From 13e8074e88795917d02f5402a4bccc02260505a3 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Wed, 9 Feb 2022 07:35:46 -0500 Subject: [PATCH 01/12] Updated the database size of the bytes field in the ReferenceManifest table. --- .../src/main/java/hirs/data/persist/ReferenceManifest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java index aa490e45..18f4827c 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceManifest.java @@ -68,7 +68,7 @@ public abstract class ReferenceManifest extends ArchivableEntity { private static final Logger LOGGER = LogManager.getLogger(ReferenceManifest.class); - @Column(columnDefinition = "blob", nullable = false) + @Column(columnDefinition = "mediumblob", nullable = false) @JsonIgnore private byte[] rimBytes; @Column(nullable = false) From 2db5b86da1c48cbe155400ad4aad4524e429fca1 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 11 Feb 2022 07:32:07 -0500 Subject: [PATCH 02/12] Some minor updates. Fixed a null pointer exception in the SupplyChainValidationServiceImpl. Updated warnings when files are missing from the device claim --- .../AbstractAttestationCertificateAuthority.java | 11 +++++++---- .../service/SupplyChainValidationServiceImpl.java | 9 +++++---- .../java/hirs/data/persist/ReferenceDigestRecord.java | 2 +- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index d0753103..e5c6756f 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java 
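Review bot: Changing `columnDefinition` from `blob` to `mediumblob` on `rimBytes` only affects how the column is defined when the table is created; an already-deployed database presumably keeps the original `blob` column and will still truncate or reject RIMs larger than the old limit, so a schema migration step (or a note that one is required) should accompany this hunk. The same applies to the `valueBlob` change on ReferenceDigestRecord in PATCH 02/12 of this series. A short field comment would also help the next maintainer, e.g. `// mediumblob: RIM payloads can exceed the 64 KiB limit of a plain blob`.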
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -840,7 +840,8 @@ public abstract class AbstractAttestationCertificateAuthority } } } else { - LOG.warn("Device did not send support RIM file..."); + LOG.warn(String.format("%s did not send support RIM file...", + dv.getNw().getHostname())); } if (dv.getSwidfileCount() > 0) { @@ -876,7 +877,8 @@ public abstract class AbstractAttestationCertificateAuthority } } } else { - LOG.warn("Device did not send swid tag file..."); + LOG.warn(String.format("%s did not send swid tag file...", + dv.getNw().getHostname())); } //update Support RIMs and Base RIMs. @@ -952,7 +954,8 @@ public abstract class AbstractAttestationCertificateAuthority LOG.error(ioEx); } } else { - LOG.warn("Device did not send bios measurement log..."); + LOG.warn(String.format("Device did not send bios measurement log...", + dv.getNw().getHostname())); } // Get TPM info, currently unimplemented @@ -1885,7 +1888,7 @@ public abstract class AbstractAttestationCertificateAuthority generateCertificate = scp.isIssueAttestationCertificate(); if (issuedAc != null && scp.isGenerateOnExpiration()) { if (issuedAc.getEndValidity().after(currentDate)) { - // so the issued AC is expired + // so the issued AC is not expired // however are we within the threshold days = daysBetween(currentDate, issuedAc.getEndValidity()); if (days < Integer.parseInt(scp.getReissueThreshold())) { diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 1f4dbb6d..51a054fa 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java 
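Review bot: The three new warn calls build the message with `String.format` and then hand a finished string to the logger, which means the hostname is formatted even when WARN is disabled and, in the third hunk (`@@ -952`), the format string has no `%s` so the hostname argument is silently dropped (PATCH 03/12 in this series corrects that one). If `LOG` is a Log4j2 or SLF4J logger, the parameterized form avoids both problems: `LOG.warn("{} did not send support RIM file...", dv.getNw().getHostname());`. The hostname comes from the device claim and is therefore client-supplied; keeping it as a logger parameter rather than splicing it into the format string is the safer habit for that reason as well. The enclosing method continues outside all three hunks.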
@@ -389,7 +389,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe Set baseReferenceManifests = null; BaseReferenceManifest baseReferenceManifest = null; ReferenceManifest supportReferenceManifest = null; - ReferenceManifest measurement = null; + EventLogMeasurements measurement = null; ReferenceDigestRecord digestRecord = null; baseReferenceManifests = BaseReferenceManifest.select(referenceManifestManager) @@ -581,9 +581,10 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe } else { fwStatus = new AppraisalStatus(FAIL, String.format("Firmware Validation failed: " + "%s for %s can not be found", failedString, manufacturer)); - EventLogMeasurements eventLog = (EventLogMeasurements) measurement; - eventLog.setOverallValidationResult(fwStatus.getAppStatus()); - this.referenceManifestManager.update(eventLog); + if (measurement != null) { + measurement.setOverallValidationResult(fwStatus.getAppStatus()); + this.referenceManifestManager.update(measurement); + } } return buildValidationRecord(SupplyChainValidation.ValidationType.FIRMWARE, diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceDigestRecord.java b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceDigestRecord.java index 43cec77d..1f299ac2 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceDigestRecord.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/ReferenceDigestRecord.java @@ -30,7 +30,7 @@ public class ReferenceDigestRecord extends ArchivableEntity { private String model; @Column(nullable = false) private String deviceName; - @Column(columnDefinition = "blob", nullable = true) + @Column(columnDefinition = "mediumblob", nullable = true) private byte[] valueBlob; /** From 1f2be7ce18a9118461629e9ae44ce51de46f5477 Mon Sep 17 00:00:00 2001 
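Review bot: In the `@@ -581` hunk the new `if (measurement != null)` guard removes the NullPointerException but also makes the FAIL outcome disappear silently when no live log was found: `fwStatus` is still returned, yet nothing records that the appraisal could not be tied to an EventLogMeasurements entry. An `else` branch that logs the gap keeps the condition visible to operators, e.g. `} else { LOGGER.warn(String.format("No event log measurements found for %s %s; firmware failure not persisted", manufacturer, model)); }` — I am inferring `LOGGER`, `manufacturer` and `model` from their use in later hunks of this series, so confirm they are in scope here. The enclosing method starts and ends outside this hunk.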
From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 11 Feb 2022 08:01:28 -0500 Subject: [PATCH 03/12] Updated the live log information if the base and support rim are not uploaded together. --- .../AbstractAttestationCertificateAuthority.java | 11 ++++++++++- .../controllers/ReferenceManifestPageController.java | 10 ++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java index e5c6756f..82f9570b 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/AbstractAttestationCertificateAuthority.java @@ -950,11 +950,20 @@ public abstract class AbstractAttestationCertificateAuthority this.referenceManifestManager.update(rim); } } + + for (BaseReferenceManifest baseRim : BaseReferenceManifest + .select(referenceManifestManager).getRIMs()) { + if (baseRim.getPlatformManufacturer().equals(dv.getHw().getManufacturer()) + && baseRim.getPlatformModel().equals(dv.getHw().getProductName())) { + baseRim.setEventLogHash(temp.getHexDecHash()); + this.referenceManifestManager.update(baseRim); + } + } } catch (IOException ioEx) { LOG.error(ioEx); } } else { - LOG.warn(String.format("Device did not send bios measurement log...", + LOG.warn(String.format("%s did not send bios measurement log...", dv.getNw().getHostname())); } diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java index ccb9d9b2..ae46811e 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java 
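Review bot: The new loop rewrites `eventLogHash` on every BaseReferenceManifest whose manufacturer and model match the claiming device, regardless of whether the received log validated, so whichever device provisions last silently rebinds the base RIM for all devices of that model to its own log; if that is intended it should be stated in a comment such as `// Rebind every base RIM for this platform to the log just received; any earlier binding is overwritten`, otherwise the update should be restricted to the device's own record. `baseRim.getPlatformManufacturer().equals(...)` will throw if a stored RIM has no manufacturer (I cannot see whether that column is nullable), and `Objects.equals(baseRim.getPlatformManufacturer(), dv.getHw().getManufacturer())` is null-safe at no cost. The same equals-on-possibly-null pattern appears in the ReferenceManifestPageController hunk of this commit. `temp` and the enclosing try block begin outside the hunk.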
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java @@ -10,6 +10,7 @@ import hirs.attestationca.portal.page.PageController; import hirs.attestationca.portal.page.PageMessages; import hirs.attestationca.portal.page.params.NoPageParams; import hirs.data.persist.BaseReferenceManifest; +import hirs.data.persist.EventLogMeasurements; import hirs.data.persist.ReferenceManifest; import hirs.data.persist.SupportReferenceManifest; import hirs.data.persist.SwidResource; @@ -257,6 +258,15 @@ public class ReferenceManifestPageController } } } + + for (EventLogMeasurements liveLog : EventLogMeasurements + .select(referenceManifestManager).getRIMs()) { + if (liveLog.getPlatformManufacturer().equals(base.getPlatformManufacturer()) + && liveLog.getPlatformModel().equals(base.getPlatformModel())) { + rim.setEventLogHash(liveLog.getEventLogHash()); + break; + } + } } storeManifest(file.getOriginalFilename(), From c99622bbeae02b447f12d75d3e1b5aae65833869 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 11 Feb 2022 08:06:23 -0500 Subject: [PATCH 04/12] Removed conditional checks for tcg file locations in post install script --- .../package/rpm-post-install.sh | 20 ++++--------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index 538009ed..7f78eec5 100644 --- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh +++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh 
@@ -49,22 +49,10 @@ CREDENTIALS_LOCATION="$TCG_DIRECTORY/cert/platform/" BINARY_BIOS_MEASUREMENTS="/sys/kernel/security/tpm0/binary_bios_measurements" touch "$TCG_TEMP_FILE" -if [ -d "$RIM_FILE_LOCATION" ]; then - echo "tcg.rim.dir=$RIM_FILE_LOCATION" > "$TCG_TEMP_FILE" -fi - -if [ -d "$SWIDTAG_FILE_LOCATION" ]; then - echo "tcg.swidtag.dir=$SWIDTAG_FILE_LOCATION" >> "$TCG_TEMP_FILE" -fi - -if [ -d "$CREDENTIALS_LOCATION" ]; then - echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_TEMP_FILE" -fi - -if [ -f "$BINARY_BIOS_MEASUREMENTS" ]; then - echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_TEMP_FILE" -fi - +echo "tcg.rim.dir=$RIM_FILE_LOCATION" > "$TCG_TEMP_FILE" +echo "tcg.swidtag.dir=$SWIDTAG_FILE_LOCATION" >> "$TCG_TEMP_FILE" +echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_TEMP_FILE" +echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_TEMP_FILE" if [ ! -f "$TCG_BOOT_FILE" ]; then install -m 644 $TCG_TEMP_FILE $TCG_BOOT_FILE From fc3f59adcef567d148f8b7e0318cf0158499bf2e Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Fri, 11 Feb 2022 09:09:39 -0500 Subject: [PATCH 05/12] Updated RIM lookup to use manufacturer and model instead of deviceName --- .../service/SupplyChainValidationServiceImpl.java | 10 ++++++++-- .../java/hirs/data/persist/BaseReferenceManifest.java | 11 +++++++++++ .../java/hirs/data/persist/EventLogMeasurements.java | 11 +++++++++++ 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 51a054fa..d56cdea2 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java 
@@ -393,10 +393,11 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe ReferenceDigestRecord digestRecord = null; baseReferenceManifests = BaseReferenceManifest.select(referenceManifestManager) - .byDeviceName(device.getDeviceInfo().getNetworkInfo().getHostname()).getRIMs(); + .byModel(model).getRIMs(); for (BaseReferenceManifest bRim : baseReferenceManifests) { - if (!bRim.isSwidSupplemental() && !bRim.isSwidPatch()) { + if (bRim.getPlatformManufacturer().equals(manufacturer) + && !bRim.isSwidSupplemental() && !bRim.isSwidPatch()) { baseReferenceManifest = bRim; } } @@ -408,6 +409,11 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe } else { measurement = EventLogMeasurements.select(referenceManifestManager) .byHexDecHash(baseReferenceManifest.getEventLogHash()).getRIM(); + + if (measurement == null) { + measurement = EventLogMeasurements.select(referenceManifestManager) + .byModel(baseReferenceManifest.getPlatformModel()).getRIM(); + } } if (measurement == null) { diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java b/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java index 1ca317b3..aea0d04d 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/BaseReferenceManifest.java @@ -110,6 +110,17 @@ public class BaseReferenceManifest extends ReferenceManifest { return this; } + /** + * Specify the platform model that rims must have to be considered + * as matching. + * @param model string for the model + * @return this instance + */ + public Selector byModel(final String model) { + setFieldValue(PLATFORM_MODEL, model); + return this; + } + /** * Specify the device name that rims must have to be considered * as matching. 
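Review bot: The fallback in the `@@ -408` hunk looks up the live log by `byModel(...)` alone, dropping both the manufacturer check that the base-RIM loop just added and the device identity the old `byDeviceName` lookup provided, so a measurement from a different vendor or a different machine that happens to share the model string can be appraised against this device. At minimum the result should be held to the same manufacturer test: `if (measurement != null && !manufacturer.equals(measurement.getPlatformManufacturer())) { measurement = null; }`. In the first hunk the base-RIM loop assigns without `break`, so when several RIMs match the one kept depends on Set iteration order, which is presumably not deterministic; a `break` on first match or an explicit tie-break rule would make the chosen reference reproducible. `manufacturer` and `model` are defined outside the hunk.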
diff --git a/HIRS_Utils/src/main/java/hirs/data/persist/EventLogMeasurements.java b/HIRS_Utils/src/main/java/hirs/data/persist/EventLogMeasurements.java index 9a3920b8..66b053cf 100644 --- a/HIRS_Utils/src/main/java/hirs/data/persist/EventLogMeasurements.java +++ b/HIRS_Utils/src/main/java/hirs/data/persist/EventLogMeasurements.java @@ -61,6 +61,17 @@ public class EventLogMeasurements extends ReferenceManifest { return this; } + /** + * Specify the platform model that rims must have to be considered + * as matching. + * @param model string for the model + * @return this instance + */ + public Selector byModel(final String model) { + setFieldValue(PLATFORM_MODEL, model); + return this; + } + /** * Specify the device name that rims must have to be considered * as matching. From caa2a7c55b27fe1a0efebc4558e6e70896fe34f8 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 14 Feb 2022 10:26:07 -0500 Subject: [PATCH 06/12] Removed the RIM controller tests --- .../SupplyChainValidationServiceImpl.java | 2 +- ...enceManifestDetailsPageControllerTest.java | 108 ---------- .../ReferenceManifestPageControllerTest.java | 191 ------------------ 3 files changed, 1 insertion(+), 300 deletions(-) delete mode 100644 HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageControllerTest.java delete mode 100644 HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageControllerTest.java diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index d56cdea2..c4625135 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java 
@@ -479,7 +479,7 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe if (passed && supportReferenceManifest == null) { fwStatus = new AppraisalStatus(FAIL, - "Support Reference Integrity Manifest can not be found\n"); + "Support Reference Integrity Manifest can not be found"); passed = false; } diff --git a/HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageControllerTest.java b/HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageControllerTest.java deleted file mode 100644 index 17b5187d..00000000 --- a/HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageControllerTest.java +++ /dev/null 
@@ -1,108 +0,0 @@ -package hirs.attestationca.portal.page.controllers; - -import hirs.data.persist.BaseReferenceManifest; -import hirs.data.persist.ReferenceManifest; -import hirs.persist.DBReferenceManifestManager; -import hirs.attestationca.portal.page.Page; -import hirs.attestationca.portal.page.PageController; -import hirs.attestationca.portal.page.PageControllerTest; -import java.io.IOException; -import java.net.URISyntaxException; -import java.nio.file.Path; -import java.nio.file.Paths; -import java.nio.file.Files; -import java.util.Map; -import static org.hamcrest.Matchers.hasItem; -import static org.hamcrest.Matchers.hasProperty; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.test.annotation.DirtiesContext; -import org.springframework.test.annotation.Rollback; -import org.springframework.test.web.servlet.MvcResult; -import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.model; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; -import org.testng.Assert; -import org.testng.annotations.BeforeClass; -import org.testng.annotations.Test; - -/** - * Integration tests that test the URL End Points of - * EndorsementKeyCredentialsPageController. - */ -@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_CLASS) -public class ReferenceManifestDetailsPageControllerTest extends PageControllerTest { - - private static final String GOOD_RIM_FILE = "/rims/generated_good.swidtag"; - private static final String ID = "046b6c7f-0b8a-43b9-b35d-6489e6daee91"; - - @Autowired - private DBReferenceManifestManager referenceManifestManager; - private ReferenceManifest referenceManifest; - - - /** - * Prepares tests. 
- * - * @throws IOException if test resources are not found - */ - @BeforeClass - public void prepareTests() throws IOException { - Path fPath; - try { - fPath = Paths.get(this.getClass().getResource(GOOD_RIM_FILE).toURI()); - } catch (URISyntaxException e) { - throw new IOException("Could not resolve path URI", e); - } - referenceManifest = new BaseReferenceManifest(Files.readAllBytes(fPath)); - referenceManifestManager.save(referenceManifest); - } - - /** - * Constructor. - */ - public ReferenceManifestDetailsPageControllerTest() { - super(Page.RIM_DETAILS); - } - - /** - * Tests initial page when the Reference Integrity Manifest - * was not found. - * @throws Exception if an exception occurs - */ - @Test - public void testInitPage() throws Exception { - // Get error message - getMockMvc() - .perform(MockMvcRequestBuilders.get("/" + getPage().getViewName()) - .param("id", ID)) - .andExpect(status().isOk()) - .andExpect(model().attribute(PageController.MESSAGES_ATTRIBUTE, - hasProperty("error", hasItem("Unable to find RIM with ID: " + ID)))) - .andReturn(); - } - - /** - * Tests initial page for an Reference Integrity Manifest. - * - * @throws Exception if an exception occurs - */ - @Test - @Rollback - @SuppressWarnings("unchecked") - public void testInitPageRim() throws Exception { - MvcResult result = getMockMvc() - .perform(MockMvcRequestBuilders.get("/" + getPage().getViewName()) - .param("id", referenceManifest.getId().toString()) - .param("swidTagId", referenceManifest.getTagId())) - .andExpect(status().isOk()) - .andExpect(model().attributeExists(PolicyPageController.INITIAL_DATA)) - .andReturn(); - - // Obtain initialData HashMap - Map initialData = (Map) result - .getModelAndView() - .getModel() - .get(PolicyPageController.INITIAL_DATA); - Assert.assertEquals(initialData.get("swidTagId"), referenceManifest.getTagId()); - } -} 
diff --git a/HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageControllerTest.java b/HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageControllerTest.java deleted file mode 100644 index 16208c99..00000000 --- a/HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageControllerTest.java +++ /dev/null 
@@ -1,191 +0,0 @@ -package hirs.attestationca.portal.page.controllers; - -import hirs.data.persist.BaseReferenceManifest; -import hirs.data.persist.ReferenceManifest; -import hirs.persist.ReferenceManifestManager; -import hirs.attestationca.portal.page.Page; -import hirs.attestationca.portal.page.PageControllerTest; -import hirs.attestationca.portal.page.PageMessages; -import java.io.IOException; -import java.util.Set; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.core.io.ClassPathResource; -import org.springframework.mock.web.MockMultipartFile; -import org.springframework.test.annotation.DirtiesContext; -import org.springframework.test.annotation.Rollback; -import org.springframework.test.web.servlet.MvcResult; -import org.springframework.test.web.servlet.request.MockMvcRequestBuilders; -import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status; -import org.springframework.web.servlet.FlashMap; -import org.testng.Assert; -import org.testng.annotations.BeforeMethod; -import org.testng.annotations.Test; - -/** - * Integration tests that test the URL End Points of - * ReferenceManifestPageController. - */ -@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_EACH_TEST_METHOD) -public class ReferenceManifestPageControllerTest extends PageControllerTest { - - private static final String GOOD_RIM_FILE = "generated_good.swidtag"; - private static final String BAD_RIM_FILE = "generated_bad.swidtag"; - - @Autowired - private ReferenceManifestManager referenceManifestManager; - private MockMultipartFile validRimFile; - private MockMultipartFile nonValidRimFile; - - /** - * Constructor. - */ - public ReferenceManifestPageControllerTest() { - super(Page.REFERENCE_MANIFESTS); - } - - /** - * Prepares tests. 
- * - * @throws IOException if test resources are not found - */ - @BeforeMethod - public void prepareTests() throws IOException { - // create a multi part file for the controller upload - validRimFile = new MockMultipartFile("file", GOOD_RIM_FILE, "", - new ClassPathResource("rims/" + GOOD_RIM_FILE).getInputStream()); - nonValidRimFile = new MockMultipartFile("file", BAD_RIM_FILE, "", - new ClassPathResource("rims/" + BAD_RIM_FILE).getInputStream()); - } - - private void archiveTestCert(final ReferenceManifest referenceManifest) throws Exception { - // now, archive the record - getMockMvc().perform(MockMvcRequestBuilders - .post("/reference-manifests/delete") - .param("id", referenceManifest.getId().toString())) - .andExpect(status().is3xxRedirection()) - .andReturn(); - - Set records - = referenceManifestManager.get(BaseReferenceManifest - .select(referenceManifestManager).includeArchived()); - Assert.assertEquals(records.size(), 1); - - Assert.assertTrue(records.iterator().next().isArchived()); - } - - /** - * Tests uploading a RIM that is a Reference Integrity Manifest, and - * archiving it. - * - * @throws Exception if an exception occurs - */ - @Test - @Rollback - public void uploadAndArchiveValidRim() throws Exception { - ReferenceManifest rim = uploadTestRim(); - archiveTestRim(rim); - } - - /** - * Tests uploading a rim that is not a valid Reference Integrity Manifest, - * which results in failure. 
- * - * @throws Exception if an exception occurs - */ - @Test - @Rollback - public void uploadNonValidRim() throws Exception { - MvcResult result = getMockMvc().perform(MockMvcRequestBuilders - .fileUpload("/reference-manifests/upload") - .file(nonValidRimFile)) - .andExpect(status().is3xxRedirection()) - .andReturn(); - - // verify redirection messages - FlashMap flashMap = result.getFlashMap(); - PageMessages pageMessages = (PageMessages) flashMap.get("messages"); - Assert.assertEquals(pageMessages.getSuccess().size(), 0); - Assert.assertEquals(pageMessages.getError().size(), 1); - } - - /** - * Tests that uploading a RIM when an identical RIM is archived will cause - * the existing RIM to be unarchived and updated. - * - * @throws Exception if an exception occurs - */ - @Test - @Rollback - public void uploadCausesUnarchive() throws Exception { - ReferenceManifest rim = uploadTestRim(); - archiveTestCert(rim); - - // upload the same cert again - MvcResult result = getMockMvc().perform(MockMvcRequestBuilders - .fileUpload("/reference-manifests/upload") - .file(validRimFile)) - .andExpect(status().is3xxRedirection()) - .andReturn(); - - // verify redirection messages - FlashMap flashMap = result.getFlashMap(); - PageMessages pageMessages = (PageMessages) flashMap.get("messages"); - Assert.assertEquals(pageMessages.getSuccess().size(), 1); - Assert.assertEquals(pageMessages.getError().size(), 0); - Assert.assertEquals(pageMessages.getSuccess().get(0), - "Pre-existing RIM found and unarchived (generated_good.swidtag): "); - - // verify the cert was actually stored - Set records = referenceManifestManager.get(BaseReferenceManifest.select( - referenceManifestManager)); - Assert.assertEquals(records.size(), 1); - - ReferenceManifest newRim = records.iterator().next(); - - // verify that the rim was unarchived - Assert.assertFalse(newRim.isArchived()); - // verify that the createTime was updated - Assert.assertTrue(newRim.getCreateTime().getTime() > 
rim.getCreateTime().getTime()); - } - - private ReferenceManifest uploadTestRim() throws Exception { - MvcResult result = getMockMvc().perform(MockMvcRequestBuilders - .fileUpload("/reference-manifests/upload") - .file(validRimFile)) - .andExpect(status().is3xxRedirection()) - .andReturn(); - - // verify redirection messages - FlashMap flashMap = result.getFlashMap(); - PageMessages pageMessages = (PageMessages) flashMap.get("messages"); - Assert.assertEquals(pageMessages.getSuccess().size(), 1); - Assert.assertEquals(pageMessages.getError().size(), 0); - - // verify the cert was actually stored - Set records - = referenceManifestManager.get(BaseReferenceManifest - .select(referenceManifestManager)); - Assert.assertEquals(records.size(), 1); - - ReferenceManifest rim = records.iterator().next(); - Assert.assertFalse(rim.isArchived()); - - return rim; - } - - private void archiveTestRim(final ReferenceManifest rim) throws Exception { - // now, archive the record - getMockMvc().perform(MockMvcRequestBuilders - .post("/reference-manifests/delete") - .param("id", rim.getId().toString())) - .andExpect(status().is3xxRedirection()) - .andReturn(); - - Set records - = referenceManifestManager.get(BaseReferenceManifest - .select(referenceManifestManager).includeArchived()); - Assert.assertEquals(records.size(), 1); - - Assert.assertTrue(records.iterator().next().isArchived()); - } -} From d353854835c8e25a948b4c698d5110f7445065f6 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 14 Feb 2022 10:34:21 -0500 Subject: [PATCH 07/12] Updated the post install to only do it if the file doesn't exist --- HIRS_ProvisionerTPM2/package/rpm-post-install.sh | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh index 7f78eec5..2cf047b8 100644 --- a/HIRS_ProvisionerTPM2/package/rpm-post-install.sh 
+++ b/HIRS_ProvisionerTPM2/package/rpm-post-install.sh @@ -48,15 +48,12 @@ SWIDTAG_FILE_LOCATION="$TCG_DIRECTORY/manifest/swidtag/" CREDENTIALS_LOCATION="$TCG_DIRECTORY/cert/platform/" BINARY_BIOS_MEASUREMENTS="/sys/kernel/security/tpm0/binary_bios_measurements" -touch "$TCG_TEMP_FILE" -echo "tcg.rim.dir=$RIM_FILE_LOCATION" > "$TCG_TEMP_FILE" -echo "tcg.swidtag.dir=$SWIDTAG_FILE_LOCATION" >> "$TCG_TEMP_FILE" -echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_TEMP_FILE" -echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_TEMP_FILE" - if [ ! -f "$TCG_BOOT_FILE" ]; then + touch "$TCG_TEMP_FILE" + echo "tcg.rim.dir=$RIM_FILE_LOCATION" > "$TCG_TEMP_FILE" + echo "tcg.swidtag.dir=$SWIDTAG_FILE_LOCATION" >> "$TCG_TEMP_FILE" + echo "tcg.cert.dir=$CREDENTIALS_LOCATION" >> "$TCG_TEMP_FILE" + echo "tcg.event.file=$BINARY_BIOS_MEASUREMENTS" >> "$TCG_TEMP_FILE" install -m 644 $TCG_TEMP_FILE $TCG_BOOT_FILE -else - echo $TCG_TEMP_FILE > $TCG_BOOT_FILE fi From 81068850bd4819b1b56da5f225e14bf841634c73 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Mon, 14 Feb 2022 14:46:15 -0500 Subject: [PATCH 08/12] Added change to the null condition check for the policy threshold --- .../page/controllers/PolicyPageController.java | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java index f6f3e43c..503df0f8 100644 --- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java +++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/PolicyPageController.java 
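Review bot: The temporary file is never removed after `install` copies it into place, and the `touch` on the first added line is redundant because the following `>` redirect creates and truncates the same file. Quoting the `install` arguments and cleaning up would close both points: `install -m 644 "$TCG_TEMP_FILE" "$TCG_BOOT_FILE"` followed by `rm -f "$TCG_TEMP_FILE"`. Where `$TCG_TEMP_FILE` points is defined outside the hunk, so I cannot tell whether it lands in a world-writable directory; if it does, writing the config directly to the destination would be preferable to staging it.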
@@ -473,13 +473,14 @@ public class PolicyPageController extends PageController { if (generateCertificateEnabled) { threshold = ppModel.getThresholdValue(); - if (threshold == null) { - threshold = SupplyChainPolicy.YEAR; - } } else { threshold = ppModel.getReissueThreshold(); } + if (threshold == null || threshold.isEmpty()) { + threshold = SupplyChainPolicy.YEAR; + } + policy.setReissueThreshold(threshold); } else { generateCertificateEnabled = false; @@ -542,13 +543,14 @@ public class PolicyPageController extends PageController { if (generateDevIdCertificateEnabled) { threshold = ppModel.getDevIdThresholdValue(); - if (threshold == null) { - threshold = SupplyChainPolicy.YEAR; - } } else { threshold = ppModel.getDevIdReissueThreshold(); } + if (threshold == null || threshold.isEmpty()) { + threshold = SupplyChainPolicy.YEAR; + } + policy.setDevIdReissueThreshold(threshold); } else { generateDevIdCertificateEnabled = false; From e16f0092942984e3c72c0853fe1c0e97b48f5cc8 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 15 Feb 2022 10:03:25 -0500 Subject: [PATCH 09/12] Removed if check for the matching file name of the support RIM from the Base RIMs meta data. Only keying off hash. --- .../service/SupplyChainValidationServiceImpl.java | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index c4625135..43321504 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java 
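Review bot: The new `threshold == null || threshold.isEmpty()` default still lets a whitespace-only or non-numeric value through, and the earlier hunk in this series (`AbstractAttestationCertificateAuthority`, `@@ -1885`) consumes the stored value with `Integer.parseInt(scp.getReissueThreshold())`, so bad input on the policy page surfaces as a NumberFormatException at certificate issuance instead of at save time. Validating the digits here keeps the failure at the input boundary: `if (threshold == null || !threshold.trim().matches("\\d+")) { threshold = SupplyChainPolicy.YEAR; }`. The `@@ -542` hunk for the DevID threshold has the same gap. The enclosing method begins and ends outside both hunks.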
@@ -462,12 +462,10 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe for (SwidResource swidRes : resources) { supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager) .byHexDecHash(swidRes.getHashValue()).getRIM(); - if (supportReferenceManifest != null - && swidRes.getName().equals(supportReferenceManifest.getFileName())) { + if (supportReferenceManifest != null) { + // Removed the filename check from this if statement referenceManifestValidator.validateSupportRimHash( supportReferenceManifest.getRimBytes(), swidRes.getHashValue()); - } else { - supportReferenceManifest = null; } } From 0f839ebd087f1d3cc6a2985e50e651124312bf4f Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 15 Feb 2022 11:17:07 -0500 Subject: [PATCH 10/12] This is a test commit. Changes will be removed. --- .../service/SupplyChainValidationServiceImpl.java | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 43321504..25070dec 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java 
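Review bot: The added comment `// Removed the filename check from this if statement` describes the edit rather than the rule, which the git history already records; a comment that states the contract ages better, e.g. `// A support RIM is identified by its hash alone; the file name in the base RIM's payload is informational`. Because `supportReferenceManifest` is reassigned on every iteration of the loop, when `resources` holds several entries only the last lookup survives into the `supportReferenceManifest == null` check that follows the hunk, so an earlier found RIM is discarded by a later miss — that behaviour predates this change but is worth a note now that the `else` reset is gone. Whether `validateSupportRimHash` reports its result is not visible here; if it returns a status it should be checked rather than called for effect.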
@@ -459,13 +459,18 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe } } + LOGGER.error(String.format("CYRUS - # of resources (ie support rims) - %d", resources.size()); + for (SwidResource swidRes : resources) { + LOGGER.error(String.format("CYRUS - Looking for hash %s", swidRes.getHashValue())); supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager) .byHexDecHash(swidRes.getHashValue()).getRIM(); if (supportReferenceManifest != null) { // Removed the filename check from this if statement referenceManifestValidator.validateSupportRimHash( supportReferenceManifest.getRimBytes(), swidRes.getHashValue()); + } else { + LOGGER.error("CYRUS - Didn't find support rim by hash"); } } From 99ba840a5447014481faa4b33e8fa61d9c6cf32e Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 15 Feb 2022 11:25:25 -0500 Subject: [PATCH 11/12] Fixed debug statement --- .../service/SupplyChainValidationServiceImpl.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index 25070dec..d2c56286 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java @@ -459,7 +459,8 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe } } - LOGGER.error(String.format("CYRUS - # of resources (ie support rims) - %d", resources.size()); + LOGGER.error(String.format("CYRUS - # of resources (ie support rims) - %d", + resources.size())); for (SwidResource swidRes : resources) { LOGGER.error(String.format("CYRUS - Looking for hash %s", swidRes.getHashValue())); 
From 6abd87a19278080bd5a180d6e65e5289734b0863 Mon Sep 17 00:00:00 2001 From: Cyrus <24922493+cyrus-dev@users.noreply.github.com> Date: Tue, 15 Feb 2022 13:43:33 -0500 Subject: [PATCH 12/12] Removed debug statements --- .../service/SupplyChainValidationServiceImpl.java | 6 ------ 1 file changed, 6 deletions(-) diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java index d2c56286..43321504 100644 --- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java +++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/service/SupplyChainValidationServiceImpl.java @@ -459,19 +459,13 @@ public class SupplyChainValidationServiceImpl implements SupplyChainValidationSe } } - LOGGER.error(String.format("CYRUS - # of resources (ie support rims) - %d", - resources.size())); - for (SwidResource swidRes : resources) { - LOGGER.error(String.format("CYRUS - Looking for hash %s", swidRes.getHashValue())); supportReferenceManifest = SupportReferenceManifest.select(referenceManifestManager) .byHexDecHash(swidRes.getHashValue()).getRIM(); if (supportReferenceManifest != null) { // Removed the filename check from this if statement referenceManifestValidator.validateSupportRimHash( supportReferenceManifest.getRimBytes(), swidRes.getHashValue()); - } else { - LOGGER.error("CYRUS - Didn't find support rim by hash"); } }