1 /*
2 * Copyright (C) 2011-2012 Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
#define _GNU_SOURCE
#include <getopt.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <limits.h>
#include <syslog.h>

#include <library.h>
#include <utils/debug.h>

#include <imcv.h>
#include <libpts.h>
#include <pts/pts_meas_algo.h>

#include "attest_db.h"
#include "attest_usage.h"
33
/**
 * global debug output variables
 *
 * debug_level: messages with a level above this value are dropped by
 * attest_dbg(). stderr_quiet: when TRUE, attest_dbg() only writes to
 * syslog and never echoes to stderr. Neither is changed at runtime in
 * this file.
 */
static int debug_level = 1;
static bool stderr_quiet = TRUE;
39
/**
 * Debug hook installed into libstrongswan's dbg pointer by main().
 *
 * A message at or below debug_level is first echoed to stderr (unless
 * stderr_quiet is set), then rendered into a bounded buffer and handed to
 * syslog one record per line, because syslog does not treat embedded
 * newlines as record boundaries. Messages longer than the buffer are
 * truncated by vsnprintf().
 *
 * @param group		debug group of the message, not used for filtering here
 * @param level		verbosity level of the message
 * @param fmt		printf style format string followed by its arguments
 */
static void attest_dbg(debug_t group, level_t level, char *fmt, ...)
{
	char buffer[8192];
	char *line, *rest;
	va_list args;

	if (level > debug_level)
	{
		return;
	}

	if (!stderr_quiet)
	{
		va_start(args, fmt);
		vfprintf(stderr, fmt, args);
		fprintf(stderr, "\n");
		va_end(args);
	}

	/* render once into the bounded buffer, then split it up */
	va_start(args, fmt);
	vsnprintf(buffer, sizeof(buffer), fmt, args);
	va_end(args);

	/* one syslog record per line; a trailing newline yields an empty record */
	for (line = buffer; line; line = rest)
	{
		rest = strchr(line, '\n');
		if (rest)
		{
			*rest++ = '\0';
		}
		syslog(LOG_INFO, "%s\n", line);
	}
}
78
/**
 * global attestation database object
 *
 * Created in main() from the attest.database URI and released by the
 * cleanup() atexit handler; every option handler in do_args() operates
 * on this single instance.
 */
attest_db_t *attest;
83
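/**
 * atexit handler to close db on shutdown
 *
 * main() registers this handler only after attest_db_create() succeeded,
 * so attest is non-NULL here. Since library_deinit was registered earlier,
 * this handler runs before it (atexit handlers run in reverse order).
 */
static void cleanup(void)
{
	attest->destroy(attest);
	/* do not leave a dangling global behind for later atexit handlers */
	attest = NULL;
	libpts_deinit();
	libimcv_deinit();
	closelog();
}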
94
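/**
 * Strictly parse an integer option argument.
 *
 * atoi() silently turns input such as "12x" or "foo" into a number, so a
 * mistyped database id or sequence number would be acted upon (possibly
 * against the wrong row). Only a complete decimal integer that fits into an
 * int is accepted; anything else is reported and terminates the process.
 *
 * @param arg		option argument as delivered by getopt_long()
 * @param name		long option name, used in the error message only
 * @return			parsed value
 */
static int parse_int_arg(const char *arg, const char *name)
{
	char *end;
	long value;

	errno = 0;
	value = strtol(arg, &end, 10);
	if (end == arg || *end != '\0' || errno == ERANGE ||
		value < INT_MIN || value > INT_MAX)
	{
		printf("invalid integer argument '%s' for option --%s\n", arg, name);
		exit(EXIT_FAILURE);
	}
	return (int)value;
}

/**
 * Load an X.509 AIK certificate and return the SHA-1 fingerprint of its
 * SubjectPublicKeyInfo as a freshly allocated chunk.
 *
 * Any failure is reported on stdout and terminates the process, matching
 * the other option handlers in do_args().
 *
 * @param path		path of the certificate file
 * @return			cloned fingerprint, ownership passes to the caller
 */
static chunk_t aik_fingerprint_from_file(const char *path)
{
	certificate_t *cert;
	public_key_t *key;
	chunk_t fingerprint;

	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
							  BUILD_FROM_FILE, path, BUILD_END);
	if (!cert)
	{
		printf("AIK certificate '%s' could not be loaded\n", path);
		exit(EXIT_FAILURE);
	}
	key = cert->get_public_key(cert);
	cert->destroy(cert);

	if (!key)
	{
		printf("AIK public key could not be retrieved\n");
		exit(EXIT_FAILURE);
	}
	if (!key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fingerprint))
	{
		printf("AIK fingerprint could not be computed\n");
		key->destroy(key);
		exit(EXIT_FAILURE);
	}
	/* copy the fingerprint before the key is released */
	fingerprint = chunk_clone(fingerprint);
	key->destroy(key);
	return fingerprint;
}

/**
 * Parse the command line and execute the selected operation.
 *
 * The operation (list, add, delete or usage) is chosen by the operation
 * option seen last, --help ends option parsing immediately. All other
 * options set filters and parameters on the global attest object; the
 * ones that can fail terminate the process with EXIT_FAILURE, as do an
 * unknown option and a missing option argument.
 *
 * @param argc		argument count as passed to main()
 * @param argv		argument vector as passed to main()
 */
static void do_args(int argc, char *argv[])
{
	enum {
		OP_UNDEF,
		OP_USAGE,
		OP_KEYS,
		OP_COMPONENTS,
		OP_DEVICES,
		OP_FILES,
		OP_HASHES,
		OP_MEASUREMENTS,
		OP_PACKAGES,
		OP_PRODUCTS,
		OP_ADD,
		OP_DEL,
	} op = OP_UNDEF;

	/* the option table is invariant, build it once instead of per iteration */
	static const struct option long_opts[] = {
		{ "help", no_argument, NULL, 'h' },
		{ "components", no_argument, NULL, 'c' },
		{ "devices", no_argument, NULL, 'e' },
		{ "files", no_argument, NULL, 'f' },
		{ "keys", no_argument, NULL, 'k' },
		{ "packages", no_argument, NULL, 'g' },
		{ "products", no_argument, NULL, 'p' },
		{ "hashes", no_argument, NULL, 'H' },
		{ "measurements", no_argument, NULL, 'm' },
		{ "add", no_argument, NULL, 'a' },
		{ "delete", no_argument, NULL, 'd' },
		{ "del", no_argument, NULL, 'd' },
		{ "aik", required_argument, NULL, 'A' },
		{ "blacklist", no_argument, NULL, 'B' },
		{ "component", required_argument, NULL, 'C' },
		{ "comp", required_argument, NULL, 'C' },
		{ "directory", required_argument, NULL, 'D' },
		{ "dir", required_argument, NULL, 'D' },
		{ "file", required_argument, NULL, 'F' },
		{ "sha1-ima", no_argument, NULL, 'I' },
		{ "package", required_argument, NULL, 'G' },
		{ "key", required_argument, NULL, 'K' },
		{ "owner", required_argument, NULL, 'O' },
		{ "product", required_argument, NULL, 'P' },
		{ "relative", no_argument, NULL, 'R' },
		{ "rel", no_argument, NULL, 'R' },
		{ "sequence", required_argument, NULL, 'S' },
		{ "seq", required_argument, NULL, 'S' },
		{ "utc", no_argument, NULL, 'U' },
		{ "version", required_argument, NULL, 'V' },
		{ "security", no_argument, NULL, 'Y' },
		{ "sha1", no_argument, NULL, '1' },
		{ "sha256", no_argument, NULL, '2' },
		{ "sha384", no_argument, NULL, '3' },
		{ "did", required_argument, NULL, '4' },
		{ "fid", required_argument, NULL, '5' },
		{ "pid", required_argument, NULL, '6' },
		{ "cid", required_argument, NULL, '7' },
		{ "kid", required_argument, NULL, '8' },
		{ "gid", required_argument, NULL, '9' },
		{ 0,0,0,0 }
	};

	/* reinit getopt state */
	optind = 0;

	while (TRUE)
	{
		int c = getopt_long(argc, argv, "", long_opts, NULL);

		if (c == -1)
		{
			/* end of options */
			break;
		}
		if (c == 'h')
		{
			/* --help ends option parsing, whatever follows is ignored */
			op = OP_USAGE;
			break;
		}
		switch (c)
		{
			case 'c':
				op = OP_COMPONENTS;
				break;
			case 'e':
				op = OP_DEVICES;
				break;
			case 'f':
				op = OP_FILES;
				break;
			case 'g':
				op = OP_PACKAGES;
				break;
			case 'k':
				op = OP_KEYS;
				break;
			case 'p':
				op = OP_PRODUCTS;
				break;
			case 'H':
				op = OP_HASHES;
				break;
			case 'm':
				op = OP_MEASUREMENTS;
				break;
			case 'a':
				op = OP_ADD;
				break;
			case 'd':
				op = OP_DEL;
				break;
			case 'A':
				if (!attest->set_key(attest, aik_fingerprint_from_file(optarg),
									 op == OP_ADD))
				{
					exit(EXIT_FAILURE);
				}
				break;
			case 'B':
				attest->set_security(attest, OS_PACKAGE_STATE_BLACKLIST);
				break;
			case 'C':
				if (!attest->set_component(attest, optarg, op == OP_ADD))
				{
					exit(EXIT_FAILURE);
				}
				break;
			case 'D':
				if (!attest->set_directory(attest, optarg, op == OP_ADD))
				{
					exit(EXIT_FAILURE);
				}
				break;
			case 'F':
				if (!attest->set_file(attest, optarg, op == OP_ADD))
				{
					exit(EXIT_FAILURE);
				}
				break;
			case 'G':
				if (!attest->set_package(attest, optarg, op == OP_ADD))
				{
					exit(EXIT_FAILURE);
				}
				break;
			case 'I':
				attest->set_algo(attest, PTS_MEAS_ALGO_SHA1_IMA);
				break;
			case 'K':
			{
				/* key id given as hex string on the command line */
				chunk_t aik;

				aik = chunk_from_hex(chunk_create(optarg, strlen(optarg)), NULL);
				if (!attest->set_key(attest, aik, op == OP_ADD))
				{
					exit(EXIT_FAILURE);
				}
				break;
			}
			case 'O':
				attest->set_owner(attest, optarg);
				break;
			case 'P':
				if (!attest->set_product(attest, optarg, op == OP_ADD))
				{
					exit(EXIT_FAILURE);
				}
				break;
			case 'R':
				attest->set_relative(attest);
				break;
			case 'S':
				attest->set_sequence(attest, parse_int_arg(optarg, "sequence"));
				break;
			case 'U':
				attest->set_utc(attest);
				break;
			case 'V':
				if (!attest->set_version(attest, optarg))
				{
					exit(EXIT_FAILURE);
				}
				break;
			case 'Y':
				attest->set_security(attest, OS_PACKAGE_STATE_SECURITY);
				break;
			case '1':
				attest->set_algo(attest, PTS_MEAS_ALGO_SHA1);
				break;
			case '2':
				attest->set_algo(attest, PTS_MEAS_ALGO_SHA256);
				break;
			case '3':
				attest->set_algo(attest, PTS_MEAS_ALGO_SHA384);
				break;
			case '4':
				if (!attest->set_did(attest, parse_int_arg(optarg, "did")))
				{
					exit(EXIT_FAILURE);
				}
				break;
			case '5':
				if (!attest->set_fid(attest, parse_int_arg(optarg, "fid")))
				{
					exit(EXIT_FAILURE);
				}
				break;
			case '6':
				if (!attest->set_pid(attest, parse_int_arg(optarg, "pid")))
				{
					exit(EXIT_FAILURE);
				}
				break;
			case '7':
				if (!attest->set_cid(attest, parse_int_arg(optarg, "cid")))
				{
					exit(EXIT_FAILURE);
				}
				break;
			case '8':
				if (!attest->set_kid(attest, parse_int_arg(optarg, "kid")))
				{
					exit(EXIT_FAILURE);
				}
				break;
			case '9':
				if (!attest->set_gid(attest, parse_int_arg(optarg, "gid")))
				{
					exit(EXIT_FAILURE);
				}
				break;
			default:
				/* '?': unknown option or missing argument. Previously this
				 * silently ended option parsing and the command still ran;
				 * reject it so a typo cannot turn into an unintended
				 * list/add/delete with partial parameters. getopt_long()
				 * itself reports the offending option on stderr. */
				usage();
				exit(EXIT_FAILURE);
		}
	}

	switch (op)
	{
		case OP_USAGE:
			usage();
			break;
		case OP_PACKAGES:
			attest->list_packages(attest);
			break;
		case OP_PRODUCTS:
			attest->list_products(attest);
			break;
		case OP_KEYS:
			attest->list_keys(attest);
			break;
		case OP_COMPONENTS:
			attest->list_components(attest);
			break;
		case OP_DEVICES:
			attest->list_devices(attest);
			break;
		case OP_FILES:
			attest->list_files(attest);
			break;
		case OP_HASHES:
			attest->list_hashes(attest);
			break;
		case OP_MEASUREMENTS:
			attest->list_measurements(attest);
			break;
		case OP_ADD:
			attest->add(attest);
			break;
		case OP_DEL:
			attest->delete(attest);
			break;
		default:
			/* no operation selected at all */
			usage();
			exit(EXIT_FAILURE);
	}
}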
395
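/**
 * Entry point of the attest tool.
 *
 * Installs the syslog/stderr debug hook, initializes libstrongswan and the
 * plugins named by attest.load, opens the attestation database named by
 * attest.database, brings up libimcv and libpts and then dispatches the
 * command line via do_args(). Teardown is done by atexit handlers because
 * every error path here and in do_args() terminates through exit().
 *
 * @param argc		argument count
 * @param argv		argument vector
 * @return			does not return, the status is passed to exit()
 */
int main(int argc, char *argv[])
{
	char *uri;

	/* enable attest debugging hook */
	dbg = attest_dbg;
	/* openlog()'s third argument is the facility; LOG_DEBUG is a priority
	 * and not a valid facility value, so use the default user facility */
	openlog("attest", 0, LOG_USER);

	atexit(library_deinit);

	/* initialize library */
	if (!library_init(NULL))
	{
		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
	}
	if (!lib->plugins->load(lib->plugins, NULL,
			lib->settings->get_str(lib->settings, "attest.load", PLUGINS)))
	{
		exit(SS_RC_INITIALIZATION_FAILED);
	}

	uri = lib->settings->get_str(lib->settings, "attest.database", NULL);
	if (!uri)
	{
		fprintf(stderr, "database URI attest.database not set.\n");
		exit(SS_RC_INITIALIZATION_FAILED);
	}
	attest = attest_db_create(uri);
	if (!attest)
	{
		exit(SS_RC_INITIALIZATION_FAILED);
	}
	/* only registered once attest is valid, cleanup() dereferences it */
	atexit(cleanup);
	libimcv_init();
	libpts_init();

	do_args(argc, argv);

	exit(EXIT_SUCCESS);
}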
435 }
436