beautified AIK verification
authorAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 7 Sep 2011 23:13:36 +0000 (01:13 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 8 Sep 2011 10:20:58 +0000 (12:20 +0200)
src/libimcv/plugins/imv_attestation/imv_attestation.c

index de93b9c..6f5bd4b 100644 (file)
@@ -453,6 +453,7 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
                                        tcg_pts_attr_aik_t *attr_cast;
                                        certificate_t *aik, *issuer;
                                        enumerator_t *e;
+                                       bool trusted = FALSE;
 
                                        attr_cast = (tcg_pts_attr_aik_t*)attr;
                                        aik = attr_cast->get_aik(attr_cast);
@@ -461,18 +462,24 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
                                                /* TODO generate error attribute */
                                                break;
                                        }
-                                       pts->set_aik(pts, aik);
-                                       e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
-                                                               KEY_ANY, aik->get_issuer(aik), FALSE);
-                                       while (e->enumerate(e, &issuer))
+                                       if (aik->get_type(aik) == CERT_X509)
                                        {
-                                               if (aik->issued_by(aik, issuer))
+                                               DBG1(DBG_IMV, "verifying AIK certificate");
+                                               e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
+                                                                       KEY_ANY, aik->get_issuer(aik), FALSE);
+                                               while (e->enumerate(e, &issuer))
                                                {
-                                                       DBG1(DBG_IMV, "AIK certificate is trusted");
-                                                       break;
+                                                       if (aik->issued_by(aik, issuer))
+                                                       {
+                                                               trusted = TRUE;
+                                                               break;
+                                                       }
                                                }
+                                               e->destroy(e);
+                                               DBG1(DBG_IMV, "AIK certificate is %strusted",
+                                                                          trusted ? "" : "not ");
                                        }
-                                       e->destroy(e);
+                                       pts->set_aik(pts, aik);
                                        break;
                                }
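Review bot: The outcome stored in `trusted` is only logged; the moved `pts->set_aik(pts, aik);` runs whether or not a trusted issuer was found, and also when the AIK is not an X.509 certificate, so an AIK whose issuer is not in the trusted store is still installed as the attestation key. If an unverifiable AIK is meant to be rejected, a guard such as `if (!trusted) { /* TODO generate error attribute */ break; }` directly before `set_aik`, mirroring the error path above for a missing AIK, would make the check effective; if accepting it is intended for now, a comment stating that verification is informational only would keep the next reader from assuming otherwise. The non-X509 branch skips verification silently, and a DBG1 line there would keep the log consistent with the certificate case. TNC_IMV_ReceiveMessage begins and ends outside the hunk.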