Consolidated attestation exceptions

Author: thomasm-ttd

pom.xml

@@ -285,6 +285,9 @@
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <version>3.2.5</version>
+                <configuration>
+                    <argLine>-XX:+EnableDynamicAgentLoading</argLine>
+                </configuration>
             </plugin>
             <plugin>
                 <groupId>org.sonatype.plugins</groupId>

src/main/java/com/uid2/shared/secure/AttestationClientException.java

@@ -1,7 +1,12 @@
 package com.uid2.shared.secure;
 
-public class AttestationClientException extends AttestationException
-{
+import lombok.Getter;
+
+@Getter
+public class AttestationClientException extends AttestationException {
+    // This exception should be used when the error is as a result of invalid or bad data from the caller.
+    // It will result in a return code in the 400s
+
     private final AttestationFailure attestationFailure;
 
     public AttestationClientException(Throwable cause) {
@@ -14,7 +19,4 @@ public AttestationClientException(String message, AttestationFailure attestation
         this.attestationFailure = attestationFailure;
     }
 
-    public AttestationFailure getAttestationFailure() {
-        return this.attestationFailure;
-    }
 }

src/main/java/com/uid2/shared/secure/AttestationException.java

@@ -1,6 +1,10 @@
 package com.uid2.shared.secure;
 
 public class AttestationException extends Exception {
+    // Used to indicate an error in the processing of Attestation due to internal server errors
+    // It will result in a response code of 500.
+    // If the error is as a result in invalid input from the caller, use the AttestationClientException
+
     private final boolean isClientError;
 
     public boolean IsClientError() {

src/main/java/com/uid2/shared/secure/AttestationResult.java

@@ -16,7 +16,7 @@ public AttestationResult(AttestationFailure reasonToFail) {
     }
 
     public AttestationResult(AttestationClientException exception) {
-        this.failure = AttestationFailure.UNKNOWN;
+        this.failure = exception.getAttestationFailure();
         this.publicKey = null;
         this.enclaveId = "Failed attestation, enclave Id unknown";
         this.attestationClientException = exception;

src/main/java/com/uid2/shared/secure/BadFormatException.java

@@ -20,7 +20,7 @@
 public class NitroCoreAttestationService implements ICoreAttestationService {
 
     private final String attestationUrl;
-    private Set<NitroEnclaveIdentifier> allowedEnclaveIds;
+    private final Set<NitroEnclaveIdentifier> allowedEnclaveIds;
     private final ICertificateProvider certificateProvider;
 
     private static final Logger LOGGER = LoggerFactory.getLogger(NitroCoreAttestationService.class);
@@ -37,6 +37,8 @@ public void attest(byte[] attestationRequest, byte[] publicKey, Handler<AsyncRes
             AttestationRequest aReq = AttestationRequest.createFrom(attestationRequest);
             AttestationDocument aDoc = aReq.getAttestationDocument();
             handler.handle(Future.succeededFuture(attestInternal(publicKey, aReq, aDoc)));
+        } catch (AttestationClientException ace) {
+            handler.handle(Future.succeededFuture(new AttestationResult(ace)));
         } catch (Exception e) {
             handler.handle(Future.failedFuture(new AttestationException(e)));
         }
@@ -105,5 +107,4 @@ public void addIdentifier(NitroEnclaveIdentifier id) {
     public void removeIdentifier(NitroEnclaveIdentifier id) {
         this.allowedEnclaveIds.remove(id);
     }
-
 }

src/main/java/com/uid2/shared/secure/NitroCoreAttestationService.java

@@ -69,7 +69,7 @@ public MaaTokenPayload validate(String tokenString) throws AttestationException
         } catch (TokenVerifier.VerificationException e) {
             throw new AttestationClientException("Fail to validate the token signature, error: " + e.getMessage(), AttestationFailure.BAD_PAYLOAD);
         } catch (IOException e) {
-            throw new AttestationException("Fail to parse token, error: " + e.getMessage());
+            throw new AttestationClientException("Fail to parse token, error: " + e.getMessage(), AttestationFailure.BAD_PAYLOAD);
         }
 
         // Parse Payload

src/main/java/com/uid2/shared/secure/azurecc/MaaTokenSignatureValidator.java

@@ -15,15 +15,15 @@ public PolicyValidator(String attestationUrl) {
         this.attestationUrl = attestationUrl;
     }
     @Override
-    public String validate(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationException {
+    public String validate(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationClientException {
         verifyVM(maaTokenPayload);
         verifyLocation(maaTokenPayload);
         verifyPublicKey(maaTokenPayload, publicKey);
         verifyAttestationUrl(maaTokenPayload);
         return maaTokenPayload.getCcePolicyDigest();
     }
 
-    private void verifyPublicKey(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationException {
+    private void verifyPublicKey(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationClientException {
         if(Strings.isNullOrEmpty(publicKey)){
             throw new AttestationClientException("public key to check is null or empty", AttestationFailure.BAD_FORMAT);
         }
@@ -38,7 +38,7 @@ private void verifyPublicKey(MaaTokenPayload maaTokenPayload, String publicKey)
         }
     }
 
-    private void verifyAttestationUrl(MaaTokenPayload maaTokenPayload) throws AttestationException {
+    private void verifyAttestationUrl(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
         String decodedRuntimeAttestationUrl = maaTokenPayload.getRuntimeData().getDecodedAttestationUrl();
         if (decodedRuntimeAttestationUrl == null) {
             return;
@@ -47,7 +47,7 @@ private void verifyAttestationUrl(MaaTokenPayload maaTokenPayload) throws Attest
         }
     }
 
-    private void verifyVM(MaaTokenPayload maaTokenPayload) throws AttestationException {
+    private void verifyVM(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
         if(!maaTokenPayload.isSevSnpVM()){
             throw new AttestationClientException("Not in SevSnp VM", AttestationFailure.BAD_FORMAT);
         }
@@ -59,7 +59,7 @@ private void verifyVM(MaaTokenPayload maaTokenPayload) throws AttestationExcepti
         }
     }
 
-    private void verifyLocation(MaaTokenPayload maaTokenPayload) throws AttestationException {
+    private void verifyLocation(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
         var location = maaTokenPayload.getRuntimeData().getLocation();
         if(Strings.isNullOrEmpty(location)){
             throw new AttestationClientException("Location is not specified.", AttestationFailure.BAD_PAYLOAD);

src/main/java/com/uid2/shared/secure/azurecc/PolicyValidator.java

@@ -5,7 +5,8 @@
 import com.google.api.client.util.Clock;
 import com.google.auth.oauth2.TokenVerifier;
 import com.google.common.base.Strings;
-import com.uid2.shared.secure.AttestationException;
+import com.uid2.shared.secure.AttestationClientException;
+import com.uid2.shared.secure.AttestationFailure;
 
 import java.io.IOException;
 import java.security.PublicKey;
@@ -51,7 +52,7 @@ protected TokenSignatureValidator(PublicKey publicKeyOverride, Clock clockOverri
     }
 
     @Override
-    public TokenPayload validate(String tokenString) throws AttestationException {
+    public TokenPayload validate(String tokenString) throws AttestationClientException {
         if (Strings.isNullOrEmpty(tokenString)) {
             throw new IllegalArgumentException("tokenString can not be null or empty");
         }
@@ -65,9 +66,9 @@ public TokenPayload validate(String tokenString) throws AttestationException {
                 signature = tokenVerifier.verify(tokenString);
             }
         } catch (TokenVerifier.VerificationException e) {
-            throw new AttestationException("Fail to validate the token signature, error: " + e.getMessage());
+            throw new AttestationClientException("Fail to validate the token signature, error: " + e.getMessage(), AttestationFailure.BAD_CERTIFICATE);
         } catch (IOException e) {
-            throw new AttestationException("Fail to parse token, error: " + e.getMessage());
+            throw new AttestationClientException("Fail to parse token, error: " + e.getMessage(), AttestationFailure.BAD_PAYLOAD);
         }
 
         // Parse Payload
@@ -78,20 +79,20 @@ public TokenPayload validate(String tokenString) throws AttestationException {
         tokenPayloadBuilder.dbgStat(tryGetField(rawPayload, "dbgstat", String.class));
         tokenPayloadBuilder.swName(tryGetField(rawPayload, "swname", String.class));
         var swVersion = tryGetField(rawPayload, "swversion", List.class);
-        if(swVersion != null && !swVersion.isEmpty()){
+        if (swVersion != null && !swVersion.isEmpty()) {
             tokenPayloadBuilder.swVersion(tryConvert(swVersion.get(0), String.class));
         }
 
-        var subModsDetails = tryGetField(rawPayload,"submods",  Map.class);
+        var subModsDetails = tryGetField(rawPayload, "submods", Map.class);
 
-        if(subModsDetails != null){
+        if (subModsDetails != null) {
             var confidential_space = tryGetField(subModsDetails, "confidential_space", Map.class);
-            if(confidential_space != null){
+            if (confidential_space != null) {
                 tokenPayloadBuilder.csSupportedAttributes(tryGetField(confidential_space, "support_attributes", List.class));
             }
 
             var container = tryGetField(subModsDetails, "container", Map.class);
-            if(container != null){
+            if (container != null) {
                 tokenPayloadBuilder.workloadImageReference(tryGetField(container, "image_reference", String.class));
                 tokenPayloadBuilder.workloadImageDigest(tryGetField(container, "image_digest", String.class));
                 tokenPayloadBuilder.restartPolicy(tryGetField(container, "restart_policy", String.class));
@@ -101,14 +102,12 @@ public TokenPayload validate(String tokenString) throws AttestationException {
             }
 
             var gce = tryGetField(subModsDetails, "gce", Map.class);
-            if(gce != null){
+            if (gce != null) {
                 var gceZone = tryGetField(gce, "zone", String.class);
                 tokenPayloadBuilder.gceZone(gceZone);
             }
         }
 
         return tokenPayloadBuilder.build();
     }
-
-
 }

src/main/java/com/uid2/shared/secure/gcpoidc/TokenSignatureValidator.java

@@ -7,7 +7,8 @@
 import co.nstant.in.cbor.model.ByteString;
 import co.nstant.in.cbor.model.DataItem;
 import co.nstant.in.cbor.model.UnicodeString;
-import com.uid2.shared.secure.BadFormatException;
+import com.uid2.shared.secure.AttestationClientException;
+import com.uid2.shared.secure.AttestationFailure;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
@@ -22,7 +23,7 @@ public class AttestationRequest {
     private byte[] protectedHeader;
     private byte[] signature;
 
-    public static AttestationRequest createFrom(byte[] data) throws BadFormatException {
+    public static AttestationRequest createFrom(byte[] data) throws AttestationClientException {
         try {
             AttestationRequest aReq = new AttestationRequest();
             ByteArrayInputStream stream = new ByteArrayInputStream(data);
@@ -34,11 +35,11 @@ public static AttestationRequest createFrom(byte[] data) throws BadFormatExcepti
             aReq.signature = ((ByteString) dataItems.get(3)).getBytes();
             return aReq;
         } catch (CborException ce) {
-            throw new BadFormatException(ce.getMessage(), ce);
+            throw new AttestationClientException(ce.getMessage(), AttestationFailure.BAD_FORMAT);
         }
     }
 
-    public static AttestationRequest createFrom(String base64data) throws BadFormatException {
+    public static AttestationRequest createFrom(String base64data) throws AttestationClientException {
         return createFrom(Base64.getDecoder().decode(base64data));
     }