Updated the provisioner to respond to failed status instead of blank

certificates. Updated the proto to use enum instead of bytes
2025-01-29 15:44:14 +00:00 · 2022-02-28 14:18:48 -05:00 · 2022-02-28 14:18:48 -05:00 · 7738a47b99
commit 7738a47b99
parent acef2ea5b8
4 changed files with 41 additions and 18 deletions
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@ -442,14 +442,12 @@ public abstract class AbstractAttestationCertificateAuthority
        }

        ByteString blobStr = ByteString.copyFrom(new byte[]{});
-        byte[] status = new byte[1];
        if (validationResult == AppraisalStatus.Status.PASS) {
            RSAPublicKey akPub = parsePublicKey(claim.getAkPublicArea().toByteArray());
            byte[] nonce = generateRandomBytes(NONCE_LENGTH);
            blobStr = tpm20MakeCredential(ekPub, akPub, nonce);
            SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
            String pcrQuoteMask = PCR_QUOTE_MASK;
-            status[0] = STATUS_PASS;

            String strNonce = HexUtils.byteArrayToHexString(nonce);
            LOG.info("Sending nonce: " + strNonce);
@ -464,19 +462,17 @@ public abstract class AbstractAttestationCertificateAuthority
            ProvisionerTpm2.IdentityClaimResponse response
                    = ProvisionerTpm2.IdentityClaimResponse.newBuilder()
                    .setCredentialBlob(blobStr).setPcrMask(pcrQuoteMask)
-                    .setProvisionStatus(ByteString.copyFrom(status))
+                    .setStatus(ProvisionerTpm2.ResponseStatus.PASS)
                    .build();
-
            return response.toByteArray();
        } else {
            LOG.error("Supply chain validation did not succeed. Result is: "
                    + validationResult);
-            status[0] = STATUS_FAIL;
            // empty response
            ProvisionerTpm2.IdentityClaimResponse response
                    = ProvisionerTpm2.IdentityClaimResponse.newBuilder()
                    .setCredentialBlob(blobStr)
-                    .setProvisionStatus(ByteString.copyFrom(status))
+                    .setStatus(ProvisionerTpm2.ResponseStatus.FAIL)
                    .build();
            return response.toByteArray();
        }
@ -631,7 +627,6 @@ public abstract class AbstractAttestationCertificateAuthority
                device = this.deviceRegister.saveOrUpdateDevice(dvReport);
            }

-            byte[] status = new byte[1];
            AppraisalStatus.Status validationResult = doQuoteValidation(device);
            if (validationResult == AppraisalStatus.Status.PASS) {
                // Create signed, attestation certificate
@ -639,7 +634,6 @@ public abstract class AbstractAttestationCertificateAuthority
                        endorsementCredential, platformCredentials, deviceName);
                byte[] derEncodedAttestationCertificate = getDerEncodedCertificate(
                        attestationCertificate);
-                status[0] = STATUS_PASS;

                // We validated the nonce and made use of the identity claim so state can be deleted
                tpm2ProvisionerStateDBManager.delete(tpm2ProvisionerState);
@ -649,7 +643,7 @@ public abstract class AbstractAttestationCertificateAuthority
                        .copyFrom(derEncodedAttestationCertificate);
                ProvisionerTpm2.CertificateResponse response = ProvisionerTpm2.CertificateResponse
                        .newBuilder().setCertificate(certificateBytes)
-                        .setProvisionStatus(ByteString.copyFrom(status))
+                        .setStatus(ProvisionerTpm2.ResponseStatus.PASS)
                        .build();

                saveAttestationCertificate(derEncodedAttestationCertificate, endorsementCredential,
@ -660,10 +654,10 @@ public abstract class AbstractAttestationCertificateAuthority
                LOG.error("Supply chain validation did not succeed. "
                        + "Firmware Quote Validation failed. Result is: "
                        + validationResult);
-                status[0] = STATUS_FAIL;
                ProvisionerTpm2.CertificateResponse response = ProvisionerTpm2.CertificateResponse
-                        .newBuilder().setCertificate(ByteString.EMPTY)
-                        .setProvisionStatus(ByteString.copyFrom(status)).build();
+                        .newBuilder()
+                        .setStatus(ProvisionerTpm2.ResponseStatus.FAIL)
+                        .build();
                return response.toByteArray();
            }
        } else {
--- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto
+++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto
@ -77,10 +77,15 @@ message TpmQuote {
  required string success = 1;
 }

+enum ResponseStatus {
+  PASS = 0;
+  FAIL = 1;
+}
+
 message IdentityClaimResponse {
-  required bytes credential_blob = 1;
+  optional bytes credential_blob = 1;
  optional string pcr_mask = 2;
-  optional bytes provision_status = 3;
+  optional ResponseStatus status = 3 [default = FAIL];
 }

 message CertificateRequest {
@ -89,7 +94,7 @@ message CertificateRequest {
 }

 message CertificateResponse {
-  required bytes certificate = 1;
-  optional bytes provision_status = 3;
+  optional bytes certificate = 1;
+  optional ResponseStatus status = 2 [default = FAIL];
 }

--- a/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp
@ -144,7 +144,8 @@ string RestfulClientProvisioner::sendAttestationCertificateRequest(
        }

        // Return the public attestation certificate
-        return response.certificate();
+//        return response.certificate();
+        return response.SerializeAsString();

    } else {
        stringstream errormsg;
--- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
@ -144,7 +144,21 @@ int provision() {
    string response = provisioner.sendIdentityClaim(identityClaim);
    hirs::pb::IdentityClaimResponse icr;

-    if (!icr.ParseFromString(response) || !icr.has_credential_blob()) {
+    if (!icr.ParseFromString(response) || !icr.has_status()) {
+        logger.error("The ACA did not send a provisioning status.");
+        cout << "----> Provisioning failed." << endl;
+        cout << "Please refer to the Attestation CA for details." << endl;
+        return 0;
+    }
+
+    if (icr.status() == hirs::pb::ResponseStatus::FAIL) {
+        logger.error("The ACA responded with a FAIL status.");
+        cout << "----> Provisioning failed." << endl;
+        cout << "Please refer to the Attestation CA for details." << endl;
+        return 0;
+    }
+
+    if (!icr.has_credential_blob()) {
        logger.error("The ACA did not send make credential blob.");
        cout << "----> Provisioning failed." << endl;
        cout << "The ACA did not send make credential information." << endl;
@ -183,6 +197,15 @@ int provision() {
    const string& akCertificateByteString
            = provisioner.sendAttestationCertificateRequest(certificateRequest);

+    hirs::pb::CertificateResponse cr;
+    if (!cr.ParseFromString(akCertificateByteString) && cr.has_status()) {
+        if (cr.status() == hirs::pb::ResponseStatus::FAIL) {
+            cout << "----> Provisioning the quote failed.";
+            cout << "Please refer to the Attestation CA for details." << endl;
+            return 0;
+        }
+    }
+
    if (akCertificateByteString == "") {
        cout << "----> Provisioning the quote failed.";
        cout << "Please refer to the Attestation CA for details." << endl;