
Example 11 with PcrManifest

use of com.intel.mountwilson.manifest.data.PcrManifest in project OpenAttestation by OpenAttestation.

The class TAHelper, method getQuoteInformationForHost.

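/**
 * Requests a TPM quote from the host's trust agent and turns it into a PCR manifest map.
 *
 * The flow is: generate a fresh nonce and session id, ask the agent for a quote over
 * {@code pcrList}, persist the quote, an AIK certificate and the nonce under the session id,
 * create the session's RSA key file, then hand the session (plus the host's event log, when
 * one was returned) to {@code verifyQuoteAndGetPcr} and return its PCR map.
 *
 * @param hostname host name, used only in log output
 * @param client   trust-agent client for the host
 * @param pcrList  PCR selection passed through to the agent's quote request
 * @return map of PCR name to {@link PcrManifest}, exactly as produced by verifyQuoteAndGetPcr
 * @throws Exception propagated from the agent call and the save/verify helpers
 */
public HashMap<String, PcrManifest> getQuoteInformationForHost(String hostname, TrustAgentSecureClient client, String pcrList) throws Exception {
    //  XXX BUG #497  START CODE SNIPPET MOVED TO INTEL HOST AGENT
    String nonce = generateNonce();
    String sessionId = generateSessionId();
    ClientRequestType clientRequestType = client.getQuote(nonce, pcrList);
    log.info("got response from server [" + hostname + "] " + clientRequestType);
    String quote = clientRequestType.getQuote();
    log.info("extracted quote from response: " + quote);
    saveQuote(quote, sessionId);
    log.info("saved quote with session id: " + sessionId);
    // The AIK certificate only needs to come from the host while registering it; for a plain
    // quote request the previously saved (trusted) AIK is used instead.
    // NOTE(review): when trustedAik is null the host-supplied certificate is the one the quote
    // is later checked against, so this branch should only be reachable during registration --
    // confirm against the callers.
    if (trustedAik == null) {
        String aikCertificate = clientRequestType.getAikcert();
        log.info("extracted aik cert from response: " + aikCertificate);
        saveCertificate(aikCertificate, sessionId);
        log.info("saved host-provided AIK certificate with session id: " + sessionId);
    } else {
        saveCertificate(trustedAik, sessionId);
        log.info("extracted aik cert from database: " + trustedAik);
        log.info("saved database-provided trusted AIK certificate with session id: " + sessionId);
    }
    saveNonce(nonce, sessionId);
    log.info("TAHelper - src: saved nonce with session id: " + sessionId);
    createRSAKeyFile(sessionId);
    log.info("created RSA key file for session id: " + sessionId);
    // issue #879: the event log is optional. The null check mirrors the original code, which
    // treats a null decode result as "no event log supplied".
    byte[] eventLogBytes = Base64.decodeBase64(clientRequestType.getEventLog());
    // Decode the event log text with an explicit charset so the result does not depend on the
    // JVM's platform default encoding.
    String decodedEventLog = null;
    if (eventLogBytes != null) {
        decodedEventLog = new String(eventLogBytes, java.nio.charset.Charset.forName("UTF-8"));
    }
    HashMap<String, PcrManifest> pcrMap = verifyQuoteAndGetPcr(sessionId, decodedEventLog);
    log.info("Got PCR map");
    return pcrMap;
}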

Example 12 with PcrManifest

use of com.intel.mountwilson.manifest.data.PcrManifest in project OpenAttestation by OpenAttestation.

The class HostBO, method addHost.

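/**
 * Registers a new host: validates its address, verifies its AIK certificate (TPM hosts) or
 * fetches its location from the PCR manifest (other hosts), records host-specific PCR 19 module
 * data when the VMM MLE requires it, persists the host and finally associates any configured
 * asset tag certificate.
 *
 * @param host the host record submitted by the caller
 * @return the literal string {@code "true"} on success
 * @throws ASException on validation failure, on a {@link CryptographyException} (mapped to
 *         {@code AS_ENCRYPTION_ERROR}), or on any other error (wrapped with the original as cause)
 */
public String addHost(TxtHost host) {
    String certificate = null;
    String location = null;
    String ipAddress = null;
    HashMap<String, ? extends IManifest> pcrMap = null;
    try {
        // The submitted IP address must agree with what DNS resolves for the host name.
        ipAddress = InetAddress.getByName(host.getHostName().toString()).getHostAddress();
        if (!ipAddress.equalsIgnoreCase(host.getIPAddress().toString())) {
            throw new ASException(ErrorCode.AS_HOST_IPADDRESS_NOT_MATCHED, host.getHostName().toString(), host.getIPAddress().toString());
        }
        checkForDuplicate(host);
        getBiosAndVMM(host);
        log.info("Getting Server Identity.");
        TblHosts tblHosts = new TblHosts();
        // Trust-on-first-use: the TLS certificate the host presents during this registration
        // becomes the pinned one, so the registration itself has to run over a path the
        // operator trusts.
        tblHosts.setTlsPolicyName("TRUST_FIRST_CERTIFICATE");
        tblHosts.setTlsKeystore(null);
        tblHosts.setAddOnConnectionInfo(host.getAddOn_Connection_String());
        if (host.getHostName() != null) {
            tblHosts.setName(host.getHostName().toString());
        }
        if (host.getIPAddress() != null) {
            tblHosts.setIPAddress(host.getIPAddress().toString());
        }
        if (host.getPort() != null) {
            tblHosts.setPort(host.getPort());
        } else {
            throw new ASException(ErrorCode.PORT_MISSING, host.getHostName().toString(), host.getIPAddress().toString());
        }
        if (canFetchAIKCertificateForHost(host.getVmm().getName())) {
            // datatype.Vmm
            // Locale-independent lower-casing so the "citrix" test does not depend on the JVM's
            // default locale.
            if (!host.getAddOn_Connection_String().toLowerCase(java.util.Locale.ENGLISH).contains("citrix")) {
                certificate = getAIKCertificateForHost(tblHosts, host);
                // we have to check that the aik certificate was signed by a trusted privacy ca
                X509Certificate hostAikCert = X509Util.decodePemCertificate(certificate);
                hostAikCert.checkValidity();
                // read privacy ca certificate
                // XXX TODO currently we only support one privacy CA cert...
                // in the future we should read a PEM format file with possibly multiple trusted privacy ca certs
                X509Certificate privacyCaCert;
                InputStream privacyCaIn = new FileInputStream(ResourceFinder.getFile("PrivacyCA.cer"));
                try {
                    privacyCaCert = X509Util.decodeDerCertificate(IOUtils.toByteArray(privacyCaIn));
                } finally {
                    // Close on every path; previously the stream leaked when reading or decoding threw.
                    IOUtils.closeQuietly(privacyCaIn);
                }
                privacyCaCert.checkValidity();
                // verify the trusted privacy ca signed this aik cert
                // This is a signature-plus-validity-period check only: no certificate path
                // building, issuer/subject matching or revocation lookup happens here.
                hostAikCert.verify(privacyCaCert.getPublicKey());
            // NoSuchAlgorithmException,InvalidKeyException,NoSuchProviderException,SignatureException
            }
            // For a "citrix" connection string no AIK certificate is fetched or verified and
            // certificate stays null.
        } else {
            // ESX host so get the location for the host and store in the table
            pcrMap = getHostPcrManifest(tblHosts, host);
            // BUG #497 sending both the new TblHosts record and the TxtHost object just to get the TlsPolicy into
            // the initial call so that with the trust_first_certificate policy we will obtain the host certificate now while adding it
            log.info("Getting location for host from VCenter");
            location = getLocation(pcrMap);
        }
        HostAgentFactory factory = new HostAgentFactory();
        HostAgent agent = factory.getHostAgent(tblHosts);
        log.info("Saving Host in database with TlsPolicyName {} and TlsKeystoreLength {}", tblHosts.getTlsPolicyName(), tblHosts.getTlsKeystore() == null ? "null" : tblHosts.getTlsKeystore().length);
        Map<String, String> attributes = agent.getHostAttributes();
        String hostUuidAttr = attributes.get("Host_UUID");
        if (!attributes.isEmpty() && hostUuidAttr != null) {
            // Stored hardware UUID is normalised to lower case for later comparisons.
            tblHosts.setHardwareUuid(hostUuidAttr.toLowerCase(java.util.Locale.ENGLISH).trim());
        }
        log.debug("Saving the host details in the DB");
        // retrieve the complete manifest and get module info inserted into database
        // We only handle module info for PCR 19
        // NOTE(review): for non-TPM hosts this is the second getHostPcrManifest call (the first
        // fed getLocation above); pcrMap could presumably be reused here -- verify before changing.
        HashMap<String, ? extends IManifest> pcrs = getHostPcrManifest(tblHosts, host);
        List<TblHostSpecificManifest> tblHostSpecificManifests = null;
        // vmmMleId is a field: its value here is whatever was set before this point (presumably
        // by getBiosAndVMM above); it is re-resolved via findVmmMleForHost further down.
        if (vmmMleId.getRequiredManifestList().contains(MODULE_PCR)) {
            if (pcrs != null) {
                PcrManifest pcr19 = (PcrManifest) pcrs.get(MODULE_PCR);
                addModuleWhiteList(pcr19, tblHosts, host, hostUuidAttr);
                log.info("Host specific modules would be retrieved from the host that extends into PCR 19.");
                String hostType = host.getVendor();
                tblHostSpecificManifests = createHostSpecificManifestRecords(vmmMleId, pcrs, hostType);
            }
        } else {
            log.info("Host specific modules will not be configured since PCR 19 is not selected for attestation");
        }
        biosMleId = findBiosMleForHost(host);
        vmmMleId = findVmmMleForHost(host);
        saveHostInDatabase(tblHosts, host, certificate, location, pcrMap, tblHostSpecificManifests, biosMleId, vmmMleId);
        // Now that the host has been registered successfully, let us see if there is an asset tag certificated configured for the host
        // to which the host has to be associated
        associateAssetTagCertForHost(host, agent.getHostAttributes(), tblHosts);
    } catch (ASException ase) {
        throw ase;
    } catch (CryptographyException e) {
        throw new ASException(e, ErrorCode.AS_ENCRYPTION_ERROR, e.getCause() == null ? e.getMessage() : e.getCause().getMessage());
    } catch (Exception e) {
        // Log through the logger (with the stack trace) rather than printStackTrace(), then
        // wrap so callers only ever see ASException.
        log.error("addHost failed", e);
        throw new ASException(e);
    }
    return "true";
}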

Example 13 with PcrManifest

use of com.intel.mountwilson.manifest.data.PcrManifest in project OpenAttestation by OpenAttestation.

The class HostTrustBO, method verifyAssetTagTrust.

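/**
 * Checks whether the asset tag certificate bound to a host matches the PCR 22 entry of the
 * supplied manifest map.
 *
 * The SHA-1 of the certificate's PCR event is compared, case-insensitively, with the PCR 22
 * value found in {@code pcrManifestMap}. A missing PCR 22 entry yields {@code false}. The
 * trust status for PCR 22 is logged either way; {@code logTrustStatus} is only called when an
 * entry exists.
 *
 * @param host           the host being evaluated (passed through to logTrustStatus)
 * @param mle            the MLE being evaluated (passed through to logTrustStatus)
 * @param pcrManifestMap PCR name to manifest; the "22" entry is expected to be a PcrManifest
 *                       (NOTE(review): whether these are measured or whitelisted values is not
 *                       visible here -- confirm with the caller)
 * @param atagCert       the asset tag certificate whose PCR event is checked
 * @return {@code true} only if PCR 22 is present and equals the certificate's event digest
 */
private boolean verifyAssetTagTrust(TblHosts host, TblMle mle, HashMap<String, ? extends IManifest> pcrManifestMap, MwAssetTagCertificate atagCert) {
    final String pcr = "22";
    String certSha1 = Sha1Digest.valueOf(atagCert.getPCREvent()).toString();
    // Single lookup; the cast is what the comparison below needs.
    IManifest pcrMf = pcrManifestMap.get(pcr);
    PcrManifest goodKnownValue = (PcrManifest) pcrMf;
    boolean trustStatus = false;
    if (goodKnownValue != null) {
        String expected = goodKnownValue.getPcrValue();
        log.debug("Checking PCR 22: {} - {}", certSha1, expected);
        // Hex digests: compare case-insensitively. equalsIgnoreCase also tolerates a null
        // stored value, where the previous toUpperCase() call would have thrown.
        trustStatus = certSha1.equalsIgnoreCase(expected);
    } else {
        log.debug("goodKnownValue is null");
    }
    log.info(String.format("PCR %s Host Trust status %s", pcr, String.valueOf(trustStatus)));
    if (pcrMf != null) {
        logTrustStatus(host, mle, pcrMf);
    } else {
        log.info("PCR Manifest is null, unable to log Trust Status");
    }
    return trustStatus;
}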

Example 14 with PcrManifest

use of com.intel.mountwilson.manifest.data.PcrManifest in project OpenAttestation by OpenAttestation.

The class PcrGKVStrategy, method getPcrManifestMap.

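/**
 * Builds the good-known PCR manifest map for an MLE from its stored PCR manifest rows.
 *
 * Each row is re-read by id through the JPA controller (so cached entities are bypassed) and
 * converted to a {@link PcrManifest}; the trimmed PCR name is both the map key and the PCR number.
 *
 * @param mle the MLE whose PCR manifest rows are converted
 * @return map of trimmed PCR name to PcrManifest; empty if the MLE has no rows
 * @throws NumberFormatException if a stored PCR name is not an integer after trimming
 */
private HashMap<String, ? extends IManifest> getPcrManifestMap(TblMle mle) {
    HashMap<String, IManifest> pcrManifests = new HashMap<String, IManifest>();
    for (TblPcrManifest mleEntry : mle.getTblPcrManifestCollection()) {
        // Call query method to avoid the objects from the cache
        TblPcrManifest pcrMf = getPcrManifestJpaController().findPcrManifestById(mleEntry.getId());
        // Trim once and use the trimmed name for both the key and the PCR number, so a stray
        // space in the stored name cannot make Integer.valueOf fail while the key still matches.
        String pcrName = pcrMf.getName().trim();
        String pcrValue = pcrMf.getValue().trim();
        pcrManifests.put(pcrName, new PcrManifest(Integer.valueOf(pcrName), pcrValue));
        log.info("{} - {}", new Object[] { pcrMf.getName(), pcrMf.getValue() });
    }
    return pcrManifests;
}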

Example 15 with PcrManifest

use of com.intel.mountwilson.manifest.data.PcrManifest in project OpenAttestation by OpenAttestation.

The class PcrGKVStrategyTest, method testGetBiosGoodKnownManifest.

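/**
 * With the MLE and PCR-manifest lookups mocked, getBiosGoodKnownManifest must return exactly
 * one PcrManifest, keyed "0", carrying the mocked PCR value.
 */
@Test
public void testGetBiosGoodKnownManifest() {
    final String expectedValue = "31B97D97B4679917EC3C1D943635693FFBAB4143";
    when(mleJpaController.findBiosMle(anyString(), anyString(), anyString())).thenReturn(mockFindBiosMle());
    TblPcrManifest pcr = new TblPcrManifest(1, "0", expectedValue);
    when(pcrManifestJpaController.findPcrManifestById(any(Integer.class))).thenReturn(pcr);
    // The strategy returns a wildcard-typed map; the test inspects the concrete map.
    @SuppressWarnings("unchecked")
    HashMap<String, IManifest> pcrManifests = (HashMap<String, IManifest>) gkvstrategy.getBiosGoodKnownManifest("DELL", "A08", "DELL");
    assertNotNull(pcrManifests);
    // assertEquals takes (expected, actual); keeping that order makes failure messages read correctly.
    assertEquals(1, pcrManifests.size());
    PcrManifest pcrMf = (PcrManifest) pcrManifests.get("0");
    assertNotNull(pcrMf);
    assertEquals(0, pcrMf.getPcrNumber());
    assertEquals(expectedValue, pcrMf.getPcrValue());
}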
