    def validate(self, image):
        """Verify the signature of a signed image against its certificate chain.

        Args:
            image: object exposing ``is_signed()``, ``cert_chain`` (one blob
                holding the whole chain), ``data_to_sign`` and
                ``data_signature``.

        Returns:
            Whatever ``validate_sig`` returns for the image's signed data,
            its signature and the split certificate chain. No OID, root-hash
            or signing-attribute checks are performed here.

        Raises:
            RuntimeError: if the image carries no signature at all.
        """
        if not image.is_signed():
            raise RuntimeError("Image supplied is not signed.")

        # The chain is stored as a single blob; split it into individual certs
        # before handing it to the signature check.
        chain_certs = crypto_functions.split_certificate_blob_into_certs(
            image.cert_chain)
        return self.validate_sig(image.data_to_sign, image.data_signature,
                                 chain_certs)
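    def validate(self, image):
        """Verify a signed image's signature and the OIDs in its cert chain.

        Both the OID check and the signature check must pass; the OID check
        runs first and short-circuits the signature check when it fails.

        Args:
            image: object exposing ``is_signed()``, ``cert_chain`` (one blob
                holding the whole chain), ``data_to_sign`` and
                ``data_signature``.

        Returns:
            True when both checks pass, otherwise the falsy result of the
            first check that failed.

        Raises:
            RuntimeError: if the image is not signed, or if the split chain
                holds fewer than two certificates (the OID check needs the
                first two entries, so a shorter chain cannot be validated).
        """
        if not image.is_signed():
            raise RuntimeError("Image supplied is not signed.")

        chain_certs = crypto_functions.split_certificate_blob_into_certs(
            image.cert_chain)

        # The OID check indexes entries [1] and [0]; reject a truncated chain
        # with a clear error instead of crashing with IndexError.
        if len(chain_certs) < 2:
            raise RuntimeError(
                "Certificate chain must contain at least two certificates "
                "for OID validation.")

        # NOTE(review): which of chain_certs[1]/[0] is the attestation cert
        # and which its issuer is not visible here -- confirm against
        # validate_oid_from_certs.
        return (self.validate_oid_from_certs(chain_certs[1], chain_certs[0]) and
                self.validate_sig(image.data_to_sign, image.data_signature,
                                  chain_certs))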
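    def validate(self, image):
        """Verify a signed image's signature and the TCG data in its cert chain.

        Both the TCG check and the signature check must pass; the TCG check
        runs first and short-circuits the signature check when it fails.

        Args:
            image: object exposing ``is_signed()``, ``cert_chain`` (one blob
                holding the whole chain), ``data_to_sign`` and
                ``data_signature``.

        Returns:
            True when both checks pass, otherwise the falsy result of the
            first check that failed.

        Raises:
            RuntimeError: if the image is not signed, or if the split chain
                holds fewer than two certificates (the TCG check needs the
                first two entries, so a shorter chain cannot be validated).
        """
        if not image.is_signed():
            raise RuntimeError("Image supplied is not signed.")

        chain_certs = crypto_functions.split_certificate_blob_into_certs(
            image.cert_chain)

        # The TCG check indexes entries [1] and [0]; reject a truncated chain
        # with a clear error instead of crashing with IndexError.
        if len(chain_certs) < 2:
            raise RuntimeError(
                "Certificate chain must contain at least two certificates "
                "for TCG validation.")

        # NOTE(review): which of chain_certs[1]/[0] is the attestation cert
        # and which its issuer is not visible here -- confirm against
        # validate_tcg_from_certs.
        return (self.validate_tcg_from_certs(chain_certs[1], chain_certs[0]) and
                self.validate_sig(image.data_to_sign, image.data_signature,
                                  chain_certs))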
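    def validate(self, image, root_cert_hash=None, imageinfo=None):
        """Validate every signature on a signed image plus, optionally, its
        root certificate hash and signing attributes.

        All checks are run and their failures collected, so one RuntimeError
        reports everything that is wrong with the image rather than only the
        first problem found.

        Args:
            image: signed image exposing ``is_signed()``,
                ``get_signing_assets()`` (yielding ``(name, data_to_sign,
                data_signature, cert_chain)`` tuples), ``authority`` (the name
                of the signer that must be present) and ``cert_chain``.
            root_cert_hash: expected root certificate hash; when given, the
                root of ``image.cert_chain`` is checked against it via
                ``validate_root_cert_hash``.
            imageinfo: config-file signing attributes; when given, they are
                compared with the attestation certificate via
                ``validate_signing_attributes`` and every mismatch is listed.

        Returns:
            True when every check passed.

        Raises:
            RuntimeError: when the image is not signed, when the authority's
                own signature is missing, or when any check failed (the
                message enumerates all failures).
        """
        if not image.is_signed():
            raise RuntimeError("Image supplied is not signed.")

        # Failure messages collected across all checks; raised together below.
        errstr = []

        for name, data_to_sign, data_signature, cert_chain in image.get_signing_assets():
            # A completely absent signature is fatal only for the authority;
            # other signers merely warn.
            # NOTE(review): an asset with only one of signature / cert chain
            # empty is not treated as absent and falls through to validate_sig
            # -- confirm that it is rejected there.
            if not data_signature and not cert_chain:
                if name != image.authority:
                    logger.warning(name + ' signature is not present')
                else:
                    raise RuntimeError(name + ' signature is not present')
                continue

            cert_chain_der = crypto_functions.split_certificate_blob_into_certs(
                cert_chain)

            if not self.validate_sig(data_to_sign, data_signature, cert_chain_der):
                errstr.append(name + ' signature is invalid')

            # OID validation is only performed on a three-certificate chain.
            # NOTE(review): chains of any other length skip the OID check
            # silently rather than reporting it -- confirm that is intended.
            if len(cert_chain_der) == 3:
                if not self.validate_oid_from_certs(cert_chain_der[1], cert_chain_der[0]):
                    errstr.append('OID values in the certificate are invalid')

        # The image-level chain backs the root-hash and attribute checks.
        cert_chain_der = crypto_functions.split_certificate_blob_into_certs(
            image.cert_chain)

        if root_cert_hash:
            if not cert_chain_der:
                errstr.append(
                    'Root certificate for ' + image.authority +
                    ' is not present in image for root cert hash verification'
                )
            elif not self.validate_root_cert_hash(cert_chain_der, root_cert_hash):
                errstr.append(
                    'Root certificate from image does not match the given root cert hash value'
                )

        if imageinfo is not None:
            if not cert_chain_der:
                errstr.append(
                    'Certificate chain for ' + image.authority +
                    ' is not present in image signing attributes verification'
                )
            else:
                # Each mismatch is (attribute, value in cert, value in config).
                mismatch = self.validate_signing_attributes(cert_chain_der, imageinfo)
                if mismatch:
                    tp = TablePrinter()
                    tp.insert_data(0, 0, 'Attribute')
                    tp.insert_data(0, 1, 'Attestation Cert')
                    tp.insert_data(0, 2, 'Config File')
                    # Next free table row (row 0 is the header); a separate
                    # name so it cannot be confused with the loop variables.
                    row = 0
                    for m in mismatch:
                        tp.insert_data(row + 1, 0, m[0])
                        if isinstance(m[1], list) and isinstance(m[2], list):
                            # List-valued attributes take one row per element,
                            # padding the shorter side with blanks.
                            num_rows = max(len(m[1]), len(m[2]))
                            for n in range(num_rows):
                                tp.insert_data(row + n + 1, 1,
                                               m[1][n] if n < len(m[1]) else "")
                                tp.insert_data(row + n + 1, 2,
                                               m[2][n] if n < len(m[2]) else "")
                            row += num_rows
                        else:
                            tp.insert_data(row + 1, 1, m[1])
                            tp.insert_data(row + 1, 2, m[2])
                            row += 1

                    errstr.append(
                        'Following signing attributes do not match: \n          '
                        + '\n          '.join(tp.get_data().split('\n')))

        if errstr:
            raise RuntimeError(
                'Following validations failed for the image:\n       ' +
                '\n       '.join([(str(n + 1) + '. ' + e)
                                  for n, e in enumerate(errstr)]))
        return True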