Utilize protobuf to parse claim response. Work on array handling on ACA.
This commit is contained in:
parent
483099a273
commit
95c5e40f89
@ -458,7 +458,7 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
// Package response
|
||||
ProvisionerTpm2.IdentityClaimResponse response
|
||||
= ProvisionerTpm2.IdentityClaimResponse.newBuilder()
|
||||
.setCredentialBlob(blobStr).setMask(pcrQuoteMask)
|
||||
.setCredentialBlob(blobStr).setPcrMask(pcrQuoteMask)
|
||||
.build();
|
||||
|
||||
return response.toByteArray();
|
||||
|
@ -520,9 +520,9 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
+ "provide pcr values.", device.getName()));
|
||||
} else {
|
||||
// we have a full set of PCR values
|
||||
int algorithmLength = baseline[0].length();
|
||||
String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength);
|
||||
pcrPolicy.validatePcrs(storedPcrs);
|
||||
//int algorithmLength = baseline[0].length();
|
||||
//String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength);
|
||||
//pcrPolicy.validatePcrs(storedPcrs);
|
||||
|
||||
// part 2 of firmware validation check: bios measurements
|
||||
// vs baseline tcg event log
|
||||
@ -606,7 +606,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
SupplyChainValidationSummary summary = null;
|
||||
Level level = Level.ERROR;
|
||||
AppraisalStatus fwStatus = new AppraisalStatus(FAIL,
|
||||
SupplyChainCredentialValidator.FIRMWARE_VALID);
|
||||
"Unknown exception caught during quote validation.");
|
||||
SupportReferenceManifest sRim = null;
|
||||
EventLogMeasurements eventLog = null;
|
||||
|
||||
|
@ -79,7 +79,7 @@ message TpmQuote {
|
||||
|
||||
message IdentityClaimResponse {
|
||||
required bytes credential_blob = 1;
|
||||
required string mask = 2;
|
||||
optional string pcr_mask = 2;
|
||||
}
|
||||
|
||||
message CertificateRequest {
|
||||
|
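Review bot: Field number 2 of `IdentityClaimResponse` is reused for the renamed `optional string pcr_mask` after `required string mask` is removed; the wire type is unchanged so old and new peers still decode each other, but nothing in the file records that history, and a later author could reassign the number to an incompatible type. A one-line comment on the field would pin it: `optional string pcr_mask = 2;  // formerly required "mask"; number kept for wire compatibility`. Relaxing the field from required to optional also moves the responsibility for an absent mask onto the provisioner, which the provision() change elsewhere in this commit handles with a default PCR list — worth stating in the same comment so the two sides stay in step.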
@ -60,7 +60,6 @@ string RestfulClientProvisioner::sendIdentityClaim(
|
||||
}
|
||||
|
||||
string identityClaimByteString;
|
||||
string result;
|
||||
identityClaim.SerializeToString(&identityClaimByteString);
|
||||
|
||||
// Send serialized Identity Claim to ACA
|
||||
@ -82,21 +81,25 @@ string RestfulClientProvisioner::sendIdentityClaim(
|
||||
}
|
||||
|
||||
IdentityClaimResponse response;
|
||||
try {
|
||||
response.ParseFromString(r.text);
|
||||
|
||||
{
|
||||
// Convert the nonce blob to hex for logging
|
||||
string blobHex = binaryToHex(response.credential_blob());
|
||||
stringstream responses;
|
||||
responses << response.credential_blob() << ";" << response.mask();
|
||||
stringstream logStream;
|
||||
result = responses.str();
|
||||
logStream << "Received nonce blob: " << blobHex;
|
||||
LOGGER.info(logStream.str());
|
||||
} catch (const google::protobuf::FatalException& e) {
|
||||
LOGGER.error(e.what());
|
||||
stringstream errormsg;
|
||||
errormsg << "Provisioning failed. IdentityClaimResponse "
|
||||
<< "did not contain credential_blob.";
|
||||
throw HirsRuntimeException(errormsg.str(),
|
||||
"RestfulClientProvisioner::sendIdentityClaim");
|
||||
}
|
||||
|
||||
// Return the wrapped nonce blob
|
||||
return result;
|
||||
// Convert the nonce blob to hex for logging
|
||||
string blobHex = binaryToHex(response.credential_blob());
|
||||
stringstream logStream;
|
||||
logStream << "Received nonce blob: " << blobHex;
|
||||
LOGGER.info(logStream.str());
|
||||
|
||||
// Return the response
|
||||
return response.SerializeAsString();
|
||||
|
||||
} else {
|
||||
stringstream errormsg;
|
||||
|
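Review bot: The return value of `response.ParseFromString(r.text)` in the hunk at @ -82 is ignored, and the visible new side no longer has the `try`/`catch` that previously turned a missing `credential_blob` into a `HirsRuntimeException`; `ParseFromString` returns false on malformed input and, for a proto2 message with a required field, when `credential_blob` is absent, in which case the function goes on to log an empty blob and return a serialized empty message. The caller in provision() does check `has_credential_blob()` afterwards, but the error context (HTTP response, provisioner method) is lost by then, so the check belongs here, keeping the existing message and exception type. sendIdentityClaim starts and ends outside the hunk.
```cpp
    IdentityClaimResponse response;
    if (!response.ParseFromString(r.text) || !response.has_credential_blob()) {
        stringstream errormsg;
        errormsg << "Provisioning failed. IdentityClaimResponse "
                 << "did not contain credential_blob.";
        throw HirsRuntimeException(errormsg.str(),
                                   "RestfulClientProvisioner::sendIdentityClaim");
    }
    // … unchanged: hex conversion and logging of the nonce blob …
    return response.SerializeAsString();
```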
@ -130,16 +130,15 @@ int provision() {
|
||||
identityClaim.set_paccoroutput(paccorOutputString);
|
||||
RestfulClientProvisioner provisioner;
|
||||
string response = provisioner.sendIdentityClaim(identityClaim);
|
||||
vector<string> response_vector = hirs::string_utils::split(response, ';');
|
||||
|
||||
string nonceBlob = response_vector.at(0);
|
||||
string mask = response_vector.at(1);
|
||||
if (nonceBlob == "" || mask == "") {
|
||||
hirs::pb::IdentityClaimResponse icr;
|
||||
if (!icr.ParseFromString(response) || !icr.has_credential_blob()) {
|
||||
cout << "----> Provisioning failed." << endl;
|
||||
cout << "Please refer to the Attestation CA for details." << endl;
|
||||
cout << "The ACA did not send make credential information." << endl;
|
||||
return 0;
|
||||
}
|
||||
|
||||
string nonceBlob = icr.credential_blob();
|
||||
|
||||
// activateIdentity requires we read makeCredential output from a file
|
||||
cout << "----> Received response. Attempting to decrypt nonce" << endl;
|
||||
try {
|
||||
@ -157,7 +156,9 @@ int provision() {
|
||||
hirs::pb::CertificateRequest certificateRequest;
|
||||
certificateRequest.set_nonce(decryptedNonce);
|
||||
certificateRequest.set_quote(tpm2.getQuote(
|
||||
mask,
|
||||
icr.has_pcr_mask()
|
||||
? icr.pcr_mask()
|
||||
: "0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23",
|
||||
decryptedNonce));
|
||||
|
||||
const string& akCertificateByteString
|
||||
|
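Review bot: The guard `!icr.has_credential_blob()` in the hunk at @ -130 accepts a credential_blob that is present but empty, which the string check it replaces (`nonceBlob == ""`) rejected; extend it to `if (!icr.ParseFromString(response) || !icr.has_credential_blob() || icr.credential_blob().empty()) {` so an empty blob still reports the failure instead of reaching the decrypt step. In the hunk at @ -157 the fallback PCR list is a 24-entry inline literal inside the `getQuote` argument; a named constant above the call (`static const string kAllPcrsMask = "0,1,...,23";`, spelled out in full) and a one-line comment that it is used when the ACA omits `pcr_mask` would make the default's meaning explicit. provision() starts and ends outside both hunks.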
@ -13,7 +13,7 @@ import javax.persistence.Column;
|
||||
import javax.persistence.Entity;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.util.Arrays;
|
||||
import java.util.ArrayList;
|
||||
import java.util.LinkedList;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
@ -171,20 +171,19 @@ public final class PCRPolicy extends Policy {
|
||||
short localityAtRelease = 0;
|
||||
String quoteString = new String(tpmQuote, StandardCharsets.UTF_8);
|
||||
int pcrMaskSelection = PcrSelection.ALL_PCRS_ON;
|
||||
int recordLength = baselinePcrs.length;
|
||||
|
||||
if (enableIgnoreIma) {
|
||||
pcrMaskSelection = IMA_MASK;
|
||||
recordLength--;
|
||||
}
|
||||
|
||||
TPMMeasurementRecord[] measurements = new TPMMeasurementRecord[recordLength];
|
||||
ArrayList<TPMMeasurementRecord> measurements = new ArrayList<>();
|
||||
|
||||
try {
|
||||
for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {
|
||||
if (i == 10 && enableIgnoreIma) {
|
||||
for (int i = 0; i < storedPcrs.length; i++) {
|
||||
if (i == IMA_PCR && enableIgnoreIma) {
|
||||
LOGGER.info("Ignore IMA PCR policy is enabled.");
|
||||
} else {
|
||||
measurements[i] = new TPMMeasurementRecord(i, storedPcrs[i]);
|
||||
measurements.add(new TPMMeasurementRecord(i, storedPcrs[i]));
|
||||
}
|
||||
}
|
||||
} catch (DecoderException deEx) {
|
||||
@ -193,8 +192,7 @@ public final class PCRPolicy extends Policy {
|
||||
|
||||
PcrSelection pcrSelection = new PcrSelection(pcrMaskSelection);
|
||||
PcrComposite pcrComposite = new PcrComposite(
|
||||
pcrSelection,
|
||||
Arrays.asList(measurements));
|
||||
pcrSelection, measurements);
|
||||
PcrInfoShort pcrInfoShort = new PcrInfoShort(pcrSelection,
|
||||
localityAtRelease,
|
||||
tpmQuote, pcrComposite);
|
||||
|
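Review bot: `recordLength`, declared from `baselinePcrs.length` and decremented under `enableIgnoreIma` in the hunk at @ -171, is no longer read on the new side once the fixed-size array is replaced by `new ArrayList<>()`, so within the visible lines those statements are dead and `recordLength--` has no effect; either drop them or use the value to pre-size the list, `ArrayList<TPMMeasurementRecord> measurements = new ArrayList<>(recordLength);`. The loop bound also changes from `TPMMeasurementRecord.MAX_PCR_ID` to `storedPcrs.length`, so the number of records now follows the array the caller supplies rather than the TPM's PCR count; a short comment stating that `storedPcrs` is expected to hold at most MAX_PCR_ID + 1 entries, or a bound check before the loop, would document that assumption. The hunk at @ -193 follows from the same change and needs nothing further. The validation method starts before and ends after these hunks.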