diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
index 46686746..3d57dab2 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@@ -515,9 +515,9 @@ public abstract class AbstractAttestationCertificateAuthority
 if (request.getQuote() != null && !request.getQuote().isEmpty()) {
 parseTPMQuote(request.getQuote().toStringUtf8());
 }
- if (request.getPcrslist() != null && !request.getPcrslist().isEmpty()) {
- this.pcrValues = request.getPcrslist().toStringUtf8();
- }
+// if (request.getPcrslist() != null && !request.getPcrslist().isEmpty()) {
+// this.pcrValues = request.getPcrslist().toStringUtf8();
+// }
 // Get device name and device
 String deviceName = claim.getDv().getNw().getHostname();
@@ -1477,7 +1477,6 @@ public abstract class AbstractAttestationCertificateAuthority
 IssuedAttestationCertificate attCert = new IssuedAttestationCertificate(
 derEncodedAttestationCertificate, endorsementCredential, platformCredentials);
 attCert.setDevice(device);
- attCert.setPcrValues(savePcrValues(pcrValues, device.getName()));
 certificateManager.save(attCert);
 } catch (Exception e) {
 LOG.error("Error saving generated Attestation Certificate to database.", e);
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationService.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationService.java
index f3d6de85..f3007bab 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationService.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationService.java
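Review bot: The three `request.getPcrslist()` lines in the first hunk are commented out rather than deleted, leaving dead code in the certificate-request path that refers to a field this same commit removes from `CertificateRequest`. Delete them outright. The PCR list now travels in `DeviceInfo`, but no read of it on the ACA side is visible in this diff, so `pcrValues` may never be populated. Where it does get read, a comment such as `// PCR list is client-reported; trust only values verified against the TPM quote` would make the trust boundary explicit. The enclosing method starts and ends outside the hunk.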
@@ -25,4 +25,12 @@ public interface SupplyChainValidationService {
 SupplyChainValidationSummary validateSupplyChain(EndorsementCredential ec, Set pc, Device device);
+
+ /**
+ * A supplemental method that handles validating just the quote post main validation.
+ *
+ * @param device the associated device.
+ * @return True if validation is successful, false otherwise.
+ */
+ SupplyChainValidationSummary validateQuote(Device device);
 }
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
index b6ffbcc1..86516e1f 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
@@ -127,6 +127,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
 List validations = new LinkedList<>();
 Map deltaMapping = new HashMap<>();
 SupplyChainValidation platformScv = null;
+ LOGGER.info("Validating supply chain.");
 // Validate the Endorsement Credential
 if (policy.isEcValidationEnabled()) {
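Review bot: The Javadoc added for `validateQuote` says `@return True if validation is successful, false otherwise`, but the method is declared to return a `SupplyChainValidationSummary`. The same text is copied onto the implementation in `SupplyChainValidationServiceImpl`. Suggest `@return the device's supply chain validation summary, updated with the result of the quote validation` in both places, plus one sentence on what callers receive when the earlier validation did not pass.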
@@ -260,6 +261,77 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
 return summary;
 }
+ /**
+ * A supplemental method that handles validating just the quote post main validation.
+ *
+ * @param device the associated device.
+ * @return True if validation is successful, false otherwise.
+ */
+ @Override
+ public SupplyChainValidationSummary validateQuote(final Device device) {
+ final Appraiser supplyChainAppraiser = appraiserManager.getAppraiser(
+ SupplyChainAppraiser.NAME);
+ SupplyChainPolicy policy = (SupplyChainPolicy) policyManager.getDefaultPolicy(
+ supplyChainAppraiser);
+ SupplyChainValidation quoteScv = null;
+ SupplyChainValidationSummary summary = supplyChainValidatorSummaryManager.get(device.getId());
+ Level level = Level.ERROR;
+ AppraisalStatus fwStatus = new AppraisalStatus(FAIL,
+ SupplyChainCredentialValidator.FIRMWARE_VALID);
+
+ // If the device already failed, then ignore
+ if (summary.getOverallValidationResult() == PASS) {
+ // check if the policy is enabled
+ if (policy.isFirmwareValidationEnabled()) {
+ String[] baseline = new String[Integer.SIZE];
+ String manufacturer = device.getDeviceInfo()
+ .getHardwareInfo().getManufacturer();
+
+ // need to get pcrs
+ ReferenceManifest rim = ReferenceManifest.select(
+ this.referenceManifestManager)
+ .byManufacturer(manufacturer)
+ .getRIM();
+
+ if (rim == null) {
+ fwStatus = new AppraisalStatus(FAIL,
+ String.format("Firmware Quote validation failed: "
+ + "No associated RIM file could be found for %s",
+ manufacturer));
+ } else {
+ List swids = rim.parseResource();
+ for (SwidResource swid : swids) {
+ baseline = swid.getPcrValues()
+ .toArray(new String[swid.getPcrValues().size()]);
+ }
+
+ PCRPolicy pcrPolicy = policy.getPcrPolicy();
+
+ pcrPolicy.setBaselinePcrs(baseline);
+ // grab the quote
+// byte[] hash = device.getDeviceInfo().getTPMInfo().getTpmQuoteHash();
+// byte[] signature = device.getDeviceInfo().getTPMInfo().getTpmQuoteHash();
+//
+// if (!pcrPolicy.validateQuote(hash)) {
+// quoteScv = buildValidationRecord(SupplyChainValidation.ValidationType.FIRMWARE,
+// fwStatus.getAppStatus(),
+// "Firmware validation of TPM Quote failed.", rim, level);
+// }
+ }
+ }
+ }
+
+ // Generate validation summary, save it, and return it.
+ summary.getValidations().add(quoteScv); //verify
+ try {
+ supplyChainValidatorSummaryManager.save(summary);
+ } catch (DBManagerException ex) {
+ LOGGER.error("Failed to save Supply Chain summary", ex);
+ }
+
+ return summary;
+ }
+
 /**
 * This method is a sub set of the validate supply chain method and focuses
 * on the specific multibase validation check for a delta chain. This method
@@ -349,7 +421,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
 pcrPolicy.setBaselinePcrs(baseline);
 if (attCert != null) {
- Path pcrPath = Paths.get(attCert.getPcrValues());
+ Path pcrPath = Paths.get("");
 String pcrContent = "";
 if (Files.exists(pcrPath)) {
 try {
diff --git a/HIRS_ProvisionerTPM2/src/CommandTpm2.cpp b/HIRS_ProvisionerTPM2/src/CommandTpm2.cpp
index f2976299..226e42a4 100644
--- a/HIRS_ProvisionerTPM2/src/CommandTpm2.cpp
+++ b/HIRS_ProvisionerTPM2/src/CommandTpm2.cpp
@@ -558,7 +558,7 @@ string CommandTpm2::getQuote(const string& pcr_selection,
 * Method to get the full list of pcrs from the TPM.
 *
 */
-string CommandTpm2::getPcrsList() {
+string CommandTpm2::getPcrList() {
 string pcrslist;
 stringstream argsStream;
diff --git a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto
index f0bb5868..9f34d2a2 100644
--- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto
+++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto
@@ -57,6 +57,7 @@ message DeviceInfo {
 required HardwareInfo hw = 2;
 required NetworkInfo nw = 3;
 required OsInfo os = 4;
+ optional bytes pcrslist = 5;
 }
 message IdentityClaim {
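Review bot: `quoteScv` is never assigned in `validateQuote`, because its only assignment sits in the commented-out block, so `summary.getValidations().add(quoteScv)` always adds `null` and the `FAIL` status built for a missing RIM is discarded. As written, a device whose earlier summary is `PASS` keeps that result even when no RIM is found, so the method reports success without checking any quote. Until the quote check is implemented, build a FIRMWARE validation record from `fwStatus` in the `rim == null` branch and guard the add with `if (quoteScv != null) { summary.getValidations().add(quoteScv); }`. The result of `supplyChainValidatorSummaryManager.get(device.getId())` is also dereferenced without a null check. The `for` loop over `swids` overwrites `baseline` on each iteration, so only the last resource's PCR values are used.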
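Review bot: `Paths.get("")` is the empty path, which resolves against the process working directory, so `Files.exists(pcrPath)` will normally be true and the `try` block that follows ends up operating on a directory instead of a PCR file. What that block reads lies outside the hunk, but either way the firmware check in this method no longer sees real PCR values. If the file-based PCR source is being retired, delete the branch or replace the lookup with the new source. At minimum add `// FIXME: placeholder path; no PCR content is available here` so the gap in validation stays visible.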
@@ -80,7 +81,6 @@ message IdentityClaimResponse {
 message CertificateRequest {
 required bytes nonce = 1;
 optional bytes quote = 2;
- optional bytes pcrslist = 3;
 }
 message CertificateResponse {
diff --git a/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp b/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp
index 4969d146..e734f588 100644
--- a/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp
@@ -98,7 +98,7 @@ string RestfulClientProvisioner::sendIdentityClaim(
 stringstream errormsg;
 errormsg << "Error communicating with ACA server. "
 << "Received response code: " << to_string(r.status_code)
- << "\n\nError message fom ACA was: "
+ << "\n\nError message from ACA was: "
 << JSONFieldParser::parseJsonStringField(r.text, ACA_ERROR_FIELDNAME);
 throw HirsRuntimeException(errormsg.str(),
diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
index c8e78851..835e4be2 100644
--- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
@@ -64,6 +64,7 @@ int provision() {
 // collect device info
 cout << "----> Collecting device information" << endl;
 hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo();
+ dv.set_pcrslist(tpm2.getPcrList());
 // send identity claim
 cout << "----> Sending identity claim to Attestation CA" << endl;
@@ -106,10 +107,14 @@ int provision() {
 "14,15,16,17,18,19,20,21,22,23", decryptedNonce));
- certificateRequest.set_pcrslist(tpm2.getPcrsList());
 const string& akCertificateByteString = provisioner.sendAttestationCertificateRequest(certificateRequest);
+ if (akCertificateByteString == "") {
+ cout << "----> Provisioning failed.";
+ cout << "Please refer to the Attestation CA for details." << endl;
+ return 0;
+ }
 cout << "----> Storing attestation key certificate" << endl;
 tpm2.storeAKCertificate(akCertificateByteString);
 return 1;
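Review bot: Field number 3 of `CertificateRequest` is removed without being reserved, so a later field could reuse the number and be misread by provisioners built against the old schema. Add `reserved 3;` inside `CertificateRequest`, provided the protoc version in use accepts `reserved` in this file's syntax.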
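Review bot: The two `cout` statements in the new failure branch of `provision()` print `----> Provisioning failed.Please refer to the Attestation CA for details.` with no space between the sentences, and the message goes to standard output rather than the error stream. Suggest `cerr << "----> Provisioning failed. " << "Please refer to the Attestation CA for details." << endl;` and `if (akCertificateByteString.empty()) {` for the test. An empty response is the only failure detected here. As far as this hunk shows, nothing checks that the returned bytes are a well-formed certificate before `tpm2.storeAKCertificate` is called.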
diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/certificate/IssuedAttestationCertificate.java b/HIRS_Utils/src/main/java/hirs/data/persist/certificate/IssuedAttestationCertificate.java
index b24eafa0..3782daee 100644
--- a/HIRS_Utils/src/main/java/hirs/data/persist/certificate/IssuedAttestationCertificate.java
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/certificate/IssuedAttestationCertificate.java
@@ -10,7 +10,6 @@ import java.util.Set;
 import java.util.UUID;
 import javax.persistence.Entity;
 import javax.persistence.FetchType;
-import javax.persistence.Column;
 import javax.persistence.JoinColumn;
 import javax.persistence.ManyToMany;
 import javax.persistence.ManyToOne;
@@ -21,8 +20,6 @@ import javax.persistence.ManyToOne;
 @Entity
 public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
- private static final int MAX_CERT_LENGTH_BYTES = 1024;
-
 /**
 * AIC label that must be used.
 */
@@ -36,9 +33,6 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
 @JoinColumn(name = "pc_id")
 private Set platformCredentials;
- @Column(nullable = true, length = MAX_CERT_LENGTH_BYTES)
- private String pcrValues;
-
 /**
 * This class enables the retrieval of IssuedAttestationCertificate by their attributes.
 */
@@ -129,20 +123,4 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
 public Set getPlatformCredentials() {
 return Collections.unmodifiableSet(platformCredentials);
 }
-
- /**
- * Getter for the pcrValues passed up by the client.
- * @return a string blob of pcrs
- */
- public String getPcrValues() {
- return pcrValues;
- }
-
- /**
- * Setter for the pcrValues passed up by the client.
- * @param pcrValues to be stored.
- */
- public void setPcrValues(final String pcrValues) {
- this.pcrValues = pcrValues;
- }
 }