Merge pull request #516 from nsacyber/issue/515

[#515] FIM Assertions visible on cert details page
iadgovuser26 2023-05-10 07:01:03 -04:00 committed by GitHub
commit 003cab023a
2 changed files with 326 additions and 42 deletions


@ -591,6 +591,103 @@
</div>
</div>
</div>
<!-- FIM Add ons -->
<c:set var="platformfwsignatureverification" value="${initialData.tbbSecurityAssertion.getPlatformFwSignatureVerificationStr()}" />
<c:set var="platformfirmwareupdatecompliance" value="${initialData.tbbSecurityAssertion.getPlatformFirmwareUpdateComplianceStr()}" />
<c:set var="firmwarecapabilities" value="${initialData.tbbSecurityAssertion.getFirmwareCapabilitiesStr()}" />
<c:set var="hardwarecapabilities" value="${initialData.tbbSecurityAssertion.getHardwareCapabilitiesStr()}" />
<c:if test="${(not empty platformfwsignatureverification) or (not empty platformfirmwareupdatecompliance) or (not empty firmwarecapabilities) or (not empty hardwarecapabilities)}">
<div class="panel panel-default">
<div class="panel-heading" role="tab" id="headingFour">
<h4 class="panel-title">
<a role="button" data-toggle="collapse" data-parent="#tbbsecurity" class="collapsed"
href="#fimaddonscollapse" aria-expanded="false" aria-controls="fimaddonscollapse">
FIM Platform Firmware Assertions
</a>
</h4>
</div>
<div id="fimaddonscollapse" class="panel-collapse collapse" role="tabpanel" aria-labelledby="headingThree">
<div class="panel-body">
<div id="fimAddons" class="row">
<c:if test="${not empty platformfwsignatureverification}">
<div class="tbbsecurityLine">
<span class="fieldHeader">Signature Verification:</span>
<span class="fieldValue">
<c:if test="${fn:contains(platformfwsignatureverification, '00')}">
<span class="label label-success">HardwareSRTM</span>
</c:if>
<c:if test="${fn:contains(platformfwsignatureverification, '01')}">
<span class="label label-success">SecureBoot</span>
</c:if>
</span>
</div>
</c:if>
<c:if test="${not empty platformfirmwareupdatecompliance}">
<div class="tbbsecurityLine">
<span class="fieldHeader">Update Compliance:</span>
<span class="fieldValue">
<c:if test="${fn:contains(platformfirmwareupdatecompliance, '00')}">
<span class="label label-success">SP800-147</span>
</c:if>
<c:if test="${fn:contains(platformfirmwareupdatecompliance, '01')}">
<span class="label label-success">SP800-147B</span>
</c:if>
<c:if test="${fn:contains(platformfirmwareupdatecompliance, '02')}">
<span class="label label-success">SP800-193</span>
</c:if>
</span>
</div>
</c:if>
<c:if test="${not empty firmwarecapabilities}">
<div class="tbbsecurityLine">
<span class="fieldHeader">Firmware Capabilities:</span>
<span class="fieldValue">
<c:if test="${fn:contains(firmwarecapabilities, '00')}">
<span class="label label-success">fwSetupAuthLocal</span>
</c:if>
<c:if test="${fn:contains(firmwarecapabilities, '01')}">
<span class="label label-success">fwSetupAuthRemote</span>
</c:if>
<c:if test="${fn:contains(firmwarecapabilities, '02')}">
<span class="label label-success">SMMProtection</span>
</c:if>
<c:if test="${fn:contains(firmwarecapabilities, '03')}">
<span class="label label-success">fwKernelDMAProtection</span>
</c:if>
</span>
</div>
</c:if>
<c:if test="${not empty hardwarecapabilities}">
<div class="tbbsecurityLine">
<span class="fieldHeader">Hardware Capabilities:</span>
<span class="fieldValue">
<c:if test="${fn:contains(hardwarecapabilities, '00')}">
<span class="label label-success">IOMMUSupport</span>
</c:if>
<c:if test="${fn:contains(hardwarecapabilities, '01')}">
<span class="label label-success">trustedExecutionEnvironment</span>
</c:if>
<c:if test="${fn:contains(hardwarecapabilities, '02')}">
<span class="label label-success">physicalTamperProtection</span>
</c:if>
<c:if test="${fn:contains(hardwarecapabilities, '03')}">
<span class="label label-success">physicalTamperDetection</span>
</c:if>
<c:if test="${fn:contains(hardwarecapabilities, '04')}">
<span class="label label-success">firmwareFlashWP</span>
</c:if>
<c:if test="${fn:contains(hardwarecapabilities, '05')}">
<span class="label label-success">externalDMASupport</span>
</c:if>
</span>
</div>
</c:if>
</div>
</div>
</div>
</div>
</c:if>
</div>
</div>
</c:if>
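Review bot: The flag tests `fn:contains(platformfwsignatureverification, '00')`, `'01'`, `'02'` and so on look for a two-character substring anywhere in the hex string produced by the `…Str()` getters, so the matches overlap and misfire: a rendering such as `0010` satisfies both the `'00'` and the `'01'` test, and any value whose hex happens to contain `01` straddling an odd offset lights the wrong label. The labels appear to be positional bit names of an ASN.1 BIT STRING (the field is declared `BIT STRING` in the Java Javadoc) while the string being searched is the hex of the raw octets, so unless the issuer encodes each assertion as a literal `00`/`01` byte these tests are unlikely to select the intended bit; worth confirming against a real certificate before relying on the panel. A more robust approach is to add boolean accessors on TBBSecurityAssertion that test the individual bit of the DERBitString and use those in the `c:if` conditions instead of substring matching in the view. Unrelated nit: the collapse panel declares `aria-labelledby="headingThree"` while its heading id is `headingFour`; change it to `aria-labelledby="headingFour"`.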


@ -7,7 +7,13 @@ import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DEROctetString;
import com.fasterxml.jackson.annotation.JsonIgnore;
import hirs.utils.HexUtils;
/**
* Basic class that handle component identifiers from the Platform Configuration
@ -19,7 +25,11 @@ import org.bouncycastle.asn1.DERIA5String;
* fipsLevel [1] IMPLICIT FIPSLevel OPTIONAL,
* rtmType [2] IMPLICIT MeasurementRootType OPTIONAL,
* iso9000Certified BOOLEAN DEFAULT FALSE,
* iso9000Uri IA5STRING (SIZE (1..URIMAX)) OPTIONAL }
* iso9000Uri IA5STRING (SIZE (1..URIMAX)) OPTIONAL,
* platformFwSignatureVerification [3] IMPLICIT BIT STRING OPTIONAL,
* platformFirmwareUpdateCompliance [4] IMPLICIT BIT STRING OPTIONAL,
* firmwareCapabilities [5] IMPLICIT BIT STRING OPTIONAL,
* hardwareCapabilities [6] IMPLICIT BIT STRING OPTIONAL }
* </pre>
*/
public class TBBSecurityAssertion {
@ -27,6 +37,10 @@ public class TBBSecurityAssertion {
private static final int CCINFO = 0;
private static final int FIPSLEVEL = 1;
private static final int RTMTYPE = 2;
private static final int PLATFORMFWSIGNATUREVERIFICATION = 3;
private static final int PLATFORMFIRMWAREUPDATECOMPLIANCE = 4;
private static final int FIRMWARECAPABILITIES = 5;
private static final int HARDWARECAPABILITIES = 6;
/**
* A type to handle the evaluation status used in the Common Criteria Measurement.
@ -94,7 +108,14 @@ public class TBBSecurityAssertion {
private MeasurementRootType rtmType;
private ASN1Boolean iso9000Certified;
private DERIA5String iso9000Uri;
@JsonIgnore
private DERBitString platformFwSignatureVerification;
@JsonIgnore
private DERBitString platformFirmwareUpdateCompliance;
@JsonIgnore
private DERBitString firmwareCapabilities;
@JsonIgnore
private DERBitString hardwareCapabilities;
/**
* Default constructor.
*/
@ -105,6 +126,10 @@ public class TBBSecurityAssertion {
rtmType = null;
iso9000Certified = null;
iso9000Uri = null;
platformFwSignatureVerification = null;
platformFirmwareUpdateCompliance = null;
firmwareCapabilities = null;
hardwareCapabilities = null;
}
/**
@ -113,7 +138,7 @@ public class TBBSecurityAssertion {
* @param version represents the version of the TBB Security Assertion
* @param ccInfo represents the common criteria measures
* @param fipsLevel represent the FIPSLevel
* @param rtmType represent the measurement toot type
* @param rtmType represent the measurement root type
* @param iso9000Certified indicate if is iso9000 certifies
* @param iso9000Uri URI string for the iso9000
*/
@ -123,12 +148,48 @@ public class TBBSecurityAssertion {
final MeasurementRootType rtmType,
final ASN1Boolean iso9000Certified,
final DERIA5String iso9000Uri) {
this(version, ccInfo, fipsLevel, rtmType, iso9000Certified, iso9000Uri,
null, null, null, null);
}
/**
* Constructor given the components values.
*
* @param version represents the version of the TBB Security Assertion
* @param ccInfo represents the common criteria measures
* @param fipsLevel represent the FIPSLevel
* @param rtmType represent the measurement root type
* @param iso9000Certified indicate if is iso9000 certifies
* @param iso9000Uri URI string for the iso9000
* @param platformFwSignatureVerification represent the FIM platform
* firmware signature verification method
* @param platformFirmwareUpdateCompliance represent the FIM platform
* firmware update compliance level
* @param firmwareCapabilities represent the security capabilities of
* the firmware as defined in the FIM
* @param hardwareCapabilities represent the security capabilities of
* the platform motherboard or its attached components
*/
public TBBSecurityAssertion(final ASN1Integer version,
final CommonCriteriaMeasures ccInfo,
final FIPSLevel fipsLevel,
final MeasurementRootType rtmType,
final ASN1Boolean iso9000Certified,
final DERIA5String iso9000Uri,
final DERBitString platformFwSignatureVerification,
final DERBitString platformFirmwareUpdateCompliance,
final DERBitString firmwareCapabilities,
final DERBitString hardwareCapabilities) {
this.version = version;
this.ccInfo = ccInfo;
this.fipsLevel = fipsLevel;
this.rtmType = rtmType;
this.iso9000Certified = iso9000Certified;
this.iso9000Uri = iso9000Uri;
this.platformFwSignatureVerification = null;
this.platformFirmwareUpdateCompliance = null;
this.firmwareCapabilities = null;
this.hardwareCapabilities = null;
}
/**
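Review bot: The new ten-argument constructor discards its four FIM parameters: the last four assignments set `this.platformFwSignatureVerification`, `this.platformFirmwareUpdateCompliance`, `this.firmwareCapabilities` and `this.hardwareCapabilities` to `null` instead of the arguments of the same name, so any caller that builds an assertion through this overload loses the values and the corresponding `…Str()` getters return null (the six-argument overload above delegates with nulls, so it is unaffected). The four lines should assign the parameters, as in the excerpt below. Separately, in the parsing constructor hunk further down, the `nonTaggedPosition == 1` / `== 2` guards on the ASN1Boolean and DERIA5String checks mean a sequence that omits the leading version integer never sets iso9000Certified or iso9000Uri, which the replaced while-loop version did handle; if version is optional in practice that gating looks like a regression and deserves a test.
```java
public TBBSecurityAssertion(final ASN1Integer version,
        // … unchanged: remaining parameters …
        final DERBitString hardwareCapabilities) {
    // … unchanged: version through iso9000Uri assignments …
    this.platformFwSignatureVerification = platformFwSignatureVerification;
    this.platformFirmwareUpdateCompliance = platformFirmwareUpdateCompliance;
    this.firmwareCapabilities = firmwareCapabilities;
    this.hardwareCapabilities = hardwareCapabilities;
}
```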
@ -137,7 +198,6 @@ public class TBBSecurityAssertion {
* @throws IllegalArgumentException if there was an error on the parsing
*/
public TBBSecurityAssertion(final ASN1Sequence sequence) throws IllegalArgumentException {
int index = 0;
//sequence size
int sequenceSize = sequence.size();
@ -148,51 +208,110 @@ public class TBBSecurityAssertion {
rtmType = null;
iso9000Certified = ASN1Boolean.FALSE;
iso9000Uri = null;
platformFwSignatureVerification = null;
platformFirmwareUpdateCompliance = null;
firmwareCapabilities = null;
hardwareCapabilities = null;
// Only contains defaults
if (sequence.size() == 0) {
return;
}
// Get version if present
if (sequence.getObjectAt(index).toASN1Primitive() instanceof ASN1Integer) {
version = ASN1Integer.getInstance(sequence.getObjectAt(index));
index++;
}
// Check if it's a tag value
while (index < sequenceSize
&& sequence.getObjectAt(index).toASN1Primitive() instanceof ASN1TaggedObject) {
ASN1TaggedObject taggedObj = ASN1TaggedObject.getInstance(sequence.getObjectAt(index));
switch (taggedObj.getTagNo()) {
case CCINFO:
ASN1Sequence cciSequence = ASN1Sequence.getInstance(taggedObj, false);
ccInfo = new CommonCriteriaMeasures(cciSequence);
break;
case FIPSLEVEL:
ASN1Sequence fipsSequence = ASN1Sequence.getInstance(taggedObj, false);
fipsLevel = new FIPSLevel(fipsSequence);
break;
case RTMTYPE:
ASN1Enumerated enumarated = ASN1Enumerated.getInstance(taggedObj, false);
rtmType = MeasurementRootType.values()[enumarated.getValue().intValue()];
break;
default:
throw new IllegalArgumentException("TBB Security Assertion contains "
+ "invalid tagged object.");
// Parse sequence elements
int nonTaggedPosition = 0;
for (int index = 0; index < sequenceSize; index++) {
// Get version if present
if (sequence.getObjectAt(index).toASN1Primitive() instanceof ASN1Integer
&& nonTaggedPosition == 0) {
version = ASN1Integer.getInstance(sequence.getObjectAt(index));
nonTaggedPosition++;
}
// Check if it's a tag value
if (sequence.getObjectAt(index).toASN1Primitive() instanceof ASN1TaggedObject) {
ASN1TaggedObject taggedObj =
ASN1TaggedObject.getInstance(sequence.getObjectAt(index));
switch (taggedObj.getTagNo()) {
case CCINFO:
ASN1Sequence cciSequence = ASN1Sequence.getInstance(taggedObj, false);
ccInfo = new CommonCriteriaMeasures(cciSequence);
break;
case FIPSLEVEL:
ASN1Sequence fipsSequence = ASN1Sequence.getInstance(taggedObj, false);
fipsLevel = new FIPSLevel(fipsSequence);
break;
case RTMTYPE:
ASN1Enumerated enumerated =
ASN1Enumerated.getInstance(taggedObj, false);
rtmType =
MeasurementRootType.values()[enumerated.getValue().intValue()];
break;
case PLATFORMFWSIGNATUREVERIFICATION:
if (taggedObj.getObject() instanceof DEROctetString) {
// workaround for an issue with DERBitString.fromOctetString
// in BC 1.59. Looks fixed as of BC 1.69.
platformFwSignatureVerification =
new DERBitString(
((DEROctetString) taggedObj.getObject()).getOctets());
} else {
platformFwSignatureVerification =
DERBitString.getInstance(taggedObj.getObject());
}
break;
case PLATFORMFIRMWAREUPDATECOMPLIANCE:
if (taggedObj.getObject() instanceof DEROctetString) {
// workaround for an issue with DERBitString.fromOctetString
// in BC 1.59. Looks fixed as of BC 1.69.
platformFirmwareUpdateCompliance =
new DERBitString(
((DEROctetString) taggedObj.getObject()).getOctets());
} else {
platformFirmwareUpdateCompliance =
DERBitString.getInstance(taggedObj.getObject());
}
break;
case FIRMWARECAPABILITIES:
if (taggedObj.getObject() instanceof DEROctetString) {
// workaround for an issue with DERBitString.fromOctetString
// in BC 1.59. Looks fixed as of BC 1.69.
firmwareCapabilities =
new DERBitString(
((DEROctetString) taggedObj.getObject()).getOctets());
} else {
firmwareCapabilities =
DERBitString.getInstance(taggedObj.getObject());
}
break;
case HARDWARECAPABILITIES:
if (taggedObj.getObject() instanceof DEROctetString) {
// workaround for an issue with DERBitString.fromOctetString
// in BC 1.59. Looks fixed as of BC 1.69.
hardwareCapabilities =
new DERBitString(
((DEROctetString) taggedObj.getObject()).getOctets());
} else {
hardwareCapabilities =
DERBitString.getInstance(taggedObj.getObject());
}
break;
default:
throw new IllegalArgumentException("TBB Security Assertion contains "
+ "invalid tagged object.");
}
}
// Check if it's a boolean
if (sequence.getObjectAt(index).toASN1Primitive() instanceof ASN1Boolean
&& nonTaggedPosition == 1) {
iso9000Certified = ASN1Boolean.getInstance(sequence.getObjectAt(index));
nonTaggedPosition++;
}
// Check if it's a IA5String
if (sequence.getObjectAt(index).toASN1Primitive() instanceof DERIA5String
&& nonTaggedPosition == 2) {
iso9000Uri = DERIA5String.getInstance(sequence.getObjectAt(index));
nonTaggedPosition++;
}
index++;
}
// Check if it's a boolean
if (index < sequenceSize
&& sequence.getObjectAt(index).toASN1Primitive() instanceof ASN1Boolean) {
iso9000Certified = ASN1Boolean.getInstance(sequence.getObjectAt(index));
index++;
}
// Check if it's a IA5String
if (index < sequenceSize
&& sequence.getObjectAt(index).toASN1Primitive() instanceof DERIA5String) {
iso9000Uri = DERIA5String.getInstance(sequence.getObjectAt(index));
}
}
@ -280,6 +399,74 @@ public class TBBSecurityAssertion {
this.iso9000Uri = iso9000Uri;
}
/**
* @return the platformFwSignatureVerification byte array
*/
public DERBitString getPlatformFwSignatureVerification() {
return platformFwSignatureVerification;
}
/**
* @return the platformFwSignatureVerification as a string
*/
public String getPlatformFwSignatureVerificationStr() {
if (platformFwSignatureVerification == null) {
return null;
}
return HexUtils.byteArrayToHexString(platformFwSignatureVerification.getOctets());
}
/**
* @return the platformFirmwareUpdateCompliance byte array
*/
public DERBitString getPlatformFirmwareUpdateCompliance() {
return platformFirmwareUpdateCompliance;
}
/**
* @return the platformFirmwareUpdateCompliance as a string
*/
public String getPlatformFirmwareUpdateComplianceStr() {
if (platformFirmwareUpdateCompliance == null) {
return null;
}
return HexUtils.byteArrayToHexString(platformFirmwareUpdateCompliance.getOctets());
}
/**
* @return the firmwareCapabilities byte array
*/
public DERBitString getFirmwareCapabilities() {
return firmwareCapabilities;
}
/**
* @return the firmwareCapabilities as a string
*/
public String getFirmwareCapabilitiesStr() {
if (firmwareCapabilities == null) {
return null;
}
return HexUtils.byteArrayToHexString(firmwareCapabilities.getOctets());
}
/**
* @return the hardwareCapabilities byte array
*/
public DERBitString getHardwareCapabilities() {
return hardwareCapabilities;
}
/**
* @return the hardwareCapabilities as a string
*/
public String getHardwareCapabilitiesStr() {
if (hardwareCapabilities == null) {
return null;
}
return HexUtils.byteArrayToHexString(hardwareCapabilities.getOctets());
}
@Override
public String toString() {
StringBuilder sb = new StringBuilder();