[#1090] Fix ACA Provisioning Issue When Using ECC Key#1127
Open
ThatSilentCoder wants to merge 36 commits intomainfrom
Open
[#1090] Fix ACA Provisioning Issue When Using ECC Key#1127ThatSilentCoder wants to merge 36 commits intomainfrom
ThatSilentCoder wants to merge 36 commits intomainfrom
Conversation
…hm used throughout the application (prop has been added to the app.properties for both win and linux machines), deleted a repo that wasnt being used anywhere, changed the name of the rest controller and service class, re-wrote the workflow from rest controller to backend since it was setup incorrectly. Provisioning is sort-of crypto-agile. It can parse the rsa key without an issue, now need to work on doing the same for the ecc key.
… array. Fixing up some warnings for the shell scripts.
…n bash scripts. Took care of a majority of them.
…s in the utils class.
…ential using ecc. Fixed the enum class. Removed throws exception decorator from methods. Made abstract processor abstract. Might consider ditching the abstract processor and placing them in a utils class. This might be a bit more complicated than we imagined.
…methods, moved the restconrtoller, service and service impl to a package that makes sense for these classes, deleted abstract processor, moved methods that pertain to each procressor to their respective processor and moved any common utilities to a util function. Might need to change the way we extract the public key algorithm for this to work properly.
…services to reduce the lines of code in some of the bigger processors (and to separate responsibilities). Removed public key algorithm property in app.properties. Can now extract algo from the alg id inside of a byte array. Added a new property to Public Key Algorithm enum.
…tored the device info processor service so now there isnt one huge monolith that handles the device info parsing. Will take on more refactoring for other intricate parts in future commits.
…ed to figure how to remove componetinforepo completely since it is only being used once. Same with device repo.
… need to add algo param to the powershell scripts so this works on windows and will have to address scenarios where the ak and ek keys are not rsa keys. currently have a method that handles that situation but will need to figure out how to implement that issue.
ThatSilentCoder
added
the
refactor
…ripts slowly but surely. Renamed some functions in the service/helper classes.
…n params are set. Corrrected language/presentation of help menu for both bash and ps scripts.
…a, aa, and da parameters and can now set the ecc and rsa configs based on the provided alg param. Corrected spelling, syntax errors, and other minor things to ensure these scripts can be run without any issues.
…toring the cert request processor service. Refactored PS setup script and formatted ps1 scripts. Will work on the method that takes ak and ek ecc key and should be done with draft PR.
…ionerStateService class, moved validation services to the validation service package. Started working on creating a credential blob using two ecc keys. Almost at the finish line.
…provision utils. Can remove WIP from PR.
ThatSilentCoder
requested review from
iadgovuser26,
iadgovuser29 and
iadgovuser59
…e that holds the rest controller, fixed other minor issues.
ThatSilentCoder
commented
Mar 19, 2026
| * Utility class which includes credential management functions used by the ACA. | ||
| */ | ||
| @Log4j2 | ||
| public final class CredentialManagementHelper { |
Collaborator
Author
There was a problem hiding this comment.
This has been refactored to a SpringBoot service class.
| * Interface that defines the responsibilities of the Attestation Certificate Authority service. | ||
| */ | ||
| public interface RestfulInterface { | ||
| public interface AttestationCertificateAuthorityService { |
Collaborator
Author
There was a problem hiding this comment.
Renamed the interface class to better reflect its purpose.
| * Test suite for {@link AttestationCertificateAuthority}. | ||
| */ | ||
| @TestInstance(TestInstance.Lifecycle.PER_CLASS) // needed to use non-static BeforeAll | ||
| public class AttestationCertificateAuthorityTest { |
Collaborator
Author
There was a problem hiding this comment.
The class has been renamed.
| @Log4j2 | ||
| @RestController | ||
| @RequestMapping("/HIRS_AttestationCA") | ||
| public class RestfulAttestationCertificateAuthority extends AttestationCertificateAuthority |
Collaborator
Author
There was a problem hiding this comment.
REST Controller class has been renamed and refactored.
| * | ||
| * @return signature algorithm associated with the private key | ||
| */ | ||
| private String getSignatureAlgorithm() { |
Collaborator
Author
There was a problem hiding this comment.
This function resolves the issue.
| import java.util.List; | ||
|
|
||
| @Log4j2 | ||
| public class CertificateRequestProcessor extends AbstractProcessor { |
Collaborator
Author
There was a problem hiding this comment.
This has been renamed and has been turned into a @service component.
| @@ -1,4 +1,4 @@ | |||
| package hirs.attestationca.persist.service; | |||
| package hirs.attestationca.persist.validation; | |||
|
|
|||
Collaborator
Author
There was a problem hiding this comment.
Moved this Service class to the appropriate package.
| * Identity Request. | ||
| */ | ||
| @Log4j2 | ||
| public abstract class AttestationCertificateAuthority { |
Collaborator
Author
There was a problem hiding this comment.
Has been renamed and refactored into a @service component.
| */ | ||
| @Service | ||
| @Log4j2 | ||
| public class CertificateRequestProcessorService { |
Collaborator
Author
There was a problem hiding this comment.
This is just the refactored version of the original CertificateRequestProcessor
| */ | ||
| @Service | ||
| @Log4j2 | ||
| public class IdentityClaimProcessorService { |
Collaborator
Author
There was a problem hiding this comment.
Refactored version of the Identity Claim Processor class.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Fix exceptions caused by provisioning against the ACA that is setup using the ECC key parameter in the setup script.
Test Instructions:
On Linux:
On Windows (Powershell 7 Core in Admin mode):
On Linux:
On Windows (Powershell 7 Core in Admin mode):
validation enabled, endorsement credential validation enabled, firmware validation enabled.
Summary Of Changes:
Added the
-aca-alg,-ta-alg, and-db-algparameters to the PowerShell scripts to enable ACA setup on Windows using both ECC and RSA. Since introducing these parameters required updates across multiple scripts, additional fixes were made to address improper PowerShell syntax, along with general formatting improvements to the .ps1 files.Used the ShellCheck plugin while updating portions of the Bash scripts to address warnings and potential issues. Also improved the help menu output for better usability.
Refactored the REST controller and service classes (specifically the Identity Claim and Certificate Processor classes) to align with proper Spring Boot MVC design patterns.
Converted the Identity Claim and Certificate Processor classes into Spring-managed services by annotating them with
@Serviceannotation, as they were effectively acting as services.Simplified the Identity Claim and Certificate Processor classes by moving unrelated logic into appropriate service classes, reducing complexity and better adhering to the Single Responsibility Principle.
Converted utility classes used by the Identity Claim and Certificate Processor classes into Spring-managed service classes, as they contained business logic and repository interactions.
ACA can now determine the type of keys being provided, rather than assuming all keys are RSA, and supports handling both ECC and RSA during the provisioning process.
Issues This PR Addresses:
Closes #1090