Merge pull request #309 from nsacyber/aic-policy-rule

[#169] AIC policy rule

HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java

@@ -13,6 +13,7 @@ import hirs.data.persist.EventLogMeasurements;
 import hirs.data.persist.Device;
 import hirs.data.persist.DeviceInfoReport;
 import hirs.data.persist.ReferenceManifest;
+import hirs.data.persist.SupplyChainPolicy;
 import hirs.data.persist.SupportReferenceManifest;
 import hirs.data.persist.SwidResource;
 import hirs.data.persist.info.FirmwareInfo;
@@ -108,7 +109,8 @@ public abstract class AbstractAttestationCertificateAuthority
     protected static final Logger LOG = LogManager.getLogger(AttestationCertificateAuthority.class);
 
     /**
-     * Defines the well known exponent. https://en.wikipedia.org/wiki/65537_(number)#Applications
+     * Defines the well known exponent.
+     * https://en.wikipedia.org/wiki/65537_(number)#Applications
      */
     private static final BigInteger EXPONENT = new BigInteger("010001",
             AttestationCertificateAuthority.DEFAULT_IV_SIZE);
@@ -150,8 +152,8 @@ public abstract class AbstractAttestationCertificateAuthority
     private final X509Certificate acaCertificate;
 
     /**
-     * Container wired {@link StructConverter} to be used in serialization / deserialization of TPM
+     * Container wired {@link StructConverter} to be used in
-     * data structures.
+     * serialization / deserialization of TPM data structures.
      */
     private final StructConverter structConverter;
 
@@ -164,7 +166,7 @@ public abstract class AbstractAttestationCertificateAuthority
      * Container wired application configuration property identifying the number of days that
      * certificates issued by this ACA are valid for.
      */
-    private final Integer validDays;
+    private Integer validDays = 1;
 
     private final CertificateManager certificateManager;
     private final ReferenceManifestManager referenceManifestManager;
@@ -358,6 +360,11 @@ public abstract class AbstractAttestationCertificateAuthority
 
         // generate the identity credential
         LOG.debug("generating credential from identity proof");
+        // check the policy set valid date
+        SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
+        if (scp != null) {
+            this.validDays = Integer.parseInt(scp.getValidityDays());
+        }
         // transform the public key struct into a public key
         PublicKey publicKey = assemblePublicKey(proof.getIdentityKey().getStorePubKey().getKey());
         X509Certificate credential = generateCredential(publicKey, endorsementCredential,
@@ -546,6 +553,11 @@ public abstract class AbstractAttestationCertificateAuthority
             // Get device name and device
             String deviceName = claim.getDv().getNw().getHostname();
             Device device = deviceManager.getDevice(deviceName);
+            // check the policy set valid date
+            SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
+            if (scp != null) {
+                this.validDays = Integer.parseInt(scp.getValidityDays());
+            }
 
             // Parse through the Provisioner supplied TPM Quote and pcr values
             // these fields are optional
@@ -1672,12 +1684,38 @@ public abstract class AbstractAttestationCertificateAuthority
                                             final EndorsementCredential endorsementCredential,
                                             final Set<PlatformCredential> platformCredentials,
                                             final Device device) {
+        IssuedAttestationCertificate issuedAc;
+        boolean generateCertificate = true;
+        SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
+        Date currentDate = new Date();
+        int days;
         try {
             // save issued certificate
             IssuedAttestationCertificate attCert = new IssuedAttestationCertificate(
                     derEncodedAttestationCertificate, endorsementCredential, platformCredentials);
-            attCert.setDevice(device);
+
-            certificateManager.save(attCert);
+            if (scp != null) {
+                issuedAc = IssuedAttestationCertificate.select(certificateManager)
+                        .byDeviceId(device.getId()).getCertificate();
+
+                generateCertificate = scp.isIssueAttestationCertificate();
+                if (issuedAc != null && scp.isGenerateOnExpiration()) {
+                    if (issuedAc.getEndValidity().after(currentDate)) {
+                        // so the issued AC is expired
+                        // however are we within the threshold
+                        days = daysBetween(currentDate, issuedAc.getEndValidity());
+                        if (days < Integer.parseInt(scp.getReissueThreshold())) {
+                            generateCertificate = true;
+                        } else {
+                            generateCertificate = false;
+                        }
+                    }
+                }
+            }
+            if (generateCertificate) {
+                attCert.setDevice(device);
+                certificateManager.save(attCert);
+            }
         } catch (Exception e) {
             LOG.error("Error saving generated Attestation Certificate to database.", e);
             throw new CertificateProcessingException(
@@ -1685,4 +1723,9 @@ public abstract class AbstractAttestationCertificateAuthority
                             + e.getMessage(), e);
         }
     }
+
+    @SuppressWarnings("magicnumber")
+    private int daysBetween(final Date date1, final Date date2) {
+        return (int) ((date2.getTime() - date1.getTime()) / (1000 * 60 * 60 * 24));
+    }
 }

HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationService.java

@@ -3,6 +3,7 @@ package hirs.attestationca.service;
 import java.util.Set;
 
 import hirs.data.persist.Device;
+import hirs.data.persist.SupplyChainPolicy;
 import hirs.data.persist.SupplyChainValidationSummary;
 import hirs.data.persist.certificate.EndorsementCredential;
 import hirs.data.persist.certificate.PlatformCredential;
@@ -34,4 +35,10 @@ public interface SupplyChainValidationService {
      * @return True if validation is successful, false otherwise.
      */
     SupplyChainValidationSummary validateQuote(Device device);
+
+    /**
+     * Allows other service access to the policy information.
+     * @return supply chain policy
+     */
+    SupplyChainPolicy getPolicy();
 }

HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java

@@ -112,6 +112,17 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
         this.supplyChainCredentialValidator = supplyChainCredentialValidator;
     }
 
+    /**
+     * Allows other service access to the policy information.
+     * @return supply chain policy
+     */
+    public SupplyChainPolicy getPolicy() {
+        final Appraiser supplyChainAppraiser = appraiserManager.getAppraiser(
+                SupplyChainAppraiser.NAME);
+        return (SupplyChainPolicy) policyManager.getDefaultPolicy(
+                supplyChainAppraiser);
+    }
+
     /**
      * The "main" method of supply chain validation. Takes the credentials from
      * an identity request and validates the supply chain in accordance to the

HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/model/PolicyPageModel.java

@@ -13,6 +13,8 @@ public class PolicyPageModel {
     private boolean enablePcCertificateValidation;
     private boolean enablePcCertificateAttributeValidation;
     private boolean enableFirmwareValidation;
+    private boolean issueAttestationCertificate;
+    private boolean generateOnExpiration;
     private boolean enableIgnoreIma;
     private boolean enableIgnoreTboot;
 
@@ -21,8 +23,14 @@ public class PolicyPageModel {
     private String pcAttributeValidate;
     private String ecValidate;
     private String fmValidate;
+    private String attestationCertificateIssued;
+    private String generationExpirationOn;
+    private String numOfValidDays;
+    private String reissueThreshold;
     private String ignoreIma;
     private String ignoretBoot;
+    private String expirationValue;
+    private String thresholdValue;
 
     /**
      * Constructor. Sets fields from policy.
@@ -34,8 +42,14 @@ public class PolicyPageModel {
         this.enablePcCertificateValidation = policy.isPcValidationEnabled();
         this.enablePcCertificateAttributeValidation = policy.isPcAttributeValidationEnabled();
         this.enableFirmwareValidation = policy.isFirmwareValidationEnabled();
+        this.issueAttestationCertificate = policy.isIssueAttestationCertificate();
+        this.generateOnExpiration = policy.isGenerateOnExpiration();
+        this.numOfValidDays = policy.getValidityDays();
+        this.reissueThreshold = policy.getReissueThreshold();
         this.enableIgnoreIma = policy.isIgnoreImaEnabled();
         this.enableIgnoreTboot = policy.isIgnoreTbootEnabled();
+        this.expirationValue = policy.getValidityDays();
+        this.thresholdValue = policy.getReissueThreshold();
     }
 
     /**
@@ -80,6 +94,24 @@ public class PolicyPageModel {
         return enableFirmwareValidation;
     }
 
+    /**
+     * Gets the Attestation Certificate issued State.
+     *
+     * @return the issued state.
+     */
+    public boolean isIssueAttestationCertificate() {
+        return issueAttestationCertificate;
+    }
+
+    /**
+     * Gets the state of generating a certificate.
+     *
+     * @return true or false
+     */
+    public boolean isGenerateOnExpiration() {
+        return generateOnExpiration;
+    }
+
     /**
      *  Gets the Enable Ignore IMA state.
      * @return the validation state.
@@ -132,6 +164,42 @@ public class PolicyPageModel {
         return fmValidate;
     }
 
+    /**
+     * Gets the attestation certificate issued state.
+     *
+     * @return the model string representation of this field.
+     */
+    public String getAttestationCertificateIssued() {
+        return attestationCertificateIssued;
+    }
+
+    /**
+     * Gets the attestation certificate issued state.
+     *
+     * @return the model string representation of this field.
+     */
+    public String getGenerationExpirationOn() {
+        return generationExpirationOn;
+    }
+
+    /**
+     * Gets the number of selected valid days.
+     *
+     * @return the number of the days for validity
+     */
+    public String getNumOfValidDays() {
+        return numOfValidDays;
+    }
+
+    /**
+     * Gets the number of selected threshold days.
+     *
+     * @return the number of the days for reissue
+     */
+    public String getReissueThreshold() {
+        return reissueThreshold;
+    }
+
     /**
      * Gets the Ignore IMA validation value.
      *
@@ -187,6 +255,25 @@ public class PolicyPageModel {
         this.enableFirmwareValidation = enableFirmwareValidation;
     }
 
+    /**
+     * Sets the Attestation Certificate Issued state.
+     *
+     * @param issueAttestationCertificate true if generating Certificates.
+     */
+    public void setIssueAttestationCertificate(
+            final boolean issueAttestationCertificate) {
+        this.issueAttestationCertificate = issueAttestationCertificate;
+    }
+
+    /**
+     * Setter for the state of generating a certificate.
+     *
+     * @param generateOnExpiration true or false
+     */
+    public void setGenerateOnExpiration(final boolean generateOnExpiration) {
+        this.generateOnExpiration = generateOnExpiration;
+    }
+
     /**
      * Sets the Enable Ignore IMA state.
      *
@@ -241,6 +328,26 @@ public class PolicyPageModel {
         this.fmValidate = fmValidate;
     }
 
+    /**
+     * Sets the Issued Attestation Certificate state.
+     *
+     * @param attestationCertificateIssued "checked" if generating certificates.
+     */
+    public void setAttestationCertificateIssued(
+            final String attestationCertificateIssued) {
+        this.attestationCertificateIssued = attestationCertificateIssued;
+    }
+
+    /**
+     * Sets the generation expiration state.
+     *
+     * @param generationExpirationOn "checked" if generating expiration is on.
+     */
+    public void setGenerationExpirationOn(
+            final String generationExpirationOn) {
+        this.generationExpirationOn = generationExpirationOn;
+    }
+
     /**
      * Sets the Ignore IMA state.
      *
@@ -259,6 +366,38 @@ public class PolicyPageModel {
         this.ignoretBoot = ignoretBoot;
     }
 
+    /**
+     * Getter for the expiration value.
+     * @return the value
+     */
+    public String getExpirationValue() {
+        return expirationValue;
+    }
+
+    /**
+     * Setter for the expiration value.
+     * @param expirationValue string value
+     */
+    public void setExpirationValue(final String expirationValue) {
+        this.expirationValue = expirationValue;
+    }
+
+    /**
+     * Getter for the expiration value.
+     * @return the thresholdValue
+     */
+    public String getThresholdValue() {
+        return thresholdValue;
+    }
+
+    /**
+     * Setter for the expiration value.
+     * @param thresholdValue string value
+     */
+    public void setThresholdValue(final String thresholdValue) {
+        this.thresholdValue = thresholdValue;
+    }
+
     @Override
     public String toString() {
         return "PolicyPageModel{"
@@ -266,6 +405,9 @@ public class PolicyPageModel {
                 + ", enablePcCertificateValidation=" + enablePcCertificateValidation
                 + ", enablePcCertificateAttributeValidation="
                 + enablePcCertificateAttributeValidation
-                + ", enableFirmwareValidation=" + enableFirmwareValidation + '}';
+                + ", enableFirmwareValidation=" + enableFirmwareValidation
+                + ", issueAttestationCertificate=" + issueAttestationCertificate
+                + ", generateOnExpiration=" + generateOnExpiration
+                + ", numOfValidDays=" + numOfValidDays + "}";
     }
 }

HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java

@@ -39,10 +39,11 @@ public class PolicyPageController extends PageController<NoPageParams> {
      * Represents a web request indicating to enable a setting (based on radio
      * buttons from a web form).
      */
-    private static final String ENABLED_PARAMETER_VALUE = "checked";
+    private static final String ENABLED_CHECKED_PARAMETER_VALUE = "checked";
+
+    private static final String ENABLED_EXPIRES_PARAMETER_VALUE = "expires";
 
     private PolicyManager policyManager;
-
     private AppraiserManager appraiserManager;
 
     /**
@@ -67,7 +68,6 @@ public class PolicyPageController extends PageController<NoPageParams> {
     public PolicyPageController(final PolicyManager policyManager,
             final AppraiserManager appraiserManager) {
         super(POLICY);
-
         this.policyManager = policyManager;
         this.appraiserManager = appraiserManager;
     }
@@ -115,7 +115,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
         PageMessages messages = new PageMessages();
         String successMessage;
         boolean pcValidationOptionEnabled
-                = ppModel.getPcValidate().equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
+                = ppModel.getPcValidate().equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
 
         try {
             SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@@ -167,7 +167,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
         PageMessages messages = new PageMessages();
         String successMessage;
         boolean pcAttributeValidationOptionEnabled = ppModel.getPcAttributeValidate()
-                .equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
+                .equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
 
         try {
             SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@@ -200,6 +200,190 @@ public class PolicyPageController extends PageController<NoPageParams> {
         return redirectToSelf(new NoPageParams(), model, attr);
     }
 
+    /**
+     * Updates the Attestation Certificate generation policy setting and redirects
+     * back to the original page.
+     *
+     * @param ppModel The data posted by the form mapped into an object.
+     * @param attr RedirectAttributes used to forward data back to the original page.
+     * @return View containing the url and parameters
+     * @throws URISyntaxException if malformed URI
+     */
+    @RequestMapping(value = "update-issue-attestation", method = RequestMethod.POST)
+    public RedirectView updateAttestationVal(@ModelAttribute final PolicyPageModel ppModel,
+                                             final RedirectAttributes attr)
+            throws URISyntaxException {
+
+        // set the data received to be populated back into the form
+        Map<String, Object> model = new HashMap<>();
+        PageMessages messages = new PageMessages();
+        String successMessage;
+        boolean issuedAttestationOptionEnabled
+                = ppModel.getAttestationCertificateIssued()
+                .equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
+
+        try {
+            SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
+
+            if (issuedAttestationOptionEnabled) {
+                successMessage = "Attestation Certificate generation enabled.";
+            } else {
+                successMessage = "Attestation Certificate generation disabled.";
+                policy.setGenerateOnExpiration(false);
+            }
+
+            policy.setIssueAttestationCertificate(issuedAttestationOptionEnabled);
+            savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
+        } catch (PolicyManagerException e) {
+            handlePolicyManagerUpdateError(model, messages, e,
+                    "Error changing ACA Attestation Certificate generation policy",
+                    "Error updating policy. \n" + e.getMessage());
+        }
+
+        // return the redirect
+        return redirectToSelf(new NoPageParams(), model, attr);
+    }
+
+    /**
+     * Updates the state of the policy setting that indicates that the generation
+     * will occur in a set time frame and redirects
+     * back to the original page.
+     *
+     * @param ppModel The data posted by the form mapped into an object.
+     * @param attr RedirectAttributes used to forward data back to the original page.
+     * @return View containing the url and parameters
+     * @throws URISyntaxException if malformed URI
+     */
+    @RequestMapping(value = "update-expire-on", method = RequestMethod.POST)
+    public RedirectView updateExpireOnVal(@ModelAttribute final PolicyPageModel ppModel,
+                                             final RedirectAttributes attr)
+            throws URISyntaxException {
+
+        // set the data received to be populated back into the form
+        Map<String, Object> model = new HashMap<>();
+        PageMessages messages = new PageMessages();
+        String successMessage;
+        String numOfDays;
+
+        boolean generateCertificateEnabled = false;
+        // because this is just one option, there is not 'unchecked' value, so it is either
+        // 'checked' or null
+        if (ppModel.getGenerationExpirationOn() != null) {
+            generateCertificateEnabled
+                    = ppModel.getGenerationExpirationOn()
+                    .equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
+        }
+
+        try {
+            SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
+            boolean issuedAttestationOptionEnabled
+                    = policy.isIssueAttestationCertificate();
+
+            if (issuedAttestationOptionEnabled) {
+                if (generateCertificateEnabled) {
+                    successMessage = "Attestation Certificate generation expiration time enabled.";
+                } else {
+                    successMessage = "Attestation Certificate generation expiration time disabled.";
+                }
+
+                if (generateCertificateEnabled) {
+                    numOfDays = ppModel.getExpirationValue();
+                    if (numOfDays == null) {
+                        numOfDays = SupplyChainPolicy.TEN_YEARS;
+                    }
+                } else {
+                    numOfDays = policy.getValidityDays();
+                }
+
+                policy.setValidityDays(numOfDays);
+            } else {
+                generateCertificateEnabled = false;
+                successMessage = "Attestation Certificate generation is disabled, "
+                        + "can not set time expiration";
+            }
+
+            policy.setGenerateOnExpiration(generateCertificateEnabled);
+            savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
+        } catch (PolicyManagerException e) {
+            handlePolicyManagerUpdateError(model, messages, e,
+                    "Error changing ACA Attestation Certificate generation policy",
+                    "Error updating policy. \n" + e.getMessage());
+        }
+
+        // return the redirect
+        return redirectToSelf(new NoPageParams(), model, attr);
+    }
+
+    /**
+     * Updates the state of the policy setting that indicates that the generation
+     * will occur in a set time frame from the end validity date and redirects
+     * back to the original page.
+     *
+     * @param ppModel The data posted by the form mapped into an object.
+     * @param attr RedirectAttributes used to forward data back to the original page.
+     * @return View containing the url and parameters
+     * @throws URISyntaxException if malformed URI
+     */
+    @RequestMapping(value = "update-threshold", method = RequestMethod.POST)
+    public RedirectView updateThresholdVal(@ModelAttribute final PolicyPageModel ppModel,
+                                          final RedirectAttributes attr)
+            throws URISyntaxException {
+
+        // set the data received to be populated back into the form
+        Map<String, Object> model = new HashMap<>();
+        PageMessages messages = new PageMessages();
+        String successMessage;
+        String threshold;
+
+        boolean generateCertificateEnabled = false;
+        // because this is just one option, there is not 'unchecked' value, so it is either
+        // 'checked' or null
+        if (ppModel.getGenerationExpirationOn() != null) {
+            generateCertificateEnabled
+                    = ppModel.getGenerationExpirationOn()
+                    .equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
+        }
+
+        try {
+            SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
+            boolean issuedAttestationOptionEnabled
+                    = policy.isIssueAttestationCertificate();
+
+            if (issuedAttestationOptionEnabled) {
+                if (generateCertificateEnabled) {
+                    successMessage = "Attestation Certificate generation threshold time enabled.";
+                } else {
+                    successMessage = "Attestation Certificate generation threshold time disabled.";
+                }
+
+                if (generateCertificateEnabled) {
+                    threshold = ppModel.getThresholdValue();
+                    if (threshold == null) {
+                        threshold = SupplyChainPolicy.YEAR;
+                    }
+                } else {
+                    threshold = ppModel.getReissueThreshold();
+                }
+
+                policy.setReissueThreshold(threshold);
+            } else {
+                generateCertificateEnabled = false;
+                successMessage = "Attestation Certificate generation is disabled, "
+                        + "can not set time expiration";
+            }
+
+            policy.setGenerateOnExpiration(generateCertificateEnabled);
+            savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
+        } catch (PolicyManagerException e) {
+            handlePolicyManagerUpdateError(model, messages, e,
+                    "Error changing ACA Attestation Certificate generation policy",
+                    "Error updating policy. \n" + e.getMessage());
+        }
+
+        // return the redirect
+        return redirectToSelf(new NoPageParams(), model, attr);
+    }
+
     /**
      * Updates the Endorsement Credential Validation policy setting and
      * redirects back to the original page.
@@ -219,7 +403,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
         PageMessages messages = new PageMessages();
         String successMessage;
         boolean ecValidationOptionEnabled
-                = ppModel.getEcValidate().equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
+                = ppModel.getEcValidate().equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
 
         try {
             SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@@ -242,12 +426,10 @@ public class PolicyPageController extends PageController<NoPageParams> {
             }
 
             savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
-
         } catch (PolicyManagerException e) {
             handlePolicyManagerUpdateError(model, messages, e,
                     "Error changing ACA endorsement validation policy",
                     "Error updating policy. \n" + e.getMessage());
-
         }
 
         // return the redirect
@@ -273,7 +455,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
         PageMessages messages = new PageMessages();
         String successMessage;
         boolean firmwareValidationOptionEnabled = ppModel.getFmValidate()
-                .equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
+                .equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
 
         try {
             SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@@ -327,7 +509,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
         PageMessages messages = new PageMessages();
         String successMessage;
         boolean ignoreImaOptionEnabled = ppModel.getIgnoreIma()
-                .equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
+                .equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
 
         try {
             SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@@ -336,7 +518,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
             if (ignoreImaOptionEnabled && !policy.isFirmwareValidationEnabled()) {
                 handleUserError(model, messages,
                         "Ignore IMA can not be "
-                        + "enabled without Firmware Valdiation policy enabled.");
+                        + "enabled without Firmware Validation policy enabled.");
                 return redirectToSelf(new NoPageParams(), model, attr);
             }
 
@@ -378,7 +560,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
         PageMessages messages = new PageMessages();
         String successMessage;
         boolean ignoreTbootOptionEnabled = ppModel.getIgnoretBoot()
-                .equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
+                .equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
 
         try {
             SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@@ -387,7 +569,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
             if (ignoreTbootOptionEnabled && !policy.isFirmwareValidationEnabled()) {
                 handleUserError(model, messages,
                         "Ignore TBoot can not be "
-                        + "enabled without Firmware Valdiation policy enabled.");
+                        + "enabled without Firmware Validation policy enabled.");
                 return redirectToSelf(new NoPageParams(), model, attr);
             }
 
@@ -491,5 +673,4 @@ public class PolicyPageController extends PageController<NoPageParams> {
 
         model.put(MESSAGES_ATTRIBUTE, messages);
     }
-
 }

HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp

@@ -16,7 +16,7 @@
             <div class="aca-input-box">
                 <form:form method="POST" modelAttribute="initialData" action="policy/update-ec-validation">
                     <li>Endorsement Credential Validation: ${initialData.enableEcValidation ? 'Enabled' : 'Disabled'}
-                        <my:editor id="ecPolicyEditor" label="Edit Settings ">
+                        <my:editor id="ecPolicyEditor" label="Edit Settings">
                             <div class="radio">
                                 <label><input id="ecTop" type="radio" name="ecValidate" ${initialData.enableEcValidation ? 'checked' : ''}  value="checked"/> Endorsement Credentials will be validated</label>
                             </div>
@@ -103,6 +103,50 @@
                     </ul>
                 </li>
             </div>
+            <br />
+            <%-- Generate Attestation Certificate--%>
+            <div class="aca-input-box">
+                <form:form method="POST" modelAttribute="initialData" action="policy/update-issue-attestation">
+                    <li>Generate Attestation Certificate: ${initialData.issueAttestationCertificate ? 'Enabled' : 'Disabled'}
+                        <my:editor id="issuedCertificatePolicyEditor" label="Edit Settings">
+                            <div class="radio">
+                                <label><input id="aicTop" type="radio" name="attestationCertificateIssued" ${initialData.issueAttestationCertificate ? '' : 'checked'} value="unchecked"/> Never generate an Attestation Certificate</label>
+                            </div>
+                            <div class="radio">
+                                <label><input id="aicMid" type="radio" name="attestationCertificateIssued" ${initialData.issueAttestationCertificate ? 'checked' : ''} value="checked"/> Conditionally generate an Attestation Certificate before 'Not After' expiration date</label>
+                            </div>
+                        </my:editor>
+                </form:form>
+                        <ul>
+                <form:form method="POST" modelAttribute="initialData" action="policy/update-expire-on">
+                            <li>Attestation Certificate Validity period: ${initialData.generateOnExpiration ? 'Enabled' : 'Disabled'}
+                                <my:editor id="issuedCertificatePolicyExpirationEditor" label="Edit Settings">
+                                    <div class="radio">
+                                        <label>
+                                            <input id="aicBot" type="checkbox" name="generationExpirationOn" ${initialData.generateOnExpiration ? 'checked' : ''} value="checked" />
+                                                Attestation Certificate validity period (Default 3651 days)<br />
+                                                Select period in days: <input id="expirationValue" type="text" name="expirationValue" value="${initialData.expirationValue}" />
+                                        </label>
+                                    </div>
+                                </my:editor>
+                            </li>
+                </form:form>
+                <form:form method="POST" modelAttribute="initialData" action="policy/update-threshold">
+                            <li>Attestation Certificate Renewal period: ${initialData.generateOnExpiration ? 'Enabled' : 'Disabled'}
+                                <my:editor id="issuedCertificatePolicyGenerateEditor" label="Edit Settings">
+                                    <div class="radio">
+                                        <label>
+                                            <input id="aicBot" type="checkbox" name="generationExpirationOn" ${initialData.generateOnExpiration ? 'checked' : ''} value="checked" />
+                                                Renew 'n' days before Attestation Certificate's  'Not After' Validity date (Default 365 days)<br />
+                                                Select 'n' period in days: <input id="thresholdValue" type="text" name="thresholdValue" value="${initialData.thresholdValue}" />
+                                        </label>
+                                    </div>
+                                </my:editor>
+                            </li>
+                </form:form>
+                        </ul>
+                    </li>
+            </div>
         </ul>
     </jsp:body>
 </my:page>

HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainPolicy.java

@@ -15,6 +15,14 @@ public class SupplyChainPolicy extends Policy {
      * Name of the default Supply Chain Policy.
      */
     public static final String DEFAULT_POLICY = "Default Supply Chain Policy";
+    /**
+     * Number of days in 10 years.
+     */
+    public static final String TEN_YEARS = "3651";
+    /**
+     * Number of days in 1 year.
+     */
+    public static final String YEAR = "365";
 
     @Column(nullable = false)
     private boolean enableEcValidation = false;
@@ -37,6 +45,18 @@ public class SupplyChainPolicy extends Policy {
     @Column(nullable = false)
     private boolean replaceEC = false;
 
+    @Column(nullable = false)
+    private boolean issueAttestationCertificate = true;
+
+    @Column(nullable = false)
+    private String validityDays = TEN_YEARS;
+
+    @Column(nullable = false)
+    private String reissueThreshold = YEAR;
+
+    @Column(nullable = false)
+    private boolean generateOnExpiration = false;
+
     @Embedded
     private PCRPolicy pcrPolicy = new PCRPolicy();
 
@@ -232,6 +252,7 @@ public class SupplyChainPolicy extends Policy {
     }
 
     /**
+     * Getter for the current PCR Policy.
      * @return the PCR Policy
      */
     public PCRPolicy getPcrPolicy() {
@@ -239,9 +260,76 @@ public class SupplyChainPolicy extends Policy {
     }
 
     /**
+     * Setter to update the current PCR Policy.
      * @param pcrPolicy to apply
      */
     public void setPcrPolicy(final PCRPolicy pcrPolicy) {
         this.pcrPolicy = pcrPolicy;
     }
+
+    /**
+     * Returns whether or not to generate an Attestation Issued Certificate.
+     * @return current state for generation.
+     */
+    public boolean isIssueAttestationCertificate() {
+        return issueAttestationCertificate;
+    }
+
+    /**
+     * Sets whether or not to generate an Attestation Issued Certificate.
+     * @param issueAttestationCertificate the flag for generation.
+     */
+    public void setIssueAttestationCertificate(final boolean issueAttestationCertificate) {
+        this.issueAttestationCertificate = issueAttestationCertificate;
+    }
+
+    /**
+     * Getter for the number of days for the certificates validity.
+     * @return number of days
+     */
+    public String getValidityDays() {
+        return validityDays;
+    }
+
+    /**
+     * Setter for the number of days for validity.
+     * @param validityDays validity.
+     */
+    public void setValidityDays(final String validityDays) {
+        this.validityDays = validityDays;
+    }
+
+    /**
+     * Getter for the number of days before the expiration to reissue
+     * a certificate.
+     * @return number of days
+     */
+    public String getReissueThreshold() {
+        return reissueThreshold;
+    }
+
+    /**
+     * Setter for the number of days before the expiration to reissue
+     * a certificate.
+     * @param reissueThreshold validity.
+     */
+    public void setReissueThreshold(final String reissueThreshold) {
+        this.reissueThreshold = reissueThreshold;
+    }
+
+    /**
+     * Getter for the state of when to generate a certificate.
+     * @return true or false
+     */
+    public boolean isGenerateOnExpiration() {
+        return generateOnExpiration;
+    }
+
+    /**
+     * Setter for the state of when to generate a certificate.
+     * @param generateOnExpiration sets true or false
+     */
+    public void setGenerateOnExpiration(final boolean generateOnExpiration) {
+        this.generateOnExpiration = generateOnExpiration;
+    }
 }