Example 6 with MwAssetTagCertificate

Use of com.intel.mtwilson.as.data.MwAssetTagCertificate in project OpenAttestation by OpenAttestation.

Class AssetTagCertBO, method importAssetTagCertificate.

/**
 * Stores a new asset tag certificate that was provisioned by the asset tag
 * provisioning service for a host. The certificate is associated with the host for
 * which it was provisioned only when that host is registered with Mt. Wilson.
 * @param atagObj request carrying the encoded attribute certificate
 * @param uuid optional UUID for the new record; a fresh one is generated when empty
 * @return true when the certificate was stored
 */
public boolean importAssetTagCertificate(AssetTagCertCreateRequest atagObj, String uuid) {
    boolean result;
    X509AttributeCertificate x509AttrCert;
    try {
        // Parse the incoming certificate first; a malformed one is rejected before anything is written.
        try {
            x509AttrCert = X509AttributeCertificate.valueOf(atagObj.getCertificate());
        } catch (IllegalArgumentException ce) {
            log.error("Error during retrieval of a new asset tag certificate. Error Details - {}.", ce.getMessage());
            throw new ASException(ce, ErrorCode.AS_INVALID_ASSET_TAG_CERTIFICATE, ce.getMessage());
        }
        MwAssetTagCertificate atagCert = new MwAssetTagCertificate();
        if (uuid != null && !uuid.isEmpty()) {
            atagCert.setUuid_hex(uuid);
        } else {
            atagCert.setUuid_hex(new UUID().toString());
        }
        atagCert.setCertificate(atagObj.getCertificate());
        // The certificate subject is stored, lower-cased, as the tag's UUID.
        atagCert.setUuid(x509AttrCert.getSubject().toLowerCase());
        atagCert.setNotAfter(x509AttrCert.getNotAfter());
        atagCert.setNotBefore(x509AttrCert.getNotBefore());
        atagCert.setRevoked(false);
        // The SHA1 of the encoded certificate is the key later used to match a host to this record.
        atagCert.setSHA1Hash(Sha1Digest.digestOf(x509AttrCert.getEncoded()).toByteArray());
        // The certificate serial number doubles as its creation timestamp.
        log.debug("Certificate creation time is {}", x509AttrCert.getSerialNumber());
        log.debug("Certificate SHA1 is {}", Sha1Digest.digestOf(x509AttrCert.getEncoded()).toHexString());
        atagCert.setCreate_time(x509AttrCert.getSerialNumber());
        // Expected PCR value: a TPM-style extend of an all-zero PCR with SHA1(base64(SHA1(certificate))).
        // This is only a default; it is replaced when the host is mapped to this certificate.
        Sha1Digest sha1D = Sha1Digest.digestOf(atagObj.getCertificate());
        Sha1Digest expectedPcr = Sha1Digest.ZERO.extend(Sha1Digest.digestOf(sha1D.toBase64().getBytes()));
        atagCert.setPCREvent(expectedPcr.toByteArray());
        log.debug("assetTag writing cert to DB");
        MwAssetTagCertificateJpaController mwAssetTagCertificateJpaController = new MwAssetTagCertificateJpaController(getEntityManagerFactory());
        mwAssetTagCertificateJpaController.create(atagCert);
        result = true;
        // TODO: this should be gated on the config option mtwilson.atag.associate.hosts.auto.
        // Try to associate the certificate with an already registered host by its SHA1.
        log.debug("trying to associate tag to existing host using {}", Hex.encodeHexString(atagCert.getSHA1Hash()));
        AssetTagCertAssociateRequest request = new AssetTagCertAssociateRequest();
        request.setSha1OfAssetCert(atagCert.getSHA1Hash());
        // The outcome of the association does not affect the import result.
        mapAssetTagCertToHost(request);
    } catch (ASException ase) {
        log.error("Error during creation of a new asset tag certificate. Error Details - {}:{}.", ase.getErrorCode(), ase.getErrorMessage());
        throw ase;
    } catch (Exception ex) {
        log.error("Unexpected error during creation of a new asset tag certificate. Error Details - {}.", ex.getMessage());
        throw new ASException(ex);
    }
    return result;
}

Example 7 with MwAssetTagCertificate

Use of com.intel.mtwilson.as.data.MwAssetTagCertificate in project OpenAttestation by OpenAttestation.

Class AssetTagCertBO, method revokeAssetTagCertificate.

/**
 * Updates the asset tag certificate entry and sets the revoked flag to true so that this
 * asset tag certificate will not be considered during attestation of the asset tag.
 * @param atagObj request carrying the SHA1 of the certificate to revoke
 * @param uuid optional UUID of the certificate record; takes precedence over the SHA1
 * @return true when the request was processed
 */
public boolean revokeAssetTagCertificate(AssetTagCertRevokeRequest atagObj, String uuid) {
    boolean result;
    List<MwAssetTagCertificate> atagCerts;
    try {
        // Find the asset tag certificate by UUID if one was given, otherwise by its SHA1 hash.
        MwAssetTagCertificateJpaController mwAssetTagCertificateJpaController = new MwAssetTagCertificateJpaController(getEntityManagerFactory());
        if (uuid != null && !uuid.isEmpty()) {
            log.debug("UUID {} is specified for revoking the asset tag certificate", uuid);
            atagCerts = mwAssetTagCertificateJpaController.findAssetTagCertificatesByUuid(uuid);
        } else if (atagObj.getSha1OfAssetCert() != null) {
            log.debug("SHA1 {} is specified for revoking the asset tag certificate", atagObj.getSha1OfAssetCert());
            atagCerts = mwAssetTagCertificateJpaController.findAssetTagCertificateBySha1Hash(atagObj.getSha1OfAssetCert());
        } else {
            log.error("Sha1 for the asset tag is not specified.");
            throw new ASException(ErrorCode.AS_INVALID_ASSET_TAG_CERTIFICATE_HASH);
        }
        if (atagCerts.isEmpty() || atagCerts.size() > 1) {
            // Note: the result is still true here, so the caller cannot distinguish
            // "nothing revoked" from a successful revocation.
            log.warn("Either the asset tag certificate does not exist or there were multiple matches for the specified hash.");
            result = true;
        } else {
            // Exactly one certificate matched: set the revoked flag and persist it.
            MwAssetTagCertificate atagCert = atagCerts.get(0);
            atagCert.setRevoked(true);
            mwAssetTagCertificateJpaController.edit(atagCert);
            result = true;
        }
    } catch (ASException ase) {
        log.error("Error during revocation of the asset tag certificate. Error Details - {}:{}.", ase.getErrorCode(), ase.getErrorMessage());
        throw ase;
    } catch (Exception ex) {
        log.error("Unexpected error during revocation of the asset tag certificate. Error Details - {}.", ex.getMessage());
        throw new ASException(ex);
    }
    return result;
}

Example 8 with MwAssetTagCertificate

Use of com.intel.mtwilson.as.data.MwAssetTagCertificate in project OpenAttestation by OpenAttestation.

Class AssetTagCertBO, method unmapAssetTagCertFromHostById.

/**
 * Removes the mapping between the host and its asset tag certificate(s). This must be
 * invoked whenever the host is deleted from Mt. Wilson.
 *
 * For removing the mapping the caller need not specify the certificate hash; the host ID
 * alone is enough.
 *
 * @param atagObj request carrying the ID of the host to unmap
 * @return true when no mapping remains for the host
 */
public boolean unmapAssetTagCertFromHostById(AssetTagCertAssociateRequest atagObj) {
    boolean result = false;
    try {
        if (atagObj.getHostID() != 0) {
            // Find every asset tag certificate currently mapped to this host ID.
            MwAssetTagCertificateJpaController mwAssetTagCertificateJpaController = new MwAssetTagCertificateJpaController(getEntityManagerFactory());
            List<MwAssetTagCertificate> atagCerts = mwAssetTagCertificateJpaController.findAssetTagCertificatesByHostID(atagObj.getHostID());
            if (atagCerts.isEmpty()) {
                // There is nothing to unmap, so report success.
                log.info("The host is currently not mapped to any asset tag certificate. So, nothing to unmap.");
                return true;
            }
            // No validation of the certificate is needed when unmapping: clear the host ID on every match.
            for (MwAssetTagCertificate atagTempCert : atagCerts) {
                atagTempCert.setHostID(null);
                mwAssetTagCertificateJpaController.edit(atagTempCert);
            }
            log.debug("Successfully unmapped the host with id {} from the asset tag certificate.", atagObj.getHostID());
            result = true;
        } else {
            log.error("Host specified for the asset tag unmap request is not valid.");
            throw new ASException(ErrorCode.AS_HOST_SPECIFIED_IS_CURRENTLY_NOT_MAPPED_TO_ASSET_TAG_CERTIFICATE);
        }
    } catch (ASException ase) {
        log.error("Error during unmapping of the host from asset tag certificate. Error Details - {}:{}.", ase.getErrorCode(), ase.getErrorMessage());
        throw ase;
    } catch (Exception ex) {
        log.error("Unexpected error during unmapping of the host from asset tag certificate. Error Details - {}.", ex.getMessage());
        throw new ASException(ex);
    }
    return result;
}

Example 9 with MwAssetTagCertificate

Use of com.intel.mtwilson.as.data.MwAssetTagCertificate in project OpenAttestation by OpenAttestation.

Class HostTrustBO, method getTrustWithSaml.

public String getTrustWithSaml(TblHosts tblHosts, String hostId, String hostAttestationUuid) {
    try {
        TblSamlAssertion tblSamlAssertion = new TblSamlAssertion();
        // Attest the host first; this also fills in the host reference on the assertion record.
        TxtHost host = getHostWithTrust(tblHosts, hostId, tblSamlAssertion);
        tblSamlAssertion.setAssertionUuid(hostAttestationUuid);
        tblSamlAssertion.setBiosTrust(host.isBiosTrusted());
        tblSamlAssertion.setVmmTrust(host.isVmmTrusted());
        // Asset tag data is added only if the host has been provisioned with a tag, which is
        // determined by looking up a valid asset tag certificate for the host.
        X509AttributeCertificate tagCertificate;
        AssetTagCertBO atagCertBO = new AssetTagCertBO();
        MwAssetTagCertificate atagCertForHost = atagCertBO.findValidAssetTagCertForHost(tblSamlAssertion.getHostId().getId());
        if (atagCertForHost != null) {
            log.debug("Host has been provisioned in the system with a TAG.");
            tagCertificate = X509AttributeCertificate.valueOf(atagCertForHost.getCertificate());
        } else {
            log.debug("Host has not been provisioned in the system with a TAG.");
            tagCertificate = null;
        }
        // The tag certificate (or null) is handed to the SAML generator so its attributes appear in the assertion.
        SamlAssertion samlAssertion = getSamlGenerator().generateHostAssertion(host, tagCertificate, null);
        log.debug("Expiry {}", samlAssertion.expiry_ts.toString());
        tblSamlAssertion.setSaml(samlAssertion.assertion);
        tblSamlAssertion.setExpiryTs(samlAssertion.expiry_ts);
        tblSamlAssertion.setCreatedTs(samlAssertion.created_ts);
        getSamlAssertionJpaController().create(tblSamlAssertion);
        return samlAssertion.assertion;
    } catch (ASException e) {
        // A missing host becomes a 404; every other ASException is passed through unchanged.
        if (e.getErrorCode().equals(ErrorCode.AS_HOST_NOT_FOUND)) {
            throw new WebApplicationException(Status.NOT_FOUND);
        }
        throw e;
    } catch (Exception ex) {
        log.error("Error during retrieval of host trust status.", ex);
        throw new ASException(ErrorCode.AS_HOST_TRUST_ERROR, ex.getClass().getSimpleName());
    }
}

Example 10 with MwAssetTagCertificate

Use of com.intel.mtwilson.as.data.MwAssetTagCertificate in project OpenAttestation by OpenAttestation.

Class HostTrustBO, method verifyTrust.

private HostTrustStatus verifyTrust(TblHosts host, HashMap<String, ? extends IManifest> pcrManifestMap, HashMap<String, ? extends IManifest> gkvBiosPcrManifestMap, HashMap<String, ? extends IManifest> gkvVmmPcrManifestMap) {
    HostTrustStatus trust = new HostTrustStatus();
    // Verify BIOS trust: the host's PCR manifest against the BIOS MLE's good known values.
    trust.bios = verifyTrust(host, host.getBiosMleId(), pcrManifestMap, gkvBiosPcrManifestMap);
    // Verify VMM trust: the host's PCR manifest against the VMM MLE's good known values.
    trust.vmm = verifyTrust(host, host.getVmmMleId(), pcrManifestMap, gkvVmmPcrManifestMap);
    // Verify location trust: if a location is available (it comes from PCR 22), it is trusted.
    trust.location = host.getLocation() != null;
    // Asset tag trust is evaluated only when the host has a valid asset tag certificate.
    trust.asset_tag = false;
    MwAssetTagCertificate atagCert = verifyAssetTagCert(host);
    if (atagCert != null) {
        trust.asset_tag = verifyAssetTagTrust(host, host.getVmmMleId(), pcrManifestMap, atagCert);
    }
    logOverallTrustStatus(host, toString(trust));
    return trust;
}