[#191] ACA Processing TPM Quote/PCRs from Certificate Request (#197)

* Updated the ACA to verify that the quote and pcrlist exist before trying to parse them.

* Removed unused methods for the tpmquote process.
Cyrus 2019-10-29 09:34:06 -04:00 committed by GitHub
parent c7454c945e
commit 0ede7191ad
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 55 additions and 1 deletions


@ -120,6 +120,7 @@ public abstract class AbstractAttestationCertificateAuthority
private static final String AK_NAME_PREFIX = "000b"; private static final String AK_NAME_PREFIX = "000b";
private static final String AK_NAME_HASH_PREFIX = private static final String AK_NAME_HASH_PREFIX =
"0001000b00050072000000100014000b0800000000000100"; "0001000b00050072000000100014000b0800000000000100";
private static final String TPM_SIGNATURE_ALG = "sha256";
private static final int MAC_BYTES = 6; private static final int MAC_BYTES = 6;
@ -154,6 +155,9 @@ public abstract class AbstractAttestationCertificateAuthority
private final DeviceRegister deviceRegister; private final DeviceRegister deviceRegister;
private final DeviceManager deviceManager; private final DeviceManager deviceManager;
private final DBManager<TPM2ProvisionerState> tpm2ProvisionerStateDBManager; private final DBManager<TPM2ProvisionerState> tpm2ProvisionerStateDBManager;
private String[] pcrsList;
private String tpmQuoteHash;
private String tpmSignatureHash;
/** /**
* Constructor. * Constructor.
@ -372,6 +376,7 @@ public abstract class AbstractAttestationCertificateAuthority
* @param identityClaim the request to process, cannot be null * @param identityClaim the request to process, cannot be null
* @return an identity claim response for the specified request containing a wrapped blob * @return an identity claim response for the specified request containing a wrapped blob
*/ */
@Override
public byte[] processIdentityClaimTpm2(final byte[] identityClaim) { public byte[] processIdentityClaimTpm2(final byte[] identityClaim) {
LOG.debug("Got identity claim"); LOG.debug("Got identity claim");
@ -455,6 +460,7 @@ public abstract class AbstractAttestationCertificateAuthority
* claim handshake * claim handshake
* @return a certificateResponse containing the signed certificate * @return a certificateResponse containing the signed certificate
*/ */
@Override
public byte[] processCertificateRequest(final byte[] certificateRequest) { public byte[] processCertificateRequest(final byte[] certificateRequest) {
LOG.info("Got certificate request"); LOG.info("Got certificate request");
@ -492,6 +498,15 @@ public abstract class AbstractAttestationCertificateAuthority
Set<PlatformCredential> platformCredentials = parsePcsFromIdentityClaim(claim, Set<PlatformCredential> platformCredentials = parsePcsFromIdentityClaim(claim,
endorsementCredential); endorsementCredential);
// Parse through the Provisioner supplied TPM Quote and pcr values
// these fields are optional
if (request.getQuote() != null && !request.getQuote().isEmpty()) {
parseTPMQuote(request.getQuote().toStringUtf8());
}
if (request.getPcrslist() != null && !request.getPcrslist().isEmpty()) {
parsePCRValues(request.getPcrslist().toStringUtf8());
}
// Get device name and device // Get device name and device
String deviceName = claim.getDv().getNw().getHostname(); String deviceName = claim.getDv().getNw().getHostname();
Device device = deviceManager.getDevice(deviceName); Device device = deviceManager.getDevice(deviceName);
@ -521,6 +536,44 @@ public abstract class AbstractAttestationCertificateAuthority
} }
} }
/**
* This method takes the provided TPM Quote and splits it between the PCR
* quote and the signature hash.
* @param tpmQuote contains hash values for the quote and the signature
*/
private void parseTPMQuote(final String tpmQuote) {
if (tpmQuote != null) {
String[] lines = tpmQuote.split(":");
if (lines[1].contains("signature")) {
this.tpmQuoteHash = lines[1].replace("signature", "").trim();
} else {
this.tpmQuoteHash = lines[1].trim();
}
this.tpmSignatureHash = lines[2].trim();
}
}
/**
* This method splits all hashed pcr values into an array.
* @param pcrValues contains the full list of 24 pcr values
*/
private void parsePCRValues(final String pcrValues) {
String[] pcrs = null;
if (pcrValues != null) {
int counter = 0;
String[] lines = pcrValues.split("\\r?\\n");
pcrs = new String[lines.length - 1];
for (String line : lines) {
if (!line.contains(TPM_SIGNATURE_ALG)) {
pcrs[counter++] = line.split(":")[1].trim();
}
}
}
this.pcrsList = pcrs;
}
/** /**
* Parse public key from public data segment generated by TPM 2.0. * Parse public key from public data segment generated by TPM 2.0.
* @param publicArea the public area segment to parse * @param publicArea the public area segment to parse
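Review bot: parseTPMQuote and parsePCRValues index into their split() results without checking the length, and the text they parse comes straight from the provisioner's certificate request. A quote with fewer than two `:` separators, a PCR line without `:`, or a PCR list with no `sha256` header line (so `counter` runs past `lines.length - 1`) throws ArrayIndexOutOfBoundsException inside processCertificateRequest; the `!= null && !isEmpty()` guards at the call site do not cover this. Validate the shape first, e.g. `if (lines.length < 3) { throw new IllegalArgumentException("malformed TPM quote"); }`, and in the PCR loop split once into `parts` and reject the input when `parts.length < 2 || counter >= pcrs.length`. Separately, the results are stored in the instance fields `pcrsList`, `tpmQuoteHash` and `tpmSignatureHash`; if this ACA object is shared across requests (it appears to back a REST controller, which is not confirmed by the visible lines), concurrent certificate requests would overwrite each other's quote data, so returning the parsed values to the caller would be safer than keeping them on `this`.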


@ -67,7 +67,8 @@ public class RestfulAttestationCertificateAuthority
*/ */
@Override @Override
@ResponseBody @ResponseBody
@RequestMapping(value = "/identity-request/process", method = RequestMethod.POST, @RequestMapping(value = "/identity-request/process",
method = RequestMethod.POST,
consumes = MediaType.APPLICATION_OCTET_STREAM_VALUE) consumes = MediaType.APPLICATION_OCTET_STREAM_VALUE)
public byte[] processIdentityRequest(@RequestBody final byte[] request) { public byte[] processIdentityRequest(@RequestBody final byte[] request) {
return super.processIdentityRequest(request); return super.processIdentityRequest(request);