diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 763e0134..8771f938 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java @@ -368,7 +368,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe // verify signatures ReferenceManifestValidator referenceManifestValidator = - new ReferenceManifestValidator(); + new ReferenceManifestValidator( + new ByteArrayInputStream(baseReferenceManifest.getRimBytes())); for (SwidResource swidRes : resources) { if (swidRes.getName().equals(supportReferenceManifest.getFileName())) { @@ -377,9 +378,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe } } - referenceManifestValidator.validateXmlSignature( - new ByteArrayInputStream(baseReferenceManifest.getRimBytes())); - if (!referenceManifestValidator.isSignatureValid()) { passed = false; fwStatus = new AppraisalStatus(FAIL, diff --git a/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java b/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java index 7cebb19e..d8963592 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java +++ b/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java @@ -111,6 +111,21 @@ public class ReferenceManifestValidator { } } + /** + * This constructor is used for a quick signature check which bypasses the loading of + * the schema url into memory. As a result the full stream is not validated against the schema. + * + * @param input xml data byte array. + */ + public ReferenceManifestValidator(final InputStream input) { + try { + signatureValid = validateSignedXMLDocument( + removeXMLWhitespace(new StreamSource(input))); + } catch (IOException e) { + LOGGER.warn("Error during unmarshal: " + e.getMessage()); + } + } + /** * This method calculates the SHA256 hash of the input byte array and compares it against * the value passed in. @@ -132,7 +147,7 @@ public class ReferenceManifestValidator { */ public void validateXmlSignature(final InputStream input) { try { - Document doc = unmarshallSwidTag(removeXMLWhitespace(new StreamSource(input))); + Document doc = validateSwidtagSchema(removeXMLWhitespace(new StreamSource(input))); signatureValid = validateSignedXMLDocument(doc); } catch (IOException e) { LOGGER.warn("Error during unmarshal: " + e.getMessage()); @@ -203,7 +218,7 @@ public class ReferenceManifestValidator { * It is passed as a parameter to a DOMValidateContext that uses it to validate * an XML signature. */ - public class X509KeySelector extends KeySelector { + public static class X509KeySelector extends KeySelector { private PublicKey publicKey; /** @@ -267,7 +282,7 @@ public class ReferenceManifestValidator { /** * This internal class creates a KeySelectorResult from the public key. */ - private class RIMKeySelectorResult implements KeySelectorResult { + private static class RIMKeySelectorResult implements KeySelectorResult { private Key key; RIMKeySelectorResult(final Key key) { @@ -281,12 +296,12 @@ public class ReferenceManifestValidator { } /** - * This method unmarshalls the Document object and validates it against the schema. + * This method validates the Document against the schema. * * @param doc of the input swidtag. * @return document validated against the schema. */ - private Document unmarshallSwidTag(final Document doc) { + private Document validateSwidtagSchema(final Document doc) { try { JAXBContext jaxbContext = JAXBContext.newInstance(SCHEMA_PACKAGE); unmarshaller = jaxbContext.createUnmarshaller();