config: Make IAK and IDevID certificates optional

When IAK/IDevID are enabled, but the paths to the certificates are
explicitly configured as the empty string, continue normally and
register without IAK and IDevID certificates.

This is to make it possible to use IAK and IDevID without the
certificates, in case the user does the public key matching check
separately.

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>

Author: ansasaki

keylime-agent/src/config.rs

@@ -501,34 +501,39 @@ fn config_translate_keywords(
         &config.agent.agent_data_path,
         keylime_dir,
         DEFAULT_AGENT_DATA_PATH,
+        false,
     );
 
     let mut ima_ml_path = config_get_file_path(
         "ima_ml_path",
         &config.agent.ima_ml_path,
         root_path,
         DEFAULT_IMA_ML_PATH,
+        false,
     );
 
     let mut measuredboot_ml_path = config_get_file_path(
         "measuredboot_ml_path",
         &config.agent.measuredboot_ml_path,
         root_path,
         DEFAULT_MEASUREDBOOT_ML_PATH,
+        false,
     );
 
     let mut server_key = config_get_file_path(
         "server_key",
         &config.agent.server_key,
         keylime_dir,
         DEFAULT_SERVER_KEY,
+        false,
     );
 
     let mut server_cert = config_get_file_path(
         "server_cert",
         &config.agent.server_cert,
         keylime_dir,
         DEFAULT_SERVER_CERT,
+        false,
     );
 
     let trusted_client_ca: String =
@@ -540,6 +545,7 @@ fn config_translate_keywords(
                     t,
                     keylime_dir,
                     DEFAULT_TRUSTED_CLIENT_CA,
+                    false,
                 )
             })
             .collect::<Vec<_>>()
@@ -550,13 +556,15 @@ fn config_translate_keywords(
         &config.agent.iak_cert,
         keylime_dir,
         DEFAULT_IAK_CERT,
+        true,
     );
 
     let mut idevid_cert = config_get_file_path(
         "idevid_cert",
         &config.agent.idevid_cert,
         keylime_dir,
         DEFAULT_IDEVID_CERT,
+        true,
     );
 
     let ek_handle = match config.agent.ek_handle.as_ref() {
@@ -630,6 +638,7 @@ fn config_translate_keywords(
         &config.agent.revocation_cert,
         keylime_dir,
         &format!("secure/unzipped/{DEFAULT_REVOCATION_CERT}"),
+        false,
     );
 
     Ok(KeylimeConfig {
@@ -657,18 +666,23 @@ fn config_translate_keywords(
 /// Expand a file path from the configuration file.
 ///
 /// If the string is set as "default", return the provided default path relative from the provided work_dir.
-/// If the string is empty, use again the default value
+/// If the string is empty, use the default value unless the 'leave_empty' is 'true'
 /// If the string is a relative path, return the path relative from the provided work_dir
 /// If the string is an absolute path, return the path without change.
 fn config_get_file_path(
     option: &str,
     path: &str,
     work_dir: &Path,
     default: &str,
+    leave_empty: bool,
 ) -> String {
     match path {
         "default" => work_dir.join(default).display().to_string(),
         "" => {
+            if leave_empty {
+                return "".to_string();
+            }
+
             warn!("Empty string provided in configuration option {option}, using default {default}");
             work_dir.join(default).display().to_string()
         }
@@ -1107,7 +1121,7 @@ mod tests {
 
         let translated: Vec<String> = list
             .iter()
-            .map(|e| config_get_file_path("test", e, workdir, default))
+            .map(|e| config_get_file_path("test", e, workdir, default, false))
             .collect();
 
         assert_eq!(
@@ -1122,5 +1136,13 @@ mod tests {
             ],
             translated
         );
+
+        let translated =
+            config_get_file_path("test", "", workdir, "default", true);
+        assert_eq!("", translated);
+
+        let translated =
+            config_get_file_path("test", "", workdir, "default", false);
+        assert_eq!("/workdir/default", translated);
     }
 }

keylime-agent/src/main.rs

@@ -436,22 +436,30 @@ async fn main() -> Result<()> {
 
     // If using IAK/IDevID is enabled, obtain IAK/IDevID and respective certificates
     let mut device_id = if config.agent.enable_iak_idevid {
-        Some(
-            DeviceIDBuilder::new()
-                .iak_handle(&config.agent.iak_handle)
-                .iak_cert_path(&config.agent.iak_cert)
-                .iak_password(&config.agent.iak_password)
-                .iak_template(&config.agent.iak_idevid_template)
-                .iak_asym_alg(&config.agent.iak_idevid_asymmetric_alg)
-                .iak_hash_alg(&config.agent.iak_idevid_name_alg)
-                .idevid_handle(&config.agent.idevid_handle)
-                .idevid_cert_path(&config.agent.idevid_cert)
-                .idevid_password(&config.agent.idevid_password)
-                .idevid_template(&config.agent.iak_idevid_template)
-                .idevid_asym_alg(&config.agent.iak_idevid_asymmetric_alg)
-                .idevid_hash_alg(&config.agent.iak_idevid_name_alg)
-                .build(&mut ctx)?,
-        )
+        let mut builder = DeviceIDBuilder::new()
+            .iak_handle(&config.agent.iak_handle)
+            .iak_password(&config.agent.iak_password)
+            .iak_default_template(config::DEFAULT_IAK_IDEVID_TEMPLATE)
+            .iak_template(&config.agent.iak_idevid_template)
+            .iak_asym_alg(&config.agent.iak_idevid_asymmetric_alg)
+            .iak_hash_alg(&config.agent.iak_idevid_name_alg)
+            .idevid_handle(&config.agent.idevid_handle)
+            .idevid_cert_path(&config.agent.idevid_cert)
+            .idevid_password(&config.agent.idevid_password)
+            .idevid_default_template(config::DEFAULT_IAK_IDEVID_TEMPLATE)
+            .idevid_template(&config.agent.iak_idevid_template)
+            .idevid_asym_alg(&config.agent.iak_idevid_asymmetric_alg)
+            .idevid_hash_alg(&config.agent.iak_idevid_name_alg);
+
+        if !&config.agent.iak_cert.is_empty() {
+            builder = builder.iak_cert_path(&config.agent.iak_cert);
+        }
+
+        if !&config.agent.idevid_cert.is_empty() {
+            builder = builder.idevid_cert_path(&config.agent.idevid_cert);
+        }
+
+        Some(builder.build(&mut ctx)?)
     } else {
         None
     };
@@ -617,15 +625,15 @@ async fn main() -> Result<()> {
                 ek_result.ek_cert,
                 &PublicBuffer::try_from(ak.public)?.marshall()?,
                 Some(
-                    &PublicBuffer::try_from(dev_id.iak.public.clone())?
+                    &PublicBuffer::try_from(dev_id.iak_pubkey.clone())?
                         .marshall()?,
                 ),
                 Some(
-                    &PublicBuffer::try_from(dev_id.idevid.public.clone())?
+                    &PublicBuffer::try_from(dev_id.idevid_pubkey.clone())?
                         .marshall()?,
                 ),
-                Some(dev_id.idevid_cert.clone()),
-                Some(dev_id.iak_cert.clone()),
+                dev_id.idevid_cert.clone(),
+                dev_id.iak_cert.clone(),
                 Some(attest.marshall()?),
                 Some(signature.marshall()?),
                 mtls_cert,