mirror of
https://github.com/nsacyber/HIRS.git
synced 2024-12-24 07:06:46 +00:00
check for signature type validity; if not valid, don't process and don't print
This commit is contained in:
parent
a903b0e448
commit
99f93d521a
@ -161,10 +161,10 @@ public class UefiSignatureData {
|
||||
sigInfo = status;
|
||||
} else {
|
||||
if (signatureType.getVendorTableReference().equals("EFI_CERT_SHA256_GUID")) {
|
||||
sigInfo += "UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
|
||||
sigInfo += " Binary Hash = " + HexUtils.byteArrayToHexString(binaryHash) + "\n";
|
||||
sigInfo += " UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
|
||||
sigInfo += " Binary Hash = " + HexUtils.byteArrayToHexString(binaryHash) + "\n";
|
||||
} else {
|
||||
sigInfo += "UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
|
||||
sigInfo += " UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
|
||||
sigInfo += cert.toString();
|
||||
}
|
||||
}
|
||||
|
@ -47,11 +47,16 @@ public class UefiSignatureList {
|
||||
/**
|
||||
* Signature validity.
|
||||
*/
|
||||
private boolean valid = true;
|
||||
@Getter
|
||||
private boolean signatureTypeValid = false;
|
||||
/**
|
||||
* Current status.
|
||||
* Data validity.
|
||||
*/
|
||||
private String status = "Signature List is Valid";
|
||||
private boolean dataValid = true;
|
||||
/**
|
||||
* Current status of Signature List data.
|
||||
*/
|
||||
private String dataStatus = "Signature List data validity is undetermined yet";
|
||||
/**
|
||||
* Array List of Signature found in the list.
|
||||
*/
|
||||
@ -110,17 +115,23 @@ public class UefiSignatureList {
|
||||
lists.read(guid);
|
||||
signatureType = new UefiGuid(guid);
|
||||
|
||||
// if signatureType is invalid, don't even process any of the data
|
||||
// however, if signatureTYpe is valid, but some of the data later on is invalid, that will
|
||||
// be caught when UefiSignatureData is processed
|
||||
if (!isValidSigListGUID(signatureType)) {
|
||||
processSignatureData(lists);
|
||||
//processSignatureData(lists);
|
||||
signatureTypeValid = false;
|
||||
} else { // valid SigData Processing
|
||||
byte[] lSize = new byte[UefiConstants.SIZE_4];
|
||||
signatureTypeValid = true;
|
||||
|
||||
byte[] lSize = new byte[UefiConstants.SIZE_4]; // signature list size
|
||||
lists.read(lSize);
|
||||
listSize = HexUtils.leReverseInt(lSize);
|
||||
|
||||
byte[] hSize = new byte[UefiConstants.SIZE_4];
|
||||
byte[] hSize = new byte[UefiConstants.SIZE_4]; // signature header size
|
||||
lists.read(hSize);
|
||||
|
||||
byte[] sSize = new byte[UefiConstants.SIZE_4];
|
||||
byte[] sSize = new byte[UefiConstants.SIZE_4]; // signature size
|
||||
lists.read(sSize);
|
||||
signatureSize = listSize - UefiConstants.SIZE_28;
|
||||
sigData = new byte[signatureSize];
|
||||
@ -143,8 +154,8 @@ public class UefiSignatureList {
|
||||
while (efiSigDataIS.available() > 0) {
|
||||
UefiSignatureData tmpSigData = new UefiSignatureData(efiSigDataIS, signatureType);
|
||||
if (!tmpSigData.isValid()) {
|
||||
valid = false;
|
||||
status = tmpSigData.getStatus();
|
||||
dataValid = false;
|
||||
dataStatus = tmpSigData.getStatus();
|
||||
break;
|
||||
}
|
||||
sigList.add(tmpSigData);
|
||||
@ -165,8 +176,8 @@ public class UefiSignatureList {
|
||||
while (sigDataIS.available() > 0) {
|
||||
UefiSignatureData tmpigData = new UefiSignatureData(sigDataIS, signatureType);
|
||||
if (!tmpigData.isValid()) {
|
||||
valid = false;
|
||||
status = tmpigData.getStatus();
|
||||
dataValid = false;
|
||||
dataStatus = tmpigData.getStatus();
|
||||
break;
|
||||
}
|
||||
sigList.add(tmpigData);
|
||||
@ -201,15 +212,21 @@ public class UefiSignatureList {
|
||||
*/
|
||||
public String toString() {
|
||||
StringBuilder sigInfo = new StringBuilder();
|
||||
sigInfo.append("UEFI Signature List Type = " + signatureType.toString() + "\n");
|
||||
sigInfo.append("Number if items = " + numberOfCerts + "\n");
|
||||
|
||||
for (int i = 0; i < sigList.size(); i++) {
|
||||
UefiSignatureData certData = sigList.get(i);
|
||||
sigInfo.append(certData.toString());
|
||||
if (!signatureTypeValid) {
|
||||
sigInfo.append(" *** Unknown UEFI Signature Type encountered: " + signatureType.toString() + "\n");
|
||||
}
|
||||
if (!valid) {
|
||||
sigInfo.append("*** Invalid UEFI Signature data encountered: " + status + "\n");
|
||||
else {
|
||||
sigInfo.append(" UEFI Signature List Type = " + signatureType.toString() + "\n");
|
||||
sigInfo.append(" Number if items (certs, hashes, etc) = " + numberOfCerts + "\n");
|
||||
|
||||
for (int i = 0; i < sigList.size(); i++) {
|
||||
UefiSignatureData certData = sigList.get(i);
|
||||
sigInfo.append(certData.toString());
|
||||
}
|
||||
if (!dataValid) {
|
||||
sigInfo.append(" *** Invalid UEFI Signature data encountered: " + dataStatus + "\n");
|
||||
}
|
||||
}
|
||||
return sigInfo.toString();
|
||||
}
|
||||
|
@ -38,6 +38,14 @@ public class UefiVariable {
|
||||
*/
|
||||
@Getter
|
||||
private String efiVarName = "";
|
||||
/**
|
||||
* Encountered invalid UEFI Signature List
|
||||
*/
|
||||
private boolean invalidSignatureListEncountered = false;
|
||||
/**
|
||||
* Invalid UEFI Signature List
|
||||
*/
|
||||
private String invalidSignatureListStatus = "";
|
||||
/**
|
||||
* UEFI defined Boot Variable.
|
||||
*/
|
||||
@ -122,7 +130,7 @@ public class UefiVariable {
|
||||
}
|
||||
|
||||
/**
|
||||
* Processes the data as a UEFI defined Signature List.
|
||||
* Processes the data as a list of UEFI defined Signature Lists.
|
||||
*
|
||||
* @param data the bye array holding the Signature List.
|
||||
* @throws java.security.cert.CertificateException If there a problem
|
||||
@ -138,6 +146,12 @@ public class UefiVariable {
|
||||
while (certData.available() > 0) {
|
||||
UefiSignatureList list;
|
||||
list = new UefiSignatureList(certData);
|
||||
// efiVariableSigListContents += list.toString();
|
||||
if(!list.isSignatureTypeValid()) {
|
||||
invalidSignatureListEncountered = true;
|
||||
invalidSignatureListStatus = list.toString();
|
||||
break;
|
||||
}
|
||||
certSuperList.add(list);
|
||||
}
|
||||
}
|
||||
@ -150,11 +164,11 @@ public class UefiVariable {
|
||||
public String toString() {
|
||||
StringBuilder efiVariable = new StringBuilder();
|
||||
efiVariable.append("UEFI Variable Name:" + efiVarName + "\n");
|
||||
efiVariable.append("UEFI_GUID = " + uefiVarGuid.toString() + "\n ");
|
||||
efiVariable.append("UEFI Variable GUID = " + uefiVarGuid.toString() + "\n");
|
||||
if (efiVarName != "") {
|
||||
efiVariable.append("UEFI Variable Contents => " + "\n ");
|
||||
efiVariable.append("UEFI Variable Contents => " + "\n");
|
||||
}
|
||||
String tmpName = efiVarName;
|
||||
String tmpName = "";
|
||||
if (efiVarName.contains("Boot00")) {
|
||||
tmpName = "Boot00";
|
||||
} else {
|
||||
@ -165,6 +179,11 @@ public class UefiVariable {
|
||||
case "MokList":
|
||||
efiVariable.append(printCert(uefiVariableData, 0));
|
||||
break;
|
||||
case "PK":
|
||||
case "KEK":
|
||||
case "db":
|
||||
case "dbx":
|
||||
break;
|
||||
case "Boot00":
|
||||
efiVariable.append(bootv.toString());
|
||||
break;
|
||||
@ -177,14 +196,19 @@ public class UefiVariable {
|
||||
default:
|
||||
if (!tmpName.isEmpty()) {
|
||||
efiVariable.append(String.format("Data not provided for "
|
||||
+ "UEFI variable named %s ", tmpName));
|
||||
+ "UEFI variable named %s \n", tmpName));
|
||||
} else {
|
||||
efiVariable.append("Data not provided ");
|
||||
efiVariable.append("Data not provided \n");
|
||||
}
|
||||
}
|
||||
for (UefiSignatureList uefiSigList : certSuperList) {
|
||||
efiVariable.append(uefiSigList.toString());
|
||||
}
|
||||
if(invalidSignatureListEncountered) {
|
||||
efiVariable.append(invalidSignatureListStatus);
|
||||
efiVariable.append("*** Encountered invalid Signature Type - " +
|
||||
"Stopped processing of this event data\n");
|
||||
}
|
||||
return efiVariable.toString();
|
||||
}
|
||||
|
||||
|
@ -80,14 +80,14 @@ public class UefiX509Cert {
|
||||
public String toString() {
|
||||
X509Certificate x509Cert = (X509Certificate) cert;
|
||||
String certData = "";
|
||||
certData += " Certificate Serial Number = "
|
||||
certData += " Certificate Serial Number = "
|
||||
+ x509Cert.getSerialNumber().toString(UefiConstants.SIZE_16) + "\n";
|
||||
certData += " Subject DN = " + x509Cert.getSubjectX500Principal().getName() + "\n";
|
||||
certData += " Issuer DN = " + x509Cert.getIssuerX500Principal().getName() + "\n";
|
||||
certData += " Not Before Date = " + x509Cert.getNotBefore() + "\n";
|
||||
certData += " Not After Date = " + x509Cert.getNotAfter() + "\n";
|
||||
certData += " Signature Algorithm = " + x509Cert.getSigAlgName() + "\n";
|
||||
certData += " SHA1 Fingerprint = " + getSHA1FingerPrint() + "\n";
|
||||
certData += " Subject DN = " + x509Cert.getSubjectX500Principal().getName() + "\n";
|
||||
certData += " Issuer DN = " + x509Cert.getIssuerX500Principal().getName() + "\n";
|
||||
certData += " Not Before Date = " + x509Cert.getNotBefore() + "\n";
|
||||
certData += " Not After Date = " + x509Cert.getNotAfter() + "\n";
|
||||
certData += " Signature Algorithm = " + x509Cert.getSigAlgName() + "\n";
|
||||
certData += " SHA1 Fingerprint = " + getSHA1FingerPrint() + "\n";
|
||||
return certData;
|
||||
}
|
||||
}
|
||||
|
@ -11,6 +11,7 @@ import java.security.cert.CertificateException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
|
||||
import hirs.utils.tpm.eventlog.TCGEventLog;
|
||||
import hirs.utils.tpm.eventlog.TpmPcrEvent;
|
||||
import hirs.utils.HexUtils;
|
||||
@ -50,7 +51,7 @@ final class Main {
|
||||
try {
|
||||
outputStream = new FileOutputStream(commander.getOutputFileName());
|
||||
System.out.print("Writing to output file: " + commander.getOutputFileName()
|
||||
+ "\n");
|
||||
+ "\n");
|
||||
} catch (Exception e) {
|
||||
System.out.print("Error opening output file" + commander.getOutputFileName()
|
||||
+ "\nError was " + e.getMessage());
|
||||
@ -217,7 +218,7 @@ final class Main {
|
||||
}
|
||||
} catch (IOException e) {
|
||||
System.out.print("Error writing to output file: " + commander.getOutputFileName()
|
||||
+ "\n error was: " + e.toString() + "\n");
|
||||
+ "\n error was: " + e.toString() + "\n");
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
@ -248,7 +249,7 @@ final class Main {
|
||||
eventLog2.getEventList(), commander.getPcrNumber());
|
||||
if (errors.isEmpty() && !bHexFlag) {
|
||||
sb.append("\nEvent Log " + logFileName1 + " MATCHED EventLog " + logFileName2
|
||||
+ "\n");
|
||||
+ "\n");
|
||||
} else {
|
||||
if (!errors.isEmpty() && !bHexFlag) {
|
||||
sb.append("\nEvent Log " + logFileName1
|
||||
@ -333,6 +334,7 @@ final class Main {
|
||||
}
|
||||
return matchFound;
|
||||
}
|
||||
|
||||
/**
|
||||
* Diagnostic method for detecting flag settings.
|
||||
*/
|
||||
|
Loading…
Reference in New Issue
Block a user