Initial Commit

This commit is contained in:
Cyrus 2020-10-29 08:58:37 -04:00
parent 525e4f6f6b
commit e1c3a1fc0f
7 changed files with 274 additions and 15 deletions
HIRS_AttestationCA/src/main/java/hirs/attestationca
HIRS_AttestationCAPortal/src/main
java/hirs/attestationca/portal
webapp/WEB-INF/jsp
HIRS_Utils/src/main/java/hirs/data/persist

View File

@ -13,6 +13,7 @@ import hirs.data.persist.EventLogMeasurements;
import hirs.data.persist.Device;
import hirs.data.persist.DeviceInfoReport;
import hirs.data.persist.ReferenceManifest;
import hirs.data.persist.SupplyChainPolicy;
import hirs.data.persist.SupportReferenceManifest;
import hirs.data.persist.SwidResource;
import hirs.data.persist.info.FirmwareInfo;
@ -108,7 +109,8 @@ public abstract class AbstractAttestationCertificateAuthority
protected static final Logger LOG = LogManager.getLogger(AttestationCertificateAuthority.class);
/**
* Defines the well known exponent. https://en.wikipedia.org/wiki/65537_(number)#Applications
* Defines the well known exponent.
* https://en.wikipedia.org/wiki/65537_(number)#Applications
*/
private static final BigInteger EXPONENT = new BigInteger("010001",
AttestationCertificateAuthority.DEFAULT_IV_SIZE);
@ -150,8 +152,8 @@ public abstract class AbstractAttestationCertificateAuthority
private final X509Certificate acaCertificate;
/**
* Container wired {@link StructConverter} to be used in serialization / deserialization of TPM
* data structures.
* Container wired {@link StructConverter} to be used in
* serialization / deserialization of TPM data structures.
*/
private final StructConverter structConverter;
@ -164,7 +166,7 @@ public abstract class AbstractAttestationCertificateAuthority
* Container wired application configuration property identifying the number of days that
* certificates issued by this ACA are valid for.
*/
private final Integer validDays;
private Integer validDays;
private final CertificateManager certificateManager;
private final ReferenceManifestManager referenceManifestManager;
@ -358,6 +360,9 @@ public abstract class AbstractAttestationCertificateAuthority
// generate the identity credential
LOG.debug("generating credential from identity proof");
// check the policy set valid date
SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
this.validDays = Integer.getInteger(scp.getValidityDays());
// transform the public key struct into a public key
PublicKey publicKey = assemblePublicKey(proof.getIdentityKey().getStorePubKey().getKey());
X509Certificate credential = generateCredential(publicKey, endorsementCredential,
@ -545,6 +550,9 @@ public abstract class AbstractAttestationCertificateAuthority
// Get device name and device
String deviceName = claim.getDv().getNw().getHostname();
Device device = deviceManager.getDevice(deviceName);
// check the policy set valid date
SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
this.validDays = Integer.parseInt(scp.getValidityDays());
// Parse through the Provisioner supplied TPM Quote and pcr values
// these fields are optional
@ -1647,12 +1655,25 @@ public abstract class AbstractAttestationCertificateAuthority
final EndorsementCredential endorsementCredential,
final Set<PlatformCredential> platformCredentials,
final Device device) {
IssuedAttestationCertificate issuedAc;
boolean validDate = false;
SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
try {
// save issued certificate
IssuedAttestationCertificate attCert = new IssuedAttestationCertificate(
derEncodedAttestationCertificate, endorsementCredential, platformCredentials);
attCert.setDevice(device);
certificateManager.save(attCert);
if (!scp.isIssueAttestationCertificate()) {
issuedAc = IssuedAttestationCertificate.select(certificateManager)
.byDeviceId(device.getId()).getCertificate();
if (issuedAc != null) {
validDate = issuedAc.isValidOn(attCert.getBeginValidity());
}
}
if (!validDate) {
attCert.setDevice(device);
certificateManager.save(attCert);
}
} catch (Exception e) {
LOG.error("Error saving generated Attestation Certificate to database.", e);
throw new CertificateProcessingException(

View File

@ -3,6 +3,7 @@ package hirs.attestationca.service;
import java.util.Set;
import hirs.data.persist.Device;
import hirs.data.persist.SupplyChainPolicy;
import hirs.data.persist.SupplyChainValidationSummary;
import hirs.data.persist.certificate.EndorsementCredential;
import hirs.data.persist.certificate.PlatformCredential;
@ -34,4 +35,10 @@ public interface SupplyChainValidationService {
* @return True if validation is successful, false otherwise.
*/
SupplyChainValidationSummary validateQuote(Device device);
/**
* Allows other service access to the policy information.
* @return supply chain policy
*/
SupplyChainPolicy getPolicy();
}

View File

@ -106,6 +106,17 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
this.supplyChainCredentialValidator = supplyChainCredentialValidator;
}
/**
* Allows other service access to the policy information.
* @return supply chain policy
*/
public SupplyChainPolicy getPolicy() {
final Appraiser supplyChainAppraiser = appraiserManager.getAppraiser(
SupplyChainAppraiser.NAME);
return (SupplyChainPolicy) policyManager.getDefaultPolicy(
supplyChainAppraiser);
}
/**
* The "main" method of supply chain validation. Takes the credentials from
* an identity request and validates the supply chain in accordance to the

View File

@ -13,6 +13,8 @@ public class PolicyPageModel {
private boolean enablePcCertificateValidation;
private boolean enablePcCertificateAttributeValidation;
private boolean enableFirmwareValidation;
private boolean issueAttestationCertificate;
private boolean generateOnExpiration;
private boolean enableIgnoreIma;
private boolean enableIgnoreTboot;
@ -21,6 +23,8 @@ public class PolicyPageModel {
private String pcAttributeValidate;
private String ecValidate;
private String fmValidate;
private String attestationCertificateIssued;
private String numOfValidDays;
private String ignoreIma;
private String ignoretBoot;
@ -34,6 +38,9 @@ public class PolicyPageModel {
this.enablePcCertificateValidation = policy.isPcValidationEnabled();
this.enablePcCertificateAttributeValidation = policy.isPcAttributeValidationEnabled();
this.enableFirmwareValidation = policy.isFirmwareValidationEnabled();
this.issueAttestationCertificate = policy.isIssueAttestationCertificate();
this.generateOnExpiration = policy.isGenerateOnExpiration();
this.numOfValidDays = policy.getValidityDays();
this.enableIgnoreIma = policy.isIgnoreImaEnabled();
this.enableIgnoreTboot = policy.isIgnoreTbootEnabled();
}
@ -80,6 +87,24 @@ public class PolicyPageModel {
return enableFirmwareValidation;
}
/**
* Gets the Attestation Certificate issued State.
*
* @return the issued state.
*/
public boolean isIssueAttestationCertificate() {
return issueAttestationCertificate;
}
/**
* Gets the state of generating a certificate.
*
* @return true or false
*/
public boolean isGenerateOnExpiration() {
return generateOnExpiration;
}
/**
* Gets the Enable Ignore IMA state.
* @return the validation state.
@ -132,6 +157,24 @@ public class PolicyPageModel {
return fmValidate;
}
/**
* Gets the attestation certificate issued state.
*
* @return the model string representation of this field.
*/
public String getAttestationCertificateIssued() {
return attestationCertificateIssued;
}
/**
* Gets the number of selected valid days.
*
* @return the number of the days for validity
*/
public String getNumOfValidDays() {
return numOfValidDays;
}
/**
* Gets the Ignore IMA validation value.
*
@ -187,6 +230,25 @@ public class PolicyPageModel {
this.enableFirmwareValidation = enableFirmwareValidation;
}
/**
* Sets the Attestation Certificate Issued state.
*
* @param issueAttestationCertificate true if generating Certificates.
*/
public void setIssueAttestationCertificate(
final boolean issueAttestationCertificate) {
this.issueAttestationCertificate = issueAttestationCertificate;
}
/**
* Setter for the state of generating a certificate.
*
* @param generateOnExpiration true or false
*/
public void setGenerateOnExpiration(final boolean generateOnExpiration) {
this.generateOnExpiration = generateOnExpiration;
}
/**
* Sets the Enable Ignore IMA state.
*
@ -241,6 +303,16 @@ public class PolicyPageModel {
this.fmValidate = fmValidate;
}
/**
* Sets the Issued Attestation Certificate state.
*
* @param attestationCertificateIssued "checked" if generating certificates.
*/
public void setAttestationCertificateIssued(
final String attestationCertificateIssued) {
this.attestationCertificateIssued = attestationCertificateIssued;
}
/**
* Sets the Ignore IMA state.
*
@ -266,6 +338,9 @@ public class PolicyPageModel {
+ ", enablePcCertificateValidation=" + enablePcCertificateValidation
+ ", enablePcCertificateAttributeValidation="
+ enablePcCertificateAttributeValidation
+ ", enableFirmwareValidation=" + enableFirmwareValidation + '}';
+ ", enableFirmwareValidation=" + enableFirmwareValidation
+ ", issueAttestationCertificate=" + issueAttestationCertificate
+ ", generateOnExpiration=" + generateOnExpiration
+ ", numOfValidDays=" + numOfValidDays + "}";
}
}

View File

@ -39,7 +39,9 @@ public class PolicyPageController extends PageController<NoPageParams> {
* Represents a web request indicating to enable a setting (based on radio
* buttons from a web form).
*/
private static final String ENABLED_PARAMETER_VALUE = "checked";
private static final String ENABLED_CHECKED_PARAMETER_VALUE = "checked";
private static final String ENABLED_EXPIRES_PARAMETER_VALUE = "expires";
private PolicyManager policyManager;
@ -115,7 +117,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
PageMessages messages = new PageMessages();
String successMessage;
boolean pcValidationOptionEnabled
= ppModel.getPcValidate().equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
= ppModel.getPcValidate().equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@ -167,7 +169,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
PageMessages messages = new PageMessages();
String successMessage;
boolean pcAttributeValidationOptionEnabled = ppModel.getPcAttributeValidate()
.equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@ -200,6 +202,64 @@ public class PolicyPageController extends PageController<NoPageParams> {
return redirectToSelf(new NoPageParams(), model, attr);
}
/**
* Updates the Attestation Certificate generation policy setting and redirects
* back to the original page.
*
* @param ppModel The data posted by the form mapped into an object.
* @param attr RedirectAttributes used to forward data back to the original page.
* @return View containing the url and parameters
* @throws URISyntaxException if malformed URI
*/
@RequestMapping(value = "update-issue-attestation", method = RequestMethod.POST)
public RedirectView updateAttestationVal(@ModelAttribute final PolicyPageModel ppModel,
final RedirectAttributes attr)
throws URISyntaxException {
// set the data received to be populated back into the form
Map<String, Object> model = new HashMap<>();
PageMessages messages = new PageMessages();
String successMessage;
String numOfDays;
boolean issuedAttestationOptionEnabled
= ppModel.getAttestationCertificateIssued()
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
boolean generateCertificateEnabled
= ppModel.getAttestationCertificateIssued()
.equalsIgnoreCase(ENABLED_EXPIRES_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
if (issuedAttestationOptionEnabled) {
successMessage = "Attestation Certificate generation enabled.";
} else {
successMessage = "Attestation Certificate generation disabled.";
}
if (generateCertificateEnabled) {
numOfDays = ppModel.getNumOfValidDays();
if (numOfDays == null) {
numOfDays = SupplyChainPolicy.TEN_YEARS;
}
} else {
numOfDays = policy.getValidityDays();
}
policy.setValidityDays(numOfDays);
policy.setIssueAttestationCertificate(issuedAttestationOptionEnabled);
policy.setGenerateOnExpiration(generateCertificateEnabled);
savePolicyAndApplySuccessMessage(ppModel, model, messages, successMessage, policy);
} catch (PolicyManagerException e) {
handlePolicyManagerUpdateError(model, messages, e,
"Error changing ACA Attestation Certificate generation policy",
"Error updating policy. \n" + e.getMessage());
}
// return the redirect
return redirectToSelf(new NoPageParams(), model, attr);
}
/**
* Updates the Endorsement Credential Validation policy setting and
* redirects back to the original page.
@ -219,7 +279,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
PageMessages messages = new PageMessages();
String successMessage;
boolean ecValidationOptionEnabled
= ppModel.getEcValidate().equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
= ppModel.getEcValidate().equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@ -273,7 +333,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
PageMessages messages = new PageMessages();
String successMessage;
boolean firmwareValidationOptionEnabled = ppModel.getFmValidate()
.equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@ -327,7 +387,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
PageMessages messages = new PageMessages();
String successMessage;
boolean ignoreImaOptionEnabled = ppModel.getIgnoreIma()
.equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);
@ -378,7 +438,7 @@ public class PolicyPageController extends PageController<NoPageParams> {
PageMessages messages = new PageMessages();
String successMessage;
boolean ignoreTbootOptionEnabled = ppModel.getIgnoretBoot()
.equalsIgnoreCase(ENABLED_PARAMETER_VALUE);
.equalsIgnoreCase(ENABLED_CHECKED_PARAMETER_VALUE);
try {
SupplyChainPolicy policy = getDefaultPolicyAndSetInModel(ppModel, model);

View File

@ -16,7 +16,7 @@
<div class="aca-input-box">
<form:form method="POST" modelAttribute="initialData" action="policy/update-ec-validation">
<li>Endorsement Credential Validation: ${initialData.enableEcValidation ? 'Enabled' : 'Disabled'}
<my:editor id="ecPolicyEditor" label="Edit Settings ">
<my:editor id="ecPolicyEditor" label="Edit Settings">
<div class="radio">
<label><input id="ecTop" type="radio" name="ecValidate" ${initialData.enableEcValidation ? 'checked' : ''} value="checked"/> Endorsement Credentials will be validated</label>
</div>
@ -62,6 +62,29 @@
</form:form>
</div>
<%-- Generate Attestation Certificate--%>
<div class="aca-input-box">
<form:form method="POST" modelAttribute="initialData" action="policy/update-issue-attestation">
<li>Generate Attestation Certificate: ${(initialData.issueAttestationCertificate || initialData.generateOnExpiration) ? 'Enabled' : 'Disabled'}
<my:editor id="issuedCertificatePolicyEditor" label="Edit Settings">
<div class="radio">
<label><input id="aicTop" type="radio" name="attestationCertificateIssued" ${initialData.issueAttestationCertificate ? '' : 'checked'} value="unchecked"/> Never generate an Attestation Certificate</label>
</div>
<div class="radio">
<label><input id="aicMid" type="radio" name="attestationCertificateIssued" ${initialData.issueAttestationCertificate ? 'checked' : ''} value="checked"/> Always generate an Attestation Certificate</label>
</div>
<div class="radio">
<label>
<input id="aicBot" type="radio" name="attestationCertificateIssued" ${initialData.generateOnExpiration ? 'checked' : ''} value="expires"/> Only Generate when current Attestation Certificate expires<br />
** Validity period for the Attestation Certificate
<input id="validLen" type="text" name="numOfValidDays" value="3650" size="6" maxlength="6" ${(initialData.generateOnExpiration) ? '' : 'disabled'} />
</label>
</div>
</my:editor>
</li>
</form:form>
</div>
<%-- Firmware validation --%>
<div class="aca-input-box">
<form:form method="POST" modelAttribute="initialData" action="policy/update-firmware-validation">

View File

@ -15,6 +15,10 @@ public class SupplyChainPolicy extends Policy {
* Name of the default Supply Chain Policy.
*/
public static final String DEFAULT_POLICY = "Default Supply Chain Policy";
/**
* Number of days in 10 years.
*/
public static final String TEN_YEARS = "3650";
@Column(nullable = false)
private boolean enableEcValidation = false;
@ -37,6 +41,15 @@ public class SupplyChainPolicy extends Policy {
@Column(nullable = false)
private boolean replaceEC = false;
@Column(nullable = false)
private boolean issueAttestationCertificate = true;
@Column(nullable = false)
private String validityDays = TEN_YEARS;
@Column(nullable = false)
private boolean generateOnExpiration = false;
@Embedded
private PCRPolicy pcrPolicy = new PCRPolicy();
@ -232,6 +245,7 @@ public class SupplyChainPolicy extends Policy {
}
/**
* Getter for the current PCR Policy.
* @return the PCR Policy
*/
public PCRPolicy getPcrPolicy() {
@ -239,9 +253,57 @@ public class SupplyChainPolicy extends Policy {
}
/**
* Setter to update the current PCR Policy.
* @param pcrPolicy to apply
*/
public void setPcrPolicy(final PCRPolicy pcrPolicy) {
this.pcrPolicy = pcrPolicy;
}
/**
* Returns whether or not to generate an Attestation Issued Certificate.
* @return current state for generation.
*/
public boolean isIssueAttestationCertificate() {
return issueAttestationCertificate;
}
/**
* Sets whether or not to generate an Attestation Issued Certificate.
* @param issueAttestationCertificate the flag for generation.
*/
public void setIssueAttestationCertificate(final boolean issueAttestationCertificate) {
this.issueAttestationCertificate = issueAttestationCertificate;
}
/**
* Getter for the number of days for the certificates validity.
* @return number of days
*/
public String getValidityDays() {
return validityDays;
}
/**
* Setter for the number of days for validity.
* @param validityDays validity.
*/
public void setValidityDays(final String validityDays) {
this.validityDays = validityDays;
}
/**
* Getter for the state of when to generate a certificate.
* @return true or false
*/
public boolean isGenerateOnExpiration() {
return generateOnExpiration;
}
/**
* Setter for the state of when to generate a certificate.
* @param generateOnExpiration sets true or false
*/
public void setGenerateOnExpiration(final boolean generateOnExpiration) {
this.generateOnExpiration = generateOnExpiration;
}
}