From c578ec7bd71497a48cf2fd1bb0016a7743bff44c Mon Sep 17 00:00:00 2001 
From: antkorczak Date: Thu, 23 Dec 2021 09:45:32 +0100 Subject: [PATCH] Release 1.1.82.5 (#4) --- Verifier/build.gradle | 2 +- .../certificate/CrlVerifierTestIT.java | 3 +- ...509CertificateChainVerifierTestDiceIT.java | 3 +- .../certificate/X509CertificateUtils.java | 8 +- .../ext/core/crl/CrlSerialNumberBuilder.java | 5 +- .../ext/core/manufacturing/model/PufType.java | 6 +- .../psgcertificate/model/PsgPublicKey.java | 5 - .../verifier/command/MailboxCommandLayer.java | 7 +- .../bkp/verifier/command/logger/ILogger.java | 4 +- .../GetMeasurementMessageBuilder.java | 4 +- ...CreateAttestationSubKeyMessageBuilder.java | 4 +- .../subkey/VerifierChainBackupUtil.java | 5 +- .../DeviceStateMeasurementRecord.java | 5 +- .../UserDesignMeasurementRecord.java | 5 +- .../chip/GetCertificateResponseBuilder.java | 2 - .../chip/GetChipIdResponseBuilder.java | 2 - .../chip/SigmaTeardownResponseBuilder.java | 9 +- .../DiceRevocationCacheEntityService.java | 5 +- .../repository/S10CacheEntityService.java | 5 +- .../dp/DistributionPointConnector.java | 11 +- .../CacheEntityDoesNotExistException.java | 2 +- .../exceptions/CommandFailedException.java | 2 +- .../exceptions/ConnectionException.java | 2 +- .../exceptions/CrlSignatureException.java | 2 +- .../exceptions/DatabaseException.java | 5 +- .../exceptions/InternalLibraryException.java | 2 +- .../exceptions/JtagResponseException.java | 2 +- .../exceptions/SectionTypeException.java | 2 +- .../verifier/exceptions/SigmaException.java | 2 +- .../exceptions/TcbInfoFieldException.java | 2 +- .../exceptions/TclCommandException.java | 2 +- .../exceptions/TransportLayerException.java | 2 +- .../VerifierKeyNotInitializedException.java | 2 +- ...ion.java => VerifierRuntimeException.java} | 11 +- .../exceptions/X509ParsingException.java | 2 +- .../bkp/verifier/model/dice/DiceParams.java | 9 +- .../verifier/model/dice/FwidFieldParser.java | 5 +- .../model/dice/IntegerFieldParser.java | 5 +- .../model/dice/OctetStringFieldParser.java | 5 +- 
.../dice/OperationalFlagsFieldParser.java | 5 +- .../bkp/verifier/model/s10/S10Params.java | 5 +- ...reateDeviceAttestationSubKeyComponent.java | 7 +- .../service/DiceAttestationComponent.java | 4 +- .../service/VerifierExchangeImpl.java | 11 +- .../certificate/DiceAliasChainVerifier.java | 57 ++++++++++ .../DiceAttestationRevocationService.java | 10 +- ...rifier.java => DiceChainVerifierBase.java} | 42 ++++---- .../DistributionPointCrlProvider.java | 5 +- .../S10AttestationRevocationService.java | 7 +- ...ateVerifier.java => S10ChainVerifier.java} | 31 +++--- .../validator/DeviceStateMaskHelper.java | 10 +- .../sigma/GetMeasurementVerifier.java | 9 +- .../sigma/SigmaM2DeviceIdVerifier.java | 7 +- .../SigmaM2VerifierDhPubKeyVerifier.java | 7 +- .../transport/hps/HpsTransportImpl.java | 7 +- .../SystemConsoleHexConverter.java | 4 +- .../verifier/x509/X509CertificateParser.java | 8 -- .../command/MailboxCommandLayerTest.java | 101 ++++++++++++++++++ .../GetMeasurementMessageBuilderTest.java | 4 +- ...teAttestationSubKeyMessageBuilderTest.java | 4 +- .../DeviceStateMeasurementRecordTest.java | 5 +- .../UserDesignMeasurementRecordTest.java | 5 +- .../SigmaTeardownResponseBuilderTest.java | 76 +++++++++++++ .../model/dice/FieldParserTestUtils.java | 7 +- .../model/evidence/SectionTypeTest.java | 12 +-- .../service/VerifierExchangeImplTest.java | 6 +- .../DiceAliasChainVerifierTest.java | 83 ++++++++++++++ .../DiceAttestationRevocationServiceTest.java | 4 +- ...st.java => DiceChainVerifierBaseTest.java} | 63 +++++++---- .../S10AttestationRevocationServiceTest.java | 8 +- ...ierTest.java => S10ChainVerifierTest.java} | 45 ++++---- .../sigma/GetMeasurementVerifierTest.java | 4 +- ...ddca0b53a_7eukZEEF-nzSZWoHQrqQf53ru9A.cer} | Bin Verifier/third_party_licenses.md | 2 +- gradle.properties | 7 +- workload/third_party_licenses.md | 2 +- 76 files changed, 591 insertions(+), 249 deletions(-) rename 
Verifier/src/main/java/com/intel/bkp/verifier/exceptions/{CertificateChainSigmaException.java => VerifierRuntimeException.java} (87%) create mode 100644 Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceAliasChainVerifier.java rename Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/{DiceCertificateVerifier.java => DiceChainVerifierBase.java} (73%) rename Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/{S10CertificateVerifier.java => S10ChainVerifier.java} (77%) create mode 100644 Verifier/src/test/java/com/intel/bkp/verifier/command/MailboxCommandLayerTest.java create mode 100644 Verifier/src/test/java/com/intel/bkp/verifier/command/responses/chip/SigmaTeardownResponseBuilderTest.java create mode 100644 Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceAliasChainVerifierTest.java rename Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/{DiceCertificateVerifierTest.java => DiceChainVerifierBaseTest.java} (76%) rename Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/{S10CertificateVerifierTest.java => S10ChainVerifierTest.java} (80%) rename Verifier/src/test/resources/certs/diceChain/{deviceid_08cbe74ddca0b53a_7eukZEEF-nzSZWoH.cer => deviceid_08cbe74ddca0b53a_7eukZEEF-nzSZWoHQrqQf53ru9A.cer} (100%) diff --git a/Verifier/build.gradle b/Verifier/build.gradle index e81a2cf..e148ae7 100644 --- a/Verifier/build.gradle +++ b/Verifier/build.gradle @@ -125,7 +125,7 @@ dependencies { } testImplementation "org.junit.jupiter:junit-jupiter-engine:${junit5_version}" - testImplementation "org.mockito:mockito-core:${mockito_version}" + testImplementation "org.mockito:mockito-inline:${mockito_version}" testImplementation "org.mockito:mockito-junit-jupiter:${mockito_version}" testImplementation "org.junit.platform:junit-platform-launcher:${junit5_platform_version}" } 
diff --git a/Verifier/src/integrationTest/java/com/intel/bkp/verifier/service/certificate/CrlVerifierTestIT.java b/Verifier/src/integrationTest/java/com/intel/bkp/verifier/service/certificate/CrlVerifierTestIT.java index 0c71b0c..dd9cd08 100644 --- a/Verifier/src/integrationTest/java/com/intel/bkp/verifier/service/certificate/CrlVerifierTestIT.java +++ b/Verifier/src/integrationTest/java/com/intel/bkp/verifier/service/certificate/CrlVerifierTestIT.java @@ -86,7 +86,8 @@ void prepareSut() { static void init() throws Exception { aliasCert = X509_PARSER.toX509(getBytesFromFile("UDS_EFUSE_ALIAS_3AB5A0DC4DE7CB08.cer")); firmwareCert = X509_PARSER.toX509(getBytesFromFile("FIRMWARE_3AB5A0DC4DE7CB08.cer")); - deviceIdCert = X509_PARSER.toX509(getBytesFromFile("deviceid_08cbe74ddca0b53a_7eukZEEF-nzSZWoH.cer")); + deviceIdCert = X509_PARSER.toX509(getBytesFromFile("deviceid_08cbe74ddca0b53a_7eukZEEF-nzSZWoHQrqQf53ru9A" + + ".cer")); productFamilyCert = X509_PARSER.toX509(getBytesFromFile("IPCS_agilex.cer")); rootCert = X509_PARSER.toX509(getBytesFromFile("DICE_RootCA.cer")); diff --git a/Verifier/src/integrationTest/java/com/intel/bkp/verifier/x509/X509CertificateChainVerifierTestDiceIT.java b/Verifier/src/integrationTest/java/com/intel/bkp/verifier/x509/X509CertificateChainVerifierTestDiceIT.java index 1aeec56..399c8e9 100644 --- a/Verifier/src/integrationTest/java/com/intel/bkp/verifier/x509/X509CertificateChainVerifierTestDiceIT.java +++ b/Verifier/src/integrationTest/java/com/intel/bkp/verifier/x509/X509CertificateChainVerifierTestDiceIT.java 
@@ -65,7 +65,8 @@ public class X509CertificateChainVerifierTestDiceIT { static void init() throws Exception { aliasCert = X509_PARSER.toX509(getBytesFromFile("UDS_EFUSE_ALIAS_3AB5A0DC4DE7CB08.cer")); firmwareCert = X509_PARSER.toX509(getBytesFromFile("FIRMWARE_3AB5A0DC4DE7CB08.cer")); - deviceIdCert = X509_PARSER.toX509(getBytesFromFile("deviceid_08cbe74ddca0b53a_7eukZEEF-nzSZWoH.cer")); + deviceIdCert = X509_PARSER.toX509(getBytesFromFile("deviceid_08cbe74ddca0b53a_7eukZEEF-nzSZWoHQrqQf53ru9A" + + ".cer")); productFamilyCert = X509_PARSER.toX509(getBytesFromFile("IPCS_agilex.cer")); rootCert = X509_PARSER.toX509(getBytesFromFile("DICE_RootCA.cer")); } diff --git a/Verifier/src/main/java/com/intel/bkp/ext/core/certificate/X509CertificateUtils.java b/Verifier/src/main/java/com/intel/bkp/ext/core/certificate/X509CertificateUtils.java index e2ff773..a240a59 100644 --- a/Verifier/src/main/java/com/intel/bkp/ext/core/certificate/X509CertificateUtils.java +++ b/Verifier/src/main/java/com/intel/bkp/ext/core/certificate/X509CertificateUtils.java @@ -48,7 +48,9 @@ import java.security.SignatureException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; +import java.util.HashSet; import java.util.Optional; +import java.util.Set; public class X509CertificateUtils { @@ -112,7 +114,9 @@ public static boolean isSelfSigned(final X509Certificate certificate) { */ public static boolean containsExtension(final X509Certificate certificate, ASN1ObjectIdentifier extensionOid) { final String oid = extensionOid.getId(); - return certificate.getCriticalExtensionOIDs().contains(oid) - || certificate.getNonCriticalExtensionOIDs().contains(oid); + final Set allExtOids = new HashSet<>(); + Optional.ofNullable(certificate.getCriticalExtensionOIDs()).ifPresent(allExtOids::addAll); + Optional.ofNullable(certificate.getNonCriticalExtensionOIDs()).ifPresent(allExtOids::addAll); + return allExtOids.contains(oid); } } 
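Review bot: In `containsExtension`, the null-safe merge allocates a `HashSet` and copies both OID sets on every call just to test a single OID; `return certificate.getExtensionValue(oid) != null;` answers the same presence question for critical and non-critical extensions and already returns null when the extension is absent. As rendered on this page `Set allExtOids` has no type argument, which may be an extraction artefact; if the file really reads that way, declare it `Set<String>`. The method's Javadoc begins outside the hunk, so it is worth confirming it states that criticality is ignored, since a caller that must distinguish a critical extension cannot rely on this helper.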
diff --git a/Verifier/src/main/java/com/intel/bkp/ext/core/crl/CrlSerialNumberBuilder.java b/Verifier/src/main/java/com/intel/bkp/ext/core/crl/CrlSerialNumberBuilder.java index 87c2f13..784e6d2 100644 --- a/Verifier/src/main/java/com/intel/bkp/ext/core/crl/CrlSerialNumberBuilder.java +++ b/Verifier/src/main/java/com/intel/bkp/ext/core/crl/CrlSerialNumberBuilder.java @@ -33,20 +33,21 @@ package com.intel.bkp.ext.core.crl; -import com.intel.bkp.ext.utils.HexConverter; import lombok.AccessLevel; import lombok.NoArgsConstructor; import java.math.BigInteger; import java.nio.ByteBuffer; +import static com.intel.bkp.ext.utils.HexConverter.fromHex; + @NoArgsConstructor(access = AccessLevel.PRIVATE) public class CrlSerialNumberBuilder { public static final byte CRL_VERSION_BYTE = (byte)0x01; public static BigInteger convertToBigInteger(String deviceId) { - return convertToBigInteger(HexConverter.fromHex(deviceId)); + return convertToBigInteger(fromHex(deviceId)); } public static BigInteger convertToBigInteger(byte[] deviceId) { diff --git a/Verifier/src/main/java/com/intel/bkp/ext/core/manufacturing/model/PufType.java b/Verifier/src/main/java/com/intel/bkp/ext/core/manufacturing/model/PufType.java index 66ac378..fc23fbe 100644 --- a/Verifier/src/main/java/com/intel/bkp/ext/core/manufacturing/model/PufType.java +++ b/Verifier/src/main/java/com/intel/bkp/ext/core/manufacturing/model/PufType.java @@ -33,13 +33,13 @@ package com.intel.bkp.ext.core.manufacturing.model; -import com.intel.bkp.ext.utils.HexConverter; - import java.nio.ByteBuffer; import java.nio.ByteOrder; import java.util.EnumSet; import java.util.Locale; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + /** * The PufType enumeration. */ 
@@ -54,7 +54,7 @@ public static PufType fromOrdinal(int ordinal) { } public static String getPufTypeHex(PufType pufType) { - return HexConverter.toHex(ByteBuffer.allocate(Integer.BYTES) + return toHex(ByteBuffer.allocate(Integer.BYTES) .order(ByteOrder.BIG_ENDIAN) .putInt(pufType.ordinal()) .array() diff --git a/Verifier/src/main/java/com/intel/bkp/ext/core/psgcertificate/model/PsgPublicKey.java b/Verifier/src/main/java/com/intel/bkp/ext/core/psgcertificate/model/PsgPublicKey.java index f99e244..17bc38a 100644 --- a/Verifier/src/main/java/com/intel/bkp/ext/core/psgcertificate/model/PsgPublicKey.java +++ b/Verifier/src/main/java/com/intel/bkp/ext/core/psgcertificate/model/PsgPublicKey.java @@ -34,7 +34,6 @@ package com.intel.bkp.ext.core.psgcertificate.model; import com.intel.bkp.ext.core.interfaces.IPsgFormat; -import com.intel.bkp.ext.utils.HexConverter; import lombok.Getter; import lombok.Setter; @@ -68,8 +67,4 @@ public byte[] array() { .put(pointY) .array(); } - - public String toHex() { - return HexConverter.toHex(array()); - } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/command/MailboxCommandLayer.java b/Verifier/src/main/java/com/intel/bkp/verifier/command/MailboxCommandLayer.java index df5cad0..f3fe0a6 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/command/MailboxCommandLayer.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/command/MailboxCommandLayer.java @@ -34,7 +34,6 @@ package com.intel.bkp.verifier.command; import com.intel.bkp.ext.utils.ByteBufferSafe; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.command.header.CommandHeader; import com.intel.bkp.verifier.command.header.CommandHeaderManager; import com.intel.bkp.verifier.interfaces.CommandLayer; @@ -44,6 +43,8 @@ import java.nio.ByteBuffer; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + @Slf4j public class MailboxCommandLayer implements CommandLayer { 
@@ -56,13 +57,13 @@ public byte[] create(Message data, CommandIdentifier command) { final byte[] dataBytes = data.array(); final byte[] header = buildCommandHeader(commandCode, getArgumentsLen(dataBytes), 0, CLIENT_IDENTIFIER); final byte[] rawData = withAppendedHeader(dataBytes, header); - log.trace("Sending raw data for command {}: {}", command.name(), HexConverter.toHex(rawData)); + log.trace("Sending raw data for command {}: {}", command.name(), toHex(rawData)); return rawData; } @Override public byte[] retrieve(byte[] data, CommandIdentifier command) { - log.trace("Received raw data for response {}: {}", command.name(), HexConverter.toHex(data)); + log.trace("Received raw data for response {}: {}", command.name(), toHex(data)); CommandHeaderManager.validateCommandHeaderCode(data, command.name()); return ByteBufferSafe.wrap(data).skip(COMMAND_HEADER_LEN).getRemaining(); } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/command/logger/ILogger.java b/Verifier/src/main/java/com/intel/bkp/verifier/command/logger/ILogger.java index 0bbbc1f..3c3bac8 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/command/logger/ILogger.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/command/logger/ILogger.java @@ -33,7 +33,7 @@ package com.intel.bkp.verifier.command.logger; -import com.intel.bkp.ext.utils.HexConverter; +import static com.intel.bkp.ext.utils.HexConverter.toHex; public interface ILogger { @@ -42,6 +42,6 @@ default byte[] array() { } default String hex() { - return HexConverter.toHex(array()); + return toHex(array()); } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/command/messages/attestation/GetMeasurementMessageBuilder.java b/Verifier/src/main/java/com/intel/bkp/verifier/command/messages/attestation/GetMeasurementMessageBuilder.java index c89f754..f8fbac8 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/command/messages/attestation/GetMeasurementMessageBuilder.java 
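Review bot: Both `log.trace` calls in `create` and `retrieve` hex-encode the complete mailbox frame before the logger decides whether TRACE is enabled, and when it is enabled the full command and response payloads are written to the log. If any of these commands carry session or key-related material (not visible in this hunk), that is a log-exposure risk; consider logging only `command.name()` and the frame length, or at minimum wrapping the calls in `if (log.isTraceEnabled())` so the conversion is skipped in normal operation. In `retrieve` the received bytes are also formatted before `CommandHeaderManager.validateCommandHeaderCode` runs, so an unvalidated frame of any size is converted first.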
+++ b/Verifier/src/main/java/com/intel/bkp/verifier/command/messages/attestation/GetMeasurementMessageBuilder.java @@ -36,7 +36,6 @@ import com.intel.bkp.ext.core.manufacturing.model.PufType; import com.intel.bkp.ext.utils.ByteBufferSafe; import com.intel.bkp.ext.utils.ByteSwap; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.command.messages.VerifierDHCertBuilder; import com.intel.bkp.verifier.command.messages.VerifierDhEntryManager; import com.intel.bkp.verifier.model.RootChainType; @@ -45,6 +44,7 @@ import java.nio.ByteBuffer; import static com.intel.bkp.ext.utils.ByteSwapOrder.B2L; +import static com.intel.bkp.ext.utils.HexConverter.fromHex; import static com.intel.bkp.verifier.command.Magic.GET_MEASUREMENT; @NoArgsConstructor @@ -82,7 +82,7 @@ public GetMeasurementMessageBuilder pufType(PufType pufType) { public GetMeasurementMessageBuilder context(String context) { ByteBuffer.allocate(CONTEXT_LEN) - .put(HexConverter.fromHex(context)) + .put(fromHex(context)) .rewind() .get(this.verifierInputContext); return this; diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/command/messages/subkey/CreateAttestationSubKeyMessageBuilder.java b/Verifier/src/main/java/com/intel/bkp/verifier/command/messages/subkey/CreateAttestationSubKeyMessageBuilder.java index 338ceea..b46dc1c 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/command/messages/subkey/CreateAttestationSubKeyMessageBuilder.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/command/messages/subkey/CreateAttestationSubKeyMessageBuilder.java @@ -36,7 +36,6 @@ import com.intel.bkp.ext.core.manufacturing.model.PufType; import com.intel.bkp.ext.utils.ByteBufferSafe; import com.intel.bkp.ext.utils.ByteSwap; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.command.messages.VerifierDHCertBuilder; import com.intel.bkp.verifier.command.messages.VerifierDhEntryManager; import com.intel.bkp.verifier.model.RootChainType; 
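Review bot: `context(String context)` copies `fromHex(context)` into a buffer of `CONTEXT_LEN` bytes without checking the decoded length, so an over-long value would surface as a raw `BufferOverflowException` from `ByteBuffer.put` instead of a verifier-level error. A guard before the copy, for example `if (bytes.length > CONTEXT_LEN) throw new IllegalArgumentException("context too long");`, would make the limit explicit; a shorter value appears to be zero-padded, which deserves a one-line comment if it is intended. `CreateAttestationSubKeyMessageBuilder.context` in the next file has the same shape. The builder class starts and ends outside this hunk.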
@@ -44,6 +43,7 @@ import java.nio.ByteBuffer; import static com.intel.bkp.ext.utils.ByteSwapOrder.B2L; +import static com.intel.bkp.ext.utils.HexConverter.fromHex; import static com.intel.bkp.verifier.command.Magic.CREATE_SUBKEY; public class CreateAttestationSubKeyMessageBuilder { @@ -81,7 +81,7 @@ public CreateAttestationSubKeyMessageBuilder pufType(PufType pufType) { public CreateAttestationSubKeyMessageBuilder context(String context) { ByteBuffer.allocate(CONTEXT_LEN) - .put(HexConverter.fromHex(context)) + .put(fromHex(context)) .rewind() .get(this.verifierInputContext); return this; diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/command/messages/subkey/VerifierChainBackupUtil.java b/Verifier/src/main/java/com/intel/bkp/verifier/command/messages/subkey/VerifierChainBackupUtil.java index b3be9bb..badbace 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/command/messages/subkey/VerifierChainBackupUtil.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/command/messages/subkey/VerifierChainBackupUtil.java @@ -33,7 +33,6 @@ package com.intel.bkp.verifier.command.messages.subkey; -import com.intel.bkp.ext.utils.HexConverter; import lombok.NoArgsConstructor; import lombok.extern.slf4j.Slf4j; @@ -41,6 +40,8 @@ import java.nio.file.Path; import java.security.SecureRandom; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + @Slf4j @NoArgsConstructor public class VerifierChainBackupUtil { @@ -76,6 +77,6 @@ long getTimestamp() { String getRandomizedHex() { final byte[] randomized = new byte[Integer.BYTES]; new SecureRandom().nextBytes(randomized); - return HexConverter.toHex(randomized); + return toHex(randomized); } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/attestation/DeviceStateMeasurementRecord.java b/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/attestation/DeviceStateMeasurementRecord.java index 176b190..ed7ba60 100644 
--- a/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/attestation/DeviceStateMeasurementRecord.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/attestation/DeviceStateMeasurementRecord.java @@ -36,10 +36,11 @@ import com.intel.bkp.ext.utils.ByteBufferSafe; import com.intel.bkp.ext.utils.ByteSwap; import com.intel.bkp.ext.utils.ByteSwapOrder; -import com.intel.bkp.ext.utils.HexConverter; import java.nio.ByteBuffer; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + public class DeviceStateMeasurementRecord { private static final int FLAGS_LEN = Integer.BYTES; @@ -57,7 +58,7 @@ public DeviceStateMeasurementRecord(ByteBufferSafe buffer) { } public String getData() { - return HexConverter.toHex(ByteBuffer.allocate(flags.length + counters.length) + return toHex(ByteBuffer.allocate(flags.length + counters.length) .put(flags) .put(counters) .array()); diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/attestation/UserDesignMeasurementRecord.java b/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/attestation/UserDesignMeasurementRecord.java index 7488aa2..64d0a0d 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/attestation/UserDesignMeasurementRecord.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/attestation/UserDesignMeasurementRecord.java @@ -34,7 +34,8 @@ package com.intel.bkp.verifier.command.responses.attestation; import com.intel.bkp.ext.utils.ByteBufferSafe; -import com.intel.bkp.ext.utils.HexConverter; + +import static com.intel.bkp.ext.utils.HexConverter.toHex; public class UserDesignMeasurementRecord { @@ -45,6 +46,6 @@ public UserDesignMeasurementRecord(ByteBufferSafe buffer) { } public String getData() { - return HexConverter.toHex(measurementValue); + return toHex(measurementValue); } } 
diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/chip/GetCertificateResponseBuilder.java b/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/chip/GetCertificateResponseBuilder.java index a08770b..0c0ab8a 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/chip/GetCertificateResponseBuilder.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/chip/GetCertificateResponseBuilder.java @@ -36,13 +36,11 @@ import com.intel.bkp.ext.utils.ByteBufferSafe; import com.intel.bkp.verifier.exceptions.SigmaException; import com.intel.bkp.verifier.model.CertificateRequestType; -import lombok.Getter; import lombok.Setter; import lombok.extern.slf4j.Slf4j; import static com.intel.bkp.ext.utils.HexConverter.toHex; -@Getter @Setter @Slf4j public class GetCertificateResponseBuilder { diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/chip/GetChipIdResponseBuilder.java b/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/chip/GetChipIdResponseBuilder.java index 57beccc..b16d2b7 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/chip/GetChipIdResponseBuilder.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/chip/GetChipIdResponseBuilder.java @@ -34,10 +34,8 @@ package com.intel.bkp.verifier.command.responses.chip; import com.intel.bkp.ext.utils.ByteBufferSafe; -import lombok.Getter; import lombok.Setter; -@Getter @Setter public class GetChipIdResponseBuilder { diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/chip/SigmaTeardownResponseBuilder.java b/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/chip/SigmaTeardownResponseBuilder.java index a6a4cc7..5d30fa4 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/chip/SigmaTeardownResponseBuilder.java 
+++ b/Verifier/src/main/java/com/intel/bkp/verifier/command/responses/chip/SigmaTeardownResponseBuilder.java @@ -33,11 +33,8 @@ package com.intel.bkp.verifier.command.responses.chip; -import lombok.Getter; -import lombok.Setter; +import com.intel.bkp.verifier.exceptions.SigmaException; -@Getter -@Setter public class SigmaTeardownResponseBuilder { public SigmaTeardownResponse build() { @@ -45,6 +42,10 @@ public SigmaTeardownResponse build() { } public SigmaTeardownResponseBuilder parse(byte[] message) { + if (message.length > 0) { + throw new SigmaException( + String.format("Message size invalid. Expected: %d, Actual: %d", 0, message.length)); + } return this; } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/database/repository/DiceRevocationCacheEntityService.java b/Verifier/src/main/java/com/intel/bkp/verifier/database/repository/DiceRevocationCacheEntityService.java index 4a582b6..54dcc8f 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/database/repository/DiceRevocationCacheEntityService.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/database/repository/DiceRevocationCacheEntityService.java @@ -33,7 +33,6 @@ package com.intel.bkp.verifier.database.repository; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.database.model.DiceRevocationCacheEntity; import com.intel.bkp.verifier.database.table.DiceTableDefinition; import lombok.extern.slf4j.Slf4j; @@ -42,6 +41,8 @@ import java.sql.Connection; import java.util.Optional; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + @Slf4j public class DiceRevocationCacheEntityService extends CacheEntityServiceBase { @@ -56,7 +57,7 @@ public DiceRevocationCacheEntityService store(DiceRevocationCacheEntity entity) } public Optional read(byte[] deviceId) { - final String deviceIdHex = HexConverter.toHex(deviceId); + final String deviceIdHex = toHex(deviceId); log.debug("Reading cached entity for deviceId: {}", deviceIdHex); return select(getResultsHandler()) 
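Review bot: The new length check in `SigmaTeardownResponseBuilder.parse` dereferences `message` directly, so a null response would fail with a `NullPointerException` rather than the `SigmaException` thrown for a non-empty one. If null can reach this builder (the caller is not visible here), reject it explicitly before the length test, e.g. `if (message == null) throw new SigmaException("Message is null.");` using whichever `SigmaException` constructor takes a message only. The format string is also fed the literal `0` as its expected size; a named constant would make the intent of an empty teardown response clearer.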
diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/database/repository/S10CacheEntityService.java b/Verifier/src/main/java/com/intel/bkp/verifier/database/repository/S10CacheEntityService.java index c8fabf4..61e5a5b 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/database/repository/S10CacheEntityService.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/database/repository/S10CacheEntityService.java @@ -33,7 +33,6 @@ package com.intel.bkp.verifier.database.repository; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.database.model.S10CacheEntity; import com.intel.bkp.verifier.database.table.S10TableDefinition; import lombok.extern.slf4j.Slf4j; @@ -42,6 +41,8 @@ import java.sql.Connection; import java.util.Optional; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + @Slf4j public class S10CacheEntityService extends CacheEntityServiceBase { @@ -56,7 +57,7 @@ public S10CacheEntityService store(S10CacheEntity entity) { } public Optional read(byte[] deviceId) { - final String deviceIdHex = HexConverter.toHex(deviceId); + final String deviceIdHex = toHex(deviceId); log.debug("Reading cached entity for deviceId: {}", deviceIdHex); return select(getResultsHandler()) diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/dp/DistributionPointConnector.java b/Verifier/src/main/java/com/intel/bkp/verifier/dp/DistributionPointConnector.java index ba1b0ef..2879c48 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/dp/DistributionPointConnector.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/dp/DistributionPointConnector.java 
@@ -44,21 +44,20 @@ import java.net.http.HttpClient; import java.net.http.HttpRequest; import java.net.http.HttpResponse; +import java.time.Duration; import java.util.Optional; @Slf4j public class DistributionPointConnector { + public static final int CONNECTION_TIMEOUT_SECONDS = 10; + public static final int REQUEST_TIMEOUT_SECONDS = 15; private final ProxySelector proxy; public DistributionPointConnector(Proxy proxy) { this.proxy = ProxyCallbackFactory.get(proxy.getHost(), proxy.getPort()).get(); } - public String getString(String url) { - return getHttpResponseBody(url, HttpResponse.BodyHandlers.ofString()); - } - public byte[] getBytes(String url) { return getHttpResponseBody(url, HttpResponse.BodyHandlers.ofByteArray()); } @@ -72,7 +71,7 @@ public Optional tryGetBytes(String url) { responseBody = Optional.of(response.body()); } } catch (IOException | InterruptedException e) { - log.warn("Failed to get http response.", e); + log.error("Failed to get http response.", e); } return responseBody; } @@ -95,6 +94,7 @@ private HttpResponse tryGetHttpResponse(String url, HttpResponse.BodyHand return HttpClient.newBuilder() .proxy(proxy) + .connectTimeout(Duration.ofSeconds(CONNECTION_TIMEOUT_SECONDS)) .build() .send(getHttpRequest(url), bodyHandler); } @@ -102,6 +102,7 @@ private HttpResponse tryGetHttpResponse(String url, HttpResponse.BodyHand private HttpRequest getHttpRequest(String url) { log.info("Performing request to: {}", url); return HttpRequest.newBuilder(URI.create(url)) + .timeout(Duration.ofSeconds(REQUEST_TIMEOUT_SECONDS)) .GET() .build(); } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CacheEntityDoesNotExistException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CacheEntityDoesNotExistException.java index 4bb9e95..ff76c20 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CacheEntityDoesNotExistException.java 
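Review bot: The added connect and request timeouts bound how long a fetch may stall, but `getBytes` and `tryGetBytes` still read with `HttpResponse.BodyHandlers.ofByteArray()`, which buffers the whole response in memory with no size limit. If the URLs originate from certificate or CRL distribution-point fields (inferred from the class name, not shown in this hunk), a very large response can still exhaust the heap. Consider checking the `Content-Length` header against a maximum before accepting the body, or reading through a bounded stream, and document the limit next to `REQUEST_TIMEOUT_SECONDS`.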
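Review bot: In `tryGetBytes`, the catch for `IOException | InterruptedException` only logs, so an interrupt is swallowed and the thread's interrupted status is lost; raising the level from `log.warn` to `log.error` does not change that. Catch `InterruptedException` separately and restore the flag with `Thread.currentThread().interrupt();` before returning the empty `Optional`. The method body begins outside this hunk.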
+++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CacheEntityDoesNotExistException.java @@ -33,7 +33,7 @@ package com.intel.bkp.verifier.exceptions; -public class CacheEntityDoesNotExistException extends RuntimeException { +public class CacheEntityDoesNotExistException extends VerifierRuntimeException { public CacheEntityDoesNotExistException() { super("Call CreateAttestationSubKey API first."); diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CommandFailedException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CommandFailedException.java index f3cc891..32ee6b9 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CommandFailedException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CommandFailedException.java @@ -35,7 +35,7 @@ import com.intel.bkp.verifier.command.header.CommandHeader; -public class CommandFailedException extends RuntimeException { +public class CommandFailedException extends VerifierRuntimeException { public CommandFailedException(String responseName, CommandHeader parsedHeader) { this(responseName, parsedHeader.getId(), parsedHeader.getClient(), parsedHeader.getCode()); diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/ConnectionException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/ConnectionException.java index a3f0902..efad955 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/ConnectionException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/ConnectionException.java @@ -33,7 +33,7 @@ package com.intel.bkp.verifier.exceptions; -public class ConnectionException extends RuntimeException { +public class ConnectionException extends VerifierRuntimeException { public ConnectionException(String message) { super(message); 
diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CrlSignatureException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CrlSignatureException.java index 0a05216..4232033 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CrlSignatureException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CrlSignatureException.java @@ -33,7 +33,7 @@ package com.intel.bkp.verifier.exceptions; -public class CrlSignatureException extends RuntimeException { +public class CrlSignatureException extends VerifierRuntimeException { public CrlSignatureException(String message) { super(message); diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/DatabaseException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/DatabaseException.java index 3a73ef2..43b58a8 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/DatabaseException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/DatabaseException.java @@ -33,10 +33,7 @@ package com.intel.bkp.verifier.exceptions; -import lombok.NoArgsConstructor; - -@NoArgsConstructor -public class DatabaseException extends RuntimeException { +public class DatabaseException extends VerifierRuntimeException { public DatabaseException(String message, Throwable cause) { super(message, cause); diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/InternalLibraryException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/InternalLibraryException.java index a5246b0..7f5a999 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/InternalLibraryException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/InternalLibraryException.java 
@@ -33,7 +33,7 @@ package com.intel.bkp.verifier.exceptions; -public class InternalLibraryException extends RuntimeException { +public class InternalLibraryException extends VerifierRuntimeException { public InternalLibraryException(String message, Throwable e) { super(message, e); diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/JtagResponseException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/JtagResponseException.java index 37daa3a..582202b 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/JtagResponseException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/JtagResponseException.java @@ -33,7 +33,7 @@ package com.intel.bkp.verifier.exceptions; -public class JtagResponseException extends RuntimeException { +public class JtagResponseException extends VerifierRuntimeException { public JtagResponseException(String internalMessage) { super(internalMessage); } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/SectionTypeException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/SectionTypeException.java index a463358..cc89e36 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/SectionTypeException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/SectionTypeException.java @@ -33,7 +33,7 @@ package com.intel.bkp.verifier.exceptions; -public class SectionTypeException extends IllegalArgumentException { +public class SectionTypeException extends VerifierRuntimeException { public SectionTypeException(String message) { super(message); diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/SigmaException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/SigmaException.java index a3bec55..ec03235 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/SigmaException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/SigmaException.java 
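Review bot: `SectionTypeException` no longer extends `IllegalArgumentException`, so any existing `catch (IllegalArgumentException e)` around section-type parsing silently stops catching it; `TcbInfoFieldException` in the following file changes the same way. The body of `VerifierRuntimeException` is not in view, so its own superclass cannot be confirmed here, but the callers of both parsers should be checked for handlers keyed on the old type. A class-level comment such as `/** Thrown for an unrecognised section type; part of the VerifierRuntimeException hierarchy. */` would record the contract, and the class body continues outside this hunk.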
@@ -33,7 +33,7 @@ package com.intel.bkp.verifier.exceptions; -public class SigmaException extends RuntimeException { +public class SigmaException extends VerifierRuntimeException { public SigmaException(String message, Throwable e) { super(message, e); diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/TcbInfoFieldException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/TcbInfoFieldException.java index e2f5d79..c9bdb68 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/TcbInfoFieldException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/TcbInfoFieldException.java @@ -33,7 +33,7 @@ package com.intel.bkp.verifier.exceptions; -public class TcbInfoFieldException extends IllegalArgumentException { +public class TcbInfoFieldException extends VerifierRuntimeException { public TcbInfoFieldException(String message) { super(message); diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/TclCommandException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/TclCommandException.java index 30ac33d..04191ce 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/TclCommandException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/TclCommandException.java @@ -33,7 +33,7 @@ package com.intel.bkp.verifier.exceptions; -public class TclCommandException extends RuntimeException { +public class TclCommandException extends VerifierRuntimeException { public TclCommandException(String message, Throwable e) { super(message, e); } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/TransportLayerException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/TransportLayerException.java index bd52222..faa09fc 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/TransportLayerException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/TransportLayerException.java 
@@ -33,7 +33,7 @@ package com.intel.bkp.verifier.exceptions; -public class TransportLayerException extends RuntimeException { +public class TransportLayerException extends VerifierRuntimeException { public TransportLayerException(String msg, Throwable e) { super(msg, e); } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/VerifierKeyNotInitializedException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/VerifierKeyNotInitializedException.java index c31d7e1..d21f97b 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/VerifierKeyNotInitializedException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/VerifierKeyNotInitializedException.java @@ -33,7 +33,7 @@ package com.intel.bkp.verifier.exceptions; -public class VerifierKeyNotInitializedException extends RuntimeException { +public class VerifierKeyNotInitializedException extends VerifierRuntimeException { public VerifierKeyNotInitializedException() { super("User must initialize Verifier Key first."); diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CertificateChainSigmaException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/VerifierRuntimeException.java similarity index 87% rename from Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CertificateChainSigmaException.java rename to Verifier/src/main/java/com/intel/bkp/verifier/exceptions/VerifierRuntimeException.java index 08fc20d..1cabc3d 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/CertificateChainSigmaException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/VerifierRuntimeException.java 
@@ -33,13 +33,12 @@ package com.intel.bkp.verifier.exceptions; -public class CertificateChainSigmaException extends SigmaException { - - public CertificateChainSigmaException(String message, Throwable e) { - super(message, e); +public class VerifierRuntimeException extends RuntimeException { + public VerifierRuntimeException(String message) { + super(message); } - public CertificateChainSigmaException(String message) { - super(message); + public VerifierRuntimeException(String message, Throwable throwable) { + super(message, throwable); } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/X509ParsingException.java b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/X509ParsingException.java index 6bd3531..d88a70d 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/X509ParsingException.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/exceptions/X509ParsingException.java @@ -33,7 +33,7 @@ package com.intel.bkp.verifier.exceptions; -public class X509ParsingException extends RuntimeException { +public class X509ParsingException extends VerifierRuntimeException { public X509ParsingException(String message, Throwable e) { super(message, e); diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/DiceParams.java b/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/DiceParams.java index 13d23ca..7043d47 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/DiceParams.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/DiceParams.java 
@@ -35,12 +35,14 @@ import com.intel.bkp.ext.utils.ByteSwap; import com.intel.bkp.ext.utils.ByteSwapOrder; -import com.intel.bkp.ext.utils.HexConverter; import lombok.AllArgsConstructor; import lombok.Getter; import java.util.Locale; +import static com.intel.bkp.ext.utils.HexConverter.fromHex; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + /** * ski - Subject Key Identifier * uid - same as deviceId/chipId but reversed by 8-bytes, eg. deviceId = 0102030405060708 -> uid = 0807060504030201. @@ -67,8 +69,7 @@ public String toString() { protected final String getUidInLogsFormat() { // uid is used in diceParams on purpose (it is in Distribution Point format) // uidInLittleEndian is used to present it in logs in consistent format (as received from GET_CHIPID) - final String uidInLittleEndian = HexConverter.toHex(ByteSwap.getSwappedArrayByLong( - HexConverter.fromHex(uid), ByteSwapOrder.B2L)); - return uidInLittleEndian; + final byte[] uidInLittleEndian = ByteSwap.getSwappedArrayByLong(fromHex(uid), ByteSwapOrder.B2L); + return toHex(uidInLittleEndian); } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/FwidFieldParser.java b/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/FwidFieldParser.java index 6b7b2c5..7100a4e 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/FwidFieldParser.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/FwidFieldParser.java @@ -33,7 +33,6 @@ package com.intel.bkp.verifier.model.dice; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.interfaces.ITcbInfoFieldParser; import lombok.extern.slf4j.Slf4j; import org.bouncycastle.asn1.ASN1Encodable; @@ -42,6 +41,8 @@ import org.bouncycastle.asn1.ASN1TaggedObject; import org.bouncycastle.asn1.DEROctetString; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + @Slf4j public class FwidFieldParser extends BaseExtensionParser implements ITcbInfoFieldParser { 
@@ -74,7 +75,7 @@ private void mapToField(FwIdField field, ASN1Encodable obj) { if (obj instanceof ASN1ObjectIdentifier) { field.setHashAlg(parseAsn1Identifier(obj)); } else if (obj instanceof DEROctetString) { - field.setDigest(HexConverter.toHex(parseOctetString(obj))); + field.setDigest(toHex(parseOctetString(obj))); } } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/IntegerFieldParser.java b/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/IntegerFieldParser.java index c91bd2f..7474b38 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/IntegerFieldParser.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/IntegerFieldParser.java @@ -33,14 +33,15 @@ package com.intel.bkp.verifier.model.dice; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.interfaces.ITcbInfoFieldParser; import org.bouncycastle.asn1.ASN1TaggedObject; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + public class IntegerFieldParser extends BaseExtensionParser implements ITcbInfoFieldParser { @Override public Integer parse(ASN1TaggedObject object) { - return Integer.parseInt(HexConverter.toHex(parseOctetString(object)), 16); + return Integer.parseInt(toHex(parseOctetString(object)), 16); } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/OctetStringFieldParser.java b/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/OctetStringFieldParser.java index 046d6f6..85467f0 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/OctetStringFieldParser.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/OctetStringFieldParser.java 
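Review bot: IntegerFieldParser.parse lets a NumberFormatException escape, because `Integer.parseInt(..., 16)` rejects an empty string and any value above 0x7FFFFFFF. Assuming toHex returns the bytes as hex digits, an empty octet string, one longer than four bytes, or a four-byte one with the top bit set all fail here. The field presumably comes from a certificate extension, which is input the verifier does not control, and the error bypasses the package's own exception types that this commit is unifying. Catch it and rethrow as the existing field exception: `try { return Integer.parseInt(hex, 16); } catch (NumberFormatException e) { throw new TcbInfoFieldException("Invalid integer field: " + hex); }`.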
@@ -33,16 +33,17 @@ package com.intel.bkp.verifier.model.dice; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.interfaces.ITcbInfoFieldParser; import org.bouncycastle.asn1.ASN1TaggedObject; import java.util.Locale; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + public class OctetStringFieldParser extends BaseExtensionParser implements ITcbInfoFieldParser { @Override public String parse(ASN1TaggedObject object) { - return HexConverter.toHex(parseOctetString(object)).toLowerCase(Locale.ROOT); + return toHex(parseOctetString(object)).toLowerCase(Locale.ROOT); } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/OperationalFlagsFieldParser.java b/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/OperationalFlagsFieldParser.java index b0c64d3..64594c3 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/OperationalFlagsFieldParser.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/model/dice/OperationalFlagsFieldParser.java @@ -33,14 +33,15 @@ package com.intel.bkp.verifier.model.dice; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.interfaces.ITcbInfoFieldParser; import org.bouncycastle.asn1.ASN1TaggedObject; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + public class OperationalFlagsFieldParser extends BaseExtensionParser implements ITcbInfoFieldParser { @Override public String parse(ASN1TaggedObject object) { - return HexConverter.toHex(parseBitString(object)); + return toHex(parseBitString(object)); } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/model/s10/S10Params.java b/Verifier/src/main/java/com/intel/bkp/verifier/model/s10/S10Params.java index 53cc1d9..8546686 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/model/s10/S10Params.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/model/s10/S10Params.java 
@@ -33,13 +33,14 @@ package com.intel.bkp.verifier.model.s10; -import com.intel.bkp.ext.utils.HexConverter; import lombok.AccessLevel; import lombok.Data; import lombok.Getter; import java.util.Locale; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + /** * deviceId - little endian chipId - as received from device. * pufType - big endian hex value of PufType. @@ -62,6 +63,6 @@ public String getPufType() { } public static S10Params from(byte[] deviceId, String pufTypeHex) { - return new S10Params(HexConverter.toHex(deviceId), pufTypeHex); + return new S10Params(toHex(deviceId), pufTypeHex); } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/service/CreateDeviceAttestationSubKeyComponent.java b/Verifier/src/main/java/com/intel/bkp/verifier/service/CreateDeviceAttestationSubKeyComponent.java index 1cd6edd..a45c899 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/service/CreateDeviceAttestationSubKeyComponent.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/service/CreateDeviceAttestationSubKeyComponent.java @@ -38,7 +38,6 @@ import com.intel.bkp.ext.core.psgcertificate.model.PsgPublicKey; import com.intel.bkp.ext.crypto.ecdh.EcdhKeyPair; import com.intel.bkp.ext.crypto.exceptions.EcdhKeyPairException; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.command.responses.subkey.CreateAttestationSubKeyResponse; import com.intel.bkp.verifier.command.responses.subkey.CreateAttestationSubKeyResponseBuilder; import com.intel.bkp.verifier.database.model.S10CacheEntity; @@ -59,6 +58,8 @@ import java.security.PublicKey; import java.security.SecureRandom; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + @Slf4j @RequiredArgsConstructor(access = AccessLevel.PACKAGE) public class CreateDeviceAttestationSubKeyComponent { 
@@ -139,8 +140,8 @@ private void createEntityInDatabase(AppContext appContext, byte[] deviceId, Stri .getSqLiteHelper() .getS10CacheEntityService() .store( - new S10CacheEntity(HexConverter.toHex(deviceId), context, counter, pufType.name(), - HexConverter.toHex(getAttestationSubKeyXY(subKeyResponseBuilder))) + new S10CacheEntity(toHex(deviceId), context, counter, pufType.name(), + toHex(getAttestationSubKeyXY(subKeyResponseBuilder))) ); } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/service/DiceAttestationComponent.java b/Verifier/src/main/java/com/intel/bkp/verifier/service/DiceAttestationComponent.java index d150bd1..7ac6f5f 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/service/DiceAttestationComponent.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/service/DiceAttestationComponent.java @@ -35,7 +35,6 @@ import com.intel.bkp.ext.crypto.ecdh.EcdhKeyPair; import com.intel.bkp.ext.crypto.exceptions.EcdhKeyPairException; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.command.responses.attestation.GetMeasurementResponse; import com.intel.bkp.verifier.command.responses.attestation.GetMeasurementResponseToTcbInfoMapper; import com.intel.bkp.verifier.database.model.DiceRevocationCacheEntity; @@ -69,6 +68,7 @@ import java.util.Optional; import static com.intel.bkp.ext.core.manufacturing.model.AttFamily.AGILEX; +import static com.intel.bkp.ext.utils.HexConverter.toHex; import static com.intel.bkp.verifier.model.CertificateRequestType.DEVICE_ID_ENROLLMENT; import static com.intel.bkp.verifier.model.CertificateRequestType.UDS_EFUSE_ALIAS; import static com.intel.bkp.verifier.model.CertificateRequestType.UDS_IID_PUF_ALIAS; 
@@ -209,7 +209,7 @@ private void createRevokedEntityInDatabase(AppContext appContext, byte[] deviceI .getSqLiteHelper() .getDiceRevocationCacheEntityService() .store( - new DiceRevocationCacheEntity(HexConverter.toHex(deviceId), REVOKED) + new DiceRevocationCacheEntity(toHex(deviceId), REVOKED) ); } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/service/VerifierExchangeImpl.java b/Verifier/src/main/java/com/intel/bkp/verifier/service/VerifierExchangeImpl.java index 8eaec43..a41b805 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/service/VerifierExchangeImpl.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/service/VerifierExchangeImpl.java @@ -34,7 +34,6 @@ package com.intel.bkp.verifier.service; import com.intel.bkp.ext.core.manufacturing.model.PufType; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.exceptions.VerifierKeyNotInitializedException; import com.intel.bkp.verifier.interfaces.TransportLayer; import com.intel.bkp.verifier.interfaces.VerifierExchange; @@ -47,6 +46,8 @@ import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + @Slf4j @RequiredArgsConstructor(access = AccessLevel.PACKAGE) public class VerifierExchangeImpl implements VerifierExchange { @@ -114,7 +115,7 @@ int createSubKeyInternal(AppContext appContext, String transportId, String conte transportLayer.initialize(transportId); final byte[] deviceId = initSessionComponent.initializeSessionForDeviceId(); log.info("CREATE_ATTESTATION_SUBKEY will be performed for device of id: {}", - HexConverter.toHex(deviceId)); + toHex(deviceId)); return createSubKeyComponent.perform(context, pufType, deviceId) .getCode(); 
@@ -134,9 +135,9 @@ VerifierExchangeResponseDTO getAttestationInternal( try { transportLayer.initialize(transportId); final byte[] deviceId = initSessionComponent.initializeSessionForDeviceId(); - response.setDeviceId(HexConverter.toHex(deviceId)); + response.setDeviceId(toHex(deviceId)); log.info("GET_MEASUREMENT will be performed for device of id: {}", - HexConverter.toHex(deviceId)); + toHex(deviceId)); response.setStatus(getAttestationComponent.perform(refMeasurement, deviceId) .getCode()); @@ -153,7 +154,7 @@ int healthCheckInternal(AppContext appContext, String transportId) { final TransportLayer transportLayer = appContext.getTransportLayer(); try { transportLayer.initialize(transportId); - final String result = HexConverter.toHex(transportLayer.sendCommand(GET_CHIPID)); + final String result = toHex(transportLayer.sendCommand(GET_CHIPID)); log.info("Health check result: {}", result); return StringUtils.isBlank(result) ? VerifierExchangeResponse.ERROR.getCode() diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceAliasChainVerifier.java b/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceAliasChainVerifier.java new file mode 100644 index 0000000..baf0201 --- /dev/null +++ b/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceAliasChainVerifier.java 
@@ -0,0 +1,57 @@ +/* + * This project is licensed as below. + * + * ************************************************************************** + * + * Copyright 2020-2021 Intel Corporation. All Rights Reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER + * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + * ************************************************************************** + * + */ + +package com.intel.bkp.verifier.service.certificate; + +import com.intel.bkp.verifier.exceptions.SigmaException; +import com.intel.bkp.verifier.model.TrustedRootHash; + +import static com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier.KEY_PURPOSE_ATTEST_INIT; +import static com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier.KEY_PURPOSE_ATTEST_LOC; + +public class DiceAliasChainVerifier extends DiceChainVerifierBase { + + public DiceAliasChainVerifier(ICrlProvider crlProvider, TrustedRootHash trustedRootHash) { + super(crlProvider, trustedRootHash); + } + + @Override + protected String[] getExpectedLeafCertKeyPurposes() { + return new String[]{KEY_PURPOSE_ATTEST_INIT, KEY_PURPOSE_ATTEST_LOC}; + } + + @Override + protected void handleVerificationFailure(String failureDetails) { + throw new SigmaException(failureDetails); + } +} diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceAttestationRevocationService.java b/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceAttestationRevocationService.java index 6fd685c..9214c59 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceAttestationRevocationService.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceAttestationRevocationService.java @@ -55,7 +55,7 @@ public class DiceAttestationRevocationService { private final DistributionPointConnector connector; - private final DiceCertificateVerifier diceCertificateVerifier; + private final DiceAliasChainVerifier diceAliasChainVerifier; private final X509CertificateParser certificateParser; private final DistributionPointAddressProvider addressProvider; 
@@ -72,13 +72,13 @@ public DiceAttestationRevocationService(AppContext appContext) { public DiceAttestationRevocationService(DistributionPoint dp) { this(new DistributionPointConnector(dp.getProxy()), - new DiceCertificateVerifier(new DistributionPointCrlProvider(dp.getProxy()), dp.getTrustedRootHash()), + new DiceAliasChainVerifier(new DistributionPointCrlProvider(dp.getProxy()), dp.getTrustedRootHash()), new X509CertificateParser(), new DistributionPointAddressProvider(dp.getPathCer())); } public DiceAttestationRevocationService withDeviceId(byte[] deviceId) { - diceCertificateVerifier.withDeviceId(deviceId); + diceAliasChainVerifier.setDeviceId(deviceId); return this; } @@ -134,11 +134,11 @@ private void fetchParents() { private void verifyChainsInternal() { log.debug("Verifying chain with EFUSE UDS that has {} certificates.", certificates.size()); - diceCertificateVerifier.verifyAliasChain(certificates); + diceAliasChainVerifier.verifyChain(certificates); if (!certificatesIID.isEmpty()) { log.debug("Verifying chain with IID UDS that has {} certificates.", certificatesIID.size()); - diceCertificateVerifier.verifyAliasChain(certificatesIID); + diceAliasChainVerifier.verifyChain(certificatesIID); } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceCertificateVerifier.java b/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceChainVerifierBase.java similarity index 73% rename from Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceCertificateVerifier.java rename to Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceChainVerifierBase.java index d624506..8d9134e 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceCertificateVerifier.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DiceChainVerifierBase.java 
@@ -33,7 +33,6 @@ package com.intel.bkp.verifier.service.certificate; -import com.intel.bkp.verifier.exceptions.SigmaException; import com.intel.bkp.verifier.model.TrustedRootHash; import com.intel.bkp.verifier.x509.X509CertificateChainVerifier; import com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier; @@ -42,6 +41,7 @@ import lombok.AccessLevel; import lombok.Getter; import lombok.RequiredArgsConstructor; +import lombok.Setter; import lombok.extern.slf4j.Slf4j; import java.security.cert.X509Certificate; @@ -52,19 +52,17 @@ import static com.intel.bkp.verifier.model.AttestationOid.TCG_DICE_TCB_INFO; import static com.intel.bkp.verifier.model.AttestationOid.TCG_DICE_UEID; import static com.intel.bkp.verifier.x509.X509CertificateBasicConstraintsVerifier.CA_TRUE_PATHLENGTH_NONE; -import static com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier.KEY_PURPOSE_ATTEST_INIT; -import static com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier.KEY_PURPOSE_ATTEST_LOC; @Slf4j @Getter(AccessLevel.PACKAGE) @RequiredArgsConstructor(access = AccessLevel.PACKAGE) -public class DiceCertificateVerifier { +public abstract class DiceChainVerifierBase { private static final int ROOT_BASIC_CONSTRAINTS = CA_TRUE_PATHLENGTH_NONE; private static final Set DICE_EXTENSION_OIDS = Set.of(TCG_DICE_TCB_INFO.getOid(), TCG_DICE_MULTI_TCB_INFO.getOid(), TCG_DICE_UEID.getOid()); - protected final X509CertificateExtendedKeyUsageVerifier extendedKeyUsageVerifier; + private final X509CertificateExtendedKeyUsageVerifier extendedKeyUsageVerifier; private final X509CertificateChainVerifier certificateChainVerifier; private final CrlVerifier crlVerifier; private final RootHashVerifier rootHashVerifier; 
@@ -72,48 +70,44 @@ public class DiceCertificateVerifier { private final X509CertificateSubjectKeyIdentifierVerifier subjectKeyIdentifierVerifier; private final TrustedRootHash trustedRootHash; + @Setter private byte[] deviceId; - public DiceCertificateVerifier(ICrlProvider crlProvider, TrustedRootHash trustedRootHash) { + protected DiceChainVerifierBase(ICrlProvider crlProvider, TrustedRootHash trustedRootHash) { this(new X509CertificateExtendedKeyUsageVerifier(), new X509CertificateChainVerifier(), new CrlVerifier(crlProvider), new RootHashVerifier(), new X509CertificateUeidVerifier(), new X509CertificateSubjectKeyIdentifierVerifier(), trustedRootHash); } - public DiceCertificateVerifier withDeviceId(byte[] deviceId) { - this.deviceId = deviceId; - return this; - } - - public void verifyAliasChain(LinkedList certificates) { - verifyCommon(certificates); + protected abstract String[] getExpectedLeafCertKeyPurposes(); - if (!extendedKeyUsageVerifier.certificate(certificates.getFirst()) - .verify(KEY_PURPOSE_ATTEST_INIT, KEY_PURPOSE_ATTEST_LOC)) { - throw new SigmaException("Alias certificate is invalid."); - } - } + protected abstract void handleVerificationFailure(String failureDetails); - protected void verifyCommon(LinkedList certificates) { + public void verifyChain(LinkedList certificates) { if (!certificateChainVerifier.certificates(certificates).rootBasicConstraints(ROOT_BASIC_CONSTRAINTS) .knownExtensionOids(DICE_EXTENSION_OIDS).verify()) { - throw new SigmaException("Parent signature verification in X509 attestation chain failed."); + handleVerificationFailure("Parent signature verification in X509 attestation chain failed."); } if (!ueidVerifier.certificates(certificates).verify(deviceId)) { - throw new SigmaException("One of certificates in X509 attestation chain has invalid UEID extension value."); + handleVerificationFailure( + "One of certificates in X509 attestation chain has invalid UEID extension value."); } if 
(!subjectKeyIdentifierVerifier.certificates(certificates).verify()) { - throw new SigmaException("One of certificates in X509 attestation chain has invalid SKI extension value."); + handleVerificationFailure("One of certificates in X509 attestation chain has invalid SKI extension value."); } if (!rootHashVerifier.verifyRootHash(certificates.getLast(), trustedRootHash.getDice())) { - throw new SigmaException("Root hash in X509 DICE chain is different from trusted root hash."); + handleVerificationFailure("Root hash in X509 DICE chain is different from trusted root hash."); } if (!crlVerifier.certificates(certificates).doNotRequireCrlForLeafCertificate().verify()) { - throw new SigmaException("One of the certificates in chain is revoked."); + handleVerificationFailure("One of the certificates in chain is revoked."); + } + + if (!extendedKeyUsageVerifier.certificate(certificates.getFirst()).verify(getExpectedLeafCertKeyPurposes())) { + handleVerificationFailure("Leaf certificate has invalid key usages."); } } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DistributionPointCrlProvider.java b/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DistributionPointCrlProvider.java index 597132e..b2fa2dd 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DistributionPointCrlProvider.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/DistributionPointCrlProvider.java @@ -55,11 +55,8 @@ public DistributionPointCrlProvider(Proxy proxy) { this(new DistributionPointConnector(proxy)); } + @Override public X509CRL getCrl(String crlUrl) { - return downloadCrl(crlUrl); - } - - private X509CRL downloadCrl(String crlUrl) { final byte[] crlBytes = connector.getBytes(crlUrl); try { return toX509Crl(crlBytes); 
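Review bot: verifyChain no longer fails closed on its own, because each failed check calls `handleVerificationFailure(...)` and then falls through to the next check, so a chain is rejected only if every override throws. DiceAliasChainVerifier does throw SigmaException, but nothing on the abstract declaration forbids returning normally, and a subclass that only logs would accept a chain with a bad signature, UEID, SKI, root hash, revocation status or key usage. State the contract on the abstract method, e.g. `/** Must throw; returning normally lets verifyChain continue past a failed check. */`, or keep the throw in the base class and let subclasses only build the exception: `throw createVerificationFailure("...");`. The same pattern is in S10ChainVerifier.verifyChain, where `handleVerificationFailure` is a protected, overridable method of a non-final class.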
diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/S10AttestationRevocationService.java b/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/S10AttestationRevocationService.java index 18765ab..0e022e8 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/S10AttestationRevocationService.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/S10AttestationRevocationService.java @@ -53,7 +53,7 @@ public class S10AttestationRevocationService { private final X509CertificateParser certificateParser; - private final S10CertificateVerifier s10CertificateVerifier; + private final S10ChainVerifier s10ChainVerifier; private final DistributionPointConnector connector; private final DistributionPointAddressProvider addressProvider; @@ -69,7 +69,7 @@ public S10AttestationRevocationService(AppContext appContext) { public S10AttestationRevocationService(DistributionPoint dp) { this(new X509CertificateParser(), - new S10CertificateVerifier(new DistributionPointCrlProvider(dp.getProxy()), dp.getTrustedRootHash()), + new S10ChainVerifier(new DistributionPointCrlProvider(dp.getProxy()), dp.getTrustedRootHash()), new DistributionPointConnector(dp.getProxy()), new DistributionPointAddressProvider(dp.getPathCer())); } @@ -78,7 +78,8 @@ public PublicKey checkAndRetrieve(byte[] deviceId, String pufTypeHex) { certificates.clear(); certificates.addAll(fetchChain(deviceId, pufTypeHex)); - s10CertificateVerifier.withDevice(deviceId).verify(certificates); + s10ChainVerifier.setDeviceId(deviceId); + s10ChainVerifier.verifyChain(certificates); return getAttestationPublicKey(); } 
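Review bot: In checkAndRetrieve the device id reaches the verifier through `setDeviceId` on a shared field, one statement before `verifyChain`, so the serial-number check depends on mutable state and call order rather than on the arguments of the call. If an S10AttestationRevocationService instance is ever used from two threads (its lifecycle is not visible here), one call could verify its chain against the other call's device id, and a `verifyChain` without a prior `setDeviceId` would compare against null. Passing the id together with the chain, `s10ChainVerifier.verifyChain(certificates, deviceId);`, removes the dependency. The same applies to `withDeviceId` in DiceAttestationRevocationService, which now forwards to `diceAliasChainVerifier.setDeviceId(deviceId)`.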
diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/S10CertificateVerifier.java b/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/S10ChainVerifier.java similarity index 77% rename from Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/S10CertificateVerifier.java rename to Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/S10ChainVerifier.java index 1094ad0..803bf10 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/S10CertificateVerifier.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/service/certificate/S10ChainVerifier.java @@ -34,8 +34,6 @@ package com.intel.bkp.verifier.service.certificate; import com.intel.bkp.ext.core.crl.CrlSerialNumberBuilder; -import com.intel.bkp.ext.utils.HexConverter; -import com.intel.bkp.verifier.exceptions.CertificateChainSigmaException; import com.intel.bkp.verifier.exceptions.SigmaException; import com.intel.bkp.verifier.model.TrustedRootHash; import com.intel.bkp.verifier.x509.X509CertificateChainVerifier; @@ -43,17 +41,19 @@ import lombok.AccessLevel; import lombok.Getter; import lombok.RequiredArgsConstructor; +import lombok.Setter; import lombok.extern.slf4j.Slf4j; import java.security.cert.X509Certificate; import java.util.LinkedList; +import static com.intel.bkp.ext.utils.HexConverter.toHex; import static com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier.KEY_PURPOSE_CODE_SIGNING; @Slf4j @Getter(AccessLevel.PACKAGE) @RequiredArgsConstructor(access = AccessLevel.PACKAGE) -public class S10CertificateVerifier { +public class S10ChainVerifier { private final X509CertificateChainVerifier certificateChainVerifier; private final X509CertificateExtendedKeyUsageVerifier extendedKeyUsageVerifier; 
@@ -61,41 +61,40 @@ public class S10CertificateVerifier { private final RootHashVerifier rootHashVerifier; private final TrustedRootHash trustedRootHash; + @Setter private byte[] deviceId; - public S10CertificateVerifier(ICrlProvider crlProvider, TrustedRootHash trustedRootHash) { + public S10ChainVerifier(ICrlProvider crlProvider, TrustedRootHash trustedRootHash) { this(new X509CertificateChainVerifier(), new X509CertificateExtendedKeyUsageVerifier(), new CrlVerifier(crlProvider), new RootHashVerifier(), trustedRootHash); } - public S10CertificateVerifier withDevice(byte[] deviceId) { - this.deviceId = deviceId; - return this; - } - - public void verify(LinkedList certificates) { + public void verifyChain(LinkedList certificates) { final var attCert = certificates.getFirst(); final var rootCert = certificates.getLast(); if (attCert.getSerialNumber().compareTo(CrlSerialNumberBuilder.convertToBigInteger(deviceId)) != 0) { - throw new SigmaException("Certificate Serial Number does not match device id."); + handleVerificationFailure("Certificate Serial Number does not match device id."); } if (!certificateChainVerifier.certificates(certificates).verify()) { - throw new CertificateChainSigmaException("Parent signature verification in X509 attestation chain failed."); + handleVerificationFailure("Parent signature verification in X509 attestation chain failed."); } if (!extendedKeyUsageVerifier.certificate(attCert).verify(KEY_PURPOSE_CODE_SIGNING)) { - throw new SigmaException("Attestation certificate is invalid."); + handleVerificationFailure("Attestation certificate is invalid."); } if (!rootHashVerifier.verifyRootHash(rootCert, trustedRootHash.getS10())) { - throw new SigmaException("Root hash in X509 attestation chain is different from trusted root hash."); + handleVerificationFailure("Root hash in X509 attestation chain is different from trusted root hash."); } if (!crlVerifier.certificates(certificates).verify()) { - throw new SigmaException(String.format("Device 
with device id %s is revoked.", - HexConverter.toHex(deviceId))); + handleVerificationFailure(String.format("Device with device id %s is revoked.", toHex(deviceId))); } } + + protected void handleVerificationFailure(String failureDetails) { + throw new SigmaException(failureDetails); + } } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/service/measurements/validator/DeviceStateMaskHelper.java b/Verifier/src/main/java/com/intel/bkp/verifier/service/measurements/validator/DeviceStateMaskHelper.java index 8bb9891..cbfc5a1 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/service/measurements/validator/DeviceStateMaskHelper.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/service/measurements/validator/DeviceStateMaskHelper.java @@ -34,11 +34,13 @@ package com.intel.bkp.verifier.service.measurements.validator; import com.intel.bkp.ext.utils.ByteBufferSafe; -import com.intel.bkp.ext.utils.HexConverter; import org.apache.commons.lang3.StringUtils; import java.nio.ByteBuffer; +import static com.intel.bkp.ext.utils.HexConverter.fromHex; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + public class DeviceStateMaskHelper { public static final int INTEGER_HEX_LEN = 8; @@ -53,9 +55,9 @@ public static String getMask(String value, String mask) { public static String applyMask(String value, String mask) { value = alignValueToMask(value, mask); - final byte[] valueBytes = HexConverter.fromHex(value); - final byte[] maskBytes = HexConverter.fromHex(mask); - return HexConverter.toHex(applyMask(valueBytes, maskBytes)); + final byte[] valueBytes = fromHex(value); + final byte[] maskBytes = fromHex(mask); + return toHex(applyMask(valueBytes, maskBytes)); } private static byte[] applyMask(byte[] value, byte[] mask) { diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/sigma/GetMeasurementVerifier.java b/Verifier/src/main/java/com/intel/bkp/verifier/sigma/GetMeasurementVerifier.java index 15c15d5..37567ec 100644 
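Review bot: `verifyChain` now stops only because `handleVerificationFailure` throws, and that method is `protected` on a non-final class. An override that logs and returns would let a chain with a mismatched serial number, a bad parent signature, a wrong root hash or a revoked certificate fall through and return normally. Making the handler `private` here, or stating the contract on it with `/** Must not return normally; implementations throw to abort verification. */`, keeps the check fail-closed. The signature failure used to raise `CertificateChainSigmaException` and now raises plain `SigmaException`, so any caller that caught the specific type (none is visible in this diff) loses that distinction. `deviceId` is set only through the new `@Setter`, so `Objects.requireNonNull(deviceId, "deviceId");` at the top of `verifyChain` would make a missing `setDeviceId` call an explicit error.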
--- a/Verifier/src/main/java/com/intel/bkp/verifier/sigma/GetMeasurementVerifier.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/sigma/GetMeasurementVerifier.java @@ -35,10 +35,8 @@ import com.intel.bkp.ext.core.psgcertificate.exceptions.PsgInvalidSignatureException; import com.intel.bkp.ext.crypto.CryptoUtils; -import com.intel.bkp.ext.crypto.constants.CryptoConstants; import com.intel.bkp.ext.crypto.ecdh.EcdhKeyPair; import com.intel.bkp.ext.crypto.exceptions.EcdhKeyPairException; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.command.responses.attestation.GetMeasurementResponse; import com.intel.bkp.verifier.database.model.S10CacheEntity; import com.intel.bkp.verifier.exceptions.SigmaException; @@ -51,6 +49,10 @@ import java.security.PublicKey; import java.security.spec.InvalidKeySpecException; +import static com.intel.bkp.ext.crypto.constants.CryptoConstants.ECDSA_KEY; +import static com.intel.bkp.ext.crypto.constants.CryptoConstants.EC_CURVE_SPEC_384; +import static com.intel.bkp.ext.utils.HexConverter.fromHex; + @Slf4j @AllArgsConstructor(access = AccessLevel.PACKAGE) @NoArgsConstructor @@ -87,8 +89,7 @@ private void verifyVerifierDhPubKey(GetMeasurementResponse response, EcdhKeyPair private PublicKey getPublicKey(S10CacheEntity entity) { try { final String pubKeyXY = entity.getAlias(); - return CryptoUtils.toEcPublicBC(HexConverter.fromHex(pubKeyXY), CryptoConstants.ECDSA_KEY, - CryptoConstants.EC_CURVE_SPEC_384); + return CryptoUtils.toEcPublicBC(fromHex(pubKeyXY), ECDSA_KEY, EC_CURVE_SPEC_384); } catch (NoSuchAlgorithmException | InvalidKeySpecException | EcdhKeyPairException e) { throw new SigmaException("Failed to recover PublicKey from alias.", e); diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/sigma/SigmaM2DeviceIdVerifier.java b/Verifier/src/main/java/com/intel/bkp/verifier/sigma/SigmaM2DeviceIdVerifier.java index 7a41f6d..cdad7cd 100644 
--- a/Verifier/src/main/java/com/intel/bkp/verifier/sigma/SigmaM2DeviceIdVerifier.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/sigma/SigmaM2DeviceIdVerifier.java @@ -33,17 +33,18 @@ package com.intel.bkp.verifier.sigma; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.exceptions.SigmaException; import lombok.extern.slf4j.Slf4j; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + @Slf4j public class SigmaM2DeviceIdVerifier { public void verify(byte[] expectedDeviceId, byte[] incomingDeviceId) { log.debug("Verifying deviceId."); - final String expectedDeviceIdHex = HexConverter.toHex(expectedDeviceId); - final String incomingDeviceIdHex = HexConverter.toHex(incomingDeviceId); + final String expectedDeviceIdHex = toHex(expectedDeviceId); + final String incomingDeviceIdHex = toHex(incomingDeviceId); if (!expectedDeviceIdHex.equals(incomingDeviceIdHex)) { throw new SigmaException(String.format( "DeviceId in M2 (%s) is different than received from GET_CHIPID command (%s).", diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/sigma/SigmaM2VerifierDhPubKeyVerifier.java b/Verifier/src/main/java/com/intel/bkp/verifier/sigma/SigmaM2VerifierDhPubKeyVerifier.java index 5b38466..39443e1 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/sigma/SigmaM2VerifierDhPubKeyVerifier.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/sigma/SigmaM2VerifierDhPubKeyVerifier.java 
@@ -33,17 +33,18 @@ package com.intel.bkp.verifier.sigma; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.exceptions.SigmaException; import lombok.extern.slf4j.Slf4j; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + @Slf4j public class SigmaM2VerifierDhPubKeyVerifier { public void verify(byte[] expectedDhPubKey, byte[] incomingDhPubKey) { log.debug("Verifying DH Pub Key."); - final String expectedDhPubKeyHex = HexConverter.toHex(expectedDhPubKey); - final String incomingDhPubKeyHex = HexConverter.toHex(incomingDhPubKey); + final String expectedDhPubKeyHex = toHex(expectedDhPubKey); + final String incomingDhPubKeyHex = toHex(incomingDhPubKey); if (!expectedDhPubKeyHex.equals(incomingDhPubKeyHex)) { throw new SigmaException(String.format( "Verifier DH Public Key from M2 (%s) is different than sent in M1 command (%s).", diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/transport/hps/HpsTransportImpl.java b/Verifier/src/main/java/com/intel/bkp/verifier/transport/hps/HpsTransportImpl.java index 121b797..0098b07 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/transport/hps/HpsTransportImpl.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/transport/hps/HpsTransportImpl.java @@ -33,13 +33,14 @@ package com.intel.bkp.verifier.transport.hps; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.interfaces.TransportLayer; import com.intel.bkp.verifier.transport.tcp.TcpClient; import com.intel.bkp.verifier.transport.tcp.TcpConfig; import lombok.Setter; import lombok.extern.slf4j.Slf4j; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + @Slf4j public class HpsTransportImpl implements TransportLayer { 
@@ -55,9 +56,9 @@ public void initialize(String connectionConfig) { @Override public byte[] sendCommand(byte[] command) { - log.debug("Sending command: {}", HexConverter.toHex(command)); + log.debug("Sending command: {}", toHex(command)); byte[] result = client.sendPacket(command); - log.debug("Command result: {}", HexConverter.toHex(result)); + log.debug("Command result: {}", toHex(result)); return result; } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/transport/systemconsole/SystemConsoleHexConverter.java b/Verifier/src/main/java/com/intel/bkp/verifier/transport/systemconsole/SystemConsoleHexConverter.java index 5853ae9..016569a 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/transport/systemconsole/SystemConsoleHexConverter.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/transport/systemconsole/SystemConsoleHexConverter.java @@ -42,6 +42,8 @@ import java.util.List; import java.util.stream.Collectors; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + public class SystemConsoleHexConverter { private static final int WORD_SIZE = 4; @@ -57,7 +59,7 @@ public static String toString(byte[] array) { byte[] subarraySwapped = swapArrayDueToWordFormat(subarray); sb .append("0x") - .append(HexConverter.toHex(subarraySwapped)) + .append(toHex(subarraySwapped)) .append(i + WORD_SIZE == array.length ? "" : " "); } diff --git a/Verifier/src/main/java/com/intel/bkp/verifier/x509/X509CertificateParser.java b/Verifier/src/main/java/com/intel/bkp/verifier/x509/X509CertificateParser.java index edf476c..38f5e1a 100644 --- a/Verifier/src/main/java/com/intel/bkp/verifier/x509/X509CertificateParser.java +++ b/Verifier/src/main/java/com/intel/bkp/verifier/x509/X509CertificateParser.java 
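Review bot: `sendCommand` writes the complete command and the complete response to the debug log as hex, in `log.debug("Sending command: {}", toHex(command));` and the matching `Command result` line. Whether these payloads ever carry session or key-derived material is not visible from this hunk, but if they do, debug logs become a second place where it is retained. Logging the length, or a short prefix, would keep the trace useful for troubleshooting. The hex conversion also runs when debug logging is off, so wrapping both calls in `if (log.isDebugEnabled())` avoids that work on the normal path.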
@@ -127,14 +127,6 @@ public X509Certificate toX509(byte[] certificate) { } } - public Optional tryToX509(byte[] certificate) { - try { - return Optional.of(toX509Certificate(certificate)); - } catch (X509CertificateParsingException e) { - return Optional.empty(); - } - } - private Optional tryGetAccessDescriptions(byte[] authorityInfoAccess) { if (authorityInfoAccess == null) { return Optional.empty(); diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/command/MailboxCommandLayerTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/command/MailboxCommandLayerTest.java new file mode 100644 index 0000000..bb91834 --- /dev/null +++ b/Verifier/src/test/java/com/intel/bkp/verifier/command/MailboxCommandLayerTest.java 
@@ -0,0 +1,101 @@
+/*
+ * This project is licensed as below.
+ *
+ * **************************************************************************
+ *
+ * Copyright 2020-2021 Intel Corporation. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * **************************************************************************
+ *
+ */
+
+package com.intel.bkp.verifier.command;
+
+import com.intel.bkp.verifier.command.messages.chip.GetCertificateMessageBuilder;
+import com.intel.bkp.verifier.command.messages.chip.GetChipIdMessage;
+import com.intel.bkp.verifier.exceptions.JtagResponseException;
+import com.intel.bkp.verifier.interfaces.Message;
+import com.intel.bkp.verifier.model.CommandIdentifier;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import static com.intel.bkp.ext.utils.HexConverter.fromHex;
+import static com.intel.bkp.verifier.model.CertificateRequestType.FIRMWARE;
+
+public class MailboxCommandLayerTest {
+ private MailboxCommandLayer sut = new MailboxCommandLayer();
+
+ @Test
+ void create_commandWithoutData_Success() {
+ // given
+ final Message message = new GetChipIdMessage();
+ final CommandIdentifier command = CommandIdentifier.GET_CHIPID;
+ final byte[] expected = fromHex("12000010");
+
+ // when
+ final byte[] result = sut.create(message, command);
+
+ // then
+ Assertions.assertArrayEquals(expected, result);
+ }
+
+ @Test
+ void create_commandWithData_Success() {
+ // given
+ final Message message = new GetCertificateMessageBuilder().withType(FIRMWARE).build();
+ final CommandIdentifier command = CommandIdentifier.GET_CERTIFICATE;
+ final byte[] expected = fromHex("8111001001000000");
+
+ // when
+ final byte[] result = sut.create(message, command);
+
+ // then
+ Assertions.assertArrayEquals(expected, result);
+ }
+
+ @Test
+ void retrieve_Success() {
+ // given
+ final CommandIdentifier command = CommandIdentifier.GET_CHIPID;
+ final byte[] responseDataWithHeader = fromHex("00200010695D48644C08D307");
+ final byte[] expected = fromHex("695D48644C08D307");
+
+ // when
+ final byte[] result = sut.retrieve(responseDataWithHeader, command);
+
+ // then
+ Assertions.assertArrayEquals(expected, result);
+ }
+
+ @Test
+ void 
retrieve_HeaderValidationFails_Throws() { + // given + final CommandIdentifier command = CommandIdentifier.GET_CHIPID; + final byte[] tooShortResponse = fromHex("002000"); + + // when + Assertions.assertThrows(JtagResponseException.class, () -> sut.retrieve(tooShortResponse, command)); + } +} diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/command/messages/attestation/GetMeasurementMessageBuilderTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/command/messages/attestation/GetMeasurementMessageBuilderTest.java index c76eba4..009a4aa 100644 --- a/Verifier/src/test/java/com/intel/bkp/verifier/command/messages/attestation/GetMeasurementMessageBuilderTest.java +++ b/Verifier/src/test/java/com/intel/bkp/verifier/command/messages/attestation/GetMeasurementMessageBuilderTest.java @@ -34,7 +34,6 @@ package com.intel.bkp.verifier.command.messages.attestation; import com.intel.bkp.ext.utils.ByteBufferSafe; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.Utils; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.BeforeAll; @@ -45,6 +44,7 @@ import java.nio.ByteOrder; +import static com.intel.bkp.ext.utils.HexConverter.toHex; import static com.intel.bkp.verifier.command.Magic.GET_MEASUREMENT; @ExtendWith(MockitoExtension.class) @@ -77,7 +77,7 @@ void parse() { // then Assertions.assertEquals(GET_MEASUREMENT.getCode(), ByteBufferSafe.wrap(result.getMagic()).getInt(ByteOrder.LITTLE_ENDIAN)); - Assertions.assertEquals(VERIFIER_DH_PUBKEY, HexConverter.toHex(result.getVerifierDhPubKey())); + Assertions.assertEquals(VERIFIER_DH_PUBKEY, toHex(result.getVerifierDhPubKey())); Assertions.assertTrue(new String(result.getVerifierInputContext()).contains(CONTEXT)); } } 
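Review bot: The only rejection path tested for `retrieve` is a response shorter than the header (`fromHex("002000")` in `retrieve_HeaderValidationFails_Throws`), although the response bytes come from the device and should be treated as untrusted. What `retrieve` actually validates is outside this diff, so the missing cases are a suggestion: a full-length header whose command code does not match `GET_CHIPID`, and a header whose declared length disagrees with the payload that follows. Each would be one more `Assertions.assertThrows(JtagResponseException.class, ...)` test next to the existing one. The `sut` field could also be declared `private final`.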
diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/command/messages/subkey/CreateAttestationSubKeyMessageBuilderTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/command/messages/subkey/CreateAttestationSubKeyMessageBuilderTest.java index 1a8d820..0441813 100644 --- a/Verifier/src/test/java/com/intel/bkp/verifier/command/messages/subkey/CreateAttestationSubKeyMessageBuilderTest.java +++ b/Verifier/src/test/java/com/intel/bkp/verifier/command/messages/subkey/CreateAttestationSubKeyMessageBuilderTest.java @@ -34,7 +34,6 @@ package com.intel.bkp.verifier.command.messages.subkey; import com.intel.bkp.ext.utils.ByteBufferSafe; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.Utils; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.BeforeAll; @@ -45,6 +44,7 @@ import java.nio.ByteOrder; +import static com.intel.bkp.ext.utils.HexConverter.toHex; import static com.intel.bkp.verifier.command.Magic.CREATE_SUBKEY; @ExtendWith(MockitoExtension.class) @@ -77,7 +77,7 @@ void parse() { // then Assertions.assertEquals(CREATE_SUBKEY.getCode(), ByteBufferSafe.wrap(result.getMagic()).getInt(ByteOrder.LITTLE_ENDIAN)); - Assertions.assertEquals(VERIFIER_DH_PUBKEY, HexConverter.toHex(result.getVerifierDhPubKey())); + Assertions.assertEquals(VERIFIER_DH_PUBKEY, toHex(result.getVerifierDhPubKey())); Assertions.assertTrue(new String(result.getVerifierInputContext()).contains(CONTEXT)); } } diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/command/responses/attestation/DeviceStateMeasurementRecordTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/command/responses/attestation/DeviceStateMeasurementRecordTest.java index 5bfaceb..d3a2db2 100644 --- a/Verifier/src/test/java/com/intel/bkp/verifier/command/responses/attestation/DeviceStateMeasurementRecordTest.java +++ b/Verifier/src/test/java/com/intel/bkp/verifier/command/responses/attestation/DeviceStateMeasurementRecordTest.java 
@@ -34,10 +34,11 @@ package com.intel.bkp.verifier.command.responses.attestation; import com.intel.bkp.ext.utils.ByteBufferSafe; -import com.intel.bkp.ext.utils.HexConverter; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.Test; +import static com.intel.bkp.ext.utils.HexConverter.fromHex; + class DeviceStateMeasurementRecordTest { @Test @@ -45,7 +46,7 @@ void getData() { // given final String data = "0102030405060708"; final String expectedReversedEndiannessData = "0403020105060708"; - final ByteBufferSafe buffer = ByteBufferSafe.wrap(HexConverter.fromHex(data)); + final ByteBufferSafe buffer = ByteBufferSafe.wrap(fromHex(data)); // when final DeviceStateMeasurementRecord record = new DeviceStateMeasurementRecord(buffer); diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/command/responses/attestation/UserDesignMeasurementRecordTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/command/responses/attestation/UserDesignMeasurementRecordTest.java index 6378d85..f7d3e3c 100644 --- a/Verifier/src/test/java/com/intel/bkp/verifier/command/responses/attestation/UserDesignMeasurementRecordTest.java +++ b/Verifier/src/test/java/com/intel/bkp/verifier/command/responses/attestation/UserDesignMeasurementRecordTest.java @@ -34,12 +34,13 @@ package com.intel.bkp.verifier.command.responses.attestation; import com.intel.bkp.ext.utils.ByteBufferSafe; -import com.intel.bkp.ext.utils.HexConverter; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.Test; import java.security.SecureRandom; +import static com.intel.bkp.ext.utils.HexConverter.toHex; + class UserDesignMeasurementRecordTest { @Test @@ -54,6 +55,6 @@ void getData() { final String result = record.getData(); // then - Assertions.assertEquals(HexConverter.toHex(data), result); + Assertions.assertEquals(toHex(data), result); } } 
diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/command/responses/chip/SigmaTeardownResponseBuilderTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/command/responses/chip/SigmaTeardownResponseBuilderTest.java
new file mode 100644
index 0000000..48f0a0a
--- /dev/null
+++ b/Verifier/src/test/java/com/intel/bkp/verifier/command/responses/chip/SigmaTeardownResponseBuilderTest.java
@@ -0,0 +1,76 @@
+/*
+ * This project is licensed as below.
+ *
+ * **************************************************************************
+ *
+ * Copyright 2020-2021 Intel Corporation. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * + * ************************************************************************** + * + */ + +package com.intel.bkp.verifier.command.responses.chip; + +import com.intel.bkp.verifier.exceptions.SigmaException; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; + +public class SigmaTeardownResponseBuilderTest { + + private SigmaTeardownResponseBuilder sut; + + @BeforeEach + void setUp() { + sut = new SigmaTeardownResponseBuilder(); + } + + @Test + public void build_ReturnValidObject() { + // when + final SigmaTeardownResponse msg = sut.build(); + + // then + Assertions.assertArrayEquals(new byte[0], msg.array()); + } + + @Test + public void parse_WithNoData() { + // given + byte[] message = new byte[0]; + + // when-then + Assertions.assertDoesNotThrow(() -> sut.parse(message)); + } + + @Test + public void parse_WithData_Throws() { + // given + byte[] message = new byte[5]; + + // when-then + Assertions.assertThrows(SigmaException.class, () -> sut.parse(message)); + } +} diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/model/dice/FieldParserTestUtils.java b/Verifier/src/test/java/com/intel/bkp/verifier/model/dice/FieldParserTestUtils.java index 15287e9..68b2e5b 100644 --- a/Verifier/src/test/java/com/intel/bkp/verifier/model/dice/FieldParserTestUtils.java +++ b/Verifier/src/test/java/com/intel/bkp/verifier/model/dice/FieldParserTestUtils.java @@ -34,7 +34,6 @@ package com.intel.bkp.verifier.model.dice; import com.intel.bkp.ext.core.utils.Converter; -import com.intel.bkp.ext.utils.HexConverter; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.ASN1Primitive; import org.bouncycastle.asn1.ASN1TaggedObject; 
@@ -43,6 +42,8 @@ import org.bouncycastle.asn1.DLSequence; import org.bouncycastle.asn1.DLTaggedObject; +import static com.intel.bkp.ext.utils.HexConverter.fromHex; + class FieldParserTestUtils { public static ASN1TaggedObject getTaggedObject(ASN1Primitive obj) { @@ -54,7 +55,7 @@ public static ASN1ObjectIdentifier getAsn1ObjectIdentifier(String str) { } public static DEROctetString getOctetString(String hexStr) { - return getOctetString(HexConverter.fromHex(hexStr)); + return getOctetString(fromHex(hexStr)); } public static DEROctetString getOctetString(Integer integer) { @@ -66,7 +67,7 @@ public static DEROctetString getOctetString(byte[] value) { } public static DERBitString getBitString(String dataHex, int padBits) { - return new DERBitString(HexConverter.fromHex(dataHex), padBits); + return new DERBitString(fromHex(dataHex), padBits); } public static ASN1TaggedObject getSequence(ASN1Primitive... obj) { diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/model/evidence/SectionTypeTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/model/evidence/SectionTypeTest.java index 82e8054..5049d58 100644 --- a/Verifier/src/test/java/com/intel/bkp/verifier/model/evidence/SectionTypeTest.java +++ b/Verifier/src/test/java/com/intel/bkp/verifier/model/evidence/SectionTypeTest.java @@ -83,7 +83,7 @@ void fromByte_UnsupportedSection_Throws() { final byte value = 13; // when-then - final IllegalArgumentException thrown = + final SectionTypeException thrown = Assertions.assertThrows(SectionTypeException.class, () -> SectionType.from(value)); Assertions.assertEquals(String.format(SectionType.UNSUPPORTED_SECTION_TYPE, value), thrown.getMessage()); } 
@@ -94,7 +94,7 @@ void fromBlock_BlockWithNullTypeAndLayer_Throws() { final BaseEvidenceBlock block = new BaseEvidenceBlock(); // when-then - final IllegalArgumentException thrown = + final SectionTypeException thrown = Assertions.assertThrows(SectionTypeException.class, () -> SectionType.from(block)); Assertions.assertEquals(SectionType.FAILED_TO_DETERMINE_SECTION_TYPE, thrown.getMessage()); } @@ -119,7 +119,7 @@ void fromBlock_BlockWithTypeNotByte_ThrowsDueToTypeNotBeingByteValue() { block.setType("A.A"); // when-then - final IllegalArgumentException thrown = + final SectionTypeException thrown = Assertions.assertThrows(SectionTypeException.class, () -> SectionType.from(block)); Assertions.assertEquals(SectionType.TYPE_IDENTIFIER_MUST_BE_BYTE_VALUE, thrown.getMessage()); } @@ -170,7 +170,7 @@ void from_BlockWithLayer3_ThrowsDueToUnsupportedLayer() { block.setLayer("3"); // when-then - final IllegalArgumentException thrown = + final SectionTypeException thrown = Assertions.assertThrows(SectionTypeException.class, () -> SectionType.from(block)); Assertions.assertEquals(SectionType.LAYER_CAN_ONLY_HAVE_VALUES, thrown.getMessage()); } @@ -182,7 +182,7 @@ void from_BlockWithLayerMinusOne_ThrowsDueToUnsupportedLayer() { block.setLayer("-1"); // when-then - final IllegalArgumentException thrown = + final SectionTypeException thrown = Assertions.assertThrows(SectionTypeException.class, () -> SectionType.from(block)); Assertions.assertEquals(SectionType.LAYER_CAN_ONLY_HAVE_VALUES, thrown.getMessage()); } @@ -194,7 +194,7 @@ void from_BlockWithLayerNotInteger_ThrowsDueToLayerNotBeingIntegerValue() { block.setLayer("A"); // when-then - final IllegalArgumentException thrown = + final SectionTypeException thrown = Assertions.assertThrows(SectionTypeException.class, () -> SectionType.from(block)); Assertions.assertEquals(SectionType.LAYER_MUST_BE_INTEGER_VALUE, thrown.getMessage()); } 
diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/service/VerifierExchangeImplTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/service/VerifierExchangeImplTest.java index 576792f..65da5b1 100644 --- a/Verifier/src/test/java/com/intel/bkp/verifier/service/VerifierExchangeImplTest.java +++ b/Verifier/src/test/java/com/intel/bkp/verifier/service/VerifierExchangeImplTest.java @@ -34,7 +34,6 @@ package com.intel.bkp.verifier.service; import com.intel.bkp.ext.core.manufacturing.model.PufType; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.exceptions.InitSessionFailedException; import com.intel.bkp.verifier.exceptions.TransportLayerException; import com.intel.bkp.verifier.interfaces.TransportLayer; @@ -49,6 +48,7 @@ import org.mockito.Spy; import org.mockito.junit.jupiter.MockitoExtension; +import static com.intel.bkp.ext.utils.HexConverter.toHex; import static org.mockito.ArgumentMatchers.any; import static org.mockito.Mockito.never; import static org.mockito.Mockito.times; @@ -157,7 +157,7 @@ void getDeviceAttestation_ExceptionThrown_ReturnsError() throws Exception { // then Assertions.assertEquals(VerifierExchangeResponse.ERROR.getCode(), result.getStatus()); - Assertions.assertEquals(HexConverter.toHex(deviceId), result.getDeviceId()); + Assertions.assertEquals(toHex(deviceId), result.getDeviceId()); } @Test @@ -174,7 +174,7 @@ void getDeviceAttestation_Success_ReturnsOk() throws Exception { // then Assertions.assertEquals(VerifierExchangeResponse.OK.getCode(), result.getStatus()); - Assertions.assertEquals(HexConverter.toHex(deviceId), result.getDeviceId()); + Assertions.assertEquals(toHex(deviceId), result.getDeviceId()); } @Test diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceAliasChainVerifierTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceAliasChainVerifierTest.java new file mode 100644 index 0000000..2d29e70 --- /dev/null 
+++ b/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceAliasChainVerifierTest.java 
@@ -0,0 +1,83 @@
+/*
+ * This project is licensed as below.
+ *
+ * **************************************************************************
+ *
+ * Copyright 2020-2021 Intel Corporation. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER
+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * **************************************************************************
+ *
+ */
+
+package com.intel.bkp.verifier.service.certificate;
+
+import com.intel.bkp.verifier.exceptions.SigmaException;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+
+import static com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier.KEY_PURPOSE_ATTEST_INIT;
+import static com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier.KEY_PURPOSE_ATTEST_LOC;
+
+@ExtendWith(MockitoExtension.class)
+class DiceAliasChainVerifierTest {
+
+ @Mock
+ private ICrlProvider crlProvider;
+
+ @Mock
+ private RootHashVerifier rootHashVerifier;
+
+ @InjectMocks
+ private DiceAliasChainVerifier sut;
+
+ @Test
+ void getExpectedLeafCertKeyPurposes_ReturnsPurposesForAliasCertificate() {
+ // given
+ final String[] aliasCertificateKeyPurposes = new String[]{KEY_PURPOSE_ATTEST_INIT, KEY_PURPOSE_ATTEST_LOC};
+
+ // when
+ final String[] result = sut.getExpectedLeafCertKeyPurposes();
+
+ // then
+ Assertions.assertArrayEquals(aliasCertificateKeyPurposes, result);
+ }
+
+ @Test
+ void handleVerificationFailure_throwsSigmaException() {
+ // given
+ final String failureDetails = "some details about why validation happened.";
+
+ // when-then
+ SigmaException ex = Assertions.assertThrows(SigmaException.class,
+ () -> sut.handleVerificationFailure(failureDetails));
+
+ // then
+ Assertions.assertEquals(failureDetails, ex.getMessage());
+ }
+}
diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceAttestationRevocationServiceTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceAttestationRevocationServiceTest.java
index c345c0d..b8bfd82 100644
--- a/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceAttestationRevocationServiceTest.java +++ b/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceAttestationRevocationServiceTest.java @@ -81,7 +81,7 @@ class DiceAttestationRevocationServiceTest { private DistributionPointConnector connector; @Mock - private DiceCertificateVerifier diceCertificateVerifier; + private DiceAliasChainVerifier diceAliasChainVerifier; @Mock private X509CertificateParser certificateParser; @@ -126,7 +126,7 @@ void constructor_configuresProperly() { sut = new DiceAttestationRevocationService(appContext); // then - final var diceCertVerifier = sut.getDiceCertificateVerifier(); + final var diceCertVerifier = sut.getDiceAliasChainVerifier(); Assertions.assertEquals(trustedRootHash, diceCertVerifier.getTrustedRootHash()); final var crlProvider = diceCertVerifier.getCrlVerifier().getCrlProvider(); diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceCertificateVerifierTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceChainVerifierBaseTest.java similarity index 76% rename from Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceCertificateVerifierTest.java rename to Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceChainVerifierBaseTest.java index 6c31dff..5349261 100644 --- a/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceCertificateVerifierTest.java +++ b/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/DiceChainVerifierBaseTest.java @@ -33,7 +33,6 @@ package com.intel.bkp.verifier.service.certificate; -import com.intel.bkp.verifier.exceptions.SigmaException; import com.intel.bkp.verifier.model.TrustedRootHash; import com.intel.bkp.verifier.x509.X509CertificateChainVerifier; import com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier; 
@@ -56,17 +55,39 @@ import static com.intel.bkp.verifier.model.AttestationOid.TCG_DICE_TCB_INFO; import static com.intel.bkp.verifier.model.AttestationOid.TCG_DICE_UEID; import static com.intel.bkp.verifier.x509.X509CertificateBasicConstraintsVerifier.CA_TRUE_PATHLENGTH_NONE; -import static com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier.KEY_PURPOSE_ATTEST_INIT; -import static com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier.KEY_PURPOSE_ATTEST_LOC; +import static com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier.KEY_PURPOSE_CODE_SIGNING; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.anyInt; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; @ExtendWith(MockitoExtension.class) -class DiceCertificateVerifierTest { +class DiceChainVerifierBaseTest { + + private static class DiceChainVerifierTestImpl extends DiceChainVerifierBase { + + DiceChainVerifierTestImpl(X509CertificateExtendedKeyUsageVerifier extendedKeyUsageVerifier, + X509CertificateChainVerifier certificateChainVerifier, CrlVerifier crlVerifier, + RootHashVerifier rootHashVerifier, X509CertificateUeidVerifier ueidVerifier, + X509CertificateSubjectKeyIdentifierVerifier subjectKeyIdentifierVerifier, + TrustedRootHash trustedRootHash) { + super(extendedKeyUsageVerifier, certificateChainVerifier, crlVerifier, rootHashVerifier, ueidVerifier, + subjectKeyIdentifierVerifier, trustedRootHash); + } + + @Override + protected String[] getExpectedLeafCertKeyPurposes() { + return new String[]{KEY_PURPOSE}; + } + + @Override + protected void handleVerificationFailure(String failureDetails) { + throw new RuntimeException(failureDetails); + } + } private static final byte[] DEVICE_ID = new byte[]{1, 2, 3, 4, 5, 6, 7, 8}; + private static final String KEY_PURPOSE = KEY_PURPOSE_CODE_SIGNING; private static final byte[] DICE_ROOT_CERT = new byte[]{7, 8}; private static final String DICE_ROOT_HASH 
= DigestUtils.sha256Hex(DICE_ROOT_CERT); private static final Set DICE_EXTENSION_OIDS = Set.of(TCG_DICE_TCB_INFO.getOid(), @@ -97,49 +118,49 @@ class DiceCertificateVerifierTest { private TrustedRootHash trustedRootHash; @InjectMocks - private DiceCertificateVerifier sut; + private DiceChainVerifierTestImpl sut; private LinkedList certificates; @BeforeEach void setUp() { - sut.withDeviceId(DEVICE_ID); + sut.setDeviceId(DEVICE_ID); certificates = new LinkedList<>(); certificates.add(certificate); } @Test - void verifyAliasChain_ParentVerificationFails_Throws() { + void verifyChain_ParentVerificationFails_Throws() { // given mockCertificateParentVerification(false); // when-then - Assertions.assertThrows(SigmaException.class, () -> sut.verifyAliasChain(certificates)); + Assertions.assertThrows(RuntimeException.class, () -> sut.verifyChain(certificates)); } @Test - void verifyAliasChain_UeidVerificationFails_Throws() { + void verifyChain_UeidVerificationFails_Throws() { // given mockCertificateParentVerification(true); mockUeidVerification(false); // when-then - Assertions.assertThrows(SigmaException.class, () -> sut.verifyAliasChain(certificates)); + Assertions.assertThrows(RuntimeException.class, () -> sut.verifyChain(certificates)); } @Test - void verifyAliasChain_SkiVerificationFails_Throws() { + void verifyChain_SkiVerificationFails_Throws() { // given mockCertificateParentVerification(true); mockUeidVerification(true); mockSkiVerification(false); // when-then - Assertions.assertThrows(SigmaException.class, () -> sut.verifyAliasChain(certificates)); + Assertions.assertThrows(RuntimeException.class, () -> sut.verifyChain(certificates)); } @Test - void verifyAliasChain_RootHashVerificationFails_Throws() { + void verifyChain_RootHashVerificationFails_Throws() { // given mockCertificateParentVerification(true); mockUeidVerification(true); 
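Review bot: The chain-failure tests in this file now assert `Assertions.assertThrows(RuntimeException.class, ...)`, which any unchecked exception satisfies, so a NullPointerException or a Mockito stubbing error raised before the intended check would also make them pass. This follows from `DiceChainVerifierTestImpl.handleVerificationFailure` throwing a plain `RuntimeException`; the same assertion recurs in the later hunks for the root-hash, CRL and extended-key-usage cases. Giving the test implementation its own exception type, e.g. `private static class VerificationFailedException extends RuntimeException { VerificationFailedException(String m) { super(m); } }`, thrown via `throw new VerificationFailedException(failureDetails);` and named in each `assertThrows`, would tie every negative test to the verifier's failure path. Asserting on the failure message per case, as S10ChainVerifierTest does, would additionally show which check rejected the chain.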
@@ -147,11 +168,11 @@ void verifyAliasChain_RootHashVerificationFails_Throws() { mockRootHashVerification(false); // when-then - Assertions.assertThrows(SigmaException.class, () -> sut.verifyAliasChain(certificates)); + Assertions.assertThrows(RuntimeException.class, () -> sut.verifyChain(certificates)); } @Test - void verifyAliasChain_CrlVerificationFails_Throws() { + void verifyChain_CrlVerificationFails_Throws() { // given mockCertificateParentVerification(true); mockUeidVerification(true); @@ -160,11 +181,11 @@ void verifyAliasChain_CrlVerificationFails_Throws() { mockCrlVerification(false); // when-then - Assertions.assertThrows(SigmaException.class, () -> sut.verifyAliasChain(certificates)); + Assertions.assertThrows(RuntimeException.class, () -> sut.verifyChain(certificates)); } @Test - void verifyAliasChain_ExtendedKeyUsageVerificationFails_Throws() { + void verifyChain_ExtendedKeyUsageVerificationFails_Throws() { // given mockCertificateParentVerification(true); mockUeidVerification(true); @@ -174,11 +195,11 @@ void verifyAliasChain_ExtendedKeyUsageVerificationFails_Throws() { mockExtendedKeyUsageVerification(false); // when-then - Assertions.assertThrows(SigmaException.class, () -> sut.verifyAliasChain(certificates)); + Assertions.assertThrows(RuntimeException.class, () -> sut.verifyChain(certificates)); } @Test - void verifyAliasChain_AllPassed() { + void verifyChain_AllPassed() { // given mockCertificateParentVerification(true); mockUeidVerification(true); 
@@ -188,10 +209,10 @@ void verifyAliasChain_AllPassed() { mockCrlVerification(true); // when-then - Assertions.assertDoesNotThrow(() -> sut.verifyAliasChain(certificates)); + Assertions.assertDoesNotThrow(() -> sut.verifyChain(certificates)); verify(certificateParentVerifier).rootBasicConstraints(CA_TRUE_PATHLENGTH_NONE); verify(certificateParentVerifier).knownExtensionOids(DICE_EXTENSION_OIDS); - verify(extendedKeyUsageVerifier).verify(KEY_PURPOSE_ATTEST_INIT, KEY_PURPOSE_ATTEST_LOC); + verify(extendedKeyUsageVerifier).verify(KEY_PURPOSE); verify(ueidVerifier).verify(DEVICE_ID); } diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/S10AttestationRevocationServiceTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/S10AttestationRevocationServiceTest.java index c47a40e..e62af3e 100644 --- a/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/S10AttestationRevocationServiceTest.java +++ b/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/S10AttestationRevocationServiceTest.java @@ -98,7 +98,7 @@ class S10AttestationRevocationServiceTest { private X509CertificateParser certificateParser; @Mock - private S10CertificateVerifier s10CertificateVerifier; + private S10ChainVerifier s10ChainVerifier; @Mock private DistributionPointConnector connector; @@ -148,7 +148,7 @@ void constructor_configuresProperly() { sut = new S10AttestationRevocationService(appContext); // then - final var s10CertVerifier = sut.getS10CertificateVerifier(); + final var s10CertVerifier = sut.getS10ChainVerifier(); Assertions.assertEquals(trustedRootHash, s10CertVerifier.getTrustedRootHash()); final var crlProvider = s10CertVerifier.getCrlVerifier().getCrlProvider(); 
@@ -165,14 +165,14 @@ void checkAndRetrieve_Success() { // given mockFetchingCertificates(DEVICE_ID, PUF_TYPE); mockAttestationKey(attestationPublicKey); - when(s10CertificateVerifier.withDevice(DEVICE_ID)).thenReturn(s10CertificateVerifier); // when final PublicKey result = sut.checkAndRetrieve(DEVICE_ID, PUF_TYPE); // then Assertions.assertEquals(attestationPublicKey, result); - verify(s10CertificateVerifier).verify(certificatesCaptor.capture()); + verify(s10ChainVerifier).setDeviceId(DEVICE_ID); + verify(s10ChainVerifier).verifyChain(certificatesCaptor.capture()); final LinkedList certificates = certificatesCaptor.getValue(); Assertions.assertEquals(attestationCert, certificates.getFirst()); Assertions.assertEquals(parentCert, certificates.get(1)); diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/S10CertificateVerifierTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/S10ChainVerifierTest.java similarity index 80% rename from Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/S10CertificateVerifierTest.java rename to Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/S10ChainVerifierTest.java index be44ae5..0681f11 100644 --- a/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/S10CertificateVerifierTest.java +++ b/Verifier/src/test/java/com/intel/bkp/verifier/service/certificate/S10ChainVerifierTest.java @@ -34,7 +34,6 @@ package com.intel.bkp.verifier.service.certificate; import com.intel.bkp.ext.core.crl.CrlSerialNumberBuilder; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.exceptions.SigmaException; import com.intel.bkp.verifier.model.TrustedRootHash; import com.intel.bkp.verifier.x509.X509CertificateChainVerifier; 
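Review bot: The two new `verify(...)` calls in `checkAndRetrieve_Success` do not assert ordering, so the test would still pass if `verifyChain` ran before `setDeviceId`. Since the device id is now supplied through a separate setter instead of the fluent `withDevice(...)` call, the call order is presumably what binds the chain check to this device, and it is worth pinning: `InOrder order = inOrder(s10ChainVerifier); order.verify(s10ChainVerifier).setDeviceId(DEVICE_ID); order.verify(s10ChainVerifier).verifyChain(certificatesCaptor.capture());`. That needs `org.mockito.InOrder` and a static import of `Mockito.inOrder`; the import block is outside this hunk. The test body continues past the end of the hunk.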
@@ -51,16 +50,17 @@ import java.security.cert.X509Certificate; import java.util.LinkedList; +import static com.intel.bkp.ext.utils.HexConverter.fromHex; import static com.intel.bkp.verifier.x509.X509CertificateExtendedKeyUsageVerifier.KEY_PURPOSE_CODE_SIGNING; import static org.mockito.Mockito.when; @ExtendWith(MockitoExtension.class) -class S10CertificateVerifierTest { +class S10ChainVerifierTest { - private static final byte[] DEVICE_ID = HexConverter.fromHex("0011223344556677"); - private static final byte[] WRONG_DEVICE_ID = HexConverter.fromHex("7766554433221100"); + private static final byte[] DEVICE_ID = fromHex("0011223344556677"); + private static final byte[] WRONG_DEVICE_ID = fromHex("7766554433221100"); - private static final byte[] S10_ROOT_CERT = new byte[] { 5, 6 }; + private static final byte[] S10_ROOT_CERT = new byte[]{5, 6}; private static final String S10_ROOT_HASH = DigestUtils.sha256Hex(S10_ROOT_CERT); @Mock @@ -88,18 +88,18 @@ class S10CertificateVerifierTest { private TrustedRootHash trustedRootHash; @InjectMocks - private S10CertificateVerifier sut; + private S10ChainVerifier sut; private final LinkedList certificates = new LinkedList<>(); @BeforeEach void setUp() { setUpCertificates(); - sut.withDevice(DEVICE_ID); + sut.setDeviceId(DEVICE_ID); } @Test - void verify_Success() { + void verifyChain_Success() { // given mockSerialNumberOfAttestationCert(); mockCertificateParentVerification(true); 
@@ -108,42 +108,42 @@ void verify_Success() { mockCrlVerification(true); // when - Assertions.assertDoesNotThrow(() -> sut.verify(certificates)); + Assertions.assertDoesNotThrow(() -> sut.verifyChain(certificates)); } @Test - void verify_SerialNumNotMatchDeviceId_Throws() { + void verifyChain_SerialNumNotMatchDeviceId_Throws() { // given mockSerialNumberOfAttestationCert(); - sut.withDevice(WRONG_DEVICE_ID); + sut.setDeviceId(WRONG_DEVICE_ID); // when-then - assertVerifyThrowsSigmaException("Certificate Serial Number does not match device id."); + assertVerifyChainThrowsSigmaException("Certificate Serial Number does not match device id."); } @Test - void verify_ParentVerificationFails_Throws() { + void verifyChain_ParentVerificationFails_Throws() { // given mockSerialNumberOfAttestationCert(); mockCertificateParentVerification(false); // when-then - assertVerifyThrowsSigmaException("Parent signature verification in X509 attestation chain failed."); + assertVerifyChainThrowsSigmaException("Parent signature verification in X509 attestation chain failed."); } @Test - void verify_UsageVerificationFails_Throws() { + void verifyChain_UsageVerificationFails_Throws() { // given mockSerialNumberOfAttestationCert(); mockCertificateParentVerification(true); mockCertificateUsageVerification(false); // when-then - assertVerifyThrowsSigmaException("Attestation certificate is invalid."); + assertVerifyChainThrowsSigmaException("Attestation certificate is invalid."); } @Test - void verify_CrlVerificationFails_Throws() { + void verifyChain_CrlVerificationFails_Throws() { // given mockSerialNumberOfAttestationCert(); mockCertificateParentVerification(true); 
@@ -152,11 +152,11 @@ void verify_CrlVerificationFails_Throws() { mockCrlVerification(false); // when-then - assertVerifyThrowsSigmaException("Device with device id 0011223344556677 is revoked."); + assertVerifyChainThrowsSigmaException("Device with device id 0011223344556677 is revoked."); } @Test - void verify_RootHashVerificationFails_Throws() { + void verifyChain_RootHashVerificationFails_Throws() { // given mockSerialNumberOfAttestationCert(); mockCertificateParentVerification(true); @@ -164,11 +164,12 @@ void verify_RootHashVerificationFails_Throws() { mockRootHashVerification(false); // when-then - assertVerifyThrowsSigmaException("Root hash in X509 attestation chain is different from trusted root hash."); + assertVerifyChainThrowsSigmaException("Root hash in X509 attestation chain is different from trusted root " + + "hash."); } - private void assertVerifyThrowsSigmaException(String expectedExceptionMessage) { - SigmaException thrown = Assertions.assertThrows(SigmaException.class, () -> sut.verify(certificates)); + private void assertVerifyChainThrowsSigmaException(String expectedExceptionMessage) { + SigmaException thrown = Assertions.assertThrows(SigmaException.class, () -> sut.verifyChain(certificates)); Assertions.assertEquals(thrown.getMessage(), expectedExceptionMessage); } diff --git a/Verifier/src/test/java/com/intel/bkp/verifier/sigma/GetMeasurementVerifierTest.java b/Verifier/src/test/java/com/intel/bkp/verifier/sigma/GetMeasurementVerifierTest.java index a6ce6b2..5cf882c 100644 --- a/Verifier/src/test/java/com/intel/bkp/verifier/sigma/GetMeasurementVerifierTest.java +++ b/Verifier/src/test/java/com/intel/bkp/verifier/sigma/GetMeasurementVerifierTest.java 
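Review bot: In the renamed helper `assertVerifyChainThrowsSigmaException`, the unchanged line `Assertions.assertEquals(thrown.getMessage(), expectedExceptionMessage);` passes its arguments in the wrong order for JUnit's `assertEquals(expected, actual)`. The check still works, but a failure report would label the real message as the expected one, which is confusing when diagnosing which verification step rejected the chain. Since the helper is being touched anyway, swap them: `Assertions.assertEquals(expectedExceptionMessage, thrown.getMessage());`.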
@@ -36,7 +36,6 @@ import com.intel.bkp.ext.core.psgcertificate.exceptions.PsgInvalidSignatureException; import com.intel.bkp.ext.crypto.ecdh.EcdhKeyPair; import com.intel.bkp.ext.crypto.exceptions.EcdhKeyPairException; -import com.intel.bkp.ext.utils.HexConverter; import com.intel.bkp.verifier.command.responses.attestation.GetMeasurementResponse; import com.intel.bkp.verifier.database.model.S10CacheEntity; import com.intel.bkp.verifier.exceptions.SigmaException; @@ -48,6 +47,7 @@ import org.mockito.Mock; import org.mockito.junit.jupiter.MockitoExtension; +import static com.intel.bkp.ext.utils.HexConverter.toHex; import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.doThrow; @@ -117,6 +117,6 @@ void verify_DhPubKeyFailed_Throws() throws Exception { } private void mockAlias() throws EcdhKeyPairException { - when(entity.getAlias()).thenReturn(HexConverter.toHex(EcdhKeyPair.generate().getPublicKey())); + when(entity.getAlias()).thenReturn(toHex(EcdhKeyPair.generate().getPublicKey())); } } diff --git a/Verifier/src/test/resources/certs/diceChain/deviceid_08cbe74ddca0b53a_7eukZEEF-nzSZWoH.cer b/Verifier/src/test/resources/certs/diceChain/deviceid_08cbe74ddca0b53a_7eukZEEF-nzSZWoHQrqQf53ru9A.cer similarity index 100% rename from Verifier/src/test/resources/certs/diceChain/deviceid_08cbe74ddca0b53a_7eukZEEF-nzSZWoH.cer rename to Verifier/src/test/resources/certs/diceChain/deviceid_08cbe74ddca0b53a_7eukZEEF-nzSZWoHQrqQf53ru9A.cer diff --git a/Verifier/third_party_licenses.md b/Verifier/third_party_licenses.md index 002cd60..e2c60e5 100644 --- a/Verifier/third_party_licenses.md +++ b/Verifier/third_party_licenses.md @@ -1,7 +1,7 @@ #VERIFIER dependency list ##Dependency License Report -_2021-12-13 08:09:56 CET_ +_2021-12-22 15:16:47 CET_ ## Apache License 2.0 **1** **Group:** `javax.validation` **Name:** `validation-api` **Version:** `2.0.1.Final` 
diff --git a/gradle.properties b/gradle.properties index 907d8f1..a81e7c6 100644 --- a/gradle.properties +++ b/gradle.properties @@ -34,9 +34,8 @@ lombok_version=5.3.3.3 commons_lang3_version=3.12.0 logback_version=1.2.3 slf4j_version=1.7.31 - ## Test Dependency versions -junit5_version=5.8.1 -junit5_platform_version=1.8.1 -mockito_version=4.0.0 +junit5_version=5.8.2 +junit5_platform_version=1.8.2 +mockito_version=4.2.0 hamcrest_version=2.2 diff --git a/workload/third_party_licenses.md b/workload/third_party_licenses.md index 244a424..dc378d1 100644 --- a/workload/third_party_licenses.md +++ b/workload/third_party_licenses.md @@ -1,7 +1,7 @@ #WORKLOAD dependency list ##Dependency License Report -_2021-12-13 08:10:06 CET_ +_2021-12-22 15:16:52 CET_ ## Apache License 2.0 **1** **Group:** `javax.validation` **Name:** `validation-api` **Version:** `2.0.1.Final`