From 3e18ed8abb1eef07399da1215d12c7fe9e687a0a Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Tue, 23 Mar 2021 11:27:30 -0400
Subject: [PATCH 01/12] This small update changes where the string array of pcrs is pulled in the validation of the quote. Previously it is from the device info report but now it is from the bios measurement log file from the client.
---
 .../SupplyChainValidationServiceImpl.java | 88 ++++++++++---------
 1 file changed, 47 insertions(+), 41 deletions(-)
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
index 13dca0ab..0ede67c3 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
@@ -1,24 +1,39 @@ package hirs.attestationca.service; -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.security.KeyStore; -import java.security.KeyStoreException; -import java.security.NoSuchAlgorithmException; -import java.security.cert.CertificateException; - +import hirs.appraiser.Appraiser; +import hirs.appraiser.SupplyChainAppraiser; +import hirs.data.persist.AppraisalStatus; +import hirs.data.persist.ArchivableEntity; import hirs.data.persist.BaseReferenceManifest; +import hirs.data.persist.Device; +import hirs.data.persist.DeviceInfoReport; import hirs.data.persist.EventLogMeasurements; +import hirs.data.persist.PCRPolicy; +import hirs.data.persist.ReferenceManifest; +import hirs.data.persist.SupplyChainPolicy; +import hirs.data.persist.SupplyChainValidation; +import hirs.data.persist.SupplyChainValidationSummary; import hirs.data.persist.SupportReferenceManifest; import hirs.data.persist.SwidResource; import hirs.data.persist.TPMMeasurementRecord; -import hirs.data.persist.PCRPolicy; -import hirs.data.persist.ArchivableEntity; +import hirs.data.persist.certificate.Certificate; +import hirs.data.persist.certificate.CertificateAuthorityCredential; +import hirs.data.persist.certificate.EndorsementCredential; +import hirs.data.persist.certificate.PlatformCredential; +import hirs.persist.AppraiserManager; +import hirs.persist.CertificateManager; +import hirs.persist.CrudManager; +import hirs.persist.DBManagerException; +import hirs.persist.PersistenceConfiguration; +import hirs.persist.PolicyManager; +import hirs.persist.ReferenceManifestManager; import hirs.tpm.eventlog.TCGEventLog; import hirs.tpm.eventlog.TpmPcrEvent; import hirs.utils.BouncyCastleUtils; import hirs.utils.ReferenceManifestValidator; +import hirs.validation.CredentialValidator; import hirs.validation.SupplyChainCredentialValidator; +import org.apache.logging.log4j.Level; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import 
org.bouncycastle.util.encoders.Hex; @@ -26,42 +41,24 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Import; import org.springframework.stereotype.Service; +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.Collections; +import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; -import java.util.List; -import java.util.Set; import java.util.LinkedList; +import java.util.List; +import java.util.Map; +import java.util.Set; import java.util.UUID; import java.util.stream.Collectors; -import org.apache.logging.log4j.Level; -import hirs.appraiser.Appraiser; -import hirs.appraiser.SupplyChainAppraiser; -import hirs.data.persist.AppraisalStatus; -import hirs.data.persist.Device; -import hirs.data.persist.DeviceInfoReport; -import hirs.data.persist.SupplyChainPolicy; -import hirs.data.persist.SupplyChainValidation; -import hirs.data.persist.SupplyChainValidationSummary; -import hirs.data.persist.certificate.Certificate; -import hirs.data.persist.certificate.CertificateAuthorityCredential; -import hirs.data.persist.certificate.EndorsementCredential; -import hirs.data.persist.certificate.PlatformCredential; -import hirs.data.persist.ReferenceManifest; -import hirs.persist.AppraiserManager; -import hirs.persist.CertificateManager; -import hirs.persist.ReferenceManifestManager; -import hirs.persist.CrudManager; -import hirs.persist.DBManagerException; -import hirs.persist.PersistenceConfiguration; -import hirs.persist.PolicyManager; -import hirs.validation.CredentialValidator; - -import java.util.HashMap; -import java.util.Map; - import static hirs.data.persist.AppraisalStatus.Status.FAIL; import static hirs.data.persist.AppraisalStatus.Status.PASS; 
@@ -539,6 +536,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe AppraisalStatus fwStatus = new AppraisalStatus(FAIL, SupplyChainCredentialValidator.FIRMWARE_VALID); SupportReferenceManifest sRim = null; + EventLogMeasurements eventLog = null; // check if the policy is enabled if (policy.isFirmwareValidationEnabled()) { @@ -550,17 +548,25 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe sRim = SupportReferenceManifest.select( this.referenceManifestManager) .byManufacturer(manufacturer).getRIM(); + eventLog = EventLogMeasurements + .select(this.referenceManifestManager) + .byManufacturer(manufacturer).getRIM(); if (sRim == null) { fwStatus = new AppraisalStatus(FAIL, String.format("Firmware Quote validation failed: " - + "No associated RIM file could be found for %s", + + "No associated Support RIM file " + + "could be found for %s", + manufacturer)); + } else if (eventLog == null) { + fwStatus = new AppraisalStatus(FAIL, + String.format("Firmware Quote validation failed: " + + "No associated Client Log file " + + "could be found for %s", manufacturer)); } else { baseline = sRim.getExpectedPCRList(); - String pcrContent = new String(device.getDeviceInfo() - .getTPMInfo().getPcrValues()); - String[] storedPcrs = buildStoredPcrs(pcrContent, baseline[0].length()); + String[] storedPcrs = eventLog.getExpectedPCRList(); PCRPolicy pcrPolicy = policy.getPcrPolicy(); pcrPolicy.setBaselinePcrs(baseline); // grab the quote From c290ba25be737273c67fd0712b0a3e25cea2c748 Mon Sep 17 00:00:00 2001 
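Review bot: `String[] storedPcrs = eventLog.getExpectedPCRList();` replaces PCR values that came from this device's own identity claim (`device.getDeviceInfo().getTPMInfo().getPcrValues()`) with a list read from an `EventLogMeasurements` RIM selected `.byManufacturer(manufacturer)` only, so the values standing in for the client's PCRs are no longer tied to the device being validated and may belong to another machine of the same manufacturer. If the measurements RIM is meant to be device-specific, the lookup should be narrowed (the RIM selectors in this series carry a `PLATFORM_MODEL` field) and the quote check that follows `// grab the quote` remains the only binding to this device's TPM. `storedPcrs` is also never checked for `null` or for a length mismatch against `baseline` before `pcrPolicy` is applied, whereas the removed `buildStoredPcrs` call at least sized it from `baseline[0].length()`; a guard such as `if (storedPcrs == null || storedPcrs.length != baseline.length) { fwStatus = new AppraisalStatus(FAIL, ...); }` would keep the failure explicit. The enclosing method starts and continues outside the hunk.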
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 23 Mar 2021 13:13:17 -0400 Subject: [PATCH 02/12] Modified how unmatched log events are tested. Now it uses the reference event value from the database. --- .../SupplyChainValidationServiceImpl.java | 36 ++++++++++++++----- .../SupplyChainValidationServiceImplTest.java | 36 +++++++++++++++---- .../persist/DBReferenceDigestManager.java | 31 ++++++++++++++++ .../hirs/persist/ReferenceDigestManager.java | 9 +++++ config/checkstyle/sun_checks.xml | 5 ++- 5 files changed, 101 insertions(+), 16 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 0ede67c3..2cb861ef 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java @@ -9,6 +9,8 @@ import hirs.data.persist.Device; import hirs.data.persist.DeviceInfoReport; import hirs.data.persist.EventLogMeasurements; import hirs.data.persist.PCRPolicy; +import hirs.data.persist.ReferenceDigestRecord; +import hirs.data.persist.ReferenceDigestValue; import hirs.data.persist.ReferenceManifest; import hirs.data.persist.SupplyChainPolicy; import hirs.data.persist.SupplyChainValidation; @@ -26,6 +28,8 @@ import hirs.persist.CrudManager; import hirs.persist.DBManagerException; import hirs.persist.PersistenceConfiguration; import hirs.persist.PolicyManager; +import hirs.persist.ReferenceDigestManager; +import hirs.persist.ReferenceEventManager; import hirs.persist.ReferenceManifestManager; import hirs.tpm.eventlog.TCGEventLog; import hirs.tpm.eventlog.TpmPcrEvent; 
@@ -76,6 +80,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe private PolicyManager policyManager; private AppraiserManager appraiserManager; private ReferenceManifestManager referenceManifestManager; + private ReferenceDigestManager referenceDigestManager; + private ReferenceEventManager referenceEventManager; private CertificateManager certificateManager; private CredentialValidator supplyChainCredentialValidator; private CrudManager supplyChainValidatorSummaryManager; @@ -92,20 +98,27 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe * @param referenceManifestManager the RIM manager * @param supplyChainValidatorSummaryManager the summary manager * @param supplyChainCredentialValidator the credential validator + * @param referenceDigestManager the digest manager + * @param referenceEventManager the even manager */ @Autowired + @SuppressWarnings("ParameterNumberCheck") public SupplyChainValidationServiceImpl( final PolicyManager policyManager, final AppraiserManager appraiserManager, final CertificateManager certificateManager, final ReferenceManifestManager referenceManifestManager, final CrudManager supplyChainValidatorSummaryManager, - final CredentialValidator supplyChainCredentialValidator) { + final CredentialValidator supplyChainCredentialValidator, + final ReferenceDigestManager referenceDigestManager, + final ReferenceEventManager referenceEventManager) { this.policyManager = policyManager; this.appraiserManager = appraiserManager; this.certificateManager = certificateManager; this.referenceManifestManager = referenceManifestManager; this.supplyChainValidatorSummaryManager = supplyChainValidatorSummaryManager; this.supplyChainCredentialValidator = supplyChainCredentialValidator; + this.referenceDigestManager = referenceDigestManager; + this.referenceEventManager = referenceEventManager; } /** 
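Review bot: The new Javadoc line `* @param referenceEventManager the even manager` in the constructor hunk has a typo and should read `* @param referenceEventManager the event manager`. The two new managers are assigned without a null check, which matches the existing parameters, but `referenceDigestManager.getRecord(...)` is now on the firmware-validation path, so `Objects.requireNonNull(referenceDigestManager, "referenceDigestManager")` here would fail at wiring time instead of with a NullPointerException during a validation. `@SuppressWarnings("ParameterNumberCheck")` silences the checkstyle limit for an eight-argument constructor; that is reasonable for a Spring-wired service but deserves a one-line comment saying why.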
@@ -354,10 +367,13 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe AppraisalStatus fwStatus = null; String manufacturer = device.getDeviceInfo() .getHardwareInfo().getManufacturer(); + String model = device.getDeviceInfo() + .getHardwareInfo().getProductName(); ReferenceManifest validationObject = null; ReferenceManifest baseReferenceManifest = null; ReferenceManifest supportReferenceManifest = null; ReferenceManifest measurement = null; + ReferenceDigestRecord digestRecord = null; baseReferenceManifest = BaseReferenceManifest.select(referenceManifestManager) .byManufacturer(manufacturer).getRIM(); @@ -465,18 +481,22 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe // part 2 of firmware validation check: bios measurements // vs baseline tcg event log // find the measurement - TCGEventLog tcgEventLog; TCGEventLog tcgMeasurementLog; + digestRecord = this.referenceDigestManager.getRecord(manufacturer, model); LinkedList tpmPcrEvents = new LinkedList<>(); + List eventValue; + HashMap eventValueMap = new HashMap<>(); try { if (measurement.getPlatformManufacturer().equals(manufacturer)) { tcgMeasurementLog = new TCGEventLog(measurement.getRimBytes()); - tcgEventLog = new TCGEventLog( - supportReferenceManifest.getRimBytes()); - for (TpmPcrEvent tpe : tcgEventLog.getEventList()) { - if (!tpe.eventCompare( - tcgMeasurementLog.getEventByNumber( - tpe.getEventNumber()))) { + eventValue = this.referenceEventManager + .getValuesByRecordId(digestRecord); + for (ReferenceDigestValue rdv : eventValue) { + eventValueMap.put(rdv.getDigestValue(), rdv); + } + + for (TpmPcrEvent tpe : tcgMeasurementLog.getEventList()) { + if (!eventValueMap.containsKey(tpe.getEventDigestStr())) { tpmPcrEvents.add(tpe); } } 
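Review bot: `eventValueMap.put(rdv.getDigestValue(), rdv)` keys the reference set on digest alone, so the loop over `tcgMeasurementLog.getEventList()` now only asks whether each measured digest exists somewhere in the reference values; the removed per-event-number `eventCompare` also caught reference events that are absent from the measurement log and digests that appear at a different event number or PCR index, and neither is reported as an unmatched event any more. If that narrowing is intended it should be stated in a comment; otherwise key the map on PCR index plus digest, or also walk `eventValue` and add the reference entries that have no counterpart in the log. `digestRecord` comes from `getRecord(manufacturer, model)`, which the DBReferenceDigestManager hunk in this series returns as `null` for a missing row or null arguments, and it is passed straight into `getValuesByRecordId`; a guard `if (digestRecord == null)` that records a FAIL status would be clearer than relying on whatever the surrounding try/catch does with the resulting exception. The enclosing method starts and ends outside the hunk.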
diff --git a/HIRS_AttestationCA/src/test/java/hirs/attestationca/service/SupplyChainValidationServiceImplTest.java b/HIRS_AttestationCA/src/test/java/hirs/attestationca/service/SupplyChainValidationServiceImplTest.java index 91dab44c..a0efed69 100644 --- a/HIRS_AttestationCA/src/test/java/hirs/attestationca/service/SupplyChainValidationServiceImplTest.java +++ b/HIRS_AttestationCA/src/test/java/hirs/attestationca/service/SupplyChainValidationServiceImplTest.java @@ -23,6 +23,8 @@ import hirs.persist.DBDeviceManager; import hirs.persist.DeviceGroupManager; import hirs.persist.DeviceManager; import hirs.persist.PolicyManager; +import hirs.persist.ReferenceDigestManager; +import hirs.persist.ReferenceEventManager; import hirs.validation.CredentialValidator; import hirs.validation.SupplyChainCredentialValidator; import org.mockito.ArgumentCaptor; @@ -87,6 +89,12 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest @Mock private CrudManager supplyChainValidationSummaryDBManager; + @Mock + private ReferenceDigestManager referenceDigestManager; + + @Mock + private ReferenceEventManager referenceEventManager; + @InjectMocks private SupplyChainValidationServiceImpl service; @@ -400,7 +408,9 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest realCertMan, null, supplyChainValidationSummaryDBManager, - supplyChainCredentialValidator + supplyChainCredentialValidator, + referenceDigestManager, + referenceEventManager ); CertificateAuthorityCredential globalSignCaCert = new CertificateAuthorityCredential( @@ -460,7 +470,9 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest realCertMan, null, supplyChainValidationSummaryDBManager, - supplyChainCredentialValidator + supplyChainCredentialValidator, + referenceDigestManager, + referenceEventManager ); CertificateAuthorityCredential rootCa = new CertificateAuthorityCredential( 
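Review bot: The new `@Mock ReferenceDigestManager` and `@Mock ReferenceEventManager` fields are only passed through the constructor and are not stubbed in any hunk shown here or in the `@@ -506`, `-542`, `-602`, `-648` and `-699` hunks that make the same change, so with Mockito defaults `getRecord` returns `null` and `getValuesByRecordId` an empty list, and the rewritten digest-map comparison in `SupplyChainValidationServiceImpl` would not be exercised by these tests. A test that stubs `referenceDigestManager.getRecord(manufacturer, model)` to return a record whose values match the measurement log, and one where a digest is missing, would pin the intended behaviour of the new loop. This is inferred from the hunks; the test bodies themselves are outside the view.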
@@ -506,7 +518,9 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest realCertMan, null, supplyChainValidationSummaryDBManager, - supplyChainCredentialValidator + supplyChainCredentialValidator, + referenceDigestManager, + referenceEventManager ); EndorsementCredential endorsementCredential = new EndorsementCredential( @@ -542,7 +556,9 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest realCertMan, null, supplyChainValidationSummaryDBManager, - supplyChainCredentialValidator + supplyChainCredentialValidator, + referenceDigestManager, + referenceEventManager ); CertificateAuthorityCredential globalSignCaCert = new CertificateAuthorityCredential( @@ -602,7 +618,9 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest realCertMan, null, supplyChainValidationSummaryDBManager, - supplyChainCredentialValidator + supplyChainCredentialValidator, + referenceDigestManager, + referenceEventManager ); CertificateAuthorityCredential intelCa = new CertificateAuthorityCredential( @@ -648,7 +666,9 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest realCertMan, null, supplyChainValidationSummaryDBManager, - supplyChainCredentialValidator + supplyChainCredentialValidator, + referenceDigestManager, + referenceEventManager ); CertificateAuthorityCredential globalSignCaCert = new CertificateAuthorityCredential( @@ -699,7 +719,9 @@ public class SupplyChainValidationServiceImplTest extends SpringPersistenceTest realCertMan, null, supplyChainValidationSummaryDBManager, - new SupplyChainCredentialValidator() + new SupplyChainCredentialValidator(), + referenceDigestManager, + referenceEventManager ); CertificateAuthorityCredential stmEkRootCa = new CertificateAuthorityCredential( diff --git a/HIRS_Utils/src/main/java/hirs/persist/DBReferenceDigestManager.java b/HIRS_Utils/src/main/java/hirs/persist/DBReferenceDigestManager.java index 7ab13f5c..a7177511 100644 
--- a/HIRS_Utils/src/main/java/hirs/persist/DBReferenceDigestManager.java +++ b/HIRS_Utils/src/main/java/hirs/persist/DBReferenceDigestManager.java @@ -77,6 +77,37 @@ public class DBReferenceDigestManager extends DBManager return dbRecord; } + @Override + public ReferenceDigestRecord getRecord(final String manufacturer, final String model) { + LOGGER.debug("Getting record for {} ~ {}", manufacturer, model); + if (manufacturer == null || model == null) { + LOGGER.error("No reference to get record from db {} ~ {}", manufacturer, model); + return null; + } + + ReferenceDigestRecord dbRecord = null; + Transaction tx = null; + Session session = getFactory().getCurrentSession(); + try { + LOGGER.debug("retrieving referenceDigestRecord from db"); + tx = session.beginTransaction(); + dbRecord = (ReferenceDigestRecord) session.createCriteria(ReferenceDigestRecord.class) + .add(Restrictions.eq("manufacturer", + manufacturer)).add(Restrictions.eq("model", + model)).uniqueResult(); + tx.commit(); + } catch (Exception ex) { + final String msg = "unable to retrieve object"; + LOGGER.error(msg, ex); + if (tx != null) { + LOGGER.debug("rolling back transaction"); + tx.rollback(); + } + throw new DBManagerException(msg, ex); + } + return dbRecord; + } + @Override public ReferenceDigestRecord getRecordById(final ReferenceDigestRecord referenceDigestRecord) { LOGGER.debug("Getting record for {}", referenceDigestRecord); diff --git a/HIRS_Utils/src/main/java/hirs/persist/ReferenceDigestManager.java b/HIRS_Utils/src/main/java/hirs/persist/ReferenceDigestManager.java index d858782c..b65cb4d8 100644 --- a/HIRS_Utils/src/main/java/hirs/persist/ReferenceDigestManager.java +++ b/HIRS_Utils/src/main/java/hirs/persist/ReferenceDigestManager.java 
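Review bot: `uniqueResult()` on a criteria restricted to `manufacturer` and `model` assumes at most one `ReferenceDigestRecord` per platform, but the ACA hunk in PATCH 03 constructs `new ReferenceDigestRecord(support, hw.getManufacturer(), hw.getProductName())` per uploaded support RIM; if that path can persist more than one record for a platform, this call throws `NonUniqueResultException`, which the broad `catch (Exception ex)` turns into a `DBManagerException` for every later validation of that platform. Either constrain the query (`.setMaxResults(1)` with a deterministic order, or an additional restriction on the RIM hash) or use `list()` and choose explicitly. The null-argument branch logs at error level but then returns `null` like the not-found case, so callers cannot tell bad input from a missing record; throwing `IllegalArgumentException` there, or documenting the `null` return on the interface, would make the contract explicit.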
@@ -28,6 +28,15 @@ public interface ReferenceDigestManager { */ ReferenceDigestRecord getRecord(ReferenceDigestRecord referenceDigestRecord); + /** + * Persists a new Reference Digest. + * + * @param manufacturer the string of the manufacturer + * @param model the string of the model + * @return the persisted ReferenceDigestRecord + */ + ReferenceDigestRecord getRecord(String manufacturer, String model); + /** * Persists a new Reference Digest. * diff --git a/config/checkstyle/sun_checks.xml b/config/checkstyle/sun_checks.xml index 9fafc73e..61d5ad0c 100644 --- a/config/checkstyle/sun_checks.xml +++ b/config/checkstyle/sun_checks.xml @@ -123,7 +123,10 @@ - + + + + From a6c6fbfb314117f47a81223f036753bc21b8bb5e Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Thu, 25 Mar 2021 13:28:31 -0400 Subject: [PATCH 03/12] Made some changes for using just the RIM Hash to pull support rims from the database to associated with the swid tag. Changed the rim hash from and int to a string. --- ...stractAttestationCertificateAuthority.java | 34 ++++++-- ...eferenceManifestDetailsPageController.java | 45 +++++------ .../data/persist/BaseReferenceManifest.java | 46 +---------- .../hirs/data/persist/ReferenceManifest.java | 78 ++++++++++++++++--- .../persist/SupportReferenceManifest.java | 20 +++++ .../persist/ReferenceManifestSelector.java | 7 +- 6 files changed, 141 insertions(+), 89 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 8a3361b9..ea9af574 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java 
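Review bot: The Javadoc added for `getRecord(String manufacturer, String model)` says `Persists a new Reference Digest.`, copied from the method below it, but the implementation in this series performs a lookup and returns `null` when nothing matches or an argument is null. Replace the summary with `Looks up the Reference Digest Record stored for the given manufacturer and model.` and the return tag with `@return the matching ReferenceDigestRecord, or null if none is stored or either argument is null`, so callers know to handle the null case.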
@@ -94,7 +94,6 @@ import java.security.interfaces.RSAPublicKey; import java.security.spec.InvalidKeySpecException; import java.security.spec.MGF1ParameterSpec; import java.security.spec.RSAPublicKeySpec; -import java.util.Arrays; import java.util.Calendar; import java.util.Date; import java.util.HashSet; @@ -713,7 +712,8 @@ public abstract class AbstractAttestationCertificateAuthority * @return a HIRS Utils DeviceInfoReport representation of device info */ @SuppressWarnings("methodlength") - private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim claim) { + private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim claim) + throws NoSuchAlgorithmException { ProvisionerTpm2.DeviceInfo dv = claim.getDv(); // Get network info @@ -778,16 +778,21 @@ public abstract class AbstractAttestationCertificateAuthority String fileName = ""; Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"); Matcher matcher; + MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); if (dv.getSwidfileCount() > 0) { for (ByteString swidFile : dv.getSwidfileList()) { try { dbBaseRim = BaseReferenceManifest.select(referenceManifestManager) .includeArchived() - .byHashCode(Arrays.hashCode(swidFile.toByteArray())) + .byHashCode(Hex.encodeHexString(messageDigest.digest( + swidFile.toByteArray()))) .getRIM(); if (dbBaseRim == null) { + /** + * This has to change, each log file can't have the same name + */ dbBaseRim = new BaseReferenceManifest( String.format("%s.swidtag", clientName), 
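Review bot: The `/** This has to change, each log file can't have the same name */` block added inside `parseDeviceInfo` uses Javadoc syntax on a statement, which tools treat as a dangling doc comment; write it as `// TODO: each log file cannot share the same name`, and the same applies to the two blocks in the `@@ -829` and `@@ -856` hunks on the next line. Replacing `Arrays.hashCode` with a SHA-256 hex digest for `byHashCode` is the right direction, since a 32-bit array hash could let two different RIM files resolve to the same stored record. Declaring `throws NoSuchAlgorithmException` for `MessageDigest.getInstance("SHA-256")` widens the signature for a condition every Java platform is required to make impossible; catching it at the call and throwing `IllegalStateException` would leave the caller in `processDeviceInfo` unchanged. The enclosing method starts before and continues after the hunk.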
@@ -829,10 +834,14 @@ public abstract class AbstractAttestationCertificateAuthority try { support = SupportReferenceManifest.select(referenceManifestManager) .includeArchived() - .byHashCode(Arrays.hashCode(logFile.toByteArray())) + .byHashCode(Hex.encodeHexString(messageDigest.digest( + logFile.toByteArray()))) .getRIM(); if (support == null) { + /** + * This has to change, each log file can't have the same name + */ support = new SupportReferenceManifest( String.format("%s.rimel", clientName), @@ -856,6 +865,15 @@ public abstract class AbstractAttestationCertificateAuthority this.referenceManifestManager.update(support); } + // all of this has to be moved somewhere else + /** + * Because the log file we get isn't promised to be the baseline support rim. + * If it is a patch of supplemental we have to check that the baseline + * has been done + * and those entires can't become the baseline + * + * However, we don't know which log file is what until we link them to a swidtag + */ ReferenceDigestRecord dbObj = new ReferenceDigestRecord(support, hw.getManufacturer(), hw.getProductName()); // this is where we update or create the log @@ -937,7 +955,13 @@ public abstract class AbstractAttestationCertificateAuthority } private Device processDeviceInfo(final ProvisionerTpm2.IdentityClaim claim) { - DeviceInfoReport deviceInfoReport = parseDeviceInfo(claim); + DeviceInfoReport deviceInfoReport = null; + + try { + deviceInfoReport = parseDeviceInfo(claim); + } catch (NoSuchAlgorithmException noSaEx) { + LOG.error(noSaEx); + } if (deviceInfoReport == null) { LOG.error("Failed to deserialize Device Info Report"); diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index f0af64ea..180e4909 100644 
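Review bot: In the `@@ -937` hunk, `LOG.error(noSaEx)` passes the exception as the log message rather than as the throwable argument, so the stack trace is likely dropped, and execution then falls into the `deviceInfoReport == null` branch that reports "Failed to deserialize Device Info Report" for what was a digest-algorithm failure; `LOG.error("SHA-256 unavailable while parsing device info", noSaEx)` followed by an early return would keep the two failures distinguishable. The block comment added in the `@@ -856` hunk states that the uploaded log is not known to be the baseline support RIM, yet a `ReferenceDigestRecord` for the platform is created from it unconditionally, so a patch or supplemental log could become the reference set consulted by `getRecord(manufacturer, model)` in PATCH 02; if the `isSwidPatch()`/`isSwidSupplemental()` flags are populated for support RIMs, gating the record creation on them being false would be a cheap interim guard, with the rationale kept as a `// TODO` rather than a `/** */` block in the method body. The enclosing methods start and end outside these hunks.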
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java @@ -1,5 +1,9 @@ package hirs.attestationca.portal.page.controllers; +import hirs.attestationca.portal.page.Page; +import hirs.attestationca.portal.page.PageController; +import hirs.attestationca.portal.page.PageMessages; +import hirs.attestationca.portal.page.params.ReferenceManifestDetailsPageParams; import hirs.data.persist.BaseReferenceManifest; import hirs.data.persist.EventLogMeasurements; import hirs.data.persist.ReferenceManifest; @@ -10,23 +14,6 @@ import hirs.persist.CertificateManager; import hirs.persist.DBManagerException; import hirs.persist.ReferenceManifestManager; import hirs.tpm.eventlog.TCGEventLog; -import hirs.attestationca.portal.page.Page; -import hirs.attestationca.portal.page.PageController; -import hirs.attestationca.portal.page.PageMessages; -import hirs.attestationca.portal.page.params.ReferenceManifestDetailsPageParams; - -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.security.NoSuchAlgorithmException; -import java.security.cert.CertificateException; -import java.util.Arrays; -import java.util.HashMap; -import java.util.LinkedList; -import java.util.List; -import java.util.ArrayList; -import java.util.Set; -import java.util.UUID; - import hirs.tpm.eventlog.TpmPcrEvent; import hirs.utils.ReferenceManifestValidator; import org.apache.logging.log4j.LogManager; 
@@ -37,6 +24,18 @@ import org.springframework.ui.Model; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.servlet.ModelAndView; +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.HashMap; +import java.util.LinkedList; +import java.util.List; +import java.util.Set; +import java.util.UUID; + /** * Controller for the Reference Manifest Details page. */ @@ -187,16 +186,8 @@ public class ReferenceManifestDetailsPageController } else { data.put("swidCorpus", "False"); } - if (baseRim.isSwidPatch() == 1) { - data.put("swidPatch", "True"); - } else { - data.put("swidPatch", "False"); - } - if (baseRim.isSwidSupplemental() == 1) { - data.put("swidSupplemental", "True"); - } else { - data.put("swidSupplemental", "False"); - } + data.put("swidPatch", baseRim.isSwidPatch()); + data.put("swidSupplemental", baseRim.isSwidSupplemental()); data.put("swidTagId", baseRim.getTagId()); // Entity data.put("entityName", baseRim.getEntityName()); diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java b/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java index e8fefe5d..23be60c1 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java @@ -45,10 +45,6 @@ public class BaseReferenceManifest extends ReferenceManifest { @Column private int swidCorpus = 0; @Column - private int swidPatch = 0; - @Column - private int swidSupplemental = 0; - @Column private String colloquialVersion = null; @Column private String product = null; 
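Review bot: `data.put("swidPatch", baseRim.isSwidPatch())` and the `swidSupplemental` line now place a `Boolean` in the model while the `swidCorpus` branch just above still puts the strings `"True"`/`"False"`, so a view that renders or compares these keys as strings would treat the two flags differently from the third. Either keep the string form for now, `data.put("swidPatch", baseRim.isSwidPatch() ? "True" : "False");`, or migrate `swidCorpus` in the same change so all three keys share one type. Whether the template compares against the string cannot be seen from this hunk.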
@@ -159,8 +155,8 @@ public class BaseReferenceManifest extends ReferenceManifest { setTagId(si.getTagId()); this.swidName = si.getName(); this.swidCorpus = si.isCorpus() ? 1 : 0; - this.swidPatch = si.isPatch() ? 1 : 0; - this.swidSupplemental = si.isSupplemental() ? 1 : 0; + this.setSwidPatch(si.isPatch()); + this.setSwidSupplemental(si.isSupplemental()); this.swidVersion = si.getVersion(); if (si.getTagVersion() != null) { this.setSwidTagVersion(si.getTagVersion().toString()); @@ -475,42 +471,6 @@ public class BaseReferenceManifest extends ReferenceManifest { this.swidCorpus = swidCorpus; } - /** - * Getter for the patch flag. - * - * @return int flag for the patch flag - */ - public int isSwidPatch() { - return swidPatch; - } - - /** - * Setter for the patch flag. - * - * @param swidPatch int value - */ - public void setSwidPatch(final int swidPatch) { - this.swidPatch = swidPatch; - } - - /** - * Getter for the supplemental flag. - * - * @return int flag for the supplemental flag - */ - public int isSwidSupplemental() { - return swidSupplemental; - } - - /** - * Setter for the supplemental flag. - * - * @param swidSupplemental int value - */ - public void setSwidSupplemental(final int swidSupplemental) { - this.swidSupplemental = swidSupplemental; - } - /** * Getter for the Entity Name. * @@ -822,7 +782,7 @@ public class BaseReferenceManifest extends ReferenceManifest { return String.format("ReferenceManifest{swidName=%s," + "platformManufacturer=%s," + " platformModel=%s," - + "tagId=%s, rimHash=%d}", + + "tagId=%s, rimHash=%s}", swidName, this.getPlatformManufacturer(), this.getPlatformModel(), getTagId(), this.getRimHash()); } diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java index 98c05e0d..30977b82 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java 
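Review bot: `this.swidCorpus = si.isCorpus() ? 1 : 0;` is left as an int column while the neighbouring patch and supplemental flags move to boolean setters on the parent class, leaving two representations of the same kind of SWID flag in one constructor; migrating `swidCorpus` the same way, or a comment on why it stays numeric, would keep the class consistent. The `%d` to `%s` change in `toString` is required by the new `String` hash and looks correct. Moving the `swidPatch`/`swidSupplemental` columns from this entity to `ReferenceManifest` changes the mapped table, which may need a schema migration depending on how the database is managed; that is not visible here.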
@@ -1,23 +1,25 @@ package hirs.data.persist; -import java.util.Arrays; -import java.util.UUID; -import javax.persistence.Access; -import javax.persistence.AccessType; -import javax.persistence.Column; -import javax.persistence.Entity; - import com.fasterxml.jackson.annotation.JsonIgnore; import com.google.common.base.Preconditions; +import org.apache.commons.codec.binary.Hex; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.hibernate.annotations.Type; +import javax.persistence.Access; +import javax.persistence.AccessType; +import javax.persistence.Column; +import javax.persistence.Entity; import javax.persistence.Table; import javax.xml.XMLConstants; import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlRootElement; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Arrays; +import java.util.UUID; /** * This class represents the Reference Integrity Manifest object that will be @@ -68,7 +70,7 @@ public abstract class ReferenceManifest extends ArchivableEntity { public static final String RIM_HASH_FIELD = "rimHash"; @Column(nullable = false) @JsonIgnore - private final int rimHash; + private final String rimHash; @Column(columnDefinition = "blob", nullable = false) @JsonIgnore private byte[] rimBytes; @@ -77,6 +79,10 @@ public abstract class ReferenceManifest extends ArchivableEntity { @Column private String tagId = null; @Column + private boolean swidPatch = false; + @Column + private boolean swidSupplemental = false; + @Column private String platformManufacturer = null; @Column private String platformManufacturerId = null; 
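Review bot: `private final String rimHash;` under `@Column(nullable = false)` changes the column from an int to a string, and any existing rows hold the old `Arrays.hashCode` values, which can never match a hex SHA-256 passed to `byHashCode`; unless the schema is regenerated, a migration that recomputes the hash from `rimBytes` is needed for stored RIMs to be found again. A short comment on the field stating the format, `// hex-encoded SHA-256 of rimBytes`, would also make the intended contents clear to readers of the entity.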
@@ -96,7 +102,7 @@ public abstract class ReferenceManifest extends ArchivableEntity { protected ReferenceManifest() { super(); this.rimBytes = null; - this.rimHash = 0; + this.rimHash = ""; this.rimType = null; this.platformManufacturer = null; this.platformManufacturerId = null; @@ -118,7 +124,19 @@ public abstract class ReferenceManifest extends ArchivableEntity { "Cannot construct a RIM from an empty byte array"); this.rimBytes = rimBytes.clone(); - this.rimHash = Arrays.hashCode(this.rimBytes); + + MessageDigest digest = null; + try { + digest = MessageDigest.getInstance("SHA-256"); + } catch (NoSuchAlgorithmException noSaEx) { + LOGGER.error(noSaEx); + } + if (digest == null) { + this.rimHash = ""; + } else { + this.rimHash = Hex.encodeHexString( + digest.digest(rimBytes)); + } } /** @@ -245,6 +263,42 @@ public abstract class ReferenceManifest extends ArchivableEntity { this.tagId = tagId; } + /** + * Getter for the patch flag. + * + * @return int flag for the patch flag + */ + public boolean isSwidPatch() { + return swidPatch; + } + + /** + * Setter for the patch flag. + * + * @param swidPatch int value + */ + public void setSwidPatch(final boolean swidPatch) { + this.swidPatch = swidPatch; + } + + /** + * Getter for the supplemental flag. + * + * @return int flag for the supplemental flag + */ + public boolean isSwidSupplemental() { + return swidSupplemental; + } + + /** + * Setter for the supplemental flag. + * + * @param swidSupplemental int value + */ + public void setSwidSupplemental(final boolean swidSupplemental) { + this.swidSupplemental = swidSupplemental; + } + /** * Getter for the associated RIM DB ID. * @return UUID for the rim 
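Review bot: In the `@@ -118` hunk, when `MessageDigest.getInstance("SHA-256")` throws, the constructor logs and sets `this.rimHash = ""`, so a RIM with no content identity is still constructed and can be persisted under `nullable = false` as an empty string, and every such RIM would match a `byHashCode("")` lookup. SHA-256 is required of every Java platform, so `throw new IllegalStateException("SHA-256 unavailable", noSaEx);` in the catch is the safer fallback and removes the `digest == null` branch. The Javadoc on the new `isSwidPatch`/`isSwidSupplemental` getters and setters still says `int flag` and `int value`; update them to `@return true if the SWID tag is marked as a patch` and `@param swidPatch the patch flag` so the documentation matches the boolean type.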
@@ -279,13 +333,13 @@ public abstract class ReferenceManifest extends ArchivableEntity { * * @return int representation of the hash value */ - public int getRimHash() { + public String getRimHash() { return rimHash; } @Override public int hashCode() { - return getRimHash(); + return Arrays.hashCode(this.rimBytes); } @Override diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/SupportReferenceManifest.java b/HIRS_Utils/src/main/java/hirs/data/persist/SupportReferenceManifest.java index 51c663a2..f04de700 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/SupportReferenceManifest.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/SupportReferenceManifest.java @@ -78,6 +78,26 @@ public class SupportReferenceManifest extends ReferenceManifest { setFieldValue(PLATFORM_MODEL, model); return this; } + + /** + * Specify the file name that rims should have. + * @param fileName the name of the file associated with the rim + * @return this instance + */ + public Selector byFileName(final String fileName) { + setFieldValue(RIM_FILENAME_FIELD, fileName); + return this; + } + + /** + * Specify the RIM hash associated with the support RIM. + * @param rimHash the hash of the file associated with the rim + * @return this instance + */ + public Selector byRimHash(final String rimHash) { + setFieldValue(RIM_HASH_FIELD, rimHash); + return this; + } } /** diff --git a/HIRS_Utils/src/main/java/hirs/persist/ReferenceManifestSelector.java b/HIRS_Utils/src/main/java/hirs/persist/ReferenceManifestSelector.java index 3b363e35..0ff4bcf9 100644 --- a/HIRS_Utils/src/main/java/hirs/persist/ReferenceManifestSelector.java +++ b/HIRS_Utils/src/main/java/hirs/persist/ReferenceManifestSelector.java 
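Review bot: `hashCode()` now recomputes `Arrays.hashCode(this.rimBytes)` over the whole blob on every call; since `rimHash` is already a SHA-256 of those bytes, `return rimHash.hashCode();` is cheaper and stays consistent with an `equals` that compares the hash, which is the natural pairing if the `equals` override below the hunk is based on `rimHash` (not visible here). The Javadoc on `getRimHash` still reads `@return int representation of the hash value`; change it to `@return hex-encoded SHA-256 of the RIM bytes`. The enclosing class continues outside the hunk.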
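Review bot: `byRimHash` sets `RIM_HASH_FIELD` exactly as the inherited `byHashCode(String)` from `ReferenceManifestSelector` does, so the selector now has two methods for one field; drop one or have `byRimHash` delegate with `return (Selector) byHashCode(rimHash);` so callers cannot drift. `byFileName` selects on a name that, in `parseDeviceInfo`, is built from the client name rather than from content, so it identifies a file only loosely; a Javadoc line such as `Filenames are not unique identifiers; prefer byRimHash when the content is known.` would steer callers.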
@@ -37,8 +37,11 @@ public abstract class ReferenceManifestSelector { * String representing the database field for the model. */ public static final String PLATFORM_MODEL = "platformModel"; + /** + * String representing the database field for the filename. + */ + public static final String RIM_FILENAME_FIELD = "fileName"; private static final String RIM_TYPE_FIELD = "rimType"; - private static final String RIM_FILENAME_FIELD = "fileName"; private final ReferenceManifestManager referenceManifestManager; private final Class referenceTypeClass; @@ -100,7 +103,7 @@ public abstract class ReferenceManifestSelector { * @param rimHash the hash code of the bytes to query for * @return this instance (for chaining further calls) */ - public ReferenceManifestSelector byHashCode(final int rimHash) { + public ReferenceManifestSelector byHashCode(final String rimHash) { setFieldValue(hirs.data.persist.ReferenceManifest.RIM_HASH_FIELD, rimHash); return this; } From 4911742c7abeea2bda9630b6f9ff5325cc9b3e89 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 30 Mar 2021 06:35:14 -0400 Subject: [PATCH 04/12] This is a checkout of some changes to the resource management for swid tags so that the file name listed is associated with the stored support RIMS. --- ...stractAttestationCertificateAuthority.java | 212 +++++++++++------- ...eferenceManifestDetailsPageController.java | 9 +- .../hirs/data/persist/ReferenceManifest.java | 5 +- .../java/hirs/data/persist/SwidResource.java | 115 +--------- 4 files changed, 138 insertions(+), 203 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index ea9af574..0f803df7 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java 
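Review bot: `byHashCode` now takes the hex-encoded SHA-256 string produced by `ReferenceManifest.getRimHash()`, but its Javadoc still says `@param rimHash the hash code of the bytes to query for`, which reads as the `int` it used to be; suggest `@param rimHash the hex-encoded SHA-256 of the RIM bytes to query for`. The method name likewise suggests `Object.hashCode()` semantics; a rename to `byRimHash` would match the field name and the new selector method added in `SupportReferenceManifest` in this patch, with the old name kept as a deprecated delegate if other callers exist. The enclosing class continues outside the hunk.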
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -94,9 +94,11 @@ import java.security.interfaces.RSAPublicKey; import java.security.spec.InvalidKeySpecException; import java.security.spec.MGF1ParameterSpec; import java.security.spec.RSAPublicKeySpec; +import java.util.ArrayList; import java.util.Calendar; import java.util.Date; import java.util.HashSet; +import java.util.List; import java.util.Set; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -706,6 +708,8 @@ public abstract class AbstractAttestationCertificateAuthority return (RSAPublicKey) assemblePublicKey(modulus); } + private static final int NUM_OF_VARIABLES = 5; + /** * Converts a protobuf DeviceInfo object to a HIRS Utils DeviceInfoReport object. * @param claim the protobuf serialized identity claim containing the device info 
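Review bot: `NUM_OF_VARIABLES` is declared between two methods with no Javadoc, and the name does not say what it counts; from the following hunk it is the number of trailing hex characters of the RIM hash appended to a generated support-RIM file name. Suggest moving it next to the class's other constants and documenting it, e.g. `/** Number of trailing hex characters of the RIM hash used to make a generated support RIM file name distinct. */ private static final int RIM_HASH_SUFFIX_LENGTH = 5;` with the two call sites updated. Five hex characters is only 20 bits, so two different logs from the same platform can still produce the same generated name; if the name is relied on to be unique, use more of the hash.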
@@ -774,12 +778,56 @@ public abstract class AbstractAttestationCertificateAuthority dv.getHw().getProductName()); ReferenceManifest dbBaseRim = null; ReferenceManifest support; + EventLogMeasurements measurements; String tagId = ""; String fileName = ""; Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"); Matcher matcher; MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); + /** + * We need to do a series of things when getting swid/log files from client + * 1. Store what is sent if, it doesn't exist + * and if it does exist, update if needed + * 2. take the file name from the swid file and update the support RIMs + * 3. Update the support rim with swid tag information + */ + + if (dv.getLogfileCount() > 0) { + for (ByteString logFile : dv.getLogfileList()) { + try { + support = SupportReferenceManifest.select(referenceManifestManager) + .includeArchived() + .byHashCode(Hex.encodeHexString(messageDigest.digest( + logFile.toByteArray()))) + .getRIM(); + + if (support == null) { + support = new SupportReferenceManifest( + String.format("%s.rimel", + clientName), + logFile.toByteArray()); + support.setPlatformManufacturer(dv.getHw().getManufacturer()); + support.setPlatformModel(dv.getHw().getProductName()); + support.setFileName(String.format("%s_[%s].rimel", clientName, + support.getRimHash().substring( + support.getRimHash().length() - NUM_OF_VARIABLES))); + this.referenceManifestManager.save(support); + } else { + LOG.info("Client provided Support RIM already loaded in database."); + support.restore(); + support.resetCreateTime(); + this.referenceManifestManager.update(support); + } + } catch (IOException ioEx) { + LOG.error(ioEx); + } + } + } else { + LOG.warn("Device did not send support RIM file..."); + } + + List archie = new ArrayList<>(); if (dv.getSwidfileCount() > 0) { for (ByteString swidFile : dv.getSwidfileList()) { try { 
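Review bot: `support.getRimHash().substring(support.getRimHash().length() - NUM_OF_VARIABLES)` assumes the hash string is at least five characters, but `ReferenceManifest`'s constructor in the earlier patch sets `rimHash` to `""` when the digest is unavailable, and the resulting `StringIndexOutOfBoundsException` is not caught by the surrounding `catch (IOException ioEx)`, so it would abort processing of the whole identity claim. Using the full hash in the name, or checking the length first, avoids that. `logFile.toByteArray()` also copies the ByteString twice (once for the digest, once for the constructor); hoist it into `byte[] logBytes = logFile.toByteArray();`. `List archie = new ArrayList<>();` is an unused raw-typed local, and the `/** ... */` form is used for an in-method comment where `//` or `/* */` is conventional. The enclosing method starts and ends outside the hunk.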
@@ -809,12 +857,34 @@ public abstract class AbstractAttestationCertificateAuthority String.format("%s.swidtag", clientName), swidFile.toByteArray()); - break; + } + // now update support rim + SupportReferenceManifest dbSupport = SupportReferenceManifest + .select(referenceManifestManager) + .byRimHash(swid.getHashValue()).getRIM(); + if (dbSupport == null) { + LOG.error("Why is this happening?"); + // I could do this, and then when the actual + // support comes in just update the byte field + } + if (dbSupport != null && !dbSupport.isUpdated()) { + LOG.error("We found the old support"); + dbSupport.setFileName(swid.getName()); + dbSupport.setSwidTagVersion(base.getSwidTagVersion()); + // I might create a get for the bytes of the swidtag file + // so that I can set that instead of the rim ID + dbSupport.setTagId(base.getTagId()); + dbSupport.setSwidPatch(dbBaseRim.isSwidPatch()); + dbSupport.setSwidSupplemental(dbBaseRim.isSwidSupplemental()); + // might want to expand so that the record digest value know + // if it was a patch or supplemental + dbSupport.setUpdated(true); + this.referenceManifestManager.update(dbSupport); } } this.referenceManifestManager.save(dbBaseRim); } else { - LOG.info("Client provided Base RIM already loaded in database."); + LOG.error("Client provided Base RIM already loaded in database."); dbBaseRim.restore(); dbBaseRim.resetCreateTime(); this.referenceManifestManager.update(dbBaseRim); 
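Review bot: The new branches log routine conditions at ERROR: `LOG.error("Why is this happening?")` when no support RIM matches a swidtag file hash, `LOG.error("We found the old support")` when one does, and the already-loaded base RIM path was changed from `LOG.info` to `LOG.error`. Each fires on a normal provisioning flow, so they would bury real failures for anything that alerts on the ACA log; suggest `LOG.warn("No support RIM found for swidtag file hash {}", swid.getHashValue());`, `LOG.debug(...)` for the match, and restoring `LOG.info` for the already-loaded case. Removing the `break` means the loop now continues to later resources; if several of them match the file-name pattern, the last match wins for the values assigned above the hunk, which is worth confirming as intended. The enclosing loop and method continue outside the hunk.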
@@ -825,88 +895,64 @@ public abstract class AbstractAttestationCertificateAuthority LOG.error(ioEx); } } + + for (ByteString swidFile : dv.getSwidfileList()) { + + String hashStr = swidFile.toString(); + LOG.error(SupportReferenceManifest.select(referenceManifestManager) + .includeArchived() + .byHashCode(Hex.encodeHexString(messageDigest.digest( + swidFile.toByteArray()))) + .getRIM()); + } } else { LOG.warn("Device did not send swid tag file..."); } - if (dv.getLogfileCount() > 0) { - for (ByteString logFile : dv.getLogfileList()) { - try { - support = SupportReferenceManifest.select(referenceManifestManager) - .includeArchived() - .byHashCode(Hex.encodeHexString(messageDigest.digest( - logFile.toByteArray()))) - .getRIM(); + if (true) { + Set dbSupportRims = SupportReferenceManifest + .select(referenceManifestManager).getRIMs(); - if (support == null) { - /** - * This has to change, each log file can't have the same name - */ - support = new SupportReferenceManifest( - String.format("%s.rimel", - clientName), - logFile.toByteArray()); - support.setPlatformManufacturer(dv.getHw().getManufacturer()); - support.setPlatformModel(dv.getHw().getProductName()); - support.setTagId(tagId); - this.referenceManifestManager.save(support); - } else { - LOG.info("Client provided Support RIM already loaded in database."); - if (dbBaseRim != null) { - support.setPlatformManufacturer(dbBaseRim.getPlatformManufacturer()); - support.setPlatformModel(dbBaseRim.getPlatformModel()); - support.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); - support.setAssociatedRim(dbBaseRim.getId()); - support.setTagId(dbBaseRim.getTagId()); + for (SupportReferenceManifest dbSupport : dbSupportRims) { + // all of this has to be moved somewhere else + /** + * Because the log file we get isn't promised to be the baseline support rim. 
+ * If it is a patch of supplemental we have to check that the baseline + * has been done + * and those entries can't become the baseline + * + * However, we don't know which log file is what until we link them to a swidtag + */ + ReferenceDigestRecord dbObj = new ReferenceDigestRecord(dbSupport, + hw.getManufacturer(), hw.getProductName()); + // this is where we update or create the log + ReferenceDigestRecord rdr = this.referenceDigestManager.getRecord(dbObj); + + // Handle baseline digest records + // is there already a baseline? + if (rdr == null) { + // doesn't exist, store + rdr = referenceDigestManager.saveRecord(dbObj); + } // right now this will not deal with updating + + if (this.referenceEventManager.getValuesByRecordId(rdr).isEmpty()) { + try { + TCGEventLog logProcessor = new TCGEventLog(dbSupport.getRimBytes()); + ReferenceDigestValue rdv; + for (TpmPcrEvent tpe : logProcessor.getEventList()) { + rdv = new ReferenceDigestValue(rdr.getId(), tpe.getEventNumber(), + tpe.getEventDigestStr(), tpe.getEventTypeStr(), false); + this.referenceEventManager.saveValue(rdv); } - - support.restore(); - support.resetCreateTime(); - this.referenceManifestManager.update(support); + } catch (CertificateException cEx) { + LOG.error(cEx); + } catch (NoSuchAlgorithmException noSaEx) { + LOG.error(noSaEx); + } catch (IOException e) { + e.printStackTrace(); } - - // all of this has to be moved somewhere else - /** - * Because the log file we get isn't promised to be the baseline support rim. 
- * If it is a patch of supplemental we have to check that the baseline - * has been done - * and those entires can't become the baseline - * - * However, we don't know which log file is what until we link them to a swidtag - */ - ReferenceDigestRecord dbObj = new ReferenceDigestRecord(support, - hw.getManufacturer(), hw.getProductName()); - // this is where we update or create the log - ReferenceDigestRecord rdr = this.referenceDigestManager.getRecord(dbObj); - - // Handle baseline digest records - // is there already a baseline? - if (rdr == null) { - // doesn't exist, store - rdr = referenceDigestManager.saveRecord(dbObj); - } // right now this will not deal with updating - - if (this.referenceEventManager.getValuesByRecordId(rdr).isEmpty()) { - try { - TCGEventLog logProcessor = new TCGEventLog(support.getRimBytes()); - ReferenceDigestValue rdv; - for (TpmPcrEvent tpe : logProcessor.getEventList()) { - rdv = new ReferenceDigestValue(rdr.getId(), tpe.getEventNumber(), - tpe.getEventDigestStr(), tpe.getEventTypeStr(), false); - this.referenceEventManager.saveValue(rdv); - } - } catch (CertificateException cEx) { - LOG.error(cEx); - } catch (NoSuchAlgorithmException noSaEx) { - LOG.error(noSaEx); - } - } - } catch (IOException ioEx) { - LOG.error(ioEx); } } - } else { - LOG.warn("Device did not send support RIM file..."); } if (dv.hasLivelog()) { 
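Review bot: The new block after the swidtag loop iterates every support RIM in the database (`SupportReferenceManifest.select(referenceManifestManager).getRIMs()`) and builds a `ReferenceDigestRecord` for each with the current device's `hw.getManufacturer()` / `hw.getProductName()`, so RIMs uploaded for other platforms would be attributed to this device's platform on every identity claim; constraining the selector (a `byManufacturer` selector is visible in the next hunk) or using `dbSupport.getPlatformManufacturer()`/`getPlatformModel()` keeps each record tied to the RIM's own platform — worth confirming against the intended data model. `if (true) {` should go. The debugging loop `for (ByteString swidFile : dv.getSwidfileList()) { String hashStr = swidFile.toString(); LOG.error(...getRIM()); }` issues a DB query per swidtag only to log the result at ERROR, and `hashStr` is unused; remove it. The new `catch (IOException e) { e.printStackTrace(); }` writes to stderr unlike its sibling catches — use `LOG.error(e);` — and `Set dbSupportRims` should be `Set<SupportReferenceManifest>`. The enclosing method continues outside the hunk.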
@@ -915,19 +961,19 @@ public abstract class AbstractAttestationCertificateAuthority clientName); try { // find previous version. If it exists, delete it - support = EventLogMeasurements.select(referenceManifestManager) + measurements = EventLogMeasurements.select(referenceManifestManager) .byManufacturer(dv.getHw().getManufacturer()) .includeArchived().getRIM(); - if (support != null) { + if (measurements != null) { LOG.info("Previous bios measurement log found and being replaced..."); - this.referenceManifestManager.delete(support); + this.referenceManifestManager.delete(measurements); } - support = new EventLogMeasurements(fileName, + measurements = new EventLogMeasurements(fileName, dv.getLivelog().toByteArray()); - support.setPlatformManufacturer(dv.getHw().getManufacturer()); - support.setPlatformModel(dv.getHw().getProductName()); - support.setTagId(tagId); - this.referenceManifestManager.save(support); + measurements.setPlatformManufacturer(dv.getHw().getManufacturer()); + measurements.setPlatformModel(dv.getHw().getProductName()); + measurements.setTagId(tagId); + this.referenceManifestManager.save(measurements); } catch (IOException ioEx) { LOG.error(ioEx); } diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index 180e4909..a7c9a3c1 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java 
@@ -28,7 +28,6 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; -import java.util.ArrayList; import java.util.Arrays; import java.util.HashMap; import java.util.LinkedList; @@ -225,12 +224,12 @@ public class ReferenceManifestDetailsPageController .getRIM(); if (support != null) { baseRim.setAssociatedRim(support.getId()); - logProcessor = new TCGEventLog(support.getRimBytes()); +// logProcessor = new TCGEventLog(support.getRimBytes()); } } else { support = SupportReferenceManifest.select(referenceManifestManager) .byEntityId(baseRim.getAssociatedRim()).getRIM(); - logProcessor = new TCGEventLog(support.getRimBytes()); +// logProcessor = new TCGEventLog(support.getRimBytes()); } // going to have to pull the filename and grab that from the DB // to get the id to make the link @@ -244,11 +243,7 @@ public class ReferenceManifestDetailsPageController } else { data.put("supportRimHashValid", false); } - swidRes.setPcrValues(Arrays.asList( - logProcessor.getExpectedPCRValues())); break; - } else { - swidRes.setPcrValues(new ArrayList<>()); } } diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java index 30977b82..939fc1e2 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java @@ -367,7 +367,8 @@ public abstract class ReferenceManifest extends ArchivableEntity { @Override public String toString() { return String.format("Filename->%s%nPlatform Manufacturer->%s%n" - + "Platform Model->%s%nRIM Type->%s", this.getFileName(), - this.platformManufacturer, this.platformModel, this.getRimType()); + + "Platform Model->%s%nRIM Type->%s%nRIM Hash->%s", this.getFileName(), + this.platformManufacturer, this.platformModel, this.getRimType(), + this.getRimHash()); } } 
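Review bot: The two `logProcessor = new TCGEventLog(support.getRimBytes());` lines are commented out rather than removed, which appears to leave `TCGEventLog logProcessor = null;` (declared above the hunk) as a variable that is never assigned; delete the commented lines and the declaration, or keep the parsing if a use remains further down. Commented-out code cannot be told apart from a temporary toggle and is routinely flagged by Checkstyle. The hunk cuts the surrounding method at both ends.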
diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/SwidResource.java b/HIRS_Utils/src/main/java/hirs/data/persist/SwidResource.java index 8679ae53..4b02ac2d 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/SwidResource.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/SwidResource.java @@ -3,27 +3,14 @@ package hirs.data.persist; import com.google.common.base.Preconditions; import hirs.data.persist.baseline.TpmWhiteListBaseline; import hirs.data.persist.enums.DigestAlgorithm; -import hirs.tpm.eventlog.TCGEventLog; import hirs.utils.xjc.File; -import java.io.IOException; -import java.util.Map; -import java.util.List; -import java.util.LinkedHashMap; -import java.util.Collections; -import java.math.BigInteger; -import java.nio.file.Files; -import java.nio.file.NoSuchFileException; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.security.NoSuchAlgorithmException; -import java.security.cert.CertificateException; -import java.text.DecimalFormat; -import java.util.Arrays; -import javax.xml.namespace.QName; -import org.apache.commons.codec.DecoderException; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import javax.xml.namespace.QName; +import java.math.BigInteger; +import java.util.Map; + /** * This object is used to represent the content of a Swid Tags Directory * section. 
@@ -32,20 +19,8 @@ public class SwidResource { private static final Logger LOGGER = LogManager.getLogger(SwidResource.class); - private static final String CATALINA_HOME = System.getProperty("catalina.base"); - private static final String TOMCAT_UPLOAD_DIRECTORY - = "/webapps/HIRS_AttestationCAPortal/upload/"; - - /** - * String holder for location for storing binaries. - */ - public static final String RESOURCE_UPLOAD_FOLDER - = CATALINA_HOME + TOMCAT_UPLOAD_DIRECTORY; - private String name, size; - private String rimFormat, rimType, rimUriGlobal, hashValue; - private List pcrValues; private TpmWhiteListBaseline tpmWhiteList; private DigestAlgorithm digest = DigestAlgorithm.SHA1; private boolean validFileSize = false; @@ -60,7 +35,6 @@ public class SwidResource { rimType = null; rimUriGlobal = null; hashValue = null; - pcrValues = null; } /** @@ -102,23 +76,7 @@ public class SwidResource { } this.digest = digest; - parsePcrValues(); tpmWhiteList = new TpmWhiteListBaseline(this.name); - if (!pcrValues.isEmpty()) { - int i = 0; - for (String pcr : pcrValues) { - if (this.digest == null) { - // determine by length of pcr value - this.digest = AbstractDigest.getDigestAlgorithm(pcr); - } - try { - tpmWhiteList.addToBaseline( - new TPMMeasurementRecord(i++, pcr)); - } catch (DecoderException deEx) { - LOGGER.error(deEx); - } - } - } } /** @@ -175,24 +133,6 @@ public class SwidResource { return hashValue; } - /** - * Getter for the list of PCR Values. - * - * @return an unmodifiable list - */ - public List getPcrValues() { - return Collections.unmodifiableList(pcrValues); - } - - /** - * Setter for the list of associated PCR Values. - * - * @param pcrValues a collection of PCRs - */ - public void setPcrValues(final List pcrValues) { - this.pcrValues = pcrValues; - } - /** * flag for if the file sizes match with the swidtag. * @return true if they match 
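Review bot: With `parsePcrValues()` and the `DecoderException` catch removed in the later hunks of this file, `LOGGER` appears to have no remaining use in `SwidResource`; remove it unless a use survives outside these hunks. Deleting the public `RESOURCE_UPLOAD_FOLDER` constant is a binary-incompatible change for any other class that referenced it, so a search for the name across the modules is worth doing before merge. The class header is above the hunk.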
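Review bot: After removing the `parsePcrValues()` call and the `addToBaseline` loop, `tpmWhiteList = new TpmWhiteListBaseline(this.name)` is always left empty, and the `this.digest == null` inference from PCR length is gone too; if the baseline is still exposed by a getter, callers now receive an empty whitelist with no indication why. Either drop the field along with the PCR handling, or document the new state at the assignment: `// Created empty: PCR values are no longer derived from an uploaded log here.` The enclosing method is cut at both ends of the hunk.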
@@ -200,51 +140,4 @@ public class SwidResource { public boolean isValidFileSize() { return validFileSize; } - - /** - * Getter for a generated map of the PCR values. - * - * @return mapping of PCR# to the actual value. - */ - public LinkedHashMap getPcrMap() { - LinkedHashMap innerMap = new LinkedHashMap<>(); - DecimalFormat df = new DecimalFormat("00"); - - if (!this.pcrValues.isEmpty()) { - long iterate = 0; - String pcrNum; - for (String string : this.pcrValues) { - pcrNum = df.format(iterate++); - innerMap.put(String.format("PCR%s:", pcrNum), string); - } - } - - return innerMap; - } - - private void parsePcrValues() { - TCGEventLog logProcessor = new TCGEventLog(); - - try { - Path logPath = Paths.get(String.format("%s/%s", - SwidResource.RESOURCE_UPLOAD_FOLDER, - this.getName())); - if (Files.exists(logPath)) { - logProcessor = new TCGEventLog( - Files.readAllBytes(logPath)); - } - this.setPcrValues(Arrays.asList( - logProcessor.getExpectedPCRValues())); - } catch (NoSuchFileException nsfEx) { - LOGGER.error(String.format("File Not found!: %s", - this.getName())); - LOGGER.error(nsfEx); - } catch (IOException ioEx) { - LOGGER.error(ioEx); - } catch (CertificateException cEx) { - LOGGER.error(cEx); - } catch (NoSuchAlgorithmException naEx) { - LOGGER.error(naEx); - } - } } From ea5b85b703d4598a3a5146aee24a19576e1db355 Mon Sep 17 00:00:00 2001 
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 2 Apr 2021 06:34:47 -0400 Subject: [PATCH 05/12] Updated the code to now display the var swidtag and rimel. However there are issues with the examples. This commit has fixes for how the pcr values are pulled for display on the base RIM page. --- ...stractAttestationCertificateAuthority.java | 106 +++++++++--------- ...eferenceManifestDetailsPageController.java | 33 +++++- .../main/webapp/WEB-INF/jsp/rim-details.jsp | 16 +-- .../data/persist/BaseReferenceManifest.java | 22 +--- .../hirs/data/persist/ReferenceManifest.java | 20 ++++ 5 files changed, 107 insertions(+), 90 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index 0f803df7..4bc30f07 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -94,11 +94,9 @@ import java.security.interfaces.RSAPublicKey; import java.security.spec.InvalidKeySpecException; import java.security.spec.MGF1ParameterSpec; import java.security.spec.RSAPublicKeySpec; -import java.util.ArrayList; import java.util.Calendar; import java.util.Date; import java.util.HashSet; -import java.util.List; import java.util.Set; import java.util.regex.Matcher; import java.util.regex.Pattern; 
@@ -773,10 +771,10 @@ public abstract class AbstractAttestationCertificateAuthority } // check for RIM Base and Support files, if they don't exists in the database, load them - String clientName = String.format("%s_%s", + String defaultClientName = String.format("%s_%s", dv.getHw().getManufacturer(), dv.getHw().getProductName()); - ReferenceManifest dbBaseRim = null; + BaseReferenceManifest dbBaseRim = null; ReferenceManifest support; EventLogMeasurements measurements; String tagId = ""; @@ -805,19 +803,21 @@ public abstract class AbstractAttestationCertificateAuthority if (support == null) { support = new SupportReferenceManifest( String.format("%s.rimel", - clientName), + defaultClientName), logFile.toByteArray()); support.setPlatformManufacturer(dv.getHw().getManufacturer()); support.setPlatformModel(dv.getHw().getProductName()); - support.setFileName(String.format("%s_[%s].rimel", clientName, + support.setFileName(String.format("%s_[%s].rimel", defaultClientName, support.getRimHash().substring( support.getRimHash().length() - NUM_OF_VARIABLES))); this.referenceManifestManager.save(support); } else { LOG.info("Client provided Support RIM already loaded in database."); - support.restore(); - support.resetCreateTime(); - this.referenceManifestManager.update(support); + if (support.isArchived()) { + support.restore(); + support.resetCreateTime(); + this.referenceManifestManager.update(support); + } } } catch (IOException ioEx) { LOG.error(ioEx); @@ -827,9 +827,9 @@ public abstract class AbstractAttestationCertificateAuthority LOG.warn("Device did not send support RIM file..."); } - List archie = new ArrayList<>(); if (dv.getSwidfileCount() > 0) { for (ByteString swidFile : dv.getSwidfileList()) { + fileName = ""; try { dbBaseRim = BaseReferenceManifest.select(referenceManifestManager) .includeArchived() 
@@ -838,91 +838,79 @@ public abstract class AbstractAttestationCertificateAuthority .getRIM(); if (dbBaseRim == null) { - /** - * This has to change, each log file can't have the same name - */ dbBaseRim = new BaseReferenceManifest( String.format("%s.swidtag", - clientName), + defaultClientName), swidFile.toByteArray()); - BaseReferenceManifest base = (BaseReferenceManifest) dbBaseRim; - for (SwidResource swid : base.parseResource()) { + // get file name to use + for (SwidResource swid : dbBaseRim.parseResource()) { matcher = pattern.matcher(swid.getName()); if (matcher.matches()) { //found the file name int dotIndex = swid.getName().lastIndexOf("."); - clientName = swid.getName().substring(0, dotIndex); + fileName = swid.getName().substring(0, dotIndex); dbBaseRim = new BaseReferenceManifest( String.format("%s.swidtag", - clientName), + fileName), swidFile.toByteArray()); } + // now update support rim SupportReferenceManifest dbSupport = SupportReferenceManifest .select(referenceManifestManager) .byRimHash(swid.getHashValue()).getRIM(); - if (dbSupport == null) { - LOG.error("Why is this happening?"); - // I could do this, and then when the actual - // support comes in just update the byte field - } if (dbSupport != null && !dbSupport.isUpdated()) { - LOG.error("We found the old support"); dbSupport.setFileName(swid.getName()); - dbSupport.setSwidTagVersion(base.getSwidTagVersion()); + dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); // I might create a get for the bytes of the swidtag file // so that I can set that instead of the rim ID - dbSupport.setTagId(base.getTagId()); + dbSupport.setTagId(dbBaseRim.getTagId()); + dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); + dbSupport.setSwidVersion(dbBaseRim.getSwidVersion()); dbSupport.setSwidPatch(dbBaseRim.isSwidPatch()); dbSupport.setSwidSupplemental(dbBaseRim.isSwidSupplemental()); - // might want to expand so that the record digest value know - // if it was a patch or supplemental + 
dbBaseRim.setAssociatedRim(dbSupport.getId()); dbSupport.setUpdated(true); this.referenceManifestManager.update(dbSupport); + break; } } this.referenceManifestManager.save(dbBaseRim); } else { - LOG.error("Client provided Base RIM already loaded in database."); - dbBaseRim.restore(); - dbBaseRim.resetCreateTime(); - this.referenceManifestManager.update(dbBaseRim); + LOG.info("Client provided Base RIM already loaded in database."); + /** + * Leaving this as is for now, however can there be a condition + * in which the provisioner sends swidtags without support rims? + */ + if (dbBaseRim.isArchived()) { + dbBaseRim.restore(); + dbBaseRim.resetCreateTime(); + this.referenceManifestManager.update(dbBaseRim); + } } - tagId = dbBaseRim.getTagId(); } catch (IOException ioEx) { LOG.error(ioEx); } } - - for (ByteString swidFile : dv.getSwidfileList()) { - - String hashStr = swidFile.toString(); - LOG.error(SupportReferenceManifest.select(referenceManifestManager) - .includeArchived() - .byHashCode(Hex.encodeHexString(messageDigest.digest( - swidFile.toByteArray()))) - .getRIM()); - } } else { LOG.warn("Device did not send swid tag file..."); } - if (true) { - Set dbSupportRims = SupportReferenceManifest + Set dbSupportRims = SupportReferenceManifest .select(referenceManifestManager).getRIMs(); - for (SupportReferenceManifest dbSupport : dbSupportRims) { - // all of this has to be moved somewhere else - /** - * Because the log file we get isn't promised to be the baseline support rim. - * If it is a patch of supplemental we have to check that the baseline - * has been done - * and those entries can't become the baseline - * - * However, we don't know which log file is what until we link them to a swidtag - */ + for (SupportReferenceManifest dbSupport : dbSupportRims) { + /** + * Because the log file we get isn't promised to be the baseline support rim. 
+ * If it is a patch of supplemental we have to check that the baseline + * has been done + * and those entries can't become the baseline + * + * However, we don't know which log file is what until we link them to a swidtag + */ + if (!dbSupport.isSwidPatch() && !dbSupport.isSwidSupplemental()) { ReferenceDigestRecord dbObj = new ReferenceDigestRecord(dbSupport, hw.getManufacturer(), hw.getProductName()); // this is where we update or create the log @@ -952,13 +940,19 @@ public abstract class AbstractAttestationCertificateAuthority e.printStackTrace(); } } + } else { + // what to do about patch and supplemental + LOG.error(String.format("%s is a patch? %b", dbSupport.getFileName(), + dbSupport.isSwidPatch())); + LOG.error(String.format("%s is a supplemental? %b", dbSupport.getFileName(), + dbSupport.isSwidSupplemental())); } } if (dv.hasLivelog()) { LOG.info("Device sent bios measurement log..."); fileName = String.format("%s.measurement", - clientName); + defaultClientName); try { // find previous version. If it exists, delete it measurements = EventLogMeasurements.select(referenceManifestManager) diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index a7c9a3c1..464f6e72 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java 
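Review bot: `dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion());` is now called twice in the `!dbSupport.isUpdated()` branch — once on the retained line and again on the newly added line after `setTagId`; drop the added one. `Set dbSupportRims` is still a raw type and should be `Set<SupportReferenceManifest>`, which is what the enhanced `for` already assumes. The in-method `/** ... */` comment should read "patch or supplemental" rather than "patch of supplemental" and use `//` or `/* */`, since Javadoc syntax inside a body is picked up by some tools and documents nothing. The hunk cuts the enclosing method at both ends.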
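Review bot: The new `else` branch logs at ERROR for every patch or supplemental support RIM on every identity claim (`LOG.error(String.format("%s is a patch? %b", ...))`), which is an expected state rather than a failure and will repeat each time a device provisions. Until the handling is decided, log it at DEBUG with log4j's parameterized form and mark the gap: `// TODO: decide how patch/supplemental support RIMs feed digest records` and `LOG.debug("{} skipped: patch={} supplemental={}", dbSupport.getFileName(), dbSupport.isSwidPatch(), dbSupport.isSwidSupplemental());`. The enclosing loop starts in the previous hunk.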
@@ -99,7 +99,9 @@ public class ReferenceManifestDetailsPageController LOGGER.error(uuidError, iaEx); } catch (Exception ioEx) { LOGGER.error(ioEx); - LOGGER.trace(ioEx); + for (StackTraceElement ste : ioEx.getStackTrace()) { + LOGGER.debug(ste.toString()); + } } if (data.isEmpty()) { String notFoundMessage = "Unable to find RIM with ID: " + params.getId(); @@ -185,8 +187,16 @@ public class ReferenceManifestDetailsPageController } else { data.put("swidCorpus", "False"); } - data.put("swidPatch", baseRim.isSwidPatch()); - data.put("swidSupplemental", baseRim.isSwidSupplemental()); + if (baseRim.isSwidPatch()) { + data.put("swidPatch", "True"); + } else { + data.put("swidPatch", "False"); + } + if (baseRim.isSwidSupplemental()) { + data.put("swidSupplemental", "True"); + } else { + data.put("swidSupplemental", "False"); + } data.put("swidTagId", baseRim.getTagId()); // Entity data.put("entityName", baseRim.getEntityName()); @@ -195,9 +205,16 @@ public class ReferenceManifestDetailsPageController data.put("entityThumbprint", baseRim.getEntityThumbprint()); // Link data.put("linkHref", baseRim.getLinkHref()); + for (BaseReferenceManifest bRim : BaseReferenceManifest + .select(referenceManifestManager).getRIMs()) { + if (baseRim.getLinkHref().contains(bRim.getTagId())) { + data.put("linkHrefLink", bRim.getId().toString()); + break; + } else { + data.put("linkHrefLink", ""); + } + } data.put("linkRel", baseRim.getLinkRel()); - data.put("supportRimId", ""); - data.put("supportRimTagId", ""); data.put("platformManufacturer", baseRim.getPlatformManufacturer()); data.put("platformManufacturerId", baseRim.getPlatformManufacturerId()); data.put("platformModel", baseRim.getPlatformModel()); 
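Review bot: The added loop writes each stack frame of `ioEx` as a separate DEBUG line after `LOGGER.error(ioEx)` has already reported the exception; log4j 2 attaches the full stack trace when the throwable is passed as the last argument, so a single `LOGGER.error("Unable to load RIM details for {}", params.getId(), ioEx);` replaces both and keeps the frames with the message at one level. `params.getId()` is used two lines below the hunk, so it should be in scope here if this is the same method. The broad `catch (Exception ioEx)` is pre-existing, but the variable name suggests only I/O failures were meant.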
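Review bot: The two new `if/else` pairs that put `"True"`/`"False"` into `data` can each be one expression, `data.put("swidPatch", baseRim.isSwidPatch() ? "True" : "False");` and the same for `swidSupplemental`, matching the `swidCorpus` entry just above. If the view only needs a boolean, keeping the `Boolean` values the replaced lines stored and formatting in the JSP avoids a stringly-typed model.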
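Review bot: The new `linkHrefLink` loop calls `baseRim.getLinkHref().contains(bRim.getTagId())` with no null check on either value; if a base RIM can lack a link href or a stored RIM can lack a tag id, the page throws an NPE that lands in the `catch (Exception ioEx)` above, and `contains` is a substring test, so a short or empty tag id would match unrelated hrefs. It also loads every base RIM from the database on each page view and re-puts `""` on every non-matching iteration. Suggest `data.put("linkHrefLink", "");` once before the loop, a guard such as `if (baseRim.getLinkHref() == null || bRim.getTagId() == null) { continue; }`, and an exact comparison against the id extracted from the href rather than `contains`. The enclosing method continues outside the hunk.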
@@ -216,7 +233,7 @@ public class ReferenceManifestDetailsPageController List resources = baseRim.parseResource(); TCGEventLog logProcessor = null; - ReferenceManifest support = null; + SupportReferenceManifest support = null; if (baseRim.getAssociatedRim() == null) { support = SupportReferenceManifest.select(referenceManifestManager) @@ -249,6 +266,10 @@ public class ReferenceManifestDetailsPageController data.put("associatedRim", baseRim.getAssociatedRim()); data.put("swidFiles", resources); + if (support != null && (!baseRim.isSwidSupplemental() + && !baseRim.isSwidPatch())) { + data.put("pcrList", support.getExpectedPCRList()); + } RIM_VALIDATOR.validateXmlSignature(new ByteArrayInputStream(baseRim.getRimBytes())); data.put("signatureValid", RIM_VALIDATOR.isSignatureValid()); diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp index 05571e35..88086700 100644 --- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp +++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/rim-details.jsp @@ -326,7 +326,7 @@
Link