[#108] Validity Check for Base and Delta Certs (#126)

* Added methods and placeholders for checking the supply chain for base and delta credentials according to the new TCG spec

Checkstyle changes

Created a new SupplyChainValidation.ValidationType for delta credential attributes. The existing PLATFORM_CREDENTIAL
ValidationType will be used for both base and delta platform credentials from spec 1.1.

* Checkstyle error: trailing spaces

HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java

@@ -100,6 +100,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                 supplyChainAppraiser);
         boolean acceptExpiredCerts = policy.isExpiredCertificateValidationEnabled();
         HashMap<PlatformCredential, SupplyChainValidation> credentialMap = new HashMap<>();
+        PlatformCredential baseCredential = null;
 
         List<SupplyChainValidation> validations = new ArrayList<>();
 
@@ -137,6 +138,14 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                         pc.setDevice(device);
                         this.certificateManager.update(pc);
                         credentialMap.put(pc, platformScv);
+                        /*
+                         * This method will be added to PlatformCredential to return whether a given
+                         * object is a base or a delta credential.
+                         */
+/*                        if (pc.isBase()) {
+                            baseCredential = pc;
+                        }
+*/
                     }
                 }
             }
@@ -156,8 +165,14 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                 Iterator<PlatformCredential> it = pcs.iterator();
                 while (it.hasNext()) {
                     PlatformCredential pc = it.next();
-                    SupplyChainValidation attributeScv = validatePlatformCredentialAttributes(
+                    SupplyChainValidation attributeScv = null;
+                    if (pc == baseCredential || baseCredential == null) {
+                        attributeScv = validatePlatformCredentialAttributes(
                             pc, device.getDeviceInfo(), ec);
+                    } else {
+                        attributeScv = validateDeltaPlatformCredentialAttributes(
+                            pc, device.getDeviceInfo(), baseCredential);
+                    }
 
                     SupplyChainValidation platformScv = credentialMap.get(pc);
                     if (platformScv != null) {
@@ -288,6 +303,41 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
         }
     }
 
+    private SupplyChainValidation validateDeltaPlatformCredentialAttributes(
+            final PlatformCredential delta,
+            final DeviceInfoReport deviceInfoReport,
+            final PlatformCredential base) {
+    /*
+     * Do we need a new ValidationType for deltas?
+     */
+        final SupplyChainValidation.ValidationType validationType =
+                SupplyChainValidation.ValidationType.DELTA_PLATFORM_CREDENTIAL_ATTRIBUTES;
+
+        if (delta == null) {
+            LOGGER.error("No delta credential to validate");
+            return buildValidationRecord(validationType,
+                    AppraisalStatus.Status.FAIL, "Platform credential is missing",
+                    null, Level.ERROR);
+        }
+        LOGGER.info("Validating platform credential attributes");
+        AppraisalStatus result = supplyChainCredentialValidator.
+                validateDeltaPlatformCredentialAttributes(delta, deviceInfoReport, base);
+        switch (result.getAppStatus()) {
+            case PASS:
+                return buildValidationRecord(validationType, AppraisalStatus.Status.PASS,
+                        result.getMessage(), delta, Level.INFO);
+            case FAIL:
+                return buildValidationRecord(validationType, AppraisalStatus.Status.FAIL,
+                        result.getMessage(), delta, Level.WARN);
+            case ERROR:
+                return buildValidationRecord(validationType, AppraisalStatus.Status.ERROR,
+                        result.getMessage(), delta, Level.ERROR);
+            default:
+                return buildValidationRecord(validationType, AppraisalStatus.Status.ERROR,
+                        result.getMessage(), delta, Level.ERROR);
+        }
+    }
+
     /**
      * Creates a supply chain validation record and logs the validation
      * message at the specified log level.

HIRS_AttestationCA/src/test/java/hirs/attestationca/service/SupplyChainValidationServiceImplTest.java

@@ -93,6 +93,7 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest
     // mocked
     private SupplyChainPolicy policy;
     private PlatformCredential pc;
+//    private PlatformCredential delta;
     private EndorsementCredential ec;
     private HashSet<PlatformCredential> pcs;
     private Device device;
@@ -134,8 +135,13 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest
         pcs = new HashSet<PlatformCredential>();
         pcs.add(pc);
 
+        /*
+         * Mock delta platform credential here
+         */
+
         Set<Certificate> resultPcs = new HashSet<>();
         resultPcs.add(pc);
+        //resultPcs.add(delta);
 
         // mock credential retrieval
         when(certificateManager.get(any(EndorsementCredential.Selector.class)))
@@ -176,6 +182,11 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest
         doReturn(new AppraisalStatus(PASS, "")).when(supplyChainCredentialValidator)
                 .validatePlatformCredentialAttributes(eq(pc), any(DeviceInfoReport.class),
                         any(EndorsementCredential.class));
+/*
+        doReturn(new AppraisalStatus(PASS, "")).when(supplyChainCredentialValidator)
+                .validateDeltaPlatformCredentialAttributes(eq(delta), any(DeviceInfoReport.class),
+                        any(PlatformCredential.class));
+*/
 
         Assert.assertEquals(service.validateSupplyChain(ec, pcs,
                 device).getOverallValidationResult(), PASS);

HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidation.java

@@ -27,14 +27,19 @@ public class SupplyChainValidation extends ArchivableEntity {
         ENDORSEMENT_CREDENTIAL,
 
         /**
-         * Validation of a platform credential.
+         * Validation of a platform credential and also delta platform credentials from spec 1.1.
          */
         PLATFORM_CREDENTIAL,
 
         /**
          * Validation of a platform credential's attributes.
          */
-        PLATFORM_CREDENTIAL_ATTRIBUTES
+        PLATFORM_CREDENTIAL_ATTRIBUTES,
+
+        /**
+         * Validation of a delta platform credential's attributes.
+         */
+        DELTA_PLATFORM_CREDENTIAL_ATTRIBUTES
     }
 
     @Column

HIRS_Utils/src/main/java/hirs/validation/CredentialValidator.java

@@ -35,6 +35,19 @@ public interface CredentialValidator {
     AppraisalStatus validatePlatformCredentialAttributes(PlatformCredential pc,
                                                          DeviceInfoReport deviceInfoReport,
                                                          EndorsementCredential ec);
+
+    /**
+     * Checks if the delta credential's attributes are valid.
+     * @param delta the delta credential to verify
+     * @param deviceInfoReport The device info report containing
+     *                         serial number of the platform to be validated.
+     * @param base the base credential from the same identity request
+     *                              as the delta credential.
+     * @return the result of the validation.
+     */
+    AppraisalStatus validateDeltaPlatformCredentialAttributes(PlatformCredential delta,
+                                                              DeviceInfoReport deviceInfoReport,
+                                                              PlatformCredential base);
     /**
      * Checks if the endorsement credential is valid.
      *

HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java

@@ -251,6 +251,27 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
         return validatePlatformCredentialAttributesV1p2(platformCredential, deviceInfoReport);
     }
 
+    /**
+     * Checks if the delta credential's attributes are valid.
+     * @param deltaPlatformCredential the delta credential to verify
+     * @param deviceInfoReport The device info report containing
+     *                         serial number of the platform to be validated.
+     * @param basePlatformCredential the base credential from the same identity request
+     *                              as the delta credential.
+     * @return the result of the validation.
+     */
+    @Override
+    public AppraisalStatus validateDeltaPlatformCredentialAttributes(
+            final PlatformCredential deltaPlatformCredential,
+            final DeviceInfoReport deviceInfoReport,
+            final PlatformCredential basePlatformCredential) {
+
+        /*
+         * Code here to check the holder and attribute status fields
+         */
+        return validatePlatformCredentialAttributesV2p0(deltaPlatformCredential, deviceInfoReport);
+    }
+
     private static AppraisalStatus validatePlatformCredentialAttributesV1p2(
             final PlatformCredential platformCredential,
             final DeviceInfoReport deviceInfoReport) {