diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/SupplyChainValidationSummaryRepository.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/SupplyChainValidationSummaryRepository.java index e56f931b..1e7f94f5 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/SupplyChainValidationSummaryRepository.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/SupplyChainValidationSummaryRepository.java @@ -1,12 +1,18 @@ package hirs.attestationca.persist.entity.manager; +import hirs.attestationca.persist.entity.userdefined.Device; import hirs.attestationca.persist.entity.userdefined.SupplyChainValidationSummary; +import org.springframework.data.domain.Page; +import org.springframework.data.domain.Pageable; import org.springframework.data.jpa.repository.JpaRepository; import org.springframework.stereotype.Repository; import java.util.UUID; +import java.util.List; @Repository public interface SupplyChainValidationSummaryRepository extends JpaRepository { - SupplyChainValidationSummary findByDevice(String device); + SupplyChainValidationSummary findByDevice(Device device); + List findByArchiveFlagFalse(); + Page findByArchiveFlagFalse(Pageable pageable); } diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/Device.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/Device.java index 14b8592a..ff6e7c0f 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/Device.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/Device.java @@ -114,8 +114,8 @@ public class Device extends AbstractEntity { public String toString() { return String.format("Device Name: %s%nStatus: %s%nSummary: %s%n", - name, healthStatus.getStatus(), - supplyChainValidationStatus.toString()); + name, (healthStatus == null ? "N/A" : healthStatus.getStatus()), + (supplyChainValidationStatus == null ? "N/A" : supplyChainValidationStatus.toString())); } @Override diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidation.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidation.java index 89eb7ce8..8c4087fe 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidation.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidation.java @@ -105,10 +105,10 @@ public class SupplyChainValidation extends ArchivableEntity { this.certificatesUsed = new ArrayList<>(); this.rimId = ""; for (ArchivableEntity ae : certificatesUsed) { - if (ae instanceof BaseReferenceManifest) { + if (ae instanceof ReferenceManifest) { this.rimId = ae.getId().toString(); break; - } else { + } else if (ae instanceof Certificate) { this.certificatesUsed.add((Certificate) ae); } } diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java index de990991..e361c5b7 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java @@ -27,7 +27,7 @@ import java.util.Collection; */ @Log4j2 @Entity -public class EventLogMeasurements extends ReferenceManifest { +public class EventLogMeasurements extends SupportReferenceManifest { @Column @JsonIgnore diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/SupplyChainValidationService.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/SupplyChainValidationService.java index c01b0075..adc9e557 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/SupplyChainValidationService.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/SupplyChainValidationService.java @@ -11,10 +11,7 @@ import hirs.attestationca.persist.entity.manager.ReferenceDigestValueRepository; import hirs.attestationca.persist.entity.manager.ReferenceManifestRepository; import hirs.attestationca.persist.entity.manager.SupplyChainValidationRepository; import hirs.attestationca.persist.entity.manager.SupplyChainValidationSummaryRepository; -import hirs.attestationca.persist.entity.userdefined.Device; -import hirs.attestationca.persist.entity.userdefined.PolicySettings; -import hirs.attestationca.persist.entity.userdefined.SupplyChainValidation; -import hirs.attestationca.persist.entity.userdefined.SupplyChainValidationSummary; +import hirs.attestationca.persist.entity.userdefined.*; import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult; import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential; import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential; @@ -29,6 +26,7 @@ import lombok.extern.log4j.Log4j2; import org.apache.logging.log4j.Level; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; +import org.yaml.snakeyaml.events.Event; import java.security.KeyStore; import java.util.ArrayList; @@ -322,8 +320,11 @@ public class SupplyChainValidationService { + "could be found for %s", deviceName)); } else { - eventLog = (EventLogMeasurements) referenceManifestRepository - .findByHexDecHash(sRim.getEventLogHash()); + ReferenceManifest manifest = referenceManifestRepository + .findByHexDecHashAndRimType(sRim.getEventLogHash(), ReferenceManifest.MEASUREMENT_RIM); + if (manifest instanceof EventLogMeasurements) { + eventLog = (EventLogMeasurements)manifest; + } } if (eventLog == null) { fwStatus = new AppraisalStatus(FAIL, @@ -359,7 +360,8 @@ public class SupplyChainValidationService { // Generate validation summary, save it, and return it. List validations = new ArrayList<>(); SupplyChainValidationSummary previous - = this.supplyChainValidationSummaryRepository.findByDevice(deviceName); + //= this.supplyChainValidationSummaryRepository.findByDevice(deviceName); + = this.supplyChainValidationSummaryRepository.findByDevice(device); for (SupplyChainValidation scv : previous.getValidations()) { if (scv.getValidationType() != SupplyChainValidation.ValidationType.FIRMWARE) { validations.add(ValidationService.buildValidationRecord(scv.getValidationType(), diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java index e495dcf2..68975ea9 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java @@ -23,9 +23,8 @@ import java.nio.charset.StandardCharsets; import java.security.KeyStore; import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; -import java.util.HashMap; -import java.util.LinkedList; -import java.util.List; +import java.security.cert.X509Certificate; +import java.util.*; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS; @@ -104,8 +103,27 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator { CertificateAuthorityCredential signingCert = null; for (CertificateAuthorityCredential cert : allCerts) { signingCert = cert; - KeyStore keyStore = ValidationService.getCaChain(signingCert, + KeyStore keyStore = null; + Set set = ValidationService.getCaChainRec(signingCert, + Collections.emptySet(), caCredentialRepository); + try { + keyStore = ValidationService.caCertSetToKeystore(set); + } catch (Exception e) { + log.error("Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": " + + e.getMessage()); + } + + ArrayList certs = new ArrayList<>(set.size()); + for (CertificateAuthorityCredential cac : set) { + try { + certs.add(cac.getX509Certificate()); + } catch (IOException e) { + log.error("Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": " + + e.getMessage()); + } + } + referenceManifestValidator.setTrustStore(certs); try { if (referenceManifestValidator.validateXmlSignature(signingCert.getX509Certificate().getPublicKey(), signingCert.getSubjectKeyIdString(), signingCert.getEncodedPublicKey())) { diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ValidationReportsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ValidationReportsPageController.java index a2a1ccec..ce19f790 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ValidationReportsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ValidationReportsPageController.java @@ -122,7 +122,7 @@ public class ValidationReportsPageController extends PageController records = new FilteredRecordsList<>(); int currentPage = input.getStart() / input.getLength(); Pageable paging = PageRequest.of(currentPage, input.getLength(), Sort.by(orderColumnName)); - org.springframework.data.domain.Page pagedResult = supplyChainValidatorSummaryRepository.findAll(paging); + org.springframework.data.domain.Page pagedResult = supplyChainValidatorSummaryRepository.findByArchiveFlagFalse(paging); if (pagedResult.hasContent()) { records.addAll(pagedResult.getContent()); diff --git a/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java b/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java index 0e6412c5..749c0ab8 100644 --- a/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java +++ b/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java @@ -241,6 +241,7 @@ public class ReferenceManifestValidator { if (embeddedCert != null) { if (isCertChainValid(embeddedCert)) { context = new DOMValidateContext(new X509KeySelector(), nodes.item(0)); + subjectKeyIdentifier = getCertificateSubjectKeyIdentifier(embeddedCert); } } } else { @@ -465,6 +466,10 @@ public class ReferenceManifestValidator { for (X509Certificate trustedCert : trustStore) { boolean isIssuer = areYouMyIssuer(chainCert, trustedCert); boolean isSigner = areYouMySigner(chainCert, trustedCert); + boolean itIsMe = areYouMe(chainCert, trustedCert); + if (itIsMe) { + continue; + } if (isIssuer && isSigner) { if (isSelfSigned(trustedCert)) { log.info("Root CA found."); @@ -490,6 +495,21 @@ public class ReferenceManifestValidator { return false; } + /** + * This method checks if cert's issuerDN matches issuer's subjectDN. + * @param cert the signed certificate + * @param issuer the signing certificate + * @return true if they match, false if not + * @throws Exception if either argument is null + */ + private boolean areYouMe(final X509Certificate cert, final X509Certificate issuer) + throws Exception { + if (cert == null || issuer == null) { + throw new Exception("Cannot verify issuer, null certificate received"); + } + return Arrays.equals(cert.getEncoded(), issuer.getEncoded()); + } + /** * This method checks if cert's issuerDN matches issuer's subjectDN. * @param cert the signed certificate