Commit Graph

327 Commits

Author SHA1 Message Date
Cyrus
c7f796d1a3 Updated status error checking for validating firmware. 2020-06-26 09:47:04 -04:00
Cyrus
d41cb46468
[#260] RIM validation report page links (#264)
* Made some minor tweaks to investigate supply chain validation report bug.  The bug doesn't save the summary report for some unknown reason (no error currently appears).  This change uses the device object to retrieve a RIM.  Still need Attestation Certificate to pull PCRs from quote.  A follow up issue will be created to move that functionality to a different object from the provisioner.
2020-06-23 13:24:34 -04:00
Cyrus
6a62002b05
[#265] IMA/TBoot PCR ignore policy (#271)
* Updated code to include an official policy to ignore IMA and TBoot.  The policies will disable if firmware validation is disabled.
2020-06-23 12:48:06 -04:00
Cyrus
16f38751ca
[#265] Skip ima pcr (#267)
* Added temp code edit to ignore IMA pcr during firmware validation

* Removed redundant check
2020-06-17 13:33:02 -04:00
Cyrus
49e4ce4db4
Validation bug (#263)
* Updated code to correctly match up the PCR to the baseline PCR.  Also updated values of error messages and reduced firmware error message.
2020-06-15 11:55:05 -04:00
Cyrus
da5bc217ef
[#236] Firmware validation update part 2 (#259)
* Modified the hirs.data.persist package to have better fidelity into the objects necessary to create and maintain a baseline.  the info objects will be next.
2020-06-10 11:17:45 -04:00
Cyrus
2805df9f8b
[#236] Firmware validation update part 1 (#243)
* This commit includes changes to the provisioner for what is sent up.  Originally only SHA256 was being used, this change includes both.
* This last commit cover the items 2-4 in issue #236.  The Provisioner sends up and updated list of pcrs that include 256, not just sha1.  The validation and policy pages have been updated.  A second pull request will be created to address parsing the information into a baseline.
2020-03-27 10:13:37 -04:00
Cyrus
4a6115f443
[#212] Added functionality to process and display RIM files. (#226)
* Some initial additions to the details page for displaying Rim information.

* Initial changes for uploading a rim file.

* This is an update to the display of the Reference Integrity Manifest code base that'll allow a user to upload a swidtag.  This code includes some additions from #217, slightly modified.

* This code update include changes to import, archive and delete a swidtag into the RIM object.

* This commit consolidated the SwidTagGatway code and Constants into Reference Manifest.

* This is the final main push of code that will upload, process, store, retrive/delete and display the contents of a RIM swid tag.

* Interim commit for demo purposes.

* Updated Unit Tests

* This commit adds the unit tests that weren't added in the previous commit

* Updated code to reduce execution time when processing reference manifest objects.

* Updated code for better GUI performance.

* Removed previously added suppression entries.
2020-02-21 11:16:46 -05:00
Cyrus
81e13831b2
[#202] Certificate fail to save upon deletion during provisioning FIXED (#206)
* This commit fixes an error produced when provisioning when the certificate from a previous provision is deleted from the ACA.  The error involves doing a look up for an existing certificate and getting nothing however this is due to not using the 'includeArchived' attribute for the Certificate Selector.  Include Archived is used when manually uploading a certificate.
2020-01-06 08:17:04 -05:00
Cyrus
0ede7191ad
[#191] ACA Processing TPM Quote/PCRs from Certificate Request (#197)
* Updated the ACA to verify that the quote and pcrlist exist before trying to parse them.

* Removed unused methods for the tpmquote process.
2019-10-29 09:34:06 -04:00
Cyrus
f73d65c952
[#181] Delta holder validation (#186)
* This is a quick fix to ensure that a delta that is being uploaded has a holder serial number that exists in the database.

* Fixed syntax issues.

* Through further testing with delta certificates that had differing begin validity dates, the code to test the sorting failed.  This push includes a fix that places the deltas in the proper order.

In addition, this code includes a placeholder for deltas that don't have an existing holder certificate in the database.

* Findbugs is a cumbersome COTS product that generates more hassle than help.  Upon indicating 'dodgy' code about redundant null checks, that didn't exist, it then didn't like using non-short circuit operators to verify that both objects are not null.  It then spells out what non-shorting curcuit operators do, without acknowledges that's what you mean to do.
2019-08-29 13:35:41 -04:00
Cyrus
9318c22549
[#167] Component color failure (#185)
* Initial changes to pull down the serial from the validation reports page and transfer them to the certificates details page.  This will then allow the certificate details page to reference the serial numbers that are in failure.

* This is an attempt to transfer data from page to page via the certificate manager.

* Previous attempt didn't work, the manager isn't saving the summary.  Switching to augmenting the database by adding a new column for platform credentials.

* These changes add identifying color to the components that fail validation in the base certificate.  This code however does change the database by adding a new column to track the fails and pass to the classes that display the information.

* Updated the jsp display of the highlighted component to red background with a white foreground.  Updated the index of the string parse to not use magic numbers.
2019-08-29 11:45:22 -04:00
Cyrus
2e07d2cfd7
The validation page was not showing an error icon for attributes failures. This was due to the retained validation type for attributes. This has been removed and the code was additionally updated with logic to handle showing just one icon for both policy checks for the platform credential. (#184) 2019-08-27 10:40:55 -04:00
Cyrus
c3e02825f4
[#181] Validation systemcheck fix (#182)
* The base certificate is getting a failure when the delta fixed the problem.  The code is being modified to ignore the attribute validation of the base certificate and redo the trust chain check.  The code now has a cleaner platform evaluation set up and store.
2019-08-21 10:52:40 -04:00
Cyrus
7cfabe756d
[#166] Validation icon swap (#173)
* This pull request contains 2 main changes, the first is transferring the status text from the attributes failure to the icon specifically for platform trust chain validation.  Then this removes the third column on the validation page that singles out the icons for the attribute status.  In addition, this status is also rolled up to the summary status icon and displays the text there as well for all that have failed.  This last change meant a change to the sizes of the columns in the database.

The validation of a single base certificate with an error was not handled in the code base.  Due to the changes with the introduction of delta certifications, the validation was modified and only handled changes presented by the deltas and ignored errors in the base certificate.  This commit modifies the code that if there is just a single base certificate that is bad and error is thrown.
2019-08-02 09:41:44 -04:00
Cyrus
f4bfe47c9c
Clean up (#172)
* This is a test build to determine code to block script base certificate upload if one already exists.

* Added null check

* Fixed checkstyle error
2019-07-25 09:32:33 -04:00
Cyrus
a8e2c5cc6e
[#163] Delta issuer validation (#164)
* This code change will add in the delta certficates to the platform validation check.  The current base passes the policy check as long as the base is valid.  The deltas are ignored.  This is because the validation pulls in what is associated with a particular EK associated with the machine provisioning.
2019-06-24 13:01:32 -04:00
Cyrus
157dcb649d
[#109] Delta Chain Validation (#151)
* This code adds functionality to check the delta certificates in a chain. The main operation validates that the delta belongs in that chain and then that the chain establishes correct component modification. No removes before an add, no add to a component that exists, no remove to a component that doesn't exist. The unit test was updated to not use any flat file certificate.

Closes #109

* Changes were made to the validation of a delta certificate based on newer information.  There can be multiple bases and multiple leaves in a tree of associated certificates.  However currently we don't have certificates to validate the entirety of the code to test.

* Updated the code to treat the platform attributes policy, if v2, against all in the chain rather than one at a time.
2019-06-04 14:07:35 -04:00
chubtub
86f2cddb22 [#108] Validity Check for Base and Delta Certs (#126)
* Added methods and placeholders for checking the supply chain for base and delta credentials according to the new TCG spec

Checkstyle changes

Created a new SupplyChainValidation.ValidationType for delta credential attributes. The existing PLATFORM_CREDENTIAL
ValidationType will be used for both base and delta platform credentials from spec 1.1.

* Checkstyle error: trailing spaces
2019-05-02 07:15:43 -04:00
apldev4
0586afb9d8
[#41] Provisioners use PACCOR for device info collection. (#45)
The provisioners used to shell out using different tools
to collect device info. Now they both use PACCOR instead.
2018-11-07 14:54:48 -05:00
apldev3
ce380db48c [#38] ACA checks uploaded EK Certs if one is not provided during provisioning 2018-11-01 09:30:01 -04:00
apldev3
87be5a396b [#25] Make ACA exception handling more descriptive 2018-10-31 09:26:20 -04:00
apldev3
f192ce5826 [#23] Update HIRS Utils and ACA to handle certificate padding (#26) 2018-10-18 14:34:52 -04:00
Taruan Matthews
cc12a02c53 This change forces the supply chain validation service to verify that the Platform Credential has a status of PASS. If it does not, no matter the outcome of the Attributes validation, the status of the Attributes can not be PASS.
Added an additional null check for a platform supply validation.  Added a mapping object for platform credential to the associated attributes during validations.

Added an additional null check for a platform supply validation.  Added a mapping object for platform credential to the associated attributes during validations. Missed import statement.
2018-10-15 10:38:21 -04:00
apldev3
bdbc85ef4d [#3] Ensure ACA and TPM2 Provisioner handle versioning correctly 2018-09-17 12:28:05 -04:00
apldev3
12f770080a [#1] Add support for processing ECC certificates as part of the trust chain 2018-09-13 13:09:48 -04:00
apldev4
d7e44b8310 Initial release 2018-09-06 09:47:33 -04:00