add support for "hash_ek" UUID creation

Signed-off-by: Thore Sommer <[email protected]>
keylime · May 26, 2022 · c9e9c08 · c9e9c08
1 parent aa6b8e5
commit c9e9c08
Show file tree

Hide file tree

Showing 5 changed files with 60 additions and 7 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -29,6 +29,8 @@ hex = "0.4"
 libc = "0.2.43"
 log = "0.4"
 openssl = "0.10.15"
+picky-asn1-der = "0.3.1"
+picky-asn1-x509 = "0.6.1"
 pretty_env_logger = "0.4"
 reqwest = {version = "0.11", features = ["json"]}
 rust-ini = "0.17"

diff --git a/src/common.rs b/src/common.rs
@@ -6,6 +6,11 @@ use crate::error::{Error, Result};
 use crate::permissions;
 use ini::Ini;
 use log::*;
+use openssl::{
+    hash::{hash, MessageDigest},
+    pkey::PKey,
+};
+use picky_asn1_x509::SubjectPublicKeyInfo;
 use serde::{Deserialize, Serialize};
 use serde_json::{json, Value};
 use std::convert::TryFrom;
@@ -15,7 +20,9 @@ use std::fmt::Debug;
 use std::fs::File;
 use std::path::{Path, PathBuf};
 use std::str::FromStr;
-use tss_esapi::{structures::PcrSlot, utils::TpmsContext};
+use tss_esapi::{
+    structures::PcrSlot, structures::Public, utils::TpmsContext,
+};
 use uuid::Uuid;
 
 /*
@@ -380,6 +387,19 @@ impl KeylimeConfig {
             run_as,
         })
     }
+
+    // Update function for the uuid if it is set to "hash_ek"
+    pub fn set_ek_uuid(&mut self, ek_pub: Public) -> Result<()> {
+        // Converting Public TPM key to PEM
+        let key = SubjectPublicKeyInfo::try_from(ek_pub)?;
+        let key_der = picky_asn1_der::to_vec(&key)?;
+        let openssl_key = PKey::public_key_from_der(&key_der)?;
+        let pem = openssl_key.public_key_to_pem()?;
+
+        let mut hash = hash(MessageDigest::sha256(), &pem)?;
+        self.agent_uuid = hex::encode(hash);
+        Ok(())
+    }
 }
 
 // Default test configuration. This should match the defaults in keylime.conf
@@ -437,7 +457,8 @@ fn get_uuid(agent_uuid_config: &str) -> String {
             "openstack".into()
         }
         "hash_ek" => {
-            info!("hash_ek placeholder...");
+            info!("Using hashed EK as UUID");
+            // DO NOT change this to something else. It is used by KeylimeConfig to later set the correct value.
             "hash_ek".into()
         }
         "generate" => {

diff --git a/src/error.rs b/src/error.rs
@@ -78,6 +78,8 @@ pub(crate) enum Error {
     Persist(#[from] tempfile::PersistError),
     #[error("Error joining threads: {0}")]
     Join(#[from] tokio::task::JoinError),
+    #[error("Asn1DerError: {0}")]
+    PickyAsn1(#[from] picky_asn1_der::Asn1DerError),
     #[error("{0}")]
     Other(String),
 }

diff --git a/src/main.rs b/src/main.rs
@@ -389,7 +389,7 @@ async fn main() -> Result<()> {
     };
 
     // Load config
-    let config = KeylimeConfig::build()?;
+    let mut config = KeylimeConfig::build()?;
 
     // The agent cannot run when a payload script is defined, but mTLS is disabled and insecure
     // payloads are not explicitly enabled
@@ -497,6 +497,10 @@ async fn main() -> Result<()> {
         }
     };
 
+    if config.agent_uuid == "hash_ek" {
+        config.set_ek_uuid(ek_result.public)?;
+    }
+
     info!("Agent UUID: {}", config.agent_uuid);
 
     // Generate key pair for secure transmission of u, v keys. The u, v