Validate signature and validation arguments, and output appropriate error messages

2024-12-20 05:28:22 +00:00 · 2024-02-07 09:10:41 -05:00 · 2024-02-07 09:10:41 -05:00 · fbf3de2517
commit fbf3de2517
parent adb1da93b4
3 changed files with 97 additions and 11 deletions
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/Main.java
@ -1,6 +1,7 @@
 package hirs.swid;

 import hirs.swid.utils.Commander;
+import hirs.swid.utils.CredentialArgumentValidator;
 import hirs.swid.utils.TimestampArgumentValidator;
 import hirs.utils.rim.ReferenceManifestValidator;
 import com.beust.jcommander.JCommander;
@ -27,6 +28,7 @@ public class Main {
        SwidTagGateway gateway;
        ReferenceManifestValidator validator;
        List<String> unknownOpts = commander.getUnknownOptions();
+        CredentialArgumentValidator credValidator;

        if (!unknownOpts.isEmpty()) {
            StringBuilder sb = new StringBuilder("Unknown options encountered: ");
@ -53,7 +55,6 @@ public class Main {
                }
                String verifyFile = commander.getVerifyFile();
                String rimel = commander.getRimEventLog();
-                String certificateFile = commander.getPublicCertificate();
                String trustStore = commander.getTruststoreFile();
                    validator.setRim(verifyFile);
                    validator.setRimEventLog(rimel);
@ -61,6 +62,13 @@ public class Main {
                    if (!certificateFile.isEmpty()) {
                        System.out.println("A single cert cannot be used for verification. " +
                                "The signing cert will be searched for in the trust store.");
+                    credValidator = new CredentialArgumentValidator(trustStore,
+                            "","", true);
+                    if (credValidator.isValid()) {
+                        validator.setTrustStoreFile(trustStore);
+                    } else {
+                        System.out.println(credValidator.getErrorMessage());
+                        System.exit(1);
                    }
                    if (validator.validateSwidtagFile(verifyFile)) {
                        System.out.println("Successfully verified " + verifyFile);
@ -75,7 +83,6 @@ public class Main {
                }
                String createType = commander.getCreateType().toUpperCase();
                String attributesFile = commander.getAttributesFile();
-                String jksTruststoreFile = commander.getTruststoreFile();
                String certificateFile = commander.getPublicCertificate();
                String privateKeyFile = commander.getPrivateKeyFile();
                boolean embeddedCert = commander.isEmbedded();
@ -86,22 +93,26 @@ public class Main {
                        if (!attributesFile.isEmpty()) {
                            gateway.setAttributesFile(attributesFile);
                        }
-                        if (!jksTruststoreFile.isEmpty()) {
+                        if (!rimEventLog.isEmpty()) {
+                            gateway.setRimEventLog(rimEventLog);
+                        } else {
+                            System.out.println("Error: a support RIM is required!");
+                            System.exit(1);
+                        }
+                        credValidator = new CredentialArgumentValidator("" ,
+                                certificateFile, privateKeyFile, false);
+                        if (defaultKey){
                            gateway.setDefaultCredentials(true);
-                            gateway.setJksTruststoreFile(jksTruststoreFile);
-                        } else if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
+                            gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
+                        } else if (credValidator.isValid()) {
                            gateway.setDefaultCredentials(false);
                            gateway.setPemCertificateFile(certificateFile);
                            gateway.setPemPrivateKeyFile(privateKeyFile);
                            if (embeddedCert) {
                                gateway.setEmbeddedCert(true);
                            }
-                        } else if (defaultKey){
-                            gateway.setDefaultCredentials(true);
-                            gateway.setJksTruststoreFile(SwidTagConstants.DEFAULT_KEYSTORE_FILE);
                        } else {
-                            exitWithErrorCode("A private key (-k) and public certificate (-p) " +
-                                    "are required, or the default key (-d) must be indicated.");
+                            exitWithErrorCode(credValidator.getErrorMessage());
                        }
                        if (rimEventLog.isEmpty()) {
                            exitWithErrorCode("A support RIM is required.");
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
@ -64,7 +64,6 @@ import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
-import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.LocalDateTime;
 import java.util.ArrayList;
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CredentialArgumentValidator.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/utils/CredentialArgumentValidator.java
@ -0,0 +1,76 @@
+package hirs.swid.utils;
+
+public class CredentialArgumentValidator {
+    private String truststoreFile;
+    private String certificateFile;
+    private String privateKeyFile;
+    private String format;
+    private boolean isValidating;
+    private String errorMessage;
+    private static final String PEM = "PEM";
+
+    public CredentialArgumentValidator(String truststoreFile,
+                                       String certificateFile,
+                                       String privateKeyFile,
+                                       boolean isValidating) {
+        this.truststoreFile = truststoreFile;
+        this.certificateFile = certificateFile;
+        this.privateKeyFile = privateKeyFile;
+        this.isValidating = isValidating;
+        errorMessage = "";
+    }
+
+    /**
+     * Getter for format property
+     *
+     * @return string
+     */
+    public String getFormat() {
+        return format;
+    }
+
+    /**
+     * Getter for error message
+     *
+     * @return string
+     */
+    public String getErrorMessage() {
+        return errorMessage;
+    }
+
+    /**
+     * This method checks for the following valid configurations of input arguments:
+     * 1.
+     * 2. truststore only for validating (PEM format)
+     * 3. certificate + private key for signing (PEM format)
+     * 4.
+     *
+     * @return true if the above are found, false otherwise
+     */
+    public boolean isValid() {
+        if (isValidating) {
+            if (!truststoreFile.isEmpty()) {
+                format = PEM;
+                return true;
+            } else {
+                errorMessage = "Validation requires a valid truststore file.";
+                return false;
+            }
+        } else {
+            if (!certificateFile.isEmpty() && !privateKeyFile.isEmpty()) {
+                format = PEM;
+                return true;
+            } else {
+                if (certificateFile.isEmpty()) {
+                    errorMessage = "A public certificate must be specified by \'-p\' " +
+                            "for signing operations.";
+                }
+                if (privateKeyFile.isEmpty()) {
+                    errorMessage = "A private key must be specified by \'-k\' " +
+                            "for signing operations.";
+                }
+                return false;
+            }
+        }
+    }
+}