From: Andreas Steffen Date: Sun, 10 Dec 2017 10:51:03 +0000 (+0100) Subject: imc-os: Derive device ID from private key bound to smartcard or TPM X-Git-Tag: 5.6.2dr2~3 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=acfd590ab6c5721710eb94c36b2152a05c19b73a;p=thirdparty%2Fstrongswan.git imc-os: Derive device ID from private key bound to smartcard or TPM
---
diff --git a/conf/plugins/imc-os.opt b/conf/plugins/imc-os.opt
index 4f559f2b9d..6c1da5e898 100644
--- a/conf/plugins/imc-os.opt
+++ b/conf/plugins/imc-os.opt
@@ -6,6 +6,10 @@ libimcv.plugins.imc-os.device_id =
 	Manually set the client device ID in hexadecimal format
 	(e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31)
 
+libimcv.plugins.imc-os.device_handle =
+	Manually set handle to a private key bound to a smartcard or TPM
+	(e.g. 0x81010004)
+
 libimcv.plugins.imc-os.device_pubkey =
 	Manually set the path to the client device public key
 	(e.g. /etc/pts/aikPub.der)
diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c
index cabcd0a9e7..d7b508ab99 100644
--- a/src/libimcv/plugins/imc_os/imc_os.c
+++ b/src/libimcv/plugins/imc_os/imc_os.c
@@ -239,9 +239,10 @@ static void add_default_pwd_enabled(imc_msg_t *msg)
 static void add_device_id(imc_msg_t *msg)
 {
 	pa_tnc_attr_t *attr;
-	chunk_t value = chunk_empty, keyid;
-	char *name, *device_id, *cert_path;
+	chunk_t chunk, value = chunk_empty, keyid;
+	char *name, *device_id, *device_handle, *cert_path;
 	certificate_t *cert = NULL;
+	private_key_t *privkey = NULL;
 	public_key_t *pubkey;
 
 	/* Get the device ID as a character string */
@@ -252,6 +253,32 @@ static void add_device_id(imc_msg_t *msg)
 		value = chunk_clone(chunk_from_str(device_id));
 	}
 
+	if (value.len == 0)
+	{
+		/* Derive the device ID from a private key bound to a smartcard or TPM */
+		device_handle = lib->settings->get_str(lib->settings,
+						"%s.plugins.imc-os.device_handle", NULL, lib->ns);
+		if (device_handle)
+		{
+			chunk = chunk_from_hex(
+						chunk_create(device_handle, strlen(device_handle)), NULL);
+			privkey = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+						BUILD_PKCS11_KEYID, chunk, BUILD_END);
+			free(chunk.ptr);
+
+			if (privkey)
+			{
+				if (privkey->get_fingerprint(privkey, KEYID_PUBKEY_INFO_SHA1,
+											 &keyid))
+				{
+					value = chunk_to_hex(keyid, NULL, FALSE);
+				}
+				privkey->destroy(privkey);
+
+			}
+		}
+	}
+
 	if (value.len == 0)
 	{
 		/* Derive the device ID from a raw public key */
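Review bot: When `device_handle` is configured but `lib->creds->create()` returns no key, or `get_fingerprint()` fails, the new block falls through silently to the next derivation method, so a mistyped or wrong TPM/smartcard handle goes unnoticed and the device ID is quietly taken from a different key than the operator intended; an `else` branch after `if (privkey)` with `DBG1(DBG_IMC, "no private key found for device handle %s", device_handle);` (and a similar message when the fingerprint cannot be computed) would make that visible in the logs. Note also that `free(chunk.ptr)` immediately after the `create()` call relies on the PKCS#11 key builder copying the key ID rather than keeping a reference to it — presumably it does, but worth confirming. The empty line between `privkey->destroy(privkey);` and its closing brace is a stray blank. add_device_id continues past the end of the hunk.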