register aik certificate via ipsec attest
parent
84da59f609
commit
cb4da3f610
22
configure.in
22
configure.in
|
@ -799,25 +799,25 @@ ADD_PLUGIN([pkcs11], [s libcharon pki])
|
|||
ADD_PLUGIN([aes], [s libcharon pluto openac scepclient pki scripts])
|
||||
ADD_PLUGIN([des], [s libcharon pluto openac scepclient pki scripts])
|
||||
ADD_PLUGIN([blowfish], [s libcharon pluto openac scepclient pki scripts])
|
||||
ADD_PLUGIN([sha1], [s libcharon pluto openac scepclient pki scripts medsrv])
|
||||
ADD_PLUGIN([sha2], [s libcharon pluto openac scepclient pki scripts medsrv])
|
||||
ADD_PLUGIN([sha1], [s libcharon pluto openac scepclient pki scripts medsrv attest])
|
||||
ADD_PLUGIN([sha2], [s libcharon pluto openac scepclient pki scripts medsrv attest])
|
||||
ADD_PLUGIN([md4], [s libcharon openac manager scepclient pki])
|
||||
ADD_PLUGIN([md5], [s libcharon pluto openac scepclient pki scripts])
|
||||
ADD_PLUGIN([random], [s libcharon pluto openac scepclient pki scripts medsrv])
|
||||
ADD_PLUGIN([x509], [s libcharon pluto openac scepclient pki scripts])
|
||||
ADD_PLUGIN([md5], [s libcharon pluto openac scepclient pki scripts attest])
|
||||
ADD_PLUGIN([random], [s libcharon pluto openac scepclient pki scripts medsrv attest])
|
||||
ADD_PLUGIN([x509], [s libcharon pluto openac scepclient pki scripts attest])
|
||||
ADD_PLUGIN([revocation], [s libcharon])
|
||||
ADD_PLUGIN([constraints], [s libcharon])
|
||||
ADD_PLUGIN([pubkey], [s libcharon])
|
||||
ADD_PLUGIN([pkcs1], [s libcharon pluto openac scepclient pki scripts manager medsrv])
|
||||
ADD_PLUGIN([pkcs1], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
|
||||
ADD_PLUGIN([pgp], [s libcharon pluto])
|
||||
ADD_PLUGIN([dnskey], [s pluto])
|
||||
ADD_PLUGIN([pem], [s libcharon pluto openac scepclient pki scripts manager medsrv])
|
||||
ADD_PLUGIN([pem], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
|
||||
ADD_PLUGIN([padlock], [s libcharon])
|
||||
ADD_PLUGIN([openssl], [s libcharon pluto openac scepclient pki scripts manager medsrv])
|
||||
ADD_PLUGIN([gcrypt], [s libcharon pluto openac scepclient pki scripts manager medsrv])
|
||||
ADD_PLUGIN([af-alg], [s libcharon pluto openac scepclient pki scripts medsrv])
|
||||
ADD_PLUGIN([openssl], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
|
||||
ADD_PLUGIN([gcrypt], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
|
||||
ADD_PLUGIN([af-alg], [s libcharon pluto openac scepclient pki scripts medsrv attest])
|
||||
ADD_PLUGIN([fips-prf], [s libcharon])
|
||||
ADD_PLUGIN([gmp], [s libcharon pluto openac scepclient pki scripts manager medsrv])
|
||||
ADD_PLUGIN([gmp], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
|
||||
ADD_PLUGIN([agent], [s libcharon])
|
||||
ADD_PLUGIN([xcbc], [s libcharon])
|
||||
ADD_PLUGIN([hmac], [s libcharon pluto scripts])
|
||||
|
|
|
@ -34,7 +34,7 @@
|
|||
/**
|
||||
* global debug output variables
|
||||
*/
|
||||
static int debug_level = 0;
|
||||
static int debug_level = 2;
|
||||
static bool stderr_quiet = TRUE;
|
||||
|
||||
/**
|
||||
|
@ -121,10 +121,11 @@ static void do_args(int argc, char *argv[])
|
|||
{ "keys", no_argument, NULL, 'k' },
|
||||
{ "products", no_argument, NULL, 'p' },
|
||||
{ "hashes", no_argument, NULL, 'H' },
|
||||
{ "measurements", no_argument, NULL, 'M' },
|
||||
{ "measurements", no_argument, NULL, 'm' },
|
||||
{ "add", no_argument, NULL, 'a' },
|
||||
{ "delete", no_argument, NULL, 'd' },
|
||||
{ "del", no_argument, NULL, 'd' },
|
||||
{ "aik", required_argument, NULL, 'A' },
|
||||
{ "component", required_argument, NULL, 'C' },
|
||||
{ "comp", required_argument, NULL, 'C' },
|
||||
{ "directory", required_argument, NULL, 'D' },
|
||||
|
@ -167,7 +168,7 @@ static void do_args(int argc, char *argv[])
|
|||
case 'H':
|
||||
op = OP_HASHES;
|
||||
continue;
|
||||
case 'M':
|
||||
case 'm':
|
||||
op = OP_MEASUREMENTS;
|
||||
continue;
|
||||
case 'a':
|
||||
|
@ -176,6 +177,43 @@ static void do_args(int argc, char *argv[])
|
|||
case 'd':
|
||||
op = OP_DEL;
|
||||
continue;
|
||||
case 'A':
|
||||
{
|
||||
certificate_t *aik_cert;
|
||||
public_key_t *aik_key;
|
||||
chunk_t aik;
|
||||
|
||||
aik_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
|
||||
CERT_X509, BUILD_FROM_FILE, optarg, BUILD_END);
|
||||
if (!aik_cert)
|
||||
{
|
||||
printf("AIK certificate '%s' could not be loaded\n", optarg);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
aik_key = aik_cert->get_public_key(aik_cert);
|
||||
aik_cert->destroy(aik_cert);
|
||||
|
||||
if (!aik_key)
|
||||
{
|
||||
printf("AIK public key could not be retrieved\n");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
if (!aik_key->get_fingerprint(aik_key, KEYID_PUBKEY_INFO_SHA1,
|
||||
&aik))
|
||||
{
|
||||
printf("AIK fingerprint could not be computed\n");
|
||||
aik_key->destroy(aik_key);
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
aik = chunk_clone(aik);
|
||||
aik_key->destroy(aik_key);
|
||||
|
||||
if (!attest->set_key(attest, aik, op == OP_ADD))
|
||||
{
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
continue;
|
||||
}
|
||||
case 'C':
|
||||
if (!attest->set_component(attest, optarg, op == OP_ADD))
|
||||
{
|
||||
|
@ -195,11 +233,16 @@ static void do_args(int argc, char *argv[])
|
|||
}
|
||||
continue;
|
||||
case 'K':
|
||||
if (!attest->set_key(attest, optarg, op == OP_ADD))
|
||||
{
|
||||
chunk_t aik;
|
||||
|
||||
aik = chunk_from_hex(chunk_create(optarg, strlen(optarg)), NULL);
|
||||
if (!attest->set_key(attest, aik, op == OP_ADD))
|
||||
{
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
continue;
|
||||
}
|
||||
case 'O':
|
||||
attest->set_owner(attest, optarg);
|
||||
continue;
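Review bot: The new `--key` path in case 'K' hands whatever chunk_from_hex() produced straight to set_key with no length check, while the new `--aik` path in case 'A' always stores a SHA-1 fingerprint (KEYID_PUBKEY_INFO_SHA1); a malformed or truncated hex digest therefore becomes the keyid blob the database is queried and populated with. chunk_from_hex() does not appear to report bad input, so check the decoded length before the set_key call, e.g. `if (aik.len != HASH_SIZE_SHA1) { printf("AIK key digest must be %d bytes\n", HASH_SIZE_SHA1); exit(EXIT_FAILURE); }`. Separately, the first hunk of this file raises the default `debug_level` from 0 to 2, which is unrelated to the AIK registration the commit describes; if that is intentional it deserves a mention in the commit message, otherwise it should be reverted. do_args() starts and ends outside these hunks.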
|
||||
|
|
|
@ -402,7 +402,7 @@ METHOD(attest_db_t, set_fid, bool,
|
|||
}
|
||||
|
||||
METHOD(attest_db_t, set_key, bool,
|
||||
private_attest_db_t *this, char *key, bool create)
|
||||
private_attest_db_t *this, chunk_t key, bool create)
|
||||
{
|
||||
enumerator_t *e;
|
||||
char *owner;
|
||||
|
@ -412,7 +412,7 @@ METHOD(attest_db_t, set_key, bool,
|
|||
printf("key has already been set\n");
|
||||
return FALSE;
|
||||
}
|
||||
this->key = chunk_from_hex(chunk_create(key, strlen(key)), NULL);
|
||||
this->key = key;
|
||||
|
||||
e = this->db->query(this->db, "SELECT id, owner FROM keys WHERE keyid= ?",
|
||||
DB_BLOB, this->key, DB_INT, DB_TEXT);
|
||||
|
@ -420,6 +420,7 @@ METHOD(attest_db_t, set_key, bool,
|
|||
{
|
||||
if (e->enumerate(e, &this->kid, &owner))
|
||||
{
|
||||
free(this->owner);
|
||||
this->owner = strdup(owner);
|
||||
this->key_set = TRUE;
|
||||
}
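Review bot: `this->key = key;` now takes ownership of the caller's heap chunk (both callers in attest.c pass a chunk_clone() or chunk_from_hex() result), but the "key has already been set" early return just above it neither stores nor frees that chunk, so on that path the caller's buffer leaks; either release it there, `chunk_free(&key); return FALSE;`, or state in the header comment that ownership passes only when TRUE is returned. The buffer was previously allocated inside set_key itself, so the destroy method (outside this hunk) should be re-checked to confirm it still frees this->key under the new contract. The method begins in the preceding hunk and the rest of its body is outside view.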
|
||||
|
|
|
@ -91,7 +91,7 @@ struct attest_db_t {
|
|||
* @param create if TRUE create database entry if it doesn't exist
|
||||
* @return TRUE if successful
|
||||
*/
|
||||
bool (*set_key)(attest_db_t *this, char *key, bool create);
|
||||
bool (*set_key)(attest_db_t *this, chunk_t key, bool create);
|
||||
|
||||
/**
|
||||
* Set primary key of the AIK to be queried
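Review bot: The Doxygen `@param key` line for set_key sits immediately above this hunk and, given the old `char *key` signature, presumably still describes a hex-encoded string; with the parameter now a chunk_t it should describe the binary identifier and, since the implementation appears to store the chunk directly in `this->key`, say who owns the buffer, e.g. `@param key AIK public key identifier (SHA-1 fingerprint) as a binary chunk; ownership is taken by the object`. The enclosing struct attest_db_t runs past both ends of this hunk.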
|
||||
|
|
|
@ -56,7 +56,7 @@ Usage:\n\
|
|||
Show a list of component measurements for a given component or\n\
|
||||
its primary key as an optional selector.\n\
|
||||
\n\
|
||||
ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>]\n\
|
||||
ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>|--aik <path>]\n\
|
||||
Show a list of component measurements for a given AIK or\n\
|
||||
its primary key as an optional selector.\n\
|
||||
\n\
|
||||
|
@ -64,7 +64,7 @@ Usage:\n\
|
|||
Add a file, directory, product or component entry\n\
|
||||
Component <cfn> entries must be of the form <vendor_id>/<name>-<qualifier>\n\
|
||||
\n\
|
||||
ipsec attest --add [--owner <name>] --key <digest>\n\
|
||||
ipsec attest --add [--owner <name>] --key <digest>|--aik <path>\n\
|
||||
Add an AIK public key digest entry preceded by an optional owner name\n\
|
||||
\n\
|
||||
ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\
|
||||
|
@ -73,7 +73,7 @@ Usage:\n\
|
|||
ipsec attest --del --product <name>|--pid <id>|--component <cfn>|--cid <id>\n\
|
||||
Delete a product or component entry referenced either by value or primary key\n\
|
||||
\n\
|
||||
ipsec attest --del --key <digest>|--kid <id>\n\
|
||||
ipsec attest --del --key <digest>|--kid <id>|--aik <path>\n\
|
||||
Delete an AIK entry referenced either by value or primary key\n\
|
||||
\n");
|
||||
}
|
||||
|
|