From e77018ddfd7f90cd2fead2261b73acd50836c951 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Fri, 8 Apr 2022 16:27:43 -0400
Subject: [PATCH 1/5] Added a null pointer check to the parsing of the support
RIM section that looks to use the platform manufacturer and model fields to
search for a Base RIM when those values are null.
---
.../ReferenceManifestPageController.java | 63 +++++++++----------
1 file changed, 28 insertions(+), 35 deletions(-)
diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java
index d9a78a16..48ba934a 100644
--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java
@@ -225,17 +225,8 @@ public class ReferenceManifestPageController
});
supportRims.stream().forEach((rim) -> {
LOGGER.info(String.format("Storing event log %s", rim.getFileName()));
- storeManifest(messages, rim, false);
- });
- for (ReferenceManifest rim : baseRims) {
- // store first then update
- storeManifest(messages, rim, false);
- }
-
- for (ReferenceManifest rim : supportRims) {
- // store the rimels
storeManifest(messages, rim, true);
- }
+ });
// Prep a map to associated the swidtag payload hash to the swidtag.
// pass it in to update support rims that either were uploaded
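Review bot: The `for (ReferenceManifest rim : baseRims)` loop that called `storeManifest(messages, rim, false)` is deleted, and the support RIMs now receive only the `true` call instead of the previous "store first then update" pair, so unless the `});` at the top of the hunk closes a `baseRims` forEach that already persists them, base RIMs uploaded in the same request are no longer stored, and `storeManifest(…, true)` must itself cope with a support RIM that does not yet exist in the database. The meaning of the boolean argument is not visible here, so this is worth confirming against `storeManifest`; a one-line comment on the call, `// storeManifest(…, true) both persists the support RIM and links it to its base RIM`, would record whichever is the case. The enclosing method starts and ends outside this hunk.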
@@ -657,33 +648,35 @@ public class ReferenceManifestPageController
// So first we'll have to pull values based on support rim
// get by support rim id NEXT
- tpmEvents = referenceEventManager.getValuesByRimId(dbSupport);
- baseRim = findBaseRim(dbSupport);
- if (tpmEvents.isEmpty()) {
- ReferenceDigestValue rdv;
- try {
- logProcessor = new TCGEventLog(dbSupport.getRimBytes());
- for (TpmPcrEvent tpe : logProcessor.getEventList()) {
- rdv = new ReferenceDigestValue(baseRim.getId(),
- dbSupport.getId(), dbSupport.getPlatformManufacturer(),
- dbSupport.getPlatformModel(), tpe.getPcrIndex(),
- tpe.getEventDigestStr(), tpe.getEventTypeStr(),
- false, false, updated, tpe.getEventContent());
+ if (dbSupport.getPlatformManufacturer() != null) {
+ tpmEvents = referenceEventManager.getValuesByRimId(dbSupport);
+ baseRim = findBaseRim(dbSupport);
+ if (tpmEvents.isEmpty()) {
+ ReferenceDigestValue rdv;
+ try {
+ logProcessor = new TCGEventLog(dbSupport.getRimBytes());
+ for (TpmPcrEvent tpe : logProcessor.getEventList()) {
+ rdv = new ReferenceDigestValue(baseRim.getId(),
+ dbSupport.getId(), dbSupport.getPlatformManufacturer(),
+ dbSupport.getPlatformModel(), tpe.getPcrIndex(),
+ tpe.getEventDigestStr(), tpe.getEventTypeStr(),
+ false, false, updated, tpe.getEventContent());
- this.referenceEventManager.saveValue(rdv);
+ this.referenceEventManager.saveValue(rdv);
+ }
+ } catch (CertificateException e) {
+ e.printStackTrace();
+ } catch (NoSuchAlgorithmException e) {
+ e.printStackTrace();
+ } catch (IOException e) {
+ e.printStackTrace();
}
- } catch (CertificateException e) {
- e.printStackTrace();
- } catch (NoSuchAlgorithmException e) {
- e.printStackTrace();
- } catch (IOException e) {
- e.printStackTrace();
- }
- } else {
- for (ReferenceDigestValue rdv : tpmEvents) {
- if (!rdv.isUpdated()) {
- rdv.updateInfo(dbSupport, baseRim.getId());
- this.referenceEventManager.updateEvent(rdv);
+ } else {
+ for (ReferenceDigestValue rdv : tpmEvents) {
+ if (!rdv.isUpdated()) {
+ rdv.updateInfo(dbSupport, baseRim.getId());
+ this.referenceEventManager.updateEvent(rdv);
+ }
}
}
}
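Review bot: The added guard checks only `getPlatformManufacturer()`, but the reference that is actually dereferenced without a check is `baseRim`: `findBaseRim(dbSupport)` can presumably return null when no matching base RIM has been uploaded yet, and both `baseRim.getId()` calls (in the parse loop and in `rdv.updateInfo(dbSupport, baseRim.getId())`) then throw the same NullPointerException this commit set out to prevent. The commit message also names the platform model, yet a null `getPlatformModel()` is not checked; if `findBaseRim` matches on both fields the guard should read `if (dbSupport.getPlatformManufacturer() != null && dbSupport.getPlatformModel() != null)`. The three `e.printStackTrace()` calls send a failed event-log parse to stderr although the class already has `LOGGER`; a multi-catch `catch (CertificateException | NoSuchAlgorithmException | IOException e) { LOGGER.error("Failed to parse support RIM " + dbSupport.getId(), e); }` keeps the cause in the application log. Nothing is logged when the manufacturer is null either, so a support RIM whose digest values were silently skipped is hard to diagnose. The enclosing method starts and ends outside this hunk.
```java
if (dbSupport.getPlatformManufacturer() != null
        && dbSupport.getPlatformModel() != null) {
    tpmEvents = referenceEventManager.getValuesByRimId(dbSupport);
    baseRim = findBaseRim(dbSupport);
    if (baseRim == null) {
        // no matching base RIM uploaded yet; every branch below needs baseRim.getId()
        LOGGER.warn(String.format("No base RIM found for support RIM %s; "
                + "skipping reference digest values", dbSupport.getId()));
    } else if (tpmEvents.isEmpty()) {
        try {
            // … unchanged: parse dbSupport.getRimBytes() and save one ReferenceDigestValue per event …
        } catch (CertificateException | NoSuchAlgorithmException | IOException e) {
            LOGGER.error(String.format("Failed to parse event log of support RIM %s",
                    dbSupport.getId()), e);
        }
    } else {
        // … unchanged: rdv.updateInfo(dbSupport, baseRim.getId()) for each value not yet updated …
    }
} else {
    LOGGER.warn(String.format("Support RIM %s has no platform manufacturer/model; "
            + "skipping reference digest values", dbSupport.getId()));
}
```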
From 8b365bed34f44a450852f5e33addba0b401e5ec0 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Thu, 14 Apr 2022 06:35:49 -0400
Subject: [PATCH 2/5] This is a re-creation of tls-settings-update #366
---
.../main/java/hirs/provisioner/ProvisionerApplication.java | 2 +-
HIRS_Utils/src/main/resources/persistence.properties | 2 +-
package/scripts/common/db_create.sh | 3 ++-
package/scripts/common/secure_mysql.sql | 6 ++++++
package/scripts/common/ssl_configure.sh | 4 ++--
5 files changed, 12 insertions(+), 5 deletions(-)
create mode 100644 package/scripts/common/secure_mysql.sql
diff --git a/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java b/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java
index 920fc3df..c2f7c494 100644
--- a/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java
+++ b/HIRS_Provisioner/src/main/java/hirs/provisioner/ProvisionerApplication.java
@@ -68,7 +68,7 @@ public final class ProvisionerApplication {
}
// enable TLS 1.1 and 1.2
- System.setProperty("https.protocols", "TLSv1.2,TLSv1.1");
+ System.setProperty("https.protocols", "TLSv1.2");
// initialize the context
new AnnotationConfigApplicationContext(ProvisionerConfiguration.class);
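Review bot: The comment directly above the changed line still reads `// enable TLS 1.1 and 1.2` although TLSv1.1 was just removed; change it to `// restrict outbound HTTPS to TLSv1.2 (TLSv1.1 and older are deprecated)` so the next reader does not re-add 1.1 to match the comment. If the JDK in use supports TLSv1.3, `"TLSv1.3,TLSv1.2"` would admit the newer protocol while keeping the floor at 1.2; note that `https.protocols` only governs `HttpsURLConnection`, so any other HTTP client in the provisioner needs its own configuration. The enclosing method begins outside this hunk.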
diff --git a/HIRS_Utils/src/main/resources/persistence.properties b/HIRS_Utils/src/main/resources/persistence.properties
index 24584f43..9984c2d8 100644
--- a/HIRS_Utils/src/main/resources/persistence.properties
+++ b/HIRS_Utils/src/main/resources/persistence.properties
@@ -1,6 +1,6 @@
# Properties used to create JDBC connection
# WARNING: DO NOT USE "disableSslHostnameVerification=true" FOR A REMOTE DATABASE
-persistence.db.url = jdbc:mariadb://localhost/hirs_db?autoReconnect=true&useSSL=true&requireSSL=true&enabledSslProtocolSuites=TLSv1&disableSslHostnameVerification=true
+persistence.db.url = jdbc:mariadb://localhost/hirs_db?autoReconnect=true&useSSL=true&requireSSL=true&enabledSslProtocolSuites=TLSv1.2&disableSslHostnameVerification=true
persistence.db.username = hirs_db
persistence.db.password = hirs_db
persistence.db.driverClass = org.mariadb.jdbc.Driver
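Review bot: `enabledSslProtocolSuites=TLSv1.2` pins the JDBC connection to exactly one protocol version, so a server that negotiates TLSv1.3 would be refused; if the MariaDB Connector/J and server versions in use support it, `enabledSslProtocolSuites=TLSv1.2,TLSv1.3` keeps the 1.2 floor without excluding 1.3. The URL still carries `disableSslHostnameVerification=true` and the file ships a literal `persistence.db.password = hirs_db`; both are tolerable only for the localhost deployment the WARNING line describes, and a comment such as `# default credentials are placeholders for the local install; override them in the deployed copy` would make that explicit.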
diff --git a/package/scripts/common/db_create.sh b/package/scripts/common/db_create.sh
index 68967c04..0c605775 100644
--- a/package/scripts/common/db_create.sh
+++ b/package/scripts/common/db_create.sh
@@ -37,4 +37,5 @@ else
exit 1
fi
-mysql -u root < $DB_CREATE_SCRIPT
+mysql -fu root < $DB_CREATE_SCRIPT
+mysql -fu root < /opt/hirs/scripts/common/secure_mysql.sql
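Review bot: `-f` makes `mysql` continue past SQL errors, so if any statement in `secure_mysql.sql` fails (for instance because the server version rejects a direct `UPDATE mysql.user SET Password=…`), the hardening silently does not apply and the script still exits 0; run it without `-f` and check the status, e.g. `mysql -u root < /opt/hirs/scripts/common/secure_mysql.sql || { echo "MySQL hardening failed"; exit 1; }`. Because that script sets a root password, a second run of `db_create.sh` will presumably fail at the unauthenticated `mysql -fu root` unless root also authenticates through the unix-socket plugin, which the script does not check or document.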
diff --git a/package/scripts/common/secure_mysql.sql b/package/scripts/common/secure_mysql.sql
new file mode 100644
index 00000000..3221740c
--- /dev/null
+++ b/package/scripts/common/secure_mysql.sql
@@ -0,0 +1,6 @@
+UPDATE mysql.user SET Password=PASSWORD('root') WHERE User='root';
+DELETE FROM mysql.user WHERE User='';
+DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
+DROP DATABASE IF EXISTS test;
+DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
+FLUSH PRIVILEGES
\ No newline at end of file
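Review bot: `UPDATE mysql.user SET Password=PASSWORD('root')` hard-codes a trivially guessable root password, and direct updates of the `Password` column are rejected on newer servers (MariaDB 10.4+ exposes `mysql.user` as a view, MySQL 5.7+ dropped the column), so on those versions root is left with no password at all while the CI scripts assume `root`. Prefer `ALTER USER 'root'@'localhost' IDENTIFIED BY '<generated-secret>';`, with the secret generated at install time and stored in the application's configuration rather than in a script committed to the repository. The final `FLUSH PRIVILEGES` has neither a terminating `;` nor a trailing newline; whether the client executes an unterminated last statement at EOF should not be relied on, and without the flush the direct deletions from `mysql.user` only take effect after a server restart, so end the file with `FLUSH PRIVILEGES;` and a newline.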
diff --git a/package/scripts/common/ssl_configure.sh b/package/scripts/common/ssl_configure.sh
index 6ebf0703..3dc49c55 100755
--- a/package/scripts/common/ssl_configure.sh
+++ b/package/scripts/common/ssl_configure.sh
@@ -137,10 +137,10 @@ if [[ $1 = "server" ]]; then
VERCMP_STATUS=$?
if [[ $VERCMP_STATUS -eq 0 ]] || [[ $VERCMP_STATUS -eq 12 ]]; then
# Tomcat v 6.0.38 or newer
- sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml
+ sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml
elif [[ $VERCMP_STATUS -eq 11 ]]; then
# Older than Tomcat 6.0.38
- sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml
+ sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml
else
echo "Unknown rpmdev-vercmp exit code: ${VERCMP_STATUS}"
exit 1
From 45ceb4d3d2d5082714f5c3a4fc65f118ce216ed5 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Thu, 14 Apr 2022 07:52:06 -0400
Subject: [PATCH 3/5] Updated CI scripts
---
.ci/system-tests/sys_test_common.sh | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.ci/system-tests/sys_test_common.sh b/.ci/system-tests/sys_test_common.sh
index ad972340..128713fd 100644
--- a/.ci/system-tests/sys_test_common.sh
+++ b/.ci/system-tests/sys_test_common.sh
@@ -21,34 +21,34 @@ fi
# clear all policy settings
setPolicyNone() {
-docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0,
+docker exec $aca_container mysql -u root -p root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0,
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
}
# Policy Settings for tests ...
setPolicyEkOnly() {
-docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0,
+docker exec $aca_container mysql -u root -p root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0,
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
}
setPolicyEkPc_noAttCheck() {
-docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1,
+docker exec $aca_container mysql -u root -p root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1,
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
}
setPolicyEkPc() {
-docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
+docker exec $aca_container mysql -u root -p root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
}
setPolicyEkPcFw() {
-docker exec $aca_container mysql -u root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
+docker exec $aca_container mysql -u root -p root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=1, enableIgnoretBoot=0;"
}
# Clear all ACA DB items including policy
clearAcaDb() {
-docker exec $aca_container mysql -u root -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate
+docker exec $aca_container mysql -u root -p root -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate
AppraisalResult;truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate
ComponentInfo;truncate Device;truncate DeviceInfoReport;truncate IMADeviceState;truncate IMAMeasurementRecord;truncate
ImaBlacklistRecord;truncate ImaIgnoreSetRecord;truncate IntegrityReport;truncate IntegrityReports_Reports_Join;truncate
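Review bot: `-p root` does not pass the password: `mysql` only accepts a password attached to the option (`-proot`), so a bare `-p` prompts interactively (hanging or failing under `docker exec` without a TTY) and `root` is parsed as the positional database name, conflicting with `-D hirs_db`; patches 4 and 5 of this series change these lines to `-proot`. Putting the password on the command line at all exposes it in the container's process list and in any `set -x` trace; `docker exec -e MYSQL_PWD=root $aca_container mysql -u root …` avoids that. The hunk ends inside `clearAcaDb`'s multi-line `-e` string.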
From 1eaf04f15ab5cc0f032a8c954a80b3de96043381 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Thu, 14 Apr 2022 08:54:32 -0400
Subject: [PATCH 4/5] Another attempt to correct test log in
---
.ci/system-tests/sys_test_common.sh | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.ci/system-tests/sys_test_common.sh b/.ci/system-tests/sys_test_common.sh
index 128713fd..9e80f4e4 100644
--- a/.ci/system-tests/sys_test_common.sh
+++ b/.ci/system-tests/sys_test_common.sh
@@ -21,28 +21,28 @@ fi
# clear all policy settings
setPolicyNone() {
-docker exec $aca_container mysql -u root -p root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0,
+docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=0, enablePcAttributeValidation=0, enablePcValidation=0,
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
}
# Policy Settings for tests ...
setPolicyEkOnly() {
-docker exec $aca_container mysql -u root -p root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0,
+docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=0,
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
}
setPolicyEkPc_noAttCheck() {
-docker exec $aca_container mysql -u root -p root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1,
+docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=0, enablePcValidation=1,
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
}
setPolicyEkPc() {
-docker exec $aca_container mysql -u root -p root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
+docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
enableUtcValidation=0, enableFirmwareValidation=0, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=0, enableIgnoretBoot=0;"
}
setPolicyEkPcFw() {
-docker exec $aca_container mysql -u root -p root -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
+docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChainPolicy set enableEcValidation=1, enablePcAttributeValidation=1, enablePcValidation=1,
enableUtcValidation=0, enableFirmwareValidation=1, enableExpiredCertificateValidation=0, enableIgnoreGpt=0, enableIgnoreIma=1, enableIgnoretBoot=0;"
}
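Review bot: The root password is now embedded on the command line in five nearly identical `docker exec … mysql -u root -proot …` invocations, where it is visible to `ps` inside the container and in any `set -x` trace of the CI run. A small helper keeps the credential in one place and out of the argument list: `acaMysql() { docker exec -e MYSQL_PWD=root "$aca_container" mysql -u root "$@"; }`, after which each policy function reduces to `acaMysql -D hirs_db -e "Update SupplyChainPolicy …"`. `$aca_container` is also unquoted in every call; quoting it avoids word-splitting should the name ever contain whitespace.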
From 1254fd76ddcf6519ba438ad52cac993459e0c7d5 Mon Sep 17 00:00:00 2001
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com>
Date: Thu, 14 Apr 2022 09:09:49 -0400
Subject: [PATCH 5/5] Missed one entry
---
.ci/system-tests/sys_test_common.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.ci/system-tests/sys_test_common.sh b/.ci/system-tests/sys_test_common.sh
index 9e80f4e4..2db556c3 100644
--- a/.ci/system-tests/sys_test_common.sh
+++ b/.ci/system-tests/sys_test_common.sh
@@ -48,7 +48,7 @@ docker exec $aca_container mysql -u root -proot -D hirs_db -e "Update SupplyChai
# Clear all ACA DB items including policy
clearAcaDb() {
-docker exec $aca_container mysql -u root -p root -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate
+docker exec $aca_container mysql -u root -proot -e "use hirs_db; set foreign_key_checks=0; truncate Alert;truncate AlertBaselineIds;truncate
AppraisalResult;truncate Certificate;truncate Certificate_Certificate;truncate CertificatesUsedToValidate;truncate
ComponentInfo;truncate Device;truncate DeviceInfoReport;truncate IMADeviceState;truncate IMAMeasurementRecord;truncate
ImaBlacklistRecord;truncate ImaIgnoreSetRecord;truncate IntegrityReport;truncate IntegrityReports_Reports_Join;truncate
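Review bot: `-proot` ties the system tests to the fixed password that `secure_mysql.sql` assigns, so the moment the install script stops using a literal `root` (which it should) every one of these calls breaks with an authentication error rather than a clear message. Reading it from the environment with a default, e.g. `-p"${ACA_DB_ROOT_PW:-root}"`, lets the CI job inject the real value without editing the script, and a comment `# ACA_DB_ROOT_PW must match the password set by package/scripts/common/secure_mysql.sql` documents the coupling. This function also uses `use hirs_db;` inside `-e` while the policy helpers pass `-D hirs_db`; picking one form keeps the calls uniform. The hunk ends inside `clearAcaDb`'s multi-line `-e` string.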