extended and documented ipsec attest

author: Andreas Steffen <andreas.steffen@strongswan.org> 2012-07-30 20:44:15 +0200
committer: Andreas Steffen <andreas.steffen@strongswan.org> 2012-07-30 20:49:42 +0200
commit: e0c66bebcfc7a711a30452a9d1561cd5ff03a457 (patch)
tree: d8fd1c16b3df8c3f9974e802fa6888c70aa4d092 /src/libpts
parent: 63ac6d00b0b40042b7edce487a86f79940fe6f4a (diff)
download: strongswan-e0c66bebcfc7a711a30452a9d1561cd5ff03a457.tar.bz2
strongswan-e0c66bebcfc7a711a30452a9d1561cd5ff03a457.tar.xz
4 files changed, 107 insertions, 46 deletions
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index 17c39e7f6..a202d128f 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -137,6 +137,8 @@ static void do_args(int argc, char *argv[])
 			{ "product", required_argument, NULL, 'P' },
 			{ "relative", no_argument, NULL, 'R' },
 			{ "rel", no_argument, NULL, 'R' },
+			{ "sequence", required_argument, NULL, 'S' },
+			{ "seq", required_argument, NULL, 'S' },
 			{ "sha1", no_argument, NULL, '1' },
 			{ "sha256", no_argument, NULL, '2' },
 			{ "sha384", no_argument, NULL, '3' },
@@ -261,6 +263,9 @@ static void do_args(int argc, char *argv[])
 			case 'R':
 				attest->set_relative(attest);
 				continue;
+			case 'S':
+				attest->set_sequence(attest, atoi(optarg));
+				continue;
 			case '1':
 				attest->set_algo(attest, PTS_MEAS_ALGO_SHA1);
 				continue;
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
index 1ce3cf8e2..0235aaf86 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ b/src/libpts/plugins/imv_attestation/attest_db.c
@@ -117,6 +117,11 @@ struct private_attest_db_t {
 	bool relative;
 
 	/**
+	 * Sequence number for ordering entries
+	 */
+	int seq_no;
+
+	/**
 	 * File measurement hash algorithm
 	 */
 	pts_meas_algorithms_t algo;
@@ -186,7 +191,7 @@ METHOD(attest_db_t, set_component, bool,
 	e = this->db->query(this->db,
 					   "SELECT id FROM components "
 					   "WHERE vendor_id = ? AND name = ? AND qualifier = ?",
-						DB_INT, vid, DB_INT, name, DB_INT, qualifier, DB_INT);
+						DB_UINT, vid, DB_INT, name, DB_INT, qualifier, DB_INT);
 	if (e)
 	{
 		if (e->enumerate(e, &this->cid))
@@ -242,7 +247,7 @@ METHOD(attest_db_t, set_cid, bool,
 
 	e = this->db->query(this->db, "SELECT vendor_id, name, qualifier "
 								  "FROM components WHERE id = ?",
-						DB_INT, cid, DB_INT, DB_INT, DB_INT);
+						DB_UINT, cid, DB_INT, DB_INT, DB_INT);
 	if (e)
 	{
 		if (e->enumerate(e, &vid, &name, &qualifier))
@@ -327,7 +332,7 @@ METHOD(attest_db_t, set_did, bool,
 	this->did = did;
 
 	e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?",
-						DB_INT, did, DB_TEXT);
+						DB_UINT, did, DB_TEXT);
 	if (e)
 	{
 		if (e->enumerate(e, &dir))
@@ -405,7 +410,7 @@ METHOD(attest_db_t, set_fid, bool,
 	this->fid = fid;
 
 	e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?",
-						DB_INT, fid, DB_TEXT);
+						DB_UINT, fid, DB_TEXT);
 	if (e)
 	{
 		if (e->enumerate(e, &file))
@@ -489,7 +494,7 @@ METHOD(attest_db_t, set_kid, bool,
 	this->kid = kid;
 
 	e = this->db->query(this->db, "SELECT keyid, owner FROM keys WHERE id = ?",
-						DB_INT, kid, DB_BLOB, DB_TEXT);
+						DB_UINT, kid, DB_BLOB, DB_TEXT);
 	if (e)
 	{
 		if (e->enumerate(e, &key, &owner))
@@ -566,7 +571,7 @@ METHOD(attest_db_t, set_pid, bool,
 	this->pid = pid;
 
 	e = this->db->query(this->db, "SELECT name FROM products WHERE id = ?",
-						DB_INT, pid, DB_TEXT);
+						DB_UINT, pid, DB_TEXT);
 	if (e)
 	{
 		if (e->enumerate(e, &product))
@@ -595,6 +600,12 @@ METHOD(attest_db_t, set_relative, void,
 	this->relative = TRUE;
 }
 
+METHOD(attest_db_t, set_sequence, void,
+	private_attest_db_t *this, int seq_no)
+{
+	this->seq_no = seq_no;
+}
+
 METHOD(attest_db_t, set_owner, void,
 	private_attest_db_t *this, char *owner)
 {
@@ -607,16 +618,29 @@ METHOD(attest_db_t, list_components, void,
 {
 	enumerator_t *e;
 	pts_comp_func_name_t *cfn;
-	int cid, vid, name, qualifier, count = 0;
+	int seq_no, cid, vid, name, qualifier, count = 0;
 
 	if (this->kid)
 	{
 		e = this->db->query(this->db,
-				"SELECT c.id, c.vendor_id, c.name, c.qualifier "
+				"SELECT kc.seq_no, c.id, c.vendor_id, c.name, c.qualifier "
 				"FROM components AS c "
 				"JOIN key_component AS kc ON c.id = kc.component "
-				"WHERE kc.key = ? ORDER BY c.vendor_id, c.name, c.qualifier",
-				DB_INT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT);
+				"WHERE kc.key = ? ORDER BY kc.seq_no",
+				DB_UINT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT);
+		if (e)
+		{
+			while (e->enumerate(e,  &cid, &seq_no, &vid, &name, &qualifier))
+			{
+				cfn   = pts_comp_func_name_create(vid, name, qualifier);
+				printf("%4d: #%-2d %s\n", seq_no, cid, print_cfn(cfn));
+				cfn->destroy(cfn);
+				count++;
+			}
+			e->destroy(e);
+			printf("%d component%s found for key %#B\n", count,
+				  (count == 1) ? "" : "s", &this->key);
+		}
 	}
 	else
 	{
@@ -624,24 +648,18 @@ METHOD(attest_db_t, list_components, void,
 				"SELECT id, vendor_id, name, qualifier FROM components "
 				"ORDER BY vendor_id, name, qualifier",
 				DB_INT, DB_INT, DB_INT, DB_INT);
-	}
-	if (e)
-	{
-		while (e->enumerate(e, &cid, &vid, &name, &qualifier))
-		{
-			cfn   = pts_comp_func_name_create(vid, name, qualifier);
-			printf("%4d: %s\n", cid, print_cfn(cfn));
-			cfn->destroy(cfn);
-			count++;
-		}
-		e->destroy(e);
-
-		printf("%d component%s found", count, (count == 1) ? "" : "s");
-		if (this->key_set)
+		if (e)
 		{
-			printf(" for key %#B", &this->key);
+			while (e->enumerate(e,  &cid, &vid, &name, &qualifier))
+			{
+				cfn   = pts_comp_func_name_create(vid, name, qualifier);
+				printf("%4d: %s\n", cid, print_cfn(cfn));
+				cfn->destroy(cfn);
+				count++;
+			}
+			e->destroy(e);
+			printf("%d component%s found\n", count, (count == 1) ? "" : "s");
 		}
-		printf("\n");
 	}
 }
 
@@ -659,7 +677,7 @@ METHOD(attest_db_t, list_keys, void,
 				"SELECT k.id, k.keyid, k.owner FROM keys AS k "
 				"JOIN key_component AS kc ON k.id = kc.key "
 				"WHERE kc.component = ? ORDER BY k.keyid",
-				DB_INT, this->cid, DB_INT, DB_BLOB, DB_TEXT);
+				DB_UINT, this->cid, DB_INT, DB_BLOB, DB_TEXT);
 		if (e)
 		{
 			while (e->enumerate(e, &kid, &keyid, &owner))
@@ -708,7 +726,7 @@ METHOD(attest_db_t, list_files, void,
 				"FROM files AS f "
 				"JOIN product_file AS pf ON f.id = pf.file "
 				"WHERE pf.product = ? ORDER BY f.path",
-				DB_INT, this->pid, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT);
+				DB_UINT, this->pid, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT);
 		if (e)
 		{
 			while (e->enumerate(e, &fid, &type, &file, &meas, &meta))
@@ -761,7 +779,7 @@ METHOD(attest_db_t, list_products, void,
 				"FROM products AS p "
 				"JOIN product_file AS pf ON p.id = pf.product "
 				"WHERE pf.file = ? ORDER BY p.name",
-				DB_INT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT);
+				DB_UINT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT);
 		if (e)
 		{
 			while (e->enumerate(e, &pid, &product, &meas, &meta))
@@ -812,7 +830,7 @@ static void get_directory(private_attest_db_t *this, int did, char **directory)
 	{
 		e = this->db->query(this->db,
 				"SELECT path from files WHERE id = ?",
-				DB_INT, did, DB_TEXT);
+				DB_UINT, did, DB_TEXT);
 		if (e)
 		{
 			if (e->enumerate(e, &dir))
@@ -875,7 +893,7 @@ METHOD(attest_db_t, list_hashes, void,
 				"JOIN files AS f ON f.id = fh.file "
 				"WHERE fh.algo = ? AND fh.product = ? "
 				"ORDER BY fh.directory, f.path",
-				DB_INT, this->algo, DB_INT, this->pid,
+				DB_INT, this->algo, DB_UINT, this->pid,
 				DB_INT, DB_TEXT, DB_BLOB, DB_INT);
 		if (e)
 		{
@@ -910,7 +928,7 @@ METHOD(attest_db_t, list_hashes, void,
 				"JOIN products AS p ON p.id = fh.product "
 				"WHERE fh.algo = ? AND fh.file = ? AND fh.directory = ?"
 				"ORDER BY p.name",
-				DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->did,
+				DB_INT, this->algo, DB_UINT, this->fid, DB_UINT, this->did,
 				DB_TEXT, DB_BLOB, DB_INT);
 		if (e)
 		{
@@ -983,7 +1001,7 @@ METHOD(attest_db_t, list_measurements, void,
 				"JOIN keys AS k ON k.id = ch.key "
 				"WHERE ch.algo = ? AND ch.key = ? AND ch.component = ? "
 				"ORDER BY seq_no",
-				DB_INT, this->algo, DB_INT, this->kid, DB_INT, this->cid,
+				DB_INT, this->algo, DB_UINT, this->kid, DB_UINT, this->cid,
 				DB_INT, DB_INT, DB_BLOB, DB_TEXT);
 		if (e)
 		{
@@ -994,7 +1012,7 @@ METHOD(attest_db_t, list_measurements, void,
 					printf("%4d: %#B '%s'\n", this->kid, &this->key, owner);
 					kid_old = this->kid;
 				}
-				printf("%5d %02d %#B\n", seq_no, pcr, &hash);
+				printf("%7d %02d %#B\n", seq_no, pcr, &hash);
 				count++;
 			}
 			e->destroy(e);
@@ -1012,7 +1030,7 @@ METHOD(attest_db_t, list_measurements, void,
 				"JOIN keys AS k ON k.id = ch.key "
 				"WHERE ch.algo = ? AND ch.component = ? "
 				"ORDER BY keyid, seq_no",
-				DB_INT, this->algo, DB_INT, this->cid,
+				DB_INT, this->algo, DB_UINT, this->cid,
 				DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB, DB_TEXT);
 		if (e)
 		{
@@ -1023,7 +1041,7 @@ METHOD(attest_db_t, list_measurements, void,
 					printf("%4d: %#B '%s'\n", kid, &keyid, owner);
 					kid_old = kid;
 				}
-				printf("%5d %02d %#B\n", seq_no, pcr, &hash);
+				printf("%7d %02d %#B\n", seq_no, pcr, &hash);
 				count++;
 			}
 			e->destroy(e);
@@ -1043,7 +1061,7 @@ METHOD(attest_db_t, list_measurements, void,
 				"JOIN components AS c ON c.id = ch.component "
 				"WHERE ch.algo = ? AND ch.key = ? "
 				"ORDER BY vendor_id, name, qualifier, seq_no",
-				DB_INT, this->algo, DB_INT, this->kid, DB_INT, DB_INT, DB_BLOB,
+				DB_INT, this->algo, DB_UINT, this->kid, DB_INT, DB_INT, DB_BLOB,
 				DB_INT, DB_INT, DB_INT, DB_INT);
 		if (e)
 		{
@@ -1082,7 +1100,7 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
 	e = this->db->query(this->db,
 		"SELECT hash FROM file_hashes WHERE algo = ? "
 		"AND file = ? AND directory = ? AND product = ? and key = 0",
-		DB_INT, algo, DB_INT, fid, DB_INT, did, DB_INT, this->pid, DB_BLOB);
+		DB_INT, algo, DB_UINT, fid, DB_UINT, did, DB_UINT, this->pid, DB_BLOB);
 	if (!e)
 	{
 		printf("file_hashes query failed\n");
@@ -1099,7 +1117,7 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
 			"INSERT INTO file_hashes "
 			"(file, directory, product, key, algo, hash) "
 			"VALUES (?, ?, ?, 0, ?, ?)",
-			DB_INT, fid, DB_INT, did, DB_INT, this->pid,
+			DB_UINT, fid, DB_UINT, did, DB_UINT, this->pid,
 			DB_INT, algo, DB_BLOB, measurement) == 1)
 		{
 			label = "created";
@@ -1121,11 +1139,16 @@ METHOD(attest_db_t, add, bool,
 	if (this->kid && this->cid)
 	{
 		success = this->db->execute(this->db, NULL,
-					"INSERT INTO key_component (key, component) VALUES (?, ?)",
-					DB_UINT, this->kid, DB_UINT, this->cid) == 1;
+					"INSERT INTO key_component (key, component, seq_no) "
+					"VALUES (?, ?, ?)",
+					DB_UINT, this->kid, DB_UINT, this->cid,
+					DB_UINT, this->seq_no) == 1;
 
-		printf("key/component pair (%d/%d) %sinserted into database\n",
-				this->kid, this->cid, success ? "" : "could not be ");
+		printf("key/component pair (%d/%d) %sinserted into database at "
+			   "position %d\n", this->kid, this->cid,
+			    success ? "" : "could not be ", this->seq_no);
+
+		return success;
 	}
 
 	/* add directory or file measurement for a given product */
@@ -1250,6 +1273,19 @@ METHOD(attest_db_t, delete, bool,
 {
 	bool success;
 
+	/* delete key/component pair */
+	if (this->kid && this->cid)
+	{
+		success = this->db->execute(this->db, NULL,
+								"DELETE FROM key_component "
+								"WHERE key = ? AND component = ?",
+								DB_UINT, this->kid, DB_UINT, this->cid) > 0;
+
+		printf("key/component pair (%d/%d) %sdeleted from database\n",
+				this->kid, this->cid, success ? "" : "could not be ");
+		return success;
+	}
+
 	/* delete a file measurement hash for a given product */
 	if (this->algo && this->pid && this->fid)
 	{
@@ -1379,6 +1415,7 @@ attest_db_t *attest_db_create(char *uri)
 			.set_pid = _set_pid,
 			.set_algo = _set_algo,
 			.set_relative = _set_relative,
+			.set_sequence = _set_sequence,
 			.set_owner = _set_owner,
 			.list_products = _list_products,
 			.list_files = _list_files,
diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h
index 4e7991a3d..e32a368d8 100644
--- a/src/libpts/plugins/imv_attestation/attest_db.h
+++ b/src/libpts/plugins/imv_attestation/attest_db.h
@@ -136,6 +136,11 @@ struct attest_db_t {
 	void (*set_relative)(attest_db_t *this);
 
 	/**
+	 * Set the sequence number
+	 */
+	void (*set_sequence)(attest_db_t *this, int seq_no);
+
+	/**
 	 * Set owner [user/host] of an AIK
 	 *
 	 * @param owner			user/host name
diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c
index e58f821e0..3e6e888ef 100644
--- a/src/libpts/plugins/imv_attestation/attest_usage.c
+++ b/src/libpts/plugins/imv_attestation/attest_usage.c
@@ -40,7 +40,7 @@ Usage:\n\
     Show a list of measurement hashes for a given software product or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --hashes [--sha1|--sha256|--sha384] [--file <path>|--fid <id>]\n\
+  ipsec attest --hashes [--sha1|--sha1-ima|--sha256|--sha384] [--file <path>|--fid <id>]\n\
     Show a list of measurement hashes for a given file or\n\
     its primary key as an optional selector.\n\
   \n\
@@ -52,11 +52,11 @@ Usage:\n\
     Show a list of AIK key digests with a component or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --measurements [--sha1|--sha256|--sha384] [--component <cfn>|--cid <id>]\n\
+  ipsec attest --measurements --sha1|--sha256|--sha384 [--component <cfn>|--cid <id>]\n\
     Show a list of component measurements for a given component or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>|--aik <path>]\n\
+  ipsec attest --measurements --sha1|--sha256|--sha384 [--key <digest>|--kid <id>|--aik <path>]\n\
     Show a list of component measurements for a given AIK or\n\
     its primary key as an optional selector.\n\
   \n\
@@ -67,6 +67,13 @@ Usage:\n\
   ipsec attest --add [--owner <name>] --key <digest>|--aik <path>\n\
     Add an AIK public key digest entry preceded by an optional owner name\n\
   \n\
+  ipsec attest --add --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\
+              [--relative|--rel] --dir <path>|--file <path>\n\
+    Add hashes of a single file or all files in a directory under absolute or relative filenames\n\
+  \n\
+  ipsec attest --add --key <digest|--kid <id> --component <cfn>|--cid <id> --sequence <no>|--seq <no>\n\
+    Add an ordered key/component entry\n\
+  \n\
   ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\
     Delete a file or directory entry referenced either by value or primary key\n\
   \n\
@@ -75,6 +82,13 @@ Usage:\n\
   \n\
   ipsec attest --del --key <digest>|--kid <id>|--aik <path>\n\
     Delete an AIK entry referenced either by value or primary key\n\
+  \n\
+  ipsec attest --del --key <digest|--kid <id> --component <cfn>|--cid <id>\n\
+    Delete a key/component entry\n\
+  \n\
+  ipsec attest --del --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\
+               [--dir <path>|--did <id>] --file <path>|--fid <id>\n\
+    Delete a file hash given an absolute or relative filename\n\
   \n");
 }
author	Andreas Steffen <andreas.steffen@strongswan.org>	2012-07-30 20:44:15 +0200
committer	Andreas Steffen <andreas.steffen@strongswan.org>	2012-07-30 20:49:42 +0200
commit	e0c66bebcfc7a711a30452a9d1561cd5ff03a457 (patch)
tree	d8fd1c16b3df8c3f9974e802fa6888c70aa4d092 /src/libpts
parent	63ac6d00b0b40042b7edce487a86f79940fe6f4a (diff)
download	strongswan-e0c66bebcfc7a711a30452a9d1561cd5ff03a457.tar.bz2 strongswan-e0c66bebcfc7a711a30452a9d1561cd5ff03a457.tar.xz