Updated most of Supply Chain Validation impl. Didn't get further with

the persistence configuration. Updated some of the Reference digest values. Will need to dig more into pulling information based on columns (if criteria)
2025-03-26 05:47:49 +00:00 · 2022-08-03 21:08:14 -04:00 · 2022-08-03 21:08:14 -04:00 · 81aeaf85c0
commit 81aeaf85c0
parent 9221befdf0
17 changed files with 381 additions and 92 deletions
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/configuration/PersistenceConfiguration.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/configuration/PersistenceConfiguration.java
@ -6,11 +6,7 @@ import hirs.attestationca.service.DeviceServiceImpl;
 import hirs.attestationca.service.PolicyServiceImpl;
 import hirs.attestationca.service.ReferenceDigestValueServiceImpl;
 import hirs.attestationca.service.ReferenceManifestServiceImpl;
-import hirs.attestationca.servicemanager.DBManager;
-import hirs.attestationca.servicemanager.DBPortalInfoManager;
 import hirs.data.persist.SupplyChainValidationSummary;
-import hirs.persist.CrudManager;
-import hirs.persist.PortalInfoManager;
 import hirs.persist.service.CertificateService;
 import hirs.persist.service.DeviceService;
 import hirs.persist.service.PolicyService;
@ -134,14 +130,13 @@ public class PersistenceConfiguration {
     * @return {@link hirs.attestationca.servicemanager.DBManager}
     */
    @Bean
-    public CrudManager<SupplyChainValidationSummary> supplyChainValidationSummaryManager() {
-        DbServiceImpl<SupplyChainValidationSummary> manager
-                = new DbServiceImpl<>(
-                SupplyChainValidationSummary.class,
+    public DbServiceImpl<SupplyChainValidationSummary> supplyChainValidationSummaryManager() {
+        DbServiceImpl<SupplyChainValidationSummary> serviceImpl
+                = new DbServiceImpl<SupplyChainValidationSummary>(
                entityManager
        );
-        setDbServiceRetrySettings(manager);
-        return manager;
+        setDbServiceRetrySettings(serviceImpl);
+        return serviceImpl;
    }

    /**
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/repository/AppraiserRepository.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/repository/AppraiserRepository.java
@ -0,0 +1,14 @@
+package hirs.attestationca.repository;
+
+import hirs.appraiser.Appraiser;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+import java.util.UUID;
+
+/**
+ * Setting up for new creation for CRUD operations.
+ */
+@Repository
+public interface AppraiserRepository extends JpaRepository<Appraiser, UUID> {
+}
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/AppraiserServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/AppraiserServiceImpl.java
@ -0,0 +1,110 @@
+package hirs.attestationca.service;
+
+import hirs.appraiser.Appraiser;
+import hirs.attestationca.repository.AppraiserRepository;
+import hirs.persist.AppraiserManagerException;
+import hirs.persist.DBManagerException;
+import hirs.persist.service.AppraiserService;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.retry.RetryCallback;
+import org.springframework.retry.RetryContext;
+import org.springframework.stereotype.Service;
+
+import javax.persistence.EntityManager;
+import java.util.List;
+import java.util.UUID;
+
+/**
+ * A <code>AppraiserServiceImpl</code> manages <code>Appraiser</code>s. A
+ * <code>AppraiserServiceImpl</code> is used to store and manage certificates. It has
+ * support for the basic create, read, update, and delete methods.
+ */
+@Service
+public class AppraiserServiceImpl extends DbServiceImpl<Appraiser>
+        implements AppraiserService {
+    private static final Logger LOGGER = LogManager.getLogger();
+    @Autowired
+    private AppraiserRepository appraiserRepository;
+
+    /**
+     * Default constructor.
+     * @param em entity manager for jpa hibernate events
+     */
+    public AppraiserServiceImpl(final EntityManager em) {
+    }
+
+    @Override
+    public Appraiser saveAppraiser(final Appraiser appraiser) throws AppraiserManagerException {
+        LOGGER.debug("saving appraiser: {}", appraiser);
+
+        return getRetryTemplate().execute(new RetryCallback<Appraiser,
+                DBManagerException>() {
+            @Override
+            public Appraiser doWithRetry(final RetryContext context)
+                    throws DBManagerException {
+                return appraiserRepository.save(appraiser);
+            }
+        });
+    }
+
+    @Override
+    public void updateAppraiser(final Appraiser appraiser) throws AppraiserManagerException {
+        LOGGER.debug("updating appraiser: {}", appraiser);
+        Appraiser dBAppraiser;
+
+        if (appraiser.getId() == null) {
+            LOGGER.debug("Appraiser not found: {}", appraiser);
+            dBAppraiser = appraiser;
+        } else {
+            // will not return null, throws and exception
+            dBAppraiser = appraiserRepository.getReferenceById(
+                    UUID.fromString(appraiser.getId().toString()));
+
+            // run through things that aren't equal and update
+
+            if (!dBAppraiser.getName().equals(appraiser.getName())) {
+                dBAppraiser.setName(appraiser.getName());
+            }
+
+        }
+
+        saveAppraiser(dBAppraiser);
+    }
+
+    @Override
+    public Appraiser getAppraiser(final String name) throws AppraiserManagerException {
+        LOGGER.debug("retrieve appraiser: {}", name);
+
+        return getRetryTemplate().execute(new RetryCallback<Appraiser,
+                DBManagerException>() {
+            @Override
+            public Appraiser doWithRetry(final RetryContext context)
+                    throws DBManagerException {
+                List<Appraiser> appraiserList = appraiserRepository.findAll();
+                for (Appraiser appraiser : appraiserList) {
+                    if (appraiser.getName().equals(name)) {
+                        return appraiser;
+                    }
+                }
+                return null;            }
+        });
+    }
+
+    @Override
+    public final void deleteAppraiser(final Appraiser appraiser)
+            throws AppraiserManagerException {
+        LOGGER.debug("Deleting appraiser by name: {}", appraiser.getName());
+
+        getRetryTemplate().execute(new RetryCallback<Void, DBManagerException>() {
+            @Override
+            public Void doWithRetry(final RetryContext context)
+                    throws DBManagerException {
+                appraiserRepository.delete(appraiser);
+                appraiserRepository.flush();
+                return null;
+            }
+        });
+    }
+}
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/CertificateServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/CertificateServiceImpl.java
@ -48,7 +48,7 @@ public class CertificateServiceImpl extends DbServiceImpl<Certificate>
    public CertificateServiceImpl(final EntityManager em) {
    }

-                                  @Override
+    @Override
    public Certificate saveCertificate(final Certificate certificate) {
        LOGGER.debug("Saving certificate: {}", certificate);

--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/DbServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/DbServiceImpl.java
@ -10,6 +10,7 @@ import org.springframework.retry.policy.SimpleRetryPolicy;
 import org.springframework.retry.support.RetryTemplate;
 import org.springframework.stereotype.Service;

+import javax.persistence.EntityManager;
 import java.util.HashMap;
 import java.util.Map;

@ -35,6 +36,7 @@ public class DbServiceImpl<T> {

    // structure for retrying methods in the database
    private RetryTemplate retryTemplate;
+    private EntityManager em;

    /**
     * Creates a new <code>DbServiceImpl</code> that uses the default database. The
@ -45,6 +47,16 @@ public class DbServiceImpl<T> {
        setRetryTemplate(DEFAULT_MAX_RETRY_ATTEMPTS, DEFAULT_RETRY_WAIT_TIME_MS);
    }

+    /**
+     * Creates a new <code>DbServiceImpl</code> that uses the default database. The
+     * default database is used to store all of the objects.
+     *
+     */
+    public DbServiceImpl(final EntityManager em) {
+        setRetryTemplate(DEFAULT_MAX_RETRY_ATTEMPTS, DEFAULT_RETRY_WAIT_TIME_MS);
+        this.em = em;
+    }
+
    /**
     * Set the parameters used to retry database transactions.  The retry template will
     * retry transactions that throw a LockAcquisitionException or StaleObjectStateException.
@ -86,4 +98,12 @@ public class DbServiceImpl<T> {
    public void addRetryListener(final RetryListener retryListener) {
        retryTemplate.registerListener(retryListener);
    }
+
+    /**
+     * Getter for the EntityManager.
+     * @return instance of the manager
+     */
+    public final EntityManager getEm() {
+        return em;
+    }
 }
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/PolicyServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/PolicyServiceImpl.java
@ -1,21 +1,30 @@
 package hirs.attestationca.service;

 import hirs.FilteredRecordsList;
+import hirs.appraiser.Appraiser;
 import hirs.attestationca.repository.PolicyRepository;
 import hirs.data.persist.policy.Policy;
 import hirs.persist.CriteriaModifier;
 import hirs.persist.DBManagerException;
 import hirs.persist.OrderedQuery;
+import hirs.persist.PolicyMapper;
 import hirs.persist.service.DefaultService;
 import hirs.persist.service.PolicyService;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
+import org.hibernate.Session;
+import org.hibernate.Transaction;
+import org.hibernate.query.Query;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.retry.RetryCallback;
 import org.springframework.retry.RetryContext;
 import org.springframework.stereotype.Service;

 import javax.persistence.EntityManager;
+import javax.persistence.criteria.CriteriaBuilder;
+import javax.persistence.criteria.CriteriaQuery;
+import javax.persistence.criteria.Predicate;
+import javax.persistence.criteria.Root;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
@ -37,6 +46,7 @@ public class PolicyServiceImpl extends DbServiceImpl<Policy> implements DefaultS
     * Default Constructor.
     */
    public PolicyServiceImpl(final EntityManager em) {
+        super(em);
    }

    @Override
@ -111,6 +121,53 @@ public class PolicyServiceImpl extends DbServiceImpl<Policy> implements DefaultS
        return savePolicy(dbPolicy);
    }

+    @Override
+    public final Policy getDefaultPolicy(final Appraiser appraiser) {
+        if (appraiser == null) {
+            LOGGER.error("cannot get default policy for null appraiser");
+            return null;
+        }
+
+        Policy ret = null;
+        Transaction tx = null;
+        Session session =  getEm().unwrap(org.hibernate.Session.class);
+        try {
+            tx = session.beginTransaction();
+            LOGGER.debug("retrieving policy mapper from db where appraiser = {}",
+                    appraiser);
+            CriteriaBuilder criteriaBuilder = session.getCriteriaBuilder();
+            CriteriaQuery<PolicyMapper> criteriaQuery = criteriaBuilder
+                    .createQuery(PolicyMapper.class);
+            Root<PolicyMapper> root = criteriaQuery.from(PolicyMapper.class);
+            Predicate recordPredicate = criteriaBuilder.and(
+                    criteriaBuilder.equal(root.get("appraiser"), appraiser));
+            criteriaQuery.select(root).where(recordPredicate);
+            Query<PolicyMapper> query = session.createQuery(criteriaQuery);
+            List<PolicyMapper> results = query.getResultList();
+            PolicyMapper mapper = null;
+            if (results != null && !results.isEmpty()) {
+                mapper = results.get(0);
+            }
+
+            if (mapper == null) {
+                LOGGER.debug("no policy mapper found for appraiser {}",
+                        appraiser);
+            } else {
+                ret = mapper.getPolicy();
+            }
+            session.getTransaction().commit();
+        } catch (Exception e) {
+            final String msg = "unable to get default policy";
+            LOGGER.error(msg, e);
+            if (tx != null) {
+                LOGGER.debug("rolling back transaction");
+                tx.rollback();
+            }
+            throw new DBManagerException(msg, e);
+        }
+        return ret;
+    }
+
    @Override
    public FilteredRecordsList getOrderedList(
            final Class<Policy> clazz, final String columnToOrder,
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/ReferenceDigestValueServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/ReferenceDigestValueServiceImpl.java
@ -16,6 +16,7 @@ import org.springframework.retry.RetryContext;
 import org.springframework.stereotype.Service;

 import javax.persistence.EntityManager;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
@ -113,6 +114,14 @@ public class ReferenceDigestValueServiceImpl extends DbServiceImpl<ReferenceDige
        return saveDigestValue(dbDigestValue);
    }

+    @Override
+    public List<ReferenceDigestValue> getValuesByRimId(final UUID uuid) {
+        // this isn't right, it will look for the ids in the wrong column (CYRUYS)
+        // need to figure out repo search based on criteria associated with a specific column
+
+        return new LinkedList<>(this.referenceDigestValueRepository.findAllById(uuid));
+    }
+
    @Override
    public FilteredRecordsList getOrderedList(
            final Class<ReferenceDigestValue> clazz, final String columnToOrder,
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java
@ -22,14 +22,13 @@ import hirs.data.persist.certificate.EndorsementCredential;
 import hirs.data.persist.certificate.PlatformCredential;
 import hirs.data.persist.policy.PCRPolicy;
 import hirs.data.persist.policy.SupplyChainPolicy;
-import hirs.persist.AppraiserManager;
 import hirs.persist.CrudManager;
 import hirs.persist.DBManagerException;
-import hirs.persist.PolicyManager;
-import hirs.persist.ReferenceDigestManager;
-import hirs.persist.ReferenceEventManager;
-import hirs.persist.ReferenceManifestManager;
+import hirs.persist.service.AppraiserService;
 import hirs.persist.service.CertificateService;
+import hirs.persist.service.PolicyService;
+import hirs.persist.service.ReferenceDigestValueService;
+import hirs.persist.service.ReferenceManifestService;
 import hirs.tpm.eventlog.TCGEventLog;
 import hirs.tpm.eventlog.TpmPcrEvent;
 import hirs.utils.BouncyCastleUtils;
@ -76,11 +75,11 @@ import static hirs.data.persist.AppraisalStatus.Status.PASS;
@Import(PersistenceConfiguration.class)
 public class SupplyChainValidationServiceImpl implements SupplyChainValidationService {

-    private PolicyManager policyManager;
-    private AppraiserManager appraiserManager;
-    private ReferenceManifestManager referenceManifestManager;
-    private ReferenceDigestManager referenceDigestManager;
-    private ReferenceEventManager referenceEventManager;
+    private PolicyService policyService;
+    private AppraiserService appraiserService;
+    private ReferenceManifestService referenceManifestService;
+//    private ReferenceDigestValue referenceDigestManager;
+    private ReferenceDigestValueService referenceDigestValueService;
    private CertificateService certificateService;
    private CredentialValidator supplyChainCredentialValidator;
    private CrudManager<SupplyChainValidationSummary> supplyChainValidatorSummaryManager;
@ -101,33 +100,30 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
    /**
     * Constructor.
     *
-     * @param policyManager                      the policy manager
-     * @param appraiserManager                   the appraiser manager
+     * @param policyService                      the policy service
+     * @param appraiserService                   the appraiser service
     * @param certificateService                 the cert service
-     * @param referenceManifestManager           the RIM manager
+     * @param referenceManifestService           the RIM service
     * @param supplyChainValidatorSummaryManager the summary manager
     * @param supplyChainCredentialValidator     the credential validator
-     * @param referenceDigestManager             the digest manager
-     * @param referenceEventManager              the even manager
+     * @param referenceDigestValueService        the event service
     */
    @Autowired
    @SuppressWarnings("ParameterNumberCheck")
    public SupplyChainValidationServiceImpl(
-            final PolicyManager policyManager, final AppraiserManager appraiserManager,
+            final PolicyService policyService, final AppraiserService appraiserService,
            final CertificateService certificateService,
-            final ReferenceManifestManager referenceManifestManager,
+            final ReferenceManifestService referenceManifestService,
            final CrudManager<SupplyChainValidationSummary> supplyChainValidatorSummaryManager,
            final CredentialValidator supplyChainCredentialValidator,
-            final ReferenceDigestManager referenceDigestManager,
-            final ReferenceEventManager referenceEventManager) {
-        this.policyManager = policyManager;
-        this.appraiserManager = appraiserManager;
+            final ReferenceDigestValueService referenceDigestValueService) {
+        this.policyService = policyService;
+        this.appraiserService = appraiserService;
        this.certificateService = certificateService;
-        this.referenceManifestManager = referenceManifestManager;
+        this.referenceManifestService = referenceManifestService;
        this.supplyChainValidatorSummaryManager = supplyChainValidatorSummaryManager;
        this.supplyChainCredentialValidator = supplyChainCredentialValidator;
-        this.referenceDigestManager = referenceDigestManager;
-        this.referenceEventManager = referenceEventManager;
+        this.referenceDigestValueService = referenceDigestValueService;
    }

    /**
@ -136,9 +132,9 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
     * @return supply chain policy
     */
    public SupplyChainPolicy getPolicy() {
-        final Appraiser supplyChainAppraiser = appraiserManager.getAppraiser(
+        final Appraiser supplyChainAppraiser = appraiserService.getAppraiser(
                SupplyChainAppraiser.NAME);
-        return (SupplyChainPolicy) policyManager.getDefaultPolicy(
+        return (SupplyChainPolicy) policyService.getDefaultPolicy(
                supplyChainAppraiser);
    }

@ -157,9 +153,9 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
    public SupplyChainValidationSummary validateSupplyChain(final EndorsementCredential ec,
                                                            final Set<PlatformCredential> pcs,
                                                            final Device device) {
-        final Appraiser supplyChainAppraiser = appraiserManager.getAppraiser(
+        final Appraiser supplyChainAppraiser = appraiserService.getAppraiser(
                SupplyChainAppraiser.NAME);
-        SupplyChainPolicy policy = (SupplyChainPolicy) policyManager.getDefaultPolicy(
+        SupplyChainPolicy policy = (SupplyChainPolicy) policyService.getDefaultPolicy(
                supplyChainAppraiser);
        boolean acceptExpiredCerts = policy.isExpiredCertificateValidationEnabled();
        PlatformCredential baseCredential = null;
@ -390,7 +386,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
        ReferenceManifest supportReferenceManifest = null;
        EventLogMeasurements measurement = null;

-        baseReferenceManifests = BaseReferenceManifest.select(referenceManifestManager)
+        baseReferenceManifests = BaseReferenceManifest.select(referenceManifestService)
                .byModel(model).getRIMs();

        for (BaseReferenceManifest bRim : baseReferenceManifests) {
@ -405,11 +401,11 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
            failedString = "Base Reference Integrity Manifest\n";
            passed = false;
        } else {
-            measurement = EventLogMeasurements.select(referenceManifestManager)
+            measurement = EventLogMeasurements.select(referenceManifestService)
                    .byHexDecHash(baseReferenceManifest.getEventLogHash()).getRIM();

            if (measurement == null) {
-                measurement = EventLogMeasurements.select(referenceManifestManager)
+                measurement = EventLogMeasurements.select(referenceManifestService)
                        .byModel(baseReferenceManifest.getPlatformModel()).getRIM();
            }
        }
@ -458,7 +454,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
            }

            for (SwidResource swidRes : resources) {
-                supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager)
+                supportReferenceManifest = SupportReferenceManifest.select(referenceManifestService)
                        .byHexDecHash(swidRes.getHashValue()).getRIM();
                if (supportReferenceManifest != null) {
                    // Removed the filename check from this if statement
@ -536,8 +532,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                        try {
                            if (measurement.getPlatformManufacturer().equals(manufacturer)) {
                                tcgMeasurementLog = new TCGEventLog(measurement.getRimBytes());
-                                eventValue = this.referenceEventManager
-                                        .getValuesByRimId(baseReferenceManifest);
+                                eventValue = this.referenceDigestValueService
+                                        .getValuesByRimId(baseReferenceManifest.getId());
                                for (ReferenceDigestValue rdv : eventValue) {
                                    eventValueMap.put(rdv.getDigestValue(), rdv);
                                }
@ -578,13 +574,14 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe

            EventLogMeasurements eventLog = (EventLogMeasurements) measurement;
            eventLog.setOverallValidationResult(fwStatus.getAppStatus());
-            this.referenceManifestManager.update(eventLog);
+            this.referenceManifestService.updateReferenceManifest(eventLog, eventLog.getId());
        } else {
            fwStatus = new AppraisalStatus(FAIL, String.format("Firmware Validation failed: "
                    + "%s for %s can not be found", failedString, manufacturer));
            if (measurement != null) {
                measurement.setOverallValidationResult(fwStatus.getAppStatus());
-                this.referenceManifestManager.update(measurement);
+                this.referenceManifestService.updateReferenceManifest(
+                        measurement, measurement.getId());
            }
        }

@ -600,9 +597,9 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
     */
    @Override
    public SupplyChainValidationSummary validateQuote(final Device device) {
-        final Appraiser supplyChainAppraiser = appraiserManager.getAppraiser(
+        final Appraiser supplyChainAppraiser = appraiserService.getAppraiser(
                SupplyChainAppraiser.NAME);
-        SupplyChainPolicy policy = (SupplyChainPolicy) policyManager.getDefaultPolicy(
+        SupplyChainPolicy policy = (SupplyChainPolicy) policyService.getDefaultPolicy(
                supplyChainAppraiser);
        SupplyChainValidation quoteScv = null;
        SupplyChainValidationSummary summary = null;
@ -620,7 +617,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe

            try {
                Set<SupportReferenceManifest> supportRims = SupportReferenceManifest
-                        .select(this.referenceManifestManager)
+                        .select(this.referenceManifestService)
                        .byManufacturerModel(
                                device.getDeviceInfo().getHardwareInfo().getManufacturer(),
                                device.getDeviceInfo().getHardwareInfo().getProductName())
@ -631,7 +628,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                    }
                }
                eventLog = EventLogMeasurements
-                        .select(this.referenceManifestManager)
+                        .select(this.referenceManifestService)
                        .byHexDecHash(sRim.getEventLogHash()).getRIM();

                if (sRim == null) {
@ -663,7 +660,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe
                                + "\nPCR hash and Quote hash do not match.");
                    }
                    eventLog.setOverallValidationResult(fwStatus.getAppStatus());
-                    this.referenceManifestManager.update(eventLog);
+                    this.referenceManifestService.updateReferenceManifest(
+                            eventLog, eventLog.getId());
                }
            } catch (Exception ex) {
                LOGGER.error(ex);
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/servicemanager/DBPolicyManager.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/servicemanager/DBPolicyManager.java
@ -417,8 +417,7 @@ public class DBPolicyManager extends DBManager<Policy> implements PolicyManager
     *         there is none
     */
    @Override
-    public final Policy getPolicy(final Appraiser appraiser,
-            final DeviceGroup deviceGroup) {
+    public final Policy getPolicy(final Appraiser appraiser) {
        if (appraiser == null) {
            LOGGER.error("cannot get policy for null appraiser");
            return null;
@ -430,14 +429,13 @@ public class DBPolicyManager extends DBManager<Policy> implements PolicyManager
        try {
            tx = session.beginTransaction();
            LOGGER.debug("retrieving policy mapper from db where appraiser = "
-                    + "{} and device group = {}", appraiser, deviceGroup);
+                    + "{}", appraiser);
            CriteriaBuilder criteriaBuilder = session.getCriteriaBuilder();
            CriteriaQuery<PolicyMapper> criteriaQuery = criteriaBuilder
                    .createQuery(PolicyMapper.class);
            Root<PolicyMapper> root = criteriaQuery.from(PolicyMapper.class);
            Predicate recordPredicate = criteriaBuilder.and(
-                    criteriaBuilder.equal(root.get("appraiser"), appraiser),
-                    criteriaBuilder.equal(root.get("deviceGroup"), deviceGroup));
+                    criteriaBuilder.equal(root.get("appraiser"), appraiser));
            criteriaQuery.select(root).where(recordPredicate);
            Query<PolicyMapper> query = session.createQuery(criteriaQuery);
            List<PolicyMapper> results = query.getResultList();
@ -447,8 +445,7 @@ public class DBPolicyManager extends DBManager<Policy> implements PolicyManager
            }

            if (mapper == null) {
-                LOGGER.debug("no policy mapper found for appraiser {} and "
-                    + "device group {}", appraiser, deviceGroup);
+                LOGGER.debug("no policy mapper found for appraiser {}", appraiser);
            } else {
                ret = mapper.getPolicy();
            }
--- a/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java
@ -1,8 +1,8 @@
 package hirs.data.persist;

 import com.fasterxml.jackson.annotation.JsonIgnore;
-import hirs.persist.ReferenceManifestManager;
 import hirs.persist.ReferenceManifestSelector;
+import hirs.persist.service.ReferenceManifestService;
 import hirs.utils.xjc.BaseElement;
 import hirs.utils.xjc.Directory;
 import hirs.utils.xjc.FilesystemItem;
@ -96,14 +96,14 @@ public class BaseReferenceManifest extends ReferenceManifest {
    public static class Selector extends ReferenceManifestSelector<BaseReferenceManifest> {
        /**
         * Construct a new ReferenceManifestSelector that will use
-         * the given (@link ReferenceManifestManager}
+         * the given (@link ReferenceManifestService}
         * to retrieve one or may BaseReferenceManifest.
         *
-         * @param referenceManifestManager the reference manifest manager to be used to retrieve
+         * @param referenceManifestService the reference manifest manager to be used to retrieve
         * reference manifests.
         */
-        public Selector(final ReferenceManifestManager referenceManifestManager) {
-            super(referenceManifestManager, BaseReferenceManifest.class);
+        public Selector(final ReferenceManifestService referenceManifestService) {
+            super(referenceManifestService, BaseReferenceManifest.class);
        }

        /**
@ -289,12 +289,12 @@ public class BaseReferenceManifest extends ReferenceManifest {
    /**
     * Get a Selector for use in retrieving ReferenceManifest.
     *
-     * @param rimMan the ReferenceManifestManager to be used to retrieve
+     * @param rimService the ReferenceManifestService to be used to retrieve
     * persisted RIMs
     * @return a Selector instance to use for retrieving RIMs
     */
-    public static Selector select(final ReferenceManifestManager rimMan) {
-        return new Selector(rimMan);
+    public static Selector select(final ReferenceManifestService rimService) {
+        return new Selector(rimService);
    }

    /**
--- a/HIRS_Utils/src/main/java/hirs/data/persist/EventLogMeasurements.java
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/EventLogMeasurements.java
@ -1,8 +1,8 @@
 package hirs.data.persist;

 import com.fasterxml.jackson.annotation.JsonIgnore;
-import hirs.persist.ReferenceManifestManager;
 import hirs.persist.ReferenceManifestSelector;
+import hirs.persist.service.ReferenceManifestService;
 import hirs.tpm.eventlog.TCGEventLog;
 import hirs.tpm.eventlog.TpmPcrEvent;
 import org.apache.logging.log4j.LogManager;
@ -40,14 +40,14 @@ public class EventLogMeasurements extends ReferenceManifest {
    public static class Selector extends ReferenceManifestSelector<EventLogMeasurements> {
        /**
         * Construct a new ReferenceManifestSelector that
-         * will use the given (@link ReferenceManifestManager}
+         * will use the given (@link ReferenceManifestService}
         * to retrieve one or may SupportReferenceManifest.
         *
-         * @param referenceManifestManager the reference manifest manager to be used to retrieve
+         * @param referenceManifestService the reference manifest manager to be used to retrieve
         * reference manifests.
         */
-        public Selector(final ReferenceManifestManager referenceManifestManager) {
-            super(referenceManifestManager, EventLogMeasurements.class, false);
+        public Selector(final ReferenceManifestService referenceManifestService) {
+            super(referenceManifestService, EventLogMeasurements.class, false);
        }

        /**
@ -131,12 +131,12 @@ public class EventLogMeasurements extends ReferenceManifest {
    /**
     * Get a Selector for use in retrieving ReferenceManifest.
     *
-     * @param rimMan the ReferenceManifestManager to be used to retrieve
+     * @param rimService the ReferenceManifestService to be used to retrieve
     * persisted RIMs
     * @return a Selector instance to use for retrieving RIMs
     */
-    public static Selector select(final ReferenceManifestManager rimMan) {
-        return new Selector(rimMan);
+    public static Selector select(final ReferenceManifestService rimService) {
+        return new Selector(rimService);
    }

    /**
--- a/HIRS_Utils/src/main/java/hirs/data/persist/SupportReferenceManifest.java
+++ b/HIRS_Utils/src/main/java/hirs/data/persist/SupportReferenceManifest.java
@ -1,8 +1,8 @@
 package hirs.data.persist;

 import com.fasterxml.jackson.annotation.JsonIgnore;
-import hirs.persist.ReferenceManifestManager;
 import hirs.persist.ReferenceManifestSelector;
+import hirs.persist.service.ReferenceManifestService;
 import hirs.tpm.eventlog.TCGEventLog;
 import hirs.tpm.eventlog.TpmPcrEvent;
 import org.apache.logging.log4j.LogManager;
@ -40,11 +40,11 @@ public class SupportReferenceManifest extends ReferenceManifest {
         * use the given (@link ReferenceManifestManager}
         * to retrieve one or may SupportReferenceManifest.
         *
-         * @param referenceManifestManager the reference manifest manager to be used to retrieve
+         * @param referenceManifestService the reference manifest manager to be used to retrieve
         * reference manifests.
         */
-        public Selector(final ReferenceManifestManager referenceManifestManager) {
-            super(referenceManifestManager, SupportReferenceManifest.class);
+        public Selector(final ReferenceManifestService referenceManifestService) {
+            super(referenceManifestService, SupportReferenceManifest.class);
        }

        /**
@ -141,12 +141,12 @@ public class SupportReferenceManifest extends ReferenceManifest {
    /**
     * Get a Selector for use in retrieving ReferenceManifest.
     *
-     * @param rimMan the ReferenceManifestManager to be used to retrieve
+     * @param rimService the ReferenceManifestService to be used to retrieve
     * persisted RIMs
     * @return a Selector instance to use for retrieving RIMs
     */
-    public static Selector select(final ReferenceManifestManager rimMan) {
-        return new Selector(rimMan);
+    public static Selector select(final ReferenceManifestService rimService) {
+        return new Selector(rimService);
    }

    /**
--- a/HIRS_Utils/src/main/java/hirs/persist/ReferenceManifestSelector.java
+++ b/HIRS_Utils/src/main/java/hirs/persist/ReferenceManifestSelector.java
@ -3,6 +3,7 @@ package hirs.persist;
 import com.google.common.base.Preconditions;
 import hirs.data.persist.ReferenceManifest;
 import hirs.data.persist.certificate.Certificate;
+import hirs.persist.service.ReferenceManifestService;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;

@ -45,7 +46,7 @@ public abstract class ReferenceManifestSelector<T extends ReferenceManifest> {
    public static final String RIM_FILENAME_FIELD = "fileName";
    private static final String RIM_TYPE_FIELD = "rimType";

-    private final ReferenceManifestManager referenceManifestManager;
+    private final ReferenceManifestService referenceManifestService;
    private final Class<T> referenceTypeClass;

    private final Map<String, Object> fieldValueSelections;
@ -54,26 +55,26 @@ public abstract class ReferenceManifestSelector<T extends ReferenceManifest> {
    /**
     * Default Constructor.
     *
-     * @param referenceManifestManager the RIM manager to be used to retrieve RIMs
+     * @param referenceManifestService the RIM service to be used to retrieve RIMs
     * @param referenceTypeClass the type of Reference Manifest to process.
     */
-    public ReferenceManifestSelector(final ReferenceManifestManager referenceManifestManager,
+    public ReferenceManifestSelector(final ReferenceManifestService referenceManifestService,
                                     final Class<T> referenceTypeClass) {
-        this(referenceManifestManager, referenceTypeClass, true);
+        this(referenceManifestService, referenceTypeClass, true);
    }

    /**
     * Standard Constructor for the Selector.
     *
-     * @param referenceManifestManager the RIM manager to be used to retrieve RIMs
+     * @param referenceManifestService the RIM service to be used to retrieve RIMs
     * @param referenceTypeClass the type of Reference Manifest to process.
     * @param excludeArchivedRims true if excluding archived RIMs
     */
-    public ReferenceManifestSelector(final ReferenceManifestManager referenceManifestManager,
+    public ReferenceManifestSelector(final ReferenceManifestService referenceManifestService,
                                     final Class<T> referenceTypeClass,
            final boolean excludeArchivedRims) {
        Preconditions.checkArgument(
-                referenceManifestManager != null,
+                referenceManifestService != null,
                "reference manifest manager cannot be null"
        );

@ -82,7 +83,7 @@ public abstract class ReferenceManifestSelector<T extends ReferenceManifest> {
                "type cannot be null"
        );

-        this.referenceManifestManager = referenceManifestManager;
+        this.referenceManifestService = referenceManifestService;
        this.referenceTypeClass = referenceTypeClass;
        this.excludeArchivedRims = excludeArchivedRims;
        this.fieldValueSelections = new HashMap<>();
@ -218,7 +219,7 @@ public abstract class ReferenceManifestSelector<T extends ReferenceManifest> {

    // construct and execute query
    private Set<T> execute() {
-        Set<T> results = this.referenceManifestManager.get(this);
+        Set<T> results = this.referenceManifestService.get(this);
        return results;
    }

--- a/HIRS_Utils/src/main/java/hirs/persist/service/AppraiserService.java
+++ b/HIRS_Utils/src/main/java/hirs/persist/service/AppraiserService.java
@ -0,0 +1,65 @@
+package hirs.persist.service;
+
+import hirs.appraiser.Appraiser;
+import hirs.persist.AppraiserManagerException;
+
+/**
+ * A <code>AppraiserService</code> manages <code>Appraiser</code>s. A
+ * <code>AppraiserService</code> is used to store and manage Appraisers. It has
+ * support for the basic create, read, update, and delete methods.
+ */
+public interface AppraiserService {
+    /**
+     * Stores a new <code>Appraiser</code>. This stores a new
+     * <code>Appraiser</code> to be managed by the <code>AppraiserManager</code>
+     * . If the <code>Appraiser</code> is successfully saved then a reference to
+     * it is returned.
+     *
+     * @param appraiser
+     *            appraiser to save
+     * @return reference to saved appraiser
+     * @throws hirs.persist.AppraiserManagerException
+     *             if the appraiser has previously been saved or unexpected
+     *             error occurs
+     */
+    Appraiser saveAppraiser(Appraiser appraiser)
+            throws AppraiserManagerException;
+
+    /**
+     * Updates an <code>Appraiser</code>. This updates the <code>Appraiser</code>
+     * that is managed so subsequent calls to get this <code>Appraiser</code>
+     * will return the values set by the incoming <code>Appraiser</code>.
+     *
+     * @param appraiser
+     *            appraiser
+     * @throws AppraiserManagerException
+     *             if unable to update the appraiser
+     */
+    void updateAppraiser(Appraiser appraiser) throws AppraiserManagerException;
+
+    /**
+     * Retrieves the <code>Appraiser</code> identified by <code>name</code>. If
+     * the <code>Appraiser</code> cannot be found then null is returned.
+     *
+     * @param name
+     *            name of the <code>Appraiser</code>
+     * @return <code>Appraiser</code> whose name is <code>name</code> or null
+     *         if not found
+     * @throws AppraiserManagerException
+     *             if unable to retrieve the appraiser
+     */
+    Appraiser getAppraiser(String name) throws AppraiserManagerException;
+
+    /**
+     * Deletes the <code>Appraiser</code> identified by <code>name</code>. If
+     * the <code>Appraiser</code> is found and deleted then true is returned,
+     * otherwise false.
+     *
+     * @param appraiser
+     *            name of the <code>Appraiser</code> to delete
+     * @throws AppraiserManagerException
+     *             if unable to delete the appraiser for any reason other than
+     *             not found
+     */
+    void deleteAppraiser(Appraiser appraiser) throws AppraiserManagerException;
+}
--- a/HIRS_Utils/src/main/java/hirs/persist/service/DefaultService.java
+++ b/HIRS_Utils/src/main/java/hirs/persist/service/DefaultService.java
@ -1,5 +1,7 @@
 package hirs.persist.service;

+import hirs.persist.OrderedQuery;
+
 import java.util.List;
 import java.util.UUID;

@ -9,7 +11,7 @@ import java.util.UUID;
 * support for the basic create, read, update, and delete methods.
 * @param <T> class type
 */
-public interface DefaultService<T> {
+public interface DefaultService<T> extends OrderedQuery<T> {

    /**
     * Returns a list of all <code>T</code>. This searches through
--- a/HIRS_Utils/src/main/java/hirs/persist/service/PolicyService.java
+++ b/HIRS_Utils/src/main/java/hirs/persist/service/PolicyService.java
@ -1,5 +1,6 @@
 package hirs.persist.service;

+import hirs.appraiser.Appraiser;
 import hirs.data.persist.policy.Policy;

 import java.util.UUID;
@ -29,4 +30,15 @@ public interface PolicyService {
     * @return a Policy object
     */
    Policy updatePolicy(Policy policy, UUID uuid);
+
+    /**
+     * Returns the default <code>Policy</code> for the <code>Appraiser</code>.
+     * If the default <code>Policy</code> has not been set then this returns
+     * null.
+     *
+     * @param appraiser
+     *            appraiser
+     * @return default policy
+     */
+    Policy getDefaultPolicy(Appraiser appraiser);
 }
--- a/HIRS_Utils/src/main/java/hirs/persist/service/ReferenceDigestValueService.java
+++ b/HIRS_Utils/src/main/java/hirs/persist/service/ReferenceDigestValueService.java
@ -2,6 +2,7 @@ package hirs.persist.service;

 import hirs.data.persist.ReferenceDigestValue;

+import java.util.List;
 import java.util.UUID;

 /**
@ -29,4 +30,12 @@ public interface ReferenceDigestValueService {
     * @return a ReferenceDigestValue object
     */
    ReferenceDigestValue updateDigestValue(ReferenceDigestValue digestValue, UUID uuid);
+
+    /**
+     * Persists a new Reference Digest value.
+     *
+     * @param uuid associated with the base rim or potentially support rim.
+     * @return the persisted list of ReferenceDigestValue
+     */
+    List<ReferenceDigestValue> getValuesByRimId(UUID uuid);
 }