mirror of
https://github.com/nsacyber/HIRS.git
synced 2024-12-19 04:58:00 +00:00
* The base certificate is getting a failure when the delta fixed the problem. The code is being modified to ignore the attribute validation of the base certificate and redo the trust chain check. The code now has a cleaner platform evaluation set up and store.
This commit is contained in:
parent
db2f80edb9
commit
c3e02825f4
@ -105,14 +105,11 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
|||||||
boolean acceptExpiredCerts = policy.isExpiredCertificateValidationEnabled();
|
boolean acceptExpiredCerts = policy.isExpiredCertificateValidationEnabled();
|
||||||
PlatformCredential baseCredential = null;
|
PlatformCredential baseCredential = null;
|
||||||
List<SupplyChainValidation> validations = new LinkedList<>();
|
List<SupplyChainValidation> validations = new LinkedList<>();
|
||||||
Map<SupplyChainValidation.ValidationType,
|
|
||||||
SupplyChainValidation> validationTypeMap = new HashMap<>();
|
|
||||||
Map<PlatformCredential, SupplyChainValidation> deltaMapping = new HashMap<>();
|
Map<PlatformCredential, SupplyChainValidation> deltaMapping = new HashMap<>();
|
||||||
|
|
||||||
// Validate the Endorsement Credential
|
// Validate the Endorsement Credential
|
||||||
if (policy.isEcValidationEnabled()) {
|
if (policy.isEcValidationEnabled()) {
|
||||||
validationTypeMap.put(SupplyChainValidation.ValidationType.ENDORSEMENT_CREDENTIAL,
|
validations.add(validateEndorsementCredential(ec, acceptExpiredCerts));
|
||||||
validateEndorsementCredential(ec, acceptExpiredCerts));
|
|
||||||
// store the device with the credential
|
// store the device with the credential
|
||||||
if (null != ec) {
|
if (null != ec) {
|
||||||
ec.setDevice(device);
|
ec.setDevice(device);
|
||||||
@ -125,9 +122,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
|||||||
// Ensure there are platform credentials to validate
|
// Ensure there are platform credentials to validate
|
||||||
if (pcs == null || pcs.isEmpty()) {
|
if (pcs == null || pcs.isEmpty()) {
|
||||||
LOGGER.error("There were no Platform Credentials to validate.");
|
LOGGER.error("There were no Platform Credentials to validate.");
|
||||||
validationTypeMap.put(SupplyChainValidation
|
validations.add(buildValidationRecord(
|
||||||
.ValidationType.PLATFORM_CREDENTIAL,
|
|
||||||
buildValidationRecord(
|
|
||||||
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
|
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
|
||||||
AppraisalStatus.Status.FAIL,
|
AppraisalStatus.Status.FAIL,
|
||||||
"Platform credential(s) missing", null, Level.ERROR));
|
"Platform credential(s) missing", null, Level.ERROR));
|
||||||
@ -145,14 +140,14 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
|||||||
platformScv = validatePcPolicy(pc, platformScv,
|
platformScv = validatePcPolicy(pc, platformScv,
|
||||||
deltaMapping, acceptExpiredCerts);
|
deltaMapping, acceptExpiredCerts);
|
||||||
|
|
||||||
validationTypeMap.put(SupplyChainValidation
|
validations.add(platformScv);
|
||||||
.ValidationType.PLATFORM_CREDENTIAL,
|
validations.addAll(deltaMapping.values());
|
||||||
platformScv);
|
|
||||||
pc.setDevice(device);
|
|
||||||
this.certificateManager.update(pc);
|
|
||||||
if (pc.isBase()) {
|
if (pc.isBase()) {
|
||||||
baseCredential = pc;
|
baseCredential = pc;
|
||||||
}
|
}
|
||||||
|
pc.setDevice(device);
|
||||||
|
this.certificateManager.update(pc);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -163,33 +158,34 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
|||||||
// Ensure there are platform credentials to validate
|
// Ensure there are platform credentials to validate
|
||||||
if (pcs == null || pcs.isEmpty()) {
|
if (pcs == null || pcs.isEmpty()) {
|
||||||
LOGGER.error("There were no Platform Credentials to validate attributes.");
|
LOGGER.error("There were no Platform Credentials to validate attributes.");
|
||||||
validationTypeMap.put(SupplyChainValidation
|
validations.add(buildValidationRecord(
|
||||||
.ValidationType.PLATFORM_CREDENTIAL,
|
|
||||||
buildValidationRecord(
|
|
||||||
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
|
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
|
||||||
AppraisalStatus.Status.FAIL,
|
AppraisalStatus.Status.FAIL,
|
||||||
"Platform credential(s) missing.\nPlatform credential(s) missing."
|
"Platform credential(s) missing."
|
||||||
+ " Cannot validate attributes",
|
+ " Cannot validate attributes",
|
||||||
null, Level.ERROR));
|
null, Level.ERROR));
|
||||||
} else {
|
} else {
|
||||||
Iterator<PlatformCredential> it = pcs.iterator();
|
Iterator<PlatformCredential> it = pcs.iterator();
|
||||||
while (it.hasNext()) {
|
while (it.hasNext()) {
|
||||||
PlatformCredential pc = it.next();
|
PlatformCredential pc = it.next();
|
||||||
SupplyChainValidation attributeScv;
|
|
||||||
if (baseCredential == null || pc == baseCredential) {
|
|
||||||
attributeScv = validatePlatformCredentialAttributes(
|
|
||||||
pc, device.getDeviceInfo(), ec);
|
|
||||||
validationTypeMap.put(SupplyChainValidation
|
|
||||||
.ValidationType.PLATFORM_CREDENTIAL,
|
|
||||||
attributeScv);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (pc != null && pc.isDeltaChain()) {
|
|
||||||
validateDeltaPlatformCredentialAttributes(
|
|
||||||
pc, device.getDeviceInfo(), baseCredential, deltaMapping);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (pc != null) {
|
if (pc != null) {
|
||||||
|
if (pc.isDeltaChain()) {
|
||||||
|
// this check validates the delta changes and recompares
|
||||||
|
// the modified list to the original.
|
||||||
|
SupplyChainValidation subPlatformScv
|
||||||
|
= validateDeltaPlatformCredentialAttributes(
|
||||||
|
pc, device.getDeviceInfo(),
|
||||||
|
baseCredential, deltaMapping);
|
||||||
|
|
||||||
|
validations.add(subPlatformScv);
|
||||||
|
} else {
|
||||||
|
SupplyChainValidation attributeScv =
|
||||||
|
validatePlatformCredentialAttributes(
|
||||||
|
pc, device.getDeviceInfo(), ec);
|
||||||
|
validations.add(attributeScv);
|
||||||
|
}
|
||||||
|
|
||||||
pc.setDevice(device);
|
pc.setDevice(device);
|
||||||
this.certificateManager.update(pc);
|
this.certificateManager.update(pc);
|
||||||
}
|
}
|
||||||
@ -197,14 +193,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!validationTypeMap.isEmpty()) {
|
|
||||||
validations.addAll(validationTypeMap.values());
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!deltaMapping.isEmpty()) {
|
|
||||||
validations.addAll(deltaMapping.values());
|
|
||||||
}
|
|
||||||
|
|
||||||
// Generate validation summary, save it, and return it.
|
// Generate validation summary, save it, and return it.
|
||||||
SupplyChainValidationSummary summary =
|
SupplyChainValidationSummary summary =
|
||||||
new SupplyChainValidationSummary(device, validations);
|
new SupplyChainValidationSummary(device, validations);
|
||||||
@ -248,6 +236,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
|||||||
message, pc, Level.ERROR);
|
message, pc, Level.ERROR);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// only do check if this is a base certificate
|
||||||
|
if (pc.isBase()) {
|
||||||
// Grab all certs associated with this platform chain
|
// Grab all certs associated with this platform chain
|
||||||
List<PlatformCredential> chainCertificates = PlatformCredential
|
List<PlatformCredential> chainCertificates = PlatformCredential
|
||||||
.select(certificateManager)
|
.select(certificateManager)
|
||||||
@ -275,6 +265,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return subPlatformScv;
|
return subPlatformScv;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -37,7 +37,6 @@
|
|||||||
<tr>
|
<tr>
|
||||||
<th style="text-align:center">Endorsement</th>
|
<th style="text-align:center">Endorsement</th>
|
||||||
<th style="text-align:center">Platform</th>
|
<th style="text-align:center">Platform</th>
|
||||||
<th></th>
|
|
||||||
</tr>
|
</tr>
|
||||||
</thead>
|
</thead>
|
||||||
</table>
|
</table>
|
||||||
@ -111,14 +110,6 @@
|
|||||||
return getValidationDisplayHtml(full, "PLATFORM_CREDENTIAL")
|
return getValidationDisplayHtml(full, "PLATFORM_CREDENTIAL")
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
|
||||||
data: 'id',
|
|
||||||
searchable: false,
|
|
||||||
orderable: false,
|
|
||||||
render: function (data, type, full, meta) {
|
|
||||||
return getValidationDisplayHtml(full, "PLATFORM_CREDENTIAL_ATTRIBUTES")
|
|
||||||
}
|
|
||||||
},
|
|
||||||
];
|
];
|
||||||
|
|
||||||
//Set data tables
|
//Set data tables
|
||||||
|
Loading…
Reference in New Issue
Block a user