File CVE-2022-1053-01.patch of Package keylime.30338

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2022-1053-01.patch of Package keylime.30338

From bd5de712acdd77860e7dc58969181e16c7a8dc5d Mon Sep 17 00:00:00 2001
From: Thore Sommer <mail@thson.de>
Date: Wed, 6 Apr 2022 16:08:38 +0200
Subject: [PATCH] tenant, verifier: let the tenant provide the AK and mTLS
 certificate

This eliminates the need for the verifier to connect to the registrar.

Signed-off-by: Thore Sommer <mail@thson.de>
---
 keylime/cloud_verifier_tornado.py | 21 ++++-----------------
 keylime/tenant.py                 |  2 ++
 2 files changed, 6 insertions(+), 17 deletions(-)

Index: keylime-v6.3.2/keylime/cloud_verifier_tornado.py
===================================================================
--- keylime-v6.3.2.orig/keylime/cloud_verifier_tornado.py
+++ keylime-v6.3.2/keylime/cloud_verifier_tornado.py
@@ -19,7 +19,6 @@ import tornado.web
 
 from keylime import config
 from keylime import json
-from keylime import registrar_client
 from keylime.agentstates import AgentAttestStates
 from keylime.common import states, validators, retry
 from keylime.db.verifier_db import VerfierMain
@@ -449,6 +448,8 @@ class AgentsHandler(BaseHandler):
                     agent_data['accept_tpm_encryption_algs'] = json_body['accept_tpm_encryption_algs']
                     agent_data['accept_tpm_signing_algs'] = json_body['accept_tpm_signing_algs']
                     agent_data['supported_version'] = json_body['supported_version']
+                    agent_data['ak_tpm'] = json_body['ak_tpm']
+                    agent_data['mtls_cert'] = json_body.get('mtls_cert', None)
                     agent_data['hash_alg'] = ""
                     agent_data['enc_alg'] = ""
                     agent_data['sign_alg'] = ""
@@ -462,22 +463,8 @@ class AgentsHandler(BaseHandler):
                     agent_data['verifier_ip'] = config.get('cloud_verifier', 'cloudverifier_ip')
                     agent_data['verifier_port'] = config.get('cloud_verifier', 'cloudverifier_port')
 
-                    # We fetch the registrar data directly here because we require it for connecting to the agent
-                    # using mTLS
-                    registrar_client.init_client_tls('cloud_verifier')
-                    registrar_data = registrar_client.getData(config.get("cloud_verifier", "registrar_ip"),
-                                                              config.get("cloud_verifier", "registrar_port"), agent_id)
-                    if registrar_data is None:
-                        web_util.echo_json_response(self, 400,
-                                                    f"Data for agent {agent_id} could not be found in registrar!")
-                        logger.warning("Data for agent %s could not be found in registrar!", agent_id)
-                        return
-
-                    agent_data['mtls_cert'] = registrar_data.get('mtls_cert', None)
-                    agent_data['ak_tpm'] = registrar_data['aik_tpm']
-
                     # TODO: Always error for v1.0 version after initial upgrade
-                    if registrar_data.get('mtls_cert', None) is None and agent_data['supported_version'] != "1.0":
+                    if agent_data['mtls_cert'] is None and agent_data['supported_version'] != "1.0":
                         web_util.echo_json_response(self, 400, "mTLS certificate for agent is required!")
                         return
 
@@ -515,7 +502,7 @@ class AgentsHandler(BaseHandler):
 
                         # Prepare SSLContext for mTLS connections
                         agent_mtls_cert_enabled = config.getboolean('cloud_verifier', 'agent_mtls_cert_enabled', fallback=False)
-                        mtls_cert = registrar_data.get('mtls_cert', None)
+                        mtls_cert = agent_data['mtls_cert']
                         agent_data['ssl_context'] = None
                         if agent_mtls_cert_enabled and mtls_cert:
                             agent_data['ssl_context'] = web_util.generate_agent_mtls_context(mtls_cert, self.mtls_options)
Index: keylime-v6.3.2/keylime/tenant.py
===================================================================
--- keylime-v6.3.2.orig/keylime/tenant.py
+++ keylime-v6.3.2/keylime/tenant.py
@@ -644,6 +644,8 @@ class Tenant():
             'accept_tpm_hash_algs': self.accept_tpm_hash_algs,
             'accept_tpm_encryption_algs': self.accept_tpm_encryption_algs,
             'accept_tpm_signing_algs': self.accept_tpm_signing_algs,
+            'ak_tpm': self.registrar_data['aik_tpm'],
+            'mtls_cert': self.registrar_data.get('mtls_cert', None),
             'supported_version': self.supported_version,
         }
         json_message = json.dumps(data)

Places

File CVE-2022-1053-01.patch of Package keylime.30338

Places