ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-18 12:46:30 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

issue_847: Added javadoc comments + params to the rest of the repo classes, cleaned up imports, and made more styling changes.

Browse Source
This commit is contained in:
TheSilentCoder 2024-10-17 17:12:58 -04:00
parent 59f50212f1
commit 63521a4075
21 changed files with 977 additions and 671 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/CertificateRepository.java
View File

@ -29,7 +29,7 @@ public interface CertificateRepository extends JpaRepository<Certificate, UUID>
* Query that retrieves a list of certificates using the provided subject and dtype.
*
* @param subject subject
* @param dType d type
* @param dType dtype
* @return a list of certificates
*/
@Query(value = "SELECT * FROM Certificate where subject = ?1 AND DTYPE = ?2", nativeQuery = true)
@ -38,100 +38,107 @@ public interface CertificateRepository extends JpaRepository<Certificate, UUID>
/**
* Query that retrieves a sorted list of certificates using the provided subject and dtype.
*
* @param subjectSorted
* @param dType
* @param subjectSorted subject
* @param dType dtype
* @return a list of sorted certificates
*/
@Query(value = "SELECT * FROM Certificate where subjectSorted = ?1 AND DTYPE = ?2", nativeQuery = true)
List<Certificate> findBySubjectSorted(String subjectSorted, String dType);
/**
* Query that retrieves a
* Query that retrieves a list of certificates using the provided dtype.
*
* @param dType
* @return
* @param dType dtype
* @return a list of certificates
*/
@Query(value = "SELECT * FROM Certificate where DTYPE = ?1", nativeQuery = true)
List<Certificate> findByType(String dType);
/**
* Query that retrieves a
* Query that retrieves a list of certificates using the provided serial number and dtype.
*
* @param serialNumber
* @param dType
* @return
* @param serialNumber serial number
* @param dType dtype
* @return a certificate
*/
@Query(value = "SELECT * FROM Certificate where serialNumber = ?1 AND DTYPE = ?2", nativeQuery = true)
Certificate findBySerialNumber(BigInteger serialNumber, String dType);
/**
* Query that retrieves a
* Query that retrieves a list of platform credentials using the provided board serial number
* and a dtype of "Platform Credential".
*
* @param boardSerialNumber
* @return
* @param boardSerialNumber board serial number
* @return a list of platform credentials
*/
@Query(value = "SELECT * FROM Certificate where platformSerial = ?1 AND DTYPE = 'PlatformCredential'", nativeQuery = true)
@Query(value = "SELECT * FROM Certificate where platformSerial = ?1 AND DTYPE = 'PlatformCredential'",
nativeQuery = true)
List<PlatformCredential> byBoardSerialNumber(String boardSerialNumber);
/**
* Query that retrieves a
* Query that retrieves a platform credential using the provided holder serial number
* and a dtype of "Platform Credential".
*
* @param holderSerialNumber
* @return
* @param holderSerialNumber holder serial number
* @return platform credential
*/
@Query(value = "SELECT * FROM Certificate where holderSerialNumber = ?1 AND DTYPE = 'PlatformCredential'", nativeQuery = true)
@Query(value = "SELECT * FROM Certificate where holderSerialNumber = ?1 AND DTYPE = 'PlatformCredential'",
nativeQuery = true)
PlatformCredential getPcByHolderSerialNumber(BigInteger holderSerialNumber);
/**
* Query that retrieves a
* Query that retrieves a list of platform credentials using the provided holder serial number
* and a dtype of "Platform Credential".
*
* @param holderSerialNumber
* @return
* @param holderSerialNumber holder serial numberz
* @return a list of platform credentials
*/
@Query(value = "SELECT * FROM Certificate where holderSerialNumber = ?1 AND DTYPE = 'PlatformCredential'", nativeQuery = true)
@Query(value = "SELECT * FROM Certificate where holderSerialNumber = ?1 AND DTYPE = 'PlatformCredential'",
nativeQuery = true)
List<PlatformCredential> getByHolderSerialNumber(BigInteger holderSerialNumber);
/**
* Query that retrieves a
* Query that retrieves a certificate using the provided certificate hash and dtype.
*
* @param certificateHash
* @param dType
* @return
* @param certificateHash integer certificate hash
* @param dType dtype
* @return a certificate
*/
@Query(value = "SELECT * FROM Certificate where certificateHash = ?1 AND DTYPE = ?2", nativeQuery = true)
Certificate findByCertificateHash(int certificateHash, String dType);
/**
* Query that retrieves a
* Query that retrieves an endorssement credential using the provided public key modulus hex value.
*
* @param publicKeyModulusHexValue
* @return
* @param publicKeyModulusHexValue public key modulus hex value
* @return an endorsement credential
*/
EndorsementCredential findByPublicKeyModulusHexValue(String publicKeyModulusHexValue);
/**
* Query that retrieves a
* Query that retrieves an issued attestation certificate using the provided device id.
*
* @param deviceId
* @return
* @param deviceId uuid representation of the device id
* @return an issued attestation certificate
*/
IssuedAttestationCertificate findByDeviceId(UUID deviceId);
/**
* Query that retrieves a
* Query that retrieves a list of issued attestation certificates using the provided device id,
* isLDevID value and sort value.
*
* @param deviceId
* @param isLDevID
* @param sort
* @return
* @param deviceId device id
* @param isLDevID is it a LDevId
* @param sort sort
* @return a list of issued attestation certificates
*/
List<IssuedAttestationCertificate> findByDeviceIdAndIsLDevID(UUID deviceId, boolean isLDevID, Sort sort);
/**
* Query that retrieves a
* Query that retrieves a certificates using the provided certificate hash.
*
* @param certificateHash
* @return
* @param certificateHash integer certificate hash
* @return a certificate
*/
Certificate findByCertificateHash(int certificateHash);
}

32
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/EndorsementCredentialRepository.java
View File

@ -14,43 +14,43 @@ import java.util.UUID;
public interface EndorsementCredentialRepository extends JpaRepository<EndorsementCredential, UUID> {
/**
* Query that retrieves a
* Query that retrieves a list of endorsement credentials using the provided archive flag.
*
* @param archiveFlag
* @return
* @param archiveFlag archive flag
* @return a list of endorsement credentials
*/
List<EndorsementCredential> findByArchiveFlag(boolean archiveFlag);
/**
* Query that retrieves a
* Query that retrieves a page of endorsement credentials using provided archive flag and pageable value.
*
* @param archiveFlag
* @param pageable
* @return
* @param archiveFlag archive flag
* @param pageable pageable value
* @return a page of endorsement credentials
*/
Page<EndorsementCredential> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
/**
* Query that retrieves a
* Query that retrieves an endorsement credential using the provided holder serial number.
*
* @param holderSerialNumber
* @return
* @param holderSerialNumber big integer representation of the holder serial number
* @return an endorsement credential
*/
EndorsementCredential findByHolderSerialNumber(BigInteger holderSerialNumber);
/**
* Query that retrieves a
* Query that retrieves an endorsement credential using the provided serial number.
*
* @param serialNumber
* @return
* @param serialNumber big integer representation of the serial number
* @return an endorsement credential
*/
EndorsementCredential findBySerialNumber(BigInteger serialNumber);
/**
* Query that retrieves a
* Query that retrieves a list of endorsement credentials using the provided device id.
*
* @param deviceId
* @return
* @param deviceId uuid representation of the device id
* @return an endorsement credential
*/
List<EndorsementCredential> findByDeviceId(UUID deviceId);
}

72
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/IDevIDCertificateRepository.java
View File

@ -13,26 +13,70 @@ import java.util.UUID;
public interface IDevIDCertificateRepository extends JpaRepository<IDevIDCertificate, UUID> {
/**
* Query that retrieves a
* Query that retrieves a list of IDevId certificates using the provided archive flag.
*
* @param archiveFlag
* @return
* @param archiveFlag archive flag
* @return a list of IDevId certificates
*/
List<IDevIDCertificate> findByArchiveFlag(boolean archiveFlag);
/**
* Query that retrieves a
* Query that retrieves a page of IDevId certificates using the provided archive flag and pageable value.
*
* @param archiveFlag
* @param pageable
* @return
* @param archiveFlag archive flag
* @param pageable pageable value
* @return a page of IDevId certificates
*/
Page<IDevIDCertificate> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
/*List<IDevIDCertificate> findBySubject(String subject);
List<IDevIDCertificate> findBySubjectSorted(String subject);
List<IDevIDCertificate> findBySubjectAndArchiveFlag(String subject, boolean archiveFlag);
List<IDevIDCertificate> findBySubjectSortedAndArchiveFlag(String subject, boolean archiveFlag);
IDevIDCertificate findBySubjectKeyIdentifier(byte[] subjectKeyIdentifier);
IDevIDCertificate findBySubjectKeyIdStringAndArchiveFlag(String subjectKeyIdString, boolean archiveFlag);
/**
* Query that retrieves a list of IDevId certificates using the provided subject.
*
* @param subject string representation of the subject
* @return a list of IDevId certificates
*/
}
List<IDevIDCertificate> findBySubject(String subject);
/**
* Query that retrieves a sorted list of IDevId certificates using the provided subject.
*
* @param subject string representation of the subject
* @return a sorted list of IDevId certificates
*/
List<IDevIDCertificate> findBySubjectSorted(String subject);
/**
* Query that retrieves a list of IDevId certificates using the provided subject and archive flag.
*
* @param subject string representation of the subject
* @param archiveFlag archive flag
* @return a list of IDevId certificates
*/
List<IDevIDCertificate> findBySubjectAndArchiveFlag(String subject, boolean archiveFlag);
/**
* Query that retrieves a sorted list of IDevId certificates using the provided subject and archive flag.
*
* @param subject string representation of the subject
* @param archiveFlag archive flag
* @return a sorted list of IDevId certificates
*/
List<IDevIDCertificate> findBySubjectSortedAndArchiveFlag(String subject, boolean archiveFlag);
/**
* Query that retrieves an IDevId certificate using the provided subject key identifier.
*
* @param subjectKeyIdentifier byte representation of the subject key identifier
* @return an IDevId certificate
*/
IDevIDCertificate findBySubjectKeyIdentifier(byte[] subjectKeyIdentifier);
/**
* Query that retrieves an IDevId certificate using the provided subject key and archive flag.
*
* @param subjectKeyIdString string representation of the subject key id
* @param archiveFlag archive flag
* @return an IDevId certificate
*/
IDevIDCertificate findBySubjectKeyIdStringAndArchiveFlag(String subjectKeyIdString, boolean archiveFlag);
}

23
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/IssuedCertificateRepository.java
View File

@ -13,25 +13,28 @@ import java.util.UUID;
public interface IssuedCertificateRepository extends JpaRepository<IssuedAttestationCertificate, UUID> {
/**
* Query that retrieves a
* Query that retrieves a list of issued attestation certificates using the provided archive flag.
*
* @param archiveFlag
* @return
* @param archiveFlag archive flag
* @return a list of issued attestation certificates
*/
List<IssuedAttestationCertificate> findByArchiveFlag(boolean archiveFlag);
/**
* Query that retrieves a
* Query that retrieves a page of issued attestation certificates using the provided archive flag
* and pageable value.
*
* @param archiveFlag
* @param pageable
* @return
* @param archiveFlag archive flag
* @param pageable pageable value
* @return a page of issued attestation certificates
*/
Page<IssuedAttestationCertificate> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
/**
* @param deviceId
* @return
* Query that retrieves a list of issued attestation certificates using the provided device id.
*
* @param deviceId uuid representation of the device id
* @return a list of issued attestation certificates
*/
List<IssuedAttestationCertificate> findByDeviceId(UUID deviceId);
}
}

21
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/PlatformCertificateRepository.java
View File

@ -13,27 +13,28 @@ import java.util.UUID;
public interface PlatformCertificateRepository extends JpaRepository<PlatformCredential, UUID> {
/**
* Query that retrieves a
* Query that retrieves a list of platform credentials using the provided archive flag.
*
* @param archiveFlag
* @return
* @param archiveFlag archive flag
* @return a list of platform credentials
*/
List<PlatformCredential> findByArchiveFlag(boolean archiveFlag);
/**
* Query that retrieves a
* Query that retrieves a page of platform credentials using the provided archive flag
* and pageable value.
*
* @param archiveFlag
* @param pageable
* @return
* @param archiveFlag archive flag
* @param pageable pageable
* @return a page of platform credentials
*/
Page<PlatformCredential> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
/**
* Query that retrieves a
* Query that retrieves a list of platform credentials using the provided device id.
*
* @param deviceId
* @return
* @param deviceId uuid representation of the device id
* @return a list of platform credentials
*/
List<PlatformCredential> findByDeviceId(UUID deviceId);
}

38
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceDigestValueRepository.java
View File

@ -11,51 +11,51 @@ import java.util.UUID;
public interface ReferenceDigestValueRepository extends JpaRepository<ReferenceDigestValue, UUID> {
/**
* Query that retrieves a
* Query that retrieves a list of reference digest values using the provided model.
*
* @param model
* @return
* @param model string representation of the model
* @return a list of reference digest values
*/
List<ReferenceDigestValue> findByModel(String model);
/**
* Query that retrieves a
* Query that retrieves a list of reference digest values using the provided manufacturer.
*
* @param manufacturer
* @return
* @param manufacturer string representation of the manufacturer
* @return a list of reference digest values
*/
List<ReferenceDigestValue> findByManufacturer(String manufacturer);
/**
* Query that retrieves a
* Query that retrieves a list of reference digest values using the provided associated rim id.
*
* @param associatedRimId
* @return
* @param associatedRimId uuid representation of the associated rim ID
* @return a list of reference digest values
*/
List<ReferenceDigestValue> findValuesByBaseRimId(UUID associatedRimId);
/**
* Query that retrieves a
* Query that retrieves a list of reference digest values using the provided support rim id.
*
* @param supportRimId
* @return
* @param supportRimId uuid representation of the support rim ID
* @return a list of reference digest values
*/
List<ReferenceDigestValue> findBySupportRimId(UUID supportRimId);
/**
* Query that retrieves a
* Query that retrieves a list of reference digest values using the provided support rim hash.
*
* @param supportRimHash
* @return
* @param supportRimHash a string representation of the support rim hash
* @return a list of reference digest values
*/
List<ReferenceDigestValue> findBySupportRimHash(String supportRimHash);
/**
* Query that retrieves a
* Query that retrieves a list of reference digest values using the provided manufacturer and model.
*
* @param manufacturer
* @param model
* @return
* @param manufacturer string representation of the manufacturer
* @param model string representation of the model
* @return a list of reference digest values
*/
List<ReferenceDigestValue> findByManufacturerAndModel(String manufacturer, String model);
}

169
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceManifestRepository.java
View File

@ -16,159 +16,192 @@ import java.util.UUID;
@Repository
public interface ReferenceManifestRepository extends JpaRepository<ReferenceManifest, UUID> {
/**
* Query that retrieves a
* Query that retrieves a reference manifest using the provided hex/dec hash.
*
* @param hexDecHash
* @return
* @param hexDecHash string representation of the hex dec hash
* @return a reference manifest
*/
ReferenceManifest findByHexDecHash(String hexDecHash);
/**
* Query that retrieves a
* Query that retrieves a reference manifest using the provided base 64 hash.
*
* @param base64Hash
* @return
* @param base64Hash string representation of the base 64 hash
* @return a reference manifest
*/
ReferenceManifest findByBase64Hash(String base64Hash);
/**
* @param hexDecHash
* @param rimType
* @return
* Query that retrieves a reference manifest using the provided hex/dec hash and rim type.
*
* @param hexDecHash string representation of the hex dec hash
* @param rimType string representation of the rim type
* @return a reference manifest
*/
ReferenceManifest findByHexDecHashAndRimType(String hexDecHash, String rimType);
/**
* @param hexDecHash
* @param rimType
* @return
* Query that retrieves a reference manifest using the provided event log hash and rim type.
*
* @param hexDecHash string representation of the event log hash
* @param rimType string representation of the rim type
* @return a reference manifest
*/
ReferenceManifest findByEventLogHashAndRimType(String hexDecHash, String rimType);
/**
* @param manufacturer
* @param model
* @return
* Query that retrieves a list of base reference manifests using the provided manufacturer and model
* and where the rim type is equal to base.
*
* @param manufacturer string representation of platform manufacturer
* @param model string representation of platform model
* @return a list of base reference manifests
*/
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 AND rimType = 'Base'", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 "
+ "AND rimType = 'Base'", nativeQuery = true)
List<BaseReferenceManifest> getBaseByManufacturerModel(String manufacturer, String model);
/**
* @param manufacturer
* @param dType
* @return
* Query that retrieves a list of base reference manifests using the provided manufacturer and model.
*
* @param manufacturer string representation of platform manufacturer
* @param dType dtype
* @return a list of base reference manifests
*/
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND DTYPE = ?2", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND DTYPE = ?2",
nativeQuery = true)
List<BaseReferenceManifest> getByManufacturer(String manufacturer, String dType);
/**
* @param model
* @param dType
* @return
* Query that retrieves a reference manifest using the provided model and dtype.
*
* @param model string representation of platform model
* @param dType dtype
* @return a reference manifest
*/
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 AND DTYPE = ?2", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 AND DTYPE = ?2",
nativeQuery = true)
ReferenceManifest getByModel(String model, String dType);
/**
* @return
* Query that retrieves a list of base reference manifests where the dtype is a base reference manifest.
*
* @return a list of base reference manifests
*/
@Query(value = "SELECT * FROM ReferenceManifest WHERE DTYPE = 'BaseReferenceManifest'", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE DTYPE = 'BaseReferenceManifest'",
nativeQuery = true)
List<BaseReferenceManifest> findAllBaseRims();
/**
* Query that retrieves a
* Query that retrieves a list of support reference manifests where the dtype is a
* support reference manifest.
*
* @return
* @return a list of support reference manifests
*/
@Query(value = "SELECT * FROM ReferenceManifest WHERE DTYPE = 'SupportReferenceManifest'", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE DTYPE = 'SupportReferenceManifest'",
nativeQuery = true)
List<SupportReferenceManifest> findAllSupportRims();
/**
* Query that retrieves a
* Query that retrieves a base reference manifest using the provided uuid and where the dtype is a
* base reference manifest.
*
* @param uuid
* @return
* @param uuid uuid
* @return a base reference manifest
*/
@Query(value = "SELECT * FROM ReferenceManifest WHERE id = ?1 AND DTYPE = 'BaseReferenceManifest'", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE id = ?1 AND DTYPE = 'BaseReferenceManifest'",
nativeQuery = true)
BaseReferenceManifest getBaseRimEntityById(UUID uuid);
/**
* Query that retrieves a
* Query that retrieves a support reference manifest using the provided uuid and
* where the dtype is a support reference manifest.
*
* @param uuid
* @return
* @param uuid uuid
* @return a support reference manifest
*/
@Query(value = "SELECT * FROM ReferenceManifest WHERE id = ?1 AND DTYPE = 'SupportReferenceManifest'", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE id = ?1 AND DTYPE = 'SupportReferenceManifest'",
nativeQuery = true)
SupportReferenceManifest getSupportRimEntityById(UUID uuid);
/**
* Query that retrieves a
* Query that retrieves event log measurements using the provided uuid and where the dtype is an
* event log measurement.
*
* @param uuid
* @return
* @param uuid uuid
* @return event log measurements
*/
@Query(value = "SELECT * FROM ReferenceManifest WHERE id = ?1 AND DTYPE = 'EventLogMeasurements'", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE id = ?1 AND DTYPE = 'EventLogMeasurements'",
nativeQuery = true)
EventLogMeasurements getEventLogRimEntityById(UUID uuid);
/**
* Query that retrieves a
* Query that retrieves a list of support reference manifests using the provided device name and where the
* dtype is a support reference manifest.
*
* @param deviceName
* @return
* @param deviceName string representation of the device name
* @return a list of support reference manifests
*/
@Query(value = "SELECT * FROM ReferenceManifest WHERE deviceName = ?1 AND DTYPE = 'SupportReferenceManifest'", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE deviceName = ?1 "
+ "AND DTYPE = 'SupportReferenceManifest'", nativeQuery = true)
List<SupportReferenceManifest> byDeviceName(String deviceName);
/**
* Query that retrieves a
* Query that retrieves event log measurements using the provided device name and where the dtype is
* event log measurements.
*
* @param deviceName
* @return
* @param deviceName string representation of the device name
* @return event log measurements
*/
@Query(value = "SELECT * FROM ReferenceManifest WHERE deviceName = ?1 AND DTYPE = 'EventLogMeasurements'", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE deviceName = ?1 "
+ "AND DTYPE = 'EventLogMeasurements'", nativeQuery = true)
EventLogMeasurements byMeasurementDeviceName(String deviceName);
/**
* Query that retrieves a
* Query that retrieves a list of support reference manifests using the provided manufacturer and platform
* model and where the rim type is support.
*
* @param manufacturer
* @param model
* @return
* @param manufacturer string representation of platform manufacturer
* @param model string representation of platform model
* @return a list of support reference manifests
*/
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 AND rimType = 'Support'", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 "
+ "AND rimType = 'Support'", nativeQuery = true)
List<SupportReferenceManifest> getSupportByManufacturerModel(String manufacturer, String model);
/**
* Query that retrieves a
* Query that retrieves event log measurements using the provided platform model and where the dtype is
* event log measurements.
*
* @param model
* @return
* @param model string representation of platform model.
* @return event log measurements
*/
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 AND DTYPE = 'EventLogMeasurements'", nativeQuery = true)
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 "
+ "AND DTYPE = 'EventLogMeasurements'", nativeQuery = true)
EventLogMeasurements getLogByModel(String model);
/**
* Query that retrieves a
* Query that retrieves a list of reference manifests using the provided device name.
*
* @param deviceName
* @return
* @param deviceName string representation of device name
* @return a list of reference manifests
*/
List<ReferenceManifest> findByDeviceName(String deviceName);
/**
* Query that retrieves a
* Query that retrieves a list of reference manifests using the provided archive flag.
*
* @param archiveFlag
* @return
* @param archiveFlag archive flag
* @return a list of reference manifests
*/
List<ReferenceManifest> findByArchiveFlag(boolean archiveFlag);
/**
* Query that retrieves a
* Query that retrieves a page of reference manifests using the provided archive flag and pageable value.
*
* @param archiveFlag
* @param pageable
* @return
* @param archiveFlag archive flag
* @param pageable pageable
* @return a page of reference manifests
*/
Page<ReferenceManifest> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
}

4
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/SupplyChainValidationRepository.java
View File

@ -12,7 +12,7 @@ public interface SupplyChainValidationRepository extends JpaRepository<SupplyCha
/**
* Query that retrieves a list of supply chain validation using the provided validate type.
*
* @param validateType validate type
* @param validateType string representation of the validate type
* @return a list of supply chain validation
*/
List<SupplyChainValidation> findByValidationType(String validateType);
@ -20,7 +20,7 @@ public interface SupplyChainValidationRepository extends JpaRepository<SupplyCha
/**
* Query that retrieves a list of supply chain validation using the provided validation result.
*
* @param validationResult validation result
* @param validationResult string representation of the validation result
* @return a list of supply chain validation
*/
List<SupplyChainValidation> findByValidationResult(String validationResult);

17
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/SupplyChainValidationSummaryRepository.java
View File

@ -15,19 +15,26 @@ public interface SupplyChainValidationSummaryRepository
extends JpaRepository<SupplyChainValidationSummary, UUID> {
/**
* @param device
* @return
* Query that retrieves a supply chain validation summary using the provided device.
*
* @param device device
* @return a supply chain validation summary
*/
SupplyChainValidationSummary findByDevice(Device device);
/**
* @return
* Query that retrieves a list of supply chain validation summaries where the archive flag is false.
*
* @return a list of supply chain validation summary
*/
List<SupplyChainValidationSummary> findByArchiveFlagFalse();
/**
* @param pageable
* @return
* Query that retrieves a page of supply chain validation summaries using the provided pageable value
* and where the archive flag is false.
*
* @param pageable pageable
* @return a page of supply chain validation summary
*/
Page<SupplyChainValidationSummary> findByArchiveFlagFalse(Pageable pageable);
}

2
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/TPM2ProvisionerStateRepository.java
View File

@ -10,7 +10,7 @@ public interface TPM2ProvisionerStateRepository extends JpaRepository<TPM2Provis
/**
* Query that retrieves the TPM2 Provisioner State using the provided first part of nonce.
*
* @param findByFirstPartOfNonce
* @param findByFirstPartOfNonce long representation of the first part of nonce
* @return TPM2 Provisioner State
*/
TPM2ProvisionerState findByFirstPartOfNonce(Long findByFirstPartOfNonce);

485
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/Certificate.java
View File

@ -18,13 +18,11 @@ import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.DLTaggedObject;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AccessDescription;
@ -79,24 +77,6 @@ import java.util.Objects;
@Entity
public abstract class Certificate extends ArchivableEntity {
/**
* Holds the different certificate types.
*/
public enum CertificateType {
/**
* Basic X509 Certificate.
*/
X509_CERTIFICATE,
/**
* Basic Attribute Certificate.
*/
ATTRIBUTE_CERTIFICATE,
/**
* Invalid Certificate.
*/
INVALID_CERTIFICATE
}
/**
* Decimal digit representation of base 16.
*/
@ -106,6 +86,7 @@ public abstract class Certificate extends ArchivableEntity {
* Min length representing the attribute certificate.
*/
public static final int MIN_ATTR_CERT_LENGTH = 8;
/**
* Holds the name of the entity 'ID' field.
*/
@ -120,52 +101,78 @@ public abstract class Certificate extends ArchivableEntity {
* Holds the name of the 'serialNumber' field.
*/
public static final String SERIAL_NUMBER_FIELD = "serialNumber";
@Getter
@Column(nullable = false, precision = CertificateVariables.MAX_NUMERIC_PRECISION, scale = 0)
private final BigInteger serialNumber;
/**
* Holds the name of the 'issuer' field.
*/
public static final String ISSUER_FIELD = "issuer";
@Getter
@Column(nullable = false)
private final String issuer;
/**
* Holds the name of the 'issuerSorted' field.
*/
public static final String ISSUER_SORTED_FIELD = "issuerSorted";
@Getter
@Column
private final String issuerSorted;
/**
* Holds the name of the 'subject' field.
*/
public static final String SUBJECT_FIELD = "subject";
@Getter
@Column(nullable = true)
private final String subject;
/**
* Holds the name of the 'subjectSorted' field.
*/
public static final String SUBJECT_SORTED_FIELD = "subjectSorted";
@Getter
@Column
private final String subjectSorted;
/**
* Holds the name of the 'encodedPublicKey' field.
*/
public static final String ENCODED_PUBLIC_KEY_FIELD = "encodedPublicKey";
@Column(length = CertificateVariables.MAX_CERT_LENGTH_BYTES, nullable = true)
private final byte[] encodedPublicKey;
/**
* Holds the name of the 'encodedPublicKey' field.
*/
public static final String PUBLIC_KEY_MODULUS_FIELD = "publicKeyModulusHexValue";
/**
* Holds the name of the 'certificateHash' field.
*/
public static final String CERTIFICATE_HASH_FIELD = "certificateHash";
/**
* Holds the name of the 'holderSerialNumber' field.
*/
public static final String HOLDER_SERIAL_NUMBER_FIELD = "holderSerialNumber";
/**
* Holds the name of the 'authorityKeyIdentifier' field.
*/
public static final String AUTHORITY_KEY_ID_FIELD = "authorityKeyIdentifier";
@SuppressWarnings("PMD.AvoidUsingHardCodedIP") // this is not an IP address; PMD thinks it is
private static final String POLICY_CONSTRAINTS = "2.5.29.36";
@Getter
@Column(nullable = false, precision = CertificateVariables.MAX_NUMERIC_PRECISION, scale = 0)
private final BigInteger serialNumber;
@Getter
@Column(nullable = false)
private final String issuer;
@Getter
@Column
private final String issuerSorted;
@Getter
@Column
private final String subject;
@Getter
@Column
private final String subjectSorted;
@Column(length = CertificateVariables.MAX_CERT_LENGTH_BYTES)
private final byte[] encodedPublicKey;
// We're currently seeing 2048-bit keys, which is 512 hex digits.
// Using a max length of 1024 for future-proofing.
@Getter
@ -181,16 +188,9 @@ public abstract class Certificate extends ArchivableEntity {
@Column(nullable = false)
private final Date endValidity;
@Column(length = CertificateVariables.MAX_CERT_LENGTH_BYTES*CertificateVariables.KEY_USAGE_BIT4, nullable = false)
@JsonIgnore
private byte[] certificateBytes;
/**
* Holds the name of the 'certificateHash' field.
*/
public static final String CERTIFICATE_HASH_FIELD = "certificateHash";
@Column(nullable = false)
@JsonIgnore @Getter
@JsonIgnore
@Getter
private final int certificateHash;
/**
@ -202,42 +202,48 @@ public abstract class Certificate extends ArchivableEntity {
@JsonIgnore
private final int certAndTypeHash;
/**
* Holds the name of the 'holderSerialNumber' field.
*/
public static final String HOLDER_SERIAL_NUMBER_FIELD = "holderSerialNumber";
@Getter
@Column(nullable = false, precision = CertificateVariables.MAX_NUMERIC_PRECISION)
private final BigInteger holderSerialNumber;
@Getter
@Column(nullable = false, precision = CertificateVariables.MAX_NUMERIC_PRECISION, scale = 0)
private final BigInteger holderSerialNumber;
@Getter
private String holderIssuer;
@Getter
@Column(nullable = true, precision = CertificateVariables.MAX_NUMERIC_PRECISION, scale = 0)
@Column(precision = CertificateVariables.MAX_NUMERIC_PRECISION)
private final BigInteger authoritySerialNumber;
@SuppressWarnings("PMD.AvoidUsingHardCodedIP") // this is not an IP address; PMD thinks it is
private static final String POLICY_CONSTRAINTS = "2.5.29.36";
@Column(length = CertificateVariables.MAX_CERT_LENGTH_BYTES * CertificateVariables.KEY_USAGE_BIT4,
nullable = false)
@JsonIgnore
private byte[] certificateBytes;
@Getter
private String holderIssuer;
// we don't need to persist this, but we don't want to unpack this cert multiple times
@Transient
private X509Certificate parsedX509Cert = null;
@Getter
private String signatureAlgorithm, publicKeyAlgorithm;
private String signatureAlgorithm;
@Getter
private String keyUsage, extendedKeyUsage;
private String publicKeyAlgorithm;
@Getter
private String keyUsage;
@Getter
private String extendedKeyUsage;
private byte[] policyConstraints;
/**
* Holds the name of the 'authorityKeyIdentifier' field.
*/
public static final String AUTHORITY_KEY_ID_FIELD = "authorityKeyIdentifier";
@Getter
private String authorityKeyIdentifier;
@Getter
private String authorityInfoAccess;
@Getter
private String crlPoints;
@Getter
private int publicKeySize;
@ -291,7 +297,7 @@ public abstract class Certificate extends ArchivableEntity {
* @param certificateBytes the contents of a certificate file
* @throws IOException if there is a problem extracting information from the certificate
*/
@SuppressWarnings("methodlength")
public Certificate(final byte[] certificateBytes) throws IOException {
Preconditions.checkArgument(
certificateBytes != null,
@ -342,7 +348,7 @@ public abstract class Certificate extends ArchivableEntity {
this.policyConstraints = x509Certificate
.getExtensionValue(POLICY_CONSTRAINTS);
authKeyIdentifier = AuthorityKeyIdentifier
.getInstance((DLSequence) getExtensionValue(
.getInstance(getExtensionValue(
Extension.authorityKeyIdentifier.getId()));
this.authorityInfoAccess = getAuthorityInfoAccess(x509Certificate
@ -460,6 +466,161 @@ public abstract class Certificate extends ArchivableEntity {
this.certAndTypeHash = Objects.hash(certificateHash, getClass().getSimpleName());
}
/**
* Gets the raw bytes for the certificate.
*
* @param certificatePath path to the certificate file
* @return bytes from the certificate file
* @throws IOException if there is a problem reading the file
*/
public static byte[] readBytes(final Path certificatePath) throws IOException {
Preconditions.checkArgument(
certificatePath != null,
"Cannot construct a Certificate from a null path"
);
return Files.readAllBytes(certificatePath);
}
/**
* Retrieve a formatted subject DN string from a certificate. This allows for extended support of DNs
* found in various RFCs.
*
* @param certificate the certificate holding subject DNs
* @return IOException if there is an issue decoding the subject DNs
*/
public static String getSubjectDNString(final X509Certificate certificate)
throws IOException {
X509CertificateHolder certificateHolder = null;
try {
certificateHolder = new X509CertificateHolder(certificate.getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("Could not encode certificate", e);
}
X500Name x500Name = certificateHolder.getSubject();
return x500Name.toString();
}
/**
* Retrieve a formatted issuer DN string from a certificate. This allows for extended support of DNs found
* in various RFCs.
*
* @param certificate the certificate holding issuer DNs
* @return IOException if there is an issue decoding the issuer DNs
*/
public static String getIssuerDNString(final X509Certificate certificate)
throws IOException {
X509CertificateHolder certificateHolder = null;
try {
certificateHolder = new X509CertificateHolder(certificate.getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("Could not encode certificate", e);
}
X500Name x500Name = certificateHolder.getIssuer();
return x500Name.toString();
}
/**
* Retrieve an RSA-based X509 certificate's public key modulus.
*
* @param certificate the certificate holding a public key
* @return a BigInteger representing its public key's modulus or null if none found
* @throws IOException if there is an issue decoding the encoded public key
*/
public static BigInteger getPublicKeyModulus(final X509Certificate certificate)
throws IOException {
X509CertificateHolder certificateHolder = null;
try {
certificateHolder = new X509CertificateHolder(certificate.getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("Could not encode certificate", e);
}
try {
return getPublicKeyModulus(
certificateHolder.getSubjectPublicKeyInfo().parsePublicKey().toASN1Primitive()
);
} catch (IOException e) {
log.info("No RSA Key Detected in certificate");
return null;
}
}
/**
* Retrieves the modulus of the given PublicKey.
*
* @param publicKey the public key
* @return a BigInteger representing the public key's modulus
* @throws IOException if there is an issue decoding the public key
*/
public static BigInteger getPublicKeyModulus(final PublicKey publicKey) throws IOException {
ASN1Primitive publicKeyASN1 = ASN1Primitive.fromByteArray(publicKey.getEncoded());
if (publicKeyASN1 instanceof ASN1Sequence publicKeyASN1Sequence) {
ASN1BitString encodedModulusAndExponent = (ASN1BitString)
publicKeyASN1Sequence.getObjectAt(1);
byte[] modulusAndExponentBytes = encodedModulusAndExponent.getOctets();
return getPublicKeyModulus(ASN1Primitive.fromByteArray(modulusAndExponentBytes));
} else {
throw new IOException("Could not read public key as ASN1Sequence");
}
}
private static BigInteger getPublicKeyModulus(final ASN1Primitive publicKey)
throws IOException {
if (publicKey instanceof ASN1Sequence pubKeySeq) {
ASN1Encodable modulus = pubKeySeq.getObjectAt(0);
if (modulus instanceof ASN1Integer) {
return ((ASN1Integer) modulus).getValue();
} else {
throw new IOException("Could not read modulus as an ASN1Integer");
}
} else {
throw new IOException("Could not parse public key information as an ASN1Sequence");
}
}
/**
* Retrieve the X509 Name array from the issuer in an Attribute Certificate.
*
* @param issuer for the Attribute Certificate
* @return a X500Name[] representing the names of the issuer
*/
public static X500Name[] getAttributeCertificateIssuerNames(final AttCertIssuer issuer) {
final ASN1Encodable form = issuer.getIssuer();
GeneralNames name;
if (form instanceof V2Form) {
name = ((V2Form) form).getIssuerName();
} else {
name = (GeneralNames) form;
}
GeneralName[] names = name.getNames();
List<X500Name> l = new ArrayList<>(names.length);
for (int i = 0; i != names.length; i++) {
if (names[i].getTagNo() == GeneralName.directoryName) {
l.add(X500Name.getInstance(names[i].getName()));
}
}
return l.toArray(new X500Name[l.size()]);
}
/**
* Retrieve the Date from an ASN1GeneralizedTime.
*
* @param time (ASN1GeneralizedTime) of the certificate
* @return the Date from a ASN1GeneralizedTime
*/
public static Date recoverDate(final ASN1GeneralizedTime time) {
try {
return time.getDate();
} catch (ParseException e) {
throw new IllegalStateException("unable to recover date: " + e.getMessage());
}
}
/**
* Getter for the CRL Distribution that is reference by the Revocation Locator
* on the portal.
@ -502,6 +663,7 @@ public abstract class Certificate extends ArchivableEntity {
/**
* Getter for the x509 Platform Certificate version.
*
* @return a big integer representing the certificate version. If there
* is an error, return the max value to visible show error.
*/
@ -519,7 +681,7 @@ public abstract class Certificate extends ArchivableEntity {
* Checks if another certificate is the issuer for this certificate.
*
* @param issuer the other certificate to check (must be an X509Certificate,
* not an X509AttributeCertificateHolder)
* not an X509AttributeCertificateHolder)
* @return whether or not the other certificate is the issuer for this certificate
* @throws IOException if there is an issue deserializing either certificate
*/
@ -536,7 +698,7 @@ public abstract class Certificate extends ArchivableEntity {
certX509.verify(issuerX509.getPublicKey());
isIssuer = "";
} catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException
| NoSuchProviderException | SignatureException e) {
| NoSuchProviderException | SignatureException e) {
log.error(e);
}
break;
@ -550,8 +712,8 @@ public abstract class Certificate extends ArchivableEntity {
isIssuer = "";
}
} catch (NoSuchAlgorithmException
| InvalidKeyException
| SignatureException sigEx) {
| InvalidKeyException
| SignatureException sigEx) {
log.error(sigEx);
}
break;
@ -564,7 +726,7 @@ public abstract class Certificate extends ArchivableEntity {
}
/**
* Return whether or not this certificate is valid on a particular date.
* Return whether this certificate is valid on a particular date.
*
* @param date the date of interest.
* @return true if the attribute certificate is valid, false otherwise.
@ -601,7 +763,7 @@ public abstract class Certificate extends ArchivableEntity {
protected CertificateType getCertificateType() throws IOException {
//Parse the certificate into a sequence
ASN1Sequence testCred1 = (ASN1Sequence) ASN1Primitive.fromByteArray(this.certificateBytes);
ASN1Sequence testSeq = (ASN1Sequence) ((ASN1Object) testCred1.toArray()[0]);
ASN1Sequence testSeq = (ASN1Sequence) testCred1.toArray()[0];
if (testSeq.toArray()[0] instanceof ASN1Integer) {
if (testSeq.toArray().length >= MIN_ATTR_CERT_LENGTH) {
@ -611,7 +773,8 @@ public abstract class Certificate extends ArchivableEntity {
// V1 X509Certificate
return CertificateType.X509_CERTIFICATE;
}
} else if (testSeq.toArray()[0] instanceof DERTaggedObject || testSeq.toArray()[0] instanceof DLTaggedObject) {
} else if (testSeq.toArray()[0] instanceof DERTaggedObject
|| testSeq.toArray()[0] instanceof DLTaggedObject) {
// V2 or V3 X509Certificate
return CertificateType.X509_CERTIFICATE;
}
@ -619,7 +782,6 @@ public abstract class Certificate extends ArchivableEntity {
return CertificateType.INVALID_CERTIFICATE;
}
private String parseKeyUsage(final boolean[] bools) {
StringBuilder sb = new StringBuilder();
@ -636,6 +798,8 @@ public abstract class Certificate extends ArchivableEntity {
/**
* Getter for the authorityKeyIdentifier.
*
* @param aki authority key identifier
* @return the ID's byte representation
*/
private String authKeyIdentifierToString(final AuthorityKeyIdentifier aki) {
@ -655,7 +819,7 @@ public abstract class Certificate extends ArchivableEntity {
*
* @param oid Object Identifier
* @return ASN1Primitive Content related to the requested OID
* @throws java.io.IOException
* @throws IOException io exception
*/
private ASN1Primitive getExtensionValue(final String oid) throws IOException {
byte[] extensionValue = getX509Certificate().getExtensionValue(oid);
@ -684,6 +848,7 @@ public abstract class Certificate extends ArchivableEntity {
/**
* Getter for the AuthorityInfoAccess extension value on list format.
*
* @param authInfoAccess byte representation of the authority info access
* @return List Authority info access list
*/
private String getAuthorityInfoAccess(final byte[] authInfoAccess) {
@ -704,6 +869,7 @@ public abstract class Certificate extends ArchivableEntity {
/**
* Getter for the AuthorityInfoAccess extension value on list format.
*
* @param authInfoAccess authority information access
* @return List Authority info access list
*/
private String getAuthorityInfoAccess(final AuthorityInformationAccess authInfoAccess) {
@ -724,7 +890,6 @@ public abstract class Certificate extends ArchivableEntity {
return sb.toString();
}
/**
* Retrieve the original X509 attribute certificate.
*
@ -773,6 +938,7 @@ public abstract class Certificate extends ArchivableEntity {
/**
* Getter for the policy statement.
*
* @return cloned bit representation of constraints
*/
public byte[] getPolicyConstraints() {
@ -837,159 +1003,20 @@ public abstract class Certificate extends ArchivableEntity {
}
/**
*
* Gets the raw bytes for the certificate.
* @param certificatePath path to the certificate file
* @return bytes from the certificate file
* @throws IOException if there is a problem reading the file
* Holds the different certificate types.
*/
public static byte[] readBytes(final Path certificatePath) throws IOException {
Preconditions.checkArgument(
certificatePath != null,
"Cannot construct a Certificate from a null path"
);
return Files.readAllBytes(certificatePath);
}
/**
* Retrieve a formatted subject DN string from a certificate. This allows for extended support of DNs found in
* various RFCs.
*
* @param certificate the certificate holding subject DNs
* @return IOException if there is an issue decoding the subject DNs
*/
public static String getSubjectDNString(final X509Certificate certificate)
throws IOException {
X509CertificateHolder certificateHolder = null;
try {
certificateHolder = new X509CertificateHolder(certificate.getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("Could not encode certificate", e);
}
X500Name x500Name = certificateHolder.getSubject();
return x500Name.toString();
}
/**
* Retrieve a formatted issuer DN string from a certificate. This allows for extended support of DNs found in
* various RFCs.
*
* @param certificate the certificate holding issuer DNs
* @return IOException if there is an issue decoding the issuer DNs
*/
public static String getIssuerDNString(final X509Certificate certificate)
throws IOException {
X509CertificateHolder certificateHolder = null;
try {
certificateHolder = new X509CertificateHolder(certificate.getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("Could not encode certificate", e);
}
X500Name x500Name = certificateHolder.getIssuer();
return x500Name.toString();
}
/**
* Retrieve an RSA-based X509 certificate's public key modulus.
*
* @param certificate the certificate holding a public key
* @return a BigInteger representing its public key's modulus or null if none found
* @throws IOException if there is an issue decoding the encoded public key
*/
public static BigInteger getPublicKeyModulus(final X509Certificate certificate)
throws IOException {
X509CertificateHolder certificateHolder = null;
try {
certificateHolder = new X509CertificateHolder(certificate.getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("Could not encode certificate", e);
}
try {
return getPublicKeyModulus(
certificateHolder.getSubjectPublicKeyInfo().parsePublicKey().toASN1Primitive()
);
} catch (IOException e) {
log.info("No RSA Key Detected in certificate");
return null;
}
}
/**
* Retrieves the modulus of the given PublicKey.
*
* @param publicKey the public key
* @return a BigInteger representing the public key's modulus
* @throws IOException if there is an issue decoding the public key
*/
public static BigInteger getPublicKeyModulus(final PublicKey publicKey) throws IOException {
ASN1Primitive publicKeyASN1 = ASN1Primitive.fromByteArray(publicKey.getEncoded());
if (publicKeyASN1 instanceof ASN1Sequence) {
ASN1Sequence publicKeyASN1Sequence = (ASN1Sequence) publicKeyASN1;
ASN1BitString encodedModulusAndExponent = (ASN1BitString)
publicKeyASN1Sequence.getObjectAt(1);
byte[] modulusAndExponentBytes = encodedModulusAndExponent.getOctets();
return getPublicKeyModulus(ASN1Primitive.fromByteArray(modulusAndExponentBytes));
} else {
throw new IOException("Could not read public key as ASN1Sequence");
}
}
private static BigInteger getPublicKeyModulus(final ASN1Primitive publicKey)
throws IOException {
if (publicKey instanceof ASN1Sequence) {
ASN1Sequence pubKeySeq = (ASN1Sequence) publicKey;
ASN1Encodable modulus = pubKeySeq.getObjectAt(0);
if (modulus instanceof ASN1Integer) {
return ((ASN1Integer) modulus).getValue();
} else {
throw new IOException("Could not read modulus as an ASN1Integer");
}
} else {
throw new IOException("Could not parse public key information as an ASN1Sequence");
}
}
/**
* Retrieve the X509 Name array from the issuer in an Attribute Certificate.
*
* @param issuer for the Attribute Certificate
* @return a X500Name[] representing the names of the issuer
*/
public static X500Name[] getAttributeCertificateIssuerNames(final AttCertIssuer issuer) {
final ASN1Encodable form = issuer.getIssuer();
GeneralNames name;
if (form instanceof V2Form) {
name = ((V2Form) form).getIssuerName();
} else {
name = (GeneralNames) form;
}
GeneralName[] names = name.getNames();
List<X500Name> l = new ArrayList<>(names.length);
for (int i = 0; i != names.length; i++) {
if (names[i].getTagNo() == GeneralName.directoryName) {
l.add(X500Name.getInstance(names[i].getName()));
}
}
return (X500Name[]) l.toArray(new X500Name[l.size()]);
}
/**
* Retrieve the Date from an ASN1GeneralizedTime.
*
* @param time (ASN1GeneralizedTime) of the certificate
* @return the Date from a ASN1GeneralizedTime
*/
public static Date recoverDate(final ASN1GeneralizedTime time) {
try {
return time.getDate();
} catch (ParseException e) {
throw new IllegalStateException("unable to recover date: " + e.getMessage());
}
public enum CertificateType {
/**
* Basic X509 Certificate.
*/
X509_CERTIFICATE,
/**
* Basic Attribute Certificate.
*/
ATTRIBUTE_CERTIFICATE,
/**
* Invalid Certificate.
*/
INVALID_CERTIFICATE
}
}

19
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/Device.java
View File

@ -65,6 +65,11 @@ public class Device extends AbstractEntity {
@Column(name = "summary_id")
private String summaryId;
/**
* Constructor creates a Device object using the provided device info report.
*
* @param deviceInfoReport device information report
*/
public Device(final DeviceInfoReport deviceInfoReport) {
super();
if (deviceInfoReport != null) {
@ -94,6 +99,7 @@ public class Device extends AbstractEntity {
/**
* Getter for the report time stamp.
*
* @return a cloned version
*/
public Timestamp getLastReportTimestamp() {
@ -106,12 +112,14 @@ public class Device extends AbstractEntity {
/**
* Setter for the report time stamp.
*
* @param lastReportTimestamp
*/
public void setLastReportTimestamp(final Timestamp lastReportTimestamp) {
this.lastReportTimestamp = (Timestamp) lastReportTimestamp.clone();
}
@Override
public String toString() {
return String.format("Device Name: %s%nStatus: %s%nSummary: %s%n",
name, (healthStatus == null ? "N/A" : healthStatus.getStatus()),
@ -119,13 +127,14 @@ public class Device extends AbstractEntity {
}
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (!(o instanceof Device)) {
public boolean equals(final Object o) {
if (this == o) {
return true;
}
if (!(o instanceof Device device)) {
return false;
}
Device device = (Device) o;
return isStateOverridden == device.isStateOverridden
&& Objects.equals(name, device.name)
&& healthStatus == device.healthStatus
@ -141,4 +150,4 @@ public class Device extends AbstractEntity {
supplyChainValidationStatus, lastReportTimestamp,
isStateOverridden, overrideReason, summaryId);
}
}
}

61
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidation.java
View File

@ -2,7 +2,6 @@ package hirs.attestationca.persist.entity.userdefined;
import com.google.common.base.Preconditions;
import hirs.attestationca.persist.entity.ArchivableEntity;
import hirs.attestationca.persist.entity.userdefined.rim.BaseReferenceManifest;
import hirs.attestationca.persist.enums.AppraisalStatus;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
@ -21,48 +20,19 @@ import java.util.List;
*/
@Entity
public class SupplyChainValidation extends ArchivableEntity {
/**
* Used to indicate which type of validation a result is related to.
*/
public enum ValidationType {
/**
* Validation of an endorsement credential.
*/
ENDORSEMENT_CREDENTIAL,
/**
* Validation of a platform credential and also delta platform credentials from spec 1.1.
*/
PLATFORM_CREDENTIAL,
/**
* Validation of a platform credential's attributes.
*/
PLATFORM_CREDENTIAL_ATTRIBUTES,
/**
* Validation of the device firmware.
*/
FIRMWARE
}
@Getter
@Column
private final ValidationType validationType;
@Getter
@Column
private final AppraisalStatus.Status validationResult;
@ManyToMany(fetch = FetchType.EAGER)
@JoinTable(name = "CertificatesUsedToValidate",
joinColumns = { @JoinColumn(name = "validation_id", nullable = false) })
joinColumns = {@JoinColumn(name = "validation_id", nullable = false)})
private final List<Certificate> certificatesUsed;
@Getter
@Column(length = RESULT_MESSAGE_LENGTH)
private final String message;
@Getter
@Column
private String rimId;
@ -81,10 +51,10 @@ public class SupplyChainValidation extends ArchivableEntity {
/**
* Construct a new SupplyChainValidation instance.
*
* @param validationType the type of validation this instance will represent; not null
* @param validationType the type of validation this instance will represent; not null
* @param validationResult whether the validation was successful or not
* @param certificatesUsed certificates used, if any, in the validation process; not null
* @param message a related information or error message; may be null
* @param message a related information or error message; may be null
*/
public SupplyChainValidation(final ValidationType validationType,
final AppraisalStatus.Status validationResult,
@ -122,4 +92,29 @@ public class SupplyChainValidation extends ArchivableEntity {
public List<Certificate> getCertificatesUsed() {
return Collections.unmodifiableList(certificatesUsed);
}
/**
* Used to indicate which type of validation a result is related to.
*/
public enum ValidationType {
/**
* Validation of an endorsement credential.
*/
ENDORSEMENT_CREDENTIAL,
/**
* Validation of a platform credential and also delta platform credentials from spec 1.1.
*/
PLATFORM_CREDENTIAL,
/**
* Validation of a platform credential's attributes.
*/
PLATFORM_CREDENTIAL_ATTRIBUTES,
/**
* Validation of the device firmware.
*/
FIRMWARE
}
}

230
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidationSummary.java
View File

@ -32,7 +32,6 @@ import java.util.Set;
import java.util.UUID;
/**
* A container class to group multiple related {@link SupplyChainValidation} instances
* together.
@ -40,12 +39,10 @@ import java.util.UUID;
@Entity
public class SupplyChainValidationSummary extends ArchivableEntity {
private static final String DEVICE_ID_FIELD = "device.id";
@ManyToOne
@JoinColumn(name = "device_id")
private final Device device;
private static final String DEVICE_ID_FIELD = "device.id";
@Getter
@Column
@Enumerated(EnumType.STRING)
@ -72,120 +69,11 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
this.message = Strings.EMPTY;
}
/**
* This class enables the retrieval of SupplyChainValidationSummaries by their attributes.
*/
public static class Selector {
private final CrudRepository<SupplyChainValidationSummary, UUID>
supplyChainValidationSummaryCrudManager;
private final Map<String, Object> fieldValueSelections;
/**
* Construct a new Selector that will use the given {@link CrudRepository} to
* retrieve SupplyChainValidationSummaries.
*
* @param supplyChainValidationSummaryCrudManager the summary manager to be used to retrieve
* supply chain validation summaries
*/
public Selector(
final CrudRepository<SupplyChainValidationSummary, UUID>
supplyChainValidationSummaryCrudManager) {
Preconditions.checkArgument(
supplyChainValidationSummaryCrudManager != null,
"supply chain validation summary manager cannot be null"
);
this.supplyChainValidationSummaryCrudManager = supplyChainValidationSummaryCrudManager;
this.fieldValueSelections = new HashMap<>();
}
/**
* Construct the criterion that can be used to query for supply chain validation summaries
* matching the configuration of this Selector.
*
* @return a Criterion that can be used to query for supply chain validation summaries
* matching the configuration of this instance
*/
public Predicate[] getCriterion(final CriteriaBuilder criteriaBuilder) {
Predicate[] predicates = new Predicate[fieldValueSelections.size()];
CriteriaQuery<SupplyChainValidationSummary> query = criteriaBuilder.createQuery(SupplyChainValidationSummary.class);
Root<SupplyChainValidationSummary> root = query.from(SupplyChainValidationSummary.class);
int i = 0;
for (Map.Entry<String, Object> fieldValueEntry : fieldValueSelections.entrySet()) {
predicates[i++] = criteriaBuilder.equal(root.get(fieldValueEntry.getKey()), fieldValueEntry.getValue());
}
return predicates;
}
/**
* Set a field name and value to match.
*
* @param name the field name to query
* @param value the value to query
*/
protected void setFieldValue(final String name, final Object value) {
Object valueToAssign = value;
Preconditions.checkArgument(
value != null,
"field value cannot be null."
);
if (value instanceof String) {
Preconditions.checkArgument(
StringUtils.isNotEmpty((String) value),
"field value cannot be empty."
);
}
if (value instanceof byte[]) {
byte[] valueBytes = (byte[]) value;
Preconditions.checkArgument(
ArrayUtils.isNotEmpty(valueBytes),
"field value cannot be empty."
);
valueToAssign = Arrays.copyOf(valueBytes, valueBytes.length);
}
fieldValueSelections.put(name, valueToAssign);
}
/**
* Specify a device id that supply chain validation summaries must have to be considered
* as matching.
*
* @param device the device id to query
* @return this instance (for chaining further calls)
*/
public Selector byDeviceId(final UUID device) {
setFieldValue(DEVICE_ID_FIELD, device);
return this;
}
}
/**
* Get a Selector for use in retrieving SupplyChainValidationSummary.
*
* @param certMan the CrudManager to be used to retrieve persisted supply chain validation
* summaries
* @return a SupplyChainValidationSummary.Selector instance to use for retrieving certificates
*/
public static SupplyChainValidationSummary.Selector select(
final CrudRepository<SupplyChainValidationSummary, UUID> certMan) {
return new SupplyChainValidationSummary.Selector(certMan);
}
/**
* Construct a new SupplyChainValidationSummary.
*
* @param device device that underwent supply chain validation
* @param validations a Collection of Validations that should comprise this summary; not null
* @param device device that underwent supply chain validation
* @param validations a Collection of Validations that should comprise this summary; not null
* @param provisionSessionId randomly generated UUID to associate with results
*/
public SupplyChainValidationSummary(final Device device,
@ -198,7 +86,7 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
/**
* Construct a new SupplyChainValidationSummary.
*
* @param device device that underwent supply chain validation
* @param device device that underwent supply chain validation
* @param validations a Collection of Validations that should comprise this summary; not null
*/
public SupplyChainValidationSummary(final Device device,
@ -221,6 +109,18 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
this.message = status.getMessage();
}
/**
* Get a Selector for use in retrieving SupplyChainValidationSummary.
*
* @param certMan the CrudManager to be used to retrieve persisted supply chain validation
* summaries
* @return a SupplyChainValidationSummary.Selector instance to use for retrieving certificates
*/
public static SupplyChainValidationSummary.Selector select(
final CrudRepository<SupplyChainValidationSummary, UUID> certMan) {
return new SupplyChainValidationSummary.Selector(certMan);
}
/**
* This retrieves the device associated with the supply chain validation summaries.
*
@ -270,4 +170,102 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
return new AppraisalStatus(AppraisalStatus.Status.PASS,
Strings.EMPTY);
}
/**
* This class enables the retrieval of SupplyChainValidationSummaries by their attributes.
*/
public static class Selector {
private final CrudRepository<SupplyChainValidationSummary, UUID>
supplyChainValidationSummaryCrudManager;
private final Map<String, Object> fieldValueSelections;
/**
* Construct a new Selector that will use the given {@link CrudRepository} to
* retrieve SupplyChainValidationSummaries.
*
* @param supplyChainValidationSummaryCrudManager the summary manager to be used to retrieve
* supply chain validation summaries
*/
public Selector(
final CrudRepository<SupplyChainValidationSummary, UUID>
supplyChainValidationSummaryCrudManager) {
Preconditions.checkArgument(
supplyChainValidationSummaryCrudManager != null,
"supply chain validation summary manager cannot be null"
);
this.supplyChainValidationSummaryCrudManager = supplyChainValidationSummaryCrudManager;
this.fieldValueSelections = new HashMap<>();
}
/**
* Construct the criterion that can be used to query for supply chain validation summaries
* matching the configuration of this Selector.
*
* @return a Criterion that can be used to query for supply chain validation summaries
* matching the configuration of this instance
*/
public Predicate[] getCriterion(final CriteriaBuilder criteriaBuilder) {
Predicate[] predicates = new Predicate[fieldValueSelections.size()];
CriteriaQuery<SupplyChainValidationSummary> query =
criteriaBuilder.createQuery(SupplyChainValidationSummary.class);
Root<SupplyChainValidationSummary> root = query.from(SupplyChainValidationSummary.class);
int i = 0;
for (Map.Entry<String, Object> fieldValueEntry : fieldValueSelections.entrySet()) {
predicates[i++] =
criteriaBuilder.equal(root.get(fieldValueEntry.getKey()), fieldValueEntry.getValue());
}
return predicates;
}
/**
* Set a field name and value to match.
*
* @param name the field name to query
* @param value the value to query
*/
protected void setFieldValue(final String name, final Object value) {
Object valueToAssign = value;
Preconditions.checkArgument(
value != null,
"field value cannot be null."
);
if (value instanceof String) {
Preconditions.checkArgument(
StringUtils.isNotEmpty((String) value),
"field value cannot be empty."
);
}
if (value instanceof byte[] valueBytes) {
Preconditions.checkArgument(
ArrayUtils.isNotEmpty(valueBytes),
"field value cannot be empty."
);
valueToAssign = Arrays.copyOf(valueBytes, valueBytes.length);
}
fieldValueSelections.put(name, valueToAssign);
}
/**
* Specify a device id that supply chain validation summaries must have to be considered
* as matching.
*
* @param device the device id to query
* @return this instance (for chaining further calls)
*/
public Selector byDeviceId(final UUID device) {
setFieldValue(DEVICE_ID_FIELD, device);
return this;
}
}
}

165
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/CertificateVariables.java
View File

@ -2,46 +2,209 @@ package hirs.attestationca.persist.entity.userdefined.certificate;
public class CertificateVariables {
/**
*
*/
public static final String PEM_HEADER = "-----BEGIN CERTIFICATE-----";
/**
*
*/
public static final String PEM_FOOTER = "-----END CERTIFICATE-----";
/**
*
*/
public static final String PEM_ATTRIBUTE_HEADER = "-----BEGIN ATTRIBUTE CERTIFICATE-----";
/**
*
*/
public static final String PEM_ATTRIBUTE_FOOTER = "-----END ATTRIBUTE CERTIFICATE-----";
/**
*
*/
public static final String MALFORMED_CERT_MESSAGE = "Malformed certificate detected.";
/**
*
*/
public static final int MAX_CERT_LENGTH_BYTES = 2048;
public static final int MAX_NUMERIC_PRECISION = 49; // Can store up to 160 bit values
/**
*
*/
public static final int MAX_NUMERIC_PRECISION = 49;
/**
* Can store up to 160 bit values
*/
public static final int MAX_PUB_KEY_MODULUS_HEX_LENGTH = 1024;
/**
*
*/
public static final int KEY_USAGE_BIT0 = 0;
/**
*
*/
public static final int KEY_USAGE_BIT1 = 1;
/**
*
*/
public static final int KEY_USAGE_BIT2 = 2;
/**
*
*/
public static final int KEY_USAGE_BIT3 = 3;
/**
*
*/
public static final int KEY_USAGE_BIT4 = 4;
/**
*
*/
public static final int KEY_USAGE_BIT5 = 5;
/**
*
*/
public static final int KEY_USAGE_BIT6 = 6;
/**
*
*/
public static final int KEY_USAGE_BIT7 = 7;
/**
*
*/
public static final int KEY_USAGE_BIT8 = 8;
/**
*
*/
public static final String KEY_USAGE_DS = "DIGITAL SIGNATURE";
/**
*
*/
public static final String KEY_USAGE_NR = "NON-REPUDIATION";
/**
*
*/
public static final String KEY_USAGE_KE = "KEY ENCIPHERMENT";
/**
*
*/
public static final String KEY_USAGE_DE = "DATA ENCIPHERMENT";
/**
*
*/
public static final String KEY_USAGE_KA = "KEY AGREEMENT";
/**
*
*/
public static final String KEY_USAGE_KC = "KEY CERT SIGN";
/**
*
*/
public static final String KEY_USAGE_CS = "CRL SIGN";
/**
*
*/
public static final String KEY_USAGE_EO = "ENCIPHER ONLY";
/**
*
*/
public static final String KEY_USAGE_DO = "DECIPHER ONLY";
/**
*
*/
public static final String ECDSA_OID = "1.2.840.10045.4.3.2";
/**
*
*/
public static final String ECDSA_SHA224_OID = "1.2.840.10045.4.1";
/**
*
*/
public static final String RSA256_OID = "1.2.840.113549.1.1.11";
/**
*
*/
public static final String RSA384_OID = "1.2.840.113549.1.1.12";
/**
*
*/
public static final String RSA512_OID = "1.2.840.113549.1.1.13";
/**
*
*/
public static final String RSA224_OID = "1.2.840.113549.1.1.14";
/**
*
*/
public static final String RSA512_224_OID = "1.2.840.113549.1.1.15";
/**
*
*/
public static final String RSA512_256_OID = "1.2.840.113549.1.1.16";
/**
*
*/
public static final String RSA256_STRING = "SHA256WithRSA";
/**
*
*/
public static final String RSA384_STRING = "SHA384WithRSA";
/**
*
*/
public static final String RSA224_STRING = "SHA224WithRSA";
/**
*
*/
public static final String RSA512_STRING = "SHA512WithRSA";
/**
*
*/
public static final String RSA512_224_STRING = "SHA512-224WithRSA";
/**
*
*/
public static final String RSA512_256_STRING = "SHA512-256WithRSA";
/**
*
*/
public static final String ECDSA_STRING = "SHA256WithECDSA";
public static final String ECDSA_SHA224_STRING = "SHA224WithECDSA";
}

36
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/IDevIDCertificate.java
View File

@ -6,8 +6,12 @@ import jakarta.persistence.Entity;
import jakarta.persistence.Transient;
import lombok.Getter;
import lombok.extern.log4j.Log4j2;
import org.apache.commons.codec.binary.Hex;
import org.bouncycastle.asn1.*;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.x509.CertificatePolicies;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.PolicyInformation;
@ -15,21 +19,13 @@ import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
@Entity
@Log4j2
@ -154,6 +150,7 @@ public class IDevIDCertificate extends Certificate {
/**
* Parses fields related to IDevID certificates.
*
* @throws IOException if a problem is encountered during parsing
*/
private void parseIDevIDCertificate() throws IOException {
@ -207,12 +204,12 @@ public class IDevIDCertificate extends Certificate {
} catch (IllegalArgumentException e) {
// Some certs have been found to contain tagged objects for hwSerialNum.
// Handle this as a special case.
log.warn("Could not parse octet string for hwSerialNum. Attempting to parse tag.");
log.warn(
"Could not parse octet string for hwSerialNum. Attempting to parse tag.");
try {
tagObj1 = ASN1TaggedObject.getInstance(seq1.getObjectAt(1));
obj2 = ASN1OctetString.getInstance(tagObj1, false);
}
catch (Exception i) { // Invalid object found
} catch (Exception i) { // Invalid object found
log.warn("Invalid object found for hwSerialNum.");
break;
}
@ -223,7 +220,7 @@ public class IDevIDCertificate extends Certificate {
// the hwSerialNum field will be parsed accordingly.
hwType = obj1.toString();
if (hasTCGOIDs()) {
tcgOid = true;
tcgOid = true;
}
// Convert octet string to byte array
@ -237,7 +234,8 @@ public class IDevIDCertificate extends Certificate {
// Check for certificate policy qualifiers, which should be present for IDevIDs if in compliance with the
// TCG specification.
// For interoperability reasons, this will only log a warning if a TCG OID is specified above.
byte[] policyBytes = getX509Certificate().getExtensionValue(Extension.certificatePolicies.getId());
byte[] policyBytes =
getX509Certificate().getExtensionValue(Extension.certificatePolicies.getId());
Map<String, Boolean> policyQualifiers = null;
if (policyBytes != null) {
@ -264,8 +262,9 @@ public class IDevIDCertificate extends Certificate {
failCondition = true;
}
if (failCondition) {
log.warn("TPM policy qualifiers not found, or do not meet logical criteria. Certificate may not " +
"be in compliance with TCG specification.");
log.warn(
"TPM policy qualifiers not found, or do not meet logical criteria. Certificate may not " +
"be in compliance with TCG specification.");
}
}
@ -288,8 +287,7 @@ public class IDevIDCertificate extends Certificate {
public boolean hasTCGOIDs() {
if (this.getHwType() != null) {
return this.getHwType().equals(HWTYPE_TCG_TPM2_OID);
}
else {
} else {
return false;
}
}

57
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java
View File

@ -1,6 +1,5 @@
package hirs.attestationca.persist.provision;
import com.fasterxml.jackson.databind.ser.Serializers;
import com.google.protobuf.ByteString;
import hirs.attestationca.configuration.provisionerTpm2.ProvisionerTpm2;
import hirs.attestationca.persist.entity.manager.CertificateRepository;
@ -69,24 +68,23 @@ import java.util.regex.Pattern;
@Log4j2
public class IdentityClaimProcessor extends AbstractProcessor {
private static final String PCR_QUOTE_MASK = "0,1,2,3,4,5,6,7,8,9,10,11,12,13,"
+ "14,15,16,17,18,19,20,21,22,23";
private static final int NUM_OF_VARIABLES = 5;
/**
* Number of bytes to include in the TPM2.0 nonce.
*/
public static final int NONCE_LENGTH = 20;
private static final String PCR_QUOTE_MASK = "0,1,2,3,4,5,6,7,8,9,10,11,12,13,"
+ "14,15,16,17,18,19,20,21,22,23";
private static final int NUM_OF_VARIABLES = 5;
private static final int MAC_BYTES = 6;
private SupplyChainValidationService supplyChainValidationService;
private CertificateRepository certificateRepository;
private ComponentResultRepository componentResultRepository;
private ComponentInfoRepository componentInfoRepository;
private ReferenceManifestRepository referenceManifestRepository;
private ReferenceDigestValueRepository referenceDigestValueRepository;
private DeviceRepository deviceRepository;
private TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository;
private final SupplyChainValidationService supplyChainValidationService;
private final CertificateRepository certificateRepository;
private final ComponentResultRepository componentResultRepository;
private final ComponentInfoRepository componentInfoRepository;
private final ReferenceManifestRepository referenceManifestRepository;
private final ReferenceDigestValueRepository referenceDigestValueRepository;
private final DeviceRepository deviceRepository;
private final TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository;
/**
* Constructor.
@ -116,8 +114,8 @@ public class IdentityClaimProcessor extends AbstractProcessor {
* Basic implementation of the ACA processIdentityClaimTpm2 method. Parses the claim,
* stores the device info, performs supply chain validation, generates a nonce,
* and wraps that nonce with the make credential process before returning it to the client.
* attCert.setPcrValues(pcrValues);
* attCert.setPcrValues(pcrValues);
*
* @param identityClaim the request to process, cannot be null
* @return an identity claim response for the specified request containing a wrapped blob
*/
@ -147,7 +145,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
}
}
ByteString blobStr = ByteString.copyFrom(new byte[]{});
ByteString blobStr = ByteString.copyFrom(new byte[] {});
if (validationResult == AppraisalStatus.Status.PASS) {
RSAPublicKey akPub = ProvisionUtils.parsePublicKey(claim.getAkPublicArea().toByteArray());
byte[] nonce = ProvisionUtils.generateRandomBytes(NONCE_LENGTH);
@ -195,7 +193,8 @@ public class IdentityClaimProcessor extends AbstractProcessor {
private AppraisalStatus.Status doSupplyChainValidation(
final ProvisionerTpm2.IdentityClaim claim, final PublicKey ekPub) {
// attempt to find an endorsement credential to validate
EndorsementCredential endorsementCredential = parseEcFromIdentityClaim(claim, ekPub, certificateRepository);
EndorsementCredential endorsementCredential =
parseEcFromIdentityClaim(claim, ekPub, certificateRepository);
// attempt to find platform credentials to validate
List<PlatformCredential> platformCredentials = parsePcsFromIdentityClaim(claim,
@ -283,10 +282,10 @@ public class IdentityClaimProcessor extends AbstractProcessor {
/**
* Converts a protobuf DeviceInfo object to a HIRS Utils DeviceInfoReport object.
*
* @param claim the protobuf serialized identity claim containing the device info
* @return a HIRS Utils DeviceInfoReport representation of device info
*/
@SuppressWarnings("methodlength")
private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim claim)
throws NoSuchAlgorithmException {
ProvisionerTpm2.DeviceInfo dv = claim.getDv();
@ -357,7 +356,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
String fileName = "";
Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)");
Matcher matcher;
MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
if (dv.getSwidfileCount() > 0) {
for (ByteString swidFile : dv.getSwidfileList()) {
@ -425,9 +424,10 @@ public class IdentityClaimProcessor extends AbstractProcessor {
if (dv.getLogfileCount() > 0) {
for (ByteString logFile : dv.getLogfileList()) {
try {
support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
support =
(SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())),
ReferenceManifest.SUPPORT_RIM);
ReferenceManifest.SUPPORT_RIM);
if (support == null) {
/*
Either the logFile does not have a corresponding support RIM in the backend
@ -512,8 +512,10 @@ public class IdentityClaimProcessor extends AbstractProcessor {
}
// now update support rim
SupportReferenceManifest dbSupport = (SupportReferenceManifest) referenceManifestRepository
.findByHexDecHashAndRimType(swid.getHashValue(), ReferenceManifest.SUPPORT_RIM);
SupportReferenceManifest dbSupport =
(SupportReferenceManifest) referenceManifestRepository
.findByHexDecHashAndRimType(swid.getHashValue(),
ReferenceManifest.SUPPORT_RIM);
if (dbSupport != null) {
dbSupport.setFileName(swid.getName());
dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion());
@ -584,7 +586,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
dv.getNw().getHostname()));
}
// Get TPM info, currently unimplemented
// Get TPM info, currently unimplemented
TPMInfo tpmInfo = new TPMInfo(DeviceInfoEnums.NOT_SPECIFIED,
(short) 0,
(short) 0,
@ -628,7 +630,8 @@ public class IdentityClaimProcessor extends AbstractProcessor {
}
if (baseSupportRim != null
&& referenceDigestValueRepository.findBySupportRimHash(baseSupportRim.getHexDecHash()).isEmpty()) {
&& referenceDigestValueRepository.findBySupportRimHash(baseSupportRim.getHexDecHash())
.isEmpty()) {
try {
TCGEventLog logProcessor = new TCGEventLog(baseSupportRim.getRimBytes());
ReferenceDigestValue rdv;
@ -688,7 +691,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
log.error(String.format("Patching value does not exist (%s)",
patchedValue));
} else {
// WIP - Until we get patch examples
// WIP - Until we get patch examples
dbRdv.setPatched(true);
}
}
@ -721,7 +724,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
}
private int handleDeviceComponents(final String hostName, final String paccorString) {
int deviceComponents = 0 ;
int deviceComponents = 0;
Map<Integer, ComponentInfo> componentInfoMap = new HashMap<>();
try {
List<ComponentInfo> componentInfos = SupplyChainCredentialValidator

63
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/SupplyChainValidationService.java
View File

@ -11,7 +11,11 @@ import hirs.attestationca.persist.entity.manager.ReferenceDigestValueRepository;
import hirs.attestationca.persist.entity.manager.ReferenceManifestRepository;
import hirs.attestationca.persist.entity.manager.SupplyChainValidationRepository;
import hirs.attestationca.persist.entity.manager.SupplyChainValidationSummaryRepository;
import hirs.attestationca.persist.entity.userdefined.*;
import hirs.attestationca.persist.entity.userdefined.Device;
import hirs.attestationca.persist.entity.userdefined.PolicySettings;
import hirs.attestationca.persist.entity.userdefined.ReferenceManifest;
import hirs.attestationca.persist.entity.userdefined.SupplyChainValidation;
import hirs.attestationca.persist.entity.userdefined.SupplyChainValidationSummary;
import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult;
import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential;
import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
@ -27,12 +31,10 @@ import lombok.extern.log4j.Log4j2;
import org.apache.logging.log4j.Level;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.yaml.snakeyaml.events.Event;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
@ -46,28 +48,28 @@ import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS;
@Service
public class SupplyChainValidationService {
private CACredentialRepository caCredentialRepository;
private PolicyRepository policyRepository;
private ReferenceManifestRepository referenceManifestRepository;
private ReferenceDigestValueRepository referenceDigestValueRepository;
private ComponentResultRepository componentResultRepository;
private ComponentAttributeRepository componentAttributeRepository;
private CertificateRepository certificateRepository;
private SupplyChainValidationRepository supplyChainValidationRepository;
private SupplyChainValidationSummaryRepository supplyChainValidationSummaryRepository;
private final CACredentialRepository caCredentialRepository;
private final PolicyRepository policyRepository;
private final ReferenceManifestRepository referenceManifestRepository;
private final ReferenceDigestValueRepository referenceDigestValueRepository;
private final ComponentResultRepository componentResultRepository;
private final ComponentAttributeRepository componentAttributeRepository;
private final CertificateRepository certificateRepository;
private final SupplyChainValidationRepository supplyChainValidationRepository;
private final SupplyChainValidationSummaryRepository supplyChainValidationSummaryRepository;
private UUID provisionSessionId;
/**
* Constructor.
*
* @param caCredentialRepository ca credential repository
* @param policyRepository the policy manager
* @param certificateRepository the cert manager
* @param componentResultRepository the comp result manager
* @param referenceManifestRepository the RIM manager
* @param supplyChainValidationRepository the scv manager
* @param caCredentialRepository ca credential repository
* @param policyRepository the policy manager
* @param certificateRepository the cert manager
* @param componentResultRepository the comp result manager
* @param referenceManifestRepository the RIM manager
* @param supplyChainValidationRepository the scv manager
* @param supplyChainValidationSummaryRepository the summary manager
* @param referenceDigestValueRepository the even manager
* @param referenceDigestValueRepository the even manager
*/
@Autowired
@SuppressWarnings("ParameterNumberCheck")
@ -97,13 +99,12 @@ public class SupplyChainValidationService {
* an identity request and validates the supply chain in accordance to the
* current supply chain policy.
*
* @param ec The endorsement credential from the identity request.
* @param pcs The platform credentials from the identity request.
* @param device The device to be validated.
* @param ec The endorsement credential from the identity request.
* @param pcs The platform credentials from the identity request.
* @param device The device to be validated.
* @param componentInfos list of components from the device
* @return A summary of the validation results.
*/
@SuppressWarnings("methodlength")
public SupplyChainValidationSummary validateSupplyChain(final EndorsementCredential ec,
final List<PlatformCredential> pcs,
final Device device,
@ -250,8 +251,8 @@ public class SupplyChainValidationService {
updateComponentStatus(componentResultRepository
.findByCertificateSerialNumberAndBoardSerialNumber(
baseCredential.getSerialNumber().toString(),
baseCredential.getPlatformSerial()));
baseCredential.getSerialNumber().toString(),
baseCredential.getPlatformSerial()));
}
if (!attrErrorMessage.isEmpty()) {
//combine platform and platform attributes
@ -323,9 +324,10 @@ public class SupplyChainValidationService {
deviceName));
} else {
ReferenceManifest manifest = referenceManifestRepository
.findByHexDecHashAndRimType(sRim.getEventLogHash(), ReferenceManifest.MEASUREMENT_RIM);
.findByHexDecHashAndRimType(sRim.getEventLogHash(),
ReferenceManifest.MEASUREMENT_RIM);
if (manifest instanceof EventLogMeasurements) {
eventLog = (EventLogMeasurements)manifest;
eventLog = (EventLogMeasurements) manifest;
}
}
if (eventLog == null) {
@ -357,7 +359,8 @@ public class SupplyChainValidationService {
BaseReferenceManifest bRim = null;
if (sRim != null && sRim.getAssociatedRim() != null) {
Optional<ReferenceManifest> oRim = referenceManifestRepository.findById(sRim.getAssociatedRim());
Optional<ReferenceManifest> oRim =
referenceManifestRepository.findById(sRim.getAssociatedRim());
if (oRim.isPresent()) {
ReferenceManifest rim = oRim.get();
if (rim instanceof BaseReferenceManifest) {
@ -375,7 +378,8 @@ public class SupplyChainValidationService {
Optional<SupplyChainValidationSummary> previousOpt
//= this.supplyChainValidationSummaryRepository.findByDevice(deviceName);
//= this.supplyChainValidationSummaryRepository.findByDevice(device);
= this.supplyChainValidationSummaryRepository.findById(UUID.fromString(device.getSummaryId()));
= this.supplyChainValidationSummaryRepository.findById(
UUID.fromString(device.getSummaryId()));
if (previousOpt.isPresent()) {
SupplyChainValidationSummary previous = previousOpt.get();
for (SupplyChainValidation scv : previous.getValidations()) {
@ -421,6 +425,7 @@ public class SupplyChainValidationService {
* If the platform attributes policy is enabled, this method updates the matched
* status for the component result. This is done so that the details page for the
* platform certificate highlights the title card red.
*
* @param componentResults list of associated component results
*/
private void updateComponentStatus(final List<ComponentResult> componentResults) {

26
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java
View File

@ -49,10 +49,11 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
private static final String LC_UNKNOWN = "unknown";
/**
* Validates platform credential attributes v1 p2.
*
* @param platformCredential
* @param deviceInfoReport
* @return
* @param platformCredential platform credential
* @param deviceInfoReport device information report
* @return an appraisal status
*/
public static AppraisalStatus validatePlatformCredentialAttributesV1p2(
final PlatformCredential platformCredential,
@ -159,7 +160,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
* @param componentAttributeRepository db access to component attribute match status
* @param componentInfos list of device components
* @param provisionSessionId UUID associated with the SCV Summary
* @param ignoreRevisionAttribute policy flag to ignore the revision attribute
* @param ignoreRevisionAttribute policy flag to ignore the revision attribute
* @return either PASS or FAIL
*/
public static AppraisalStatus validatePlatformCredentialAttributesV2p0(
@ -275,10 +276,10 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
numOfAttributes = attributeResults.size();
boolean saveAttributeResult;
for (ComponentAttributeResult componentAttributeResult : attributeResults) {
saveAttributeResult = true;
saveAttributeResult = true;
if (ignoreRevisionAttribute) {
saveAttributeResult = !componentAttributeResult.getAttribute()
.equalsIgnoreCase(ComponentResult.ATTRIBUTE_REVISION);
saveAttributeResult = !componentAttributeResult.getAttribute()
.equalsIgnoreCase(ComponentResult.ATTRIBUTE_REVISION);
}
if (saveAttributeResult) {
componentAttributeResult.setProvisionSessionId(provisionSessionId);
@ -318,7 +319,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
* base cert for this specific chain
* @return Appraisal Status of delta being validated.
*/
@SuppressWarnings("methodlength")
static AppraisalStatus validateDeltaAttributesChainV2p0(
final DeviceInfoReport deviceInfoReport,
final Map<PlatformCredential, SupplyChainValidation> deltaMapping,
@ -366,7 +367,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
if (!componentAttributeResults.isEmpty()) {
resultMessage.append(String.format("There are %d errors with Delta "
+ "Components associated with: %s%n",
+ "Components associated with: %s%n",
componentAttributeResults.size(),
deltaCertificates.get(0).getPlatformSerial()));
fieldValidation = false;
@ -856,7 +857,8 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
/**
* This method uses a specific hash to match device components with certificate components.
* @param componentInfos list of device component infos
*
* @param componentInfos list of device component infos
* @param compiledComponentList list of the remaining unmatched component results
* @return remaining component results not matched
*/
@ -892,7 +894,8 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
/**
* This method is used to find matches based on the component class value.
* @param componentInfos list of device component infos
*
* @param componentInfos list of device component infos
* @param remainingComponentResults list of the remaining unmatched component results
* @return a generated list of component attributes results
*/
@ -1019,7 +1022,6 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
}
/**
*
* @param deltaCertificates
* @param componentResultRepository
* @param componentAttributeRepository

37
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java
View File

@ -12,8 +12,8 @@ import hirs.attestationca.persist.entity.userdefined.rim.EventLogMeasurements;
import hirs.attestationca.persist.entity.userdefined.rim.ReferenceDigestValue;
import hirs.attestationca.persist.enums.AppraisalStatus;
import hirs.attestationca.persist.service.ValidationService;
import hirs.utils.rim.ReferenceManifestValidator;
import hirs.utils.SwidResource;
import hirs.utils.rim.ReferenceManifestValidator;
import hirs.utils.tpm.eventlog.TCGEventLog;
import hirs.utils.tpm.eventlog.TpmPcrEvent;
import lombok.extern.log4j.Log4j2;
@ -24,7 +24,12 @@ import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL;
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS;
@ -35,7 +40,6 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
private static PcrValidator pcrValidator;
/**
*
* @param device
* @param policySettings
* @param referenceManifestRepository
@ -43,7 +47,7 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
* @param caCredentialRepository
* @return
*/
@SuppressWarnings("methodlength")
public static AppraisalStatus validateFirmware(
final Device device, final PolicySettings policySettings,
final ReferenceManifestRepository referenceManifestRepository,
@ -66,7 +70,8 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
// In this case, try to look up the event log associated with the device, then get the base rim associated by event log hash
List<ReferenceManifest> deviceRims = referenceManifestRepository.findByDeviceName(hostName);
for (ReferenceManifest deviceRim : deviceRims) {
if (deviceRim instanceof BaseReferenceManifest && !deviceRim.isSwidSupplemental() && !deviceRim.isSwidPatch()) {
if (deviceRim instanceof BaseReferenceManifest && !deviceRim.isSwidSupplemental() &&
!deviceRim.isSwidPatch()) {
baseReferenceManifest = (BaseReferenceManifest) deviceRim;
}
@ -77,7 +82,9 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
// Attempt to get an event log from the database matching the expected hash
if (baseReferenceManifest == null && measurement != null) {
baseReferenceManifest = (BaseReferenceManifest)referenceManifestRepository.findByEventLogHashAndRimType(measurement.getHexDecHash(), ReferenceManifest.BASE_RIM);
baseReferenceManifest =
(BaseReferenceManifest) referenceManifestRepository.findByEventLogHashAndRimType(
measurement.getHexDecHash(), ReferenceManifest.BASE_RIM);
}
String failedString = "";
@ -101,7 +108,7 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
if (passed) {
List<SwidResource> resources =
((BaseReferenceManifest) baseReferenceManifest).getFileResources();
baseReferenceManifest.getFileResources();
fwStatus = new AppraisalStatus(PASS,
SupplyChainCredentialValidator.FIRMWARE_VALID);
@ -131,20 +138,22 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
try {
certs.add(cac.getX509Certificate());
} catch (IOException e) {
log.error("Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": "
+ e.getMessage());
log.error(
"Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": "
+ e.getMessage());
}
}
referenceManifestValidator.setTrustStore(certs);
try {
if (referenceManifestValidator.validateXmlSignature(signingCert.getX509Certificate().getPublicKey(),
signingCert.getSubjectKeyIdString(), signingCert.getEncodedPublicKey())) {
if (referenceManifestValidator.validateXmlSignature(
signingCert.getX509Certificate().getPublicKey(),
signingCert.getSubjectKeyIdString(), signingCert.getEncodedPublicKey())) {
try {
if (!SupplyChainCredentialValidator.verifyCertificate(
signingCert.getX509Certificate(), keyStore)) {
signingCert.getX509Certificate(), keyStore)) {
passed = false;
fwStatus = new AppraisalStatus(FAIL,
"Firmware validation failed: invalid certificate path.");
"Firmware validation failed: invalid certificate path.");
}
} catch (IOException ioEx) {
log.error("Error getting X509 cert from manager: " + ioEx.getMessage());
@ -268,7 +277,7 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
}
if (fwStatus.getAppStatus().equals(FAIL)) {
fwStatus = new AppraisalStatus(FAIL, String.format("%s%n%s",
fwStatus.getMessage(), sb.toString()));
fwStatus.getMessage(), sb));
} else {
fwStatus = new AppraisalStatus(FAIL,
sb.toString(), ReferenceManifest.MEASUREMENT_RIM);

4
config/checkstyle/checkstyle.xml
View File

@ -133,7 +133,9 @@
<!-- Checks for Size Violations. -->
<!-- See https://checkstyle.org/checks/sizes/index.html -->
<module name="MethodLength"/>
<module name="MethodLength">
<property name="max" value="300"/>
</module>
<!-- Checks for whitespace -->
<!-- See https://checkstyle.org/checks/whitespace/index.html -->