mirror of
https://github.com/nsacyber/HIRS.git
synced 2024-12-18 20:47:58 +00:00
Merge pull request #786 from nsacyber/v3_issue-783
Changed DB lookup of RIM EL objects, added null checks to Device.toString
This commit is contained in:
iadgovuser26
GitHub
commit
ba21b2e114
@ -1,12 +1,18 @@
|
||||
package hirs.attestationca.persist.entity.manager;
|
||||
|
||||
import hirs.attestationca.persist.entity.userdefined.Device;
|
||||
import hirs.attestationca.persist.entity.userdefined.SupplyChainValidationSummary;
|
||||
import org.springframework.data.domain.Page;
|
||||
import org.springframework.data.domain.Pageable;
|
||||
import org.springframework.data.jpa.repository.JpaRepository;
|
||||
import org.springframework.stereotype.Repository;
|
||||
|
||||
import java.util.UUID;
|
||||
import java.util.List;
|
||||
|
||||
@Repository
|
||||
public interface SupplyChainValidationSummaryRepository extends JpaRepository<SupplyChainValidationSummary, UUID> {
|
||||
SupplyChainValidationSummary findByDevice(String device);
|
||||
SupplyChainValidationSummary findByDevice(Device device);
|
||||
List<SupplyChainValidationSummary> findByArchiveFlagFalse();
|
||||
Page<SupplyChainValidationSummary> findByArchiveFlagFalse(Pageable pageable);
|
||||
}
|
||||
|
||||
@ -114,8 +114,8 @@ public class Device extends AbstractEntity {
|
||||
|
||||
public String toString() {
|
||||
return String.format("Device Name: %s%nStatus: %s%nSummary: %s%n",
|
||||
name, healthStatus.getStatus(),
|
||||
supplyChainValidationStatus.toString());
|
||||
name, (healthStatus == null ? "N/A" : healthStatus.getStatus()),
|
||||
(supplyChainValidationStatus == null ? "N/A" : supplyChainValidationStatus.toString()));
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
@ -105,10 +105,10 @@ public class SupplyChainValidation extends ArchivableEntity {
|
||||
this.certificatesUsed = new ArrayList<>();
|
||||
this.rimId = "";
|
||||
for (ArchivableEntity ae : certificatesUsed) {
|
||||
if (ae instanceof BaseReferenceManifest) {
|
||||
if (ae instanceof ReferenceManifest) {
|
||||
this.rimId = ae.getId().toString();
|
||||
break;
|
||||
} else {
|
||||
} else if (ae instanceof Certificate) {
|
||||
this.certificatesUsed.add((Certificate) ae);
|
||||
}
|
||||
}
|
||||
|
||||
@ -27,7 +27,7 @@ import java.util.Collection;
|
||||
*/
|
||||
@Log4j2
|
||||
@Entity
|
||||
public class EventLogMeasurements extends ReferenceManifest {
|
||||
public class EventLogMeasurements extends SupportReferenceManifest {
|
||||
|
||||
@Column
|
||||
@JsonIgnore
|
||||
|
||||
@ -11,10 +11,7 @@ import hirs.attestationca.persist.entity.manager.ReferenceDigestValueRepository;
|
||||
import hirs.attestationca.persist.entity.manager.ReferenceManifestRepository;
|
||||
import hirs.attestationca.persist.entity.manager.SupplyChainValidationRepository;
|
||||
import hirs.attestationca.persist.entity.manager.SupplyChainValidationSummaryRepository;
|
||||
import hirs.attestationca.persist.entity.userdefined.Device;
|
||||
import hirs.attestationca.persist.entity.userdefined.PolicySettings;
|
||||
import hirs.attestationca.persist.entity.userdefined.SupplyChainValidation;
|
||||
import hirs.attestationca.persist.entity.userdefined.SupplyChainValidationSummary;
|
||||
import hirs.attestationca.persist.entity.userdefined.*;
|
||||
import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult;
|
||||
import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential;
|
||||
import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
|
||||
@ -29,6 +26,7 @@ import lombok.extern.log4j.Log4j2;
|
||||
import org.apache.logging.log4j.Level;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.stereotype.Service;
|
||||
import org.yaml.snakeyaml.events.Event;
|
||||
|
||||
import java.security.KeyStore;
|
||||
import java.util.ArrayList;
|
||||
@ -322,8 +320,11 @@ public class SupplyChainValidationService {
|
||||
+ "could be found for %s",
|
||||
deviceName));
|
||||
} else {
|
||||
eventLog = (EventLogMeasurements) referenceManifestRepository
|
||||
.findByHexDecHash(sRim.getEventLogHash());
|
||||
ReferenceManifest manifest = referenceManifestRepository
|
||||
.findByHexDecHashAndRimType(sRim.getEventLogHash(), ReferenceManifest.MEASUREMENT_RIM);
|
||||
if (manifest instanceof EventLogMeasurements) {
|
||||
eventLog = (EventLogMeasurements)manifest;
|
||||
}
|
||||
}
|
||||
if (eventLog == null) {
|
||||
fwStatus = new AppraisalStatus(FAIL,
|
||||
@ -359,7 +360,8 @@ public class SupplyChainValidationService {
|
||||
// Generate validation summary, save it, and return it.
|
||||
List<SupplyChainValidation> validations = new ArrayList<>();
|
||||
SupplyChainValidationSummary previous
|
||||
= this.supplyChainValidationSummaryRepository.findByDevice(deviceName);
|
||||
//= this.supplyChainValidationSummaryRepository.findByDevice(deviceName);
|
||||
= this.supplyChainValidationSummaryRepository.findByDevice(device);
|
||||
for (SupplyChainValidation scv : previous.getValidations()) {
|
||||
if (scv.getValidationType() != SupplyChainValidation.ValidationType.FIRMWARE) {
|
||||
validations.add(ValidationService.buildValidationRecord(scv.getValidationType(),
|
||||
|
||||
@ -23,9 +23,8 @@ import java.nio.charset.StandardCharsets;
|
||||
import java.security.KeyStore;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.util.HashMap;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.*;
|
||||
|
||||
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL;
|
||||
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS;
|
||||
@ -104,8 +103,27 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
|
||||
CertificateAuthorityCredential signingCert = null;
|
||||
for (CertificateAuthorityCredential cert : allCerts) {
|
||||
signingCert = cert;
|
||||
KeyStore keyStore = ValidationService.getCaChain(signingCert,
|
||||
KeyStore keyStore = null;
|
||||
Set<CertificateAuthorityCredential> set = ValidationService.getCaChainRec(signingCert,
|
||||
Collections.emptySet(),
|
||||
caCredentialRepository);
|
||||
try {
|
||||
keyStore = ValidationService.caCertSetToKeystore(set);
|
||||
} catch (Exception e) {
|
||||
log.error("Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": "
|
||||
+ e.getMessage());
|
||||
}
|
||||
|
||||
ArrayList<X509Certificate> certs = new ArrayList<>(set.size());
|
||||
for (CertificateAuthorityCredential cac : set) {
|
||||
try {
|
||||
certs.add(cac.getX509Certificate());
|
||||
} catch (IOException e) {
|
||||
log.error("Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": "
|
||||
+ e.getMessage());
|
||||
}
|
||||
}
|
||||
referenceManifestValidator.setTrustStore(certs);
|
||||
try {
|
||||
if (referenceManifestValidator.validateXmlSignature(signingCert.getX509Certificate().getPublicKey(),
|
||||
signingCert.getSubjectKeyIdString(), signingCert.getEncodedPublicKey())) {
|
||||
|
||||
@ -122,7 +122,7 @@ public class ValidationReportsPageController extends PageController<NoPageParams
|
||||
FilteredRecordsList<SupplyChainValidationSummary> records = new FilteredRecordsList<>();
|
||||
int currentPage = input.getStart() / input.getLength();
|
||||
Pageable paging = PageRequest.of(currentPage, input.getLength(), Sort.by(orderColumnName));
|
||||
org.springframework.data.domain.Page<SupplyChainValidationSummary> pagedResult = supplyChainValidatorSummaryRepository.findAll(paging);
|
||||
org.springframework.data.domain.Page<SupplyChainValidationSummary> pagedResult = supplyChainValidatorSummaryRepository.findByArchiveFlagFalse(paging);
|
||||
|
||||
if (pagedResult.hasContent()) {
|
||||
records.addAll(pagedResult.getContent());
|
||||
|
||||
@ -241,6 +241,7 @@ public class ReferenceManifestValidator {
|
||||
if (embeddedCert != null) {
|
||||
if (isCertChainValid(embeddedCert)) {
|
||||
context = new DOMValidateContext(new X509KeySelector(), nodes.item(0));
|
||||
subjectKeyIdentifier = getCertificateSubjectKeyIdentifier(embeddedCert);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
@ -465,6 +466,10 @@ public class ReferenceManifestValidator {
|
||||
for (X509Certificate trustedCert : trustStore) {
|
||||
boolean isIssuer = areYouMyIssuer(chainCert, trustedCert);
|
||||
boolean isSigner = areYouMySigner(chainCert, trustedCert);
|
||||
boolean itIsMe = areYouMe(chainCert, trustedCert);
|
||||
if (itIsMe) {
|
||||
continue;
|
||||
}
|
||||
if (isIssuer && isSigner) {
|
||||
if (isSelfSigned(trustedCert)) {
|
||||
log.info("Root CA found.");
|
||||
@ -490,6 +495,21 @@ public class ReferenceManifestValidator {
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* This method checks if cert's issuerDN matches issuer's subjectDN.
|
||||
* @param cert the signed certificate
|
||||
* @param issuer the signing certificate
|
||||
* @return true if they match, false if not
|
||||
* @throws Exception if either argument is null
|
||||
*/
|
||||
private boolean areYouMe(final X509Certificate cert, final X509Certificate issuer)
|
||||
throws Exception {
|
||||
if (cert == null || issuer == null) {
|
||||
throw new Exception("Cannot verify issuer, null certificate received");
|
||||
}
|
||||
return Arrays.equals(cert.getEncoded(), issuer.getEncoded());
|
||||
}
|
||||
|
||||
/**
|
||||
* This method checks if cert's issuerDN matches issuer's subjectDN.
|
||||
* @param cert the signed certificate
|
||||
|
||||
Loading…
Reference in New Issue
Block a user