From 3b33bd60b8f787a49e6c6211b84188cb0604a71c Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 11 May 2021 09:44:10 -0400 Subject: [PATCH] The main change in this commit adjusts how the base and support rim are pulled for validation in the environment with multiple Base and Support RIMs per device/manufacturer/model. --- ...stractAttestationCertificateAuthority.java | 2 -- .../SupplyChainValidationServiceImpl.java | 33 ++++++++++++------- ...eferenceManifestDetailsPageController.java | 5 ++- 3 files changed, 26 insertions(+), 14 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index f2df3250..acd3d396 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -794,7 +794,6 @@ public abstract class AbstractAttestationCertificateAuthority .byHashCode(Hex.encodeHexString(messageDigest.digest( logFile.toByteArray()))) .getRIM(); - if (support == null) { support = new SupportReferenceManifest( String.format("%s.rimel", @@ -837,7 +836,6 @@ public abstract class AbstractAttestationCertificateAuthority .byHashCode(Hex.encodeHexString(messageDigest.digest( swidFile.toByteArray()))) .getRIM(); - if (dbBaseRim == null) { dbBaseRim = new BaseReferenceManifest( String.format("%s.swidtag", diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 77f0bee0..efa273b6 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java 
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java @@ -370,28 +370,30 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe String model = device.getDeviceInfo() .getHardwareInfo().getProductName(); ReferenceManifest validationObject = null; - ReferenceManifest baseReferenceManifest = null; + Set baseReferenceManifests = null; + BaseReferenceManifest baseReferenceManifest = null; ReferenceManifest supportReferenceManifest = null; ReferenceManifest measurement = null; ReferenceDigestRecord digestRecord = null; - baseReferenceManifest = BaseReferenceManifest.select(referenceManifestManager) - .byManufacturer(manufacturer).getRIM(); - supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager) - .byManufacturer(manufacturer).getRIM(); + baseReferenceManifests = BaseReferenceManifest.select(referenceManifestManager) + .byDeviceName(device.getDeviceInfo().getNetworkInfo().getHostname()).getRIMs(); + measurement = EventLogMeasurements.select(referenceManifestManager) .byManufacturer(manufacturer).includeArchived().getRIM(); + for (BaseReferenceManifest bRim : baseReferenceManifests) { + if (!bRim.isSwidSupplemental() && !bRim.isSwidPatch()) { + baseReferenceManifest = bRim; + } + } + validationObject = baseReferenceManifest; String failedString = ""; if (baseReferenceManifest == null) { failedString = "Base Reference Integrity Manifest\n"; passed = false; } - if (supportReferenceManifest == null) { - failedString += "Support Reference Integrity Manifest\n"; - passed = false; - } if (measurement == null) { failedString += "Bios measurement"; passed = false; 
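Review bot: The new `for (BaseReferenceManifest bRim : baseReferenceManifests)` loop keeps whichever non-supplemental, non-patch RIM is iterated last, and a `Set` promises no ordering, so with several primary base RIMs stored under one hostname the manifest used for appraisal can differ between runs. For an attestation decision it is safer to fail closed on ambiguity, for example `if (baseReferenceManifest != null) { passed = false; }` placed just before `baseReferenceManifest = bRim;`, or to select by an explicit, documented criterion. Separately, `measurement` is still selected with `.byManufacturer(manufacturer)` while the base RIM is now selected by device name, so where one manufacturer has several devices the event log under appraisal may not belong to this host; presumably it should use the same device-name selector. The enclosing method starts and ends outside the hunk.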
@@ -409,13 +411,22 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe new ByteArrayInputStream(baseReferenceManifest.getRimBytes())); for (SwidResource swidRes : resources) { + supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager) + .byRimHash(swidRes.getHashValue()).getRIM(); if (swidRes.getName().equals(supportReferenceManifest.getFileName())) { referenceManifestValidator.validateSupportRimHash( supportReferenceManifest.getRimBytes(), swidRes.getHashValue()); + } else { + supportReferenceManifest = null; } } + if (supportReferenceManifest == null) { + fwStatus = new AppraisalStatus(FAIL, + "Support Reference Integrity Manifest\n"); + passed = false; + } - if (!referenceManifestValidator.isSignatureValid()) { + if (passed && !referenceManifestValidator.isSignatureValid()) { passed = false; fwStatus = new AppraisalStatus(FAIL, "Firmware validation failed: Signature validation " @@ -471,7 +482,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe } else { StringBuilder sb = pcrPolicy.validatePcrs(storedPcrs); if (sb.length() > 0) { - validationObject = supportReferenceManifest; + validationObject = baseReferenceManifest; level = Level.ERROR; fwStatus = new AppraisalStatus(FAIL, sb.toString()); } else { diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java index f6eb53d9..e257ec7a 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java 
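Review bot: In the rewritten `for (SwidResource swidRes : resources)` loop, `getRIM()` can apparently return null when no stored support RIM has the listed hash (the `if (support == null)` branches after `.getRIM()` elsewhere in this patch suggest so), and the next line calls `supportReferenceManifest.getFileName()` on it, so a base RIM that names a support RIM missing from the database would end the appraisal with a NullPointerException rather than a FAIL status. The `else` branch also resets the variable on every non-matching entry, so only the last resource in the payload decides whether the post-loop null check fires. A null-guarded lookup that keeps a match once found is sketched below; whether a single unresolved entry should by itself fail the appraisal is a policy call for the author. The outcome of `validateSupportRimHash` is not checked in this hunk, so confirm that a hash mismatch is picked up later in the method, which continues outside the hunk.

```java
for (SwidResource swidRes : resources) {
    ReferenceManifest candidate = SupportReferenceManifest.select(referenceManifestManager)
            .byRimHash(swidRes.getHashValue()).getRIM();
    // no stored support RIM carries this hash, or the file name differs: not a match
    if (candidate == null || !swidRes.getName().equals(candidate.getFileName())) {
        continue;
    }
    supportReferenceManifest = candidate;
    referenceManifestValidator.validateSupportRimHash(
            candidate.getRimBytes(), swidRes.getHashValue());
}
// … unchanged: supportReferenceManifest == null check and signature check …
```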
@@ -288,6 +288,8 @@ public class ReferenceManifestDetailsPageController } } + // Let's pull the supply chain validation + data.put("associatedRim", baseRim.getAssociatedRim()); data.put("swidFiles", resources); if (support != null && (!baseRim.isSwidSupplemental() @@ -337,7 +339,8 @@ public class ReferenceManifestDetailsPageController .select(referenceManifestManager) .byRimType(ReferenceManifest.BASE_RIM).getRIMs(); for (BaseReferenceManifest baseRim : baseRims) { - if (baseRim != null && baseRim.getAssociatedRim().equals(support.getId())) { + if (baseRim != null && baseRim.getAssociatedRim() != null + && baseRim.getAssociatedRim().equals(support.getId())) { support.setAssociatedRim(baseRim.getId()); try { referenceManifestManager.update(support);
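Review bot: The comment added above `data.put("associatedRim", baseRim.getAssociatedRim())` says it pulls the supply chain validation, but the line only copies the base RIM's associated RIM id into `data`, so the comment will mislead the next reader. Something like `// expose the id of the RIM associated with this base RIM; may be null` matches the code. The null case is real, since the second hunk in this file adds a `getAssociatedRim() != null` guard, so whatever consumes `associatedRim` should tolerate a missing value. Both enclosing methods begin and end outside their hunks.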