author | Andreas Steffen <andreas.steffen@strongswan.org> | 2011-12-25 14:30:52 +0100 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2011-12-25 14:31:26 +0100 |
commit | cb4da3f61020c110da1aaea33c0d12246bc5b35e (patch) | |
tree | ffb07c7f1aebfa8312b301af936c6268e3258261 | |
parent | 84da59f609c0d3bea3cde3b1e31c69bc63e48b99 (diff) | |
download | strongswan-cb4da3f61020c110da1aaea33c0d12246bc5b35e.tar.bz2 strongswan-cb4da3f61020c110da1aaea33c0d12246bc5b35e.tar.xz |
register aik certificate via ipsec attest
-rw-r--r-- | configure.in | 22 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest.c | 51 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest_db.c | 5 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest_db.h | 2 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest_usage.c | 6 |
5 files changed, 65 insertions, 21 deletions
diff --git a/configure.in b/configure.in
index 0eb1175ae..23223b0d9 100644
--- a/configure.in
+++ b/configure.in
@@ -799,25 +799,25 @@ ADD_PLUGIN([pkcs11], [s libcharon pki])
 ADD_PLUGIN([aes], [s libcharon pluto openac scepclient pki scripts])
 ADD_PLUGIN([des], [s libcharon pluto openac scepclient pki scripts])
 ADD_PLUGIN([blowfish], [s libcharon pluto openac scepclient pki scripts])
-ADD_PLUGIN([sha1], [s libcharon pluto openac scepclient pki scripts medsrv])
-ADD_PLUGIN([sha2], [s libcharon pluto openac scepclient pki scripts medsrv])
+ADD_PLUGIN([sha1], [s libcharon pluto openac scepclient pki scripts medsrv attest])
+ADD_PLUGIN([sha2], [s libcharon pluto openac scepclient pki scripts medsrv attest])
 ADD_PLUGIN([md4], [s libcharon openac manager scepclient pki])
-ADD_PLUGIN([md5], [s libcharon pluto openac scepclient pki scripts])
-ADD_PLUGIN([random], [s libcharon pluto openac scepclient pki scripts medsrv])
-ADD_PLUGIN([x509], [s libcharon pluto openac scepclient pki scripts])
+ADD_PLUGIN([md5], [s libcharon pluto openac scepclient pki scripts attest])
+ADD_PLUGIN([random], [s libcharon pluto openac scepclient pki scripts medsrv attest])
+ADD_PLUGIN([x509], [s libcharon pluto openac scepclient pki scripts attest])
 ADD_PLUGIN([revocation], [s libcharon])
 ADD_PLUGIN([constraints], [s libcharon])
 ADD_PLUGIN([pubkey], [s libcharon])
-ADD_PLUGIN([pkcs1], [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([pkcs1], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
 ADD_PLUGIN([pgp], [s libcharon pluto])
 ADD_PLUGIN([dnskey], [s pluto])
-ADD_PLUGIN([pem], [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([pem], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
 ADD_PLUGIN([padlock], [s libcharon])
-ADD_PLUGIN([openssl], [s libcharon pluto openac scepclient pki scripts manager medsrv])
-ADD_PLUGIN([gcrypt], [s libcharon pluto openac scepclient pki scripts manager medsrv])
-ADD_PLUGIN([af-alg], [s libcharon pluto openac scepclient pki scripts medsrv])
+ADD_PLUGIN([openssl], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
+ADD_PLUGIN([gcrypt], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
+ADD_PLUGIN([af-alg], [s libcharon pluto openac scepclient pki scripts medsrv attest])
 ADD_PLUGIN([fips-prf], [s libcharon])
-ADD_PLUGIN([gmp], [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([gmp], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
 ADD_PLUGIN([agent], [s libcharon])
 ADD_PLUGIN([xcbc], [s libcharon])
 ADD_PLUGIN([hmac], [s libcharon pluto scripts])
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index 82c1f186f..9200820e8 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -34,7 +34,7 @@
 /**
 * global debug output variables
 */
-static int debug_level = 0;
+static int debug_level = 2;
 static bool stderr_quiet = TRUE;
 
 /**
@@ -121,10 +121,11 @@ static void do_args(int argc, char *argv[])
 { "keys", no_argument, NULL, 'k' },
 { "products", no_argument, NULL, 'p' },
 { "hashes", no_argument, NULL, 'H' },
- { "measurements", no_argument, NULL, 'M' },
+ { "measurements", no_argument, NULL, 'm' },
 { "add", no_argument, NULL, 'a' },
 { "delete", no_argument, NULL, 'd' },
 { "del", no_argument, NULL, 'd' },
+ { "aik", required_argument, NULL, 'A' },
 { "component", required_argument, NULL, 'C' },
 { "comp", required_argument, NULL, 'C' },
 { "directory", required_argument, NULL, 'D' },
@@ -167,7 +168,7 @@ static void do_args(int argc, char *argv[])
 case 'H':
 op = OP_HASHES;
 continue;
- case 'M':
+ case 'm':
 op = OP_MEASUREMENTS;
 continue;
 case 'a':
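Review bot: The default `debug_level` is raised from 0 to 2 in the first attest.c hunk, a behaviour change unrelated to the AIK registration the commit describes and not mentioned in the commit message; either revert it to `static int debug_level = 0;` or state the new default in the commit message and in a comment above the variable, e.g. `/* default verbosity of the attest tool */`. The rename of the `--measurements` short option from 'M' to 'm' in the next two hunks is likewise user-visible and undocumented; the short-option string handed to getopt_long lies outside the hunk, so whether it was updated to match cannot be confirmed here.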
@@ -176,6 +177,43 @@ static void do_args(int argc, char *argv[])
 case 'd':
 op = OP_DEL;
 continue;
+ case 'A':
+ {
+ certificate_t *aik_cert;
+ public_key_t *aik_key;
+ chunk_t aik;
+
+ aik_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+ CERT_X509, BUILD_FROM_FILE, optarg, BUILD_END);
+ if (!aik_cert)
+ {
+ printf("AIK certificate '%s' could not be loaded\n", optarg);
+ exit(EXIT_FAILURE);
+ }
+ aik_key = aik_cert->get_public_key(aik_cert);
+ aik_cert->destroy(aik_cert);
+
+ if (!aik_key)
+ {
+ printf("AIK public key could not be retrieved\n");
+ exit(EXIT_FAILURE);
+ }
+ if (!aik_key->get_fingerprint(aik_key, KEYID_PUBKEY_INFO_SHA1,
+ &aik))
+ {
+ printf("AIK fingerprint could not be computed\n");
+ aik_key->destroy(aik_key);
+ exit(EXIT_FAILURE);
+ }
+ aik = chunk_clone(aik);
+ aik_key->destroy(aik_key);
+
+ if (!attest->set_key(attest, aik, op == OP_ADD))
+ {
+ exit(EXIT_FAILURE);
+ }
+ continue;
+ }
 case 'C':
 if (!attest->set_component(attest, optarg, op == OP_ADD))
 {
@@ -195,11 +233,16 @@ static void do_args(int argc, char *argv[])
 }
 continue;
 case 'K':
- if (!attest->set_key(attest, optarg, op == OP_ADD))
+ {
+ chunk_t aik;
+
+ aik = chunk_from_hex(chunk_create(optarg, strlen(optarg)), NULL);
+ if (!attest->set_key(attest, aik, op == OP_ADD))
 {
 exit(EXIT_FAILURE);
 }
 continue;
+ }
 case 'O':
 attest->set_owner(attest, optarg);
 continue;
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index 10c719bff..eef97bf76 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -402,7 +402,7 @@ METHOD(attest_db_t, set_fid, bool,
 }
 
 METHOD(attest_db_t, set_key, bool,
- private_attest_db_t *this, char *key, bool create)
+ private_attest_db_t *this, chunk_t key, bool create)
 {
 enumerator_t *e;
 char *owner;
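Review bot: The certificate loaded with `BUILD_FROM_FILE` in the new `case 'A'` is used purely as a carrier for the public key — no signature, chain or validity check appears between the `create()` call and `get_fingerprint()` — so any X.509 file handed to `--aik` registers its SubjectPublicKeyInfo SHA-1 as an AIK keyid; that is a reasonable design for an administrator-run tool, but it should be stated at the call site, e.g. `/* certificate is not verified here; it only supplies the AIK public key whose keyid is registered */`. The chunk returned by `get_fingerprint()` belongs to the key object, so the `chunk_clone()` before `aik_key->destroy()` is required and the clone is then handed to `set_key`; a short comment such as `/* set_key adopts the cloned keyid */` would make that ownership hand-off visible. `do_args()` and the enclosing switch continue beyond the hunk.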
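Review bot: In the rewritten `case 'K'`, `chunk_from_hex(chunk_create(optarg, strlen(optarg)), NULL)` passes whatever the argument decodes to straight into `set_key`, so an odd-length or otherwise malformed `--key` value ends up stored as a keyid instead of being rejected (the hunk does not show how chunk_from_hex treats non-hex characters). Since the keyid is the SHA-1 of the SubjectPublicKeyInfo (the `KEYID_PUBKEY_INFO_SHA1` fingerprint computed in the previous hunk), check the decoded length before the call: `if (aik.len != HASH_SIZE_SHA1) { printf("AIK key digest must be %d bytes\n", HASH_SIZE_SHA1); chunk_free(&aik); exit(EXIT_FAILURE); }`. The same unchecked conversion previously lived in attest_db.c's set_key, so this is pre-existing, but moving it into the caller is the right moment to add the check.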
@@ -412,7 +412,7 @@ METHOD(attest_db_t, set_key, bool,
 printf("key has already been set\n");
 return FALSE;
 }
- this->key = chunk_from_hex(chunk_create(key, strlen(key)), NULL);
+ this->key = key;
 e = this->db->query(this->db,
 "SELECT id, owner FROM keys WHERE keyid= ?",
 DB_BLOB, this->key, DB_INT, DB_TEXT);
@@ -420,6 +420,7 @@ METHOD(attest_db_t, set_key, bool,
 {
 if (e->enumerate(e, &this->kid, &owner))
 {
+ free(this->owner);
 this->owner = strdup(owner);
 this->key_set = TRUE;
 }
diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h
index 80a8f4cd4..9c9a9dcba 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.h
+++ b/src/libpts/plugins/imv_attestation/attest_db.h
@@ -91,7 +91,7 @@ struct attest_db_t {
 * @param create if TRUE create database entry if it doesn't exist
 * @return TRUE if successful
 */
- bool (*set_key)(attest_db_t *this, char *key, bool create);
+ bool (*set_key)(attest_db_t *this, chunk_t key, bool create);
 
 /**
 * Set primary key of the AIK to be queried
diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c
index 952b88b89..e58f821e0 100644
--- a/src/libpts/plugins/imv_attestation/attest_usage.c
+++ b/src/libpts/plugins/imv_attestation/attest_usage.c
@@ -56,7 +56,7 @@ Usage:\n\
 Show a list of component measurements for a given component or\n\
 its primary key as an optional selector.\n\
 \n\
- ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>]\n\
+ ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>|--aik <path>]\n\
 Show a list of component measurements for a given AIK or\n\
 its primary key as an optional selector.\n\
 \n\
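Review bot: With `this->key = key;` set_key now adopts the heap chunk its caller built (attest.c allocates it via chunk_clone or chunk_from_hex), but the early `return FALSE;` shown at the top of the hunk, taken when a key was already set, neither adopts nor frees it, so that path leaks the caller's buffer; add `chunk_free(&key);` before that `return FALSE;`. The ownership transfer also needs to be spelled out in the attest_db.h hunk, whose `@param key` line presumably sits just above the shown context — something like `@param key keyid of the AIK (SHA-1 of SubjectPublicKeyInfo); ownership passes to this object`. The method body continues beyond the hunk, so whether `this->key` is released in the destructor cannot be confirmed here.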
@@ -64,7 +64,7 @@ Usage:\n\
 Add a file, directory, product or component entry\n\
 Component <cfn> entries must be of the form <vendor_id>/<name>-<qualifier>\n\
 \n\
- ipsec attest --add [--owner <name>] --key <digest>\n\
+ ipsec attest --add [--owner <name>] --key <digest>|--aik <path>\n\
 Add an AIK public key digest entry preceded by an optional owner name\n\
 \n\
 ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\
@@ -73,7 +73,7 @@ Usage:\n\
 ipsec attest --del --product <name>|--pid <id>|--component <cfn>|--cid <id>\n\
 Delete a product or component entry referenced either by value or primary key\n\
 \n\
- ipsec attest --del --key <digest>|--kid <id>\n\
+ ipsec attest --del --key <digest>|--kid <id>|--aik <path>\n\
 Delete an AIK entry referenced either by value or primary key\n\
 \n");
 }
|