Add TLS support for Registrar communication

.github/workflows/mockoon.yaml

@@ -8,7 +8,7 @@ name: "Mockoon Tests"
     branches: [master]
 
 jobs:
-  mockoon-tests:
+  mockoon-verifier-tests:
     runs-on: ubuntu-latest
     container:
       image: quay.io/keylime/keylime-ci:latest
@@ -24,5 +24,93 @@ jobs:
           port: 3000
       - name: Set git safe.directory for the working directory
         run: git config --system --add safe.directory "$PWD"
-      - name: Mockoon tests custom script execution
+      - name: Mockoon verifier tests custom script execution
         run: bash tests/mockoon_tests.sh
+
+  mockoon-registrar-tests:
+    runs-on: ubuntu-latest
+    container:
+      image: quay.io/keylime/keylime-ci:latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: NPM installation
+        run: dnf install -y npm
+      - name: Pre-Mockoon system debugging
+        run: |
+          echo "======== PRE-MOCKOON SYSTEM STATE ========"
+          echo "Available system tools:"
+          command -v lsof && echo "✓ lsof available" ||
+            echo "✗ lsof not available"
+          command -v netstat && echo "✓ netstat available" ||
+            echo "✗ netstat not available"
+          command -v ss && echo "✓ ss available" ||
+            echo "✗ ss available"
+          command -v curl && echo "✓ curl available" ||
+            echo "✗ curl not available"
+          command -v docker && echo "✓ docker available" ||
+            echo "✗ docker not available"
+
+          echo ""
+          echo "Current processes using port 3001 (should be none):"
+          lsof -i :3001 2>/dev/null || echo "No processes using port 3001"
+
+          echo ""
+          echo "All listening ports:"
+          netstat -tulpn 2>/dev/null | head -20 ||
+            ss -tulpn 2>/dev/null | head -20 ||
+            echo "Cannot list ports"
+
+          echo ""
+          echo "Current user and environment:"
+          echo "User: $(whoami)"
+          echo "UID: $(id -u)"
+          echo "Groups: $(id -G)"
+          echo "HOME: $HOME"
+          echo "PWD: $PWD"
+          echo "CI: ${CI:-not_set}"
+          echo "GITHUB_ACTIONS: ${GITHUB_ACTIONS:-not_set}"
+
+          echo ""
+          echo "Container/system info:"
+          echo "Hostname: $(hostname)"
+          uname -a
+          cat /etc/os-release | head -5
+          echo "======== END PRE-MOCKOON SYSTEM STATE ========"
+      - name: Run Mockoon CLI
+        uses: mockoon/cli-action@v2
+        with:
+          version: latest
+          data-file: keylime-push-model-agent/test-data/registrar.json
+          port: 3001
+      - name: Post-Mockoon system debugging
+        run: |
+          echo "======== POST-MOCKOON SYSTEM STATE ========"
+          echo "Processes using port 3001 after Mockoon start:"
+          lsof -i :3001 2>/dev/null ||
+            echo "No processes using port 3001 (unexpected!)"
+
+          echo ""
+          echo "Mockoon-related processes:"
+          ps aux | grep -i mockoon | grep -v grep ||
+            echo "No mockoon processes found"
+
+          echo ""
+          echo "Node.js processes:"
+          ps aux | grep -E "(node|npm)" | grep -v grep ||
+            echo "No node/npm processes found"
+
+          echo ""
+          echo "Test HTTP connectivity to port 3001:"
+          curl -sI --connect-timeout 5 http://localhost:3001 2>/dev/null ||
+            echo "Failed to connect to port 3001"
+
+          echo ""
+          echo "Network connections:"
+          netstat -tulpn 2>/dev/null | grep ':3001' ||
+            ss -tulpn 2>/dev/null | grep ':3001' ||
+            echo "No port 3001 connections found"
+          echo "======== END POST-MOCKOON SYSTEM STATE ========"
+      - name: Set git safe.directory for the working directory
+        run: git config --system --add safe.directory "$PWD"
+      - name: Mockoon registrar tests custom script execution
+        run: bash tests/mockoon_registrar_tests.sh

keylime-agent/src/main.rs

@@ -515,11 +515,12 @@ async fn main() -> Result<()> {
 
     // Load or generate mTLS key pair (separate from payload keys)
     // The mTLS key is always persistent, stored at the configured path.
+    // Uses ECC P-256 by default for better security and performance
     let key_path = Path::new(&config.server_key);
     let (mtls_pub, mtls_priv) = crypto::load_or_generate_key(
         key_path,
         Some(config.server_key_password.as_ref()),
-        keylime::algorithms::EncryptionAlgorithm::Rsa2048,
+        keylime::algorithms::EncryptionAlgorithm::Ecc256,
         false, // Don't validate algorithm for mTLS keys (for backward compatibility)
     )?;
 
@@ -608,6 +609,12 @@ async fn main() -> Result<()> {
         registrar_port: config.registrar_port,
         enable_iak_idevid: config.enable_iak_idevid,
         ek_handle: config.ek_handle.clone(),
+        // Pull model agent does not use TLS for registrar communication
+        registrar_ca_cert: None,
+        registrar_client_cert: None,
+        registrar_client_key: None,
+        registrar_insecure: None,
+        registrar_timeout: None,
     };
 
     let aa = AgentRegistration {

keylime-push-model-agent/src/main.rs

@@ -3,7 +3,7 @@
 use anyhow::Result;
 use clap::Parser;
 use keylime::config::PushModelConfigTrait;
-use log::{debug, error, info};
+use log::{debug, error, info, warn};
 mod attestation;
 mod auth;
 mod context_info_handler;
@@ -175,11 +175,46 @@ async fn run(args: &Args) -> Result<()> {
     };
     let attestation_client =
         attestation::AttestationClient::new(&neg_config)?;
+
+    // Create Registrar TLS config from configuration
+    let registrar_tls_config = if config.registrar_tls_enabled() {
+        let ca_cert = config.registrar_tls_ca_cert();
+        let client_cert = config.registrar_tls_client_cert();
+        let client_key = config.registrar_tls_client_key();
+
+        info!("Registrar TLS enabled: true");
+        debug!("Registrar CA certificate: {}", ca_cert);
+        debug!("Registrar client certificate: {}", client_cert);
+        debug!("Registrar client key: {}", client_key);
+
+        // Only use TLS if all certificate paths are provided
+        if !ca_cert.is_empty()
+            && !client_cert.is_empty()
+            && !client_key.is_empty()
+        {
+            info!("Registrar TLS configuration complete - using HTTPS");
+            Some(registration::RegistrarTlsConfig {
+                ca_cert: Some(ca_cert.to_string()),
+                client_cert: Some(client_cert.to_string()),
+                client_key: Some(client_key.to_string()),
+                insecure: None,
+                timeout: Some(args.timeout),
+            })
+        } else {
+            warn!("Registrar TLS is enabled but certificate paths are not configured. Using plain HTTP.");
+            None
+        }
+    } else {
+        info!("Registrar TLS enabled: false - using plain HTTP");
+        None
+    };
+
     let mut state_machine = state_machine::StateMachine::new(
         attestation_client,
         neg_config,
         ctx_info,
         args.attestation_interval_seconds,
+        registrar_tls_config,
     );
     state_machine.run().await;
     Ok(())