Add TLS support for Registrar communication

This change enables TLS-based communication with the Registrar service
in the push model agent, providing secure registration and activation.

Key changes:
- Added registrar_tls_enabled, registrar_tls_ca_cert,
  registrar_tls_client_cert, and registrar_tls_client_key configuration
  options with empty defaults for backwards compatibility
- Updated RegistrarClientBuilder to accept TLS configuration parameters
  (ca_certificate, certificate, key, insecure, timeout)
- Modified RegistrarClient to use HTTPS client when TLS is configured,
  falling back to plain HTTP when TLS parameters are not provided
- Refactored to use single ResilientClient for all HTTP/HTTPS requests
  instead of maintaining separate client instances
- Added RegistrarTlsConfig struct in push model agent to manage TLS
  configuration from config file
- Updated StateMachine to accept and pass registrar_tls_config to
  registration functions

Backwards compatibility:
- Defaults to plain HTTP when registrar_tls_enabled is false (default)
- Defaults to plain HTTP when TLS certificate paths are empty (default)
- TLS only enabled when all three certificate paths are provided AND
  registrar_tls_enabled is true
- Pull model agent unchanged - maintains existing behavior with None
  values for all new TLS fields

The implementation separates Registrar TLS configuration from Verifier
TLS configuration, allowing each service to be secured independently
based on deployment requirements.

Co-Authored-By: Claude <[email protected]>
Signed-off-by: Sergio Arroutbi <[email protected]>

Author: sarroutbi

keylime-agent/src/main.rs

@@ -617,6 +617,12 @@ async fn main() -> Result<()> {
         registrar_port: config.registrar_port,
         enable_iak_idevid: config.enable_iak_idevid,
         ek_handle: config.ek_handle.clone(),
+        // Pull model agent does not use TLS for registrar communication
+        registrar_ca_cert: None,
+        registrar_client_cert: None,
+        registrar_client_key: None,
+        registrar_insecure: None,
+        registrar_timeout: None,
     };
 
     let aa = AgentRegistration {

keylime-push-model-agent/src/main.rs

@@ -3,7 +3,7 @@
 use anyhow::Result;
 use clap::Parser;
 use keylime::config::PushModelConfigTrait;
-use log::{debug, error, info};
+use log::{debug, error, info, warn};
 mod attestation;
 mod auth;
 mod context_info_handler;
@@ -175,11 +175,39 @@ async fn run(args: &Args) -> Result<()> {
     };
     let attestation_client =
         attestation::AttestationClient::new(&neg_config)?;
+
+    // Create Registrar TLS config from configuration
+    let registrar_tls_config = if config.registrar_tls_enabled() {
+        let ca_cert = config.registrar_tls_ca_cert();
+        let client_cert = config.registrar_tls_client_cert();
+        let client_key = config.registrar_tls_client_key();
+
+        // Only use TLS if all certificate paths are provided
+        if !ca_cert.is_empty()
+            && !client_cert.is_empty()
+            && !client_key.is_empty()
+        {
+            Some(registration::RegistrarTlsConfig {
+                ca_cert: Some(ca_cert.to_string()),
+                client_cert: Some(client_cert.to_string()),
+                client_key: Some(client_key.to_string()),
+                insecure: None,
+                timeout: Some(args.timeout),
+            })
+        } else {
+            warn!("Registrar TLS is enabled but certificate paths are not configured. Using plain HTTP.");
+            None
+        }
+    } else {
+        None
+    };
+
     let mut state_machine = state_machine::StateMachine::new(
         attestation_client,
         neg_config,
         ctx_info,
         args.attestation_interval_seconds,
+        registrar_tls_config,
     );
     state_machine.run().await;
     Ok(())

keylime-push-model-agent/src/registration.rs

@@ -8,12 +8,24 @@ use keylime::{
     error::Result,
 };
 
+pub struct RegistrarTlsConfig {
+    pub ca_cert: Option<String>,
+    pub client_cert: Option<String>,
+    pub client_key: Option<String>,
+    pub insecure: Option<bool>,
+    pub timeout: Option<u64>,
+}
+
 pub async fn check_registration(
     context_info: Option<context_info::ContextInfo>,
+    tls_config: Option<RegistrarTlsConfig>,
 ) -> Result<()> {
     if context_info.is_some() {
-        crate::registration::register_agent(&mut context_info.unwrap())
-            .await?;
+        crate::registration::register_agent(
+            &mut context_info.unwrap(),
+            tls_config,
+        )
+        .await?;
     }
     Ok(())
 }
@@ -41,9 +53,23 @@ fn get_retry_config() -> Option<RetryConfig> {
 
 pub async fn register_agent(
     context_info: &mut context_info::ContextInfo,
+    tls_config: Option<RegistrarTlsConfig>,
 ) -> Result<()> {
     let config = keylime::config::get_config();
 
+    let (ca_cert, client_cert, client_key, insecure, timeout) =
+        if let Some(tls) = tls_config {
+            (
+                tls.ca_cert,
+                tls.client_cert,
+                tls.client_key,
+                tls.insecure,
+                tls.timeout,
+            )
+        } else {
+            (None, None, None, None, None)
+        };
+
     let ac = AgentRegistrationConfig {
         contact_ip: config.contact_ip().to_string(),
         contact_port: config.contact_port(),
@@ -55,6 +81,11 @@ pub async fn register_agent(
             .ek_handle()
             .expect("failed to get ek_handle")
             .to_string(),
+        registrar_ca_cert: ca_cert,
+        registrar_client_cert: client_cert,
+        registrar_client_key: client_key,
+        registrar_insecure: insecure,
+        registrar_timeout: timeout,
     };
 
     let cert_config = cert::CertificateConfig {
@@ -111,7 +142,7 @@ mod tests {
 
         let tmpdir = tempfile::tempdir().expect("failed to create tempdir");
         let _config = get_testing_config(tmpdir.path(), None);
-        let result = check_registration(None).await;
+        let result = check_registration(None, None).await;
         assert!(result.is_ok());
     }
 
@@ -136,7 +167,7 @@ mod tests {
 
         let mut context_info = ContextInfo::new_from_str(alg_config)
             .expect("Failed to create context info from string");
-        let result = register_agent(&mut context_info).await;
+        let result = register_agent(&mut context_info, None).await;
         assert!(result.is_err());
         assert!(context_info.flush_context().is_ok());
     }

keylime-push-model-agent/src/state_machine.rs

@@ -6,6 +6,7 @@ use crate::attestation::{
 };
 #[cfg(not(all(test, feature = "testing")))]
 use crate::registration;
+use crate::registration::RegistrarTlsConfig;
 #[cfg(test)]
 use crate::DEFAULT_ATTESTATION_INTERVAL_SECONDS;
 use anyhow::anyhow;
@@ -31,6 +32,7 @@ pub struct StateMachine<'a> {
     negotiation_config: NegotiationConfig<'a>,
     context_info: Option<ContextInfo>,
     measurement_interval: Duration,
+    registrar_tls_config: Option<RegistrarTlsConfig>,
 }
 
 impl<'a> StateMachine<'a> {
@@ -39,6 +41,7 @@ impl<'a> StateMachine<'a> {
         negotiation_config: NegotiationConfig<'a>,
         context_info: Option<ContextInfo>,
         attestation_interval_seconds: u64,
+        registrar_tls_config: Option<RegistrarTlsConfig>,
     ) -> Self {
         let initial_state = State::Unregistered;
         let measurement_interval =
@@ -50,6 +53,7 @@ impl<'a> StateMachine<'a> {
             negotiation_config,
             context_info,
             measurement_interval,
+            registrar_tls_config,
         }
     }
 
@@ -104,8 +108,11 @@ impl<'a> StateMachine<'a> {
     }
 
     async fn register(&mut self) {
-        let res =
-            registration::check_registration(self.context_info.clone()).await;
+        let res = registration::check_registration(
+            self.context_info.clone(),
+            self.registrar_tls_config.take(),
+        )
+        .await;
 
         match res {
             Ok(()) => {
@@ -263,6 +270,14 @@ mod registration {
     use keylime::context_info::ContextInfo;
     use std::sync::{Arc, Mutex, OnceLock};
 
+    pub struct RegistrarTlsConfig {
+        pub ca_cert: Option<String>,
+        pub client_cert: Option<String>,
+        pub client_key: Option<String>,
+        pub insecure: Option<bool>,
+        pub timeout: Option<u64>,
+    }
+
     static MOCK_RESULT: OnceLock<Arc<Mutex<Result<(), String>>>> =
         OnceLock::new();
 
@@ -272,6 +287,7 @@ mod registration {
 
     pub async fn check_registration(
         _context_info: Option<ContextInfo>,
+        _tls_config: Option<RegistrarTlsConfig>,
     ) -> anyhow::Result<()> {
         let result = get_mock_result().lock().unwrap().clone();
         result.map_err(|e| anyhow!(e))
@@ -425,6 +441,7 @@ mod tpm_tests {
                         neg_config.clone(),
                         None,
                         DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+                        None,
                     ),
                     guard,
                 );
@@ -437,6 +454,7 @@ mod tpm_tests {
                 neg_config.clone(),
                 Some(context_info),
                 DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+                None,
             ),
             guard,
         )
@@ -611,9 +629,11 @@ mod tpm_tests {
         let mut context_info = sm.context_info.clone().unwrap();
 
         registration::set_mock_result(Ok(()));
-        let res =
-            registration::check_registration(Some(context_info.clone()))
-                .await;
+        let res = registration::check_registration(
+            Some(context_info.clone()),
+            None,
+        )
+        .await;
 
         match res {
             Ok(()) => {
@@ -654,8 +674,11 @@ mod tpm_tests {
                 agent_data_path: "".to_string(),
             })
             .expect("This test requires TPM access with proper permissions");
-        let _ = registration::check_registration(Some(context_info.clone()))
-            .await;
+        let _ = registration::check_registration(
+            Some(context_info.clone()),
+            None,
+        )
+        .await;
 
         let mock_server = MockServer::start().await;
 
@@ -704,6 +727,7 @@ mod tpm_tests {
             neg_config,
             Some(context_info.clone()),
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
 
         // We can't easily test the full run() method since it loops indefinitely.
@@ -766,6 +790,7 @@ mod tests {
             test_config,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
 
         // Should start in Unregistered state when no context info is provided.
@@ -793,6 +818,7 @@ mod tests {
             test_config,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
 
         let debug_output = format!("{:?}", state_machine.get_current_state());
@@ -816,6 +842,7 @@ mod tests {
             test_config,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
 
         // Start in Unregistered state.
@@ -852,6 +879,7 @@ mod tests {
             test_config,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
 
         // Should start in Unregistered state.
@@ -878,6 +906,7 @@ mod tests {
             test_config,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
 
         // Verify that context_info is None when not provided.
@@ -901,6 +930,7 @@ mod tests {
             test_config,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
 
         // Test that the configuration references are stored correctly.
@@ -928,6 +958,7 @@ mod tests {
             test_config,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
 
         // Manually set to Failed state to test error handling.
@@ -959,6 +990,7 @@ mod tests {
             test_config,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
 
         // Manually set to Failed state to test error handling.
@@ -985,6 +1017,7 @@ mod tests {
             test_config1,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
         assert!(matches!(
             state_machine1.get_current_state(),
@@ -1000,6 +1033,7 @@ mod tests {
             test_config2,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
         assert!(matches!(
             state_machine2.get_current_state(),
@@ -1024,6 +1058,7 @@ mod tests {
             test_config,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
 
         // Test that avoid_tpm is properly configured through the test config.
@@ -1051,6 +1086,7 @@ mod tests {
             test_config,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
 
         // Set a test error and verify debug formatting works.
@@ -1083,6 +1119,7 @@ mod tests {
             test_config,
             None,
             DEFAULT_ATTESTATION_INTERVAL_SECONDS,
+            None,
         );
 
         // Test with valid seconds_to_next_attestation field in meta object.