imc-os: Derive device ID from private key bound to smartcard or TPM
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 10 Dec 2017 10:51:03 +0000 (11:51 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 10 Dec 2017 10:51:50 +0000 (11:51 +0100)
conf/plugins/imc-os.opt
src/libimcv/plugins/imc_os/imc_os.c

index 4f559f2b9d6feb5993395b79b3aebae760db2166..6c1da5e8981b8cb3c3cf64e4066ec2b6706fca2b 100644 (file)
@@ -6,6 +6,10 @@ libimcv.plugins.imc-os.device_id =
        Manually set the client device ID in hexadecimal format
    (e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31)
 
+libimcv.plugins.imc-os.device_handle =
+       Manually set handle to a private key bound to a smartcard or TPM
+    (e.g. 0x81010004)
+
 libimcv.plugins.imc-os.device_pubkey =
        Manually set the path to the client device public key
     (e.g. /etc/pts/aikPub.der)
index cabcd0a9e78437435097e36b70961f57f92d8eef..d7b508ab99ef112adeb1d3c30dc7b320027b8062 100644 (file)
@@ -239,9 +239,10 @@ static void add_default_pwd_enabled(imc_msg_t *msg)
 static void add_device_id(imc_msg_t *msg)
 {
        pa_tnc_attr_t *attr;
-       chunk_t value = chunk_empty, keyid;
-       char *name, *device_id, *cert_path;
+       chunk_t chunk, value = chunk_empty, keyid;
+       char *name, *device_id, *device_handle, *cert_path;
        certificate_t *cert = NULL;
+       private_key_t *privkey = NULL;
        public_key_t *pubkey;
 
        /* Get the device ID as a character string */
@@ -252,6 +253,32 @@ static void add_device_id(imc_msg_t *msg)
                value = chunk_clone(chunk_from_str(device_id));
        }
 
+       if (value.len == 0)
+       {
+               /* Derive the device ID from a private key bound to a smartcard or TPM */
+               device_handle = lib->settings->get_str(lib->settings,
+                                               "%s.plugins.imc-os.device_handle", NULL, lib->ns);
+               if (device_handle)
+               {
+                       chunk = chunk_from_hex(
+                                       chunk_create(device_handle, strlen(device_handle)), NULL);
+                       privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+                                                                                BUILD_PKCS11_KEYID, chunk, BUILD_END);
+                       free(chunk.ptr);
+
+                       if (privkey)
+                       {
+                               if (privkey->get_fingerprint(privkey, KEYID_PUBKEY_INFO_SHA1,
+                                                                                        &keyid))
+                               {
+                                       value = chunk_to_hex(keyid, NULL, FALSE);
+                               }
+                               privkey->destroy(privkey);
+
+                       }
+               }
+       }
+
        if (value.len == 0)
        {
                /* Derive the device ID from a raw public key */
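Review bot: When `device_handle` is configured but `lib->creds->create()` returns NULL (token or TPM not reachable, wrong handle), the new branch falls through to the raw-public-key fallback without any log line, so a misconfigured handle is indistinguishable from none at all; I would add `else { DBG1(DBG_IMC, "could not load private key with handle %s", device_handle); }` after the `if (privkey)` block, and a similar message when `get_fingerprint()` fails. The `.opt` example `0x81010004` is handed straight to `chunk_from_hex()` here; unless that helper strips a `0x` prefix (not visible in this hunk), the `x` would be decoded as a hex digit and yield a five-byte key ID rather than the four-byte handle, so either document a bare `81010004` or skip a leading `0x` before conversion. The blank line before the closing brace of the `if (privkey)` block is a stray. add_device_id() continues beyond this hunk.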