make TNC Access Requestor ID available to IMVs

9 files changed, 130 insertions, 42 deletions

diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c
index 78e584dfb..2eec0ecde 100644
--- a/src/libimcv/imv/imv_agent.c
+++ b/src/libimcv/imv/imv_agent.c
@@ -73,6 +73,11 @@ struct private_imv_agent_t {
 	rwlock_t *connection_lock;
 
 	/**
+	 * Access Requestor ID
+	 */
+	identification_t *ar_id;
+
+	/**
 	 * Inform a TNCS about the set of message types the IMV is able to receive
 	 *
 	 * @param imv_id			IMV ID assigned by TNCS
@@ -445,7 +450,6 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 		int tcg_id_type, tcg_subject_type, tcg_auth_type;
 		chunk_t id_value;
 		id_type_t ike_type;
-		identification_t *id;
 
 		id_type = tnc_id->get_identity_type(tnc_id);
 		id_value = tnc_id->get_identity_value(tnc_id);
@@ -468,12 +472,14 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 				ike_type = ID_IPV6_ADDR;
 				break;
 			case TNC_ID_FQDN:
-			case TNC_ID_USER_NAME:
 				ike_type = ID_FQDN;
 				break;
 			case TNC_ID_RFC822_ADDR:
 				ike_type = ID_RFC822_ADDR;
 				break;
+			case TNC_ID_USER_NAME:
+				ike_type = ID_USER_ID;
+				break;
 			case TNC_ID_DER_ASN1_DN:
 				ike_type = ID_DER_ASN1_DN;
 				break;
@@ -486,11 +492,10 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 				break;
 		}
 
-		id = identification_create_from_encoding(ike_type, id_value);
-		DBG2(DBG_IMV, "%N identity '%Y' authenticated by %N",
-					   TNC_Subject_names, tcg_subject_type, id,
-					   TNC_Authentication_names, tcg_auth_type);
-		id->destroy(id);
+		this->ar_id = identification_create_from_encoding(ike_type, id_value);
+		DBG2(DBG_IMV, "  %N AR identity '%Y' authenticated by %N",
+			 TNC_Subject_names, tcg_subject_type, this->ar_id,
+			 TNC_Authentication_names, tcg_auth_type);
 	}
 	enumerator->destroy(enumerator);
 
@@ -593,6 +598,12 @@ METHOD(imv_agent_t, get_id, TNC_IMVID,
 	return	this->id;
 }
 
+METHOD(imv_agent_t, get_ar_id, identification_t*,
+	private_imv_agent_t *this)
+{
+	return	this->ar_id;
+}
+
 METHOD(imv_agent_t, reserve_additional_ids, TNC_Result,
 	private_imv_agent_t *this, int count)
 {
@@ -782,6 +793,7 @@ METHOD(imv_agent_t, destroy, void,
 	private_imv_agent_t *this)
 {
 	DBG1(DBG_IMV, "IMV %u \"%s\" terminated", this->id, this->name);
+	DESTROY_IF(this->ar_id);
 	this->additional_ids->destroy(this->additional_ids);
 	this->connections->destroy_offset(this->connections,
 									  offsetof(imv_state_t, destroy));
@@ -816,6 +828,7 @@ imv_agent_t *imv_agent_create(const char *name,
 			.get_state = _get_state,
 			.get_name = _get_name,
 			.get_id = _get_id,
+			.get_ar_id = _get_ar_id,
 			.reserve_additional_ids = _reserve_additional_ids,
 			.count_additional_ids = _count_additional_ids,
 			.create_id_enumerator = _create_id_enumerator,
diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h
index 4d0716f90..737caa173 100644
--- a/src/libimcv/imv/imv_agent.h
+++ b/src/libimcv/imv/imv_agent.h
@@ -152,6 +152,13 @@ struct imv_agent_t {
 	TNC_IMVID (*get_id)(imv_agent_t *this);
 
 	/**
+	 * Get Access Requestor ID
+	 *
+	 * return					Access Requestor ID
+	 */
+	identification_t* (*get_ar_id)(imv_agent_t *this);
+
+	/**
 	 * Reserve additional IMV IDs from TNCS
 	 *
 	 * @param count				number of additional IMV IDs to be assigned
diff --git a/src/libimcv/plugins/imv_os/imv_os.c b/src/libimcv/plugins/imv_os/imv_os.c
index ecc6cfc4f..68b14abfb 100644
--- a/src/libimcv/plugins/imv_os/imv_os.c
+++ b/src/libimcv/plugins/imv_os/imv_os.c
@@ -390,7 +390,7 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
 		device_id = os_state->get_device_id(os_state);
 		if (os_db && device_id)
 		{
-			os_db->set_device_info(os_db, device_id,
+			os_db->set_device_info(os_db, device_id, imv_os->get_ar_id(imv_os),
 						os_state->get_info(os_state, NULL, NULL, NULL),
 						count, count_update, count_blacklist, os_settings);
 		}
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c
index c6db9953f..730099af4 100644
--- a/src/libimcv/plugins/imv_os/imv_os_database.c
+++ b/src/libimcv/plugins/imv_os/imv_os_database.c
@@ -214,12 +214,14 @@ METHOD(imv_os_database_t, get_device_id, int,
 }
 
 METHOD(imv_os_database_t, set_device_info, void,
-	private_imv_os_database_t *this,  int device_id, char *os_info,
-	int count, int count_update, int count_blacklist, u_int flags)
+	private_imv_os_database_t *this,  int device_id, identification_t *ar_id,
+	char *os_info, int count, int count_update, int count_blacklist,
+	u_int flags)
 {
 	enumerator_t *e;
 	time_t last_time;
-	int pid = 0, last_pid = 0, last_count_update = 0, last_count_blacklist = 0;
+	int pid = 0, last_pid = 0, iid = 0, last_iid;
+	int last_count_update = 0, last_count_blacklist = 0;
 	u_int last_flags;
 	bool found = FALSE;
 
@@ -233,26 +235,47 @@ METHOD(imv_os_database_t, set_device_info, void,
 		e->destroy(e);
 	}
 
-	/* if OS ifo string has not been found - register it */
+	/* if OS info string has not been found - register it */
 	if (!pid)
 	{
 		this->db->execute(this->db, &pid,
 			"INSERT INTO products (name) VALUES (?)", DB_TEXT, os_info);
 	}
 
+	/* get primary key of AR identity if it exists */
+	e = this->db->query(this->db,
+			"SELECT id FROM identities WHERE type = ? AND data = ?",
+			 DB_INT,  ar_id->get_type(ar_id),
+			 DB_BLOB, ar_id->get_encoding(ar_id), DB_INT);
+	if (e)
+	{
+		e->enumerate(e, &iid);
+		e->destroy(e);
+	}
+
+	/* if AR identity has not been found - register it */
+	if (!iid)
+	{
+		this->db->execute(this->db, &iid,
+			"INSERT INTO identities (type, data) VALUES (?, ?)",
+			 DB_INT,  ar_id->get_type(ar_id),
+			 DB_BLOB, ar_id->get_encoding(ar_id));
+	}
+
 	/* get latest device info record if it exists */
 	e = this->db->query(this->db,
-			"SELECT time, product, count_update, count_blacklist, flags "
+			"SELECT time, ar_id, product, count_update, count_blacklist, flags "
 			"FROM device_infos WHERE device = ? ORDER BY time DESC",
-			 DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT);
+			 DB_INT, device_id, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_UINT);
 	if (e)
 	{
-		found = e->enumerate(e, &last_time, &last_pid, &last_count_update,
-								&last_count_blacklist, &last_flags);
+		found = e->enumerate(e, &last_time, &last_iid, &last_pid,
+								&last_count_update, &last_count_blacklist,
+								&last_flags);
 		e->destroy(e);
 	}
 	if (found && !last_count_update && !last_count_blacklist && !last_flags &&
-		pid == last_pid)
+		iid == last_iid && pid == last_pid)
 	{
 		/* update device info */
 		this->db->execute(this->db, NULL,
@@ -266,9 +289,10 @@ METHOD(imv_os_database_t, set_device_info, void,
 	{
 		/* insert device info */
 		this->db->execute(this->db, NULL,
-			"INSERT INTO device_infos (device, time, product, count, "
-			"count_update, count_blacklist, flags) VALUES (?, ?, ?, ?, ?, ?, ?)",
-			 DB_INT, device_id, DB_UINT, time(NULL), DB_INT, pid,
+			"INSERT INTO device_infos (device, time, ar_id, product, count, "
+			"count_update, count_blacklist, flags) "
+			"VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
+			 DB_INT, device_id, DB_UINT, time(NULL), DB_INT, iid, DB_INT, pid,
 			 DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist,
 			 DB_UINT, flags);
 	}
diff --git a/src/libimcv/plugins/imv_os/imv_os_database.h b/src/libimcv/plugins/imv_os/imv_os_database.h
index b5e1b6583..790467f33 100644
--- a/src/libimcv/plugins/imv_os/imv_os_database.h
+++ b/src/libimcv/plugins/imv_os/imv_os_database.h
@@ -52,13 +52,15 @@ struct imv_os_database_t {
 	* Set health infos for a given  device
 	*
 	* @param device_id				Device ID primary key
+	* @param ar_id					Access Requestor ID
 	* @param os_info				OS info string
 	* @param count					Number of installed packages
 	* @param count_update			Number of packages to be updated
 	* @param count_blacklist		Number of blacklisted packages
 	* @param flags					Various flags, e.g. illegal OS settings
 	*/
-	void (*set_device_info)(imv_os_database_t *this, int device_id, char *os_info,
+	void (*set_device_info)(imv_os_database_t *this, int device_id,
+							identification_t *ar_id, char *os_info,
 							int count, int count_update, int count_blacklist,
 							u_int flags);
 
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index 91e9766d0..5885e26a1 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -804,26 +804,29 @@ METHOD(attest_db_t, list_components, void,
 METHOD(attest_db_t, list_devices, void,
 	private_attest_db_t *this)
 {
-	enumerator_t *e;
-	chunk_t value;
+	enumerator_t *e, *e_ar;
+	chunk_t value, ar_data;
 	char *product;
 	time_t timestamp;
-	int id, last_id = 0, device_count = 0;
+	int id, last_id = 0, iid = 0, last_iid = 0, device_count = 0;
 	int count, count_update, count_blacklist;
+	id_type_t ar_type;
+	identification_t *ar_id = NULL;
 	u_int tstamp, flags = 0;
 
 	e = this->db->query(this->db,
 			"SELECT d.id, d.value, i.time, i.count, i.count_update, "
-			"i.count_blacklist, i.flags, p.name FROM devices AS d "
+			"i.count_blacklist, i.flags, i.ar_id, p.name FROM devices AS d "
 			"JOIN device_infos AS i ON d.id = i.device "
 			"JOIN products AS p ON p.id = i.product "
 			"ORDER BY d.value, i.time DESC",
-			 DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT);
+			 DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT,
+			 DB_INT, DB_TEXT);
 
 	if (e)
 	{
 		while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update,
-							   &count_blacklist, &flags, &product))
+							   &count_blacklist, &flags, &iid, &product))
 		{
 			if (id != last_id)
 			{
@@ -832,10 +835,35 @@ METHOD(attest_db_t, list_devices, void,
 				last_id = id;
 			}
 			timestamp = tstamp;
-			printf("      %T, %4d, %3d, %3d, %1u, '%s'\n", &timestamp, this->utc,
+			printf("      %T, %4d, %3d, %3d, %1u, '%s'", &timestamp, this->utc,
 				   count, count_update, count_blacklist, flags, product);
+			if (iid)
+			{
+				if (iid != last_iid)
+				{
+					DESTROY_IF(ar_id);
+					ar_id = NULL;
+
+					e_ar = this->db->query(this->db,
+								"SELECT type, data FROM identities "
+								"WHERE id = ?", DB_INT, iid, DB_INT, DB_BLOB);
+					if (e_ar->enumerate(e_ar, &ar_type, &ar_data))
+					{
+						ar_id = identification_create_from_encoding(ar_type,
+																	ar_data);
+					}
+					e_ar->destroy(e_ar);
+				}
+				if (ar_id)
+				{
+					printf(" %Y", ar_id);
+				}
+			}
+			printf("\n");
 		}
 		e->destroy(e);
+		DESTROY_IF(ar_id);
+
 		printf("%d device%s found\n", device_count,
 									 (device_count == 1) ? "" : "s");
 	}
diff --git a/src/libpts/plugins/imv_attestation/tables.sql b/src/libpts/plugins/imv_attestation/tables.sql
index 8a79ea7cf..0c038d365 100644
--- a/src/libpts/plugins/imv_attestation/tables.sql
+++ b/src/libpts/plugins/imv_attestation/tables.sql
@@ -126,13 +126,21 @@ CREATE INDEX devices_value ON devices (
 
 DROP TABLE IF EXISTS device_infos;
 CREATE TABLE device_infos (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
   device INTEGER NOT NULL,
   time INTEGER NOT NULL,
+  ar_id INTEGER DEFAULT 0,
   product INTEGER DEFAULT 0,
   count INTEGER DEFAULT 0,
   count_update INTEGER DEFAULT 0,
   count_blacklist INTEGER DEFAULT 0,
-  flags INTEGER DEFAULT 0,
-  PRIMARY KEY (device, time)
+  flags INTEGER DEFAULT 0
 );
 
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  data BLOB NOT NULL,
+  UNIQUE (type, data)
+);
diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c
index 2669c2da6..4176320dc 100644
--- a/src/libstrongswan/utils/identification.c
+++ b/src/libstrongswan/utils/identification.c
@@ -49,10 +49,10 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
 	"ID_DER_ASN1_DN",
 	"ID_DER_ASN1_GN",
 	"ID_KEY_ID");
-ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
+ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_USER_ID, ID_KEY_ID,
 	"ID_DER_ASN1_GN_URI",
-	"ID_MYID");
-ENUM_END(id_type_names, ID_MYID);
+	"ID_USER_ID");
+ENUM_END(id_type_names, ID_USER_ID);
 
 /**
  * coding of X.501 distinguished name
@@ -790,6 +790,7 @@ int identification_printf_hook(printf_hook_data_t *data,
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
 		case ID_DER_ASN1_GN_URI:
+		case ID_USER_ID:
 			chunk_printable(this->encoded, &proper, '?');
 			snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr);
 			chunk_free(&proper);
@@ -812,9 +813,6 @@ int identification_printf_hook(printf_hook_data_t *data,
 				snprintf(buf, sizeof(buf), "%#B", &this->encoded);
 			}
 			break;
-		case ID_MYID:
-			snprintf(buf, sizeof(buf), "%%myid");
-			break;
 		default:
 			snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
 			break;
@@ -873,6 +871,7 @@ static private_identification_t *identification_create(id_type_t type)
 			break;
 		case ID_FQDN:
 		case ID_RFC822_ADDR:
+		case ID_USER_ID:
 			this->public.matches = _matches_string;
 			this->public.equals = _equals_strcasecmp;
 			this->public.contains_wildcards = _contains_wildcards_memchr;
@@ -1023,9 +1022,16 @@ identification_t * identification_create_from_data(chunk_t data)
 {
 	char buf[data.len + 1];
 
-	/* use string constructor */
-	snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
-	return identification_create_from_string(buf);
+	if (is_asn1(data))
+	{
+		return identification_create_from_encoding(ID_DER_ASN1_DN, data);
+	}
+	else
+	{
+		/* use string constructor */
+		snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
+		return identification_create_from_string(buf);
+	}
 }
 
 /*
diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h
index cdf229127..00d740765 100644
--- a/src/libstrongswan/utils/identification.h
+++ b/src/libstrongswan/utils/identification.h
@@ -126,14 +126,14 @@ enum id_type_t {
 	ID_KEY_ID = 11,
 
 	/**
-	 * private type which represents a GeneralName of type URI
+	 * Private ID type which represents a GeneralName of type URI
 	 */
 	ID_DER_ASN1_GN_URI = 201,
 
 	/**
-	 * Private ID used by the pluto daemon for opportunistic encryption
+	 * Private ID type which represents a user ID
 	 */
-	ID_MYID = 203,
+	ID_USER_ID = 202
 };
 
 /**