From 623da2ce8005f07c437a756bd44af7cd0dd539e9 Mon Sep 17 00:00:00 2001
From: chubtub <43381989+chubtub@users.noreply.github.com>
Date: Thu, 5 Nov 2020 13:44:09 -0500
Subject: [PATCH] Overload RIM validator class for faster signature checking

---
 .../SupplyChainValidationServiceImpl.java     |  6 ++---
 .../utils/ReferenceManifestValidator.java     | 25 +++++++++++++++----
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
index 763e0134..8771f938 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
@@ -368,7 +368,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
 
             // verify signatures
             ReferenceManifestValidator referenceManifestValidator =
-                                    new ReferenceManifestValidator();
+                            new ReferenceManifestValidator(
+                                    new ByteArrayInputStream(baseReferenceManifest.getRimBytes()));
 
             for (SwidResource swidRes : resources) {
                 if (swidRes.getName().equals(supportReferenceManifest.getFileName())) {
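Review bot: The signature is now verified inside the constructor on the added lines, i.e. before the loop over `resources` that matches the support RIM, whereas the call removed in the next hunk ran after that loop; if that loop sets any state on `referenceManifestValidator` that the signature check consumed (its body is outside the hunk), the check no longer sees it. Independently, the new constructor bypasses the schema validation that `validateXmlSignature` performs, so in this path the base RIM is no longer checked against the SWID schema before `isSignatureValid()` is consulted; if schema conformance is part of the appraisal, it has to be re-established here, e.g. by keeping `referenceManifestValidator.validateXmlSignature(new ByteArrayInputStream(baseReferenceManifest.getRimBytes()));` where it was, and otherwise the intentional downgrade deserves a comment next to the constructor call. The enclosing method begins and ends outside the hunk.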
@@ -377,9 +378,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                 }
             }
 
-            referenceManifestValidator.validateXmlSignature(
-                    new ByteArrayInputStream(baseReferenceManifest.getRimBytes()));
-
             if (!referenceManifestValidator.isSignatureValid()) {
                 passed = false;
                 fwStatus = new AppraisalStatus(FAIL,
diff --git a/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java b/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java
index 7cebb19e..d8963592 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java
@@ -111,6 +111,21 @@ public class ReferenceManifestValidator {
         }
     }
 
+    /**
+     * This constructor is used for a quick signature check which bypasses the loading of
+     * the schema url into memory. As a result the full stream is not validated against the schema.
+     *
+     * @param input xml data byte array.
+     */
+    public ReferenceManifestValidator(final InputStream input) {
+        try {
+            signatureValid = validateSignedXMLDocument(
+                    removeXMLWhitespace(new StreamSource(input)));
+        } catch (IOException e) {
+            LOGGER.warn("Error during unmarshal: " + e.getMessage());
+        }
+    }
+
     /**
      * This method calculates the SHA256 hash of the input byte array and compares it against
      * the value passed in.
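Review bot: The Javadoc `@param input xml data byte array.` on the new constructor describes the wrong type — the parameter is an `InputStream` — and the catch block logs `Error during unmarshal` although this path performs no unmarshalling; suggest `@param input stream of the signed XML document.` and `LOGGER.warn("Error during signature validation", e);` so the stack trace is kept rather than only `e.getMessage()` (the same `getMessage()`-only pattern remains in `validateXmlSignature` in the next hunk). Because the schema check is skipped, the Javadoc should also state that `isSignatureValid()` says nothing about schema conformance and that on an `IOException` `signatureValid` simply keeps its default value; only `IOException` is caught, and whether `validateSignedXMLDocument` can throw anything else is not visible in the hunk. Doing parsing and signature verification inside a constructor means a malformed document yields an object whose only signal is a false flag plus a warn log; a static factory returning the validator (or throwing) would make that explicit, though that is a style choice. The enclosing class continues outside the hunk.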
@@ -132,7 +147,7 @@ public class ReferenceManifestValidator {
      */
     public void validateXmlSignature(final InputStream input) {
         try {
-            Document doc = unmarshallSwidTag(removeXMLWhitespace(new StreamSource(input)));
+            Document doc = validateSwidtagSchema(removeXMLWhitespace(new StreamSource(input)));
             signatureValid = validateSignedXMLDocument(doc);
         } catch (IOException e) {
             LOGGER.warn("Error during unmarshal: " + e.getMessage());
@@ -203,7 +218,7 @@ public class ReferenceManifestValidator {
      * It is passed as a parameter to a DOMValidateContext that uses it to validate
      * an XML signature.
      */
-    public class X509KeySelector extends KeySelector {
+    public static class X509KeySelector extends KeySelector {
         private PublicKey publicKey;
 
         /**
@@ -267,7 +282,7 @@ public class ReferenceManifestValidator {
         /**
          * This internal class creates a KeySelectorResult from the public key.
          */
-        private class RIMKeySelectorResult implements KeySelectorResult {
+        private static class RIMKeySelectorResult implements KeySelectorResult {
             private Key key;
 
             RIMKeySelectorResult(final Key key) {
@@ -281,12 +296,12 @@ public class ReferenceManifestValidator {
     }
 
     /**
-     * This method unmarshalls the Document object and validates it against the schema.
+     * This method validates the Document against the schema.
      *
      * @param doc of the input swidtag.
      * @return document validated against the schema.
      */
-    private Document unmarshallSwidTag(final Document doc) {
+    private Document validateSwidtagSchema(final Document doc) {
         try {
             JAXBContext jaxbContext = JAXBContext.newInstance(SCHEMA_PACKAGE);
             unmarshaller = jaxbContext.createUnmarshaller();