Found the issue with the isMatch class not working. The component class string for the class value has a pound sign.

Cyrus 2020-11-24 09:12:00 -05:00
parent fbdcf83840
commit ffbcebbf11


@ -606,12 +606,12 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
List<PlatformCredential> chainCertificates = new LinkedList<>(deltaMapping.keySet()); List<PlatformCredential> chainCertificates = new LinkedList<>(deltaMapping.keySet());
// map the components throughout the chain // map the components throughout the chain
Map<String, ComponentIdentifier> chainCiMapping = new HashMap<>();
List<ComponentIdentifier> deltaBuildList = new LinkedList<>(validOrigPcComponents); List<ComponentIdentifier> deltaBuildList = new LinkedList<>(validOrigPcComponents);
deltaBuildList.stream().forEach((ci) -> { List<ComponentIdentifier> builtMatchList = new LinkedList<>(validOrigPcComponents);
chainCiMapping.put(ci.getComponentSerial().toString(), ci);
});
/**
* Make sure the certificates are in the correct order.
*/
Collections.sort(chainCertificates, new Comparator<PlatformCredential>() { Collections.sort(chainCertificates, new Comparator<PlatformCredential>() {
@Override @Override
public int compare(final PlatformCredential obj1, public int compare(final PlatformCredential obj1,
@ -629,7 +629,7 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
} }
}); });
String ciSerial; List<String> modifiedClassValues = new LinkedList<>();
List<ArchivableEntity> certificateList = null; List<ArchivableEntity> certificateList = null;
SupplyChainValidation scv = null; SupplyChainValidation scv = null;
resultMessage.append("There are errors with Delta " resultMessage.append("There are errors with Delta "
@ -640,22 +640,39 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
StringBuilder failureMsg = new StringBuilder(); StringBuilder failureMsg = new StringBuilder();
certificateList = new ArrayList<>(); certificateList = new ArrayList<>();
certificateList.add(delta); certificateList.add(delta);
/** String classValue;
* This chainnn maipping may have to change because ComponentIdentifierV2 ciV2;
* the serial number isn't required boolean classFound = false;
*/
for (ComponentIdentifier ci : delta.getComponentIdentifiers()) { for (ComponentIdentifier ci : delta.getComponentIdentifiers()) {
if (ci.isVersion2()) { if (ci.isVersion2()) {
ciSerial = ci.getComponentSerial().toString(); ciV2 = (ComponentIdentifierV2) ci;
ComponentIdentifierV2 ciV2 = (ComponentIdentifierV2) ci; classValue = ciV2.getComponentClass().getClassValueString();
if (ciV2.isModified()) { if (ciV2.isModified()) {
// this won't match // A component was modified
// check it is there // if it exists, update
if (!chainCiMapping.containsKey(ciSerial)) { // if doesn't exist, error
for (ComponentIdentifier subCi : deltaBuildList) {
ComponentIdentifierV2 subCiV2 = (ComponentIdentifierV2) subCi;
classFound = classValue.equals(subCiV2.getComponentClass()
.getClassValueString());
if (classFound && isMatch(ciV2, subCiV2)) {
if (modifiedClassValues.contains(classValue)) {
modifiedClassValues.remove(classValue);
} else {
// we found the class and it is a match
break;
}
}
}
if (classFound) {
modifiedClassValues.add(classValue);
builtMatchList.add(ci);
} else {
fieldValidation = false; fieldValidation = false;
failureMsg.append(String.format( failureMsg.append(String.format(
"%s attempted MODIFIED with no prior instance.%n", "%s attempted MODIFIED with no prior instance.%n",
ciSerial)); classValue));
scv = deltaMapping.get(delta); scv = deltaMapping.get(delta);
if (scv.getResult() != AppraisalStatus.Status.PASS) { if (scv.getResult() != AppraisalStatus.Status.PASS) {
failureMsg.append(scv.getMessage()); failureMsg.append(scv.getMessage());
@ -665,16 +682,27 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
AppraisalStatus.Status.FAIL, AppraisalStatus.Status.FAIL,
certificateList, certificateList,
failureMsg.toString())); failureMsg.toString()));
} else {
chainCiMapping.put(ciSerial, ci);
} }
} else if (ciV2.isRemoved()) { } else if (ciV2.isRemoved()) {
if (!chainCiMapping.containsKey(ciSerial)) { for (ComponentIdentifier subCi : deltaBuildList) {
ComponentIdentifierV2 subCiV2 = (ComponentIdentifierV2) subCi;
classFound = classValue.equals(subCiV2.getComponentClass()
.getClassValueString());
if (classFound && isMatch(ciV2, subCiV2)) {
break;
} else {
classFound = false;
}
}
if (classFound) {
builtMatchList.remove(ci);
} else {
// error thrown, can't remove if it doesn't exist // error thrown, can't remove if it doesn't exist
fieldValidation = false; fieldValidation = false;
failureMsg.append(String.format( failureMsg.append(String.format(
"%s attempted REMOVED with no prior instance.%n", "%s attempted REMOVED with no prior instance.%n",
ciSerial)); classValue));
scv = deltaMapping.get(delta); scv = deltaMapping.get(delta);
if (scv.getResult() != AppraisalStatus.Status.PASS) { if (scv.getResult() != AppraisalStatus.Status.PASS) {
failureMsg.append(scv.getMessage()); failureMsg.append(scv.getMessage());
@ -684,17 +712,26 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
AppraisalStatus.Status.FAIL, AppraisalStatus.Status.FAIL,
certificateList, certificateList,
failureMsg.toString())); failureMsg.toString()));
} else {
chainCiMapping.remove(ciSerial);
} }
} else if (ciV2.isAdded()) { } else if (ciV2.isAdded()) {
// ADDED // ADDED
if (chainCiMapping.containsKey(ciSerial)) { for (ComponentIdentifier subCi : deltaBuildList) {
ComponentIdentifierV2 subCiV2 = (ComponentIdentifierV2) subCi;
classFound = classValue.equals(subCiV2.getComponentClass()
.getClassValueString());
if (classFound && isMatch(ciV2, subCiV2)) {
break;
} else {
classFound = false;
}
}
if (classFound) {
// error, shouldn't exist // error, shouldn't exist
fieldValidation = false; fieldValidation = false;
failureMsg.append(String.format( failureMsg.append(String.format(
"%s was ADDED, the serial already exists.%n", "%s was ADDED, the serial already exists.%n",
ciSerial)); classValue));
scv = deltaMapping.get(delta); scv = deltaMapping.get(delta);
if (scv.getResult() != AppraisalStatus.Status.PASS) { if (scv.getResult() != AppraisalStatus.Status.PASS) {
failureMsg.append(scv.getMessage()); failureMsg.append(scv.getMessage());
@ -705,12 +742,13 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
certificateList, certificateList,
failureMsg.toString())); failureMsg.toString()));
} else { } else {
// have to add in case later it is removed builtMatchList.add(ci);
chainCiMapping.put(ciSerial, ci);
} }
} }
} }
} }
// each delta has a change to change or modify what was just modified
modifiedClassValues.clear();
resultMessage.append(failureMsg.toString()); resultMessage.append(failureMsg.toString());
} }
@ -732,7 +770,7 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
// new LinkedList<>(chainCiMapping.values()), // new LinkedList<>(chainCiMapping.values()),
// compMapping.keySet().stream().collect(Collectors.toList())); // compMapping.keySet().stream().collect(Collectors.toList()));
unmatchedComponents = validateV2PlatformCredentialAttributes( unmatchedComponents = validateV2PlatformCredentialAttributes(
new LinkedList<>(chainCiMapping.values()), builtMatchList,
componentInfoList); componentInfoList);
fieldValidation &= unmatchedComponents.isEmpty(); fieldValidation &= unmatchedComponents.isEmpty();
} catch (IOException e) { } catch (IOException e) {
@ -766,16 +804,24 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
.stream().collect(Collectors.toList()); .stream().collect(Collectors.toList());
List<ComponentInfo> subCompInfoList = allDeviceInfoComponents List<ComponentInfo> subCompInfoList = allDeviceInfoComponents
.stream().collect(Collectors.toList()); .stream().collect(Collectors.toList());
LOGGER.error(String.format("fullDeltaChainComponents - %d", fullDeltaChainComponents.size())); LOGGER.error(String.format("fullDeltaChainComponents - %d",
fullDeltaChainComponents.size()));
LOGGER.error(String.format("subCompIdList - %d", subCompIdList.size())); LOGGER.error(String.format("subCompIdList - %d", subCompIdList.size()));
LOGGER.error(String.format("allDeviceInfoComponents - %d", allDeviceInfoComponents.size())); LOGGER.error(String.format("allDeviceInfoComponents - %d",
allDeviceInfoComponents.size()));
LOGGER.error(String.format("subCompInfoList - %d", subCompInfoList.size())); LOGGER.error(String.format("subCompInfoList - %d", subCompInfoList.size()));
// Delta is the baseline // Delta is the baseline
for (ComponentInfo cInfo : allDeviceInfoComponents) { for (ComponentInfo cInfo : allDeviceInfoComponents) {
for (ComponentIdentifier cId : fullDeltaChainComponents) { for (ComponentIdentifier cId : fullDeltaChainComponents) {
ciV2 = (ComponentIdentifierV2) cId; ciV2 = (ComponentIdentifierV2) cId;
if (cInfo.getComponentClass().equals( LOGGER.error(String.format("%s -> %s", cInfo.getComponentClass(),
ciV2.getComponentClass().getClassValueString())) { ciV2.getComponentClass().getClassValueString()));
if (ciV2.getComponentClass().getClassValueString()
.contains(cInfo.getComponentClass())) {
// TDM RIGHT HERE, you are getting a # from componentclass
/**
* YOU CAN DO IT. Don't fall asleep -_-
*/
LOGGER.error(String.format("Testing %s -> %s%n%n", cInfo, ciV2)); LOGGER.error(String.format("Testing %s -> %s%n%n", cInfo, ciV2));
if (!isMatch(cId, cInfo)) { if (!isMatch(cId, cInfo)) {
invalidDeviceInfo.append(String.format("%s:%s;", invalidDeviceInfo.append(String.format("%s:%s;",
@ -788,6 +834,8 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
subCompIdList.remove(cId); subCompIdList.remove(cId);
subCompInfoList.remove(cInfo); subCompInfoList.remove(cInfo);
} }
} else {
LOGGER.error("Didn't match.");
} }
} }
} }
@ -1113,6 +1161,28 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
return matchesSoFar; return matchesSoFar;
} }
/**
* Checks if the fields in the potentialMatch match the fields in the pcComponent,
* or if the relevant field in the pcComponent is empty.
* @param pcComponent the platform credential component
* @param potentialMatch the component info from a device info report
* @return true if the fields match exactly (null is considered the same as an empty string)
*/
static boolean isMatch(final ComponentIdentifierV2 pcComponent,
final ComponentIdentifierV2 potentialMatch) {
boolean matchesSoFar = true;
matchesSoFar &= isMatchOrEmptyInPlatformCert(
potentialMatch.getComponentManufacturer(),
pcComponent.getComponentManufacturer());
matchesSoFar &= isMatchOrEmptyInPlatformCert(
potentialMatch.getComponentModel(),
pcComponent.getComponentModel());
return matchesSoFar;
}
private static boolean isMatchOrEmptyInPlatformCert( private static boolean isMatchOrEmptyInPlatformCert(
final String evidenceFromDevice, final String evidenceFromDevice,
final DERUTF8String valueInPlatformCert) { final DERUTF8String valueInPlatformCert) {
@ -1122,6 +1192,12 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
return valueInPlatformCert.getString().equals(evidenceFromDevice); return valueInPlatformCert.getString().equals(evidenceFromDevice);
} }
private static boolean isMatchOrEmptyInPlatformCert(
final DERUTF8String evidenceFromDevice,
final DERUTF8String valueInPlatformCert) {
return evidenceFromDevice.equals(valueInPlatformCert);
}
/** /**
* Validates the platform credential's serial numbers with the device info's set of * Validates the platform credential's serial numbers with the device info's set of
* serial numbers. * serial numbers.
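Review bot: In the `-766,16 +804,24` hunk the device-info comparison changes from `equals` to `getClassValueString().contains(cInfo.getComponentClass())`, which turns an exact component-class check into a substring check. If the device report supplies an empty class string it satisfies the condition for every certificate component, and a short value can match an unrelated longer one. Since the commit message attributes the mismatch to a `#` in the class value string, it would be tighter to strip that marker and keep the exact comparison, e.g. `String certClass = ciV2.getComponentClass().getClassValueString().replace("#", "");` followed by `if (certClass.equals(cInfo.getComponentClass())) {`; which side carries the `#` is not visible here, so confirm before normalizing. The added `LOGGER.error` tracing and the `TDM RIGHT HERE` / `YOU CAN DO IT` comments in the same hunk look like debugging leftovers and should be removed or lowered to debug level. Separately, in the MODIFIED loop of the `-640,22 +640,39` hunk `classFound` is not reset when `isMatch` fails, unlike the REMOVED and ADDED loops, so a class-only hit on the last base component is accepted as a prior instance.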