def test_invalid(self):
"""Check and invalid hexadecimal number."""
self.assertFalse(validators.valid_hex("123xyz"))
def test_valid_upper(self):
"""Check a valid upper case hexadecimal number."""
self.assertTrue(validators.valid_hex("123ABC"))
def test_valid_lower(self):
"""Check a valid lower case hexadecimal number."""
self.assertTrue(validators.valid_hex("123abc"))
def test_empty(self):
"""Check that the empty string is not valid."""
self.assertFalse(validators.valid_hex(""))
def test_none(self):
"""Check that None is not valid."""
self.assertFalse(validators.valid_hex(None))
def do_GET(self):
"""This method services the GET request typically from either the Tenant or the Cloud Verifier.
Only tenant and cloudverifier uri's are supported. Both requests require a nonce parameter.
The Cloud verifier requires an additional mask paramter. If the uri or parameters are incorrect, a 400 response is returned.
"""
logger.info("GET invoked from %s with uri: %s", self.client_address,
self.path)
rest_params = web_util.get_restful_params(self.path)
if rest_params is None:
web_util.echo_json_response(
self, 405,
"Not Implemented: Use /version, /keys/ or /quotes/ interfaces")
return
if "version" in rest_params:
version_info = {
"supported_version": keylime_api_version.current_version()
}
web_util.echo_json_response(self, 200, "Success", version_info)
return
if not rest_params["api_version"]:
web_util.echo_json_response(self, 400, "API Version not supported")
return
if "keys" in rest_params and rest_params["keys"] == "verify":
if self.server.K is None:
logger.info(
"GET key challenge returning 400 response. bootstrap key not available"
)
web_util.echo_json_response(
self, 400, "Bootstrap key not yet available.")
return
if "challenge" not in rest_params:
logger.info(
"GET key challenge returning 400 response. No challenge provided"
)
web_util.echo_json_response(self, 400,
"No challenge provided.")
return
challenge = rest_params["challenge"]
response = {}
response["hmac"] = crypto.do_hmac(self.server.K, challenge)
web_util.echo_json_response(self, 200, "Success", response)
logger.info("GET key challenge returning 200 response.")
# If agent pubkey requested
elif "keys" in rest_params and rest_params["keys"] == "pubkey":
response = {}
response["pubkey"] = self.server.rsapublickey_exportable
web_util.echo_json_response(self, 200, "Success", response)
logger.info("GET pubkey returning 200 response.")
return
elif "quotes" in rest_params:
nonce = rest_params.get("nonce", None)
pcrmask = rest_params.get("mask", None)
ima_ml_entry = rest_params.get("ima_ml_entry", "0")
# if the query is not messed up
if nonce is None:
logger.warning(
"GET quote returning 400 response. nonce not provided as an HTTP parameter in request"
)
web_util.echo_json_response(
self, 400,
"nonce not provided as an HTTP parameter in request")
return
# Sanitization assurance (for tpm.run() tasks below)
if not (nonce.isalnum() and
(pcrmask is None or validators.valid_hex(pcrmask))
and ima_ml_entry.isalnum()):
logger.warning(
"GET quote returning 400 response. parameters should be strictly alphanumeric"
)
web_util.echo_json_response(
self, 400, "parameters should be strictly alphanumeric")
return
if len(nonce) > tpm_instance.MAX_NONCE_SIZE:
logger.warning(
"GET quote returning 400 response. Nonce is too long (max size %i): %i",
tpm_instance.MAX_NONCE_SIZE,
len(nonce),
)
web_util.echo_json_response(
self, 400,
f"Nonce is too long (max size {tpm_instance.MAX_NONCE_SIZE}): {len(nonce)}"
)
return
hash_alg = tpm_instance.defaults["hash"]
quote = tpm_instance.create_quote(
nonce, self.server.rsapublickey_exportable, pcrmask, hash_alg)
imaMask = pcrmask
# Allow for a partial quote response (without pubkey)
enc_alg = tpm_instance.defaults["encrypt"]
sign_alg = tpm_instance.defaults["sign"]
if "partial" in rest_params and (rest_params["partial"] is None
or rest_params["partial"] == "1"):
response = {
"quote": quote,
"hash_alg": hash_alg,
"enc_alg": enc_alg,
"sign_alg": sign_alg,
}
else:
response = {
"quote": quote,
"hash_alg": hash_alg,
"enc_alg": enc_alg,
"sign_alg": sign_alg,
"pubkey": self.server.rsapublickey_exportable,
}
response["boottime"] = self.server.boottime
# return a measurement list if available
if TPM_Utilities.check_mask(imaMask, config.IMA_PCR):
ima_ml_entry = int(ima_ml_entry)
if ima_ml_entry > self.server.next_ima_ml_entry:
ima_ml_entry = 0
ml, nth_entry, num_entries = ima.read_measurement_list(
self.server.ima_log_file, ima_ml_entry)
if num_entries > 0:
response["ima_measurement_list"] = ml
response["ima_measurement_list_entry"] = nth_entry
self.server.next_ima_ml_entry = num_entries
# similar to how IMA log retrievals are triggered by IMA_PCR, we trigger boot logs with MEASUREDBOOT_PCRs
# other possibilities would include adding additional data to rest_params to trigger boot log retrievals
# generally speaking, retrieving the 15Kbytes of a boot log does not seem significant compared to the
# potential Mbytes of an IMA measurement list.
if TPM_Utilities.check_mask(imaMask, config.MEASUREDBOOT_PCRS[0]):
if not self.server.tpm_log_file_data:
logger.warning("TPM2 event log not available: %s",
config.MEASUREDBOOT_ML)
else:
response[
"mb_measurement_list"] = self.server.tpm_log_file_data
web_util.echo_json_response(self, 200, "Success", response)
logger.info("GET %s quote returning 200 response.",
rest_params["quotes"])
return
else:
logger.warning("GET returning 400 response. uri not supported: %s",
self.path)
web_util.echo_json_response(self, 400, "uri not supported")
return