Diffstat (limited to 'src')
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest.c | 51 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest_db.c | 5 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest_db.h | 2 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest_usage.c | 6 |
4 files changed, 54 insertions, 10 deletions
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c index 82c1f186f..9200820e8 100644 --- a/src/libpts/plugins/imv_attestation/attest.c +++ b/src/libpts/plugins/imv_attestation/attest.c @@ -34,7 +34,7 @@ /** * global debug output variables */ -static int debug_level = 0; +static int debug_level = 2; static bool stderr_quiet = TRUE; /** @@ -121,10 +121,11 @@ static void do_args(int argc, char *argv[]) { "keys", no_argument, NULL, 'k' }, { "products", no_argument, NULL, 'p' }, { "hashes", no_argument, NULL, 'H' }, - { "measurements", no_argument, NULL, 'M' }, + { "measurements", no_argument, NULL, 'm' }, { "add", no_argument, NULL, 'a' }, { "delete", no_argument, NULL, 'd' }, { "del", no_argument, NULL, 'd' }, + { "aik", required_argument, NULL, 'A' }, { "component", required_argument, NULL, 'C' }, { "comp", required_argument, NULL, 'C' }, { "directory", required_argument, NULL, 'D' }, @@ -167,7 +168,7 @@ static void do_args(int argc, char *argv[]) case 'H': op = OP_HASHES; continue; - case 'M': + case 'm': op = OP_MEASUREMENTS; continue; case 'a': 
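Review bot: The first hunk silently changes the default `static int debug_level = 0;` to `2`, which alters the verbosity of every attest invocation and has nothing to do with the --aik option the rest of the commit introduces; if it is intentional it deserves a comment such as `/* default raised from 0 to 2 on purpose: <reason> */` (or its own commit), otherwise it should be reverted. The third hunk renames the short option for --measurements from 'M' to 'm' only in the switch and the long-option table; if do_args passes a non-empty optstring to getopt_long above this hunk, that string needs the same edit, and any caller still using -M presumably gets an unknown-option error rather than OP_MEASUREMENTS. do_args starts and ends outside these hunks.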
@@ -176,6 +177,43 @@ static void do_args(int argc, char *argv[]) case 'd': op = OP_DEL; continue; + case 'A': + { + certificate_t *aik_cert; + public_key_t *aik_key; + chunk_t aik; + + aik_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, + CERT_X509, BUILD_FROM_FILE, optarg, BUILD_END); + if (!aik_cert) + { + printf("AIK certificate '%s' could not be loaded\n", optarg); + exit(EXIT_FAILURE); + } + aik_key = aik_cert->get_public_key(aik_cert); + aik_cert->destroy(aik_cert); + + if (!aik_key) + { + printf("AIK public key could not be retrieved\n"); + exit(EXIT_FAILURE); + } + if (!aik_key->get_fingerprint(aik_key, KEYID_PUBKEY_INFO_SHA1, + &aik)) + { + printf("AIK fingerprint could not be computed\n"); + aik_key->destroy(aik_key); + exit(EXIT_FAILURE); + } + aik = chunk_clone(aik); + aik_key->destroy(aik_key); + + if (!attest->set_key(attest, aik, op == OP_ADD)) + { + exit(EXIT_FAILURE); + } + continue; + } case 'C': if (!attest->set_component(attest, optarg, op == OP_ADD)) { @@ -195,11 +233,16 @@ static void do_args(int argc, char *argv[]) } continue; case 'K': - if (!attest->set_key(attest, optarg, op == OP_ADD)) + { + chunk_t aik; + + aik = chunk_from_hex(chunk_create(optarg, strlen(optarg)), NULL); + if (!attest->set_key(attest, aik, op == OP_ADD)) { exit(EXIT_FAILURE); } continue; + } case 'O': attest->set_owner(attest, optarg); continue; diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c index 10c719bff..eef97bf76 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.c +++ b/src/libpts/plugins/imv_attestation/attest_db.c @@ -402,7 +402,7 @@ METHOD(attest_db_t, set_fid, bool, } METHOD(attest_db_t, set_key, bool, - private_attest_db_t *this, char *key, bool create) + private_attest_db_t *this, chunk_t key, bool create) { enumerator_t *e; char *owner; 
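Review bot: The new `case 'K'` hands whatever `chunk_from_hex()` produced straight to set_key without checking its length, while the `case 'A'` path always yields a fingerprint of fixed size via KEYID_PUBKEY_INFO_SHA1, so `--add --key` with a mistyped or truncated digest presumably creates a keys entry under a keyid that no attestation can ever match and `--del --key` silently matches nothing. A length check before the call, `if (aik.len != HASH_SIZE_SHA1) { printf("AIK digest must be %d bytes\n", HASH_SIZE_SHA1); free(aik.ptr); exit(EXIT_FAILURE); }`, keeps the two entry points equivalent. Both call sites now pass a heap chunk that set_key stores in `this->key` (attest_db.c hunk further down), i.e. ownership transfers on success; on a FALSE return the chunk is simply dropped, which is harmless only because both branches exit immediately, so a comment `/* set_key takes ownership of aik; on failure we exit anyway */` would make that explicit. do_args starts and ends outside this hunk.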
@@ -412,7 +412,7 @@ METHOD(attest_db_t, set_key, bool, printf("key has already been set\n"); return FALSE; } - this->key = chunk_from_hex(chunk_create(key, strlen(key)), NULL); + this->key = key; e = this->db->query(this->db, "SELECT id, owner FROM keys WHERE keyid= ?", DB_BLOB, this->key, DB_INT, DB_TEXT); @@ -420,6 +420,7 @@ METHOD(attest_db_t, set_key, bool, { if (e->enumerate(e, &this->kid, &owner)) { + free(this->owner); this->owner = strdup(owner); this->key_set = TRUE; } diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h index 80a8f4cd4..9c9a9dcba 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.h +++ b/src/libpts/plugins/imv_attestation/attest_db.h @@ -91,7 +91,7 @@ struct attest_db_t { * @param create if TRUE create database entry if it doesn't exist * @return TRUE if successful */ - bool (*set_key)(attest_db_t *this, char *key, bool create); + bool (*set_key)(attest_db_t *this, chunk_t key, bool create); /** * Set primary key of the AIK to be queried diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c index 952b88b89..e58f821e0 100644 --- a/src/libpts/plugins/imv_attestation/attest_usage.c +++ b/src/libpts/plugins/imv_attestation/attest_usage.c @@ -56,7 +56,7 @@ Usage:\n\ Show a list of component measurements for a given component or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>]\n\ + ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>|--aik <path>]\n\ Show a list of component measurements for a given AIK or\n\ its primary key as an optional selector.\n\ \n\ 
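Review bot: `this->key = key;` makes set_key take ownership of the caller's chunk, but the `key has already been set` branch just above it returns FALSE without storing or freeing it, and the attest_db.h hunk below changes the signature to `chunk_t key` without touching the parameter documentation, which sits above the visible `@param create` line and now needs to state that contract. I would document it in the header as `@param key keyid of the AIK as produced by KEYID_PUBKEY_INFO_SHA1; ownership of key.ptr passes to attest_db on success` and add `chunk_free(&key);` (or a comment saying the caller keeps it) to the early-return branch so the rule holds on every path. The added `free(this->owner);` fixes the leak when --owner was given before --key, but it also means a DB-supplied owner silently replaces the one from the command line when the key already exists; a comment `/* existing entry wins over --owner */` would record that if it is intended. set_key continues outside the hunk, and whether destroy() releases this->key is not visible here.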
@@ -64,7 +64,7 @@ Usage:\n\ Add a file, directory, product or component entry\n\ Component <cfn> entries must be of the form <vendor_id>/<name>-<qualifier>\n\ \n\ - ipsec attest --add [--owner <name>] --key <digest>\n\ + ipsec attest --add [--owner <name>] --key <digest>|--aik <path>\n\ Add an AIK public key digest entry preceded by an optional owner name\n\ \n\ ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\ @@ -73,7 +73,7 @@ Usage:\n\ ipsec attest --del --product <name>|--pid <id>|--component <cfn>|--cid <id>\n\ Delete a product or component entry referenced either by value or primary key\n\ \n\ - ipsec attest --del --key <digest>|--kid <id>\n\ + ipsec attest --del --key <digest>|--kid <id>|--aik <path>\n\ Delete an AIK entry referenced either by value or primary key\n\ \n"); } |