-
Notifications
You must be signed in to change notification settings - Fork 58
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #584 from nsacyber/v3_provision-init-setup
Initial Setup for ACA provisioning
- Loading branch information
Showing
70 changed files
with
4,447 additions
and
1,133 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
138 changes: 138 additions & 0 deletions
138
...testationCA/src/main/java/hirs/attestationca/persist/AttestationCertificateAuthority.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,138 @@ | ||
| package hirs.attestationca.persist; | ||
|
|
||
| import hirs.attestationca.persist.entity.manager.CertificateRepository; | ||
| import hirs.attestationca.persist.entity.manager.ComponentResultRepository; | ||
| import hirs.attestationca.persist.entity.manager.DeviceRepository; | ||
| import hirs.attestationca.persist.entity.manager.IssuedCertificateRepository; | ||
| import hirs.attestationca.persist.entity.manager.PolicyRepository; | ||
| import hirs.attestationca.persist.entity.manager.ReferenceDigestValueRepository; | ||
| import hirs.attestationca.persist.entity.manager.ReferenceManifestRepository; | ||
| import hirs.attestationca.persist.entity.manager.TPM2ProvisionerStateRepository; | ||
| import hirs.attestationca.persist.provision.CertificateRequestHandler; | ||
| import hirs.attestationca.persist.provision.IdentityClaimHandler; | ||
| import hirs.attestationca.persist.provision.IdentityRequestHandler; | ||
| import hirs.attestationca.persist.service.SupplyChainValidationService; | ||
| import hirs.structs.converters.StructConverter; | ||
| import lombok.extern.log4j.Log4j2; | ||
|
|
||
| import java.security.PrivateKey; | ||
| import java.security.cert.X509Certificate; | ||
|
|
||
| /** | ||
| * Provides base implementation of common tasks of an ACA that are required for attestation of an | ||
| * Identity Request. | ||
| */ | ||
| @Log4j2 | ||
| public abstract class AttestationCertificateAuthority { | ||
|
|
||
| /** | ||
| * Container wired ACA private key. | ||
| */ | ||
| private final PrivateKey privateKey; | ||
|
|
||
| /** | ||
| * Container wired ACA certificate. | ||
| */ | ||
| private final X509Certificate acaCertificate; | ||
|
|
||
| /** | ||
| * Container wired {@link StructConverter} to be used in | ||
| * serialization / deserialization of TPM data structures. | ||
| */ | ||
| private final StructConverter structConverter; | ||
|
|
||
| /** | ||
| * A handle to the service used to validate the supply chain. | ||
| */ | ||
| private final SupplyChainValidationService supplyChainValidationService; | ||
|
|
||
| /** | ||
| * Container wired application configuration property identifying the number of days that | ||
| * certificates issued by this ACA are valid for. | ||
| */ | ||
| private Integer validDays = 1; | ||
|
|
||
| private final ComponentResultRepository componentResultRepository; | ||
| private final CertificateRepository certificateRepository; | ||
| private final IssuedCertificateRepository issuedCertificateRepository; | ||
| private final ReferenceManifestRepository referenceManifestRepository; | ||
| private final DeviceRepository deviceRepository; | ||
| // private final DBManager<TPM2ProvisionerState> tpm2ProvisionerStateDBManager; | ||
| private final ReferenceDigestValueRepository referenceDigestValueRepository; | ||
| private final PolicyRepository policyRepository; | ||
| private final TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository; | ||
|
|
||
| private CertificateRequestHandler certificateRequestHandler; | ||
| private IdentityClaimHandler identityClaimHandler; | ||
| private IdentityRequestHandler identityRequestHandler; | ||
|
|
||
| /** | ||
| * Constructor. | ||
| * @param supplyChainValidationService the supply chain service | ||
| * @param privateKey the ACA private key | ||
| * @param acaCertificate the ACA certificate | ||
| * @param structConverter the struct converter | ||
| * @param componentResultRepository the component result manager | ||
| * @param certificateRepository the certificate manager | ||
| * @param referenceManifestRepository the Reference Manifest manager | ||
| * @param validDays the number of days issued certs are valid | ||
| * @param deviceRepository the device manager | ||
| * @param referenceDigestValueRepository the reference event manager | ||
| * @param policyRepository | ||
| * @param tpm2ProvisionerStateRepository | ||
| */ | ||
| @SuppressWarnings("checkstyle:parameternumber") | ||
| public AttestationCertificateAuthority( | ||
| final SupplyChainValidationService supplyChainValidationService, | ||
| final PrivateKey privateKey, final X509Certificate acaCertificate, | ||
| final StructConverter structConverter, | ||
| final ComponentResultRepository componentResultRepository, | ||
| final CertificateRepository certificateRepository, | ||
| final IssuedCertificateRepository issuedCertificateRepository, | ||
| final ReferenceManifestRepository referenceManifestRepository, | ||
| final int validDays, | ||
| final DeviceRepository deviceRepository, | ||
| final ReferenceDigestValueRepository referenceDigestValueRepository, | ||
| final PolicyRepository policyRepository, | ||
| final TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository) { | ||
| this.supplyChainValidationService = supplyChainValidationService; | ||
| this.privateKey = privateKey; | ||
| this.acaCertificate = acaCertificate; | ||
| this.structConverter = structConverter; | ||
| this.componentResultRepository = componentResultRepository; | ||
| this.certificateRepository = certificateRepository; | ||
| this.issuedCertificateRepository = issuedCertificateRepository; | ||
| this.referenceManifestRepository = referenceManifestRepository; | ||
| this.validDays = validDays; | ||
| this.deviceRepository = deviceRepository; | ||
| this.referenceDigestValueRepository = referenceDigestValueRepository; | ||
| this.policyRepository = policyRepository; | ||
| this.tpm2ProvisionerStateRepository = tpm2ProvisionerStateRepository; | ||
|
|
||
| this.certificateRequestHandler = new CertificateRequestHandler(supplyChainValidationService, | ||
| certificateRepository, deviceRepository, | ||
| privateKey, acaCertificate, validDays, tpm2ProvisionerStateRepository); | ||
| this.identityClaimHandler = new IdentityClaimHandler(supplyChainValidationService, | ||
| certificateRepository, referenceManifestRepository, | ||
| referenceDigestValueRepository, | ||
| deviceRepository, tpm2ProvisionerStateRepository, policyRepository); | ||
| this.identityRequestHandler = new IdentityRequestHandler(structConverter, certificateRepository, | ||
| deviceRepository, supplyChainValidationService, privateKey, validDays, acaCertificate); | ||
| } | ||
|
|
||
| byte[] processIdentityRequest(final byte[] identityRequest) { | ||
| return this.identityRequestHandler.processIdentityRequest(identityRequest); | ||
| } | ||
|
|
||
| byte[] processIdentityClaimTpm2(final byte[] identityClaim) { | ||
| return this.identityClaimHandler.processIdentityClaimTpm2(identityClaim); | ||
| } | ||
|
|
||
| byte[] processCertificateRequest(final byte[] certificateRequest) { | ||
| return this.certificateRequestHandler.processCertificateRequest(certificateRequest); | ||
| } | ||
|
|
||
| public byte[] getPublicKey() { | ||
| return acaCertificate.getPublicKey().getEncoded(); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
146 changes: 146 additions & 0 deletions
146
...onCA/src/main/java/hirs/attestationca/persist/RestfulAttestationCertificateAuthority.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,146 @@ | ||
| package hirs.attestationca.persist; | ||
|
|
||
| import hirs.attestationca.persist.entity.manager.CertificateRepository; | ||
| import hirs.attestationca.persist.entity.manager.ComponentResultRepository; | ||
| import hirs.attestationca.persist.entity.manager.DeviceRepository; | ||
| import hirs.attestationca.persist.entity.manager.IssuedCertificateRepository; | ||
| import hirs.attestationca.persist.entity.manager.PolicyRepository; | ||
| import hirs.attestationca.persist.entity.manager.ReferenceDigestValueRepository; | ||
| import hirs.attestationca.persist.entity.manager.ReferenceManifestRepository; | ||
| import hirs.attestationca.persist.entity.manager.TPM2ProvisionerStateRepository; | ||
| import hirs.attestationca.persist.service.SupplyChainValidationService; | ||
| import hirs.structs.converters.StructConverter; | ||
| import lombok.extern.log4j.Log4j2; | ||
| import org.springframework.beans.factory.annotation.Autowired; | ||
| import org.springframework.beans.factory.annotation.Value; | ||
| import org.springframework.context.annotation.PropertySource; | ||
| import org.springframework.http.MediaType; | ||
| import org.springframework.web.bind.annotation.RequestBody; | ||
| import org.springframework.web.bind.annotation.RequestMapping; | ||
| import org.springframework.web.bind.annotation.RequestMethod; | ||
| import org.springframework.web.bind.annotation.ResponseBody; | ||
| import org.springframework.web.bind.annotation.RestController; | ||
|
|
||
| import java.security.PrivateKey; | ||
| import java.security.cert.X509Certificate; | ||
|
|
||
| /** | ||
| * Restful implementation of the {@link AttestationCertificateAuthority}. | ||
| * Exposes the ACA methods as REST endpoints. | ||
| */ | ||
| @PropertySource(value = "file:/etc/hirs/aca/application.properties", | ||
| ignoreResourceNotFound = true) | ||
| @RestController | ||
| @RequestMapping("/HIRS_AttestationCA") | ||
| public class RestfulAttestationCertificateAuthority extends AttestationCertificateAuthority implements RestfulInterface { | ||
|
|
||
| /** | ||
| * Constructor. | ||
| * | ||
| * @param supplyChainValidationService scp service | ||
| * @param privateKey the ACA private key | ||
| * @param acaCertificate the ACA certificate | ||
| * @param componentResultRepository the component result repository | ||
| * @param certificateRepository the certificate manager | ||
| * @param referenceManifestRepository the referenceManifestManager | ||
| * @param validDays the number of days issued certs are valid | ||
| * @param deviceRepository the device manager | ||
| * @param referenceDigestValueRepository the reference event repository | ||
| * @param policyRepository the provisioning policy entity | ||
| * @param tpm2ProvisionerStateRepository the provisioner state | ||
| */ | ||
| @SuppressWarnings({"checkstyle:parameternumber"}) | ||
| @Autowired | ||
| public RestfulAttestationCertificateAuthority( | ||
| final SupplyChainValidationService supplyChainValidationService, | ||
| final PrivateKey privateKey, final X509Certificate acaCertificate, | ||
| final StructConverter structConverter, | ||
| final ComponentResultRepository componentResultRepository, | ||
| final CertificateRepository certificateRepository, | ||
| final IssuedCertificateRepository issuedCertificateRepository, | ||
| final ReferenceManifestRepository referenceManifestRepository, | ||
| final DeviceRepository deviceRepository, | ||
| final ReferenceDigestValueRepository referenceDigestValueRepository, | ||
| @Value("${aca.certificates.validity}") final int validDays, | ||
| final PolicyRepository policyRepository, | ||
| final TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository) { | ||
| super(supplyChainValidationService, privateKey, acaCertificate, structConverter, | ||
| componentResultRepository, certificateRepository, issuedCertificateRepository, | ||
| referenceManifestRepository, | ||
| validDays, deviceRepository, | ||
| referenceDigestValueRepository, policyRepository, tpm2ProvisionerStateRepository); | ||
| } | ||
|
|
||
| /** | ||
| * Processes a given IdentityRequestEnvelope and | ||
| * generates a IdentityResponseEnvelope. In most cases, | ||
| * a client will generate the request using the TPM "Collate Identity" process. | ||
| * | ||
| * Wrap the {@link AttestationCertificateAuthority#processIdentityRequest(byte[])} | ||
| * with a Spring {@link org.springframework.web.bind.annotation.RequestMapping}. Effectively, this method then will allow spring to | ||
| * serialize and deserialize the request and responses on method invocation and | ||
| * return, respectively. | ||
| * | ||
| * @param identityRequest generated during the collate identity process with a Tpm | ||
| * @return response for the request | ||
| */ | ||
| @Override | ||
| @ResponseBody | ||
| @RequestMapping(value = "/identity-request/process", | ||
| method = RequestMethod.POST, | ||
| consumes = MediaType.APPLICATION_OCTET_STREAM_VALUE) | ||
| public byte[] processIdentityRequest(@RequestBody final byte[] identityRequest) { | ||
| return super.processIdentityRequest(identityRequest); | ||
| } | ||
|
|
||
| /** | ||
| * Listener for identity requests from TPM 2.0 provisioning. | ||
| * | ||
| * Processes a given IdentityClaim and generates a response | ||
| * containing an encrypted nonce to be returned by the client in | ||
| * a future handshake request. | ||
| * | ||
| * @param identityClaim The request object from the provisioner. | ||
| * @return The response to the provisioner. | ||
| */ | ||
| @Override | ||
| @ResponseBody | ||
| @RequestMapping(value = "/identity-claim-tpm2/process", | ||
| method = RequestMethod.POST, | ||
| consumes = MediaType.APPLICATION_OCTET_STREAM_VALUE) | ||
| public byte[] processIdentityClaimTpm2(@RequestBody final byte[] identityClaim) { | ||
| return super.processIdentityClaimTpm2(identityClaim); | ||
| } | ||
|
|
||
| /** | ||
| * Processes a given CertificateRequest | ||
| * and generates a response containing the signed, public certificate for | ||
| * the client's desired attestation key, if the correct nonce is supplied. | ||
| * | ||
| * @param certificateRequest request containing nonce from earlier identity | ||
| * * claim handshake | ||
| * @return The response to the client provisioner. | ||
| */ | ||
| @Override | ||
| @ResponseBody | ||
| @RequestMapping(value = "/request-certificate-tpm2", | ||
| method = RequestMethod.POST, | ||
| consumes = MediaType.APPLICATION_OCTET_STREAM_VALUE) | ||
| public byte[] processCertificateRequest(@RequestBody final byte[] certificateRequest) { | ||
| return super.processCertificateRequest(certificateRequest); | ||
| } | ||
|
|
||
| /** | ||
| * (non-javadoc) | ||
| * <p> | ||
| * Wrap the {@link AttestationCertificateAuthority#getPublicKey()} with a Spring | ||
| * {@link org.springframework.web.bind.annotation.RequestMapping} such that Spring can serialize the certificate to be returned to an | ||
| * HTTP Request. | ||
| */ | ||
| @Override | ||
| @ResponseBody | ||
| @RequestMapping(value = "/public-key", method = RequestMethod.GET) | ||
| public byte[] getPublicKey() { | ||
| return super.getPublicKey(); | ||
| } | ||
| } |
14 changes: 14 additions & 0 deletions
14
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/RestfulInterface.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| package hirs.attestationca.persist; | ||
|
|
||
| /** | ||
| * Defines the responsibilities of the Attestation Certificate Authority. | ||
| */ | ||
| public interface RestfulInterface { | ||
|
|
||
| byte[] processIdentityRequest(byte[] identityRequest); | ||
|
|
||
| byte[] processIdentityClaimTpm2(byte[] identityClaim); | ||
|
|
||
| byte[] processCertificateRequest(byte[] certificateRequest); | ||
|
|
||
| } |
21 changes: 0 additions & 21 deletions
21
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/StorageProperties.java
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.