Use attest database in tnc/tnccs-20-os scenario

testing/hosts/default/etc/pts/data.sql

@@ -0,0 +1,107 @@
+/* Products */
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Debian 7.0'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Debian 7.0 i686'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Debian 7.0 x86_64'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.04'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.04 i686'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.04 x86_64'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.10'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.10 i686'
+);
+
+INSERT INTO products (
+  name
+) VALUES (
+ 'Ubuntu 12.10 x86_64'
+);
+
+/* Packages */
+
+INSERT INTO packages (
+  name
+) VALUES (
+ 'libssl-dev'
+);
+
+INSERT INTO packages (
+  name
+) VALUES (
+ 'libssl1.0.0'
+);
+
+INSERT INTO packages (
+  name
+) VALUES (
+ 'libssl1.0.0-dbg'
+);
+
+INSERT INTO packages (
+  name
+) VALUES (
+ 'openssl'
+);
+
+/* Versions */
+
+INSERT INTO versions (
+  package, product, release, time
+) values (
+  1, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) values (
+  2, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) values (
+  3, 1, '1.0.1e-2', 1366531494
+);
+
+INSERT INTO versions (
+  package, product, release, time
+) values (
+  4, 1, '1.0.1e-2', 1366531494
+);

testing/hosts/default/etc/pts/tables.sql

@@ -0,0 +1,146 @@
+/* PTS SQLite database */
+
+DROP TABLE IF EXISTS files;
+CREATE TABLE files (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  path TEXT NOT NULL
+);
+DROP INDEX IF EXISTS files_path;
+CREATE INDEX files_path ON files (
+  path
+);
+
+DROP TABLE IF EXISTS products;
+CREATE TABLE products (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS products_name;
+CREATE INDEX products_name ON products (
+  name
+);
+
+DROP TABLE IF EXISTS product_file;
+CREATE TABLE product_file (
+  product INTEGER NOT NULL,
+  file INTEGER NOT NULL,
+  measurement INTEGER DEFAULT 0,
+  metadata INTEGER DEFAULT 0,
+  PRIMARY KEY (product, file)
+);
+
+DROP TABLE IF EXISTS file_hashes;
+CREATE TABLE file_hashes (
+  file INTEGER NOT NULL,
+  directory INTEGER DEFAULT 0,
+  product INTEGER NOT NULL,
+  key INTEGER DEFAULT 0,
+  algo INTEGER NOT NULL,
+  hash BLOB NOT NULL,
+  PRIMARY KEY(file, directory, product, algo)
+);
+
+DROP TABLE IF EXISTS keys;
+CREATE TABLE keys (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  keyid BLOB NOT NULL,
+  owner TEXT NOT NULL
+);
+DROP INDEX IF EXISTS keys_keyid;
+CREATE INDEX keys_keyid ON keys (
+  keyid
+);
+DROP INDEX IF EXISTS keys_owner;
+CREATE INDEX keys_owner ON keys (
+  owner
+);
+
+DROP TABLE IF EXISTS components;
+CREATE TABLE components (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  vendor_id INTEGER NOT NULL,
+  name INTEGER NOT NULL,
+  qualifier INTEGER DEFAULT 0
+);
+
+
+DROP TABLE IF EXISTS key_component;
+CREATE TABLE key_component (
+  key INTEGER NOT NULL,
+  component INTEGER NOT NULL,
+  depth INTEGER DEFAULT 0,
+  seq_no INTEGER DEFAULT 0,
+  PRIMARY KEY (key, component)
+);
+
+
+DROP TABLE IF EXISTS component_hashes;
+CREATE TABLE component_hashes (
+  component INTEGER NOT NULL,
+  key INTEGER NOT NULL,
+  seq_no INTEGER NOT NULL,
+  pcr INTEGER NOT NULL,
+  algo INTEGER NOT NULL,
+  hash BLOB NOT NULL,
+  PRIMARY KEY(component, key, seq_no, algo)
+);
+
+DROP TABLE IF EXISTS packages;
+CREATE TABLE packages (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  name TEXT NOT NULL
+);
+DROP INDEX IF EXISTS packages_name;
+CREATE INDEX packages_name ON packages (
+  name
+);
+
+DROP TABLE IF EXISTS versions;
+CREATE TABLE versions (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  package INTEGER NOT NULL,
+  product INTEGER NOT NULL,
+  release TEXT NOT NULL,
+  security INTEGER DEFAULT 0,
+  time INTEGER DEFAULT 0
+);
+DROP INDEX IF EXISTS versions_release;
+CREATE INDEX versions_release ON versions (
+  release
+);
+DROP INDEX IF EXISTS versions_package_product;
+CREATE INDEX versions_package_product ON versions (
+  package, product
+);
+
+DROP TABLE IF EXISTS devices;
+CREATE TABLE devices (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  value BLOB NOT NULL
+);
+DROP INDEX IF EXISTS devices_id;
+CREATE INDEX devices_value ON devices (
+  value
+);
+
+DROP TABLE IF EXISTS device_infos;
+CREATE TABLE device_infos (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  device INTEGER NOT NULL,
+  time INTEGER NOT NULL,
+  ar_id INTEGER DEFAULT 0,
+  product INTEGER DEFAULT 0,
+  count INTEGER DEFAULT 0,
+  count_update INTEGER DEFAULT 0,
+  count_blacklist INTEGER DEFAULT 0,
+  flags INTEGER DEFAULT 0
+);
+
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  data BLOB NOT NULL,
+  UNIQUE (type, data)
+);

testing/tests/tnc/tnccs-20-os/evaltest.dat

@@ -6,8 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --devices 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec attest --devices 2> /dev/null::Windows 1.2.3.*dave@strongswan.org::YES
 moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
@@ -16,4 +18,3 @@ carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
-

testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf

@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
   multiple_authentication=no
   plugins {
     eap-ttls {
@@ -18,7 +18,14 @@ charon {
 libimcv {
   plugins {
     imv-os {
+      database = sqlite:///etc/pts/config.db
       request_installed_packages = yes 
     }
   }
 }
+
+attest {
+  load = random nonce openssl sqlite
+  database = sqlite:///etc/pts/config.db
+}
+

testing/tests/tnc/tnccs-20-os/posttest.dat

@@ -5,3 +5,4 @@ moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
 dave::iptables-restore < /etc/iptables.flush
 carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db

testing/tests/tnc/tnccs-20-os/pretest.dat

@@ -2,6 +2,8 @@ moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
 carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db
 moon::cat /etc/tnc_config
 carol::cat /etc/tnc_config
 dave::cat /etc/tnc_config
@@ -12,3 +14,5 @@ carol::sleep 1
 carol::ipsec up home
 dave::ipsec up home
 dave::sleep 1
+moon::ipsec attest --packages --product 'Debian 7.0'
+moon::ipsec attest --devices