Added the new status for the state of the provision

This commit is contained in:
Cyrus 2022-02-18 10:16:32 -05:00
parent 4e7f451af0
commit acef2ea5b8
2 changed files with 15 additions and 1 deletions

View File

@ -128,6 +128,8 @@ public abstract class AbstractAttestationCertificateAuthority
= CATALINA_HOME + TOMCAT_UPLOAD_DIRECTORY;
private static final String PCR_QUOTE_MASK = "0,1,2,3,4,5,6,7,8,9,10,11,12,13,"
+ "14,15,16,17,18,19,20,21,22,23";
private static final byte STATUS_PASS = 0;
private static final byte STATUS_FAIL = 1;
/**
* Number of bytes to include in the TPM2.0 nonce.
@ -440,12 +442,14 @@ public abstract class AbstractAttestationCertificateAuthority
}
ByteString blobStr = ByteString.copyFrom(new byte[]{});
byte[] status = new byte[1];
if (validationResult == AppraisalStatus.Status.PASS) {
RSAPublicKey akPub = parsePublicKey(claim.getAkPublicArea().toByteArray());
byte[] nonce = generateRandomBytes(NONCE_LENGTH);
blobStr = tpm20MakeCredential(ekPub, akPub, nonce);
SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
String pcrQuoteMask = PCR_QUOTE_MASK;
status[0] = STATUS_PASS;
String strNonce = HexUtils.byteArrayToHexString(nonce);
LOG.info("Sending nonce: " + strNonce);
@ -460,16 +464,19 @@ public abstract class AbstractAttestationCertificateAuthority
ProvisionerTpm2.IdentityClaimResponse response
= ProvisionerTpm2.IdentityClaimResponse.newBuilder()
.setCredentialBlob(blobStr).setPcrMask(pcrQuoteMask)
.setProvisionStatus(ByteString.copyFrom(status))
.build();
return response.toByteArray();
} else {
LOG.error("Supply chain validation did not succeed. Result is: "
+ validationResult);
status[0] = STATUS_FAIL;
// empty response
ProvisionerTpm2.IdentityClaimResponse response
= ProvisionerTpm2.IdentityClaimResponse.newBuilder()
.setCredentialBlob(blobStr)
.setProvisionStatus(ByteString.copyFrom(status))
.build();
return response.toByteArray();
}
@ -624,6 +631,7 @@ public abstract class AbstractAttestationCertificateAuthority
device = this.deviceRegister.saveOrUpdateDevice(dvReport);
}
byte[] status = new byte[1];
AppraisalStatus.Status validationResult = doQuoteValidation(device);
if (validationResult == AppraisalStatus.Status.PASS) {
// Create signed, attestation certificate
@ -631,6 +639,7 @@ public abstract class AbstractAttestationCertificateAuthority
endorsementCredential, platformCredentials, deviceName);
byte[] derEncodedAttestationCertificate = getDerEncodedCertificate(
attestationCertificate);
status[0] = STATUS_PASS;
// We validated the nonce and made use of the identity claim so state can be deleted
tpm2ProvisionerStateDBManager.delete(tpm2ProvisionerState);
@ -640,6 +649,7 @@ public abstract class AbstractAttestationCertificateAuthority
.copyFrom(derEncodedAttestationCertificate);
ProvisionerTpm2.CertificateResponse response = ProvisionerTpm2.CertificateResponse
.newBuilder().setCertificate(certificateBytes)
.setProvisionStatus(ByteString.copyFrom(status))
.build();
saveAttestationCertificate(derEncodedAttestationCertificate, endorsementCredential,
@ -650,8 +660,10 @@ public abstract class AbstractAttestationCertificateAuthority
LOG.error("Supply chain validation did not succeed. "
+ "Firmware Quote Validation failed. Result is: "
+ validationResult);
status[0] = STATUS_FAIL;
ProvisionerTpm2.CertificateResponse response = ProvisionerTpm2.CertificateResponse
.newBuilder().setCertificate(ByteString.EMPTY).build();
.newBuilder().setCertificate(ByteString.EMPTY)
.setProvisionStatus(ByteString.copyFrom(status)).build();
return response.toByteArray();
}
} else {

View File

@ -80,6 +80,7 @@ message TpmQuote {
message IdentityClaimResponse {
required bytes credential_blob = 1;
optional string pcr_mask = 2;
optional bytes provision_status = 3;
}
message CertificateRequest {
@ -89,5 +90,6 @@ message CertificateRequest {
message CertificateResponse {
required bytes certificate = 1;
optional bytes provision_status = 3;
}