check if TNC client has a valid and registered AIK

src/libpts/plugins/imv_attestation/imv_attestation.c

@@ -354,6 +354,14 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
 
 	/* check the IMV state for the next PA-TNC attributes to send */
 	result = send_message(connection_id);
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+								TNC_IMV_EVALUATION_RESULT_ERROR);
+		return imv_attestation->provide_recommendation(imv_attestation,
+													   connection_id);
+	}
 
 	if (attestation_state->get_handshake_state(attestation_state) ==
 		IMV_ATTESTATION_STATE_END)

src/libpts/plugins/imv_attestation/imv_attestation_build.c

@@ -207,7 +207,7 @@ bool imv_attestation_build(linked_list_t *attr_list,
 			pts_component_t *comp;
 			pts_comp_func_name_t *comp_name;
 			chunk_t keyid;
-			int vid, name, qualifier;
+			int kid, vid, name, qualifier;
 			u_int8_t flags;
 			u_int32_t depth;
 			bool first = TRUE, first_component = TRUE;
@@ -224,15 +224,19 @@ bool imv_attestation_build(linked_list_t *attr_list,
 			}
 			if (!pts->get_aik_keyid(pts, &keyid))
 			{
-				break;
+				DBG1(DBG_IMV, "retrieval of AIK keyid failed");
+				return FALSE;
 			}
 			if (!pts_db)
 			{
-				DBG1(DBG_PTS, "pts database not available");
+				DBG1(DBG_IMV, "pts database not available");
 				break;
 			}
-			
-			enumerator = pts_db->create_comp_evid_enumerator(pts_db, keyid);
+			if (pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
+			{
+				return FALSE;
+			}
+			enumerator = pts_db->create_comp_evid_enumerator(pts_db, kid);
 			if (!enumerator)
 			{
 				break;

src/libpts/plugins/imv_attestation/imv_attestation_process.c

@@ -178,6 +178,10 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 				e->destroy(e);
 				DBG1(DBG_IMV, "AIK certificate is %strusted",
 							   trusted ? "" : "not ");
+				if (!trusted)
+				{
+					return FALSE;
+				}
 			}
 			pts->set_aik(pts, aik);
 			break;

src/libpts/pts/pts_database.c

@@ -97,19 +97,42 @@ METHOD(pts_database_t, create_file_hash_enumerator, enumerator_t*,
 	return e;
 }
 
-METHOD(pts_database_t, create_comp_evid_enumerator, enumerator_t*,
-	private_pts_database_t *this, chunk_t keyid)
+METHOD(pts_database_t, check_aik_keyid, status_t,
+	private_pts_database_t *this, chunk_t keyid, int *kid)
 {
 	enumerator_t *e;
 
-	/* look for all entries belonging to a product in the components table */
+	/* If the AIK is registered get the primary key */
+	e = this->db->query(this->db,
+				"SELECT id FROM keys WHERE keyid = ?", DB_BLOB, keyid, DB_INT);
+	if (!e)
+	{
+		DBG1(DBG_PTS, "no database query enumerator returned");
+		return FAILED;
+	}
+	if (!e->enumerate(e, kid))
+	{
+		DBG1(DBG_PTS, "AIK %#B is not registered in database", &keyid);
+		e->destroy(e);
+		return FAILED;
+	}
+	e->destroy(e);
+
+	return SUCCESS;
+}
+
+METHOD(pts_database_t, create_comp_evid_enumerator, enumerator_t*,
+	private_pts_database_t *this, int kid)
+{
+	enumerator_t *e;
+
+	/* look for all entries belonging to an AIK in the components table */
 	e = this->db->query(this->db,
 				"SELECT c.vendor_id, c.name, c.qualifier, kc.depth "
  				"FROM components AS c "
 				"JOIN key_component AS kc ON c.id = kc.component "
-				"JOIN keys AS k ON k.id = kc.key "
-				"WHERE k.keyid = ? ORDER BY kc.seq_no",
-				DB_BLOB, keyid, DB_INT, DB_INT, DB_INT, DB_INT);
+				"WHERE kc.key = ? ORDER BY kc.seq_no",
+				DB_INT, kid, DB_INT, DB_INT, DB_INT, DB_INT);
 	return e;
 }
 
@@ -200,21 +223,10 @@ METHOD(pts_database_t, get_comp_measurement_count, status_t,
 	/* Initialize count */
 	*count = 0;
 
-	/* If the AIK is registered get the primary key */
-	e = this->db->query(this->db,
-				"SELECT id FROM keys WHERE keyid = ?", DB_BLOB, keyid, DB_INT);
-	if (!e)
+	if (_check_aik_keyid(this, keyid, kid) != SUCCESS)
 	{
-		DBG1(DBG_PTS, "no database query enumerator returned");
 		return FAILED;
 	}
-	if (!e->enumerate(e, kid))
-	{
-		DBG1(DBG_PTS, "AIK %#B is not registered in database", &keyid);
-		e->destroy(e);
-		return FAILED;
-	}
-	e->destroy(e);
 
 	/* Get the primary key of the Component Functional Name */
 	e = this->db->query(this->db,
@@ -277,6 +289,7 @@ pts_database_t *pts_database_create(char *uri)
 			.create_file_meta_enumerator = _create_file_meta_enumerator,
 			.create_comp_evid_enumerator = _create_comp_evid_enumerator,
 			.create_file_hash_enumerator = _create_file_hash_enumerator,
+			.check_aik_keyid = _check_aik_keyid,
 			.check_comp_measurement = _check_comp_measurement,
 			.insert_comp_measurement = _insert_comp_measurement,
 			.delete_comp_measurements = _delete_comp_measurements,

src/libpts/pts/pts_database.h

@@ -64,14 +64,22 @@ struct pts_database_t {
 								char *product, pts_meas_algorithms_t algo,
 								int id, bool is_dir);
 
+	/**
+	* Check if an AIK given by its keyid is registered in the database
+	*
+	* @param keyid			AIK keyid (SHA-1 hash of the AIK public key info)
+	* @param kid			Primary key of AIK entry in keys table
+	* @return				SUCCESS if AIK is present, FAILED otherwise
+	*/
+	status_t (*check_aik_keyid)(pts_database_t *this, chunk_t keyid, int *kid);
+
 	/**
 	* Get functional components to request evidence of
 	*
-	* @param keyid			SHA-1 hash of AIK public key info
+	* @param kid			Primary key of AIK entry in keys table
 	* @return				Enumerator over all matching components
 	*/
-	enumerator_t* (*create_comp_evid_enumerator)(pts_database_t *this,
-												 chunk_t keyid);
+	enumerator_t* (*create_comp_evid_enumerator)(pts_database_t *this, int kid);
 
 	/**
 	* Check a functional component measurement against value stored in database