = 6,
+    @Parameter(names = {"-p", "--publicCertificate <path>"},
+            validateWith = FileArgumentValidator.class,
             description = "The public key certificate to embed in the base RIM created by "
             + "this tool.")
     private String publicCertificate = "";
     @Parameter(names = {"-e", "--embed-cert"}, order = 7,
             description = "Embed the provided certificate in the signed swidtag.")
     private boolean embedded = false;
     @Parameter(names = {"-d", "--default-key"}, order = 8,
-            description = "Use default signing credentials.")
+            description = "Use the JKS keystore installed in /opt/rimtool/data.")
     private boolean defaultKey = false;
-    @Parameter(names = {"-l", "--rimel <path>"}, order = 9,
+    @Parameter(names = {"-l", "--rimel <path>"}, validateWith = FileArgumentValidator.class,
             description = "The TCG eventlog file to use as a support RIM.")
     private String rimEventLog = "";
     @Parameter(names = {"--timestamp"}, order = 10, variableArity = true,
@@ -56,6 +62,10 @@ public class Commander {
                     "\tRFC3339 [yyyy-MM-ddThh:mm:ssZ]\n\tRFC3852 <counterSignature.bin>")
     private List<String> timestampArguments = new ArrayList<String>(2);
 
+    public List<String> getUnknownOptions() {
+        return unknownOptions;
+    }
+
     public boolean isHelp() {
         return help;
     }
@@ -71,6 +81,7 @@ public String getVerifyFile() {
     public boolean isVersion() {
         return version;
     }
+    public boolean isVerbose() { return verbose; }
     public String getAttributesFile() {
         return attributesFile;
     }
@@ -101,26 +112,17 @@ public List<String> getTimestampArguments() {
 
     public String printHelpExamples() {
         StringBuilder sb = new StringBuilder();
-        sb.append("Create a base RIM using the values in attributes.json; " +
-                "sign it with the default keystore; ");
-        sb.append("and write the data to base_rim.swidtag:\n\n");
-        sb.append("\t\t-c base -a attributes.json -d -l support_rim.bin -o base_rim.swidtag" +
-                "\n\n\n");
-        sb.append("Create a base RIM using the default attribute values; ");
-        sb.append("sign it using privateKey.pem; embed cert.pem in the signature block; ");
-        sb.append("and write the data to console output:\n\n");
-        sb.append("\t\t-c base -l support_rim.bin -k privateKey.pem -p cert.pem -e\n\n\n");
-        sb.append("Create a base RIM using the values in attributes.json; " +
-                "sign it with the default keystore; add a RFC3852 timestamp; ");
-        sb.append("and write the data to base_rim.swidtag:\n\n");
-        sb.append("\t\t-c base -a attributes.json -d -l support_rim.bin " +
-                "--timestamp RFC3852 counterSignature.bin -o base_rim.swidtag\n\n\n");
-        sb.append("Validate a base RIM using an external support RIM to override the ");
-        sb.append("payload file:\n\n");
-        sb.append("\t\t-v base_rim.swidtag -l support_rim.bin\n\n\n");
-        sb.append("Validate a base RIM with its own payload file and a PEM truststore ");
-        sb.append("containing the signing cert:\n\n");
-        sb.append("\t\t-v base_rim.swidtag -t ca.crt\n\n\n");
+        sb.append("Create a base RIM: use the values in attributes.json; ");
+        sb.append("add support_rim.bin to the payload; ");
+        sb.append("sign it using privateKey.pem and cert.pem; embed cert.pem in the signature; ");
+        sb.append("add a RFC3852 timestamp; and write the data to base_rim.swidtag:\n\n");
+        sb.append("\t\t-c base -a attributes.json -l support_rim.bin "
+                + "-k privateKey.pem -p cert.pem -e --timestamp RFC3852 counterSignature.bin "
+                + "-o base_rim.swidtag\n\n\n");
+        sb.append("Validate base_rim.swidtag: "
+                + "the payload <File> is validated with support_rim.bin; "
+                + "and the signature is validated with ca.crt:\n\n");
+        sb.append("\t\t-v base_rim.swidtag -l support_rim.bin -t ca.crt\n\n\n");
 
         return sb.toString();
     }