check if TNC client has a valid and registered AIK

diff --git a/src/libpts/plugins/imv_attestation/imv_attestation.c b/src/libpts/plugins/imv_attestation/imv_attestation.c
index 010687011bb1849b23355db3ee0d0236e37735df..6bd5984e0b9a74d0b4f143192a28740e6b5107f3 100644 (file)
--- a/src/libpts/plugins/imv_attestation/imv_attestation.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation.c
@@ -354,6 +354,14 @@ static TNC_Result receive_message(TNC_IMVID imv_id,
 
        /* check the IMV state for the next PA-TNC attributes to send */
        result = send_message(connection_id);
+       if (result != TNC_RESULT_SUCCESS)
+       {
+               state->set_recommendation(state,
+                                                               TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+                                                               TNC_IMV_EVALUATION_RESULT_ERROR);
+               return imv_attestation->provide_recommendation(imv_attestation,
+                                                                                                          connection_id);
+       }
 
        if (attestation_state->get_handshake_state(attestation_state) ==
                IMV_ATTESTATION_STATE_END)

diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
index 4ad58a67a472105181cde8d181ede0b5d59fb20c..4f2cc1e954b58dc6677d49385bdcde5a268ebea7 100644 (file)
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
@@ -207,7 +207,7 @@ bool imv_attestation_build(linked_list_t *attr_list,
                        pts_component_t *comp;
                        pts_comp_func_name_t *comp_name;
                        chunk_t keyid;
-                       int vid, name, qualifier;
+                       int kid, vid, name, qualifier;
                        u_int8_t flags;
                        u_int32_t depth;
                        bool first = TRUE, first_component = TRUE;
@@ -224,15 +224,19 @@ bool imv_attestation_build(linked_list_t *attr_list,
                        }
                        if (!pts->get_aik_keyid(pts, &keyid))
                        {
-                               break;
+                               DBG1(DBG_IMV, "retrieval of AIK keyid failed");
+                               return FALSE;
                        }
                        if (!pts_db)
                        {
-                               DBG1(DBG_PTS, "pts database not available");
+                               DBG1(DBG_IMV, "pts database not available");
                                break;
                        }
-                       
-                       enumerator = pts_db->create_comp_evid_enumerator(pts_db, keyid);
+                       if (pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
+                       {
+                               return FALSE;
+                       }
+                       enumerator = pts_db->create_comp_evid_enumerator(pts_db, kid);
                        if (!enumerator)
                        {
                                break;

diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
index 660d082523dd3807795b40517c13518bdcf3d305..a742b6697a6b24102dd990efb25c19c703dcc434 100644 (file)
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
@@ -178,6 +178,10 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                e->destroy(e);
                                DBG1(DBG_IMV, "AIK certificate is %strusted",
                                                           trusted ? "" : "not ");
+                               if (!trusted)
+                               {
+                                       return FALSE;
+                               }
                        }
                        pts->set_aik(pts, aik);
                        break;

diff --git a/src/libpts/pts/pts_database.c b/src/libpts/pts/pts_database.c
index aedabc83fb7901c8f84f4cb1c3e2aca47d0dc647..282755c0acffe27deccf436d6b267094093b6270 100644 (file)
--- a/src/libpts/pts/pts_database.c
+++ b/src/libpts/pts/pts_database.c
@@ -97,19 +97,42 @@ METHOD(pts_database_t, create_file_hash_enumerator, enumerator_t*,
        return e;
 }
 
+METHOD(pts_database_t, check_aik_keyid, status_t,
+       private_pts_database_t *this, chunk_t keyid, int *kid)
+{
+       enumerator_t *e;
+
+       /* If the AIK is registered get the primary key */
+       e = this->db->query(this->db,
+                               "SELECT id FROM keys WHERE keyid = ?", DB_BLOB, keyid, DB_INT);
+       if (!e)
+       {
+               DBG1(DBG_PTS, "no database query enumerator returned");
+               return FAILED;
+       }
+       if (!e->enumerate(e, kid))
+       {
+               DBG1(DBG_PTS, "AIK %#B is not registered in database", &keyid);
+               e->destroy(e);
+               return FAILED;
+       }
+       e->destroy(e);
+
+       return SUCCESS;
+}
+
 METHOD(pts_database_t, create_comp_evid_enumerator, enumerator_t*,
-       private_pts_database_t *this, chunk_t keyid)
+       private_pts_database_t *this, int kid)
 {
        enumerator_t *e;
 
-       /* look for all entries belonging to a product in the components table */
+       /* look for all entries belonging to an AIK in the components table */
        e = this->db->query(this->db,
                                "SELECT c.vendor_id, c.name, c.qualifier, kc.depth "
                                "FROM components AS c "
                                "JOIN key_component AS kc ON c.id = kc.component "
-                               "JOIN keys AS k ON k.id = kc.key "
-                               "WHERE k.keyid = ? ORDER BY kc.seq_no",
-                               DB_BLOB, keyid, DB_INT, DB_INT, DB_INT, DB_INT);
+                               "WHERE kc.key = ? ORDER BY kc.seq_no",
+                               DB_INT, kid, DB_INT, DB_INT, DB_INT, DB_INT);
        return e;
 }
 
@@ -200,21 +223,10 @@ METHOD(pts_database_t, get_comp_measurement_count, status_t,
        /* Initialize count */
        *count = 0;
 
-       /* If the AIK is registered get the primary key */
-       e = this->db->query(this->db,
-                               "SELECT id FROM keys WHERE keyid = ?", DB_BLOB, keyid, DB_INT);
-       if (!e)
+       if (_check_aik_keyid(this, keyid, kid) != SUCCESS)
        {
-               DBG1(DBG_PTS, "no database query enumerator returned");
-               return FAILED;
-       }
-       if (!e->enumerate(e, kid))
-       {
-               DBG1(DBG_PTS, "AIK %#B is not registered in database", &keyid);
-               e->destroy(e);
                return FAILED;
        }
-       e->destroy(e);
 
        /* Get the primary key of the Component Functional Name */
        e = this->db->query(this->db,
@@ -277,6 +289,7 @@ pts_database_t *pts_database_create(char *uri)
                        .create_file_meta_enumerator = _create_file_meta_enumerator,
                        .create_comp_evid_enumerator = _create_comp_evid_enumerator,
                        .create_file_hash_enumerator = _create_file_hash_enumerator,
+                       .check_aik_keyid = _check_aik_keyid,
                        .check_comp_measurement = _check_comp_measurement,
                        .insert_comp_measurement = _insert_comp_measurement,
                        .delete_comp_measurements = _delete_comp_measurements,

diff --git a/src/libpts/pts/pts_database.h b/src/libpts/pts/pts_database.h
index a9f5fa4510a1e5d89e0d5bec9801a4b8b575e077..a9a68ac76b42b55568891358ae9dfaf59eae4c60 100644 (file)
--- a/src/libpts/pts/pts_database.h
+++ b/src/libpts/pts/pts_database.h
@@ -64,14 +64,22 @@ struct pts_database_t {
                                                                char *product, pts_meas_algorithms_t algo,
                                                                int id, bool is_dir);
 
+       /**
+       * Check if an AIK given by its keyid is registered in the database
+       *
+       * @param keyid                  AIK keyid (SHA-1 hash of the AIK public key info)
+       * @param kid                    Primary key of AIK entry in keys table
+       * @return                               SUCCESS if AIK is present, FAILED otherwise
+       */
+       status_t (*check_aik_keyid)(pts_database_t *this, chunk_t keyid, int *kid);
+
        /**
        * Get functional components to request evidence of
        *
-       * @param keyid                  SHA-1 hash of AIK public key info
+       * @param kid                    Primary key of AIK entry in keys table
        * @return                               Enumerator over all matching components
        */
-       enumerator_t* (*create_comp_evid_enumerator)(pts_database_t *this,
-                                                                                                chunk_t keyid);
+       enumerator_t* (*create_comp_evid_enumerator)(pts_database_t *this, int kid);
 
        /**
        * Check a functional component measurement against value stored in database