From 1867e00301e6d0036fbffd80bdf0e3bd6ffaa711 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Tue, 31 Oct 2023 10:48:37 -0400
Subject: [PATCH] Updated the Rim Validator to remove direct object parameters
 from the database and pass in the information the methods needed to function

---
 .../validation/FirmwareScvValidator.java      | 31 +++++++++++--------
 ...eferenceManifestDetailsPageController.java |  5 +--
 .../utils/rim/ReferenceManifestValidator.java | 23 ++++++++------
 3 files changed, 34 insertions(+), 25 deletions(-)

diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java
index 65c3654c..068f4dd1 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java
@@ -90,7 +90,7 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
             // verify signatures
             ReferenceManifestValidator referenceManifestValidator =
                     new ReferenceManifestValidator();
-            referenceManifestValidator.setRim(baseReferenceManifest);
+            referenceManifestValidator.setRim(baseReferenceManifest.getRimBytes());
 
             //Validate signing cert
             List<CertificateAuthorityCredential> allCerts = caCredentialRepository.findAll();
@@ -99,23 +99,28 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
                 signingCert = cert;
                 KeyStore keyStore = ValidationService.getCaChain(signingCert,
                         caCredentialRepository);
-                if (referenceManifestValidator.validateXmlSignature(signingCert)) {
-                    try {
-                        if (!SupplyChainCredentialValidator.verifyCertificate(
+                try {
+                    if (referenceManifestValidator.validateXmlSignature(signingCert.getX509Certificate().getPublicKey(),
+                        signingCert.getSubjectKeyIdString(), signingCert.getEncodedPublicKey())) {
+                        try {
+                            if (!SupplyChainCredentialValidator.verifyCertificate(
                                 signingCert.getX509Certificate(), keyStore)) {
-                            passed = false;
+                                passed = false;
+                                fwStatus = new AppraisalStatus(FAIL,
+                                    "Firmware validation failed: invalid certificate path.");
+                                validationObject = baseReferenceManifest;
+                            }
+                        } catch (IOException ioEx) {
+                            log.error("Error getting X509 cert from manager: " + ioEx.getMessage());
+                        } catch (SupplyChainValidatorException scvEx) {
+                            log.error("Error validating cert against keystore: " + scvEx.getMessage());
                             fwStatus = new AppraisalStatus(FAIL,
                                     "Firmware validation failed: invalid certificate path.");
-                            validationObject = baseReferenceManifest;
                         }
-                    } catch (IOException ioEx) {
-                        log.error("Error getting X509 cert from manager: " + ioEx.getMessage());
-                    } catch (SupplyChainValidatorException scvEx) {
-                        log.error("Error validating cert against keystore: " + scvEx.getMessage());
-                        fwStatus = new AppraisalStatus(FAIL,
-                                "Firmware validation failed: invalid certificate path.");
+                        break;
                     }
-                    break;
+                } catch (IOException ioEx) {
+                    log.error("Error getting X509 cert from manager: " + ioEx.getMessage());
                 }
             }
 
diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java
index e57701af..d20a4a29 100644
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java
@@ -272,7 +272,7 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
         }
         // going to have to pull the filename and grab that from the DB
         // to get the id to make the link
-        RIM_VALIDATOR.setRim(baseRim);
+        RIM_VALIDATOR.setRim(baseRim.getRimBytes());
         for (SwidResource swidRes : resources) {
             if (support != null && swidRes.getHashValue()
                     .equalsIgnoreCase(support.getHexDecHash())) {
@@ -300,7 +300,8 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
         data.put("signatureValid", false);
         for (CertificateAuthorityCredential cert : certificates) {
             KeyStore keystore = ValidationService.getCaChain(cert, caCertificateRepository);
-            if (RIM_VALIDATOR.validateXmlSignature(cert)) {
+            if (RIM_VALIDATOR.validateXmlSignature(cert.getX509Certificate().getPublicKey(),
+                    cert.getSubjectKeyIdString(), cert.getEncodedPublicKey())) {
                 try {
                     if (SupplyChainCredentialValidator.verifyCertificate(
                             cert.getX509Certificate(), keystore)) {
diff --git a/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java b/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java
index 2a11868a..2f3bcc14 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java
@@ -1,6 +1,5 @@
 package hirs.utils.rim;
 
-import hirs.utils.CertificateAuthorityCredential;
 import jakarta.xml.bind.JAXBContext;
 import jakarta.xml.bind.JAXBException;
 import jakarta.xml.bind.UnmarshalException;
@@ -78,12 +77,12 @@ public class ReferenceManifestValidator {
      * Setter for the RIM to be validated.  The ReferenceManifest object is converted into a
      * Document for processing.
      *
-     * @param rim ReferenceManifest object
+     * @param rimBytes ReferenceManifest object bytes
      */
-    public void setRim(final ReferenceManifest rim) {
+    public void setRim(final byte[] rimBytes) {
         try {
             Document doc = validateSwidtagSchema(removeXMLWhitespace(new StreamSource(
-                    new ByteArrayInputStream(rim.getRimBytes()))));
+                    new ByteArrayInputStream(rimBytes))));
             this.rim = doc;
         } catch (IOException e) {
             log.error("Error while unmarshalling rim bytes: " + e.getMessage());
@@ -152,11 +151,15 @@ public class ReferenceManifestValidator {
      * or the RIM's subject key identifier.  If the cert is matched then validation proceeds,
      * otherwise validation ends.
      *
-     * @param cert the cert to be checked against the RIM
+     * @param publicKey public key from the CA credential
+     * @param subjectKeyIdString string version of the subjet key id of the CA credential
+     * @param encodedPublicKey the encoded public key
      * @return true if the signature element is validated, false otherwise
      */
     @SuppressWarnings("magicnumber")
-    public boolean validateXmlSignature(final CertificateAuthorityCredential cert) {
+    public boolean validateXmlSignature(final PublicKey publicKey,
+                                        final String subjectKeyIdString,
+                                        final byte[] encodedPublicKey) {
         DOMValidateContext context = null;
         try {
             NodeList nodes = rim.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
@@ -171,19 +174,19 @@ public class ReferenceManifestValidator {
                 if (embeddedCert != null) {
                     subjectKeyIdentifier = getCertificateSubjectKeyIdentifier(embeddedCert);
                     if (Arrays.equals(embeddedCert.getPublicKey().getEncoded(),
-                            cert.getEncodedPublicKey())) {
+                            encodedPublicKey)) {
                         context = new DOMValidateContext(new X509KeySelector(), nodes.item(0));
                     }
                 }
             } else {
                 subjectKeyIdentifier = getKeyName(rim);
-                if (subjectKeyIdentifier.equals(cert.getSubjectKeyIdString())) {
-                    context = new DOMValidateContext(cert.getX509Certificate().getPublicKey(),
+                if (subjectKeyIdentifier.equals(subjectKeyIdString)) {
+                    context = new DOMValidateContext(publicKey,
                             nodes.item(0));
                 }
             }
             if (context != null) {
-                publicKey = cert.getX509Certificate().getPublicKey();
+                this.publicKey = publicKey;
                 signatureValid = validateSignedXMLDocument(context);
                 return signatureValid;
             }