diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 26a9fddc..9c7d9c23 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java @@ -100,6 +100,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe supplyChainAppraiser); boolean acceptExpiredCerts = policy.isExpiredCertificateValidationEnabled(); HashMap credentialMap = new HashMap<>(); + PlatformCredential baseCredential = null; List validations = new ArrayList<>(); @@ -137,6 +138,14 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe pc.setDevice(device); this.certificateManager.update(pc); credentialMap.put(pc, platformScv); + /* + * This method will be added to PlatformCredential to return whether a given + * object is a base or a delta credential. + */ +/* if (pc.isBase()) { + baseCredential = pc; + } +*/ } } } @@ -156,8 +165,14 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe Iterator it = pcs.iterator(); while (it.hasNext()) { PlatformCredential pc = it.next(); - SupplyChainValidation attributeScv = validatePlatformCredentialAttributes( + SupplyChainValidation attributeScv = null; + if (pc == baseCredential || baseCredential == null) { + attributeScv = validatePlatformCredentialAttributes( pc, device.getDeviceInfo(), ec); + } else { + attributeScv = validateDeltaPlatformCredentialAttributes( + pc, device.getDeviceInfo(), baseCredential); + } SupplyChainValidation platformScv = credentialMap.get(pc); if (platformScv != null) { @@ -288,6 +303,41 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe } } + private SupplyChainValidation validateDeltaPlatformCredentialAttributes( + final PlatformCredential delta, + final DeviceInfoReport deviceInfoReport, + final PlatformCredential base) { + /* + * Do we need a new ValidationType for deltas? + */ + final SupplyChainValidation.ValidationType validationType = + SupplyChainValidation.ValidationType.DELTA_PLATFORM_CREDENTIAL_ATTRIBUTES; + + if (delta == null) { + LOGGER.error("No delta credential to validate"); + return buildValidationRecord(validationType, + AppraisalStatus.Status.FAIL, "Platform credential is missing", + null, Level.ERROR); + } + LOGGER.info("Validating platform credential attributes"); + AppraisalStatus result = supplyChainCredentialValidator. + validateDeltaPlatformCredentialAttributes(delta, deviceInfoReport, base); + switch (result.getAppStatus()) { + case PASS: + return buildValidationRecord(validationType, AppraisalStatus.Status.PASS, + result.getMessage(), delta, Level.INFO); + case FAIL: + return buildValidationRecord(validationType, AppraisalStatus.Status.FAIL, + result.getMessage(), delta, Level.WARN); + case ERROR: + return buildValidationRecord(validationType, AppraisalStatus.Status.ERROR, + result.getMessage(), delta, Level.ERROR); + default: + return buildValidationRecord(validationType, AppraisalStatus.Status.ERROR, + result.getMessage(), delta, Level.ERROR); + } + } + /** * Creates a supply chain validation record and logs the validation * message at the specified log level. diff --git a/HIRS_AttestationCA/src/test/java/hirs/attestationca/service/SupplyChainValidationServiceImplTest.java b/HIRS_AttestationCA/src/test/java/hirs/attestationca/service/SupplyChainValidationServiceImplTest.java index a622fbdd..1e55da0e 100644 --- a/HIRS_AttestationCA/src/test/java/hirs/attestationca/service/SupplyChainValidationServiceImplTest.java +++ b/HIRS_AttestationCA/src/test/java/hirs/attestationca/service/SupplyChainValidationServiceImplTest.java @@ -93,6 +93,7 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest // mocked private SupplyChainPolicy policy; private PlatformCredential pc; +// private PlatformCredential delta; private EndorsementCredential ec; private HashSet pcs; private Device device; @@ -134,8 +135,13 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest pcs = new HashSet(); pcs.add(pc); + /* + * Mock delta platform credential here + */ + Set resultPcs = new HashSet<>(); resultPcs.add(pc); + //resultPcs.add(delta); // mock credential retrieval when(certificateManager.get(any(EndorsementCredential.Selector.class))) @@ -176,6 +182,11 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest doReturn(new AppraisalStatus(PASS, "")).when(supplyChainCredentialValidator) .validatePlatformCredentialAttributes(eq(pc), any(DeviceInfoReport.class), any(EndorsementCredential.class)); +/* + doReturn(new AppraisalStatus(PASS, "")).when(supplyChainCredentialValidator) + .validateDeltaPlatformCredentialAttributes(eq(delta), any(DeviceInfoReport.class), + any(PlatformCredential.class)); +*/ Assert.assertEquals(service.validateSupplyChain(ec, pcs, device).getOverallValidationResult(), PASS); diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidation.java b/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidation.java index cbbef65e..6f54f389 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidation.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidation.java @@ -27,14 +27,19 @@ public class SupplyChainValidation extends ArchivableEntity { ENDORSEMENT_CREDENTIAL, /** - * Validation of a platform credential. + * Validation of a platform credential and also delta platform credentials from spec 1.1. */ PLATFORM_CREDENTIAL, /** * Validation of a platform credential's attributes. */ - PLATFORM_CREDENTIAL_ATTRIBUTES + PLATFORM_CREDENTIAL_ATTRIBUTES, + + /** + * Validation of a delta platform credential's attributes. + */ + DELTA_PLATFORM_CREDENTIAL_ATTRIBUTES } @Column diff --git a/HIRS_Utils/src/main/java/hirs/validation/CredentialValidator.java b/HIRS_Utils/src/main/java/hirs/validation/CredentialValidator.java index 1057ae8e..d88642ab 100644 --- a/HIRS_Utils/src/main/java/hirs/validation/CredentialValidator.java +++ b/HIRS_Utils/src/main/java/hirs/validation/CredentialValidator.java @@ -35,6 +35,19 @@ public interface CredentialValidator { AppraisalStatus validatePlatformCredentialAttributes(PlatformCredential pc, DeviceInfoReport deviceInfoReport, EndorsementCredential ec); + + /** + * Checks if the delta credential's attributes are valid. + * @param delta the delta credential to verify + * @param deviceInfoReport The device info report containing + * serial number of the platform to be validated. + * @param base the base credential from the same identity request + * as the delta credential. + * @return the result of the validation. + */ + AppraisalStatus validateDeltaPlatformCredentialAttributes(PlatformCredential delta, + DeviceInfoReport deviceInfoReport, + PlatformCredential base); /** * Checks if the endorsement credential is valid. * diff --git a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java index dcc0e74d..86ee688a 100644 --- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java +++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java @@ -251,6 +251,27 @@ public final class SupplyChainCredentialValidator implements CredentialValidator return validatePlatformCredentialAttributesV1p2(platformCredential, deviceInfoReport); } + /** + * Checks if the delta credential's attributes are valid. + * @param deltaPlatformCredential the delta credential to verify + * @param deviceInfoReport The device info report containing + * serial number of the platform to be validated. + * @param basePlatformCredential the base credential from the same identity request + * as the delta credential. + * @return the result of the validation. + */ + @Override + public AppraisalStatus validateDeltaPlatformCredentialAttributes( + final PlatformCredential deltaPlatformCredential, + final DeviceInfoReport deviceInfoReport, + final PlatformCredential basePlatformCredential) { + + /* + * Code here to check the holder and attribute status fields + */ + return validatePlatformCredentialAttributesV2p0(deltaPlatformCredential, deviceInfoReport); + } + private static AppraisalStatus validatePlatformCredentialAttributesV1p2( final PlatformCredential platformCredential, final DeviceInfoReport deviceInfoReport) {