Modify log messages so that validation failures from certs in the keystore that are not actually in the chain do not raise undue attention

2024-12-19 04:58:00 +00:00 · 2021-11-17 10:15:31 -05:00 · 2021-11-17 10:15:31 -05:00 · 1eca360a4d
commit 1eca360a4d
parent 23a086c925
2 changed files with 11 additions and 8 deletions
--- a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java
@ -197,6 +197,9 @@ public final class PCRPolicy extends Policy {
            String calculatedString = Hex.encodeHexString(
                    pcrInfoShort.getCalculatedDigest());
            validated = quoteString.contains(calculatedString);
+            if (!validated) {
+                LOGGER.warn(calculatedString + " not found in " + quoteString);
+            }
        } catch (NoSuchAlgorithmException naEx) {
            LOGGER.error(naEx);
        }
--- a/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
+++ b/HIRS_Utils/src/main/java/hirs/validation/SupplyChainCredentialValidator.java
@ -91,7 +91,7 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
            "Platform credential attributes validated";

    /**
-     * AppraisalStatus message for a valid platform credential appraisal.
+     * AppraisalStatus message for a valid firmware appraisal.
     */
    public static final String FIRMWARE_VALID = "Firmware validated";

@ -1630,15 +1630,15 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
            cert.verify(signingCert.getPublicKey(), BouncyCastleProvider.PROVIDER_NAME);
            return true;
        } catch (InvalidKeyException e) {
-            LOGGER.warn("Incorrect key given to validate this cert's signature");
+            LOGGER.info("Incorrect key given to validate this cert's signature");
        } catch (CertificateException e) {
-            LOGGER.warn("Encoding error while validating this cert's signature");
+            LOGGER.info("Encoding error while validating this cert's signature");
        } catch (NoSuchAlgorithmException e) {
-            LOGGER.warn("Unsupported signature algorithm found during validation");
+            LOGGER.info("Unsupported signature algorithm found during validation");
        } catch (NoSuchProviderException e) {
-            LOGGER.warn("Incorrect provider for cert signature validation");
+            LOGGER.info("Incorrect provider for cert signature validation");
        } catch (SignatureException e) {
-            LOGGER.warn(String.format("%s.verify(%s)", cert.getSubjectDN(),
+            LOGGER.info(String.format("%s.verify(%s)", cert.getSubjectDN(),
                    signingCert.getSubjectDN()));
        }
        return false;
@ -1685,8 +1685,8 @@ public final class SupplyChainCredentialValidator implements CredentialValidator
                    new JcaContentVerifierProviderBuilder().setProvider("BC").build(signingKey);
            return cert.isSignatureValid(contentVerifierProvider);
        } catch (OperatorCreationException | CertException e) {
-            LOGGER.error("Exception thrown while verifying certificate", e);
-            LOGGER.error(String.format("%s.isSignatureValid(%s)", cert.getSerialNumber(),
+            LOGGER.info("Exception thrown while verifying certificate", e);
+            LOGGER.info(String.format("%s.isSignatureValid(%s)", cert.getSerialNumber(),
                    signingKey.getFormat()));
            return false;
        }