ReferenceManifestValidator trustStore not populated during provision

This commit is contained in:
iadgovuser29 2024-06-18 17:03:51 -04:00 committed by chubtub
parent c6a665da78
commit 77cd6597ff


@ -23,9 +23,8 @@ import java.nio.charset.StandardCharsets;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.util.HashMap; import java.security.cert.X509Certificate;
import java.util.LinkedList; import java.util.*;
import java.util.List;
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL;
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS;
@ -106,6 +105,19 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
signingCert = cert; signingCert = cert;
KeyStore keyStore = ValidationService.getCaChain(signingCert, KeyStore keyStore = ValidationService.getCaChain(signingCert,
caCredentialRepository); caCredentialRepository);
Set<CertificateAuthorityCredential> set = ValidationService.getCaChainRec(signingCert,
Collections.emptySet(),
caCredentialRepository);
ArrayList<X509Certificate> certs = new ArrayList<>(set.size());
for (CertificateAuthorityCredential cac : set) {
try {
certs.add(cac.getX509Certificate());
} catch (IOException e) {
log.error("Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": "
+ e.getMessage());
}
}
referenceManifestValidator.setTrustStore(certs);
try { try {
if (referenceManifestValidator.validateXmlSignature(signingCert.getX509Certificate().getPublicKey(), if (referenceManifestValidator.validateXmlSignature(signingCert.getX509Certificate().getPublicKey(),
signingCert.getSubjectKeyIdString(), signingCert.getEncodedPublicKey())) { signingCert.getSubjectKeyIdString(), signingCert.getEncodedPublicKey())) {
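Review bot: The `catch (IOException e)` inside the loop logs and continues, so a CA credential that fails to decode is silently dropped and `referenceManifestValidator.setTrustStore(certs)` is handed an incomplete chain; a chain that cannot be fully built should be treated as a validation failure rather than installed as a partial trust store. The log call also discards the exception object, keeping only its message; pass it as the last argument so the stack trace is retained, `log.error("Error building CA chain for {}", signingCert.getSubjectKeyIdentifier(), e);` (assuming a parameterized logger). `keyStore` from `ValidationService.getCaChain` and the new `getCaChainRec` call appear to compute the same chain twice; if `keyStore` is no longer read further down, one of the two can go. `Collections.emptySet()` is immutable, so this relies on `getCaChainRec` never adding to the set it receives — worth confirming against its implementation. The enclosing method starts and ends outside the hunk.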