imc-os: Derive device ID from private key bound to smartcard or TPM
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 10 Dec 2017 10:51:03 +0000 (11:51 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 10 Dec 2017 10:51:50 +0000 (11:51 +0100)
conf/plugins/imc-os.opt
src/libimcv/plugins/imc_os/imc_os.c

index 4f559f2..6c1da5e 100644 (file)
@@ -6,6 +6,10 @@ libimcv.plugins.imc-os.device_id =
        Manually set the client device ID in hexadecimal format
    (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31)
 
+libimcv.plugins.imc-os.device_handle =
+       Manually set handle to a private key bound to a smartcard or TPM
+    (e.g. 0x81010004)
+
 libimcv.plugins.imc-os.device_pubkey =
        Manually set the path to the client device public key
     (e.g. /etc/pts/aikPub.der)
index cabcd0a..d7b508a 100644 (file)
@@ -239,9 +239,10 @@ static void add_default_pwd_enabled(imc_msg_t *msg)
 static void add_device_id(imc_msg_t *msg)
 {
        pa_tnc_attr_t *attr;
-       chunk_t value = chunk_empty, keyid;
-       char *name, *device_id, *cert_path;
+       chunk_t chunk, value = chunk_empty, keyid;
+       char *name, *device_id, *device_handle, *cert_path;
        certificate_t *cert = NULL;
+       private_key_t *privkey = NULL;
        public_key_t *pubkey;
 
        /* Get the device ID as a character string */
@@ -254,6 +255,32 @@ static void add_device_id(imc_msg_t *msg)
 
        if (value.len == 0)
        {
+               /* Derive the device ID from a private key bound to a smartcard or TPM */
+               device_handle = lib->settings->get_str(lib->settings,
+                                               "%s.plugins.imc-os.device_handle", NULL, lib->ns);
+               if (device_handle)
+               {
+                       chunk = chunk_from_hex(
+                                       chunk_create(device_handle, strlen(device_handle)), NULL);
+                       privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+                                                                                BUILD_PKCS11_KEYID, chunk, BUILD_END);
+                       free(chunk.ptr);
+
+                       if (privkey)
+                       {
+                               if (privkey->get_fingerprint(privkey, KEYID_PUBKEY_INFO_SHA1,
+                                                                                        &keyid))
+                               {
+                                       value = chunk_to_hex(keyid, NULL, FALSE);
+                               }
+                               privkey->destroy(privkey);
+
+                       }
+               }
+       }
+
+       if (value.len == 0)
+       {
                /* Derive the device ID from a raw public key */
                cert_path = lib->settings->get_str(lib->settings,
                                                        "%s.plugins.imc-os.device_pubkey", NULL, lib->ns);
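Review bot: A configured device_handle that cannot be resolved fails silently: if lib->creds->create() returns NULL (no pkcs11/tpm plugin loaded, wrong handle) or get_fingerprint() fails, value stays empty and the code falls through to the device_pubkey path with no diagnostic, so an operator cannot tell a typo in the handle from an unset option and may end up attesting under a different ID than intended. I would add an else branch after the privkey check, in the file's logging style, e.g. `DBG1(DBG_IMC, "no private key found for device handle %s", device_handle);` and similarly `DBG1(DBG_IMC, "could not compute fingerprint of device key");` when get_fingerprint() fails. The example value `0x81010004` in imc-os.opt also relies on chunk_from_hex() tolerating a `0x` prefix — worth confirming, since otherwise the decoded keyid is garbage and the lookup fails in exactly this silent way. Minor: the blank line before the closing brace of `if (privkey)` looks accidental. add_device_id() continues past the end of this hunk.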