verify Command

Verifies the signature of a RIM, CoRIM, or CoSWID tag.

Usage

rim verify -r <string> -i <file> -p <file> [-l <path>] [-t <file>] [-d <file>] [-e]

Parameters

| Parameter | Description | Required | Type |
| --- | --- | --- | --- |
| -r, --rim-type | Specifies the RIM type. | Yes | String |
| -i, --in | Specifies the input file to verify. | Yes | File |
| -l, --rimel | Support RIM (PC Client RIM only). See below. | No [1] | Path |
| -p, --public-certificate | The public key certificate to be used to verify the RIM. | Yes | File |
| -t, --truststore | The trust store used to validate the Base RIM (PC Client RIM only). | No [2] | File |
| -d, --detached | Uses a detached signature file for verification. | No | File |
| -e, --embed-cert | Uses the embedded certificate, depending on input type. [3] | No | |

-l option (PC Client RIM only)

The default behavior for the verify command for a TCG PC Client RIM is to ignore the file attribute that specifies the name of the Support RIM file, as well as the hash associated with that file.

This parameter changes that behavior and enforces verification of the hash of the Support RIM file found on the host file system, as follows:

  • -l "": uses the <Directory> element path (if present) associated with the corresponding <File> element to find the Support RIM.

  • -l <path>: uses the supplied path, along with the file attribute, to find the Support RIM file.

Further Details

NISTIR 8060, section 4.6.1 states:

Files are described using the <File> element, and folders are described using the <Directory> element.

When processing a PC Client RIM (with the -l "" option), the RIM-Tool will assume that the full path to a Support RIM file is a concatenation of the <Directory> element text (if present), and the <File> element text found in the Base RIM's payload element.

See the Examples section below for sample usage of the -l option.
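The path resolution and hash enforcement described above, as an added Python example (this is not the RIM-Tool's own code): it assumes a SWID payload in which `<Directory>` carries the folder in its `location`/`name` attributes and `<File>` carries a `SHA256:hash` attribute in the xmlenc SHA-256 namespace, and it exercises both the `-l ""` and `-l <path>` behaviors against a constructed Base RIM payload and a constructed Support RIM file written to a temporary directory.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
SHA256_NS = "http://www.w3.org/2001/04/xmlenc#sha256"  # assumed namespace of SHA256:hash
NS = {"swid": SWID_NS}

def support_rim_files(swidtag_xml, base_path=""):
    """Yield (resolved path, expected hex digest) for each <File> under <Payload>.
    base_path "" mirrors -l "" (root = <Directory> location/name, if present);
    any other value mirrors -l <path> (root = that path)."""
    payload = ET.fromstring(swidtag_xml).find("swid:Payload", NS)
    entries = [("", f) for f in payload.findall("swid:File", NS)]  # no <Directory> parent
    for d in payload.findall("swid:Directory", NS):
        dir_part = os.path.join(d.get("location", ""), d.get("name", ""))
        entries += [(dir_part, f) for f in d.findall("swid:File", NS)]
    for dir_part, f in entries:
        folder = base_path if base_path else dir_part
        yield os.path.join(folder, f.get("name")), f.get(f"{{{SHA256_NS}}}hash")

def verify_support_rims(swidtag_xml, base_path=""):
    """Return {path: True (hash matches) | False (mismatch) | None (file not found)}."""
    results = {}
    for path, expected in support_rim_files(swidtag_xml, base_path):
        if not os.path.isfile(path):
            results[path] = None
            continue
        actual = hashlib.sha256(Path(path).read_bytes()).hexdigest()
        results[path] = actual.lower() == (expected or "").lower()
    return results

TAG = """<SoftwareIdentity xmlns="{swid}" xmlns:SHA256="{sha}" name="Constructed Base RIM"><Payload>
  <Directory name="" location="{loc}"><File name="{fn}" size="{size}" SHA256:hash="{digest}"/></Directory>
</Payload></SoftwareIdentity>"""

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        fn, data = "laptop.default.1.rimel", b"constructed support RIM bytes"
        Path(tmp, fn).write_bytes(data)
        tag = TAG.format(swid=SWID_NS, sha=SHA256_NS, loc=tmp, fn=fn, size=len(data),
                         digest=hashlib.sha256(data).hexdigest())
        via_dir = list(verify_support_rims(tag).values())              # -l ""      -> [True]
        via_path = list(verify_support_rims(tag, tmp).values())        # -l <tmp>   -> [True]
        missing = list(verify_support_rims(tag, "/no/such").values())  # wrong path -> [None]
        Path(tmp, fn).write_bytes(data + b"!")  # Support RIM altered after the Base RIM was made
        tampered = list(verify_support_rims(tag, tmp).values())        # -> [False]
    return via_dir, via_path, missing, tampered
```

The constructed payload omits the signature and other SWID elements; a real verifier checks the Base RIM signature first and only then trusts the embedded file hashes.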

Examples

Before Starting

Before running these examples, please ensure that you change into the data directory (requires install):

cd /opt/rimtool/data

Verify a TCG PC Client Base RIM, alongside Support RIM:

rim verify -r pcrim --in pcrim/laptop.default.1.swidtag -p pcrim/RimSignCert.pem -t pcrim/RIMCaCert.pem -l pcrim/

Verify a signed CoSWID tag:

rim verify -r coswid --in coswid/coswid_rim_1.signed.coswid.cose -p certs/COMP_OEM1_rim_signer_ecc_512_sha384.pem

Verify a signed CoRIM:

rim verify -r corim_comid --in corim/corim_1.signed.corim.cose -p certs/COMP_OEM1_rim_signer_ecc_512_sha384.pem

  1. A Support RIM file is only used for a TCG PC Client RIM. See the -l option documentation.

  2. Required if the type is set to TCG PC Client RIM.

  3. If specified, the embedded certificate supersedes the -p option.

    For XML-DSig: a certificate may be embedded into the signed SWID tag.

    For COSE: a certificate and its thumbprint may be embedded into the protected header.