def validate(self, image):
    """Verify the signature carried by *image* against its own certificate chain.

    Args:
        image: signed image object providing ``is_signed()``, ``cert_chain``,
            ``data_to_sign`` and ``data_signature``.

    Returns:
        Whatever ``self.validate_sig`` returns for the image's signed data,
        its signature and the certificate list split out of ``image.cert_chain``.

    Raises:
        RuntimeError: if ``image.is_signed()`` is false.
    """
    if not image.is_signed():
        raise RuntimeError("Image supplied is not signed.")
    # The chain is stored as one blob; split it into individual DER certificates first.
    chain = crypto_functions.split_certificate_blob_into_certs(image.cert_chain)
    return self.validate_sig(image.data_to_sign, image.data_signature, chain)
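def validate(self, image):
    """Validate certificate OIDs and then the signature of a signed *image*.

    Args:
        image: signed image object providing ``is_signed()``, ``cert_chain``,
            ``data_to_sign`` and ``data_signature``.

    Returns:
        ``self.validate_oid_from_certs(...) and self.validate_sig(...)``: the
        signature is only checked when the OID check passes.

    Raises:
        RuntimeError: if the image is not signed, or if its certificate chain
            holds fewer than the two certificates the OID check needs.
    """
    if not image.is_signed():
        raise RuntimeError("Image supplied is not signed.")
    cert_chain_der = crypto_functions.split_certificate_blob_into_certs(image.cert_chain)
    # The OID check reads index 1 (issuing cert) and index 0 (leaf cert); a shorter
    # chain previously surfaced as a bare IndexError instead of a clear failure.
    if len(cert_chain_der) < 2:
        raise RuntimeError("Certificate chain in image must contain at least two certificates.")
    return (self.validate_oid_from_certs(cert_chain_der[1], cert_chain_der[0])
            and self.validate_sig(image.data_to_sign, image.data_signature, cert_chain_der))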
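def validate(self, image):
    """Validate TCG certificate content and then the signature of a signed *image*.

    Args:
        image: signed image object providing ``is_signed()``, ``cert_chain``,
            ``data_to_sign`` and ``data_signature``.

    Returns:
        ``self.validate_tcg_from_certs(...) and self.validate_sig(...)``: the
        signature is only checked when the TCG check passes.

    Raises:
        RuntimeError: if the image is not signed, or if its certificate chain
            holds fewer than the two certificates the TCG check needs.
    """
    if not image.is_signed():
        raise RuntimeError("Image supplied is not signed.")
    cert_chain_der = crypto_functions.split_certificate_blob_into_certs(image.cert_chain)
    # The TCG check reads index 1 (issuing cert) and index 0 (leaf cert); a shorter
    # chain previously surfaced as a bare IndexError instead of a clear failure.
    if len(cert_chain_der) < 2:
        raise RuntimeError("Certificate chain in image must contain at least two certificates.")
    return (self.validate_tcg_from_certs(cert_chain_der[1], cert_chain_der[0])
            and self.validate_sig(image.data_to_sign, image.data_signature, cert_chain_der))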
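@staticmethod
def _format_signing_attribute_mismatch(mismatch):
    """Render signing-attribute mismatches as a three-column table message.

    Args:
        mismatch: sequence of ``(attribute, cert_value, config_value)`` entries as
            returned by ``validate_signing_attributes``. When both values are
            lists they are expanded one element per row, the shorter list being
            padded with ``""``.

    Returns:
        The mismatch message followed by the ``TablePrinter`` output, each table
        line indented by one space.
    """
    tp = TablePrinter()
    tp.insert_data(0, 0, 'Attribute')
    tp.insert_data(0, 1, 'Attestation Cert')
    tp.insert_data(0, 2, 'Config File')
    row = 1  # next free table row; row 0 is the header
    for m in mismatch:
        attr, cert_val, cfg_val = m[0], m[1], m[2]
        tp.insert_data(row, 0, attr)
        if isinstance(cert_val, list) and isinstance(cfg_val, list):
            # List-valued attributes take one row per element.
            num_rows = max(len(cert_val), len(cfg_val))
            for n in range(num_rows):
                tp.insert_data(row + n, 1, cert_val[n] if n < len(cert_val) else "")
                tp.insert_data(row + n, 2, cfg_val[n] if n < len(cfg_val) else "")
            row += num_rows
        else:
            tp.insert_data(row, 1, cert_val)
            tp.insert_data(row, 2, cfg_val)
            row += 1
    return ('Following signing attributes do not match: \n ' +
            '\n '.join(tp.get_data().split('\n')))


def validate(self, image, root_cert_hash=None, imageinfo=None):
    """Run every applicable check on a signed *image*; raise listing all failures.

    Checks, in order:
      1. For each asset from ``image.get_signing_assets()``: signature
         verification via ``validate_sig`` and, only for three-certificate
         chains, OID validation via ``validate_oid_from_certs``.
      2. If ``root_cert_hash`` is given: the image-level certificate chain is
         checked with ``validate_root_cert_hash``.
      3. If ``imageinfo`` is given: the image-level chain's signing attributes
         are compared with it via ``validate_signing_attributes``.

    Args:
        image: signed image providing ``is_signed()``, ``get_signing_assets()``,
            ``authority`` and ``cert_chain``.
        root_cert_hash: expected root certificate hash, or None to skip that check.
        imageinfo: signing-attribute configuration to compare against, or None to skip.

    Returns:
        True when every check passed.

    Raises:
        RuntimeError: if the image is not signed, if the ``image.authority``
            asset has neither signature nor certificate chain, or, once all
            checks have run, with a numbered list of every failed validation.
    """
    if not image.is_signed():
        raise RuntimeError("Image supplied is not signed.")

    errstr = []  # one entry per failed check; all are reported together at the end
    for name, data_to_sign, data_signature, cert_chain in image.get_signing_assets():
        if not data_signature and not cert_chain:
            # A missing non-authority signature only warns; the authority's is mandatory.
            if name != image.authority:
                logger.warning(name + ' signature is not present')
            else:
                raise RuntimeError(name + ' signature is not present')
            continue
        # NOTE(review): an asset with only one of signature / cert chain missing is
        # not caught above and reaches validate_sig — confirm it rejects such input.
        cert_chain_der = crypto_functions.split_certificate_blob_into_certs(cert_chain)
        if not self.validate_sig(data_to_sign, data_signature, cert_chain_der):
            errstr.append(name + ' signature is invalid')
        # OID check uses index 1 (issuing cert) and index 0 (leaf cert) and is only
        # performed on a full three-certificate chain; shorter chains skip it.
        if len(cert_chain_der) == 3:
            if not self.validate_oid_from_certs(cert_chain_der[1], cert_chain_der[0]):
                errstr.append('OID values in the certificate are invalid')

    # The remaining checks use the image-level certificate chain.
    cert_chain_der = crypto_functions.split_certificate_blob_into_certs(image.cert_chain)

    if root_cert_hash:
        if not cert_chain_der:
            errstr.append('Root certificate for ' + image.authority +
                          ' is not present in image for root cert hash verification')
        elif not self.validate_root_cert_hash(cert_chain_der, root_cert_hash):
            errstr.append('Root certificate from image does not match the given root cert hash value')

    if imageinfo is not None:
        if not cert_chain_der:
            errstr.append('Certificate chain for ' + image.authority +
                          ' is not present in image signing attributes verification')
        else:
            mismatch = self.validate_signing_attributes(cert_chain_der, imageinfo)
            if mismatch:
                errstr.append(self._format_signing_attribute_mismatch(mismatch))

    if errstr:
        raise RuntimeError('Following validations failed for the image:\n ' +
                           '\n '.join(str(k + 1) + '. ' + e for k, e in enumerate(errstr)))
    return True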