Fixes to ACA certificate generation

HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java

@@ -19,8 +19,11 @@ import lombok.NoArgsConstructor;
 import lombok.Setter;
 import lombok.extern.log4j.Log4j2;
 import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.BasicConstraints;
 import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.KeyUsage;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.asn1.x509.X509Extension;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
@@ -83,7 +86,7 @@ public class AbstractProcessor {
             expiry.add(Calendar.DAY_OF_YEAR, getValidDays());
 
             X500Name issuer =
-                    new X500Name(acaCertificate.getSubjectX500Principal().getName());
+                    new X509CertificateHolder(acaCertificate.getEncoded()).getSubject();
             Date notBefore = new Date();
             Date notAfter = expiry.getTime();
             BigInteger serialNumber = BigInteger.valueOf(System.currentTimeMillis());
@@ -101,7 +104,7 @@ public class AbstractProcessor {
                             endorsementCredential, platformCredentials, deviceName);
 
             Extension authKeyIdentifier = IssuedCertificateAttributeHelper
-                    .buildAuthorityKeyIdentifier(endorsementCredential);
+                    .buildAuthorityKeyIdentifier(acaCertificate);
 
             builder.addExtension(subjectAlternativeName);
             if (authKeyIdentifier != null) {
@@ -116,6 +119,20 @@ public class AbstractProcessor {
                         + "Unable to issue certificates");
             }
 
+            // Add signing extension
+            builder.addExtension(
+                    X509Extension.keyUsage,
+                    true,
+                    new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)
+            );
+
+            // Basic constraints
+            builder.addExtension(
+                    X509Extension.basicConstraints,
+                    true,
+                    new BasicConstraints(false)
+            );
+
             ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA")
                     .setProvider("BC").build(getPrivateKey());
             X509CertificateHolder holder = builder.build(signer);

HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/helper/IssuedCertificateAttributeHelper.java

@@ -20,6 +20,7 @@ import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
 import org.bouncycastle.asn1.x509.GeneralNamesBuilder;
 import org.bouncycastle.asn1.x509.KeyPurposeId;
+import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
 import org.bouncycastle.asn1.x509.TBSCertificate;
 import org.bouncycastle.asn1.x509.AttributeCertificateInfo;
 
@@ -69,26 +70,28 @@ public final class IssuedCertificateAttributeHelper {
     /**
      * This method builds the AKI extension that will be stored in the generated
      * Attestation Issued Certificate.
-     * @param endorsementCredential EK object to pull AKI from.
+     * @param acaCertificate ACA certificate to pull SKI from, that will be used to build matching AKI.
      * @return the AKI extension.
-     * @throws IOException on bad get instance for AKI.
+     * @throws IOException on bad get instance for SKI.
      */
     public static Extension buildAuthorityKeyIdentifier(
-            final EndorsementCredential endorsementCredential) throws IOException {
+            final X509Certificate acaCertificate) throws IOException {
-        if (endorsementCredential == null || endorsementCredential.getX509Certificate() == null) {
+        if (acaCertificate == null) {
             return null;
         }
-        byte[] extValue = endorsementCredential.getX509Certificate()
+        byte[] extValue = acaCertificate
-                .getExtensionValue(Extension.authorityKeyIdentifier.getId());
+                .getExtensionValue(Extension.subjectKeyIdentifier.getId());
 
         if (extValue == null) {
             return null;
         }
 
         byte[] authExtension = ASN1OctetString.getInstance(extValue).getOctets();
-        AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(authExtension);
+        SubjectKeyIdentifier ski = SubjectKeyIdentifier.getInstance(authExtension);
 
-        return new Extension(Extension.authorityKeyIdentifier, true, aki.getEncoded());
+        AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(ski.getKeyIdentifier());
+
+        return new Extension(Extension.authorityKeyIdentifier, false, aki.getEncoded());
     }
 
     /**

HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/AttestationCertificateAuthorityTest.java

@@ -497,7 +497,7 @@ public class AttestationCertificateAuthorityTest {
 
         // validate mock interactions
         verify(acaCertificate).getSubjectX500Principal();
-        verifyNoMoreInteractions(identityProof, asymmetricPublicKey, storePubKey, acaCertificate);
+        verifyNoMoreInteractions(identityProof, asymmetricPublicKey, storePubKey);
     }
 
     /**

HIRS_AttestationCAPortal/src/main/resources/application.properties

@@ -33,7 +33,7 @@ server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks
 server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384
 server.ssl.key-store-type=JKS
 server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks
-server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384
+server.ssl.key-alias=HIRS_leaf_ca3_rsa_3k_sha384.pem
 server.ssl.enabled-protocols=TLSv1.2, TLSv1.3
 server.ssl.ciphers=TLS_AES_256_GCM_SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, AES256-GCM-SHA384