def test_ca_util(self): providers = ['openssl'] if shutil.which("cfssl") is not None: providers.append('cfssl') for ssl_provider in providers: ca_util.setpassword("42") try: # Create directory to be our working dir. working_dir = tempfile.mkdtemp() # Set the provider. config.CA_IMPL = ssl_provider # cmd_init() ca_util.cmd_init(working_dir) # cmd_mkcert() ca_util.cmd_mkcert(working_dir, "foo bar") # cmd_certpkg() ca_util.cmd_certpkg(working_dir, "foo bar") # cmd_revoke() ca_util.cmd_revoke(working_dir, "foo bar") # cmd_regencrl() ca_util.cmd_regencrl(working_dir) except Exception as e: self.fail(e) finally: # Remove temporary directory. shutil.rmtree(working_dir)
def test_ca_util(self): ca_util.setpassword("42") try: # Create directory to be our working dir. working_dir = tempfile.mkdtemp() # cmd_init() ca_util.cmd_init(working_dir) # cmd_mkcert() ca_util.cmd_mkcert(working_dir, "foo bar") # cmd_certpkg() ca_util.cmd_certpkg(working_dir, "foo bar") # cmd_revoke() ca_util.cmd_revoke(working_dir, "foo bar") # cmd_regencrl() ca_util.cmd_regencrl(working_dir) except Exception as e: self.fail(e) finally: # Remove temporary directory. shutil.rmtree(working_dir)
def init_mtls(section='cloud_verifier', generatedir='cv_ca'): if not config.getboolean('general', "enable_tls"): logger.warning( "Warning: TLS is currently disabled, keys will be sent in the clear! This should only be used for testing." ) return None logger.info("Setting up TLS...") my_cert = config.get(section, 'my_cert') ca_cert = config.get(section, 'ca_cert') my_priv_key = config.get(section, 'private_key') my_key_pw = config.get(section, 'private_key_pw') tls_dir = config.get(section, 'tls_dir') if tls_dir == 'generate': if my_cert != 'default' or my_priv_key != 'default' or ca_cert != 'default': raise Exception( "To use tls_dir=generate, options ca_cert, my_cert, and private_key must all be set to 'default'" ) if generatedir[0] != '/': generatedir = os.path.abspath('%s/%s' % (config.WORK_DIR, generatedir)) tls_dir = generatedir ca_path = "%s/cacert.crt" % (tls_dir) if os.path.exists(ca_path): logger.info( "Existing CA certificate found in %s, not generating a new one" % (tls_dir)) else: logger.info( "Generating a new CA in %s and a client certificate for connecting" % tls_dir) logger.info("use keylime_ca -d %s to manage this CA" % tls_dir) if not os.path.exists(tls_dir): os.makedirs(tls_dir, 0o700) if my_key_pw == 'default': logger.warning( "CAUTION: using default password for CA, please set private_key_pw to a strong password" ) ca_util.setpassword(my_key_pw) ca_util.cmd_init(tls_dir) ca_util.cmd_mkcert(tls_dir, socket.gethostname()) ca_util.cmd_mkcert(tls_dir, 'client') if tls_dir == 'CV': if section != 'registrar': raise Exception( "You only use the CV option to tls_dir for the registrar not %s" % section) tls_dir = os.path.abspath('%s/%s' % (config.WORK_DIR, 'cv_ca')) if not os.path.exists("%s/cacert.crt" % (tls_dir)): raise Exception( "It appears that the verifier has not yet created a CA and certificates, please run the verifier first" ) # if it is relative path, convert to absolute in WORK_DIR if tls_dir[0] != '/': tls_dir = os.path.abspath('%s/%s' % (config.WORK_DIR, tls_dir)) if ca_cert == 'default': ca_path = "%s/cacert.crt" % (tls_dir) elif not os.path.isabs(ca_cert): ca_path = "%s/%s" % (tls_dir, ca_cert) else: ca_path = ca_cert if my_cert == 'default': my_cert = "%s/%s-cert.crt" % (tls_dir, socket.gethostname()) elif not os.path.isabs(my_cert): my_cert = "%s/%s" % (tls_dir, my_cert) else: pass if my_priv_key == 'default': my_priv_key = "%s/%s-private.pem" % (tls_dir, socket.gethostname()) elif not os.path.isabs(my_priv_key): my_priv_key = "%s/%s" % (tls_dir, my_priv_key) try: context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) context.load_verify_locations(cafile=ca_path) context.load_cert_chain(certfile=my_cert, keyfile=my_priv_key, password=my_key_pw) if (config.has_option(section, 'check_client_cert') and config.getboolean(section, 'check_client_cert')): context.verify_mode = ssl.CERT_REQUIRED except ssl.SSLError as exc: if exc.reason == 'EE_KEY_TOO_SMALL': logger.error('Higher key strength is required for keylime ' 'running on this system. If keylime is responsible ' 'to generate the certificate, please raise the value ' 'of configuration option [ca]cert_bits, remove ' 'generated certificate and re-run keylime service') raise exc return context
def init_add(self, args): # command line options can overwrite config values if "agent_ip" in args: self.cloudagent_ip = args["agent_ip"] if 'agent_port' in args and args['agent_port'] is not None: self.cloudagent_port = args['agent_port'] if 'cv_agent_ip' in args and args['cv_agent_ip'] is not None: self.cv_cloudagent_ip = args['cv_agent_ip'] else: self.cv_cloudagent_ip = self.cloudagent_ip # Make sure all keys exist in dictionary if "file" not in args: args["file"] = None if "keyfile" not in args: args["keyfile"] = None if "payload" not in args: args["payload"] = None if "ca_dir" not in args: args["ca_dir"] = None if "incl_dir" not in args: args["incl_dir"] = None if "ca_dir_pw" not in args: args["ca_dir_pw"] = None # Set up accepted algorithms self.accept_tpm_hash_algs = config.get( 'tenant', 'accept_tpm_hash_algs').split(',') self.accept_tpm_encryption_algs = config.get( 'tenant', 'accept_tpm_encryption_algs').split(',') self.accept_tpm_signing_algs = config.get( 'tenant', 'accept_tpm_signing_algs').split(',') # Set up PCR values tpm_policy = config.get('tenant', 'tpm_policy') if "tpm_policy" in args and args["tpm_policy"] is not None: tpm_policy = args["tpm_policy"] self.tpm_policy = TPM_Utilities.readPolicy(tpm_policy) logger.info(f"TPM PCR Mask from policy is {self.tpm_policy['mask']}") vtpm_policy = config.get('tenant', 'vtpm_policy') if "vtpm_policy" in args and args["vtpm_policy"] is not None: vtpm_policy = args["vtpm_policy"] self.vtpm_policy = TPM_Utilities.readPolicy(vtpm_policy) logger.info(f"TPM PCR Mask from policy is {self.vtpm_policy['mask']}") # Read command-line path string IMA whitelist wl_data = None if "ima_whitelist" in args and args["ima_whitelist"] is not None: # Auto-enable IMA (or-bit mask) self.tpm_policy['mask'] = "0x%X" % ( int(self.tpm_policy['mask'], 0) + (1 << common.IMA_PCR)) if type(args["ima_whitelist"]) in [str, str]: if args["ima_whitelist"] == "default": args["ima_whitelist"] = config.get('tenant', 'ima_whitelist') wl_data = ima.read_whitelist(args["ima_whitelist"]) elif type(args["ima_whitelist"]) is list: wl_data = args["ima_whitelist"] else: raise UserError("Invalid whitelist provided") # Read command-line path string IMA exclude list excl_data = None if "ima_exclude" in args and args["ima_exclude"] is not None: if type(args["ima_exclude"]) in [str, str]: if args["ima_exclude"] == "default": args["ima_exclude"] = config.get('tenant', 'ima_excludelist') excl_data = ima.read_excllist(args["ima_exclude"]) elif type(args["ima_exclude"]) is list: excl_data = args["ima_exclude"] else: raise UserError("Invalid exclude list provided") # Set up IMA if TPM_Utilities.check_mask(self.tpm_policy['mask'], common.IMA_PCR) or \ TPM_Utilities.check_mask(self.vtpm_policy['mask'], common.IMA_PCR): # Process IMA whitelists self.ima_whitelist = ima.process_whitelists(wl_data, excl_data) # if none if (args["file"] is None and args["keyfile"] is None and args["ca_dir"] is None): raise UserError( "You must specify one of -k, -f, or --cert to specify the key/contents to be securely delivered to the agent" ) if args["keyfile"] is not None: if args["file"] is not None or args["ca_dir"] is not None: raise UserError( "You must specify one of -k, -f, or --cert to specify the key/contents to be securely delivered to the agent" ) # read the keys in if type(args["keyfile"]) is dict and "data" in args["keyfile"]: if type(args["keyfile"]["data"]) is list and len( args["keyfile"]["data"]) == 1: keyfile = args["keyfile"]["data"][0] if keyfile is None: raise UserError("Invalid key file contents") f = io.StringIO(keyfile) else: raise UserError("Invalid key file provided") else: f = open(args["keyfile"], 'r') self.K = base64.b64decode(f.readline()) self.U = base64.b64decode(f.readline()) self.V = base64.b64decode(f.readline()) f.close() # read the payload in (opt.) if type(args["payload"]) is dict and "data" in args["payload"]: if type(args["payload"]["data"]) is list and len( args["payload"]["data"]) > 0: self.payload = args["payload"]["data"][0] else: if args["payload"] is not None: f = open(args["payload"], 'r') self.payload = f.read() f.close() if args["file"] is not None: if args["keyfile"] is not None or args["ca_dir"] is not None: raise UserError( "You must specify one of -k, -f, or --cert to specify the key/contents to be securely delivered to the agent" ) if type(args["file"]) is dict and "data" in args["file"]: if type(args["file"]["data"]) is list and len( args["file"]["data"]) > 0: contents = args["file"]["data"][0] if contents is None: raise UserError("Invalid file payload contents") else: raise UserError("Invalid file payload provided") else: with open(args["file"], 'r') as f: contents = f.read() ret = user_data_encrypt.encrypt(contents) self.K = ret['k'] self.U = ret['u'] self.V = ret['v'] self.payload = ret['ciphertext'] if args["ca_dir"] is None and args["incl_dir"] is not None: raise UserError( "--include option is only valid when used with --cert") if args["ca_dir"] is not None: if args["file"] is not None or args["keyfile"] is not None: raise UserError( "You must specify one of -k, -f, or --cert to specify the key/contents to be securely delivered to the agent" ) if args["ca_dir"] == 'default': args["ca_dir"] = common.CA_WORK_DIR if "ca_dir_pw" in args and args["ca_dir_pw"] is not None: ca_util.setpassword(args["ca_dir_pw"]) if not os.path.exists(args["ca_dir"]) or not os.path.exists( "%s/cacert.crt" % args["ca_dir"]): logger.warning(" CA directory does not exist. Creating...") ca_util.cmd_init(args["ca_dir"]) if not os.path.exists("%s/%s-private.pem" % (args["ca_dir"], self.agent_uuid)): ca_util.cmd_mkcert(args["ca_dir"], self.agent_uuid) cert_pkg, serial, subject = ca_util.cmd_certpkg( args["ca_dir"], self.agent_uuid) # support revocation if not os.path.exists( "%s/RevocationNotifier-private.pem" % args["ca_dir"]): ca_util.cmd_mkcert(args["ca_dir"], "RevocationNotifier") rev_package, _, _ = ca_util.cmd_certpkg(args["ca_dir"], "RevocationNotifier") # extract public and private keys from package sf = io.BytesIO(rev_package) with zipfile.ZipFile(sf) as zf: privkey = zf.read("RevocationNotifier-private.pem") cert = zf.read("RevocationNotifier-cert.crt") # put the cert of the revoker into the cert package sf = io.BytesIO(cert_pkg) with zipfile.ZipFile(sf, 'a', compression=zipfile.ZIP_STORED) as zf: zf.writestr('RevocationNotifier-cert.crt', cert) # add additional files to zip if args["incl_dir"] is not None: if type(args["incl_dir"]) is dict and "data" in args[ "incl_dir"] and "name" in args["incl_dir"]: if type(args["incl_dir"]["data"]) is list and type( args["incl_dir"]["name"]) is list: if len(args["incl_dir"]["data"]) != len( args["incl_dir"]["name"]): raise UserError("Invalid incl_dir provided") for i in range(len(args["incl_dir"]["data"])): zf.writestr( os.path.basename( args["incl_dir"]["name"][i]), args["incl_dir"]["data"][i]) else: if os.path.exists(args["incl_dir"]): files = next(os.walk(args["incl_dir"]))[2] for filename in files: with open( "%s/%s" % (args["incl_dir"], filename), 'rb') as f: zf.writestr(os.path.basename(f.name), f.read()) else: logger.warn( f'Specified include directory {args["incl_dir"]} does not exist. Skipping...' ) cert_pkg = sf.getvalue() # put the private key into the data to be send to the CV self.revocation_key = privkey # encrypt up the cert package ret = user_data_encrypt.encrypt(cert_pkg) self.K = ret['k'] self.U = ret['u'] self.V = ret['v'] self.metadata = {'cert_serial': serial, 'subject': subject} self.payload = ret['ciphertext'] if self.payload is not None and len(self.payload) > config.getint( 'tenant', 'max_payload_size'): raise UserError("Payload size %s exceeds max size %d" % (len( self.payload), config.getint('tenant', 'max_payload_size')))
def init_add(self, args): """ Set up required values. Command line options can overwrite these config values Arguments: args {[string]} -- agent_ip|agent_port|cv_agent_ip """ if "agent_ip" in args: self.agent_ip = args["agent_ip"] if 'agent_port' in args and args['agent_port'] is not None: self.agent_port = args['agent_port'] if 'cv_agent_ip' in args and args['cv_agent_ip'] is not None: self.cv_cloudagent_ip = args['cv_agent_ip'] else: self.cv_cloudagent_ip = self.agent_ip # Make sure all keys exist in dictionary if "file" not in args: args["file"] = None if "keyfile" not in args: args["keyfile"] = None if "payload" not in args: args["payload"] = None if "ca_dir" not in args: args["ca_dir"] = None if "incl_dir" not in args: args["incl_dir"] = None if "ca_dir_pw" not in args: args["ca_dir_pw"] = None # Set up accepted algorithms self.accept_tpm_hash_algs = config.get( 'tenant', 'accept_tpm_hash_algs').split(',') self.accept_tpm_encryption_algs = config.get( 'tenant', 'accept_tpm_encryption_algs').split(',') self.accept_tpm_signing_algs = config.get( 'tenant', 'accept_tpm_signing_algs').split(',') self.process_allowlist(args) # if none if (args["file"] is None and args["keyfile"] is None and args["ca_dir"] is None): raise UserError( "You must specify one of -k, -f, or --cert to specify the key/contents to be securely delivered to the agent") if args["keyfile"] is not None: if args["file"] is not None or args["ca_dir"] is not None: raise UserError( "You must specify one of -k, -f, or --cert to specify the key/contents to be securely delivered to the agent") # read the keys in if isinstance(args["keyfile"], dict) and "data" in args["keyfile"]: if isinstance(args["keyfile"]["data"], list) and len(args["keyfile"]["data"]) == 1: keyfile = args["keyfile"]["data"][0] if keyfile is None: raise UserError("Invalid key file contents") f = io.StringIO(keyfile) else: raise UserError("Invalid key file provided") else: f = open(args["keyfile"], 'r') self.K = base64.b64decode(f.readline()) self.U = base64.b64decode(f.readline()) self.V = base64.b64decode(f.readline()) f.close() # read the payload in (opt.) if isinstance(args["payload"], dict) and "data" in args["payload"]: if isinstance(args["payload"]["data"], list) and len(args["payload"]["data"]) > 0: self.payload = args["payload"]["data"][0] else: if args["payload"] is not None: f = open(args["payload"], 'r') self.payload = f.read() f.close() if args["file"] is not None: if args["keyfile"] is not None or args["ca_dir"] is not None: raise UserError( "You must specify one of -k, -f, or --cert to specify the key/contents to be securely delivered to the agent") if isinstance(args["file"], dict) and "data" in args["file"]: if isinstance(args["file"]["data"], list) and len(args["file"]["data"]) > 0: contents = args["file"]["data"][0] if contents is None: raise UserError("Invalid file payload contents") else: raise UserError("Invalid file payload provided") else: with open(args["file"], 'r') as f: contents = f.read() ret = user_data_encrypt.encrypt(contents) self.K = ret['k'] self.U = ret['u'] self.V = ret['v'] self.payload = ret['ciphertext'] if args["ca_dir"] is None and args["incl_dir"] is not None: raise UserError( "--include option is only valid when used with --cert") if args["ca_dir"] is not None: if args["file"] is not None or args["keyfile"] is not None: raise UserError( "You must specify one of -k, -f, or --cert to specify the key/contents to be securely delivered to the agent") if args["ca_dir"] == 'default': args["ca_dir"] = config.CA_WORK_DIR if "ca_dir_pw" in args and args["ca_dir_pw"] is not None: ca_util.setpassword(args["ca_dir_pw"]) if not os.path.exists(args["ca_dir"]) or not os.path.exists("%s/cacert.crt" % args["ca_dir"]): logger.warning("CA directory does not exist. Creating...") ca_util.cmd_init(args["ca_dir"]) if not os.path.exists("%s/%s-private.pem" % (args["ca_dir"], self.agent_uuid)): ca_util.cmd_mkcert(args["ca_dir"], self.agent_uuid) cert_pkg, serial, subject = ca_util.cmd_certpkg( args["ca_dir"], self.agent_uuid) # support revocation if not os.path.exists("%s/RevocationNotifier-private.pem" % args["ca_dir"]): ca_util.cmd_mkcert(args["ca_dir"], "RevocationNotifier") rev_package, _, _ = ca_util.cmd_certpkg( args["ca_dir"], "RevocationNotifier") # extract public and private keys from package sf = io.BytesIO(rev_package) with zipfile.ZipFile(sf) as zf: privkey = zf.read("RevocationNotifier-private.pem") cert = zf.read("RevocationNotifier-cert.crt") # put the cert of the revoker into the cert package sf = io.BytesIO(cert_pkg) with zipfile.ZipFile(sf, 'a', compression=zipfile.ZIP_STORED) as zf: zf.writestr('RevocationNotifier-cert.crt', cert) # add additional files to zip if args["incl_dir"] is not None: if isinstance(args["incl_dir"], dict) and "data" in args["incl_dir"] and "name" in args["incl_dir"]: if isinstance(args["incl_dir"]["data"], list) and isinstance(args["incl_dir"]["name"], list): if len(args["incl_dir"]["data"]) != len(args["incl_dir"]["name"]): raise UserError("Invalid incl_dir provided") for i in range(len(args["incl_dir"]["data"])): zf.writestr(os.path.basename( args["incl_dir"]["name"][i]), args["incl_dir"]["data"][i]) else: if os.path.exists(args["incl_dir"]): files = next(os.walk(args["incl_dir"]))[2] for filename in files: with open("%s/%s" % (args["incl_dir"], filename), 'rb') as f: zf.writestr( os.path.basename(f.name), f.read()) else: logger.warning('Specified include directory %s does not exist. Skipping...', args["incl_dir"]) cert_pkg = sf.getvalue() # put the private key into the data to be send to the CV self.revocation_key = privkey # encrypt up the cert package ret = user_data_encrypt.encrypt(cert_pkg) self.K = ret['k'] self.U = ret['u'] self.V = ret['v'] self.metadata = {'cert_serial': serial, 'subject': subject} self.payload = ret['ciphertext'] if self.payload is not None and len(self.payload) > config.getint('tenant', 'max_payload_size'): raise UserError("Payload size %s exceeds max size %d" % ( len(self.payload), config.getint('tenant', 'max_payload_size')))
def init_mtls(section="cloud_verifier", generatedir="cv_ca", logger=None): """ Generates mTLS SSLContext for either the cloud verifier or the registrar. """ if not config.getboolean("general", "enable_tls"): logger.warning( "Warning: TLS is currently disabled, keys will be sent in the clear! This should only be used for testing." ) return None if logger: logger.info("Setting up TLS...") my_cert = config.get(section, "my_cert") ca_cert = config.get(section, "ca_cert") my_priv_key = config.get(section, "private_key") my_key_pw = config.get(section, "private_key_pw") tls_dir = config.get(section, "tls_dir") if tls_dir == "generate": if my_cert != "default" or my_priv_key != "default" or ca_cert != "default": raise Exception( "To use tls_dir=generate, options ca_cert, my_cert, and private_key must all be set to 'default'" ) if generatedir[0] != "/": generatedir = os.path.abspath( os.path.join(config.WORK_DIR, generatedir)) tls_dir = generatedir ca_path = os.path.join(tls_dir, "cacert.crt") if os.path.exists(ca_path): if logger: logger.info( "Existing CA certificate found in %s, not generating a new one", tls_dir) else: if logger: logger.info( "Generating a new CA in %s and a client certificate for connecting", tls_dir) logger.info("use keylime_ca -d %s to manage this CA", tls_dir) if not os.path.exists(tls_dir): os.makedirs(tls_dir, 0o700) if my_key_pw == "default": if logger: logger.warning( "CAUTION: using default password for CA, please set private_key_pw to a strong password" ) ca_util.setpassword(my_key_pw) ca_util.cmd_init(tls_dir) ca_util.cmd_mkcert(tls_dir, socket.gethostname()) ca_util.cmd_mkcert(tls_dir, "client") if tls_dir == "CV": if section != "registrar": raise Exception( f"You only use the CV option to tls_dir for the registrar not {section}" ) tls_dir = os.path.abspath(os.path.join(config.WORK_DIR, "cv_ca")) if not os.path.exists(os.path.join(tls_dir, "cacert.crt")): raise Exception( "It appears that the verifier has not yet created a CA and certificates, please run the verifier first" ) # if it is relative path, convert to absolute in WORK_DIR if tls_dir[0] != "/": tls_dir = os.path.abspath(os.path.join(config.WORK_DIR, tls_dir)) if ca_cert == "default": ca_path = os.path.join(tls_dir, "cacert.crt") elif not os.path.isabs(ca_cert): ca_path = os.path.join(tls_dir, ca_cert) else: ca_path = ca_cert if my_cert == "default": my_cert = os.path.join(tls_dir, f"{socket.gethostname()}-cert.crt") elif not os.path.isabs(my_cert): my_cert = os.path.join(tls_dir, my_cert) else: pass if my_priv_key == "default": my_priv_key = os.path.join(tls_dir, f"{socket.gethostname()}-private.pem") elif not os.path.isabs(my_priv_key): my_priv_key = os.path.join(tls_dir, my_priv_key) check_client_cert = config.has_option( section, "check_client_cert") and config.getboolean( section, "check_client_cert") context = generate_mtls_context(my_cert, my_priv_key, ca_path, check_client_cert, my_key_pw, logger=logger) return context, (my_cert, my_priv_key, my_key_pw)
def init_add(self, args): """ Set up required values. Command line options can overwrite these config values Arguments: args {[string]} -- agent_ip|agent_port|cv_agent_ip """ if "agent_ip" in args: self.agent_ip = args["agent_ip"] if 'agent_port' in args and args['agent_port'] is not None: self.agent_port = args['agent_port'] if 'cv_agent_ip' in args and args['cv_agent_ip'] is not None: self.cv_cloudagent_ip = args['cv_agent_ip'] else: self.cv_cloudagent_ip = self.agent_ip # Make sure all keys exist in dictionary if "file" not in args: args["file"] = None if "keyfile" not in args: args["keyfile"] = None if "payload" not in args: args["payload"] = None if "ca_dir" not in args: args["ca_dir"] = None if "incl_dir" not in args: args["incl_dir"] = None if "ca_dir_pw" not in args: args["ca_dir_pw"] = None # Set up accepted algorithms self.accept_tpm_hash_algs = config.get( 'tenant', 'accept_tpm_hash_algs').split(',') self.accept_tpm_encryption_algs = config.get( 'tenant', 'accept_tpm_encryption_algs').split(',') self.accept_tpm_signing_algs = config.get( 'tenant', 'accept_tpm_signing_algs').split(',') # Set up PCR values tpm_policy = config.get('tenant', 'tpm_policy') if "tpm_policy" in args and args["tpm_policy"] is not None: tpm_policy = args["tpm_policy"] self.tpm_policy = TPM_Utilities.readPolicy(tpm_policy) logger.info(f"TPM PCR Mask from policy is {self.tpm_policy['mask']}") vtpm_policy = config.get('tenant', 'vtpm_policy') if "vtpm_policy" in args and args["vtpm_policy"] is not None: vtpm_policy = args["vtpm_policy"] self.vtpm_policy = TPM_Utilities.readPolicy(vtpm_policy) logger.info(f"TPM PCR Mask from policy is {self.vtpm_policy['mask']}") if args.get("ima_sign_verification_keys") is not None: # Auto-enable IMA (or-bit mask) self.tpm_policy['mask'] = "0x%X" % (int(self.tpm_policy['mask'], 0) | (1 << config.IMA_PCR)) # Add all IMA file signing verification keys to a keyring ima_keyring = ima_file_signatures.ImaKeyring() for filename in args["ima_sign_verification_keys"]: pubkey = ima_file_signatures.get_pubkey_from_file(filename) if not pubkey: raise UserError("File '%s' is not a file with a key" % filename) ima_keyring.add_pubkey(pubkey) self.ima_sign_verification_keys = ima_keyring.to_string() # Read command-line path string allowlist al_data = None if "allowlist" in args and args["allowlist"] is not None: self.enforce_pcrs(list(self.tpm_policy.keys()), [config.IMA_PCR], "IMA") # Auto-enable IMA (or-bit mask) self.tpm_policy['mask'] = "0x%X" % (int(self.tpm_policy['mask'], 0) | (1 << config.IMA_PCR)) if isinstance(args["allowlist"], str): if args["allowlist"] == "default": args["allowlist"] = config.get('tenant', 'allowlist') al_data = ima.read_allowlist(args["allowlist"]) elif isinstance(args["allowlist"], list): al_data = args["allowlist"] else: raise UserError("Invalid allowlist provided") # Read command-line path string IMA exclude list excl_data = None if "ima_exclude" in args and args["ima_exclude"] is not None: if isinstance(args["ima_exclude"], str): if args["ima_exclude"] == "default": args["ima_exclude"] = config.get('tenant', 'ima_excludelist') excl_data = ima.read_excllist(args["ima_exclude"]) elif isinstance(args["ima_exclude"], list): excl_data = args["ima_exclude"] else: raise UserError("Invalid exclude list provided") # Set up IMA if TPM_Utilities.check_mask(self.tpm_policy['mask'], config.IMA_PCR) or \ TPM_Utilities.check_mask(self.vtpm_policy['mask'], config.IMA_PCR): # Process allowlists self.allowlist = ima.process_allowlists(al_data, excl_data) # Read command-line path string TPM2 event log template if "mb_refstate" in args and args["mb_refstate"] is not None: self.enforce_pcrs(list(self.tpm_policy.keys()), config.MEASUREDBOOT_PCRS, "measured boot") # Auto-enable TPM2 event log (or-bit mask) for _pcr in config.MEASUREDBOOT_PCRS: self.tpm_policy['mask'] = "0x%X" % (int( self.tpm_policy['mask'], 0) | (1 << _pcr)) logger.info( f"TPM PCR Mask automatically modified is {self.tpm_policy['mask']} to include IMA/Event log PCRs" ) if isinstance(args["mb_refstate"], str): if args["mb_refstate"] == "default": args["mb_refstate"] = config.get('tenant', 'mb_refstate') al_data = 'test' elif isinstance(args["mb_refstate"], list): al_data = args["mb_refstate"] else: raise UserError( "Invalid measured boot reference state (intended state) provided" ) # if none if (args["file"] is None and args["keyfile"] is None and args["ca_dir"] is None): raise UserError( "You must specify one of -k, -f, or --cert to specify the key/contents to be securely delivered to the agent" ) if args["keyfile"] is not None: if args["file"] is not None or args["ca_dir"] is not None: raise UserError( "You must specify one of -k, -f, or --cert to specify the key/contents to be securely delivered to the agent" ) # read the keys in if isinstance(args["keyfile"], dict) and "data" in args["keyfile"]: if isinstance(args["keyfile"]["data"], list) and len( args["keyfile"]["data"]) == 1: keyfile = args["keyfile"]["data"][0] if keyfile is None: raise UserError("Invalid key file contents") f = io.StringIO(keyfile) else: raise UserError("Invalid key file provided") else: f = open(args["keyfile"], 'r') self.K = base64.b64decode(f.readline()) self.U = base64.b64decode(f.readline()) self.V = base64.b64decode(f.readline()) f.close() # read the payload in (opt.) if isinstance(args["payload"], dict) and "data" in args["payload"]: if isinstance(args["payload"]["data"], list) and len(args["payload"]["data"]) > 0: self.payload = args["payload"]["data"][0] else: if args["payload"] is not None: f = open(args["payload"], 'r') self.payload = f.read() f.close() if args["file"] is not None: if args["keyfile"] is not None or args["ca_dir"] is not None: raise UserError( "You must specify one of -k, -f, or --cert to specify the key/contents to be securely delivered to the agent" ) if isinstance(args["file"], dict) and "data" in args["file"]: if isinstance(args["file"]["data"], list) and len(args["file"]["data"]) > 0: contents = args["file"]["data"][0] if contents is None: raise UserError("Invalid file payload contents") else: raise UserError("Invalid file payload provided") else: with open(args["file"], 'r') as f: contents = f.read() ret = user_data_encrypt.encrypt(contents) self.K = ret['k'] self.U = ret['u'] self.V = ret['v'] self.payload = ret['ciphertext'] if args["ca_dir"] is None and args["incl_dir"] is not None: raise UserError( "--include option is only valid when used with --cert") if args["ca_dir"] is not None: if args["file"] is not None or args["keyfile"] is not None: raise UserError( "You must specify one of -k, -f, or --cert to specify the key/contents to be securely delivered to the agent" ) if args["ca_dir"] == 'default': args["ca_dir"] = config.CA_WORK_DIR if "ca_dir_pw" in args and args["ca_dir_pw"] is not None: ca_util.setpassword(args["ca_dir_pw"]) if not os.path.exists(args["ca_dir"]) or not os.path.exists( "%s/cacert.crt" % args["ca_dir"]): logger.warning(" CA directory does not exist. Creating...") ca_util.cmd_init(args["ca_dir"]) if not os.path.exists("%s/%s-private.pem" % (args["ca_dir"], self.agent_uuid)): ca_util.cmd_mkcert(args["ca_dir"], self.agent_uuid) cert_pkg, serial, subject = ca_util.cmd_certpkg( args["ca_dir"], self.agent_uuid) # support revocation if not os.path.exists( "%s/RevocationNotifier-private.pem" % args["ca_dir"]): ca_util.cmd_mkcert(args["ca_dir"], "RevocationNotifier") rev_package, _, _ = ca_util.cmd_certpkg(args["ca_dir"], "RevocationNotifier") # extract public and private keys from package sf = io.BytesIO(rev_package) with zipfile.ZipFile(sf) as zf: privkey = zf.read("RevocationNotifier-private.pem") cert = zf.read("RevocationNotifier-cert.crt") # put the cert of the revoker into the cert package sf = io.BytesIO(cert_pkg) with zipfile.ZipFile(sf, 'a', compression=zipfile.ZIP_STORED) as zf: zf.writestr('RevocationNotifier-cert.crt', cert) # add additional files to zip if args["incl_dir"] is not None: if isinstance(args["incl_dir"], dict) and "data" in args[ "incl_dir"] and "name" in args["incl_dir"]: if isinstance(args["incl_dir"]["data"], list) and isinstance( args["incl_dir"]["name"], list): if len(args["incl_dir"]["data"]) != len( args["incl_dir"]["name"]): raise UserError("Invalid incl_dir provided") for i in range(len(args["incl_dir"]["data"])): zf.writestr( os.path.basename( args["incl_dir"]["name"][i]), args["incl_dir"]["data"][i]) else: if os.path.exists(args["incl_dir"]): files = next(os.walk(args["incl_dir"]))[2] for filename in files: with open( "%s/%s" % (args["incl_dir"], filename), 'rb') as f: zf.writestr(os.path.basename(f.name), f.read()) else: logger.warning( f'Specified include directory {args["incl_dir"]} does not exist. Skipping...' ) cert_pkg = sf.getvalue() # put the private key into the data to be send to the CV self.revocation_key = privkey # encrypt up the cert package ret = user_data_encrypt.encrypt(cert_pkg) self.K = ret['k'] self.U = ret['u'] self.V = ret['v'] self.metadata = {'cert_serial': serial, 'subject': subject} self.payload = ret['ciphertext'] if self.payload is not None and len(self.payload) > config.getint( 'tenant', 'max_payload_size'): raise UserError("Payload size %s exceeds max size %d" % (len( self.payload), config.getint('tenant', 'max_payload_size')))