This code finishes up validating the pcrs against the provided tpm quote. However this will cause a second summary object to display if firmware validation is enabled. This is because the summary manager isn't able to get or update the previously saved summary.

2025-02-20 17:52:47 +00:00 · 2020-08-28 12:24:02 -04:00 · 2020-08-28 12:24:02 -04:00 · 792a248ba0
commit 792a248ba0
parent 5fe19c5904
4 changed files with 20 additions and 32 deletions
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java
@ -166,7 +166,6 @@ public abstract class AbstractAttestationCertificateAuthority
    private String tpmQuoteHash = "";
    private String tpmQuoteSignature = "";
    private String pcrValues;
-    private SupplyChainValidationSummary savedSummary;

    /**
     * Constructor.
@ -453,7 +452,6 @@ public abstract class AbstractAttestationCertificateAuthority
        // perform supply chain validation
        SupplyChainValidationSummary summary = supplyChainValidationService.validateSupplyChain(
                endorsementCredential, platformCredentials, device);
-        savedSummary = summary;
        // update the validation result in the device
        AppraisalStatus.Status validationResult = summary.getOverallValidationResult();
        device.setSupplyChainStatus(validationResult);
@ -471,7 +469,7 @@ public abstract class AbstractAttestationCertificateAuthority
    private AppraisalStatus.Status doQuoteValidation(final Device device) {
        // perform supply chain validation
        SupplyChainValidationSummary scvs = supplyChainValidationService.validateQuote(
-                device, savedSummary);
+                device);
        AppraisalStatus.Status validationResult;

        // either validation wasn't enabled or device already failed
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationService.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationService.java
@ -30,9 +30,7 @@ public interface SupplyChainValidationService {
     * A supplemental method that handles validating just the quote post main validation.
     *
     * @param device the associated device.
-     * @param summary the associated device summary
     * @return True if validation is successful, false otherwise.
     */
-    SupplyChainValidationSummary validateQuote(Device device,
-                                               SupplyChainValidationSummary summary);
+    SupplyChainValidationSummary validateQuote(Device device);
 }
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
@ -393,18 +393,16 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
     * A supplemental method that handles validating just the quote post main validation.
     *
     * @param device the associated device.
-     * @param summary the associated device summary
     * @return True if validation is successful, false otherwise.
     */
    @Override
-    public SupplyChainValidationSummary validateQuote(final Device device,
-                                                      final SupplyChainValidationSummary summary) {
+    public SupplyChainValidationSummary validateQuote(final Device device) {
        final Appraiser supplyChainAppraiser = appraiserManager.getAppraiser(
                SupplyChainAppraiser.NAME);
        SupplyChainPolicy policy = (SupplyChainPolicy) policyManager.getDefaultPolicy(
                supplyChainAppraiser);
        SupplyChainValidation quoteScv = null;
-        SupplyChainValidationSummary newSummary = null;
+        SupplyChainValidationSummary summary = null;
        Level level = Level.ERROR;
        AppraisalStatus fwStatus = new AppraisalStatus(FAIL,
                SupplyChainCredentialValidator.FIRMWARE_VALID);
@ -431,33 +429,33 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                    baseline = swid.getPcrValues()
                            .toArray(new String[swid.getPcrValues().size()]);
                }
-                int algorithmLength = baseline[0].length();
+
                String pcrContent = new String(device.getDeviceInfo().getTPMInfo().getPcrValues());
-                String[] storedPcrs = buildStoredPcrs(pcrContent, algorithmLength);
+                String[] storedPcrs = buildStoredPcrs(pcrContent, baseline[0].length());
                PCRPolicy pcrPolicy = policy.getPcrPolicy();
                pcrPolicy.setBaselinePcrs(baseline);
                // grab the quote
                byte[] hash = device.getDeviceInfo().getTPMInfo().getTpmQuoteHash();
-                byte[] signature = device.getDeviceInfo().getTPMInfo().getTpmQuoteHash();
-                if (!pcrPolicy.validateQuote(hash, storedPcrs)) {
-                    quoteScv = buildValidationRecord(SupplyChainValidation
-                                    .ValidationType.FIRMWARE,
-                            fwStatus.getAppStatus(),
-                            "Firmware validation of TPM Quote failed.", rim, level);
+                if (pcrPolicy.validateQuote(hash, storedPcrs)) {
+                    level = Level.INFO;
+                    fwStatus = new AppraisalStatus(PASS,
+                            SupplyChainCredentialValidator.FIRMWARE_VALID);
+                    fwStatus.setMessage("Firmware validation of TPM Quote successful.");
+
+                } else {
+                    fwStatus.setMessage("Firmware validation of TPM Quote failed.");
                }
            }

+            quoteScv = buildValidationRecord(SupplyChainValidation
+                            .ValidationType.FIRMWARE,
+                    fwStatus.getAppStatus(), fwStatus.getMessage(), rim, level);
+
            // Generate validation summary, save it, and return it.
            List<SupplyChainValidation> validations = new ArrayList<>();
-            validations.addAll(summary.getValidations());
            validations.add(quoteScv);
-            newSummary = new SupplyChainValidationSummary(device, validations);
-
-            try {
-                supplyChainValidatorSummaryManager.save(summary);
-            } catch (DBManagerException ex) {
-                LOGGER.error("Failed to save Supply Chain summary", ex);
-            }
+            summary = new SupplyChainValidationSummary(device, validations);
+            supplyChainValidatorSummaryManager.save(summary);
        }

        return summary;
--- a/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/PCRPolicy.java
@ -123,12 +123,6 @@ public final class PCRPolicy extends Policy {
            String calculatedString = Hex.encodeHexString(
                    pcrInfoShort.getCalculatedDigest());
            validated = quoteString.contains(calculatedString);
-            if (validated) {
-                LOGGER.error("This is matching: ");
-
-            } else {
-                LOGGER.error("This is NOT matching: ");
-            }
        } catch (NoSuchAlgorithmException naEx) {
            LOGGER.error(naEx);
        }