ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-19 21:17:59 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

issue_847: Added javadoc comments + params to the rest of the repo classes, cleaned up imports, and made more styling changes.

Browse Source
This commit is contained in:
TheSilentCoder 2024-10-17 17:12:58 -04:00
parent 59f50212f1
commit 63521a4075
21 changed files with 977 additions and 671 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/CertificateRepository.java
View File

@ -29,7 +29,7 @@ public interface CertificateRepository extends JpaRepository<Certificate, UUID>
* Query that retrieves a list of certificates using the provided subject and dtype. * Query that retrieves a list of certificates using the provided subject and dtype.
* *
* @param subject subject * @param subject subject
* @param dType d type * @param dType dtype
* @return a list of certificates * @return a list of certificates
*/ */
@Query(value = "SELECT * FROM Certificate where subject = ?1 AND DTYPE = ?2", nativeQuery = true) @Query(value = "SELECT * FROM Certificate where subject = ?1 AND DTYPE = ?2", nativeQuery = true)
@ -38,100 +38,107 @@ public interface CertificateRepository extends JpaRepository<Certificate, UUID>
/** /**
* Query that retrieves a sorted list of certificates using the provided subject and dtype. * Query that retrieves a sorted list of certificates using the provided subject and dtype.
* *
* @param subjectSorted * @param subjectSorted subject
* @param dType * @param dType dtype
* @return a list of sorted certificates * @return a list of sorted certificates
*/ */
@Query(value = "SELECT * FROM Certificate where subjectSorted = ?1 AND DTYPE = ?2", nativeQuery = true) @Query(value = "SELECT * FROM Certificate where subjectSorted = ?1 AND DTYPE = ?2", nativeQuery = true)
List<Certificate> findBySubjectSorted(String subjectSorted, String dType); List<Certificate> findBySubjectSorted(String subjectSorted, String dType);
/** /**
* Query that retrieves a * Query that retrieves a list of certificates using the provided dtype.
* *
* @param dType * @param dType dtype
* @return * @return a list of certificates
*/ */
@Query(value = "SELECT * FROM Certificate where DTYPE = ?1", nativeQuery = true) @Query(value = "SELECT * FROM Certificate where DTYPE = ?1", nativeQuery = true)
List<Certificate> findByType(String dType); List<Certificate> findByType(String dType);
/** /**
* Query that retrieves a * Query that retrieves a list of certificates using the provided serial number and dtype.
* *
* @param serialNumber * @param serialNumber serial number
* @param dType * @param dType dtype
* @return * @return a certificate
*/ */
@Query(value = "SELECT * FROM Certificate where serialNumber = ?1 AND DTYPE = ?2", nativeQuery = true) @Query(value = "SELECT * FROM Certificate where serialNumber = ?1 AND DTYPE = ?2", nativeQuery = true)
Certificate findBySerialNumber(BigInteger serialNumber, String dType); Certificate findBySerialNumber(BigInteger serialNumber, String dType);
/** /**
* Query that retrieves a * Query that retrieves a list of platform credentials using the provided board serial number
* and a dtype of "Platform Credential".
* *
* @param boardSerialNumber * @param boardSerialNumber board serial number
* @return * @return a list of platform credentials
*/ */
@Query(value = "SELECT * FROM Certificate where platformSerial = ?1 AND DTYPE = 'PlatformCredential'", nativeQuery = true) @Query(value = "SELECT * FROM Certificate where platformSerial = ?1 AND DTYPE = 'PlatformCredential'",
nativeQuery = true)
List<PlatformCredential> byBoardSerialNumber(String boardSerialNumber); List<PlatformCredential> byBoardSerialNumber(String boardSerialNumber);
/** /**
* Query that retrieves a * Query that retrieves a platform credential using the provided holder serial number
* and a dtype of "Platform Credential".
* *
* @param holderSerialNumber * @param holderSerialNumber holder serial number
* @return * @return platform credential
*/ */
@Query(value = "SELECT * FROM Certificate where holderSerialNumber = ?1 AND DTYPE = 'PlatformCredential'", nativeQuery = true) @Query(value = "SELECT * FROM Certificate where holderSerialNumber = ?1 AND DTYPE = 'PlatformCredential'",
nativeQuery = true)
PlatformCredential getPcByHolderSerialNumber(BigInteger holderSerialNumber); PlatformCredential getPcByHolderSerialNumber(BigInteger holderSerialNumber);
/** /**
* Query that retrieves a * Query that retrieves a list of platform credentials using the provided holder serial number
* and a dtype of "Platform Credential".
* *
* @param holderSerialNumber * @param holderSerialNumber holder serial numberz
* @return * @return a list of platform credentials
*/ */
@Query(value = "SELECT * FROM Certificate where holderSerialNumber = ?1 AND DTYPE = 'PlatformCredential'", nativeQuery = true) @Query(value = "SELECT * FROM Certificate where holderSerialNumber = ?1 AND DTYPE = 'PlatformCredential'",
nativeQuery = true)
List<PlatformCredential> getByHolderSerialNumber(BigInteger holderSerialNumber); List<PlatformCredential> getByHolderSerialNumber(BigInteger holderSerialNumber);
/** /**
* Query that retrieves a * Query that retrieves a certificate using the provided certificate hash and dtype.
* *
* @param certificateHash * @param certificateHash integer certificate hash
* @param dType * @param dType dtype
* @return * @return a certificate
*/ */
@Query(value = "SELECT * FROM Certificate where certificateHash = ?1 AND DTYPE = ?2", nativeQuery = true) @Query(value = "SELECT * FROM Certificate where certificateHash = ?1 AND DTYPE = ?2", nativeQuery = true)
Certificate findByCertificateHash(int certificateHash, String dType); Certificate findByCertificateHash(int certificateHash, String dType);
/** /**
* Query that retrieves a * Query that retrieves an endorssement credential using the provided public key modulus hex value.
* *
* @param publicKeyModulusHexValue * @param publicKeyModulusHexValue public key modulus hex value
* @return * @return an endorsement credential
*/ */
EndorsementCredential findByPublicKeyModulusHexValue(String publicKeyModulusHexValue); EndorsementCredential findByPublicKeyModulusHexValue(String publicKeyModulusHexValue);
/** /**
* Query that retrieves a * Query that retrieves an issued attestation certificate using the provided device id.
* *
* @param deviceId * @param deviceId uuid representation of the device id
* @return * @return an issued attestation certificate
*/ */
IssuedAttestationCertificate findByDeviceId(UUID deviceId); IssuedAttestationCertificate findByDeviceId(UUID deviceId);
/** /**
* Query that retrieves a * Query that retrieves a list of issued attestation certificates using the provided device id,
* isLDevID value and sort value.
* *
* @param deviceId * @param deviceId device id
* @param isLDevID * @param isLDevID is it a LDevId
* @param sort * @param sort sort
* @return * @return a list of issued attestation certificates
*/ */
List<IssuedAttestationCertificate> findByDeviceIdAndIsLDevID(UUID deviceId, boolean isLDevID, Sort sort); List<IssuedAttestationCertificate> findByDeviceIdAndIsLDevID(UUID deviceId, boolean isLDevID, Sort sort);
/** /**
* Query that retrieves a * Query that retrieves a certificates using the provided certificate hash.
* *
* @param certificateHash * @param certificateHash integer certificate hash
* @return * @return a certificate
*/ */
Certificate findByCertificateHash(int certificateHash); Certificate findByCertificateHash(int certificateHash);
} }

32
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/EndorsementCredentialRepository.java
View File

@ -14,43 +14,43 @@ import java.util.UUID;
public interface EndorsementCredentialRepository extends JpaRepository<EndorsementCredential, UUID> { public interface EndorsementCredentialRepository extends JpaRepository<EndorsementCredential, UUID> {
/** /**
* Query that retrieves a * Query that retrieves a list of endorsement credentials using the provided archive flag.
* *
* @param archiveFlag * @param archiveFlag archive flag
* @return * @return a list of endorsement credentials
*/ */
List<EndorsementCredential> findByArchiveFlag(boolean archiveFlag); List<EndorsementCredential> findByArchiveFlag(boolean archiveFlag);
/** /**
* Query that retrieves a * Query that retrieves a page of endorsement credentials using provided archive flag and pageable value.
* *
* @param archiveFlag * @param archiveFlag archive flag
* @param pageable * @param pageable pageable value
* @return * @return a page of endorsement credentials
*/ */
Page<EndorsementCredential> findByArchiveFlag(boolean archiveFlag, Pageable pageable); Page<EndorsementCredential> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
/** /**
* Query that retrieves a * Query that retrieves an endorsement credential using the provided holder serial number.
* *
* @param holderSerialNumber * @param holderSerialNumber big integer representation of the holder serial number
* @return * @return an endorsement credential
*/ */
EndorsementCredential findByHolderSerialNumber(BigInteger holderSerialNumber); EndorsementCredential findByHolderSerialNumber(BigInteger holderSerialNumber);
/** /**
* Query that retrieves a * Query that retrieves an endorsement credential using the provided serial number.
* *
* @param serialNumber * @param serialNumber big integer representation of the serial number
* @return * @return an endorsement credential
*/ */
EndorsementCredential findBySerialNumber(BigInteger serialNumber); EndorsementCredential findBySerialNumber(BigInteger serialNumber);
/** /**
* Query that retrieves a * Query that retrieves a list of endorsement credentials using the provided device id.
* *
* @param deviceId * @param deviceId uuid representation of the device id
* @return * @return an endorsement credential
*/ */
List<EndorsementCredential> findByDeviceId(UUID deviceId); List<EndorsementCredential> findByDeviceId(UUID deviceId);
} }

72
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/IDevIDCertificateRepository.java
View File

@ -13,26 +13,70 @@ import java.util.UUID;
public interface IDevIDCertificateRepository extends JpaRepository<IDevIDCertificate, UUID> { public interface IDevIDCertificateRepository extends JpaRepository<IDevIDCertificate, UUID> {
/** /**
* Query that retrieves a * Query that retrieves a list of IDevId certificates using the provided archive flag.
* *
* @param archiveFlag * @param archiveFlag archive flag
* @return * @return a list of IDevId certificates
*/ */
List<IDevIDCertificate> findByArchiveFlag(boolean archiveFlag); List<IDevIDCertificate> findByArchiveFlag(boolean archiveFlag);
/** /**
* Query that retrieves a * Query that retrieves a page of IDevId certificates using the provided archive flag and pageable value.
* *
* @param archiveFlag * @param archiveFlag archive flag
* @param pageable * @param pageable pageable value
* @return * @return a page of IDevId certificates
*/ */
Page<IDevIDCertificate> findByArchiveFlag(boolean archiveFlag, Pageable pageable); Page<IDevIDCertificate> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
/*List<IDevIDCertificate> findBySubject(String subject);
List<IDevIDCertificate> findBySubjectSorted(String subject); /**
List<IDevIDCertificate> findBySubjectAndArchiveFlag(String subject, boolean archiveFlag); * Query that retrieves a list of IDevId certificates using the provided subject.
List<IDevIDCertificate> findBySubjectSortedAndArchiveFlag(String subject, boolean archiveFlag); *
IDevIDCertificate findBySubjectKeyIdentifier(byte[] subjectKeyIdentifier); * @param subject string representation of the subject
IDevIDCertificate findBySubjectKeyIdStringAndArchiveFlag(String subjectKeyIdString, boolean archiveFlag); * @return a list of IDevId certificates
*/ */
} List<IDevIDCertificate> findBySubject(String subject);
/**
* Query that retrieves a sorted list of IDevId certificates using the provided subject.
*
* @param subject string representation of the subject
* @return a sorted list of IDevId certificates
*/
List<IDevIDCertificate> findBySubjectSorted(String subject);
/**
* Query that retrieves a list of IDevId certificates using the provided subject and archive flag.
*
* @param subject string representation of the subject
* @param archiveFlag archive flag
* @return a list of IDevId certificates
*/
List<IDevIDCertificate> findBySubjectAndArchiveFlag(String subject, boolean archiveFlag);
/**
* Query that retrieves a sorted list of IDevId certificates using the provided subject and archive flag.
*
* @param subject string representation of the subject
* @param archiveFlag archive flag
* @return a sorted list of IDevId certificates
*/
List<IDevIDCertificate> findBySubjectSortedAndArchiveFlag(String subject, boolean archiveFlag);
/**
* Query that retrieves an IDevId certificate using the provided subject key identifier.
*
* @param subjectKeyIdentifier byte representation of the subject key identifier
* @return an IDevId certificate
*/
IDevIDCertificate findBySubjectKeyIdentifier(byte[] subjectKeyIdentifier);
/**
* Query that retrieves an IDevId certificate using the provided subject key and archive flag.
*
* @param subjectKeyIdString string representation of the subject key id
* @param archiveFlag archive flag
* @return an IDevId certificate
*/
IDevIDCertificate findBySubjectKeyIdStringAndArchiveFlag(String subjectKeyIdString, boolean archiveFlag);
}

23
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/IssuedCertificateRepository.java
View File

@ -13,25 +13,28 @@ import java.util.UUID;
public interface IssuedCertificateRepository extends JpaRepository<IssuedAttestationCertificate, UUID> { public interface IssuedCertificateRepository extends JpaRepository<IssuedAttestationCertificate, UUID> {
/** /**
* Query that retrieves a * Query that retrieves a list of issued attestation certificates using the provided archive flag.
* *
* @param archiveFlag * @param archiveFlag archive flag
* @return * @return a list of issued attestation certificates
*/ */
List<IssuedAttestationCertificate> findByArchiveFlag(boolean archiveFlag); List<IssuedAttestationCertificate> findByArchiveFlag(boolean archiveFlag);
/** /**
* Query that retrieves a * Query that retrieves a page of issued attestation certificates using the provided archive flag
* and pageable value.
* *
* @param archiveFlag * @param archiveFlag archive flag
* @param pageable * @param pageable pageable value
* @return * @return a page of issued attestation certificates
*/ */
Page<IssuedAttestationCertificate> findByArchiveFlag(boolean archiveFlag, Pageable pageable); Page<IssuedAttestationCertificate> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
/** /**
* @param deviceId * Query that retrieves a list of issued attestation certificates using the provided device id.
* @return *
* @param deviceId uuid representation of the device id
* @return a list of issued attestation certificates
*/ */
List<IssuedAttestationCertificate> findByDeviceId(UUID deviceId); List<IssuedAttestationCertificate> findByDeviceId(UUID deviceId);
} }

21
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/PlatformCertificateRepository.java
View File

@ -13,27 +13,28 @@ import java.util.UUID;
public interface PlatformCertificateRepository extends JpaRepository<PlatformCredential, UUID> { public interface PlatformCertificateRepository extends JpaRepository<PlatformCredential, UUID> {
/** /**
* Query that retrieves a * Query that retrieves a list of platform credentials using the provided archive flag.
* *
* @param archiveFlag * @param archiveFlag archive flag
* @return * @return a list of platform credentials
*/ */
List<PlatformCredential> findByArchiveFlag(boolean archiveFlag); List<PlatformCredential> findByArchiveFlag(boolean archiveFlag);
/** /**
* Query that retrieves a * Query that retrieves a page of platform credentials using the provided archive flag
* and pageable value.
* *
* @param archiveFlag * @param archiveFlag archive flag
* @param pageable * @param pageable pageable
* @return * @return a page of platform credentials
*/ */
Page<PlatformCredential> findByArchiveFlag(boolean archiveFlag, Pageable pageable); Page<PlatformCredential> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
/** /**
* Query that retrieves a * Query that retrieves a list of platform credentials using the provided device id.
* *
* @param deviceId * @param deviceId uuid representation of the device id
* @return * @return a list of platform credentials
*/ */
List<PlatformCredential> findByDeviceId(UUID deviceId); List<PlatformCredential> findByDeviceId(UUID deviceId);
} }

38
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceDigestValueRepository.java
View File

@ -11,51 +11,51 @@ import java.util.UUID;
public interface ReferenceDigestValueRepository extends JpaRepository<ReferenceDigestValue, UUID> { public interface ReferenceDigestValueRepository extends JpaRepository<ReferenceDigestValue, UUID> {
/** /**
* Query that retrieves a * Query that retrieves a list of reference digest values using the provided model.
* *
* @param model * @param model string representation of the model
* @return * @return a list of reference digest values
*/ */
List<ReferenceDigestValue> findByModel(String model); List<ReferenceDigestValue> findByModel(String model);
/** /**
* Query that retrieves a * Query that retrieves a list of reference digest values using the provided manufacturer.
* *
* @param manufacturer * @param manufacturer string representation of the manufacturer
* @return * @return a list of reference digest values
*/ */
List<ReferenceDigestValue> findByManufacturer(String manufacturer); List<ReferenceDigestValue> findByManufacturer(String manufacturer);
/** /**
* Query that retrieves a * Query that retrieves a list of reference digest values using the provided associated rim id.
* *
* @param associatedRimId * @param associatedRimId uuid representation of the associated rim ID
* @return * @return a list of reference digest values
*/ */
List<ReferenceDigestValue> findValuesByBaseRimId(UUID associatedRimId); List<ReferenceDigestValue> findValuesByBaseRimId(UUID associatedRimId);
/** /**
* Query that retrieves a * Query that retrieves a list of reference digest values using the provided support rim id.
* *
* @param supportRimId * @param supportRimId uuid representation of the support rim ID
* @return * @return a list of reference digest values
*/ */
List<ReferenceDigestValue> findBySupportRimId(UUID supportRimId); List<ReferenceDigestValue> findBySupportRimId(UUID supportRimId);
/** /**
* Query that retrieves a * Query that retrieves a list of reference digest values using the provided support rim hash.
* *
* @param supportRimHash * @param supportRimHash a string representation of the support rim hash
* @return * @return a list of reference digest values
*/ */
List<ReferenceDigestValue> findBySupportRimHash(String supportRimHash); List<ReferenceDigestValue> findBySupportRimHash(String supportRimHash);
/** /**
* Query that retrieves a * Query that retrieves a list of reference digest values using the provided manufacturer and model.
* *
* @param manufacturer * @param manufacturer string representation of the manufacturer
* @param model * @param model string representation of the model
* @return * @return a list of reference digest values
*/ */
List<ReferenceDigestValue> findByManufacturerAndModel(String manufacturer, String model); List<ReferenceDigestValue> findByManufacturerAndModel(String manufacturer, String model);
} }

169
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceManifestRepository.java
View File

@ -16,159 +16,192 @@ import java.util.UUID;
@Repository @Repository
public interface ReferenceManifestRepository extends JpaRepository<ReferenceManifest, UUID> { public interface ReferenceManifestRepository extends JpaRepository<ReferenceManifest, UUID> {
/** /**
* Query that retrieves a * Query that retrieves a reference manifest using the provided hex/dec hash.
* *
* @param hexDecHash * @param hexDecHash string representation of the hex dec hash
* @return * @return a reference manifest
*/ */
ReferenceManifest findByHexDecHash(String hexDecHash); ReferenceManifest findByHexDecHash(String hexDecHash);
/** /**
* Query that retrieves a * Query that retrieves a reference manifest using the provided base 64 hash.
* *
* @param base64Hash * @param base64Hash string representation of the base 64 hash
* @return * @return a reference manifest
*/ */
ReferenceManifest findByBase64Hash(String base64Hash); ReferenceManifest findByBase64Hash(String base64Hash);
/** /**
* @param hexDecHash * Query that retrieves a reference manifest using the provided hex/dec hash and rim type.
* @param rimType *
* @return * @param hexDecHash string representation of the hex dec hash
* @param rimType string representation of the rim type
* @return a reference manifest
*/ */
ReferenceManifest findByHexDecHashAndRimType(String hexDecHash, String rimType); ReferenceManifest findByHexDecHashAndRimType(String hexDecHash, String rimType);
/** /**
* @param hexDecHash * Query that retrieves a reference manifest using the provided event log hash and rim type.
* @param rimType *
* @return * @param hexDecHash string representation of the event log hash
* @param rimType string representation of the rim type
* @return a reference manifest
*/ */
ReferenceManifest findByEventLogHashAndRimType(String hexDecHash, String rimType); ReferenceManifest findByEventLogHashAndRimType(String hexDecHash, String rimType);
/** /**
* @param manufacturer * Query that retrieves a list of base reference manifests using the provided manufacturer and model
* @param model * and where the rim type is equal to base.
* @return *
* @param manufacturer string representation of platform manufacturer
* @param model string representation of platform model
* @return a list of base reference manifests
*/ */
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 AND rimType = 'Base'", nativeQuery = true) @Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 "
+ "AND rimType = 'Base'", nativeQuery = true)
List<BaseReferenceManifest> getBaseByManufacturerModel(String manufacturer, String model); List<BaseReferenceManifest> getBaseByManufacturerModel(String manufacturer, String model);
/** /**
* @param manufacturer * Query that retrieves a list of base reference manifests using the provided manufacturer and model.
* @param dType *
* @return * @param manufacturer string representation of platform manufacturer
* @param dType dtype
* @return a list of base reference manifests
*/ */
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND DTYPE = ?2", nativeQuery = true) @Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND DTYPE = ?2",
nativeQuery = true)
List<BaseReferenceManifest> getByManufacturer(String manufacturer, String dType); List<BaseReferenceManifest> getByManufacturer(String manufacturer, String dType);
/** /**
* @param model * Query that retrieves a reference manifest using the provided model and dtype.
* @param dType *
* @return * @param model string representation of platform model
* @param dType dtype
* @return a reference manifest
*/ */
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 AND DTYPE = ?2", nativeQuery = true) @Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 AND DTYPE = ?2",
nativeQuery = true)
ReferenceManifest getByModel(String model, String dType); ReferenceManifest getByModel(String model, String dType);
/** /**
* @return * Query that retrieves a list of base reference manifests where the dtype is a base reference manifest.
*
* @return a list of base reference manifests
*/ */
@Query(value = "SELECT * FROM ReferenceManifest WHERE DTYPE = 'BaseReferenceManifest'", nativeQuery = true) @Query(value = "SELECT * FROM ReferenceManifest WHERE DTYPE = 'BaseReferenceManifest'",
nativeQuery = true)
List<BaseReferenceManifest> findAllBaseRims(); List<BaseReferenceManifest> findAllBaseRims();
/** /**
* Query that retrieves a * Query that retrieves a list of support reference manifests where the dtype is a
* support reference manifest.
* *
* @return * @return a list of support reference manifests
*/ */
@Query(value = "SELECT * FROM ReferenceManifest WHERE DTYPE = 'SupportReferenceManifest'", nativeQuery = true) @Query(value = "SELECT * FROM ReferenceManifest WHERE DTYPE = 'SupportReferenceManifest'",
nativeQuery = true)
List<SupportReferenceManifest> findAllSupportRims(); List<SupportReferenceManifest> findAllSupportRims();
/** /**
* Query that retrieves a * Query that retrieves a base reference manifest using the provided uuid and where the dtype is a
* base reference manifest.
* *
* @param uuid * @param uuid uuid
* @return * @return a base reference manifest
*/ */
@Query(value = "SELECT * FROM ReferenceManifest WHERE id = ?1 AND DTYPE = 'BaseReferenceManifest'", nativeQuery = true) @Query(value = "SELECT * FROM ReferenceManifest WHERE id = ?1 AND DTYPE = 'BaseReferenceManifest'",
nativeQuery = true)
BaseReferenceManifest getBaseRimEntityById(UUID uuid); BaseReferenceManifest getBaseRimEntityById(UUID uuid);
/** /**
* Query that retrieves a * Query that retrieves a support reference manifest using the provided uuid and
* where the dtype is a support reference manifest.
* *
* @param uuid * @param uuid uuid
* @return * @return a support reference manifest
*/ */
@Query(value = "SELECT * FROM ReferenceManifest WHERE id = ?1 AND DTYPE = 'SupportReferenceManifest'", nativeQuery = true) @Query(value = "SELECT * FROM ReferenceManifest WHERE id = ?1 AND DTYPE = 'SupportReferenceManifest'",
nativeQuery = true)
SupportReferenceManifest getSupportRimEntityById(UUID uuid); SupportReferenceManifest getSupportRimEntityById(UUID uuid);
/** /**
* Query that retrieves a * Query that retrieves event log measurements using the provided uuid and where the dtype is an
* event log measurement.
* *
* @param uuid * @param uuid uuid
* @return * @return event log measurements
*/ */
@Query(value = "SELECT * FROM ReferenceManifest WHERE id = ?1 AND DTYPE = 'EventLogMeasurements'", nativeQuery = true) @Query(value = "SELECT * FROM ReferenceManifest WHERE id = ?1 AND DTYPE = 'EventLogMeasurements'",
nativeQuery = true)
EventLogMeasurements getEventLogRimEntityById(UUID uuid); EventLogMeasurements getEventLogRimEntityById(UUID uuid);
/** /**
* Query that retrieves a * Query that retrieves a list of support reference manifests using the provided device name and where the
* dtype is a support reference manifest.
* *
* @param deviceName * @param deviceName string representation of the device name
* @return * @return a list of support reference manifests
*/ */
@Query(value = "SELECT * FROM ReferenceManifest WHERE deviceName = ?1 AND DTYPE = 'SupportReferenceManifest'", nativeQuery = true) @Query(value = "SELECT * FROM ReferenceManifest WHERE deviceName = ?1 "
+ "AND DTYPE = 'SupportReferenceManifest'", nativeQuery = true)
List<SupportReferenceManifest> byDeviceName(String deviceName); List<SupportReferenceManifest> byDeviceName(String deviceName);
/** /**
* Query that retrieves a * Query that retrieves event log measurements using the provided device name and where the dtype is
* event log measurements.
* *
* @param deviceName * @param deviceName string representation of the device name
* @return * @return event log measurements
*/ */
@Query(value = "SELECT * FROM ReferenceManifest WHERE deviceName = ?1 AND DTYPE = 'EventLogMeasurements'", nativeQuery = true) @Query(value = "SELECT * FROM ReferenceManifest WHERE deviceName = ?1 "
+ "AND DTYPE = 'EventLogMeasurements'", nativeQuery = true)
EventLogMeasurements byMeasurementDeviceName(String deviceName); EventLogMeasurements byMeasurementDeviceName(String deviceName);
/** /**
* Query that retrieves a * Query that retrieves a list of support reference manifests using the provided manufacturer and platform
* model and where the rim type is support.
* *
* @param manufacturer * @param manufacturer string representation of platform manufacturer
* @param model * @param model string representation of platform model
* @return * @return a list of support reference manifests
*/ */
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 AND rimType = 'Support'", nativeQuery = true) @Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 "
+ "AND rimType = 'Support'", nativeQuery = true)
List<SupportReferenceManifest> getSupportByManufacturerModel(String manufacturer, String model); List<SupportReferenceManifest> getSupportByManufacturerModel(String manufacturer, String model);
/** /**
* Query that retrieves a * Query that retrieves event log measurements using the provided platform model and where the dtype is
* event log measurements.
* *
* @param model * @param model string representation of platform model.
* @return * @return event log measurements
*/ */
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 AND DTYPE = 'EventLogMeasurements'", nativeQuery = true) @Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 "
+ "AND DTYPE = 'EventLogMeasurements'", nativeQuery = true)
EventLogMeasurements getLogByModel(String model); EventLogMeasurements getLogByModel(String model);
/** /**
* Query that retrieves a * Query that retrieves a list of reference manifests using the provided device name.
* *
* @param deviceName * @param deviceName string representation of device name
* @return * @return a list of reference manifests
*/ */
List<ReferenceManifest> findByDeviceName(String deviceName); List<ReferenceManifest> findByDeviceName(String deviceName);
/** /**
* Query that retrieves a * Query that retrieves a list of reference manifests using the provided archive flag.
* *
* @param archiveFlag * @param archiveFlag archive flag
* @return * @return a list of reference manifests
*/ */
List<ReferenceManifest> findByArchiveFlag(boolean archiveFlag); List<ReferenceManifest> findByArchiveFlag(boolean archiveFlag);
/** /**
* Query that retrieves a * Query that retrieves a page of reference manifests using the provided archive flag and pageable value.
* *
* @param archiveFlag * @param archiveFlag archive flag
* @param pageable * @param pageable pageable
* @return * @return a page of reference manifests
*/ */
Page<ReferenceManifest> findByArchiveFlag(boolean archiveFlag, Pageable pageable); Page<ReferenceManifest> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
} }

4
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/SupplyChainValidationRepository.java
View File

@ -12,7 +12,7 @@ public interface SupplyChainValidationRepository extends JpaRepository<SupplyCha
/** /**
* Query that retrieves a list of supply chain validation using the provided validate type. * Query that retrieves a list of supply chain validation using the provided validate type.
* *
* @param validateType validate type * @param validateType string representation of the validate type
* @return a list of supply chain validation * @return a list of supply chain validation
*/ */
List<SupplyChainValidation> findByValidationType(String validateType); List<SupplyChainValidation> findByValidationType(String validateType);
@ -20,7 +20,7 @@ public interface SupplyChainValidationRepository extends JpaRepository<SupplyCha
/** /**
* Query that retrieves a list of supply chain validation using the provided validation result. * Query that retrieves a list of supply chain validation using the provided validation result.
* *
* @param validationResult validation result * @param validationResult string representation of the validation result
* @return a list of supply chain validation * @return a list of supply chain validation
*/ */
List<SupplyChainValidation> findByValidationResult(String validationResult); List<SupplyChainValidation> findByValidationResult(String validationResult);

17
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/SupplyChainValidationSummaryRepository.java
View File

@ -15,19 +15,26 @@ public interface SupplyChainValidationSummaryRepository
extends JpaRepository<SupplyChainValidationSummary, UUID> { extends JpaRepository<SupplyChainValidationSummary, UUID> {
/** /**
* @param device * Query that retrieves a supply chain validation summary using the provided device.
* @return *
* @param device device
* @return a supply chain validation summary
*/ */
SupplyChainValidationSummary findByDevice(Device device); SupplyChainValidationSummary findByDevice(Device device);
/** /**
* @return * Query that retrieves a list of supply chain validation summaries where the archive flag is false.
*
* @return a list of supply chain validation summary
*/ */
List<SupplyChainValidationSummary> findByArchiveFlagFalse(); List<SupplyChainValidationSummary> findByArchiveFlagFalse();
/** /**
* @param pageable * Query that retrieves a page of supply chain validation summaries using the provided pageable value
* @return * and where the archive flag is false.
*
* @param pageable pageable
* @return a page of supply chain validation summary
*/ */
Page<SupplyChainValidationSummary> findByArchiveFlagFalse(Pageable pageable); Page<SupplyChainValidationSummary> findByArchiveFlagFalse(Pageable pageable);
} }

2
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/TPM2ProvisionerStateRepository.java
View File

@ -10,7 +10,7 @@ public interface TPM2ProvisionerStateRepository extends JpaRepository<TPM2Provis
/** /**
* Query that retrieves the TPM2 Provisioner State using the provided first part of nonce. * Query that retrieves the TPM2 Provisioner State using the provided first part of nonce.
* *
* @param findByFirstPartOfNonce * @param findByFirstPartOfNonce long representation of the first part of nonce
* @return TPM2 Provisioner State * @return TPM2 Provisioner State
*/ */
TPM2ProvisionerState findByFirstPartOfNonce(Long findByFirstPartOfNonce); TPM2ProvisionerState findByFirstPartOfNonce(Long findByFirstPartOfNonce);

485
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/Certificate.java
View File

@ -18,13 +18,11 @@ import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1GeneralizedTime; import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1InputStream; import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1Primitive; import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence; import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERIA5String; import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString; import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERTaggedObject; import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.DLTaggedObject; import org.bouncycastle.asn1.DLTaggedObject;
import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AccessDescription; import org.bouncycastle.asn1.x509.AccessDescription;
@ -79,24 +77,6 @@ import java.util.Objects;
@Entity @Entity
public abstract class Certificate extends ArchivableEntity { public abstract class Certificate extends ArchivableEntity {
/**
* Holds the different certificate types.
*/
public enum CertificateType {
/**
* Basic X509 Certificate.
*/
X509_CERTIFICATE,
/**
* Basic Attribute Certificate.
*/
ATTRIBUTE_CERTIFICATE,
/**
* Invalid Certificate.
*/
INVALID_CERTIFICATE
}
/** /**
* Decimal digit representation of base 16. * Decimal digit representation of base 16.
*/ */
@ -106,6 +86,7 @@ public abstract class Certificate extends ArchivableEntity {
* Min length representing the attribute certificate. * Min length representing the attribute certificate.
*/ */
public static final int MIN_ATTR_CERT_LENGTH = 8; public static final int MIN_ATTR_CERT_LENGTH = 8;
/** /**
* Holds the name of the entity 'ID' field. * Holds the name of the entity 'ID' field.
*/ */
@ -120,52 +101,78 @@ public abstract class Certificate extends ArchivableEntity {
* Holds the name of the 'serialNumber' field. * Holds the name of the 'serialNumber' field.
*/ */
public static final String SERIAL_NUMBER_FIELD = "serialNumber"; public static final String SERIAL_NUMBER_FIELD = "serialNumber";
@Getter
@Column(nullable = false, precision = CertificateVariables.MAX_NUMERIC_PRECISION, scale = 0)
private final BigInteger serialNumber;
/** /**
* Holds the name of the 'issuer' field. * Holds the name of the 'issuer' field.
*/ */
public static final String ISSUER_FIELD = "issuer"; public static final String ISSUER_FIELD = "issuer";
@Getter
@Column(nullable = false)
private final String issuer;
/** /**
* Holds the name of the 'issuerSorted' field. * Holds the name of the 'issuerSorted' field.
*/ */
public static final String ISSUER_SORTED_FIELD = "issuerSorted"; public static final String ISSUER_SORTED_FIELD = "issuerSorted";
@Getter
@Column
private final String issuerSorted;
/** /**
* Holds the name of the 'subject' field. * Holds the name of the 'subject' field.
*/ */
public static final String SUBJECT_FIELD = "subject"; public static final String SUBJECT_FIELD = "subject";
@Getter
@Column(nullable = true)
private final String subject;
/** /**
* Holds the name of the 'subjectSorted' field. * Holds the name of the 'subjectSorted' field.
*/ */
public static final String SUBJECT_SORTED_FIELD = "subjectSorted"; public static final String SUBJECT_SORTED_FIELD = "subjectSorted";
@Getter
@Column
private final String subjectSorted;
/** /**
* Holds the name of the 'encodedPublicKey' field. * Holds the name of the 'encodedPublicKey' field.
*/ */
public static final String ENCODED_PUBLIC_KEY_FIELD = "encodedPublicKey"; public static final String ENCODED_PUBLIC_KEY_FIELD = "encodedPublicKey";
@Column(length = CertificateVariables.MAX_CERT_LENGTH_BYTES, nullable = true)
private final byte[] encodedPublicKey;
/** /**
* Holds the name of the 'encodedPublicKey' field. * Holds the name of the 'encodedPublicKey' field.
*/ */
public static final String PUBLIC_KEY_MODULUS_FIELD = "publicKeyModulusHexValue"; public static final String PUBLIC_KEY_MODULUS_FIELD = "publicKeyModulusHexValue";
/**
* Holds the name of the 'certificateHash' field.
*/
public static final String CERTIFICATE_HASH_FIELD = "certificateHash";
/**
* Holds the name of the 'holderSerialNumber' field.
*/
public static final String HOLDER_SERIAL_NUMBER_FIELD = "holderSerialNumber";
/**
* Holds the name of the 'authorityKeyIdentifier' field.
*/
public static final String AUTHORITY_KEY_ID_FIELD = "authorityKeyIdentifier";
@SuppressWarnings("PMD.AvoidUsingHardCodedIP") // this is not an IP address; PMD thinks it is
private static final String POLICY_CONSTRAINTS = "2.5.29.36";
@Getter
@Column(nullable = false, precision = CertificateVariables.MAX_NUMERIC_PRECISION, scale = 0)
private final BigInteger serialNumber;
@Getter
@Column(nullable = false)
private final String issuer;
@Getter
@Column
private final String issuerSorted;
@Getter
@Column
private final String subject;
@Getter
@Column
private final String subjectSorted;
@Column(length = CertificateVariables.MAX_CERT_LENGTH_BYTES)
private final byte[] encodedPublicKey;
// We're currently seeing 2048-bit keys, which is 512 hex digits. // We're currently seeing 2048-bit keys, which is 512 hex digits.
// Using a max length of 1024 for future-proofing. // Using a max length of 1024 for future-proofing.
@Getter @Getter
@ -181,16 +188,9 @@ public abstract class Certificate extends ArchivableEntity {
@Column(nullable = false) @Column(nullable = false)
private final Date endValidity; private final Date endValidity;
@Column(length = CertificateVariables.MAX_CERT_LENGTH_BYTES*CertificateVariables.KEY_USAGE_BIT4, nullable = false)
@JsonIgnore
private byte[] certificateBytes;
/**
* Holds the name of the 'certificateHash' field.
*/
public static final String CERTIFICATE_HASH_FIELD = "certificateHash";
@Column(nullable = false) @Column(nullable = false)
@JsonIgnore @Getter @JsonIgnore
@Getter
private final int certificateHash; private final int certificateHash;
/** /**
@ -202,42 +202,48 @@ public abstract class Certificate extends ArchivableEntity {
@JsonIgnore @JsonIgnore
private final int certAndTypeHash; private final int certAndTypeHash;
/** @Getter
* Holds the name of the 'holderSerialNumber' field. @Column(nullable = false, precision = CertificateVariables.MAX_NUMERIC_PRECISION)
*/ private final BigInteger holderSerialNumber;
public static final String HOLDER_SERIAL_NUMBER_FIELD = "holderSerialNumber";
@Getter @Getter
@Column(nullable = false, precision = CertificateVariables.MAX_NUMERIC_PRECISION, scale = 0) @Column(precision = CertificateVariables.MAX_NUMERIC_PRECISION)
private final BigInteger holderSerialNumber;
@Getter
private String holderIssuer;
@Getter
@Column(nullable = true, precision = CertificateVariables.MAX_NUMERIC_PRECISION, scale = 0)
private final BigInteger authoritySerialNumber; private final BigInteger authoritySerialNumber;
@SuppressWarnings("PMD.AvoidUsingHardCodedIP") // this is not an IP address; PMD thinks it is @Column(length = CertificateVariables.MAX_CERT_LENGTH_BYTES * CertificateVariables.KEY_USAGE_BIT4,
private static final String POLICY_CONSTRAINTS = "2.5.29.36"; nullable = false)
@JsonIgnore
private byte[] certificateBytes;
@Getter
private String holderIssuer;
// we don't need to persist this, but we don't want to unpack this cert multiple times // we don't need to persist this, but we don't want to unpack this cert multiple times
@Transient @Transient
private X509Certificate parsedX509Cert = null; private X509Certificate parsedX509Cert = null;
@Getter @Getter
private String signatureAlgorithm, publicKeyAlgorithm; private String signatureAlgorithm;
@Getter @Getter
private String keyUsage, extendedKeyUsage; private String publicKeyAlgorithm;
@Getter
private String keyUsage;
@Getter
private String extendedKeyUsage;
private byte[] policyConstraints; private byte[] policyConstraints;
/**
* Holds the name of the 'authorityKeyIdentifier' field.
*/
public static final String AUTHORITY_KEY_ID_FIELD = "authorityKeyIdentifier";
@Getter @Getter
private String authorityKeyIdentifier; private String authorityKeyIdentifier;
@Getter @Getter
private String authorityInfoAccess; private String authorityInfoAccess;
@Getter @Getter
private String crlPoints; private String crlPoints;
@Getter @Getter
private int publicKeySize; private int publicKeySize;
@ -291,7 +297,7 @@ public abstract class Certificate extends ArchivableEntity {
* @param certificateBytes the contents of a certificate file * @param certificateBytes the contents of a certificate file
* @throws IOException if there is a problem extracting information from the certificate * @throws IOException if there is a problem extracting information from the certificate
*/ */
@SuppressWarnings("methodlength")
public Certificate(final byte[] certificateBytes) throws IOException { public Certificate(final byte[] certificateBytes) throws IOException {
Preconditions.checkArgument( Preconditions.checkArgument(
certificateBytes != null, certificateBytes != null,
@ -342,7 +348,7 @@ public abstract class Certificate extends ArchivableEntity {
this.policyConstraints = x509Certificate this.policyConstraints = x509Certificate
.getExtensionValue(POLICY_CONSTRAINTS); .getExtensionValue(POLICY_CONSTRAINTS);
authKeyIdentifier = AuthorityKeyIdentifier authKeyIdentifier = AuthorityKeyIdentifier
.getInstance((DLSequence) getExtensionValue( .getInstance(getExtensionValue(
Extension.authorityKeyIdentifier.getId())); Extension.authorityKeyIdentifier.getId()));
this.authorityInfoAccess = getAuthorityInfoAccess(x509Certificate this.authorityInfoAccess = getAuthorityInfoAccess(x509Certificate
@ -460,6 +466,161 @@ public abstract class Certificate extends ArchivableEntity {
this.certAndTypeHash = Objects.hash(certificateHash, getClass().getSimpleName()); this.certAndTypeHash = Objects.hash(certificateHash, getClass().getSimpleName());
} }
/**
* Gets the raw bytes for the certificate.
*
* @param certificatePath path to the certificate file
* @return bytes from the certificate file
* @throws IOException if there is a problem reading the file
*/
public static byte[] readBytes(final Path certificatePath) throws IOException {
Preconditions.checkArgument(
certificatePath != null,
"Cannot construct a Certificate from a null path"
);
return Files.readAllBytes(certificatePath);
}
/**
* Retrieve a formatted subject DN string from a certificate. This allows for extended support of DNs
* found in various RFCs.
*
* @param certificate the certificate holding subject DNs
* @return IOException if there is an issue decoding the subject DNs
*/
public static String getSubjectDNString(final X509Certificate certificate)
throws IOException {
X509CertificateHolder certificateHolder = null;
try {
certificateHolder = new X509CertificateHolder(certificate.getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("Could not encode certificate", e);
}
X500Name x500Name = certificateHolder.getSubject();
return x500Name.toString();
}
/**
* Retrieve a formatted issuer DN string from a certificate. This allows for extended support of DNs found
* in various RFCs.
*
* @param certificate the certificate holding issuer DNs
* @return IOException if there is an issue decoding the issuer DNs
*/
public static String getIssuerDNString(final X509Certificate certificate)
throws IOException {
X509CertificateHolder certificateHolder = null;
try {
certificateHolder = new X509CertificateHolder(certificate.getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("Could not encode certificate", e);
}
X500Name x500Name = certificateHolder.getIssuer();
return x500Name.toString();
}
/**
* Retrieve an RSA-based X509 certificate's public key modulus.
*
* @param certificate the certificate holding a public key
* @return a BigInteger representing its public key's modulus or null if none found
* @throws IOException if there is an issue decoding the encoded public key
*/
public static BigInteger getPublicKeyModulus(final X509Certificate certificate)
throws IOException {
X509CertificateHolder certificateHolder = null;
try {
certificateHolder = new X509CertificateHolder(certificate.getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("Could not encode certificate", e);
}
try {
return getPublicKeyModulus(
certificateHolder.getSubjectPublicKeyInfo().parsePublicKey().toASN1Primitive()
);
} catch (IOException e) {
log.info("No RSA Key Detected in certificate");
return null;
}
}
/**
* Retrieves the modulus of the given PublicKey.
*
* @param publicKey the public key
* @return a BigInteger representing the public key's modulus
* @throws IOException if there is an issue decoding the public key
*/
public static BigInteger getPublicKeyModulus(final PublicKey publicKey) throws IOException {
ASN1Primitive publicKeyASN1 = ASN1Primitive.fromByteArray(publicKey.getEncoded());
if (publicKeyASN1 instanceof ASN1Sequence publicKeyASN1Sequence) {
ASN1BitString encodedModulusAndExponent = (ASN1BitString)
publicKeyASN1Sequence.getObjectAt(1);
byte[] modulusAndExponentBytes = encodedModulusAndExponent.getOctets();
return getPublicKeyModulus(ASN1Primitive.fromByteArray(modulusAndExponentBytes));
} else {
throw new IOException("Could not read public key as ASN1Sequence");
}
}
private static BigInteger getPublicKeyModulus(final ASN1Primitive publicKey)
throws IOException {
if (publicKey instanceof ASN1Sequence pubKeySeq) {
ASN1Encodable modulus = pubKeySeq.getObjectAt(0);
if (modulus instanceof ASN1Integer) {
return ((ASN1Integer) modulus).getValue();
} else {
throw new IOException("Could not read modulus as an ASN1Integer");
}
} else {
throw new IOException("Could not parse public key information as an ASN1Sequence");
}
}
/**
* Retrieve the X509 Name array from the issuer in an Attribute Certificate.
*
* @param issuer for the Attribute Certificate
* @return a X500Name[] representing the names of the issuer
*/
public static X500Name[] getAttributeCertificateIssuerNames(final AttCertIssuer issuer) {
final ASN1Encodable form = issuer.getIssuer();
GeneralNames name;
if (form instanceof V2Form) {
name = ((V2Form) form).getIssuerName();
} else {
name = (GeneralNames) form;
}
GeneralName[] names = name.getNames();
List<X500Name> l = new ArrayList<>(names.length);
for (int i = 0; i != names.length; i++) {
if (names[i].getTagNo() == GeneralName.directoryName) {
l.add(X500Name.getInstance(names[i].getName()));
}
}
return l.toArray(new X500Name[l.size()]);
}
/**
* Retrieve the Date from an ASN1GeneralizedTime.
*
* @param time (ASN1GeneralizedTime) of the certificate
* @return the Date from a ASN1GeneralizedTime
*/
public static Date recoverDate(final ASN1GeneralizedTime time) {
try {
return time.getDate();
} catch (ParseException e) {
throw new IllegalStateException("unable to recover date: " + e.getMessage());
}
}
/** /**
* Getter for the CRL Distribution that is reference by the Revocation Locator * Getter for the CRL Distribution that is reference by the Revocation Locator
* on the portal. * on the portal.
@ -502,6 +663,7 @@ public abstract class Certificate extends ArchivableEntity {
/** /**
* Getter for the x509 Platform Certificate version. * Getter for the x509 Platform Certificate version.
*
* @return a big integer representing the certificate version. If there * @return a big integer representing the certificate version. If there
* is an error, return the max value to visible show error. * is an error, return the max value to visible show error.
*/ */
@ -519,7 +681,7 @@ public abstract class Certificate extends ArchivableEntity {
* Checks if another certificate is the issuer for this certificate. * Checks if another certificate is the issuer for this certificate.
* *
* @param issuer the other certificate to check (must be an X509Certificate, * @param issuer the other certificate to check (must be an X509Certificate,
* not an X509AttributeCertificateHolder) * not an X509AttributeCertificateHolder)
* @return whether or not the other certificate is the issuer for this certificate * @return whether or not the other certificate is the issuer for this certificate
* @throws IOException if there is an issue deserializing either certificate * @throws IOException if there is an issue deserializing either certificate
*/ */
@ -536,7 +698,7 @@ public abstract class Certificate extends ArchivableEntity {
certX509.verify(issuerX509.getPublicKey()); certX509.verify(issuerX509.getPublicKey());
isIssuer = ""; isIssuer = "";
} catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException } catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException
| NoSuchProviderException | SignatureException e) { | NoSuchProviderException | SignatureException e) {
log.error(e); log.error(e);
} }
break; break;
@ -550,8 +712,8 @@ public abstract class Certificate extends ArchivableEntity {
isIssuer = ""; isIssuer = "";
} }
} catch (NoSuchAlgorithmException } catch (NoSuchAlgorithmException
| InvalidKeyException | InvalidKeyException
| SignatureException sigEx) { | SignatureException sigEx) {
log.error(sigEx); log.error(sigEx);
} }
break; break;
@ -564,7 +726,7 @@ public abstract class Certificate extends ArchivableEntity {
} }
/** /**
* Return whether or not this certificate is valid on a particular date. * Return whether this certificate is valid on a particular date.
* *
* @param date the date of interest. * @param date the date of interest.
* @return true if the attribute certificate is valid, false otherwise. * @return true if the attribute certificate is valid, false otherwise.
@ -601,7 +763,7 @@ public abstract class Certificate extends ArchivableEntity {
protected CertificateType getCertificateType() throws IOException { protected CertificateType getCertificateType() throws IOException {
//Parse the certificate into a sequence //Parse the certificate into a sequence
ASN1Sequence testCred1 = (ASN1Sequence) ASN1Primitive.fromByteArray(this.certificateBytes); ASN1Sequence testCred1 = (ASN1Sequence) ASN1Primitive.fromByteArray(this.certificateBytes);
ASN1Sequence testSeq = (ASN1Sequence) ((ASN1Object) testCred1.toArray()[0]); ASN1Sequence testSeq = (ASN1Sequence) testCred1.toArray()[0];
if (testSeq.toArray()[0] instanceof ASN1Integer) { if (testSeq.toArray()[0] instanceof ASN1Integer) {
if (testSeq.toArray().length >= MIN_ATTR_CERT_LENGTH) { if (testSeq.toArray().length >= MIN_ATTR_CERT_LENGTH) {
@ -611,7 +773,8 @@ public abstract class Certificate extends ArchivableEntity {
// V1 X509Certificate // V1 X509Certificate
return CertificateType.X509_CERTIFICATE; return CertificateType.X509_CERTIFICATE;
} }
} else if (testSeq.toArray()[0] instanceof DERTaggedObject || testSeq.toArray()[0] instanceof DLTaggedObject) { } else if (testSeq.toArray()[0] instanceof DERTaggedObject
|| testSeq.toArray()[0] instanceof DLTaggedObject) {
// V2 or V3 X509Certificate // V2 or V3 X509Certificate
return CertificateType.X509_CERTIFICATE; return CertificateType.X509_CERTIFICATE;
} }
@ -619,7 +782,6 @@ public abstract class Certificate extends ArchivableEntity {
return CertificateType.INVALID_CERTIFICATE; return CertificateType.INVALID_CERTIFICATE;
} }
private String parseKeyUsage(final boolean[] bools) { private String parseKeyUsage(final boolean[] bools) {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
@ -636,6 +798,8 @@ public abstract class Certificate extends ArchivableEntity {
/** /**
* Getter for the authorityKeyIdentifier. * Getter for the authorityKeyIdentifier.
*
* @param aki authority key identifier
* @return the ID's byte representation * @return the ID's byte representation
*/ */
private String authKeyIdentifierToString(final AuthorityKeyIdentifier aki) { private String authKeyIdentifierToString(final AuthorityKeyIdentifier aki) {
@ -655,7 +819,7 @@ public abstract class Certificate extends ArchivableEntity {
* *
* @param oid Object Identifier * @param oid Object Identifier
* @return ASN1Primitive Content related to the requested OID * @return ASN1Primitive Content related to the requested OID
* @throws java.io.IOException * @throws IOException io exception
*/ */
private ASN1Primitive getExtensionValue(final String oid) throws IOException { private ASN1Primitive getExtensionValue(final String oid) throws IOException {
byte[] extensionValue = getX509Certificate().getExtensionValue(oid); byte[] extensionValue = getX509Certificate().getExtensionValue(oid);
@ -684,6 +848,7 @@ public abstract class Certificate extends ArchivableEntity {
/** /**
* Getter for the AuthorityInfoAccess extension value on list format. * Getter for the AuthorityInfoAccess extension value on list format.
* *
* @param authInfoAccess byte representation of the authority info access
* @return List Authority info access list * @return List Authority info access list
*/ */
private String getAuthorityInfoAccess(final byte[] authInfoAccess) { private String getAuthorityInfoAccess(final byte[] authInfoAccess) {
@ -704,6 +869,7 @@ public abstract class Certificate extends ArchivableEntity {
/** /**
* Getter for the AuthorityInfoAccess extension value on list format. * Getter for the AuthorityInfoAccess extension value on list format.
* *
* @param authInfoAccess authority information access
* @return List Authority info access list * @return List Authority info access list
*/ */
private String getAuthorityInfoAccess(final AuthorityInformationAccess authInfoAccess) { private String getAuthorityInfoAccess(final AuthorityInformationAccess authInfoAccess) {
@ -724,7 +890,6 @@ public abstract class Certificate extends ArchivableEntity {
return sb.toString(); return sb.toString();
} }
/** /**
* Retrieve the original X509 attribute certificate. * Retrieve the original X509 attribute certificate.
* *
@ -773,6 +938,7 @@ public abstract class Certificate extends ArchivableEntity {
/** /**
* Getter for the policy statement. * Getter for the policy statement.
*
* @return cloned bit representation of constraints * @return cloned bit representation of constraints
*/ */
public byte[] getPolicyConstraints() { public byte[] getPolicyConstraints() {
@ -837,159 +1003,20 @@ public abstract class Certificate extends ArchivableEntity {
} }
/** /**
* * Holds the different certificate types.
* Gets the raw bytes for the certificate.
* @param certificatePath path to the certificate file
* @return bytes from the certificate file
* @throws IOException if there is a problem reading the file
*/ */
public static byte[] readBytes(final Path certificatePath) throws IOException { public enum CertificateType {
Preconditions.checkArgument( /**
certificatePath != null, * Basic X509 Certificate.
"Cannot construct a Certificate from a null path" */
); X509_CERTIFICATE,
/**
return Files.readAllBytes(certificatePath); * Basic Attribute Certificate.
} */
ATTRIBUTE_CERTIFICATE,
/** /**
* Retrieve a formatted subject DN string from a certificate. This allows for extended support of DNs found in * Invalid Certificate.
* various RFCs. */
* INVALID_CERTIFICATE
* @param certificate the certificate holding subject DNs
* @return IOException if there is an issue decoding the subject DNs
*/
public static String getSubjectDNString(final X509Certificate certificate)
throws IOException {
X509CertificateHolder certificateHolder = null;
try {
certificateHolder = new X509CertificateHolder(certificate.getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("Could not encode certificate", e);
}
X500Name x500Name = certificateHolder.getSubject();
return x500Name.toString();
}
/**
* Retrieve a formatted issuer DN string from a certificate. This allows for extended support of DNs found in
* various RFCs.
*
* @param certificate the certificate holding issuer DNs
* @return IOException if there is an issue decoding the issuer DNs
*/
public static String getIssuerDNString(final X509Certificate certificate)
throws IOException {
X509CertificateHolder certificateHolder = null;
try {
certificateHolder = new X509CertificateHolder(certificate.getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("Could not encode certificate", e);
}
X500Name x500Name = certificateHolder.getIssuer();
return x500Name.toString();
}
/**
* Retrieve an RSA-based X509 certificate's public key modulus.
*
* @param certificate the certificate holding a public key
* @return a BigInteger representing its public key's modulus or null if none found
* @throws IOException if there is an issue decoding the encoded public key
*/
public static BigInteger getPublicKeyModulus(final X509Certificate certificate)
throws IOException {
X509CertificateHolder certificateHolder = null;
try {
certificateHolder = new X509CertificateHolder(certificate.getEncoded());
} catch (CertificateEncodingException e) {
throw new IOException("Could not encode certificate", e);
}
try {
return getPublicKeyModulus(
certificateHolder.getSubjectPublicKeyInfo().parsePublicKey().toASN1Primitive()
);
} catch (IOException e) {
log.info("No RSA Key Detected in certificate");
return null;
}
}
/**
* Retrieves the modulus of the given PublicKey.
*
* @param publicKey the public key
* @return a BigInteger representing the public key's modulus
* @throws IOException if there is an issue decoding the public key
*/
public static BigInteger getPublicKeyModulus(final PublicKey publicKey) throws IOException {
ASN1Primitive publicKeyASN1 = ASN1Primitive.fromByteArray(publicKey.getEncoded());
if (publicKeyASN1 instanceof ASN1Sequence) {
ASN1Sequence publicKeyASN1Sequence = (ASN1Sequence) publicKeyASN1;
ASN1BitString encodedModulusAndExponent = (ASN1BitString)
publicKeyASN1Sequence.getObjectAt(1);
byte[] modulusAndExponentBytes = encodedModulusAndExponent.getOctets();
return getPublicKeyModulus(ASN1Primitive.fromByteArray(modulusAndExponentBytes));
} else {
throw new IOException("Could not read public key as ASN1Sequence");
}
}
private static BigInteger getPublicKeyModulus(final ASN1Primitive publicKey)
throws IOException {
if (publicKey instanceof ASN1Sequence) {
ASN1Sequence pubKeySeq = (ASN1Sequence) publicKey;
ASN1Encodable modulus = pubKeySeq.getObjectAt(0);
if (modulus instanceof ASN1Integer) {
return ((ASN1Integer) modulus).getValue();
} else {
throw new IOException("Could not read modulus as an ASN1Integer");
}
} else {
throw new IOException("Could not parse public key information as an ASN1Sequence");
}
}
/**
* Retrieve the X509 Name array from the issuer in an Attribute Certificate.
*
* @param issuer for the Attribute Certificate
* @return a X500Name[] representing the names of the issuer
*/
public static X500Name[] getAttributeCertificateIssuerNames(final AttCertIssuer issuer) {
final ASN1Encodable form = issuer.getIssuer();
GeneralNames name;
if (form instanceof V2Form) {
name = ((V2Form) form).getIssuerName();
} else {
name = (GeneralNames) form;
}
GeneralName[] names = name.getNames();
List<X500Name> l = new ArrayList<>(names.length);
for (int i = 0; i != names.length; i++) {
if (names[i].getTagNo() == GeneralName.directoryName) {
l.add(X500Name.getInstance(names[i].getName()));
}
}
return (X500Name[]) l.toArray(new X500Name[l.size()]);
}
/**
* Retrieve the Date from an ASN1GeneralizedTime.
*
* @param time (ASN1GeneralizedTime) of the certificate
* @return the Date from a ASN1GeneralizedTime
*/
public static Date recoverDate(final ASN1GeneralizedTime time) {
try {
return time.getDate();
} catch (ParseException e) {
throw new IllegalStateException("unable to recover date: " + e.getMessage());
}
} }
} }

19
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/Device.java
View File

@ -65,6 +65,11 @@ public class Device extends AbstractEntity {
@Column(name = "summary_id") @Column(name = "summary_id")
private String summaryId; private String summaryId;
/**
* Constructor creates a Device object using the provided device info report.
*
* @param deviceInfoReport device information report
*/
public Device(final DeviceInfoReport deviceInfoReport) { public Device(final DeviceInfoReport deviceInfoReport) {
super(); super();
if (deviceInfoReport != null) { if (deviceInfoReport != null) {
@ -94,6 +99,7 @@ public class Device extends AbstractEntity {
/** /**
* Getter for the report time stamp. * Getter for the report time stamp.
*
* @return a cloned version * @return a cloned version
*/ */
public Timestamp getLastReportTimestamp() { public Timestamp getLastReportTimestamp() {
@ -106,12 +112,14 @@ public class Device extends AbstractEntity {
/** /**
* Setter for the report time stamp. * Setter for the report time stamp.
*
* @param lastReportTimestamp * @param lastReportTimestamp
*/ */
public void setLastReportTimestamp(final Timestamp lastReportTimestamp) { public void setLastReportTimestamp(final Timestamp lastReportTimestamp) {
this.lastReportTimestamp = (Timestamp) lastReportTimestamp.clone(); this.lastReportTimestamp = (Timestamp) lastReportTimestamp.clone();
} }
@Override
public String toString() { public String toString() {
return String.format("Device Name: %s%nStatus: %s%nSummary: %s%n", return String.format("Device Name: %s%nStatus: %s%nSummary: %s%n",
name, (healthStatus == null ? "N/A" : healthStatus.getStatus()), name, (healthStatus == null ? "N/A" : healthStatus.getStatus()),
@ -119,13 +127,14 @@ public class Device extends AbstractEntity {
} }
@Override @Override
public boolean equals(Object o) { public boolean equals(final Object o) {
if (this == o) return true; if (this == o) {
if (!(o instanceof Device)) { return true;
}
if (!(o instanceof Device device)) {
return false; return false;
} }
Device device = (Device) o;
return isStateOverridden == device.isStateOverridden return isStateOverridden == device.isStateOverridden
&& Objects.equals(name, device.name) && Objects.equals(name, device.name)
&& healthStatus == device.healthStatus && healthStatus == device.healthStatus
@ -141,4 +150,4 @@ public class Device extends AbstractEntity {
supplyChainValidationStatus, lastReportTimestamp, supplyChainValidationStatus, lastReportTimestamp,
isStateOverridden, overrideReason, summaryId); isStateOverridden, overrideReason, summaryId);
} }
} }

61
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidation.java
View File

@ -2,7 +2,6 @@ package hirs.attestationca.persist.entity.userdefined;
import com.google.common.base.Preconditions; import com.google.common.base.Preconditions;
import hirs.attestationca.persist.entity.ArchivableEntity; import hirs.attestationca.persist.entity.ArchivableEntity;
import hirs.attestationca.persist.entity.userdefined.rim.BaseReferenceManifest;
import hirs.attestationca.persist.enums.AppraisalStatus; import hirs.attestationca.persist.enums.AppraisalStatus;
import jakarta.persistence.Column; import jakarta.persistence.Column;
import jakarta.persistence.Entity; import jakarta.persistence.Entity;
@ -21,48 +20,19 @@ import java.util.List;
*/ */
@Entity @Entity
public class SupplyChainValidation extends ArchivableEntity { public class SupplyChainValidation extends ArchivableEntity {
/**
* Used to indicate which type of validation a result is related to.
*/
public enum ValidationType {
/**
* Validation of an endorsement credential.
*/
ENDORSEMENT_CREDENTIAL,
/**
* Validation of a platform credential and also delta platform credentials from spec 1.1.
*/
PLATFORM_CREDENTIAL,
/**
* Validation of a platform credential's attributes.
*/
PLATFORM_CREDENTIAL_ATTRIBUTES,
/**
* Validation of the device firmware.
*/
FIRMWARE
}
@Getter @Getter
@Column @Column
private final ValidationType validationType; private final ValidationType validationType;
@Getter @Getter
@Column @Column
private final AppraisalStatus.Status validationResult; private final AppraisalStatus.Status validationResult;
@ManyToMany(fetch = FetchType.EAGER) @ManyToMany(fetch = FetchType.EAGER)
@JoinTable(name = "CertificatesUsedToValidate", @JoinTable(name = "CertificatesUsedToValidate",
joinColumns = { @JoinColumn(name = "validation_id", nullable = false) }) joinColumns = {@JoinColumn(name = "validation_id", nullable = false)})
private final List<Certificate> certificatesUsed; private final List<Certificate> certificatesUsed;
@Getter @Getter
@Column(length = RESULT_MESSAGE_LENGTH) @Column(length = RESULT_MESSAGE_LENGTH)
private final String message; private final String message;
@Getter @Getter
@Column @Column
private String rimId; private String rimId;
@ -81,10 +51,10 @@ public class SupplyChainValidation extends ArchivableEntity {
/** /**
* Construct a new SupplyChainValidation instance. * Construct a new SupplyChainValidation instance.
* *
* @param validationType the type of validation this instance will represent; not null * @param validationType the type of validation this instance will represent; not null
* @param validationResult whether the validation was successful or not * @param validationResult whether the validation was successful or not
* @param certificatesUsed certificates used, if any, in the validation process; not null * @param certificatesUsed certificates used, if any, in the validation process; not null
* @param message a related information or error message; may be null * @param message a related information or error message; may be null
*/ */
public SupplyChainValidation(final ValidationType validationType, public SupplyChainValidation(final ValidationType validationType,
final AppraisalStatus.Status validationResult, final AppraisalStatus.Status validationResult,
@ -122,4 +92,29 @@ public class SupplyChainValidation extends ArchivableEntity {
public List<Certificate> getCertificatesUsed() { public List<Certificate> getCertificatesUsed() {
return Collections.unmodifiableList(certificatesUsed); return Collections.unmodifiableList(certificatesUsed);
} }
/**
* Used to indicate which type of validation a result is related to.
*/
public enum ValidationType {
/**
* Validation of an endorsement credential.
*/
ENDORSEMENT_CREDENTIAL,
/**
* Validation of a platform credential and also delta platform credentials from spec 1.1.
*/
PLATFORM_CREDENTIAL,
/**
* Validation of a platform credential's attributes.
*/
PLATFORM_CREDENTIAL_ATTRIBUTES,
/**
* Validation of the device firmware.
*/
FIRMWARE
}
} }

230
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidationSummary.java
View File

@ -32,7 +32,6 @@ import java.util.Set;
import java.util.UUID; import java.util.UUID;
/** /**
* A container class to group multiple related {@link SupplyChainValidation} instances * A container class to group multiple related {@link SupplyChainValidation} instances
* together. * together.
@ -40,12 +39,10 @@ import java.util.UUID;
@Entity @Entity
public class SupplyChainValidationSummary extends ArchivableEntity { public class SupplyChainValidationSummary extends ArchivableEntity {
private static final String DEVICE_ID_FIELD = "device.id";
@ManyToOne @ManyToOne
@JoinColumn(name = "device_id") @JoinColumn(name = "device_id")
private final Device device; private final Device device;
private static final String DEVICE_ID_FIELD = "device.id";
@Getter @Getter
@Column @Column
@Enumerated(EnumType.STRING) @Enumerated(EnumType.STRING)
@ -72,120 +69,11 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
this.message = Strings.EMPTY; this.message = Strings.EMPTY;
} }
/**
* This class enables the retrieval of SupplyChainValidationSummaries by their attributes.
*/
public static class Selector {
private final CrudRepository<SupplyChainValidationSummary, UUID>
supplyChainValidationSummaryCrudManager;
private final Map<String, Object> fieldValueSelections;
/**
* Construct a new Selector that will use the given {@link CrudRepository} to
* retrieve SupplyChainValidationSummaries.
*
* @param supplyChainValidationSummaryCrudManager the summary manager to be used to retrieve
* supply chain validation summaries
*/
public Selector(
final CrudRepository<SupplyChainValidationSummary, UUID>
supplyChainValidationSummaryCrudManager) {
Preconditions.checkArgument(
supplyChainValidationSummaryCrudManager != null,
"supply chain validation summary manager cannot be null"
);
this.supplyChainValidationSummaryCrudManager = supplyChainValidationSummaryCrudManager;
this.fieldValueSelections = new HashMap<>();
}
/**
* Construct the criterion that can be used to query for supply chain validation summaries
* matching the configuration of this Selector.
*
* @return a Criterion that can be used to query for supply chain validation summaries
* matching the configuration of this instance
*/
public Predicate[] getCriterion(final CriteriaBuilder criteriaBuilder) {
Predicate[] predicates = new Predicate[fieldValueSelections.size()];
CriteriaQuery<SupplyChainValidationSummary> query = criteriaBuilder.createQuery(SupplyChainValidationSummary.class);
Root<SupplyChainValidationSummary> root = query.from(SupplyChainValidationSummary.class);
int i = 0;
for (Map.Entry<String, Object> fieldValueEntry : fieldValueSelections.entrySet()) {
predicates[i++] = criteriaBuilder.equal(root.get(fieldValueEntry.getKey()), fieldValueEntry.getValue());
}
return predicates;
}
/**
* Set a field name and value to match.
*
* @param name the field name to query
* @param value the value to query
*/
protected void setFieldValue(final String name, final Object value) {
Object valueToAssign = value;
Preconditions.checkArgument(
value != null,
"field value cannot be null."
);
if (value instanceof String) {
Preconditions.checkArgument(
StringUtils.isNotEmpty((String) value),
"field value cannot be empty."
);
}
if (value instanceof byte[]) {
byte[] valueBytes = (byte[]) value;
Preconditions.checkArgument(
ArrayUtils.isNotEmpty(valueBytes),
"field value cannot be empty."
);
valueToAssign = Arrays.copyOf(valueBytes, valueBytes.length);
}
fieldValueSelections.put(name, valueToAssign);
}
/**
* Specify a device id that supply chain validation summaries must have to be considered
* as matching.
*
* @param device the device id to query
* @return this instance (for chaining further calls)
*/
public Selector byDeviceId(final UUID device) {
setFieldValue(DEVICE_ID_FIELD, device);
return this;
}
}
/**
* Get a Selector for use in retrieving SupplyChainValidationSummary.
*
* @param certMan the CrudManager to be used to retrieve persisted supply chain validation
* summaries
* @return a SupplyChainValidationSummary.Selector instance to use for retrieving certificates
*/
public static SupplyChainValidationSummary.Selector select(
final CrudRepository<SupplyChainValidationSummary, UUID> certMan) {
return new SupplyChainValidationSummary.Selector(certMan);
}
/** /**
* Construct a new SupplyChainValidationSummary. * Construct a new SupplyChainValidationSummary.
* *
* @param device device that underwent supply chain validation * @param device device that underwent supply chain validation
* @param validations a Collection of Validations that should comprise this summary; not null * @param validations a Collection of Validations that should comprise this summary; not null
* @param provisionSessionId randomly generated UUID to associate with results * @param provisionSessionId randomly generated UUID to associate with results
*/ */
public SupplyChainValidationSummary(final Device device, public SupplyChainValidationSummary(final Device device,
@ -198,7 +86,7 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
/** /**
* Construct a new SupplyChainValidationSummary. * Construct a new SupplyChainValidationSummary.
* *
* @param device device that underwent supply chain validation * @param device device that underwent supply chain validation
* @param validations a Collection of Validations that should comprise this summary; not null * @param validations a Collection of Validations that should comprise this summary; not null
*/ */
public SupplyChainValidationSummary(final Device device, public SupplyChainValidationSummary(final Device device,
@ -221,6 +109,18 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
this.message = status.getMessage(); this.message = status.getMessage();
} }
/**
* Get a Selector for use in retrieving SupplyChainValidationSummary.
*
* @param certMan the CrudManager to be used to retrieve persisted supply chain validation
* summaries
* @return a SupplyChainValidationSummary.Selector instance to use for retrieving certificates
*/
public static SupplyChainValidationSummary.Selector select(
final CrudRepository<SupplyChainValidationSummary, UUID> certMan) {
return new SupplyChainValidationSummary.Selector(certMan);
}
/** /**
* This retrieves the device associated with the supply chain validation summaries. * This retrieves the device associated with the supply chain validation summaries.
* *
@ -270,4 +170,102 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
return new AppraisalStatus(AppraisalStatus.Status.PASS, return new AppraisalStatus(AppraisalStatus.Status.PASS,
Strings.EMPTY); Strings.EMPTY);
} }
/**
* This class enables the retrieval of SupplyChainValidationSummaries by their attributes.
*/
public static class Selector {
private final CrudRepository<SupplyChainValidationSummary, UUID>
supplyChainValidationSummaryCrudManager;
private final Map<String, Object> fieldValueSelections;
/**
* Construct a new Selector that will use the given {@link CrudRepository} to
* retrieve SupplyChainValidationSummaries.
*
* @param supplyChainValidationSummaryCrudManager the summary manager to be used to retrieve
* supply chain validation summaries
*/
public Selector(
final CrudRepository<SupplyChainValidationSummary, UUID>
supplyChainValidationSummaryCrudManager) {
Preconditions.checkArgument(
supplyChainValidationSummaryCrudManager != null,
"supply chain validation summary manager cannot be null"
);
this.supplyChainValidationSummaryCrudManager = supplyChainValidationSummaryCrudManager;
this.fieldValueSelections = new HashMap<>();
}
/**
* Construct the criterion that can be used to query for supply chain validation summaries
* matching the configuration of this Selector.
*
* @return a Criterion that can be used to query for supply chain validation summaries
* matching the configuration of this instance
*/
public Predicate[] getCriterion(final CriteriaBuilder criteriaBuilder) {
Predicate[] predicates = new Predicate[fieldValueSelections.size()];
CriteriaQuery<SupplyChainValidationSummary> query =
criteriaBuilder.createQuery(SupplyChainValidationSummary.class);
Root<SupplyChainValidationSummary> root = query.from(SupplyChainValidationSummary.class);
int i = 0;
for (Map.Entry<String, Object> fieldValueEntry : fieldValueSelections.entrySet()) {
predicates[i++] =
criteriaBuilder.equal(root.get(fieldValueEntry.getKey()), fieldValueEntry.getValue());
}
return predicates;
}
/**
* Set a field name and value to match.
*
* @param name the field name to query
* @param value the value to query
*/
protected void setFieldValue(final String name, final Object value) {
Object valueToAssign = value;
Preconditions.checkArgument(
value != null,
"field value cannot be null."
);
if (value instanceof String) {
Preconditions.checkArgument(
StringUtils.isNotEmpty((String) value),
"field value cannot be empty."
);
}
if (value instanceof byte[] valueBytes) {
Preconditions.checkArgument(
ArrayUtils.isNotEmpty(valueBytes),
"field value cannot be empty."
);
valueToAssign = Arrays.copyOf(valueBytes, valueBytes.length);
}
fieldValueSelections.put(name, valueToAssign);
}
/**
* Specify a device id that supply chain validation summaries must have to be considered
* as matching.
*
* @param device the device id to query
* @return this instance (for chaining further calls)
*/
public Selector byDeviceId(final UUID device) {
setFieldValue(DEVICE_ID_FIELD, device);
return this;
}
}
} }

165
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/CertificateVariables.java
View File

@ -2,46 +2,209 @@ package hirs.attestationca.persist.entity.userdefined.certificate;
public class CertificateVariables { public class CertificateVariables {
/**
*
*/
public static final String PEM_HEADER = "-----BEGIN CERTIFICATE-----"; public static final String PEM_HEADER = "-----BEGIN CERTIFICATE-----";
/**
*
*/
public static final String PEM_FOOTER = "-----END CERTIFICATE-----"; public static final String PEM_FOOTER = "-----END CERTIFICATE-----";
/**
*
*/
public static final String PEM_ATTRIBUTE_HEADER = "-----BEGIN ATTRIBUTE CERTIFICATE-----"; public static final String PEM_ATTRIBUTE_HEADER = "-----BEGIN ATTRIBUTE CERTIFICATE-----";
/**
*
*/
public static final String PEM_ATTRIBUTE_FOOTER = "-----END ATTRIBUTE CERTIFICATE-----"; public static final String PEM_ATTRIBUTE_FOOTER = "-----END ATTRIBUTE CERTIFICATE-----";
/**
*
*/
public static final String MALFORMED_CERT_MESSAGE = "Malformed certificate detected."; public static final String MALFORMED_CERT_MESSAGE = "Malformed certificate detected.";
/**
*
*/
public static final int MAX_CERT_LENGTH_BYTES = 2048; public static final int MAX_CERT_LENGTH_BYTES = 2048;
public static final int MAX_NUMERIC_PRECISION = 49; // Can store up to 160 bit values
/**
*
*/
public static final int MAX_NUMERIC_PRECISION = 49;
/**
* Can store up to 160 bit values
*/
public static final int MAX_PUB_KEY_MODULUS_HEX_LENGTH = 1024; public static final int MAX_PUB_KEY_MODULUS_HEX_LENGTH = 1024;
/**
*
*/
public static final int KEY_USAGE_BIT0 = 0; public static final int KEY_USAGE_BIT0 = 0;
/**
*
*/
public static final int KEY_USAGE_BIT1 = 1; public static final int KEY_USAGE_BIT1 = 1;
/**
*
*/
public static final int KEY_USAGE_BIT2 = 2; public static final int KEY_USAGE_BIT2 = 2;
/**
*
*/
public static final int KEY_USAGE_BIT3 = 3; public static final int KEY_USAGE_BIT3 = 3;
/**
*
*/
public static final int KEY_USAGE_BIT4 = 4; public static final int KEY_USAGE_BIT4 = 4;
/**
*
*/
public static final int KEY_USAGE_BIT5 = 5; public static final int KEY_USAGE_BIT5 = 5;
/**
*
*/
public static final int KEY_USAGE_BIT6 = 6; public static final int KEY_USAGE_BIT6 = 6;
/**
*
*/
public static final int KEY_USAGE_BIT7 = 7; public static final int KEY_USAGE_BIT7 = 7;
/**
*
*/
public static final int KEY_USAGE_BIT8 = 8; public static final int KEY_USAGE_BIT8 = 8;
/**
*
*/
public static final String KEY_USAGE_DS = "DIGITAL SIGNATURE"; public static final String KEY_USAGE_DS = "DIGITAL SIGNATURE";
/**
*
*/
public static final String KEY_USAGE_NR = "NON-REPUDIATION"; public static final String KEY_USAGE_NR = "NON-REPUDIATION";
/**
*
*/
public static final String KEY_USAGE_KE = "KEY ENCIPHERMENT"; public static final String KEY_USAGE_KE = "KEY ENCIPHERMENT";
/**
*
*/
public static final String KEY_USAGE_DE = "DATA ENCIPHERMENT"; public static final String KEY_USAGE_DE = "DATA ENCIPHERMENT";
/**
*
*/
public static final String KEY_USAGE_KA = "KEY AGREEMENT"; public static final String KEY_USAGE_KA = "KEY AGREEMENT";
/**
*
*/
public static final String KEY_USAGE_KC = "KEY CERT SIGN"; public static final String KEY_USAGE_KC = "KEY CERT SIGN";
/**
*
*/
public static final String KEY_USAGE_CS = "CRL SIGN"; public static final String KEY_USAGE_CS = "CRL SIGN";
/**
*
*/
public static final String KEY_USAGE_EO = "ENCIPHER ONLY"; public static final String KEY_USAGE_EO = "ENCIPHER ONLY";
/**
*
*/
public static final String KEY_USAGE_DO = "DECIPHER ONLY"; public static final String KEY_USAGE_DO = "DECIPHER ONLY";
/**
*
*/
public static final String ECDSA_OID = "1.2.840.10045.4.3.2"; public static final String ECDSA_OID = "1.2.840.10045.4.3.2";
/**
*
*/
public static final String ECDSA_SHA224_OID = "1.2.840.10045.4.1"; public static final String ECDSA_SHA224_OID = "1.2.840.10045.4.1";
/**
*
*/
public static final String RSA256_OID = "1.2.840.113549.1.1.11"; public static final String RSA256_OID = "1.2.840.113549.1.1.11";
/**
*
*/
public static final String RSA384_OID = "1.2.840.113549.1.1.12"; public static final String RSA384_OID = "1.2.840.113549.1.1.12";
/**
*
*/
public static final String RSA512_OID = "1.2.840.113549.1.1.13"; public static final String RSA512_OID = "1.2.840.113549.1.1.13";
/**
*
*/
public static final String RSA224_OID = "1.2.840.113549.1.1.14"; public static final String RSA224_OID = "1.2.840.113549.1.1.14";
/**
*
*/
public static final String RSA512_224_OID = "1.2.840.113549.1.1.15"; public static final String RSA512_224_OID = "1.2.840.113549.1.1.15";
/**
*
*/
public static final String RSA512_256_OID = "1.2.840.113549.1.1.16"; public static final String RSA512_256_OID = "1.2.840.113549.1.1.16";
/**
*
*/
public static final String RSA256_STRING = "SHA256WithRSA"; public static final String RSA256_STRING = "SHA256WithRSA";
/**
*
*/
public static final String RSA384_STRING = "SHA384WithRSA"; public static final String RSA384_STRING = "SHA384WithRSA";
/**
*
*/
public static final String RSA224_STRING = "SHA224WithRSA"; public static final String RSA224_STRING = "SHA224WithRSA";
/**
*
*/
public static final String RSA512_STRING = "SHA512WithRSA"; public static final String RSA512_STRING = "SHA512WithRSA";
/**
*
*/
public static final String RSA512_224_STRING = "SHA512-224WithRSA"; public static final String RSA512_224_STRING = "SHA512-224WithRSA";
/**
*
*/
public static final String RSA512_256_STRING = "SHA512-256WithRSA"; public static final String RSA512_256_STRING = "SHA512-256WithRSA";
/**
*
*/
public static final String ECDSA_STRING = "SHA256WithECDSA"; public static final String ECDSA_STRING = "SHA256WithECDSA";
public static final String ECDSA_SHA224_STRING = "SHA224WithECDSA"; public static final String ECDSA_SHA224_STRING = "SHA224WithECDSA";
} }

36
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/IDevIDCertificate.java
View File

@ -6,8 +6,12 @@ import jakarta.persistence.Entity;
import jakarta.persistence.Transient; import jakarta.persistence.Transient;
import lombok.Getter; import lombok.Getter;
import lombok.extern.log4j.Log4j2; import lombok.extern.log4j.Log4j2;
import org.apache.commons.codec.binary.Hex; import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.*; import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.x509.CertificatePolicies; import org.bouncycastle.asn1.x509.CertificatePolicies;
import org.bouncycastle.asn1.x509.Extension; import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.PolicyInformation; import org.bouncycastle.asn1.x509.PolicyInformation;
@ -15,21 +19,13 @@ import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
import java.io.IOException; import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path; import java.nio.file.Path;
import java.time.Instant; import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.HashMap; import java.util.HashMap;
import java.util.Iterator; import java.util.Iterator;
import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Objects; import java.util.Objects;
import java.util.Set;
@Entity @Entity
@Log4j2 @Log4j2
@ -154,6 +150,7 @@ public class IDevIDCertificate extends Certificate {
/** /**
* Parses fields related to IDevID certificates. * Parses fields related to IDevID certificates.
*
* @throws IOException if a problem is encountered during parsing * @throws IOException if a problem is encountered during parsing
*/ */
private void parseIDevIDCertificate() throws IOException { private void parseIDevIDCertificate() throws IOException {
@ -207,12 +204,12 @@ public class IDevIDCertificate extends Certificate {
} catch (IllegalArgumentException e) { } catch (IllegalArgumentException e) {
// Some certs have been found to contain tagged objects for hwSerialNum. // Some certs have been found to contain tagged objects for hwSerialNum.
// Handle this as a special case. // Handle this as a special case.
log.warn("Could not parse octet string for hwSerialNum. Attempting to parse tag."); log.warn(
"Could not parse octet string for hwSerialNum. Attempting to parse tag.");
try { try {
tagObj1 = ASN1TaggedObject.getInstance(seq1.getObjectAt(1)); tagObj1 = ASN1TaggedObject.getInstance(seq1.getObjectAt(1));
obj2 = ASN1OctetString.getInstance(tagObj1, false); obj2 = ASN1OctetString.getInstance(tagObj1, false);
} } catch (Exception i) { // Invalid object found
catch (Exception i) { // Invalid object found
log.warn("Invalid object found for hwSerialNum."); log.warn("Invalid object found for hwSerialNum.");
break; break;
} }
@ -223,7 +220,7 @@ public class IDevIDCertificate extends Certificate {
// the hwSerialNum field will be parsed accordingly. // the hwSerialNum field will be parsed accordingly.
hwType = obj1.toString(); hwType = obj1.toString();
if (hasTCGOIDs()) { if (hasTCGOIDs()) {
tcgOid = true; tcgOid = true;
} }
// Convert octet string to byte array // Convert octet string to byte array
@ -237,7 +234,8 @@ public class IDevIDCertificate extends Certificate {
// Check for certificate policy qualifiers, which should be present for IDevIDs if in compliance with the // Check for certificate policy qualifiers, which should be present for IDevIDs if in compliance with the
// TCG specification. // TCG specification.
// For interoperability reasons, this will only log a warning if a TCG OID is specified above. // For interoperability reasons, this will only log a warning if a TCG OID is specified above.
byte[] policyBytes = getX509Certificate().getExtensionValue(Extension.certificatePolicies.getId()); byte[] policyBytes =
getX509Certificate().getExtensionValue(Extension.certificatePolicies.getId());
Map<String, Boolean> policyQualifiers = null; Map<String, Boolean> policyQualifiers = null;
if (policyBytes != null) { if (policyBytes != null) {
@ -264,8 +262,9 @@ public class IDevIDCertificate extends Certificate {
failCondition = true; failCondition = true;
} }
if (failCondition) { if (failCondition) {
log.warn("TPM policy qualifiers not found, or do not meet logical criteria. Certificate may not " + log.warn(
"be in compliance with TCG specification."); "TPM policy qualifiers not found, or do not meet logical criteria. Certificate may not " +
"be in compliance with TCG specification.");
} }
} }
@ -288,8 +287,7 @@ public class IDevIDCertificate extends Certificate {
public boolean hasTCGOIDs() { public boolean hasTCGOIDs() {
if (this.getHwType() != null) { if (this.getHwType() != null) {
return this.getHwType().equals(HWTYPE_TCG_TPM2_OID); return this.getHwType().equals(HWTYPE_TCG_TPM2_OID);
} } else {
else {
return false; return false;
} }
} }

57
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java
View File

@ -1,6 +1,5 @@
package hirs.attestationca.persist.provision; package hirs.attestationca.persist.provision;
import com.fasterxml.jackson.databind.ser.Serializers;
import com.google.protobuf.ByteString; import com.google.protobuf.ByteString;
import hirs.attestationca.configuration.provisionerTpm2.ProvisionerTpm2; import hirs.attestationca.configuration.provisionerTpm2.ProvisionerTpm2;
import hirs.attestationca.persist.entity.manager.CertificateRepository; import hirs.attestationca.persist.entity.manager.CertificateRepository;
@ -69,24 +68,23 @@ import java.util.regex.Pattern;
@Log4j2 @Log4j2
public class IdentityClaimProcessor extends AbstractProcessor { public class IdentityClaimProcessor extends AbstractProcessor {
private static final String PCR_QUOTE_MASK = "0,1,2,3,4,5,6,7,8,9,10,11,12,13,"
+ "14,15,16,17,18,19,20,21,22,23";
private static final int NUM_OF_VARIABLES = 5;
/** /**
* Number of bytes to include in the TPM2.0 nonce. * Number of bytes to include in the TPM2.0 nonce.
*/ */
public static final int NONCE_LENGTH = 20; public static final int NONCE_LENGTH = 20;
private static final String PCR_QUOTE_MASK = "0,1,2,3,4,5,6,7,8,9,10,11,12,13,"
+ "14,15,16,17,18,19,20,21,22,23";
private static final int NUM_OF_VARIABLES = 5;
private static final int MAC_BYTES = 6; private static final int MAC_BYTES = 6;
private SupplyChainValidationService supplyChainValidationService; private final SupplyChainValidationService supplyChainValidationService;
private CertificateRepository certificateRepository; private final CertificateRepository certificateRepository;
private ComponentResultRepository componentResultRepository; private final ComponentResultRepository componentResultRepository;
private ComponentInfoRepository componentInfoRepository; private final ComponentInfoRepository componentInfoRepository;
private ReferenceManifestRepository referenceManifestRepository; private final ReferenceManifestRepository referenceManifestRepository;
private ReferenceDigestValueRepository referenceDigestValueRepository; private final ReferenceDigestValueRepository referenceDigestValueRepository;
private DeviceRepository deviceRepository; private final DeviceRepository deviceRepository;
private TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository; private final TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository;
/** /**
* Constructor. * Constructor.
@ -116,8 +114,8 @@ public class IdentityClaimProcessor extends AbstractProcessor {
* Basic implementation of the ACA processIdentityClaimTpm2 method. Parses the claim, * Basic implementation of the ACA processIdentityClaimTpm2 method. Parses the claim,
* stores the device info, performs supply chain validation, generates a nonce, * stores the device info, performs supply chain validation, generates a nonce,
* and wraps that nonce with the make credential process before returning it to the client. * and wraps that nonce with the make credential process before returning it to the client.
* attCert.setPcrValues(pcrValues); * attCert.setPcrValues(pcrValues);
*
* @param identityClaim the request to process, cannot be null * @param identityClaim the request to process, cannot be null
* @return an identity claim response for the specified request containing a wrapped blob * @return an identity claim response for the specified request containing a wrapped blob
*/ */
@ -147,7 +145,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
} }
} }
ByteString blobStr = ByteString.copyFrom(new byte[]{}); ByteString blobStr = ByteString.copyFrom(new byte[] {});
if (validationResult == AppraisalStatus.Status.PASS) { if (validationResult == AppraisalStatus.Status.PASS) {
RSAPublicKey akPub = ProvisionUtils.parsePublicKey(claim.getAkPublicArea().toByteArray()); RSAPublicKey akPub = ProvisionUtils.parsePublicKey(claim.getAkPublicArea().toByteArray());
byte[] nonce = ProvisionUtils.generateRandomBytes(NONCE_LENGTH); byte[] nonce = ProvisionUtils.generateRandomBytes(NONCE_LENGTH);
@ -195,7 +193,8 @@ public class IdentityClaimProcessor extends AbstractProcessor {
private AppraisalStatus.Status doSupplyChainValidation( private AppraisalStatus.Status doSupplyChainValidation(
final ProvisionerTpm2.IdentityClaim claim, final PublicKey ekPub) { final ProvisionerTpm2.IdentityClaim claim, final PublicKey ekPub) {
// attempt to find an endorsement credential to validate // attempt to find an endorsement credential to validate
EndorsementCredential endorsementCredential = parseEcFromIdentityClaim(claim, ekPub, certificateRepository); EndorsementCredential endorsementCredential =
parseEcFromIdentityClaim(claim, ekPub, certificateRepository);
// attempt to find platform credentials to validate // attempt to find platform credentials to validate
List<PlatformCredential> platformCredentials = parsePcsFromIdentityClaim(claim, List<PlatformCredential> platformCredentials = parsePcsFromIdentityClaim(claim,
@ -283,10 +282,10 @@ public class IdentityClaimProcessor extends AbstractProcessor {
/** /**
* Converts a protobuf DeviceInfo object to a HIRS Utils DeviceInfoReport object. * Converts a protobuf DeviceInfo object to a HIRS Utils DeviceInfoReport object.
*
* @param claim the protobuf serialized identity claim containing the device info * @param claim the protobuf serialized identity claim containing the device info
* @return a HIRS Utils DeviceInfoReport representation of device info * @return a HIRS Utils DeviceInfoReport representation of device info
*/ */
@SuppressWarnings("methodlength")
private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim claim) private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim claim)
throws NoSuchAlgorithmException { throws NoSuchAlgorithmException {
ProvisionerTpm2.DeviceInfo dv = claim.getDv(); ProvisionerTpm2.DeviceInfo dv = claim.getDv();
@ -357,7 +356,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
String fileName = ""; String fileName = "";
Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"); Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)");
Matcher matcher; Matcher matcher;
MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
if (dv.getSwidfileCount() > 0) { if (dv.getSwidfileCount() > 0) {
for (ByteString swidFile : dv.getSwidfileList()) { for (ByteString swidFile : dv.getSwidfileList()) {
@ -425,9 +424,10 @@ public class IdentityClaimProcessor extends AbstractProcessor {
if (dv.getLogfileCount() > 0) { if (dv.getLogfileCount() > 0) {
for (ByteString logFile : dv.getLogfileList()) { for (ByteString logFile : dv.getLogfileList()) {
try { try {
support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType( support =
(SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())), Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())),
ReferenceManifest.SUPPORT_RIM); ReferenceManifest.SUPPORT_RIM);
if (support == null) { if (support == null) {
/* /*
Either the logFile does not have a corresponding support RIM in the backend Either the logFile does not have a corresponding support RIM in the backend
@ -512,8 +512,10 @@ public class IdentityClaimProcessor extends AbstractProcessor {
} }
// now update support rim // now update support rim
SupportReferenceManifest dbSupport = (SupportReferenceManifest) referenceManifestRepository SupportReferenceManifest dbSupport =
.findByHexDecHashAndRimType(swid.getHashValue(), ReferenceManifest.SUPPORT_RIM); (SupportReferenceManifest) referenceManifestRepository
.findByHexDecHashAndRimType(swid.getHashValue(),
ReferenceManifest.SUPPORT_RIM);
if (dbSupport != null) { if (dbSupport != null) {
dbSupport.setFileName(swid.getName()); dbSupport.setFileName(swid.getName());
dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion());
@ -584,7 +586,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
dv.getNw().getHostname())); dv.getNw().getHostname()));
} }
// Get TPM info, currently unimplemented // Get TPM info, currently unimplemented
TPMInfo tpmInfo = new TPMInfo(DeviceInfoEnums.NOT_SPECIFIED, TPMInfo tpmInfo = new TPMInfo(DeviceInfoEnums.NOT_SPECIFIED,
(short) 0, (short) 0,
(short) 0, (short) 0,
@ -628,7 +630,8 @@ public class IdentityClaimProcessor extends AbstractProcessor {
} }
if (baseSupportRim != null if (baseSupportRim != null
&& referenceDigestValueRepository.findBySupportRimHash(baseSupportRim.getHexDecHash()).isEmpty()) { && referenceDigestValueRepository.findBySupportRimHash(baseSupportRim.getHexDecHash())
.isEmpty()) {
try { try {
TCGEventLog logProcessor = new TCGEventLog(baseSupportRim.getRimBytes()); TCGEventLog logProcessor = new TCGEventLog(baseSupportRim.getRimBytes());
ReferenceDigestValue rdv; ReferenceDigestValue rdv;
@ -688,7 +691,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
log.error(String.format("Patching value does not exist (%s)", log.error(String.format("Patching value does not exist (%s)",
patchedValue)); patchedValue));
} else { } else {
// WIP - Until we get patch examples // WIP - Until we get patch examples
dbRdv.setPatched(true); dbRdv.setPatched(true);
} }
} }
@ -721,7 +724,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
} }
private int handleDeviceComponents(final String hostName, final String paccorString) { private int handleDeviceComponents(final String hostName, final String paccorString) {
int deviceComponents = 0 ; int deviceComponents = 0;
Map<Integer, ComponentInfo> componentInfoMap = new HashMap<>(); Map<Integer, ComponentInfo> componentInfoMap = new HashMap<>();
try { try {
List<ComponentInfo> componentInfos = SupplyChainCredentialValidator List<ComponentInfo> componentInfos = SupplyChainCredentialValidator

63
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/SupplyChainValidationService.java
View File

@ -11,7 +11,11 @@ import hirs.attestationca.persist.entity.manager.ReferenceDigestValueRepository;
import hirs.attestationca.persist.entity.manager.ReferenceManifestRepository; import hirs.attestationca.persist.entity.manager.ReferenceManifestRepository;
import hirs.attestationca.persist.entity.manager.SupplyChainValidationRepository; import hirs.attestationca.persist.entity.manager.SupplyChainValidationRepository;
import hirs.attestationca.persist.entity.manager.SupplyChainValidationSummaryRepository; import hirs.attestationca.persist.entity.manager.SupplyChainValidationSummaryRepository;
import hirs.attestationca.persist.entity.userdefined.*; import hirs.attestationca.persist.entity.userdefined.Device;
import hirs.attestationca.persist.entity.userdefined.PolicySettings;
import hirs.attestationca.persist.entity.userdefined.ReferenceManifest;
import hirs.attestationca.persist.entity.userdefined.SupplyChainValidation;
import hirs.attestationca.persist.entity.userdefined.SupplyChainValidationSummary;
import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult; import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult;
import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential; import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential;
import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential; import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
@ -27,12 +31,10 @@ import lombok.extern.log4j.Log4j2;
import org.apache.logging.log4j.Level; import org.apache.logging.log4j.Level;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service; import org.springframework.stereotype.Service;
import org.yaml.snakeyaml.events.Event;
import java.security.KeyStore; import java.security.KeyStore;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
@ -46,28 +48,28 @@ import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS;
@Service @Service
public class SupplyChainValidationService { public class SupplyChainValidationService {
private CACredentialRepository caCredentialRepository; private final CACredentialRepository caCredentialRepository;
private PolicyRepository policyRepository; private final PolicyRepository policyRepository;
private ReferenceManifestRepository referenceManifestRepository; private final ReferenceManifestRepository referenceManifestRepository;
private ReferenceDigestValueRepository referenceDigestValueRepository; private final ReferenceDigestValueRepository referenceDigestValueRepository;
private ComponentResultRepository componentResultRepository; private final ComponentResultRepository componentResultRepository;
private ComponentAttributeRepository componentAttributeRepository; private final ComponentAttributeRepository componentAttributeRepository;
private CertificateRepository certificateRepository; private final CertificateRepository certificateRepository;
private SupplyChainValidationRepository supplyChainValidationRepository; private final SupplyChainValidationRepository supplyChainValidationRepository;
private SupplyChainValidationSummaryRepository supplyChainValidationSummaryRepository; private final SupplyChainValidationSummaryRepository supplyChainValidationSummaryRepository;
private UUID provisionSessionId; private UUID provisionSessionId;
/** /**
* Constructor. * Constructor.
* *
* @param caCredentialRepository ca credential repository * @param caCredentialRepository ca credential repository
* @param policyRepository the policy manager * @param policyRepository the policy manager
* @param certificateRepository the cert manager * @param certificateRepository the cert manager
* @param componentResultRepository the comp result manager * @param componentResultRepository the comp result manager
* @param referenceManifestRepository the RIM manager * @param referenceManifestRepository the RIM manager
* @param supplyChainValidationRepository the scv manager * @param supplyChainValidationRepository the scv manager
* @param supplyChainValidationSummaryRepository the summary manager * @param supplyChainValidationSummaryRepository the summary manager
* @param referenceDigestValueRepository the even manager * @param referenceDigestValueRepository the even manager
*/ */
@Autowired @Autowired
@SuppressWarnings("ParameterNumberCheck") @SuppressWarnings("ParameterNumberCheck")
@ -97,13 +99,12 @@ public class SupplyChainValidationService {
* an identity request and validates the supply chain in accordance to the * an identity request and validates the supply chain in accordance to the
* current supply chain policy. * current supply chain policy.
* *
* @param ec The endorsement credential from the identity request. * @param ec The endorsement credential from the identity request.
* @param pcs The platform credentials from the identity request. * @param pcs The platform credentials from the identity request.
* @param device The device to be validated. * @param device The device to be validated.
* @param componentInfos list of components from the device * @param componentInfos list of components from the device
* @return A summary of the validation results. * @return A summary of the validation results.
*/ */
@SuppressWarnings("methodlength")
public SupplyChainValidationSummary validateSupplyChain(final EndorsementCredential ec, public SupplyChainValidationSummary validateSupplyChain(final EndorsementCredential ec,
final List<PlatformCredential> pcs, final List<PlatformCredential> pcs,
final Device device, final Device device,
@ -250,8 +251,8 @@ public class SupplyChainValidationService {
updateComponentStatus(componentResultRepository updateComponentStatus(componentResultRepository
.findByCertificateSerialNumberAndBoardSerialNumber( .findByCertificateSerialNumberAndBoardSerialNumber(
baseCredential.getSerialNumber().toString(), baseCredential.getSerialNumber().toString(),
baseCredential.getPlatformSerial())); baseCredential.getPlatformSerial()));
} }
if (!attrErrorMessage.isEmpty()) { if (!attrErrorMessage.isEmpty()) {
//combine platform and platform attributes //combine platform and platform attributes
@ -323,9 +324,10 @@ public class SupplyChainValidationService {
deviceName)); deviceName));
} else { } else {
ReferenceManifest manifest = referenceManifestRepository ReferenceManifest manifest = referenceManifestRepository
.findByHexDecHashAndRimType(sRim.getEventLogHash(), ReferenceManifest.MEASUREMENT_RIM); .findByHexDecHashAndRimType(sRim.getEventLogHash(),
ReferenceManifest.MEASUREMENT_RIM);
if (manifest instanceof EventLogMeasurements) { if (manifest instanceof EventLogMeasurements) {
eventLog = (EventLogMeasurements)manifest; eventLog = (EventLogMeasurements) manifest;
} }
} }
if (eventLog == null) { if (eventLog == null) {
@ -357,7 +359,8 @@ public class SupplyChainValidationService {
BaseReferenceManifest bRim = null; BaseReferenceManifest bRim = null;
if (sRim != null && sRim.getAssociatedRim() != null) { if (sRim != null && sRim.getAssociatedRim() != null) {
Optional<ReferenceManifest> oRim = referenceManifestRepository.findById(sRim.getAssociatedRim()); Optional<ReferenceManifest> oRim =
referenceManifestRepository.findById(sRim.getAssociatedRim());
if (oRim.isPresent()) { if (oRim.isPresent()) {
ReferenceManifest rim = oRim.get(); ReferenceManifest rim = oRim.get();
if (rim instanceof BaseReferenceManifest) { if (rim instanceof BaseReferenceManifest) {
@ -375,7 +378,8 @@ public class SupplyChainValidationService {
Optional<SupplyChainValidationSummary> previousOpt Optional<SupplyChainValidationSummary> previousOpt
//= this.supplyChainValidationSummaryRepository.findByDevice(deviceName); //= this.supplyChainValidationSummaryRepository.findByDevice(deviceName);
//= this.supplyChainValidationSummaryRepository.findByDevice(device); //= this.supplyChainValidationSummaryRepository.findByDevice(device);
= this.supplyChainValidationSummaryRepository.findById(UUID.fromString(device.getSummaryId())); = this.supplyChainValidationSummaryRepository.findById(
UUID.fromString(device.getSummaryId()));
if (previousOpt.isPresent()) { if (previousOpt.isPresent()) {
SupplyChainValidationSummary previous = previousOpt.get(); SupplyChainValidationSummary previous = previousOpt.get();
for (SupplyChainValidation scv : previous.getValidations()) { for (SupplyChainValidation scv : previous.getValidations()) {
@ -421,6 +425,7 @@ public class SupplyChainValidationService {
* If the platform attributes policy is enabled, this method updates the matched * If the platform attributes policy is enabled, this method updates the matched
* status for the component result. This is done so that the details page for the * status for the component result. This is done so that the details page for the
* platform certificate highlights the title card red. * platform certificate highlights the title card red.
*
* @param componentResults list of associated component results * @param componentResults list of associated component results
*/ */
private void updateComponentStatus(final List<ComponentResult> componentResults) { private void updateComponentStatus(final List<ComponentResult> componentResults) {

26
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java
View File

@ -49,10 +49,11 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
private static final String LC_UNKNOWN = "unknown"; private static final String LC_UNKNOWN = "unknown";
/** /**
* Validates platform credential attributes v1 p2.
* *
* @param platformCredential * @param platformCredential platform credential
* @param deviceInfoReport * @param deviceInfoReport device information report
* @return * @return an appraisal status
*/ */
public static AppraisalStatus validatePlatformCredentialAttributesV1p2( public static AppraisalStatus validatePlatformCredentialAttributesV1p2(
final PlatformCredential platformCredential, final PlatformCredential platformCredential,
@ -159,7 +160,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
* @param componentAttributeRepository db access to component attribute match status * @param componentAttributeRepository db access to component attribute match status
* @param componentInfos list of device components * @param componentInfos list of device components
* @param provisionSessionId UUID associated with the SCV Summary * @param provisionSessionId UUID associated with the SCV Summary
* @param ignoreRevisionAttribute policy flag to ignore the revision attribute * @param ignoreRevisionAttribute policy flag to ignore the revision attribute
* @return either PASS or FAIL * @return either PASS or FAIL
*/ */
public static AppraisalStatus validatePlatformCredentialAttributesV2p0( public static AppraisalStatus validatePlatformCredentialAttributesV2p0(
@ -275,10 +276,10 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
numOfAttributes = attributeResults.size(); numOfAttributes = attributeResults.size();
boolean saveAttributeResult; boolean saveAttributeResult;
for (ComponentAttributeResult componentAttributeResult : attributeResults) { for (ComponentAttributeResult componentAttributeResult : attributeResults) {
saveAttributeResult = true; saveAttributeResult = true;
if (ignoreRevisionAttribute) { if (ignoreRevisionAttribute) {
saveAttributeResult = !componentAttributeResult.getAttribute() saveAttributeResult = !componentAttributeResult.getAttribute()
.equalsIgnoreCase(ComponentResult.ATTRIBUTE_REVISION); .equalsIgnoreCase(ComponentResult.ATTRIBUTE_REVISION);
} }
if (saveAttributeResult) { if (saveAttributeResult) {
componentAttributeResult.setProvisionSessionId(provisionSessionId); componentAttributeResult.setProvisionSessionId(provisionSessionId);
@ -318,7 +319,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
* base cert for this specific chain * base cert for this specific chain
* @return Appraisal Status of delta being validated. * @return Appraisal Status of delta being validated.
*/ */
@SuppressWarnings("methodlength")
static AppraisalStatus validateDeltaAttributesChainV2p0( static AppraisalStatus validateDeltaAttributesChainV2p0(
final DeviceInfoReport deviceInfoReport, final DeviceInfoReport deviceInfoReport,
final Map<PlatformCredential, SupplyChainValidation> deltaMapping, final Map<PlatformCredential, SupplyChainValidation> deltaMapping,
@ -366,7 +367,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
if (!componentAttributeResults.isEmpty()) { if (!componentAttributeResults.isEmpty()) {
resultMessage.append(String.format("There are %d errors with Delta " resultMessage.append(String.format("There are %d errors with Delta "
+ "Components associated with: %s%n", + "Components associated with: %s%n",
componentAttributeResults.size(), componentAttributeResults.size(),
deltaCertificates.get(0).getPlatformSerial())); deltaCertificates.get(0).getPlatformSerial()));
fieldValidation = false; fieldValidation = false;
@ -856,7 +857,8 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
/** /**
* This method uses a specific hash to match device components with certificate components. * This method uses a specific hash to match device components with certificate components.
* @param componentInfos list of device component infos *
* @param componentInfos list of device component infos
* @param compiledComponentList list of the remaining unmatched component results * @param compiledComponentList list of the remaining unmatched component results
* @return remaining component results not matched * @return remaining component results not matched
*/ */
@ -892,7 +894,8 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
/** /**
* This method is used to find matches based on the component class value. * This method is used to find matches based on the component class value.
* @param componentInfos list of device component infos *
* @param componentInfos list of device component infos
* @param remainingComponentResults list of the remaining unmatched component results * @param remainingComponentResults list of the remaining unmatched component results
* @return a generated list of component attributes results * @return a generated list of component attributes results
*/ */
@ -1019,7 +1022,6 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
} }
/** /**
*
* @param deltaCertificates * @param deltaCertificates
* @param componentResultRepository * @param componentResultRepository
* @param componentAttributeRepository * @param componentAttributeRepository

37
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java
View File

@ -12,8 +12,8 @@ import hirs.attestationca.persist.entity.userdefined.rim.EventLogMeasurements;
import hirs.attestationca.persist.entity.userdefined.rim.ReferenceDigestValue; import hirs.attestationca.persist.entity.userdefined.rim.ReferenceDigestValue;
import hirs.attestationca.persist.enums.AppraisalStatus; import hirs.attestationca.persist.enums.AppraisalStatus;
import hirs.attestationca.persist.service.ValidationService; import hirs.attestationca.persist.service.ValidationService;
import hirs.utils.rim.ReferenceManifestValidator;
import hirs.utils.SwidResource; import hirs.utils.SwidResource;
import hirs.utils.rim.ReferenceManifestValidator;
import hirs.utils.tpm.eventlog.TCGEventLog; import hirs.utils.tpm.eventlog.TCGEventLog;
import hirs.utils.tpm.eventlog.TpmPcrEvent; import hirs.utils.tpm.eventlog.TpmPcrEvent;
import lombok.extern.log4j.Log4j2; import lombok.extern.log4j.Log4j2;
@ -24,7 +24,12 @@ import java.security.KeyStore;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.*; import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL;
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS;
@ -35,7 +40,6 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
private static PcrValidator pcrValidator; private static PcrValidator pcrValidator;
/** /**
*
* @param device * @param device
* @param policySettings * @param policySettings
* @param referenceManifestRepository * @param referenceManifestRepository
@ -43,7 +47,7 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
* @param caCredentialRepository * @param caCredentialRepository
* @return * @return
*/ */
@SuppressWarnings("methodlength")
public static AppraisalStatus validateFirmware( public static AppraisalStatus validateFirmware(
final Device device, final PolicySettings policySettings, final Device device, final PolicySettings policySettings,
final ReferenceManifestRepository referenceManifestRepository, final ReferenceManifestRepository referenceManifestRepository,
@ -66,7 +70,8 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
// In this case, try to look up the event log associated with the device, then get the base rim associated by event log hash // In this case, try to look up the event log associated with the device, then get the base rim associated by event log hash
List<ReferenceManifest> deviceRims = referenceManifestRepository.findByDeviceName(hostName); List<ReferenceManifest> deviceRims = referenceManifestRepository.findByDeviceName(hostName);
for (ReferenceManifest deviceRim : deviceRims) { for (ReferenceManifest deviceRim : deviceRims) {
if (deviceRim instanceof BaseReferenceManifest && !deviceRim.isSwidSupplemental() && !deviceRim.isSwidPatch()) { if (deviceRim instanceof BaseReferenceManifest && !deviceRim.isSwidSupplemental() &&
!deviceRim.isSwidPatch()) {
baseReferenceManifest = (BaseReferenceManifest) deviceRim; baseReferenceManifest = (BaseReferenceManifest) deviceRim;
} }
@ -77,7 +82,9 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
// Attempt to get an event log from the database matching the expected hash // Attempt to get an event log from the database matching the expected hash
if (baseReferenceManifest == null && measurement != null) { if (baseReferenceManifest == null && measurement != null) {
baseReferenceManifest = (BaseReferenceManifest)referenceManifestRepository.findByEventLogHashAndRimType(measurement.getHexDecHash(), ReferenceManifest.BASE_RIM); baseReferenceManifest =
(BaseReferenceManifest) referenceManifestRepository.findByEventLogHashAndRimType(
measurement.getHexDecHash(), ReferenceManifest.BASE_RIM);
} }
String failedString = ""; String failedString = "";
@ -101,7 +108,7 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
if (passed) { if (passed) {
List<SwidResource> resources = List<SwidResource> resources =
((BaseReferenceManifest) baseReferenceManifest).getFileResources(); baseReferenceManifest.getFileResources();
fwStatus = new AppraisalStatus(PASS, fwStatus = new AppraisalStatus(PASS,
SupplyChainCredentialValidator.FIRMWARE_VALID); SupplyChainCredentialValidator.FIRMWARE_VALID);
@ -131,20 +138,22 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
try { try {
certs.add(cac.getX509Certificate()); certs.add(cac.getX509Certificate());
} catch (IOException e) { } catch (IOException e) {
log.error("Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": " log.error(
+ e.getMessage()); "Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": "
+ e.getMessage());
} }
} }
referenceManifestValidator.setTrustStore(certs); referenceManifestValidator.setTrustStore(certs);
try { try {
if (referenceManifestValidator.validateXmlSignature(signingCert.getX509Certificate().getPublicKey(), if (referenceManifestValidator.validateXmlSignature(
signingCert.getSubjectKeyIdString(), signingCert.getEncodedPublicKey())) { signingCert.getX509Certificate().getPublicKey(),
signingCert.getSubjectKeyIdString(), signingCert.getEncodedPublicKey())) {
try { try {
if (!SupplyChainCredentialValidator.verifyCertificate( if (!SupplyChainCredentialValidator.verifyCertificate(
signingCert.getX509Certificate(), keyStore)) { signingCert.getX509Certificate(), keyStore)) {
passed = false; passed = false;
fwStatus = new AppraisalStatus(FAIL, fwStatus = new AppraisalStatus(FAIL,
"Firmware validation failed: invalid certificate path."); "Firmware validation failed: invalid certificate path.");
} }
} catch (IOException ioEx) { } catch (IOException ioEx) {
log.error("Error getting X509 cert from manager: " + ioEx.getMessage()); log.error("Error getting X509 cert from manager: " + ioEx.getMessage());
@ -268,7 +277,7 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
} }
if (fwStatus.getAppStatus().equals(FAIL)) { if (fwStatus.getAppStatus().equals(FAIL)) {
fwStatus = new AppraisalStatus(FAIL, String.format("%s%n%s", fwStatus = new AppraisalStatus(FAIL, String.format("%s%n%s",
fwStatus.getMessage(), sb.toString())); fwStatus.getMessage(), sb));
} else { } else {
fwStatus = new AppraisalStatus(FAIL, fwStatus = new AppraisalStatus(FAIL,
sb.toString(), ReferenceManifest.MEASUREMENT_RIM); sb.toString(), ReferenceManifest.MEASUREMENT_RIM);

4
config/checkstyle/checkstyle.xml
View File

@ -133,7 +133,9 @@
<!-- Checks for Size Violations. --> <!-- Checks for Size Violations. -->
<!-- See https://checkstyle.org/checks/sizes/index.html --> <!-- See https://checkstyle.org/checks/sizes/index.html -->
<module name="MethodLength"/> <module name="MethodLength">
<property name="max" value="300"/>
</module>
<!-- Checks for whitespace --> <!-- Checks for whitespace -->
<!-- See https://checkstyle.org/checks/whitespace/index.html --> <!-- See https://checkstyle.org/checks/whitespace/index.html -->