// public AssetTagCertBO(PersistenceManager pm) {
// super(pm);
// }
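/**
 * Stores a new asset tag certificate that was provisioned by the asset tag
 * provisioning service for a host. The certificate is persisted as an
 * {@code MwAssetTagCertificate} row and, once stored, an attempt is made to
 * associate it with an already-registered host via {@code mapAssetTagCertToHost};
 * when the host is not registered yet, the association happens at registration time.
 *
 * <p>Security notes (review):
 * <ul>
 *   <li>The only validation performed in this method is that the input parses as an
 *       X.509 attribute certificate. No issuer/signature or validity-period check is
 *       visible here; if the asset tag CA check is not enforced by the caller or inside
 *       {@code X509AttributeCertificate.valueOf}, an arbitrary attribute certificate could
 *       be imported and later attested against. TODO confirm where the CA signature is verified.</li>
 *   <li>A caller-supplied {@code uuid} is stored as the record id without any format check.</li>
 *   <li>SHA-1 is used because the PCR-22 extend on TPM 1.2 is SHA-1 based; it serves as an
 *       identifier/lookup key here, not as a security boundary on its own.</li>
 * </ul>
 *
 * @param atagObj request carrying the raw certificate bytes
 * @param uuid optional record id ({@code uuid_hex}); a fresh UUID is generated when null or empty
 * @return {@code true} once the certificate row has been created; the outcome of the
 *         host-association attempt is intentionally not reflected in the return value
 * @throws ASException with {@code AS_INVALID_ASSET_TAG_CERTIFICATE} when the bytes do not parse
 *         as an attribute certificate, or wrapping any other failure (including one raised by
 *         the host-association step, which then surfaces as a failed import even though the
 *         row was already written -- NOTE(review): confirm that is the intended contract)
 */
public boolean importAssetTagCertificate(AssetTagCertCreateRequest atagObj, String uuid) {
    boolean result;
    X509AttributeCertificate x509AttrCert;
    try {
        try {
            x509AttrCert = X509AttributeCertificate.valueOf(atagObj.getCertificate());
        } catch (IllegalArgumentException ce) {
            log.error("Error during retrieval of a new asset tag certificate. Error Details - {}.", ce.getMessage());
            throw new ASException(ce, ErrorCode.AS_INVALID_ASSET_TAG_CERTIFICATE, ce.getMessage());
        }
        // Digest of the re-encoded certificate, computed once and reused for the stored
        // hash, the debug log and the host-association lookup below.
        Sha1Digest certSha1 = Sha1Digest.digestOf(x509AttrCert.getEncoded());

        MwAssetTagCertificate atagCert = new MwAssetTagCertificate();
        if (uuid != null && !uuid.isEmpty())
            atagCert.setUuid_hex(uuid);
        else
            atagCert.setUuid_hex(new UUID().toString());
        atagCert.setCertificate(atagObj.getCertificate());
        // The attribute certificate's subject is used as the host UUID column.
        atagCert.setUuid(x509AttrCert.getSubject().toLowerCase());
        atagCert.setNotAfter(x509AttrCert.getNotAfter());
        atagCert.setNotBefore(x509AttrCert.getNotBefore());
        atagCert.setRevoked(false);
        atagCert.setSHA1Hash(certSha1.toByteArray());
        // NOTE(review): the certificate serial number is stored as the create time; the
        // provisioning service presumably encodes the issue time in the serial -- confirm
        // before relying on this column for anything time-related.
        log.debug("Certificate creation time is {}", x509AttrCert.getSerialNumber());
        log.debug("Certificate SHA1 is {}", certSha1.toHexString());
        atagCert.setCreate_time(x509AttrCert.getSerialNumber());
        // SHA-256 is not used with TPM 1.2, so no SHA256Hash column is populated.
        // Default expected PCR value: extend(ZERO, sha1(base64(sha1(rawCertBytes)))).
        // It is a placeholder that is recomputed when the host is mapped to this certificate.
        // Note this digests the raw request bytes, whereas the stored SHA1 above digests the
        // re-encoded certificate; the two may differ if the input is not already canonical DER.
        // (toBase64() yields ASCII, so the platform-charset getBytes() is safe here.)
        Sha1Digest sha1D = Sha1Digest.digestOf(atagObj.getCertificate());
        Sha1Digest expectedPcr = Sha1Digest.ZERO.extend(Sha1Digest.digestOf(sha1D.toBase64().getBytes()));
        atagCert.setPCREvent(expectedPcr.toByteArray());
        log.debug("assetTag writing cert to DB");
        MwAssetTagCertificateJpaController mwAssetTagCertificateJpaController = new MwAssetTagCertificateJpaController(getEntityManagerFactory());
        mwAssetTagCertificateJpaController.create(atagCert);
        result = true;
        // TODO: this step should be gated on the config option mtwilson.atag.associate.hosts.auto.
        // Try to match an already-registered host to the new certificate. Not finding one is
        // not an error at import time, so the mapping result is deliberately ignored.
        log.debug("trying to associate tag to existing host using " + Hex.encodeHexString(atagCert.getSHA1Hash()));
        AssetTagCertAssociateRequest request = new AssetTagCertAssociateRequest();
        request.setSha1OfAssetCert(atagCert.getSHA1Hash());
        mapAssetTagCertToHost(request);
    } catch (ASException ase) {
        log.error("Error during creation of a new asset tag certificate. Error Details - {}:{}.", ase.getErrorCode(), ase.getErrorMessage());
        throw ase;
    } catch (Exception ex) {
        log.error("Unexpected error during creation of a new asset tag certificate. Error Details - {}.", ex.getMessage());
        throw new ASException(ex);
    }
    return result;
}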
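/**
 * Marks an asset tag certificate as revoked so that it is no longer considered
 * during asset tag attestation. The row is located either by its record id
 * ({@code uuid}, preferred when given) or by the SHA-1 hash of the certificate.
 *
 * <p>Revocation is fail-closed: if the lookup returns more than one row (for
 * example the same certificate imported twice, which {@code importAssetTagCertificate}
 * does not prevent since it generates a fresh record id on every import), every
 * matching row is revoked. The previous implementation silently revoked nothing
 * on a multi-match while still reporting success, leaving the certificate usable
 * for attestation. A lookup that matches nothing is treated as already revoked
 * (idempotent) and still returns {@code true}; a warning is logged for that case.
 *
 * @param atagObj request carrying the SHA-1 of the certificate (used when {@code uuid} is absent)
 * @param uuid record id of the certificate; may be null or empty
 * @return {@code true} when the request was processed, including the no-match case
 * @throws ASException with {@code AS_INVALID_ASSET_TAG_CERTIFICATE_HASH} when neither a uuid
 *         nor a SHA-1 was supplied, or wrapping any unexpected failure
 */
public boolean revokeAssetTagCertificate(AssetTagCertRevokeRequest atagObj, String uuid) {
    boolean result;
    List<MwAssetTagCertificate> atagCerts;
    try {
        MwAssetTagCertificateJpaController controller = new MwAssetTagCertificateJpaController(getEntityManagerFactory());
        if (uuid != null && !uuid.isEmpty()) {
            log.debug("UUID {} is specified for revoking the asset tag certificate", uuid);
            atagCerts = controller.findAssetTagCertificatesByUuid(uuid);
        } else if (atagObj.getSha1OfAssetCert() != null) {
            // Debug, not error: this is the normal lookup path, mirroring the uuid branch above.
            log.debug("SHA1 {} is specified for revoking the asset tag certificate", atagObj.getSha1OfAssetCert());
            atagCerts = controller.findAssetTagCertificateBySha1Hash(atagObj.getSha1OfAssetCert());
        } else {
            log.error("Sha1 for the asset tag is not specified.");
            throw new ASException(ErrorCode.AS_INVALID_ASSET_TAG_CERTIFICATE_HASH);
        }
        if (atagCerts.isEmpty()) {
            // Nothing to revoke; kept as a success to preserve the original idempotent contract.
            log.warn("The asset tag certificate does not exist; nothing to revoke.");
            result = true;
        } else {
            if (atagCerts.size() > 1) {
                log.warn("Multiple ({}) asset tag certificates matched the revocation request; revoking all of them.", atagCerts.size());
            }
            // Revoke every match rather than none: all rows share the same identity (hash or id).
            for (MwAssetTagCertificate atagCert : atagCerts) {
                atagCert.setRevoked(true);
                controller.edit(atagCert);
            }
            result = true;
        }
    } catch (ASException ase) {
        log.error("Error during revocation of the asset tag certificate. Error Details - {}:{}.", ase.getErrorCode(), ase.getErrorMessage());
        throw ase;
    } catch (Exception ex) {
        log.error("Unexpected error during revocation of the new asset tag certificate. Error Details - {}.", ex.getMessage());
        throw new ASException(ex);
    }
    return result;
}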
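/**
 * Removes the mapping between a host and every asset tag certificate currently
 * associated with it. Intended to be invoked whenever the host is deleted from
 * Mt.Wilson. Only {@code hostID} is read from the request; the certificate hash
 * is not required.
 *
 * <p>Fix: the previous implementation returned from inside the loop after clearing
 * the first certificate, so a host mapped to several certificates kept a stale
 * {@code hostID} on all but one of them. All matching rows are now cleared before
 * the method returns.
 *
 * @param atagObj request whose {@code hostID} identifies the host; must be non-zero
 * @return {@code true} when the host has no remaining certificate mappings (also when it had none)
 * @throws ASException with {@code AS_HOST_SPECIFIED_IS_CURRENTLY_NOT_MAPPED_TO_ASSET_TAG_CERTIFICATE}
 *         when {@code hostID} is 0, or wrapping any unexpected failure
 */
public boolean unmapAssetTagCertFromHostById(AssetTagCertAssociateRequest atagObj) {
    boolean result = false;
    try {
        if (atagObj.getHostID() != 0) {
            MwAssetTagCertificateJpaController controller = new MwAssetTagCertificateJpaController(getEntityManagerFactory());
            List<MwAssetTagCertificate> atagCerts = controller.findAssetTagCertificatesByHostID(atagObj.getHostID());
            if (atagCerts.isEmpty()) {
                // There is nothing to unmap, so just report success.
                log.info("The host is currently not mapped to any asset tag certificate. So, nothing to unmap.");
                return true;
            }
            // No certificate validation on unmap: a revoked or expired certificate must be
            // detached from the host exactly like a valid one.
            for (MwAssetTagCertificate atagTempCert : atagCerts) {
                atagTempCert.setHostID(null);
                controller.edit(atagTempCert);
            }
            log.debug("Successfully upmapped the host with id {} from the asset tag certificate.", atagObj.getHostID());
            result = true;
        } else {
            log.error("Host specified for the asset tag unmap request is not valid.");
            throw new ASException(ErrorCode.AS_HOST_SPECIFIED_IS_CURRENTLY_NOT_MAPPED_TO_ASSET_TAG_CERTIFICATE);
        }
    } catch (ASException ase) {
        log.error("Error during unmapping of the host from asset tag certificate. Error Details - {}:{}.", ase.getErrorCode(), ase.getErrorMessage());
        throw ase;
    } catch (Exception ex) {
        log.error("Unexpected error during unmapping of the host from asset tag certificate. Error Details - {}.", ex.getMessage());
        throw new ASException(ex);
    }
    return result;
}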
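/**
 * Builds, persists and returns a SAML assertion describing the trust status of a host.
 * The BIOS/VMM verdicts come from {@code getHostWithTrust}; asset tag data is added only
 * when a valid (per {@code findValidAssetTagCertForHost}) tag certificate is mapped to the
 * host. The generated assertion and its timestamps are stored in {@code mw_saml_assertion}
 * via the SAML assertion JPA controller before the assertion text is returned.
 *
 * <p>NOTE(review): the tag certificate is handed to the SAML generator regardless of
 * {@code host.isAssetTagTrusted()} (an earlier, now removed, variant gated on it). Confirm
 * that {@code generateHostAssertion} itself gates the tag attributes on the asset-tag trust
 * result; otherwise attributes from a certificate whose PCR did not verify would be asserted.
 *
 * @param tblHosts host record to attest
 * @param hostId host identifier passed through to {@code getHostWithTrust}
 * @param hostAttestationUuid identifier stored as the assertion uuid
 * @return the signed SAML assertion text
 * @throws WebApplicationException with 404 when the host is not found
 * @throws ASException any other attestation error, re-thrown as-is; unexpected exceptions are
 *         wrapped with {@code AS_HOST_TRUST_ERROR} and the original kept as the cause
 */
public String getTrustWithSaml(TblHosts tblHosts, String hostId, String hostAttestationUuid) {
    try {
        TblSamlAssertion tblSamlAssertion = new TblSamlAssertion();
        TxtHost host = getHostWithTrust(tblHosts, hostId, tblSamlAssertion);
        tblSamlAssertion.setAssertionUuid(hostAttestationUuid);
        tblSamlAssertion.setBiosTrust(host.isBiosTrusted());
        tblSamlAssertion.setVmmTrust(host.isVmmTrusted());
        // Asset tag data is included only if the host has been provisioned with a tag, which is
        // determined by looking up a currently valid certificate mapped to the host.
        X509AttributeCertificate tagCertificate;
        AssetTagCertBO atagCertBO = new AssetTagCertBO();
        MwAssetTagCertificate atagCertForHost = atagCertBO.findValidAssetTagCertForHost(tblSamlAssertion.getHostId().getId());
        if (atagCertForHost != null) {
            log.debug("Host has been provisioned in the system with a TAG.");
            tagCertificate = X509AttributeCertificate.valueOf(atagCertForHost.getCertificate());
        } else {
            log.debug("Host has not been provisioned in the system with a TAG.");
            tagCertificate = null;
        }
        SamlAssertion samlAssertion = getSamlGenerator().generateHostAssertion(host, tagCertificate, null);
        log.debug("Expiry {}", samlAssertion.expiry_ts.toString());
        tblSamlAssertion.setSaml(samlAssertion.assertion);
        tblSamlAssertion.setExpiryTs(samlAssertion.expiry_ts);
        tblSamlAssertion.setCreatedTs(samlAssertion.created_ts);
        // The trust report is not cached here (v1 requirement to log to mw_ta_log is pending).
        getSamlAssertionJpaController().create(tblSamlAssertion);
        return samlAssertion.assertion;
    } catch (ASException e) {
        // Map "host not found" to a 404 for the REST layer; everything else propagates unchanged.
        if (e.getErrorCode().equals(ErrorCode.AS_HOST_NOT_FOUND)) {
            throw new WebApplicationException(Status.NOT_FOUND);
        }
        throw e;
    } catch (Exception ex) {
        log.error("Error during retrieval of host trust status.", ex);
        // Keep the original exception as the cause for diagnostics; only its class name is
        // exposed in the error message (no internal details leak to the client).
        throw new ASException(ex, ErrorCode.AS_HOST_TRUST_ERROR, ex.getClass().getSimpleName());
    }
}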
/**
 * Aggregates the individual trust verdicts for a host into one {@code HostTrustStatus}.
 * BIOS and VMM are checked against their respective MLE good-known values; location is
 * reported as trusted merely when the host has a location recorded (the value presumably
 * originates from PCR 22, but no PCR comparison happens in this method); the asset tag is
 * trusted only when a valid tag certificate exists for the host and
 * {@code verifyAssetTagTrust} accepts it. The overall status is logged before it is returned.
 *
 * @param host host being attested
 * @param pcrManifestMap PCR manifest reported by the host
 * @param gkvBiosPcrManifestMap good-known values for the BIOS MLE
 * @param gkvVmmPcrManifestMap good-known values for the VMM MLE
 * @return the combined bios/vmm/location/asset_tag verdict
 */
private HostTrustStatus verifyTrust(TblHosts host, HashMap<String, ? extends IManifest> pcrManifestMap, HashMap<String, ? extends IManifest> gkvBiosPcrManifestMap, HashMap<String, ? extends IManifest> gkvVmmPcrManifestMap) {
    final HostTrustStatus status = new HostTrustStatus();
    // BIOS and VMM: compare the reported PCR manifest against each MLE's good-known values.
    status.bios = verifyTrust(host, host.getBiosMleId(), pcrManifestMap, gkvBiosPcrManifestMap);
    status.vmm = verifyTrust(host, host.getVmmMleId(), pcrManifestMap, gkvVmmPcrManifestMap);
    // Location: presence of a recorded location is taken as trust.
    status.location = (host.getLocation() != null);
    // Asset tag: untrusted unless a valid certificate is mapped to the host and it verifies
    // (using the VMM MLE id and the host's PCR manifest).
    final MwAssetTagCertificate tagCert = verifyAssetTagCert(host);
    status.asset_tag = (tagCert != null) && verifyAssetTagTrust(host, host.getVmmMleId(), pcrManifestMap, tagCert);
    logOverallTrustStatus(host, toString(status));
    return status;
}