Add KEYLIME_DIR support for verifier TLS certificates in push model agent

The push model agent previously had hardcoded CLI argument defaults for
verifier TLS certificates that ignored the KEYLIME_DIR environment
variable. This change adds proper KEYLIME_DIR support by introducing new
config options that follow the same pattern used for registrar TLS
certificates.

Changes:
- Add verifier_tls_ca_cert, verifier_tls_client_cert, and
  verifier_tls_client_key config fields
- Make push model agent CLI args optional and use config values as
  defaults
- Update keylime-agent.conf with documentation for new options
- Path resolution now respects KEYLIME_DIR for verifier certificates

Backward compatibility:
- CLI arguments continue to work and override config values
- Without KEYLIME_DIR, paths resolve to /var/lib/keylime/cv_ca/* (same
  as before)
- With KEYLIME_DIR, paths resolve to $KEYLIME_DIR/cv_ca/* (new
  capability)

Assisted-by: Claude 4.5 Sonnet
Signed-off-by: Sergio Correia <[email protected]>

Author: sergio-correia

keylime-agent.conf

@@ -390,3 +390,16 @@ enable_authentication = false
 # Verifier URL (Push Model specific).
 # Verifier URL containing schema, host and port
 verifier_url = "https://localhost:8881"
+
+# Verifier client TLS certificates (Push Model specific)
+# These certificates are used by the push model agent to authenticate with the verifier.
+# If set as "default", the paths below are used relative to keylime_dir.
+# If a relative path is set, it will be considered relative from the keylime_dir.
+# If an absolute path is set, it is used without change.
+#
+# To override verifier_tls_ca_cert, set KEYLIME_AGENT_VERIFIER_TLS_CA_CERT environment variable.
+# To override verifier_tls_client_cert, set KEYLIME_AGENT_VERIFIER_TLS_CLIENT_CERT environment variable.
+# To override verifier_tls_client_key, set KEYLIME_AGENT_VERIFIER_TLS_CLIENT_KEY environment variable.
+verifier_tls_ca_cert = "default"      # default: cv_ca/cacert.crt
+verifier_tls_client_cert = "default"  # default: cv_ca/client-cert.crt
+verifier_tls_client_key = "default"   # default: cv_ca/client-private.pem

keylime-push-model-agent/src/main.rs

@@ -44,22 +44,17 @@ struct Args {
     #[arg(long, default_value = url_selector::DEFAULT_API_VERSION)]
     api_version: Option<String>,
     /// CA certificate file
-    #[arg(long, default_value = "/var/lib/keylime/cv_ca/cacert.crt")]
-    ca_certificate: String,
+    /// If not provided, uses verifier_tls_ca_cert from config (default: $KEYLIME_DIR/cv_ca/cacert.crt)
+    #[arg(long)]
+    ca_certificate: Option<String>,
     /// Client certificate file
-    #[arg(
-        short,
-        long,
-        default_value = "/var/lib/keylime/cv_ca/client-cert.crt"
-    )]
-    certificate: String,
+    /// If not provided, uses verifier_tls_client_cert from config (default: $KEYLIME_DIR/cv_ca/client-cert.crt)
+    #[arg(short, long)]
+    certificate: Option<String>,
     /// Client private key file
-    #[arg(
-        short,
-        long,
-        default_value = "/var/lib/keylime/cv_ca/client-private.pem"
-    )]
-    key: String,
+    /// If not provided, uses verifier_tls_client_key from config (default: $KEYLIME_DIR/cv_ca/client-private.pem)
+    #[arg(short, long)]
+    key: Option<String>,
     /// json file
     #[arg(short, long, default_missing_value = "")]
     json_file: Option<String>,
@@ -237,16 +232,25 @@ async fn run(
     debug!("Negotiations request URL: {negotiations_request_url}");
     let neg_config = attestation::NegotiationConfig {
         avoid_tpm,
-        ca_certificate: &args.ca_certificate,
-        client_certificate: &args.certificate,
+        ca_certificate: args
+            .ca_certificate
+            .as_deref()
+            .unwrap_or(config.verifier_tls_ca_cert()),
+        client_certificate: args
+            .certificate
+            .as_deref()
+            .unwrap_or(config.verifier_tls_client_cert()),
         enable_authentication: config.enable_authentication(),
         agent_id: &agent_identifier,
         ima_log_path: Some(config.ima_ml_path.as_str()),
         initial_delay_ms: config
             .exponential_backoff_initial_delay
             .unwrap_or(1000),
         insecure: args.insecure,
-        key: &args.key,
+        key: args
+            .key
+            .as_deref()
+            .unwrap_or(config.verifier_tls_client_key()),
         max_delay_ms: config.exponential_backoff_max_delay,
         max_retries: config.exponential_backoff_max_retries.unwrap_or(5),
         timeout: args.timeout,
@@ -634,9 +638,9 @@ mod tests {
             registrar_url: "".to_string(),
             verifier_url: Some("".to_string()),
             timeout: 0,
-            ca_certificate: "".to_string(),
-            certificate: "".to_string(),
-            key: "".to_string(),
+            ca_certificate: Some("".to_string()),
+            certificate: Some("".to_string()),
+            key: Some("".to_string()),
             insecure: None,
             agent_identifier: None,
             json_file: None,
@@ -669,9 +673,9 @@ mod tests {
             registrar_url: "".to_string(),
             verifier_url: Some("".to_string()),
             timeout: 0,
-            ca_certificate: "".to_string(),
-            certificate: "".to_string(),
-            key: "".to_string(),
+            ca_certificate: Some("".to_string()),
+            certificate: Some("".to_string()),
+            key: Some("".to_string()),
             insecure: None,
             agent_identifier: None,
             json_file: None,

keylime/src/config/base.rs

@@ -119,6 +119,12 @@ pub static DEFAULT_PUSH_EK_HANDLE: &str = "";
 pub static DEFAULT_VERIFIER_URL: &str = "https://localhost:8881";
 pub static DEFAULT_REGISTRAR_URL: &str = "http://localhost:8888";
 
+// Verifier client TLS certificate defaults (Push Model)
+// These are relative to KEYLIME_DIR, just like DEFAULT_TRUSTED_CLIENT_CA
+pub static DEFAULT_VERIFIER_TLS_CA_CERT: &str = "cv_ca/cacert.crt";
+pub static DEFAULT_VERIFIER_TLS_CLIENT_CERT: &str = "cv_ca/client-cert.crt";
+pub static DEFAULT_VERIFIER_TLS_CLIENT_KEY: &str = "cv_ca/client-private.pem";
+
 #[derive(Clone, Debug, Deserialize, Serialize, PartialEq)]
 pub struct AgentConfig {
     pub agent_data_path: String,
@@ -188,6 +194,9 @@ pub struct AgentConfig {
     pub registrar_api_versions: String,
     pub uefi_logs_evidence_version: String,
     pub verifier_url: String,
+    pub verifier_tls_ca_cert: String,
+    pub verifier_tls_client_cert: String,
+    pub verifier_tls_client_key: String,
 
     // TLS security options
     /// Accept invalid TLS certificates (INSECURE - for testing only)
@@ -362,6 +371,9 @@ impl Default for AgentConfig {
             uefi_logs_evidence_version: DEFAULT_UEFI_LOGS_EVIDENCE_VERSION
                 .to_string(),
             verifier_url: DEFAULT_VERIFIER_URL.to_string(),
+            verifier_tls_ca_cert: "default".to_string(),
+            verifier_tls_client_cert: "default".to_string(),
+            verifier_tls_client_key: "default".to_string(),
 
             // TLS security defaults - SECURE by default
             tls_accept_invalid_certs: false,
@@ -498,6 +510,30 @@ pub(crate) fn config_translate_keywords(
         true,
     );
 
+    let verifier_tls_ca_cert = config_get_file_path(
+        "verifier_tls_ca_cert",
+        &config.verifier_tls_ca_cert,
+        keylime_dir,
+        DEFAULT_VERIFIER_TLS_CA_CERT,
+        false,
+    );
+
+    let verifier_tls_client_cert = config_get_file_path(
+        "verifier_tls_client_cert",
+        &config.verifier_tls_client_cert,
+        keylime_dir,
+        DEFAULT_VERIFIER_TLS_CLIENT_CERT,
+        false,
+    );
+
+    let verifier_tls_client_key = config_get_file_path(
+        "verifier_tls_client_key",
+        &config.verifier_tls_client_key,
+        keylime_dir,
+        DEFAULT_VERIFIER_TLS_CLIENT_KEY,
+        false,
+    );
+
     let ek_handle = match config.ek_handle.as_ref() {
         "generate" => "".to_string(),
         "" => "".to_string(),
@@ -668,6 +704,9 @@ pub(crate) fn config_translate_keywords(
         payload_key,
         trusted_client_ca,
         uuid,
+        verifier_tls_ca_cert,
+        verifier_tls_client_cert,
+        verifier_tls_client_key,
         ..config.clone()
     })
 }

keylime/src/config/env.rs

@@ -166,6 +166,18 @@ mod test {
             ),
             ("KEYLIME_AGENT_UUID", "override_uuid"),
             ("KEYLIME_AGENT_VERSION", "override_version"),
+            (
+                "KEYLIME_AGENT_VERIFIER_TLS_CA_CERT",
+                "override_verifier_tls_ca_cert",
+            ),
+            (
+                "KEYLIME_AGENT_VERIFIER_TLS_CLIENT_CERT",
+                "override_verifier_tls_client_cert",
+            ),
+            (
+                "KEYLIME_AGENT_VERIFIER_TLS_CLIENT_KEY",
+                "override_verifier_tls_client_key",
+            ),
         ]);
 
         // Get the configuration using a temporary directory as `keylime_dir`

keylime/src/config/push_model.rs

@@ -63,6 +63,9 @@ pub struct PushModelConfig {
     uefi_logs_evidence_version: String,
     uuid: String,
     verifier_url: String,
+    verifier_tls_ca_cert: String,
+    verifier_tls_client_cert: String,
+    verifier_tls_client_key: String,
 }
 
 #[cfg(feature = "testing")]
@@ -190,4 +193,36 @@ mod tests {
             DEFAULT_ENABLE_AUTHENTICATION
         );
     }
+
+    #[test]
+    fn test_verifier_tls_cert_paths_default() {
+        let tmpdir = tempfile::tempdir().expect("failed to create tmpdir");
+        let config = get_testing_config(tmpdir.path(), None);
+
+        // Verify default paths are resolved correctly relative to keylime_dir
+        assert_eq!(
+            config.verifier_tls_ca_cert(),
+            tmpdir
+                .path()
+                .join(DEFAULT_VERIFIER_TLS_CA_CERT)
+                .display()
+                .to_string()
+        );
+        assert_eq!(
+            config.verifier_tls_client_cert(),
+            tmpdir
+                .path()
+                .join(DEFAULT_VERIFIER_TLS_CLIENT_CERT)
+                .display()
+                .to_string()
+        );
+        assert_eq!(
+            config.verifier_tls_client_key(),
+            tmpdir
+                .path()
+                .join(DEFAULT_VERIFIER_TLS_CLIENT_KEY)
+                .display()
+                .to_string()
+        );
+    }
 }