* Updated the ACA to verify that the quote and pcrlist exist before trying to parse them. * Removed unused methods for the tpmquote process.
This commit is contained in:
parent
c7454c945e
commit
0ede7191ad
@ -120,6 +120,7 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
private static final String AK_NAME_PREFIX = "000b";
|
||||
private static final String AK_NAME_HASH_PREFIX =
|
||||
"0001000b00050072000000100014000b0800000000000100";
|
||||
private static final String TPM_SIGNATURE_ALG = "sha256";
|
||||
|
||||
private static final int MAC_BYTES = 6;
|
||||
|
||||
@ -154,6 +155,9 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
private final DeviceRegister deviceRegister;
|
||||
private final DeviceManager deviceManager;
|
||||
private final DBManager<TPM2ProvisionerState> tpm2ProvisionerStateDBManager;
|
||||
private String[] pcrsList;
|
||||
private String tpmQuoteHash;
|
||||
private String tpmSignatureHash;
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
@ -372,6 +376,7 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
* @param identityClaim the request to process, cannot be null
|
||||
* @return an identity claim response for the specified request containing a wrapped blob
|
||||
*/
|
||||
@Override
|
||||
public byte[] processIdentityClaimTpm2(final byte[] identityClaim) {
|
||||
|
||||
LOG.debug("Got identity claim");
|
||||
@ -455,6 +460,7 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
* claim handshake
|
||||
* @return a certificateResponse containing the signed certificate
|
||||
*/
|
||||
@Override
|
||||
public byte[] processCertificateRequest(final byte[] certificateRequest) {
|
||||
LOG.info("Got certificate request");
|
||||
|
||||
@ -492,6 +498,15 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
Set<PlatformCredential> platformCredentials = parsePcsFromIdentityClaim(claim,
|
||||
endorsementCredential);
|
||||
|
||||
// Parse through the Provisioner supplied TPM Quote and pcr values
|
||||
// these fields are optional
|
||||
if (request.getQuote() != null && !request.getQuote().isEmpty()) {
|
||||
parseTPMQuote(request.getQuote().toStringUtf8());
|
||||
}
|
||||
if (request.getPcrslist() != null && !request.getPcrslist().isEmpty()) {
|
||||
parsePCRValues(request.getPcrslist().toStringUtf8());
|
||||
}
|
||||
|
||||
// Get device name and device
|
||||
String deviceName = claim.getDv().getNw().getHostname();
|
||||
Device device = deviceManager.getDevice(deviceName);
|
||||
@ -521,6 +536,44 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* This method takes the provided TPM Quote and splits it between the PCR
|
||||
* quote and the signature hash.
|
||||
* @param tpmQuote contains hash values for the quote and the signature
|
||||
*/
|
||||
private void parseTPMQuote(final String tpmQuote) {
|
||||
if (tpmQuote != null) {
|
||||
String[] lines = tpmQuote.split(":");
|
||||
if (lines[1].contains("signature")) {
|
||||
this.tpmQuoteHash = lines[1].replace("signature", "").trim();
|
||||
} else {
|
||||
this.tpmQuoteHash = lines[1].trim();
|
||||
}
|
||||
this.tpmSignatureHash = lines[2].trim();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* This method splits all hashed pcr values into an array.
|
||||
* @param pcrValues contains the full list of 24 pcr values
|
||||
*/
|
||||
private void parsePCRValues(final String pcrValues) {
|
||||
String[] pcrs = null;
|
||||
|
||||
if (pcrValues != null) {
|
||||
int counter = 0;
|
||||
String[] lines = pcrValues.split("\\r?\\n");
|
||||
pcrs = new String[lines.length - 1];
|
||||
for (String line : lines) {
|
||||
if (!line.contains(TPM_SIGNATURE_ALG)) {
|
||||
pcrs[counter++] = line.split(":")[1].trim();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
this.pcrsList = pcrs;
|
||||
}
|
||||
|
||||
/**
|
||||
* Parse public key from public data segment generated by TPM 2.0.
|
||||
* @param publicArea the public area segment to parse
|
||||
|
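Review bot: Both new parsers index split results without checking their length, so a malformed quote or PCR list from the provisioner turns into an ArrayIndexOutOfBoundsException rather than a rejected request: parseTPMQuote reads `lines[1]` and `lines[2]` from `tpmQuote.split(":")`, and parsePCRValues reads `line.split(":")[1]` on every line and sizes `pcrs` as `lines.length - 1`, which overflows on `pcrs[counter++]` if no line contains the sha256 header. The null/isEmpty guards added in the caller (hunk @ -492) only cover the absent case, not the malformed one, and since this input arrives over the network from the device being enrolled the ACA should validate its shape and fail with whatever exception type processCertificateRequest already maps to a rejected request (IllegalArgumentException below is a placeholder for that). Separately, hunk @ -154 stores the per-request quote, signature and PCR values in instance fields (`pcrsList`, `tpmQuoteHash`, `tpmSignatureHash`); if this class is a singleton bean serving concurrent provisioning requests, one device's quote could be overwritten by another's before it is checked, so consider returning these values to the caller or holding them in a per-request object instead. The hunk ends inside the Javadoc of the following parsePublicKey method.
```java
private void parseTPMQuote(final String tpmQuote) {
    if (tpmQuote != null) {
        String[] lines = tpmQuote.split(":");
        // provisioner-supplied input: reject a malformed quote instead of indexing past the end
        if (lines.length < 3) {
            throw new IllegalArgumentException("TPM quote is malformed: expected 3 ':'-separated fields, got " + lines.length);
        }
        // … unchanged: tpmQuoteHash / tpmSignatureHash assignment …
    }
}

private void parsePCRValues(final String pcrValues) {
    List<String> pcrs = null; // java.util.List/ArrayList, if not already imported

    if (pcrValues != null) {
        pcrs = new ArrayList<>();
        for (String line : pcrValues.split("\\r?\\n")) {
            if (line.contains(TPM_SIGNATURE_ALG)) {
                continue; // algorithm header line, not a PCR entry
            }
            String[] parts = line.split(":");
            if (parts.length < 2) {
                throw new IllegalArgumentException("PCR list entry " + pcrs.size() + " is malformed: no ':' separator");
            }
            pcrs.add(parts[1].trim());
        }
    }

    this.pcrsList = pcrs == null ? null : pcrs.toArray(new String[0]);
}
```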
@ -67,7 +67,8 @@ public class RestfulAttestationCertificateAuthority
|
||||
*/
|
||||
@Override
|
||||
@ResponseBody
|
||||
@RequestMapping(value = "/identity-request/process", method = RequestMethod.POST,
|
||||
@RequestMapping(value = "/identity-request/process",
|
||||
method = RequestMethod.POST,
|
||||
consumes = MediaType.APPLICATION_OCTET_STREAM_VALUE)
|
||||
public byte[] processIdentityRequest(@RequestBody final byte[] request) {
|
||||
return super.processIdentityRequest(request);
|
||||
|