mirror of
https://github.com/nsacyber/HIRS.git
synced 2024-12-18 12:46:30 +00:00
IdentityClaimProcessor rename dbBaseRim -> baseRim. Checkstyle changes.
This commit is contained in:
parent
775ab4acc6
commit
b0712958b9
@ -1,6 +1,5 @@
|
||||
package hirs.attestationca.persist.provision;
|
||||
|
||||
import com.fasterxml.jackson.databind.ser.Serializers;
|
||||
import com.google.protobuf.ByteString;
|
||||
import hirs.attestationca.configuration.provisionerTpm2.ProvisionerTpm2;
|
||||
import hirs.attestationca.persist.entity.manager.CertificateRepository;
|
||||
@ -69,24 +68,23 @@ import java.util.regex.Pattern;
|
||||
|
||||
@Log4j2
|
||||
public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
private static final String PCR_QUOTE_MASK = "0,1,2,3,4,5,6,7,8,9,10,11,12,13,"
|
||||
+ "14,15,16,17,18,19,20,21,22,23";
|
||||
|
||||
private static final int NUM_OF_VARIABLES = 5;
|
||||
/**
|
||||
* Number of bytes to include in the TPM2.0 nonce.
|
||||
*/
|
||||
public static final int NONCE_LENGTH = 20;
|
||||
private static final String PCR_QUOTE_MASK = "0,1,2,3,4,5,6,7,8,9,10,11,12,13,"
|
||||
+ "14,15,16,17,18,19,20,21,22,23";
|
||||
private static final int NUM_OF_VARIABLES = 5;
|
||||
private static final int MAC_BYTES = 6;
|
||||
|
||||
private SupplyChainValidationService supplyChainValidationService;
|
||||
private CertificateRepository certificateRepository;
|
||||
private ComponentResultRepository componentResultRepository;
|
||||
private ComponentInfoRepository componentInfoRepository;
|
||||
private ReferenceManifestRepository referenceManifestRepository;
|
||||
private ReferenceDigestValueRepository referenceDigestValueRepository;
|
||||
private DeviceRepository deviceRepository;
|
||||
private TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository;
|
||||
private final SupplyChainValidationService supplyChainValidationService;
|
||||
private final CertificateRepository certificateRepository;
|
||||
private final ComponentResultRepository componentResultRepository;
|
||||
private final ComponentInfoRepository componentInfoRepository;
|
||||
private final ReferenceManifestRepository referenceManifestRepository;
|
||||
private final ReferenceDigestValueRepository referenceDigestValueRepository;
|
||||
private final DeviceRepository deviceRepository;
|
||||
private final TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository;
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
@ -116,8 +114,8 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
* Basic implementation of the ACA processIdentityClaimTpm2 method. Parses the claim,
|
||||
* stores the device info, performs supply chain validation, generates a nonce,
|
||||
* and wraps that nonce with the make credential process before returning it to the client.
|
||||
* attCert.setPcrValues(pcrValues);
|
||||
|
||||
* attCert.setPcrValues(pcrValues);
|
||||
*
|
||||
* @param identityClaim the request to process, cannot be null
|
||||
* @return an identity claim response for the specified request containing a wrapped blob
|
||||
*/
|
||||
@ -147,7 +145,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
}
|
||||
}
|
||||
|
||||
ByteString blobStr = ByteString.copyFrom(new byte[]{});
|
||||
ByteString blobStr = ByteString.copyFrom(new byte[] {});
|
||||
if (validationResult == AppraisalStatus.Status.PASS) {
|
||||
RSAPublicKey akPub = ProvisionUtils.parsePublicKey(claim.getAkPublicArea().toByteArray());
|
||||
byte[] nonce = ProvisionUtils.generateRandomBytes(NONCE_LENGTH);
|
||||
@ -195,7 +193,8 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
private AppraisalStatus.Status doSupplyChainValidation(
|
||||
final ProvisionerTpm2.IdentityClaim claim, final PublicKey ekPub) {
|
||||
// attempt to find an endorsement credential to validate
|
||||
EndorsementCredential endorsementCredential = parseEcFromIdentityClaim(claim, ekPub, certificateRepository);
|
||||
EndorsementCredential endorsementCredential =
|
||||
parseEcFromIdentityClaim(claim, ekPub, certificateRepository);
|
||||
|
||||
// attempt to find platform credentials to validate
|
||||
List<PlatformCredential> platformCredentials = parsePcsFromIdentityClaim(claim,
|
||||
@ -283,6 +282,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
|
||||
/**
|
||||
* Converts a protobuf DeviceInfo object to a HIRS Utils DeviceInfoReport object.
|
||||
*
|
||||
* @param claim the protobuf serialized identity claim containing the device info
|
||||
* @return a HIRS Utils DeviceInfoReport representation of device info
|
||||
*/
|
||||
@ -348,7 +348,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
String defaultClientName = String.format("%s_%s",
|
||||
dv.getHw().getManufacturer(),
|
||||
dv.getHw().getProductName());
|
||||
BaseReferenceManifest dbBaseRim = null;
|
||||
BaseReferenceManifest baseRim = null;
|
||||
SupportReferenceManifest support = null;
|
||||
EventLogMeasurements measurements;
|
||||
boolean isReplacement = false;
|
||||
@ -357,60 +357,60 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
String fileName = "";
|
||||
Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)");
|
||||
Matcher matcher;
|
||||
MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
|
||||
MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
|
||||
|
||||
if (dv.getSwidfileCount() > 0) {
|
||||
for (ByteString swidFile : dv.getSwidfileList()) {
|
||||
try {
|
||||
dbBaseRim = (BaseReferenceManifest) referenceManifestRepository
|
||||
baseRim = (BaseReferenceManifest) referenceManifestRepository
|
||||
.findByBase64Hash(Base64.getEncoder()
|
||||
.encodeToString(messageDigest
|
||||
.digest(swidFile.toByteArray())));
|
||||
if (dbBaseRim == null) {
|
||||
if (baseRim == null) {
|
||||
/*
|
||||
Either the swidFile does not have a corresponding base RIM in the backend
|
||||
or it was deleted. Check if there is a replacement by comparing tagId against
|
||||
all other base RIMs, and then set the corresponding support rim's deviceName.
|
||||
*/
|
||||
dbBaseRim = new BaseReferenceManifest(
|
||||
baseRim = new BaseReferenceManifest(
|
||||
String.format("%s.swidtag",
|
||||
defaultClientName),
|
||||
swidFile.toByteArray());
|
||||
List<BaseReferenceManifest> baseRims = referenceManifestRepository.findAllBaseRims();
|
||||
for (BaseReferenceManifest bRim : baseRims) {
|
||||
if (bRim.getTagId().equals(dbBaseRim.getTagId())) {
|
||||
dbBaseRim = bRim;
|
||||
replacementRimId = dbBaseRim.getAssociatedRim().toString();
|
||||
if (bRim.getTagId().equals(baseRim.getTagId())) {
|
||||
baseRim = bRim;
|
||||
replacementRimId = baseRim.getAssociatedRim().toString();
|
||||
isReplacement = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
dbBaseRim.setDeviceName(dv.getNw().getHostname());
|
||||
this.referenceManifestRepository.save(dbBaseRim);
|
||||
} else if (dbBaseRim.isArchived()) {
|
||||
baseRim.setDeviceName(dv.getNw().getHostname());
|
||||
this.referenceManifestRepository.save(baseRim);
|
||||
} else if (baseRim.isArchived()) {
|
||||
/*
|
||||
This block accounts for RIMs that may have been soft-deleted (archived)
|
||||
in an older version of the ACA.
|
||||
*/
|
||||
List<ReferenceManifest> rims = referenceManifestRepository.findByArchiveFlag(false);
|
||||
for (ReferenceManifest rim : rims) {
|
||||
if (rim.isBase() && rim.getTagId().equals(dbBaseRim.getTagId()) &&
|
||||
rim.getCreateTime().after(dbBaseRim.getCreateTime())) {
|
||||
dbBaseRim.setDeviceName(null);
|
||||
dbBaseRim = (BaseReferenceManifest) rim;
|
||||
dbBaseRim.setDeviceName(dv.getNw().getHostname());
|
||||
if (rim.isBase() && rim.getTagId().equals(baseRim.getTagId()) &&
|
||||
rim.getCreateTime().after(baseRim.getCreateTime())) {
|
||||
baseRim.setDeviceName(null);
|
||||
baseRim = (BaseReferenceManifest) rim;
|
||||
baseRim.setDeviceName(dv.getNw().getHostname());
|
||||
}
|
||||
}
|
||||
if (dbBaseRim.isArchived()) {
|
||||
if (baseRim.isArchived()) {
|
||||
throw new Exception("Unable to locate an unarchived base RIM.");
|
||||
} else {
|
||||
this.referenceManifestRepository.save(dbBaseRim);
|
||||
this.referenceManifestRepository.save(baseRim);
|
||||
}
|
||||
} else {
|
||||
dbBaseRim.setDeviceName(dv.getNw().getHostname());
|
||||
this.referenceManifestRepository.save(dbBaseRim);
|
||||
baseRim.setDeviceName(dv.getNw().getHostname());
|
||||
this.referenceManifestRepository.save(baseRim);
|
||||
}
|
||||
tagId = dbBaseRim.getTagId();
|
||||
tagId = baseRim.getTagId();
|
||||
} catch (UnmarshalException e) {
|
||||
log.error(e);
|
||||
} catch (Exception ex) {
|
||||
@ -425,9 +425,10 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
if (dv.getLogfileCount() > 0) {
|
||||
for (ByteString logFile : dv.getLogfileList()) {
|
||||
try {
|
||||
support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
|
||||
support =
|
||||
(SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
|
||||
Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())),
|
||||
ReferenceManifest.SUPPORT_RIM);
|
||||
ReferenceManifest.SUPPORT_RIM);
|
||||
if (support == null) {
|
||||
/*
|
||||
Either the logFile does not have a corresponding support RIM in the backend
|
||||
@ -496,39 +497,41 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
|
||||
//update Support RIMs and Base RIMs.
|
||||
for (ByteString swidFile : dv.getSwidfileList()) {
|
||||
dbBaseRim = (BaseReferenceManifest) referenceManifestRepository
|
||||
baseRim = (BaseReferenceManifest) referenceManifestRepository
|
||||
.findByBase64Hash(Base64.getEncoder().encodeToString(messageDigest.digest(
|
||||
swidFile.toByteArray())));
|
||||
if (dbBaseRim != null) {
|
||||
if (baseRim != null) {
|
||||
// get file name to use
|
||||
for (SwidResource swid : dbBaseRim.getFileResources()) {
|
||||
for (SwidResource swid : baseRim.getFileResources()) {
|
||||
matcher = pattern.matcher(swid.getName());
|
||||
if (matcher.matches()) {
|
||||
//found the file name
|
||||
int dotIndex = swid.getName().lastIndexOf(".");
|
||||
fileName = swid.getName().substring(0, dotIndex);
|
||||
dbBaseRim.setFileName(String.format("%s.swidtag",
|
||||
baseRim.setFileName(String.format("%s.swidtag",
|
||||
fileName));
|
||||
}
|
||||
|
||||
// now update support rim
|
||||
SupportReferenceManifest dbSupport = (SupportReferenceManifest) referenceManifestRepository
|
||||
.findByHexDecHashAndRimType(swid.getHashValue(), ReferenceManifest.SUPPORT_RIM);
|
||||
SupportReferenceManifest dbSupport =
|
||||
(SupportReferenceManifest) referenceManifestRepository
|
||||
.findByHexDecHashAndRimType(swid.getHashValue(),
|
||||
ReferenceManifest.SUPPORT_RIM);
|
||||
if (dbSupport != null) {
|
||||
dbSupport.setFileName(swid.getName());
|
||||
dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion());
|
||||
dbSupport.setTagId(dbBaseRim.getTagId());
|
||||
dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion());
|
||||
dbSupport.setSwidVersion(dbBaseRim.getSwidVersion());
|
||||
dbSupport.setSwidPatch(dbBaseRim.isSwidPatch());
|
||||
dbSupport.setSwidSupplemental(dbBaseRim.isSwidSupplemental());
|
||||
dbBaseRim.setAssociatedRim(dbSupport.getId());
|
||||
dbSupport.setSwidTagVersion(baseRim.getSwidTagVersion());
|
||||
dbSupport.setTagId(baseRim.getTagId());
|
||||
dbSupport.setSwidTagVersion(baseRim.getSwidTagVersion());
|
||||
dbSupport.setSwidVersion(baseRim.getSwidVersion());
|
||||
dbSupport.setSwidPatch(baseRim.isSwidPatch());
|
||||
dbSupport.setSwidSupplemental(baseRim.isSwidSupplemental());
|
||||
baseRim.setAssociatedRim(dbSupport.getId());
|
||||
dbSupport.setUpdated(true);
|
||||
dbSupport.setAssociatedRim(dbBaseRim.getId());
|
||||
dbSupport.setAssociatedRim(baseRim.getId());
|
||||
this.referenceManifestRepository.save(dbSupport);
|
||||
}
|
||||
}
|
||||
this.referenceManifestRepository.save(dbBaseRim);
|
||||
this.referenceManifestRepository.save(baseRim);
|
||||
}
|
||||
}
|
||||
|
||||
@ -564,15 +567,15 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
|
||||
this.referenceManifestRepository.save(measurements);
|
||||
|
||||
for (BaseReferenceManifest baseRim : baseRims) {
|
||||
if (baseRim != null) {
|
||||
for (BaseReferenceManifest bRim : baseRims) {
|
||||
if (bRim != null) {
|
||||
// pull the base versions of the swidtag and rimel and set the
|
||||
// event log hash for use during provision
|
||||
SupportReferenceManifest sBaseRim = referenceManifestRepository
|
||||
.getSupportRimEntityById(baseRim.getAssociatedRim());
|
||||
baseRim.setEventLogHash(temp.getHexDecHash());
|
||||
.getSupportRimEntityById(bRim.getAssociatedRim());
|
||||
bRim.setEventLogHash(temp.getHexDecHash());
|
||||
sBaseRim.setEventLogHash(temp.getHexDecHash());
|
||||
referenceManifestRepository.save(baseRim);
|
||||
referenceManifestRepository.save(bRim);
|
||||
referenceManifestRepository.save(sBaseRim);
|
||||
}
|
||||
}
|
||||
@ -584,7 +587,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
dv.getNw().getHostname()));
|
||||
}
|
||||
|
||||
// Get TPM info, currently unimplemented
|
||||
// Get TPM info, currently unimplemented
|
||||
TPMInfo tpmInfo = new TPMInfo(DeviceInfoEnums.NOT_SPECIFIED,
|
||||
(short) 0,
|
||||
(short) 0,
|
||||
@ -628,7 +631,8 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
}
|
||||
|
||||
if (baseSupportRim != null
|
||||
&& referenceDigestValueRepository.findBySupportRimHash(baseSupportRim.getHexDecHash()).isEmpty()) {
|
||||
&& referenceDigestValueRepository.findBySupportRimHash(baseSupportRim.getHexDecHash())
|
||||
.isEmpty()) {
|
||||
try {
|
||||
TCGEventLog logProcessor = new TCGEventLog(baseSupportRim.getRimBytes());
|
||||
ReferenceDigestValue rdv;
|
||||
@ -688,7 +692,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
log.error(String.format("Patching value does not exist (%s)",
|
||||
patchedValue));
|
||||
} else {
|
||||
// WIP - Until we get patch examples
|
||||
// WIP - Until we get patch examples
|
||||
dbRdv.setPatched(true);
|
||||
}
|
||||
}
|
||||
@ -721,7 +725,7 @@ public class IdentityClaimProcessor extends AbstractProcessor {
|
||||
}
|
||||
|
||||
private int handleDeviceComponents(final String hostName, final String paccorString) {
|
||||
int deviceComponents = 0 ;
|
||||
int deviceComponents = 0;
|
||||
Map<Integer, ComponentInfo> componentInfoMap = new HashMap<>();
|
||||
try {
|
||||
List<ComponentInfo> componentInfos = SupplyChainCredentialValidator
|
||||
|
Loading…
Reference in New Issue
Block a user