ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-18 20:47:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

FirmwareScvValidator rename tcgMeasurementLog -> eventLog, tpmPcrEvents -> failedPcrValues. Checkstyle changes.

Browse Source
This commit is contained in:
chubtub 2024-11-06 14:35:42 -05:00
parent 4af1c0a726
commit 3e8e55a00c
1 changed files with 29 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java
View File

@ -12,8 +12,8 @@ import hirs.attestationca.persist.entity.userdefined.rim.EventLogMeasurements;
import hirs.attestationca.persist.entity.userdefined.rim.ReferenceDigestValue; import hirs.attestationca.persist.entity.userdefined.rim.ReferenceDigestValue;
import hirs.attestationca.persist.enums.AppraisalStatus; import hirs.attestationca.persist.enums.AppraisalStatus;
import hirs.attestationca.persist.service.ValidationService; import hirs.attestationca.persist.service.ValidationService;
import hirs.utils.rim.ReferenceManifestValidator;
import hirs.utils.SwidResource; import hirs.utils.SwidResource;
import hirs.utils.rim.ReferenceManifestValidator;
import hirs.utils.tpm.eventlog.TCGEventLog; import hirs.utils.tpm.eventlog.TCGEventLog;
import hirs.utils.tpm.eventlog.TpmPcrEvent; import hirs.utils.tpm.eventlog.TpmPcrEvent;
import lombok.extern.log4j.Log4j2; import lombok.extern.log4j.Log4j2;
@ -24,7 +24,12 @@ import java.security.KeyStore;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.*; import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.FAIL;
import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS; import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS;
@ -35,7 +40,6 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
private static PcrValidator pcrValidator; private static PcrValidator pcrValidator;
/** /**
*
* @param device * @param device
* @param policySettings * @param policySettings
* @param referenceManifestRepository * @param referenceManifestRepository
@ -66,7 +70,8 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
// In this case, try to look up the event log associated with the device, then get the base rim associated by event log hash // In this case, try to look up the event log associated with the device, then get the base rim associated by event log hash
List<ReferenceManifest> deviceRims = referenceManifestRepository.findByDeviceName(hostName); List<ReferenceManifest> deviceRims = referenceManifestRepository.findByDeviceName(hostName);
for (ReferenceManifest deviceRim : deviceRims) { for (ReferenceManifest deviceRim : deviceRims) {
if (deviceRim instanceof BaseReferenceManifest && !deviceRim.isSwidSupplemental() && !deviceRim.isSwidPatch()) { if (deviceRim instanceof BaseReferenceManifest && !deviceRim.isSwidSupplemental() &&
!deviceRim.isSwidPatch()) {
baseReferenceManifest = (BaseReferenceManifest) deviceRim; baseReferenceManifest = (BaseReferenceManifest) deviceRim;
} }
@ -77,7 +82,9 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
// Attempt to get an event log from the database matching the expected hash // Attempt to get an event log from the database matching the expected hash
if (baseReferenceManifest == null && measurement != null) { if (baseReferenceManifest == null && measurement != null) {
baseReferenceManifest = (BaseReferenceManifest)referenceManifestRepository.findByEventLogHashAndRimType(measurement.getHexDecHash(), ReferenceManifest.BASE_RIM); baseReferenceManifest =
(BaseReferenceManifest) referenceManifestRepository.findByEventLogHashAndRimType(
measurement.getHexDecHash(), ReferenceManifest.BASE_RIM);
} }
String failedString = ""; String failedString = "";
@ -101,7 +108,7 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
if (passed) { if (passed) {
List<SwidResource> resources = List<SwidResource> resources =
((BaseReferenceManifest) baseReferenceManifest).getFileResources(); baseReferenceManifest.getFileResources();
fwStatus = new AppraisalStatus(PASS, fwStatus = new AppraisalStatus(PASS,
SupplyChainCredentialValidator.FIRMWARE_VALID); SupplyChainCredentialValidator.FIRMWARE_VALID);
@ -131,20 +138,22 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
try { try {
certs.add(cac.getX509Certificate()); certs.add(cac.getX509Certificate());
} catch (IOException e) { } catch (IOException e) {
log.error("Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": " log.error(
+ e.getMessage()); "Error building CA chain for " + signingCert.getSubjectKeyIdentifier() + ": "
+ e.getMessage());
} }
} }
referenceManifestValidator.setTrustStore(certs); referenceManifestValidator.setTrustStore(certs);
try { try {
if (referenceManifestValidator.validateXmlSignature(signingCert.getX509Certificate().getPublicKey(), if (referenceManifestValidator.validateXmlSignature(
signingCert.getSubjectKeyIdString(), signingCert.getEncodedPublicKey())) { signingCert.getX509Certificate().getPublicKey(),
signingCert.getSubjectKeyIdString(), signingCert.getEncodedPublicKey())) {
try { try {
if (!SupplyChainCredentialValidator.verifyCertificate( if (!SupplyChainCredentialValidator.verifyCertificate(
signingCert.getX509Certificate(), keyStore)) { signingCert.getX509Certificate(), keyStore)) {
passed = false; passed = false;
fwStatus = new AppraisalStatus(FAIL, fwStatus = new AppraisalStatus(FAIL,
"Firmware validation failed: invalid certificate path."); "Firmware validation failed: invalid certificate path.");
} }
} catch (IOException ioEx) { } catch (IOException ioEx) {
log.error("Error getting X509 cert from manager: " + ioEx.getMessage()); log.error("Error getting X509 cert from manager: " + ioEx.getMessage());
@ -233,21 +242,21 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
// part 2 of firmware validation check: bios measurements // part 2 of firmware validation check: bios measurements
// vs baseline tcg event log // vs baseline tcg event log
// find the measurement // find the measurement
TCGEventLog tcgMeasurementLog; TCGEventLog eventLog;
LinkedList<TpmPcrEvent> tpmPcrEvents = new LinkedList<>(); LinkedList<TpmPcrEvent> failedPcrValues = new LinkedList<>();
List<ReferenceDigestValue> eventValue; List<ReferenceDigestValue> eventValue;
HashMap<String, ReferenceDigestValue> eventValueMap = new HashMap<>(); HashMap<String, ReferenceDigestValue> eventValueMap = new HashMap<>();
try { try {
if (measurement.getDeviceName().equals(hostName)) { if (measurement.getDeviceName().equals(hostName)) {
tcgMeasurementLog = new TCGEventLog(measurement.getRimBytes()); eventLog = new TCGEventLog(measurement.getRimBytes());
eventValue = referenceDigestValueRepository eventValue = referenceDigestValueRepository
.findValuesByBaseRimId(baseReferenceManifest.getId()); .findValuesByBaseRimId(baseReferenceManifest.getId());
for (ReferenceDigestValue rdv : eventValue) { for (ReferenceDigestValue rdv : eventValue) {
eventValueMap.put(rdv.getDigestValue(), rdv); eventValueMap.put(rdv.getDigestValue(), rdv);
} }
tpmPcrEvents.addAll(pcrValidator.validateTpmEvents( failedPcrValues.addAll(pcrValidator.validateTpmEvents(
tcgMeasurementLog, eventValueMap, policySettings)); eventLog, eventValueMap, policySettings));
} }
} catch (CertificateException cEx) { } catch (CertificateException cEx) {
log.error(cEx); log.error(cEx);
@ -257,11 +266,11 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
log.error(ioEx); log.error(ioEx);
} }
if (!tpmPcrEvents.isEmpty()) { if (!failedPcrValues.isEmpty()) {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
sb.append(String.format("%d digest(s) were not found:%n", sb.append(String.format("%d digest(s) were not found:%n",
tpmPcrEvents.size())); failedPcrValues.size()));
for (TpmPcrEvent tpe : tpmPcrEvents) { for (TpmPcrEvent tpe : failedPcrValues) {
sb.append(String.format("PCR Index %d - %s%n", sb.append(String.format("PCR Index %d - %s%n",
tpe.getPcrIndex(), tpe.getPcrIndex(),
tpe.getEventTypeStr())); tpe.getEventTypeStr()));