
Add certificates and certificate checking for IDevID and IAK keys #669

Merged
merged 5 commits into from
Nov 14, 2023

Conversation

Isaac-Matthews
Contributor

@Isaac-Matthews Isaac-Matthews commented Oct 3, 2023

This is the next set of PRs to enable the use of IDevIDs and IAKs as proposed in enhancement 81.
The previous PRs added IDevID and IAK creation, sending, storing and using to verify: keylime PR, rust-keylime PR
The modifications to the Keylime repositories are:

Keylime
Columns for IDevID and IAK certificates
Config to require IDevID and IAK
IDevID and IAK certificate checks
Tests for cert checks

Rust-Keylime
IDevID and IAK certificate config options
Loading and sending IDevID and IAK certificates from paths

In this PR the certificates must be loaded from path. In future, the ability to load from TPM nvram will need to be added.

@codecov

codecov bot commented Oct 17, 2023

Codecov Report

Merging #669 (e1688ba) into master (39e869c) will decrease coverage by 1.36%.
Report is 1 commit behind head on master.
The diff coverage is 41.66%.

Additional details and impacted files
Flag Coverage Δ
e2e-testsuite 54.21% <41.66%> (-1.45%) ⬇️
upstream-unit-tests 53.27% <34.14%> (-0.19%) ⬇️

Flags with carried forward coverage won't be shown.

Files Coverage Δ
keylime-agent/src/main.rs 62.78% <ø> (-27.55%) ⬇️
keylime-agent/src/registrar_agent.rs 96.07% <80.00%> (-1.75%) ⬇️
keylime-agent/src/config.rs 78.38% <84.21%> (-0.25%) ⬇️
keylime-agent/src/crypto.rs 71.13% <0.00%> (-11.29%) ⬇️

... and 4 files with indirect coverage changes

@Isaac-Matthews Isaac-Matthews marked this pull request as ready for review October 18, 2023 09:14
@stefanberger
Contributor

stefanberger commented Nov 2, 2023

I have the registrar in the mode that it requires iak + idevid. On the registrar I now see this here when starting the agent with the first line from my debugging added:

2023-11-02 17:52:14.047 - keylime.registrar - ERROR - idevid_cert: None iak_cert: None
2023-11-02 17:52:14.047 - keylime.registrar - WARNING - POST for d432fbb3-d2f1-4a97-9ef7-75bd81c00000 returning 400 response. Error: argument should be a bytes-like object or ASCII string, not 'NoneType'
2023-11-02 17:52:14.048 - keylime.registrar - ERROR - argument should be a bytes-like object or ASCII string, not 'NoneType'
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/keylime/registrar_common.py", line 339, in do_POST
    base64.b64decode(idevid_cert), base64.b64decode(iak_cert), config.get("tenant", "tpm_cert_store")
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/base64.py", line 83, in b64decode
    s = _bytes_from_decode_data(s)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/base64.py", line 45, in _bytes_from_decode_data
    raise TypeError("argument should be a bytes-like object or ASCII "
TypeError: argument should be a bytes-like object or ASCII string, not 'NoneType'

The agent then terminates:

# keylime_agent
Error: Registrar { addr: "http://127.0.0.1:8890/v2.0/agents/d432fbb3-d2f1-4a97-9ef7-75bd81c00000", code: 400 }

The relevant part from the config file is:

# Enable IDevID and IAK usage and set their algorithms.
# Choosing a template will override the name and asymmetric algorithm choices.
# Templates are specified in the TCG document found here, section 7.3.4:
# https://trustedcomputinggroup.org/wp-content/uploads/TPM-2p0-Keys-for-Device-Identity-and-Attestation_
#
# Accepted values:
# iak_idevid_asymmetric_alg:   rsa, ecc
# iak_idevid_name_alg:        sha256, sm3_256, sha384, sha512
# iak_idevid_template:        H-1, H-2, H-3, H-4, H-5
# Leave template as "" in order to use asymmetric and name algorithm options
enable_iak_idevid = true
iak_idevid_asymmetric_alg = "ecc"
iak_idevid_name_alg = "sha384"
iak_idevid_template = "H-3"

# The name of the file containing the X509 IAK certificate.
# If set as "default", the "iak-cert.crt" value is used
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override iak_cert, set KEYLIME_AGENT_IAK_CERT environment variable.
iak_cert = "/root/iak.crt"

# The name of the file containing the X509 IDevID certificate.
# If set as "default", the "idevid-cert.crt" value is used
# If a relative path is set, it will be considered relative from the keylime_dir.
# If an absolute path is set, it is used without change.
#
# To override idevid_cert, set KEYLIME_AGENT_IDEVID_CERT environment variable.
idevid_cert = "/root/idevid.crt"

The two files are here:

# ls -l *.crt
-rw-r--r--. 1 root root 843 Nov  2 17:50 iak.crt
-rw-r--r--. 1 root root 843 Nov  2 17:50 idevid.crt
# openssl verify -CAfile /var/lib/keylime/tpm_cert_store/bundle.pem iak.crt
iak.crt: OK
# openssl verify -CAfile /var/lib/keylime/tpm_cert_store/bundle.pem idevid.crt
idevid.crt: OK

It doesn't seem to read the files, otherwise iak_cert and idevid_cert should not be None on the registrar side.
I have to set enable_iak_idevid = true in the agent config file. I suppose the other parameters do not matter in case of files, though I think I have them correct.

Regarding the other parameters: The better identification for the certs to use would IMO be something like rsa-2048, nist-p256, nist-p384, etc. where each one implies all of RSA or ECC, the name hash that's associated with it, and the template identifier, and also in the future the NVRAM location. What would happen if someone was using a wrong combination of RSA + name_alg and template? I also don't think people should have to look at the specs to figure out H-1 vs H-3 etc.

@ansasaki
Contributor

ansasaki commented Nov 2, 2023

The two files are here:

# ls -l *.crt
-rw-r--r--. 1 root root 843 Nov  2 17:50 iak.crt
-rw-r--r--. 1 root root 843 Nov  2 17:50 idevid.crt
# openssl verify -CAfile /var/lib/keylime/tpm_cert_store/bundle.pem iak.crt
iak.crt: OK
# openssl verify -CAfile /var/lib/keylime/tpm_cert_store/bundle.pem idevid.crt
idevid.crt: OK

Shouldn't these certificates be respectively in /root/iak.crt and /root/idevid.crt? These are the paths you set in the configuration file.

It doesn't seem to read the files, otherwise iak_cert and idevid_cert should not be None on the registrar side. I have to set enable_iak_idevid = true in the agent config file. I suppose the other parameters do not matter in case of files, though I think I have them correct.

Regarding the other parameters: The better identification for the certs to use would IMO be something like rsa-2048, nist-p256, nist-p384, etc. where each one implies all of RSA or ECC, the name hash that's associated with it, and the template identifier. What would happen if someone was using a wrong combination of RSA + name_alg and template? I also don't think people should have to look at the specs to figure out H-1 vs H-3 etc.

About this, I agree that we shouldn't expect the users to know what H-1 translates to by heart. At least a table with the meaning of this should be added as comments in the configuration file (and if added, also add the comment to the templates in the keylime/keylime repo).

@stefanberger
Contributor

The two files are here:

# ls -l *.crt
-rw-r--r--. 1 root root 843 Nov  2 17:50 iak.crt
-rw-r--r--. 1 root root 843 Nov  2 17:50 idevid.crt
# openssl verify -CAfile /var/lib/keylime/tpm_cert_store/bundle.pem iak.crt
iak.crt: OK
# openssl verify -CAfile /var/lib/keylime/tpm_cert_store/bundle.pem idevid.crt
idevid.crt: OK

Shouldn't these certificates be respectively in /root/iak.crt and /root/idevid.crt? These are the paths you set in the configuration file.

They are at these locations. Sorry, didn't show full path:

# ls -l /root/*.crt
-rw-r--r--. 1 root root 843 Nov  2 17:50 /root/iak.crt
-rw-r--r--. 1 root root 843 Nov  2 17:50 /root/idevid.crt

@Isaac-Matthews
Contributor Author

It doesn't seem to read the files, otherwise iak_cert and idevid_cert should not be None on the registrar side.
I have to set enable_iak_idevid = true in the agent config file. I suppose the other parameters do not matter in case of files, though I think I have them correct.

That seems to be a bug with it not using a custom path to specify the certs. I will take a look at this.

Regarding the other parameters: The better identification for the certs to use would IMO be something like rsa-2048, nist-p256, nist-p384, etc. where each one implies all of RSA or ECC, the name hash that's associated with it, and the template identifier, and also in the future the NVRAM location. What would happen if someone was using a wrong combination of RSA + name_alg and template? I also don't think people should have to look at the specs to figure out H-1 vs H-3 etc.

About this, I agree that we shouldn't expect the users to know what H-1 translates to by heart. At least a table with the meaning of this should be added as comments in the configuration file (and if added, also add the comment to the templates in the keylime/keylime repo).

I can add a table with more detail in the various configuration files etc. For clarity though, the user does not need to match H-n to any algorithms: if a template is specified (e.g. H-3) and the user leaves or incorrectly modifies the name_alg and asymmetric_alg fields (e.g. rsa, sha256), they are just ignored anyway as a template is being used, so the name and asym algs specified in the template take precedence. I did mention this in the config file, but I can add more info maybe just above the template field for extra clarity.

@stefanberger
Contributor

I can add a table with more detail in the various configuration files etc. For clarity though, the user does not need to match H-n to any algorithms: if a template is specified (e.g. H-3) and the user leaves or incorrectly modifies the name_alg and asymmetric_alg fields (e.g. rsa, sha256), they are just ignored anyway as a template is being used, so the name and asym algs specified in the template take precedence. I did mention this in the config file, but I can add more info maybe just above the template field for extra clarity.

Where does one get the certificates from today? The TCG spec doesn't define it for infrastructure support and so far there are no (publicly known) NVRAM locations, either. If there's a way to get it from multiple sources, should the agent not just take the best (strongest) key it can find, so work its way from trying to use a nist-p521 down to an rsa-2048 key?

@Isaac-Matthews
Contributor Author

I think currently an IDevID cert would be provided alongside a device on purchase, and would be stored in an inventory system, along with probably somewhere on the device. There is no spec for this as you said so it is up to the user at the moment to know where their certs are and point keylime at them or add them to the keylime directory. As far as I know there would not be multiple sources.

When an NVRAM spec becomes available we will be able to make this much more automatic for users going forward.

@Isaac-Matthews
Contributor Author

@stefanberger
I can't seem to recreate the issue you had. I have tried alternative paths and filenames but still get the registration. Looking back through the rust I don't think it can be a path issue actually but something else going on. Presumably you haven't set your environmental variables for these config options as that could be overwriting?

@Isaac-Matthews
Contributor Author

@stefanberger sorry for the spam but I have just had a thought. Could you attach the journalctl logs for the agent? Also are you using DER certs for the IAK and IDevID? PEM will not work (DER is specified by the spec but I suppose we should at least add an informative message even if that isn't the issue if not just enable using PEM IDevIDs and IAKs.)

Signed-off-by: Isaac Matthews <[email protected]>
Signed-off-by: Isaac Matthews <[email protected]>
@Isaac-Matthews
Contributor Author

I have added a fix for rsapss, and allowed the use of pem idevid and iak certs. Could you check if you are still getting issues after these changes?
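An added illustration, not Keylime's own code, covering two points from this thread: the registrar traceback above (base64.b64decode(None) raising a TypeError and surfacing as an opaque 400) and the later change to accept PEM as well as DER IAK/IDevID certificates. It shows a registrar-side check that rejects a registration lacking the certificates with a clear message before decoding, and a loader that normalises PEM or DER input to DER and validates the outer DER framing. Function names, the require_iak_idevid flag and the sample DER bytes are assumptions.

```python
# Added illustration, not Keylime code: names and the require_iak_idevid flag are assumed.
import base64
import binascii
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)
def pem_or_der_to_der(cert: bytes) -> bytes:
    """Return DER bytes for a cert given as PEM or DER; raise ValueError otherwise."""
    m = PEM_RE.search(cert)
    if m:  # PEM: strip the armour and decode the base64 body to DER
        try:
            cert = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except binascii.Error as e:
            raise ValueError(f"malformed PEM body: {e}") from e
    # A DER cert is an outer SEQUENCE (0x30) whose encoded length must cover the
    # whole buffer; check that framing instead of trusting the sender.
    if len(cert) < 2 or cert[0] != 0x30:
        raise ValueError("not a DER certificate: missing outer SEQUENCE")
    first = cert[1]
    if first < 0x80:  # short-form length
        hdr, length = 2, first
    else:  # long-form: low 7 bits give the number of length bytes that follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(cert) < 2 + n:
            raise ValueError("invalid DER length encoding")
        hdr, length = 2 + n, int.from_bytes(cert[2:2 + n], "big")
    if hdr + length != len(cert):
        raise ValueError("DER length does not match certificate size")
    return cert

def check_registration(body: dict, require_iak_idevid: bool):
    """Return (status, detail, idevid_der, iak_der) for a registration request;
    a missing field gives a 400 with a message, not a TypeError from b64decode(None)."""
    idevid_b64, iak_b64 = body.get("idevid_cert"), body.get("iak_cert")
    if idevid_b64 is None or iak_b64 is None:
        if require_iak_idevid:
            return 400, "IDevID and IAK certificates are required", None, None
        return 200, "registered without IDevID/IAK", None, None
    try:
        idevid = pem_or_der_to_der(base64.b64decode(idevid_b64, validate=True))
        iak = pem_or_der_to_der(base64.b64decode(iak_b64, validate=True))
    except (binascii.Error, ValueError) as e:
        return 400, f"invalid IDevID/IAK certificate: {e}", None, None
    return 200, "certificates accepted; proceed to chain verification", idevid, iak

# Constructed sample: a minimal DER SEQUENCE (not a real certificate) and its PEM form.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

Chain verification against the tpm_cert_store bundle would follow on the returned DER bytes; this block only covers the input validation that the traceback shows was missing.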

@stefanberger
Contributor

I have added a fix for rsapss, and allowed the use of pem idevid and iak certs. Could you check if you are still getting issues after these changes?

I have DER certs that I read from the NVRAM locations of swtpm. The problems are still the same, the registrar only gets None.

@stefanberger
Contributor

Here are my two base64-encoded certs:

iak.crt: (base64 blob omitted)

idevid.crt: (base64 blob omitted)

Signed-off-by: Isaac Matthews <[email protected]>
@stefanberger
Contributor

It works for me now. Certs need to be put into directories the keylime user has access to, so /root/iak.crt doesn't work...

@Isaac-Matthews
Contributor Author

/packit retest-failed

Contributor

@stefanberger stefanberger left a comment

LGTM

Review comments on keylime-agent/src/crypto.rs (6) and keylime-agent/src/main.rs (4): outdated, resolved.
@keylime-bot keylime-bot assigned Isaac-Matthews and unassigned ashcrow, ueno and THS-on Nov 14, 2023
Signed-off-by: Isaac Matthews <[email protected]>
@Isaac-Matthews
Contributor Author

/packit retest-failed

@ansasaki ansasaki merged commit 33d624d into keylime:master Nov 14, 2023
10 of 11 checks passed