Blame SOURCES/0004-Do-not-use-default-values-that-need-reading-the-conf.patch

c49324
From 76cbd7bbcce1793db9a3d64d962cfdb518ef4eff Mon Sep 17 00:00:00 2001
c49324
From: Sergio Correia <scorreia@redhat.com>
c49324
Date: Tue, 15 Nov 2022 07:09:13 -0300
c49324
Subject: [PATCH 4/4] Do not use default values that need reading the config in
c49324
 methods
c49324
c49324
Following up from the recent refactoring that moved the EK validation
c49324
to cert_utils, in a few places were added default method values that
c49324
were reading the configuration files directly.
c49324
c49324
It was not such a great idea becasue it then made those config files as
c49324
required to even import the modules.
c49324
c49324
Example "from keylime import cert_utils" now also requires that the
c49324
tenant configuration be available for getting the path for the TPM
c49324
cert store.
c49324
c49324
Let's stop doing that.
c49324
c49324
Signed-off-by: Sergio Correia <scorreia@redhat.com>
c49324
---
c49324
 keylime/cert_utils.py       | 5 +++--
c49324
 keylime/tenant.py           | 2 +-
c49324
 keylime/tpm/tpm_abstract.py | 2 +-
c49324
 keylime/tpm/tpm_main.py     | 4 ++--
c49324
 keylime/tpm_ek_ca.py        | 6 +++---
c49324
 5 files changed, 10 insertions(+), 9 deletions(-)
c49324
c49324
diff --git a/keylime/cert_utils.py b/keylime/cert_utils.py
c49324
index d2fc54d..3576c64 100644
c49324
--- a/keylime/cert_utils.py
c49324
+++ b/keylime/cert_utils.py
c49324
@@ -12,7 +12,7 @@ from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
c49324
 from pyasn1.codec.der import decoder, encoder
c49324
 from pyasn1_modules import pem, rfc2459
c49324
 
c49324
-from keylime import config, keylime_logging, tpm_ek_ca
c49324
+from keylime import keylime_logging, tpm_ek_ca
c49324
 
c49324
 # Issue #944 -- python-cryptography won't parse malformed certs,
c49324
 # such as some Nuvoton ones we have encountered in the field.
c49324
@@ -56,9 +56,10 @@ def x509_pem_cert(pem_cert_data: str):
c49324
         return x509.load_der_x509_certificate(data=encoder.encode(pyasn1_cert), backend=default_backend())
c49324
 
c49324
 
c49324
-def verify_ek(ekcert, tpm_cert_store=config.get("tenant", "tpm_cert_store")):
c49324
+def verify_ek(ekcert: bytes, tpm_cert_store: str) -> bool:
c49324
     """Verify that the provided EK certificate is signed by a trusted root
c49324
     :param ekcert: The Endorsement Key certificate in DER format
c49324
+    :param tpm_cert_store: The path for the TPM certificate store
c49324
     :returns: True if the certificate can be verified, False otherwise
c49324
     """
c49324
     try:
c49324
diff --git a/keylime/tenant.py b/keylime/tenant.py
c49324
index dd9c09c..118f8c4 100644
c49324
--- a/keylime/tenant.py
c49324
+++ b/keylime/tenant.py
c49324
@@ -430,7 +430,7 @@ class Tenant:
c49324
             elif ekcert is None:
c49324
                 logger.warning("No EK cert provided, require_ek_cert option in config set to True")
c49324
                 return False
c49324
-            elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert)):
c49324
+            elif not self.tpm_instance.verify_ek(base64.b64decode(ekcert), config.get("tenant", "tpm_cert_store")):
c49324
                 logger.warning("Invalid EK certificate")
c49324
                 return False
c49324
 
c49324
diff --git a/keylime/tpm/tpm_abstract.py b/keylime/tpm/tpm_abstract.py
c49324
index ff41837..df6222c 100644
c49324
--- a/keylime/tpm/tpm_abstract.py
c49324
+++ b/keylime/tpm/tpm_abstract.py
c49324
@@ -97,7 +97,7 @@ class AbstractTPM(metaclass=ABCMeta):
c49324
         pass
c49324
 
c49324
     @abstractmethod
c49324
-    def verify_ek(self, ekcert):
c49324
+    def verify_ek(self, ekcert, tpm_cert_store):
c49324
         pass
c49324
 
c49324
     @abstractmethod
c49324
diff --git a/keylime/tpm/tpm_main.py b/keylime/tpm/tpm_main.py
c49324
index 35f0a2f..09af0d0 100644
c49324
--- a/keylime/tpm/tpm_main.py
c49324
+++ b/keylime/tpm/tpm_main.py
c49324
@@ -776,12 +776,12 @@ class tpm(tpm_abstract.AbstractTPM):
c49324
                 os.remove(sesspath)
c49324
         return key
c49324
 
c49324
-    def verify_ek(self, ekcert):
c49324
+    def verify_ek(self, ekcert, tpm_cert_store):
c49324
         """Verify that the provided EK certificate is signed by a trusted root
c49324
         :param ekcert: The Endorsement Key certificate in DER format
c49324
         :returns: True if the certificate can be verified, false otherwise
c49324
         """
c49324
-        return cert_utils.verify_ek(ekcert)
c49324
+        return cert_utils.verify_ek(ekcert, tpm_cert_store)
c49324
 
c49324
     def get_tpm_manufacturer(self, output=None):
c49324
         vendorStr = None
c49324
diff --git a/keylime/tpm_ek_ca.py b/keylime/tpm_ek_ca.py
c49324
index fb66c07..bc84571 100644
c49324
--- a/keylime/tpm_ek_ca.py
c49324
+++ b/keylime/tpm_ek_ca.py
c49324
@@ -1,13 +1,13 @@
c49324
 import glob
c49324
 import os
c49324
 
c49324
-from keylime import config, keylime_logging
c49324
+from keylime import keylime_logging
c49324
 
c49324
 logger = keylime_logging.init_logging("tpm_ek_ca")
c49324
 trusted_certs = {}
c49324
 
c49324
 
c49324
-def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
c49324
+def check_tpm_cert_store(tpm_cert_store):
c49324
     if not os.path.isdir(tpm_cert_store):
c49324
         logger.error("The directory %s does not exist.", tpm_cert_store)
c49324
         raise Exception(f"The directory {tpm_cert_store} does not exist.")
c49324
@@ -20,7 +20,7 @@ def check_tpm_cert_store(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
c49324
         raise Exception(f"The directory {tpm_cert_store} does not contain " f"any .pem files")
c49324
 
c49324
 
c49324
-def cert_loader(tpm_cert_store=config.get("tenant", "tpm_cert_store")):
c49324
+def cert_loader(tpm_cert_store):
c49324
     file_list = glob.glob(os.path.join(tpm_cert_store, "*.pem"))
c49324
     my_trusted_certs = {}
c49324
     for file_path in file_list:
c49324
-- 
c49324
2.38.1
c49324