SupplyChainValidationService did not like the addition of a method returning a SupplyChainValidation; switched to Summary and it worked. This was the cause of the DB crashing.
parent
025ebc8908
commit
ee294e4562
@ -515,9 +515,9 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
if (request.getQuote() != null && !request.getQuote().isEmpty()) {
|
||||
parseTPMQuote(request.getQuote().toStringUtf8());
|
||||
}
|
||||
if (request.getPcrslist() != null && !request.getPcrslist().isEmpty()) {
|
||||
this.pcrValues = request.getPcrslist().toStringUtf8();
|
||||
}
|
||||
// if (request.getPcrslist() != null && !request.getPcrslist().isEmpty()) {
|
||||
// this.pcrValues = request.getPcrslist().toStringUtf8();
|
||||
// }
|
||||
|
||||
// Get device name and device
|
||||
String deviceName = claim.getDv().getNw().getHostname();
|
||||
@ -1477,7 +1477,6 @@ public abstract class AbstractAttestationCertificateAuthority
|
||||
IssuedAttestationCertificate attCert = new IssuedAttestationCertificate(
|
||||
derEncodedAttestationCertificate, endorsementCredential, platformCredentials);
|
||||
attCert.setDevice(device);
|
||||
attCert.setPcrValues(savePcrValues(pcrValues, device.getName()));
|
||||
certificateManager.save(attCert);
|
||||
} catch (Exception e) {
|
||||
LOG.error("Error saving generated Attestation Certificate to database.", e);
|
||||
|
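Review bot: The PCR-list handling in the first hunk is commented out rather than deleted, leaving three dead lines that reference `request.getPcrslist()`, an accessor this same commit appears to remove from `CertificateRequest` in the proto file. Delete the block outright; version control already holds the old code. With this assignment and the `attCert.setPcrValues(...)` call in the second hunk both gone, nothing visible here still writes `this.pcrValues`, so that field and `savePcrValues` may now be unused and are worth checking. Both enclosing methods start and end outside the hunks.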
@ -25,4 +25,12 @@ public interface SupplyChainValidationService {
|
||||
SupplyChainValidationSummary validateSupplyChain(EndorsementCredential ec,
|
||||
Set<PlatformCredential> pc,
|
||||
Device device);
|
||||
|
||||
/**
|
||||
* A supplemental method that handles validating just the quote post main validation.
|
||||
*
|
||||
* @param device the associated device.
|
||||
* @return True if validation is successful, false otherwise.
|
||||
*/
|
||||
SupplyChainValidationSummary validateQuote(Device device);
|
||||
}
|
||||
|
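Review bot: The Javadoc on the new `validateQuote` says `@return True if validation is successful, false otherwise.`, but the method is declared to return `SupplyChainValidationSummary`. Something like `@return the device's validation summary after the quote check has been applied` would match the signature; the same stale text is repeated on the implementation in SupplyChainValidationServiceImpl. The contract should also state what is returned when no summary exists for the device, since callers making an attestation decision need to know how to treat that case.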
@ -127,6 +127,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
List<SupplyChainValidation> validations = new LinkedList<>();
|
||||
Map<PlatformCredential, SupplyChainValidation> deltaMapping = new HashMap<>();
|
||||
SupplyChainValidation platformScv = null;
|
||||
LOGGER.info("Validating supply chain.");
|
||||
|
||||
// Validate the Endorsement Credential
|
||||
if (policy.isEcValidationEnabled()) {
|
||||
@ -260,6 +261,77 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
return summary;
|
||||
}
|
||||
|
||||
/**
|
||||
* A supplemental method that handles validating just the quote post main validation.
|
||||
*
|
||||
* @param device the associated device.
|
||||
* @return True if validation is successful, false otherwise.
|
||||
*/
|
||||
@Override
|
||||
public SupplyChainValidationSummary validateQuote(final Device device) {
|
||||
final Appraiser supplyChainAppraiser = appraiserManager.getAppraiser(
|
||||
SupplyChainAppraiser.NAME);
|
||||
SupplyChainPolicy policy = (SupplyChainPolicy) policyManager.getDefaultPolicy(
|
||||
supplyChainAppraiser);
|
||||
SupplyChainValidation quoteScv = null;
|
||||
SupplyChainValidationSummary summary = supplyChainValidatorSummaryManager.get(device.getId());
|
||||
Level level = Level.ERROR;
|
||||
AppraisalStatus fwStatus = new AppraisalStatus(FAIL,
|
||||
SupplyChainCredentialValidator.FIRMWARE_VALID);
|
||||
|
||||
// If the device already failed, then ignore
|
||||
if (summary.getOverallValidationResult() == PASS) {
|
||||
// check if the policy is enabled
|
||||
if (policy.isFirmwareValidationEnabled()) {
|
||||
String[] baseline = new String[Integer.SIZE];
|
||||
String manufacturer = device.getDeviceInfo()
|
||||
.getHardwareInfo().getManufacturer();
|
||||
|
||||
// need to get pcrs
|
||||
ReferenceManifest rim = ReferenceManifest.select(
|
||||
this.referenceManifestManager)
|
||||
.byManufacturer(manufacturer)
|
||||
.getRIM();
|
||||
|
||||
if (rim == null) {
|
||||
fwStatus = new AppraisalStatus(FAIL,
|
||||
String.format("Firmware Quote validation failed: "
|
||||
+ "No associated RIM file could be found for %s",
|
||||
manufacturer));
|
||||
} else {
|
||||
List<SwidResource> swids = rim.parseResource();
|
||||
for (SwidResource swid : swids) {
|
||||
baseline = swid.getPcrValues()
|
||||
.toArray(new String[swid.getPcrValues().size()]);
|
||||
}
|
||||
|
||||
PCRPolicy pcrPolicy = policy.getPcrPolicy();
|
||||
|
||||
pcrPolicy.setBaselinePcrs(baseline);
|
||||
// grab the quote
|
||||
// byte[] hash = device.getDeviceInfo().getTPMInfo().getTpmQuoteHash();
|
||||
// byte[] signature = device.getDeviceInfo().getTPMInfo().getTpmQuoteHash();
|
||||
//
|
||||
// if (!pcrPolicy.validateQuote(hash)) {
|
||||
// quoteScv = buildValidationRecord(SupplyChainValidation.ValidationType.FIRMWARE,
|
||||
// fwStatus.getAppStatus(),
|
||||
// "Firmware validation of TPM Quote failed.", rim, level);
|
||||
// }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Generate validation summary, save it, and return it.
|
||||
summary.getValidations().add(quoteScv); //verify
|
||||
try {
|
||||
supplyChainValidatorSummaryManager.save(summary);
|
||||
} catch (DBManagerException ex) {
|
||||
LOGGER.error("Failed to save Supply Chain summary", ex);
|
||||
}
|
||||
|
||||
return summary;
|
||||
}
|
||||
|
||||
/**
|
||||
* This method is a sub set of the validate supply chain method and focuses
|
||||
* on the specific multibase validation check for a delta chain. This method
|
||||
@ -349,7 +421,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
|
||||
pcrPolicy.setBaselinePcrs(baseline);
|
||||
|
||||
if (attCert != null) {
|
||||
Path pcrPath = Paths.get(attCert.getPcrValues());
|
||||
Path pcrPath = Paths.get("");
|
||||
String pcrContent = "";
|
||||
if (Files.exists(pcrPath)) {
|
||||
try {
|
||||
|
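Review bot: In the new `validateQuote`, `quoteScv` is never assigned because the only code that builds it is commented out, so `summary.getValidations().add(quoteScv); //verify` always adds `null` to the summary that is then saved. More importantly for an attestation CA, the method hands back the stored summary unchanged without any TPM quote having been compared to the RIM baseline, and the `rim == null` failure placed in `fwStatus` is never recorded. Until the quote check is implemented, guard the add with `if (quoteScv != null)` and record a FAIL validation when no RIM is found, so a caller cannot mistake the result for a verified quote. `supplyChainValidatorSummaryManager.get(device.getId())` is also dereferenced without a null check, and it is keyed by the device id rather than a summary id, which is worth confirming. In the last hunk, `Paths.get("")` leaves `Files.exists(pcrPath)` testing an empty path; that block continues outside the hunk.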
@ -558,7 +558,7 @@ string CommandTpm2::getQuote(const string& pcr_selection,
|
||||
* Method to get the full list of pcrs from the TPM.
|
||||
*
|
||||
*/
|
||||
string CommandTpm2::getPcrsList() {
|
||||
string CommandTpm2::getPcrList() {
|
||||
string pcrslist;
|
||||
stringstream argsStream;
|
||||
|
||||
|
@ -57,6 +57,7 @@ message DeviceInfo {
|
||||
required HardwareInfo hw = 2;
|
||||
required NetworkInfo nw = 3;
|
||||
required OsInfo os = 4;
|
||||
optional bytes pcrslist = 5;
|
||||
}
|
||||
|
||||
message IdentityClaim {
|
||||
@ -80,7 +81,6 @@ message IdentityClaimResponse {
|
||||
message CertificateRequest {
|
||||
required bytes nonce = 1;
|
||||
optional bytes quote = 2;
|
||||
optional bytes pcrslist = 3;
|
||||
}
|
||||
|
||||
message CertificateResponse {
|
||||
|
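Review bot: Field 3 of `CertificateRequest` is dropped without reserving its number, so a later edit could reuse tag 3 with a different meaning while older provisioners still send a PCR list there. Adding `reserved 3;` in place of the removed line (if the protoc version in use supports `reserved`) prevents that. The new `optional bytes pcrslist = 5;` in `DeviceInfo` has no comment describing its encoding; a one-line comment stating the expected format would help both the client and ACA sides agree on how to parse it.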
@ -98,7 +98,7 @@ string RestfulClientProvisioner::sendIdentityClaim(
|
||||
stringstream errormsg;
|
||||
errormsg << "Error communicating with ACA server. "
|
||||
<< "Received response code: " << to_string(r.status_code)
|
||||
<< "\n\nError message fom ACA was: "
|
||||
<< "\n\nError message from ACA was: "
|
||||
<< JSONFieldParser::parseJsonStringField(r.text,
|
||||
ACA_ERROR_FIELDNAME);
|
||||
throw HirsRuntimeException(errormsg.str(),
|
||||
|
@ -64,6 +64,7 @@ int provision() {
|
||||
// collect device info
|
||||
cout << "----> Collecting device information" << endl;
|
||||
hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo();
|
||||
dv.set_pcrslist(tpm2.getPcrList());
|
||||
|
||||
// send identity claim
|
||||
cout << "----> Sending identity claim to Attestation CA" << endl;
|
||||
@ -106,10 +107,14 @@ int provision() {
|
||||
"14,15,16,17,18,19,20,21,22,23",
|
||||
decryptedNonce));
|
||||
|
||||
certificateRequest.set_pcrslist(tpm2.getPcrsList());
|
||||
const string& akCertificateByteString
|
||||
= provisioner.sendAttestationCertificateRequest(certificateRequest);
|
||||
|
||||
if (akCertificateByteString == "") {
|
||||
cout << "----> Provisioning failed.";
|
||||
cout << "Please refer to the Attestation CA for details." << endl;
|
||||
return 0;
|
||||
}
|
||||
cout << "----> Storing attestation key certificate" << endl;
|
||||
tpm2.storeAKCertificate(akCertificateByteString);
|
||||
return 1;
|
||||
|
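Review bot: `dv.set_pcrslist(tpm2.getPcrList());` now sends the PCR list inside the identity claim, before the nonce is decrypted and the quote is taken, so the list reaches the ACA as plain client-supplied data with nothing in this hunk binding it to the TPM. The ACA side should treat it as untrusted until the PCR digest in the signed quote has been recomputed from these values and matched; nothing visible in this commit performs that check yet. A short comment at the call site, such as `// unauthenticated PCR list; ACA must verify it against the quote`, would make the trust boundary explicit. `provision()` starts and ends outside the hunks.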
@ -10,7 +10,6 @@ import java.util.Set;
|
||||
import java.util.UUID;
|
||||
import javax.persistence.Entity;
|
||||
import javax.persistence.FetchType;
|
||||
import javax.persistence.Column;
|
||||
import javax.persistence.JoinColumn;
|
||||
import javax.persistence.ManyToMany;
|
||||
import javax.persistence.ManyToOne;
|
||||
@ -21,8 +20,6 @@ import javax.persistence.ManyToOne;
|
||||
@Entity
|
||||
public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
|
||||
|
||||
private static final int MAX_CERT_LENGTH_BYTES = 1024;
|
||||
|
||||
/**
|
||||
* AIC label that must be used.
|
||||
*/
|
||||
@ -36,9 +33,6 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
|
||||
@JoinColumn(name = "pc_id")
|
||||
private Set<PlatformCredential> platformCredentials;
|
||||
|
||||
@Column(nullable = true, length = MAX_CERT_LENGTH_BYTES)
|
||||
private String pcrValues;
|
||||
|
||||
/**
|
||||
* This class enables the retrieval of IssuedAttestationCertificate by their attributes.
|
||||
*/
|
||||
@ -129,20 +123,4 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
|
||||
public Set<PlatformCredential> getPlatformCredentials() {
|
||||
return Collections.unmodifiableSet(platformCredentials);
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for the pcrValues passed up by the client.
|
||||
* @return a string blob of pcrs
|
||||
*/
|
||||
public String getPcrValues() {
|
||||
return pcrValues;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for the pcrValues passed up by the client.
|
||||
* @param pcrValues to be stored.
|
||||
*/
|
||||
public void setPcrValues(final String pcrValues) {
|
||||
this.pcrValues = pcrValues;
|
||||
}
|
||||
}
|
||||
|