diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java
index 35d218645..0a2fa74bd 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureData.java
@@ -161,10 +161,10 @@ public String toString() {
 sigInfo = status;
 } else {
 if (signatureType.getVendorTableReference().equals("EFI_CERT_SHA256_GUID")) {
- sigInfo += "UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
- sigInfo += " Binary Hash = " + HexUtils.byteArrayToHexString(binaryHash) + "\n";
+ sigInfo += " UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
+ sigInfo += " Binary Hash = " + HexUtils.byteArrayToHexString(binaryHash) + "\n";
 } else {
- sigInfo += "UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
+ sigInfo += " UEFI Signature Owner = " + efiVarGuid.toString() + "\n";
 sigInfo += cert.toString();
 }
 }
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java
index 459b4443d..75bf70c96 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiSignatureList.java
@@ -47,11 +47,16 @@ public class UefiSignatureList {
 /**
 * Signature validity.
 */
- private boolean valid = true;
+ @Getter
+ private boolean signatureTypeValid = false;
+ /**
+ * Data validity.
+ */
+ private boolean dataValid = true;
 /**
- * Current status.
+ * Current status of Signature List data.
 */
- private String status = "Signature List is Valid";
+ private String dataStatus = "Signature List data validity is undetermined yet";
 /**
 * Array List of Signature found in the list.
 */
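Review bot: Only `signatureTypeValid` receives `@Getter`; `dataValid` and `dataStatus` get no accessor, so a caller such as UefiVariable can detect a bad signature-type GUID programmatically but has to scrape `toString()` output to learn that a list's entries failed validation. Unless the class carries a class-level `@Getter` outside this hunk, annotate both new fields the same way (`@Getter private boolean dataValid = true;`, `@Getter private String dataStatus = ...;`) so the two failure modes stay distinguishable to callers. The Javadoc kept above `signatureTypeValid` still reads `Signature validity.`; it should now say `Signature type (GUID) validity.` since data validity has its own field. The initial text `"Signature List data validity is undetermined yet"` is never emitted, because `toString()` only prints `dataStatus` once `dataValid` is false and by then the loops have overwritten it, so a neutral `""` avoids implying a third state.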
@@ -110,17 +115,23 @@ public class UefiSignatureList {
 lists.read(guid);
 signatureType = new UefiGuid(guid);
+ // if signatureType is invalid, don't even process any of the data
+ // however, if signatureTYpe is valid, but some of the data later on is invalid, that will
+ // be caught when UefiSignatureData is processed
 if (!isValidSigListGUID(signatureType)) {
- processSignatureData(lists);
+ //processSignatureData(lists);
+ signatureTypeValid = false;
 } else { // valid SigData Processing
- byte[] lSize = new byte[UefiConstants.SIZE_4];
+ signatureTypeValid = true;
+
+ byte[] lSize = new byte[UefiConstants.SIZE_4]; // signature list size
 lists.read(lSize);
 listSize = HexUtils.leReverseInt(lSize);
- byte[] hSize = new byte[UefiConstants.SIZE_4];
+ byte[] hSize = new byte[UefiConstants.SIZE_4]; // signature header size
 lists.read(hSize);
- byte[] sSize = new byte[UefiConstants.SIZE_4];
+ byte[] sSize = new byte[UefiConstants.SIZE_4]; // signature size
 lists.read(sSize);
 signatureSize = listSize - UefiConstants.SIZE_28;
 sigData = new byte[signatureSize];
@@ -143,8 +154,8 @@ private void processSignatureList(final byte[] efiSigData)
 while (efiSigDataIS.available() > 0) {
 UefiSignatureData tmpSigData = new UefiSignatureData(efiSigDataIS, signatureType);
 if (!tmpSigData.isValid()) {
- valid = false;
- status = tmpSigData.getStatus();
+ dataValid = false;
+ dataStatus = tmpSigData.getStatus();
 break;
 }
 sigList.add(tmpSigData);
@@ -165,8 +176,8 @@ private void processSignatureData(final ByteArrayInputStream sigDataIS)
 while (sigDataIS.available() > 0) {
 UefiSignatureData tmpigData = new UefiSignatureData(sigDataIS, signatureType);
 if (!tmpigData.isValid()) {
- valid = false;
- status = tmpigData.getStatus();
+ dataValid = false;
+ dataStatus = tmpigData.getStatus();
 break;
 }
 sigList.add(tmpigData);
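Review bot: In the new `signatureTypeValid = true` branch the buffer is still sized directly from the log bytes: `listSize` comes from `HexUtils.leReverseInt(lSize)` and `sigData = new byte[listSize - SIZE_28]` throws `NegativeArraySizeException` for a list size below 28 or `OutOfMemoryError` for a corrupt size, escaping the enclosing method (which continues outside the hunk) instead of being reported through the `dataValid`/`dataStatus` fields this commit introduces. A range check against the remaining input belongs here, sketched below on the assumption that `lists` is a `ByteArrayInputStream` as the `processSignatureData` signature suggests and that this is the constructor, so `return` exits cleanly. The commented-out `//processSignatureData(lists);` is dead code and should be deleted, and the comment above it has a typo (`signatureTYpe`). Because the invalid-GUID branch consumes nothing beyond the 16-byte GUID, a caller that keeps looping on `available()` without checking `isSignatureTypeValid()` would re-parse from a misaligned offset; UefiVariable.processSigList does break, but that contract deserves a sentence in the constructor Javadoc.
```java
            // … unchanged: signature type check and the three size reads …
            signatureSize = listSize - UefiConstants.SIZE_28;
            // listSize is read straight from the event log; never size a buffer from an
            // out-of-range value — report it through the data-validity fields instead
            if (signatureSize < 0 || signatureSize > lists.available()) {
                dataValid = false;
                dataStatus = "Signature List size " + listSize
                        + " does not fit the remaining " + lists.available() + " bytes";
                return;
            }
            sigData = new byte[signatureSize];
```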
@@ -201,15 +212,21 @@ public boolean isValidSigListGUID(final UefiGuid guid) {
 */
 public String toString() {
 StringBuilder sigInfo = new StringBuilder();
- sigInfo.append("UEFI Signature List Type = " + signatureType.toString() + "\n");
- sigInfo.append("Number if items = " + numberOfCerts + "\n");
- for (int i = 0; i < sigList.size(); i++) {
- UefiSignatureData certData = sigList.get(i);
- sigInfo.append(certData.toString());
+ if (!signatureTypeValid) {
+ sigInfo.append(" *** Unknown UEFI Signature Type encountered: " + signatureType.toString() + "\n");
 }
- if (!valid) {
- sigInfo.append("*** Invalid UEFI Signature data encountered: " + status + "\n");
+ else {
+ sigInfo.append(" UEFI Signature List Type = " + signatureType.toString() + "\n");
+ sigInfo.append(" Number if items (certs, hashes, etc) = " + numberOfCerts + "\n");
+
+ for (int i = 0; i < sigList.size(); i++) {
+ UefiSignatureData certData = sigList.get(i);
+ sigInfo.append(certData.toString());
+ }
+ if (!dataValid) {
+ sigInfo.append(" *** Invalid UEFI Signature data encountered: " + dataStatus + "\n");
+ }
 }
 return sigInfo.toString();
 }
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java
index 5600cd402..10b81d11e 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiVariable.java
@@ -38,6 +38,14 @@ public class UefiVariable {
 */
 @Getter
 private String efiVarName = "";
+ /**
+ * Encountered invalid UEFI Signature List
+ */
+ private boolean invalidSignatureListEncountered = false;
+ /**
+ * Invalid UEFI Signature List
+ */
+ private String invalidSignatureListStatus = "";
 /**
 * UEFI defined Boot Variable.
 */
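Review bot: The `else` is placed on its own line after `}` while the rest of this diff uses `} else {` (UefiSignatureData and UefiVariable context lines); keep the project style with `} else {`. The `Number if items` typo is carried into the new literal `" Number if items (certs, hashes, etc) = "`; since this is tool output, change it to `" Number of items (certs, hashes, etc) = "`. When `signatureTypeValid` is false the method prints only `signatureType`, and a reader cannot tell from the output whether sizes or entries were ever read; a comment such as `// unknown list type: the constructor read only the GUID, so there are no sizes or entries to show` would document that. `signatureType.toString()` inside string concatenation is redundant, `+ signatureType +` is enough.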
@@ -122,7 +130,7 @@ public UefiVariable(final byte[] variableData)
 }
 /**
- * Processes the data as a UEFI defined Signature List.
+ * Processes the data as a list of UEFI defined Signature Lists.
 *
 * @param data the bye array holding the Signature List.
 * @throws java.security.cert.CertificateException If there a problem
@@ -138,6 +146,12 @@ private void processSigList(final byte[] data)
 while (certData.available() > 0) {
 UefiSignatureList list;
 list = new UefiSignatureList(certData);
+// efiVariableSigListContents += list.toString();
+ if(!list.isSignatureTypeValid()) {
+ invalidSignatureListEncountered = true;
+ invalidSignatureListStatus = list.toString();
+ break;
+ }
 certSuperList.add(list);
 }
 }
@@ -150,11 +164,11 @@ private void processSigList(final byte[] data)
 public String toString() {
 StringBuilder efiVariable = new StringBuilder();
 efiVariable.append("UEFI Variable Name:" + efiVarName + "\n");
- efiVariable.append("UEFI_GUID = " + uefiVarGuid.toString() + "\n ");
+ efiVariable.append("UEFI Variable GUID = " + uefiVarGuid.toString() + "\n");
 if (efiVarName != "") {
- efiVariable.append("UEFI Variable Contents => " + "\n ");
+ efiVariable.append("UEFI Variable Contents => " + "\n");
 }
- String tmpName = efiVarName;
+ String tmpName = "";
 if (efiVarName.contains("Boot00")) {
 tmpName = "Boot00";
 } else {
@@ -165,6 +179,11 @@ public String toString() {
 case "MokList":
 efiVariable.append(printCert(uefiVariableData, 0));
 break;
+ case "PK":
+ case "KEK":
+ case "db":
+ case "dbx":
+ break;
 case "Boot00":
 efiVariable.append(bootv.toString());
 break;
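Review bot: The column-0 `// efiVariableSigListContents += list.toString();` is dead code left inside the new block and should be removed, and `if(` should be `if (` to match the surrounding style. Stopping the loop at the first unknown signature-type GUID is the right call for event-log bytes the tool does not control, but `list.toString()` is then the only record of what went wrong and the rest of `data` is silently left unparsed; the `processSigList` Javadoc (its `@throws` block is in the previous hunk) should state that processing stops at the first unknown list type and that remaining variable data is not reported. Recording the unconsumed length alongside the status, e.g. `invalidSignatureListStatus = list.toString() + certData.available() + " bytes not processed\n";`, would make the truncation visible in the output.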
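Review bot: `String tmpName = "";` changes what the `default:` case further down prints: previously a name that matched neither `Boot00` nor whatever the `else` branch (outside this hunk) assigns was still reported in the `Data not provided for UEFI variable named %s` message, whereas now `tmpName.isEmpty()` is true and the name is dropped; if the `else` branch does not set `tmpName`, keep `String tmpName = efiVarName;`. The adjacent context line `if (efiVarName != "")` compares strings by reference and only works through interning; while this block is being touched, `if (!efiVarName.isEmpty())` is the intended test. This `toString()` continues outside the hunk.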
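Review bot: The new `case "PK": case "KEK": case "db": case "dbx": break;` group carries no comment explaining why these secure-boot variables produce nothing at this point, and a reader has to discover that their contents are the signature lists emitted by the `certSuperList` loop later in `toString()`. Add `// secure boot databases: their signature lists are printed from certSuperList below` above the `break;`. The `switch` continues outside the hunk.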
@@ -177,14 +196,19 @@ public String toString() {
 default:
 if (!tmpName.isEmpty()) {
 efiVariable.append(String.format("Data not provided for "
- + "UEFI variable named %s ", tmpName));
+ + "UEFI variable named %s \n", tmpName));
 } else {
- efiVariable.append("Data not provided ");
+ efiVariable.append("Data not provided \n");
 }
 }
 for (UefiSignatureList uefiSigList : certSuperList) {
 efiVariable.append(uefiSigList.toString());
 }
+ if(invalidSignatureListEncountered) {
+ efiVariable.append(invalidSignatureListStatus);
+ efiVariable.append("*** Encountered invalid Signature Type - "
+ + "Stopped processing of this event data\n");
+ }
 return efiVariable.toString();
 }
diff --git a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiX509Cert.java b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiX509Cert.java
index 478aba90f..f8b3b13ed 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiX509Cert.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiX509Cert.java
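Review bot: `if(invalidSignatureListEncountered) {` should be `if (` to match the rest of the file. The two `Data not provided` literals keep a trailing space before the newline (`"%s \n"`, `"Data not provided \n"`), which makes line-based comparison of tool output across runs fragile; drop the space. The trailer `"*** Encountered invalid Signature Type - Stopped processing of this event data\n"` is the only indication that later lists were skipped, so it should say how much was skipped, which is only possible if `processSigList` records the unconsumed byte count; the status it precedes already ends with `\n` (it is `UefiSignatureList.toString()`), so the append order itself is fine. This `toString()` begins outside the hunk.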
@@ -80,14 +80,14 @@ public String getSHA1FingerPrint() {
 public String toString() {
 X509Certificate x509Cert = (X509Certificate) cert;
 String certData = "";
- certData += " Certificate Serial Number = "
+ certData += " Certificate Serial Number = "
 + x509Cert.getSerialNumber().toString(UefiConstants.SIZE_16) + "\n";
- certData += " Subject DN = " + x509Cert.getSubjectX500Principal().getName() + "\n";
- certData += " Issuer DN = " + x509Cert.getIssuerX500Principal().getName() + "\n";
- certData += " Not Before Date = " + x509Cert.getNotBefore() + "\n";
- certData += " Not After Date = " + x509Cert.getNotAfter() + "\n";
- certData += " Signature Algorithm = " + x509Cert.getSigAlgName() + "\n";
- certData += " SHA1 Fingerprint = " + getSHA1FingerPrint() + "\n";
+ certData += " Subject DN = " + x509Cert.getSubjectX500Principal().getName() + "\n";
+ certData += " Issuer DN = " + x509Cert.getIssuerX500Principal().getName() + "\n";
+ certData += " Not Before Date = " + x509Cert.getNotBefore() + "\n";
+ certData += " Not After Date = " + x509Cert.getNotAfter() + "\n";
+ certData += " Signature Algorithm = " + x509Cert.getSigAlgName() + "\n";
+ certData += " SHA1 Fingerprint = " + getSHA1FingerPrint() + "\n";
 return certData;
 }
 }
diff --git a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java
index 31cc2cfef..6d41143a3 100644
--- a/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java
+++ b/tools/tcg_eventlog_tool/src/main/java/hirs/tcg_eventlog/Main.java
@@ -11,6 +11,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+
 import hirs.utils.tpm.eventlog.TCGEventLog;
 import hirs.utils.tpm.eventlog.TpmPcrEvent;
 import hirs.utils.HexUtils;
@@ -50,7 +51,7 @@ public static void main(final String[] args) {
 try {
 outputStream = new FileOutputStream(commander.getOutputFileName());
 System.out.print("Writing to output file: " + commander.getOutputFileName()
- + "\n");
+ + "\n");
 } catch (Exception e) {
 System.out.print("Error opening output file" + commander.getOutputFileName() + "\nError was " + e.getMessage());
@@ -217,7 +218,7 @@ private static void writeOut(final String data) {
 }
 } catch (IOException e) {
 System.out.print("Error writing to output file: " + commander.getOutputFileName()
- + "\n error was: " + e.toString() + "\n");
+ + "\n error was: " + e.toString() + "\n");
 e.printStackTrace();
 }
 }
@@ -248,7 +249,7 @@ public static String compareLogs(final String logFileName1, final String logFile
 eventLog2.getEventList(), commander.getPcrNumber());
 if (errors.isEmpty() && !bHexFlag) {
 sb.append("\nEvent Log " + logFileName1 + " MATCHED EventLog " + logFileName2
- + "\n");
+ + "\n");
 } else {
 if (!errors.isEmpty() && !bHexFlag) {
 sb.append("\nEvent Log " + logFileName1
@@ -333,6 +334,7 @@ private static boolean digestMatch(final Collection eventLog,
 }
 return matchFound;
 }
+
 /**
 * Diagnostic method for detecting flag settings.
 */