Commit Graph

449 Commits

Author SHA1 Message Date
Cyrus
0934b3106f
Merge pull request #420 from nsacyber/base-rim-link-fix
RimLinkHash Fix
2021-11-10 10:06:11 -05:00
Cyrus
70d92c4b38
Merge pull request #417 from nsacyber/issue-404
[#404] PXE Policy options
2021-11-10 10:05:52 -05:00
Cyrus
04b050de15 The rimlinkhash meta information wasn't linking up with the associated swidtag. This is because the wrong hash look up was being used. Previously when the hexDecHash and base64Hash were implemented, the main focus was on the rimel and not the swidtag. 2021-11-10 09:50:17 -05:00
Cyrus
2d9fb19d38 Updated the new polices after doing a bit of testing to make sure that they do ignore when there is a failure on that specific bit. 2021-11-10 07:27:33 -05:00
chubtub
0c233ae771 Set signature validity so that the ACA can report accurately 2021-11-08 14:51:38 -05:00
chubtub
3a6be133eb Checkstyle changes 2021-11-08 14:51:38 -05:00
chubtub
bc7e07583f Match only the actual extension bytes of the SKID 2021-11-08 14:51:38 -05:00
chubtub
962ca45bb7 Modify ACA RIM validation to search for a signing cert if the base RIM does not have an embedded cert. Validate the ca chain of the found signing cert. 2021-11-08 14:46:04 -05:00
Cyrus
f0ea84d199 I added code to do different masks on the pcr selection, but that was not needed. So I just uncommented the one section of ignore not being used. 2021-11-05 16:11:28 -04:00
chubtub
7bb9d8698d
Merge pull request #408 from nsacyber/support-rim-filename-correction
Support RIM Filename Fix
2021-11-05 08:57:06 -04:00
Cyrus
e82de12341 Updated the ignore OS events check with the last rule for #404 2021-11-01 09:35:36 -04:00
Cyrus
fe617ea948 Updated the policy code to ignore based on the TPM Log Event. Added in the code for OS Events. 2021-10-29 20:24:46 -04:00
Cyrus
aae6845730 Initial Commit. This adds the visual object to the policy page. 2021-10-29 14:55:23 -04:00
iadgovuser29
4403a98b3b [#414] Handle MODIFIED component without serial number 2021-10-29 09:02:56 -04:00
iadgovuser29
867833dc9d [#411] Changed assumption regarding Delta cert components with ADDED status. 2021-10-27 14:14:09 -04:00
iadgovuser29
647c88d16b [#409] Fixed one problem with delta component checking. 2021-10-26 15:53:05 -04:00
Cyrus
bb6ec6cc4b The rim hash validation icon is coming up red when both base and support RIMs are loaded. This fixes that issue. 2021-10-26 11:09:36 -04:00
chubtub
0b4febf53b WIP: frontend hangs while getting records from backend 2021-10-20 14:57:52 -04:00
iadgovuser29
e8085aae0f [#401] Changed instanceof check and error message. 2021-10-17 21:51:29 -04:00
chubtub
324865b434 Merge branch 'master' into issue-395 2021-10-06 15:01:02 -04:00
chubtub
84a2ff723c Controller class for returning TPM Event data to jsp 2021-10-06 15:00:23 -04:00
Cyrus
f8a3ccd962 This is an initial commit updates the policy page. Adds additional policies for generating a DevID. The underlying code doesn't actually generate one yet. But the SupplyChainPolicy holds the flags. 2021-09-17 07:55:44 -04:00
Cyrus
14ecd9832e Updated unit tested to correct the failures that were occurring because of the updated code changes. 2021-08-30 11:44:37 -04:00
Cyrus
cf5472242b
Merge pull request #393 from nsacyber/uefi-test-update
Checkstyle fix on a Unit Test
2021-08-24 09:42:12 -04:00
Cyrus
5a26093d57 Missed and update for a method that was updated with a new exception thrown. 2021-08-20 13:47:20 -04:00
iadgovuser26
71666542c1
Merge pull request #392 from nsacyber/uefi-test-update
UEFI Unit Test Update
2021-08-20 12:16:35 -04:00
iadgovuser26
761fb6aaa9
Merge pull request #391 from nsacyber/fix-certificatetest-testisissuer
Fix for faulty logic in CertificateTest.testIsIssuer
2021-08-20 12:16:23 -04:00
iadgovuser26
793d21ae5b
Merge pull request #390 from nsacyber/fix-testappraiser-name
Fixing one unit test revealed additional test updates.
2021-08-20 12:16:04 -04:00
iadgovuser26
3132a590e1
Merge pull request #388 from nsacyber/ignore-tpmbaselinegeneratortest-csvgeneratortest
Ignore tests from TPMBaselineGeneratorTest and ima.CSVGeneratorTest.
2021-08-20 12:15:35 -04:00
Cyrus
61497809f5 Updated the UefiGuid to have the vendor json file get passed in. This updates the unit test and fixes the issue. 2021-08-20 09:19:01 -04:00
iadgovuser26
9fbbf81ada
Merge pull request #389 from nsacyber/eventLogTesFix
updated TCGEventLogEventsTest
2021-08-18 16:20:16 -04:00
iadgovuser29
7e3eaf4c5c Fix for faulty logic in CertificateTest.testIsIssuer 2021-08-18 14:09:27 -04:00
iadgovuser29
f9a32e3f52 Fixing one unit test revealed additional test updates. 2021-08-18 13:29:49 -04:00
chubtub
c76a8a074e Minor code clean up 2021-08-18 09:15:59 -04:00
iadgovuser29
b8741039a9 Ignore tests from TPMBaselineGeneratorTest and ima.CSVGeneratorTest. 2021-08-17 17:59:34 -04:00
lareine
32887eb598 updated TCGEventLogEventsTest 2021-08-17 17:30:45 -04:00
iadgovuser29
f54e1a15d0 Fixed a certificate conversion issue. 2021-08-17 17:21:32 -04:00
chubtub
dc7301e8a6 Update overloaded validateCertChain to check cert chain consistently 2021-08-17 14:41:00 -04:00
chubtub
6e849d601c Merge branch 'master' into issue-345 2021-07-02 16:49:26 -04:00
chubtub
3b621770d5 Modify SupplyChainCredentialValidator.validateCertChain to thoroughly validate cert path. 2021-07-02 13:45:32 -04:00
Cyrus
e7cdba07c4
Merge pull request #377 from nsacyber/component-class-revision
Component Class Bug Fix
2021-07-01 14:29:21 -04:00
Cyrus
cac913af11 Updated the component class to no longer use ints but instead use only Strings 2021-07-01 12:49:35 -04:00
chubtub
e86d1efbbf One line change to SupplyChainCredentialValidator to loop fully through truststore. 2021-07-01 10:50:53 -04:00
Cyrus
a555fac716 Finished updating the unit test. The value of being passed in wasn't of a format that the component class could handle. 2021-06-29 20:33:59 -04:00
Cyrus
3269e81783 All components were failing on tests specifically set up to match components and pass. This happened because the int value of the component class value was being translated with SHORT.size. This is odd because it worked before but stopped. 2021-06-29 12:04:22 -04:00
Cyrus
5c448057d4
Merge branch 'master' into fm-validation-pass-link 2021-06-28 12:15:47 -04:00
chubtub
d1f0eb5d88 Check for an empty truststore during cert path validation. Removed the recursion in SupplyChainCredentialValidator.validateCertChain. 2021-06-25 11:40:08 -04:00
Cyrus
be3cd2bd32 Removed the validation of the PCRs line by line for the expected PCR values. 2021-06-24 11:46:01 -04:00
Cyrus
adb93dbd94 Updated the unit tests 2021-06-21 10:32:44 -04:00
Cyrus
e8d84b88f5 Updated the component class values for SMBIOS 2021-06-17 14:32:49 -04:00
Cyrus
132a336549 Updated the print out of the the component string to leave out Unkown and Other for display. Instead it'll just show nothing. 2021-06-17 13:12:26 -04:00
Cyrus
b06025a71f Updated the Event Log Measurements class to use a hash for lookup 2021-06-17 12:52:28 -04:00
Cyrus
cd206f870c These changes may be removed because the issue is becoming more involved and I may need to rethink how this will work. 2021-06-16 08:52:40 -04:00
Cyrus
9c060dec55 Updated event log measurements to pass in the overall result status. However display isn't printing out correctly. 2021-06-09 11:07:11 -04:00
Cyrus
218002a3c2 Merge remote-tracking branch 'origin/digest-implement-final' into fm-validation-pass-link 2021-06-08 22:19:52 -04:00
Cyrus
13043856ef These changes update the component class object to handled SMBIOS components along with the TCG ones presented originally. The unit tests also were updated to use the new structure of the class and added additional tests for the SMBIOS entries 2021-06-07 13:46:47 -04:00
Cyrus
8a258f2b76 Updated some text associated with the rimType 2021-05-28 08:48:40 -04:00
Cyrus
0e8e88b536 This commit has updated changes that save both a base64 and a hex dec value of the RIM file hash to the database. Depending on what is needed, they are used to pull either the base or support RIM. Also fixed the link for the rimlinkhash on the details page. 2021-05-27 13:46:43 -04:00
Cyrus
8fbd6e1a39 Changed up some of the encoded for the rim byte array 2021-05-25 13:11:57 -04:00
Cyrus
65d596a756 Some additional updates that included deviceNames as a means to pull RIM information. In addition updated the display of the failures, adding filters for like events from the baseline. 2021-05-20 06:26:07 -04:00
Cyrus
ddc36d81f4 This set of code changes deals with the displaying of failed digests values from the validation process. The way there were displayed before was going to be unsustainable because event numbers will never match up. There for a direct compare to a failed event would never be accurate. 2021-05-17 12:44:03 -04:00
Cyrus
5acc393541 This commit adds several changes that updates how the RIM files are accessed and made accessible from the DB as well as what is shown visually when there is a validation failure and the measurement log is shown. 2021-05-06 08:43:26 -04:00
Cyrus
1d33054577
Merge pull request #350 from nsacyber/ignore-gpt-events
[#349] Ignore GPT PCR
2021-05-04 10:14:53 -04:00
Cyrus
c7fb94d7b4
Merge pull request #352 from nsacyber/event-digest-update
[#343] Event digest update (UI)
2021-04-23 08:45:13 -04:00
Cyrus
46c9640cbe Updated the code with additional OIDs for the algorithms that certificates use for the signatures. And updated the isIssuer method to not use the hard coded algorithm string. 2021-04-15 14:15:11 -04:00
Cyrus
b52b8101a6 The new policy setting is supposed to be default on. 2021-04-14 14:23:43 -04:00
Cyrus
523bae8f9d This set of code adds an additional policy to the page for the GPT PCR. Details for the change can be found in issue #349. 2021-04-14 13:55:52 -04:00
Cyrus
5a82e48b61 Merge branch 'master' into event-digest-update 2021-04-13 08:50:42 -04:00
Cyrus
e70e019c6b This commit has some changes to how patch and supplemental are handled. It adds some flags to the Record and Value objects to note that data has been processed so that multiple entries aren't created. 2021-04-13 07:45:52 -04:00
Cyrus
760f246096
Merge pull request #342 from nsacyber/rim_digest_store
[#341] RIM Event Digest Store
2021-04-13 07:45:17 -04:00
Cyrus
c46aa2b48b
Merge pull request #348 from nsacyber/certificate-failure-fidelity
Certificate Failure Fidelity
2021-04-09 14:15:43 -04:00
Cyrus
ea5b85b703 Updated the code to now display the var swidtag and rimel. However there are issues with the examples. This commit has fixes for how the pcr values are pulled for display on the base RIM page. 2021-04-02 06:34:47 -04:00
Cyrus
2abb13d99d This change is to update the code to the values listed in Table 13 of Registry of Reserved TPM 2.0 Handles and Localities for Platform Class Values. 2021-03-30 06:54:10 -04:00
Cyrus
4911742c7a This is a checkout of some changes to the resource management for swid tags so that the file name listed is associated with the stored support RIMS. 2021-03-30 06:35:14 -04:00
Cyrus
f2308f2955 Updated the isIssuer and the containsAll to allow the reason for the platform certificate failure isn't that the issuer is missing but that the issuer available fails the public key on the details page for certificates 2021-03-26 10:32:19 -04:00
Cyrus
a6c6fbfb31 Made some changes for using just the RIM Hash to pull support rims from the database to associated with the swid tag. Changed the rim hash from and int to a string. 2021-03-25 13:28:31 -04:00
Cyrus
c290ba25be Modified how unmatched log events are tested. Now it uses the reference event value from the database. 2021-03-23 13:13:17 -04:00
Cyrus
108748fb2a Undid some code and change the Digest Value class into a table in the database. This code then updates those values when a provision is initiated. At this time, that is all it does. 2021-03-19 11:01:25 -04:00
Cyrus
53cb300063 This is an initial commit with changes that add new classes for digest reference matching. 2021-03-17 10:23:08 -04:00
Cyrus
9134e2ab9d Merge branch 'master' into rim_digest_store 2021-03-12 07:33:47 -05:00
Cyrus
accbc422e7 This adds the additional classes 2021-03-11 10:56:19 -05:00
Cyrus
19aa3c27a1 initial commit with the structures that are to be set up 2021-03-11 10:55:22 -05:00
Cyrus
c66f4f7648
Merge pull request #334 from nsacyber/Unmatched-component-refactor
Unmatched component refactor
2021-03-09 13:07:16 -05:00
Cyrus
9008972fbc Cleared all build errors 2021-03-08 06:43:10 -05:00
Cyrus
0e3eabc34f Removed unused import 2021-03-08 06:31:31 -05:00
Cyrus
bd5bca58ea I have modified the code to correct handle the situation in which the device has more components than the certificate and I have taken steps to make the system test GOOD pass for test A6, A7 and A8. 2021-03-05 15:36:29 -05:00
Cyrus
763dcbd975 These are changes that were made in the system-tests-test that resolved the issues in the first TPM 2.0 system tests on travis. 2021-03-04 08:01:18 -05:00
Cyrus
8a571f1788 When a delta has the component that is bad, not the base, it wasn't highlighting. This is because the component failures wasn't be updated and then the certificate needed to be updated as well. 2021-02-25 06:59:56 -05:00
Cyrus
a5184f5a5b Final changes that adds in the additional setting for the renewal period threshold. This value indicates that if the end validity has been reached for the current issued attestation certificate, then don't generate one. However if we are within the number of days set by the threshold, then generate the certificate before it expires. The default is 1 year from the end validity. 2021-02-23 10:17:56 -05:00
Cyrus
dcf0ec8101 Merge branch 'master' into aic-policy-rule 2021-02-11 14:13:28 -05:00
Cyrus
9917fadef7 On a previous commit, I removed a piece of code that checked the base credential first. Because the delta fixed a problem in the base, the base failed before the delta was checked. This was completely removed. On a test that we had previously done, the test passes when it should fail because there is only a base, so that check isn't being done. This change reintroduces the check but in a different location with flags for when there is a delta present. 2021-02-09 13:30:37 -05:00
Cyrus
69cd06df3b Merging error didn't include the update to Assert.State 2021-02-09 06:54:31 -05:00
Cyrus
5e4dc8ce82 Merge branch 'master' into Unmatched-component-refactor 2021-02-08 15:23:21 -05:00
Cyrus
7b79ceb07a Found the issue with the component being removed that doesn't have a proper serial number and adding one with it. The code was revalidating the base in the attributes enabled flag. This was unncessary. 2021-02-08 14:25:10 -05:00
Cyrus
4999c96685 Updated code to correct situations that were not linking up with properly for delta and platform certificate component validation. 2021-02-05 16:10:15 -05:00
Cyrus
677716fa08 Merge branch 'master' into Unmatched-component-refactor 2021-02-04 08:51:31 -05:00
Cyrus
447c817839 Updated the lists for the left over components. 2021-02-02 12:57:55 -05:00
Cyrus
2d9bbe1bd7 initial commit 2021-02-01 11:24:20 -05:00
Cyrus
8d6a697a23 Removed some unnecessary comments 2021-01-28 08:08:12 -05:00
Cyrus
653bfddc6d Updated some code and took out things that didin't need to be in the official build for unit tests 2021-01-21 07:40:55 -05:00
Cyrus
5589096443 Cleaned up some stuff I found during code compare in github. 2021-01-20 13:23:51 -05:00
Cyrus
acc022d784 Finalized clean up. 2021-01-20 13:05:43 -05:00
Cyrus
e9eef0e5b3 Updated the code to go through the serial numbers that are valid numbers verus generic filler. Tested against the provisioner. 2021-01-20 08:00:24 -05:00
Cyrus
fa12614221 Testing out new code 2021-01-14 10:34:27 -05:00
Cyrus
beb1ccbee3 Updated a supply chain validation check for delta certificates. Updated the check for duplicate base platform certificates when storing them for the same device and updated the begin validity date for the delta vs the base check. 2021-01-12 12:26:54 -05:00
Cyrus
fcb496686c This includes some refactoring of the component identifier. 2021-01-11 13:24:49 -05:00
Cyrus
7028810707 This latest push should have the code that'll highlight the components based on a string rather than the serial number. This also adds additional checks for the validity begin date of the delta not matching or being before the base. It also checks that they don't have the same certificate serial number. 2020-12-30 08:41:47 -05:00
Cyrus
1db52cebf9 This is a stopping point because the code can't be fully worked out because the data (certificates) aren't correct. 2020-12-17 07:24:51 -05:00
Cyrus
8fa5dfdd9e Removed unused imports 2020-12-14 10:57:35 -05:00
Cyrus
62c7ca2d90 This PR is to address issue #308. The ACA was pulling Issuer Certificates using the organization RDN of the subject string and getting this from the issuer string of the EC or PC. This presents a problem because it isn't a required field. The organization field cannot be null or empty. Pulling objects from a DB using null or empty would produce bad results. The main change of this issue (which has not been full tested) is pulling using the AKI for the db lookup. If this fails, instead of falling back on potentially left out fields like the O= RDN, the ACA takes the issuer/subject fields, breaks them apart and sorts them based on the key. It also changes the case. This way the lookup can be assured to match in case of some random situation in which the issuer or subject field don't match because RDN keys are just in different positions of the string. 2020-12-11 14:47:46 -05:00
Cyrus
e64c6cf772 Merge branch 'master' into aic-policy-rule 2020-12-03 13:34:29 -05:00
Cyrus
e32e9412d8 Merge branch 'master' into Unmatched-component-refactor 2020-12-03 13:20:12 -05:00
Cyrus
a32d3a5f02 Remove comments 2020-12-01 09:46:05 -05:00
Cyrus
29b7d466cd Updated wording in validation for failed trust store 2020-11-30 09:23:10 -05:00
Cyrus
9433c97dc9 The code now uses a combination of the class value and the platform manufacturer and model to identify mismatches. This now highlights the failured components 2020-11-25 08:02:45 -05:00
Cyrus
ffbcebbf11 Found the issue with the isMatch class not working. The component class string for the class value has a pound sign. 2020-11-24 09:12:00 -05:00
Cyrus
fbdcf83840 Continued refactoring to update the failed components part of the attribute validation. The delta mapping needs to be reworked to not use serials. 2020-11-23 14:46:29 -05:00
Cyrus
2b41720ded Merge branch 'master' into update-component-failure-highlight 2020-11-17 15:24:27 -05:00
chubtub
e3b5d164a3 Add SKI to front end. Extract PK from base RIM to validate signature if not found in db 2020-11-16 16:43:11 -08:00
Cyrus
e8f5107137 Updating code to use a different format for identifying failed components. 2020-11-09 13:59:19 -05:00
Cyrus
bdb32d13ad initial commit 2020-11-09 12:45:36 -05:00
Cyrus
967d9a0030 Merge branch 'master' into aic-policy-rule 2020-11-09 07:24:33 -05:00
Cyrus
9aa2c6a46d Merge branch 'master' into client-display-log-mismatch 2020-11-06 09:17:38 -05:00
Cyrus
ed7dea3706 Merge branch 'master' into aic-policy-rule 2020-11-06 06:42:44 -05:00
Cyrus
6130f29dfa Merge branch 'master' into aic-policy-rule 2020-11-05 14:47:52 -05:00
chubtub
623da2ce80 Overload RIM validator class for faster signature checking 2020-11-05 14:13:50 -05:00
Cyrus
c7ffb1c57d Merge branch 'master' into client-display-log-mismatch 2020-11-05 12:39:35 -05:00
chubtub
302ffd81ee Load Schema object in ReferenceManifestValidator class with controller class instantiation to save time 2020-11-05 11:07:17 -05:00
chubtub
24cf71642d Add validation for support RIM hash and base RIM signature. 2020-11-05 11:07:17 -05:00
Cyrus
1b3abe465a
Merge pull request #303 from nsacyber/vendor-table-refactor
[#302] UEFI Table Map Refactor
2020-11-05 11:02:18 -05:00
Cyrus
388e3e9aa0 Merge branch 'master' into aic-policy-rule 2020-11-04 10:03:08 -05:00
Cyrus
49714fb3f2 Updated the Component Class Registry to rev. 4 2020-11-04 07:44:07 -05:00
Cyrus
e1c3a1fc0f Initial Commit 2020-10-29 08:58:37 -04:00
Cyrus
1a86012e72 Merge branch 'master' into vendor-table-refactor 2020-10-27 13:05:48 -04:00
Cyrus
24e460e0c4 This is a refactore that changes BiosMeasurements into EventLogMeasurements for evolving naming convention updates. 2020-10-26 11:09:26 -04:00
Cyrus
d7ade70b5c This branch takes the validated status of a failed event log matching from the bios measurements on the client and displays what failed on the support RIM page and the fail validation icon, if log mismatch, links to a bios measurments page that displays the events that didn't match next to baseline. 2020-10-22 13:32:30 -04:00
Cyrus
51f91b759d Merge branch 'master' into vendor-table-refactor 2020-10-20 09:40:32 -04:00
Cyrus
96970142cb This commit includes a completed rewrite of the ReferenceManifestSelector framework. Like the previous rewrite, it was easier and made more sense to create addition classes ands that are specific to a type of RIM (base, support, measurement) for referencing in the DB. Once this was rewritten the code was modified to validate the measurement against the support rim. 2020-10-19 13:06:44 -04:00
Cyrus
6052d8f8f2 The current script for generating the xjc didn't check if the files already existed. This causes the script to run multiple times during a build, which slows down the build process. This tweak checks the location to see if it exists and skips generating the xjc again. 2020-10-14 10:49:14 -04:00
Cyrus
9d793f50e6
Merge pull request #305 from nsacyber/client-eventlog
[#238] Client eventlog upload
2020-10-14 10:46:37 -04:00
Cyrus
e902c89a19
Merge pull request #304 from nsacyber/xjc-library-test
Updated XJC implementation/integration
2020-10-14 09:56:34 -04:00
Cyrus
4b0bb2df91 This commit updates the provisioner to pull the rim and swidtag locations from a properties file that will be created during the post install process. The provisioner then pulls the values and sends them to the ACA. The ACA currently just prints out the content and saves the swidtag. 2020-10-09 10:48:17 -04:00
Cyrus
369ce81c21 Merge branch 'master' into vendor-table-refactor 2020-10-06 09:45:12 -04:00
Cyrus
17728d3019 Updated the error message for no associated RIM not found, cleaned up display of the event content and adjusted the column of the digest display. 2020-10-06 07:42:15 -04:00
Cyrus
653acd270e With the changes to how the ReferenceManifest is represented in the code and the previous firmware validation PR update, this branch wasn't properly updated for quote validation. The code was still pulling information for the baseline from an old source that wouldn't work anymore. Therefore all validations for the quote failed. The update now pulls the baseline information from the support RIM which is now stored in the database. 2020-10-01 12:14:29 -04:00
Cyrus
e97e17b534 This is a change to exclude the jaxb generated files from the git tracked file list just like the protobuf class is. The script runs and generates, the files are ignored by pmd and compile depends on building the xjc directory successfully. 2020-10-01 08:36:59 -04:00
Cyrus
35dcc226a6 Updated and fixed the difference in the code from the master branch merge 2020-09-30 11:33:28 -04:00
Cyrus
89dd2084c2 Merge branch 'master' into rimel-delete-details 2020-09-30 10:03:27 -04:00
Cyrus
2b57207445 Updated the Tag Version and version fields for Base and Support rims. In addition, adjusted the lay out of the support rim table so that the events column isn't as long. Instead, the full content shows up in an hover action. 2020-09-30 07:51:27 -04:00
Cyrus
3852bd7c6e This code push removes a large switch/case statement structure and refactors it into a json file call. This follows the similar implementation of the Component Class but for UEFI vendor names. 2020-09-25 11:19:50 -04:00
Cyrus
3636782987 This commit adds functionality to display tpm even log information to the support RIM display page. Outstanding issues to implement: 1) add link to base from support RIM, 2) make event table scrollable 2020-09-24 09:58:10 -04:00
Cyrus
39cfaa5fac After discussion, the concept of a Support RIM was clarified and because of this the ReferenceManifest.java file has to be updated to treat the Support rim similarly to the Base (which is a binary file vs an XML file). This initial code push is the beginning of that 2020-09-21 07:34:07 -04:00
Cyrus
4167696e13 Removed commented line 2020-09-09 07:12:29 -04:00
Cyrus
0291b96ca8 Updated code should be able to print one summary 2020-08-28 14:02:40 -04:00
Cyrus
792a248ba0 This code finishes up validating the pcrs against the provided tpm quote. However this will cause a second summary object to display if firmware validation is enabled. This is because the summary manager isn't able to get or update the previously saved summary. 2020-08-28 12:24:02 -04:00
Cyrus
5fe19c5904 Updated the code to compare the composite hash and the calculated value. 2020-08-28 07:14:27 -04:00
Cyrus
0ab91b9b41 All bugs are fixed. The SupplyChainValidationSummary wasn't getting pulled from the DB. 2020-08-27 12:11:12 -04:00
Cyrus
0f3eb1b5d0 Took out initalizing TPMMeasurementRecord in PCRPolicy's constructor. This was likely throwing the DecoderException which caused the 404 error in the ACA. 2020-08-26 11:13:00 -04:00
Cyrus
905f12052d This is the next stage of changes that doesn't cause a 404 error. This has a compile error because the PCRPolicy class references PCRComposite and PCRInfoShort. Both of the later classes had changes to add new constructors, and these new constructors are the source of the problem. 2020-08-26 07:54:39 -04:00
Cyrus
ee294e4562 SupplyCahinValidationService did not like the additions of a method returning a SupplyChainValidation, switched to Summary and it worked. This was the cause of the DB crashing. 2020-08-25 11:36:37 -04:00
Cyrus
6ae95da3a0 Merge branch 'master' into aca-test-validation 2020-07-29 09:47:41 -04:00
Cyrus
2b2e7c744b Updated the messaging for an invalid swid tag file and added .log as another type of tmp log file to extension to accept. 2020-07-29 09:27:15 -04:00
Cyrus
c46b416504 Removed logging statement. 2020-07-27 14:10:22 -04:00
Cyrus
2e4ecb6829 Updated code for the device pcrs. The provisioner now sends everything associated with the tpm_pcrlist. The ACA stores the full list in a flat file then pulls that file when validating the firmware policy is enabled. 2020-07-27 13:58:22 -04:00
iadgovuser26
0e1413dd3c removed unmappable characters from comment lines 2020-07-23 15:54:57 -04:00
Cyrus
3e9d26f598 This code changes how the ACA handles a pcr list provided by the provisioner. The provisioner also is changed to send all supported algorithms and no longer delimits them with a + sign. The ACA is now set up to cycle through the entire list until is matches the baseline found in the rim associated log file. Currently the code is having issues saving the larger list of pcr values. It is too big for the database. 2020-07-17 12:44:31 -04:00
iadgovuser26
d10e7f1ebd
Merge pull request #279 from nsacyber/issue-278
Set initialized values for PCRs 17-23
2020-07-07 12:25:38 -04:00
iadgovuser26
00f2f33fd0 set initialized values for PCRs 17-23 2020-07-06 12:21:11 -04:00
Cyrus
e763461e46 Updated RIM Details page to display File Not Found when the associated event log has not been uploaded with the swid tag. 2020-06-25 08:47:51 -04:00
Cyrus
d41cb46468
[#260] RIM validation report page links (#264)
* Made some minor tweaks to investigate supply chain validation report bug.  The bug doesn't save the summary report for some unknown reason (no error currently appears).  This change uses the device object to retrieve a RIM.  Still need Attestation Certificate to pull PCRs from quote.  A follow up issue will be created to move that functionality to a different object from the provisioner.
2020-06-23 13:24:34 -04:00
Cyrus
6a62002b05
[#265] IMA/TBoot PCR ignore policy (#271)
* Updated code to include an official policy to ignore IMA and TBoot.  The policies will disable if firmware validation is disabled.
2020-06-23 12:48:06 -04:00
Cyrus
db31614694
Added case statement for 2.23.133.2.25 just like for 2.23.133.2.17 so that the error isn't thrown. (#272) 2020-06-19 11:11:58 -04:00
Cyrus
49e4ce4db4
Validation bug (#263)
* Updated code to correctly match up the PCR to the baseline PCR.  Also updated values of error messages and reduced firmware error message.
2020-06-15 11:55:05 -04:00
iadgovuser26
47fd1085cb Changed description when no event data is provided for EV_EFI_BOOT_SERVICES_APPLICATION 2020-06-10 17:54:15 -04:00
iadgovuser26
7f5d97e9fa Fixed merge conflicts 2020-06-10 17:33:57 -04:00
iadgovuser26
586c29c0f3 Fixed merge conflicts 2020-06-10 16:51:47 -04:00
iadgovuser26
f2fd7f31bd conflict resoltion step 1 2020-06-10 14:04:23 -04:00
iadgovuser26
75734015a7 rephrased EV_EFI_BOOT_SERVICES_APPLICATION message when no device path is present 2020-06-10 11:35:00 -04:00
Cyrus
da5bc217ef
[#236] Firmware validation update part 2 (#259)
* Modified the hirs.data.persist package to have better fidelity into the objects necessary to create and maintain a baseline.  the info objects will be next.
2020-06-10 11:17:45 -04:00
iadgovuser26
ff955bd499 added a eventcheck script to check and event log against a signed RIM 2020-05-27 17:31:15 -04:00
iadgovuser26
56552898da Merge branch 'issue-249' into issue-252 2020-05-15 12:19:58 -04:00
iadgovuser26
4e6e94aea3 fixed merge issue 2020-05-15 11:00:49 -04:00
iadgovuser26
b8f4182415 added tcg_eventlog_tool 2020-05-15 10:46:47 -04:00
iadgovuser26
70986caf5c
Merge branch 'master' into issue-245 2020-05-15 09:32:16 -04:00
iadgovuser26
2743077c83
Merge pull request #244 from nsacyber/issue-242
[#242] Add UEFI Variable processing for TCG Event Logs
2020-05-15 08:50:37 -04:00
iadgovuser26
f24c53f6c6 Added support for obtaining event and content data. Removed TCGLogProcessor. 2020-05-13 08:06:58 -04:00
iadgovuser26
a7d57f92d9 added command line log parser 2020-05-01 18:11:34 -04:00
iadgovuser26
7a9dc26df5 Added TCG Event Processing. 2020-05-01 09:18:14 -04:00
iadgovuser26
dda14ca16d Merge branch 'issue-242' into issue-245 2020-04-28 10:50:34 -04:00
iadgovuser26
3ae9cb87c8 Made code review adjustments 2020-04-28 10:11:51 -04:00
lareine
94cf172ce8 add support for EvCompactHash EvEfiSpecIdEvent and EvNoAction events 2020-03-27 15:58:05 -04:00
lareine
faa77be822 Merge branch 'issue-242' into issue-245
Uefi support included into issue-245.
2020-03-27 13:43:59 -04:00
iadgovuser26
d7f075d70c
Merge pull request #241 from nsacyber/issue-240
[#240] Adds ability to get the DigestAlgorithm from an Event Log
2020-03-27 11:00:17 -04:00
lareine
62247f8cfb Fixed unmappable character for encoding ASCII issue 2020-03-27 10:41:21 -04:00
Cyrus
2805df9f8b
[#236] Firmware validation update part 1 (#243)
* This commit includes changes to the provisioner for what is sent up.  Originally only SHA256 was being used, this change includes both.
* This last commit cover the items 2-4 in issue #236.  The Provisioner sends up and updated list of pcrs that include 256, not just sha1.  The validation and policy pages have been updated.  A second pull request will be created to address parsing the information into a baseline.
2020-03-27 10:13:37 -04:00
lareine
fecc84a5be Added unit tests for Uefi processing. 2020-03-27 08:20:04 -04:00
lareine
828e6d4e65 added uefi variable processing 2020-03-24 13:12:44 -04:00
lareine
b5867e0cf6 added UEFI GUID, Partiton, and Firmware Varible support 2020-03-17 17:08:09 -04:00
lareine
f3da6b44ac Added methods to retrieve event log hash algorithm and algorithm id 2020-03-17 09:48:02 -04:00
Cyrus
21db725815
[#230] Update RIM details page to display PCRs (#233)
* This is an update to the display of the Reference Integrity Manifest code base that'll allow a user to upload a swidtag.  This code includes some additions from #217, slightly modified.

* This code update include changes to import, archive and delete a swidtag into the RIM object.

* Updated the code with additional checks on the uploaded file locations.  Added the number associated with the PCR value to the detail page.

* This change fixes the bug that caused the rim detail page to go blank if the associated event log file associated with the resource file doesn't exist.

Co-authored-by: lareine <lareine@tycho.ncsc.mil>
2020-03-06 07:06:09 -05:00
Cyrus
4a6115f443
[#212] Added functionality to process and display RIM files. (#226)
* Some initial additions to the details page for displaying Rim information.

* Initial changes for uploading a rim file.

* This is an update to the display of the Reference Integrity Manifest code base that'll allow a user to upload a swidtag.  This code includes some additions from #217, slightly modified.

* This code update include changes to import, archive and delete a swidtag into the RIM object.

* This commit consolidated the SwidTagGatway code and Constants into Reference Manifest.

* This is the final main push of code that will upload, process, store, retrive/delete and display the contents of a RIM swid tag.

* Interim commit for demo purposes.

* Updated Unit Tests

* This commit adds the unit tests that weren't added in the previous commit

* Updated code to reduce execution time when processing reference manifest objects.

* Updated code for better GUI performance.

* Removed previously added suppression entries.
2020-02-21 11:16:46 -05:00
iadgovuser26
9a835d8923
[222] Added TCG Event Log Processing that converts TCG Event Logs to HIRS T… (#223)
* Added TCG Event Log Processing that converts TCG Event Logs to HIRS TPM Baselines

* Some minor formating, syntax and code refactoring updates.

* Updated checkstyle failures.

* String format was missing additional %s.

Co-authored-by: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
2020-02-21 06:37:43 -05:00
Cyrus
84a76608f3
[#198] Reference Integrity Manifest Page List (#210)
* Initial commit of changes to display RIM information.
2020-01-10 13:47:17 -05:00
Cyrus
81e13831b2
[#202] Certificate fail to save upon deletion during provisioning FIXED (#206)
* This commit fixes an error produced when provisioning when the certificate from a previous provision is deleted from the ACA.  The error involves doing a look up for an existing certificate and getting nothing however this is due to not using the 'includeArchived' attribute for the Certificate Selector.  Include Archived is used when manually uploading a certificate.
2020-01-06 08:17:04 -05:00
busaboy1340
a2497c064c
[#88] Integrate System Tests with Dockerized TPM 1.2 Provisioner (#208)
* Initial system test for TPM 1.2 emulator.

* Update .travis.yml file.

* Added system test: test_20_tpm_1_2_initial_provision

* Cleaned up files.

* Correct docker location

* Re-arranged system tests.

* Execute test_12_attestation_ca_portal_online for all current collectors.

* Clean up files.

* Cleaned up files.

* Cleaned up files.

* Cleaned up files.

* Cleaned up files

* Updated system test driver.

* Set logging properties to DEBUG.

* Commented out test_13_tpm_1_2_initial_provision. Need to fix it.
2019-12-23 05:28:26 -05:00
Cyrus
09aafa8041
[#168] Additional fields added to the Issued AC (#201)
* Added additional code pulled from the original branch for these changes aik-field-additions.
* Updated code to include the TCG Credential Specification, which is a different version from the Platform specification.
2019-11-13 10:46:00 -05:00
busaboy1340
00287725da
[#194] Update TPM Provisioner Docker images with latest PACCOR (v1.1.3r3) (#200)
* [#195] Components identified by Component Class will have hardware IDs translated to names

* Update TPM Docker images to latest PACCOR(v1.1.3r3). Comment out the
failing system tests caused by invalid input to PACCOR.
2019-11-07 09:37:06 -05:00
chubtub
8af49dc6b7 WIP: update version number in ACA banner following upgrade 2019-09-11 12:35:27 -04:00
Cyrus
f73d65c952
[#181] Delta holder validation (#186)
* This is a quick fix to ensure that a delta that is being uploaded has a holder serial number that exists in the database.

* Fixed syntax issues.

* Through further testing with delta certificates that had differing begin validity dates, the code to test the sorting failed.  This push includes a fix that places the deltas in the proper order.

In addition, this code includes a placeholder for deltas that don't have an existing holder certificate in the database.

* Findbugs is a cumbersome COTS product that generates more hassle than help.  Upon indicating 'dodgy' code about redundant null checks, that didn't exist, it then didn't like using non-short circuit operators to verify that both objects are not null.  It then spells out what non-shorting curcuit operators do, without acknowledges that's what you mean to do.
2019-08-29 13:35:41 -04:00
Cyrus
9318c22549
[#167] Component color failure (#185)
* Initial changes to pull down the serial from the validation reports page and transfer them to the certificates details page.  This will then allow the certificate details page to reference the serial numbers that are in failure.

* This is an attempt to transfer data from page to page via the certificate manager.

* Previous attempt didn't work, the manager isn't saving the summary.  Switching to augmenting the database by adding a new column for platform credentials.

* These changes add identifying color to the components that fail validation in the base certificate.  This code however does change the database by adding a new column to track the fails and pass to the classes that display the information.

* Updated the jsp display of the highlighted component to red background with a white foreground.  Updated the index of the string parse to not use magic numbers.
2019-08-29 11:45:22 -04:00
Cyrus
ce45adbb26
Updated the component class definitions to the current rev 4. (#179) 2019-08-05 13:28:08 -04:00
Cyrus
7cfabe756d
[#166] Validation icon swap (#173)
* This pull request contains 2 main changes, the first is transferring the status text from the attributes failure to the icon specifically for platform trust chain validation.  Then this removes the third column on the validation page that singles out the icons for the attribute status.  In addition, this status is also rolled up to the summary status icon and displays the text there as well for all that have failed.  This last change meant a change to the sizes of the columns in the database.

The validation of a single base certificate with an error was not handled in the code base.  Due to the changes with the introduction of delta certifications, the validation was modified and only handled changes presented by the deltas and ignored errors in the base certificate.  This commit modifies the code that if there is just a single base certificate that is bad and error is thrown.
2019-08-02 09:41:44 -04:00
Cyrus
f4bfe47c9c
Clean up (#172)
* This is a test build to determine code to block script base certificate upload if one already exists.

* Added null check

* Fixed checkstyle error
2019-07-25 09:32:33 -04:00
Cyrus
3208241cc3
[#162] Attribute match fix (#165)
* Updated code by removing a loop that wasn't necessary.  It was supposed to filter out the deltas but this wasn't needed as the chain was established.

* The debug code was left in, this is now removed.
2019-06-24 13:02:01 -04:00
Cyrus
a8e2c5cc6e
[#163] Delta issuer validation (#164)
* This code change will add in the delta certficates to the platform validation check.  The current base passes the policy check as long as the base is valid.  The deltas are ignored.  This is because the validation pulls in what is associated with a particular EK associated with the machine provisioning.
2019-06-24 13:01:32 -04:00
Cyrus
157dcb649d
[#109] Delta Chain Validation (#151)
* This code adds functionality to check the delta certificates in a chain. The main operation validates that the delta belongs in that chain and then that the chain establishes correct component modification. No removes before an add, no add to a component that exists, no remove to a component that doesn't exist. The unit test was updated to not use any flat file certificate.

Closes #109

* Changes were made to the validation of a delta certificate based on newer information.  There can be multiple bases and multiple leaves in a tree of associated certificates.  However currently we don't have certificates to validate the entirety of the code to test.

* Updated the code to treat the platform attributes policy, if v2, against all in the chain rather than one at a time.
2019-06-04 14:07:35 -04:00
apldev3
d26a3da5ea [#135] Fix DeviceInfoCollector's handling of C-Style Strings 2019-05-13 15:03:27 -04:00
Cyrus
3bebec1154
Attribute Validation Match Update (#128)
* Updated the default values of the component identifier and component info classes.  The provisioner side of the process was updated to populate with Empty, the current ACA is using ---.

* Updated unit tests.  For the supply chain validation, I updated the validation fail message to include additional information.

* Updated code for the component identifier classes to correct the default values that can be seen from either paccor or devices when data isn't specified.

* Removed unused variable and change package for the EMPTY variable.
2019-05-06 13:54:16 -04:00
Cyrus
805b87ffb6
[#111] ACA UI updates for V2 platform certificates (#129)
* This issue updates the UI for the newest V2 information for platform attribute certificates.  This first push has updates from #111 for items 1, 2 and 3a/b.

* Updated for additional changes.

* Updated example of numerated base to delta certificates linked on platform details page instead of using previous and next buttons.

* Updated code to unlink supply chain identifier number if that is the current page.

* A unit test was failing because of the next spec and how the certificate string mapper was being used.  I added a null check before sending it to a selector. In addition I updated the selector to print the actual variable name that of the field value failing for better clarity when it fails.

* Updated variable name to reflect changes in the issue around labeling certificates vs credentials.
2019-05-03 06:53:17 -04:00
chubtub
86f2cddb22 [#108] Validity Check for Base and Delta Certs (#126)
* Added methods and placeholders for checking the supply chain for base and delta credentials according to the new TCG spec

Checkstyle changes

Created a new SupplyChainValidation.ValidationType for delta credential attributes. The existing PLATFORM_CREDENTIAL
ValidationType will be used for both base and delta platform credentials from spec 1.1.

* Checkstyle error: trailing spaces
2019-05-02 07:15:43 -04:00
apldev4
7ab8d11dbb [#124] Added length to DigestAlgorithm enum values. (#125)
Added length to DigestAlgorithm enum values.
2019-04-15 10:52:22 -04:00
Cyrus
2e767994ff
[#107] Additional component fields for version 2 (#121)
* Updated CONTRIBUTING.md

* Remove old CI Runner config

* [#1] Add support for processing ECC certificates as part of the trust chain

* [#3] Ensure ACA and TPM2 Provisioner handle versioning correctly

* [#3] Ensure ACA and TPM2 Provisioner handle versioning correctly

* Update Link to Build Instructions on main README

* Fixed link to the Platform Credential Profile.

* [#7] Support Building (Not Packaging) on Ubuntu 18.04

* [#10] Fix representation of zero-valued hashes

Zero-value hashes, and hashes of no data, are now
considered as matches to equal values instead of
treating them as 'unknown'.

* [#12] Setup basic Travis CI build

* Update README to include Build Status

* [#7] Setup Build/Package Support for Ubuntu (#9)

* Updating the certificate details page to display the Holder information and include a link to the associated Endorsement Certificate.

* Adding ability to delete Attestation Certificates on the ACA.

* [#14] Parallelize Subproject CI Builds and Pull Pre-Built Image

* Revise Docker to Always Pull Latest HIRS project

* This change forces the supply chain validation service to verify that the Platform Credential has a status of PASS.  If it does not, no matter the outcome of the Attributes validation, the status of the Attributes can not be PASS.

Added an additional null check for a platform supply validation.  Added a mapping object for platform credential to the associated attributes during validations.

Added an additional null check for a platform supply validation.  Added a mapping object for platform credential to the associated attributes during validations. Missed import statement.

* Adding Tpm2-tss support for Deb packaging.

Changes how tpm20.h, which contains the TPM2 SAPI, is
imported to allow successful packaging of both debs and
rpms.

* [#23] Update HIRS Utils and ACA to handle certificate padding (#26)

* [#27] Fix TPMSecurityAssertions Parsing in EndorsementCredential (#31)

* [#28] ACA RPM modifies SELinux policy to allow Tomcat to use MySQL.

The CentOS7 package selinux-policy-targeted does not allow Tomcat
to use port 3306, which is the default MySQL port. This commit
changes the ACA RPM to modify the SELinux policy to grant that
permission on fresh installs. This makes the ACA RPM now require
the policycoreutils package to be installed.

* Print provisioner installation comments to console

* [#25] Make ACA exception handling more descriptive

* [#38] ACA checks uploaded EK Certs if one is not provided during provisioning

* [#7] Ensure Ubuntu support pending end-user installation of supported TPM2 Libraries

* [#33] IMA baselines can match measurements based solely on hashes (#34)

ImaAcceptableRecordBaseline and its subclasses have been updated to include
a containsHashes method to be able to match IMA measurement records
based solely on their hashes.  Supporting classes have been
updated or created as necessary.

Additionally, the set of path equivalencies as specified in the IMA
policy have been updated to include additional entries.

Closes #33.

* Updated for release 1.0.2

* [#32] Add package stage to Travis Build

* [#47] Prevent deletion of external dependencies for TPM 2.0 Provisioner (#48)

* [#41] Provisioners use PACCOR for device info collection. (#45)

The provisioners used to shell out using different tools
to collect device info. Now they both use PACCOR instead.

* [#49] Modify getPolicy behavior to reflect use

DBPolicyManager's getPolicy(appraiser, device) has historically
returned the default policy for an appraiser if none is defined
in the device group that the given device belongs to.  However,
this behavior does not in fact support the current use of devices,
groups, and policies; in the case where a group has no policy
assigned for a type of appraiser, the system is in a state
where that type of appraisal will not occur for devices in
a given group.  To better reflect desired behavior, the method
now returns null if a policy is not explicitly set for
the given (appraiser, device group) pair.

Closes #49.

* [#52] Make TPM2 Provisioner check for a running Resource Manager (#53)

[#52] Make TPM2 Provisioner check for a running Resource Manager

* [#55] Add displayTitle to Alert

These changes simply add a field called
'displayTitle' to the Alert class to hold
a human-readable title for each Alert instance.

Closes #55.

* Add changes for device deletion.

Changes data structures to facilitate deletion of devices
from the DB and all other entries with foreign key relationships.

* TPMBaseline.isEmpty() method, activated tests

Added unit test for TPMBaseline.isEmpty(). Change exception type thrown in generator class

Added unit tests to account for both an empty and a non-empty baseline object

Checkstyle changes

* Replace Refs of yum localinstall with yum install

There is no functional difference between `yum install` and `yum localinstall`, however the former is preferred for modern conventions' sake.

* [#62] Cleaned up preprocessor file expansion.

There were unnecessary references to file paths in the executable.

* [#43] Additional certificate fields to display

* This change adds in additional information about the certificate, which include the public key and signature algoritms and their sizes, the key usage and extended key usage, the certificate version number for EK and CA certs and the issuer section expanded with Auth Key Id and Auth Info Access.

* Made some fixes to the platform class print out.  Needs to print out string representation of the value.

* Additional changes for the certificate details page.  Going over the spec determining what should be shown and what should be hidden if no information is specified.

* This change adds in additional information about the certificate, which include the public key and signature algoritms and their sizes, the key usage and extended key usage, the certificate version number for EK and CA certs and the issuer section expanded with Auth Key Id and Auth Info Access.

Made some fixes to the platform class print out.  Needs to print out string representation of the value.

Additional changes for the certificate details page.  Going over the spec determining what should be shown and what should be hidden if no information is specified.

Small updates to code commits and statements

* Stashing changes.

* Correcting some unit test fail instances.  The PC Test fails because the tested cert is not updated to new (constantly changing) specs.  Not just on the value but also on the value type.

* Fixing git merge meta data.

* Updates to include the Authority Key information as a set rather than just one item.  Using a bouncy castle defined class.

* Reversed the type of variable the public key value returns so that the unit test for it doesn't have to change.  The type wasn't important, it was a convenience decision.

* Adding changes based on review comments from @apldev3.

* Made changes based on github review comments.

* Additional changes for github comments

* Updated the code for the public key size on CA and EK certificates.  There was a previous issue with 4 additional bytes being included in the size.

* Some more changes for Github comments

* Add selector for Endorsement Credential and Platform Credential Deletion (#66)

Adds a selector method to retrieve ECs and PCs by their associated device
so they can be deleted.

* [#69] Add null checks to Component Identifier Serial/Revision Trimming (#70)

* [#54] ACA Users guide (#57)

* Added the ACA Users Guide

* Updated the installation notes on the ACA portal help page

* changed format of user guide from pdf to doc

* [#54] Edit ACA Users Guide

* Updated the ACA Install and User Guide

* Added the ACA Users Guide.

Updated the ACA install Notes and added the ACA User Guide.

* [#46] Setup Travis for HIRS Integration Tests (#68)

* [#46] Ensure Travis mounts repository rather than clones it in Docker

* [#46] Containerize HIRS ACA and prep ACA container for Integration Tests

* [#46] Containerize HIRS TPM2Provisioner and prep TPM2Provisioner container for Integration Tests

* [#46] Replace localinstall with install

* [#46] Prevent rebuilding of packages unnecessarily

* [#46] Finish initial docker compose setup for integration tests

* [#46] Allow for detection of complete Integration Environment Setup

* [#46] Fix Travis CI to allow for detecting Integ Test Environ Stand-Up

* [#46] Fix Initial Integration Test Script

* [#46] Troubleshoot Integration Test script

* #67 Add systems tests for HIRS Provisioner TPM 2.0  (#73)

* Added System Tests.

* Cleaned up scripts

* Cleaned up system tests.

* Cleaned up system tests.

* Cleaned up system tests.

* Updated system tests.

* Code review updates.

* Fix Style Issue in Build (#76)

A couple of variables had conflicting names and the inner scope was
shadowing the outer. Style checker was complaining. Deleted one inner
definition and renamed another variable.

* Incremented VERSION to 1.0.3 (#81)

* [#78] hirs-provisioner-tpm2 on path after installation. (#84)

There was a problem in the rpm-post-install.sh script
that ran as part of the CentOS7 rpm installation where
a link was being created called libcurl.so which pointed
to libcurl.so.4. If the link could not be created because
it already existed, the script would quit before finishing
and never place hirs-provisioner-tpm2 in a directory on
the PATH.

The proper solution was to link hirs-provisioner against
libcurl.so.4 so that it is clear which version of the API
was compiled against. This was not happening because
we were linking against a version of curl build by the CPR
project which was not properly embedding the SONAME in the
shared object file. By linking instead against the shared
object file distributed in the development package of
libcurl, hirs-provisioner-tpm2 now looks for libcurl.so.4
rather than the generic libcurl.so. This will prevent our
executable from breaking if libcurl.so gets updated to point
to a newer version of libcurl that uses a different API.

Closes #78.

* [#82] Systems Tests not Reporting Failure Correctly (#83)

* Test failing system tests report correctly in Travis.

* Test successful system tests report correctly in Travis.

* Test failing system tests report correctly in Travis.

* Test successful system tests report correctly in Travis.

* Test failing system tests report correctly in Travis.

* Test successful system tests report correctly in Travis.

* [#71] Dockerize TPM 1.2 Provisioner and Integrate with Docker Compose (#77)

* [#71] Initial Dockerization of TPM 1.2 Provisioner

* Fix permissions on new script

* Fix current bugs

* [#71] Try a new direction for setting up TPM 1.2 Provisioner Testing

* [#71] Attempt to the latest version of Trousers on Travis CI VM for 1.2 Provisioner support

* [#71] Try IBM TPM 1.2 Emulator

* [#71] Move towards cleaning up work

* [#71] Update TPM1.2 Provisioner Docker to work with Docker Compose in Systems Test

* [#71] Get TPM 1.2 Provisioner to provision successfully in Docker container

* Update system tests script to include TPM 1.2 Provisioner container

* [#71] Separate TPM 1.2 and 2.0 Provisioner System Tests

* [#71] Pipe TPM Emulator log output to file to clear up system test output

* [#87] Combine Packaging and System Tests into One Travis Test Phase (#89)

* [#91] Add Authority Information Access to Issuer field of Attribute Certificates (#92)

* Updated code base for Attribute Certificates.  They are currently not showing Authority Information Access in the Issuer field on the certificate details page.  The code was not written to handle this
or to set it.

* Updated unit tests to test Authority Info Access and Key Identifier.

* Adding extra certificates to be used in the new tests.

* Updated unit test, the new tests were missing the @Test parameter.

* [#19] General Name/DN equals functionality (#93)

* Adding new class GeneralNames, I will be changing it to adjust to the bc class as to not confuse the two.  This class takes the subject string and parse out the information for comparsion.

* Adding file I didn't have tracked in the previous commit.

* Updating code to handle the instance of multiple organization units.

* A null exception was being thrown from the unit tests for the organization unit variable.

* Add some comments

* continued testing and updates are needed.

* Cleanup - removed excess commented code and debug lines.

* Updating code base to use X500Name for name compares, removing GeneralNamesParser.java file as it is not necessary

* Updated for final changes.

* Modification to previous changes per request on github.  Separated out compare method into its own class and created unit tests.

* Added Users Guide to the Quick Links section

* [#72] Supply Chain Validator fix and update (#94)

* This fix correct an IllegalStateException for the SupplyChainValider when all policy settings are true.  When trying to remove a value from the iterator in the validator, the item was null and caused this issue.  This also takes out the Platform Serial as a required field.

Closes #72

* checking in a small change that puts back in a line for checking the serial number.  It has been changed from FAIL to PASS however.

* Committing updated changes.

* Committing test certs for changes.

* Updated unit tests

* Fixing travis checkstyle for URISyntaxException missing from UnitTests

* [#96] Validation tooltip update (#98)

* Updating code to list what specifically is unmatched for platform components on the validation page when there is a failure.

* Updates include a small shift for the policy page, putting the correct order for setting them (top to bottom).  Updated unit tests for the additional text that now appears on the tool tip for the validation failure icon.

* Updates to allow for TPM 2.0 quote.

* [#106] Platform Configuration v2 (#112)

* These changes are the beginning stage for spec 2 changes to the platform configuration section of the attributes platform certificate.

* Updated typos and corrected check style errors.

* Updating Platform Credential Unit test from #24

* Added unit test resource

* [#24] Implementation of Component Class field (#114)

* This is new code that parses a new field in the upcoming TCG spec for the platform components fields. The new field indicates the type of hardware (ex Memory - DDR3). This information wasn't provided before so it wasn't always clear what the component was. The new information is provided in a json file. A unit test was created to test the different variations. This commit does not include hooks in the base code to use this class yet. This commit is mainly to include the added library and correct bug and checkstyle issues associated with the new code.

Closes #24

* Removed duplicate CONSTANT variable.

* Added newline

* Added Newline

* Updated variable names for json object.

* Fixed line length style error.

* This is an initial set up for the new tagged elements for the component identifier.

* This is an initial set up for the new tagged elements for the component identifier.

* Split out functionality for version 2 changes.  Added a new class to handle newer component elements.

* Split out functionality for version 2 changes.  Added a new class to handle newer component elements.

* Updated for how to display version 2 versus version 1.

* Updated for how to display version 2 versus version 1.

* Moved V2 versions of class files to V2 specific folder.

* Moved V2 versions of class files to V2 specific folder.

* Debugging a problem with the componentclass portion of the spec 2 certificate.  Pushing up so that I can debug at a different location.

* Debugging a problem with the componentclass portion of the spec 2 certificate.  Pushing up so that I can debug at a different location.

* Updated changes that fixed a bug.  The V2 of component identifier wasn't actually being used, and causes the cert to not upload.

* Updated changes that fixed a bug.  The V2 of component identifier wasn't actually being used, and causes the cert to not upload.

* Additional changes made to resovle unit test failures and changes made to the unit test to validate some of the additional changes.

* Additional changes made to resovle unit test failures and changes made to the unit test to validate some of the additional changes.

* Fixed checkstyle issue of unused import.

* Fixed checkstyle issue of unused import.

* Last minute changes to fix some elements that were missed as prep for pull request.

* Last minute changes to fix some elements that were missed as prep for pull request.

* Update CertificateIdentifier for the issuerDN field so that findbugs does not error on the line setting it only to null.

* Update CertificateIdentifier for the issuerDN field so that findbugs does not error on the line setting it only to null.

* Updates to the placeholder class to avoid findbug errors.

* Updates to the placeholder class to avoid findbug errors.

* Added instanceof object check for attribute status in platform property V2 as an additional safeguard against type mismatch.

* Added instanceof object check for attribute status in platform property V2 as an additional safeguard against type mismatch.

* Corrected logic on AttributeStatus isRemoved method.

* Removed reference to ComponentClass in V1 of ComponentIdentifer.  Updated CertificateIdentifer to deal with tagged objects being optional, therefore the check for required in constructor is unnecessary.

* Updated the parsing statements for the CertificateIdentifier's elements.
2019-04-08 14:09:21 -04:00
apldev3
1a28853d23
[#18] Add in Null Checks for Certificate and Subclasses (#118)
* [#18] Add in null checks to Certificate and PlatformCredential

* [#18] Fix checkstyle errors
2019-03-29 10:18:44 -04:00
apldev3
267001226e
[#61] Remove Magic String Usage from PersistenceConfiguration (#116) 2019-03-28 09:53:50 -04:00
Cyrus
35c63efe19
[#24] Implementation of Component Class field (#114)
* This is new code that parses a new field in the upcoming TCG spec for the platform components fields. The new field indicates the type of hardware (ex Memory - DDR3). This information wasn't provided before so it wasn't always clear what the component was. The new information is provided in a json file. A unit test was created to test the different variations. This commit does not include hooks in the base code to use this class yet. This commit is mainly to include the added library and correct bug and checkstyle issues associated with the new code.

Closes #24

* Removed duplicate CONSTANT variable.

* Added newline

* Added Newline

* Updated variable names for json object.

* Fixed line length style error.
2019-03-25 11:14:19 -04:00
Cyrus
3ae32b6777
[#106] Platform Configuration v2 (#112)
* These changes are the beginning stage for spec 2 changes to the platform configuration section of the attributes platform certificate.

* Updated typos and corrected check style errors.

* Updating Platform Credential Unit test from #24

* Added unit test resource
2019-03-25 11:13:09 -04:00
apldev2
c83b3c2de5
Merge pull request #100 from nsacyber/update-provisioner-installation
Updates to allow for TPM 2.0 quote.
2019-03-08 15:07:00 -05:00
apldev4
efbd22812d Updates to allow for TPM 2.0 quote. 2019-03-08 14:33:06 -05:00
Cyrus
df72603476 [#96] Validation tooltip update (#98)
* Updating code to list what specifically is unmatched for platform components on the validation page when there is a failure.

* Updates include a small shift for the policy page, putting the correct order for setting them (top to bottom).  Updated unit tests for the additional text that now appears on the tool tip for the validation failure icon.
2019-02-27 11:03:46 -05:00
Cyrus
aeebd068f5 [#72] Supply Chain Validator fix and update (#94)
* This fix correct an IllegalStateException for the SupplyChainValider when all policy settings are true.  When trying to remove a value from the iterator in the validator, the item was null and caused this issue.  This also takes out the Platform Serial as a required field.

Closes #72

* checking in a small change that puts back in a line for checking the serial number.  It has been changed from FAIL to PASS however.

* Committing updated changes.

* Committing test certs for changes.

* Updated unit tests

* Fixing travis checkstyle for URISyntaxException missing from UnitTests
2019-02-25 10:37:11 -05:00
Cyrus
30caf57edb [#19] General Name/DN equals functionality (#93)
* Adding new class GeneralNames, I will be changing it to adjust to the bc class as to not confuse the two.  This class takes the subject string and parse out the information for comparsion.

* Adding file I didn't have tracked in the previous commit.

* Updating code to handle the instance of multiple organization units.

* A null exception was being thrown from the unit tests for the organization unit variable.

* Add some comments

* continued testing and updates are needed.

* Cleanup - removed excess commented code and debug lines.

* Updating code base to use X500Name for name compares, removing GeneralNamesParser.java file as it is not necessary

* Updated for final changes.

* Modification to previous changes per request on github.  Separated out compare method into its own class and created unit tests.
2019-02-19 10:26:25 -05:00
Cyrus
3a31631c59 [#91] Add Authority Information Access to Issuer field of Attribute Certificates (#92)
* Updated code base for Attribute Certificates.  They are currently not showing Authority Information Access in the Issuer field on the certificate details page.  The code was not written to handle this
or to set it.

* Updated unit tests to test Authority Info Access and Key Identifier.

* Adding extra certificates to be used in the new tests.

* Updated unit test, the new tests were missing the @Test parameter.
2019-02-19 10:16:39 -05:00
apldev3
a6f5a48307
[#69] Add null checks to Component Identifier Serial/Revision Trimming (#70) 2019-01-06 22:06:46 -05:00
apldev2
634d09ff5d Add selector for Endorsement Credential and Platform Credential Deletion (#66)
Adds a selector method to retrieve ECs and PCs by their associated device
so they can be deleted.
2018-12-14 12:02:03 -05:00
Cyrus
6624296abe [#43] Additional certificate fields to display
* This change adds in additional information about the certificate, which include the public key and signature algoritms and their sizes, the key usage and extended key usage, the certificate version number for EK and CA certs and the issuer section expanded with Auth Key Id and Auth Info Access.

* Made some fixes to the platform class print out.  Needs to print out string representation of the value.

* Additional changes for the certificate details page.  Going over the spec determining what should be shown and what should be hidden if no information is specified.

* This change adds in additional information about the certificate, which include the public key and signature algoritms and their sizes, the key usage and extended key usage, the certificate version number for EK and CA certs and the issuer section expanded with Auth Key Id and Auth Info Access.

Made some fixes to the platform class print out.  Needs to print out string representation of the value.

Additional changes for the certificate details page.  Going over the spec determining what should be shown and what should be hidden if no information is specified.

Small updates to code commits and statements

* Stashing changes.

* Correcting some unit test fail instances.  The PC Test fails because the tested cert is not updated to new (constantly changing) specs.  Not just on the value but also on the value type.

* Fixing git merge meta data.

* Updates to include the Authority Key information as a set rather than just one item.  Using a bouncy castle defined class.

* Reversed the type of variable the public key value returns so that the unit test for it doesn't have to change.  The type wasn't important, it was a convenience decision.

* Adding changes based on review comments from @apldev3.

* Made changes based on github review comments.

* Additional changes for github comments

* Updated the code for the public key size on CA and EK certificates.  There was a previous issue with 4 additional bytes being included in the size.

* Some more changes for Github comments
2018-12-13 09:30:10 -05:00
Michael Tsai
e2e07a3ec2 TPMBaseline.isEmpty() method, activated tests
Added unit test for TPMBaseline.isEmpty(). Change exception type thrown in generator class

Added unit tests to account for both an empty and a non-empty baseline object

Checkstyle changes
2018-12-07 10:03:19 -05:00
apldev2
02cb30ad6d Add changes for device deletion.
Changes data structures to facilitate deletion of devices
from the DB and all other entries with foreign key relationships.
2018-12-04 17:25:35 -05:00
apldev1
3c5a657c17 [#55] Add displayTitle to Alert
These changes simply add a field called
'displayTitle' to the Alert class to hold
a human-readable title for each Alert instance.

Closes #55.
2018-11-30 15:20:01 -05:00
apldev1
c12cb135f1 [#49] Modify getPolicy behavior to reflect use
DBPolicyManager's getPolicy(appraiser, device) has historically
returned the default policy for an appraiser if none is defined
in the device group that the given device belongs to.  However,
this behavior does not in fact support the current use of devices,
groups, and policies; in the case where a group has no policy
assigned for a type of appraiser, the system is in a state
where that type of appraisal will not occur for devices in
a given group.  To better reflect desired behavior, the method
now returns null if a policy is not explicitly set for
the given (appraiser, device group) pair.

Closes #49.
2018-11-08 10:53:31 -05:00
apldev4
0586afb9d8
[#41] Provisioners use PACCOR for device info collection. (#45)
The provisioners used to shell out using different tools
to collect device info. Now they both use PACCOR instead.
2018-11-07 14:54:48 -05:00
apldev1
2d0806e5a8 [#33] IMA baselines can match measurements based solely on hashes (#34)
ImaAcceptableRecordBaseline and its subclasses have been updated to include
a containsHashes method to be able to match IMA measurement records
based solely on their hashes.  Supporting classes have been
updated or created as necessary.

Additionally, the set of path equivalencies as specified in the IMA
policy have been updated to include additional entries.

Closes #33.
2018-11-01 10:47:33 -04:00
apldev3
17b1426288 [#27] Fix TPMSecurityAssertions Parsing in EndorsementCredential (#31) 2018-10-23 11:40:49 -04:00
apldev3
f192ce5826 [#23] Update HIRS Utils and ACA to handle certificate padding (#26) 2018-10-18 14:34:52 -04:00
Taruan Matthews
916638be03 Updating the certificate details page to display the Holder information and include a link to the associated Endorsement Certificate. 2018-10-04 10:08:05 -04:00
apldev3
00b1c913e4 [#12] Setup basic Travis CI build 2018-09-26 13:18:51 -04:00
apldev1
eced951933 [#10] Fix representation of zero-valued hashes
Zero-value hashes, and hashes of no data, are now
considered as matches to equal values instead of
treating them as 'unknown'.
2018-09-24 11:18:45 -04:00
apldev3
bdbc85ef4d [#3] Ensure ACA and TPM2 Provisioner handle versioning correctly 2018-09-17 12:28:05 -04:00
apldev3
12f770080a [#1] Add support for processing ECC certificates as part of the trust chain 2018-09-13 13:09:48 -04:00
apldev4
d7e44b8310 Initial release 2018-09-06 09:47:33 -04:00