Utilize protobuf to parse claim response. Work on array handling on ACA.

This commit is contained in:
iadgovuser29 2021-11-23 22:01:16 -05:00
parent 483099a273
commit 95c5e40f89
6 changed files with 39 additions and 37 deletions


@ -458,7 +458,7 @@ public abstract class AbstractAttestationCertificateAuthority
// Package response
ProvisionerTpm2.IdentityClaimResponse response
= ProvisionerTpm2.IdentityClaimResponse.newBuilder()
.setCredentialBlob(blobStr).setMask(pcrQuoteMask)
.setCredentialBlob(blobStr).setPcrMask(pcrQuoteMask)
.build();
return response.toByteArray();
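Review bot: `.setPcrMask(pcrQuoteMask)` is still invoked unconditionally on the new side even though the wire field is now optional, and generated protobuf Java setters throw NullPointerException when handed null, so a missing mask would fail on the ACA instead of letting the provisioner's full-PCR fallback take effect. If `pcrQuoteMask` can be null or empty on this path (its origin is outside the hunk), build the response in two steps, e.g. `var builder = ProvisionerTpm2.IdentityClaimResponse.newBuilder().setCredentialBlob(blobStr);` followed by `if (pcrQuoteMask != null && !pcrQuoteMask.isEmpty()) { builder.setPcrMask(pcrQuoteMask); }` and `return builder.build().toByteArray();`. The enclosing method starts outside the hunk.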


@ -520,9 +520,9 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
+ "provide pcr values.", device.getName()));
} else {
// we have a full set of PCR values
int algorithmLength = baseline[0].length();
String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength);
pcrPolicy.validatePcrs(storedPcrs);
//int algorithmLength = baseline[0].length();
//String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength);
//pcrPolicy.validatePcrs(storedPcrs);
// part 2 of firmware validation check: bios measurements
// vs baseline tcg event log
@ -606,7 +606,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
SupplyChainValidationSummary summary = null;
Level level = Level.ERROR;
AppraisalStatus fwStatus = new AppraisalStatus(FAIL,
SupplyChainCredentialValidator.FIRMWARE_VALID);
"Unknown exception caught during quote validation.");
SupportReferenceManifest sRim = null;
EventLogMeasurements eventLog = null;
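Review bot: The rendered hunk at `@ -520,9 +520,9` does not show which copy of the PCR comparison survives, and the difference is security-relevant: if the three `//` lines are the new side, `pcrPolicy.validatePcrs(storedPcrs)` no longer runs in the "we have a full set of PCR values" branch and firmware validation proceeds to the event-log check without ever comparing the quoted PCRs to the baseline; if the live lines are the new side, the commented-out copy should simply be deleted rather than kept beside them. In either case the surviving statement `pcrPolicy.validatePcrs(storedPcrs);` discards whatever `validatePcrs` returns, so if it yields an `AppraisalStatus` assign it to the status variable this branch reports, or add a comment stating that it reports by side effect. The enclosing method starts and ends outside the hunk.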


@ -79,7 +79,7 @@ message TpmQuote {
message IdentityClaimResponse {
required bytes credential_blob = 1;
required string mask = 2;
optional string pcr_mask = 2;
}
message CertificateRequest {
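Review bot: The new `optional string pcr_mask = 2;` carries no comment describing what a consumer should do when the ACA omits it, while the provisioner in this same commit falls back to quoting PCRs 0–23; document that contract on the field, e.g. `// Comma-separated PCR indices to include in the quote; when absent the provisioner quotes all 24 PCRs.` Reusing tag 2 under a new name with the same string type is wire-compatible, but a provisioner built against the old schema still treats tag 2 as the required `mask`, so mixed ACA/provisioner versions need to be ruled out when this is rolled out.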


@ -60,7 +60,6 @@ string RestfulClientProvisioner::sendIdentityClaim(
}
string identityClaimByteString;
string result;
identityClaim.SerializeToString(&identityClaimByteString);
// Send serialized Identity Claim to ACA
@ -82,21 +81,25 @@ string RestfulClientProvisioner::sendIdentityClaim(
}
IdentityClaimResponse response;
response.ParseFromString(r.text);
{
// Convert the nonce blob to hex for logging
string blobHex = binaryToHex(response.credential_blob());
stringstream responses;
responses << response.credential_blob() << ";" << response.mask();
stringstream logStream;
result = responses.str();
logStream << "Received nonce blob: " << blobHex;
LOGGER.info(logStream.str());
try {
response.ParseFromString(r.text);
} catch (const google::protobuf::FatalException& e) {
LOGGER.error(e.what());
stringstream errormsg;
errormsg << "Provisioning failed. IdentityClaimResponse "
<< "did not contain credential_blob.";
throw HirsRuntimeException(errormsg.str(),
"RestfulClientProvisioner::sendIdentityClaim");
}
// Return the wrapped nonce blob
return result;
// Convert the nonce blob to hex for logging
string blobHex = binaryToHex(response.credential_blob());
stringstream logStream;
logStream << "Received nonce blob: " << blobHex;
LOGGER.info(logStream.str());
// Return the response
return response.SerializeAsString();
} else {
stringstream errormsg;
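Review bot: The new `try { response.ParseFromString(r.text); } catch (const google::protobuf::FatalException& e)` does not catch the failure it is written for: `ParseFromString` reports malformed input or a missing required field (here `credential_blob`) by returning false, and `FatalException` is only raised when protobuf is built with exceptions enabled, so with the boolean result discarded a bad response still reaches `response.credential_blob()` and an empty blob is serialized back to the caller. Check the return value and the presence of the field instead, which also makes the existing "did not contain credential_blob" text accurate; `provision()` in this commit already does exactly that with `has_credential_blob()`, so this hunk can mirror it. sendIdentityClaim starts and ends outside the hunk.
```cpp
IdentityClaimResponse response;
// ParseFromString signals malformed input and missing required fields by
// returning false; it does not throw unless protobuf was built with exceptions.
if (!response.ParseFromString(r.text) || !response.has_credential_blob()) {
    stringstream errormsg;
    errormsg << "Provisioning failed. IdentityClaimResponse "
             << "did not contain credential_blob.";
    throw HirsRuntimeException(errormsg.str(),
                               "RestfulClientProvisioner::sendIdentityClaim");
}
// … unchanged: hex logging of the credential blob and the SerializeAsString return …
```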


@ -130,16 +130,15 @@ int provision() {
identityClaim.set_paccoroutput(paccorOutputString);
RestfulClientProvisioner provisioner;
string response = provisioner.sendIdentityClaim(identityClaim);
vector<string> response_vector = hirs::string_utils::split(response, ';');
string nonceBlob = response_vector.at(0);
string mask = response_vector.at(1);
if (nonceBlob == "" || mask == "") {
hirs::pb::IdentityClaimResponse icr;
if (!icr.ParseFromString(response) || !icr.has_credential_blob()) {
cout << "----> Provisioning failed." << endl;
cout << "Please refer to the Attestation CA for details." << endl;
cout << "The ACA did not send make credential information." << endl;
return 0;
}
string nonceBlob = icr.credential_blob();
// activateIdentity requires we read makeCredential output from a file
cout << "----> Received response. Attempting to decrypt nonce" << endl;
try {
@ -157,8 +156,10 @@ int provision() {
hirs::pb::CertificateRequest certificateRequest;
certificateRequest.set_nonce(decryptedNonce);
certificateRequest.set_quote(tpm2.getQuote(
mask,
decryptedNonce));
icr.has_pcr_mask()
? icr.pcr_mask()
: "0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23",
decryptedNonce));
const string& akCertificateByteString
= provisioner.sendAttestationCertificateRequest(certificateRequest);
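Review bot: The fallback mask on the new side, the `"0,1,2,...,23"` literal inlined in a ternary inside the `tpm2.getQuote(` argument list, is a magic value with no name or comment; hoist it to a named constant beside `provision()`, e.g. `// Quote every PCR when the ACA sends no pcr_mask.` followed by `static const string kAllPcrsMask = "0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23";`, and pass `icr.has_pcr_mask() ? icr.pcr_mask() : kAllPcrsMask`. Quoting all 24 PCRs when the ACA omits the mask is the conservative default, so the behaviour itself looks right. `icr.pcr_mask()` is taken from the ACA response and handed to `tpm2.getQuote` without validation; if getQuote splits it on commas without range-checking each index (its body is not visible here), a check that every entry is 0–23 belongs either here or in getQuote. provision() starts and ends outside the hunk.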


@ -13,7 +13,7 @@ import javax.persistence.Column;
import javax.persistence.Entity;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
@ -171,20 +171,19 @@ public final class PCRPolicy extends Policy {
short localityAtRelease = 0;
String quoteString = new String(tpmQuote, StandardCharsets.UTF_8);
int pcrMaskSelection = PcrSelection.ALL_PCRS_ON;
int recordLength = baselinePcrs.length;
if (enableIgnoreIma) {
pcrMaskSelection = IMA_MASK;
recordLength--;
}
TPMMeasurementRecord[] measurements = new TPMMeasurementRecord[recordLength];
ArrayList<TPMMeasurementRecord> measurements = new ArrayList<>();
try {
for (int i = 0; i <= TPMMeasurementRecord.MAX_PCR_ID; i++) {
if (i == 10 && enableIgnoreIma) {
for (int i = 0; i < storedPcrs.length; i++) {
if (i == IMA_PCR && enableIgnoreIma) {
LOGGER.info("Ignore IMA PCR policy is enabled.");
} else {
measurements[i] = new TPMMeasurementRecord(i, storedPcrs[i]);
measurements.add(new TPMMeasurementRecord(i, storedPcrs[i]));
}
}
} catch (DecoderException deEx) {
@ -193,8 +192,7 @@ public final class PCRPolicy extends Policy {
PcrSelection pcrSelection = new PcrSelection(pcrMaskSelection);
PcrComposite pcrComposite = new PcrComposite(
pcrSelection,
Arrays.asList(measurements));
pcrSelection, measurements);
PcrInfoShort pcrInfoShort = new PcrInfoShort(pcrSelection,
localityAtRelease,
tpmQuote, pcrComposite);
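Review bot: The new loop `for (int i = 0; i < storedPcrs.length; i++)` builds `measurements` from whatever length `storedPcrs` happens to have, while `pcrMaskSelection` stays the fixed `PcrSelection.ALL_PCRS_ON` (or `IMA_MASK`), so a short or over-long array yields a `PcrComposite` whose record list no longer matches the selection mask it is paired with, and an index above `TPMMeasurementRecord.MAX_PCR_ID` would be passed to the record constructor. Guard the length before the loop, e.g. `if (storedPcrs.length != TPMMeasurementRecord.MAX_PCR_ID + 1) { throw new IllegalArgumentException("Expected " + (TPMMeasurementRecord.MAX_PCR_ID + 1) + " PCR values, got " + storedPcrs.length); }`, or route it through whatever failure path this method uses (its signature is outside the hunk). Also declare the list by its interface, `List<TPMMeasurementRecord> measurements = new ArrayList<>();`, since `java.util.List` is already imported and `PcrComposite` only needs the interface. Both the start and the end of the method lie outside the hunk.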