mirror of
https://github.com/nsacyber/HIRS.git
synced 2024-12-19 04:58:00 +00:00
Found the issue with the component being removed that doesn't have a proper serial number and adding one with it. The code was revalidating the base in the attributes enabled flag. This was unncessary.
This commit is contained in:
Cyrus
parent
4999c96685
commit
7b79ceb07a
@ -90,9 +90,7 @@ import java.security.spec.RSAPublicKeySpec;
|
||||
import java.util.Arrays;
|
||||
import java.util.Calendar;
|
||||
import java.util.Date;
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
@ -411,9 +409,7 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
try {
|
||||
validationResult = doSupplyChainValidation(claim, ekPub);
|
||||
} catch (Exception ex) {
|
||||
for (StackTraceElement ste : ex.getStackTrace()) {
|
||||
LOG.error(ste.toString());
|
||||
}
|
||||
LOG.error(ex.getMessage());
|
||||
}
|
||||
|
||||
if (validationResult == AppraisalStatus.Status.PASS) {
|
||||
@ -455,7 +451,6 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
// attempt to find platform credentials to validate
|
||||
Set<PlatformCredential> platformCredentials = parsePcsFromIdentityClaim(claim,
|
||||
endorsementCredential);
|
||||
Map<BigInteger, PlatformCredential> correctedMap = new HashMap<>();
|
||||
|
||||
// Parse and save device info
|
||||
Device device = processDeviceInfo(claim);
|
||||
|
||||
@ -188,9 +188,9 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
int result = baseCredential.getBeginValidity()
|
||||
.compareTo(pc.getBeginValidity());
|
||||
if (!pc.isBase() && (result > 0)) {
|
||||
pcErrorMessage = String.format("%s%s%n", pcErrorMessage,
|
||||
"Delta Certificate's validity "
|
||||
+ "date is not after Base");
|
||||
pcErrorMessage = String.format("%s%s%n", pcErrorMessage,
|
||||
"Delta Certificate's validity "
|
||||
+ "date is not after Base");
|
||||
break;
|
||||
}
|
||||
}
|
||||
@ -219,39 +219,30 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
if (platformScv != null) {
|
||||
aes.addAll(platformScv.getCertificatesUsed());
|
||||
}
|
||||
// ok, still want to validate the base credential attributes
|
||||
attributeScv = validatePlatformCredentialAttributes(
|
||||
baseCredential, device.getDeviceInfo(), ec);
|
||||
|
||||
if (attributeScv.getResult() != FAIL) {
|
||||
Iterator<PlatformCredential> it = pcs.iterator();
|
||||
String attrErrorMessage = "";
|
||||
while (it.hasNext()) {
|
||||
PlatformCredential pc = it.next();
|
||||
if (pc != null) {
|
||||
if (!pc.isBase() && attributeScv.getResult() != FAIL) {
|
||||
attributeScv = validateDeltaPlatformCredentialAttributes(
|
||||
pc, device.getDeviceInfo(),
|
||||
baseCredential, deltaMapping);
|
||||
if (attributeScv.getResult() == FAIL) {
|
||||
attrErrorMessage = String.format("%s%s%n", attrErrorMessage,
|
||||
attributeScv.getMessage());
|
||||
}
|
||||
Iterator<PlatformCredential> it = pcs.iterator();
|
||||
String attrErrorMessage = "";
|
||||
while (it.hasNext()) {
|
||||
PlatformCredential pc = it.next();
|
||||
if (pc != null) {
|
||||
if (!pc.isBase()) {
|
||||
attributeScv = validateDeltaPlatformCredentialAttributes(
|
||||
pc, device.getDeviceInfo(),
|
||||
baseCredential, deltaMapping);
|
||||
if (attributeScv.getResult() == FAIL) {
|
||||
attrErrorMessage = String.format("%s%s%n", attrErrorMessage,
|
||||
attributeScv.getMessage());
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!attrErrorMessage.isEmpty()) {
|
||||
//combine platform and platform attributes
|
||||
validations.remove(platformScv);
|
||||
}
|
||||
if (!attrErrorMessage.isEmpty()) {
|
||||
//combine platform and platform attributes
|
||||
validations.remove(platformScv);
|
||||
if (platformScv != null) {
|
||||
validations.add(new SupplyChainValidation(
|
||||
platformScv.getValidationType(),
|
||||
attributeScv.getResult(), aes, attributeScv.getMessage()));
|
||||
}
|
||||
} else {
|
||||
validations.remove(platformScv);
|
||||
// base platform has errors
|
||||
validations.add(new SupplyChainValidation(platformScv.getValidationType(),
|
||||
attributeScv.getResult(), aes, attributeScv.getMessage()));
|
||||
}
|
||||
}
|
||||
|
||||
@ -261,6 +252,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
validations.add(validateFirmware(device, policy.getPcrPolicy()));
|
||||
}
|
||||
|
||||
LOGGER.error("The service finished and now summarizing");
|
||||
// Generate validation summary, save it, and return it.
|
||||
SupplyChainValidationSummary summary
|
||||
= new SupplyChainValidationSummary(device, validations);
|
||||
@ -784,9 +776,9 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
* already queried for that organization (which prevents infinite loops on
|
||||
* certs with an identical subject and issuer org)
|
||||
*
|
||||
* @param credential the credential whose CA chain should be retrieved
|
||||
* @param credential the credential whose CA chain should be retrieved
|
||||
* @param previouslyQueriedSubjects a list of organizations to refrain
|
||||
* from querying
|
||||
* from querying
|
||||
* @return a Set containing all relevant CA credentials to the given
|
||||
* certificate's organization
|
||||
*/
|
||||
|
||||
@ -318,6 +318,8 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
|
||||
final Map<PlatformCredential, SupplyChainValidation> deltaMapping) {
|
||||
String message;
|
||||
|
||||
LOGGER.error("Starting the method validateDeltaPlatformCredentialAttributes");
|
||||
|
||||
// this needs to be a loop for all deltas, link to issue #110
|
||||
// check that they don't have the same serial number
|
||||
for (PlatformCredential delta : deltaMapping.keySet()) {
|
||||
@ -340,6 +342,7 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
|
||||
}
|
||||
}
|
||||
|
||||
LOGGER.error("This is before validateDeltaAttributesChainV2p0");
|
||||
// parse out the provided delta and its specific chain.
|
||||
List<ComponentIdentifier> origPcComponents
|
||||
= new LinkedList<>(basePlatformCredential.getComponentIdentifiers());
|
||||
@ -657,7 +660,7 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
|
||||
baseCompList.add(deltaCi);
|
||||
}
|
||||
if (ciV2.isRemoved()) {
|
||||
LOGGER.error("Made it to this!");
|
||||
baseCompList.remove(ciV2);
|
||||
}
|
||||
// if it is a remove
|
||||
// we do nothing because baseCompList doesn't have it
|
||||
@ -1426,13 +1429,11 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
|
||||
// go through the leaf and check the changes against the valid components
|
||||
// forget modifying validOrigPcComponents
|
||||
for (PlatformCredential delta : chainCertificates) {
|
||||
LOGGER.error(delta.getSerialNumber());
|
||||
StringBuilder failureMsg = new StringBuilder();
|
||||
certificateList = new ArrayList<>();
|
||||
certificateList.add(delta);
|
||||
|
||||
for (ComponentIdentifier ci : delta.getComponentIdentifiers()) {
|
||||
LOGGER.error(ci.getComponentSerial());
|
||||
if (!noneSerialValues.contains(ci.getComponentSerial().toString())) {
|
||||
if (ci.isVersion2()) {
|
||||
ciSerial = ci.getComponentSerial().toString();
|
||||
@ -1496,7 +1497,6 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
|
||||
} else {
|
||||
// have to add in case later it is removed
|
||||
chainCiMapping.put(ciSerial, ci);
|
||||
LOGGER.error("This should be what happens");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user