Merge pull request #624 from nsacyber/v3_issue-607

[#607] Rimtool uses ReferenceManifestValidator for validation
This commit is contained in:
chubtub 2023-11-08 15:13:44 -05:00 committed by GitHub
commit 6aba9b9c5d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 366 additions and 1232 deletions

View File

@ -1,5 +1,6 @@
package hirs.utils.rim;
import hirs.utils.swid.SwidTagConstants;
import jakarta.xml.bind.JAXBContext;
import jakarta.xml.bind.JAXBException;
import jakarta.xml.bind.UnmarshalException;
@ -7,10 +8,13 @@ import jakarta.xml.bind.Unmarshaller;
import lombok.extern.log4j.Log4j2;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import javax.security.auth.x500.X500Principal;
import javax.xml.XMLConstants;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
@ -24,6 +28,7 @@ import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
@ -34,19 +39,16 @@ import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.io.*;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
/**
* This class handles validation functions of RIM files.
@ -71,6 +73,9 @@ public class ReferenceManifestValidator {
private PublicKey publicKey;
private Schema schema;
private String subjectKeyIdentifier;
private String rimEventLog;
private String trustStoreFile;
private List<X509Certificate> trustStore;
private boolean signatureValid, supportRimValid;
/**
@ -89,6 +94,22 @@ public class ReferenceManifestValidator {
}
}
/**
* Setter for the swidtag XML to be validated. The XML is passed in via a filepath
* and converted into a Document for processing.
*
* @param path String filepath
*/
public void setRim(final String path) {
File swidtagFile = new File(path);
try {
Document doc = validateSwidtagSchema(removeXMLWhitespace(new StreamSource(swidtagFile)));
this.rim = doc;
} catch (IOException e) {
log.error("Error while unmarshalling rim bytes: " + e.getMessage());
}
}
/**
* Getter for signatureValid.
*
@ -125,6 +146,22 @@ public class ReferenceManifestValidator {
return subjectKeyIdentifier;
}
/**
* Setter for the truststore file path.
* @param trustStoreFile the truststore
*/
public void setTrustStoreFile(String trustStoreFile) {
this.trustStoreFile = trustStoreFile;
}
/**
* Setter for rimel file path.
* @param rimEventLog the rimel file
*/
public void setRimEventLog(String rimEventLog) {
this.rimEventLog = rimEventLog;
}
/**
* This default constructor creates the Schema object from SCHEMA_URL immediately to save
* time during validation calls later.
@ -167,6 +204,7 @@ public class ReferenceManifestValidator {
log.error("Cannot validate RIM, signature element not found!");
return false;
}
trustStore = parseCertificatesFromPem(trustStoreFile);
NodeList certElement = rim.getElementsByTagName("X509Certificate");
if (certElement.getLength() > 0) {
X509Certificate embeddedCert = parseCertFromPEMString(
@ -199,6 +237,32 @@ public class ReferenceManifestValidator {
return false;
}
/**
* This method validates a signed swidtag XML file.
* @param path to the swidtag XML
*/
public boolean validateSwidtagFile(String path) {
Element fileElement = (Element) rim.getElementsByTagName("File").item(0);
X509Certificate signingCert = null;
try {
signingCert = getCertFromTruststore();
} catch (IOException e) {
log.warn("Error while parsing signing cert from truststore: " + e.getMessage());
return false;
}
String subjectKeyIdentifier = "";
try {
subjectKeyIdentifier = getCertificateSubjectKeyIdentifier(signingCert);
} catch (IOException e) {
log.warn("Error while parsing certificate data: " + e.getMessage());
return false;
}
return validateXmlSignature(signingCert.getPublicKey(),
subjectKeyIdentifier,
signingCert.getPublicKey().getEncoded())
&& validateFile(fileElement);
}
/**
* This method calculates the SHA256 hash of the input byte array and compares it against
* the value passed in.
@ -215,6 +279,66 @@ public class ReferenceManifestValidator {
}
}
/**
* This method validates a hirs.swid.xjc.File from an indirect payload
*/
private boolean validateFile(final Element file) {
String filepath;
if (!rimEventLog.isEmpty()) {
filepath = rimEventLog;
} else {
filepath = file.getAttribute(SwidTagConstants.NAME);
}
System.out.println("Support rim found at " + filepath);
if (getHashValue(filepath, "SHA256").equals(
file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" +
SwidTagConstants._SHA256_HASH.getLocalPart()))) {
System.out.println("Support RIM hash verified!" + System.lineSeparator());
return true;
} else {
System.out.println("Support RIM hash does not match Base RIM!" + System.lineSeparator());
return false;
}
}
/**
* This method pulls the signing certificate from the truststore based on the
* SKID parsed from this instance's swidtag XML.
*
* @return X509Certificate signing cert
*/
private X509Certificate getCertFromTruststore() throws IOException {
String subjectKeyIdentifier = getKeyName(rim);
for (X509Certificate trustedCert : trustStore) {
String trustedSubjectKeyIdentifier = getCertificateSubjectKeyIdentifier(trustedCert);
if (subjectKeyIdentifier.equals(trustedSubjectKeyIdentifier)) {
return trustedCert;
}
}
return null;
}
/**
* This method calculates the digest of the file at filepath based on algorithm sha
*
* @param filepath the file to hash
* @param sha the algorithm to use
* @return String digest
*/
private String getHashValue(final String filepath, final String sha) {
try {
MessageDigest md = MessageDigest.getInstance(sha);
byte[] bytes = md.digest(Files.readAllBytes(Paths.get(filepath)));
return getHashValue(bytes, sha);
} catch (NoSuchAlgorithmException e) {
log.warn(e.getMessage());
} catch (IOException e) {
log.warn("Error reading " + filepath + " for hashing: " + e.getMessage());
}
return null;
}
/**
* This method calculates the digest of a byte array based on the hashing algorithm passed in.
*
@ -260,7 +384,9 @@ public class ReferenceManifestValidator {
* It is passed as a parameter to a DOMValidateContext that uses it to validate
* an XML signature.
*/
public static class X509KeySelector extends KeySelector {
public class X509KeySelector extends KeySelector {
PublicKey publicKey;
X509Certificate signingCert;
/**
* This method selects a public key for validation.
* PKs are parsed preferentially from the following elements:
@ -290,28 +416,172 @@ public class ReferenceManifestValidator {
while (dataItr.hasNext()) {
Object object = dataItr.next();
if (object instanceof X509Certificate) {
final PublicKey publicKey = ((X509Certificate) object).getPublicKey();
if (areAlgorithmsEqual(algorithm.getAlgorithm(),
publicKey.getAlgorithm())) {
X509Certificate embeddedCert = (X509Certificate) object;
try {
if (isCertChainValid(embeddedCert)) {
publicKey = ((X509Certificate) embeddedCert).getPublicKey();
signingCert = embeddedCert;
System.out.println("Certificate chain validity: true");
}
} catch (Exception e) {
System.out.println("Certificate chain invalid: "
+ e.getMessage());
}
}
}
} else if (element instanceof KeyValue) {
try {
PublicKey pk = ((KeyValue) element).getPublicKey();
if (isPublicKeyTrusted(pk)) {
publicKey = pk;
try {
System.out.println("Certificate chain validity: "
+ isCertChainValid(signingCert));
} catch (Exception e) {
System.out.println("Certificate chain invalid: "
+ e.getMessage());
}
}
} catch (KeyException e) {
System.out.println("Unable to convert KeyValue data to PK.");
}
}
if (publicKey != null) {
if (areAlgorithmsEqual(algorithm.getAlgorithm(), publicKey.getAlgorithm())) {
return new ReferenceManifestValidator.X509KeySelector
.RIMKeySelectorResult(publicKey);
}
}
}
}
}
throw new KeySelectorException("No key found!");
}
/**
* This method checks if two strings refer to the same algorithm.
*
* @param uri string 1
* @param name string 2
* @return true if equal, false if not
* This method checks that the signature and public key algorithms match.
* @param uri to match the signature algorithm
* @param name to match the public key algorithm
* @return true if both match, false otherwise
*/
public boolean areAlgorithmsEqual(final String uri, final String name) {
return uri.equals(SIGNATURE_ALGORITHM_RSA_SHA256) && name.equalsIgnoreCase("RSA");
public boolean areAlgorithmsEqual(String uri, String name) {
return uri.equals(SwidTagConstants.SIGNATURE_ALGORITHM_RSA_SHA256)
&& name.equalsIgnoreCase("RSA");
}
/**
* This method validates the cert chain for a given certificate. The truststore is iterated
* over until a root CA is found, otherwise an error is returned.
* @param cert the certificate at the start of the chain
* @return true if the chain is valid
* @throws Exception if a valid chain is not found in the truststore
*/
private boolean isCertChainValid(final X509Certificate cert)
throws Exception {
if (cert == null || trustStore == null) {
throw new Exception("Null certificate or truststore received");
} else if (trustStore.size() == 0) {
throw new Exception("Truststore is empty");
}
final String INT_CA_ERROR = "Intermediate CA found, searching for root CA";
String errorMessage = "";
X509Certificate startOfChain = cert;
do {
for (X509Certificate trustedCert : trustStore) {
boolean isIssuer = areYouMyIssuer(startOfChain, trustedCert);
boolean isSigner = areYouMySigner(startOfChain, trustedCert);
if (isIssuer && isSigner) {
if (isSelfSigned(trustedCert)) {
return true;
} else {
startOfChain = trustedCert;
errorMessage = INT_CA_ERROR;
break;
}
} else {
if (!isIssuer) {
errorMessage = "Issuer cert not found";
} else if (!isSigner) {
errorMessage = "Signing cert not found";
}
}
}
} while (errorMessage.equals(INT_CA_ERROR));
throw new Exception("Error while validating cert chain: " + errorMessage);
}
/**
* This method checks if cert's issuerDN matches issuer's subjectDN.
* @param cert the signed certificate
* @param issuer the signing certificate
* @return true if they match, false if not
* @throws Exception if either argument is null
*/
private boolean areYouMyIssuer(final X509Certificate cert, final X509Certificate issuer)
throws Exception {
if (cert == null || issuer == null) {
throw new Exception("Cannot verify issuer, null certificate received");
}
X500Principal issuerDN = new X500Principal(cert.getIssuerX500Principal().getName());
return issuer.getSubjectX500Principal().equals(issuerDN);
}
/**
* This method checks if cert's signature matches signer's public key.
* @param cert the signed certificate
* @param signer the signing certificate
* @return true if they match
* @throws Exception if an error occurs or there is no match
*/
private boolean areYouMySigner(final X509Certificate cert, final X509Certificate signer)
throws Exception {
if (cert == null || signer == null) {
throw new Exception("Cannot verify signature, null certificate received");
}
try {
cert.verify(signer.getPublicKey(), BouncyCastleProvider.PROVIDER_NAME);
return true;
} catch (NoSuchAlgorithmException e) {
throw new Exception("Signing algorithm in signing cert not supported");
} catch (InvalidKeyException e) {
throw new Exception("Signing certificate key does not match signature");
} catch (NoSuchProviderException e) {
throw new Exception("Error with BouncyCastleProvider: " + e.getMessage());
} catch (SignatureException e) {
String error = "Error with signature: " + e.getMessage()
+ System.lineSeparator()
+ "Certificate needed for verification is missing: "
+ signer.getSubjectX500Principal().getName();
throw new Exception(error);
} catch (CertificateException e) {
throw new Exception("Encoding error: " + e.getMessage());
}
}
/**
* This method checks if a given certificate is self signed or not.
* @param cert the cert to check
* @return true if self signed, false if not
*/
private boolean isSelfSigned(final X509Certificate cert) {
return cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal());
}
/**
* This method compares a public key against those in the truststore.
* @param pk a public key
* @return true if pk is found in the trust store, false otherwise
*/
private boolean isPublicKeyTrusted(final PublicKey pk) {
for (X509Certificate trustedCert : trustStore) {
if (Arrays.equals(trustedCert.getPublicKey().getEncoded(),
pk.getEncoded())) {
signingCert = trustedCert;
return true;
}
}
return false;
}
/**
@ -359,6 +629,52 @@ public class ReferenceManifestValidator {
return null;
}
/**
* This method returns the X509Certificate found in a PEM file.
* Unchecked type case warnings are suppressed because the CertificateFactory
* implements X509Certificate objects explicitly.
* @param filename pem file
* @return a list containing all X509Certificates extracted
*/
@SuppressWarnings("unchecked")
private List<X509Certificate> parseCertificatesFromPem(String filename) {
List<X509Certificate> certificates = null;
FileInputStream fis = null;
BufferedInputStream bis = null;
try {
fis = new FileInputStream(filename);
bis = new BufferedInputStream(fis);
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
while (bis.available() > 0) {
certificates =
(List<X509Certificate>) certificateFactory.generateCertificates(bis);
}
if (certificates.size() < 1) {
System.out.println("ERROR: No certificates parsed from " + filename);
}
bis.close();
} catch (CertificateException e) {
System.out.println("Error in certificate factory: " + e.getMessage());
} catch (IOException e) {
System.out.println("Error reading from input stream: " + e.getMessage());
} finally {
try {
if (fis != null) {
fis.close();
}
if (bis != null) {
bis.close();
}
} catch (IOException e) {
System.out.println("Error closing input stream: " + e.getMessage());
}
}
return certificates;
}
/**
* This method returns the subjectKeyIdentifier from a given X509Certificate.
*

View File

@ -21,6 +21,8 @@ repositories {
}
dependencies {
implementation project(':HIRS_Utils')
implementation libs.bouncycastle
implementation libs.glassfish.json
implementation libs.glassfish.jaxb.runtime
@ -51,9 +53,12 @@ jar {
exclude 'META-INF/*.SF', 'META-INF/*.DSA', 'META-INF/*.RSA', 'META-INF/*.MF'
duplicatesStrategy = DuplicatesStrategy.EXCLUDE
manifest {
attributes("Main-Class": "hirs.swid.Main",
'Class-Path':configurations.runtimeClasspath.files.collect { it.getName() }.join(' ')
)
attributes "Main-Class": "hirs.swid.Main"
}
from {
configurations.runtimeClasspath.collect { it.isDirectory() ? it : zipTree(it) }
}
//jar name format: [archiveBaseName]-[archiveAppendix]-[archiveVersion]-[archiveClassifier].[archiveExtension]
archiveVersion = jarVersion

View File

@ -1,6 +1,6 @@
#Thu Sep 13 15:33:27 EDT 2018
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
networkTimeout=10000
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip

View File

@ -1,360 +0,0 @@
package hirs.swid;
import com.fasterxml.jackson.annotation.JsonIgnore;
import hirs.swid.ReferenceManifest;
import hirs.swid.SwidResource;
import hirs.swid.SwidTagConstants;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.xml.bind.JAXBContext;
import jakarta.xml.bind.JAXBException;
import jakarta.xml.bind.UnmarshalException;
import jakarta.xml.bind.Unmarshaller;
import lombok.AccessLevel;
import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;
import lombok.extern.log4j.Log4j2;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
/**
*
*/
@Log4j2
@Getter
@Setter
@NoArgsConstructor(access = AccessLevel.PROTECTED)
@Entity
public class BaseReferenceManifest extends ReferenceManifest {
/**
* Holds the name of the 'base64Hash' field.
*/
public static final String BASE_64_HASH_FIELD = "base64Hash";
private static JAXBContext jaxbContext;
@Column
@JsonIgnore
private String base64Hash = "";
@Column
private String swidName = null;
@Column
private int swidCorpus = 0;
@Column
private String colloquialVersion = null;
@Column
private String product = null;
@Column
private String revision = null;
@Column
private String edition = null;
@Column
private String rimLinkHash = null;
@Column
private String bindingSpec = null;
@Column
private String bindingSpecVersion = null;
@Column
private String platformVersion = null;
@Column
private String payloadType = null;
@Column
private String pcURIGlobal = null;
@Column
private String pcURILocal = null;
private String entityName = null;
private String entityRegId = null;
private String entityRole = null;
private String entityThumbprint = null;
private String linkHref = null;
private String linkRel = null;
/**
* Support constructor for the RIM object.
*
* @param rimBytes - the file content of the uploaded file.
* @throws IOException - thrown if the file is invalid.
*/
public BaseReferenceManifest(final byte[] rimBytes) throws IOException {
this("", rimBytes);
}
/**
* Main constructor for the RIM object. This takes in a byte array of a
* valid swidtag file and parses the information.
*
* @param fileName - string representation of the uploaded file.
* @param rimBytes byte array representation of the RIM
* @throws IOException if unable to unmarshal the string
*/
@SuppressWarnings("checkstyle:AvoidInlineConditionals")
public BaseReferenceManifest(final String fileName, final byte[] rimBytes) throws IOException {
super(rimBytes);
this.setRimType(BASE_RIM);
this.setFileName(fileName);
Document document = unmarshallSwidTag(new ByteArrayInputStream(rimBytes));
Element softwareIdentity;
Element meta;
Element entity;
Element link;
MessageDigest digest = null;
this.base64Hash = "";
try {
digest = MessageDigest.getInstance("SHA-256");
this.base64Hash = Base64.getEncoder().encodeToString(
digest.digest(rimBytes));
} catch (NoSuchAlgorithmException noSaEx) {
log.error(noSaEx);
}
// begin parsing valid swid tag
if (document != null) {
softwareIdentity = (Element) document.getElementsByTagName(SwidTagConstants.SOFTWARE_IDENTITY).item(0);
entity = (Element) document.getElementsByTagName(SwidTagConstants.ENTITY).item(0);
link = (Element) document.getElementsByTagName(SwidTagConstants.LINK).item(0);
meta = (Element) document.getElementsByTagName(SwidTagConstants.META).item(0);
setTagId(softwareIdentity.getAttribute(SwidTagConstants.TAGID));
this.swidName = softwareIdentity.getAttribute(SwidTagConstants.NAME);
this.swidCorpus = Boolean.parseBoolean(softwareIdentity.getAttribute(SwidTagConstants.CORPUS)) ? 1 : 0;
this.setSwidPatch(Boolean.parseBoolean(softwareIdentity.getAttribute(SwidTagConstants.PATCH)));
this.setSwidSupplemental(Boolean.parseBoolean(softwareIdentity.getAttribute(SwidTagConstants.SUPPLEMENTAL)));
this.setSwidVersion(softwareIdentity.getAttribute(SwidTagConstants.VERSION));
this.setSwidTagVersion(softwareIdentity.getAttribute(SwidTagConstants.TAGVERSION));
parseSoftwareMeta(meta);
parseEntity(entity);
parseLink(link);
}
}
/**
* This is a helper method that parses the SoftwareMeta tag and stores the
* information in the class fields.
*
* @param softwareMeta The object to parse.
*/
private void parseSoftwareMeta(final Element softwareMeta) {
if (softwareMeta != null) {
this.colloquialVersion = softwareMeta.getAttribute(SwidTagConstants.COLLOQUIAL_VERSION);
this.product = softwareMeta.getAttribute(SwidTagConstants.PRODUCT);
this.revision = softwareMeta.getAttribute(SwidTagConstants.REVISION);
this.edition = softwareMeta.getAttribute(SwidTagConstants.EDITION);
this.rimLinkHash = softwareMeta.getAttribute(SwidTagConstants.RIM_LINK_HASH);
this.bindingSpec = softwareMeta.getAttribute(SwidTagConstants.BINDING_SPEC);
this.bindingSpecVersion = softwareMeta.getAttribute(SwidTagConstants.BINDING_SPEC_VERSION);
this.setPlatformManufacturerId(softwareMeta.getAttribute(SwidTagConstants.PLATFORM_MANUFACTURER_ID));
this.setPlatformManufacturer(softwareMeta.getAttribute(SwidTagConstants.PLATFORM_MANUFACTURER_STR));
this.setPlatformModel(softwareMeta.getAttribute(SwidTagConstants.PLATFORM_MODEL));
this.platformVersion = softwareMeta.getAttribute(SwidTagConstants.PLATFORM_VERSION);
this.payloadType = softwareMeta.getAttribute(SwidTagConstants.PAYLOAD_TYPE);
this.pcURIGlobal = softwareMeta.getAttribute(SwidTagConstants.PC_URI_GLOBAL);
this.pcURILocal = softwareMeta.getAttribute(SwidTagConstants.PC_URI_LOCAL);
} else {
log.warn("SoftwareMeta Tag not found.");
}
}
/**
* This is a helper method that parses the Entity tag and stores the
* information in the class fields.
*
* @param entity The object to parse.
*/
private void parseEntity(final Element entity) {
if (entity != null) {
this.entityName = entity.getAttribute(SwidTagConstants.NAME);
this.entityRegId = entity.getAttribute(SwidTagConstants.REGID);
this.entityRole = entity.getAttribute(SwidTagConstants.ROLE);
this.entityThumbprint = entity.getAttribute(SwidTagConstants.THUMBPRINT);
} else {
log.warn("Entity Tag not found.");
}
}
/**
* This is a helper method that parses the Link tag and stores the
* information in the class fields.
*
* @param link The object to parse.
*/
private void parseLink(final Element link) {
if (link != null) {
this.linkHref = link.getAttribute(SwidTagConstants.HREF);
this.linkRel = link.getAttribute(SwidTagConstants.REL);
} else {
log.warn("Link Tag not found.");
}
}
/**
* This method validates the .swidtag file at the given filepath against the
* schema. A successful validation results in the output of the tag's name
* and tagId attributes, otherwise a generic error message is printed.
*
*/
private Element getDirectoryTag() {
return getDirectoryTag(new ByteArrayInputStream(getRimBytes()));
}
/**
* This method validates the .swidtag file at the given filepath against the
* schema. A successful validation results in the output of the tag's name
* and tagId attributes, otherwise a generic error message is printed.
*
* @param byteArrayInputStream the location of the file to be validated
*/
private Element getDirectoryTag(final ByteArrayInputStream byteArrayInputStream) {
Document document = unmarshallSwidTag(byteArrayInputStream);
Element softwareIdentity =
(Element) document.getElementsByTagName("SoftwareIdentity").item(0);
if (softwareIdentity != null) {
Element directory = (Element) document.getElementsByTagName("Directory").item(0);
return directory;
} else {
log.error("Invalid xml for validation, please verify ");
}
return null;
}
/**
* This method iterates over the list of File elements under the directory. *
*/
public List<SwidResource> getFileResources() {
return getFileResources(getRimBytes());
}
/**
* This method iterates over the list of File elements under the directory.
*
* @param rimBytes the bytes to find the files
*
*/
public List<SwidResource> getFileResources(final byte[] rimBytes) {
Element directoryTag = getDirectoryTag(new ByteArrayInputStream(rimBytes));
List<SwidResource> validHashes = new ArrayList<>();
NodeList fileNodeList = directoryTag.getChildNodes();
Element file = null;
SwidResource swidResource = null;
for (int i = 0; i < fileNodeList.getLength(); i++) {
file = (Element) fileNodeList.item(i);
swidResource = new SwidResource();
swidResource.setName(file.getAttribute(SwidTagConstants.NAME));
swidResource.setSize(file.getAttribute(SwidTagConstants.SIZE));
swidResource.setHashValue(file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":"
+ SwidTagConstants._SHA256_HASH.getLocalPart()));
validHashes.add(swidResource);
}
return validHashes;
}
/**
* This method unmarshalls the swidtag found at [path] into a Document object
* and validates it according to the schema.
*
* @param byteArrayInputStream to the input swidtag
* @return the Document element at the root of the swidtag
*/
private Document unmarshallSwidTag(final ByteArrayInputStream byteArrayInputStream) {
InputStream is = null;
Document document = null;
Unmarshaller unmarshaller = null;
try {
document = removeXMLWhitespace(byteArrayInputStream);
SchemaFactory schemaFactory = SchemaFactory.newInstance(SCHEMA_LANGUAGE);
is = getClass().getClassLoader().getResourceAsStream(SwidTagConstants.SCHEMA_URL);
Schema schema = schemaFactory.newSchema(new StreamSource(is));
if (jaxbContext == null) {
jaxbContext = JAXBContext.newInstance(SCHEMA_PACKAGE);
}
unmarshaller = jaxbContext.createUnmarshaller();
unmarshaller.setSchema(schema);
unmarshaller.unmarshal(document);
} catch (IOException e) {
log.error(e.getMessage());
} catch (SAXException e) {
log.error("Error setting schema for validation!");
} catch (UnmarshalException e) {
log.error("Error validating swidtag file!");
} catch (IllegalArgumentException e) {
log.error("Input file empty.");
} catch (JAXBException e) {
e.printStackTrace();
} finally {
if (is != null) {
try {
is.close();
} catch (IOException e) {
System.out.println("Error closing input stream");
}
}
}
return document;
}
/**
* This method strips all whitespace from an xml file, including indents and spaces
* added for human-readability.
*
* @param byteArrayInputStream to the xml file
* @return Document object without whitespace
*/
private Document removeXMLWhitespace(final ByteArrayInputStream byteArrayInputStream) throws IOException {
TransformerFactory tf = TransformerFactory.newInstance();
Source source = new StreamSource(
getClass().getClassLoader().getResourceAsStream("identity_transform.xslt"));
Document document = null;
if (byteArrayInputStream.available() > 0) {
try {
Transformer transformer = tf.newTransformer(source);
DOMResult result = new DOMResult();
transformer.transform(new StreamSource(byteArrayInputStream), result);
document = (Document) result.getNode();
} catch (TransformerConfigurationException tcEx) {
log.error("Error configuring transformer!");
} catch (TransformerException tEx) {
log.error("Error transforming input!");
}
} else {
throw new IOException("Input file is empty!");
}
return document;
}
@Override
public String toString() {
return String.format("ReferenceManifest{swidName=%s,"
+ "platformManufacturer=%s,"
+ " platformModel=%s,"
+ "tagId=%s, base64Hash=%s}",
swidName, this.getPlatformManufacturer(),
this.getPlatformModel(), getTagId(), this.getBase64Hash());
}
}

View File

@ -1,66 +0,0 @@
package hirs.swid;
import lombok.AllArgsConstructor;
import lombok.Getter;
/**
* Enum of digest algorithms. The enum values also provide a standardized
* algorithm name. The standardized algorithm name is a String of the algorithm
* name as defined by Java.
*/
@Getter
@AllArgsConstructor
public enum DigestAlgorithm {
/**
* MD2 digest algorithm.
*/
MD2("MD2", 16),
/**
* MD5 digest algorithm.
*/
MD5("MD5", 16),
/**
* SHA-1 digest algorithm.
*/
SHA1("SHA-1", 20),
/**
* SHA-256 digest algorithm.
*/
SHA256("SHA-256", 32),
/**
* SHA-384 digest algorithm.
*/
SHA384("SHA-384", 48),
/**
* SHA-512 digest algorithm.
*/
SHA512("SHA-512", 64),
/**
* Condition used when an algorithm is not specified and
* the size doesn't match known digests.
*/
UNSPECIFIED("NOT SPECIFIED", Integer.BYTES);
private final String standardAlgorithmName;
private final int lengthInBytes;
/**
* Returns a DigestAlgorithm object given a String. The String is expected to be one of the
* options for standardAlgorithmName. Throws an IllegalArgumentException if no Enum exists with
* that value.
*
* @param standardAlgorithmName
* String value of the Enum
* @return DigestAlgorithm object
*/
public static DigestAlgorithm findByString(final String standardAlgorithmName) {
for (DigestAlgorithm algorithm: DigestAlgorithm.values()) {
if (algorithm.getStandardAlgorithmName().equals(standardAlgorithmName)) {
return algorithm;
}
}
throw new IllegalArgumentException(String.format("No constant with text \"%s\" found",
standardAlgorithmName));
}
}

View File

@ -1,8 +1,9 @@
package hirs.swid;
import hirs.swid.utils.Commander;
import com.beust.jcommander.JCommander;
import hirs.swid.utils.TimestampArgumentValidator;
import hirs.utils.rim.ReferenceManifestValidator;
import com.beust.jcommander.JCommander;
import java.util.List;
@ -13,14 +14,14 @@ public class Main {
JCommander jc = JCommander.newBuilder().addObject(commander).build();
jc.parse(args);
SwidTagGateway gateway;
SwidTagValidator validator;
ReferenceManifestValidator validator;
if (commander.isHelp()) {
jc.usage();
System.out.println(commander.printHelpExamples());
} else {
if (!commander.getVerifyFile().isEmpty()) {
validator = new SwidTagValidator();
validator = new ReferenceManifestValidator();
System.out.println(commander.toString());
String verifyFile = commander.getVerifyFile();
String rimel = commander.getRimEventLog();
@ -37,7 +38,7 @@ public class Main {
System.out.println("A single cert cannot be used for verification. " +
"The signing cert will be searched for in the trust store.");
}
validator.validateSwidTag(verifyFile);
validator.validateSwidtagFile(verifyFile);
} else {
System.out.println("Need a RIM file to validate!");
System.exit(1);

View File

@ -1,165 +0,0 @@
package hirs.swid;
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.google.common.base.Preconditions;
import jakarta.persistence.Access;
import jakarta.persistence.AccessType;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.Inheritance;
import jakarta.persistence.InheritanceType;
import jakarta.persistence.Table;
import lombok.EqualsAndHashCode;
import lombok.Getter;
import lombok.Setter;
import lombok.ToString;
import lombok.extern.log4j.Log4j2;
import org.apache.commons.codec.binary.Hex;
import org.hibernate.annotations.JdbcTypeCode;
import javax.xml.XMLConstants;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.UUID;
/**
* This class represents the Reference Integrity Manifest object that will be
* loaded into the DB and displayed in the ACA.
*/
@Getter @Setter @ToString
@EqualsAndHashCode(onlyExplicitlyIncluded = true, callSuper = false)
@Log4j2
@Entity
@Inheritance(strategy = InheritanceType.SINGLE_TABLE)
@Table(name = "ReferenceManifest")
@Access(AccessType.FIELD)
public class ReferenceManifest {
/**
* Holds the name of the 'hexDecHash' field.
*/
public static final String HEX_DEC_HASH_FIELD = "hexDecHash";
/**
* String for display of a Base RIM.
*/
public static final String BASE_RIM = "Base";
/**
* String for display of a Support RIM.
*/
public static final String SUPPORT_RIM = "Support";
/**
* String for display of a Support RIM.
*/
public static final String MEASUREMENT_RIM = "Measurement";
/**
* String for the xml schema ios standard.
*/
public static final String SCHEMA_STATEMENT = "ISO/IEC 19770-2:2015 Schema (XSD 1.0) "
+ "- September 2015, see http://standards.iso.org/iso/19770/-2/2015/schema.xsd";
/**
* String for the xml schema URL file name.
*/
public static final String SCHEMA_URL = "swid_schema.xsd";
/**
* String for the language type for the xml schema.
*/
public static final String SCHEMA_LANGUAGE = XMLConstants.W3C_XML_SCHEMA_NS_URI;
/**
* String for the package location of the xml generated java files.
*/
public static final String SCHEMA_PACKAGE = "hirs.utils.xjc";
@EqualsAndHashCode.Include
@Column(columnDefinition = "mediumblob", nullable = false)
private byte[] rimBytes;
@EqualsAndHashCode.Include
@Column(nullable = false)
private String rimType = "Base";
@Column
private String tagId = null;
@Column
private boolean swidPatch = false;
@Column
private boolean swidSupplemental = false;
@Column
private String platformManufacturer = null;
@Column
private String platformManufacturerId = null;
@Column
private String swidTagVersion = null;
@Column
private String swidVersion = null;
@Column
private String platformModel = null;
@Column(nullable = false)
private String fileName = null;
@JdbcTypeCode(java.sql.Types.VARCHAR)
@Column
private UUID associatedRim;
@Column
private String deviceName;
@Column
private String hexDecHash = "";
@Column
private String eventLogHash = "";
/**
* Default constructor necessary for Hibernate.
*/
protected ReferenceManifest() {
super();
this.rimBytes = null;
this.rimType = null;
this.platformManufacturer = null;
this.platformManufacturerId = null;
this.platformModel = null;
this.fileName = BASE_RIM;
this.tagId = null;
this.associatedRim = null;
}
/**
* Default constructor for ingesting the bytes of the file content.
* @param rimBytes - file contents.
*/
public ReferenceManifest(final byte[] rimBytes) {
Preconditions.checkArgument(rimBytes != null,
"Cannot construct a RIM from a null byte array");
Preconditions.checkArgument(rimBytes.length > 0,
"Cannot construct a RIM from an empty byte array");
this.rimBytes = rimBytes.clone();
MessageDigest digest = null;
this.hexDecHash = "";
try {
digest = MessageDigest.getInstance("SHA-256");
this.hexDecHash = Hex.encodeHexString(
digest.digest(rimBytes));
} catch (NoSuchAlgorithmException noSaEx) {
log.error(noSaEx);
}
}
/**
* Getter for the Reference Integrity Manifest as a byte array.
*
* @return array of bytes
*/
@JsonIgnore
public byte[] getRimBytes() {
if (this.rimBytes != null) {
return this.rimBytes.clone();
}
return null;
}
public boolean isBase() {
return rimType.equals(BASE_RIM);
}
public boolean isSupport() {
return rimType.equals(SUPPORT_RIM);
}
}

View File

@ -1,83 +0,0 @@
package hirs.swid;
import com.google.common.base.Preconditions;
import hirs.swid.DigestAlgorithm;
import hirs.swid.xjc.File;
import lombok.Getter;
import lombok.Setter;
import lombok.ToString;
import javax.xml.namespace.QName;
import java.math.BigInteger;
import java.util.Map;
/**
* This object is used to represent the content of a Swid Tags Directory
* section.
*/
@ToString
public class SwidResource {
@Getter
@Setter
private String name, size, hashValue;
@Getter
private String rimFormat, rimType, rimUriGlobal;
private DigestAlgorithm digest = DigestAlgorithm.SHA1;
@Getter
private boolean validFileSize = false;
/**
* Default constructor.
*/
public SwidResource() {
name = null;
size = null;
rimFormat = null;
rimType = null;
rimUriGlobal = null;
hashValue = null;
}
/**
* The main constructor that processes a {@code hirs.utils.xjc.File}.
*
* @param file {@link File}
* @param digest algorithm associated with pcr values
*/
public SwidResource(final File file, final DigestAlgorithm digest) {
Preconditions.checkArgument(file != null,
"Cannot construct a RIM Resource from a null File object");
this.name = file.getName();
// at this time, there is a possibility to get an object with
// no size even though it is required.
if (file.getSize() != null) {
this.size = file.getSize().toString();
} else {
this.size = BigInteger.ZERO.toString();
}
for (Map.Entry<QName, String> entry
: file.getOtherAttributes().entrySet()) {
switch (entry.getKey().getLocalPart()) {
case "supportRIMFormat":
this.rimFormat = entry.getValue();
break;
case "supportRIMType":
this.rimType = entry.getValue();
break;
case "supportRIMURIGlobal":
this.rimUriGlobal = entry.getValue();
break;
case "hash":
this.hashValue = entry.getValue();
break;
default:
}
}
this.digest = digest;
// tpmWhiteList = new TpmWhiteListBaseline(this.name);
}
}

View File

@ -1,516 +0,0 @@
package hirs.swid;
import hirs.swid.utils.HashSwid;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import javax.security.auth.x500.X500Principal;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.KeyValue;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
/**
* This class handles validating base Reference Integrity Manifest files.
*/
public class SwidTagValidator {
private Unmarshaller unmarshaller;
private String rimEventLog;
private String certificateFile;
private String trustStoreFile;
private List<X509Certificate> trustStore;
/**
* Ensure that BouncyCastle is configured as a javax.security.Security provider, as this
* class expects it to be available.
*/
static {
Security.addProvider(new BouncyCastleProvider());
}
/**
* Setter for rimel file path.
* @param rimEventLog the rimel file
*/
public void setRimEventLog(String rimEventLog) {
this.rimEventLog = rimEventLog;
}
/**
* Setter for the truststore file path.
* @param trustStoreFile the truststore
*/
public void setTrustStoreFile(String trustStoreFile) {
this.trustStoreFile = trustStoreFile;
}
public SwidTagValidator() {
try {
JAXBContext jaxbContext = JAXBContext.newInstance(SwidTagConstants.SCHEMA_PACKAGE);
unmarshaller = jaxbContext.createUnmarshaller();
rimEventLog = "";
certificateFile = "";
trustStoreFile = SwidTagConstants.DEFAULT_KEYSTORE_FILE;
} catch (JAXBException e) {
System.out.println("Error initializing JAXBContext: " + e.getMessage());
}
}
/**
* This method validates the .swidtag file at the given filepath against the
* schema. A successful validation results in the output of the tag's name
* and tagId attributes, otherwise a generic error message is printed.
*
* @param path the location of the file to be validated
*/
public boolean validateSwidTag(String path) {
Document document = unmarshallSwidTag(path);
Element softwareIdentity = (Element) document.getElementsByTagName("SoftwareIdentity").item(0);
StringBuilder si = new StringBuilder("Base RIM detected:\n");
si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n");
si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n");
System.out.println(si.toString());
Element file = (Element) document.getElementsByTagName("File").item(0);
try {
validateFile(file);
} catch (Exception e) {
System.out.println(e.getMessage());
return false;
}
System.out.println("Signature core validity: " + validateSignedXMLDocument(document));
return true;
}
/**
* This method validates a hirs.swid.xjc.File from an indirect payload
*/
private boolean validateFile(Element file) throws Exception {
String filepath;
if (!rimEventLog.isEmpty()) {
filepath = rimEventLog;
} else {
filepath = file.getAttribute(SwidTagConstants.NAME);
}
System.out.println("Support rim found at " + filepath);
if (HashSwid.get256Hash(filepath).equals(
file.getAttribute(SwidTagConstants._SHA256_HASH.getPrefix() + ":" +
SwidTagConstants._SHA256_HASH.getLocalPart()))) {
System.out.println("Support RIM hash verified!" + System.lineSeparator());
return true;
} else {
System.out.println("Support RIM hash does not match Base RIM!" + System.lineSeparator());
return false;
}
}
/**
* This method validates a signed XML document.
* First, the signing certificate is either parsed from the embedded X509Certificate element or
* generated from the Modulus and Exponent elements.
* Next, the signature is inspected for two things:
* 1. valid signature
* 2. valid certificate chain
* @param doc XML document
* @return true if both the signature and cert chain are valid; false otherwise
*/
private boolean validateSignedXMLDocument(Document doc) {
try {
DOMValidateContext context;
CredentialParser cp = new CredentialParser();
X509Certificate signingCert = null;
trustStore = cp.parseCertsFromPEM(trustStoreFile);
X509KeySelector keySelector = new X509KeySelector();
NodeList nodes = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
if (nodes.getLength() == 0) {
throw new Exception("Signature element not found!");
} else {
context = new DOMValidateContext(keySelector, nodes.item(0));
}
NodeList keyName = doc.getElementsByTagName("KeyName");
if (keyName.getLength() > 0) {
String skId = keyName.item(0).getTextContent();
if (skId != null && !skId.isEmpty()) {
for (X509Certificate trustedCert : trustStore) {
String trustedSkId = cp.getCertificateSubjectKeyIdentifier(trustedCert);
if (skId.equals(trustedSkId)) {
signingCert = trustedCert;
break;
}
}
if (signingCert != null) {
context = new DOMValidateContext(signingCert.getPublicKey(),
nodes.item(0));
} else {
System.out.println("Issuer certificate with subject key identifier = "
+ skId + " not found");
System.exit(1);
}
} else {
System.out.println("Base RIM must have a non-empty, non-null " +
"Subject Key Identifier (SKID) in the <KeyName> element");
System.exit(1);
}
}
XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM");
XMLSignature signature = sigFactory.unmarshalXMLSignature(context);
boolean signatureIsValid = signature.validate(context);
System.out.println("Signature validity: " + signatureIsValid);
if (signingCert == null) {
signingCert = keySelector.getSigningCert();
}
cp.setCertificate(signingCert);
System.out.println(System.lineSeparator() + cp.getCertificateAuthorityInfoAccess());
return signatureIsValid;
} catch (FileNotFoundException e) {
System.out.println("Error parsing truststore: " + e.getMessage());
} catch (NoSuchAlgorithmException e) {
System.out.println("Error instantiating a KeyFactory to generate pk: "
+ e.getMessage());
} catch (InvalidKeySpecException e) {
System.out.println("Failed to generate a pk from swidtag: " + e.getMessage());
} catch (MarshalException | XMLSignatureException e) {
System.out.println(e.getMessage());
} catch (Exception e) {
System.out.println(e.getMessage());
}
return false;
}
/**
* This internal class handles parsing the public key from a KeyInfo element.
*/
public class X509KeySelector extends KeySelector {
PublicKey publicKey;
X509Certificate signingCert;
public PublicKey getPublicKey() {
return publicKey;
}
public X509Certificate getSigningCert() {
return signingCert;
}
/**
* This method extracts a public key from either an X509Certificate element
* or a KeyValue element. If the public key's algorithm matches the declared
* algorithm it is returned in a KeySelecctorResult.
* @param keyinfo the KeyInfo element
* @param purpose
* @param algorithm the encapsulating signature's declared signing algorithm
* @param context
* @return a KeySelectorResult if the public key's algorithm matches the declared algorithm
* @throws KeySelectorException if the algorithms do not match
*/
public KeySelectorResult select(final KeyInfo keyinfo,
final KeySelector.Purpose purpose,
final AlgorithmMethod algorithm,
final XMLCryptoContext context)
throws KeySelectorException {
Iterator keyinfoItr = keyinfo.getContent().iterator();
while(keyinfoItr.hasNext()) {
XMLStructure element = (XMLStructure) keyinfoItr.next();
if (element instanceof X509Data) {
X509Data data = (X509Data) element;
Iterator dataItr = data.getContent().iterator();
while (dataItr.hasNext()) {
Object object = dataItr.next();
if (object instanceof X509Certificate) {
X509Certificate embeddedCert = (X509Certificate) object;
try {
if (isCertChainValid(embeddedCert)) {
publicKey = ((X509Certificate) embeddedCert).getPublicKey();
signingCert = embeddedCert;
System.out.println("Certificate chain validity: true");
}
} catch (Exception e) {
System.out.println("Certificate chain invalid: "
+ e.getMessage());
}
}
}
} else if (element instanceof KeyValue) {
try {
PublicKey pk = ((KeyValue) element).getPublicKey();
if (isPublicKeyTrusted(pk)) {
publicKey = pk;
try {
System.out.println("Certificate chain validity: "
+ isCertChainValid(signingCert));
} catch (Exception e) {
System.out.println("Certificate chain invalid: "
+ e.getMessage());
}
}
} catch (KeyException e) {
System.out.println("Unable to convert KeyValue data to PK.");
}
}
if (publicKey != null) {
if (areAlgorithmsEqual(algorithm.getAlgorithm(), publicKey.getAlgorithm())) {
return new
SwidTagValidator.X509KeySelector.RIMKeySelectorResult(publicKey);
}
}
}
throw new KeySelectorException("No key found!");
}
/**
* This method checks that the signature and public key algorithms match.
* @param uri to match the signature algorithm
* @param name to match the public key algorithm
* @return true if both match, false otherwise
*/
public boolean areAlgorithmsEqual(String uri, String name) {
return uri.equals(SwidTagConstants.SIGNATURE_ALGORITHM_RSA_SHA256)
&& name.equalsIgnoreCase("RSA");
}
/**
* This method validates the cert chain for a given certificate. The truststore is iterated
* over until a root CA is found, otherwise an error is returned.
* @param cert the certificate at the start of the chain
* @return true if the chain is valid
* @throws Exception if a valid chain is not found in the truststore
*/
private boolean isCertChainValid(final X509Certificate cert)
throws Exception {
if (cert == null || trustStore == null) {
throw new Exception("Null certificate or truststore received");
} else if (trustStore.size() == 0) {
throw new Exception("Truststore is empty");
}
final String INT_CA_ERROR = "Intermediate CA found, searching for root CA";
String errorMessage = "";
X509Certificate startOfChain = cert;
do {
for (X509Certificate trustedCert : trustStore) {
boolean isIssuer = areYouMyIssuer(startOfChain, trustedCert);
boolean isSigner = areYouMySigner(startOfChain, trustedCert);
if (isIssuer && isSigner) {
if (isSelfSigned(trustedCert)) {
return true;
} else {
startOfChain = trustedCert;
errorMessage = INT_CA_ERROR;
break;
}
} else {
if (!isIssuer) {
errorMessage = "Issuer cert not found";
} else if (!isSigner) {
errorMessage = "Signing cert not found";
}
}
}
} while (errorMessage.equals(INT_CA_ERROR));
throw new Exception("Error while validating cert chain: " + errorMessage);
}
/**
* This method checks if cert's issuerDN matches issuer's subjectDN.
* @param cert the signed certificate
* @param issuer the signing certificate
* @return true if they match, false if not
* @throws Exception if either argument is null
*/
private boolean areYouMyIssuer(final X509Certificate cert, final X509Certificate issuer)
throws Exception {
if (cert == null || issuer == null) {
throw new Exception("Cannot verify issuer, null certificate received");
}
X500Principal issuerDN = new X500Principal(cert.getIssuerX500Principal().getName());
return issuer.getSubjectX500Principal().equals(issuerDN);
}
/**
* This method checks if cert's signature matches signer's public key.
* @param cert the signed certificate
* @param signer the signing certificate
* @return true if they match
* @throws Exception if an error occurs or there is no match
*/
private boolean areYouMySigner(final X509Certificate cert, final X509Certificate signer)
throws Exception {
if (cert == null || signer == null) {
throw new Exception("Cannot verify signature, null certificate received");
}
try {
cert.verify(signer.getPublicKey(), BouncyCastleProvider.PROVIDER_NAME);
return true;
} catch (NoSuchAlgorithmException e) {
throw new Exception("Signing algorithm in signing cert not supported");
} catch (InvalidKeyException e) {
throw new Exception("Signing certificate key does not match signature");
} catch (NoSuchProviderException e) {
throw new Exception("Error with BouncyCastleProvider: " + e.getMessage());
} catch (SignatureException e) {
String error = "Error with signature: " + e.getMessage()
+ System.lineSeparator()
+ "Certificate needed for verification is missing: "
+ signer.getSubjectX500Principal().getName();
throw new Exception(error);
} catch (CertificateException e) {
throw new Exception("Encoding error: " + e.getMessage());
}
}
/**
* This method checks if a given certificate is self signed or not.
* @param cert the cert to check
* @return true if self signed, false if not
*/
private boolean isSelfSigned(final X509Certificate cert) {
return cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal());
}
/**
* This method compares a public key against those in the truststore.
* @param pk a public key
* @return true if pk is found in the trust store, false otherwise
*/
private boolean isPublicKeyTrusted(final PublicKey pk) {
for (X509Certificate trustedCert : trustStore) {
if (Arrays.equals(trustedCert.getPublicKey().getEncoded(),
pk.getEncoded())) {
signingCert = trustedCert;
return true;
}
}
return false;
}
private class RIMKeySelectorResult implements KeySelectorResult {
private Key key;
public RIMKeySelectorResult(Key key) {
this.key = key;
}
public Key getKey() {
return key;
}
}
}
/**
* This method unmarshalls the swidtag found at [path] into a Document object
* and validates it according to the schema.
*
* @param path to the input swidtag
* @return the SoftwareIdentity element at the root of the swidtag
* @throws IOException if the swidtag cannot be unmarshalled or validated
*/
private Document unmarshallSwidTag(String path) {
InputStream is = null;
Document document = null;
try {
document = removeXMLWhitespace(path);
is = SwidTagGateway.class.getClassLoader().getResourceAsStream(SwidTagConstants.SCHEMA_URL);
SchemaFactory schemaFactory = SchemaFactory.newInstance(SwidTagConstants.SCHEMA_LANGUAGE);
Schema schema = schemaFactory.newSchema(new StreamSource(is));
unmarshaller.setSchema(schema);
unmarshaller.unmarshal(document);
} catch (IOException e) {
System.out.println(e.getMessage());
} catch (SAXException e) {
System.out.println("Error setting schema for validation!");
} catch (UnmarshalException e) {
System.out.println("Error validating swidtag file!");
} catch (IllegalArgumentException e) {
System.out.println("Input file empty.");
} catch (JAXBException e) {
e.printStackTrace();
} finally {
if (is != null) {
try {
is.close();
} catch (IOException e) {
System.out.println("Error closing input stream");
}
}
}
return document;
}
/**
* This method strips all whitespace from an xml file, including indents and spaces
* added for human-readability.
* @param path to the xml file
* @return Document object without whitespace
*/
private Document removeXMLWhitespace(String path) throws IOException {
TransformerFactory tf = TransformerFactory.newInstance();
Source source = new StreamSource(
SwidTagGateway.class.getClassLoader().getResourceAsStream("identity_transform.xslt"));
Document document = null;
File input = new File(path);
if (input.length() > 0) {
try {
Transformer transformer = tf.newTransformer(source);
DOMResult result = new DOMResult();
transformer.transform(new StreamSource(input), result);
document = (Document) result.getNode();
} catch (TransformerConfigurationException e) {
System.out.println("Error configuring transformer!");
e.printStackTrace();
} catch (TransformerException e) {
System.out.println("Error transforming input!");
e.printStackTrace();
}
} else {
throw new IOException("Input file is empty!");
}
return document;
}
}

View File

@ -1,5 +1,7 @@
package hirs.swid;
import hirs.utils.rim.ReferenceManifestValidator;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
@ -12,7 +14,7 @@ import org.testng.annotations.Test;
public class TestSwidTagGateway {
private SwidTagGateway gateway;
private SwidTagValidator validator;
private ReferenceManifestValidator validator;
private final String DEFAULT_OUTPUT = "generated_swidTag.swidtag";
private final String BASE_USER_CERT = "generated_user_cert.swidtag";
private final String BASE_USER_CERT_EMBED = "generated_user_cert_embed.swidtag";
@ -40,7 +42,7 @@ public class TestSwidTagGateway {
gateway = new SwidTagGateway();
gateway.setRimEventLog(SUPPORT_RIM_FILE);
gateway.setAttributesFile(ATTRIBUTES_FILE);
validator = new SwidTagValidator();
validator = new ReferenceManifestValidator();
validator.setRimEventLog(SUPPORT_RIM_FILE);
validator.setTrustStoreFile(CA_CHAIN_FILE);
}
@ -67,7 +69,7 @@ public class TestSwidTagGateway {
expectedFile = TestSwidTagGateway.class.getClassLoader()
.getResourceAsStream(BASE_USER_CERT);
Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT));
Assert.assertTrue(validator.validateSwidtagFile(DEFAULT_OUTPUT));
}
/**
@ -86,7 +88,7 @@ public class TestSwidTagGateway {
expectedFile = TestSwidTagGateway.class.getClassLoader()
.getResourceAsStream(BASE_USER_CERT_EMBED);
Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT));
Assert.assertTrue(validator.validateSwidtagFile(DEFAULT_OUTPUT));
}
/**
@ -101,7 +103,7 @@ public class TestSwidTagGateway {
expectedFile = TestSwidTagGateway.class.getClassLoader()
.getResourceAsStream(BASE_DEFAULT_CERT);
Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT));
Assert.assertTrue(validator.validateSwidtagFile(DEFAULT_OUTPUT));
}
/**
@ -118,7 +120,7 @@ public class TestSwidTagGateway {
expectedFile = TestSwidTagGateway.class.getClassLoader()
.getResourceAsStream(BASE_RFC3339_TIMESTAMP);
Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT));
Assert.assertTrue(validator.validateSwidtagFile(DEFAULT_OUTPUT));
}
/**
@ -135,7 +137,7 @@ public class TestSwidTagGateway {
expectedFile = TestSwidTagGateway.class.getClassLoader()
.getResourceAsStream(BASE_RFC3852_TIMESTAMP);
Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
Assert.assertTrue(validator.validateSwidTag(DEFAULT_OUTPUT));
Assert.assertTrue(validator.validateSwidtagFile(DEFAULT_OUTPUT));
}
/**
@ -143,11 +145,11 @@ public class TestSwidTagGateway {
* -v <path>
*/
public void testValidateSwidTag() {
public void testvalidateSwidtagFile() {
String filepath = TestSwidTagGateway.class.getClassLoader()
.getResource(BASE_USER_CERT).getPath();
System.out.println("Validating file at " + filepath);
Assert.assertTrue(validator.validateSwidTag(filepath));
Assert.assertTrue(validator.validateSwidtagFile(filepath));
}
/**