Merge pull request #635 from nsacyber/v3_provision-fixes

ACA Provisioning Clean up
nsacyber · Nov 30, 2023 · fa95eb4 · fa95eb4
2 parents 96bd8b9 + e1f846d
commit fa95eb4
Show file tree

Hide file tree

Showing 13 changed files with 43 additions and 43 deletions.
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/ArchivableEntity.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/ArchivableEntity.java
@@ -60,7 +60,6 @@ public final boolean isArchived() {
      *      false is archived time is already set, signifying the entity has been archived.
      */
     public final boolean archive() {
-        this.archiveFlag = false;
         if (this.archivedTime == null) {
             this.archivedTime = new Date();
             archiveFlag = true;

diff --git a/.../src/main/java/hirs/attestationca/persist/entity/manager/ReferenceManifestRepository.java b/.../src/main/java/hirs/attestationca/persist/entity/manager/ReferenceManifestRepository.java
@@ -43,6 +43,7 @@ public interface ReferenceManifestRepository extends JpaRepository<ReferenceMani
     List<SupportReferenceManifest> getSupportByManufacturerModel(String manufacturer, String model);
     @Query(value = "SELECT * FROM ReferenceManifest WHERE platformModel = ?1 AND DTYPE = 'EventLogMeasurements'", nativeQuery = true)
     EventLogMeasurements getLogByModel(String model);
+    List<ReferenceManifest> findByDeviceName(String deviceName);
     List<ReferenceManifest> findByArchiveFlag(boolean archiveFlag);
     Page<ReferenceManifest> findByArchiveFlag(boolean archiveFlag, Pageable pageable);
 }
diff --git a/...CA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidation.java b/...CA/src/main/java/hirs/attestationca/persist/entity/userdefined/SupplyChainValidation.java
@@ -2,6 +2,7 @@
 
 import com.google.common.base.Preconditions;
 import hirs.attestationca.persist.entity.ArchivableEntity;
+import hirs.attestationca.persist.entity.userdefined.rim.BaseReferenceManifest;
 import hirs.attestationca.persist.enums.AppraisalStatus;
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
@@ -104,7 +105,7 @@ public SupplyChainValidation(final ValidationType validationType,
         this.certificatesUsed = new ArrayList<>();
         this.rimId = "";
         for (ArchivableEntity ae : certificatesUsed) {
-            if (ae instanceof ReferenceManifest) {
+            if (ae instanceof BaseReferenceManifest) {
                 this.rimId = ae.getId().toString();
                 break;
             } else {

diff --git a/...ionCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/ComponentInfo.java b/...ionCA/src/main/java/hirs/attestationca/persist/entity/userdefined/info/ComponentInfo.java
@@ -145,7 +145,7 @@ public static boolean isComplete(final String componentManufacturer,
                                      final String componentModel,
                                      final String componentSerial,
                                      final String componentRevision) {
-        return !(StringUtils.isEmpty(componentManufacturer)
+        return (StringUtils.isEmpty(componentManufacturer)
                 || StringUtils.isEmpty(componentModel));
     }
 }
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java
@@ -170,7 +170,8 @@ protected List<PlatformCredential> parsePcsFromIdentityClaim(
             for (ByteString platformCredential : identityClaim.getPlatformCredentialList()) {
                 if (!platformCredential.isEmpty()) {
                     platformCredentials.add(CredentialManagementHelper.storePlatformCredential(
-                            certificateRepository, platformCredential.toByteArray()));
+                            certificateRepository, platformCredential.toByteArray(),
+                            identityClaim.getDv().getNw().getHostname()));
                 }
             }
         } else if (endorsementCredential != null) {

diff --git a/...estationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java b/...estationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java
@@ -187,6 +187,7 @@ private AppraisalStatus.Status doSupplyChainValidation(
         // Parse and save device info
         Device device = processDeviceInfo(claim);
 
+        device.getDeviceInfo().setPaccorOutputString(claim.getPaccorOutput());
         // There are situations in which the claim is sent with no PCs
         // or a PC from the tpm which will be deprecated
         // this is to check what is in the platform object and pull
@@ -318,8 +319,9 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
         if (dv.getLogfileCount() > 0) {
             for (ByteString logFile : dv.getLogfileList()) {
                 try {
-                    support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHash(
-                                    Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())));
+                    support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
+                                    Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())),
+                            ReferenceManifest.SUPPORT_RIM);
                     if (support == null) {
                         support = new SupportReferenceManifest(
                                 String.format("%s.rimel",
@@ -346,8 +348,7 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
                 } catch (IOException ioEx) {
                     log.error(ioEx);
                 } catch (Exception ex) {
-                    log.error(String.format("Failed to load support rim: %s", messageDigest.digest(
-                            logFile.toByteArray()).toString()));
+                    log.error(String.format("Failed to load support rim: %s", ex.getMessage()));
                 }
             }
         } else {
@@ -381,6 +382,7 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
                             this.referenceManifestRepository.save(dbBaseRim);
                         }
                     }
+                    tagId = dbBaseRim.getTagId();
                 } catch (IOException ioEx) {
                     log.error(ioEx);
                 }
@@ -409,7 +411,7 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
 
                     // now update support rim
                     SupportReferenceManifest dbSupport = (SupportReferenceManifest) referenceManifestRepository
-                            .findByHexDecHash(swid.getHashValue());
+                            .findByHexDecHashAndRimType(swid.getHashValue(), ReferenceManifest.SUPPORT_RIM);
                     if (dbSupport != null) {
                         dbSupport.setFileName(swid.getName());
                         dbSupport.setSwidTagVersion(dbBaseRim.getSwidTagVersion());

diff --git a/...src/main/java/hirs/attestationca/persist/provision/helper/CredentialManagementHelper.java b/...src/main/java/hirs/attestationca/persist/provision/helper/CredentialManagementHelper.java
@@ -82,11 +82,12 @@ public static EndorsementCredential storeEndorsementCredential(
      * it is unarchived.
      * @param certificateRepository the certificate manager used for storage
      * @param platformBytes the raw PC bytes used for parsing
+     * @param deviceName the host name of the associated machine
      * @return the parsed, valid PC, or null if the provided bytes are not a valid EK.
      */
     public static PlatformCredential storePlatformCredential(
             final CertificateRepository certificateRepository,
-            final byte[] platformBytes) {
+            final byte[] platformBytes, final String deviceName) {
 
         if (certificateRepository == null) {
             throw new IllegalArgumentException("null certificate manager");
@@ -130,6 +131,7 @@ public static PlatformCredential storePlatformCredential(
                         }
                     }
                 }
+                platformCredential.setDeviceName(deviceName);
                 return (PlatformCredential) certificateRepository.save(platformCredential);
             } else if (existingCredential.isArchived()) {
                 // if the PC is stored in the DB and it's archived, unarchive.

diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/ValidationService.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/service/ValidationService.java
@@ -9,6 +9,7 @@
 import hirs.attestationca.persist.entity.userdefined.Certificate;
 import hirs.attestationca.persist.entity.userdefined.Device;
 import hirs.attestationca.persist.entity.userdefined.PolicySettings;
+import hirs.attestationca.persist.entity.userdefined.ReferenceManifest;
 import hirs.attestationca.persist.entity.userdefined.SupplyChainValidation;
 import hirs.attestationca.persist.entity.userdefined.certificate.CertificateAuthorityCredential;
 import hirs.attestationca.persist.entity.userdefined.certificate.ComponentResult;
@@ -187,6 +188,13 @@ public static SupplyChainValidation evaluateFirmwareStatus(
         final SupplyChainValidation.ValidationType validationType
                 = SupplyChainValidation.ValidationType.FIRMWARE;
 
+        List<ReferenceManifest> rims = rimRepo.findByDeviceName(device.getName());
+        ReferenceManifest baseRim = null;
+        for (ReferenceManifest rim : rims) {
+            if (rim.getRimType().equals(ReferenceManifest.BASE_RIM)) {
+                baseRim = rim;
+            }
+        }
         AppraisalStatus result = FirmwareScvValidator.validateFirmware(device, policySettings,
                 rimRepo, rdvRepo, caRepo);
         Level logLevel;
@@ -203,7 +211,7 @@ public static SupplyChainValidation evaluateFirmwareStatus(
                 logLevel = Level.ERROR;
         }
         return buildValidationRecord(validationType, result.getAppStatus(),
-                result.getMessage(), null, logLevel);
+                result.getMessage(), baseRim, logLevel);
     }
 
     /**

diff --git a/...testationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java b/...testationCA/src/main/java/hirs/attestationca/persist/validation/FirmwareScvValidator.java
@@ -66,8 +66,8 @@ public static AppraisalStatus validateFirmware(
             failedString = "Base Reference Integrity Manifest\n";
             passed = false;
         } else {
-            measurement = (EventLogMeasurements) referenceManifestRepository.findByHexDecHash(
-                    baseReferenceManifest.getEventLogHash());
+            measurement = (EventLogMeasurements) referenceManifestRepository.findByHexDecHashAndRimType(
+                    baseReferenceManifest.getEventLogHash(), ReferenceManifest.MEASUREMENT_RIM);
 
             if (measurement == null) {
                 measurement = referenceManifestRepository.byMeasurementDeviceName(
@@ -125,8 +125,8 @@ public static AppraisalStatus validateFirmware(
             }
 
             for (SwidResource swidRes : resources) {
-                supportReferenceManifest = referenceManifestRepository.findByHexDecHash(
-                        swidRes.getHashValue());
+                supportReferenceManifest = referenceManifestRepository.findByHexDecHashAndRimType(
+                        swidRes.getHashValue(), ReferenceManifest.SUPPORT_RIM);
                 if (supportReferenceManifest != null) {
                     // Removed the filename check from this if statement
                     referenceManifestValidator.validateSupportRimHash(

diff --git a/...A/src/main/java/hirs/attestationca/persist/validation/SupplyChainCredentialValidator.java b/...A/src/main/java/hirs/attestationca/persist/validation/SupplyChainCredentialValidator.java
@@ -342,7 +342,7 @@ public static List<ComponentInfo> getV2PaccorOutput(
 
     private static String getJSONNodeValueAsText(final JsonNode node, final String fieldName) {
         if (node.hasNonNull(fieldName)) {
-            return node.findValue(fieldName).asText();
+            return node.findValue(fieldName).textValue();
         }
         return null;
     }

diff --git a/...l/src/main/java/hirs/attestationca/portal/page/controllers/CertificatePageController.java b/...l/src/main/java/hirs/attestationca/portal/page/controllers/CertificatePageController.java
@@ -375,7 +375,7 @@ public RedirectView delete(
 
         try {
             UUID uuid = UUID.fromString(id);
-            Certificate certificate = getCertificateById(certificateType, uuid);
+            Certificate certificate = certificateRepository.getCertificate(uuid);
 
             if (certificate == null) {
                 // Use the term "record" here to avoid user confusion b/t cert and cred
@@ -749,29 +749,6 @@ private List<PlatformCredential> getCertificateByBoardSN(
         return associatedCertificates;
     }
 
-    private Certificate getCertificateById(final String certificateType, final UUID uuid) {
-        switch (certificateType) {
-            case PLATFORMCREDENTIAL:
-                if (platformCertificateRepository.existsById(uuid)) {
-                    return platformCertificateRepository.getReferenceById(uuid);
-                }
-            case ENDORSEMENTCREDENTIAL:
-                if (endorsementCredentialRepository.existsById(uuid)) {
-                    return endorsementCredentialRepository.getReferenceById(uuid);
-                }
-            case ISSUEDCERTIFICATES:
-                if (issuedCertificateRepository.existsById(uuid)) {
-                    return issuedCertificateRepository.getReferenceById(uuid);
-                }
-            case TRUSTCHAIN:
-                if (caCredentialRepository.existsById(uuid)) {
-                    return caCredentialRepository.getReferenceById(uuid);
-                }
-            default:
-                return null;
-        }
-    }
-
     /**
      * Parses an uploaded file into a certificate and populates the given model
      * with error messages if parsing fails.

diff --git a/...va/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java b/...va/hirs/attestationca/portal/page/controllers/ReferenceManifestDetailsPageController.java
@@ -271,7 +271,8 @@ private static HashMap<String, Object> getBaseRimInfo(
         // to get the id to make the link
         RIM_VALIDATOR.setRim(baseRim.getRimBytes());
         for (SwidResource swidRes : resources) {
-            support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHash(swidRes.getHashValue());
+            support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
+                    swidRes.getHashValue(), ReferenceManifest.SUPPORT_RIM);
 
             if (support != null && swidRes.getHashValue()
                     .equalsIgnoreCase(support.getHexDecHash())) {

diff --git a/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java b/HIRS_Utils/src/main/java/hirs/utils/rim/ReferenceManifestValidator.java
@@ -39,7 +39,13 @@
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
 import javax.xml.validation.SchemaFactory;
-import java.io.*;
+import java.io.BufferedInputStream;
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.security.*;
@@ -204,7 +210,9 @@ public boolean validateXmlSignature(final PublicKey publicKey,
                 log.error("Cannot validate RIM, signature element not found!");
                 return false;
             }
-            trustStore = parseCertificatesFromPem(trustStoreFile);
+            if (trustStoreFile != null && !trustStoreFile.isEmpty()) {
+                trustStore = parseCertificatesFromPem(trustStoreFile);
+            }
             NodeList certElement = rim.getElementsByTagName("X509Certificate");
             if (certElement.getLength() > 0) {
                 X509Certificate embeddedCert = parseCertFromPEMString(