mirror of
https://github.com/nsacyber/HIRS.git
synced 2024-12-20 05:28:22 +00:00
771d5588d5
modifications to the provisioner code for testing and updated the Restful base mapping
162 lines
6.0 KiB
C++
162 lines
6.0 KiB
C++
/**
|
|
* Copyright (C) 2017-2018, U.S. Government
|
|
*/
|
|
#include <HirsRuntimeException.h>
|
|
#include <RestfulClientProvisioner.h>
|
|
#include <Utils.h>
|
|
#include <Properties.h>
|
|
|
|
#include <cpr/cpr.h>
|
|
|
|
#include <sstream>
|
|
#include <string>
|
|
#include <utility>
|
|
|
|
using hirs::exception::HirsRuntimeException;
|
|
using hirs::log::Logger;
|
|
using hirs::pb::IdentityClaim;
|
|
using hirs::pb::IdentityClaimResponse;
|
|
using hirs::pb::CertificateRequest;
|
|
using hirs::pb::CertificateResponse;
|
|
using hirs::properties::Properties;
|
|
using hirs::json_utils::JSONFieldParser;
|
|
using hirs::string_utils::binaryToHex;
|
|
using std::string;
|
|
using std::stringstream;
|
|
using std::to_string;
|
|
|
|
const Logger RestfulClientProvisioner::LOGGER = Logger::getDefaultLogger();
|
|
const char * const RestfulClientProvisioner::PROP_FILE_LOC =
|
|
"/etc/hirs/hirs-site.config";
|
|
const char * const RestfulClientProvisioner::PROP_ACA_FQDN
|
|
= "ATTESTATION_CA_FQDN";
|
|
const char * const RestfulClientProvisioner::PROP_ACA_PORT
|
|
= "ATTESTATION_CA_PORT";
|
|
const char * const RestfulClientProvisioner::ACA_ERROR_FIELDNAME
|
|
= "error";
|
|
|
|
RestfulClientProvisioner::RestfulClientProvisioner() {
|
|
Properties props(PROP_FILE_LOC);
|
|
acaAddress = props.get(PROP_ACA_FQDN, "localhost");
|
|
port = std::stoi(props.get(PROP_ACA_PORT, "8443"));
|
|
}
|
|
|
|
RestfulClientProvisioner::RestfulClientProvisioner(
|
|
const std::string& acaAddress, int acaPort)
|
|
: acaAddress(acaAddress), port(acaPort) {
|
|
}
|
|
|
|
string RestfulClientProvisioner::getAcaAddress() {
|
|
return acaAddress;
|
|
}
|
|
|
|
string RestfulClientProvisioner::sendIdentityClaim(
|
|
IdentityClaim identityClaim) {
|
|
{
|
|
stringstream logStream;
|
|
logStream << "Sending the identity claim to " << acaAddress
|
|
<< " on port " << port;
|
|
LOGGER.info(logStream.str());
|
|
}
|
|
|
|
string identityClaimByteString;
|
|
identityClaim.SerializeToString(&identityClaimByteString);
|
|
|
|
// Send serialized Identity Claim to ACA
|
|
LOGGER.info("Sending Serialized Identity Claim Binary");
|
|
auto r = cpr::Post(cpr::Url{"https://" + acaAddress + ":" + to_string(port)
|
|
+ "/HIRS_AttestationCA/portal/"
|
|
+ "client/identity-claim-tpm2/"
|
|
+ "process"},
|
|
cpr::Body{identityClaimByteString},
|
|
cpr::Header{{"Content-Type",
|
|
"application/octet-stream"},
|
|
{"Accept",
|
|
"application/octet-stream, application/json"}},
|
|
cpr::VerifySsl{false});
|
|
|
|
// Check ACA response, should be 200 if successful
|
|
if (r.status_code == 200) {
|
|
if (r.text.size() == 0) {
|
|
return "";
|
|
}
|
|
|
|
IdentityClaimResponse response;
|
|
try {
|
|
response.ParseFromString(r.text);
|
|
} catch (const google::protobuf::FatalException& e) {
|
|
LOGGER.error(e.what());
|
|
stringstream errormsg;
|
|
errormsg << "Provisioning failed. IdentityClaimResponse "
|
|
<< "did not contain credential_blob.";
|
|
throw HirsRuntimeException(errormsg.str(),
|
|
"RestfulClientProvisioner::sendIdentityClaim");
|
|
}
|
|
|
|
// Convert the nonce blob to hex for logging
|
|
string blobHex = binaryToHex(response.credential_blob());
|
|
stringstream logStream;
|
|
logStream << "Received nonce blob: " << blobHex;
|
|
LOGGER.info(logStream.str());
|
|
|
|
// Return the response
|
|
return response.SerializeAsString();
|
|
|
|
} else {
|
|
stringstream errormsg;
|
|
errormsg << "Error communicating with ACA server. "
|
|
<< "Received response code: " << to_string(r.status_code)
|
|
<< "\n\nError message from ACA was: "
|
|
<< JSONFieldParser::parseJsonStringField(r.text,
|
|
ACA_ERROR_FIELDNAME);
|
|
throw HirsRuntimeException(errormsg.str(),
|
|
"RestfulClientProvisioner::sendIdentityClaim");
|
|
}
|
|
}
|
|
|
|
string RestfulClientProvisioner::sendAttestationCertificateRequest(
|
|
CertificateRequest certificateRequest) {
|
|
string certificateRequestByteString;
|
|
certificateRequest.SerializeToString(&certificateRequestByteString);
|
|
|
|
// Send serialized certificate request to ACA
|
|
LOGGER.info("Sending Serialized DeviceInfo Binary");
|
|
auto r = cpr::Post(cpr::Url{"https://" + acaAddress + ":" + to_string(port)
|
|
+ "/HIRS_AttestationCA/portal/client"
|
|
+ "/request-certificate-tpm2"},
|
|
cpr::Body{certificateRequestByteString},
|
|
cpr::Header{{"Content-Type",
|
|
"application/octet-stream"},
|
|
{"Accept",
|
|
"application/octet-stream, application/json"}},
|
|
cpr::VerifySsl{false});
|
|
|
|
// Check ACA response, should be 200 if successful
|
|
if (r.status_code == 200) {
|
|
CertificateResponse response;
|
|
response.ParseFromString(r.text);
|
|
|
|
{
|
|
// Convert the certificate to hex for logging
|
|
string certificateHex = binaryToHex(response.certificate());
|
|
stringstream logStream;
|
|
logStream << "Received public certificate: " << certificateHex;
|
|
LOGGER.info(logStream.str());
|
|
}
|
|
|
|
// Return the public attestation certificate
|
|
// return response.certificate();
|
|
return response.SerializeAsString();
|
|
|
|
} else {
|
|
stringstream errormsg;
|
|
errormsg << "Error communicating with ACA server. "
|
|
<< "Received response code: " << to_string(r.status_code)
|
|
<< "\n\nError message from ACA was: "
|
|
<< JSONFieldParser::parseJsonStringField(r.text,
|
|
ACA_ERROR_FIELDNAME);
|
|
throw HirsRuntimeException(errormsg.str(),
|
|
"RestfulClientProvisioner::sendAttestationCertificateRequest");
|
|
}
|
|
}
|