RHEL-51321

keylime does not use CA certificates from configuration when verifying revocation notification webhook certificate

    • Bug
    • Resolution: Unresolved
    • rhel-10.0.beta
    • rhel-10.0.beta
    • keylime
    • keylime-7.9.0-7.el10
    • No
    • 1
    • rhel-sst-security-special-projects
    • ssg_security
    • 26
    • Yes
    • SECENGSP Cycle 7
      • keylime notifier should read trusted CA certificates both from system trust store and verifier trusted_server_ca configuration.
    • Pass
    • Automated
    • Feature
    • Proposed

      What were you trying to do that didn't work?

      When verifying the revocation notification webhook server certificate, keylime does not include the certificates provided via the 'trusted_server_ca' configuration option. Only the system-installed CA certificates are used.

      Please provide the package NVR for which bug is seen:

      keylime-7.3.0-13.el9_3.src.rpm

      How reproducible:

      always

      Steps to reproduce

      1. Set up a webhook server to receive revocation notifications using TLS. For example:

      $ openssl s_server -cert cert.crt -key private.pem -port 8080 &

      2. Add the revocation notification webhook server CA certificate to the 'trusted_server_ca' list in the verifier configuration (by modifying /etc/keylime/verifier.conf or adding a snippet in /etc/keylime/verifier.conf.d/).
      3. Configure the verifier to send revocation notifications to the webhook by setting the following options in the configuration:

      enabled_revocation_notifications = ['agent', 'webhook']

      webhook_url = "localhost:8080"

      4. Start the Keylime verifier, Keylime registrar, and Keylime agent. Enroll the agent to the verifier using the Keylime tenant. Make the agent fail attestation by running a script not included in the runtime policy.

      Expected results

      The verifier successfully establishes a TLS connection to the revocation notification webhook server by verifying the presented certificate with the CA certificate configured via the 'trusted_server_ca' option. The revocation notification webhook server receives the revocation notification normally.

      Actual results

      The verifier fails to establish a TLS connection to the revocation notification webhook server due to certificate verification failure. The webhook server CA certificate added to the 'trusted_server_ca' option in the configuration is ignored.
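
      As an added example (not code from keylime or from this report), the following Python script shows the behaviour the report describes in a form that can be run offline. It generates a throwaway CA and a webhook server certificate with the cryptography package (constructed test data), then drives an in-memory TLS handshake against two client contexts: one built from the system trust store alone, which is what the report says the verifier does today, and one that additionally loads the CA file listed in 'trusted_server_ca', which is what the report expects. The function names (make_test_pki, build_client_context, tls_handshake_in_memory, webhook_handshake_ok), the certificate contents and the hostname 'localhost' are this example's own assumptions, not keylime identifiers; only the option name 'trusted_server_ca' comes from the report.

```python
# Added example, not keylime code. Requires the 'cryptography' package.
# Shows why a TLS client (the verifier talking to the webhook) must trust the
# CAs from 'trusted_server_ca' and not only the system trust store.
import datetime
import os
import ssl
import tempfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

WEBHOOK_HOST = "localhost"  # assumption, mirrors webhook_url = "localhost:8080"


def make_test_pki(directory):
    """Write a constructed self-signed CA and a CA-issued server cert for WEBHOOK_HOST.
    Returns (ca_cert_path, server_cert_path, server_key_path)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Webhook CA")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(digital_signature=False, content_commitment=False,
                                     key_encipherment=False, data_encipherment=False,
                                     key_agreement=False, key_cert_sign=True, crl_sign=True,
                                     encipher_only=False, decipher_only=False), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(ca_key.public_key()), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    srv_key = ec.generate_private_key(ec.SECP256R1())
    srv_cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, WEBHOOK_HOST)]))
        .issuer_name(ca_name)
        .public_key(srv_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(WEBHOOK_HOST)]), critical=False)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    key_pem = srv_key.private_bytes(serialization.Encoding.PEM,
                                    serialization.PrivateFormat.PKCS8,
                                    serialization.NoEncryption())
    paths = [os.path.join(directory, n) for n in ("ca.crt", "server.crt", "server.key")]
    for path, data in zip(paths, (ca_cert.public_bytes(serialization.Encoding.PEM),
                                  srv_cert.public_bytes(serialization.Encoding.PEM), key_pem)):
        with open(path, "wb") as f:
            f.write(data)
    return tuple(paths)


def build_client_context(trusted_server_ca=()):
    """Client context as the verifier should build it: system trust store plus
    every CA file from 'trusted_server_ca'. An empty list reproduces the bug."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)  # system-installed CAs only
    for cafile in trusted_server_ca:
        ctx.load_verify_locations(cafile=cafile)  # the step the report says is missing
    return ctx


def _pump(src, dst):
    data = src.read()
    if data:
        dst.write(data)


def tls_handshake_in_memory(client_ctx, server_ctx, hostname):
    """Drive both sides of a TLS handshake over MemoryBIOs (no sockets).
    Raises ssl.SSLCertVerificationError when the client rejects the server cert."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    client_done = server_done = False
    for _ in range(10):
        if not client_done:
            try:
                client.do_handshake()
                client_done = True
            except ssl.SSLWantReadError:
                pass
        _pump(c_out, s_in)  # client -> server
        if not server_done:
            try:
                server.do_handshake()
                server_done = True
            except ssl.SSLWantReadError:
                pass
        _pump(s_out, c_in)  # server -> client
        if client_done and server_done:
            return
    raise RuntimeError("handshake did not complete")


def webhook_handshake_ok(use_configured_ca):
    """True if a verifier-side client accepts the webhook certificate."""
    with tempfile.TemporaryDirectory() as d:
        ca_crt, srv_crt, srv_key = make_test_pki(d)
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(srv_crt, srv_key)
        client_ctx = build_client_context([ca_crt] if use_configured_ca else [])
        try:
            tls_handshake_in_memory(client_ctx, server_ctx, WEBHOOK_HOST)
            return True
        except ssl.SSLCertVerificationError:
            return False


if __name__ == "__main__":
    print("system store only (reported behaviour):", webhook_handshake_ok(False))
    print("system store + trusted_server_ca:", webhook_handshake_ok(True))
```

      The first call fails with CERTIFICATE_VERIFY_FAILED because the constructed CA is unknown to the system store, which is the failure the report describes; the second succeeds because the CA file is loaded into the same context. The point is that load_default_certs() and load_verify_locations() are additive, so the configured CAs extend rather than replace the system trust store, which is the behaviour the SECENGSP acceptance line above asks for.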

              ksrot@redhat.com Karel Srot
              ansasaki@redhat.com Anderson Sasaki