ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2025-01-18 18:56:29 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Merge pull request #580 from nsacyber/v3_issue-579

Browse Source 
[#579] MISC ACA issues fixed
This commit is contained in:
Cyrus 2023-09-13 14:29:32 -04:00 committed by GitHub
commit 25101314a2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 211 additions and 142 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

143
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/Certificate.java
View File

@ -4,6 +4,7 @@ import com.fasterxml.jackson.annotation.JsonIgnore;
import com.google.common.base.Preconditions;
import hirs.attestationca.persist.entity.ArchivableEntity;
import hirs.attestationca.persist.entity.userdefined.certificate.CertificateVariables;
import hirs.attestationca.persist.util.CredentialHelper;
import hirs.utils.HexUtils;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
@ -72,7 +73,6 @@ import java.util.List;
import java.util.ListIterator;
import java.util.Objects;
/**
* This class enables the persistence of a single X509 certificates or X509 attribute certificate.
* It stores certain attributes separately from the serialized certificate to enable querying on
@ -312,16 +312,12 @@ public abstract class Certificate extends ArchivableEntity {
// check for and handle possible PEM base 64 encoding
String possiblePem = new String(certificateBytes, StandardCharsets.UTF_8);
if (isPEM(possiblePem)) {
possiblePem = possiblePem.replace(CertificateVariables.PEM_HEADER, "");
possiblePem = possiblePem.replace(CertificateVariables.PEM_FOOTER, "");
possiblePem = possiblePem.replace(CertificateVariables.PEM_ATTRIBUTE_HEADER, "");
possiblePem = possiblePem.replace(CertificateVariables.PEM_ATTRIBUTE_FOOTER, "");
this.certificateBytes = Base64.decode(possiblePem);
if (CredentialHelper.isPEM(possiblePem)) {
this.certificateBytes = CredentialHelper.stripPemHeaderFooter(possiblePem);
}
AuthorityKeyIdentifier authKeyIdentifier;
this.certificateBytes = trimCertificate(this.certificateBytes);
this.certificateBytes = CredentialHelper.trimCertificate(this.certificateBytes);
// Extract certificate data
switch (getCertificateType()) {
@ -345,8 +341,8 @@ public abstract class Certificate extends ArchivableEntity {
this.beginValidity = x509Certificate.getNotBefore();
this.endValidity = x509Certificate.getNotAfter();
this.holderSerialNumber = BigInteger.ZERO;
this.issuerSorted = parseSortDNs(this.issuer);
this.subjectSorted = parseSortDNs(this.subject);
this.issuerSorted = CredentialHelper.parseSortDNs(this.issuer);
this.subjectSorted = CredentialHelper.parseSortDNs(this.subject);
this.policyConstraints = x509Certificate
.getExtensionValue(POLICY_CONSTRAINTS);
authKeyIdentifier = AuthorityKeyIdentifier
@ -438,7 +434,7 @@ public abstract class Certificate extends ArchivableEntity {
this.signature = attCert.getSignatureValue().getBytes();
this.issuer = getAttributeCertificateIssuerNames(
attCertInfo.getIssuer())[0].toString();
this.issuerSorted = parseSortDNs(this.issuer);
this.issuerSorted = CredentialHelper.parseSortDNs(this.issuer);
// Parse notBefore and notAfter dates
this.beginValidity = recoverDate(attCertInfo
@ -468,53 +464,6 @@ public abstract class Certificate extends ArchivableEntity {
this.certAndTypeHash = Objects.hash(certificateHash, getClass().getSimpleName());
}
@SuppressWarnings("magicnumber")
private byte[] trimCertificate(final byte[] certificateBytes) {
int certificateStart = 0;
int certificateLength = 0;
ByteBuffer certificateByteBuffer = ByteBuffer.wrap(certificateBytes);
StringBuilder malformedCertStringBuilder = new StringBuilder(CertificateVariables.MALFORMED_CERT_MESSAGE);
while (certificateByteBuffer.hasRemaining()) {
// Check if there isn't an ASN.1 structure in the provided bytes
if (certificateByteBuffer.remaining() <= 2) {
throw new IllegalArgumentException(malformedCertStringBuilder
.append(" No certificate length field could be found.").toString());
}
// Look for first ASN.1 Sequence marked by the two bytes (0x30) and (0x82)
// The check advances our position in the ByteBuffer by one byte
int currentPosition = certificateByteBuffer.position();
if (certificateByteBuffer.get() == (byte) 0x30
&& certificateByteBuffer.get(currentPosition + 1) == (byte) 0x82) {
// Check if we have anything more in the buffer than an ASN.1 Sequence header
if (certificateByteBuffer.remaining() <= 3) {
throw new IllegalArgumentException(malformedCertStringBuilder
.append(" Certificate is nothing more than ASN.1 Sequence.")
.toString());
}
// Mark the start of the first ASN.1 Sequence / Certificate Body
certificateStart = currentPosition;
// Parse the length as the 2-bytes following the start of the ASN.1 Sequence
certificateLength = Short.toUnsignedInt(
certificateByteBuffer.getShort(currentPosition + 2));
// Add the 4 bytes that comprise the start of the ASN.1 Sequence and the length
certificateLength += 4;
break;
}
}
if (certificateStart + certificateLength > certificateBytes.length) {
throw new IllegalArgumentException(malformedCertStringBuilder
.append(" Value of certificate length field extends beyond length")
.append(" of provided certificate.").toString());
}
// Return bytes representing the main certificate body
return Arrays.copyOfRange(certificateBytes, certificateStart,
certificateStart + certificateLength);
}
/**
* Getter for the CRL Distribution that is reference by the Revocation Locator
* on the portal.
@ -674,10 +623,6 @@ public abstract class Certificate extends ArchivableEntity {
return CertificateType.INVALID_CERTIFICATE;
}
private boolean isPEM(final String possiblePEM) {
return possiblePEM.contains(CertificateVariables.PEM_HEADER)
|| possiblePEM.contains(CertificateVariables.PEM_ATTRIBUTE_HEADER);
}
private String parseKeyUsage(final boolean[] bools) {
StringBuilder sb = new StringBuilder();
@ -685,7 +630,7 @@ public abstract class Certificate extends ArchivableEntity {
if (bools != null) {
for (int i = 0; i < bools.length; i++) {
if (bools[i]) {
sb.append(getKeyUsageString(i));
sb.append(CredentialHelper.getKeyUsageString(i));
}
}
}
@ -693,49 +638,6 @@ public abstract class Certificate extends ArchivableEntity {
return sb.toString();
}
/**
* Return the string associated with the boolean slot.
* @param bit associated with the location in the array.
* @return string value of the bit set.
*/
private String getKeyUsageString(final int bit) {
String tempStr = "";
switch (bit) {
case CertificateVariables.KEY_USAGE_BIT0:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_DS);
break;
case CertificateVariables.KEY_USAGE_BIT1:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_NR);
break;
case CertificateVariables.KEY_USAGE_BIT2:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_KE);
break;
case CertificateVariables.KEY_USAGE_BIT3:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_DE);
break;
case CertificateVariables.KEY_USAGE_BIT4:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_KA);
break;
case CertificateVariables.KEY_USAGE_BIT5:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_KC);
break;
case CertificateVariables.KEY_USAGE_BIT6:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_CS);
break;
case CertificateVariables.KEY_USAGE_BIT7:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_EO);
break;
case CertificateVariables.KEY_USAGE_BIT8:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_DO);
break;
default:
break;
}
return tempStr;
}
/**
* Getter for the authorityKeyIdentifier.
* @return the ID's byte representation
@ -826,35 +728,6 @@ public abstract class Certificate extends ArchivableEntity {
return sb.toString();
}
/**
* This method is to take the DNs from certificates and sort them in an order
* that will be used to lookup issuer certificates. This will not be stored in
* the certificate, just the DB for lookup.
* @param distinguishedName the original DN string.
* @return a modified string of sorted DNs
*/
public static String parseSortDNs(final String distinguishedName) {
StringBuilder sb = new StringBuilder();
String dnsString;
if (distinguishedName == null || distinguishedName.isEmpty()) {
sb.append("BLANK");
} else {
dnsString = distinguishedName.trim();
dnsString = dnsString.toLowerCase();
List<String> dnValArray = Arrays.asList(dnsString.split(","));
Collections.sort(dnValArray);
ListIterator<String> dnListIter = dnValArray.listIterator();
while (dnListIter.hasNext()) {
sb.append(dnListIter.next());
if (dnListIter.hasNext()) {
sb.append(",");
}
}
}
return sb.toString();
}
/**
* Retrieve the original X509 attribute certificate.

2
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentClass.java
View File

@ -30,7 +30,7 @@ public class ComponentClass {
private static final String TCG_COMPONENT_REGISTRY = "2.23.133.18.3.1";
private static final String SMBIOS_COMPONENT_REGISTRY = "2.23.133.18.3.3";
private static final Path JSON_PATH = FileSystems.getDefault()
.getPath("/opt", "hirs", "default-properties", "component-class.json");
.getPath("/etc", "hirs/aca", "default-properties", "component-class.json");
private static final String OTHER_STRING = "Other";
private static final String UNKNOWN_STRING = "Unknown";

165
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/CredentialHelper.java Normal file
View File

@ -0,0 +1,165 @@
package hirs.attestationca.persist.util;
import hirs.attestationca.persist.entity.userdefined.certificate.CertificateVariables;
import lombok.AccessLevel;
import lombok.NoArgsConstructor;
import lombok.extern.log4j.Log4j2;
import org.bouncycastle.util.encoders.Base64;
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.ListIterator;
@Log4j2
@NoArgsConstructor(access = AccessLevel.PRIVATE)
public final class CredentialHelper {
public static boolean isPEM(final String possiblePEM) {
return possiblePEM.contains(CertificateVariables.PEM_HEADER)
|| possiblePEM.contains(CertificateVariables.PEM_ATTRIBUTE_HEADER);
}
public static boolean isMultiPEM(final String possiblePEM) {
boolean multiPem = false;
int iniIndex = possiblePEM.indexOf(CertificateVariables.PEM_HEADER);
if (iniIndex >= 0) {
iniIndex = possiblePEM.indexOf(CertificateVariables.PEM_HEADER,
iniIndex + CertificateVariables.PEM_HEADER.length());
if (iniIndex > 1) {
multiPem = true;
}
}
return multiPem;
}
public static byte[] stripPemHeaderFooter(final String pemFile) {
String strippedFile;
strippedFile = pemFile.replace(CertificateVariables.PEM_HEADER, "");
strippedFile = strippedFile.replace(CertificateVariables.PEM_FOOTER, "");
strippedFile = strippedFile.replace(CertificateVariables.PEM_ATTRIBUTE_HEADER, "");
strippedFile = strippedFile.replace(CertificateVariables.PEM_ATTRIBUTE_FOOTER, "");
return Base64.decode(strippedFile);
}
@SuppressWarnings("magicnumber")
public static byte[] trimCertificate(final byte[] certificateBytes) {
int certificateStart = 0;
int certificateLength = 0;
ByteBuffer certificateByteBuffer = ByteBuffer.wrap(certificateBytes);
StringBuilder malformedCertStringBuilder = new StringBuilder(CertificateVariables.MALFORMED_CERT_MESSAGE);
while (certificateByteBuffer.hasRemaining()) {
// Check if there isn't an ASN.1 structure in the provided bytes
if (certificateByteBuffer.remaining() <= 2) {
throw new IllegalArgumentException(malformedCertStringBuilder
.append(" No certificate length field could be found.").toString());
}
// Look for first ASN.1 Sequence marked by the two bytes (0x30) and (0x82)
// The check advances our position in the ByteBuffer by one byte
int currentPosition = certificateByteBuffer.position();
if (certificateByteBuffer.get() == (byte) 0x30
&& certificateByteBuffer.get(currentPosition + 1) == (byte) 0x82) {
// Check if we have anything more in the buffer than an ASN.1 Sequence header
if (certificateByteBuffer.remaining() <= 3) {
throw new IllegalArgumentException(malformedCertStringBuilder
.append(" Certificate is nothing more than ASN.1 Sequence.")
.toString());
}
// Mark the start of the first ASN.1 Sequence / Certificate Body
certificateStart = currentPosition;
// Parse the length as the 2-bytes following the start of the ASN.1 Sequence
certificateLength = Short.toUnsignedInt(
certificateByteBuffer.getShort(currentPosition + 2));
// Add the 4 bytes that comprise the start of the ASN.1 Sequence and the length
certificateLength += 4;
break;
}
}
if (certificateStart + certificateLength > certificateBytes.length) {
throw new IllegalArgumentException(malformedCertStringBuilder
.append(" Value of certificate length field extends beyond length")
.append(" of provided certificate.").toString());
}
// Return bytes representing the main certificate body
return Arrays.copyOfRange(certificateBytes, certificateStart,
certificateStart + certificateLength);
}
/**
* Return the string associated with the boolean slot.
* @param bit associated with the location in the array.
* @return string value of the bit set.
*/
public static String getKeyUsageString(final int bit) {
String tempStr = "";
switch (bit) {
case CertificateVariables.KEY_USAGE_BIT0:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_DS);
break;
case CertificateVariables.KEY_USAGE_BIT1:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_NR);
break;
case CertificateVariables.KEY_USAGE_BIT2:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_KE);
break;
case CertificateVariables.KEY_USAGE_BIT3:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_DE);
break;
case CertificateVariables.KEY_USAGE_BIT4:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_KA);
break;
case CertificateVariables.KEY_USAGE_BIT5:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_KC);
break;
case CertificateVariables.KEY_USAGE_BIT6:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_CS);
break;
case CertificateVariables.KEY_USAGE_BIT7:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_EO);
break;
case CertificateVariables.KEY_USAGE_BIT8:
tempStr = String.format("%s%n", CertificateVariables.KEY_USAGE_DO);
break;
default:
break;
}
return tempStr;
}
/**
* This method is to take the DNs from certificates and sort them in an order
* that will be used to lookup issuer certificates. This will not be stored in
* the certificate, just the DB for lookup.
* @param distinguishedName the original DN string.
* @return a modified string of sorted DNs
*/
public static String parseSortDNs(final String distinguishedName) {
StringBuilder sb = new StringBuilder();
String dnsString;
if (distinguishedName == null || distinguishedName.isEmpty()) {
sb.append("BLANK");
} else {
dnsString = distinguishedName.trim();
dnsString = dnsString.toLowerCase();
List<String> dnValArray = Arrays.asList(dnsString.split(","));
Collections.sort(dnValArray);
ListIterator<String> dnListIter = dnValArray.listIterator();
while (dnListIter.hasNext()) {
sb.append(dnListIter.next());
if (dnListIter.hasNext()) {
sb.append(",");
}
}
}
return sb.toString();
}
}

25
HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/CertificatePageController.java
View File

@ -14,6 +14,7 @@ import hirs.attestationca.persist.entity.userdefined.certificate.CertificateAuth
import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential;
import hirs.attestationca.persist.entity.userdefined.certificate.IssuedAttestationCertificate;
import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
import hirs.attestationca.persist.util.CredentialHelper;
import hirs.attestationca.portal.datatables.DataTableInput;
import hirs.attestationca.portal.datatables.DataTableResponse;
import hirs.attestationca.portal.datatables.OrderedListQueryDataTableAdapter;
@ -48,12 +49,18 @@ import org.springframework.web.servlet.ModelAndView;
import org.springframework.web.servlet.mvc.support.RedirectAttributes;
import org.springframework.web.servlet.view.RedirectView;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.lang.ref.Reference;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
@ -787,6 +794,24 @@ public class CertificatePageController extends PageController<NoPageParams> {
case ENDORSEMENTCREDENTIAL:
return new EndorsementCredential(fileBytes);
case TRUSTCHAIN:
if (CredentialHelper.isMultiPEM(new String(fileBytes, StandardCharsets.UTF_8))) {
try (ByteArrayInputStream certInputStream = new ByteArrayInputStream(fileBytes)) {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Collection c = cf.generateCertificates(certInputStream);
Iterator i = c.iterator();
while (i.hasNext()) {
storeCertificate(
certificateType,
file.getOriginalFilename(),
messages, new CertificateAuthorityCredential(((java.security.cert.Certificate)i.next()).getEncoded()));
}
// stop the main thread from saving/storing
return null;
} catch (CertificateException e) {
throw new IOException("Cannot construct X509Certificate from the input stream", e);
}
}
return new CertificateAuthorityCredential(fileBytes);
default:
final String failMessage = String.format("Failed to parse uploaded file "

8
HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java
View File

@ -47,7 +47,7 @@ public final class CertificateStringMapBuilder {
HashMap<String, String> data = new HashMap<>();
if (certificate != null) {
data.put("issuer", certificate.getHolderIssuer());
data.put("issuer", certificate.getIssuer());
//Serial number in hex value
data.put("serialNumber", Hex.toHexString(certificate.getSerialNumber().toByteArray()));
if (!certificate.getAuthoritySerialNumber().equals(BigInteger.ZERO)) {
@ -66,9 +66,9 @@ public final class CertificateStringMapBuilder {
if (certificate.getSubject() != null) {
data.put("subject", certificate.getSubject());
if (certificate.getHolderIssuer() != null) {
if (certificate.getIssuer() != null) {
data.put("isSelfSigned",
String.valueOf(certificate.getHolderIssuer().equals(certificate.getSubject())));
String.valueOf(certificate.getIssuer().equals(certificate.getSubject())));
} else {
data.put("isSelfSigned", "false");
}
@ -107,7 +107,7 @@ public final class CertificateStringMapBuilder {
if (missingCert != null) {
data.put("missingChainIssuer", String.format("Missing %s from the chain.",
missingCert.getHolderIssuer()));
missingCert.getIssuer()));
}
List<Certificate> certificates = certificateRepository.findBySubjectSorted(
certificate.getIssuerSorted(), "CertificateAuthorityCredential");

2
HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiGuid.java
View File

@ -24,7 +24,7 @@ public class UefiGuid {
private static final int UUID_EPOCH_DIVISOR = 10000;
private static final Path JSON_PATH = FileSystems.getDefault().getPath("/opt",
"hirs", "default-properties", "vendor-table.json");
"hirs/aca", "default-properties", "vendor-table.json");
private JsonObject uefiVendorRef;
/**
* guid byte array.

8
package/scripts/aca/aca_setup.sh
View File

@ -6,6 +6,9 @@ LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
LOG_DIR="/var/log/hirs/"
LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
HIRS_PROP_DIR="/opt/hirs/default-properties"
HIRS_JSON_DIR="/etc/hirs/aca/default-properties"
COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json'
VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json'
help () {
echo " Setup script for the HIRS ACA"
@ -55,7 +58,10 @@ done
set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters
mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR $HIRS_JSON_DIR
cp -n $COMP_JSON $HIRS_JSON_DIR/
cp -n $VENDOR_TABLE $HIRS_JSON_DIR/
echo "ACA setup log file is $LOG_FILE"