def notify_error(agent, msgtype='revocation'):
    """Publish a revocation-style notification describing *agent*.

    Does nothing when the ``cloud_verifier``/``revocation_notifier`` option is
    off. Otherwise the agent record is serialised to JSON (UTF-8 bytes), signed
    with the agent's ``revocation_key`` when one is configured, and handed to
    ``revocation_notifier.notify`` as ``{'msg': ..., 'signature': ...}``.

    Args:
        agent: mapping with the keys ``ip``, ``agent_id``, ``port``,
            ``tpm_policy``, ``vtpm_policy``, ``meta_data`` and
            ``revocation_key`` (a PEM private key, or ``""`` for unsigned).
        msgtype: value stored under ``'type'`` in the message.
    """
    if not config.getboolean('cloud_verifier', 'revocation_notifier'):
        return

    # Key order matters: it fixes the JSON byte layout that gets signed.
    revocation = {'type': msgtype}
    for field in ('ip', 'agent_id', 'port', 'tpm_policy', 'vtpm_policy', 'meta_data'):
        revocation[field] = agent[field]
    revocation['event_time'] = time.asctime()

    msg = json.dumps(revocation).encode('utf-8')

    # An empty revocation_key means the message goes out unsigned; a receiver
    # has nothing to verify in that case (signature is the literal "none").
    revocation_key = agent['revocation_key']
    if revocation_key == "":
        signature = "none"
    else:
        signing_key = crypto.rsa_import_privkey(revocation_key)
        signature = crypto.rsa_sign(signing_key, msg)

    revocation_notifier.notify({'msg': msg, 'signature': signature})
def prepare_error(agent, msgtype="revocation", event=None):
    """Build the (optionally signed) notification payload for *agent*.

    Returns a dict ``{"msg": <JSON bytes>, "signature": <bytes or "none">}``.
    When *event* is truthy its ``event_id``, ``severity_label.name`` and
    ``context`` are added to the message before serialisation.

    Args:
        agent: mapping with ``ip``, ``agent_id``, ``port``, ``tpm_policy``,
            ``meta_data`` and ``revocation_key`` (``""`` means unsigned).
        msgtype: value stored under ``"type"``.
        event: optional object carrying ``event_id``, ``severity_label`` and
            ``context``.
    """
    # Insertion order is preserved by json.dumps, so keep the original key
    # order: it determines the exact bytes that are signed.
    revocation = {"type": msgtype}
    for field in ("ip", "agent_id", "port", "tpm_policy", "meta_data"):
        revocation[field] = agent[field]
    revocation["event_time"] = time.asctime()

    if event:
        revocation["event_id"] = event.event_id
        revocation["severity_label"] = event.severity_label.name
        revocation["context"] = event.context

    msg = json.dumps(revocation).encode("utf-8")

    # Without a revocation key the payload is sent unsigned ("none"); the
    # consumer cannot authenticate such a message.
    revocation_key = agent["revocation_key"]
    if revocation_key == "":
        signature = "none"
    else:
        signature = crypto.rsa_sign(crypto.rsa_import_privkey(revocation_key), msg)

    return {"msg": msg, "signature": signature}
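def __init__(self, server_address, RequestHandlerClass, agent_uuid):
    """Constructor overridden to provide ability to pass configuration arguments to the server.

    In order: mounts the secure directory and reads the agent RSA private key
    from it (generating and persisting a 2048-bit key when absent), exports
    the public half as ``rsapublickey_exportable``, seeds the U value from
    TPM NVRAM through ``add_U`` when one is stored, then runs the
    ``http.server.HTTPServer`` constructor and records ``enc_keyname`` and
    ``agent_uuid``.

    Args:
        server_address: passed through unchanged to ``HTTPServer``.
        RequestHandlerClass: passed through unchanged to ``HTTPServer``.
        agent_uuid: stored on ``self.agent_uuid``.
    """
    secdir = secure_mount.mount()
    keyname = os.path.join(secdir, config.get('cloud_agent', 'rsa_keyname'))

    # read or generate the key depending on configuration
    if os.path.isfile(keyname):
        # read in private key; the context manager closes the handle, which
        # the previous version never did.
        logger.debug("Using existing key in %s", keyname)
        with open(keyname, "rb") as f:
            rsa_key = crypto.rsa_import_privkey(f.read())
    else:
        logger.debug("key not found, generating a new one")
        rsa_key = crypto.rsa_generate(2048)
        # This is a private key: create the file owner-only (0600) instead
        # of relying on the process umask.
        fd = os.open(keyname, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(crypto.rsa_export_privkey(rsa_key))

    self.rsaprivatekey = rsa_key
    self.rsapublickey_exportable = crypto.rsa_export_pubkey(self.rsaprivatekey)

    # attempt to get a U value from the TPM NVRAM
    nvram_u = tpm.read_key_nvram()
    if nvram_u is not None:
        logger.info("Existing U loaded from TPM NVRAM")
        self.add_U(nvram_u)

    http.server.HTTPServer.__init__(self, server_address, RequestHandlerClass)
    self.enc_keyname = config.get('cloud_agent', 'enc_keyname')
    self.agent_uuid = agent_uuid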
def test_rsa(self):
    """Round-trip a message through RSA export/import and encrypt/decrypt.

    Both halves of a freshly generated key are serialised to PEM and
    re-imported, so the export/import helpers are exercised as well as
    ``rsa_encrypt``/``rsa_decrypt``.
    """
    message = b"a secret message!"
    private = rsa_generate(2048)

    pubkey = rsa_import_pubkey(rsa_export_pubkey(private))
    key = rsa_import_privkey(rsa_export_privkey(private))

    ciphertext = rsa_encrypt(pubkey, message)
    self.assertEqual(rsa_decrypt(key, ciphertext), message)
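def __init__(self, server_address, RequestHandlerClass, agent_uuid):
    """Constructor overridden to provide ability to pass configuration arguments to the server.

    Loads or creates, inside the secure mount, the agent RSA private key
    (``rsa_keyname``) and a self-signed mTLS certificate (``mtls_cert``)
    bound to that key, records their paths and objects on the instance,
    seeds the U value from TPM NVRAM through ``add_U`` when present, then
    runs the ``http.server.HTTPServer`` constructor.

    Args:
        server_address: passed through unchanged to ``HTTPServer``.
        RequestHandlerClass: passed through unchanged to ``HTTPServer``.
        agent_uuid: used as the certificate subject and stored on
            ``self.agent_uuid``.
    """
    secdir = secure_mount.mount()
    keyname = os.path.join(secdir, config.get('cloud_agent', 'rsa_keyname'))
    certname = os.path.join(secdir, config.get('cloud_agent', 'mtls_cert'))

    # read or generate the key depending on configuration
    if os.path.isfile(keyname):
        # read in private key; the context manager closes the handle, which
        # the previous version never did.
        logger.debug("Using existing key in %s", keyname)
        with open(keyname, "rb") as f:
            rsa_key = crypto.rsa_import_privkey(f.read())
    else:
        logger.debug("key not found, generating a new one")
        rsa_key = crypto.rsa_generate(2048)
        # Private key material: create the file owner-only (0600) rather
        # than relying on the process umask.
        fd = os.open(keyname, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(crypto.rsa_export_privkey(rsa_key))

    self.rsakey_path = keyname
    self.rsaprivatekey = rsa_key
    self.rsapublickey_exportable = crypto.rsa_export_pubkey(self.rsaprivatekey)

    if os.path.isfile(certname):
        logger.debug("Using existing mTLS cert in %s", certname)
        with open(certname, "rb") as f:
            mtls_cert = x509.load_pem_x509_certificate(f.read())
    else:
        logger.debug("No mTLS certificate found generating a new one")
        # Validity window is 5 x 360 days (the original's "5 years"); kept
        # as-is so existing deployments get the same lifetime.
        valid_until = datetime.datetime.utcnow() + datetime.timedelta(days=(360 * 5))
        mtls_cert = crypto.generate_selfsigned_cert(agent_uuid, rsa_key, valid_until)
        # Generate before opening the file, so a generation failure cannot
        # leave an empty certificate file that the next start would try to
        # parse.
        with open(certname, "wb") as f:
            f.write(mtls_cert.public_bytes(serialization.Encoding.PEM))

    self.mtls_cert_path = certname
    self.mtls_cert = mtls_cert

    # attempt to get a U value from the TPM NVRAM
    nvram_u = tpm_instance.read_key_nvram()
    if nvram_u is not None:
        logger.info("Existing U loaded from TPM NVRAM")
        self.add_U(nvram_u)

    http.server.HTTPServer.__init__(self, server_address, RequestHandlerClass)
    self.enc_keyname = config.get('cloud_agent', 'enc_keyname')
    self.agent_uuid = agent_uuid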
def notify_error(agent, msgtype='revocation', event=None):
    """Send a revocation-style notification for *agent* to the enabled sinks.

    Two sinks are configured under ``cloud_verifier``: the message queue
    (``revocation_notifier``) and a webhook (``revocation_notifier_webhook``,
    default off). When neither is enabled nothing is built or sent. The
    message is JSON (UTF-8 bytes), signed with the agent's ``revocation_key``
    when one is configured (``"none"`` otherwise).

    Args:
        agent: mapping with ``ip``, ``agent_id``, ``port``, ``tpm_policy``,
            ``vtpm_policy``, ``meta_data`` and ``revocation_key``.
        msgtype: value stored under ``'type'``.
        event: optional object carrying ``event_id``, ``severity_label`` and
            ``context``; included when truthy.
    """
    send_mq = config.getboolean('cloud_verifier', 'revocation_notifier')
    send_webhook = config.getboolean('cloud_verifier', 'revocation_notifier_webhook', fallback=False)
    if not send_mq and not send_webhook:
        return

    # Keep this key order: json.dumps preserves it and the bytes get signed.
    revocation = {'type': msgtype}
    for field in ('ip', 'agent_id', 'port', 'tpm_policy', 'vtpm_policy', 'meta_data'):
        revocation[field] = agent[field]
    revocation['event_time'] = time.asctime()

    if event:
        revocation['event_id'] = event.event_id
        revocation['severity_label'] = event.severity_label.name
        revocation['context'] = event.context

    msg = json.dumps(revocation).encode('utf-8')

    # No revocation key configured -> unsigned message, signature "none".
    revocation_key = agent['revocation_key']
    if revocation_key == "":
        signature = "none"
    else:
        signature = crypto.rsa_sign(crypto.rsa_import_privkey(revocation_key), msg)

    tosend = {'msg': msg, 'signature': signature}
    if send_mq:
        revocation_notifier.notify(tosend)
    if send_webhook:
        revocation_notifier.notify_webhook(tosend)
def notify_error(agent, msgtype="revocation", event=None):
    """Send a revocation-style notification for *agent* to the enabled sinks.

    Sinks are the message queue (``cloud_verifier``/``revocation_notifier``)
    and the webhook (``revocation_notifier_webhook``, default off); with
    both disabled the function returns before building anything. The message
    is UTF-8 JSON, signed with the agent's ``revocation_key`` when set and
    marked ``"none"`` otherwise.

    Args:
        agent: mapping with ``ip``, ``agent_id``, ``port``, ``tpm_policy``,
            ``meta_data`` and ``revocation_key``.
        msgtype: value stored under ``"type"``.
        event: optional object carrying ``event_id``, ``severity_label`` and
            ``context``; included when truthy.
    """
    send_mq = config.getboolean("cloud_verifier", "revocation_notifier")
    send_webhook = config.getboolean("cloud_verifier", "revocation_notifier_webhook", fallback=False)
    if not send_mq and not send_webhook:
        return

    # dict(...) keeps keyword order, which fixes the signed JSON bytes.
    revocation = dict(
        type=msgtype,
        ip=agent["ip"],
        agent_id=agent["agent_id"],
        port=agent["port"],
        tpm_policy=agent["tpm_policy"],
        meta_data=agent["meta_data"],
        event_time=time.asctime(),
    )
    if event:
        revocation.update(
            event_id=event.event_id,
            severity_label=event.severity_label.name,
            context=event.context,
        )

    msg = json.dumps(revocation).encode("utf-8")

    # Empty revocation_key -> unsigned message; the receiver has nothing to
    # verify and sees the literal "none".
    revocation_key = agent["revocation_key"]
    if revocation_key == "":
        signature = "none"
    else:
        signature = crypto.rsa_sign(crypto.rsa_import_privkey(revocation_key), msg)

    tosend = {"msg": msg, "signature": signature}
    if send_mq:
        revocation_notifier.notify(tosend)
    if send_webhook:
        revocation_notifier.notify_webhook(tosend)
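def __init__(self, server_address, RequestHandlerClass, agent_uuid, contact_ip, ima_log_file, tpm_log_file_data):
    """Constructor overridden to provide ability to pass configuration arguments to the server.

    Resolves the U/V transport key (``rsa_keyname``) and, when
    ``mtls_cert_enabled`` is set, the mTLS certificate (``mtls_cert``) —
    both relative to the secure mount unless given as absolute paths —
    loading them if present and generating them otherwise. Also resolves
    ``revocation_cert``, seeds the U value from TPM NVRAM through ``add_U``
    when one is stored, and runs the ``http.server.HTTPServer`` constructor.

    Args:
        server_address: passed to ``HTTPServer``; its first element is also
            used as a certificate IP when a certificate is generated.
        RequestHandlerClass: passed through unchanged to ``HTTPServer``.
        agent_uuid: certificate subject; stored on ``self.agent_uuid``.
        contact_ip: extra IP added to a generated certificate when not None.
        ima_log_file: stored on ``self.ima_log_file``.
        tpm_log_file_data: stored on ``self.tpm_log_file_data``.
    """
    # Find the locations for the U/V transport and mTLS key and certificate.
    # They are either relative to secdir (/var/lib/keylime/secure) or absolute paths.
    secdir = secure_mount.mount()
    keyname = config.get("cloud_agent", "rsa_keyname")
    if not os.path.isabs(keyname):
        keyname = os.path.join(secdir, keyname)

    # read or generate the key depending on configuration
    if os.path.isfile(keyname):
        # read in private key
        logger.info("Using existing key in %s", keyname)
        with open(keyname, "rb") as f:
            rsa_key = crypto.rsa_import_privkey(f.read())
    else:
        logger.info("Key for U/V transport and mTLS certificate not found, generating a new one")
        rsa_key = crypto.rsa_generate(2048)
        # Private key material: create the file owner-only (0600) rather
        # than relying on the process umask.
        fd = os.open(keyname, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(crypto.rsa_export_privkey(rsa_key))

    self.rsakey_path = keyname
    self.rsaprivatekey = rsa_key
    self.rsapublickey_exportable = crypto.rsa_export_pubkey(self.rsaprivatekey)

    self.mtls_cert_enabled = config.getboolean("cloud_agent", "mtls_cert_enabled", fallback=False)
    if self.mtls_cert_enabled:
        certname = config.get("cloud_agent", "mtls_cert")
        if not os.path.isabs(certname):
            certname = os.path.join(secdir, certname)

        if os.path.isfile(certname):
            logger.info("Using existing mTLS cert in %s", certname)
            with open(certname, "rb") as f:
                mtls_cert = x509.load_pem_x509_certificate(f.read(), backend=default_backend())
        else:
            logger.info("No mTLS certificate found, generating a new one")
            agent_ips = [server_address[0]]
            if contact_ip is not None:
                agent_ips.append(contact_ip)
            # Validity window is 5 x 360 days (the original's "5 years");
            # kept as-is so existing deployments get the same lifetime.
            valid_until = datetime.datetime.utcnow() + datetime.timedelta(days=(360 * 5))
            mtls_cert = crypto.generate_selfsigned_cert(agent_uuid, rsa_key, valid_until, agent_ips)
            # Generate before opening the file so a generation failure does
            # not leave an empty certificate file for the next start to
            # trip over.
            with open(certname, "wb") as f:
                f.write(mtls_cert.public_bytes(serialization.Encoding.PEM))

        self.mtls_cert_path = certname
        self.mtls_cert = mtls_cert
    else:
        self.mtls_cert_path = None
        self.mtls_cert = None
        logger.info("WARNING: mTLS disabled, Tenant and Verifier will reach out to agent via HTTP")

    self.revocation_cert_path = config.get("cloud_agent", "revocation_cert")
    if self.revocation_cert_path == "default":
        self.revocation_cert_path = os.path.join(secdir, "unzipped/RevocationNotifier-cert.crt")
    elif not os.path.isabs(self.revocation_cert_path):
        # if it is a relative, convert to absolute in work_dir
        # (os.path.isabs instead of indexing [0], which raised IndexError
        # on an empty setting)
        self.revocation_cert_path = os.path.abspath(os.path.join(config.WORK_DIR, self.revocation_cert_path))

    # attempt to get a U value from the TPM NVRAM
    nvram_u = tpm_instance.read_key_nvram()
    if nvram_u is not None:
        logger.info("Existing U loaded from TPM NVRAM")
        self.add_U(nvram_u)

    http.server.HTTPServer.__init__(self, server_address, RequestHandlerClass)
    self.enc_keyname = config.get("cloud_agent", "enc_keyname")
    self.agent_uuid = agent_uuid
    self.ima_log_file = ima_log_file
    self.tpm_log_file_data = tpm_log_file_data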