Merge pull request #187 from IABTechLab/tjm-UID2-2808-attest-core-url

Attest Core URL as passed in by the operators

Author: thomasm-ttd

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-shared</artifactId>
-    <version>6.1.8-6e6866128b</version>
+    <version>6.1.19-SNAPSHOT</version>
     <name>${project.groupId}:${project.artifactId}</name>
     <description>Library for all the shared uid2 operations</description>
     <url>https://github.com/IABTechLab/uid2docs</url>
@@ -33,6 +33,14 @@
         <url>https://github.com/IABTechLab/uid2-shared</url>
     </scm>
 
+    <repositories>
+        <repository>
+            <id>snapshots-repo</id>
+            <url>https://s01.oss.sonatype.org/content/repositories/snapshots</url>
+            <releases><enabled>false</enabled></releases>
+            <snapshots><enabled>true</enabled></snapshots>
+        </repository>
+    </repositories>
     <distributionManagement>
         <snapshotRepository>
             <id>ossrh</id>
@@ -71,7 +79,7 @@
         <dependency>
             <groupId>com.uid2</groupId>
             <artifactId>uid2-attestation-api</artifactId>
-            <version>1.5.0-676519b018</version>
+            <version>2.0.0-f968aec0e3</version>
         </dependency>
         <dependency>
             <groupId>io.vertx</groupId>

src/main/java/com/uid2/shared/attest/AttestationTokenRetriever.java

@@ -14,13 +14,11 @@
 import java.io.IOException;
 import java.net.*;
 import java.net.http.HttpResponse;
+import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.security.*;
 import java.time.Instant;
-import java.util.Base64;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Objects;
+import java.util.*;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.concurrent.locks.Lock;
@@ -37,6 +35,7 @@ public class AttestationTokenRetriever {
     private final AtomicReference<String> coreJwt;
     private final Handler<Pair<Integer, String>> responseWatcher;
     private final String attestationEndpoint;
+    private final byte[] encodedAttestationEndpoint;
     private final IClock clock;
     private final Vertx vertx;
     private final URLConnectionHttpClient httpClient;
@@ -71,6 +70,7 @@ public AttestationTokenRetriever(Vertx vertx,
                                      int attestCheckMilliseconds) {
         this.vertx = vertx;
         this.attestationEndpoint = attestationEndpoint;
+        this.encodedAttestationEndpoint = this.encodeStringUnicodeAttestationEndpoint(attestationEndpoint);
         this.clientApiToken = clientApiToken;
         this.appVersion = appVersion;
         this.attestationProvider = attestationProvider;
@@ -153,7 +153,7 @@ public void attest() throws IOException, AttestationTokenRetrieverException {
             KeyPair keyPair = generateKeyPair();
             byte[] publicKey = keyPair.getPublic().getEncoded();
             JsonObject requestJson = JsonObject.of(
-                    "attestation_request", Base64.getEncoder().encodeToString(attestationProvider.getAttestationRequest(publicKey)),
+                    "attestation_request", Base64.getEncoder().encodeToString(attestationProvider.getAttestationRequest(publicKey, this.encodedAttestationEndpoint)),
                     "public_key", Base64.getEncoder().encodeToString(publicKey),
                     "application_name", appVersion.getAppName(),
                     "application_version", appVersion.getAppVersion()
@@ -289,4 +289,10 @@ private void notifyResponseWatcher(int statusCode, String responseBody) {
     public boolean attested() {
         return this.attestationToken.get() != null && this.clock.now().isBefore(this.attestationTokenExpiresAt);
     }
+
+    private byte[] encodeStringUnicodeAttestationEndpoint(String data) {
+        // buffer.array() may include extra empty bytes at the end. This returns only the bytes that have data
+        ByteBuffer buffer = StandardCharsets.UTF_8.encode(data);
+        return Arrays.copyOf(buffer.array(), buffer.limit());
+    }
 }

src/main/java/com/uid2/shared/attest/NoAttestationProvider.java

@@ -4,7 +4,7 @@
 
 public class NoAttestationProvider implements IAttestationProvider {
     @Override
-    public byte[] getAttestationRequest(byte[] publicKey) {
+    public byte[] getAttestationRequest(byte[] publicKey, byte[] userData) {
         byte[] req = {0};
         return req;
     }

src/main/java/com/uid2/shared/attest/UidCoreClient.java

@@ -20,31 +20,27 @@ public class UidCoreClient implements IUidCoreClient, DownloadCloudStorage {
     private final URLConnectionHttpClient httpClient;
     private String userToken;
     private final String appVersionHeader;
-    private final boolean enforceHttps;
     private boolean allowContentFromLocalFileSystem = false;
     private final AttestationTokenRetriever attestationTokenRetriever;
 
 
-    public static UidCoreClient createNoAttest(String userToken, boolean enforceHttps, AttestationTokenRetriever attestationTokenRetriever) {
-        return new UidCoreClient(userToken, CloudUtils.defaultProxy, enforceHttps, attestationTokenRetriever, null);
+    public static UidCoreClient createNoAttest(String userToken, AttestationTokenRetriever attestationTokenRetriever) {
+        return new UidCoreClient(userToken, CloudUtils.defaultProxy, attestationTokenRetriever, null);
     }
 
     public UidCoreClient(String userToken,
                          Proxy proxy,
-                         boolean enforceHttps,
                          AttestationTokenRetriever attestationTokenRetriever) {
-        this(userToken, proxy, enforceHttps, attestationTokenRetriever, null);
+        this(userToken, proxy, attestationTokenRetriever, null);
     }
 
     public UidCoreClient(String userToken,
                          Proxy proxy,
-                         boolean enforceHttps,
                          AttestationTokenRetriever attestationTokenRetriever,
                          URLConnectionHttpClient httpClient) {
         this.proxy = proxy;
         this.userToken = userToken;
         this.contentStorage = new PreSignedURLStorage(proxy);
-        this.enforceHttps = enforceHttps;
         if (httpClient == null) {
             this.httpClient = new URLConnectionHttpClient(proxy);
         } else {
@@ -116,9 +112,6 @@ private InputStream getWithAttest(String path) throws IOException, AttestationTo
 
     private HttpResponse<String> sendHttpRequest(String path, String attestationToken) throws IOException {
         URI uri = URI.create(path);
-        if (this.enforceHttps && !"https".equalsIgnoreCase(uri.getScheme())) {
-            throw new IOException("UidCoreClient requires HTTPS connection");
-        }
 
         HashMap<String, String> headers = new HashMap<>();
         headers.put(Const.Http.AppVersionHeader, this.appVersionHeader);

src/main/java/com/uid2/shared/attest/UidOptOutClient.java

@@ -8,21 +8,19 @@
 
 public class UidOptOutClient extends UidCoreClient {
     public static UidOptOutClient createNoAttest(String userToken, boolean enforceHttps, AttestationTokenRetriever attestationTokenRetriever) {
-        return new UidOptOutClient(userToken, CloudUtils.defaultProxy, enforceHttps, attestationTokenRetriever, null);
+        return new UidOptOutClient(userToken, CloudUtils.defaultProxy, attestationTokenRetriever, null);
     }
 
     public UidOptOutClient(String userToken,
                          Proxy proxy,
-                         boolean enforceHttps,
                          AttestationTokenRetriever attestationTokenRetriever) {
-        super(userToken, proxy, enforceHttps, attestationTokenRetriever, null);
+        super(userToken, proxy, attestationTokenRetriever, null);
     }
     public UidOptOutClient(String userToken,
                            Proxy proxy,
-                           boolean enforceHttps,
                            AttestationTokenRetriever attestationTokenRetriever,
                            URLConnectionHttpClient httpClient) {
-        super(userToken, proxy, enforceHttps, attestationTokenRetriever, httpClient);
+        super(userToken, proxy, attestationTokenRetriever, httpClient);
     }
 
     @Override

src/main/java/com/uid2/shared/secure/AttestationFailure.java

@@ -6,6 +6,7 @@ public enum AttestationFailure {
     BAD_PAYLOAD,
     BAD_CERTIFICATE,
     FORBIDDEN_ENCLAVE,
+    UNKNOWN_ATTESTATION_URL,
     UNKNOWN;
 
     public String explain() {
@@ -20,6 +21,8 @@ public String explain() {
                 return "Cannot verify the certificate chain";
             case FORBIDDEN_ENCLAVE:
                 return "The enclave identifier is unknown";
+            case UNKNOWN_ATTESTATION_URL:
+                return "The given attestation URL is unknown";
             default:
                 return "Unknown reason";
         }

src/main/java/com/uid2/shared/secure/AzureCCAttestationProvider.java renamed to src/main/java/com/uid2/shared/secure/AzureCCCoreAttestationService.java

@@ -17,20 +17,20 @@
 
 // CC stands for Confidential Container
 @Slf4j
-public class AzureCCAttestationProvider implements IAttestationProvider {
+public class AzureCCCoreAttestationService implements ICoreAttestationService {
 
     private final Set<String> allowedEnclaveIds = new HashSet<>();
 
     private final IMaaTokenSignatureValidator tokenSignatureValidator;
 
     private final IPolicyValidator policyValidator;
 
-    public AzureCCAttestationProvider(String maaServerBaseUrl) {
+    public AzureCCCoreAttestationService(String maaServerBaseUrl) {
         this(new MaaTokenSignatureValidator(maaServerBaseUrl), new PolicyValidator());
     }
 
     // used in UT
-    protected AzureCCAttestationProvider(IMaaTokenSignatureValidator tokenSignatureValidator, IPolicyValidator policyValidator) {
+    protected AzureCCCoreAttestationService(IMaaTokenSignatureValidator tokenSignatureValidator, IPolicyValidator policyValidator) {
         this.tokenSignatureValidator = tokenSignatureValidator;
         this.policyValidator = policyValidator;
     }

src/main/java/com/uid2/shared/secure/GcpOidcAttestationProvider.java renamed to src/main/java/com/uid2/shared/secure/GcpOidcCoreAttestationService.java

@@ -10,21 +10,21 @@
 import java.nio.charset.StandardCharsets;
 import java.util.*;
 
-public class GcpOidcAttestationProvider implements IAttestationProvider{
-    private static final Logger LOGGER = LoggerFactory.getLogger(GcpOidcAttestationProvider.class);
+public class GcpOidcCoreAttestationService implements ICoreAttestationService {
+    private static final Logger LOGGER = LoggerFactory.getLogger(GcpOidcCoreAttestationService.class);
 
     private final ITokenSignatureValidator tokenSignatureValidator;
 
     private final List<IPolicyValidator> supportedPolicyValidators;
 
     private final Set<String> allowedEnclaveIds = new HashSet<>();
 
-    public GcpOidcAttestationProvider(){
+    public GcpOidcCoreAttestationService(){
         this(new TokenSignatureValidator(), Arrays.asList(new PolicyValidator()));
     }
 
     // used in UT
-    protected GcpOidcAttestationProvider(ITokenSignatureValidator tokenSignatureValidator, List<IPolicyValidator> supportedPolicyValidators){
+    protected GcpOidcCoreAttestationService(ITokenSignatureValidator tokenSignatureValidator, List<IPolicyValidator> supportedPolicyValidators){
         this.tokenSignatureValidator = tokenSignatureValidator;
         this.supportedPolicyValidators = supportedPolicyValidators;
     }

src/main/java/com/uid2/shared/secure/GcpVmidAttestationProvider.java renamed to src/main/java/com/uid2/shared/secure/GcpVmidCoreAttestationService.java

@@ -17,14 +17,14 @@
 import java.nio.charset.StandardCharsets;
 import java.util.*;
 
-public class GcpVmidAttestationProvider implements IAttestationProvider {
-    private static final Logger LOGGER = LoggerFactory.getLogger(GcpVmidAttestationProvider.class);
+public class GcpVmidCoreAttestationService implements ICoreAttestationService {
+    private static final Logger LOGGER = LoggerFactory.getLogger(GcpVmidCoreAttestationService.class);
 
     private final InstanceDocumentVerifier idVerifier = new InstanceDocumentVerifier();
     private final VmConfigVerifier vmConfigVerifier;
     private final Set<String> allowedVmConfigIds = new HashSet<>();
 
-    public GcpVmidAttestationProvider(GoogleCredentials credentials, Set<String> enclaveParams) throws Exception {
+    public GcpVmidCoreAttestationService(GoogleCredentials credentials, Set<String> enclaveParams) throws Exception {
         LoadBalancerRegistry.getDefaultRegistry().register(new PickFirstLoadBalancerProvider());
         this.vmConfigVerifier = new VmConfigVerifier(credentials, enclaveParams);
         LOGGER.info("Using Google Service Account: " + credentials.toString());

src/main/java/com/uid2/shared/secure/IAttestationProvider.java renamed to src/main/java/com/uid2/shared/secure/ICoreAttestationService.java

@@ -1,14 +1,11 @@
 package com.uid2.shared.secure;
 
-import com.uid2.shared.secure.AttestationException;
-import com.uid2.shared.secure.AttestationResult;
-
 import java.util.Collection;
 
 import io.vertx.core.AsyncResult;
 import io.vertx.core.Handler;
 
-public interface IAttestationProvider {
+public interface ICoreAttestationService {
     void attest(
         byte[] attestationRequest,
         byte[] publicKey,

src/main/java/com/uid2/shared/secure/NitroAttestationProvider.java renamed to src/main/java/com/uid2/shared/secure/NitroCoreAttestationService.java

@@ -2,7 +2,6 @@
 
 import com.uid2.shared.secure.nitro.AttestationDocument;
 import com.uid2.shared.secure.nitro.AttestationRequest;
-import com.uid2.shared.secure.IAttestationProvider;
 
 import java.util.Arrays;
 import java.util.Base64;
@@ -11,16 +10,23 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
+import com.uid2.shared.util.UrlEquivalenceValidator;
 import io.vertx.core.AsyncResult;
 import io.vertx.core.Future;
 import io.vertx.core.Handler;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-public class NitroAttestationProvider implements IAttestationProvider {
+public class NitroCoreAttestationService implements ICoreAttestationService {
 
+    private final String attestationUrl;
     private Set<NitroEnclaveIdentifier> allowedEnclaveIds;
-    private ICertificateProvider certificateProvider;
+    private final ICertificateProvider certificateProvider;
 
-    public NitroAttestationProvider(ICertificateProvider certificateProvider) {
+    private static final Logger LOGGER = LoggerFactory.getLogger(NitroCoreAttestationService.class);
+
+    public NitroCoreAttestationService(ICertificateProvider certificateProvider, String attestationUrl) {
+        this.attestationUrl = attestationUrl;
         this.allowedEnclaveIds = new HashSet<>();
         this.certificateProvider = certificateProvider;
     }
@@ -49,6 +55,11 @@ private AttestationResult attestInternal(byte[] publicKey, AttestationRequest aR
             return new AttestationResult(AttestationFailure.BAD_CERTIFICATE);
         }
 
+        String givenAttestationUrl = aDoc.getUserDataString();
+        if (!UrlEquivalenceValidator.areUrlsEquivalent(this.attestationUrl, givenAttestationUrl, LOGGER)) {
+            return new AttestationResult(AttestationFailure.UNKNOWN_ATTESTATION_URL);
+        }
+
         NitroEnclaveIdentifier id = NitroEnclaveIdentifier.fromRaw(aDoc.getPcr(0));
         if (!allowedEnclaveIds.contains(id)) {
             return new AttestationResult(AttestationFailure.FORBIDDEN_ENCLAVE);

src/main/java/com/uid2/shared/secure/TrustedAttestationProvider.java renamed to src/main/java/com/uid2/shared/secure/TrustedCoreAttestationService.java

@@ -7,8 +7,8 @@
 import java.util.Collection;
 import java.util.Collections;
 
-public class TrustedAttestationProvider implements IAttestationProvider {
-    public TrustedAttestationProvider() {}
+public class TrustedCoreAttestationService implements ICoreAttestationService {
+    public TrustedCoreAttestationService() {}
 
     @Override
     public void attest(byte[] attestationRequest, byte[] publicKey, Handler<AsyncResult<AttestationResult>> handler) {

src/main/java/com/uid2/shared/secure/gcpoidc/PolicyValidator.java

@@ -30,11 +30,13 @@ public class PolicyValidator implements IPolicyValidator {
 
     private static final List<String> REQUIRED_ENV_OVERRIDES = ImmutableList.of(
             ENV_ENVIRONMENT,
-            ENV_OPERATOR_API_KEY_SECRET_NAME
+            ENV_OPERATOR_API_KEY_SECRET_NAME,
+            ENV_CORE_ENDPOINT,
+            ENV_OPT_OUT_ENDPOINT
     );
 
     private static final Map<Environment, List<String>> OPTIONAL_ENV_OVERRIDES_MAP = ImmutableMap.of(
-            Environment.Integration, ImmutableList.of(ENV_CORE_ENDPOINT, ENV_OPT_OUT_ENDPOINT)
+            Environment.Integration, ImmutableList.of()
     );
 
     @Override

src/main/java/com/uid2/shared/secure/nitro/AttestationDocument.java

@@ -6,6 +6,7 @@
 
 import java.io.ByteArrayInputStream;
 import java.math.BigInteger;
+import java.nio.charset.StandardCharsets;
 import java.security.cert.CertPath;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -46,6 +47,7 @@ public static AttestationDocument createFrom(byte[] data) throws CborException {
     private List<byte[]> cabundle;
     private byte[] publicKey;
     private byte[] userData;
+    private String userDataString;
     private byte[] nonce;
 
     private AttestationDocument() {}
@@ -96,6 +98,7 @@ private void loadUserData(DataItem d) {
             this.userData = null;
         } else {
             this.userData = ((ByteString) d).getBytes();
+            this.userDataString = new String(this.userData, StandardCharsets.UTF_8);
         }
     }
 
@@ -146,6 +149,10 @@ public byte[] getUserData() {
         return userData;
     }
 
+    public String getUserDataString() {
+        return userDataString;
+    }
+
     public byte[] getNonce() {
         return nonce;
     }