check if TNC client has a valid and registered AIK
This commit is contained in:
parent
de4a0c8376
commit
32aee74c73
|
@ -354,6 +354,14 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
|
|||
|
||||
/* check the IMV state for the next PA-TNC attributes to send */
|
||||
result = send_message(connection_id);
|
||||
if (result != TNC_RESULT_SUCCESS)
|
||||
{
|
||||
state->set_recommendation(state,
|
||||
TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
|
||||
TNC_IMV_EVALUATION_RESULT_ERROR);
|
||||
return imv_attestation->provide_recommendation(imv_attestation,
|
||||
connection_id);
|
||||
}
|
||||
|
||||
if (attestation_state->get_handshake_state(attestation_state) ==
|
||||
IMV_ATTESTATION_STATE_END)
|
||||
|
|
|
@ -207,7 +207,7 @@ bool imv_attestation_build(linked_list_t *attr_list,
|
|||
pts_component_t *comp;
|
||||
pts_comp_func_name_t *comp_name;
|
||||
chunk_t keyid;
|
||||
int vid, name, qualifier;
|
||||
int kid, vid, name, qualifier;
|
||||
u_int8_t flags;
|
||||
u_int32_t depth;
|
||||
bool first = TRUE, first_component = TRUE;
|
||||
|
@ -224,15 +224,19 @@ bool imv_attestation_build(linked_list_t *attr_list,
|
|||
}
|
||||
if (!pts->get_aik_keyid(pts, &keyid))
|
||||
{
|
||||
break;
|
||||
DBG1(DBG_IMV, "retrieval of AIK keyid failed");
|
||||
return FALSE;
|
||||
}
|
||||
if (!pts_db)
|
||||
{
|
||||
DBG1(DBG_PTS, "pts database not available");
|
||||
DBG1(DBG_IMV, "pts database not available");
|
||||
break;
|
||||
}
|
||||
|
||||
enumerator = pts_db->create_comp_evid_enumerator(pts_db, keyid);
|
||||
if (pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
enumerator = pts_db->create_comp_evid_enumerator(pts_db, kid);
|
||||
if (!enumerator)
|
||||
{
|
||||
break;
|
||||
|
|
|
@ -178,6 +178,10 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
|
|||
e->destroy(e);
|
||||
DBG1(DBG_IMV, "AIK certificate is %strusted",
|
||||
trusted ? "" : "not ");
|
||||
if (!trusted)
|
||||
{
|
||||
return FALSE;
|
||||
}
|
||||
}
|
||||
pts->set_aik(pts, aik);
|
||||
break;
|
||||
|
|
|
@ -97,19 +97,42 @@ METHOD(pts_database_t, create_file_hash_enumerator, enumerator_t*,
|
|||
return e;
|
||||
}
|
||||
|
||||
METHOD(pts_database_t, create_comp_evid_enumerator, enumerator_t*,
|
||||
private_pts_database_t *this, chunk_t keyid)
|
||||
METHOD(pts_database_t, check_aik_keyid, status_t,
|
||||
private_pts_database_t *this, chunk_t keyid, int *kid)
|
||||
{
|
||||
enumerator_t *e;
|
||||
|
||||
/* look for all entries belonging to a product in the components table */
|
||||
/* If the AIK is registered get the primary key */
|
||||
e = this->db->query(this->db,
|
||||
"SELECT id FROM keys WHERE keyid = ?", DB_BLOB, keyid, DB_INT);
|
||||
if (!e)
|
||||
{
|
||||
DBG1(DBG_PTS, "no database query enumerator returned");
|
||||
return FAILED;
|
||||
}
|
||||
if (!e->enumerate(e, kid))
|
||||
{
|
||||
DBG1(DBG_PTS, "AIK %#B is not registered in database", &keyid);
|
||||
e->destroy(e);
|
||||
return FAILED;
|
||||
}
|
||||
e->destroy(e);
|
||||
|
||||
return SUCCESS;
|
||||
}
|
||||
|
||||
METHOD(pts_database_t, create_comp_evid_enumerator, enumerator_t*,
|
||||
private_pts_database_t *this, int kid)
|
||||
{
|
||||
enumerator_t *e;
|
||||
|
||||
/* look for all entries belonging to an AIK in the components table */
|
||||
e = this->db->query(this->db,
|
||||
"SELECT c.vendor_id, c.name, c.qualifier, kc.depth "
|
||||
"FROM components AS c "
|
||||
"JOIN key_component AS kc ON c.id = kc.component "
|
||||
"JOIN keys AS k ON k.id = kc.key "
|
||||
"WHERE k.keyid = ? ORDER BY kc.seq_no",
|
||||
DB_BLOB, keyid, DB_INT, DB_INT, DB_INT, DB_INT);
|
||||
"WHERE kc.key = ? ORDER BY kc.seq_no",
|
||||
DB_INT, kid, DB_INT, DB_INT, DB_INT, DB_INT);
|
||||
return e;
|
||||
}
|
||||
|
||||
|
@ -200,21 +223,10 @@ METHOD(pts_database_t, get_comp_measurement_count, status_t,
|
|||
/* Initialize count */
|
||||
*count = 0;
|
||||
|
||||
/* If the AIK is registered get the primary key */
|
||||
e = this->db->query(this->db,
|
||||
"SELECT id FROM keys WHERE keyid = ?", DB_BLOB, keyid, DB_INT);
|
||||
if (!e)
|
||||
if (_check_aik_keyid(this, keyid, kid) != SUCCESS)
|
||||
{
|
||||
DBG1(DBG_PTS, "no database query enumerator returned");
|
||||
return FAILED;
|
||||
}
|
||||
if (!e->enumerate(e, kid))
|
||||
{
|
||||
DBG1(DBG_PTS, "AIK %#B is not registered in database", &keyid);
|
||||
e->destroy(e);
|
||||
return FAILED;
|
||||
}
|
||||
e->destroy(e);
|
||||
|
||||
/* Get the primary key of the Component Functional Name */
|
||||
e = this->db->query(this->db,
|
||||
|
@ -277,6 +289,7 @@ pts_database_t *pts_database_create(char *uri)
|
|||
.create_file_meta_enumerator = _create_file_meta_enumerator,
|
||||
.create_comp_evid_enumerator = _create_comp_evid_enumerator,
|
||||
.create_file_hash_enumerator = _create_file_hash_enumerator,
|
||||
.check_aik_keyid = _check_aik_keyid,
|
||||
.check_comp_measurement = _check_comp_measurement,
|
||||
.insert_comp_measurement = _insert_comp_measurement,
|
||||
.delete_comp_measurements = _delete_comp_measurements,
|
||||
|
|
|
@ -64,14 +64,22 @@ struct pts_database_t {
|
|||
char *product, pts_meas_algorithms_t algo,
|
||||
int id, bool is_dir);
|
||||
|
||||
/**
|
||||
* Check if an AIK given by its keyid is registered in the database
|
||||
*
|
||||
* @param keyid AIK keyid (SHA-1 hash of the AIK public key info)
|
||||
* @param kid Primary key of AIK entry in keys table
|
||||
* @return SUCCESS if AIK is present, FAILED otherwise
|
||||
*/
|
||||
status_t (*check_aik_keyid)(pts_database_t *this, chunk_t keyid, int *kid);
|
||||
|
||||
/**
|
||||
* Get functional components to request evidence of
|
||||
*
|
||||
* @param keyid SHA-1 hash of AIK public key info
|
||||
* @param kid Primary key of AIK entry in keys table
|
||||
* @return Enumerator over all matching components
|
||||
*/
|
||||
enumerator_t* (*create_comp_evid_enumerator)(pts_database_t *this,
|
||||
chunk_t keyid);
|
||||
enumerator_t* (*create_comp_evid_enumerator)(pts_database_t *this, int kid);
|
||||
|
||||
/**
|
||||
* Check a functional component measurement against value stored in database
|
||||
|
|
Loading…
Reference in New Issue