From aebba78b4f2ec0fdb624c24f3a2d116920d6b9e9 Mon Sep 17 00:00:00 2001
From: TheSilentCoder <184309164+ThatSilentCoder@users.noreply.github.com>
Date: Thu, 30 Jan 2025 17:55:20 -0500
Subject: [PATCH] issue_896: first cut (again) at trying to introduce the new component registries.

---
 ...estfulAttestationCertificateAuthority.java | 2 +-
 .../attributes/ComponentClass.java | 4 ++
 .../CertificateAttributeScvValidator.java | 23 ++++------
 .../validation/CredentialValidator.java | 2 +-
 .../SupplyChainCredentialValidatorTest.java | 42 ++++++++-----------
 5 files changed, 33 insertions(+), 40 deletions(-)

diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/RestfulAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/RestfulAttestationCertificateAuthority.java
index db00267de..1cc403028 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/RestfulAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/RestfulAttestationCertificateAuthority.java
@@ -108,7 +108,7 @@ public byte[] processIdentityClaimTpm2(@RequestBody final byte[] identityClaim)
 * the client's desired attestation key, if the correct nonce is supplied.
 *
 * @param certificateRequest request containing nonce from earlier identity
- * * claim handshake
+ * claim handshake
 * @return The response to the client provisioner.
 */
 @Override
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentClass.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentClass.java
index ab4683d1a..dabba9028 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentClass.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentClass.java
@@ -33,6 +33,10 @@
 private static final String SMBIOS_COMPONENT_REGISTRY = "2.23.133.18.3.3";
 
+ private static final String PCIE_BASED_COMPONENT_REGISTRY = "2.23.133.18.3.4";
+
+ private static final String STORAGE_COMPONENT_REGISTRY = "2.23.133.18.3.5";
+
 private static final Path WINDOWS_JSON_PATH = FileSystems.getDefault().getPath(
 "C:/", "ProgramData", "hirs", "aca", "default-properties", "component-class.json");
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java
index af9464ca2..ea92d62a4 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java
@@ -89,16 +89,14 @@ public static AppraisalStatus validatePlatformCredentialAttributesV1p2(
 log.error("Failed to retrieve device chassis serial number");
 } else {
 deviceInfoSerialNumbers.put("chassis serial number", deviceChassisSerialNumber);
- log.info("Using device chassis serial number for validation: "
- + deviceChassisSerialNumber);
+ log.info("Using device chassis serial number for validation: {}", deviceChassisSerialNumber);
 }
 if (StringUtils.isEmpty(deviceSystemSerialNumber)
 || DeviceInfoEnums.NOT_SPECIFIED.equalsIgnoreCase(deviceSystemSerialNumber)) {
 log.error("Failed to retrieve device system serial number");
 } else {
 deviceInfoSerialNumbers.put("system serial number", deviceSystemSerialNumber);
- log.info("Using device system serial number for validation: "
- + deviceSystemSerialNumber);
+ log.info("Using device system serial number for validation: {}", deviceSystemSerialNumber);
 }
 
 AppraisalStatus status;
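Review bot: The two new constants `PCIE_BASED_COMPONENT_REGISTRY` and `STORAGE_COMPONENT_REGISTRY` are declared but nothing in this hunk reads them, and the code that maps a component identifier's registry OID to a registry is not part of the change, so identifiers carrying these OIDs presumably still take whatever default path exists today. Each constant deserves a one-line Javadoc naming the registry it identifies, e.g. `/** OID of the PCIe-based component class registry. */`, because a wrong registry OID here does not fail loudly — it surfaces later as an unmatched component. The values continue the visible `2.23.133.18.3.x` sequence but should be confirmed against the registry definition before the OID dispatch is extended to use them.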
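Review bot: The rewritten `log.info("Using device chassis serial number for validation: {}", deviceChassisSerialNumber);` and its system-serial twin now sit on one line each and, at their indentation, run past 100 columns; the original wrapping suggests the file is held to a line-length rule, so keep the argument on its own line: `log.info("Using device chassis serial number for validation: {}",` / `deviceChassisSerialNumber);`. The same applies to the single-line `log.error` calls in the hunks at -608 and -797 below. validatePlatformCredentialAttributesV1p2 starts and ends outside this hunk.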
@@ -455,7 +453,7 @@ && isMatch(cId, cInfo)) {
 if (ci.isVersion2() && PciIds.DB.isReady()) {
 ci = AcaPciIds.translate((ComponentIdentifierV2) ci);
 }
- log.error("Unmatched component: " + ci);
+ log.error("Unmatched component: {}", ci);
 fullDeltaChainComponents.add(ci);
 invalidPcIds.append(String.format(
 "Manufacturer=%s, Model=%s, Serial=%s, Revision=%s;%n",
@@ -608,8 +606,7 @@ private static String validateV2p0PlatformCredentialComponentsExpectingExactMatc
 if (!pcUnmatchedComponents.isEmpty()) {
 untrimmedPcComponents.clear();
 StringBuilder sb = new StringBuilder();
- log.error(String.format("Platform Credential contained %d unmatched components:",
- pcUnmatchedComponents.size()));
+ log.error("Platform Credential contained {} unmatched components:", pcUnmatchedComponents.size());
 
 int unmatchedComponentCounter = 1;
 for (ComponentIdentifier unmatchedComponent : pcUnmatchedComponents) {
@@ -617,8 +614,7 @@ private static String validateV2p0PlatformCredentialComponentsExpectingExactMatc
 unmatchedComponent = AcaPciIds.translate((ComponentIdentifierV2) unmatchedComponent);
 }
- log.error("Unmatched component " + unmatchedComponentCounter++ + ": "
- + unmatchedComponent);
+ log.error("Unmatched component {}: {}", unmatchedComponentCounter++, unmatchedComponent);
 sb.append(String.format("Manufacturer=%s, Model=%s, Serial=%s, Revision=%s;%n",
 unmatchedComponent.getComponentManufacturer(),
 unmatchedComponent.getComponentModel(),
@@ -797,8 +793,7 @@ private static boolean optionalPlatformCredentialFieldNullOrMatches(
 private static boolean hasEmptyValueForRequiredField(final String description,
 final String fieldValue) {
 if (StringUtils.isEmpty(fieldValue)) {
- log.error("Required field was empty or null in Platform Credential: "
- + description);
+ log.error("Required field was empty or null in Platform Credential: {}", description);
 return true;
 }
 return false;
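Review bot: In the hunk at -617 the loop counter is still advanced inside the logging call, `unmatchedComponentCounter++` passed as a log argument; Java evaluates it unconditionally today, but a later `isErrorEnabled()` guard or removal of the log line would silently stop the counter, and a side effect buried in a log argument is easy to miss. Give the increment its own statement: `log.error("Unmatched component {}: {}", unmatchedComponentCounter, unmatchedComponent);` / `unmatchedComponentCounter++;`. The enclosing for loop and validateV2p0PlatformCredentialComponentsExpectingExactMatch continue outside the hunk.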
@@ -871,7 +866,7 @@ private static List checkDeviceHashMap(
 final List componentInfos,
 final List compiledComponentList) {
 Map> deviceHashMap = new HashMap<>();
- componentInfos.stream().forEach((componentInfo) -> {
+ componentInfos.forEach((componentInfo) -> {
 List innerList;
 Integer compInfoHash = componentInfo.hashCommonElements();
 if (deviceHashMap.containsKey(compInfoHash)) {
@@ -910,7 +905,7 @@ private static List checkComponentClassMap(
 // continue down the options, move to a different method.
 // create component class mapping to component info
 Map> componentDeviceMap = new HashMap<>();
- componentInfos.stream().forEach((componentInfo) -> {
+ componentInfos.forEach((componentInfo) -> {
 List innerList;
 String componentClass = componentInfo.getComponentClass();
 if (componentDeviceMap.containsKey(componentClass)) {
@@ -1002,7 +997,7 @@ private static List findMismatchedValues(
 final ComponentResult componentResult) {
 // this list only has those of the same class type
 Map componentSerialMap = new HashMap<>();
- componentClassInfo.stream().forEach((componentInfo) -> {
+ componentClassInfo.forEach((componentInfo) -> {
 componentSerialMap.put(componentInfo.getComponentSerial(), componentInfo);
 });
 // see if the serial exists
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CredentialValidator.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CredentialValidator.java
index 722f9b486..64f35ca4f 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CredentialValidator.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CredentialValidator.java
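Review bot: The lambda kept under the new `componentInfos.forEach(...)` in the hunk at -871 still builds the map with a `containsKey` test followed, as far as the visible `List innerList;` and `if (deviceHashMap.containsKey(compInfoHash))` suggest, by a get-or-create of the inner list; the remainder of that branch is outside the hunk. If it only appends to an existing or fresh list, `deviceHashMap.computeIfAbsent(compInfoHash, k -> new ArrayList<>()).add(componentInfo);` says the same thing in one line and drops the `innerList` local. The hunk at -910 has the same shape with `componentDeviceMap` keyed by `componentClass`. checkDeviceHashMap and checkComponentClassMap both continue outside their hunks.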
@@ -35,7 +35,7 @@ public class CredentialValidator extends SupplyChainCredentialValidator {
 *
 * @param ec the endorsement credential to verify.
 * @param trustStore trust store holding trusted certificates.
- * @param acceptExpired whether or not to accept expired and not yet valid certificates
+ * @param acceptExpired whether to accept expired and not yet valid certificates
 * as valid.
 * @return the result of the validation.
 */
diff --git a/HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/validation/SupplyChainCredentialValidatorTest.java b/HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/validation/SupplyChainCredentialValidatorTest.java
index 7384e4b5f..278d2a8e2 100644
--- a/HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/validation/SupplyChainCredentialValidatorTest.java
+++ b/HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/validation/SupplyChainCredentialValidatorTest.java
@@ -415,14 +415,13 @@ private static InetAddress getTestIpAddress() {
 * Checks if the ST Micro Endorsement Credential can be validated against the ST/GlobalSIgn Certificate Chain.
 *
- * @throws IOException if error occurs while reading files
- * @throws URISyntaxException if error occurs while reading files
- * @throws CertificateException if error occurs while processing X509 Certs
- * @throws KeyStoreException if error occurs while processing Keystore
+ * @throws IOException if error occurs while reading files
+ * @throws URISyntaxException if error occurs while reading files
+ * @throws KeyStoreException if error occurs while processing Keystore
 */
 @Test
 public final void testValidateEndorsementCredential()
- throws URISyntaxException, IOException, CertificateException, KeyStoreException {
+ throws URISyntaxException, IOException, KeyStoreException {
 EndorsementCredential ekcert = new EndorsementCredential(Files.readAllBytes(
 Paths.get(Objects.requireNonNull(getClass().getResource(TEST_EK_CERT)).toURI()))
@@ -455,14 +454,13 @@ public final void testValidateEndorsementCredential()
 * Validates a generated cert chain pretending to be from Intel. Credential was generated with an intermediate CA. This tests the entire chain of validation back to the root CA.
 *
- * @throws IOException if error occurs while reading files
- * @throws KeyStoreException if there's an issue string certs to the keystore
- * @throws CertificateException if error occurs while ingesting a certificate
- * @throws URISyntaxException if a URI can't be processed
+ * @throws IOException if error occurs while reading files
+ * @throws KeyStoreException if there's an issue string certs to the keystore
+ * @throws URISyntaxException if a URI can't be processed
 */
 @Test
 public final void validateIntelPlatformCredentials()
- throws URISyntaxException, IOException, CertificateException, KeyStoreException {
+ throws URISyntaxException, IOException, KeyStoreException {
 Certificate intermediatecacert =
 new CertificateAuthorityCredential(Files.readAllBytes(Paths.get(
@@ -855,7 +853,7 @@ public final void verifyX509AttributeCertificateAgainstIntermediate()
 KeyPair caKeyPair = createKeyPair();
 KeyPair intermediateKeyPair = createKeyPair();
 KeyPair targetKeyPair = createKeyPair();
- Set trustedCerts = new HashSet();
+ Set trustedCerts = new HashSet<>();
 X509Certificate caCert = createSelfSignedCertificate(caKeyPair);
 X509Certificate intermediateCert =
@@ -899,7 +897,7 @@ public final void verifyX509AttributeCertificateFailsIfSigningCertNotInList()
 KeyPair caKeyPair = createKeyPair();
 KeyPair intermediateKeyPair = createKeyPair();
 KeyPair targetKeyPair = createKeyPair();
- Set trustedCerts = new HashSet();
+ Set trustedCerts = new HashSet<>();
 X509Certificate caCert = createSelfSignedCertificate(caKeyPair);
 X509Certificate intermediateCert =
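Review bot: The rewritten `@throws KeyStoreException if there's an issue string certs to the keystore` line in the hunk at -455 carries over the typo from the line it replaces; since the commit already rewrites this Javadoc, it should read `@throws KeyStoreException if there's an issue storing certs to the keystore`. The body of validateIntelPlatformCredentials continues outside the hunk.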
@@ -938,7 +936,7 @@ public final void verifyX509AttributeCertificateAgainstCA()
 throws SupplyChainValidatorException {
 KeyPair caKeyPair = createKeyPair();
 KeyPair targetKeyPair = createKeyPair();
- Set trustedCerts = new HashSet();
+ Set trustedCerts = new HashSet<>();
 X509Certificate caCert = createSelfSignedCertificate(caKeyPair);
 X509Certificate targetCert =
@@ -977,7 +975,7 @@ public final void verifyX509CertificateAgainstIntermediate()
 KeyPair caKeyPair = createKeyPair();
 KeyPair intermediateKeyPair = createKeyPair();
 KeyPair targetKeyPair = createKeyPair();
- Set trustedCerts = new HashSet();
+ Set trustedCerts = new HashSet<>();
 X509Certificate caCert = createSelfSignedCertificate(caKeyPair);
 X509Certificate intermediateCert =
@@ -1017,7 +1015,7 @@ public final void verifyX509CertificateFailsIfSigningCertNotInList()
 KeyPair caKeyPair = createKeyPair();
 KeyPair intermediateKeyPair = createKeyPair();
 KeyPair targetKeyPair = createKeyPair();
- Set trustedCerts = new HashSet();
+ Set trustedCerts = new HashSet<>();
 X509Certificate caCert = createSelfSignedCertificate(caKeyPair);
 X509Certificate intermediateCert =
@@ -1051,7 +1049,7 @@ public final void verifyX509CertificateFailsIfSigningCertNotInList()
 public final void verifyX509CertificateAgainstCA() throws SupplyChainValidatorException {
 KeyPair caKeyPair = createKeyPair();
 KeyPair targetKeyPair = createKeyPair();
- Set trustedCerts = new HashSet();
+ Set trustedCerts = new HashSet<>();
 X509Certificate caCert = createSelfSignedCertificate(caKeyPair);
 X509Certificate targetCert =
@@ -1175,13 +1173,12 @@ public final void verifyPlatformCredentialNullDeviceInfoReport()
 *
 * @throws URISyntaxException failed to read certificate
 * @throws IOException failed to read certificate
- * @throws KeyStoreException failed to read key store
 * @throws SupplyChainValidatorException missing credential
 */
 @Test
 public final void testPlatformDnEquals() throws URISyntaxException, IOException,
- KeyStoreException, SupplyChainValidatorException {
+ SupplyChainValidatorException {
 Certificate signingCert;
 signingCert = new CertificateAuthorityCredential(Files.readAllBytes(Paths.get(
 Objects.requireNonNull(getClass().getResource(INTEL_SIGNING_KEY)).toURI()))
@@ -1207,12 +1204,11 @@ public final void testPlatformDnEquals() throws URISyntaxException, IOException,
 *
 * @throws URISyntaxException failed to read certificate
 * @throws IOException failed to read certificate
- * @throws KeyStoreException failed to read key store
 * @throws SupplyChainValidatorException missing credential
 */
 @Test
 public final void testPlatformDnNotEquals() throws URISyntaxException, IOException,
- KeyStoreException, SupplyChainValidatorException {
+ SupplyChainValidatorException {
 Certificate signingCert;
 signingCert = new CertificateAuthorityCredential(Files.readAllBytes(Paths.get(
 Objects.requireNonNull(getClass().getResource(INTEL_INT_CA)).toURI()))
@@ -1237,12 +1233,11 @@ public final void testPlatformDnNotEquals() throws URISyntaxException, IOExcepti
 *
 * @throws URISyntaxException failed to read certificate
 * @throws IOException failed to read certificate
- * @throws KeyStoreException failed to read key store
 * @throws SupplyChainValidatorException missing credential
 */
 @Test
 public final void testEndorsementDnEquals() throws URISyntaxException, IOException,
- KeyStoreException, SupplyChainValidatorException {
+ SupplyChainValidatorException {
 Certificate signingCert;
 signingCert = new CertificateAuthorityCredential(Files.readAllBytes(Paths.get(
 Objects.requireNonNull(getClass().getResource(INT_CA_CERT02)).toURI()))
@@ -1268,12 +1263,11 @@ public final void testEndorsementDnEquals() throws URISyntaxException, IOExcepti
 *
 * @throws URISyntaxException failed to read certificate
 * @throws IOException failed to read certificate
- * @throws KeyStoreException failed to read key store
 * @throws SupplyChainValidatorException missing credential
 */
 @Test
 public final void testEndorsementDnNotEquals() throws URISyntaxException, IOException,
- KeyStoreException, SupplyChainValidatorException {
+ SupplyChainValidatorException {
 Certificate signingCert;
 signingCert = new CertificateAuthorityCredential(Files.readAllBytes(Paths.get(
 Objects.requireNonNull(getClass().getResource(INTEL_INT_CA)).toURI()))