ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-18 20:47:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

issue_847: Applied formatting changes to entire CA module. Reduced errors by 100.

Browse Source
This commit is contained in:
TheSilentCoder 2024-10-21 13:46:57 -04:00
parent 99188f17c1
commit b3d1bd8fcc
88 changed files with 1713 additions and 1773 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
HIRS_AttestationCA/build.gradle
View File

@ -70,10 +70,10 @@ configurations.checkstyle {
}
}
checkstyleMain {
source ='src/main/java'
source = 'src/main/java'
}
checkstyleTest {
source ='src/test/java'
source = 'src/test/java'
}
tasks.withType(Checkstyle) {
reports {
@ -82,16 +82,16 @@ tasks.withType(Checkstyle) {
}
}
protobuf {
protoc {
artifact = 'com.google.protobuf:protoc:3.24.3'
}
protoc {
artifact = 'com.google.protobuf:protoc:3.24.3'
}
}
sourceSets {
main {
proto {
srcDir '../HIRS_ProvisionerTPM2/src'
main {
proto {
srcDir '../HIRS_ProvisionerTPM2/src'
}
}
}
}
test {

8
HIRS_AttestationCA/config/spotbugs/spotbugs-exclude.xml
View File

@ -2,18 +2,18 @@
<!-- Docs at http://findbugs.sourceforge.net/manual/filter.html -->
<FindBugsFilter>
<Match>
<Package name="~hirs\.attestationca\.configuration.*" />
<Package name="~hirs\.attestationca\.configuration.*"/>
</Match>
<Match>
<!-- https://github.com/spotbugs/spotbugs/pull/2748 -->
<Bug pattern="CT_CONSTRUCTOR_THROW" />
<Bug pattern="CT_CONSTRUCTOR_THROW"/>
</Match>
<!-- roughly 55 instances of this appear -->
<Match>
<Bug pattern="EI_EXPOSE_REP" />
<Bug pattern="EI_EXPOSE_REP"/>
</Match>
<Match>
<Bug pattern="EI_EXPOSE_REP2" />
<Bug pattern="EI_EXPOSE_REP2"/>
</Match>
<Match>
<Class name="hirs.attestationca.persist.AttestationCertificateAuthorityTest"/>

39
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/OrderedListQuerier.java
View File

@ -5,6 +5,7 @@ import java.util.Map;
/**
* Interface defining methods for getting ordered lists from a data source. Includes
* properties for sorting, paging, and searching.
*
* @param <T> the record type, T.
*/
public interface OrderedListQuerier<T> {
@ -14,16 +15,16 @@ public interface OrderedListQuerier<T> {
* direction (ASC, DESC) that is provided by the user. This method helps
* support the server-side processing in the JQuery DataTables.
*
* @param clazz class type of <code>T</code>s to search for (may be null to
* use Class&lt;T&gt;)
* @param columnToOrder Column to be ordered
* @param ascending direction of sort
* @param firstResult starting point of first result in set
* @param maxResults total number we want returned for display in table
* @param search string of criteria to be matched to visible columns
* @param clazz class type of <code>T</code>s to search for (may be null to
* use Class&lt;T&gt;)
* @param columnToOrder Column to be ordered
* @param ascending direction of sort
* @param firstResult starting point of first result in set
* @param maxResults total number we want returned for display in table
* @param search string of criteria to be matched to visible columns
* @param searchableColumns Map of String and boolean values with column
* headers and whether they should be searched. Boolean is true if field provides a
* typical String that can be searched by Hibernate without transformation.
* headers and whether they should be searched. Boolean is true if field provides a
* typical String that can be searched by Hibernate without transformation.
* @return FilteredRecordsList object with query data
* @throws DBManagerException if unable to create the list
*/
@ -41,17 +42,17 @@ public interface OrderedListQuerier<T> {
* support the server-side processing in the JQuery DataTables. For entities that support
* soft-deletes, the returned list does not contain <code>T</code>s that have been soft-deleted.
*
* @param clazz class type of <code>T</code>s to search for (may be null to
* use Class&lt;T&gt;)
* @param columnToOrder Column to be ordered
* @param ascending direction of sort
* @param firstResult starting point of first result in set
* @param maxResults total number we want returned for display in table
* @param search string of criteria to be matched to visible columns
* @param clazz class type of <code>T</code>s to search for (may be null to
* use Class&lt;T&gt;)
* @param columnToOrder Column to be ordered
* @param ascending direction of sort
* @param firstResult starting point of first result in set
* @param maxResults total number we want returned for display in table
* @param search string of criteria to be matched to visible columns
* @param searchableColumns Map of String and boolean values with column
* headers and whether they should be searched. Boolean is true if field provides a
* typical String that can be searched by Hibernate without transformation.
* @param criteriaModifier a way to modify the criteria used in the query
* headers and whether they should be searched. Boolean is true if field provides a
* typical String that can be searched by Hibernate without transformation.
* @param criteriaModifier a way to modify the criteria used in the query
* @return FilteredRecordsList object with query data
* @throws DBManagerException if unable to create the list
*/

15
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/ArchivableEntity.java
View File

@ -55,9 +55,8 @@ public abstract class ArchivableEntity extends AbstractEntity {
* Signals that this entity has been archived, by setting the archivedTime to the current date
* and time.
*
* @return
* true if time was null and date was set.
* false is archived time is already set, signifying the entity has been archived.
* @return true if time was null and date was set.
* false is archived time is already set, signifying the entity has been archived.
*/
public final boolean archive() {
if (this.archivedTime == null) {
@ -73,8 +72,7 @@ public abstract class ArchivableEntity extends AbstractEntity {
* purposes so the reason for action taken can be referenced.
*
* @param description - description of the action taken for resolution
* @return
* boolean result is dependent on the return value of the archive() method
* @return boolean result is dependent on the return value of the archive() method
*/
public final boolean archive(final String description) {
if (archive()) {
@ -90,7 +88,7 @@ public abstract class ArchivableEntity extends AbstractEntity {
* entity has not been resolved, then null is returned.
*
* @return archivedTime
* If entity was archived, timestamp of the occurrence, null otherwise.
* If entity was archived, timestamp of the occurrence, null otherwise.
*/
public final Date getArchivedTime() {
if (archivedTime == null) {
@ -104,9 +102,8 @@ public abstract class ArchivableEntity extends AbstractEntity {
* Sets the archivedTime to null. The archivedTime being null signifies that the entity has
* not been archived. If the time is already null then this call was unnecessary.
*
* @return
* true if the time is changed to null.
* false if time was already set to null.
* @return true if the time is changed to null.
* false if time was already set to null.
*/
public final boolean restore() {
if (this.archivedTime != null) {

11
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/Policy.java
View File

@ -16,7 +16,7 @@ import jakarta.persistence.MappedSuperclass;
@Inheritance(strategy = InheritanceType.JOINED)
@Access(AccessType.FIELD)
@MappedSuperclass
public abstract class Policy extends UserDefinedEntity {
public abstract class Policy extends UserDefinedEntity {
/**
* Default empty constructor is required for Hibernate. It is protected to
@ -29,8 +29,7 @@ public abstract class Policy extends UserDefinedEntity {
/**
* Creates a new <code>Policy</code> with the specified name.
*
* @param name
* name
* @param name name
*/
public Policy(final String name) {
super(name);
@ -40,10 +39,8 @@ public abstract class Policy extends UserDefinedEntity {
* Creates a new <code>Policy</code> with the specified name and
* description.
*
* @param name
* name (required)
* @param description
* description (may be null)
* @param name name (required)
* @param description description (may be null)
*/
public Policy(final String name, final String description) {
super(name, description);

14
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/UserDefinedEntity.java
View File

@ -4,9 +4,9 @@ import jakarta.persistence.Column;
import jakarta.persistence.MappedSuperclass;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.NonNull;
import lombok.Setter;
import lombok.ToString;
import lombok.NonNull;
/**
* An abstract archivable entity that can be given a user-defined name and description.
@ -18,11 +18,13 @@ import lombok.NonNull;
public abstract class UserDefinedEntity extends ArchivableEntity {
@Column(nullable = false, unique = true)
@NonNull private String name;
@NonNull
private String name;
@ToString.Exclude
@Column(nullable = false, unique = false)
@NonNull private String description = "";
@NonNull
private String description = "";
/**
* Default empty constructor is required for Hibernate. It is protected to
@ -47,8 +49,7 @@ public abstract class UserDefinedEntity extends ArchivableEntity {
* an instance of <code>UserDefinedEntity</code> and its name is the same as this
* <code>UserDefinedEntity</code>. Otherwise this returns false.
*
* @param other
* other object to test for equals
* @param other other object to test for equals
* @return true if other is <code>Baseline</code> and has same name
*/
@Override
@ -56,11 +57,10 @@ public abstract class UserDefinedEntity extends ArchivableEntity {
if (this == other) {
return true;
}
if (!(other instanceof UserDefinedEntity)) {
if (!(other instanceof UserDefinedEntity entity)) {
return false;
}
final UserDefinedEntity entity = (UserDefinedEntity) other;
return this.getName().equals(entity.getName());
}

8
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/IDevIDCertificateRepository.java
View File

@ -30,7 +30,7 @@ public interface IDevIDCertificateRepository extends JpaRepository<IDevIDCertifi
Page<IDevIDCertificate> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
// /**
// /**
// * Query that retrieves a list of IDevId certificates using the provided subject.
// *
// * @param subject string representation of the subject
@ -56,7 +56,8 @@ public interface IDevIDCertificateRepository extends JpaRepository<IDevIDCertifi
// List<IDevIDCertificate> findBySubjectAndArchiveFlag(String subject, boolean archiveFlag);
//
// /**
// * Query that retrieves a sorted list of IDevId certificates using the provided subject and archive flag.
// * Query that retrieves a sorted list of IDevId certificates using the provided subject
// * and archive flag.
// *
// * @param subject string representation of the subject
// * @param archiveFlag archive flag
@ -79,5 +80,6 @@ public interface IDevIDCertificateRepository extends JpaRepository<IDevIDCertifi
// * @param archiveFlag archive flag
// * @return an IDevId certificate
// */
// IDevIDCertificate findBySubjectKeyIdStringAndArchiveFlag(String subjectKeyIdString, boolean archiveFlag);
// IDevIDCertificate findBySubjectKeyIdStringAndArchiveFlag(String subjectKeyIdString,
// boolean archiveFlag);
}

46
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/tpm/TPM2ProvisionerState.java
View File

@ -35,12 +35,12 @@ public class TPM2ProvisionerState {
private byte[] identityClaim;
@Column(nullable = false)
private Date timestamp = new Date();
private final Date timestamp = new Date();
/**
* Constructor.
*
* @param nonce the nonce
* @param nonce the nonce
* @param identityClaim the identity claim
*/
public TPM2ProvisionerState(final byte[] nonce, final byte[] identityClaim) {
@ -69,33 +69,15 @@ public class TPM2ProvisionerState {
}
}
/**
* Get the nonce.
*
* @return the nonce
*/
public byte[] getNonce() {
return Arrays.clone(nonce);
}
/**
* Get the identity claim.
*
* @return the identity claim
*/
public byte[] getIdentityClaim() {
return Arrays.clone(identityClaim);
}
/**
* Convenience method for finding the {@link TPM2ProvisionerState} associated with the nonce.
*
* @param tpm2ProvisionerStateRepository the {@link TPM2ProvisionerStateRepository}
* to use when looking for the
* {@link TPM2ProvisionerState}
* @param nonce the nonce to use as the key for the {@link TPM2ProvisionerState}
* {@link TPM2ProvisionerState}
* @param nonce the nonce to use as the key for the {@link TPM2ProvisionerState}
* @return the {@link TPM2ProvisionerState} associated with the nonce;
* null if a match is not found
* null if a match is not found
*/
public static TPM2ProvisionerState getTPM2ProvisionerState(
final TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository,
@ -114,4 +96,22 @@ public class TPM2ProvisionerState {
}
return null;
}
/**
* Get the nonce.
*
* @return the nonce
*/
public byte[] getNonce() {
return Arrays.clone(nonce);
}
/**
* Get the identity claim.
*
* @return the identity claim
*/
public byte[] getIdentityClaim() {
return Arrays.clone(identityClaim);
}
}

45
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/ExaminableRecord.java
View File

@ -23,6 +23,29 @@ import lombok.extern.log4j.Log4j2;
@XmlAccessorType(XmlAccessType.FIELD)
public abstract class ExaminableRecord {
@Getter
@Column(nullable = false)
// Decided on ORDINAL instead of STRING due to concerns surrounding overall size and retrieval
// time of field from database. Consistent with other implementations of ExaminableRecord.
@Enumerated(EnumType.ORDINAL)
private ExamineState examineState = ExamineState.UNEXAMINED;
/**
* Sets the examine state for this record.
*
* @param examineState the examine state
*/
public void setExamineState(final ExamineState examineState) {
if (examineState == ExamineState.UNEXAMINED) {
log.error("Can't set ExamineState on ExaminableRecord to Unexamined");
throw new IllegalArgumentException(
"Can't set ExamineState on ExaminableRecord to Unexamined"
);
}
this.examineState = examineState;
}
/**
* State capturing if a record was examined during appraisal or not.
*/
@ -42,26 +65,4 @@ public abstract class ExaminableRecord {
*/
IGNORED
}
@Getter
@Column(nullable = false)
// Decided on ORDINAL instead of STRING due to concerns surrounding overall size and retrieval
// time of field from database. Consistent with other implementations of ExaminableRecord.
@Enumerated(EnumType.ORDINAL)
private ExamineState examineState = ExamineState.UNEXAMINED;
/**
* Sets the examine state for this record.
* @param examineState the examine state
*/
public void setExamineState(final ExamineState examineState) {
if (examineState == ExamineState.UNEXAMINED) {
log.error("Can't set ExamineState on ExaminableRecord to Unexamined");
throw new IllegalArgumentException(
"Can't set ExamineState on ExaminableRecord to Unexamined"
);
}
this.examineState = examineState;
}
}

9
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/PolicySettings.java
View File

@ -105,8 +105,7 @@ public class PolicySettings extends UserDefinedEntity {
/**
* Constructor used to initialize PolicySettings object.
*
* @param name
* A name used to uniquely identify and reference the Supply Chain policy.
* @param name A name used to uniquely identify and reference the Supply Chain policy.
*/
public PolicySettings(final String name) {
super(name);
@ -115,10 +114,8 @@ public class PolicySettings extends UserDefinedEntity {
/**
* Constructor used to initialize PolicySettings object.
*
* @param name
* A name used to uniquely identify and reference the supply chain policy.
* @param description
* Optional description of the policy that can be added by the user
* @param name A name used to uniquely identify and reference the supply chain policy.
* @param description Optional description of the policy that can be added by the user
*/
public PolicySettings(final String name, final String description) {
super(name, description);

21
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/ConformanceCredential.java
View File

@ -12,12 +12,13 @@ import java.nio.file.Path;
* This class persists Conformance credentials by extending the base Certificate
* class with fields unique to Conformance credentials.
*/
@NoArgsConstructor(access= AccessLevel.PROTECTED)
@NoArgsConstructor(access = AccessLevel.PROTECTED)
@Entity
public class ConformanceCredential extends Certificate {
/**
* This class enables the retrieval of ConformanceCredentials by their attributes.
*/
// /**
// * This class enables the retrieval of ConformanceCredentials by their attributes.
// */
// public static class Selector extends CertificateSelector<ConformanceCredential> {
// /**
// * Construct a new CertificateSelector that will use the given {@link CertificateManager} to
@ -30,12 +31,12 @@ public class ConformanceCredential extends Certificate {
// }
// }
/**
* Get a Selector for use in retrieving ConformanceCredentials.
*
* @param certMan the CertificateManager to be used to retrieve persisted certificates
* @return a ConformanceCredential.Selector instance to use for retrieving certificates
*/
// /**
// * Get a Selector for use in retrieving ConformanceCredentials.
// *
// * @param certMan the CertificateManager to be used to retrieve persisted certificates
// * @return a ConformanceCredential.Selector instance to use for retrieving certificates
// */
// public static Selector select(final CertificateManager certMan) {
// return new Selector(certMan);
// }

23
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/DeviceAssociatedCertificate.java
View File

@ -18,26 +18,25 @@ import java.util.UUID;
*
* @see Certificate
*/
@NoArgsConstructor(access= AccessLevel.PACKAGE)
@Setter
@Getter
@NoArgsConstructor(access = AccessLevel.PACKAGE)
@MappedSuperclass
public abstract class DeviceAssociatedCertificate extends Certificate {
// a device can have multiple certs of this type.
@Getter
@Setter
@JdbcTypeCode(java.sql.Types.VARCHAR)
@Column
private UUID deviceId;
@Getter
@Setter
@Column
private String deviceName;
/**
* Holds the name of the entity 'DEVICE_ID' field.
*/
protected static final String DEVICE_ID_FIELD = "device_id";
// a device can have multiple certs of this type.
@JdbcTypeCode(java.sql.Types.VARCHAR)
@Column
private UUID deviceId;
@Column
private String deviceName;
/**
* Construct a new Certificate by parsing the file at the given path. The given certificate
* should represent either an X509 certificate or X509 attribute certificate.

281
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/CommonCriteriaMeasures.java
View File

@ -25,7 +25,8 @@ import org.bouncycastle.asn1.ASN1TaggedObject;
* targetUri [4] IMPLICIT URIReference OPTIONAL }
* </pre>
*/
@Getter @Setter
@Getter
@Setter
public class CommonCriteriaMeasures {
private static final int STRENGTH_OF_FUNCTION = 0;
@ -33,140 +34,6 @@ public class CommonCriteriaMeasures {
private static final int PROFILE_URI = 2;
private static final int TARGET_OID = 3;
private static final int TARGET_URI = 4;
/**
* A type to handle the evaluation status used in the Common Criteria Measurement.
* Ordering of enum types is intentional and their ordinal values correspond to enum
* values in the TCG spec.
*
* <pre>
* EvaluationStatus ::= ENUMERATED {
* designedToMeet (0),
* evaluationInProgress (1),
* evaluationCompleted (2) }
* </pre>
*/
public enum EvaluationStatus {
/**
* Evaluation designed to meet.
*/
DESIGNEDTOMEET("designed To Meet"),
/**
* Evaluation in progress.
*/
EVALUATIONINPROGRESS("evaluation In Progress"),
/**
* Evaluation completed.
*/
EVALUATIONCOMPLETED("evaluation Completed");
@Getter
private final String value;
/**
* Basic constructor.
* @param value string containing the value.
*/
EvaluationStatus(final String value) {
this.value = value;
}
}
/**
* A type to handle the strength of function used in the Common Criteria Measurement.
* Ordering of enum types is intentional and their ordinal values correspond to enum
* values in the TCG spec.
*
* <pre>
* StrengthOfFunction ::= ENUMERATED {
* basic (0),
* medium (1),
* high (2) }
* </pre>
*/
public enum StrengthOfFunction {
/**
* Basic function.
*/
BASIC("basic"),
/**
* Medium function.
*/
MEDIUM("medium"),
/**
* Hight function.
*/
HIGH("high");
@Getter
private final String value;
/**
* Basic constructor.
* @param value string containing the value.
*/
StrengthOfFunction(final String value) {
this.value = value;
}
}
/**
* A type to handle the evaluation assurance aevel used in the Common Criteria Measurement.
* Ordering of enum types is intentional and their ordinal values correspond to enum
* values in the TCG spec.
*
* <pre>
* EvaluationAssuranceLevel ::= ENUMERATED {
* levell (1),
* level2 (2),
* level3 (3),
* level4 (4),
* level5 (5),
* level6 (6),
* level7 (7) }
* </pre>
*/
public enum EvaluationAssuranceLevel {
/**
* Evaluation Assurance Level 1.
*/
LEVEL1("level 1"),
/**
* Evaluation Assurance Level 2.
*/
LEVEL2("level 2"),
/**
* Evaluation Assurance Level 3.
*/
LEVEL3("level 3"),
/**
* Evaluation Assurance Level 4.
*/
LEVEL4("level 4"),
/**
* Evaluation Assurance Level 5.
*/
LEVEL5("level 5"),
/**
* Evaluation Assurance Level 6.
*/
LEVEL6("level 6"),
/**
* Evaluation Assurance Level 7.
*/
LEVEL7("level 7");
@Getter
private final String value;
/**
* Basic constructor.
* @param value string containing the value.
*/
EvaluationAssuranceLevel(final String value) {
this.value = value;
}
}
private ASN1IA5String version;
private EvaluationAssuranceLevel assuranceLevel;
private EvaluationStatus evaluationStatus;
@ -194,6 +61,7 @@ public class CommonCriteriaMeasures {
/**
* Constructor given the SEQUENCE that contains Common Criteria Measures.
*
* @param sequence containing the the common criteria measures
* @throws IllegalArgumentException if there was an error on the parsing
*/
@ -258,7 +126,6 @@ public class CommonCriteriaMeasures {
}
}
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
@ -278,7 +145,7 @@ public class CommonCriteriaMeasures {
}
sb.append(", profileUri=");
if (profileUri != null) {
sb.append(profileUri.toString());
sb.append(profileUri);
}
sb.append(", targetOid=");
if (targetOid != null) {
@ -286,10 +153,148 @@ public class CommonCriteriaMeasures {
}
sb.append(", targetUri=");
if (targetUri != null) {
sb.append(targetUri.toString());
sb.append(targetUri);
}
sb.append("}");
return sb.toString();
}
/**
* A type to handle the evaluation status used in the Common Criteria Measurement.
* Ordering of enum types is intentional and their ordinal values correspond to enum
* values in the TCG spec.
*
* <pre>
* EvaluationStatus ::= ENUMERATED {
* designedToMeet (0),
* evaluationInProgress (1),
* evaluationCompleted (2) }
* </pre>
*/
public enum EvaluationStatus {
/**
* Evaluation designed to meet.
*/
DESIGNEDTOMEET("designed To Meet"),
/**
* Evaluation in progress.
*/
EVALUATIONINPROGRESS("evaluation In Progress"),
/**
* Evaluation completed.
*/
EVALUATIONCOMPLETED("evaluation Completed");
@Getter
private final String value;
/**
* Basic constructor.
*
* @param value string containing the value.
*/
EvaluationStatus(final String value) {
this.value = value;
}
}
/**
* A type to handle the strength of function used in the Common Criteria Measurement.
* Ordering of enum types is intentional and their ordinal values correspond to enum
* values in the TCG spec.
*
* <pre>
* StrengthOfFunction ::= ENUMERATED {
* basic (0),
* medium (1),
* high (2) }
* </pre>
*/
public enum StrengthOfFunction {
/**
* Basic function.
*/
BASIC("basic"),
/**
* Medium function.
*/
MEDIUM("medium"),
/**
* Hight function.
*/
HIGH("high");
@Getter
private final String value;
/**
* Basic constructor.
*
* @param value string containing the value.
*/
StrengthOfFunction(final String value) {
this.value = value;
}
}
/**
* A type to handle the evaluation assurance aevel used in the Common Criteria Measurement.
* Ordering of enum types is intentional and their ordinal values correspond to enum
* values in the TCG spec.
*
* <pre>
* EvaluationAssuranceLevel ::= ENUMERATED {
* levell (1),
* level2 (2),
* level3 (3),
* level4 (4),
* level5 (5),
* level6 (6),
* level7 (7) }
* </pre>
*/
public enum EvaluationAssuranceLevel {
/**
* Evaluation Assurance Level 1.
*/
LEVEL1("level 1"),
/**
* Evaluation Assurance Level 2.
*/
LEVEL2("level 2"),
/**
* Evaluation Assurance Level 3.
*/
LEVEL3("level 3"),
/**
* Evaluation Assurance Level 4.
*/
LEVEL4("level 4"),
/**
* Evaluation Assurance Level 5.
*/
LEVEL5("level 5"),
/**
* Evaluation Assurance Level 6.
*/
LEVEL6("level 6"),
/**
* Evaluation Assurance Level 7.
*/
LEVEL7("level 7");
@Getter
private final String value;
/**
* Basic constructor.
*
* @param value string containing the value.
*/
EvaluationAssuranceLevel(final String value) {
this.value = value;
}
}
}

110
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/FIPSLevel.java
View File

@ -21,60 +21,14 @@ import org.bouncycastle.asn1.ASN1Sequence;
public class FIPSLevel {
private static final int MAX_SEQUENCE_SIZE = 3;
/**
* A type to handle the security Level used in the FIPS Level.
* Ordering of enum types is intentional and their ordinal values correspond to enum
* values in the TCG spec.
*
* <pre>
* SecurityLevel ::= ENUMERATED {
* level1 (1),
* level2 (2),
* level3 (3),
* level4 (4) }
* </pre>
*/
public enum SecurityLevel {
/**
* Security Level 1.
*/
LEVEL1("level 1"),
/**
* Security Level 2.
*/
LEVEL2("level 2"),
/**
* Security Level 3.
*/
LEVEL3("level 3"),
/**
* Security Level 4.
*/
LEVEL4("level 4");
private final String value;
/**
* Basic constructor.
* @param value string containing the value.
*/
SecurityLevel(final String value) {
this.value = value;
}
/**
* Get the string value from the StrengthOfFunction.
* @return the string containing the value.
*/
public String getValue() {
return this.value;
}
}
@Getter @Setter
@Getter
@Setter
private ASN1IA5String version;
@Getter @Setter
@Getter
@Setter
private SecurityLevel level;
@Getter @Setter
@Getter
@Setter
private ASN1Boolean plus;
/**
@ -119,4 +73,56 @@ public class FIPSLevel {
+ ", plus=" + plus.toString()
+ '}';
}
/**
* A type to handle the security Level used in the FIPS Level.
* Ordering of enum types is intentional and their ordinal values correspond to enum
* values in the TCG spec.
*
* <pre>
* SecurityLevel ::= ENUMERATED {
* level1 (1),
* level2 (2),
* level3 (3),
* level4 (4) }
* </pre>
*/
public enum SecurityLevel {
/**
* Security Level 1.
*/
LEVEL1("level 1"),
/**
* Security Level 2.
*/
LEVEL2("level 2"),
/**
* Security Level 3.
*/
LEVEL3("level 3"),
/**
* Security Level 4.
*/
LEVEL4("level 4");
private final String value;
/**
* Basic constructor.
*
* @param value string containing the value.
*/
SecurityLevel(final String value) {
this.value = value;
}
/**
* Get the string value from the StrengthOfFunction.
*
* @return the string containing the value.
*/
public String getValue() {
return this.value;
}
}
}

44
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/PlatformConfiguration.java
View File

@ -15,10 +15,12 @@ import java.util.List;
@AllArgsConstructor
public abstract class PlatformConfiguration {
private ArrayList<ComponentIdentifier> componentIdentifier = new ArrayList<>();
@Getter @Setter
@Getter
@Setter
private URIReference componentIdentifierUri;
private ArrayList<PlatformProperty> platformProperties = new ArrayList<>();
@Getter @Setter
@Getter
@Setter
private URIReference platformPropertiesUri;
/**
@ -34,10 +36,10 @@ public abstract class PlatformConfiguration {
/**
* Constructor given the Platform Configuration values.
*
* @param componentIdentifier list containing all the components inside the
* Platform Configuration.
* @param platformProperties list containing all the properties inside the
* Platform Configuration.
* @param componentIdentifier list containing all the components inside the
* Platform Configuration.
* @param platformProperties list containing all the properties inside the
* Platform Configuration.
* @param platformPropertiesUri object containing the URI Reference
*/
public PlatformConfiguration(final List<ComponentIdentifier> componentIdentifier,
@ -55,8 +57,16 @@ public abstract class PlatformConfiguration {
return Collections.unmodifiableList(componentIdentifier);
}
/**
* @param componentIdentifier the componentIdentifier to set
*/
public void setComponentIdentifier(final List<ComponentIdentifier> componentIdentifier) {
this.componentIdentifier = new ArrayList<>(componentIdentifier);
}
/**
* Add function for the component identifier array.
*
* @param componentIdentifier object to add
* @return status of the add, if successful or not
*/
@ -68,13 +78,6 @@ public abstract class PlatformConfiguration {
return false;
}
/**
* @param componentIdentifier the componentIdentifier to set
*/
public void setComponentIdentifier(final List<ComponentIdentifier> componentIdentifier) {
this.componentIdentifier = new ArrayList<>(componentIdentifier);
}
/**
* @return the platformProperties
*/
@ -82,8 +85,16 @@ public abstract class PlatformConfiguration {
return Collections.unmodifiableList(platformProperties);
}
/**
* @param platformProperties the platformProperties to set
*/
public void setPlatformProperties(final List<PlatformProperty> platformProperties) {
this.platformProperties = new ArrayList<>(platformProperties);
}
/**
* Add function for the platform property array.
*
* @param platformProperty property object to add
* @return status of the add, if successful or not
*/
@ -94,11 +105,4 @@ public abstract class PlatformConfiguration {
return false;
}
/**
* @param platformProperties the platformProperties to set
*/
public void setPlatformProperties(final List<PlatformProperty> platformProperties) {
this.platformProperties = new ArrayList<>(platformProperties);
}
}

3
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/PlatformConfigurationV1.java
View File

@ -25,6 +25,7 @@ public class PlatformConfigurationV1 extends PlatformConfiguration {
/**
* Constructor given the SEQUENCE that contains Platform Configuration.
*
* @param sequence containing the Platform Configuration.
* @throws IllegalArgumentException if there was an error on the parsing
*/
@ -96,7 +97,7 @@ public class PlatformConfigurationV1 extends PlatformConfiguration {
}
sb.append(", platformPropertiesUri=");
if (getPlatformPropertiesUri() != null) {
sb.append(getPlatformPropertiesUri().toString());
sb.append(getPlatformPropertiesUri());
}
sb.append("}");

5
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/PlatformProperty.java
View File

@ -8,7 +8,6 @@ import org.bouncycastle.asn1.ASN1UTF8String;
import org.bouncycastle.asn1.DERUTF8String;
/**
*
* Basic class that handles a single property for the platform configuration.
* <pre>
* Properties ::= SEQUENCE {
@ -22,13 +21,11 @@ import org.bouncycastle.asn1.DERUTF8String;
@AllArgsConstructor
public class PlatformProperty {
private static final String NOT_SPECIFIED = "Not Specified";
/**
* Number of identifiers for version 1.
*/
protected static final int IDENTIFIER_NUMBER = 2;
private static final String NOT_SPECIFIED = "Not Specified";
private ASN1UTF8String propertyName;
private ASN1UTF8String propertyValue;

113
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/TBBSecurityAssertion.java
View File

@ -30,60 +30,6 @@ public class TBBSecurityAssertion {
private static final int CCINFO = 0;
private static final int FIPSLEVEL = 1;
private static final int RTMTYPE = 2;
/**
* A type to handle the evaluation status used in the Common Criteria Measurement.
* Ordering of enum types is intentional and their ordinal values correspond to enum
* values in the TCG spec.
*
* <pre>
* MeasurementRootType ::= ENUMERATED {
* static (0),
* dynamic (1),
* nonHost (2),
* hybrid (3),
* physical (4),
* virtual (5) }
* </pre>
*/
public enum MeasurementRootType {
/**
* Static measurement root type.
*/
STATIC("static"),
/**
* Dynamic measurement root type.
*/
DYNAMIC("dynamic"),
/**
* Non-Host measurement root type.
*/
NONHOST("nonHost"),
/**
* Hybrid measurement root type.
*/
HYBRID("hybrid"),
/**
* Physical measurement root type.
*/
PHYSICAL("physical"),
/**
* Virtual measurement root type.
*/
VIRTUAL("virtual");
@Getter
private final String value;
/**
* Basic constructor.
* @param value string containing the value.
*/
MeasurementRootType(final String value) {
this.value = value;
}
}
private ASN1Integer version;
private CommonCriteriaMeasures ccInfo;
private FIPSLevel fipsLevel;
@ -105,6 +51,7 @@ public class TBBSecurityAssertion {
/**
* Constructor given the SEQUENCE that contains a TBBSecurityAssertion Object.
*
* @param sequence containing the the TBB Security Assertion
* @throws IllegalArgumentException if there was an error on the parsing
*/
@ -260,11 +207,11 @@ public class TBBSecurityAssertion {
//Optional values not null
sb.append(", ccInfo=");
if (ccInfo != null) {
sb.append(ccInfo.toString());
sb.append(ccInfo);
}
sb.append(", fipsLevel=");
if (fipsLevel != null) {
sb.append(fipsLevel.toString());
sb.append(fipsLevel);
}
sb.append(", rtmType=");
if (rtmType != null) {
@ -279,4 +226,58 @@ public class TBBSecurityAssertion {
return sb.toString();
}
/**
* A type to handle the evaluation status used in the Common Criteria Measurement.
* Ordering of enum types is intentional and their ordinal values correspond to enum
* values in the TCG spec.
*
* <pre>
* MeasurementRootType ::= ENUMERATED {
* static (0),
* dynamic (1),
* nonHost (2),
* hybrid (3),
* physical (4),
* virtual (5) }
* </pre>
*/
public enum MeasurementRootType {
/**
* Static measurement root type.
*/
STATIC("static"),
/**
* Dynamic measurement root type.
*/
DYNAMIC("dynamic"),
/**
* Non-Host measurement root type.
*/
NONHOST("nonHost"),
/**
* Hybrid measurement root type.
*/
HYBRID("hybrid"),
/**
* Physical measurement root type.
*/
PHYSICAL("physical"),
/**
* Virtual measurement root type.
*/
VIRTUAL("virtual");
@Getter
private final String value;
/**
* Basic constructor.
*
* @param value string containing the value.
*/
MeasurementRootType(final String value) {
this.value = value;
}
}
}

96
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/TPMSecurityAssertions.java
View File

@ -14,19 +14,61 @@ import java.math.BigInteger;
/**
* A class to represent the TPM Security Assertions in an Endorsement Credential as
* defined by the TCG spec for TPM 1.2.
*
* <p>
* https://www.trustedcomputinggroup.org/wp-content/uploads/IWG-Credential_Profiles_V1_R0.pdf
*
* <p>
* Future iterations of this code may want to reference
* www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
* for specifications for TPM 2.0 (pg. 19).
*/
@AllArgsConstructor
@NoArgsConstructor(access = AccessLevel.PROTECTED)
@Getter @Setter
@Getter
@Setter
@Embeddable
public class TPMSecurityAssertions implements Serializable {
@Column
private BigInteger tpmSecAssertsVersion; //default v1
@Column
private boolean fieldUpgradeable; //default false
@Column(nullable = true)
private EkGenerationType ekGenType; //optional
@Column(nullable = true)
private EkGenerationLocation ekGenerationLocation; //optional
@Column(nullable = true)
private EkGenerationLocation ekCertificateGenerationLocation; //optional
/**
* Standard constructor that sets required fields. Use accessor methods
* to set optional fields.
*
* @param version the version of the security assertions
* @param fieldUpgradeable whether or not the security assertions are
* field upgradeable.
*/
public TPMSecurityAssertions(final BigInteger version, final boolean fieldUpgradeable) {
this.tpmSecAssertsVersion = version;
this.fieldUpgradeable = fieldUpgradeable;
}
@Override
public String toString() {
return "TPMSecurityAssertions{"
+ "version=" + tpmSecAssertsVersion
+ ", fieldUpgradeable=" + fieldUpgradeable
+ ", ekGenType=" + ekGenType
+ ", ekGenLoc=" + ekGenerationLocation
+ ", ekCertGenLoc=" + ekCertificateGenerationLocation
+ '}';
}
// Future work (may need to create other classes):
//private CommonCriteriaMeasures commCritMeasures; //optional
//private FIPSLevel fipsLevel; //optional
//private boolean iso9000Certified; //default false
//private IA5String iso9000Uri; //optional
/**
* A type to handle the different endorsement key generation types used in the TPM
* Assertions field of an endorsement credential. Ordering of enum types is intentional
@ -51,7 +93,7 @@ public class TPMSecurityAssertions implements Serializable {
* Generated externally and then inserted under a controlled environment during
* manufacturing. Can be revoked. Enum value of 3.
*/
INJECTED_REVOCABLE;
INJECTED_REVOCABLE
}
/**
@ -73,50 +115,6 @@ public class TPMSecurityAssertions implements Serializable {
/**
* Generated by the endorsement key certificate signer. Enum value of 2.
*/
EK_CERT_SIGNER;
}
@Column
private BigInteger tpmSecAssertsVersion; //default v1
@Column
private boolean fieldUpgradeable; //default false
@Column(nullable = true)
private EkGenerationType ekGenType; //optional
@Column(nullable = true)
private EkGenerationLocation ekGenerationLocation; //optional
@Column(nullable = true)
private EkGenerationLocation ekCertificateGenerationLocation; //optional
// Future work (may need to create other classes):
//private CommonCriteriaMeasures commCritMeasures; //optional
//private FIPSLevel fipsLevel; //optional
//private boolean iso9000Certified; //default false
//private IA5String iso9000Uri; //optional
/**
* Standard constructor that sets required fields. Use accessor methods
* to set optional fields.
* @param version the version of the security assertions
* @param fieldUpgradeable whether or not the security assertions are
* field upgradeable.
*/
public TPMSecurityAssertions(final BigInteger version, final boolean fieldUpgradeable) {
this.tpmSecAssertsVersion = version;
this.fieldUpgradeable = fieldUpgradeable;
}
@Override
public String toString() {
return "TPMSecurityAssertions{"
+ "version=" + tpmSecAssertsVersion
+ ", fieldUpgradeable=" + fieldUpgradeable
+ ", ekGenType=" + ekGenType
+ ", ekGenLoc=" + ekGenerationLocation
+ ", ekCertGenLoc=" + ekCertificateGenerationLocation
+ '}';
EK_CERT_SIGNER
}
}

11
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/TPMSpecification.java
View File

@ -13,15 +13,15 @@ import java.math.BigInteger;
/**
* A class to represent the TPM Specification in an Endorsement Credential as
* defined by the TCG spec for TPM 1.2.
*
* <p>
* https://www.trustedcomputinggroup.org/wp-content/uploads/IWG-Credential_Profiles_V1_R0.pdf
*
* <p>
* Future iterations of this code may want to reference
* www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf
* for specifications for TPM 2.0.
*/
@EqualsAndHashCode
@NoArgsConstructor(access= AccessLevel.PROTECTED)
@NoArgsConstructor(access = AccessLevel.PROTECTED)
@Getter
@Embeddable
public class TPMSpecification implements Serializable {
@ -37,8 +37,9 @@ public class TPMSpecification implements Serializable {
/**
* Standard constructor.
* @param family the specification family.
* @param level the specification level.
*
* @param family the specification family.
* @param level the specification level.
* @param revision the specification revision.
*/
public TPMSpecification(final String family, final BigInteger level,

11
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/URIReference.java
View File

@ -10,27 +10,26 @@ import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
/**
*
* Basic class that handle a URIReference object.
* <pre>
* URIReference ::= SEQUENCE {
* uniformResourceIdentifier IA5String (SIZE (1..URIMAX)),
* hashAlgorithm AlgorithmIdentifier OPTIONAL,
* hashValue BIT STRING OPTIONAL
}
* }
* </pre>
*/
@Getter @Setter
@Getter
@Setter
@AllArgsConstructor
public class URIReference {
private static final int PLATFORM_PROPERTIES_URI_MAX = 3;
private static final int PLATFORM_PROPERTIES_URI_MIN = 1;
private ASN1IA5String uniformResourceIdentifier;
private AlgorithmIdentifier hashAlgorithm;
@JsonIgnore
private ASN1BitString hashValue;
private static final int PLATFORM_PROPERTIES_URI_MAX = 3;
private static final int PLATFORM_PROPERTIES_URI_MIN = 1;
/**
* Default constructor.
*/

6
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/V2/CertificateIdentifier.java
View File

@ -51,6 +51,7 @@ public class CertificateIdentifier {
/**
* Primary constructor for the parsing of the sequence.
*
* @param sequence containing the name and value of the Certificate Identifier
*/
public CertificateIdentifier(final ASN1Sequence sequence) {
@ -103,6 +104,7 @@ public class CertificateIdentifier {
/**
* String for the internal data stored.
*
* @return String representation of the data.
*/
@Override
@ -114,11 +116,11 @@ public class CertificateIdentifier {
sb.append(", hashSigValue").append(hashSigValue);
sb.append(", issuerDN=");
if (issuerDN != null) {
sb.append(issuerDN.toString());
sb.append(issuerDN);
}
sb.append(", certificateSerialNumber=");
if (certificateSerialNumber != null) {
sb.append(certificateSerialNumber.toString());
sb.append(certificateSerialNumber);
}
sb.append("}");

5
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/V2/PlatformConfigurationV2.java
View File

@ -29,6 +29,7 @@ public class PlatformConfigurationV2 extends PlatformConfiguration {
/**
* Constructor given the SEQUENCE that contains Platform Configuration.
*
* @param sequence containing the the Platform Configuration.
* @throws IllegalArgumentException if there was an error on the parsing
*/
@ -99,7 +100,7 @@ public class PlatformConfigurationV2 extends PlatformConfiguration {
}
sb.append(", componentIdentifierUri=");
if (getComponentIdentifierUri() != null) {
sb.append(getComponentIdentifierUri().toString());
sb.append(getComponentIdentifierUri());
}
sb.append(", platformProperties=");
if (getPlatformProperties().size() > 0) {
@ -110,7 +111,7 @@ public class PlatformConfigurationV2 extends PlatformConfiguration {
}
sb.append(", platformPropertiesUri=");
if (getPlatformPropertiesUri() != null) {
sb.append(getPlatformPropertiesUri().toString());
sb.append(getPlatformPropertiesUri());
}
sb.append("}");

7
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/V2/PlatformPropertyV2.java
View File

@ -8,7 +8,6 @@ import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1UTF8String;
/**
*
* Basic class that handles a single property for the platform configuration.
* <pre>
* Properties ::= SEQUENCE {
@ -35,8 +34,8 @@ public class PlatformPropertyV2 extends PlatformProperty {
/**
* Constructor given the name and value for the platform property.
*
* @param propertyName string containing the property name
* @param propertyValue string containing the property value
* @param propertyName string containing the property name
* @param propertyValue string containing the property value
* @param attributeStatus enumerated object with the status of the property
*/
public PlatformPropertyV2(final ASN1UTF8String propertyName, final ASN1UTF8String propertyValue,
@ -91,7 +90,7 @@ public class PlatformPropertyV2 extends PlatformProperty {
sb.append("PropertyName=").append(getPropertyName().getString());
sb.append(", propertyValue=").append(getPropertyValue().getString());
if (attributeStatus != null) {
sb.append(", attributeStatus=").append(attributeStatus.toString());
sb.append(", attributeStatus=").append(attributeStatus);
}
sb.append("}");

46
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/ComponentInfo.java
View File

@ -34,6 +34,7 @@ public class ComponentInfo extends ArchivableEntity {
@Column(nullable = false)
private String deviceName;
@XmlElement
@Column(nullable = false)
private String componentManufacturer;
@ -56,10 +57,11 @@ public class ComponentInfo extends ArchivableEntity {
/**
* Base constructor for children.
*
* @param componentManufacturer Component Manufacturer (must not be null)
* @param componentModel Component Model (must not be null)
* @param componentSerial Component Serial Number (can be null)
* @param componentRevision Component Revision or Version (can be null)
* @param componentModel Component Model (must not be null)
* @param componentSerial Component Serial Number (can be null)
* @param componentRevision Component Revision or Version (can be null)
*/
public ComponentInfo(final String componentManufacturer,
final String componentModel,
@ -68,13 +70,15 @@ public class ComponentInfo extends ArchivableEntity {
this(DeviceInfoEnums.NOT_SPECIFIED, componentManufacturer, componentModel,
componentSerial, componentRevision);
}
/**
* Constructor.
* @param deviceName the host machine associated with this component. (must not be null)
*
* @param deviceName the host machine associated with this component. (must not be null)
* @param componentManufacturer Component Manufacturer (must not be null)
* @param componentModel Component Model (must not be null)
* @param componentSerial Component Serial Number (can be null)
* @param componentRevision Component Revision or Version (can be null)
* @param componentModel Component Model (must not be null)
* @param componentSerial Component Serial Number (can be null)
* @param componentRevision Component Revision or Version (can be null)
*/
public ComponentInfo(final String deviceName,
final String componentManufacturer,
@ -108,12 +112,13 @@ public class ComponentInfo extends ArchivableEntity {
/**
* Constructor.
* @param deviceName the host machine associated with this component.
*
* @param deviceName the host machine associated with this component.
* @param componentManufacturer Component Manufacturer (must not be null)
* @param componentModel Component Model (must not be null)
* @param componentSerial Component Serial Number (can be null)
* @param componentRevision Component Revision or Version (can be null)
* @param componentClass Component Class (can be null)
* @param componentModel Component Model (must not be null)
* @param componentSerial Component Serial Number (can be null)
* @param componentRevision Component Revision or Version (can be null)
* @param componentClass Component Class (can be null)
*/
public ComponentInfo(final String deviceName,
final String componentManufacturer,
@ -134,9 +139,9 @@ public class ComponentInfo extends ArchivableEntity {
* manufacturer and model are considered valid.
*
* @param componentManufacturer a String containing a component's manufacturer
* @param componentModel a String representing a component's model
* @param componentSerial a String representing a component's serial number
* @param componentRevision a String representing a component's revision
* @param componentModel a String representing a component's model
* @param componentSerial a String representing a component's serial number
* @param componentRevision a String representing a component's revision
* @return true if the component is valid, false if not
*/
public static boolean isComplete(final String componentManufacturer,
@ -149,13 +154,18 @@ public class ComponentInfo extends ArchivableEntity {
/**
* Equals for the component info that just uses this classes attributes.
*
* @param object the object to compare
* @return the boolean result
*/
@Override
public boolean equals(Object object) {
if (this == object) return true;
if (object == null || getClass() != object.getClass()) return false;
if (this == object) {
return true;
}
if (object == null || getClass() != object.getClass()) {
return false;
}
ComponentInfo that = (ComponentInfo) object;
return Objects.equals(deviceName, that.deviceName)
@ -169,6 +179,7 @@ public class ComponentInfo extends ArchivableEntity {
/**
* Returns a hash code that is associated with common fields for components.
*
* @return int value of the elements
*/
public int hashCommonElements() {
@ -178,6 +189,7 @@ public class ComponentInfo extends ArchivableEntity {
/**
* Hash method for the attributes of this class.
*
* @return int value that represents this class
*/
@Override

4
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/FirmwareInfo.java
View File

@ -33,8 +33,8 @@ public class FirmwareInfo implements Serializable {
/**
* Constructor used to create a populated firmware info object.
*
* @param biosVendor String bios vendor name, i.e. Dell Inc.
* @param biosVersion String bios version info, i.e. A11
* @param biosVendor String bios vendor name, i.e. Dell Inc.
* @param biosVersion String bios version info, i.e. A11
* @param biosReleaseDate String bios release date info, i.e. 03/12/2013
*/
public FirmwareInfo(final String biosVendor, final String biosVersion,

16
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/HardwareInfo.java
View File

@ -48,11 +48,11 @@ public class HardwareInfo implements Serializable {
/**
* Constructor used to create a populated firmware info object.
*
* @param manufacturer String manufacturer name
* @param productName String product name info
* @param version String bios release date info
* @param systemSerialNumber String device serial number
* @param chassisSerialNumber String device chassis serial number
* @param manufacturer String manufacturer name
* @param productName String product name info
* @param version String bios release date info
* @param systemSerialNumber String device serial number
* @param chassisSerialNumber String device chassis serial number
* @param baseboardSerialNumber String device baseboard serial number
*/
public HardwareInfo(
@ -80,19 +80,19 @@ public class HardwareInfo implements Serializable {
if (!StringUtils.isBlank(systemSerialNumber)) {
this.systemSerialNumber = StringValidator.check(systemSerialNumber,
"systemSerialNumber")
"systemSerialNumber")
.maxLength(DeviceInfoEnums.LONG_STRING_LENGTH).getValue();
}
if (!StringUtils.isBlank(chassisSerialNumber)) {
this.chassisSerialNumber = StringValidator.check(chassisSerialNumber,
"chassisSerialNumber")
"chassisSerialNumber")
.maxLength(DeviceInfoEnums.LONG_STRING_LENGTH).getValue();
}
if (!StringUtils.isBlank(baseboardSerialNumber)) {
this.baseboardSerialNumber = StringValidator.check(
baseboardSerialNumber, "baseboardSerialNumber")
baseboardSerialNumber, "baseboardSerialNumber")
.maxLength(DeviceInfoEnums.LONG_STRING_LENGTH).getValue();
}
}

58
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/NetworkInfo.java
View File

@ -10,47 +10,42 @@ import lombok.extern.log4j.Log4j2;
import java.io.Serializable;
import java.net.InetAddress;
import java.util.Arrays;
import java.util.Objects;
/**
* This class is used to represent the network info of a device.
*/
@Log4j2
@Embeddable
@EqualsAndHashCode
public class NetworkInfo implements Serializable {
private static final int NUM_MAC_ADDRESS_BYTES = 6;
@XmlElement
@Getter
@Column(length = DeviceInfoEnums.LONG_STRING_LENGTH, nullable = true)
@Column(length = DeviceInfoEnums.LONG_STRING_LENGTH)
private String hostname;
@XmlElement
@Getter
// @XmlJavaTypeAdapter(value = InetAddressXmlAdapter.class)
@Column(length = DeviceInfoEnums.SHORT_STRING_LENGTH, nullable = true)
@Column(length = DeviceInfoEnums.SHORT_STRING_LENGTH)
// @JsonSubTypes.Type(type = "hirs.data.persist.type.InetAddressType")
private InetAddress ipAddress;
@XmlElement
@Column(length = NUM_MAC_ADDRESS_BYTES, nullable = true)
@SuppressWarnings("checkstyle:magicnumber")
@Column(length = NUM_MAC_ADDRESS_BYTES)
private byte[] macAddress;
/**
* Constructor used to create a NetworkInfo object.
*
* @param hostname
* String representing the hostname information for the device,
* can be null if hostname unknown
* @param ipAddress
* InetAddress object representing the IP address for the device,
* can be null if IP address unknown
* @param macAddress
* byte array representing the MAC address for the device, can be
* null if MAC address is unknown
* @param hostname String representing the hostname information for the device,
* can be null if hostname unknown
* @param ipAddress InetAddress object representing the IP address for the device,
* can be null if IP address unknown
* @param macAddress byte array representing the MAC address for the device, can be
* null if MAC address is unknown
*/
public NetworkInfo(final String hostname, final InetAddress ipAddress,
final byte[] macAddress) {
@ -72,7 +67,7 @@ public class NetworkInfo implements Serializable {
* Used to retrieve the MAC address of the device.
*
* @return a String representing the MAC address, may return null if no
* value is set
* value is set
*/
public final byte[] getMacAddress() {
if (macAddress == null) {
@ -82,16 +77,6 @@ public class NetworkInfo implements Serializable {
}
}
private void setHostname(final String hostname) {
log.debug("setting hostname to: {}", hostname);
this.hostname = hostname;
}
private void setIpAddress(final InetAddress ipAddress) {
log.debug("setting IP address to: {}", ipAddress);
this.ipAddress = ipAddress;
}
private void setMacAddress(final byte[] macAddress) {
StringBuilder sb;
if (macAddress == null) {
@ -114,22 +99,13 @@ public class NetworkInfo implements Serializable {
this.macAddress = macAddress;
}
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (!(o instanceof NetworkInfo)) {
return false;
}
NetworkInfo that = (NetworkInfo) o;
return Objects.equals(hostname, that.hostname)
&& Objects.equals(ipAddress, that.ipAddress)
&& Arrays.equals(macAddress, that.macAddress);
private void setHostname(final String hostname) {
log.debug("setting hostname to: {}", hostname);
this.hostname = hostname;
}
@Override
public int hashCode() {
int result = Objects.hash(hostname, ipAddress);
result = 31 * result + Arrays.hashCode(macAddress);
return result;
private void setIpAddress(final InetAddress ipAddress) {
log.debug("setting IP address to: {}", ipAddress);
this.ipAddress = ipAddress;
}
}

15
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/OSInfo.java
View File

@ -47,16 +47,11 @@ public class OSInfo implements Serializable {
* Fedora), and distribution release (7.0.1406). Distribution only makes
* sense for Linux, so distribution and distributionRelease may be null.
*
* @param osName
* String OS name (Linux | Mac OS X | Windows 7)
* @param osVersion
* String OS version (i.e. 3.10.0-123.el7.x86_64)
* @param osArch
* String OS architecture (x86_64)
* @param distribution
* String distribution (CentOS | Fedora)
* @param distributionRelease
* String distribution release (7.0.1406)
* @param osName String OS name (Linux | Mac OS X | Windows 7)
* @param osVersion String OS version (i.e. 3.10.0-123.el7.x86_64)
* @param osArch String OS architecture (x86_64)
* @param distribution String distribution (CentOS | Fedora)
* @param distributionRelease String distribution release (7.0.1406)
*/
public OSInfo(final String osName, final String osVersion,
final String osArch, final String distribution,

7
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/RIMInfo.java
View File

@ -38,10 +38,11 @@ public class RIMInfo implements Serializable {
/**
* Constructor for the initial values of the class.
*
* @param rimManufacturer string of the rimManufacturer
* @param model string of the model
* @param fileHash string of the file hash
* @param pcrHash string of the pcr hash
* @param model string of the model
* @param fileHash string of the file hash
* @param pcrHash string of the pcr hash
*/
public RIMInfo(final String rimManufacturer, final String model,
final String fileHash, final String pcrHash) {

163
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/TPMInfo.java
View File

@ -68,25 +68,16 @@ public class TPMInfo implements Serializable {
/**
* Constructor used to create a TPMInfo object.
*
* @param tpmMake
* String representing the make information for the TPM,
* NullPointerException thrown if null
* @param tpmVersionMajor
* short representing the major version number for the TPM
* @param tpmVersionMinor
* short representing the minor version number for the TPM
* @param tpmVersionRevMajor
* short representing the major revision number for the TPM
* @param tpmVersionRevMinor
* short representing the minor revision number for the TPM
* @param identityCertificate
* byte array with the value of the identity certificate
* @param pcrValues
* short representing the major revision number for the TPM
* @param tpmQuoteHash
* short representing the minor revision number for the TPM
* @param tpmQuoteSignature
* byte array with the value of the identity certificate
* @param tpmMake String representing the make information for the TPM,
* NullPointerException thrown if null
* @param tpmVersionMajor short representing the major version number for the TPM
* @param tpmVersionMinor short representing the minor version number for the TPM
* @param tpmVersionRevMajor short representing the major revision number for the TPM
* @param tpmVersionRevMinor short representing the minor revision number for the TPM
* @param identityCertificate byte array with the value of the identity certificate
* @param pcrValues short representing the major revision number for the TPM
* @param tpmQuoteHash short representing the minor revision number for the TPM
* @param tpmQuoteSignature byte array with the value of the identity certificate
*/
@SuppressWarnings("parameternumber")
public TPMInfo(final String tpmMake, final short tpmVersionMajor,
@ -109,23 +100,15 @@ public class TPMInfo implements Serializable {
* Constructor used to create a TPMInfo object without an identity
* certificate.
*
* @param tpmMake
* String representing the make information for the TPM,
* NullPointerException thrown if null
* @param tpmVersionMajor
* short representing the major version number for the TPM
* @param tpmVersionMinor
* short representing the minor version number for the TPM
* @param tpmVersionRevMajor
* short representing the major revision number for the TPM
* @param tpmVersionRevMinor
* short representing the minor revision number for the TPM
* @param pcrValues
* short representing the major revision number for the TPM
* @param tpmQuoteHash
* short representing the minor revision number for the TPM
* @param tpmQuoteSignature
* byte array with the value of the identity certificate
* @param tpmMake String representing the make information for the TPM,
* NullPointerException thrown if null
* @param tpmVersionMajor short representing the major version number for the TPM
* @param tpmVersionMinor short representing the minor version number for the TPM
* @param tpmVersionRevMajor short representing the major revision number for the TPM
* @param tpmVersionRevMinor short representing the minor revision number for the TPM
* @param pcrValues short representing the major revision number for the TPM
* @param tpmQuoteHash short representing the minor revision number for the TPM
* @param tpmQuoteSignature byte array with the value of the identity certificate
*/
@SuppressWarnings("parameternumber")
public TPMInfo(final String tpmMake, final short tpmVersionMajor,
@ -146,17 +129,12 @@ public class TPMInfo implements Serializable {
* Constructor used to create a TPMInfo object without an identity
* certificate.
*
* @param tpmMake
* String representing the make information for the TPM,
* NullPointerException thrown if null
* @param tpmVersionMajor
* short representing the major version number for the TPM
* @param tpmVersionMinor
* short representing the minor version number for the TPM
* @param tpmVersionRevMajor
* short representing the major revision number for the TPM
* @param tpmVersionRevMinor
* short representing the minor revision number for the TPM
* @param tpmMake String representing the make information for the TPM,
* NullPointerException thrown if null
* @param tpmVersionMajor short representing the major version number for the TPM
* @param tpmVersionMinor short representing the minor version number for the TPM
* @param tpmVersionRevMajor short representing the major revision number for the TPM
* @param tpmVersionRevMinor short representing the minor revision number for the TPM
*/
public TPMInfo(final String tpmMake, final short tpmVersionMajor,
final short tpmVersionMinor, final short tpmVersionRevMajor,
@ -170,19 +148,13 @@ public class TPMInfo implements Serializable {
* Constructor used to create a TPMInfo object without an identity
* certificate.
*
* @param tpmMake
* String representing the make information for the TPM,
* NullPointerException thrown if null
* @param tpmVersionMajor
* short representing the major version number for the TPM
* @param tpmVersionMinor
* short representing the minor version number for the TPM
* @param tpmVersionRevMajor
* short representing the major revision number for the TPM
* @param tpmVersionRevMinor
* short representing the minor revision number for the TPM
* @param identityCertificate
* byte array with the value of the identity certificate
* @param tpmMake String representing the make information for the TPM,
* NullPointerException thrown if null
* @param tpmVersionMajor short representing the major version number for the TPM
* @param tpmVersionMinor short representing the minor version number for the TPM
* @param tpmVersionRevMajor short representing the major revision number for the TPM
* @param tpmVersionRevMinor short representing the minor revision number for the TPM
* @param identityCertificate byte array with the value of the identity certificate
*/
public TPMInfo(final String tpmMake, final short tpmVersionMajor,
final short tpmVersionMinor, final short tpmVersionRevMajor,
@ -217,30 +189,67 @@ public class TPMInfo implements Serializable {
return identityCertificate;
}
private void setIdentityCertificate(
final X509Certificate identityCertificate) {
if (identityCertificate == null) {
log.error("identity certificate cannot be null");
throw new NullPointerException("identityCertificate");
}
log.debug("setting identity certificate");
this.identityCertificate = identityCertificate;
}
/**
* Getter for the tpmQuote passed up by the client.
*
* @return a byte blob of quote
*/
public final byte[] getTpmQuoteHash() {
return tpmQuoteHash.clone();
}
private void setTpmQuoteHash(final byte[] tpmQuoteHash) {
if (tpmQuoteHash == null) {
this.tpmQuoteHash = new byte[0];
} else {
this.tpmQuoteHash = tpmQuoteHash.clone();
}
}
/**
* Getter for the quote signature.
*
* @return a byte blob.
*/
public final byte[] getTpmQuoteSignature() {
return tpmQuoteSignature.clone();
}
private void setTpmQuoteSignature(final byte[] tpmQuoteSignature) {
if (tpmQuoteSignature == null) {
this.tpmQuoteSignature = new byte[0];
} else {
this.tpmQuoteSignature = tpmQuoteSignature.clone();
}
}
/**
* Getter for the pcr values.
*
* @return a byte blob for the pcrValues.
*/
public final byte[] getPcrValues() {
return pcrValues.clone();
}
private void setPcrValues(final byte[] pcrValues) {
if (pcrValues == null) {
this.pcrValues = new byte[0];
} else {
this.pcrValues = pcrValues.clone();
}
}
private void setTPMMake(final String tpmMake) {
log.debug("setting TPM make info: {}", tpmMake);
this.tpmMake = StringValidator.check(tpmMake, "tpmMake")
@ -292,38 +301,4 @@ public class TPMInfo implements Serializable {
tpmVersionRevMinor);
this.tpmVersionRevMinor = tpmVersionRevMinor;
}
private void setIdentityCertificate(
final X509Certificate identityCertificate) {
if (identityCertificate == null) {
log.error("identity certificate cannot be null");
throw new NullPointerException("identityCertificate");
}
log.debug("setting identity certificate");
this.identityCertificate = identityCertificate;
}
private void setPcrValues(final byte[] pcrValues) {
if (pcrValues == null) {
this.pcrValues = new byte[0];
} else {
this.pcrValues = pcrValues.clone();
}
}
private void setTpmQuoteHash(final byte[] tpmQuoteHash) {
if (tpmQuoteHash == null) {
this.tpmQuoteHash = new byte[0];
} else {
this.tpmQuoteHash = tpmQuoteHash.clone();
}
}
private void setTpmQuoteSignature(final byte[] tpmQuoteSignature) {
if (tpmQuoteSignature == null) {
this.tpmQuoteSignature = new byte[0];
} else {
this.tpmQuoteSignature = tpmQuoteSignature.clone();
}
}
}

1
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/component/package-info.java Normal file
View File

@ -0,0 +1 @@
package hirs.attestationca.persist.entity.userdefined.info.component;

1
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/package-info.java Normal file
View File

@ -0,0 +1 @@
package hirs.attestationca.persist.entity.userdefined.info;

34
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/record/TPMMeasurementRecord.java
View File

@ -63,9 +63,8 @@ public final class TPMMeasurementRecord extends ExaminableRecord {
* Constructor initializes values associated with TPMMeasurementRecord.
*
* @param pcrId is the TPM PCR index. pcrId must be between 0 and 23.
* @param hash
* represents the measurement digest found at the particular PCR
* index.
* @param hash represents the measurement digest found at the particular PCR
* index.
* @throws IllegalArgumentException if pcrId is not valid
*/
public TPMMeasurementRecord(final int pcrId, final Digest hash)
@ -85,8 +84,8 @@ public final class TPMMeasurementRecord extends ExaminableRecord {
* Constructor initializes values associated with TPMMeasurementRecord.
*
* @param pcrId is the TPM PCR index. pcrId must be between 0 and 23.
* @param hash represents the measurement digest found at the particular PCR
* index.
* @param hash represents the measurement digest found at the particular PCR
* index.
* @throws DecoderException if there is a decode issue with string hex.
*/
public TPMMeasurementRecord(final int pcrId, final String hash)
@ -98,18 +97,26 @@ public final class TPMMeasurementRecord extends ExaminableRecord {
* Constructor initializes values associated with TPMMeasurementRecord.
*
* @param pcrId is the TPM PCR index. pcrId must be between 0 and 23.
* @param hash represents the measurement digest found at the particular PCR
* index.
* @param hash represents the measurement digest found at the particular PCR
* index.
*/
public TPMMeasurementRecord(final int pcrId, final byte[] hash) {
this(pcrId, new Digest(hash));
}
/**
* Default constructor necessary for Hibernate.
*/
private TPMMeasurementRecord() {
super();
this.pcrId = -1;
this.hash = null;
}
/**
* Helper method to determine if a PCR ID number is valid.
*
* @param pcrId
* int to check
* @param pcrId int to check
*/
public static void checkForValidPcrId(final int pcrId) {
if (pcrId < MIN_PCR_ID || pcrId > MAX_PCR_ID) {
@ -118,13 +125,4 @@ public final class TPMMeasurementRecord extends ExaminableRecord {
throw new IllegalArgumentException(msg);
}
}
/**
* Default constructor necessary for Hibernate.
*/
protected TPMMeasurementRecord() {
super();
this.pcrId = -1;
this.hash = null;
}
}

94
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/report/DeviceInfoReport.java
View File

@ -67,17 +67,12 @@ public class DeviceInfoReport extends AbstractEntity implements Serializable {
* information cannot be changed after the <code>DeviceInfoReport</code> is
* created.
*
* @param networkInfo
* NetworkInfo object, cannot be null
* @param osInfo
* OSInfo object, cannot be null
* @param firmwareInfo
* FirmwareInfo object, cannot be null
* @param hardwareInfo
* HardwareInfo object, cannot be null
* @param tpmInfo
* TPMInfo object, may be null if a TPM is not available on the
* device
* @param networkInfo NetworkInfo object, cannot be null
* @param osInfo OSInfo object, cannot be null
* @param firmwareInfo FirmwareInfo object, cannot be null
* @param hardwareInfo HardwareInfo object, cannot be null
* @param tpmInfo TPMInfo object, may be null if a TPM is not available on the
* device
*/
public DeviceInfoReport(final NetworkInfo networkInfo, final OSInfo osInfo,
final FirmwareInfo firmwareInfo, final HardwareInfo hardwareInfo,
@ -90,20 +85,14 @@ public class DeviceInfoReport extends AbstractEntity implements Serializable {
* information cannot be changed after the <code>DeviceInfoReport</code> is
* created.
*
* @param networkInfo
* NetworkInfo object, cannot be null
* @param osInfo
* OSInfo object, cannot be null
* @param firmwareInfo
* FirmwareInfo object, cannot be null
* @param hardwareInfo
* HardwareInfo object, cannot be null
* @param tpmInfo
* TPMInfo object, may be null if a TPM is not available on the
* device
* @param clientApplicationVersion
* string representing the version of the client that submitted this report,
* cannot be null
* @param networkInfo NetworkInfo object, cannot be null
* @param osInfo OSInfo object, cannot be null
* @param firmwareInfo FirmwareInfo object, cannot be null
* @param hardwareInfo HardwareInfo object, cannot be null
* @param tpmInfo TPMInfo object, may be null if a TPM is not available on the
* device
* @param clientApplicationVersion string representing the version of the client that submitted this report,
* cannot be null
*/
public DeviceInfoReport(final NetworkInfo networkInfo, final OSInfo osInfo,
final FirmwareInfo firmwareInfo, final HardwareInfo hardwareInfo,
@ -135,6 +124,14 @@ public class DeviceInfoReport extends AbstractEntity implements Serializable {
networkInfo.getIpAddress(), networkInfo.getMacAddress());
}
private void setNetworkInfo(final NetworkInfo networkInfo) {
if (networkInfo == null) {
log.error("NetworkInfo cannot be null");
throw new NullPointerException("network info");
}
this.networkInfo = networkInfo;
}
/**
* Retrieves the OSInfo for this <code>DeviceInfoReport</code>.
*
@ -154,6 +151,14 @@ public class DeviceInfoReport extends AbstractEntity implements Serializable {
return osInfo;
}
private void setOSInfo(final OSInfo osInfo) {
if (osInfo == null) {
log.error("OSInfo cannot be null");
throw new NullPointerException("os info");
}
this.osInfo = osInfo;
}
/**
* Retrieves the FirmwareInfo for this <code>DeviceInfoReport</code>.
*
@ -172,6 +177,14 @@ public class DeviceInfoReport extends AbstractEntity implements Serializable {
return firmwareInfo;
}
private void setFirmwareInfo(final FirmwareInfo firmwareInfo) {
if (firmwareInfo == null) {
log.error("FirmwareInfo cannot be null");
throw new NullPointerException("firmware info");
}
this.firmwareInfo = firmwareInfo;
}
/**
* Retrieves the OSInfo for this <code>DeviceInfoReport</code>.
*
@ -196,30 +209,6 @@ public class DeviceInfoReport extends AbstractEntity implements Serializable {
return hardwareInfo;
}
private void setNetworkInfo(final NetworkInfo networkInfo) {
if (networkInfo == null) {
log.error("NetworkInfo cannot be null");
throw new NullPointerException("network info");
}
this.networkInfo = networkInfo;
}
private void setOSInfo(final OSInfo osInfo) {
if (osInfo == null) {
log.error("OSInfo cannot be null");
throw new NullPointerException("os info");
}
this.osInfo = osInfo;
}
private void setFirmwareInfo(final FirmwareInfo firmwareInfo) {
if (firmwareInfo == null) {
log.error("FirmwareInfo cannot be null");
throw new NullPointerException("firmware info");
}
this.firmwareInfo = firmwareInfo;
}
private void setHardwareInfo(final HardwareInfo hardwareInfo) {
if (hardwareInfo == null) {
log.error("HardwareInfo cannot be null");
@ -234,11 +223,12 @@ public class DeviceInfoReport extends AbstractEntity implements Serializable {
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (!(o instanceof DeviceInfoReport)) {
if (this == o) {
return true;
}
if (!(o instanceof DeviceInfoReport that)) {
return false;
}
DeviceInfoReport that = (DeviceInfoReport) o;
return Objects.equals(networkInfo, that.networkInfo)
&& Objects.equals(osInfo, that.osInfo)
&& Objects.equals(firmwareInfo, that.firmwareInfo)

35
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/result/CertificateValidationResult.java
View File

@ -6,11 +6,27 @@ import lombok.Setter;
/**
* An <code>CertificateValidationResult</code> represents the result of a certificate validation
* operation.
*
*/
@Getter
@Setter
public class CertificateValidationResult {
private CertificateValidationStatus validationStatus;
private String validationResultMessage;
/**
* Sets the certificate validation status and result message.
*
* @param status enum representing the certificate validation status
* @param resultMessage String representing certificate validation message
*/
public final void setCertValidationStatusAndResultMessage(
final CertificateValidationStatus status,
final String resultMessage) {
this.validationStatus = status;
this.validationResultMessage = resultMessage;
}
/**
* Enum used to represent certificate validation status.
*/
@ -31,21 +47,4 @@ public class CertificateValidationResult {
*/
ERROR
}
private CertificateValidationStatus validationStatus;
private String validationResultMessage;
/**
* Sets the certificate validation status and result message.
*
* @param status enum representing the certificate validation status
* @param resultMessage String representing certificate validation message
*/
public final void setCertValidationStatusAndResultMessage(
final CertificateValidationStatus status,
final String resultMessage) {
this.validationStatus = status;
this.validationResultMessage = resultMessage;
}
}

26
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/BaseReferenceManifest.java
View File

@ -127,9 +127,11 @@ public class BaseReferenceManifest extends ReferenceManifest {
SwidTagConstants.SWIDTAG_NAMESPACE, SwidTagConstants.META).item(0);
setTagId(softwareIdentity.getAttribute(SwidTagConstants.TAGID));
this.swidName = softwareIdentity.getAttribute(SwidTagConstants.NAME);
this.swidCorpus = Boolean.parseBoolean(softwareIdentity.getAttribute(SwidTagConstants.CORPUS)) ? 1 : 0;
this.swidCorpus =
Boolean.parseBoolean(softwareIdentity.getAttribute(SwidTagConstants.CORPUS)) ? 1 : 0;
this.setSwidPatch(Boolean.parseBoolean(softwareIdentity.getAttribute(SwidTagConstants.PATCH)));
this.setSwidSupplemental(Boolean.parseBoolean(softwareIdentity.getAttribute(SwidTagConstants.SUPPLEMENTAL)));
this.setSwidSupplemental(
Boolean.parseBoolean(softwareIdentity.getAttribute(SwidTagConstants.SUPPLEMENTAL)));
this.setSwidVersion(softwareIdentity.getAttribute(SwidTagConstants.VERSION));
this.setSwidTagVersion(softwareIdentity.getAttribute(SwidTagConstants.TAGVERSION));
@ -154,8 +156,10 @@ public class BaseReferenceManifest extends ReferenceManifest {
this.rimLinkHash = softwareMeta.getAttribute(SwidTagConstants._RIM_LINK_HASH_STR);
this.bindingSpec = softwareMeta.getAttribute(SwidTagConstants._BINDING_SPEC_STR);
this.bindingSpecVersion = softwareMeta.getAttribute(SwidTagConstants._BINDING_SPEC_VERSION_STR);
this.setPlatformManufacturerId(softwareMeta.getAttribute(SwidTagConstants._PLATFORM_MANUFACTURER_ID_STR));
this.setPlatformManufacturer(softwareMeta.getAttribute(SwidTagConstants._PLATFORM_MANUFACTURER_STR));
this.setPlatformManufacturerId(
softwareMeta.getAttribute(SwidTagConstants._PLATFORM_MANUFACTURER_ID_STR));
this.setPlatformManufacturer(
softwareMeta.getAttribute(SwidTagConstants._PLATFORM_MANUFACTURER_STR));
this.setPlatformModel(softwareMeta.getAttribute(SwidTagConstants._PLATFORM_MODEL_STR));
this.platformVersion = softwareMeta.getAttribute(SwidTagConstants._PLATFORM_VERSION_STR);
this.payloadType = softwareMeta.getAttribute(SwidTagConstants._PAYLOAD_TYPE_STR);
@ -202,7 +206,6 @@ public class BaseReferenceManifest extends ReferenceManifest {
* This method validates the .swidtag file at the given filepath against the
* schema. A successful validation results in the output of the tag's name
* and tagId attributes, otherwise a generic error message is printed.
*
*/
private Element getDirectoryTag(final byte[] rimBytes) {
if (rimBytes == null || rimBytes.length == 0) {
@ -254,7 +257,6 @@ public class BaseReferenceManifest extends ReferenceManifest {
* This method iterates over the list of File elements under the directory.
*
* @param rimBytes the bytes to find the files
*
*/
public List<SwidResource> getFileResources(final byte[] rimBytes) {
Element directoryTag = getDirectoryTag(rimBytes);
@ -353,9 +355,15 @@ public class BaseReferenceManifest extends ReferenceManifest {
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
if (!super.equals(o)) return false;
if (this == o) {
return true;
}
if (o == null || getClass() != o.getClass()) {
return false;
}
if (!super.equals(o)) {
return false;
}
BaseReferenceManifest that = (BaseReferenceManifest) o;
return swidCorpus == that.swidCorpus && Objects.equals(swidName, that.swidName)
&& Objects.equals(colloquialVersion, that.colloquialVersion)

8
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java
View File

@ -1,7 +1,6 @@
package hirs.attestationca.persist.entity.userdefined.rim;
import com.fasterxml.jackson.annotation.JsonIgnore;
import hirs.attestationca.persist.entity.userdefined.ReferenceManifest;
import hirs.attestationca.persist.enums.AppraisalStatus;
import hirs.utils.tpm.eventlog.TCGEventLog;
import hirs.utils.tpm.eventlog.TpmPcrEvent;
@ -31,10 +30,12 @@ public class EventLogMeasurements extends SupportReferenceManifest {
@Column
@JsonIgnore
@Getter @Setter
@Getter
@Setter
private int pcrHash = 0;
@Enumerated(EnumType.STRING)
@Getter @Setter
@Getter
@Setter
private AppraisalStatus.Status overallValidationResult = AppraisalStatus.Status.FAIL;
/**
@ -74,6 +75,7 @@ public class EventLogMeasurements extends SupportReferenceManifest {
/**
* Getter method for the expected PCR values contained within the support
* RIM.
*
* @return a string array of the pcr values.
*/
public String[] getExpectedPCRList() {

31
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/ReferenceDigestValue.java
View File

@ -8,7 +8,6 @@ import jakarta.persistence.Entity;
import jakarta.persistence.Table;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.EqualsAndHashCode;
import lombok.Getter;
import lombok.Setter;
@ -25,7 +24,7 @@ import java.util.UUID;
@Builder
@AllArgsConstructor
@Entity
@EqualsAndHashCode(callSuper=false)
@EqualsAndHashCode(callSuper = false)
@Table(name = "ReferenceDigestValue")
@Access(AccessType.FIELD)
public class ReferenceDigestValue extends AbstractEntity {
@ -88,18 +87,19 @@ public class ReferenceDigestValue extends AbstractEntity {
/**
* Default Constructor with parameters for all associated data.
* @param baseRimId the UUID of the associated record
* @param supportRimId the UUID of the associated record
* @param manufacturer associated creator for this information
* @param model the specific device type
* @param pcrIndex the event number
* @param digestValue the key digest value
*
* @param baseRimId the UUID of the associated record
* @param supportRimId the UUID of the associated record
* @param manufacturer associated creator for this information
* @param model the specific device type
* @param pcrIndex the event number
* @param digestValue the key digest value
* @param supportRimHash the support file's hash value
* @param eventType the event type to store
* @param matchFail the status of the baseline check
* @param patched the status of the value being updated to patch
* @param updated the status of the value being updated with info
* @param contentBlob the data value of the content
* @param eventType the event type to store
* @param matchFail the status of the baseline check
* @param patched the status of the value being updated to patch
* @param updated the status of the value being updated with info
* @param contentBlob the data value of the content
*/
public ReferenceDigestValue(final UUID baseRimId, final UUID supportRimId,
final String manufacturer, final String model,
@ -124,6 +124,7 @@ public class ReferenceDigestValue extends AbstractEntity {
/**
* the object that contains the raw bytes for this RDV.
*
* @return the raw bytes
*/
public byte[] getContentBlob() {
@ -132,7 +133,8 @@ public class ReferenceDigestValue extends AbstractEntity {
/**
* Helper method to update the attributes of this object.
* @param support the associated RIM.
*
* @param support the associated RIM.
* @param baseRimId the main id to update
*/
public void updateInfo(final SupportReferenceManifest support, final UUID baseRimId) {
@ -151,6 +153,7 @@ public class ReferenceDigestValue extends AbstractEntity {
/**
* Returns a string of the classes fields.
*
* @return a string
*/
public String toString() {

14
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/SupportReferenceManifest.java
View File

@ -71,6 +71,7 @@ public class SupportReferenceManifest extends ReferenceManifest {
/**
* Getter method for the expected PCR values contained within the support
* RIM.
*
* @return a string array of the pcr values.
*/
public String[] getExpectedPCRList() {
@ -113,6 +114,7 @@ public class SupportReferenceManifest extends ReferenceManifest {
/**
* This is a method to indicate whether or not this support
* rim is a base log file.
*
* @return flag for base.
*/
public boolean isBaseSupport() {
@ -121,9 +123,15 @@ public class SupportReferenceManifest extends ReferenceManifest {
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
if (!super.equals(o)) return false;
if (this == o) {
return true;
}
if (o == null || getClass() != o.getClass()) {
return false;
}
if (!super.equals(o)) {
return false;
}
SupportReferenceManifest that = (SupportReferenceManifest) o;
return pcrHash == that.pcrHash && updated == that.updated;
}

56
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/enums/AppraisalStatus.java
View File

@ -9,6 +9,35 @@ import lombok.Setter;
@Getter
@Setter
public class AppraisalStatus {
private Status appStatus;
private String message;
private String additionalInfo;
/**
* Default constructor. Set appraisal status and description.
*
* @param appStatus status of appraisal
* @param message description of result
*/
public AppraisalStatus(final Status appStatus, final String message) {
this(appStatus, message, "");
}
/**
* Default constructor. Set appraisal status and description.
*
* @param appStatus status of appraisal
* @param message description of result
* @param additionalInfo any additional information needed to
* be passed on
*/
public AppraisalStatus(final Status appStatus, final String message,
final String additionalInfo) {
this.appStatus = appStatus;
this.message = message;
this.additionalInfo = additionalInfo;
}
/**
* Enum used to represent appraisal status.
*/
@ -33,31 +62,4 @@ public class AppraisalStatus {
*/
UNKNOWN
}
private Status appStatus;
private String message;
private String additionalInfo;
/**
* Default constructor. Set appraisal status and description.
* @param appStatus status of appraisal
* @param message description of result
*/
public AppraisalStatus(final Status appStatus, final String message) {
this(appStatus, message, "");
}
/**
* Default constructor. Set appraisal status and description.
* @param appStatus status of appraisal
* @param message description of result
* @param additionalInfo any additional information needed to
* be passed on
*/
public AppraisalStatus(final Status appStatus, final String message,
final String additionalInfo) {
this.appStatus = appStatus;
this.message = message;
this.additionalInfo = additionalInfo;
}
}

19
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/enums/HealthStatus.java
View File

@ -22,18 +22,24 @@ public enum HealthStatus {
*/
UNKNOWN("unknown");
private String healthStatus;
private final String healthStatus;
/**
* Creates a new <code>HealthStatus</code> object given a String.
*
* @param healthStatus
* "trusted", "untrusted", or "unknown"
* @param healthStatus "trusted", "untrusted", or "unknown"
*/
HealthStatus(final String healthStatus) {
this.healthStatus = healthStatus;
}
public static boolean isValidStatus(final String healthStatus) {
return Arrays.stream(HealthStatus.values())
.map(HealthStatus::name)
.collect(Collectors.toSet())
.contains(healthStatus);
}
/**
* Returns the health status.
*
@ -47,11 +53,4 @@ public enum HealthStatus {
public String toString() {
return getStatus();
}
public static boolean isValidStatus(final String healthStatus) {
return Arrays.stream(HealthStatus.values())
.map(HealthStatus::name)
.collect(Collectors.toSet())
.contains(healthStatus);
}
}

66
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java
View File

@ -54,8 +54,9 @@ public class AbstractProcessor {
/**
* Default constructor that sets main class fields.
*
* @param privateKey private key used for communication authentication
* @param validDays property value to set for issued certificates
* @param validDays property value to set for issued certificates
*/
public AbstractProcessor(final PrivateKey privateKey,
final int validDays) {
@ -66,17 +67,18 @@ public class AbstractProcessor {
/**
* Generates a credential using the specified public key.
*
* @param publicKey cannot be null
* @param publicKey cannot be null
* @param endorsementCredential the endorsement credential
* @param platformCredentials the set of platform credentials
* @param deviceName The host name used in the subject alternative name
* @param acaCertificate object used to create credential
* @param platformCredentials the set of platform credentials
* @param deviceName The host name used in the subject alternative name
* @param acaCertificate object used to create credential
* @return identity credential
*/
protected X509Certificate generateCredential(final PublicKey publicKey,
final EndorsementCredential endorsementCredential,
final List<PlatformCredential> platformCredentials,
final String deviceName, final X509Certificate acaCertificate) {
final EndorsementCredential endorsementCredential,
final List<PlatformCredential> platformCredentials,
final String deviceName,
final X509Certificate acaCertificate) {
try {
// have the certificate expire in the configured number of days
Calendar expiry = Calendar.getInstance();
@ -132,8 +134,8 @@ public class AbstractProcessor {
* IdentityClaim. Will also check if the Endorsement Credential was already uploaded.
* Persists the Endorsement Credential if it does not already exist.
*
* @param identityClaim a Protobuf generated Identity Claim object
* @param ekPub the endorsement public key from the Identity Claim object
* @param identityClaim a Protobuf generated Identity Claim object
* @param ekPub the endorsement public key from the Identity Claim object
* @param certificateRepository db connector from certificates
* @return the Endorsement Credential, if one exists, null otherwise
*/
@ -162,7 +164,7 @@ public class AbstractProcessor {
* IdentityClaim and Endorsement Credential. Persists the Platform Credentials if they
* do not already exist.
*
* @param identityClaim a Protobuf generated Identity Claim object
* @param identityClaim a Protobuf generated Identity Claim object
* @param endorsementCredential an endorsement credential to check if platform credentials
* exist
* @param certificateRepository db connector from certificates
@ -193,7 +195,8 @@ public class AbstractProcessor {
/**
* Gets the Endorsement Credential from the DB given the EK public key.
* @param ekPublicKey the EK public key
*
* @param ekPublicKey the EK public key
* @param certificateRepository db store manager for certificates
* @return the Endorsement credential, if found, otherwise null
*/
@ -229,22 +232,22 @@ public class AbstractProcessor {
* Helper method to create an {@link IssuedAttestationCertificate} object, set its
* corresponding device and persist it.
*
* @param certificateRepository db store manager for certificates
* @param certificateRepository db store manager for certificates
* @param derEncodedAttestationCertificate the byte array representing the Attestation
* certificate
* @param endorsementCredential the endorsement credential used to generate the AC
* @param platformCredentials the platform credentials used to generate the AC
* @param device the device to which the attestation certificate is tied
* @param isLDevID whether the certificate is a ldevid
* @param endorsementCredential the endorsement credential used to generate the AC
* @param platformCredentials the platform credentials used to generate the AC
* @param device the device to which the attestation certificate is tied
* @param isLDevID whether the certificate is a ldevid
* @return whether the certificate was saved successfully
* @throws {@link CertificateProcessingException} if error occurs in persisting the Attestation
* Certificate
* Certificate
*/
public boolean saveAttestationCertificate(final CertificateRepository certificateRepository,
final byte[] derEncodedAttestationCertificate,
final EndorsementCredential endorsementCredential,
final List<PlatformCredential> platformCredentials,
final Device device, boolean isLDevID) {
final byte[] derEncodedAttestationCertificate,
final EndorsementCredential endorsementCredential,
final List<PlatformCredential> platformCredentials,
final Device device, boolean isLDevID) {
List<IssuedAttestationCertificate> issuedAc;
boolean generateCertificate = true;
PolicyRepository scp = getPolicyRepository();
@ -260,23 +263,22 @@ public class AbstractProcessor {
policySettings = scp.findByName("Default");
Sort sortCriteria = Sort.by(Sort.Direction.DESC, "endValidity");
issuedAc = certificateRepository.findByDeviceIdAndIsLDevID(device.getId(), isLDevID, sortCriteria);
issuedAc = certificateRepository.findByDeviceIdAndIsLDevID(device.getId(), isLDevID,
sortCriteria);
generateCertificate = isLDevID ? policySettings.isIssueDevIdCertificate()
: policySettings.isIssueAttestationCertificate();
if (issuedAc != null && issuedAc.size() > 0 && (isLDevID ? policySettings.isDevIdExpirationFlag()
: policySettings.isGenerateOnExpiration())) {
if (issuedAc != null && issuedAc.size() > 0 &&
(isLDevID ? policySettings.isDevIdExpirationFlag()
: policySettings.isGenerateOnExpiration())) {
if (issuedAc.get(0).getEndValidity().after(currentDate)) {
// so the issued AC is not expired
// however are we within the threshold
days = ProvisionUtils.daysBetween(currentDate, issuedAc.get(0).getEndValidity());
if (days < Integer.parseInt(isLDevID ? policySettings.getDevIdReissueThreshold()
: policySettings.getReissueThreshold())) {
generateCertificate = true;
} else {
generateCertificate = false;
}
generateCertificate =
days < Integer.parseInt(isLDevID ? policySettings.getDevIdReissueThreshold()
: policySettings.getReissueThreshold());
}
}
}
@ -297,7 +299,7 @@ public class AbstractProcessor {
}
private List<PlatformCredential> getPlatformCredentials(final CertificateRepository certificateRepository,
final EndorsementCredential ec) {
final EndorsementCredential ec) {
List<PlatformCredential> credentials = null;
if (ec == null) {

41
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/CertificateRequestProcessor.java
View File

@ -30,22 +30,23 @@ import java.util.List;
@Log4j2
public class CertificateRequestProcessor extends AbstractProcessor {
private SupplyChainValidationService supplyChainValidationService;
private CertificateRepository certificateRepository;
private DeviceRepository deviceRepository;
private X509Certificate acaCertificate;
private TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository;
private final SupplyChainValidationService supplyChainValidationService;
private final CertificateRepository certificateRepository;
private final DeviceRepository deviceRepository;
private final X509Certificate acaCertificate;
private final TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository;
/**
* Constructor.
* @param supplyChainValidationService object that is used to run provisioning
* @param certificateRepository db connector for all certificates.
* @param deviceRepository database connector for Devices.
* @param privateKey private key used for communication authentication
* @param acaCertificate object used to create credential
* @param validDays int for the time in which a certificate is valid.
*
* @param supplyChainValidationService object that is used to run provisioning
* @param certificateRepository db connector for all certificates.
* @param deviceRepository database connector for Devices.
* @param privateKey private key used for communication authentication
* @param acaCertificate object used to create credential
* @param validDays int for the time in which a certificate is valid.
* @param tpm2ProvisionerStateRepository db connector for provisioner state.
* @param policyRepository db connector for policies.
* @param policyRepository db connector for policies.
*/
public CertificateRequestProcessor(final SupplyChainValidationService supplyChainValidationService,
final CertificateRepository certificateRepository,
@ -170,10 +171,12 @@ public class CertificateRequestProcessor extends AbstractProcessor {
ByteString ldevidCertificateBytes = ByteString
.copyFrom(derEncodedLdevidCertificate);
boolean generateAtt = saveAttestationCertificate(certificateRepository, derEncodedAttestationCertificate,
boolean generateAtt = saveAttestationCertificate(certificateRepository,
derEncodedAttestationCertificate,
endorsementCredential, platformCredentials, device, false);
boolean generateLDevID = saveAttestationCertificate(certificateRepository, derEncodedLdevidCertificate,
endorsementCredential, platformCredentials, device, true);
boolean generateLDevID =
saveAttestationCertificate(certificateRepository, derEncodedLdevidCertificate,
endorsementCredential, platformCredentials, device, true);
ProvisionerTpm2.CertificateResponse.Builder builder = ProvisionerTpm2.CertificateResponse.
newBuilder().setStatus(ProvisionerTpm2.ResponseStatus.PASS);
@ -186,8 +189,7 @@ public class CertificateRequestProcessor extends AbstractProcessor {
ProvisionerTpm2.CertificateResponse response = builder.build();
return response.toByteArray();
}
else {
} else {
byte[] derEncodedAttestationCertificate = ProvisionUtils.getDerEncodedCertificate(
attestationCertificate);
@ -200,7 +202,8 @@ public class CertificateRequestProcessor extends AbstractProcessor {
ProvisionerTpm2.CertificateResponse.Builder builder = ProvisionerTpm2.CertificateResponse.
newBuilder().setStatus(ProvisionerTpm2.ResponseStatus.PASS);
boolean generateAtt = saveAttestationCertificate(certificateRepository, derEncodedAttestationCertificate,
boolean generateAtt = saveAttestationCertificate(certificateRepository,
derEncodedAttestationCertificate,
endorsementCredential, platformCredentials, device, false);
if (generateAtt) {
builder = builder.setCertificate(certificateBytes);
@ -221,7 +224,7 @@ public class CertificateRequestProcessor extends AbstractProcessor {
}
} else {
log.error("Could not process credential request. Invalid nonce provided: "
+ request.getNonce().toString());
+ request.getNonce());
throw new CertificateProcessingException("Invalid nonce given in request by client.");
}
}

14
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/helper/CredentialManagementHelper.java
View File

@ -22,9 +22,10 @@ public final class CredentialManagementHelper {
/**
* Parses and stores the EK in the cert manager. If the cert is already present and archived,
* it is unarchived.
*
* @param certificateRepository the certificate manager used for storage
* @param endorsementBytes the raw EK bytes used for parsing
* @param deviceName the host name
* @param endorsementBytes the raw EK bytes used for parsing
* @param deviceName the host name
* @return the parsed, valid EK
* @throws IllegalArgumentException if the provided bytes are not a valid EK.
*/
@ -63,7 +64,7 @@ public final class CredentialManagementHelper {
if (existingCredential == null) {
log.info("No Endorsement Credential found with hash: " + certificateHash);
endorsementCredential.setDeviceName(deviceName);
return (EndorsementCredential) certificateRepository.save(endorsementCredential);
return certificateRepository.save(endorsementCredential);
} else if (existingCredential.isArchived()) {
// if the EK is stored in the DB and it's archived, unarchive.
log.info("Unarchiving credential");
@ -77,9 +78,10 @@ public final class CredentialManagementHelper {
/**
* Parses and stores the PC in the cert manager. If the cert is already present and archived,
* it is unarchived.
*
* @param certificateRepository the certificate manager used for storage
* @param platformBytes the raw PC bytes used for parsing
* @param deviceName the host name of the associated machine
* @param platformBytes the raw PC bytes used for parsing
* @param deviceName the host name of the associated machine
* @return the parsed, valid PC, or null if the provided bytes are not a valid EK.
*/
public static PlatformCredential storePlatformCredential(
@ -129,7 +131,7 @@ public final class CredentialManagementHelper {
}
}
platformCredential.setDeviceName(deviceName);
return (PlatformCredential) certificateRepository.save(platformCredential);
return certificateRepository.save(platformCredential);
} else if (existingCredential.isArchived()) {
// if the PC is stored in the DB and it's archived, unarchive.
log.info("Unarchiving credential");

22
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/helper/IssuedCertificateAttributeHelper.java
View File

@ -12,6 +12,7 @@ import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x509.AttributeCertificateInfo;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
@ -21,7 +22,6 @@ import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.GeneralNamesBuilder;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.TBSCertificate;
import org.bouncycastle.asn1.x509.AttributeCertificateInfo;
import java.io.IOException;
import java.security.cert.CertificateEncodingException;
@ -35,17 +35,16 @@ import java.util.Collection;
@Log4j2
public final class IssuedCertificateAttributeHelper {
/**
* The extended key usage extension.
*/
public static final Extension EXTENDED_KEY_USAGE_EXTENSION;
private static final String TPM_ID_LABEL_OID = "2.23.133.2.15";
/**
* Object Identifier TCPA at TPM ID Label.
*/
public static final ASN1ObjectIdentifier TCPA_AT_TPM_ID_LABEL =
new ASN1ObjectIdentifier(TPM_ID_LABEL_OID);
/**
* The extended key usage extension.
*/
public static final Extension EXTENDED_KEY_USAGE_EXTENSION;
private static final ASN1ObjectIdentifier TCG_KP_AIK_CERTIFICATE_ATTRIBUTE =
new ASN1ObjectIdentifier("2.23.133.8.3");
@ -69,6 +68,7 @@ public final class IssuedCertificateAttributeHelper {
/**
* This method builds the AKI extension that will be stored in the generated
* Attestation Issued Certificate.
*
* @param endorsementCredential EK object to pull AKI from.
* @return the AKI extension.
* @throws IOException on bad get instance for AKI.
@ -93,11 +93,12 @@ public final class IssuedCertificateAttributeHelper {
/**
* Builds the subject alternative name based on the supplied certificates.
*
* @param endorsementCredential the endorsement credential
* @param platformCredentials the platform credentials
* @param hostName the host name
* @param platformCredentials the platform credentials
* @param hostName the host name
* @return the subject alternative name extension
* @throws IOException an IO exception occurs building the extension
* @throws IOException an IO exception occurs building the extension
* @throws IllegalArgumentException if the host name is null
*/
public static Extension buildSubjectAlternativeNameFromCerts(
@ -178,14 +179,11 @@ public final class IssuedCertificateAttributeHelper {
populateRdnAttributesInNameBuilder(nameBuilder, rdns);
} else {
log.error("No RDNs in endorsement credential attributes");
return;
}
} catch (CertificateEncodingException e) {
log.error("Certificate encoding exception", e);
return;
} catch (IOException e) {
log.error("Error creating x509 cert from endorsement credential", e);
return;
}
}

101
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/helper/ProvisionUtils.java
View File

@ -3,7 +3,6 @@ package hirs.attestationca.persist.provision.helper;
import com.google.protobuf.ByteString;
import com.google.protobuf.InvalidProtocolBufferException;
import hirs.attestationca.configuration.provisionerTpm2.ProvisionerTpm2;
import hirs.attestationca.persist.entity.userdefined.info.TPMInfo;
import hirs.attestationca.persist.exceptions.CertificateProcessingException;
import hirs.attestationca.persist.exceptions.IdentityProcessingException;
import hirs.attestationca.persist.exceptions.UnexpectedServerException;
@ -14,7 +13,6 @@ import hirs.structs.elements.tpm.IdentityRequest;
import hirs.structs.elements.tpm.SymmetricKey;
import hirs.structs.elements.tpm.SymmetricKeyParams;
import hirs.utils.HexUtils;
import hirs.utils.enums.DeviceInfoEnums;
import lombok.extern.log4j.Log4j2;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.lang3.ArrayUtils;
@ -54,16 +52,16 @@ public final class ProvisionUtils {
* The default size for IV blocks.
*/
public final static int DEFAULT_IV_SIZE = 16;
/**
* Defines the well known exponent.
* https://en.wikipedia.org/wiki/65537_(number)#Applications
*/
private final static BigInteger EXPONENT = new BigInteger("010001", DEFAULT_IV_SIZE);
public static final int HMAC_SIZE_LENGTH_BYTES = 2;
public static final int HMAC_KEY_LENGTH_BYTES = 32;
public static final int SEED_LENGTH = 32;
public static final int MAX_SECRET_LENGTH = 32;
public static final int AES_KEY_LENGTH_BYTES = 16;
/**
* Defines the well known exponent.
* https://en.wikipedia.org/wiki/65537_(number)#Applications
*/
private final static BigInteger EXPONENT = new BigInteger("010001", DEFAULT_IV_SIZE);
private static final int TPM2_CREDENTIAL_BLOB_SIZE = 392;
private static final int RSA_MODULUS_LENGTH = 256;
// Constants used to parse out the ak name from the ak public data. Used in generateAkName
@ -77,8 +75,8 @@ public final class ProvisionUtils {
*
* @param identityClaim byte array that should be converted to a Protobuf IdentityClaim
* object
* @throws {@link IdentityProcessingException} if byte array could not be parsed
* @return the Protobuf generated Identity Claim object
* @throws {@link IdentityProcessingException} if byte array could not be parsed
*/
public static ProvisionerTpm2.IdentityClaim parseIdentityClaim(final byte[] identityClaim) {
try {
@ -93,8 +91,8 @@ public final class ProvisionUtils {
* Helper method to extract a DER encoded ASN.1 certificate from an X509 certificate.
*
* @param certificate the X509 certificate to be converted to DER encoding
* @throws {@link UnexpectedServerException} if error occurs during encoding retrieval
* @return the byte array representing the DER encoded certificate
* @throws {@link UnexpectedServerException} if error occurs during encoding retrieval
*/
public static byte[] getDerEncodedCertificate(final X509Certificate certificate) {
try {
@ -109,6 +107,7 @@ public final class ProvisionUtils {
/**
* Parse public key from public data segment generated by TPM 2.0.
*
* @param publicArea the public area segment to parse
* @return the RSA public key of the supplied public data
*/
@ -128,8 +127,7 @@ public final class ProvisionUtils {
/**
* Constructs a public key where the modulus is in raw form.
*
* @param modulus
* in byte array form
* @param modulus in byte array form
* @return public key using specific modulus and the well known exponent
*/
public static PublicKey assemblePublicKey(final byte[] modulus) {
@ -139,8 +137,7 @@ public final class ProvisionUtils {
/**
* Constructs a public key where the modulus is Hex encoded.
*
* @param modulus
* hex encoded modulus
* @param modulus hex encoded modulus
* @return public key using specific modulus and the well known exponent
*/
public static PublicKey assemblePublicKey(final String modulus) {
@ -169,8 +166,8 @@ public final class ProvisionUtils {
* {@link hirs.structs.elements.tpm.IdentityRequest} using the cipher transformation.
*
* @param asymmetricBlob to be decrypted
* @param scheme to decrypt with
* @param privateKey cipher private key
* @param scheme to decrypt with
* @param privateKey cipher private key
* @return decrypted blob
*/
public static byte[] decryptAsymmetricBlob(final byte[] asymmetricBlob,
@ -197,8 +194,8 @@ public final class ProvisionUtils {
return cipher.doFinal();
} catch (NoSuchPaddingException | NoSuchAlgorithmException | InvalidKeyException
| BadPaddingException | IllegalBlockSizeException
| InvalidAlgorithmParameterException e) {
| BadPaddingException | IllegalBlockSizeException
| InvalidAlgorithmParameterException e) {
throw new IdentityProcessingException(
"Encountered error while decrypting asymmetric blob of an identity request: "
+ e.getMessage(), e);
@ -210,14 +207,14 @@ public final class ProvisionUtils {
* {@link hirs.structs.elements.tpm.IdentityRequest} using the specified symmetric key
* and cipher transformation.
*
* @param symmetricBlob to be decrypted
* @param symmetricKey to use to decrypt
* @param iv to use with decryption cipher
* @param symmetricBlob to be decrypted
* @param symmetricKey to use to decrypt
* @param iv to use with decryption cipher
* @param transformation of the cipher
* @return decrypted symmetric blob
*/
public static byte[] decryptSymmetricBlob(final byte[] symmetricBlob, final byte[] symmetricKey,
final byte[] iv, final String transformation) {
final byte[] iv, final String transformation) {
try {
// create a cipher from the specified transformation
Cipher cipher = Cipher.getInstance(transformation);
@ -231,8 +228,8 @@ public final class ProvisionUtils {
// decrypt the symmetric blob
return cipher.doFinal(symmetricBlob);
} catch (IllegalBlockSizeException | InvalidKeyException | NoSuchAlgorithmException
| BadPaddingException | NoSuchPaddingException
| InvalidAlgorithmParameterException exception) {
| BadPaddingException | NoSuchPaddingException
| InvalidAlgorithmParameterException exception) {
log.error("Encountered error while decrypting symmetric blob of an identity request: "
+ exception.getMessage(), exception);
}
@ -261,16 +258,16 @@ public final class ProvisionUtils {
* key to generate an HMAC to cover the encrypted secret and the ak name. The output is an
* encrypted blob that acts as the first part of a challenge-response authentication mechanism
* to validate an identity claim.
*
* <p>
* Equivalent to calling tpm2_makecredential using tpm2_tools.
*
* @param ek endorsement key in the identity claim
* @param ak attestation key in the identity claim
* @param ek endorsement key in the identity claim
* @param ak attestation key in the identity claim
* @param secret a nonce
* @return the encrypted blob forming the identity claim challenge
*/
public static ByteString tpm20MakeCredential(final RSAPublicKey ek, final RSAPublicKey ak,
final byte[] secret) {
final byte[] secret) {
// check size of the secret
if (secret.length > MAX_SECRET_LENGTH) {
throw new IllegalArgumentException("Secret must be " + MAX_SECRET_LENGTH
@ -284,7 +281,8 @@ public final class ProvisionUtils {
// encrypt seed with pubEk
Cipher asymCipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
OAEPParameterSpec oaepSpec = new OAEPParameterSpec("SHA-256", "MGF1",
MGF1ParameterSpec.SHA256, new PSource.PSpecified("IDENTITY\0".getBytes(StandardCharsets.UTF_8)));
MGF1ParameterSpec.SHA256,
new PSource.PSpecified("IDENTITY\0".getBytes(StandardCharsets.UTF_8)));
asymCipher.init(Cipher.PUBLIC_KEY, ek, oaepSpec);
asymCipher.update(seed);
byte[] encSeed = asymCipher.doFinal();
@ -339,8 +337,8 @@ public final class ProvisionUtils {
return ByteString.copyFrom(bytesToReturn);
} catch (BadPaddingException | IllegalBlockSizeException | NoSuchAlgorithmException
| InvalidKeyException | InvalidAlgorithmParameterException
| NoSuchPaddingException e) {
| InvalidKeyException | InvalidAlgorithmParameterException
| NoSuchPaddingException e) {
throw new IdentityProcessingException(
"Encountered error while making the identity claim challenge: "
+ e.getMessage(), e);
@ -351,13 +349,13 @@ public final class ProvisionUtils {
* Generate asymmetric contents part of the identity response.
*
* @param identityKey identity requests symmetric contents, otherwise, the identity proof
* @param sessionKey identity response session key
* @param publicKey of the EK certificate contained within the identity proof
* @param sessionKey identity response session key
* @param publicKey of the EK certificate contained within the identity proof
* @return encrypted asymmetric contents
*/
public static byte[] generateAsymmetricContents(final byte[] identityKey,
final byte[] sessionKey,
final PublicKey publicKey) {
final byte[] sessionKey,
final PublicKey publicKey) {
try {
// create a SHA1 digest of the identity key
MessageDigest md = MessageDigest.getInstance("SHA-1");
@ -382,8 +380,8 @@ public final class ProvisionUtils {
return cipher.doFinal(asymmetricContents);
} catch (NoSuchAlgorithmException | IllegalBlockSizeException | NoSuchPaddingException
| InvalidKeyException | BadPaddingException
| InvalidAlgorithmParameterException e) {
| InvalidKeyException | BadPaddingException
| InvalidAlgorithmParameterException e) {
throw new CertificateProcessingException(
"Encountered error while generating ACA session key: " + e.getMessage(), e);
}
@ -421,12 +419,12 @@ public final class ProvisionUtils {
/**
* Generate the Identity Response using the identity credential and the session key.
*
* @param credential the identity credential
* @param credential the identity credential
* @param symmetricKey generated session key for this request/response chain
* @return identity response for an identity request
*/
public static SymmetricAttestation generateAttestation(final X509Certificate credential,
final SymmetricKey symmetricKey) {
final SymmetricKey symmetricKey) {
try {
// initialize the symmetric cipher
Cipher aesCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
@ -463,8 +461,8 @@ public final class ProvisionUtils {
return attestation;
} catch (BadPaddingException | IllegalBlockSizeException | NoSuchAlgorithmException
| InvalidKeyException | InvalidAlgorithmParameterException | NoSuchPaddingException
| CertificateEncodingException exception) {
| InvalidKeyException | InvalidAlgorithmParameterException | NoSuchPaddingException
| CertificateEncodingException exception) {
throw new CertificateProcessingException(
"Encountered error while generating Identity Response: "
+ exception.getMessage(), exception);
@ -473,8 +471,8 @@ public final class ProvisionUtils {
@SuppressWarnings("magicnumber")
public static byte[] assembleCredential(final byte[] topSize, final byte[] integrityHmac,
final byte[] encryptedSecret,
final byte[] encryptedSeed) {
final byte[] encryptedSecret,
final byte[] encryptedSeed) {
/*
* Credential structure breakdown with endianness:
* 0-1 topSize (2), LE
@ -503,6 +501,7 @@ public final class ProvisionUtils {
/**
* Determines the AK name from the AK Modulus.
*
* @param akModulus modulus of an attestation key
* @return the ak name byte array
* @throws java.security.NoSuchAlgorithmException Underlying SHA256 method used a bad algorithm
@ -526,24 +525,24 @@ public final class ProvisionUtils {
* multiple contexts are not supported in this implementation. This should work for all uses of
* the KDF for TPM2_MakeCredential.
*
* @param seed random value used to generate the key
* @param label first portion of message used to generate key
* @param context second portion of message used to generate key
* @param seed random value used to generate the key
* @param label first portion of message used to generate key
* @param context second portion of message used to generate key
* @param sizeInBytes size of key to generate in bytes
* @return the derived key
* @throws NoSuchAlgorithmException Wrong crypto algorithm selected
* @throws NoSuchAlgorithmException Wrong crypto algorithm selected
* @throws java.security.InvalidKeyException Invalid key used
*/
@SuppressWarnings("magicnumber")
public static byte[] cryptKDFa(final byte[] seed, final String label, final byte[] context,
final int sizeInBytes)
final int sizeInBytes)
throws NoSuchAlgorithmException, InvalidKeyException {
ByteBuffer b = ByteBuffer.allocate(4);
b.putInt(1);
byte[] counter = b.array();
// get the label
String labelWithEnding = label;
if (label.charAt(label.length() - 1) != "\0".charAt(0)) {
if (label.charAt(label.length() - 1) != '\u0000') {
labelWithEnding = label + "\0";
}
byte[] labelBytes = labelWithEnding.getBytes(StandardCharsets.UTF_8);
@ -580,6 +579,7 @@ public final class ProvisionUtils {
/**
* This method takes the provided TPM Quote and splits it between the PCR
* quote and the signature hash.
*
* @param tpmQuote contains hash values for the quote and the signature
*/
public static String parseTPMQuoteHash(final String tpmQuote) {
@ -598,6 +598,7 @@ public final class ProvisionUtils {
/**
* This method takes the provided TPM Quote and splits it between the PCR
* quote and the signature hash.
*
* @param tpmQuote contains hash values for the quote and the signature
*/
public static String parseTPMQuoteSignature(final String tpmQuote) {
@ -612,6 +613,7 @@ public final class ProvisionUtils {
/**
* Computes the sha256 hash of the given blob.
*
* @param blob byte array to take the hash of
* @return sha256 hash of blob
* @throws NoSuchAlgorithmException improper algorithm selected
@ -625,8 +627,7 @@ public final class ProvisionUtils {
/**
* Generates a array of random bytes.
*
* @param numberOfBytes
* to be generated
* @param numberOfBytes to be generated
* @return byte array filled with the specified number of bytes.
*/
public static byte[] generateRandomBytes(final int numberOfBytes) {

6
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/ValidationService.java
View File

@ -18,7 +18,6 @@ import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredent
import hirs.attestationca.persist.entity.userdefined.info.ComponentInfo;
import hirs.attestationca.persist.entity.userdefined.report.DeviceInfoReport;
import hirs.attestationca.persist.enums.AppraisalStatus;
import hirs.attestationca.persist.validation.CertificateAttributeScvValidator;
import hirs.attestationca.persist.validation.CredentialValidator;
import hirs.attestationca.persist.validation.FirmwareScvValidator;
import hirs.utils.BouncyCastleUtils;
@ -258,7 +257,7 @@ public class ValidationService {
* include the trust chain if it exists in this class' CertificateManager.
* Returns the certificate authority credentials in a KeyStore.
*
* @param certificate the credential whose CA chain should be retrieved
* @param certificate the credential whose CA chain should be retrieved
* @param caCredentialRepository db service to get CA Certs
* @return A keystore containing all relevant CA credentials to the given
* certificate's organization or null if the keystore can't be assembled
@ -318,7 +317,8 @@ public class ValidationService {
certAuthsWithMatchingIssuer = caCredentialRepository.findBySubject(credential.getIssuer());
} else {
//Get certificates by subject organization
certAuthsWithMatchingIssuer = caCredentialRepository.findBySubjectSorted(credential.getIssuerSorted());
certAuthsWithMatchingIssuer =
caCredentialRepository.findBySubjectSorted(credential.getIssuerSorted());
}
} else {
certAuthsWithMatchingIssuer.add(skiCA);

27
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/selector/CertificateSelector.java
View File

@ -24,7 +24,7 @@ import java.util.UUID;
* This class is used to select one or many certificates in conjunction
* with a {@link }. To make use of this object,
* use (some CertificateImpl).select(CertificateManager).
*
* <p>
* This class loosely follows the builder pattern. It is instantiated with
* the type of certificate that should be retrieved. It is possible to
* further specify which certificate(s) should be retrieved by using an
@ -32,10 +32,10 @@ import java.util.UUID;
* restrict the result set. At any time, the results may be retrieved
* by using one of the get* methods according to the form the
* results should be in.
*
* <p>
* If no matching certificates were found for the query, the returned
* value may empty or null, depending on the return type.
*
* <p>
* For example, to retrieve all platform certificates:
*
* <pre>
@ -45,7 +45,7 @@ import java.util.UUID;
* .getCertificates();
* }
* </pre>
*
* <p>
* To retrieve all CA certificates in a KeyStore:
*
* <pre>
@ -55,7 +55,7 @@ import java.util.UUID;
* .getKeyStore();
* }
* </pre>
*
* <p>
* To retrieve all CA certificates matching a certain issuer in X509 format:
*
* <pre>
@ -91,7 +91,7 @@ public abstract class CertificateSelector<T extends Certificate> {
* Construct a new CertificateSelector that will use the given {@link } to
* retrieve certificates of the given type.
*
* @param certificateClass the class of certificate to be retrieved
* @param certificateClass the class of certificate to be retrieved
* @param excludeArchivedCertificates true if excluding archived certificates
*/
public CertificateSelector(
@ -105,6 +105,7 @@ public abstract class CertificateSelector<T extends Certificate> {
this.fieldValueSelections = new HashMap<>();
this.excludeArchivedCertificates = excludeArchivedCertificates;
}
/**
* Specify the entity id that certificates must have to be considered
* as matching.
@ -249,6 +250,7 @@ public abstract class CertificateSelector<T extends Certificate> {
/**
* Specify the authority key identifier to find certificate(s).
*
* @param authorityKeyIdentifier the string of the AKI associated with the certificate.
* @return this instance
*/
@ -289,7 +291,7 @@ public abstract class CertificateSelector<T extends Certificate> {
/**
* Set a field name and value to match.
*
* @param name the field name to query
* @param name the field name to query
* @param value the value to query
*/
protected void setFieldValue(final String name, final Object value) {
@ -307,8 +309,7 @@ public abstract class CertificateSelector<T extends Certificate> {
);
}
if (value instanceof byte[]) {
byte[] valueBytes = (byte[]) value;
if (value instanceof byte[] valueBytes) {
Preconditions.checkArgument(
ArrayUtils.isNotEmpty(valueBytes),
@ -329,7 +330,7 @@ public abstract class CertificateSelector<T extends Certificate> {
*
* @return a KeyStore populated with the matching certificates, if any
* @throws KeyStoreException if there is a problem instantiating a JKS-formatted KeyStore
* @throws IOException if there is a problem populating the keystore
* @throws IOException if there is a problem populating the keystore
*/
public KeyStore getKeyStore() throws KeyStoreException, IOException {
KeyStore keyStore = KeyStore.getInstance("JKS");
@ -350,7 +351,7 @@ public abstract class CertificateSelector<T extends Certificate> {
* of this {@link CertificateSelector}.
*
* @return a Criterion that can be used to query for certificates matching the configuration of
* this instance
* this instance
*/
Predicate[] getCriterion(final CriteriaBuilder criteriaBuilder) {
Predicate[] predicates = new Predicate[fieldValueSelections.size()];
@ -359,7 +360,8 @@ public abstract class CertificateSelector<T extends Certificate> {
int i = 0;
for (Map.Entry<String, Object> fieldValueEntry : fieldValueSelections.entrySet()) {
predicates[i++] = criteriaBuilder.equal(root.get(fieldValueEntry.getKey()), fieldValueEntry.getValue());
predicates[i++] =
criteriaBuilder.equal(root.get(fieldValueEntry.getKey()), fieldValueEntry.getValue());
}
if (this.excludeArchivedCertificates) {
@ -378,6 +380,7 @@ public abstract class CertificateSelector<T extends Certificate> {
/**
* Configures the selector to query for archived and unarchived certificates.
*
* @return the selector
*/
public CertificateSelector<T> includeArchived() {

14
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/selector/ReferenceManifestSelector.java
View File

@ -12,9 +12,7 @@ import org.apache.commons.lang3.StringUtils;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
/**
@ -60,7 +58,7 @@ public abstract class ReferenceManifestSelector<T extends ReferenceManifest> {
/**
* Standard Constructor for the Selector.
*
* @param referenceTypeClass the type of Reference Manifest to process.
* @param referenceTypeClass the type of Reference Manifest to process.
* @param excludeArchivedRims true if excluding archived RIMs
*/
public ReferenceManifestSelector(final Class<T> referenceTypeClass,
@ -88,6 +86,7 @@ public abstract class ReferenceManifestSelector<T extends ReferenceManifest> {
/**
* Specify the file name of the object to grab.
*
* @param fileName the name of the file associated with the rim
* @return instance of the manifest in relation to the filename.
*/
@ -98,6 +97,7 @@ public abstract class ReferenceManifestSelector<T extends ReferenceManifest> {
/**
* Specify the RIM Type to match.
*
* @param rimType the type of rim
* @return this instance
*/
@ -109,7 +109,7 @@ public abstract class ReferenceManifestSelector<T extends ReferenceManifest> {
/**
* Set a field name and value to match.
*
* @param name the field name to query
* @param name the field name to query
* @param value the value to query
*/
protected void setFieldValue(final String name, final Object value) {
@ -127,8 +127,7 @@ public abstract class ReferenceManifestSelector<T extends ReferenceManifest> {
);
}
if (value instanceof byte[]) {
byte[] valueBytes = (byte[]) value;
if (value instanceof byte[] valueBytes) {
Preconditions.checkArgument(
ArrayUtils.isNotEmpty(valueBytes),
@ -155,7 +154,8 @@ public abstract class ReferenceManifestSelector<T extends ReferenceManifest> {
int i = 0;
for (Map.Entry<String, Object> fieldValueEntry : fieldValueSelections.entrySet()) {
predicates[i++] = criteriaBuilder.equal(root.get(fieldValueEntry.getKey()), fieldValueEntry.getValue());
predicates[i++] =
criteriaBuilder.equal(root.get(fieldValueEntry.getKey()), fieldValueEntry.getValue());
}
if (this.excludeArchivedRims) {

19
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/tpm/PcrComposite.java
View File

@ -25,13 +25,13 @@ import java.util.List;
* was removed. This change was not TCG-compliant, as the auto-generated code
* would produce something like:
* <p>&nbsp;
* <pre>
* <pre>
* &lt;PcrValue PcrNumber="0"&gt;06fl7EXo34MWxuLq9kcXI9la9NA=&lt;/ns3:PcrValue&gt;
* </pre>
* <p>
* but using TPMMeasurementRecords result in something like:
* but using TPMMeasurementRecords result in something like:
* <p>&nbsp;
* <pre>
* <pre>
* &lt;PcrValue PcrNumber="2"&gt;
* &lt;hash&gt;
* &lt;digest&gt;AAECAwQFBgcICQoLDA0ODxAREhM=&lt;/digest&gt;
@ -39,14 +39,13 @@ import java.util.List;
* &lt;/hash&gt;
* &lt;/PcrValue&gt;
* </pre>
*
*/
@Log4j2
@XmlAccessorType(XmlAccessType.FIELD)
@XmlType(name = "PcrComposite",
namespace = "http://www.trustedcomputinggroup.org/XML/SCHEMA/"
+ "Integrity_Report_v1_0#", propOrder = {"pcrSelection",
"valueSize", "pcrValueList" })
"valueSize", "pcrValueList"})
@Embeddable
public class PcrComposite {
@ -69,11 +68,9 @@ public class PcrComposite {
/**
* Constructor used to create a PcrComposite object.
*
* @param pcrSelection
* {@link PcrSelection } object, identifies which TPM PCRs are
* quoted
* @param pcrValueList
* List of TPMMeasurementRecords representing the PCR values
* @param pcrSelection {@link PcrSelection } object, identifies which TPM PCRs are
* quoted
* @param pcrValueList List of TPMMeasurementRecords representing the PCR values
*/
public PcrComposite(final PcrSelection pcrSelection,
final List<TPMMeasurementRecord> pcrValueList) {
@ -90,13 +87,11 @@ public class PcrComposite {
}
/**
* Gets the value of the valueSize property, the length in bytes of the
* array of PcrValue complex types.
*
* @return int value representing the valueSize
*
*/
@XmlElement(name = "ValueSize", required = true)
public final int getValueSize() {

23
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/tpm/PcrInfoShort.java
View File

@ -39,7 +39,7 @@ import java.util.List;
@XmlType(name = "PcrInfoShort",
namespace = "http://www.trustedcomputinggroup.org/XML/SCHEMA/"
+ "Integrity_Report_v1_0#", propOrder = {"pcrSelection",
"localityAtRelease", "compositeHash", "pcrComposite" })
"localityAtRelease", "compositeHash", "pcrComposite"})
@Embeddable
public class PcrInfoShort {
@ -77,16 +77,12 @@ public class PcrInfoShort {
/**
* Constructor used to create a PcrInfoShort object.
*
* @param pcrSelection
* PcrSelection defines which TPM PCRs are used in the TPM Quote.
* @param localityAtRelease
* short value includes locality information to provide the
* requestor a more complete view of the current platform
* configuration
* @param compositeHash
* A hash of PcrComposite
* @param pcrComposite
* A structure containing the actual values of the PCRs quoted.
* @param pcrSelection PcrSelection defines which TPM PCRs are used in the TPM Quote.
* @param localityAtRelease short value includes locality information to provide the
* requestor a more complete view of the current platform
* configuration
* @param compositeHash A hash of PcrComposite
* @param pcrComposite A structure containing the actual values of the PCRs quoted.
*/
public PcrInfoShort(final PcrSelection pcrSelection,
final short localityAtRelease, final byte[] compositeHash,
@ -126,8 +122,7 @@ public class PcrInfoShort {
* collected PCR values match the digest in the quote.
*
* @return byte array containing the digest
* @throws NoSuchAlgorithmException
* if MessageDigest doesn't recognize "SHA-1" or "SHA-256"
* @throws NoSuchAlgorithmException if MessageDigest doesn't recognize "SHA-1" or "SHA-256"
*/
public final byte[] getCalculatedDigest() throws NoSuchAlgorithmException {
if (this.isTpm1()) {
@ -159,7 +154,7 @@ public class PcrInfoShort {
byteBuffer.put(this.pcrSelection.getValue());
byteBuffer.putInt(pcrComposite.getValueSize());
for (TPMMeasurementRecord record: pcrComposite.getPcrValueList()) {
for (TPMMeasurementRecord record : pcrComposite.getPcrValueList()) {
byteBuffer.put(record.getHash().getDigest());
}

11
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/tpm/PcrSelection.java
View File

@ -6,7 +6,6 @@ import jakarta.xml.bind.annotation.XmlAccessorType;
import jakarta.xml.bind.annotation.XmlAttribute;
import jakarta.xml.bind.annotation.XmlSchemaType;
import jakarta.xml.bind.annotation.XmlType;
import lombok.extern.java.Log;
import lombok.extern.log4j.Log4j2;
import java.nio.ByteBuffer;
@ -27,12 +26,11 @@ import java.util.Arrays;
@Embeddable
public class PcrSelection {
private static final int MAX_SIZE_PCR_ARRAY = 3;
/**
* All PCRs are on.
*/
public static final int ALL_PCRS_ON = 0xffffff;
private static final int MAX_SIZE_PCR_ARRAY = 3;
@XmlAttribute(name = "PcrSelect", required = true)
private final byte[] pcrSelect;
@ -50,9 +48,7 @@ public class PcrSelection {
* Each byte represents 8 PCRs. Byte 0 indicates PCRs 0-7, byte 1 8-15 and
* so on. For each byte, the individual bits represent a corresponding PCR.
*
* @param pcrSelect
* byte array indicating which PCRS are selected
*
* @param pcrSelect byte array indicating which PCRS are selected
*/
public PcrSelection(final byte[] pcrSelect) {
if (pcrSelect == null) {
@ -74,8 +70,7 @@ public class PcrSelection {
* selection value. For example, to select the first 3 PCRs, one would use
* the long value 7 (b0000 0000 0000 0111).
*
* @param pcrSelectLong
* long value representing the bits to be selected
* @param pcrSelectLong long value representing the bits to be selected
*/
public PcrSelection(final long pcrSelectLong) {
if (pcrSelectLong > ALL_PCRS_ON) {

30
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/type/InetAddressType.java
View File

@ -72,19 +72,13 @@ public final class InetAddressType implements UserType {
* Converts the IP address that is stored as a <code>String</code> and
* converts it to an <code>InetAddress</code>.
*
* @param rs
* result set
* @param index
* column names
* @param session
* session
* @param owner
* owner
* @param rs result set
* @param index column names
* @param session session
* @param owner owner
* @return InetAddress of String
* @throws HibernateException
* if unable to convert the String to an InetAddress
* @throws SQLException
* if unable to retrieve the String from the result set
* @throws HibernateException if unable to convert the String to an InetAddress
* @throws SQLException if unable to retrieve the String from the result set
*/
@Override
public Object nullSafeGet(final ResultSet rs, final int index,
@ -107,9 +101,9 @@ public final class InetAddressType implements UserType {
* Converts the <code>InetAddress</code> <code>value</code> to a
* <code>String</code> and stores it in the database.
*
* @param st prepared statement
* @param value InetAddress
* @param index index
* @param st prepared statement
* @param value InetAddress
* @param index index
* @param session session
* @throws SQLException if unable to set the value in the result set
*/
@ -165,7 +159,7 @@ public final class InetAddressType implements UserType {
* immutable.
*
* @param cached cached
* @param owner owner
* @param owner owner
* @return cached
*/
@Override
@ -178,8 +172,8 @@ public final class InetAddressType implements UserType {
* immutable.
*
* @param original original
* @param target target
* @param owner owner
* @param target target
* @param owner owner
* @return original
*/
@Override

34
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/type/X509CertificateType.java
View File

@ -26,7 +26,7 @@ import java.util.Objects;
* Hibernate. This class provides the mapping from <code>X509Certificate</code>
* to Hibernate commands to JDBC.
*/
@NoArgsConstructor(access= AccessLevel.PUBLIC)
@NoArgsConstructor(access = AccessLevel.PUBLIC)
public final class X509CertificateType implements UserType {
@Override
@ -73,19 +73,13 @@ public final class X509CertificateType implements UserType {
* Converts the X509Certificate that is stored as a <code>String</code> and
* converts it to an <code>X509Certificate</code>.
*
* @param rs
* result set
* @param names
* column names
* @param session
* session
* @param owner
* owner
* @param rs result set
* @param names column names
* @param session session
* @param owner owner
* @return X509Certificate of String
* @throws HibernateException
* if unable to convert the String to an X509Certificate
* @throws SQLException
* if unable to retrieve the String from the result set
* @throws HibernateException if unable to convert the String to an X509Certificate
* @throws SQLException if unable to retrieve the String from the result set
*/
@Override
public Object nullSafeGet(final ResultSet rs, final int names,
@ -111,9 +105,9 @@ public final class X509CertificateType implements UserType {
* Converts the <code>X509Certificate</code> <code>value</code> to a
* <code>String</code> and stores it in the database.
*
* @param st prepared statement
* @param value X509Certificate
* @param index index
* @param st prepared statement
* @param value X509Certificate
* @param index index
* @param session session
* @throws SQLException if unable to set the value in the result set
*/
@ -131,7 +125,7 @@ public final class X509CertificateType implements UserType {
} catch (Exception e) {
final String msg =
String.format("unable to convert certificate: %s",
value.toString());
value);
throw new HibernateException(msg, e);
}
}
@ -178,7 +172,7 @@ public final class X509CertificateType implements UserType {
* immutable.
*
* @param cached cached
* @param owner owner
* @param owner owner
* @return cached
*/
@Override
@ -191,8 +185,8 @@ public final class X509CertificateType implements UserType {
* immutable.
*
* @param original original
* @param target target
* @param owner owner
* @param target target
* @param owner owner
* @return original
*/
@Override

5
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/AcaPciIds.java
View File

@ -3,7 +3,6 @@ package hirs.attestationca.persist.util;
import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.ComponentIdentifier;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.V2.ComponentIdentifierV2;
import lombok.extern.log4j.Log4j2;
import org.bouncycastle.asn1.DERUTF8String;
@ -35,6 +34,7 @@ public final class AcaPciIds {
/**
* Iterate through all components and translate PCI hardware IDs as necessary. It will only
* translate ComponentIdentifierV2+ objects as it relies on Component Class information.
*
* @param components List of ComponentIdentifiers.
* @return the translated list of ComponentIdentifiers.
*/
@ -58,6 +58,7 @@ public final class AcaPciIds {
/**
* Iterate through all components and translate PCI hardware IDs as necessary. It will only
* translate ComponentResults objects as it relies on Component Class information.
*
* @param componentResults List of ComponentResults.
* @return the translated list of ComponentResults.
*/
@ -75,6 +76,7 @@ public final class AcaPciIds {
/**
* Translate Vendor and Device IDs, if found, in ComponentIdentifierV2 objects.
* It will only translate ID values, any other value will pass through.
*
* @param component ComponentIdentifierV2 object.
* @return the translated ComponentIdentifierV2 object.
*/
@ -113,6 +115,7 @@ public final class AcaPciIds {
/**
* Translate Vendor and Device IDs, if found, in ComponentResult objects.
* It will only translate ID values, any other value will pass through.
*
* @param componentResult ComponentResult object.
* @return the translated ComponentResult object.
*/

8
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/CredentialHelper.java
View File

@ -1,8 +1,6 @@
package hirs.attestationca.persist.util;
import hirs.attestationca.persist.entity.userdefined.certificate.CertificateVariables;
import lombok.AccessLevel;
import lombok.NoArgsConstructor;
import lombok.extern.log4j.Log4j2;
import org.bouncycastle.util.encoders.Base64;
@ -17,6 +15,7 @@ public final class CredentialHelper {
/**
* Small method to check if the certificate is a PEM.
*
* @param possiblePEM header information
* @return true if it is.
*/
@ -27,6 +26,7 @@ public final class CredentialHelper {
/**
* Small method to check if there are multi pem files
*
* @param possiblePEM header information
* @return true if it is.
*/
@ -45,6 +45,7 @@ public final class CredentialHelper {
/**
* Method to remove header footer information from PEM
*
* @param pemFile string representation of the file
* @return a cleaned up raw byte object
*/
@ -59,6 +60,7 @@ public final class CredentialHelper {
/**
* The method is used to remove unwanted spaces and other artifacts from the certificate.
*
* @param certificateBytes raw byte form
* @return a cleaned up byte form
*/
@ -112,6 +114,7 @@ public final class CredentialHelper {
/**
* Return the string associated with the boolean slot.
*
* @param bit associated with the location in the array.
* @return string value of the bit set.
*/
@ -157,6 +160,7 @@ public final class CredentialHelper {
* This method is to take the DNs from certificates and sort them in an order
* that will be used to lookup issuer certificates. This will not be stored in
* the certificate, just the DB for lookup.
*
* @param distinguishedName the original DN string.
* @return a modified string of sorted DNs
*/

48
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CredentialValidator.java
View File

@ -33,8 +33,8 @@ public class CredentialValidator extends SupplyChainCredentialValidator {
/**
* Checks if the endorsement credential is valid.
*
* @param ec the endorsement credential to verify.
* @param trustStore trust store holding trusted certificates.
* @param ec the endorsement credential to verify.
* @param trustStore trust store holding trusted certificates.
* @param acceptExpired whether or not to accept expired and not yet valid certificates
* as valid.
* @return the result of the validation.
@ -98,8 +98,8 @@ public class CredentialValidator extends SupplyChainCredentialValidator {
/**
* Checks if the platform credential is valid.
*
* @param pc The platform credential to verify.
* @param trustStore trust store holding trusted certificates.
* @param pc The platform credential to verify.
* @param trustStore trust store holding trusted certificates.
* @param acceptExpired whether or not to accept expired certificates as valid.
* @return The result of the validation.
*/
@ -163,16 +163,17 @@ public class CredentialValidator extends SupplyChainCredentialValidator {
/**
* Checks if the platform credential's attributes are valid.
* @param platformCredential The platform credential to verify.
* @param deviceInfoReport The device info report containing
* serial number of the platform to be validated.
* @param endorsementCredential The endorsement credential supplied from the same
* identity request as the platform credential.
* @param componentResultRepository db access to component result of mismatching
* @param componentAttributeRepository db access to component attribute match status
* @param componentInfos list of device components
* @param provisionSessionId UUID associated with this run of the provision
* @param ignoreRevisionAttribute policy flag to ignore the revision attribute
*
* @param platformCredential The platform credential to verify.
* @param deviceInfoReport The device info report containing
* serial number of the platform to be validated.
* @param endorsementCredential The endorsement credential supplied from the same
* identity request as the platform credential.
* @param componentResultRepository db access to component result of mismatching
* @param componentAttributeRepository db access to component attribute match status
* @param componentInfos list of device components
* @param provisionSessionId UUID associated with this run of the provision
* @param ignoreRevisionAttribute policy flag to ignore the revision attribute
* @return The result of the validation.
*/
public static AppraisalStatus validatePlatformCredentialAttributes(
@ -223,16 +224,17 @@ public class CredentialValidator extends SupplyChainCredentialValidator {
/**
* Checks if the delta credential's attributes are valid.
* @param deviceInfoReport The device info report containing
* serial number of the platform to be validated.
* @param basePlatformCredential the base credential from the same identity request
* * as the delta credential.
* @param deltaMapping delta certificates associated with the
* * delta supply validation.
* @param componentInfos list of device components
* @param componentResultRepository repository for component results
*
* @param deviceInfoReport The device info report containing
* serial number of the platform to be validated.
* @param basePlatformCredential the base credential from the same identity request
* * as the delta credential.
* @param deltaMapping delta certificates associated with the
* * delta supply validation.
* @param componentInfos list of device components
* @param componentResultRepository repository for component results
* @param componentAttributeRepository repository for the attribute status
* @param provisionSessionId the session id to share
* @param provisionSessionId the session id to share
* @return the result of the validation.
*/
public static AppraisalStatus validateDeltaPlatformCredentialAttributes(

79
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/PcrValidator.java
View File

@ -63,13 +63,38 @@ public class PcrValidator {
*/
public PcrValidator(final String[] pcrValues) {
baselinePcrs = new String[TPMMeasurementRecord.MAX_PCR_ID + 1];
for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {
baselinePcrs[i] = pcrValues[i];
System.arraycopy(pcrValues, 0, baselinePcrs, 0, TPMMeasurementRecord.MAX_PCR_ID + 1);
}
public static String[] buildStoredPcrs(final String pcrContent, final int algorithmLength) {
// we have a full set of PCR values
String[] pcrSet = pcrContent.split("\\n");
String[] storedPcrs = new String[TPMMeasurementRecord.MAX_PCR_ID + 1];
// we need to scroll through the entire list until we find
// a matching hash length
int offset = 1;
for (int i = 0; i < pcrSet.length; i++) {
if (pcrSet[i].contains("sha")) {
// entered a new set, check size
if (pcrSet[i + offset].split(":")[1].trim().length()
== algorithmLength) {
// found the matching set
for (int j = 0; j <= TPMMeasurementRecord.MAX_PCR_ID; j++) {
storedPcrs[j] = pcrSet[++i].split(":")[1].trim();
}
break;
}
}
}
return storedPcrs;
}
/**
* Getter for the array of baseline PCRs.
*
* @return instance of the PCRs.
*/
public String[] getBaselinePcrs() {
@ -78,6 +103,7 @@ public class PcrValidator {
/**
* Setter for the array of baseline PCRs.
*
* @param baselinePcrs instance of the PCRs.
*/
public void setBaselinePcrs(final String[] baselinePcrs) {
@ -88,7 +114,7 @@ public class PcrValidator {
* Compares the baseline pcr list and the quote pcr list. If the
* ignore flags are set, 10 and 17-19 will be skipped for comparison.
*
* @param storedPcrs non-baseline pcr list
* @param storedPcrs non-baseline pcr list
* @param policySettings db entity that holds all of policy
* @return a StringBuilder that is empty if everything passes.
*/
@ -128,9 +154,10 @@ public class PcrValidator {
/**
* Checks that the expected FM events occurring. There are policy options that
* will ignore certin PCRs, Event Types and Event Variables present.
*
* @param tcgMeasurementLog Measurement log from the client
* @param eventValueMap The events stored as baseline to compare
* @param policySettings db entity that holds all of policy
* @param eventValueMap The events stored as baseline to compare
* @param policySettings db entity that holds all of policy
* @return the events that didn't pass
*/
public List<TpmPcrEvent> validateTpmEvents(final TCGEventLog tcgMeasurementLog,
@ -151,11 +178,11 @@ public class PcrValidator {
log.info(String.format("GPT Ignored -> %s", tpe));
} else if (policySettings.isIgnoreOsEvtEnabled() && (
tpe.getEventTypeStr().contains(EVT_EFI_BOOT)
|| tpe.getEventTypeStr().contains(EVT_EFI_VAR))) {
|| tpe.getEventTypeStr().contains(EVT_EFI_VAR))) {
log.info(String.format("OS Evt Ignored -> %s", tpe));
} else if (policySettings.isIgnoreOsEvtEnabled() && (
tpe.getEventTypeStr().contains(EVT_EFI_CFG)
&& tpe.getEventContentStr().contains("SecureBoot"))) {
&& tpe.getEventContentStr().contains("SecureBoot"))) {
log.info(String.format("OS Evt Config Ignored -> %s", tpe));
} else {
if (!eventValueMap.containsKey(tpe.getEventDigestStr())) {
@ -171,8 +198,8 @@ public class PcrValidator {
/**
* Compares hashs to validate the quote from the client.
*
* @param tpmQuote the provided quote
* @param storedPcrs values from the RIM file
* @param tpmQuote the provided quote
* @param storedPcrs values from the RIM file
* @param policySettings db entity that holds all of policy
* @return true if validated, false if not
*/
@ -211,10 +238,10 @@ public class PcrValidator {
try {
// The calculated string is being used in the contains method
// because the TPM Quote's hash isn't just for PCR values,
// it contains the calculated digest of the PCRs, along with
// other information.
// The calculated string is being used in the contains method
// because the TPM Quote's hash isn't just for PCR values,
// it contains the calculated digest of the PCRs, along with
// other information.
String calculatedString = Hex.encodeHexString(
pcrInfoShort.getCalculatedDigest());
log.debug("Validating PCR information with the following:" +
@ -230,30 +257,4 @@ public class PcrValidator {
return validated;
}
public static String[] buildStoredPcrs(final String pcrContent, final int algorithmLength) {
// we have a full set of PCR values
String[] pcrSet = pcrContent.split("\\n");
String[] storedPcrs = new String[TPMMeasurementRecord.MAX_PCR_ID + 1];
// we need to scroll through the entire list until we find
// a matching hash length
int offset = 1;
for (int i = 0; i < pcrSet.length; i++) {
if (pcrSet[i].contains("sha")) {
// entered a new set, check size
if (pcrSet[i + offset].split(":")[1].trim().length()
== algorithmLength) {
// found the matching set
for (int j = 0; j <= TPMMeasurementRecord.MAX_PCR_ID; j++) {
storedPcrs[j] = pcrSet[++i].split(":")[1].trim();
}
break;
}
}
}
return storedPcrs;
}
}

72
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/SupplyChainCredentialValidator.java
View File

@ -36,7 +36,7 @@ import java.util.Set;
@Log4j2
@NoArgsConstructor
public class SupplyChainCredentialValidator {
public class SupplyChainCredentialValidator {
/**
* used to identify and clear a nuc
@ -78,13 +78,10 @@ public class SupplyChainCredentialValidator {
* continue to try to find the signing cert of the intermediate cert. It will continue searching
* until it follows the chain up to a root (self-signed) cert.
*
* @param cert
* certificate to validate
* @param trustStore
* trust store holding trusted root certificates and intermediate certificates
* @param cert certificate to validate
* @param trustStore trust store holding trusted root certificates and intermediate certificates
* @return the certificate chain if validation is successful
* @throws SupplyChainValidatorException
* if the verification is not successful
* @throws SupplyChainValidatorException if the verification is not successful
*/
public static String verifyCertificate(final X509AttributeCertificateHolder cert,
final KeyStore trustStore) throws SupplyChainValidatorException {
@ -122,13 +119,10 @@ public class SupplyChainCredentialValidator {
* continue to try to find the signing cert of the intermediate cert. It will continue searching
* until it follows the chain up to a root (self-signed) cert.
*
* @param cert
* certificate to validate
* @param trustStore
* trust store holding trusted root certificates and intermediate certificates
* @param cert certificate to validate
* @param trustStore trust store holding trusted root certificates and intermediate certificates
* @return the certificate chain if validation is successful
* @throws SupplyChainValidatorException
* if the verification is not successful
* @throws SupplyChainValidatorException if the verification is not successful
*/
public static boolean verifyCertificate(final X509Certificate cert,
final KeyStore trustStore) throws SupplyChainValidatorException {
@ -164,12 +158,10 @@ public class SupplyChainCredentialValidator {
* to find the signing cert of the intermediate cert. It will continue searching until it
* follows the chain up to a root (self-signed) cert.
*
* @param cert
* certificate to validate
* @param additionalCerts
* Set of certs to validate against
* @param cert certificate to validate
* @param additionalCerts Set of certs to validate against
* @return String status of the cert chain validation -
* blank if successful, error message otherwise
* blank if successful, error message otherwise
* @throws SupplyChainValidatorException tried to validate using null certificates
*/
public static String validateCertChain(final X509AttributeCertificateHolder cert,
@ -227,12 +219,10 @@ public class SupplyChainCredentialValidator {
* to find the signing cert of the intermediate cert. It will continue searching until it
* follows the chain up to a root (self-signed) cert.
*
* @param cert
* certificate to validate
* @param additionalCerts
* Set of certs to validate against
* @param cert certificate to validate
* @param additionalCerts Set of certs to validate against
* @return String status of the cert chain validation -
* blank if successful, error message otherwise
* blank if successful, error message otherwise
* @throws SupplyChainValidatorException tried to validate using null certificates
*/
public static String validateCertChain(final X509Certificate cert,
@ -277,7 +267,8 @@ public class SupplyChainCredentialValidator {
/**
* Parses the output from PACCOR's allcomponents.sh script into ComponentInfo objects.
* @param hostName the host machine associated with the component
*
* @param hostName the host machine associated with the component
* @param paccorOutput the output from PACCOR's allcomoponents.sh
* @return a list of ComponentInfo objects built from paccorOutput
* @throws java.io.IOException if something goes wrong parsing the JSON
@ -333,10 +324,8 @@ public class SupplyChainCredentialValidator {
* Checks if the issuer info of an attribute cert matches the supposed signing cert's
* distinguished name.
*
* @param cert
* the attribute certificate with the signature to validate
* @param signingCert
* the certificate with the public key to validate
* @param cert the attribute certificate with the signature to validate
* @param signingCert the certificate with the public key to validate
* @return boolean indicating if the names
* @throws SupplyChainValidatorException tried to validate using null certificates
*/
@ -359,10 +348,8 @@ public class SupplyChainCredentialValidator {
* Checks if the issuer info of a public-key cert matches the supposed signing cert's
* distinguished name.
*
* @param cert
* the public-key certificate with the signature to validate
* @param signingCert
* the certificate with the public key to validate
* @param cert the public-key certificate with the signature to validate
* @param signingCert the certificate with the public key to validate
* @return boolean indicating if the names
* @throws SupplyChainValidatorException tried to validate using null certificates
*/
@ -387,10 +374,8 @@ public class SupplyChainCredentialValidator {
* Checks if the signature of an attribute cert is validated against the signing cert's public
* key.
*
* @param cert
* the public-key certificate with the signature to validate
* @param signingCert
* the certificate with the public key to validate
* @param cert the public-key certificate with the signature to validate
* @param signingCert the certificate with the public key to validate
* @return boolean indicating if the validation passed
* @throws SupplyChainValidatorException tried to validate using null certificates
*/
@ -423,10 +408,8 @@ public class SupplyChainCredentialValidator {
* Checks if the signature of a public-key cert is validated against the signing cert's public
* key.
*
* @param cert
* the attribute certificate with the signature to validate
* @param signingCert
* the certificate with the public key to validate
* @param cert the attribute certificate with the signature to validate
* @param signingCert the certificate with the public key to validate
* @return boolean indicating if the validation passed
* @throws SupplyChainValidatorException tried to validate using null certificates
*/
@ -442,10 +425,8 @@ public class SupplyChainCredentialValidator {
/**
* Checks if an X509 Attribute Certificate is valid directly against a public key.
*
* @param cert
* the attribute certificate with the signature to validate
* @param signingKey
* the key to use to check the attribute cert
* @param cert the attribute certificate with the signature to validate
* @param signingKey the key to use to check the attribute cert
* @return boolean indicating if the validation passed
* @throws SupplyChainValidatorException tried to validate using null certificates
*/
@ -472,8 +453,7 @@ public class SupplyChainCredentialValidator {
* Checks whether given X.509 public-key certificate is self-signed. If the cert can be
* verified using its own public key, that means it was self-signed.
*
* @param cert
* X.509 Certificate
* @param cert X.509 Certificate
* @return boolean indicating if the cert was self-signed
*/
private static boolean isSelfSigned(final X509Certificate cert)

12
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/SupplyChainValidatorException.java
View File

@ -11,10 +11,8 @@ public class SupplyChainValidatorException extends Exception {
* Creates a new <code>SupplyChainValidatorException</code> that has the message
* <code>message</code> and <code>Throwable</code> cause <code>cause</code>.
*
* @param message
* exception message
* @param cause
* root cause
* @param message exception message
* @param cause root cause
*/
public SupplyChainValidatorException(final String message, final Throwable cause) {
super(message, cause);
@ -24,8 +22,7 @@ public class SupplyChainValidatorException extends Exception {
* Creates a new <code>SupplyChainValidatorException</code> that has the <code>String</code>
* message <code>message</code>.
*
* @param message
* exception message
* @param message exception message
*/
public SupplyChainValidatorException(final String message) {
super(message);
@ -35,8 +32,7 @@ public class SupplyChainValidatorException extends Exception {
* Creates a new <code>SupplyChainValidatorException</code> that has the <code>Throwable</code>
* cause <code>cause</code>.
*
* @param cause
* root cause
* @param cause root cause
*/
public SupplyChainValidatorException(final Throwable cause) {
super(cause);

4
HIRS_AttestationCA/src/main/resources/identity_transform.xslt
View File

@ -1,6 +1,6 @@
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output indent="no" />
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:output indent="no"/>
<xsl:strip-space elements="*"/>
<xsl:template match="@*|node()">
<xsl:copy>

134
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/AttestationCertificateAuthorityTest.java
View File

@ -72,62 +72,10 @@ import static org.mockito.Mockito.when;
@TestInstance(TestInstance.Lifecycle.PER_CLASS) // needed to use non-static BeforeAll
public class AttestationCertificateAuthorityTest {
/**
* This internal class handles setup for testing the function
* generateCredential() from class AbstractProcessor. Because the
* function is Protected and in a different package than the test,
* it cannot be accessed directly.
*/
@Nested
public class AccessAbstractProcessor extends AbstractProcessor {
/**
* Constructor.
*
* @param privateKey the private key of the ACA
* @param validDays int for the time in which a certificate is valid.
*/
public AccessAbstractProcessor(final PrivateKey privateKey,
final int validDays) {
super(privateKey, validDays);
}
/**
* Public wrapper for the protected function generateCredential(), to access for testing.
*
* @param publicKey cannot be null
* @param endorsementCredential the endorsement credential
* @param platformCredentials the set of platform credentials
* @param deviceName The host name used in the subject alternative name
* @param acaCertificate the aca certificate
* @return the generated X509 certificate
*/
public X509Certificate accessGenerateCredential(final PublicKey publicKey,
final EndorsementCredential endorsementCredential,
final List<PlatformCredential> platformCredentials,
final String deviceName,
final X509Certificate acaCertificate) {
return generateCredential(publicKey,
endorsementCredential,
platformCredentials,
deviceName,
acaCertificate);
}
}
// object in test
private AttestationCertificateAuthority aca;
private AccessAbstractProcessor abstractProcessor;
// test key pair
private KeyPair keyPair;
// length of IV used in PKI
private static final int ENCRYPTION_IV_LEN = 16;
// length of secret key used in PKI
private static final int SECRETKEY_LEN = 128;
private static final String EK_PUBLIC_PATH = "/tpm2/ek.pub";
private static final String AK_PUBLIC_PATH = "/tpm2/ak.pub";
private static final String AK_NAME_PATH = "/tpm2/ak.name";
@ -167,7 +115,11 @@ public class AttestationCertificateAuthorityTest {
private static final String AK_NAME_HEX = "00 0b 6e 8f 79 1c 7e 16 96 1b 11 71 65 9c e0 cd"
+ "ae 0d 4d aa c5 41 be 58 89 74 67 55 96 c2 5e 38"
+ "e2 94";
// object in test
private AttestationCertificateAuthority aca;
private AccessAbstractProcessor abstractProcessor;
// test key pair
private KeyPair keyPair;
/**
* Registers bouncy castle as a security provider. Normally the JEE container will handle this,
@ -199,7 +151,7 @@ public class AttestationCertificateAuthorityTest {
@Test
public void testProcessIdentityClaimTpm2NullRequest() {
assertThrows(IllegalArgumentException.class, () ->
aca.processIdentityClaimTpm2(null));
aca.processIdentityClaimTpm2(null));
}
/**
@ -209,7 +161,7 @@ public class AttestationCertificateAuthorityTest {
public void testGetPublicKey() {
// encoded byte array to be returned by public key
byte[] encoded = new byte[]{0, 1, 0, 1, 0};
byte[] encoded = new byte[] {0, 1, 0, 1, 0};
// create mocks for testing
X509Certificate acaCertificate = mock(X509Certificate.class);
@ -260,7 +212,7 @@ public class AttestationCertificateAuthorityTest {
/**
* Tests {@link ProvisionUtils#decryptSymmetricBlob(
* byte[], byte[], byte[], String)}.
*byte[], byte[], byte[], String)}.
*
* @throws Exception during aca processing
*/
@ -315,7 +267,7 @@ public class AttestationCertificateAuthorityTest {
/**
* Tests {@link ProvisionUtils#generateAsymmetricContents(
* byte[], byte[], PublicKey)}.
*byte[], byte[], PublicKey)}.
*
* @throws Exception during aca processing
*/
@ -323,7 +275,7 @@ public class AttestationCertificateAuthorityTest {
public void testGenerateAsymmetricContents() throws Exception {
// "encoded" identity proof (returned by struct converter)
byte[] identityProofEncoded = new byte[]{0, 0, 1, 1};
byte[] identityProofEncoded = new byte[] {0, 0, 1, 1};
// generate a random session key to be used for encryption and decryption
byte[] sessionKey = new byte[ENCRYPTION_IV_LEN];
@ -478,10 +430,10 @@ public class AttestationCertificateAuthorityTest {
assertEquals("", certificate.getSubjectX500Principal().getName());
assertEquals("exampleIdLabel",
((X500Name) GeneralNames.fromExtensions(((TBSCertificate.getInstance(
certificate.getTBSCertificate()).getExtensions())), Extension.
subjectAlternativeName).getNames()[0].getName()).getRDNs(
certificate.getTBSCertificate()).getExtensions())), Extension.
subjectAlternativeName).getNames()[0].getName()).getRDNs(
IssuedCertificateAttributeHelper.TCPA_AT_TPM_ID_LABEL)[0].getFirst()
.getValue().toString());
.getValue().toString());
assertArrayEquals(modulus, resultMod);
@ -540,8 +492,9 @@ public class AttestationCertificateAuthorityTest {
/**
* Tests parsing the EK from the TPM2 output file.
*
* @throws URISyntaxException incorrect resource path
* @throws IOException unable to read from file
* @throws IOException unable to read from file
*/
@Test
public void testParseEk() throws URISyntaxException, IOException {
@ -567,8 +520,9 @@ public class AttestationCertificateAuthorityTest {
/**
* Tests parsing the AK public key from the TPM2 output file.
*
* @throws URISyntaxException incorrect resource path
* @throws IOException unable to read from file
* @throws IOException unable to read from file
*/
@Test
public void testParseAk() throws URISyntaxException, IOException {
@ -594,8 +548,9 @@ public class AttestationCertificateAuthorityTest {
/**
* Tests parsing the AK name from the TPM2 output file.
* @throws URISyntaxException incorrect resource path
* @throws IOException unable to read from file
*
* @throws URISyntaxException incorrect resource path
* @throws IOException unable to read from file
* @throws NoSuchAlgorithmException inavlid algorithm
*/
@Test
@ -624,8 +579,9 @@ public class AttestationCertificateAuthorityTest {
* and ekPubPath are correct. Your output file will be
* HIRS_AttestationCA/src/test/resources/tpm2/test/make.blob and the nonce used will be
* output as HIRS_AttestationCA/src/test/resources/tpm2/test/secret.blob
*
* @throws URISyntaxException invalid file path
* @throws IOException unable to read file
* @throws IOException unable to read file
*/
@Disabled
@Test
@ -647,7 +603,7 @@ public class AttestationCertificateAuthorityTest {
ByteString blob = ProvisionUtils.tpm20MakeCredential(ekPub, akPub, nonce);
Path resources = Objects.requireNonNull(Paths.get(Objects.requireNonNull(this.getClass().getResource(
"/").toURI()))
"/").toURI()))
.getParent().getParent().getParent().getParent());
Path makeBlob = resources.resolve("src/test/resources/tpm2/test/make.blob");
Files.write(makeBlob, blob.toByteArray());
@ -754,4 +710,48 @@ public class AttestationCertificateAuthorityTest {
// return the cipher text
return cipher.doFinal(blob);
}
/**
* This internal class handles setup for testing the function
* generateCredential() from class AbstractProcessor. Because the
* function is Protected and in a different package than the test,
* it cannot be accessed directly.
*/
@Nested
public class AccessAbstractProcessor extends AbstractProcessor {
/**
* Constructor.
*
* @param privateKey the private key of the ACA
* @param validDays int for the time in which a certificate is valid.
*/
public AccessAbstractProcessor(final PrivateKey privateKey,
final int validDays) {
super(privateKey, validDays);
}
/**
* Public wrapper for the protected function generateCredential(), to access for testing.
*
* @param publicKey cannot be null
* @param endorsementCredential the endorsement credential
* @param platformCredentials the set of platform credentials
* @param deviceName The host name used in the subject alternative name
* @param acaCertificate the aca certificate
* @return the generated X509 certificate
*/
public X509Certificate accessGenerateCredential(final PublicKey publicKey,
final EndorsementCredential endorsementCredential,
final List<PlatformCredential> platformCredentials,
final String deviceName,
final X509Certificate acaCertificate) {
return generateCredential(publicKey,
endorsementCredential,
platformCredentials,
deviceName,
acaCertificate);
}
}
}

25
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/tpm/TPM2ProvisionerStateTest.java
View File

@ -1,20 +1,20 @@
package hirs.attestationca.persist.entity.tpm;
import hirs.attestationca.persist.entity.manager.TPM2ProvisionerStateRepository;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertArrayEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import org.junit.jupiter.api.Test;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.util.Random;
import static org.junit.jupiter.api.Assertions.assertArrayEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
/**
* Contains unit tests for {@link TPM2ProvisionerState}.
*/
@ -88,9 +88,10 @@ public class TPM2ProvisionerStateTest {
/**
* Test that {@link TPM2ProvisionerState#getTPM2ProvisionerState(
* TPM2ProvisionerStateRepository, byte[])} works.
*TPM2ProvisionerStateRepository, byte[])} works.
* {@link TPM2ProvisionerState#getTPM2ProvisionerState(
* TPM2ProvisionerStateRepository, byte[])}, null is returned.
*TPM2ProvisionerStateRepository, byte[])}, null is returned.
*
* @throws IOException this will never happen
*/
@Test
@ -116,7 +117,8 @@ public class TPM2ProvisionerStateTest {
/**
* Test that if a null is passed as a nonce to
* {@link TPM2ProvisionerState#getTPM2ProvisionerState(
* TPM2ProvisionerStateRepository, byte[])}, null is returned.
*TPM2ProvisionerStateRepository, byte[])}, null is returned.
*
* @throws IOException this will never happen
*/
@Test
@ -139,7 +141,8 @@ public class TPM2ProvisionerStateTest {
/**
* Test that if a nonce that is less than 8 bytes is passed to
* {@link TPM2ProvisionerState#getTPM2ProvisionerState(
* TPM2ProvisionerStateRepository, byte[])}, null is returned.
*TPM2ProvisionerStateRepository, byte[])}, null is returned.
*
* @throws IOException this will never happen
*/
@Test

24
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/AbstractUserdefinedEntityTest.java
View File

@ -33,7 +33,6 @@ import java.util.Objects;
/**
* Class with definitions and functions common to multiple Userdefined Entity object tests.
*
*/
public class AbstractUserdefinedEntityTest {
@ -58,54 +57,45 @@ public class AbstractUserdefinedEntityTest {
*/
public static final String FAKE_ROOT_CA_SUBJECT_KEY_IDENTIFIER_HEX =
"58ec313a1699f94c1c8c4e2c6412402b258f0177";
/**
* Location of a test identity certificate.
*/
private static final String TEST_IDENTITY_CERT = "/tpm/sample_identity_cert.cer";
/**
* Location of a test platform attribute cert.
*/
public static final String TEST_PLATFORM_CERT_1 =
"/validation/platform_credentials/Intel_pc1.cer";
/**
* Location of another, slightly different platform attribute cert.
*/
public static final String TEST_PLATFORM_CERT_2 =
"/validation/platform_credentials/Intel_pc2.cer";
/**
* Location of another, slightly different platform attribute cert.
*/
public static final String TEST_PLATFORM_CERT_3 =
"/validation/platform_credentials/Intel_pc3.cer";
/**
* Platform cert with comma separated baseboard and chassis serial number.
*/
public static final String TEST_PLATFORM_CERT_4 =
"/validation/platform_credentials/Intel_pc4.pem";
/**
* Another platform cert with comma separated baseboard and chassis serial number.
*/
public static final String TEST_PLATFORM_CERT_5 =
"/validation/platform_credentials/Intel_pc5.pem";
/**
* Location of another, slightly different platform attribute cert.
*/
public static final String TEST_PLATFORM_CERT_6 =
"/validation/platform_credentials/TPM_INTC_Platform_Cert_RSA.txt";
private static final Logger LOGGER = LogManager.getLogger(DeviceInfoReportTest.class);
/**
* Dummy message for supply chain validation test.
*/
public static final String VALIDATION_MESSAGE = "Some message.";
/**
* Location of a test identity certificate.
*/
private static final String TEST_IDENTITY_CERT = "/tpm/sample_identity_cert.cer";
private static final Logger LOGGER = LogManager.getLogger(DeviceInfoReportTest.class);
/**
* Construct a test certificate from the given parameters.
@ -294,8 +284,8 @@ public class AbstractUserdefinedEntityTest {
/**
* Construct a SupplyChainValidation for use in tests according to the provided parameters.
*
* @param type the type of validation
* @param result the appraisal result
* @param type the type of validation
* @param result the appraisal result
* @param certificates the certificates related to this validation
* @return the resulting SupplyChainValidation object
*/

72
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/CertificateTest.java
View File

@ -21,11 +21,12 @@ import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Objects;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertArrayEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
/**
* This class tests functionality of the {@link Certificate} class.
@ -88,6 +89,37 @@ public class CertificateTest extends AbstractUserdefinedEntityTest {
private static final String EK_CERT_WITH_PADDED_BYTES =
"/certificates/ek_cert_with_padded_bytes.cer";
/**
* Construct a CertificateAuthorityCredential from the given parameters.
*
* @param filename the location of the certificate to be used
* @return the newly-constructed Certificate
* @throws IOException if there is a problem constructing the test certificate
*/
public static Certificate getTestCertificate(
final String filename) throws IOException {
return getTestCertificate(CertificateAuthorityCredential.class, filename);
}
private static X509Certificate readX509Certificate(final String resourceName)
throws IOException {
CertificateFactory cf;
try {
cf = CertificateFactory.getInstance("X.509");
} catch (CertificateException e) {
throw new IOException("Cannot get X509 CertificateFactory instance", e);
}
try (FileInputStream certInputStream = new FileInputStream(Paths.get(
Objects.requireNonNull(CertificateTest.class.getResource(
resourceName)).toURI()).toFile()
)) {
return (X509Certificate) cf.generateCertificate(certInputStream);
} catch (CertificateException | URISyntaxException e) {
throw new IOException("Cannot read certificate", e);
}
}
/**
* Tests that a certificate can be constructed from a byte array.
@ -132,7 +164,7 @@ public class CertificateTest extends AbstractUserdefinedEntityTest {
public void testConstructCertFromEmptyByteArray()
throws IOException, CertificateException {
assertThrows(IllegalArgumentException.class, () ->
new CertificateAuthorityCredential(new byte[]{}));
new CertificateAuthorityCredential(new byte[] {}));
}
/**
@ -293,7 +325,7 @@ public class CertificateTest extends AbstractUserdefinedEntityTest {
attrCertHolder.getIssuer().getNames()[0].toString(),
platformCert.getIssuer()
);
assertEquals(null, platformCert.getSubject());
assertNull(platformCert.getSubject());
assertArrayEquals(null, platformCert.getEncodedPublicKey());
assertArrayEquals(attrCertHolder.getSignature(), platformCert.getSignature());
assertEquals(attrCertHolder.getNotBefore(), platformCert.getBeginValidity());
@ -492,36 +524,4 @@ public class CertificateTest extends AbstractUserdefinedEntityTest {
).hashCode()
);
}
/**
* Construct a CertificateAuthorityCredential from the given parameters.
*
* @param filename the location of the certificate to be used
* @return the newly-constructed Certificate
* @throws IOException if there is a problem constructing the test certificate
*/
public static Certificate getTestCertificate(
final String filename) throws IOException {
return getTestCertificate(CertificateAuthorityCredential.class, filename);
}
private static X509Certificate readX509Certificate(final String resourceName)
throws IOException {
CertificateFactory cf;
try {
cf = CertificateFactory.getInstance("X.509");
} catch (CertificateException e) {
throw new IOException("Cannot get X509 CertificateFactory instance", e);
}
try (FileInputStream certInputStream = new FileInputStream(Paths.get(
Objects.requireNonNull(CertificateTest.class.getResource(
resourceName)).toURI()).toFile()
)) {
return (X509Certificate) cf.generateCertificate(certInputStream);
} catch (CertificateException | URISyntaxException e) {
throw new IOException("Cannot read certificate", e);
}
}
}

3
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/DeviceTest.java
View File

@ -11,7 +11,6 @@ import static org.junit.jupiter.api.Assertions.assertNull;
/**
* This is the test class for the <code>Device</code> class.
*
*/
public final class DeviceTest extends AbstractUserdefinedEntityTest {
@ -113,7 +112,7 @@ public final class DeviceTest extends AbstractUserdefinedEntityTest {
*/
@Test
public void testSetHealthStatus() {
final Device device = new Device("test-device", null, HealthStatus.UNKNOWN,
final Device device = new Device("test-device", null, HealthStatus.UNKNOWN,
AppraisalStatus.Status.UNKNOWN, null, false,
null, null);
device.setHealthStatus(HealthStatus.TRUSTED);

7
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/PolicySettingsTest.java
View File

@ -1,10 +1,11 @@
package hirs.attestationca.persist.entity.userdefined;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.assertFalse;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
/**
* Unit test class for PolicySettings.
*/

39
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidationSummaryTest.java
View File

@ -26,16 +26,28 @@ public class SupplyChainValidationSummaryTest extends AbstractUserdefinedEntityT
/**
* Test device.
*
*/
private Device device;
/**
* List of test certificates.
*
*/
private List<ArchivableEntity> certificates;
/**
* Utility method for getting a <code>Device</code> that can be used for
* testing.
*
* @param name name for the <code>Device</code>
* @return device
*/
public static Device getTestDevice(final String name) {
final DeviceInfoReport deviceInfo = getTestDeviceInfoReport();
return new Device(name, deviceInfo, HealthStatus.UNKNOWN,
AppraisalStatus.Status.UNKNOWN, null,
false, null, null);
}
/**
* Create a set of certificates and a device for use by these tests.
*
@ -152,28 +164,12 @@ public class SupplyChainValidationSummaryTest extends AbstractUserdefinedEntityT
assertNotNull(twoBadValidations.getCreateTime());
}
/**
* Utility method for getting a <code>Device</code> that can be used for
* testing.
*
* @param name name for the <code>Device</code>
*
* @return device
*/
public static Device getTestDevice(final String name) {
final DeviceInfoReport deviceInfo = getTestDeviceInfoReport();
return new Device(name, deviceInfo, HealthStatus.UNKNOWN,
AppraisalStatus.Status.UNKNOWN, null,
false, null, null);
}
/**
* Utility method for getting a <code>SupplyChainValidationSummary</code> that can be used for
* testing.
*
* @param numberOfValidations number of validations for the <code>SupplyChainValidationSummary</code>
* @param numFail number of failed validations
*
* @param numFail number of failed validations
* @return device
*/
private SupplyChainValidationSummary getTestSummary(
@ -199,10 +195,7 @@ public class SupplyChainValidationSummaryTest extends AbstractUserdefinedEntityT
Collection<SupplyChainValidation> validations = new HashSet<>();
for (int i = 0; i < numberOfValidations; i++) {
boolean successful = true;
if (i >= (numberOfValidations - numFail)) {
successful = false;
}
boolean successful = i < (numberOfValidations - numFail);
AppraisalStatus.Status result = AppraisalStatus.Status.FAIL;
if (successful) {

32
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidationTest.java
View File

@ -14,6 +14,22 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
*/
class SupplyChainValidationTest extends AbstractUserdefinedEntityTest {
/**
* Construct a SupplyChainValidation for use in tests. It will have a validation
* type of ENDORSEMENT_CREDENTIAL, will represent a successful validation, and will use
* multiple test certificates.
*
* @return the test SupplyChainValidation
* @throws IOException if there si
*/
public static SupplyChainValidation getTestSupplyChainValidation() throws IOException {
return getTestSupplyChainValidation(
SupplyChainValidation.ValidationType.ENDORSEMENT_CREDENTIAL,
AppraisalStatus.Status.PASS,
getAllTestCertificates()
);
}
/**
* Test that this class' getter methods work properly.
*
@ -79,20 +95,4 @@ class SupplyChainValidationTest extends AbstractUserdefinedEntityTest {
VALIDATION_MESSAGE
);
}
/**
* Construct a SupplyChainValidation for use in tests. It will have a validation
* type of ENDORSEMENT_CREDENTIAL, will represent a successful validation, and will use
* multiple test certificates.
*
* @return the test SupplyChainValidation
* @throws IOException if there si
*/
public static SupplyChainValidation getTestSupplyChainValidation() throws IOException {
return getTestSupplyChainValidation(
SupplyChainValidation.ValidationType.ENDORSEMENT_CREDENTIAL,
AppraisalStatus.Status.PASS,
getAllTestCertificates()
);
}
}

9
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/certificate/CertificateAuthorityCredentialTest.java
View File

@ -2,8 +2,6 @@ package hirs.attestationca.persist.entity.userdefined.certificate;
import hirs.attestationca.persist.entity.userdefined.AbstractUserdefinedEntityTest;
import org.apache.commons.codec.binary.Hex;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import org.junit.jupiter.api.Test;
import java.io.IOException;
@ -12,6 +10,9 @@ import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
/**
* Tests that CertificateAuthorityCredential properly parses its fields.
*/
@ -21,10 +22,10 @@ public class CertificateAuthorityCredentialTest extends AbstractUserdefinedEntit
* Tests that a CertificateAuthorityCredential can be created from an X.509 certificate and
* that the subject key identifier is correctly extracted.
*
* @throws IOException if the certificate could not be constructed properly
* @throws IOException if the certificate could not be constructed properly
* @throws CertificateException if there is a problem with the KeyStore or de/serializing the
* certificate
* @throws URISyntaxException if there is a problem constructing the path to the certificate
* @throws URISyntaxException if there is a problem constructing the path to the certificate
*/
@Test
public void testGetSubjectKeyIdentifier()

19
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/certificate/EndorsementCredentialTest.java
View File

@ -1,10 +1,7 @@
package hirs.attestationca.persist.entity.userdefined.certificate;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.TPMSecurityAssertions;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.TPMSpecification;
import org.junit.jupiter.api.Test;
import java.io.IOException;
@ -12,8 +9,11 @@ import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.TPMSecurityAssertions;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.TPMSpecification;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertTrue;
/**
* Tests for the EndorsementCredential class.
@ -32,6 +32,7 @@ public class EndorsementCredentialTest {
/**
* Tests the successful parsing of an EC using a test cert from STM.
*
* @throws IOException test failed due to invalid certificate parsing
*/
@Test
@ -65,6 +66,7 @@ public class EndorsementCredentialTest {
/**
* Tests the successful parsing of an EC using a test cert from NUC 1.
*
* @throws IOException test failed due to invalid certificate parsing
*/
@Test
@ -99,6 +101,7 @@ public class EndorsementCredentialTest {
/**
* Tests the successful parsing of an EC using a test cert from NUC 1,
* using the static builder method.
*
* @throws IOException test failed due to invalid certificate parsing
*/
@Test
@ -134,6 +137,7 @@ public class EndorsementCredentialTest {
/**
* Tests the successful parsing of an EC using a test cert from NUC 2.
*
* @throws IOException test failed due to invalid certificate parsing
*/
@Test
@ -167,6 +171,7 @@ public class EndorsementCredentialTest {
/**
* Tests that different EC certificates aren't the same, even if their attributes are the same.
*
* @throws IOException test failed due to invalid certificate parsing
*/
@Test

215
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/certificate/PlatformCredentialTest.java
View File

@ -12,7 +12,6 @@ import org.apache.commons.codec.binary.Hex;
import org.bouncycastle.util.encoders.Base64;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.fail;
import java.io.IOException;
import java.net.URISyntaxException;
@ -23,6 +22,8 @@ import java.util.Calendar;
import java.util.List;
import java.util.TimeZone;
import static org.junit.jupiter.api.Assertions.fail;
/**
* Tests that a PlatformCredential parses its fields correctly.
*/
@ -169,7 +170,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
* extension but is missing the subject alternative name extension. This certificate
* also has a policy extension, but it is not currently parsed.
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -206,7 +207,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
Assertions.assertEquals(credential.getCredentialType(), "TCPA Trusted Platform Endorsement");
// the platform certificate in this test does not contain the following information
Assertions.assertEquals(credential.getPlatformSerial(), null);
Assertions.assertNull(credential.getPlatformSerial());
Assertions.assertEquals(credential.getMajorVersion(), 1);
Assertions.assertEquals(credential.getMinorVersion(), 2);
Assertions.assertEquals(credential.getRevisionLevel(), 1);
@ -218,7 +219,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
* extension but is missing the subject alternative name extension. This certificate
* also has a policy extension, but it is not currently parsed.
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -255,7 +256,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
Assertions.assertEquals(credential.getCredentialType(), "TCPA Trusted Platform Endorsement");
// the platform certificate in this test does not contain the following information
Assertions.assertEquals(credential.getPlatformSerial(), null);
Assertions.assertNull(credential.getPlatformSerial());
Assertions.assertEquals(credential.getMajorVersion(), 1);
Assertions.assertEquals(credential.getMinorVersion(), 2);
Assertions.assertEquals(credential.getRevisionLevel(), 1);
@ -266,7 +267,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
* Tests the parsing of a platform credential that has a combined baseboard and chassis
* serial number in one attribute can be parsed.
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -311,7 +312,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
* Tests the parsing another platform credential that has a combined baseboard and chassis
* serial number in one attribute can be parsed.
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -355,7 +356,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
/**
* Tests isIssuer of a platform credential.
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -376,7 +377,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
/**
* Tests platform Configuration Values.
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -398,37 +399,30 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
ComponentIdentifier component;
//Check component #2
component = (ComponentIdentifier) allComponents.get(1);
Assertions.assertTrue(component.getComponentManufacturer()
.getString()
.equals("Intel Corporation"));
Assertions.assertTrue(component.getComponentModel()
.getString()
.equals("NUC7i5DNB"));
Assertions.assertTrue(component.getComponentSerial()
.getString()
.equals("BTDN732000QM"));
component = allComponents.get(1);
Assertions.assertEquals("Intel Corporation", component.getComponentManufacturer()
.getString());
Assertions.assertEquals("NUC7i5DNB", component.getComponentModel()
.getString());
Assertions.assertEquals("BTDN732000QM", component.getComponentSerial()
.getString());
//Check component #3
component = (ComponentIdentifier) allComponents.get(2);
Assertions.assertTrue(component.getComponentManufacturer()
.getString()
.equals("Intel(R) Corporation"));
Assertions.assertTrue(component.getComponentModel().getString().equals("Core i5"));
component = allComponents.get(2);
Assertions.assertEquals("Intel(R) Corporation", component.getComponentManufacturer()
.getString());
Assertions.assertEquals("Core i5", component.getComponentModel().getString());
Assertions.assertTrue(component.getFieldReplaceable().isTrue());
//Check component #5
component = (ComponentIdentifier) allComponents.get(4);
Assertions.assertTrue(component.getComponentModel()
.getString()
.equals("Ethernet Connection I219-LM"));
Assertions.assertTrue(component.getComponentAddress().get(0)
component = allComponents.get(4);
Assertions.assertEquals("Ethernet Connection I219-LM", component.getComponentModel()
.getString());
Assertions.assertEquals("8c:0f:6f:72:c6:c5", component.getComponentAddress().get(0)
.getAddressValue()
.getString()
.equals("8c:0f:6f:72:c6:c5"));
Assertions.assertTrue(component.getComponentAddress().get(0)
.getAddressTypeValue()
.equals("ethernet mac"));
.getString());
Assertions.assertEquals("ethernet mac", component.getComponentAddress().get(0)
.getAddressTypeValue());
//Check Platform Properties
List<PlatformProperty> platformProperties = platformConfig.getPlatformProperties();
@ -441,22 +435,22 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
PlatformProperty property;
//Check property #1
property = (PlatformProperty) platformProperties.get(0);
Assertions.assertTrue(property.getPropertyName().getString().equals("vPro"));
Assertions.assertTrue(property.getPropertyValue().getString().equals("true"));
property = platformProperties.get(0);
Assertions.assertEquals("vPro", property.getPropertyName().getString());
Assertions.assertEquals("true", property.getPropertyValue().getString());
//Check property #2
property = (PlatformProperty) platformProperties.get(1);
Assertions.assertTrue(property.getPropertyName().getString().equals("AMT"));
Assertions.assertTrue(property.getPropertyValue().getString().equals("true"));
property = platformProperties.get(1);
Assertions.assertEquals("AMT", property.getPropertyName().getString());
Assertions.assertEquals("true", property.getPropertyValue().getString());
//Check Platform Properties URI
URIReference platformPropertyUri = platformConfig.getPlatformPropertiesUri();
Assertions.assertNotNull(platformPropertyUri);
Assertions.assertTrue(platformPropertyUri.getUniformResourceIdentifier()
.getString()
.equals("https://www.intel.com/platformproperties.xml"));
Assertions.assertEquals("https://www.intel.com/platformproperties.xml",
platformPropertyUri.getUniformResourceIdentifier()
.getString());
Assertions.assertNull(platformPropertyUri.getHashAlgorithm());
Assertions.assertNull(platformPropertyUri.getHashValue());
}
@ -464,7 +458,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
/**
* Tests Platform Configuration Values. View platform Properties
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -489,20 +483,20 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
PlatformProperty property;
//Check property #1
property = (PlatformProperty) platformProperties.get(0);
Assertions.assertTrue(property.getPropertyName().getString().equals("vPro"));
Assertions.assertTrue(property.getPropertyValue().getString().equals("true"));
property = platformProperties.get(0);
Assertions.assertEquals("vPro", property.getPropertyName().getString());
Assertions.assertEquals("true", property.getPropertyValue().getString());
//Check property #2
property = (PlatformProperty) platformProperties.get(1);
Assertions.assertTrue(property.getPropertyName().getString().equals("AMT"));
Assertions.assertTrue(property.getPropertyValue().getString().equals("true"));
property = platformProperties.get(1);
Assertions.assertEquals("AMT", property.getPropertyName().getString());
Assertions.assertEquals("true", property.getPropertyValue().getString());
}
/**
* Tests Platform Configuration Values. View platform Properties
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -524,25 +518,20 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
ComponentIdentifier component;
//Check component #2
component = (ComponentIdentifier) allComponents.get(1);
Assertions.assertTrue(component.getComponentManufacturer()
.getString()
.equals("Intel(R) Corporation"));
Assertions.assertTrue(component.getComponentModel()
.getString()
.equals("Intel(R) Core(TM) i5-7300U CPU @ 2.60GHz"));
component = allComponents.get(1);
Assertions.assertEquals("Intel(R) Corporation", component.getComponentManufacturer()
.getString());
Assertions.assertEquals("Intel(R) Core(TM) i5-7300U CPU @ 2.60GHz", component.getComponentModel()
.getString());
//Check component #3
component = (ComponentIdentifier) allComponents.get(2);
Assertions.assertTrue(component.getComponentModel()
.getString()
.equals("BIOS"));
Assertions.assertTrue(component.getComponentSerial()
.getString()
.equals(ComponentIdentifier.NOT_SPECIFIED_COMPONENT));
Assertions.assertTrue(component.getComponentRevision()
.getString()
.equals("DNKBLi5v.86A.0019.2017.0804.1146"));
component = allComponents.get(2);
Assertions.assertEquals("BIOS", component.getComponentModel()
.getString());
Assertions.assertEquals(ComponentIdentifier.NOT_SPECIFIED_COMPONENT, component.getComponentSerial()
.getString());
Assertions.assertEquals("DNKBLi5v.86A.0019.2017.0804.1146", component.getComponentRevision()
.getString());
//Check Platform Properties
List<PlatformProperty> platformProperties = platformConfig.getPlatformProperties();
@ -556,26 +545,26 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
URIReference platformPropertyUri = platformConfig.getPlatformPropertiesUri();
Assertions.assertNotNull(platformPropertyUri);
Assertions.assertTrue(platformPropertyUri.getUniformResourceIdentifier()
.getString()
.equals("https://www.intel.com/platformproperties.xml"));
Assertions.assertEquals("https://www.intel.com/platformproperties.xml",
platformPropertyUri.getUniformResourceIdentifier()
.getString());
Assertions.assertNull(platformPropertyUri.getHashAlgorithm());
Assertions.assertNull(platformPropertyUri.getHashValue());
//Test TBBSecurityAssertion
TBBSecurityAssertion tbbSec = platformCert.getTBBSecurityAssertion();
Assertions.assertNotNull(tbbSec);
Assertions.assertTrue(tbbSec.getCcInfo().getVersion().getString().equals("3.1"));
Assertions.assertTrue(tbbSec.getCcInfo().getProfileOid().getId().equals("1.2.3.4.5.6"));
Assertions.assertTrue(tbbSec.getFipsLevel().getVersion().getString().equals("140-2"));
Assertions.assertTrue(tbbSec.getIso9000Uri().getString()
.equals("https://www.intel.com/isocertification.pdf"));
Assertions.assertEquals("3.1", tbbSec.getCcInfo().getVersion().getString());
Assertions.assertEquals("1.2.3.4.5.6", tbbSec.getCcInfo().getProfileOid().getId());
Assertions.assertEquals("140-2", tbbSec.getFipsLevel().getVersion().getString());
Assertions.assertEquals("https://www.intel.com/isocertification.pdf",
tbbSec.getIso9000Uri().getString());
}
/**
* Tests Platform Configuration Values. View platform Properties
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -597,24 +586,20 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
ComponentIdentifier component;
//Check component #1
component = (ComponentIdentifier) allComponents.get(0);
Assertions.assertTrue(component.getComponentModel()
.getString()
.equals("NUC7i5DNB"));
Assertions.assertTrue(component.getComponentRevision()
.getString()
.equals("J57626-401"));
component = allComponents.get(0);
Assertions.assertEquals("NUC7i5DNB", component.getComponentModel()
.getString());
Assertions.assertEquals("J57626-401", component.getComponentRevision()
.getString());
//Check component #7
component = (ComponentIdentifier) allComponents.get(6);
component = allComponents.get(6);
Assertions.assertTrue(component.getComponentAddress().size() > 0);
Assertions.assertTrue(component.getComponentAddress().get(0)
Assertions.assertEquals("8c:0f:6f:72:c6:c5", component.getComponentAddress().get(0)
.getAddressValue()
.getString()
.equals("8c:0f:6f:72:c6:c5"));
Assertions.assertTrue(component.getComponentAddress().get(0)
.getAddressTypeValue()
.equals("ethernet mac"));
.getString());
Assertions.assertEquals("ethernet mac", component.getComponentAddress().get(0)
.getAddressTypeValue());
//Check Platform Properties
List<PlatformProperty> platformProperties = platformConfig.getPlatformProperties();
@ -628,27 +613,27 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
URIReference platformPropertyUri = platformConfig.getPlatformPropertiesUri();
Assertions.assertNotNull(platformPropertyUri);
Assertions.assertTrue(platformPropertyUri.getUniformResourceIdentifier()
.getString()
.equals("https://www.intel.com/platformproperties.xml"));
Assertions.assertEquals("https://www.intel.com/platformproperties.xml",
platformPropertyUri.getUniformResourceIdentifier()
.getString());
Assertions.assertNull(platformPropertyUri.getHashAlgorithm());
Assertions.assertNull(platformPropertyUri.getHashValue());
//Test TBBSecurityAssertion
TBBSecurityAssertion tbbSec = platformCert.getTBBSecurityAssertion();
Assertions.assertNotNull(tbbSec);
Assertions.assertTrue(tbbSec.getCcInfo().getVersion().getString().equals("3.1"));
Assertions.assertTrue(tbbSec.getCcInfo().getProfileOid().getId().equals("1.2.3.4.5.6"));
Assertions.assertTrue(tbbSec.getFipsLevel().getVersion().getString().equals("140-2"));
Assertions.assertTrue(tbbSec.getIso9000Uri().getString()
.equals("https://www.intel.com/isocertification.pdf"));
Assertions.assertEquals("3.1", tbbSec.getCcInfo().getVersion().getString());
Assertions.assertEquals("1.2.3.4.5.6", tbbSec.getCcInfo().getProfileOid().getId());
Assertions.assertEquals("140-2", tbbSec.getFipsLevel().getVersion().getString());
Assertions.assertEquals("https://www.intel.com/isocertification.pdf",
tbbSec.getIso9000Uri().getString());
}
/**
* Tests Platform Configuration Values. View platform Properties
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -675,25 +660,25 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
PlatformProperty property;
//Check property #1
property = (PlatformProperty) platformProperties.get(0);
Assertions.assertTrue(property.getPropertyName().getString().equals("AMT"));
Assertions.assertTrue(property.getPropertyValue().getString().equals("true"));
property = platformProperties.get(0);
Assertions.assertEquals("AMT", property.getPropertyName().getString());
Assertions.assertEquals("true", property.getPropertyValue().getString());
//Check property #2
property = (PlatformProperty) platformProperties.get(1);
Assertions.assertTrue(property.getPropertyName().getString().equals("vPro Enabled"));
Assertions.assertTrue(property.getPropertyValue().getString().equals("true"));
property = platformProperties.get(1);
Assertions.assertEquals("vPro Enabled", property.getPropertyName().getString());
Assertions.assertEquals("true", property.getPropertyValue().getString());
//Check property #3
property = (PlatformProperty) platformProperties.get(2);
Assertions.assertTrue(property.getPropertyName().getString().equals("DropShip Enabled"));
Assertions.assertTrue(property.getPropertyValue().getString().equals("false"));
property = platformProperties.get(2);
Assertions.assertEquals("DropShip Enabled", property.getPropertyName().getString());
Assertions.assertEquals("false", property.getPropertyValue().getString());
}
/**
* Tests Platform Configuration Values. View platform Properties
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -705,7 +690,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
PlatformCredential platformCert = new PlatformCredential(certPath);
PlatformConfiguration platformConfig = platformCert.getPlatformConfiguration();
Assertions.assertTrue(platformConfig instanceof PlatformConfigurationV2);
Assertions.assertInstanceOf(PlatformConfigurationV2.class, platformConfig);
Assertions.assertEquals(platformConfig.getPlatformPropertiesUri()
.getUniformResourceIdentifier().toString(),
"https://www.intel.com/platformproperties.xml");
@ -721,7 +706,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
* Tests Platform Configuration Values. View platform Properties
*
* @throws URISyntaxException if there is a problem constructing the cert's URI
* @throws IOException if there is a problem reading the cert file
* @throws IOException if there is a problem reading the cert file
*/
@Test
public final void testSmallNewPlatformCredential() throws URISyntaxException, IOException {
@ -734,7 +719,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
/**
* Tests Platform Configuration Values. View platform Properties
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -748,7 +733,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
/**
* Tests Platform Configuration Values. View platform Properties
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test
@ -762,7 +747,7 @@ public class PlatformCredentialTest extends AbstractUserdefinedEntityTest {
/**
* Tests Platform Configuration Values. View platform Properties
*
* @throws IOException if an IO error occurs during processing
* @throws IOException if an IO error occurs during processing
* @throws URISyntaxException if there is a problem constructing the cert's URI
*/
@Test

24
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentClassTest.java
View File

@ -1,12 +1,13 @@
package hirs.attestationca.persist.entity.userdefined.certificate.attributes;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;
import org.junit.jupiter.api.Test;
import java.net.URISyntaxException;
import java.nio.file.Paths;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;
/**
* Tests for the ComponentClassTest class.
*/
@ -16,6 +17,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -32,6 +34,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -47,6 +50,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -59,8 +63,10 @@ public class ComponentClassTest {
assertEquals(resultComponent, "Unknown");
assertEquals(resultCategory, "None");
}
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -76,6 +82,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -91,6 +98,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -106,6 +114,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -121,6 +130,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -136,6 +146,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -151,6 +162,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -166,6 +178,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -181,6 +194,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -196,6 +210,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -211,6 +226,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -226,6 +242,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -241,6 +258,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -256,6 +274,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test
@ -271,6 +290,7 @@ public class ComponentClassTest {
/**
* Test of getComponent method, of class ComponentClass.
*
* @throws URISyntaxException if there is a problem constructing the URI
*/
@Test

5
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/TPMSecurityAssertionsTest.java
View File

@ -1,9 +1,10 @@
package hirs.attestationca.persist.entity.userdefined.certificate.attributes;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.fail;
import org.junit.jupiter.api.Test;
/**
* Tests for the TPMSecurityAssertions class.
@ -28,7 +29,6 @@ public class TPMSecurityAssertionsTest {
assertNull(TPMSecurityAssertions.EkGenerationType.values()[4]);
fail();
} catch (ArrayIndexOutOfBoundsException e) {
return;
}
}
@ -48,7 +48,6 @@ public class TPMSecurityAssertionsTest {
assertNull(TPMSecurityAssertions.EkGenerationLocation.values()[3]);
fail();
} catch (ArrayIndexOutOfBoundsException e) {
return;
}
}
}

7
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/info/PortalInfoTest.java
View File

@ -1,12 +1,13 @@
package hirs.attestationca.persist.entity.userdefined.info;
import hirs.utils.enums.PortalScheme;
import org.junit.jupiter.api.Test;
import java.net.InetAddress;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.fail;
import org.junit.jupiter.api.Test;
/**
* Provides tests for PortalInfo.
@ -56,6 +57,7 @@ public class PortalInfoTest {
/**
* Test that the ip address can be set and retrieved via an InetAddress.
*
* @throws Exception If there is a problem with InetAddress.
*/
@Test
@ -70,6 +72,7 @@ public class PortalInfoTest {
/**
* Test that the ip address can be set and retrieved via a String.
*
* @throws Exception If there is a problem with InetAddress.
*/
@Test

21
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/info/TPMInfoTest.java
View File

@ -1,15 +1,16 @@
package hirs.attestationca.persist.entity.userdefined.info;
import static hirs.utils.enums.DeviceInfoEnums.NOT_SPECIFIED;
import hirs.attestationca.persist.entity.userdefined.AbstractUserdefinedEntityTest;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.junit.jupiter.api.Test;
import static hirs.utils.enums.DeviceInfoEnums.NOT_SPECIFIED;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
import org.junit.jupiter.api.Test;
/**
* TPMInfoTest is a unit test class for TPMInfo.
@ -53,7 +54,7 @@ public class TPMInfoTest extends AbstractUserdefinedEntityTest {
assertEquals(tpmInfo.getTpmVersionMinor(), (short) 0);
assertEquals(tpmInfo.getTpmVersionRevMajor(), (short) 0);
assertEquals(tpmInfo.getTpmVersionRevMinor(), (short) 0);
assertEquals(tpmInfo.getIdentityCertificate(), null);
assertNull(tpmInfo.getIdentityCertificate());
}
/**
@ -63,7 +64,7 @@ public class TPMInfoTest extends AbstractUserdefinedEntityTest {
public final void tpmMakeNullTest() {
assertThrows(IllegalArgumentException.class, () ->
new TPMInfo(null, VERSION_MAJOR, VERSION_MINOR, VERSION_REV_MAJOR,
VERSION_REV_MINOR, getTestIdentityCertificate()));
VERSION_REV_MINOR, getTestIdentityCertificate()));
}
/**
@ -73,7 +74,7 @@ public class TPMInfoTest extends AbstractUserdefinedEntityTest {
public final void tpmMakeLongTest() {
assertThrows(IllegalArgumentException.class, () ->
new TPMInfo(LONG_TPM_MAKE, VERSION_MAJOR, VERSION_MINOR, VERSION_REV_MAJOR,
VERSION_REV_MINOR, getTestIdentityCertificate()));
VERSION_REV_MINOR, getTestIdentityCertificate()));
}
/**
@ -84,7 +85,7 @@ public class TPMInfoTest extends AbstractUserdefinedEntityTest {
public final void testTPMInfoInvalidVersionMajor() {
assertThrows(IllegalArgumentException.class, () ->
new TPMInfo(TPM_MAKE, (short) -1, VERSION_MINOR, VERSION_REV_MAJOR,
VERSION_REV_MINOR, getTestIdentityCertificate()));
VERSION_REV_MINOR, getTestIdentityCertificate()));
}
/**
@ -95,7 +96,7 @@ public class TPMInfoTest extends AbstractUserdefinedEntityTest {
public final void testTPMInfoInvalidVersionMinor() {
assertThrows(IllegalArgumentException.class, () ->
new TPMInfo(TPM_MAKE, VERSION_MAJOR, (short) -1, VERSION_REV_MAJOR,
VERSION_REV_MINOR, getTestIdentityCertificate()));
VERSION_REV_MINOR, getTestIdentityCertificate()));
}
/**
@ -106,7 +107,7 @@ public class TPMInfoTest extends AbstractUserdefinedEntityTest {
public final void testTPMInfoInvalidVersionRevMajor() {
assertThrows(IllegalArgumentException.class, () ->
new TPMInfo(TPM_MAKE, VERSION_MAJOR, VERSION_MINOR, (short) -1,
VERSION_REV_MINOR, getTestIdentityCertificate()));
VERSION_REV_MINOR, getTestIdentityCertificate()));
}
/**
@ -117,7 +118,7 @@ public class TPMInfoTest extends AbstractUserdefinedEntityTest {
public final void testTPMInfoInvalidVersionRevMinor() {
assertThrows(IllegalArgumentException.class, () ->
new TPMInfo(TPM_MAKE, VERSION_MAJOR, VERSION_MINOR, VERSION_REV_MAJOR,
(short) -1, getTestIdentityCertificate()));
(short) -1, getTestIdentityCertificate()));
}
/**

7
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/record/TPMMeasurementRecordTest.java
View File

@ -5,14 +5,13 @@ import hirs.utils.digest.Digest;
import hirs.utils.digest.DigestAlgorithm;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.junit.jupiter.api.Test;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertThrows;
/**

11
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/report/DeviceInfoReportTest.java
View File

@ -1,14 +1,14 @@
package hirs.attestationca.persist.entity.userdefined.report;
import hirs.attestationca.persist.entity.userdefined.AbstractUserdefinedEntityTest;
import hirs.attestationca.persist.entity.userdefined.info.FirmwareInfo;
import hirs.attestationca.persist.entity.userdefined.info.HardwareInfo;
import hirs.attestationca.persist.entity.userdefined.info.NetworkInfo;
import hirs.attestationca.persist.entity.userdefined.info.OSInfo;
import hirs.attestationca.persist.entity.userdefined.info.TPMInfo;
import hirs.attestationca.persist.entity.userdefined.info.NetworkInfo;
import hirs.attestationca.persist.entity.userdefined.info.HardwareInfo;
import hirs.attestationca.persist.entity.userdefined.info.FirmwareInfo;
import hirs.utils.VersionHelper;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
@ -16,14 +16,13 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
* Unit test class for DeviceInfoReports.
*/
public class DeviceInfoReportTest extends AbstractUserdefinedEntityTest {
private static final String EXPECTED_CLIENT_VERSION = VersionHelper.getVersion();
private final NetworkInfo networkInfo = createTestNetworkInfo();
private final OSInfo osInfo = createTestOSInfo();
private final FirmwareInfo firmwareInfo = createTestFirmwareInfo();
private final HardwareInfo hardwareInfo = createTestHardwareInfo();
private final TPMInfo tpmInfo = createTPMInfo();
private static final String EXPECTED_CLIENT_VERSION = VersionHelper.getVersion();
/**
* Tests instantiation of a DeviceInfoReport.
*/

20
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/provision/helper/CredentialManagementHelperTest.java
View File

@ -20,13 +20,12 @@ import static org.mockito.Mockito.verify;
*/
public class CredentialManagementHelperTest {
@Mock
private CertificateRepository certificateRepository;
private static final String EK_HEADER_TRUNCATED
= "/certificates/nuc-1/ek_cert_7_byte_header_removed.cer";
private static final String EK_UNTOUCHED
= "/certificates/nuc-1/ek_cert_untouched.cer";
@Mock
private CertificateRepository certificateRepository;
/**
* Setup mocks.
@ -39,6 +38,7 @@ public class CredentialManagementHelperTest {
/**
* Tests exception generated if providing a null cert repository.
*
* @throws IOException if an IO error occurs
*/
@Test
@ -47,7 +47,7 @@ public class CredentialManagementHelperTest {
String path = CredentialManagementHelperTest.class.getResource(EK_UNTOUCHED).getPath();
byte[] ekBytes = IOUtils.toByteArray(new FileInputStream(path));
assertThrows(IllegalArgumentException.class, () ->
CredentialManagementHelper.storeEndorsementCredential(null, ekBytes, "testName"));
CredentialManagementHelper.storeEndorsementCredential(null, ekBytes, "testName"));
}
/**
@ -56,7 +56,8 @@ public class CredentialManagementHelperTest {
@Test
public void processNullEndorsementCredential() {
assertThrows(IllegalArgumentException.class, () ->
CredentialManagementHelper.storeEndorsementCredential(certificateRepository, null, "testName"));
CredentialManagementHelper.storeEndorsementCredential(certificateRepository, null,
"testName"));
}
/**
@ -65,8 +66,8 @@ public class CredentialManagementHelperTest {
@Test
public void processEmptyEndorsementCredential() {
assertThrows(IllegalArgumentException.class, () ->
CredentialManagementHelper.storeEndorsementCredential(
certificateRepository, new byte[0], "testName"));
CredentialManagementHelper.storeEndorsementCredential(
certificateRepository, new byte[0], "testName"));
}
/**
@ -87,11 +88,13 @@ public class CredentialManagementHelperTest {
public void processInvalidEndorsementCredentialCase2() {
byte[] ekBytes = new byte[] {1, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0};
assertThrows(IllegalArgumentException.class, () ->
CredentialManagementHelper.storeEndorsementCredential(certificateRepository, ekBytes, "testName"));
CredentialManagementHelper.storeEndorsementCredential(certificateRepository, ekBytes,
"testName"));
}
/**
* Tests processing a valid EK with the 7 byte header in tact.
*
* @throws IOException if an IO error occurs
*/
@Test
@ -105,6 +108,7 @@ public class CredentialManagementHelperTest {
/**
* Tests processing a valid EK with the 7 byte header already stripped.
*
* @throws IOException if an IO error occurs
*/
@Test

19
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/provision/helper/IssuedCertificateAttributeHelperTest.java
View File

@ -1,7 +1,7 @@
package hirs.attestationca.persist.provision.helper;
import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential;
import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.ASN1TaggedObject;
@ -51,23 +51,25 @@ public class IssuedCertificateAttributeHelperTest {
/**
* Test that provide a null host name and is rejected.
*
* @throws IOException an IO error occurs
*/
@Test
public void rejectNullHostName() throws IOException {
assertThrows(IllegalArgumentException.class, () ->
IssuedCertificateAttributeHelper.buildSubjectAlternativeNameFromCerts(null, null, ""));
IssuedCertificateAttributeHelper.buildSubjectAlternativeNameFromCerts(null, null, ""));
}
/**
* Test that subject alt name can be built without an EC or PC.
*
* @throws IOException an IO error occurs
*/
@Test
public void buildAttributesNoEndorsementNoPlatform() throws IOException {
Extension subjectAlternativeName =
IssuedCertificateAttributeHelper.buildSubjectAlternativeNameFromCerts(
null, new ArrayList<PlatformCredential>(), TEST_HOSTNAME);
IssuedCertificateAttributeHelper.buildSubjectAlternativeNameFromCerts(
null, new ArrayList<PlatformCredential>(), TEST_HOSTNAME);
Map<String, String> subjectAlternativeNameAttrMap = getSubjectAlternativeNameAttributes(
subjectAlternativeName);
@ -83,7 +85,8 @@ public class IssuedCertificateAttributeHelperTest {
/**
* Test that subject alt name can be built with an EC but no PC.
* @throws IOException an IO error occurs
*
* @throws IOException an IO error occurs
* @throws URISyntaxException unrecognized URI for EC Path
*/
@Test
@ -114,7 +117,8 @@ public class IssuedCertificateAttributeHelperTest {
/**
* Test that subject alt name can be built with an PC but no EC.
* @throws IOException an IO error occurs
*
* @throws IOException an IO error occurs
* @throws URISyntaxException unrecognized URI for PC Path
*/
@Test
@ -147,7 +151,8 @@ public class IssuedCertificateAttributeHelperTest {
/**
* Test that subject alt name can be built with a PC and an EC.
* @throws IOException an IO error occurs
*
* @throws IOException an IO error occurs
* @throws URISyntaxException unrecognized URI for EC or PC Path
*/
@Test

566
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/validation/SupplyChainCredentialValidatorTest.java
View File

@ -1,26 +1,20 @@
package hirs.attestationca.persist.validation;
import hirs.attestationca.persist.entity.ArchivableEntity;
import hirs.attestationca.persist.entity.userdefined.Certificate;
import hirs.attestationca.persist.entity.userdefined.SupplyChainValidation;
import hirs.attestationca.persist.entity.userdefined.certificate.CertificateAuthorityCredential;
import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential;
import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.ComponentClass;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.V2.AttributeStatus;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.ComponentIdentifier;
import hirs.attestationca.persist.entity.userdefined.info.ComponentInfo;
import hirs.attestationca.persist.entity.userdefined.info.HardwareInfo;
import hirs.attestationca.persist.entity.userdefined.info.OSInfo;
import hirs.attestationca.persist.entity.userdefined.info.NetworkInfo;
import hirs.attestationca.persist.entity.userdefined.info.FirmwareInfo;
import hirs.attestationca.persist.entity.userdefined.info.HardwareInfo;
import hirs.attestationca.persist.entity.userdefined.info.NetworkInfo;
import hirs.attestationca.persist.entity.userdefined.info.OSInfo;
import hirs.attestationca.persist.entity.userdefined.info.TPMInfo;
import hirs.attestationca.persist.entity.userdefined.info.component.NICComponentInfo;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.ComponentIdentifier;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.V2.ComponentIdentifierV2;
import hirs.attestationca.persist.entity.userdefined.report.DeviceInfoReport;
import hirs.attestationca.persist.enums.AppraisalStatus;
import hirs.utils.enums.DeviceInfoEnums;
import org.apache.commons.io.IOUtils;
import org.bouncycastle.asn1.ASN1Boolean;
import org.bouncycastle.asn1.DERUTF8String;
@ -39,18 +33,10 @@ import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.fail;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileOutputStream;
@ -81,17 +67,22 @@ import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.List;
import java.util.ArrayList;
import java.util.Date;
import java.util.Map;
import java.util.HashMap;
import java.util.UUID;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
/**
* Tests the SupplyChainCredentialValidator and CredentialValidator class.
* Migration note: Tests specifically for test Intel Nuc Platform Credentials
@ -100,24 +91,6 @@ import java.util.UUID;
*/
public class SupplyChainCredentialValidatorTest {
private static final String JSON_FILE = "/config/component-class.json";
private static final String SAMPLE_PACCOR_OUTPUT_TXT = "/hirs/validation/sample_paccor_output.txt";
private static final String SAMPLE_PACCOR_OUTPUT_NOT_SPECIFIED_TXT
= "/hirs/validation/sample_paccor_output_not_specified_values.txt";
private static final String SAMPLE_TEST_PACCOR_CERT
= "/validation/platform_credentials_2/paccor_platform_cert.crt";
private static final String SAMPLE_PACCOR_OUTPUT_WITH_EXTRA_COMPONENT_TXT
= "/hirs/validation/sample_paccor_output_with_extra_component.txt";
private static HardwareInfo hardwareInfo;
private final SupplyChainCredentialValidator supplyChainCredentialValidator =
new SupplyChainCredentialValidator();
private final CredentialValidator credentialValidator =
new CredentialValidator();
private static KeyStore keyStore;
private static KeyStore emptyKeyStore;
/**
* File name used to initialize a test KeyStore.
*/
@ -126,17 +99,21 @@ public class SupplyChainCredentialValidatorTest {
* SecureRandom instance.
*/
static final SecureRandom SECURE_RANDOM = new SecureRandom();
private static final String JSON_FILE = "/config/component-class.json";
private static final String SAMPLE_PACCOR_OUTPUT_TXT = "/hirs/validation/sample_paccor_output.txt";
private static final String SAMPLE_PACCOR_OUTPUT_NOT_SPECIFIED_TXT
= "/hirs/validation/sample_paccor_output_not_specified_values.txt";
private static final String SAMPLE_TEST_PACCOR_CERT
= "/validation/platform_credentials_2/paccor_platform_cert.crt";
private static final String SAMPLE_PACCOR_OUTPUT_WITH_EXTRA_COMPONENT_TXT
= "/hirs/validation/sample_paccor_output_with_extra_component.txt";
private static final String TEST_SIGNING_KEY = "/validation/platform_credentials/ca.pub";
private static final String TEST_PLATFORM_CRED =
"/validation/platform_credentials/plat_cert1.pem";
private static final String TEST_PLATFORM_CRED2 =
"/validation/platform_credentials/pciids_plat_cert_2-0.pem";
private static final String TEST_PLATFORM_CRED_BASE_CHASIS_COMBO =
"/validation/platform_credentials/Intel_pc5.pem";
private static final String TEST_BOARD_SERIAL_NUMBER = "GETY421001GV";
private static final String TEST_CHASSIS_SERIAL_NUMBER = "G6YK42300C87";
private static final String TEST_EK_CERT = "/certificates/nuc-2/tpmcert.pem";
@ -145,20 +122,16 @@ public class SupplyChainCredentialValidatorTest {
private static final String TEST_COMPONENT_MODEL = "platform2018";
private static final String TEST_COMPONENT_REVISION = "1.0";
private static final String BAD_SERIAL = "BAD_SERIAL";
//-------Actual ST Micro Endorsement Credential Certificate Chain!--------------
private static final String EK_CERT = "";
private static final String INT_CA_CERT02 = "/certificates/fakestmtpmekint02.pem";
//-------Generated Intel Credential Certificate Chain--------------
private static final String INTEL_PLATFORM_CERT =
"/validation/platform_credentials/plat_cert3.pem";
private static final String INTEL_PLATFORM_CERT_2 =
"/validation/platform_credentials/Intel_pc2.pem";
private static final String INTEL_PLATFORM_CERT_3 =
"/validation/platform_credentials/pciids_plat_cert_2-0.pem";
private static final String INTEL_INT_CA =
"/validation/platform_credentials/intel_chain/root/intermediate1.crt";
private static final String FAKE_ROOT_CA =
@ -166,7 +139,6 @@ public class SupplyChainCredentialValidatorTest {
private static final String PLATFORM_MANUFACTURER = "Intel";
private static final String PLATFORM_MODEL = "S2600KP";
private static final String PLATFORM_VERSION = "H76962-350";
//-------Original Intel Credential Certificate Chain--------------
private static final String INTEL_PLATFORM_CERT_ORIG =
"/certificates/fakeIntel_S2600KP_F00F00F00F00.pem";
@ -174,38 +146,36 @@ public class SupplyChainCredentialValidatorTest {
"/certificates/fakeIntelIntermediateCA.pem";
private static final String FAKE_ROOT_CA_ORIG =
"/certificates/fakeCA.pem";
//-------Fake SGI Credential Certificate Chain--------------
private static final String SGI_PLATFORM_CERT = "/certificates/fakeSGI_J2_F00F00F0.pem";
private static final String SGI_INT_CA = "/certificates/fakeSGIIntermediateCA.pem";
private static final String SGI_CRED_SERIAL_NUMBER = "F00F00F0";
//-------Actual Intel NUC Platform --------------
private static final String NUC_PLATFORM_CERT =
"/certificates/Intel_nuc_pc.pem";
private static final String NUC_PLATFORM_CERT_SERIAL_NUMBER = "GETY421001DY";
private static final String NUC_PLATFORM_CERT2 =
"/certificates/Intel_nuc_pc2.pem";
private static final String NUC_PLATFORM_CERT_SERIAL_NUMBER2 = "GETY4210001M";
private static final String INTEL_SIGNING_KEY = "/certificates/IntelSigningKey_20April2017.pem";
private static final String NEW_NUC1 =
"/validation/platform_credentials/Intel_pc3.cer";
private static HardwareInfo hardwareInfo;
private static KeyStore keyStore;
private static KeyStore emptyKeyStore;
private final SupplyChainCredentialValidator supplyChainCredentialValidator =
new SupplyChainCredentialValidator();
private final CredentialValidator credentialValidator =
new CredentialValidator();
/**
* Sets up a KeyStore for testing.
*
* @throws KeyStoreException
* if no Provider supports a KeyStoreSpi implementation for the specified type.
* @throws NoSuchAlgorithmException
* if the algorithm used to check the integrity of the keystore cannot be found
* @throws CertificateException
* if any of the certificates in the keystore could not be loaded
* @throws IOException
* if there is an I/O or format problem with the keystore data, if a password is
* required but not given, or if the given password was incorrect
* @throws KeyStoreException if no Provider supports a KeyStoreSpi implementation for the specified type.
* @throws NoSuchAlgorithmException if the algorithm used to check the integrity of the keystore cannot be found
* @throws CertificateException if any of the certificates in the keystore could not be loaded
* @throws IOException if there is an I/O or format problem with the keystore data, if a password is
* required but not given, or if the given password was incorrect
*/
@BeforeAll
public static void setUp() throws KeyStoreException, NoSuchAlgorithmException,
@ -234,13 +204,178 @@ public class SupplyChainCredentialValidatorTest {
}
}
private static DeviceInfoReport setupDeviceInfoReport() {
hardwareInfo = new HardwareInfo(
"ACME",
"anvil",
"3.0",
"1234",
"567",
"890");
DeviceInfoReport deviceInfoReport = mock(DeviceInfoReport.class);
when(deviceInfoReport.getHardwareInfo()).thenReturn(hardwareInfo);
return deviceInfoReport;
}
private static DeviceInfoReport setupDeviceInfoReportWithComponents() throws IOException {
return setupDeviceInfoReportWithComponents(SAMPLE_PACCOR_OUTPUT_TXT);
}
private static DeviceInfoReport setupDeviceInfoReportWithNotSpecifiedComponents()
throws IOException {
return setupDeviceInfoReportWithComponents(SAMPLE_PACCOR_OUTPUT_NOT_SPECIFIED_TXT);
}
private static DeviceInfoReport setupDeviceInfoReportWithComponents(
final String paccorOutputResource) throws IOException {
DeviceInfoReport deviceInfoReport = setupDeviceInfoReport();
URL url = SupplyChainCredentialValidator.class.getResource(paccorOutputResource);
String paccorOutputString = IOUtils.toString(url, StandardCharsets.UTF_8);
when(deviceInfoReport.getPaccorOutputString()).thenReturn(paccorOutputString);
return deviceInfoReport;
}
/**
* Creates a new RSA 1024-bit KeyPair using a Bouncy Castle Provider.
*
* @return new KeyPair
*/
private static KeyPair createKeyPair() {
final int keySize = 1024;
KeyPairGenerator gen;
KeyPair keyPair = null;
try {
gen = KeyPairGenerator.getInstance("RSA", BouncyCastleProvider.PROVIDER_NAME);
gen.initialize(keySize, SECURE_RANDOM);
keyPair = gen.generateKeyPair();
} catch (NoSuchAlgorithmException | NoSuchProviderException e) {
fail("Error occurred while generating key pair", e);
}
return keyPair;
}
/**
* Create a new X.509 attribute certificate given the holder cert, the signing cert, and the
* signing key.
*
* @param targetCert X509Certificate that will be the holder of the attribute cert
* @param signingCert X509Certificate used to sign the new attribute cert
* @param caPrivateKey PrivateKey used to sign the new attribute cert
* @return new X509AttributeCertificate
*/
private static X509AttributeCertificateHolder createAttributeCert(
final X509Certificate targetCert, final X509Certificate signingCert,
final PrivateKey caPrivateKey) {
X509AttributeCertificateHolder cert = null;
try {
final int timeRange = 50000;
AttributeCertificateHolder holder =
new AttributeCertificateHolder(new X509CertificateHolder(
targetCert.getEncoded()));
AttributeCertificateIssuer issuer =
new AttributeCertificateIssuer(new X500Name(signingCert
.getSubjectX500Principal().getName()));
BigInteger serialNumber = BigInteger.ONE;
Date notBefore = new Date(System.currentTimeMillis() - timeRange);
Date notAfter = new Date(System.currentTimeMillis() + timeRange);
X509v2AttributeCertificateBuilder builder =
new X509v2AttributeCertificateBuilder(holder, issuer, serialNumber, notBefore,
notAfter);
ContentSigner signer =
new JcaContentSignerBuilder("SHA1WithRSA").setProvider("BC")
.build(caPrivateKey);
cert = builder.build(signer);
} catch (CertificateEncodingException | IOException | OperatorCreationException e) {
fail("Exception occurred while creating a cert", e);
}
return cert;
}
/**
* Create a new X.509 public-key certificate signed by the given certificate.
*
* @param keyPair KeyPair to create the cert for
* @param signingKey PrivateKey of the signing cert
* @param signingCert signing cert
* @return new X509Certificate
*/
private static X509Certificate createCertSignedByAnotherCert(final KeyPair keyPair,
final PrivateKey signingKey,
final X509Certificate signingCert) {
final int timeRange = 10000;
X509Certificate cert = null;
try {
X500Name issuerName = new X500Name(signingCert.getSubjectX500Principal().getName());
X500Name subjectName = new X500Name("CN=Test V3 Certificate");
BigInteger serialNumber = BigInteger.ONE;
Date notBefore = new Date(System.currentTimeMillis() - timeRange);
Date notAfter = new Date(System.currentTimeMillis() + timeRange);
X509v3CertificateBuilder builder =
new JcaX509v3CertificateBuilder(issuerName, serialNumber, notBefore, notAfter,
subjectName, keyPair.getPublic());
ContentSigner signer =
new JcaContentSignerBuilder("SHA1WithRSA").setProvider("BC").build(signingKey);
return new JcaX509CertificateConverter().setProvider("BC").getCertificate(
builder.build(signer));
} catch (Exception e) {
fail("Exception occurred while creating a cert", e);
}
return cert;
}
/**
* Creates a self-signed X.509 public-key certificate.
*
* @param pair KeyPair to create the cert for
* @return self-signed X509Certificate
*/
private static X509Certificate createSelfSignedCertificate(final KeyPair pair) {
Security.addProvider(new BouncyCastleProvider());
final int timeRange = 10000;
X509Certificate cert = null;
try {
X500Name issuerName = new X500Name("CN=Test Self-Signed V3 Certificate");
X500Name subjectName = new X500Name("CN=Test Self-Signed V3 Certificate");
BigInteger serialNumber = BigInteger.ONE;
Date notBefore = new Date(System.currentTimeMillis() - timeRange);
Date notAfter = new Date(System.currentTimeMillis() + timeRange);
X509v3CertificateBuilder builder =
new JcaX509v3CertificateBuilder(issuerName, serialNumber, notBefore, notAfter,
subjectName, pair.getPublic());
ContentSigner signer =
new JcaContentSignerBuilder("SHA1WithRSA").setProvider("BC").build(
pair.getPrivate());
return new JcaX509CertificateConverter().setProvider("BC").getCertificate(
builder.build(signer));
} catch (Exception e) {
fail("Exception occurred while creating a cert", e);
}
return cert;
}
private static InetAddress getTestIpAddress() {
try {
return InetAddress.getByAddress(new byte[] {127, 0, 0, 1});
} catch (UnknownHostException e) {
return null;
}
}
/**
* Checks if the ST Micro Endorsement Credential can be validated against the
* ST/GlobalSIgn Certificate Chain.
* @throws IOException if error occurs while reading files
* @throws URISyntaxException if error occurs while reading files
*
* @throws IOException if error occurs while reading files
* @throws URISyntaxException if error occurs while reading files
* @throws CertificateException if error occurs while processing X509 Certs
* @throws KeyStoreException if error occurs while processing Keystore
* @throws KeyStoreException if error occurs while processing Keystore
*/
@Test
public final void testValidateEndorsementCredential()
@ -267,7 +402,7 @@ public class SupplyChainCredentialValidatorTest {
ekcert, keyStore, true);
assertEquals(AppraisalStatus.Status.PASS, result.getAppStatus());
assertEquals(SupplyChainCredentialValidator.ENDORSEMENT_VALID, result.getMessage());
} finally {
} finally {
keyStore.deleteEntry("Intel Intermediate Cert");
keyStore.deleteEntry("CA cert");
}
@ -277,10 +412,10 @@ public class SupplyChainCredentialValidatorTest {
* Validates a generated cert chain pretending to be from Intel. Credential was generated
* with an intermediate CA. This tests the entire chain of validation back to the root CA.
*
* @throws IOException if error occurs while reading files
* @throws KeyStoreException if there's an issue string certs to the keystore
* @throws IOException if error occurs while reading files
* @throws KeyStoreException if there's an issue string certs to the keystore
* @throws CertificateException if error occurs while ingesting a certificate
* @throws URISyntaxException if a URI can't be processed
* @throws URISyntaxException if a URI can't be processed
*/
@Test
public final void validateIntelPlatformCredentials()
@ -288,13 +423,13 @@ public class SupplyChainCredentialValidatorTest {
Certificate intermediatecacert =
new CertificateAuthorityCredential(Files.readAllBytes(Paths.get(
Objects.requireNonNull(getClass().getResource(INTEL_INT_CA)).toURI()))
);
Objects.requireNonNull(getClass().getResource(INTEL_INT_CA)).toURI()))
);
Certificate rootcacert =
new CertificateAuthorityCredential(Files.readAllBytes(Paths.get(
Objects.requireNonNull(getClass().getResource(FAKE_ROOT_CA)).toURI()))
);
Objects.requireNonNull(getClass().getResource(FAKE_ROOT_CA)).toURI()))
);
try {
keyStore.setCertificateEntry("CA cert", rootcacert.getX509Certificate());
@ -354,9 +489,9 @@ public class SupplyChainCredentialValidatorTest {
/**
* Checks if the Platform Credential contains the serial number from
* the device in the platform serial number field.
* @throws Exception If there are errors.
*
* */
* @throws Exception If there are errors.
*/
// @Test
public final void validatePlatformCredentialWithDeviceBaseboard()
throws Exception {
@ -377,7 +512,7 @@ public class SupplyChainCredentialValidatorTest {
AppraisalStatus result =
CredentialValidator.validatePlatformCredentialAttributes(pc,
deviceInfoReport, ec, null, null,
Collections.emptyList(), UUID.randomUUID(), false);
Collections.emptyList(), UUID.randomUUID(), false);
assertEquals(AppraisalStatus.Status.PASS, result.getAppStatus());
assertEquals(SupplyChainCredentialValidator.PLATFORM_ATTRIBUTES_VALID,
result.getMessage());
@ -414,10 +549,10 @@ public class SupplyChainCredentialValidatorTest {
result.getMessage());
}
/**
* Checks if the NUC Platform Credential contains the serial number from
* the device as a baseboard component in the serial number field.
*
* @throws Exception If there are errors.
*/
// @Test
@ -462,7 +597,7 @@ public class SupplyChainCredentialValidatorTest {
byte[] certBytes = Files.readAllBytes(Paths.get(
Objects.requireNonNull(SupplyChainCredentialValidatorTest.class.
getResource(INTEL_PLATFORM_CERT_2)).toURI()));
getResource(INTEL_PLATFORM_CERT_2)).toURI()));
PlatformCredential pc = new PlatformCredential(certBytes);
@ -530,7 +665,7 @@ public class SupplyChainCredentialValidatorTest {
PlatformCredential pc = new PlatformCredential(certBytes);
EndorsementCredential ec = new EndorsementCredential(Files.readAllBytes(Paths.get(
Objects.requireNonNull(getClass().getResource(TEST_EK_CERT)).toURI())));
Objects.requireNonNull(getClass().getResource(TEST_EK_CERT)).toURI())));
AppraisalStatus result =
CredentialValidator.validatePlatformCredentialAttributes(pc,
@ -544,6 +679,7 @@ public class SupplyChainCredentialValidatorTest {
/**
* Checks if the Platform Credential validator appropriately fails
* when there are no serial numbers returned from the device.
*
* @throws Exception If there are errors.
*/
// @Test
@ -578,6 +714,7 @@ public class SupplyChainCredentialValidatorTest {
/**
* Checks if the Platform Credential validator appropriately fails
* when there are no serial numbers matching any of the platform info from the device.
*
* @throws Exception If there are errors.
*/
// @Test
@ -611,10 +748,10 @@ public class SupplyChainCredentialValidatorTest {
/**
* Checks if a cert can be validated against the given public key.
*
* @throws IOException if error occurs while reading files
* @throws InvalidKeySpecException if error occurs while generating the PublicKey
* @throws NoSuchAlgorithmException if error occurs while getting RSA KeyFactory
* @throws URISyntaxException if error occurs constructing test cert path
* @throws IOException if error occurs while reading files
* @throws InvalidKeySpecException if error occurs while generating the PublicKey
* @throws NoSuchAlgorithmException if error occurs while getting RSA KeyFactory
* @throws URISyntaxException if error occurs constructing test cert path
* @throws SupplyChainValidatorException if error occurs due to using null certificates
*/
@Test
@ -643,8 +780,8 @@ public class SupplyChainCredentialValidatorTest {
* Negative test to check if validation against a public key can fail. Generates a random
* key pair and attempts to validate it against the Intel cert, which is expected to fail.
*
* @throws IOException if error occurs while reading files
* @throws URISyntaxException if an error occurs while constructing test resource's URI
* @throws IOException if error occurs while reading files
* @throws URISyntaxException if an error occurs while constructing test resource's URI
* @throws SupplyChainValidatorException if error occurs due to using null certificates
*/
@Test
@ -899,7 +1036,7 @@ public class SupplyChainCredentialValidatorTest {
* validation passes. This should result in an error as keystores should never
* be empty.
*
* @throws IOException an error occurs when parsing the certificate
* @throws IOException an error occurs when parsing the certificate
* @throws URISyntaxException an error occurs parsing the certificate file path
*/
@Test
@ -907,7 +1044,7 @@ public class SupplyChainCredentialValidatorTest {
throws URISyntaxException, IOException {
byte[] certBytes = Files.readAllBytes(Paths.get(
Objects.requireNonNull(SupplyChainCredentialValidatorTest.class.getResource(
INTEL_PLATFORM_CERT)).toURI()));
INTEL_PLATFORM_CERT)).toURI()));
PlatformCredential pc = new PlatformCredential(certBytes);
@ -939,7 +1076,7 @@ public class SupplyChainCredentialValidatorTest {
* Verifies that a null check is performed on the keyStore
* when validating platform credentials.
*
* @throws IOException an error occurs when parsing the certificate
* @throws IOException an error occurs when parsing the certificate
* @throws URISyntaxException an error occurs parsing the certificate file path
*/
@Test
@ -947,7 +1084,7 @@ public class SupplyChainCredentialValidatorTest {
throws URISyntaxException, IOException {
byte[] certBytes = Files.readAllBytes(Paths.get(
Objects.requireNonNull(SupplyChainCredentialValidatorTest.class.getResource(
INTEL_PLATFORM_CERT)).toURI()));
INTEL_PLATFORM_CERT)).toURI()));
PlatformCredential pc = new PlatformCredential(certBytes);
@ -964,7 +1101,7 @@ public class SupplyChainCredentialValidatorTest {
* Verifies that a null check is performed on the device info report
* when validating platform credentials.
*
* @throws IOException an error occurs when parsing the certificate
* @throws IOException an error occurs when parsing the certificate
* @throws URISyntaxException an error occurs parsing the certificate file path
*/
// @Test
@ -972,7 +1109,7 @@ public class SupplyChainCredentialValidatorTest {
throws URISyntaxException, IOException {
byte[] certBytes = Files.readAllBytes(Paths.get(
Objects.requireNonNull(SupplyChainCredentialValidatorTest.class.getResource(
INTEL_PLATFORM_CERT_2)).toURI()));
INTEL_PLATFORM_CERT_2)).toURI()));
PlatformCredential pc = new PlatformCredential(certBytes);
@ -992,9 +1129,10 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that issuer/subject distinguished names can be properly verified as equal even
* if their elements are in different orders.
* @throws URISyntaxException failed to read certificate
* @throws IOException failed to read certificate
* @throws KeyStoreException failed to read key store
*
* @throws URISyntaxException failed to read certificate
* @throws IOException failed to read certificate
* @throws KeyStoreException failed to read key store
* @throws SupplyChainValidatorException missing credential
*/
@ -1023,9 +1161,10 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that issuer/subject distinguished names can be properly verified as being unequal
* if their elements don't match.
* @throws URISyntaxException failed to read certificate
* @throws IOException failed to read certificate
* @throws KeyStoreException failed to read key store
*
* @throws URISyntaxException failed to read certificate
* @throws IOException failed to read certificate
* @throws KeyStoreException failed to read key store
* @throws SupplyChainValidatorException missing credential
*/
@Test
@ -1038,7 +1177,7 @@ public class SupplyChainCredentialValidatorTest {
byte[] certBytes = Files.readAllBytes(Paths.get(
Objects.requireNonNull(SupplyChainCredentialValidator.class.
getResource(NEW_NUC1)).toURI()));
getResource(NEW_NUC1)).toURI()));
PlatformCredential pc = new PlatformCredential(certBytes);
@ -1052,9 +1191,10 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that issuer/subject distinguished names can be properly verified as equal.
* @throws URISyntaxException failed to read certificate
* @throws IOException failed to read certificate
* @throws KeyStoreException failed to read key store
*
* @throws URISyntaxException failed to read certificate
* @throws IOException failed to read certificate
* @throws KeyStoreException failed to read key store
* @throws SupplyChainValidatorException missing credential
*/
@Test
@ -1082,9 +1222,10 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that issuer/subject distinguished names can be properly verified as being unequal
* if their elements don't match.
* @throws URISyntaxException failed to read certificate
* @throws IOException failed to read certificate
* @throws KeyStoreException failed to read key store
*
* @throws URISyntaxException failed to read certificate
* @throws IOException failed to read certificate
* @throws KeyStoreException failed to read key store
* @throws SupplyChainValidatorException missing credential
*/
@Test
@ -1097,7 +1238,7 @@ public class SupplyChainCredentialValidatorTest {
byte[] certBytes = Files.readAllBytes(Paths.get(
Objects.requireNonNull(SupplyChainCredentialValidator.class.
getResource(TEST_EK_CERT)).toURI()));
getResource(TEST_EK_CERT)).toURI()));
EndorsementCredential ec = new EndorsementCredential(certBytes);
@ -1109,38 +1250,6 @@ public class SupplyChainCredentialValidatorTest {
x509Cert, caX509));
}
private static DeviceInfoReport setupDeviceInfoReport() {
hardwareInfo = new HardwareInfo(
"ACME",
"anvil",
"3.0",
"1234",
"567",
"890");
DeviceInfoReport deviceInfoReport = mock(DeviceInfoReport.class);
when(deviceInfoReport.getHardwareInfo()).thenReturn(hardwareInfo);
return deviceInfoReport;
}
private static DeviceInfoReport setupDeviceInfoReportWithComponents() throws IOException {
return setupDeviceInfoReportWithComponents(SAMPLE_PACCOR_OUTPUT_TXT);
}
private static DeviceInfoReport setupDeviceInfoReportWithNotSpecifiedComponents()
throws IOException {
return setupDeviceInfoReportWithComponents(SAMPLE_PACCOR_OUTPUT_NOT_SPECIFIED_TXT);
}
private static DeviceInfoReport setupDeviceInfoReportWithComponents(
final String paccorOutputResource) throws IOException {
DeviceInfoReport deviceInfoReport = setupDeviceInfoReport();
URL url = SupplyChainCredentialValidator.class.getResource(paccorOutputResource);
String paccorOutputString = IOUtils.toString(url, StandardCharsets.UTF_8);
when(deviceInfoReport.getPaccorOutputString()).thenReturn(paccorOutputString);
return deviceInfoReport;
}
/**
* Tests that isMatch works correctly in comparing component info to component identifier.
*/
@ -1199,7 +1308,7 @@ public class SupplyChainCredentialValidatorTest {
List<ComponentInfo> deviceInfoComponents
= SupplyChainCredentialValidator.getComponentInfoFromPaccorOutput(
deviceInfoReport.getNetworkInfo().getHostname(),
deviceInfoReport.getNetworkInfo().getHostname(),
deviceInfoReport.getPaccorOutputString());
List<ComponentIdentifier> componentIdentifierList = new ArrayList<>();
for (ComponentInfo deviceInfoComponent : deviceInfoComponents) {
@ -1231,6 +1340,7 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that TPM 2.0 Platform Credentials validate correctly against the device info report
* when there are no components.
*
* @throws IOException if unable to set up DeviceInfoReport from resource file
*/
// @Test
@ -1251,6 +1361,7 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that TPM 2.0 Platform Credentials validate correctly against the device info report
* when there are components present.
*
* @throws IOException if unable to set up DeviceInfoReport from resource file
*/
// @Test
@ -1271,6 +1382,7 @@ public class SupplyChainCredentialValidatorTest {
* Tests that TPM 2.0 Platform Credentials validate correctly against the device info report
* when there are components present, and when the PlatformSerial field holds the system's
* serial number instead of the baseboard serial number.
*
* @throws IOException if unable to set up DeviceInfoReport from resource file
*/
// @Test
@ -1293,7 +1405,8 @@ public class SupplyChainCredentialValidatorTest {
* Tests that TPM 2.0 Platform Credentials validate correctly against the device info report
* when there are components present, and when the PlatformSerial field holds the system's
* serial number instead of the baseboard serial number.
* @throws IOException if unable to set up DeviceInfoReport from resource file
*
* @throws IOException if unable to set up DeviceInfoReport from resource file
* @throws URISyntaxException failed to read certificate
*/
// @Test
@ -1302,8 +1415,8 @@ public class SupplyChainCredentialValidatorTest {
DeviceInfoReport deviceInfoReport = setupDeviceInfoReportWithNotSpecifiedComponents();
PlatformCredential platformCredential = new PlatformCredential(
Files.readAllBytes(Paths.get(
Objects.requireNonNull(SupplyChainCredentialValidator.class.getResource(
SAMPLE_TEST_PACCOR_CERT)).toURI())));
Objects.requireNonNull(SupplyChainCredentialValidator.class.getResource(
SAMPLE_TEST_PACCOR_CERT)).toURI())));
AppraisalStatus appraisalStatus = CertificateAttributeScvValidator
.validatePlatformCredentialAttributesV2p0(platformCredential, deviceInfoReport, null, null,
@ -1313,6 +1426,7 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that the SupplyChainCredentialValidator fails when required fields are null.
*
* @throws IOException if unable to set up DeviceInfoReport from resource file
*/
// @Test
@ -1425,6 +1539,7 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that the SupplyChainCredentialValidator fails when required fields contain only empty
* strings.
*
* @throws IOException if unable to set up DeviceInfoReport from resource file
*/
// @Test
@ -1484,7 +1599,7 @@ public class SupplyChainCredentialValidatorTest {
result = CertificateAttributeScvValidator
.validatePlatformCredentialAttributesV2p0(platformCredential,
deviceInfoReport, null, null,
Collections.emptyList(), UUID.randomUUID(), false);
Collections.emptyList(), UUID.randomUUID(), false);
assertEquals(AppraisalStatus.Status.PASS, result.getAppStatus());
assertEquals(SupplyChainCredentialValidator.PLATFORM_ATTRIBUTES_VALID,
result.getMessage());
@ -1514,9 +1629,9 @@ public class SupplyChainCredentialValidatorTest {
Collections.emptyList(), UUID.randomUUID(), false);
assertEquals(AppraisalStatus.Status.FAIL, result.getAppStatus());
assertEquals("Component manufacturer is empty\n"
+ "There are unmatched components:\n"
+ "Manufacturer=, Model=Core i7, Serial=Not Specified,"
+ " Revision=Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz;\n",
+ "There are unmatched components:\n"
+ "Manufacturer=, Model=Core i7, Serial=Not Specified,"
+ " Revision=Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz;\n",
result.getMessage());
platformCredential = setupMatchingPlatformCredential(deviceInfoReport);
@ -1541,6 +1656,7 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that {@link SupplyChainCredentialValidator} failes when a component exists in the
* platform credential, but not in the device info report.
*
* @throws IOException if unable to set up DeviceInfoReport from resource file
*/
// @Test
@ -1577,7 +1693,7 @@ public class SupplyChainCredentialValidatorTest {
Collections.emptyList(), UUID.randomUUID(), false);
assertEquals(AppraisalStatus.Status.FAIL, result.getAppStatus());
assertEquals("There are unmatched components:\n"
+ "Manufacturer=ACME, Model=TNT, Serial=2, Revision=1.1;\n",
+ "Manufacturer=ACME, Model=TNT, Serial=2, Revision=1.1;\n",
result.getMessage());
}
@ -1585,6 +1701,7 @@ public class SupplyChainCredentialValidatorTest {
* Tests that SupplyChainCredentialValidator passes when everything matches but there are
* extra components in the device info report that are not represented in the platform
* credential.
*
* @throws IOException if unable to set up DeviceInfoReport from resource file
*/
// @Test
@ -1617,6 +1734,7 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that SupplyChainCredentialValidator fails when a component is found in the platform
* credential without a manufacturer or model.
*
* @throws IOException if unable to set up DeviceInfoReport from resource file
*/
// @Test
@ -1644,9 +1762,9 @@ public class SupplyChainCredentialValidatorTest {
Collections.emptyList(), UUID.randomUUID(), false);
assertEquals(AppraisalStatus.Status.FAIL, result.getAppStatus());
assertEquals("Component manufacturer is empty\n"
+ "There are unmatched components:\n"
+ "Manufacturer=, Model=Core i7, Serial=Not Specified,"
+ " Revision=Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz;\n",
+ "There are unmatched components:\n"
+ "Manufacturer=, Model=Core i7, Serial=Not Specified,"
+ " Revision=Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz;\n",
result.getMessage());
platformCredential = setupMatchingPlatformCredential(deviceInfoReport);
@ -1673,6 +1791,7 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that SupplyChainCredentialValidator passes when a component on the system has a
* matching component in the platform certificate, except the serial value is missing.
*
* @throws IOException if unable to set up DeviceInfoReport from resource file
*/
// @Test
@ -1704,6 +1823,7 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that SupplyChainCredentialValidator passes when a component on the system has a
* matching component in the platform certificate, except the revision value is missing.
*
* @throws IOException if unable to set up DeviceInfoReport from resource file
*/
// @Test
@ -1736,6 +1856,7 @@ public class SupplyChainCredentialValidatorTest {
* Tests that SupplyChainCredentialValidator passes when a component on the system has a
* matching component in the platform certificate, except the serial and revision values
* are missing.
*
* @throws IOException if unable to set up DeviceInfoReport from resource file
*/
// @Test
@ -1768,7 +1889,8 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that SupplyChainCredentialValidator passes with a base and delta certificate where
* the base serial number and delta holder serial number match.
* @throws java.io.IOException Reading file for the certificates
*
* @throws java.io.IOException Reading file for the certificates
* @throws java.net.URISyntaxException when loading certificates bytes
*/
// @Test
@ -1904,7 +2026,8 @@ public class SupplyChainCredentialValidatorTest {
/**
* Tests that SupplyChainCredentialValidator fails when a component needs to
* be replaced but hasn't been by a delta certificate.
* @throws java.io.IOException Reading file for the certificates
*
* @throws java.io.IOException Reading file for the certificates
* @throws java.net.URISyntaxException when loading certificates bytes
*/
// @Test
@ -2014,136 +2137,6 @@ public class SupplyChainCredentialValidatorTest {
// result.getMessage());
}
/**
* Creates a new RSA 1024-bit KeyPair using a Bouncy Castle Provider.
*
* @return new KeyPair
*/
private static KeyPair createKeyPair() {
final int keySize = 1024;
KeyPairGenerator gen;
KeyPair keyPair = null;
try {
gen = KeyPairGenerator.getInstance("RSA", BouncyCastleProvider.PROVIDER_NAME);
gen.initialize(keySize, SECURE_RANDOM);
keyPair = gen.generateKeyPair();
} catch (NoSuchAlgorithmException | NoSuchProviderException e) {
fail("Error occurred while generating key pair", e);
}
return keyPair;
}
/**
* Create a new X.509 attribute certificate given the holder cert, the signing cert, and the
* signing key.
*
* @param targetCert
* X509Certificate that will be the holder of the attribute cert
* @param signingCert
* X509Certificate used to sign the new attribute cert
* @param caPrivateKey
* PrivateKey used to sign the new attribute cert
* @return new X509AttributeCertificate
*/
private static X509AttributeCertificateHolder createAttributeCert(
final X509Certificate targetCert, final X509Certificate signingCert,
final PrivateKey caPrivateKey) {
X509AttributeCertificateHolder cert = null;
try {
final int timeRange = 50000;
AttributeCertificateHolder holder =
new AttributeCertificateHolder(new X509CertificateHolder(
targetCert.getEncoded()));
AttributeCertificateIssuer issuer =
new AttributeCertificateIssuer(new X500Name(signingCert
.getSubjectX500Principal().getName()));
BigInteger serialNumber = BigInteger.ONE;
Date notBefore = new Date(System.currentTimeMillis() - timeRange);
Date notAfter = new Date(System.currentTimeMillis() + timeRange);
X509v2AttributeCertificateBuilder builder =
new X509v2AttributeCertificateBuilder(holder, issuer, serialNumber, notBefore,
notAfter);
ContentSigner signer =
new JcaContentSignerBuilder("SHA1WithRSA").setProvider("BC")
.build(caPrivateKey);
cert = builder.build(signer);
} catch (CertificateEncodingException | IOException | OperatorCreationException e) {
fail("Exception occurred while creating a cert", e);
}
return cert;
}
/**
* Create a new X.509 public-key certificate signed by the given certificate.
*
* @param keyPair
* KeyPair to create the cert for
* @param signingKey
* PrivateKey of the signing cert
* @param signingCert
* signing cert
* @return new X509Certificate
*/
private static X509Certificate createCertSignedByAnotherCert(final KeyPair keyPair,
final PrivateKey signingKey, final X509Certificate signingCert) {
final int timeRange = 10000;
X509Certificate cert = null;
try {
X500Name issuerName = new X500Name(signingCert.getSubjectX500Principal().getName());
X500Name subjectName = new X500Name("CN=Test V3 Certificate");
BigInteger serialNumber = BigInteger.ONE;
Date notBefore = new Date(System.currentTimeMillis() - timeRange);
Date notAfter = new Date(System.currentTimeMillis() + timeRange);
X509v3CertificateBuilder builder =
new JcaX509v3CertificateBuilder(issuerName, serialNumber, notBefore, notAfter,
subjectName, keyPair.getPublic());
ContentSigner signer =
new JcaContentSignerBuilder("SHA1WithRSA").setProvider("BC").build(signingKey);
return new JcaX509CertificateConverter().setProvider("BC").getCertificate(
builder.build(signer));
} catch (Exception e) {
fail("Exception occurred while creating a cert", e);
}
return cert;
}
/**
* Creates a self-signed X.509 public-key certificate.
*
* @param pair
* KeyPair to create the cert for
* @return self-signed X509Certificate
*/
private static X509Certificate createSelfSignedCertificate(final KeyPair pair) {
Security.addProvider(new BouncyCastleProvider());
final int timeRange = 10000;
X509Certificate cert = null;
try {
X500Name issuerName = new X500Name("CN=Test Self-Signed V3 Certificate");
X500Name subjectName = new X500Name("CN=Test Self-Signed V3 Certificate");
BigInteger serialNumber = BigInteger.ONE;
Date notBefore = new Date(System.currentTimeMillis() - timeRange);
Date notAfter = new Date(System.currentTimeMillis() + timeRange);
X509v3CertificateBuilder builder =
new JcaX509v3CertificateBuilder(issuerName, serialNumber, notBefore, notAfter,
subjectName, pair.getPublic());
ContentSigner signer =
new JcaContentSignerBuilder("SHA1WithRSA").setProvider("BC").build(
pair.getPrivate());
return new JcaX509CertificateConverter().setProvider("BC").getCertificate(
builder.build(signer));
} catch (Exception e) {
fail("Exception occurred while creating a cert", e);
}
return cert;
}
private DeviceInfoReport buildReport(final HardwareInfo givenHardwareInfo) {
final InetAddress ipAddress = getTestIpAddress();
final byte[] macAddress = new byte[] {11, 22, 33, 44, 55, 66};
@ -2156,11 +2149,4 @@ public class SupplyChainCredentialValidatorTest {
return new DeviceInfoReport(networkInfo, osInfo,
firmwareInfo, givenHardwareInfo, tpmInfo);
}
private static InetAddress getTestIpAddress() {
try {
return InetAddress.getByAddress(new byte[] {127, 0, 0, 1});
} catch (UnknownHostException e) {
return null;
}
}
}