From 3e35fe4524291e7897f263c93a23452aec7206df Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 9 Nov 2020 11:20:37 -0500 Subject: [PATCH 1/9] Typing conflict when comparing event logs --- .../src/main/java/hirs/tcg_eventlog/Main.java | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java index 81da7c90..3f7a83ef 100644 --- a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java +++ b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java @@ -11,6 +11,7 @@ import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.Arrays; +import java.util.Collection; import hirs.tpm.eventlog.TCGEventLog; import hirs.tpm.eventlog.TpmPcrEvent; @@ -135,14 +136,16 @@ final class Main { || commander.getPcrNumber() == -1) { if (bHexFlag) { if (bEventFlag || bHexEvent) { - writeOut(HexUtils.byteArrayToHexString(event.getEvent()) + "\n"); + writeOut(HexUtils.byteArrayToHexString(event.getEvent()) + + "\n"); } if (bContentFlag) { writeOut(HexUtils.byteArrayToHexString(event.getEventContent()) + "\n"); } } else { - writeOut(event.toString(bEventFlag, bContentFlag, bHexEvent) + "\n"); + writeOut(event.toString(bEventFlag, bContentFlag, bHexEvent) + + "\n"); } } } @@ -291,8 +294,9 @@ final class Main { * @param pcr used as a filter. Use -1 to check all pcrs. * @return array list of strings. Null of no events mismatched. */ - public static ArrayList diffEventLogs(final ArrayList eventList, - final ArrayList eventList2, final int pcr) { + public static ArrayList diffEventLogs(final Collection eventList, + final Collection eventList2, + final int pcr) { ArrayList results = new ArrayList(); for (TpmPcrEvent event2 : eventList2) { if (pcr >= 0) { 
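Review bot: The Javadoc kept by this hunk promises `Null of no events mismatched`, yet the first statement of the body initialises `results` to an empty `ArrayList`, so a caller testing for `null` will never see it unless a `return null` exists later in the method, which continues past the end of the hunk. Either correct the contract to `@return array list of strings; empty if no events mismatched.` or return `null` explicitly when the list stays empty, and fix the typo `Null of` to `Null if` in any case. The generic arguments on `ArrayList`/`Collection` look stripped by rendering, so this is not a raw-type concern.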
@@ -317,7 +321,7 @@ final class Main { * @param event single event to match. * @return */ - private static boolean digestMatch(final ArrayList eventLog, + private static boolean digestMatch(final Collection eventLog, final TpmPcrEvent event) { boolean matchFound = false; for (TpmPcrEvent event2 : eventLog) { From 00d3846dfe8b77a06919dff166736d10b0d0056f Mon Sep 17 00:00:00 2001 From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Mon, 9 Nov 2020 15:23:56 -0500 Subject: [PATCH 2/9] Remove default keystore file constant, this file is now an input parameter. --- .../main/java/hirs/swid/CredentialParser.java | 4 +- .../src/main/java/hirs/swid/Main.java | 6 ++- .../main/java/hirs/swid/SwidTagConstants.java | 1 - .../main/java/hirs/swid/SwidTagGateway.java | 50 +++++++++++++++--- .../main/java/hirs/swid/SwidTagValidator.java | 18 +++++-- .../main/java/hirs/swid/utils/Commander.java | 11 ++-- .../java/hirs/swid/TestSwidTagGateway.java | 4 +- .../src/test/resources/keystore.jks | Bin 0 -> 2290 bytes 8 files changed, 76 insertions(+), 18 deletions(-) create mode 100644 tools/tcg_rim_tool/src/test/resources/keystore.jks diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java index e4ca291a..0defcb80 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java @@ -50,9 +50,9 @@ public class CredentialParser { return publicKey; } - public void parseJKSCredentials() { + public void parseJKSCredentials(String jksKeystore) { KeyStore.PrivateKeyEntry privateKeyEntry = - parseKeystorePrivateKey(SwidTagConstants.DEFAULT_KEYSTORE_PATH, + parseKeystorePrivateKey(jksKeystore, SwidTagConstants.DEFAULT_PRIVATE_KEY_ALIAS, SwidTagConstants.DEFAULT_KEYSTORE_PASSWORD); certificate = (X509Certificate) privateKeyEntry.getCertificate(); 
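Review bot: The Javadoc on `digestMatch` leaves `@return` with no description, so the meaning of the boolean is undocumented; from the name and the `matchFound` accumulator it presumably reports whether some event in `eventLog` has the same digest as `event`, so `@return true if an event in eventLog matches the digest of event, false otherwise` would fit — confirm against the loop body, which continues outside the hunk. Widening the parameter to `Collection` is the right call since the method only iterates.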
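Review bot: `parseJKSCredentials` now opens a caller-supplied keystore but still unlocks it with the compile-time `SwidTagConstants.DEFAULT_KEYSTORE_PASSWORD` (`"password"`) and the `selfsigned` alias, so any operator keystore must be built with that well-known password and alias, which undoes most of the benefit of making the path configurable. The password and alias should travel with the path, `public void parseJKSCredentials(String jksKeystore, String alias, char[] password)`, with the defaults applied only by a convenience overload and the password sourced from an option or environment variable rather than a `public static final` constant. At minimum the method needs a Javadoc stating the constraint: `/** Loads the signing key and certificate from the given JKS file; the store must use the tool's default alias and password. */`.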
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java index fd269b4b..f1d2c540 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java @@ -47,6 +47,7 @@ public class Main { System.out.println(commander.toString()); String createType = commander.getCreateType().toUpperCase(); String attributesFile = commander.getAttributesFile(); + String jksKeystoreFile = commander.getKeystoreFile(); String certificateFile = commander.getPublicCertificate(); String privateKeyFile = commander.getPrivateKeyFile(); String rimEventLog = commander.getRimEventLog(); @@ -55,7 +56,10 @@ public class Main { if (!attributesFile.isEmpty()) { gateway.setAttributesFile(attributesFile); } - if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) { + if (!jksKeystoreFile.isEmpty()) { + gateway.setDefaultCredentials(true); + gateway.setJksKeystoreFile(jksKeystoreFile); + } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) { gateway.setDefaultCredentials(false); gateway.setPemCertificateFile(certificateFile); gateway.setPemPrivateKeyFile(privateKeyFile); diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java index 9572018f..6d5721de 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java @@ -12,7 +12,6 @@ import javax.xml.namespace.QName; */ public class SwidTagConstants { - public static final String DEFAULT_KEYSTORE_PATH = "keystore.jks"; public static final String DEFAULT_KEYSTORE_PASSWORD = "password"; public static final String DEFAULT_PRIVATE_KEY_ALIAS = "selfsigned"; public static final String DEFAULT_ATTRIBUTES_FILE = "rim_fields.json"; 
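Review bot: When both `--keystore` and `-k`/`-p` are supplied, the new `if`/`else if` silently prefers the keystore and drops the PEM pair, and `setDefaultCredentials(true)` now also selects an operator-supplied keystore, which the name no longer describes. Consider rejecting the combination up front, e.g. `if (!jksKeystoreFile.isEmpty() && (!certificateFile.isEmpty() || !privateKeyFile.isEmpty())) { System.out.println("Error: specify either --keystore or -k/-p, not both"); return; }` (or whatever error path the rest of `main` uses), or at least print which credential source was chosen. A comment such as `// defaultCredentials == true means: sign with a JKS keystore rather than a PEM key/cert pair` would make the flag's meaning clear. The enclosing `main` body continues outside the hunk.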
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java index 09a8ca0b..46a90026 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java @@ -4,7 +4,13 @@ import com.eclipsesource.json.Json; import com.eclipsesource.json.JsonObject; import com.eclipsesource.json.ParseException; import hirs.swid.utils.HashSwid; -import hirs.swid.xjc.*; +import hirs.swid.xjc.Directory; +import hirs.swid.xjc.Entity; +import hirs.swid.xjc.Link; +import hirs.swid.xjc.ObjectFactory; +import hirs.swid.xjc.ResourceCollection; +import hirs.swid.xjc.SoftwareIdentity; +import hirs.swid.xjc.SoftwareMeta; import org.w3c.dom.Document; import javax.xml.bind.JAXBContext; 
@@ -13,24 +19,47 @@ import javax.xml.bind.JAXBException; import javax.xml.bind.Marshaller; import javax.xml.crypto.MarshalException; import javax.xml.crypto.XMLStructure; -import javax.xml.crypto.dsig.*; +import javax.xml.crypto.dsig.CanonicalizationMethod; +import javax.xml.crypto.dsig.DigestMethod; +import javax.xml.crypto.dsig.Reference; +import javax.xml.crypto.dsig.SignedInfo; +import javax.xml.crypto.dsig.Transform; +import javax.xml.crypto.dsig.XMLSignature; +import javax.xml.crypto.dsig.XMLSignatureException; +import javax.xml.crypto.dsig.XMLSignatureFactory; import javax.xml.crypto.dsig.dom.DOMSignContext; -import javax.xml.crypto.dsig.keyinfo.*; +import javax.xml.crypto.dsig.keyinfo.KeyInfo; +import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory; +import javax.xml.crypto.dsig.keyinfo.KeyName; +import javax.xml.crypto.dsig.keyinfo.KeyValue; +import javax.xml.crypto.dsig.keyinfo.X509Data; import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec; import javax.xml.crypto.dsig.spec.TransformParameterSpec; import javax.xml.namespace.QName; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; -import javax.xml.transform.*; +import javax.xml.transform.OutputKeys; +import javax.xml.transform.Source; +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerConfigurationException; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; import javax.xml.transform.dom.DOMSource; import javax.xml.transform.stream.StreamResult; +import java.io.BufferedReader; import java.io.File; -import java.io.*; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; +import java.io.IOException; import java.math.BigInteger; import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Paths; -import java.security.*; +import java.security.InvalidAlgorithmParameterException; +import java.security.KeyException; +import 
java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.PublicKey; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.ArrayList; @@ -51,6 +80,7 @@ public class SwidTagGateway { private Marshaller marshaller; private String attributesFile; private boolean defaultCredentials; + private String jksKeystoreFile; private String pemPrivateKeyFile; private String pemCertificateFile; private String rimEventLog; @@ -88,6 +118,12 @@ public class SwidTagGateway { this.defaultCredentials = defaultCredentials; } + /** + * Setter for JKS keystore file + * @param jksKeystoreFile + */ + public void setJksKeystoreFile(String jksKeystoreFile) { this.jksKeystoreFile = jksKeystoreFile; } + /** * Setter for private key file in PEM format * @param pemPrivateKeyFile @@ -404,7 +440,7 @@ public class SwidTagGateway { PublicKey publicKey; CredentialParser cp = new CredentialParser(); if (defaultCredentials) { - cp.parseJKSCredentials(); + cp.parseJKSCredentials(jksKeystoreFile); privateKey = cp.getPrivateKey(); publicKey = cp.getPublicKey(); KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier()); diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java index 74c5165e..7c580dae 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java 
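Review bot: The new `setJksKeystoreFile` setter is squeezed onto a single line and its Javadoc `@param jksKeystoreFile` carries no description, so the reader learns nothing about what the path must point to. Suggest the conventional three-line body and `@param jksKeystoreFile path to a JKS keystore holding the signing key under the tool's default alias`, matching the layout of the sibling PEM setters.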
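Review bot: `cp.parseJKSCredentials(jksKeystoreFile)` passes whatever the field holds; when `defaultCredentials` is true but `setJksKeystoreFile` was never called the field is still `null`, so the failure surfaces deep inside the keystore loading code instead of as a clear configuration error. A guard before the call, `if (jksKeystoreFile == null || jksKeystoreFile.isEmpty()) { throw new IllegalStateException("No JKS keystore configured for signing"); }`, keeps the contract explicit for library callers even once the CLI supplies a default. The enclosing method starts and ends outside the hunk.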
@@ -10,20 +10,29 @@ import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBException; import javax.xml.bind.UnmarshalException; import javax.xml.bind.Unmarshaller; -import javax.xml.crypto.*; +import javax.xml.crypto.AlgorithmMethod; +import javax.xml.crypto.KeySelector; +import javax.xml.crypto.KeySelectorException; +import javax.xml.crypto.KeySelectorResult; +import javax.xml.crypto.MarshalException; +import javax.xml.crypto.XMLCryptoContext; +import javax.xml.crypto.XMLStructure; import javax.xml.crypto.dsig.XMLSignature; import javax.xml.crypto.dsig.XMLSignatureException; import javax.xml.crypto.dsig.XMLSignatureFactory; import javax.xml.crypto.dsig.dom.DOMValidateContext; import javax.xml.crypto.dsig.keyinfo.KeyInfo; import javax.xml.crypto.dsig.keyinfo.X509Data; -import javax.xml.transform.*; +import javax.xml.transform.Source; +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerConfigurationException; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; import javax.xml.transform.dom.DOMResult; import javax.xml.transform.stream.StreamSource; import javax.xml.validation.Schema; import javax.xml.validation.SchemaFactory; import java.io.File; -import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; import java.security.Key; @@ -31,6 +40,9 @@ import java.security.PublicKey; import java.security.cert.X509Certificate; import java.util.Iterator; +/** + * This class handles validating base Reference Integrity Manifest files. + */ public class SwidTagValidator { private Unmarshaller unmarshaller; private String rimEventLog; diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java index 2fb0652d..d267d59e 100644 --- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java 
@@ -28,14 +28,17 @@ public class Commander { @Parameter(names = {"-v", "--verify "}, order = 3, description = "Specify a RIM file to verify.") private String verifyFile = ""; - @Parameter(names = {"-k", "--privateKeyFile "}, order = 4, + @Parameter(names = {"--keystore "}, order = 4, + description = "JKS keystore containing a private key to sign the base RIM created by the create function.") + private String keystoreFile = ""; + @Parameter(names = {"-k", "--privateKeyFile "}, order = 5, description = "File containing the private key used to sign the base RIM created by the create function.") private String privateKeyFile = ""; - @Parameter(names = {"-p", "--publicCertificate "}, order = 5, + @Parameter(names = {"-p", "--publicCertificate "}, order = 6, description = "The public key certificate used to verify a RIM file or to embed in a signed RIM. " + "A signed RIM generated by this tool by default will not show the signing certificate without this parameter present.") private String publicCertificate = ""; - @Parameter(names = {"-l", "--rimel "}, order = 6, + @Parameter(names = {"-l", "--rimel "}, order = 7, description = "The TCG eventlog file to use as a support RIM. By default the last system eventlog will be used.") private String rimEventLog = ""; /* @@ -69,6 +72,8 @@ public class Commander { return verifyFile; } + public String getKeystoreFile() { return keystoreFile; } + public String getPrivateKeyFile() { return privateKeyFile; } diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java index 2b420ac6..93883d67 100644 --- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java +++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java 
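Review bot: The `--keystore` description does not tell the user the constraints the tool imposes on that file: the store is opened with the built-in default password and the `selfsigned` alias, and when it is given the `-k`/`-p` pair is ignored. Suggest `description = "JKS keystore containing the private key used to sign the base RIM; must use the tool's default alias and password, and takes precedence over -k/-p."`. The option also has no short form while every sibling does, which is acceptable but worth stating deliberately in the help text.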
@@ -21,6 +21,7 @@ public class TestSwidTagGateway { private final String DEFAULT_WITH_CERT = "generated_with_cert.swidtag"; private final String DEFAULT_NO_CERT = "generated_no_cert.swidtag"; private final String ATTRIBUTES_FILE = TestSwidTagGateway.class.getClassLoader().getResource("rim_fields.json").getPath(); + private final String JKS_KEYSTORE_FILE = TestSwidTagGateway.class.getClassLoader().getResource("keystore.jks").getPath(); private final String SIGNING_CERT_FILE = TestSwidTagGateway.class.getClassLoader().getResource("RimSignCert.pem").getPath(); private final String PRIVATE_KEY_FILE = TestSwidTagGateway.class.getClassLoader().getResource("privateRimKey.pem").getPath(); private final String SUPPORT_RIM_FILE = TestSwidTagGateway.class.getClassLoader().getResource("TpmLog.bin").getPath(); @@ -48,7 +49,7 @@ public class TestSwidTagGateway { * where RimSignCert.pem has the AIA extension. */ @Test - public void testCreateBaseWithCert() throws URISyntaxException { + public void testCreateBaseWithCert() { gateway.setDefaultCredentials(false); gateway.setPemCertificateFile(SIGNING_CERT_FILE); gateway.setPemPrivateKeyFile(PRIVATE_KEY_FILE); @@ -64,6 +65,7 @@ public class TestSwidTagGateway { @Test public void testCreateBaseWithoutCert() { gateway.setDefaultCredentials(true); + gateway.setJksKeystoreFile(JKS_KEYSTORE_FILE); gateway.generateSwidTag(DEFAULT_OUTPUT); expectedFile = (InputStream) TestSwidTagGateway.class.getClassLoader().getResourceAsStream(DEFAULT_NO_CERT); Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); 
diff --git a/tools/tcg_rim_tool/src/test/resources/keystore.jks b/tools/tcg_rim_tool/src/test/resources/keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..2877d7f4c9d5c1f8d1b80c74e05e60b1e1652a2b GIT binary patch literal 2290 zcmbtVc{J1w7oLsGn906Gh6s`Pp=`ZTjU^${$XX&pNTDocna|iswvg1=!<1#LV=}g3 z@Fs+$?E8`_JIV4=-}%n_|M$oJ<9Y5q=dR~IyUblC2n2%c8~C>&9^mdeK5%xrhjZAc z-2eV~Uj_tXfdB;9E^wF?agr4b1It3Vz+e^-i~ySlupF90qB{>7dBx0D1`ekmc?WOq zEr`l#rq)U|Aw*{}j3m8}qCFp$uAtdNUt_mlnr!6OGOcOq540d7+0EfV(a4DmEf=%p zt6RJPdU&R1w#(%aAzj#Z4jChnSa|HtSkCUTXoMfY%ucR+n3~KjnSvd!87;HlrC&{O z>2J>z7wYv)x>mK)-(DXkrsuBh5;)%D{q$rNjhy8yQ&M0avprSx^+{1Ev2|tAJ<7&g zGqjVu7E>n0I%!lSu5f?g=PD%7MF~Yt*VrhD#;To~J%d`>Xz;I-&2*&XKc*FX2F46y z%afw|Ac#qSkqv+QK;J5Mi1g1dzj7%qInN^QS5$K)8>I`KtJ` zUK4*)NVTSa;?lR34js0oxa*SJr#(5OB)hH6qT~k?FGe!YwXV8msMk4__lT_HKYs5r zc9au(%tf@PpXQv~puxXYQbxSL$B)YxdyYtOc?Zja9HwW-=*tbG>n0v&OA7dNUKPVK z;dK|S>eRo&o9LyEt+srRs*?*awsgF8i`Y$C_bryHowTQVKT`Y(ZWzVnHSl>5V9f+Qw+dHR?LTrV2;yIopO?H)tVXF{^8O8w3c+s_4L&*>L*2biXl zO^PLb2>MTn3}tMon&0*3X3$%{S87v|)fUWI#;EQLXyw&`ooJEUVo}d-C(YjH5)O`g zocn3IZNUHyP(wL=hV>D{uNt3i2e}L2gx)aDXPMf0UUcJpads%a^b&HXXVRBsnUT9?6L@1So_e?*-E_|bHjsv zZD>tt>A*o(of6N`n)UY;#IBA?3wFsTgrF>{65^Nq_)0eKHJk3l<4@TnP9C4m%DbGz z?`0T-Kjjp!&}XFKx^;YfYFp)O)|q&@9Dbz6-8O|vZ^rs@6#IC#cq!Kcexa(nQKf6i zd5F-qscbru$l28t|2eI3QahVOX6 zNsNf1Qv;l>L#OWC(w7{i>24Z@Csj>l?O|htqo+F3_xQ$jDK-940Hq872jC9`Z2sS*!oZO~Nx5-G?(G4e&*efYr>Ob$FnmG!#5n6UQmfWPR zTO4u%-2z-Xx2N^tYCwJe65vY{8?y}IGn_=8{M>kuixO`Up2D3(gRc=P4A`cRdIl+n1q z3hhiBe=%C(7|)6jMy;LIFgBGA+vYbY*{uGrLbaVA$h*{%;yaFi%h6}8bPU8nuqEWV z#fKxAA)!a*KiMG@ij~A)We4${;EP1B$N9V#b-w=OG#V{+8XLtCWjtYKDih;G?Nm+u zB2UFEPsc!@U=TR_KHvt3><>}oFpM9@t1wKN=>oFEUXj3ILdnL=h2@$CK=i;Z0TTrH z|HG@BNnsAW_OR{ho_QSg*NuBG=*eoo4@ZOt1_3|-`#~%R3RQ*{Rp zzjz-?b2uS`yc>{~!#u=IGspMsNxgwQ)M9Oxfxig}?$eshZxk~k#aI7@w_phAVXWlT zH`7j+r6>u%ItH`o5fdvovh2RLfM~B~#bRng9jmsE_i_@_Df;;I{lWHkovi7|7;g{|l>B5L2 zdD>Q6z4A*Crv3bh*l0r>r4{_^t>++B2)UGEme!WgI`?GR2D0cJ{mrxdz27lUqA8go 
jO()V!LGJC};w%DUvMt_eO1|oUKT&5*!YtcZPrLsE4Iu|3 literal 0 HcmV?d00001 From 118254e6602b2b7f5ed02b2dce7ac606b3908d9e Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 9 Nov 2020 13:04:11 -0500 Subject: [PATCH 3/9] Updated build.gradle for tcg_eventlog_tool so that the vendor UEFI ID table is also copied over and installed for tool usage. --- tools/tcg_eventlog_tool/build.gradle | 67 ++++++++++++++++------------ 1 file changed, 38 insertions(+), 29 deletions(-) diff --git a/tools/tcg_eventlog_tool/build.gradle b/tools/tcg_eventlog_tool/build.gradle index 9a44691a..a78e0743 100644 --- a/tools/tcg_eventlog_tool/build.gradle +++ b/tools/tcg_eventlog_tool/build.gradle @@ -6,7 +6,7 @@ apply plugin: 'nebula.ospackage' version = '1.0' repositories { - mavenCentral() + mavenCentral() } dependencies { @@ -38,21 +38,21 @@ findbugs { } jar { - manifest { - attributes("Main-Class": "hirs.tcg_eventlog.Main", - "Class-Path": configurations.runtime.files.collect { "lib/$it.name" }.join(' ') - ) - } - from(configurations.compile.collect { it.isDirectory() ? it : zipTree(it) }) {} - exclude 'META-INF/*.RSA', 'META-INF/*.SF', 'META-INF/*.DSA' + manifest { + attributes("Main-Class": "hirs.tcg_eventlog.Main", + "Class-Path": configurations.runtime.files.collect { "lib/$it.name" }.join(' ') + ) + } + from(configurations.compile.collect { it.isDirectory() ? it : zipTree(it) }) {} + exclude 'META-INF/*.RSA', 'META-INF/*.SF', 'META-INF/*.DSA' } uploadArchives { - repositories { - flatDir { - dirs "${buildDir}" - } - } + repositories { + flatDir { + dirs "${buildDir}" + } + } } buildscript { 
@@ -66,15 +66,15 @@ buildscript { // Produce packages ospackage { - packageName='tcg_eventlog_tool' - os=LINUX - arch=NOARCH - version='1.0.0' - release='1' + packageName = 'tcg_eventlog_tool' + os = LINUX + arch = NOARCH + version = '1.0.0' + release = '1' into '/opt/hirs/eventlog' user 'root' - fileMode=0755 + fileMode = 0755 from(jar.outputs.files) { into 'lib' @@ -88,29 +88,38 @@ ospackage { from('scripts') { exclude { FileTreeElement details -> - details.file.name.endsWith('.bat') + details.file.name.endsWith('.bat') } into 'scripts' } from('docs') { exclude { FileTreeElement details -> - details.file.name.endsWith('.odt') + details.file.name.endsWith('.odt') } into 'docs' } from('./') { include { FileTreeElement details -> - details.file.name.endsWith('.md') + details.file.name.endsWith('.md') } into './' - link("/usr/local/bin/elt","/opt/hirs/eventlog/scripts/eventlog.sh",0x755 ) + link("/usr/local/bin/elt", "/opt/hirs/eventlog/scripts/eventlog.sh", 0x755) + } + + into('/opt/hirs/default-properties/') { + fileMode 0664 + from ('../../HIRS_Utils/src/main/resources/vendor-table.json') { + addParentDirs true + createDirectoryEntry true + } + } + + buildRpm { + arch = I386 + } + buildDeb { + arch = I386 } -buildRpm { - arch = I386 -} -buildDeb { - arch = I386 -} } \ No newline at end of file From d35aaac41dd62c2e4319d88e9c78931c46c34498 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 9 Nov 2020 13:21:20 -0500 Subject: [PATCH 4/9] Updated version number --- tools/tcg_eventlog_tool/build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/tcg_eventlog_tool/build.gradle b/tools/tcg_eventlog_tool/build.gradle index a78e0743..675b5978 100644 --- a/tools/tcg_eventlog_tool/build.gradle +++ b/tools/tcg_eventlog_tool/build.gradle @@ -69,7 +69,7 @@ ospackage { packageName = 'tcg_eventlog_tool' os = LINUX arch = NOARCH - version = '1.0.0' + version = '2.0.0' release = '1' into '/opt/hirs/eventlog' 
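Review bot: The new `into('/opt/hirs/default-properties/')` block installs `vendor-table.json` with `fileMode 0664`, giving group write on a lookup table the event-log tool trusts to resolve vendor UEFI IDs; a root-owned, read-only `fileMode 0644` is the usual mode for packaged data and does not rely on group membership alone to prevent tampering. In the same hunk the reformatted `link("/usr/local/bin/elt", "/opt/hirs/eventlog/scripts/eventlog.sh", 0x755)` uses a hexadecimal literal where octal `0755` is intended (`0x755` is 1877 decimal); this predates the change but is on the new side now. Moving `buildRpm { }`/`buildDeb { }` inside the `ospackage { }` closure presumably still resolves to the project tasks through closure delegation, but it reads as if they were ospackage properties, so confirm both packages are still produced with `arch = I386`.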
From 43208332ae4f7b1fb8d5ca13ff26d0d46b483933 Mon Sep 17 00:00:00 2001
From: chubtub <43381989+chubtub@users.noreply.github.com>
Date: Tue, 10 Nov 2020 08:04:41 -0500
Subject: [PATCH 5/9] Add default keystore in case of no input
---
 .../src/main/java/hirs/swid/Main.java | 3 +++
 .../main/java/hirs/swid/SwidTagConstants.java | 1 +
 .../main/java/hirs/swid/utils/Commander.java | 23 +++++++++++++------
 3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
index f1d2c540..56c911e0 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
@@ -63,6 +63,9 @@ public class Main {
 gateway.setDefaultCredentials(false);
 gateway.setPemCertificateFile(certificateFile);
 gateway.setPemPrivateKeyFile(privateKeyFile);
+ } else {
+ gateway.setDefaultCredentials(true);
+ gateway.setJksKeystoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
 }
 if (rimEventLog.isEmpty()) {
 System.out.println("Error: a support RIM is required!");
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java
index 6d5721de..0342ca9c 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagConstants.java
@@ -12,6 +12,7 @@ import javax.xml.namespace.QName;
 */
 public class SwidTagConstants {
+ public static final String DEFAULT_KEYSTORE_FILE = "/opt/hirs/rimtool/keystore.jks";
 public static final String DEFAULT_KEYSTORE_PASSWORD = "password";
 public static final String DEFAULT_PRIVATE_KEY_ALIAS = "selfsigned";
 public static final String DEFAULT_ATTRIBUTES_FILE = "rim_fields.json";
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java
index d267d59e..d18282e5 100644
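Review bot: The new `else` branch silently signs with `SwidTagConstants.DEFAULT_KEYSTORE_FILE` (`/opt/hirs/rimtool/keystore.jks`), a keystore that ships inside the package and is unlocked with the public default password, so a RIM produced without `--keystore` or `-k`/`-p` carries a signature anyone holding the package can reproduce. Operators should not get that by accident: print a warning before using it, e.g. `System.out.println("Warning: no signing credentials given; signing with the packaged default keystore " + SwidTagConstants.DEFAULT_KEYSTORE_FILE + " (not suitable for production)");`, and consider requiring an explicit opt-in flag instead of a silent fallback. The enclosing `main` body continues outside the hunk.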
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java +++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/Commander.java @@ -7,6 +7,7 @@ import java.nio.file.InvalidPathException; import java.nio.file.Paths; import com.beust.jcommander.Parameter; +import hirs.swid.SwidTagConstants; /** * Commander is a class that handles the command line arguments for the SWID 
@@ -115,13 +116,21 @@ public class Commander { } public String toString() { StringBuilder sb = new StringBuilder(); - sb.append("Creating: " + getCreateType() + System.lineSeparator()); - sb.append("Using attributes file: " + getAttributesFile() + System.lineSeparator()); - sb.append("Write to: " + getOutFile() + System.lineSeparator()); - sb.append("Verify file: " + getVerifyFile() + System.lineSeparator()); - sb.append("Private key file: " + getPrivateKeyFile() + System.lineSeparator()); - sb.append("Public certificate: " + getPublicCertificate() + System.lineSeparator()); - sb.append("Event log support RIM: " + getRimEventLog() + System.lineSeparator()); + sb.append("Creating: " + this.getCreateType() + System.lineSeparator()); + sb.append("Using attributes file: " + this.getAttributesFile() + System.lineSeparator()); + sb.append("Write to: " + this.getOutFile() + System.lineSeparator()); + sb.append("Verify file: " + this.getVerifyFile() + System.lineSeparator()); + if (!this.getKeystoreFile().isEmpty()) { + sb.append("Keystore file: " + this.getKeystoreFile() + System.lineSeparator()); + } else if (!this.getPrivateKeyFile().isEmpty() && + !this.getPublicCertificate().isEmpty()) { + sb.append("Private key file: " + this.getPrivateKeyFile() + System.lineSeparator()); + sb.append("Public certificate: " + this.getPublicCertificate() + System.lineSeparator()); + } else { + sb.append("Keystore file: default (" + SwidTagConstants.DEFAULT_KEYSTORE_FILE + ")" + + System.lineSeparator()); + } + sb.append("Event log support RIM: " + this.getRimEventLog() + System.lineSeparator()); /* sb.append("TPM PCRs support RIM: " + getRimPcrs() + System.lineSeparator()); sb.append("Base RIM to be signed: " + getToBeSigned() + System.lineSeparator()); From dbfdcdf9fd789d545713c7cf2528805bf825a63c Mon Sep 17 00:00:00 2001 
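Review bot: The credential-selection rule (keystore, else PEM pair, else packaged default) is now spelled out twice, here in `toString` and again in `Main`, and the two copies can drift; a single accessor on `Commander` such as `public boolean usesKeystore() { return !keystoreFile.isEmpty(); }` with a `usesPemPair()` counterpart would let both sites share it. In the `else` branch the summary reports the default keystore even when the user supplied only one of `-k`/`-p`, which hides a likely mistake; a line such as `sb.append("Warning: -k and -p must be given together; falling back to the default keystore." + System.lineSeparator());` in that case would surface it.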
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Tue, 10 Nov 2020 15:39:47 -0500 Subject: [PATCH 6/9] Update version to 2.0.0 --- tools/tcg_rim_tool/build.gradle | 2 +- tools/tcg_rim_tool/scripts/rimtool.sh | 2 +- .../src/test/java/hirs/swid/TestSwidTagGateway.java | 4 ++-- tools/tcg_rim_tool/tcg_rim_tool.spec | 6 ++++-- 4 files changed, 8 insertions(+), 6 deletions(-) diff --git a/tools/tcg_rim_tool/build.gradle b/tools/tcg_rim_tool/build.gradle index 22a7ae16..423e0ced 100644 --- a/tools/tcg_rim_tool/build.gradle +++ b/tools/tcg_rim_tool/build.gradle @@ -1,5 +1,5 @@ apply plugin: 'java' -version = '1.0' +version = '2.0.0' repositories { mavenCentral() diff --git a/tools/tcg_rim_tool/scripts/rimtool.sh b/tools/tcg_rim_tool/scripts/rimtool.sh index 30e731c1..8b0fc5b1 100644 --- a/tools/tcg_rim_tool/scripts/rimtool.sh +++ b/tools/tcg_rim_tool/scripts/rimtool.sh @@ -3,6 +3,6 @@ # Calls the the_tcg_rim_tool and passes in parameters scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")") baseDir=${scriptDir%/*} -jar="tcg_rim_tool-1.0.jar"; +jar="tcg_rim_tool-2.0.0.jar"; java -jar $baseDir/$jar "$@" diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java index 93883d67..554f3ca5 100644 --- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java +++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java @@ -54,7 +54,7 @@ public class TestSwidTagGateway { gateway.setPemCertificateFile(SIGNING_CERT_FILE); gateway.setPemPrivateKeyFile(PRIVATE_KEY_FILE); gateway.generateSwidTag(DEFAULT_OUTPUT); - expectedFile = (InputStream) TestSwidTagGateway.class.getClassLoader().getResourceAsStream(DEFAULT_WITH_CERT); + expectedFile = TestSwidTagGateway.class.getClassLoader().getResourceAsStream(DEFAULT_WITH_CERT); Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); } 
@@ -67,7 +67,7 @@ public class TestSwidTagGateway { gateway.setDefaultCredentials(true); gateway.setJksKeystoreFile(JKS_KEYSTORE_FILE); gateway.generateSwidTag(DEFAULT_OUTPUT); - expectedFile = (InputStream) TestSwidTagGateway.class.getClassLoader().getResourceAsStream(DEFAULT_NO_CERT); + expectedFile = TestSwidTagGateway.class.getClassLoader().getResourceAsStream(DEFAULT_NO_CERT); Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT)); } diff --git a/tools/tcg_rim_tool/tcg_rim_tool.spec b/tools/tcg_rim_tool/tcg_rim_tool.spec index 84230204..ed6f5a0d 100644 --- a/tools/tcg_rim_tool/tcg_rim_tool.spec +++ b/tools/tcg_rim_tool/tcg_rim_tool.spec @@ -1,5 +1,5 @@ Name: tcg_rim_tool -Version: 1.0 +Version: 2.0.0 Release: 1%{?dist} Summary: A java command-line tool to create PC client root RIM @@ -23,7 +23,7 @@ rm -f /opt/hirs/rimtool/%{name}*.jar %install mkdir -p %{buildroot}/opt/hirs/rimtool/ %{buildroot}/usr/local/bin -cp build/libs/%{name}-%{version}.jar %{buildroot}/opt/hirs/rimtool/ +cp build/libs/tools/%{name}-%{version}.jar %{buildroot}/opt/hirs/rimtool/ cp ./rim_fields.json %{buildroot}/opt/hirs/rimtool/ cp ./keystore.jks %{buildroot}/opt/hirs/rimtool/ cp -r ./scripts/ %{buildroot}/opt/hirs/rimtool/ @@ -39,6 +39,8 @@ ln -sf /opt/hirs/rimtool/scripts/rimtool.sh %{buildroot}/usr/local/bin/rim %attr(755, root, root) /opt/hirs/rimtool/scripts/rimtool.sh %changelog +* Tue Nov 10 2020 chubtub +- Second release * Mon Jun 15 2020 chubtub - First release * Mon Jan 6 2020 chubtub From 6eeb630a75264aad7a37a17c593b05737c6f78d2 Mon Sep 17 00:00:00 2001 
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Thu, 12 Nov 2020 13:45:38 -0500
Subject: [PATCH 7/9] This PR addresses the bugs identified in #314. Due to previous changes to the RIM upload process, the suppor RIM was not being updated properly when manually uploaded. Closes #314
---
 .../AbstractAttestationCertificateAuthority.java | 13 +++++++++++--
 .../ReferenceManifestDetailsPageController.java | 16 ++++++++++------
 2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
index f990bd26..e3051ee0 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@@ -736,7 +736,7 @@ public abstract class AbstractAttestationCertificateAuthority
 String clientName = String.format("%s_%s", dv.getHw().getManufacturer(), dv.getHw().getProductName());
- ReferenceManifest dbBaseRim;
+ ReferenceManifest dbBaseRim = null;
 ReferenceManifest support;
 String tagId = "";
 String fileName = "";
@@ -798,7 +798,16 @@ public abstract class AbstractAttestationCertificateAuthority
 support.setTagId(tagId);
 this.referenceManifestManager.save(support);
 } else {
- LOG.info("Client provided Support RIM already loaded in database.");
+ LOG.error("Client provided Support RIM already loaded in database.");
+ if (dbBaseRim != null) {
+ support.setPlatformManufacturer(dbBaseRim.getPlatformManufacturer());
+ support.setPlatformModel(dbBaseRim.getPlatformModel());
+ support.setSwidTagVersion(dbBaseRim.getSwidTagVersion());
+ support.setAssociatedRim(dbBaseRim.getId());
+ support.setTagId(dbBaseRim.getTagId());
+ }
+
+ this.referenceManifestManager.update(support);
 }
 } catch (IOException ioEx) {
 LOG.error(ioEx);
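Review bot: The `else` branch now logs `Client provided Support RIM already loaded in database.` at `error` level although a re-sent support RIM is an expected path, and it calls `referenceManifestManager.update(support)` even when `dbBaseRim` is `null` and nothing on `support` was changed; `LOG.info` (or `warn`) and moving the `update` call inside the `if (dbBaseRim != null)` block would keep both logs and writes meaningful. More importantly, the block rebinds an already-stored support RIM's manufacturer, model, version, `associatedRim` and `tagId` to `dbBaseRim`; if `dbBaseRim` is resolved from what the attesting client sent rather than from an operator-uploaded record (its assignment is outside the hunk), a client could re-associate server-side RIMs at will, so this is worth confirming and pinning with a comment such as `// dbBaseRim must come from the trusted DB lookup, never from the client's upload`. The enclosing method starts and ends outside the hunk.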
diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java
index 20a9b317..4d95f87f 100644
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java
@@ -293,8 +293,11 @@ public class ReferenceManifestDetailsPageController
 final ReferenceManifestManager referenceManifestManager) throws IOException, CertificateException, NoSuchAlgorithmException {
 HashMap data = new HashMap<>();
+ EventLogMeasurements measurements = null;
- if (support.getAssociatedRim() == null) {
+ if (support.getAssociatedRim() == null
+ && (support.getPlatformManufacturer() != null
+ && !support.getPlatformManufacturer().isEmpty())) {
 ReferenceManifest baseRim = BaseReferenceManifest.select(referenceManifestManager) .byManufacturer(support.getPlatformManufacturer()).getRIM();
 if (baseRim != null) {
@@ -305,16 +308,16 @@ public class ReferenceManifestDetailsPageController
 LOGGER.error("Failed to update Support RIM", ex);
 }
 }
+ measurements = EventLogMeasurements.select(referenceManifestManager)
+ .byManufacturer(support.getPlatformManufacturer()).getRIM();
 }
+ data.put("baseRim", support.getTagId());
 data.put("associatedRim", support.getAssociatedRim());
 data.put("rimType", support.getRimType());
 data.put("tagId", support.getTagId());
 TCGEventLog logProcessor = new TCGEventLog(support.getRimBytes());
- EventLogMeasurements measurements = EventLogMeasurements.select(referenceManifestManager)
- .byManufacturer(support.getPlatformManufacturer()).getRIM();
-
 LinkedList tpmPcrEvents = new LinkedList<>();
 TCGEventLog measurementsProcess;
 if (measurements != null) {
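Review bot: `measurements` is now only looked up inside the `if (support.getAssociatedRim() == null && ...)` block, so a support RIM that already has an associated base RIM (the steady state after the first visit) never gets its `EventLogMeasurements` loaded and the later `if (measurements != null)` comparison is skipped, which looks like a regression rather than the stated bug fix. If the intent was only to avoid the lookup when the manufacturer is unknown, hoist it after the association block: `if (support.getPlatformManufacturer() != null && !support.getPlatformManufacturer().isEmpty()) { measurements = EventLogMeasurements.select(referenceManifestManager).byManufacturer(support.getPlatformManufacturer()).getRIM(); }`. The enclosing method begins and ends outside the hunk.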
@@ -327,10 +330,11 @@ public class ReferenceManifestDetailsPageController } tpmPcrEvents.add(tpe); } + data.put("events", tpmPcrEvents); + } else { + data.put("events", logProcessor.getEventList()); } - data.put("events", tpmPcrEvents); - return data; } From 4291059142db0a8a2327bed09876a6bbd0540d99 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 16 Nov 2020 12:39:57 -0500 Subject: [PATCH 8/9] Updated the break line option for failed string during firmware validation. --- .../service/SupplyChainValidationServiceImpl.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index be430c30..a2a1e889 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java @@ -352,11 +352,11 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe validationObject = baseReferenceManifest; String failedString = ""; if (baseReferenceManifest == null) { - failedString = "Base Reference Integrity Manifest%n"; + failedString = "Base Reference Integrity Manifest\n"; passed = false; } if (supportReferenceManifest == null) { - failedString += "Support Reference Integrity Manifest%n"; + failedString += "Support Reference Integrity Manifest\n"; passed = false; } if (measurement == null) { From e3b5d164a3680b8f0bbae407be8ee79ac349acc0 Mon Sep 17 00:00:00 2001 
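Review bot: `tpmPcrEvents` is now consumed only inside the `if (measurements != null)` branch since `data.put("events", tpmPcrEvents)` moved into it, so its declaration (context in the previous hunk, `LinkedList tpmPcrEvents = new LinkedList<>();`) can move into the branch as well. The new `else` branch publishes the raw `logProcessor.getEventList()` under the same `"events"` key as the compared list; a comment such as `// no measurements RIM to compare against: show the support RIM's own events unannotated` would make the fallback visible, and if the two lists differ in element type the view has to tolerate both. The enclosing method starts outside the hunk.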
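Review bot: The `if (measurement == null)` branch that follows is cut off by the hunk; if it appends its own name with `%n`, it needs the same `\n` change, because `failedString` is built by plain `+=` concatenation and `%n` is only expanded by `String.format`. A short comment on the first assignment, `// plain "\n": failedString is concatenated, never passed through String.format`, would keep the next reader from reverting this. The enclosing method starts and ends outside the hunk.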
From: chubtub <43381989+chubtub@users.noreply.github.com> Date: Fri, 13 Nov 2020 10:33:01 -0500 Subject: [PATCH 9/9] Add SKI to front end. Extract PK from base RIM to validate signature if not found in db --- ...eferenceManifestDetailsPageController.java | 25 +++--- .../main/webapp/WEB-INF/jsp/rim-details.jsp | 20 ++++- .../utils/ReferenceManifestValidator.java | 79 ++++++++++++++----- 3 files changed, 89 insertions(+), 35 deletions(-) diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index 20a9b317..bde70841 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java @@ -5,7 +5,6 @@ import hirs.data.persist.EventLogMeasurements; import hirs.data.persist.ReferenceManifest; import hirs.data.persist.SupportReferenceManifest; import hirs.data.persist.SwidResource; -import hirs.data.persist.certificate.Certificate; import hirs.data.persist.certificate.CertificateAuthorityCredential; import hirs.persist.CertificateManager; import hirs.persist.DBManagerException; @@ -26,6 +25,7 @@ import java.util.LinkedList; import java.util.List; import java.util.ArrayList; import java.util.Map; +import java.util.Set; import java.util.UUID; import hirs.tpm.eventlog.TpmPcrEvent; 
@@ -262,17 +262,20 @@ public class ReferenceManifestDetailsPageController RIM_VALIDATOR.validateXmlSignature(new ByteArrayInputStream(baseRim.getRimBytes())); data.put("signatureValid", RIM_VALIDATOR.isSignatureValid()); - if (RIM_VALIDATOR.isSignatureValid()) { - LOGGER.info("Public key: " + RIM_VALIDATOR.getPublicKey().toString()); - try { - Certificate certificate = - CertificateAuthorityCredential.select(certificateManager) - .byEncodedPublicKey(RIM_VALIDATOR.getPublicKey().getEncoded()) - .getCertificate(); - data.put("issuerID", certificate.getId().toString()); - } catch (NullPointerException e) { - LOGGER.info("Unable to get signing certificate link: " + e.getMessage()); + data.put("skID", RIM_VALIDATOR.getSubjectKeyIdentifier()); + try { + Set certificates = + CertificateAuthorityCredential.select(certificateManager) + .getCertificates(); + for (CertificateAuthorityCredential cert : certificates) { + if (Arrays.equals(cert.getEncodedPublicKey(), + RIM_VALIDATOR.getPublicKey().getEncoded())) { + LOGGER.info("Found matching cert!"); + data.put("issuerID", cert.getId().toString()); + } } + } catch (NullPointerException e) { + LOGGER.error("Unable to link signing certificate: " + e.getMessage()); } return data; } diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp index 189c22c4..558dcb44 100644 --- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp +++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp @@ -335,15 +335,27 @@ - - - - + + +
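Review bot: The certificate match now runs unconditionally and relies on `catch (NullPointerException e)` to cover `RIM_VALIDATOR.getPublicKey()` being null (the validator initialises `publicKey` to null and only assigns it after a successful key selection), which turns an expected state into exception-driven control flow and also hides any other NPE raised inside the loop. Checking the key explicitly, hoisting `getEncoded()` out of the loop and stopping at the first match preserves the behaviour and drops the catch; if `getCertificates()` can return null, test for that the same way. A matching certificate is recorded as `issuerID` even when `signatureValid` is false, so the view must not read `issuerID` as proof that the signature was verified by that certificate. `java.util.Arrays` is not visible in this file's import hunks; it must already be imported for `Arrays.equals` to compile, and the raw `Set` could be `Set<CertificateAuthorityCredential>` if `getCertificates()` is generic. The enclosing method starts outside the hunk.
```java
data.put("skID", RIM_VALIDATOR.getSubjectKeyIdentifier());
// No key selected (unsigned, unparseable or failed signature): nothing to link.
if (RIM_VALIDATOR.getPublicKey() != null) {
    byte[] signingKey = RIM_VALIDATOR.getPublicKey().getEncoded();
    Set certificates =
            CertificateAuthorityCredential.select(certificateManager).getCertificates();
    if (certificates != null) {
        for (CertificateAuthorityCredential cert : certificates) {
            if (Arrays.equals(cert.getEncodedPublicKey(), signingKey)) {
                data.put("issuerID", cert.getId().toString());
                break;
            }
        }
    }
} else {
    LOGGER.warn("No signing key available; cannot link signing certificate");
}
return data;
```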
+ + + + + +
+
+ + +
Subject Key Identifier: ${initialData.skID}
+
+
+
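Review bot: `${initialData.skID}` is rendered with plain EL, which does not HTML-escape, and its value is the text of the `KeyName` element read from the uploaded RIM's signature, i.e. content supplied with the upload; unless the surrounding markup (not recoverable in this hunk) already escapes it, render it as `<c:out value="${initialData.skID}"/>` so an uploaded RIM cannot inject markup into the details page. The same consideration applies to any other RIM-derived text shown alongside it.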
diff --git a/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java b/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java index d8963592..6bb931cf 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java +++ b/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java @@ -23,6 +23,7 @@ import javax.xml.crypto.dsig.XMLSignatureException; import javax.xml.crypto.dsig.XMLSignatureFactory; import javax.xml.crypto.dsig.dom.DOMValidateContext; import javax.xml.crypto.dsig.keyinfo.KeyInfo; +import javax.xml.crypto.dsig.keyinfo.KeyValue; import javax.xml.crypto.dsig.keyinfo.X509Data; import javax.xml.transform.Source; import javax.xml.transform.Transformer; @@ -36,6 +37,7 @@ import javax.xml.validation.SchemaFactory; import java.io.IOException; import java.io.InputStream; import java.security.Key; +import java.security.KeyException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; @@ -64,6 +66,7 @@ public class ReferenceManifestValidator { private Unmarshaller unmarshaller; private PublicKey publicKey; private Schema schema; + private String subjectKeyIdentifier; private boolean signatureValid, supportRimValid; /** @@ -93,6 +96,14 @@ public class ReferenceManifestValidator { return publicKey; } + /** + * Getter for subjectKeyIdentifier. + * @return subjectKeyIdentifier + */ + public String getSubjectKeyIdentifier() { + return subjectKeyIdentifier; + } + /** * This default constructor creates the Schema object from SCHEMA_URL immediately to save * time during validation calls later. @@ -106,6 +117,7 @@ public class ReferenceManifestValidator { signatureValid = false; supportRimValid = false; publicKey = null; + subjectKeyIdentifier = ""; } catch (SAXException e) { LOGGER.warn("Error setting schema for validation!"); } 
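Review bot: The Javadoc on the new `getSubjectKeyIdentifier()` only restates its name; it should say where the value comes from and when it is populated, e.g. `@return text of the signature's {@code KeyName} element as captured by the last validateXmlSignature call; {@code ""} before any validation`. It is also worth stating that this value is read from the document itself and is never checked against the selected key, so callers should treat it as a lookup hint rather than a verified identifier.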
@@ -192,22 +204,21 @@ public class ReferenceManifestValidator { if (nodes.getLength() == 0) { throw new Exception("Signature element not found!"); } - NodeList embeddedCert = doc.getElementsByTagName("X509Data"); - if (embeddedCert.getLength() > 0) { - X509KeySelector keySelector = new ReferenceManifestValidator.X509KeySelector(); - context = new DOMValidateContext(keySelector, nodes.item(0)); - XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM"); - XMLSignature signature = sigFactory.unmarshalXMLSignature(context); - isValid = signature.validate(context); - publicKey = keySelector.getPublicKey(); - } else { - LOGGER.info("Signing certificate not found for validation!"); - } - } catch (MarshalException | XMLSignatureException e) { - LOGGER.warn(e.getMessage()); + X509KeySelector keySelector = new ReferenceManifestValidator.X509KeySelector(); + context = new DOMValidateContext(keySelector, nodes.item(0)); + XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM"); + XMLSignature signature = sigFactory.unmarshalXMLSignature(context); + isValid = signature.validate(context); + publicKey = keySelector.getPublicKey(); + subjectKeyIdentifier = getKeyName(doc); + } catch (MarshalException e) { + LOGGER.warn("Error while unmarshalling XML signature: " + e.getMessage()); + } catch (XMLSignatureException e) { + LOGGER.warn("Error while validating XML signature: " + e.getMessage()); + } catch (KeySelectorException e) { + LOGGER.warn("Public key not found in XML signature: " + e.getMessage()); } catch (Exception e) { LOGGER.warn(e.getMessage()); - LOGGER.info(e.getMessage()); } return isValid; 
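Review bot: With the `X509Data` guard removed the key selector now also accepts a `KeyValue` carried in the document, so `isValid` becomes true for any RIM whose signature is consistent with a key the RIM itself supplies; trust in that key must be established separately (the portal's comparison against stored CA certificates does this) and the method's Javadoc should say so, e.g. `A valid result only shows the signature matches the key found in the document (X509Data or KeyValue); it does not establish that the key is trusted.` `subjectKeyIdentifier` is assigned only after `validate` returns, so on any exception it keeps its previous value; if the validator instance is shared across calls (the portal's `RIM_VALIDATOR` looks like one), resetting `publicKey` and `subjectKeyIdentifier` at the start of the method would avoid reporting stale values from an earlier document. The enclosing method starts outside the hunk.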
@@ -222,7 +233,12 @@ public class ReferenceManifestValidator { private PublicKey publicKey; /** - * This method selects an X509 cert based on the provided algorithm. + * This method selects a public key for validation. + * PKs are parsed preferentially from the following elements: + * - X509Data + * - KeyValue + * The parsed PK is then verified based on the provided algorithm before + * being returned in a KeySelectorResult. * * @param keyinfo object containing the cert. * @param purpose purpose. @@ -246,15 +262,23 @@ public class ReferenceManifestValidator { Object object = dataItr.next(); if (object instanceof X509Certificate) { publicKey = ((X509Certificate) object).getPublicKey(); - if (areAlgorithmsEqual(algorithm.getAlgorithm(), - publicKey.getAlgorithm())) { - return new ReferenceManifestValidator.X509KeySelector - .RIMKeySelectorResult(publicKey); - } + break; } } + } else if (element instanceof KeyValue) { + try { + publicKey = ((KeyValue) element).getPublicKey(); + } catch (KeyException e) { + LOGGER.warn("KeyException thrown while getting PK from KeyValue: " + + e.getMessage()); + } } } + if (areAlgorithmsEqual(algorithm.getAlgorithm(), + publicKey.getAlgorithm())) { + return new ReferenceManifestValidator.X509KeySelector + .RIMKeySelectorResult(publicKey); + } throw new KeySelectorException("No key found!"); } @@ -295,6 +319,21 @@ public class ReferenceManifestValidator { } } + /** + * This method parses the subject key identifier from the KeyName element of a signature. + * + * @param doc + * @return SKID if found, or an empty string. + */ + private String getKeyName(final Document doc) { + NodeList keyName = doc.getElementsByTagName("KeyName"); + if (keyName.getLength() > 0) { + return keyName.item(0).getTextContent(); + } else { + return null; + } + } + /** * This method validates the Document against the schema. *
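Review bot: In the second hunk `publicKey.getAlgorithm()` is evaluated after the loop even when no `X509Certificate` or `KeyValue` was found (or the `KeyException` branch was taken), so the selector throws a `NullPointerException` instead of the `KeySelectorException` the caller handles; guard it with `if (publicKey != null && areAlgorithmsEqual(algorithm.getAlgorithm(), publicKey.getAlgorithm())) {`. The `break` only leaves the inner `X509Certificate` loop and the `KeyValue` branch assigns `publicKey` unconditionally, so whichever element comes last in the document wins; the Javadoc added in the first hunk promises `X509Data` is preferred, which the code would implement by wrapping the `KeyValue` branch in `if (publicKey == null)`. The enclosing `select` method starts and ends outside the hunk.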
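Review bot: `getKeyName` returns `null` when no `KeyName` element is present, while its Javadoc promises an empty string and the constructor (earlier hunk) initialises `subjectKeyIdentifier` to `""`; returning `""` keeps callers such as the portal's `data.put("skID", …)` from receiving a null that the field was never initialised to. `doc.getElementsByTagName("KeyName")` also takes the first `KeyName` anywhere in the document rather than the one inside the signature's `KeyInfo`; scoping the search to the Signature element the caller already located would be more precise. The empty `@param doc` tag should read `@param doc the signed SWID document to search`.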