Use rsa2048 WK #175
Open. nicowilliams wants to merge 21 commits into osresearch:master from nicowilliams:use-rsa2048-wk
Conversation
Multiple changes;
- The python implementation is converted to a Flask app.
- The attestation API is altered. There remains a single input tarball and single output tarball, but rather than the request body _being_ the input tarball, we now expect an HTTP POST request encoded in conventional form (multipart/form-data) that includes a field called "quote" containing the input tarball (a source filename attribute is expected). I.e. the encoded form should contain a section like;
    Content-Disposition: form-data; name="quote"; filename="whatever"
  To use from 'curl', you would;
    curl -X -POST -F quote=@"mytarball.tar" <URL>
  whereas previously you would have been using;
    curl -X -POST --data-binary @"mytarball.tar" <URL>
- sbin/tpm2-attest (i.e. the client) is adjusted in the manner described in the previous point.
- The extra required package (python3-flask) is added to the "requirements" target of the top-level Makefile.
Signed-off-by: Geoff Thorpe <[email protected]>
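As an added example (not safeboot's Flask handler or its tpm2-attest client, and not part of this PR), here is the request shape the commit above describes: a multipart/form-data body with one "quote" field carrying the tarball and a filename attribute, built the way `curl -F quote=@mytarball.tar` builds it and parsed on the receiving side with only the Python standard library. The boundary string, the tarball contents and all function names are constructed for this illustration; the field name "quote", the filename requirement and the two curl forms come from the commit message.

```python
"""Added example, not safeboot code: build and parse the multipart/form-data
attestation request. Boundary, tarball members and function names are
constructed here; only the "quote" field and its filename attribute come
from the PR."""
import email.parser
import io
import tarfile

BOUNDARY = "safeboot-example-boundary"  # constructed; curl generates its own


def make_quote_tarball(members):
    """Constructed stand-in for the client's input tarball: {name: bytes} -> tar bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def encode_form(quote_bytes, filename="mytarball.tar"):
    """Client side, equivalent to `curl -F quote=@mytarball.tar <URL>`.

    Returns (Content-Type header value, request body). Passing filename=None
    omits the attribute, which is the malformed case the server must reject.
    """
    disposition = 'form-data; name="quote"'
    if filename is not None:
        disposition += f'; filename="{filename}"'
    head = (f"--{BOUNDARY}\r\n"
            f"Content-Disposition: {disposition}\r\n"
            "Content-Type: application/octet-stream\r\n\r\n").encode("ascii")
    tail = f"\r\n--{BOUNDARY}--\r\n".encode("ascii")
    return f"multipart/form-data; boundary={BOUNDARY}", head + quote_bytes + tail


def parse_quote(content_type, body):
    """Server side: return (filename, tarball bytes) for the "quote" field.

    Raises ValueError if the body is not multipart, the field is absent, or
    the filename attribute is missing. The filename is client-controlled: it
    is only checked for presence and must never be used as a filesystem path.
    """
    # Prepend a MIME header so the stdlib parser can split the parts; BytesParser
    # keeps 8-bit payload bytes intact (ASCII + surrogateescape round-trip).
    raw = f"Content-Type: {content_type}\r\nMIME-Version: 1.0\r\n\r\n".encode("ascii") + body
    msg = email.parser.BytesParser().parsebytes(raw)
    if not msg.is_multipart():
        raise ValueError("request body is not multipart/form-data")
    for part in msg.get_payload():
        if part.get_param("name", header="content-disposition") != "quote":
            continue
        filename = part.get_filename()
        if not filename:
            raise ValueError('"quote" field has no filename attribute')
        return filename, part.get_payload(decode=True)
    raise ValueError('no "quote" field in form')


def tar_member_names(data):
    """Server-side sanity check: the quote must be a readable tarball."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return tar.getnames()


if __name__ == "__main__":
    ctype, body = encode_form(make_quote_tarball({"ek.pub": b"constructed bytes"}))
    name, tarball = parse_quote(ctype, body)
    print(name, tar_member_names(tarball))
```

The server never trusts the filename beyond checking it exists; any path handling on the attestation side should come from the EK hash and the enrollment database, not from this attribute.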
If the client's EK isn't enrolled, it manifests as an obscure failure to open a directory. This changes it to catch the unenrolled-EK case and report it as such. Signed-off-by: Geoff Thorpe <[email protected]>
Signed-off-by: Geoff Thorpe <[email protected]>
Signed-off-by: Geoff Thorpe <[email protected]>
Signed-off-by: Geoff Thorpe <[email protected]>
HCP Refactoring, last remaining safeboot patches
- add GENCERT_HTTPS_CLIENT to control the existing "https-client" OID.
- add GENCERT_HTTPS_SERVER and add the corresponding OID too.
- add GENCERT_PKINIT_CLIENT to replace GENCERT_INCLUDE_SAN_PKINIT.
- add GENCERT_PKINIT_KDC and add the corresponding OID too.
- insist on exactly one of GENCERT_{PKINIT_{CLIENT,KDC},HTTPS_{CLIENT,SERVER}}
- add GENCERT_OUTPUT to control the naming of output files.
- support derivative scripts, such that they define a 'gencert_override' function before including 'gencert', that can tweak values after defaults and config-file processing is done.
- add derivations gencert-{pkinit,https-{client,server}}
- the heimdal cert-generation code-path is broken with current upstream versions, so add some tentative fixes but mark the code as TBD.
- tweak the encoding of Kerberos principals based on MIT documentation, including the addition of KDC (server) "krbtgt" encoding.
Signed-off-by: Geoffrey Thorpe <[email protected]>
Previously if a 'genprog' generated more than one "sensitive" file, only the first one got treated as sensitive, the remainder became "public". The comments suggested otherwise, so this patch fixes it accordingly. Signed-off-by: Geoffrey Thorpe <[email protected]>
Signed-off-by: Geoffrey Thorpe <[email protected]>
In particular, the failure case when attesting with a TPM that isn't yet enrolled (or more likely, whose enrollment hasn't yet replicated to the attestsvc instance) is made much more concise. Also, we use 404 for that case, whereas 403 for other (less expected) failures. Signed-off-by: Geoffrey Thorpe <[email protected]>
When an individual genprog breaks (because of code or configuration), it is easier to find if the enrollment transaction bails out right where the error occurred. Instead, having enrollments continue and succeed (but be incomplete) causes future assumptions to fail, when the root cause may be far less obvious. This patch changes attest-enroll to return success only if _all_ of the implied actions succeed. Signed-off-by: Geoffrey Thorpe <[email protected]>
Previously, a genprog was expected to produce a single line of output (to stdout) specifying "<public|sensitive> [files...]" or "skip". This allows the genprog to produce multiple files, but only if they are of the same type (public or sensitive). With this change, attest-enroll will process multiple lines of output, one at a time. Signed-off-by: Geoffrey Thorpe <[email protected]>
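As an added example (not attest-enroll's own code, and not part of this PR), a parser for the genprog output protocol described in the commit above: one "<public|sensitive> [files...]" or "skip" line at a time, with files accumulated per class so that several sensitive files all stay sensitive. Any line the protocol does not define aborts the whole parse, in the spirit of the earlier commit that makes enrollment succeed only when every action succeeds. Whitespace splitting of filenames and the rejection of arguments after "skip" are assumptions made here; the sample outputs are constructed.

```python
"""Added example, not safeboot code: parse a genprog's multi-line stdout.
Assumptions: fields are whitespace-separated and a "skip" line takes no
arguments (the PR text only shows a bare "skip")."""


class GenprogOutputError(Exception):
    """A line outside the protocol; attest-enroll should fail the whole enrollment."""


def parse_genprog_output(stdout):
    """Return {"public": [...], "sensitive": [...]} from a genprog's stdout.

    Blank lines are ignored. "skip" contributes nothing. Every other line must
    start with "public" or "sensitive", optionally followed by file names; the
    first malformed line raises and nothing partial is returned.
    """
    out = {"public": [], "sensitive": []}
    for lineno, line in enumerate(stdout.splitlines(), 1):
        words = line.split()          # assumption: no quoting, whitespace-separated
        if not words:
            continue
        kind, files = words[0], words[1:]
        if kind == "skip":
            if files:                 # assumption: bare "skip" only
                raise GenprogOutputError(f"line {lineno}: 'skip' takes no arguments")
            continue
        if kind not in out:
            raise GenprogOutputError(f"line {lineno}: unknown type {kind!r}")
        out[kind].extend(files)       # every file on a sensitive line stays sensitive
    return out


if __name__ == "__main__":
    # Constructed sample: a genprog emitting public and sensitive files on separate lines.
    sample = "public ek.pub cert.pem\nskip\n\nsensitive key.pem\nsensitive other.key\n"
    print(parse_genprog_output(sample))
```

The caller decides what to do with each class; the parser's only job is to keep the classification faithful and to refuse output it cannot interpret rather than silently treating it as public.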
Signed-off-by: Geoffrey Thorpe <[email protected]>
The server now returns the 404 status code when attestation failed (only) because of there being no enrollment for the client's TPM. Other errors return 400. Also, the logging is tied up a little bit. Signed-off-by: Geoff Thorpe <[email protected]>
This now captures the status code as well as the output when attesting. If the status code is a 404, tpm2-attest exits with 2 rather than 1, allowing a caller/user to distinguish. (This is necessary when implementing retry logic that should wait for enrollments to propagate but not for other error conditions to resolve themselves with time.) Signed-off-by: Geoff Thorpe <[email protected]>
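As an added example (not tpm2-attest or attestsvc code, and not part of this PR), the convention the two commits above establish, carried through to the caller: 404 means no enrollment for this TPM and maps to exit code 2, any other failure (the server's 400 included) maps to exit code 1, and a retry loop waits only on exit code 2. The attestation server, its replication delay and the sleep hook are constructed stand-ins; the status and exit-code values come from the commit messages.

```python
"""Added example, not safeboot code: exit-code mapping for tpm2-attest and a
caller that retries only while enrollment has not yet replicated.
FakeAttestServer, the replication counter and the sleep hook are constructed."""

EXIT_OK, EXIT_ERROR, EXIT_NOT_ENROLLED = 0, 1, 2


def exit_code_for(status):
    """404 (no enrollment for this TPM) -> 2, other non-2xx -> 1, success -> 0."""
    if 200 <= status < 300:
        return EXIT_OK
    if status == 404:
        return EXIT_NOT_ENROLLED
    return EXIT_ERROR


class FakeAttestServer:
    """Constructed stand-in for attestsvc. An enrollment becomes visible on this
    replica only after `enrolled_after[ek_hash]` requests have been seen."""

    def __init__(self, enrolled_after):
        self.enrolled_after = dict(enrolled_after)
        self.seen = {}

    def attest(self, ek_hash, quote_ok=True):
        self.seen[ek_hash] = self.seen.get(ek_hash, 0) + 1
        if ek_hash not in self.enrolled_after:
            return 404            # never enrolled: will stay 404 forever
        if self.seen[ek_hash] <= self.enrolled_after[ek_hash]:
            return 404            # enrolled, but not yet replicated to this instance
        return 200 if quote_ok else 400


def attest_with_retry(server, ek_hash, max_attempts, quote_ok=True, sleep=lambda s: None):
    """Return (final exit code, attempts made), retrying only on exit code 2.

    A 400 (bad quote, failed policy) does not fix itself with time, so it is
    returned at once; a 404 is retried with capped exponential backoff.
    """
    delay = 1
    for attempt in range(1, max_attempts + 1):
        code = exit_code_for(server.attest(ek_hash, quote_ok))
        if code != EXIT_NOT_ENROLLED or attempt == max_attempts:
            return code, attempt
        sleep(delay)
        delay = min(delay * 2, 30)
    return EXIT_NOT_ENROLLED, max_attempts


if __name__ == "__main__":
    # Constructed scenario: enrollment for "tpm-a" replicates after two requests.
    server = FakeAttestServer({"tpm-a": 2})
    print(attest_with_retry(server, "tpm-a", max_attempts=5))
```

The distinction matters operationally: a fleet that retries on every non-zero exit hammers the server with quotes that can never verify, while one that never retries fails freshly enrolled machines for as long as replication lags.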
Signed-off-by: Geoffrey Thorpe <[email protected]>
Signed-off-by: Geoffrey Thorpe <[email protected]>
Some TPMs don't support secp384r1.