@@ -1,12 +1,14 @@
package hirs.attestationca.persist.entity.userdefined.certificate;

import hirs.attestationca.persist.entity.userdefined.Certificate;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.Transient;
import lombok.EqualsAndHashCode;
import lombok.Getter;
import lombok.extern.log4j.Log4j2;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Path;
import java.time.Instant;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import jakarta.persistence.PostLoad;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
Expand All @@ -18,13 +20,14 @@
import org.bouncycastle.asn1.x509.PolicyInformation;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.file.Path;
import java.time.Instant;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import hirs.attestationca.persist.entity.userdefined.Certificate;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.DiceAttributes;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.Transient;
import lombok.EqualsAndHashCode;
import lombok.Getter;
import lombok.extern.log4j.Log4j2;

@Entity
@Getter
Expand All @@ -46,9 +49,19 @@ public class IDevIDCertificate extends Certificate {
private static final String POLICY_QUALIFIER_VERIFIED_TPM_FIXED = "2.23.133.11.1.2";
private static final String POLICY_QUALIFIER_VERIFIED_TPM_RESTRICTED = "2.23.133.11.1.3";

/**
* The raw byte array of the subject alternative name extension, if present.
* This will be null if the certificate does not contain a subject alternative name extension.
*/
@Transient
private byte[] subjectAltName;

/**
* Parsed DICE attributes from the certificate, if present.
*/
@Transient
private transient DiceAttributes.DiceCertInfo diceCertInfo;

/**
* Corresponds to the hwType field found in a Hardware Module Name (if present).
*/
Expand All @@ -67,6 +80,11 @@ public class IDevIDCertificate extends Certificate {
@Column
private String tpmPolicies;

/**
* Serial version UID for serialization.
*/
private static final long serialVersionUID = 9223372036854775807L;

/**
* Construct a new IDevIDCertificate given its binary contents. The given
* certificate should represent a valid X.509 certificate.
Expand Down Expand Up @@ -123,36 +141,40 @@ public Map<String, Boolean> getTPMPolicyQualifiers(final byte[] policyBytes) thr
for (PolicyInformation policy : certPolicies.getPolicyInformation()) {
// Add the data based on the OIDs
switch (policy.getPolicyIdentifier().toString()) {
case POLICY_QUALIFIER_VERIFIED_TPM_RESIDENCY:
verifiedTPMResidency = true;
break;
case POLICY_QUALIFIER_VERIFIED_TPM_FIXED:
verifiedTPMFixed = true;
break;
case POLICY_QUALIFIER_VERIFIED_TPM_RESTRICTED:
verifiedTPMRestricted = true;
break;
default:
break;
case POLICY_QUALIFIER_VERIFIED_TPM_RESIDENCY -> verifiedTPMResidency = true;
case POLICY_QUALIFIER_VERIFIED_TPM_FIXED -> verifiedTPMFixed = true;
case POLICY_QUALIFIER_VERIFIED_TPM_RESTRICTED -> verifiedTPMRestricted = true;
default -> { /* No action needed for unknown policies */ }
}
}
}

// Add to map
policyQualifiers.put("verifiedTPMResidency", Boolean.valueOf(verifiedTPMResidency));
policyQualifiers.put("verifiedTPMFixed", Boolean.valueOf(verifiedTPMFixed));
policyQualifiers.put("verifiedTPMRestricted", Boolean.valueOf(verifiedTPMRestricted));
policyQualifiers.put("verifiedTPMResidency", verifiedTPMResidency);
policyQualifiers.put("verifiedTPMFixed", verifiedTPMFixed);
policyQualifiers.put("verifiedTPMRestricted", verifiedTPMRestricted);

return policyQualifiers;
}

/**
* Helper function to parse transient fields after load.
*
* @throws IOException if there is an exception during parsing.
*/
@PostLoad
private void parseTransientFields() throws IOException {
this.diceCertInfo = DiceAttributes.parseDiceCertificate(this.getX509Certificate());
this.subjectAltName =
getX509Certificate().getExtensionValue(SUBJECT_ALTERNATIVE_NAME_EXTENSION);
}

/**
* Parses fields related to IDevID certificates.
*
* @throws IOException if a problem is encountered during parsing
*/
private void parseIDevIDCertificate() throws IOException {

this.subjectAltName =
getX509Certificate().getExtensionValue(SUBJECT_ALTERNATIVE_NAME_EXTENSION);

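Review bot: The new `@PostLoad` callback `parseTransientFields` declares `throws IOException`, so a malformed DICE extension or any parse failure inside `DiceAttributes.parseDiceCertificate` aborts loading of the entity instead of leaving `diceCertInfo` null, and one bad stored certificate then breaks every query that hydrates an `IDevIDCertificate`. As far as I recall the Persistence spec requires lifecycle callbacks to have the signature `void method()` and to throw only unchecked exceptions, so it is also worth confirming that Hibernate accepts the `throws` clause at all. I would catch `IOException` inside the callback, log it (the `@Log4j2` import suggests a `log` field is available — verify) and leave `diceCertInfo` unset, as sketched below. Note also that `parseIDevIDCertificate`, whose body continues outside the hunk, still assigns `subjectAltName` on its own lines, duplicating the assignment in the new callback.
```java
@PostLoad
private void parseTransientFields() {
    try {
        this.diceCertInfo = DiceAttributes.parseDiceCertificate(this.getX509Certificate());
        this.subjectAltName =
                getX509Certificate().getExtensionValue(SUBJECT_ALTERNATIVE_NAME_EXTENSION);
    } catch (IOException e) {
        // Keep the row loadable; the DICE view is simply unavailable for this certificate.
        log.warn("Unable to parse transient IDevID certificate fields", e);
        this.diceCertInfo = null;
    }
}
```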