Add BC validator for validation. Clean up log messages.

This commit is contained in:
chubtub 2024-05-16 15:00:50 -04:00
parent ecc6ee6d04
commit efe2bbf9b4


@ -50,7 +50,15 @@ import java.io.InputStream;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Paths; import java.nio.file.Paths;
import java.security.*; import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory; import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
@ -184,6 +192,7 @@ public class ReferenceManifestValidator {
*/ */
public ReferenceManifestValidator() { public ReferenceManifestValidator() {
try { try {
Security.addProvider(new BouncyCastleProvider());
InputStream is = ReferenceManifestValidator.class InputStream is = ReferenceManifestValidator.class
.getClassLoader().getResourceAsStream(SCHEMA_URL); .getClassLoader().getResourceAsStream(SCHEMA_URL);
SchemaFactory schemaFactory = SchemaFactory.newInstance(SCHEMA_LANGUAGE); SchemaFactory schemaFactory = SchemaFactory.newInstance(SCHEMA_LANGUAGE);
@ -410,7 +419,6 @@ public class ReferenceManifestValidator {
*/ */
private void whySignatureInvalid(final XMLSignature signature, final DOMValidateContext context) private void whySignatureInvalid(final XMLSignature signature, final DOMValidateContext context)
throws XMLSignatureException{ throws XMLSignatureException{
log.error("Verifying xml signature:");
boolean cryptoValidity = signature.getSignatureValue().validate(context); boolean cryptoValidity = signature.getSignatureValue().validate(context);
if (cryptoValidity) { if (cryptoValidity) {
log.error("Signature value is valid."); log.error("Signature value is valid.");
@ -448,13 +456,12 @@ public class ReferenceManifestValidator {
throw new Exception("Truststore is empty"); throw new Exception("Truststore is empty");
} }
final String INT_CA_ERROR = "Intermediate CA found, searching for root CA";
String errorMessage = ""; String errorMessage = "";
X509Certificate chainCert = cert; X509Certificate chainCert = cert;
boolean isChainCertValid; boolean isChainCertValid;
do { do {
isChainCertValid = false; isChainCertValid = false;
log.error("Validating " + chainCert.getSubjectX500Principal().getName()); log.info("Validating " + chainCert.getSubjectX500Principal().getName());
for (X509Certificate trustedCert : trustStore) { for (X509Certificate trustedCert : trustStore) {
boolean isIssuer = areYouMyIssuer(chainCert, trustedCert); boolean isIssuer = areYouMyIssuer(chainCert, trustedCert);
boolean isSigner = areYouMySigner(chainCert, trustedCert); boolean isSigner = areYouMySigner(chainCert, trustedCert);
@ -479,7 +486,7 @@ public class ReferenceManifestValidator {
} while (isChainCertValid); } while (isChainCertValid);
log.error("CA chain validation failed to validate " log.error("CA chain validation failed to validate "
+ chainCert.getSubjectX500Principal().getName()); + chainCert.getSubjectX500Principal().getName() + ", " + errorMessage);
return false; return false;
} }
@ -525,7 +532,7 @@ public class ReferenceManifestValidator {
+ System.lineSeparator() + System.lineSeparator()
+ "Certificate needed for verification is missing: " + "Certificate needed for verification is missing: "
+ signer.getSubjectX500Principal().getName(); + signer.getSubjectX500Principal().getName();
log.error(error); log.info(error);
} catch (CertificateException e) { } catch (CertificateException e) {
throw new Exception("Encoding error: " + e.getMessage()); throw new Exception("Encoding error: " + e.getMessage());
} }
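Review bot: `Security.addProvider(new BouncyCastleProvider())` in the constructor (the second hunk) mutates JVM-global provider state on every instantiation of ReferenceManifestValidator, and because it sits inside the `try` block its outcome is tied to the schema-loading error path. Registration only needs to happen once, so it belongs in a static initializer guarded by `if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) { Security.addProvider(new BouncyCastleProvider()); }`, which keeps the provider list stable and makes the dependency on BC explicit at class-load time; a one-line comment stating which algorithm the default providers lack would also help the next reader. Since the provider is appended at lowest priority it does not override the JDK's own implementations, which is the behaviour you want; a comment saying so would stop someone later "fixing" it to `insertProviderAt(..., 1)`. The constructor body continues outside the hunk.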