search

usnistgov / ACVP-Server

A repository tracking releases of NIST's ACVP server. See www.github.com/usnistgov/ACVP for the protocol.
46 stars 16 forks source link

ACVP Server DB consistency issue? #49

Open smuellerDD opened 3 years ago

smuellerDD commented 3 years ago

During preparation of a search capability following https://github.com/usnistgov/ACVP/wiki/Finding-ACVTS-Metadata-IDs-of-Legacy-Validation-Data I tried to query the certificate for our ACVP Proxy tool: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?product=11251.

I queried the Prod server for /acvp/v1/validations/11251 and got:

[
  {
    "acvVersion": "1.0"
  },
  {
    "url": "/acvp/v1/validations/11251",
    "validationId": "AES2189",
    "moduleUrl": "/acvp/v1/modules/428",
    "oeUrls": [
      "/acvp/v1/oes/744"
    ]
  }
]

This is followed by querying the Prod server /acvp/v1/modules/428 and I got

[
  {
    "acvVersion": "1.0"
  },
  {
    "url": "/acvp/v1/modules/428",
    "name": "AES GCM for User Data and Key Wrapping",
    "version": "POPOVICH10 1.0 (Firmware)",
    "type": "Firmware",
    "website": "www.hp.com",
    "vendorUrl": "/acvp/v1/vendors/428",
    "addressUrl": "/acvp/v1/vendors/428/addresses/428",
    "contactUrls": [
      "/acvp/v1/persons/553"
    ],
    "description": "The Hewlett Packard LTO-6 Tape Drive is a multi-chip standalone module composed of hardware and firmware components, providing cryptographic services to a host."
  }
]

This is strange - shouldn't there be my ACVP Proxy entries?

Besides, applying the same queries to the demo server, I get the very same data. What am I missing?

shaneshaffer commented 3 years ago

The CSRC URL you listed is the one that shows all the validations for a given product - you then used that product ID on the validation endpoint. You want the ID from URL from CSRC that is for a single validation, https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?validation=xxxxxx

smuellerDD commented 3 years ago

Am Dienstag, den 08.12.2020, 06:12 -0800 schrieb shaneshaffer:

The CSRC URL you listed is the one that shows all the validations for a given product - you then used that product ID on the validation endpoint. You want the ID from URL from CSRC that is for a single validation, https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?validation=xxxxxx

Agreed, ist.gov/projects/cryptographic-algorithm-validation- program/details?product=11251 shows the validation of our ACVP Proxy.

However, https://github.com/usnistgov/ACVP/wiki/Finding-ACVTS-Metadata-IDs-of-Legacy-Validation-Data says that the ID number in that URL can be used to request validation details via ACVP.

And indeed, this works as outlined in the communication mentioned above. But the returned data is unexpected.