Updated code for the device PCRs. The provisioner now sends everything associated with the tpm_pcrlist. The ACA stores the full list in a flat file and then reads that file back when firmware policy validation is enabled.

Cyrus 2020-07-27 13:58:22 -04:00
parent 3e9d26f598
commit 2e4ecb6829
6 changed files with 38 additions and 55 deletions


@ -66,6 +66,10 @@ import java.math.BigInteger;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
@ -103,6 +107,11 @@ public abstract class AbstractAttestationCertificateAuthority
*/
private static final BigInteger EXPONENT = new BigInteger("010001",
AttestationCertificateAuthority.DEFAULT_IV_SIZE);
private static final String CATALINA_HOME = System.getProperty("catalina.base");
private static final String TOMCAT_UPLOAD_DIRECTORY
= "/webapps/HIRS_AttestationCA/upload/";
private static final String PCR_UPLOAD_FOLDER
= CATALINA_HOME + TOMCAT_UPLOAD_DIRECTORY;
/**
* Number of bytes to include in the TPM2.0 nonce.
@ -508,7 +517,6 @@ public abstract class AbstractAttestationCertificateAuthority
}
if (request.getPcrslist() != null && !request.getPcrslist().isEmpty()) {
this.pcrValues = request.getPcrslist().toStringUtf8();
LOG.error(this.pcrValues);
}
// Get device name and device
@ -1469,7 +1477,7 @@ public abstract class AbstractAttestationCertificateAuthority
IssuedAttestationCertificate attCert = new IssuedAttestationCertificate(
derEncodedAttestationCertificate, endorsementCredential, platformCredentials);
attCert.setDevice(device);
attCert.setPcrValues(pcrValues);
attCert.setPcrValues(savePcrValues(pcrValues, device.getName()));
certificateManager.save(attCert);
} catch (Exception e) {
LOG.error("Error saving generated Attestation Certificate to database.", e);
@ -1478,4 +1486,27 @@ public abstract class AbstractAttestationCertificateAuthority
+ e.getMessage(), e);
}
}
private String savePcrValues(final String pcrValues, final String deviceName) {
try {
if (Files.notExists(Paths.get(PCR_UPLOAD_FOLDER))) {
Files.createDirectory(Paths.get(PCR_UPLOAD_FOLDER));
}
Path pcrPath = Paths.get(String.format("%s/%s",
PCR_UPLOAD_FOLDER, deviceName));
if (Files.notExists(pcrPath)) {
Files.createFile(pcrPath);
}
Files.write(pcrPath, pcrValues.getBytes("UTF8"));
return pcrPath.toString();
} catch (NoSuchFileException nsfEx) {
LOG.error(String.format("File Not found!: %s",
deviceName));
LOG.error(nsfEx);
} catch (IOException ioEx) {
LOG.error(ioEx);
}
return "empty";
}
}
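Review bot: In the new `savePcrValues`, `deviceName` is joined straight into the path with `String.format("%s/%s", PCR_UPLOAD_FOLDER, deviceName)`, so a name containing `../` or a path separator would place the write outside the upload folder; the name appears to come from the provisioning request and should be treated as untrusted. Resolve it against a normalized base and reject anything that escapes: `Path base = Paths.get(PCR_UPLOAD_FOLDER).normalize();`, `Path pcrPath = base.resolve(deviceName).normalize();`, `if (!pcrPath.startsWith(base)) { throw new IllegalArgumentException("invalid device name"); }`. On an I/O failure the method returns the literal `"empty"`, which `attCert.setPcrValues(...)` then stores as if it were a path; failing the save instead would keep a later reader from opening a file named `empty`. The folder also sits under `webapps/HIRS_AttestationCA/`, so it is worth confirming the servlet container does not serve these files.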


@ -316,18 +316,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
return subPlatformScv;
}
/**
* For some reason the code isn't creating the directory it needs or saving
* the info to that file.
* I'm probably going to have to move the setting of the pcr values
* from the abstract ACA class, and then
* save the filename to the data base. Then have just this pull that
* file name and open it. the ACA class saves.
*
*/
private SupplyChainValidation validateFirmware(final Device device,
final PCRPolicy pcrPolicy) {
@ -370,7 +358,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
LOGGER.error(ioEx);
}
}
LOGGER.error(pcrContent);
String[] pcrSet = null;
String[] quote = null;
int algorithmLength = baseline[0].length();
@ -391,7 +378,6 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
// a matching hash length
int offset = 1;
// TDM : I wonder if I can split on the sha line itself
for (int i = 0; i < pcrSet.length; i++) {
if (pcrSet[i].contains("sha")) {
// entered a new set, check size
@ -399,13 +385,12 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
== algorithmLength) {
// found the matching set
for (int j = 0; j <= TPMMeasurementRecord.MAX_PCR_ID; j++) {
quote[j] = pcrSet[++i];
quote[j] = pcrSet[++i].split(":")[1].trim();
}
break;
}
}
}
LOGGER.error(quote[offset]);
if (quote[0].isEmpty()) {
// validation fail
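Review bot: `pcrSet[++i].split(":")[1].trim()` in the inner loop indexes element 1 without checking that the line contained a colon, and `++i` is not bounded by `pcrSet.length`, so a truncated or malformed PCR list throws `ArrayIndexOutOfBoundsException` instead of producing a failed validation. Since the list is whatever the provisioner sent, split defensively with `String[] parts = pcrSet[++i].split(":", 2);` and treat `parts.length < 2`, or running out of lines before the increment, as a validation failure. The body of `validateFirmware` continues outside this hunk, so how `quote` is allocated is not visible here.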


@ -61,6 +61,7 @@ class CommandTpm2 {
static const char* const kTpm2ToolsGetQuoteCommand;
static const char* const kTpm2DefaultQuoteFilename;
static const char* const kTpm2DefaultSigFilename;
static const char* const kTpm2Sha256SigAlgorithm;
static const char* const kTpm2ToolsPcrListCommand;
const hirs::tpm2_tools_utils::Tpm2ToolsVersion version;


@ -123,6 +123,7 @@ const char* const CommandTpm2::kDefaultActivatedIdentityFilename
= "activatedIdentity.secret";
const char* const CommandTpm2::kTpm2DefaultQuoteFilename = "/tmp/quote.bin";
const char* const CommandTpm2::kTpm2DefaultSigFilename = "/tmp/sig.bin";
const char* const CommandTpm2::kTpm2Sha256SigAlgorithm = "sha256";
/**
* Constructor to create an interface to TPM 2.0 devices.


@ -69,7 +69,7 @@ public final class PCRPolicy extends Policy {
LOGGER.info("PCR Policy TBoot Ignore enabled.");
i += NUM_OF_TBOOT_PCR;
}
LOGGER.error(String.format("%s = %s", baselinePcrs[i], quotePcrs[i]));
if (!baselinePcrs[i].equals(quotePcrs[i])) {
sb.append(String.format(failureMsg, i));
}


@ -2,14 +2,9 @@ package hirs.data.persist.certificate;
import hirs.persist.CertificateManager;
import hirs.persist.CertificateSelector;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.NoSuchFileException;
import java.util.Collections;
import java.util.Set;
import java.util.UUID;
@ -26,14 +21,7 @@ import javax.persistence.ManyToOne;
@Entity
public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
private static final Logger LOGGER = LogManager.getLogger(IssuedAttestationCertificate.class);
private static final int MAX_CERT_LENGTH_BYTES = 1024;
private static final String CATALINA_HOME = System.getProperty("catalina.base");
private static final String TOMCAT_UPLOAD_DIRECTORY
= "/webapps/HIRS_AttestationCAPortal/upload/device_pcrs/";
private static final String PCR_UPLOAD_FOLDER
= CATALINA_HOME + TOMCAT_UPLOAD_DIRECTORY;
/**
* AIC label that must be used.
@ -155,29 +143,6 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
* @param pcrValues to be stored.
*/
public void setPcrValues(final String pcrValues) {
this.pcrValues = savePcrValues(pcrValues);
}
private String savePcrValues(final String pcrValues) {
try {
if (Files.notExists(Paths.get(PCR_UPLOAD_FOLDER))) {
Files.createDirectory(Paths.get(PCR_UPLOAD_FOLDER));
}
Path pcrPath = Paths.get(String.format("%s/%s",
PCR_UPLOAD_FOLDER, this.getDevice().getName()));
if (Files.notExists(pcrPath)) {
Files.createFile(pcrPath);
}
Files.write(pcrPath, pcrValues.getBytes("UTF8"));
return pcrPath.toString();
} catch (NoSuchFileException nsfEx) {
LOGGER.error(String.format("File Not found!: %s",
this.getDevice().getName()));
LOGGER.error(nsfEx);
} catch (IOException ioEx) {
LOGGER.error(ioEx);
}
return "";
this.pcrValues = pcrValues;
}
}
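Review bot: `setPcrValues` is now a plain setter, but its caller in the ACA passes the return value of `savePcrValues(pcrValues, device.getName())`, which is `pcrPath.toString()`, so the field holds a file path rather than PCR values. The Javadoc line `@param pcrValues to be stored.` should say so, for example `@param pcrValues path of the flat file holding the device's PCR list`, and a rename of the field or method would make it harder to mistake the value for measurement data. Whatever later opens this stored path should confirm it still resolves inside the upload folder before reading it.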