check if AIK certificate is trusted

2011-09-07 11:00:46 +02:00 · 2011-09-07 11:00:46 +02:00 · 85a276e985
parent 8b5219dd61
commit 85a276e985
3 changed files with 45 additions and 17 deletions
--- a/src/libimcv/plugins/imv_attestation/imv_attestation.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation.c
@ -44,6 +44,7 @@
 #include <pen/pen.h>
 #include <debug.h>
 #include <utils/linked_list.h>
+#include <credentials/credential_manager.h>

 /* IMV definitions */

@ -75,6 +76,11 @@ static pts_database_t *pts_db;
 */
 static pts_creds_t *pts_creds;

+/**
+ * PTS credential manager
+ */
+static credential_manager_t *pts_credmgr;
+
 /**
 * List of id's for the files that are requested for measurement
 */
@ -129,15 +135,22 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
 		supported_algorithms &= ~PTS_MEAS_ALGO_SHA256;
 	}

-	/* attach file measurement database */
-	uri = lib->settings->get_str(lib->settings,
-				"libimcv.plugins.imv-attestation.database", NULL);
-	pts_db = pts_database_create(uri);
+	/* create a PTS credential manager */
+	pts_credmgr = credential_manager_create();

 	/* create PTS credential set */
 	cadir = lib->settings->get_str(lib->settings,
 				"libimcv.plugins.imv-attestation.cadir", NULL);
 	pts_creds = pts_creds_create(cadir);
+	if (pts_creds)
+	{
+		pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
+	}
+
+	/* attach file measurement database */
+	uri = lib->settings->get_str(lib->settings,
+				"libimcv.plugins.imv-attestation.database", NULL);
+	pts_db = pts_database_create(uri);

 	return TNC_RESULT_SUCCESS;
 }
@ -446,7 +459,8 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
 				case TCG_PTS_AIK:
 				{
 					tcg_pts_attr_aik_t *attr_cast;
-					certificate_t *aik;
+					certificate_t *aik, *issuer;
+					enumerator_t *e;

 					attr_cast = (tcg_pts_attr_aik_t*)attr;
 					aik = attr_cast->get_aik(attr_cast);
@ -456,6 +470,17 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
 						break;
 					}
 					pts->set_aik(pts, aik);
+					e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
+								KEY_ANY, aik->get_issuer(aik), FALSE);
+					while (e->enumerate(e, &issuer))
+					{
+						if (aik->issued_by(aik, issuer))
+						{
+							DBG1(DBG_IMV, "AIK certificate is trusted");
+							break;
+						}
+					}
+					e->destroy(e);
 					break;
 				}
 	
@ -701,8 +726,13 @@ TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
 		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
 		return TNC_RESULT_NOT_INITIALIZED;
 	}
+	if (pts_creds)
+	{
+		pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
+		pts_creds->destroy(pts_creds);
+	}
 	DESTROY_IF(pts_db);
-	DESTROY_IF(pts_creds);
+	pts_credmgr->destroy(pts_credmgr);
 	requested_files->destroy(requested_files);
 	imv_attestation->destroy(imv_attestation);
 	imv_attestation = NULL;
--- a/src/libimcv/tcg/pts/pts_creds.c
+++ b/src/libimcv/tcg/pts/pts_creds.c
@ -41,10 +41,10 @@ struct private_pts_creds_t {

 };

-METHOD(pts_creds_t, verify, bool,
-	private_pts_creds_t *this, certificate_t *cert)
+METHOD(pts_creds_t, get_set, credential_set_t*,
+	private_pts_creds_t *this)
 {
-	return FALSE;
+	return &this->creds->set;
 }


@ -123,7 +123,7 @@ pts_creds_t *pts_creds_create(char *path)

 	INIT(this,
 		.public = {
-			.verify = _verify,
+			.get_set = _get_set,
 			.destroy = _destroy,
 		},
 		.creds = mem_cred_create(),
--- a/src/libimcv/tcg/pts/pts_creds.h
+++ b/src/libimcv/tcg/pts/pts_creds.h
@ -24,21 +24,19 @@
 typedef struct pts_creds_t pts_creds_t;

 #include <library.h>
+#include <credentials/credential_set.h>

 /**
 * Class implementing a PTS credentials set
- *
 */
 struct pts_creds_t {

-/**
-	 * Verify an AIK certificate
+	/**
+	 * Get the credential set
 	 *
-	 * @cert				certificate to be verified
-	 * @return				TRUE if valid and trusted
+	 * @return				credential set
 	 */
-	bool (*verify)(pts_creds_t *this, certificate_t *cert);
-	
+	credential_set_t* (*get_set)(pts_creds_t *this);

 	/**
 	 * Destroys a pts_creds_t object.