Modify ReferenceManifestDetailsPageController class to include cert path check in reporting RIM signature validity.

HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java

@@ -92,6 +92,14 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
     private static final Logger LOGGER
             = LogManager.getLogger(SupplyChainValidationServiceImpl.class);
 
+    /**
+     * Constructor to set just the CertificateManager, so that cert chain validating
+     * methods can be called from outside classes.
+     */
+    public SupplyChainValidationServiceImpl(final CertificateManager certificateManager) {
+        this.certificateManager = certificateManager;
+    }
+
     /**
      * Constructor.
      *
@@ -426,14 +434,9 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                 if (Arrays.equals(cert.getEncodedPublicKey(),
                         referenceManifestValidator.getPublicKey().getEncoded())) {
                     signingCert = cert;
-                    break;
-                }
-            }
                     KeyStore keyStore = getCaChain(signingCert);
                     try {
-                X509Certificate x509Cert = CertificateAuthorityCredential.select(certificateManager)
+                        X509Certificate x509Cert = signingCert.getX509Certificate();
-                        .bySubjectKeyIdentifier(signingCert.getSubjectKeyIdentifier())
-                        .getX509Certificate();
                         if (!SupplyChainCredentialValidator.verifyCertificate(x509Cert, keyStore)) {
                             passed = false;
                             fwStatus = new AppraisalStatus(FAIL,
@@ -444,7 +447,14 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                     } catch (SupplyChainValidatorException e) {
                         LOGGER.error("Error validating cert against keystore: " + e.getMessage());
                     }
-
+                    break;
+                }
+            }
+            if (signingCert == null) {
+                passed = false;
+                fwStatus = new AppraisalStatus(FAIL,
+                        "Firmware validation failed: signing cert not found.");
+            }
 
             if (!referenceManifestValidator.isSignatureValid()) {
                 passed = false;

HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java

@@ -4,6 +4,7 @@ import hirs.attestationca.portal.page.Page;
 import hirs.attestationca.portal.page.PageController;
 import hirs.attestationca.portal.page.PageMessages;
 import hirs.attestationca.portal.page.params.ReferenceManifestDetailsPageParams;
+import hirs.attestationca.service.SupplyChainValidationServiceImpl;
 import hirs.data.persist.BaseReferenceManifest;
 import hirs.data.persist.EventLogMeasurements;
 import hirs.data.persist.ReferenceManifest;
@@ -16,6 +17,8 @@ import hirs.persist.ReferenceManifestManager;
 import hirs.tpm.eventlog.TCGEventLog;
 import hirs.tpm.eventlog.TpmPcrEvent;
 import hirs.utils.ReferenceManifestValidator;
+import hirs.validation.SupplyChainCredentialValidator;
+import hirs.validation.SupplyChainValidatorException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -26,8 +29,10 @@ import org.springframework.web.servlet.ModelAndView;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.LinkedList;
@@ -277,12 +282,33 @@ public class ReferenceManifestDetailsPageController
         }
 
         RIM_VALIDATOR.validateXmlSignature(new ByteArrayInputStream(baseRim.getRimBytes()));
-        data.put("signatureValid", RIM_VALIDATOR.isSignatureValid());
-        data.put("skID", RIM_VALIDATOR.getSubjectKeyIdentifier());
-        try {
         Set<CertificateAuthorityCredential> certificates =
                 CertificateAuthorityCredential.select(certificateManager)
                         .getCertificates();
+        //Report invalid signature unless RIM_VALIDATOR validates it and cert path is valid
+        data.put("signatureValid", false);
+        if (RIM_VALIDATOR.isSignatureValid()) {
+            for (CertificateAuthorityCredential cert : certificates) {
+                if (Arrays.equals(cert.getEncodedPublicKey(),
+                        RIM_VALIDATOR.getPublicKey().getEncoded())) {
+                    SupplyChainValidationServiceImpl scvsImpl =
+                            new SupplyChainValidationServiceImpl(certificateManager);
+                    KeyStore keystore = scvsImpl.getCaChain(cert);
+                    X509Certificate signingCert = cert.getX509Certificate();
+                    try {
+                        if (SupplyChainCredentialValidator.verifyCertificate(signingCert,
+                                                                                keystore)) {
+                            data.replace("signatureValid", true);
+                        }
+                    } catch (SupplyChainValidatorException e) {
+                        LOGGER.error("Error verifying cert chain: " + e.getMessage());
+                    }
+                    break;
+                }
+            }
+        }
+        data.put("skID", RIM_VALIDATOR.getSubjectKeyIdentifier());
+        try {
             for (CertificateAuthorityCredential cert : certificates) {
                 if (Arrays.equals(cert.getEncodedPublicKey(),
                         RIM_VALIDATOR.getPublicKey().getEncoded())) {