From d6dd71e3a3fe8e822fbcaa0d88f19a0c3332cacd Mon Sep 17 00:00:00 2001

From: Sergio Correia <scorreia@redhat.com>

Date: Tue, 15 Nov 2022 07:09:13 -0300

Subject: [PATCH] Do not use default values that need reading the config in

 methods

Following up from the recent refactoring that moved the EK validation

to cert_utils, in a few places were added default method values that

were reading the configuration files directly.

It was not such a great idea becasue it then made those config files as

required to even import the modules.

Example "from keylime import cert_utils" now also requires that the

tenant configuration be available for getting the path for the TPM

cert store.

Let's stop doing that.

Signed-off-by: Sergio Correia <scorreia@redhat.com>

---

 keylime/cert_utils.py       | 5 +++--

 keylime/tenant.py           | 2 +-

 keylime/tpm/tpm_abstract.py | 2 +-

 keylime/tpm/tpm_main.py     | 4 ++--

 keylime/tpm_ek_ca.py        | 6 +++---

 5 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py

index d2fc54d..3576c64 100644

--- a/keylime/cert_utils.py

+++ b/keylime/cert_utils.py

@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey

 from pyasn1.codec.der import decoder, encoder

 from pyasn1_modules import pem, rfc2459

-from keylime import config, keylime_logging, tpm_ek_ca

+from keylime import keylime_logging, tpm_ek_ca

 # Issue #944 -- python-cryptography won't parse malformed certs,

 # such as some Nuvoton ones we have encountered in the field.

@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str):

         return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend())

-def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")):

+def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool:

     """Verify that the provided EK certificate is signed by a trusted root

     :param ekcert: The Endorsement Key certificate in DER format

+    :param tpm_cert_store: The path for the TPM certificate store

     :returns: True if the certificate can be verified, False otherwise

     """

     try:

diff --git a/keylime/tenant.py b/keylime/tenant.py

index b574d04..076b849 100644

--- a/keylime/tenant.py

+++ b/keylime/tenant.py

@@ -430,7 +430,7 @@ class Tenant:

             elif ekcert is None:

                 logger.warning("No EK cert provided, require_ek_cert option in config set to True")

                 return False

-            elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)):

+            elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")):

                 logger.warning("Invalid EK certificate")

                 return False

diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py

index ff41837..df6222c 100644

--- a/keylime/tpm/tpm_abstract.py

+++ b/keylime/tpm/tpm_abstract.py

@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta):

         pass

     @abstractmethod

-    def verify_ek(self, ekcert):

+    def verify_ek(self, ekcert, tpm_cert_store):

         pass

     @abstractmethod

diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py

index e1d1cf8..e244dfa 100644

--- a/keylime/tpm/tpm_main.py

+++ b/keylime/tpm/tpm_main.py

@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM):

                 os.remove(sesspath)

         return key

-    def verify_ek(self, ekcert):

+    def verify_ek(self, ekcert, tpm_cert_store):

         """Verify that the provided EK certificate is signed by a trusted root

         :param ekcert: The Endorsement Key certificate in DER format

         :returns: True if the certificate can be verified, false otherwise

         """

-        return cert_utils.verify_ek(ekcert)

+        return cert_utils.verify_ek(ekcert, tpm_cert_store)

     def get_tpm_manufacturer(self, output=None):

         vendorStr = None

diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py

index fb66c07..bc84571 100644

--- a/keylime/tpm_ek_ca.py

+++ b/keylime/tpm_ek_ca.py

@@ -1,13 +1,13 @@

 import glob

 import os

-from keylime import config, keylime_logging

+from keylime import keylime_logging

 logger = keylime_logging.init_logging("tpm_ek_ca")

 trusted_certs = {}

-def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):

+def check_tpm_cert_store(tpm_cert_store):

     if not os.path.isdir(tpm_cert_store):

         logger.error("The directory %s does not exist.", tpm_cert_store)

         raise Exception(f"The directory {tpm_cert_store} does not exist.")

@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):

         raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files")

-def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")):

+def cert_loader(tpm_cert_store):

     file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem"))

     my_trusted_certs = {}

     for file_path in file_list:

-- 

2.38.1