Diffstat (limited to 'src/libimcv')
-rw-r--r-- | src/libimcv/Makefile.am | 3 | ||||
-rw-r--r-- | src/libimcv/plugins/imv_attestation/imv_attestation.c | 14 | ||||
-rw-r--r-- | src/libimcv/tcg/pts/pts_creds.c | 136 | ||||
-rw-r--r-- | src/libimcv/tcg/pts/pts_creds.h | 57 |
4 files changed, 208 insertions, 2 deletions
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am index 553038bad..dcb341305 100644 --- a/src/libimcv/Makefile.am +++ b/src/libimcv/Makefile.am @@ -31,7 +31,8 @@ libimcv_la_SOURCES = \ tcg/tcg_pts_attr_file_meas.h tcg/tcg_pts_attr_file_meas.c \ tcg/pts/pts.h tcg/pts/pts.c \ tcg/pts/pts_error.h tcg/pts/pts_error.c \ - tcg/pts/pts_proto_caps.h tcg/pts/pts_funct_comp_name.h tcg/pts/fake_ek_cert.h\ + tcg/pts/pts_proto_caps.h tcg/pts/pts_funct_comp_name.h \ + tcg/pts/pts_creds.h tcg/pts/pts_creds.c \ tcg/pts/pts_database.h tcg/pts/pts_database.c \ tcg/pts/pts_file_meas.h tcg/pts/pts_file_meas.c \ tcg/pts/pts_meas_algo.h tcg/pts/pts_meas_algo.c diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation.c b/src/libimcv/plugins/imv_attestation/imv_attestation.c index 0bf705d54..a559e219b 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation.c @@ -21,6 +21,7 @@ #include <ietf/ietf_attr_pa_tnc_error.h> #include <tcg/pts/pts_database.h> +#include <tcg/pts/pts_creds.h> #include <tcg/pts/pts_error.h> #include <tcg/tcg_attr.h> @@ -69,6 +70,11 @@ static pts_meas_algorithms_t supported_algorithms = 0; static pts_database_t *pts_db; /** + * PTS credentials + */ +static pts_creds_t *pts_creds; + +/** * List of id's for the files that are requested for measurement */ static linked_list_t *requested_files; @@ -81,7 +87,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, TNC_Version max_version, TNC_Version *actual_version) { - char *hash_alg, *uri; + char *hash_alg, *uri, *cadir; if (imv_attestation) { @@ -127,6 +133,11 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, "libimcv.plugins.imv-attestation.database", NULL); pts_db = pts_database_create(uri); + /* create PTS credential set */ + cadir = lib->settings->get_str(lib->settings, + "libimcv.plugins.imv-attestation.cadir", NULL); + pts_creds = pts_creds_create(cadir); + return TNC_RESULT_SUCCESS; } 
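Review bot: `pts_creds` can be NULL after `pts_creds = pts_creds_create(cadir);` in the @@ -127 hunk: pts_creds_create() returns NULL when the `libimcv.plugins.imv-attestation.cadir` setting is unset (see the new pts_creds.c), yet TNC_IMV_Initialize still returns TNC_RESULT_SUCCESS, so the IMV comes up with no trust anchors and any later `pts_creds->verify(...)` call would dereference NULL. If the credential set is mandatory, fail initialization instead, e.g. `if (!pts_creds) { DESTROY_IF(pts_db); return TNC_RESULT_FATAL; }`; if it is optional, document that at the declaration in the @@ -69 hunk with `/* may be NULL when cadir is not configured; AIK verification is then unavailable */` and NULL-check at every use. The body of TNC_IMV_Initialize continues outside the hunk.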
@@ -681,6 +692,7 @@ TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
 return TNC_RESULT_NOT_INITIALIZED;
 }
 DESTROY_IF(pts_db);
+ DESTROY_IF(pts_creds);
 imv_attestation->destroy(imv_attestation);
 imv_attestation = NULL;
diff --git a/src/libimcv/tcg/pts/pts_creds.c b/src/libimcv/tcg/pts/pts_creds.c
new file mode 100644
index 000000000..1a8211ceb
--- /dev/null
+++ b/src/libimcv/tcg/pts/pts_creds.c
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pts_creds.h"
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/sets/mem_cred.h>
+
+#include <sys/stat.h>
+
+typedef struct private_pts_creds_t private_pts_creds_t;
+
+/**
+ * Private data of a pts_creds_t object.
+ *
+ */
+struct private_pts_creds_t {
+
+ /**
+ * Public pts_creds_t interface.
+ */
+ pts_creds_t public;
+
+ /**
+ * Credential set
+ */
+ mem_cred_t *creds;
+
+};
+
+METHOD(pts_creds_t, verify, bool,
+ private_pts_creds_t *this, certificate_t *cert)
+{
+ return FALSE;
+}
+
+
+METHOD(pts_creds_t, destroy, void,
+ private_pts_creds_t *this)
+{
+ this->creds->destroy(this->creds);
+ free(this);
+}
+
+/**
+ * Load trusted PTS CA certificates from a directory
+ */
+static void load_cacerts(private_pts_creds_t *this, char *path)
+{
+ enumerator_t *enumerator;
+ struct stat st;
+ char *file;
+
+ DBG1(DBG_TNC, "loading PTS ca certificates from '%s'", path);
+
+ enumerator = enumerator_create_directory(path);
+ if (!enumerator)
+ {
+ return;
+ }
+
+ while (enumerator->enumerate(enumerator, NULL, &file, &st))
+ {
+ certificate_t *cert;
+
+ if (!S_ISREG(st.st_mode))
+ {
+ /* skip special file */
+ continue;
+ }
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_FROM_FILE, file, BUILD_END);
+ if (cert)
+ {
+ x509_t *x509 = (x509_t*)cert;
+
+ if (!(x509->get_flags(x509) & X509_CA))
+ {
+ DBG1(DBG_TNC, " ca certificate \"%Y\" lacks ca basic constraint"
+ ", discarded", cert->get_subject(cert));
+ cert->destroy(cert);
+ }
+ else
+ {
+ DBG1(DBG_TNC, " loaded ca certificate \"%Y\" from '%s'",
+ cert->get_subject(cert), file);
+ this->creds->add_cert(this->creds, TRUE, cert);
+ }
+ }
+ else
+ {
+ DBG1(DBG_TNC, " loading ca certificate from '%s' failed", file);
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * See header
+ */
+pts_creds_t *pts_creds_create(char *path)
+{
+ private_pts_creds_t *this;
+
+ if (!path)
+ {
+ DBG1(DBG_TNC, "no PTS cacerts directory defined");
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .verify = _verify,
+ .destroy = _destroy,
+ },
+ .creds = mem_cred_create(),
+ );
+
+ load_cacerts(this, path);
+
+ return &this->public;
+}
+
diff --git a/src/libimcv/tcg/pts/pts_creds.h b/src/libimcv/tcg/pts/pts_creds.h
new file mode 100644
index 000000000..d5ae1762b
--- /dev/null
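Review bot: `verify` returns FALSE unconditionally, so the CA certificates that load_cacerts() collects into `this->creds` are never consulted and every AIK certificate presented to the IMV is rejected. Failing closed is the right default for an unfinished check, but nothing in the file says it is unfinished, and a caller reading the header ("TRUE if valid and trusted") will assume a real chain validation happens here. Add `/* TODO: build a trust chain for cert against this->creds; until then every AIK certificate is rejected */` as the first line of the verify body so the stub cannot be mistaken for a working check. In load_cacerts() a short comment on `x509_t *x509 = (x509_t*)cert;` noting that the cast is only valid because CERT_X509 is requested in the create() call above would keep that coupling visible.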
+++ b/src/libimcv/tcg/pts/pts_creds.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pts_creds pts_creds
+ * @{ @ingroup pts
+ */
+
+#ifndef PTS_CREDS_H_
+#define PTS_CREDS_H_
+
+typedef struct pts_creds_t pts_creds_t;
+
+#include <library.h>
+
+/**
+ * Class implementing a PTS credentials set
+ *
+ */
+struct pts_creds_t {
+
+/**
+ * Verify an AIK certificate
+ *
+ * @cert certificate to be verified
+ * @return TRUE if valid and trusted
+ */
+ bool (*verify)(pts_creds_t *this, certificate_t *cert);
+
+
+ /**
+ * Destroys a pts_creds_t object.
+ */
+ void (*destroy)(pts_creds_t *this);
+
+};
+
+/**
+ * Creates an pts_creds_t object
+ *
+ * @param path path to the PTS cacerts directory
+ */
+pts_creds_t* pts_creds_create(char *path);
+
+#endif /** PTS_CREDS_H_ @}*/
|
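Review bot: The doc comment on `verify` uses `@cert`, which is not a Doxygen parameter tag, so the parameter goes undocumented in generated output; change it to `@param cert certificate to be verified`. The comment on pts_creds_create lacks a return description although the implementation in pts_creds.c returns NULL when `path` is NULL; add `@return pts_creds_t object, NULL if no cacerts directory is given` so callers know to check the result. The `verify` doc block also starts at column 0 inside the struct while the `destroy` block is indented; indent it to match, and `pts_creds_t* pts_creds_create` would read `pts_creds_t *pts_creds_create` in the file's own pointer style.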