add check for null manifest assertions
elizabethhealy committed Nov 19, 2024
1 parent 32825b0 commit 4541fbb
Showing 2 changed files with 28 additions and 25 deletions.
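--- a/sdk/src/main/java/io/opentdf/platform/sdk/Manifest.java
+++ b/sdk/src/main/java/io/opentdf/platform/sdk/Manifest.java
@@ -51,7 +51,8 @@ public boolean equals(Object o) {
 return false;
 Manifest manifest = (Manifest) o;
 return Objects.equals(encryptionInformation, manifest.encryptionInformation)
-&& Objects.equals(payload, manifest.payload) && Objects.equals(assertions, manifest.assertions);
+&& Objects.equals(payload, manifest.payload)
+&& (manifest.assertions != null && Objects.equals(assertions, manifest.assertions));
 }
 
 @Override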
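Review bot: The added `manifest.assertions != null` term makes `equals` return false whenever the other manifest has no assertions, including `m.equals(m)` for a manifest whose own `assertions` is null, so reflexivity breaks and two identical assertion-free manifests no longer compare equal. `Objects.equals` already accepts null on either side, so the guard is not needed for null-safety; I would keep the previous term, `&& Objects.equals(assertions, manifest.assertions);`. If the intent is to treat a missing list and an empty list as the same, normalise both sides before comparing and keep the `hashCode` that presumably follows this method (not visible here) consistent with it. The body of `equals` starts above the hunk.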
50 changes: 26 additions & 24 deletions sdk/src/main/java/io/opentdf/platform/sdk/TDF.java
Expand Up @@ -695,35 +695,37 @@ public Reader loadTDF(SeekableByteChannel tdf, SDK.KAS kas,
}

// Validate assertions
for (var assertion : manifest.assertions) {
// Skip assertion verification if disabled
if (tdfReaderConfig.disableAssertionVerification) {
break;
}
if (manifest.assertions != null) {
for (var assertion : manifest.assertions) {
// Skip assertion verification if disabled
if (tdfReaderConfig.disableAssertionVerification) {
break;
}

// Set default to HS256
var assertionKey = new AssertionConfig.AssertionKey(AssertionConfig.AssertionKeyAlg.HS256, payloadKey);
Config.AssertionVerificationKeys assertionVerificationKeys = tdfReaderConfig.assertionVerificationKeys;
if (!assertionVerificationKeys.isEmpty()) {
var keyForAssertion = assertionVerificationKeys.getKey(assertion.id);
if (keyForAssertion != null) {
assertionKey = keyForAssertion;
// Set default to HS256
var assertionKey = new AssertionConfig.AssertionKey(AssertionConfig.AssertionKeyAlg.HS256, payloadKey);
Config.AssertionVerificationKeys assertionVerificationKeys = tdfReaderConfig.assertionVerificationKeys;
if (!assertionVerificationKeys.isEmpty()) {
var keyForAssertion = assertionVerificationKeys.getKey(assertion.id);
if (keyForAssertion != null) {
assertionKey = keyForAssertion;
}
}
}

var hashValues = assertion.verify(assertionKey);
var assertionAsJson = gson.toJson(assertion);
JsonCanonicalizer jc = new JsonCanonicalizer(assertionAsJson);
var hashOfAssertion = Hex.encodeHexString(digest.digest(jc.getEncodedUTF8()));
var signature = aggregateHash + hashOfAssertion;
var encodeSignature = Base64.getEncoder().encodeToString(signature.getBytes());
var hashValues = assertion.verify(assertionKey);
var assertionAsJson = gson.toJson(assertion);
JsonCanonicalizer jc = new JsonCanonicalizer(assertionAsJson);
var hashOfAssertion = Hex.encodeHexString(digest.digest(jc.getEncodedUTF8()));
var signature = aggregateHash + hashOfAssertion;
var encodeSignature = Base64.getEncoder().encodeToString(signature.getBytes());

if (!Objects.equals(hashOfAssertion, hashValues.getAssertionHash())) {
throw new AssertionException("assertion hash mismatch", assertion.id);
}
if (!Objects.equals(hashOfAssertion, hashValues.getAssertionHash())) {
throw new AssertionException("assertion hash mismatch", assertion.id);
}

if (!Objects.equals(encodeSignature, hashValues.getSignature())) {
throw new AssertionException("failed integrity check on assertion signature", assertion.id);
if (!Objects.equals(encodeSignature, hashValues.getSignature())) {
throw new AssertionException("failed integrity check on assertion signature", assertion.id);
}
}
}

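Review bot: With the new `if (manifest.assertions != null)` guard, a manifest that carries no `assertions` field is accepted with no assertion check and nothing records that, which is the same outcome as setting `disableAssertionVerification`. Whether a manifest with the field removed is caught by the earlier integrity checks cannot be seen here, because `loadTDF` starts and ends outside the hunk. I would at least state the decision in a comment such as `// A manifest without assertions is valid; there is nothing to verify`, and consider rejecting the TDF when `assertionVerificationKeys` is non-empty but the manifest has no assertions, since the caller then expected some. Separately, the disable flag is still tested on every iteration; folding it into the guard as `if (manifest.assertions != null && !tdfReaderConfig.disableAssertionVerification) {` removes the `break`. `signature.getBytes()` relies on the platform charset, and `signature.getBytes(StandardCharsets.UTF_8)` would keep the comparison stable across JVMs.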
