kbs: simplify tee-pubkey reading from the attestation token

Signed-off-by: Mikko Ylinen <[email protected]>
confidential-containers · Jun 13, 2024 · 142965e · 142965e
1 parent 25582b0
commit 142965e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 21 deletions.
diff --git a/kbs/src/api/src/attestation/mod.rs b/kbs/src/api/src/attestation/mod.rs
@@ -14,6 +14,12 @@ use intel_trust_authority::*;
 use kbs_types::{Challenge, Tee};
 use rand::{thread_rng, Rng};
 
+// TODO: make it user configurable?
+#[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))]
+pub const TOKEN_TEE_PUBKEY_PATH: &str = "/customized_claims/runtime_data/tee-pubkey";
+#[cfg(feature = "intel-trust-authority-as")]
+pub const TOKEN_TEE_PUBKEY_PATH: &str = "/attester_runtime_data/tee-pubkey";
+
 #[cfg(feature = "coco-as")]
 #[allow(missing_docs)]
 pub mod coco;

diff --git a/kbs/src/api/src/http/resource.rs b/kbs/src/api/src/http/resource.rs
@@ -15,6 +15,7 @@ use rsa::{BigUint, Pkcs1v15Encrypt, RsaPublicKey};
 use serde::Deserialize;
 use serde_json::{json, Deserializer, Value};
 
+use crate::attestation;
 use crate::raise_error;
 
 use super::*;
@@ -46,27 +47,11 @@ pub(crate) async fn get_resource(
         Error::AttestationClaimsParseFailed(format!("illegal attestation claims: {e}"))
     })?;
 
-    let pkey_value = claims
-        .get("customized_claims")
-        .ok_or(Error::AttestationClaimsParseFailed(String::from(
-            "No `customized_claims` in the attestation claims thus no `tee-pubkey`",
-        )))?
-        .as_object()
-        .ok_or(Error::AttestationClaimsParseFailed(String::from(
-            "`customized_claims` should be a JSON map",
-        )))?
-        .get("runtime_data")
-        .ok_or(Error::AttestationClaimsParseFailed(String::from(
-            "No `runtime_data` in the attestation claims thus no `tee-pubkey`",
-        )))?
-        .as_object()
-        .ok_or(Error::AttestationClaimsParseFailed(String::from(
-            "`runtime_data` should be a JSON map",
-        )))?
-        .get("tee-pubkey")
-        .ok_or(Error::AttestationClaimsParseFailed(String::from(
-            "No `tee-pubkey` in the attestation claims",
-        )))?;
+    let pkey_value = claims.pointer(attestation::TOKEN_TEE_PUBKEY_PATH).ok_or(
+        Error::AttestationClaimsParseFailed(String::from(
+            "Failed to find `tee-pubkey` in the attestation claims",
+        )),
+    )?;
     let pubkey = TeePubKey::deserialize(pkey_value).map_err(|e| {
         Error::AttestationClaimsParseFailed(format!("illegal attestation claims: {e}"))
     })?;