extended and documented ipsec attest
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 30 Jul 2012 18:44:15 +0000 (20:44 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 30 Jul 2012 18:49:42 +0000 (20:49 +0200)
src/libpts/plugins/imv_attestation/attest.c
src/libpts/plugins/imv_attestation/attest_db.c
src/libpts/plugins/imv_attestation/attest_db.h
src/libpts/plugins/imv_attestation/attest_usage.c

index 17c39e7..a202d12 100644 (file)
@@ -137,6 +137,8 @@ static void do_args(int argc, char *argv[])
                        { "product", required_argument, NULL, 'P' },
                        { "relative", no_argument, NULL, 'R' },
                        { "rel", no_argument, NULL, 'R' },
+                       { "sequence", required_argument, NULL, 'S' },
+                       { "seq", required_argument, NULL, 'S' },
                        { "sha1", no_argument, NULL, '1' },
                        { "sha256", no_argument, NULL, '2' },
                        { "sha384", no_argument, NULL, '3' },
@@ -261,6 +263,9 @@ static void do_args(int argc, char *argv[])
                        case 'R':
                                attest->set_relative(attest);
                                continue;
+                       case 'S':
+                               attest->set_sequence(attest, atoi(optarg));
+                               continue;
                        case '1':
                                attest->set_algo(attest, PTS_MEAS_ALGO_SHA1);
                                continue;
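Review bot: The new `case 'S'` parses `--sequence` with `atoi(optarg)`, which cannot report a malformed argument (it returns 0, indistinguishable from a real sequence number 0) and has undefined behaviour on out-of-range input; since the value is later bound as `DB_UINT` in the `add` hunk of attest_db.c, a negative or garbled number silently becomes a large position. Parse it as `long v = strtol(optarg, &end, 10);`, reject `end == optarg || *end != '\0' || v < 0 || v > INT_MAX`, and only then call `attest->set_sequence(attest, (int)v);`. do_args starts and ends outside this hunk, so the rejection path should presumably report the bad argument the way the other option cases do.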
index 1ce3cf8..0235aaf 100644 (file)
@@ -117,6 +117,11 @@ struct private_attest_db_t {
        bool relative;
 
        /**
+        * Sequence number for ordering entries
+        */
+       int seq_no;
+
+       /**
         * File measurement hash algorithm
         */
        pts_meas_algorithms_t algo;
@@ -186,7 +191,7 @@ METHOD(attest_db_t, set_component, bool,
        e = this->db->query(this->db,
                                           "SELECT id FROM components "
                                           "WHERE vendor_id = ? AND name = ? AND qualifier = ?",
-                                               DB_INT, vid, DB_INT, name, DB_INT, qualifier, DB_INT);
+                                               DB_UINT, vid, DB_INT, name, DB_INT, qualifier, DB_INT);
        if (e)
        {
                if (e->enumerate(e, &this->cid))
@@ -242,7 +247,7 @@ METHOD(attest_db_t, set_cid, bool,
 
        e = this->db->query(this->db, "SELECT vendor_id, name, qualifier "
                                                                  "FROM components WHERE id = ?",
-                                               DB_INT, cid, DB_INT, DB_INT, DB_INT);
+                                               DB_UINT, cid, DB_INT, DB_INT, DB_INT);
        if (e)
        {
                if (e->enumerate(e, &vid, &name, &qualifier))
@@ -327,7 +332,7 @@ METHOD(attest_db_t, set_did, bool,
        this->did = did;
 
        e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?",
-                                               DB_INT, did, DB_TEXT);
+                                               DB_UINT, did, DB_TEXT);
        if (e)
        {
                if (e->enumerate(e, &dir))
@@ -405,7 +410,7 @@ METHOD(attest_db_t, set_fid, bool,
        this->fid = fid;
 
        e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?",
-                                               DB_INT, fid, DB_TEXT);
+                                               DB_UINT, fid, DB_TEXT);
        if (e)
        {
                if (e->enumerate(e, &file))
@@ -489,7 +494,7 @@ METHOD(attest_db_t, set_kid, bool,
        this->kid = kid;
 
        e = this->db->query(this->db, "SELECT keyid, owner FROM keys WHERE id = ?",
-                                               DB_INT, kid, DB_BLOB, DB_TEXT);
+                                               DB_UINT, kid, DB_BLOB, DB_TEXT);
        if (e)
        {
                if (e->enumerate(e, &key, &owner))
@@ -566,7 +571,7 @@ METHOD(attest_db_t, set_pid, bool,
        this->pid = pid;
 
        e = this->db->query(this->db, "SELECT name FROM products WHERE id = ?",
-                                               DB_INT, pid, DB_TEXT);
+                                               DB_UINT, pid, DB_TEXT);
        if (e)
        {
                if (e->enumerate(e, &product))
@@ -595,6 +600,12 @@ METHOD(attest_db_t, set_relative, void,
        this->relative = TRUE;
 }
 
+METHOD(attest_db_t, set_sequence, void,
+       private_attest_db_t *this, int seq_no)
+{
+       this->seq_no = seq_no;
+}
+
 METHOD(attest_db_t, set_owner, void,
        private_attest_db_t *this, char *owner)
 {
@@ -607,16 +618,29 @@ METHOD(attest_db_t, list_components, void,
 {
        enumerator_t *e;
        pts_comp_func_name_t *cfn;
-       int cid, vid, name, qualifier, count = 0;
+       int seq_no, cid, vid, name, qualifier, count = 0;
 
        if (this->kid)
        {
                e = this->db->query(this->db,
-                               "SELECT c.id, c.vendor_id, c.name, c.qualifier "
+                               "SELECT kc.seq_no, c.id, c.vendor_id, c.name, c.qualifier "
                                "FROM components AS c "
                                "JOIN key_component AS kc ON c.id = kc.component "
-                               "WHERE kc.key = ? ORDER BY c.vendor_id, c.name, c.qualifier",
-                               DB_INT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT);
+                               "WHERE kc.key = ? ORDER BY kc.seq_no",
+                               DB_UINT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT);
+               if (e)
+               {
+                       while (e->enumerate(e,  &cid, &seq_no, &vid, &name, &qualifier))
+                       {
+                               cfn   = pts_comp_func_name_create(vid, name, qualifier);
+                               printf("%4d: #%-2d %s\n", seq_no, cid, print_cfn(cfn));
+                               cfn->destroy(cfn);
+                               count++;
+                       }
+                       e->destroy(e);
+                       printf("%d component%s found for key %#B\n", count,
+                                 (count == 1) ? "" : "s", &this->key);
+               }
        }
        else
        {
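Review bot: The column order of the new query and the argument order of the enumerate call do not match: the SELECT on the `"SELECT kc.seq_no, c.id, c.vendor_id, ..."` line returns the sequence number first, but `e->enumerate(e,  &cid, &seq_no, &vid, &name, &qualifier)` stores that first column into `cid`, so the `"%4d: #%-2d %s\n"` line prints the component id where the sequence number is expected and vice versa. Change the call to `while (e->enumerate(e, &seq_no, &cid, &vid, &name, &qualifier))`. The summary line now formats `&this->key` with `%#B` whenever `this->kid` is set, whereas the removed code only did so under `this->key_set`; if `--kid` can be given without `--key`, this relies on `set_kid` (outside this hunk) having filled `this->key`, which is worth confirming. list_components continues in the next hunk, where the `else` branch lives.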
@@ -624,24 +648,18 @@ METHOD(attest_db_t, list_components, void,
                                "SELECT id, vendor_id, name, qualifier FROM components "
                                "ORDER BY vendor_id, name, qualifier",
                                DB_INT, DB_INT, DB_INT, DB_INT);
-       }
-       if (e)
-       {
-               while (e->enumerate(e, &cid, &vid, &name, &qualifier))
-               {
-                       cfn   = pts_comp_func_name_create(vid, name, qualifier);
-                       printf("%4d: %s\n", cid, print_cfn(cfn));
-                       cfn->destroy(cfn);
-                       count++;
-               }
-               e->destroy(e);
-
-               printf("%d component%s found", count, (count == 1) ? "" : "s");
-               if (this->key_set)
+               if (e)
                {
-                       printf(" for key %#B", &this->key);
+                       while (e->enumerate(e,  &cid, &vid, &name, &qualifier))
+                       {
+                               cfn   = pts_comp_func_name_create(vid, name, qualifier);
+                               printf("%4d: %s\n", cid, print_cfn(cfn));
+                               cfn->destroy(cfn);
+                               count++;
+                       }
+                       e->destroy(e);
+                       printf("%d component%s found\n", count, (count == 1) ? "" : "s");
                }
-               printf("\n");
        }
 }
 
@@ -659,7 +677,7 @@ METHOD(attest_db_t, list_keys, void,
                                "SELECT k.id, k.keyid, k.owner FROM keys AS k "
                                "JOIN key_component AS kc ON k.id = kc.key "
                                "WHERE kc.component = ? ORDER BY k.keyid",
-                               DB_INT, this->cid, DB_INT, DB_BLOB, DB_TEXT);
+                               DB_UINT, this->cid, DB_INT, DB_BLOB, DB_TEXT);
                if (e)
                {
                        while (e->enumerate(e, &kid, &keyid, &owner))
@@ -708,7 +726,7 @@ METHOD(attest_db_t, list_files, void,
                                "FROM files AS f "
                                "JOIN product_file AS pf ON f.id = pf.file "
                                "WHERE pf.product = ? ORDER BY f.path",
-                               DB_INT, this->pid, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT);
+                               DB_UINT, this->pid, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT);
                if (e)
                {
                        while (e->enumerate(e, &fid, &type, &file, &meas, &meta))
@@ -761,7 +779,7 @@ METHOD(attest_db_t, list_products, void,
                                "FROM products AS p "
                                "JOIN product_file AS pf ON p.id = pf.product "
                                "WHERE pf.file = ? ORDER BY p.name",
-                               DB_INT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT);
+                               DB_UINT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT);
                if (e)
                {
                        while (e->enumerate(e, &pid, &product, &meas, &meta))
@@ -812,7 +830,7 @@ static void get_directory(private_attest_db_t *this, int did, char **directory)
        {
                e = this->db->query(this->db,
                                "SELECT path from files WHERE id = ?",
-                               DB_INT, did, DB_TEXT);
+                               DB_UINT, did, DB_TEXT);
                if (e)
                {
                        if (e->enumerate(e, &dir))
@@ -875,7 +893,7 @@ METHOD(attest_db_t, list_hashes, void,
                                "JOIN files AS f ON f.id = fh.file "
                                "WHERE fh.algo = ? AND fh.product = ? "
                                "ORDER BY fh.directory, f.path",
-                               DB_INT, this->algo, DB_INT, this->pid,
+                               DB_INT, this->algo, DB_UINT, this->pid,
                                DB_INT, DB_TEXT, DB_BLOB, DB_INT);
                if (e)
                {
@@ -910,7 +928,7 @@ METHOD(attest_db_t, list_hashes, void,
                                "JOIN products AS p ON p.id = fh.product "
                                "WHERE fh.algo = ? AND fh.file = ? AND fh.directory = ?"
                                "ORDER BY p.name",
-                               DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->did,
+                               DB_INT, this->algo, DB_UINT, this->fid, DB_UINT, this->did,
                                DB_TEXT, DB_BLOB, DB_INT);
                if (e)
                {
@@ -983,7 +1001,7 @@ METHOD(attest_db_t, list_measurements, void,
                                "JOIN keys AS k ON k.id = ch.key "
                                "WHERE ch.algo = ? AND ch.key = ? AND ch.component = ? "
                                "ORDER BY seq_no",
-                               DB_INT, this->algo, DB_INT, this->kid, DB_INT, this->cid,
+                               DB_INT, this->algo, DB_UINT, this->kid, DB_UINT, this->cid,
                                DB_INT, DB_INT, DB_BLOB, DB_TEXT);
                if (e)
                {
@@ -994,7 +1012,7 @@ METHOD(attest_db_t, list_measurements, void,
                                        printf("%4d: %#B '%s'\n", this->kid, &this->key, owner);
                                        kid_old = this->kid;
                                }
-                               printf("%5d %02d %#B\n", seq_no, pcr, &hash);
+                               printf("%7d %02d %#B\n", seq_no, pcr, &hash);
                                count++;
                        }
                        e->destroy(e);
@@ -1012,7 +1030,7 @@ METHOD(attest_db_t, list_measurements, void,
                                "JOIN keys AS k ON k.id = ch.key "
                                "WHERE ch.algo = ? AND ch.component = ? "
                                "ORDER BY keyid, seq_no",
-                               DB_INT, this->algo, DB_INT, this->cid,
+                               DB_INT, this->algo, DB_UINT, this->cid,
                                DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB, DB_TEXT);
                if (e)
                {
@@ -1023,7 +1041,7 @@ METHOD(attest_db_t, list_measurements, void,
                                        printf("%4d: %#B '%s'\n", kid, &keyid, owner);
                                        kid_old = kid;
                                }
-                               printf("%5d %02d %#B\n", seq_no, pcr, &hash);
+                               printf("%7d %02d %#B\n", seq_no, pcr, &hash);
                                count++;
                        }
                        e->destroy(e);
@@ -1043,7 +1061,7 @@ METHOD(attest_db_t, list_measurements, void,
                                "JOIN components AS c ON c.id = ch.component "
                                "WHERE ch.algo = ? AND ch.key = ? "
                                "ORDER BY vendor_id, name, qualifier, seq_no",
-                               DB_INT, this->algo, DB_INT, this->kid, DB_INT, DB_INT, DB_BLOB,
+                               DB_INT, this->algo, DB_UINT, this->kid, DB_INT, DB_INT, DB_BLOB,
                                DB_INT, DB_INT, DB_INT, DB_INT);
                if (e)
                {
@@ -1082,7 +1100,7 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
        e = this->db->query(this->db,
                "SELECT hash FROM file_hashes WHERE algo = ? "
                "AND file = ? AND directory = ? AND product = ? and key = 0",
-               DB_INT, algo, DB_INT, fid, DB_INT, did, DB_INT, this->pid, DB_BLOB);
+               DB_INT, algo, DB_UINT, fid, DB_UINT, did, DB_UINT, this->pid, DB_BLOB);
        if (!e)
        {
                printf("file_hashes query failed\n");
@@ -1099,7 +1117,7 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo,
                        "INSERT INTO file_hashes "
                        "(file, directory, product, key, algo, hash) "
                        "VALUES (?, ?, ?, 0, ?, ?)",
-                       DB_INT, fid, DB_INT, did, DB_INT, this->pid,
+                       DB_UINT, fid, DB_UINT, did, DB_UINT, this->pid,
                        DB_INT, algo, DB_BLOB, measurement) == 1)
                {
                        label = "created";
@@ -1121,11 +1139,16 @@ METHOD(attest_db_t, add, bool,
        if (this->kid && this->cid)
        {
                success = this->db->execute(this->db, NULL,
-                                       "INSERT INTO key_component (key, component) VALUES (?, ?)",
-                                       DB_UINT, this->kid, DB_UINT, this->cid) == 1;
+                                       "INSERT INTO key_component (key, component, seq_no) "
+                                       "VALUES (?, ?, ?)",
+                                       DB_UINT, this->kid, DB_UINT, this->cid,
+                                       DB_UINT, this->seq_no) == 1;
 
-               printf("key/component pair (%d/%d) %sinserted into database\n",
-                               this->kid, this->cid, success ? "" : "could not be ");
+               printf("key/component pair (%d/%d) %sinserted into database at "
+                          "position %d\n", this->kid, this->cid,
+                           success ? "" : "could not be ", this->seq_no);
+
+               return success;
        }
 
        /* add directory or file measurement for a given product */
@@ -1250,6 +1273,19 @@ METHOD(attest_db_t, delete, bool,
 {
        bool success;
 
+       /* delete key/component pair */
+       if (this->kid && this->cid)
+       {
+               success = this->db->execute(this->db, NULL,
+                                                               "DELETE FROM key_component "
+                                                               "WHERE key = ? AND component = ?",
+                                                               DB_UINT, this->kid, DB_UINT, this->cid) > 0;
+
+               printf("key/component pair (%d/%d) %sdeleted from database\n",
+                               this->kid, this->cid, success ? "" : "could not be ");
+               return success;
+       }
+
        /* delete a file measurement hash for a given product */
        if (this->algo && this->pid && this->fid)
        {
@@ -1379,6 +1415,7 @@ attest_db_t *attest_db_create(char *uri)
                        .set_pid = _set_pid,
                        .set_algo = _set_algo,
                        .set_relative = _set_relative,
+                       .set_sequence = _set_sequence,
                        .set_owner = _set_owner,
                        .list_products = _list_products,
                        .list_files = _list_files,
index 4e7991a..e32a368 100644 (file)
@@ -136,6 +136,11 @@ struct attest_db_t {
        void (*set_relative)(attest_db_t *this);
 
        /**
+        * Set the sequence number
+        */
+       void (*set_sequence)(attest_db_t *this, int seq_no);
+
+       /**
         * Set owner [user/host] of an AIK
         *
         * @param owner                 user/host name
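Review bot: The new `set_sequence` declaration carries no `@param` line, unlike the `set_owner` entry right below it which documents `owner`. Add `@param seq_no   sequence number used to order key/component entries` under the `Set the sequence number` comment, matching the `Sequence number for ordering entries` field comment added to attest_db.c. It would also help callers to state there that the number is stored unsigned, since the implementation binds it as `DB_UINT`.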
index e58f821..3e6e888 100644 (file)
@@ -40,7 +40,7 @@ Usage:\n\
     Show a list of measurement hashes for a given software product or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --hashes [--sha1|--sha256|--sha384] [--file <path>|--fid <id>]\n\
+  ipsec attest --hashes [--sha1|--sha1-ima|--sha256|--sha384] [--file <path>|--fid <id>]\n\
     Show a list of measurement hashes for a given file or\n\
     its primary key as an optional selector.\n\
   \n\
@@ -52,11 +52,11 @@ Usage:\n\
     Show a list of AIK key digests with a component or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --measurements [--sha1|--sha256|--sha384] [--component <cfn>|--cid <id>]\n\
+  ipsec attest --measurements --sha1|--sha256|--sha384 [--component <cfn>|--cid <id>]\n\
     Show a list of component measurements for a given component or\n\
     its primary key as an optional selector.\n\
   \n\
-  ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>|--aik <path>]\n\
+  ipsec attest --measurements --sha1|--sha256|--sha384 [--key <digest>|--kid <id>|--aik <path>]\n\
     Show a list of component measurements for a given AIK or\n\
     its primary key as an optional selector.\n\
   \n\
@@ -67,6 +67,13 @@ Usage:\n\
   ipsec attest --add [--owner <name>] --key <digest>|--aik <path>\n\
     Add an AIK public key digest entry preceded by an optional owner name\n\
   \n\
+  ipsec attest --add --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\
+              [--relative|--rel] --dir <path>|--file <path>\n\
+    Add hashes of a single file or all files in a directory under absolute or relative filenames\n\
+  \n\
+  ipsec attest --add --key <digest|--kid <id> --component <cfn>|--cid <id> --sequence <no>|--seq <no>\n\
+    Add an ordered key/component entry\n\
+  \n\
   ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\
     Delete a file or directory entry referenced either by value or primary key\n\
   \n\
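Review bot: The new `--add --key <digest|--kid <id> --component <cfn>|--cid <id> --sequence <no>|--seq <no>` usage line is missing the closing `>` after `digest`; the same typo is on the `--del --key <digest|--kid <id>` line in the following hunk. Change both to `--key <digest>|--kid <id>`, matching the existing `--add [--owner <name>] --key <digest>|--aik <path>` line in the same string. The fix is textual only, inside the usage string literal.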
@@ -75,6 +82,13 @@ Usage:\n\
   \n\
   ipsec attest --del --key <digest>|--kid <id>|--aik <path>\n\
     Delete an AIK entry referenced either by value or primary key\n\
+  \n\
+  ipsec attest --del --key <digest|--kid <id> --component <cfn>|--cid <id>\n\
+    Delete a key/component entry\n\
+  \n\
+  ipsec attest --del --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\
+               [--dir <path>|--did <id>] --file <path>|--fid <id>\n\
+    Delete a file hash given an absolute or relative filename\n\
   \n");
 }