Enhancements to ACA certificate generation

nsacyber · Oct 22, 2024 · 2c86bf2 · 2c86bf2
1 parent d908fda
commit 2c86bf2
Show file tree

Hide file tree

Showing 6 changed files with 47 additions and 24 deletions.
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java
@@ -116,7 +116,7 @@ protected X509Certificate generateCredential(final PublicKey publicKey,
                         + "Unable to issue certificates");
             }
 
-            ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSA")
+            ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA")
                     .setProvider("BC").build(getPrivateKey());
             X509CertificateHolder holder = builder.build(signer);
             return new JcaX509CertificateConverter()

diff --git a/...ionCA/src/main/java/hirs/attestationca/persist/provision/CertificateRequestProcessor.java b/...ionCA/src/main/java/hirs/attestationca/persist/provision/CertificateRequestProcessor.java
@@ -160,16 +160,14 @@ public byte[] processCertificateRequest(final byte[] certificateRequest) {
                             attestationCertificate);
                     byte[] derEncodedLdevidCertificate = ProvisionUtils.getDerEncodedCertificate(
                             ldevidCertificate);
+                    String pemEncodedAttestationCertificate = ProvisionUtils.getPemEncodedCertificate(
+                            attestationCertificate);
+                    String pemEncodedLdevidCertificate = ProvisionUtils.getPemEncodedCertificate(
+                            ldevidCertificate);
 
                     // We validated the nonce and made use of the identity claim so state can be deleted
                     tpm2ProvisionerStateRepository.delete(tpm2ProvisionerState);
 
-                    // Package the signed certificates into a response
-                    ByteString certificateBytes = ByteString
-                            .copyFrom(derEncodedAttestationCertificate);
-                    ByteString ldevidCertificateBytes = ByteString
-                            .copyFrom(derEncodedLdevidCertificate);
-
                     boolean generateAtt = saveAttestationCertificate(certificateRepository, derEncodedAttestationCertificate,
                             endorsementCredential, platformCredentials, device, false);
                     boolean generateLDevID = saveAttestationCertificate(certificateRepository, derEncodedLdevidCertificate,
@@ -178,10 +176,10 @@ public byte[] processCertificateRequest(final byte[] certificateRequest) {
                     ProvisionerTpm2.CertificateResponse.Builder builder = ProvisionerTpm2.CertificateResponse.
                             newBuilder().setStatus(ProvisionerTpm2.ResponseStatus.PASS);
                     if (generateAtt) {
-                        builder = builder.setCertificate(certificateBytes);
+                        builder = builder.setCertificate(pemEncodedAttestationCertificate);
                     }
                     if (generateLDevID) {
-                        builder = builder.setLdevidCertificate(ldevidCertificateBytes);
+                        builder = builder.setLdevidCertificate(pemEncodedLdevidCertificate);
                     }
                     ProvisionerTpm2.CertificateResponse response = builder.build();
 
@@ -190,20 +188,19 @@ public byte[] processCertificateRequest(final byte[] certificateRequest) {
                 else {
                     byte[] derEncodedAttestationCertificate = ProvisionUtils.getDerEncodedCertificate(
                             attestationCertificate);
+                    String pemEncodedAttestationCertificate = ProvisionUtils.getPemEncodedCertificate(
+                            attestationCertificate);
 
                     // We validated the nonce and made use of the identity claim so state can be deleted
                     tpm2ProvisionerStateRepository.delete(tpm2ProvisionerState);
 
-                    // Package the signed certificates into a response
-                    ByteString certificateBytes = ByteString
-                            .copyFrom(derEncodedAttestationCertificate);
                     ProvisionerTpm2.CertificateResponse.Builder builder = ProvisionerTpm2.CertificateResponse.
                             newBuilder().setStatus(ProvisionerTpm2.ResponseStatus.PASS);
 
                     boolean generateAtt = saveAttestationCertificate(certificateRepository, derEncodedAttestationCertificate,
                             endorsementCredential, platformCredentials, device, false);
                     if (generateAtt) {
-                        builder = builder.setCertificate(certificateBytes);
+                        builder = builder.setCertificate(pemEncodedAttestationCertificate);
                     }
                     ProvisionerTpm2.CertificateResponse response = builder.build();
 

diff --git a/...testationCA/src/main/java/hirs/attestationca/persist/provision/helper/ProvisionUtils.java b/...testationCA/src/main/java/hirs/attestationca/persist/provision/helper/ProvisionUtils.java
@@ -18,6 +18,7 @@
 import lombok.extern.log4j.Log4j2;
 import org.apache.commons.codec.binary.Hex;
 import org.apache.commons.lang3.ArrayUtils;
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
@@ -28,6 +29,8 @@
 import javax.crypto.spec.OAEPParameterSpec;
 import javax.crypto.spec.PSource;
 import javax.crypto.spec.SecretKeySpec;
+import java.io.IOException;
+import java.io.StringWriter;
 import java.math.BigInteger;
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
@@ -107,6 +110,29 @@ public static byte[] getDerEncodedCertificate(final X509Certificate certificate)
         }
     }
 
+    /**
+     * Helper method to extract a PEM encoded certificate from an X509 certificate.
+     *
+     * @param certificate the X509 certificate to be converted to PEM encoding
+     * @throws {@link UnexpectedServerException} if error occurs during encoding retrieval
+     * @return the string representing the PEM encoded certificate
+     */
+    public static String getPemEncodedCertificate(final X509Certificate certificate) {
+        try {
+            final StringWriter stringWriter = new StringWriter();
+            final JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter);
+            pemWriter.writeObject(certificate);
+            pemWriter.flush();
+            pemWriter.close();
+            return stringWriter.toString();
+        } catch (IOException ioEx) {
+            log.error("Error converting certificate to PEM Encoding.", ioEx);
+            throw new UnexpectedServerException(
+                    "Encountered error while converting X509 Certificate to PEM Encoding: "
+                            + ioEx.getMessage(), ioEx);
+        }
+    }
+
     /**
      * Parse public key from public data segment generated by TPM 2.0.
      * @param publicArea the public area segment to parse

diff --git a/HIRS_Provisioner.NET/hirs/Resources/ProvisionerTpm2.proto b/HIRS_Provisioner.NET/hirs/Resources/ProvisionerTpm2.proto
@@ -95,8 +95,8 @@ message CertificateRequest {
 }
 
 message CertificateResponse {
-  optional bytes certificate = 1;
+  optional string certificate = 1;
   optional ResponseStatus status = 2 [default = FAIL];
-  optional bytes ldevidCertificate = 3;
+  optional string ldevidCertificate = 3;
 }
 
diff --git a/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs b/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
@@ -297,7 +297,7 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                     tpm.GetQuote(CommandTpm.DefaultAkHandle, Tpm2Lib.TpmAlgId.Sha256, recoveredSecret, out CommandTpmQuoteResponse ctqr, selectPcrs);
                     Log.Information("----> Nonce successfully decrypted. Sending attestation certificate request");
                     CertificateRequest akCertReq = acaClient.CreateAkCertificateRequest(recoveredSecret, ctqr);
-                    byte[] certificate;
+                    string certificate;
                     Log.Debug("Communicate certificate request to the ACA.");
                     CertificateResponse cr = await acaClient.PostCertificateRequest(akCertReq);
                     Log.Debug("Response received from the ACA regarding the certificate request.");
@@ -311,34 +311,34 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                         }
                     }
                     if (cr.HasCertificate) {
-                        certificate = cr.Certificate.ToByteArray(); // contains certificate
+                        certificate = cr.Certificate.ToString(); // contains certificate
                         String certificateDirPath = settings.certificate_output_directory;
                         if (certificateDirPath != null) {
                             String certificateFilePath = FormatCertificatePath(dv, certificateDirPath, DefaultAKCertFileName);
                             try {
-                                File.WriteAllBytes(certificateFilePath, certificate);
+                                File.WriteAllText(certificateFilePath, certificate);
                                 Log.Debug("Attestation key certificate written to local file system: {0}", certificateFilePath);
                             }
                             catch (Exception) {
                                 Log.Debug("Failed to write attestation key certificate to local file system.");
                             }
                         }
-                        Log.Debug("Printing attestation key certificate: " + BitConverter.ToString(certificate));
+                        Log.Debug("Printing attestation key certificate: " + certificate);
                     }
                     if (cr.HasLdevidCertificate) {
-                        certificate = cr.LdevidCertificate.ToByteArray(); // contains certificate
+                        certificate = cr.LdevidCertificate.ToString(); // contains certificate
                         String certificateDirPath = settings.certificate_output_directory;
                         if (certificateDirPath != null) {
                             String certificateFilePath = FormatCertificatePath(dv, certificateDirPath, DefaultLDevIDCertFileName);
                             try {
-                                File.WriteAllBytes(certificateFilePath, certificate);
+                                File.WriteAllText(certificateFilePath, certificate);
                                 Log.Debug("LDevID certificate written to local file system: {0}", certificateFilePath);
                             }
                             catch (Exception) {
                                 Log.Debug("Failed to write LDevID certificate to local file system.");
                             }
                         }
-                        Log.Debug("Printing LDevID certificate: " + BitConverter.ToString(certificate));
+                        Log.Debug("Printing LDevID certificate: " + certificate);
                     }
                 } else {
                     result = ClientExitCodes.MAKE_CREDENTIAL_BLOB_MALFORMED;

diff --git a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto
@@ -95,8 +95,8 @@ message CertificateRequest {
 }
 
 message CertificateResponse {
-  optional bytes certificate = 1;
+  optional string certificate = 1;
   optional ResponseStatus status = 2 [default = FAIL];
-  optional bytes ldevidCertificate = 3;
+  optional string ldevidCertificate = 3;
 }