ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-19 04:58:00 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

[#181] Validation systemcheck fix (#182)

Browse Source 
* The base certificate is getting a failure when the delta fixed the problem.  The code is being modified to ignore the attribute validation of the base certificate and redo the trust chain check.  The code now has a cleaner platform evaluation set up and store.
This commit is contained in:
Cyrus 2019-08-21 10:52:40 -04:00 committed by GitHub
parent db2f80edb9
commit c3e02825f4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 51 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
View File

@ -105,14 +105,11 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
boolean acceptExpiredCerts = policy.isExpiredCertificateValidationEnabled(); boolean acceptExpiredCerts = policy.isExpiredCertificateValidationEnabled();
PlatformCredential baseCredential = null; PlatformCredential baseCredential = null;
List<SupplyChainValidation> validations = new LinkedList<>(); List<SupplyChainValidation> validations = new LinkedList<>();
Map<SupplyChainValidation.ValidationType,
SupplyChainValidation> validationTypeMap = new HashMap<>();
Map<PlatformCredential, SupplyChainValidation> deltaMapping = new HashMap<>(); Map<PlatformCredential, SupplyChainValidation> deltaMapping = new HashMap<>();
// Validate the Endorsement Credential // Validate the Endorsement Credential
if (policy.isEcValidationEnabled()) { if (policy.isEcValidationEnabled()) {
validationTypeMap.put(SupplyChainValidation.ValidationType.ENDORSEMENT_CREDENTIAL, validations.add(validateEndorsementCredential(ec, acceptExpiredCerts));
validateEndorsementCredential(ec, acceptExpiredCerts));
// store the device with the credential // store the device with the credential
if (null != ec) { if (null != ec) {
ec.setDevice(device); ec.setDevice(device);
@ -125,9 +122,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
// Ensure there are platform credentials to validate // Ensure there are platform credentials to validate
if (pcs == null || pcs.isEmpty()) { if (pcs == null || pcs.isEmpty()) {
LOGGER.error("There were no Platform Credentials to validate."); LOGGER.error("There were no Platform Credentials to validate.");
validationTypeMap.put(SupplyChainValidation validations.add(buildValidationRecord(
.ValidationType.PLATFORM_CREDENTIAL,
buildValidationRecord(
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL, SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
AppraisalStatus.Status.FAIL, AppraisalStatus.Status.FAIL,
"Platform credential(s) missing", null, Level.ERROR)); "Platform credential(s) missing", null, Level.ERROR));
@ -145,14 +140,14 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
platformScv = validatePcPolicy(pc, platformScv, platformScv = validatePcPolicy(pc, platformScv,
deltaMapping, acceptExpiredCerts); deltaMapping, acceptExpiredCerts);
validationTypeMap.put(SupplyChainValidation validations.add(platformScv);
.ValidationType.PLATFORM_CREDENTIAL, validations.addAll(deltaMapping.values());
platformScv);
pc.setDevice(device);
this.certificateManager.update(pc);
if (pc.isBase()) { if (pc.isBase()) {
baseCredential = pc; baseCredential = pc;
} }
pc.setDevice(device);
this.certificateManager.update(pc);
} }
} }
} }
@ -163,33 +158,34 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
// Ensure there are platform credentials to validate // Ensure there are platform credentials to validate
if (pcs == null || pcs.isEmpty()) { if (pcs == null || pcs.isEmpty()) {
LOGGER.error("There were no Platform Credentials to validate attributes."); LOGGER.error("There were no Platform Credentials to validate attributes.");
validationTypeMap.put(SupplyChainValidation validations.add(buildValidationRecord(
.ValidationType.PLATFORM_CREDENTIAL,
buildValidationRecord(
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL, SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
AppraisalStatus.Status.FAIL, AppraisalStatus.Status.FAIL,
"Platform credential(s) missing.\nPlatform credential(s) missing." "Platform credential(s) missing."
+ " Cannot validate attributes", + " Cannot validate attributes",
null, Level.ERROR)); null, Level.ERROR));
} else { } else {
Iterator<PlatformCredential> it = pcs.iterator(); Iterator<PlatformCredential> it = pcs.iterator();
while (it.hasNext()) { while (it.hasNext()) {
PlatformCredential pc = it.next(); PlatformCredential pc = it.next();
SupplyChainValidation attributeScv;
if (baseCredential == null || pc == baseCredential) {
attributeScv = validatePlatformCredentialAttributes(
pc, device.getDeviceInfo(), ec);
validationTypeMap.put(SupplyChainValidation
.ValidationType.PLATFORM_CREDENTIAL,
attributeScv);
}
if (pc != null && pc.isDeltaChain()) {
validateDeltaPlatformCredentialAttributes(
pc, device.getDeviceInfo(), baseCredential, deltaMapping);
}
if (pc != null) { if (pc != null) {
if (pc.isDeltaChain()) {
// this check validates the delta changes and recompares
// the modified list to the original.
SupplyChainValidation subPlatformScv
= validateDeltaPlatformCredentialAttributes(
pc, device.getDeviceInfo(),
baseCredential, deltaMapping);
validations.add(subPlatformScv);
} else {
SupplyChainValidation attributeScv =
validatePlatformCredentialAttributes(
pc, device.getDeviceInfo(), ec);
validations.add(attributeScv);
}
pc.setDevice(device); pc.setDevice(device);
this.certificateManager.update(pc); this.certificateManager.update(pc);
} }
@ -197,14 +193,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
} }
} }
if (!validationTypeMap.isEmpty()) {
validations.addAll(validationTypeMap.values());
}
if (!deltaMapping.isEmpty()) {
validations.addAll(deltaMapping.values());
}
// Generate validation summary, save it, and return it. // Generate validation summary, save it, and return it.
SupplyChainValidationSummary summary = SupplyChainValidationSummary summary =
new SupplyChainValidationSummary(device, validations); new SupplyChainValidationSummary(device, validations);
@ -248,30 +236,33 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
message, pc, Level.ERROR); message, pc, Level.ERROR);
} }
// Grab all certs associated with this platform chain // only do check if this is a base certificate
List<PlatformCredential> chainCertificates = PlatformCredential if (pc.isBase()) {
.select(certificateManager) // Grab all certs associated with this platform chain
.byBoardSerialNumber(pc.getPlatformSerial()) List<PlatformCredential> chainCertificates = PlatformCredential
.getCertificates().stream().collect(Collectors.toList()); .select(certificateManager)
Collections.sort(chainCertificates, .byBoardSerialNumber(pc.getPlatformSerial())
new Comparator<PlatformCredential>() { .getCertificates().stream().collect(Collectors.toList());
@Override Collections.sort(chainCertificates,
public int compare(final PlatformCredential obj1, new Comparator<PlatformCredential>() {
final PlatformCredential obj2) { @Override
return obj1.getBeginValidity() public int compare(final PlatformCredential obj1,
.compareTo(obj2.getBeginValidity()); final PlatformCredential obj2) {
} return obj1.getBeginValidity()
}); .compareTo(obj2.getBeginValidity());
}
});
SupplyChainValidation deltaScv; SupplyChainValidation deltaScv;
KeyStore trustedCa; KeyStore trustedCa;
// verify that the deltas trust chain is valid. // verify that the deltas trust chain is valid.
for (PlatformCredential delta : chainCertificates) { for (PlatformCredential delta : chainCertificates) {
if (delta != null && !delta.isBase()) { if (delta != null && !delta.isBase()) {
trustedCa = getCaChain(delta); trustedCa = getCaChain(delta);
deltaScv = validatePlatformCredential( deltaScv = validatePlatformCredential(
delta, trustedCa, acceptExpiredCerts); delta, trustedCa, acceptExpiredCerts);
deltaMapping.put(delta, deltaScv); deltaMapping.put(delta, deltaScv);
}
} }
} }
} }

9
HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/validation-reports.jsp
View File

@ -37,7 +37,6 @@
<tr> <tr>
<th style="text-align:center">Endorsement</th> <th style="text-align:center">Endorsement</th>
<th style="text-align:center">Platform</th> <th style="text-align:center">Platform</th>
<th></th>
</tr> </tr>
</thead> </thead>
</table> </table>
@ -111,14 +110,6 @@
return getValidationDisplayHtml(full, "PLATFORM_CREDENTIAL") return getValidationDisplayHtml(full, "PLATFORM_CREDENTIAL")
} }
}, },
{
data: 'id',
searchable: false,
orderable: false,
render: function (data, type, full, meta) {
return getValidationDisplayHtml(full, "PLATFORM_CREDENTIAL_ATTRIBUTES")
}
},
]; ];
//Set data tables //Set data tables