diff options
author | Andreas Steffen <andreas.steffen@strongswan.org> | 2012-07-30 20:44:15 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2012-07-30 20:49:42 +0200 |
commit | e0c66bebcfc7a711a30452a9d1561cd5ff03a457 (patch) | |
tree | d8fd1c16b3df8c3f9974e802fa6888c70aa4d092 /src/libpts | |
parent | 63ac6d00b0b40042b7edce487a86f79940fe6f4a (diff) | |
download | strongswan-e0c66bebcfc7a711a30452a9d1561cd5ff03a457.tar.bz2 strongswan-e0c66bebcfc7a711a30452a9d1561cd5ff03a457.tar.xz |
extended and documented ipsec attest
Diffstat (limited to 'src/libpts')
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest.c | 5 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest_db.c | 123 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest_db.h | 5 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest_usage.c | 20 |
4 files changed, 107 insertions, 46 deletions
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c index 17c39e7f6..a202d128f 100644 --- a/src/libpts/plugins/imv_attestation/attest.c +++ b/src/libpts/plugins/imv_attestation/attest.c @@ -137,6 +137,8 @@ static void do_args(int argc, char *argv[]) { "product", required_argument, NULL, 'P' }, { "relative", no_argument, NULL, 'R' }, { "rel", no_argument, NULL, 'R' }, + { "sequence", required_argument, NULL, 'S' }, + { "seq", required_argument, NULL, 'S' }, { "sha1", no_argument, NULL, '1' }, { "sha256", no_argument, NULL, '2' }, { "sha384", no_argument, NULL, '3' }, @@ -261,6 +263,9 @@ static void do_args(int argc, char *argv[]) case 'R': attest->set_relative(attest); continue; + case 'S': + attest->set_sequence(attest, atoi(optarg)); + continue; case '1': attest->set_algo(attest, PTS_MEAS_ALGO_SHA1); continue; diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c index 1ce3cf8e2..0235aaf86 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.c +++ b/src/libpts/plugins/imv_attestation/attest_db.c @@ -117,6 +117,11 @@ struct private_attest_db_t { bool relative; /** + * Sequence number for ordering entries + */ + int seq_no; + + /** * File measurement hash algorithm */ pts_meas_algorithms_t algo; @@ -186,7 +191,7 @@ METHOD(attest_db_t, set_component, bool, e = this->db->query(this->db, "SELECT id FROM components " "WHERE vendor_id = ? AND name = ? AND qualifier = ?", - DB_INT, vid, DB_INT, name, DB_INT, qualifier, DB_INT); + DB_UINT, vid, DB_INT, name, DB_INT, qualifier, DB_INT); if (e) { if (e->enumerate(e, &this->cid)) @@ -242,7 +247,7 @@ METHOD(attest_db_t, set_cid, bool, e = this->db->query(this->db, "SELECT vendor_id, name, qualifier " "FROM components WHERE id = ?", - DB_INT, cid, DB_INT, DB_INT, DB_INT); + DB_UINT, cid, DB_INT, DB_INT, DB_INT); if (e) { if (e->enumerate(e, &vid, &name, &qualifier)) @@ -327,7 +332,7 @@ METHOD(attest_db_t, set_did, bool, this->did = did; e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?", - DB_INT, did, DB_TEXT); + DB_UINT, did, DB_TEXT); if (e) { if (e->enumerate(e, &dir)) @@ -405,7 +410,7 @@ METHOD(attest_db_t, set_fid, bool, this->fid = fid; e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?", - DB_INT, fid, DB_TEXT); + DB_UINT, fid, DB_TEXT); if (e) { if (e->enumerate(e, &file)) @@ -489,7 +494,7 @@ METHOD(attest_db_t, set_kid, bool, this->kid = kid; e = this->db->query(this->db, "SELECT keyid, owner FROM keys WHERE id = ?", - DB_INT, kid, DB_BLOB, DB_TEXT); + DB_UINT, kid, DB_BLOB, DB_TEXT); if (e) { if (e->enumerate(e, &key, &owner)) @@ -566,7 +571,7 @@ METHOD(attest_db_t, set_pid, bool, this->pid = pid; e = this->db->query(this->db, "SELECT name FROM products WHERE id = ?", - DB_INT, pid, DB_TEXT); + DB_UINT, pid, DB_TEXT); if (e) { if (e->enumerate(e, &product)) @@ -595,6 +600,12 @@ METHOD(attest_db_t, set_relative, void, this->relative = TRUE; } +METHOD(attest_db_t, set_sequence, void, + private_attest_db_t *this, int seq_no) +{ + this->seq_no = seq_no; +} + METHOD(attest_db_t, set_owner, void, private_attest_db_t *this, char *owner) { @@ -607,16 +618,29 @@ METHOD(attest_db_t, list_components, void, { enumerator_t *e; pts_comp_func_name_t *cfn; - int cid, vid, name, qualifier, count = 0; + int seq_no, cid, vid, name, qualifier, count = 0; if (this->kid) { e = this->db->query(this->db, - "SELECT c.id, c.vendor_id, c.name, c.qualifier " + "SELECT kc.seq_no, c.id, c.vendor_id, c.name, c.qualifier " "FROM components AS c " "JOIN key_component AS kc ON c.id = kc.component " - "WHERE kc.key = ? ORDER BY c.vendor_id, c.name, c.qualifier", - DB_INT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT); + "WHERE kc.key = ? ORDER BY kc.seq_no", + DB_UINT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT); + if (e) + { + while (e->enumerate(e, &cid, &seq_no, &vid, &name, &qualifier)) + { + cfn = pts_comp_func_name_create(vid, name, qualifier); + printf("%4d: #%-2d %s\n", seq_no, cid, print_cfn(cfn)); + cfn->destroy(cfn); + count++; + } + e->destroy(e); + printf("%d component%s found for key %#B\n", count, + (count == 1) ? "" : "s", &this->key); + } } else { @@ -624,24 +648,18 @@ METHOD(attest_db_t, list_components, void, "SELECT id, vendor_id, name, qualifier FROM components " "ORDER BY vendor_id, name, qualifier", DB_INT, DB_INT, DB_INT, DB_INT); - } - if (e) - { - while (e->enumerate(e, &cid, &vid, &name, &qualifier)) - { - cfn = pts_comp_func_name_create(vid, name, qualifier); - printf("%4d: %s\n", cid, print_cfn(cfn)); - cfn->destroy(cfn); - count++; - } - e->destroy(e); - - printf("%d component%s found", count, (count == 1) ? "" : "s"); - if (this->key_set) + if (e) { - printf(" for key %#B", &this->key); + while (e->enumerate(e, &cid, &vid, &name, &qualifier)) + { + cfn = pts_comp_func_name_create(vid, name, qualifier); + printf("%4d: %s\n", cid, print_cfn(cfn)); + cfn->destroy(cfn); + count++; + } + e->destroy(e); + printf("%d component%s found\n", count, (count == 1) ? "" : "s"); } - printf("\n"); } } @@ -659,7 +677,7 @@ METHOD(attest_db_t, list_keys, void, "SELECT k.id, k.keyid, k.owner FROM keys AS k " "JOIN key_component AS kc ON k.id = kc.key " "WHERE kc.component = ? ORDER BY k.keyid", - DB_INT, this->cid, DB_INT, DB_BLOB, DB_TEXT); + DB_UINT, this->cid, DB_INT, DB_BLOB, DB_TEXT); if (e) { while (e->enumerate(e, &kid, &keyid, &owner)) @@ -708,7 +726,7 @@ METHOD(attest_db_t, list_files, void, "FROM files AS f " "JOIN product_file AS pf ON f.id = pf.file " "WHERE pf.product = ? ORDER BY f.path", - DB_INT, this->pid, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT); + DB_UINT, this->pid, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT); if (e) { while (e->enumerate(e, &fid, &type, &file, &meas, &meta)) @@ -761,7 +779,7 @@ METHOD(attest_db_t, list_products, void, "FROM products AS p " "JOIN product_file AS pf ON p.id = pf.product " "WHERE pf.file = ? ORDER BY p.name", - DB_INT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT); + DB_UINT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT); if (e) { while (e->enumerate(e, &pid, &product, &meas, &meta)) @@ -812,7 +830,7 @@ static void get_directory(private_attest_db_t *this, int did, char **directory) { e = this->db->query(this->db, "SELECT path from files WHERE id = ?", - DB_INT, did, DB_TEXT); + DB_UINT, did, DB_TEXT); if (e) { if (e->enumerate(e, &dir)) @@ -875,7 +893,7 @@ METHOD(attest_db_t, list_hashes, void, "JOIN files AS f ON f.id = fh.file " "WHERE fh.algo = ? AND fh.product = ? " "ORDER BY fh.directory, f.path", - DB_INT, this->algo, DB_INT, this->pid, + DB_INT, this->algo, DB_UINT, this->pid, DB_INT, DB_TEXT, DB_BLOB, DB_INT); if (e) { @@ -910,7 +928,7 @@ METHOD(attest_db_t, list_hashes, void, "JOIN products AS p ON p.id = fh.product " "WHERE fh.algo = ? AND fh.file = ? AND fh.directory = ?" "ORDER BY p.name", - DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->did, + DB_INT, this->algo, DB_UINT, this->fid, DB_UINT, this->did, DB_TEXT, DB_BLOB, DB_INT); if (e) { @@ -983,7 +1001,7 @@ METHOD(attest_db_t, list_measurements, void, "JOIN keys AS k ON k.id = ch.key " "WHERE ch.algo = ? AND ch.key = ? AND ch.component = ? " "ORDER BY seq_no", - DB_INT, this->algo, DB_INT, this->kid, DB_INT, this->cid, + DB_INT, this->algo, DB_UINT, this->kid, DB_UINT, this->cid, DB_INT, DB_INT, DB_BLOB, DB_TEXT); if (e) { @@ -994,7 +1012,7 @@ METHOD(attest_db_t, list_measurements, void, printf("%4d: %#B '%s'\n", this->kid, &this->key, owner); kid_old = this->kid; } - printf("%5d %02d %#B\n", seq_no, pcr, &hash); + printf("%7d %02d %#B\n", seq_no, pcr, &hash); count++; } e->destroy(e); @@ -1012,7 +1030,7 @@ METHOD(attest_db_t, list_measurements, void, "JOIN keys AS k ON k.id = ch.key " "WHERE ch.algo = ? AND ch.component = ? " "ORDER BY keyid, seq_no", - DB_INT, this->algo, DB_INT, this->cid, + DB_INT, this->algo, DB_UINT, this->cid, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB, DB_TEXT); if (e) { @@ -1023,7 +1041,7 @@ METHOD(attest_db_t, list_measurements, void, printf("%4d: %#B '%s'\n", kid, &keyid, owner); kid_old = kid; } - printf("%5d %02d %#B\n", seq_no, pcr, &hash); + printf("%7d %02d %#B\n", seq_no, pcr, &hash); count++; } e->destroy(e); @@ -1043,7 +1061,7 @@ METHOD(attest_db_t, list_measurements, void, "JOIN components AS c ON c.id = ch.component " "WHERE ch.algo = ? AND ch.key = ? " "ORDER BY vendor_id, name, qualifier, seq_no", - DB_INT, this->algo, DB_INT, this->kid, DB_INT, DB_INT, DB_BLOB, + DB_INT, this->algo, DB_UINT, this->kid, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_INT, DB_INT, DB_INT); if (e) { @@ -1082,7 +1100,7 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo, e = this->db->query(this->db, "SELECT hash FROM file_hashes WHERE algo = ? " "AND file = ? AND directory = ? AND product = ? and key = 0", - DB_INT, algo, DB_INT, fid, DB_INT, did, DB_INT, this->pid, DB_BLOB); + DB_INT, algo, DB_UINT, fid, DB_UINT, did, DB_UINT, this->pid, DB_BLOB); if (!e) { printf("file_hashes query failed\n"); @@ -1099,7 +1117,7 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo, "INSERT INTO file_hashes " "(file, directory, product, key, algo, hash) " "VALUES (?, ?, ?, 0, ?, ?)", - DB_INT, fid, DB_INT, did, DB_INT, this->pid, + DB_UINT, fid, DB_UINT, did, DB_UINT, this->pid, DB_INT, algo, DB_BLOB, measurement) == 1) { label = "created"; @@ -1121,11 +1139,16 @@ METHOD(attest_db_t, add, bool, if (this->kid && this->cid) { success = this->db->execute(this->db, NULL, - "INSERT INTO key_component (key, component) VALUES (?, ?)", - DB_UINT, this->kid, DB_UINT, this->cid) == 1; + "INSERT INTO key_component (key, component, seq_no) " + "VALUES (?, ?, ?)", + DB_UINT, this->kid, DB_UINT, this->cid, + DB_UINT, this->seq_no) == 1; - printf("key/component pair (%d/%d) %sinserted into database\n", - this->kid, this->cid, success ? "" : "could not be "); + printf("key/component pair (%d/%d) %sinserted into database at " + "position %d\n", this->kid, this->cid, + success ? "" : "could not be ", this->seq_no); + + return success; } /* add directory or file measurement for a given product */ @@ -1250,6 +1273,19 @@ METHOD(attest_db_t, delete, bool, { bool success; + /* delete key/component pair */ + if (this->kid && this->cid) + { + success = this->db->execute(this->db, NULL, + "DELETE FROM key_component " + "WHERE key = ? AND component = ?", + DB_UINT, this->kid, DB_UINT, this->cid) > 0; + + printf("key/component pair (%d/%d) %sdeleted from database\n", + this->kid, this->cid, success ? "" : "could not be "); + return success; + } + /* delete a file measurement hash for a given product */ if (this->algo && this->pid && this->fid) { @@ -1379,6 +1415,7 @@ attest_db_t *attest_db_create(char *uri) .set_pid = _set_pid, .set_algo = _set_algo, .set_relative = _set_relative, + .set_sequence = _set_sequence, .set_owner = _set_owner, .list_products = _list_products, .list_files = _list_files, diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h index 4e7991a3d..e32a368d8 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.h +++ b/src/libpts/plugins/imv_attestation/attest_db.h @@ -136,6 +136,11 @@ struct attest_db_t { void (*set_relative)(attest_db_t *this); /** + * Set the sequence number + */ + void (*set_sequence)(attest_db_t *this, int seq_no); + + /** * Set owner [user/host] of an AIK * * @param owner user/host name diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c index e58f821e0..3e6e888ef 100644 --- a/src/libpts/plugins/imv_attestation/attest_usage.c +++ b/src/libpts/plugins/imv_attestation/attest_usage.c @@ -40,7 +40,7 @@ Usage:\n\ Show a list of measurement hashes for a given software product or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --hashes [--sha1|--sha256|--sha384] [--file <path>|--fid <id>]\n\ + ipsec attest --hashes [--sha1|--sha1-ima|--sha256|--sha384] [--file <path>|--fid <id>]\n\ Show a list of measurement hashes for a given file or\n\ its primary key as an optional selector.\n\ \n\ @@ -52,11 +52,11 @@ Usage:\n\ Show a list of AIK key digests with a component or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --measurements [--sha1|--sha256|--sha384] [--component <cfn>|--cid <id>]\n\ + ipsec attest --measurements --sha1|--sha256|--sha384 [--component <cfn>|--cid <id>]\n\ Show a list of component measurements for a given component or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>|--aik <path>]\n\ + ipsec attest --measurements --sha1|--sha256|--sha384 [--key <digest>|--kid <id>|--aik <path>]\n\ Show a list of component measurements for a given AIK or\n\ its primary key as an optional selector.\n\ \n\ @@ -67,6 +67,13 @@ Usage:\n\ ipsec attest --add [--owner <name>] --key <digest>|--aik <path>\n\ Add an AIK public key digest entry preceded by an optional owner name\n\ \n\ + ipsec attest --add --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\ + [--relative|--rel] --dir <path>|--file <path>\n\ + Add hashes of a single file or all files in a directory under absolute or relative filenames\n\ + \n\ + ipsec attest --add --key <digest|--kid <id> --component <cfn>|--cid <id> --sequence <no>|--seq <no>\n\ + Add an ordered key/component entry\n\ + \n\ ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\ Delete a file or directory entry referenced either by value or primary key\n\ \n\ @@ -75,6 +82,13 @@ Usage:\n\ \n\ ipsec attest --del --key <digest>|--kid <id>|--aik <path>\n\ Delete an AIK entry referenced either by value or primary key\n\ + \n\ + ipsec attest --del --key <digest|--kid <id> --component <cfn>|--cid <id>\n\ + Delete a key/component entry\n\ + \n\ + ipsec attest --del --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\ + [--dir <path>|--did <id>] --file <path>|--fid <id>\n\ + Delete a file hash given an absolute or relative filename\n\ \n"); } |