check for signature type validity; if not valid, don't process and don't print
This commit is contained in:
parent
a903b0e448
commit
99f93d521a
@ -161,10 +161,10 @@ public class UefiSignatureData {
|
|||||||
sigInfo = status;
|
sigInfo = status;
|
||||||
} else {
|
} else {
|
||||||
if (signatureType.getVendorTableReference().equals("EFI_CERT_SHA256_GUID")) {
|
if (signatureType.getVendorTableReference().equals("EFI_CERT_SHA256_GUID")) {
|
||||||
sigInfo += "UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
|
sigInfo += " UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
|
||||||
sigInfo += " Binary Hash = " + HexUtils.byteArrayToHexString(binaryHash) + "\n";
|
sigInfo += " Binary Hash = " + HexUtils.byteArrayToHexString(binaryHash) + "\n";
|
||||||
} else {
|
} else {
|
||||||
sigInfo += "UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
|
sigInfo += " UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
|
||||||
sigInfo += cert.toString();
|
sigInfo += cert.toString();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -47,11 +47,16 @@ public class UefiSignatureList {
|
|||||||
/**
|
/**
|
||||||
* Signature validity.
|
* Signature validity.
|
||||||
*/
|
*/
|
||||||
private boolean valid = true;
|
@Getter
|
||||||
|
private boolean signatureTypeValid = false;
|
||||||
/**
|
/**
|
||||||
* Current status.
|
* Data validity.
|
||||||
*/
|
*/
|
||||||
private String status = "Signature List is Valid";
|
private boolean dataValid = true;
|
||||||
|
/**
|
||||||
|
* Current status of Signature List data.
|
||||||
|
*/
|
||||||
|
private String dataStatus = "Signature List data validity is undetermined yet";
|
||||||
/**
|
/**
|
||||||
* Array List of Signature found in the list.
|
* Array List of Signature found in the list.
|
||||||
*/
|
*/
|
||||||
@ -110,17 +115,23 @@ public class UefiSignatureList {
|
|||||||
lists.read(guid);
|
lists.read(guid);
|
||||||
signatureType = new UefiGuid(guid);
|
signatureType = new UefiGuid(guid);
|
||||||
|
|
||||||
|
// if signatureType is invalid, don't even process any of the data
|
||||||
|
// however, if signatureTYpe is valid, but some of the data later on is invalid, that will
|
||||||
|
// be caught when UefiSignatureData is processed
|
||||||
if (!isValidSigListGUID(signatureType)) {
|
if (!isValidSigListGUID(signatureType)) {
|
||||||
processSignatureData(lists);
|
//processSignatureData(lists);
|
||||||
|
signatureTypeValid = false;
|
||||||
} else { // valid SigData Processing
|
} else { // valid SigData Processing
|
||||||
byte[] lSize = new byte[UefiConstants.SIZE_4];
|
signatureTypeValid = true;
|
||||||
|
|
||||||
|
byte[] lSize = new byte[UefiConstants.SIZE_4]; // signature list size
|
||||||
lists.read(lSize);
|
lists.read(lSize);
|
||||||
listSize = HexUtils.leReverseInt(lSize);
|
listSize = HexUtils.leReverseInt(lSize);
|
||||||
|
|
||||||
byte[] hSize = new byte[UefiConstants.SIZE_4];
|
byte[] hSize = new byte[UefiConstants.SIZE_4]; // signature header size
|
||||||
lists.read(hSize);
|
lists.read(hSize);
|
||||||
|
|
||||||
byte[] sSize = new byte[UefiConstants.SIZE_4];
|
byte[] sSize = new byte[UefiConstants.SIZE_4]; // signature size
|
||||||
lists.read(sSize);
|
lists.read(sSize);
|
||||||
signatureSize = listSize - UefiConstants.SIZE_28;
|
signatureSize = listSize - UefiConstants.SIZE_28;
|
||||||
sigData = new byte[signatureSize];
|
sigData = new byte[signatureSize];
|
||||||
@ -143,8 +154,8 @@ public class UefiSignatureList {
|
|||||||
while (efiSigDataIS.available() > 0) {
|
while (efiSigDataIS.available() > 0) {
|
||||||
UefiSignatureData tmpSigData = new UefiSignatureData(efiSigDataIS, signatureType);
|
UefiSignatureData tmpSigData = new UefiSignatureData(efiSigDataIS, signatureType);
|
||||||
if (!tmpSigData.isValid()) {
|
if (!tmpSigData.isValid()) {
|
||||||
valid = false;
|
dataValid = false;
|
||||||
status = tmpSigData.getStatus();
|
dataStatus = tmpSigData.getStatus();
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
sigList.add(tmpSigData);
|
sigList.add(tmpSigData);
|
||||||
@ -165,8 +176,8 @@ public class UefiSignatureList {
|
|||||||
while (sigDataIS.available() > 0) {
|
while (sigDataIS.available() > 0) {
|
||||||
UefiSignatureData tmpigData = new UefiSignatureData(sigDataIS, signatureType);
|
UefiSignatureData tmpigData = new UefiSignatureData(sigDataIS, signatureType);
|
||||||
if (!tmpigData.isValid()) {
|
if (!tmpigData.isValid()) {
|
||||||
valid = false;
|
dataValid = false;
|
||||||
status = tmpigData.getStatus();
|
dataStatus = tmpigData.getStatus();
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
sigList.add(tmpigData);
|
sigList.add(tmpigData);
|
||||||
@ -201,15 +212,21 @@ public class UefiSignatureList {
|
|||||||
*/
|
*/
|
||||||
public String toString() {
|
public String toString() {
|
||||||
StringBuilder sigInfo = new StringBuilder();
|
StringBuilder sigInfo = new StringBuilder();
|
||||||
sigInfo.append("UEFI Signature List Type = " + signatureType.toString() + "\n");
|
|
||||||
sigInfo.append("Number if items = " + numberOfCerts + "\n");
|
|
||||||
|
|
||||||
for (int i = 0; i < sigList.size(); i++) {
|
if (!signatureTypeValid) {
|
||||||
UefiSignatureData certData = sigList.get(i);
|
sigInfo.append(" *** Unknown UEFI Signature Type encountered: " + signatureType.toString() + "\n");
|
||||||
sigInfo.append(certData.toString());
|
|
||||||
}
|
}
|
||||||
if (!valid) {
|
else {
|
||||||
sigInfo.append("*** Invalid UEFI Signature data encountered: " + status + "\n");
|
sigInfo.append(" UEFI Signature List Type = " + signatureType.toString() + "\n");
|
||||||
|
sigInfo.append(" Number if items (certs, hashes, etc) = " + numberOfCerts + "\n");
|
||||||
|
|
||||||
|
for (int i = 0; i < sigList.size(); i++) {
|
||||||
|
UefiSignatureData certData = sigList.get(i);
|
||||||
|
sigInfo.append(certData.toString());
|
||||||
|
}
|
||||||
|
if (!dataValid) {
|
||||||
|
sigInfo.append(" *** Invalid UEFI Signature data encountered: " + dataStatus + "\n");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return sigInfo.toString();
|
return sigInfo.toString();
|
||||||
}
|
}
|
||||||
|
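Review bot: The new comment in hunk @ -110 says that data after a valid GUID "will be caught when UefiSignatureData is processed", but `listSize` is read straight from the event-log bytes and fed to `signatureSize = listSize - UefiConstants.SIZE_28;` and `sigData = new byte[signatureSize];` with no range check, so a value below 28 throws NegativeArraySizeException and an oversized one attempts an arbitrarily large allocation, and neither reaches the dataValid/dataStatus path this commit introduces. I would guard before the allocation, e.g. `if (listSize < UefiConstants.SIZE_28 || listSize - UefiConstants.SIZE_28 > lists.available()) { dataValid = false; dataStatus = "Signature List size is invalid"; }` and skip the remaining reads (this assumes `lists` is a ByteArrayInputStream like the other streams in this class — confirm). The `//processSignatureData(lists);` left in the invalid branch should be deleted rather than commented out, and the comment above it misspells `signatureTYpe`. In the toString hunk, the rewritten line `" Number if items (certs, hashes, etc) = "` keeps the old "Number if" typo and should read "Number of items". The enclosing constructor starts and ends outside the hunk.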
@ -38,6 +38,14 @@ public class UefiVariable {
|
|||||||
*/
|
*/
|
||||||
@Getter
|
@Getter
|
||||||
private String efiVarName = "";
|
private String efiVarName = "";
|
||||||
|
/**
|
||||||
|
* Encountered invalid UEFI Signature List
|
||||||
|
*/
|
||||||
|
private boolean invalidSignatureListEncountered = false;
|
||||||
|
/**
|
||||||
|
* Invalid UEFI Signature List
|
||||||
|
*/
|
||||||
|
private String invalidSignatureListStatus = "";
|
||||||
/**
|
/**
|
||||||
* UEFI defined Boot Variable.
|
* UEFI defined Boot Variable.
|
||||||
*/
|
*/
|
||||||
@ -122,7 +130,7 @@ public class UefiVariable {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Processes the data as a UEFI defined Signature List.
|
* Processes the data as a list of UEFI defined Signature Lists.
|
||||||
*
|
*
|
||||||
* @param data the bye array holding the Signature List.
|
* @param data the bye array holding the Signature List.
|
||||||
* @throws java.security.cert.CertificateException If there a problem
|
* @throws java.security.cert.CertificateException If there a problem
|
||||||
@ -138,6 +146,12 @@ public class UefiVariable {
|
|||||||
while (certData.available() > 0) {
|
while (certData.available() > 0) {
|
||||||
UefiSignatureList list;
|
UefiSignatureList list;
|
||||||
list = new UefiSignatureList(certData);
|
list = new UefiSignatureList(certData);
|
||||||
|
// efiVariableSigListContents += list.toString();
|
||||||
|
if(!list.isSignatureTypeValid()) {
|
||||||
|
invalidSignatureListEncountered = true;
|
||||||
|
invalidSignatureListStatus = list.toString();
|
||||||
|
break;
|
||||||
|
}
|
||||||
certSuperList.add(list);
|
certSuperList.add(list);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -150,11 +164,11 @@ public class UefiVariable {
|
|||||||
public String toString() {
|
public String toString() {
|
||||||
StringBuilder efiVariable = new StringBuilder();
|
StringBuilder efiVariable = new StringBuilder();
|
||||||
efiVariable.append("UEFI Variable Name:" + efiVarName + "\n");
|
efiVariable.append("UEFI Variable Name:" + efiVarName + "\n");
|
||||||
efiVariable.append("UEFI_GUID = " + uefiVarGuid.toString() + "\n ");
|
efiVariable.append("UEFI Variable GUID = " + uefiVarGuid.toString() + "\n");
|
||||||
if (efiVarName != "") {
|
if (efiVarName != "") {
|
||||||
efiVariable.append("UEFI Variable Contents => " + "\n ");
|
efiVariable.append("UEFI Variable Contents => " + "\n");
|
||||||
}
|
}
|
||||||
String tmpName = efiVarName;
|
String tmpName = "";
|
||||||
if (efiVarName.contains("Boot00")) {
|
if (efiVarName.contains("Boot00")) {
|
||||||
tmpName = "Boot00";
|
tmpName = "Boot00";
|
||||||
} else {
|
} else {
|
||||||
@ -165,6 +179,11 @@ public class UefiVariable {
|
|||||||
case "MokList":
|
case "MokList":
|
||||||
efiVariable.append(printCert(uefiVariableData, 0));
|
efiVariable.append(printCert(uefiVariableData, 0));
|
||||||
break;
|
break;
|
||||||
|
case "PK":
|
||||||
|
case "KEK":
|
||||||
|
case "db":
|
||||||
|
case "dbx":
|
||||||
|
break;
|
||||||
case "Boot00":
|
case "Boot00":
|
||||||
efiVariable.append(bootv.toString());
|
efiVariable.append(bootv.toString());
|
||||||
break;
|
break;
|
||||||
@ -177,14 +196,19 @@ public class UefiVariable {
|
|||||||
default:
|
default:
|
||||||
if (!tmpName.isEmpty()) {
|
if (!tmpName.isEmpty()) {
|
||||||
efiVariable.append(String.format("Data not provided for "
|
efiVariable.append(String.format("Data not provided for "
|
||||||
+ "UEFI variable named %s ", tmpName));
|
+ "UEFI variable named %s \n", tmpName));
|
||||||
} else {
|
} else {
|
||||||
efiVariable.append("Data not provided ");
|
efiVariable.append("Data not provided \n");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for (UefiSignatureList uefiSigList : certSuperList) {
|
for (UefiSignatureList uefiSigList : certSuperList) {
|
||||||
efiVariable.append(uefiSigList.toString());
|
efiVariable.append(uefiSigList.toString());
|
||||||
}
|
}
|
||||||
|
if(invalidSignatureListEncountered) {
|
||||||
|
efiVariable.append(invalidSignatureListStatus);
|
||||||
|
efiVariable.append("*** Encountered invalid Signature Type - " +
|
||||||
|
"Stopped processing of this event data\n");
|
||||||
|
}
|
||||||
return efiVariable.toString();
|
return efiVariable.toString();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
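Review bot: The added `if(!list.isSignatureTypeValid()) {` in hunk @ -138 and `if(invalidSignatureListEncountered) {` in hunk @ -177 are missing the space after `if` that every other condition in these hunks uses, and the newly added `// efiVariableSigListContents += list.toString();` is commented-out code that should be deleted rather than left in. While in hunk @ -150, the unchanged `if (efiVarName != "")` directly above the edited line compares object identity rather than content, so a non-literal empty name still passes; `if (!efiVarName.isEmpty())` is the intended test. After the `break` in hunk @ -138 the remaining bytes of `certData` are deliberately left unconsumed; a short comment such as `// stop: later lists cannot be located once a list's GUID is unknown` would make that intent explicit for the next reader. The enclosing methods start and end outside these hunks.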
@ -80,14 +80,14 @@ public class UefiX509Cert {
|
|||||||
public String toString() {
|
public String toString() {
|
||||||
X509Certificate x509Cert = (X509Certificate) cert;
|
X509Certificate x509Cert = (X509Certificate) cert;
|
||||||
String certData = "";
|
String certData = "";
|
||||||
certData += " Certificate Serial Number = "
|
certData += " Certificate Serial Number = "
|
||||||
+ x509Cert.getSerialNumber().toString(UefiConstants.SIZE_16) + "\n";
|
+ x509Cert.getSerialNumber().toString(UefiConstants.SIZE_16) + "\n";
|
||||||
certData += " Subject DN = " + x509Cert.getSubjectX500Principal().getName() + "\n";
|
certData += " Subject DN = " + x509Cert.getSubjectX500Principal().getName() + "\n";
|
||||||
certData += " Issuer DN = " + x509Cert.getIssuerX500Principal().getName() + "\n";
|
certData += " Issuer DN = " + x509Cert.getIssuerX500Principal().getName() + "\n";
|
||||||
certData += " Not Before Date = " + x509Cert.getNotBefore() + "\n";
|
certData += " Not Before Date = " + x509Cert.getNotBefore() + "\n";
|
||||||
certData += " Not After Date = " + x509Cert.getNotAfter() + "\n";
|
certData += " Not After Date = " + x509Cert.getNotAfter() + "\n";
|
||||||
certData += " Signature Algorithm = " + x509Cert.getSigAlgName() + "\n";
|
certData += " Signature Algorithm = " + x509Cert.getSigAlgName() + "\n";
|
||||||
certData += " SHA1 Fingerprint = " + getSHA1FingerPrint() + "\n";
|
certData += " SHA1 Fingerprint = " + getSHA1FingerPrint() + "\n";
|
||||||
return certData;
|
return certData;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -11,6 +11,7 @@ import java.security.cert.CertificateException;
|
|||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
|
|
||||||
import hirs.utils.tpm.eventlog.TCGEventLog;
|
import hirs.utils.tpm.eventlog.TCGEventLog;
|
||||||
import hirs.utils.tpm.eventlog.TpmPcrEvent;
|
import hirs.utils.tpm.eventlog.TpmPcrEvent;
|
||||||
import hirs.utils.HexUtils;
|
import hirs.utils.HexUtils;
|
||||||
@ -50,7 +51,7 @@ final class Main {
|
|||||||
try {
|
try {
|
||||||
outputStream = new FileOutputStream(commander.getOutputFileName());
|
outputStream = new FileOutputStream(commander.getOutputFileName());
|
||||||
System.out.print("Writing to output file: " + commander.getOutputFileName()
|
System.out.print("Writing to output file: " + commander.getOutputFileName()
|
||||||
+ "\n");
|
+ "\n");
|
||||||
} catch (Exception e) {
|
} catch (Exception e) {
|
||||||
System.out.print("Error opening output file" + commander.getOutputFileName()
|
System.out.print("Error opening output file" + commander.getOutputFileName()
|
||||||
+ "\nError was " + e.getMessage());
|
+ "\nError was " + e.getMessage());
|
||||||
@ -217,7 +218,7 @@ final class Main {
|
|||||||
}
|
}
|
||||||
} catch (IOException e) {
|
} catch (IOException e) {
|
||||||
System.out.print("Error writing to output file: " + commander.getOutputFileName()
|
System.out.print("Error writing to output file: " + commander.getOutputFileName()
|
||||||
+ "\n error was: " + e.toString() + "\n");
|
+ "\n error was: " + e.toString() + "\n");
|
||||||
e.printStackTrace();
|
e.printStackTrace();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -248,7 +249,7 @@ final class Main {
|
|||||||
eventLog2.getEventList(), commander.getPcrNumber());
|
eventLog2.getEventList(), commander.getPcrNumber());
|
||||||
if (errors.isEmpty() && !bHexFlag) {
|
if (errors.isEmpty() && !bHexFlag) {
|
||||||
sb.append("\nEvent Log " + logFileName1 + " MATCHED EventLog " + logFileName2
|
sb.append("\nEvent Log " + logFileName1 + " MATCHED EventLog " + logFileName2
|
||||||
+ "\n");
|
+ "\n");
|
||||||
} else {
|
} else {
|
||||||
if (!errors.isEmpty() && !bHexFlag) {
|
if (!errors.isEmpty() && !bHexFlag) {
|
||||||
sb.append("\nEvent Log " + logFileName1
|
sb.append("\nEvent Log " + logFileName1
|
||||||
@ -333,6 +334,7 @@ final class Main {
|
|||||||
}
|
}
|
||||||
return matchFound;
|
return matchFound;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Diagnostic method for detecting flag settings.
|
* Diagnostic method for detecting flag settings.
|
||||||
*/
|
*/
|
||||||
|