From dc7301e8a6be3b09b43d04695d07ee15fa8b6e87 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 17 Aug 2021 14:41:00 -0400 Subject: [PATCH 1/3] Update overloaded validateCertChain to check cert chain consistently --- .../SupplyChainCredentialValidator.java | 61 +++++++++++-------- 1 file changed, 34 insertions(+), 27 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java index e157a774..90d4327b 100644 --- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java +++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java @@ -40,6 +40,7 @@ import java.security.NoSuchProviderException; import java.security.PublicKey; import java.security.Security; import java.security.SignatureException; +import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.CertificateExpiredException; import java.security.cert.CertificateNotYetValidException; @@ -1338,43 +1339,49 @@ public final class SupplyChainCredentialValidator implements CredentialValidator * @throws SupplyChainValidatorException tried to validate using null certificates */ public static String validateCertChain(final X509AttributeCertificateHolder cert, - final Set additionalCerts) throws SupplyChainValidatorException { + final Set additionalCerts) + throws SupplyChainValidatorException { if (cert == null || additionalCerts == null) { throw new SupplyChainValidatorException( "Certificate or validation certificates are null"); } + final String intCAError = "Intermediate signing cert found, check for CA cert"; String foundRootOfCertChain = ""; - Iterator certIterator = additionalCerts.iterator(); - X509Certificate trustedCert; - boolean issuerMatchesSubject = false; - boolean signatureMatchesPublicKey = false; + X509AttributeCertificateHolder startOfChain = cert; - while (foundRootOfCertChain.isEmpty() && certIterator.hasNext()) { - trustedCert = certIterator.next(); - issuerMatchesSubject = issuerMatchesSubjectDN(cert, trustedCert); - signatureMatchesPublicKey = signatureMatchesPublicKey(cert, trustedCert); - if (issuerMatchesSubject && signatureMatchesPublicKey) { - if (isSelfSigned(trustedCert)) { - foundRootOfCertChain = ""; - LOGGER.info("CA Root found."); - break; + do { + for (X509Certificate trustedCert : additionalCerts) { + boolean issuerMatchesSubject = issuerMatchesSubjectDN(startOfChain, trustedCert); + boolean signatureMatchesPublicKey = signatureMatchesPublicKey(startOfChain, + trustedCert); + if (issuerMatchesSubject && signatureMatchesPublicKey) { + if (isSelfSigned(trustedCert)) { + LOGGER.info("CA Root found."); + return ""; + } else { + foundRootOfCertChain = intCAError; + try { + startOfChain = new X509AttributeCertificateHolder( + trustedCert.getEncoded()); + } catch (IOException | CertificateEncodingException e) { + LOGGER.error("Error checking cert chain: " + e.getMessage()); + throw new SupplyChainValidatorException("Error checking cert chain: " + + e.getMessage()); + } + break; + } } else { - foundRootOfCertChain = "Intermediate signing cert found. Check for CA Cert: " - + cert.getIssuer().getNames()[0]; - } - } else { - if (!issuerMatchesSubject) { - foundRootOfCertChain = "Issuer DN does not match Subject DN"; - } - if (!signatureMatchesPublicKey) { - foundRootOfCertChain = "Certificate signature failed to verify"; + if (!issuerMatchesSubject) { + foundRootOfCertChain = "Issuer DN does not match Subject DN"; + } + if (!signatureMatchesPublicKey) { + foundRootOfCertChain = "Certificate signature failed to verify"; + } } } - } + } while (foundRootOfCertChain.equals(intCAError)); - if (!foundRootOfCertChain.isEmpty()) { - LOGGER.error(foundRootOfCertChain); - } + LOGGER.error(foundRootOfCertChain); return foundRootOfCertChain; } From f54e1a15d0ee9accdf95c3cac8cf5704a49eee7d Mon Sep 17 00:00:00 2001 From: iadgovuser29 <33426478+iadgovuser29@users.noreply.github.com> Date: Tue, 17 Aug 2021 17:21:32 -0400 Subject: [PATCH 2/3] Fixed a certificate conversion issue. --- .../SupplyChainCredentialValidator.java | 26 ++++++++++--------- .../SupplyChainCredentialValidatorTest.java | 5 ++-- 2 files changed, 17 insertions(+), 14 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java index 90d4327b..3c85b88d 100644 --- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java +++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java @@ -40,7 +40,6 @@ import java.security.NoSuchProviderException; import java.security.PublicKey; import java.security.Security; import java.security.SignatureException; -import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.CertificateExpiredException; import java.security.cert.CertificateNotYetValidException; @@ -1348,26 +1347,29 @@ public final class SupplyChainCredentialValidator implements CredentialValidator final String intCAError = "Intermediate signing cert found, check for CA cert"; String foundRootOfCertChain = ""; X509AttributeCertificateHolder startOfChain = cert; + X509Certificate nextInChain = null; do { for (X509Certificate trustedCert : additionalCerts) { - boolean issuerMatchesSubject = issuerMatchesSubjectDN(startOfChain, trustedCert); - boolean signatureMatchesPublicKey = signatureMatchesPublicKey(startOfChain, - trustedCert); + boolean issuerMatchesSubject = false; + boolean signatureMatchesPublicKey = false; + if (nextInChain != null) { + issuerMatchesSubject = issuerMatchesSubjectDN(nextInChain, trustedCert); + signatureMatchesPublicKey = signatureMatchesPublicKey(nextInChain, + trustedCert); + } else { + issuerMatchesSubject = issuerMatchesSubjectDN(startOfChain, trustedCert); + signatureMatchesPublicKey = signatureMatchesPublicKey(startOfChain, + trustedCert); + } + if (issuerMatchesSubject && signatureMatchesPublicKey) { if (isSelfSigned(trustedCert)) { LOGGER.info("CA Root found."); return ""; } else { foundRootOfCertChain = intCAError; - try { - startOfChain = new X509AttributeCertificateHolder( - trustedCert.getEncoded()); - } catch (IOException | CertificateEncodingException e) { - LOGGER.error("Error checking cert chain: " + e.getMessage()); - throw new SupplyChainValidatorException("Error checking cert chain: " - + e.getMessage()); - } + nextInChain = trustedCert; break; } } else { diff --git a/HIRS_Utils/src/test/java/hirs/validation/SupplyChainCredentialValidatorTest.java b/HIRS_Utils/src/test/java/hirs/validation/SupplyChainCredentialValidatorTest.java index 828e6d87..f4dc3ee0 100644 --- a/HIRS_Utils/src/test/java/hirs/validation/SupplyChainCredentialValidatorTest.java +++ b/HIRS_Utils/src/test/java/hirs/validation/SupplyChainCredentialValidatorTest.java @@ -312,10 +312,11 @@ public class SupplyChainCredentialValidatorTest { PlatformCredential pc = new PlatformCredential(certBytes); + // The test certificate has expired. Test will accept expired certs. AppraisalStatus result = supplyChainCredentialValidator.validatePlatformCredential( pc, keyStore, true); - // Assert.assertEquals(result.getAppStatus(), AppraisalStatus.Status.PASS); - Assert.assertEquals(result.getAppStatus(), AppraisalStatus.Status.FAIL); + + Assert.assertEquals(result.getAppStatus(), AppraisalStatus.Status.PASS); Assert.assertEquals(result.getMessage(), SupplyChainCredentialValidator.PLATFORM_VALID); } finally { keyStore.deleteEntry("Intel Intermediate Cert"); From c76a8a074eee6e62f88449f04a8a4e2638b46ef6 Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Wed, 18 Aug 2021 09:15:59 -0400 Subject: [PATCH 3/3] Minor code clean up --- .../hirs/validation/SupplyChainCredentialValidator.java | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java index 3c85b88d..e4c3c5ed 100644 --- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java +++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java @@ -1346,7 +1346,6 @@ public final class SupplyChainCredentialValidator implements CredentialValidator } final String intCAError = "Intermediate signing cert found, check for CA cert"; String foundRootOfCertChain = ""; - X509AttributeCertificateHolder startOfChain = cert; X509Certificate nextInChain = null; do { @@ -1358,9 +1357,8 @@ public final class SupplyChainCredentialValidator implements CredentialValidator signatureMatchesPublicKey = signatureMatchesPublicKey(nextInChain, trustedCert); } else { - issuerMatchesSubject = issuerMatchesSubjectDN(startOfChain, trustedCert); - signatureMatchesPublicKey = signatureMatchesPublicKey(startOfChain, - trustedCert); + issuerMatchesSubject = issuerMatchesSubjectDN(cert, trustedCert); + signatureMatchesPublicKey = signatureMatchesPublicKey(cert, trustedCert); } if (issuerMatchesSubject && signatureMatchesPublicKey) {