Some additional updates and changes while debugging

HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/AbstractEntity.java

@@ -40,7 +40,7 @@ public abstract class AbstractEntity implements Serializable {
     @Column (name = "create_time")
     @ColumnDefault(value = "CURRENT_TIMESTAMP")
     @Generated(GenerationTime.INSERT)
-    private Date createTime;
+    private Date createTime = new Date();
 
     /**
      * Default empty constructor is required for Hibernate. It is protected to

HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/attributes/ComponentClass.java

@@ -30,7 +30,7 @@ public class ComponentClass {
     private static final String TCG_COMPONENT_REGISTRY = "2.23.133.18.3.1";
     private static final String SMBIOS_COMPONENT_REGISTRY = "2.23.133.18.3.3";
     private static final Path JSON_PATH = FileSystems.getDefault()
-            .getPath("/etc", "hirs/aca", "default-properties", "component-class.json");
+            .getPath("/opt", "hirs", "default-properties", "component-class.json");
 
     private static final String OTHER_STRING = "Other";
     private static final String UNKNOWN_STRING = "Unknown";

HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractRequestHandler.java

@@ -233,8 +233,8 @@ public class AbstractRequestHandler {
                                             final Device device) {
         IssuedAttestationCertificate issuedAc;
         boolean generateCertificate = true;
-        PolicyRepository scp = this.getPolicyRepository();
-        PolicySettings policySettings = scp.findByName("Default");
+        PolicyRepository scp = getPolicyRepository();
+        PolicySettings policySettings;
         Date currentDate = new Date();
         int days;
         try {
@@ -243,6 +243,7 @@ public class AbstractRequestHandler {
                     derEncodedAttestationCertificate, endorsementCredential, platformCredentials);
 
             if (scp != null) {
+                policySettings = scp.findByName("Default");
                 issuedAc = certificateRepository.findByDeviceId(device.getId());
 
                 generateCertificate = policySettings.isIssueAttestationCertificate();

HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/SupplyChainValidationService.java

@@ -105,9 +105,9 @@ public class SupplyChainValidationService {
                 .ValidationType.PLATFORM_CREDENTIAL;
         log.info("Beginning Supply Chain Validation...");
 
-        log.info("Beginning Endorsement Credential Validation...");
         // Validate the Endorsement Credential
         if (getPolicySettings().isEcValidationEnabled()) {
+            log.info("Beginning Endorsement Credential Validation...");
             validations.add(ValidationManager.evaluateEndorsementCredentialStatus(ec, this.caCredentialRepository, acceptExpiredCerts));
             // store the device with the credential
             if (ec != null) {
@@ -116,9 +116,9 @@ public class SupplyChainValidationService {
             }
         }
 
-        log.info("Beginning Platform Credential Validation...");
         // Validate Platform Credential signatures
         if (getPolicySettings().isPcValidationEnabled()) {
+            log.info("Beginning Platform Credential Validation...");
             // Ensure there are platform credentials to validate
             if (pcs == null || pcs.isEmpty()) {
                 log.error("There were no Platform Credentials to validate.");
@@ -143,7 +143,6 @@ public class SupplyChainValidationService {
                     }
                     pc.setDeviceId(device.getId());
                     this.certificateRepository.save(pc);
-
                 }
 
                 // check that the delta certificates validity date is after
@@ -179,10 +178,10 @@ public class SupplyChainValidationService {
             }
         }
 
-        log.info("Beginning Platform Attributes Validation...");
         // Validate Platform Credential attributes
         if (getPolicySettings().isPcAttributeValidationEnabled()
                 && pcErrorMessage.isEmpty()) {
+            log.info("Beginning Platform Attributes Validation...");
             // Ensure there are platform credentials to validate
             SupplyChainValidation attributeScv = null;
             String attrErrorMessage = "";
@@ -233,8 +232,8 @@ public class SupplyChainValidationService {
             }
         }
 
-        log.info("Beginning Firmware Validation...");
         if (getPolicySettings().isFirmwareValidationEnabled()) {
+            log.info("Beginning Firmware Validation...");
             // may need to associated with device to pull the correct info
             // compare tpm quote with what is pulled from RIM associated file
             validations.add(ValidationManager.evaluateFirmwareStatus(device, getPolicySettings(),

HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/CredentialValidator.java

@@ -47,6 +47,19 @@ public class CredentialValidator extends SupplyChainCredentialValidator {
             return new AppraisalStatus(FAIL, message);
         }
 
+        boolean keyInStore = false;
+        try {
+            keyInStore = trustStore.size() < 1;
+        } catch (KeyStoreException ksEx) {
+            log.error(ksEx.getMessage());
+        }
+
+        if (keyInStore) {
+            message = baseErrorMessage + "keys in the trust store";
+            log.error(message);
+            return new AppraisalStatus(FAIL, message);
+        }
+
         try {
             X509Certificate verifiableCert = ec.getX509Certificate();
 

HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/validation/SupplyChainCredentialValidator.java

@@ -3,15 +3,11 @@ package hirs.attestationca.persist.validation;
 import com.fasterxml.jackson.core.JsonFactory;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult;
-import hirs.attestationca.persist.entity.userdefined.certificate.attributes.ComponentIdentifier;
-import hirs.attestationca.persist.entity.userdefined.certificate.attributes.V2.ComponentIdentifierV2;
 import hirs.attestationca.persist.entity.userdefined.info.ComponentInfo;
 import lombok.NoArgsConstructor;
 import lombok.extern.log4j.Log4j2;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.util.Strings;
-import org.bouncycastle.asn1.DERUTF8String;
 import org.bouncycastle.asn1.x500.X500Name;
 import org.bouncycastle.cert.CertException;
 import org.bouncycastle.cert.X509AttributeCertificateHolder;

HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ValidationReportsPageController.java

@@ -2,13 +2,11 @@ package hirs.attestationca.portal.page.controllers;
 
 import com.google.gson.JsonArray;
 import com.google.gson.JsonObject;
-import hirs.attestationca.persist.CriteriaModifier;
 import hirs.attestationca.persist.FilteredRecordsList;
 import hirs.attestationca.persist.entity.manager.CertificateRepository;
 import hirs.attestationca.persist.entity.manager.DeviceRepository;
 import hirs.attestationca.persist.entity.manager.PlatformCertificateRepository;
 import hirs.attestationca.persist.entity.manager.SupplyChainValidationSummaryRepository;
-import hirs.attestationca.persist.entity.userdefined.Certificate;
 import hirs.attestationca.persist.entity.userdefined.Device;
 import hirs.attestationca.persist.entity.userdefined.SupplyChainValidationSummary;
 import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
@@ -16,18 +14,13 @@ import hirs.attestationca.persist.entity.userdefined.certificate.attributes.Comp
 import hirs.attestationca.persist.entity.userdefined.certificate.attributes.V2.ComponentIdentifierV2;
 import hirs.attestationca.portal.datatables.DataTableInput;
 import hirs.attestationca.portal.datatables.DataTableResponse;
-import hirs.attestationca.portal.datatables.OrderedListQueryDataTableAdapter;
 import hirs.attestationca.portal.page.Page;
 import hirs.attestationca.portal.page.PageController;
 import hirs.attestationca.portal.page.params.NoPageParams;
 import jakarta.persistence.EntityManager;
-import jakarta.persistence.criteria.CriteriaBuilder;
-import jakarta.persistence.criteria.CriteriaQuery;
-import jakarta.persistence.criteria.Root;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.extern.log4j.Log4j2;
-import org.hibernate.Session;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.domain.PageRequest;
 import org.springframework.data.domain.Pageable;
@@ -43,7 +36,6 @@ import org.springframework.web.servlet.ModelAndView;
 import java.io.BufferedWriter;
 import java.io.IOException;
 import java.io.OutputStreamWriter;
-import java.lang.ref.Reference;
 import java.nio.charset.StandardCharsets;
 import java.time.LocalDate;
 import java.time.LocalDateTime;
@@ -52,7 +44,6 @@ import java.time.format.DateTimeFormatter;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
-import java.util.UUID;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -128,20 +119,6 @@ public class ValidationReportsPageController extends PageController<NoPageParams
         String orderColumnName = input.getOrderColumnName();
         log.debug("Ordering on column: " + orderColumnName);
 
-        // define an alias so the composite object, device, can be used by the
-        // datatables / query. This is necessary so the device.name property can
-        // be used.
-        CriteriaModifier criteriaModifier = new CriteriaModifier() {
-            @Override
-            public void modify(final CriteriaQuery criteriaQuery) {
-                Session session = entityManager.unwrap(Session.class);
-                CriteriaBuilder cb = session.getCriteriaBuilder();
-                Root<Certificate> scvRoot = criteriaQuery.from(Reference.class);
-
-                criteriaQuery.select(scvRoot).distinct(true).where(cb.isNull(scvRoot.get(Certificate.ARCHIVE_FIELD)));
-            }
-        };
-
         FilteredRecordsList<SupplyChainValidationSummary> records = new FilteredRecordsList<>();
         int currentPage = input.getStart() / input.getLength();
         Pageable paging = PageRequest.of(currentPage, input.getLength(), Sort.by(orderColumnName));
@@ -153,12 +130,6 @@ public class ValidationReportsPageController extends PageController<NoPageParams
         records.setRecordsTotal(input.getLength());
         records.setRecordsFiltered(supplyChainValidatorSummaryRepository.count());
 
-//        FilteredRecordsList<SupplyChainValidationSummary> records =
-//                OrderedListQueryDataTableAdapter.getOrderedList(
-//                        SupplyChainValidationSummary.class,
-//                        supplyChainValidatorSummaryRepository, input, orderColumnName,
-//                        criteriaModifier);
-
         return new DataTableResponse<>(records, input);
     }
 

HIRS_Utils/src/main/java/hirs/utils/tpm/eventlog/uefi/UefiGuid.java

@@ -23,8 +23,8 @@ public class UefiGuid {
      */
     private static final int UUID_EPOCH_DIVISOR = 10000;
 
-    private static final Path JSON_PATH = FileSystems.getDefault().getPath("/etc",
-            "hirs/aca", "default-properties", "vendor-table.json");
+    private static final Path JSON_PATH = FileSystems.getDefault().getPath("/opt",
+            "hirs", "default-properties", "vendor-table.json");
     private JsonObject uefiVendorRef;
     /**
      * guid byte array.