ADD_PLUGIN([aes], [s libcharon pluto openac scepclient pki scripts])
ADD_PLUGIN([des], [s libcharon pluto openac scepclient pki scripts])
ADD_PLUGIN([blowfish], [s libcharon pluto openac scepclient pki scripts])
-ADD_PLUGIN([sha1], [s libcharon pluto openac scepclient pki scripts medsrv])
-ADD_PLUGIN([sha2], [s libcharon pluto openac scepclient pki scripts medsrv])
+ADD_PLUGIN([sha1], [s libcharon pluto openac scepclient pki scripts medsrv attest])
+ADD_PLUGIN([sha2], [s libcharon pluto openac scepclient pki scripts medsrv attest])
ADD_PLUGIN([md4], [s libcharon openac manager scepclient pki])
-ADD_PLUGIN([md5], [s libcharon pluto openac scepclient pki scripts])
-ADD_PLUGIN([random], [s libcharon pluto openac scepclient pki scripts medsrv])
-ADD_PLUGIN([x509], [s libcharon pluto openac scepclient pki scripts])
+ADD_PLUGIN([md5], [s libcharon pluto openac scepclient pki scripts attest])
+ADD_PLUGIN([random], [s libcharon pluto openac scepclient pki scripts medsrv attest])
+ADD_PLUGIN([x509], [s libcharon pluto openac scepclient pki scripts attest])
ADD_PLUGIN([revocation], [s libcharon])
ADD_PLUGIN([constraints], [s libcharon])
ADD_PLUGIN([pubkey], [s libcharon])
-ADD_PLUGIN([pkcs1], [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([pkcs1], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
ADD_PLUGIN([pgp], [s libcharon pluto])
ADD_PLUGIN([dnskey], [s pluto])
-ADD_PLUGIN([pem], [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([pem], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
ADD_PLUGIN([padlock], [s libcharon])
-ADD_PLUGIN([openssl], [s libcharon pluto openac scepclient pki scripts manager medsrv])
-ADD_PLUGIN([gcrypt], [s libcharon pluto openac scepclient pki scripts manager medsrv])
-ADD_PLUGIN([af-alg], [s libcharon pluto openac scepclient pki scripts medsrv])
+ADD_PLUGIN([openssl], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
+ADD_PLUGIN([gcrypt], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
+ADD_PLUGIN([af-alg], [s libcharon pluto openac scepclient pki scripts medsrv attest])
ADD_PLUGIN([fips-prf], [s libcharon])
-ADD_PLUGIN([gmp], [s libcharon pluto openac scepclient pki scripts manager medsrv])
+ADD_PLUGIN([gmp], [s libcharon pluto openac scepclient pki scripts manager medsrv attest])
ADD_PLUGIN([agent], [s libcharon])
ADD_PLUGIN([xcbc], [s libcharon])
ADD_PLUGIN([hmac], [s libcharon pluto scripts])
/**
* global debug output variables
*/
-static int debug_level = 0;
+static int debug_level = 2;
static bool stderr_quiet = TRUE;
/**
{ "keys", no_argument, NULL, 'k' },
{ "products", no_argument, NULL, 'p' },
{ "hashes", no_argument, NULL, 'H' },
- { "measurements", no_argument, NULL, 'M' },
+ { "measurements", no_argument, NULL, 'm' },
{ "add", no_argument, NULL, 'a' },
{ "delete", no_argument, NULL, 'd' },
{ "del", no_argument, NULL, 'd' },
+ { "aik", required_argument, NULL, 'A' },
{ "component", required_argument, NULL, 'C' },
{ "comp", required_argument, NULL, 'C' },
{ "directory", required_argument, NULL, 'D' },
case 'H':
op = OP_HASHES;
continue;
- case 'M':
+ case 'm':
op = OP_MEASUREMENTS;
continue;
case 'a':
case 'd':
op = OP_DEL;
continue;
+ case 'A':
+ {
+ certificate_t *aik_cert;
+ public_key_t *aik_key;
+ chunk_t aik;
+
+ aik_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+ CERT_X509, BUILD_FROM_FILE, optarg, BUILD_END);
+ if (!aik_cert)
+ {
+ printf("AIK certificate '%s' could not be loaded\n", optarg);
+ exit(EXIT_FAILURE);
+ }
+ aik_key = aik_cert->get_public_key(aik_cert);
+ aik_cert->destroy(aik_cert);
+
+ if (!aik_key)
+ {
+ printf("AIK public key could not be retrieved\n");
+ exit(EXIT_FAILURE);
+ }
+ if (!aik_key->get_fingerprint(aik_key, KEYID_PUBKEY_INFO_SHA1,
+ &aik))
+ {
+ printf("AIK fingerprint could not be computed\n");
+ aik_key->destroy(aik_key);
+ exit(EXIT_FAILURE);
+ }
+ aik = chunk_clone(aik);
+ aik_key->destroy(aik_key);
+
+ if (!attest->set_key(attest, aik, op == OP_ADD))
+ {
+ exit(EXIT_FAILURE);
+ }
+ continue;
+ }
case 'C':
if (!attest->set_component(attest, optarg, op == OP_ADD))
{
}
continue;
case 'K':
- if (!attest->set_key(attest, optarg, op == OP_ADD))
+ {
+ chunk_t aik;
+
+ aik = chunk_from_hex(chunk_create(optarg, strlen(optarg)), NULL);
+ if (!attest->set_key(attest, aik, op == OP_ADD))
{
exit(EXIT_FAILURE);
}
continue;
+ }
case 'O':
attest->set_owner(attest, optarg);
continue;
}
METHOD(attest_db_t, set_key, bool,
- private_attest_db_t *this, char *key, bool create)
+ private_attest_db_t *this, chunk_t key, bool create)
{
enumerator_t *e;
char *owner;
printf("key has already been set\n");
return FALSE;
}
- this->key = chunk_from_hex(chunk_create(key, strlen(key)), NULL);
+ this->key = key;
e = this->db->query(this->db, "SELECT id, owner FROM keys WHERE keyid= ?",
DB_BLOB, this->key, DB_INT, DB_TEXT);
{
if (e->enumerate(e, &this->kid, &owner))
{
+ free(this->owner);
this->owner = strdup(owner);
this->key_set = TRUE;
}
* @param create if TRUE create database entry if it doesn't exist
* @return TRUE if successful
*/
- bool (*set_key)(attest_db_t *this, char *key, bool create);
+ bool (*set_key)(attest_db_t *this, chunk_t key, bool create);
/**
* Set primary key of the AIK to be queried
Show a list of component measurements for a given component or\n\
its primary key as an optional selector.\n\
\n\
- ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>]\n\
+ ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>|--aik <path>]\n\
Show a list of component measurements for a given AIK or\n\
its primary key as an optional selector.\n\
\n\
Add a file, directory, product or component entry\n\
Component <cfn> entries must be of the form <vendor_id>/<name>-<qualifier>\n\
\n\
- ipsec attest --add [--owner <name>] --key <digest>\n\
+ ipsec attest --add [--owner <name>] --key <digest>|--aik <path>\n\
Add an AIK public key digest entry preceded by an optional owner name\n\
\n\
ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\
ipsec attest --del --product <name>|--pid <id>|--component <cfn>|--cid <id>\n\
Delete a product or component entry referenced either by value or primary key\n\
\n\
- ipsec attest --del --key <digest>|--kid <id>\n\
+ ipsec attest --del --key <digest>|--kid <id>|--aik <path>\n\
Delete an AIK entry referenced either by value or primary key\n\
\n");
}