make AR identities available to IMVs via IF-IMV 1.4 draft

src/libcharon/plugins/tnc_tnccs/Makefile.am

@@ -1,6 +1,7 @@
 
 INCLUDES = \
 	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtls \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs
 

src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c

@@ -20,7 +20,13 @@
 #include <tnc/imc/imc_manager.h>
 #include <tnc/imv/imv_manager.h>
 
+#include <tncif_identity.h>
+
+#include <tls.h>
+
 #include <utils/debug.h>
+#include <pen/pen.h>
+#include <bio/bio_writer.h>
 #include <collections/linked_list.h>
 #include <threading/rwlock.h>
 
@@ -443,6 +449,44 @@ static TNC_Result str_attribute(TNC_UInt32 buffer_len,
 	}
 }
 
+/**
+ * Write the value of a TNC identity list into the buffer
+ */
+static TNC_Result identity_attribute(TNC_UInt32 buffer_len,
+									 TNC_BufferReference buffer,
+									 TNC_UInt32 *value_len,
+									 linked_list_t *list)
+{
+	bio_writer_t *writer;
+	enumerator_t *enumerator;
+	u_int32_t count;
+	chunk_t value;
+	tncif_identity_t *tnc_id;
+	TNC_Result result = TNC_RESULT_INVALID_PARAMETER;
+
+	count = list->get_count(list);
+	writer = bio_writer_create(4 + TNCIF_IDENTITY_MIN_SIZE * count);
+	writer->write_uint32(writer, count);
+
+	enumerator = list->create_enumerator(list);
+	while (enumerator->enumerate(enumerator, &tnc_id))
+	{
+		tnc_id->build(tnc_id, writer);
+	}
+	enumerator->destroy(enumerator);
+
+	value = writer->get_buf(writer);
+	*value_len = value.len;
+	if (buffer && buffer_len >= value.len)
+	{
+		memcpy(buffer, value.ptr, value.len);
+		result = TNC_RESULT_SUCCESS;
+	}
+	writer->destroy(writer);
+
+	return result;
+}
+
 METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 	private_tnc_tnccs_manager_t *this, bool is_imc,
 									   TNC_UInt32 imcv_id,
@@ -488,6 +532,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 
 			/* these attributes are supported */
 			case TNC_ATTRIBUTEID_PRIMARY_IMV_ID:
+			case TNC_ATTRIBUTEID_AR_IDENTITIES:
 				attribute_match = TRUE;
 				break;
 
@@ -626,6 +671,64 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 										 "IF-T for Tunneled EAP");
  		case TNC_ATTRIBUTEID_IFT_VERSION:
 			return str_attribute(buffer_len, buffer, value_len, "1.1");
+		case TNC_ATTRIBUTEID_AR_IDENTITIES:
+		{
+			linked_list_t *list;
+			tls_t *tnccs;
+			identification_t *peer;
+			tncif_identity_t *tnc_id;
+			u_int32_t id_type, subject_type;
+			TNC_Result result;
+
+			list = linked_list_create();
+			tnccs = (tls_t*)entry->tnccs;
+			peer = tnccs->get_peer_id(tnccs);
+			if (peer)
+			{
+				switch (peer->get_type(peer))
+				{
+					case ID_IPV4_ADDR:
+						id_type = TNC_ID_IPV4_ADDR;
+						subject_type = TNC_SUBJECT_MACHINE;
+						break;
+					case ID_IPV6_ADDR:
+						id_type = TNC_ID_IPV6_ADDR;
+						subject_type = TNC_SUBJECT_MACHINE;
+						break;
+					case ID_FQDN:
+						id_type = TNC_ID_FQDN;
+						subject_type = TNC_SUBJECT_MACHINE;
+						break;
+					case ID_RFC822_ADDR:
+						id_type = TNC_ID_RFC822_ADDR;
+						subject_type = TNC_SUBJECT_USER;
+						break;
+					case ID_DER_ASN1_DN:
+						id_type = TNC_ID_DER_ASN1_DN;
+						subject_type = TNC_SUBJECT_UNKNOWN;
+						break;
+					case ID_DER_ASN1_GN:
+						id_type = TNC_ID_DER_ASN1_GN;
+						subject_type = TNC_SUBJECT_UNKNOWN;
+						break;
+					default:
+						id_type = TNC_ID_UNKNOWN;
+						subject_type = TNC_SUBJECT_UNKNOWN;
+				}
+				if (id_type != TNC_ID_UNKNOWN)
+				{
+					tnc_id = tncif_identity_create(
+								pen_type_create(PEN_TCG, id_type),
+								peer->get_encoding(peer),
+								pen_type_create(PEN_TCG, subject_type),
+								pen_type_create(PEN_TCG, TNC_AUTH_UNKNOWN));
+					list->insert_last(list, tnc_id);
+				}
+			}
+			result = identity_attribute(buffer_len, buffer, value_len, list);
+			list->destroy_offset(list, offsetof(tncif_identity_t, destroy));
+			return result;
+		}
 		default:
 			return TNC_RESULT_INVALID_PARAMETER;
 	 }

src/libcharon/plugins/tnccs_11/tnccs_11.c

@@ -505,6 +505,18 @@ METHOD(tls_t, is_server, bool,
 	return this->is_server;
 }
 
+METHOD(tls_t, get_server_id, identification_t*,
+	private_tnccs_11_t *this)
+{
+	return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+	private_tnccs_11_t *this)
+{
+	return this->peer;
+}
+
 METHOD(tls_t, get_purpose, tls_purpose_t,
 	private_tnccs_11_t *this)
 {
@@ -558,6 +570,8 @@ tls_t *tnccs_11_create(bool is_server, identification_t *server,
 			.process = _process,
 			.build = _build,
 			.is_server = _is_server,
+			.get_server_id = _get_server_id,
+			.get_peer_id = _get_peer_id,
 			.get_purpose = _get_purpose,
 			.is_complete = _is_complete,
 			.get_eap_msk = _get_eap_msk,

src/libcharon/plugins/tnccs_20/tnccs_20.c

@@ -769,6 +769,18 @@ METHOD(tls_t, is_server, bool,
 	return this->is_server;
 }
 
+METHOD(tls_t, get_server_id, identification_t*,
+	private_tnccs_20_t *this)
+{
+	return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+	private_tnccs_20_t *this)
+{
+	return this->peer;
+}
+
 METHOD(tls_t, get_purpose, tls_purpose_t,
 	private_tnccs_20_t *this)
 {
@@ -824,6 +836,8 @@ tls_t *tnccs_20_create(bool is_server, identification_t *server,
 			.process = _process,
 			.build = _build,
 			.is_server = _is_server,
+			.get_server_id = _get_server_id,
+			.get_peer_id = _get_peer_id,
 			.get_purpose = _get_purpose,
 			.is_complete = _is_complete,
 			.get_eap_msk = _get_eap_msk,

src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c

@@ -109,6 +109,18 @@ METHOD(tls_t, is_server, bool,
 	return TRUE;
 }
 
+METHOD(tls_t, get_server_id, identification_t*,
+	private_tnccs_dynamic_t *this)
+{
+	return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+	private_tnccs_dynamic_t *this)
+{
+	return this->peer;
+}
+
 METHOD(tls_t, get_purpose, tls_purpose_t,
 	private_tnccs_dynamic_t *this)
 {
@@ -149,6 +161,8 @@ tls_t *tnccs_dynamic_create(bool is_server, identification_t *server,
 			.process = _process,
 			.build = _build,
 			.is_server = _is_server,
+			.get_server_id = _get_server_id,
+			.get_peer_id = _get_peer_id,
 			.get_purpose = _get_purpose,
 			.is_complete = _is_complete,
 			.get_eap_msk = _get_eap_msk,

src/libimcv/imv/imv_agent.c

@@ -18,8 +18,11 @@
 #include "ietf/ietf_attr_assess_result.h"
 
 #include <tncif_names.h>
+#include <tncif_identity.h>
 
 #include <utils/debug.h>
+#include <collections/linked_list.h>
+#include <bio/bio_reader.h>
 #include <threading/rwlock.h>
 
 typedef struct private_imv_agent_t private_imv_agent_t;
@@ -352,12 +355,59 @@ static u_int32_t get_uint_attribute(private_imv_agent_t *this, TNC_ConnectionID
 	return 0;
  }
 
+/**
+ * Read a TNC identity attribute
+ */
+static linked_list_t* get_identity_attribute(private_imv_agent_t *this,
+											 TNC_ConnectionID id,
+											 TNC_AttributeID attribute_id)
+{
+	TNC_UInt32 len;
+	char buf[2048];
+	u_int32_t count;
+	tncif_identity_t *tnc_id;
+	bio_reader_t *reader;
+	linked_list_t *list;
+
+	list = linked_list_create();
+
+	if (!this->get_attribute ||
+		 this->get_attribute(this->id, id, attribute_id, sizeof(buf), buf, &len)
+				!= TNC_RESULT_SUCCESS || len > sizeof(buf))
+	{
+		return list;
+	}
+
+	reader = bio_reader_create(chunk_create(buf, len));
+	if (!reader->read_uint32(reader, &count))
+	{
+			goto end;
+	}
+	while (count--)
+	{
+		tnc_id = tncif_identity_create_empty();
+		if (!tnc_id->process(tnc_id, reader))
+		{
+			tnc_id->destroy(tnc_id);
+			goto end;
+		}
+		list->insert_last(list, tnc_id);
+	}
+
+end:
+	reader->destroy(reader);
+	return list;
+ }
+
 METHOD(imv_agent_t, create_state, TNC_Result,
 	private_imv_agent_t *this, imv_state_t *state)
 {
 	TNC_ConnectionID conn_id;
 	char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL;
 	bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE;
+	linked_list_t *ar_identities;
+	enumerator_t *enumerator;
+	tncif_identity_t *tnc_id;
 	u_int32_t max_msg_len;
 
 	conn_id = state->get_connection_id(state);
@@ -378,6 +428,7 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 	t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL);
 	t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION);
 	max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE);
+	ar_identities = get_identity_attribute(this, conn_id, TNC_ATTRIBUTEID_AR_IDENTITIES);
 
 	state->set_flags(state, has_long, has_excl);
 	state->set_max_msg_len(state, max_msg_len);
@@ -389,6 +440,64 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 	DBG2(DBG_IMV, "  over %s %s with maximum PA-TNC message size of %u bytes",
 				  t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len);
 
+	enumerator = ar_identities->create_enumerator(ar_identities);
+	while (enumerator->enumerate(enumerator, &tnc_id))
+	{
+		pen_type_t id_type, subject_type, auth_type;
+		int tcg_id_type, tcg_subject_type, tcg_auth_type;
+		chunk_t id_value;
+		id_type_t ike_type;
+		identification_t *id;
+
+		id_type = tnc_id->get_identity_type(tnc_id);
+		id_value = tnc_id->get_identity_value(tnc_id);
+		subject_type = tnc_id->get_subject_type(tnc_id);
+		auth_type = tnc_id->get_auth_type(tnc_id);
+
+		tcg_id_type =      (id_type.vendor_id == PEN_TCG) ?
+							id_type.type : TNC_ID_UNKNOWN;
+		tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ?
+							subject_type.type : TNC_SUBJECT_UNKNOWN;
+		tcg_auth_type =    (auth_type.vendor_id == PEN_TCG) ?
+							auth_type.type : TNC_AUTH_UNKNOWN;
+
+		switch (tcg_id_type)
+		{
+			case TNC_ID_IPV4_ADDR:
+				ike_type = ID_IPV4_ADDR;
+				break;
+			case TNC_ID_IPV6_ADDR:
+				ike_type = ID_IPV6_ADDR;
+				break;
+			case TNC_ID_FQDN:
+			case TNC_ID_USER_NAME:
+				ike_type = ID_FQDN;
+				break;
+			case TNC_ID_RFC822_ADDR:
+				ike_type = ID_RFC822_ADDR;
+				break;
+			case TNC_ID_DER_ASN1_DN:
+				ike_type = ID_DER_ASN1_DN;
+				break;
+			case TNC_ID_DER_ASN1_GN:
+				ike_type = ID_IPV4_ADDR;
+				break;
+			case TNC_ID_UNKNOWN:
+			default:
+				ike_type = ID_KEY_ID;
+				break;
+		}
+
+		id = identification_create_from_encoding(ike_type, id_value);
+		DBG2(DBG_IMV, "%N identity '%Y' authenticated by %N",
+					   TNC_Subject_names, tcg_subject_type, id,
+					   TNC_Authentication_names, tcg_auth_type);
+		id->destroy(id);
+	}
+	enumerator->destroy(enumerator);
+
+	ar_identities->destroy_offset(ar_identities,
+						   offsetof(tncif_identity_t, destroy));
 	free(tnccs_p);
 	free(tnccs_v);
 	free(t_p);

src/libtls/tls.c

@@ -359,6 +359,18 @@ METHOD(tls_t, is_server, bool,
 	return this->is_server;
 }
 
+METHOD(tls_t, get_server_id, identification_t*,
+	private_tls_t *this)
+{
+	return this->server;
+}
+
+METHOD(tls_t, get_peer_id, identification_t*,
+	private_tls_t *this)
+{
+	return this->peer;
+}
+
 METHOD(tls_t, get_version, tls_version_t,
 	private_tls_t *this)
 {
@@ -457,6 +469,8 @@ tls_t *tls_create(bool is_server, identification_t *server,
 			.process = _process,
 			.build = _build,
 			.is_server = _is_server,
+			.get_server_id = _get_server_id,
+			.get_peer_id = _get_peer_id,
 			.get_version = _get_version,
 			.set_version = _set_version,
 			.get_purpose = _get_purpose,

src/libtls/tls.h

@@ -192,6 +192,20 @@ struct tls_t {
 	 */
 	bool (*is_server)(tls_t *this);
 
+	/**
+	 * Return the server identity
+	 *
+	 * @return                     Server identity
+	 */
+	identification_t* (*get_server_id)(tls_t *this);
+
+	/**
+	 * Return the peer identity
+	 *
+	 * @return			Peer identity
+	 */
+	identification_t* (*get_peer_id)(tls_t *this);
+
 	/**
 	 * Get the negotiated TLS/SSL version.
 	 *

src/libtncif/Makefile.am

@@ -4,6 +4,7 @@ noinst_LTLIBRARIES = libtncif.la
 
 libtncif_la_SOURCES = \
 tncif.h tncifimc.h tncifimv.h tncif_names.h tncif_names.c \
+tncif_identity.h tncif_identity.c \
 tncif_pa_subtypes.h tncif_pa_subtypes.c
 
 EXTRA_DIST = Android.mk

src/libtncif/tncif_identity.c

@@ -0,0 +1,205 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tncif_identity.h"
+
+#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
+#include <pen/pen.h>
+#include <utils/debug.h>
+
+typedef struct private_tncif_identity_t private_tncif_identity_t;
+
+/**
+ * TNC Identity List Attribute Format (TCG TNC IF-IMV 1.4 Draft)
+ *
+ *                      1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                        Identity Count                         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |   RESERVED    |            Identity Type Vendor ID            |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Identity Type                         |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Identity Value Length                     |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                                                               |
+ *  ~                         Identity Value                        ~
+ *  |                                                               |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |   RESERVED    |            Subject Type Vendor ID             |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                         Subject Type                          |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |   RESERVED    |        Authentication Method Vendor ID        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     Authentication Method                     |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
+ * Private data of a tncif_identity_t object.
+ *
+ */
+struct private_tncif_identity_t {
+
+	/**
+	 * Public tncif_identity_t interface.
+	 */
+	tncif_identity_t public;
+
+	/**
+	 * Identity Type
+	 */
+	pen_type_t identity_type;
+
+	/**
+	 * Identity Value
+	 */
+	chunk_t identity_value;
+
+	/**
+	 * Subject Type
+	 */
+	pen_type_t subject_type;
+
+	/**
+	 * Authentication Type
+	 */
+	pen_type_t auth_type;
+};
+
+METHOD(tncif_identity_t, get_identity_type, pen_type_t,
+	private_tncif_identity_t *this)
+{
+	return this->identity_type;
+}
+
+METHOD(tncif_identity_t, get_identity_value, chunk_t,
+	private_tncif_identity_t *this)
+{
+	return this->identity_value;
+}
+
+METHOD(tncif_identity_t, get_subject_type, pen_type_t,
+	private_tncif_identity_t *this)
+{
+	return this->subject_type;
+}
+
+METHOD(tncif_identity_t, get_auth_type, pen_type_t,
+	private_tncif_identity_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(tncif_identity_t, build, void,
+	private_tncif_identity_t *this, bio_writer_t *writer)
+{
+	writer->write_uint32(writer, this->identity_type.vendor_id);
+	writer->write_uint32(writer, this->identity_type.type);
+	writer->write_data32(writer, this->identity_value);
+	writer->write_uint32(writer, this->subject_type.vendor_id);
+	writer->write_uint32(writer, this->subject_type.type);
+	writer->write_uint32(writer, this->auth_type.vendor_id);
+	writer->write_uint32(writer, this->auth_type.type);
+}
+
+METHOD(tncif_identity_t, process, bool,
+	private_tncif_identity_t *this, bio_reader_t *reader)
+{
+	u_int8_t reserved;
+	u_int32_t vendor_id, type;
+	chunk_t identity_value;
+
+	if (reader->remaining(reader) < TNCIF_IDENTITY_MIN_SIZE)
+	{
+		return FALSE;
+	}
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &vendor_id);
+	reader->read_uint32(reader, &type);
+	this->identity_type = pen_type_create(vendor_id, type);
+
+	if (!reader->read_data32(reader, &identity_value) ||
+		 reader->remaining(reader) < 16)
+	{
+		return FALSE;
+	}
+	this->identity_value = chunk_clone(identity_value);
+
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &vendor_id);
+	reader->read_uint32(reader, &type);
+	this->subject_type = pen_type_create(vendor_id, type);		
+
+	reader->read_uint8 (reader, &reserved);
+	reader->read_uint24(reader, &vendor_id);
+	reader->read_uint32(reader, &type);
+	this->auth_type = pen_type_create(vendor_id, type);
+
+	return TRUE;
+}
+
+METHOD(tncif_identity_t, destroy, void,
+	private_tncif_identity_t *this)
+{
+	free(this->identity_value.ptr);
+	free(this);
+}
+
+
+/**
+ * See header
+ */
+tncif_identity_t *tncif_identity_create_empty(void)
+{
+	private_tncif_identity_t *this;
+
+	INIT(this,
+		.public = {
+			.get_identity_type = _get_identity_type,
+			.get_identity_value = _get_identity_value,
+			.get_subject_type = _get_subject_type,
+			.get_auth_type = _get_auth_type,
+			.build = _build,
+			.process = _process,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
+
+/**
+ * See header
+ */
+tncif_identity_t *tncif_identity_create(pen_type_t identity_type,
+										chunk_t identity_value,
+										pen_type_t subject_type,
+										pen_type_t auth_type)
+{
+	private_tncif_identity_t *this;
+
+	this = (private_tncif_identity_t*)tncif_identity_create_empty();
+	this->identity_type = identity_type;
+	this->identity_value = chunk_clone(identity_value);
+	this->subject_type = subject_type;
+	this->auth_type = auth_type;
+
+	return &this->public;
+}
+

src/libtncif/tncif_identity.h

@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup libtncif libtncif
+ *
+ * @addtogroup libtncif
+ * TNC interface definitions
+ *
+ * @defgroup tnc_identities tnc_identities
+ * @{ @ingroup libtncif
+ */
+
+#ifndef TNCIF_IDENTITY_H_
+#define TNCIF_IDENTITY_H_
+
+#include <library.h>
+
+#include <pen/pen.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+
+#define TNCIF_IDENTITY_MIN_SIZE			28
+
+typedef struct tncif_identity_t tncif_identity_t;
+
+/**
+ * Public interface of a TNC Identity object
+ */
+struct tncif_identity_t {
+
+	/**
+	 * Get the TNC Identity Type
+	 *
+	 * @return					TNC Identity Type
+	 */
+	pen_type_t (*get_identity_type)(tncif_identity_t *this);
+
+	/**
+	 * Get the TNC Identity Value
+	 *
+	 * @return					TNC Identity Value
+	 */
+	chunk_t (*get_identity_value)(tncif_identity_t *this);
+
+	/**
+	 * Get the TNC Subject Type
+	 *
+	 * @return					TNC Subject Type
+	 */
+	pen_type_t (*get_subject_type)(tncif_identity_t *this);
+
+	/**
+	 * Get the TNC Authentication Type
+	 *
+	 * @return					TNC Authentication Type
+	 */
+	pen_type_t (*get_auth_type)(tncif_identity_t *this);
+
+	/**
+	 * Build the IF-IMV TNC Identity attribute encoding
+	 *
+	 * @param writer			writer to write encoded data to
+	 */
+	void (*build)(tncif_identity_t *this, bio_writer_t *writer);
+
+	/**
+	 * Process the IF-IMV TNC Identity attribute encoding
+	 *
+	 * @param reader			reader to read encoded data from
+	 * @return					TRUE if successful
+	 */
+	bool (*process)(tncif_identity_t *this, bio_reader_t *reader);
+
+	/**
+	 * Destroys a tncif_identity_t object.
+	 */
+	void (*destroy)(tncif_identity_t *this);
+
+};
+
+/**
+ * Create an empty TNC Identity object
+ */
+tncif_identity_t* tncif_identity_create_empty(void);
+
+/**
+ * Create an TNC Identity object from its components
+ *
+ * @param identity_type			TNC Identity Type
+ * @param identity_value		TNC Identity Value
+ * @param subject_type			TNC Subject Type
+ * @param auth_type				TNC Authentication Type
+ */
+tncif_identity_t* tncif_identity_create(pen_type_t identity_type,
+										chunk_t identity_value,
+										pen_type_t subject_type,
+										pen_type_t auth_type);
+
+#endif /** TNCIF_IDENTITY_H_ @}*/

src/libtncif/tncif_names.c

@@ -45,3 +45,20 @@ ENUM(TNC_IMV_Evaluation_Result_names,
 	"error",
 	"don't know"
 );
+
+ENUM(TNC_Subject_names,
+	TNC_SUBJECT_UNKNOWN,
+	TNC_SUBJECT_USER,
+	"unknown",
+	"machine",
+	"user"
+);
+
+ENUM(TNC_Authentication_names,
+	TNC_AUTH_UNKNOWN,
+	TNC_AUTH_SIM,
+	"unknown method",
+	"certificate",
+	"password",
+	"SIM card"
+);

src/libtncif/tncif_names.h

@@ -30,5 +30,7 @@
 extern enum_name_t *TNC_Connection_State_names;
 extern enum_name_t *TNC_IMV_Action_Recommendation_names;
 extern enum_name_t *TNC_IMV_Evaluation_Result_names;
+extern enum_name_t *TNC_Subject_names;
+extern enum_name_t *TNC_Authentication_names;
 
 #endif /** TNCIF_NAME_H_ @}*/

src/libtncif/tncifimv.h

@@ -209,6 +209,31 @@ typedef TNC_Result (*TNC_IMV_ProvideBindFunctionPointer)(
 #define TNC_ATTRIBUTEID_SOH ((TNC_AttributeID) 0x00559706)
 #define TNC_ATTRIBUTEID_SSOH ((TNC_AttributeID) 0x00559707)
 #define TNC_ATTRIBUTEID_PRIMARY_IMV_ID ((TNC_AttributeID) 0x00559710)
+#define TNC_ATTRIBUTEID_AR_IDENTITIES ((TNC_AttributeID) 0x00559712)
+
+/* TNC Identity Types */
+
+#define TNC_ID_UNKNOWN 0
+#define TNC_ID_IPV4_ADDR 1
+#define TNC_ID_IPV6_ADDR 2
+#define TNC_ID_FQDN 3
+#define TNC_ID_RFC822_ADDR 4
+#define TNC_ID_USER_NAME 5
+#define TNC_ID_DER_ASN1_DN 6
+#define TNC_ID_DER_ASN1_GN 7
+
+/* TNC Subject Types */
+
+#define TNC_SUBJECT_UNKNOWN 0
+#define TNC_SUBJECT_MACHINE 1
+#define TNC_SUBJECT_USER 2
+
+/* TNC Authentication Types */
+
+#define TNC_AUTH_UNKNOWN 0
+#define TNC_AUTH_CERT 1
+#define TNC_AUTH_PASSWORD 2
+#define TNC_AUTH_SIM 3
 
 /* IMV Functions */