def do_cvdelete(self):
params = f'/agents/{self.agent_uuid}'
response = httpclient_requests.request("DELETE", "%s"%(self.cloudverifier_ip), self.cloudverifier_port, params=params, context=self.context)
if response == 503:
logger.error(f"Cannot connect to Verifier at {self.cloudverifier_ip} with Port {self.cloudverifier_port}. Connection refused.")
exit()
elif response == 504:
logger.error(f"Verifier at {self.cloudverifier_ip} with Port {self.cloudverifier_port} timed out.")
exit()
if response.status == 202:
deleted = False
for _ in range(12):
response = httpclient_requests.request("GET", "%s"%(self.cloudverifier_ip), self.cloudverifier_port, params=params, context=self.context)
if response.status == 404:
deleted=True
break
time.sleep(.4)
if deleted:
logger.info(f"CV completed deletion of agent {self.agent_uuid}")
else:
logger.error(f"Timed out waiting for delete of agent {self.agent_uuid} to complete at CV")
exit()
elif response.status == 200:
logger.info(f"Agent {self.agent_uuid} deleted from the CV")
else:
response_body = json.loads(response.read().decode())
keylime_logging.log_http_response(logger,logging.ERROR,response_body)
def test_023_agent_keys_vkey_post(self):
"""Test agent's POST /v2/keys/vkey Interface"""
# CV should do this (during CV POST/PUT test)
# Running this test might hide problems with the CV sending the V key
global public_key
self.assertIsNotNone(
self.V, "Required value not set. Previous step may have failed?")
self.assertIsNotNone(
public_key,
"Required value not set. Previous step may have failed?")
encrypted_V = crypto.rsa_encrypt(crypto.rsa_import_pubkey(public_key),
str(self.V))
b64_encrypted_V = base64.b64encode(encrypted_V)
data = {'encrypted_key': b64_encrypted_V}
v_json_message = json.dumps(data)
params = f"/v{self.api_version}/keys/vkey"
response = httpclient_requests.request("POST",
"%s" %
tenant_templ.cloudagent_ip,
tenant_templ.cloudagent_port,
params=params,
data=v_json_message)
self.assertEqual(response.status, 200,
"Non-successful Agent vkey post return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
def test_024_agent_keys_ukey_post(self):
"""Test agents's POST /v2/keys/ukey Interface"""
global public_key
self.assertIsNotNone(public_key, "Required value not set. Previous step may have failed?")
self.assertIsNotNone(self.U, "Required value not set. Previous step may have failed?")
self.assertIsNotNone(self.auth_tag, "Required value not set. Previous step may have failed?")
self.assertIsNotNone(self.payload, "Required value not set. Previous step may have failed?")
encrypted_U = crypto.rsa_encrypt(crypto.rsa_import_pubkey(public_key),self.U)
b64_encrypted_u = base64.b64encode(encrypted_U)
data = {
'encrypted_key': b64_encrypted_u,
'auth_tag': self.auth_tag,
'payload': self.payload
}
u_yaml_message = json.dumps(data)
params = '/v%s/keys/ukey'% self.api_version
response = httpclient_requests.request("POST", "%s"%tenant_templ.cloudagent_ip,tenant_templ.cloudagent_port, params=params, data=u_yaml_message)
self.assertEqual(response.status, 200, "Non-successful Agent ukey post return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
def test_010_reg_agent_post(self):
"""Test registrar's POST /v2/agents/{UUID} Interface"""
global keyblob, aik, vtpm, ek
# Change CWD for TPM-related operations
cwd = os.getcwd()
common.ch_dir(common.WORK_DIR, None)
secdir = secure_mount.mount()
# Initialize the TPM with AIK
(ek, ekcert, aik, ek_tpm,
aik_name) = tpm.tpm_init(self_activate=False,
config_pw=config.get('cloud_agent',
'tpm_ownerpassword'))
vtpm = tpm.is_vtpm()
# Seed RNG (root only)
if common.REQUIRE_ROOT:
tpm.init_system_rand()
# Handle virtualized and emulated TPMs
if ekcert is None:
if vtpm:
ekcert = 'virtual'
elif tpm.is_emulator():
ekcert = 'emulator'
# Get back to our original CWD
common.ch_dir(cwd, None)
data = {
'ek': ek,
'ekcert': ekcert,
'aik': aik,
'aik_name': aik_name,
'ek_tpm': ek_tpm,
'tpm_version': tpm.get_tpm_version(),
}
v_json_message = json.dumps(data)
params = f"/v{self.api_version}/agents/{tenant_templ.agent_uuid}"
response = httpclient_requests.request(
"POST",
"%s" % tenant_templ.registrar_ip,
tenant_templ.registrar_boot_port,
params=params,
data=v_json_message,
context=None)
self.assertEqual(response.status, 200,
"Non-successful Registrar agent Add return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
self.assertIn("blob", json_response["results"],
"Malformed response body!")
keyblob = json_response["results"]["blob"]
self.assertIsNotNone(keyblob, "Malformed response body!")
def test_020_agent_keys_pubkey_get(self):
"""Test agent's GET /v2/keys/pubkey Interface"""
# We want a real cloud agent to communicate with!
launch_cloudagent()
time.sleep(10)
params = f"/v{self.api_version}/keys/pubkey"
response = httpclient_requests.request("GET",
"%s" %
tenant_templ.cloudagent_ip,
tenant_templ.cloudagent_port,
params=params)
self.assertEqual(response.status, 200,
"Non-successful Agent pubkey return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
self.assertIn("pubkey", json_response["results"],
"Malformed response body!")
global public_key
public_key = json_response["results"]["pubkey"]
self.assertNotEqual(public_key, None, "Malformed response body!")
def do_cvstatus(self,listing=False):
"""initiaite v, agent_id and ip
initiate the cloudinit sequence"""
states = cloud_verifier_common.CloudAgent_Operational_State.STR_MAPPINGS
#print('states:', states)
agent_uuid = ""
if not listing:
agent_uuid=self.agent_uuid
params = f'/agents/{agent_uuid}'
response = httpclient_requests.request("GET", "%s"%(self.cloudverifier_ip), self.cloudverifier_port, params=params, context=self.context)
if response == 503:
logger.error(f"Cannot connect to Verifier at {self.cloudverifier_ip} with Port {self.cloudverifier_port}. Connection refused.")
exit()
elif response == 504:
logger.error(f"Verifier at {self.cloudverifier_ip} with Port {self.cloudverifier_port} timed out.")
exit()
if response.status == 404:
logger.error(f"Agent {agent_uuid} does not exist on the verifier. Please try to add or update agent")
exit()
if response.status != 200:
logger.error(f"Status command response: {response.status}. Unexpected response from Cloud Verifier.")
exit()
else:
response_json = json.loads(response.read().decode())
if not listing:
operational_state = response_json["results"]["operational_state"]
logger.info(f'Agent Status: "{states[operational_state]}"')
else:
agent_array = response_json["results"]["uuids"]
logger.info(f'Agents: "{agent_array}"')
def test_011_reg_agent_activate_put(self):
"""Test registrar's PUT /v2/agents/{UUID}/activate Interface"""
global keyblob, aik
self.assertIsNotNone(
keyblob, "Required value not set. Previous step may have failed?")
self.assertIsNotNone(
aik, "Required value not set. Previous step may have failed?")
key = tpm.activate_identity(keyblob)
data = {
'auth_tag': crypto.do_hmac(key, tenant_templ.agent_uuid),
}
v_json_message = json.dumps(data)
params = f"/v{self.api_version}/agents/{tenant_templ.agent_uuid}/activate"
response = httpclient_requests.request(
"PUT",
"%s" % tenant_templ.registrar_ip,
tenant_templ.registrar_boot_port,
params=params,
data=v_json_message,
context=None)
print('response:', response)
self.assertEqual(
response.status, 200,
"Non-successful Registrar agent Activate return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
def doRegisterAgent(registrar_ip,registrar_port,agent_id,tpm_version,pub_ek,ekcert,pub_aik,pub_ek_tpm=None,aik_name=None):
data = {
'ek': pub_ek,
'ekcert': ekcert,
'aik': pub_aik,
'aik_name': aik_name,
'ek_tpm': pub_ek_tpm,
'tpm_version': tpm_version,
}
v_json_message = json.dumps(data)
params = '/agents/%s'% (agent_id)
response = httpclient_requests.request("POST", "%s"%(registrar_ip), registrar_port, params=params, data=v_json_message, context=None)
response_body = json.loads(response.read().decode("utf-8"))
if response.status != 200:
logger.error("Error: unexpected http response code from Registrar Server: " + str(response.status))
keylime_logging.log_http_response(logger,logging.ERROR,response_body)
return None
logger.info("Agent registration requested for %s"%agent_id)
if "results" not in response_body:
logger.critical("Error: unexpected http response body from Registrar Server: %s"%str(response.status))
return None
if "blob" not in response_body["results"]:
logger.critical("Error: did not receive blob from Registrar Server: %s"%str(response.status))
return None
return response_body["results"]["blob"]
def do_cvstop(self):
# params = '/agents/%s/stop'% (self.agent_uuid)
params = f'/agents/{self.agent_uuid}/stop'
response = httpclient_requests.request("PUT",
"%s" % (self.cloudverifier_ip),
self.cloudverifier_port,
params=params,
data=b'',
context=self.context)
if response == 503:
logger.error(
f"Cannot connect to Verifier at {self.cloudverifier_ip} with Port {self.cloudverifier_port}. Connection refused."
)
exit()
elif response == 504:
logger.error(
f"Verifier at {self.cloudverifier_ip} with Port {self.cloudverifier_port} timed out."
)
exit()
response_body = json.loads(response.read().decode())
if response.status != 200:
keylime_logging.log_http_response(logger, logging.ERROR,
response_body)
else:
logger.info(f"Agent {self.agent_uuid} stopped")
def test_012_reg_agent_vactivate_put(self):
"""Test registrar's PUT /v2/agents/{UUID}/vactivate Interface"""
global keyblob, aik, ek
self.assertIsNotNone(
keyblob, "Required value not set. Previous step may have failed?")
self.assertIsNotNone(
aik, "Required value not set. Previous step may have failed?")
self.assertIsNotNone(
ek, "Required value not set. Previous step may have failed?")
key = tpm.activate_identity(keyblob)
deepquote = tpm.create_deep_quote(
hashlib.sha1(key).hexdigest(), tenant_templ.agent_uuid + aik + ek)
data = {
'deepquote': deepquote,
}
v_json_message = json.dumps(data)
params = '/v%s/agents/%s/vactivate' % self.api_version, tenant_templ.agent_uuid
response = httpclient_requests.request(
"PUT",
"%s" % tenant_templ.registrar_ip,
tenant_templ.registrar_tls_boot_port,
params=params,
data=v_json_message,
context=tenant_templ.context)
self.assertEqual(
response.status, 200,
"Non-successful Registrar agent vActivate return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
def do_cvreactivate(self):
#params = '/agents/%s/reactivate'% (self.agent_uuid)
params = f'/agents/{self.agent_uuid}/reactivate'
response = httpclient_requests.request("PUT",
"%s" % (self.cloudverifier_ip),
self.cloudverifier_port,
params=params,
data=b'',
context=self.context)
if response == 503:
logger.error(
f"Cannot connect to Verifier at {self.cloudverifier_ip} with Port {self.cloudverifier_port}. Connection refused."
)
exit()
elif response == 504:
logger.error(
f"Verifier at {self.cloudverifier_ip} with Port {self.cloudverifier_port} timed out."
)
exit()
response_body = json.loads(response.read().decode())
if response.status != 200:
keylime_logging.log_http_response(logger, logging.ERROR,
response_body)
raise UserError(
"Update command response: %d Unexpected response from Cloud Verifier."
% response.status)
else:
logger.info(f"Agent {self.agent_uuid} re-activated")
def test_030_cv_agent_post(self):
"""Test CV's POST /v2/agents/{UUID} Interface"""
self.assertIsNotNone(self.V, "Required value not set. Previous step may have failed?")
b64_v = base64.b64encode(self.V)
data = {
'v': b64_v,
'cloudagent_ip': tenant_templ.cloudagent_ip,
'cloudagent_port': tenant_templ.cloudagent_port,
'tpm_policy': json.dumps(self.tpm_policy),
'vtpm_policy':json.dumps(self.vtpm_policy),
'ima_whitelist':json.dumps(self.ima_whitelist),
'metadata':json.dumps(self.metadata),
'revocation_key':self.revocation_key,
'accept_tpm_hash_algs': config.get('tenant','accept_tpm_hash_algs').split(','),
'accept_tpm_encryption_algs': config.get('tenant','accept_tpm_encryption_algs').split(','),
'accept_tpm_signing_algs': config.get('tenant','accept_tpm_signing_algs').split(','),
}
yaml_message = json.dumps(data)
params = f"/v{self.api_version}/agents/{tenant_templ.agent_uuid}"
response = httpclient_requests.request("POST", "%s"%(tenant_templ.cloudverifier_ip),tenant_templ.cloudverifier_port, params=params, data=yaml_message, context=tenant_templ.context)
self.assertEqual(response.status, 200, "Non-successful CV agent Post return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
time.sleep(10)
def test_022_agent_quotes_identity_get(self):
"""Test agent's GET /v2/quotes/identity Interface"""
global aik
self.assertIsNotNone(aik, "Required value not set. Previous step may have failed?")
nonce = tpm_abstract.TPM_Utilities.random_password(20)
numretries = config.getint('tenant','max_retries')
while numretries >= 0:
params = f"/v{self.api_version}/quotes/identity?nonce={nonce}"
response = httpclient_requests.request("GET", "%s"%tenant_templ.cloudagent_ip,tenant_templ.cloudagent_port, params=params, data=None, context=None)
if response.status == 200:
break
numretries-=1
time.sleep(config.getint('tenant','max_retries'))
self.assertEqual(response.status, 200, "Non-successful Agent identity return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
self.assertIn("quote", json_response["results"], "Malformed response body!")
self.assertIn("pubkey", json_response["results"], "Malformed response body!")
# Check the quote identity
self.assertTrue(tpm.check_quote(tenant_templ.agent_uuid,nonce,json_response["results"]["pubkey"],json_response["results"]["quote"],aik),
"Invalid quote!")
def test_014_reg_agent_get(self):
"""Test registrar's GET /v2/agents/{UUID} Interface"""
global aik
params = f"/v{self.api_version}/agents/{tenant_templ.agent_uuid}"
response = httpclient_requests.request(
"GET",
"%s" % (tenant_templ.registrar_ip),
tenant_templ.registrar_tls_boot_port,
params=params,
data=None,
context=tenant_templ.context)
self.assertEqual(response.status, 200,
"Non-successful Registrar agent return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
self.assertIn("aik", json_response["results"],
"Malformed response body!")
self.assertIn("ek", json_response["results"],
"Malformed response body!")
self.assertIn("ekcert", json_response["results"],
"Malformed response body!")
aik = json_response["results"]["aik"]
def getKeys(registrar_ip,registrar_port,agent_id):
global context
#make absolutely sure you don't ask for AIKs unauthenticated
if context is None or context.verify_mode != ssl.CERT_REQUIRED:
raise Exception("It is unsafe to use this interface to query AIKs with out server authenticated TLS")
try:
params = '/agents/%s'% (agent_id)
response = httpclient_requests.request("GET", "%s"%(registrar_ip), registrar_port, params=params, context=context)
response_body = json.loads(response.read().decode())
if response.status != 200:
logger.critical("Error: unexpected http response code from Registrar Server: %s"%str(response.status))
keylime_logging.log_http_response(logger,logging.CRITICAL,response_body)
return None
if "results" not in response_body:
logger.critical("Error: unexpected http response body from Registrar Server: %s"%str(response.status))
return None
if "aik" not in response_body["results"]:
logger.critical("Error: did not receive aik from Registrar Server: %s"%str(response.status))
return None
return response_body["results"]
except Exception as e:
logger.exception(e)
return None
def test_015_reg_agent_delete(self):
"""Test registrar's DELETE /v2/agents/{UUID} Interface"""
params = f"/v{self.api_version}/agents/{tenant_templ.agent_uuid}"
response = httpclient_requests.request("DELETE", "%s"%(tenant_templ.registrar_ip),tenant_templ.registrar_tls_boot_port, params=params, context=tenant_templ.context)
self.assertEqual(response.status, 200, "Non-successful Registrar Delete return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
def doRegistrarDelete(registrar_ip,registrar_port, agent_id):
global context
params = '/agents/%s'% (agent_id)
response = httpclient_requests.request("DELETE", "%s"%(registrar_ip), registrar_port, params=params, context=None)
response_body = json.loads(response)
if response.status == 200:
logger.debug("Registrar deleted.")
else:
logger.warn("Status command response: " + str(response.status) + " Unexpected response from registrar.")
keylime_logging.log_http_response(logger,logging.WARNING,response_body)
def do_cv(self):
"""initiaite v, agent_id and ip
initiate the cloudinit sequence"""
b64_v = base64.b64encode(self.V).decode('utf-8')
logger.debug("b64_v:" + b64_v)
data = {
'v': b64_v,
'cloudagent_ip': self.cv_cloudagent_ip,
'cloudagent_port': self.cloudagent_port,
'providerverifier_ip': self.providerverifier_ip,
'providerverifier_port': self.providerverifier_port,
'need_provider_quote': self.need_provider_quote,
'tpm_policy': json.dumps(self.tpm_policy),
'vtpm_policy': json.dumps(self.vtpm_policy),
'ima_whitelist': json.dumps(self.ima_whitelist),
'metadata': json.dumps(self.metadata),
'revocation_key': self.revocation_key,
'accept_tpm_hash_algs': self.accept_tpm_hash_algs,
'accept_tpm_encryption_algs': self.accept_tpm_encryption_algs,
'accept_tpm_signing_algs': self.accept_tpm_signing_algs,
}
json_message = json.dumps(data)
params = f'/agents/{self.agent_uuid}'
#params = '/agents/%s'% (self.agent_uuid)
response = httpclient_requests.request("POST",
"%s" % (self.cloudverifier_ip),
self.cloudverifier_port,
params=params,
data=json_message,
context=self.context)
if response == 503:
logger.error(
f"Cannot connect to Verifier at {self.cloudverifier_ip} with Port {self.cloudverifier_port}. Connection refused."
)
exit()
elif response == 504:
logger.error(
f"Verifier at {self.cloudverifier_ip} with Port {self.cloudverifier_port} timed out."
)
exit()
if response.status == 409:
# this is a conflict, need to update or delete it
logger.error(
"Agent %s already existed at CV. Please use delete or update."
% self.agent_uuid)
exit()
elif response.status != 200:
keylime_logging.log_http_response(logger, logging.ERROR,
response.read().decode()())
logger.error(
f"POST command response: {response.status} Unexpected response from Cloud Verifier: {response.read().decode()}"
)
exit()
def test_031_cv_agent_put(self):
"""Test CV's PUT /v2/agents/{UUID} Interface"""
#TODO: this should actually test PUT functionality (e.g., make agent fail and then PUT back up)
params = f"/v{self.api_version}/agents/{tenant_templ.agent_uuid}"
response = httpclient_requests.request("PUT", "%s"%(tenant_templ.cloudverifier_ip),tenant_templ.cloudverifier_port, params=params, data=b'', context=tenant_templ.context)
self.assertEqual(response.status, 200, "Non-successful CV agent Post return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
def do_verify(self):
challenge = TPM_Utilities.random_password(20)
numtries = 0
while True:
try:
params = f'/keys/verify?challenge={challenge}'
response = httpclient_requests.request("GET",
"%s" %
(self.cloudagent_ip),
self.cloudagent_port,
params=params)
except Exception as e:
if response == 503 or 504:
numtries += 1
maxr = config.getint('tenant', 'max_retries')
if numtries >= maxr:
logger.error(
f"Cannot establish connection to agent on {self.cloudagent_ip} with port {self.cloudagent_port}"
)
exit()
retry = config.getfloat('tenant', 'retry_interval')
logger.info(
f"Verifier connection to agent at {self.cloudagent_ip} refused {numtries}/{maxr} times, trying again in {retry} seconds..."
)
time.sleep(retry)
continue
else:
raise (e)
response_body = json.loads(response.read().decode())
if response.status == 200:
if "results" not in response_body or 'hmac' not in response_body[
'results']:
logger.critical(
f"Error: unexpected http response body from Cloud Agent: {response.status}"
)
break
mac = response_body['results']['hmac']
ex_mac = crypto.do_hmac(self.K, challenge)
if mac == ex_mac:
logger.info("Key derivation successful")
else:
logger.error("Key derivation failed")
else:
keylime_logging.log_http_response(logger, logging.ERROR,
response_body)
retry = config.getfloat('tenant', 'retry_interval')
logger.warning(
f"Key derivation not yet complete...trying again in {retry} seconds...Ctrl-C to stop"
)
time.sleep(retry)
continue
break
def test_050_cv_agent_delete(self):
"""Test CV's DELETE /v2/agents/{UUID} Interface"""
time.sleep(5)
params = f"/v{self.api_version}/agents/{tenant_templ.agent_uuid}"
response = httpclient_requests.request("DELETE", "%s"%tenant_templ.cloudverifier_ip,tenant_templ.cloudverifier_port, params=params, context=tenant_templ.context)
self.assertEqual(response.status, 202, "Non-successful CV agent Delete return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
def test_013_reg_agents_get(self):
"""Test registrar's GET /v2/agents Interface"""
params = f"/v{self.api_version}/agents/"
response = httpclient_requests.request("GET", "%s"%tenant_templ.registrar_ip,tenant_templ.registrar_tls_boot_port, params=params, context=tenant_templ.context)
self.assertEqual(response.status, 200, "Non-successful Registrar agent List return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
self.assertIn("uuids", json_response["results"], "Malformed response body!")
# We registered exactly one agent so far
self.assertEqual(1, len(json_response["results"]["uuids"]), "Incorrect system state!")
def test_032_cv_agents_get(self):
"""Test CV's GET /v2/agents Interface"""
params = f"/v{self.api_version}/agents/"
response = httpclient_requests.request("GET", "%s"%tenant_templ.cloudverifier_ip,tenant_templ.cloudverifier_port, params=params, context=tenant_templ.context)
self.assertEqual(response.status, 200, "Non-successful CV agent List return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
self.assertIn("uuids", json_response["results"], "Malformed response body!")
# Be sure our agent is registered
self.assertEqual(1, len(json_response["results"]["uuids"]))
def test_033_cv_agent_get(self):
"""Test CV's GET /v2/agents/{UUID} Interface"""
params = f"/v{self.api_version}/agents/{tenant_templ.agent_uuid}"
response = httpclient_requests.request("GET", "%s"%tenant_templ.cloudverifier_ip,tenant_templ.cloudverifier_port, params=params, context=tenant_templ.context)
self.assertEqual(response.status, 200, "Non-successful CV agent return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
# Check a few of the important properties are present
self.assertIn("operational_state", json_response["results"], "Malformed response body!")
self.assertIn("ip", json_response["results"], "Malformed response body!")
self.assertIn("port", json_response["results"], "Malformed response body!")
def test_040_agent_quotes_integrity_get(self):
"""Test agent's GET /v2/quotes/integrity Interface"""
global public_key, aik
self.assertIsNotNone(
aik, "Required value not set. Previous step may have failed?")
nonce = tpm_abstract.TPM_Utilities.random_password(20)
mask = self.tpm_policy["mask"]
vmask = self.vtpm_policy["mask"]
partial = "1"
if public_key is None:
partial = "0"
params = f"/v{self.api_version}/quotes/integrity?nonce={nonce}&mask={mask}&vmask={vmask}&partial={partial}"
response = httpclient_requests.request("GET",
"%s" %
tenant_templ.cloudagent_ip,
tenant_templ.cloudagent_port,
params=params)
self.assertEqual(response.status, 200,
"Non-successful Agent Integrity Get return code!")
json_response = json.loads(response.read().decode())
# Ensure response is well-formed
self.assertIn("results", json_response, "Malformed response body!")
self.assertIn("quote", json_response["results"],
"Malformed response body!")
if public_key is None:
self.assertIn("pubkey", json_response["results"],
"Malformed response body!")
public_key = json_response["results"]["pubkey"]
self.assertIn("tpm_version", json_response["results"],
"Malformed response body!")
self.assertIn("hash_alg", json_response["results"],
"Malformed response body!")
quote = json_response["results"]["quote"]
tpm_version = json_response["results"]["tpm_version"]
hash_alg = json_response["results"]["hash_alg"]
validQuote = tpm.check_quote(tenant_templ.agent_uuid,
nonce,
public_key,
quote,
aik,
self.tpm_policy,
hash_alg=hash_alg)
self.assertTrue(validQuote)
def doActivateAgent(registrar_ip,registrar_port,agent_id,key):
data = {
'auth_tag': crypto.do_hmac(key,agent_id),
}
v_json_message = json.dumps(data)
params = '/agents/%s/activate'% (agent_id)
response = httpclient_requests.request("PUT", "%s"%(registrar_ip), registrar_port, params=params, data=v_json_message, context=None)
response_body = json.loads(response.read().decode())
if response.status == 200:
logger.info("Registration activated for agent %s."%agent_id)
return True
else:
logger.error("Error: unexpected http response code from Registrar Server: " + str(response.status))
keylime_logging.log_http_response(logger,logging.ERROR,response_body)
return False
def do_quote(self):
"""initiaite v, agent_id and ip
initiate the cloudinit sequence"""
self.nonce = TPM_Utilities.random_password(20)
numtries = 0
response = None
# Note: We need a specific retry handler (perhaps in common), no point having localised unless we have too.
while True:
try:
#params = '/quotes/identity?nonce=%s'%(self.nonce)
params = f'/quotes/identity?nonce={self.nonce}'
response = httpclient_requests.request("GET",
"%s" %
(self.cloudagent_ip),
self.cloudagent_port,
params=params,
context=None)
response_body = json.loads(response.read().decode())
except Exception as e:
if response == 503 or response == 504:
numtries += 1
maxr = config.getint('tenant', 'max_retries')
if numtries >= maxr:
logger.error(
f"tenant cannot establish connection to agent on {self.cloudagent_ip} with port {self.cloudagent_port}"
)
exit()
retry = config.getfloat('tenant', 'retry_interval')
logger.info(
f"tenant connection to agent at {self.cloudagent_ip} refused {numtries}/{maxr} times, trying again in {retry} seconds..."
)
time.sleep(retry)
continue
else:
raise (e)
break
try:
if response is not None and response.status != 200:
raise UserError(
"Status command response: %d Unexpected response from Cloud Agent."
% response.status)
if "results" not in response_body:
raise UserError(
"Error: unexpected http response body from Cloud Agent: %s"
% str(response.status))
quote = response_body["results"]["quote"]
logger.debug(f"agent_quote received quote: {quote}")
public_key = response_body["results"]["pubkey"]
logger.debug(f"agent_quote received public key: {public_key}")
# Get tpm_version, hash_alg
tpm_version = response_body["results"]["tpm_version"]
logger.debug(
f"agent_quote received tpm version: {str(tpm_version)}")
# Ensure hash_alg is in accept_tpm_hash_algs list
hash_alg = response_body["results"]["hash_alg"]
logger.debug(f"agent_quote received hash algorithm: {hash_alg}")
if not Hash_Algorithms.is_accepted(
hash_alg,
config.get('tenant', 'accept_tpm_hash_algs').split(',')):
raise UserError(
"TPM Quote is using an unaccepted hash algorithm: %s" %
hash_alg)
# Ensure enc_alg is in accept_tpm_encryption_algs list
enc_alg = response_body["results"]["enc_alg"]
logger.debug(
f"agent_quote received encryption algorithm: {enc_alg}")
if not Encrypt_Algorithms.is_accepted(
enc_alg,
config.get('tenant',
'accept_tpm_encryption_algs').split(',')):
raise UserError(
"TPM Quote is using an unaccepted encryption algorithm: %s"
% enc_alg)
# Ensure sign_alg is in accept_tpm_encryption_algs list
sign_alg = response_body["results"]["sign_alg"]
logger.debug(f"agent_quote received signing algorithm: {sign_alg}")
if not Sign_Algorithms.is_accepted(
sign_alg,
config.get('tenant',
'accept_tpm_signing_algs').split(',')):
raise UserError(
"TPM Quote is using an unaccepted signing algorithm: %s" %
sign_alg)
if not self.validate_tpm_quote(public_key, quote, tpm_version,
hash_alg):
raise UserError(
"TPM Quote from cloud agent is invalid for nonce: %s" %
self.nonce)
logger.info(f"Quote from {self.cloudagent_ip} validated")
# encrypt U with the public key
# encrypted_U = crypto.rsa_encrypt(crypto.rsa_import_pubkey(public_key),str(self.U))
encrypted_U = crypto.rsa_encrypt(
crypto.rsa_import_pubkey(public_key), self.U)
b64_encrypted_u = base64.b64encode(encrypted_U)
logger.debug("b64_encrypted_u: " + b64_encrypted_u.decode('utf-8'))
data = {
'encrypted_key': b64_encrypted_u,
'auth_tag': self.auth_tag
}
if self.payload is not None:
data['payload'] = self.payload
u_json_message = json.dumps(data)
# post encrypted U back to CloudAgent
params = '/keys/ukey'
response = httpclient_requests.request("POST",
"%s" % (self.cloudagent_ip),
self.cloudagent_port,
params=params,
data=u_json_message)
if response == 503:
logger.error(
f"Cannot connect to Agent at {self.cloudagent_ip} with Port {self.cloudagent_port}. Connection refused."
)
exit()
elif response == 504:
logger.error(
f"Verifier at {self.cloudverifier_ip} with Port {self.cloudverifier_port} timed out."
)
exit()
if response.status != 200:
keylime_logging.log_http_response(logger, logging.ERROR,
response_body)
raise UserError(
"Posting of Encrypted U to the Cloud Agent failed with response code %d"
% response.status)
except Exception as e:
self.do_cvstop()
raise e
