Implement changes for registrar call #158
Conversation
lkatalin
force-pushed
the
registrar
branch
2 times, most recently
from
2c70672 to
d7e990b
Compare
lkatalin
force-pushed
the
registrar
branch
5 times, most recently
from
3fc62de to
152c848
Compare
|
This looks good from my POV! |
src/registrar_agent.rs
Outdated
|
|
||
| #[derive(Debug, Serialize, Deserialize)] | ||
| pub struct Register<'a> { | ||
| ek: &'a [u8], |
There was a problem hiding this comment.
This is an str, since it's PEM encoded
src/registrar_agent.rs
Outdated
| ekcert: &'a [u8], | ||
| #[serde(serialize_with = "serialize_as_base64")] | ||
| ek_tpm: &'a [u8], | ||
| aik: &'a [u8], |
src/registrar_agent.rs
Outdated
| .json(&data) | ||
| .send() | ||
| .await? | ||
| .json() |
There was a problem hiding this comment.
This will fail if the server returned an error, because then code is non-200 and status is not success, and it won't have a results block.
There was a problem hiding this comment.
I moved the status code check to be before this .json() is called and just used the built-in reqwest::StatusCode method.
|
@puiterwijk Let me know when you have a good idea of the changes you have / want on this one in addition to your comments above. |
lkatalin
force-pushed
the
registrar
branch
2 times, most recently
from
b914ab6 to
01e6c2a
Compare
lkatalin
force-pushed
the
registrar
branch
2 times, most recently
from
2f81d37 to
5fa2f9a
Compare
src/registrar_agent.rs
Outdated
| let resp = reqwest::Client::new().put(&addr).json(&data).send().await?; | ||
|
|
||
| if !resp.status().is_success() { | ||
| return Err(anyhow!( |
There was a problem hiding this comment.
Maybe it makes sense to use one of our custom error types here instead of anyhow? I could see a case for either.
There was a problem hiding this comment.
I ended up using a custom type so that we can check the status codes.
| config_get("/etc/keylime.conf", "cloud_agent", "agent_uuid")?; | ||
| let agent_uuid = get_uuid(&agent_uuid_config); | ||
|
|
||
| { |
There was a problem hiding this comment.
@puiterwijk What is the purpose of this bracket? I believe this is from your changes.
There was a problem hiding this comment.
that does not look like a strange scope, is the compiler not complaining about this?
There was a problem hiding this comment.
So, that was a bracket I put in place to make the scope for keyblob smaller. That means that outside of the closing bracket, the keyblob is no longer valid.
Given that the Rust compiler calls drop as soon as something goes out of scope, that means that as soon as the closing bracket is hit, the keyblob is erased from memory (since it's Zeroize).
There was a problem hiding this comment.
This was basically because this activation step is in the main() function, which keeps running until the entire agent terminates.
And I didn't want to have secrets lingering in memory during the full runtime.
There was a problem hiding this comment.
That makes sense! Good thinking.
Signed-off-by: Lily Sturmann <[email protected]> Co-authored-by: Luke Hinds <[email protected]>
Signed-off-by: Lily Sturmann <[email protected]> Co-authored-by: Luke Hinds <[email protected]>, Patrick Uiterwijk <[email protected]>
Signed-off-by: Lily Sturmann <[email protected]> Co-authored-by: Luke Hinds <[email protected]>
Signed-off-by: Lily Sturmann <[email protected]> Co-authored-by: Patrick Uiterwijk <[email protected]>
Signed-off-by: Lily Sturmann <[email protected]> Co-authored-by: Luke Hinds <[email protected]>, Patrick Uiterwijk <[email protected]>
|
I've added some unit testing for |
| config_get("/etc/keylime.conf", "cloud_agent", "agent_uuid")?; | ||
| let agent_uuid = get_uuid(&agent_uuid_config); | ||
|
|
||
| { |
There was a problem hiding this comment.
that does not look like a strange scope, is the compiler not complaining about this?
| &auth_tag, | ||
| ) | ||
| .await?; | ||
| } |
There was a problem hiding this comment.
This is the closing bracket: after we activate, we no longer need keyblob.
There was a problem hiding this comment.
Yeah, I did notice it created its own scope that lasted until this line, I just wasn't sure why.
This PR adds relevant prerequisites and then uses
create_ek()to retrieve the EK cert and pubkey and adds functions to retrieve the AK pubkey as well. It sends all of this data to the registrar. Much of it was written or co-written by @lukehinds so I have included him on those commits. Supersedes #149 .Fixes #119
Fixes #95
@lukehinds @puiterwijk I'm especially interested in making sure thecreate_ak()function is correct.Currently needs to be rebased on Update error handling for revocation scripts #162 to pass CI.
TODO: I can also add unit testing with
reqwest_mock.