[] Add Authority Information Access to Issuer field of Attribute Certificates ()

* Updated code base for Attribute Certificates.  They are currently not showing Authority Information Access in the Issuer field on the certificate details page.  The code was not written to handle this
or to set it.

* Updated unit tests to test Authority Info Access and Key Identifier.

* Adding extra certificates to be used in the new tests.

* Updated unit tests; the new tests were missing the @Test annotation.
Cyrus 2019-02-19 10:16:39 -05:00 committed by apldev3
parent 2e926d633e
commit 3a31631c59
6 changed files with 81 additions and 18 deletions
HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/util
HIRS_Utils/src
main/java/hirs/data/persist/certificate
test
java/hirs/data/persist/certificate
resources/validation/platform_credentials

@ -49,6 +49,7 @@ public final class CertificateStringMapBuilder {
data.put("authSerialNumber", Long.toHexString(certificate data.put("authSerialNumber", Long.toHexString(certificate
.getAuthoritySerialNumber().longValue())); .getAuthoritySerialNumber().longValue()));
} }
data.put("authInfoAccess", certificate.getAuthInfoAccess());
data.put("beginValidity", certificate.getBeginValidity().toString()); data.put("beginValidity", certificate.getBeginValidity().toString());
data.put("endValidity", certificate.getEndValidity().toString()); data.put("endValidity", certificate.getEndValidity().toString());
data.put("signature", Arrays.toString(certificate.getSignature())); data.put("signature", Arrays.toString(certificate.getSignature()));
@ -207,7 +208,6 @@ public final class CertificateStringMapBuilder {
//x509 credential version //x509 credential version
data.put("x509Version", Integer.toString(certificate data.put("x509Version", Integer.toString(certificate
.getX509CredentialVersion())); .getX509CredentialVersion()));
data.put("authInfoAccess", certificate.getAuthInfoAccess());
data.put("credentialType", certificate.getCredentialType()); data.put("credentialType", certificate.getCredentialType());
} else { } else {
LOGGER.error(notFoundMessage); LOGGER.error(notFoundMessage);
@ -237,7 +237,6 @@ public final class CertificateStringMapBuilder {
data.put("version", certificate.getVersion()); data.put("version", certificate.getVersion());
data.put("policyReference", certificate.getPolicyReference()); data.put("policyReference", certificate.getPolicyReference());
data.put("crlPoints", certificate.getCrlPoints()); data.put("crlPoints", certificate.getCrlPoints());
data.put("authInfoAccess", certificate.getAuthInfoAccess());
data.put("credentialType", certificate.getCredentialType()); data.put("credentialType", certificate.getCredentialType());
//x509 credential version //x509 credential version
data.put("x509Version", Integer.toString(certificate data.put("x509Version", Integer.toString(certificate
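Review bot: The common `data.put("authInfoAccess", certificate.getAuthInfoAccess())` in the hunk at 49 places certificate-controlled text (the access-location URIs of the Authority Information Access extension, newline-separated) into the map that feeds the details page, so the view must escape that value before rendering; the hunk cannot show whether it does, and since platform credentials are uploaded input this is worth confirming once for the whole map rather than per field. With the per-type puts removed in the hunks at 207 and 237, this line is presumably now the only place the key is set, so a certificate without the extension gets an empty string rather than no entry; a short comment such as `// newline-separated AIA URIs; empty when the extension is absent` would make that visible to whoever maintains the template. The enclosing builder methods start and end outside these hunks.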

@ -365,7 +365,8 @@ public abstract class Certificate extends ArchivableEntity {
.getInstance((DLSequence) getExtensionValue( .getInstance((DLSequence) getExtensionValue(
Extension.authorityKeyIdentifier.getId())); Extension.authorityKeyIdentifier.getId()));
this.authorityInfoAccess = getAuthorityInfoAccess(); this.authorityInfoAccess = getAuthorityInfoAccess(x509Certificate
.getExtensionValue(Extension.authorityInfoAccess.getId()));
this.keyUsage = parseKeyUsage(x509Certificate.getKeyUsage()); this.keyUsage = parseKeyUsage(x509Certificate.getKeyUsage());
this.crlPoints = getCRLDistributionPoint(); this.crlPoints = getCRLDistributionPoint();
@ -395,6 +396,9 @@ public abstract class Certificate extends ArchivableEntity {
authKeyIdentifier = AuthorityKeyIdentifier authKeyIdentifier = AuthorityKeyIdentifier
.fromExtensions(attCertInfo.getExtensions()); .fromExtensions(attCertInfo.getExtensions());
this.authorityInfoAccess = getAuthorityInfoAccess(
AuthorityInformationAccess.fromExtensions(
attCertInfo.getExtensions()));
switch (attCert.getSignatureAlgorithm().getAlgorithm().getId()) { switch (attCert.getSignatureAlgorithm().getAlgorithm().getId()) {
case RSA256_OID: case RSA256_OID:
@ -668,16 +672,31 @@ public abstract class Certificate extends ArchivableEntity {
* *
* @return List Authority info access list * @return List Authority info access list
*/ */
private String getAuthorityInfoAccess() { private String getAuthorityInfoAccess(final byte[] authoInfoAccess) {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
try { try {
byte[] authAccess = getX509Certificate().getExtensionValue( if (authoInfoAccess != null && authoInfoAccess.length > 0) {
Extension.authorityInfoAccess.getId()); sb.append(getAuthorityInfoAccess(AuthorityInformationAccess
if (authAccess != null && authAccess.length > 0) { .getInstance(X509ExtensionUtil.fromExtensionValue(authoInfoAccess))));
AuthorityInformationAccess authInfoAccess = AuthorityInformationAccess }
.getInstance(X509ExtensionUtil.fromExtensionValue(authAccess)); } catch (IOException ioEx) {
for (AccessDescription desc : authInfoAccess.getAccessDescriptions()) { LOGGER.error(ioEx);
}
return sb.toString();
}
/**
* Getter for the AuthorityInfoAccess extension value on list format.
*
* @return List Authority info access list
*/
private String getAuthorityInfoAccess(final AuthorityInformationAccess authInfoAccess) {
StringBuilder sb = new StringBuilder();
if (authInfoAccess != null) {
for (AccessDescription desc : authInfoAccess.getAccessDescriptions()) {
if (desc.getAccessLocation().getTagNo() == GeneralName if (desc.getAccessLocation().getTagNo() == GeneralName
.uniformResourceIdentifier) { .uniformResourceIdentifier) {
sb.append(String.format("%s%n", ((DERIA5String) desc sb.append(String.format("%s%n", ((DERIA5String) desc
@ -685,10 +704,7 @@ public abstract class Certificate extends ArchivableEntity {
.getName()) .getName())
.getString())); .getString()));
} }
}
} }
} catch (IOException ioEx) {
LOGGER.error(ioEx);
} }
return sb.toString(); return sb.toString();
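Review bot: The Javadoc above `private String getAuthorityInfoAccess(final byte[] authoInfoAccess)` still reads `@return List Authority info access list` and has no `@param` for the new parameter, and the new overload taking `AuthorityInformationAccess` repeats the same text; both return a newline-separated String of URIs, so the tags should say so, e.g. `@param authoInfoAccess raw DER-encoded extension value, may be null`, `@return newline-separated access-location URIs, empty when the extension is absent`, and `@param authInfoAccess parsed extension, may be null` on the second overload. The parameter name `authoInfoAccess` looks like a typo for `authInfoAccess`. A second, hedged point on the attribute-certificate hunk at 396: `AuthorityInformationAccess.fromExtensions(attCertInfo.getExtensions())` runs outside any try block, and as far as I recall BouncyCastle surfaces a malformed extension there as an unchecked IllegalArgumentException rather than the IOException the byte[] path logs, so a malformed AIA in an uploaded platform credential would abort the constructor instead of being logged — consistent with the AuthorityKeyIdentifier line just above it, but worth a conscious decision. Both new overloads are cut by the hunk boundaries (the loop body continues in the hunk at 704) and the constructor around 365/396 continues outside the hunks.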

@ -35,6 +35,12 @@ public class CertificateTest {
public static final String FAKE_INTEL_INT_CA_FILE = public static final String FAKE_INTEL_INT_CA_FILE =
"/certificates/fakeIntelIntermediateCA.cer"; "/certificates/fakeIntelIntermediateCA.cer";
/**
* Location of a test (fake) Intel intermediate CA certificate.
*/
public static final String INTEL_INT_CA_FILE =
"/validation/platform_credentials/intel_chain/root/intermediate2.cer";
/** /**
* Location of a test (fake) SGI intermediate CA certificate. * Location of a test (fake) SGI intermediate CA certificate.
*/ */
@ -227,16 +233,32 @@ public class CertificateTest {
X509Certificate certificate = readX509Certificate(FAKE_ROOT_CA_FILE); X509Certificate certificate = readX509Certificate(FAKE_ROOT_CA_FILE);
Assert.assertEquals(rootCert.getSerialNumber(), certificate.getSerialNumber()); Assert.assertEquals(rootCert.getSerialNumber(), certificate.getSerialNumber());
Assert.assertEquals(rootCert.getIssuer(), certificate.getIssuerX500Principal().getName()); Assert.assertEquals(rootCert.getIssuer(),
Assert.assertEquals(rootCert.getSubject(), certificate.getSubjectX500Principal().getName()); certificate.getIssuerX500Principal().getName());
Assert.assertEquals( Assert.assertEquals(rootCert.getSubject(),
rootCert.getEncodedPublicKey(), certificate.getPublicKey().getEncoded() certificate.getSubjectX500Principal().getName());
); Assert.assertEquals(rootCert.getEncodedPublicKey(),
certificate.getPublicKey().getEncoded());
Assert.assertEquals(rootCert.getSignature(), certificate.getSignature()); Assert.assertEquals(rootCert.getSignature(), certificate.getSignature());
Assert.assertEquals(rootCert.getBeginValidity(), certificate.getNotBefore()); Assert.assertEquals(rootCert.getBeginValidity(), certificate.getNotBefore());
Assert.assertEquals(rootCert.getEndValidity(), certificate.getNotAfter()); Assert.assertEquals(rootCert.getEndValidity(), certificate.getNotAfter());
} }
/**
* Tests that Certificate correctly parses out non standard fields from an X509 Certificate.
*
* @throws IOException if there is a problem reading the cert file at the given path
*/
@Test
public void testX509CertificateParsingExtended() throws IOException {
Certificate rootCert = getTestCertificate(INTEL_INT_CA_FILE);
Assert.assertEquals(rootCert.getAuthInfoAccess(),
"https://trustedservices.intel.com/"
+ "content/TSC/certs/TSC_SS_RootCA_Certificate.cer\n");
Assert.assertEquals(rootCert.getAuthKeyId(),
"b56f72cdfd66ce839e1fdb40498f07291f5b99b7");
}
/** /**
* Tests that Certificate correctly parses out standard fields from an X509 attribute * Tests that Certificate correctly parses out standard fields from an X509 attribute
* certificate. * certificate.
@ -272,6 +294,26 @@ public class CertificateTest {
Assert.assertEquals(platformCert.getEndValidity(), attrCertHolder.getNotAfter()); Assert.assertEquals(platformCert.getEndValidity(), attrCertHolder.getNotAfter());
} }
/**
* Tests that Certificate correctly parses out non-standard fields from an X509 attribute
* certificate.
*
* @throws IOException if there is a problem reading the cert file at the given path
* @throws URISyntaxException if there is a problem constructing the file's URI
*/
@Test
public void testX509AttributeCertificateParsingExtended()
throws IOException, URISyntaxException {
Certificate platformCert = getTestCertificate(
PlatformCredential.class, PlatformCredentialTest.TEST_PLATFORM_CERT_6);
Assert.assertEquals(platformCert.getAuthInfoAccess(),
"https://trustedservices.intel.com/"
+ "content/TSC/certs/TSC_IssuingCAIKGF_TEST.cer\n");
Assert.assertEquals(platformCert.getAuthKeyId(),
"3c06b9fb63a53ca57c6b87433339f1dca807fba4");
}
/** /**
* Tests that Certificate correctly trims out additional padding from a given certificate. * Tests that Certificate correctly trims out additional padding from a given certificate.
* *
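Review bot: The expected strings in `testX509CertificateParsingExtended` and `testX509AttributeCertificateParsingExtended` end in a literal `"\n"`, but the production formatting in Certificate uses `String.format("%s%n", ...)`, which emits the platform line separator, so both assertions fail on a Windows JVM. Either the tests should compare against `+ "content/TSC/certs/TSC_SS_RootCA_Certificate.cer" + System.lineSeparator()` (and likewise for the platform-cert expectation), or the formatter in Certificate should be pinned to `"\n"` so the value stored on the entity field and shown in the portal is platform-independent; the latter seems preferable. Also, the Javadoc on `INTEL_INT_CA_FILE` is copied from `FAKE_INTEL_INT_CA_FILE` and says `(fake)` although the path is under `intel_chain/root`; `Location of an Intel intermediate CA certificate that carries Authority Information Access and Authority Key Identifier extensions.` would describe what the new test relies on.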

@ -56,6 +56,12 @@ public class PlatformCredentialTest {
static final String TEST_PLATFORM_CERT_5 = static final String TEST_PLATFORM_CERT_5 =
"/validation/platform_credentials/Intel_pc5.pem"; "/validation/platform_credentials/Intel_pc5.pem";
/**
* Location of another, slightly different platform attribute cert.
*/
static final String TEST_PLATFORM_CERT_6 =
"/validation/platform_credentials/Intel_nuc1.cer";
/** /**
* Platform Certificate 2.0 with all the expected data. * Platform Certificate 2.0 with all the expected data.
*/ */
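Review bot: The Javadoc `Location of another, slightly different platform attribute cert.` on `TEST_PLATFORM_CERT_6` does not say what distinguishes this file, which is exactly what the new `testX509AttributeCertificateParsingExtended` in CertificateTest depends on. `Location of a platform attribute certificate that carries Authority Information Access and Authority Key Identifier extensions, used by the extended parsing tests.` would record that, so the file is not swapped for one without those extensions later.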