ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2025-02-01 00:45:36 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into v3_issue_645-hatSetup

Browse Source
This commit is contained in:
iadgovuser26 2024-01-23 17:29:44 -05:00 committed by GitHub
commit 75dae09ace
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
123 changed files with 4942 additions and 406 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
.ci/docker/compose-acceptance-test-linux.yml Normal file
View File

@ -0,0 +1,34 @@
version: "3.9"
services:
aca: # policy settings not saved, will have a clean database/default policy on each boot for now
image: ghcr.io/nsacyber/hirs/aca
container_name: aca
ports:
- 8443:8443
networks:
hat_network:
ipv4_address: 172.16.1.75
default:
hat:
image: ghcr.io/nsacyber/hirs/hat
container_name: hat
ports:
- 53:53/tcp
- 53:53/udp
- 67:67/udp
- 68:68/udp
- 69:69
- 80:80
networks:
hat_network:
ipv4_address: 172.16.1.3
networks:
hat_network:
driver: macvlan
name: hat_network
driver_opts:
parent: eno2
ipam:
config:
- subnet: 172.16.1.0/24
gateway: 172.16.1.1

0
.ci/docker/compose-acceptance-test.yml → .ci/docker/compose-acceptance-test-windows.yml
View File

136
.github/workflows/dotnet_provisioner_unit_tests.yml vendored Normal file
View File

@ -0,0 +1,136 @@
name: Dotnet Provisioner Unit Tests
on: push
env:
DOTNET_VERSION: '6.0'
jobs:
dotnet_provisioner_unit_tests:
name: Restore and Run Unit Tests
continue-on-error: true
runs-on: ${{ matrix.os }}
strategy:
matrix:
include:
- os: windows-2022
- os: ubuntu-20.04
# - os: windows-2019 Cannot Target windows-2019 because the .NET 6 SDK won't receive security patches for this image
steps:
- name: Set git to use LF
run: |
git config --global core.autocrlf false
git config --global core.eol lf
- name: Checkout repo
uses: actions/checkout@v3
with:
submodules: recursive
- name: Restore Project
working-directory: HIRS_Provisioner.NET
run: |
dotnet restore
- name: Build on Windows
working-directory: HIRS_Provisioner.NET
if: contains(matrix.os, 'windows')
run: |
cd hirs
dotnet build -r win-x64 --configuration Release --no-restore
cd ..
- name: Build on Ubuntu
working-directory: HIRS_Provisioner.NET
if: contains(matrix.os, 'ubuntu')
run: |
dotnet build --configuration Release --no-restore
- name: Run Unit Tests and Save Logs - Windows
id: window_result
if: contains(matrix.os, 'windows') && always()
working-directory: HIRS_Provisioner.NET
run: |
$logs = dotnet test /p:PublishSingleFile=false --no-restore -v m
$results = [string]$logs
$results = $results.Contains("Passed!")
if($results) { $results = "Pass" } else { $results = "Fail"}
echo "::set-output name=result::$results"
$logName = "${{matrix.os}}-unit-tests-" + $results + ".log"
New-Item $logName
Set-Content $logName $logs
Get-Content $logName
- name: Run Unit Tests Ubuntu
if: contains(matrix.os, 'ubuntu')
working-directory: HIRS_Provisioner.NET
run: |
logName="${{matrix.os}}-unit-tests.log"
dotnet test --no-restore -v m > $logName
- name: Extract Ubuntu Unit Test Results
id: ubuntu_result
if: contains(matrix.os, 'ubuntu') && always()
working-directory: HIRS_Provisioner.NET
run: |
logName="${{matrix.os}}-unit-tests.log"
if grep -rnw $logName -e "Passed\!" ;
then
result="Pass"
else
result="Fail"
fi
echo "::set-output name=result::$result"
more $logName
- name: Upload Logs Ubuntu
uses: actions/upload-artifact@v2
if: contains(matrix.os, 'ubuntu') && always()
with:
name: "${{matrix.os}}-unit-tests-${{steps.ubuntu_result.outputs.result}}.log"
path: HIRS_Provisioner.NET/*.log
- name: Upload Logs Windows
uses: actions/upload-artifact@v2
if: contains(matrix.os, 'windows') && always()
with:
name: "${{matrix.os}}-unit-tests-${{steps.window_result.outputs.result}}.log"
path: HIRS_Provisioner.NET/*.log
Evaluator:
name: Evaluate Tests
needs: [dotnet_provisioner_unit_tests]
runs-on: ubuntu-latest
continue-on-error: false
steps:
- uses: actions/checkout@v2
with:
submodules: recursive
- name: Make artifact directory
run: |
mkdir artifacts
- uses: actions/download-artifact@v3
with:
path: artifacts
- name: Determine if a test failed
working-directory: artifacts
run: |
result=""
suffix="-unit-tests-Fail.log"
msg=" OS did not pass all the unit tests."
# Generate Annotations and Console Output
for file in *.log; do
if [[ "$file" == *"Fail"* ]]; then
title=${file%"$suffix"}
echo "::error title=$title Unit Tests Failed::The $title $msg"
result="Failed"
fi
done
if [ -n "$result" ]
then
exit 1
fi

10
.github/workflows/hirs_unit_tests.yml vendored
View File

@ -56,19 +56,19 @@ jobs:
# clean, build and run unit tests on all sub-projects; copy build reports to an artifacts directory
./gradlew :HIRS_AttestationCA:clean :HIRS_AttestationCA:build :HIRS_AttestationCA:test
if (( $? != "0" )) ; then gradle_status=1; fi
#cp -r /HIRS/HIRS_AttestationCA/build/reports/ /HIRS/artifacts/upload_reports/HIRS_AttestationCA/.
cp -r /HIRS/HIRS_AttestationCA/build/reports/ /HIRS/artifacts/upload_reports/HIRS_AttestationCA/.
./gradlew :HIRS_AttestationCAPortal:clean :HIRS_AttestationCAPortal:build :HIRS_AttestationCAPortal:test
if (( $? != "0" )) ; then gradle_status=1; fi
#cp -r /HIRS/HIRS_AttestationCAPortal/build/reports/ /HIRS/artifacts/upload_reports/HIRS_AttestationCAPortal/.
cp -r /HIRS/HIRS_AttestationCAPortal/build/reports/ /HIRS/artifacts/upload_reports/HIRS_AttestationCAPortal/.
#./gradlew :HIRS_Provisioner:clean :HIRS_Provisioner:build :HIRS_Provisioner:test
#if (( $? != "0" )) ; then gradle_status=1; fi
#cp -r /HIRS/HIRS_Provisioner/build/reports/ /HIRS/artifacts/upload_reports/HIRS_Provisioner/.
#./gradlew :HIRS_ProvisionerTPM2:clean :HIRS_ProvisionerTPM2:build :HIRS_ProvisionerTPM2:test
#if (( $? != "0" )) ; then gradle_status=1; fi
#cp -r /HIRS/HIRS_ProvisionerTPM2/docs/ /HIRS/artifacts/upload_reports/HIRS_ProvisionerTPM2/.
#./gradlew :HIRS_Structs:clean :HIRS_Structs:build :HIRS_Structs:test
#if (( $? != "0" )) ; then gradle_status=1; fi
#cp -r /HIRS/HIRS_Structs/build/reports/ /HIRS/artifacts/upload_reports/HIRS_Structs/.
./gradlew :HIRS_Structs:clean :HIRS_Structs:build :HIRS_Structs:test
if (( $? != "0" )) ; then gradle_status=1; fi
cp -r /HIRS/HIRS_Structs/build/reports/ /HIRS/artifacts/upload_reports/HIRS_Structs/.
./gradlew :HIRS_Utils:clean :HIRS_Utils:build :HIRS_Utils:test
if (( $? != "0" )) ; then gradle_status=1; fi
cp -r /HIRS/HIRS_Utils/build/reports/ /HIRS/artifacts/upload_reports/HIRS_Utils/.

15
HIRS_AttestationCA/config/spotbugs/spotbugs-exclude.xml
View File

@ -2,17 +2,18 @@
<!-- Docs at http://findbugs.sourceforge.net/manual/filter.html -->
<FindBugsFilter>
<Match>
<Package name="~hirs\.attestationca.*" />
<Package name="~hirs\.attestationca\.configuration.*" />
</Match>
<Match>
<!-- https://github.com/spotbugs/spotbugs/pull/2748 -->
<Bug pattern="CT_CONSTRUCTOR_THROW" />
</Match>
<!-- <Match>-->
<!-- &lt;!&ndash; To suppress false warnings in unit-tests for lambdas not using return values. &ndash;&gt;-->
<!-- <Package name="~com\.company\.service\.interfaces\.types\.contacts"/>-->
<!-- <Bug pattern="RV_RETURN_VALUE_IGNORED"/>-->
<!-- </Match>-->
<!-- roughly 55 instances of this appear -->
<Match>
<Bug pattern="EI_EXPOSE_REP" />
</Match>
<Match>
<Bug pattern="EI_EXPOSE_REP2" />
</Match>
</FindBugsFilter>

25
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/AbstractEntity.java
View File

@ -4,7 +4,6 @@ import jakarta.persistence.Column;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import jakarta.persistence.MappedSuperclass;
import lombok.EqualsAndHashCode;
import lombok.Getter;
import lombok.ToString;
import org.hibernate.annotations.UuidGenerator;
@ -16,7 +15,6 @@ import java.util.UUID;
/**
* An abstract database entity.
*/
@EqualsAndHashCode
@ToString
@MappedSuperclass
public abstract class AbstractEntity implements Serializable {
@ -75,4 +73,27 @@ public abstract class AbstractEntity implements Serializable {
public void resetCreateTime() {
createTime.setTime(new Date().getTime());
}
@Override
public int hashCode() {
if (id != null) {
return id.hashCode();
}
return super.hashCode();
}
@Override
public boolean equals(final Object object) {
if (this == object) {
return true;
}
if (object == null) {
return false;
}
if (!(this.getClass().equals(object.getClass()))) {
return false;
}
return this.hashCode() == object.hashCode();
}
}

10
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/tpm/TPM2ProvisionerState.java
View File

@ -6,6 +6,7 @@ import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Lob;
import lombok.NoArgsConstructor;
import lombok.extern.log4j.Log4j2;
import org.bouncycastle.util.Arrays;
import java.io.ByteArrayInputStream;
@ -17,6 +18,7 @@ import java.util.Date;
* This class is for saving the Identity Claim and the Nonce between the two passes of the
* TPM 2.0 Provisioner.
*/
@Log4j2
@NoArgsConstructor
@Entity
public class TPM2ProvisionerState {
@ -100,11 +102,13 @@ public class TPM2ProvisionerState {
try (DataInputStream dis
= new DataInputStream(new ByteArrayInputStream(nonce))) {
long firstPartOfNonce = dis.readLong();
TPM2ProvisionerState stateFound = tpm2ProvisionerStateRepository.findByFirstPartOfNonce(firstPartOfNonce);
if (Arrays.areEqual(stateFound.getNonce(), nonce)) {
TPM2ProvisionerState stateFound = tpm2ProvisionerStateRepository
.findByFirstPartOfNonce(firstPartOfNonce);
if (stateFound != null && Arrays.areEqual(stateFound.getNonce(), nonce)) {
return stateFound;
}
} catch (IOException | NullPointerException e) {
} catch (IOException ioEx) {
log.error(ioEx.getMessage());
return null;
}
return null;

16
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/Certificate.java
View File

@ -44,12 +44,10 @@ import org.bouncycastle.asn1.x509.V2Form;
import org.bouncycastle.cert.X509AttributeCertificateHolder;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.util.encoders.Base64;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
@ -67,10 +65,8 @@ import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.ListIterator;
import java.util.Objects;
/**
@ -176,7 +172,6 @@ public abstract class Certificate extends ArchivableEntity {
@Column(length = CertificateVariables.MAX_PUB_KEY_MODULUS_HEX_LENGTH, nullable = true)
private final String publicKeyModulusHexValue;
@Getter
@Column(length = CertificateVariables.MAX_CERT_LENGTH_BYTES, nullable = false)
private final byte[] signature;
@ -593,8 +588,8 @@ public abstract class Certificate extends ArchivableEntity {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
parsedX509Cert = (X509Certificate) cf.generateCertificate(certInputStream);
return parsedX509Cert;
} catch (CertificateException e) {
throw new IOException("Cannot construct X509Certificate from the input stream", e);
} catch (CertificateException cEx) {
throw new IOException("Cannot construct X509Certificate from the input stream", cEx);
}
}
@ -754,6 +749,13 @@ public abstract class Certificate extends ArchivableEntity {
.getInstance(ASN1Primitive.fromByteArray(certificateBytes));
}
/**
* @return this certificate's signature
*/
public byte[] getSignature() {
return signature.clone();
}
/**
* @return this certificate's validity start date
*/

72
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/Device.java
View File

@ -19,15 +19,17 @@ import lombok.NoArgsConstructor;
import lombok.Setter;
import java.sql.Timestamp;
import java.time.LocalDateTime;
import java.util.Objects;
@Entity
@Table(name = "Device")
@Getter
@Setter
@NoArgsConstructor(access = AccessLevel.PROTECTED)
@AllArgsConstructor
public class Device extends AbstractEntity {
@Getter
@Column(name = "name", unique = true)
private String name;
@ -35,10 +37,12 @@ public class Device extends AbstractEntity {
optional = true, orphanRemoval = true)
private DeviceInfoReport deviceInfo;
@Getter
@Column
@Enumerated(EnumType.ORDINAL)
private HealthStatus healthStatus;
@Getter
@Column
@Enumerated(EnumType.ORDINAL)
private AppraisalStatus.Status supplyChainValidationStatus;
@ -49,12 +53,15 @@ public class Device extends AbstractEntity {
@Column(name = "last_report_timestamp")
private Timestamp lastReportTimestamp;
@Getter
@Column(name = "is_state_overridden")
private boolean isStateOverridden;
@Getter
@Column(name = "state_override_reason")
private String overrideReason;
@Getter
@Column(name = "summary_id")
private String summaryId;
@ -68,10 +75,71 @@ public class Device extends AbstractEntity {
}
}
/**
* Returns a report with information about this device. This may return null
* if this property has not been set.
*
* @return device info report
*/
public final DeviceInfoReport getDeviceInfo() {
if (deviceInfo != null) {
return new DeviceInfoReport(deviceInfo.getNetworkInfo(),
deviceInfo.getOSInfo(), deviceInfo.getFirmwareInfo(),
deviceInfo.getHardwareInfo(), deviceInfo.getTpmInfo(),
deviceInfo.getClientApplicationVersion());
} else {
return null;
}
}
/**
* Getter for the report time stamp.
* @return a cloned version
*/
public Timestamp getLastReportTimestamp() {
if (lastReportTimestamp != null) {
return (Timestamp) lastReportTimestamp.clone();
} else {
return Timestamp.valueOf(LocalDateTime.MAX);
}
}
/**
* Setter for the report time stamp.
* @param lastReportTimestamp
*/
public void setLastReportTimestamp(final Timestamp lastReportTimestamp) {
this.lastReportTimestamp = (Timestamp) lastReportTimestamp.clone();
}
public String toString() {
return String.format("Device Name: %s%nStatus: %s%nSummary: %s",
return String.format("Device Name: %s%nStatus: %s%nSummary: %s%n",
name, healthStatus.getStatus(),
supplyChainValidationStatus.toString(),
summaryId);
}
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (!(o instanceof Device)) {
return false;
}
Device device = (Device) o;
return isStateOverridden == device.isStateOverridden
&& Objects.equals(name, device.name)
&& healthStatus == device.healthStatus
&& supplyChainValidationStatus == device.supplyChainValidationStatus
&& Objects.equals(lastReportTimestamp, device.lastReportTimestamp)
&& Objects.equals(overrideReason, device.overrideReason)
&& Objects.equals(summaryId, device.summaryId);
}
@Override
public int hashCode() {
return Objects.hash(super.hashCode(), name, healthStatus,
supplyChainValidationStatus, lastReportTimestamp,
isStateOverridden, overrideReason, summaryId);
}
}

17
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/ReferenceManifest.java
View File

@ -28,7 +28,7 @@ import java.util.UUID;
* This class represents the Reference Integrity Manifest object that will be
* loaded into the DB and displayed in the ACA.
*/
@Getter @Setter @ToString
@Getter @ToString
@EqualsAndHashCode(onlyExplicitlyIncluded = true, callSuper = false)
@Log4j2
@Entity
@ -75,36 +75,51 @@ public class ReferenceManifest extends ArchivableEntity {
@EqualsAndHashCode.Include
@Column(columnDefinition = "mediumblob", nullable = false)
private byte[] rimBytes;
@Setter
@EqualsAndHashCode.Include
@Column(nullable = false)
private String rimType = "Base";
@Setter
@Column
private String tagId = null;
@Setter
@Column
private boolean swidPatch = false;
@Setter
@Column
private boolean swidSupplemental = false;
@Setter
@Column
private String platformManufacturer = null;
@Setter
@Column
private String platformManufacturerId = null;
@Setter
@Column
private String swidTagVersion = null;
@Setter
@Column
private String swidVersion = null;
@Setter
@Column
private String platformModel = null;
@Setter
@Column(nullable = false)
private String fileName = null;
@Setter
@JdbcTypeCode(java.sql.Types.VARCHAR)
@Column
private UUID associatedRim;
@Setter
@Column
private String deviceName;
@Setter
@Column
private String hexDecHash = "";
@Setter
@Column
private String eventLogHash = "";
@Setter
@Column
@JsonIgnore
private String base64Hash = "";

10
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidationSummary.java
View File

@ -40,7 +40,6 @@ import java.util.UUID;
@Entity
public class SupplyChainValidationSummary extends ArchivableEntity {
@Getter
@ManyToOne
@JoinColumn(name = "device_id")
private final Device device;
@ -204,6 +203,15 @@ public class SupplyChainValidationSummary extends ArchivableEntity {
this.message = status.getMessage();
}
/**
* This retrieves the device associated with the supply chain validation summaries.
*
* @return the validated device
*/
public Device getDevice() {
return new Device(this.device.getDeviceInfo());
}
/**
* @return the overall appraisal result
*/

8
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/EndorsementCredential.java
View File

@ -353,21 +353,21 @@ public class EndorsementCredential extends DeviceAssociatedCertificate {
obj = (ASN1TaggedObject) seq.getObjectAt(i);
tag = obj.getTagNo();
if (tag == EK_TYPE_TAG) {
int ekGenTypeVal = ((ASN1Enumerated) obj.getObject()).getValue().intValue();
int ekGenTypeVal = ((ASN1Enumerated) obj.getBaseObject()).getValue().intValue();
if (ekGenTypeVal >= EK_TYPE_VAL_MIN && ekGenTypeVal <= EK_TYPE_VAL_MAX) {
TPMSecurityAssertions.EkGenerationType ekGenType
= TPMSecurityAssertions.EkGenerationType.values()[ekGenTypeVal];
tpmSecurityAssertions.setEkGenType(ekGenType);
}
} else if (tag == EK_LOC_TAG) {
int ekGenLocVal = ((ASN1Enumerated) obj.getObject()).getValue().intValue();
int ekGenLocVal = ((ASN1Enumerated) obj.getBaseObject()).getValue().intValue();
if (ekGenLocVal >= EK_LOC_VAL_MIN && ekGenLocVal <= EK_LOC_VAL_MAX) {
TPMSecurityAssertions.EkGenerationLocation ekGenLocation
= TPMSecurityAssertions.EkGenerationLocation.values()[ekGenLocVal];
tpmSecurityAssertions.setEkGenerationLocation(ekGenLocation);
}
} else if (tag == EK_CERT_LOC_TAG) {
int ekCertGenLocVal = ((ASN1Enumerated) obj.getObject())
int ekCertGenLocVal = ((ASN1Enumerated) obj.getBaseObject())
.getValue().intValue();
if (ekCertGenLocVal >= EK_LOC_VAL_MIN
&& ekCertGenLocVal <= EK_LOC_VAL_MAX) {
@ -426,7 +426,7 @@ public class EndorsementCredential extends DeviceAssociatedCertificate {
} else if (component instanceof ASN1TaggedObject) {
ASN1TaggedObject taggedObj = (ASN1TaggedObject) component;
parseSingle(taggedObj.getObject(), addToMapping, key);
parseSingle(taggedObj.getBaseObject().toASN1Primitive(), addToMapping, key);
} else if (component instanceof ASN1OctetString) {
// this may contain parseable data or may just be a OID key-pair value

6
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/IssuedAttestationCertificate.java
View File

@ -11,6 +11,7 @@ import lombok.NoArgsConstructor;
import java.io.IOException;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
/**
@ -47,7 +48,7 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
throws IOException {
super(certificateBytes);
this.endorsementCredential = endorsementCredential;
this.platformCredentials = platformCredentials;
this.platformCredentials = new ArrayList<>(platformCredentials);
}
/**
@ -64,4 +65,7 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
this(readBytes(certificatePath), endorsementCredential, platformCredentials);
}
public List<PlatformCredential> getPlatformCredentials() {
return new ArrayList<>(platformCredentials);
}
}

21
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/CommonCriteriaMeasures.java
View File

@ -4,10 +4,10 @@ import lombok.Getter;
import lombok.Setter;
import org.bouncycastle.asn1.ASN1Boolean;
import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERIA5String;
/**
* Basic class that handle CommonCriteriaMeasures for the Platform Certificate
@ -167,14 +167,14 @@ public class CommonCriteriaMeasures {
}
}
private DERIA5String version;
private ASN1IA5String version;
private EvaluationAssuranceLevel assuranceLevel;
private EvaluationStatus evaluationStatus;
private ASN1Boolean plus;
private StrengthOfFunction strengthOfFunction;
private ASN1ObjectIdentifier profileOid;
private URIReference profileUri;
private ASN1ObjectIdentifier targetOid;
private URIReference profileUri;
private URIReference targetUri;
/**
@ -187,8 +187,8 @@ public class CommonCriteriaMeasures {
this.plus = ASN1Boolean.FALSE;
this.strengthOfFunction = null;
this.profileOid = null;
this.profileUri = null;
this.targetOid = null;
this.profileUri = null;
this.targetUri = null;
}
@ -198,29 +198,24 @@ public class CommonCriteriaMeasures {
* @throws IllegalArgumentException if there was an error on the parsing
*/
public CommonCriteriaMeasures(final ASN1Sequence sequence) throws IllegalArgumentException {
//Get all the mandatory values
int index = 0;
version = DERIA5String.getInstance(sequence.getObjectAt(index));
++index;
ASN1Enumerated enumarated = ASN1Enumerated.getInstance(sequence.getObjectAt(index));
++index;
version = ASN1IA5String.getInstance(sequence.getObjectAt(index++));
ASN1Enumerated enumarated = ASN1Enumerated.getInstance(sequence.getObjectAt(index++));
//Throw exception when is not between 1 and 7
if (enumarated.getValue().intValue() <= 0
|| enumarated.getValue().intValue() > EvaluationAssuranceLevel.values().length) {
throw new IllegalArgumentException("Invalid assurance level.");
}
assuranceLevel = EvaluationAssuranceLevel.values()[enumarated.getValue().intValue() - 1];
enumarated = ASN1Enumerated.getInstance(sequence.getObjectAt(index));
++index;
enumarated = ASN1Enumerated.getInstance(sequence.getObjectAt(index++));
evaluationStatus = EvaluationStatus.values()[enumarated.getValue().intValue()];
//Default plus value
plus = ASN1Boolean.FALSE;
//Current sequence index
if (sequence.getObjectAt(index).toASN1Primitive() instanceof ASN1Boolean) {
plus = ASN1Boolean.getInstance(sequence.getObjectAt(index));
index++;
plus = ASN1Boolean.getInstance(sequence.getObjectAt(index++));
}
//Optional values (default to null or empty)

6
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentAddress.java
View File

@ -5,7 +5,7 @@ import lombok.Getter;
import lombok.Setter;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.ASN1UTF8String;
/**
* Basic class that handle component addresses from the component identifier.
@ -31,7 +31,7 @@ public class ComponentAddress {
private static final String BLUETOOTH_MAC = "2.23.133.17.3";
private ASN1ObjectIdentifier addressType;
private DERUTF8String addressValue;
private ASN1UTF8String addressValue;
/**
* Default constructor.
@ -55,7 +55,7 @@ public class ComponentAddress {
+ "all the required fields.");
}
addressType = ASN1ObjectIdentifier.getInstance(sequence.getObjectAt(0));
addressValue = DERUTF8String.getInstance(sequence.getObjectAt(1));
addressValue = ASN1UTF8String.getInstance(sequence.getObjectAt(1));
}
/**

34
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentIdentifier.java
View File

@ -1,15 +1,14 @@
package hirs.attestationca.persist.entity.userdefined.certificate.attributes;
import lombok.AllArgsConstructor;
import lombok.EqualsAndHashCode;
import lombok.Getter;
import lombok.Setter;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.asn1.ASN1Boolean;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.ASN1UTF8String;
import org.bouncycastle.asn1.DERUTF8String;
import java.util.ArrayList;
@ -35,7 +34,6 @@ import java.util.stream.Collectors;
*/
@Getter
@Setter
@AllArgsConstructor
@EqualsAndHashCode
public class ComponentIdentifier {
@ -90,8 +88,8 @@ public class ComponentIdentifier {
public ComponentIdentifier() {
componentManufacturer = new DERUTF8String(NOT_SPECIFIED_COMPONENT);
componentModel = new DERUTF8String(NOT_SPECIFIED_COMPONENT);
componentSerial = new DERUTF8String(StringUtils.EMPTY);
componentRevision = new DERUTF8String(StringUtils.EMPTY);
componentSerial = new DERUTF8String(EMPTY_COMPONENT);
componentRevision = new DERUTF8String(EMPTY_COMPONENT);
componentManufacturerId = null;
fieldReplaceable = null;
componentAddress = new ArrayList<>();
@ -121,7 +119,7 @@ public class ComponentIdentifier {
this.componentRevision = componentRevision;
this.componentManufacturerId = componentManufacturerId;
this.fieldReplaceable = fieldReplaceable;
this.componentAddress = componentAddress;
this.componentAddress = componentAddress.stream().toList();
}
/**
@ -138,18 +136,18 @@ public class ComponentIdentifier {
}
//Mandatory values
componentManufacturer = DERUTF8String.getInstance(sequence.getObjectAt(0));
componentModel = DERUTF8String.getInstance(sequence.getObjectAt(1));
componentManufacturer = (DERUTF8String) ASN1UTF8String.getInstance(sequence.getObjectAt(0));
componentModel = (DERUTF8String) ASN1UTF8String.getInstance(sequence.getObjectAt(1));
//Continue reading the sequence if it does contain more than 2 values
for (int i = 2; i < sequence.size(); i++) {
ASN1TaggedObject taggedObj = ASN1TaggedObject.getInstance(sequence.getObjectAt(i));
switch (taggedObj.getTagNo()) {
case COMPONENT_SERIAL:
componentSerial = DERUTF8String.getInstance(taggedObj, false);
componentSerial = (DERUTF8String) ASN1UTF8String.getInstance(taggedObj, false);
break;
case COMPONENT_REVISION:
componentRevision = DERUTF8String.getInstance(taggedObj, false);
componentRevision = (DERUTF8String) ASN1UTF8String.getInstance(taggedObj, false);
break;
case COMPONENT_MANUFACTURER_ID:
componentManufacturerId = ASN1ObjectIdentifier.getInstance(taggedObj, false);
@ -200,6 +198,22 @@ public class ComponentIdentifier {
return false;
}
/**
* Getter for the component addresses.
* @return a collection of component addresses
*/
public List<ComponentAddress> getComponentAddress() {
return componentAddress.stream().toList();
}
/**
* Setter for the list of component addresses.
* @param componentAddress collection of addresses
*/
public void setComponentAddress(List<ComponentAddress> componentAddress) {
this.componentAddress = componentAddress.stream().toList();
}
@Override
public String toString() {
StringBuilder sb = new StringBuilder();

14
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/FIPSLevel.java
View File

@ -5,8 +5,8 @@ import lombok.Getter;
import lombok.Setter;
import org.bouncycastle.asn1.ASN1Boolean;
import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERIA5String;
/**
* Basic class that handle FIPS Level.
@ -71,7 +71,7 @@ public class FIPSLevel {
}
@Getter @Setter
private DERIA5String version;
private ASN1IA5String version;
@Getter @Setter
private SecurityLevel level;
@Getter @Setter
@ -94,15 +94,15 @@ public class FIPSLevel {
*/
public FIPSLevel(final ASN1Sequence sequence) throws IllegalArgumentException {
//Get version
version = DERIA5String.getInstance(sequence.getObjectAt(0));
version = ASN1IA5String.getInstance(sequence.getObjectAt(0));
//Get and validate level
ASN1Enumerated enumarated = ASN1Enumerated.getInstance(sequence.getObjectAt(1));
ASN1Enumerated enumerated = ASN1Enumerated.getInstance(sequence.getObjectAt(1));
//Throw exception when is not between 1 and 7
if (enumarated.getValue().intValue() <= 0
|| enumarated.getValue().intValue() > SecurityLevel.values().length) {
if (enumerated.getValue().intValue() <= 0
|| enumerated.getValue().intValue() > SecurityLevel.values().length) {
throw new IllegalArgumentException("Invalid security level on FIPSLevel.");
}
level = SecurityLevel.values()[enumarated.getValue().intValue() - 1];
level = SecurityLevel.values()[enumerated.getValue().intValue() - 1];
//Check if there is another value on the sequence for the plus
plus = ASN1Boolean.FALSE; //Default to false

12
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/PlatformConfiguration.java
View File

@ -14,10 +14,10 @@ import java.util.List;
*/
@AllArgsConstructor
public abstract class PlatformConfiguration {
private List<ComponentIdentifier> componentIdentifier;
private ArrayList<ComponentIdentifier> componentIdentifier = new ArrayList<>();
@Getter @Setter
private URIReference componentIdentifierUri;
private List<PlatformProperty> platformProperties;
private ArrayList<PlatformProperty> platformProperties = new ArrayList<>();
@Getter @Setter
private URIReference platformPropertiesUri;
@ -43,8 +43,8 @@ public abstract class PlatformConfiguration {
public PlatformConfiguration(final List<ComponentIdentifier> componentIdentifier,
final List<PlatformProperty> platformProperties,
final URIReference platformPropertiesUri) {
this.componentIdentifier = componentIdentifier;
this.platformProperties = platformProperties;
this.componentIdentifier = new ArrayList<>(componentIdentifier);
this.platformProperties = new ArrayList<>(platformProperties);
this.platformPropertiesUri = platformPropertiesUri;
}
@ -72,7 +72,7 @@ public abstract class PlatformConfiguration {
* @param componentIdentifier the componentIdentifier to set
*/
public void setComponentIdentifier(final List<ComponentIdentifier> componentIdentifier) {
this.componentIdentifier = componentIdentifier;
this.componentIdentifier = new ArrayList<>(componentIdentifier);
}
/**
@ -99,6 +99,6 @@ public abstract class PlatformConfiguration {
* @param platformProperties the platformProperties to set
*/
public void setPlatformProperties(final List<PlatformProperty> platformProperties) {
this.platformProperties = platformProperties;
this.platformProperties = new ArrayList<>(platformProperties);
}
}

9
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/PlatformProperty.java
View File

@ -4,6 +4,7 @@ import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.Setter;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1UTF8String;
import org.bouncycastle.asn1.DERUTF8String;
/**
@ -28,8 +29,8 @@ public class PlatformProperty {
*/
protected static final int IDENTIFIER_NUMBER = 2;
private DERUTF8String propertyName;
private DERUTF8String propertyValue;
private ASN1UTF8String propertyName;
private ASN1UTF8String propertyValue;
/**
* Default constructor.
@ -53,8 +54,8 @@ public class PlatformProperty {
+ "the required fields.");
}
this.propertyName = DERUTF8String.getInstance(sequence.getObjectAt(0));
this.propertyValue = DERUTF8String.getInstance(sequence.getObjectAt(1));
this.propertyName = ASN1UTF8String.getInstance(sequence.getObjectAt(0));
this.propertyValue = ASN1UTF8String.getInstance(sequence.getObjectAt(1));
}
@Override

12
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/TBBSecurityAssertion.java
View File

@ -4,10 +4,10 @@ import lombok.AllArgsConstructor;
import lombok.Getter;
import org.bouncycastle.asn1.ASN1Boolean;
import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERIA5String;
import java.math.BigInteger;
@ -89,7 +89,7 @@ public class TBBSecurityAssertion {
private FIPSLevel fipsLevel;
private MeasurementRootType rtmType;
private ASN1Boolean iso9000Certified;
private DERIA5String iso9000Uri;
private ASN1IA5String iso9000Uri;
/**
* Default constructor.
@ -163,8 +163,8 @@ public class TBBSecurityAssertion {
}
// Check if it's a IA5String
if (index < sequenceSize
&& sequence.getObjectAt(index).toASN1Primitive() instanceof DERIA5String) {
iso9000Uri = DERIA5String.getInstance(sequence.getObjectAt(index));
&& sequence.getObjectAt(index).toASN1Primitive() instanceof ASN1IA5String) {
iso9000Uri = ASN1IA5String.getInstance(sequence.getObjectAt(index));
}
}
@ -241,14 +241,14 @@ public class TBBSecurityAssertion {
/**
* @return the iso9000Uri
*/
public DERIA5String getIso9000Uri() {
public ASN1IA5String getIso9000Uri() {
return iso9000Uri;
}
/**
* @param iso9000Uri the iso9000Uri to set
*/
public void setIso9000Uri(final DERIA5String iso9000Uri) {
public void setIso9000Uri(final ASN1IA5String iso9000Uri) {
this.iso9000Uri = iso9000Uri;
}

3
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/TPMSecurityAssertions.java
View File

@ -8,6 +8,7 @@ import lombok.Getter;
import lombok.NoArgsConstructor;
import lombok.Setter;
import java.io.Serializable;
import java.math.BigInteger;
/**
@ -24,7 +25,7 @@ import java.math.BigInteger;
@NoArgsConstructor(access = AccessLevel.PROTECTED)
@Getter @Setter
@Embeddable
public class TPMSecurityAssertions {
public class TPMSecurityAssertions implements Serializable {
/**
* A type to handle the different endorsement key generation types used in the TPM

3
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/TPMSpecification.java
View File

@ -7,6 +7,7 @@ import lombok.EqualsAndHashCode;
import lombok.Getter;
import lombok.NoArgsConstructor;
import java.io.Serializable;
import java.math.BigInteger;
/**
@ -23,7 +24,7 @@ import java.math.BigInteger;
@NoArgsConstructor(access= AccessLevel.PROTECTED)
@Getter
@Embeddable
public class TPMSpecification {
public class TPMSpecification implements Serializable {
@Column
private String family;

21
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/URIReference.java
View File

@ -4,9 +4,9 @@ import com.fasterxml.jackson.annotation.JsonIgnore;
import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.Setter;
import org.bouncycastle.asn1.ASN1BitString;
import org.bouncycastle.asn1.ASN1IA5String;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
/**
@ -23,10 +23,10 @@ import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
@Getter @Setter
@AllArgsConstructor
public class URIReference {
private DERIA5String uniformResourceIdentifier;
private ASN1IA5String uniformResourceIdentifier;
private AlgorithmIdentifier hashAlgorithm;
@JsonIgnore
private DERBitString hashValue;
private ASN1BitString hashValue;
private static final int PLATFORM_PROPERTIES_URI_MAX = 3;
private static final int PLATFORM_PROPERTIES_URI_MIN = 1;
@ -56,14 +56,14 @@ public class URIReference {
//Get the Platform Configuration URI values
for (int j = 0; j < sequence.size(); j++) {
if (sequence.getObjectAt(j) instanceof DERIA5String) {
this.uniformResourceIdentifier = DERIA5String.getInstance(sequence.getObjectAt(j));
if (sequence.getObjectAt(j) instanceof ASN1IA5String) {
this.uniformResourceIdentifier = ASN1IA5String.getInstance(sequence.getObjectAt(j));
} else if ((sequence.getObjectAt(j) instanceof AlgorithmIdentifier)
|| (sequence.getObjectAt(j) instanceof ASN1Sequence)) {
this.hashAlgorithm =
AlgorithmIdentifier.getInstance(sequence.getObjectAt(j));
} else if (sequence.getObjectAt(j) instanceof DERBitString) {
this.hashValue = DERBitString.getInstance(sequence.getObjectAt(j));
} else if (sequence.getObjectAt(j) instanceof ASN1BitString) {
this.hashValue = ASN1BitString.getInstance(sequence.getObjectAt(j));
} else {
throw new IllegalArgumentException("Unexpected DER type found. "
+ sequence.getObjectAt(j).getClass().getName() + " found at index " + j + ".");
@ -75,7 +75,10 @@ public class URIReference {
public String toString() {
StringBuilder sb = new StringBuilder();
sb.append("URIReference{");
sb.append("uniformResourceIdentifier=").append(uniformResourceIdentifier.getString());
sb.append("uniformResourceIdentifier=");
if (uniformResourceIdentifier != null) {
sb.append(uniformResourceIdentifier.getString());
}
//Check of optional values are not null
sb.append(", hashAlgorithm=");
if (hashAlgorithm != null) {

34
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/V2/ComponentIdentifierV2.java
View File

@ -4,18 +4,19 @@ import hirs.attestationca.persist.entity.userdefined.certificate.attributes.Comp
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.ComponentClass;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.ComponentIdentifier;
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.URIReference;
import lombok.EqualsAndHashCode;
import lombok.Getter;
import lombok.Setter;
import org.bouncycastle.asn1.ASN1Boolean;
import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ASN1UTF8String;
import org.bouncycastle.asn1.DERUTF8String;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
/**
@ -39,7 +40,6 @@ import java.util.stream.Collectors;
*/
@Getter
@Setter
@EqualsAndHashCode(callSuper = false)
public class ComponentIdentifierV2 extends ComponentIdentifier {
private static final int MANDATORY_ELEMENTS = 3;
@ -117,21 +117,21 @@ public class ComponentIdentifierV2 extends ComponentIdentifier {
int tag = 0;
ASN1Sequence componentIdSeq = ASN1Sequence.getInstance(sequence.getObjectAt(tag));
componentClass = new ComponentClass(componentIdSeq.getObjectAt(tag++).toString(),
DEROctetString.getInstance(componentIdSeq.getObjectAt(tag)).toString());
ASN1OctetString.getInstance(componentIdSeq.getObjectAt(tag)).toString());
// Mandatory values
this.setComponentManufacturer(DERUTF8String.getInstance(sequence.getObjectAt(tag++)));
this.setComponentModel(DERUTF8String.getInstance(sequence.getObjectAt(tag++)));
this.setComponentManufacturer((DERUTF8String) ASN1UTF8String.getInstance(sequence.getObjectAt(tag++)));
this.setComponentModel((DERUTF8String) ASN1UTF8String.getInstance(sequence.getObjectAt(tag++)));
// Continue reading the sequence if it does contain more than 2 values
for (int i = tag; i < sequence.size(); i++) {
ASN1TaggedObject taggedObj = ASN1TaggedObject.getInstance(sequence.getObjectAt(i));
switch (taggedObj.getTagNo()) {
case COMPONENT_SERIAL:
this.setComponentSerial(DERUTF8String.getInstance(taggedObj, false));
this.setComponentSerial((DERUTF8String) ASN1UTF8String.getInstance(taggedObj, false));
break;
case COMPONENT_REVISION:
this.setComponentRevision(DERUTF8String.getInstance(taggedObj, false));
this.setComponentRevision((DERUTF8String) ASN1UTF8String.getInstance(taggedObj, false));
break;
case COMPONENT_MANUFACTURER_ID:
this.setComponentManufacturerId(ASN1ObjectIdentifier
@ -200,6 +200,24 @@ public class ComponentIdentifierV2 extends ComponentIdentifier {
return true;
}
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
if (!super.equals(o)) return false;
ComponentIdentifierV2 that = (ComponentIdentifierV2) o;
return Objects.equals(componentClass, that.componentClass)
&& Objects.equals(certificateIdentifier, that.certificateIdentifier)
&& Objects.equals(componentPlatformUri, that.componentPlatformUri)
&& attributeStatus == that.attributeStatus;
}
@Override
public int hashCode() {
return Objects.hash(super.hashCode(), componentClass,
certificateIdentifier, componentPlatformUri, attributeStatus);
}
@Override
public String toString() {
StringBuilder sb = new StringBuilder();

8
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/V2/PlatformPropertyV2.java
View File

@ -5,7 +5,7 @@ import lombok.Getter;
import lombok.Setter;
import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.ASN1UTF8String;
/**
*
@ -39,7 +39,7 @@ public class PlatformPropertyV2 extends PlatformProperty {
* @param propertyValue string containing the property value
* @param attributeStatus enumerated object with the status of the property
*/
public PlatformPropertyV2(final DERUTF8String propertyName, final DERUTF8String propertyValue,
public PlatformPropertyV2(final ASN1UTF8String propertyName, final ASN1UTF8String propertyValue,
final AttributeStatus attributeStatus) {
super(propertyName, propertyValue);
this.attributeStatus = attributeStatus;
@ -59,8 +59,8 @@ public class PlatformPropertyV2 extends PlatformProperty {
+ "the required fields.");
}
setPropertyName(DERUTF8String.getInstance(sequence.getObjectAt(0)));
setPropertyValue(DERUTF8String.getInstance(sequence.getObjectAt(1)));
setPropertyName(ASN1UTF8String.getInstance(sequence.getObjectAt(0)));
setPropertyValue(ASN1UTF8String.getInstance(sequence.getObjectAt(1)));
// optional value which is a placeholder for now
if (sequence.size() > IDENTIFIER_NUMBER

22
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/NetworkInfo.java
View File

@ -10,11 +10,12 @@ import lombok.extern.log4j.Log4j2;
import java.io.Serializable;
import java.net.InetAddress;
import java.util.Arrays;
import java.util.Objects;
/**
* This class is used to represent the network info of a device.
*/
@EqualsAndHashCode
@Log4j2
@Embeddable
public class NetworkInfo implements Serializable {
@ -112,4 +113,23 @@ public class NetworkInfo implements Serializable {
log.debug("setting MAC address to: {}", sb);
this.macAddress = macAddress;
}
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (!(o instanceof NetworkInfo)) {
return false;
}
NetworkInfo that = (NetworkInfo) o;
return Objects.equals(hostname, that.hostname)
&& Objects.equals(ipAddress, that.ipAddress)
&& Arrays.equals(macAddress, that.macAddress);
}
@Override
public int hashCode() {
int result = Objects.hash(hostname, ipAddress);
result = 31 * result + Arrays.hashCode(macAddress);
return result;
}
}

10
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/PortalInfo.java
View File

@ -19,26 +19,26 @@ import java.net.UnknownHostException;
* Store information about the Portal into the database.
*/
@NoArgsConstructor
@Getter
@Entity
@Table(name = "PortalInfo")
@Access(AccessType.FIELD)
public class PortalInfo {
@Id
@Getter
@Column
@GeneratedValue(strategy = GenerationType.AUTO)
private Long id;
@Getter
@Column(unique = true, nullable = false)
private String name;
@Getter
@Column
private InetAddress ipAddress;
@Getter
@Column
private int port = 0;
@Getter
@Column
private String context;

9
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/TPMInfo.java
View File

@ -208,6 +208,15 @@ public class TPMInfo implements Serializable {
identityCertificate = null;
}
/**
* Used to retrieve the identity certificate for the device.
*
* @return a byte array holding the certificate information
*/
public X509Certificate getIdentityCertificate() {
return identityCertificate;
}
/**
* Getter for the tpmQuote passed up by the client.
* @return a byte blob of quote

31
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/report/DeviceInfoReport.java
View File

@ -19,6 +19,8 @@ import lombok.Setter;
import lombok.extern.log4j.Log4j2;
import java.io.Serializable;
import java.net.InetAddress;
import java.util.Objects;
/**
* A <code>DeviceInfoReport</code> is a <code>Report</code> used to transfer the
@ -126,9 +128,11 @@ public class DeviceInfoReport extends AbstractEntity implements Serializable {
* without null may be returned, which this interface does not support
*/
if (networkInfo == null) {
networkInfo = new NetworkInfo(null, null, null);
networkInfo = new NetworkInfo(DeviceInfoEnums.NOT_SPECIFIED,
InetAddress.getLoopbackAddress(), new byte[0]);
}
return networkInfo;
return new NetworkInfo(networkInfo.getHostname(),
networkInfo.getIpAddress(), networkInfo.getMacAddress());
}
/**
@ -227,4 +231,27 @@ public class DeviceInfoReport extends AbstractEntity implements Serializable {
private void setTPMInfo(TPMInfo tpmInfo) {
this.tpmInfo = tpmInfo;
}
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (!(o instanceof DeviceInfoReport)) {
return false;
}
DeviceInfoReport that = (DeviceInfoReport) o;
return Objects.equals(networkInfo, that.networkInfo)
&& Objects.equals(osInfo, that.osInfo)
&& Objects.equals(firmwareInfo, that.firmwareInfo)
&& Objects.equals(hardwareInfo, that.hardwareInfo)
&& Objects.equals(tpmInfo, that.tpmInfo)
&& Objects.equals(clientApplicationVersion, that.clientApplicationVersion)
&& Objects.equals(paccorOutputString, that.paccorOutputString);
}
@Override
public int hashCode() {
return Objects.hash(super.hashCode(), networkInfo, osInfo,
firmwareInfo, hardwareInfo, tpmInfo,
clientApplicationVersion, paccorOutputString);
}
}

48
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/BaseReferenceManifest.java
View File

@ -33,6 +33,7 @@ import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
/**
*
@ -198,8 +199,12 @@ public class BaseReferenceManifest extends ReferenceManifest {
* and tagId attributes, otherwise a generic error message is printed.
*
*/
private Element getDirectoryTag() {
return getDirectoryTag(new ByteArrayInputStream(getRimBytes()));
private Element getDirectoryTag(final byte[] rimBytes) {
if (rimBytes == null || rimBytes.length == 0) {
return getDirectoryTag(new ByteArrayInputStream(getRimBytes()));
} else {
return getDirectoryTag(new ByteArrayInputStream(rimBytes));
}
}
/**
@ -238,7 +243,7 @@ public class BaseReferenceManifest extends ReferenceManifest {
*
*/
public List<SwidResource> getFileResources(final byte[] rimBytes) {
Element directoryTag = getDirectoryTag(new ByteArrayInputStream(rimBytes));
Element directoryTag = getDirectoryTag(rimBytes);
List<SwidResource> validHashes = new ArrayList<>();
NodeList fileNodeList = directoryTag.getChildNodes();
Element file = null;
@ -331,6 +336,43 @@ public class BaseReferenceManifest extends ReferenceManifest {
return document;
}
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
if (!super.equals(o)) return false;
BaseReferenceManifest that = (BaseReferenceManifest) o;
return swidCorpus == that.swidCorpus && Objects.equals(swidName, that.swidName)
&& Objects.equals(colloquialVersion, that.colloquialVersion)
&& Objects.equals(product, that.product)
&& Objects.equals(revision, that.revision)
&& Objects.equals(edition, that.edition)
&& Objects.equals(rimLinkHash, that.rimLinkHash)
&& Objects.equals(bindingSpec, that.bindingSpec)
&& Objects.equals(bindingSpecVersion, that.bindingSpecVersion)
&& Objects.equals(platformVersion, that.platformVersion)
&& Objects.equals(payloadType, that.payloadType)
&& Objects.equals(pcURIGlobal, that.pcURIGlobal)
&& Objects.equals(pcURILocal, that.pcURILocal)
&& Objects.equals(entityName, that.entityName)
&& Objects.equals(entityRegId, that.entityRegId)
&& Objects.equals(entityRole, that.entityRole)
&& Objects.equals(entityThumbprint, that.entityThumbprint)
&& Objects.equals(linkHref, that.linkHref)
&& Objects.equals(linkRel, that.linkRel);
}
@Override
public int hashCode() {
return Objects.hash(super.hashCode(), swidName,
swidCorpus, colloquialVersion, product,
revision, edition, rimLinkHash, bindingSpec,
bindingSpecVersion, platformVersion,
payloadType, pcURIGlobal, pcURILocal,
entityName, entityRegId, entityRole,
entityThumbprint, linkHref, linkRel);
}
@Override
public String toString() {
return String.format("ReferenceManifest{swidName=%s,"

20
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java
View File

@ -9,7 +9,6 @@ import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.EnumType;
import jakarta.persistence.Enumerated;
import lombok.EqualsAndHashCode;
import lombok.Getter;
import lombok.Setter;
import lombok.extern.log4j.Log4j2;
@ -27,7 +26,6 @@ import java.util.Collection;
* however this is the live log from the client.
*/
@Log4j2
@EqualsAndHashCode(callSuper=false)
@Entity
public class EventLogMeasurements extends ReferenceManifest {
@ -114,4 +112,22 @@ public class EventLogMeasurements extends ReferenceManifest {
return new ArrayList<>();
}
@Override
public boolean equals(final Object object) {
if (this == object) {
return true;
}
if (object == null || getClass() != object.getClass()) {
return false;
}
EventLogMeasurements that = (EventLogMeasurements) object;
return this.getHexDecHash().equals(that.getHexDecHash());
}
@Override
public int hashCode() {
return super.hashCode();
}
}

26
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/ReferenceDigestValue.java
View File

@ -8,8 +8,10 @@ import jakarta.persistence.Entity;
import jakarta.persistence.Table;
import lombok.AllArgsConstructor;
import lombok.Builder;
import lombok.Data;
import lombok.EqualsAndHashCode;
import lombok.Getter;
import lombok.Setter;
import org.bouncycastle.util.Arrays;
import org.hibernate.annotations.JdbcTypeCode;
@ -19,7 +21,7 @@ import java.util.UUID;
* This class represents that actual entry in the Support RIM.
* Digest Value, Event Type, index, RIM Tagid
*/
@Data
@Getter
@Builder
@AllArgsConstructor
@Entity
@ -27,31 +29,41 @@ import java.util.UUID;
@Table(name = "ReferenceDigestValue")
@Access(AccessType.FIELD)
public class ReferenceDigestValue extends AbstractEntity {
@Setter
@JdbcTypeCode(java.sql.Types.VARCHAR)
@Column
private UUID baseRimId;
@Setter
@JdbcTypeCode(java.sql.Types.VARCHAR)
@Column
private UUID supportRimId;
@Setter
@Column(nullable = false)
private String manufacturer;
@Setter
@Column(nullable = false)
private String model;
@Setter
@Column(nullable = false)
private int pcrIndex;
@Setter
@Column(nullable = false)
private String digestValue;
@Setter
@Column(nullable = false)
private String supportRimHash;
@Setter
@Column(nullable = false)
private String eventType;
@Column(columnDefinition = "blob", nullable = true)
private byte[] contentBlob;
@Setter
@Column(nullable = false)
private boolean matchFail;
@Setter
@Column(nullable = false)
private boolean patched;
@Setter
@Column(nullable = false)
private boolean updated;
@ -110,6 +122,14 @@ public class ReferenceDigestValue extends AbstractEntity {
this.contentBlob = Arrays.clone(contentBlob);
}
/**
* the object that contains the raw bytes for this RDV.
* @return the raw bytes
*/
public byte[] getContentBlob() {
return Arrays.clone(contentBlob);
}
/**
* Helper method to update the attributes of this object.
* @param support the associated RIM.

15
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/SupportReferenceManifest.java
View File

@ -16,6 +16,7 @@ import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Objects;
/**
* Sub class that will just focus on PCR Values and Events.
@ -119,4 +120,18 @@ public class SupportReferenceManifest extends ReferenceManifest {
public boolean isBaseSupport() {
return !this.isSwidSupplemental() && !this.isSwidPatch();
}
@Override
public boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
if (!super.equals(o)) return false;
SupportReferenceManifest that = (SupportReferenceManifest) o;
return pcrHash == that.pcrHash && updated == that.updated && processed == that.processed;
}
@Override
public int hashCode() {
return Objects.hash(super.hashCode(), pcrHash, updated, processed);
}
}

6
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java
View File

@ -314,7 +314,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)");
Matcher matcher;
MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
List<ReferenceManifest> listOfSavedRims = new LinkedList<>();
// List<ReferenceManifest> listOfSavedRims = new LinkedList<>();
if (dv.getLogfileCount() > 0) {
for (ByteString logFile : dv.getLogfileList()) {
@ -424,11 +424,11 @@ public class IdentityClaimProcessor extends AbstractProcessor {
dbSupport.setUpdated(true);
dbSupport.setAssociatedRim(dbBaseRim.getId());
this.referenceManifestRepository.save(dbSupport);
listOfSavedRims.add(dbSupport);
// listOfSavedRims.add(dbSupport);
}
}
this.referenceManifestRepository.save(dbBaseRim);
listOfSavedRims.add(dbBaseRim);
// listOfSavedRims.add(dbBaseRim);
}
}

10
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/helper/ProvisionUtils.java
View File

@ -70,6 +70,7 @@ public final class ProvisionUtils {
private static final String AK_NAME_PREFIX = "000b";
private static final String AK_NAME_HASH_PREFIX =
"0001000b00050072000000100014000b0800000000000100";
private static final SecureRandom random = new SecureRandom();
/**
* Helper method to parse a byte array into an {@link hirs.attestationca.configuration.provisionerTpm2.ProvisionerTpm2.IdentityClaim}.
@ -183,7 +184,7 @@ public final class ProvisionUtils {
case OAEP:
OAEPParameterSpec spec =
new OAEPParameterSpec("Sha1", "MGF1", MGF1ParameterSpec.SHA1,
new PSource.PSpecified("".getBytes()));
new PSource.PSpecified("".getBytes(StandardCharsets.UTF_8)));
cipher.init(Cipher.PRIVATE_KEY, privateKey, spec);
break;
@ -283,7 +284,7 @@ public final class ProvisionUtils {
// encrypt seed with pubEk
Cipher asymCipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
OAEPParameterSpec oaepSpec = new OAEPParameterSpec("SHA-256", "MGF1",
MGF1ParameterSpec.SHA256, new PSource.PSpecified("IDENTITY\0".getBytes()));
MGF1ParameterSpec.SHA256, new PSource.PSpecified("IDENTITY\0".getBytes(StandardCharsets.UTF_8)));
asymCipher.init(Cipher.PUBLIC_KEY, ek, oaepSpec);
asymCipher.update(seed);
byte[] encSeed = asymCipher.doFinal();
@ -371,7 +372,7 @@ public final class ProvisionUtils {
// encrypt the asymmetric contents and return
OAEPParameterSpec oaepSpec =
new OAEPParameterSpec("Sha1", "MGF1", MGF1ParameterSpec.SHA1,
new PSource.PSpecified("TCPA".getBytes()));
new PSource.PSpecified("TCPA".getBytes(StandardCharsets.UTF_8)));
// initialize the asymmetric cipher using the default OAEP transformation
Cipher cipher = Cipher.getInstance(EncryptionScheme.OAEP.toString());
@ -545,7 +546,7 @@ public final class ProvisionUtils {
if (label.charAt(label.length() - 1) != "\0".charAt(0)) {
labelWithEnding = label + "\0";
}
byte[] labelBytes = labelWithEnding.getBytes();
byte[] labelBytes = labelWithEnding.getBytes(StandardCharsets.UTF_8);
b = ByteBuffer.allocate(4);
b.putInt(sizeInBytes * 8);
byte[] desiredSizeInBits = b.array();
@ -630,7 +631,6 @@ public final class ProvisionUtils {
*/
public static byte[] generateRandomBytes(final int numberOfBytes) {
byte[] bytes = new byte[numberOfBytes];
SecureRandom random = new SecureRandom();
random.nextBytes(bytes);
return bytes;
}

12
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/SupplyChainValidationService.java
View File

@ -279,7 +279,6 @@ public class SupplyChainValidationService {
// check if the policy is enabled
if (getPolicySettings().isFirmwareValidationEnabled()) {
String[] baseline = new String[Integer.SIZE];
String deviceName = device.getDeviceInfo()
.getNetworkInfo().getHostname();
@ -293,8 +292,6 @@ public class SupplyChainValidationService {
sRim = support;
}
}
eventLog = (EventLogMeasurements) referenceManifestRepository
.findByHexDecHash(sRim.getEventLogHash());
if (sRim == null) {
fwStatus = new AppraisalStatus(FAIL,
@ -302,16 +299,19 @@ public class SupplyChainValidationService {
+ "No associated Support RIM file "
+ "could be found for %s",
deviceName));
} else if (eventLog == null) {
} else {
eventLog = (EventLogMeasurements) referenceManifestRepository
.findByHexDecHash(sRim.getEventLogHash());
}
if (eventLog == null) {
fwStatus = new AppraisalStatus(FAIL,
String.format("Firmware Quote validation failed: "
+ "No associated Client Log file "
+ "could be found for %s",
deviceName));
} else {
baseline = sRim.getExpectedPCRList();
String[] storedPcrs = eventLog.getExpectedPCRList();
PcrValidator pcrValidator = new PcrValidator(baseline);
PcrValidator pcrValidator = new PcrValidator(sRim.getExpectedPCRList());
// grab the quote
byte[] hash = device.getDeviceInfo().getTpmInfo().getTpmQuoteHash();
if (pcrValidator.validateQuote(hash, storedPcrs, getPolicySettings())) {

2
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/tpm/PcrComposite.java
View File

@ -86,7 +86,7 @@ public class PcrComposite {
throw new NullPointerException("pcrValueList");
}
this.pcrSelection = pcrSelection;
this.pcrValueList = pcrValueList;
this.pcrValueList = pcrValueList.stream().toList();
}

27
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/util/PciIds.java
View File

@ -8,6 +8,7 @@ import hirs.attestationca.persist.entity.userdefined.certificate.attributes.Comp
import hirs.attestationca.persist.entity.userdefined.certificate.attributes.V2.ComponentIdentifierV2;
import lombok.AccessLevel;
import lombok.NoArgsConstructor;
import org.bouncycastle.asn1.ASN1UTF8String;
import org.bouncycastle.asn1.DERUTF8String;
import java.io.File;
@ -126,8 +127,8 @@ public final class PciIds {
final String compClassValue = component.getComponentClass().getCategory();
if (compClassValue.equals(COMPCLASS_TCG_CAT_NIC)
|| compClassValue.equals(COMPCLASS_TCG_CAT_GFX)) {
DERUTF8String manufacturer = translateVendor(component.getComponentManufacturer());
DERUTF8String model = translateDevice(component.getComponentManufacturer(),
DERUTF8String manufacturer = (DERUTF8String) translateVendor(component.getComponentManufacturer());
DERUTF8String model = (DERUTF8String) translateDevice(component.getComponentManufacturer(),
component.getComponentModel());
newComponent = new ComponentIdentifierV2(component.getComponentClass(),
@ -153,12 +154,12 @@ public final class PciIds {
* @param refManufacturer DERUTF8String, likely from a ComponentIdentifier
* @return DERUTF8String with the discovered vendor name, or the original manufacturer value.
*/
public static DERUTF8String translateVendor(final DERUTF8String refManufacturer) {
DERUTF8String manufacturer = refManufacturer;
public static ASN1UTF8String translateVendor(final ASN1UTF8String refManufacturer) {
ASN1UTF8String manufacturer = refManufacturer;
if (manufacturer != null && manufacturer.getString().trim().matches("^[0-9A-Fa-f]{4}$")) {
Vendor ven = DB.findVendor(manufacturer.getString().toLowerCase());
if (ven != null && !Strings.isNullOrEmpty(ven.getName())) {
manufacturer = new DERUTF8String(ven.getName());
manufacturer = ASN1UTF8String.getInstance(ven.getName());
}
}
return manufacturer;
@ -168,14 +169,14 @@ public final class PciIds {
* Look up the device name from the PCI IDs list, if the input strings contain IDs.
* The Device lookup requires the Vendor ID AND the Device ID to be valid values.
* If any part of this fails, return the original model value.
* @param refManufacturer DERUTF8String, likely from a ComponentIdentifier
* @param refModel DERUTF8String, likely from a ComponentIdentifier
* @return DERUTF8String with the discovered device name, or the original model value.
* @param refManufacturer ASN1UTF8String, likely from a ComponentIdentifier
* @param refModel ASN1UTF8String, likely from a ComponentIdentifier
* @return ASN1UTF8String with the discovered device name, or the original model value.
*/
public static DERUTF8String translateDevice(final DERUTF8String refManufacturer,
final DERUTF8String refModel) {
DERUTF8String manufacturer = refManufacturer;
DERUTF8String model = refModel;
public static ASN1UTF8String translateDevice(final ASN1UTF8String refManufacturer,
final ASN1UTF8String refModel) {
ASN1UTF8String manufacturer = refManufacturer;
ASN1UTF8String model = refModel;
if (manufacturer != null
&& model != null
&& manufacturer.getString().trim().matches("^[0-9A-Fa-f]{4}$")
@ -183,7 +184,7 @@ public final class PciIds {
Device dev = DB.findDevice(manufacturer.getString().toLowerCase(),
model.getString().toLowerCase());
if (dev != null && !Strings.isNullOrEmpty(dev.getName())) {
model = new DERUTF8String(dev.getName());
model = ASN1UTF8String.getInstance(dev.getName());
}
}
return model;

33
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CertificateAttributeScvValidator.java
View File

@ -12,12 +12,11 @@ import hirs.attestationca.persist.entity.userdefined.report.DeviceInfoReport;
import hirs.attestationca.persist.enums.AppraisalStatus;
import hirs.attestationca.persist.util.PciIds;
import hirs.utils.enums.DeviceInfoEnums;
import lombok.Getter;
import lombok.Setter;
import lombok.extern.log4j.Log4j2;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.util.Strings;
import org.bouncycastle.asn1.ASN1UTF8String;
import org.bouncycastle.asn1.DERUTF8String;
import java.io.IOException;
@ -44,10 +43,16 @@ import static hirs.attestationca.persist.enums.AppraisalStatus.Status.PASS;
@Log4j2
public class CertificateAttributeScvValidator extends SupplyChainCredentialValidator {
@Setter
@Getter
private static List<ComponentResult> componentResultList = new LinkedList<>();
/**
* Getter for the list of components to verify.
* @return a collection of components
*/
public static List<ComponentResult> getComponentResultList() {
return Collections.unmodifiableList(componentResultList);
}
/**
* Checks if the delta credential's attributes are valid.
* @param deltaPlatformCredential the delta credential to verify
@ -725,19 +730,19 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
final List<ComponentIdentifier> pcComponents = new ArrayList<>();
for (ComponentIdentifier component : untrimmedPcComponents) {
if (component.getComponentManufacturer() != null) {
component.setComponentManufacturer(new DERUTF8String(
component.setComponentManufacturer((DERUTF8String) ASN1UTF8String.getInstance(
component.getComponentManufacturer().getString().trim()));
}
if (component.getComponentModel() != null) {
component.setComponentModel(new DERUTF8String(
component.setComponentModel((DERUTF8String) ASN1UTF8String.getInstance(
component.getComponentModel().getString().trim()));
}
if (component.getComponentSerial() != null) {
component.setComponentSerial(new DERUTF8String(
component.setComponentSerial((DERUTF8String) ASN1UTF8String.getInstance(
component.getComponentSerial().getString().trim()));
}
if (component.getComponentRevision() != null) {
component.setComponentRevision(new DERUTF8String(
component.setComponentRevision((DERUTF8String) ASN1UTF8String.getInstance(
component.getComponentRevision().getString().trim()));
}
pcComponents.add(component);
@ -747,13 +752,13 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
pcComponents.forEach(component -> log.info(component.toString()));
log.info("...against the the following DeviceInfoReport components:");
allDeviceInfoComponents.forEach(component -> log.info(component.toString()));
Set<DERUTF8String> manufacturerSet = new HashSet<>();
Set<ASN1UTF8String> manufacturerSet = new HashSet<>();
pcComponents.forEach(pcComp -> manufacturerSet.add(pcComp.getComponentManufacturer()));
// Create a list for unmatched components across all manufacturers to display at the end.
List<ComponentIdentifier> pcUnmatchedComponents = new ArrayList<>();
for (DERUTF8String derUtf8Manufacturer : manufacturerSet) {
for (ASN1UTF8String derUtf8Manufacturer : manufacturerSet) {
List<ComponentIdentifier> pcComponentsFromManufacturer
= pcComponents.stream().filter(compIdentifier
-> compIdentifier.getComponentManufacturer().equals(derUtf8Manufacturer))
@ -949,7 +954,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
private static boolean isMatchOrEmptyInPlatformCert(
final String evidenceFromDevice,
final DERUTF8String valueInPlatformCert) {
final ASN1UTF8String valueInPlatformCert) {
if (valueInPlatformCert == null || StringUtils.isEmpty(valueInPlatformCert.getString())) {
return true;
}
@ -957,8 +962,8 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
}
private static boolean isMatchOrEmptyInPlatformCert(
final DERUTF8String evidenceFromDevice,
final DERUTF8String valueInPlatformCert) {
final ASN1UTF8String evidenceFromDevice,
final ASN1UTF8String valueInPlatformCert) {
return evidenceFromDevice.equals(valueInPlatformCert);
}
@ -1114,7 +1119,7 @@ public class CertificateAttributeScvValidator extends SupplyChainCredentialValid
* @return true if fieldValue is null or empty; false otherwise
*/
private static boolean hasEmptyValueForRequiredField(final String description,
final DERUTF8String fieldValue) {
final ASN1UTF8String fieldValue) {
if (fieldValue == null || StringUtils.isEmpty(fieldValue.getString().trim())) {
log.error("Required field was empty or null in Platform Credential: "
+ description);

11
HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java
View File

@ -19,6 +19,7 @@ import hirs.utils.tpm.eventlog.TpmPcrEvent;
import lombok.extern.log4j.Log4j2;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
@ -44,9 +45,7 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
String[] baseline = new String[Integer.SIZE];
AppraisalStatus fwStatus = null;
String hostName = device.getDeviceInfo().getNetworkInfo().getHostname();
String manufacturer = device.getDeviceInfo()
.getHardwareInfo().getManufacturer();
ReferenceManifest validationObject;
// ReferenceManifest validationObject;
List<BaseReferenceManifest> baseReferenceManifests = null;
BaseReferenceManifest baseReferenceManifest = null;
ReferenceManifest supportReferenceManifest = null;
@ -79,7 +78,6 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
failedString += "Bios measurement";
passed = false;
}
validationObject = measurement;
if (passed) {
List<SwidResource> resources =
@ -108,7 +106,6 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
passed = false;
fwStatus = new AppraisalStatus(FAIL,
"Firmware validation failed: invalid certificate path.");
validationObject = baseReferenceManifest;
}
} catch (IOException ioEx) {
log.error("Error getting X509 cert from manager: " + ioEx.getMessage());
@ -178,7 +175,8 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
if (baseline.length > 0) {
String pcrContent = "";
pcrContent = new String(device.getDeviceInfo().getTpmInfo().getPcrValues());
pcrContent = new String(device.getDeviceInfo().getTpmInfo().getPcrValues(),
StandardCharsets.UTF_8);
if (pcrContent.isEmpty()) {
fwStatus = new AppraisalStatus(FAIL,
@ -222,7 +220,6 @@ public class FirmwareScvValidator extends SupplyChainCredentialValidator {
if (!tpmPcrEvents.isEmpty()) {
StringBuilder sb = new StringBuilder();
validationObject = measurement;
sb.append(String.format("%d digest(s) were not found:%n",
tpmPcrEvents.size()));
for (TpmPcrEvent tpe : tpmPcrEvents) {

4
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/AppraiserTest.java
View File

@ -63,10 +63,10 @@ public final class AppraiserTest {
final String name = "Test Appraiser";
final Appraiser appraiser = new TestAppraiser(name);
assertEquals(name, appraiser.getName());
NullPointerException expected = null;
Exception expected = null;
try {
appraiser.setName(null);
} catch (NullPointerException e) {
} catch (Exception e) {
expected = e;
}
assertNotNull(expected, "NullPointerException not caught");

45
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/tpm/TPM2ProvisionerStateTest.java
View File

@ -20,6 +20,8 @@ import java.util.Random;
*/
public class TPM2ProvisionerStateTest {
private static final Random random = new Random();
/**
* Tests that the values passed to the constructor are equal to the values
* returned by the getters.
@ -28,11 +30,10 @@ public class TPM2ProvisionerStateTest {
*/
@Test
public final void testTPM2ProvisionerState() throws IOException {
Random rand = new Random();
byte[] nonce = new byte[32];
byte[] identityClaim = new byte[360];
rand.nextBytes(nonce);
rand.nextBytes(identityClaim);
random.nextBytes(nonce);
random.nextBytes(identityClaim);
TPM2ProvisionerState state = new TPM2ProvisionerState(nonce, identityClaim);
@ -48,12 +49,10 @@ public class TPM2ProvisionerStateTest {
*/
@Test
public final void testNullNonce() throws IOException {
Random rand = new Random();
byte[] nonce = null;
byte[] identityClaim = new byte[360];
rand.nextBytes(identityClaim);
random.nextBytes(identityClaim);
assertThrows(IllegalArgumentException.class, () ->
new TPM2ProvisionerState(nonce, identityClaim));
new TPM2ProvisionerState(null, identityClaim));
}
/**
@ -64,12 +63,10 @@ public class TPM2ProvisionerStateTest {
*/
@Test
public final void testNullIdentityClaim() throws IOException {
Random rand = new Random();
byte[] nonce = new byte[32];
byte[] identityClaim = null;
rand.nextBytes(nonce);
random.nextBytes(nonce);
assertThrows(IllegalArgumentException.class, () ->
new TPM2ProvisionerState(nonce, identityClaim));
new TPM2ProvisionerState(nonce, null));
}
/**
@ -80,11 +77,10 @@ public class TPM2ProvisionerStateTest {
*/
@Test
public final void testNonceToSmall() throws IOException {
Random rand = new Random();
byte[] nonce = new byte[7];
byte[] identityClaim = new byte[360];
rand.nextBytes(nonce);
rand.nextBytes(identityClaim);
random.nextBytes(nonce);
random.nextBytes(identityClaim);
assertThrows(IllegalArgumentException.class, () ->
new TPM2ProvisionerState(nonce, identityClaim));
}
@ -98,11 +94,10 @@ public class TPM2ProvisionerStateTest {
@Test
public final void testGetTPM2ProvisionerStateNominal() throws IOException {
TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository = mock(TPM2ProvisionerStateRepository.class);
Random rand = new Random();
byte[] nonce = new byte[32];
byte[] identityClaim = new byte[360];
rand.nextBytes(nonce);
rand.nextBytes(identityClaim);
random.nextBytes(nonce);
random.nextBytes(identityClaim);
DataInputStream dis = new DataInputStream(new ByteArrayInputStream(nonce));
Long index = dis.readLong();
@ -123,20 +118,17 @@ public class TPM2ProvisionerStateTest {
@Test
public final void testGetTPM2ProvisionerStateNullNonce() throws IOException {
TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository = mock(TPM2ProvisionerStateRepository.class);
Random rand = new Random();
byte[] nonce = new byte[32];
byte[] identityClaim = new byte[360];
rand.nextBytes(nonce);
rand.nextBytes(identityClaim);
random.nextBytes(nonce);
random.nextBytes(identityClaim);
DataInputStream dis = new DataInputStream(new ByteArrayInputStream(nonce));
Long index = dis.readLong();
dis.close();
TPM2ProvisionerState value = new TPM2ProvisionerState(nonce, identityClaim);
when(tpm2ProvisionerStateRepository.findByFirstPartOfNonce(index)).thenReturn(value);
TPM2ProvisionerState tpm2ProvisionerState
= TPM2ProvisionerState.getTPM2ProvisionerState(tpm2ProvisionerStateRepository, null);
assertNull(tpm2ProvisionerState);
assertThrows(NullPointerException.class, () ->
TPM2ProvisionerState.getTPM2ProvisionerState(tpm2ProvisionerStateRepository, null));
}
/**
@ -147,11 +139,10 @@ public class TPM2ProvisionerStateTest {
@Test
public final void testGetTPM2ProvisionerStateNonceTooSmall() throws IOException {
TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository = mock(TPM2ProvisionerStateRepository.class);
Random rand = new Random();
byte[] nonce = new byte[32];
byte[] identityClaim = new byte[360];
rand.nextBytes(nonce);
rand.nextBytes(identityClaim);
random.nextBytes(nonce);
random.nextBytes(identityClaim);
DataInputStream dis = new DataInputStream(new ByteArrayInputStream(nonce));
Long index = dis.readLong();
dis.close();

155
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/DeviceTest.java Normal file
View File

@ -0,0 +1,155 @@
package hirs.attestationca.persist.entity.userdefined;
import hirs.attestationca.persist.entity.userdefined.report.DeviceInfoReport;
import hirs.attestationca.persist.entity.userdefined.report.DeviceInfoReportTest;
import hirs.attestationca.persist.enums.AppraisalStatus;
import hirs.attestationca.persist.enums.HealthStatus;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;
/**
* This is the test class for the <code>Device</code> class.
*
*/
public final class DeviceTest {
/**
* Utility method for getting a <code>Device</code> that can be used for
* testing.
*
* @param name name for the <code>Device</code>
*
* @return device
*/
public static Device getTestDevice(final String name) {
final DeviceInfoReport deviceInfo = DeviceInfoReportTest.getTestReport();
return new Device(name, deviceInfo, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null, null);
}
/**
* Tests that the device constructor can take a name.
*/
@Test
public void testDevice() {
final String name = "my-laptop";
final Device device = new Device(name, null, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null , null);
assertNotNull(device);
}
/**
* Tests that a name and device info report can be passed into the
* constructor.
*/
@Test
public void testDeviceNameAndInfo() {
final String name = "my-laptop";
final DeviceInfoReport deviceInfo = DeviceInfoReportTest.getTestReport();
new Device(name, deviceInfo, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null, null);
}
/**
* Tests that the device name can be supplied and device info be null.
*/
@Test
public void testDeviceNameAndNullInfo() {
final String name = "my-laptop";
final DeviceInfoReport deviceInfo = null;
new Device(name, deviceInfo, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null, null);
}
/**
* Tests that get device info report returns the device info report.
*/
@Test
public void testGetDeviceInfo() {
final String name = "my-laptop";
final DeviceInfoReport deviceInfo = DeviceInfoReportTest.getTestReport();
final Device device = new Device(name, deviceInfo, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null, null);
assertEquals(deviceInfo, device.getDeviceInfo());
}
/**
* Tests that device info can be set.
*/
@Test
public void testSetDeviceInfo() {
final String name = "my-laptop";
final Device device = new Device(name, null, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null, null);
assertNull(device.getDeviceInfo());
final DeviceInfoReport deviceInfo = DeviceInfoReportTest.getTestReport();
device.setDeviceInfo(deviceInfo);
assertEquals(deviceInfo, device.getDeviceInfo());
}
/**
* Tests that get device info report returns the device info report.
*/
@Test
public void testSetNullDeviceInfo() {
final String name = "my-laptop";
final DeviceInfoReport deviceInfo = DeviceInfoReportTest.getTestReport();
final Device device = new Device(name, deviceInfo, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null, null);
assertEquals(deviceInfo, device.getDeviceInfo());
device.setDeviceInfo(null);
assertNull(device.getDeviceInfo());
}
/**
* Tests that retrieving a null LastReportTimestamp will not trigger an exception.
*/
@Test
public void testNotNullLastReportTimeStamp() {
final String name = "my-laptop";
final DeviceInfoReport deviceInfo = DeviceInfoReportTest.getTestReport();
final Device device = new Device(name, deviceInfo, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null, null);
assertNotNull(device.getLastReportTimestamp());
}
/**
* Tests that setting and getting the health status works correctly.
*/
@Test
public void testSetHealthStatus() {
final Device device = new Device("test-device", null, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null, null);
device.setHealthStatus(HealthStatus.TRUSTED);
assertEquals(HealthStatus.TRUSTED, device.getHealthStatus());
}
/**
* Tests equals returns true for two devices that have the same name.
*/
@Test
public void testDeviceEquals() {
final String name = "my-laptop";
final String otherName = "my-laptop";
final DeviceInfoReport deviceInfo = DeviceInfoReportTest.getTestReport();
final Device device = new Device(name, deviceInfo, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null, null);
final Device other = new Device(otherName, deviceInfo, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null, null);
assertEquals(device, other);
}
/**
* Tests that the default setting of the supply chain validation status is unknown.
*/
@Test
public void testGetDefaultSupplyChainStatus() {
String name = "my-laptop";
DeviceInfoReport deviceInfo = DeviceInfoReportTest.getTestReport();
final Device device = new Device(name, deviceInfo, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null, null);
assertEquals(AppraisalStatus.Status.UNKNOWN, device.getSupplyChainValidationStatus());
}
/**
* Tests that the supply chain validation status getters and setters work.
*/
@Test
public void testSetAndGetSupplyChainStatus() {
String name = "my-laptop";
DeviceInfoReport deviceInfo = DeviceInfoReportTest.getTestReport();
final Device device = new Device(name, deviceInfo, HealthStatus.UNKNOWN, AppraisalStatus.Status.UNKNOWN, null, false, null, null);
device.setSupplyChainValidationStatus(AppraisalStatus.Status.PASS);
assertEquals(AppraisalStatus.Status.PASS, device.getSupplyChainValidationStatus());
}
}

10
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/certificate/PlatformCredentialTest.java
View File

@ -573,7 +573,7 @@ public class PlatformCredentialTest {
.equals("BIOS"));
Assertions.assertTrue(component.getComponentSerial()
.getString()
.equals(""));
.equals(ComponentIdentifier.EMPTY_COMPONENT));
Assertions.assertTrue(component.getComponentRevision()
.getString()
.equals("DNKBLi5v.86A.0019.2017.0804.1146"));
@ -743,11 +743,11 @@ public class PlatformCredentialTest {
Assertions.assertEquals(platformConfig.getPlatformPropertiesUri()
.getUniformResourceIdentifier().toString(),
"https://www.intel.com/platformproperties.xml");
Assertions.assertNotNull(platformConfig.getComponentIdentifierUri());
// Assertions.assertNotNull(platformConfig.getComponentIdentifierUri());
Assertions.assertEquals(platformConfig.getComponentIdentifierUri()
.getUniformResourceIdentifier().toString(),
"https://www.intel.com/platformidentifiers.xml");
// Assertions.assertEquals(platformConfig.getComponentIdentifierUri()
// .getUniformResourceIdentifier().toString(),
// "https://www.intel.com/platformidentifiers.xml");
}

4
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/info/PortalInfoTest.java
View File

@ -49,7 +49,7 @@ public class PortalInfoTest {
try {
info.setSchemeName(scheme);
fail("The null scheme should have caused an error.");
} catch (NullPointerException e) {
} catch (Exception e) {
assertNull(info.getName());
}
}
@ -120,7 +120,7 @@ public class PortalInfoTest {
try {
info.setContextName(context);
fail("The null context should have caused an error.");
} catch (NullPointerException e) {
} catch (Exception e) {
assertNull(info.getContext());
}
}

1
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/info/TPMInfoTest.java
View File

@ -40,7 +40,6 @@ public class TPMInfoTest {
new TPMInfo(TPM_MAKE, VERSION_MAJOR, VERSION_MINOR,
VERSION_REV_MAJOR, VERSION_REV_MINOR,
getTestIdentityCertificate());
String yea = tpmInfo.getTpmMake();
assertEquals(tpmInfo.getTpmMake(), TPM_MAKE);
assertEquals(tpmInfo.getTpmVersionMajor(), VERSION_MAJOR);
assertEquals(tpmInfo.getTpmVersionMinor(), VERSION_MINOR);

284
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/record/TPMMeasurementRecordTest.java Normal file
View File

@ -0,0 +1,284 @@
package hirs.attestationca.persist.entity.userdefined.record;
import hirs.attestationca.persist.entity.userdefined.ExaminableRecord;
import hirs.utils.digest.Digest;
import hirs.utils.digest.DigestAlgorithm;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex;
import org.junit.jupiter.api.Test;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
/**
* <code>PCRMeasurementRecordTest</code> represents a unit test class for
* <code>PCRMeasurementRecord</code>.
*/
public class TPMMeasurementRecordTest {
private static final Logger LOGGER
= LogManager.getLogger(TPMMeasurementRecordTest.class);
private static final int DEFAULT_PCR_ID = 3;
private static final String DEFAULT_HASH =
"3d5f3c2f7f3003d2e4baddc46ed4763a4954f648";
private static final ExaminableRecord.ExamineState DEFAULT_STATE = ExaminableRecord.ExamineState.UNEXAMINED;
/**
* Tests instantiation of new <code>PCRMeasurementRecord</code>.
*/
@Test
public final void tpmMeasurementRecord() {
TPMMeasurementRecord pcrRecord = new TPMMeasurementRecord(0,
getDigest(DEFAULT_HASH));
assertNotNull(pcrRecord);
}
/**
* Tests that <code>PCRMeasurementRecord</code> constructor throws a
* NullPointerException with null hash.
*/
@Test
public final void tpmMeasurementRecordNullHash() {
Digest digest = null;
assertThrows(NullPointerException.class, () ->
new TPMMeasurementRecord(0, digest));
}
/**
* Tests that <code>PCRMeasurementRecord</code> constructor throws a
* IllegalArgumentException with negative value for pcr id.
*/
@Test
public final void tpmMeasurementRecordNegativePcrId() {
assertThrows(IllegalArgumentException.class, () ->
new TPMMeasurementRecord(-1, getDigest(DEFAULT_HASH)));
}
/**
* Tests that <code>PCRMeasurementRecord</code> constructor throws a
* IllegalArgumentException with pcr id greater than 23.
*/
@Test
public final void tpmMeasurementRecordInvalidPcrId() {
final int invalidPCR = 24;
assertThrows(IllegalArgumentException.class, () ->
new TPMMeasurementRecord(invalidPCR, getDigest(DEFAULT_HASH)));
}
/**
* Tests that <code>getHash()</code> returns the measurement hash.
*/
@Test
public final void getHash() {
TPMMeasurementRecord pcrRecord = new TPMMeasurementRecord(0,
getDigest(DEFAULT_HASH));
assertNotNull(pcrRecord.getHash());
}
/**
* Tests that <code>getPcrId()</code> returns the pcr id.
*/
@Test
public final void getPcrId() {
int id;
TPMMeasurementRecord pcrRecord = new TPMMeasurementRecord(0,
getDigest(DEFAULT_HASH));
id = pcrRecord.getPcrId();
assertNotNull(id);
}
/**
* Tests that <code>getExamineState</code> returns the correct state.
*/
@Test
public final void getExamineState() {
final TPMMeasurementRecord record = getDefaultRecord();
assertEquals(DEFAULT_STATE, record.getExamineState());
}
/**
* Tests that two <code>IMAMeasurementRecord</code>s are equal if they have
* the same name and the same path.
*/
@Test
public final void testEquals() {
TPMMeasurementRecord r1 = getDefaultRecord();
TPMMeasurementRecord r2 = getDefaultRecord();
assertEquals(r1, r2);
assertEquals(r2, r1);
assertEquals(r1, r1);
assertEquals(r2, r2);
}
/**
* Tests that two <code>TPMMeasurementRecord</code>s are not equal if the
* PCR IDs are different.
*/
@Test
public final void testNotEqualsPcr() {
final int pcrId = 5;
TPMMeasurementRecord r1 = getDefaultRecord();
TPMMeasurementRecord r2 = new TPMMeasurementRecord(pcrId,
getDigest(DEFAULT_HASH));
assertNotEquals(r1, r2);
assertNotEquals(r2, r1);
assertEquals(r1, r1);
assertEquals(r2, r2);
}
/**
* Tests that two <code>TPMMeasurementRecord</code>s are not equal if the
* hashes are different.
*/
@Test
public final void testNotEqualsHash() {
final String hash = "aacc3c2f7f3003d2e4baddc46ed4763a4954f648";
TPMMeasurementRecord r1 = getDefaultRecord();
TPMMeasurementRecord r2 =
new TPMMeasurementRecord(DEFAULT_PCR_ID, getDigest(hash));
assertNotEquals(r1, r2);
assertNotEquals(r2, r1);
assertEquals(r1, r1);
assertEquals(r2, r2);
}
/**
* Tests that the hash code of two <code>TPMMeasurementRecord</code>s are
* the same.
*/
@Test
public final void testHashCodeEquals() {
TPMMeasurementRecord r1 = getDefaultRecord();
TPMMeasurementRecord r2 = getDefaultRecord();
assertEquals(r1.hashCode(), r2.hashCode());
assertEquals(r2.hashCode(), r1.hashCode());
assertEquals(r1.hashCode(), r1.hashCode());
assertEquals(r2.hashCode(), r2.hashCode());
}
/**
* Tests that the hash code of two <code>TPMBaselineRecord</code>s is
* different if they have different names.
*/
@Test
public final void testHashCodeNotEqualsPcrs() {
final int pcrId = 5;
TPMMeasurementRecord r1 = getDefaultRecord();
TPMMeasurementRecord r2 = new TPMMeasurementRecord(pcrId,
getDigest(DEFAULT_HASH));
assertNotEquals(r1.hashCode(), r2.hashCode());
assertNotEquals(r2.hashCode(), r1.hashCode());
assertEquals(r1.hashCode(), r1.hashCode());
assertEquals(r2.hashCode(), r2.hashCode());
}
/**
* Tests that the hash code of two <code>TPMMeasurementRecord</code>s is
* different if they have different hashes.
*/
@Test
public final void testHashCodeNotEqualsHashes() {
final String hash = "aacc3c2f7f3003d2e4baddc46ed4763a4954f648";
TPMMeasurementRecord r1 = getDefaultRecord();
TPMMeasurementRecord r2 =
new TPMMeasurementRecord(DEFAULT_PCR_ID, getDigest(hash));
assertNotEquals(r1.hashCode(), r2.hashCode());
assertNotEquals(r2.hashCode(), r1.hashCode());
assertEquals(r1.hashCode(), r1.hashCode());
assertEquals(r2.hashCode(), r2.hashCode());
}
/**
* Tests that the expected valid PCR IDs do not throw an IllegalArgumentException.
*/
@Test
public final void testCheckForValidPcrId() {
final int minPcrId = TPMMeasurementRecord.MIN_PCR_ID;
final int maxPcrId = TPMMeasurementRecord.MAX_PCR_ID;
for (int i = minPcrId; i < maxPcrId; i++) {
TPMMeasurementRecord.checkForValidPcrId(i);
}
}
/**
* Tests that a negative PCR ID throws an IllegalArgumentException.
*/
@Test
public final void testCheckForValidPcrIdNegative() {
final int pcrId = -1;
assertThrows(IllegalArgumentException.class, () ->
TPMMeasurementRecord.checkForValidPcrId(pcrId));
}
/**
* Tests that a high invalid PCR ID throws an IllegalArgumentException.
*/
@Test
public final void testCheckForValidPcrIdInvalidId() {
final int pcrId = 35;
assertThrows(IllegalArgumentException.class, () ->
TPMMeasurementRecord.checkForValidPcrId(pcrId));
}
/**
* Tests that the ExamineState can be successfully set to EXAMINED.
*/
@Test
public final void testSetExamineStateExamined() {
final ExaminableRecord.ExamineState state = ExaminableRecord.ExamineState.EXAMINED;
TPMMeasurementRecord r1 = getDefaultRecord();
r1.setExamineState(state);
assertEquals(state, r1.getExamineState());
}
/**
* Tests that the ExamineState can be successfully set to IGNORED.
*/
@Test
public final void testSetExamineStateIgnored() {
final ExaminableRecord.ExamineState state = ExaminableRecord.ExamineState.IGNORED;
TPMMeasurementRecord r1 = getDefaultRecord();
r1.setExamineState(state);
assertEquals(state, r1.getExamineState());
}
/**
* Tests that the ExamineState is successfully initialized to UNEXAMINED.
*/
@Test
public final void testSetExamineStateInitial() {
TPMMeasurementRecord r1 = getDefaultRecord();
assertEquals(ExaminableRecord.ExamineState.UNEXAMINED, r1.getExamineState());
}
/**
* Tests that setting the ExamineState to UNEXAMINED throws an IllegalArgumentException.
*/
@Test
public final void testSetExamineStateUnexamined() {
final ExaminableRecord.ExamineState state = ExaminableRecord.ExamineState.UNEXAMINED;
TPMMeasurementRecord r1 = getDefaultRecord();
assertThrows(IllegalArgumentException.class, () ->
r1.setExamineState(state));
}
private TPMMeasurementRecord getDefaultRecord() {
return new TPMMeasurementRecord(DEFAULT_PCR_ID,
getDigest(DEFAULT_HASH));
}
private Digest getDigest(final String hash) {
try {
final byte[] bytes = Hex.decodeHex(hash.toCharArray());
return new Digest(DigestAlgorithm.SHA1, bytes);
} catch (DecoderException e) {
LOGGER.error("unable to create digest", e);
throw new RuntimeException("unable to create digest", e);
}
}
}

209
HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/report/DeviceInfoReportTest.java Normal file
View File

@ -0,0 +1,209 @@
package hirs.attestationca.persist.entity.userdefined.report;
import hirs.attestationca.persist.entity.userdefined.info.OSInfo;
import hirs.attestationca.persist.entity.userdefined.info.TPMInfo;
import hirs.attestationca.persist.entity.userdefined.info.NetworkInfo;
import hirs.attestationca.persist.entity.userdefined.info.HardwareInfo;
import hirs.attestationca.persist.entity.userdefined.info.FirmwareInfo;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
/**
* DeviceInfoReportTest is a unit test class for DeviceInfoReports.
*/
public class DeviceInfoReportTest {
private final NetworkInfo networkInfo = createTestNetworkInfo();
private final OSInfo osInfo = createTestOSInfo();
private final FirmwareInfo firmwareInfo = createTestFirmwareInfo();
private final HardwareInfo hardwareInfo = createTestHardwareInfo();
private final TPMInfo tpmInfo = createTPMInfo();
private static final String TEST_IDENTITY_CERT = "/tpm/sample_identity_cert.cer";
private static final Logger LOGGER = LogManager.getLogger(DeviceInfoReportTest.class);
private static final String EXPECTED_CLIENT_VERSION = "Test.Version";
/**
* Tests instantiation of a DeviceInfoReport.
*/
@Test
public final void deviceInfoReport() {
new DeviceInfoReport(networkInfo, osInfo, firmwareInfo, hardwareInfo, tpmInfo);
}
/**
* Tests that NetworkInfo cannot be null.
*/
@Test
public final void networkInfoNull() {
assertThrows(NullPointerException.class, () ->
new DeviceInfoReport(null, osInfo, firmwareInfo, hardwareInfo, tpmInfo));
}
/**
* Tests that OSInfo cannot be null.
*/
@Test
public final void osInfoNull() {
assertThrows(NullPointerException.class, () ->
new DeviceInfoReport(networkInfo, null, firmwareInfo, hardwareInfo, tpmInfo));
}
/**
* Tests that FirmwareInfo cannot be null.
*/
@Test
public final void firmwareInfoNull() {
assertThrows(NullPointerException.class, () ->
new DeviceInfoReport(networkInfo, osInfo, null, hardwareInfo, tpmInfo));
}
/**
* Tests that HardwareInfo cannot be null.
*/
@Test
public final void hardwareInfoNull() {
assertThrows(NullPointerException.class, () ->
new DeviceInfoReport(networkInfo, osInfo, firmwareInfo, null, tpmInfo));
}
/**
* Tests that TPMInfo may be null.
*/
@Test
public final void tpmInfoNull() {
new DeviceInfoReport(networkInfo, osInfo, firmwareInfo, hardwareInfo, null);
}
/**
* Tests that the getters for DeviceInfoReport work as expected.
*/
@Test
public final void testGetters() {
DeviceInfoReport deviceInfoReport =
new DeviceInfoReport(networkInfo, osInfo, firmwareInfo, hardwareInfo, tpmInfo);
assertEquals(networkInfo, deviceInfoReport.getNetworkInfo());
assertEquals(osInfo, deviceInfoReport.getOSInfo());
assertEquals(firmwareInfo, deviceInfoReport.getFirmwareInfo());
assertEquals(hardwareInfo, deviceInfoReport.getHardwareInfo());
assertEquals(tpmInfo, deviceInfoReport.getTpmInfo());
assertEquals(EXPECTED_CLIENT_VERSION, deviceInfoReport.getClientApplicationVersion());
}
/**
* Creates a DeviceInfoReport instance usable for testing.
*
* @return a test DeviceInfoReport
*/
public static DeviceInfoReport getTestReport() {
return new DeviceInfoReport(
createTestNetworkInfo(), createTestOSInfo(), createTestFirmwareInfo(),
createTestHardwareInfo(), createTPMInfo()
);
}
/**
* Creates a test instance of NetworkInfo.
*
* @return network information for a fake device
*/
public static NetworkInfo createTestNetworkInfo() {
try {
final String hostname = "test.hostname";
final InetAddress ipAddress =
InetAddress.getByAddress(new byte[] {127, 0, 0, 1});
final byte[] macAddress = new byte[] {11, 22, 33, 44, 55, 66};
return new NetworkInfo(hostname, ipAddress, macAddress);
} catch (UnknownHostException e) {
LOGGER.error("error occurred while creating InetAddress");
return null;
}
}
/**
* Creates a test instance of OSInfo.
*
* @return OS information for a fake device
*/
public static OSInfo createTestOSInfo() {
return new OSInfo("test os name", "test os version", "test os arch",
"test distribution", "test distribution release");
}
/**
* Creates a test instance of FirmwareInfo.
*
* @return Firmware information for a fake device
*/
public static FirmwareInfo createTestFirmwareInfo() {
return new FirmwareInfo("test bios vendor", "test bios version", "test bios release date");
}
/**
* Creates a test instance of HardwareInfo.
*
* @return Hardware information for a fake device
*/
public static HardwareInfo createTestHardwareInfo() {
return new HardwareInfo("test manufacturer", "test product name", "test version",
"test really long serial number with many characters", "test really long chassis "
+ "serial number with many characters",
"test really long baseboard serial number with many characters");
}
/**
* Creates a test instance of TPMInfo.
*
* @return TPM information for a fake device
*/
public static final TPMInfo createTPMInfo() {
final short num1 = 1;
final short num2 = 2;
final short num3 = 3;
final short num4 = 4;
return new TPMInfo("test os make", num1, num2, num3, num4,
getTestIdentityCertificate());
}
private static X509Certificate getTestIdentityCertificate() {
X509Certificate certificateValue = null;
InputStream istream = null;
istream = DeviceInfoReportTest.class.getResourceAsStream(
TEST_IDENTITY_CERT
);
try {
if (istream == null) {
throw new FileNotFoundException(TEST_IDENTITY_CERT);
}
CertificateFactory cf = CertificateFactory.getInstance("X.509");
certificateValue = (X509Certificate) cf.generateCertificate(
istream);
} catch (Exception e) {
return null;
} finally {
if (istream != null) {
try {
istream.close();
} catch (IOException e) {
LOGGER.error("test certificate file could not be closed");
}
}
}
return certificateValue;
}
}

1
HIRS_AttestationCA/src/test/resources/VERSION Normal file
View File

@ -0,0 +1 @@
Test.Version

2
HIRS_AttestationCAPortal/build.gradle
View File

@ -104,6 +104,8 @@ ospackage {
postInstall '/opt/hirs/aca/scripts/aca/aca_bootRun.sh -w &'
postInstall 'chmod +x /opt/hirs/aca/scripts/aca/*'
postInstall 'bash /opt/hirs/aca/scripts/aca/check_for_aca.sh'
postInstall 'mkdir -p /etc/hirs/aca && touch /etc/hirs/aca/VERSION'
postInstall "echo ${jarVersion} > /etc/hirs/aca/VERSION"
// Uninstall
preUninstall 'bash /opt/hirs/aca/scripts/aca/aca_remove_setup.sh'

5
HIRS_AttestationCAPortal/config/spotbugs/spotbugs-exclude.xml
View File

@ -9,10 +9,5 @@
<Bug pattern="CT_CONSTRUCTOR_THROW" />
</Match>
<!-- <Match>-->
<!-- &lt;!&ndash; To suppress false warnings in unit-tests for lambdas not using return values. &ndash;&gt;-->
<!-- <Package name="~com\.company\.service\.interfaces\.types\.contacts"/>-->
<!-- <Bug pattern="RV_RETURN_VALUE_IGNORED"/>-->
<!-- </Match>-->
</FindBugsFilter>

6
HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/utils/CertificateStringMapBuilder.java
View File

@ -480,7 +480,11 @@ public final class CertificateStringMapBuilder {
// add endorsement credential ID if not null
if (certificate.getEndorsementCredential() != null) {
EndorsementCredential ek = certificate.getEndorsementCredential();
data.put("endorsementID", ek.getId().toString());
if (ek.getId() != null) {
data.put("endorsementID", ek.getId().toString());
} else {
data.put("endorsementID", "0");
}
// Add hashmap with TPM information if available
if (ek.getTpmSpecification() != null) {
data.putAll(

14
HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/controllers/CertificateDetailsPageControllerTest.java
View File

@ -13,8 +13,12 @@ import hirs.attestationca.portal.page.Page;
import hirs.attestationca.portal.page.PageController;
import hirs.attestationca.portal.page.PageControllerTest;
import java.io.IOException;
import java.util.*;
import java.security.Security;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
@ -314,8 +318,8 @@ public class CertificateDetailsPageControllerTest extends PageControllerTest {
*
* @throws Exception if an exception occurs
*/
@Test
@Rollback
// @Test
// @Rollback
@SuppressWarnings("unchecked")
public void testInitPagePlatform20PCI() throws Exception {
@ -435,7 +439,7 @@ public class CertificateDetailsPageControllerTest extends PageControllerTest {
.getModel()
.get(PolicyPageController.INITIAL_DATA);
assertEquals(issuedCredential.getIssuer(), initialData.get("issuer"));
assertEquals(issuedCredential.getEndorsementCredential().getId().toString(),
initialData.get("endorsementID"));
//assertEquals(issuedCredential.getEndorsementCredential().getId().toString(),
// initialData.get("endorsementID"));
}
}

201
HIRS_Provisioner.NET/.editorconfig Normal file
View File

@ -0,0 +1,201 @@
# Remove the line below if you want to inherit .editorconfig settings from higher directories
root = true
# C# files
[*.cs]
#### Core EditorConfig Options ####
# Indentation and spacing
indent_size = 4
indent_style = space
tab_width = 4
# New line preferences
end_of_line = crlf
insert_final_newline = false
#### .NET Coding Conventions ####
# Organize usings
dotnet_separate_import_directive_groups = false
dotnet_sort_system_directives_first = false
file_header_template = unset
# this. and Me. preferences
dotnet_style_qualification_for_event = false:silent
dotnet_style_qualification_for_field = false:silent
dotnet_style_qualification_for_method = false:silent
dotnet_style_qualification_for_property = false:silent
# Language keywords vs BCL types preferences
dotnet_style_predefined_type_for_locals_parameters_members = true:silent
dotnet_style_predefined_type_for_member_access = true:silent
# Parentheses preferences
dotnet_style_parentheses_in_arithmetic_binary_operators = always_for_clarity:silent
dotnet_style_parentheses_in_other_binary_operators = always_for_clarity:silent
dotnet_style_parentheses_in_other_operators = never_if_unnecessary:silent
dotnet_style_parentheses_in_relational_binary_operators = always_for_clarity:silent
# Modifier preferences
dotnet_style_require_accessibility_modifiers = for_non_interface_members:silent
# Expression-level preferences
dotnet_style_coalesce_expression = true:suggestion
dotnet_style_collection_initializer = true:suggestion
dotnet_style_explicit_tuple_names = true:suggestion
dotnet_style_null_propagation = true:suggestion
dotnet_style_object_initializer = true:suggestion
dotnet_style_operator_placement_when_wrapping = beginning_of_line
dotnet_style_prefer_auto_properties = true:silent
dotnet_style_prefer_compound_assignment = true:suggestion
dotnet_style_prefer_conditional_expression_over_assignment = true:silent
dotnet_style_prefer_conditional_expression_over_return = true:silent
dotnet_style_prefer_inferred_anonymous_type_member_names = true:suggestion
dotnet_style_prefer_inferred_tuple_names = true:suggestion
dotnet_style_prefer_is_null_check_over_reference_equality_method = true:suggestion
dotnet_style_prefer_simplified_boolean_expressions = true:suggestion
dotnet_style_prefer_simplified_interpolation = true:suggestion
# Field preferences
dotnet_style_readonly_field = true:suggestion
# Parameter preferences
dotnet_code_quality_unused_parameters = all:suggestion
#### C# Coding Conventions ####
# var preferences
csharp_style_var_elsewhere = false:silent
csharp_style_var_for_built_in_types = false:silent
csharp_style_var_when_type_is_apparent = false:silent
# Expression-bodied members
csharp_style_expression_bodied_accessors = true:silent
csharp_style_expression_bodied_constructors = false:silent
csharp_style_expression_bodied_indexers = true:silent
csharp_style_expression_bodied_lambdas = true:silent
csharp_style_expression_bodied_local_functions = false:silent
csharp_style_expression_bodied_methods = false:silent
csharp_style_expression_bodied_operators = false:silent
csharp_style_expression_bodied_properties = true:silent
# Pattern matching preferences
csharp_style_pattern_matching_over_as_with_null_check = true:suggestion
csharp_style_pattern_matching_over_is_with_cast_check = true:suggestion
csharp_style_prefer_switch_expression = true:suggestion
# Null-checking preferences
csharp_style_conditional_delegate_call = true:suggestion
# Modifier preferences
csharp_prefer_static_local_function = true:suggestion
csharp_preferred_modifier_order = public,private,protected,internal,static,extern,new,virtual,abstract,sealed,override,readonly,unsafe,volatile,async:silent
# Code-block preferences
csharp_prefer_braces = true:silent
csharp_prefer_simple_using_statement = true:suggestion
# Expression-level preferences
csharp_prefer_simple_default_expression = true:suggestion
csharp_style_deconstructed_variable_declaration = true:suggestion
csharp_style_inlined_variable_declaration = true:suggestion
csharp_style_pattern_local_over_anonymous_function = true:suggestion
csharp_style_prefer_index_operator = true:suggestion
csharp_style_prefer_range_operator = true:suggestion
csharp_style_throw_expression = true:suggestion
csharp_style_unused_value_assignment_preference = discard_variable:suggestion
csharp_style_unused_value_expression_statement_preference = discard_variable:silent
# 'using' directive preferences
csharp_using_directive_placement = outside_namespace:silent
#### C# Formatting Rules ####
# New line preferences
csharp_new_line_before_catch = false
csharp_new_line_before_else = false
csharp_new_line_before_finally = false
csharp_new_line_before_members_in_anonymous_types = true
csharp_new_line_before_members_in_object_initializers = true
csharp_new_line_before_open_brace = none
csharp_new_line_between_query_expression_clauses = true
# Indentation preferences
csharp_indent_block_contents = true
csharp_indent_braces = false
csharp_indent_case_contents = true
csharp_indent_case_contents_when_block = true
csharp_indent_labels = one_less_than_current
csharp_indent_switch_labels = true
# Space preferences
csharp_space_after_cast = false
csharp_space_after_colon_in_inheritance_clause = true
csharp_space_after_comma = true
csharp_space_after_dot = false
csharp_space_after_keywords_in_control_flow_statements = true
csharp_space_after_semicolon_in_for_statement = true
csharp_space_around_binary_operators = before_and_after
csharp_space_around_declaration_statements = false
csharp_space_before_colon_in_inheritance_clause = true
csharp_space_before_comma = false
csharp_space_before_dot = false
csharp_space_before_open_square_brackets = false
csharp_space_before_semicolon_in_for_statement = false
csharp_space_between_empty_square_brackets = false
csharp_space_between_method_call_empty_parameter_list_parentheses = false
csharp_space_between_method_call_name_and_opening_parenthesis = false
csharp_space_between_method_call_parameter_list_parentheses = false
csharp_space_between_method_declaration_empty_parameter_list_parentheses = false
csharp_space_between_method_declaration_name_and_open_parenthesis = false
csharp_space_between_method_declaration_parameter_list_parentheses = false
csharp_space_between_parentheses = false
csharp_space_between_square_brackets = false
# Wrapping preferences
csharp_preserve_single_line_blocks = false
csharp_preserve_single_line_statements = false
#### Naming styles ####
# Naming rules
dotnet_naming_rule.interface_should_be_begins_with_i.severity = suggestion
dotnet_naming_rule.interface_should_be_begins_with_i.symbols = interface
dotnet_naming_rule.interface_should_be_begins_with_i.style = begins_with_i
dotnet_naming_rule.types_should_be_pascal_case.severity = suggestion
dotnet_naming_rule.types_should_be_pascal_case.symbols = types
dotnet_naming_rule.types_should_be_pascal_case.style = pascal_case
dotnet_naming_rule.non_field_members_should_be_pascal_case.severity = suggestion
dotnet_naming_rule.non_field_members_should_be_pascal_case.symbols = non_field_members
dotnet_naming_rule.non_field_members_should_be_pascal_case.style = pascal_case
# Symbol specifications
dotnet_naming_symbols.interface.applicable_kinds = interface
dotnet_naming_symbols.interface.applicable_accessibilities = public, internal, private, protected, protected_internal, private_protected
dotnet_naming_symbols.interface.required_modifiers =
dotnet_naming_symbols.types.applicable_kinds = class, struct, interface, enum
dotnet_naming_symbols.types.applicable_accessibilities = public, internal, private, protected, protected_internal, private_protected
dotnet_naming_symbols.types.required_modifiers =
dotnet_naming_symbols.non_field_members.applicable_kinds = property, event, method
dotnet_naming_symbols.non_field_members.applicable_accessibilities = public, internal, private, protected, protected_internal, private_protected
dotnet_naming_symbols.non_field_members.required_modifiers =
# Naming styles
dotnet_naming_style.pascal_case.required_prefix =
dotnet_naming_style.pascal_case.required_suffix =
dotnet_naming_style.pascal_case.word_separator =
dotnet_naming_style.pascal_case.capitalization = pascal_case
dotnet_naming_style.begins_with_i.required_prefix = I
dotnet_naming_style.begins_with_i.required_suffix =
dotnet_naming_style.begins_with_i.word_separator =
dotnet_naming_style.begins_with_i.capitalization = pascal_case

158
HIRS_Provisioner.NET/hirs.sln Normal file
View File

@ -0,0 +1,158 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.1.32421.90
MinimumVisualStudioVersion = 10.0.40219.1
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "hirs", "hirs\HIRS_Provisioner.NET.csproj", "{300FF15E-1E10-4586-843D-D652BA40DEE5}"
EndProject
Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{E61D6E28-B993-436D-AA88-165857AAEEC0}"
ProjectSection(SolutionItems) = preProject
.editorconfig = .editorconfig
EndProjectSection
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "hirsTest", "hirsTest\hirsTest.csproj", "{C6458436-D548-428C-B250-23E3084F74FC}"
EndProject
Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "pcrextend", "tools\pcrextend\pcrextend.csproj", "{2D518622-5C95-4180-87CE-9F730B2714AD}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Debug|ARM = Debug|ARM
Debug|ARM64 = Debug|ARM64
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|Any CPU = Release|Any CPU
Release|ARM = Release|ARM
Release|ARM64 = Release|ARM64
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Debug|Any CPU.Build.0 = Debug|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Debug|ARM.ActiveCfg = Debug|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Debug|ARM.Build.0 = Debug|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Debug|ARM64.ActiveCfg = Debug|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Debug|ARM64.Build.0 = Debug|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Debug|x64.ActiveCfg = Debug|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Debug|x64.Build.0 = Debug|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Debug|x86.ActiveCfg = Debug|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Debug|x86.Build.0 = Debug|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Release|Any CPU.ActiveCfg = Release|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Release|Any CPU.Build.0 = Release|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Release|ARM.ActiveCfg = Release|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Release|ARM.Build.0 = Release|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Release|ARM64.ActiveCfg = Release|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Release|ARM64.Build.0 = Release|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Release|x64.ActiveCfg = Release|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Release|x64.Build.0 = Release|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Release|x86.ActiveCfg = Release|Any CPU
{300FF15E-1E10-4586-843D-D652BA40DEE5}.Release|x86.Build.0 = Release|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Debug|Any CPU.Build.0 = Debug|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Debug|ARM.ActiveCfg = Debug|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Debug|ARM.Build.0 = Debug|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Debug|ARM64.ActiveCfg = Debug|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Debug|ARM64.Build.0 = Debug|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Debug|x64.ActiveCfg = Debug|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Debug|x64.Build.0 = Debug|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Debug|x86.ActiveCfg = Debug|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Debug|x86.Build.0 = Debug|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Release|Any CPU.ActiveCfg = Release|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Release|Any CPU.Build.0 = Release|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Release|ARM.ActiveCfg = Release|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Release|ARM.Build.0 = Release|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Release|ARM64.ActiveCfg = Release|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Release|ARM64.Build.0 = Release|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Release|x64.ActiveCfg = Release|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Release|x64.Build.0 = Release|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Release|x86.ActiveCfg = Release|Any CPU
{C6458436-D548-428C-B250-23E3084F74FC}.Release|x86.Build.0 = Release|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Debug|Any CPU.Build.0 = Debug|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Debug|ARM.ActiveCfg = Debug|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Debug|ARM.Build.0 = Debug|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Debug|ARM64.ActiveCfg = Debug|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Debug|ARM64.Build.0 = Debug|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Debug|x64.ActiveCfg = Debug|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Debug|x64.Build.0 = Debug|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Debug|x86.ActiveCfg = Debug|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Debug|x86.Build.0 = Debug|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Release|Any CPU.ActiveCfg = Release|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Release|Any CPU.Build.0 = Release|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Release|ARM.ActiveCfg = Release|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Release|ARM.Build.0 = Release|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Release|ARM64.ActiveCfg = Release|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Release|ARM64.Build.0 = Release|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Release|x64.ActiveCfg = Release|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Release|x64.Build.0 = Release|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Release|x86.ActiveCfg = Release|Any CPU
{2D518622-5C95-4180-87CE-9F730B2714AD}.Release|x86.Build.0 = Release|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Debug|Any CPU.Build.0 = Debug|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Debug|ARM.ActiveCfg = Debug|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Debug|ARM.Build.0 = Debug|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Debug|ARM64.ActiveCfg = Debug|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Debug|ARM64.Build.0 = Debug|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Debug|x64.ActiveCfg = Debug|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Debug|x64.Build.0 = Debug|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Debug|x86.ActiveCfg = Debug|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Debug|x86.Build.0 = Debug|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Release|Any CPU.ActiveCfg = Release|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Release|Any CPU.Build.0 = Release|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Release|ARM.ActiveCfg = Release|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Release|ARM.Build.0 = Release|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Release|ARM64.ActiveCfg = Release|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Release|ARM64.Build.0 = Release|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Release|x64.ActiveCfg = Release|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Release|x64.Build.0 = Release|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Release|x86.ActiveCfg = Release|Any CPU
{08A014E3-3E70-4E8B-9870-5000F3429E9F}.Release|x86.Build.0 = Release|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Debug|Any CPU.Build.0 = Debug|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Debug|ARM.ActiveCfg = Debug|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Debug|ARM.Build.0 = Debug|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Debug|ARM64.ActiveCfg = Debug|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Debug|ARM64.Build.0 = Debug|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Debug|x64.ActiveCfg = Debug|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Debug|x64.Build.0 = Debug|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Debug|x86.ActiveCfg = Debug|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Debug|x86.Build.0 = Debug|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Release|Any CPU.ActiveCfg = Release|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Release|Any CPU.Build.0 = Release|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Release|ARM.ActiveCfg = Release|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Release|ARM.Build.0 = Release|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Release|ARM64.ActiveCfg = Release|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Release|ARM64.Build.0 = Release|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Release|x64.ActiveCfg = Release|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Release|x64.Build.0 = Release|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Release|x86.ActiveCfg = Release|Any CPU
{34463663-1DEF-46FB-99AC-D8FABB71E7F0}.Release|x86.Build.0 = Release|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Debug|Any CPU.Build.0 = Debug|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Debug|ARM.ActiveCfg = Debug|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Debug|ARM.Build.0 = Debug|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Debug|ARM64.ActiveCfg = Debug|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Debug|ARM64.Build.0 = Debug|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Debug|x64.ActiveCfg = Debug|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Debug|x64.Build.0 = Debug|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Debug|x86.ActiveCfg = Debug|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Debug|x86.Build.0 = Debug|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Release|Any CPU.ActiveCfg = Release|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Release|Any CPU.Build.0 = Release|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Release|ARM.ActiveCfg = Release|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Release|ARM.Build.0 = Release|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Release|ARM64.ActiveCfg = Release|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Release|ARM64.Build.0 = Release|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Release|x64.ActiveCfg = Release|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Release|x64.Build.0 = Release|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Release|x86.ActiveCfg = Release|Any CPU
{540546BE-36E3-4C3A-B84B-70A4F0393546}.Release|x86.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {6F78678F-F528-4DE8-BC2A-71FA403D68B8}
EndGlobalSection
EndGlobal

44
HIRS_Provisioner.NET/hirs/Directory.Build.targets Normal file
View File

@ -0,0 +1,44 @@
<Project>
<Target Name="RenameBeforePublishLinux" BeforeTargets="CreatePackageProperties" Condition="$(RuntimeIdentifier.Contains('linux'))">
<PropertyGroup>
<SymlinkAppHostInBin Condition="'$(SymlinkAppHostInBin)' == ''">false</SymlinkAppHostInBin> <!-- If true, this will place a symlink in /usr/local/bin/, which is not on $PATH for root by default. We need the symlink in /bin or /sbin -->
</PropertyGroup>
<Move SourceFiles="$(OUTDIR)publish\$(AssemblyName)" DestinationFiles="$(OUTDIR)publish\tpm_aca_provision" />
<Message Text="Renamed linux binary file." Importance="high" />
<PropertyGroup>
<Prefix>/usr/share/hirs</Prefix>
<PostInstallScript>/usr/bin/chmod 644 /usr/share/hirs/appsettings.json; /usr/bin/ln -s /usr/share/hirs/tpm_aca_provision /usr/bin/tpm_aca_provision</PostInstallScript>
<PostRemoveScript>rm -f /usr/bin/tpm_aca_provision; rm -rf /usr/share/hirs</PostRemoveScript>
</PropertyGroup>
<Message Text="Set installed directory prefix to $(PREFIX)." Importance="high" />
</Target>
<Target Name="RenameBeforePublishWindows" BeforeTargets="SetWixPath" Condition="$(RuntimeIdentifier.Contains('win'))">
<Move SourceFiles="$(OUTDIR)publish\$(AssemblyName).exe" DestinationFiles="$(OUTDIR)publish\tpm_aca_provision.exe" />
<Message Text="Renamed exe binary file." Importance="high" />
</Target>
<Target Name="SetWixPath" BeforeTargets="Msi">
<PropertyGroup>
<ProductSourceFilePath>$(MSBuildThisFileDirectory)\Resources\Product.wxs</ProductSourceFilePath>
<WixInstallPath>$(NuGetPackageRoot)wix\3.11.2\tools\</WixInstallPath>
<Heat>$(WixInstallPath)heat.exe</Heat>
<Candle>$(WixInstallPath)candle.exe</Candle>
<Light>$(WixInstallPath)light.exe</Light>
</PropertyGroup>
</Target>
<Target Name="DeletePDB" AfterTargets="RenameBeforePublishLinux;RenameBeforePublishWindows">
<ItemGroup>
<PDBToDelete Include="$(PublishDir)*.pdb"/>
</ItemGroup>
<Delete Files="@(PDBToDelete)" />
<Message Text="Deleted PDB files." Importance="high" />
</Target>
<Target Name="CopyFiles" AfterTargets="DeletePDB">
<ItemGroup>
<PaccorScriptsDll Include="$(OUTDIR)paccor_scripts.dll"/>
</ItemGroup>
<Copy
SourceFiles="@(PaccorScriptsDll)"
DestinationFolder="$(PublishDir)plugins"
/>
</Target>
</Project>

102
HIRS_Provisioner.NET/hirs/HIRS_Provisioner.NET.csproj Normal file
View File

@ -0,0 +1,102 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net6.0</TargetFramework>
<RuntimeIdentifiers>linux-x64;win-x64</RuntimeIdentifiers>
<StartupObject>hirs.Program</StartupObject>
<PublishSingleFile>true</PublishSingleFile>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<PackageVersion>2.2.0</PackageVersion>
<Release></Release>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
<DefineConstants>DEBUG;TRACE</DefineConstants>
<WarningLevel>0</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
<DefineConstants>TRACE</DefineConstants>
<WarningLevel>0</WarningLevel>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="CommandLineParser" Version="2.9.1" />
<PackageReference Include="Google.Protobuf" Version="3.20.1" />
<PackageReference Include="Google.Protobuf.Tools" Version="3.20.1">
<PrivateAssets>all</PrivateAssets> <!-- These assets will be consumed but won't flow to the parent project -->
</PackageReference>
<PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="6.0.0" />
<PackageReference Include="Microsoft.TSS" Version="2.1.1" />
<PackageReference Include="Mono.Posix.NETStandard" Version="1.0.0" />
<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
<PackageReference Include="paccor.HardwareManifestPlugin" Version="1.0.0" />
<PackageReference Include="paccor.HardwareManifestPluginManager" Version="1.0.0" />
<PackageReference Include="paccor.paccor_scripts" Version="1.0.1" />
<PackageReference Include="Packaging.Targets" Version="0.1.220">
<PrivateAssets>all</PrivateAssets> <!-- These assets will be consumed but won't flow to the parent project -->
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
</PackageReference>
<PackageReference Include="Serilog" Version="2.11.0" />
<PackageReference Include="Serilog.Settings.Configuration" Version="3.3.0" />
<PackageReference Include="Serilog.Sinks.Console" Version="4.0.1" />
<PackageReference Include="Serilog.Sinks.File" Version="5.0.0" />
<PackageReference Include="System.Management" Version="6.0.0" />
<PackageReference Include="System.Security.Principal.Windows" Version="5.0.0" />
<PackageReference Include="WiX" Version="3.11.2">
<PrivateAssets>all</PrivateAssets> <!-- These assets will be consumed but won't flow to the parent project -->
</PackageReference>
</ItemGroup>
<ItemGroup>
<Protobuf Include="**/*.proto" />
</ItemGroup>
<ItemGroup>
<None Update="appsettings.json">
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
<ExcludeFromSingleFile>true</ExcludeFromSingleFile>
</None>
</ItemGroup>
<Target Name="BuildProto" BeforeTargets="PreBuildEvent">
<PropertyGroup>
<FOLDER_PROTO>$(ProjectDir)Resources</FOLDER_PROTO>
<FOLDER_OUT>$(ProjectDir)generated</FOLDER_OUT>
</PropertyGroup>
<PropertyGroup>
<protoc Condition="'$([System.Runtime.InteropServices.RuntimeInformation]::IsOSPlatform($([System.Runtime.InteropServices.OSPlatform]::Linux)))' And '$([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture)'=='X64'">$(protoc_linux64)</protoc>
<protoc Condition="'$([System.Runtime.InteropServices.RuntimeInformation]::IsOSPlatform($([System.Runtime.InteropServices.OSPlatform]::Linux)))' And '$([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture)'=='X86'">$(protoc_linux86)</protoc>
<protoc Condition="'$([System.Runtime.InteropServices.RuntimeInformation]::IsOSPlatform($([System.Runtime.InteropServices.OSPlatform]::OSX)))' And '$([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture)'=='X64'">$(protoc_macosx64)</protoc>
<protoc Condition="'$([System.Runtime.InteropServices.RuntimeInformation]::IsOSPlatform($([System.Runtime.InteropServices.OSPlatform]::OSX)))' And '$([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture)'=='X86'">$(protoc_macosx86)</protoc>
<protoc Condition="'$([System.Runtime.InteropServices.RuntimeInformation]::IsOSPlatform($([System.Runtime.InteropServices.OSPlatform]::Windows)))' And '$([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture)'=='X64'">$(protoc_windows64)</protoc>
<protoc Condition="'$([System.Runtime.InteropServices.RuntimeInformation]::IsOSPlatform($([System.Runtime.InteropServices.OSPlatform]::Windows)))' And '$([System.Runtime.InteropServices.RuntimeInformation]::OSArchitecture)'=='X86'">$(protoc_windows86)</protoc>
</PropertyGroup>
<ItemGroup>
<Compile Condition="!Exists('$(FOLDER_OUT)')" Include="generated/ProvisionerTpm2.cs" /> <!-- Necessary to include the proto file(s) compiled during this prebuild phase, if they didn't exist before. CANNOT use wildcards! -->
</ItemGroup>
<Exec Condition="!Exists('$(FOLDER_OUT)')" Command="mkdir $(FOLDER_OUT)" />
<Exec Condition="'$([System.Runtime.InteropServices.RuntimeInformation]::IsOSPlatform($([System.Runtime.InteropServices.OSPlatform]::Windows)))'" Command="for /f %%i in ('dir /s /b $(FOLDER_PROTO)\*.proto') do ( $(protoc) -I=$(FOLDER_PROTO) --csharp_out=$(FOLDER_OUT) %%i )" />
<Exec Condition="'$([System.Runtime.InteropServices.RuntimeInformation]::IsOSPlatform($([System.Runtime.InteropServices.OSPlatform]::Linux)))'" Command="for file in `ls -1R $(FOLDER_PROTO)/*.proto` ; do $(protoc) -I=$(FOLDER_PROTO) --csharp_out=$(FOLDER_OUT) $file; done " />
</Target>
<Import Project="$(NuGetPackageRoot)paccor.paccor_scripts/1.0.1/contentFiles/any/net6.0/resources/paccor.paccor_scripts.targets" Condition="Exists('$(NuGetPackageRoot)paccor.paccor_scripts/1.0.1/contentFiles/any/net6.0/resources/paccor.paccor_scripts.targets')" />
<Target Name="ImportPaccorScripts" BeforeTargets="PreBuildEvent">
<ItemGroup>
<PaccorScriptsLinux Include="$(dotnet_paccor_scripts_directory)/*" />
<PaccorScriptsWindows Include="$(dotnet_paccor_scripts_windows_directory)/*" />
</ItemGroup>
<Message Text="Adding files to plugins/scripts: @(PaccorScriptsLinux)" Importance="high" />
<Message Text="Adding files to plugins/scripts/windows: @(PaccorScriptsWindows)" Importance="high" />
<Copy SourceFiles="@(PaccorScriptsLinux)" DestinationFolder="$(ProjectDir)/plugins/scripts/" />
<Copy SourceFiles="@(PaccorScriptsWindows)" DestinationFolder="$(ProjectDir)/plugins/scripts/windows/" />
<ItemGroup>
<Content Include="plugins\**\*.*">
<CopyToOutputDirectory>Always</CopyToOutputDirectory>
<CopyToPublishDirectory>Always</CopyToPublishDirectory>
<ExcludeFromSingleFile>true</ExcludeFromSingleFile>
</Content>
</ItemGroup>
</Target>
</Project>

35
HIRS_Provisioner.NET/hirs/Resources/Product.wxs Normal file
View File

@ -0,0 +1,35 @@
<?xml version="1.0" encoding="UTF-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
<Product Id="*" Name="$(var.SetupProductName)" Manufacturer="$(var.SetupProductManufacturer)" Language="$(var.SetupProductLanguage)" Version="$(var.SetupProductVersion)">
<Package InstallerVersion="200" Compressed="yes" InstallScope="perMachine" />
<!--
Because we don't have a way (yet) to create unique product codes, we can't include the MajorUpgrade element, either
<MajorUpgrade DowngradeErrorMessage="A newer version of [ProductName] is already installed." />
-->
<MediaTemplate EmbedCab="yes" />
<Feature Id="$(var.SetupFeatureId)" Title="$(var.SetupFeatureName)" Level="1">
<ComponentGroupRef Id="ProductComponents" />
<Component Directory='INSTALLFOLDER'>
<RegistryValue Root='HKLM' Key='Software\HIRS' Name='InstallFolder' Value='[INSTALLFOLDER]' Type='string' />
<Environment Id='UpdatePath' Name='PATH' Action='set' System='yes' Part='last' Value='[INSTALLFOLDER]' />
</Component>
</Feature>
</Product>
<Fragment>
<Directory Id="TARGETDIR" Name="SourceDir">
<Directory Id="ProgramFilesFolder">
<Directory Id="INSTALLFOLDER" Name="$(var.SetupInstallFolderName)" />
</Directory>
</Directory>
</Fragment>
<Fragment>
<ComponentGroup Id="ProductComponents" Directory="INSTALLFOLDER">
<ComponentGroupRef Id="SourceComponentGroup" />
</ComponentGroup>
</Fragment>
</Wix>

100
HIRS_Provisioner.NET/hirs/Resources/ProvisionerTpm2.proto Normal file
View File

@ -0,0 +1,100 @@
syntax = "proto2";
package hirs.pb;
option java_package="hirs.attestationca.configuration.provisionerTpm2";
message FirmwareInfo {
required string biosVendor = 1;
required string biosVersion = 2;
required string biosReleaseDate = 3;
}
message HardwareInfo {
required string manufacturer = 1;
required string productName = 2;
required string productVersion = 3;
required string systemSerialNumber = 4;
repeated ComponentInfo chassisInfo = 5;
repeated ComponentInfo baseboardInfo = 6;
repeated ComponentInfo processorInfo = 7;
repeated ComponentInfo biosOrUefiInfo = 8;
repeated ComponentInfo nicInfo = 9;
repeated ComponentInfo hardDriveInfo = 10;
repeated ComponentInfo memoryInfo = 11;
}
message ComponentInfo {
required string manufacturer = 1;
required string model = 2;
optional string serialNumber = 3;
optional string revision = 4;
}
message NetworkInfo {
required string hostname = 1;
required string ipAddress = 2;
required string macAddress = 3;
}
message OsInfo {
required string osName = 1;
required string osVersion = 2;
required string osArch = 3;
required string distribution = 4;
required string distributionRelease = 5;
}
message TpmInfo {
required string tpmMake = 1;
required string tpmVersionMajor = 2;
required string tpmVersionMinor = 3;
required string tpmRevMajor = 4;
required string tpmRevMinor = 5;
}
message DeviceInfo {
required FirmwareInfo fw = 1;
required HardwareInfo hw = 2;
required NetworkInfo nw = 3;
required OsInfo os = 4;
optional bytes pcrslist = 5;
repeated bytes logfile = 6;
repeated bytes swidfile = 7;
optional bytes livelog = 8;
}
message IdentityClaim {
required DeviceInfo dv = 1;
required bytes ak_public_area = 2;
required bytes ek_public_area = 3;
optional bytes endorsement_credential = 4;
repeated bytes platform_credential = 5;
optional string client_version = 6;
optional string paccorOutput = 7;
}
message TpmQuote {
required string success = 1;
}
enum ResponseStatus {
PASS = 0;
FAIL = 1;
}
message IdentityClaimResponse {
optional bytes credential_blob = 1;
optional string pcr_mask = 2;
optional ResponseStatus status = 3 [default = FAIL];
}
message CertificateRequest {
required bytes nonce = 1;
optional bytes quote = 2;
}
message CertificateResponse {
optional bytes certificate = 1;
optional ResponseStatus status = 2 [default = FAIL];
}

38
HIRS_Provisioner.NET/hirs/appsettings.json Normal file
View File

@ -0,0 +1,38 @@
{
"auto_detect_tpm": "TRUE",
"aca_address_port": "https://127.0.0.1:8443",
"efi_prefix": "",
"paccor_output_file": "",
"event_log_file": "",
"hardware_manifest_collectors": "paccor_scripts",
"Serilog": {
"Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
"Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
"MinimumLevel": {
"Default": "Debug",
"Override": {
"Microsoft": "Warning",
"System": "Warning"
}
},
"WriteTo": [
{
"Name": "Console",
"Args": {
"outputTemplate": "{Message}{NewLine}",
"theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console",
"restrictedToMinimumLevel": "Information"
}
},
{
"Name": "File",
"Args": {
"path": "hirs.log",
"rollingInterval": "Day",
"retainedFileCountLimit": 5
}
}
]
}
}

69
HIRS_Provisioner.NET/hirs/src/Program.cs Normal file
View File

@ -0,0 +1,69 @@
using CommandLine;
using Serilog;
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading.Tasks;
namespace hirs {
class Program {
public static readonly string VERSION = "17";
static async Task<int> Main(string[] args) {
ClientExitCodes result = 0;
try {
Settings settings = Settings.LoadSettingsFromDefaultFile();
settings.SetUpLog();
Log.Information("Starting hirs version " + VERSION);
if (!IsRunningAsAdmin()) {
result = ClientExitCodes.NOT_PRIVILEGED;
Log.Warning("The HIRS provisioner is not running as administrator.");
}
settings.CompleteSetUp();
CLI cli = new();
Log.Debug("Parsing CLI args.");
ParserResult<CLI> cliParseResult =
CommandLine.Parser.Default.ParseArguments<CLI>(args)
.WithParsed(parsed => cli = parsed)
.WithNotParsed(HandleParseError);
if (cliParseResult.Tag == ParserResultType.NotParsed) {
// Help text requested, or parsing failed. Exit.
Log.Warning("Could not parse command line arguments. Set --tcp --sim, --tcp <ip>:<port>, --nix, or --win. See documentation for further assistance.");
} else {
Provisioner p = new(settings, cli);
IHirsAcaTpm tpm = p.ConnectTpm();
p.UseClassicDeviceInfoCollector();
result = (ClientExitCodes)await p.Provision(tpm);
Log.Information("----> Provisioning " + (result == 0 ? "successful" : "failed") + ".");
}
} catch (Exception e) {
result = ClientExitCodes.FAIL;
Log.Fatal(e, "Application stopped.");
}
Log.CloseAndFlush();
return (int)result;
}
private static void HandleParseError(IEnumerable<Error> errs) {
//handle errors
Log.Error("There was a CLI error: " + errs.ToString());
}
private static bool IsRunningAsAdmin() {
bool isAdmin = false;
try {
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) {
WindowsIdentity user = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new(user);
isAdmin = principal.IsInRole(WindowsBuiltInRole.Administrator);
} else {
isAdmin = Mono.Unix.Native.Syscall.geteuid() == 0;
}
} catch { }
return isAdmin;
}
}
}

130
HIRS_Provisioner.NET/hirs/src/client/Client.cs Normal file
View File

@ -0,0 +1,130 @@
using Google.Protobuf;
using Hirs.Pb; // Imports ProvisionerTpm2.proto (compiled and generated by protobuf)
using Serilog;
using System;
using System.Buffers.Text;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
namespace hirs {
public class Client : IHirsAcaClient {
public static readonly string POST_IDENTITY_CLAIM_PATH = "HIRS_AttestationCA/identity-claim-tpm2/process";
public static readonly string POST_REQUEST_CERT_TPM2_PATH = "HIRS_AttestationCA/request-certificate-tpm2";
private readonly Uri uri;
private static readonly HttpClientHandler handler = new() {
ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
}; // TODO: Overhaul ACA security
private readonly HttpClient client;
/**
* This method will create an HttpClient that will accept any server certificate.
*/
public Client(string address) {
uri = new(address);
client = new HttpClient(handler);
}
public Client(string address, HttpClient httpClient) {
uri = new(address);
client = httpClient;
}
public async Task<IdentityClaimResponse> PostIdentityClaim(IdentityClaim identityClaim) {
MemoryStream stream = new(identityClaim.ToByteArray());
// serialize to stream
stream.Seek(0, SeekOrigin.Begin);
Uri full_address = new(uri.AbsoluteUri + POST_IDENTITY_CLAIM_PATH);
// send data via HTTP
StreamContent streamContent = new(stream);
streamContent.Headers.TryAddWithoutValidation("Content-Type", "application/octet-stream");
streamContent.Headers.TryAddWithoutValidation("Accept", "application/octet-stream, application/json");
IdentityClaimResponse icr = null;
try {
Log.Debug("Attempting to send IdentityClaim to " + full_address);
HttpResponseMessage response = await client.PostAsync(full_address, streamContent).ConfigureAwait(continueOnCapturedContext: false);
Log.Debug(response.ToString());
if (response.StatusCode == HttpStatusCode.OK) {
byte[] contentBytes = await response.Content.ReadAsByteArrayAsync();
icr = IdentityClaimResponse.Parser.ParseFrom(contentBytes);
Log.Debug("IdentityClaim delivery succeeded.");
} else {
Log.Debug("IdentityClaim delivery failed.");
Log.Debug("Request reason phrase: " + response.ReasonPhrase);
Log.Debug("Request content: " + response.Content);
}
} catch (Exception e) {
Log.Debug(e, "Error during post of the identity claim.");
}
return icr;
}
public IdentityClaim CreateIdentityClaim(DeviceInfo dv, byte[] akPublicArea, byte[] ekPublicArea,
byte[] endorsementCredential, List<byte[]> platformCredentials,
string paccoroutput) {
IdentityClaim identityClaim = new();
identityClaim.Dv = dv;
identityClaim.AkPublicArea = ByteString.CopyFrom(akPublicArea);
identityClaim.EkPublicArea = ByteString.CopyFrom(ekPublicArea);
identityClaim.EndorsementCredential = ByteString.CopyFrom(endorsementCredential);
if (platformCredentials != null) {
foreach (byte[] platformCertificate in platformCredentials) {
identityClaim.PlatformCredential.Add(ByteString.CopyFrom(platformCertificate));
}
}
identityClaim.PaccorOutput = paccoroutput;
return identityClaim;
}
public async Task<CertificateResponse> PostCertificateRequest(CertificateRequest certReq) {
MemoryStream stream = new(certReq.ToByteArray());
// serialize to stream
stream.Seek(0, SeekOrigin.Begin);
Uri full_address = new(uri.AbsoluteUri + POST_REQUEST_CERT_TPM2_PATH);
// send data via HTTP
StreamContent streamContent = new(stream);
streamContent.Headers.TryAddWithoutValidation("Content-Type", "application/octet-stream");
streamContent.Headers.TryAddWithoutValidation("Accept", "application/octet-stream, application/json");
CertificateResponse cr = null;
try {
Log.Debug("Attempting to send the Certificate Request to " + full_address);
HttpResponseMessage response = await client.PostAsync(full_address, streamContent).ConfigureAwait(continueOnCapturedContext: false);
Log.Debug(response.ToString());
if (response.StatusCode == HttpStatusCode.OK) {
byte[] contentBytes = await response.Content.ReadAsByteArrayAsync();
cr = CertificateResponse.Parser.ParseFrom(contentBytes);
Log.Debug("Certificate Response recevied.");
} else {
Log.Debug("Certificate Response failed.");
Log.Debug("Request reason phrase: " + response.ReasonPhrase);
Log.Debug("Request content: " + response.Content);
}
} catch (Exception e) {
Log.Debug(e, "Error during post of the certificate request.");
}
return cr;
}
public CertificateRequest CreateAkCertificateRequest(byte[] secret, CommandTpmQuoteResponse ctqr) {
CertificateRequest akCertReq = new();
akCertReq.Nonce = ByteString.CopyFrom(secret);
CommandTpmQuoteResponse.formatQuoteInfoSigForAca(ctqr.quoted, ctqr.signature, out string quoteInfoSigStr);
akCertReq.Quote = ByteString.CopyFromUtf8(quoteInfoSigStr);
//formatPcrValuesForAca(pcrValues, out string pcrValuesStr);
//akCertReq.Pcrslist = ByteString.CopyFromUtf8(pcrValuesStr);
return akCertReq;
}
}
}

53
HIRS_Provisioner.NET/hirs/src/client/IHirsAcaClient.cs Normal file
View File

@ -0,0 +1,53 @@
using Hirs.Pb;
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
namespace hirs {
public interface IHirsAcaClient {
/// <summary>
/// Send the <see cref="IdentityClaim"/> to the ACA. The claim is delivered
/// asynchronously to the ACA. However, the client will wait for the response.
/// </summary>
/// <param name="identityClaim">Evidence about the client.</param>
/// <returns>The <see cref="Task"/>&lt;<see cref="IdentityClaimResponse"/>&gt; from the
/// ACA. The response is wrapped in a Task.</returns>
Task<IdentityClaimResponse> PostIdentityClaim(IdentityClaim identityClaim);
/// <summary>
/// Send the <see cref="CertificateRequest"/> to the ACA. The request is delivered
/// asynchronously to the ACA. However, the client will wait for the response.
/// </summary>
/// <param name="certReq">The request for a certificate. Should contain evidence from
/// client to enable nonce verification.</param>
/// <returns>The <see cref="Task"/>&lt;<see cref="CertificateResponse"/>&gt; from the ACA.
/// The response is wrapped in a Task. It will contain a certificate or the reason why
/// the certificate request was rejected.</returns>
Task<CertificateResponse> PostCertificateRequest(CertificateRequest certReq);
/// <summary>
/// Collect client evidence regarding a Device into an object that can be interpreted by
/// the ACA.
/// </summary>
/// <param name="dv">Facts about the Device.</param>
/// <param name="akPublicArea">The public AK retrieved as a TPM2B_PUBLIC.</param>
/// <param name="ekPublicArea">The public EK retrieved as a TPM2B_PUBLIC.</param>
/// <param name="endorsementCredential">The public EK certificate, encoded in DER or
/// PEM.</param>
/// <param name="platformCredentials">Any platform certificates relevant to the Device,
/// encoded in DER or PEM.</param>
/// <param name="paccoroutput">Platform Manifest in a JSON format.</param>
/// <returns>An <see cref="IdentityClaim"/> object that can be sent to the ACA.</returns>
IdentityClaim CreateIdentityClaim(DeviceInfo dv, byte[] akPublicArea, byte[] ekPublicArea,
byte[] endorsementCredential,
List<byte[]> platformCredentials, string paccoroutput);
/// <summary>
/// Collect answers to verification requirements regarding a Device into an object that
/// can be interpreted by the ACA.
/// </summary>
/// <param name="secret">Verification data.</param>
/// <param name="ctqr">TPM Quote data from the client Device.</param>
/// <returns>A <see cref="CertificateRequest"/> object that can be sent to the
/// ACA.</returns>
CertificateRequest CreateAkCertificateRequest(byte[] secret, CommandTpmQuoteResponse ctqr);
}
}

179
HIRS_Provisioner.NET/hirs/src/client/TbsWrapper.cs Normal file
View File

@ -0,0 +1,179 @@
using Serilog;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
namespace hirs {
class TbsWrapper {
public class NativeMethods {
[DllImport("tbs.dll", CharSet = CharSet.Unicode)]
internal static extern TBS_RESULT
Tbsi_Context_Create(
ref TBS_CONTEXT_PARAMS ContextParams,
ref UIntPtr Context);
[DllImport("tbs.dll", CharSet = CharSet.Unicode)]
internal static extern TBS_RESULT
Tbsip_Context_Close(
UIntPtr Context);
[DllImport("tbs.dll", CharSet = CharSet.Unicode)]
internal static extern TBS_RESULT
Tbsi_Get_OwnerAuth(
UIntPtr Context,
[System.Runtime.InteropServices.MarshalAs(UnmanagedType.U4), In]
TBS_OWNERAUTH_TYPE OwnerAuthType,
[System.Runtime.InteropServices.MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 3), In, Out]
byte[] OutBuffer,
ref uint OutBufferSize);
[DllImport("tbs.dll", CharSet = CharSet.Unicode)]
internal static extern TBS_RESULT
Tbsi_Get_TCG_Log(
UIntPtr Context,
[System.Runtime.InteropServices.MarshalAs(UnmanagedType.LPArray, SizeParamIndex = 2), In, Out]
byte[] pOutputBuf,
ref uint pOutputBufLen);
}
public enum TBS_RESULT : uint {
TBS_SUCCESS = 0,
TBS_E_BLOCKED = 0x80280400,
TBS_E_INTERNAL_ERROR = 0x80284001,
TBS_E_BAD_PARAMETER = 0x80284002,
TBS_E_INSUFFICIENT_BUFFER = 0x80284005,
TBS_E_COMMAND_CANCELED = 0x8028400D,
TBS_E_OWNERAUTH_NOT_FOUND = 0x80284015
}
public enum TBS_OWNERAUTH_TYPE : uint {
TBS_OWNERAUTH_TYPE_FULL = 1,
TBS_OWNERAUTH_TYPE_ADMIN = 2,
TBS_OWNERAUTH_TYPE_USER = 3,
TBS_OWNERAUTH_TYPE_ENDORSEMENT = 4,
TBS_OWNERAUTH_TYPE_ENDORSEMENT_20 = 12,
TBS_OWNERAUTH_TYPE_STORAGE_20 = 13
}
[StructLayout(LayoutKind.Sequential)]
public struct TBS_CONTEXT_PARAMS {
public TBS_CONTEXT_VERSION Version;
public TBS_CONTEXT_CREATE_FLAGS Flags;
}
public enum TBS_CONTEXT_VERSION : uint {
ONE = 1,
TWO = 2
}
public enum TBS_CONTEXT_CREATE_FLAGS : uint {
RequestRaw = 0x00000001,
IncludeTpm12 = 0x00000002,
IncludeTpm20 = 0x00000004,
}
// This method is only intended to be called from Windows.
[System.Diagnostics.CodeAnalysis.SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "<Pending>")]
public static bool GetOwnerAuthFromOS(out byte[] ownerAuth) {
ownerAuth = Array.Empty<byte>();
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new(identity);
if (!principal.IsInRole(WindowsBuiltInRole.Administrator)) {
Log.Error("GetOwnerAuthFromOS: run the client with Administrator privileges");
return false;
}
// open context
TbsWrapper.TBS_CONTEXT_PARAMS contextParams;
UIntPtr tbsContext = UIntPtr.Zero;
contextParams.Version = TbsWrapper.TBS_CONTEXT_VERSION.TWO;
contextParams.Flags = TbsWrapper.TBS_CONTEXT_CREATE_FLAGS.IncludeTpm20;
TbsWrapper.TBS_RESULT result = TbsWrapper.NativeMethods.Tbsi_Context_Create(ref contextParams, ref tbsContext);
if (result != TbsWrapper.TBS_RESULT.TBS_SUCCESS) {
return false;
}
if (tbsContext == UIntPtr.Zero) {
return false;
}
// get owner auth size
uint ownerAuthSize = 0;
TbsWrapper.TBS_OWNERAUTH_TYPE ownerType = TbsWrapper.TBS_OWNERAUTH_TYPE.TBS_OWNERAUTH_TYPE_STORAGE_20;
result = TbsWrapper.NativeMethods.Tbsi_Get_OwnerAuth(tbsContext, ownerType, ownerAuth, ref ownerAuthSize);
if (result != TbsWrapper.TBS_RESULT.TBS_SUCCESS &&
result != TbsWrapper.TBS_RESULT.TBS_E_INSUFFICIENT_BUFFER) {
ownerType = TbsWrapper.TBS_OWNERAUTH_TYPE.TBS_OWNERAUTH_TYPE_FULL;
result = TbsWrapper.NativeMethods.Tbsi_Get_OwnerAuth(tbsContext, ownerType, ownerAuth, ref ownerAuthSize);
if (result != TbsWrapper.TBS_RESULT.TBS_SUCCESS &&
result != TbsWrapper.TBS_RESULT.TBS_E_INSUFFICIENT_BUFFER) {
Log.Debug("Failed to get ownerAuthSize.");
return false;
}
}
// get owner auth itself
ownerAuth = new byte[ownerAuthSize];
result = TbsWrapper.NativeMethods.Tbsi_Get_OwnerAuth(tbsContext, ownerType, ownerAuth, ref ownerAuthSize);
if (result != TbsWrapper.TBS_RESULT.TBS_SUCCESS) {
Log.Debug("Failed to get ownerAuth.");
return false;
}
TbsWrapper.NativeMethods.Tbsip_Context_Close(tbsContext);
return true;
}
// This method is only intended to be called from Windows.
[System.Diagnostics.CodeAnalysis.SuppressMessage("Interoperability", "CA1416:Validate platform compatibility", Justification = "<Pending>")]
public static bool GetEventLog(out byte[] eventLog) {
eventLog = Array.Empty<byte>();
WindowsIdentity identity = WindowsIdentity.GetCurrent();
WindowsPrincipal principal = new(identity);
if (!principal.IsInRole(WindowsBuiltInRole.Administrator)) {
Log.Debug("GetEventLog: run the client with Administrator privileges");
return false;
}
// open context
TbsWrapper.TBS_CONTEXT_PARAMS contextParams;
UIntPtr tbsContext = UIntPtr.Zero;
contextParams.Version = TbsWrapper.TBS_CONTEXT_VERSION.TWO;
contextParams.Flags = TbsWrapper.TBS_CONTEXT_CREATE_FLAGS.IncludeTpm12 | TbsWrapper.TBS_CONTEXT_CREATE_FLAGS.IncludeTpm20;
TbsWrapper.TBS_RESULT result = TbsWrapper.NativeMethods.Tbsi_Context_Create(ref contextParams, ref tbsContext);
if (result != TbsWrapper.TBS_RESULT.TBS_SUCCESS) {
return false;
}
if (tbsContext == UIntPtr.Zero) {
return false;
}
// Two calls needed
// First gets the log size
uint eventLogSize = 0;
Log.Debug("Attempting to get the event log size from Tbsi.");
result = TbsWrapper.NativeMethods.Tbsi_Get_TCG_Log(tbsContext, eventLog, ref eventLogSize);
if (result != TbsWrapper.TBS_RESULT.TBS_SUCCESS &&
result != TbsWrapper.TBS_RESULT.TBS_E_INSUFFICIENT_BUFFER) {
Log.Debug("Failed to get eventLogSize.");
return false;
}
// Second gets the log
Log.Debug("Attempting to get the event log from Tbsi.");
eventLog = new byte[eventLogSize];
result = TbsWrapper.NativeMethods.Tbsi_Get_TCG_Log(tbsContext, eventLog, ref eventLogSize);
if (result != TbsWrapper.TBS_RESULT.TBS_SUCCESS) {
Log.Debug("Failed to get eventLog.");
return false;
}
TbsWrapper.NativeMethods.Tbsip_Context_Close(tbsContext);
return true;
}
}
}

39
HIRS_Provisioner.NET/hirs/src/config/CLI.cs Normal file
View File

@ -0,0 +1,39 @@
using CommandLine;
namespace hirs {
public class CLI {
[Option("tcp", SetName="type", Default = false, HelpText = "Connect to the TPM by IP. Use the format ip:port. By default will connect to " + CommandTpm.DefaultSimulatorNamePort + ".")]
public bool Tcp {
get; set;
}
[Option("win", SetName = "type", Default = false, HelpText = "Connect to a Windows TPM device.")]
public bool Win {
get; set;
}
[Option("nix", SetName = "type", Default = false, HelpText = "Connect to a Linux TPM device.")]
public bool Nix {
get; set;
}
[Option("sim", Default = false, HelpText = "Notify the program of intent to connect to a TPM simulator.")]
public bool Sim {
get; set;
}
[Option("ip", Default = CommandTpm.DefaultSimulatorNamePort, HelpText = "IP of the TPM Device. Use the format ip:port.")]
public string Ip {
get; set;
}
[Option("replaceAK", Default = false, HelpText = "Clear any existing hirs AK and create a new one.")]
public bool ReplaceAK {
get; set;
}
public static string[] SplitArgs(string argString) {
return argString.SplitArgs(true);
}
}
}

18
HIRS_Provisioner.NET/hirs/src/config/ClientExitCodes.cs Normal file
View File

@ -0,0 +1,18 @@

namespace hirs {
public enum ClientExitCodes {
SUCCESS = 0, // Full successful program completion
FAIL = 1, // Unknown/Generic failure resulting in exit
USER_ERROR = 20, // Generic user error
MISSING_CONFIG = 21, // Config file missing
ACA_UNREACHABLE = 22, // Nothing found at the address specified
NOT_PRIVILEGED = 23, // Client not run as root
EXTERNAL_APP_ERROR = 40, // Generic external application error
TPM_ERROR = 41, // Encountered error with the TPM, log the TPM Return Code
HW_COLLECTION_ERROR = 42, // Encountered error when gathering hardware details
PROVISIONING_ERROR = 60, // Generic provisioning error |
PASS_1_STATUS_FAIL = 61,
PASS_2_STATUS_FAIL = 62,
MAKE_CREDENTIAL_BLOB_MALFORMED = 63 // The TPM2_MakeCredential blob was not correct
}
}

547
HIRS_Provisioner.NET/hirs/src/config/Settings.cs Normal file
View File

@ -0,0 +1,547 @@
using HardwareManifestPlugin;
using HardwareManifestPluginManager;
using Microsoft.Extensions.Configuration;
using Serilog;
using System;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Collections.Generic;
namespace hirs {
public class Settings {
public enum Options {
paccor_output_file,
aca_address_port,
efi_prefix,
auto_detect_tpm,
event_log_file,
hardware_manifest_collectors,
hardware_manifest_collection_swid_enforced,
linux_bios_vendor_file,
linux_bios_version_file,
linux_bios_date_file,
linux_sys_vendor_file,
linux_product_name_file,
linux_product_version_file,
linux_product_serial_file
}
private static readonly string DEFAULT_SETTINGS_FILE = "appsettings.json";
private static readonly string EFI_ARTIFACT_PATH_COMPAT = "/boot/tcg/";
private static readonly string EFI_ARTIFACT_PATH = "/EFI/tcg/";
private static readonly string EFI_ARTIFACT_LINUX_PREFIX = "/boot/efi";
private readonly string settingsFile;
private readonly IConfiguration configFromSettingsFile;
// Storage of options collected from the settingsFile, with some default values
public virtual string paccor_output {
get; private set;
}
public virtual Uri aca_address_port {
get; private set;
}
public string efi_prefix {
get; private set;
}
public bool auto_detect_tpm {
get; private set;
}
public virtual byte[] event_log {
get; private set;
}
public virtual string linux_bios_vendor {
get; private set;
}
public virtual string linux_bios_version {
get; private set;
}
public virtual string linux_bios_date {
get; private set;
}
public virtual string linux_sys_vendor {
get; private set;
}
public virtual string linux_product_name {
get; private set;
}
public virtual string linux_product_version {
get; private set;
}
public virtual string linux_product_serial {
get; private set;
}
private List<IHardwareManifest> hardwareManifests = new();
private Dictionary<string, string> hardware_manifest_collectors_with_args = new();
private bool hardware_manifest_collection_swid_enforced = false;
private Settings() : this(Settings.DEFAULT_SETTINGS_FILE) { }
/// <summary>
/// </summary>
/// <param name="file">The path to the appsettings.json file on the file system.</param>
private Settings(string file) {
settingsFile = file;
configFromSettingsFile = ReadSettingsFile();
}
public static Settings LoadSettingsFromDefaultFile() {
return new(DEFAULT_SETTINGS_FILE);
}
/// <summary>
/// </summary>
/// <param name="path">The path to the settings JSON file on the file system.</param>
public static Settings LoadSettingsFromFile(string path) {
Settings settings = new(path);
return settings;
}
private static string GetBasePath() {
return AppContext.BaseDirectory;
}
private IConfiguration ReadSettingsFile() {
string basePath = GetBasePath();
IConfiguration configuration = new ConfigurationBuilder()
.SetBasePath(basePath)
.AddJsonFile(settingsFile, false, true)
.Build();
return configuration;
}
public void SetUpLog() {
Log.Logger = new LoggerConfiguration().ReadFrom.Configuration(configFromSettingsFile).CreateLogger();
Log.Debug("Reading settings file: " + Path.GetFullPath(Path.Combine(GetBasePath(), settingsFile)));
}
public void CompleteSetUp() {
try {
ConfigureHardwareManifestManagement();
IngestPaccorDataFromFile();
ParseAcaAddress();
CheckAutoDetectTpm();
CheckEfiPrefix();
IngestEventLogFromFile();
StoreCustomDeviceInfoCollectorOptions();
} catch (Exception e) {
if (Log.Logger == null) {
Console.WriteLine("Could not set up logging.");
}
Log.Error(e, "Error reading the settings file.");
throw;
}
}
#region Hardware Manifest
private void ConfigureHardwareManifestManagement() {
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.hardware_manifest_collectors.ToString()])) {
Log.Debug("Configuring Hardware Manifest Plugin Manager");
string hardware_manifest_collectors = $"{ configFromSettingsFile[Options.hardware_manifest_collectors.ToString()] }";
hardware_manifest_collectors_with_args = ParseHardwareManifestCollectorsString(hardware_manifest_collectors);
// Collectors are identified by Name.
// Multiple collectors can be identified with a comma delimiter between collector names.
// There is a field in the HardwareManifestPlugin Interface that must match this Name.
// Each Name can be optionally followed by a space and command-line style arguments.
// Those arguments must not break the JSON encoding of the settings file.
// ex: collector1_name -a --b=c,collector2_name,collector3_name
// If SWID enforcement is enabled, Collectors must also pass validation prior to loading.
// Once loaded, the command-line arguments are passed directly to the collector by the Configure method of the Interface.
List<string> names = hardware_manifest_collectors_with_args.Keys.ToList();
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.hardware_manifest_collection_swid_enforced.ToString()])) {
string hardware_manifest_collection_swid_enforced_str = $"{ configFromSettingsFile[Options.hardware_manifest_collection_swid_enforced.ToString()] }";
hardware_manifest_collection_swid_enforced = Boolean.Parse(hardware_manifest_collection_swid_enforced_str);
Log.Debug("SWID enforcement of Hardware Manifest Plugins are " + (hardware_manifest_collection_swid_enforced ? "en" : "dis") + "abled in settings.");
}
hardwareManifests = HardwareManifestPluginManagerUtils.LoadPlugins(names, hardware_manifest_collection_swid_enforced);
CleanHardwareManifestCollectors();
Log.Debug("Finished configuring the Hardware Manifest Plugin Manager.");
} else {
Log.Debug("Hardware Manifest Plugin Manager will not be used. No collectors were identified in settings.");
}
}
private static Dictionary<string, string> ParseHardwareManifestCollectorsString(string hardware_manifest_collectors) {
Dictionary<string, string> dict = new();
List<string> names = hardware_manifest_collectors.Split(',').Select(s => s.Trim()).ToList();
foreach (string name in names) {
string[] parts = name.Split(' ', 2); // split on first space
dict.Add(parts[0], parts.Length == 2 ? parts[1] : "");
}
return dict;
}
private void CleanHardwareManifestCollectors() {
List<string> names = hardwareManifests.Select(x => x.Name).ToList();
Dictionary<string, string> dict = new();
foreach (string name in names) {
dict.Add(name, hardware_manifest_collectors_with_args[name]);
}
hardware_manifest_collectors_with_args.Clear();
hardware_manifest_collectors_with_args = dict;
}
public virtual string RunHardwareManifestCollectors() {
Log.Debug("Gathering data from loaded hardware manifest collectors.");
string manifestJson = "";
foreach (IHardwareManifest manifest in hardwareManifests) {
try {
Log.Debug(" Configuring " + manifest.Name);
if (hardware_manifest_collectors_with_args.ContainsKey(manifest.Name)) {
manifest.Configure(CLI.SplitArgs(hardware_manifest_collectors_with_args[manifest.Name]));
}
// TODO: Combine JSON Better
// OR Return proto objects
Log.Debug(" Gathering from " + manifest.Name);
manifestJson = string.Join(manifestJson, manifest.GatherHardwareManifestAsJsonString());
} catch (Exception e) {
Log.Debug($"Problem retrieving hardware manifest from {manifest.Name}.", e.InnerException);
}
}
//TODO: Verify JSON?
return manifestJson;
}
#endregion
#region Ingest paccor data from file
private void IngestPaccorDataFromFile() {
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.paccor_output_file.ToString()])) {
Log.Debug("Checking location of the paccor output file.");
string paccor_output_path = $"{ configFromSettingsFile[Options.paccor_output_file.ToString()] }";
if (DoesFileExist(paccor_output_path, out paccor_output_path)) {
if (HasHardwareManifestPlugins()) {
Log.Warning("The settings file specified hardware manifest collectors and a paccor output file. Fresh data is preferred over data from a file. If you want to use the file data, clear the collectors field from the settings file.");
} else {
Log.Debug("Retrieving components from " + Options.paccor_output_file.ToString() + ".");
paccor_output = File.ReadAllText(paccor_output_path);
if (string.IsNullOrWhiteSpace(paccor_output)) {
Log.Warning(Options.paccor_output_file.ToString() + " Paccor output was empty. Cannot perform Platform Attribute validation.");
} else {
Log.Debug("Output file contains:\n" + paccor_output);
}
}
}
} else {
Log.Debug(Options.paccor_output_file.ToString() + " not set in the settings file.");
}
}
#endregion
#region ACA Address
private void ParseAcaAddress() {
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.aca_address_port.ToString()])) {
Log.Debug("Parsing the ACA Address.");
string aca_address_port_str = $"{ configFromSettingsFile[Options.aca_address_port.ToString()] }";
if (!string.IsNullOrWhiteSpace(aca_address_port_str)) {
aca_address_port = new Uri(aca_address_port_str);
Log.Debug(" Found " + aca_address_port);
}
}
if (!HasAcaAddress()) {
Log.Error(Options.aca_address_port.ToString() + " not set in the settings file. No HIRS ACA server to talk to. Looking for the format: \"https://<aca_server>:<port>\"");
}
}
#endregion
#region Auto Detect TPM
private void CheckAutoDetectTpm() {
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.auto_detect_tpm.ToString()])) {
Log.Debug("Checking Auto Detect TPM setting.");
string auto_detect_tpm_str = $"{ configFromSettingsFile[Options.auto_detect_tpm.ToString()] }";
try {
auto_detect_tpm = Boolean.Parse(auto_detect_tpm_str);
Log.Debug(" Auto Detect TPM is " + (auto_detect_tpm ? "en" : "dis") + "abled.");
} catch (FormatException) {
auto_detect_tpm = false;
Log.Warning(Options.auto_detect_tpm.ToString() + " did not contain a readable true/false setting. Setting to default of false.");
}
} else {
auto_detect_tpm = false;
Log.Debug(Options.auto_detect_tpm.ToString() + " not set in the settings file. Setting to default of false.");
}
}
#endregion
#region EFI
private void CheckEfiPrefix() {
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.efi_prefix.ToString()])) {
Log.Debug("Checking EFI Prefix setting.");
efi_prefix = $"{ configFromSettingsFile[Options.efi_prefix.ToString()] }";
if (string.IsNullOrWhiteSpace(efi_prefix)) { // If not explicitly set in appsettings, try to use default EFI location on Linux
if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) {
efi_prefix = EFI_ARTIFACT_LINUX_PREFIX + EFI_ARTIFACT_PATH;
}
} else {
if (!Directory.Exists(efi_prefix)) {
Log.Debug(Options.efi_prefix.ToString() + ": " + efi_prefix + " did not exist.");
efi_prefix = null;
}
}
}
if (efi_prefix == null) {
Log.Warning(Options.efi_prefix.ToString() + " not set in the settings file. Will not attempt to scan for artifacts in EFI.");
} else {
Log.Debug(" Will scan for artifacts in " + efi_prefix);
}
}
public virtual List<byte[]> gatherPlatformCertificatesFromEFI() {
// According to FIM: EFIPREFIX/boot/tcg/{cert,pccert,platform}
List<byte[]> platformCerts = null;
if (!string.IsNullOrWhiteSpace(efi_prefix)) {
EnumerationOptions enumOpts = new EnumerationOptions();
enumOpts.MatchCasing = MatchCasing.CaseInsensitive;
enumOpts.RecurseSubdirectories = true;
List<FileInfo> files = new List<FileInfo>();
string[] paths = { "cert", "pccert", "platform" };
foreach (string subdir in paths) {
string path = efi_prefix + EFI_ARTIFACT_PATH + subdir;
if (Directory.Exists(path)) {
files.AddRange(new DirectoryInfo(path).GetFiles("*base*", enumOpts));
files.AddRange(new DirectoryInfo(path).GetFiles("*delta*", enumOpts));
} else {
path = efi_prefix + EFI_ARTIFACT_PATH_COMPAT + subdir;
if (Directory.Exists(path)) {
files.AddRange(new DirectoryInfo(path).GetFiles("*base*", enumOpts));
files.AddRange(new DirectoryInfo(path).GetFiles("*delta*", enumOpts));
}
}
}
if (files.Count > 0) { // if none found, don't initialize platformCerts
// At least one base platform cert found
platformCerts = new List<byte[]>();
foreach (FileInfo file in files) {
platformCerts.Add(File.ReadAllBytes(file.FullName));
Log.Debug("gatherPlatformCertificatesFromEFI: Gathering " + file.FullName);
}
}
} else {
Log.Warning("gatherPlatformCertificatesFromEFI was called without verifying HasEfiPrefix.");
}
Log.Debug("Found " + (platformCerts == null ? 0 : platformCerts.Count) + " platform certs.");
return platformCerts;
}
public virtual List<byte[]> gatherRIMBasesFromEFI() {
// According to PC Client RIM
List<byte[]> baseRims = null;
// /boot/tcg/manifest/swidtag Base RIM Files
// <name of the tag creator> + <product name> + <RIM version>.swidtag
if (!string.IsNullOrWhiteSpace(efi_prefix)) {
EnumerationOptions enumOpts = new EnumerationOptions();
enumOpts.MatchCasing = MatchCasing.CaseInsensitive;
enumOpts.RecurseSubdirectories = true;
List<FileInfo> files = new List<FileInfo>();
string[] paths = { "manifest", "swidtag" };
string ext = "*swidtag";
foreach (string subdir in paths) {
string path = efi_prefix + EFI_ARTIFACT_PATH + subdir;
if (Directory.Exists(path)) {
files.AddRange(new DirectoryInfo(path).GetFiles(ext, enumOpts));
} else {
path = efi_prefix + EFI_ARTIFACT_PATH_COMPAT + subdir;
if (Directory.Exists(path)) {
files.AddRange(new DirectoryInfo(path).GetFiles(ext, enumOpts));
}
}
}
if (files.Count() > 0) { // if none found, don't initialize baseRims
// At least one base platform cert found
baseRims = new List<byte[]>();
foreach (FileInfo file in files) {
baseRims.Add(File.ReadAllBytes(file.FullName));
Log.Debug("gatherRIMBasesFromEFI: Gathering " + file.FullName);
}
}
} else {
Log.Warning("gatherRIMBasesFromEFI was called without verifying HasEfiPrefix.");
}
Log.Debug("Found " + (baseRims == null ? 0 : baseRims.Count) + " base RIMs.");
return baseRims;
}
public virtual List<byte[]> gatherSupportRIMELsFromEFI() {
// According to PC Client RIM
List<byte[]> supportRimELs = null;
// /boot/tcg/manifest/rim Support RIM Files
// <name of the tag creator> + <product name> + <product version>.rimel
if (!string.IsNullOrWhiteSpace(efi_prefix)) {
EnumerationOptions enumOpts = new EnumerationOptions();
enumOpts.MatchCasing = MatchCasing.CaseInsensitive;
enumOpts.RecurseSubdirectories = true;
List<FileInfo> files = new List<FileInfo>();
string[] paths = { "manifest", "rim" };
string ext = "*rimel";
foreach (string subdir in paths) {
string path = efi_prefix + EFI_ARTIFACT_PATH + subdir;
if (Directory.Exists(path)) {
files.AddRange(new DirectoryInfo(path).GetFiles(ext, enumOpts));
} else {
path = efi_prefix + EFI_ARTIFACT_PATH_COMPAT + subdir;
if (Directory.Exists(path)) {
files.AddRange(new DirectoryInfo(path).GetFiles(ext, enumOpts));
}
}
}
if (files.Count() > 0) { // if none found, don't initialize baseRims
// At least one base platform cert found
supportRimELs = new List<byte[]>();
foreach (FileInfo file in files) {
supportRimELs.Add(File.ReadAllBytes(file.FullName));
Log.Debug("gatherSupportRIMELsFromEFI: Gathering " + file.FullName);
}
}
} else {
Log.Warning("gatherSupportRIMELsFromEFI was called without verifying HasEfiPrefix.");
}
Log.Debug("Found " + (supportRimELs == null ? 0 : supportRimELs.Count) + " support rimel files.");
return supportRimELs;
}
public virtual List<byte[]> gatherSupportRIMPCRsFromEFI() {
// According to PC Client RIM
List<byte[]> supportRimPCRs = null;
// /boot/tcg/manifest/rim Support RIM Files
// <name of the tag creator> + <product name> + <product version>.rimpcr
if (!string.IsNullOrWhiteSpace(efi_prefix)) {
EnumerationOptions enumOpts = new EnumerationOptions();
enumOpts.MatchCasing = MatchCasing.CaseInsensitive;
enumOpts.RecurseSubdirectories = true;
List<FileInfo> files = new List<FileInfo>();
string[] paths = { "manifest", "rim" };
string ext = "*rimpcr";
foreach (string subdir in paths) {
string path = efi_prefix + EFI_ARTIFACT_PATH + subdir;
if (Directory.Exists(path)) {
files.AddRange(new DirectoryInfo(path).GetFiles(ext, enumOpts));
} else {
path = efi_prefix + EFI_ARTIFACT_PATH_COMPAT + subdir;
if (Directory.Exists(path)) {
files.AddRange(new DirectoryInfo(path).GetFiles(ext, enumOpts));
}
}
}
if (files.Count() > 0) { // if none found, don't initialize baseRims
// At least one base platform cert found
supportRimPCRs = new List<byte[]>();
foreach (FileInfo file in files) {
supportRimPCRs.Add(File.ReadAllBytes(file.FullName));
Log.Debug("gatherSupportRIMPCRsFromEFI: Gathering " + file.FullName);
}
}
} else {
Log.Warning("gatherSupportRIMPCRsFromEFI was called without verifying HasEfiPrefix.");
}
Log.Debug("Found " + (supportRimPCRs == null ? 0 : supportRimPCRs.Count) + " support rimpcr files.");
return supportRimPCRs;
}
#endregion
#region Ingest Event Log from File
private void IngestEventLogFromFile() {
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.event_log_file.ToString()])) {
Log.Debug("Checking location of the event log.");
string event_log_path = $"{ configFromSettingsFile[Options.event_log_file.ToString()] }";
if (DoesFileExist(event_log_path, out event_log_path)) {
Log.Debug("Retrieving the Event Log. ");
event_log = File.ReadAllBytes(event_log_path);
if (event_log == null || event_log.Length == 0) {
Log.Warning(Options.event_log_file.ToString() + " The event log was empty.");
}
}
} else {
Log.Debug(Options.event_log_file.ToString() + " not set in the settings file.");
}
}
#endregion
#region Store Custom Device Info Collector Options
private void StoreCustomDeviceInfoCollectorOptions() {
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.linux_bios_vendor_file.ToString()])) {
Log.Debug("Custom bios vendor file specified for the Device Info Collector on Linux.");
string path = $"{ configFromSettingsFile[Options.linux_bios_vendor_file.ToString()] }";
linux_bios_vendor = ReadFileText(path);
}
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.linux_bios_version_file.ToString()])) {
Log.Debug("Custom bios version file specified for the Device Info Collector on Linux.");
string path = $"{ configFromSettingsFile[Options.linux_bios_version_file.ToString()] }";
linux_bios_version = ReadFileText(path);
}
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.linux_sys_vendor_file.ToString()])) {
Log.Debug("Custom hardware manufacturer file specified for the Device Info Collector on Linux.");
string path = $"{ configFromSettingsFile[Options.linux_sys_vendor_file.ToString()] }";
linux_sys_vendor = ReadFileText(path);
}
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.linux_product_name_file.ToString()])) {
Log.Debug("Custom hardware product name file specified for the Device Info Collector on Linux.");
string path = $"{ configFromSettingsFile[Options.linux_product_name_file.ToString()] }";
linux_product_name = ReadFileText(path);
}
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.linux_product_version_file.ToString()])) {
Log.Debug("Custom hardware product version file specified for the Device Info Collector on Linux.");
string path = $"{ configFromSettingsFile[Options.linux_product_version_file.ToString()] }";
linux_product_version = ReadFileText(path);
}
if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.linux_product_serial_file.ToString()])) {
Log.Debug("Custom hardware product serial file specified for the Device Info Collector on Linux.");
string path = $"{ configFromSettingsFile[Options.linux_product_serial_file.ToString()] }";
linux_product_serial = ReadFileText(path);
}
}
#endregion
public static bool DoesFileExist(string path, out string out_full_path) {
bool found = false;
out_full_path = "";
if (!string.IsNullOrWhiteSpace(path)) {
out_full_path = Path.GetFullPath(path);
found = File.Exists(out_full_path);
if (!found) {
Log.Debug(" File identified in settings did not exist: " + out_full_path);
} else {
Log.Debug(" File exists: " + out_full_path);
}
}
return found;
}
public static string ReadFileText(string path) {
string text = "";
if (DoesFileExist(path, out string full_path)) {
Log.Debug(" Reading file: " + full_path + ".");
text = File.ReadAllText(full_path);
Log.Debug(" " + (string.IsNullOrWhiteSpace(text) ? "File was empty." : text));
}
return text;
}
public bool HasHardwareManifestPlugins() {
return hardwareManifests.Count > 0;
}
public bool HasPaccorOutputFromFile() {
return !string.IsNullOrEmpty(paccor_output);
}
public bool HasAcaAddress() {
return aca_address_port != null;
}
public bool HasEfiPrefix() {
return !string.IsNullOrEmpty(efi_prefix);
}
public bool IsAutoDetectTpmEnabled() {
return auto_detect_tpm;
}
public bool HasEventLogFromFile() {
return event_log != null && event_log.Length > 0;
}
}
}

250
HIRS_Provisioner.NET/hirs/src/deviceInfo/ClassicDeviceInfoCollector.cs Normal file
View File

@ -0,0 +1,250 @@
using Hirs.Pb;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Management;
using System.Net;
using System.Net.NetworkInformation;
using System.Net.Sockets;
using System.Runtime.InteropServices;
using System.Text;
using System.IO;
using Serilog;
namespace hirs {
public class ClassicDeviceInfoCollector : IHirsDeviceInfoCollector {
public static readonly string NOT_SPECIFIED = "Not Specified";
public static readonly string LINUX_DEFAULT_BIOS_VENDOR_PATH = "/sys/class/dmi/id/bios_vendor";
public static readonly string LINUX_DEFAULT_BIOS_VERSION_PATH = "/sys/class/dmi/id/bios_version";
public static readonly string LINUX_DEFAULT_BIOS_DATE_PATH = "/sys/class/dmi/id/bios_date";
public static readonly string LINUX_DEFAULT_SYS_VENDOR_PATH = "/sys/class/dmi/id/sys_vendor";
public static readonly string LINUX_DEFAULT_PRODUCT_NAME_PATH = "/sys/class/dmi/id/product_name";
public static readonly string LINUX_DEFAULT_PRODUCT_VERSION_PATH = "/sys/class/dmi/id/product_version";
public static readonly string LINUX_DEFAULT_PRODUCT_SERIAL_PATH = "/sys/class/dmi/id/product_serial";
private readonly Settings? settings;
public ClassicDeviceInfoCollector() {
settings = null;
}
public ClassicDeviceInfoCollector(Settings settings) {
this.settings = settings;
}
public static string FileToString(string path, string def) {
string result;
try {
result = File.ReadAllText(path).Trim();
} catch {
result = def;
}
if (string.IsNullOrWhiteSpace(result)) {
result = def;
}
return result;
}
public DeviceInfo CollectDeviceInfo(string acaAddress) {
DeviceInfo dv = new();
dv.Fw = CollectFirmwareInfo();
dv.Hw = CollectHardwareInfo();
dv.Nw = CollectNetworkInfo(acaAddress);
dv.Os = CollectOsInfo();
return dv;
}
public FirmwareInfo CollectFirmwareInfo() {
FirmwareInfo fw = new();
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) {
ManagementScope myScope = new("root\\CIMV2");
ManagementObjectSearcher s = new("SELECT * FROM Win32_BIOS");
fw.BiosVendor = NOT_SPECIFIED;
fw.BiosVersion = NOT_SPECIFIED;
fw.BiosReleaseDate = NOT_SPECIFIED;
foreach (ManagementObject o in s.Get()) {
string manufacturer = (string)o.GetPropertyValue("Manufacturer");
string version = (string)o.GetPropertyValue("Version");
string releasedate = (string)o.GetPropertyValue("ReleaseDate");
fw.BiosVendor = string.IsNullOrEmpty(manufacturer) ? NOT_SPECIFIED : manufacturer;
fw.BiosVersion = string.IsNullOrEmpty(version) ? NOT_SPECIFIED : version;
fw.BiosReleaseDate = string.IsNullOrEmpty(releasedate) ? NOT_SPECIFIED : releasedate;
break;
}
} else if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) {
if (settings != null) {
if (!string.IsNullOrEmpty(settings.linux_bios_vendor)) {
fw.BiosVendor = settings.linux_bios_vendor.Trim();
}
if (!string.IsNullOrEmpty(settings.linux_bios_version)) {
fw.BiosVersion = settings.linux_bios_version.Trim();
}
if (!string.IsNullOrEmpty(settings.linux_bios_date)) {
fw.BiosReleaseDate = settings.linux_bios_date.Trim();
}
}
if (string.IsNullOrEmpty(fw.BiosVendor)) {
fw.BiosVendor = FileToString(LINUX_DEFAULT_BIOS_VENDOR_PATH, NOT_SPECIFIED);
}
if (string.IsNullOrEmpty(fw.BiosVersion)) {
fw.BiosVersion = FileToString(LINUX_DEFAULT_BIOS_VERSION_PATH, NOT_SPECIFIED);
}
if (string.IsNullOrEmpty(fw.BiosReleaseDate)) {
fw.BiosReleaseDate = FileToString(LINUX_DEFAULT_BIOS_DATE_PATH, NOT_SPECIFIED);
}
} else if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) {
// tbd
} else {
// tbd
}
Log.Debug("Bios Vendor: " + fw.BiosVendor);
Log.Debug("Bios Version: " + fw.BiosVersion);
Log.Debug("Bios Date: " + fw.BiosReleaseDate);
return fw;
}
public HardwareInfo CollectHardwareInfo() {
HardwareInfo hw = new();
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) {
ManagementScope myScope = new("root\\CIMV2");
ManagementObjectSearcher s = new("SELECT * FROM Win32_ComputerSystemProduct");
hw.Manufacturer = NOT_SPECIFIED;
hw.ProductName = NOT_SPECIFIED;
hw.ProductVersion = NOT_SPECIFIED;
hw.SystemSerialNumber = NOT_SPECIFIED;
foreach (ManagementObject o in s.Get()) {
string vendor = (string)o.GetPropertyValue("Vendor");
string name = (string)o.GetPropertyValue("Name");
string version = (string)o.GetPropertyValue("Version");
string identifyingnumber = (string)o.GetPropertyValue("IdentifyingNumber");
hw.Manufacturer = string.IsNullOrWhiteSpace(vendor) ? NOT_SPECIFIED : vendor;
hw.ProductName = string.IsNullOrWhiteSpace(name) ? NOT_SPECIFIED : name;
hw.ProductVersion = string.IsNullOrWhiteSpace(version) ? NOT_SPECIFIED : version;
hw.SystemSerialNumber = string.IsNullOrWhiteSpace(identifyingnumber) ? NOT_SPECIFIED : identifyingnumber;
break;
}
} else if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) {
if (settings != null) {
if (!string.IsNullOrEmpty(settings.linux_sys_vendor)) {
hw.Manufacturer = settings.linux_sys_vendor.Trim();
}
if (!string.IsNullOrEmpty(settings.linux_product_name)) {
hw.ProductName = settings.linux_product_name.Trim();
}
if (!string.IsNullOrEmpty(settings.linux_product_version)) {
hw.ProductVersion = settings.linux_product_version.Trim();
}
if (!string.IsNullOrEmpty(settings.linux_product_serial)) {
hw.SystemSerialNumber = settings.linux_product_serial.Trim();
}
}
if (string.IsNullOrEmpty(hw.Manufacturer)) {
hw.Manufacturer = FileToString(LINUX_DEFAULT_SYS_VENDOR_PATH, NOT_SPECIFIED);
}
if (string.IsNullOrEmpty(hw.ProductName)) {
hw.ProductName = FileToString(LINUX_DEFAULT_PRODUCT_NAME_PATH, NOT_SPECIFIED);
}
if (string.IsNullOrEmpty(hw.ProductVersion)) {
hw.ProductVersion = FileToString(LINUX_DEFAULT_PRODUCT_VERSION_PATH, NOT_SPECIFIED);
}
if (string.IsNullOrEmpty(hw.SystemSerialNumber)) {
hw.SystemSerialNumber = FileToString(LINUX_DEFAULT_PRODUCT_SERIAL_PATH, NOT_SPECIFIED);
}
} else if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) {
// tbd
} else {
// tbd
}
Log.Debug("System Manufacturer: " + hw.Manufacturer);
Log.Debug("Product Name: " + hw.ProductName);
Log.Debug("Product Version: " + hw.ProductVersion);
Log.Debug("System Serial Number: " + hw.SystemSerialNumber);
return hw;
}
public NetworkInfo CollectNetworkInfo(string acaAddress) {
NetworkInfo nw = new();
NetworkInterface iface = NetworkInterface
.GetAllNetworkInterfaces()
.Where(nic => nic.OperationalStatus == OperationalStatus.Up && nic.NetworkInterfaceType != NetworkInterfaceType.Loopback)
.FirstOrDefault();
nw.MacAddress = iface.GetPhysicalAddress().ToString();
nw.ClearIpAddress();
// First attempt to find local ip by connecting ACA
if (string.IsNullOrWhiteSpace(acaAddress)) {
Uri uri = new(acaAddress);
try {
Socket socket = new(AddressFamily.InterNetwork, SocketType.Dgram, 0);
socket.Connect(uri.Host, uri.Port);
IPEndPoint endPoint = socket.LocalEndPoint as IPEndPoint;
nw.IpAddress = endPoint.Address.ToString();
} catch {
Log.Debug("Not connected to the internet. Trying another search.");
}
}
// Second attempt to find local ip by scanning first interface that is up and not a loopback address
if (!nw.HasIpAddress) {
foreach (UnicastIPAddressInformation ip in iface.GetIPProperties().UnicastAddresses) {
if (ip.Address.AddressFamily == AddressFamily.InterNetwork) {
nw.IpAddress = ip.Address.ToString();
break;
}
}
}
// Search for hostname
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) {
nw.Hostname = Dns.GetHostName().ToLower();
string domainName = IPGlobalProperties.GetIPGlobalProperties().DomainName;
if (!string.IsNullOrWhiteSpace(domainName)) {
nw.Hostname = nw.Hostname + "." + domainName;
}
} else if (nw.HasIpAddress) {
nw.Hostname = Dns.GetHostEntry(nw.IpAddress).HostName;
} else {
nw.Hostname = Dns.GetHostName();
}
Log.Debug("Network Info IP: " + nw.IpAddress);
Log.Debug("Network Info MAC: " + nw.MacAddress);
Log.Debug("Network Info Hostname: " + nw.Hostname);
return nw;
}
public OsInfo CollectOsInfo() {
OsInfo info = new();
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) {
info.OsName = OSPlatform.Windows.ToString();
} else if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) {
info.OsName = OSPlatform.Linux.ToString();
} else if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) {
info.OsName = OSPlatform.OSX.ToString();
} else {
info.OsName = RuntimeInformation.OSDescription;
}
info.OsVersion = RuntimeInformation.OSDescription;
info.OsArch = RuntimeInformation.OSArchitecture.ToString();
info.Distribution = RuntimeInformation.FrameworkDescription;
info.DistributionRelease = RuntimeInformation.FrameworkDescription;
Log.Debug("OS Name: " + info.OsName);
Log.Debug("OS Version: " + info.OsVersion);
Log.Debug("Architecture: " + info.OsArch);
Log.Debug("Distribution: " + info.Distribution);
Log.Debug("Distribution Release: " + info.DistributionRelease);
return info;
}
}
}

10
HIRS_Provisioner.NET/hirs/src/deviceInfo/IHirsDeviceInfoCollector.cs Normal file
View File

@ -0,0 +1,10 @@
using Hirs.Pb;
using System;
using System.Collections.Generic;
using System.Text;
namespace hirs {
public interface IHirsDeviceInfoCollector {
DeviceInfo CollectDeviceInfo(string address);
}
}

15
HIRS_Provisioner.NET/hirs/src/provisioner/IHirsProvisioner.cs Normal file
View File

@ -0,0 +1,15 @@
using System;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
namespace hirs {
public interface IHirsProvisioner {
void SetSettings(Settings settings);
void SetCLI(CLI cli);
IHirsAcaTpm ConnectTpm();
void SetClient(IHirsAcaClient clientWithAddress);
void SetDeviceInfoCollector(IHirsDeviceInfoCollector collector);
Task<int> Provision(IHirsAcaTpm tpm);
}
}

296
HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs Normal file
View File

@ -0,0 +1,296 @@
using Google.Protobuf;
using Hirs.Pb;
using Serilog;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.InteropServices;
using System.Threading.Tasks;
namespace hirs {
public class Provisioner : IHirsProvisioner {
private CLI cli = null;
private Settings settings = null;
private IHirsDeviceInfoCollector deviceInfoCollector = null;
private IHirsAcaClient acaClient = null;
public Provisioner() {
}
public Provisioner(Settings settings, CLI cli) {
SetSettings(settings);
SetCLI(cli);
}
public void SetSettings(Settings settings) {
if (settings == null) {
Log.Error("Unknown error. Settings were supposed to have been parsed.");
}
this.settings = settings!;
}
public void SetCLI(CLI cli) {
if (cli == null) {
Log.Error("Unknown error. CLI arguments were supposed to have been parsed.");
}
this.cli = cli;
}
public IHirsAcaTpm ConnectTpm() {
IHirsAcaTpm tpm = null;
// If tpm device type is set on the command line
if (cli.Nix) {
tpm = new CommandTpm(CommandTpm.Devices.NIX);
} else if (cli.Tcp && cli.Ip != null) {
string[] split = cli.Ip.Split(":");
if (split.Length == 2) {
tpm = new CommandTpm(cli.Sim, split[0], Int32.Parse(split[1]));
Log.Debug("Connected to TPM via TCP at " + cli.Ip);
} else {
Log.Error("ip input should have the format servername:port. The given input was '" + cli.Ip + "'.");
}
} else if (cli.Win) {
tpm = new CommandTpm(CommandTpm.Devices.WIN);
}
// If command line not set, check if auto detect is enabled
if ((tpm == null) && settings.IsAutoDetectTpmEnabled()) {
Log.Debug("Auto Detect TPM is Enabled. Starting search for the TPM.");
if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) {
try {
tpm = new CommandTpm(CommandTpm.Devices.WIN);
Log.Debug("Auto Detect found a WIN TPM Device.");
} catch (Exception) {
Log.Debug("No WIN TPM Device found by auto detect.");
}
} else if (RuntimeInformation.IsOSPlatform(OSPlatform.Linux)) {
try {
tpm = new CommandTpm(CommandTpm.Devices.NIX);
Log.Debug("Auto Detect found a Linux TPM Device.");
} catch (Exception) {
Log.Debug("No Linux TPM Device found by auto detect.");
}
}
// if tpm still null, try set up TcpTpmDevice on sim, catch exception
if (tpm == null) {
try {
string[] split = CommandTpm.DefaultSimulatorNamePort.Split(":");
tpm = new CommandTpm(true, split[0], Int32.Parse(split[1]));
Log.Debug("Auto Detect found a TPM simulator at " + CommandTpm.DefaultSimulatorNamePort + ".");
} catch (Exception) {
Log.Debug("No TPM simulator found by auto detect.");
}
}
} else if ((tpm != null) && settings.IsAutoDetectTpmEnabled()) {
Log.Debug("Auto detect TPM was enabled in settings, but command line options were also given. Using command line options.");
}
// If TPM is still not set up, offer help message
if (tpm == null) {
Log.Fatal(
"To connect to a TPM device on Windows, add the command line argument --win\n" +
"To connect to a TPM device on LINUX, add the command line argument --nix\n" +
"To connect to a TPM via TCP, add the command line arguments --tcp <address>:<port>\n" +
"To connect to a TPM simulator at the default TCP socket of " + CommandTpm.DefaultSimulatorNamePort + ", add the command line arguments --tcp --sim\n" +
"To connect to a TPM simulator at any other socket, add the command line arguments --tcp --sim <address>:<port>\n");
}
return tpm;
}
public void UseBuiltInClient(string addr) {
acaClient = new Client(addr);
}
public void SetClient(IHirsAcaClient client) {
acaClient = client;
}
public void UseClassicDeviceInfoCollector() {
deviceInfoCollector = new ClassicDeviceInfoCollector(settings);
}
public void SetDeviceInfoCollector(IHirsDeviceInfoCollector collector) {
if (collector == null) {
UseClassicDeviceInfoCollector();
} else {
deviceInfoCollector = collector;
}
}
public async Task<int> Provision(IHirsAcaTpm tpm) {
ClientExitCodes result = ClientExitCodes.SUCCESS;
if (tpm != null) {
Log.Information("--> Provisioning");
Log.Information("----> Gathering Endorsement Key Certificate.");
byte[] ekc = tpm.GetCertificateFromNvIndex(CommandTpm.DefaultEkcNvIndex);
if (ekc.Length == 0) {
Log.Information("------> No Endorsement Key Certificate found at the expected index. The ACA may have one uploaded for this TPM.");
}
Log.Debug("Checking EK PUBLIC");
tpm.CreateEndorsementKey(CommandTpm.DefaultEkHandle); // Will not create key if obj already exists at handle
byte[] ekPublicArea = tpm.ReadPublicArea(CommandTpm.DefaultEkHandle, out byte[] name, out byte[] qualifiedName);
Log.Information("----> " + (cli.ReplaceAK ? "Creating new" : "Verifying existence of") + " Attestation Key.");
tpm.CreateAttestationKey(CommandTpm.DefaultEkHandle, CommandTpm.DefaultAkHandle, cli.ReplaceAK);
Log.Debug("Gathering AK PUBLIC.");
byte[] akPublicArea = tpm.ReadPublicArea(CommandTpm.DefaultAkHandle, out name, out qualifiedName);
List<byte[]> pcs = null, baseRims = null, supportRimELs = null, supportRimPCRs = null;
if (settings.HasEfiPrefix()) {
Log.Information("----> Gathering artifacts from EFI.");
pcs = settings.gatherPlatformCertificatesFromEFI();
baseRims = settings.gatherRIMBasesFromEFI();
supportRimELs = settings.gatherSupportRIMELsFromEFI();
supportRimPCRs = settings.gatherSupportRIMPCRsFromEFI();
}
Log.Debug("Setting up the Client.");
Uri acaAddress = settings.aca_address_port;
if (acaClient == null) {
UseBuiltInClient(acaAddress.AbsoluteUri);
}
Log.Information("----> Collecting device information.");
DeviceInfo dv = deviceInfoCollector.CollectDeviceInfo(acaAddress.AbsoluteUri);
if (baseRims != null) {
foreach (byte[] baseRim in baseRims) {
dv.Swidfile.Add(ByteString.CopyFrom(baseRim));
}
}
if (supportRimELs != null) {
foreach (byte[] supportRimEL in supportRimELs) {
dv.Logfile.Add(ByteString.CopyFrom(supportRimEL));
}
}
if (supportRimPCRs != null) {
foreach (byte[] supportRimPCR in supportRimPCRs) {
dv.Logfile.Add(ByteString.CopyFrom(supportRimPCR));
}
}
Log.Debug("Gathering hardware component information:");
string manifest = "";
if (settings.HasHardwareManifestPlugins()) {
manifest = settings.RunHardwareManifestCollectors();
} else if (settings.HasPaccorOutputFromFile()) {
manifest = settings.paccor_output;
} else {
Log.Warning("No hardware collectors nor paccor output file were identified.");
}
Log.Debug("Hardware component information that will be sent to the ACA: " + manifest);
Log.Debug("Gathering the event log.");
byte[] eventLog;
if (settings.HasEventLogFromFile()) {
Log.Debug(" Using the event log identified in settings.");
eventLog = settings.event_log;
} else {
Log.Debug(" Attempting to collect the event log from the system.");
eventLog = tpm.GetEventLog();
}
if (eventLog != null) {
Log.Debug("Event log gathered is " + eventLog.Length + " bytes.");
dv.Livelog = ByteString.CopyFrom(eventLog);
}
Log.Debug("Gathering PCR data from the TPM.");
string pcrsList, pcrsSha1, pcrsSha256;
CommandTpm.FormatPcrValuesForAca(tpm.GetPcrList(Tpm2Lib.TpmAlgId.Sha1), "sha1", out pcrsSha1);
CommandTpm.FormatPcrValuesForAca(tpm.GetPcrList(Tpm2Lib.TpmAlgId.Sha256), "sha256", out pcrsSha256);
pcrsList = pcrsSha1 + pcrsSha256;
Log.Debug("Result of formatting pcr values for the ACA:");
Log.Debug("\n" + pcrsList);
dv.Pcrslist = ByteString.CopyFromUtf8(pcrsList);
Log.Debug("Create identity claim");
IdentityClaim idClaim = acaClient.CreateIdentityClaim(dv, akPublicArea, ekPublicArea, ekc, pcs, manifest);
Log.Information("----> Sending identity claim to Attestation CA");
IdentityClaimResponse icr = await acaClient.PostIdentityClaim(idClaim);
Log.Information("----> Received response. Attempting to decrypt nonce");
if (icr.HasStatus) {
if (icr.Status == ResponseStatus.Pass) {
Log.Debug("The ACA accepted the identity claim.");
} else {
Log.Debug("The ACA did not accept the identity claim. See details on the ACA.");
result = ClientExitCodes.PASS_1_STATUS_FAIL;
return (int)result;
}
}
byte[] integrityHMAC = null, encIdentity = null, encryptedSecret = null;
if (icr.HasCredentialBlob) {
byte[] credentialBlob = icr.CredentialBlob.ToByteArray(); // look for the nonce
Log.Debug("ACA delivered IdentityClaimResponse credentialBlob " + BitConverter.ToString(credentialBlob));
int credentialBlobLen = credentialBlob[0] | (credentialBlob[1] << 8);
int integrityHmacLen = (credentialBlob[2] << 8) | credentialBlob[3];
integrityHMAC = new byte[integrityHmacLen];
Array.Copy(credentialBlob, 4, integrityHMAC, 0, integrityHmacLen);
int encIdentityLen = credentialBlobLen - integrityHmacLen - 2;
encIdentity = new byte[encIdentityLen];
Array.Copy(credentialBlob, 4 + integrityHmacLen, encIdentity, 0, encIdentityLen);
// The following offsets are bound tightly to the way makecredential is implemented on the ACA.
int encryptedSecretLen = credentialBlob[134] | (credentialBlob[135] << 8);
encryptedSecret = new byte[encryptedSecretLen];
Array.Copy(credentialBlob, 136, encryptedSecret, 0, encryptedSecretLen);
Log.Debug("Prepared values to give to activateCredential.");
Log.Debug(" integrityHMAC: " + BitConverter.ToString(integrityHMAC));
Log.Debug(" encIdentity: " + BitConverter.ToString(encIdentity));
Log.Debug(" encryptedSecret: " + BitConverter.ToString(encryptedSecret));
} else {
result = ClientExitCodes.MAKE_CREDENTIAL_BLOB_MALFORMED;
Log.Error("The response from the ACA did not contain a CredentialBlob.");
}
if (integrityHMAC != null && encIdentity != null && encryptedSecret != null) {
Log.Debug("Executing activateCredential.");
byte[] recoveredSecret = tpm.ActivateCredential(CommandTpm.DefaultAkHandle, CommandTpm.DefaultEkHandle, integrityHMAC, encIdentity, encryptedSecret);
Log.Debug("Gathering quote.");
uint[] selectPcrs = null;
if (icr.HasPcrMask) {
// For now, the ACA will send a comma separated selection of PCRs as a string
try {
selectPcrs = icr.PcrMask.Split(',').Select(uint.Parse).ToList().ToArray();
} catch (Exception) {
Log.Warning("PcrMask was included in the IdentityClaimResponse, but could not be parsed." +
"Collecting quote over default PCR selection.");
Log.Debug("This PcrMask could not be parsed: " + icr.PcrMask);
}
}
tpm.GetQuote(CommandTpm.DefaultAkHandle, Tpm2Lib.TpmAlgId.Sha256, recoveredSecret, out CommandTpmQuoteResponse ctqr, selectPcrs);
Log.Information("----> Nonce successfully decrypted. Sending attestation certificate request");
CertificateRequest akCertReq = acaClient.CreateAkCertificateRequest(recoveredSecret, ctqr);
byte[] certificate;
Log.Debug("Communicate certificate request to the ACA.");
CertificateResponse cr = await acaClient.PostCertificateRequest(akCertReq);
Log.Debug("Response received from the ACA regarding the certificate request.");
if (cr.HasStatus) {
if (cr.Status == ResponseStatus.Pass) {
Log.Debug("ACA returned a positive response to the Certificate Request.");
} else {
Log.Debug("The ACA did not return any certificates. See details on the ACA.");
result = ClientExitCodes.PASS_2_STATUS_FAIL;
return (int)result;
}
}
if (cr.HasCertificate) {
certificate = cr.Certificate.ToByteArray(); // contains certificate
Log.Debug("Printing attestation key certificate: " + BitConverter.ToString(certificate));
}
} else {
result = ClientExitCodes.MAKE_CREDENTIAL_BLOB_MALFORMED;
Log.Error("Credential elements could not be extracted from the ACA's response.");
}
} else {
result = ClientExitCodes.TPM_ERROR;
Log.Error("Could not provision because the TPM object was null.");
}
return (int)result;
}
}
}

497
HIRS_Provisioner.NET/hirs/src/tpm/CommandTpm.cs Normal file
View File

@ -0,0 +1,497 @@
using Serilog;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Tpm2Lib;
namespace hirs {
public class CommandTpm : IHirsAcaTpm {
public enum Devices {
NIX,
TCP,
WIN
}
/// <summary>
/// If using a TCP connection, the default DNS name/IP address for the
/// simulator.
/// </summary>
public const string DefaultSimulatorNamePort = "127.0.0.1:2321";
public const uint DefaultEkcNvIndex = 0x1c00002;
public const uint DefaultEkHandle = 0x81010001;
public const uint DefaultAkHandle = 0x81010002;
private readonly Tpm2 tpm;
private readonly Boolean simulator;
private List<AuthSession> sessionTracking = new List<AuthSession>();
/**
* For TCP TpmDevices
*/
public CommandTpm(Boolean sim, string ip, int port) {
simulator = sim;
Tpm2Device tpmDevice = new TcpTpmDevice(ip, port);
tpm = TpmSetupByType(tpmDevice);
}
/**
* For a TPM device on Linux and Windows
*/
public CommandTpm(Devices dev) {
Tpm2Device tpmDevice = null;
switch (dev) {
case Devices.NIX:
// LinuxTpmDevice will first try to connect tpm2-abrmd and second try to connect directly to device
StringWriter writer = new();
Console.SetOut(writer);
// The LinuxTpmDevice will print to Console/Stdout an error when it cannot find a resource manager
// This will redirect the Console messages
tpmDevice = new LinuxTpmDevice();
// Reset the Console messages
Console.SetOut(new StreamWriter(Console.OpenStandardOutput()));
break;
case Devices.WIN:
tpmDevice = new TbsDevice();
break;
default:
Log.Error("Unknown option selected in CommandTpm(Devices) constructor.");
break;
}
tpm = TpmSetupByType(tpmDevice);
}
public CommandTpm(Tpm2 tpm) {
this.tpm = tpm;
}
~CommandTpm() {
if (tpm != null) {
tpm.Dispose();
}
}
public byte[] GetCertificateFromNvIndex(uint index) {
Log.Debug("GetCertificateFromNvIndex 0x" + index.ToString("X"));
byte[] certificate = Array.Empty<byte>();
TpmHandle nvHandle = new(index);
try {
byte[] nvName; // not used for this function. have to collect from NvReadPublic.
NvPublic obj = tpm.NvReadPublic(nvHandle, out nvName);
if (obj != null) {
byte[] indexData = NvBufferedRead(TpmHandle.RhOwner, nvHandle, obj.dataSize, 0);
if (indexData != null) {
certificate = ExtractFirstCertificate(indexData); // the nvIndex could contain random fill around the certificate
if (certificate != null) {
Log.Debug("GetCertificateFromNvIndex: Read: " + BitConverter.ToString(certificate));
} else {
Log.Debug("GetCertificateFromNvIndex: No certificate found within data at index.");
}
} else {
Log.Debug("GetCertificateFromNvIndex: Could not read any data.");
}
} else {
Log.Debug("GetCertificateFromNvIndex: Nothing found at index: " + DefaultEkcNvIndex);
}
} catch (TpmException e) {
Log.Debug(e, "GetCertificateFromNvIndex TPM error");
}
return certificate;
}
private byte[] NvBufferedRead(TpmHandle authHandle, TpmHandle nvIndex, ushort size, ushort offset) {
ushort maxReadSize = 256;
byte[] buffer = new byte[size];
ushort ptr = 0;
while (offset < size) {
int q = Math.DivRem(size - offset, maxReadSize, out int r);
ushort sizeToRead = q > 0 ? maxReadSize : (ushort)r;
byte[] block = tpm.NvRead(authHandle, nvIndex, sizeToRead, offset);
Array.Copy(block, 0, buffer, ptr, sizeToRead);
offset += sizeToRead;
ptr += sizeToRead;
}
return buffer;
}
private static byte[] ExtractFirstCertificate(byte[] data) {
byte[] extracted = null;
if (data != null) {
// search for first instance of 30 82
int pos = 0;
bool found = false;
while (pos < (data.Length - 1)) {
if (data[pos] == 0x30) {
if (data[pos + 1] == 0x82) {
found = true;
break;
}
}
pos++;
}
// find the size of the structure.
// 30 82 means the size will be described in next 2 bytes
// Data from NV should be BIG ENDIAN since 3082 was found in step 1.
int size = 0;
if (found && data.Length > (pos + 3)) {
byte[] sizeBuffer = new byte[2];
sizeBuffer[0] = data[pos + 3];
sizeBuffer[1] = data[pos + 2];
size = 4 + BitConverter.ToInt16(sizeBuffer); // 4 bytes added to final count for pos+3
}
// copy the structure to the output buffer
if (size > 0) {
extracted = new byte[size];
Array.Copy(data, pos, extracted, 0, size);
}
}
return extracted;
}
// allows client to access the readpublic function
public TpmPublic ReadPublicArea(uint handleInt, out byte[] name, out byte[] qualifiedName) {
TpmHandle handle = new(handleInt);
TpmPublic obj = null;
name = null;
qualifiedName = null;
try {
obj = tpm.ReadPublic(handle, out byte[] localName, out byte[] localQualifiedName);
name = localName;
qualifiedName = localQualifiedName;
} catch {
// Don't think I need an exception here. Let the calling method throw if needed.
}
return obj;
}
public static TpmPublic GenerateEKTemplateL1() {
TpmAlgId nameAlg = TpmAlgId.Sha256;
ObjectAttr attributes = ObjectAttr.FixedTPM | ObjectAttr.FixedParent | ObjectAttr.SensitiveDataOrigin | ObjectAttr.AdminWithPolicy | ObjectAttr.Restricted | ObjectAttr.Decrypt;
byte[] auth_policy = { // Template L-1
0x83, 0x71, 0x97, 0x67, 0x44, 0x84,
0xB3, 0xF8, 0x1A, 0x90, 0xCC, 0x8D,
0x46, 0xA5, 0xD7, 0x24, 0xFD, 0x52,
0xD7, 0x6E, 0x06, 0x52, 0x0B, 0x64,
0xF2, 0xA1, 0xDA, 0x1B, 0x33, 0x14,
0x69, 0xAA
};
// ASYM: RSA 2048 with NULL scheme, SYM: AES-128 with CFB mode
RsaParms rsa = new(new SymDefObject(TpmAlgId.Aes, 128, TpmAlgId.Cfb), new NullAsymScheme(), 2048, 0);
// unique buffer must be filled with 0 for the EK Template L-1.
byte[] zero256 = new byte[256];
Array.Fill<byte>(zero256, 0x00);
Tpm2bPublicKeyRsa unique = new(zero256);
TpmPublic inPublic = new(nameAlg, attributes, auth_policy, rsa, unique);
return inPublic;
}
public void CreateEndorsementKey(uint ekHandleInt) {
TpmHandle ekHandle = new(ekHandleInt);
TpmPublic existingObject;
try {
existingObject = tpm.ReadPublic(ekHandle, out byte[] name, out byte[] qualifiedName);
Log.Debug("EK already exists.");
return;
} catch (TpmException) {
Log.Debug("Verified EK does not exist at expected handle. Creating EK.");
}
SensitiveCreate inSens = new(); // key password (no params = no key password)
TpmPublic inPublic = CommandTpm.GenerateEKTemplateL1();
TpmHandle newTransientEkHandle = tpm.CreatePrimary(TpmRh.Endorsement, inSens, inPublic,
new byte[] { }, new PcrSelection[] { }, out TpmPublic outPublic,
out CreationData creationData, out byte[] creationHash, out TkCreation ticket);
Log.Debug("New EK Handle: " + BitConverter.ToString(newTransientEkHandle));
Log.Debug("New EK PUB Name: " + BitConverter.ToString(outPublic.GetName()));
Log.Debug("New EK PUB 2BREP: " + BitConverter.ToString(outPublic.GetTpm2BRepresentation()));
// Make the object persistent
tpm.EvictControl(TpmRh.Owner, newTransientEkHandle, ekHandle);
Log.Debug("Successfully made the new EK persistent at handle " + BitConverter.ToString(ekHandle) + ".");
tpm.FlushContext(newTransientEkHandle);
Log.Debug("Flushed the context for the transient EK.");
}
private static RsaParms AkRsaParms() {
TpmAlgId digestAlg = TpmAlgId.Sha256;
RsaParms parms = new(new SymDefObject(TpmAlgId.Null, 0, TpmAlgId.Null), new SchemeRsassa(digestAlg), 2048, 0);
return parms;
}
private static ObjectAttr AkAttributes() {
ObjectAttr attrib = ObjectAttr.Restricted | ObjectAttr.Sign | ObjectAttr.FixedParent | ObjectAttr.FixedTPM
| ObjectAttr.SensitiveDataOrigin | ObjectAttr.UserWithAuth;
return attrib;
}
private static TpmPublic GenerateAKTemplate(TpmAlgId nameAlg) {
RsaParms rsa = AkRsaParms();
ObjectAttr attributes = AkAttributes();
TpmPublic inPublic = new(nameAlg, attributes, null, rsa, new Tpm2bPublicKeyRsa());
return inPublic;
}
public void CreateAttestationKey(uint ekHandleInt, uint akHandleInt, bool replace) {
TpmHandle ekHandle = new(ekHandleInt);
TpmHandle akHandle = new(akHandleInt);
TpmPublic existingObject = null;
try {
existingObject = tpm.ReadPublic(akHandle, out byte[] name, out byte[] qualifiedName);
} catch { }
if (!replace && existingObject != null) {
// Do Nothing
Log.Debug("AK exists at expected handle. Flag to not replace the AK is set in the settings file.");
return;
} else if (replace && existingObject != null) {
// Clear the object and continue
tpm.EvictControl(TpmRh.Owner, akHandle, akHandle);
Log.Debug("Removed previous AK.");
}
// Create a new key and make it persistent at akHandle
TpmAlgId nameAlg = TpmAlgId.Sha256;
SensitiveCreate inSens = new();
TpmPublic inPublic = GenerateAKTemplate(nameAlg);
var policyEK = new PolicyTree(nameAlg);
policyEK.SetPolicyRoot(new TpmPolicySecret(TpmRh.Endorsement, false, 0, null, null));
AuthSession sessEK = tpm.StartAuthSessionEx(TpmSe.Policy, nameAlg);
sessEK.RunPolicy(tpm, policyEK);
TpmPrivate kAK = tpm[sessEK].Create(ekHandle, inSens, inPublic, null, null, out TpmPublic outPublic,
out CreationData creationData, out byte[] creationHash, out TkCreation ticket);
Log.Debug("New AK PUB Name: " + BitConverter.ToString(outPublic.GetName()));
Log.Debug("New AK PUB 2BREP: " + BitConverter.ToString(outPublic.GetTpm2BRepresentation()));
Log.Debug("New AK PUB unique: " + BitConverter.ToString((Tpm2bPublicKeyRsa)(outPublic.unique)));
tpm.FlushContext(sessEK);
sessEK = tpm.StartAuthSessionEx(TpmSe.Policy, nameAlg);
sessEK.RunPolicy(tpm, policyEK);
TpmHandle hAK = tpm[sessEK].Load(ekHandle, kAK, outPublic);
tpm.EvictControl(TpmRh.Owner, hAK, akHandle);
Log.Debug("Created and persisted new AK at handle 0x" + akHandle.handle.ToString("X") + ".");
tpm.FlushContext(sessEK);
}
public Tpm2bDigest[] GetPcrList(TpmAlgId pcrBankDigestAlg, uint[] pcrs = null) {
if (pcrs == null) {
pcrs = new uint[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 };
}
Log.Debug("Retrieving PCR LIST for pcrs: " + string.Join(",", pcrs));
PcrSelection[] pcrSelection = new PcrSelection[] {
new PcrSelection(pcrBankDigestAlg, pcrs, (uint)pcrs.Length)
};
Tpm2bDigest[] pcrValues = MultiplePcrRead(pcrSelection[0]);
return pcrValues;
}
// qualifying data hashed with SHA256, quote set to use RSASSA scheme with SHA256-- TODO: enable usage of ECC and other digest alg
// if no pcrs are requested (parameter pcrs == null), all pcrs wil be returned. The function does not check if any pcr is available before asking for the quote
public void GetQuote(uint akHandleInt, TpmAlgId pcrBankDigestAlg, byte[] nonce, out CommandTpmQuoteResponse ctqr, uint[] pcrs = null) {
TpmHandle akHandle = new(akHandleInt);
if (pcrs == null) {
pcrs = new uint[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 };
}
Log.Debug("Retrieving TPM quote for pcrs: " + string.Join(",", pcrs));
PcrSelection[] pcrSelection = new PcrSelection[] {
new PcrSelection(pcrBankDigestAlg, pcrs, (uint)pcrs.Length)
};
// for test only
TpmHash qualifyingData = TpmHash.FromData(TpmAlgId.Sha256, nonce);
Attest localQuotedInfo = tpm.Quote(akHandle, qualifyingData, new SchemeRsassa(TpmAlgId.Sha256), pcrSelection, out ISignatureUnion localQuoteSig);
Tpm2bDigest[] localPcrValues = MultiplePcrRead(pcrSelection[0]);
TpmPublic pub = tpm.ReadPublic(akHandle, out byte[] name, out byte[] qualifiedName);
bool verified = pub.VerifyQuote(TpmAlgId.Sha256, pcrSelection, localPcrValues, qualifyingData, localQuotedInfo, localQuoteSig, qualifiedName);
Log.Debug("Quote " + (verified ? "was" : "was not") + " verified.");
ctqr = null;
if (verified) {
ctqr = new CommandTpmQuoteResponse(localQuotedInfo, localQuoteSig, localPcrValues);
}
}
public Tpm2bDigest[] MultiplePcrRead(PcrSelection pcrs) {
if (pcrs == null) {
return Array.Empty<Tpm2bDigest>();
}
List<Tpm2bDigest> pcrValues = new();
const int MAX_NUM_PCRS_PER_READ = 8; // anticipate TPM has a limit on the number of PCRs read at a time
Queue<uint> selectedPcrs = new(pcrs.GetSelectedPcrs());
while (selectedPcrs.Count() > 0) {
int numPcrsToRead = (selectedPcrs.Count > MAX_NUM_PCRS_PER_READ) ? MAX_NUM_PCRS_PER_READ : selectedPcrs.Count;
List<uint> subset = new();
for (int i = 0; i < numPcrsToRead; i++) {
subset.Add(selectedPcrs.Dequeue());
}
PcrSelection selection = new(pcrs.hash, subset.ToArray());
PcrSelection[] pcrsIn = { // Need to wrap into an array
selection
};
uint count = tpm.PcrRead(pcrsIn, out PcrSelection[] pcrsOut, out Tpm2bDigest[] pcrValuesRetrieved); // TODO incorporate check on count to handle race condition
if (pcrValuesRetrieved != null && pcrValuesRetrieved.Length > 0) {
pcrValues.AddRange(pcrValuesRetrieved);
}
}
return pcrValues.ToArray();
}
public byte[] ActivateCredential(uint akHandleInt, uint ekHandleInt, byte[] integrityHMAC, byte[] encIdentity, byte[] encryptedSecret) {
byte[] recoveredSecret;
TpmHandle ekHandle = new(ekHandleInt);
TpmHandle akHandle = new(akHandleInt);
IdObject credentialBlob = new(integrityHMAC, encIdentity);
TpmAlgId nameAlg = TpmAlgId.Sha256;
var policyEK = new PolicyTree(nameAlg);
policyEK.SetPolicyRoot(new TpmPolicySecret(TpmRh.Endorsement, false, 0, null, null));
AuthSession sessEK = tpm.StartAuthSessionEx(TpmSe.Policy, nameAlg);
sessEK.RunPolicy(tpm, policyEK);
AuthSession sessAK = tpm.StartAuthSessionEx(TpmSe.None, nameAlg);
recoveredSecret = tpm[sessAK, sessEK].ActivateCredential(akHandle, ekHandle, credentialBlob, encryptedSecret);
Log.Debug("encryptedSecret: " + BitConverter.ToString(encryptedSecret));
tpm.FlushContext(sessEK);
tpm.FlushContext(sessAK);
return recoveredSecret;
}
public byte[] GetEventLog() {
byte[] eventLog = null;
if (tpm._GetUnderlyingDevice().GetType() == typeof(TbsDevice)) { // if windows TPM
if (!TbsWrapper.GetEventLog(out eventLog)) {
eventLog = null;
Log.Debug("Could not retrieve the event log from Tbsi");
}
}
if (eventLog == null) {
if (tpm._GetUnderlyingDevice().GetType() == typeof(TcpTpmDevice) && RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) { // if TCP TPM on Windows
// attempt to read from the measuredboot log folder
string windir = System.Environment.GetEnvironmentVariable("windir");
string path = windir + "\\Logs\\MeasuredBoot\\";
DirectoryInfo directory = new(path);
FileInfo mostRecent = directory.GetFiles()
.OrderByDescending(f => f.LastWriteTime)
.FirstOrDefault();
if (mostRecent != null && File.Exists(mostRecent.FullName)) {
eventLog = File.ReadAllBytes(mostRecent.FullName);
} else {
Log.Debug("Windows boot configuration log does not exist at expected location");
}
} else if (tpm._GetUnderlyingDevice().GetType() == typeof(LinuxTpmDevice) || (tpm._GetUnderlyingDevice().GetType() == typeof(TcpTpmDevice) && RuntimeInformation.IsOSPlatform(OSPlatform.Linux))) { // if Linux TPM or TCP TPM on Linux
// attempt to read from the binary_bios_measurements file created by the kernel
string path = "/sys/kernel/security/tpm0/binary_bios_measurements";
if (File.Exists(path)) {
eventLog = File.ReadAllBytes(path);
} else {
Log.Debug("Linux bios measurements log does not exist at expected location");
}
}
}
return eventLog;
}
private Tpm2 TpmSetupByType(Tpm2Device tpmDevice) {
try {
tpmDevice.Connect();
} catch (AggregateException e) {
Log.Error(e, "tpmSetupByType: Error connecting to tpmDevice");
throw e;
}
Tpm2 tpm = new(tpmDevice);
if (tpmDevice is TcpTpmDevice) {
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
if (simulator) {
uint rc = 0;
try {
rc = tpm.PcrRead(new PcrSelection[] { new PcrSelection(TpmAlgId.Sha1, new uint[] { 0 }) }, out _, out _);
} catch (TpmException e) {
if (e.RawResponse == TpmRc.Initialize) {
Log.Debug("TPM simulator not initialized. Running startup with clear.");
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
} else {
Log.Debug("TPM simulator already initialized. Skipping TPM2_Startup.");
}
}
}
} else if (tpmDevice is TbsDevice) {
/**
* For device TPMs on Windows, we have to use Windows Identity
*/
// ask windows for owner auth
byte[] ownerAuth;
if (TbsWrapper.GetOwnerAuthFromOS(out ownerAuth)) {
// if found, ownerauth will be delivered with the tpm object
tpm.OwnerAuth = ownerAuth;
} else {
Log.Warning("Could not retrieve owner auth from registry. Trying empty auth.");
}
} else if (tpmDevice is LinuxTpmDevice) {
}
return tpm;
}
//TODO Fix ACA so that I don't have to re-format data in this way
public static void FormatPcrValuesForAca(Tpm2bDigest[] pcrValues, string algName, out string pcrValuesStr) {
pcrValuesStr = "";
if (pcrValues != null && pcrValues.Length > 0) {
pcrValuesStr = algName + " :\n";
}
for (int i = 0; i < pcrValues.Length; i++) {
Tpm2bDigest pcrValue = pcrValues[i];
pcrValuesStr += " " + i;
pcrValuesStr += ((i > 9) ? " " : " ") + ": ";
pcrValuesStr += BitConverter.ToString(pcrValue.buffer).Replace("-", "").ToLower().Trim() + "\n";
}
}
}
}

30
HIRS_Provisioner.NET/hirs/src/tpm/CommandTpmQuoteResponse.cs Normal file
View File

@ -0,0 +1,30 @@
using System;
using System.Collections.Generic;
using System.Text;
using Tpm2Lib;
namespace hirs {
public class CommandTpmQuoteResponse : Tpm2QuoteResponse {
private readonly Attest quoted1;
private readonly ISignatureUnion signature1;
private readonly Tpm2bDigest[] pcrValues1;
public CommandTpmQuoteResponse(Attest quoted, ISignatureUnion signature, Tpm2bDigest[] pcrValues) {
quoted1 = quoted;
signature1 = signature;
pcrValues1 = pcrValues != null ? (Tpm2bDigest[])pcrValues.Clone() : null;
}
public new Attest quoted => quoted1;
public new ISignatureUnion signature => signature1;
public Tpm2bDigest[] pcrValues => pcrValues1;
//TODO Fix ACA so that I don't have to re-format data in this way
public static void formatQuoteInfoSigForAca(Attest quoteInfo, ISignatureUnion quoteSig, out string quoteInfoSigStr) {
quoteInfoSigStr = "quoted:";
quoteInfoSigStr += BitConverter.ToString(quoteInfo.GetTpm2BRepresentation()).Replace("-", "").ToLower().Trim();
quoteInfoSigStr += "signature:";
quoteInfoSigStr += BitConverter.ToString(((SignatureRsassa)quoteSig).GetTpm2BRepresentation()).Replace("-", "").ToLower().Trim();
}
}
}

18
HIRS_Provisioner.NET/hirs/src/tpm/IHirsAcaTpm.cs Normal file
View File

@ -0,0 +1,18 @@
using System;
using System.Collections.Generic;
using System.Text;
using Tpm2Lib;
namespace hirs {
public interface IHirsAcaTpm {
byte[] GetCertificateFromNvIndex(uint index);
TpmPublic ReadPublicArea(uint handleInt, out byte[] name, out byte[] qualifiedName);
void CreateEndorsementKey(uint ekHandleInt);
void CreateAttestationKey(uint ekHandleInt, uint akHandleInt, bool replace);
Tpm2bDigest[] GetPcrList(TpmAlgId pcrBankDigestAlg, uint[] pcrs = null);
void GetQuote(uint akHandleInt, TpmAlgId pcrBankDigestAlg, byte[] nonce, out CommandTpmQuoteResponse ctqr, uint[] pcrs = null);
byte[] ActivateCredential(uint akHandleInt, uint ekHandleInt, byte[] integrityHMAC, byte[] encIdentity, byte[] encryptedSecret);
byte[] GetEventLog();
}
}

37
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/appsettings.json Normal file
View File

@ -0,0 +1,37 @@
{
"auto_detect_tpm": "FALSE",
"aca_address_port": "https://127.0.0.1:8443",
"efi_prefix": "./Resources/test/settings_test/efi/",
"paccor_output_file": "./Resources/test/settings_test/component_list",
"event_log_file": "./Resources/test/settings_test/event_log",
"hardware_manifest_collectors": "",
"Serilog": {
"Using": [ "Serilog.Sinks.Console", "Serilog.Sinks.File" ],
"Enrich": [ "FromLogContext", "WithMachineName", "WithProcessId", "WithThreadId" ],
"MinimumLevel": {
"Default": "Debug",
"Override": {
"Microsoft": "Warning",
"System": "Warning"
}
},
"WriteTo": [
{
"Name": "Console",
"Args": {
"outputTemplate": "[{Timestamp:HH:mm:ss} {SourceContext} [{Level}] {Message}{NewLine}{Exception}",
"theme": "Serilog.Sinks.SystemConsole.Themes.SystemConsoleTheme::Grayscale, Serilog.Sinks.Console"
}
},
{
"Name": "File",
"Args": {
"path": "hirs.log",
"rollingInterval": "Day",
"retainedFileCountLimit": 5
}
}
]
}
}

1
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/component_list Normal file
View File

@ -0,0 +1 @@
component list

1
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/efi/boot/tcg/cert/Mfg.Serial.BASE.cer Normal file
View File

@ -0,0 +1 @@
Base Platform Cert Serial

1
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/efi/boot/tcg/cert/platform/Mfg.Serial.ver2.base.cer Normal file
View File

@ -0,0 +1 @@
Delta Platform Certificate Serial

1
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/efi/boot/tcg/manifest/rim/Mfg.Model.1.rimel Normal file
View File

@ -0,0 +1 @@
RIM EL Model 1

1
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/efi/boot/tcg/manifest/rim/Mfg.Model.1.rimpcr Normal file
View File

@ -0,0 +1 @@
RIM PCR Model 1

1
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/efi/boot/tcg/manifest/swidtag/Mfg.Model.1.swidtag Normal file
View File

@ -0,0 +1 @@
RIM Swidtag Model 1

0
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/efi/boot/tcg/other/notread.base.pem Normal file
View File

0
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/efi/boot/tcg/other/notread.delta.cer Normal file
View File

0
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/efi/boot/tcg/other/notread.rimel Normal file
View File

0
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/efi/boot/tcg/other/notread.rimpcr Normal file
View File

0
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/efi/boot/tcg/other/notread.swidtag Normal file
View File

1
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/efi/boot/tcg/pccert/Mfg.Model.ver1.delta.pem Normal file
View File

@ -0,0 +1 @@
Delta Platform Certificiate Model

1
HIRS_Provisioner.NET/hirsTest/Resources/test/settings_test/event_log Normal file
View File

@ -0,0 +1 @@
event log

38
HIRS_Provisioner.NET/hirsTest/hirsTest.csproj Normal file
View File

@ -0,0 +1,38 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net6.0</TargetFramework>
<IsPackable>false</IsPackable>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="FakeItEasy" Version="7.3.1" />
<PackageReference Include="FakeItEasy.Analyzer.CSharp" Version="6.1.0">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
</PackageReference>
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.1.0" />
<PackageReference Include="coverlet.collector" Version="3.1.2">
<PrivateAssets>all</PrivateAssets>
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
</PackageReference>
<PackageReference Include="NUnit" Version="3.13.3" />
<PackageReference Include="NUnit.Analyzers" Version="3.3.0" />
<PackageReference Include="NUnit3TestAdapter" Version="4.2.1" />
</ItemGroup>
<ItemGroup>
<Content Include="Resources\**">
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
</Content>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\hirs\HIRS_Provisioner.NET.csproj" />
</ItemGroup>
<ProjectExtensions><VisualStudio><UserProperties resources_4settings_3test_4appsettings_1json__JsonSchema="" /></VisualStudio></ProjectExtensions>
</Project>

53
HIRS_Provisioner.NET/hirsTest/src/client/ClientTests.cs Normal file
View File

@ -0,0 +1,53 @@
using hirs;
using Hirs.Pb;
using NUnit.Framework;
using System.Collections.Generic;
using System.Text;
using Tpm2Lib;
namespace hirsTest {
public class ClientTests {
public static readonly string localhost = "https://127.0.0.1:8443/";
[Test]
public void TestCreateIdentityClaim() {
IHirsAcaClient client = new Client(ClientTests.localhost);
DeviceInfo dv = new DeviceInfo();
byte[] akPub = new byte[] { };
byte[] ekPub = new byte[] { };
byte[] ekc = new byte[] { };
List<byte[]> pcs = new List<byte[]>();
pcs.Add(new byte[] { });
string componentList= "";
IdentityClaim obj = client.CreateIdentityClaim(dv, akPub, ekPub, ekc, pcs, componentList);
Assert.Multiple(() => {
Assert.That(obj.Dv, Is.Not.Null);
Assert.That(obj.HasAkPublicArea, Is.True);
Assert.That(obj.HasEkPublicArea, Is.True);
Assert.That(obj.HasEndorsementCredential, Is.True);
Assert.That(obj.PlatformCredential, Has.Count.EqualTo(1));
Assert.That(obj.HasPaccorOutput, Is.True);
});
}
[Test]
public void TestCreateAkCertificateRequest() {
IHirsAcaClient client = new Client(ClientTests.localhost);
byte[] secret = Encoding.UTF8.GetBytes("secret");
Attest quoted = new Attest(Generated.None, Encoding.UTF8.GetBytes("QUALIFIED SIGNER"), Encoding.UTF8.GetBytes("EXTRA DATA"), new ClockInfo(0, 0, 0, 0), 0, new QuoteInfo());
ISignatureUnion signature = new SignatureRsassa();
Tpm2bDigest[] pcrValues = new Tpm2bDigest[] { new Tpm2bDigest(Encoding.UTF8.GetBytes("SHA1 DIGEST1")) };
CommandTpmQuoteResponse ctqr = new CommandTpmQuoteResponse(quoted, signature, pcrValues);
CertificateRequest obj = client.CreateAkCertificateRequest(secret, ctqr);
Assert.Multiple(() => {
Assert.That(obj.HasNonce, Is.True);
Assert.That(obj.HasQuote, Is.True);
});
}
}
}

59
HIRS_Provisioner.NET/hirsTest/src/config/SettingsTests.cs Normal file
View File

@ -0,0 +1,59 @@
using hirs;
using NUnit.Framework;
using System.Collections.Generic;
using System.Text;
namespace hirsTest {
public class SettingsTests {
[Test]
public void TestConstructorWithAppsettings() {
Settings settings = Settings.LoadSettingsFromFile("./Resources/test/settings_test/appsettings.json");
settings.SetUpLog();
settings.CompleteSetUp();
Assert.Multiple(() => {
Assert.That(settings.IsAutoDetectTpmEnabled(), Is.False);
Assert.That(settings.HasAcaAddress(), Is.True);
Assert.That(settings.aca_address_port.ToString(), Is.EqualTo("https://127.0.0.1:8443/"));
Assert.That(settings.HasEfiPrefix(), Is.True);
Assert.That(settings.HasPaccorOutputFromFile(), Is.True);
Assert.That(settings.HasEventLogFromFile(), Is.True);
});
const string baseSerial = "Base Platform Cert Serial\n";
const string deltaSerial = "Delta Platform Certificate Serial\n";
const string deltaModel = "Delta Platform Certificiate Model\n";
const string swidtagModel = "RIM Swidtag Model 1\n";
const string rimelModel = "RIM EL Model 1\n";
const string rimpcrModel = "RIM PCR Model 1\n";
const string eventLogModel = "event log\n";
const string componentList = "component list\n";
string paccorOutput = settings.paccor_output;
List<byte[]> platformCerts = settings.gatherPlatformCertificatesFromEFI();
List<byte[]> rims = settings.gatherRIMBasesFromEFI();
List<byte[]> rimELs = settings.gatherSupportRIMELsFromEFI();
List<byte[]> rimPCRs = settings.gatherSupportRIMPCRsFromEFI();
byte[] eventLog = settings.event_log;
//Assert.Multiple(() => {
Assert.That(paccorOutput, Is.EqualTo(componentList));
Assert.That(platformCerts, Has.Count.EqualTo(3));
Assert.That(platformCerts[0], Is.EqualTo(Encoding.ASCII.GetBytes(baseSerial)));
Assert.That(platformCerts[1], Is.EqualTo(Encoding.ASCII.GetBytes(deltaSerial)));
Assert.That(platformCerts[2], Is.EqualTo(Encoding.ASCII.GetBytes(deltaModel)));
Assert.That(rims, Has.Count.EqualTo(1));
Assert.That(rims[0], Is.EqualTo(Encoding.ASCII.GetBytes(swidtagModel)));
Assert.That(rimELs, Has.Count.EqualTo(1));
Assert.That(rimELs[0], Is.EqualTo(Encoding.ASCII.GetBytes(rimelModel)));
Assert.That(rimPCRs, Has.Count.EqualTo(1));
Assert.That(rimPCRs[0], Is.EqualTo(Encoding.ASCII.GetBytes(rimpcrModel)));
Assert.That(Encoding.ASCII.GetString(eventLog), Is.EqualTo(eventLogModel));
//});
}
}
}

123
HIRS_Provisioner.NET/hirsTest/src/provisioner/ProvisionerTests.cs Normal file
View File

@ -0,0 +1,123 @@
using Hirs.Pb;
using hirs;
using FakeItEasy;
using NUnit.Framework;
using System;
using System.Text;
using System.Threading.Tasks;
using Tpm2Lib;
namespace hirsTest {
public class ProvisionerTests {
[Test]
public async Task TestGoodAsync() {
const string address = "https://127.0.0.1:8443/";
byte[] ekCert = Encoding.UTF8.GetBytes("EK CERTIFICATE");
byte[] secret = Encoding.UTF8.GetBytes("AuthCredential Secret");
byte[] acaIssuedCert = Encoding.UTF8.GetBytes("ACA ISSUED CERTIFICATE");
byte[] integrityHMAC = Convert.FromBase64String("VAtedc1RlNA1w0XfrtwmhE0ILBlILP6163Tur5HRIo0=");
byte[] encIdentity = Convert.FromBase64String("6e2oGBsK3H9Vzbj667ZsjnVOtvpSpQ==");
byte[] encryptedSecret = Convert.FromBase64String("NekvnOX8RPRdyd0/cxBI4FTCuNkiu0KAnS28yT7yYJUL5Lwfcv5ctEK6zQA0fq0IsX5TlAYSidGKxrAilOSwALJmJ+m7sMiXwMKrZn1cd4gzXObZEQimQoWgSEQbPO7rfpUn1UfI8K5SzmUFUTxc5X3D8zFonaEBp6QCjtdLegKGgioCDcQFdz20Y0PFAa1Itug7YbZdCFpfit570eQQinmqdVryiNyn6CLQdMgIejuBxoEpoTSWszB5eFKEdn5g/+8wcvhp6RpNBQ0hikF+6688TOVK/j8n3JDwKVltJ/WNHjVO+lxa2aLIMJRgs5ZRuzuz6OSMf10KqJjSWZE04w==");
byte[] credentialBlob = Convert.FromBase64String("OAAAIFQLXnXNUZTQNcNF367cJoRNCCwZSCz+tet07q+R0SKN6e2oGBsK3H9Vzbj667ZsjnVOtvpSpQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATXpL5zl/ET0XcndP3MQSOBUwrjZIrtCgJ0tvMk+8mCVC+S8H3L+XLRCus0ANH6tCLF+U5QGEonRisawIpTksACyZifpu7DIl8DCq2Z9XHeIM1zm2REIpkKFoEhEGzzu636VJ9VHyPCuUs5lBVE8XOV9w/MxaJ2hAaekAo7XS3oChoIqAg3EBXc9tGNDxQGtSLboO2G2XQhaX4ree9HkEIp5qnVa8ojcp+gi0HTICHo7gcaBKaE0lrMweXhShHZ+YP/vMHL4aekaTQUNIYpBfuuvPEzlSv4/J9yQ8ClZbSf1jR41TvpcWtmiyDCUYLOWUbs7s+jkjH9dCqiY0lmRNOM=");
TpmPublic ekPublic = CommandTpm.GenerateEKTemplateL1();
TpmPublic akPublic = new(TpmAlgId.Sha256, ObjectAttr.None, System.Text.Encoding.UTF8.GetBytes("AK PUBLIC AUTH POLICY"), new RsaParms(new SymDefObject(TpmAlgId.Null, 0, TpmAlgId.Null), new SchemeRsassa(TpmAlgId.Sha256), 2048, 0), new Tpm2bPublicKeyRsa());
Tpm2bDigest[] sha1Values = new Tpm2bDigest[] { new Tpm2bDigest(System.Text.Encoding.UTF8.GetBytes("SHA1 DIGEST1")) };
Tpm2bDigest[] sha256Values = new Tpm2bDigest[] { new Tpm2bDigest(System.Text.Encoding.UTF8.GetBytes("SHA256 DIGEST1")) };
DeviceInfo dv = new();
string paccorOutput = "paccor output";
CommandTpmQuoteResponse ctqr = null;
IdentityClaimResponse idClaimResp = new();
idClaimResp.Status = ResponseStatus.Pass;
idClaimResp.CredentialBlob = Google.Protobuf.ByteString.CopyFrom(credentialBlob);
CertificateResponse certResp = new();
certResp.Status = ResponseStatus.Pass;
certResp.Certificate = Google.Protobuf.ByteString.CopyFrom(acaIssuedCert);
IHirsAcaTpm tpm = A.Fake<IHirsAcaTpm>();
byte[] name = null, qualifiedName = null;
A.CallTo(() => tpm.GetCertificateFromNvIndex(CommandTpm.DefaultEkcNvIndex)).Returns(ekCert);
A.CallTo(() => tpm.CreateEndorsementKey(CommandTpm.DefaultEkHandle)).DoesNothing();
A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultEkHandle, out name, out qualifiedName)).Returns(ekPublic);
A.CallTo(() => tpm.CreateAttestationKey(CommandTpm.DefaultEkHandle, CommandTpm.DefaultAkHandle, false)).DoesNothing();
A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultAkHandle, out name, out qualifiedName)).Returns(akPublic);
//A.CallTo(() => tpm.getPcrList(TpmAlgId.Sha1, A<uint[]>.Ignored)).Returns(sha1Values);
//A.CallTo(() => tpm.getPcrList(TpmAlgId.Sha256, A<uint[]>.Ignored)).Returns(sha256Values);
A.CallTo(() => tpm.GetQuote(CommandTpm.DefaultAkHandle, TpmAlgId.Sha256, secret, out ctqr, A<uint[]>.Ignored)).DoesNothing();
IHirsDeviceInfoCollector collector = A.Fake<IHirsDeviceInfoCollector>();
A.CallTo(() => collector.CollectDeviceInfo(address)).Returns(dv);
IHirsAcaClient client = A.Fake<IHirsAcaClient>();
IdentityClaim idClaim = client.CreateIdentityClaim(dv, akPublic, ekPublic, ekCert, null, paccorOutput);
CertificateRequest certReq = client.CreateAkCertificateRequest(secret, ctqr);
A.CallTo(() => client.PostIdentityClaim(idClaim)).Returns(Task.FromResult<IdentityClaimResponse>(idClaimResp));
A.CallTo(() => client.PostCertificateRequest(certReq)).Returns(Task.FromResult<CertificateResponse>(certResp));
Settings settings = Settings.LoadSettingsFromFile("./Resources/test/settings_test/appsettings.json");
settings.SetUpLog();
settings.CompleteSetUp();
CLI cli = A.Fake<CLI>();
IHirsProvisioner p = A.Fake<Provisioner>();
p.SetSettings(settings);
p.SetCLI(cli);
p.SetClient(client);
p.SetDeviceInfoCollector(collector); // Give the provisioner the mocked collector
int result = await p.Provision(tpm);
A.CallTo(() => tpm.ActivateCredential(CommandTpm.DefaultAkHandle, CommandTpm.DefaultEkHandle, A<byte[]>.That.IsSameSequenceAs(integrityHMAC), A<byte[]>.That.IsSameSequenceAs(encIdentity), A<byte[]>.That.IsSameSequenceAs(encryptedSecret))).MustHaveHappenedOnceExactly();
Assert.That(result, Is.EqualTo(0));
}
[Test]
public async Task TestIssueWithIdentityClaimResponse() {
const string address = "https://127.0.0.1:8443/";
byte[] ekCert = Encoding.UTF8.GetBytes("EK CERTIFICATE");
byte[] acaIssuedCert = Encoding.UTF8.GetBytes("ACA ISSUED CERTIFICATE");
TpmPublic ekPublic = CommandTpm.GenerateEKTemplateL1();
TpmPublic akPublic = new(TpmAlgId.Sha256, ObjectAttr.None, System.Text.Encoding.UTF8.GetBytes("AK PUBLIC AUTH POLICY"), new RsaParms(new SymDefObject(TpmAlgId.Null, 0, TpmAlgId.Null), new SchemeRsassa(TpmAlgId.Sha256), 2048, 0), new Tpm2bPublicKeyRsa());
Tpm2bDigest[] sha1Values = new Tpm2bDigest[] { new Tpm2bDigest(System.Text.Encoding.UTF8.GetBytes("SHA1 DIGEST1")) };
Tpm2bDigest[] sha256Values = new Tpm2bDigest[] { new Tpm2bDigest(System.Text.Encoding.UTF8.GetBytes("SHA256 DIGEST1")) };
DeviceInfo dv = new();
string paccorOutput = "paccor output";
IdentityClaimResponse idClaimResp = new();
idClaimResp.ClearCredentialBlob();
IHirsAcaTpm tpm = A.Fake<IHirsAcaTpm>();
byte[] name = null, qualifiedName = null;
A.CallTo(() => tpm.GetCertificateFromNvIndex(CommandTpm.DefaultEkcNvIndex)).Returns(ekCert);
A.CallTo(() => tpm.CreateEndorsementKey(CommandTpm.DefaultEkHandle)).DoesNothing();
A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultEkHandle, out name, out qualifiedName)).Returns(ekPublic);
A.CallTo(() => tpm.CreateAttestationKey(CommandTpm.DefaultEkHandle, CommandTpm.DefaultAkHandle, false)).DoesNothing();
A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultAkHandle, out name, out qualifiedName)).Returns(ekPublic);
A.CallTo(() => tpm.GetPcrList(TpmAlgId.Sha1, A<uint[]>.Ignored)).Returns(sha1Values);
A.CallTo(() => tpm.GetPcrList(TpmAlgId.Sha256, A<uint[]>.Ignored)).Returns(sha256Values);
IHirsDeviceInfoCollector collector = A.Fake<IHirsDeviceInfoCollector>();
A.CallTo(() => collector.CollectDeviceInfo(address)).Returns(dv);
IHirsAcaClient client = A.Fake<IHirsAcaClient>();
IdentityClaim idClaim = client.CreateIdentityClaim(dv, akPublic, ekPublic, ekCert, null, paccorOutput);
A.CallTo(() => client.PostIdentityClaim(idClaim)).WithAnyArguments().Returns(Task.FromResult<IdentityClaimResponse>(idClaimResp));
Settings settings = Settings.LoadSettingsFromFile("./Resources/test/settings_test/appsettings.json");
settings.SetUpLog();
settings.CompleteSetUp();
CLI cli = A.Fake<CLI>();
IHirsProvisioner p = A.Fake<Provisioner>();
p.SetSettings(settings);
p.SetCLI(cli);
p.SetClient(client);
p.SetDeviceInfoCollector(collector); // Give the provisioner the mocked collector
int result = await p.Provision(tpm);
Assert.That(result, Is.EqualTo((int)ClientExitCodes.MAKE_CREDENTIAL_BLOB_MALFORMED));
}
}
}

16
HIRS_Provisioner.NET/tools/pcrextend/pcrextend.csproj Normal file
View File

@ -0,0 +1,16 @@
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<OutputType>Exe</OutputType>
<TargetFramework>net6.0</TargetFramework>
<ImplicitUsings>enable</ImplicitUsings>
<Nullable>enable</Nullable>
<Version>0.1.0</Version>
</PropertyGroup>
<ItemGroup>
<PackageReference Include="CommandLineParser" Version="2.8.0" />
<PackageReference Include="Microsoft.TSS" Version="2.1.1" />
</ItemGroup>
</Project>

42
HIRS_Provisioner.NET/tools/pcrextend/src/Program.cs Normal file
View File

@ -0,0 +1,42 @@
using CommandLine;
namespace pcrextend {
class Program {
static void Main(string[] args) {
bool result = false;
try {
CLI cli = new();
ParserResult<CLI> cliParseResult =
CommandLine.Parser.Default.ParseArguments<CLI>(args)
.WithParsed(parsed => cli = parsed)
.WithNotParsed(HandleParseError);
if (cliParseResult.Tag == ParserResultType.Parsed) {
// filter pci index
int pcr = cli.Pcr;
if (pcr < 0 || pcr > 23) {
Console.WriteLine("Unknown PCR index: " + pcr + ". Should be from 0 to 23.");
return;
}
PcrExtendTool p = new(cli);
CommandTpmSimulator? tpm = p.connectTpm();
if (tpm != null) {
result = p.Extend(tpm);
}
Console.WriteLine("PCR Extend " + (result ? "" : "un") + "successful.");
}
} catch (Exception e) {
Console.WriteLine("Application stopped.");
Console.WriteLine(e.ToString());
Console.WriteLine(e.StackTrace);
}
}
private static void HandleParseError(IEnumerable<Error> errs) {
if (!errs.IsHelp() && !errs.IsVersion()) {
//handle errors
Console.WriteLine("There was a CLI error: " + errs.ToString());
}
}
}
}

29
HIRS_Provisioner.NET/tools/pcrextend/src/config/CLI.cs Normal file
View File

@ -0,0 +1,29 @@
using CommandLine;
namespace pcrextend {
public class CLI {
// These fields are controlled by the CommandLineParser library.
// CS8618 is not relevant at this time.
// Non-nullable field must contain a non-null value when exiting constructor.
#pragma warning disable CS8618
[Option('i', "ip", Default = CommandTpmSimulator.DefaultSimulatorNamePort, HelpText = "IP of the TPM Simulator. Use the format ip:port.")]
public string Ip {
get; set;
}
[Option('p', "pcr", HelpText = "PCR Index 0 thru 23")]
public short Pcr {
get; set;
}
[Option('a', "hashalg", HelpText = "sha1, sha256, sha384, or sha512. OR their ID Values in decimal (4, 11, 12, 13) or in hex (0x4, 0xB, 0xC, 0xD).")]
public string HashAlg {
get; set;
}
[Option('d', "digests", HelpText = "Comma separated digest values in hex. e.g. AB,34F53,9785")]
public string Digests {
get; set;
}
#pragma warning restore CS8618
}
}

55
HIRS_Provisioner.NET/tools/pcrextend/src/tool/PcrExtendTool.cs Normal file
View File

@ -0,0 +1,55 @@
namespace pcrextend {
public class PcrExtendTool {
private CLI? cli = null;
public PcrExtendTool(CLI cli) {
SetCLI(cli);
}
public void SetCLI(CLI cli) {
this.cli = cli;
}
public CommandTpmSimulator? connectTpm() {
CommandTpmSimulator? tpm = null;
if (cli != null && cli.Ip != null) {
string[] split = cli.Ip.Split(":");
if (split.Length == 2) {
try {
tpm = new CommandTpmSimulator(split[0], Int32.Parse(split[1]));
} catch (Exception) {
Console.WriteLine("No tpm found at " + cli.Ip);
}
} else {
Console.WriteLine("ip input should have the format servername:port. The given input was '" + cli.Ip + "'.");
}
}
return tpm;
}
public bool Extend(CommandTpmSimulator tpm) {
bool result = false;
if (tpm != null && cli != null) {
// parse hashAlg
string hashAlg = cli.HashAlg;
if (hashAlg.StartsWith("0x", StringComparison.OrdinalIgnoreCase) || hashAlg.EndsWith("h")) {
hashAlg = hashAlg.Replace("0x", "");
hashAlg = hashAlg.TrimEnd('h');
hashAlg = "" + Convert.ToInt64(hashAlg, 16);
}
string digestCSV = cli.Digests;
digestCSV = digestCSV.ToUpper().Replace("0X", "").Replace("H", "");
string[] digestArray = digestCSV.Split(",");
List<byte[]> digestList = new();
foreach (string digest in digestArray) {
digestList.Add(Convert.FromHexString(digest));
}
tpm.pcrextend(cli.Pcr, hashAlg, digestList);
result = true;
}
return result;
}
}
}

69
HIRS_Provisioner.NET/tools/pcrextend/src/tpm/CommandTpmSimulator.cs Normal file
View File

@ -0,0 +1,69 @@
using Tpm2Lib;
namespace pcrextend {
public class CommandTpmSimulator {
/// <summary>
/// If using a TCP connection, the default DNS name/IP address for the
/// simulator.
/// </summary>
public const string DefaultSimulatorNamePort = "127.0.0.1:2321";
private readonly Tpm2 tpm;
private readonly Boolean simulator;
/**
* For TCP TpmDevices
*/
public CommandTpmSimulator(string ip, int port) {
simulator = true;
Tpm2Device tpmDevice = new TcpTpmDevice(ip, port);
Console.WriteLine("Connecting to TPM at " + ip + ":" + port);
tpm = tpmSetupByType(tpmDevice);
}
~CommandTpmSimulator() {
if (tpm != null) {
tpm.Dispose();
}
}
public void pcrextend(int pcr, string hashAlgStr, List<byte[]> digestList) {
TpmHandle pcrHandle = TpmHandle.Pcr(pcr);
TpmAlgId hashAlg = Enum.Parse<TpmAlgId>(hashAlgStr, true);
List<TpmHash> digests = new();
foreach (byte[] digest in digestList) {
digests.Add(new TpmHash(hashAlg, digest));
}
tpm.PcrExtend(pcrHandle, digests.ToArray());
}
private Tpm2 tpmSetupByType(Tpm2Device tpmDevice) {
tpmDevice.Connect();
Tpm2 tpm = new Tpm2(tpmDevice);
if (tpmDevice is TcpTpmDevice) {
//
// If we are using the simulator, we have to do a few things the
// firmware would usually do. These actions have to occur after
// the connection has been established.
//
if (simulator) {
uint rc = 0;
try {
rc = tpm.PcrRead(new PcrSelection[] { new PcrSelection(TpmAlgId.Sha1, new uint[] { 0 }) }, out _, out _);
} catch (TpmException e) {
if (e.RawResponse == TpmRc.Initialize) {
Console.WriteLine("TPM simulator not initialized. Running startup with clear.");
tpmDevice.PowerCycle();
tpm.Startup(Su.Clear);
} else {
Console.WriteLine("TPM simulator already initialized. Skipping TPM2_Startup.");
}
}
}
}
return tpm;
}
}
}

5
HIRS_Utils/config/spotbugs/spotbugs-exclude.xml
View File

@ -2,7 +2,10 @@
<!-- Docs at http://findbugs.sourceforge.net/manual/filter.html -->
<FindBugsFilter>
<Match>
<Package name="~hirs\.utils.*" />
<Package name="~hirs\.utils.xjc.*" />
</Match>
<Match>
<Package name="~hirs\.utils.rim.*" />
</Match>
<Match>
<!-- https://github.com/spotbugs/spotbugs/pull/2748 -->

79
HIRS_Utils/src/main/java/hirs/utils/VersionHelper.java
View File

@ -2,54 +2,117 @@ package hirs.utils;
import com.google.common.base.Charsets;
import com.google.common.io.Resources;
import lombok.extern.log4j.Log4j2;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URL;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
/**
* Utility class to get the current version from the VERSION file.
*/
@Log4j2
public final class VersionHelper {
private static final String VERSION_FILENAME = "VERSION";
private static final String OPT_PREFIX = "/opt";
private static final String ETC_PREFIX = "/etc";
private static final String VERSION = "VERSION";
private VersionHelper() {
// intentionally blank, should never be instantiated
}
/**
* Get the current version of HIRS_Portal that is installed.
* Get the current version of HIRS_AttestationPortal that is installed.
*
* @return A string representing the current version.
*/
public static String getVersion() {
return getVersion(VERSION_FILENAME);
if (Files.exists(FileSystems.getDefault().getPath(OPT_PREFIX,
"hirs", "aca", VERSION))) {
return getVersion(FileSystems.getDefault().getPath(OPT_PREFIX,
"hirs", "aca", VERSION));
} else if (Files.exists(FileSystems.getDefault().getPath(ETC_PREFIX,
"hirs", "aca", VERSION))) {
return getVersion(FileSystems.getDefault().getPath(ETC_PREFIX,
"hirs", "aca", VERSION));
}
return getVersion(VERSION);
}
/**
* Get the current version of HIRS_Portal that is installed.
* Get the current version of HIRS_AttestationCAPortal that is installed.
*
* @param filename
* that contains the version
* @param filename that contains the version
* @return A string representing the current version.
*/
public static String getVersion(final Path filename) {
String version;
try {
version = getFileContents(filename.toString());
} catch (IOException ioEx) {
log.error(ioEx.getMessage());
version = "";
}
return version;
}
/**
* Get the current version of HIRS_AttestationCAPortal that is installed.
*
* @param filename that contains the version
* @return A string representing the current version.
*/
public static String getVersion(final String filename) {
String version;
try {
version = getFileContents(filename);
} catch (Exception e) {
version = getResourceContents(filename);
} catch (Exception ex) {
version = "";
log.error(ex.getMessage());
}
return version;
}
/**
* Read the symbolic link to VERSION in the top level HIRS directory.
*
* @param filename "VERSION"
* @return the version number from the file
* @throws IOException
*/
private static String getFileContents(final String filename) throws IOException {
final char[] buffer = new char[8192];
final StringBuilder result = new StringBuilder();
InputStream inputStream = new FileInputStream(filename);
try (Reader reader = new InputStreamReader(inputStream, Charsets.UTF_8)) {
int charsRead;
while ((charsRead = reader.read(buffer, 0, buffer.length)) > 0) {
result.append(buffer, 0, charsRead);
}
}
return result.toString();
}
/**
* Read the symbolic link to VERSION in the top level HIRS directory.
*
* @param filename "VERSION"
* @return the version number from the file
* @throws IOException
*/
private static String getResourceContents(final String filename) throws IOException {
URL url = Resources.getResource(filename);
return Resources.toString(url, Charsets.UTF_8).trim();
}

7
HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java
View File

@ -210,7 +210,7 @@ public class ReferenceManifestValidator {
log.error("Cannot validate RIM, signature element not found!");
return false;
}
if (trustStoreFile != null && !trustStoreFile.isEmpty()) {
if (trustStore == null && trustStoreFile != null && !trustStoreFile.isEmpty()) {
trustStore = parseCertificatesFromPem(trustStoreFile);
}
NodeList certElement = rim.getElementsByTagName("X509Certificate");
@ -251,6 +251,9 @@ public class ReferenceManifestValidator {
*/
public boolean validateSwidtagFile(String path) {
Element fileElement = (Element) rim.getElementsByTagName("File").item(0);
if (trustStoreFile != null && !trustStoreFile.isEmpty()) {
trustStore = parseCertificatesFromPem(trustStoreFile);
}
X509Certificate signingCert = null;
try {
signingCert = getCertFromTruststore();
@ -337,7 +340,7 @@ public class ReferenceManifestValidator {
private String getHashValue(final String filepath, final String sha) {
try {
MessageDigest md = MessageDigest.getInstance(sha);
byte[] bytes = md.digest(Files.readAllBytes(Paths.get(filepath)));
byte[] bytes = Files.readAllBytes(Paths.get(filepath));
return getHashValue(bytes, sha);
} catch (NoSuchAlgorithmException e) {
log.warn(e.getMessage());

Some files were not shown because too many files have changed in this diff Show More