tenant, verifier: let the tenant provide the AK and mTLS certificate
This eliminates the need for the verifier to connect to the registrar.

Signed-off-by: Thore Sommer <mail@thson.de>
THS-on authored and mpeters committed May 4, 2022
1 parent 7631bbf commit bd5de71
Showing 2 changed files with 6 additions and 17 deletions.
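--- a/keylime/cloud_verifier_tornado.py
+++ b/keylime/cloud_verifier_tornado.py
@@ -19,7 +19,6 @@
 
 from keylime import config
 from keylime import json
-from keylime import registrar_client
 from keylime.agentstates import AgentAttestStates
 from keylime.common import states, validators, retry
 from keylime.db.verifier_db import VerfierMain
@@ -444,6 +443,8 @@ def post(self):
 agent_data['accept_tpm_encryption_algs'] = json_body['accept_tpm_encryption_algs']
 agent_data['accept_tpm_signing_algs'] = json_body['accept_tpm_signing_algs']
 agent_data['supported_version'] = json_body['supported_version']
+agent_data['ak_tpm'] = json_body['ak_tpm']
+agent_data['mtls_cert'] = json_body.get('mtls_cert', None)
 agent_data['hash_alg'] = ""
 agent_data['enc_alg'] = ""
 agent_data['sign_alg'] = ""
@@ -457,22 +458,8 @@ def post(self):
 agent_data['verifier_ip'] = config.get('cloud_verifier', 'cloudverifier_ip')
 agent_data['verifier_port'] = config.get('cloud_verifier', 'cloudverifier_port')
 
-# We fetch the registrar data directly here because we require it for connecting to the agent
-# using mTLS
-registrar_client.init_client_tls('cloud_verifier')
-registrar_data = registrar_client.getData(config.get("cloud_verifier", "registrar_ip"),
-config.get("cloud_verifier", "registrar_port"), agent_id)
-if registrar_data is None:
-web_util.echo_json_response(self, 400,
-f"Data for agent {agent_id} could not be found in registrar!")
-logger.warning("Data for agent %s could not be found in registrar!", agent_id)
-return
-
-agent_data['mtls_cert'] = registrar_data.get('mtls_cert', None)
-agent_data['ak_tpm'] = registrar_data['aik_tpm']
-
 # TODO: Always error for v1.0 version after initial upgrade
-if registrar_data.get('mtls_cert', None) is None and agent_data['supported_version'] != "1.0":
+if agent_data['mtls_cert'] is None and agent_data['supported_version'] != "1.0":
 web_util.echo_json_response(self, 400, "mTLS certificate for agent is required!")
 return
 
@@ -510,7 +497,7 @@ def post(self):
 
 # Prepare SSLContext for mTLS connections
 agent_mtls_cert_enabled = config.getboolean('cloud_verifier', 'agent_mtls_cert_enabled', fallback=False)
-mtls_cert = registrar_data.get('mtls_cert', None)
+mtls_cert = agent_data['mtls_cert']
 agent_data['ssl_context'] = None
 if agent_mtls_cert_enabled and mtls_cert:
 agent_data['ssl_context'] = web_util.generate_agent_mtls_context(mtls_cert, self.mtls_options)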
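Review bot: The AK and mTLS certificate are now stored straight from the request body at `agent_data['ak_tpm'] = json_body['ak_tpm']` and the `mtls_cert` line under it without any validation, whereas the removed registrar lookup at least guaranteed the values came from a registrar record for that `agent_id`. A check before they are stored, e.g. `if not isinstance(agent_data['ak_tpm'], str) or not agent_data['ak_tpm']:` followed by `web_util.echo_json_response(self, 400, "AK for agent is required!")` and `return`, plus a parse of `mtls_cert` when present, would reject malformed input with a 400 instead of letting it surface later inside `generate_agent_mtls_context` or quote validation. A missing `ak_tpm` key raises KeyError on that line; whether it is handled depends on the rest of `post`, which starts and ends outside this section. The trust shift also deserves a comment at the assignment, such as `# AK and mTLS cert are supplied by the tenant from its own registrar lookup; the verifier no longer queries the registrar and relies on the tenant for this binding.`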
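--- a/keylime/tenant.py
+++ b/keylime/tenant.py
@@ -631,6 +631,8 @@ def do_cv(self):
 'accept_tpm_hash_algs': self.accept_tpm_hash_algs,
 'accept_tpm_encryption_algs': self.accept_tpm_encryption_algs,
 'accept_tpm_signing_algs': self.accept_tpm_signing_algs,
+'ak_tpm': self.registrar_data['aik_tpm'],
+'mtls_cert': self.registrar_data.get('mtls_cert', None),
 'supported_version': self.supported_version,
 }
 json_message = json.dumps(data)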
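Review bot: The new `'ak_tpm': self.registrar_data['aik_tpm']` entry reads `self.registrar_data` unconditionally, and since the verifier no longer consults the registrar itself, this dictionary is now the only link between the AK sent to the verifier and the registrar's record; if `registrar_data` is still `None` at this point (it is populated outside this hunk) the lookup fails with a TypeError rather than a clear message. A guard before `data` is built that raises an explicit error when `self.registrar_data is None` would make the dependency visible, and a comment on these two lines should record it: `# ak_tpm and mtls_cert are forwarded from the tenant's registrar lookup; the verifier trusts these values and does not query the registrar.` `do_cv` starts and ends outside this hunk.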
