diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java index 2b95045a..ae54125b 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java @@ -1,6 +1,5 @@ package hirs.attestationca.persist.provision; -import com.fasterxml.jackson.databind.ser.Serializers; import com.google.protobuf.ByteString; import hirs.attestationca.configuration.provisionerTpm2.ProvisionerTpm2; import hirs.attestationca.persist.entity.manager.CertificateRepository; @@ -69,24 +68,23 @@ import java.util.regex.Pattern; @Log4j2 public class IdentityClaimProcessor extends AbstractProcessor { - private static final String PCR_QUOTE_MASK = "0,1,2,3,4,5,6,7,8,9,10,11,12,13," - + "14,15,16,17,18,19,20,21,22,23"; - - private static final int NUM_OF_VARIABLES = 5; /** * Number of bytes to include in the TPM2.0 nonce. */ public static final int NONCE_LENGTH = 20; + private static final String PCR_QUOTE_MASK = "0,1,2,3,4,5,6,7,8,9,10,11,12,13," + + "14,15,16,17,18,19,20,21,22,23"; + private static final int NUM_OF_VARIABLES = 5; private static final int MAC_BYTES = 6; - private SupplyChainValidationService supplyChainValidationService; - private CertificateRepository certificateRepository; - private ComponentResultRepository componentResultRepository; - private ComponentInfoRepository componentInfoRepository; - private ReferenceManifestRepository referenceManifestRepository; - private ReferenceDigestValueRepository referenceDigestValueRepository; - private DeviceRepository deviceRepository; - private TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository; + private final SupplyChainValidationService supplyChainValidationService; + private final CertificateRepository certificateRepository; + private final ComponentResultRepository componentResultRepository; + private final ComponentInfoRepository componentInfoRepository; + private final ReferenceManifestRepository referenceManifestRepository; + private final ReferenceDigestValueRepository referenceDigestValueRepository; + private final DeviceRepository deviceRepository; + private final TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository; /** * Constructor. @@ -116,8 +114,8 @@ public class IdentityClaimProcessor extends AbstractProcessor { * Basic implementation of the ACA processIdentityClaimTpm2 method. Parses the claim, * stores the device info, performs supply chain validation, generates a nonce, * and wraps that nonce with the make credential process before returning it to the client. - * attCert.setPcrValues(pcrValues); - + * attCert.setPcrValues(pcrValues); + * * @param identityClaim the request to process, cannot be null * @return an identity claim response for the specified request containing a wrapped blob */ @@ -147,7 +145,7 @@ public class IdentityClaimProcessor extends AbstractProcessor { } } - ByteString blobStr = ByteString.copyFrom(new byte[]{}); + ByteString blobStr = ByteString.copyFrom(new byte[] {}); if (validationResult == AppraisalStatus.Status.PASS) { RSAPublicKey akPub = ProvisionUtils.parsePublicKey(claim.getAkPublicArea().toByteArray()); byte[] nonce = ProvisionUtils.generateRandomBytes(NONCE_LENGTH); @@ -195,7 +193,8 @@ public class IdentityClaimProcessor extends AbstractProcessor { private AppraisalStatus.Status doSupplyChainValidation( final ProvisionerTpm2.IdentityClaim claim, final PublicKey ekPub) { // attempt to find an endorsement credential to validate - EndorsementCredential endorsementCredential = parseEcFromIdentityClaim(claim, ekPub, certificateRepository); + EndorsementCredential endorsementCredential = + parseEcFromIdentityClaim(claim, ekPub, certificateRepository); // attempt to find platform credentials to validate List platformCredentials = parsePcsFromIdentityClaim(claim, @@ -283,6 +282,7 @@ public class IdentityClaimProcessor extends AbstractProcessor { /** * Converts a protobuf DeviceInfo object to a HIRS Utils DeviceInfoReport object. + * * @param claim the protobuf serialized identity claim containing the device info * @return a HIRS Utils DeviceInfoReport representation of device info */ @@ -348,7 +348,7 @@ public class IdentityClaimProcessor extends AbstractProcessor { String defaultClientName = String.format("%s_%s", dv.getHw().getManufacturer(), dv.getHw().getProductName()); - BaseReferenceManifest dbBaseRim = null; + BaseReferenceManifest baseRim = null; SupportReferenceManifest support = null; EventLogMeasurements measurements; boolean isReplacement = false; @@ -357,60 +357,60 @@ public class IdentityClaimProcessor extends AbstractProcessor { String fileName = ""; Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)"); Matcher matcher; - MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); + MessageDigest messageDigest = MessageDigest.getInstance("SHA-256"); if (dv.getSwidfileCount() > 0) { for (ByteString swidFile : dv.getSwidfileList()) { try { - dbBaseRim = (BaseReferenceManifest) referenceManifestRepository + baseRim = (BaseReferenceManifest) referenceManifestRepository .findByBase64Hash(Base64.getEncoder() .encodeToString(messageDigest .digest(swidFile.toByteArray()))); - if (dbBaseRim == null) { + if (baseRim == null) { /* Either the swidFile does not have a corresponding base RIM in the backend or it was deleted. Check if there is a replacement by comparing tagId against all other base RIMs, and then set the corresponding support rim's deviceName. */ - dbBaseRim = new BaseReferenceManifest( + baseRim = new BaseReferenceManifest( String.format("%s.swidtag", defaultClientName), swidFile.toByteArray()); List baseRims = referenceManifestRepository.findAllBaseRims(); for (BaseReferenceManifest bRim : baseRims) { - if (bRim.getTagId().equals(dbBaseRim.getTagId())) { - dbBaseRim = bRim; - replacementRimId = dbBaseRim.getAssociatedRim().toString(); + if (bRim.getTagId().equals(baseRim.getTagId())) { + baseRim = bRim; + replacementRimId = baseRim.getAssociatedRim().toString(); isReplacement = true; break; } } - dbBaseRim.setDeviceName(dv.getNw().getHostname()); - this.referenceManifestRepository.save(dbBaseRim); - } else if (dbBaseRim.isArchived()) { + baseRim.setDeviceName(dv.getNw().getHostname()); + this.referenceManifestRepository.save(baseRim); + } else if (baseRim.isArchived()) { /* This block accounts for RIMs that may have been soft-deleted (archived) in an older version of the ACA. */ List rims = referenceManifestRepository.findByArchiveFlag(false); for (ReferenceManifest rim : rims) { - if (rim.isBase() && rim.getTagId().equals(dbBaseRim.getTagId()) && - rim.getCreateTime().after(dbBaseRim.getCreateTime())) { - dbBaseRim.setDeviceName(null); - dbBaseRim = (BaseReferenceManifest) rim; - dbBaseRim.setDeviceName(dv.getNw().getHostname()); + if (rim.isBase() && rim.getTagId().equals(baseRim.getTagId()) && + rim.getCreateTime().after(baseRim.getCreateTime())) { + baseRim.setDeviceName(null); + baseRim = (BaseReferenceManifest) rim; + baseRim.setDeviceName(dv.getNw().getHostname()); } } - if (dbBaseRim.isArchived()) { + if (baseRim.isArchived()) { throw new Exception("Unable to locate an unarchived base RIM."); } else { - this.referenceManifestRepository.save(dbBaseRim); + this.referenceManifestRepository.save(baseRim); } } else { - dbBaseRim.setDeviceName(dv.getNw().getHostname()); - this.referenceManifestRepository.save(dbBaseRim); + baseRim.setDeviceName(dv.getNw().getHostname()); + this.referenceManifestRepository.save(baseRim); } - tagId = dbBaseRim.getTagId(); + tagId = baseRim.getTagId(); } catch (UnmarshalException e) { log.error(e); } catch (Exception ex) { @@ -425,9 +425,10 @@ public class IdentityClaimProcessor extends AbstractProcessor { if (dv.getLogfileCount() > 0) { for (ByteString logFile : dv.getLogfileList()) { try { - support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType( + support = + (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType( Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())), - ReferenceManifest.SUPPORT_RIM); + ReferenceManifest.SUPPORT_RIM); if (support == null) { /* Either the logFile does not have a corresponding support RIM in the backend @@ -496,39 +497,41 @@ public class IdentityClaimProcessor extends AbstractProcessor { //update Support RIMs and Base RIMs. for (ByteString swidFile : dv.getSwidfileList()) { - dbBaseRim = (BaseReferenceManifest) referenceManifestRepository + baseRim = (BaseReferenceManifest) referenceManifestRepository .findByBase64Hash(Base64.getEncoder().encodeToString(messageDigest.digest( swidFile.toByteArray()))); - if (dbBaseRim != null) { + if (baseRim != null) { // get file name to use - for (SwidResource swid : dbBaseRim.getFileResources()) { + for (SwidResource swid : baseRim.getFileResources()) { matcher = pattern.matcher(swid.getName()); if (matcher.matches()) { //found the file name int dotIndex = swid.getName().lastIndexOf("."); fileName = swid.getName().substring(0, dotIndex); - dbBaseRim.setFileName(String.format("%s.swidtag", + baseRim.setFileName(String.format("%s.swidtag", fileName)); } // now update support rim - SupportReferenceManifest dbSupport = (SupportReferenceManifest) referenceManifestRepository - .findByHexDecHashAndRimType(swid.getHashValue(), ReferenceManifest.SUPPORT_RIM); + SupportReferenceManifest dbSupport = + (SupportReferenceManifest) referenceManifestRepository + .findByHexDecHashAndRimType(swid.getHashValue(), + ReferenceManifest.SUPPORT_RIM); if (dbSupport != null) { dbSupport.setFileName(swid.getName()); - dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); - dbSupport.setTagId(dbBaseRim.getTagId()); - dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion()); - dbSupport.setSwidVersion(dbBaseRim.getSwidVersion()); - dbSupport.setSwidPatch(dbBaseRim.isSwidPatch()); - dbSupport.setSwidSupplemental(dbBaseRim.isSwidSupplemental()); - dbBaseRim.setAssociatedRim(dbSupport.getId()); + dbSupport.setSwidTagVersion(baseRim.getSwidTagVersion()); + dbSupport.setTagId(baseRim.getTagId()); + dbSupport.setSwidTagVersion(baseRim.getSwidTagVersion()); + dbSupport.setSwidVersion(baseRim.getSwidVersion()); + dbSupport.setSwidPatch(baseRim.isSwidPatch()); + dbSupport.setSwidSupplemental(baseRim.isSwidSupplemental()); + baseRim.setAssociatedRim(dbSupport.getId()); dbSupport.setUpdated(true); - dbSupport.setAssociatedRim(dbBaseRim.getId()); + dbSupport.setAssociatedRim(baseRim.getId()); this.referenceManifestRepository.save(dbSupport); } } - this.referenceManifestRepository.save(dbBaseRim); + this.referenceManifestRepository.save(baseRim); } } @@ -564,15 +567,15 @@ public class IdentityClaimProcessor extends AbstractProcessor { this.referenceManifestRepository.save(measurements); - for (BaseReferenceManifest baseRim : baseRims) { - if (baseRim != null) { + for (BaseReferenceManifest bRim : baseRims) { + if (bRim != null) { // pull the base versions of the swidtag and rimel and set the // event log hash for use during provision SupportReferenceManifest sBaseRim = referenceManifestRepository - .getSupportRimEntityById(baseRim.getAssociatedRim()); - baseRim.setEventLogHash(temp.getHexDecHash()); + .getSupportRimEntityById(bRim.getAssociatedRim()); + bRim.setEventLogHash(temp.getHexDecHash()); sBaseRim.setEventLogHash(temp.getHexDecHash()); - referenceManifestRepository.save(baseRim); + referenceManifestRepository.save(bRim); referenceManifestRepository.save(sBaseRim); } } @@ -584,7 +587,7 @@ public class IdentityClaimProcessor extends AbstractProcessor { dv.getNw().getHostname())); } - // Get TPM info, currently unimplemented + // Get TPM info, currently unimplemented TPMInfo tpmInfo = new TPMInfo(DeviceInfoEnums.NOT_SPECIFIED, (short) 0, (short) 0, @@ -628,7 +631,8 @@ public class IdentityClaimProcessor extends AbstractProcessor { } if (baseSupportRim != null - && referenceDigestValueRepository.findBySupportRimHash(baseSupportRim.getHexDecHash()).isEmpty()) { + && referenceDigestValueRepository.findBySupportRimHash(baseSupportRim.getHexDecHash()) + .isEmpty()) { try { TCGEventLog logProcessor = new TCGEventLog(baseSupportRim.getRimBytes()); ReferenceDigestValue rdv; @@ -688,7 +692,7 @@ public class IdentityClaimProcessor extends AbstractProcessor { log.error(String.format("Patching value does not exist (%s)", patchedValue)); } else { - // WIP - Until we get patch examples + // WIP - Until we get patch examples dbRdv.setPatched(true); } } @@ -721,7 +725,7 @@ public class IdentityClaimProcessor extends AbstractProcessor { } private int handleDeviceComponents(final String hostName, final String paccorString) { - int deviceComponents = 0 ; + int deviceComponents = 0; Map componentInfoMap = new HashMap<>(); try { List componentInfos = SupplyChainCredentialValidator