diff --git a/Cargo.lock b/Cargo.lock index 4029bcd158..49db2ea53d 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -412,7 +412,7 @@ dependencies = [ "env_logger 0.10.2", "jsonwebtoken", "jwt-simple", - "kbs-types", + "kbs-types 0.5.3 (git+https://github.com/huoqifeng/kbs-types.git?branch=s390x-se)", "lazy_static", "log", "mobc", @@ -535,7 +535,7 @@ dependencies = [ "env_logger 0.10.2", "futures", "hex", - "kbs-types", + "kbs-types 0.5.3 (git+https://github.com/huoqifeng/kbs-types.git?branch=s390x-se)", "lazy_static", "log", "openssl", @@ -575,7 +575,7 @@ dependencies = [ "csv-rs", "hyper", "hyper-tls", - "kbs-types", + "kbs-types 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)", "log", "nix", "occlum_dcap", @@ -1283,7 +1283,7 @@ dependencies = [ "anyhow", "base64 0.21.7", "ctr", - "kbs-types", + "kbs-types 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)", "rand", "rsa 0.9.6", "serde", @@ -2429,6 +2429,15 @@ dependencies = [ "serde_json", ] +[[package]] +name = "kbs-types" +version = "0.5.3" +source = "git+https://github.com/huoqifeng/kbs-types.git?branch=s390x-se#681d9ea3bea0e4465d67f004234f628dbced1007" +dependencies = [ + "serde", + "serde_json", +] + [[package]] name = "kbs_protocol" version = "0.1.0" @@ -2440,7 +2449,7 @@ dependencies = [ "base64 0.21.7", "crypto", "jwt-simple", - "kbs-types", + "kbs-types 0.5.3 (registry+https://github.com/rust-lang/crates.io-index)", "log", "reqwest", "resource_uri", @@ -5276,7 +5285,7 @@ dependencies = [ "eventlog-rs", "hex", "jsonwebtoken", - "kbs-types", + "kbs-types 0.5.3 (git+https://github.com/huoqifeng/kbs-types.git?branch=s390x-se)", "log", "openssl", "rstest", diff --git a/attestation-service/attestation-service/src/lib.rs b/attestation-service/attestation-service/src/lib.rs index b420ddd12e..901abed2e7 100644 --- a/attestation-service/attestation-service/src/lib.rs +++ b/attestation-service/attestation-service/src/lib.rs @@ -14,7 +14,7 @@ use crate::token::AttestationTokenBroker; use anyhow::{anyhow, Context, Result}; use config::Config; -pub use kbs_types::{Attestation, Challenge, Tee}; +pub use kbs_types::{Attestation, Tee}; use log::debug; use policy_engine::{PolicyEngine, PolicyEngineType, SetPolicyInput}; use rvps::RvpsApi; @@ -240,9 +240,9 @@ impl AttestationService { self.rvps.verify_and_extract(message).await } - pub async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result { + pub async fn generate_challenge_extra_params(&self, tee: Tee) -> Result { let verifier = verifier::to_verifier(&tee)?; - verifier.generate_challenge(nonce).await + verifier.generate_challenge_extra_params().await } } diff --git a/attestation-service/verifier/src/lib.rs b/attestation-service/verifier/src/lib.rs index 1a26e1b8a1..d5618d47ac 100644 --- a/attestation-service/verifier/src/lib.rs +++ b/attestation-service/verifier/src/lib.rs @@ -2,7 +2,7 @@ use std::cmp::Ordering; use anyhow::*; use async_trait::async_trait; -use kbs_types::{Challenge, Tee}; +use kbs_types::Tee; use log::warn; pub mod sample; @@ -167,15 +167,10 @@ pub trait Verifier { expected_init_data_hash: &InitDataHash, ) -> Result; - async fn generate_challenge( + async fn generate_challenge_extra_params( &self, - nonce: &str, - ) -> Result { - - Ok(Challenge { - nonce: String::from(nonce), - extra_params: String::new(), - }) + ) -> Result { + Ok(String::new()) } } diff --git a/attestation-service/verifier/src/se/mod.rs b/attestation-service/verifier/src/se/mod.rs index 5309eade66..20f3a78485 100644 --- a/attestation-service/verifier/src/se/mod.rs +++ b/attestation-service/verifier/src/se/mod.rs @@ -7,7 +7,6 @@ use super::*; use async_trait::async_trait; use anyhow::anyhow; use base64::prelude::*; -use kbs_types::Challenge; use crate::{InitDataHash, ReportData}; use crate::se::seattest::FakeSeAttest; use crate::se::seattest::SeFakeVerifier; @@ -31,10 +30,9 @@ impl Verifier for SeVerifier { .map_err(|e| anyhow!("Se Verifier: {:?}", e)) } - async fn generate_challenge( + async fn generate_challenge_extra_params( &self, - nonce: &str, - ) -> Result { + ) -> Result { // TODO replace FakeSeAttest with real crate let attester = FakeSeAttest::default(); @@ -47,10 +45,8 @@ impl Verifier for SeVerifier { let extra_params = attester.create(hkds, &certk, &signk, &arpk) .await .context("Create SE attestation request failed: {:?}")?; - Ok(Challenge { - nonce: String::from(nonce), - extra_params: BASE64_STANDARD.encode(extra_params), - }) + + Ok(BASE64_STANDARD.encode(extra_params)) } } diff --git a/kbs/src/api/src/attestation/coco/builtin.rs b/kbs/src/api/src/attestation/coco/builtin.rs index 3d4bf0309c..b9d017f60e 100644 --- a/kbs/src/api/src/attestation/coco/builtin.rs +++ b/kbs/src/api/src/attestation/coco/builtin.rs @@ -9,7 +9,7 @@ use attestation_service::{ config::Config as AsConfig, policy_engine::SetPolicyInput, AttestationService, Data, HashAlgorithm, }; -use kbs_types::{Attestation, Challenge, Tee}; +use kbs_types::{Attestation, Tee}; use serde_json::json; use tokio::sync::RwLock; @@ -46,14 +46,11 @@ impl Attest for BuiltInCoCoAs { .await } - async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result { + async fn generate_challenge_extra_params(&self, tee: Tee) -> Result { self.inner .read() .await - .generate_challenge( - tee, - nonce, - ) + .generate_challenge_extra_params(tee) .await } } diff --git a/kbs/src/api/src/attestation/coco/grpc.rs b/kbs/src/api/src/attestation/coco/grpc.rs index 166905d777..a76f08bbd3 100644 --- a/kbs/src/api/src/attestation/coco/grpc.rs +++ b/kbs/src/api/src/attestation/coco/grpc.rs @@ -126,11 +126,8 @@ impl Attest for GrpcClientPool { Ok(token) } - async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result { - Ok(Challenge { - nonce: String::from(nonce), - extra_params: String::new(), - }) + async fn generate_challenge_extra_params(&self, tee: Tee) -> Result { + Ok(String::new()) } } diff --git a/kbs/src/api/src/attestation/intel_trust_authority/mod.rs b/kbs/src/api/src/attestation/intel_trust_authority/mod.rs index f77d51a0a7..698961c5bc 100644 --- a/kbs/src/api/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/api/src/attestation/intel_trust_authority/mod.rs @@ -122,6 +122,10 @@ impl Attest for IntelTrustAuthority { Ok(resp_data.token.clone()) } + + async fn generate_challenge_extra_params(&self, tee: Tee) -> Result { + Ok(String::new()) + } } impl IntelTrustAuthority { diff --git a/kbs/src/api/src/attestation/mod.rs b/kbs/src/api/src/attestation/mod.rs index d229119352..059d698a85 100644 --- a/kbs/src/api/src/attestation/mod.rs +++ b/kbs/src/api/src/attestation/mod.rs @@ -10,7 +10,7 @@ use attestation_service::config::Config as AsConfig; use coco::grpc::*; #[cfg(feature = "intel-trust-authority-as")] use intel_trust_authority::*; -use kbs_types::{Challenge, Request, Tee}; +use kbs_types::{Request, Tee}; #[cfg(feature = "coco-as")] #[allow(missing_docs)] @@ -34,7 +34,7 @@ pub trait Attest: Send + Sync { async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result; /// generate the challenge payload to pass to attester based on Tee and nonce - async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result; + async fn generate_challenge_extra_params(&self, tee: Tee) -> Result; } /// Attestation Service @@ -93,14 +93,14 @@ impl AttestationService { } } - pub async fn generate_challenge(&self, tee: Tee, nonce: &str) -> Result { + pub async fn generate_challenge_extra_params(&self, tee: Tee) -> Result { match self { #[cfg(feature = "coco-as-grpc")] - AttestationService::CoCoASgRPC(inner) => inner.generate_challenge(tee, nonce).await, + AttestationService::CoCoASgRPC(inner) => inner.generate_challenge_extra_params(tee).await, #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] - AttestationService::CoCoASBuiltIn(inner) => inner.generate_challenge(tee, nonce).await, + AttestationService::CoCoASBuiltIn(inner) => inner.generate_challenge_extra_params(tee).await, #[cfg(feature = "intel-trust-authority-as")] - AttestationService::IntelTA(inner) => inner.generate_challenge(tee, nonce).await, + AttestationService::IntelTA(inner) => inner.generate_challenge_extra_params(tee).await, } } } diff --git a/kbs/src/api/src/http/attest.rs b/kbs/src/api/src/http/attest.rs index 122da410c9..3ba3ab430b 100644 --- a/kbs/src/api/src/http/attest.rs +++ b/kbs/src/api/src/http/attest.rs @@ -10,18 +10,8 @@ use anyhow::anyhow; use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD}; use base64::Engine; use log::{error, info}; -use rand::{thread_rng, Rng}; use serde_json::json; - -fn nonce() -> Result { - let mut nonce: Vec = vec![0; 32]; - - thread_rng() - .try_fill(&mut nonce[..]) - .map_err(anyhow::Error::from)?; - - Ok(STANDARD.encode(&nonce)) -} +use kbs_types::Challenge; /// POST /auth pub(crate) async fn auth( @@ -32,12 +22,11 @@ pub(crate) async fn auth( ) -> Result { info!("request: {:?}", &request); - let nonce = nonce()?; - let challenge = attestation_service.generate_challenge(request.tee, nonce.as_str()) + let extra_params = attestation_service.generate_challenge_extra_params(request.tee) .await .unwrap(); - let session = SessionStatus::auth(request.0, **timeout, &challenge) + let session = SessionStatus::auth(request.0, **timeout, extra_params) .map_err(|e| Error::FailedAuthentication(format!("Session: {e}")))?; let response = HttpResponse::Ok() diff --git a/kbs/src/api/src/session.rs b/kbs/src/api/src/session.rs index 44b8cc5436..758fbe13c8 100644 --- a/kbs/src/api/src/session.rs +++ b/kbs/src/api/src/session.rs @@ -9,14 +9,24 @@ use actix_web::cookie::{ use anyhow::{bail, Result}; use base64::engine::general_purpose::STANDARD; use base64::Engine; +use rand::{thread_rng, Rng}; use kbs_types::{Challenge, Request}; use log::warn; -// use rand::{thread_rng, Rng}; use semver::Version; use uuid::Uuid; pub(crate) static KBS_SESSION_ID: &str = "kbs-session-id"; +fn nonce() -> Result { + let mut nonce: Vec = vec![0; 32]; + + thread_rng() + .try_fill(&mut nonce[..]) + .map_err(anyhow::Error::from)?; + + Ok(STANDARD.encode(&nonce)) +} + /// Finite State Machine model for RCAR handshake pub(crate) enum SessionStatus { Authed { @@ -53,7 +63,7 @@ macro_rules! impl_member { } impl SessionStatus { - pub fn auth(request: Request, timeout: i64, challenge: &Challenge) -> Result { + pub fn auth(request: Request, timeout: i64, extra_params: String) -> Result { let version = Version::parse(&request.version).map_err(anyhow::Error::from)?; if !crate::VERSION_REQ.matches(&version) { bail!("Invalid Request version {}", request.version); @@ -64,7 +74,10 @@ impl SessionStatus { Ok(Self::Authed { request, - *challenge, + challenge: Challenge { + nonce: nonce()?, + extra_params: extra_params, + }, id, timeout, })