From beb1ccbee3ab47faf63a0e45d57c404f6463fb89 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Tue, 12 Jan 2021 12:26:54 -0500
Subject: [PATCH] Updated a supply chain validation check for delta certificates.

Updated the check for duplicate base platform certificates when storing them for the same device and updated the begin validity date for the delta vs the base check.
---
 .../java/hirs/attestationca/CredentialManagementHelper.java | 2 +-
 .../service/SupplyChainValidationServiceImpl.java | 4 ++--
 .../hirs/validation/SupplyChainCredentialValidator.java | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/CredentialManagementHelper.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/CredentialManagementHelper.java
index e1dbd778..fcb47793 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/CredentialManagementHelper.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/CredentialManagementHelper.java
@@ -122,7 +122,7 @@ public final class CredentialManagementHelper {
  if (!certificates.isEmpty()) {
  // found associated certificates
  for (PlatformCredential pc : certificates) {
- if (pc.isBase()) {
+ if (pc.isBase() && platformCredential.isBase()) {
  // found a base in the database associated with
  // parsed certificate
  LOG.error(String.format("Base certificate stored"
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
index 65b268e9..2dca7923 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
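Review bot: The added `platformCredential.isBase()` test on the changed line is loop-invariant yet re-evaluated for every stored certificate, and for a delta credential this duplicate check never fires, so a delta re-submitted for the same device is not compared against anything by this code. Hoisting the condition makes both facts explicit: `if (platformCredential.isBase()) {` around the `for`, the inner test back to `if (pc.isBase()) {`, and a comment such as `// only one base credential may be stored per device; deltas are layered on top`. Whether duplicate deltas are rejected elsewhere (for example by serial number on insert) is not visible in this hunk and should be confirmed before relying on it. The enclosing method starts before the hunk and the `if` body continues past it.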
@@ -184,8 +184,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
  // the base
  if (baseCredential != null) {
  for (PlatformCredential pc : pcs) {
- int result = pc.getBeginValidity()
- .compareTo(baseCredential.getBeginValidity());
+ int result = baseCredential.getBeginValidity()
+ .compareTo(pc.getBeginValidity());
  if (!pc.isBase() && (result > 0)) {
  pcErrorMessage = String.format("%s%s%n", pcErrorMessage, "Delta Certificate's validity "
diff --git a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
index ec8b00a1..8aa55638 100644
--- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
@@ -664,7 +664,7 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
  "%s attempted MODIFIED with no prior instance.%n",
  classValue));
  scv = deltaMapping.get(delta);
- if (scv.getResult() != AppraisalStatus.Status.PASS) {
+ if (scv != null && scv.getResult() != AppraisalStatus.Status.PASS) {
  failureMsg.append(scv.getMessage());
  }
  deltaMapping.put(delta, new SupplyChainValidation(
@@ -694,7 +694,7 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
  "%s attempted REMOVED with no prior instance.%n",
  classValue));
  scv = deltaMapping.get(delta);
- if (scv.getResult() != AppraisalStatus.Status.PASS) {
+ if (scv != null && scv.getResult() != AppraisalStatus.Status.PASS) {
  failureMsg.append(scv.getMessage());
  }
  deltaMapping.put(delta, new SupplyChainValidation(
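Review bot: On the changed lines the `compareTo` result is computed for every credential in `pcs`, including the base itself, and only afterwards discarded by `!pc.isBase()`; folding the comparison into the condition lets the short-circuit skip bases and puts the direction — which this very commit had to flip — next to the test that uses it: `if (!pc.isBase() && baseCredential.getBeginValidity().compareTo(pc.getBeginValidity()) > 0) {` with a preceding `// a delta may not begin before the base it amends`. A delta whose begin validity equals the base's passes (result 0), which looks intended but is worth stating in that comment. If `getBeginValidity()` can return null for a malformed credential this line throws rather than recording a validation failure; the accessor is not in view, so treat that as something to confirm. Since the direction was wrong once, a unit test with one delta dated before and one after the base would pin it. The loop body continues past the end of the hunk.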
@@ -723,7 +723,7 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
  "%s was ADDED, the serial already exists.%n",
  classValue));
  scv = deltaMapping.get(delta);
- if (scv.getResult() != AppraisalStatus.Status.PASS) {
+ if (scv != null && scv.getResult() != AppraisalStatus.Status.PASS) {
  failureMsg.append(scv.getMessage());
  }
  deltaMapping.put(delta, new SupplyChainValidation(
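Review bot: The `scv != null &&` guard on the changed line is the third copy of an identical get/check/append sequence (the MODIFIED and REMOVED branches at 664 and 694 receive the same one-token fix), which is exactly how the null dereference got triplicated; extract the guarded append into a private helper and call it from all three branches so the next fix lands once. The sketch below keeps the `scv = deltaMapping.get(delta);` assignment in place in case `scv` is read after the `put`, and assumes `failureMsg` is a `StringBuilder` — adjust the parameter type if it is a `StringBuffer`. A one-line comment on the call, `// carry forward any earlier failure recorded for this delta`, documents why a missing prior entry is silently acceptable here. The enclosing method and the `new SupplyChainValidation(` argument list continue outside the hunk.
```java
// … unchanged: "%s was ADDED, the serial already exists.%n" message …
scv = deltaMapping.get(delta);
appendPriorFailure(failureMsg, scv);
deltaMapping.put(delta, new SupplyChainValidation(
// … unchanged: remainder of the branch …

/**
 * Appends the message of an earlier non-PASS validation for the same delta, if one was recorded.
 *
 * @param failureMsg accumulated failure text for this appraisal
 * @param prior the previously stored validation for the delta, or null if none
 */
private static void appendPriorFailure(StringBuilder failureMsg, SupplyChainValidation prior) {
    if (prior != null && prior.getResult() != AppraisalStatus.Status.PASS) {
        failureMsg.append(prior.getMessage());
    }
}
```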