Skip to content

Commit

Permalink
Code cleanup and improved test coverage for the AWS Nitro plugins
Browse files Browse the repository at this point in the history
  • Loading branch information
dreemkiller committed Nov 13, 2022
1 parent 4c4bb09 commit 51eba16
Show file tree
Hide file tree
Showing 5 changed files with 66 additions and 37 deletions.
8 changes: 0 additions & 8 deletions provisioning/plugins/corim-nitro-decoder/classattributes.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,14 +28,6 @@ func (o *NitroClassAttributes) FromEnvironment(e comid.Environment) error {
return fmt.Errorf("expecting class-id in class")
}

// implID, err := classID.GetImplID()
// if err != nil {
// return fmt.Errorf("could not extract implementation-id from class-id: %w", err)
// }

// //o.ImplID, _ = implID.MarshalJSON()
// o.ImplID = implID[:]

if class.Vendor != nil {
o.Vendor = *class.Vendor
}
Expand Down
3 changes: 0 additions & 3 deletions provisioning/plugins/corim-nitro-decoder/decoder.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@
package main

import (
"fmt"
"github.com/veraison/services/provisioning/decoder"
plugin_common "github.com/veraison/services/provisioning/plugins/common"
)
Expand Down Expand Up @@ -34,8 +33,6 @@ func (o Decoder) GetSupportedMediaTypes() []string {
}

func (o Decoder) Decode(data []byte) (*decoder.EndorsementDecoderResponse, error) {
fmt.Println("provisioning.plugins.corim-nitro-decoder.decoder.go.Decoder.Decode calling plugin_common.UnsignedCorimDecoder")
result,err := plugin_common.UnsignedCorimDecoder(data, Extractor{})
fmt.Printf("provisionin.plugins.corim-nitro-decoder.Decoder received response from UnsignedCorimDecoder:%v, %v\n", result, err)
return result, err
}
2 changes: 0 additions & 2 deletions provisioning/plugins/corim-nitro-decoder/extractor.go
Original file line number Diff line number Diff line change
Expand Up @@ -123,8 +123,6 @@ func (o Extractor) TaExtractor(avk comid.AttestVerifKey) (*proto.Endorsement, er

func makeTaAttrs(i NitroInstanceAttributes, c NitroClassAttributes, key string) (*structpb.Struct, error) {
taID := map[string]interface{}{
//"nitro.impl-id": c.ImplID,
//"psa.inst-id": []byte(i.InstID),
"nitro.iak-pub": key,
}

Expand Down
62 changes: 52 additions & 10 deletions vts/plugins/scheme-aws-nitro/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
//"encoding/base64"
"encoding/json"
"encoding/pem"
"flag"
"fmt"
"net/url"
"time"
Expand Down Expand Up @@ -46,19 +47,28 @@ func (s Scheme) GetSupportedMediaTypes() []string {
}
}

// GetTrustAnchorID returns a string ID used to retrieve a trust anchor
// for this token. The trust anchor may be necessary to validate the
// token and/or extract its claims (if it is encrypted).
func (s Scheme) GetTrustAnchorID(token *proto.AttestationToken) (string, error) {

return nitroTaLookupKey(token.TenantId), nil
}

// ExtractClaims parses the attestation token and returns claims
// extracted therefrom.
func (s Scheme) ExtractClaims(token *proto.AttestationToken, trustAnchor string) (*scheme.ExtractedClaims, error) {
return s.extractClaimsImpl(token, trustAnchor, time.Now())
}

/// Same as ExtractClaims, but allows the caller to set an alternate "current time" to allow
/// tests to use saved attestation document data without triggering certificate expiry errors.
/// THIS FUNCTION SHOULD ONLY BE USED IN TESTING
func (s Scheme) ExtractClaimsTest(token *proto.AttestationToken, trustAnchor string, testTime time.Time) (*scheme.ExtractedClaims, error) {
return s.extractClaimsImpl(token, trustAnchor, testTime)
}

/// Implementation of the functionality for ExtracClaims and ExtracClaimsTest
func (s Scheme) extractClaimsImpl(token *proto.AttestationToken, trustAnchor string, now time.Time) (*scheme.ExtractedClaims, error) {
ta_unmarshalled := make(map[string]interface{})

Expand Down Expand Up @@ -98,7 +108,12 @@ func (s Scheme) extractClaimsImpl(token *proto.AttestationToken, trustAnchor str

token_data := token.Data

document, err := nitro_eclave_attestation_document.AuthenticateDocumentTest(token_data, *cert, now)
var document *nitro_eclave_attestation_document.AttestationDocument
if flag.Lookup("test.v") == nil {
document, err = nitro_eclave_attestation_document.AuthenticateDocument(token_data, *cert)
} else {
document, err = nitro_eclave_attestation_document.AuthenticateDocumentTest(token_data, *cert, now)
}
if err != nil {
new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to AuthenticateDocument failed:%v", err)
return nil, new_err
Expand All @@ -116,6 +131,9 @@ func (s Scheme) extractClaimsImpl(token *proto.AttestationToken, trustAnchor str
return &extracted, nil
}

// AppraiseEvidence evaluates the specified EvidenceContext against
// the specified endorsements, and returns an AttestationResult wrapped
// in an AppraisalContext.
func (s Scheme) AppraiseEvidence(
ec *proto.EvidenceContext, endorsementsStrings []string,
) (*proto.AppraisalContext, error) {
Expand Down Expand Up @@ -154,23 +172,43 @@ func (s Scheme) ValidateEvidenceIntegrity(
trustAnchor string,
endorsementsStrings []string,
) error {
return s.validateEvidenceIntegrityImpl(token, trustAnchor, endorsementsStrings, time.Now())
}

/// Same as ValidateEvidenceIntegrity, but allows the caller to set an alternate "current time" to allow
/// tests to use saved attestation document data without triggering certificate expiry errors.
/// THIS FUNCTION SHOULD ONLY BE USED IN TESTING
func (s Scheme) ValidateEvidenceIntegrityTest(
token *proto.AttestationToken,
trustAnchor string,
endorsementsStrings []string,
testTime time.Time,
) error {
return s.validateEvidenceIntegrityImpl(token, trustAnchor, endorsementsStrings, testTime)
}

func (s Scheme) validateEvidenceIntegrityImpl(token *proto.AttestationToken,
trustAnchor string,
endorsementsStrings []string,
now time.Time,
) error {

ta_unmarshalled := make(map[string]interface{})

err := json.Unmarshal([]byte(trustAnchor), &ta_unmarshalled)
if err != nil {
new_err := fmt.Errorf("ExtractVerifiedClaims call to json.Unmarshall failed:%v", err)
new_err := fmt.Errorf("ValidateEvidenceIntegrityImpl call to json.Unmarshall failed:%v", err)
return new_err
}
contents, ok := ta_unmarshalled["attributes"].(map[string]interface{})
if !ok {
new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims cast of %v to map[string]interface{} failed", ta_unmarshalled["attributes"])
new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl cast of %v to map[string]interface{} failed", ta_unmarshalled["attributes"])
return new_err
}

cert_pem, ok := contents["nitro.iak-pub"].(string)
cert_pem, ok := contents["key"].(string)
if !ok {
new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims cast of %v to string failed", contents["nitro.iak-pub"])
new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl cast of %v to string failed", contents["nitro.iak-pub"])
return new_err
}

Expand All @@ -180,27 +218,31 @@ func (s Scheme) ValidateEvidenceIntegrity(
cert_pem_bytes := []byte(cert_pem)
cert_block, _ := pem.Decode(cert_pem_bytes)
if cert_block == nil {
new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to pem.Decode failed, but I don't know why")
new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to pem.Decode failed, but I don't know why")
return new_err
}

cert_der := cert_block.Bytes
cert, err := x509.ParseCertificate(cert_der)
if err != nil {
new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to x509.ParseCertificate failed:%v", err)
new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to x509.ParseCertificate failed:%v", err)
return new_err
}

// token_data, err := base64.StdEncoding.DecodeString(string(token.Data))
// if err != nil {
// new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to base64.StdEncoding.DecodeString failed:%v", err)
// new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to base64.StdEncoding.DecodeString failed:%v", err)
// return nil, new_err
// }
token_data := token.Data

_, err = nitro_eclave_attestation_document.AuthenticateDocument(token_data, *cert)
if flag.Lookup("test.v") == nil {
_, err = nitro_eclave_attestation_document.AuthenticateDocument(token_data, *cert)
} else {
_, err = nitro_eclave_attestation_document.AuthenticateDocumentTest(token_data, *cert, now)
}
if err != nil {
new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to AuthenticateDocument failed:%v", err)
new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to AuthenticateDocument failed:%v", err)
return new_err
}
return nil
Expand Down
28 changes: 14 additions & 14 deletions vts/plugins/scheme-aws-nitro/main_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -117,25 +117,25 @@ func Test_ExtractVerifiedClaims_ok(t *testing.T) {
assert.EqualError(t, err, `scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to AuthenticateDocument failed:AuthenticateDocument::Verify failed:verification error`)
}

// func Test_ValidateEvidenceIntegrity_ok(t *testing.T) {
// tokenBytes, err := os.ReadFile("test/psa-token.cbor")
// require.NoError(t, err)
func Test_ValidateEvidenceIntegrity_ok(t *testing.T) {
tokenBytes, err := os.ReadFile("test/aws_nitro_document.cbor")
require.NoError(t, err)

// taEndValBytes, err := os.ReadFile("test/ta-endorsements.json")
// require.NoError(t, err)
taEndValBytes, err := os.ReadFile("test/ta-endorsements.json")
require.NoError(t, err)

// scheme := &Scheme{}
scheme := &Scheme{}

// token := proto.AttestationToken{
// TenantId: "1",
// Format: proto.AttestationFormat_PSA_IOT,
// Data: tokenBytes,
// }
token := proto.AttestationToken{
TenantId: "1",
Format: proto.AttestationFormat_AWS_NITRO,
Data: tokenBytes,
}

// err = scheme.ValidateEvidenceIntegrity(&token, string(taEndValBytes), nil)
err = scheme.ValidateEvidenceIntegrityTest(&token, string(taEndValBytes), nil, testTime)

// assert.NoError(t, err)
// }
assert.NoError(t, err)
}

// func Test_AppraiseEvidence_ok(t *testing.T) {
// extractedBytes, err := os.ReadFile("test/extracted.json")
Expand Down

0 comments on commit 51eba16

Please sign in to comment.