config: Make IAK and IDevID certificates optional

When IAK/IDevID are enabled, but the paths to the certificates are explicitly configured as the empty string, continue normally and register without IAK and IDevID certificates. This is to make it possible to use IAK and IDevID without the certificates, in case the user does the public key matching check separately. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
keylime · Dec 12, 2024 · 223b9ee · 223b9ee
1 parent 123dc7d
commit 223b9ee
Show file tree

Hide file tree

Showing 4 changed files with 259 additions and 80 deletions.
diff --git a/keylime-agent/src/config.rs b/keylime-agent/src/config.rs
@@ -501,34 +501,39 @@ fn config_translate_keywords(
         &config.agent.agent_data_path,
         keylime_dir,
         DEFAULT_AGENT_DATA_PATH,
+        false,
     );
 
     let mut ima_ml_path = config_get_file_path(
         "ima_ml_path",
         &config.agent.ima_ml_path,
         root_path,
         DEFAULT_IMA_ML_PATH,
+        false,
     );
 
     let mut measuredboot_ml_path = config_get_file_path(
         "measuredboot_ml_path",
         &config.agent.measuredboot_ml_path,
         root_path,
         DEFAULT_MEASUREDBOOT_ML_PATH,
+        false,
     );
 
     let mut server_key = config_get_file_path(
         "server_key",
         &config.agent.server_key,
         keylime_dir,
         DEFAULT_SERVER_KEY,
+        false,
     );
 
     let mut server_cert = config_get_file_path(
         "server_cert",
         &config.agent.server_cert,
         keylime_dir,
         DEFAULT_SERVER_CERT,
+        false,
     );
 
     let trusted_client_ca: String =
@@ -540,6 +545,7 @@ fn config_translate_keywords(
                     t,
                     keylime_dir,
                     DEFAULT_TRUSTED_CLIENT_CA,
+                    false,
                 )
             })
             .collect::<Vec<_>>()
@@ -550,13 +556,15 @@ fn config_translate_keywords(
         &config.agent.iak_cert,
         keylime_dir,
         DEFAULT_IAK_CERT,
+        true,
     );
 
     let mut idevid_cert = config_get_file_path(
         "idevid_cert",
         &config.agent.idevid_cert,
         keylime_dir,
         DEFAULT_IDEVID_CERT,
+        true,
     );
 
     let ek_handle = match config.agent.ek_handle.as_ref() {
@@ -630,6 +638,7 @@ fn config_translate_keywords(
         &config.agent.revocation_cert,
         keylime_dir,
         &format!("secure/unzipped/{DEFAULT_REVOCATION_CERT}"),
+        false,
     );
 
     Ok(KeylimeConfig {
@@ -657,18 +666,23 @@ fn config_translate_keywords(
 /// Expand a file path from the configuration file.
 ///
 /// If the string is set as "default", return the provided default path relative from the provided work_dir.
-/// If the string is empty, use again the default value
+/// If the string is empty, use the default value unless the 'leave_empty' is 'true'
 /// If the string is a relative path, return the path relative from the provided work_dir
 /// If the string is an absolute path, return the path without change.
 fn config_get_file_path(
     option: &str,
     path: &str,
     work_dir: &Path,
     default: &str,
+    leave_empty: bool,
 ) -> String {
     match path {
         "default" => work_dir.join(default).display().to_string(),
         "" => {
+            if leave_empty {
+                return "".to_string();
+            }
+
             warn!("Empty string provided in configuration option {option}, using default {default}");
             work_dir.join(default).display().to_string()
         }
@@ -1107,7 +1121,7 @@ mod tests {
 
         let translated: Vec<String> = list
             .iter()
-            .map(|e| config_get_file_path("test", e, workdir, default))
+            .map(|e| config_get_file_path("test", e, workdir, default, false))
             .collect();
 
         assert_eq!(
@@ -1122,5 +1136,13 @@ mod tests {
             ],
             translated
         );
+
+        let translated =
+            config_get_file_path("test", "", workdir, "default", true);
+        assert_eq!("", translated);
+
+        let translated =
+            config_get_file_path("test", "", workdir, "default", false);
+        assert_eq!("/workdir/default", translated);
     }
 }
diff --git a/keylime-agent/src/main.rs b/keylime-agent/src/main.rs
@@ -436,22 +436,30 @@ async fn main() -> Result<()> {
 
     // If using IAK/IDevID is enabled, obtain IAK/IDevID and respective certificates
     let mut device_id = if config.agent.enable_iak_idevid {
-        Some(
-            DeviceIDBuilder::new()
-                .iak_handle(&config.agent.iak_handle)
-                .iak_cert_path(&config.agent.iak_cert)
-                .iak_password(&config.agent.iak_password)
-                .iak_template(&config.agent.iak_idevid_template)
-                .iak_asym_alg(&config.agent.iak_idevid_asymmetric_alg)
-                .iak_hash_alg(&config.agent.iak_idevid_name_alg)
-                .idevid_handle(&config.agent.idevid_handle)
-                .idevid_cert_path(&config.agent.idevid_cert)
-                .idevid_password(&config.agent.idevid_password)
-                .idevid_template(&config.agent.iak_idevid_template)
-                .idevid_asym_alg(&config.agent.iak_idevid_asymmetric_alg)
-                .idevid_hash_alg(&config.agent.iak_idevid_name_alg)
-                .build(&mut ctx)?,
-        )
+        let mut builder = DeviceIDBuilder::new()
+            .iak_handle(&config.agent.iak_handle)
+            .iak_password(&config.agent.iak_password)
+            .iak_default_template(config::DEFAULT_IAK_IDEVID_TEMPLATE)
+            .iak_template(&config.agent.iak_idevid_template)
+            .iak_asym_alg(&config.agent.iak_idevid_asymmetric_alg)
+            .iak_hash_alg(&config.agent.iak_idevid_name_alg)
+            .idevid_handle(&config.agent.idevid_handle)
+            .idevid_cert_path(&config.agent.idevid_cert)
+            .idevid_password(&config.agent.idevid_password)
+            .idevid_default_template(config::DEFAULT_IAK_IDEVID_TEMPLATE)
+            .idevid_template(&config.agent.iak_idevid_template)
+            .idevid_asym_alg(&config.agent.iak_idevid_asymmetric_alg)
+            .idevid_hash_alg(&config.agent.iak_idevid_name_alg);
+
+        if !&config.agent.iak_cert.is_empty() {
+            builder = builder.iak_cert_path(&config.agent.iak_cert);
+        }
+
+        if !&config.agent.idevid_cert.is_empty() {
+            builder = builder.idevid_cert_path(&config.agent.idevid_cert);
+        }
+
+        Some(builder.build(&mut ctx)?)
     } else {
         None
     };
@@ -617,15 +625,15 @@ async fn main() -> Result<()> {
                 ek_result.ek_cert,
                 &PublicBuffer::try_from(ak.public)?.marshall()?,
                 Some(
-                    &PublicBuffer::try_from(dev_id.iak.public.clone())?
+                    &PublicBuffer::try_from(dev_id.iak_pubkey.clone())?
                         .marshall()?,
                 ),
                 Some(
-                    &PublicBuffer::try_from(dev_id.idevid.public.clone())?
+                    &PublicBuffer::try_from(dev_id.idevid_pubkey.clone())?
                         .marshall()?,
                 ),
-                Some(dev_id.idevid_cert.clone()),
-                Some(dev_id.iak_cert.clone()),
+                dev_id.idevid_cert.clone(),
+                dev_id.iak_cert.clone(),
                 Some(attest.marshall()?),
                 Some(signature.marshall()?),
                 mtls_cert,