Final changes that add the additional setting for the renewal period threshold. This value indicates that if the end validity has been reached for the current issued attestation certificate, then don't generate one. However, if we are within the number of days set by the threshold, then generate the certificate before it expires. The default is 1 year from the end validity.
This commit is contained in:
parent
9c3dfe16b1
commit
a5184f5a5b
@ -1685,21 +1685,34 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
final Set<PlatformCredential> platformCredentials,
|
||||
final Device device) {
|
||||
IssuedAttestationCertificate issuedAc;
|
||||
boolean validDate = false;
|
||||
boolean generateCertificate = true;
|
||||
SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
|
||||
Date currentDate = new Date();
|
||||
int days;
|
||||
try {
|
||||
// save issued certificate
|
||||
IssuedAttestationCertificate attCert = new IssuedAttestationCertificate(
|
||||
derEncodedAttestationCertificate, endorsementCredential, platformCredentials);
|
||||
|
||||
if (scp != null && !scp.isIssueAttestationCertificate()) {
|
||||
if (scp != null) {
|
||||
issuedAc = IssuedAttestationCertificate.select(certificateManager)
|
||||
.byDeviceId(device.getId()).getCertificate();
|
||||
if (issuedAc != null) {
|
||||
validDate = issuedAc.isValidOn(attCert.getBeginValidity());
|
||||
|
||||
generateCertificate = scp.isIssueAttestationCertificate();
|
||||
if (issuedAc != null && scp.isGenerateOnExpiration()) {
|
||||
if (issuedAc.getEndValidity().after(currentDate)) {
|
||||
// so the issued AC is expired
|
||||
// however are we within the threshold
|
||||
days = daysBetween(currentDate, issuedAc.getEndValidity());
|
||||
if (days < Integer.parseInt(scp.getReissueThreshold())) {
|
||||
generateCertificate = true;
|
||||
} else {
|
||||
generateCertificate = false;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!validDate) {
|
||||
if (generateCertificate) {
|
||||
attCert.setDevice(device);
|
||||
certificateManager.save(attCert);
|
||||
}
|
||||
@ -1710,4 +1723,9 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
+ e.getMessage(), e);
|
||||
}
|
||||
}
|
||||
|
||||
@SuppressWarnings("magicnumber")
|
||||
private int daysBetween(final Date date1, final Date date2) {
|
||||
return (int) ((date2.getTime() - date1.getTime()) / (1000 * 60 * 60 * 24));
|
||||
}
|
||||
}
|
||||
|
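Review bot: The comment `// so the issued AC is expired` above `days = daysBetween(...)` contradicts the condition it sits under — `issuedAc.getEndValidity().after(currentDate)` is true while the certificate is still valid, and the expired case falls through to the default `generateCertificate = scp.isIssueAttestationCertificate()`. If that fall-through is intended, replace the two comments with `// AC still valid: reissue only inside the renewal threshold; an expired AC is reissued whenever issuance is enabled`; if the description's "end validity has been reached, don't generate" is the intent, the branch is inverted. Separately, `Integer.parseInt(scp.getReissueThreshold())` parses a policy string that the threshold form stores without validation, so a non-numeric value surfaces here as a NumberFormatException during attestation rather than at policy-save time, and `daysBetween` in the second hunk truncates, so the last partial day before expiry counts as zero days and is always inside the threshold. The enclosing method's signature begins before this hunk and its catch clause continues in the second hunk.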
@ -24,10 +24,13 @@ public class PolicyPageModel {
|
||||
private String ecValidate;
|
||||
private String fmValidate;
|
||||
private String attestationCertificateIssued;
|
||||
private String generationExpiration;
|
||||
private String generationExpirationOn;
|
||||
private String numOfValidDays;
|
||||
private String reissueThreshold;
|
||||
private String ignoreIma;
|
||||
private String ignoretBoot;
|
||||
private String expirationValue;
|
||||
private String thresholdValue;
|
||||
|
||||
/**
|
||||
* Constructor. Sets fields from policy.
|
||||
@ -42,8 +45,11 @@ public class PolicyPageModel {
|
||||
this.issueAttestationCertificate = policy.isIssueAttestationCertificate();
|
||||
this.generateOnExpiration = policy.isGenerateOnExpiration();
|
||||
this.numOfValidDays = policy.getValidityDays();
|
||||
this.reissueThreshold = policy.getReissueThreshold();
|
||||
this.enableIgnoreIma = policy.isIgnoreImaEnabled();
|
||||
this.enableIgnoreTboot = policy.isIgnoreTbootEnabled();
|
||||
this.expirationValue = policy.getValidityDays();
|
||||
this.thresholdValue = policy.getReissueThreshold();
|
||||
}
|
||||
|
||||
/**
|
||||
@ -172,8 +178,8 @@ public class PolicyPageModel {
|
||||
*
|
||||
* @return the model string representation of this field.
|
||||
*/
|
||||
public String getGenerationExpiration() {
|
||||
return generationExpiration;
|
||||
public String getGenerationExpirationOn() {
|
||||
return generationExpirationOn;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -185,6 +191,15 @@ public class PolicyPageModel {
|
||||
return numOfValidDays;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the number of selected threshold days.
|
||||
*
|
||||
* @return the number of the days for reissue
|
||||
*/
|
||||
public String getReissueThreshold() {
|
||||
return reissueThreshold;
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the Ignore IMA validation value.
|
||||
*
|
||||
@ -326,11 +341,11 @@ public class PolicyPageModel {
|
||||
/**
|
||||
* Sets the generation expiration state.
|
||||
*
|
||||
* @param generationExpiration "checked" if generating expiration is on.
|
||||
* @param generationExpirationOn "checked" if generating expiration is on.
|
||||
*/
|
||||
public void setGenerationExpiration(
|
||||
final String generationExpiration) {
|
||||
this.generationExpiration = generationExpiration;
|
||||
public void setGenerationExpirationOn(
|
||||
final String generationExpirationOn) {
|
||||
this.generationExpirationOn = generationExpirationOn;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -351,6 +366,38 @@ public class PolicyPageModel {
|
||||
this.ignoretBoot = ignoretBoot;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for the expiration value.
|
||||
* @return the value
|
||||
*/
|
||||
public String getExpirationValue() {
|
||||
return expirationValue;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for the expiration value.
|
||||
* @param expirationValue string value
|
||||
*/
|
||||
public void setExpirationValue(final String expirationValue) {
|
||||
this.expirationValue = expirationValue;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for the expiration value.
|
||||
* @return the thresholdValue
|
||||
*/
|
||||
public String getThresholdValue() {
|
||||
return thresholdValue;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for the expiration value.
|
||||
* @param thresholdValue string value
|
||||
*/
|
||||
public void setThresholdValue(final String thresholdValue) {
|
||||
this.thresholdValue = thresholdValue;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "PolicyPageModel{"
|
||||
|
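Review bot: The Javadoc on `getThresholdValue` and `setThresholdValue` was copied from the expiration accessors and still reads `Getter for the expiration value.` / `Setter for the expiration value.`; they should read `Getter for the reissue threshold value.` and `Setter for the reissue threshold value.`, with `@param thresholdValue number of days before expiry at which to reissue`. The constructor hunk also initialises both `reissueThreshold` and `thresholdValue` from `policy.getReissueThreshold()`, and both `numOfValidDays` and `expirationValue` from `policy.getValidityDays()`, so each setting lives in two fields that can drift apart once a setter is called; unless the second pair is needed for a separate form binding, one of each pair looks redundant. These accessors expose the raw strings without any numeric check, so the validation has to happen in the controller before the value reaches the policy.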
@ -264,10 +264,15 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
||||
PageMessages messages = new PageMessages();
|
||||
String successMessage;
|
||||
String numOfDays;
|
||||
LOGGER.error("We got this value -> {}", ppModel.getGenerationExpiration());
|
||||
boolean generateCertificateEnabled
|
||||
= ppModel.getGenerationExpiration()
|
||||
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
|
||||
|
||||
boolean generateCertificateEnabled = false;
|
||||
// because this is just one option, there is not 'unchecked' value, so it is either
|
||||
// 'checked' or null
|
||||
if (ppModel.getGenerationExpirationOn() != null) {
|
||||
generateCertificateEnabled
|
||||
= ppModel.getGenerationExpirationOn()
|
||||
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
|
||||
}
|
||||
|
||||
try {
|
||||
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
|
||||
@ -282,7 +287,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
||||
}
|
||||
|
||||
if (generateCertificateEnabled) {
|
||||
numOfDays = ppModel.getNumOfValidDays();
|
||||
numOfDays = ppModel.getExpirationValue();
|
||||
if (numOfDays == null) {
|
||||
numOfDays = SupplyChainPolicy.TEN_YEARS;
|
||||
}
|
||||
@ -309,6 +314,76 @@ public class PolicyPageController extends PageController<NoPageParams> {
|
||||
return redirectToSelf(new NoPageParams(), model, attr);
|
||||
}
|
||||
|
||||
/**
|
||||
* Updates the state of the policy setting that indicates that the generation
|
||||
* will occur in a set time frame from the end validity date and redirects
|
||||
* back to the original page.
|
||||
*
|
||||
* @param ppModel The data posted by the form mapped into an object.
|
||||
* @param attr RedirectAttributes used to forward data back to the original page.
|
||||
* @return View containing the url and parameters
|
||||
* @throws URISyntaxException if malformed URI
|
||||
*/
|
||||
@RequestMapping(value = "update-threshold", method = RequestMethod.POST)
|
||||
public RedirectView updateThresholdVal(@ModelAttribute final PolicyPageModel ppModel,
|
||||
final RedirectAttributes attr)
|
||||
throws URISyntaxException {
|
||||
|
||||
// set the data received to be populated back into the form
|
||||
Map<String, Object> model = new HashMap<>();
|
||||
PageMessages messages = new PageMessages();
|
||||
String successMessage;
|
||||
String threshold;
|
||||
|
||||
boolean generateCertificateEnabled = false;
|
||||
// because this is just one option, there is not 'unchecked' value, so it is either
|
||||
// 'checked' or null
|
||||
if (ppModel.getGenerationExpirationOn() != null) {
|
||||
generateCertificateEnabled
|
||||
= ppModel.getGenerationExpirationOn()
|
||||
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
|
||||
}
|
||||
|
||||
try {
|
||||
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
|
||||
boolean issuedAttestationOptionEnabled
|
||||
= policy.isIssueAttestationCertificate();
|
||||
|
||||
if (issuedAttestationOptionEnabled) {
|
||||
if (generateCertificateEnabled) {
|
||||
successMessage = "Attestation Certificate generation threshold time enabled.";
|
||||
} else {
|
||||
successMessage = "Attestation Certificate generation threshold time disabled.";
|
||||
}
|
||||
|
||||
if (generateCertificateEnabled) {
|
||||
threshold = ppModel.getThresholdValue();
|
||||
if (threshold == null) {
|
||||
threshold = SupplyChainPolicy.YEAR;
|
||||
}
|
||||
} else {
|
||||
threshold = ppModel.getReissueThreshold();
|
||||
}
|
||||
|
||||
policy.setReissueThreshold(threshold);
|
||||
} else {
|
||||
generateCertificateEnabled = false;
|
||||
successMessage = "Attestation Certificate generation is disabled, "
|
||||
+ "can not set time expiration";
|
||||
}
|
||||
|
||||
policy.setGenerateOnExpiration(generateCertificateEnabled);
|
||||
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
|
||||
} catch (PolicyManagerException e) {
|
||||
handlePolicyManagerUpdateError(model, messages, e,
|
||||
"Error changing ACA Attestation Certificate generation policy",
|
||||
"Error updating policy. \n" + e.getMessage());
|
||||
}
|
||||
|
||||
// return the redirect
|
||||
return redirectToSelf(new NoPageParams(), model, attr);
|
||||
}
|
||||
|
||||
/**
|
||||
* Updates the Endorsement Credential Validation policy setting and
|
||||
* redirects back to the original page.
|
||||
|
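Review bot: In `updateThresholdVal` the posted `thresholdValue` is persisted with `policy.setReissueThreshold(threshold)` after only a null check, yet a cleared text box posts an empty string rather than null, and the ACA later runs `Integer.parseInt` on the stored string, so an empty or non-numeric entry is accepted here and only fails at certificate issuance. The same null-only check applies to `numOfDays = ppModel.getExpirationValue()` in the expire-on hunk. Restricting the value to a bounded digit string before saving, and keeping the previous value otherwise, is shown below; it reuses only `policy`, `successMessage` and `SupplyChainPolicy.YEAR`, which are already in the method. Note also that this handler calls `policy.setGenerateOnExpiration(generateCertificateEnabled)` from the threshold form's checkbox, so saving the threshold form can flip the expire-on setting that the previous form controls; if the two are meant to be independent, drop that call here.
```java
if (generateCertificateEnabled) {
    String posted = ppModel.getThresholdValue();
    // a cleared text box posts "", not null
    if (posted == null || posted.trim().isEmpty()) {
        threshold = SupplyChainPolicy.YEAR;
    } else if (posted.trim().matches("\\d{1,5}")) {
        // only a bounded whole number of days is persisted; the ACA parses it with Integer.parseInt
        threshold = posted.trim();
    } else {
        // keep the stored value instead of persisting free-form text
        threshold = policy.getReissueThreshold();
        successMessage = "Attestation Certificate generation threshold unchanged: "
                + "value must be a whole number of days.";
    }
} else {
    threshold = ppModel.getReissueThreshold();
}
// … unchanged: policy.setReissueThreshold(threshold) and the rest of the handler …
```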
@ -107,7 +107,7 @@
|
||||
<%-- Generate Attestation Certificate--%>
|
||||
<div class="aca-input-box">
|
||||
<form:form method="POST" modelAttribute="initialData" action="policy/update-issue-attestation">
|
||||
<li>Generate Attestation Certificate: ${initialData.issueAttestationCertificate ? 'Enabled' : 'Disabled'}
|
||||
<li>Conditionally generate Attestation Certificate: ${initialData.issueAttestationCertificate ? 'Enabled' : 'Disabled'}
|
||||
<my:editor id="issuedCertificatePolicyEditor" label="Edit Settings">
|
||||
<div class="radio">
|
||||
<label><input id="aicTop" type="radio" name="attestationCertificateIssued" ${initialData.issueAttestationCertificate ? '' : 'checked'} value="unchecked"/> Never generate an Attestation Certificate</label>
|
||||
@ -117,23 +117,35 @@
|
||||
</div>
|
||||
</my:editor>
|
||||
</form:form>
|
||||
<form:form method="POST" modelAttribute="initialData" action="policy/update-expire-on">
|
||||
<ul>
|
||||
<li> Set generate on expire time frame: ${initialData.generationExpiration ? 'Enabled' : 'Disabled'}
|
||||
<form:form method="POST" modelAttribute="initialData" action="policy/update-expire-on">
|
||||
<li>Attestation Certificate Validity: ${initialData.generateOnExpiration ? 'Enabled' : 'Disabled'}
|
||||
<my:editor id="issuedCertificatePolicyExpirationEditor" label="Edit Settings">
|
||||
<div class="radio">
|
||||
<label>
|
||||
<input id="aicBot" type="checkbox" name="generationExpiration" ${initialData.generationExpiration ? 'checked' : ''} value="checked"/>
|
||||
Only Generate when current Attestation Certificate expires<br />
|
||||
** Validity period for the Attestation Certificate
|
||||
<input id="validLen" type="text" name="numOfValidDays" value="3651" size="6" maxlength="6" enabled />
|
||||
<input id="aicBot" type="checkbox" name="generationExpirationOn" ${initialData.generateOnExpiration ? 'checked' : ''} value="checked" />
|
||||
Attestation Certificate validity time frame (Default 3651 days)<br />
|
||||
Select time frame in days: <input id="expirationValue" type="text" name="expirationValue" value="${initialData.expirationValue}" />
|
||||
</label>
|
||||
</div>
|
||||
</my:editor>
|
||||
</li>
|
||||
</form:form>
|
||||
<form:form method="POST" modelAttribute="initialData" action="policy/update-threshold">
|
||||
<li>Attestation Renewal time: ${initialData.generateOnExpiration ? 'Enabled' : 'Disabled'}
|
||||
<my:editor id="issuedCertificatePolicyGenerateEditor" label="Edit Settings">
|
||||
<div class="radio">
|
||||
<label>
|
||||
<input id="aicBot" type="checkbox" name="generationExpirationOn" ${initialData.generateOnExpiration ? 'checked' : ''} value="checked" />
|
||||
Renew Attestation Certificate before expiration time frame (Default 365 days)<br />
|
||||
Select time frame in days: <input id="thresholdValue" type="text" name="thresholdValue" value="${initialData.thresholdValue}" />
|
||||
</label>
|
||||
</div>
|
||||
</my:editor>
|
||||
</li>
|
||||
</form:form>
|
||||
</ul>
|
||||
</li>
|
||||
</form:form>
|
||||
</div>
|
||||
</ul>
|
||||
</jsp:body>
|
||||
|
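Review bot: Both new forms reuse `id="aicBot"` and `name="generationExpirationOn"` for their checkbox (the expire-on form and the threshold form), so the page has a duplicate element id, and because each form posts only its own checkbox, submitting the threshold form resets the shared generateOnExpiration flag from that form's state; give the second checkbox its own id and, if the settings are meant to be independent, a distinct name. The text inputs echo stored policy strings straight into attribute values (`value="${initialData.expirationValue}"`, `value="${initialData.thresholdValue}"`); EL `${}` does not HTML-escape, so unless the controller restricts these to digits the stored value should be rendered through `value="${fn:escapeXml(initialData.thresholdValue)}"` or `<c:out>` (assuming the JSTL taglibs are declared on this page). The label text `Attestation Renewal time` and `Attestation Certificate Validity` both display `generateOnExpiration`, which is consistent with the controller but worth a comment if the renewal threshold is later given its own flag.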
@ -18,7 +18,11 @@ public class SupplyChainPolicy extends Policy {
|
||||
/**
|
||||
* Number of days in 10 years.
|
||||
*/
|
||||
public static final String TEN_YEARS = "3650";
|
||||
public static final String TEN_YEARS = "3651";
|
||||
/**
|
||||
* Number of days in 1 year.
|
||||
*/
|
||||
public static final String YEAR = "365";
|
||||
|
||||
@Column(nullable = false)
|
||||
private boolean enableEcValidation = false;
|
||||
@ -47,6 +51,9 @@ public class SupplyChainPolicy extends Policy {
|
||||
@Column(nullable = false)
|
||||
private String validityDays = TEN_YEARS;
|
||||
|
||||
@Column(nullable = false)
|
||||
private String reissueThreshold = YEAR;
|
||||
|
||||
@Column(nullable = false)
|
||||
private boolean generateOnExpiration = false;
|
||||
|
||||
@ -291,6 +298,25 @@ public class SupplyChainPolicy extends Policy {
|
||||
public void setValidityDays(final String validityDays) {
|
||||
this.validityDays = validityDays;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for the number of days before the expiration to reissue
|
||||
* a certificate.
|
||||
* @return number of days
|
||||
*/
|
||||
public String getReissueThreshold() {
|
||||
return reissueThreshold;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for the number of days before the expiration to reissue
|
||||
* a certificate.
|
||||
* @param reissueThreshold validity.
|
||||
*/
|
||||
public void setReissueThreshold(final String reissueThreshold) {
|
||||
this.reissueThreshold = reissueThreshold;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for the state of when to generate a certificate.
|
||||
* @return true or false
|
||||
|
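Review bot: `setReissueThreshold` stores any string, but the only consumer on this page parses it with `Integer.parseInt` in the ACA, so a non-numeric or negative value is accepted at save time and fails at certificate issuance; validating in the setter fails early with a standard exception: `Integer.parseInt(reissueThreshold); // NumberFormatException (an IllegalArgumentException) rejects non-numeric input before it is persisted` placed before `this.reissueThreshold = reissueThreshold;`, or change the column to an integer type. The `TEN_YEARS` Javadoc still says `Number of days in 10 years.` while the value became `3651`; if that is deliberate (it matches the JSP default), replace the comment with `Default validity in days; 3651 is kept in step with the form default.`. The new `@Column(nullable = false) private String reissueThreshold = YEAR;` default applies to newly constructed entities only, so existing policy rows may need a migration or null-safe read, which is not visible in this diff.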