/*
* Copyright (C) 2014 Intel Corporation
* All rights reserved.
*/
package com.intel.mtwilson.trustagent.setup;
import com.intel.dcsg.cpg.configuration.CompositeConfiguration;
import com.intel.dcsg.cpg.configuration.Configuration;
import com.intel.dcsg.cpg.configuration.EnvironmentConfiguration;
import com.intel.dcsg.cpg.configuration.KeyTransformerConfiguration;
import com.intel.dcsg.cpg.crypto.SimpleKeystore;
import com.intel.dcsg.cpg.io.FileResource;
import com.intel.dcsg.cpg.util.AllCapsNamingStrategy;
import com.intel.dcsg.cpg.x509.X509Util;
import com.intel.mtwilson.setup.AbstractSetupTask;
import com.intel.mtwilson.trustagent.TrustagentConfiguration;
import com.intel.mtwilson.trustagent.niarl.CreateIdentity;
import com.intel.mtwilson.trustagent.niarl.Util;
import gov.niarl.his.privacyca.TpmModule;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import org.apache.commons.io.FileUtils;
/**
*
* @author jbuhacoff
*/
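/**
 * Setup task that obtains an AIK (Attestation Identity Key) certificate for this
 * host by running the {@link CreateIdentity} provisioner.
 *
 * <p>Lifecycle (as driven by {@link AbstractSetupTask}):
 * <ul>
 *   <li>{@link #configure()} checks that the Mt Wilson API settings are present, that the
 *       trust agent keystore holds the Privacy CA certificate, that this agent owns the TPM,
 *       and that an Endorsement Credential is available in the TPM.</li>
 *   <li>{@link #validate()} checks that an AIK certificate file exists, that it was signed by
 *       the known Privacy CA, and that it is currently within its validity period.</li>
 *   <li>{@link #execute()} runs {@link CreateIdentity} with this task's configuration.</li>
 * </ul>
 *
 * @author jbuhacoff
 */
public class RequestAikCertificate extends AbstractSetupTask {
    private static final org.slf4j.Logger log = org.slf4j.LoggerFactory.getLogger(RequestAikCertificate.class);

    /** Keystore alias under which the Privacy CA certificate is expected. */
    private static final String PRIVACY_CA_ALIAS = "privacy";
    /** Credential type name passed to {@link TpmModule#getCredential} for the Endorsement Credential. */
    private static final String ENDORSEMENT_CREDENTIAL_TYPE = "EC";
    /**
     * {@link TpmModule.TpmModuleException} error code this task treats as "credential not present".
     * NOTE(review): the meaning of the code is taken from the message reported below, not from
     * TpmModule's documentation — confirm against TpmModule.
     */
    private static final int TPM_ERROR_CREDENTIAL_MISSING = 2;

    private TrustagentConfiguration config;
    /** Privacy CA certificate loaded from the keystore; {@code null} until {@link #configure()} succeeds. */
    private X509Certificate privacyCA;

    /**
     * Collects configuration problems that would prevent requesting an AIK.
     * Problems are reported through {@code configuration(...)}; the TPM checks are skipped
     * when the agent is not the TPM owner because they require the owner secret.
     *
     * @throws Exception propagated from configuration, keystore or TPM access
     */
    @Override
    protected void configure() throws Exception {
        config = new TrustagentConfiguration(getConfiguration());
        checkMtWilsonApiSettings();
        loadPrivacyCaCertificate();
        if (!Util.isOwner(config.getTpmOwnerSecret())) {
            configuration("Trust Agent is not the TPM owner");
            return;
        }
        checkEndorsementCredential();
    }

    /** Reports a configuration problem for each missing Mt Wilson API connection setting. */
    private void checkMtWilsonApiSettings() {
        // Kept as locals rather than fields so the API password is not retained by the task object.
        String url = config.getMtWilsonApiUrl();
        String username = config.getMtWilsonApiUsername();
        String password = config.getMtWilsonApiPassword();
        if (isNullOrEmpty(url)) {
            configuration("Mt Wilson URL [mtwilson.api.url] must be set");
        }
        if (isNullOrEmpty(username)) {
            configuration("Mt Wilson username [mtwilson.api.username] must be set");
        }
        if (isNullOrEmpty(password)) {
            configuration("Mt Wilson password [mtwilson.api.password] must be set");
        }
    }

    /**
     * Loads the Privacy CA certificate from the trust agent keystore into {@link #privacyCA},
     * reporting a configuration problem if the keystore or the certificate is missing.
     *
     * @throws Exception propagated from keystore access
     */
    private void loadPrivacyCaCertificate() throws Exception {
        File keystoreFile = config.getTrustagentKeystoreFile();
        if (!keystoreFile.exists()) {
            configuration("Keystore file is missing");
            return;
        }
        SimpleKeystore keystore = new SimpleKeystore(new FileResource(keystoreFile), config.getTrustagentKeystorePassword());
        try {
            privacyCA = keystore.getX509Certificate(PRIVACY_CA_ALIAS, SimpleKeystore.CA);
        } catch (NoSuchAlgorithmException | UnrecoverableEntryException | KeyStoreException | CertificateEncodingException e) {
            // Full cause goes to the debug log; the user-facing message stays short.
            log.debug("Cannot load Privacy CA certificate", e);
            configuration("Privacy CA certificate is missing");
        }
    }

    /**
     * Verifies that the TPM holds a non-empty Endorsement Credential, which is needed in order
     * to request an AIK. Reports a configuration problem otherwise.
     *
     * @throws Exception propagated from TPM access
     */
    private void checkEndorsementCredential() throws Exception {
        try {
            byte[] ekCert = TpmModule.getCredential(config.getTpmOwnerSecret(), ENDORSEMENT_CREDENTIAL_TYPE);
            if (ekCert == null || ekCert.length == 0) {
                configuration("Endorsement Certificate is null or zero-length");
            }
        } catch (TpmModule.TpmModuleException e) {
            if (e.getErrorCode() == TPM_ERROR_CREDENTIAL_MISSING) {
                configuration("Endorsement Certificate is missing");
            } else {
                // Keep the stack trace in the debug log; only the message is surfaced to the user.
                log.debug("Cannot determine presence of Endorsement Certificate", e);
                configuration("Cannot determine presence of Endorsement Certificate: %s", e.getMessage());
            }
        }
    }

    /**
     * Checks that an AIK certificate exists, was signed by the known Privacy CA, and is
     * currently within its validity period. Problems are reported through {@code validation(...)}.
     *
     * @throws Exception propagated from reading or decoding the certificate file
     */
    @Override
    protected void validate() throws Exception {
        File aikCertificateFile = config.getAikCertificateFile();
        if (!aikCertificateFile.exists()) {
            validation("AIK has not been created");
            return;
        }
        if (privacyCA == null) {
            // configure() could not load the Privacy CA certificate; without it the AIK cannot be verified.
            validation("Privacy CA certificate is not available");
            return;
        }
        // Explicit charset: the single-argument overload uses the platform default encoding.
        String aikPem = FileUtils.readFileToString(aikCertificateFile, StandardCharsets.UTF_8);
        X509Certificate aikCertificate = X509Util.decodePemCertificate(aikPem);
        try {
            aikCertificate.verify(privacyCA.getPublicKey());
        } catch (SignatureException e) {
            log.debug("AIK certificate signature check failed", e);
            validation("Known Privacy CA did not sign AIK", e);
            return;
        } catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException e) {
            log.debug("Unable to verify AIK certificate", e);
            validation("Unable to verify AIK", e);
            return;
        }
        // A correctly signed but expired (or not-yet-valid) AIK certificate should also fail validation.
        try {
            aikCertificate.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            log.debug("AIK certificate is outside its validity period", e);
            validation("AIK certificate is expired or not yet valid", e);
        }
    }

    /**
     * Requests the AIK certificate by running the {@link CreateIdentity} provisioner with
     * this task's configuration.
     *
     * @throws Exception propagated from the provisioner
     */
    @Override
    protected void execute() throws Exception {
        // NOTE(review): JVM-wide javax.net.ssl.* trust/key store system properties used to be set
        // here (the code was commented out); CreateIdentity is presumably responsible for its own
        // TLS configuration — confirm.
        CreateIdentity provisioner = new CreateIdentity();
        provisioner.configure(config.getConfiguration());
        provisioner.run();
    }

    /** @return {@code true} when {@code value} is {@code null} or the empty string */
    private static boolean isNullOrEmpty(String value) {
        return value == null || value.isEmpty();
    }
}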