ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-19 04:58:00 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

[#181] Validation systemcheck fix (#182)

Browse Source 
* The base certificate is getting a failure when the delta fixed the problem.  The code is being modified to ignore the attribute validation of the base certificate and redo the trust chain check.  The code now has a cleaner platform evaluation set up and store.
This commit is contained in:
Cyrus 2019-08-21 10:52:40 -04:00 committed by GitHub
parent db2f80edb9
commit c3e02825f4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 51 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
View File

@ -105,14 +105,11 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
boolean acceptExpiredCerts = policy.isExpiredCertificateValidationEnabled();
PlatformCredential baseCredential = null;
List<SupplyChainValidation> validations = new LinkedList<>();
Map<SupplyChainValidation.ValidationType,
SupplyChainValidation> validationTypeMap = new HashMap<>();
Map<PlatformCredential, SupplyChainValidation> deltaMapping = new HashMap<>();
// Validate the Endorsement Credential
if (policy.isEcValidationEnabled()) {
validationTypeMap.put(SupplyChainValidation.ValidationType.ENDORSEMENT_CREDENTIAL,
validateEndorsementCredential(ec, acceptExpiredCerts));
validations.add(validateEndorsementCredential(ec, acceptExpiredCerts));
// store the device with the credential
if (null != ec) {
ec.setDevice(device);
@ -125,9 +122,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
// Ensure there are platform credentials to validate
if (pcs == null || pcs.isEmpty()) {
LOGGER.error("There were no Platform Credentials to validate.");
validationTypeMap.put(SupplyChainValidation
.ValidationType.PLATFORM_CREDENTIAL,
buildValidationRecord(
validations.add(buildValidationRecord(
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
AppraisalStatus.Status.FAIL,
"Platform credential(s) missing", null, Level.ERROR));
@ -145,14 +140,14 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
platformScv = validatePcPolicy(pc, platformScv,
deltaMapping, acceptExpiredCerts);
validationTypeMap.put(SupplyChainValidation
.ValidationType.PLATFORM_CREDENTIAL,
platformScv);
pc.setDevice(device);
this.certificateManager.update(pc);
validations.add(platformScv);
validations.addAll(deltaMapping.values());
if (pc.isBase()) {
baseCredential = pc;
}
pc.setDevice(device);
this.certificateManager.update(pc);
}
}
}
@ -163,33 +158,34 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
// Ensure there are platform credentials to validate
if (pcs == null || pcs.isEmpty()) {
LOGGER.error("There were no Platform Credentials to validate attributes.");
validationTypeMap.put(SupplyChainValidation
.ValidationType.PLATFORM_CREDENTIAL,
buildValidationRecord(
validations.add(buildValidationRecord(
SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,
AppraisalStatus.Status.FAIL,
"Platform credential(s) missing.\nPlatform credential(s) missing."
"Platform credential(s) missing."
+ " Cannot validate attributes",
null, Level.ERROR));
} else {
Iterator<PlatformCredential> it = pcs.iterator();
while (it.hasNext()) {
PlatformCredential pc = it.next();
SupplyChainValidation attributeScv;
if (baseCredential == null || pc == baseCredential) {
attributeScv = validatePlatformCredentialAttributes(
pc, device.getDeviceInfo(), ec);
validationTypeMap.put(SupplyChainValidation
.ValidationType.PLATFORM_CREDENTIAL,
attributeScv);
}
if (pc != null && pc.isDeltaChain()) {
validateDeltaPlatformCredentialAttributes(
pc, device.getDeviceInfo(), baseCredential, deltaMapping);
}
if (pc != null) {
if (pc.isDeltaChain()) {
// this check validates the delta changes and recompares
// the modified list to the original.
SupplyChainValidation subPlatformScv
= validateDeltaPlatformCredentialAttributes(
pc, device.getDeviceInfo(),
baseCredential, deltaMapping);
validations.add(subPlatformScv);
} else {
SupplyChainValidation attributeScv =
validatePlatformCredentialAttributes(
pc, device.getDeviceInfo(), ec);
validations.add(attributeScv);
}
pc.setDevice(device);
this.certificateManager.update(pc);
}
@ -197,14 +193,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
}
}
if (!validationTypeMap.isEmpty()) {
validations.addAll(validationTypeMap.values());
}
if (!deltaMapping.isEmpty()) {
validations.addAll(deltaMapping.values());
}
// Generate validation summary, save it, and return it.
SupplyChainValidationSummary summary =
new SupplyChainValidationSummary(device, validations);
@ -248,6 +236,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
message, pc, Level.ERROR);
}
// only do check if this is a base certificate
if (pc.isBase()) {
// Grab all certs associated with this platform chain
List<PlatformCredential> chainCertificates = PlatformCredential
.select(certificateManager)
@ -275,6 +265,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
}
}
}
}
return subPlatformScv;
}

9
HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/validation-reports.jsp
View File

@ -37,7 +37,6 @@
<tr>
<th style="text-align:center">Endorsement</th>
<th style="text-align:center">Platform</th>
<th></th>
</tr>
</thead>
</table>
@ -111,14 +110,6 @@
return getValidationDisplayHtml(full, "PLATFORM_CREDENTIAL")
}
},
{
data: 'id',
searchable: false,
orderable: false,
render: function (data, type, full, meta) {
return getValidationDisplayHtml(full, "PLATFORM_CREDENTIAL_ATTRIBUTES")
}
},
];
//Set data tables