Add cert path validation to SupplyChainValidationServiceImpl class. Errors of this nature will be reported to the ACA under firmware.

2025-02-20 01:36:15 +00:00 · 2021-06-03 18:19:21 -04:00 · 2021-06-03 18:19:21 -04:00 · 68c6447760
commit 68c6447760
parent 8abffb54e2
1 changed files with 31 additions and 0 deletions
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
@ -38,6 +38,7 @@ import hirs.utils.ReferenceManifestValidator;
 import hirs.validation.CredentialValidator;
 import hirs.validation.SupplyChainCredentialValidator;
 import org.apache.logging.log4j.Level;
+import hirs.validation.SupplyChainValidatorException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.bouncycastle.util.encoders.Hex;
@ -51,7 +52,9 @@ import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@ -415,6 +418,34 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                }
            }

+            //Validate signing cert
+            Set<CertificateAuthorityCredential> allCerts =
+                    CertificateAuthorityCredential.select(certificateManager).getCertificates();
+            CertificateAuthorityCredential signingCert = null;
+            for (CertificateAuthorityCredential cert : allCerts) {
+                if (Arrays.equals(cert.getEncodedPublicKey(),
+                        referenceManifestValidator.getPublicKey().getEncoded())) {
+                    signingCert = cert;
+                    break;
+                }
+            }
+            KeyStore keyStore = getCaChain(signingCert);
+            try {
+                X509Certificate x509Cert = CertificateAuthorityCredential.select(certificateManager)
+                        .bySubjectKeyIdentifier(signingCert.getSubjectKeyIdentifier())
+                        .getX509Certificate();
+                if (!SupplyChainCredentialValidator.verifyCertificate(x509Cert, keyStore)) {
+                    passed = false;
+                    fwStatus = new AppraisalStatus(FAIL,
+                            "Firmware validation failed: invalid certificate path.");
+                }
+            } catch (IOException e) {
+                LOGGER.error("Error getting X509 cert from manager: " + e.getMessage());
+            } catch (SupplyChainValidatorException e) {
+                LOGGER.error("Error validating cert against keystore: " + e.getMessage());
+            }
+
+
            if (!referenceManifestValidator.isSignatureValid()) {
                passed = false;
                fwStatus = new AppraisalStatus(FAIL,