Utilize protobuf to parse claim response. Work on array handling on ACA.

This commit is contained in:
iadgovuser29 2021-11-23 22:01:16 -05:00
parent 483099a273
commit 95c5e40f89
6 changed files with 39 additions and 37 deletions


@ -458,7 +458,7 @@ public abstract class AbstractAttestationCertificateAuthority
// Package response // Package response
ProvisionerTpm2.IdentityClaimResponse response ProvisionerTpm2.IdentityClaimResponse response
= ProvisionerTpm2.IdentityClaimResponse.newBuilder() = ProvisionerTpm2.IdentityClaimResponse.newBuilder()
.setCredentialBlob(blobStr).setMask(pcrQuoteMask) .setCredentialBlob(blobStr).setPcrMask(pcrQuoteMask)
.build(); .build();
return response.toByteArray(); return response.toByteArray();


@ -520,9 +520,9 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
+ "provide pcr values.", device.getName())); + "provide pcr values.", device.getName()));
} else { } else {
// we have a full set of PCR values // we have a full set of PCR values
int algorithmLength = baseline[0].length(); //int algorithmLength = baseline[0].length();
String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength); //String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength);
pcrPolicy.validatePcrs(storedPcrs); //pcrPolicy.validatePcrs(storedPcrs);
// part 2 of firmware validation check: bios measurements // part 2 of firmware validation check: bios measurements
// vs baseline tcg event log // vs baseline tcg event log
@ -606,7 +606,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
SupplyChainValidationSummary summary = null; SupplyChainValidationSummary summary = null;
Level level = Level.ERROR; Level level = Level.ERROR;
AppraisalStatus fwStatus = new AppraisalStatus(FAIL, AppraisalStatus fwStatus = new AppraisalStatus(FAIL,
SupplyChainCredentialValidator.FIRMWARE_VALID); "Unknown exception caught during quote validation.");
SupportReferenceManifest sRim = null; SupportReferenceManifest sRim = null;
EventLogMeasurements eventLog = null; EventLogMeasurements eventLog = null;
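Review bot: The PCR comparison in the "we have a full set of PCR values" branch is now commented out (`//pcrPolicy.validatePcrs(storedPcrs);` together with the two lines that fed it), so a device whose quoted PCRs disagree with the baseline is no longer rejected at this step and the branch contains no replacement check. If this is deliberate work in progress it should be gated by a flag or carry a `// TODO(<owner>): restore PCR validation once <follow-up>` rather than sit as dead code, since commented-out validation is easy to forget. The enclosing method starts and ends outside the hunk, so I cannot tell whether the "part 2" event-log comparison still fails the device on a PCR mismatch. In the second hunk the default `fwStatus` message "Unknown exception caught during quote validation." is reasonable, but a one-line comment that it is only the fallback when no later branch assigns a status would help the next reader.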


@ -79,7 +79,7 @@ message TpmQuote {
message IdentityClaimResponse { message IdentityClaimResponse {
required bytes credential_blob = 1; required bytes credential_blob = 1;
required string mask = 2; optional string pcr_mask = 2;
} }
message CertificateRequest { message CertificateRequest {
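Review bot: `optional string pcr_mask = 2;` has no comment describing its format or what an absent value means, and this message is the contract between the ACA and the provisioner; suggest `// Comma-separated list of PCR indices to include in the quote. When absent the provisioner quotes all 24 PCRs.` The field number is unchanged, so the rename is wire-compatible, but relaxing `required` to `optional` changes what older generated parsers accept and is worth a line in the commit description.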


@ -60,7 +60,6 @@ string RestfulClientProvisioner::sendIdentityClaim(
} }
string identityClaimByteString; string identityClaimByteString;
string result;
identityClaim.SerializeToString(&identityClaimByteString); identityClaim.SerializeToString(&identityClaimByteString);
// Send serialized Identity Claim to ACA // Send serialized Identity Claim to ACA
@ -82,21 +81,25 @@ string RestfulClientProvisioner::sendIdentityClaim(
} }
IdentityClaimResponse response; IdentityClaimResponse response;
response.ParseFromString(r.text); try {
response.ParseFromString(r.text);
{ } catch (const google::protobuf::FatalException& e) {
// Convert the nonce blob to hex for logging LOGGER.error(e.what());
string blobHex = binaryToHex(response.credential_blob()); stringstream errormsg;
stringstream responses; errormsg << "Provisioning failed. IdentityClaimResponse "
responses << response.credential_blob() << ";" << response.mask(); << "did not contain credential_blob.";
stringstream logStream; throw HirsRuntimeException(errormsg.str(),
result = responses.str(); "RestfulClientProvisioner::sendIdentityClaim");
logStream << "Received nonce blob: " << blobHex;
LOGGER.info(logStream.str());
} }
// Return the wrapped nonce blob // Convert the nonce blob to hex for logging
return result; string blobHex = binaryToHex(response.credential_blob());
stringstream logStream;
logStream << "Received nonce blob: " << blobHex;
LOGGER.info(logStream.str());
// Return the response
return response.SerializeAsString();
} else { } else {
stringstream errormsg; stringstream errormsg;
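Review bot: `response.ParseFromString(r.text)` reports a malformed, truncated or empty body by returning false rather than by throwing, so the new try/catch does not catch the common failure, and its return value is ignored; as far as I recall `google::protobuf::FatalException` is only raised from `GOOGLE_LOG(FATAL)` when protobuf is built with `PROTOBUF_USE_EXCEPTIONS`, which is not a parse-failure signal. As written, a corrupt ACA reply is logged as "Received nonce blob: " with an empty blob and re-serialized back to the caller, leaving provision() to discover the problem. Suggest replacing the try/catch with a return-value check, `if (!response.ParseFromString(r.text) || !response.has_credential_blob()) {` followed by the existing error path, which also makes the "did not contain credential_blob." message accurate. sendIdentityClaim starts and ends outside the hunk.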


@ -130,16 +130,15 @@ int provision() {
identityClaim.set_paccoroutput(paccorOutputString); identityClaim.set_paccoroutput(paccorOutputString);
RestfulClientProvisioner provisioner; RestfulClientProvisioner provisioner;
string response = provisioner.sendIdentityClaim(identityClaim); string response = provisioner.sendIdentityClaim(identityClaim);
vector<string> response_vector = hirs::string_utils::split(response, ';'); hirs::pb::IdentityClaimResponse icr;
if (!icr.ParseFromString(response) || !icr.has_credential_blob()) {
string nonceBlob = response_vector.at(0);
string mask = response_vector.at(1);
if (nonceBlob == "" || mask == "") {
cout << "----> Provisioning failed." << endl; cout << "----> Provisioning failed." << endl;
cout << "Please refer to the Attestation CA for details." << endl; cout << "The ACA did not send make credential information." << endl;
return 0; return 0;
} }
string nonceBlob = icr.credential_blob();
// activateIdentity requires we read makeCredential output from a file // activateIdentity requires we read makeCredential output from a file
cout << "----> Received response. Attempting to decrypt nonce" << endl; cout << "----> Received response. Attempting to decrypt nonce" << endl;
try { try {
@ -157,8 +156,10 @@ int provision() {
hirs::pb::CertificateRequest certificateRequest; hirs::pb::CertificateRequest certificateRequest;
certificateRequest.set_nonce(decryptedNonce); certificateRequest.set_nonce(decryptedNonce);
certificateRequest.set_quote(tpm2.getQuote( certificateRequest.set_quote(tpm2.getQuote(
mask, icr.has_pcr_mask()
decryptedNonce)); ? icr.pcr_mask()
: "0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23",
decryptedNonce));
const string& akCertificateByteString const string& akCertificateByteString
= provisioner.sendAttestationCertificateRequest(certificateRequest); = provisioner.sendAttestationCertificateRequest(certificateRequest);
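Review bot: `icr.pcr_mask()` comes from the ACA response and is passed straight to `tpm2.getQuote(...)` without any check on its format; getQuote is outside the hunk so I cannot see whether it sanitizes the string, but the provisioner should itself verify that the mask is a comma-separated list of integers in the range 0..23 before using it, and fall back to the full-PCR default (or fail provisioning) otherwise. The inline literal "0,1,2,...,23" in the ternary is hard to read and easy to mistype; hoist it to a named constant such as `static const string kAllPcrsMask = "0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23";` and write `icr.has_pcr_mask() ? icr.pcr_mask() : kAllPcrsMask`. The `has_credential_blob()` check in the first hunk is a sensible guard given that sendIdentityClaim currently returns a re-serialized response even on parse failure. provision() starts and ends outside the hunk.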


@ -13,7 +13,7 @@ import javax.persistence.Column;
import javax.persistence.Entity; import javax.persistence.Entity;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.util.Arrays; import java.util.ArrayList;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
@ -171,20 +171,19 @@ public final class PCRPolicy extends Policy {
short localityAtRelease = 0; short localityAtRelease = 0;
String quoteString = new String(tpmQuote, StandardCharsets.UTF_8); String quoteString = new String(tpmQuote, StandardCharsets.UTF_8);
int pcrMaskSelection = PcrSelection.ALL_PCRS_ON; int pcrMaskSelection = PcrSelection.ALL_PCRS_ON;
int recordLength = baselinePcrs.length;
if (enableIgnoreIma) { if (enableIgnoreIma) {
pcrMaskSelection = IMA_MASK; pcrMaskSelection = IMA_MASK;
recordLength--;
} }
TPMMeasurementRecord[] measurements = new TPMMeasurementRecord[recordLength]; ArrayList<TPMMeasurementRecord> measurements = new ArrayList<>();
try { try {
for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) { for (int i = 0; i < storedPcrs.length; i++) {
if (i == 10 && enableIgnoreIma) { if (i == IMA_PCR && enableIgnoreIma) {
LOGGER.info("Ignore IMA PCR policy is enabled."); LOGGER.info("Ignore IMA PCR policy is enabled.");
} else { } else {
measurements[i] = new TPMMeasurementRecord(i, storedPcrs[i]); measurements.add(new TPMMeasurementRecord(i, storedPcrs[i]));
} }
} }
} catch (DecoderException deEx) { } catch (DecoderException deEx) {
@ -193,8 +192,7 @@ public final class PCRPolicy extends Policy {
PcrSelection pcrSelection = new PcrSelection(pcrMaskSelection); PcrSelection pcrSelection = new PcrSelection(pcrMaskSelection);
PcrComposite pcrComposite = new PcrComposite( PcrComposite pcrComposite = new PcrComposite(
pcrSelection, pcrSelection, measurements);
Arrays.asList(measurements));
PcrInfoShort pcrInfoShort = new PcrInfoShort(pcrSelection, PcrInfoShort pcrInfoShort = new PcrInfoShort(pcrSelection,
localityAtRelease, localityAtRelease,
tpmQuote, pcrComposite); tpmQuote, pcrComposite);
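Review bot: The rewritten loop `for (int i = 0; i < storedPcrs.length; i++)` is bounded only by the input array, whereas the previous loop stopped at `TPMMeasurementRecord.MAX_PCR_ID`; storedPcrs appears to be derived from the device's submitted PCR content (see the commented-out `buildStoredPcrs` call in SupplyChainValidationServiceImpl), so an oversized array now reaches `new TPMMeasurementRecord(i, storedPcrs[i])` with a PCR id above the maximum, and what that constructor does with it is outside this hunk. Suggest `for (int i = 0; i < storedPcrs.length && i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {`, and when `pcrMaskSelection` is `ALL_PCRS_ON` a short array should be rejected up front, since the composite would otherwise hold fewer records than the selection declares. Style: declare the local as `List<TPMMeasurementRecord> measurements = new ArrayList<>();` — `java.util.List` is already imported — rather than the concrete `ArrayList`. The enclosing method starts and ends outside the hunk.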