From 69c673adb73123c7d8c83420bd5788ebd7b6f887 Mon Sep 17 00:00:00 2001
From: iadgovuser59 <133057011+iadgovuser59@users.noreply.github.com>
Date: Fri, 19 Jul 2024 18:31:56 -0400
Subject: [PATCH 1/8] Implementing LDevID generation

---
 .../AttestationCertificateAuthority.java      |   2 +-
 .../entity/manager/CertificateRepository.java |   2 +
 .../IssuedAttestationCertificate.java         |  12 +-
 .../persist/provision/AbstractProcessor.java  |  28 ++--
 .../CertificateRequestProcessor.java          |  22 +++-
 .../AbstractUserdefinedEntityTest.java        |   2 +-
 .../WEB-INF/jsp/issued-certificates.jsp       |  11 ++
 .../src/main/webapp/WEB-INF/jsp/policy.jsp    |   2 +-
 .../src/main/webapp/common/common.js          |   2 +-
 .../portal/page/PageControllerTest.java       |   2 +-
 .../hirs/Resources/ProvisionerTpm2.proto      |   4 +-
 .../hirs/src/client/Client.cs                 |   3 +-
 .../hirs/src/client/IHirsAcaClient.cs         |   4 +-
 HIRS_Provisioner.NET/hirs/src/config/CLI.cs   |   5 +
 .../hirs/src/config/Settings.cs               |   2 +-
 .../hirs/src/provisioner/Provisioner.cs       |  38 +++++-
 .../hirs/src/tpm/CommandTpm.cs                | 120 +++++++++++++++++-
 .../hirs/src/tpm/IHirsAcaTpm.cs               |   2 +
 .../hirsTest/src/client/ClientTests.cs        |   4 +-
 .../src/provisioner/ProvisionerTests.cs       |  18 ++-
 .../src/ProvisionerTpm2.proto                 |   2 +
 21 files changed, 253 insertions(+), 34 deletions(-)

diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/AttestationCertificateAuthority.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/AttestationCertificateAuthority.java
index c1b898db2..6ca834f8b 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/AttestationCertificateAuthority.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/AttestationCertificateAuthority.java
@@ -114,7 +114,7 @@ public AttestationCertificateAuthority(
 
         this.certificateRequestHandler = new CertificateRequestProcessor(supplyChainValidationService,
                 certificateRepository, deviceRepository,
-                privateKey, acaCertificate, validDays, tpm2ProvisionerStateRepository);
+                privateKey, acaCertificate, validDays, tpm2ProvisionerStateRepository, policyRepository);
         this.identityClaimHandler = new IdentityClaimProcessor(supplyChainValidationService,
                 certificateRepository, componentResultRepository, componentInfoRepository,
                 referenceManifestRepository, referenceDigestValueRepository,
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/CertificateRepository.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/CertificateRepository.java
index 900a30a64..cfdfd10ac 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/CertificateRepository.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/manager/CertificateRepository.java
@@ -4,6 +4,7 @@
 import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential;
 import hirs.attestationca.persist.entity.userdefined.certificate.IssuedAttestationCertificate;
 import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
+import org.springframework.data.domain.Sort;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.stereotype.Repository;
@@ -35,5 +36,6 @@ public interface CertificateRepository extends JpaRepository<Certificate, UUID>
     Certificate findByCertificateHash(int certificateHash, String dType);
     EndorsementCredential findByPublicKeyModulusHexValue(String publicKeyModulusHexValue);
     IssuedAttestationCertificate findByDeviceId(UUID deviceId);
+    List<IssuedAttestationCertificate> findByDeviceIdAndIsLDevID(UUID deviceId, boolean isLDevID, Sort sort);
     Certificate findByCertificateHash(int certificateHash);
 }
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/IssuedAttestationCertificate.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/IssuedAttestationCertificate.java
index e37bd7c80..8c4c0e418 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/IssuedAttestationCertificate.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/entity/userdefined/certificate/IssuedAttestationCertificate.java
@@ -1,5 +1,6 @@
 package hirs.attestationca.persist.entity.userdefined.certificate;
 
+import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
 import jakarta.persistence.FetchType;
 import jakarta.persistence.JoinColumn;
@@ -35,6 +36,9 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
     @JoinColumn(name = "pc_id")
     private List<PlatformCredential> platformCredentials;
 
+    @Column
+    public boolean isLDevID;
+
     /**
      * Constructor.
      * @param certificateBytes the issued certificate bytes
@@ -44,11 +48,12 @@ public class IssuedAttestationCertificate extends DeviceAssociatedCertificate {
      */
     public IssuedAttestationCertificate(final byte[] certificateBytes,
                                         final EndorsementCredential endorsementCredential,
-                                        final List<PlatformCredential> platformCredentials)
+                                        final List<PlatformCredential> platformCredentials, boolean isLDevID)
             throws IOException {
         super(certificateBytes);
         this.endorsementCredential = endorsementCredential;
         this.platformCredentials = new ArrayList<>(platformCredentials);
+        this.isLDevID = isLDevID;
     }
 
     /**
@@ -60,9 +65,10 @@ public IssuedAttestationCertificate(final byte[] certificateBytes,
      */
     public IssuedAttestationCertificate(final Path certificatePath,
                                         final EndorsementCredential endorsementCredential,
-                                        final List<PlatformCredential> platformCredentials)
+                                        final List<PlatformCredential> platformCredentials,
+                                        final boolean isLDevID)
             throws IOException {
-        this(readBytes(certificatePath), endorsementCredential, platformCredentials);
+        this(readBytes(certificatePath), endorsementCredential, platformCredentials, isLDevID);
     }
 
     public List<PlatformCredential> getPlatformCredentials() {
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java
index 5a305d970..6c83221e7 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java
@@ -9,6 +9,7 @@
 import hirs.attestationca.persist.entity.userdefined.PolicySettings;
 import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential;
 import hirs.attestationca.persist.entity.userdefined.certificate.IssuedAttestationCertificate;
+import hirs.attestationca.persist.entity.userdefined.certificate.IssuedLDevIDCertificate;
 import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
 import hirs.attestationca.persist.exceptions.CertificateProcessingException;
 import hirs.attestationca.persist.provision.helper.CredentialManagementHelper;
@@ -27,6 +28,7 @@
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.springframework.data.domain.Sort;
 
 import java.io.IOException;
 import java.math.BigInteger;
@@ -234,6 +236,7 @@ private EndorsementCredential getEndorsementCredential(
      * @param endorsementCredential the endorsement credential used to generate the AC
      * @param platformCredentials the platform credentials used to generate the AC
      * @param device the device to which the attestation certificate is tied
+     * @param isLDevID whether the certificate is a ldevid
      * @throws {@link CertificateProcessingException} if error occurs in persisting the Attestation
      *                                             Certificate
      */
@@ -241,8 +244,8 @@ public void saveAttestationCertificate(final CertificateRepository certificateRe
                                            final byte[] derEncodedAttestationCertificate,
                                             final EndorsementCredential endorsementCredential,
                                             final List<PlatformCredential> platformCredentials,
-                                            final Device device) {
-        IssuedAttestationCertificate issuedAc;
+                                            final Device device, boolean isLDevID) {
+        List<IssuedAttestationCertificate> issuedAc;
         boolean generateCertificate = true;
         PolicyRepository scp = getPolicyRepository();
         PolicySettings policySettings;
@@ -251,19 +254,25 @@ public void saveAttestationCertificate(final CertificateRepository certificateRe
         try {
             // save issued certificate
             IssuedAttestationCertificate attCert = new IssuedAttestationCertificate(
-                    derEncodedAttestationCertificate, endorsementCredential, platformCredentials);
+                    derEncodedAttestationCertificate, endorsementCredential, platformCredentials, isLDevID);
 
             if (scp != null) {
                 policySettings = scp.findByName("Default");
-                issuedAc = certificateRepository.findByDeviceId(device.getId());
 
-                generateCertificate = policySettings.isIssueAttestationCertificate();
-                if (issuedAc != null && policySettings.isGenerateOnExpiration()) {
-                    if (issuedAc.getEndValidity().after(currentDate)) {
+                Sort sortCriteria = Sort.by(Sort.Direction.DESC, "endValidity");
+                issuedAc = certificateRepository.findByDeviceIdAndIsLDevID(device.getId(), isLDevID, sortCriteria);
+
+                generateCertificate = isLDevID ? policySettings.isIssueDevIdCertificate()
+                        : policySettings.isIssueAttestationCertificate();
+
+                if (issuedAc != null && (isLDevID ? policySettings.isDevIdExpirationFlag()
+                        : policySettings.isGenerateOnExpiration())) {
+                    if (issuedAc.get(0).getEndValidity().after(currentDate)) {
                         // so the issued AC is not expired
                         // however are we within the threshold
-                        days = ProvisionUtils.daysBetween(currentDate, issuedAc.getEndValidity());
-                        if (days < Integer.parseInt(policySettings.getReissueThreshold())) {
+                        days = ProvisionUtils.daysBetween(currentDate, issuedAc.get(0).getEndValidity());
+                        if (days < Integer.parseInt(isLDevID ? policySettings.getDevIdReissueThreshold()
+                                : policySettings.getReissueThreshold())) {
                             generateCertificate = true;
                         } else {
                             generateCertificate = false;
@@ -271,6 +280,7 @@ public void saveAttestationCertificate(final CertificateRepository certificateRe
                     }
                 }
             }
+
             if (generateCertificate) {
                 attCert.setDeviceId(device.getId());
                 attCert.setDeviceName(device.getName());
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/CertificateRequestProcessor.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/CertificateRequestProcessor.java
index 793187f97..fb9cd00e8 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/CertificateRequestProcessor.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/CertificateRequestProcessor.java
@@ -5,6 +5,7 @@
 import hirs.attestationca.configuration.provisionerTpm2.ProvisionerTpm2;
 import hirs.attestationca.persist.entity.manager.CertificateRepository;
 import hirs.attestationca.persist.entity.manager.DeviceRepository;
+import hirs.attestationca.persist.entity.manager.PolicyRepository;
 import hirs.attestationca.persist.entity.manager.TPM2ProvisionerStateRepository;
 import hirs.attestationca.persist.entity.tpm.TPM2ProvisionerState;
 import hirs.attestationca.persist.entity.userdefined.Device;
@@ -44,6 +45,7 @@ public class CertificateRequestProcessor extends AbstractProcessor {
      * @param acaCertificate object used to create credential
      * @param validDays int for the time in which a certificate is valid.
      * @param tpm2ProvisionerStateRepository db connector for provisioner state.
+     * @param policyRepository db connector for policies.
      */
     public CertificateRequestProcessor(final SupplyChainValidationService supplyChainValidationService,
                                        final CertificateRepository certificateRepository,
@@ -51,13 +53,15 @@ public CertificateRequestProcessor(final SupplyChainValidationService supplyChai
                                        final PrivateKey privateKey,
                                        final X509Certificate acaCertificate,
                                        final int validDays,
-                                       final TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository) {
+                                       final TPM2ProvisionerStateRepository tpm2ProvisionerStateRepository,
+                                       final PolicyRepository policyRepository) {
         super(privateKey, validDays);
         this.supplyChainValidationService = supplyChainValidationService;
         this.certificateRepository = certificateRepository;
         this.deviceRepository = deviceRepository;
         this.acaCertificate = acaCertificate;
         this.tpm2ProvisionerStateRepository = tpm2ProvisionerStateRepository;
+        setPolicyRepository(policyRepository);
     }
 
     /**
@@ -107,6 +111,9 @@ public byte[] processCertificateRequest(final byte[] certificateRequest) {
             List<PlatformCredential> platformCredentials = parsePcsFromIdentityClaim(claim,
                     endorsementCredential, certificateRepository);
 
+            // Get LDevID public key if it exists
+            RSAPublicKey ldevidPub = ProvisionUtils.parsePublicKey(claim.getLdevidPublicArea().toByteArray());
+
             // Get device name and device
             String deviceName = claim.getDv().getNw().getHostname();
             Device device = deviceRepository.findByName(deviceName);
@@ -142,22 +149,31 @@ public byte[] processCertificateRequest(final byte[] certificateRequest) {
                 // Create signed, attestation certificate
                 X509Certificate attestationCertificate = generateCredential(akPub,
                         endorsementCredential, platformCredentials, deviceName, acaCertificate);
+                X509Certificate ldevidCertificate = generateCredential(ldevidPub,
+                        endorsementCredential, platformCredentials, deviceName, acaCertificate);
                 byte[] derEncodedAttestationCertificate = ProvisionUtils.getDerEncodedCertificate(
                         attestationCertificate);
+                byte[] derEncodedLdevidCertificate = ProvisionUtils.getDerEncodedCertificate(
+                        ldevidCertificate);
 
                 // We validated the nonce and made use of the identity claim so state can be deleted
                 tpm2ProvisionerStateRepository.delete(tpm2ProvisionerState);
 
-                // Package the signed certificate into a response
+                // Package the signed certificates into a response
                 ByteString certificateBytes = ByteString
                         .copyFrom(derEncodedAttestationCertificate);
+                ByteString ldevidCertificateBytes = ByteString
+                        .copyFrom(derEncodedLdevidCertificate);
                 ProvisionerTpm2.CertificateResponse response = ProvisionerTpm2.CertificateResponse
                         .newBuilder().setCertificate(certificateBytes)
+                        .setLdevidCertificate(ldevidCertificateBytes)
                         .setStatus(ProvisionerTpm2.ResponseStatus.PASS)
                         .build();
 
                 saveAttestationCertificate(certificateRepository, derEncodedAttestationCertificate,
-                        endorsementCredential, platformCredentials, device);
+                        endorsementCredential, platformCredentials, device, false);
+                saveAttestationCertificate(certificateRepository, derEncodedLdevidCertificate,
+                        endorsementCredential, platformCredentials, device, true);
 
                 return response.toByteArray();
             } else {
diff --git a/HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/AbstractUserdefinedEntityTest.java b/HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/AbstractUserdefinedEntityTest.java
index 01f1c7fb3..56ff99c82 100644
--- a/HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/AbstractUserdefinedEntityTest.java
+++ b/HIRS_AttestationCA/src/test/java/hirs/attestationca/persist/entity/userdefined/AbstractUserdefinedEntityTest.java
@@ -160,7 +160,7 @@ public static <T extends ArchivableEntity> Certificate getTestCertificate(
                 return new PlatformCredential(certPath);
             case "IssuedAttestationCertificate":
                 return new IssuedAttestationCertificate(certPath,
-                        endorsementCredential, platformCredentials);
+                        endorsementCredential, platformCredentials, false);
             default:
                 throw new IllegalArgumentException(
                         String.format("Unknown certificate class %s", certificateClass.getName())
diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/issued-certificates.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/issued-certificates.jsp
index 0c37bc8c4..c82a00ca3 100644
--- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/issued-certificates.jsp
+++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/issued-certificates.jsp
@@ -26,6 +26,7 @@
                 <thead>
                     <tr>
                         <th rowspan="2">Hostname</th>
+                        <th rowspan="2">Type</th>
                         <th rowspan="2">Issuer</th>
                         <th rowspan="2">Valid (begin)</th>
                         <th rowspan="2">Valid (end)</th>
@@ -51,6 +52,16 @@
                                 return full.deviceName;
                             }
                         },
+                        {
+                            data: 'isLDevID',
+                            searchable:false,
+                            render: function (data, type, full, meta) {
+                                if (data === true) {
+                                    return "LDevID";
+                                }
+                                return "AK";
+                            }
+                        },
                         {data: 'issuer'},
                         {
                             data: 'beginValidity',
diff --git a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp
index 077638da5..64ed88e90 100644
--- a/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp
+++ b/HIRS_AttestationCAPortal/src/main/webapp/WEB-INF/jsp/policy.jsp
@@ -189,7 +189,7 @@
             <br />
 
             <%-- Generate LDevID Certificate--%>
-            <div class="aca-input-box" style="display: none">
+            <div class="aca-input-box">
                 <form:form method="POST" modelAttribute="initialData" action="policy/update-issue-devid">
                     <li>Generate LDevID Certificate: ${initialData.issueDevIdCertificate ? 'Enabled' : 'Disabled'}
                         <my:editor id="issuedDevIdCertificatePolicyEditor" label="Edit Settings">
diff --git a/HIRS_AttestationCAPortal/src/main/webapp/common/common.js b/HIRS_AttestationCAPortal/src/main/webapp/common/common.js
index 3258ee066..26f5cf6ae 100644
--- a/HIRS_AttestationCAPortal/src/main/webapp/common/common.js
+++ b/HIRS_AttestationCAPortal/src/main/webapp/common/common.js
@@ -215,4 +215,4 @@ function formatCertificateDate(dateText) {
     }
 
     return new Date(date).toUTCString();
-}
+}
\ No newline at end of file
diff --git a/HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/PageControllerTest.java b/HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/PageControllerTest.java
index 597ef7ab9..7b70a1b92 100644
--- a/HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/PageControllerTest.java
+++ b/HIRS_AttestationCAPortal/src/test/java/hirs/attestationca/portal/page/PageControllerTest.java
@@ -169,7 +169,7 @@ public <T extends Certificate> Certificate getTestCertificate(
                 return new CertificateAuthorityCredential(fPath);
             case "IssuedAttestationCertificate":
                 return new IssuedAttestationCertificate(fPath,
-                        endorsementCredential, platformCredentials);
+                        endorsementCredential, platformCredentials, false);
             default:
                 throw new IllegalArgumentException(
                         String.format("Unknown certificate class %s", certificateClass.getName())
diff --git a/HIRS_Provisioner.NET/hirs/Resources/ProvisionerTpm2.proto b/HIRS_Provisioner.NET/hirs/Resources/ProvisionerTpm2.proto
index 719965603..53e125256 100644
--- a/HIRS_Provisioner.NET/hirs/Resources/ProvisionerTpm2.proto
+++ b/HIRS_Provisioner.NET/hirs/Resources/ProvisionerTpm2.proto
@@ -70,7 +70,8 @@ message IdentityClaim {
   optional bytes endorsement_credential = 4;
   repeated bytes platform_credential = 5;
   optional string client_version = 6;
-  optional string paccorOutput = 7;
+  optional string paccorOutput = 7; 
+  optional bytes ldevid_public_area = 8;
 }
 
 message TpmQuote {
@@ -96,5 +97,6 @@ message CertificateRequest {
 message CertificateResponse {
   optional bytes certificate = 1;
   optional ResponseStatus status = 2 [default = FAIL];
+  optional bytes ldevidCertificate = 3;
 }
 
diff --git a/HIRS_Provisioner.NET/hirs/src/client/Client.cs b/HIRS_Provisioner.NET/hirs/src/client/Client.cs
index f075ae2c8..8f60cb0e5 100644
--- a/HIRS_Provisioner.NET/hirs/src/client/Client.cs
+++ b/HIRS_Provisioner.NET/hirs/src/client/Client.cs
@@ -69,7 +69,7 @@ public async Task<IdentityClaimResponse> PostIdentityClaim(IdentityClaim identit
 
         public IdentityClaim CreateIdentityClaim(DeviceInfo dv, byte[] akPublicArea, byte[] ekPublicArea,
                                        byte[] endorsementCredential, List<byte[]> platformCredentials,
-                                       string paccoroutput) {
+                                       string paccoroutput, byte[] ldevidPublicArea) {
             IdentityClaim identityClaim = new();
             identityClaim.Dv = dv;
             identityClaim.AkPublicArea = ByteString.CopyFrom(akPublicArea);
@@ -81,6 +81,7 @@ public IdentityClaim CreateIdentityClaim(DeviceInfo dv, byte[] akPublicArea, byt
                 }
             }
             identityClaim.PaccorOutput = paccoroutput;
+            identityClaim.LdevidPublicArea = ByteString.CopyFrom(ldevidPublicArea);
             
             return identityClaim;
         }
diff --git a/HIRS_Provisioner.NET/hirs/src/client/IHirsAcaClient.cs b/HIRS_Provisioner.NET/hirs/src/client/IHirsAcaClient.cs
index 837beafeb..1b1942497 100644
--- a/HIRS_Provisioner.NET/hirs/src/client/IHirsAcaClient.cs
+++ b/HIRS_Provisioner.NET/hirs/src/client/IHirsAcaClient.cs
@@ -36,10 +36,12 @@ public interface IHirsAcaClient {
         /// <param name="platformCredentials">Any platform certificates relevant to the Device,
         /// encoded in DER or PEM.</param>
         /// <param name="paccoroutput">Platform Manifest in a JSON format.</param>
+        /// <param name="ldevidPublicArea">The public LDevID retrieved as a TPM2B_PUBLIC.</param>
         /// <returns>An <see cref="IdentityClaim"/> object that can be sent to the ACA.</returns>
         IdentityClaim CreateIdentityClaim(DeviceInfo dv, byte[] akPublicArea, byte[] ekPublicArea,
                                        byte[] endorsementCredential,
-                                       List<byte[]> platformCredentials, string paccoroutput);
+                                       List<byte[]> platformCredentials, string paccoroutput,
+                                       byte[] ldevidPublicArea);
         /// <summary>
         /// Collect answers to verification requirements regarding a Device into an object that
         /// can be interpreted by the ACA.
diff --git a/HIRS_Provisioner.NET/hirs/src/config/CLI.cs b/HIRS_Provisioner.NET/hirs/src/config/CLI.cs
index 33168c882..588214f0a 100644
--- a/HIRS_Provisioner.NET/hirs/src/config/CLI.cs
+++ b/HIRS_Provisioner.NET/hirs/src/config/CLI.cs
@@ -32,6 +32,11 @@ public bool ReplaceAK {
             get; set;
         }
 
+        [Option("replaceLDevID", Default = false, HelpText = "Clear any existing hirs LDevID and create a new one.")]
+        public bool ReplaceLDevID {
+            get; set;
+        }
+
         public static string[] SplitArgs(string argString) {
             return argString.SplitArgs(true);
         }
diff --git a/HIRS_Provisioner.NET/hirs/src/config/Settings.cs b/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
index d9bd28dce..3b7ece227 100644
--- a/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
+++ b/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
@@ -270,7 +270,7 @@ private void CheckAutoDetectTpm() {
 
         #region EFI
         private void CheckEfiPrefix() {
-            if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.efi_prefix.ToString()])) {
+            if (configFromSettingsFile[Options.efi_prefix.ToString()] != null) {
                 Log.Debug("Checking EFI Prefix setting.");
                 efi_prefix = $"{ configFromSettingsFile[Options.efi_prefix.ToString()] }";
                 if (string.IsNullOrWhiteSpace(efi_prefix)) { // If not explicitly set in appsettings, try to use default EFI location on Linux
diff --git a/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs b/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
index adb651550..8c11fc395 100644
--- a/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
+++ b/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
@@ -16,7 +16,7 @@ public class Provisioner : IHirsProvisioner {
         private IHirsAcaClient acaClient = null;
         
         private const string DefaultCertFileName = "attestationkey.pem";
-
+        private const string DefaultLDevIDCertFileName = "ldevid.pem";
 
         public Provisioner() {
         }
@@ -140,6 +140,16 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
 
                 Log.Debug("Gathering AK PUBLIC.");
                 byte[] akPublicArea = tpm.ReadPublicArea(CommandTpm.DefaultAkHandle, out name, out qualifiedName);
+                
+                Log.Debug("Checking SRK PUBLIC");
+                tpm.CreateStorageRootKey(CommandTpm.DefaultSrkHandle); // Will not create key if obj already exists at handle
+                byte[] srkPublicArea = tpm.ReadPublicArea(CommandTpm.DefaultSrkHandle, out byte[] name2, out byte[] qualifiedName2);
+
+                Log.Information("----> " + (cli.ReplaceLDevID ? "Creating new" : "Verifying existence of") + " LDevID Key.");
+                tpm.CreateLDevIDKey(CommandTpm.DefaultSrkHandle, CommandTpm.DefaultLDevIDHandle, cli.ReplaceLDevID);
+
+                Log.Debug("Gathering LDevID PUBLIC.");
+                byte[] ldevidPublicArea = tpm.ReadPublicArea(CommandTpm.DefaultLDevIDHandle, out name, out qualifiedName);
 
                 List<byte[]> pcs = null, baseRims = null, supportRimELs = null, supportRimPCRs = null;
                 if (settings.HasEfiPrefix()) {
@@ -210,7 +220,7 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                 dv.Pcrslist = ByteString.CopyFromUtf8(pcrsList);
 
                 Log.Debug("Create identity claim");
-                IdentityClaim idClaim = acaClient.CreateIdentityClaim(dv, akPublicArea, ekPublicArea, ekc, pcs, manifest);
+                IdentityClaim idClaim = acaClient.CreateIdentityClaim(dv, akPublicArea, ekPublicArea, ekc, pcs, manifest, ldevidPublicArea);
 
                 Log.Information("----> Sending identity claim to Attestation CA");
                 IdentityClaimResponse icr = await acaClient.PostIdentityClaim(idClaim);
@@ -284,20 +294,38 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                         certificate = cr.Certificate.ToByteArray(); // contains certificate
                         String certificateDirPath = settings.efi_prefix;
                         if (certificateDirPath != null) {
-                            String certificateFilePath =  certificateFilePath = certificateDirPath + DefaultCertFileName;
+                            String certificateFilePath = certificateDirPath + DefaultCertFileName;
                             try {
                                 if (!Directory.Exists(certificateDirPath)) {
                                     Directory.CreateDirectory(certificateDirPath);
                                 }
                                 File.WriteAllBytes(certificateFilePath, certificate);
-                                Log.Debug("Certificate written to local file system: ", certificateFilePath);
+                                Log.Debug("Attestation key certificate written to local file system: {0}", certificateFilePath);
                             }
                             catch (Exception) {
-                                Log.Debug("Failed to write certificate to local file system.");
+                                Log.Debug("Failed to write attestation key certificate to local file system.");
                             }
                         }
                         Log.Debug("Printing attestation key certificate: " + BitConverter.ToString(certificate));
                     }
+                    if (cr.HasLdevidCertificate) {
+                        certificate = cr.LdevidCertificate.ToByteArray(); // contains certificate
+                        String certificateDirPath = settings.efi_prefix;
+                        if (certificateDirPath != null) {
+                            String certificateFilePath = certificateDirPath + DefaultLDevIDCertFileName;
+                            try {
+                                if (!Directory.Exists(certificateDirPath)) {
+                                    Directory.CreateDirectory(certificateDirPath);
+                                }
+                                File.WriteAllBytes(certificateFilePath, certificate);
+                                Log.Debug("LDevID certificate written to local file system: {0}", certificateFilePath);
+                            }
+                            catch (Exception) {
+                                Log.Debug("Failed to write LDevID certificate to local file system.");
+                            }
+                        }
+                        Log.Debug("Printing LDevID certificate: " + BitConverter.ToString(certificate));
+                    }
                 } else {
                     result = ClientExitCodes.MAKE_CREDENTIAL_BLOB_MALFORMED;
                     Log.Error("Credential elements could not be extracted from the ACA's response.");
diff --git a/HIRS_Provisioner.NET/hirs/src/tpm/CommandTpm.cs b/HIRS_Provisioner.NET/hirs/src/tpm/CommandTpm.cs
index 82af26a31..344a7e4cb 100644
--- a/HIRS_Provisioner.NET/hirs/src/tpm/CommandTpm.cs
+++ b/HIRS_Provisioner.NET/hirs/src/tpm/CommandTpm.cs
@@ -1,4 +1,5 @@
-using Serilog;
+using Newtonsoft.Json.Converters;
+using Serilog;
 using System;
 using System.Collections.Generic;
 using System.Diagnostics;
@@ -25,6 +26,8 @@ public enum Devices {
         public const uint DefaultEkcNvIndex = 0x1c00002;
         public const uint DefaultEkHandle = 0x81010001;
         public const uint DefaultAkHandle = 0x81010002;
+        public const uint DefaultSrkHandle = 0x81000001;
+        public const uint DefaultLDevIDHandle = 0x81000002;
         
         private readonly Tpm2 tpm;
 
@@ -197,6 +200,20 @@ public static TpmPublic GenerateEKTemplateL1() {
             return inPublic;
         }
 
+        public static TpmPublic GenerateSRKTemplateL1() {
+            TpmAlgId nameAlg = TpmAlgId.Sha256;
+            ObjectAttr attributes = ObjectAttr.FixedTPM | ObjectAttr.FixedParent | ObjectAttr.SensitiveDataOrigin | ObjectAttr.UserWithAuth | ObjectAttr.Restricted | ObjectAttr.Decrypt | ObjectAttr.NoDA;
+            byte[] auth_policy = null;
+            // ASYM: RSA 2048 with NULL scheme, SYM: AES-128 with CFB mode
+            RsaParms rsa = new(new SymDefObject(TpmAlgId.Aes, 128, TpmAlgId.Cfb), new NullAsymScheme(), 2048, 0);
+            // unique buffer must be filled with 0 for the EK Template L-1.
+            byte[] zero256 = new byte[256];
+            Array.Fill<byte>(zero256, 0x00);
+            Tpm2bPublicKeyRsa unique = new(zero256);
+            TpmPublic inPublic = new(nameAlg, attributes, auth_policy, rsa, unique);
+            return inPublic;
+        }
+
         public void CreateEndorsementKey(uint ekHandleInt) {
             TpmHandle ekHandle = new(ekHandleInt);
 
@@ -247,6 +264,25 @@ private static TpmPublic GenerateAKTemplate(TpmAlgId nameAlg) {
             return inPublic;
         }
 
+        private static RsaParms LDevIDRSAParms() {
+            TpmAlgId digestAlg = TpmAlgId.Sha256;
+            RsaParms parms = new(new SymDefObject(TpmAlgId.Null, 0, TpmAlgId.Null), new SchemeRsassa(digestAlg), 2048, 0);
+            return parms;
+        }
+
+        private static ObjectAttr LDevIDAttributes() {
+            ObjectAttr attrib =  ObjectAttr.Sign | ObjectAttr.FixedParent | ObjectAttr.FixedTPM
+                    | ObjectAttr.SensitiveDataOrigin | ObjectAttr.UserWithAuth;
+            return attrib;
+        }
+
+        private static TpmPublic GenerateLDevIDTemplate(TpmAlgId nameAlg) {
+            RsaParms rsa = LDevIDRSAParms();
+            ObjectAttr attributes = LDevIDAttributes();
+            TpmPublic inPublic = new(nameAlg, attributes, null, rsa, new Tpm2bPublicKeyRsa());
+            return inPublic;
+        }
+
         public void CreateAttestationKey(uint ekHandleInt, uint akHandleInt, bool replace) {
             TpmHandle ekHandle = new(ekHandleInt);
             TpmHandle akHandle = new(akHandleInt);
@@ -298,6 +334,88 @@ public void CreateAttestationKey(uint ekHandleInt, uint akHandleInt, bool replac
             tpm.FlushContext(sessEK);
         }
 
+        public void CreateStorageRootKey(uint srkHandleInt) {
+            TpmHandle srkHandle = new(srkHandleInt);
+
+            TpmPublic existingObject;
+            try {
+                existingObject = tpm.ReadPublic(srkHandle, out byte[] name, out byte[] qualifiedName);
+                Log.Debug("SRK already exists.");
+                return;
+            } catch (TpmException) {
+                Log.Debug("Verified SRK does not exist at expected handle. Creating SRK.");
+            }
+
+            SensitiveCreate inSens = new(); // key password (no params = no key password)
+            TpmPublic inPublic = CommandTpm.GenerateSRKTemplateL1(); 
+
+            TpmHandle newTransientSrkHandle = tpm.CreatePrimary(TpmRh.Owner, inSens, inPublic,
+                                                new byte[] { }, new PcrSelection[] { }, out TpmPublic outPublic,
+                                                out CreationData creationData, out byte[] creationHash, out TkCreation ticket);
+
+            Log.Debug("New SRK Handle: " + BitConverter.ToString(newTransientSrkHandle));
+            Log.Debug("New SRK PUB Name: " + BitConverter.ToString(outPublic.GetName()));
+            Log.Debug("New SRK PUB 2BREP: " + BitConverter.ToString(outPublic.GetTpm2BRepresentation()));
+
+            // Make the object persistent
+            tpm.EvictControl(TpmRh.Owner, newTransientSrkHandle, srkHandle);
+            Log.Debug("Successfully made the new SRK persistent at handle " + BitConverter.ToString(srkHandle) + ".");
+
+            tpm.FlushContext(newTransientSrkHandle);
+            Log.Debug("Flushed the context for the transient SRK.");
+        }
+
+        public void CreateLDevIDKey(uint srkHandleInt, uint ldevidHandleInt, bool replace) {
+            TpmHandle srkHandle = new(srkHandleInt);
+            TpmHandle ldevidHandle = new(ldevidHandleInt);
+
+            TpmPublic existingObject = null;
+            try {
+                existingObject = tpm.ReadPublic(ldevidHandle, out byte[] name, out byte[] qualifiedName);
+            } catch { }
+
+            if (!replace && existingObject != null) {
+                // Do Nothing
+                Log.Debug("LDevID exists at expected handle. Flag to not replace the LDevID is set in the settings file.");
+                return;
+            } else if (replace && existingObject != null) {
+                // Clear the object and continue
+                tpm.EvictControl(TpmRh.Owner, ldevidHandle, ldevidHandle);
+                Log.Debug("Removed previous LDevID.");
+            }  
+
+            // Create a new key and make it persistent at ldevidHandle
+            TpmAlgId nameAlg = TpmAlgId.Sha256;
+
+            SensitiveCreate inSens = new();
+            TpmPublic inPublic = GenerateLDevIDTemplate(nameAlg);
+
+            /*var policySRK = new PolicyTree(nameAlg);
+            policySRK.SetPolicyRoot(new TpmPolicySecret(TpmRh.Owner, false, 0, null, null));
+
+            AuthSession sessSRK = tpm.StartAuthSessionEx(TpmSe.Policy, nameAlg);
+            sessSRK.RunPolicy(tpm, policySRK);*/
+
+            TpmPrivate kLDevID = tpm.Create(srkHandle, inSens, inPublic, null, null, out TpmPublic outPublic,
+                                            out CreationData creationData, out byte[] creationHash, out TkCreation ticket);
+
+            Log.Debug("New LDevID PUB Name: " + BitConverter.ToString(outPublic.GetName()));
+            Log.Debug("New LDevID PUB 2BREP: " + BitConverter.ToString(outPublic.GetTpm2BRepresentation()));
+            Log.Debug("New LDevID PUB unique: " + BitConverter.ToString((Tpm2bPublicKeyRsa)(outPublic.unique)));
+
+            /*tpm.FlushContext(sessSRK);
+
+            sessSRK = tpm.StartAuthSessionEx(TpmSe.Policy, nameAlg);
+            sessSRK.RunPolicy(tpm, policySRK);*/
+
+            TpmHandle hLDevID = tpm.Load(srkHandle, kLDevID, outPublic);
+
+            tpm.EvictControl(TpmRh.Owner, hLDevID, ldevidHandle);
+            Log.Debug("Created and persisted new LDevID at handle 0x" + ldevidHandle.handle.ToString("X") + ".");
+
+            //tpm.FlushContext(sessSRK);
+        }
+
         public Tpm2bDigest[] GetPcrList(TpmAlgId pcrBankDigestAlg, uint[] pcrs = null) {
             if (pcrs == null) {
                 pcrs = new uint[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23 };
diff --git a/HIRS_Provisioner.NET/hirs/src/tpm/IHirsAcaTpm.cs b/HIRS_Provisioner.NET/hirs/src/tpm/IHirsAcaTpm.cs
index 9749ee9fe..624442638 100644
--- a/HIRS_Provisioner.NET/hirs/src/tpm/IHirsAcaTpm.cs
+++ b/HIRS_Provisioner.NET/hirs/src/tpm/IHirsAcaTpm.cs
@@ -9,6 +9,8 @@ public interface IHirsAcaTpm {
         TpmPublic ReadPublicArea(uint handleInt, out byte[] name, out byte[] qualifiedName);
         void CreateEndorsementKey(uint ekHandleInt);
         void CreateAttestationKey(uint ekHandleInt, uint akHandleInt, bool replace);
+        void CreateStorageRootKey(uint srkHandleInt);
+        void CreateLDevIDKey(uint srkHandleInt, uint ldevidHandleInt, bool replace);
         Tpm2bDigest[] GetPcrList(TpmAlgId pcrBankDigestAlg, uint[] pcrs = null);
         void GetQuote(uint akHandleInt, TpmAlgId pcrBankDigestAlg, byte[] nonce, out CommandTpmQuoteResponse ctqr, uint[] pcrs = null);
         byte[] ActivateCredential(uint akHandleInt, uint ekHandleInt, byte[] integrityHMAC, byte[] encIdentity, byte[] encryptedSecret);
diff --git a/HIRS_Provisioner.NET/hirsTest/src/client/ClientTests.cs b/HIRS_Provisioner.NET/hirsTest/src/client/ClientTests.cs
index 9529efdeb..64fb03926 100644
--- a/HIRS_Provisioner.NET/hirsTest/src/client/ClientTests.cs
+++ b/HIRS_Provisioner.NET/hirsTest/src/client/ClientTests.cs
@@ -16,12 +16,13 @@ public void TestCreateIdentityClaim() {
             DeviceInfo dv = new DeviceInfo();
             byte[] akPub = new byte[] { };
             byte[] ekPub = new byte[] { };
+            byte[] ldevidPub = new byte[] { };
             byte[] ekc = new byte[] { };
             List<byte[]> pcs = new List<byte[]>();
             pcs.Add(new byte[] { });
             string componentList= "";
 
-            IdentityClaim obj = client.CreateIdentityClaim(dv, akPub, ekPub, ekc, pcs, componentList);
+            IdentityClaim obj = client.CreateIdentityClaim(dv, akPub, ekPub, ekc, pcs, componentList, ldevidPub);
             Assert.Multiple(() => {
                 Assert.That(obj.Dv, Is.Not.Null);
                 Assert.That(obj.HasAkPublicArea, Is.True);
@@ -29,6 +30,7 @@ public void TestCreateIdentityClaim() {
                 Assert.That(obj.HasEndorsementCredential, Is.True);
                 Assert.That(obj.PlatformCredential, Has.Count.EqualTo(1));
                 Assert.That(obj.HasPaccorOutput, Is.True);
+                Assert.That(obj.HasLdevidPublicArea, Is.True);
             });
         }
 
diff --git a/HIRS_Provisioner.NET/hirsTest/src/provisioner/ProvisionerTests.cs b/HIRS_Provisioner.NET/hirsTest/src/provisioner/ProvisionerTests.cs
index 4236c62fc..b60e777ca 100644
--- a/HIRS_Provisioner.NET/hirsTest/src/provisioner/ProvisionerTests.cs
+++ b/HIRS_Provisioner.NET/hirsTest/src/provisioner/ProvisionerTests.cs
@@ -21,6 +21,8 @@ public async Task TestGoodAsync() {
             byte[] credentialBlob = Convert.FromBase64String("OAAAIFQLXnXNUZTQNcNF367cJoRNCCwZSCz+tet07q+R0SKN6e2oGBsK3H9Vzbj667ZsjnVOtvpSpQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATXpL5zl/ET0XcndP3MQSOBUwrjZIrtCgJ0tvMk+8mCVC+S8H3L+XLRCus0ANH6tCLF+U5QGEonRisawIpTksACyZifpu7DIl8DCq2Z9XHeIM1zm2REIpkKFoEhEGzzu636VJ9VHyPCuUs5lBVE8XOV9w/MxaJ2hAaekAo7XS3oChoIqAg3EBXc9tGNDxQGtSLboO2G2XQhaX4ree9HkEIp5qnVa8ojcp+gi0HTICHo7gcaBKaE0lrMweXhShHZ+YP/vMHL4aekaTQUNIYpBfuuvPEzlSv4/J9yQ8ClZbSf1jR41TvpcWtmiyDCUYLOWUbs7s+jkjH9dCqiY0lmRNOM=");
             TpmPublic ekPublic = CommandTpm.GenerateEKTemplateL1();
             TpmPublic akPublic = new(TpmAlgId.Sha256, ObjectAttr.None, System.Text.Encoding.UTF8.GetBytes("AK PUBLIC AUTH POLICY"), new RsaParms(new SymDefObject(TpmAlgId.Null, 0, TpmAlgId.Null), new SchemeRsassa(TpmAlgId.Sha256), 2048, 0), new Tpm2bPublicKeyRsa());
+            TpmPublic srkPublic = CommandTpm.GenerateSRKTemplateL1();
+            TpmPublic ldevidPublic = new(TpmAlgId.Sha256, ObjectAttr.None, System.Text.Encoding.UTF8.GetBytes("LDEVID PUBLIC AUTH POLICY"), new RsaParms(new SymDefObject(TpmAlgId.Null, 0, TpmAlgId.Null), new SchemeRsassa(TpmAlgId.Sha256), 2048, 0), new Tpm2bPublicKeyRsa());
             Tpm2bDigest[] sha1Values = new Tpm2bDigest[] { new Tpm2bDigest(System.Text.Encoding.UTF8.GetBytes("SHA1 DIGEST1")) };
             Tpm2bDigest[] sha256Values = new Tpm2bDigest[] { new Tpm2bDigest(System.Text.Encoding.UTF8.GetBytes("SHA256 DIGEST1")) };
             DeviceInfo dv = new();
@@ -33,7 +35,7 @@ public async Task TestGoodAsync() {
             CertificateResponse certResp = new();
             certResp.Status = ResponseStatus.Pass;
             certResp.Certificate = Google.Protobuf.ByteString.CopyFrom(acaIssuedCert);
-
+            
             IHirsAcaTpm tpm = A.Fake<IHirsAcaTpm>();
             byte[] name = null, qualifiedName = null;
             A.CallTo(() => tpm.GetCertificateFromNvIndex(CommandTpm.DefaultEkcNvIndex)).Returns(ekCert);
@@ -41,6 +43,10 @@ public async Task TestGoodAsync() {
             A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultEkHandle, out name, out qualifiedName)).Returns(ekPublic);
             A.CallTo(() => tpm.CreateAttestationKey(CommandTpm.DefaultEkHandle, CommandTpm.DefaultAkHandle, false)).DoesNothing();
             A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultAkHandle, out name, out qualifiedName)).Returns(akPublic);
+            A.CallTo(() => tpm.CreateStorageRootKey(CommandTpm.DefaultSrkHandle)).DoesNothing();
+            A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultSrkHandle, out name, out qualifiedName)).Returns(srkPublic);
+            A.CallTo(() => tpm.CreateLDevIDKey(CommandTpm.DefaultSrkHandle, CommandTpm.DefaultLDevIDHandle, false)).DoesNothing();
+            A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultLDevIDHandle, out name, out qualifiedName)).Returns(ldevidPublic);
             //A.CallTo(() => tpm.getPcrList(TpmAlgId.Sha1, A<uint[]>.Ignored)).Returns(sha1Values);
             //A.CallTo(() => tpm.getPcrList(TpmAlgId.Sha256, A<uint[]>.Ignored)).Returns(sha256Values);
             A.CallTo(() => tpm.GetQuote(CommandTpm.DefaultAkHandle, TpmAlgId.Sha256, secret, out ctqr, A<uint[]>.Ignored)).DoesNothing();
@@ -49,7 +55,7 @@ public async Task TestGoodAsync() {
             A.CallTo(() => collector.CollectDeviceInfo(address)).Returns(dv);
 
             IHirsAcaClient client = A.Fake<IHirsAcaClient>();
-            IdentityClaim idClaim = client.CreateIdentityClaim(dv, akPublic, ekPublic, ekCert, null, paccorOutput);
+            IdentityClaim idClaim = client.CreateIdentityClaim(dv, akPublic, ekPublic, ekCert, null, paccorOutput, ldevidPublic);
             CertificateRequest certReq = client.CreateAkCertificateRequest(secret, ctqr);
             A.CallTo(() => client.PostIdentityClaim(idClaim)).Returns(Task.FromResult<IdentityClaimResponse>(idClaimResp));
             A.CallTo(() => client.PostCertificateRequest(certReq)).Returns(Task.FromResult<CertificateResponse>(certResp));
@@ -79,6 +85,8 @@ public async Task TestIssueWithIdentityClaimResponse() {
             byte[] acaIssuedCert = Encoding.UTF8.GetBytes("ACA ISSUED CERTIFICATE");
             TpmPublic ekPublic = CommandTpm.GenerateEKTemplateL1();
             TpmPublic akPublic = new(TpmAlgId.Sha256, ObjectAttr.None, System.Text.Encoding.UTF8.GetBytes("AK PUBLIC AUTH POLICY"), new RsaParms(new SymDefObject(TpmAlgId.Null, 0, TpmAlgId.Null), new SchemeRsassa(TpmAlgId.Sha256), 2048, 0), new Tpm2bPublicKeyRsa());
+            TpmPublic srkPublic = CommandTpm.GenerateSRKTemplateL1();
+            TpmPublic ldevidPublic = new(TpmAlgId.Sha256, ObjectAttr.None, System.Text.Encoding.UTF8.GetBytes("LDEVID PUBLIC AUTH POLICY"), new RsaParms(new SymDefObject(TpmAlgId.Null, 0, TpmAlgId.Null), new SchemeRsassa(TpmAlgId.Sha256), 2048, 0), new Tpm2bPublicKeyRsa());
             Tpm2bDigest[] sha1Values = new Tpm2bDigest[] { new Tpm2bDigest(System.Text.Encoding.UTF8.GetBytes("SHA1 DIGEST1")) };
             Tpm2bDigest[] sha256Values = new Tpm2bDigest[] { new Tpm2bDigest(System.Text.Encoding.UTF8.GetBytes("SHA256 DIGEST1")) };
             DeviceInfo dv = new();
@@ -93,6 +101,10 @@ public async Task TestIssueWithIdentityClaimResponse() {
             A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultEkHandle, out name, out qualifiedName)).Returns(ekPublic);
             A.CallTo(() => tpm.CreateAttestationKey(CommandTpm.DefaultEkHandle, CommandTpm.DefaultAkHandle, false)).DoesNothing();
             A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultAkHandle, out name, out qualifiedName)).Returns(ekPublic);
+            A.CallTo(() => tpm.CreateStorageRootKey(CommandTpm.DefaultSrkHandle)).DoesNothing();
+            A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultSrkHandle, out name, out qualifiedName)).Returns(srkPublic);
+            A.CallTo(() => tpm.CreateLDevIDKey(CommandTpm.DefaultSrkHandle, CommandTpm.DefaultLDevIDHandle, false)).DoesNothing();
+            A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultLDevIDHandle, out name, out qualifiedName)).Returns(ldevidPublic);
             A.CallTo(() => tpm.GetPcrList(TpmAlgId.Sha1, A<uint[]>.Ignored)).Returns(sha1Values);
             A.CallTo(() => tpm.GetPcrList(TpmAlgId.Sha256, A<uint[]>.Ignored)).Returns(sha256Values);
 
@@ -100,7 +112,7 @@ public async Task TestIssueWithIdentityClaimResponse() {
             A.CallTo(() => collector.CollectDeviceInfo(address)).Returns(dv);
 
             IHirsAcaClient client = A.Fake<IHirsAcaClient>();
-            IdentityClaim idClaim = client.CreateIdentityClaim(dv, akPublic, ekPublic, ekCert, null, paccorOutput);
+            IdentityClaim idClaim = client.CreateIdentityClaim(dv, akPublic, ekPublic, ekCert, null, paccorOutput, ldevidPublic);
             A.CallTo(() => client.PostIdentityClaim(idClaim)).WithAnyArguments().Returns(Task.FromResult<IdentityClaimResponse>(idClaimResp));
 
             Settings settings = Settings.LoadSettingsFromFile("./Resources/test/settings_test/appsettings.json");
diff --git a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto
index 719965603..aa432b9eb 100644
--- a/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto
+++ b/HIRS_ProvisionerTPM2/src/ProvisionerTpm2.proto
@@ -71,6 +71,7 @@ message IdentityClaim {
   repeated bytes platform_credential = 5;
   optional string client_version = 6;
   optional string paccorOutput = 7;
+  optional bytes ldevid_public_area = 8;
 }
 
 message TpmQuote {
@@ -96,5 +97,6 @@ message CertificateRequest {
 message CertificateResponse {
   optional bytes certificate = 1;
   optional ResponseStatus status = 2 [default = FAIL];
+  optional bytes ldevidCertificate = 3;
 }
 

From abb6200662eb71a8e2ecc1cb3d51274f4a426a33 Mon Sep 17 00:00:00 2001
From: iadgovuser59 <133057011+iadgovuser59@users.noreply.github.com>
Date: Mon, 22 Jul 2024 09:28:25 -0400
Subject: [PATCH 2/8] Removing unused reference

---
 .../hirs/attestationca/persist/provision/AbstractProcessor.java  | 1 -
 1 file changed, 1 deletion(-)

diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java
index 6c83221e7..ff718f3e7 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java
@@ -9,7 +9,6 @@
 import hirs.attestationca.persist.entity.userdefined.PolicySettings;
 import hirs.attestationca.persist.entity.userdefined.certificate.EndorsementCredential;
 import hirs.attestationca.persist.entity.userdefined.certificate.IssuedAttestationCertificate;
-import hirs.attestationca.persist.entity.userdefined.certificate.IssuedLDevIDCertificate;
 import hirs.attestationca.persist.entity.userdefined.certificate.PlatformCredential;
 import hirs.attestationca.persist.exceptions.CertificateProcessingException;
 import hirs.attestationca.persist.provision.helper.CredentialManagementHelper;

From 8b92b31e5c256b9c340fb5a90a2e097829f4d0e4 Mon Sep 17 00:00:00 2001
From: iadgovuser29 <33426478+iadgovuser29@users.noreply.github.com>
Date: Fri, 26 Jul 2024 11:47:17 -0400
Subject: [PATCH 3/8] Minor addition to gitignore

---
 .gitignore | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 1b6f15f82..2c53397cb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-# compiled python for systems tests
+# compiled python for systems testsG
 *.pyc
 *.pydevproject
 
@@ -146,4 +146,5 @@ HIRS_Provisioner.NET/**/.vs
 HIRS_Provisioner.NET/**/bin
 HIRS_Provisioner.NET/**/generated
 HIRS_Provisioner.NET/**/obj
+HIRS_Provisioner.NET/**/plugins
 HIRS_Provisioner.NET/**/PublishProfiles

From b152a3421cf1e67c113f3be8d650b10b62d57b89 Mon Sep 17 00:00:00 2001
From: iadgovuser59 <133057011+iadgovuser59@users.noreply.github.com>
Date: Mon, 5 Aug 2024 10:58:27 -0400
Subject: [PATCH 4/8] Saving LDevID to local key files

---
 .../persist/provision/AbstractProcessor.java  |  7 +-
 .../CertificateRequestProcessor.java          | 85 +++++++++++++------
 HIRS_Provisioner.NET/hirs/appsettings.json    |  1 +
 .../hirs/src/client/Client.cs                 |  4 +-
 .../hirs/src/config/Settings.cs               | 31 ++++++-
 .../hirs/src/provisioner/Provisioner.cs       | 11 ++-
 .../hirs/src/tpm/CommandTpm.cs                | 50 ++++-------
 .../hirs/src/tpm/IHirsAcaTpm.cs               |  3 +-
 .../src/provisioner/ProvisionerTests.cs       |  6 +-
 9 files changed, 126 insertions(+), 72 deletions(-)

diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java
index ff718f3e7..0f59637a5 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/AbstractProcessor.java
@@ -236,10 +236,11 @@ private EndorsementCredential getEndorsementCredential(
      * @param platformCredentials the platform credentials used to generate the AC
      * @param device the device to which the attestation certificate is tied
      * @param isLDevID whether the certificate is a ldevid
+     * @return whether the certificate was saved successfully
      * @throws {@link CertificateProcessingException} if error occurs in persisting the Attestation
      *                                             Certificate
      */
-    public void saveAttestationCertificate(final CertificateRepository certificateRepository,
+    public boolean saveAttestationCertificate(final CertificateRepository certificateRepository,
                                            final byte[] derEncodedAttestationCertificate,
                                             final EndorsementCredential endorsementCredential,
                                             final List<PlatformCredential> platformCredentials,
@@ -264,7 +265,7 @@ public void saveAttestationCertificate(final CertificateRepository certificateRe
                 generateCertificate = isLDevID ? policySettings.isIssueDevIdCertificate()
                         : policySettings.isIssueAttestationCertificate();
 
-                if (issuedAc != null && (isLDevID ? policySettings.isDevIdExpirationFlag()
+                if (issuedAc != null && issuedAc.size() > 0 && (isLDevID ? policySettings.isDevIdExpirationFlag()
                         : policySettings.isGenerateOnExpiration())) {
                     if (issuedAc.get(0).getEndValidity().after(currentDate)) {
                         // so the issued AC is not expired
@@ -291,6 +292,8 @@ public void saveAttestationCertificate(final CertificateRepository certificateRe
                     "Encountered error while storing Attestation Certificate: "
                             + e.getMessage(), e);
         }
+
+        return generateCertificate;
     }
 
     private List<PlatformCredential> getPlatformCredentials(final CertificateRepository certificateRepository,
diff --git a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/CertificateRequestProcessor.java b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/CertificateRequestProcessor.java
index fb9cd00e8..571e8ae04 100644
--- a/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/CertificateRequestProcessor.java
+++ b/HIRS_AttestationCA/src/main/java/hirs/attestationca/persist/provision/CertificateRequestProcessor.java
@@ -112,7 +112,10 @@ public byte[] processCertificateRequest(final byte[] certificateRequest) {
                     endorsementCredential, certificateRepository);
 
             // Get LDevID public key if it exists
-            RSAPublicKey ldevidPub = ProvisionUtils.parsePublicKey(claim.getLdevidPublicArea().toByteArray());
+            RSAPublicKey ldevidPub = null;
+            if (claim.hasLdevidPublicArea()) {
+                ldevidPub = ProvisionUtils.parsePublicKey(claim.getLdevidPublicArea().toByteArray());
+            }
 
             // Get device name and device
             String deviceName = claim.getDv().getNw().getHostname();
@@ -149,33 +152,63 @@ public byte[] processCertificateRequest(final byte[] certificateRequest) {
                 // Create signed, attestation certificate
                 X509Certificate attestationCertificate = generateCredential(akPub,
                         endorsementCredential, platformCredentials, deviceName, acaCertificate);
-                X509Certificate ldevidCertificate = generateCredential(ldevidPub,
-                        endorsementCredential, platformCredentials, deviceName, acaCertificate);
-                byte[] derEncodedAttestationCertificate = ProvisionUtils.getDerEncodedCertificate(
-                        attestationCertificate);
-                byte[] derEncodedLdevidCertificate = ProvisionUtils.getDerEncodedCertificate(
-                        ldevidCertificate);
-
-                // We validated the nonce and made use of the identity claim so state can be deleted
-                tpm2ProvisionerStateRepository.delete(tpm2ProvisionerState);
-
-                // Package the signed certificates into a response
-                ByteString certificateBytes = ByteString
-                        .copyFrom(derEncodedAttestationCertificate);
-                ByteString ldevidCertificateBytes = ByteString
-                        .copyFrom(derEncodedLdevidCertificate);
-                ProvisionerTpm2.CertificateResponse response = ProvisionerTpm2.CertificateResponse
-                        .newBuilder().setCertificate(certificateBytes)
-                        .setLdevidCertificate(ldevidCertificateBytes)
-                        .setStatus(ProvisionerTpm2.ResponseStatus.PASS)
-                        .build();
+                if (ldevidPub != null) {
+                    // Create signed LDevID certificate
+                    X509Certificate ldevidCertificate = generateCredential(ldevidPub,
+                            endorsementCredential, platformCredentials, deviceName, acaCertificate);
+                    byte[] derEncodedAttestationCertificate = ProvisionUtils.getDerEncodedCertificate(
+                            attestationCertificate);
+                    byte[] derEncodedLdevidCertificate = ProvisionUtils.getDerEncodedCertificate(
+                            ldevidCertificate);
 
-                saveAttestationCertificate(certificateRepository, derEncodedAttestationCertificate,
-                        endorsementCredential, platformCredentials, device, false);
-                saveAttestationCertificate(certificateRepository, derEncodedLdevidCertificate,
-                        endorsementCredential, platformCredentials, device, true);
+                    // We validated the nonce and made use of the identity claim so state can be deleted
+                    tpm2ProvisionerStateRepository.delete(tpm2ProvisionerState);
 
-                return response.toByteArray();
+                    // Package the signed certificates into a response
+                    ByteString certificateBytes = ByteString
+                            .copyFrom(derEncodedAttestationCertificate);
+                    ByteString ldevidCertificateBytes = ByteString
+                            .copyFrom(derEncodedLdevidCertificate);
+
+                    boolean generateAtt = saveAttestationCertificate(certificateRepository, derEncodedAttestationCertificate,
+                            endorsementCredential, platformCredentials, device, false);
+                    boolean generateLDevID = saveAttestationCertificate(certificateRepository, derEncodedLdevidCertificate,
+                            endorsementCredential, platformCredentials, device, true);
+
+                    ProvisionerTpm2.CertificateResponse.Builder builder = ProvisionerTpm2.CertificateResponse.
+                            newBuilder().setStatus(ProvisionerTpm2.ResponseStatus.PASS);
+                    if (generateAtt) {
+                        builder = builder.setCertificate(certificateBytes);
+                    }
+                    if (generateLDevID) {
+                        builder = builder.setLdevidCertificate(ldevidCertificateBytes);
+                    }
+                    ProvisionerTpm2.CertificateResponse response = builder.build();
+
+                    return response.toByteArray();
+                }
+                else {
+                    byte[] derEncodedAttestationCertificate = ProvisionUtils.getDerEncodedCertificate(
+                            attestationCertificate);
+
+                    // We validated the nonce and made use of the identity claim so state can be deleted
+                    tpm2ProvisionerStateRepository.delete(tpm2ProvisionerState);
+
+                    // Package the signed certificates into a response
+                    ByteString certificateBytes = ByteString
+                            .copyFrom(derEncodedAttestationCertificate);
+                    ProvisionerTpm2.CertificateResponse.Builder builder = ProvisionerTpm2.CertificateResponse.
+                            newBuilder().setStatus(ProvisionerTpm2.ResponseStatus.PASS);
+
+                    boolean generateAtt = saveAttestationCertificate(certificateRepository, derEncodedAttestationCertificate,
+                            endorsementCredential, platformCredentials, device, false);
+                    if (generateAtt) {
+                        builder = builder.setCertificate(certificateBytes);
+                    }
+                    ProvisionerTpm2.CertificateResponse response = builder.build();
+
+                    return response.toByteArray();
+                }
             } else {
                 log.error("Supply chain validation did not succeed. "
                         + "Firmware Quote Validation failed. Result is: "
diff --git a/HIRS_Provisioner.NET/hirs/appsettings.json b/HIRS_Provisioner.NET/hirs/appsettings.json
index 854d682eb..61accf75a 100644
--- a/HIRS_Provisioner.NET/hirs/appsettings.json
+++ b/HIRS_Provisioner.NET/hirs/appsettings.json
@@ -2,6 +2,7 @@
   "auto_detect_tpm":  "TRUE",
   "aca_address_port": "https://127.0.0.1:8443",
   "efi_prefix": "",
+  "ldevid_prefix": "",
   "paccor_output_file": "",
   "event_log_file":  "",
   "hardware_manifest_collectors": "paccor_scripts",
diff --git a/HIRS_Provisioner.NET/hirs/src/client/Client.cs b/HIRS_Provisioner.NET/hirs/src/client/Client.cs
index 8f60cb0e5..9536b72be 100644
--- a/HIRS_Provisioner.NET/hirs/src/client/Client.cs
+++ b/HIRS_Provisioner.NET/hirs/src/client/Client.cs
@@ -69,7 +69,7 @@ public async Task<IdentityClaimResponse> PostIdentityClaim(IdentityClaim identit
 
         public IdentityClaim CreateIdentityClaim(DeviceInfo dv, byte[] akPublicArea, byte[] ekPublicArea,
                                        byte[] endorsementCredential, List<byte[]> platformCredentials,
-                                       string paccoroutput, byte[] ldevidPublicArea) {
+                                       string paccoroutput, byte[] ldevidPublicArea = null) {
             IdentityClaim identityClaim = new();
             identityClaim.Dv = dv;
             identityClaim.AkPublicArea = ByteString.CopyFrom(akPublicArea);
@@ -81,7 +81,7 @@ public IdentityClaim CreateIdentityClaim(DeviceInfo dv, byte[] akPublicArea, byt
                 }
             }
             identityClaim.PaccorOutput = paccoroutput;
-            identityClaim.LdevidPublicArea = ByteString.CopyFrom(ldevidPublicArea);
+            if (ldevidPublicArea != null) identityClaim.LdevidPublicArea = ByteString.CopyFrom(ldevidPublicArea);
             
             return identityClaim;
         }
diff --git a/HIRS_Provisioner.NET/hirs/src/config/Settings.cs b/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
index 3b7ece227..95e122257 100644
--- a/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
+++ b/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
@@ -24,7 +24,8 @@ public enum Options {
             linux_sys_vendor_file,
             linux_product_name_file,
             linux_product_version_file,
-            linux_product_serial_file
+            linux_product_serial_file,
+            ldevid_prefix
         }
 
         private static readonly string DEFAULT_SETTINGS_FILE = "appsettings.json";
@@ -72,6 +73,9 @@ public virtual string linux_product_version {
         public virtual string linux_product_serial {
             get; private set;
         }
+        public virtual string ldevid_prefix {
+            get; private set;
+        }
         private List<IHardwareManifest> hardwareManifests = new();
         private Dictionary<string, string> hardware_manifest_collectors_with_args = new();
         private bool hardware_manifest_collection_swid_enforced = false;
@@ -126,6 +130,8 @@ public void CompleteSetUp() {
 
                 CheckEfiPrefix();
 
+                CheckLDevIDPrefix();
+
                 IngestEventLogFromFile();
 
                 StoreCustomDeviceInfoCollectorOptions();
@@ -268,9 +274,30 @@ private void CheckAutoDetectTpm() {
         }
         #endregion
 
+        #region
+        private void CheckLDevIDPrefix() {
+            if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.ldevid_prefix.ToString()])) {
+                Log.Debug("Checking LDevID Prefix setting.");
+                ldevid_prefix = $"{ configFromSettingsFile[Options.ldevid_prefix.ToString()] }";
+                if (!string.IsNullOrWhiteSpace(ldevid_prefix)) {
+                    if (!Directory.Exists(ldevid_prefix)) {
+                        Log.Debug(Options.ldevid_prefix.ToString() + ": " + ldevid_prefix + " did not exist.");
+                        ldevid_prefix = null;
+                    }
+                }
+            }
+            if (ldevid_prefix == null) {
+                Log.Warning(Options.ldevid_prefix.ToString() + " not set in the settings file. Defaulting to the current working directory.");
+                ldevid_prefix = "";
+            } else {
+                Log.Debug("  Will scan for LDevID keys in " + ldevid_prefix);
+            }
+        }
+        #endregion
+
         #region EFI
         private void CheckEfiPrefix() {
-            if (configFromSettingsFile[Options.efi_prefix.ToString()] != null) {
+            if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.efi_prefix.ToString()])) {
                 Log.Debug("Checking EFI Prefix setting.");
                 efi_prefix = $"{ configFromSettingsFile[Options.efi_prefix.ToString()] }";
                 if (string.IsNullOrWhiteSpace(efi_prefix)) { // If not explicitly set in appsettings, try to use default EFI location on Linux
diff --git a/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs b/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
index 8c11fc395..d8a856a2f 100644
--- a/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
+++ b/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
@@ -15,6 +15,9 @@ public class Provisioner : IHirsProvisioner {
         private IHirsDeviceInfoCollector deviceInfoCollector = null;
         private IHirsAcaClient acaClient = null;
         
+        private const string DefaultLDevIDPubKeyFileName = "ldevid.pub";
+        private const string DefaultLDevIDPrivKeyFileName = "ldevid.priv";
+
         private const string DefaultCertFileName = "attestationkey.pem";
         private const string DefaultLDevIDCertFileName = "ldevid.pem";
 
@@ -146,10 +149,12 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                 byte[] srkPublicArea = tpm.ReadPublicArea(CommandTpm.DefaultSrkHandle, out byte[] name2, out byte[] qualifiedName2);
 
                 Log.Information("----> " + (cli.ReplaceLDevID ? "Creating new" : "Verifying existence of") + " LDevID Key.");
-                tpm.CreateLDevIDKey(CommandTpm.DefaultSrkHandle, CommandTpm.DefaultLDevIDHandle, cli.ReplaceLDevID);
+                string ldevidPubPath = settings.ldevid_prefix + DefaultLDevIDPubKeyFileName;
+                string ldevidPrivPath = settings.ldevid_prefix + DefaultLDevIDPrivKeyFileName;
+                tpm.CreateLDevIDKey(CommandTpm.DefaultSrkHandle, ldevidPubPath, ldevidPrivPath, cli.ReplaceLDevID);
 
                 Log.Debug("Gathering LDevID PUBLIC.");
-                byte[] ldevidPublicArea = tpm.ReadPublicArea(CommandTpm.DefaultLDevIDHandle, out name, out qualifiedName);
+                byte[] ldevidPublicArea = tpm.ConvertLDevIDPublic(ldevidPubPath);
 
                 List<byte[]> pcs = null, baseRims = null, supportRimELs = null, supportRimPCRs = null;
                 if (settings.HasEfiPrefix()) {
@@ -281,7 +286,7 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                     Log.Debug("Communicate certificate request to the ACA.");
                     CertificateResponse cr = await acaClient.PostCertificateRequest(akCertReq);
                     Log.Debug("Response received from the ACA regarding the certificate request.");
-                    if (cr.HasStatus) {
+                     if (cr.HasStatus) {
                         if (cr.Status == ResponseStatus.Pass) {
                             Log.Debug("ACA returned a positive response to the Certificate Request.");
                         } else {
diff --git a/HIRS_Provisioner.NET/hirs/src/tpm/CommandTpm.cs b/HIRS_Provisioner.NET/hirs/src/tpm/CommandTpm.cs
index 344a7e4cb..b8d5679cd 100644
--- a/HIRS_Provisioner.NET/hirs/src/tpm/CommandTpm.cs
+++ b/HIRS_Provisioner.NET/hirs/src/tpm/CommandTpm.cs
@@ -27,7 +27,6 @@ public enum Devices {
         public const uint DefaultEkHandle = 0x81010001;
         public const uint DefaultAkHandle = 0x81010002;
         public const uint DefaultSrkHandle = 0x81000001;
-        public const uint DefaultLDevIDHandle = 0x81000002;
         
         private readonly Tpm2 tpm;
 
@@ -266,7 +265,7 @@ private static TpmPublic GenerateAKTemplate(TpmAlgId nameAlg) {
 
         private static RsaParms LDevIDRSAParms() {
             TpmAlgId digestAlg = TpmAlgId.Sha256;
-            RsaParms parms = new(new SymDefObject(TpmAlgId.Null, 0, TpmAlgId.Null), new SchemeRsassa(digestAlg), 2048, 0);
+            RsaParms parms = new(new SymDefObject(TpmAlgId.Null, 0, TpmAlgId.Null), null, 2048, 0);
             return parms;
         }
 
@@ -365,37 +364,21 @@ public void CreateStorageRootKey(uint srkHandleInt) {
             Log.Debug("Flushed the context for the transient SRK.");
         }
 
-        public void CreateLDevIDKey(uint srkHandleInt, uint ldevidHandleInt, bool replace) {
+        public void CreateLDevIDKey(uint srkHandleInt, string pubPath, string privPath, bool replace) {
             TpmHandle srkHandle = new(srkHandleInt);
-            TpmHandle ldevidHandle = new(ldevidHandleInt);
-
-            TpmPublic existingObject = null;
-            try {
-                existingObject = tpm.ReadPublic(ldevidHandle, out byte[] name, out byte[] qualifiedName);
-            } catch { }
 
-            if (!replace && existingObject != null) {
+            if (!replace && File.Exists(privPath) && File.Exists(pubPath)) {
                 // Do Nothing
-                Log.Debug("LDevID exists at expected handle. Flag to not replace the LDevID is set in the settings file.");
+                Log.Debug("LDevID exists at local file system path. Flag to not replace the LDevID is set in the settings file.");
                 return;
-            } else if (replace && existingObject != null) {
-                // Clear the object and continue
-                tpm.EvictControl(TpmRh.Owner, ldevidHandle, ldevidHandle);
-                Log.Debug("Removed previous LDevID.");
-            }  
+            }
 
-            // Create a new key and make it persistent at ldevidHandle
+            // Create a new transient key
             TpmAlgId nameAlg = TpmAlgId.Sha256;
 
             SensitiveCreate inSens = new();
             TpmPublic inPublic = GenerateLDevIDTemplate(nameAlg);
 
-            /*var policySRK = new PolicyTree(nameAlg);
-            policySRK.SetPolicyRoot(new TpmPolicySecret(TpmRh.Owner, false, 0, null, null));
-
-            AuthSession sessSRK = tpm.StartAuthSessionEx(TpmSe.Policy, nameAlg);
-            sessSRK.RunPolicy(tpm, policySRK);*/
-
             TpmPrivate kLDevID = tpm.Create(srkHandle, inSens, inPublic, null, null, out TpmPublic outPublic,
                                             out CreationData creationData, out byte[] creationHash, out TkCreation ticket);
 
@@ -403,17 +386,20 @@ public void CreateLDevIDKey(uint srkHandleInt, uint ldevidHandleInt, bool replac
             Log.Debug("New LDevID PUB 2BREP: " + BitConverter.ToString(outPublic.GetTpm2BRepresentation()));
             Log.Debug("New LDevID PUB unique: " + BitConverter.ToString((Tpm2bPublicKeyRsa)(outPublic.unique)));
 
-            /*tpm.FlushContext(sessSRK);
+            Tpm2bPublic ldevidPublic = new Tpm2bPublic(outPublic);
 
-            sessSRK = tpm.StartAuthSessionEx(TpmSe.Policy, nameAlg);
-            sessSRK.RunPolicy(tpm, policySRK);*/
-
-            TpmHandle hLDevID = tpm.Load(srkHandle, kLDevID, outPublic);
-
-            tpm.EvictControl(TpmRh.Owner, hLDevID, ldevidHandle);
-            Log.Debug("Created and persisted new LDevID at handle 0x" + ldevidHandle.handle.ToString("X") + ".");
+            File.WriteAllBytes(pubPath, ldevidPublic);
+            File.WriteAllBytes(privPath, kLDevID);
+            Log.Debug("Created new LDevID at local file system paths.");
+            Log.Debug("    LDevID Pub Path: {0}", pubPath);
+            Log.Debug("    LDevID Priv Path: {0}", privPath);
+        }
 
-            //tpm.FlushContext(sessSRK);
+        public byte[] ConvertLDevIDPublic(string ldevidPubPath) {
+            byte[] ldevidPubBytes = File.ReadAllBytes(ldevidPubPath);
+            var marshaller = new Marshaller(ldevidPubBytes, DataRepresentation.Tpm);
+            Tpm2bPublic ldevidPublic = marshaller.Get<Tpm2bPublic>();
+            return ldevidPublic.publicArea;
         }
 
         public Tpm2bDigest[] GetPcrList(TpmAlgId pcrBankDigestAlg, uint[] pcrs = null) {
diff --git a/HIRS_Provisioner.NET/hirs/src/tpm/IHirsAcaTpm.cs b/HIRS_Provisioner.NET/hirs/src/tpm/IHirsAcaTpm.cs
index 624442638..bc532397c 100644
--- a/HIRS_Provisioner.NET/hirs/src/tpm/IHirsAcaTpm.cs
+++ b/HIRS_Provisioner.NET/hirs/src/tpm/IHirsAcaTpm.cs
@@ -10,7 +10,8 @@ public interface IHirsAcaTpm {
         void CreateEndorsementKey(uint ekHandleInt);
         void CreateAttestationKey(uint ekHandleInt, uint akHandleInt, bool replace);
         void CreateStorageRootKey(uint srkHandleInt);
-        void CreateLDevIDKey(uint srkHandleInt, uint ldevidHandleInt, bool replace);
+        void CreateLDevIDKey(uint srkHandleInt, string pubPath, string privPath, bool replace);
+        byte[] ConvertLDevIDPublic(string ldevidPubPath);
         Tpm2bDigest[] GetPcrList(TpmAlgId pcrBankDigestAlg, uint[] pcrs = null);
         void GetQuote(uint akHandleInt, TpmAlgId pcrBankDigestAlg, byte[] nonce, out CommandTpmQuoteResponse ctqr, uint[] pcrs = null);
         byte[] ActivateCredential(uint akHandleInt, uint ekHandleInt, byte[] integrityHMAC, byte[] encIdentity, byte[] encryptedSecret);
diff --git a/HIRS_Provisioner.NET/hirsTest/src/provisioner/ProvisionerTests.cs b/HIRS_Provisioner.NET/hirsTest/src/provisioner/ProvisionerTests.cs
index b60e777ca..ca44e6b5b 100644
--- a/HIRS_Provisioner.NET/hirsTest/src/provisioner/ProvisionerTests.cs
+++ b/HIRS_Provisioner.NET/hirsTest/src/provisioner/ProvisionerTests.cs
@@ -45,8 +45,7 @@ public async Task TestGoodAsync() {
             A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultAkHandle, out name, out qualifiedName)).Returns(akPublic);
             A.CallTo(() => tpm.CreateStorageRootKey(CommandTpm.DefaultSrkHandle)).DoesNothing();
             A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultSrkHandle, out name, out qualifiedName)).Returns(srkPublic);
-            A.CallTo(() => tpm.CreateLDevIDKey(CommandTpm.DefaultSrkHandle, CommandTpm.DefaultLDevIDHandle, false)).DoesNothing();
-            A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultLDevIDHandle, out name, out qualifiedName)).Returns(ldevidPublic);
+            A.CallTo(() => tpm.CreateLDevIDKey(CommandTpm.DefaultSrkHandle, "", "", false)).DoesNothing();
             //A.CallTo(() => tpm.getPcrList(TpmAlgId.Sha1, A<uint[]>.Ignored)).Returns(sha1Values);
             //A.CallTo(() => tpm.getPcrList(TpmAlgId.Sha256, A<uint[]>.Ignored)).Returns(sha256Values);
             A.CallTo(() => tpm.GetQuote(CommandTpm.DefaultAkHandle, TpmAlgId.Sha256, secret, out ctqr, A<uint[]>.Ignored)).DoesNothing();
@@ -103,8 +102,7 @@ public async Task TestIssueWithIdentityClaimResponse() {
             A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultAkHandle, out name, out qualifiedName)).Returns(ekPublic);
             A.CallTo(() => tpm.CreateStorageRootKey(CommandTpm.DefaultSrkHandle)).DoesNothing();
             A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultSrkHandle, out name, out qualifiedName)).Returns(srkPublic);
-            A.CallTo(() => tpm.CreateLDevIDKey(CommandTpm.DefaultSrkHandle, CommandTpm.DefaultLDevIDHandle, false)).DoesNothing();
-            A.CallTo(() => tpm.ReadPublicArea(CommandTpm.DefaultLDevIDHandle, out name, out qualifiedName)).Returns(ldevidPublic);
+            A.CallTo(() => tpm.CreateLDevIDKey(CommandTpm.DefaultSrkHandle, "", "", false)).DoesNothing();
             A.CallTo(() => tpm.GetPcrList(TpmAlgId.Sha1, A<uint[]>.Ignored)).Returns(sha1Values);
             A.CallTo(() => tpm.GetPcrList(TpmAlgId.Sha256, A<uint[]>.Ignored)).Returns(sha256Values);
 

From 14724efe6d4c5d307e8720215588cd2593409f15 Mon Sep 17 00:00:00 2001
From: iadgovuser59 <133057011+iadgovuser59@users.noreply.github.com>
Date: Wed, 7 Aug 2024 22:35:14 -0400
Subject: [PATCH 5/8] Refining certificate paths

---
 HIRS_Provisioner.NET/hirs/appsettings.json    |  2 +-
 .../hirs/src/config/Settings.cs               | 30 ++++++++--------
 .../hirs/src/provisioner/Provisioner.cs       | 34 ++++++++++++-------
 3 files changed, 37 insertions(+), 29 deletions(-)

diff --git a/HIRS_Provisioner.NET/hirs/appsettings.json b/HIRS_Provisioner.NET/hirs/appsettings.json
index 61accf75a..a5b215d16 100644
--- a/HIRS_Provisioner.NET/hirs/appsettings.json
+++ b/HIRS_Provisioner.NET/hirs/appsettings.json
@@ -2,7 +2,7 @@
   "auto_detect_tpm":  "TRUE",
   "aca_address_port": "https://127.0.0.1:8443",
   "efi_prefix": "",
-  "ldevid_prefix": "",
+  "cert_prefix": "",
   "paccor_output_file": "",
   "event_log_file":  "",
   "hardware_manifest_collectors": "paccor_scripts",
diff --git a/HIRS_Provisioner.NET/hirs/src/config/Settings.cs b/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
index 95e122257..3c58993c0 100644
--- a/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
+++ b/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
@@ -25,7 +25,7 @@ public enum Options {
             linux_product_name_file,
             linux_product_version_file,
             linux_product_serial_file,
-            ldevid_prefix
+            cert_prefix
         }
 
         private static readonly string DEFAULT_SETTINGS_FILE = "appsettings.json";
@@ -73,7 +73,7 @@ public virtual string linux_product_version {
         public virtual string linux_product_serial {
             get; private set;
         }
-        public virtual string ldevid_prefix {
+        public virtual string cert_prefix {
             get; private set;
         }
         private List<IHardwareManifest> hardwareManifests = new();
@@ -130,7 +130,7 @@ public void CompleteSetUp() {
 
                 CheckEfiPrefix();
 
-                CheckLDevIDPrefix();
+                CheckCertPrefix();
 
                 IngestEventLogFromFile();
 
@@ -275,22 +275,22 @@ private void CheckAutoDetectTpm() {
         #endregion
 
         #region
-        private void CheckLDevIDPrefix() {
-            if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.ldevid_prefix.ToString()])) {
-                Log.Debug("Checking LDevID Prefix setting.");
-                ldevid_prefix = $"{ configFromSettingsFile[Options.ldevid_prefix.ToString()] }";
-                if (!string.IsNullOrWhiteSpace(ldevid_prefix)) {
-                    if (!Directory.Exists(ldevid_prefix)) {
-                        Log.Debug(Options.ldevid_prefix.ToString() + ": " + ldevid_prefix + " did not exist.");
-                        ldevid_prefix = null;
+        private void CheckCertPrefix() {
+            if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.cert_prefix.ToString()])) {
+                Log.Debug("Checking Certificate Prefix setting.");
+                cert_prefix = $"{ configFromSettingsFile[Options.cert_prefix.ToString()] }";
+                if (!string.IsNullOrWhiteSpace(cert_prefix)) {
+                    if (!Directory.Exists(cert_prefix)) {
+                        Log.Debug(Options.cert_prefix.ToString() + ": " + cert_prefix + " did not exist.");
+                        cert_prefix = null;
                     }
                 }
             }
-            if (ldevid_prefix == null) {
-                Log.Warning(Options.ldevid_prefix.ToString() + " not set in the settings file. Defaulting to the current working directory.");
-                ldevid_prefix = "";
+            if (cert_prefix == null) {
+                Log.Warning(Options.cert_prefix.ToString() + " not set in the settings file. Defaulting to the current working directory.");
+                cert_prefix = "";
             } else {
-                Log.Debug("  Will scan for LDevID keys in " + ldevid_prefix);
+                Log.Debug("  Will scan for certificates in " + cert_prefix);
             }
         }
         #endregion
diff --git a/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs b/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
index d8a856a2f..2d47ed48e 100644
--- a/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
+++ b/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
@@ -5,6 +5,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Runtime.InteropServices;
+using System.Text;
 using System.Threading.Tasks;
 
 namespace hirs {
@@ -18,7 +19,7 @@ public class Provisioner : IHirsProvisioner {
         private const string DefaultLDevIDPubKeyFileName = "ldevid.pub";
         private const string DefaultLDevIDPrivKeyFileName = "ldevid.priv";
 
-        private const string DefaultCertFileName = "attestationkey.pem";
+        private const string DefaultAKCertFileName = "ak.pem";
         private const string DefaultLDevIDCertFileName = "ldevid.pem";
 
         public Provisioner() {
@@ -125,6 +126,19 @@ public void SetDeviceInfoCollector(IHirsDeviceInfoCollector collector) {
             }
         }
 
+        public static string FormatCertificatePath(DeviceInfo dv, string certificateDirPath, string certificateFileName) {
+            StringBuilder sb = new StringBuilder();
+            sb.Append(certificateDirPath);
+            if (dv.Hw.HasSystemSerialNumber && !dv.Hw.SystemSerialNumber.Equals(ClassicDeviceInfoCollector.NOT_SPECIFIED)) {
+                sb.AppendFormat("{0}-", dv.Hw.SystemSerialNumber);
+            }
+            if (dv.Hw.HasManufacturer && !dv.Hw.Manufacturer.Equals(ClassicDeviceInfoCollector.NOT_SPECIFIED)) {
+                sb.AppendFormat("{0}-", dv.Hw.Manufacturer);
+            }
+            sb.Append(certificateFileName);
+            return sb.ToString();
+        }
+
         public async Task<int> Provision(IHirsAcaTpm tpm) {
             ClientExitCodes result = ClientExitCodes.SUCCESS;
             if (tpm != null) {
@@ -149,8 +163,8 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                 byte[] srkPublicArea = tpm.ReadPublicArea(CommandTpm.DefaultSrkHandle, out byte[] name2, out byte[] qualifiedName2);
 
                 Log.Information("----> " + (cli.ReplaceLDevID ? "Creating new" : "Verifying existence of") + " LDevID Key.");
-                string ldevidPubPath = settings.ldevid_prefix + DefaultLDevIDPubKeyFileName;
-                string ldevidPrivPath = settings.ldevid_prefix + DefaultLDevIDPrivKeyFileName;
+                string ldevidPubPath = settings.cert_prefix + DefaultLDevIDPubKeyFileName;
+                string ldevidPrivPath = settings.cert_prefix + DefaultLDevIDPrivKeyFileName;
                 tpm.CreateLDevIDKey(CommandTpm.DefaultSrkHandle, ldevidPubPath, ldevidPrivPath, cli.ReplaceLDevID);
 
                 Log.Debug("Gathering LDevID PUBLIC.");
@@ -297,13 +311,10 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                     }
                     if (cr.HasCertificate) {
                         certificate = cr.Certificate.ToByteArray(); // contains certificate
-                        String certificateDirPath = settings.efi_prefix;
+                        String certificateDirPath = settings.cert_prefix;
                         if (certificateDirPath != null) {
-                            String certificateFilePath = certificateDirPath + DefaultCertFileName;
+                            String certificateFilePath = FormatCertificatePath(dv, certificateDirPath, DefaultAKCertFileName);
                             try {
-                                if (!Directory.Exists(certificateDirPath)) {
-                                    Directory.CreateDirectory(certificateDirPath);
-                                }
                                 File.WriteAllBytes(certificateFilePath, certificate);
                                 Log.Debug("Attestation key certificate written to local file system: {0}", certificateFilePath);
                             }
@@ -315,13 +326,10 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                     }
                     if (cr.HasLdevidCertificate) {
                         certificate = cr.LdevidCertificate.ToByteArray(); // contains certificate
-                        String certificateDirPath = settings.efi_prefix;
+                        String certificateDirPath = settings.cert_prefix;
                         if (certificateDirPath != null) {
-                            String certificateFilePath = certificateDirPath + DefaultLDevIDCertFileName;
+                            String certificateFilePath = FormatCertificatePath(dv, certificateDirPath, DefaultLDevIDCertFileName);
                             try {
-                                if (!Directory.Exists(certificateDirPath)) {
-                                    Directory.CreateDirectory(certificateDirPath);
-                                }
                                 File.WriteAllBytes(certificateFilePath, certificate);
                                 Log.Debug("LDevID certificate written to local file system: {0}", certificateFilePath);
                             }

From e8e0704267b043a2bfaef75a6c2dda2bbf5528f8 Mon Sep 17 00:00:00 2001
From: iadgovuser59 <133057011+iadgovuser59@users.noreply.github.com>
Date: Wed, 7 Aug 2024 22:56:36 -0400
Subject: [PATCH 6/8] Check for hardware info

---
 .../hirs/src/provisioner/Provisioner.cs              | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs b/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
index 2d47ed48e..587d94f7d 100644
--- a/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
+++ b/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
@@ -129,11 +129,13 @@ public void SetDeviceInfoCollector(IHirsDeviceInfoCollector collector) {
         public static string FormatCertificatePath(DeviceInfo dv, string certificateDirPath, string certificateFileName) {
             StringBuilder sb = new StringBuilder();
             sb.Append(certificateDirPath);
-            if (dv.Hw.HasSystemSerialNumber && !dv.Hw.SystemSerialNumber.Equals(ClassicDeviceInfoCollector.NOT_SPECIFIED)) {
-                sb.AppendFormat("{0}-", dv.Hw.SystemSerialNumber);
-            }
-            if (dv.Hw.HasManufacturer && !dv.Hw.Manufacturer.Equals(ClassicDeviceInfoCollector.NOT_SPECIFIED)) {
-                sb.AppendFormat("{0}-", dv.Hw.Manufacturer);
+            if (dv?.Hw != null) {
+                if (dv.Hw.HasSystemSerialNumber && !dv.Hw.SystemSerialNumber.Equals(ClassicDeviceInfoCollector.NOT_SPECIFIED)) {
+                    sb.AppendFormat("{0}-", dv.Hw.SystemSerialNumber);
+                }
+                if (dv.Hw.HasManufacturer && !dv.Hw.Manufacturer.Equals(ClassicDeviceInfoCollector.NOT_SPECIFIED)) {
+                    sb.AppendFormat("{0}-", dv.Hw.Manufacturer);
+                }
             }
             sb.Append(certificateFileName);
             return sb.ToString();

From f18aa60cb8f301294217fa36cdaec18ed33b0d9c Mon Sep 17 00:00:00 2001
From: iadgovuser59 <133057011+iadgovuser59@users.noreply.github.com>
Date: Thu, 15 Aug 2024 09:49:08 -0400
Subject: [PATCH 7/8] Further refining certificate paths

---
 .../hirs/Directory.Build.targets              |  2 +-
 HIRS_Provisioner.NET/hirs/appsettings.json    |  2 +-
 .../hirs/src/config/Settings.cs               | 36 +++++++++++--------
 .../hirs/src/provisioner/Provisioner.cs       | 23 ++++++------
 4 files changed, 34 insertions(+), 29 deletions(-)

diff --git a/HIRS_Provisioner.NET/hirs/Directory.Build.targets b/HIRS_Provisioner.NET/hirs/Directory.Build.targets
index 7609cfe1f..71c6d238c 100644
--- a/HIRS_Provisioner.NET/hirs/Directory.Build.targets
+++ b/HIRS_Provisioner.NET/hirs/Directory.Build.targets
@@ -19,7 +19,7 @@
   <Target Name="SetWixPath" BeforeTargets="Msi">
     <PropertyGroup>
       <ProductSourceFilePath>$(MSBuildThisFileDirectory)\Resources\Product.wxs</ProductSourceFilePath>
-      <WixInstallPath>$(NuGetPackageRoot)wix\3.14.0\tools\</WixInstallPath>
+      <WixInstallPath>$(NuGetPackageRoot)wix\3.14.1\tools\</WixInstallPath>
       <Heat>$(WixInstallPath)heat.exe</Heat>
       <Candle>$(WixInstallPath)candle.exe</Candle>
       <Light>$(WixInstallPath)light.exe</Light>
diff --git a/HIRS_Provisioner.NET/hirs/appsettings.json b/HIRS_Provisioner.NET/hirs/appsettings.json
index a5b215d16..bbc2324e3 100644
--- a/HIRS_Provisioner.NET/hirs/appsettings.json
+++ b/HIRS_Provisioner.NET/hirs/appsettings.json
@@ -2,7 +2,7 @@
   "auto_detect_tpm":  "TRUE",
   "aca_address_port": "https://127.0.0.1:8443",
   "efi_prefix": "",
-  "cert_prefix": "",
+  "certificate_output_directory": "",
   "paccor_output_file": "",
   "event_log_file":  "",
   "hardware_manifest_collectors": "paccor_scripts",
diff --git a/HIRS_Provisioner.NET/hirs/src/config/Settings.cs b/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
index 3c58993c0..339ebfc21 100644
--- a/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
+++ b/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
@@ -25,7 +25,7 @@ public enum Options {
             linux_product_name_file,
             linux_product_version_file,
             linux_product_serial_file,
-            cert_prefix
+            certificate_output_directory
         }
 
         private static readonly string DEFAULT_SETTINGS_FILE = "appsettings.json";
@@ -73,7 +73,7 @@ public virtual string linux_product_version {
         public virtual string linux_product_serial {
             get; private set;
         }
-        public virtual string cert_prefix {
+        public virtual string certificate_output_directory {
             get; private set;
         }
         private List<IHardwareManifest> hardwareManifests = new();
@@ -130,7 +130,7 @@ public void CompleteSetUp() {
 
                 CheckEfiPrefix();
 
-                CheckCertPrefix();
+                CheckCertificateOutputDirectory();
 
                 IngestEventLogFromFile();
 
@@ -275,22 +275,28 @@ private void CheckAutoDetectTpm() {
         #endregion
 
         #region
-        private void CheckCertPrefix() {
-            if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.cert_prefix.ToString()])) {
-                Log.Debug("Checking Certificate Prefix setting.");
-                cert_prefix = $"{ configFromSettingsFile[Options.cert_prefix.ToString()] }";
-                if (!string.IsNullOrWhiteSpace(cert_prefix)) {
-                    if (!Directory.Exists(cert_prefix)) {
-                        Log.Debug(Options.cert_prefix.ToString() + ": " + cert_prefix + " did not exist.");
-                        cert_prefix = null;
+        private void CheckCertificateOutputDirectory() {
+            if (!string.IsNullOrWhiteSpace(configFromSettingsFile[Options.certificate_output_directory.ToString()])) {
+                Log.Debug("Checking Certificate Output Directory setting.");
+                certificate_output_directory = $"{ configFromSettingsFile[Options.certificate_output_directory.ToString()] }";
+                if (!string.IsNullOrWhiteSpace(certificate_output_directory)) {
+                    if (HasEfiPrefix()) {
+                        certificate_output_directory = Path.GetFullPath(Path.Join(efi_prefix, certificate_output_directory));
+                        if (!Directory.Exists(certificate_output_directory)) {
+                            Log.Debug(Options.certificate_output_directory.ToString() + ": " + certificate_output_directory + " did not exist.");
+                            certificate_output_directory = null;
+                        }
+                    }
+                    else {
+                        certificate_output_directory = null;
                     }
                 }
             }
-            if (cert_prefix == null) {
-                Log.Warning(Options.cert_prefix.ToString() + " not set in the settings file. Defaulting to the current working directory.");
-                cert_prefix = "";
+            if (certificate_output_directory == null) {
+                Log.Warning(Options.certificate_output_directory.ToString() + " not set in the settings file. Defaulting to the current working directory.");
+                certificate_output_directory = "";
             } else {
-                Log.Debug("  Will scan for certificates in " + cert_prefix);
+                Log.Debug("  Will write certificates to " + certificate_output_directory);
             }
         }
         #endregion
diff --git a/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs b/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
index 587d94f7d..065244e76 100644
--- a/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
+++ b/HIRS_Provisioner.NET/hirs/src/provisioner/Provisioner.cs
@@ -128,7 +128,6 @@ public void SetDeviceInfoCollector(IHirsDeviceInfoCollector collector) {
 
         public static string FormatCertificatePath(DeviceInfo dv, string certificateDirPath, string certificateFileName) {
             StringBuilder sb = new StringBuilder();
-            sb.Append(certificateDirPath);
             if (dv?.Hw != null) {
                 if (dv.Hw.HasSystemSerialNumber && !dv.Hw.SystemSerialNumber.Equals(ClassicDeviceInfoCollector.NOT_SPECIFIED)) {
                     sb.AppendFormat("{0}-", dv.Hw.SystemSerialNumber);
@@ -138,7 +137,7 @@ public static string FormatCertificatePath(DeviceInfo dv, string certificateDirP
                 }
             }
             sb.Append(certificateFileName);
-            return sb.ToString();
+            return Path.GetFullPath(Path.Join(certificateDirPath, sb.ToString()));
         }
 
         public async Task<int> Provision(IHirsAcaTpm tpm) {
@@ -164,14 +163,6 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                 tpm.CreateStorageRootKey(CommandTpm.DefaultSrkHandle); // Will not create key if obj already exists at handle
                 byte[] srkPublicArea = tpm.ReadPublicArea(CommandTpm.DefaultSrkHandle, out byte[] name2, out byte[] qualifiedName2);
 
-                Log.Information("----> " + (cli.ReplaceLDevID ? "Creating new" : "Verifying existence of") + " LDevID Key.");
-                string ldevidPubPath = settings.cert_prefix + DefaultLDevIDPubKeyFileName;
-                string ldevidPrivPath = settings.cert_prefix + DefaultLDevIDPrivKeyFileName;
-                tpm.CreateLDevIDKey(CommandTpm.DefaultSrkHandle, ldevidPubPath, ldevidPrivPath, cli.ReplaceLDevID);
-
-                Log.Debug("Gathering LDevID PUBLIC.");
-                byte[] ldevidPublicArea = tpm.ConvertLDevIDPublic(ldevidPubPath);
-
                 List<byte[]> pcs = null, baseRims = null, supportRimELs = null, supportRimPCRs = null;
                 if (settings.HasEfiPrefix()) {
                     Log.Information("----> Gathering artifacts from EFI.");
@@ -240,6 +231,14 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                 Log.Debug("\n" + pcrsList);
                 dv.Pcrslist = ByteString.CopyFromUtf8(pcrsList);
 
+                Log.Information("----> " + (cli.ReplaceLDevID ? "Creating new" : "Verifying existence of") + " LDevID Key.");
+                string ldevidPubPath = FormatCertificatePath(dv, settings.certificate_output_directory, DefaultLDevIDPubKeyFileName);
+                string ldevidPrivPath = FormatCertificatePath(dv, settings.certificate_output_directory, DefaultLDevIDPrivKeyFileName);
+                tpm.CreateLDevIDKey(CommandTpm.DefaultSrkHandle, ldevidPubPath, ldevidPrivPath, cli.ReplaceLDevID);
+
+                Log.Debug("Gathering LDevID PUBLIC.");
+                byte[] ldevidPublicArea = tpm.ConvertLDevIDPublic(ldevidPubPath);
+
                 Log.Debug("Create identity claim");
                 IdentityClaim idClaim = acaClient.CreateIdentityClaim(dv, akPublicArea, ekPublicArea, ekc, pcs, manifest, ldevidPublicArea);
 
@@ -313,7 +312,7 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                     }
                     if (cr.HasCertificate) {
                         certificate = cr.Certificate.ToByteArray(); // contains certificate
-                        String certificateDirPath = settings.cert_prefix;
+                        String certificateDirPath = settings.certificate_output_directory;
                         if (certificateDirPath != null) {
                             String certificateFilePath = FormatCertificatePath(dv, certificateDirPath, DefaultAKCertFileName);
                             try {
@@ -328,7 +327,7 @@ public async Task<int> Provision(IHirsAcaTpm tpm) {
                     }
                     if (cr.HasLdevidCertificate) {
                         certificate = cr.LdevidCertificate.ToByteArray(); // contains certificate
-                        String certificateDirPath = settings.cert_prefix;
+                        String certificateDirPath = settings.certificate_output_directory;
                         if (certificateDirPath != null) {
                             String certificateFilePath = FormatCertificatePath(dv, certificateDirPath, DefaultLDevIDCertFileName);
                             try {

From 886b62e8e8334f553d52a4cf326e29bf2b687bda Mon Sep 17 00:00:00 2001
From: iadgovuser59 <133057011+iadgovuser59@users.noreply.github.com>
Date: Mon, 19 Aug 2024 12:34:21 -0400
Subject: [PATCH 8/8] Further refining certificate paths.

---
 .../hirs/src/config/Settings.cs               | 41 +++++++++++++++----
 1 file changed, 32 insertions(+), 9 deletions(-)

diff --git a/HIRS_Provisioner.NET/hirs/src/config/Settings.cs b/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
index 339ebfc21..637692b0a 100644
--- a/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
+++ b/HIRS_Provisioner.NET/hirs/src/config/Settings.cs
@@ -32,6 +32,7 @@ public enum Options {
         private static readonly string EFI_ARTIFACT_PATH_COMPAT = "/boot/tcg/";
         private static readonly string EFI_ARTIFACT_PATH = "/EFI/tcg/";
         private static readonly string EFI_ARTIFACT_LINUX_PREFIX = "/boot/efi";
+        private static readonly string DEFAULT_CERTIFICATE_OUTPUT_PATH = "/EFI/hirs";
 
         private readonly string settingsFile;
         private readonly IConfiguration configFromSettingsFile;
@@ -280,21 +281,43 @@ private void CheckCertificateOutputDirectory() {
                 Log.Debug("Checking Certificate Output Directory setting.");
                 certificate_output_directory = $"{ configFromSettingsFile[Options.certificate_output_directory.ToString()] }";
                 if (!string.IsNullOrWhiteSpace(certificate_output_directory)) {
-                    if (HasEfiPrefix()) {
-                        certificate_output_directory = Path.GetFullPath(Path.Join(efi_prefix, certificate_output_directory));
-                        if (!Directory.Exists(certificate_output_directory)) {
-                            Log.Debug(Options.certificate_output_directory.ToString() + ": " + certificate_output_directory + " did not exist.");
+                    // Attempt to write to Certificate Output Directory
+                    if (!Directory.Exists(certificate_output_directory)) {
+                        try {
+                            Directory.CreateDirectory(certificate_output_directory);
+                            Log.Debug("  Created directory: " + certificate_output_directory);
+                        }
+                        catch (Exception e) {
+                            Log.Debug("  Could not create directory: " + certificate_output_directory);
                             certificate_output_directory = null;
                         }
                     }
-                    else {
-                        certificate_output_directory = null;
-                    }
                 }
             }
             if (certificate_output_directory == null) {
-                Log.Warning(Options.certificate_output_directory.ToString() + " not set in the settings file. Defaulting to the current working directory.");
-                certificate_output_directory = "";
+                if (HasEfiPrefix()) {
+                    certificate_output_directory = Path.GetFullPath(Path.Join(efi_prefix, DEFAULT_CERTIFICATE_OUTPUT_PATH));
+                    Log.Debug("  Certificate Output Directory not set. Attempting to use EFI Prefix setting.");
+                    // Attempt to write to default EFI path (fallback)
+                    if (!Directory.Exists(certificate_output_directory)) {
+                        try {
+                            Directory.CreateDirectory(certificate_output_directory);
+                            Log.Debug("  Created directory: " + certificate_output_directory);
+                        }
+                        catch (Exception e) {
+                            Log.Debug("  Could not create directory: " + certificate_output_directory);
+                            certificate_output_directory = null;
+                        }
+                    }
+                }
+                if (certificate_output_directory == null) {
+                    // Use current working directory (fallback)
+                    Log.Warning(Options.certificate_output_directory.ToString() + " not set in the settings file. Defaulting to current working directory.");
+                    certificate_output_directory = "";
+                }
+                else {
+                    Log.Debug("  Will write certificates to " + certificate_output_directory);
+                }
             } else {
                 Log.Debug("  Will write certificates to " + certificate_output_directory);
             }