From 95c5e40f89717b69a2a0d88020d77355072b3991 Mon Sep 17 00:00:00 2001 From: iadgovuser29 <33426478+iadgovuser29@users.noreply.github.com> Date: Tue, 23 Nov 2021 22:01:16 -0500 Subject: [PATCH] Utilize protobuf to parse claim response. Work on array handling on ACA. --- ...stractAttestationCertificateAuthority.java | 2 +- .../SupplyChainValidationServiceImpl.java | 8 ++--- .../src/ProvisionerTpm2.proto | 2 +- .../src/RestfulClientProvisioner.cpp | 31 ++++++++++--------- HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 17 +++++----- .../java/hirs/data/persist/PCRPolicy.java | 16 +++++----- 6 files changed, 39 insertions(+), 37 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 637e0702..451bfae1 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -458,7 +458,7 @@ public abstract class AbstractAttestationCertificateAuthority // Package response ProvisionerTpm2.IdentityClaimResponse response = ProvisionerTpm2.IdentityClaimResponse.newBuilder() - .setCredentialBlob(blobStr).setMask(pcrQuoteMask) + .setCredentialBlob(blobStr).setPcrMask(pcrQuoteMask) .build(); return response.toByteArray(); diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 913f6e00..1f4dbb6d 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java 
@@ -520,9 +520,9 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe + "provide pcr values.", device.getName())); } else { // we have a full set of PCR values - int algorithmLength = baseline[0].length(); - String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength); - pcrPolicy.validatePcrs(storedPcrs); + //int algorithmLength = baseline[0].length(); + //String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength); + //pcrPolicy.validatePcrs(storedPcrs); // part 2 of firmware validation check: bios measurements // vs baseline tcg event log @@ -606,7 +606,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe SupplyChainValidationSummary summary = null; Level level = Level.ERROR; AppraisalStatus fwStatus = new AppraisalStatus(FAIL, - SupplyChainCredentialValidator.FIRMWARE_VALID); + "Unknown exception caught during quote validation."); SupportReferenceManifest sRim = null; EventLogMeasurements eventLog = null; diff --git a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto index 62dadc2a..fdf30985 100644 --- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto +++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto @@ -79,7 +79,7 @@ message TpmQuote { message IdentityClaimResponse { required bytes credential_blob = 1; - required string mask = 2; + optional string pcr_mask = 2; } message CertificateRequest { diff --git a/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp b/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp index 229a9a87..1f77c53f 100644 --- a/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp @@ -60,7 +60,6 @@ string RestfulClientProvisioner::sendIdentityClaim( } string identityClaimByteString; - string result; identityClaim.SerializeToString(&identityClaimByteString); // Send serialized Identity Claim to ACA 
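Review bot: Commenting out `pcrPolicy.validatePcrs(storedPcrs)` removes the only PCR-versus-baseline comparison in the "we have a full set of PCR values" branch, so a device whose PCRs disagree with the RIM baseline now passes part 1 of the firmware check without any record that the check was skipped. If this is a temporary disable while the ACA array handling is reworked (as the commit subject suggests), make the fail-open state visible with `// TODO: PCR-vs-baseline comparison disabled pending PCRPolicy array rework; device PCRs are NOT checked against the RIM here` directly above the commented-out lines, and prefer deleting the dead code once the rework lands. The enclosing method starts and ends outside the hunk.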
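Review bot: `pcr_mask` drops its `required` qualifier but gains no comment saying what the string holds or what an absent value means, and the provisioner side of this same patch treats absence as "quote every PCR", which is a policy decision the schema should state. Add above the field: `// Comma-separated PCR indices the ACA wants quoted (e.g. "0,1,2"); when absent the provisioner quotes all 24 PCRs.` Keeping tag 2 and the string type keeps the wire format compatible with senders still populating the old `mask` name, which is worth a line in the commit description.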
@@ -82,21 +81,25 @@ string RestfulClientProvisioner::sendIdentityClaim( } IdentityClaimResponse response; - response.ParseFromString(r.text); - - { - // Convert the nonce blob to hex for logging - string blobHex = binaryToHex(response.credential_blob()); - stringstream responses; - responses << response.credential_blob() << ";" << response.mask(); - stringstream logStream; - result = responses.str(); - logStream << "Received nonce blob: " << blobHex; - LOGGER.info(logStream.str()); + try { + response.ParseFromString(r.text); + } catch (const google::protobuf::FatalException& e) { + LOGGER.error(e.what()); + stringstream errormsg; + errormsg << "Provisioning failed. IdentityClaimResponse " + << "did not contain credential_blob."; + throw HirsRuntimeException(errormsg.str(), + "RestfulClientProvisioner::sendIdentityClaim"); } - // Return the wrapped nonce blob - return result; + // Convert the nonce blob to hex for logging + string blobHex = binaryToHex(response.credential_blob()); + stringstream logStream; + logStream << "Received nonce blob: " << blobHex; + LOGGER.info(logStream.str()); + + // Return the response + return response.SerializeAsString(); } else { stringstream errormsg; diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp index 63555d63..be8fffb7 100644 --- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp +++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp 
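Review bot: The new try/catch around `response.ParseFromString(r.text)` does not catch a bad response: `ParseFromString` reports a malformed body or a missing required `credential_blob` by returning false, not by throwing, and `google::protobuf::FatalException` is only raised in builds compiled with PROTOBUF_USE_EXCEPTIONS, so a truncated or non-protobuf reply from the ACA still reaches `binaryToHex(response.credential_blob())` and is re-serialized for the caller. Test the return value instead, `if (!response.ParseFromString(r.text) || !response.has_credential_blob()) {`, and throw the same HirsRuntimeException in that branch; the catch can then go. Since `r.text` is whatever the network delivered, failing closed here is preferable to relying on the later check in the caller. sendIdentityClaim starts and ends outside the hunk.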
@@ -130,16 +130,15 @@ int provision() { identityClaim.set_paccoroutput(paccorOutputString); RestfulClientProvisioner provisioner; string response = provisioner.sendIdentityClaim(identityClaim); - vector response_vector = hirs::string_utils::split(response, ';'); - - string nonceBlob = response_vector.at(0); - string mask = response_vector.at(1); - if (nonceBlob == "" || mask == "") { + hirs::pb::IdentityClaimResponse icr; + if (!icr.ParseFromString(response) || !icr.has_credential_blob()) { cout << "----> Provisioning failed." << endl; - cout << "Please refer to the Attestation CA for details." << endl; + cout << "The ACA did not send make credential information." << endl; return 0; } + string nonceBlob = icr.credential_blob(); + // activateIdentity requires we read makeCredential output from a file cout << "----> Received response. Attempting to decrypt nonce" << endl; try { @@ -157,8 +156,10 @@ int provision() { hirs::pb::CertificateRequest certificateRequest; certificateRequest.set_nonce(decryptedNonce); certificateRequest.set_quote(tpm2.getQuote( - mask, - decryptedNonce)); + icr.has_pcr_mask() + ? icr.pcr_mask() + : "0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23", + decryptedNonce)); const string& akCertificateByteString = provisioner.sendAttestationCertificateRequest(certificateRequest); diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java index 4e8f1263..2312d345 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java @@ -13,7 +13,7 @@ import javax.persistence.Column; import javax.persistence.Entity; import java.nio.charset.StandardCharsets; import java.security.NoSuchAlgorithmException; -import java.util.Arrays; +import java.util.ArrayList; import java.util.LinkedList; import java.util.List; import java.util.Map; 
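Review bot: `icr.has_credential_blob()` only checks field presence, so an ACA reply that sets `credential_blob` to an empty string passes the new guard and the provisioner goes on to write an empty blob for activateIdentity, whereas the removed `nonceBlob == ""` test rejected that case. Extend the condition to `if (!icr.ParseFromString(response) || !icr.has_credential_blob() || icr.credential_blob().empty()) {` so the behaviour is no weaker than before. provision() starts and ends outside the hunk.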
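Review bot: The all-PCRs fallback passed to `tpm2.getQuote` is an inline 24-entry magic string, and it means the PCR selection that ends up in the quote is chosen by the provisioner whenever the ACA omits `pcr_mask`; whether the ACA verifies the quoted selection against its own policy rather than trusting the client's choice is not visible here and should be confirmed. At minimum hoist the literal into a named constant with the policy stated, e.g. `// Quote every PCR when the ACA does not narrow the selection.` followed by `static const string kAllPcrsMask = "0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23";`, and pass `icr.has_pcr_mask() ? icr.pcr_mask() : kAllPcrsMask`. provision() starts and ends outside the hunk.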
@@ -171,20 +171,19 @@ public final class PCRPolicy extends Policy { short localityAtRelease = 0; String quoteString = new String(tpmQuote, StandardCharsets.UTF_8); int pcrMaskSelection = PcrSelection.ALL_PCRS_ON; - int recordLength = baselinePcrs.length; if (enableIgnoreIma) { pcrMaskSelection = IMA_MASK; - recordLength--; } - TPMMeasurementRecord[] measurements = new TPMMeasurementRecord[recordLength]; + ArrayList measurements = new ArrayList<>(); + try { - for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) { - if (i == 10 && enableIgnoreIma) { + for (int i = 0; i < storedPcrs.length; i++) { + if (i == IMA_PCR && enableIgnoreIma) { LOGGER.info("Ignore IMA PCR policy is enabled."); } else { - measurements[i] = new TPMMeasurementRecord(i, storedPcrs[i]); + measurements.add(new TPMMeasurementRecord(i, storedPcrs[i])); } } } catch (DecoderException deEx) { @@ -193,8 +192,7 @@ public final class PCRPolicy extends Policy { PcrSelection pcrSelection = new PcrSelection(pcrMaskSelection); PcrComposite pcrComposite = new PcrComposite( - pcrSelection, - Arrays.asList(measurements)); + pcrSelection, measurements); PcrInfoShort pcrInfoShort = new PcrInfoShort(pcrSelection, localityAtRelease, tpmQuote, pcrComposite);
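Review bot: The record loop now runs to `storedPcrs.length`, but `pcrMaskSelection` is still `ALL_PCRS_ON` (or `IMA_MASK`), so when the caller supplies fewer than 24 values the PcrComposite built in the next hunk carries fewer records than its selection claims, and a longer array would create records with indices beyond the TPM's PCR range before anything objects. Fail closed before the loop, e.g. `if (storedPcrs.length != TPMMeasurementRecord.MAX_PCR_ID + 1) {` / `throw new IllegalArgumentException("Expected " + (TPMMeasurementRecord.MAX_PCR_ID + 1) + " PCR values, got " + storedPcrs.length);` / `}`, or whichever failure the method's contract already uses. Separately, `ArrayList measurements = new ArrayList<>();` is a raw type; declare it as `List<TPMMeasurementRecord> measurements = new ArrayList<>();` since java.util.List is already imported. The enclosing method starts and ends outside the hunk.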