From fc802bce6e044bad133dad5ff26e7a51fca2099f Mon Sep 17 00:00:00 2001
From: chubtub <43381989+chubtub@users.noreply.github.com>
Date: Tue, 25 Apr 2023 07:08:18 -0400
Subject: [PATCH] Detached signature references its signed data by URI. Modified the validator class to distinguish between enveloped and detached signatures.
---
 .../main/java/hirs/swid/SwidTagGateway.java | 4 +-
 .../main/java/hirs/swid/SwidTagValidator.java | 60 +++++++++++++++++--
 .../src/test/resources/detached_signature.xml | 19 ++++++
 3 files changed, 76 insertions(+), 7 deletions(-)
 create mode 100644 tools/tcg_rim_tool/src/test/resources/detached_signature.xml
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
index d969fc16..9c9f5ace 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagGateway.java
@@ -63,6 +63,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.StringReader;
 import java.math.BigInteger;
+import java.net.URI;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.InvalidAlgorithmParameterException;
@@ -569,6 +570,7 @@ public class SwidTagGateway {
 public Document signXMLDocument(String signFile) {
 //Read signFile contents
 String xmlToSign = "";
+ URI fileUri = new File(signFile).toURI();
 try {
 byte[] fileContents = Files.readAllBytes(Paths.get(signFile));
 xmlToSign = new String(fileContents); //safe to assume default charset??
@@ -605,7 +607,7 @@ public class SwidTagGateway {
 try {
 sigFactory = XMLSignatureFactory.getInstance("DOM");
 //ref must be distinguished from existing
- Reference ref = sigFactory.newReference("#" + softwareIdentityId,
+ Reference ref = sigFactory.newReference(fileUri.toString(),
 sigFactory.newDigestMethod(DigestMethod.SHA256, null));
 signedInfo = sigFactory.newSignedInfo(
 sigFactory.newCanonicalizationMethod(CanonicalizationMethod.INCLUSIVE,
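Review bot: `fileUri.toString()` in the `newReference` call embeds the signer's absolute local path as the Reference URI, because `new File(signFile).toURI()` always yields an absolute `file:` URI; the signature therefore discloses the signing machine's directory layout and only verifies where the signed data sits at that exact absolute path. A detached signature is more portable and reveals less if the Reference carries a relative URI such as `new File(signFile).getName()` and the verifier supplies the location through `setBaseURI(...)` on its `DOMValidateContext`. This hunk also replaces the previous `"#" + softwareIdentityId` reference for every caller of `signXMLDocument`, so any remaining enveloped signing would now digest the on-disk file rather than the in-document element — worth confirming that is intended. The body of `signXMLDocument` continues outside these hunks.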
diff --git a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java
index e2cabca2..974db1b0 100644
--- a/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java
+++ b/tools/tcg_rim_tool/src/main/java/hirs/swid/SwidTagValidator.java
@@ -5,6 +5,7 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
+import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import javax.security.auth.x500.X500Principal;
@@ -26,6 +27,9 @@ import javax.xml.crypto.dsig.dom.DOMValidateContext;
 import javax.xml.crypto.dsig.keyinfo.KeyInfo;
 import javax.xml.crypto.dsig.keyinfo.KeyValue;
 import javax.xml.crypto.dsig.keyinfo.X509Data;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerConfigurationException;
@@ -38,6 +42,9 @@ import javax.xml.validation.SchemaFactory;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.StringReader;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.security.InvalidKeyException;
 import java.security.Key;
 import java.security.KeyException;
@@ -112,18 +119,31 @@ public class SwidTagValidator {
 Document document = unmarshallSwidTag(path);
 Element softwareIdentity = (Element) document.getElementsByTagName("SoftwareIdentity").item(0);
- StringBuilder si = new StringBuilder("Base RIM detected:\n");
- si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n");
- si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n");
- System.out.println(si.toString());
- Element file = (Element) document.getElementsByTagName("File").item(0);
+ Element signature = (Element) document.getElementsByTagName("Signature").item(0);
+ if (signature != null && softwareIdentity == null) {
+ return validateDetachedSignature(document, format);
+ } else if (signature != null && softwareIdentity != null) {
+ StringBuilder si = new StringBuilder("Base RIM detected:\n");
+ si.append("SoftwareIdentity name: " + softwareIdentity.getAttribute("name") + "\n");
+ si.append("SoftwareIdentity tagId: " + softwareIdentity.getAttribute("tagId") + "\n");
+ System.out.println(si.toString());
+ return validateEnvelopedSignature(document, format);
+ } else {
+ System.out.println("Invalid xml for validation, please verify " + path);
+ }
+
+ return false;
+ }
+
+ private boolean validateEnvelopedSignature(Document doc, String format) {
+ Element file = (Element) doc.getElementsByTagName("File").item(0);
 try {
 validateFile(file);
 } catch (Exception e) {
 System.out.println(e.getMessage());
 return false;
 }
- boolean swidtagValidity = validateSignedXMLDocument(document, format);
+ boolean swidtagValidity = validateSignedXMLDocument(doc, format);
 if (swidtagValidity) {
 System.out.println("Signature core validity: true");
 return true;
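Review bot: In the detached branch the only check before `document` is handed to `validateDetachedSignature` is that a `Signature` element exists, so the signature file itself dictates, through its Reference URI, which data the verifier reads and digests; a verifier that accepts externally supplied signature files should pin that to the expected payload, e.g. compare each `Reference.getURI()` against the expected file or install a `URIDereferencer` via `DOMValidateContext.setURIDereferencer` that refuses anything else, before calling `validate`. `validateSignedXMLDocument` is outside this hunk, so whether it already constrains the dereference cannot be seen here. The new `document.getElementsByTagName("Signature")` lookup will also miss a prefixed element (e.g. `ds:Signature`) if the document was parsed namespace-aware; `document.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature")` handles both forms. The body of `validateEnvelopedSignature` continues past the end of this hunk.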
@@ -133,6 +153,34 @@ public class SwidTagValidator {
 }
 }
+ private boolean validateDetachedSignature(Document doc, String format) {
+/* DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ DocumentBuilder db = null;
+ Document doc = null;
+
+ byte[] fileContents = new byte[0];
+ try {
+ fileContents = Files.readAllBytes(Paths.get(path));
+ } catch (IOException e) {
+ System.out.println("Error reading " + path + " for validation");
+ }
+ String xmlString = new String(fileContents);
+ try {
+ db = dbf.newDocumentBuilder();
+ doc = db.parse(path);
+ } catch (ParserConfigurationException e) {
+ System.out.println("Error instantiating DocumentBuilder object: " + e.getMessage());
+ } catch (SAXException e) {
+ e.printStackTrace();
+ } catch (IOException e) {
+ e.printStackTrace();
+ } catch (IllegalArgumentException e) {
+ System.out.println("Tried to parse a null file at " + path);
+ }
+*/
+ return validateSignedXMLDocument(doc, format);
+ }
+
 /**
 * This method validates a hirs.swid.xjc.File from an indirect payload
 */
diff --git a/tools/tcg_rim_tool/src/test/resources/detached_signature.xml b/tools/tcg_rim_tool/src/test/resources/detached_signature.xml
new file mode 100644
index 00000000..fc2ca755
--- /dev/null
+++ b/tools/tcg_rim_tool/src/test/resources/detached_signature.xml
@@ -0,0 +1,19 @@
+ + + + + + + + 2nWBzbaADibxwD1sTQltPrKXt+bhJ2qMjKWgLg18EZE= + + + oCj3hZK/vZLncKPWIVbjNUa7nwHVTPZrzBLwX7e11eWmSDSvTtfsl+UrBrgAit5FFpG/3oSEtnw6 +iQAIr80aWaL1/EFylI/w94/zh9m2Y1f0P5w+HD6pS34ALBSBn+9GbDZ48/v1nJ6oDGCw7/3oXkIT +Id+SpS/vuG3SPK0Ej3eFQQc2ahHvOdBKT+UhD9kWVi/esqF0PI0qwd18coMsrQNcqpTBghou+n++ +G+YIWG4Tkgey+EOQLdWLEIch0KeVL1s9ANPOFHKqT4a2BaYe0S7g8xhQ9ERtCnSusb09fgycjl0V +5Mx9t3pdwIXjsS8FWNd25Xc7kayNrq8H+3aRgg== + + 2fdeb8e7d030a2209daa01861a964fedecf2bcc1 + +
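Review bot: `validateDetachedSignature` is committed with a large commented-out block (`/* DocumentBuilderFactory dbf ... */`) that references a `path` variable not in scope and redeclares `doc`; it should be deleted rather than kept, together with the imports this patch adds only for it (`InputSource`, `DocumentBuilder`, `DocumentBuilderFactory`, `ParserConfigurationException`, `StringReader`, `Files`, `Paths`) unless they are used elsewhere in the file. The method also lacks Javadoc; suggest a comment along the lines of `/** Validates a detached signature document whose Reference URI locates the signed data. @param doc the parsed Signature document @param format passed through to validateSignedXMLDocument @return true if the signature validates */`, since the meaning of `format` is not visible in this hunk. Unlike the enveloped path, this one performs no `validateFile` step on the referenced payload; if that payload is expected to be a RIM, the same checks may be wanted once the signature validates.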