Verifier: IBM SE add generate_challenge_extra_params
Signed-off-by: Qi Feng Huo <huoqif@cn.ibm.com>
Qi Feng Huo committed Mar 8, 2024
1 parent 52f0b09 commit 99c53c9
Showing 11 changed files with 76 additions and 76 deletions.
21 changes: 15 additions & 6 deletions Cargo.lock


6 changes: 3 additions & 3 deletions attestation-service/attestation-service/src/lib.rs
@@ -14,7 +14,7 @@ use crate::token::AttestationTokenBroker;

use anyhow::{anyhow, Context, Result};
use config::Config;
pub use kbs_types::{Attestation, Challenge, Tee};
pub use kbs_types::{Attestation, Tee};
use log::debug;
use policy_engine::{PolicyEngine, PolicyEngineType, SetPolicyInput};
use rvps::RvpsApi;
@@ -240,9 +240,9 @@ impl AttestationService {
self.rvps.verify_and_extract(message).await
}

pub async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge> {
pub async fn generate_challenge_extra_params(&self, tee: Tee) -> Result<String> {
let verifier = verifier::to_verifier(&tee)?;
verifier.generate_challenge(nonce).await
verifier.generate_challenge_extra_params().await
}
}

13 changes: 4 additions & 9 deletions attestation-service/verifier/src/lib.rs
@@ -2,7 +2,7 @@ use std::cmp::Ordering;

use anyhow::*;
use async_trait::async_trait;
use kbs_types::{Challenge, Tee};
use kbs_types::Tee;
use log::warn;

pub mod sample;
@@ -167,15 +167,10 @@ pub trait Verifier {
expected_init_data_hash: &InitDataHash,
) -> Result<TeeEvidenceParsedClaim>;

async fn generate_challenge(
async fn generate_challenge_extra_params(
&self,
nonce: &str,
) -> Result<Challenge> {

Ok(Challenge {
nonce: String::from(nonce),
extra_params: String::new(),
})
) -> Result<String> {
Ok(String::new())
}
}
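Review bot: The new `Verifier::generate_challenge_extra_params` default has no doc comment, and the signature alone does not say what the returned string is. The SE implementation in this commit returns base64 text while this default returns an empty string, so the comment should state both, e.g. `/// Returns TEE-specific challenge parameters as an opaque string; empty when the TEE needs none.` Since the nonce is no longer passed in, a verifier cannot tie these parameters to the session nonce; if a TEE needs that binding, it would have to be reintroduced here. The trait definition starts outside this section.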

16 changes: 6 additions & 10 deletions attestation-service/verifier/src/se/mod.rs
@@ -7,7 +7,6 @@ use super::*;
use async_trait::async_trait;
use anyhow::anyhow;
use base64::prelude::*;
use kbs_types::Challenge;
use crate::{InitDataHash, ReportData};
use crate::se::seattest::FakeSeAttest;
use crate::se::seattest::SeFakeVerifier;
@@ -31,10 +30,9 @@ impl Verifier for SeVerifier {
.map_err(|e| anyhow!("Se Verifier: {:?}", e))
}

async fn generate_challenge(
async fn generate_challenge_extra_params(
&self,
nonce: &str,
) -> Result<Challenge> {
) -> Result<String> {

// TODO replace FakeSeAttest with real crate
let attester = FakeSeAttest::default();
@@ -47,17 +45,15 @@ impl Verifier for SeVerifier {
let extra_params = attester.create(hkds, &certk, &signk, &arpk)
.await
.context("Create SE attestation request failed: {:?}")?;
Ok(Challenge {
nonce: String::from(nonce),
extra_params: BASE64_STANDARD.encode(extra_params),
})

Ok(BASE64_STANDARD.encode(extra_params))
}
}

async fn verify_evidence(
evidence: &[u8],
expected_report_data: &ReportData<'_>,
expected_init_data_hash: &InitDataHash<'_>,
_expected_report_data: &ReportData<'_>,
_expected_init_data_hash: &InitDataHash<'_>,
) -> Result<TeeEvidenceParsedClaim> {
// TODO replace FakeSeAttest with real crate
let attester = FakeSeAttest::default();
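Review bot: In `verify_evidence`, renaming the parameters to `_expected_report_data` and `_expected_init_data_hash` only silences the unused-variable warning; as far as this section shows, the SE path never compares the evidence with either expected value. Those values are what tie evidence to the session, so a verifier that skips them would presumably accept evidence produced for a different challenge once `FakeSeAttest` is replaced by the real crate. I would keep the original names so the warning stays visible, or add `// TODO(security): compare evidence against expected_report_data and expected_init_data_hash before enabling SE` above the attester call. The function body continues past the end of this section.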
28 changes: 14 additions & 14 deletions attestation-service/verifier/src/se/seattest.rs
@@ -13,37 +13,37 @@ pub struct FakeSeAttest {}
pub trait SeFakeVerifier {
async fn create(
&self,
hkdFiles: Vec<String>,
certFile: &String,
signingFile: &String,
arpkFile: &String,
_hkd_files: Vec<String>,
_cert_file: &String,

Check failure on line 17 in attestation-service/verifier/src/se/seattest.rs

GitHub Actions / Check

writing `&String` instead of `&str` involves a new object where a slice will do
_signing_file: &String,

Check failure on line 18 in attestation-service/verifier/src/se/seattest.rs

GitHub Actions / Check

writing `&String` instead of `&str` involves a new object where a slice will do
_arpk_file: &String,

Check failure on line 19 in attestation-service/verifier/src/se/seattest.rs

GitHub Actions / Check

writing `&String` instead of `&str` involves a new object where a slice will do
) -> Result<Vec<u8>>;

async fn verify(
&self,
evidence: &[u8],
arpkFile: &String,
hdr: &String,
_evidence: &[u8],
_arpk_file: &String,

Check failure on line 25 in attestation-service/verifier/src/se/seattest.rs

GitHub Actions / Check

writing `&String` instead of `&str` involves a new object where a slice will do
_hdr: &String,

Check failure on line 26 in attestation-service/verifier/src/se/seattest.rs

GitHub Actions / Check

writing `&String` instead of `&str` involves a new object where a slice will do
) -> Result<Vec<u8>>;
}

#[async_trait::async_trait]
impl SeFakeVerifier for FakeSeAttest {
async fn create(
&self,
hkdFiles: Vec<String>,
certFile: &String,
signingFile: &String,
arpkFile: &String,
_hkd_files: Vec<String>,
_cert_file: &String,
_signing_file: &String,
_arpk_file: &String,
) -> Result<Vec<u8>> {
Result::Ok(Vec::new())
}

async fn verify(
&self,
evidence: &[u8],
arpkFile: &String,
hdr: &String,
_evidence: &[u8],
_arpk_file: &String,
_hkd_files: &String,
) -> Result<Vec<u8>> {
Result::Ok(Vec::new())
}
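Review bot: The third parameter of `verify` is named `_hdr` in the `SeFakeVerifier` trait but `_hkd_files` in the `FakeSeAttest` impl, so the two signatures now describe different inputs. Rust does not require the names to match, which is why this compiles, but a reader of the impl would conclude that a list of files is passed where the trait says a header. I would write `_hdr: &String` in the impl as well. The underscore prefixes in the trait declaration are not needed, since bodiless trait methods raise no unused-parameter warning, and plain names such as `hkd_files`, `cert_file`, `signing_file` and `arpk_file` document the interface better there.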
9 changes: 3 additions & 6 deletions kbs/src/api/src/attestation/coco/builtin.rs
@@ -9,7 +9,7 @@ use attestation_service::{
config::Config as AsConfig, policy_engine::SetPolicyInput, AttestationService, Data,
HashAlgorithm,
};
use kbs_types::{Attestation, Challenge, Tee};
use kbs_types::{Attestation, Tee};
use serde_json::json;
use tokio::sync::RwLock;

@@ -46,14 +46,11 @@ impl Attest for BuiltInCoCoAs {
.await
}

async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge> {
async fn generate_challenge_extra_params(&self, tee: Tee) -> Result<String> {
self.inner
.read()
.await
.generate_challenge(
tee,
nonce,
)
.generate_challenge_extra_params(tee)
.await
}
}
7 changes: 2 additions & 5 deletions kbs/src/api/src/attestation/coco/grpc.rs
@@ -126,11 +126,8 @@ impl Attest for GrpcClientPool {
Ok(token)
}

async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge> {
Ok(Challenge {
nonce: String::from(nonce),
extra_params: String::new(),
})
async fn generate_challenge_extra_params(&self, tee: Tee) -> Result<String> {
Ok(String::new())
}
}
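Review bot: `generate_challenge_extra_params` in `GrpcClientPool` ignores `tee` and always returns an empty string, so a deployment that uses the gRPC attestation service hands the attester a challenge without the extra parameters that the built-in path produces for SE. The same applies to the `IntelTrustAuthority` impl added in this commit. If that is intended for now, say so in the body, e.g. `// TODO: forward to the remote AS; SE needs non-empty extra_params`, and rename the argument to `_tee` so the unused-variable warning does not fail the check job. Returning an error for TEEs that require extra parameters would fail closed instead of issuing an incomplete challenge.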

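--- a/kbs/src/api/src/attestation/intel_trust_authority/mod.rs
+++ b/kbs/src/api/src/attestation/intel_trust_authority/mod.rs
@@ -122,6 +122,10 @@ impl Attest for IntelTrustAuthority {
 
 Ok(resp_data.token.clone())
 }
+
+async fn generate_challenge_extra_params(&self, tee: Tee) -> Result<String> {
+Ok(String::new())
+}
 }
 
 impl IntelTrustAuthority {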
12 changes: 6 additions & 6 deletions kbs/src/api/src/attestation/mod.rs
@@ -10,7 +10,7 @@ use attestation_service::config::Config as AsConfig;
use coco::grpc::*;
#[cfg(feature = "intel-trust-authority-as")]
use intel_trust_authority::*;
use kbs_types::{Challenge, Request, Tee};
use kbs_types::Tee;

#[cfg(feature = "coco-as")]
#[allow(missing_docs)]
@@ -34,7 +34,7 @@ pub trait Attest: Send + Sync {
async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result<String>;

/// generate the challenge payload to pass to attester based on Tee and nonce
async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge>;
async fn generate_challenge_extra_params(&self, tee: Tee) -> Result<String>;
}

/// Attestation Service
@@ -93,14 +93,14 @@ impl AttestationService {
}
}

pub async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result<Challenge> {
pub async fn generate_challenge_extra_params(&self, tee: Tee) -> Result<String> {
match self {
#[cfg(feature = "coco-as-grpc")]
AttestationService::CoCoASgRPC(inner) => inner.generate_challenge(tee, nonce).await,
AttestationService::CoCoASgRPC(inner) => inner.generate_challenge_extra_params(tee).await,
#[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))]
AttestationService::CoCoASBuiltIn(inner) => inner.generate_challenge(tee, nonce).await,
AttestationService::CoCoASBuiltIn(inner) => inner.generate_challenge_extra_params(tee).await,
#[cfg(feature = "intel-trust-authority-as")]
AttestationService::IntelTA(inner) => inner.generate_challenge(tee, nonce).await,
AttestationService::IntelTA(inner) => inner.generate_challenge_extra_params(tee).await,
}
}
}
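Review bot: The doc comment kept above the `Attest` trait method, `/// generate the challenge payload to pass to attester based on Tee and nonce`, no longer matches `generate_challenge_extra_params(&self, tee: Tee) -> Result<String>`: there is no nonce argument and the result is only the extra-parameters string. I would change it to `/// Generate the TEE-specific extra parameters of the challenge; the nonce is created by the session layer.` The public `AttestationService::generate_challenge_extra_params` in the second hunk has no doc comment and could carry the same sentence.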
17 changes: 3 additions & 14 deletions kbs/src/api/src/http/attest.rs
@@ -10,18 +10,8 @@ use anyhow::anyhow;
use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD};
use base64::Engine;
use log::{error, info};
use rand::{thread_rng, Rng};
use serde_json::json;

fn nonce() -> Result<String> {
let mut nonce: Vec<u8> = vec![0; 32];

thread_rng()
.try_fill(&mut nonce[..])
.map_err(anyhow::Error::from)?;

Ok(STANDARD.encode(&nonce))
}
use kbs_types::Challenge;

/// POST /auth
pub(crate) async fn auth(
@@ -32,12 +22,11 @@ pub(crate) async fn auth(
) -> Result<HttpResponse> {
info!("request: {:?}", &request);

let nonce = nonce()?;
let challenge = attestation_service.generate_challenge(request.tee, nonce.as_str())
let extra_params = attestation_service.generate_challenge_extra_params(request.tee)
.await
.unwrap();

let session = SessionStatus::auth(request.0, **timeout, &challenge)
let session = SessionStatus::auth(request.0, **timeout, extra_params)
.map_err(|e| Error::FailedAuthentication(format!("Session: {e}")))?;

let response = HttpResponse::Ok()
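Review bot: The `.unwrap()` after `generate_challenge_extra_params(request.tee).await` in `auth` turns any verifier error into a panic inside the request handler. `request.tee` comes from the client and the call can fail (the SE implementation in this commit returns an error when creating the attestation request fails), so the panic is reachable before any authentication has happened. Map the error the way the next statement does: `.map_err(|e| Error::FailedAuthentication(format!("generate challenge params: {e}")))?;`. The body of `auth` continues outside this section.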
19 changes: 16 additions & 3 deletions kbs/src/api/src/session.rs
@@ -9,14 +9,24 @@ use actix_web::cookie::{
use anyhow::{bail, Result};
use base64::engine::general_purpose::STANDARD;
use base64::Engine;
use rand::{thread_rng, Rng};
use kbs_types::{Challenge, Request};
use log::warn;
// use rand::{thread_rng, Rng};
use semver::Version;
use uuid::Uuid;

pub(crate) static KBS_SESSION_ID: &str = "kbs-session-id";

fn nonce() -> Result<String> {
let mut nonce: Vec<u8> = vec![0; 32];

thread_rng()
.try_fill(&mut nonce[..])
.map_err(anyhow::Error::from)?;

Ok(STANDARD.encode(&nonce))
}

/// Finite State Machine model for RCAR handshake
pub(crate) enum SessionStatus {
Authed {
@@ -53,7 +63,7 @@ macro_rules! impl_member {
}

impl SessionStatus {
pub fn auth(request: Request, timeout: i64, challenge: &Challenge) -> Result<Self> {
pub fn auth(request: Request, timeout: i64, extra_params: String) -> Result<Self> {
let version = Version::parse(&request.version).map_err(anyhow::Error::from)?;
if !crate::VERSION_REQ.matches(&version) {
bail!("Invalid Request version {}", request.version);
@@ -64,7 +74,10 @@ impl SessionStatus {

Ok(Self::Authed {
request,
*challenge,
challenge: Challenge {
nonce: nonce()?,
extra_params: extra_params,
},
id,
timeout,
})
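Review bot: `nonce()` now lives in session.rs without a doc comment, although it produces the freshness value of the handshake. I would add `/// Returns 32 random bytes from thread_rng(), base64 (standard) encoded, used as the challenge nonce.` above it. In the `Authed` initializer, `extra_params: extra_params,` can be written with field-init shorthand as `extra_params,`.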
