Detached signature references its signed data by URI. Modified the validator class to distinguish between enveloped and detached signatures.

tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java

@@ -63,6 +63,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.StringReader;
 import java.math.BigInteger;
+import java.net.URI;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.InvalidAlgorithmParameterException;
@@ -569,6 +570,7 @@ public class SwidTagGateway {
     public Document signXMLDocument(String signFile) {
         //Read signFile contents
         String xmlToSign = "";
+        URI fileUri = new File(signFile).toURI();
         try {
             byte[] fileContents = Files.readAllBytes(Paths.get(signFile));
             xmlToSign = new String(fileContents);    //safe to assume default charset??
@@ -605,7 +607,7 @@ public class SwidTagGateway {
         try {
             sigFactory = XMLSignatureFactory.getInstance("DOM");
             //ref must be distinguished from existing <Reference URI="">
-            Reference ref = sigFactory.newReference("#" + softwareIdentityId,
+            Reference ref = sigFactory.newReference(fileUri.toString(),
                     sigFactory.newDigestMethod(DigestMethod.SHA256, null));
             signedInfo = sigFactory.newSignedInfo(
                     sigFactory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,

tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java

@@ -5,6 +5,7 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
+import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
 import javax.security.auth.x500.X500Principal;
@@ -26,6 +27,9 @@ import javax.xml.crypto.dsig.dom.DOMValidateContext;
 import javax.xml.crypto.dsig.keyinfo.KeyInfo;
 import javax.xml.crypto.dsig.keyinfo.KeyValue;
 import javax.xml.crypto.dsig.keyinfo.X509Data;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerConfigurationException;
@@ -38,6 +42,9 @@ import javax.xml.validation.SchemaFactory;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.StringReader;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.security.InvalidKeyException;
 import java.security.Key;
 import java.security.KeyException;
@@ -112,18 +119,31 @@ public class SwidTagValidator {
         Document document = unmarshallSwidTag(path);
         Element softwareIdentity =
                 (Element) document.getElementsByTagName("SoftwareIdentity").item(0);
-        StringBuilder si = new StringBuilder("Base RIM detected:\n");
-        si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n");
-        si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n");
-        System.out.println(si.toString());
-        Element file = (Element) document.getElementsByTagName("File").item(0);
+        Element signature = (Element) document.getElementsByTagName("Signature").item(0);
+        if (signature != null && softwareIdentity == null) {
+            return validateDetachedSignature(document, format);
+        } else if (signature != null && softwareIdentity != null) {
+            StringBuilder si = new StringBuilder("Base RIM detected:\n");
+            si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n");
+            si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n");
+            System.out.println(si.toString());
+            return validateEnvelopedSignature(document, format);
+        } else {
+            System.out.println("Invalid xml for validation, please verify " + path);
+        }
+
+        return false;
+    }
+
+    private boolean validateEnvelopedSignature(Document doc, String format) {
+        Element file = (Element) doc.getElementsByTagName("File").item(0);
         try {
             validateFile(file);
         } catch (Exception e) {
             System.out.println(e.getMessage());
             return false;
         }
-        boolean swidtagValidity = validateSignedXMLDocument(document, format);
+        boolean swidtagValidity = validateSignedXMLDocument(doc, format);
         if (swidtagValidity) {
             System.out.println("Signature core validity: true");
             return true;
@@ -133,6 +153,34 @@ public class SwidTagValidator {
         }
     }
 
+    private boolean validateDetachedSignature(Document doc, String format) {
+/*        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        DocumentBuilder db = null;
+        Document doc = null;
+
+        byte[] fileContents = new byte[0];
+        try {
+            fileContents = Files.readAllBytes(Paths.get(path));
+        } catch (IOException e) {
+            System.out.println("Error reading " + path + " for validation");
+        }
+        String xmlString = new String(fileContents);
+        try {
+            db = dbf.newDocumentBuilder();
+            doc = db.parse(path);
+        } catch (ParserConfigurationException e) {
+            System.out.println("Error instantiating DocumentBuilder object: " + e.getMessage());
+        } catch (SAXException e) {
+            e.printStackTrace();
+        } catch (IOException e) {
+            e.printStackTrace();
+        } catch (IllegalArgumentException e) {
+            System.out.println("Tried to parse a null file at " + path);
+        }
+*/
+        return validateSignedXMLDocument(doc, format);
+    }
+
     /**
      * This method validates a hirs.swid.xjc.File from an indirect payload
      */

tools/tcg_rim_tool/src/test/resources/detached_signature.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
+  <SignedInfo>
+    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
+    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
+    <Reference URI="file:/home/matsai/nsacyber/HIRS/tools/tcg_rim_tool/build/resources/test/generated_timestamp_rfc3852.swidtag">
+      <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
+      <DigestValue>2nWBzbaADibxwD1sTQltPrKXt+bhJ2qMjKWgLg18EZE=</DigestValue>
+    </Reference>
+  </SignedInfo>
+  <SignatureValue>oCj3hZK/vZLncKPWIVbjNUa7nwHVTPZrzBLwX7e11eWmSDSvTtfsl+UrBrgAit5FFpG/3oSEtnw6&#13;
+iQAIr80aWaL1/EFylI/w94/zh9m2Y1f0P5w+HD6pS34ALBSBn+9GbDZ48/v1nJ6oDGCw7/3oXkIT&#13;
+Id+SpS/vuG3SPK0Ej3eFQQc2ahHvOdBKT+UhD9kWVi/esqF0PI0qwd18coMsrQNcqpTBghou+n++&#13;
+G+YIWG4Tkgey+EOQLdWLEIch0KeVL1s9ANPOFHKqT4a2BaYe0S7g8xhQ9ERtCnSusb09fgycjl0V&#13;
+5Mx9t3pdwIXjsS8FWNd25Xc7kayNrq8H+3aRgg==</SignatureValue>
+  <KeyInfo>
+    <KeyName>2fdeb8e7d030a2209daa01861a964fedecf2bcc1</KeyName>
+  </KeyInfo>
+</Signature>