ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2024-12-20 05:28:22 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

check for signature type validity; if not valid, don't process and don't print

Browse Source
This commit is contained in:
iadgovuser58 2024-05-08 17:41:10 -04:00
parent a903b0e448
commit 99f93d521a
5 changed files with 80 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java
View File

@ -161,10 +161,10 @@ public class UefiSignatureData {
sigInfo = status; sigInfo = status;
} else { } else {
if (signatureType.getVendorTableReference().equals("EFI_CERT_SHA256_GUID")) { if (signatureType.getVendorTableReference().equals("EFI_CERT_SHA256_GUID")) {
sigInfo += "UEFI Signature Owner = " + efiVarGuid.toString() + "\n"; sigInfo += " UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
sigInfo += " Binary Hash = " + HexUtils.byteArrayToHexString(binaryHash) + "\n"; sigInfo += " Binary Hash = " + HexUtils.byteArrayToHexString(binaryHash) + "\n";
} else { } else {
sigInfo += "UEFI Signature Owner = " + efiVarGuid.toString() + "\n"; sigInfo += " UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
sigInfo += cert.toString(); sigInfo += cert.toString();
} }
} }

47
HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java
View File

@ -47,11 +47,16 @@ public class UefiSignatureList {
/** /**
* Signature validity. * Signature validity.
*/ */
private boolean valid = true; @Getter
private boolean signatureTypeValid = false;
/** /**
* Current status. * Data validity.
*/ */
private String status = "Signature List is Valid"; private boolean dataValid = true;
/**
* Current status of Signature List data.
*/
private String dataStatus = "Signature List data validity is undetermined yet";
/** /**
* Array List of Signature found in the list. * Array List of Signature found in the list.
*/ */
@ -110,17 +115,23 @@ public class UefiSignatureList {
lists.read(guid); lists.read(guid);
signatureType = new UefiGuid(guid); signatureType = new UefiGuid(guid);
// if signatureType is invalid, don't even process any of the data
// however, if signatureTYpe is valid, but some of the data later on is invalid, that will
// be caught when UefiSignatureData is processed
if (!isValidSigListGUID(signatureType)) { if (!isValidSigListGUID(signatureType)) {
processSignatureData(lists); //processSignatureData(lists);
signatureTypeValid = false;
} else { // valid SigData Processing } else { // valid SigData Processing
byte[] lSize = new byte[UefiConstants.SIZE_4]; signatureTypeValid = true;
byte[] lSize = new byte[UefiConstants.SIZE_4]; // signature list size
lists.read(lSize); lists.read(lSize);
listSize = HexUtils.leReverseInt(lSize); listSize = HexUtils.leReverseInt(lSize);
byte[] hSize = new byte[UefiConstants.SIZE_4]; byte[] hSize = new byte[UefiConstants.SIZE_4]; // signature header size
lists.read(hSize); lists.read(hSize);
byte[] sSize = new byte[UefiConstants.SIZE_4]; byte[] sSize = new byte[UefiConstants.SIZE_4]; // signature size
lists.read(sSize); lists.read(sSize);
signatureSize = listSize - UefiConstants.SIZE_28; signatureSize = listSize - UefiConstants.SIZE_28;
sigData = new byte[signatureSize]; sigData = new byte[signatureSize];
@ -143,8 +154,8 @@ public class UefiSignatureList {
while (efiSigDataIS.available() > 0) { while (efiSigDataIS.available() > 0) {
UefiSignatureData tmpSigData = new UefiSignatureData(efiSigDataIS, signatureType); UefiSignatureData tmpSigData = new UefiSignatureData(efiSigDataIS, signatureType);
if (!tmpSigData.isValid()) { if (!tmpSigData.isValid()) {
valid = false; dataValid = false;
status = tmpSigData.getStatus(); dataStatus = tmpSigData.getStatus();
break; break;
} }
sigList.add(tmpSigData); sigList.add(tmpSigData);
@ -165,8 +176,8 @@ public class UefiSignatureList {
while (sigDataIS.available() > 0) { while (sigDataIS.available() > 0) {
UefiSignatureData tmpigData = new UefiSignatureData(sigDataIS, signatureType); UefiSignatureData tmpigData = new UefiSignatureData(sigDataIS, signatureType);
if (!tmpigData.isValid()) { if (!tmpigData.isValid()) {
valid = false; dataValid = false;
status = tmpigData.getStatus(); dataStatus = tmpigData.getStatus();
break; break;
} }
sigList.add(tmpigData); sigList.add(tmpigData);
@ -201,15 +212,21 @@ public class UefiSignatureList {
*/ */
public String toString() { public String toString() {
StringBuilder sigInfo = new StringBuilder(); StringBuilder sigInfo = new StringBuilder();
sigInfo.append("UEFI Signature List Type = " + signatureType.toString() + "\n");
sigInfo.append("Number if items = " + numberOfCerts + "\n"); if (!signatureTypeValid) {
sigInfo.append(" *** Unknown UEFI Signature Type encountered: " + signatureType.toString() + "\n");
}
else {
sigInfo.append(" UEFI Signature List Type = " + signatureType.toString() + "\n");
sigInfo.append(" Number if items (certs, hashes, etc) = " + numberOfCerts + "\n");
for (int i = 0; i < sigList.size(); i++) { for (int i = 0; i < sigList.size(); i++) {
UefiSignatureData certData = sigList.get(i); UefiSignatureData certData = sigList.get(i);
sigInfo.append(certData.toString()); sigInfo.append(certData.toString());
} }
if (!valid) { if (!dataValid) {
sigInfo.append("*** Invalid UEFI Signature data encountered: " + status + "\n"); sigInfo.append(" *** Invalid UEFI Signature data encountered: " + dataStatus + "\n");
}
} }
return sigInfo.toString(); return sigInfo.toString();
} }

36
HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java
View File

@ -38,6 +38,14 @@ public class UefiVariable {
*/ */
@Getter @Getter
private String efiVarName = ""; private String efiVarName = "";
/**
* Encountered invalid UEFI Signature List
*/
private boolean invalidSignatureListEncountered = false;
/**
* Invalid UEFI Signature List
*/
private String invalidSignatureListStatus = "";
/** /**
* UEFI defined Boot Variable. * UEFI defined Boot Variable.
*/ */
@ -122,7 +130,7 @@ public class UefiVariable {
} }
/** /**
* Processes the data as a UEFI defined Signature List. * Processes the data as a list of UEFI defined Signature Lists.
* *
* @param data the bye array holding the Signature List. * @param data the bye array holding the Signature List.
* @throws java.security.cert.CertificateException If there a problem * @throws java.security.cert.CertificateException If there a problem
@ -138,6 +146,12 @@ public class UefiVariable {
while (certData.available() > 0) { while (certData.available() > 0) {
UefiSignatureList list; UefiSignatureList list;
list = new UefiSignatureList(certData); list = new UefiSignatureList(certData);
// efiVariableSigListContents += list.toString();
if(!list.isSignatureTypeValid()) {
invalidSignatureListEncountered = true;
invalidSignatureListStatus = list.toString();
break;
}
certSuperList.add(list); certSuperList.add(list);
} }
} }
@ -150,11 +164,11 @@ public class UefiVariable {
public String toString() { public String toString() {
StringBuilder efiVariable = new StringBuilder(); StringBuilder efiVariable = new StringBuilder();
efiVariable.append("UEFI Variable Name:" + efiVarName + "\n"); efiVariable.append("UEFI Variable Name:" + efiVarName + "\n");
efiVariable.append("UEFI_GUID = " + uefiVarGuid.toString() + "\n "); efiVariable.append("UEFI Variable GUID = " + uefiVarGuid.toString() + "\n");
if (efiVarName != "") { if (efiVarName != "") {
efiVariable.append("UEFI Variable Contents => " + "\n "); efiVariable.append("UEFI Variable Contents => " + "\n");
} }
String tmpName = efiVarName; String tmpName = "";
if (efiVarName.contains("Boot00")) { if (efiVarName.contains("Boot00")) {
tmpName = "Boot00"; tmpName = "Boot00";
} else { } else {
@ -165,6 +179,11 @@ public class UefiVariable {
case "MokList": case "MokList":
efiVariable.append(printCert(uefiVariableData, 0)); efiVariable.append(printCert(uefiVariableData, 0));
break; break;
case "PK":
case "KEK":
case "db":
case "dbx":
break;
case "Boot00": case "Boot00":
efiVariable.append(bootv.toString()); efiVariable.append(bootv.toString());
break; break;
@ -177,14 +196,19 @@ public class UefiVariable {
default: default:
if (!tmpName.isEmpty()) { if (!tmpName.isEmpty()) {
efiVariable.append(String.format("Data not provided for " efiVariable.append(String.format("Data not provided for "
+ "UEFI variable named %s ", tmpName)); + "UEFI variable named %s \n", tmpName));
} else { } else {
efiVariable.append("Data not provided "); efiVariable.append("Data not provided \n");
} }
} }
for (UefiSignatureList uefiSigList : certSuperList) { for (UefiSignatureList uefiSigList : certSuperList) {
efiVariable.append(uefiSigList.toString()); efiVariable.append(uefiSigList.toString());
} }
if(invalidSignatureListEncountered) {
efiVariable.append(invalidSignatureListStatus);
efiVariable.append("*** Encountered invalid Signature Type - " +
"Stopped processing of this event data\n");
}
return efiVariable.toString(); return efiVariable.toString();
} }

2
tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java
View File

@ -11,6 +11,7 @@ import java.security.cert.CertificateException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collection; import java.util.Collection;
import hirs.utils.tpm.eventlog.TCGEventLog; import hirs.utils.tpm.eventlog.TCGEventLog;
import hirs.utils.tpm.eventlog.TpmPcrEvent; import hirs.utils.tpm.eventlog.TpmPcrEvent;
import hirs.utils.HexUtils; import hirs.utils.HexUtils;
@ -333,6 +334,7 @@ final class Main {
} }
return matchFound; return matchFound;
} }
/** /**
* Diagnostic method for detecting flag settings. * Diagnostic method for detecting flag settings.
*/ */