From 06245c385d4b1b446a692c6bc572c21a7a9c7de2 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Thu, 29 Feb 2024 16:03:41 -0500 Subject: [PATCH] Additional fixes and updates to track supply chain validation to the component result attribute. Fixes to run time issues --- .../manager/ComponentAttributeRepository.java | 7 ++++++ .../SupplyChainValidationSummary.java | 25 +++++++++++++------ .../attributes/ComponentAttributeResult.java | 5 +++- .../service/SupplyChainValidationService.java | 7 ++++-- .../persist/service/ValidationService.java | 10 ++++---- .../CertificateAttributeScvValidator.java | 6 ++++- .../validation/CredentialValidator.java | 6 +++-- .../utils/CertificateStringMapBuilder.java | 10 ++++++-- .../WEB-INF/jsp/certificate-details.jsp | 2 +- 9 files changed, 57 insertions(+), 21 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ComponentAttributeRepository.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ComponentAttributeRepository.java index 69ac13a0..67245188 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ComponentAttributeRepository.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ComponentAttributeRepository.java @@ -14,4 +14,11 @@ public interface ComponentAttributeRepository extends JpaRepository findByComponentId(UUID componentId); + + /** + * Query to look up Attribute Results based on the validation id. + * @param provisionSessionId uuid for the supplychainvalidationsummary + * @return a list of attribute results + */ + List findByProvisionSessionId(UUID provisionSessionId); } diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidationSummary.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidationSummary.java index 1fe1e0cf..8793fe37 100644 
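Review bot: The Javadoc summary on `findByProvisionSessionId` still says the lookup is "based on the validation id", although this same commit renames that field to `provisionSessionId` in ComponentAttributeResult. I would word the summary as `Query to look up Attribute Results recorded under a provisioning session id.` so the comment and the derived query name agree. It is also worth saying in `@return` that the list is empty, not null, when no result carries the id, which is how a List-returning Spring Data query behaves.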
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidationSummary.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidationSummary.java @@ -46,6 +46,7 @@ public class SupplyChainValidationSummary extends ArchivableEntity { private static final String DEVICE_ID_FIELD = "device.id"; + @Getter @Column @Enumerated(EnumType.STRING) private final AppraisalStatus.Status overallValidationResult; @@ -58,6 +59,9 @@ public class SupplyChainValidationSummary extends ArchivableEntity { targetEntity = SupplyChainValidation.class, orphanRemoval = true) private final Set validations; + @Column + private UUID provisionSessionId; + /** * Default constructor necessary for Hibernate. */ @@ -177,6 +181,20 @@ public class SupplyChainValidationSummary extends ArchivableEntity { return new SupplyChainValidationSummary.Selector(certMan); } + /** + * Construct a new SupplyChainValidationSummary. + * + * @param device device that underwent supply chain validation + * @param validations a Collection of Validations that should comprise this summary; not null + * @param provisionSessionId randomly generated UUID to associate with results + */ + public SupplyChainValidationSummary(final Device device, + final Collection validations, + final UUID provisionSessionId) { + this(device, validations); + this.provisionSessionId = provisionSessionId; + } + /** * Construct a new SupplyChainValidationSummary. * @@ -212,13 +230,6 @@ public class SupplyChainValidationSummary extends ArchivableEntity { return new Device(this.device.getDeviceInfo()); } - /** - * @return the overall appraisal result - */ - public AppraisalStatus.Status getOverallValidationResult() { - return overallValidationResult; - } - /** * @return the validations that this summary contains */ 
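Review bot: The new `provisionSessionId` column gets no accessor in these hunks; `@Getter` is added only to `overallValidationResult`, and the hand-written getter that is removed suggests the class has no class-level `@Getter`. Without one, code that holds a summary cannot hand its id to `ComponentAttributeRepository.findByProvisionSessionId`, which is the link this commit sets up. I would declare the field as `@Getter @Column private UUID provisionSessionId;` and mention in the two-argument constructor's Javadoc that it leaves the id null. The class body continues outside the hunks, so an accessor defined there would make this moot.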
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentAttributeResult.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentAttributeResult.java index cc5ccc11..79b0ad52 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentAttributeResult.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentAttributeResult.java @@ -5,6 +5,7 @@ import jakarta.persistence.Entity; import lombok.AccessLevel; import lombok.Getter; import lombok.NoArgsConstructor; +import lombok.Setter; import java.util.UUID; @@ -19,12 +20,14 @@ import java.util.UUID; public class ComponentAttributeResult extends ArchivableEntity { private UUID componentId; - private UUID validationId; + @Setter + private UUID provisionSessionId; private String expectedValue; private String actualValue; /** * Default constructor that populates the expected and actual values. + * @param componentId id associated with component result * @param expectedValue platform certificate value * @param actualValue paccor value from the device */ diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/SupplyChainValidationService.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/SupplyChainValidationService.java index 373e02d7..bdf23c46 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/SupplyChainValidationService.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/SupplyChainValidationService.java 
@@ -35,6 +35,7 @@ import java.util.Iterator; import java.util.LinkedList; import java.util.List; import java.util.Map; +import java.util.UUID; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS; @@ -52,6 +53,7 @@ public class SupplyChainValidationService { private CertificateRepository certificateRepository; private SupplyChainValidationRepository supplyChainValidationRepository; private SupplyChainValidationSummaryRepository supplyChainValidationSummaryRepository; + private UUID provisionSessionId; /** * Constructor. @@ -105,6 +107,7 @@ public class SupplyChainValidationService { final Device device, final List componentInfos) { boolean acceptExpiredCerts = getPolicySettings().isExpiredCertificateValidationEnabled(); + provisionSessionId = UUID.randomUUID(); PlatformCredential baseCredential = null; SupplyChainValidation platformScv = null; SupplyChainValidation basePlatformScv = null; @@ -235,7 +238,7 @@ public class SupplyChainValidationService { platformScv = ValidationService.evaluatePCAttributesStatus( baseCredential, device.getDeviceInfo(), ec, certificateRepository, componentResultRepository, - componentAttributeRepository, componentInfos); + componentAttributeRepository, componentInfos, provisionSessionId); validations.add(new SupplyChainValidation( SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL, platformScv.getValidationResult(), aes, platformScv.getMessage())); @@ -262,7 +265,7 @@ public class SupplyChainValidationService { log.info("The validation finished, summarizing..."); // Generate validation summary, save it, and return it. SupplyChainValidationSummary summary - = new SupplyChainValidationSummary(device, validations); + = new SupplyChainValidationSummary(device, validations, provisionSessionId); try { supplyChainValidationSummaryRepository.save(summary); } catch (DBManagerException dbMEx) { 
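Review bot: `provisionSessionId` is kept in an instance field of the service, reassigned with `UUID.randomUUID()` at the top of the validation method, and read again much later when the summary is constructed. If one service instance handles overlapping provisioning requests (likely for a container-managed service, though the class annotations are outside the hunks), a second request can overwrite the field in between. The attribute results of one device would then carry a different id than its summary, or two devices would share one id. Dropping the field and declaring a local `final UUID provisionSessionId = UUID.randomUUID();` keeps the id confined to the call; the method body starts and ends outside these hunks.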
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/ValidationService.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/ValidationService.java index 081ff71e..84b229f0 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/ValidationService.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/ValidationService.java @@ -38,6 +38,7 @@ import java.util.LinkedList; import java.util.List; import java.util.Map; import java.util.Set; +import java.util.UUID; @Log4j2 public class ValidationService { @@ -107,7 +108,8 @@ public class ValidationService { final CertificateRepository certificateRepository, final ComponentResultRepository componentResultRepository, final ComponentAttributeRepository componentAttributeRepository, - final List componentInfos) { + final List componentInfos, + final UUID provisionSessionId) { final SupplyChainValidation.ValidationType validationType = SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL_ATTRIBUTES; @@ -118,12 +120,10 @@ public class ValidationService { null, Level.ERROR); } log.info("Validating platform credential attributes"); -// List componentResults = componentResultRepository -// .findByCertificateSerialNumberAndBoardSerialNumber( -// pc.getSerialNumber().toString(), pc.getPlatformSerial()); AppraisalStatus result = CredentialValidator. validatePlatformCredentialAttributes(pc, deviceInfoReport, ec, - componentResultRepository, componentAttributeRepository, componentInfos); + componentResultRepository, componentAttributeRepository, + componentInfos, provisionSessionId); switch (result.getAppStatus()) { case PASS: return buildValidationRecord(validationType, AppraisalStatus.Status.PASS, 
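Review bot: `evaluatePCAttributesStatus` gains a `provisionSessionId` parameter without a matching `@param` line, and the same holds for `validatePlatformCredentialAttributes` in CredentialValidator; only CertificateAttributeScvValidator documents it. If those methods carry Javadoc (the comment blocks sit outside the hunks), add `@param provisionSessionId UUID associated with the SCV Summary` to both, matching the wording already used there. None of the three layers rejects a null id, so the comment should also say whether null is allowed, since a null would be written onto every attribute result.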
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java index a1ea00b5..1dbb3b3a 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java @@ -36,6 +36,7 @@ import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; +import java.util.UUID; import java.util.stream.Collectors; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.ERROR; @@ -196,6 +197,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid * @param componentResultRepository db access to component result of mismatching * @param componentAttributeRepository db access to component attribute match status * @param componentInfos list of device components + * @param provisionSessionId UUID associated with the SCV Summary * @return either PASS or FAIL */ public static AppraisalStatus validatePlatformCredentialAttributesV2p0( @@ -203,7 +205,8 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid final DeviceInfoReport deviceInfoReport, final ComponentResultRepository componentResultRepository, final ComponentAttributeRepository componentAttributeRepository, - final List componentInfos) { + final List componentInfos, + final UUID provisionSessionId) { boolean passesValidation = true; StringBuilder resultMessage = new StringBuilder(); 
@@ -355,6 +358,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid } for (ComponentAttributeResult componentAttributeResult : attributeResults) { + componentAttributeResult.setProvisionSessionId(provisionSessionId); componentAttributeRepository.save(componentAttributeResult); fieldValidation &= componentAttributeResult.checkMatchedStatus(); } diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CredentialValidator.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CredentialValidator.java index 95fe8b7a..5917e130 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CredentialValidator.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CredentialValidator.java @@ -18,6 +18,7 @@ import java.security.cert.CertificateNotYetValidException; import java.security.cert.X509Certificate; import java.util.Date; import java.util.List; +import java.util.UUID; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.ERROR; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL; @@ -175,7 +176,8 @@ public class CredentialValidator extends SupplyChainCredentialValidator { final EndorsementCredential endorsementCredential, final ComponentResultRepository componentResultRepository, final ComponentAttributeRepository componentAttributeRepository, - final List componentInfos) { + final List componentInfos, + final UUID provisionSessionId) { final String baseErrorMessage = "Can't validate platform credential attributes without "; String message; if (platformCredential == null) { 
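Review bot: Each attribute result is stamped and saved inside this loop, during validation, before SupplyChainValidationService builds and saves the summary that carries the same id. That later `supplyChainValidationSummaryRepository.save(summary)` sits in a try block that catches `DBManagerException`, so if it fails these rows may remain under a session id that no summary references, depending on what the catch does. Either persist the results only after the summary is stored, or make sure both writes run in one transaction; whether a transaction already spans the call is not visible here. The loop belongs to `validatePlatformCredentialAttributesV2p0`, whose body extends beyond the hunk.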
@@ -207,7 +209,7 @@ public class CredentialValidator extends SupplyChainCredentialValidator { if (PlatformCredential.CERTIFICATE_TYPE_2_0.equals(credentialType)) { return CertificateAttributeScvValidator.validatePlatformCredentialAttributesV2p0( platformCredential, deviceInfoReport, componentResultRepository, - componentAttributeRepository, componentInfos); + componentAttributeRepository, componentInfos, provisionSessionId); } return CertificateAttributeScvValidator.validatePlatformCredentialAttributesV1p2( platformCredential, deviceInfoReport); diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java index f6dab990..728cd965 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java @@ -5,6 +5,7 @@ import hirs.attestationca.persist.entity.manager.CertificateRepository; import hirs.attestationca.persist.entity.manager.ComponentResultRepository; import hirs.attestationca.persist.entity.userdefined.Certificate; import hirs.attestationca.persist.entity.userdefined.certificate.CertificateAuthorityCredential; +import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult; import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential; import hirs.attestationca.persist.entity.userdefined.certificate.IssuedAttestationCertificate; import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential; 
@@ -363,8 +364,13 @@ public final class CertificateStringMapBuilder { data.put("x509Version", certificate.getX509CredentialVersion()); //CPSuri data.put("CPSuri", certificate.getCPSuri()); - data.put("componentResults", PciIds.translateResults(componentResultRepository - .findByBoardSerialNumber(certificate.getPlatformSerial()))); + List compResults = componentResultRepository + .findByBoardSerialNumber(certificate.getPlatformSerial()); + if (PciIds.DB.isReady()) { + data.put("componentResults", PciIds.translateResults(compResults)); + } else { + data.put("componentResults", compResults); + } //Get platform Configuration values and set map with it PlatformConfiguration platformConfiguration = certificate.getPlatformConfiguration(); diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/certificate-details.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/certificate-details.jsp index 434e7f14..5a45d1c5 100644 --- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/certificate-details.jsp +++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/certificate-details.jsp @@ -628,7 +628,7 @@ - ${component.getComponentClass()} + ${component.getComponentClassValue()} Platform Components
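Review bot: In certificate-details.jsp, `${component.getComponentClassValue()}` is written into the page as a bare EL expression, which JSP does not HTML-escape. The value presumably comes from component data in an uploaded platform certificate or a device report, so it is safer to emit it escaped, for example `${fn:escapeXml(component.getComponentClassValue())}` or the equivalent JSTL `c:out` tag, provided the taglib is declared on this page. The surrounding markup is not visible in the hunk, so confirm which context the value lands in.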