Merge branch 'main' into v3_issue_793-spdm
commit
c4158f6885
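--- a/PATH-NOT-ON-PAGE/SupplyChainValidationSummaryRepository.java
+++ b/PATH-NOT-ON-PAGE/SupplyChainValidationSummaryRepository.java
@@ -1,12 +1,18 @@
 package hirs.attestationca.persist.entity.manager;
 
+import hirs.attestationca.persist.entity.userdefined.Device;
 import hirs.attestationca.persist.entity.userdefined.SupplyChainValidationSummary;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.Pageable;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.stereotype.Repository;
 
 import java.util.UUID;
+import java.util.List;
 
 @Repository
 public interface SupplyChainValidationSummaryRepository extends JpaRepository<SupplyChainValidationSummary, UUID> {
-SupplyChainValidationSummary findByDevice(String device);
+SupplyChainValidationSummary findByDevice(Device device);
+
+List<SupplyChainValidationSummary> findByArchiveFlagFalse();
+Page<SupplyChainValidationSummary> findByArchiveFlagFalse(Pageable pageable);
 }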
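Review bot: `findByDevice(Device device)` still returns a single summary, yet the same interface now adds an archive flag, which suggests a device can accumulate several summaries over time; a Spring Data derived query that matches more than one row fails at runtime instead of returning one. Either document the invariant that at most one summary row exists per device, or return a `List<SupplyChainValidationSummary>` (or use a `findFirstBy…` variant) and let the caller choose. The two `findByArchiveFlagFalse` methods have no Javadoc; a one-line comment such as `// archiveFlag == false selects the summaries still shown as current` would help readers.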
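--- a/PATH-NOT-ON-PAGE/Device.java
+++ b/PATH-NOT-ON-PAGE/Device.java
@@ -114,8 +114,8 @@ public class Device extends AbstractEntity {
 
 public String toString() {
 return String.format("Device Name: %s%nStatus: %s%nSummary: %s%n",
-name, healthStatus.getStatus(),
-supplyChainValidationStatus.toString());
+name, (healthStatus == null ? "N/A" : healthStatus.getStatus()),
+(supplyChainValidationStatus == null ? "N/A" : supplyChainValidationStatus.toString()));
 }
 
 @Override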
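Review bot: The two null guards in `toString` repeat the `== null ? "N/A" :` pattern inline inside the `String.format` argument list, which makes an already long call hard to scan. The second one is exactly `Objects.toString(supplyChainValidationStatus, "N/A")`; the first needs a local or a small private helper because it calls `getStatus()` on the non-null value. `toString` is complete within the hunk, but the enclosing class is not.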
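--- a/PATH-NOT-ON-PAGE/SupplyChainValidation.java
+++ b/PATH-NOT-ON-PAGE/SupplyChainValidation.java
@@ -105,10 +105,10 @@ public class SupplyChainValidation extends ArchivableEntity {
 this.certificatesUsed = new ArrayList<>();
 this.rimId = "";
 for (ArchivableEntity ae : certificatesUsed) {
-if (ae instanceof BaseReferenceManifest) {
+if (ae instanceof ReferenceManifest) {
 this.rimId = ae.getId().toString();
 break;
-} else {
+} else if (ae instanceof Certificate) {
 this.certificatesUsed.add((Certificate) ae);
 }
 }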
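Review bot: The new `else if (ae instanceof Certificate)` branch silently drops any element of `certificatesUsed` that is neither a `ReferenceManifest` nor a `Certificate`, where the old `else` would at least have failed loudly with a `ClassCastException`; if such entities are not expected, add a final `else` that logs or throws so the omission is visible. Widening the check from `BaseReferenceManifest` to `ReferenceManifest` also means the first RIM of any type now sets `rimId` and ends the loop — presumably intended, but worth a comment such as `// rimId records the first RIM of any type; remaining entries are not inspected`. The method containing this loop starts and ends outside the hunk.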
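--- a/PATH-NOT-ON-PAGE/EventLogMeasurements.java
+++ b/PATH-NOT-ON-PAGE/EventLogMeasurements.java
@@ -27,7 +27,7 @@ import java.util.Collection;
 */
 @Log4j2
 @Entity
-public class EventLogMeasurements extends ReferenceManifest {
+public class EventLogMeasurements extends SupportReferenceManifest {
 
 @Column
 @JsonIgnore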
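--- a/PATH-NOT-ON-PAGE/SupplyChainValidationService.java
+++ b/PATH-NOT-ON-PAGE/SupplyChainValidationService.java
@@ -11,10 +11,7 @@ import hirs.attestationca.persist.entity.manager.ReferenceDigestValueRepository;
 import hirs.attestationca.persist.entity.manager.ReferenceManifestRepository;
 import hirs.attestationca.persist.entity.manager.SupplyChainValidationRepository;
 import hirs.attestationca.persist.entity.manager.SupplyChainValidationSummaryRepository;
-import hirs.attestationca.persist.entity.userdefined.Device;
-import hirs.attestationca.persist.entity.userdefined.PolicySettings;
-import hirs.attestationca.persist.entity.userdefined.SupplyChainValidation;
-import hirs.attestationca.persist.entity.userdefined.SupplyChainValidationSummary;
+import hirs.attestationca.persist.entity.userdefined.*;
 import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult;
 import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential;
 import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
@@ -29,6 +26,7 @@ import lombok.extern.log4j.Log4j2;
 import org.apache.logging.log4j.Level;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import org.yaml.snakeyaml.events.Event;
 
 import java.security.KeyStore;
 import java.util.ArrayList;
@@ -322,8 +320,11 @@ public class SupplyChainValidationService {
 + "could be found for %s",
 deviceName));
 } else {
-eventLog = (EventLogMeasurements) referenceManifestRepository
-.findByHexDecHash(sRim.getEventLogHash());
+ReferenceManifest manifest = referenceManifestRepository
+.findByHexDecHashAndRimType(sRim.getEventLogHash(), ReferenceManifest.MEASUREMENT_RIM);
+if (manifest instanceof EventLogMeasurements) {
+eventLog = (EventLogMeasurements)manifest;
+}
 }
 if (eventLog == null) {
 fwStatus = new AppraisalStatus(FAIL,
@@ -359,7 +360,8 @@ public class SupplyChainValidationService {
 // Generate validation summary, save it, and return it.
 List<SupplyChainValidation> validations = new ArrayList<>();
 SupplyChainValidationSummary previous
-= this.supplyChainValidationSummaryRepository.findByDevice(deviceName);
+//= this.supplyChainValidationSummaryRepository.findByDevice(deviceName);
+= this.supplyChainValidationSummaryRepository.findByDevice(device);
 for (SupplyChainValidation scv : previous.getValidations()) {
 if (scv.getValidationType() != SupplyChainValidation.ValidationType.FIRMWARE) {
 validations.add(ValidationService.buildValidationRecord(scv.getValidationType(),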
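Review bot: The last hunk keeps the old lookup as a commented-out line, `//= this.supplyChainValidationSummaryRepository.findByDevice(deviceName);`, sitting between the declaration of `previous` and its initializer; delete it rather than leave dead code inside a statement. The second hunk adds `import org.yaml.snakeyaml.events.Event;`, which looks like an accidental IDE import since nothing in the visible hunks uses it, and the first hunk replaces four explicit imports with `hirs.attestationca.persist.entity.userdefined.*`, against the explicit-import style the rest of this file's imports follow. The result of the new `findByDevice(device)` call is still dereferenced as `previous.getValidations()` on the next line with no null check, so a device with no prior summary would fail with a `NullPointerException` if the repository returns null — confirm a summary is guaranteed to exist at this point. The methods around the third and fourth hunks start and end outside them.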
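--- a/PATH-NOT-ON-PAGE/FirmwareScvValidator.java
+++ b/PATH-NOT-ON-PAGE/FirmwareScvValidator.java
@@ -23,9 +23,8 @@ import java.nio.charset.StandardCharsets;
 import java.security.KeyStore;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
-import java.util.HashMap;
-import java.util.LinkedList;
-import java.util.List;
+import java.security.cert.X509Certificate;
+import java.util.*;
 
 import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL;
 import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS;
@@ -104,8 +103,27 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
 CertificateAuthorityCredential signingCert = null;
 for (CertificateAuthorityCredential cert : allCerts) {
 signingCert = cert;
-KeyStore keyStore = ValidationService.getCaChain(signingCert,
+KeyStore keyStore = null;
+Set<CertificateAuthorityCredential> set = ValidationService.getCaChainRec(signingCert,
+Collections.emptySet(),
 caCredentialRepository);
+try {
+keyStore = ValidationService.caCertSetToKeystore(set);
+} catch (Exception e) {
+log.error("Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": "
++ e.getMessage());
+}
+
+ArrayList<X509Certificate> certs = new ArrayList<>(set.size());
+for (CertificateAuthorityCredential cac : set) {
+try {
+certs.add(cac.getX509Certificate());
+} catch (IOException e) {
+log.error("Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": "
++ e.getMessage());
+}
+}
+referenceManifestValidator.setTrustStore(certs);
 try {
 if (referenceManifestValidator.validateXmlSignature(signingCert.getX509Certificate().getPublicKey(),
 signingCert.getSubjectKeyIdString(), signingCert.getEncodedPublicKey())) {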
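Review bot: A failure in `ValidationService.caCertSetToKeystore(set)` is only logged, after which the loop body carries on with `keyStore == null` and with whatever subset of `certs` survived the per-certificate `IOException` handling, so `setTrustStore(certs)` and the signature check that follows run against an incomplete trust store instead of failing closed for this candidate; after each catch, skip the candidate with `continue;`, and catch the specific exception type `caCertSetToKeystore` declares rather than `Exception`. Both `log.error` calls also discard the stack trace by appending only `e.getMessage()`; pass the exception as the last argument, `log.error("Error building CA chain for " + signingCert.getSubjectKeyIdentifier(), e);`. Where `keyStore` is consumed, and the method enclosing this loop, lie outside the hunk.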
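--- a/PATH-NOT-ON-PAGE/ValidationReportsPageController.java
+++ b/PATH-NOT-ON-PAGE/ValidationReportsPageController.java
@@ -122,7 +122,7 @@ public class ValidationReportsPageController extends PageController<NoPageParams
 FilteredRecordsList<SupplyChainValidationSummary> records = new FilteredRecordsList<>();
 int currentPage = input.getStart() / input.getLength();
 Pageable paging = PageRequest.of(currentPage, input.getLength(), Sort.by(orderColumnName));
-org.springframework.data.domain.Page<SupplyChainValidationSummary> pagedResult = supplyChainValidatorSummaryRepository.findAll(paging);
+org.springframework.data.domain.Page<SupplyChainValidationSummary> pagedResult = supplyChainValidatorSummaryRepository.findByArchiveFlagFalse(paging);
 
 if (pagedResult.hasContent()) {
 records.addAll(pagedResult.getContent());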
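Review bot: Switching the page query to `findByArchiveFlagFalse(paging)` changes which rows come back but not, as far as this hunk shows, the total-count values the `FilteredRecordsList` is filled with further down; if those are still derived from an unfiltered count, the table's pagination totals will disagree with the page contents — confirm the totals come from `pagedResult.getTotalElements()` or an equivalently archive-filtered count. The enclosing method starts and ends outside the hunk.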
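--- a/PATH-NOT-ON-PAGE/ReferenceManifestValidator.java
+++ b/PATH-NOT-ON-PAGE/ReferenceManifestValidator.java
@@ -241,6 +241,7 @@ public class ReferenceManifestValidator {
 if (embeddedCert != null) {
 if (isCertChainValid(embeddedCert)) {
 context = new DOMValidateContext(new X509KeySelector(), nodes.item(0));
+subjectKeyIdentifier = getCertificateSubjectKeyIdentifier(embeddedCert);
 }
 }
 } else {
@@ -465,6 +466,10 @@ public class ReferenceManifestValidator {
 for (X509Certificate trustedCert : trustStore) {
 boolean isIssuer = areYouMyIssuer(chainCert, trustedCert);
 boolean isSigner = areYouMySigner(chainCert, trustedCert);
+boolean itIsMe = areYouMe(chainCert, trustedCert);
+if (itIsMe) {
+continue;
+}
 if (isIssuer && isSigner) {
 if (isSelfSigned(trustedCert)) {
 log.info("Root CA found.");
@@ -490,6 +495,21 @@ public class ReferenceManifestValidator {
 return false;
 }
 
+/**
+* This method checks if cert's issuerDN matches issuer's subjectDN.
+* @param cert the signed certificate
+* @param issuer the signing certificate
+* @return true if they match, false if not
+* @throws Exception if either argument is null
+*/
+private boolean areYouMe(final X509Certificate cert, final X509Certificate issuer)
+throws Exception {
+if (cert == null || issuer == null) {
+throw new Exception("Cannot verify issuer, null certificate received");
+}
+return Arrays.equals(cert.getEncoded(), issuer.getEncoded());
+}
+
 /**
 * This method checks if cert's issuerDN matches issuer's subjectDN.
 * @param cert the signed certificate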
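Review bot: The Javadoc added for `areYouMe` in the third hunk is copied from the neighbouring method and describes an issuerDN/subjectDN comparison, but the method actually tests whether the two certificates are the same object on the wire via `Arrays.equals(cert.getEncoded(), issuer.getEncoded())`; the summary should read `* This method checks whether cert and issuer are the same certificate (identical DER encoding).` and the `@return` line `* @return true if the encodings are identical, false otherwise`, with the exception message likewise changed from "Cannot verify issuer" to say a null certificate was received. Declaring `throws Exception` and throwing a bare `Exception` for a null argument is broader than needed: `IllegalArgumentException` for the null check, letting `CertificateEncodingException` from `getEncoded()` propagate, tells callers what can actually go wrong. In the second hunk, the `continue` on `itIsMe` means a trust-store entry identical to `chainCert` is skipped rather than recognised as a root on that iteration — presumably to stop a certificate acting as its own issuer, but a one-line comment on the `continue` stating that intent would make it explicit. The chain-walking method around the second hunk starts and ends outside it.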