Validate signature and validation arguments, and output appropriate error messages
This commit is contained in:
parent
adb1da93b4
commit
fbf3de2517
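--- a/PATH_NOT_SHOWN/hirs/swid/Main.java
+++ b/PATH_NOT_SHOWN/hirs/swid/Main.java
@@ -1,6 +1,7 @@
 package hirs.swid;
 
 import hirs.swid.utils.Commander;
+import hirs.swid.utils.CredentialArgumentValidator;
 import hirs.swid.utils.TimestampArgumentValidator;
 import hirs.utils.rim.ReferenceManifestValidator;
 import com.beust.jcommander.JCommander;
@@ -27,6 +28,7 @@ public class Main {
 SwidTagGateway gateway;
 ReferenceManifestValidator validator;
 List<String> unknownOpts = commander.getUnknownOptions();
+CredentialArgumentValidator credValidator;
 
 if (!unknownOpts.isEmpty()) {
 StringBuilder sb = new StringBuilder("Unknown options encountered: ");
@@ -53,7 +55,6 @@ public class Main {
 }
 String verifyFile = commander.getVerifyFile();
 String rimel = commander.getRimEventLog();
-String certificateFile = commander.getPublicCertificate();
 String trustStore = commander.getTruststoreFile();
 validator.setRim(verifyFile);
 validator.setRimEventLog(rimel);
@@ -61,6 +62,13 @@ public class Main {
 if (!certificateFile.isEmpty()) {
 System.out.println("A single cert cannot be used for verification. " +
 "The signing cert will be searched for in the trust store.");
+credValidator = new CredentialArgumentValidator(trustStore,
+"","", true);
+if (credValidator.isValid()) {
+validator.setTrustStoreFile(trustStore);
+} else {
+System.out.println(credValidator.getErrorMessage());
+System.exit(1);
 }
 if (validator.validateSwidtagFile(verifyFile)) {
 System.out.println("Successfully verified " + verifyFile);
@@ -75,7 +83,6 @@ public class Main {
 }
 String createType = commander.getCreateType().toUpperCase();
 String attributesFile = commander.getAttributesFile();
-String jksTruststoreFile = commander.getTruststoreFile();
 String certificateFile = commander.getPublicCertificate();
 String privateKeyFile = commander.getPrivateKeyFile();
 boolean embeddedCert = commander.isEmbedded();
@@ -86,22 +93,26 @@ public class Main {
 if (!attributesFile.isEmpty()) {
 gateway.setAttributesFile(attributesFile);
 }
-if (!jksTruststoreFile.isEmpty()) {
+if (!rimEventLog.isEmpty()) {
+gateway.setRimEventLog(rimEventLog);
+} else {
+System.out.println("Error: a support RIM is required!");
+System.exit(1);
+}
+credValidator = new CredentialArgumentValidator("" ,
+certificateFile, privateKeyFile, false);
+if (defaultKey){
 gateway.setDefaultCredentials(true);
-gateway.setJksTruststoreFile(jksTruststoreFile);
-} else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
+gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
+} else if (credValidator.isValid()) {
 gateway.setDefaultCredentials(false);
 gateway.setPemCertificateFile(certificateFile);
 gateway.setPemPrivateKeyFile(privateKeyFile);
 if (embeddedCert) {
 gateway.setEmbeddedCert(true);
 }
-} else if (defaultKey){
-gateway.setDefaultCredentials(true);
-gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
 } else {
-exitWithErrorCode("A private key (-k) and public certificate (-p) " +
-"are required, or the default key (-d) must be indicated.");
+exitWithErrorCode(credValidator.getErrorMessage());
 }
 if (rimEventLog.isEmpty()) {
 exitWithErrorCode("A support RIM is required.");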
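Review bot: In the `@@ -61,6 +62,13 @@` hunk the new trust-store check and `validator.setTrustStoreFile(trustStore)` are placed inside `if (!certificateFile.isEmpty())`, so the trust store is only validated and applied when the user also passes a certificate, which is exactly the input the preceding message says is ignored; the `credValidator` block belongs after the closing `}` of that `if` so it runs on every validation path. The same hunk still reads `certificateFile` while `@@ -53,7 +55,6 @@` deletes its declaration, so unless another declaration exists in the lines not shown (old lines 36–52 or 60) this will not compile. In `@@ -86,22 +93,26 @@` the new `if (!rimEventLog.isEmpty())` block exits through `System.out.println`/`System.exit(1)`, which makes the retained `if (rimEventLog.isEmpty()) { exitWithErrorCode("A support RIM is required.");` unreachable and diverges from the `exitWithErrorCode` style used on the other failure paths; replacing the new else-branch with `exitWithErrorCode("A support RIM is required.");` and dropping the old check keeps a single exit path. The enclosing `main` method starts and ends outside these hunks.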
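--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -64,7 +64,6 @@ import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
-import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.LocalDateTime;
 import java.util.ArrayList;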
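--- /dev/null
+++ b/PATH_NOT_SHOWN/hirs/swid/utils/CredentialArgumentValidator.java
@@ -0,0 +1,76 @@
+package hirs.swid.utils;
+
+public class CredentialArgumentValidator {
+private String truststoreFile;
+private String certificateFile;
+private String privateKeyFile;
+private String format;
+private boolean isValidating;
+private String errorMessage;
+private static final String PEM = "PEM";
+
+public CredentialArgumentValidator(String truststoreFile,
+String certificateFile,
+String privateKeyFile,
+boolean isValidating) {
+this.truststoreFile = truststoreFile;
+this.certificateFile = certificateFile;
+this.privateKeyFile = privateKeyFile;
+this.isValidating = isValidating;
+errorMessage = "";
+}
+
+/**
+* Getter for format property
+*
+* @return string
+*/
+public String getFormat() {
+return format;
+}
+
+/**
+* Getter for error message
+*
+* @return string
+*/
+public String getErrorMessage() {
+return errorMessage;
+}
+
+/**
+* This method checks for the following valid configurations of input arguments:
+* 1.
+* 2. truststore only for validating (PEM format)
+* 3. certificate + private key for signing (PEM format)
+* 4.
+*
+* @return true if the above are found, false otherwise
+*/
+public boolean isValid() {
+if (isValidating) {
+if (!truststoreFile.isEmpty()) {
+format = PEM;
+return true;
+} else {
+errorMessage = "Validation requires a valid truststore file.";
+return false;
+}
+} else {
+if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
+format = PEM;
+return true;
+} else {
+if (certificateFile.isEmpty()) {
+errorMessage = "A public certificate must be specified by \'-p\' " +
+"for signing operations.";
+}
+if (privateKeyFile.isEmpty()) {
+errorMessage = "A private key must be specified by \'-k\' " +
+"for signing operations.";
+}
+return false;
+}
+}
+}
+}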
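Review bot: `isValid()` only tests that the argument strings are non-empty, yet its failure text promises a "valid truststore file" and `Main` uses the result to decide whether a trust store or key pair is usable, so a path that does not exist or is unreadable passes here and only fails later with a less specific error. Add a readability test before returning true in both branches, e.g. `if (!Files.isReadable(Path.of(truststoreFile))) { errorMessage = "Truststore file not found or not readable: " + truststoreFile; return false; }` (with `java.nio.file.Files`/`Path` imported), and the same for the certificate and private-key paths. In the signing branch the two `errorMessage` assignments overwrite each other, so when both `-p` and `-k` are missing only the private-key message is reported; either append the second message to the first or return after the first failure. The Javadoc list items 1 and 4 are empty and should be completed or dropped, and `getFormat()` should state that `format` stays null until `isValid()` has returned true.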