From 17b14262881f37f08026cd03601a4c206c257adb Mon Sep 17 00:00:00 2001 From: apldev3 Date: Tue, 23 Oct 2018 11:40:49 -0400 Subject: [PATCH] [#27] Fix TPMSecurityAssertions Parsing in EndorsementCredential (#31) --- .../certificate/EndorsementCredential.java | 85 +++++++++++++------ .../attributes/TPMSecurityAssertions.java | 2 +- .../EndorsementCredentialTest.java | 15 ++-- 3 files changed, 68 insertions(+), 34 deletions(-) diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/certificate/EndorsementCredential.java b/HIRS_Utils/src/main/java/hirs/data/persist/certificate/EndorsementCredential.java index cf44ab0d..d8226d22 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/certificate/EndorsementCredential.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/certificate/EndorsementCredential.java @@ -366,6 +366,7 @@ public class EndorsementCredential extends DeviceAssociatedCertificate { // The next two are special sequences that have already been matched with an OID. } else if (addToMapping && key.equals(TPM_SPECIFICATION) && seq.size() == ASN1_SEQ_KNOWN_SIZE) { + // Parse TPM Specification DERUTF8String family = (DERUTF8String) seq.getObjectAt(ASN1_FAMILY_INDEX); ASN1Integer level = (ASN1Integer) seq.getObjectAt(ASN1_LEVEL_INDEX); ASN1Integer revision = (ASN1Integer) seq.getObjectAt(ASN1_REV_INDEX); @@ -373,40 +374,68 @@ public class EndorsementCredential extends DeviceAssociatedCertificate { revision.getValue()); LOGGER.debug("Found TPM Spec:" + tpmSpecification.toString()); } else if (addToMapping && key.equals(TPM_SECURITY_ASSERTIONS)) { - // TODO(apldev3): Update this block to properly parse TPM Security Assertions - // per the document "TCG EK Credential Profile For TPM Family 2.0; Level 0" (pg. 19) - ASN1Integer ver = (ASN1Integer) seq.getObjectAt(ASN1_VER_INDEX); - ASN1Boolean fieldUpgradeable = (ASN1Boolean) seq.getObjectAt(ASN1_UPGRADEABLE_INDEX); + // Parse TPM Security Assertions + int seqPosition = 0; + + ASN1Integer ver; + // Parse Security Assertions Version + if (seq.getObjectAt(seqPosition) instanceof ASN1Integer) { + ver = (ASN1Integer) seq.getObjectAt(seqPosition); + seqPosition++; + } else { + // Default value of 1 if field not found + ver = new ASN1Integer(BigInteger.ONE); + } + + ASN1Boolean fieldUpgradeable; + // Parse Security Assertions Field Upgradeable + if (seq.getObjectAt(seqPosition) instanceof ASN1Boolean) { + fieldUpgradeable = (ASN1Boolean) seq.getObjectAt(seqPosition); + seqPosition++; + } else { + // Default value of false if field not found + fieldUpgradeable = ASN1Boolean.getInstance(false); + } + tpmSecurityAssertions = new TPMSecurityAssertions(ver.getValue(), fieldUpgradeable.isTrue()); + LOGGER.debug("Found TPM Assertions: " + tpmSecurityAssertions.toString()); - //iterate through remaining fields to set optional attributes - for (int i = 2; i < seq.size(); i++) { - DERTaggedObject obj = (DERTaggedObject) seq.getObjectAt(i); - int tag = obj.getTagNo(); - if (tag == EK_TYPE_TAG) { - int ekGenTypeVal = ((ASN1Enumerated) obj.getObject()).getValue().intValue(); - if (ekGenTypeVal >= EK_TYPE_VAL_MIN && ekGenTypeVal <= EK_TYPE_VAL_MAX) { - TPMSecurityAssertions.EkGenerationType ekGenType - = TPMSecurityAssertions.EkGenerationType.values()[ekGenTypeVal]; - tpmSecurityAssertions.setEkGenType(ekGenType); - } - } else if (tag == EK_LOC_TAG) { - int ekGenLocVal = ((ASN1Enumerated) obj.getObject()).getValue().intValue(); - if (ekGenLocVal >= EK_LOC_VAL_MIN && ekGenLocVal <= EK_LOC_VAL_MAX) { - TPMSecurityAssertions.EkGenerationLocation ekGenLocation + // Iterate through remaining fields to set optional attributes + for (int i = seqPosition; i < seq.size(); i++) { + if (seq.getObjectAt(i) instanceof DERTaggedObject) { + DERTaggedObject obj = (DERTaggedObject) seq.getObjectAt(i); + int tag = obj.getTagNo(); + if (tag == EK_TYPE_TAG) { + int ekGenTypeVal = ((ASN1Enumerated) obj.getObject()).getValue().intValue(); + if (ekGenTypeVal >= EK_TYPE_VAL_MIN && ekGenTypeVal <= EK_TYPE_VAL_MAX) { + TPMSecurityAssertions.EkGenerationType ekGenType + = TPMSecurityAssertions.EkGenerationType.values()[ekGenTypeVal]; + tpmSecurityAssertions.setEkGenType(ekGenType); + } + } else if (tag == EK_LOC_TAG) { + int ekGenLocVal = ((ASN1Enumerated) obj.getObject()).getValue().intValue(); + if (ekGenLocVal >= EK_LOC_VAL_MIN && ekGenLocVal <= EK_LOC_VAL_MAX) { + TPMSecurityAssertions.EkGenerationLocation ekGenLocation = TPMSecurityAssertions.EkGenerationLocation.values()[ekGenLocVal]; - tpmSecurityAssertions.setEkGenLoc(ekGenLocation); - } - } else if (tag == EK_CERT_LOC_TAG) { - int ekCertGenLocVal = ((ASN1Enumerated) obj.getObject()).getValue().intValue(); - if (ekCertGenLocVal >= EK_LOC_VAL_MIN && ekCertGenLocVal <= EK_LOC_VAL_MAX) { - TPMSecurityAssertions.EkGenerationLocation ekCertGenLoc - = TPMSecurityAssertions.EkGenerationLocation. - values()[ekCertGenLocVal]; - tpmSecurityAssertions.setEkCertGenLoc(ekCertGenLoc); + tpmSecurityAssertions.setEkGenLoc(ekGenLocation); + } + } else if (tag == EK_CERT_LOC_TAG) { + int ekCertGenLocVal = ((ASN1Enumerated) obj.getObject()) + .getValue().intValue(); + if (ekCertGenLocVal >= EK_LOC_VAL_MIN + && ekCertGenLocVal <= EK_LOC_VAL_MAX) { + TPMSecurityAssertions.EkGenerationLocation ekCertGenLoc + = TPMSecurityAssertions.EkGenerationLocation. + values()[ekCertGenLocVal]; + tpmSecurityAssertions.setEkCertGenLoc(ekCertGenLoc); + } } + // ccInfo, fipsLevel, iso9000Certified, and iso9000Uri still to be implemented } + // Will need additional else if case in the future for instanceof ASN1Boolean when + // supporting TPMSecurityAssertions iso9000Certified field, which could be either + // DERTaggedObject or ASN1Boolean } } else { //parse the elements of the sequence individually diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/certificate/attributes/TPMSecurityAssertions.java b/HIRS_Utils/src/main/java/hirs/data/persist/certificate/attributes/TPMSecurityAssertions.java index 2385ba80..7cbb93b1 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/certificate/attributes/TPMSecurityAssertions.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/certificate/attributes/TPMSecurityAssertions.java @@ -12,7 +12,7 @@ import java.math.BigInteger; * * Future iterations of this code may want to reference * www.trustedcomputinggroup.org/wp-content/uploads/Credential_Profile_EK_V2.0_R14_published.pdf - * for specifications for TPM 2.0. + * for specifications for TPM 2.0 (pg. 19). */ @Embeddable public class TPMSecurityAssertions { diff --git a/HIRS_Utils/src/test/java/hirs/data/persist/certificate/EndorsementCredentialTest.java b/HIRS_Utils/src/test/java/hirs/data/persist/certificate/EndorsementCredentialTest.java index f719add0..1ba769f1 100644 --- a/HIRS_Utils/src/test/java/hirs/data/persist/certificate/EndorsementCredentialTest.java +++ b/HIRS_Utils/src/test/java/hirs/data/persist/certificate/EndorsementCredentialTest.java @@ -190,16 +190,21 @@ public class EndorsementCredentialTest { * * @throws IOException if there is a problem reading the cert file at the given path */ - @Test(enabled = false) - // TODO(apldev3): Reenable test when update to security assertions is made in - // EndorsementCredential + @Test public void testTpmSecurityAssertionsParsing() throws IOException { Path fPath = Paths.get(CertificateTest.class .getResource(EK_CERT_WITH_SECURITY_ASSERTIONS).getPath()); EndorsementCredential ec = new EndorsementCredential(fPath); - // TODO(apldev3): Make assertions about TPMSecurityAssertions fields - System.out.println(ec); + TPMSecurityAssertions securityAssertions = ec.getTpmSecurityAssertions(); + Assert.assertEquals(securityAssertions.getVersion(), BigInteger.ONE); + Assert.assertTrue(securityAssertions.isFieldUpgradeable()); + Assert.assertEquals(securityAssertions.getEkGenType(), + TPMSecurityAssertions.EkGenerationType.INJECTED); + Assert.assertEquals(securityAssertions.getEkGenLoc(), + TPMSecurityAssertions.EkGenerationLocation.TPM_MANUFACTURER); + Assert.assertEquals(securityAssertions.getEkCertGenLoc(), + TPMSecurityAssertions.EkGenerationLocation.TPM_MANUFACTURER); } }