131 lines
4.9 KiB
Diff
131 lines
4.9 KiB
Diff
From d6dd71e3a3fe8e822fbcaa0d88f19a0c3332cacd Mon Sep 17 00:00:00 2001
|
|
From: Sergio Correia <scorreia@redhat.com>
|
|
Date: Tue, 15 Nov 2022 07:09:13 -0300
|
|
Subject: [PATCH] Do not use default values that need reading the config in
|
|
methods
|
|
|
|
Following up from the recent refactoring that moved the EK validation
|
|
to cert_utils, in a few places were added default method values that
|
|
were reading the configuration files directly.
|
|
|
|
It was not such a great idea becasue it then made those config files as
|
|
required to even import the modules.
|
|
|
|
Example "from keylime import cert_utils" now also requires that the
|
|
tenant configuration be available for getting the path for the TPM
|
|
cert store.
|
|
|
|
Let's stop doing that.
|
|
|
|
Signed-off-by: Sergio Correia <scorreia@redhat.com>
|
|
---
|
|
keylime/cert_utils.py | 5 +++--
|
|
keylime/tenant.py | 2 +-
|
|
keylime/tpm/tpm_abstract.py | 2 +-
|
|
keylime/tpm/tpm_main.py | 4 ++--
|
|
keylime/tpm_ek_ca.py | 6 +++---
|
|
5 files changed, 10 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py
|
|
index d2fc54d..3576c64 100644
|
|
--- a/keylime/cert_utils.py
|
|
+++ b/keylime/cert_utils.py
|
|
@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
|
|
from pyasn1.codec.der import decoder, encoder
|
|
from pyasn1_modules import pem, rfc2459
|
|
|
|
-from keylime import config, keylime_logging, tpm_ek_ca
|
|
+from keylime import keylime_logging, tpm_ek_ca
|
|
|
|
# Issue #944 -- python-cryptography won't parse malformed certs,
|
|
# such as some Nuvoton ones we have encountered in the field.
|
|
@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str):
|
|
return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend())
|
|
|
|
|
|
-def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")):
|
|
+def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool:
|
|
"""Verify that the provided EK certificate is signed by a trusted root
|
|
:param ekcert: The Endorsement Key certificate in DER format
|
|
+ :param tpm_cert_store: The path for the TPM certificate store
|
|
:returns: True if the certificate can be verified, False otherwise
|
|
"""
|
|
try:
|
|
diff --git a/keylime/tenant.py b/keylime/tenant.py
|
|
index b574d04..076b849 100644
|
|
--- a/keylime/tenant.py
|
|
+++ b/keylime/tenant.py
|
|
@@ -430,7 +430,7 @@ class Tenant:
|
|
elif ekcert is None:
|
|
logger.warning("No EK cert provided, require_ek_cert option in config set to True")
|
|
return False
|
|
- elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)):
|
|
+ elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")):
|
|
logger.warning("Invalid EK certificate")
|
|
return False
|
|
|
|
diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py
|
|
index ff41837..df6222c 100644
|
|
--- a/keylime/tpm/tpm_abstract.py
|
|
+++ b/keylime/tpm/tpm_abstract.py
|
|
@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta):
|
|
pass
|
|
|
|
@abstractmethod
|
|
- def verify_ek(self, ekcert):
|
|
+ def verify_ek(self, ekcert, tpm_cert_store):
|
|
pass
|
|
|
|
@abstractmethod
|
|
diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py
|
|
index e1d1cf8..e244dfa 100644
|
|
--- a/keylime/tpm/tpm_main.py
|
|
+++ b/keylime/tpm/tpm_main.py
|
|
@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM):
|
|
os.remove(sesspath)
|
|
return key
|
|
|
|
- def verify_ek(self, ekcert):
|
|
+ def verify_ek(self, ekcert, tpm_cert_store):
|
|
"""Verify that the provided EK certificate is signed by a trusted root
|
|
:param ekcert: The Endorsement Key certificate in DER format
|
|
:returns: True if the certificate can be verified, false otherwise
|
|
"""
|
|
- return cert_utils.verify_ek(ekcert)
|
|
+ return cert_utils.verify_ek(ekcert, tpm_cert_store)
|
|
|
|
def get_tpm_manufacturer(self, output=None):
|
|
vendorStr = None
|
|
diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py
|
|
index fb66c07..bc84571 100644
|
|
--- a/keylime/tpm_ek_ca.py
|
|
+++ b/keylime/tpm_ek_ca.py
|
|
@@ -1,13 +1,13 @@
|
|
import glob
|
|
import os
|
|
|
|
-from keylime import config, keylime_logging
|
|
+from keylime import keylime_logging
|
|
|
|
logger = keylime_logging.init_logging("tpm_ek_ca")
|
|
trusted_certs = {}
|
|
|
|
|
|
-def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
|
|
+def check_tpm_cert_store(tpm_cert_store):
|
|
if not os.path.isdir(tpm_cert_store):
|
|
logger.error("The directory %s does not exist.", tpm_cert_store)
|
|
raise Exception(f"The directory {tpm_cert_store} does not exist.")
|
|
@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
|
|
raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files")
|
|
|
|
|
|
-def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
|
|
+def cert_loader(tpm_cert_store):
|
|
file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem"))
|
|
my_trusted_certs = {}
|
|
for file_path in file_list:
|
|
--
|
|
2.38.1
|
|
|