From 71280f2c7fdf0e85e1a303df94f1ff0ad1edb1ed Mon Sep 17 00:00:00 2001 From: Qi Feng Huo Date: Thu, 7 Mar 2024 16:54:47 +0800 Subject: [PATCH] Verifier: IBM SE add generate_challenge_extra_params Signed-off-by: Qi Feng Huo --- .../attestation-service/src/lib.rs | 6 +++--- attestation-service/verifier/src/lib.rs | 13 ++++--------- attestation-service/verifier/src/se/mod.rs | 12 ++++-------- kbs/src/api/src/attestation/coco/builtin.rs | 9 +++------ kbs/src/api/src/attestation/coco/grpc.rs | 7 ++----- kbs/src/api/src/attestation/mod.rs | 12 ++++++------ kbs/src/api/src/http/attest.rs | 17 +++-------------- kbs/src/api/src/session.rs | 19 ++++++++++++++++--- 8 files changed, 41 insertions(+), 54 deletions(-) diff --git a/attestation-service/attestation-service/src/lib.rs b/attestation-service/attestation-service/src/lib.rs index b420ddd12e..901abed2e7 100644 --- a/attestation-service/attestation-service/src/lib.rs +++ b/attestation-service/attestation-service/src/lib.rs @@ -14,7 +14,7 @@ use crate::token::AttestationTokenBroker; use anyhow::{anyhow, Context, Result}; use config::Config; -pub use kbs_types::{Attestation, Challenge, Tee}; +pub use kbs_types::{Attestation, Tee}; use log::debug; use policy_engine::{PolicyEngine, PolicyEngineType, SetPolicyInput}; use rvps::RvpsApi; @@ -240,9 +240,9 @@ impl AttestationService { self.rvps.verify_and_extract(message).await } - pub async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result { + pub async fn generate_challenge_extra_params(&self, tee: Tee) -> Result { let verifier = verifier::to_verifier(&tee)?; - verifier.generate_challenge(nonce).await + verifier.generate_challenge_extra_params().await } } diff --git a/attestation-service/verifier/src/lib.rs b/attestation-service/verifier/src/lib.rs index 1a26e1b8a1..d5618d47ac 100644 --- a/attestation-service/verifier/src/lib.rs +++ b/attestation-service/verifier/src/lib.rs @@ -2,7 +2,7 @@ use std::cmp::Ordering; use anyhow::*; use async_trait::async_trait; -use kbs_types::{Challenge, Tee}; +use kbs_types::Tee; use log::warn; pub mod sample; @@ -167,15 +167,10 @@ pub trait Verifier { expected_init_data_hash: &InitDataHash, ) -> Result; - async fn generate_challenge( + async fn generate_challenge_extra_params( &self, - nonce: &str, - ) -> Result { - - Ok(Challenge { - nonce: String::from(nonce), - extra_params: String::new(), - }) + ) -> Result { + Ok(String::new()) } } diff --git a/attestation-service/verifier/src/se/mod.rs b/attestation-service/verifier/src/se/mod.rs index 5309eade66..20f3a78485 100644 --- a/attestation-service/verifier/src/se/mod.rs +++ b/attestation-service/verifier/src/se/mod.rs @@ -7,7 +7,6 @@ use super::*; use async_trait::async_trait; use anyhow::anyhow; use base64::prelude::*; -use kbs_types::Challenge; use crate::{InitDataHash, ReportData}; use crate::se::seattest::FakeSeAttest; use crate::se::seattest::SeFakeVerifier; @@ -31,10 +30,9 @@ impl Verifier for SeVerifier { .map_err(|e| anyhow!("Se Verifier: {:?}", e)) } - async fn generate_challenge( + async fn generate_challenge_extra_params( &self, - nonce: &str, - ) -> Result { + ) -> Result { // TODO replace FakeSeAttest with real crate let attester = FakeSeAttest::default(); @@ -47,10 +45,8 @@ impl Verifier for SeVerifier { let extra_params = attester.create(hkds, &certk, &signk, &arpk) .await .context("Create SE attestation request failed: {:?}")?; - Ok(Challenge { - nonce: String::from(nonce), - extra_params: BASE64_STANDARD.encode(extra_params), - }) + + Ok(BASE64_STANDARD.encode(extra_params)) } } diff --git a/kbs/src/api/src/attestation/coco/builtin.rs b/kbs/src/api/src/attestation/coco/builtin.rs index 3d4bf0309c..b9d017f60e 100644 --- a/kbs/src/api/src/attestation/coco/builtin.rs +++ b/kbs/src/api/src/attestation/coco/builtin.rs @@ -9,7 +9,7 @@ use attestation_service::{ config::Config as AsConfig, policy_engine::SetPolicyInput, AttestationService, Data, HashAlgorithm, }; -use kbs_types::{Attestation, Challenge, Tee}; +use kbs_types::{Attestation, Tee}; use serde_json::json; use tokio::sync::RwLock; @@ -46,14 +46,11 @@ impl Attest for BuiltInCoCoAs { .await } - async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result { + async fn generate_challenge_extra_params(&self, tee: Tee) -> Result { self.inner .read() .await - .generate_challenge( - tee, - nonce, - ) + .generate_challenge_extra_params(tee) .await } } diff --git a/kbs/src/api/src/attestation/coco/grpc.rs b/kbs/src/api/src/attestation/coco/grpc.rs index 166905d777..90ca990c9b 100644 --- a/kbs/src/api/src/attestation/coco/grpc.rs +++ b/kbs/src/api/src/attestation/coco/grpc.rs @@ -126,11 +126,8 @@ impl Attest for GrpcClientPool { Ok(token) } - async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result { - Ok(Challenge { - nonce: String::from(nonce), - extra_params: String::new(), - }) + async fn generate_challenge_extra_params(&self, tee: Tee) -> Result { + String::new() } } diff --git a/kbs/src/api/src/attestation/mod.rs b/kbs/src/api/src/attestation/mod.rs index d229119352..059d698a85 100644 --- a/kbs/src/api/src/attestation/mod.rs +++ b/kbs/src/api/src/attestation/mod.rs @@ -10,7 +10,7 @@ use attestation_service::config::Config as AsConfig; use coco::grpc::*; #[cfg(feature = "intel-trust-authority-as")] use intel_trust_authority::*; -use kbs_types::{Challenge, Request, Tee}; +use kbs_types::{Request, Tee}; #[cfg(feature = "coco-as")] #[allow(missing_docs)] @@ -34,7 +34,7 @@ pub trait Attest: Send + Sync { async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result; /// generate the challenge payload to pass to attester based on Tee and nonce - async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result; + async fn generate_challenge_extra_params(&self, tee: Tee) -> Result; } /// Attestation Service @@ -93,14 +93,14 @@ impl AttestationService { } } - pub async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result { + pub async fn generate_challenge_extra_params(&self, tee: Tee) -> Result { match self { #[cfg(feature = "coco-as-grpc")] - AttestationService::CoCoASgRPC(inner) => inner.generate_challenge(tee, nonce).await, + AttestationService::CoCoASgRPC(inner) => inner.generate_challenge_extra_params(tee).await, #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] - AttestationService::CoCoASBuiltIn(inner) => inner.generate_challenge(tee, nonce).await, + AttestationService::CoCoASBuiltIn(inner) => inner.generate_challenge_extra_params(tee).await, #[cfg(feature = "intel-trust-authority-as")] - AttestationService::IntelTA(inner) => inner.generate_challenge(tee, nonce).await, + AttestationService::IntelTA(inner) => inner.generate_challenge_extra_params(tee).await, } } } diff --git a/kbs/src/api/src/http/attest.rs b/kbs/src/api/src/http/attest.rs index 122da410c9..3ba3ab430b 100644 --- a/kbs/src/api/src/http/attest.rs +++ b/kbs/src/api/src/http/attest.rs @@ -10,18 +10,8 @@ use anyhow::anyhow; use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD}; use base64::Engine; use log::{error, info}; -use rand::{thread_rng, Rng}; use serde_json::json; - -fn nonce() -> Result { - let mut nonce: Vec = vec![0; 32]; - - thread_rng() - .try_fill(&mut nonce[..]) - .map_err(anyhow::Error::from)?; - - Ok(STANDARD.encode(&nonce)) -} +use kbs_types::Challenge; /// POST /auth pub(crate) async fn auth( @@ -32,12 +22,11 @@ pub(crate) async fn auth( ) -> Result { info!("request: {:?}", &request); - let nonce = nonce()?; - let challenge = attestation_service.generate_challenge(request.tee, nonce.as_str()) + let extra_params = attestation_service.generate_challenge_extra_params(request.tee) .await .unwrap(); - let session = SessionStatus::auth(request.0, **timeout, &challenge) + let session = SessionStatus::auth(request.0, **timeout, extra_params) .map_err(|e| Error::FailedAuthentication(format!("Session: {e}")))?; let response = HttpResponse::Ok() diff --git a/kbs/src/api/src/session.rs b/kbs/src/api/src/session.rs index 44b8cc5436..758fbe13c8 100644 --- a/kbs/src/api/src/session.rs +++ b/kbs/src/api/src/session.rs @@ -9,14 +9,24 @@ use actix_web::cookie::{ use anyhow::{bail, Result}; use base64::engine::general_purpose::STANDARD; use base64::Engine; +use rand::{thread_rng, Rng}; use kbs_types::{Challenge, Request}; use log::warn; -// use rand::{thread_rng, Rng}; use semver::Version; use uuid::Uuid; pub(crate) static KBS_SESSION_ID: &str = "kbs-session-id"; +fn nonce() -> Result { + let mut nonce: Vec = vec![0; 32]; + + thread_rng() + .try_fill(&mut nonce[..]) + .map_err(anyhow::Error::from)?; + + Ok(STANDARD.encode(&nonce)) +} + /// Finite State Machine model for RCAR handshake pub(crate) enum SessionStatus { Authed { @@ -53,7 +63,7 @@ macro_rules! impl_member { } impl SessionStatus { - pub fn auth(request: Request, timeout: i64, challenge: &Challenge) -> Result { + pub fn auth(request: Request, timeout: i64, extra_params: String) -> Result { let version = Version::parse(&request.version).map_err(anyhow::Error::from)?; if !crate::VERSION_REQ.matches(&version) { bail!("Invalid Request version {}", request.version); @@ -64,7 +74,10 @@ impl SessionStatus { Ok(Self::Authed { request, - *challenge, + challenge: Challenge { + nonce: nonce()?, + extra_params: extra_params, + }, id, timeout, })