Additional refactor
This commit is contained in:
parent
271cfa0145
commit
9812f464e8
@ -1,7 +1,7 @@
|
|||||||
package hirs.attestationca;
|
package hirs.attestationca;
|
||||||
|
|
||||||
import hirs.appraiser.SupplyChainAppraiser;
|
import hirs.appraiser.SupplyChainAppraiser;
|
||||||
import hirs.data.persist.policy.SupplyChainPolicy;
|
import hirs.attestationca.policy.SupplyChainPolicy;
|
||||||
import hirs.attestationca.service.AppraiserService;
|
import hirs.attestationca.service.AppraiserService;
|
||||||
import hirs.attestationca.service.PolicyService;
|
import hirs.attestationca.service.PolicyService;
|
||||||
|
|
||||||
|
@ -1,4 +1,6 @@
|
|||||||
package hirs.data.persist.policy;
|
package hirs.attestationca.policy;
|
||||||
|
|
||||||
|
import hirs.data.persist.policy.Policy;
|
||||||
|
|
||||||
import javax.persistence.Column;
|
import javax.persistence.Column;
|
||||||
import javax.persistence.Embedded;
|
import javax.persistence.Embedded;
|
@ -14,7 +14,7 @@ import hirs.attestationca.entity.certificate.CertificateAuthorityCredential;
|
|||||||
import hirs.attestationca.entity.certificate.DeviceAssociatedCertificate;
|
import hirs.attestationca.entity.certificate.DeviceAssociatedCertificate;
|
||||||
import hirs.attestationca.entity.certificate.EndorsementCredential;
|
import hirs.attestationca.entity.certificate.EndorsementCredential;
|
||||||
import hirs.attestationca.entity.certificate.PlatformCredential;
|
import hirs.attestationca.entity.certificate.PlatformCredential;
|
||||||
import hirs.data.persist.policy.SupplyChainPolicy;
|
import hirs.attestationca.policy.SupplyChainPolicy;
|
||||||
import hirs.persist.CrudManager;
|
import hirs.persist.CrudManager;
|
||||||
import hirs.validation.CredentialValidator;
|
import hirs.validation.CredentialValidator;
|
||||||
import hirs.attestationca.validation.SupplyChainCredentialValidator;
|
import hirs.attestationca.validation.SupplyChainCredentialValidator;
|
||||||
|
@ -35,7 +35,7 @@ import hirs.data.persist.info.HardwareInfo;
|
|||||||
import hirs.data.persist.info.NetworkInfo;
|
import hirs.data.persist.info.NetworkInfo;
|
||||||
import hirs.data.persist.info.OSInfo;
|
import hirs.data.persist.info.OSInfo;
|
||||||
import hirs.data.persist.info.TPMInfo;
|
import hirs.data.persist.info.TPMInfo;
|
||||||
import hirs.data.persist.policy.SupplyChainPolicy;
|
import hirs.attestationca.policy.SupplyChainPolicy;
|
||||||
import hirs.structs.converters.SimpleStructBuilder;
|
import hirs.structs.converters.SimpleStructBuilder;
|
||||||
import hirs.structs.converters.StructConverter;
|
import hirs.structs.converters.StructConverter;
|
||||||
import hirs.structs.elements.aca.IdentityRequestEnvelope;
|
import hirs.structs.elements.aca.IdentityRequestEnvelope;
|
||||||
|
@ -1,9 +1,9 @@
|
|||||||
package hirs;
|
package hirs.attestationca.portal;
|
||||||
|
|
||||||
import com.fasterxml.jackson.core.JsonGenerator;
|
import com.fasterxml.jackson.core.JsonGenerator;
|
||||||
import com.fasterxml.jackson.databind.JsonSerializer;
|
import com.fasterxml.jackson.databind.JsonSerializer;
|
||||||
import com.fasterxml.jackson.databind.SerializerProvider;
|
import com.fasterxml.jackson.databind.SerializerProvider;
|
||||||
import hirs.data.persist.AppraisalResult;
|
import hirs.attestationca.entity.AppraisalResult;
|
||||||
|
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
|
@ -1,6 +1,6 @@
|
|||||||
package hirs.attestationca.portal.model;
|
package hirs.attestationca.portal.model;
|
||||||
|
|
||||||
import hirs.data.persist.policy.SupplyChainPolicy;
|
import hirs.attestationca.policy.SupplyChainPolicy;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* PolicyPage model object to demonstrate data exchange between policy.jsp page
|
* PolicyPage model object to demonstrate data exchange between policy.jsp page
|
||||||
|
@ -6,7 +6,7 @@ import hirs.attestationca.portal.model.PolicyPageModel;
|
|||||||
import hirs.attestationca.portal.page.PageController;
|
import hirs.attestationca.portal.page.PageController;
|
||||||
import hirs.attestationca.portal.page.PageMessages;
|
import hirs.attestationca.portal.page.PageMessages;
|
||||||
import hirs.attestationca.portal.page.params.NoPageParams;
|
import hirs.attestationca.portal.page.params.NoPageParams;
|
||||||
import hirs.data.persist.policy.SupplyChainPolicy;
|
import hirs.attestationca.policy.SupplyChainPolicy;
|
||||||
import hirs.persist.PolicyManagerException;
|
import hirs.persist.PolicyManagerException;
|
||||||
import hirs.attestationca.service.AppraiserService;
|
import hirs.attestationca.service.AppraiserService;
|
||||||
import hirs.attestationca.service.PolicyService;
|
import hirs.attestationca.service.PolicyService;
|
||||||
|
@ -4,7 +4,7 @@ import hirs.attestationca.entity.Device;
|
|||||||
import hirs.attestationca.entity.SupplyChainValidationSummary;
|
import hirs.attestationca.entity.SupplyChainValidationSummary;
|
||||||
import hirs.attestationca.entity.certificate.EndorsementCredential;
|
import hirs.attestationca.entity.certificate.EndorsementCredential;
|
||||||
import hirs.attestationca.entity.certificate.PlatformCredential;
|
import hirs.attestationca.entity.certificate.PlatformCredential;
|
||||||
import hirs.data.persist.policy.SupplyChainPolicy;
|
import hirs.attestationca.policy.SupplyChainPolicy;
|
||||||
|
|
||||||
import java.util.Set;
|
import java.util.Set;
|
||||||
|
|
||||||
|
@ -21,7 +21,7 @@ import hirs.attestationca.entity.certificate.CertificateAuthorityCredential;
|
|||||||
import hirs.attestationca.entity.certificate.EndorsementCredential;
|
import hirs.attestationca.entity.certificate.EndorsementCredential;
|
||||||
import hirs.attestationca.entity.certificate.PlatformCredential;
|
import hirs.attestationca.entity.certificate.PlatformCredential;
|
||||||
import hirs.attestationca.policy.PCRPolicy;
|
import hirs.attestationca.policy.PCRPolicy;
|
||||||
import hirs.data.persist.policy.SupplyChainPolicy;
|
import hirs.attestationca.policy.SupplyChainPolicy;
|
||||||
import hirs.persist.CrudManager;
|
import hirs.persist.CrudManager;
|
||||||
import hirs.persist.DBManagerException;
|
import hirs.persist.DBManagerException;
|
||||||
import hirs.attestationca.service.AppraiserService;
|
import hirs.attestationca.service.AppraiserService;
|
||||||
|
@ -4,7 +4,7 @@ import hirs.appraiser.Appraiser;
|
|||||||
import hirs.appraiser.SupplyChainAppraiser;
|
import hirs.appraiser.SupplyChainAppraiser;
|
||||||
import hirs.attestationca.portal.page.PageController;
|
import hirs.attestationca.portal.page.PageController;
|
||||||
import hirs.attestationca.portal.page.PageControllerTest;
|
import hirs.attestationca.portal.page.PageControllerTest;
|
||||||
import hirs.data.persist.policy.SupplyChainPolicy;
|
import hirs.attestationca.policy.SupplyChainPolicy;
|
||||||
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
import org.springframework.test.web.servlet.ResultActions;
|
import org.springframework.test.web.servlet.ResultActions;
|
||||||
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
|
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
|
||||||
|
@ -1,162 +0,0 @@
|
|||||||
package hirs.data.persist;
|
|
||||||
|
|
||||||
import java.sql.Timestamp;
|
|
||||||
|
|
||||||
import javax.persistence.Column;
|
|
||||||
import javax.persistence.Entity;
|
|
||||||
import javax.persistence.EnumType;
|
|
||||||
import javax.persistence.Enumerated;
|
|
||||||
import javax.persistence.GeneratedValue;
|
|
||||||
import javax.persistence.GenerationType;
|
|
||||||
import javax.persistence.Id;
|
|
||||||
import javax.persistence.JoinColumn;
|
|
||||||
import javax.persistence.ManyToOne;
|
|
||||||
import javax.persistence.Table;
|
|
||||||
import javax.xml.bind.annotation.XmlAttribute;
|
|
||||||
import javax.xml.bind.annotation.XmlElement;
|
|
||||||
import javax.xml.bind.annotation.XmlRootElement;
|
|
||||||
import javax.xml.bind.annotation.XmlType;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* DTO representing a Report. Reports are the basic DTOs exchanged between the
|
|
||||||
* HIRS client machines and the HIRS server machines.
|
|
||||||
*
|
|
||||||
* Reports are partially persisted in HIRS server database as rows in the
|
|
||||||
* 'Report' table. Only the values necessary for locating particular reports for
|
|
||||||
* processing or presentation are saved in the database; the remainder of the
|
|
||||||
* Report's contents are saved on disk as a file. The expected use case of the
|
|
||||||
* Report records in the database is:
|
|
||||||
* - Select one or more Report objects from
|
|
||||||
* the database based on some search criteria.
|
|
||||||
* - From the returned Report
|
|
||||||
* objects, obtain the IDs of the reports in question. - Use these IDs to access
|
|
||||||
* the complete report from disk.
|
|
||||||
*
|
|
||||||
* Reports have an XML representation, generated via JAXB
|
|
||||||
*
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
@Entity
|
|
||||||
@Table(name = "ReportMapper")
|
|
||||||
@XmlRootElement(name = "report")
|
|
||||||
public class ReportMapper {
|
|
||||||
|
|
||||||
/*------------------- HIBERNATE-MAPPED PROPERTIES -----------------------*/
|
|
||||||
/**
|
|
||||||
* The unique ID of the Report, if one exists. Reports are assigned their ID
|
|
||||||
* when they are first inserted into the HIRS database. Newly-created
|
|
||||||
* Reports have a 'null' ID, indicating that they have not yet been
|
|
||||||
* persisted. An important use case for this is when a Report DTO is
|
|
||||||
* deserialized as it is submitted by a HIRS client: in this case, no ID
|
|
||||||
* will have been reported by the client (since the client has no idea of
|
|
||||||
* the existence of the server database)
|
|
||||||
*
|
|
||||||
* In XML representation, a Report's id is represented by its 'id'
|
|
||||||
* attribute.
|
|
||||||
*/
|
|
||||||
@Id
|
|
||||||
@Column(name = "id")
|
|
||||||
@GeneratedValue(strategy = GenerationType.AUTO)
|
|
||||||
private Integer id;
|
|
||||||
|
|
||||||
@XmlAttribute(name = "id", required = false)
|
|
||||||
public Integer getId() {
|
|
||||||
return id;
|
|
||||||
}
|
|
||||||
|
|
||||||
public void setId(Integer id) {
|
|
||||||
this.id = id;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* The processing state of this report. Reports have a very simple
|
|
||||||
* lifecycle: - NEW: The report is newly generated - INIT: The report has
|
|
||||||
* had its nonce value assigned and returned to the client; the appraiser is
|
|
||||||
* waiting for the client to return the completed report. - DONE: The report
|
|
||||||
* has been received, saved in the database, and processed.
|
|
||||||
*
|
|
||||||
* Additional states may be added as the system evolves.
|
|
||||||
*/
|
|
||||||
@Column(name = "state")
|
|
||||||
@Enumerated(EnumType.STRING)
|
|
||||||
private State state;
|
|
||||||
|
|
||||||
@XmlType(name = "ReportState")
|
|
||||||
public enum State {
|
|
||||||
|
|
||||||
NEW, INIT, DONE
|
|
||||||
};
|
|
||||||
|
|
||||||
@XmlAttribute(name = "state")
|
|
||||||
public State getState() {
|
|
||||||
return state;
|
|
||||||
}
|
|
||||||
|
|
||||||
public void setState(State state) {
|
|
||||||
this.state = state;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* The Client DTO associated with this Report. Each Report is (optionally)
|
|
||||||
* associated with a Client object, which encapsulates business information
|
|
||||||
* about the client (IP number, OS version, etc.) The Client objects are
|
|
||||||
* persisted in their own database table and have a many-to-one relationship
|
|
||||||
* with their Reports: many Reports can be associated with a single Client
|
|
||||||
* in the database.
|
|
||||||
*
|
|
||||||
* In XML representation, a Report's associated Client is represented by a
|
|
||||||
* child <client> element.
|
|
||||||
*/
|
|
||||||
@ManyToOne
|
|
||||||
@JoinColumn(name = "client_id")
|
|
||||||
private Device client;
|
|
||||||
|
|
||||||
@XmlElement(name = "client", required = false)
|
|
||||||
public Device getClient() {
|
|
||||||
return client;
|
|
||||||
}
|
|
||||||
|
|
||||||
public void setClient(Device client) {
|
|
||||||
this.client = client;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Column(name = "timestamp")
|
|
||||||
private Timestamp timestamp;
|
|
||||||
|
|
||||||
@XmlElement(name = "timestamp")
|
|
||||||
public Timestamp getTimestamp() {
|
|
||||||
return new Timestamp(timestamp.getTime());
|
|
||||||
}
|
|
||||||
|
|
||||||
public void setTimestamp(Timestamp timestamp) {
|
|
||||||
this.timestamp = new Timestamp(timestamp.getTime());
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* The nonce value of the Report, used to prevent replays. The intended use
|
|
||||||
* case is: - A client contacts the appraiser to begin the report submission
|
|
||||||
* process by calling the 'initReport()' method. - The appraiser creates a
|
|
||||||
* new Report object, assigns it a nonce value, and saves the Report in the
|
|
||||||
* database - The appraiser responds back to the client, including the nonce
|
|
||||||
* value.
|
|
||||||
*
|
|
||||||
* Later, when the Client has finished generating the report, it submits it
|
|
||||||
* back to the appraiser including the nonce value: - The client sends the
|
|
||||||
* report to the appraiser. - The appraiser extracts out the nonce value of
|
|
||||||
* the report, and uses it to locate the corresponding Report in the
|
|
||||||
* database. - Once the Report has been located, the appraiser fills out its
|
|
||||||
* details from the report that the client has submitted.
|
|
||||||
*/
|
|
||||||
@Column(name = "nonce")
|
|
||||||
private byte[] nonce;
|
|
||||||
|
|
||||||
@XmlElement(name = "nonce")
|
|
||||||
public byte[] getNonce() {
|
|
||||||
return nonce.clone();
|
|
||||||
}
|
|
||||||
|
|
||||||
public void setNonce(byte[] nonce) {
|
|
||||||
this.nonce = nonce.clone();
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
@ -1,6 +1,5 @@
|
|||||||
package hirs.data.persist.policy;
|
package hirs.data.persist.policy;
|
||||||
|
|
||||||
import hirs.data.persist.TPMMeasurementRecord;
|
|
||||||
import hirs.data.persist.enums.AlertSeverity;
|
import hirs.data.persist.enums.AlertSeverity;
|
||||||
import org.apache.commons.lang3.StringUtils;
|
import org.apache.commons.lang3.StringUtils;
|
||||||
import org.apache.logging.log4j.LogManager;
|
import org.apache.logging.log4j.LogManager;
|
||||||
@ -139,7 +138,6 @@ public final class TPMPolicy extends Policy {
|
|||||||
*/
|
*/
|
||||||
public void addToDeviceSpecificPCRs(final int pcrId) {
|
public void addToDeviceSpecificPCRs(final int pcrId) {
|
||||||
LOGGER.debug("adding device-specific PCR ID# {} to policy {}", pcrId, getName());
|
LOGGER.debug("adding device-specific PCR ID# {} to policy {}", pcrId, getName());
|
||||||
TPMMeasurementRecord.checkForValidPcrId(pcrId);
|
|
||||||
|
|
||||||
if (deviceSpecificPCRs.contains(pcrId)) {
|
if (deviceSpecificPCRs.contains(pcrId)) {
|
||||||
LOGGER.info("PCR ID already exists in list: {}", pcrId);
|
LOGGER.info("PCR ID already exists in list: {}", pcrId);
|
||||||
@ -310,7 +308,6 @@ public final class TPMPolicy extends Policy {
|
|||||||
* @param pcrId the PCR to set to appraised.
|
* @param pcrId the PCR to set to appraised.
|
||||||
*/
|
*/
|
||||||
public void setPcrAppraised(final int pcrId) {
|
public void setPcrAppraised(final int pcrId) {
|
||||||
TPMMeasurementRecord.checkForValidPcrId(pcrId);
|
|
||||||
if (!isPcrReported(pcrId)) {
|
if (!isPcrReported(pcrId)) {
|
||||||
String msg = "Cannot set PCR to be Appraised."
|
String msg = "Cannot set PCR to be Appraised."
|
||||||
+ " It is not being reported on by this Policy.";
|
+ " It is not being reported on by this Policy.";
|
||||||
|
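Review bot: Dropping `TPMMeasurementRecord.checkForValidPcrId(pcrId);` from both `addToDeviceSpecificPCRs` and `setPcrAppraised` leaves those methods with no visible range check on `pcrId`, so a negative or out-of-range PCR index now reaches `deviceSpecificPCRs.contains(pcrId)` and `isPcrReported(pcrId)` unvalidated. The import is removed without a replacement, which reads as the class having moved during the refactor and the call being deleted rather than retargeted; if a guard now lives somewhere outside these hunks this is moot, but nothing in the section shows one. Either restore the call against the class's new package or add an equivalent local guard at the same spot, e.g. `if (pcrId < 0 || pcrId > MAX_PCR_ID) { throw new IllegalArgumentException("invalid PCR ID: " + pcrId); }` with `MAX_PCR_ID` matching whatever `checkForValidPcrId` enforced. The bodies of both methods continue past the end of their hunks.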
@ -1,8 +1,5 @@
|
|||||||
package hirs.data.persist.tpm;
|
package hirs.data.persist.tpm;
|
||||||
|
|
||||||
import hirs.data.persist.Digest;
|
|
||||||
import hirs.data.persist.TPMMeasurementRecord;
|
|
||||||
import hirs.data.persist.enums.DigestAlgorithm;
|
|
||||||
import org.apache.commons.codec.binary.Hex;
|
import org.apache.commons.codec.binary.Hex;
|
||||||
import org.apache.logging.log4j.LogManager;
|
import org.apache.logging.log4j.LogManager;
|
||||||
import org.apache.logging.log4j.Logger;
|
import org.apache.logging.log4j.Logger;
|
||||||
@ -22,8 +19,6 @@ import java.nio.ByteBuffer;
|
|||||||
import java.security.MessageDigest;
|
import java.security.MessageDigest;
|
||||||
import java.security.NoSuchAlgorithmException;
|
import java.security.NoSuchAlgorithmException;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Iterator;
|
|
||||||
import java.util.List;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Java class for PcrInfoShort complex type, which was modified from code
|
* Java class for PcrInfoShort complex type, which was modified from code
|
||||||
@ -212,12 +207,8 @@ public class PcrInfoShort implements Serializable {
|
|||||||
* if MessageDigest doesn't recognize "SHA-1" or "SHA-256"
|
* if MessageDigest doesn't recognize "SHA-1" or "SHA-256"
|
||||||
*/
|
*/
|
||||||
public final byte[] getCalculatedDigest() throws NoSuchAlgorithmException {
|
public final byte[] getCalculatedDigest() throws NoSuchAlgorithmException {
|
||||||
if (this.isTpm1()) {
|
|
||||||
return getCalculatedDigestTpmV1p2(MessageDigest.getInstance("SHA-1"));
|
|
||||||
} else {
|
|
||||||
return getCalculatedDigestTpmV2p0(MessageDigest.getInstance("SHA-256"));
|
return getCalculatedDigestTpmV2p0(MessageDigest.getInstance("SHA-256"));
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Calculates the SHA-1 digest of the PCR values the same way a TPM computes the digest
|
* Calculates the SHA-1 digest of the PCR values the same way a TPM computes the digest
|
||||||
@ -241,10 +232,6 @@ public class PcrInfoShort implements Serializable {
|
|||||||
byteBuffer.put(this.pcrSelection.getValue());
|
byteBuffer.put(this.pcrSelection.getValue());
|
||||||
byteBuffer.putInt(pcrComposite.getValueSize());
|
byteBuffer.putInt(pcrComposite.getValueSize());
|
||||||
|
|
||||||
for (TPMMeasurementRecord record: pcrComposite.getPcrValueList()) {
|
|
||||||
byteBuffer.put(record.getHash().getDigest());
|
|
||||||
}
|
|
||||||
|
|
||||||
LOGGER.debug("PCR composite buffer to be hashed: {}",
|
LOGGER.debug("PCR composite buffer to be hashed: {}",
|
||||||
Hex.encodeHexString(byteBuffer.array()));
|
Hex.encodeHexString(byteBuffer.array()));
|
||||||
computedDigest = messageDigest.digest(byteBuffer.array());
|
computedDigest = messageDigest.digest(byteBuffer.array());
|
||||||
@ -265,12 +252,6 @@ public class PcrInfoShort implements Serializable {
|
|||||||
int sizeOfByteBuffer = pcrComposite.getValueSize();
|
int sizeOfByteBuffer = pcrComposite.getValueSize();
|
||||||
ByteBuffer byteBuffer = ByteBuffer.allocate(sizeOfByteBuffer);
|
ByteBuffer byteBuffer = ByteBuffer.allocate(sizeOfByteBuffer);
|
||||||
LOGGER.debug("Size of the buffer allocated to hash: {}", sizeOfByteBuffer);
|
LOGGER.debug("Size of the buffer allocated to hash: {}", sizeOfByteBuffer);
|
||||||
Iterator iter = pcrComposite.getPcrValueList().iterator();
|
|
||||||
|
|
||||||
while (iter.hasNext()) {
|
|
||||||
TPMMeasurementRecord record = (TPMMeasurementRecord) iter.next();
|
|
||||||
byteBuffer.put(record.getHash().getDigest());
|
|
||||||
}
|
|
||||||
|
|
||||||
LOGGER.debug("PCR composite buffer to be hashed: {}",
|
LOGGER.debug("PCR composite buffer to be hashed: {}",
|
||||||
Hex.encodeHexString(byteBuffer.array()));
|
Hex.encodeHexString(byteBuffer.array()));
|
||||||
@ -293,22 +274,4 @@ public class PcrInfoShort implements Serializable {
|
|||||||
|
|
||||||
return byteBuffer.array();
|
return byteBuffer.array();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Determines whether the TPM used to generate this pcr info is version 1.2 or not.
|
|
||||||
*
|
|
||||||
* @return whether the TPM used to generate this pcr info is version 1.2 or not
|
|
||||||
*/
|
|
||||||
public boolean isTpm1() {
|
|
||||||
// need to get an individual PCR and measure length to determine SHA1 v SHA 256
|
|
||||||
List<TPMMeasurementRecord> pcrs = this.getPcrComposite().getPcrValueList();
|
|
||||||
if (pcrs.size() == 0) {
|
|
||||||
// it's the case of an empty pcrmask, so it doesn't matter
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
Digest hash = pcrs.get(0).getHash();
|
|
||||||
// check if the hash algorithm is SHA 1, if so it's TPM 1.2, if not it's TPM 2.0
|
|
||||||
return hash.getAlgorithm() == DigestAlgorithm.SHA1;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
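Review bot: In the `@ -241,10 +232,6 @@` hunk the loop that appended each record's digest to `byteBuffer` is removed, so `getCalculatedDigestTpmV1p2` now hashes only the PCR selection, the value size and a zero-filled remainder; the `@ -265,12 +252,6 @@` hunk does the same to the 2.0 path, which now hashes an untouched buffer of `pcrComposite.getValueSize()` bytes. Unless the PCR values are written into the buffer somewhere outside these hunks (nothing in the section shows that), the computed digest no longer depends on the reported PCR values, and any comparison against a quote's digest will be wrong. The removed import suggests `TPMMeasurementRecord` moved packages, so the fix is to restore the loop against its new location: `for (TPMMeasurementRecord record : pcrComposite.getPcrValueList()) { byteBuffer.put(record.getHash().getDigest()); }` in both methods. Separately, `getCalculatedDigest` now always takes the SHA-256 path with `isTpm1()` deleted, so `getCalculatedDigestTpmV1p2` appears unreachable from here while the Javadoc still promises SHA-1 for TPM 1.2; either remove that path too or document that only TPM 2.0 is supported. Both hashing methods start and end outside their hunks.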