Additional fixes and updates to track supply chain validation in the
component attribute result. Fixes to run-time issues
This commit is contained in:
parent
55dd9e2c90
commit
06245c385d
@ -14,4 +14,11 @@ public interface ComponentAttributeRepository extends JpaRepository<ComponentAtt
|
||||
* @return a list of attribute results
|
||||
*/
|
||||
List<ComponentAttributeResult> findByComponentId(UUID componentId);
|
||||
|
||||
/**
|
||||
* Query to look up Attribute Results based on the validation id.
|
||||
* @param provisionSessionId uuid for the supplychainvalidationsummary
|
||||
* @return a list of attribute results
|
||||
*/
|
||||
List<ComponentAttributeResult> findByProvisionSessionId(UUID provisionSessionId);
|
||||
}
|
||||
|
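Review bot: The Javadoc on the new `findByProvisionSessionId` says the lookup is `based on the validation id`, but `ComponentAttributeResult` carries a separate `validationId` column, so the comment names the wrong key. Change it to `* Query to look up Attribute Results based on the provisioning session id.` and make the parameter line read `* @param provisionSessionId UUID of the provisioning session, as stored on the SupplyChainValidationSummary`.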
@ -46,6 +46,7 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
|
||||
|
||||
private static final String DEVICE_ID_FIELD = "device.id";
|
||||
|
||||
@Getter
|
||||
@Column
|
||||
@Enumerated(EnumType.STRING)
|
||||
private final AppraisalStatus.Status overallValidationResult;
|
||||
@ -58,6 +59,9 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
|
||||
targetEntity = SupplyChainValidation.class, orphanRemoval = true)
|
||||
private final Set<SupplyChainValidation> validations;
|
||||
|
||||
@Column
|
||||
private UUID provisionSessionId;
|
||||
|
||||
/**
|
||||
* Default constructor necessary for Hibernate.
|
||||
*/
|
||||
@ -177,6 +181,20 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
|
||||
return new SupplyChainValidationSummary.Selector(certMan);
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a new SupplyChainValidationSummary.
|
||||
*
|
||||
* @param device device that underwent supply chain validation
|
||||
* @param validations a Collection of Validations that should comprise this summary; not null
|
||||
* @param provisionSessionId randomly generated UUID to associate with results
|
||||
*/
|
||||
public SupplyChainValidationSummary(final Device device,
|
||||
final Collection<SupplyChainValidation> validations,
|
||||
final UUID provisionSessionId) {
|
||||
this(device, validations);
|
||||
this.provisionSessionId = provisionSessionId;
|
||||
}
|
||||
|
||||
/**
|
||||
* Construct a new SupplyChainValidationSummary.
|
||||
*
|
||||
@ -212,13 +230,6 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
|
||||
return new Device(this.device.getDeviceInfo());
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the overall appraisal result
|
||||
*/
|
||||
public AppraisalStatus.Status getOverallValidationResult() {
|
||||
return overallValidationResult;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return the validations that this summary contains
|
||||
*/
|
||||
|
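Review bot: `provisionSessionId` is added to `SupplyChainValidationSummary` with `@Column` only, while `overallValidationResult` in the same file section now carries `@Getter`; unless the class has a class-level `@Getter` outside these hunks, callers cannot read the id back to join a summary to its attribute results through `ComponentAttributeRepository.findByProvisionSessionId`. Add `@Getter` above the column. The new three-argument constructor also delegates to `this(device, validations)` and that two-argument constructor remains, so summaries built the old way carry a null id; the Javadoc `@param provisionSessionId randomly generated UUID to associate with results` should say whether null is permitted, or the constructor should reject it with `Objects.requireNonNull(provisionSessionId, "provisionSessionId")` (importing java.util.Objects if the file does not already).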
@ -5,6 +5,7 @@ import jakarta.persistence.Entity;
|
||||
import lombok.AccessLevel;
|
||||
import lombok.Getter;
|
||||
import lombok.NoArgsConstructor;
|
||||
import lombok.Setter;
|
||||
|
||||
import java.util.UUID;
|
||||
|
||||
@ -19,12 +20,14 @@ import java.util.UUID;
|
||||
public class ComponentAttributeResult extends ArchivableEntity {
|
||||
|
||||
private UUID componentId;
|
||||
private UUID validationId;
|
||||
@Setter
|
||||
private UUID provisionSessionId;
|
||||
private String expectedValue;
|
||||
private String actualValue;
|
||||
|
||||
/**
|
||||
* Default constructor that populates the expected and actual values.
|
||||
* @param componentId id associated with component result
|
||||
* @param expectedValue platform certificate value
|
||||
* @param actualValue paccor value from the device
|
||||
*/
|
||||
|
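Review bot: `provisionSessionId` is the only field in this hunk of `ComponentAttributeResult` given a `@Setter`, so the link from a persisted attribute-mismatch record to its provisioning session can be re-pointed after the fact, whereas `componentId`, `expectedValue` and `actualValue` are documented as constructor inputs. If the session id is always known when a result is created, passing it as a constructor argument keeps that audit linkage immutable; if it must stay a setter, give the field a Javadoc such as `/** Provisioning session (SupplyChainValidationSummary.provisionSessionId) this result was recorded under; assigned by the validator after construction. */`. The constructor this hunk starts to document continues past the hunk.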
@ -35,6 +35,7 @@ import java.util.Iterator;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.UUID;
|
||||
|
||||
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL;
|
||||
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS;
|
||||
@ -52,6 +53,7 @@ public class SupplyChainValidationService {
|
||||
private CertificateRepository certificateRepository;
|
||||
private SupplyChainValidationRepository supplyChainValidationRepository;
|
||||
private SupplyChainValidationSummaryRepository supplyChainValidationSummaryRepository;
|
||||
private UUID provisionSessionId;
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
@ -105,6 +107,7 @@ public class SupplyChainValidationService {
|
||||
final Device device,
|
||||
final List<ComponentInfo> componentInfos) {
|
||||
boolean acceptExpiredCerts = getPolicySettings().isExpiredCertificateValidationEnabled();
|
||||
provisionSessionId = UUID.randomUUID();
|
||||
PlatformCredential baseCredential = null;
|
||||
SupplyChainValidation platformScv = null;
|
||||
SupplyChainValidation basePlatformScv = null;
|
||||
@ -235,7 +238,7 @@ public class SupplyChainValidationService {
|
||||
platformScv = ValidationService.evaluatePCAttributesStatus(
|
||||
baseCredential, device.getDeviceInfo(), ec,
|
||||
certificateRepository, componentResultRepository,
|
||||
componentAttributeRepository, componentInfos);
|
||||
componentAttributeRepository, componentInfos, provisionSessionId);
|
||||
validations.add(new SupplyChainValidation(
|
||||
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
|
||||
platformScv.getValidationResult(), aes, platformScv.getMessage()));
|
||||
@ -262,7 +265,7 @@ public class SupplyChainValidationService {
|
||||
log.info("The validation finished, summarizing...");
|
||||
// Generate validation summary, save it, and return it.
|
||||
SupplyChainValidationSummary summary
|
||||
= new SupplyChainValidationSummary(device, validations);
|
||||
= new SupplyChainValidationSummary(device, validations, provisionSessionId);
|
||||
try {
|
||||
supplyChainValidationSummaryRepository.save(summary);
|
||||
} catch (DBManagerException dbMEx) {
|
||||
|
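Review bot: The per-request `provisionSessionId` is kept in an instance field of `SupplyChainValidationService` (the `private UUID provisionSessionId;` line in the `@ -52,6 +53,7 @@` hunk), assigned with `provisionSessionId = UUID.randomUUID();` inside the validation method, and then read twice more, at the `evaluatePCAttributesStatus(...)` call and at `new SupplyChainValidationSummary(device, validations, provisionSessionId)`. If this service is a shared singleton bean, two devices provisioning concurrently can overwrite each other's id between those reads, so one device's component attribute results and summary get recorded under another device's session — precisely the audit linkage this commit introduces. Make it method-local instead: replace the assignment with `final UUID provisionSessionId = UUID.randomUUID();` and delete the field; the two later reads then resolve to the local unchanged. The validation method's signature and body extend beyond the hunks shown here.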
@ -38,6 +38,7 @@ import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.UUID;
|
||||
|
||||
@Log4j2
|
||||
public class ValidationService {
|
||||
@ -107,7 +108,8 @@ public class ValidationService {
|
||||
final CertificateRepository certificateRepository,
|
||||
final ComponentResultRepository componentResultRepository,
|
||||
final ComponentAttributeRepository componentAttributeRepository,
|
||||
final List<ComponentInfo> componentInfos) {
|
||||
final List<ComponentInfo> componentInfos,
|
||||
final UUID provisionSessionId) {
|
||||
final SupplyChainValidation.ValidationType validationType
|
||||
= SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL_ATTRIBUTES;
|
||||
|
||||
@ -118,12 +120,10 @@ public class ValidationService {
|
||||
null, Level.ERROR);
|
||||
}
|
||||
log.info("Validating platform credential attributes");
|
||||
// List<ComponentResult> componentResults = componentResultRepository
|
||||
// .findByCertificateSerialNumberAndBoardSerialNumber(
|
||||
// pc.getSerialNumber().toString(), pc.getPlatformSerial());
|
||||
AppraisalStatus result = CredentialValidator.
|
||||
validatePlatformCredentialAttributes(pc, deviceInfoReport, ec,
|
||||
componentResultRepository, componentAttributeRepository, componentInfos);
|
||||
componentResultRepository, componentAttributeRepository,
|
||||
componentInfos, provisionSessionId);
|
||||
switch (result.getAppStatus()) {
|
||||
case PASS:
|
||||
return buildValidationRecord(validationType, AppraisalStatus.Status.PASS,
|
||||
|
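Review bot: The signature hunk `@ -107,7 +108,8 @@` on `evaluatePCAttributesStatus` starts below the method's Javadoc, and unlike the `validatePlatformCredentialAttributesV2p0` change no `@param provisionSessionId` line is visible here; if it was not added, document the new parameter as `* @param provisionSessionId UUID of the provisioning session under which attribute results are recorded`. The value is only forwarded to `CredentialValidator.validatePlatformCredentialAttributes`, so the comment can point there for its null semantics.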
@ -36,6 +36,7 @@ import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.Optional;
|
||||
import java.util.Set;
|
||||
import java.util.UUID;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.ERROR;
|
||||
@ -196,6 +197,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
|
||||
* @param componentResultRepository db access to component result of mismatching
|
||||
* @param componentAttributeRepository db access to component attribute match status
|
||||
* @param componentInfos list of device components
|
||||
* @param provisionSessionId UUID associated with the SCV Summary
|
||||
* @return either PASS or FAIL
|
||||
*/
|
||||
public static AppraisalStatus validatePlatformCredentialAttributesV2p0(
|
||||
@ -203,7 +205,8 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
|
||||
final DeviceInfoReport deviceInfoReport,
|
||||
final ComponentResultRepository componentResultRepository,
|
||||
final ComponentAttributeRepository componentAttributeRepository,
|
||||
final List<ComponentInfo> componentInfos) {
|
||||
final List<ComponentInfo> componentInfos,
|
||||
final UUID provisionSessionId) {
|
||||
boolean passesValidation = true;
|
||||
StringBuilder resultMessage = new StringBuilder();
|
||||
|
||||
@ -355,6 +358,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
|
||||
}
|
||||
|
||||
for (ComponentAttributeResult componentAttributeResult : attributeResults) {
|
||||
componentAttributeResult.setProvisionSessionId(provisionSessionId);
|
||||
componentAttributeRepository.save(componentAttributeResult);
|
||||
fieldValidation &= componentAttributeResult.checkMatchedStatus();
|
||||
}
|
||||
|
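Review bot: `componentAttributeResult.setProvisionSessionId(provisionSessionId)` followed by `componentAttributeRepository.save(componentAttributeResult)` runs for every result without checking the id, and nothing in the hunks for `validatePlatformCredentialAttributesV2p0` or its callers rejects a null; a null id would persist results that `findByProvisionSessionId` can never return, silently losing the tracking this commit adds. Reject it at method entry, for example `if (provisionSessionId == null) { throw new IllegalArgumentException("provisionSessionId is required to record attribute results"); }`, or return the ERROR status the file already imports if callers expect an AppraisalStatus rather than an exception. As a minor style point, the per-iteration `save` can become a single `componentAttributeRepository.saveAll(attributeResults)` after the loop. The method's body continues well beyond this hunk.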
@ -18,6 +18,7 @@ import java.security.cert.CertificateNotYetValidException;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.Date;
|
||||
import java.util.List;
|
||||
import java.util.UUID;
|
||||
|
||||
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.ERROR;
|
||||
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL;
|
||||
@ -175,7 +176,8 @@ public class CredentialValidator extends SupplyChainCredentialValidator {
|
||||
final EndorsementCredential endorsementCredential,
|
||||
final ComponentResultRepository componentResultRepository,
|
||||
final ComponentAttributeRepository componentAttributeRepository,
|
||||
final List<ComponentInfo> componentInfos) {
|
||||
final List<ComponentInfo> componentInfos,
|
||||
final UUID provisionSessionId) {
|
||||
final String baseErrorMessage = "Can't validate platform credential attributes without ";
|
||||
String message;
|
||||
if (platformCredential == null) {
|
||||
@ -207,7 +209,7 @@ public class CredentialValidator extends SupplyChainCredentialValidator {
|
||||
if (PlatformCredential.CERTIFICATE_TYPE_2_0.equals(credentialType)) {
|
||||
return CertificateAttributeScvValidator.validatePlatformCredentialAttributesV2p0(
|
||||
platformCredential, deviceInfoReport, componentResultRepository,
|
||||
componentAttributeRepository, componentInfos);
|
||||
componentAttributeRepository, componentInfos, provisionSessionId);
|
||||
}
|
||||
return CertificateAttributeScvValidator.validatePlatformCredentialAttributesV1p2(
|
||||
platformCredential, deviceInfoReport);
|
||||
|
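Review bot: The new `provisionSessionId` is forwarded only on the `CERTIFICATE_TYPE_2_0` branch; `validatePlatformCredentialAttributesV1p2(platformCredential, deviceInfoReport)` is unchanged, so for 1.2 platform credentials nothing is linked to the provisioning session. If that path records any `ComponentAttributeResult` rows (not visible here) they will be orphaned, and either way the Javadoc above this hunk should state `* @param provisionSessionId UUID of the provisioning session; only recorded for 2.0 credentials`. The method checks `platformCredential == null` but not the new parameter; mirroring that check with `baseErrorMessage + "a provisioning session id"` keeps the precondition handling consistent.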
@ -5,6 +5,7 @@ import hirs.attestationca.persist.entity.manager.CertificateRepository;
|
||||
import hirs.attestationca.persist.entity.manager.ComponentResultRepository;
|
||||
import hirs.attestationca.persist.entity.userdefined.Certificate;
|
||||
import hirs.attestationca.persist.entity.userdefined.certificate.CertificateAuthorityCredential;
|
||||
import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult;
|
||||
import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential;
|
||||
import hirs.attestationca.persist.entity.userdefined.certificate.IssuedAttestationCertificate;
|
||||
import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
|
||||
@ -363,8 +364,13 @@ public final class CertificateStringMapBuilder {
|
||||
data.put("x509Version", certificate.getX509CredentialVersion());
|
||||
//CPSuri
|
||||
data.put("CPSuri", certificate.getCPSuri());
|
||||
data.put("componentResults", PciIds.translateResults(componentResultRepository
|
||||
.findByBoardSerialNumber(certificate.getPlatformSerial())));
|
||||
List<ComponentResult> compResults = componentResultRepository
|
||||
.findByBoardSerialNumber(certificate.getPlatformSerial());
|
||||
if (PciIds.DB.isReady()) {
|
||||
data.put("componentResults", PciIds.translateResults(compResults));
|
||||
} else {
|
||||
data.put("componentResults", compResults);
|
||||
}
|
||||
|
||||
//Get platform Configuration values and set map with it
|
||||
PlatformConfiguration platformConfiguration = certificate.getPlatformConfiguration();
|
||||
|
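Review bot: The new branch on `PciIds.DB.isReady()` needs a why-comment: it appears to be the runtime fix the commit message mentions, but a reader sees only that `"componentResults"` is populated with either `PciIds.translateResults(compResults)` or the raw `compResults` and cannot tell why. Add above the `if`: `// PCI ID translation needs the vendor/device database; fall back to the raw results so the view still renders when it has not loaded.` If `translateResults` returns something other than `List<ComponentResult>` (not visible here), the JSP reading `componentResults` must cope with both shapes, and that constraint belongs in the same comment.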
@ -628,7 +628,7 @@
|
||||
</c:choose>
|
||||
<c:choose>
|
||||
<c:when test="${component.isVersion2()=='TRUE'}">
|
||||
<span data-toggle="tooltip" data-placement="top" title="Component Class">${component.getComponentClass()}</span>
|
||||
<span data-toggle="tooltip" data-placement="top" title="Component Class">${component.getComponentClassValue()}</span>
|
||||
</c:when>
|
||||
<c:otherwise>
|
||||
<span data-toggle="tooltip" data-placement="top" title="Component Class">Platform Components</span>
|
||||
|
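Review bot: The new `${component.getComponentClassValue()}` is written straight into the `<span>` through a JSP EL expression, and EL output is not HTML-escaped, so a component-class string containing markup would be rendered as-is in the certificate details page; the replaced `${component.getComponentClass()}` had the same property, so this is pre-existing exposure rather than a regression, but the line is being touched now. If, as the surrounding certificate view suggests, this value originates from an uploaded platform certificate rather than from trusted code, emit it as `<c:out value="${component.getComponentClassValue()}"/>`, which escapes `<`, `>`, `&` and quotes by default. The same applies to the other `${...}` spans in this block if they carry certificate-derived text.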