Resolved the merge conflicts.

HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java

@@ -37,6 +37,7 @@ import hirs.utils.BouncyCastleUtils;
 import hirs.utils.ReferenceManifestValidator;
 import hirs.validation.CredentialValidator;
 import hirs.validation.SupplyChainCredentialValidator;
+import hirs.validation.SupplyChainValidatorException;
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -51,7 +52,9 @@ import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -89,6 +92,15 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
     private static final Logger LOGGER
             = LogManager.getLogger(SupplyChainValidationServiceImpl.class);
 
+    /**
+     * Constructor to set just the CertificateManager, so that cert chain validating
+     * methods can be called from outside classes.
+     * @param certificateManager    the cert manager
+     */
+    public SupplyChainValidationServiceImpl(final CertificateManager certificateManager) {
+        this.certificateManager = certificateManager;
+    }
+
     /**
      * Constructor.
      *
@@ -411,6 +423,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                     new ReferenceManifestValidator(
                             new ByteArrayInputStream(baseReferenceManifest.getRimBytes()));
 
+
             for (SwidResource swidRes : resources) {
                 supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager)
                         .byHexDecHash(swidRes.getHashValue()).getRIM();
@@ -422,7 +435,40 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                     supportReferenceManifest = null;
                 }
             }
-            if (supportReferenceManifest == null) {
+            //Validate signing cert
+            Set<CertificateAuthorityCredential> allCerts =
+                    CertificateAuthorityCredential.select(certificateManager).getCertificates();
+            CertificateAuthorityCredential signingCert = null;
+            for (CertificateAuthorityCredential cert : allCerts) {
+                if (Arrays.equals(cert.getEncodedPublicKey(),
+                        referenceManifestValidator.getPublicKey().getEncoded())) {
+                    signingCert = cert;
+                    KeyStore keyStore = getCaChain(signingCert);
+                    try {
+                        X509Certificate x509Cert = signingCert.getX509Certificate();
+                        if (!SupplyChainCredentialValidator.verifyCertificate(x509Cert, keyStore)) {
+                            passed = false;
+                            fwStatus = new AppraisalStatus(FAIL,
+                                    "Firmware validation failed: invalid certificate path.");
+                        }
+                    } catch (IOException e) {
+                        LOGGER.error("Error getting X509 cert from manager: " + e.getMessage());
+                    } catch (SupplyChainValidatorException e) {
+                        LOGGER.error("Error validating cert against keystore: " + e.getMessage());
+                        fwStatus = new AppraisalStatus(FAIL,
+                                "Firmware validation failed: invalid certificate path.");
+                    }
+                    break;
+                }
+            }
+
+            if (signingCert == null) {
+                passed = false;
+                fwStatus = new AppraisalStatus(FAIL,
+                        "Firmware validation failed: signing cert not found.");
+            }
+
+            if (passed && supportReferenceManifest == null) {
                 fwStatus = new AppraisalStatus(FAIL,
                         "Support Reference Integrity Manifest can not be found\n");
                 passed = false;

HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java

@@ -4,6 +4,7 @@ import hirs.attestationca.portal.page.Page;
 import hirs.attestationca.portal.page.PageController;
 import hirs.attestationca.portal.page.PageMessages;
 import hirs.attestationca.portal.page.params.ReferenceManifestDetailsPageParams;
+import hirs.attestationca.service.SupplyChainValidationServiceImpl;
 import hirs.data.persist.BaseReferenceManifest;
 import hirs.data.persist.EventLogMeasurements;
 import hirs.data.persist.ReferenceDigestRecord;
@@ -20,6 +21,8 @@ import hirs.persist.ReferenceManifestManager;
 import hirs.tpm.eventlog.TCGEventLog;
 import hirs.tpm.eventlog.TpmPcrEvent;
 import hirs.utils.ReferenceManifestValidator;
+import hirs.validation.SupplyChainCredentialValidator;
+import hirs.validation.SupplyChainValidatorException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -30,8 +33,10 @@ import org.springframework.web.servlet.ModelAndView;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
@@ -301,12 +306,33 @@ public class ReferenceManifestDetailsPageController
         }
 
         RIM_VALIDATOR.validateXmlSignature(new ByteArrayInputStream(baseRim.getRimBytes()));
-        data.put("signatureValid", RIM_VALIDATOR.isSignatureValid());
+        Set<CertificateAuthorityCredential> certificates =
+                CertificateAuthorityCredential.select(certificateManager)
+                        .getCertificates();
+        //Report invalid signature unless RIM_VALIDATOR validates it and cert path is valid
+        data.put("signatureValid", false);
+        if (RIM_VALIDATOR.isSignatureValid()) {
+            for (CertificateAuthorityCredential cert : certificates) {
+                if (Arrays.equals(cert.getEncodedPublicKey(),
+                        RIM_VALIDATOR.getPublicKey().getEncoded())) {
+                    SupplyChainValidationServiceImpl scvsImpl =
+                            new SupplyChainValidationServiceImpl(certificateManager);
+                    KeyStore keystore = scvsImpl.getCaChain(cert);
+                    X509Certificate signingCert = cert.getX509Certificate();
+                    try {
+                        if (SupplyChainCredentialValidator.verifyCertificate(signingCert,
+                                keystore)) {
+                            data.replace("signatureValid", true);
+                        }
+                    } catch (SupplyChainValidatorException e) {
+                        LOGGER.error("Error verifying cert chain: " + e.getMessage());
+                    }
+                    break;
+                }
+            }
+        }
         data.put("skID", RIM_VALIDATOR.getSubjectKeyIdentifier());
         try {
-            Set<CertificateAuthorityCredential> certificates =
-                    CertificateAuthorityCredential.select(certificateManager)
-                            .getCertificates();
             for (CertificateAuthorityCredential cert : certificates) {
                 if (Arrays.equals(cert.getEncodedPublicKey(),
                         RIM_VALIDATOR.getPublicKey().getEncoded())) {