Check for an empty truststore during cert path validation. Removed the recursion in SupplyChainCredentialValidator.validateCertChain.

chubtub 2021-06-25 11:39:30 -04:00
parent 93f212a193
commit d1f0eb5d88
2 changed files with 38 additions and 18 deletions


@ -95,6 +95,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
/** /**
* Constructor to set just the CertificateManager, so that cert chain validating * Constructor to set just the CertificateManager, so that cert chain validating
* methods can be called from outside classes. * methods can be called from outside classes.
* @param certificateManager the cert manager
*/ */
public SupplyChainValidationServiceImpl(final CertificateManager certificateManager) { public SupplyChainValidationServiceImpl(final CertificateManager certificateManager) {
this.certificateManager = certificateManager; this.certificateManager = certificateManager;
@ -446,6 +447,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
LOGGER.error("Error getting X509 cert from manager: " + e.getMessage()); LOGGER.error("Error getting X509 cert from manager: " + e.getMessage());
} catch (SupplyChainValidatorException e) { } catch (SupplyChainValidatorException e) {
LOGGER.error("Error validating cert against keystore: " + e.getMessage()); LOGGER.error("Error validating cert against keystore: " + e.getMessage());
fwStatus = new AppraisalStatus(FAIL,
"Firmware validation failed: invalid certificate path.");
} }
break; break;
} }
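Review bot: In the second hunk, only the `SupplyChainValidatorException` branch now sets `fwStatus` to FAIL; the catch just above it ("Error getting X509 cert from manager") still only logs in the visible lines. The initial value of `fwStatus` is set outside this hunk, so confirm it cannot remain a passing status when loading the signing cert fails; if it can, set it in that branch as well, e.g. `fwStatus = new AppraisalStatus(FAIL, "Firmware validation failed: " + e.getMessage());`. The new FAIL message is also fixed text, so an empty truststore and a broken certificate path look the same in the appraisal result; appending `e.getMessage()` would keep the cause visible to the operator. The enclosing try/switch starts and ends outside the hunk.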


@ -1249,8 +1249,14 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
*/ */
public static String verifyCertificate(final X509AttributeCertificateHolder cert, public static String verifyCertificate(final X509AttributeCertificateHolder cert,
final KeyStore trustStore) throws SupplyChainValidatorException { final KeyStore trustStore) throws SupplyChainValidatorException {
try {
if (cert == null || trustStore == null) { if (cert == null || trustStore == null) {
throw new SupplyChainValidatorException("Certificate or trust store is null"); throw new SupplyChainValidatorException("Certificate or trust store is null");
} else if (trustStore.size() == 0) {
throw new SupplyChainValidatorException("Truststore is empty");
}
} catch (KeyStoreException e) {
LOGGER.error("Error accessing trust store: " + e.getMessage());
} }
try { try {
@ -1289,9 +1295,16 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
*/ */
public static boolean verifyCertificate(final X509Certificate cert, public static boolean verifyCertificate(final X509Certificate cert,
final KeyStore trustStore) throws SupplyChainValidatorException { final KeyStore trustStore) throws SupplyChainValidatorException {
try {
if (cert == null || trustStore == null) { if (cert == null || trustStore == null) {
throw new SupplyChainValidatorException("Certificate or trust store is null"); throw new SupplyChainValidatorException("Certificate or trust store is null");
} else if (trustStore.size() == 0) {
throw new SupplyChainValidatorException("Truststore is empty");
} }
} catch (KeyStoreException e) {
LOGGER.error("Error accessing trust store: " + e.getMessage());
}
try { try {
Set<X509Certificate> trustedCerts = new HashSet<>(); Set<X509Certificate> trustedCerts = new HashSet<>();
@ -1320,7 +1333,8 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
* certificate to validate * certificate to validate
* @param additionalCerts * @param additionalCerts
* Set of certs to validate against * Set of certs to validate against
* @return boolean indicating if the validation was successful * @return String status of the cert chain validation -
* blank if successful, error message otherwise
* @throws SupplyChainValidatorException tried to validate using null certificates * @throws SupplyChainValidatorException tried to validate using null certificates
*/ */
public static String validateCertChain(final X509AttributeCertificateHolder cert, public static String validateCertChain(final X509AttributeCertificateHolder cert,
@ -1341,14 +1355,12 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
signatureMatchesPublicKey = signatureMatchesPublicKey(cert, trustedCert); signatureMatchesPublicKey = signatureMatchesPublicKey(cert, trustedCert);
if (issuerMatchesSubject && signatureMatchesPublicKey) { if (issuerMatchesSubject && signatureMatchesPublicKey) {
if (isSelfSigned(trustedCert)) { if (isSelfSigned(trustedCert)) {
foundRootOfCertChain = "";
LOGGER.info("CA Root found."); LOGGER.info("CA Root found.");
break;
} else { } else {
foundRootOfCertChain = validateCertChain(trustedCert, additionalCerts); foundRootOfCertChain = "Intermediate signing cert found. Check for CA Cert: "
+ cert.getIssuer().getNames()[0];
if (!foundRootOfCertChain.isEmpty()) {
LOGGER.error("Root of certificate chain not found. Check for CA Cert: "
+ cert.getIssuer().getNames()[0]);
}
} }
} else { } else {
if (!issuerMatchesSubject) { if (!issuerMatchesSubject) {
@ -1360,6 +1372,9 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
} }
} }
if (!foundRootOfCertChain.isEmpty()) {
LOGGER.error(foundRootOfCertChain);
}
return foundRootOfCertChain; return foundRootOfCertChain;
} }
@ -1374,7 +1389,8 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
* certificate to validate * certificate to validate
* @param additionalCerts * @param additionalCerts
* Set of certs to validate against * Set of certs to validate against
* @return boolean indicating if the validation was successful * @return String status of the cert chain validation -
* blank if successful, error message otherwise
* @throws SupplyChainValidatorException tried to validate using null certificates * @throws SupplyChainValidatorException tried to validate using null certificates
*/ */
public static String validateCertChain(final X509Certificate cert, public static String validateCertChain(final X509Certificate cert,
@ -1395,14 +1411,12 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
signatureMatchesPublicKey = signatureMatchesPublicKey(cert, trustedCert); signatureMatchesPublicKey = signatureMatchesPublicKey(cert, trustedCert);
if (issuerMatchesSubject && signatureMatchesPublicKey) { if (issuerMatchesSubject && signatureMatchesPublicKey) {
if (isSelfSigned(trustedCert)) { if (isSelfSigned(trustedCert)) {
foundRootOfCertChain = "";
LOGGER.info("CA Root found."); LOGGER.info("CA Root found.");
break;
} else if (!cert.equals(trustedCert)) { } else if (!cert.equals(trustedCert)) {
foundRootOfCertChain = validateCertChain(trustedCert, additionalCerts); foundRootOfCertChain = "Intermediate signing cert found, check for CA cert "
+ cert.getIssuerDN().getName();
if (!foundRootOfCertChain.isEmpty()) {
LOGGER.error("Root of certificate chain not found. Check for CA Cert: "
+ cert.getIssuerDN().getName());
}
} }
} else { } else {
if (!issuerMatchesSubject) { if (!issuerMatchesSubject) {
@ -1414,6 +1428,9 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
} }
} }
if (!foundRootOfCertChain.isEmpty()) {
LOGGER.error(foundRootOfCertChain);
}
return foundRootOfCertChain; return foundRootOfCertChain;
} }
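Review bot: The `catch (KeyStoreException e)` added around the new guard in both `verifyCertificate` overloads only logs and then falls through to the following `try {`, so the empty-truststore check is skipped when `trustStore.size()` throws (for example on a keystore that was never loaded). A trust-anchor precondition should fail closed; rethrow instead, `} catch (KeyStoreException e) { throw new SupplyChainValidatorException("Error accessing trust store: " + e.getMessage()); }`. Whether the later code rejects such a keystore anyway cannot be seen here, because both method bodies continue outside their hunks. The same pattern appears in the `X509AttributeCertificateHolder` overload and the `X509Certificate` overload, so both need the change.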