added a PTS credential set
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 5 Sep 2011 16:19:50 +0000 (18:19 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 8 Sep 2011 10:08:17 +0000 (12:08 +0200)
src/libimcv/Makefile.am
src/libimcv/plugins/imv_attestation/imv_attestation.c
src/libimcv/tcg/pts/pts_creds.c [new file with mode: 0644]
src/libimcv/tcg/pts/pts_creds.h [new file with mode: 0644]

index 553038b..dcb3413 100644 (file)
@@ -31,7 +31,8 @@ libimcv_la_SOURCES = \
        tcg/tcg_pts_attr_file_meas.h tcg/tcg_pts_attr_file_meas.c \
        tcg/pts/pts.h tcg/pts/pts.c \
        tcg/pts/pts_error.h tcg/pts/pts_error.c \
-       tcg/pts/pts_proto_caps.h tcg/pts/pts_funct_comp_name.h tcg/pts/fake_ek_cert.h\
+       tcg/pts/pts_proto_caps.h tcg/pts/pts_funct_comp_name.h \
+       tcg/pts/pts_creds.h tcg/pts/pts_creds.c \
        tcg/pts/pts_database.h tcg/pts/pts_database.c \
        tcg/pts/pts_file_meas.h tcg/pts/pts_file_meas.c \
        tcg/pts/pts_meas_algo.h tcg/pts/pts_meas_algo.c
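Review bot: The hunk drops `tcg/pts/fake_ek_cert.h` from `libimcv_la_SOURCES` while adding the pts_creds pair, but the commit's file list shows no deletion of that header, so it presumably stays in the tree no longer referenced by the build. If it is obsolete it should be removed in the same change; otherwise the reason for taking it out of the source list belongs in the commit message, since the title only mentions the added credential set.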
index 0bf705d..a559e21 100644 (file)
@@ -21,6 +21,7 @@
 #include <ietf/ietf_attr_pa_tnc_error.h>
 
 #include <tcg/pts/pts_database.h>
+#include <tcg/pts/pts_creds.h>
 #include <tcg/pts/pts_error.h>
 
 #include <tcg/tcg_attr.h>
@@ -69,6 +70,11 @@ static pts_meas_algorithms_t supported_algorithms = 0;
 static pts_database_t *pts_db;
 
 /**
+ * PTS credentials
+ */
+static pts_creds_t *pts_creds;
+
+/**
  * List of id's for the files that are requested for measurement
  */
 static linked_list_t *requested_files;
@@ -81,7 +87,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
                                                          TNC_Version max_version,
                                                          TNC_Version *actual_version)
 {
-       char *hash_alg, *uri;
+       char *hash_alg, *uri, *cadir;
 
        if (imv_attestation)
        {
@@ -127,6 +133,11 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
                                "libimcv.plugins.imv-attestation.database", NULL);
        pts_db = pts_database_create(uri);
 
+       /* create PTS credential set */
+       cadir = lib->settings->get_str(lib->settings,
+                               "libimcv.plugins.imv-attestation.cadir", NULL);
+       pts_creds = pts_creds_create(cadir);
+
        return TNC_RESULT_SUCCESS;
 }
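Review bot: `pts_creds = pts_creds_create(cadir);` is never checked, although pts_creds_create() in pts_creds.c returns NULL when the `cadir` setting is absent, so TNC_IMV_Initialize reports TNC_RESULT_SUCCESS with no trust anchors loaded. DESTROY_IF() in TNC_IMV_Terminate tolerates the NULL, but any later call through `pts_creds->verify` would have to guard against it. If starting without a credential set is intentional (as it appears to be for pts_db), a comment above the assignment such as `/* may be NULL when no cadir is configured; check before use */` would make that contract explicit for callers. The body of TNC_IMV_Initialize begins outside this hunk.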
 
@@ -681,6 +692,7 @@ TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
                return TNC_RESULT_NOT_INITIALIZED;
        }
        DESTROY_IF(pts_db);
+       DESTROY_IF(pts_creds);
        imv_attestation->destroy(imv_attestation);
        imv_attestation = NULL;
 
diff --git a/src/libimcv/tcg/pts/pts_creds.c b/src/libimcv/tcg/pts/pts_creds.c
new file mode 100644 (file)
index 0000000..1a8211c
--- /dev/null
@@ -0,0 +1,136 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pts_creds.h"
+
+#include <debug.h>
+#include <credentials/certificates/x509.h>
+#include <credentials/sets/mem_cred.h>
+
+#include <sys/stat.h>
+
+typedef struct private_pts_creds_t private_pts_creds_t;
+
+/**
+ * Private data of a pts_creds_t object.
+ *
+ */
+struct private_pts_creds_t {
+
+       /**
+        * Public pts_creds_t interface.
+        */
+       pts_creds_t public;
+
+       /**
+        * Credential set
+        */
+       mem_cred_t *creds;
+
+};
+
+METHOD(pts_creds_t, verify, bool,
+       private_pts_creds_t *this, certificate_t *cert)
+{
+       return FALSE;
+}
+
+
+METHOD(pts_creds_t, destroy, void,
+       private_pts_creds_t *this)
+{
+       this->creds->destroy(this->creds);
+       free(this);
+}
+
+/**
+ * Load trusted PTS CA certificates from a directory
+ */
+static void load_cacerts(private_pts_creds_t *this, char *path)
+{
+       enumerator_t *enumerator;
+       struct stat st;
+       char *file;
+
+       DBG1(DBG_TNC, "loading PTS ca certificates from '%s'", path);
+
+       enumerator = enumerator_create_directory(path);
+       if (!enumerator)
+       {
+               return;
+       }
+
+       while (enumerator->enumerate(enumerator, NULL, &file, &st))
+       {
+               certificate_t *cert;
+
+               if (!S_ISREG(st.st_mode))
+               {
+                       /* skip special file */
+                       continue;
+               }
+               cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+                                                                 BUILD_FROM_FILE, file, BUILD_END);
+               if (cert)
+               {
+                       x509_t *x509 = (x509_t*)cert;
+
+                       if (!(x509->get_flags(x509) & X509_CA))
+                       {
+                               DBG1(DBG_TNC, "  ca certificate \"%Y\" lacks ca basic constraint"
+                                                         ", discarded", cert->get_subject(cert));
+                               cert->destroy(cert);
+                       }
+                       else
+                       {
+                               DBG1(DBG_TNC, "  loaded ca certificate \"%Y\" from '%s'",
+                                                         cert->get_subject(cert), file);
+                               this->creds->add_cert(this->creds, TRUE, cert);
+                       }
+               }
+               else
+               {
+                       DBG1(DBG_TNC, "  loading ca certificate from '%s' failed", file);
+               }
+       }
+       enumerator->destroy(enumerator);
+}
+
+/**
+ * See header
+ */
+pts_creds_t *pts_creds_create(char *path)
+{
+       private_pts_creds_t *this;
+
+       if (!path)
+       {
+               DBG1(DBG_TNC, "no PTS cacerts directory defined");
+               return NULL;
+       }
+
+       INIT(this,
+               .public = {
+                       .verify = _verify,
+                       .destroy = _destroy,
+               },
+               .creds = mem_cred_create(),
+       );
+
+       load_cacerts(this, path);
+
+       return &this->public;
+}
+
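Review bot: load_cacerts() returns silently when enumerator_create_directory() fails (`if (!enumerator) { return; }`), so a mistyped or unreadable `cadir` leaves the credential set empty with only the preceding "loading PTS ca certificates from" message as a trace; adding `DBG1(DBG_TNC, "  opening directory '%s' failed", path);` before that return would make the misconfiguration visible in the log. The `verify` method is a stub that unconditionally returns FALSE — fail-closed, which is the right default, but the header promises "TRUE if valid and trusted", so a `/* TODO: not implemented yet, rejects every certificate */` in the method body would keep readers from taking it for a working check. As a point of style, `path` is only read by load_cacerts() and pts_creds_create(), so both could take `const char *path` (settings get_str() returns a char* that converts implicitly).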
diff --git a/src/libimcv/tcg/pts/pts_creds.h b/src/libimcv/tcg/pts/pts_creds.h
new file mode 100644 (file)
index 0000000..d5ae176
--- /dev/null
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pts_creds pts_creds
+ * @{ @ingroup pts
+ */
+
+#ifndef PTS_CREDS_H_
+#define PTS_CREDS_H_
+
+typedef struct pts_creds_t pts_creds_t;
+
+#include <library.h>
+
+/**
+ * Class implementing a PTS credentials set
+ *
+ */
+struct pts_creds_t {
+
+/**
+        * Verify an AIK certificate
+        *
+        * @cert                                certificate to be verified
+        * @return                              TRUE if valid and trusted
+        */
+       bool (*verify)(pts_creds_t *this, certificate_t *cert);
+       
+
+       /**
+        * Destroys a pts_creds_t object.
+        */
+       void (*destroy)(pts_creds_t *this);
+
+};
+
+/**
+ * Creates an pts_creds_t object
+ *
+ * @param path                         path to the PTS cacerts directory
+ */
+pts_creds_t* pts_creds_create(char *path);
+
+#endif /** PTS_CREDS_H_ @}*/
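Review bot: The `verify` doc block uses `@cert` where the file's Doxygen convention is `@param cert` (compare `@param path` on pts_creds_create), and the opening `/**` of that block sits at column 0 while the rest of the struct body is indented one tab. pts_creds_create() documents its parameter but not its result; since the implementation returns NULL when no path is given, add `@return pts_creds_t object, NULL if path is NULL` so callers know they must check. I cannot tell from this page whether `<library.h>` brings `certificate_t` into scope for the `verify` prototype; if it does not, the header needs `#include <credentials/certificates/certificate.h>` rather than relying on the including file.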