Search for signing cert by SKID instead of PK

tools/tcg_rim_tool/src/main/java/hirs/swid/CredentialParser.java

@@ -273,8 +273,8 @@ public class CredentialParser {
     }
 
     /**
-     * This method returns the subjectKeyIdentifier from an X509Certificate.
-     * @return
+     * This method returns the subjectKeyIdentifier from the local X509Certificate.
+     * @return the String representation of the subjectKeyIdentifier
      * @throws IOException
      */
     public String getCertificateSubjectKeyIdentifier() throws IOException {
@@ -285,4 +285,19 @@ public class CredentialParser {
         }
         return decodedValue.substring(1);//Drop the # at the beginning of the string
     }
+
+    /**
+     * This method returns the subjectKeyIdentifier from a given X509Certificate.
+     * @param certificate the cert to pull the subjectKeyIdentifier from
+     * @return the String representation of the subjectKeyIdentifier
+     * @throws IOException
+     */
+    public String getCertificateSubjectKeyIdentifier(X509Certificate certificate) throws IOException {
+        String decodedValue = null;
+        byte[] extension = certificate.getExtensionValue(Extension.subjectKeyIdentifier.getId());
+        if (extension != null && extension.length > 0) {
+            decodedValue = JcaX509ExtensionUtils.parseExtensionValue(extension).toString();
+        }
+        return decodedValue.substring(1);//Drop the # at the beginning of the string
+    }
 }

tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java

@@ -168,10 +168,12 @@ public class SwidTagValidator {
                 context = new DOMValidateContext(new X509KeySelector(), nodes.item(0));
                 signingCert = cp.parseCertFromPEMString(embeddedCert.item(0).getTextContent());
             } else {
-                PublicKey pk = getPKFromKeyValue(doc);
+                String skId = doc.getElementsByTagName("KeyName").item(0).getTextContent();
                 for (X509Certificate trustedCert : trustStore) {
-                    if (Arrays.equals(pk.getEncoded(), trustedCert.getPublicKey().getEncoded())) {
+                    String trustedSkId = cp.getCertificateSubjectKeyIdentifier(trustedCert);
+                    if (skId.equals(trustedSkId)) {
                         signingCert = trustedCert;
+                        break;
                     }
                 }
                 if (signingCert == null) {
@@ -205,27 +207,6 @@ public class SwidTagValidator {
         return false;
     }
 
-    /**
-     * This method generates a public key from the modulus and exponent elements
-     * parsed from a signed swidtag.
-     * @param doc Document object containing the swidtag
-     * @return the generated PublicKey object
-     * @throws NoSuchAlgorithmException if the KeyFactory instance fails to instantiate
-     * @throws InvalidKeySpecException if the KeyFactory fails to generate the public key
-     */
-    private PublicKey getPKFromKeyValue(Document doc)
-            throws NoSuchAlgorithmException, InvalidKeySpecException {
-        Node modulusElement = doc.getElementsByTagName("Modulus").item(0);
-        Node exponentElement = doc.getElementsByTagName("Exponent").item(0);
-        BigInteger modulus = new BigInteger(
-                Base64.getMimeDecoder().decode(modulusElement.getTextContent()));
-        BigInteger exponent = new BigInteger(
-                Base64.getMimeDecoder().decode(exponentElement.getTextContent()));
-        RSAPublicKeySpec keySpec = new RSAPublicKeySpec(modulus, exponent);
-        KeyFactory factory = KeyFactory.getInstance("RSA");
-        return factory.generatePublic(keySpec);
-    }
-
     /**
      * This method validates the cert chain for a given certificate. The truststore is iterated
      * over until a root CA is found, otherwise an error is returned.