Example 1 with TpmIdentityRequest
use of gov.niarl.his.privacyca.TpmIdentityRequest in project OpenAttestation by OpenAttestation.
the class CreateIdentity method createIdentity.
/**
* Entry point into the program. See class description for required properties file elements.
*
*/
public static void createIdentity() throws Exception {
//Properties file
// Define properties file strings
final String OWNER_AUTH = "TpmOwnerAuth";
final String HIS_IDENTITY_LABEL = "HisIdentityLabel";
final String HIS_IDENTITY_INDEX = "HisIdentityIndex";
final String HIS_IDENTITY_AUTH = "HisIdentityAuth";
final String PRIVACY_CA_CERT = "PrivacyCaCertFile";
final String PRIVACY_CA_URL = "PrivacyCaUrl";
final String TRUST_STORE = "TrustStore";
final String CLIENT_PATH = "ClientPath";
final String EC_STORAGE = "ecStorage";
final String EC_LOCATION = "ecLocation";
// Instantiate variables to be set by properties file
byte[] TpmOwnerAuth = null;
String HisIdentityLabel = "";
int HisIdentityIndex = 0;
byte[] HisIdentityAuth = null;
String PrivacyCaCertFile = "";
String PrivacyCaUrl = "";
String TrustStore = "";
String ClientPath = "";
String ecStorageFileName = "";
String ecStorage = "";
// Set properties file name
String homeFolder = "";
String tpmOwnerAuth = "";
// Read the properties file, setting any defaults where it makes sense
FileInputStream PropertyFile = null;
try {
File propFile = ResourceFinder.getFile("hisprovisioner.properties");
PropertyFile = new FileInputStream(propFile);
Properties HisProvisionerProperties = new Properties();
HisProvisionerProperties.load(new InputStreamReader(PropertyFile, "UTF-8"));
homeFolder = propFile.getAbsolutePath();
homeFolder = homeFolder.substring(0, homeFolder.indexOf("hisprovisioner.properties"));
log.info("Home folder : " + homeFolder);
tpmOwnerAuth = HisProvisionerProperties.getProperty(OWNER_AUTH, "");
if (tpmOwnerAuth != null) {
TpmOwnerAuth = Hex.decodeHex(tpmOwnerAuth.toCharArray());
}
// else if (tpmOwnerAuth.length() == 40) {
// log.info("owner authentication is hex code formatted");
// TpmOwnerAuth = TpmUtils.hexStringToByteArray(tpmOwnerAuth);
//} else {
// log.info("illegal owner authentication detected! accepted owner authentication is 20 or 40 long characters");
//}
//TpmOwnerAuth = TpmUtils.hexStringToByteArray(HisProvisionerProperties.getProperty(OWNER_AUTH));
HisIdentityLabel = HisProvisionerProperties.getProperty(HIS_IDENTITY_LABEL, "");
HisIdentityIndex = Integer.parseInt(HisProvisionerProperties.getProperty(HIS_IDENTITY_INDEX, "0"));
HisIdentityAuth = TpmUtils.hexStringToByteArray(HisProvisionerProperties.getProperty(HIS_IDENTITY_AUTH, ""));
PrivacyCaCertFile = HisProvisionerProperties.getProperty(PRIVACY_CA_CERT, "");
PrivacyCaUrl = HisProvisionerProperties.getProperty(PRIVACY_CA_URL, "");
// TrustStore = HisProvisionerProperties.getProperty(TRUST_STORE, "TrustStore.jks");
ClientPath = HisProvisionerProperties.getProperty(CLIENT_PATH, "");
ecStorage = HisProvisionerProperties.getProperty(EC_STORAGE, "NVRAM");
ecStorageFileName = HisProvisionerProperties.getProperty(EC_LOCATION, ".") + System.getProperty("file.separator") + "EC.cer";
} catch (FileNotFoundException e) {
// If the properties file is not found, display error
throw new PrivacyCAException("Error finding HIS Provisioner properties file (HISprovisionier.properties); using defaults.", e);
} catch (IOException e) {
// If propertied file cannot be read, display error
throw new PrivacyCAException("Error loading HIS Provisioner properties file (HISprovisionier.properties); using defaults.");
} catch (NumberFormatException e) {
throw new PrivacyCAException(e);
} finally {
if (PropertyFile != null)
try {
PropertyFile.close();
} catch (IOException e) {
log.log(Level.SEVERE, "Error while closing the property file ", e);
}
}
// Check to see if any of the values were not populated with acceptable values
String errorString = "Properties file \"" + homeFolder + "hisprovisioner.properties contains errors:\n";
boolean hasErrors = false;
if (TpmOwnerAuth == null) {
// || TpmOwnerAuth.length != 20){
errorString += " - \"TpmOwnerAuth\" value must be set representing the TPM owner authentication\n";
hasErrors = true;
}
if (HisIdentityLabel.length() == 0) {
errorString += " - \"HisIdentityLabel\" value must be the subject name for the AIK certificate\n";
hasErrors = true;
}
if (HisIdentityIndex == 0) {
errorString += " - \"HisIdentityIndex\" value must be the index for AIK storage\n";
hasErrors = true;
}
if (HisIdentityAuth == null || HisIdentityAuth.length != 20) {
errorString += " - \"HisIdentityAuth\" value must be a 40 hexidecimal digit (20 byte) value representing the AIK authentication\n";
hasErrors = true;
}
if (PrivacyCaCertFile.length() == 0) {
errorString += " - \"PrivacyCaCertFile\" value must be the name of the Privacy CA certificate file\n";
hasErrors = true;
}
if (PrivacyCaUrl.length() == 0) {
errorString += " - \"PrivacyCaUrl\" value must be the name of the URL of the Privacy CA web service\n";
hasErrors = true;
}
// }
if (ClientPath.length() == 0) {
errorString += " - \"ClientPath\" value must be the path that will be used for installing the HIS Client\n";
hasErrors = true;
}
// If there were errors that prevent the rest of the class from running, display the error specifics and exit with an error code.
if (hasErrors) {
// System.out.println(errorString);
throw new PrivacyCAException(errorString);
}
//System.out.println("Trust store to use :" + System.getProperty("javax.net.ssl.trustStore"));
//System.setProperty("javax.net.ssl.trustStore", "./" + TrustStore);
/*
// looks like this is already being done somewhere else:
// check if an identity already exists; if so, do not attempt to create it. if administrator wants to create a new identity, the existing identity must first be deleted from disk. this version of trust agent supports only a single identity.
File aikcertFile = new File(homeFolder + ClientPath + File.separator+"aikcert.cer");
if( aikcertFile.exists() && aikcertFile.isFile() && aikcertFile.canRead() ) {
log.info("Identity already exists");
return;
}
*/
//Provision an identity for HIS
log.info("Performing HIS identity provisioning...");
FileOutputStream pcaFileOut = null;
try {
byte[] srkAuth = TpmUtils.hexStringToByteArray("0000000000000000000000000000000000000000");
boolean requiresAuthSha = false;
byte[] ownerAuthRaw = TpmOwnerAuth;
byte[] keyAuthRaw = HisIdentityAuth;
byte[] srkAuthRaw = srkAuth;
if (requiresAuthSha) {
ownerAuthRaw = TpmUtils.sha1hash(TpmOwnerAuth);
keyAuthRaw = TpmUtils.sha1hash(HisIdentityAuth);
srkAuthRaw = TpmUtils.sha1hash(srkAuth);
}
X509Certificate pcaCert = TpmUtils.certFromFile(homeFolder + PrivacyCaCertFile);
boolean shortcut = true;
byte[] ekCert = null;
if (ecStorage.equalsIgnoreCase("file")) {
File ecFile = new File(ecStorageFileName);
FileInputStream ecFileIn = new FileInputStream(ecFile);
ekCert = new byte[ecFileIn.available()];
ecFileIn.read(ekCert);
log.info("--read EC from file--");
ecFileIn.close();
} else {
ekCert = TpmModule.getCredential(TpmOwnerAuth, "EC");
}
TpmIdentityRequest encryptedEkCert = new TpmIdentityRequest(ekCert, (RSAPublicKey) pcaCert.getPublicKey(), false);
TpmIdentity newId = TpmModule.collateIdentityRequest(TpmOwnerAuth, HisIdentityAuth, HisIdentityLabel, new TpmPubKey((RSAPublicKey) pcaCert.getPublicKey(), 3, 1).toByteArray(), HisIdentityIndex, (X509Certificate) null, !shortcut);
// HttpsURLConnection.setDefaultHostnameVerifier(new NopX509HostnameVerifier()); // XXX TODO Bug #497 need to allow caller to specify a TlsPolicy // disabled for testing issue #541
IHisPrivacyCAWebService2 hisPrivacyCAWebService2 = HisPrivacyCAWebServices2ClientInvoker.getHisPrivacyCAWebService2(PrivacyCaUrl);
byte[] encrypted1 = hisPrivacyCAWebService2.identityRequestGetChallenge(newId.getIdentityRequest(), encryptedEkCert.toByteArray());
if (encrypted1.length == 1) {
throw new PrivacyCAException("Identity request was rejected by Privacy CA in phase 1 of process");
}
//TpmKey aik = new TpmKey(newId.getAikBlob());
//return os type. win:0; linux:1; other:-1
int os = IdentityOS.osType();
byte[] asym1 = new byte[256];
System.arraycopy(encrypted1, 0, asym1, 0, asym1.length);
byte[] sym1 = new byte[encrypted1.length - 256];
System.arraycopy(encrypted1, 256, sym1, 0, sym1.length);
byte[] decrypted1;
if (os == 1) {
//linux
decrypted1 = TpmModule.activateIdentity(ownerAuthRaw, keyAuthRaw, asym1, sym1, HisIdentityIndex);
} else
//decrypted1 = TpmModuleJava.ActivateIdentity(asym1, sym1, aik, keyAuthRaw, srkAuthRaw, ownerAuthRaw); //Comments temporarily due to TSSCoreService.jar compiling issue
decrypted1 = TpmModule.activateIdentity(ownerAuthRaw, keyAuthRaw, asym1, sym1, HisIdentityIndex);
TpmIdentityRequest encryptedChallenge = new TpmIdentityRequest(decrypted1, (RSAPublicKey) pcaCert.getPublicKey(), false);
byte[] encrypted2 = hisPrivacyCAWebService2.identityRequestSubmitResponse(encryptedChallenge.toByteArray());
if (encrypted2.length == 1) {
log.warning("Identity request was rejected by Privacy CA in phase 2 of process");
throw new Exception("Identity request was rejected by Privacy CA in phase 2 of process");
}
byte[] asym2 = new byte[256];
System.arraycopy(encrypted2, 0, asym2, 0, asym2.length);
byte[] sym2 = new byte[encrypted2.length - 256];
System.arraycopy(encrypted2, 256, sym2, 0, sym2.length);
byte[] decrypted2;
byte[] aikblob;
if (os == 1) {
//linux
decrypted2 = TpmModule.activateIdentity(ownerAuthRaw, keyAuthRaw, asym2, sym2, HisIdentityIndex);
aikblob = newId.getAikBlob();
writecert(homeFolder + ClientPath, decrypted2, "/aikcert.cer");
writeFile(homeFolder + ClientPath, aikblob, "/aikblob.dat");
} else {
//decrypted1 = TpmModuleJava.ActivateIdentity(asym1, sym1, aik, keyAuthRaw, srkAuthRaw, ownerAuthRaw);
//decrypted2 = TpmModuleJava.ActivateIdentity(asym2, sym2, aik, keyAuthRaw, srkAuthRaw, ownerAuthRaw);//Comments temporarily due to TSSCoreService.jar compiling issue
decrypted2 = TpmModule.activateIdentity(ownerAuthRaw, keyAuthRaw, asym2, sym2, HisIdentityIndex);
writecert(homeFolder + ClientPath, decrypted2, "/aikcert.cer");
}
} catch (Exception e) {
throw new PrivacyCAException("FAILED", e);
} finally {
if (pcaFileOut != null)
try {
pcaFileOut.close();
} catch (IOException e) {
log.log(Level.SEVERE, "Error while closing pcaFileOut", e);
}
}
log.info("DONE");
}
Also used :
IHisPrivacyCAWebService2(gov.niarl.his.webservices.hisPrivacyCAWebService2.IHisPrivacyCAWebService2)
InputStreamReader(java.io.InputStreamReader)
FileNotFoundException(java.io.FileNotFoundException)
IOException(java.io.IOException)
Properties(java.util.Properties)
FileInputStream(java.io.FileInputStream)
X509Certificate(java.security.cert.X509Certificate)
IOException(java.io.IOException)
FileNotFoundException(java.io.FileNotFoundException)
CertificateException(javax.security.cert.CertificateException)
TpmPubKey(gov.niarl.his.privacyca.TpmPubKey)
FileOutputStream(java.io.FileOutputStream)
File(java.io.File)
TpmIdentityRequest(gov.niarl.his.privacyca.TpmIdentityRequest)
TpmIdentity(gov.niarl.his.privacyca.TpmIdentity)
Aggregations
TpmIdentity (gov.niarl.his.privacyca.TpmIdentity)1
TpmIdentityRequest (gov.niarl.his.privacyca.TpmIdentityRequest)1
TpmPubKey (gov.niarl.his.privacyca.TpmPubKey)1
IHisPrivacyCAWebService2 (gov.niarl.his.webservices.hisPrivacyCAWebService2.IHisPrivacyCAWebService2)1
File (java.io.File)1
FileInputStream (java.io.FileInputStream)1
FileNotFoundException (java.io.FileNotFoundException)1
FileOutputStream (java.io.FileOutputStream)1
IOException (java.io.IOException)1
InputStreamReader (java.io.InputStreamReader)1
X509Certificate (java.security.cert.X509Certificate)1
Properties (java.util.Properties)1
CertificateException (javax.security.cert.CertificateException)1
