VERIFIER: receive from js the whitelist db name
AleCla97 committed May 2, 2024
1 parent d35ddac commit 7d3af5a
Showing 5 changed files with 91 additions and 29 deletions.
10 changes: 1 addition & 9 deletions TODO
@@ -1,20 +1,12 @@

1
join service output integrity report and agent untrusted

2
agent ip from socket => https://stackoverflow.com/questions/2283494/get-ip-address-of-an-interface-on-linux
goldevalues creation rework
exclude list with regex
dashboard

3

OEM server with golden value for the verifiers to download
parameter for config file path
debug print level
file log
support multi db
support for other attestation schemes
PCR configurables at agent side and send them to js

sleep value for verifier thread as config params
45 changes: 36 additions & 9 deletions src/join_service/join_service.c
Expand Up @@ -41,6 +41,7 @@ struct ak_db_entry {
char uuid[1024];
char ip[100];
unsigned char ak_pem[1024];
char whitelist[1024];
int confirmed;
int validity;
bool Continue;
Expand Down Expand Up @@ -169,8 +170,9 @@ static struct ak_db_entry *retrieve_ak(char *uuid){
strcpy(ak_entry->uuid, (char *) sqlite3_column_text(res, 0));
strcpy((char *) ak_entry->ak_pem, (char *) sqlite3_column_text(res, 1));
strcpy(ak_entry->ip, (char *) sqlite3_column_text(res, 2));
ak_entry->validity = atoi((char *) sqlite3_column_text(res, 3));
ak_entry->confirmed = atoi((char *) sqlite3_column_text(res, 4));
strcpy(ak_entry->whitelist, (char *) sqlite3_column_text(res, 3));
ak_entry->validity = atoi((char *) sqlite3_column_text(res, 4));
ak_entry->confirmed = atoi((char *) sqlite3_column_text(res, 5));
#ifdef DEBUG
printf("%s: ", sqlite3_column_text(res, 0));
printf("%s\n", sqlite3_column_text(res, 1));
Expand Down Expand Up @@ -269,7 +271,7 @@ void *queue_manager(void *vargp){

fprintf(stdout, "INFO: Request attestation of agent uuid %s\n from verifier id %d\n", ak_entry->uuid, id);

snprintf(object, 4096, "{\"uuid\":\"%s\",\"ak_pem\":\"%s\",\"ip_addr\":\"%s\"}", ak_entry->uuid, ak_entry->ak_pem, ak_entry->ip);
snprintf(object, 4096, "{\"uuid\":\"%s\",\"ak_pem\":\"%s\",\"ip_addr\":\"%s\",\"whitelist_uri\":\"%s\"}", ak_entry->uuid, ak_entry->ak_pem, ak_entry->ip, ak_entry->whitelist);

mqtt_publish(c_mqtt, topic, object);

Expand Down Expand Up @@ -510,8 +512,8 @@ static int save_ak(struct ak_db_entry *ak_entry){
sqlite3 *db;
sqlite3_stmt *res;
char *sql = "SELECT * FROM attesters_credentials WHERE uuid=?;";
char *sql1 = "INSERT INTO attesters_credentials values (?, ?, ?, ?, ?);";
char *sql2 = "UPDATE attesters_credentials SET ak_pub=?, ip=? WHERE uuid=?;";
char *sql1 = "INSERT INTO attesters_credentials values (?, ?, ?, ?, ?, ?);";
char *sql2 = "UPDATE attesters_credentials SET ak_pub=?, ip=?, whitelist=? WHERE uuid=?;";
int rc = sqlite3_open_v2(js_config.db, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE | SQLITE_OPEN_URI, NULL);

if (rc != SQLITE_OK) {
Expand Down Expand Up @@ -552,12 +554,17 @@ static int save_ak(struct ak_db_entry *ak_entry){
sqlite3_close(db);
return -1;
}
rc = sqlite3_bind_int(res, 4, ak_entry->validity);
rc = sqlite3_bind_text(res, 4, (char *) ak_entry->whitelist, -1, SQLITE_TRANSIENT);
if (rc != SQLITE_OK ) {
sqlite3_close(db);
return -1;
}
rc = sqlite3_bind_int(res, 5, ak_entry->confirmed);
rc = sqlite3_bind_int(res, 5, ak_entry->validity);
if (rc != SQLITE_OK ) {
sqlite3_close(db);
return -1;
}
rc = sqlite3_bind_int(res, 6, ak_entry->confirmed);
if (rc != SQLITE_OK ) {
sqlite3_close(db);
return -1;
Expand Down Expand Up @@ -588,7 +595,12 @@ static int save_ak(struct ak_db_entry *ak_entry){
sqlite3_close(db);
return -1;
}
rc = sqlite3_bind_text(res, 3, ak_entry->uuid, -1, SQLITE_TRANSIENT);
rc = sqlite3_bind_text(res, 3, ak_entry->whitelist, -1, SQLITE_TRANSIENT);
if (rc != SQLITE_OK ) {
sqlite3_close(db);
return -1;
}
rc = sqlite3_bind_text(res, 4, ak_entry->uuid, -1, SQLITE_TRANSIENT);
if (rc != SQLITE_OK ) {
sqlite3_close(db);
return -1;
Expand Down Expand Up @@ -671,14 +683,16 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data)
"ek_cert_b64": "aaaaaaaaa",
"ak_pub_b64": "aaaaaaaa",
"ak_name_b64": "aaaaaaaa",
"ip_addr": "ip:port"
"ip_addr": "ip:port",
"whitelist_uri":"aaaaaa"
}
*/
unsigned char* uuid = (unsigned char *) mg_json_get_str(hm->body, "$.uuid");
unsigned char* ek_cert_b64 = (unsigned char *) mg_json_get_str(hm->body, "$.ek_cert_b64");
unsigned char* ak_pub_b64 = (unsigned char *) mg_json_get_str(hm->body, "$.ak_pub_b64");
unsigned char* ak_name_b64 = (unsigned char *) mg_json_get_str(hm->body, "$.ak_name_b64");
char* ip_addr = mg_json_get_str(hm->body, "$.ip_addr");
char* whitelist_uri = mg_json_get_str(hm->body, "$.whitelist_uri");
size_t ek_cert_len = B64DECODE_OUT_SAFESIZE(strlen((char *) ek_cert_b64));
size_t ak_name_len = B64DECODE_OUT_SAFESIZE(strlen((char *) ak_name_b64));

Expand All @@ -695,6 +709,8 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data)
free(ek_cert_b64);
free(ak_pub_b64);
free(ak_name_b64);
free(ip_addr);
free(whitelist_uri);
mg_http_reply(c, 500, NULL, "\n");
return;
}
Expand All @@ -712,6 +728,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data)
free(ek_cert_b64);
free(ak_pub_b64);
free(ip_addr);
free(whitelist_uri);
mg_http_reply(c, 500, NULL, "\n");
return;
}
Expand All @@ -726,6 +743,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data)
free(ek_cert_b64);
free(ip_addr);
free(ak_pub_b64);
free(whitelist_uri);
return;
}
else {
Expand Down Expand Up @@ -755,6 +773,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data)
free(ak_pub_b64);
free(ak_name_b64);
free(ip_addr);
free(whitelist_uri);
mg_http_reply(c, 500, NULL, "\n");
return;
}
Expand All @@ -767,6 +786,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data)
free(ek_cert_b64);
free(ak_pub_b64);
free(ip_addr);
free(whitelist_uri);
mg_http_reply(c, 500, NULL, "\n");
return;
}
Expand All @@ -779,6 +799,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data)
free(ak_name_b64);
free(ek_cert_buff);
free(ip_addr);
free(whitelist_uri);
mg_http_reply(c, 500, NULL, "\n");
return;
}
Expand All @@ -791,6 +812,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data)
free(ak_pub_b64);
free(ak_name_b64);
free(ip_addr);
free(whitelist_uri);
mg_http_reply(c, 500, NULL, "\n");
return;
}
Expand Down Expand Up @@ -828,6 +850,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data)
free(ak_name_buff);
free(out_buf);
free(ip_addr);
free(whitelist_uri);
mg_http_reply(c, 500, NULL, "\n");
return;
}
Expand All @@ -842,6 +865,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data)
free(out_buf);
free(mkcred_out_b64);
free(ip_addr);
free(whitelist_uri);
mg_http_reply(c, 500, NULL, "\n");
return;
}
Expand All @@ -850,6 +874,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data)
strcpy((char *) ak.ak_pem, (char *) ak_pub_b64);
strcpy(ak.uuid, (char *) uuid);
strcpy(ak.ip, ip_addr);
strcpy(ak.whitelist, whitelist_uri);
ak.confirmed = 0;
ak.validity = 0;

Expand All @@ -865,6 +890,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data)
free(ek_cert_b64);
free(ak_pub_b64);
free(ip_addr);
free(whitelist_uri);
}
else if (mg_http_match_uri(hm, API_CONFIRM_CREDENTIAL) && !strncmp(hm->method.ptr, POST, hm->method.len)) {
/* receive and verify the value calculated by the attester with tpm_activatecredential */
Expand Down Expand Up @@ -1167,6 +1193,7 @@ static int init_database(void){
uuid text NOT NULL,\
ak_pub text NOT NULL,\
ip text NOT NULL,\
whitelist text NOT NULL,\
validity INT NOT NULL,\
confirmed INT NOT NULL,\
PRIMARY KEY (uuid)\
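Review bot: `strcpy(ak.whitelist, whitelist_uri);` copies a value taken straight from the request body via `mg_json_get_str`, which returns NULL when the key is absent and imposes no length bound, so a missing or over-long `whitelist_uri` is a NULL dereference or an overflow of the 1024-byte `ak.whitelist`; the existing `ip_addr` copy has the same shape, but this hunk adds a new instance of it. Reject the value at the boundary before the copy, `if (whitelist_uri == NULL || strlen(whitelist_uri) >= sizeof ak.whitelist) { /* free the decoded buffers, mg_http_reply(c, 400, NULL, "\n"); return; }`, and then copy with `snprintf(ak.whitelist, sizeof ak.whitelist, "%s", whitelist_uri);`. Since the same string is later relayed verbatim to every verifier in the `whitelist_uri` field of the published object, this is also the cheapest place to restrict it to the URI shapes the verifier actually accepts. Separately, `whitelist text NOT NULL` is only added to the CREATE TABLE statement in `init_database`; a database created by an earlier build still has five columns and the new six-value INSERT in `save_ak` will fail at runtime, and presumably no migration exists, so at least document that the database must be recreated. `join_service_manager` starts and ends outside the hunk.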
10 changes: 5 additions & 5 deletions src/tpm_quote.c
Expand Up @@ -586,7 +586,7 @@ int verify_ima_log(tpm_challenge_reply *rply, sqlite3 *db, agent_list *agent){

/*No new event in the agent*/
if(rply->ima_log_size == 0 && agent->pcr10_sha256 != NULL && agent->pcr10_sha1 != NULL){
fprintf(stdout, "INFO: No IMA log received, compare the old PCR10 with received one:\n");
fprintf(stdout, "INFO: No IMA log received, compare the old PCR10 with received one\n");
goto PCR10;
}
else if(agent->pcr10_sha256 != NULL && agent->pcr10_sha1 != NULL){
Expand Down Expand Up @@ -638,10 +638,10 @@ int verify_ima_log(tpm_challenge_reply *rply, sqlite3 *db, agent_list *agent){
//verify that (name,hash) present in in golden values db
ret = check_goldenvalue(db, file_hash, path_name);
if(ret != 0){
printf("Event name: %s and hash value %s not found from golden values db!\n", path_name, file_hash);
free(path_name);
ret = GOLDEN_VALUE_MISMATCH;
goto error;
//printf("Event name: %s and hash value %s not found from golden values db!\n", path_name, file_hash);
//free(path_name);
//ret = GOLDEN_VALUE_MISMATCH;
//goto error;
}

free(path_name);
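Review bot: Commenting out the body of `if(ret != 0)` after `check_goldenvalue` means an IMA event whose (name, hash) pair is absent from the golden-value database is now accepted silently, so the `verify_ima_log` verdict no longer depends on the whitelist at all and the `Trusted agent` message in verifier.c can be reached for an agent running unknown binaries. If this is a temporary relaxation while whitelists are incomplete, it should be explicit and visible rather than dead code: keep a diagnostic such as `fprintf(stderr, "WARNING: event %s with hash %s not in golden values db\n", path_name, file_hash);` and gate the old `ret = GOLDEN_VALUE_MISMATCH; goto error;` behind a configuration flag so enforcement can be restored without a code change. Note also that `ret` keeps the non-zero value from `check_goldenvalue` when the branch body is skipped; if it is not reset later in the function, it may leak into the return value, but that part is outside the hunk. `verify_ima_log` starts and ends outside the hunk.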
2 changes: 1 addition & 1 deletion src/verifier/verifier.c
Expand Up @@ -54,7 +54,7 @@ int ra_challenge_verify(tpm_challenge_reply *rpl, agent_list *agent_data)
if (ret != 0){
fprintf(stderr, "ERROR: Untrusted agent. Reason: %s\n", get_error(ret));
} else {
fprintf(stdout, "INFO: Successful verification of IMA log and PCR10. Trust status: trusted \n");
fprintf(stdout, "INFO: Successful verification of IMA log and PCR10.\n Trusted agent\n");
}

end:
53 changes: 48 additions & 5 deletions src/verifier/verifier_http.c
Expand Up @@ -35,6 +35,33 @@ void create_attestation_thread(agent_list * agent);
int add_agent_data(agent_list * ptr);
int update_agent_data(agent_list * ptr);

bool parse_whitelist(char * gv, char * whitelist_uri){
struct stat st = {0};
struct mg_str whitelist_uri_str = mg_str(whitelist_uri);
char buff[1025];

if(mg_strstr(whitelist_uri_str, mg_str("file://")) != NULL){
snprintf(buff, 1025, "%s%s",verifier_config.whitelist_path, whitelist_uri_str.ptr + 7 );

if (stat(buff, &st) == -1) {
/*TODO DOWNLOAD WHITELIST*/
printf("ERROR missing whitelist file %s\n", buff);
return false;
}

snprintf(gv, 2048, "file:%s", buff);
return true;
} else
if (mg_strstr(whitelist_uri_str, mg_str("http")) != NULL){
/*TODO DOWNLOAD WHITELIST*/
printf("ERROR donwload wihitelist no implmented yet\n");
return false;
}

printf("ERROR unknow URI format file %s\n", whitelist_uri_str.ptr);
return false;
}

static void mqtt_handler(struct mg_connection *c, int ev, void *ev_data) {
if (ev == MG_EV_OPEN) {
MG_INFO(("%lu CREATED", c->id));
Expand All @@ -47,23 +74,28 @@ static void mqtt_handler(struct mg_connection *c, int ev, void *ev_data) {
MG_INFO(("%lu CONNECTED", c->id));
} else if (ev == MG_EV_MQTT_MSG) {
// When we get echo response, print it
char gv[2048];
struct mg_mqtt_message *mm = (struct mg_mqtt_message *) ev_data;
MG_INFO(("%lu RECEIVED %.*s <- %.*s", c->id, (int) mm->data.len,
mm->data.ptr, (int) mm->topic.len, mm->topic.ptr));
/*
{
"uuid": "aaaaaaaaa",
"ip_port": "aaaaaaaaa",
"ak_pub_b64": "aaaaaaaa"
"ak_pub_b64": "aaaaaaaa",
"whitelist_uri": "aaaaaaaa"
}
*/

char* uuid = mg_json_get_str(mm->data, "$.uuid");
char* ak_pub = mg_json_get_str(mm->data, "$.ak_pem");
char* ip_addr = mg_json_get_str(mm->data, "$.ip_addr");
char* whitelist_uri = mg_json_get_str(mm->data, "$.whitelist_uri");

agent_list *last_ptr = agent_list_find_uuid(uuid);

parse_whitelist(gv, whitelist_uri);

if(last_ptr != NULL){
last_ptr->running = false;
last_ptr->continue_polling = false;
Expand All @@ -72,7 +104,7 @@ static void mqtt_handler(struct mg_connection *c, int ev, void *ev_data) {
strcpy(last_ptr->ip_addr, ip_addr);
strcpy(last_ptr->ak_pub, ak_pub);
strcpy(last_ptr->uuid, uuid);
strcpy(last_ptr->gv_path, "file:/var/embrave/verifier/goldenvalues.db");/*TODO configurable*/
strcpy(last_ptr->gv_path, gv);

last_ptr->running = true;
last_ptr->max_connection_retry_number = 0;
Expand All @@ -84,7 +116,7 @@ static void mqtt_handler(struct mg_connection *c, int ev, void *ev_data) {
strcpy(last_ptr->ip_addr, ip_addr);
strcpy(last_ptr->ak_pub, ak_pub);
strcpy(last_ptr->uuid, uuid);
strcpy(last_ptr->gv_path, "file:/var/embrave/verifier/goldenvalues.db"); /*TODO configurable*/
strcpy(last_ptr->gv_path, gv);

last_ptr->running = true;
last_ptr->max_connection_retry_number = 0;
Expand All @@ -97,6 +129,7 @@ static void mqtt_handler(struct mg_connection *c, int ev, void *ev_data) {
free(uuid);
free(ak_pub);
free(ip_addr);
//free(whitelist);

} else if (ev == MG_EV_CLOSE) {
MG_INFO(("%lu CLOSED", c->id));
Expand Down Expand Up @@ -368,7 +401,7 @@ static void request_join_verifier(struct mg_connection *c, int ev, void *ev_data
#endif
int status = mg_http_status(hm);
if(status == 403){ /* forbidden */
/*TODO ERRORI*/
/*TODO errors*/
fprintf(stderr, "ERROR: join service response code is not 403 (forbidden)\n");
c->is_draining = 1; // Tell mongoose to close this connection
Continue = false; // Tell event loop to stop
Expand Down Expand Up @@ -584,6 +617,7 @@ static int init_database(void){
char *uuid = ( char *)sqlite3_column_text(res, 0);
char *ak = ( char *)sqlite3_column_text(res, 1);
char *ip = ( char *)sqlite3_column_text(res, 2);
char *whitelist = ( char *)sqlite3_column_text(res, 3);

agent_list *last_ptr;
last_ptr = agent_list_new();
Expand All @@ -592,7 +626,7 @@ static int init_database(void){
strcpy(last_ptr->ip_addr, ip);
strcpy(last_ptr->ak_pub, ak);
strcpy(last_ptr->uuid, uuid);
strcpy(last_ptr->gv_path, "file:/var/embrave/verifier/goldenvalues.db");
strcpy(last_ptr->gv_path, whitelist);
last_ptr->running = true;
last_ptr->max_connection_retry_number = 1;

Expand Down Expand Up @@ -660,6 +694,15 @@ int main(int argc, char *argv[]) {
exit(err);
}

if (stat(verifier_config.whitelist_path, &st) == -1) {
if(!mkdir(verifier_config.whitelist_path, 0711)) {
fprintf(stdout, "INFO: %s directory successfully created\n", verifier_config.whitelist_path);
}
else {
fprintf(stderr, "ERROR: cannot create %s directory\n", verifier_config.whitelist_path);
}
}

snprintf(mqtt_conn, 280, "http://%s:%d", verifier_config.mqtt_broker_ip, verifier_config.mqtt_broker_port);

c_mqtt = mqtt_connect(&mgr_mqtt, mqtt_handler, "verifier", mqtt_conn);
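Review bot: `parse_whitelist(gv, whitelist_uri);` in `mqtt_handler` discards the return value, and `gv` is declared a few lines earlier without an initializer, so whenever parsing fails (absent key, unknown scheme, missing file) the two `strcpy(last_ptr->gv_path, gv)` calls copy an indeterminate buffer into the agent record and the agent is still registered; reading that buffer is undefined behaviour and the agent's golden-value path ends up meaningless. Inside `parse_whitelist`, `mg_strstr` matches `file://` anywhere in the string rather than as a prefix, the remainder after the seven-byte offset is appended to `verifier_config.whitelist_path` without rejecting `/`, `.` or `..`, so the agent-supplied URI decides which file the verifier opens as its golden-value database, the `snprintf` into `buff` is not checked for truncation, and a NULL `whitelist_uri` presumably reaches the final `printf("%s")`. A tightened file branch is sketched below; the caller should become `if (!parse_whitelist(gv, whitelist_uri)) { ... }` that frees the four strings and skips the registration, and the commented-out `//free(whitelist);` should be a real `free(whitelist_uri);` so the string is not leaked on every message. The `init_database` hunk in this file copies the `whitelist` column into `gv_path` directly; if that column holds the URI rather than the resolved `file:` path it presumably needs the same parsing, which cannot be confirmed from here. `mqtt_handler` starts and ends outside the hunk.
```c
bool parse_whitelist(char * gv, char * whitelist_uri){
    struct stat st = {0};
    char buff[1025];

    if (whitelist_uri == NULL) {
        printf("ERROR missing whitelist URI\n");
        return false;
    }

    if (strncmp(whitelist_uri, "file://", 7) == 0) {
        const char *name = whitelist_uri + 7;
        /* accept a bare file name only, so the resolved path cannot
           leave verifier_config.whitelist_path */
        if (*name == '\0' || strchr(name, '/') != NULL ||
            strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
            printf("ERROR invalid whitelist file name %s\n", name);
            return false;
        }
        int n = snprintf(buff, sizeof buff, "%s%s", verifier_config.whitelist_path, name);
        if (n < 0 || (size_t)n >= sizeof buff) {
            printf("ERROR whitelist path too long\n");
            return false;
        }
        // … unchanged: stat() check and "file:%s" formatting into gv …
    }
    // … unchanged: http branch and unknown-URI fallthrough …
```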