authorAndreas Steffen <andreas.steffen@strongswan.org>2011-09-05 18:19:50 +0200
committerAndreas Steffen <andreas.steffen@strongswan.org>2011-09-08 12:08:17 +0200
commita75a4e87f3cca4619c882487aa76967666565dcc (patch)
treedf212e06ecde363828deb441bf688d5be6136c0d /src/libimcv
parent6ef5c05829a366b45a442b40c02a75f19f5e65c3 (diff)
downloadstrongswan-a75a4e87f3cca4619c882487aa76967666565dcc.tar.bz2
strongswan-a75a4e87f3cca4619c882487aa76967666565dcc.tar.xz
added a PTS credential set
Diffstat (limited to 'src/libimcv')
-rw-r--r--src/libimcv/Makefile.am3
-rw-r--r--src/libimcv/plugins/imv_attestation/imv_attestation.c14
-rw-r--r--src/libimcv/tcg/pts/pts_creds.c136
-rw-r--r--src/libimcv/tcg/pts/pts_creds.h57
4 files changed, 208 insertions, 2 deletions
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am
index 553038bad..dcb341305 100644
--- a/src/libimcv/Makefile.am
+++ b/src/libimcv/Makefile.am
@@ -31,7 +31,8 @@ libimcv_la_SOURCES = \
tcg/tcg_pts_attr_file_meas.h tcg/tcg_pts_attr_file_meas.c \
tcg/pts/pts.h tcg/pts/pts.c \
tcg/pts/pts_error.h tcg/pts/pts_error.c \
- tcg/pts/pts_proto_caps.h tcg/pts/pts_funct_comp_name.h tcg/pts/fake_ek_cert.h\
+ tcg/pts/pts_proto_caps.h tcg/pts/pts_funct_comp_name.h \
+ tcg/pts/pts_creds.h tcg/pts/pts_creds.c \
tcg/pts/pts_database.h tcg/pts/pts_database.c \
tcg/pts/pts_file_meas.h tcg/pts/pts_file_meas.c \
tcg/pts/pts_meas_algo.h tcg/pts/pts_meas_algo.c
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation.c b/src/libimcv/plugins/imv_attestation/imv_attestation.c
index 0bf705d54..a559e219b 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation.c
@@ -21,6 +21,7 @@
#include <ietf/ietf_attr_pa_tnc_error.h>
#include <tcg/pts/pts_database.h>
+#include <tcg/pts/pts_creds.h>
#include <tcg/pts/pts_error.h>
#include <tcg/tcg_attr.h>
@@ -69,6 +70,11 @@ static pts_meas_algorithms_t supported_algorithms = 0;
static pts_database_t *pts_db;
/**
+ * PTS credentials
+ */
+static pts_creds_t *pts_creds;
+
+/**
* List of id's for the files that are requested for measurement
*/
static linked_list_t *requested_files;
@@ -81,7 +87,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
TNC_Version max_version,
TNC_Version *actual_version)
{
- char *hash_alg, *uri;
+ char *hash_alg, *uri, *cadir;
if (imv_attestation)
{
@@ -127,6 +133,11 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
"libimcv.plugins.imv-attestation.database", NULL);
pts_db = pts_database_create(uri);
+ /* create PTS credential set */
+ cadir = lib->settings->get_str(lib->settings,
+ "libimcv.plugins.imv-attestation.cadir", NULL);
+ pts_creds = pts_creds_create(cadir);
+
return TNC_RESULT_SUCCESS;
}
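Review bot: `pts_creds` stays NULL when the `cadir` setting is unset, because `pts_creds_create()` returns NULL for a NULL path, yet `TNC_IMV_Initialize` still returns TNC_RESULT_SUCCESS, and the static added in the earlier hunk of this file is documented only as "PTS credentials". A reader of this function gets no hint that the credential set is optional, so the declaration comment should say so, e.g. `/* PTS credentials (NULL if no cadir is configured) */`. Whether any later code path dereferences `pts_creds` without a NULL check is not visible in this diff; if the IMV cannot work without trusted PTS CA certificates, failing initialization here would be the safer choice. The remainder of `TNC_IMV_Initialize` lies outside the hunk.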
@@ -681,6 +692,7 @@ TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
return TNC_RESULT_NOT_INITIALIZED;
}
DESTROY_IF(pts_db);
+ DESTROY_IF(pts_creds);
imv_attestation->destroy(imv_attestation);
imv_attestation = NULL;
diff --git a/src/libimcv/tcg/pts/pts_creds.c b/src/libimcv/tcg/pts/pts_creds.c
new file mode 100644
index 000000000..1a8211ceb
--- /dev/null
+++ b/src/libimcv/tcg/pts/pts_creds.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pts_creds.h"
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/sets/mem_cred.h>
+
+#include <sys/stat.h>
+
+typedef struct private_pts_creds_t private_pts_creds_t;
+
+/**
+ * Private data of a pts_creds_t object.
+ *
+ */
+struct private_pts_creds_t {
+
+ /**
+ * Public pts_creds_t interface.
+ */
+ pts_creds_t public;
+
+ /**
+ * Credential set
+ */
+ mem_cred_t *creds;
+
+};
+
+METHOD(pts_creds_t, verify, bool,
+ private_pts_creds_t *this, certificate_t *cert)
+{
+ return FALSE;
+}
+
+
+METHOD(pts_creds_t, destroy, void,
+ private_pts_creds_t *this)
+{
+ this->creds->destroy(this->creds);
+ free(this);
+}
+
+/**
+ * Load trusted PTS CA certificates from a directory
+ */
+static void load_cacerts(private_pts_creds_t *this, char *path)
+{
+ enumerator_t *enumerator;
+ struct stat st;
+ char *file;
+
+ DBG1(DBG_TNC, "loading PTS ca certificates from '%s'", path);
+
+ enumerator = enumerator_create_directory(path);
+ if (!enumerator)
+ {
+ return;
+ }
+
+ while (enumerator->enumerate(enumerator, NULL, &file, &st))
+ {
+ certificate_t *cert;
+
+ if (!S_ISREG(st.st_mode))
+ {
+ /* skip special file */
+ continue;
+ }
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, file, BUILD_END);
+ if (cert)
+ {
+ x509_t *x509 = (x509_t*)cert;
+
+ if (!(x509->get_flags(x509) & X509_CA))
+ {
+ DBG1(DBG_TNC, " ca certificate \"%Y\" lacks ca basic constraint"
+ ", discarded", cert->get_subject(cert));
+ cert->destroy(cert);
+ }
+ else
+ {
+ DBG1(DBG_TNC, " loaded ca certificate \"%Y\" from '%s'",
+ cert->get_subject(cert), file);
+ this->creds->add_cert(this->creds, TRUE, cert);
+ }
+ }
+ else
+ {
+ DBG1(DBG_TNC, " loading ca certificate from '%s' failed", file);
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * See header
+ */
+pts_creds_t *pts_creds_create(char *path)
+{
+ private_pts_creds_t *this;
+
+ if (!path)
+ {
+ DBG1(DBG_TNC, "no PTS cacerts directory defined");
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .verify = _verify,
+ .destroy = _destroy,
+ },
+ .creds = mem_cred_create(),
+ );
+
+ load_cacerts(this, path);
+
+ return &this->public;
+}
+
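Review bot: `verify()` near the top of this file unconditionally returns FALSE and carries no comment marking it as a placeholder, so every AIK certificate handed to this set is rejected while the CA certificates collected in `this->creds` are never consulted. If the implementation is still to come, say so at the stub: `/* TODO: verify cert against the trusted CA certificates in this->creds */`. Separately, `load_cacerts()` returns silently when `enumerator_create_directory()` fails, so a mistyped `cadir` leaves only the "loading PTS ca certificates from" line in the log; adding `DBG1(DBG_TNC, "opening PTS cacerts directory '%s' failed", path);` before that `return` makes the misconfiguration visible. Rejecting certificates that lack the CA basic constraint before adding them as trusted is a good guard and should stay.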
diff --git a/src/libimcv/tcg/pts/pts_creds.h b/src/libimcv/tcg/pts/pts_creds.h
new file mode 100644
index 000000000..d5ae1762b
--- /dev/null
+++ b/src/libimcv/tcg/pts/pts_creds.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pts_creds pts_creds
+ * @{ @ingroup pts
+ */
+
+#ifndef PTS_CREDS_H_
+#define PTS_CREDS_H_
+
+typedef struct pts_creds_t pts_creds_t;
+
+#include <library.h>
+
+/**
+ * Class implementing a PTS credentials set
+ *
+ */
+struct pts_creds_t {
+
+/**
+ * Verify an AIK certificate
+ *
+ * @cert certificate to be verified
+ * @return TRUE if valid and trusted
+ */
+ bool (*verify)(pts_creds_t *this, certificate_t *cert);
+
+
+ /**
+ * Destroys a pts_creds_t object.
+ */
+ void (*destroy)(pts_creds_t *this);
+
+};
+
+/**
+ * Creates an pts_creds_t object
+ *
+ * @param path path to the PTS cacerts directory
+ */
+pts_creds_t* pts_creds_create(char *path);
+
+#endif /** PTS_CREDS_H_ @}*/
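Review bot: The doc block for `verify` uses `@cert` where the `pts_creds_create` block further down uses `@param`, and it is flush-left inside the struct while the `destroy` block is indented; change the tag line to ` * @param cert certificate to be verified` and indent the block to match. `pts_creds_create()` is documented without a `@return`; since the implementation returns NULL when `path` is NULL, add ` * @return pts_creds_t object, or NULL if no path is given` so callers know to check the result.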