
Commit e60148c

committed
Detect replacement RIM bundle and process accordingly during FW provisioning
1 parent 59f038c commit e60148c


2 files changed

+87
-45
lines changed


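--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/IdentityClaimProcessor.java
@@ -62,6 +62,7 @@
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -347,21 +348,97 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
 dv.getHw().getManufacturer(),
 dv.getHw().getProductName());
 BaseReferenceManifest dbBaseRim = null;
-SupportReferenceManifest support;
+SupportReferenceManifest support = null;
 EventLogMeasurements measurements;
+boolean isReplacement = false;
 String tagId = "";
 String fileName = "";
 Pattern pattern = Pattern.compile("([^\\s]+(\\.(?i)(rimpcr|rimel|bin|log))$)");
 Matcher matcher;
 MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
 
+if (dv.getSwidfileCount() > 0) {
+for (ByteString swidFile : dv.getSwidfileList()) {
+try {
+dbBaseRim = (BaseReferenceManifest) referenceManifestRepository
+.findByBase64Hash(Base64.getEncoder()
+.encodeToString(messageDigest
+.digest(swidFile.toByteArray())));
+if (dbBaseRim == null) {
+/*
+Either the swidFile does not have a corresponding base RIM in the backend
+or it was deleted. Check if there is a replacement by comparing tagId against
+all other base RIMs, and then set the corresponding support rim's deviceName.
+*/
+dbBaseRim = new BaseReferenceManifest(
+String.format("%s.swidtag",
+defaultClientName),
+swidFile.toByteArray());
+List<BaseReferenceManifest> baseRims = referenceManifestRepository.findAllBaseRims();
+for (BaseReferenceManifest bRim : baseRims) {
+if (bRim.getTagId().equals(dbBaseRim.getTagId())) {
+dbBaseRim = bRim;
+isReplacement = true;
+break;
+}
+}
+dbBaseRim.setDeviceName(dv.getNw().getHostname());
+this.referenceManifestRepository.save(dbBaseRim);
+Optional<ReferenceManifest> associatedRim =
+referenceManifestRepository.findById(dbBaseRim.getAssociatedRim());
+SupportReferenceManifest sRim = null;
+if (associatedRim.isPresent()) {
+sRim = (SupportReferenceManifest) associatedRim.get();
+}
+sRim.setDeviceName(dv.getNw().getHostname());
+this.referenceManifestRepository.save(sRim);
+} else if (dbBaseRim.isArchived()) {
+/*
+This block accounts for RIMs that may have been soft-deleted (archived)
+in an older version of the ACA.
+*/
+List<ReferenceManifest> rims = referenceManifestRepository.findByArchiveFlag(false);
+for (ReferenceManifest rim : rims) {
+if (rim.isBase() && rim.getTagId().equals(dbBaseRim.getTagId()) &&
+rim.getCreateTime().after(dbBaseRim.getCreateTime())) {
+dbBaseRim.setDeviceName(null);
+dbBaseRim = (BaseReferenceManifest) rim;
+dbBaseRim.setDeviceName(dv.getNw().getHostname());
+}
+}
+if (dbBaseRim.isArchived()) {
+throw new Exception("Unable to locate an unarchived base RIM.");
+} else {
+this.referenceManifestRepository.save(dbBaseRim);
+}
+} else {
+dbBaseRim.setDeviceName(dv.getNw().getHostname());
+this.referenceManifestRepository.save(dbBaseRim);
+}
+tagId = dbBaseRim.getTagId();
+} catch (UnmarshalException e) {
+log.error(e);
+} catch (Exception ex) {
+log.error(String.format("Failed to load base rim: %s", ex.getMessage()));
+}
+}
+} else {
+log.warn(String.format("%s did not send swid tag file...",
+dv.getNw().getHostname()));
+}
+
 if (dv.getLogfileCount() > 0) {
 for (ByteString logFile : dv.getLogfileList()) {
 try {
 support = (SupportReferenceManifest) referenceManifestRepository.findByHexDecHashAndRimType(
 Hex.encodeHexString(messageDigest.digest(logFile.toByteArray())),
 ReferenceManifest.SUPPORT_RIM);
-if (support == null) {
+if (support == null && !isReplacement) {
+/*
+Either the logFile does not have a corresponding support RIM in the backend
+or it was deleted. The support RIM for a replacement base RIM is handled
+in the previous loop block.
+*/
 support = new SupportReferenceManifest(
 String.format("%s.rimel",
 defaultClientName),
@@ -377,6 +454,10 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
 support.setDeviceName(dv.getNw().getHostname());
 this.referenceManifestRepository.save(support);
 } else if (support.isArchived()) {
+/*
+This block accounts for RIMs that may have been soft-deleted (archived)
+in an older version of the ACA.
+*/
 List<ReferenceManifest> rims = referenceManifestRepository.findByArchiveFlag(false);
 for (ReferenceManifest rim : rims) {
 if (rim.isSupport() &&
@@ -392,6 +473,9 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
 } else {
 this.referenceManifestRepository.save(support);
 }
+} else {
+support.setDeviceName(dv.getNw().getHostname());
+this.referenceManifestRepository.save(support);
 }
 } catch (IOException ioEx) {
 log.error(ioEx);
@@ -404,46 +488,6 @@ private DeviceInfoReport parseDeviceInfo(final ProvisionerTpm2.IdentityClaim cla
 dv.getNw().getHostname()));
 }
 
-if (dv.getSwidfileCount() > 0) {
-for (ByteString swidFile : dv.getSwidfileList()) {
-try {
-dbBaseRim = (BaseReferenceManifest) referenceManifestRepository
-.findByBase64Hash(Base64.getEncoder()
-.encodeToString(messageDigest
-.digest(swidFile.toByteArray())));
-if (dbBaseRim == null) {
-dbBaseRim = new BaseReferenceManifest(
-String.format("%s.swidtag",
-defaultClientName),
-swidFile.toByteArray());
-dbBaseRim.setDeviceName(dv.getNw().getHostname());
-this.referenceManifestRepository.save(dbBaseRim);
-} else if (dbBaseRim.isArchived()) {
-List<ReferenceManifest> rims = referenceManifestRepository.findByArchiveFlag(false);
-for (ReferenceManifest rim : rims) {
-if (rim.isBase() && rim.getTagId().equals(dbBaseRim.getTagId()) &&
-rim.getCreateTime().after(dbBaseRim.getCreateTime())) {
-dbBaseRim.setDeviceName(null);
-dbBaseRim = (BaseReferenceManifest) rim;
-dbBaseRim.setDeviceName(dv.getNw().getHostname());
-}
-}
-if (dbBaseRim.isArchived()) {
-throw new Exception("Unable to locate an unarchived base RIM.");
-}
-}
-tagId = dbBaseRim.getTagId();
-} catch (UnmarshalException e) {
-log.error(e);
-} catch (Exception ex) {
-log.error(String.format("Failed to load base rim: %s", ex.getMessage()));
-}
-}
-} else {
-log.warn(String.format("%s did not send swid tag file...",
-dv.getNw().getHostname()));
-}
-
 //update Support RIMs and Base RIMs.
 for (ByteString swidFile : dv.getSwidfileList()) {
 dbBaseRim = (BaseReferenceManifest) referenceManifestRepository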
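Review bot: `sRim.setDeviceName(dv.getNw().getHostname())` in the `dbBaseRim == null` branch dereferences a null whenever `associatedRim` is empty, which presumably is the common case when no tagId match was found and `dbBaseRim` is the manifest just constructed from the client's swidtag (if its associated-RIM id is null, `findById` may reject it even earlier); the resulting exception is swallowed by the `catch (Exception ex)` below as "Failed to load base rim" and `tagId = dbBaseRim.getTagId()` is skipped. Keeping the update inside the presence check avoids it: `if (associatedRim.isPresent()) { SupportReferenceManifest sRim = (SupportReferenceManifest) associatedRim.get(); sRim.setDeviceName(dv.getNw().getHostname()); this.referenceManifestRepository.save(sRim); }`. The logfile loop has the same gap: with `if (support == null && !isReplacement)` a null `support` now reaches `else if (support.isArchived())` in the following hunk whenever `isReplacement` is true, so that guard should read `} else if (support != null && support.isArchived()) {`. The replacement lookup also adopts the first base RIM whose tagId equals the one parsed from the client-supplied swidtag, with none of the archive-flag or createTime checks the archived branch right below applies, so it is worth confirming that an archived or stale manifest cannot be selected and have the device bound to it. parseDeviceInfo starts and ends outside these hunks.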

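--- a/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java
+++ b/HIRS_AttestationCAPortal/src/main/java/hirs/attestationca/portal/page/controllers/ReferenceManifestPageController.java
@@ -239,9 +239,7 @@ public RedirectView delete(@RequestParam final String id,
 messages.addError(notFoundMessage);
 log.warn(notFoundMessage);
 } else {
-// if support rim, update associated events
-referenceManifest.archive();
-referenceManifestRepository.save(referenceManifest);
+referenceManifestRepository.delete(referenceManifest);
 String deleteCompletedMessage = "RIM successfully deleted";
 messages.addInfo(deleteCompletedMessage);
 log.info(deleteCompletedMessage);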
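Review bot: Swapping `archive()` plus `save` for `delete` at new line 242 turns the soft delete into a hard delete, but nothing in the hunk touches the records that reference the deleted manifest — the associated base/support RIM link and, per the removed comment, associated events — so those references now dangle instead of pointing at an archived row. The hard delete also removes the row rather than flagging it, which matters if RIM removals are expected to remain auditable; a short comment stating the intent would help readers, e.g. `// hard delete: provisioning re-resolves a replacement RIM by tagId (see IdentityClaimProcessor)`. Unlinking or deleting the associated RIM in the same branch, or confirming the repository cascades, would close the gap. delete() begins and ends outside the hunk.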
