keylimectl: Disable hostname checking in clients

This is necessary because keylime certificates don't properly set the
Subject Alternative Name (SAN).

Signed-off-by: Anderson Toshiyuki Sasaki <[email protected]>

Author: ansasaki

keylimectl/src/client/base.rs

@@ -131,11 +131,13 @@ impl BaseClient {
     /// - Client certificate and key (if specified)
     /// - Server certificate verification (can be disabled for testing)
     /// - Connection timeout from config
+    /// - Hostname verification disabled (required for Keylime certificates)
     /// - HTTP/2 and connection pooling
     ///
     /// # Security Notes
     ///
     /// - Client certificates enable mutual TLS authentication
+    /// - Hostname verification is disabled for Keylime certificate compatibility
     /// - Server certificate verification should only be disabled for testing
     /// - Invalid certificates will cause connection failures
     ///
@@ -153,7 +155,8 @@ impl BaseClient {
                config.tls.verify_server_cert, config.tls.client_cert, config.tls.client_key, config.tls.trusted_ca);
 
         let mut builder = reqwest::Client::builder()
-            .timeout(Duration::from_secs(config.client.timeout));
+            .timeout(Duration::from_secs(config.client.timeout))
+            .danger_accept_invalid_hostnames(true); // Required for Keylime certificates
 
         // Configure TLS
         if !config.tls.verify_server_cert {

keylimectl/src/client/registrar.rs

@@ -62,9 +62,6 @@ use log::{debug, info, warn};
 use reqwest::{Method, StatusCode};
 use serde_json::Value;
 
-/// Unknown API version constant for when version detection fails
-pub const UNKNOWN_API_VERSION: &str = "unknown";
-
 /// Supported API versions in order from oldest to newest (fallback tries newest first)
 pub const SUPPORTED_API_VERSIONS: &[&str] =
     &["2.0", "2.1", "2.2", "2.3", "3.0"];
@@ -375,12 +372,11 @@ impl RegistrarClient {
             }
         }
 
-        // If all versions failed, set to unknown and continue with default
+        // If all versions failed, continue with default version
         warn!(
             "Could not detect registrar API version, using default: {}",
             self.api_version
         );
-        self.api_version = UNKNOWN_API_VERSION.to_string();
         Ok(())
     }
 
@@ -1081,10 +1077,6 @@ mod tests {
             }
         }
 
-        #[test]
-        fn test_unknown_api_version_constant() {
-            assert_eq!(UNKNOWN_API_VERSION, "unknown");
-        }
 
         #[test]
         fn test_response_structure_deserialization() {
@@ -1174,8 +1166,8 @@ mod tests {
             client.api_version = "2.0".to_string();
             assert_eq!(client.api_version, "2.0");
 
-            client.api_version = UNKNOWN_API_VERSION.to_string();
-            assert_eq!(client.api_version, "unknown");
+            client.api_version = "3.0".to_string();
+            assert_eq!(client.api_version, "3.0");
         }
 
         #[test]
@@ -1225,12 +1217,8 @@ mod tests {
         #[allow(clippy::const_is_empty)]
         fn test_version_constants_consistency() {
             // Ensure our constants are consistent with expected patterns
-            assert!(!UNKNOWN_API_VERSION.is_empty()); // Known constant value
             assert!(!SUPPORTED_API_VERSIONS.is_empty()); // Known constant value
 
-            // UNKNOWN_API_VERSION should not be in SUPPORTED_API_VERSIONS
-            assert!(!SUPPORTED_API_VERSIONS.contains(&UNKNOWN_API_VERSION));
-
             // All supported versions should be valid version strings
             for version in SUPPORTED_API_VERSIONS {
                 assert!(!version.is_empty());
@@ -1334,7 +1322,6 @@ mod tests {
                 SUPPORTED_API_VERSIONS,
                 verifier::SUPPORTED_API_VERSIONS
             );
-            assert_eq!(UNKNOWN_API_VERSION, verifier::UNKNOWN_API_VERSION);
         }
 
         #[test]

keylimectl/src/client/verifier.rs

@@ -61,9 +61,6 @@ use log::{debug, info, warn};
 use reqwest::{Method, StatusCode};
 use serde_json::Value;
 
-/// Unknown API version constant for when version detection fails
-pub const UNKNOWN_API_VERSION: &str = "unknown";
-
 /// Supported API versions in order from oldest to newest (fallback tries newest first)
 pub const SUPPORTED_API_VERSIONS: &[&str] =
     &["2.0", "2.1", "2.2", "2.3", "3.0"];
@@ -367,12 +364,11 @@ impl VerifierClient {
             }
         }
 
-        // If all versions failed, set to unknown and continue with default
+        // If all versions failed, continue with default version
         warn!(
             "Could not detect verifier API version, using default: {}",
             self.api_version
         );
-        self.api_version = UNKNOWN_API_VERSION.to_string();
         Ok(())
     }
 
@@ -1528,10 +1524,6 @@ mod tests {
             }
         }
 
-        #[test]
-        fn test_unknown_api_version_constant() {
-            assert_eq!(UNKNOWN_API_VERSION, "unknown");
-        }
 
         #[test]
         fn test_response_structure_deserialization() {
@@ -1621,8 +1613,8 @@ mod tests {
             client.api_version = "2.0".to_string();
             assert_eq!(client.api_version, "2.0");
 
-            client.api_version = UNKNOWN_API_VERSION.to_string();
-            assert_eq!(client.api_version, "unknown");
+            client.api_version = "3.0".to_string();
+            assert_eq!(client.api_version, "3.0");
         }
 
         #[test]
@@ -1672,12 +1664,8 @@ mod tests {
         #[allow(clippy::const_is_empty)]
         fn test_version_constants_consistency() {
             // Ensure our constants are consistent with expected patterns
-            assert!(!UNKNOWN_API_VERSION.is_empty()); // Known constant value
             assert!(!SUPPORTED_API_VERSIONS.is_empty()); // Known constant value
 
-            // UNKNOWN_API_VERSION should not be in SUPPORTED_API_VERSIONS
-            assert!(!SUPPORTED_API_VERSIONS.contains(&UNKNOWN_API_VERSION));
-
             // All supported versions should be valid version strings
             for version in SUPPORTED_API_VERSIONS {
                 assert!(!version.is_empty());