diff --git a/Cargo.lock b/Cargo.lock index ca9cf35d28..d37af47e2d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -532,7 +532,7 @@ dependencies = [ "env_logger 0.10.2", "futures", "hex", - "kbs-types", + "kbs-types 0.7.0", "lazy_static", "log", "openssl", @@ -574,7 +574,7 @@ dependencies = [ "hex", "hyper 0.14.28", "hyper-tls 0.5.0", - "kbs-types", + "kbs-types 0.6.0", "log", "nix", "occlum_dcap", @@ -1374,7 +1374,7 @@ dependencies = [ "anyhow", "base64 0.21.7", "ctr", - "kbs-types", + "kbs-types 0.6.0", "rand", "rsa 0.9.6", "serde", @@ -2735,7 +2735,7 @@ dependencies = [ "env_logger 0.10.2", "jsonwebtoken", "jwt-simple 0.11.9", - "kbs-types", + "kbs-types 0.7.0", "kms", "lazy_static", "log", @@ -2790,6 +2790,16 @@ dependencies = [ "serde_json", ] +[[package]] +name = "kbs-types" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9b6441ed73b0faa50707d4de41c6b45c76654b661b96aaf7b26a41331eedc0a5" +dependencies = [ + "serde", + "serde_json", +] + [[package]] name = "kbs_protocol" version = "0.1.0" @@ -2801,7 +2811,7 @@ dependencies = [ "base64 0.21.7", "crypto", "jwt-simple 0.12.9", - "kbs-types", + "kbs-types 0.6.0", "log", "reqwest 0.12.4", "resource_uri", @@ -5917,7 +5927,7 @@ dependencies = [ "intel-tee-quote-verification-rs", "jsonwebkey", "jsonwebtoken", - "kbs-types", + "kbs-types 0.7.0", "log", "openssl", "rstest", diff --git a/Cargo.toml b/Cargo.toml index 3d7bd6bbc9..9490d6fb1b 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -30,7 +30,7 @@ env_logger = "0.10.0" hex = "0.4.3" jwt-simple = "0.11" kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="9bd6f06a9704e01808e91abde130dffb20e632a5", default-features = false } -kbs-types = "0.6.0" +kbs-types = "0.7.0" kms = { git = "https://github.com/confidential-containers/guest-components.git", rev="9bd6f06a9704e01808e91abde130dffb20e632a5", default-features = false } jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" @@ -49,4 +49,4 @@ thiserror = "1.0" tokio = { version = "1", features = ["full"] } tempfile = "3.4.0" tonic = "0.11" -tonic-build = "0.11" \ No newline at end of file +tonic-build = "0.11" diff --git a/kbs/src/attestation/coco/builtin.rs b/kbs/src/attestation/coco/builtin.rs index 1433b5f702..88860dafa7 100644 --- a/kbs/src/attestation/coco/builtin.rs +++ b/kbs/src/attestation/coco/builtin.rs @@ -47,7 +47,11 @@ impl Attest for BuiltInCoCoAs { .await } - async fn generate_challenge(&self, tee: Tee, tee_parameters: String) -> Result { + async fn generate_challenge( + &self, + tee: Tee, + tee_parameters: serde_json::Value, + ) -> Result { let nonce = match tee { Tee::Se => { self.inner diff --git a/kbs/src/attestation/coco/grpc.rs b/kbs/src/attestation/coco/grpc.rs index 93fefe3f2f..c58b3784ec 100644 --- a/kbs/src/attestation/coco/grpc.rs +++ b/kbs/src/attestation/coco/grpc.rs @@ -124,7 +124,11 @@ impl Attest for GrpcClientPool { Ok(token) } - async fn generate_challenge(&self, tee: Tee, tee_parameters: String) -> Result { + async fn generate_challenge( + &self, + tee: Tee, + tee_parameters: serde_json::Value, + ) -> Result { let nonce = match tee { Tee::Se => { let mut inner = HashMap::new(); diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 2eac0ac656..616b036bac 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -66,7 +66,7 @@ impl Attest for IntelTrustAuthority { let attestation = serde_json::from_str::(attestation) .map_err(|e| anyhow!("Deserialize Attestation failed: {:?}", e))?; let evidence = - serde_json::from_str::(&attestation.tee_evidence) + serde_json::from_value::(attestation.tee_evidence) .map_err(|e| anyhow!("Deserialize supported TEE Evidence failed: {:?}", e))?; let runtime_data = json!({ diff --git a/kbs/src/attestation/mod.rs b/kbs/src/attestation/mod.rs index 87982340a2..cbca938439 100644 --- a/kbs/src/attestation/mod.rs +++ b/kbs/src/attestation/mod.rs @@ -41,7 +41,11 @@ pub trait Attest: Send + Sync { async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result; /// generate the Challenge to pass to attester based on Tee and nonce - async fn generate_challenge(&self, _tee: Tee, _tee_parameters: String) -> Result { + async fn generate_challenge( + &self, + _tee: Tee, + _tee_parameters: serde_json::Value, + ) -> Result { let mut nonce: Vec = vec![0; 32]; thread_rng() @@ -51,7 +55,7 @@ pub trait Attest: Send + Sync { let nonce = STANDARD.encode(&nonce); Ok(Challenge { nonce, - extra_params: String::new(), + extra_params: serde_json::Value::String(String::new()), }) } } @@ -112,7 +116,11 @@ impl AttestationService { } } - pub async fn generate_challenge(&self, tee: Tee, tee_parameters: String) -> Result { + pub async fn generate_challenge( + &self, + tee: Tee, + tee_parameters: serde_json::Value, + ) -> Result { match self { #[cfg(feature = "coco-as-grpc")] AttestationService::CoCoASgRPC(inner) => { diff --git a/kbs/src/http/resource.rs b/kbs/src/http/resource.rs index c0f17265b3..2fbf840e23 100644 --- a/kbs/src/http/resource.rs +++ b/kbs/src/http/resource.rs @@ -189,10 +189,17 @@ const RSA_ALGORITHM: &str = "RSA1_5"; const AES_GCM_256_ALGORITHM: &str = "A256GCM"; pub(crate) fn jwe(tee_pub_key: TeePubKey, payload_data: Vec) -> Result { - if tee_pub_key.alg != *RSA_ALGORITHM { + let TeePubKey::RSA { alg, k_mod, k_exp } = tee_pub_key else { + raise_error!(Error::JWEFailed(format!( + "key type is not TeePubKey::RSA but {:?}", + tee_pub_key + ))); + }; + + if alg != *RSA_ALGORITHM { raise_error!(Error::JWEFailed(format!( "algorithm is not {RSA_ALGORITHM} but {}", - tee_pub_key.alg + alg ))); } @@ -207,11 +214,11 @@ pub(crate) fn jwe(tee_pub_key: TeePubKey, payload_data: Vec) -> Result