Skip to content

Commit

Permalink
Verifier: IBM SE add generate_challenge_extra_params
Browse files Browse the repository at this point in the history 
Signed-off-by: Qi Feng Huo <[email protected]>
  • Loading branch information
Qi Feng Huo committed Mar 7, 2024
1 parent 52f0b09 commit 71280f2
Show file tree
Hide file tree
Showing 8 changed files with 41 additions and 54 deletions.
6 changes: 3 additions & 3 deletions attestation-service/attestation-service/src/lib.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ use crate::token::AttestationTokenBroker;

use anyhow::{anyhow, Context, Result};
use config::Config;
pub use kbs_types::{Attestation, Challenge, Tee};
pub use kbs_types::{Attestation, Tee};
use log::debug;
use policy_engine::{PolicyEngine, PolicyEngineType, SetPolicyInput};
use rvps::RvpsApi;
Expand Down Expand Up @@ -240,9 +240,9 @@ impl AttestationService {
self.rvps.verify_and_extract(message).await
}

pub async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge> {
pub async fn generate_challenge_extra_params(&self, tee: Tee) -> Result<String> {
let verifier = verifier::to_verifier(&tee)?;
verifier.generate_challenge(nonce).await
verifier.generate_challenge_extra_params().await
}
}

Expand Down
13 changes: 4 additions & 9 deletions attestation-service/verifier/src/lib.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ use std::cmp::Ordering;

use anyhow::*;
use async_trait::async_trait;
use kbs_types::{Challenge, Tee};
use kbs_types::Tee;
use log::warn;

pub mod sample;
Expand Down Expand Up @@ -167,15 +167,10 @@ pub trait Verifier {
expected_init_data_hash: &InitDataHash,
) -> Result<TeeEvidenceParsedClaim>;

async fn generate_challenge(
async fn generate_challenge_extra_params(
&self,
nonce: &str,
) -> Result<Challenge> {

Ok(Challenge {
nonce: String::from(nonce),
extra_params: String::new(),
})
) -> Result<String> {
Ok(String::new())
}
}

Expand Down
12 changes: 4 additions & 8 deletions attestation-service/verifier/src/se/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ use super::*;
use async_trait::async_trait;
use anyhow::anyhow;
use base64::prelude::*;
use kbs_types::Challenge;
use crate::{InitDataHash, ReportData};
use crate::se::seattest::FakeSeAttest;
use crate::se::seattest::SeFakeVerifier;
Expand All @@ -31,10 +30,9 @@ impl Verifier for SeVerifier {
.map_err(|e| anyhow!("Se Verifier: {:?}", e))
}

async fn generate_challenge(
async fn generate_challenge_extra_params(
&self,
nonce: &str,
) -> Result<Challenge> {
) -> Result<String> {

// TODO replace FakeSeAttest with real crate
let attester = FakeSeAttest::default();
Expand All @@ -47,10 +45,8 @@ impl Verifier for SeVerifier {
let extra_params = attester.create(hkds, &certk, &signk, &arpk)
.await
.context("Create SE attestation request failed: {:?}")?;
Ok(Challenge {
nonce: String::from(nonce),
extra_params: BASE64_STANDARD.encode(extra_params),
})

Ok(BASE64_STANDARD.encode(extra_params))
}
}

Expand Down
9 changes: 3 additions & 6 deletions kbs/src/api/src/attestation/coco/builtin.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ use attestation_service::{
config::Config as AsConfig, policy_engine::SetPolicyInput, AttestationService, Data,
HashAlgorithm,
};
use kbs_types::{Attestation, Challenge, Tee};
use kbs_types::{Attestation, Tee};
use serde_json::json;
use tokio::sync::RwLock;

Expand Down Expand Up @@ -46,14 +46,11 @@ impl Attest for BuiltInCoCoAs {
.await
}

async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge> {
async fn generate_challenge_extra_params(&self, tee: Tee) -> Result<String> {
self.inner
.read()
.await
.generate_challenge(
tee,
nonce,
)
.generate_challenge_extra_params(tee)
.await
}
}
Expand Down
7 changes: 2 additions & 5 deletions kbs/src/api/src/attestation/coco/grpc.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -126,11 +126,8 @@ impl Attest for GrpcClientPool {
Ok(token)
}

async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge> {
Ok(Challenge {
nonce: String::from(nonce),
extra_params: String::new(),
})
async fn generate_challenge_extra_params(&self, tee: Tee) -> Result<String> {
String::new()
}
}

Expand Down
12 changes: 6 additions & 6 deletions kbs/src/api/src/attestation/mod.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ use attestation_service::config::Config as AsConfig;
use coco::grpc::*;
#[cfg(feature = "intel-trust-authority-as")]
use intel_trust_authority::*;
use kbs_types::{Challenge, Request, Tee};
use kbs_types::{Request, Tee};

#[cfg(feature = "coco-as")]
#[allow(missing_docs)]
Expand All @@ -34,7 +34,7 @@ pub trait Attest: Send + Sync {
async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result<String>;

/// generate the challenge payload to pass to attester based on Tee and nonce
async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge>;
async fn generate_challenge_extra_params(&self, tee: Tee) -> Result<String>;
}

/// Attestation Service
Expand Down Expand Up @@ -93,14 +93,14 @@ impl AttestationService {
}
}

pub async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge> {
pub async fn generate_challenge_extra_params(&self, tee: Tee) -> Result<String> {
match self {
#[cfg(feature = "coco-as-grpc")]
AttestationService::CoCoASgRPC(inner) => inner.generate_challenge(tee, nonce).await,
AttestationService::CoCoASgRPC(inner) => inner.generate_challenge_extra_params(tee).await,
#[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))]
AttestationService::CoCoASBuiltIn(inner) => inner.generate_challenge(tee, nonce).await,
AttestationService::CoCoASBuiltIn(inner) => inner.generate_challenge_extra_params(tee).await,
#[cfg(feature = "intel-trust-authority-as")]
AttestationService::IntelTA(inner) => inner.generate_challenge(tee, nonce).await,
AttestationService::IntelTA(inner) => inner.generate_challenge_extra_params(tee).await,
}
}
}
17 changes: 3 additions & 14 deletions kbs/src/api/src/http/attest.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,18 +10,8 @@ use anyhow::anyhow;
use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD};
use base64::Engine;
use log::{error, info};
use rand::{thread_rng, Rng};
use serde_json::json;

fn nonce() -> Result<String> {
let mut nonce: Vec<u8> = vec![0; 32];

thread_rng()
.try_fill(&mut nonce[..])
.map_err(anyhow::Error::from)?;

Ok(STANDARD.encode(&nonce))
}
use kbs_types::Challenge;

/// POST /auth
pub(crate) async fn auth(
Expand All @@ -32,12 +22,11 @@ pub(crate) async fn auth(
) -> Result<HttpResponse> {
info!("request: {:?}", &request);

let nonce = nonce()?;
let challenge = attestation_service.generate_challenge(request.tee, nonce.as_str())
let extra_params = attestation_service.generate_challenge_extra_params(request.tee)
.await
.unwrap();

let session = SessionStatus::auth(request.0, **timeout, &challenge)
let session = SessionStatus::auth(request.0, **timeout, extra_params)
.map_err(|e| Error::FailedAuthentication(format!("Session: {e}")))?;

let response = HttpResponse::Ok()
Expand Down
19 changes: 16 additions & 3 deletions kbs/src/api/src/session.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,24 @@ use actix_web::cookie::{
use anyhow::{bail, Result};
use base64::engine::general_purpose::STANDARD;
use base64::Engine;
use rand::{thread_rng, Rng};
use kbs_types::{Challenge, Request};
use log::warn;
// use rand::{thread_rng, Rng};
use semver::Version;
use uuid::Uuid;

pub(crate) static KBS_SESSION_ID: &str = "kbs-session-id";

fn nonce() -> Result<String> {
let mut nonce: Vec<u8> = vec![0; 32];

thread_rng()
.try_fill(&mut nonce[..])
.map_err(anyhow::Error::from)?;

Ok(STANDARD.encode(&nonce))
}

/// Finite State Machine model for RCAR handshake
pub(crate) enum SessionStatus {
Authed {
Expand Down Expand Up @@ -53,7 +63,7 @@ macro_rules! impl_member {
}

impl SessionStatus {
pub fn auth(request: Request, timeout: i64, challenge: &Challenge) -> Result<Self> {
pub fn auth(request: Request, timeout: i64, extra_params: String) -> Result<Self> {
let version = Version::parse(&request.version).map_err(anyhow::Error::from)?;
if !crate::VERSION_REQ.matches(&version) {
bail!("Invalid Request version {}", request.version);
Expand All @@ -64,7 +74,10 @@ impl SessionStatus {

Ok(Self::Authed {
request,
*challenge,
challenge: Challenge {
nonce: nonce()?,
extra_params: extra_params,
},
id,
timeout,
})
Expand Down

0 comments on commit 71280f2

Please sign in to comment.