Add send data to registrar, receive key blob, activate agent

Signed-off-by: Lily Sturmann <[email protected]> Co-authored-by: Luke Hinds <[email protected]>, Patrick Uiterwijk <[email protected]>
keylime · Mar 3, 2021 · 2f81d37 · 2f81d37
1 parent 93dd8fb
commit 2f81d37
Showing 1 changed file with 61 additions and 8 deletions.
diff --git a/src/main.rs b/src/main.rs
@@ -30,11 +30,6 @@
 //  missing_docs: there is many functions missing documentations for now
 #![allow(unused, missing_docs)]
 
-use log::*;
-
-use futures::future::TryFutureExt;
-use futures::try_join;
-
 mod cmd_exec;
 mod common;
 mod crypto;
@@ -49,14 +44,26 @@ mod tpm;
 
 use actix_web::{web, App, HttpServer};
 use common::config_get;
+use error::{Error, Result};
+use futures::future::TryFutureExt;
+use futures::try_join;
+use log::*;
+use openssl::{hash::MessageDigest, pkey::PKey, sign::Signer};
+use std::convert::TryFrom;
 use std::fs::File;
 use std::io::BufReader;
 use std::io::Read;
 use std::path::Path;
+use tss_esapi::{
+    constants::algorithm::AsymmetricAlgorithm,
+    interface_types::resource_handles::Hierarchy,
+    utils::{
+        self, AsymSchemeUnion, ObjectAttributes, Tpm2BPublicBuilder,
+        TpmsEccParmsBuilder,
+    },
+};
 use uuid::Uuid;
 
-use error::{Error, Result};
-
 static NOTFOUND: &[u8] = b"Not Found";
 
 fn get_uuid(agent_uuid_config: &str) -> String {
@@ -96,11 +103,57 @@ async fn main() -> Result<()> {
         warn!("INSECURE: The security of Keylime is NOT linked to a hardware root of trust.");
         warn!("INSECURE: Only use Keylime in this mode for testing or debugging purposes.");
     }
+
+    // Gather EK and AK key values and certs
+    let (ek_handle, ek_cert, ek_tpm2b_pub) =
+        tpm::create_ek(&mut ctx, Some(AsymmetricAlgorithm::Rsa))?;
+
+    let (ak_handle, ak_name, ak_tpm2b_pub) =
+        tpm::create_ak(&mut ctx, ek_handle)?;
+
+    // Gather configs
     let cloudagent_ip =
         config_get("/etc/keylime.conf", "cloud_agent", "cloudagent_ip")?;
     let cloudagent_port =
         config_get("/etc/keylime.conf", "cloud_agent", "cloudagent_port")?;
-    info!("Starting server...");
+    let registrar_ip =
+        config_get("/etc/keylime.conf", "registrar", "registrar_ip")?;
+    let registrar_port =
+        config_get("/etc/keylime.conf", "registrar", "registrar_port")?;
+    let agent_uuid_config =
+        config_get("/etc/keylime.conf", "cloud_agent", "agent_uuid")?;
+    let agent_uuid = get_uuid(&agent_uuid_config);
+
+    {
+        // Request keyblob material
+        let keyblob = registrar_agent::do_register_agent(
+            &registrar_ip,
+            &registrar_port,
+            &agent_uuid,
+            &ek_tpm2b_pub,
+            &ek_cert,
+            &ak_tpm2b_pub,
+        )
+        .await?;
+        let key = tpm::activate_credential(
+            &mut ctx, keyblob, ak_handle, ek_handle,
+        )?;
+        let mackey = base64::encode(key.value());
+        let mackey = PKey::hmac(&mackey.as_bytes())?;
+        let mut signer = Signer::new(MessageDigest::sha384(), &mackey)?;
+        signer.update(agent_uuid.as_bytes());
+        let auth_tag = signer.sign_to_vec()?;
+        let auth_tag = hex::encode(&auth_tag);
+
+        registrar_agent::do_activate_agent(
+            &registrar_ip,
+            &registrar_port,
+            &agent_uuid,
+            &auth_tag,
+        )
+        .await?;
+    }
+
     let actix_server = HttpServer::new(move || {
         App::new()
             .service(