Merge pull request #447 from nsacyber/issue-442

[#442] Provisioning Status Impl
2025-01-29 15:44:14 +00:00 · 2022-03-02 08:31:32 -05:00 · 2022-03-02 08:31:32 -05:00 · 65471c87f1
commit 65471c87f1
parent f19916c454 6a8c0f47c0
4 changed files with 41 additions and 6 deletions
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@ -460,8 +460,8 @@ public abstract class AbstractAttestationCertificateAuthority
            ProvisionerTpm2.IdentityClaimResponse response
                    = ProvisionerTpm2.IdentityClaimResponse.newBuilder()
                    .setCredentialBlob(blobStr).setPcrMask(pcrQuoteMask)
+                    .setStatus(ProvisionerTpm2.ResponseStatus.PASS)
                    .build();
-
            return response.toByteArray();
        } else {
            LOG.error("Supply chain validation did not succeed. Result is: "
@ -470,6 +470,7 @@ public abstract class AbstractAttestationCertificateAuthority
            ProvisionerTpm2.IdentityClaimResponse response
                    = ProvisionerTpm2.IdentityClaimResponse.newBuilder()
                    .setCredentialBlob(blobStr)
+                    .setStatus(ProvisionerTpm2.ResponseStatus.FAIL)
                    .build();
            return response.toByteArray();
        }
@ -640,6 +641,7 @@ public abstract class AbstractAttestationCertificateAuthority
                        .copyFrom(derEncodedAttestationCertificate);
                ProvisionerTpm2.CertificateResponse response = ProvisionerTpm2.CertificateResponse
                        .newBuilder().setCertificate(certificateBytes)
+                        .setStatus(ProvisionerTpm2.ResponseStatus.PASS)
                        .build();

                saveAttestationCertificate(derEncodedAttestationCertificate, endorsementCredential,
@ -651,7 +653,9 @@ public abstract class AbstractAttestationCertificateAuthority
                        + "Firmware Quote Validation failed. Result is: "
                        + validationResult);
                ProvisionerTpm2.CertificateResponse response = ProvisionerTpm2.CertificateResponse
-                        .newBuilder().setCertificate(ByteString.EMPTY).build();
+                        .newBuilder()
+                        .setStatus(ProvisionerTpm2.ResponseStatus.FAIL)
+                        .build();
                return response.toByteArray();
            }
        } else {
--- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto
+++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto
@ -77,9 +77,15 @@ message TpmQuote {
  required string success = 1;
 }

+enum ResponseStatus {
+  PASS = 0;
+  FAIL = 1;
+}
+
 message IdentityClaimResponse {
-  required bytes credential_blob = 1;
+  optional bytes credential_blob = 1;
  optional string pcr_mask = 2;
+  optional ResponseStatus status = 3 [default = FAIL];
 }

 message CertificateRequest {
@ -88,6 +94,7 @@ message CertificateRequest {
 }

 message CertificateResponse {
-  required bytes certificate = 1;
+  optional bytes certificate = 1;
+  optional ResponseStatus status = 2 [default = FAIL];
 }

--- a/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp
@ -144,7 +144,8 @@ string RestfulClientProvisioner::sendAttestationCertificateRequest(
        }

        // Return the public attestation certificate
-        return response.certificate();
+//        return response.certificate();
+        return response.SerializeAsString();

    } else {
        stringstream errormsg;
--- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
@ -144,7 +144,21 @@ int provision() {
    string response = provisioner.sendIdentityClaim(identityClaim);
    hirs::pb::IdentityClaimResponse icr;

-    if (!icr.ParseFromString(response) || !icr.has_credential_blob()) {
+    if (!icr.ParseFromString(response) || !icr.has_status()) {
+        logger.error("The ACA did not send a provisioning status.");
+        cout << "----> Provisioning failed." << endl;
+        cout << "Please refer to the Attestation CA for details." << endl;
+        return 0;
+    }
+
+    if (icr.status() == hirs::pb::ResponseStatus::FAIL) {
+        logger.error("The ACA responded with a FAIL status.");
+        cout << "----> Provisioning failed." << endl;
+        cout << "Please refer to the Attestation CA for details." << endl;
+        return 0;
+    }
+
+    if (!icr.has_credential_blob()) {
        logger.error("The ACA did not send make credential blob.");
        cout << "----> Provisioning failed." << endl;
        cout << "The ACA did not send make credential information." << endl;
@ -183,6 +197,15 @@ int provision() {
    const string& akCertificateByteString
            = provisioner.sendAttestationCertificateRequest(certificateRequest);

+    hirs::pb::CertificateResponse cr;
+    if (!cr.ParseFromString(akCertificateByteString) && cr.has_status()) {
+        if (cr.status() == hirs::pb::ResponseStatus::FAIL) {
+            cout << "----> Provisioning the quote failed.";
+            cout << "Please refer to the Attestation CA for details." << endl;
+            return 0;
+        }
+    }
+
    if (akCertificateByteString == "") {
        cout << "----> Provisioning the quote failed.";
        cout << "Please refer to the Attestation CA for details." << endl;