From 78e308e67d1f1c48a9bb470fb897db4adf8a6fe6 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Wed, 5 Jan 2022 07:36:21 -0500
Subject: [PATCH 1/3] The provisioner was throwing an error to the standard printout because of protobuf. This had to do with the recent change to checking the Identity Claim Response and the use of the has_credentialBlob check.

---
 HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
index c7e90f3e..9c96428c 100644
--- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
@@ -143,10 +143,16 @@ int provision() {
     RestfulClientProvisioner provisioner;
     string response = provisioner.sendIdentityClaim(identityClaim);
     hirs::pb::IdentityClaimResponse icr;
-    if (!icr.ParseFromString(response) || !icr.has_credential_blob()) {
-        cout << "----> Provisioning failed." << endl;
-        cout << "The ACA did not send make credential information." << endl;
-        return 0;
+
+    try {
+        if (response == "" || !icr.has_credential_blob()) {
+            logger.error("The ACA did not send make credential blob.");
+            cout << "----> Provisioning failed." << endl;
+            cout << "The ACA did not send make credential information." << endl;
+            return 0;
+        }
+    } catch (const google::protobuf::FatalException& e) {
+        logger.error(e.what());
     }
 
     string nonceBlob = icr.credential_blob();

From 5858e363134ddc6b009b7d268b58fd750b30dea9 Mon Sep 17 00:00:00 2001
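Review bot: The replacement check no longer calls `icr.ParseFromString(response)`, so `icr` stays a default-constructed message: `has_credential_blob()` is false regardless of what the ACA returned, and `response == ""` says nothing about whether the bytes were a valid IdentityClaimResponse. The catch handler also only logs and then falls through to `icr.credential_blob()` below the hunk instead of returning, so a fatal protobuf error would continue into the activateIdentity path with an empty blob; it should `return 0;` after logging. Note that `google::protobuf::FatalException` is only thrown when protobuf is built with PROTOBUF_USE_EXCEPTIONS; in a default build a failed check aborts, and the console output the commit message describes is presumably libprotobuf's own error log from a failed parse (e.g. a missing required field), which this handler would not catch either way. Patch 2/3 of this series restores the parse. provision() begins and ends outside the hunk.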
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Wed, 5 Jan 2022 16:49:27 -0500
Subject: [PATCH 2/3] Updated the implementation to return a blank identity claim response. The provisioner tests the blob and if it is empty, exit

---
 ...stractAttestationCertificateAuthority.java | 10 ++++++++--
 HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 19 ++++++++++---------
 2 files changed, 18 insertions(+), 11 deletions(-)

diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
index 1a2b6387..d0753103 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@@ -439,10 +439,11 @@ public abstract class AbstractAttestationCertificateAuthority
             }
         }
 
+        ByteString blobStr = ByteString.copyFrom(new byte[]{});
         if (validationResult == AppraisalStatus.Status.PASS) {
             RSAPublicKey akPub = parsePublicKey(claim.getAkPublicArea().toByteArray());
             byte[] nonce = generateRandomBytes(NONCE_LENGTH);
-            ByteString blobStr = tpm20MakeCredential(ekPub, akPub, nonce);
+            blobStr = tpm20MakeCredential(ekPub, akPub, nonce);
             SupplyChainPolicy scp = this.supplyChainValidationService.getPolicy();
             String pcrQuoteMask = PCR_QUOTE_MASK;
 
@@ -465,7 +466,12 @@ public abstract class AbstractAttestationCertificateAuthority
         } else {
             LOG.error("Supply chain validation did not succeed. Result is: "
                     + validationResult);
-            return new byte[]{};
+            // empty response
+            ProvisionerTpm2.IdentityClaimResponse response
+                    = ProvisionerTpm2.IdentityClaimResponse.newBuilder()
+                    .setCredentialBlob(blobStr)
+                    .build();
+            return response.toByteArray();
         }
     }
 
diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
index 9c96428c..73669dc2 100644
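Review bot: The else branch in the second hunk now serializes an IdentityClaimResponse whose credentialBlob is present but empty, so a rejected supply-chain validation is distinguishable from a successful claim on the wire only by the blob's length; the message carries no explicit status and the provisioner (TPM2_Provisioner.cpp in this series) has to infer the rejection from `nonceBlob == ""`. That contract is implicit on both sides, so the `// empty response` comment should state it, e.g. `// Validation failed: return a response whose credentialBlob is set but empty; the provisioner treats an empty blob as a rejected claim.` In the first hunk `ByteString.copyFrom(new byte[]{})` can be `ByteString.EMPTY`, and since the method-scope `blobStr` is only read with its initial value in the else branch, building the empty response there directly would let `blobStr` stay local to the PASS branch as before. The enclosing method starts before the first hunk, and its PASS branch continues between the two hunks.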
--- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
@@ -144,18 +144,19 @@ int provision() {
     string response = provisioner.sendIdentityClaim(identityClaim);
     hirs::pb::IdentityClaimResponse icr;
 
-    try {
-        if (response == "" || !icr.has_credential_blob()) {
-            logger.error("The ACA did not send make credential blob.");
-            cout << "----> Provisioning failed." << endl;
-            cout << "The ACA did not send make credential information." << endl;
-            return 0;
-        }
-    } catch (const google::protobuf::FatalException& e) {
-        logger.error(e.what());
+    if (!icr.ParseFromString(response) || !icr.has_credential_blob()) {
+        logger.error("The ACA did not send make credential blob.");
+        cout << "----> Provisioning failed." << endl;
+        cout << "The ACA did not send make credential information." << endl;
+        return 0;
     }
 
     string nonceBlob = icr.credential_blob();
+    if (nonceBlob == "") {
+        cout << "----> Provisioning failed." << endl;
+        cout << "The ACA did not send make credential information." << endl;
+        return 0;
+    }
 
     // activateIdentity requires we read makeCredential output from a file
     cout << "----> Received response. Attempting to decrypt nonce" << endl;

From d510e3f460b1c9a43b33f6c2d38530bc88ddf1e6 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Fri, 7 Jan 2022 10:19:48 -0500
Subject: [PATCH 3/3] Updated error message print out.

---
 HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
index 73669dc2..2f5aea23 100644
--- a/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
+++ b/HIRS_ProvisionerTPM2/src/TPM2_Provisioner.cpp
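Review bot: The new `if (nonceBlob == "")` branch reports the failure only on cout, while the parse-failure check just above it also records it with `logger.error(...)`; the two exits should be symmetric so that a claim rejected by the ACA is visible in the provisioner log, e.g. add `logger.error("The ACA returned an empty credential blob.");` before the first cout. `nonceBlob == ""` reads better as `nonceBlob.empty()`. Because the ACA now signals a failed supply-chain validation with an empty credentialBlob rather than a distinct status field, a comment on that branch documenting the contract would help a later reader, e.g. `// An empty credentialBlob is the ACA's signal that the identity claim was rejected.` provision() begins and ends outside the hunk.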
@@ -154,7 +154,7 @@ int provision() {
     string nonceBlob = icr.credential_blob();
     if (nonceBlob == "") {
         cout << "----> Provisioning failed." << endl;
-        cout << "The ACA did not send make credential information." << endl;
+        cout << "The ACA sent empty credential information." << endl;
         return 0;
     }
 