IntelHostTrustPolicyFactory.java

/*
 * Copyright (C) 2013 Intel Corporation
 * All rights reserved.
 */
package com.intel.mtwilson.policy.impl.vendor;

import com.intel.mtwilson.as.data.MwAssetTagCertificate;
import com.intel.mtwilson.policy.impl.JpaPolicyReader;
import com.intel.mtwilson.as.data.TblHosts;
import com.intel.dcsg.cpg.x509.X509Util;
import com.intel.mtwilson.model.Bios;
import com.intel.mtwilson.model.Vmm;
import com.intel.mtwilson.policy.Rule;
import com.intel.mtwilson.policy.impl.TrustMarker;
import com.intel.mtwilson.policy.impl.VendorHostTrustPolicyFactory;
import com.intel.mtwilson.policy.rule.AikCertificateTrusted;
import com.intel.mtwilson.util.ResourceFinder;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.commons.io.IOUtils;

/**
 * Needs to create a policy to check AIK Certificate is signed by trusted Privacy CA
 * @author jbuhacoff
 */
public class IntelHostTrustPolicyFactory implements VendorHostTrustPolicyFactory {
    private static final org.slf4j.Logger log = org.slf4j.LoggerFactory.getLogger(IntelHostTrustPolicyFactory.class);
    private X509Certificate[] cacerts = null;
    private JpaPolicyReader reader;
    public IntelHostTrustPolicyFactory(JpaPolicyReader util) {
        this.reader = util;
    }

    @Override
    public Set<Rule> loadTrustRulesForBios(Bios bios, TblHosts host) {
        if( cacerts == null ) {
            cacerts = loadTrustedAikCertificateAuthorities();
        }
        HashSet<Rule> rules = new HashSet<>();
        AikCertificateTrusted aikcert = new AikCertificateTrusted(cacerts);
        aikcert.setMarkers(TrustMarker.BIOS.name());
        rules.add(aikcert);
        Set<Rule> pcrConstantRules = reader.loadPcrMatchesConstantRulesForBios(bios, host);
        rules.addAll(pcrConstantRules);
        return rules;
    }

    @Override
    public Set<Rule> loadTrustRulesForVmm(Vmm vmm, TblHosts host) {
        if( cacerts == null ) {
            cacerts = loadTrustedAikCertificateAuthorities();
        }
        HashSet<Rule> rules = new HashSet<>();
        AikCertificateTrusted aikcert = new AikCertificateTrusted(cacerts);
        aikcert.setMarkers(TrustMarker.VMM.name());
        rules.add(aikcert);
        // first, load the list of pcr's marked for this host's vmm mle 
        Set<Rule> pcrConstantRules = reader.loadPcrMatchesConstantRulesForVmm(vmm, host);
        rules.addAll(pcrConstantRules);

        // Next we need to add all the modules
        if( host.getVmmMleId().getRequiredManifestList().contains("19") ) {
            Set<Rule> pcrEventLogRules = reader.loadPcrEventLogIncludesRuleForVmm(vmm, host);
            rules.addAll(pcrEventLogRules);
        }
        return rules;    
    }

    // Since the open source tBoot does not support PCR 22, we will not support it here.
    @Override
    public Set<Rule> loadTrustRulesForLocation(String location, TblHosts host) {
        throw new UnsupportedOperationException("Not supported yet.");
    }

    @Override
    public Set<Rule> loadComparisonRulesForVmm(Vmm vmm, TblHosts host) {
        HashSet<Rule> rules = new HashSet<>();
        // first, load the list of pcr's marked for this host's vmm mle 
        Set<Rule> pcrConstantRules = reader.loadPcrMatchesConstantRulesForVmm(vmm, host);
        rules.addAll(pcrConstantRules);

        // Next we need to add all the modules
        if( host.getVmmMleId().getRequiredManifestList().contains("19") ) {
            Set<Rule> pcrEventLogRules = reader.loadPcrEventLogIncludesRuleForVmm(vmm, host);
            rules.addAll(pcrEventLogRules);
        }
        return rules;    
    }

    private X509Certificate[] loadTrustedAikCertificateAuthorities() {
        HashSet<X509Certificate> pcaList = new HashSet<>();
        try (InputStream privacyCaIn = new FileInputStream(ResourceFinder.getFile("PrivacyCA.list.pem"))) {
            List<X509Certificate> privacyCaCerts = X509Util.decodePemCertificates(IOUtils.toString(privacyCaIn));
            pcaList.addAll(privacyCaCerts);
            //IOUtils.closeQuietly(privacyCaIn);
            log.debug("Added {} certificates from PrivacyCA.list.pem", privacyCaCerts.size());
        } catch(Exception ex) {
            log.warn("Cannot load PrivacyCA.list.pem", ex);            
        }
        
        try (InputStream privacyCaIn = new FileInputStream(ResourceFinder.getFile("PrivacyCA.pem"))) {
            X509Certificate privacyCaCert = X509Util.decodeDerCertificate(IOUtils.toByteArray(privacyCaIn));
            pcaList.add(privacyCaCert);
            //IOUtils.closeQuietly(privacyCaIn);
            log.debug("Added certificate from PrivacyCA.pem");
        } catch(Exception ex) {
            log.warn("Cannot load PrivacyCA.pem", ex);            
        }
        X509Certificate[] cas = pcaList.toArray(new X509Certificate[0]);
        return cas;
    }
    
    @Override
    public Set<Rule> loadTrustRulesForAssetTag(MwAssetTagCertificate atagCert, TblHosts host) {
        return reader.loadPcrMatchesConstantRulesForAssetTag(atagCert, host);
    }

}