From 6c5a17a2f7572cd88153482bb7b8b95c4c5ac57f Mon Sep 17 00:00:00 2001
From: chubtub <43381989+chubtub@users.noreply.github.com>
Date: Thu, 14 Dec 2023 13:25:25 -0500
Subject: [PATCH 1/2] In ReferenceManifestValidator, set the truststore for
swidtag XML files, and check if it has already been set for signature
validation; removed a duplicate digest command for calculating file hashes.
---
.../java/hirs/utils/rim/ReferenceManifestValidator.java | 7 +++++--
tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java | 1 +
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java b/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java
index 57511a2d..112c7168 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java
@@ -210,7 +210,7 @@ public class ReferenceManifestValidator {
log.error("Cannot validate RIM, signature element not found!");
return false;
}
- if (trustStoreFile != null && !trustStoreFile.isEmpty()) {
+ if (trustStore == null && trustStoreFile != null && !trustStoreFile.isEmpty()) {
trustStore = parseCertificatesFromPem(trustStoreFile);
}
NodeList certElement = rim.getElementsByTagName("X509Certificate");
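Review bot: The new `trustStore == null` guard means a truststore loaded by an earlier call is kept even if `trustStoreFile` has since been changed, so a validator instance reused for a second RIM would silently verify its signature against the previous file's certificates; if that reuse is possible (the setter is outside the hunk), clear `trustStore` whenever the file path is set, e.g. in the setter `this.trustStoreFile = trustStoreFile; this.trustStore = null;`. The validateSwidtagFile hunk below takes the opposite approach and reloads unconditionally, so the two call sites currently disagree on when the PEM file is authoritative; one policy in one helper would be easier to reason about. The enclosing method starts and ends outside the hunk.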
@@ -251,6 +251,9 @@ public class ReferenceManifestValidator {
*/
public boolean validateSwidtagFile(String path) {
Element fileElement = (Element) rim.getElementsByTagName("File").item(0);
+ if (trustStoreFile != null && !trustStoreFile.isEmpty()) {
+ trustStore = parseCertificatesFromPem(trustStoreFile);
+ }
X509Certificate signingCert = null;
try {
signingCert = getCertFromTruststore();
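Review bot: The added reload only runs when `trustStoreFile` is non-empty, so when it is empty `trustStore` may still be null (or whatever a previous call left) by the time `getCertFromTruststore()` runs on the next line, and the result of `parseCertificatesFromPem` is never checked for an empty or failed parse. Unless `getCertFromTruststore` itself rejects a missing truststore (its body is outside the hunk), a guard after the reload such as `if (trustStore == null) { log.error("Cannot validate swidtag file, no truststore configured"); return false; }` would turn a likely NullPointerException into a clear validation failure. validateSwidtagFile continues past the end of the hunk.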
@@ -337,7 +340,7 @@ public class ReferenceManifestValidator {
private String getHashValue(final String filepath, final String sha) {
try {
MessageDigest md = MessageDigest.getInstance(sha);
- byte[] bytes = md.digest(Files.readAllBytes(Paths.get(filepath)));
+ byte[] bytes = Files.readAllBytes(Paths.get(filepath));
return getHashValue(bytes, sha);
} catch (NoSuchAlgorithmException e) {
log.warn(e.getMessage());
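Review bot: With the double digest removed, `md` on the line `MessageDigest md = MessageDigest.getInstance(sha);` is no longer used for anything except forcing the `NoSuchAlgorithmException` early, which a reader will take for a leftover. Either drop it and let the `getHashValue(bytes, sha)` overload report the bad algorithm name, or keep it with a comment such as `// validate the algorithm name before reading the file; the overload performs the digest`. The catch chain, including whatever handles the `IOException` from `Files.readAllBytes`, continues outside the hunk, and `log.warn(e.getMessage())` there discards the exception itself; `log.warn("...", e)` would keep it.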
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
index b3185b22..e8b5e4b3 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
@@ -28,6 +28,7 @@ public class Main {
String certificateFile = commander.getPublicCertificate();
String trustStore = commander.getTruststoreFile();
if (!verifyFile.isEmpty()) {
+ validator.setRim(verifyFile);
if (!rimel.isEmpty()) {
validator.setRimEventLog(rimel);
}
From ab01bb86470b3f97a1bc7286e706782c9d219e19 Mon Sep 17 00:00:00 2001
From: chubtub <43381989+chubtub@users.noreply.github.com>
Date: Thu, 21 Dec 2023 20:21:38 -0500
Subject: [PATCH 2/2] Add KeyName to all signed base RIMs, and modify all unit
test files to reflect this change.
---
.../main/java/hirs/swid/SwidTagGateway.java | 15 +++++-----
.../java/hirs/swid/TestSwidTagGateway.java | 6 ++++
.../resources/generated_default_cert.swidtag | 26 ++++++++---------
.../generated_timestamp_rfc3339.swidtag | 28 +++++++++----------
.../generated_timestamp_rfc3852.swidtag | 28 +++++++++----------
.../resources/generated_user_cert.swidtag | 27 +++++++++---------
.../generated_user_cert_embed.swidtag | 27 +++++++++---------
7 files changed, 82 insertions(+), 75 deletions(-)
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
index d596f0fb..0cd4ffc1 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
@@ -623,14 +623,6 @@ public class SwidTagGateway {
if (defaultCredentials) {
cp.parseJKSCredentials(jksTruststoreFile);
privateKey = cp.getPrivateKey();
- KeyName keyName = null;
- try {
- keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier());
- } catch (IOException e) {
- System.out.println("Error while getting SKID: " + e.getMessage());
- System.exit(1);
- }
- keyInfoElements.add(keyName);
} else {
try {
cp.parsePEMCredentials(pemCertificateFile, pemPrivateKeyFile);
@@ -654,6 +646,13 @@ public class SwidTagGateway {
}
}
}
+ try {
+ KeyName keyName = kiFactory.newKeyName(cp.getCertificateSubjectKeyIdentifier());
+ keyInfoElements.add(keyName);
+ } catch (IOException e) {
+ System.out.println("Error while getting SKID: " + e.getMessage());
+ System.exit(1);
+ }
KeyInfo keyinfo = kiFactory.newKeyInfo(keyInfoElements);
DOMSignContext context = new DOMSignContext(privateKey, doc.getDocumentElement());
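Review bot: Moving the KeyName block below the branch means it now also runs for user-supplied PEM credentials, so the outcome when that certificate carries no Subject Key Identifier extension depends on what `cp.getCertificateSubjectKeyIdentifier()` returns in that case (its body is outside the hunk); if it returns null or an empty string, `newKeyName` would emit an empty KeyName that no verifier can match, which is better caught here than at validation time. A small check before `keyInfoElements.add(keyName)`, e.g. `if (skid == null || skid.isEmpty()) { throw new IllegalStateException("Signing certificate has no Subject Key Identifier"); }`, with the SKID held in a local, would make that explicit. Calling `System.exit(1)` from inside the gateway on an `IOException` also ends the whole process and drops the exception; throwing (or wrapping it with the cause preserved) leaves the decision to the caller in Main and keeps this method testable. The surrounding signing method starts and ends outside the hunk.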
diff --git a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java
index 29e3b71c..831bc77e 100644
--- a/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/test/java/hirs/swid/TestSwidTagGateway.java
@@ -69,6 +69,7 @@ public class TestSwidTagGateway {
expectedFile = TestSwidTagGateway.class.getClassLoader()
.getResourceAsStream(BASE_USER_CERT);
Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
+ validator.setRim(DEFAULT_OUTPUT);
Assert.assertTrue(validator.validateSwidtagFile(DEFAULT_OUTPUT));
}
@@ -88,6 +89,7 @@ public class TestSwidTagGateway {
expectedFile = TestSwidTagGateway.class.getClassLoader()
.getResourceAsStream(BASE_USER_CERT_EMBED);
Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
+ validator.setRim(DEFAULT_OUTPUT);
Assert.assertTrue(validator.validateSwidtagFile(DEFAULT_OUTPUT));
}
@@ -103,6 +105,7 @@ public class TestSwidTagGateway {
expectedFile = TestSwidTagGateway.class.getClassLoader()
.getResourceAsStream(BASE_DEFAULT_CERT);
Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
+ validator.setRim(DEFAULT_OUTPUT);
Assert.assertTrue(validator.validateSwidtagFile(DEFAULT_OUTPUT));
}
@@ -120,6 +123,7 @@ public class TestSwidTagGateway {
expectedFile = TestSwidTagGateway.class.getClassLoader()
.getResourceAsStream(BASE_RFC3339_TIMESTAMP);
Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
+ validator.setRim(DEFAULT_OUTPUT);
Assert.assertTrue(validator.validateSwidtagFile(DEFAULT_OUTPUT));
}
@@ -137,6 +141,7 @@ public class TestSwidTagGateway {
expectedFile = TestSwidTagGateway.class.getClassLoader()
.getResourceAsStream(BASE_RFC3852_TIMESTAMP);
Assert.assertTrue(compareFileBytesToExpectedFile(DEFAULT_OUTPUT));
+ validator.setRim(DEFAULT_OUTPUT);
Assert.assertTrue(validator.validateSwidtagFile(DEFAULT_OUTPUT));
}
@@ -149,6 +154,7 @@ public class TestSwidTagGateway {
String filepath = TestSwidTagGateway.class.getClassLoader()
.getResource(BASE_USER_CERT).getPath();
System.out.println("Validating file at " + filepath);
+ validator.setRim(DEFAULT_OUTPUT);
Assert.assertTrue(validator.validateSwidtagFile(filepath));
}
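Review bot: In this last hunk the RIM document is set to `DEFAULT_OUTPUT` while the path passed to `validateSwidtagFile` is `filepath`, the BASE_USER_CERT resource, so the File element and signature come from one swidtag and the hash is computed over a different file; the test passes only if the two files happen to match, which is not what it appears to verify. The earlier hunks in this file pair `setRim(DEFAULT_OUTPUT)` with `validateSwidtagFile(DEFAULT_OUTPUT)` consistently, so this one should likely read `validator.setRim(filepath);` instead. The enclosing test method begins outside the hunk.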
diff --git a/tools/tcg_rim_tool/src/test/resources/generated_default_cert.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_default_cert.swidtag
index 855718c1..731efa99 100644
--- a/tools/tcg_rim_tool/src/test/resources/generated_default_cert.swidtag
+++ b/tools/tcg_rim_tool/src/test/resources/generated_default_cert.swidtag
@@ -1,13 +1,13 @@
-
-
-
-
-
+
+
+
+
+
-
+
@@ -17,16 +17,16 @@
- DJMc0n3VHHwU+F3HNpiY/l3EMcjRZAQOYlrjhD5v9qE=
+ ltjNmhHEqfpWwGmv1fTLLhJbtcn36wzPc8ZrOoUxXAI=
- ojJ6v8ToxLWWekCKmBoZ+Yg2V4MYMPbKB9FjDs/QG/AMP+LKjnb55Z7FSLhC8+CvvShKPAoS9mv1
-QepwI17NEqbfnC1U4WH0u578A3J6wiHMXIDnIQqKAAXb8v2c/wjMDArzFl8CXmDA7HUDIt+3C4VC
-tA598YY7o0Hf6hK5qO8oWGQxXUKfpUwvtGLxHpbDWYFuVSPa+uk6OTzutt/QyzTERzxyO9Le1i6K
-nrpzh4lgHn6EfGs6HR1ffdHQ069q0bE61zDx0VC18nK9DmszW6p6FlMzApiTVW/4PiVt+dSFeVGR
-9///OdtxcoBCeofDDFPRyO+s+kY1pXd92Q3nfg==
+ UWzTHnnQwc4+OYRl3bGXdGwAZsYBjQpoJb6jgif6c9/mHl1xCNjO1zJUzAGpeEq14j4qJ1WV8rHb
+5R16iMN05xQ5FCC8o1KvtJ6xwAkIgYei06iWaypgv39R42MD8HySVWBv5Ya7qIrvCBfp57L7z8Wm
+KvKptRctbb8of7OBdAH/Ywr2z1avwVVI7K7ugvjYkxn4sBfO4HkGABcJ4vIr1haOOU0/ip0qA/4U
+Fm1EJRDA2cYhTPcxHNoWDh2SAYVDH3t9vF/1BEPy5ke5iqRIsvTjoLz3WJtub6zKJ7fg4+1oyDK6
+641x+SIRT7EqRMLtxlpXniVMGbp8i4mxFaQGpQ==
2fdeb8e7d030a2209daa01861a964fedecf2bcc1
-
+
diff --git a/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3339.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3339.swidtag
index cee8c323..8600edab 100644
--- a/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3339.swidtag
+++ b/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3339.swidtag
@@ -1,13 +1,13 @@
-
-
-
-
-
+
+
+
+
+
-
+
@@ -17,18 +17,18 @@
- DJMc0n3VHHwU+F3HNpiY/l3EMcjRZAQOYlrjhD5v9qE=
+ ltjNmhHEqfpWwGmv1fTLLhJbtcn36wzPc8ZrOoUxXAI=
- j8sqX9NGt8DAPOvbhXKAT648BGdPnQnblai1PYDUryE=
+ KOli94FU4OwApn2yz7J4SmnBEDE2u+jc1Fm2ajoaBhI=
- N8QB5dMLnSLaDuCO8Ds/9nPlJGzsF1HJCthEXDXPrMTpfWBwmsVTqtNwoGzHIXlx8HDdDcfTLa3j
-3rfFmDZNMqv6+6jjjJZerpN6XyWHGaVjVuPiNGmafE5SajTg53+6KlWXTGs3kcbbV5cTtjASz/A0
-cz9gBYTwYXmWA3+V0USLA0MNYzPkKp83eDnizbrkGx824NU9qG1DetVFfZqotWoTGJ1Wz4J8D1yR
-wUILS0DbtZalCNVv3kw9raIRKQ/CjlDztfP1SgiNuXu6IaVZKoVG9HGp3s8pQvFPHr0HD2sNrAkx
-twKcg3XIzGrTc22Y2TYw9Dk3NxumQSp4kve6ow==
+ jJQLwoWj8AXLzNn9H0jTtDV32SvFonY0TDlMQg9lhOCTi3HPRGuUzPCCBg+JukM9THuAbXx8yVKW
+pGr8fCLmGkfLy7S0YJwQLaulZvGgV0gprD5M8lqDAUibkN98ArOzTDBd6AxW8GVcOpb7Wc9ckS20
+K/uQCLC4AyxRT8AVJ193Ru3DGBOH/WRXBHFIo6ySSi2i8a3soOEzFWmU1euXD0XqrQLa4Q4n4u2e
+ChivQNqC8s9Xl1h07S9JFF4v1q+hmAOY+8pqYxDZtw6cVpiXQGufSuzBIxiYKv4p+cAD+OhXL9z1
+h0PAgMBd0VsH8SrtKaDe/Jw91GG8L8YvP1tG0g==
2fdeb8e7d030a2209daa01861a964fedecf2bcc1
@@ -40,4 +40,4 @@ twKcg3XIzGrTc22Y2TYw9Dk3NxumQSp4kve6ow==
-
+
diff --git a/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3852.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3852.swidtag
index d78d0b8c..6ff1a39e 100644
--- a/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3852.swidtag
+++ b/tools/tcg_rim_tool/src/test/resources/generated_timestamp_rfc3852.swidtag
@@ -1,13 +1,13 @@
-
-
-
-
-
+
+
+
+
+
-
+
@@ -17,18 +17,18 @@
- DJMc0n3VHHwU+F3HNpiY/l3EMcjRZAQOYlrjhD5v9qE=
+ ltjNmhHEqfpWwGmv1fTLLhJbtcn36wzPc8ZrOoUxXAI=
- KC51x7iXfEjDYEieFP1lktWNGP6eCWpXe5/sr3V8PlU=
+ 5l1XanjF3l/o5zXbuAaQUVv242+X9ZeiGbg8AAXCNgc=
- M6a+lIU7vIQmO0By/WCtocI4qzk4R4oXtduEpeyOfIH/xOTKkDI7E17v6dywLd7psZSKMPw8lRqp
-AZCBvsU6zDXzLsAakO2ydmH2i5POWNArUq+GRw9KDnNPZWanmRSqjpV2mEjfx84IF2MaqXDPng1q
-JrzKN8f00uHM+eOmXktyiBhJR9gT+htceMzAEzk8qeWCg6o6wFMx0JR1lUbGOXe070DtZCR7I0iQ
-0iZfnNzMzuRf2GHw6aKnSyGwdr1pUeoxEVGR5jkY8a7mT/0mt+8kVq4FL1gikrSOzvotoZ+dGb0Q
-JjzA2IgK+ti/Tc/FpLYKefXQwcVSUY+CD/HCvA==
+ DP+66mRubZK3X+zyeDPL0yKevIALl+REu6siVBNtHyf2nDPk5/Iekvqdki8ild1ieSD0i7Wbsz9+
+8StHMfOOYRd7QDwOL0QVW213JZRemn/EckuQic1Rz+V2Kw2kjBuzsLsJE4GHR8WFO4SDklze74KL
+U43suxuZ4hqPsNRS0Fe085h7y7KcXNLlmsIQfLsVVHfdXLZPt29nN7DscT+PhCI4QuUU0SKnkOx1
+/iW2wWf1lCESgpUmRKU5Tf1uvgbPgEf7CWurHptSKs38ZVwz6AFyMIY5g2XwbDkCTocgrC9xlI9h
+GV3jB3ojUwB3ne06Sp21FgRbOgI9xbvoD3G33g==
2fdeb8e7d030a2209daa01861a964fedecf2bcc1
@@ -40,4 +40,4 @@ JjzA2IgK+ti/Tc/FpLYKefXQwcVSUY+CD/HCvA==
-
+
diff --git a/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag
index eaf50f57..46e1b0f9 100644
--- a/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag
+++ b/tools/tcg_rim_tool/src/test/resources/generated_user_cert.swidtag
@@ -1,13 +1,13 @@
-
-
-
-
-
+
+
+
+
+
-
+
@@ -17,14 +17,14 @@
- DJMc0n3VHHwU+F3HNpiY/l3EMcjRZAQOYlrjhD5v9qE=
+ ltjNmhHEqfpWwGmv1fTLLhJbtcn36wzPc8ZrOoUxXAI=
- ojJ6v8ToxLWWekCKmBoZ+Yg2V4MYMPbKB9FjDs/QG/AMP+LKjnb55Z7FSLhC8+CvvShKPAoS9mv1
-QepwI17NEqbfnC1U4WH0u578A3J6wiHMXIDnIQqKAAXb8v2c/wjMDArzFl8CXmDA7HUDIt+3C4VC
-tA598YY7o0Hf6hK5qO8oWGQxXUKfpUwvtGLxHpbDWYFuVSPa+uk6OTzutt/QyzTERzxyO9Le1i6K
-nrpzh4lgHn6EfGs6HR1ffdHQ069q0bE61zDx0VC18nK9DmszW6p6FlMzApiTVW/4PiVt+dSFeVGR
-9///OdtxcoBCeofDDFPRyO+s+kY1pXd92Q3nfg==
+ UWzTHnnQwc4+OYRl3bGXdGwAZsYBjQpoJb6jgif6c9/mHl1xCNjO1zJUzAGpeEq14j4qJ1WV8rHb
+5R16iMN05xQ5FCC8o1KvtJ6xwAkIgYei06iWaypgv39R42MD8HySVWBv5Ya7qIrvCBfp57L7z8Wm
+KvKptRctbb8of7OBdAH/Ywr2z1avwVVI7K7ugvjYkxn4sBfO4HkGABcJ4vIr1haOOU0/ip0qA/4U
+Fm1EJRDA2cYhTPcxHNoWDh2SAYVDH3t9vF/1BEPy5ke5iqRIsvTjoLz3WJtub6zKJ7fg4+1oyDK6
+641x+SIRT7EqRMLtxlpXniVMGbp8i4mxFaQGpQ==
@@ -36,6 +36,7 @@ jDQeHiY0VIoPik/jVVIpjWe6zzeZ2S66Q/LmjQ==
AQAB
+ 2fdeb8e7d030a2209daa01861a964fedecf2bcc1
-
+
diff --git a/tools/tcg_rim_tool/src/test/resources/generated_user_cert_embed.swidtag b/tools/tcg_rim_tool/src/test/resources/generated_user_cert_embed.swidtag
index 5f0d13e5..05ed83df 100644
--- a/tools/tcg_rim_tool/src/test/resources/generated_user_cert_embed.swidtag
+++ b/tools/tcg_rim_tool/src/test/resources/generated_user_cert_embed.swidtag
@@ -1,13 +1,13 @@
-
-
-
-
-
+
+
+
+
+
-
+
@@ -17,14 +17,14 @@
- DJMc0n3VHHwU+F3HNpiY/l3EMcjRZAQOYlrjhD5v9qE=
+ ltjNmhHEqfpWwGmv1fTLLhJbtcn36wzPc8ZrOoUxXAI=
- ojJ6v8ToxLWWekCKmBoZ+Yg2V4MYMPbKB9FjDs/QG/AMP+LKjnb55Z7FSLhC8+CvvShKPAoS9mv1
-QepwI17NEqbfnC1U4WH0u578A3J6wiHMXIDnIQqKAAXb8v2c/wjMDArzFl8CXmDA7HUDIt+3C4VC
-tA598YY7o0Hf6hK5qO8oWGQxXUKfpUwvtGLxHpbDWYFuVSPa+uk6OTzutt/QyzTERzxyO9Le1i6K
-nrpzh4lgHn6EfGs6HR1ffdHQ069q0bE61zDx0VC18nK9DmszW6p6FlMzApiTVW/4PiVt+dSFeVGR
-9///OdtxcoBCeofDDFPRyO+s+kY1pXd92Q3nfg==
+ UWzTHnnQwc4+OYRl3bGXdGwAZsYBjQpoJb6jgif6c9/mHl1xCNjO1zJUzAGpeEq14j4qJ1WV8rHb
+5R16iMN05xQ5FCC8o1KvtJ6xwAkIgYei06iWaypgv39R42MD8HySVWBv5Ya7qIrvCBfp57L7z8Wm
+KvKptRctbb8of7OBdAH/Ywr2z1avwVVI7K7ugvjYkxn4sBfO4HkGABcJ4vIr1haOOU0/ip0qA/4U
+Fm1EJRDA2cYhTPcxHNoWDh2SAYVDH3t9vF/1BEPy5ke5iqRIsvTjoLz3WJtub6zKJ7fg4+1oyDK6
+641x+SIRT7EqRMLtxlpXniVMGbp8i4mxFaQGpQ==
CN=example.RIM.signer,OU=PCClient,O=Example,ST=VA,C=US
@@ -47,6 +47,7 @@ BzAChhlodHRwczovL2V4YW1wbGUuY29tL2NlcnRzMA0GCSqGSIb3DQEBCwUAA4IBAQDpKx5oQlkS
cIEQ5OqfpdFrV3De238RhMH6J4xePSidnFpfBc6FrdyDI1A8eRFz36I4xfVL3ZnJP/+j+NE4q6yz
5VGvm0npLO394ZihtsI1sRAR8ORJ
+ 2fdeb8e7d030a2209daa01861a964fedecf2bcc1
-
+