Initial Commit. Setup for DevID implementation.

2025-03-16 00:55:25 +00:00 · 2021-09-22 13:26:49 -04:00 · 2021-09-22 13:26:49 -04:00 · 9d8360c1c1
commit 9d8360c1c1
parent f8a3ccd962
10 changed files with 284 additions and 78 deletions
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@ -22,6 +22,7 @@ import hirs.data.persist.SwidResource;
 import hirs.data.persist.certificate.Certificate;
 import hirs.data.persist.certificate.EndorsementCredential;
 import hirs.data.persist.certificate.IssuedAttestationCertificate;
+import hirs.data.persist.certificate.IssuedCertificate;
 import hirs.data.persist.certificate.PlatformCredential;
 import hirs.data.persist.info.FirmwareInfo;
 import hirs.data.persist.info.HardwareInfo;
@ -1850,7 +1851,7 @@ public abstract class AbstractAttestationCertificateAuthority
                                            final EndorsementCredential endorsementCredential,
                                            final Set<PlatformCredential> platformCredentials,
                                            final Device device) {
-        IssuedAttestationCertificate issuedAc;
+        IssuedCertificate issuedAc;
        boolean generateCertificate = true;
        SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
        Date currentDate = new Date();
@ -1861,7 +1862,7 @@ public abstract class AbstractAttestationCertificateAuthority
                    derEncodedAttestationCertificate, endorsementCredential, platformCredentials);

            if (scp != null) {
-                issuedAc = IssuedAttestationCertificate.select(certificateManager)
+                issuedAc = IssuedCertificate.select(certificateManager)
                        .byDeviceId(device.getId()).getCertificate();

                generateCertificate = scp.isIssueAttestationCertificate();
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AttestationCertificateAuthority.java
@ -8,7 +8,7 @@ public interface AttestationCertificateAuthority {
    /**
     * The default size for IV blocks.
     */
-    int DEFAULT_IV_SIZE = 16;
+    public int DEFAULT_IV_SIZE = 16;

    /**
     * Processes a given {@link hirs.structs.elements.aca.IdentityRequestEnvelope} and
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/CertificateRequestPageController.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/CertificateRequestPageController.java
@ -12,7 +12,7 @@ import hirs.attestationca.portal.util.CertificateStringMapBuilder;
 import hirs.data.persist.certificate.Certificate;
 import hirs.data.persist.certificate.CertificateAuthorityCredential;
 import hirs.data.persist.certificate.EndorsementCredential;
-import hirs.data.persist.certificate.IssuedAttestationCertificate;
+import hirs.data.persist.certificate.IssuedCertificate;
 import hirs.data.persist.certificate.PlatformCredential;
 import hirs.persist.CertificateManager;
 import hirs.persist.CriteriaModifier;
@ -446,7 +446,7 @@ public class CertificateRequestPageController extends PageController<NoPageParam
            case ENDORSEMENTCREDENTIAL:
                return EndorsementCredential.class;
            case ISSUEDCERTIFICATES:
-                return IssuedAttestationCertificate.class;
+                return IssuedCertificate.class;
            case TRUSTCHAIN:
                return CertificateAuthorityCredential.class;
            default:
@ -499,7 +499,7 @@ public class CertificateRequestPageController extends PageController<NoPageParam
                        .byEntityId(uuid)
                        .getCertificate();
            case ISSUEDCERTIFICATES:
-                return IssuedAttestationCertificate
+                return IssuedCertificate
                        .select(certificateManager)
                        .byEntityId(uuid)
                        .getCertificate();
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/util/CertificateStringMapBuilder.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/util/CertificateStringMapBuilder.java
@ -1,30 +1,30 @@
 package hirs.attestationca.portal.util;

-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
-
-import java.io.IOException;
-import java.math.BigInteger;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Set;
-import java.util.List;
-import java.util.Comparator;
-import java.util.stream.Collectors;
-import java.util.UUID;
 import hirs.data.persist.certificate.Certificate;
 import hirs.data.persist.certificate.CertificateAuthorityCredential;
 import hirs.data.persist.certificate.EndorsementCredential;
-import hirs.data.persist.certificate.PlatformCredential;
 import hirs.data.persist.certificate.IssuedAttestationCertificate;
+import hirs.data.persist.certificate.IssuedCertificate;
+import hirs.data.persist.certificate.PlatformCredential;
 import hirs.data.persist.certificate.attributes.ComponentIdentifier;
 import hirs.data.persist.certificate.attributes.PlatformConfiguration;
 import hirs.persist.CertificateManager;
 import hirs.utils.BouncyCastleUtils;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.bouncycastle.util.encoders.Hex;

+import java.io.IOException;
+import java.math.BigInteger;
+import java.util.Arrays;
 import java.util.Collections;
+import java.util.Comparator;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.UUID;
+import java.util.stream.Collectors;

 /**
 * Utility class for mapping certificate information in to string maps. These are used to display
@ -469,7 +469,7 @@ public final class CertificateStringMapBuilder {
    public static HashMap<String, String> getIssuedInformation(final UUID uuid,
            final CertificateManager certificateManager) {
        HashMap<String, String> data = new HashMap<>();
-        IssuedAttestationCertificate certificate = IssuedAttestationCertificate
+        IssuedCertificate certificate = IssuedCertificate
                .select(certificateManager)
                .byEntityId(uuid)
                .getCertificate();
--- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp
+++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp
@ -182,7 +182,7 @@
                                    <div class="radio">
                                        <label>
                                        <input id="devIdBot" type="checkbox" name="devIdExpirationChecked" ${initialData.devIdExpirationFlag ? 'checked' : ''} value="checked" />
-                                        Attestation Certificate validity period (Default 3651 days)<br />
+                                        DevID Certificate validity period (Default 3651 days)<br />
                                        Select period in days: <input id="devIdExpirationValue" type="text" name="devIdExpirationValue" value="${initialData.devIdExpirationValue}" />
                                        </label>
                                    </div>
--- a/HIRS_Utils/src/main/java/hirs/data/persist/certificate/IssuedAttestationCertificate.java
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/certificate/IssuedAttestationCertificate.java
@ -3,35 +3,17 @@ package hirs.data.persist.certificate;
 import hirs.persist.CertificateManager;
 import hirs.persist.CertificateSelector;

+import javax.persistence.Entity;
 import java.io.IOException;
 import java.nio.file.Path;
-import java.util.Collections;
 import java.util.Set;
 import java.util.UUID;
-import javax.persistence.Entity;
-import javax.persistence.FetchType;
-import javax.persistence.JoinColumn;
-import javax.persistence.ManyToMany;
-import javax.persistence.ManyToOne;

 /**
 * Represents an issued attestation certificate to a HIRS Client.
 */
@Entity
-public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
-
-    /**
-     * AIC label that must be used.
-     */
-    public static final String AIC_TYPE_LABEL = "TCPA Trusted Platform Identity";
-
-    @ManyToOne(fetch = FetchType.EAGER)
-    @JoinColumn(name = "ek_id")
-    private EndorsementCredential endorsementCredential;
-
-    @ManyToMany(fetch = FetchType.EAGER)
-    @JoinColumn(name = "pc_id")
-    private Set<PlatformCredential> platformCredentials;
+public class IssuedAttestationCertificate extends IssuedCertificate {

    /**
     * This class enables the retrieval of IssuedAttestationCertificate by their attributes.
@ -60,17 +42,6 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
        }
    }

-    /**
-     * Get a Selector for use in retrieving IssuedAttestationCertificate.
-     *
-     * @param certMan the CertificateManager to be used to retrieve persisted certificates
-     * @return a IssuedAttestationCertificate.Selector instance to use for retrieving certificates
-     */
-    public static IssuedAttestationCertificate.Selector select(final CertificateManager certMan) {
-        return new IssuedAttestationCertificate.Selector(certMan);
-    }
-
-
    /**
     * Default constructor for Hibernate.
     */
@ -89,9 +60,8 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
                                        final EndorsementCredential endorsementCredential,
                                        final Set<PlatformCredential> platformCredentials)
            throws IOException {
-        super(certificateBytes);
-        this.endorsementCredential = endorsementCredential;
-        this.platformCredentials = platformCredentials;
+        super(certificateBytes, endorsementCredential, platformCredentials);
+        this.setIssuedType(ISSUED_TYPE_AK);
    }

    /**
@ -108,19 +78,4 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
        this(readBytes(certificatePath), endorsementCredential, platformCredentials);
    }

-    /**
-     *
-     * @return the Endorsement Credential
-     */
-    public EndorsementCredential getEndorsementCredential() {
-        return endorsementCredential;
-    }
-
-    /**
-     *
-     * @return the platform credential
-     */
-    public Set<PlatformCredential> getPlatformCredentials() {
-        return Collections.unmodifiableSet(platformCredentials);
-    }
 }
--- a/HIRS_Utils/src/main/java/hirs/data/persist/certificate/IssuedCertificate.java
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/certificate/IssuedCertificate.java
@ -0,0 +1,140 @@
+package hirs.data.persist.certificate;
+
+import hirs.persist.CertificateManager;
+import hirs.persist.CertificateSelector;
+
+import javax.persistence.Column;
+import javax.persistence.FetchType;
+import javax.persistence.JoinColumn;
+import javax.persistence.ManyToMany;
+import javax.persistence.ManyToOne;
+import javax.persistence.MappedSuperclass;
+import java.io.IOException;
+import java.util.Collections;
+import java.util.Set;
+import java.util.UUID;
+
+/**
+ * Represents an issued base certificate to a HIRS Client.
+ */
+@MappedSuperclass
+public abstract class IssuedCertificate extends DeviceAssociatedCertificate {
+    /**
+     * Issued Certificate label that must be used.
+     */
+    public static final String AIC_TYPE_LABEL = "TCPA Trusted Platform Identity";
+    /**
+     * The Attestation Issued Certificate type.
+     */
+    public static final String ISSUED_TYPE_AK = "AK";
+    /**
+     * The Local DevID Issued Certificate generated by ACA.
+     */
+    public static final String ISSUED_TYPE_LDEVID = "LDevID";
+    /**
+     * The Initial DevID Issued Certificate generated by the OEM.
+     */
+    public static final String ISSUED_TYPE_IDEVID = "IDevID";
+
+    @ManyToOne(fetch = FetchType.EAGER)
+    @JoinColumn(name = "ek_id")
+    private EndorsementCredential endorsementCredential;
+
+    @ManyToMany(fetch = FetchType.EAGER)
+    @JoinColumn(name = "pc_id")
+    private Set<PlatformCredential> platformCredentials;
+
+    @Column
+    private String issuedType = "UNK";
+
+    /**
+     * This class enables the retrieval of IssuedCertificate by their attributes.
+     */
+    public static class Selector extends CertificateSelector<IssuedCertificate> {
+        /**
+         * Construct a new CertificateSelector that will use
+         * the given {@link hirs.persist.CertificateManager} to
+         * retrieve one or many IssuedCertificate.
+         *
+         * @param certificateManager the certificate manager to be used to retrieve certificates
+         */
+        public Selector(final CertificateManager certificateManager) {
+            super(certificateManager, IssuedCertificate.class);
+        }
+
+        /**
+         * Specify a device id that certificates must have to be considered
+         * as matching.
+         *
+         * @param device the device id to query
+         * @return this instance (for chaining further calls)
+         */
+        public IssuedCertificate.Selector byDeviceId(final UUID device) {
+            setFieldValue(DEVICE_ID_FIELD, device);
+            return this;
+        }
+    }
+
+    /**
+     * Get a Selector for use in retrieving IssuedCertificate.
+     *
+     * @param certMan the CertificateManager to be used to retrieve persisted certificates
+     * @return a IssuedCertificate.Selector instance to use for retrieving certificates
+     */
+    public static IssuedCertificate.Selector select(final CertificateManager certMan) {
+        return new IssuedCertificate.Selector(certMan);
+    }
+
+    /**
+     * Default constructor for Hibernate.
+     */
+    protected IssuedCertificate() {
+    }
+
+    /**
+     * Constructor.
+     * @param certificateBytes the issued certificate bytes
+     * @param endorsementCredential the endorsement credential
+     * @param platformCredentials the platform credentials
+     * @throws IOException if there is a problem extracting information from the certificate
+     */
+    public IssuedCertificate(final byte[] certificateBytes,
+                             final EndorsementCredential endorsementCredential,
+                             final Set<PlatformCredential> platformCredentials) throws IOException {
+        super(certificateBytes);
+        this.endorsementCredential = endorsementCredential;
+        this.platformCredentials = platformCredentials;
+    }
+
+    /**
+     * Getter for the type of Issued Certificate.
+     * @return the string of the type
+     */
+    public String getIssuedType() {
+        return issuedType;
+    }
+
+    /**
+     * Setter for the type of the Issued Certificate.
+     * @param issuedType the String variable of the type
+     */
+    public void setIssuedType(final String issuedType) {
+        this.issuedType = issuedType;
+    }
+
+    /**
+     *
+     * @return the Endorsement Credential
+     */
+    public EndorsementCredential getEndorsementCredential() {
+        return endorsementCredential;
+    }
+
+    /**
+     *
+     * @return the platform credential
+     */
+    public Set<PlatformCredential> getPlatformCredentials() {
+        return Collections.unmodifiableSet(platformCredentials);
+    }
+}
--- a/HIRS_Utils/src/main/java/hirs/data/persist/certificate/IssuedDevIdCertificate.java
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/certificate/IssuedDevIdCertificate.java
@ -0,0 +1,80 @@
+package hirs.data.persist.certificate;
+
+import hirs.persist.CertificateManager;
+import hirs.persist.CertificateSelector;
+
+import java.io.IOException;
+import java.nio.file.Path;
+import java.util.UUID;
+
+/**
+ * Represents an issued DevID certificate to a HIRS Client.
+ *
+ * Implementation requirements:
+ *      * Key Generation
+ *      * Key Insertion
+ *      * Key Deletion, required if Generating and Inserting
+ *      - If generating LDevID
+ *      * Certificate insert
+ *      * Certificate Chain insert
+ *      * Certificate delete
+ *      * Certificate Chain delete
+ *
+ *      -- RNG entropy?
+ */
+public class IssuedDevIdCertificate extends IssuedCertificate {
+
+    /**
+     * This class enables the retrieval of IssuedDevIdCertificate by their attributes.
+     */
+    public static class Selector extends CertificateSelector<IssuedDevIdCertificate> {
+        /**
+         * Construct a new CertificateSelector that will use the given {@link CertificateManager} to
+         * retrieve one or many IssuedDevIdCertificate.
+         *
+         * @param certificateManager the certificate manager to be used to retrieve certificates
+         */
+        public Selector(final CertificateManager certificateManager) {
+            super(certificateManager, IssuedDevIdCertificate.class);
+        }
+
+        /**
+         * Specify a device id that certificates must have to be considered
+         * as matching.
+         *
+         * @param device the device id to query
+         * @return this instance (for chaining further calls)
+         */
+        public IssuedDevIdCertificate.Selector byDeviceId(final UUID device) {
+            setFieldValue(DEVICE_ID_FIELD, device);
+            return this;
+        }
+    }
+
+    /**
+     * Default constructor for Hibernate.
+     */
+    protected IssuedDevIdCertificate() {
+    }
+
+    /**
+     * Constructor.
+     * @param certificateBytes the issued certificate bytes
+     * @throws java.io.IOException if there is a problem extracting information from the certificate
+     */
+    public IssuedDevIdCertificate(final byte[] certificateBytes)
+            throws IOException {
+        super(certificateBytes, null, null);
+        this.setIssuedType(ISSUED_TYPE_LDEVID);
+    }
+
+    /**
+     * Constructor.
+     * @param certificatePath path to certificate
+     * @throws IOException if there is a problem extracting information from the certificate
+     */
+    public IssuedDevIdCertificate(final Path certificatePath)
+            throws IOException {
+        this(readBytes(certificatePath));
+    }
+}
--- a/HIRS_Utils/src/main/java/hirs/utils/HexUtils.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/HexUtils.java
@ -1,6 +1,9 @@
 package hirs.utils;

 import java.math.BigInteger;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;

 /**
 * Utilities for working with hex strings and byte arrays.
@ -19,6 +22,33 @@ public final class HexUtils {

    private HexUtils() { }

+
+    /**
+     * Computes the sha256 hash of the given blob.
+     * @param blob byte array to take the hash of
+     * @return sha256 hash of blob
+     * @throws java.security.NoSuchAlgorithmException improper algorithm selected
+     */
+    public static byte[] sha256hash(final byte[] blob) throws NoSuchAlgorithmException {
+        MessageDigest md = MessageDigest.getInstance("SHA-256");
+        md.update(blob);
+        return md.digest();
+    }
+
+    /**
+     * Generates a array of random bytes.
+     *
+     * @param numberOfBytes
+     *            to be generated
+     * @return byte array filled with the specified number of bytes.
+     */
+    public static byte[] generateRandomBytes(final int numberOfBytes) {
+        byte[] bytes = new byte[numberOfBytes];
+        SecureRandom random = new SecureRandom();
+        random.nextBytes(bytes);
+        return bytes;
+    }
+
    /**
     * Converts a binary hex string to a byte array.
     * @param s string to convert
--- a/HIRS_Utils/src/test/java/hirs/persist/DBCertificateManagerTest.java
+++ b/HIRS_Utils/src/test/java/hirs/persist/DBCertificateManagerTest.java
@ -10,9 +10,9 @@ import hirs.data.persist.certificate.ConformanceCredential;
 import hirs.data.persist.certificate.DeviceAssociatedCertificate;
 import hirs.data.persist.certificate.EndorsementCredential;
 import hirs.data.persist.certificate.IssuedAttestationCertificate;
+import hirs.data.persist.certificate.IssuedCertificate;
 import hirs.data.persist.certificate.PlatformCredential;
 import hirs.data.persist.certificate.PlatformCredentialTest;
-
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.hibernate.Session;
@ -217,10 +217,10 @@ public class DBCertificateManagerTest extends SpringPersistenceTest {
                PlatformCredential.select(certMan).getCertificate()
        );

-        IssuedAttestationCertificate issuedAttestationCertificate =
-                IssuedAttestationCertificate.select(certMan).getCertificate();
+        IssuedCertificate issuedAttestationCertificate =
+                IssuedCertificate.select(certMan).getCertificate();
        Assert.assertEquals(
-                testCertificates.get(IssuedAttestationCertificate.class),
+                testCertificates.get(IssuedCertificate.class),
                issuedAttestationCertificate);

        // verify issued cert's references
@ -413,11 +413,11 @@ public class DBCertificateManagerTest extends SpringPersistenceTest {
        ((DeviceAssociatedCertificate) hirsClientCert).setDevice(savedDevice);
        Certificate savedCert = certMan.save(hirsClientCert);

-        Set<IssuedAttestationCertificate> retrievedCerts =
-                IssuedAttestationCertificate.select(certMan).byDeviceId(savedDevice.getId()).
+        Set<IssuedCertificate> retrievedCerts =
+                IssuedCertificate.select(certMan).byDeviceId(savedDevice.getId()).
                        getCertificates();
        Assert.assertEquals(retrievedCerts.size(), 1);
-        for (IssuedAttestationCertificate cert: retrievedCerts) {
+        for (IssuedCertificate cert: retrievedCerts) {
            Assert.assertEquals(savedCert.getId(), cert.getId());
        }
    }