Updated the implementation to return a blank identity claim response.

The provisioner tests the blob and if it is empty, exit
2024-12-18 20:47:58 +00:00 · 2022-01-05 16:49:27 -05:00 · 2022-01-05 16:49:27 -05:00 · 5858e36313
commit 5858e36313
parent 78e308e67d
2 changed files with 18 additions and 11 deletions
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@ -439,10 +439,11 @@ public abstract class AbstractAttestationCertificateAuthority
            }
        }

+        ByteString blobStr = ByteString.copyFrom(new byte[]{});
        if (validationResult == AppraisalStatus.Status.PASS) {
            RSAPublicKey akPub = parsePublicKey(claim.getAkPublicArea().toByteArray());
            byte[] nonce = generateRandomBytes(NONCE_LENGTH);
-            ByteString blobStr = tpm20MakeCredential(ekPub, akPub, nonce);
+            blobStr = tpm20MakeCredential(ekPub, akPub, nonce);
            SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
            String pcrQuoteMask = PCR_QUOTE_MASK;

@ -465,7 +466,12 @@ public abstract class AbstractAttestationCertificateAuthority
        } else {
            LOG.error("Supply chain validation did not succeed. Result is: "
                    + validationResult);
-            return new byte[]{};
+            // empty response
+            ProvisionerTpm2.IdentityClaimResponse response
+                    = ProvisionerTpm2.IdentityClaimResponse.newBuilder()
+                    .setCredentialBlob(blobStr)
+                    .build();
+            return response.toByteArray();
        }
    }

--- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
@ -144,18 +144,19 @@ int provision() {
    string response = provisioner.sendIdentityClaim(identityClaim);
    hirs::pb::IdentityClaimResponse icr;

-    try {
-        if (response == "" || !icr.has_credential_blob()) {
-            logger.error("The ACA did not send make credential blob.");
-            cout << "----> Provisioning failed." << endl;
-            cout << "The ACA did not send make credential information." << endl;
-            return 0;
-        }
-    } catch (const google::protobuf::FatalException& e) {
-        logger.error(e.what());
+    if (!icr.ParseFromString(response) || !icr.has_credential_blob()) {
+        logger.error("The ACA did not send make credential blob.");
+        cout << "----> Provisioning failed." << endl;
+        cout << "The ACA did not send make credential information." << endl;
+        return 0;
    }

    string nonceBlob = icr.credential_blob();
+    if (nonceBlob == "") {
+        cout << "----> Provisioning failed." << endl;
+        cout << "The ACA did not send make credential information." << endl;
+        return 0;
+    }

    // activateIdentity requires we read makeCredential output from a file
    cout << "----> Received response. Attempting to decrypt nonce" << endl;