use of com.intel.mtwilson.as.business.AssetTagCertBO in project OpenAttestation by OpenAttestation.
the class HostTrustBO method getTrustWithSaml.
/**
 * Evaluates the host's trust and wraps the result in a SAML assertion, which is also persisted.
 *
 * <p>The assertion records BIOS and VMM trust as reported by {@link #getHostWithTrust}. If a valid asset tag
 * certificate is mapped to the host (per {@link AssetTagCertBO#findValidAssetTagCertForHost}) it is handed to
 * the SAML generator as well; otherwise {@code null} is passed in its place.
 *
 * <p>NOTE(review): the tag certificate is attached whenever one is mapped to the host, independent of whether
 * the host's asset tag was verified as trusted ({@code host.isAssetTagTrusted()}) — confirm that
 * {@code generateHostAssertion} reports the asset tag trust status on its own.
 *
 * @param tblHosts host record to attest
 * @param hostId host identifier, passed through to {@link #getHostWithTrust}
 * @param hostAttestationUuid caller-supplied uuid stored as the assertion uuid
 * @return the SAML assertion text
 * @throws WebApplicationException with {@code 404} when the host is not found
 * @throws ASException for other attestation failures; unexpected exceptions are wrapped as {@code AS_HOST_TRUST_ERROR}
 */
public String getTrustWithSaml(TblHosts tblHosts, String hostId, String hostAttestationUuid) {
    try {
        TblSamlAssertion assertionRecord = new TblSamlAssertion();
        TxtHost attestedHost = getHostWithTrust(tblHosts, hostId, assertionRecord);
        assertionRecord.setAssertionUuid(hostAttestationUuid);
        assertionRecord.setBiosTrust(attestedHost.isBiosTrusted());
        assertionRecord.setVmmTrust(attestedHost.isVmmTrusted());

        // Tag data goes into the assertion only when the host is provisioned with a tag, i.e. a valid
        // certificate is mapped to it in the asset tag certificate table.
        AssetTagCertBO tagCertBo = new AssetTagCertBO();
        MwAssetTagCertificate mappedTagCert = tagCertBo.findValidAssetTagCertForHost(assertionRecord.getHostId().getId());
        X509AttributeCertificate tagCertificate = null;
        if (mappedTagCert == null) {
            log.debug("Host has not been provisioned in the system with a TAG.");
        } else {
            log.debug("Host has been provisioned in the system with a TAG.");
            tagCertificate = X509AttributeCertificate.valueOf(mappedTagCert.getCertificate());
        }

        SamlAssertion assertion = getSamlGenerator().generateHostAssertion(attestedHost, tagCertificate, null);
        log.debug("Expiry {}", assertion.expiry_ts.toString());
        assertionRecord.setSaml(assertion.assertion);
        assertionRecord.setExpiryTs(assertion.expiry_ts);
        assertionRecord.setCreatedTs(assertion.created_ts);
        getSamlAssertionJpaController().create(assertionRecord);
        return assertion.assertion;
    } catch (ASException e) {
        // Narrow "host not found" into a 404 for REST callers; every other ASException keeps its own code.
        if (e.getErrorCode().equals(ErrorCode.AS_HOST_NOT_FOUND)) {
            throw new WebApplicationException(Status.NOT_FOUND);
        }
        throw e;
    } catch (Exception ex) {
        // Anything unexpected is logged with its stack trace and surfaced as a generic trust error carrying
        // only the exception's simple class name.
        log.error("Error during retrieval of host trust status.", ex);
        throw new ASException(ErrorCode.AS_HOST_TRUST_ERROR, ex.getClass().getSimpleName());
    }
}
use of com.intel.mtwilson.as.business.AssetTagCertBO in project OpenAttestation by OpenAttestation.
the class AssetTagCert method revokeAssetTagCertificate.
/**
 * Revokes an asset tag certificate on behalf of the tag provisioning service.
 *
 * <p>The request body is handed to {@link AssetTagCertBO#revokeAssetTagCertificate} unchanged, with a
 * {@code null} second argument; what that argument means is decided in the BO, not here.
 *
 * <p>NOTE(review): the {@code @RolesAllowed} / {@code @RequiresPermissions} annotations below are commented
 * out, so no access control is declared on this endpoint in this class — confirm it is enforced elsewhere
 * (e.g. by a filter in front of the resource).
 *
 * @param atagObj revocation request deserialized from the JSON body
 * @return {@code "true"} or {@code "false"}, the BO result rendered as text
 */
//@RolesAllowed({"AssetTagManagement"})
// @RequiresPermissions({"tag_certificates:store"})
@PUT
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.TEXT_PLAIN)
public String revokeAssetTagCertificate(AssetTagCertRevokeRequest atagObj) {
    AssetTagCertBO certBo = new AssetTagCertBO();
    return String.valueOf(certBo.revokeAssetTagCertificate(atagObj, null));
}
use of com.intel.mtwilson.as.business.AssetTagCertBO in project OpenAttestation by OpenAttestation.
the class AssetTagCert method importAssetTagCertificate.
/**
 * Imports an asset tag certificate that the tag provisioning service generated for a host.
 *
 * <p>The request body is handed to {@link AssetTagCertBO#importAssetTagCertificate} unchanged, with a
 * {@code null} second argument. Per the original design note, the certificate is stored first without being
 * mapped to a host and is mapped once the host is registered; the mapping itself happens in the BO, not here.
 *
 * <p>NOTE(review): the {@code @RolesAllowed} / {@code @RequiresPermissions} annotations below are commented
 * out, so no access control is declared on this endpoint in this class — confirm it is enforced elsewhere.
 *
 * @param atagObj creation request deserialized from the JSON body
 * @return {@code "true"} or {@code "false"}, the BO result rendered as text
 */
//@RolesAllowed({"AssetTagManagement"})
// @RequiresPermissions({"tag_certificates:create","hosts:search"})
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.TEXT_PLAIN)
public String importAssetTagCertificate(AssetTagCertCreateRequest atagObj) {
    AssetTagCertBO certBo = new AssetTagCertBO();
    boolean imported = certBo.importAssetTagCertificate(atagObj, null);
    return String.valueOf(imported);
}
use of com.intel.mtwilson.as.business.AssetTagCertBO in project OpenAttestation by OpenAttestation.
the class ProvisionTagCertificate method createOne.
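/**
 * Returns the tag certificate for the given subject, generating a new one when no cached certificate applies.
 *
 * <p>Flow, in order:
 * <ol>
 * <li>A subject that is not a UUID is resolved to a hardware UUID via {@link #findSubjectHardwareUuid};
 *     an unresolvable subject is rejected.</li>
 * <li>{@code selections} is required; the cache mode defaults to {@code "on"} unless the request's
 *     cache options say otherwise.</li>
 * <li>The CA picks the selection that currently applies to the subject.</li>
 * <li>Cache mode {@code "off"} with an applicable selection: a new certificate is created and stored at once.</li>
 * <li>Otherwise the newest non-revoked, currently valid stored certificate whose attributes match the
 *     selection is mapped to the host and returned.</li>
 * <li>With no cached certificate, a new one is created from the selection, which must then exist.</li>
 * </ol>
 *
 * <p>NOTE(review): the cache mode is taken from the caller's request, so a client can force a fresh
 * certificate on every call; and "most recent" is decided by comparing certificate serial numbers, which
 * assumes the CA issues them monotonically — confirm both against the CA configuration. The async /
 * external-CA path is commented out below, so {@code request} and {@code response} are currently unused.
 *
 * @param subject hardware UUID, or an ip address / hostname registered in mtwilson
 * @param selections selections to choose from; must not be null
 * @param request incoming request (unused while the async path is disabled)
 * @param response outgoing response (unused while the async path is disabled)
 * @return the stored certificate record that was found or generated
 * @throws IllegalArgumentException if the subject cannot be resolved, {@code selections} is null, or no
 *         cached certificate exists and no selection applies
 * @throws IOException propagated from the CA and repository calls
 * @throws ApiException propagated from the CA and repository calls
 * @throws SignatureException propagated from certificate creation
 * @throws SQLException propagated from the repository calls
 */
public Certificate createOne(String subject, SelectionsType selections, HttpServletRequest request, HttpServletResponse response) throws IOException, ApiException, SignatureException, SQLException, IllegalArgumentException {
    TagConfiguration configuration = new TagConfiguration(ASConfig.getConfiguration());
    TagCertificateAuthority ca = new TagCertificateAuthority(configuration);
    // if the subject is an ip address or hostname, resolve it to a hardware uuid with mtwilson - if the host isn't registered in mtwilson we can't get the hardware uuid so we have to reject the request
    if (!UUID.isValid(subject)) {
        String subjectUuid = findSubjectHardwareUuid(subject);
        if (subjectUuid == null) {
            log.error("Cannot find hardware uuid for subject: {}", subject);
            throw new IllegalArgumentException("Invalid subject specified in the call");
        }
        subject = subjectUuid;
    }
    if (selections == null) {
        log.error("Selection input is null");
        throw new IllegalArgumentException("Invalid selections specified.");
    }
    // if external ca is configured then we only save the request to the database and indicate async processing in our response
    // if( configuration.isTagProvisionExternal() || isAsync(request) ) {
    // // requires async processing - we store the request, and an external ca will poll for requests, generate certs, and post the certs back to us; the client can periodically check the status and then download the cert when it's available
    // storeAsyncRequest(subject, selections, response);
    // return null;
    // }
    // if always-generate/no-cache (cache mode off) is enabled then generate it right now and return it - no need to check database for existing certs etc.
    String cacheMode = "on";
    if (selections.getOptions() != null && selections.getOptions().getCache() != null && selections.getOptions().getCache().getMode() != null) {
        cacheMode = selections.getOptions().getCache().getMode().value();
    }
    // first figure out which selection will be used for the given subject - also filters selections to ones that are currently valid or not marked with validity period
    // throws exception if there is no matching selection and no matching default selection
    SelectionType targetSelection = ca.findCurrentSelectionForSubject(UUID.valueOf(subject), selections);
    log.debug("Cache mode {}", cacheMode);
    if ("off".equals(cacheMode) && targetSelection != null) {
        byte[] certificateBytes = ca.createTagCertificate(UUID.valueOf(subject), targetSelection);
        Certificate certificate = storeTagCertificate(subject, certificateBytes);
        return certificate;
    }
    // if there is an existing currently valid certificate we return it
    CertificateFilterCriteria criteria = new CertificateFilterCriteria();
    criteria.subjectEqualTo = subject;
    criteria.revoked = false;
    criteria.validOn = new Iso8601Date(new Date());
    CertificateCollection results = certificateRepository.search(criteria);
    Date today = new Date();
    Certificate latestCert = null;
    BigInteger latestCreateTime = BigInteger.ZERO;
    // pick the most recently created cert that is currently valid and has the same attributes specified in the selection. we evaluate the notBefore and notAfter fields of the certificate itself even though we already narrowed the search to currently valid certs using the search criteria.
    if (!results.getCertificates().isEmpty()) {
        for (Certificate certificate : results.getCertificates()) {
            X509AttributeCertificate attributeCertificate = X509AttributeCertificate.valueOf(certificate.getCertificate());
            if (today.before(attributeCertificate.getNotBefore())) {
                continue;
            }
            if (today.after(attributeCertificate.getNotAfter())) {
                continue;
            }
            if (targetSelection != null && !certificateAttributesEqual(attributeCertificate, targetSelection)) {
                continue;
            }
            // "latest" is decided by serial number: the highest serial seen so far wins (ties go to the later entry).
            if (latestCreateTime.compareTo(attributeCertificate.getSerialNumber()) <= 0) {
                latestCreateTime = attributeCertificate.getSerialNumber();
                latestCert = certificate;
            }
        }
    }
    // Check if a valid certificate was found during the search.
    if (latestCert != null) {
        X509AttributeCertificate attributeCertificate = X509AttributeCertificate.valueOf(latestCert.getCertificate());
        AssetTagCertAssociateRequest atca = new AssetTagCertAssociateRequest();
        atca.setSha1OfAssetCert(Sha1Digest.digestOf(attributeCertificate.getEncoded()).toByteArray());
        AssetTagCertBO object = new AssetTagCertBO();
        try {
            object.mapAssetTagCertToHost(atca);
        } catch (CryptographyException ex) {
            // Consistent with the rest of this class: log through the slf4j logger with a message and the
            // subject, instead of a bare java.util.logging call with a null message. The certificate is
            // still returned: the lookup succeeded even though mapping it to the host did not.
            log.error("Failed to map asset tag certificate to host for subject {}", subject, ex);
        }
        return latestCert;
    }
    // no cached certificate so generate a new certificate
    if (targetSelection == null) {
        throw new IllegalArgumentException("No cached certificate and no default selection provided");
    }
    byte[] certificateBytes = ca.createTagCertificate(UUID.valueOf(subject), targetSelection);
    Certificate certificate = storeTagCertificate(subject, certificateBytes);
    return certificate;
}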
use of com.intel.mtwilson.as.business.AssetTagCertBO in project OpenAttestation by OpenAttestation.
the class HostTrustBO method verifyAssetTagCert.
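/**
 * Looks up the asset tag certificate currently mapped to the host, if any.
 *
 * <p>Only a certificate that {@link AssetTagCertBO#findValidAssetTagCertForHost} considers valid for the
 * host id is returned. Any failure during the lookup is logged and treated as "no certificate", so the
 * caller's trust evaluation proceeds without a tag rather than failing.
 *
 * @param tblHosts host record whose id and name are used for the lookup and for logging
 * @return the mapped, valid certificate, or {@code null} when none is mapped, none is valid, or the lookup failed
 */
private MwAssetTagCertificate verifyAssetTagCert(TblHosts tblHosts) {
    try {
        log.debug("Checking if there are any asset tag certificates mapped to host with ID : {}", tblHosts.getId());
        // Load the asset tag certificate only if it is associated and valid.
        AssetTagCertBO atagCertBO = new AssetTagCertBO();
        MwAssetTagCertificate atagCertForHost = atagCertBO.findValidAssetTagCertForHost(tblHosts.getId());
        // Parameterized rather than string-concatenated so the id is only rendered when INFO is enabled.
        log.info("atagCertBO.findValidAssetTagCertForHost({})", tblHosts.getId());
        if (atagCertForHost == null) {
            log.debug("Asset tag certificate is either not associated or not valid for host {}.", tblHosts.getName());
            return null;
        }
        log.debug("Asset tag certificate is associated to host {} with status {}.", tblHosts.getName(), atagCertForHost.getRevoked());
        return atagCertForHost;
    } catch (Exception ex) {
        // Best-effort lookup: log once, with the host name and the stack trace, and let the caller proceed.
        log.error("Exception when looking up the asset tag whitelist for host {}.", tblHosts.getName(), ex);
        return null;
    }
}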