Merge branch 'main' into v3_issue_546-unittest

This commit is contained in:
D2B8CA1B27286366A8607B6858C0565962613D18D0546480078B520CD7AD705A 2023-07-21 13:36:29 -04:00 committed by GitHub
commit 30c9ddbf7c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
30 changed files with 652 additions and 270 deletions


@ -13,12 +13,11 @@ public interface ReferenceDigestValueRepository extends JpaRepository<ReferenceD
@Query(value = "SELECT * FROM ReferenceDigestValue", nativeQuery = true)
List<ReferenceDigestValue> listAll();
@Query(value = "SELECT * FROM ReferenceDigestValue WHERE model = ?1", nativeQuery = true)
List<ReferenceDigestValue> listByModel(String model);
@Query(value = "SELECT * FROM ReferenceDigestValue WHERE manufacturer = ?1", nativeQuery = true)
List<ReferenceDigestValue> listByManufacturer(String manufacturer);
List<ReferenceDigestValue> findByModel(String model);
List<ReferenceDigestValue> findByManufacturer(String manufacturer);
@Query(value = "SELECT * FROM ReferenceDigestValue WHERE baseRimId = '?1' OR supportRimId = '?1'", nativeQuery = true)
List<ReferenceDigestValue> getValuesByRimId(UUID associatedRimId);
@Query(value = "SELECT * FROM ReferenceDigestValue WHERE supportRimId = '?1'", nativeQuery = true)
List<ReferenceDigestValue> getValuesBySupportRimId(UUID supportRimId);
List<ReferenceDigestValue> findBySupportRimId(UUID supportRimId);
List<ReferenceDigestValue> findBySupportRimHash(String supportRimHash);
}
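Review bot: The native queries at lines 21–24 wrap the positional parameter in quotes (`baseRimId = '?1' OR supportRimId = '?1'`, `supportRimId = '?1'`), which makes `'?1'` a string literal rather than a placeholder, so the UUID argument is never bound (Hibernate either rejects the unused ordinal parameter or compares the column against the literal text). The rendered hunk does not mark sides, and the header counts (-13,12 +13,11) suggest some of these declarations survive; wherever they remain on the new side, drop the quotes, `WHERE baseRimId = ?1 OR supportRimId = ?1`, or use the derived queries this hunk already introduces (`findBySupportRimId`) so Spring Data binds the value itself. `listAll()` at lines 13–14 duplicates `JpaRepository.findAll()` and could simply be removed.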


@ -14,14 +14,12 @@ import java.util.UUID;
@Repository
public interface ReferenceManifestRepository extends JpaRepository<ReferenceManifest, UUID> {
@Query(value = "SELECT * FROM ReferenceManifest WHERE hexDecHash = ?1", nativeQuery = true)
ReferenceManifest findByHash(String rimHash);
@Query(value = "SELECT * FROM ReferenceManifest WHERE hexDecHash = ?1 AND rimType = ?2", nativeQuery = true)
ReferenceManifest findByHash(String rimHash, String rimType);
ReferenceManifest findByHexDecHash(String hexDecHash);
ReferenceManifest findByHexDecHashAndRimType(String hexDecHash, String rimType);
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 AND rimType = 'Base'", nativeQuery = true)
List<BaseReferenceManifest> getBaseByManufacturerModel(String manufacturer, String model);
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND DTYPE = ?2", nativeQuery = true)
List<ReferenceManifest> getByManufacturer(String manufacturer, String dType);
ReferenceManifest getByManufacturer(String manufacturer, String dType);
@Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 AND DTYPE = ?2", nativeQuery = true)
ReferenceManifest getByModel(String model, String dType);
@Query(value = "SELECT * FROM ReferenceManifest WHERE DTYPE = 'BaseReferenceManifest'", nativeQuery = true)
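Review bot: `getByManufacturer` at line 44 declares a single `ReferenceManifest` return for a query whose predicate (`platformManufacturer = ?1 AND DTYPE = ?2`) is not unique — a manufacturer with several models or several uploaded support RIMs yields multiple rows, and Spring Data then throws `IncorrectResultSizeDataAccessException` instead of returning one of them. Either keep the `List<ReferenceManifest>` signature from line 43 and let the caller choose, or narrow the predicate (platformModel, or a hash the caller already knows) so a single result is guaranteed. The hunk's sides are not marked; this assumes line 44 is the new declaration, which the cast at the call site in ReferenceManifestDetailsPageController suggests. `getBaseByManufacturerModel` at line 41 types a native query over ReferenceManifest as `List<BaseReferenceManifest>`, which is only safe because `rimType = 'Base'` is in the SQL — worth a one-line comment.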


@ -3,8 +3,6 @@ package hirs.attestationca.persist.entity.userdefined.rim;
import com.fasterxml.jackson.annotation.JsonIgnore;
import hirs.attestationca.persist.entity.userdefined.ReferenceManifest;
import hirs.attestationca.persist.enums.AppraisalStatus;
import hirs.attestationca.persist.service.ReferenceManifestServiceImpl;
import hirs.attestationca.persist.service.selector.ReferenceManifestSelector;
import hirs.utils.tpm.eventlog.TCGEventLog;
import hirs.utils.tpm.eventlog.TpmPcrEvent;
import jakarta.persistence.Column;
@ -41,66 +39,6 @@ public class EventLogMeasurements extends ReferenceManifest {
@Getter @Setter
private AppraisalStatus.Status overallValidationResult = AppraisalStatus.Status.FAIL;
/**
* This class enables the retrieval of SupportReferenceManifest by their attributes.
*/
public static class Selector extends ReferenceManifestSelector<EventLogMeasurements> {
/**
* Construct a new ReferenceManifestSelector that
* will use the given (@link ReferenceManifestService}
* to retrieve one or may SupportReferenceManifest.
*
* @param referenceManifestManager the reference manifest manager to be used to retrieve
* reference manifests.
*/
public Selector(final ReferenceManifestServiceImpl referenceManifestManager) {
super(referenceManifestManager, EventLogMeasurements.class, false);
}
/**
* Specify the platform manufacturer that rims must have to be considered
* as matching.
* @param manufacturer string for the manufacturer
* @return this instance
*/
public Selector byManufacturer(final String manufacturer) {
setFieldValue(PLATFORM_MANUFACTURER, manufacturer);
return this;
}
/**
* Specify the platform model that rims must have to be considered
* as matching.
* @param model string for the model
* @return this instance
*/
public Selector byModel(final String model) {
setFieldValue(PLATFORM_MODEL, model);
return this;
}
/**
* Specify the device name that rims must have to be considered
* as matching.
* @param deviceName string for the deviceName
* @return this instance
*/
public Selector byDeviceName(final String deviceName) {
setFieldValue("deviceName", deviceName);
return this;
}
/**
* Specify the RIM hash associated with the Event Log.
* @param hexDecHash the hash of the file associated with the rim
* @return this instance
*/
public Selector byHexDecHash(final String hexDecHash) {
setFieldValue(HEX_DEC_HASH_FIELD, hexDecHash);
return this;
}
}
/**
* Support constructor for the RIM object.
*
@ -135,17 +73,6 @@ public class EventLogMeasurements extends ReferenceManifest {
this.pcrHash = 0;
}
/**
* Get a Selector for use in retrieving ReferenceManifest.
*
* @param rimMan the ReferenceManifestService to be used to retrieve
* persisted RIMs
* @return a Selector instance to use for retrieving RIMs
*/
public static Selector select(final ReferenceManifestServiceImpl rimMan) {
return new Selector(rimMan);
}
/**
* Getter method for the expected PCR values contained within the support
* RIM.


@ -1,6 +1,6 @@
package hirs.attestationca.persist.entity.userdefined.rim;
import hirs.attestationca.persist.entity.ArchivableEntity;
import hirs.attestationca.persist.entity.AbstractEntity;
import jakarta.persistence.Access;
import jakarta.persistence.AccessType;
import jakarta.persistence.Column;
@ -26,7 +26,7 @@ import java.util.UUID;
@EqualsAndHashCode(callSuper=false)
@Table(name = "ReferenceDigestValue")
@Access(AccessType.FIELD)
public class ReferenceDigestValue extends ArchivableEntity {
public class ReferenceDigestValue extends AbstractEntity {
@JdbcTypeCode(java.sql.Types.VARCHAR)
@Column
@ -43,6 +43,8 @@ public class ReferenceDigestValue extends ArchivableEntity {
@Column(nullable = false)
private String digestValue;
@Column(nullable = false)
private String supportRimHash;
@Column(nullable = false)
private String eventType;
@Column(columnDefinition = "blob", nullable = true)
private byte[] contentBlob;
@ -64,6 +66,7 @@ public class ReferenceDigestValue extends ArchivableEntity {
this.model = "";
this.pcrIndex = -1;
this.digestValue = "";
this.supportRimHash = "";
this.eventType = "";
this.matchFail = false;
this.patched = false;
@ -79,6 +82,7 @@ public class ReferenceDigestValue extends ArchivableEntity {
* @param model the specific device type
* @param pcrIndex the event number
* @param digestValue the key digest value
* @param supportRimHash the support file's hash value
* @param eventType the event type to store
* @param matchFail the status of the baseline check
* @param patched the status of the value being updated to patch
@ -88,6 +92,7 @@ public class ReferenceDigestValue extends ArchivableEntity {
public ReferenceDigestValue(final UUID baseRimId, final UUID supportRimId,
final String manufacturer, final String model,
final int pcrIndex, final String digestValue,
final String supportRimHash,
final String eventType, final boolean matchFail,
final boolean patched, final boolean updated,
final byte[] contentBlob) {
@ -97,6 +102,7 @@ public class ReferenceDigestValue extends ArchivableEntity {
this.model = model;
this.pcrIndex = pcrIndex;
this.digestValue = digestValue;
this.supportRimHash = supportRimHash;
this.eventType = eventType;
this.matchFail = matchFail;
this.patched = patched;
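Review bot: The new `supportRimHash` column is declared `nullable = false` (line 158) but the constructor stores the parameter unchecked (line 192), so a caller passing `null` fails only at flush time with a constraint violation rather than at construction; `this.supportRimHash = Objects.requireNonNull(supportRimHash, "supportRimHash");` (with `java.util.Objects` imported) reports it at the call site, and the no-arg constructor already establishes `""` as the empty value (line 168). The constructor now takes twelve positional arguments including three adjacent booleans, which is easy to mis-order at call sites; a builder, or a small record for the flag triple, would make the new call in ReferenceManifestPageController readable. Switching the base class from `ArchivableEntity` to `AbstractEntity` (lines 151–152) presumably drops the archive/soft-delete fields, so digest values can now only be hard-deleted — if that is intended, say so in the class Javadoc.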


@ -60,13 +60,13 @@ dependencies {
testImplementation libs.testng
}
//war {
// from(buildDir) {
// include 'VERSION'
// into 'WEB-INF/classes'
// }
// archiveFileName = 'HIRS_AttestationCAPortal.war'
//}
war {
from(buildDir) {
include 'VERSION'
into 'WEB-INF/classes'
}
archiveFileName = 'HIRS_AttestationCAPortal.war'
}
ospackage {
packageName = 'HIRS_AttestationCA'


@ -29,7 +29,6 @@ import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.servlet.ModelAndView;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
@ -234,8 +233,8 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
data.put("pcUriLocal", baseRim.getPcURILocal());
data.put("rimLinkHash", baseRim.getRimLinkHash());
if (baseRim.getRimLinkHash() != null) {
ReferenceManifest rim = referenceManifestRepository.findByHash(baseRim.getRimLinkHash(),
"BaseReferenceManifest");
ReferenceManifest rim = referenceManifestRepository.findByHexDecHashAndRimType(
baseRim.getRimLinkHash(), ReferenceManifest.BASE_RIM);
if (rim != null) {
data.put("rimLinkId", rim.getId());
data.put("linkHashValid", true);
@ -247,27 +246,12 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
List<SwidResource> resources = baseRim.getFileResources();
TCGEventLog logProcessor = null;
List<ReferenceManifest> subManifests;
SupportReferenceManifest support = null;
if (baseRim.getAssociatedRim() == null) {
/**
* Need to have parsing implemented
*/
// referenceManifestRepository.findByHash("hexDecHash", "Support");
subManifests = referenceManifestRepository
support = (SupportReferenceManifest) referenceManifestRepository
.getByManufacturer(baseRim.getPlatformManufacturer(),
"SupportReferenceManifest");
String fileString = new String(baseRim.getRimBytes(), StandardCharsets.UTF_8);
for (ReferenceManifest rim : subManifests) {
if (rim instanceof SupportReferenceManifest) {
support = (SupportReferenceManifest) rim;
if (fileString.contains(rim.getHexDecHash())) {
break;
}
}
}
if (support != null) {
baseRim.setAssociatedRim(support.getId());
}
@ -314,8 +298,8 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
data.replace("signatureValid", true);
break;
}
} catch (SupplyChainValidatorException scvEx) {
log.warn("Error verifying cert chain: " + scvEx.getMessage());
} catch (SupplyChainValidatorException e) {
log.error("Error verifying cert chain: " + e.getMessage());
}
}
}
@ -329,8 +313,6 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
}
} catch (NullPointerException e) {
log.error("Unable to link signing certificate: " + e.getMessage());
} catch (Exception ex) {
log.warn(ex.getMessage());
}
return data;
}
@ -373,8 +355,8 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
// testing this independent of the above if statement because the above
// starts off checking if associated rim is null; that is irrelevant for
// this statement.
measurements = (EventLogMeasurements) referenceManifestRepository.findByHash(support.getHexDecHash(),
"EventLogMeasurements");
measurements = (EventLogMeasurements) referenceManifestRepository.findByHexDecHashAndRimType(support.getHexDecHash(),
ReferenceManifest.MEASUREMENT_RIM);
if (support.isSwidPatch()) {
data.put("swidPatch", "True");
@ -525,7 +507,7 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
data.put("validationResult", measurements.getOverallValidationResult());
data.put("swidBase", true);
List<ReferenceDigestValue> eventValues = new ArrayList<>();
List<ReferenceDigestValue> eventValues = new LinkedList<>();
if (measurements.getDeviceName() != null) {
supports.addAll(referenceManifestRepository.byDeviceName(measurements
.getDeviceName()));
@ -545,7 +527,7 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer
data.put("associatedRim", base.getId());
}
eventValues.addAll(referenceDigestValueRepository.getValuesByRimId(base.getId()));
eventValues.addAll(referenceDigestValueRepository.findBySupportRimId(baseSupport.getId()));
}
}
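Review bot: The support-RIM lookup at lines 250–252 replaces the removed scan (lines 253–261) that checked the base RIM's bytes for each candidate's `hexDecHash` with a single `getByManufacturer(..., "SupportReferenceManifest")` result cast to `SupportReferenceManifest`, so when a manufacturer has more than one support RIM the association written at line 263 is whichever row the query returns (or an `IncorrectResultSizeDataAccessException`, if the repository method now returns one entity). Keep a hash check — look the support RIM up by a hash the base RIM actually references — before calling `baseRim.setAssociatedRim(support.getId())`. The new catch at lines 271–272 logs only `e.getMessage()`; `log.error("Error verifying cert chain", e)` keeps the stack trace. With the old `new String(baseRim.getRimBytes(), StandardCharsets.UTF_8)` gone, the `StandardCharsets` import at line 224 may now be unused — confirm against the rest of the file. `new LinkedList<>()` at line 299 offers nothing over `ArrayList` for a list that is only filled with `addAll` and iterated.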


@ -221,26 +221,25 @@ public class ReferenceManifestPageController extends PageController<NoPageParams
try {
ReferenceManifest referenceManifest = getRimFromDb(id);
List<ReferenceDigestValue> values = new LinkedList<>();
if (referenceManifest == null) {
String notFoundMessage = "Unable to locate RIM with ID: " + id;
messages.addError(notFoundMessage);
log.warn(notFoundMessage);
} else {
// if support rim, update associated events
values = referenceDigestValueRepository.findBySupportRimHash(
referenceManifest.getHexDecHash());
for (ReferenceDigestValue value : values) {
referenceDigestValueRepository.delete(value);
}
referenceManifestRepository.delete(referenceManifest);
String deleteCompletedMessage = "RIM successfully deleted";
messages.addInfo(deleteCompletedMessage);
log.info(deleteCompletedMessage);
// if support rim, update associated events
if (referenceManifest instanceof SupportReferenceManifest) {
List<ReferenceDigestValue> values = referenceDigestValueRepository
.getValuesByRimId(referenceManifest.getId());
for (ReferenceDigestValue value : values) {
referenceDigestValueRepository.delete(value);
}
}
}
} catch (IllegalArgumentException iaEx) {
String uuidError = "Failed to parse ID from: " + id;
@ -396,6 +395,8 @@ public class ReferenceManifestPageController extends PageController<NoPageParams
byte[] fileBytes = new byte[0];
String fileName = file.getOriginalFilename();
BaseReferenceManifest baseRim;
SupportReferenceManifest supportRim;
// build the manifest from the uploaded bytes
try {
@ -409,9 +410,18 @@ public class ReferenceManifestPageController extends PageController<NoPageParams
try {
if (supportRIM) {
supportRims.add(new SupportReferenceManifest(fileName, fileBytes));
supportRim = new SupportReferenceManifest(fileName, fileBytes);
if (referenceManifestRepository.findByHexDecHashAndRimType(supportRim.getHexDecHash(),
supportRim.getRimType()) == null) {
supportRims.add(supportRim);
messages.addInfo("Saved Reference Manifest " + fileName);
}
} else {
baseRims.add(new BaseReferenceManifest(fileName, fileBytes));
baseRim = new BaseReferenceManifest(fileName, fileBytes);
if (referenceManifestRepository.findByHexDecHashAndRimType(baseRim.getHexDecHash(),
baseRim.getRimType()) == null) {
baseRims.add(baseRim);
}
}
} catch (IOException ioEx) {
final String failMessage
@ -489,7 +499,7 @@ public class ReferenceManifestPageController extends PageController<NoPageParams
// So first we'll have to pull values based on support rim
// get by support rim id NEXT
if (dbSupport.getPlatformManufacturer() != null) {
tpmEvents = referenceDigestValueRepository.getValuesBySupportRimId(dbSupport.getAssociatedRim());
tpmEvents = referenceDigestValueRepository.findBySupportRimId(dbSupport.getId());
baseRim = findBaseRim(dbSupport);
if (tpmEvents.isEmpty()) {
try {
@ -498,8 +508,9 @@ public class ReferenceManifestPageController extends PageController<NoPageParams
newRdv = new ReferenceDigestValue(baseRim.getId(),
dbSupport.getId(), dbSupport.getPlatformManufacturer(),
dbSupport.getPlatformModel(), tpe.getPcrIndex(),
tpe.getEventDigestStr(), tpe.getEventTypeStr(),
false, false, true, tpe.getEventContent());
tpe.getEventDigestStr(), dbSupport.getHexDecHash(),
tpe.getEventTypeStr(),false, false,
true, tpe.getEventContent());
this.referenceDigestValueRepository.save(newRdv);
}
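Review bot: The duplicate-upload handling at lines 354–366 gives the user no feedback when `findByHexDecHashAndRimType` finds an existing RIM — both branches silently skip the file — and the two branches are inconsistent: the support branch reports `"Saved Reference Manifest " + fileName` (line 358) while the base branch reports nothing. Add an `else { messages.addInfo("Reference Manifest " + fileName + " already exists"); }` (wording constructed) to both `if`s, and emit the "Saved" message where the manifests are actually persisted, which appears to happen outside this hunk. In the delete path, `values` at line 316 is initialized to a fresh `LinkedList` and then unconditionally reassigned in the `else` branch at line 323, so it can be declared there instead. `tpe.getEventTypeStr(),false` at line 386 is missing a space after the comma.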


@ -3,30 +3,33 @@
#spring.mvc.view.prefix=/WEB-INF/jsp/
#spring.mvc.view.suffix=.jsp
# Logging Config (tomcat may have further config)
logging.level.org.springframework=INFO
logging.level.org.apache.catalina=DEBUG
# Database Config
spring.jpa.hibernate.ddl-auto=update
spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
spring.datasource.username=hirs_db
spring.datasource.password=hirs_db
jakarta.persistence.sharedCache.mode = UNSPECIFIED
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver
#spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
#spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.directory=logs
server.tomcat.accesslog.file-date-format=yyyy-MM-dd
server.tomcat.accesslog.prefix=access_log
server.tomcat.accesslog.suffix=.log
server.tomcat.accesslog.rotate=true
# Tomcat Config
server.tomcat.additional-tld-skip-patterns=jakarta.persistence-api*.jar, jakarta.xml.bind-api*.jar, txw2*.jar, *commons*.jar, *annotations*.jar, *checker*.jar, *lombok*.jar, *jsr*.jar, *guava*.jar, *access*.jar, *activation*.jar, *bcprov*.jar, *bcmail*.jar, *bcutil*.jar, *bcpkix*.jar, *json*.jar
server.tomcat.basedir=/opt/embeddedtomcat
server.servlet.register-default-servlet=true
server.servlet.context-path=/HIRS_AttestationCAPortal
spring.mvc.servlet.path=/portal
server.tomcat.accesslog.enabled=true
server.tomcat.accesslog.directory=/var/log/hirs
server.tomcat.accesslog.file-date-format=yyyy-MM-dd
server.tomcat.accesslog.prefix=Tomcat_accesslog_
server.tomcat.accesslog.suffix=.log
server.tomcat.accesslog.rotate=true
#jdbc.driverClassName = com.mysql.cj.jdbc.Driver
#jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false
#jdbc.username = root
@ -34,3 +37,6 @@ spring.mvc.servlet.path=/portal
#entitymanager.packagesToScan: hirs.attestationca.portal.page.controllers
#spring.jpa.hibernate.ddl-auto=update
#spring.jpa.show-sql=true
# DB dfault password.
spring.datasource.password=hirs_db
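Review bot: `spring.datasource.password=hirs_db` is now set twice, at line 403 and again at line 434 under the `# DB dfault password.` comment; the later key wins in a properties file, so one of them is dead and the duplication will mislead whoever next rotates the credential. Both lines bake a default database password into the packaged application, next to `useSSL=false` on the JDBC URL at line 401; read it from the environment instead, e.g. `spring.datasource.password=${HIRS_DB_PASSWORD}` (variable name constructed), keep the `hirs_db` default only in a developer profile, and fix the `dfault` typo in the comment. `logging.level.org.apache.catalina=DEBUG` at line 398 is verbose for a production default, and the access log now written to `/var/log/hirs` (line 421) requires that directory to exist and be writable by the service user.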


@ -4,7 +4,7 @@
<Console name="STDOUT" target="SYSTEM_OUT">
<PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n"/>
</Console>
<RollingFile name="FILE" fileName="./logs/HIRS_AttestationCA_Portal.log"
<RollingFile name="FILE" fileName="/var/log/hirs/HIRS_AttestationCA_Portal.log"
filePattern="./logs/HIRS_AttestationCA_Portal.log-%d{yyyy-MM-dd}-%i.log" >
<PatternLayout>
<pattern>%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n</pattern>
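Review bot: `fileName` at line 443 now points the active log at `/var/log/hirs/HIRS_AttestationCA_Portal.log`, but `filePattern` at line 444 still rolls into `./logs/HIRS_AttestationCA_Portal.log-%d{yyyy-MM-dd}-%i.log`, so each rollover moves the day's log out of `/var/log/hirs` into a directory relative to the working directory. Change it to `filePattern="/var/log/hirs/HIRS_AttestationCA_Portal.log-%d{yyyy-MM-dd}-%i.log"` so rolled files stay with the active one. Make sure the packaging creates `/var/log/hirs` with permissions for the service account, since a missing or unwritable directory silently disables file logging.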


@ -41,17 +41,14 @@ dependencies {
implementation 'org.apache.logging.log4j:log4j-core:2.19.0'
implementation 'org.apache.logging.log4j:log4j-api:2.19.0'
implementation 'org.glassfish.jaxb:jaxb-runtime:4.0.1'
implementation 'org.junit.jupiter:junit-jupiter-api:5.9.3'
implementation 'org.junit.jupiter:junit-jupiter-engine:5.9.3'
testImplementation 'org.junit.jupiter:junit-jupiter:5.9.3'
testImplementation 'org.junit.platform:junit-platform-launcher:1.9.3'
testImplementation 'org.hamcrest:hamcrest:2.2'
compileOnly libs.lombok
annotationProcessor libs.lombok
//testImplementation 'org.junit.jupiter:junit-jupiter-api:5.6.0'
//testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine'
testImplementation 'org.junit.platform:junit-platform-launcher:1.9.3'
testImplementation 'org.hamcrest:hamcrest:2.2'
}
test {
@ -62,11 +59,11 @@ jar {
duplicatesStrategy = DuplicatesStrategy.EXCLUDE
manifest {
attributes(
'Class-Path': configurations.runtimeClasspath.files.collect { it.getName() }.join(' ')
)
'Class-Path': configurations.runtimeClasspath.files.collect { it.getName() }.join(' ')
)
}
//jar name format: [archiveBaseName]-[archiveAppendix]-[archiveVersion]-[archiveClassifier].[archiveExtension]
archiveVersion = jarVersion
//jar name format: [archiveBaseName]-[archiveAppendix]-[archiveVersion]-[archiveClassifier].[archiveExtension]
archiveVersion = jarVersion
}
//task generateXjcLibrary(type:Exec) {
@ -74,4 +71,4 @@ jar {
//
// commandLine './genXjcLibrary.sh'
//}
//compileJava.dependsOn generateXjcLibrary
//compileJava.dependsOn generateXjcLibrary


@ -0,0 +1,171 @@
package hirs.tpm.eventlog.uefi;
import java.io.IOException;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import com.eclipsesource.json.JsonObject;
import hirs.utils.JsonUtils;
import hirs.utils.tpm.eventlog.uefi.*;
import org.apache.commons.io.IOUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import hirs.utils.HexUtils;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
/**
* Class for testing TCG Event Log processing of UEFI defined Data.
*/
public class UefiProcessingTest {
// Variable files collected using an Event Parsing tool
private static final String JSON_FILE = "/tcgeventlog/uefi/vendor-table.json";
private static final String UEFI_VARIABLE_BOOT = "/tcgeventlog/uefi/EV_EFI_VARIABLE_BOOT.txt";
private static final String UEFI_VARIABLE_BOOT_SECURE_BOOT
= "/tcgeventlog/uefi/EV_EFI_VAR_SECURE_BOOT.txt";
private static final String UEFI_VARIABLE_BOOT_DRIVER_CONFIG_KEK
= "/tcgeventlog/uefi/EV_EFI_VARIABLE_DRIVER_CONFIG_KEK.txt";
private static final String UEFI_GPT_EVENT = "/tcgeventlog/uefi/EV_EFI_GPT_EVENT.txt";
private static final String UEFI_FW_BLOB = "/tcgeventlog/uefi/EFI_PLATFORM_FIRMWARE_BLOB.txt";
private static final String UEFI_DEVICE_PATH = "/tcgeventlog/uefi/EFI_DEVICE_PATH.txt";
private static final Logger LOGGER
= LogManager.getLogger(UefiProcessingTest.class);
/**
* Initializes a <code>SessionFactory</code>.
* The factory is used for an in-memory database that is used for testing.
*/
@BeforeAll
public static final void setup() {
LOGGER.debug("retrieving session factory");
}
/**
* Closes the <code>SessionFactory</code> from setup.
*/
@AfterAll
public static final void tearDown() {
LOGGER.debug("closing session factory");
}
/**
* Tests the processing of UEFI Variables.
*
* @throws IOException when processing the test fails.
* @throws NoSuchAlgorithmException if non TCG Algorithm is encountered.
* @throws CertificateException if parsing issue for X509 cert is encountered.
* @throws URISyntaxException File location exception
*/
@Test
public final void testUefiVariables() throws IOException,
CertificateException, NoSuchAlgorithmException, URISyntaxException {
LOGGER.debug("Testing the parsing of UEFI Variables");
Path jsonPath = Paths.get(this.getClass()
.getResource(JSON_FILE).toURI());
String uefiTxt = IOUtils.toString(this.getClass().getResourceAsStream(UEFI_VARIABLE_BOOT),
"UTF-8");
byte[] uefiVariableBytes = HexUtils.hexStringToByteArray(uefiTxt);
UefiVariable uefiVariable = new UefiVariable(uefiVariableBytes);
UefiGuid guid = uefiVariable.getUefiVarGuid();
String varName = uefiVariable.getEfiVarName();
JsonObject jsonObject = JsonUtils.getSpecificJsonObject(jsonPath, "VendorTable");
String guidStr = jsonObject.getString(
guid.toStringNoLookup().toLowerCase(), "Unknown GUID reference");
Assertions.assertEquals("EFI_Global_Variable", guidStr);
Assertions.assertEquals("BootOrder", varName);
uefiTxt = IOUtils.toString(this.getClass()
.getResourceAsStream(UEFI_VARIABLE_BOOT_SECURE_BOOT),
"UTF-8");
uefiVariableBytes = HexUtils.hexStringToByteArray(uefiTxt);
uefiVariable = new UefiVariable(uefiVariableBytes);
guid = uefiVariable.getUefiVarGuid();
varName = uefiVariable.getEfiVarName();
guidStr = jsonObject.getString(
guid.toStringNoLookup().toLowerCase(), "Unknown GUID reference");
Assertions.assertEquals("EFI_Global_Variable", guidStr);
Assertions.assertEquals("SecureBoot", varName);
uefiTxt = IOUtils.toString(this.getClass().getResourceAsStream(
UEFI_VARIABLE_BOOT_DRIVER_CONFIG_KEK), "UTF-8");
uefiVariableBytes = HexUtils.hexStringToByteArray(uefiTxt);
uefiVariable = new UefiVariable(uefiVariableBytes);
varName = uefiVariable.getEfiVarName();
Assertions.assertEquals("KEK", varName);
}
/**
* Tests the processing of a UEFI defined GPT Partition event.
*
* @throws IOException when processing the test fails.
* @throws NoSuchAlgorithmException if non TCG Algorithm is encountered.
* @throws CertificateException if parsing issue for X509 cert is encountered.
* @throws URISyntaxException File location exception
*/
@Test
public final void testUefiPartiton() throws IOException,
CertificateException, NoSuchAlgorithmException, URISyntaxException {
LOGGER.debug("Testing the parsing of GPT Data");
Path jsonPath = Paths.get(this.getClass()
.getResource(JSON_FILE).toURI());
String uefiTxt = IOUtils.toString(this.getClass().getResourceAsStream(UEFI_GPT_EVENT),
"UTF-8");
byte[] uefiPartitionBytes = HexUtils.hexStringToByteArray(uefiTxt);
UefiPartition gptPart = new UefiPartition(uefiPartitionBytes);
String gptPartName = gptPart.getPartitionName();
UefiGuid gptTypeuid = gptPart.getPartitionTypeGUID();
UefiGuid gptUniqueGuid = gptPart.getUniquePartitionGUID();
JsonObject jsonObject = JsonUtils.getSpecificJsonObject(jsonPath, "VendorTable");
String guidStr = jsonObject.getString(
gptTypeuid.toStringNoLookup().toLowerCase(), "Unknown GUID reference");
Assertions.assertEquals("EFI System Partition", guidStr);
Assertions.assertEquals("8ca7623c-041e-4fab-8c12-f49a86b85d73 : Unknown GUID reference",
gptUniqueGuid.toString());
Assertions.assertEquals("EFI system partition", gptPartName);
}
/**
* Tests the processing of a UEFI defined GPT Partition event.
*
* @throws IOException when processing the test fails.
* @throws NoSuchAlgorithmException if non TCG Algorithm is encountered.
* @throws CertificateException if parsing issue for X509 cert is encountered.
*/
@Test
public final void testUefiFirmwareBlob() throws IOException,
CertificateException, NoSuchAlgorithmException {
LOGGER.debug("Testing the parsing of Uefi Firmware Blob");
String uefiTxt = IOUtils.toString(this.getClass()
.getResourceAsStream(UEFI_FW_BLOB), "UTF-8");
byte[] uefiFwBlobBytes = HexUtils.hexStringToByteArray(uefiTxt);
UefiFirmware uefiFWBlob = new UefiFirmware(uefiFwBlobBytes);
int fwAddress = uefiFWBlob.getPhysicalBlobAddress();
int fwLength = uefiFWBlob.getBlobLength();
Assertions.assertEquals(1797287936, fwAddress);
Assertions.assertEquals(851968, fwLength);
}
/**
* Tests the processing of a UEFI defined Device Path.
*
* @throws IOException when processing the test fails.
* @throws URISyntaxException File location exception
*/
@Test
public final void testUefiDevicePath() throws IOException, URISyntaxException {
LOGGER.debug("Testing the parsing of Uefi Device Path");
String uefiTxt = IOUtils.toString(this.getClass().getResourceAsStream(UEFI_DEVICE_PATH),
"UTF-8");
byte[] uefiFwBlobBytes = HexUtils.hexStringToByteArray(uefiTxt);
UefiDevicePath uefiDevPath = new UefiDevicePath(uefiFwBlobBytes);
String devPathType = uefiDevPath.getType();
Assertions.assertEquals("Media Device Path", devPathType);
}
}
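Review bot: The `setup`/`tearDown` Javadoc at lines 526–540 says they initialize and close a `SessionFactory` for an in-memory database, but both methods only emit a debug log line; either drop the lifecycle methods or change the comments to say what they do, e.g. `Logs the start of the UEFI processing test run.` The `IOUtils.toString(InputStream, "UTF-8")` calls (lines 555, 566, 577, 598, 624, 642) pass the charset by name; `StandardCharsets.UTF_8` avoids the lookup and a typo-prone literal, and since `getResourceAsStream` returns `null` for a missing fixture, an `Assertions.assertNotNull` on the stream before reading turns an NPE into a clear failure. The Javadoc for `testUefiFirmwareBlob` (line 614) is copied from the partition test and describes the wrong event, `testUefiPartiton` is misspelled, and `import hirs.utils.tpm.eventlog.uefi.*` is a wildcard import the project's checkstyle will likely flag.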


@ -0,0 +1 @@
1820d45800000000e0b405000000000000000000000000002c00000000000000040714002ce2edb630defa45bb09ca202c1654b7040614001ae3e1159d9f844c82fb1a707fc0f63b7fff0400


@ -0,0 +1 @@
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


@ -0,0 +1 @@
53706563204944204576656e743033000000000000020002010000000b00200000


@ -0,0 +1 @@
01000000000000004415fdf294972c4a992ee5bbcf20e3940000676300000000


@ -0,0 +1 @@
414350492044415441


@ -0,0 +1 @@
040714002ce2edb630defa45bb09ca202c1654b7040614001ae3e1159d9f844c82fb1a707fc0f63b7fff0400


@ -0,0 +1 @@
0070206b0000000000000d0000000000


@ -0,0 +1 @@
28732ac11ff8d211ba4b00a0c93ec93b3c62a78c1e04ab4f8c12f49a86b85d7300a80f0000000000ffc712000000000000000000000000804500460049002000730079007300740065006d00200070006100720074006900740069006f006e000000000000000000000000000000000000000000000000000000000000000000


@ -0,0 +1 @@
61dfe48bca93d211aa0d00e098032b8c09000000000000000c0000000000000042006f006f0074004f007200640065007200040003000200000001000500


@ -0,0 +1 @@
61dfe48bca93d211aa0d00e098032b8c030000000000000000000000000000004b0045004b00


@ -0,0 +1 @@
61dfe48bca93d211aa0d00e098032b8c0a00000000000000010000000000000053006500630075007200650042006f006f00740000


@ -0,0 +1,233 @@
{
"VendorTable": {
"_comment_1": "UUIDS listed in the UEFI Specification",
"eb9d2d30-2d88-11d3-9a16-0090273fc14d": "ACPI_TABLE_GUID",
"eb9d2d32-2d88-11d3-9a16-0090273fc14d": "SAL_SYSTEM_TABLE_GUID",
"eb9d2d31-2d88-11d3-9a16-0090273fc14d": "SMBIOS_TABLE_GUID",
"f2fd1544-9794-4a2c-992e-e5bbcf20e394": "SMBIOS3_TABLE_GUID",
"eb9d2d2f-2d88-11d3-9a16-0090273fc14d": "MPS_TABLE_GUID",
"8868e871-e4f1-11d3-bc22-0080c73c8881": "EFI_ACPI_TABLE_GUID",
"87367f87-1119-41ce-aaec-8be01101f558": "EFI_JSON_CONFIG_DATA_TABLE_GUID",
"35e7a725-8dd2-4cac-8011-33cda8109056": "EFI_JSON_CAPSULE_DATA_TABLE_GUID",
"dbc461c3-b3de-422a-b9b4-9886fd49a1e5": "EFI_JSON_CAPSULE_RESULT_TABLE_GUID",
"77ab535a-45fc-624b-5560-f7b281d1f96e": "EFI_VIRTUAL_DISK_GUID",
"3d5abd30-4175-87Ce-6d64-d2ADe523C4bb": "EFI_VIRTUAL_CD_GUID",
"5Cea02c9-4d07-69d3-269f-4496Fbe096f9": "EFI_PERSISTENT_VIRTUAL_DISK_GUID",
"08018188-42cd-bb48-100f-5387D53ded3d": "EFI_PERSISTENT_VIRTUAL_CD_GUID",
"_comment_2": "DXE GUIds from https://github.com/linuxboot/linuxboot/blob/master/boards/qemu/image-files.txt",
"fc510ee7-ffdc-11d4-bd41-0080c73c8881": "DXE Apriori-FVRECOVERY",
"1b45cc0a-156a-428a-62af-49864da0e6e6": "PEI Apriori file name",
"80cf7257-87ab-47f9-a3fe-d50b76d89541": "PcdDxe",
"b601f8c4-43b7-4784-95b1-f4226cb40cee": "RuntimeDxe",
"f80697e9-7fd6-4665-8646-88e33ef71dfc": "SecurityStubDxe",
"1a1e4886-9517-440e-9fde-3be44cee2136": "CpuDxe",
"11a6edf6-a9be-426d-a6cc-b22fe51d9224": "PciHotPlugInitDxe",
"128fb770-5e79-4176-9e51-9bb268a17dd1": "PciHostBridgeDxe",
"93b80004-9fb3-11d4-9a3a-0090273fc14d": "PCI Bus Driver - PciBusDxe",
"9b680fce-ad6b-4f3a-b60b-f59899003443": "DevicePathDxe",
"f9d88642-0737-49bc-81b5-6889cd57d9ea": "SmbiosDxe",
"4110465d-5ff3-4f4b-b580-24ed0d06747a": "SmbiosPlatformDxe",
"9622e42c-8e38-4a08-9e8f-54f784652f6b": "AcpiTableDxe",
"49970331-e3fa-4637-9abc-3b7868676970": "AcpiPlatform",
"7e374e25-8e01-4fee-87f2-390c23c606cd": "ACPI data",
"bdce85bb-fbaa-4f4e-9264-501a2c249581": "S3SaveStateDxe",
"d9dcc5df-4007-435e-9098-8970935504b2": "PlatformDxe",
"8657015b-ea43-440d-949a-af3be365c0fc": "IoMmuDxe",
"cbd2e4d5-7068-4ff5-b462-9822b4ad8d60": "VariableRuntimeDxe",
"_comment_3": "PIWG Dxe driver Files (FvFile)from https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/1272444",
"70d57d67-7f05-494d-a014-b75d7345b700": "Storage Security Command Driver",
"3acc966d-8e33-45c6-b4fe-62724bcd15a9": "AHCI Bus Driver",
"67bbc344-84bc-4e5c-b4df-f5e4a00e1f3a": "Host Controller Driver",
"86edaae5-073c-4c89-b949-8984ac8a55f3": "MMC/SD Media Device Driver",
"9e863906-a40f-4875-977F-5b93ff237fc6": "Serial Terminal Driver",
"a6cc6bc8-2ada-46C3-bba4-e99672CC9530": "PCI Serial Driver",
"69fd8e47-a161-4550-b01a-5594ceb2b2b2": "PCI IDE/ATAPI Bus Driver",
"51ccf399-4fdf-4e55-a45b-e123f84d456a": "Platform Console Management Driver",
"6b38f7b4-ad98-40e9-9093-aca2b5a253c4": "Generic Disk I/O Driver",
"2d2e62cf-9ecf-43b7-8219-94e7fC713dfe": "Usb Keyboard Driver",
"9fb4b4a7-42C0-4bcd-8540-9bcc6711f83e": "Usb Mass Storage Driver",
"e3752948-b9a1-4770-90c4-df41c38986be": "QEMU Video Driver",
"240612B7-a063-11d4-9a3a-0090273fc14d": "Usb Bus Driver",
"bdfe430e-8F2a-4db0-9991-6f856594777e": "Usb Ehci Driver",
"2fb92efa-2ee0-4bae-9eB6-7464125E1EF7": "Usb Ehci Driver",
"a92cdb4b-82f1-4e0b-a516-8a655d371524": "Virtio Network Driver",
"4579b72d-7ec4-4dd4-8486-083c86b182a7": "iSCSI Driver",
"3b1deaB5-c75d-442e-9238-8e2ffb62b0bb": "UEFI PXE Base Code Driver",
"6b6963ab-906d-4a65-a7ca-bd40e5d6af2b": "UDP Network Service Driver",
"6d6963ab-906d-4a65-a7ca-bd40e5d6af4d": "Tcp Network Service Driver",
"dc3641b8-2fa8-4ed3-bc1f-f9962a03454b": "MTFTP4 Network Service Driver",
"9fb1a1f3-3b71-4324-b39a-745cbb015fff": "IP4 Network Service Driver",
"26841bde-920a-4e7a-9Fbe-637f477143a6": "IP4 CONFIG Network Service Driver",
"94734718-0bbc-47fb-96a5-ee7a5ae6a2ad": "DHCP Protocol Driver",
"529d3f93-e8e9-4e73-b1e1-bdf6a9d50113": "ARP Network Service Driver",
"e4f61863-fe2c-4b56-a8d4-08519bc439df": "VLAN Configuration Driver",
"a2f436ea-a127-4ef8-957c-8048606ff670": "Simple Network Protocol Driver",
"961578fe-b6b7-44c3-af35-6bc705cd2b1f": "FAT File System Driver",
"0abd8284-6da3-4616-971a-83a5148067ba": "ISA Floppy Driver",
"3dc82376-637b-40a6-a8fc-a565417f2c38": "PS/2 Keyboard Driver",
"93b80003-9fb3-11d4-9a3a-0090273fc14d": "ISA Serial Driver",
"240612b5-a063-11d4-9a3a-0090273fc14a": "ISA Bus Driver",
"99549f44-49bb-4820-b9d2-901329412d67": "IDE Controller Init Driver",
"0a66e322-3740-4cce-ad62-bd172cecca35": "Scsi Disk Driver",
"1fa1f39e-feff-4aae-bd7b-38a070a3b609": "Partition Driver",
"9e863906-a40f-4875-977f-5b93ff237fc6": "Serial Terminal Driver",
"cccb0c28-4b24-11d5-9a5a-0090273fc14d": "Graphics Console Driver",
"408edcec-cf6d-477c-a5a8-b4844e3de281": "Console Splitter Driver",
"fab5d4f4-83c0-4aaf-8480-442d11df6cea": "Virtio SCSI Host Driver",
"11d92dfb-3Ca9-4f93-ba2e-4780ed3e03b5": "Virtio Block Driver",
"33cb97af-6c33-4c42-986b-07581fa366d4": "Block MMIO to Block IO Driver",
"_comment_4": "PIWG Volumes (Fv)",
"a881d567-6cb0-4eee-8435-2e72d33e45B5": "PIWG Default Volume",
"_comment_5": "UEFI UUIDS for Certificates",
"3c5766e8-269c-4e34-aa14-ed776e85b3b6": "EFI_CERT_RSA2048_GUID",
"e2b36190-879b-4a3d-ad8d-f2e7bba32784": "EFI_CERT_RSA2048_SHA256_GUID",
"c1c41626-504c-4092-aca9-41f936934328": "EFI_CERT_SHA256_GUID",
"826ca512-cf10-4ac9-b187-be01496631bd": "EFI_CERT_SHA1_GUID",
"67f8444f-8743-48f1-a328-1eaab8736080": "EFI_CERT_RSA2048_SHA1_GUID",
"a5c059a1-94e4-4aa7-87b5-ab155c2bf072": "EFI_CERT_X509_GUID",
"0b6e5233-a65c-44c9-9407-d9ab83bfc8bd": "EFI_CERT_SHA224_GUID",
"ff3e5307-9fd0-48c9-85f1-8ad56c701e01": "EFI_CERT_SHA384_GUID",
"093e0fae-a6c4-4f50-9f1b-d41e2b89c19a": "EFI_CERT_SHA512_GUID",
"3bd2a492-96c0-4079-b420-fcf98ef103ed": "EFI_CERT_X509_SHA256_GUID",
"7076876e-80c2-4ee6-aad2-28b349a6865b": "EFI_CERT_X509_SHA384_GUID",
"446dbf63-2502-4cda-bcfa-2465d2b0fe9d": "EFI_CERT_X509_SHA512_GUID",
"a7717414-c616-4977-9420-844712a735bf": "EFI_CERT_TYPE_RSA2048_SHA256_GUID",
"_comment_6": "UEFI defined variables",
"452e8ced-dfff-4b8c-ae01-5118862e682c": "EFI_CERT_EXTERNAL_MANAGEMENT_GUID",
"d719b2cb-3d3a-4596-a3bc-dad00e67656f": "EFI_IMAGE_SECURITY_DATABASE_GUID",
"4aafd29d-68df-49ee-8aa9-347d375665a7": "EFI_CERT_TYPE_PKCS7_GUID",
"c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System Partition",
"024DEE41-33E7-11D3-9D69-0008C781F39F": "Partition containing a legacy MBR",
"_comment_7": "RHBoot UEFI Application UUIDs From listed in RHBoot (RHShim) https://github.com/rhboot/efivar/blob/master/src/guids.txt",
"0abba7dc-e516-4167-bbf5-4d9d1c739416": "fwupdate:",
"3b8c8162-188c-46a4-aec9-be43f1d65697": "ux_capsule",
"605dab50-e046-4300-abb6-3dd810dd8b23": "RH_Shim",
"8be4df61-93ca-11d2-aa0d-00e098032b8c": "EFI_Global_Variable",
"91376aff-cba6-42be-949d-06fde81128e8": "GRUB",
"_comment_8": "Partition Table GUIDs",
"0fc63daf-8483-4772-8e79-3d69d8477de4": "Linux filesystem data",
"e6d6d379-f507-44c2-a23c-238f2a3df928": "Logical Volume Manager (LVM) partition",
"4f68bce3-e8cd-4db1-96e7-fbcaf984b709": "Root partition (x86-64)",
"a19d880f-05fc-4d3b-a006-743f0f84911e": "RAID partition",
"933ac7e1-2eb4-4f13-b844-0e14e2aef915": "/home partition[ (x86-64)",
"ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "GPT Basic data partition",
"_comment_9": "RHBoot Lenovo specific UUIDS",
"3cc24e96-22c7-41d8-8863-8e39dcdcc2cf": "lenovo",
"82988420-7467-4490-9059-feb448dd1963": "lenovo_me_config",
"f7e615b-0d45-4f80-88dc-26b234958560": "lenovo_diag",
"665d3f60-ad3e-4cad-8e26-db46eee9f1b5": "lenovo_rescue",
"721c8b66-426c-4e86-8e99-3457c46ab0b9": "lenovo_setup",
"f46ee6f4-4785-43a3-923d-7f786c3c8479": "lenovo_startup_interrupt",
"126a762d-5758-4fca-8531-201a7f57f850": "lenovo_boot_menu",
"a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380": "lenovo_diag_splash",
"_comment_10": "Company UUIDs (From Internet searches)",
"77fa9abd-0359-4d32-bd60-28f4e78f784b": "Microsoft Inc.",
"f5a96b31-dba0-4faa-a42a-7a0c9832768e": "HPE Inc.",
"2879c886-57ee-45cc-b126-f92f24f906b9": "SUSE Certificate",
"70564dce-9afc-4ee3-85fc-949649d7e45c": "Dell Inc.",
"_comment_11": "Intel GUIDS",
"bfcc0833-2125-42d1-8c6d-13821e23c078": "Intel(R) Desktop Boards",
"80b3ad5b-9880-4af9-a645-e56a68be89de": "Intel(R) CISD FW Update",
"_comment_12": "Microsoft GUIDS",
"e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft Reserved Partition (MSR)",
"5808c8aa-7e8f-42e0-85d2-e1e90434cfb3": "Logical Disk Manager (LDM) metadata partition ",
"af9b60a0-1431-4f62-bc68-3311714a69ad": "Logical Disk Manager data partition",
"de94bba4-06d1-4d40-a16a-bfd50179d6ac": "Windows Recovery Environment",
"9f25ee7a-e7b7-11db-94b5-f7e662935912": "Windows Boot Loader",
"_comment_13": "Linux specific GUIDS",
"0fc63daf-8483-4772-8e79-3d69d8477de": "Linux filesystem data",
"44479540-f297-41b2-9af7-d131d5f0458a4": "Root partition (x86)",
"69dad710-2ce4-4e3c-b16c-21a1d49abed3": "Root partition (32-bit ARM)",
"b921b045-1df0-41c3-af44-4c6f280d3fae": "Root partition (64-bit ARM/AArch64)",
"0657fd6d-a4ab-43c4-84e5-0933c84b4f4f": "Swap partition",
"3b8f8425-20e0-4f3b-907f-1a25a76f98e8": "/srv (server data) partition",
"7ffec5c9-2d00-49b7-8941-3ea10a5586b7": "Plain dm-crypt partitiont",
"ca7d7ccb-63ed-4c53-861c-1742536059cc": "LUKS partition",
"_comment_14": "Linux Boot GUIDS https://github.com/linuxboot/linuxboot/blob/master/boards/s2600wf/vendor-files.txt",
"9cfd802c-09a1-43d6-8217-aa49c1f90d2c": "Intel Management Engine BIOS Extension (Mebx)",
"b62efbbb-3923-4cb9-a6e8-db818e828a80": "Intel Management Engine BIOS Extension (Mebx) Setup Browser",
"9ce4325e-003e-11e3-b582-b8ac6f199a57": "Non-Volatile Dual In-line Memory Module (NVDIMM) Driver",
"ea9de6d5-7839-46f7-9e63-4de8b00e2e5d": "NVM DIMM Human Interface Infrastructure (HII)",
"56a1b86f-0d4a-485d-87de-ad0eba1c8c2a": "IBM C Video Gop",
"a1f436ea-a127-4ef8-957c-8048606ff670": "SnpDxe",
"a210f973-229d-4f4d-aa37-9895e6c9eaba": "DpcDxe",
"025bbfc7-e6a9-4b8b-82ad-6815a1aeaf4a": "MNP Network Service Driver - MnpDxe",
"b44b2005-42bc-41c9-80af-abd7dc7d6923": "RSTesSATAEFI",
"15e1e31a-9f9d-4c84-82fb-1a707fc0f63b": "RSTeSATAEFI",
"2cc25173-bd9f-4c89-89cc-29256a3fd9c3": "RSTesSATALegacy",
"bd5d4ca5-674f-4584-8cf9-ce4ea1f54dd1": "RSTeSATALegacy",
"_comment_15": "WinNt GUIDs, add if they are still found in use https://sourceforge.net/p/uefinotes/wiki/FV%20Sources/?version=3",
"fc5c7020-1a48-4198-9be2-ead5abc8cf2f": "BdsDxe",
"d0893f05-b06d-4161-b947-9be9b85ac3a1": "SnpNt32Dxe",
"9b3ada4f-ae56-4c24-8Dea-f03b7558ae50": "PcdPeim",
"34c8c28F-b61c-45a2-8f2e-89e46becc63b": "PeiVariable",
"fe5cea76-4f72-49e8-986f-2cd899dffe5d": "FaultTolerantWriteDxe",
"_comment_16": "Linux Boot Image files UEFI Platform Initialization (PI) specifications Driver Execution Environment (DXE) Architectural protocols and platform modules https://github.com/linuxboot/linuxboot/blob/master/boards/winterfell/image-files.txt",
"5ae3f37e-4eae-41ae-8240-35465b5e81eb": "CORE_DXE",
"cbc59c4a-383a-41eb-a8ee-4498aea567e4": "DXE Runtime",
"3c1de39f-d207-408a-aacc-731cfb7f1dd7": "DXE PciBus",
"80e66e0a-ccd1-43fa-a7b1-2d5ee0f13910": "DXE PciRootBridge",
"9f3a0016-ae55-4288-829d-d22fd344c347": "DXE AmiBoardInfo",
"13ac6dd0-73d0-11d4-b06b-00aa00bd6de7": "DXE EBC",
"e03abadf-e536-4e88-b3a0-b77f78eb34fe": "CPU DXE",
"b7d19491-e55a-470d-8508-85a5dfa41974": "SBDXE",
"e23f86e1-056e-4888-b685-cfcd67c179d4": "DXE SBRun",
"e4ecd0b2-e277-4f2b-becb-e4d75c9a812e": "NBDXE",
"5ad34ba6-f024-2149-52e4-da0398e2bb9": "DXE Services Table",
"_comment_17": "ACPI configuration and tables",
"750890a6-7acf-4f4f-81bd-b400c2bea95a": "AcpiModeEnable",
"d4c05cd1-5eae-431d-a095-13a9e5822045": "MPST",
"db93cb2c-bf1c-431a-abc8-8737bc2afc1f": "PRAD-ACPI-table",
"3bc5b795-a4e0-4d56-9321-316d18a7aefe": "PRAD",
"16d0a23e-c09c-407d-a14a-ad058fdd0ca1": "ACPI",
"26a2481e-4424-46a2-9943-cc4039ead8f8": "S3Save",
"efd652cc-0e99-40f0-96c0-e08c089070fc": "S3Restore",
"8c783970-f02a-4a4d-af09-8797a51eec8d": "PowerManagement",
"299141bb-211a-48a5-92c0-6f9a0a3a006e0": "PowerManagement-ACPI-table",
"2df10014-cf21-4280-8c3f-e539b8ee5150": "PpmPolicyInitDxe",
"4b680e2d-0d63-4f62-b930-7ae995b9b3a3": "SmBusDxe",
"_comment_18": "SMM handlers",
"4a37320b-3fb3-4365-9730-9e89c600395d": "SmmDispatcher",
"753630c9-fae5-47a9-bbbf-88d621cd7282": "SmmChildDispatcher",
"be216ba8-38c4-4535-a6ca-5dca5b43addf": "SmiVariable",
"a56897a1-a77f-4600-84db-22b0a801fa9a": "SmmRuntime",
"d2596f82-f0e1-49fa-95bc-62012c795728": "SmmBase Data",
"69009842-63f2-43db-964b-efad1c39ec85": "SmmBase Data",
"d0632c90-afd7-4492-b186-257c63143c61": "SmmBase",
"7e2d983f-f703-4a29-9761-77b51f5354ed": "SmmCommunicate",
"_comment_19": "CMOS and NVRAM handlers",
"6869c5b3-ac8d-4973-8b37-e354dbf34add": "CmosManagerSmm",
"842a454a-75e5-408b-8b1c-36420e4e3f21": "NvramSmi",
"5446c293-339b-47cd-b719-585de39408cc": "PostReport",
"71ca9ca1-325d-4bfe-afa3-2ec5c94a8680": "DmAcpi",
"cef68c66-06ab-4fb3-a3ed-5ffa885b5725": "SMBiosBoard",
"b13edd38-684c-41ed-a305-d7b7e32497df": "SMBios64",
"ded7956d-7e20-4f20-91a1-190439b04d5b": "SmbiosGetFlashData64",
"daf4bf89-ce71-4917-b522-c89d32fbc59f": "SmbiosStaticData",
"_comment_20": "Apple GUIDS",
"48465300-0000-11aa-aa11-00306543ecac": "Apple Hierarchical File System Plus (HFS+) partition ",
"7c3457ef-0000-11aa-aa11-00306543ecac": "Apple APFS container",
"55465300-0000-11aa-aa11-00306543ecac": "Apple UFS container",
"52414944-0000-11aa-aa11-00306543ecac": "Apple RAID partition",
"4c616265-6c00-11aa-aa11-00306543ecac": "Apple Label",
"53746f72-6167-11aa-aa11-00306543ecac": "Apple Core Storage Container",
"6a898cc3-1dd2-11b2-99a6-080020736631": "ZFS Partition",
"_comment_21": "Chrome OS GUIDS",
"2568845d-2332-4675-bc39-8fa5a4748d15": "Chrome OS kernel ",
"3cb8e202-3b7e-47dd-8a3c-7ff2a13cfcec": "Chrome OS rootfs ",
"2e0a753d-9e48-43b0-8337-b15192cb1b5e": "Chrome OS future use ",
"_comment_22": "Android GUIDS",
"fe3a2a5d-4f32-41a7-b725-accc3285a309": "Android Bootloader",
"114eaffe-1552-4022-b26e-9b053604cf84": "Android Bootloader 2",
"49a4d17f-93a3-45c1-a0de-f50b2ebe2599": "Android Boot",
"4177c722-9e92-4aab-8644-43502bfd5506": "Android Recovery",
"38f428e6-d326-425d-9140-6e0ea133647c": "Android System",
"bd59408b-4514-490d-bf12-9878d963f378": "Android Config",
"8f68cc74-c5e5-48da-be91-a0c8c15e9c80": "Android Factory",
"ac6d7924-eb71-4df8-b48d-e267b27148ff": "Android OEM",
"_comment_23": "MISC GUIDs",
"5023b95c-db26-429b-a648-bd47664c8012": "Built-in EFI Shell",
"610a0202-d308-00c4-0000-000004300d06": "Mystery UUID",
"00000000-0000-0000-0000-000000000000": "Empty UUID"
}
}
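Review bot: Several keys in the new vendor table are not well-formed UUIDs and therefore can never equal a canonically formatted GUID: `f7e615b-0d45-4f80-88dc-26b234958560` (lenovo_diag, first group has only 7 hex digits), `0fc63daf-8483-4772-8e79-3d69d8477de` (a truncated repeat of the "Linux filesystem data" entry), `44479540-f297-41b2-9af7-d131d5f0458a4`, `5ad34ba6-f024-2149-52e4-da0398e2bb9` and `299141bb-211a-48a5-92c0-6f9a0a3a006e0`. The Serial Terminal Driver GUID also appears twice differing only in case (`977F` vs `977f`), and a number of other keys mix upper and lower case; if the consumer compares strings rather than parsed UUIDs, those mixed-case entries will silently miss, so normalising every key to lowercase would be safer. Two values carry typos as well: "Plain dm-crypt partitiont" and "/home partition[ (x86-64)".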


@ -0,0 +1,13 @@
#!/bin/bash
#####################################################################################
#
# Script to run ACA using the gradle spring pluing bootRun command with password set
#
#
####################################################################################
CONFIG_FILE="/etc/hirs/aca/application.properties"
echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index"
./gradlew bootRun --args="--spring.config.location=$CONFIG_FILE"
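Review bot: `./gradlew bootRun` is resolved against the caller's working directory rather than the script's location, so this only works when invoked from the repository root; the sibling setup scripts on this page capture `SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )` and `pushd` into it, and the same pattern would make this script location-independent. The header comment also misspells "plugin" as "pluing".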


@ -1,27 +0,0 @@
#!/bin/bash
# Create aca.poperties file
pki_password=$1
rm -f /etc/hirs/aca.properties
aca_prop_file="/etc/hirs/aca.properties"
echo '# *** ACA Directories ***
aca.directories.root = /etc/hirs/
aca.directories.certificates = ${aca.directories.root}/certificates' > $aca_prop_file
echo '# *** Certificate and Key Properties ***
aca.setup.keys.rsa.keySize = 3072
aca.setup.keys.ecc.keySize = 512
aca.setup.certificates.validity = 3652
aca.setup.certificates.subjectName = HIRS_AttestationCA
aca.setup.certificates.expiration = ${aca.setup.certificates.validity}' >> $aca_prop_file
echo '# *** Keystore properties ***
aca.keyStore.alias = HIRS_ACA_KEY
aca.keyStore.rsa.alias = hirs_leaf_ca1_rsa_3072_sha384
aca.keyStore.ecc.alias = hirs_leaf_ca1_ecc_512_sha384
aca.keyStore.location = ${aca.directories.certificates}/keyStore.jks
aca.keyStore.password = '$pki_password >> $aca_prop_file


@ -1,23 +1,50 @@
#!/bin/bash
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties'
HIRS_CONF_DIR=/etc/hirs/aca
LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log
LOG_DIR="/var/log/hirs/"
HIRS_PROP_DIR="/opt/hirs/default-properties"
COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json'
VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json'
LOG_FILE="$LOG_DIR$LOG_FILE_NAME"
echo "LOG_FILE is $LOG_FILE"
pushd $SCRIPT_DIR
if [ "$EUID" -ne 0 ]
then echo "The first time this script is run, this script requires root. Please run as root"
exit 1
fi
sh ../db/db_create.sh
mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR
echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE"
pushd $SCRIPT_DIR &>/dev/null
# Copy HIRS configuration and data files if not a package install
if [ -f $SPRING_PROP_FILE ]; then
cp -n $SPRING_PROP_FILE $HIRS_CONF_DIR/.
cp -n $COMP_JSON $HIRS_PROP_DIR/.
cp -n $VENDOR_TABLE $HIRS_PROP_DIR/.
fi
sh ../db/db_create.sh $LOG_FILE
if [ $? -eq 0 ]; then
echo "ACA database setup complete"
echo "ACA database setup complete" | tee -a "$LOG_FILE"
else
echo "Error setting up ACA DB"
echo "Error setting up ACA DB" | tee -a "$LOG_FILE"
exit 1
fi
sh ../pki/pki_setup.sh
sh ../pki/pki_setup.sh $LOG_FILE
if [ $? -eq 0 ]; then
echo "ACA PKI setup complete"
echo "ACA PKI setup complete" | tee -a "$LOG_FILE"
else
echo "Error setting up ACA PKI"
echo "Error setting up ACA PKI" | tee -a "$LOG_FILE"
exit 1
fi
echo "ACA setup complete"
popd
echo "ACA setup complete" | tee -a "$LOG_FILE"
popd &>/dev/null
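Review bot: `$HIRS_CONF_DIR` and the copied `application.properties` are created with the default umask, yet that same file later receives the keystore and truststore passwords (the pki setup on this page appends `server.ssl.key-store-password=` to `/etc/hirs/aca/application.properties`), so the directory and file should be restricted to the service account after the copy, e.g. `chmod 750 "$HIRS_CONF_DIR"` and `chmod 640 "$HIRS_CONF_DIR/application.properties"`. The unquoted `$SPRING_PROP_FILE`, `$COMP_JSON`, `$VENDOR_TABLE` and `$LOG_FILE` expansions also break on paths containing spaces; quoting them, including the `sh ../db/db_create.sh "$LOG_FILE"` and `sh ../pki/pki_setup.sh "$LOG_FILE"` arguments, is a cheap fix. Since `cp -n` never overwrites, a stale `application.properties` from an earlier install silently wins over the packaged one, which is worth stating in the comment above the copy block.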


@ -1,9 +0,0 @@
# *** ACA Directories ***
aca.directories.root = /etc/hirs/
aca.directories.certificates = ${aca.directories.root}/certificates
# *** Certificate and Key Properties ***
aca.setup.keys.rsa.keySize = 3072
aca.setup.keys.ecc.keySize = 512
aca.setup.certificates.validity = 3652
aca.setup.certificates.subjectName = HIRS_AttestationCA
aca.setup.certificates.expiration = ${aca.setup.certificates.validity}


@ -23,6 +23,11 @@ organizationalUnitName = optional
commonName = optional
emailAddress = optional
[ alternate_names ]
DNS.1 = localhost
DNS.2 = localhost.localdomain
DNS.3 = 127.0.0.1
[ ca_extensions ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
basicConstraints = critical,CA:true,pathlen:1
@ -35,19 +40,17 @@ crlDistributionPoints = URI:https://example.com/crl
[ server_extensions ]
keyUsage = critical,digitalSignature,keyEncipherment
basicConstraints = CA:false
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
authorityInfoAccess = caIssuers;URI:https://example.com/certs
authorityInfoAccess = caIssuers;URI:https://example.com/certs
crlDistributionPoints = URI:https://example.com/crl
subjectAltName = @alternate_names
[ signer_extensions ]
keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:false
keyUsage = critical, digitalSignature
authorityInfoAccess = caIssuers;URI:https://example.com/certs/
crlDistributionPoints = URI:https://example.com/crl
crlDistributionPoints = URI:https://example.com/crl
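Review bot: `DNS.3 = 127.0.0.1` in `[ alternate_names ]` encodes the loopback address as a dNSName, which TLS clients do not match against an IP literal in the URL; OpenSSL expects `IP.1 = 127.0.0.1` for that entry, so with the portal advertised at `https://localhost:8443` the name is covered by `DNS.1`/`DNS.2` but the address needs the `IP.` form. `extendedKeyUsage = serverAuth,clientAuth` on `server_extensions` also lets the portal certificate authenticate as a TLS client; unless mutual TLS with this certificate is intended, `serverAuth` alone is the tighter choice. The `authorityInfoAccess` and `crlDistributionPoints` URIs still point at `example.com` placeholders, so any client that attempts revocation checking against these certificates will fail or ignore them; a comment noting that they must be replaced for a real deployment would help.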


@ -20,6 +20,7 @@ ASYM_ALG=$2
ASYM_SIZE=$3
HASH_ALG=$4
PASS=$5
LOG_FILE=$6
ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test root ca"
INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test intermediate ca"
LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test ca"
@ -32,13 +33,17 @@ KEYSTORE=KeyStore.jks
# Parameter check
if [ -z "${ACTOR}" ] || [ -z "${ASYM_ALG}" ] || [ -z "${ASYM_SIZE}" ] || [ -z "${HASH_ALG}" ] || [ "${ACTOR}" == "-h" ] || [ "${ACTOR}" == "--help" ]; then
echo "parameter missing to pki_chain_gen.sh, exiting pki setup"
echo "parameter missing to pki_chain_gen.sh, exiting pki setup" | tee -a "$LOG_FILE"
exit 1;
fi
if ! { [ $ASYM_ALG == "rsa" ] || [ $ASYM_ALG == "ecc" ]; }; then
echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup"
exit 1
echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup" | tee -a "$LOG_FILE"
exit 1;
fi
if [ -z ${LOG_FILE} ]; then
LOG_FILE="/dev/null"
fi
case $ASYM_SIZE in
@ -52,7 +57,7 @@ case $ASYM_SIZE in
3072) KSIZE=3k;;
4096) KSIZE=4k;;
*)
echo "$ASYM_SIZE is an unsupported key size, exiting pki setup"
echo "$ASYM_SIZE is an unsupported key size, exiting pki setup" | tee -a "$LOG_FILE"
exit 1;;
esac
@ -76,21 +81,37 @@ TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal"
# Add check for existing folder and halt if it exists
if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then
echo "Folder for $CERT_FOLDER exists, exiting..."
echo "Folder for $CERT_FOLDER exists, exiting..." | tee -a "$LOG_FILE"
exit 1;
fi
# Intialize sub folders
#echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..."
echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..." | tee -a "$LOG_FILE"
mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs
cp ca.conf "$ACTOR_ALT"/.
pushd "$ACTOR_ALT" &> /dev/null
touch ca/db
touch openssl-san.cnf
if [ ! -f "ca/serial.txt" ]; then
echo "01" > ca/serial.txt
echo "01" > ca/serial.txt | tee -a "$LOG_FILE"
fi
# Function to add Cert to Truststore and key to Keystore
add_to_stores () {
CERT_PATH=$1
ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
echo "Addding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE"
# Add the cert and key to the key store. make a p12 file to import into te keystore
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
# Use the p12 file to import into a java keystore via keytool
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1
# Import the cert into a java trust store via keytool
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
# Remove the temp p1 file.
rm tmpkey.p12
}
# Function to create an Intermediate Key, CSR, and Certificate
# PARMS:
# 1. Cert Type String
@ -101,27 +122,23 @@ create_cert () {
CERT_PATH="$1"
ISSUER="$2"
SUBJ_DN="$3"
EXTENSION="$4"
ISSUER_KEY="$ISSUER".key
ISSUER_CERT="$ISSUER".pem
ALIAS=${CERT_PATH#*/} # Use filename without path as an alias
if [ "$CERT_TYPE" == "rim_signer" ]; then
EXTENSION="signer_extensions"
else
EXTENSION="ca_extensions"
fi
echo "Creating cert for "$CERT_TYPE" using $ISSUER_KEY with a DN="$SUBJ_DN"..."
echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..." | tee -a "$LOG_FILE"
if [ "$ASYM_ALG" == "rsa" ]; then
openssl req -newkey rsa:"$ASYM_SIZE" \
-keyout "$CERT_PATH".key \
-out "$CERT_PATH".csr -subj "$SUBJ_DN" \
-passout pass:"$PASS" &> /dev/null
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
else
openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null
openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" &> /dev/null
openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key >> "$LOG_FILE" 2>&1
openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1
fi
openssl ca -config ca.conf \
-keyfile "$ISSUER_KEY" \
-md $HASH_ALG \
@ -131,17 +148,18 @@ create_cert () {
-in "$CERT_PATH".csr \
-passin pass:"$PASS" \
-batch \
-notext &> /dev/null
-notext >> "$LOG_FILE" 2>&1
# Increment the cert serial number
awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt &> /dev/null
SERIAL=$(awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt)
echo "Cert Serial Number = $SERIAL" >> "$LOG_FILE";
# remove csr file
rm -f "$CERT_PATH".csr
# Add the cert and key to the key store. make a p12 file to import into te keystore
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -passout pass:$PASS
openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1
# Use the p12 file to import into a java keystore via keytool
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" &> /dev/null
keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1
# Import the cert into a java trust store via keytool
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" &> /dev/null
keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1
# Remove the temp p1 file.
rm tmpkey.p12
}
@ -149,53 +167,58 @@ create_cert () {
create_cert_chain () {
# Create an intermediate CA, Sign with Root CA
create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN"
create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN" "ca_extensions"
# Create a Leaf CA (CA1), Sign with intermediate CA
create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1
create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1 "ca_extensions"
# Create a Leaf CA (CA2), Sign with intermediate CA
create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2
create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2 "ca_extensions"
# Create a Leaf CA (CA3), Sign with intermediate CA
create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3
create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3 "ca_extensions"
# Create a RIM Signer
create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN"
create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN" "signer_extensions"
# Create a ACA Sever Cert for TLS use
create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN"
create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" "server_extensions"
# Create Cert trust store by adding the Intermediate and root certs
cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" > "$TRUST_STORE_FILE"
# echo "Checking signer cert using tust store..."
openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem
openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE"
}
if [ "$ASYM_ALG" == "rsa" ]; then
if [ "$ASYM_ALG" == "rsa" ]; then
# Create Root CA key pair and self signed cert
openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" &> /dev/null
echo "Generating RSA Root CA ...." | tee -a "$LOG_FILE"
openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1
# Create a self signed CA certificate
openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
-extensions ca_extensions -out "$PKI_ROOT".pem \
-passout pass:"$PASS" &> /dev/null
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
# Add the CA root cert to the Trust and Key stores
add_to_stores $PKI_ROOT
# Create an intermediate CA, 2 Leaf CAs, and Signer Certs
create_cert_chain
create_cert_chain
fi
if [ "$ASYM_ALG" == "ecc" ]; then
# Create Root CA key pair and self signed cert
openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key
echo "Generating Ecc Root CA ...." | tee -a "$LOG_FILE"
openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1
# Create a self signed CA certificate
openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \
-extensions ca_extensions -out "$PKI_ROOT".pem \
-passout pass:"$PASS"
-passout pass:"$PASS" >> "$LOG_FILE" 2>&1
# Add the CA root cert to the Trust and Key stores
add_to_stores $PKI_ROOT
# Create an intermediate CA, 2 Leaf CAs, and Signer Certs
create_cert_chain
fi
fi
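Review bot: The new `add_to_stores` function duplicates the PKCS#12 export and the two keytool imports that `create_cert` still performs inline at its end, so the two copies will drift; `create_cert` (which begins above the hunk) should finish with `add_to_stores "$CERT_PATH"` instead. In both copies `-destalias` is separated from its value by `-J-Dcom.redhat.fips=false`, which appears to work only because the keytool launcher strips `-J` options before option parsing; placing the flag first (`keytool -J-Dcom.redhat.fips=false -importkeystore ...`) removes that dependence. `echo "01" > ca/serial.txt | tee -a "$LOG_FILE"` writes nothing to the log because the redirection already consumed stdout. The pipe into `tee` after `openssl verify` discards the verify exit status, so a signer certificate that fails to chain to the trust store goes unnoticed; enabling `set -o pipefail` (the script already relies on bash) and exiting non-zero on failure would make the check meaningful. The store and PKCS#12 passwords are also passed as command-line arguments, where other local processes can read them; keytool's `-srcstorepass:env VAR` form and openssl's `-passout env:VAR` avoid that exposure.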


@ -6,48 +6,59 @@
#
############################################################################################
PROP_FILE=/etc/hirs/aca/application.properties
LOG_FILE=$1
# Capture location of the script to allow from invocation from any location
SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; )
echo "SCRIPT_DIR is $SCRIPT_DIR" | tee -a "$LOG_FILE"
# Check for sudo or root user
if [ "$EUID" -ne 0 ]
then echo "The first time this script is run, this script requires root. Please run as root" | tee -a "$LOG_FILE"
exit 1
fi
# Set HIRS PKI password
if [ -z $HIRS_PKI_PWD ]; then
# Create a 32 character random password
PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9')
#PKI_PASS="xrb204k"
fi
# Create an ACA properties file using the new password
pushd $SCRIPT_DIR &> /dev/null
if [ ! -f "/etc/hirs/aca/aca.properties" ]; then
if [ -d /opt/hirs/scripts/aca ]; then
ACA_SETUP_DIR="/opt/hirs/scripts/aca"
else
ACA_SETUP_DIR=="$SCRIPT_DIR/../aca"
fi
echo "ACA_SETUP_DIR is $ACA_SETUP_DIR"
sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS
echo "Using randomly generated password" | tee -a "$LOG_FILE"
else
echo "aca property file exists, skipping"
fi
popd &> /dev/null
PKI_PASS=$HIRS_PKI_PWD
echo "Using system supplied password" | tee -a "$LOG_FILE"
fi
# Create Cert Chains
if [ ! -d "/etc/hirs/certificates" ]; then
if [ -d /opt/hirs/scripts/pki ]; then
if [ -d "/opt/hirs/scripts/pki" ]; then
PKI_SETUP_DIR="/opt/hirs/scripts/pki"
else
PKI_SETUP_DIR=="$SCRIPT_DIR/../pki"
PKI_SETUP_DIR="$SCRIPT_DIR"
fi
echo "PKI_SETUP_DIR is $PKI_SETUP_DIR"
echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | tee -a "$LOG_FILE"
mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE"
mkdir -p /etc/hirs/certificates/
pushd /etc/hirs/certificates/ &> /dev/null
cp $PKI_SETUP_DIR/ca.conf .
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS"
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"
sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
popd &> /dev/null
# Add tomcat TLS support to the application.properties file
echo "# Tomcat TLS support">> $PROP_FILE
echo "server.port=8443">> $PROP_FILE
echo "server.ssl.enabled=true">> $PROP_FILE
echo "server.ssl.trust-store-type=JKS">> $PROP_FILE
echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE
echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
echo "server.ssl.key-store-type=JKS">> $PROP_FILE
echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE
echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
else
echo "/etc/hirs/certificates exists, skipping"
echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
fi