kbs: token: configuration cleanup #483

Merged
merged 3 commits into from
Aug 29, 2024
Merged
47 changes: 27 additions & 20 deletions kbs/src/token/coco.rs
Expand Up @@ -7,6 +7,7 @@ use anyhow::*;
use async_trait::async_trait;
use base64::engine::general_purpose::URL_SAFE_NO_PAD;
use base64::Engine;
use log::warn;
use openssl::hash::MessageDigest;
use openssl::pkey::PKey;
use openssl::rsa::Rsa;
Expand All @@ -17,26 +18,29 @@ use openssl::x509::{X509StoreContext, X509};
use serde_json::Value;

pub struct CoCoAttestationTokenVerifier {
trusted_certs: Option<X509Store>,
trusted_certs: X509Store,
}

impl CoCoAttestationTokenVerifier {
pub fn new(config: &AttestationTokenVerifierConfig) -> Result<Self> {
let trusted_certs = match &config.trusted_certs_paths {
Some(paths) => {
let mut store_builder = X509StoreBuilder::new()?;
for path in paths {
let trust_cert_pem = std::fs::read(path)
.map_err(|e| anyhow!("Load trusted certificate failed: {e}"))?;
let trust_cert = X509::from_pem(&trust_cert_pem)?;
store_builder.add_cert(trust_cert.to_owned())?;
}
Some(store_builder.build())
}
None => None,
};
let mut store_builder = X509StoreBuilder::new()?;

// check all files in trusted_certs_paths but don't exit (only warn).
// the result can be an empty trust store.
for path in &config.trusted_certs_paths {
std::fs::read(path).map_or_else(
|e| warn!("Failed to read trusted certificate: {e}"),
|pem| {
let _ = X509::from_pem(&pem)
.and_then(|certs| store_builder.add_cert(certs.to_owned()))
.map_err(|e| warn!("Failed to add certificate to trust store: {e}"));
},
);
}

Ok(Self { trusted_certs })
Ok(Self {
trusted_certs: store_builder.build(),
})
}
}

Expand Down Expand Up @@ -90,8 +94,8 @@ impl AttestationTokenVerifier for CoCoAttestationTokenVerifier {
}
}

let Some(trusted_store) = &self.trusted_certs else {
log::warn!("No Trusted Certificate in Config, skip verification of JWK cert of Attestation Token");
if self.trusted_certs.all_certificates().is_empty() {
warn!("No Trusted Certificate in Config, skip verification of JWK cert of Attestation Token");
mythi marked this conversation as resolved.
return Ok(serde_json::to_string(&claims_value)?);
};

Expand All @@ -116,9 +120,12 @@ impl AttestationTokenVerifier for CoCoAttestationTokenVerifier {
untrusted_stack.push(cert.clone())?;
}
let mut context = X509StoreContext::new()?;
if !context.init(trusted_store, &cert_chain[0], &untrusted_stack, |ctx| {
ctx.verify_cert()
})? {
if !context.init(
&self.trusted_certs,
&cert_chain[0],
&untrusted_stack,
|ctx| ctx.verify_cert(),
)? {
bail!("Untrusted certificate in Attestation Token JWK");
};

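Review bot: With the per-file errors in `new` (from `std::fs::read(path).map_or_else(` through `.map_err(|e| warn!("Failed to add certificate to trust store: {e}"))`) downgraded to warnings, a config that names trusted certificate paths which are all unreadable or unparsable now yields an empty store, and the `self.trusted_certs.all_certificates().is_empty()` branch in `verify` then skips JWK certificate verification entirely — a misconfigured trust anchor fails open, whereas before this change it was a construction-time error. Warning per file is fine, but the constructor should still refuse to build a verifier when paths were configured and none loaded, so the skip path is reached only when no trust anchors were configured at all. Separately, `X509::from_pem` already returns an owned `X509`, so `certs.to_owned()` is a redundant clone and the closure binding holds a single certificate; `store_builder.add_cert(cert)` reads better. The enclosing function of the `verify` hunk starts outside the hunk.
```rust
        let store = store_builder.build();
        // Paths were configured but nothing loaded: refuse to start rather than
        // silently falling into the "no trusted certs, skip verification" path.
        if !config.trusted_certs_paths.is_empty() && store.all_certificates().is_empty() {
            bail!("None of the configured trusted certificates could be loaded");
        }
        Ok(Self {
            trusted_certs: store,
        })
```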
23 changes: 5 additions & 18 deletions kbs/src/token/mod.rs
Expand Up @@ -5,7 +5,6 @@
use anyhow::*;
use async_trait::async_trait;
use serde::Deserialize;
use std::fmt;
use std::sync::Arc;
use strum::EnumString;
use tokio::sync::RwLock;
Expand All @@ -19,26 +18,20 @@ pub trait AttestationTokenVerifier {
async fn verify(&self, token: String) -> Result<String>;
}

#[derive(Deserialize, Debug, Clone, EnumString)]
#[derive(Deserialize, Default, Debug, Clone, EnumString)]
pub enum AttestationTokenVerifierType {
#[default]
CoCo,
}

#[derive(Deserialize, Debug, Clone)]
pub struct AttestationTokenVerifierConfig {
#[serde(default)]
pub attestation_token_type: AttestationTokenVerifierType,

// Trusted Certificates file (PEM format) path to verify Attestation Token Signature.
pub trusted_certs_paths: Option<Vec<String>>,
}

impl Default for AttestationTokenVerifierConfig {
fn default() -> Self {
Self {
attestation_token_type: AttestationTokenVerifierType::CoCo,
trusted_certs_paths: None,
}
}
#[serde(default)]
pub trusted_certs_paths: Vec<String>,
}

pub fn create_token_verifier(
Expand All @@ -51,9 +44,3 @@ pub fn create_token_verifier(
as Arc<RwLock<dyn AttestationTokenVerifier + Send + Sync>>),
}
}

impl fmt::Display for AttestationTokenVerifierType {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
write!(f, "{:?}", self)
}
}
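Review bot: The comment on `trusted_certs_paths` still describes a single "Trusted Certificates file (PEM format) path", but the field is now a `Vec<String>` that defaults to empty under `#[serde(default)]`, and it is a `//` comment rather than `///`, so it does not appear in rustdoc for this public field. Suggest replacing it with `/// Paths of trusted certificate files (PEM format) used to verify the Attestation Token's JWK certificate chain.` followed by `/// When empty (the default), the JWK certificate chain is not verified.` so the consequence of leaving it unset is visible to anyone reading the config type. Dropping `impl fmt::Display for AttestationTokenVerifierType` also removes `to_string()` on that enum; presumably no caller remains, but that cannot be confirmed from this diff.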