Merge branch 'master' into client-display-log-mismatch

This commit is contained in:
Cyrus 2020-11-06 09:17:38 -05:00
commit 9aa2c6a46d
6 changed files with 561 additions and 99 deletions

View File

@ -1,5 +1,6 @@
package hirs.attestationca.service; package hirs.attestationca.service;
import java.io.ByteArrayInputStream;
import java.io.IOException; import java.io.IOException;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.KeyStoreException; import java.security.KeyStoreException;
@ -9,11 +10,13 @@ import java.security.cert.CertificateException;
import hirs.data.persist.BaseReferenceManifest; import hirs.data.persist.BaseReferenceManifest;
import hirs.data.persist.EventLogMeasurements; import hirs.data.persist.EventLogMeasurements;
import hirs.data.persist.SupportReferenceManifest; import hirs.data.persist.SupportReferenceManifest;
import hirs.data.persist.SwidResource;
import hirs.data.persist.TPMMeasurementRecord; import hirs.data.persist.TPMMeasurementRecord;
import hirs.data.persist.PCRPolicy; import hirs.data.persist.PCRPolicy;
import hirs.data.persist.ArchivableEntity; import hirs.data.persist.ArchivableEntity;
import hirs.tpm.eventlog.TCGEventLog; import hirs.tpm.eventlog.TCGEventLog;
import hirs.tpm.eventlog.TpmPcrEvent; import hirs.tpm.eventlog.TpmPcrEvent;
import hirs.utils.ReferenceManifestValidator;
import hirs.validation.SupplyChainCredentialValidator; import hirs.validation.SupplyChainCredentialValidator;
import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.Logger;
@ -93,11 +96,12 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
* @param supplyChainCredentialValidator the credential validator * @param supplyChainCredentialValidator the credential validator
*/ */
@Autowired @Autowired
public SupplyChainValidationServiceImpl(final PolicyManager policyManager, public SupplyChainValidationServiceImpl(
final AppraiserManager appraiserManager, final CertificateManager certificateManager, final PolicyManager policyManager, final AppraiserManager appraiserManager,
final ReferenceManifestManager referenceManifestManager, final CertificateManager certificateManager,
final CrudManager<SupplyChainValidationSummary> supplyChainValidatorSummaryManager, final ReferenceManifestManager referenceManifestManager,
final CredentialValidator supplyChainCredentialValidator) { final CrudManager<SupplyChainValidationSummary> supplyChainValidatorSummaryManager,
final CredentialValidator supplyChainCredentialValidator) {
this.policyManager = policyManager; this.policyManager = policyManager;
this.appraiserManager = appraiserManager; this.appraiserManager = appraiserManager;
this.certificateManager = certificateManager; this.certificateManager = certificateManager;
@ -325,7 +329,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
@SuppressWarnings("methodlength") @SuppressWarnings("methodlength")
private SupplyChainValidation validateFirmware(final Device device, private SupplyChainValidation validateFirmware(final Device device,
final PCRPolicy pcrPolicy) { final PCRPolicy pcrPolicy) {
boolean passed = true; boolean passed = true;
String[] baseline = new String[Integer.SIZE]; String[] baseline = new String[Integer.SIZE];
Level level = Level.ERROR; Level level = Level.ERROR;
@ -341,6 +344,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
.byManufacturer(manufacturer).getRIM(); .byManufacturer(manufacturer).getRIM();
supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager) supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager)
.byManufacturer(manufacturer).getRIM(); .byManufacturer(manufacturer).getRIM();
List<SwidResource> resources =
((BaseReferenceManifest) baseReferenceManifest).parseResource();
measurement = EventLogMeasurements.select(referenceManifestManager) measurement = EventLogMeasurements.select(referenceManifestManager)
.byManufacturer(manufacturer).includeArchived().getRIM(); .byManufacturer(manufacturer).includeArchived().getRIM();
@ -362,99 +367,128 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
if (passed) { if (passed) {
fwStatus = new AppraisalStatus(PASS, fwStatus = new AppraisalStatus(PASS,
SupplyChainCredentialValidator.FIRMWARE_VALID); SupplyChainCredentialValidator.FIRMWARE_VALID);
TCGEventLog logProcessor;
try { // verify signatures
logProcessor = new TCGEventLog(supportReferenceManifest.getRimBytes()); ReferenceManifestValidator referenceManifestValidator =
baseline = logProcessor.getExpectedPCRValues(); new ReferenceManifestValidator(
} catch (CertificateException cEx) { new ByteArrayInputStream(baseReferenceManifest.getRimBytes()));
LOGGER.error(cEx);
} catch (NoSuchAlgorithmException noSaEx) { for (SwidResource swidRes : resources) {
LOGGER.error(noSaEx); if (swidRes.getName().equals(supportReferenceManifest.getFileName())) {
} catch (IOException ioEx) { referenceManifestValidator.validateSupportRimHash(
LOGGER.error(ioEx); supportReferenceManifest.getRimBytes(), swidRes.getHashValue());
}
} }
// part 1 of firmware validation check: PCR baseline match if (!referenceManifestValidator.isSignatureValid()) {
pcrPolicy.setBaselinePcrs(baseline); passed = false;
fwStatus = new AppraisalStatus(FAIL,
"Firmware validation failed: Signature validation "
+ "failed for Base RIM.");
}
if (baseline.length > 0) { if (passed && !referenceManifestValidator.isSupportRimValid()) {
String pcrContent = ""; passed = false;
pcrContent = new String(device.getDeviceInfo().getTPMInfo().getPcrValues()); fwStatus = new AppraisalStatus(FAIL,
"Firmware validation failed: Hash validation "
+ "failed for Support RIM.");
}
if (pcrContent.isEmpty()) { if (passed) {
fwStatus = new AppraisalStatus(FAIL, TCGEventLog logProcessor;
"Firmware validation failed: Client did not " try {
+ "provide pcr values."); logProcessor = new TCGEventLog(supportReferenceManifest.getRimBytes());
LOGGER.warn(String.format( baseline = logProcessor.getExpectedPCRValues();
"Firmware validation failed: Client (%s) did not " } catch (CertificateException cEx) {
+ "provide pcr values.", device.getName())); LOGGER.error(cEx);
} else { } catch (NoSuchAlgorithmException noSaEx) {
// we have a full set of PCR values LOGGER.error(noSaEx);
int algorithmLength = baseline[0].length(); } catch (IOException ioEx) {
String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength); LOGGER.error(ioEx);
}
if (storedPcrs[0].isEmpty()) { // part 1 of firmware validation check: PCR baseline match
// validation fail pcrPolicy.setBaselinePcrs(baseline);
if (baseline.length > 0) {
String pcrContent = "";
pcrContent = new String(device.getDeviceInfo().getTPMInfo().getPcrValues());
if (pcrContent.isEmpty()) {
fwStatus = new AppraisalStatus(FAIL, fwStatus = new AppraisalStatus(FAIL,
"Firmware validation failed: " "Firmware validation failed: Client did not "
+ "Client provided PCR " + "provide pcr values.");
+ "values are not the same algorithm " LOGGER.warn(String.format(
+ "as associated RIM."); "Firmware validation failed: Client (%s) did not "
+ "provide pcr values.", device.getName()));
} else { } else {
StringBuilder sb = pcrPolicy.validatePcrs(storedPcrs); // we have a full set of PCR values
if (sb.length() > 0) { int algorithmLength = baseline[0].length();
validationObject = supportReferenceManifest; String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength);
level = Level.ERROR;
fwStatus = new AppraisalStatus(FAIL, sb.toString()); if (storedPcrs[0].isEmpty()) {
// validation fail
fwStatus = new AppraisalStatus(FAIL,
"Firmware validation failed: "
+ "Client provided PCR "
+ "values are not the same algorithm "
+ "as associated RIM.");
} else { } else {
level = Level.INFO; StringBuilder sb = pcrPolicy.validatePcrs(storedPcrs);
} if (sb.length() > 0) {
} validationObject = supportReferenceManifest;
// part 2 of firmware validation check: bios measurements level = Level.ERROR;
// vs baseline tcg event log fwStatus = new AppraisalStatus(FAIL, sb.toString());
// find the measurement } else {
TCGEventLog tcgEventLog; level = Level.INFO;
TCGEventLog tcgMeasurementLog;
LinkedList<TpmPcrEvent> tpmPcrEvents = new LinkedList<>();
try {
if (measurement.getPlatformManufacturer().equals(manufacturer)) {
tcgMeasurementLog = new TCGEventLog(measurement.getRimBytes());
tcgEventLog = new TCGEventLog(
supportReferenceManifest.getRimBytes());
for (TpmPcrEvent tpe : tcgEventLog.getEventList()) {
if (!tpe.eventCompare(
tcgMeasurementLog.getEventByNumber(
tpe.getEventNumber()))) {
tpmPcrEvents.add(tpe);
}
} }
} }
} catch (CertificateException cEx) { // part 2 of firmware validation check: bios measurements
LOGGER.error(cEx); // vs baseline tcg event log
} catch (NoSuchAlgorithmException noSaEx) { // find the measurement
LOGGER.error(noSaEx); TCGEventLog tcgEventLog;
} catch (IOException ioEx) { TCGEventLog tcgMeasurementLog;
LOGGER.error(ioEx); LinkedList<TpmPcrEvent> tpmPcrEvents = new LinkedList<>();
} try {
if (measurement.getPlatformManufacturer().equals(manufacturer)) {
tcgMeasurementLog = new TCGEventLog(measurement.getRimBytes());
tcgEventLog = new TCGEventLog(
supportReferenceManifest.getRimBytes());
for (TpmPcrEvent tpe : tcgEventLog.getEventList()) {
if (!tpe.eventCompare(
tcgMeasurementLog.getEventByNumber(
tpe.getEventNumber()))) {
tpmPcrEvents.add(tpe);
}
}
}
} catch (CertificateException cEx) {
LOGGER.error(cEx);
} catch (NoSuchAlgorithmException noSaEx) {
LOGGER.error(noSaEx);
} catch (IOException ioEx) {
LOGGER.error(ioEx);
}
if (!tpmPcrEvents.isEmpty()) { if (!tpmPcrEvents.isEmpty()) {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
validationObject = measurement; validationObject = measurement;
for (TpmPcrEvent tpe : tpmPcrEvents) { for (TpmPcrEvent tpe : tpmPcrEvents) {
sb.append(String.format("Event %s - %s%n", sb.append(String.format("Event %s - %s%n",
tpe.getEventNumber(), tpe.getEventNumber(),
tpe.getEventTypeStr())); tpe.getEventTypeStr()));
} }
if (fwStatus.getAppStatus().equals(FAIL)) { if (fwStatus.getAppStatus().equals(FAIL)) {
fwStatus = new AppraisalStatus(FAIL, String.format("%s%n%s", fwStatus = new AppraisalStatus(FAIL, String.format("%s%n%s",
fwStatus.getMessage(), sb.toString())); fwStatus.getMessage(), sb.toString()));
} else { } else {
fwStatus = new AppraisalStatus(FAIL, sb.toString()); fwStatus = new AppraisalStatus(FAIL, sb.toString());
}
} }
} }
} else {
fwStatus = new AppraisalStatus(FAIL, "The RIM baseline could not be found.");
} }
} else {
fwStatus = new AppraisalStatus(FAIL, "The RIM baseline could not be found.");
} }
} else { } else {
fwStatus = new AppraisalStatus(FAIL, String.format("Firmware Validation failed: " fwStatus = new AppraisalStatus(FAIL, String.format("Firmware Validation failed: "
@ -585,8 +619,9 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
} }
} }
private SupplyChainValidation validatePlatformCredential(final PlatformCredential pc, private SupplyChainValidation validatePlatformCredential(
final KeyStore trustedCertificateAuthority, final boolean acceptExpiredCerts) { final PlatformCredential pc,
final KeyStore trustedCertificateAuthority, final boolean acceptExpiredCerts) {
final SupplyChainValidation.ValidationType validationType final SupplyChainValidation.ValidationType validationType
= SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL; = SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL;

View File

@ -5,6 +5,9 @@ import hirs.data.persist.EventLogMeasurements;
import hirs.data.persist.ReferenceManifest; import hirs.data.persist.ReferenceManifest;
import hirs.data.persist.SupportReferenceManifest; import hirs.data.persist.SupportReferenceManifest;
import hirs.data.persist.SwidResource; import hirs.data.persist.SwidResource;
import hirs.data.persist.certificate.Certificate;
import hirs.data.persist.certificate.CertificateAuthorityCredential;
import hirs.persist.CertificateManager;
import hirs.persist.DBManagerException; import hirs.persist.DBManagerException;
import hirs.persist.ReferenceManifestManager; import hirs.persist.ReferenceManifestManager;
import hirs.tpm.eventlog.TCGEventLog; import hirs.tpm.eventlog.TCGEventLog;
@ -13,6 +16,7 @@ import hirs.attestationca.portal.page.PageController;
import hirs.attestationca.portal.page.PageMessages; import hirs.attestationca.portal.page.PageMessages;
import hirs.attestationca.portal.page.params.ReferenceManifestDetailsPageParams; import hirs.attestationca.portal.page.params.ReferenceManifestDetailsPageParams;
import java.io.ByteArrayInputStream;
import java.io.IOException; import java.io.IOException;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
@ -25,6 +29,7 @@ import java.util.Map;
import java.util.UUID; import java.util.UUID;
import hirs.tpm.eventlog.TpmPcrEvent; import hirs.tpm.eventlog.TpmPcrEvent;
import hirs.utils.ReferenceManifestValidator;
import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
@ -42,19 +47,25 @@ public class ReferenceManifestDetailsPageController
extends PageController<ReferenceManifestDetailsPageParams> { extends PageController<ReferenceManifestDetailsPageParams> {
private final ReferenceManifestManager referenceManifestManager; private final ReferenceManifestManager referenceManifestManager;
private final CertificateManager certificateManager;
private static final ReferenceManifestValidator RIM_VALIDATOR
= new ReferenceManifestValidator();
private static final Logger LOGGER private static final Logger LOGGER
= LogManager.getLogger(ReferenceManifestDetailsPageController.class); = LogManager.getLogger(ReferenceManifestDetailsPageController.class);
/** /**
* Constructor providing the Page's display and routing specification. * Constructor providing the Page's display and routing specification.
* *
* @param referenceManifestManager the reference manifest manager * @param referenceManifestManager the reference manifest manager.
* @param certificateManager the certificate manager.
*/ */
@Autowired @Autowired
public ReferenceManifestDetailsPageController( public ReferenceManifestDetailsPageController(
final ReferenceManifestManager referenceManifestManager) { final ReferenceManifestManager referenceManifestManager,
final CertificateManager certificateManager) {
super(Page.RIM_DETAILS); super(Page.RIM_DETAILS);
this.referenceManifestManager = referenceManifestManager; this.referenceManifestManager = referenceManifestManager;
this.certificateManager = certificateManager;
} }
/** /**
@ -84,7 +95,7 @@ public class ReferenceManifestDetailsPageController
} else { } else {
try { try {
UUID uuid = UUID.fromString(params.getId()); UUID uuid = UUID.fromString(params.getId());
data.putAll(getRimDetailInfo(uuid, referenceManifestManager)); data.putAll(getRimDetailInfo(uuid, referenceManifestManager, certificateManager));
} catch (IllegalArgumentException iaEx) { } catch (IllegalArgumentException iaEx) {
String uuidError = "Failed to parse ID from: " + params.getId(); String uuidError = "Failed to parse ID from: " + params.getId();
messages.addError(uuidError); messages.addError(uuidError);
@ -112,14 +123,15 @@ public class ReferenceManifestDetailsPageController
* *
* @param uuid database reference for the requested RIM. * @param uuid database reference for the requested RIM.
* @param referenceManifestManager the reference manifest manager. * @param referenceManifestManager the reference manifest manager.
* @param certificateManager the certificate manager.
* @return mapping of the RIM information from the database. * @return mapping of the RIM information from the database.
* @throws java.io.IOException error for reading file bytes. * @throws java.io.IOException error for reading file bytes.
* @throws NoSuchAlgorithmException If an unknown Algorithm is encountered. * @throws NoSuchAlgorithmException If an unknown Algorithm is encountered.
* @throws CertificateException if a certificate doesn't parse. * @throws CertificateException if a certificate doesn't parse.
*/ */
private HashMap<String, Object> getRimDetailInfo( public static HashMap<String, Object> getRimDetailInfo(final UUID uuid,
final UUID uuid, final ReferenceManifestManager referenceManifestManager,
final ReferenceManifestManager referenceManifestManager) throws IOException, final CertificateManager certificateManager) throws IOException,
CertificateException, NoSuchAlgorithmException { CertificateException, NoSuchAlgorithmException {
HashMap<String, Object> data = new HashMap<>(); HashMap<String, Object> data = new HashMap<>();
@ -127,7 +139,7 @@ public class ReferenceManifestDetailsPageController
.byEntityId(uuid).getRIM(); .byEntityId(uuid).getRIM();
if (bRim != null) { if (bRim != null) {
data.putAll(getBaseRimInfo(bRim, referenceManifestManager)); data.putAll(getBaseRimInfo(bRim, referenceManifestManager, certificateManager));
} }
SupportReferenceManifest sRim = SupportReferenceManifest.select(referenceManifestManager) SupportReferenceManifest sRim = SupportReferenceManifest.select(referenceManifestManager)
@ -153,14 +165,16 @@ public class ReferenceManifestDetailsPageController
* *
* @param baseRim established ReferenceManifest Type. * @param baseRim established ReferenceManifest Type.
* @param referenceManifestManager the reference manifest manager. * @param referenceManifestManager the reference manifest manager.
* @param certificateManager the certificate manager.
* @return mapping of the RIM information from the database. * @return mapping of the RIM information from the database.
* @throws java.io.IOException error for reading file bytes. * @throws java.io.IOException error for reading file bytes.
* @throws NoSuchAlgorithmException If an unknown Algorithm is encountered. * @throws NoSuchAlgorithmException If an unknown Algorithm is encountered.
* @throws CertificateException if a certificate doesn't parse. * @throws CertificateException if a certificate doesn't parse.
*/ */
private HashMap<String, Object> getBaseRimInfo( private static HashMap<String, Object> getBaseRimInfo(
final BaseReferenceManifest baseRim, final BaseReferenceManifest baseRim,
final ReferenceManifestManager referenceManifestManager) final ReferenceManifestManager referenceManifestManager,
final CertificateManager certificateManager)
throws IOException, CertificateException, NoSuchAlgorithmException { throws IOException, CertificateException, NoSuchAlgorithmException {
HashMap<String, Object> data = new HashMap<>(); HashMap<String, Object> data = new HashMap<>();
@ -228,6 +242,13 @@ public class ReferenceManifestDetailsPageController
for (SwidResource swidRes : resources) { for (SwidResource swidRes : resources) {
if (support != null && swidRes.getName() if (support != null && swidRes.getName()
.equals(support.getFileName())) { .equals(support.getFileName())) {
RIM_VALIDATOR.validateSupportRimHash(support.getRimBytes(),
swidRes.getHashValue());
if (RIM_VALIDATOR.isSupportRimValid()) {
data.put("supportRimHashValid", true);
} else {
data.put("supportRimHashValid", false);
}
swidRes.setPcrValues(Arrays.asList( swidRes.setPcrValues(Arrays.asList(
logProcessor.getExpectedPCRValues())); logProcessor.getExpectedPCRValues()));
break; break;
@ -239,6 +260,20 @@ public class ReferenceManifestDetailsPageController
data.put("associatedRim", baseRim.getAssociatedRim()); data.put("associatedRim", baseRim.getAssociatedRim());
data.put("swidFiles", resources); data.put("swidFiles", resources);
RIM_VALIDATOR.validateXmlSignature(new ByteArrayInputStream(baseRim.getRimBytes()));
data.put("signatureValid", RIM_VALIDATOR.isSignatureValid());
if (RIM_VALIDATOR.isSignatureValid()) {
LOGGER.info("Public key: " + RIM_VALIDATOR.getPublicKey().toString());
try {
Certificate certificate =
CertificateAuthorityCredential.select(certificateManager)
.byEncodedPublicKey(RIM_VALIDATOR.getPublicKey().getEncoded())
.getCertificate();
data.put("issuerID", certificate.getId().toString());
} catch (NullPointerException e) {
LOGGER.info("Unable to get signing certificate link: " + e.getMessage());
}
}
return data; return data;
} }
@ -253,7 +288,7 @@ public class ReferenceManifestDetailsPageController
* @throws NoSuchAlgorithmException If an unknown Algorithm is encountered. * @throws NoSuchAlgorithmException If an unknown Algorithm is encountered.
* @throws CertificateException if a certificate doesn't parse. * @throws CertificateException if a certificate doesn't parse.
*/ */
private HashMap<String, Object> getSupportRimInfo( private static HashMap<String, Object> getSupportRimInfo(
final SupportReferenceManifest support, final SupportReferenceManifest support,
final ReferenceManifestManager referenceManifestManager) final ReferenceManifestManager referenceManifestManager)
throws IOException, CertificateException, NoSuchAlgorithmException { throws IOException, CertificateException, NoSuchAlgorithmException {
@ -310,7 +345,7 @@ public class ReferenceManifestDetailsPageController
* @throws NoSuchAlgorithmException If an unknown Algorithm is encountered. * @throws NoSuchAlgorithmException If an unknown Algorithm is encountered.
* @throws CertificateException if a certificate doesn't parse. * @throws CertificateException if a certificate doesn't parse.
*/ */
private HashMap<String, Object> getMeasurementsRimInfo( private static HashMap<String, Object> getMeasurementsRimInfo(
final EventLogMeasurements measurements, final EventLogMeasurements measurements,
final ReferenceManifestManager referenceManifestManager) final ReferenceManifestManager referenceManifestManager)
throws IOException, CertificateException, NoSuchAlgorithmException { throws IOException, CertificateException, NoSuchAlgorithmException {

View File

@ -17,7 +17,13 @@
</a> </a>
</jsp:attribute> </jsp:attribute>
<jsp:body> <jsp:body>
<div id="certificate-details-page" class="container-fluid"> <c:set var="passIcon" value="${icons}/ic_checkbox_marked_circle_black_green_24dp.png"/>
<c:set var="failIcon" value="${icons}/ic_error_red_24dp.png"/>
<c:set var="signatureValidText" value="Signature valid!"/>
<c:set var="signatureInvalidText" value="Signature not valid!"/>
<c:set var="supportRimHashValidText" value="Support RIM hash valid!"/>
<c:set var="supportRimHashInvalidText" value="Support RIM hash not valid!"/>
<div id="certificate-details-page" class="container-fluid">
<c:choose> <c:choose>
<c:when test="${initialData.rimType=='Support'}"> <c:when test="${initialData.rimType=='Support'}">
<div class="row"> <div class="row">
@ -248,6 +254,14 @@
<c:choose> <c:choose>
<c:when test="${not empty initialData.associatedRim}"> <c:when test="${not empty initialData.associatedRim}">
<a href="${portal}/rim-details?id=${initialData.associatedRim}">${resource.getName()}</a> <a href="${portal}/rim-details?id=${initialData.associatedRim}">${resource.getName()}</a>
<c:choose>
<c:when test="${not empty initialData.supportRimHashValid}">
<img src="${passIcon}" title="${supportRimHashValidText}"/>
</c:when>
<c:otherwise>
<img src="${failIcon}" title="${supportRimHashInvalidText}"/>
</c:otherwise>
</c:choose>
</c:when> </c:when>
<c:otherwise> <c:otherwise>
${resource.getName()} ${resource.getName()}
@ -314,6 +328,24 @@
</div> </div>
</div> </div>
</div> </div>
<div class="row">
<div class="col-md-1 col-md-offset-1"><span class="colHeader">Signature</span></div>
<div id="signature" class="col col-md-8">
<div>Validity:&nbsp;<span>
<c:choose>
<c:when test="${initialData.signatureValid}">
<img src="${passIcon}" title="${signatureValidText}"/>
<c:if test="${not empty initialData.issuerID}">
<div><a href="${portal}/certificate-details?id=${initialData.issuerID}&type=certificateauthority">Signing certificate</a></div>
</c:if>
</c:when>
<c:otherwise>
<img src="${failIcon}" title="${signatureInvalidText}"/>
</c:otherwise>
</c:choose>
</span></div>
</div>
</div>
</c:otherwise> </c:otherwise>
</c:choose> </c:choose>
</div> </div>

View File

@ -151,6 +151,7 @@ public class BaseReferenceManifest extends ReferenceManifest {
public BaseReferenceManifest(final byte[] rimBytes) throws IOException { public BaseReferenceManifest(final byte[] rimBytes) throws IOException {
super(rimBytes); super(rimBytes);
this.setRimType(BASE_RIM); this.setRimType(BASE_RIM);
this.setFileName("");
SoftwareIdentity si = validateSwidTag(new ByteArrayInputStream(rimBytes)); SoftwareIdentity si = validateSwidTag(new ByteArrayInputStream(rimBytes));
// begin parsing valid swid tag // begin parsing valid swid tag

View File

@ -0,0 +1,349 @@
package hirs.utils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.XMLStructure;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Iterator;
/**
* This class handles validation functions of RIM files.
* Currently supports validation of support RIM hashes and
* base RIM signatures.
*/
public class ReferenceManifestValidator {
private static final String SIGNATURE_ALGORITHM_RSA_SHA256 =
"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
private static final String SCHEMA_PACKAGE = "hirs.utils.xjc";
private static final String SCHEMA_URL = "swid_schema.xsd";
private static final String SCHEMA_LANGUAGE = XMLConstants.W3C_XML_SCHEMA_NS_URI;
private static final String IDENTITY_TRANSFORM = "identity_transform.xslt";
private static final String SHA256 = "SHA-256";
private static final int EIGHT_BIT_MASK = 0xff;
private static final int LEFT_SHIFT = 0x100;
private static final int RADIX = 16;
private static final Logger LOGGER = LogManager.getLogger(ReferenceManifestValidator.class);
private Unmarshaller unmarshaller;
private PublicKey publicKey;
private Schema schema;
private boolean signatureValid, supportRimValid;
/**
* Getter for signatureValid.
*
* @return true if valid, false if not.
*/
public boolean isSignatureValid() {
return signatureValid;
}
/**
* Getter for supportRimValid.
*
* @return true if valid, false if not.
*/
public boolean isSupportRimValid() {
return supportRimValid;
}
/**
* Getter for certificate PublicKey.
*
* @return PublicKey
*/
public PublicKey getPublicKey() {
return publicKey;
}
/**
* This default constructor creates the Schema object from SCHEMA_URL immediately to save
* time during validation calls later.
*/
public ReferenceManifestValidator() {
try {
InputStream is = ReferenceManifestValidator.class
.getClassLoader().getResourceAsStream(SCHEMA_URL);
SchemaFactory schemaFactory = SchemaFactory.newInstance(SCHEMA_LANGUAGE);
schema = schemaFactory.newSchema(new StreamSource(is));
signatureValid = false;
supportRimValid = false;
publicKey = null;
} catch (SAXException e) {
LOGGER.warn("Error setting schema for validation!");
}
}
/**
* This constructor is used for a quick signature check which bypasses the loading of
* the schema url into memory. As a result the full stream is not validated against the schema.
*
* @param input xml data byte array.
*/
public ReferenceManifestValidator(final InputStream input) {
try {
signatureValid = validateSignedXMLDocument(
removeXMLWhitespace(new StreamSource(input)));
} catch (IOException e) {
LOGGER.warn("Error during unmarshal: " + e.getMessage());
}
}
/**
* This method calculates the SHA256 hash of the input byte array and compares it against
* the value passed in.
*
* @param input byte array to hash.
* @param expected value to compare against.
*/
public void validateSupportRimHash(final byte[] input, final String expected) {
String calculatedHash = getHashValue(input, SHA256);
LOGGER.info("Calculated hash: " + calculatedHash + ", actual: " + expected);
supportRimValid = calculatedHash.equals(expected);
}
/**
* This method validates the xml signature in the stream and stores the
* result for public access.
*
* @param input the xml data stream.
*/
public void validateXmlSignature(final InputStream input) {
try {
Document doc = validateSwidtagSchema(removeXMLWhitespace(new StreamSource(input)));
signatureValid = validateSignedXMLDocument(doc);
} catch (IOException e) {
LOGGER.warn("Error during unmarshal: " + e.getMessage());
}
}
/**
* This method calculates the digest of a byte array based on the hashing algorithm passed in.
* @param input byte array.
* @param sha hash algorithm.
* @return String digest.
*/
private String getHashValue(final byte[] input, final String sha) {
String resultString = null;
try {
MessageDigest md = MessageDigest.getInstance(sha);
byte[] bytes = md.digest(input);
StringBuilder sb = new StringBuilder();
for (int i = 0; i < bytes.length; i++) {
sb.append(Integer.toString((bytes[i] & EIGHT_BIT_MASK)
+ LEFT_SHIFT, RADIX).substring(1));
}
resultString = sb.toString();
} catch (NoSuchAlgorithmException grex) {
LOGGER.warn(grex.getMessage());
}
return resultString;
}
/**
* This method validates a Document with a signature element.
*
* @param doc
*/
private boolean validateSignedXMLDocument(final Document doc) {
DOMValidateContext context;
boolean isValid = false;
try {
NodeList nodes = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
if (nodes.getLength() == 0) {
throw new Exception("Signature element not found!");
}
NodeList embeddedCert = doc.getElementsByTagName("X509Data");
if (embeddedCert.getLength() > 0) {
X509KeySelector keySelector = new ReferenceManifestValidator.X509KeySelector();
context = new DOMValidateContext(keySelector, nodes.item(0));
XMLSignatureFactory sigFactory = XMLSignatureFactory.getInstance("DOM");
XMLSignature signature = sigFactory.unmarshalXMLSignature(context);
isValid = signature.validate(context);
publicKey = keySelector.getPublicKey();
} else {
LOGGER.info("Signing certificate not found for validation!");
}
} catch (MarshalException | XMLSignatureException e) {
LOGGER.warn(e.getMessage());
} catch (Exception e) {
LOGGER.warn(e.getMessage());
LOGGER.info(e.getMessage());
}
return isValid;
}
/**
* This internal class handles selecting an X509 certificate embedded in a KeyInfo element.
* It is passed as a parameter to a DOMValidateContext that uses it to validate
* an XML signature.
*/
public static class X509KeySelector extends KeySelector {
private PublicKey publicKey;
/**
* This method selects an X509 cert based on the provided algorithm.
*
* @param keyinfo object containing the cert.
* @param purpose purpose.
* @param algorithm algorithm.
* @param context XMLCryptoContext.
* @return KeySelectorResult holding the PublicKey.
* @throws KeySelectorException exception.
*/
public KeySelectorResult select(final KeyInfo keyinfo,
final KeySelector.Purpose purpose,
final AlgorithmMethod algorithm,
final XMLCryptoContext context)
throws KeySelectorException {
Iterator keyinfoItr = keyinfo.getContent().iterator();
while (keyinfoItr.hasNext()) {
XMLStructure element = (XMLStructure) keyinfoItr.next();
if (element instanceof X509Data) {
X509Data data = (X509Data) element;
Iterator dataItr = data.getContent().iterator();
while (dataItr.hasNext()) {
Object object = dataItr.next();
if (object instanceof X509Certificate) {
publicKey = ((X509Certificate) object).getPublicKey();
if (areAlgorithmsEqual(algorithm.getAlgorithm(),
publicKey.getAlgorithm())) {
return new ReferenceManifestValidator.X509KeySelector
.RIMKeySelectorResult(publicKey);
}
}
}
}
}
throw new KeySelectorException("No key found!");
}
/**
* This method checks if two strings refer to the same algorithm.
*
* @param uri string 1
* @param name string 2
* @return true if equal, false if not
*/
public boolean areAlgorithmsEqual(final String uri, final String name) {
return uri.equals(SIGNATURE_ALGORITHM_RSA_SHA256) && name.equalsIgnoreCase("RSA");
}
/**
* Getter for the public key that is parsed in the select() method above.
*
* @return PublicKey encoded in the X509 cert.
*/
public PublicKey getPublicKey() {
return publicKey;
}
/**
* This internal class creates a KeySelectorResult from the public key.
*/
private static class RIMKeySelectorResult implements KeySelectorResult {
private Key key;
RIMKeySelectorResult(final Key key) {
this.key = key;
}
public Key getKey() {
return key;
}
}
}
/**
* This method validates the Document against the schema.
*
* @param doc of the input swidtag.
* @return document validated against the schema.
*/
private Document validateSwidtagSchema(final Document doc) {
try {
JAXBContext jaxbContext = JAXBContext.newInstance(SCHEMA_PACKAGE);
unmarshaller = jaxbContext.createUnmarshaller();
unmarshaller.setSchema(schema);
unmarshaller.unmarshal(doc);
} catch (UnmarshalException e) {
LOGGER.warn("Error validating swidtag file!");
} catch (IllegalArgumentException e) {
LOGGER.warn("Input file empty.");
} catch (JAXBException e) {
e.printStackTrace();
}
return doc;
}
/**
* This method strips all whitespace from an xml file, including indents and spaces
* added for human-readability.
*
* @param source of the input xml.
* @return Document representation of the xml.
*/
private Document removeXMLWhitespace(final StreamSource source) throws IOException {
TransformerFactory tf = TransformerFactory.newInstance();
Source identitySource = new StreamSource(
ReferenceManifestValidator.class.getClassLoader()
.getResourceAsStream(IDENTITY_TRANSFORM));
Document doc = null;
try {
Transformer transformer = tf.newTransformer(identitySource);
DOMResult result = new DOMResult();
transformer.transform(source, result);
doc = (Document) result.getNode();
} catch (TransformerConfigurationException e) {
LOGGER.warn("Error configuring transformer!");
e.printStackTrace();
} catch (TransformerException e) {
LOGGER.warn("Error transforming input!");
e.printStackTrace();
}
return doc;
}
}

View File

@ -0,0 +1,10 @@
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output indent="no" />
<xsl:strip-space elements="*"/>
<xsl:template match="@*|node()">
<xsl:copy>
<xsl:apply-templates select="@*|node()"/>
</xsl:copy>
</xsl:template>
</xsl:stylesheet>