diff --git a/.ci/system-tests/sys_test_common.sh b/.ci/system-tests/sys_test_common.sh
index ad972340..2db556c3 100644
--- a/.ci/system-tests/sys_test_common.sh
+++ b/.ci/system-tests/sys_test_common.sh
@@ -21,34 +21,34 @@ fi # clear all policy settings setPolicyNone() { -docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0, +docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0, enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;" } # Policy Settings for tests ... setPolicyEkOnly() { -docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0, +docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0, enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;" } setPolicyEkPc_noAttCheck() { -docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1, +docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1, enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;" } setPolicyEkPc() { -docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1, +docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1, enableUtcValidation=0, enableFirmwareValidation=0, 
enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;" } setPolicyEkPcFw() { -docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1, +docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1, enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=1, enableIgnoretBoot=0;" } # Clear all ACA DB items including policy clearAcaDb() { -docker exec $aca_container mysql -u root -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate +docker exec $aca_container mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate AppraisalResult;truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate ComponentInfo;truncate Device;truncate DeviceInfoReport;truncate IMADeviceState;truncate IMAMeasurementRecord;truncate ImaBlacklistRecord;truncate ImaIgnoreSetRecord;truncate IntegrityReport;truncate IntegrityReports_Reports_Join;truncate diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java index d9a78a16..48ba934a 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java 
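Review bot: Each added `-proot` puts the database root password into the argv of `mysql`, where it is visible to `ps` inside the container and is echoed into CI logs whenever this script runs under `set -x`. Passing it through the client's environment instead, e.g. `docker exec -e MYSQL_PWD="${ACA_DB_ROOT_PW:?}" "$aca_container" mysql -u root -D hirs_db -e "..."` in setPolicyNone and the same form in the other five functions, keeps it out of process listings and also quotes the container name, which is unquoted on every line here. The literal `root` is the same value the new secure_mysql.sql installs, so it is now a published constant; the harness could read it from a variable set by the CI job rather than hard-coding it. The last function in the hunk, clearAcaDb, continues outside the hunk.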
@@ -225,17 +225,8 @@ public class ReferenceManifestPageController }); supportRims.stream().forEach((rim) -> { LOGGER.info(String.format("Storing event log %s", rim.getFileName())); - storeManifest(messages, rim, false); - }); - for (ReferenceManifest rim : baseRims) { - // store first then update - storeManifest(messages, rim, false); - } - - for (ReferenceManifest rim : supportRims) { - // store the rimels storeManifest(messages, rim, true); - } + }); // Prep a map to associated the swidtag payload hash to the swidtag. // pass it in to update support rims that either were uploaded 
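Review bot: The removed `for (ReferenceManifest rim : baseRims)` loop was the only place in this hunk that called `storeManifest(messages, rim, false)` for base RIMs; if the lambda that closes at the `});` context line at the top of the hunk does not already store them, base RIMs are no longer persisted before the support RIMs that reference them. Worth confirming against the lines above the hunk, and a comment at the top of the supportRims lambda, `// base RIMs were stored above; support RIMs are stored here and updated below`, would record the intended ordering. A plain for-each over `supportRims` would also read more naturally than `supportRims.stream().forEach(...)` for a loop whose only purpose is side effects. The enclosing method starts and ends outside the hunk.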
@@ -657,33 +648,35 @@ public class ReferenceManifestPageController // So first we'll have to pull values based on support rim // get by support rim id NEXT - tpmEvents = referenceEventManager.getValuesByRimId(dbSupport); - baseRim = findBaseRim(dbSupport); - if (tpmEvents.isEmpty()) { - ReferenceDigestValue rdv; - try { - logProcessor = new TCGEventLog(dbSupport.getRimBytes()); - for (TpmPcrEvent tpe : logProcessor.getEventList()) { - rdv = new ReferenceDigestValue(baseRim.getId(), - dbSupport.getId(), dbSupport.getPlatformManufacturer(), - dbSupport.getPlatformModel(), tpe.getPcrIndex(), - tpe.getEventDigestStr(), tpe.getEventTypeStr(), - false, false, updated, tpe.getEventContent()); + if (dbSupport.getPlatformManufacturer() != null) { + tpmEvents = referenceEventManager.getValuesByRimId(dbSupport); + baseRim = findBaseRim(dbSupport); + if (tpmEvents.isEmpty()) { + ReferenceDigestValue rdv; + try { + logProcessor = new TCGEventLog(dbSupport.getRimBytes()); + for (TpmPcrEvent tpe : logProcessor.getEventList()) { + rdv = new ReferenceDigestValue(baseRim.getId(), + dbSupport.getId(), dbSupport.getPlatformManufacturer(), + dbSupport.getPlatformModel(), tpe.getPcrIndex(), + tpe.getEventDigestStr(), tpe.getEventTypeStr(), + false, false, updated, tpe.getEventContent()); - this.referenceEventManager.saveValue(rdv); + this.referenceEventManager.saveValue(rdv); + } + } catch (CertificateException e) { + e.printStackTrace(); + } catch (NoSuchAlgorithmException e) { + e.printStackTrace(); + } catch (IOException e) { + e.printStackTrace(); } - } catch (CertificateException e) { - e.printStackTrace(); - } catch (NoSuchAlgorithmException e) { - e.printStackTrace(); - } catch (IOException e) { - e.printStackTrace(); - } - } else { - for (ReferenceDigestValue rdv : tpmEvents) { - if (!rdv.isUpdated()) { - rdv.updateInfo(dbSupport, baseRim.getId()); - this.referenceEventManager.updateEvent(rdv); + } else { + for (ReferenceDigestValue rdv : tpmEvents) { + if (!rdv.isUpdated()) { + 
rdv.updateInfo(dbSupport, baseRim.getId()); + this.referenceEventManager.updateEvent(rdv); + } } } } diff --git a/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java b/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java index 920fc3df..c2f7c494 100644 --- a/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java +++ b/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java @@ -68,7 +68,7 @@ public final class ProvisionerApplication { } // enable TLS 1.1 and 1.2 - System.setProperty("https.protocols", "TLSv1.2,TLSv1.1"); + System.setProperty("https.protocols", "TLSv1.2"); // initialize the context new AnnotationConfigApplicationContext(ProvisionerConfiguration.class); diff --git a/HIRS_Utils/src/main/resources/persistence.properties b/HIRS_Utils/src/main/resources/persistence.properties index 24584f43..9984c2d8 100644 --- a/HIRS_Utils/src/main/resources/persistence.properties +++ b/HIRS_Utils/src/main/resources/persistence.properties @@ -1,6 +1,6 @@ # Properties used to create JDBC connection # WARNING: DO NOT USE "disableSslHostnameVerification=true" FOR A REMOTE DATABASE -persistence.db.url = jdbc:mariadb://localhost/hirs_db?autoReconnect=true&useSSL=true&requireSSL=true&enabledSslProtocolSuites=TLSv1&disableSslHostnameVerification=true +persistence.db.url = jdbc:mariadb://localhost/hirs_db?autoReconnect=true&useSSL=true&requireSSL=true&enabledSslProtocolSuites=TLSv1.2&disableSslHostnameVerification=true persistence.db.username = hirs_db persistence.db.password = hirs_db persistence.db.driverClass = org.mariadb.jdbc.Driver diff --git a/package/scripts/common/db_create.sh b/package/scripts/common/db_create.sh index 68967c04..0c605775 100644 --- a/package/scripts/common/db_create.sh +++ b/package/scripts/common/db_create.sh 
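Review bot: The three catch blocks in the re-indented block still end in `e.printStackTrace()`, so a malformed event log in an uploaded support RIM is reported only on the container's stderr and never reaches the class's LOGGER that the rest of the file uses; collapse them to `} catch (CertificateException | NoSuchAlgorithmException | IOException e) { LOGGER.error("Failed to parse event log for support RIM " + dbSupport.getId(), e); }`. The new `getPlatformManufacturer() != null` guard silently skips support RIMs without a manufacturer; a `LOGGER.warn` in an else branch would make that visible when digest values later turn up missing. `baseRim.getId()` is dereferenced without a null check, so a null return from findBaseRim would surface here as an NPE — worth confirming that method's contract. The enclosing method continues outside the hunk on both sides.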
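Review bot: The comment directly above the changed line still reads `// enable TLS 1.1 and 1.2` while the property now allows only `TLSv1.2`; update it to `// restrict outbound HTTPS to TLS 1.2 (TLS 1.1 is deprecated)`. Note that `https.protocols` only governs `HttpsURLConnection`; if the provisioner reaches the ACA through another HTTP client or a hand-built SSLContext, that path is not affected by this change and needs its own protocol restriction — worth confirming. The enclosing method extends outside the hunk.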
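Review bot: The URL now pins `enabledSslProtocolSuites=TLSv1.2` but keeps `disableSslHostnameVerification=true`, so the connection is still only as safe as the WARNING above it; since the host is `localhost` that is defensible, but the comment could state the reason: `# hostname verification is disabled only because the database is local to this host`. If the deployed MariaDB Connector/J build accepts it, listing `TLSv1.2,TLSv1.3` would avoid another edit when the server drops 1.2 — confirm against the connector version in use before widening the list.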
@@ -37,4 +37,5 @@ else exit 1 fi -mysql -u root < $DB_CREATE_SCRIPT +mysql -fu root < $DB_CREATE_SCRIPT +mysql -fu root < /opt/hirs/scripts/common/secure_mysql.sql diff --git a/package/scripts/common/secure_mysql.sql b/package/scripts/common/secure_mysql.sql new file mode 100644 index 00000000..3221740c --- /dev/null +++ b/package/scripts/common/secure_mysql.sql @@ -0,0 +1,6 @@ +UPDATE mysql.user SET Password=PASSWORD('root') WHERE User='root'; +DELETE FROM mysql.user WHERE User=''; +DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); +DROP DATABASE IF EXISTS test; +DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'; +FLUSH PRIVILEGES \ No newline at end of file diff --git a/package/scripts/common/ssl_configure.sh b/package/scripts/common/ssl_configure.sh index 6ebf0703..3dc49c55 100755 --- a/package/scripts/common/ssl_configure.sh +++ b/package/scripts/common/ssl_configure.sh @@ -137,10 +137,10 @@ if [[ $1 = "server" ]]; then VERCMP_STATUS=$? if [[ $VERCMP_STATUS -eq 0 ]] || [[ $VERCMP_STATUS -eq 12 ]]; then # Tomcat v 6.0.38 or newer - sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml + sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml elif [[ $VERCMP_STATUS -eq 11 ]]; then # Older than Tomcat 6.0.38 - sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml + sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml else echo "Unknown rpmdev-vercmp exit code: ${VERCMP_STATUS}" exit 1
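Review bot: `-f` on the new `mysql -fu root < /opt/hirs/scripts/common/secure_mysql.sql` makes the client continue past SQL errors and exit 0, so a failed hardening step (for example a rejected root password update) leaves the install looking successful while the ACA later authenticates with a password that was never set. Drop the force flag for this step and fail loudly: `mysql -u root < /opt/hirs/scripts/common/secure_mysql.sql || { echo "failed to secure MariaDB root account" >&2; exit 1; }`. Once that script has set a root password, the password-less `mysql -u root` invocations here fail on a second run, so the step is not idempotent — worth a guard or at least a comment. The redirect `< $DB_CREATE_SCRIPT` is also unquoted on both the old and new line.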
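Review bot: `UPDATE mysql.user SET Password=PASSWORD('root')` installs a fixed, publicly known root password, and a direct update of `mysql.user` is rejected on newer servers (MariaDB 10.4+, where `mysql.user` is a view; MySQL 5.7+, where the column became `authentication_string`); `ALTER USER 'root'@'localhost' IDENTIFIED BY '<INSTALL_GENERATED_PASSWORD>';` with the value generated by the install script and substituted in at run time works on both and keeps the secret out of the repository. The anonymous-user removal, remote-root removal and `test` database cleanup follow the usual mysql_secure_installation pattern, but `FLUSH PRIVILEGES` lacks a terminating `;` and the file has no trailing newline, which relies on the client executing an unterminated final statement at EOF — worth adding both.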