Merge pull request #444 from nsacyber/ski-prefix-truncate

Truncate 4 bytes from SKI

HIRS_Utils/src/main/java/hirs/data/persist/certificate/CertificateAuthorityCredential.java

@@ -25,6 +25,9 @@ public class CertificateAuthorityCredential extends Certificate {
      */
     public static final String SUBJECT_KEY_IDENTIFIER_FIELD = "subjectKeyIdentifier";
 
+    private static final int CA_BYTE_SIZE = 20;
+    private static final int PREFIX_BYTE_SIZE = 4;
+
     @Column
     private final byte[] subjectKeyIdentifier;
 
@@ -85,8 +88,16 @@ public class CertificateAuthorityCredential extends Certificate {
     public CertificateAuthorityCredential(final byte[] certificateBytes)
             throws IOException {
         super(certificateBytes);
-        this.subjectKeyIdentifier =
-                getX509Certificate().getExtensionValue(SUBJECT_KEY_IDENTIFIER_EXTENSION);
+        byte[] tempBytes = getX509Certificate()
+                .getExtensionValue(SUBJECT_KEY_IDENTIFIER_EXTENSION);
+
+        if (tempBytes != null && tempBytes.length > CA_BYTE_SIZE) {
+            this.subjectKeyIdentifier = truncatePrefixBytes(tempBytes);
+        } else {
+            this.subjectKeyIdentifier =
+                    getX509Certificate().getExtensionValue(SUBJECT_KEY_IDENTIFIER_EXTENSION);
+        }
+
         if (this.subjectKeyIdentifier != null) {
             this.subjectKeyIdString = Hex.encodeHexString(this.subjectKeyIdentifier);
         }
@@ -103,8 +114,18 @@ public class CertificateAuthorityCredential extends Certificate {
     public CertificateAuthorityCredential(final Path certificatePath)
             throws IOException {
         super(certificatePath);
-        this.subjectKeyIdentifier =
-                getX509Certificate().getExtensionValue(SUBJECT_KEY_IDENTIFIER_EXTENSION);
+        byte[] tempBytes = getX509Certificate()
+                .getExtensionValue(SUBJECT_KEY_IDENTIFIER_EXTENSION);
+
+        if (tempBytes.length > CA_BYTE_SIZE) {
+            this.subjectKeyIdentifier = truncatePrefixBytes(tempBytes);
+        } else {
+            this.subjectKeyIdentifier =
+                    getX509Certificate().getExtensionValue(SUBJECT_KEY_IDENTIFIER_EXTENSION);
+        }
+        if (this.subjectKeyIdentifier != null) {
+            this.subjectKeyIdString = Hex.encodeHexString(this.subjectKeyIdentifier);
+        }
     }
 
     /**
@@ -141,6 +162,13 @@ public class CertificateAuthorityCredential extends Certificate {
         return this.subjectKeyIdString;
     }
 
+    private byte[] truncatePrefixBytes(final byte[] certificateBytes) {
+        byte[] temp = new byte[CA_BYTE_SIZE];
+        System.arraycopy(certificateBytes, PREFIX_BYTE_SIZE, temp, 0, CA_BYTE_SIZE);
+
+        return temp;
+    }
+
     @Override
     @SuppressWarnings("checkstyle:avoidinlineconditionals")
     public boolean equals(final Object o) {

HIRS_Utils/src/main/java/hirs/utils/ReferenceManifestValidator.java

@@ -180,7 +180,7 @@ public class ReferenceManifestValidator {
                 }
             } else {
                 subjectKeyIdentifier = getKeyName(rim);
-                if (subjectKeyIdentifier.equals(cert.getSubjectKeyIdString().substring(8))) {
+                if (subjectKeyIdentifier.equals(cert.getSubjectKeyIdString())) {
                     context = new DOMValidateContext(cert.getX509Certificate().getPublicKey(),
                             nodes.item(0));
                 }

HIRS_Utils/src/test/java/hirs/data/persist/certificate/CertificateTest.java

@@ -77,7 +77,7 @@ public class CertificateTest {
      * Hex-encoded subject key identifier for the FAKE_ROOT_CA_FILE.
      */
     public static final String FAKE_ROOT_CA_SUBJECT_KEY_IDENTIFIER_HEX =
-            "0416041458ec313a1699f94c1c8c4e2c6412402b258f0177";
+            "58ec313a1699f94c1c8c4e2c6412402b258f0177";
 
     /**
      * Location of a test STM endorsement credential.