[#163] Delta issuer validation (#164)

* This code change will add in the delta certificates to the platform validation check.  The current base passes the policy check as long as the base is valid.  The deltas are ignored.  This is because the validation pulls in what is associated with a particular EK associated with the machine provisioning.
Cyrus 2019-06-24 13:01:32 -04:00 committed by GitHub
parent 2329d725e8
commit a8e2c5cc6e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 102 additions and 63 deletions


@ -18,7 +18,6 @@ import java.util.List;
import java.util.Set;
import java.util.Comparator;
import java.util.LinkedList;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.HashMap;
import org.apache.logging.log4j.Level;
@ -106,7 +105,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
HashMap<PlatformCredential, SupplyChainValidation> credentialMap = new HashMap<>();
PlatformCredential baseCredential = null;
List<SupplyChainValidation> validations = new LinkedList<>();
Map<String, Boolean> multiBaseCheckMap = new HashMap<>();
List<SupplyChainValidation> deltaValidations = new LinkedList<>();
// validate all supply chain pieces. Potentially, a policy setting could be made
// to dictate stopping after the first validation failure.
@ -141,28 +140,13 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
// check if this cert has been verified for multiple base associated
// with the serial number
if (pc != null) {
boolean checked = multiBaseCheckMap.containsKey(pc.getPlatformSerial());
if (!checked) {
// if not checked, update the map
boolean result = checkForMultipleBaseCredentials(
pc.getPlatformSerial());
multiBaseCheckMap.put(pc.getPlatformSerial(), result);
// if it is, then update the SupplyChainValidation message and result
if (result) {
String message = "Multiple Base certificates found in chain.";
if (!platformScv.getResult()
.equals(AppraisalStatus.Status.PASS)) {
message = String.format("%s,%n%s",
platformScv.getMessage(), message);
}
platformScv = buildValidationRecord(
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
AppraisalStatus.Status.FAIL,
message, pc, Level.ERROR);
}
}
platformScv = validatePcPolicy(pc, platformScv,
deltaValidations, acceptExpiredCerts);
}
validations.add(platformScv);
if (!deltaValidations.isEmpty()) {
validations.addAll(deltaValidations);
}
if (pc != null) {
pc.setDevice(device);
this.certificateManager.update(pc);
@ -248,6 +232,60 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
return summary;
}
/**
* This method is a sub set of the validate supply chain method and focuses on the specific
* multibase validation check for a delta chain. This method also includes the check
* for delta certificate CA validation as well.
*
* @param pc The platform credential getting checked
* @param platformScv The validation record
* @return The validation record
*/
private SupplyChainValidation validatePcPolicy(
final PlatformCredential pc,
final SupplyChainValidation platformScv,
final List<SupplyChainValidation> deltaValidations,
final boolean acceptExpiredCerts) {
SupplyChainValidation subPlatformScv = platformScv;
if (pc != null) {
// if not checked, update the map
boolean result = checkForMultipleBaseCredentials(
pc.getPlatformSerial());
// if it is, then update the SupplyChainValidation message and result
if (result) {
String message = "Multiple Base certificates found in chain.";
if (!platformScv.getResult().equals(AppraisalStatus.Status.PASS)) {
message = String.format("%s,%n%s", platformScv.getMessage(), message);
}
subPlatformScv = buildValidationRecord(
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
AppraisalStatus.Status.FAIL,
message, pc, Level.ERROR);
}
}
// Grab all certs associated with this platform chain
List<PlatformCredential> chainCertificates = PlatformCredential
.select(certificateManager)
.byBoardSerialNumber(pc.getPlatformSerial())
.getCertificates().stream().collect(Collectors.toList());
SupplyChainValidation deltaScv;
KeyStore trustedCa;
// verify that the deltas trust chain is valid.
for (PlatformCredential delta : chainCertificates) {
if (delta != null && !delta.isBase()) {
trustedCa = getCaChain(delta);
deltaScv = validatePlatformCredential(
delta, trustedCa, acceptExpiredCerts);
deltaValidations.add(deltaScv);
}
}
return subPlatformScv;
}
private SupplyChainValidation validateEndorsementCredential(final EndorsementCredential ec,
final boolean acceptExpiredCerts) {
final SupplyChainValidation.ValidationType validationType
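Review bot: In `validatePcPolicy` the `pc != null` guard wraps only the multiple-base check, while the chain lookup right after it calls `pc.getPlatformSerial()` unconditionally, so a null `pc` would throw there; the visible caller already checks for null, so either drop the inner guard or open the method with `if (pc == null) { return platformScv; }`. With `multiBaseCheckMap` removed, the base check and the delta lookup now run once per platform credential in the caller's loop (which starts outside this hunk), and the lookup is keyed only on the platform serial, so several credentials sharing a serial would presumably have the same deltas validated and appended to `deltaValidations` more than once; tracking the serials already processed would avoid duplicate records. The Javadoc also lacks `@param deltaValidations` and `@param acceptExpiredCerts`, and it should say that delta results are reported through the list rather than the return value.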


@ -130,6 +130,7 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest
when(pc.getId()).thenReturn(UUID.randomUUID());
when(pc.getX509Certificate()).thenReturn(cert);
when(pc.getSerialNumber()).thenReturn(BigInteger.ONE);
when(pc.getPlatformSerial()).thenReturn(String.valueOf(Integer.MIN_VALUE));
when(pc.getIssuerOrganization()).thenReturn("STMicroelectronics NV");
when(ec.getSubjectOrganization()).thenReturn("STMicroelectronics NV");
pcs = new HashSet<PlatformCredential>();
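Review bot: The `getPlatformSerial()` stub appears to be there only so the existing tests get through the new serial-number lookup; within the files shown, no test asserts what happens when a delta certificate's issuer chain does not validate. A case that stores a non-base credential with the same platform serial and an untrusted issuer, and expects a failing validation record in the summary, would pin the behaviour this commit is meant to add. The setup code this stub sits in starts and ends outside the hunk.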


@ -56,8 +56,8 @@ public class CertificateDetailsPageControllerTest extends PageControllerTest {
private CertificateAuthorityCredential caCertificate;
private CertificateAuthorityCredential caRootCertificate;
private PlatformCredential platofrmCredential;
private PlatformCredential platofrmCredential2;
private PlatformCredential platformCredential;
private PlatformCredential platformCredential2;
private EndorsementCredential endorsementCredential;
private IssuedAttestationCertificate issuedCredential;
@ -93,7 +93,7 @@ public class CertificateDetailsPageControllerTest extends PageControllerTest {
Set<PlatformCredential> pcCertSet = new HashSet<>();
//Create new device grup
//Create new device group
DeviceGroup group = new DeviceGroup("default");
group = deviceGroupManager.saveDeviceGroup(group);
@ -130,26 +130,26 @@ public class CertificateDetailsPageControllerTest extends PageControllerTest {
certificateManager.save(caRootCertificate);
//Upload and save Platform Cert
platofrmCredential = (PlatformCredential)
platformCredential = (PlatformCredential)
getTestCertificate(
PlatformCredential.class,
TEST_PLATFORM_CREDENTIAL,
null,
null);
certificateManager.save(platofrmCredential);
certificateManager.save(platformCredential);
pcCertSet.add(platofrmCredential);
pcCertSet.add(platformCredential);
//Upload and save Platform Cert 2.0
platofrmCredential2 = (PlatformCredential)
platformCredential2 = (PlatformCredential)
getTestCertificate(
PlatformCredential.class,
TEST_PLATFORM_CREDENTIAL_2,
null,
null);
certificateManager.save(platofrmCredential2);
certificateManager.save(platformCredential2);
pcCertSet.add(platofrmCredential);
pcCertSet.add(platformCredential);
//Upload and save Issued Attestation Cert
issuedCredential = (IssuedAttestationCertificate)
@ -233,12 +233,12 @@ public class CertificateDetailsPageControllerTest extends PageControllerTest {
.andExpect(model().attributeExists(PolicyPageController.INITIAL_DATA))
.andReturn();
// Obtain initalData HashMap
Map<String, String> initalData = (Map<String, String>) result
// Obtain initialData HashMap
Map<String, String> initialData = (Map<String, String>) result
.getModelAndView()
.getModel()
.get(PolicyPageController.INITIAL_DATA);
Assert.assertEquals(initalData.get("issuer"), caCertificate.getIssuer());
Assert.assertEquals(initialData.get("issuer"), caCertificate.getIssuer());
}
@ -254,20 +254,20 @@ public class CertificateDetailsPageControllerTest extends PageControllerTest {
MvcResult result = getMockMvc()
.perform(MockMvcRequestBuilders.get("/" + getPage().getViewName())
.param("id", platofrmCredential.getId().toString())
.param("id", platformCredential.getId().toString())
.param("type", "platform"))
.andExpect(status().isOk())
.andExpect(model().attributeExists(PolicyPageController.INITIAL_DATA))
.andReturn();
// Obtain initalData HashMap
Map<String, String> initalData = (Map<String, String>) result
// Obtain initialData HashMap
Map<String, String> initialData = (Map<String, String>) result
.getModelAndView()
.getModel()
.get(PolicyPageController.INITIAL_DATA);
Assert.assertEquals(initalData.get("issuer"), platofrmCredential.getIssuer());
Assert.assertEquals(initalData.get("credentialType"),
((PlatformCredential) platofrmCredential).getCredentialType());
Assert.assertEquals(initialData.get("issuer"), platformCredential.getIssuer());
Assert.assertEquals(initialData.get("credentialType"),
((PlatformCredential) platformCredential).getCredentialType());
}
@ -283,28 +283,28 @@ public class CertificateDetailsPageControllerTest extends PageControllerTest {
MvcResult result = getMockMvc()
.perform(MockMvcRequestBuilders.get("/" + getPage().getViewName())
.param("id", platofrmCredential2.getId().toString())
.param("id", platformCredential2.getId().toString())
.param("type", "platform"))
.andExpect(status().isOk())
.andExpect(model().attributeExists(PolicyPageController.INITIAL_DATA))
.andReturn();
// Obtain initalData HashMap
Map<String, Object> initalData = (Map<String, Object>) result
// Obtain initialData HashMap
Map<String, Object> initialData = (Map<String, Object>) result
.getModelAndView()
.getModel()
.get(PolicyPageController.INITIAL_DATA);
Assert.assertEquals(initalData.get("issuer"), platofrmCredential2.getIssuer());
Assert.assertEquals(initalData.get("credentialType"),
((PlatformCredential) platofrmCredential2).getCredentialType());
Assert.assertEquals(initialData.get("issuer"), platformCredential2.getIssuer());
Assert.assertEquals(initialData.get("credentialType"),
((PlatformCredential) platformCredential2).getCredentialType());
// Check component identifier
Assert.assertNotNull(initalData.get("componentsIdentifier"));
List<?> obj = (List<?>) initalData.get("componentsIdentifier");
Assert.assertNotNull(initialData.get("componentsIdentifier"));
List<?> obj = (List<?>) initialData.get("componentsIdentifier");
Assert.assertEquals(obj.size(), 7);
// Check platform properties
Assert.assertNotNull(initalData.get("platformProperties"));
obj = (List<?>) initalData.get("platformProperties");
Assert.assertNotNull(initialData.get("platformProperties"));
obj = (List<?>) initialData.get("platformProperties");
Assert.assertEquals(obj.size(), 2);
}
@ -327,13 +327,13 @@ public class CertificateDetailsPageControllerTest extends PageControllerTest {
.andExpect(model().attributeExists(PolicyPageController.INITIAL_DATA))
.andReturn();
// Obtain initalData HashMap
Map<String, String> initalData = (Map<String, String>) result
// Obtain initialData HashMap
Map<String, String> initialData = (Map<String, String>) result
.getModelAndView()
.getModel()
.get(PolicyPageController.INITIAL_DATA);
Assert.assertEquals(initalData.get("issuer"), endorsementCredential.getIssuer());
Assert.assertEquals(initalData.get("manufacturer"),
Assert.assertEquals(initialData.get("issuer"), endorsementCredential.getIssuer());
Assert.assertEquals(initialData.get("manufacturer"),
((EndorsementCredential) endorsementCredential).getManufacturer());
}
@ -355,14 +355,14 @@ public class CertificateDetailsPageControllerTest extends PageControllerTest {
.andReturn();
// Obtain initalData HashMap
Map<String, String> initalData = (Map<String, String>) result
// Obtain initialData HashMap
Map<String, String> initialData = (Map<String, String>) result
.getModelAndView()
.getModel()
.get(PolicyPageController.INITIAL_DATA);
Assert.assertEquals(initalData.get("issuer"), caCertificate.getIssuer());
Assert.assertEquals(initalData.get("issuerID"),
Assert.assertEquals(initialData.get("issuer"), caCertificate.getIssuer());
Assert.assertEquals(initialData.get("issuerID"),
caRootCertificate.getId().toString());
}
@ -384,13 +384,13 @@ public class CertificateDetailsPageControllerTest extends PageControllerTest {
.andExpect(model().attributeExists(PolicyPageController.INITIAL_DATA))
.andReturn();
// Obtain initalData HashMap
Map<String, String> initalData = (Map<String, String>) result
// Obtain initialData HashMap
Map<String, String> initialData = (Map<String, String>) result
.getModelAndView()
.getModel()
.get(PolicyPageController.INITIAL_DATA);
Assert.assertEquals(initalData.get("issuer"), issuedCredential.getIssuer());
Assert.assertEquals(initalData.get("endorsementID"),
Assert.assertEquals(initialData.get("issuer"), issuedCredential.getIssuer());
Assert.assertEquals(initialData.get("endorsementID"),
issuedCredential.getEndorsementCredential().getId().toString());


@ -305,7 +305,7 @@ public class PlatformCredential extends DeviceAssociatedCertificate {
AttributeCertificate attCert = getAttributeCertificate();
AttributeCertificateInfo acinfo = getAttributeCertificate().getAcinfo();
// Check if the algorith identifier is the same
// Check if the algorithm identifier is the same
if (!isAlgIdEqual(acinfo.getSignature(), attCert.getSignatureAlgorithm())) {
throw new IOException("signature invalid - algorithm identifier mismatch");
}