diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index b9a2415c..4bc71471 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -1467,8 +1467,8 @@ public abstract class AbstractAttestationCertificateAuthority // save issued certificate IssuedAttestationCertificate attCert = new IssuedAttestationCertificate( derEncodedAttestationCertificate, endorsementCredential, platformCredentials); - attCert.setPcrValues(pcrValues); attCert.setDevice(device); + attCert.setPcrValues(pcrValues); certificateManager.save(attCert); } catch (Exception e) { LOG.error("Error saving generated Attestation Certificate to database.", e); diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 3939ef0a..4858b716 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java @@ -9,6 +9,7 @@ import java.security.cert.CertificateException; import hirs.data.persist.TPMMeasurementRecord; import hirs.data.persist.SwidResource; import hirs.data.persist.PCRPolicy; +import hirs.data.persist.ArchivableEntity; import hirs.validation.SupplyChainCredentialValidator; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; 
@@ -215,10 +216,13 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe // if both trust store and attributes validated or failed // combine messages validations.remove(platformScv); + List aes = new ArrayList<>(); + for (Certificate cert : platformScv.getCertificatesUsed()) { + aes.add(cert); + } validations.add(new SupplyChainValidation( platformScv.getValidationType(), - platformScv.getResult(), - platformScv.getCertificatesUsed(), + platformScv.getResult(), aes, String.format("%s%n%s", platformScv.getMessage(), attributeScv.getMessage()))); } @@ -235,14 +239,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe if (policy.isFirmwareValidationEnabled()) { // may need to associated with device to pull the correct info // compare tpm quote with what is pulled from RIM associated file - IssuedAttestationCertificate attCert = IssuedAttestationCertificate - .select(this.certificateManager) - .byDeviceId(device.getId()).getCertificate(); - PlatformCredential pc = PlatformCredential - .select(this.certificateManager) - .byDeviceId(device.getId()).getCertificate(); - - validations.add(validateFirmware(pc, attCert, policy.getPcrPolicy())); + validations.add(validateFirmware(device, policy.getPcrPolicy())); } // Generate validation summary, save it, and return it. @@ -255,7 +252,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe try { supplyChainValidatorSummaryManager.save(summary); } catch (DBManagerException ex) { - LOGGER.error("Failed to save Supply chain summary", ex); + LOGGER.error("Failed to save Supply Chain summary", ex); } return summary; } 
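Review bot: The new `aes` list is a manual element-by-element copy of `platformScv.getCertificatesUsed()`, and its only apparent purpose is to change the list's element type for the widened SupplyChainValidation constructor (generic arguments look stripped in this rendering, so that is inferred). `new ArrayList<>(platformScv.getCertificatesUsed())` does the same in one line, and widening the constructor parameter to `List<? extends ArchivableEntity>` would remove the need for a copy at every call site. The enclosing method begins before this hunk.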
@@ -316,33 +313,35 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe return subPlatformScv; } - private SupplyChainValidation validateFirmware(final PlatformCredential pc, - final IssuedAttestationCertificate attCert, final PCRPolicy pcrPolicy) { + private SupplyChainValidation validateFirmware(final Device device, + final PCRPolicy pcrPolicy) { - ReferenceManifest rim; String[] baseline = new String[Integer.SIZE]; Level level = Level.ERROR; AppraisalStatus fwStatus = null; + String manufacturer = device.getDeviceInfo() + .getHardwareInfo().getManufacturer(); - if (pc != null) { - rim = ReferenceManifest.select( - this.referenceManifestManager) - .byManufacturer(pc.getManufacturer()) - .getRIM(); + IssuedAttestationCertificate attCert = IssuedAttestationCertificate + .select(this.certificateManager) + .byDeviceId(device.getId()).getCertificate(); + ReferenceManifest rim = ReferenceManifest.select( + this.referenceManifestManager) + .byManufacturer(manufacturer) + .getRIM(); - if (rim == null) { - fwStatus = new AppraisalStatus(FAIL, - String.format("Firmware validation failed: " - + "No associated RIM file could be found for %s", - pc.getManufacturer())); - } else { - List swids = rim.parseResource(); - for (SwidResource swid : swids) { - baseline = swid.getPcrValues() - .toArray(new String[swid.getPcrValues().size()]); - } - pcrPolicy.setBaselinePcrs(baseline); + if (rim == null) { + fwStatus = new AppraisalStatus(FAIL, + String.format("Firmware validation failed: " + + "No associated RIM file could be found for %s", + manufacturer)); + } else { + List swids = rim.parseResource(); + for (SwidResource swid : swids) { + baseline = swid.getPcrValues() + .toArray(new String[swid.getPcrValues().size()]); } + pcrPolicy.setBaselinePcrs(baseline); } if (attCert != null && fwStatus == null) { 
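Review bot: The RIM used as the firmware baseline is now chosen by `device.getDeviceInfo().getHardwareInfo().getManufacturer()`, a value reported by the client, whereas the removed code took it from the PlatformCredential (`pc.getManufacturer()`), i.e. from a signed credential. A client that can influence its reported manufacturer can therefore pick which manufacturer's RIM its PCR quote is compared against; unless DeviceInfo is cross-checked against the platform credential elsewhere, the manufacturer should still be derived from the PlatformCredential looked up by device id, or at minimum the validation should fail closed when the reported manufacturer is null or blank. The chained getters also have no null guard — the old `if (pc != null)` check is gone, so a device without a DeviceInfoReport would throw a NullPointerException here instead of producing a FAIL record. The `for (SwidResource swid : swids)` loop overwrites `baseline` on every iteration, so only the last resource's PCR values are kept; that is carried over from the old code but deserves a comment or a fix. The method continues past the end of this hunk.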
@@ -352,7 +351,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe String[] quote = new String[TPMMeasurementRecord.MAX_PCR_ID + 1]; int offset = 0; - StringBuilder sb; fwStatus = new AppraisalStatus(PASS, SupplyChainCredentialValidator.FIRMWARE_VALID); @@ -375,7 +373,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe quote[i] = pcrs256[i + offset].split(":")[1].trim(); } } - sb = pcrPolicy.validatePcrs(quote); + StringBuilder sb = pcrPolicy.validatePcrs(quote); if (sb.length() > 0) { level = Level.ERROR; fwStatus = new AppraisalStatus(FAIL, sb.toString()); @@ -388,7 +386,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe } return buildValidationRecord(SupplyChainValidation.ValidationType.FIRMWARE, - fwStatus.getAppStatus(), fwStatus.getMessage(), pc, level); + fwStatus.getAppStatus(), fwStatus.getMessage(), rim, level); } private SupplyChainValidation validateEndorsementCredential(final EndorsementCredential ec, 
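Review bot: The quote parsing just above the moved `StringBuilder sb = pcrPolicy.validatePcrs(quote);` line, `quote[i] = pcrs256[i + offset].split(":")[1].trim();`, indexes `[1]` without checking that the client-supplied PCR line actually contains a colon, so a malformed quote escapes validateFirmware as an ArrayIndexOutOfBoundsException rather than ending in a FAIL record. That line is unchanged context, but since this commit reworks the surrounding method it is the place to harden it, e.g. `String[] parts = pcrs256[i + offset].split(":", 2); if (parts.length < 2) { fwStatus = new AppraisalStatus(FAIL, "Malformed PCR line: " + pcrs256[i + offset]); break; }`. If `validatePcrs` can return null, `sb.length()` on the next line would also need a guard; I cannot see its contract from here. The enclosing method starts before this hunk.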
@@ -516,22 +514,22 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe * @param validationType the type of validation * @param result the appraisal status * @param message the validation message to include in the summary and log - * @param certificate the certificate associated with the validation + * @param archivableEntity the archivableEntity associated with the validation * @param logLevel the log level * @return a SupplyChainValidation */ private SupplyChainValidation buildValidationRecord( final SupplyChainValidation.ValidationType validationType, final AppraisalStatus.Status result, final String message, - final Certificate certificate, final Level logLevel) { + final ArchivableEntity archivableEntity, final Level logLevel) { - List certificateList = new ArrayList<>(); - if (certificate != null) { - certificateList.add(certificate); + List aeList = new ArrayList<>(); + if (archivableEntity != null) { + aeList.add(archivableEntity); } LOGGER.log(logLevel, message); - return new SupplyChainValidation(validationType, result, certificateList, message); + return new SupplyChainValidation(validationType, result, aeList, message); } /** diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/validation-reports.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/validation-reports.jsp index c57315df..530d4f3c 100644 --- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/validation-reports.jsp +++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/validation-reports.jsp @@ -43,83 +43,83 @@ diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidation.java b/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidation.java index d9ec278e..20455738 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidation.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidation.java 
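Review bot: The `@param archivableEntity` Javadoc says only that it is "the archivableEntity associated with the validation", but the SupplyChainValidation constructor this record feeds (further down in this diff) accepts only a ReferenceManifest, whose id becomes `rimId`, or a Certificate, and casts anything else to Certificate. Suggest stating that contract here: `@param archivableEntity the Certificate or ReferenceManifest associated with the validation, or null; other entity types are rejected by SupplyChainValidation`. A caller passing some other ArchivableEntity would otherwise only find out at runtime.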
@@ -11,6 +11,7 @@ import javax.persistence.JoinTable; import javax.persistence.ManyToMany; import java.util.Collections; import java.util.List; +import java.util.ArrayList; /** * Stores results of a single element of the supply chain validation process. @@ -56,6 +57,9 @@ public class SupplyChainValidation extends ArchivableEntity { @Column(length = MAX_MESSAGE_LENGTH) private final String message; + @Column + private String rimId; + /** * Default constructor necessary for Hibernate. */ @@ -64,6 +68,7 @@ public class SupplyChainValidation extends ArchivableEntity { this.validationResult = AppraisalStatus.Status.ERROR; this.certificatesUsed = Collections.emptyList(); this.message = null; + this.rimId = ""; } /** @@ -76,7 +81,7 @@ public class SupplyChainValidation extends ArchivableEntity { */ public SupplyChainValidation(final ValidationType validationType, final AppraisalStatus.Status validationResult, - final List certificatesUsed, + final List certificatesUsed, final String message) { Preconditions.checkArgument( validationType != null, @@ -90,7 +95,17 @@ public class SupplyChainValidation extends ArchivableEntity { this.validationType = validationType; this.validationResult = validationResult; - this.certificatesUsed = certificatesUsed; + this.certificatesUsed = new ArrayList<>(); + this.rimId = ""; + for (ArchivableEntity ae : certificatesUsed) { + if (ae instanceof ReferenceManifest) { + this.rimId = ae.getId().toString(); + break; + } else { + this.certificatesUsed.add((Certificate) ae); + } + } + this.message = message; } @@ -121,4 +136,11 @@ public class SupplyChainValidation extends ArchivableEntity { public String getMessage() { return message; } + + /** + * @return Getter for the Rim ID. + */ + public String getRimId() { + return rimId; + } } diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidationSummary.java b/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidationSummary.java index 99c89829..84399c2c 100644 
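Review bot: `rimId` is stored as a bare `String` column holding the RIM's UUID rather than as an association like `certificatesUsed`, so nothing ties the validation row to the ReferenceManifest row: deleting or archiving the RIM leaves a dangling id and reports cannot join back to it. If storing by value is intentional (for instance so the record survives RIM removal), a comment on the field would save the next reader from "fixing" it, e.g. `// UUID of the ReferenceManifest used as the firmware baseline; stored by value, not as a join, so it survives RIM removal`. The class declaration is outside this hunk.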
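Review bot: The `break` after the first ReferenceManifest ends the loop, so any Certificate that follows the RIM in `certificatesUsed` is silently dropped, and the unconditional `(Certificate) ae` cast turns any other ArchivableEntity into a ClassCastException at construction time. Since the parameter was widened to ArchivableEntity, the constructor should handle each element explicitly: record the RIM id, add certificates, and reject anything else with an IllegalArgumentException in the same spirit as the Preconditions checks above. It also calls `ae.getId()` on the RIM, which is presumably non-null because the RIM comes from the manager but would throw for an unpersisted manifest. The constructor begins before this hunk.
```java
        this.certificatesUsed = new ArrayList<>();
        this.rimId = "";
        for (ArchivableEntity ae : certificatesUsed) {
            if (ae instanceof ReferenceManifest) {
                // first RIM wins, but keep scanning so certificates after it are not lost
                if (this.rimId.isEmpty() && ae.getId() != null) {
                    this.rimId = ae.getId().toString();
                }
            } else if (ae instanceof Certificate) {
                this.certificatesUsed.add((Certificate) ae);
            } else {
                throw new IllegalArgumentException(
                        "Unsupported validation artifact: " + ae.getClass().getName());
            }
        }
        this.message = message;
```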
--- a/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidationSummary.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/SupplyChainValidationSummary.java @@ -186,7 +186,6 @@ public class SupplyChainValidationSummary extends ArchivableEntity { "Cannot construct a SupplyChainValidationSummary with a null validations list" ); - this.device = device; AppraisalStatus status = calculateValidationResult(validations); this.overallValidationResult = status.getAppStatus(); @@ -243,7 +242,7 @@ public class SupplyChainValidationSummary extends ArchivableEntity { validation.getMessage()); case FAIL: hasAnyFailures = true; - failureMsg.append(validation.getMessage()); + failureMsg.append(String.format("%s%n", validation.getValidationType())); break; default: break; diff --git a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java index 63ebe14a..addf6d15 100644 --- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java +++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java @@ -55,8 +55,8 @@ import java.util.stream.Collectors; import static hirs.data.persist.AppraisalStatus.Status.ERROR; import static hirs.data.persist.AppraisalStatus.Status.FAIL; import static hirs.data.persist.AppraisalStatus.Status.PASS; +import hirs.data.persist.ArchivableEntity; import hirs.data.persist.SupplyChainValidation; -import hirs.data.persist.certificate.Certificate; import hirs.data.persist.certificate.attributes.V2.ComponentIdentifierV2; import java.util.Collections; import java.util.Comparator; @@ -592,7 +592,7 @@ public final class SupplyChainCredentialValidator implements CredentialValidator }); String ciSerial; - List certificateList = null; + List certificateList = null; SupplyChainValidation scv = null; resultMessage.append("There are errors with Delta " + "Component Statuses components:\n"); 
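Review bot: This hunk deletes `this.device = device;` from the SupplyChainValidationSummary constructor without adding it back, so the `device` parameter is still null-checked by the Preconditions above but never stored, and every summary persisted after this change carries a null device unless the constructor assigns it again somewhere outside the hunk. Anything that selects summaries by device — the validation report page and the `byDeviceId` lookups elsewhere in this diff rely on that association — would then come back empty. Restore the assignment, e.g. `this.device = device;` next to the `overallValidationResult` assignment. The constructor starts before this hunk.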
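Review bot: `failureMsg` now appends only `validation.getValidationType()` for each FAIL, so the summary's message names which steps failed but no longer says why; the detailed reason survives only in the individual SupplyChainValidation rows. If the short form is deliberate for the report table, a comment such as `// summary lists failed validation types only; per-step messages hold the details` would make that clear; otherwise `failureMsg.append(String.format("%s: %s%n", validation.getValidationType(), validation.getMessage()));` keeps both. The enclosing switch and method extend beyond this hunk.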
diff --git a/HIRS_Utils/src/test/java/hirs/data/persist/SupplyChainValidationSummaryTest.java b/HIRS_Utils/src/test/java/hirs/data/persist/SupplyChainValidationSummaryTest.java index f35d5e6b..f4b96d8d 100644 --- a/HIRS_Utils/src/test/java/hirs/data/persist/SupplyChainValidationSummaryTest.java +++ b/HIRS_Utils/src/test/java/hirs/data/persist/SupplyChainValidationSummaryTest.java @@ -22,7 +22,7 @@ import java.util.List; public class SupplyChainValidationSummaryTest extends SpringPersistenceTest { private Device device; private DeviceGroup deviceGroup; - private List certificates; + private List certificates; /** * Create a session factory to use for persistence testing and persist some certificates @@ -34,8 +34,8 @@ public class SupplyChainValidationSummaryTest extends SpringPersistenceTest { public void setup() throws Exception { certificates = CertificateTest.getAllTestCertificates(); DBCertificateManager certMan = new DBCertificateManager(sessionFactory); - for (Certificate cert : certificates) { - certMan.save(cert); + for (ArchivableEntity cert : certificates) { + certMan.save((Certificate) cert); } deviceGroup = new DeviceGroup("TestDeviceGroup", "TestDeviceGroupDescription"); @@ -54,8 +54,8 @@ public class SupplyChainValidationSummaryTest extends SpringPersistenceTest { @AfterClass public void teardown() { DBCertificateManager certManager = new DBCertificateManager(sessionFactory); - for (Certificate cert : certificates) { - certManager.deleteCertificate(cert); + for (ArchivableEntity cert : certificates) { + certManager.deleteCertificate((Certificate) cert); } } @@ -233,7 +233,7 @@ public class SupplyChainValidationSummaryTest extends SpringPersistenceTest { SupplyChainValidationSummary.class, sessionFactory ); - List singleCert = certificates.subList(0, 1); + List singleCert = certificates.subList(0, 1); SupplyChainValidationSummary smallSummary = getTestSummary( 1, 
@@ -304,7 +304,7 @@ public class SupplyChainValidationSummaryTest extends SpringPersistenceTest { private SupplyChainValidationSummary getTestSummary( final int numberOfValidations, final int numFail, - final List certificates + final List certificates ) { SupplyChainValidation.ValidationType[] validationTypes = SupplyChainValidation.ValidationType.values(); diff --git a/HIRS_Utils/src/test/java/hirs/data/persist/SupplyChainValidationTest.java b/HIRS_Utils/src/test/java/hirs/data/persist/SupplyChainValidationTest.java index e6e3f601..f4135844 100644 --- a/HIRS_Utils/src/test/java/hirs/data/persist/SupplyChainValidationTest.java +++ b/HIRS_Utils/src/test/java/hirs/data/persist/SupplyChainValidationTest.java @@ -6,7 +6,6 @@ import hirs.data.persist.certificate.CertificateTest; import java.io.IOException; import java.util.List; -import hirs.data.persist.certificate.Certificate; /** * Simple tests for the {@link SupplyChainValidation} class. Tests for the persistence of this @@ -106,7 +105,7 @@ public class SupplyChainValidationTest { public static SupplyChainValidation getTestSupplyChainValidation( final SupplyChainValidation.ValidationType type, final AppraisalStatus.Status result, - final List certificates) { + final List certificates) { return new SupplyChainValidation( type, result, diff --git a/HIRS_Utils/src/test/java/hirs/data/persist/certificate/CertificateTest.java b/HIRS_Utils/src/test/java/hirs/data/persist/certificate/CertificateTest.java index 68452a0a..f0fe3a1e 100644 --- a/HIRS_Utils/src/test/java/hirs/data/persist/certificate/CertificateTest.java +++ b/HIRS_Utils/src/test/java/hirs/data/persist/certificate/CertificateTest.java @@ -1,5 +1,6 @@ package hirs.data.persist.certificate; +import hirs.data.persist.ArchivableEntity; import hirs.data.persist.certificate.Certificate.CertificateType; import org.bouncycastle.cert.X509AttributeCertificateHolder; import org.testng.Assert; 
@@ -524,7 +525,7 @@ public class CertificateTest { * @return the newly-constructed Certificate * @throws IOException if there is a problem constructing the test certificate */ - public static Certificate getTestCertificate( + public static Certificate getTestCertificate( final Class certificateClass, final String filename) throws IOException { return getTestCertificate(certificateClass, filename, null, null); @@ -541,7 +542,7 @@ public class CertificateTest { * @return the newly-constructed Certificate * @throws IOException if there is a problem constructing the test certificate */ - public static Certificate getTestCertificate( + public static Certificate getTestCertificate( final Class certificateClass, final String filename, final EndorsementCredential endorsementCredential, final Set platformCredentials) @@ -579,7 +580,7 @@ public class CertificateTest { * @return a list of all test certificates * @throws IOException if there is a problem deserializing certificates */ - public static List getAllTestCertificates() throws IOException { + public static List getAllTestCertificates() throws IOException { return Arrays.asList( getTestCertificate(CertificateAuthorityCredential.class, FAKE_SGI_INT_CA_FILE), getTestCertificate(CertificateAuthorityCredential.class, FAKE_INTEL_INT_CA_FILE), diff --git a/HIRS_Utils/src/test/java/hirs/validation/SupplyChainCredentialValidatorTest.java b/HIRS_Utils/src/test/java/hirs/validation/SupplyChainCredentialValidatorTest.java index d16cf223..75309c2b 100644 --- a/HIRS_Utils/src/test/java/hirs/validation/SupplyChainCredentialValidatorTest.java +++ b/HIRS_Utils/src/test/java/hirs/validation/SupplyChainCredentialValidatorTest.java @@ -2,6 +2,7 @@ package hirs.validation; import hirs.client.collector.DeviceInfoCollector; import hirs.data.persist.AppraisalStatus; +import hirs.data.persist.ArchivableEntity; import hirs.data.persist.info.ComponentInfo; import hirs.data.persist.DeviceInfoReport; import hirs.data.persist.info.FirmwareInfo; 
@@ -2097,7 +2098,7 @@ public class SupplyChainCredentialValidatorTest { when(delta2.getComponentIdentifiers()).thenReturn(delta2List); Map chainCredentials = new HashMap<>(0); - List certsUsed = new ArrayList<>(); + List certsUsed = new ArrayList<>(); certsUsed.add(base); chainCredentials.put(base, new SupplyChainValidation( SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL, @@ -2202,7 +2203,7 @@ public class SupplyChainCredentialValidatorTest { when(delta1.getComponentIdentifiers()).thenReturn(delta1List); Map chainCredentials = new HashMap<>(0); - List certsUsed = new ArrayList<>(); + List certsUsed = new ArrayList<>(); certsUsed.add(base); chainCredentials.put(base, new SupplyChainValidation( SupplyChainValidation.ValidationType.PLATFORM_CREDENTIAL,