Conversation

@ansasaki

This replaces the usage of default-tls feature from reqwest with native-tls, which uses OpenSSL as backend on Linux.

Add 'anyhow' crate as dependency to add context information to user facing errors.

This also disables the hostname verification because the certificates generated by the verifier don't have the Subject Alternative Name (SAN) set properly, making the certificates fail hostname verification.

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
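An added example, not code from the keylime PR or project, of what the hostname verification this change turns off actually checks. It models the strict RFC 9525 rule (only SAN dNSName entries count; the legacy Common Name fallback is ignored) in plain Rust with no external crates. The `CertSan` struct and the host names in it are constructed stand-ins, not real certificates.

```rust
// Added example (not part of the keylime PR): TLS hostname verification
// reduced to the dNSName matching rules of RFC 6125 / RFC 9525.
// A certificate is represented only by its SAN dNSName list, the part the
// PR description says the verifier-issued certificates lack.

/// Constructed stand-in for a certificate: just the SAN dNSName entries.
#[derive(Debug)]
pub struct CertSan {
    pub dns_names: Vec<String>,
}

/// Returns true if `pattern` (a SAN dNSName, possibly with a leading
/// wildcard label) matches `host`:
/// - comparison is case-insensitive and ignores a trailing dot;
/// - a wildcard must be the entire left-most label ("*.example.test"),
///   partial wildcards such as "f*.example.test" are not honoured;
/// - the wildcard matches exactly one label, so "*.example.test" matches
///   "api.example.test" but not "example.test" or "a.b.example.test";
/// - a wildcard needs at least two labels after it ("*.test" is rejected).
pub fn dns_name_matches(pattern: &str, host: &str) -> bool {
    let pattern = pattern.trim_end_matches('.').to_ascii_lowercase();
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if pattern.is_empty() || host.is_empty() {
        return false;
    }
    let (p_first, p_rest) = match pattern.split_once('.') {
        Some(parts) => parts,
        // Single-label pattern: exact match only.
        None => return pattern == host,
    };
    if p_first != "*" {
        // No wildcard in the left-most label: the names must be identical.
        return pattern == host;
    }
    // Wildcard pattern: require at least two non-empty labels after "*".
    if p_rest.split('.').count() < 2 || p_rest.split('.').any(|l| l.is_empty()) {
        return false;
    }
    match host.split_once('.') {
        // The wildcard consumes exactly the host's first label; the rest must be equal.
        Some((h_first, h_rest)) => !h_first.is_empty() && h_rest == p_rest,
        None => false,
    }
}

/// Hostname verification as a strict TLS client performs it: the host must
/// match at least one SAN dNSName. A certificate without SAN entries never
/// matches under this rule, which is why the verifier-issued certificates
/// fail the check.
pub fn verify_hostname(cert: &CertSan, host: &str) -> Result<(), String> {
    if cert.dns_names.is_empty() {
        return Err(format!("certificate has no subjectAltName dNSName; cannot verify {host}"));
    }
    if cert.dns_names.iter().any(|p| dns_name_matches(p, host)) {
        Ok(())
    } else {
        Err(format!("{host} does not match any SAN entry: {:?}", cert.dns_names))
    }
}

fn main() {
    // Constructed certificates: one with proper SAN entries, one without (the
    // situation the PR works around).
    let good = CertSan {
        dns_names: vec!["verifier.example.test".into(), "*.agents.example.test".into()],
    };
    let no_san = CertSan { dns_names: vec![] };
    for (cert, host) in [
        (&good, "verifier.example.test"),
        (&good, "node1.agents.example.test"),
        (&good, "other.example.test"),
        (&no_san, "verifier.example.test"),
    ] {
        match verify_hostname(cert, host) {
            Ok(()) => println!("{host}: hostname verified"),
            Err(e) => println!("{host}: REJECTED ({e})"),
        }
    }
}
```

Running it prints one line per (certificate, host) pair; the last pair shows the verifier-style certificate without SAN being rejected. With `danger_accept_invalid_hostnames(true)` this whole step is skipped, so any certificate chaining to the trusted CA is accepted for any host name; the durable fix is to issue the verifier certificates with a SAN dNSName matching the host the agent connects to and then re-enable the check.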

@sergio-correia sergio-correia left a comment

Thanks, looks good to me.

predicates = { version = "3.1.3" }
pretty_env_logger = "0.5"
reqwest = {version = "0.12", default-features = false, features = ["json", "default-tls"]}
reqwest = {version = "0.12", default-features = false, features = ["json", "native-tls"]}
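Review bot: the reqwest line now pins `native-tls` where `default-tls` was; in reqwest 0.12 `default-tls` itself resolves to the native-tls backend (OpenSSL on Linux), so today this makes the backend explicit rather than changing it. Worth a one-line comment next to it in Cargo.toml stating that the OpenSSL backend is a deliberate requirement, e.g. `# native-tls pinned so the Linux backend stays OpenSSL`, so a later cleanup does not swap it back to `default-tls` or to rustls.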

Good point. I was under the impression we had to use native-tls explicitly instead of default-tls, since we have the goal to use openssl on Linux, as default-tls might change its backend in the future.

@codecov

codecov bot commented Apr 23, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.71%. Comparing base (2227423) to head (89f1802).
Report is 1 commits behind head on master.

Additional details and impacted files
Flag Coverage Δ
e2e-testsuite 63.71% <100.00%> (+0.13%) ⬆️
upstream-unit-tests 63.71% <100.00%> (+0.13%) ⬆️


Files with missing lines Coverage Δ
keylime-push-model-agent/src/main.rs 89.53% <100.00%> (+3.82%) ⬆️

... and 6 files with indirect coverage changes



@sarroutbi sarroutbi left a comment

In general, changes LGTM.

The only issue I see is that the get_https_client function seems to be too long. I would define some intermediate functions for the new code, such as:

  • load_certificate
  • load_client_identity

Up to you, @ansasaki . You can push directly and we can refactor it once working.

Thanks!

@ansasaki
Contributor Author

> The only issue I see is that the get_https_client function seems to be too long. I would define some intermediate functions for the new code, such as:
>
> * load_certificate
> * load_client_identity
>
> Up to you, @ansasaki . You can push directly and we can refactor it once working.
>
> Thanks!

I think it should be possible to move these utility functions (load certificates from files and create the reqwest certificate structures) to the keylime lib, but I'll leave this to a future PR. I think I'll just merge it as it is now.

@ansasaki ansasaki merged commit 5adedcf into keylime:master Apr 23, 2025
19 of 20 checks passed
@ansasaki ansasaki deleted the prototype-fix-cert branch April 23, 2025 14:41