From 4d04f737ea42fb5eda97202ca7dde27ba8f1587e Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Thu, 8 Aug 2024 15:07:35 +0300 Subject: [PATCH 1/3] kbs: token: drop unused impl Display for tokenverifier Signed-off-by: Mikko Ylinen --- kbs/src/token/mod.rs | 7 ------- 1 file changed, 7 deletions(-) diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index a448daa17..d33a2af92 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs @@ -5,7 +5,6 @@ use anyhow::*; use async_trait::async_trait; use serde::Deserialize; -use std::fmt; use std::sync::Arc; use strum::EnumString; use tokio::sync::RwLock; @@ -51,9 +50,3 @@ pub fn create_token_verifier( as Arc>), } } - -impl fmt::Display for AttestationTokenVerifierType { - fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result { - write!(f, "{:?}", self) - } -} From 4e40278353f6ec38ab67c7742fd2cc7d7887bf3d Mon Sep 17 00:00:00 2001 From: Mikko Ylinen Date: Wed, 28 Aug 2024 11:17:22 +0300 Subject: [PATCH 2/3] kbs: token: Derive Default for AttestationTokenVerifierType Signed-off-by: Mikko Ylinen --- kbs/src/token/mod.rs | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index d33a2af92..006731b29 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs @@ -18,13 +18,15 @@ pub trait AttestationTokenVerifier { async fn verify(&self, token: String) -> Result; } -#[derive(Deserialize, Debug, Clone, EnumString)] +#[derive(Deserialize, Default, Debug, Clone, EnumString)] pub enum AttestationTokenVerifierType { + #[default] CoCo, } #[derive(Deserialize, Debug, Clone)] pub struct AttestationTokenVerifierConfig { + #[serde(default)] pub attestation_token_type: AttestationTokenVerifierType, // Trusted Certificates file (PEM format) path to verify Attestation Token Signature. From 9eee06b0884734075bd15909ce6d57c66d653d24 Mon Sep 17 00:00:00 2001 
From: Mikko Ylinen Date: Wed, 28 Aug 2024 11:22:03 +0300 Subject: [PATCH 3/3] kbs: token: drop Option from trusted cert fields The defaults for AttestationTokenVerifierConfig are now automatically generated so the impl Default can be dropped. Signed-off-by: Mikko Ylinen --- kbs/src/token/coco.rs | 47 +++++++++++++++++++++++++------------------ kbs/src/token/mod.rs | 12 ++--------- 2 files changed, 29 insertions(+), 30 deletions(-) diff --git a/kbs/src/token/coco.rs b/kbs/src/token/coco.rs index fc9979026..73316099b 100644 --- a/kbs/src/token/coco.rs +++ b/kbs/src/token/coco.rs @@ -7,6 +7,7 @@ use anyhow::*; use async_trait::async_trait; use base64::engine::general_purpose::URL_SAFE_NO_PAD; use base64::Engine; +use log::warn; use openssl::hash::MessageDigest; use openssl::pkey::PKey; use openssl::rsa::Rsa; 
@@ -17,26 +18,29 @@ use openssl::x509::{X509StoreContext, X509}; use serde_json::Value; pub struct CoCoAttestationTokenVerifier { - trusted_certs: Option, + trusted_certs: X509Store, } impl CoCoAttestationTokenVerifier { pub fn new(config: &AttestationTokenVerifierConfig) -> Result { - let trusted_certs = match &config.trusted_certs_paths { - Some(paths) => { - let mut store_builder = X509StoreBuilder::new()?; - for path in paths { - let trust_cert_pem = std::fs::read(path) - .map_err(|e| anyhow!("Load trusted certificate failed: {e}"))?; - let trust_cert = X509::from_pem(&trust_cert_pem)?; - store_builder.add_cert(trust_cert.to_owned())?; - } - Some(store_builder.build()) - } - None => None, - }; + let mut store_builder = X509StoreBuilder::new()?; + + // check all files in trusted_certs_paths but don't exit (only warn). + // the result can be an empty trust store. + for path in &config.trusted_certs_paths { + std::fs::read(path).map_or_else( + |e| warn!("Failed to read trusted certificate: {e}"), + |pem| { + let _ = X509::from_pem(&pem) + .and_then(|certs| store_builder.add_cert(certs.to_owned())) + .map_err(|e| warn!("Failed to add certificate to trust store: {e}")); + }, + ); + } - Ok(Self { trusted_certs }) + Ok(Self { + trusted_certs: store_builder.build(), + }) } } @@ -90,8 +94,8 @@ impl AttestationTokenVerifier for CoCoAttestationTokenVerifier { } } - let Some(trusted_store) = &self.trusted_certs else { - log::warn!("No Trusted Certificate in Config, skip verification of JWK cert of Attestation Token"); + if self.trusted_certs.all_certificates().is_empty() { + warn!("No Trusted Certificate in Config, skip verification of JWK cert of Attestation Token"); return Ok(serde_json::to_string(&claims_value)?); }; 
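Review bot: A configured trust anchor that fails to load now silently disables certificate verification: in `new` the read and parse errors are only logged, and the `all_certificates().is_empty()` branch in the `verify` hunk below then returns the claims without checking the JWK certificate chain. Before this change an unreadable path was a construction error, so a typo or a permission problem in `trusted_certs_paths` could not end in tokens being accepted with an unvalidated chain. I would keep an empty `trusted_certs_paths` as the only way to get an empty store and propagate load errors from `new`, as sketched below. Separately, `X509::from_pem` reads only the first certificate in a file; `X509::stack_from_pem` would cover bundles if those are expected.

```rust
// inside CoCoAttestationTokenVerifier::new
let mut store_builder = X509StoreBuilder::new()?;

// A configured path that cannot be loaded is a startup error; only an
// empty trusted_certs_paths may produce an empty trust store.
for path in &config.trusted_certs_paths {
    let pem = std::fs::read(path)
        .map_err(|e| anyhow!("Failed to read trusted certificate: {e}"))?;
    let cert = X509::from_pem(&pem)
        .map_err(|e| anyhow!("Failed to parse trusted certificate: {e}"))?;
    store_builder.add_cert(cert)?;
}
// … unchanged: Ok(Self { trusted_certs: store_builder.build() }) …
```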
@@ -116,9 +120,12 @@ impl AttestationTokenVerifier for CoCoAttestationTokenVerifier { untrusted_stack.push(cert.clone())?; } let mut context = X509StoreContext::new()?; - if !context.init(trusted_store, &cert_chain[0], &untrusted_stack, |ctx| { - ctx.verify_cert() - })? { + if !context.init( + &self.trusted_certs, + &cert_chain[0], + &untrusted_stack, + |ctx| ctx.verify_cert(), + )? { bail!("Untrusted certificate in Attestation Token JWK"); }; diff --git a/kbs/src/token/mod.rs b/kbs/src/token/mod.rs index 006731b29..b0160ded3 100644 --- a/kbs/src/token/mod.rs +++ b/kbs/src/token/mod.rs @@ -30,16 +30,8 @@ pub struct AttestationTokenVerifierConfig { pub attestation_token_type: AttestationTokenVerifierType, // Trusted Certificates file (PEM format) path to verify Attestation Token Signature. - pub trusted_certs_paths: Option>, -} - -impl Default for AttestationTokenVerifierConfig { - fn default() -> Self { - Self { - attestation_token_type: AttestationTokenVerifierType::CoCo, - trusted_certs_paths: None, - } - } + #[serde(default)] + pub trusted_certs_paths: Vec, } pub fn create_token_verifier(
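Review bot: The comment on `trusted_certs_paths` in `mod.rs` should say what an empty list means, because with `#[serde(default)]` an omitted key now deserializes to an empty list and the verifier in `coco.rs` skips the JWK certificate check in that case. A line such as `// Empty (the default) means the JWK certificate chain of the token is NOT verified.` would make that fail-open default visible on the config type. Also, the struct's derive list lies outside this hunk and, as of patch 2, reads `#[derive(Deserialize, Debug, Clone)]`; if any caller still uses `AttestationTokenVerifierConfig::default()`, the removed impl needs a derived `Default` in its place.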