Merge pull request #309 from nsacyber/aic-policy-rule

[#169] AIC policy rule
This commit is contained in:
Cyrus 2021-03-09 10:52:01 -05:00 committed by GitHub
commit 28f0fdb3e1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 538 additions and 22 deletions

View File

@ -13,6 +13,7 @@ import hirs.data.persist.EventLogMeasurements;
import hirs.data.persist.Device;
import hirs.data.persist.DeviceInfoReport;
import hirs.data.persist.ReferenceManifest;
import hirs.data.persist.SupplyChainPolicy;
import hirs.data.persist.SupportReferenceManifest;
import hirs.data.persist.SwidResource;
import hirs.data.persist.info.FirmwareInfo;
@ -108,7 +109,8 @@ public abstract class AbstractAttestationCertificateAuthority
protected static final Logger LOG = LogManager.getLogger(AttestationCertificateAuthority.class);
/**
* Defines the well known exponent. https://en.wikipedia.org/wiki/65537_(number)#Applications
* Defines the well known exponent.
* https://en.wikipedia.org/wiki/65537_(number)#Applications
*/
private static final BigInteger EXPONENT = new BigInteger("010001",
AttestationCertificateAuthority.DEFAULT_IV_SIZE);
@ -150,8 +152,8 @@ public abstract class AbstractAttestationCertificateAuthority
private final X509Certificate acaCertificate;
/**
* Container wired {@link StructConverter} to be used in serialization / deserialization of TPM
* data structures.
* Container wired {@link StructConverter} to be used in
* serialization / deserialization of TPM data structures.
*/
private final StructConverter structConverter;
@ -164,7 +166,7 @@ public abstract class AbstractAttestationCertificateAuthority
* Container wired application configuration property identifying the number of days that
* certificates issued by this ACA are valid for.
*/
private final Integer validDays;
private Integer validDays = 1;
private final CertificateManager certificateManager;
private final ReferenceManifestManager referenceManifestManager;
@ -358,6 +360,11 @@ public abstract class AbstractAttestationCertificateAuthority
// generate the identity credential
LOG.debug("generating credential from identity proof");
// check the policy set valid date
SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
if (scp != null) {
this.validDays = Integer.parseInt(scp.getValidityDays());
}
// transform the public key struct into a public key
PublicKey publicKey = assemblePublicKey(proof.getIdentityKey().getStorePubKey().getKey());
X509Certificate credential = generateCredential(publicKey, endorsementCredential,
@ -546,6 +553,11 @@ public abstract class AbstractAttestationCertificateAuthority
// Get device name and device
String deviceName = claim.getDv().getNw().getHostname();
Device device = deviceManager.getDevice(deviceName);
// check the policy set valid date
SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
if (scp != null) {
this.validDays = Integer.parseInt(scp.getValidityDays());
}
// Parse through the Provisioner supplied TPM Quote and pcr values
// these fields are optional
@ -1672,12 +1684,38 @@ public abstract class AbstractAttestationCertificateAuthority
final EndorsementCredential endorsementCredential,
final Set<PlatformCredential> platformCredentials,
final Device device) {
IssuedAttestationCertificate issuedAc;
boolean generateCertificate = true;
SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
Date currentDate = new Date();
int days;
try {
// save issued certificate
IssuedAttestationCertificate attCert = new IssuedAttestationCertificate(
derEncodedAttestationCertificate, endorsementCredential, platformCredentials);
attCert.setDevice(device);
certificateManager.save(attCert);
if (scp != null) {
issuedAc = IssuedAttestationCertificate.select(certificateManager)
.byDeviceId(device.getId()).getCertificate();
generateCertificate = scp.isIssueAttestationCertificate();
if (issuedAc != null && scp.isGenerateOnExpiration()) {
if (issuedAc.getEndValidity().after(currentDate)) {
// so the issued AC is expired
// however are we within the threshold
days = daysBetween(currentDate, issuedAc.getEndValidity());
if (days < Integer.parseInt(scp.getReissueThreshold())) {
generateCertificate = true;
} else {
generateCertificate = false;
}
}
}
}
if (generateCertificate) {
attCert.setDevice(device);
certificateManager.save(attCert);
}
} catch (Exception e) {
LOG.error("Error saving generated Attestation Certificate to database.", e);
throw new CertificateProcessingException(
@ -1685,4 +1723,9 @@ public abstract class AbstractAttestationCertificateAuthority
+ e.getMessage(), e);
}
}
@SuppressWarnings("magicnumber")
private int daysBetween(final Date date1, final Date date2) {
return (int) ((date2.getTime() - date1.getTime()) / (1000 * 60 * 60 * 24));
}
}

View File

@ -3,6 +3,7 @@ package hirs.attestationca.service;
import java.util.Set;
import hirs.data.persist.Device;
import hirs.data.persist.SupplyChainPolicy;
import hirs.data.persist.SupplyChainValidationSummary;
import hirs.data.persist.certificate.EndorsementCredential;
import hirs.data.persist.certificate.PlatformCredential;
@ -34,4 +35,10 @@ public interface SupplyChainValidationService {
* @return True if validation is successful, false otherwise.
*/
SupplyChainValidationSummary validateQuote(Device device);
/**
* Allows other service access to the policy information.
* @return supply chain policy
*/
SupplyChainPolicy getPolicy();
}

View File

@ -112,6 +112,17 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
this.supplyChainCredentialValidator = supplyChainCredentialValidator;
}
/**
* Allows other service access to the policy information.
* @return supply chain policy
*/
public SupplyChainPolicy getPolicy() {
final Appraiser supplyChainAppraiser = appraiserManager.getAppraiser(
SupplyChainAppraiser.NAME);
return (SupplyChainPolicy) policyManager.getDefaultPolicy(
supplyChainAppraiser);
}
/**
* The "main" method of supply chain validation. Takes the credentials from
* an identity request and validates the supply chain in accordance to the

View File

@ -13,6 +13,8 @@ public class PolicyPageModel {
private boolean enablePcCertificateValidation;
private boolean enablePcCertificateAttributeValidation;
private boolean enableFirmwareValidation;
private boolean issueAttestationCertificate;
private boolean generateOnExpiration;
private boolean enableIgnoreIma;
private boolean enableIgnoreTboot;
@ -21,8 +23,14 @@ public class PolicyPageModel {
private String pcAttributeValidate;
private String ecValidate;
private String fmValidate;
private String attestationCertificateIssued;
private String generationExpirationOn;
private String numOfValidDays;
private String reissueThreshold;
private String ignoreIma;
private String ignoretBoot;
private String expirationValue;
private String thresholdValue;
/**
* Constructor. Sets fields from policy.
@ -34,8 +42,14 @@ public class PolicyPageModel {
this.enablePcCertificateValidation = policy.isPcValidationEnabled();
this.enablePcCertificateAttributeValidation = policy.isPcAttributeValidationEnabled();
this.enableFirmwareValidation = policy.isFirmwareValidationEnabled();
this.issueAttestationCertificate = policy.isIssueAttestationCertificate();
this.generateOnExpiration = policy.isGenerateOnExpiration();
this.numOfValidDays = policy.getValidityDays();
this.reissueThreshold = policy.getReissueThreshold();
this.enableIgnoreIma = policy.isIgnoreImaEnabled();
this.enableIgnoreTboot = policy.isIgnoreTbootEnabled();
this.expirationValue = policy.getValidityDays();
this.thresholdValue = policy.getReissueThreshold();
}
/**
@ -80,6 +94,24 @@ public class PolicyPageModel {
return enableFirmwareValidation;
}
/**
* Gets the Attestation Certificate issued State.
*
* @return the issued state.
*/
public boolean isIssueAttestationCertificate() {
return issueAttestationCertificate;
}
/**
* Gets the state of generating a certificate.
*
* @return true or false
*/
public boolean isGenerateOnExpiration() {
return generateOnExpiration;
}
/**
* Gets the Enable Ignore IMA state.
* @return the validation state.
@ -132,6 +164,42 @@ public class PolicyPageModel {
return fmValidate;
}
/**
* Gets the attestation certificate issued state.
*
* @return the model string representation of this field.
*/
public String getAttestationCertificateIssued() {
return attestationCertificateIssued;
}
/**
* Gets the attestation certificate issued state.
*
* @return the model string representation of this field.
*/
public String getGenerationExpirationOn() {
return generationExpirationOn;
}
/**
* Gets the number of selected valid days.
*
* @return the number of the days for validity
*/
public String getNumOfValidDays() {
return numOfValidDays;
}
/**
* Gets the number of selected threshold days.
*
* @return the number of the days for reissue
*/
public String getReissueThreshold() {
return reissueThreshold;
}
/**
* Gets the Ignore IMA validation value.
*
@ -187,6 +255,25 @@ public class PolicyPageModel {
this.enableFirmwareValidation = enableFirmwareValidation;
}
/**
* Sets the Attestation Certificate Issued state.
*
* @param issueAttestationCertificate true if generating Certificates.
*/
public void setIssueAttestationCertificate(
final boolean issueAttestationCertificate) {
this.issueAttestationCertificate = issueAttestationCertificate;
}
/**
* Setter for the state of generating a certificate.
*
* @param generateOnExpiration true or false
*/
public void setGenerateOnExpiration(final boolean generateOnExpiration) {
this.generateOnExpiration = generateOnExpiration;
}
/**
* Sets the Enable Ignore IMA state.
*
@ -241,6 +328,26 @@ public class PolicyPageModel {
this.fmValidate = fmValidate;
}
/**
* Sets the Issued Attestation Certificate state.
*
* @param attestationCertificateIssued "checked" if generating certificates.
*/
public void setAttestationCertificateIssued(
final String attestationCertificateIssued) {
this.attestationCertificateIssued = attestationCertificateIssued;
}
/**
* Sets the generation expiration state.
*
* @param generationExpirationOn "checked" if generating expiration is on.
*/
public void setGenerationExpirationOn(
final String generationExpirationOn) {
this.generationExpirationOn = generationExpirationOn;
}
/**
* Sets the Ignore IMA state.
*
@ -259,6 +366,38 @@ public class PolicyPageModel {
this.ignoretBoot = ignoretBoot;
}
/**
* Getter for the expiration value.
* @return the value
*/
public String getExpirationValue() {
return expirationValue;
}
/**
* Setter for the expiration value.
* @param expirationValue string value
*/
public void setExpirationValue(final String expirationValue) {
this.expirationValue = expirationValue;
}
/**
* Getter for the expiration value.
* @return the thresholdValue
*/
public String getThresholdValue() {
return thresholdValue;
}
/**
* Setter for the expiration value.
* @param thresholdValue string value
*/
public void setThresholdValue(final String thresholdValue) {
this.thresholdValue = thresholdValue;
}
@Override
public String toString() {
return "PolicyPageModel{"
@ -266,6 +405,9 @@ public class PolicyPageModel {
+ ", enablePcCertificateValidation=" + enablePcCertificateValidation
+ ", enablePcCertificateAttributeValidation="
+ enablePcCertificateAttributeValidation
+ ", enableFirmwareValidation=" + enableFirmwareValidation + '}';
+ ", enableFirmwareValidation=" + enableFirmwareValidation
+ ", issueAttestationCertificate=" + issueAttestationCertificate
+ ", generateOnExpiration=" + generateOnExpiration
+ ", numOfValidDays=" + numOfValidDays + "}";
}
}

View File

@ -39,10 +39,11 @@ public class PolicyPageController extends PageController<NoPageParams> {
* Represents a web request indicating to enable a setting (based on radio
* buttons from a web form).
*/
private static final String ENABLED_PARAMETER_VALUE = "checked";
private static final String ENABLED_CHECKED_PARAMETER_VALUE = "checked";
private static final String ENABLED_EXPIRES_PARAMETER_VALUE = "expires";
private PolicyManager policyManager;
private AppraiserManager appraiserManager;
/**
@ -67,7 +68,6 @@ public class PolicyPageController extends PageController<NoPageParams> {
public PolicyPageController(final PolicyManager policyManager,
final AppraiserManager appraiserManager) {
super(POLICY);
this.policyManager = policyManager;
this.appraiserManager = appraiserManager;
}
@ -115,7 +115,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
PageMessages messages = new PageMessages();
String successMessage;
boolean pcValidationOptionEnabled
= ppModel.getPcValidate().equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
= ppModel.getPcValidate().equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@ -167,7 +167,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
PageMessages messages = new PageMessages();
String successMessage;
boolean pcAttributeValidationOptionEnabled = ppModel.getPcAttributeValidate()
.equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@ -200,6 +200,190 @@ public class PolicyPageController extends PageController<NoPageParams> {
return redirectToSelf(new NoPageParams(), model, attr);
}
/**
* Updates the Attestation Certificate generation policy setting and redirects
* back to the original page.
*
* @param ppModel The data posted by the form mapped into an object.
* @param attr RedirectAttributes used to forward data back to the original page.
* @return View containing the url and parameters
* @throws URISyntaxException if malformed URI
*/
@RequestMapping(value = "update-issue-attestation", method = RequestMethod.POST)
public RedirectView updateAttestationVal(@ModelAttribute final PolicyPageModel ppModel,
final RedirectAttributes attr)
throws URISyntaxException {
// set the data received to be populated back into the form
Map<String, Object> model = new HashMap<>();
PageMessages messages = new PageMessages();
String successMessage;
boolean issuedAttestationOptionEnabled
= ppModel.getAttestationCertificateIssued()
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
if (issuedAttestationOptionEnabled) {
successMessage = "Attestation Certificate generation enabled.";
} else {
successMessage = "Attestation Certificate generation disabled.";
policy.setGenerateOnExpiration(false);
}
policy.setIssueAttestationCertificate(issuedAttestationOptionEnabled);
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
} catch (PolicyManagerException e) {
handlePolicyManagerUpdateError(model, messages, e,
"Error changing ACA Attestation Certificate generation policy",
"Error updating policy. \n" + e.getMessage());
}
// return the redirect
return redirectToSelf(new NoPageParams(), model, attr);
}
/**
* Updates the state of the policy setting that indicates that the generation
* will occur in a set time frame and redirects
* back to the original page.
*
* @param ppModel The data posted by the form mapped into an object.
* @param attr RedirectAttributes used to forward data back to the original page.
* @return View containing the url and parameters
* @throws URISyntaxException if malformed URI
*/
@RequestMapping(value = "update-expire-on", method = RequestMethod.POST)
public RedirectView updateExpireOnVal(@ModelAttribute final PolicyPageModel ppModel,
final RedirectAttributes attr)
throws URISyntaxException {
// set the data received to be populated back into the form
Map<String, Object> model = new HashMap<>();
PageMessages messages = new PageMessages();
String successMessage;
String numOfDays;
boolean generateCertificateEnabled = false;
// because this is just one option, there is not 'unchecked' value, so it is either
// 'checked' or null
if (ppModel.getGenerationExpirationOn() != null) {
generateCertificateEnabled
= ppModel.getGenerationExpirationOn()
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
}
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
boolean issuedAttestationOptionEnabled
= policy.isIssueAttestationCertificate();
if (issuedAttestationOptionEnabled) {
if (generateCertificateEnabled) {
successMessage = "Attestation Certificate generation expiration time enabled.";
} else {
successMessage = "Attestation Certificate generation expiration time disabled.";
}
if (generateCertificateEnabled) {
numOfDays = ppModel.getExpirationValue();
if (numOfDays == null) {
numOfDays = SupplyChainPolicy.TEN_YEARS;
}
} else {
numOfDays = policy.getValidityDays();
}
policy.setValidityDays(numOfDays);
} else {
generateCertificateEnabled = false;
successMessage = "Attestation Certificate generation is disabled, "
+ "can not set time expiration";
}
policy.setGenerateOnExpiration(generateCertificateEnabled);
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
} catch (PolicyManagerException e) {
handlePolicyManagerUpdateError(model, messages, e,
"Error changing ACA Attestation Certificate generation policy",
"Error updating policy. \n" + e.getMessage());
}
// return the redirect
return redirectToSelf(new NoPageParams(), model, attr);
}
/**
* Updates the state of the policy setting that indicates that the generation
* will occur in a set time frame from the end validity date and redirects
* back to the original page.
*
* @param ppModel The data posted by the form mapped into an object.
* @param attr RedirectAttributes used to forward data back to the original page.
* @return View containing the url and parameters
* @throws URISyntaxException if malformed URI
*/
@RequestMapping(value = "update-threshold", method = RequestMethod.POST)
public RedirectView updateThresholdVal(@ModelAttribute final PolicyPageModel ppModel,
final RedirectAttributes attr)
throws URISyntaxException {
// set the data received to be populated back into the form
Map<String, Object> model = new HashMap<>();
PageMessages messages = new PageMessages();
String successMessage;
String threshold;
boolean generateCertificateEnabled = false;
// because this is just one option, there is not 'unchecked' value, so it is either
// 'checked' or null
if (ppModel.getGenerationExpirationOn() != null) {
generateCertificateEnabled
= ppModel.getGenerationExpirationOn()
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
}
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
boolean issuedAttestationOptionEnabled
= policy.isIssueAttestationCertificate();
if (issuedAttestationOptionEnabled) {
if (generateCertificateEnabled) {
successMessage = "Attestation Certificate generation threshold time enabled.";
} else {
successMessage = "Attestation Certificate generation threshold time disabled.";
}
if (generateCertificateEnabled) {
threshold = ppModel.getThresholdValue();
if (threshold == null) {
threshold = SupplyChainPolicy.YEAR;
}
} else {
threshold = ppModel.getReissueThreshold();
}
policy.setReissueThreshold(threshold);
} else {
generateCertificateEnabled = false;
successMessage = "Attestation Certificate generation is disabled, "
+ "can not set time expiration";
}
policy.setGenerateOnExpiration(generateCertificateEnabled);
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
} catch (PolicyManagerException e) {
handlePolicyManagerUpdateError(model, messages, e,
"Error changing ACA Attestation Certificate generation policy",
"Error updating policy. \n" + e.getMessage());
}
// return the redirect
return redirectToSelf(new NoPageParams(), model, attr);
}
/**
* Updates the Endorsement Credential Validation policy setting and
* redirects back to the original page.
@ -219,7 +403,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
PageMessages messages = new PageMessages();
String successMessage;
boolean ecValidationOptionEnabled
= ppModel.getEcValidate().equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
= ppModel.getEcValidate().equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@ -242,12 +426,10 @@ public class PolicyPageController extends PageController<NoPageParams> {
}
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
} catch (PolicyManagerException e) {
handlePolicyManagerUpdateError(model, messages, e,
"Error changing ACA endorsement validation policy",
"Error updating policy. \n" + e.getMessage());
}
// return the redirect
@ -273,7 +455,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
PageMessages messages = new PageMessages();
String successMessage;
boolean firmwareValidationOptionEnabled = ppModel.getFmValidate()
.equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@ -327,7 +509,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
PageMessages messages = new PageMessages();
String successMessage;
boolean ignoreImaOptionEnabled = ppModel.getIgnoreIma()
.equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@ -336,7 +518,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
if (ignoreImaOptionEnabled && !policy.isFirmwareValidationEnabled()) {
handleUserError(model, messages,
"Ignore IMA can not be "
+ "enabled without Firmware Valdiation policy enabled.");
+ "enabled without Firmware Validation policy enabled.");
return redirectToSelf(new NoPageParams(), model, attr);
}
@ -378,7 +560,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
PageMessages messages = new PageMessages();
String successMessage;
boolean ignoreTbootOptionEnabled = ppModel.getIgnoretBoot()
.equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@ -387,7 +569,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
if (ignoreTbootOptionEnabled && !policy.isFirmwareValidationEnabled()) {
handleUserError(model, messages,
"Ignore TBoot can not be "
+ "enabled without Firmware Valdiation policy enabled.");
+ "enabled without Firmware Validation policy enabled.");
return redirectToSelf(new NoPageParams(), model, attr);
}
@ -491,5 +673,4 @@ public class PolicyPageController extends PageController<NoPageParams> {
model.put(MESSAGES_ATTRIBUTE, messages);
}
}

View File

@ -16,7 +16,7 @@
<div class="aca-input-box">
<form:form method="POST" modelAttribute="initialData" action="policy/update-ec-validation">
<li>Endorsement Credential Validation: ${initialData.enableEcValidation ? 'Enabled' : 'Disabled'}
<my:editor id="ecPolicyEditor" label="Edit Settings ">
<my:editor id="ecPolicyEditor" label="Edit Settings">
<div class="radio">
<label><input id="ecTop" type="radio" name="ecValidate" ${initialData.enableEcValidation ? 'checked' : ''} value="checked"/> Endorsement Credentials will be validated</label>
</div>
@ -103,6 +103,50 @@
</ul>
</li>
</div>
<br />
<%-- Generate Attestation Certificate--%>
<div class="aca-input-box">
<form:form method="POST" modelAttribute="initialData" action="policy/update-issue-attestation">
<li>Generate Attestation Certificate: ${initialData.issueAttestationCertificate ? 'Enabled' : 'Disabled'}
<my:editor id="issuedCertificatePolicyEditor" label="Edit Settings">
<div class="radio">
<label><input id="aicTop" type="radio" name="attestationCertificateIssued" ${initialData.issueAttestationCertificate ? '' : 'checked'} value="unchecked"/> Never generate an Attestation Certificate</label>
</div>
<div class="radio">
<label><input id="aicMid" type="radio" name="attestationCertificateIssued" ${initialData.issueAttestationCertificate ? 'checked' : ''} value="checked"/> Conditionally generate an Attestation Certificate before 'Not After' expiration date</label>
</div>
</my:editor>
</form:form>
<ul>
<form:form method="POST" modelAttribute="initialData" action="policy/update-expire-on">
<li>Attestation Certificate Validity period: ${initialData.generateOnExpiration ? 'Enabled' : 'Disabled'}
<my:editor id="issuedCertificatePolicyExpirationEditor" label="Edit Settings">
<div class="radio">
<label>
<input id="aicBot" type="checkbox" name="generationExpirationOn" ${initialData.generateOnExpiration ? 'checked' : ''} value="checked" />
Attestation Certificate validity period (Default 3651 days)<br />
Select period in days: <input id="expirationValue" type="text" name="expirationValue" value="${initialData.expirationValue}" />
</label>
</div>
</my:editor>
</li>
</form:form>
<form:form method="POST" modelAttribute="initialData" action="policy/update-threshold">
<li>Attestation Certificate Renewal period: ${initialData.generateOnExpiration ? 'Enabled' : 'Disabled'}
<my:editor id="issuedCertificatePolicyGenerateEditor" label="Edit Settings">
<div class="radio">
<label>
<input id="aicBot" type="checkbox" name="generationExpirationOn" ${initialData.generateOnExpiration ? 'checked' : ''} value="checked" />
Renew 'n' days before Attestation Certificate's 'Not After' Validity date (Default 365 days)<br />
Select 'n' period in days: <input id="thresholdValue" type="text" name="thresholdValue" value="${initialData.thresholdValue}" />
</label>
</div>
</my:editor>
</li>
</form:form>
</ul>
</li>
</div>
</ul>
</jsp:body>
</my:page>

View File

@ -15,6 +15,14 @@ public class SupplyChainPolicy extends Policy {
* Name of the default Supply Chain Policy.
*/
public static final String DEFAULT_POLICY = "Default Supply Chain Policy";
/**
* Number of days in 10 years.
*/
public static final String TEN_YEARS = "3651";
/**
* Number of days in 1 year.
*/
public static final String YEAR = "365";
@Column(nullable = false)
private boolean enableEcValidation = false;
@ -37,6 +45,18 @@ public class SupplyChainPolicy extends Policy {
@Column(nullable = false)
private boolean replaceEC = false;
@Column(nullable = false)
private boolean issueAttestationCertificate = true;
@Column(nullable = false)
private String validityDays = TEN_YEARS;
@Column(nullable = false)
private String reissueThreshold = YEAR;
@Column(nullable = false)
private boolean generateOnExpiration = false;
@Embedded
private PCRPolicy pcrPolicy = new PCRPolicy();
@ -232,6 +252,7 @@ public class SupplyChainPolicy extends Policy {
}
/**
* Getter for the current PCR Policy.
* @return the PCR Policy
*/
public PCRPolicy getPcrPolicy() {
@ -239,9 +260,76 @@ public class SupplyChainPolicy extends Policy {
}
/**
* Setter to update the current PCR Policy.
* @param pcrPolicy to apply
*/
public void setPcrPolicy(final PCRPolicy pcrPolicy) {
this.pcrPolicy = pcrPolicy;
}
/**
* Returns whether or not to generate an Attestation Issued Certificate.
* @return current state for generation.
*/
public boolean isIssueAttestationCertificate() {
return issueAttestationCertificate;
}
/**
* Sets whether or not to generate an Attestation Issued Certificate.
* @param issueAttestationCertificate the flag for generation.
*/
public void setIssueAttestationCertificate(final boolean issueAttestationCertificate) {
this.issueAttestationCertificate = issueAttestationCertificate;
}
/**
* Getter for the number of days for the certificates validity.
* @return number of days
*/
public String getValidityDays() {
return validityDays;
}
/**
* Setter for the number of days for validity.
* @param validityDays validity.
*/
public void setValidityDays(final String validityDays) {
this.validityDays = validityDays;
}
/**
* Getter for the number of days before the expiration to reissue
* a certificate.
* @return number of days
*/
public String getReissueThreshold() {
return reissueThreshold;
}
/**
* Setter for the number of days before the expiration to reissue
* a certificate.
* @param reissueThreshold validity.
*/
public void setReissueThreshold(final String reissueThreshold) {
this.reissueThreshold = reissueThreshold;
}
/**
* Getter for the state of when to generate a certificate.
* @return true or false
*/
public boolean isGenerateOnExpiration() {
return generateOnExpiration;
}
/**
* Setter for the state of when to generate a certificate.
* @param generateOnExpiration sets true or false
*/
public void setGenerateOnExpiration(final boolean generateOnExpiration) {
this.generateOnExpiration = generateOnExpiration;
}
}