Merge pull request #635 from nsacyber/v3_provision-fixes

ACA Provisioning Clean up
Cyrus 2023-11-30 18:46:43 -05:00 committed by GitHub
commit fa95eb4974
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 43 additions and 43 deletions


@ -60,7 +60,6 @@ public abstract class ArchivableEntity extends AbstractEntity {
* false is archived time is already set, signifying the entity has been archived.
*/
public final boolean archive() {
this.archiveFlag = false;
if (this.archivedTime == null) {
this.archivedTime = new Date();
archiveFlag = true;
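Review bot: With the `this.archiveFlag = false;` reset removed, calling `archive()` on an entity whose `archivedTime` is already set leaves `archiveFlag` at whatever value it previously held, so if the method's return (outside the hunk) is `archiveFlag`, the documented "false if archived time is already set" contract now depends on the field's prior state rather than on `archivedTime`. If the flag is meant to mirror the timestamp, compute the result explicitly, e.g. `final boolean firstArchive = this.archivedTime == null;` before the assignment and return that, instead of returning the mutable field. The Javadoc line also reads "false is archived time is already set" and should be "false if archived time is already set". `archive()` continues past the end of the hunk.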


@ -43,6 +43,7 @@ public interface ReferenceManifestRepository extends JpaRepository<ReferenceMani
List<SupportReferenceManifest> getSupportByManufacturerModel(String manufacturer, String model);
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 AND DTYPE = 'EventLogMeasurements'", nativeQuery = true)
EventLogMeasurements getLogByModel(String model);
List<ReferenceManifest> findByDeviceName(String deviceName);
List<ReferenceManifest> findByArchiveFlag(boolean archiveFlag);
Page<ReferenceManifest> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
}
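Review bot: `findByDeviceName` is a Spring Data derived query with no `archiveFlag` condition, so it returns archived RIMs alongside live ones, even though the repository already exposes `findByArchiveFlag` for exactly that distinction. Callers that pick a base RIM for a device (the new `ValidationService` loop in this commit) would otherwise have to filter themselves; adding `List<ReferenceManifest> findByDeviceNameAndArchiveFlag(String deviceName, boolean archiveFlag);` keeps that in the query. A one-line Javadoc on the new method stating that it spans all RIM types (base, support, measurement) would also help the next reader.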


@ -2,6 +2,7 @@ package hirs.attestationca.persist.entity.userdefined;
import com.google.common.base.Preconditions;
import hirs.attestationca.persist.entity.ArchivableEntity;
import hirs.attestationca.persist.entity.userdefined.rim.BaseReferenceManifest;
import hirs.attestationca.persist.enums.AppraisalStatus;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
@ -104,7 +105,7 @@ public class SupplyChainValidation extends ArchivableEntity {
this.certificatesUsed = new ArrayList<>();
this.rimId = "";
for (ArchivableEntity ae : certificatesUsed) {
if (ae instanceof ReferenceManifest) {
if (ae instanceof BaseReferenceManifest) {
this.rimId = ae.getId().toString();
break;
} else {
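Review bot: Narrowing the check to `instanceof BaseReferenceManifest` means a support or measurement RIM passed in `certificatesUsed` no longer sets `rimId` and instead drops into the `else` branch (outside the hunk); if that branch treats the entry as a certificate, a non-base RIM would be silently misfiled rather than rejected. A comment stating that only base RIMs are meant to be linked here would make the intent explicit, and if the project targets Java 16+ the pattern-matching form `if (ae instanceof BaseReferenceManifest baseRim) { this.rimId = baseRim.getId().toString(); break; }` reads more clearly. `ae.getId().toString()` also NPEs if an unsaved entity has a null id — presumably ids are assigned on construction, worth confirming.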


@ -145,7 +145,7 @@ public class ComponentInfo implements Serializable {
final String componentModel,
final String componentSerial,
final String componentRevision) {
return !(StringUtils.isEmpty(componentManufacturer)
return (StringUtils.isEmpty(componentManufacturer)
|| StringUtils.isEmpty(componentModel));
}
}
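Review bot: Dropping the `!` inverts the method's result, so an empty manufacturer or model now yields true where it previously yielded false, yet the signature (and therefore the method name and contract) starts outside the hunk and no caller is touched anywhere in this commit. Either every call site already expected the inverted polarity, or component validation now accepts exactly the incomplete records the predicate was meant to reject — please confirm the name reads as "is missing identifying fields" rather than "is valid". A one-line Javadoc stating the polarity, e.g. `Returns true when the manufacturer or model is blank, i.e. the component cannot be matched.`, would prevent the next flip. `componentSerial` and `componentRevision` are accepted but unused in the body.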


@ -170,7 +170,8 @@ public class AbstractProcessor {
for (ByteString platformCredential : identityClaim.getPlatformCredentialList()) {
if (!platformCredential.isEmpty()) {
platformCredentials.add(CredentialManagementHelper.storePlatformCredential(
certificateRepository, platformCredential.toByteArray()));
certificateRepository, platformCredential.toByteArray(),
identityClaim.getDv().getNw().getHostname()));
}
}
} else if (endorsementCredential != null) {
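Review bot: The hostname handed to `storePlatformCredential` comes straight from the client's identity claim (`identityClaim.getDv().getNw().getHostname()`), so the `deviceName` persisted on a platform credential is attacker-chosen, unchecked for length or content, and (if these are protobuf messages, as `ByteString` suggests) silently defaults to "" when the field is unset. The getter chain is also re-evaluated on every loop iteration. Hoist it once before the loop, `final String hostname = identityClaim.getDv().getNw().getHostname();`, and reject or normalize blank and over-long values — or better, take the name from the `Device` entity that `processDeviceInfo` derives from the same claim so the two records cannot disagree. The enclosing method starts and ends outside the hunk.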


@ -187,6 +187,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
// Parse and save device info
Device device = processDeviceInfo(claim);
device.getDeviceInfo().setPaccorOutputString(claim.getPaccorOutput());
// There are situations in which the claim is sent with no PCs
// or a PC from the tpm which will be deprecated
// this is to check what is in the platform object and pull
@ -318,8 +319,9 @@ public class IdentityClaimProcessor extends AbstractProcessor {
if (dv.getLogfileCount() > 0) {
for (ByteString logFile : dv.getLogfileList()) {
try {
support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHash(
Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())));
support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())),
ReferenceManifest.SUPPORT_RIM);
if (support == null) {
support = new SupportReferenceManifest(
String.format("%s.rimel",
@ -346,8 +348,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
} catch (IOException ioEx) {
log.error(ioEx);
} catch (Exception ex) {
log.error(String.format("Failed to load support rim: %s", messageDigest.digest(
logFile.toByteArray()).toString()));
log.error(String.format("Failed to load support rim: %s", ex.getMessage()));
}
}
} else {
@ -381,6 +382,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
this.referenceManifestRepository.save(dbBaseRim);
}
}
tagId = dbBaseRim.getTagId();
} catch (IOException ioEx) {
log.error(ioEx);
}
@ -409,7 +411,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
// now update support rim
SupportReferenceManifest dbSupport = (SupportReferenceManifest) referenceManifestRepository
.findByHexDecHash(swid.getHashValue());
.findByHexDecHashAndRimType(swid.getHashValue(), ReferenceManifest.SUPPORT_RIM);
if (dbSupport != null) {
dbSupport.setFileName(swid.getName());
dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion());
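Review bot: The rewritten catch, `log.error(String.format("Failed to load support rim: %s", ex.getMessage()));`, drops both the stack trace and the identity of the log file that failed, and the surrounding `catch (Exception ex)` then lets provisioning continue as if the support RIM had been stored. Since `log` already accepts a throwable (`log.error(ioEx)` two lines above), pass `ex` as the last argument and keep the hash the old message tried — and, via `byte[].toString()`, failed — to print: hoist `final String logHash = Hex.encodeHexString(messageDigest.digest(logFile.toByteArray()));` above the `try` and log `"Failed to load support rim " + logHash` together with `ex`. Whether a failed support-RIM load should abort the claim rather than be logged is a policy question, but the persisted device record should at least not silently lack the RIM. The enclosing methods start and end outside the hunks on both sides.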


@ -82,11 +82,12 @@ public final class CredentialManagementHelper {
* it is unarchived.
* @param certificateRepository the certificate manager used for storage
* @param platformBytes the raw PC bytes used for parsing
* @param deviceName the host name of the associated machine
* @return the parsed, valid PC, or null if the provided bytes are not a valid EK.
*/
public static PlatformCredential storePlatformCredential(
final CertificateRepository certificateRepository,
final byte[] platformBytes) {
final byte[] platformBytes, final String deviceName) {
if (certificateRepository == null) {
throw new IllegalArgumentException("null certificate manager");
@ -130,6 +131,7 @@ public final class CredentialManagementHelper {
}
}
}
platformCredential.setDeviceName(deviceName);
return (PlatformCredential) certificateRepository.save(platformCredential);
} else if (existingCredential.isArchived()) {
// if the PC is stored in the DB and it's archived, unarchive.
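Review bot: `deviceName` is only persisted on the new-credential path; when `existingCredential` is found (including the archived-then-unarchived case that begins here and continues outside the hunk) the stored device name is never updated, so a platform credential re-presented from a host with a different hostname keeps its stale association, which later `findByDeviceName`-style lookups then rely on. The new parameter is also not validated, unlike `certificateRepository` — a null or blank hostname is written as-is. Consider `existingCredential.setDeviceName(deviceName);` on the existing path before it is saved, and a guard such as `if (StringUtils.isBlank(deviceName)) { throw new IllegalArgumentException("blank device name"); }` if that helper is in scope. The pre-existing `@return` text "not a valid EK" should read "not a valid PC".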


@ -9,6 +9,7 @@ import hirs.attestationca.persist.entity.manager.ReferenceManifestRepository;
import hirs.attestationca.persist.entity.userdefined.Certificate;
import hirs.attestationca.persist.entity.userdefined.Device;
import hirs.attestationca.persist.entity.userdefined.PolicySettings;
import hirs.attestationca.persist.entity.userdefined.ReferenceManifest;
import hirs.attestationca.persist.entity.userdefined.SupplyChainValidation;
import hirs.attestationca.persist.entity.userdefined.certificate.CertificateAuthorityCredential;
import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult;
@ -187,6 +188,13 @@ public class ValidationService {
final SupplyChainValidation.ValidationType validationType
= SupplyChainValidation.ValidationType.FIRMWARE;
List<ReferenceManifest> rims = rimRepo.findByDeviceName(device.getName());
ReferenceManifest baseRim = null;
for (ReferenceManifest rim : rims) {
if (rim.getRimType().equals(ReferenceManifest.BASE_RIM)) {
baseRim = rim;
}
}
AppraisalStatus result = FirmwareScvValidator.validateFirmware(device, policySettings,
rimRepo, rdvRepo, caRepo);
Level logLevel;
@ -203,7 +211,7 @@ public class ValidationService {
logLevel = Level.ERROR;
}
return buildValidationRecord(validationType, result.getAppStatus(),
result.getMessage(), null, logLevel);
result.getMessage(), baseRim, logLevel);
}
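Review bot: The base-RIM selection loop takes the last entry whose type matches, with no `break`, no `isArchived()` check, and independently of whatever lookup `FirmwareScvValidator.validateFirmware` performs, so when a device has more than one base RIM (e.g. after re-provisioning) the RIM linked into the validation record can differ from the one actually appraised. `rim.getRimType().equals(...)` also throws if `rimType` is null; `ReferenceManifest.BASE_RIM.equals(rim.getRimType())` is the null-safe form. Either have `validateFirmware` report which base RIM it used, or at minimum skip archived entries and break on the first match, and add a comment stating which RIM the record is meant to reference.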
/**


@ -66,8 +66,8 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
failedString = "Base Reference Integrity Manifest\n";
passed = false;
} else {
measurement = (EventLogMeasurements) referenceManifestRepository.findByHexDecHash(
baseReferenceManifest.getEventLogHash());
measurement = (EventLogMeasurements) referenceManifestRepository.findByHexDecHashAndRimType(
baseReferenceManifest.getEventLogHash(), ReferenceManifest.MEASUREMENT_RIM);
if (measurement == null) {
measurement = referenceManifestRepository.byMeasurementDeviceName(
@ -125,8 +125,8 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
}
for (SwidResource swidRes : resources) {
supportReferenceManifest = referenceManifestRepository.findByHexDecHash(
swidRes.getHashValue());
supportReferenceManifest = referenceManifestRepository.findByHexDecHashAndRimType(
swidRes.getHashValue(), ReferenceManifest.SUPPORT_RIM);
if (supportReferenceManifest != null) {
// Removed the filename check from this if statement
referenceManifestValidator.validateSupportRimHash(
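Review bot: The result of `findByHexDecHashAndRimType(..., ReferenceManifest.MEASUREMENT_RIM)` is cast unchecked to `EventLogMeasurements`; if the repository's declared return type is `ReferenceManifest` and a stored row's `rimType` and `DTYPE` ever disagree, this throws a `ClassCastException` out of the validator instead of yielding a failed appraisal. If the project targets Java 16+, `if (rim instanceof EventLogMeasurements elm) { measurement = elm; }` keeps the fail-closed path and lets the existing `measurement == null` fallback handle the rest; otherwise an explicit `instanceof` check before the cast does the same. The enclosing method starts and ends outside the hunks.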


@ -342,7 +342,7 @@ public class SupplyChainCredentialValidator {
private static String getJSONNodeValueAsText(final JsonNode node, final String fieldName) {
if (node.hasNonNull(fieldName)) {
return node.findValue(fieldName).asText();
return node.findValue(fieldName).textValue();
}
return null;
}
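Review bot: `textValue()` returns null for any non-textual node, so a numeric or boolean JSON value that `asText()` used to coerce (for example a serial number emitted as `123` rather than `"123"`) now reads as null and reaches callers as "absent"; if that is intended it deserves a comment on the method, otherwise `asText()` under the existing `hasNonNull` guard was the safer call. Independently, `hasNonNull(fieldName)` checks a direct child while `findValue(fieldName)` searches all descendants, so the value returned may come from a nested object that happens to carry the same field name — `return node.get(fieldName).textValue();` keeps both operations on the same node.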


@ -375,7 +375,7 @@ public class CertificatePageController extends PageController<NoPageParams> {
try {
UUID uuid = UUID.fromString(id);
Certificate certificate = getCertificateById(certificateType, uuid);
Certificate certificate = certificateRepository.getCertificate(uuid);
if (certificate == null) {
// Use the term "record" here to avoid user confusion b/t cert and cred
@ -749,29 +749,6 @@ public class CertificatePageController extends PageController<NoPageParams> {
return associatedCertificates;
}
private Certificate getCertificateById(final String certificateType, final UUID uuid) {
switch (certificateType) {
case PLATFORMCREDENTIAL:
if (platformCertificateRepository.existsById(uuid)) {
return platformCertificateRepository.getReferenceById(uuid);
}
case ENDORSEMENTCREDENTIAL:
if (endorsementCredentialRepository.existsById(uuid)) {
return endorsementCredentialRepository.getReferenceById(uuid);
}
case ISSUEDCERTIFICATES:
if (issuedCertificateRepository.existsById(uuid)) {
return issuedCertificateRepository.getReferenceById(uuid);
}
case TRUSTCHAIN:
if (caCredentialRepository.existsById(uuid)) {
return caCredentialRepository.getReferenceById(uuid);
}
default:
return null;
}
}
/**
* Parses an uploaded file into a certificate and populates the given model
* with error messages if parsing fails.
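Review bot: `certificateRepository.getCertificate(uuid)` looks the record up by id alone, so `certificateType` no longer scopes the result and a request issued under one certificate type can now act on a record of another type (the deleted `getCertificateById` at least attempted a per-type lookup, though its switch fell through between cases). If this handler deletes or serves the record, add a type check after the null check, e.g. `if (certificate != null && !certificateType.equals(typeConstantFor(certificate))) { certificate = null; }` with a small private helper mapping the concrete `Certificate` subclass to the `PLATFORMCREDENTIAL`/`ENDORSEMENTCREDENTIAL`/`ISSUEDCERTIFICATES`/`TRUSTCHAIN` constants. The handler's purpose and the remainder of its body are outside the hunk.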


@ -271,7 +271,8 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
// to get the id to make the link
RIM_VALIDATOR.setRim(baseRim.getRimBytes());
for (SwidResource swidRes : resources) {
support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHash(swidRes.getHashValue());
support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
swidRes.getHashValue(), ReferenceManifest.SUPPORT_RIM);
if (support != null && swidRes.getHashValue()
.equalsIgnoreCase(support.getHexDecHash())) {


@ -39,7 +39,13 @@ import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import java.io.*;
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.*;
@ -204,7 +210,9 @@ public class ReferenceManifestValidator {
log.error("Cannot validate RIM, signature element not found!");
return false;
}
trustStore = parseCertificatesFromPem(trustStoreFile);
if (trustStoreFile != null && !trustStoreFile.isEmpty()) {
trustStore = parseCertificatesFromPem(trustStoreFile);
}
NodeList certElement = rim.getElementsByTagName("X509Certificate");
if (certElement.getLength() > 0) {
X509Certificate embeddedCert = parseCertFromPEMString(
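Review bot: When `trustStoreFile` is null or empty the new guard skips `parseCertificatesFromPem` but validation proceeds, so `trustStore` — which appears to be a field, since it is assigned without a declaration here — keeps whatever a previous call left in it or stays null, and the signature check below is anchored to stale or missing roots. Fail closed instead, mirroring the "signature element not found" path just above: `} else { log.error("Cannot validate RIM, no trust store provided!"); return false; }`. Separately, `import java.security.*;` on the next line is left as a wildcard while the `java.io` wildcard was expanded — finish the cleanup for consistency. What the code does with a null `trustStore` is outside the hunk, so the stale-roots concern is inferred from the assignment alone.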