diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceDigestValueRepository.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceDigestValueRepository.java index 0cdda1b0..87632ce1 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceDigestValueRepository.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceDigestValueRepository.java @@ -13,12 +13,11 @@ public interface ReferenceDigestValueRepository extends JpaRepository<ReferenceD @Query(value = "SELECT * FROM ReferenceDigestValue", nativeQuery = true) List<ReferenceDigestValue> listAll(); - @Query(value = "SELECT * FROM ReferenceDigestValue WHERE model = ?1", nativeQuery = true) - List<ReferenceDigestValue> listByModel(String model); - @Query(value = "SELECT * FROM ReferenceDigestValue WHERE manufacturer = ?1", nativeQuery = true) - List<ReferenceDigestValue> listByManufacturer(String manufacturer); + List<ReferenceDigestValue> findByModel(String model); + List<ReferenceDigestValue> findByManufacturer(String manufacturer); @Query(value = "SELECT * FROM ReferenceDigestValue WHERE baseRimId = '?1' OR supportRimId = '?1'", nativeQuery = true) List<ReferenceDigestValue> getValuesByRimId(UUID associatedRimId); @Query(value = "SELECT * FROM ReferenceDigestValue WHERE supportRimId = '?1'", nativeQuery = true) - List<ReferenceDigestValue> getValuesBySupportRimId(UUID supportRimId); + List<ReferenceDigestValue> findBySupportRimId(UUID supportRimId); + List<ReferenceDigestValue> findBySupportRimHash(String supportRimHash); } diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceManifestRepository.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceManifestRepository.java index 136d9b83..80782394 100644 
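Review bot: The context line `@Query(value = "SELECT * FROM ReferenceDigestValue WHERE supportRimId = '?1'", nativeQuery = true)` sits directly above the renamed `findBySupportRimId`, so the annotation now applies to the new method and Spring Data ignores the derived-query name; because `'?1'` is quoted it is a string literal rather than a bound parameter, so the query compares `supportRimId` to the text `?1` and returns nothing. Delete that `@Query` line so the method really is derived from `supportRimId`, which is what the callers in both portal controllers now rely on. The unchanged `getValuesByRimId` query carries the same quoted placeholders; it predates this change but looks unused once the callers moved to `findBySupportRimId`.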
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceManifestRepository.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/ReferenceManifestRepository.java @@ -14,14 +14,12 @@ import java.util.UUID; @Repository public interface ReferenceManifestRepository extends JpaRepository<ReferenceManifest, UUID> { - @Query(value = "SELECT * FROM ReferenceManifest WHERE hexDecHash = ?1", nativeQuery = true) - ReferenceManifest findByHash(String rimHash); - @Query(value = "SELECT * FROM ReferenceManifest WHERE hexDecHash = ?1 AND rimType = ?2", nativeQuery = true) - ReferenceManifest findByHash(String rimHash, String rimType); + ReferenceManifest findByHexDecHash(String hexDecHash); + ReferenceManifest findByHexDecHashAndRimType(String hexDecHash, String rimType); @Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND platformModel = ?2 AND rimType = 'Base'", nativeQuery = true) List<BaseReferenceManifest> getBaseByManufacturerModel(String manufacturer, String model); @Query(value = "SELECT * FROM ReferenceManifest WHERE platformManufacturer = ?1 AND DTYPE = ?2", nativeQuery = true) - List<ReferenceManifest> getByManufacturer(String manufacturer, String dType); + ReferenceManifest getByManufacturer(String manufacturer, String dType); @Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 AND DTYPE = ?2", nativeQuery = true) ReferenceManifest getByModel(String model, String dType); @Query(value = "SELECT * FROM ReferenceManifest WHERE DTYPE = 'BaseReferenceManifest'", nativeQuery = true) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java index b3987b29..4d400121 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java 
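Review bot: `getByManifacturer` is narrowed to a single `ReferenceManifest` while its native query still filters on `platformManufacturer` and `DTYPE` alone, so as soon as two support RIMs exist for one manufacturer Spring Data raises `IncorrectResultSizeDataAccessException` at the caller in ReferenceManifestDetailsPageController (the `(SupportReferenceManifest)` cast there). Keep `List<ReferenceManifest> getByManufacturer(String manufacturer, String dType);` and select the matching RIM in the caller, or add a discriminating predicate to the query. `findByHexDecHash(String hexDecHash)` has the same single-result risk: the details controller looks up an `EventLogMeasurements` record under the support RIM's `hexDecHash`, which suggests a hash alone is not unique across RIM types, so prefer `findByHexDecHashAndRimType` or a list return.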
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/EventLogMeasurements.java
@@ -3,8 +3,6 @@ package hirs.attestationca.persist.entity.userdefined.rim;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import hirs.attestationca.persist.entity.userdefined.ReferenceManifest;
 import hirs.attestationca.persist.enums.AppraisalStatus;
-import hirs.attestationca.persist.service.ReferenceManifestServiceImpl;
-import hirs.attestationca.persist.service.selector.ReferenceManifestSelector;
 import hirs.utils.tpm.eventlog.TCGEventLog;
 import hirs.utils.tpm.eventlog.TpmPcrEvent;
 import jakarta.persistence.Column;
@@ -41,66 +39,6 @@ public class EventLogMeasurements extends ReferenceManifest { @Getter @Setter private AppraisalStatus.Status overallValidationResult = AppraisalStatus.Status.FAIL; - /** - * This class enables the retrieval of SupportReferenceManifest by their attributes. - */ - public static class Selector extends ReferenceManifestSelector<EventLogMeasurements> { - /** - * Construct a new ReferenceManifestSelector that - * will use the given (@link ReferenceManifestService} - * to retrieve one or may SupportReferenceManifest. - * - * @param referenceManifestManager the reference manifest manager to be used to retrieve - * reference manifests. - */ - public Selector(final ReferenceManifestServiceImpl referenceManifestManager) { - super(referenceManifestManager, EventLogMeasurements.class, false); - } - - /** - * Specify the platform manufacturer that rims must have to be considered - * as matching. - * @param manufacturer string for the manufacturer - * @return this instance - */ - public Selector byManufacturer(final String manufacturer) { - setFieldValue(PLATFORM_MANUFACTURER, manufacturer); - return this; - } - - /** - * Specify the platform model that rims must have to be considered - * as matching. - * @param model string for the model - * @return this instance - */ - public Selector byModel(final String model) { - setFieldValue(PLATFORM_MODEL, model); - return this; - } - - /** - * Specify the device name that rims must have to be considered - * as matching. - * @param deviceName string for the deviceName - * @return this instance - */ - public Selector byDeviceName(final String deviceName) { - setFieldValue("deviceName", deviceName); - return this; - } - - /** - * Specify the RIM hash associated with the Event Log. 
- * @param hexDecHash the hash of the file associated with the rim - * @return this instance - */ - public Selector byHexDecHash(final String hexDecHash) { - setFieldValue(HEX_DEC_HASH_FIELD, hexDecHash); - return this; - } - } - /** * Support constructor for the RIM object. * @@ -135,17 +73,6 @@ public class EventLogMeasurements extends ReferenceManifest { this.pcrHash = 0; } - /** - * Get a Selector for use in retrieving ReferenceManifest. - * - * @param rimMan the ReferenceManifestService to be used to retrieve - * persisted RIMs - * @return a Selector instance to use for retrieving RIMs - */ - public static Selector select(final ReferenceManifestServiceImpl rimMan) { - return new Selector(rimMan); - } - /** * Getter method for the expected PCR values contained within the support * RIM. diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/ReferenceDigestValue.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/ReferenceDigestValue.java index 3d1129d7..be8106ef 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/ReferenceDigestValue.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/rim/ReferenceDigestValue.java @@ -1,6 +1,6 @@ package hirs.attestationca.persist.entity.userdefined.rim; -import hirs.attestationca.persist.entity.ArchivableEntity; +import hirs.attestationca.persist.entity.AbstractEntity; import jakarta.persistence.Access; import jakarta.persistence.AccessType; import jakarta.persistence.Column; @@ -26,7 +26,7 @@ import java.util.UUID; @EqualsAndHashCode(callSuper=false) @Table(name = "ReferenceDigestValue") @Access(AccessType.FIELD) -public class ReferenceDigestValue extends ArchivableEntity { +public class ReferenceDigestValue extends AbstractEntity { @JdbcTypeCode(java.sql.Types.VARCHAR) @Column 
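Review bot: Changing the superclass of `ReferenceDigestValue` from `ArchivableEntity` to `AbstractEntity` silently changes its persistence shape: whatever columns and behaviour `ArchivableEntity` contributed (archive state, presumably) drop out of the mapping, and with `spring.jpa.hibernate.ddl-auto=update` in this same change the old columns stay in the table unmapped. If the intent is that digest values are hard-deleted with their RIM rather than archived, as the delete loop in ReferenceManifestPageController suggests, say so on the class, e.g. `// Digest values are deleted together with their RIM rather than archived, hence AbstractEntity.` That one line spares the next reader from reconstructing the reason from git history.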
@@ -43,6 +43,8 @@ public class ReferenceDigestValue extends ArchivableEntity { @Column(nullable = false) private String digestValue; @Column(nullable = false) + private String supportRimHash; + @Column(nullable = false) private String eventType; @Column(columnDefinition = "blob", nullable = true) private byte[] contentBlob; @@ -64,6 +66,7 @@ public class ReferenceDigestValue extends ArchivableEntity { this.model = ""; this.pcrIndex = -1; this.digestValue = ""; + this.supportRimHash = ""; this.eventType = ""; this.matchFail = false; this.patched = false; @@ -79,6 +82,7 @@ public class ReferenceDigestValue extends ArchivableEntity { * @param model the specific device type * @param pcrIndex the event number * @param digestValue the key digest value + * @param supportRimHash the support file's hash value * @param eventType the event type to store * @param matchFail the status of the baseline check * @param patched the status of the value being updated to patch @@ -88,6 +92,7 @@ public class ReferenceDigestValue extends ArchivableEntity { public ReferenceDigestValue(final UUID baseRimId, final UUID supportRimId, final String manufacturer, final String model, final int pcrIndex, final String digestValue, + final String supportRimHash, final String eventType, final boolean matchFail, final boolean patched, final boolean updated, final byte[] contentBlob) { @@ -97,6 +102,7 @@ public class ReferenceDigestValue extends ArchivableEntity { this.model = model; this.pcrIndex = pcrIndex; this.digestValue = digestValue; + this.supportRimHash = supportRimHash; this.eventType = eventType; this.matchFail = matchFail; this.patched = patched; diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle index 0221c25e..49746e8c 100644 --- a/HIRS_AttestationCAPortal/build.gradle +++ b/HIRS_AttestationCAPortal/build.gradle 
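Review bot: `supportRimHash` is declared `@Column(nullable = false)`, but the entity is evolved in place through `spring.jpa.hibernate.ddl-auto=update` (application.properties in this change), so rows already in `ReferenceDigestValue` receive whatever the database assigns to the new NOT NULL column, likely an empty string, rather than their support RIM's hash. Those rows will never match `findBySupportRimHash`, so deleting their RIM in ReferenceManifestPageController leaves them behind. Either backfill the column from the `supportRimId` to `ReferenceManifest.hexDecHash` relation in a migration, or at least document the field with `// hexDecHash of the support RIM that produced this value; rows created before this column existed need a backfill`. The constructor hunk also accepts a null `supportRimHash` that only fails later at persist; `Objects.requireNonNull(supportRimHash, "supportRimHash")` would surface it at the call site.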
@@ -60,13 +60,13 @@ dependencies { testImplementation libs.testng } -//war { -// from(buildDir) { -// include 'VERSION' -// into 'WEB-INF/classes' -// } -// archiveFileName = 'HIRS_AttestationCAPortal.war' -//} +war { + from(buildDir) { + include 'VERSION' + into 'WEB-INF/classes' + } + archiveFileName = 'HIRS_AttestationCAPortal.war' +} ospackage { packageName = 'HIRS_AttestationCA' diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index 901c53c0..37bf6ac3 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java @@ -29,7 +29,6 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.servlet.ModelAndView; import java.io.IOException; -import java.nio.charset.StandardCharsets; import java.security.KeyStore; import java.security.NoSuchAlgorithmException; import java.security.cert.CertificateException; @@ -234,8 +233,8 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer data.put("pcUriLocal", baseRim.getPcURILocal()); data.put("rimLinkHash", baseRim.getRimLinkHash()); if (baseRim.getRimLinkHash() != null) { - ReferenceManifest rim = referenceManifestRepository.findByHash(baseRim.getRimLinkHash(), - "BaseReferenceManifest"); + ReferenceManifest rim = referenceManifestRepository.findByHexDecHashAndRimType( + baseRim.getRimLinkHash(), ReferenceManifest.BASE_RIM); if (rim != null) { data.put("rimLinkId", rim.getId()); data.put("linkHashValid", true); 
@@ -247,27 +246,12 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer List<SwidResource> resources = baseRim.getFileResources(); TCGEventLog logProcessor = null; - List<ReferenceManifest> subManifests; SupportReferenceManifest support = null; if (baseRim.getAssociatedRim() == null) { - /** - * Need to have parsing implemented - */ -// referenceManifestRepository.findByHash("hexDecHash", "Support"); - subManifests = referenceManifestRepository + support = (SupportReferenceManifest) referenceManifestRepository .getByManufacturer(baseRim.getPlatformManufacturer(), "SupportReferenceManifest"); - String fileString = new String(baseRim.getRimBytes(), StandardCharsets.UTF_8); - - for (ReferenceManifest rim : subManifests) { - if (rim instanceof SupportReferenceManifest) { - support = (SupportReferenceManifest) rim; - if (fileString.contains(rim.getHexDecHash())) { - break; - } - } - } if (support != null) { baseRim.setAssociatedRim(support.getId()); } @@ -314,8 +298,8 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer data.replace("signatureValid", true); break; } - } catch (SupplyChainValidatorException scvEx) { - log.warn("Error verifying cert chain: " + scvEx.getMessage()); + } catch (SupplyChainValidatorException e) { + log.error("Error verifying cert chain: " + e.getMessage()); } } } @@ -329,8 +313,6 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer } } catch (NullPointerException e) { log.error("Unable to link signing certificate: " + e.getMessage()); - } catch (Exception ex) { - log.warn(ex.getMessage()); } return data; } 
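Review bot: `support = (SupportReferenceManifest) referenceManifestRepository.getByManufacturer(baseRim.getPlatformManufacturer(), "SupportReferenceManifest")` binds a base RIM to whichever support RIM shares its manufacturer, dropping the check the removed loop performed (`fileString.contains(rim.getHexDecHash())`) that the support RIM's hash is actually referenced by the base RIM; since the result is persisted via `baseRim.setAssociatedRim(support.getId())`, a base RIM can end up associated with an unrelated support RIM and everything that reads `associatedRim` will treat it as the linked one. The `resources` list (`baseRim.getFileResources()`) declared two lines above is the right anchor: resolve each resource's recorded hash with `findByHexDecHashAndRimType(hash, <support type>)` and only associate on a match. Also use the RIM-type constant the other hunks use (`ReferenceManifest.BASE_RIM`, `ReferenceManifest.MEASUREMENT_RIM`, and the support-type counterpart if one exists) instead of the literal `"SupportReferenceManifest"`, and note the single-result return of `getByManufacturer` raised on the repository hunk. The enclosing method starts and ends outside the hunk.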
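Review bot: `log.error("Error verifying cert chain: " + e.getMessage())` discards the stack trace and cause chain, which is exactly what is needed when certificate-chain validation of a RIM signature fails. Pass the exception as the last argument, `log.error("Error verifying cert chain", e);`; the unchanged `log.error("Unable to link signing certificate: " + e.getMessage())` in the next hunk has the same problem. Catching `NullPointerException` there is pre-existing, but a null check on the signing certificate would replace it more honestly than the catch. The enclosing method starts and ends outside the hunk.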
@@ -373,8 +355,8 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer // testing this independent of the above if statement because the above // starts off checking if associated rim is null; that is irrelevant for // this statement. - measurements = (EventLogMeasurements) referenceManifestRepository.findByHash(support.getHexDecHash(), - "EventLogMeasurements"); + measurements = (EventLogMeasurements) referenceManifestRepository.findByHexDecHashAndRimType(support.getHexDecHash(), + ReferenceManifest.MEASUREMENT_RIM); if (support.isSwidPatch()) { data.put("swidPatch", "True"); @@ -525,7 +507,7 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer data.put("validationResult", measurements.getOverallValidationResult()); data.put("swidBase", true); - List<ReferenceDigestValue> eventValues = new ArrayList<>(); + List<ReferenceDigestValue> eventValues = new LinkedList<>(); if (measurements.getDeviceName() != null) { supports.addAll(referenceManifestRepository.byDeviceName(measurements .getDeviceName())); @@ -545,7 +527,7 @@ public class ReferenceManifestDetailsPageController extends PageController<Refer data.put("associatedRim", base.getId()); } - eventValues.addAll(referenceDigestValueRepository.getValuesByRimId(base.getId())); + eventValues.addAll(referenceDigestValueRepository.findBySupportRimId(baseSupport.getId())); } } diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java index 749bff73..72b5594f 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java 
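Review bot: `eventValues` switches from `new ArrayList<>()` to `new LinkedList<>()`, but this file's only import hunk removes `StandardCharsets` and adds nothing, so unless `java.util.LinkedList` was already imported the file no longer compiles; the list is only filled with `addAll` and read sequentially, where `ArrayList` is also the better choice. Keep `List<ReferenceDigestValue> eventValues = new ArrayList<>();` (the delete handler in ReferenceManifestPageController makes the same switch). In the following hunk `findBySupportRimId(baseSupport.getId())` replaces a lookup on `base.getId()`, yet `baseSupport` is declared nowhere in the visible hunk; confirm it is in scope and cannot be null at that point. The enclosing method starts outside the hunk.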
@@ -221,26 +221,25 @@ public class ReferenceManifestPageController extends PageController<NoPageParams try { ReferenceManifest referenceManifest = getRimFromDb(id); + List<ReferenceDigestValue> values = new LinkedList<>(); if (referenceManifest == null) { String notFoundMessage = "Unable to locate RIM with ID: " + id; messages.addError(notFoundMessage); log.warn(notFoundMessage); } else { + // if support rim, update associated events + values = referenceDigestValueRepository.findBySupportRimHash( + referenceManifest.getHexDecHash()); + + for (ReferenceDigestValue value : values) { + referenceDigestValueRepository.delete(value); + } + referenceManifestRepository.delete(referenceManifest); String deleteCompletedMessage = "RIM successfully deleted"; messages.addInfo(deleteCompletedMessage); log.info(deleteCompletedMessage); - - // if support rim, update associated events - if (referenceManifest instanceof SupportReferenceManifest) { - List<ReferenceDigestValue> values = referenceDigestValueRepository - .getValuesByRimId(referenceManifest.getId()); - - for (ReferenceDigestValue value : values) { - referenceDigestValueRepository.delete(value); - } - } } } catch (IllegalArgumentException iaEx) { String uuidError = "Failed to parse ID from: " + id; @@ -396,6 +395,8 @@ public class ReferenceManifestPageController extends PageController<NoPageParams byte[] fileBytes = new byte[0]; String fileName = file.getOriginalFilename(); + BaseReferenceManifest baseRim; + SupportReferenceManifest supportRim; // build the manifest from the uploaded bytes try { 
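Review bot: `List<ReferenceDigestValue> values = new LinkedList<>();` is dead initialisation, since `values` is unconditionally reassigned in the else branch and never read in the if branch; declare it where it is assigned and prefer `referenceDigestValueRepository.deleteAll(values);` over the per-element loop. The retained comment `// if support rim, update associated events` described the removed `instanceof SupportReferenceManifest` guard; the lookup now runs for every RIM type and deletes rather than updates, so reword it to `// remove the digest values recorded against this RIM's hash before deleting the RIM`. Whether the two deletes share a transaction is not visible here; if they do not, a failure in `referenceManifestRepository.delete` leaves a RIM without its digest values.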
@@ -409,9 +410,18 @@ public class ReferenceManifestPageController extends PageController<NoPageParams try { if (supportRIM) { - supportRims.add(new SupportReferenceManifest(fileName, fileBytes)); + supportRim = new SupportReferenceManifest(fileName, fileBytes); + if (referenceManifestRepository.findByHexDecHashAndRimType(supportRim.getHexDecHash(), + supportRim.getRimType()) == null) { + supportRims.add(supportRim); + messages.addInfo("Saved Reference Manifest " + fileName); + } } else { - baseRims.add(new BaseReferenceManifest(fileName, fileBytes)); + baseRim = new BaseReferenceManifest(fileName, fileBytes); + if (referenceManifestRepository.findByHexDecHashAndRimType(baseRim.getHexDecHash(), + baseRim.getRimType()) == null) { + baseRims.add(baseRim); + } } } catch (IOException ioEx) { final String failMessage @@ -489,7 +499,7 @@ public class ReferenceManifestPageController extends PageController<NoPageParams // So first we'll have to pull values based on support rim // get by support rim id NEXT if (dbSupport.getPlatformManufacturer() != null) { - tpmEvents = referenceDigestValueRepository.getValuesBySupportRimId(dbSupport.getAssociatedRim()); + tpmEvents = referenceDigestValueRepository.findBySupportRimId(dbSupport.getId()); baseRim = findBaseRim(dbSupport); if (tpmEvents.isEmpty()) { try { @@ -498,8 +508,9 @@ public class ReferenceManifestPageController extends PageController<NoPageParams newRdv = new ReferenceDigestValue(baseRim.getId(), dbSupport.getId(), dbSupport.getPlatformManufacturer(), dbSupport.getPlatformModel(), tpe.getPcrIndex(), - tpe.getEventDigestStr(), tpe.getEventTypeStr(), - false, false, true, tpe.getEventContent()); + tpe.getEventDigestStr(), dbSupport.getHexDecHash(), + tpe.getEventTypeStr(),false, false, + true, tpe.getEventContent()); this.referenceDigestValueRepository.save(newRdv); } 
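Review bot: When `findByHexDecHashAndRimType(...)` finds an existing RIM the new branches skip the upload silently, since nothing is added to `messages`, so the user cannot tell a de-duplicated file from a processed one; the two arms are also asymmetric, as only the support arm emits `"Saved Reference Manifest " + fileName`, and it does so when the RIM is merely queued in `supportRims`, presumably before any save. Add an else branch to both arms, e.g. `messages.addInfo("Reference Manifest " + fileName + " already exists and was not re-imported");`, and emit the saved message where the repository save actually happens. The enclosing method continues outside the hunk.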
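Review bot: `tpe.getEventTypeStr(),false, false,` is missing the space after the comma that the rest of the argument list uses; write `tpe.getEventTypeStr(), false, false,`. The argument order otherwise matches the new `ReferenceDigestValue` constructor (supportRimHash before eventType), and passing `dbSupport.getHexDecHash()` is consistent with the `findBySupportRimHash` lookup used on delete. The enclosing loop starts outside the hunk.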
diff --git a/HIRS_AttestationCAPortal/src/main/resources/application.properties b/HIRS_AttestationCAPortal/src/main/resources/application.properties
index c1ffcf6a..8cdec2dc 100644
--- a/HIRS_AttestationCAPortal/src/main/resources/application.properties
+++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties
@@ -3,30 +3,33 @@ #spring.mvc.view.prefix=/WEB-INF/jsp/ #spring.mvc.view.suffix=.jsp +# Logging Config (tomcat may have further config) logging.level.org.springframework=INFO logging.level.org.apache.catalina=DEBUG + +# Database Config spring.jpa.hibernate.ddl-auto=update spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false spring.datasource.username=hirs_db -spring.datasource.password=hirs_db jakarta.persistence.sharedCache.mode = UNSPECIFIED - spring.datasource.driver-class-name=org.mariadb.jdbc.Driver #spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver #spring.datasource.driverClassName=com.mysql.cj.jdbc.Driver -server.tomcat.accesslog.enabled=true -server.tomcat.accesslog.directory=logs -server.tomcat.accesslog.file-date-format=yyyy-MM-dd -server.tomcat.accesslog.prefix=access_log -server.tomcat.accesslog.suffix=.log -server.tomcat.accesslog.rotate=true - +# Tomcat Config +server.tomcat.additional-tld-skip-patterns=jakarta.persistence-api*.jar, jakarta.xml.bind-api*.jar, txw2*.jar, *commons*.jar, *annotations*.jar, *checker*.jar, *lombok*.jar, *jsr*.jar, *guava*.jar, *access*.jar, *activation*.jar, *bcprov*.jar, *bcmail*.jar, *bcutil*.jar, *bcpkix*.jar, *json*.jar server.tomcat.basedir=/opt/embeddedtomcat server.servlet.register-default-servlet=true server.servlet.context-path=/HIRS_AttestationCAPortal spring.mvc.servlet.path=/portal +server.tomcat.accesslog.enabled=true +server.tomcat.accesslog.directory=/var/log/hirs +server.tomcat.accesslog.file-date-format=yyyy-MM-dd +server.tomcat.accesslog.prefix=Tomcat_accesslog_ +server.tomcat.accesslog.suffix=.log +server.tomcat.accesslog.rotate=true + #jdbc.driverClassName = com.mysql.cj.jdbc.Driver #jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false #jdbc.username = root 
@@ -34,3 +37,6 @@ spring.mvc.servlet.path=/portal
 #entitymanager.packagesToScan: hirs.attestationca.portal.page.controllers
 #spring.jpa.hibernate.ddl-auto=update
 #spring.jpa.show-sql=true
+
+# DB dfault password.
+spring.datasource.password=hirs_db
diff --git a/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml b/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml
index 5c4aadef..bbc5413c 100644
--- a/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml
+++ b/HIRS_AttestationCAPortal/src/main/resources/log4j2-spring.xml
@@ -4,7 +4,7 @@
 <Console name="STDOUT" target="SYSTEM_OUT">
 <PatternLayout pattern="%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n"/>
 </Console>
-<RollingFile name="FILE" fileName="./logs/HIRS_AttestationCA_Portal.log"
+<RollingFile name="FILE" fileName="/var/log/hirs/HIRS_AttestationCA_Portal.log"
 filePattern="./logs/HIRS_AttestationCA_Portal.log-%d{yyyy-MM-dd}-%i.log" >
 <PatternLayout>
 <pattern>%d{yyyy-MM-dd HH:mm:ss} [%C.%M] %-5p : %m%n</pattern>
diff --git a/HIRS_Utils/build.gradle b/HIRS_Utils/build.gradle
index f9da4779..3d77e493 100644
--- a/HIRS_Utils/build.gradle
+++ b/HIRS_Utils/build.gradle
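Review bot: The re-added `spring.datasource.password=hirs_db` keeps a working database credential in a properties file that is committed to the repository and packaged into the WAR; moving it to the bottom under a comment does not change that. Prefer a placeholder resolved from the environment, `spring.datasource.password=${HIRS_DB_PASSWORD}`, with the value supplied by the installer or service unit so the shipped artefact carries no password. The new comment also has a typo: `# DB dfault password.` should read `# DB default password.`.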
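Review bot: `fileName` now points at `/var/log/hirs/HIRS_AttestationCA_Portal.log` while the unchanged `filePattern` still writes rolled files to `./logs/HIRS_AttestationCA_Portal.log-%d{yyyy-MM-dd}-%i.log`, so the active log and its rotations land in two different directories, the second depending on the process working directory. Change it to `filePattern="/var/log/hirs/HIRS_AttestationCA_Portal.log-%d{yyyy-MM-dd}-%i.log"`. `/var/log/hirs` must exist and be writable by the service account; application.properties in this change directs the Tomcat access log there as well.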
@@ -41,17 +41,14 @@ dependencies { implementation 'org.apache.logging.log4j:log4j-core:2.19.0' implementation 'org.apache.logging.log4j:log4j-api:2.19.0' implementation 'org.glassfish.jaxb:jaxb-runtime:4.0.1' - - implementation 'org.junit.jupiter:junit-jupiter-api:5.9.3' - implementation 'org.junit.jupiter:junit-jupiter-engine:5.9.3' - + + testImplementation 'org.junit.jupiter:junit-jupiter:5.9.3' + testImplementation 'org.junit.platform:junit-platform-launcher:1.9.3' + testImplementation 'org.hamcrest:hamcrest:2.2' + compileOnly libs.lombok annotationProcessor libs.lombok - //testImplementation 'org.junit.jupiter:junit-jupiter-api:5.6.0' - //testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine' - testImplementation 'org.junit.platform:junit-platform-launcher:1.9.3' - testImplementation 'org.hamcrest:hamcrest:2.2' } test { @@ -62,11 +59,11 @@ jar { duplicatesStrategy = DuplicatesStrategy.EXCLUDE manifest { attributes( - 'Class-Path': configurations.runtimeClasspath.files.collect { it.getName() }.join(' ') - ) + 'Class-Path': configurations.runtimeClasspath.files.collect { it.getName() }.join(' ') + ) } - //jar name format: [archiveBaseName]-[archiveAppendix]-[archiveVersion]-[archiveClassifier].[archiveExtension] - archiveVersion = jarVersion + //jar name format: [archiveBaseName]-[archiveAppendix]-[archiveVersion]-[archiveClassifier].[archiveExtension] + archiveVersion = jarVersion } //task generateXjcLibrary(type:Exec) { @@ -74,4 +71,4 @@ jar { // // commandLine './genXjcLibrary.sh' //} -//compileJava.dependsOn generateXjcLibrary +//compileJava.dependsOn generateXjcLibrary \ No newline at end of file diff --git a/HIRS_Utils/src/test/java/hirs/tpm/eventlog/uefi/UefiProcessingTest.java b/HIRS_Utils/src/test/java/hirs/tpm/eventlog/uefi/UefiProcessingTest.java new file mode 100644 index 00000000..183af293 --- /dev/null +++ b/HIRS_Utils/src/test/java/hirs/tpm/eventlog/uefi/UefiProcessingTest.java 
@@ -0,0 +1,171 @@ +package hirs.tpm.eventlog.uefi; + +import java.io.IOException; +import java.net.URISyntaxException; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.NoSuchAlgorithmException; +import java.security.cert.CertificateException; + +import com.eclipsesource.json.JsonObject; +import hirs.utils.JsonUtils; +import hirs.utils.tpm.eventlog.uefi.*; +import org.apache.commons.io.IOUtils; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import hirs.utils.HexUtils; + +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; + +/** + * Class for testing TCG Event Log processing of UEFI defined Data. + */ +public class UefiProcessingTest { + // Variable files collected using an Event Parsing tool + private static final String JSON_FILE = "/tcgeventlog/uefi/vendor-table.json"; + private static final String UEFI_VARIABLE_BOOT = "/tcgeventlog/uefi/EV_EFI_VARIABLE_BOOT.txt"; + private static final String UEFI_VARIABLE_BOOT_SECURE_BOOT + = "/tcgeventlog/uefi/EV_EFI_VAR_SECURE_BOOT.txt"; + private static final String UEFI_VARIABLE_BOOT_DRIVER_CONFIG_KEK + = "/tcgeventlog/uefi/EV_EFI_VARIABLE_DRIVER_CONFIG_KEK.txt"; + private static final String UEFI_GPT_EVENT = "/tcgeventlog/uefi/EV_EFI_GPT_EVENT.txt"; + private static final String UEFI_FW_BLOB = "/tcgeventlog/uefi/EFI_PLATFORM_FIRMWARE_BLOB.txt"; + private static final String UEFI_DEVICE_PATH = "/tcgeventlog/uefi/EFI_DEVICE_PATH.txt"; + + private static final Logger LOGGER + = LogManager.getLogger(UefiProcessingTest.class); + + /** + * Initializes a <code>SessionFactory</code>. + * The factory is used for an in-memory database that is used for testing. + */ + @BeforeAll + public static final void setup() { + LOGGER.debug("retrieving session factory"); + } + + /** + * Closes the <code>SessionFactory</code> from setup. 
+ */ + @AfterAll + public static final void tearDown() { + LOGGER.debug("closing session factory"); + } + + /** + * Tests the processing of UEFI Variables. + * + * @throws IOException when processing the test fails. + * @throws NoSuchAlgorithmException if non TCG Algorithm is encountered. + * @throws CertificateException if parsing issue for X509 cert is encountered. + * @throws URISyntaxException File location exception + */ + @Test + public final void testUefiVariables() throws IOException, + CertificateException, NoSuchAlgorithmException, URISyntaxException { + LOGGER.debug("Testing the parsing of UEFI Variables"); + Path jsonPath = Paths.get(this.getClass() + .getResource(JSON_FILE).toURI()); + String uefiTxt = IOUtils.toString(this.getClass().getResourceAsStream(UEFI_VARIABLE_BOOT), + "UTF-8"); + byte[] uefiVariableBytes = HexUtils.hexStringToByteArray(uefiTxt); + UefiVariable uefiVariable = new UefiVariable(uefiVariableBytes); + UefiGuid guid = uefiVariable.getUefiVarGuid(); + String varName = uefiVariable.getEfiVarName(); + JsonObject jsonObject = JsonUtils.getSpecificJsonObject(jsonPath, "VendorTable"); + String guidStr = jsonObject.getString( + guid.toStringNoLookup().toLowerCase(), "Unknown GUID reference"); + Assertions.assertEquals("EFI_Global_Variable", guidStr); + Assertions.assertEquals("BootOrder", varName); + + uefiTxt = IOUtils.toString(this.getClass() + .getResourceAsStream(UEFI_VARIABLE_BOOT_SECURE_BOOT), + "UTF-8"); + uefiVariableBytes = HexUtils.hexStringToByteArray(uefiTxt); + uefiVariable = new UefiVariable(uefiVariableBytes); + guid = uefiVariable.getUefiVarGuid(); + varName = uefiVariable.getEfiVarName(); + guidStr = jsonObject.getString( + guid.toStringNoLookup().toLowerCase(), "Unknown GUID reference"); + Assertions.assertEquals("EFI_Global_Variable", guidStr); + Assertions.assertEquals("SecureBoot", varName); + + uefiTxt = IOUtils.toString(this.getClass().getResourceAsStream( + UEFI_VARIABLE_BOOT_DRIVER_CONFIG_KEK), "UTF-8"); + 
uefiVariableBytes = HexUtils.hexStringToByteArray(uefiTxt); + uefiVariable = new UefiVariable(uefiVariableBytes); + varName = uefiVariable.getEfiVarName(); + Assertions.assertEquals("KEK", varName); + } + + /** + * Tests the processing of a UEFI defined GPT Partition event. + * + * @throws IOException when processing the test fails. + * @throws NoSuchAlgorithmException if non TCG Algorithm is encountered. + * @throws CertificateException if parsing issue for X509 cert is encountered. + * @throws URISyntaxException File location exception + */ + @Test + public final void testUefiPartiton() throws IOException, + CertificateException, NoSuchAlgorithmException, URISyntaxException { + LOGGER.debug("Testing the parsing of GPT Data"); + Path jsonPath = Paths.get(this.getClass() + .getResource(JSON_FILE).toURI()); + String uefiTxt = IOUtils.toString(this.getClass().getResourceAsStream(UEFI_GPT_EVENT), + "UTF-8"); + byte[] uefiPartitionBytes = HexUtils.hexStringToByteArray(uefiTxt); + UefiPartition gptPart = new UefiPartition(uefiPartitionBytes); + String gptPartName = gptPart.getPartitionName(); + UefiGuid gptTypeuid = gptPart.getPartitionTypeGUID(); + UefiGuid gptUniqueGuid = gptPart.getUniquePartitionGUID(); + JsonObject jsonObject = JsonUtils.getSpecificJsonObject(jsonPath, "VendorTable"); + String guidStr = jsonObject.getString( + gptTypeuid.toStringNoLookup().toLowerCase(), "Unknown GUID reference"); + Assertions.assertEquals("EFI System Partition", guidStr); + Assertions.assertEquals("8ca7623c-041e-4fab-8c12-f49a86b85d73 : Unknown GUID reference", + gptUniqueGuid.toString()); + Assertions.assertEquals("EFI system partition", gptPartName); + } + + /** + * Tests the processing of a UEFI defined GPT Partition event. + * + * @throws IOException when processing the test fails. + * @throws NoSuchAlgorithmException if non TCG Algorithm is encountered. + * @throws CertificateException if parsing issue for X509 cert is encountered. 
+ */ + @Test + public final void testUefiFirmwareBlob() throws IOException, + CertificateException, NoSuchAlgorithmException { + LOGGER.debug("Testing the parsing of Uefi Firmware Blob"); + String uefiTxt = IOUtils.toString(this.getClass() + .getResourceAsStream(UEFI_FW_BLOB), "UTF-8"); + byte[] uefiFwBlobBytes = HexUtils.hexStringToByteArray(uefiTxt); + UefiFirmware uefiFWBlob = new UefiFirmware(uefiFwBlobBytes); + int fwAddress = uefiFWBlob.getPhysicalBlobAddress(); + int fwLength = uefiFWBlob.getBlobLength(); + Assertions.assertEquals(1797287936, fwAddress); + Assertions.assertEquals(851968, fwLength); + } + + /** + * Tests the processing of a UEFI defined Device Path. + * + * @throws IOException when processing the test fails. + * @throws URISyntaxException File location exception + */ + @Test + public final void testUefiDevicePath() throws IOException, URISyntaxException { + LOGGER.debug("Testing the parsing of Uefi Device Path"); + String uefiTxt = IOUtils.toString(this.getClass().getResourceAsStream(UEFI_DEVICE_PATH), + "UTF-8"); + byte[] uefiFwBlobBytes = HexUtils.hexStringToByteArray(uefiTxt); + UefiDevicePath uefiDevPath = new UefiDevicePath(uefiFwBlobBytes); + String devPathType = uefiDevPath.getType(); + Assertions.assertEquals("Media Device Path", devPathType); + } +} \ No newline at end of file diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/events/EvBootServicesApplication.txt b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvBootServicesApplication.txt new file mode 100644 index 00000000..802c5d14 --- /dev/null +++ b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvBootServicesApplication.txt @@ -0,0 +1 @@ +1820d45800000000e0b405000000000000000000000000002c00000000000000040714002ce2edb630defa45bb09ca202c1654b7040614001ae3e1159d9f844c82fb1a707fc0f63b7fff0400 
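Review bot: The Javadoc on `testUefiFirmwareBlob` says "Tests the processing of a UEFI defined GPT Partition event", duplicating the one on `testUefiPartiton`; it should read `Tests the processing of a UEFI defined Platform Firmware Blob event.` Likewise the `setup` and `tearDown` Javadoc describe initialising and closing a `SessionFactory`, but the methods only emit a debug log line, so either drop them or reword the comments to what they do. Each `getResourceAsStream(...)` handed to `IOUtils.toString` is never closed; a try-with-resources around each read would avoid the leak. The method name `testUefiPartiton` is also misspelled (`testUefiPartition`).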
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiGptPartition.txt b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiGptPartition.txt new file mode 100644 index 00000000..1cd7e09d --- /dev/null +++ b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiGptPartition.txt @@ -0,0 +1 @@ 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 diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiSpecId.txt b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiSpecId.txt new file mode 100644 index 00000000..841a1be6 --- /dev/null +++ b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvEfiSpecId.txt @@ -0,0 +1 @@ +53706563204944204576656e743033000000000000020002010000000b00200000 diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/events/EvHandoffTables.txt b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvHandoffTables.txt new file mode 100644 index 00000000..ef759b94 --- /dev/null +++ b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvHandoffTables.txt @@ -0,0 +1 @@ +01000000000000004415fdf294972c4a992ee5bbcf20e3940000676300000000 \ No newline at end of file diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/events/EvPostCode.txt b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvPostCode.txt new file mode 100644 index 00000000..b76c680f --- /dev/null +++ b/HIRS_Utils/src/test/resources/tcgeventlog/events/EvPostCode.txt @@ -0,0 +1 @@ +414350492044415441 diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_DEVICE_PATH.txt b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_DEVICE_PATH.txt new file mode 100644 index 00000000..7802a6f4 --- /dev/null +++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_DEVICE_PATH.txt @@ -0,0 +1 @@ +040714002ce2edb630defa45bb09ca202c1654b7040614001ae3e1159d9f844c82fb1a707fc0f63b7fff0400 \ No newline at end of file 
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_PLATFORM_FIRMWARE_BLOB.txt b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_PLATFORM_FIRMWARE_BLOB.txt new file mode 100644 index 00000000..ceab9816 --- /dev/null +++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EFI_PLATFORM_FIRMWARE_BLOB.txt @@ -0,0 +1 @@ +0070206b0000000000000d0000000000 \ No newline at end of file diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_GPT_EVENT.txt b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_GPT_EVENT.txt new file mode 100644 index 00000000..f82c5911 --- /dev/null +++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_GPT_EVENT.txt @@ -0,0 +1 @@ +28732ac11ff8d211ba4b00a0c93ec93b3c62a78c1e04ab4f8c12f49a86b85d7300a80f0000000000ffc712000000000000000000000000804500460049002000730079007300740065006d00200070006100720074006900740069006f006e000000000000000000000000000000000000000000000000000000000000000000 \ No newline at end of file diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_BOOT.txt b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_BOOT.txt new file mode 100644 index 00000000..8b6b3d49 --- /dev/null +++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_BOOT.txt @@ -0,0 +1 @@ +61dfe48bca93d211aa0d00e098032b8c09000000000000000c0000000000000042006f006f0074004f007200640065007200040003000200000001000500 \ No newline at end of file diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_DRIVER_CONFIG_KEK.txt b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_DRIVER_CONFIG_KEK.txt new file mode 100644 index 00000000..b0b75029 --- /dev/null +++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VARIABLE_DRIVER_CONFIG_KEK.txt @@ -0,0 +1 @@ +61dfe48bca93d211aa0d00e098032b8c030000000000000000000000000000004b0045004b00 \ No newline at end of file 
diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VAR_SECURE_BOOT.txt b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VAR_SECURE_BOOT.txt new file mode 100644 index 00000000..bf6b6d07 --- /dev/null +++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/EV_EFI_VAR_SECURE_BOOT.txt @@ -0,0 +1 @@ +61dfe48bca93d211aa0d00e098032b8c0a00000000000000010000000000000053006500630075007200650042006f006f00740000 diff --git a/HIRS_Utils/src/test/resources/tcgeventlog/uefi/vendor-table.json b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/vendor-table.json new file mode 100644 index 00000000..d411dd50 --- /dev/null +++ b/HIRS_Utils/src/test/resources/tcgeventlog/uefi/vendor-table.json 
@@ -0,0 +1,233 @@ +{ + "VendorTable": { + "_comment_1": "UUIDS listed in the UEFI Specification", + "eb9d2d30-2d88-11d3-9a16-0090273fc14d": "ACPI_TABLE_GUID", + "eb9d2d32-2d88-11d3-9a16-0090273fc14d": "SAL_SYSTEM_TABLE_GUID", + "eb9d2d31-2d88-11d3-9a16-0090273fc14d": "SMBIOS_TABLE_GUID", + "f2fd1544-9794-4a2c-992e-e5bbcf20e394": "SMBIOS3_TABLE_GUID", + "eb9d2d2f-2d88-11d3-9a16-0090273fc14d": "MPS_TABLE_GUID", + "8868e871-e4f1-11d3-bc22-0080c73c8881": "EFI_ACPI_TABLE_GUID", + "87367f87-1119-41ce-aaec-8be01101f558": "EFI_JSON_CONFIG_DATA_TABLE_GUID", + "35e7a725-8dd2-4cac-8011-33cda8109056": "EFI_JSON_CAPSULE_DATA_TABLE_GUID", + "dbc461c3-b3de-422a-b9b4-9886fd49a1e5": "EFI_JSON_CAPSULE_RESULT_TABLE_GUID", + "77ab535a-45fc-624b-5560-f7b281d1f96e": "EFI_VIRTUAL_DISK_GUID", + "3d5abd30-4175-87Ce-6d64-d2ADe523C4bb": "EFI_VIRTUAL_CD_GUID", + "5Cea02c9-4d07-69d3-269f-4496Fbe096f9": "EFI_PERSISTENT_VIRTUAL_DISK_GUID", + "08018188-42cd-bb48-100f-5387D53ded3d": "EFI_PERSISTENT_VIRTUAL_CD_GUID", + "_comment_2": "DXE GUIds from https://github.com/linuxboot/linuxboot/blob/master/boards/qemu/image-files.txt", + "fc510ee7-ffdc-11d4-bd41-0080c73c8881": "DXE Apriori-FVRECOVERY", + "1b45cc0a-156a-428a-62af-49864da0e6e6": "PEI Apriori file name", + "80cf7257-87ab-47f9-a3fe-d50b76d89541": "PcdDxe", + "b601f8c4-43b7-4784-95b1-f4226cb40cee": "RuntimeDxe", + "f80697e9-7fd6-4665-8646-88e33ef71dfc": "SecurityStubDxe", + "1a1e4886-9517-440e-9fde-3be44cee2136": "CpuDxe", + "11a6edf6-a9be-426d-a6cc-b22fe51d9224": "PciHotPlugInitDxe", + "128fb770-5e79-4176-9e51-9bb268a17dd1": "PciHostBridgeDxe", + "93b80004-9fb3-11d4-9a3a-0090273fc14d": "PCI Bus Driver - PciBusDxe", + "9b680fce-ad6b-4f3a-b60b-f59899003443": "DevicePathDxe", + "f9d88642-0737-49bc-81b5-6889cd57d9ea": "SmbiosDxe", + "4110465d-5ff3-4f4b-b580-24ed0d06747a": "SmbiosPlatformDxe", + "9622e42c-8e38-4a08-9e8f-54f784652f6b": "AcpiTableDxe", + "49970331-e3fa-4637-9abc-3b7868676970": "AcpiPlatform", + "7e374e25-8e01-4fee-87f2-390c23c606cd": 
"ACPI data", + "bdce85bb-fbaa-4f4e-9264-501a2c249581": "S3SaveStateDxe", + "d9dcc5df-4007-435e-9098-8970935504b2": "PlatformDxe", + "8657015b-ea43-440d-949a-af3be365c0fc": "IoMmuDxe", + "cbd2e4d5-7068-4ff5-b462-9822b4ad8d60": "VariableRuntimeDxe", + "_comment_3": "PIWG Dxe driver Files (FvFile)from https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/1272444", + "70d57d67-7f05-494d-a014-b75d7345b700": "Storage Security Command Driver", + "3acc966d-8e33-45c6-b4fe-62724bcd15a9": "AHCI Bus Driver", + "67bbc344-84bc-4e5c-b4df-f5e4a00e1f3a": "Host Controller Driver", + "86edaae5-073c-4c89-b949-8984ac8a55f3": "MMC/SD Media Device Driver", + "9e863906-a40f-4875-977F-5b93ff237fc6": "Serial Terminal Driver", + "a6cc6bc8-2ada-46C3-bba4-e99672CC9530": "PCI Serial Driver", + "69fd8e47-a161-4550-b01a-5594ceb2b2b2": "PCI IDE/ATAPI Bus Driver", + "51ccf399-4fdf-4e55-a45b-e123f84d456a": "Platform Console Management Driver", + "6b38f7b4-ad98-40e9-9093-aca2b5a253c4": "Generic Disk I/O Driver", + "2d2e62cf-9ecf-43b7-8219-94e7fC713dfe": "Usb Keyboard Driver", + "9fb4b4a7-42C0-4bcd-8540-9bcc6711f83e": "Usb Mass Storage Driver", + "e3752948-b9a1-4770-90c4-df41c38986be": "QEMU Video Driver", + "240612B7-a063-11d4-9a3a-0090273fc14d": "Usb Bus Driver", + "bdfe430e-8F2a-4db0-9991-6f856594777e": "Usb Ehci Driver", + "2fb92efa-2ee0-4bae-9eB6-7464125E1EF7": "Usb Ehci Driver", + "a92cdb4b-82f1-4e0b-a516-8a655d371524": "Virtio Network Driver", + "4579b72d-7ec4-4dd4-8486-083c86b182a7": "iSCSI Driver", + "3b1deaB5-c75d-442e-9238-8e2ffb62b0bb": "UEFI PXE Base Code Driver", + "6b6963ab-906d-4a65-a7ca-bd40e5d6af2b": "UDP Network Service Driver", + "6d6963ab-906d-4a65-a7ca-bd40e5d6af4d": "Tcp Network Service Driver", + "dc3641b8-2fa8-4ed3-bc1f-f9962a03454b": "MTFTP4 Network Service Driver", + "9fb1a1f3-3b71-4324-b39a-745cbb015fff": "IP4 Network Service Driver", + "26841bde-920a-4e7a-9Fbe-637f477143a6": "IP4 CONFIG Network Service Driver", + "94734718-0bbc-47fb-96a5-ee7a5ae6a2ad": "DHCP Protocol 
Driver", + "529d3f93-e8e9-4e73-b1e1-bdf6a9d50113": "ARP Network Service Driver", + "e4f61863-fe2c-4b56-a8d4-08519bc439df": "VLAN Configuration Driver", + "a2f436ea-a127-4ef8-957c-8048606ff670": "Simple Network Protocol Driver", + "961578fe-b6b7-44c3-af35-6bc705cd2b1f": "FAT File System Driver", + "0abd8284-6da3-4616-971a-83a5148067ba": "ISA Floppy Driver", + "3dc82376-637b-40a6-a8fc-a565417f2c38": "PS/2 Keyboard Driver", + "93b80003-9fb3-11d4-9a3a-0090273fc14d": "ISA Serial Driver", + "240612b5-a063-11d4-9a3a-0090273fc14a": "ISA Bus Driver", + "99549f44-49bb-4820-b9d2-901329412d67": "IDE Controller Init Driver", + "0a66e322-3740-4cce-ad62-bd172cecca35": "Scsi Disk Driver", + "1fa1f39e-feff-4aae-bd7b-38a070a3b609": "Partition Driver", + "9e863906-a40f-4875-977f-5b93ff237fc6": "Serial Terminal Driver", + "cccb0c28-4b24-11d5-9a5a-0090273fc14d": "Graphics Console Driver", + "408edcec-cf6d-477c-a5a8-b4844e3de281": "Console Splitter Driver", + "fab5d4f4-83c0-4aaf-8480-442d11df6cea": "Virtio SCSI Host Driver", + "11d92dfb-3Ca9-4f93-ba2e-4780ed3e03b5": "Virtio Block Driver", + "33cb97af-6c33-4c42-986b-07581fa366d4": "Block MMIO to Block IO Driver", + "_comment_4": "PIWG Volumes (Fv)", + "a881d567-6cb0-4eee-8435-2e72d33e45B5": "PIWG Default Volume", + "_comment_5": "UEFI UUIDS for Certificates", + "3c5766e8-269c-4e34-aa14-ed776e85b3b6": "EFI_CERT_RSA2048_GUID", + "e2b36190-879b-4a3d-ad8d-f2e7bba32784": "EFI_CERT_RSA2048_SHA256_GUID", + "c1c41626-504c-4092-aca9-41f936934328": "EFI_CERT_SHA256_GUID", + "826ca512-cf10-4ac9-b187-be01496631bd": "EFI_CERT_SHA1_GUID", + "67f8444f-8743-48f1-a328-1eaab8736080": "EFI_CERT_RSA2048_SHA1_GUID", + "a5c059a1-94e4-4aa7-87b5-ab155c2bf072": "EFI_CERT_X509_GUID", + "0b6e5233-a65c-44c9-9407-d9ab83bfc8bd": "EFI_CERT_SHA224_GUID", + "ff3e5307-9fd0-48c9-85f1-8ad56c701e01": "EFI_CERT_SHA384_GUID", + "093e0fae-a6c4-4f50-9f1b-d41e2b89c19a": "EFI_CERT_SHA512_GUID", + "3bd2a492-96c0-4079-b420-fcf98ef103ed": "EFI_CERT_X509_SHA256_GUID", + 
"7076876e-80c2-4ee6-aad2-28b349a6865b": "EFI_CERT_X509_SHA384_GUID", + "446dbf63-2502-4cda-bcfa-2465d2b0fe9d": "EFI_CERT_X509_SHA512_GUID", + "a7717414-c616-4977-9420-844712a735bf": "EFI_CERT_TYPE_RSA2048_SHA256_GUID", + "_comment_6": "UEFI defined variables", + "452e8ced-dfff-4b8c-ae01-5118862e682c": "EFI_CERT_EXTERNAL_MANAGEMENT_GUID", + "d719b2cb-3d3a-4596-a3bc-dad00e67656f": "EFI_IMAGE_SECURITY_DATABASE_GUID", + "4aafd29d-68df-49ee-8aa9-347d375665a7": "EFI_CERT_TYPE_PKCS7_GUID", + "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System Partition", + "024DEE41-33E7-11D3-9D69-0008C781F39F": "Partition containing a legacy MBR", + "_comment_7": "RHBoot UEFI Application UUIDs From listed in RHBoot (RHShim) https://github.com/rhboot/efivar/blob/master/src/guids.txt", + "0abba7dc-e516-4167-bbf5-4d9d1c739416": "fwupdate:", + "3b8c8162-188c-46a4-aec9-be43f1d65697": "ux_capsule", + "605dab50-e046-4300-abb6-3dd810dd8b23": "RH_Shim", + "8be4df61-93ca-11d2-aa0d-00e098032b8c": "EFI_Global_Variable", + "91376aff-cba6-42be-949d-06fde81128e8": "GRUB", + "_comment_8": "Partition Table GUIDs", + "0fc63daf-8483-4772-8e79-3d69d8477de4": "Linux filesystem data", + "e6d6d379-f507-44c2-a23c-238f2a3df928": "Logical Volume Manager (LVM) partition", + "4f68bce3-e8cd-4db1-96e7-fbcaf984b709": "Root partition (x86-64)", + "a19d880f-05fc-4d3b-a006-743f0f84911e": "RAID partition", + "933ac7e1-2eb4-4f13-b844-0e14e2aef915": "/home partition[ (x86-64)", + "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "GPT Basic data partition", + "_comment_9": "RHBoot Lenovo specific UUIDS", + "3cc24e96-22c7-41d8-8863-8e39dcdcc2cf": "lenovo", + "82988420-7467-4490-9059-feb448dd1963": "lenovo_me_config", + "f7e615b-0d45-4f80-88dc-26b234958560": "lenovo_diag", + "665d3f60-ad3e-4cad-8e26-db46eee9f1b5": "lenovo_rescue", + "721c8b66-426c-4e86-8e99-3457c46ab0b9": "lenovo_setup", + "f46ee6f4-4785-43a3-923d-7f786c3c8479": "lenovo_startup_interrupt", + "126a762d-5758-4fca-8531-201a7f57f850": "lenovo_boot_menu", + 
"a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380": "lenovo_diag_splash", + "_comment_10": "Company UUIDs (From Internet searches)", + "77fa9abd-0359-4d32-bd60-28f4e78f784b": "Microsoft Inc.", + "f5a96b31-dba0-4faa-a42a-7a0c9832768e": "HPE Inc.", + "2879c886-57ee-45cc-b126-f92f24f906b9": "SUSE Certificate", + "70564dce-9afc-4ee3-85fc-949649d7e45c": "Dell Inc.", + "_comment_11": "Intel GUIDS", + "bfcc0833-2125-42d1-8c6d-13821e23c078": "Intel(R) Desktop Boards", + "80b3ad5b-9880-4af9-a645-e56a68be89de": "Intel(R) CISD FW Update", + "_comment_12": "Microsoft GUIDS", + "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft Reserved Partition (MSR)", + "5808c8aa-7e8f-42e0-85d2-e1e90434cfb3": "Logical Disk Manager (LDM) metadata partition ", + "af9b60a0-1431-4f62-bc68-3311714a69ad": "Logical Disk Manager data partition", + "de94bba4-06d1-4d40-a16a-bfd50179d6ac": "Windows Recovery Environment", + "9f25ee7a-e7b7-11db-94b5-f7e662935912": "Windows Boot Loader", + "_comment_13": "Linux specific GUIDS", + "0fc63daf-8483-4772-8e79-3d69d8477de": "Linux filesystem data", + "44479540-f297-41b2-9af7-d131d5f0458a4": "Root partition (x86)", + "69dad710-2ce4-4e3c-b16c-21a1d49abed3": "Root partition (32-bit ARM)", + "b921b045-1df0-41c3-af44-4c6f280d3fae": "Root partition (64-bit ARM/AArch64)", + "0657fd6d-a4ab-43c4-84e5-0933c84b4f4f": "Swap partition", + "3b8f8425-20e0-4f3b-907f-1a25a76f98e8": "/srv (server data) partition", + "7ffec5c9-2d00-49b7-8941-3ea10a5586b7": "Plain dm-crypt partitiont", + "ca7d7ccb-63ed-4c53-861c-1742536059cc": "LUKS partition", + "_comment_14": "Linux Boot GUIDS https://github.com/linuxboot/linuxboot/blob/master/boards/s2600wf/vendor-files.txt", + "9cfd802c-09a1-43d6-8217-aa49c1f90d2c": "Intel Management Engine BIOS Extension (Mebx)", + "b62efbbb-3923-4cb9-a6e8-db818e828a80": "Intel Management Engine BIOS Extension (Mebx) Setup Browser", + "9ce4325e-003e-11e3-b582-b8ac6f199a57": "Non-Volatile Dual In-line Memory Module (NVDIMM) Driver", + 
"ea9de6d5-7839-46f7-9e63-4de8b00e2e5d": "NVM DIMM Human Interface Infrastructure (HII)", + "56a1b86f-0d4a-485d-87de-ad0eba1c8c2a": "IBM C Video Gop", + "a1f436ea-a127-4ef8-957c-8048606ff670": "SnpDxe", + "a210f973-229d-4f4d-aa37-9895e6c9eaba": "DpcDxe", + "025bbfc7-e6a9-4b8b-82ad-6815a1aeaf4a": "MNP Network Service Driver - MnpDxe", + "b44b2005-42bc-41c9-80af-abd7dc7d6923": "RSTesSATAEFI", + "15e1e31a-9f9d-4c84-82fb-1a707fc0f63b": "RSTeSATAEFI", + "2cc25173-bd9f-4c89-89cc-29256a3fd9c3": "RSTesSATALegacy", + "bd5d4ca5-674f-4584-8cf9-ce4ea1f54dd1": "RSTeSATALegacy", + "_comment_15": "WinNt GUIDs, add if they are still found in use https://sourceforge.net/p/uefinotes/wiki/FV%20Sources/?version=3", + "fc5c7020-1a48-4198-9be2-ead5abc8cf2f": "BdsDxe", + "d0893f05-b06d-4161-b947-9be9b85ac3a1": "SnpNt32Dxe", + "9b3ada4f-ae56-4c24-8Dea-f03b7558ae50": "PcdPeim", + "34c8c28F-b61c-45a2-8f2e-89e46becc63b": "PeiVariable", + "fe5cea76-4f72-49e8-986f-2cd899dffe5d": "FaultTolerantWriteDxe", + "_comment_16": "Linux Boot Image files UEFI Platform Initialization (PI) specifications Driver Execution Environment (DXE) Architectural protocols and platform modules https://github.com/linuxboot/linuxboot/blob/master/boards/winterfell/image-files.txt", + "5ae3f37e-4eae-41ae-8240-35465b5e81eb": "CORE_DXE", + "cbc59c4a-383a-41eb-a8ee-4498aea567e4": "DXE Runtime", + "3c1de39f-d207-408a-aacc-731cfb7f1dd7": "DXE PciBus", + "80e66e0a-ccd1-43fa-a7b1-2d5ee0f13910": "DXE PciRootBridge", + "9f3a0016-ae55-4288-829d-d22fd344c347": "DXE AmiBoardInfo", + "13ac6dd0-73d0-11d4-b06b-00aa00bd6de7": "DXE EBC", + "e03abadf-e536-4e88-b3a0-b77f78eb34fe": "CPU DXE", + "b7d19491-e55a-470d-8508-85a5dfa41974": "SBDXE", + "e23f86e1-056e-4888-b685-cfcd67c179d4": "DXE SBRun", + "e4ecd0b2-e277-4f2b-becb-e4d75c9a812e": "NBDXE", + "5ad34ba6-f024-2149-52e4-da0398e2bb9": "DXE Services Table", + "_comment_17": "ACPI configuration and tables", + "750890a6-7acf-4f4f-81bd-b400c2bea95a": "AcpiModeEnable", + 
"d4c05cd1-5eae-431d-a095-13a9e5822045": "MPST", + "db93cb2c-bf1c-431a-abc8-8737bc2afc1f": "PRAD-ACPI-table", + "3bc5b795-a4e0-4d56-9321-316d18a7aefe": "PRAD", + "16d0a23e-c09c-407d-a14a-ad058fdd0ca1": "ACPI", + "26a2481e-4424-46a2-9943-cc4039ead8f8": "S3Save", + "efd652cc-0e99-40f0-96c0-e08c089070fc": "S3Restore", + "8c783970-f02a-4a4d-af09-8797a51eec8d": "PowerManagement", + "299141bb-211a-48a5-92c0-6f9a0a3a006e0": "PowerManagement-ACPI-table", + "2df10014-cf21-4280-8c3f-e539b8ee5150": "PpmPolicyInitDxe", + "4b680e2d-0d63-4f62-b930-7ae995b9b3a3": "SmBusDxe", + "_comment_18": "SMM handlers", + "4a37320b-3fb3-4365-9730-9e89c600395d": "SmmDispatcher", + "753630c9-fae5-47a9-bbbf-88d621cd7282": "SmmChildDispatcher", + "be216ba8-38c4-4535-a6ca-5dca5b43addf": "SmiVariable", + "a56897a1-a77f-4600-84db-22b0a801fa9a": "SmmRuntime", + "d2596f82-f0e1-49fa-95bc-62012c795728": "SmmBase Data", + "69009842-63f2-43db-964b-efad1c39ec85": "SmmBase Data", + "d0632c90-afd7-4492-b186-257c63143c61": "SmmBase", + "7e2d983f-f703-4a29-9761-77b51f5354ed": "SmmCommunicate", + "_comment_19": "CMOS and NVRAM handlers", + "6869c5b3-ac8d-4973-8b37-e354dbf34add": "CmosManagerSmm", + "842a454a-75e5-408b-8b1c-36420e4e3f21": "NvramSmi", + "5446c293-339b-47cd-b719-585de39408cc": "PostReport", + "71ca9ca1-325d-4bfe-afa3-2ec5c94a8680": "DmAcpi", + "cef68c66-06ab-4fb3-a3ed-5ffa885b5725": "SMBiosBoard", + "b13edd38-684c-41ed-a305-d7b7e32497df": "SMBios64", + "ded7956d-7e20-4f20-91a1-190439b04d5b": "SmbiosGetFlashData64", + "daf4bf89-ce71-4917-b522-c89d32fbc59f": "SmbiosStaticData", + "_comment_20": "Apple GUIDS", + "48465300-0000-11aa-aa11-00306543ecac": "Apple Hierarchical File System Plus (HFS+) partition ", + "7c3457ef-0000-11aa-aa11-00306543ecac": "Apple APFS container", + "55465300-0000-11aa-aa11-00306543ecac": "Apple UFS container", + "52414944-0000-11aa-aa11-00306543ecac": "Apple RAID partition", + "4c616265-6c00-11aa-aa11-00306543ecac": "Apple Label", + "53746f72-6167-11aa-aa11-00306543ecac": 
"Apple Core Storage Container", + "6a898cc3-1dd2-11b2-99a6-080020736631": "ZFS Partition", + "_comment_21": "Chrome OS GUIDS", + "2568845d-2332-4675-bc39-8fa5a4748d15": "Chrome OS kernel ", + "3cb8e202-3b7e-47dd-8a3c-7ff2a13cfcec": "Chrome OS rootfs ", + "2e0a753d-9e48-43b0-8337-b15192cb1b5e": "Chrome OS future use ", + "_comment_22": "Android GUIDS", + "fe3a2a5d-4f32-41a7-b725-accc3285a309": "Android Bootloader", + "114eaffe-1552-4022-b26e-9b053604cf84": "Android Bootloader 2", + "49a4d17f-93a3-45c1-a0de-f50b2ebe2599": "Android Boot", + "4177c722-9e92-4aab-8644-43502bfd5506": "Android Recovery", + "38f428e6-d326-425d-9140-6e0ea133647c": "Android System", + "bd59408b-4514-490d-bf12-9878d963f378": "Android Config", + "8f68cc74-c5e5-48da-be91-a0c8c15e9c80": "Android Factory", + "ac6d7924-eb71-4df8-b48d-e267b27148ff": "Android OEM", + "_comment_23": "MISC GUIDs", + "5023b95c-db26-429b-a648-bd47664c8012": "Built-in EFI Shell", + "610a0202-d308-00c4-0000-000004300d06": "Mystery UUID", + "00000000-0000-0000-0000-000000000000": "Empty UUID" + } +} diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh new file mode 100644 index 00000000..a77d10af --- /dev/null +++ b/package/scripts/aca/aca_bootRun.sh @@ -0,0 +1,13 @@ +#!/bin/bash +##################################################################################### +# +# Script to run ACA using the gradle spring pluing bootRun command with password set +# +# +#################################################################################### + +CONFIG_FILE="/etc/hirs/aca/application.properties" + +echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index" + +./gradlew bootRun --args="--spring.config.location=$CONFIG_FILE" \ No newline at end of file diff --git a/package/scripts/aca/aca_property_setup.sh b/package/scripts/aca/aca_property_setup.sh deleted file mode 100644 index fd05779a..00000000 --- a/package/scripts/aca/aca_property_setup.sh +++ /dev/null 
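Review bot: Several VendorTable keys are not well-formed GUIDs and can never match a lookup key, e.g. `f7e615b-0d45-4f80-88dc-26b234958560` (seven characters in the first group), `0fc63daf-8483-4772-8e79-3d69d8477de`, `44479540-f297-41b2-9af7-d131d5f0458a4`, `5ad34ba6-f024-2149-52e4-da0398e2bb9` and `299141bb-211a-48a5-92c0-6f9a0a3a006e0`. A number of keys also use mixed case (`3d5abd30-4175-87Ce-6d64-d2ADe523C4bb`, `024DEE41-33E7-11D3-9D69-0008C781F39F`), and `9e863906-a40f-4875-977F-5b93ff237fc6` appears a second time as its lowercase twin; if the consumer builds the key from a lowercase `UUID.toString()` — the lookup code is not in this diff — those entries are dead and the event-log GUID is reported without a name. Normalise every key to lowercase 8-4-4-4-12 form and add a unit test asserting each key matches `^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$`, which would also flag the value typos (`partitiont`, `partition[`).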
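Review bot: `./gradlew bootRun --args=...` is resolved against the caller's working directory, but the script lives in `package/scripts/aca`, so it only works when launched from the repository root. Either change to the root first, `cd "$(dirname -- "$0")/../../.." || exit 1`, or state the required working directory in the header comment (which also has a typo: "pluing" → "plugin"). `CONFIG_FILE` is expanded unquoted inside `--args=...`; quoting it keeps the argument intact if the path ever contains spaces.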
@@ -1,27 +0,0 @@ -#!/bin/bash - -# Create aca.poperties file - -pki_password=$1 - -rm -f /etc/hirs/aca.properties -aca_prop_file="/etc/hirs/aca.properties" - -echo '# *** ACA Directories *** -aca.directories.root = /etc/hirs/ -aca.directories.certificates = ${aca.directories.root}/certificates' > $aca_prop_file - -echo '# *** Certificate and Key Properties *** -aca.setup.keys.rsa.keySize = 3072 -aca.setup.keys.ecc.keySize = 512 -aca.setup.certificates.validity = 3652 -aca.setup.certificates.subjectName = HIRS_AttestationCA -aca.setup.certificates.expiration = ${aca.setup.certificates.validity}' >> $aca_prop_file - -echo '# *** Keystore properties *** -aca.keyStore.alias = HIRS_ACA_KEY -aca.keyStore.rsa.alias = hirs_leaf_ca1_rsa_3072_sha384 -aca.keyStore.ecc.alias = hirs_leaf_ca1_ecc_512_sha384 -aca.keyStore.location = ${aca.directories.certificates}/keyStore.jks -aca.keyStore.password = '$pki_password >> $aca_prop_file - diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh index 240dd683..93edfa3d 100644 --- a/package/scripts/aca/aca_setup.sh +++ b/package/scripts/aca/aca_setup.sh 
@@ -1,23 +1,50 @@ #!/bin/bash # Capture location of the script to allow from invocation from any location SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) +SPRING_PROP_FILE='../../../HIRS_AttestationCAPortal/src/main/resources/application.properties' +HIRS_CONF_DIR=/etc/hirs/aca +LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log +LOG_DIR="/var/log/hirs/" +HIRS_PROP_DIR="/opt/hirs/default-properties" +COMP_JSON='../../../HIRS_AttestationCA/src/main/resources/component-class.json' +VENDOR_TABLE='../../../HIRS_AttestationCA/src/main/resources/vendor-table.json' +LOG_FILE="$LOG_DIR$LOG_FILE_NAME" +echo "LOG_FILE is $LOG_FILE" -pushd $SCRIPT_DIR +if [ "$EUID" -ne 0 ] + then echo "The first time this script is run, this script requires root. Please run as root" + exit 1 +fi -sh ../db/db_create.sh +mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR + +echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE" + +pushd $SCRIPT_DIR &>/dev/null + + +# Copy HIRS configuration and data files if not a package install +if [ -f $SPRING_PROP_FILE ]; then + cp -n $SPRING_PROP_FILE $HIRS_CONF_DIR/. + cp -n $COMP_JSON $HIRS_PROP_DIR/. + cp -n $VENDOR_TABLE $HIRS_PROP_DIR/. +fi + +sh ../db/db_create.sh $LOG_FILE if [ $? -eq 0 ]; then - echo "ACA database setup complete" + echo "ACA database setup complete" | tee -a "$LOG_FILE" else - echo "Error setting up ACA DB" + echo "Error setting up ACA DB" | tee -a "$LOG_FILE" exit 1 fi -sh ../pki/pki_setup.sh +sh ../pki/pki_setup.sh $LOG_FILE if [ $? -eq 0 ]; then - echo "ACA PKI setup complete" + echo "ACA PKI setup complete" | tee -a "$LOG_FILE" else - echo "Error setting up ACA PKI" + echo "Error setting up ACA PKI" | tee -a "$LOG_FILE" exit 1 fi - echo "ACA setup complete" -popd + echo "ACA setup complete" | tee -a "$LOG_FILE" + +popd &>/dev/null \ No newline at end of file diff --git a/package/scripts/pki/.prop.file b/package/scripts/pki/.prop.file deleted file mode 100644 index 1c47967e..00000000 
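Review bot: `mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR` and the following `cp -n $SPRING_PROP_FILE $HIRS_CONF_DIR/.` create `/etc/hirs/aca` and its `application.properties` with whatever the inherited umask allows, yet `pki_setup.sh` later in this diff appends the keystore and truststore passwords to that same file. Tighten permissions where the file is created: `chmod 700 "$HIRS_CONF_DIR"` after the `mkdir`, and `chmod 600 "$HIRS_CONF_DIR/application.properties"` after the copy (or `umask 077` at the top of the script). Also `echo "HIRS ACA Setup initiated ..." > "$LOG_FILE"` truncates the log on every run, so a second run on the same day discards the earlier record; `>>` would keep it.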
--- a/package/scripts/pki/.prop.file +++ /dev/null @@ -1,9 +0,0 @@ -# *** ACA Directories *** -aca.directories.root = /etc/hirs/ -aca.directories.certificates = ${aca.directories.root}/certificates -# *** Certificate and Key Properties *** -aca.setup.keys.rsa.keySize = 3072 -aca.setup.keys.ecc.keySize = 512 -aca.setup.certificates.validity = 3652 -aca.setup.certificates.subjectName = HIRS_AttestationCA -aca.setup.certificates.expiration = ${aca.setup.certificates.validity} diff --git a/package/scripts/pki/ca.conf b/package/scripts/pki/ca.conf index 767cfcf3..cc1b92bc 100644 --- a/package/scripts/pki/ca.conf +++ b/package/scripts/pki/ca.conf @@ -23,6 +23,11 @@ organizationalUnitName = optional commonName = optional emailAddress = optional +[ alternate_names ] +DNS.1 = localhost +DNS.2 = localhost.localdomain +DNS.3 = 127.0.0.1 + [ ca_extensions ] keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign basicConstraints = critical,CA:true,pathlen:1 @@ -35,19 +40,17 @@ crlDistributionPoints = URI:https://example.com/crl [ server_extensions ] keyUsage = critical,digitalSignature,keyEncipherment -basicConstraints = CA:false extendedKeyUsage = serverAuth,clientAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always -authorityInfoAccess = caIssuers;URI:https://example.com/certs +authorityInfoAccess = caIssuers;URI:https://example.com/certs crlDistributionPoints = URI:https://example.com/crl +subjectAltName = @alternate_names [ signer_extensions ] keyUsage = critical,digitalSignature,nonRepudiation,keyEncipherment subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer -basicConstraints = critical,CA:false keyUsage = critical, digitalSignature authorityInfoAccess = caIssuers;URI:https://example.com/certs/ -crlDistributionPoints = URI:https://example.com/crl - +crlDistributionPoints = URI:https://example.com/crl \ No newline at end of file 
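Review bot: `DNS.3 = 127.0.0.1` in the new `[ alternate_names ]` section puts an IP address into a dNSName entry; clients match IP addresses against iPAddress SAN entries, so this should be `IP.1 = 127.0.0.1`. The list is also hard-coded to localhost names, so a TLS client that reaches the portal under any other hostname will fail hostname verification; at minimum document that, or let the name be supplied when `pki_chain_gen.sh` copies this config. The same list is applied through `subjectAltName = @alternate_names` in the second hunk of this file.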
diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh index bf2dd514..0b3b114b 100644 --- a/package/scripts/pki/pki_chain_gen.sh +++ b/package/scripts/pki/pki_chain_gen.sh @@ -20,6 +20,7 @@ ASYM_ALG=$2 ASYM_SIZE=$3 HASH_ALG=$4 PASS=$5 +LOG_FILE=$6 ROOT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test root ca" INT_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test intermediate ca" LEAF_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" test ca" @@ -32,13 +33,17 @@ KEYSTORE=KeyStore.jks # Parameter check if [ -z "${ACTOR}" ] || [ -z "${ASYM_ALG}" ] || [ -z "${ASYM_SIZE}" ] || [ -z "${HASH_ALG}" ] || [ "${ACTOR}" == "-h" ] || [ "${ACTOR}" == "--help" ]; then - echo "parameter missing to pki_chain_gen.sh, exiting pki setup" + echo "parameter missing to pki_chain_gen.sh, exiting pki setup" | tee -a "$LOG_FILE" exit 1; fi if ! { [ $ASYM_ALG == "rsa" ] || [ $ASYM_ALG == "ecc" ]; }; then - echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup" - exit 1 + echo "$ASYM_ALG is an unsupported assymetric algorithm, exiting pki setup" | tee -a "$LOG_FILE" + exit 1; +fi + +if [ -z ${LOG_FILE} ]; then + LOG_FILE="/dev/null" fi case $ASYM_SIZE in @@ -52,7 +57,7 @@ case $ASYM_SIZE in 3072) KSIZE=3k;; 4096) KSIZE=4k;; *) - echo "$ASYM_SIZE is an unsupported key size, exiting pki setup" + echo "$ASYM_SIZE is an unsupported key size, exiting pki setup" | tee -a "$LOG_FILE" exit 1;; esac 
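Review bot: The `LOG_FILE="/dev/null"` fallback is placed after the parameter check and the algorithm check, both of which already write through `tee -a "$LOG_FILE"`, so when the sixth argument is omitted those error paths run `tee -a ""` and fail with tee's own error instead of logging the message. Set the default where the variable is read, `LOG_FILE="${6:-/dev/null}"`, and drop the later block. `[ -z ${LOG_FILE} ]` should also quote the variable, as the other tests in this file do.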
@@ -76,21 +81,37 @@ TLS_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$NAME" portal" # Add check for existing folder and halt if it exists if [ -d "$ACTOR_ALT"/"$CERT_FOLDER" ]; then - echo "Folder for $CERT_FOLDER exists, exiting..." + echo "Folder for $CERT_FOLDER exists, exiting..." | tee -a "$LOG_FILE" exit 1; fi # Intialize sub folders -#echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..." +echo "Creating PKI for $ACTOR_ALT using $KSIZE $ASYM_ALG and $HASH_ALG..." | tee -a "$LOG_FILE" mkdir -p "$ACTOR_ALT" "$ACTOR_ALT"/"$CERT_FOLDER" "$ACTOR_ALT"/ca/certs cp ca.conf "$ACTOR_ALT"/. pushd "$ACTOR_ALT" &> /dev/null touch ca/db +touch openssl-san.cnf if [ ! -f "ca/serial.txt" ]; then - echo "01" > ca/serial.txt + echo "01" > ca/serial.txt | tee -a "$LOG_FILE" fi +# Function to add Cert to Truststore and key to Keystore +add_to_stores () { + CERT_PATH=$1 + ALIAS=${CERT_PATH#*/} # Use filename without path as an alias + echo "Addding $ALIAS to the $TRUSTSTORE and $KEYSTORE" | tee -a "$LOG_FILE" + # Add the cert and key to the key store. make a p12 file to import into te keystore + openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1 + # Use the p12 file to import into a java keystore via keytool + keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1 + # Import the cert into a java trust store via keytool + keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1 + # Remove the temp p1 file. + rm tmpkey.p12 +} + # Function to create an Intermediate Key, CSR, and Certificate # PARMS: # 1. Cert Type String 
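Review bot: In `add_to_stores` the keytool invocation places `-J-Dcom.redhat.fips=false` between `-destalias` and its value `"$ALIAS"`; that only works because the launcher strips `-J` options before keytool parses its arguments, and it reads as if the JVM flag were the alias — move it to the end of the command (the copy in `create_cert` two hunks below has the same shape). `echo "01" > ca/serial.txt | tee -a "$LOG_FILE"` sends stdout into the file, so nothing reaches `tee` and the line logs nothing; the plain redirect was sufficient. `touch openssl-san.cnf` creates a file that nothing in the visible hunks reads. The new function also passes `$PASS` on the `openssl pkcs12` and `keytool` command lines, where it is visible to other local users in the process list for the duration of the call; `-passin env:VAR`/`-passout env:VAR` for openssl and `-srcstorepass:env VAR`/`-deststorepass:env VAR` for keytool avoid that.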
@@ -101,27 +122,23 @@ create_cert () { CERT_PATH="$1" ISSUER="$2" SUBJ_DN="$3" + EXTENSION="$4" ISSUER_KEY="$ISSUER".key ISSUER_CERT="$ISSUER".pem ALIAS=${CERT_PATH#*/} # Use filename without path as an alias - if [ "$CERT_TYPE" == "rim_signer" ]; then - EXTENSION="signer_extensions" - else - EXTENSION="ca_extensions" - fi - - echo "Creating cert for "$CERT_TYPE" using $ISSUER_KEY with a DN="$SUBJ_DN"..." + echo "Creating cert using "$ISSUER_KEY" with a DN="$SUBJ_DN"..." | tee -a "$LOG_FILE" if [ "$ASYM_ALG" == "rsa" ]; then openssl req -newkey rsa:"$ASYM_SIZE" \ -keyout "$CERT_PATH".key \ -out "$CERT_PATH".csr -subj "$SUBJ_DN" \ - -passout pass:"$PASS" &> /dev/null + -passout pass:"$PASS" >> "$LOG_FILE" 2>&1 else - openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key &> /dev/null - openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" &> /dev/null + openssl ecparam -genkey -name "$ECC_NAME" -out "$CERT_PATH".key >> "$LOG_FILE" 2>&1 + openssl req -new -key "$CERT_PATH".key -out "$CERT_PATH".csr -$HASH_ALG -subj "$SUBJ_DN" >> "$LOG_FILE" 2>&1 fi + openssl ca -config ca.conf \ -keyfile "$ISSUER_KEY" \ -md $HASH_ALG \ 
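Review bot: `EXTENSION="$4"` replaces the old defaulting logic with no fallback or validation, so a caller that omits the fourth argument now hands an empty extensions section to `openssl ca` (the `-extensions` use is presumably in the part of `create_cert` that continues past this hunk). Fail fast instead, `EXTENSION="${4:?extension section name required}"`, or keep the previous behaviour with `EXTENSION="${4:-ca_extensions}"`. `create_cert` begins before this hunk and ends after it.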
@@ -131,17 +148,18 @@ create_cert () { -in "$CERT_PATH".csr \ -passin pass:"$PASS" \ -batch \ - -notext &> /dev/null + -notext >> "$LOG_FILE" 2>&1 # Increment the cert serial number - awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt &> /dev/null + SERIAL=$(awk -F',' '{printf("%s\t%d\n",$1,$2+1)}' ./ca/serial.txt) + echo "Cert Serial Number = $SERIAL" >> "$LOG_FILE"; # remove csr file rm -f "$CERT_PATH".csr # Add the cert and key to the key store. make a p12 file to import into te keystore - openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -passout pass:$PASS + openssl pkcs12 -export -in "$CERT_PATH".pem -inkey "$CERT_PATH".key -out tmpkey.p12 -passin pass:"$PASS" -aes256 -passout pass:$PASS >> "$LOG_FILE" 2>&1 # Use the p12 file to import into a java keystore via keytool - keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias "$ALIAS" &> /dev/null + keytool -importkeystore -srckeystore tmpkey.p12 -destkeystore $KEYSTORE -srcstoretype pkcs12 -srcstorepass $PASS -deststoretype jks -deststorepass $PASS -noprompt -alias 1 -destalias -J-Dcom.redhat.fips=false "$ALIAS" >> "$LOG_FILE" 2>&1 # Import the cert into a java trust store via keytool - keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" &> /dev/null + keytool -import -keystore $TRUSTSTORE -storepass $PASS -file "$CERT_PATH".pem -noprompt -alias "$ALIAS" -J-Dcom.redhat.fips=false >> "$LOG_FILE" 2>&1 # Remove the temp p1 file. rm tmpkey.p12 } 
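Review bot: The pkcs12 export, the two keytool imports and `rm tmpkey.p12` at the end of `create_cert` are now a verbatim copy of the body of the new `add_to_stores` function; replace them with `add_to_stores "$CERT_PATH"` so the two cannot drift apart. The comment `# Increment the cert serial number` is misleading: `SERIAL=$(awk ... ./ca/serial.txt)` only reads and prints, it never writes back, and presumably `openssl ca` is what advances the serial file — reword it to `# Log the serial number openssl ca will use next` or drop the awk. `create_cert` begins before this hunk.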
@@ -149,53 +167,58 @@ create_cert () { create_cert_chain () { # Create an intermediate CA, Sign with Root CA - create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN" + create_cert "$PKI_INT" "$PKI_ROOT" "$INT_DN" "ca_extensions" # Create a Leaf CA (CA1), Sign with intermediate CA - create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1 + create_cert "$PKI_CA1" "$PKI_INT" "$LEAF_DN"1 "ca_extensions" # Create a Leaf CA (CA2), Sign with intermediate CA - create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2 + create_cert "$PKI_CA2" "$PKI_INT" "$LEAF_DN"2 "ca_extensions" # Create a Leaf CA (CA3), Sign with intermediate CA - create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3 + create_cert "$PKI_CA3" "$PKI_INT" "$LEAF_DN"3 "ca_extensions" # Create a RIM Signer - create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN" + create_cert "$RIM_SIGNER" "$PKI_CA2" "$SIGNER_DN" "signer_extensions" # Create a ACA Sever Cert for TLS use - create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" + create_cert "$TLS_SERVER" "$PKI_CA3" "$TLS_DN" "server_extensions" # Create Cert trust store by adding the Intermediate and root certs cat "$PKI_CA1.pem" "$PKI_CA2.pem" "$PKI_CA3.pem" "$PKI_INT.pem" "$PKI_ROOT.pem" > "$TRUST_STORE_FILE" # echo "Checking signer cert using tust store..." - openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem + openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE" } -if [ "$ASYM_ALG" == "rsa" ]; then +if [ "$ASYM_ALG" == "rsa" ]; then # Create Root CA key pair and self signed cert - openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" &> /dev/null - + echo "Generating RSA Root CA ...." 
| tee -a "$LOG_FILE" + openssl genrsa -out "$PKI_ROOT".key -passout pass:"$PASS" "$ASYM_SIZE" >> "$LOG_FILE" 2>&1 + # Create a self signed CA certificate openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \ -extensions ca_extensions -out "$PKI_ROOT".pem \ - -passout pass:"$PASS" &> /dev/null + -passout pass:"$PASS" >> "$LOG_FILE" 2>&1 + # Add the CA root cert to the Trust and Key stores + add_to_stores $PKI_ROOT # Create an intermediate CA, 2 Leaf CAs, and Signer Certs - create_cert_chain + create_cert_chain fi if [ "$ASYM_ALG" == "ecc" ]; then # Create Root CA key pair and self signed cert - openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key + echo "Generating Ecc Root CA ...." | tee -a "$LOG_FILE" + openssl ecparam -genkey -name "$ECC_NAME" -out "$PKI_ROOT".key >> "$LOG_FILE" 2>&1 # Create a self signed CA certificate openssl req -new -config ca.conf -x509 -days 3650 -key "$PKI_ROOT".key -subj "$ROOT_DN" \ -extensions ca_extensions -out "$PKI_ROOT".pem \ - -passout pass:"$PASS" + -passout pass:"$PASS" >> "$LOG_FILE" 2>&1 + # Add the CA root cert to the Trust and Key stores + add_to_stores $PKI_ROOT # Create an intermediate CA, 2 Leaf CAs, and Signer Certs create_cert_chain -fi - +fi \ No newline at end of file diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh index 6a69f104..a6492ae2 100644 --- a/package/scripts/pki/pki_setup.sh +++ b/package/scripts/pki/pki_setup.sh 
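Review bot: `openssl verify -CAfile "$TRUST_STORE_FILE" $RIM_SIGNER.pem | tee -a "$LOG_FILE"` discards the verify exit status (the pipeline's status is tee's), so a broken chain is logged but never fails setup, and only the RIM signer is checked while the new TLS server cert is not. Redirect instead of piping and test the result, `openssl verify -CAfile "$TRUST_STORE_FILE" "$RIM_SIGNER".pem "$TLS_SERVER".pem >> "$LOG_FILE" 2>&1 || exit 1`, so `pki_setup.sh` and in turn `aca_setup.sh` can see the failure. The `add_to_stores $PKI_ROOT` calls in both branches should quote the argument like the other paths in this file.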
@@ -6,48 +6,59 @@ # ############################################################################################ +PROP_FILE=/etc/hirs/aca/application.properties +LOG_FILE=$1 + # Capture location of the script to allow from invocation from any location SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) +echo "SCRIPT_DIR is $SCRIPT_DIR" | tee -a "$LOG_FILE" + +# Check for sudo or root user +if [ "$EUID" -ne 0 ] + then echo "The first time this script is run, this script requires root. Please run as root" | tee -a "$LOG_FILE" + exit 1 +fi + # Set HIRS PKI password if [ -z $HIRS_PKI_PWD ]; then # Create a 32 character random password PKI_PASS=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') - #PKI_PASS="xrb204k" -fi - -# Create an ACA properties file using the new password -pushd $SCRIPT_DIR &> /dev/null - if [ ! -f "/etc/hirs/aca/aca.properties" ]; then - if [ -d /opt/hirs/scripts/aca ]; then - ACA_SETUP_DIR="/opt/hirs/scripts/aca" - else - ACA_SETUP_DIR=="$SCRIPT_DIR/../aca" - fi - echo "ACA_SETUP_DIR is $ACA_SETUP_DIR" - sh $ACA_SETUP_DIR/aca_property_setup.sh $PKI_PASS + echo "Using randomly generated password" | tee -a "$LOG_FILE" else - echo "aca property file exists, skipping" - fi - -popd &> /dev/null + PKI_PASS=$HIRS_PKI_PWD + echo "Using system supplied password" | tee -a "$LOG_FILE" +fi # Create Cert Chains if [ ! -d "/etc/hirs/certificates" ]; then - if [ -d /opt/hirs/scripts/pki ]; then + if [ -d "/opt/hirs/scripts/pki" ]; then PKI_SETUP_DIR="/opt/hirs/scripts/pki" else - PKI_SETUP_DIR=="$SCRIPT_DIR/../pki" + PKI_SETUP_DIR="$SCRIPT_DIR" fi - echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" + echo "PKI_SETUP_DIR is $PKI_SETUP_DIR" | tee -a "$LOG_FILE" + + mkdir -p /etc/hirs/certificates/ | tee -a "$LOG_FILE" - mkdir -p /etc/hirs/certificates/ - pushd /etc/hirs/certificates/ &> /dev/null cp $PKI_SETUP_DIR/ca.conf . 
- sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS"
- sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS"
+ sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "rsa" "3072" "sha384" "$PKI_PASS" "$LOG_FILE"
+ sh $PKI_SETUP_DIR/pki_chain_gen.sh "HIRS" "ecc" "512" "sha384" "$PKI_PASS" "$LOG_FILE"
 popd &> /dev/null
+
+ # Add tomcat TLS support to the application.properties file
+ echo "# Tomcat TLS support">> $PROP_FILE
+ echo "server.port=8443">> $PROP_FILE
+ echo "server.ssl.enabled=true">> $PROP_FILE
+ echo "server.ssl.trust-store-type=JKS">> $PROP_FILE
+ echo "server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks">> $PROP_FILE
+ echo "server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
+ echo "server.ssl.key-store-type=JKS">> $PROP_FILE
+ echo "server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks">> $PROP_FILE
+ echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE
+ echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE
+ echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE
 else
- echo "/etc/hirs/certificates exists, skipping"
+ echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE"
 fi
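Review bot: The key-store and trust-store passwords are appended to `$PROP_FILE` in plaintext with no control over that file's mode: `>>` keeps whatever permissions `/etc/hirs/aca/application.properties` already has, or creates it under root's umask, so a world-readable properties file would expose the password that protects the TLS private key in `KeyStore.jks`. Tighten it right after the append with `chmod 600 "$PROP_FILE"` (and `chown` it to the account the ACA service runs under, which this script does not show), and consider checking for an existing `server.ssl.` entry before appending so that a re-run after `/etc/hirs/certificates` is removed does not leave two conflicting password lines. Quote the expansions as well: `echo "server.ssl.key-store-password=$PKI_PASS" >> "$PROP_FILE"` (the trust-store line likewise) and `if [ -z "$HIRS_PKI_PWD" ]; then`, otherwise an operator-supplied HIRS_PKI_PWD containing whitespace or glob characters is mangled by word splitting and the `-z` test itself errors. Note also that `$EUID` is a bash variable; if this script is ever run under a plain POSIX `sh` the new root check would misfire, so the shebang (outside this hunk) should be confirmed to be bash.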
