Use of com.intel.mountwilson.manifest.data.PcrManifest in project OpenAttestation by OpenAttestation:
the class TAHelper, method getQuoteInformationForHost.
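/**
 * Requests a TPM quote from the trust agent on {@code hostname}, stores the artefacts
 * needed to verify it (quote, AIK certificate, nonce, RSA key file) under a fresh
 * session id, and returns the PCR manifest map produced by {@code verifyQuoteAndGetPcr}.
 *
 * @param hostname host name, used for logging only
 * @param client   trust-agent client that performs the quote request
 * @param pcrList  PCR selection string passed through to the trust agent
 * @return map from PCR (as string) to {@link PcrManifest}, as returned by verifyQuoteAndGetPcr
 * @throws Exception propagated from the client call and from the save/verify helpers
 */
public HashMap<String, PcrManifest> getQuoteInformationForHost(String hostname, TrustAgentSecureClient client, String pcrList) throws Exception {
    // XXX BUG #497 START CODE SNIPPET MOVED TO INTEL HOST AGENT
    String nonce = generateNonce();
    String sessionId = generateSessionId();
    ClientRequestType clientRequestType = client.getQuote(nonce, pcrList);
    log.info("got response from server [" + hostname + "] " + clientRequestType);
    String quote = clientRequestType.getQuote();
    log.info("extracted quote from response: " + quote);
    saveQuote(quote, sessionId);
    log.info("saved quote with session id: " + sessionId);
    // The host-provided AIK certificate is only accepted when no trusted AIK is known yet
    // (registration). Afterwards the previously stored AIK is used for verification, so a
    // host cannot substitute a different key on later quote requests.
    if (trustedAik == null) {
        String aikCertificate = clientRequestType.getAikcert();
        log.info("extracted aik cert from response: " + aikCertificate);
        saveCertificate(aikCertificate, sessionId);
        log.info("saved host-provided AIK certificate with session id: " + sessionId);
    } else {
        // XXX we only need to save the certificate when registring the host ... when we are just getting a quote we don't need it
        saveCertificate(trustedAik, sessionId);
        log.info("extracted aik cert from database: " + trustedAik);
        log.info("saved database-provided trusted AIK certificate with session id: " + sessionId);
    }
    saveNonce(nonce, sessionId);
    log.info("TAHelper - src: saved nonce with session id: " + sessionId);
    createRSAKeyFile(sessionId);
    log.info("created RSA key file for session id: " + sessionId);
    // issue #879: the event log is optional; when decoding yields null the quote is verified without it.
    byte[] eventLogBytes = Base64.decodeBase64(clientRequestType.getEventLog());
    // Decode with an explicit charset: new String(byte[]) uses the platform default and can
    // mangle the event log on JVMs whose default is not UTF-8.
    String decodedEventLog = (eventLogBytes == null) ? null : new String(eventLogBytes, java.nio.charset.StandardCharsets.UTF_8);
    // Both branches of the original code called verifyQuoteAndGetPcr; only the event log argument differed.
    HashMap<String, PcrManifest> pcrMap = verifyQuoteAndGetPcr(sessionId, decodedEventLog);
    log.info("Got PCR map");
    return pcrMap;
    //log.log(Level.INFO, "PCR map = "+pcrMap); // need to untaint this first
}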
Use of com.intel.mountwilson.manifest.data.PcrManifest in project OpenAttestation by OpenAttestation:
the class HostBO, method addHost.
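/**
 * Registers a new host for attestation: checks that the host name resolves to the supplied
 * IP, rejects duplicates, verifies the host's AIK certificate against the privacy CA (for
 * hosts that expose an AIK) or fetches its location (other hosts), collects the PCR manifest
 * and PCR 19 module whitelist, and persists the host record.
 *
 * @param host host description supplied by the caller
 * @return the literal string {@code "true"} on success
 * @throws ASException for validation failures, cryptography errors (AS_ENCRYPTION_ERROR) and,
 *         wrapped, any other failure
 */
public String addHost(TxtHost host) {
    String certificate = null;
    String location = null;
    String ipAddress = null;
    HashMap<String, ? extends IManifest> pcrMap = null;
    try {
        // The supplied IP must match what the host name resolves to.
        ipAddress = InetAddress.getByName(host.getHostName().toString()).getHostAddress();
        if (!ipAddress.equalsIgnoreCase(host.getIPAddress().toString())) {
            throw new ASException(ErrorCode.AS_HOST_IPADDRESS_NOT_MATCHED, host.getHostName().toString(), host.getIPAddress().toString());
        }
        checkForDuplicate(host);
        getBiosAndVMM(host);
        log.info("Getting Server Identity.");
        TblHosts tblHosts = new TblHosts();
        tblHosts.setTlsPolicyName("TRUST_FIRST_CERTIFICATE");
        tblHosts.setTlsKeystore(null);
        tblHosts.setAddOnConnectionInfo(host.getAddOn_Connection_String());
        if (host.getHostName() != null) {
            tblHosts.setName(host.getHostName().toString());
        }
        if (host.getIPAddress() != null) {
            tblHosts.setIPAddress(host.getIPAddress().toString());
        }
        if (host.getPort() != null) {
            tblHosts.setPort(host.getPort());
        } else {
            throw new ASException(ErrorCode.PORT_MISSING, host.getHostName().toString(), host.getIPAddress().toString());
        }
        if (canFetchAIKCertificateForHost(host.getVmm().getName())) {
            // datatype.Vmm
            // NOTE: hosts whose connection string contains "citrix" skip AIK retrieval and the
            // privacy-CA signature check below; the host is then saved with a null certificate.
            if (!host.getAddOn_Connection_String().toLowerCase().contains("citrix")) {
                certificate = getAIKCertificateForHost(tblHosts, host);
                // we have to check that the aik certificate was signed by a trusted privacy ca
                X509Certificate hostAikCert = X509Util.decodePemCertificate(certificate);
                hostAikCert.checkValidity();
                // read privacy ca certificate
                // XXX TODO currently we only support one privacy CA cert...
                // in the future we should read a PEM format file with possibly multiple trusted privacy ca certs
                X509Certificate privacyCaCert;
                InputStream privacyCaIn = new FileInputStream(ResourceFinder.getFile("PrivacyCA.cer"));
                try {
                    privacyCaCert = X509Util.decodeDerCertificate(IOUtils.toByteArray(privacyCaIn));
                } finally {
                    // close in finally so a read/decode failure does not leak the file handle
                    IOUtils.closeQuietly(privacyCaIn);
                }
                privacyCaCert.checkValidity();
                // verify the trusted privacy ca signed this aik cert; throws
                // NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException
                hostAikCert.verify(privacyCaCert.getPublicKey());
            }
        } else {
            // ESX host so get the location for the host and store in the table
            pcrMap = getHostPcrManifest(tblHosts, host);
            // BUG #497 sending both the new TblHosts record and the TxtHost object just to get the TlsPolicy into
            // the initial call so that with the trust_first_certificate policy we will obtain the host certificate now while adding it
            log.info("Getting location for host from VCenter");
            location = getLocation(pcrMap);
        }
        HostAgentFactory factory = new HostAgentFactory();
        HostAgent agent = factory.getHostAgent(tblHosts);
        log.info("Saving Host in database with TlsPolicyName {} and TlsKeystoreLength {}", tblHosts.getTlsPolicyName(), tblHosts.getTlsKeystore() == null ? "null" : tblHosts.getTlsKeystore().length);
        Map<String, String> attributes = agent.getHostAttributes();
        String hostUuidAttr = attributes.get("Host_UUID");
        if (!attributes.isEmpty() && hostUuidAttr != null) {
            tblHosts.setHardwareUuid(hostUuidAttr.toLowerCase().trim());
        }
        log.debug("Saving the host details in the DB");
        // retrieve the complete manifest and get module info inserted into database
        // We only handle module info for PCR 19
        HashMap<String, ? extends IManifest> pcrs = getHostPcrManifest(tblHosts, host);
        List<TblHostSpecificManifest> tblHostSpecificManifests = null;
        // NOTE(review): vmmMleId is read here but re-assigned by findVmmMleForHost() further down;
        // presumably getBiosAndVMM() populated it earlier — confirm before relying on it.
        if (vmmMleId.getRequiredManifestList().contains(MODULE_PCR)) {
            if (pcrs != null) {
                PcrManifest pcr19 = (PcrManifest) pcrs.get(MODULE_PCR);
                addModuleWhiteList(pcr19, tblHosts, host, hostUuidAttr);
                log.info("Host specific modules would be retrieved from the host that extends into PCR 19.");
                String hostType = host.getVendor();
                tblHostSpecificManifests = createHostSpecificManifestRecords(vmmMleId, pcrs, hostType);
            }
        } else {
            log.info("Host specific modules will not be configured since PCR 19 is not selected for attestation");
        }
        biosMleId = findBiosMleForHost(host);
        vmmMleId = findVmmMleForHost(host);
        saveHostInDatabase(tblHosts, host, certificate, location, pcrMap, tblHostSpecificManifests, biosMleId, vmmMleId);
        // Now that the host has been registered successfully, let us see if there is an asset tag certificated configured for the host
        // to which the host has to be associated
        associateAssetTagCertForHost(host, agent.getHostAttributes(), tblHosts);
    } catch (ASException ase) {
        throw ase;
    } catch (CryptographyException e) {
        throw new ASException(e, ErrorCode.AS_ENCRYPTION_ERROR, e.getCause() == null ? e.getMessage() : e.getCause().getMessage());
    } catch (Exception e) {
        // Route the stack trace through the logger instead of printStackTrace() so it reaches the configured log output.
        log.debug("addHost failed", e);
        throw new ASException(e);
    }
    return "true";
}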
Use of com.intel.mountwilson.manifest.data.PcrManifest in project OpenAttestation by OpenAttestation:
the class HostTrustBO, method verifyAssetTagTrust.
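/**
 * Checks whether the SHA-1 digest of the asset tag certificate's PCR event matches the
 * PCR 22 entry of {@code pcrManifestMap}.
 *
 * @param host           host whose trust status is logged
 * @param mle            MLE record, passed through to logTrustStatus
 * @param pcrManifestMap map from PCR (as string) to manifest
 * @param atagCert       asset tag certificate whose PCR event is compared
 * @return {@code true} only when PCR 22 is present and its value equals the digest (case-insensitive)
 */
private boolean verifyAssetTagTrust(TblHosts host, TblMle mle, HashMap<String, ? extends IManifest> pcrManifestMap, MwAssetTagCertificate atagCert) {
    final String pcr = "22";
    String certSha1 = Sha1Digest.valueOf(atagCert.getPCREvent()).toString();
    // Single lookup; the original fetched the same key twice (once as IManifest, once cast).
    PcrManifest goodKnownValue = (PcrManifest) pcrManifestMap.get(pcr);
    boolean trustStatus;
    if (goodKnownValue != null) {
        log.debug("Checking PCR 22: {} - {}", certSha1, goodKnownValue.getPcrValue());
        // equalsIgnoreCase already folds case and is locale-independent; the former
        // toUpperCase() calls on both sides used the default locale and were redundant.
        trustStatus = certSha1.equalsIgnoreCase(goodKnownValue.getPcrValue());
    } else {
        log.debug("goodKnownValue is null");
        trustStatus = false;
    }
    log.info(String.format("PCR %s Host Trust status %s", pcr, trustStatus));
    if (goodKnownValue != null) {
        logTrustStatus(host, mle, goodKnownValue);
    } else {
        log.info("PCR Manifest is null, unable to log Trust Status");
    }
    return trustStatus;
}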
Use of com.intel.mountwilson.manifest.data.PcrManifest in project OpenAttestation by OpenAttestation:
the class PcrGKVStrategy, method getPcrManifestMap.
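/**
 * Builds the good-known PCR manifest map for an MLE from its persisted TblPcrManifest rows.
 * Every row is re-read by id through the JPA controller so that cached entities are bypassed.
 *
 * @param mle MLE whose PCR manifest collection is read
 * @return map from trimmed PCR name (e.g. {@code "0"}) to {@link PcrManifest}; never null, possibly empty
 * @throws NumberFormatException if a trimmed PCR name is not an integer
 */
private HashMap<String, ? extends IManifest> getPcrManifestMap(TblMle mle) {
    HashMap<String, IManifest> pcrManifests = new HashMap<String, IManifest>();
    for (TblPcrManifest cached : mle.getTblPcrManifestCollection()) {
        // Call query method to avoid the objects from the cache
        TblPcrManifest pcrMf = getPcrManifestJpaController().findPcrManifestById(cached.getId());
        // Trim once and reuse: the original trimmed the map key but parsed the untrimmed name,
        // so a padded name would have thrown NumberFormatException while the key looked fine.
        String name = pcrMf.getName().trim();
        String value = pcrMf.getValue().trim();
        pcrManifests.put(name, new PcrManifest(Integer.valueOf(name), value));
        log.info("{} - {}", pcrMf.getName(), pcrMf.getValue());
    }
    return pcrManifests;
}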
Use of com.intel.mountwilson.manifest.data.PcrManifest in project OpenAttestation by OpenAttestation:
the class PcrGKVStrategyTest, method testGetBiosGoodKnownManifest.
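/**
 * Verifies that getBiosGoodKnownManifest returns a one-entry map keyed by the PCR name
 * ({@code "0"}) whose PcrManifest carries the PCR number and value of the mocked
 * TblPcrManifest row.
 */
@Test
public void testGetBiosGoodKnownManifest() {
    final String pcrValue = "31B97D97B4679917EC3C1D943635693FFBAB4143";
    when(mleJpaController.findBiosMle(anyString(), anyString(), anyString())).thenReturn(mockFindBiosMle());
    TblPcrManifest pcr = new TblPcrManifest(1, "0", pcrValue);
    when(pcrManifestJpaController.findPcrManifestById(any(Integer.class))).thenReturn(pcr);
    HashMap<String, IManifest> pcrManifests = (HashMap<String, IManifest>) gkvstrategy.getBiosGoodKnownManifest("DELL", "A08", "DELL");
    assertNotNull(pcrManifests);
    // JUnit's convention is assertEquals(expected, actual); the original had the arguments
    // swapped, which does not change the outcome but garbles the failure message.
    assertEquals(1, pcrManifests.size());
    PcrManifest pcrMf = (PcrManifest) pcrManifests.get("0");
    assertNotNull(pcrMf);
    assertEquals(0, pcrMf.getPcrNumber());
    assertEquals(pcrValue, pcrMf.getPcrValue());
}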