ExternalVendorCode/HIRS
1
0
Fork 0
mirror of https://github.com/nsacyber/HIRS.git synced 2025-02-21 18:06:42 +00:00
Code Issues Actions 9 Packages Projects Releases Wiki Activity

SupplyCahinValidationService did not like the additions of a method returning a SupplyChainValidation, switched to Summary and it worked. This was the cause of the DB crashing.

Browse Source
This commit is contained in:
Cyrus 2020-08-25 11:36:37 -04:00
parent 025ebc8908
commit ee294e4562
8 changed files with 93 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
View File

@ -515,9 +515,9 @@ public abstract class AbstractAttestationCertificateAuthority
if (request.getQuote() != null && !request.getQuote().isEmpty()) { if (request.getQuote() != null && !request.getQuote().isEmpty()) {
parseTPMQuote(request.getQuote().toStringUtf8()); parseTPMQuote(request.getQuote().toStringUtf8());
} }
if (request.getPcrslist() != null && !request.getPcrslist().isEmpty()) { // if (request.getPcrslist() != null && !request.getPcrslist().isEmpty()) {
this.pcrValues = request.getPcrslist().toStringUtf8(); // this.pcrValues = request.getPcrslist().toStringUtf8();
} // }
// Get device name and device // Get device name and device
String deviceName = claim.getDv().getNw().getHostname(); String deviceName = claim.getDv().getNw().getHostname();
@ -1477,7 +1477,6 @@ public abstract class AbstractAttestationCertificateAuthority
IssuedAttestationCertificate attCert = new IssuedAttestationCertificate( IssuedAttestationCertificate attCert = new IssuedAttestationCertificate(
derEncodedAttestationCertificate, endorsementCredential, platformCredentials); derEncodedAttestationCertificate, endorsementCredential, platformCredentials);
attCert.setDevice(device); attCert.setDevice(device);
attCert.setPcrValues(savePcrValues(pcrValues, device.getName()));
certificateManager.save(attCert); certificateManager.save(attCert);
} catch (Exception e) { } catch (Exception e) {
LOG.error("Error saving generated Attestation Certificate to database.", e); LOG.error("Error saving generated Attestation Certificate to database.", e);

8
HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationService.java
View File

@ -25,4 +25,12 @@ public interface SupplyChainValidationService {
SupplyChainValidationSummary validateSupplyChain(EndorsementCredential ec, SupplyChainValidationSummary validateSupplyChain(EndorsementCredential ec,
Set<PlatformCredential> pc, Set<PlatformCredential> pc,
Device device); Device device);
/**
* A supplemental method that handles validating just the quote post main validation.
*
* @param device the associated device.
* @return True if validation is successful, false otherwise.
*/
SupplyChainValidationSummary validateQuote(Device device);
} }

74
HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
View File

@ -127,6 +127,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
List<SupplyChainValidation> validations = new LinkedList<>(); List<SupplyChainValidation> validations = new LinkedList<>();
Map<PlatformCredential, SupplyChainValidation> deltaMapping = new HashMap<>(); Map<PlatformCredential, SupplyChainValidation> deltaMapping = new HashMap<>();
SupplyChainValidation platformScv = null; SupplyChainValidation platformScv = null;
LOGGER.info("Validating supply chain.");
// Validate the Endorsement Credential // Validate the Endorsement Credential
if (policy.isEcValidationEnabled()) { if (policy.isEcValidationEnabled()) {
@ -260,6 +261,77 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
return summary; return summary;
} }
/**
* A supplemental method that handles validating just the quote post main validation.
*
* @param device the associated device.
* @return True if validation is successful, false otherwise.
*/
@Override
public SupplyChainValidationSummary validateQuote(final Device device) {
final Appraiser supplyChainAppraiser = appraiserManager.getAppraiser(
SupplyChainAppraiser.NAME);
SupplyChainPolicy policy = (SupplyChainPolicy) policyManager.getDefaultPolicy(
supplyChainAppraiser);
SupplyChainValidation quoteScv = null;
SupplyChainValidationSummary summary = supplyChainValidatorSummaryManager.get(device.getId());
Level level = Level.ERROR;
AppraisalStatus fwStatus = new AppraisalStatus(FAIL,
SupplyChainCredentialValidator.FIRMWARE_VALID);
// If the device already failed, then ignore
if (summary.getOverallValidationResult() == PASS) {
// check if the policy is enabled
if (policy.isFirmwareValidationEnabled()) {
String[] baseline = new String[Integer.SIZE];
String manufacturer = device.getDeviceInfo()
.getHardwareInfo().getManufacturer();
// need to get pcrs
ReferenceManifest rim = ReferenceManifest.select(
this.referenceManifestManager)
.byManufacturer(manufacturer)
.getRIM();
if (rim == null) {
fwStatus = new AppraisalStatus(FAIL,
String.format("Firmware Quote validation failed: "
+ "No associated RIM file could be found for %s",
manufacturer));
} else {
List<SwidResource> swids = rim.parseResource();
for (SwidResource swid : swids) {
baseline = swid.getPcrValues()
.toArray(new String[swid.getPcrValues().size()]);
}
PCRPolicy pcrPolicy = policy.getPcrPolicy();
pcrPolicy.setBaselinePcrs(baseline);
// grab the quote
// byte[] hash = device.getDeviceInfo().getTPMInfo().getTpmQuoteHash();
// byte[] signature = device.getDeviceInfo().getTPMInfo().getTpmQuoteHash();
//
// if (!pcrPolicy.validateQuote(hash)) {
// quoteScv = buildValidationRecord(SupplyChainValidation.ValidationType.FIRMWARE,
// fwStatus.getAppStatus(),
// "Firmware validation of TPM Quote failed.", rim, level);
// }
}
}
}
// Generate validation summary, save it, and return it.
summary.getValidations().add(quoteScv); //verify
try {
supplyChainValidatorSummaryManager.save(summary);
} catch (DBManagerException ex) {
LOGGER.error("Failed to save Supply Chain summary", ex);
}
return summary;
}
/** /**
* This method is a sub set of the validate supply chain method and focuses * This method is a sub set of the validate supply chain method and focuses
* on the specific multibase validation check for a delta chain. This method * on the specific multibase validation check for a delta chain. This method
@ -349,7 +421,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
pcrPolicy.setBaselinePcrs(baseline); pcrPolicy.setBaselinePcrs(baseline);
if (attCert != null) { if (attCert != null) {
Path pcrPath = Paths.get(attCert.getPcrValues()); Path pcrPath = Paths.get("");
String pcrContent = ""; String pcrContent = "";
if (Files.exists(pcrPath)) { if (Files.exists(pcrPath)) {
try { try {

2
HIRS_ProvisionerTPM2/src/CommandTpm2.cpp
View File

@ -558,7 +558,7 @@ string CommandTpm2::getQuote(const string& pcr_selection,
* Method to get the full list of pcrs from the TPM. * Method to get the full list of pcrs from the TPM.
* *
*/ */
string CommandTpm2::getPcrsList() { string CommandTpm2::getPcrList() {
string pcrslist; string pcrslist;
stringstream argsStream; stringstream argsStream;

2
HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto
View File

@ -57,6 +57,7 @@ message DeviceInfo {
required HardwareInfo hw = 2; required HardwareInfo hw = 2;
required NetworkInfo nw = 3; required NetworkInfo nw = 3;
required OsInfo os = 4; required OsInfo os = 4;
optional bytes pcrslist = 5;
} }
message IdentityClaim { message IdentityClaim {
@ -80,7 +81,6 @@ message IdentityClaimResponse {
message CertificateRequest { message CertificateRequest {
required bytes nonce = 1; required bytes nonce = 1;
optional bytes quote = 2; optional bytes quote = 2;
optional bytes pcrslist = 3;
} }
message CertificateResponse { message CertificateResponse {

2
HIRS_ProvisionerTPM2/src/RestfulClientProvisioner.cpp
View File

@ -98,7 +98,7 @@ string RestfulClientProvisioner::sendIdentityClaim(
stringstream errormsg; stringstream errormsg;
errormsg << "Error communicating with ACA server. " errormsg << "Error communicating with ACA server. "
<< "Received response code: " << to_string(r.status_code) << "Received response code: " << to_string(r.status_code)
<< "\n\nError message fom ACA was: " << "\n\nError message from ACA was: "
<< JSONFieldParser::parseJsonStringField(r.text, << JSONFieldParser::parseJsonStringField(r.text,
ACA_ERROR_FIELDNAME); ACA_ERROR_FIELDNAME);
throw HirsRuntimeException(errormsg.str(), throw HirsRuntimeException(errormsg.str(),

7
HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
View File

@ -64,6 +64,7 @@ int provision() {
// collect device info // collect device info
cout << "----> Collecting device information" << endl; cout << "----> Collecting device information" << endl;
hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo(); hirs::pb::DeviceInfo dv = DeviceInfoCollector::collectDeviceInfo();
dv.set_pcrslist(tpm2.getPcrList());
// send identity claim // send identity claim
cout << "----> Sending identity claim to Attestation CA" << endl; cout << "----> Sending identity claim to Attestation CA" << endl;
@ -106,10 +107,14 @@ int provision() {
"14,15,16,17,18,19,20,21,22,23", "14,15,16,17,18,19,20,21,22,23",
decryptedNonce)); decryptedNonce));
certificateRequest.set_pcrslist(tpm2.getPcrsList());
const string& akCertificateByteString const string& akCertificateByteString
= provisioner.sendAttestationCertificateRequest(certificateRequest); = provisioner.sendAttestationCertificateRequest(certificateRequest);
if (akCertificateByteString == "") {
cout << "----> Provisioning failed.";
cout << "Please refer to the Attestation CA for details." << endl;
return 0;
}
cout << "----> Storing attestation key certificate" << endl; cout << "----> Storing attestation key certificate" << endl;
tpm2.storeAKCertificate(akCertificateByteString); tpm2.storeAKCertificate(akCertificateByteString);
return 1; return 1;

22
HIRS_Utils/src/main/java/hirs/data/persist/certificate/IssuedAttestationCertificate.java
View File

@ -10,7 +10,6 @@ import java.util.Set;
import java.util.UUID; import java.util.UUID;
import javax.persistence.Entity; import javax.persistence.Entity;
import javax.persistence.FetchType; import javax.persistence.FetchType;
import javax.persistence.Column;
import javax.persistence.JoinColumn; import javax.persistence.JoinColumn;
import javax.persistence.ManyToMany; import javax.persistence.ManyToMany;
import javax.persistence.ManyToOne; import javax.persistence.ManyToOne;
@ -21,8 +20,6 @@ import javax.persistence.ManyToOne;
@Entity @Entity
public class IssuedAttestationCertificate extends DeviceAssociatedCertificate { public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
private static final int MAX_CERT_LENGTH_BYTES = 1024;
/** /**
* AIC label that must be used. * AIC label that must be used.
*/ */
@ -36,9 +33,6 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
@JoinColumn(name = "pc_id") @JoinColumn(name = "pc_id")
private Set<PlatformCredential> platformCredentials; private Set<PlatformCredential> platformCredentials;
@Column(nullable = true, length = MAX_CERT_LENGTH_BYTES)
private String pcrValues;
/** /**
* This class enables the retrieval of IssuedAttestationCertificate by their attributes. * This class enables the retrieval of IssuedAttestationCertificate by their attributes.
*/ */
@ -129,20 +123,4 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
public Set<PlatformCredential> getPlatformCredentials() { public Set<PlatformCredential> getPlatformCredentials() {
return Collections.unmodifiableSet(platformCredentials); return Collections.unmodifiableSet(platformCredentials);
} }
/**
* Getter for the pcrValues passed up by the client.
* @return a string blob of pcrs
*/
public String getPcrValues() {
return pcrValues;
}
/**
* Setter for the pcrValues passed up by the client.
* @param pcrValues to be stored.
*/
public void setPcrValues(final String pcrValues) {
this.pcrValues = pcrValues;
}
} }