From 206f974440d4012760cf4260e4e7d0ca1240583b Mon Sep 17 00:00:00 2001 From: "Derek D. Miller" Date: Sat, 12 Nov 2022 12:52:24 -0600 Subject: [PATCH 1/7] Added vts and provisioning plugins for AWS Nitro enclave attestation documents 
Signed-off-by: Derek D. Miller --- go.mod | 13 +- go.sum | 9 + proto/attestation_format.pb.go | 15 +- proto/attestation_format.proto | 3 + provisioning/plugins/Makefile | 1 + .../plugins/corim-nitro-decoder/Makefile | 15 + .../plugins/corim-nitro-decoder/README.md | 36 +++ .../corim-nitro-decoder/classattributes.go | 48 +++ .../plugins/corim-nitro-decoder/decoder.go | 41 +++ .../corim-nitro-decoder/decoder_test.go | 109 +++++++ .../plugins/corim-nitro-decoder/extractor.go | 140 +++++++++ .../corim-nitro-decoder/instanceattributes.go | 16 + .../plugins/corim-nitro-decoder/main.go | 27 ++ .../corim-nitro-decoder/swcompattributes.go | 60 ++++ .../test-harness/AWSNitroComid.cbor | Bin 0 -> 825 bytes .../test-harness/AWSNitroComid.json | 40 +++ .../test-harness/AWSNitroComidDualKey.cbor | Bin 0 -> 1542 bytes .../test-harness/AWSNitroComidDualKey.json | 43 +++ .../test-harness/AWSNitroComidNoImplId.cbor | Bin 0 -> 805 bytes .../test-harness/AWSNitroComidNoImplId.json | 36 +++ .../test-harness/corimMini.json | 3 + .../test-harness/gen_vectors.sh | 20 ++ .../test-harness/unsigned_corim.cbor | Bin 0 -> 852 bytes .../test-harness/unsigned_corim_dual_key.cbor | Bin 0 -> 1569 bytes .../unsigned_corim_no_impl_id.cbor | Bin 0 -> 832 bytes .../corim-nitro-decoder/test_vectors.go | 125 ++++++++ vts/plugins/Makefile | 1 + vts/plugins/scheme-aws-nitro/Makefile | 11 + vts/plugins/scheme-aws-nitro/main.go | 274 ++++++++++++++++++ vts/plugins/scheme-aws-nitro/main_test.go | 179 ++++++++++++ .../test/aws_nitro_document.cbor | Bin 0 -> 4461 bytes .../test/aws_nitro_document_bad_sig.cbor | Bin 0 -> 4461 bytes .../test/ta-endorsements.json | 7 + 33 files changed, 1262 insertions(+), 10 deletions(-) create mode 100644 provisioning/plugins/corim-nitro-decoder/Makefile create mode 100644 provisioning/plugins/corim-nitro-decoder/README.md create mode 100644 provisioning/plugins/corim-nitro-decoder/classattributes.go create mode 100644 provisioning/plugins/corim-nitro-decoder/decoder.go create 
mode 100644 provisioning/plugins/corim-nitro-decoder/decoder_test.go create mode 100644 provisioning/plugins/corim-nitro-decoder/extractor.go create mode 100644 provisioning/plugins/corim-nitro-decoder/instanceattributes.go create mode 100644 provisioning/plugins/corim-nitro-decoder/main.go create mode 100644 provisioning/plugins/corim-nitro-decoder/swcompattributes.go create mode 100644 provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComid.cbor create mode 100644 provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComid.json create mode 100644 provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComidDualKey.cbor create mode 100644 provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComidDualKey.json create mode 100644 provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComidNoImplId.cbor create mode 100644 provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComidNoImplId.json create mode 100644 provisioning/plugins/corim-nitro-decoder/test-harness/corimMini.json create mode 100755 provisioning/plugins/corim-nitro-decoder/test-harness/gen_vectors.sh create mode 100644 provisioning/plugins/corim-nitro-decoder/test-harness/unsigned_corim.cbor create mode 100644 provisioning/plugins/corim-nitro-decoder/test-harness/unsigned_corim_dual_key.cbor create mode 100644 provisioning/plugins/corim-nitro-decoder/test-harness/unsigned_corim_no_impl_id.cbor create mode 100644 provisioning/plugins/corim-nitro-decoder/test_vectors.go create mode 100644 vts/plugins/scheme-aws-nitro/Makefile create mode 100644 vts/plugins/scheme-aws-nitro/main.go create mode 100644 vts/plugins/scheme-aws-nitro/main_test.go create mode 100644 vts/plugins/scheme-aws-nitro/test/aws_nitro_document.cbor create mode 100644 vts/plugins/scheme-aws-nitro/test/aws_nitro_document_bad_sig.cbor create mode 100644 vts/plugins/scheme-aws-nitro/test/ta-endorsements.json diff --git a/go.mod b/go.mod index 65c93232..6465186c 100644 --- a/go.mod 
+++ b/go.mod @@ -6,11 +6,14 @@ require ( github.com/DATA-DOG/go-sqlmock v1.5.0 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d github.com/denisbrodbeck/machineid v1.0.1 + github.com/fatih/color v1.13.0 github.com/gin-gonic/gin v1.8.1 github.com/go-playground/assert/v2 v2.0.1 github.com/golang/mock v1.6.0 + github.com/golang/protobuf v1.5.2 github.com/google/go-tpm v0.3.3 github.com/google/uuid v1.3.0 + github.com/hashicorp/go-hclog v1.2.0 github.com/hashicorp/go-plugin v1.4.4 github.com/jellydator/ttlcache/v3 v3.0.0 github.com/mattn/go-sqlite3 v1.14.14 @@ -18,10 +21,12 @@ require ( github.com/moogar0880/problems v0.1.1 github.com/olekukonko/tablewriter v0.0.5 github.com/open-policy-agent/opa v0.43.1 + github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 github.com/spf13/cobra v1.5.0 github.com/spf13/jwalterweatherman v1.1.0 github.com/spf13/viper v1.9.0 - github.com/stretchr/testify v1.8.0 + github.com/stretchr/testify v1.8.1 + github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20221112151611-0893a6c14411 github.com/veraison/corim v0.0.0-20220801100627-a48aacbd333c github.com/veraison/dice v0.0.1 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff @@ -37,7 +42,6 @@ require ( github.com/agnivade/levenshtein v1.0.1 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d // indirect - github.com/fatih/color v1.13.0 // indirect github.com/fsnotify/fsnotify v1.5.4 // indirect github.com/fxamacker/cbor/v2 v2.4.0 // indirect github.com/ghodss/yaml v1.0.0 // indirect 
@@ -47,8 +51,7 @@ require ( github.com/go-playground/validator/v10 v10.10.0 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/goccy/go-json v0.9.7 // indirect - github.com/golang/protobuf v1.5.2 // indirect - github.com/hashicorp/go-hclog v1.2.0 // indirect + github.com/golang/glog v1.0.0 // indirect github.com/hashicorp/hcl v1.0.0 // indirect github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect github.com/inconshreveable/mousetrap v1.0.0 // indirect @@ -65,12 +68,12 @@ require ( github.com/mattn/go-isatty v0.0.14 // indirect github.com/mattn/go-runewidth v0.0.9 // indirect github.com/mitchellh/go-testing-interface v1.0.0 // indirect + github.com/mitchellh/protoc-gen-go-json v1.1.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/oklog/run v1.0.0 // indirect github.com/pelletier/go-toml v1.9.5 // indirect github.com/pelletier/go-toml/v2 v2.0.5 // indirect - github.com/petar-dambovaliev/aho-corasick v0.0.0-20211021192214-5ab2d9280aa9 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect diff --git a/go.sum b/go.sum index de6da40a..ba2af063 100644 --- a/go.sum +++ b/go.sum 
@@ -778,6 +778,8 @@ github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A= +github.com/mitchellh/protoc-gen-go-json v1.1.0 h1:lEi1xtXyYKDwA8EB5u27+UUZOTznC4JpqVOKZwCGJUo= +github.com/mitchellh/protoc-gen-go-json v1.1.0/go.mod h1:pACAKlMtBf4SMFbVswcjwNwWwlci6Vn841H5jPRcE9I= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= github.com/moby/sys/mountinfo v0.4.0/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A= @@ -1022,6 +1024,7 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= +github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= github.com/stretchr/testify v0.0.0-20180303142811-b89eecf5ca5d/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= 
@@ -1033,6 +1036,8 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals= github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= +github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= +github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs= github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0= 
@@ -1055,6 +1060,10 @@ github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtX github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/vektah/gqlparser/v2 v2.4.6 h1:Yjzp66g6oVq93Jihbi0qhGnf/6zIWjcm8H6gA27zstE= github.com/vektah/gqlparser/v2 v2.4.6/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0= +github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20220902142425-b49cd6e96cf5 h1:TamshIh803Xw8wEYgIuqRQjbUfaMSHMDsMtBH4TOpzw= +github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20220902142425-b49cd6e96cf5/go.mod h1:EXpO454Q3yOKVoNc7ECuLRfP7cmTmuhPwtuFYbkxWBk= +github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20221112151611-0893a6c14411 h1:QHBX9m8HlqC+qhc/gGLdHA+8hfwsNY/s8lBiVnzAde0= +github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20221112151611-0893a6c14411/go.mod h1:JRldyv/2U+D7c5yI1HP9iY/Aa7j3TnhwpUvC1ZwE+Lw= github.com/veraison/apiclient v0.0.2/go.mod h1:H8YDx1ixM24GYP/aLbhq+HJsej0lVUqFCRIL5Uu4B0o= github.com/veraison/corim v0.0.0-20220801100627-a48aacbd333c h1:+qOmTV5aI475VuNXDfy8Klg8m2ovSISmdZlS63w0J64= github.com/veraison/corim v0.0.0-20220801100627-a48aacbd333c/go.mod h1:FOUHHZ7fOyWKk4oKUjO5Zw5gnkjz0rtzcJDvUZZFRSg= diff --git a/proto/attestation_format.pb.go b/proto/attestation_format.pb.go index bbe70628..33dab3bf 100644 --- a/proto/attestation_format.pb.go +++ b/proto/attestation_format.pb.go @@ -34,6 +34,8 @@ const ( AttestationFormat_TCG_DICE AttestationFormat = 2 // TPM EnactTrust AttestationFormat_TPM_ENACTTRUST AttestationFormat = 3 + // AWS Nitro Enclaves + AttestationFormat_AWS_NITRO AttestationFormat = 4 ) // Enum value maps for AttestationFormat. @@ -43,12 +45,14 @@ var ( 1: "PSA_IOT", 2: "TCG_DICE", 3: "TPM_ENACTTRUST", + 4: "AWS_NITRO", } AttestationFormat_value = map[string]int32{ "UNKNOWN_FORMAT": 0, "PSA_IOT": 1, "TCG_DICE": 2, "TPM_ENACTTRUST": 3, + "AWS_NITRO": 4, } ) 
@@ -84,15 +88,16 @@ var File_attestation_format_proto protoreflect.FileDescriptor var file_attestation_format_proto_rawDesc = []byte{ 0x0a, 0x18, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x05, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x2a, 0x56, 0x0a, 0x11, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, + 0x6f, 0x2a, 0x65, 0x0a, 0x11, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6f, 0x72, 0x6d, 0x61, 0x74, 0x12, 0x12, 0x0a, 0x0e, 0x55, 0x4e, 0x4b, 0x4e, 0x4f, 0x57, 0x4e, 0x5f, 0x46, 0x4f, 0x52, 0x4d, 0x41, 0x54, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x50, 0x53, 0x41, 0x5f, 0x49, 0x4f, 0x54, 0x10, 0x01, 0x12, 0x0c, 0x0a, 0x08, 0x54, 0x43, 0x47, 0x5f, 0x44, 0x49, 0x43, 0x45, 0x10, 0x02, 0x12, 0x12, 0x0a, 0x0e, 0x54, 0x50, 0x4d, 0x5f, 0x45, 0x4e, 0x41, - 0x43, 0x54, 0x54, 0x52, 0x55, 0x53, 0x54, 0x10, 0x03, 0x42, 0x24, 0x5a, 0x22, 0x67, 0x69, 0x74, - 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x76, 0x65, 0x72, 0x61, 0x69, 0x73, 0x6f, 0x6e, - 0x2f, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x43, 0x54, 0x54, 0x52, 0x55, 0x53, 0x54, 0x10, 0x03, 0x12, 0x0d, 0x0a, 0x09, 0x41, 0x57, 0x53, + 0x5f, 0x4e, 0x49, 0x54, 0x52, 0x4f, 0x10, 0x04, 0x42, 0x24, 0x5a, 0x22, 0x67, 0x69, 0x74, 0x68, + 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x76, 0x65, 0x72, 0x61, 0x69, 0x73, 0x6f, 0x6e, 0x2f, + 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/proto/attestation_format.proto b/proto/attestation_format.proto index 2f11ef51..dc91631e 100644 --- a/proto/attestation_format.proto +++ b/proto/attestation_format.proto @@ -18,5 +18,8 @@ enum AttestationFormat { // TPM EnactTrust TPM_ENACTTRUST = 3; + + // AWS Nitro Enclaves + AWS_NITRO = 4; } 
diff --git a/provisioning/plugins/Makefile b/provisioning/plugins/Makefile index ce87dbba..cfda8df0 100644 --- a/provisioning/plugins/Makefile +++ b/provisioning/plugins/Makefile @@ -4,5 +4,6 @@ SUBDIR += common SUBDIR += corim-psa-decoder SUBDIR += corim-tpm-enacttrust-decoder +SUBDIR += corim-nitro-decoder include ../../mk/subdir.mk diff --git a/provisioning/plugins/corim-nitro-decoder/Makefile b/provisioning/plugins/corim-nitro-decoder/Makefile new file mode 100644 index 00000000..42b810cf --- /dev/null +++ b/provisioning/plugins/corim-nitro-decoder/Makefile @@ -0,0 +1,15 @@ +# Copyright 2022 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../bin/veraison-provisining-decoder-corim-nitro +GOPKG := github.com/veraison/services/provisioning/plugins/corim-nitro-decoder +SRCS := $(wildcard *.go) + +all-hook-pre all-test-pre all-lint-pre: + $(MAKE) -C ../../../proto protogen + $(MAKE) -C ../../decoder protogen + +include ../../../mk/common.mk +include ../../../mk/plugin.mk +include ../../../mk/lint.mk +include ../../../mk/test.mk \ No newline at end of file diff --git a/provisioning/plugins/corim-nitro-decoder/README.md b/provisioning/plugins/corim-nitro-decoder/README.md new file mode 100644 index 00000000..044ae7fe --- /dev/null +++ b/provisioning/plugins/corim-nitro-decoder/README.md 
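Review bot: `PLUGIN := ../bin/veraison-provisining-decoder-corim-nitro` misspells "provisioning" in the plugin binary name. The sibling decoders' Makefiles are not in this patch, so I cannot confirm the naming convention from here, but if the provisioning service discovers decoder plugins by a `veraison-provisioning-decoder-*` prefix the mistyped binary would simply never be loaded. Suggest `PLUGIN := ../bin/veraison-provisioning-decoder-corim-nitro`.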
@@ -0,0 +1,36 @@
+# Endorsement Store Interface
+
+## Reference Value
+
+```json
+{
+ "scheme": "AWS_NITRO",
+ "type": "REFERENCE_VALUE",
+ "attributes": {
+ "psa.hw-model": "RoadRunner",
+ "psa.hw-vendor": "ACME",
+ "psa.impl-id": "IllXTnRaUzFwYlhCc1pXMWxiblJoZEdsdmJpMXBaQzB3TURBd01EQXdNREU9Ig==",
+ "psa.measurement-desc": 1,
+ "psa.measurement-type": "BL",
+ "psa.measurement-value": "h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc=",
+ "psa.signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=",
+ "psa.version": "2.1.0"
+ }
+}
+```
+
+## Trust Anchor
+
+```json
+{
+ "scheme": "AWS_NITRO",
+ "type": "VERIFICATION_KEY",
+ "attributes": {
+ "psa.hw-model": "RoadRunner",
+ "psa.hw-vendor": "ACME",
+ "psa.iak-pub": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6Vwqe7hy3O8Ypa+BUETLUjBNU3rEXVUyt9XHR7HJWLG7XTKQd9i1kVRXeBPDLFnfYru1/euxRnJM7H9UoFDLdA==",
+ "psa.impl-id": "IllXTnRaUzFwYlhCc1pXMWxiblJoZEdsdmJpMXBaQzB3TURBd01EQXdNREU9Ig==",
+ "psa.inst-id": "AUyj5PUL8kjDl4cCDWj/0FyIdndRvyZFypI/V6mL7NKW"
+ }
+}
+```
\ No newline at end of file
diff --git a/provisioning/plugins/corim-nitro-decoder/classattributes.go b/provisioning/plugins/corim-nitro-decoder/classattributes.go
new file mode 100644
index 00000000..3b4fc6eb
--- /dev/null
+++ b/provisioning/plugins/corim-nitro-decoder/classattributes.go
@@ -0,0 +1,48 @@
+// Copyright 2022 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package main
+
+import (
+ "fmt"
+
+ "github.com/veraison/corim/comid"
+)
+
+type NitroClassAttributes struct {
+ //ImplID []byte
+ Vendor string
+ Model string
+}
+
+// extract mandatory ImplID and optional vendor & model
+func (o *NitroClassAttributes) FromEnvironment(e comid.Environment) error {
+ class := e.Class
+
+ if class == nil {
+ return fmt.Errorf("expecting class in environment")
+ }
+
+ classID := class.ClassID
+
+ if classID == nil {
+ return fmt.Errorf("expecting class-id in class")
+ }
+
+ // implID, err := classID.GetImplID()
+ // if err != nil {
+ // return fmt.Errorf("could not extract implementation-id from class-id: %w", err)
+ // }
+
+ // //o.ImplID, _ = implID.MarshalJSON()
+ // o.ImplID = implID[:]
+
+ if class.Vendor != nil {
+ o.Vendor = *class.Vendor
+ }
+
+ if class.Model != nil {
+ o.Model = *class.Model
+ }
+
+ return nil
+}
\ No newline at end of file
diff --git a/provisioning/plugins/corim-nitro-decoder/decoder.go b/provisioning/plugins/corim-nitro-decoder/decoder.go
new file mode 100644
index 00000000..d876b0a6
--- /dev/null
+++ b/provisioning/plugins/corim-nitro-decoder/decoder.go
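Review bot: The comment `// extract mandatory ImplID and optional vendor & model` no longer describes FromEnvironment: the ImplID extraction is commented out, so the function only verifies that a class-id is present (its value is never read) and then copies the optional vendor and model. Either delete the commented-out block and reword the comment to `// FromEnvironment requires a class-id to be present and extracts the optional vendor and model.`, or, if an implementation id is still meant to be carried for Nitro, restore the field and the extraction instead of leaving both as comments. The same placeholder survives as `//ImplID []byte` in the struct and as the commented `c.ImplID` entries in extractor.go, so whichever way this goes should be applied there too.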
@@ -0,0 +1,41 @@
+// Copyright 2022 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package main
+
+import (
+ "fmt"
+ "github.com/veraison/services/provisioning/decoder"
+ plugin_common "github.com/veraison/services/provisioning/plugins/common"
+)
+
+const (
+ SupportedMediaType = "application/corim-unsigned+cbor; profile=http://aws.com/nitro"
+ PluginName = "unsigned-corim (AWS Nitro profile)"
+)
+
+type Decoder struct{}
+
+func (o Decoder) Init(params decoder.Params) error {
+ return nil // no-op
+}
+
+func (o Decoder) Close() error {
+ return nil // no-op
+}
+
+func (o Decoder) GetName() string {
+ return PluginName
+}
+
+func (o Decoder) GetSupportedMediaTypes() []string {
+ return []string{
+ SupportedMediaType,
+ }
+}
+
+func (o Decoder) Decode(data []byte) (*decoder.EndorsementDecoderResponse, error) {
+ fmt.Println("provisioning.plugins.corim-nitro-decoder.decoder.go.Decoder.Decode calling plugin_common.UnsignedCorimDecoder")
+ result,err := plugin_common.UnsignedCorimDecoder(data, Extractor{})
+ fmt.Printf("provisionin.plugins.corim-nitro-decoder.Decoder received response from UnsignedCorimDecoder:%v, %v\n", result, err)
+ return result, err
+}
\ No newline at end of file
diff --git a/provisioning/plugins/corim-nitro-decoder/decoder_test.go b/provisioning/plugins/corim-nitro-decoder/decoder_test.go
new file mode 100644
index 00000000..ca82a78e
--- /dev/null
+++ b/provisioning/plugins/corim-nitro-decoder/decoder_test.go
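Review bot: Decode writes debug traces with fmt.Println/fmt.Printf to the plugin process's stdout, and the second one dumps the whole decoded endorsement response with `%v`; in a go-plugin subprocess stdout is owned by the host's plugin client rather than being a log channel, so these prints either vanish or end up in the wrong stream, and they leak the full provisioned content into whatever does capture them. Both lines (one of which also has the typo "provisionin") should be removed before merge, or routed through the plugin logger if a trace is really wanted, leaving the method as `return plugin_common.UnsignedCorimDecoder(data, Extractor{})`. The `result,err :=` spelling is not gofmt-clean either.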
@@ -0,0 +1,109 @@
+// Copyright 2022 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/veraison/corim/comid"
+)
+
+func TestDecoder_GetName(t *testing.T) {
+ d := &Decoder{}
+
+ expected := PluginName
+
+ actual := d.GetName()
+
+ assert.Equal(t, expected, actual)
+}
+
+func TestDecoder_GetSupportedMediaTypes(t *testing.T) {
+ d := &Decoder{}
+
+ expected := []string{
+ SupportedMediaType,
+ }
+
+ actual := d.GetSupportedMediaTypes()
+
+ assert.Equal(t, expected, actual)
+}
+
+func TestDecoder_Init(t *testing.T) {
+ d := &Decoder{}
+
+ assert.Nil(t, d.Init(nil))
+}
+
+func TestDecoder_Close(t *testing.T) {
+ d := &Decoder{}
+
+ assert.Nil(t, d.Close())
+}
+
+func TestDecoder_Decode_empty_data(t *testing.T) {
+ d := &Decoder{}
+
+ emptyData := []byte{}
+
+ expectedErr := `empty data`
+
+ _, err := d.Decode(emptyData)
+
+ assert.EqualError(t, err, expectedErr)
+}
+
+func TestDecoder_Decode_invalid_data(t *testing.T) {
+ d := &Decoder{}
+
+ invalidCbor := []byte("invalid CBOR")
+
+ expectedErr := `CBOR decoding failed: cbor: cannot unmarshal UTF-8 text string into Go value of type corim.UnsignedCorim`
+
+ _, err := d.Decode(invalidCbor)
+
+ assert.EqualError(t, err, expectedErr)
+}
+
+func TestDecoder_Decode_OK(t *testing.T) {
+ tvs := []string{
+ unsignedCorim,
+ }
+
+ d := &Decoder{}
+
+ for _, tv := range tvs {
+ data := comid.MustHexDecode(t, tv)
+ _, err := d.Decode(data)
+ assert.NoError(t, err)
+ }
+}
+
+func TestDecoder_Decode_negative_tests(t *testing.T) {
+ tvs := []struct {
+ desc string
+ input string
+ expectedErr string
+ }{
+ {
+ desc: "multiple verification keys",
+ input: unsignedCorimDualKey,
+ expectedErr: `bad key in CoMID at index 0: expecting exactly one IAK public key`,
+ },
+ {
+ desc: "no implementation id specified in the measurement",
+ input: unsignedCorimNoImplId,
+ expectedErr: `bad key in CoMID at index 0: could not 
extract PSA class attributes: expecting class-id in class`,
+ },
+ }
+
+ for _, tv := range tvs {
+ data := comid.MustHexDecode(t, tv.input)
+ d := &Decoder{}
+ _, err := d.Decode(data)
+ assert.EqualError(t, err, tv.expectedErr)
+ }
+}
diff --git a/provisioning/plugins/corim-nitro-decoder/extractor.go b/provisioning/plugins/corim-nitro-decoder/extractor.go
new file mode 100644
index 00000000..ba41054b
--- /dev/null
+++ b/provisioning/plugins/corim-nitro-decoder/extractor.go
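Review bot: TestDecoder_Decode_OK only asserts that Decode returns no error, so nothing pins what the decoder actually stores; asserting the scheme (`proto.AttestationFormat_AWS_NITRO`), the endorsement types and the attribute key names of the returned reference values and trust anchor would document the store contract and would catch the `psa.*` versus `nitro.*` key-prefix split that the extractor currently produces. The negative-test expectations also hard-code error text that says "PSA" (`could not extract PSA class attributes`) for a Nitro decoder, so they will need updating together with those messages.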
@@ -0,0 +1,140 @@
+// Copyright 2022 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package main
+
+import (
+ "errors"
+ "fmt"
+
+ "github.com/veraison/services/proto"
+ "github.com/veraison/corim/comid"
+ structpb "google.golang.org/protobuf/types/known/structpb"
+)
+
+type Extractor struct{}
+
+func (o Extractor) SwCompExtractor(rv comid.ReferenceValue) ([]*proto.Endorsement, error) {
+ var nitroClassAttrs NitroClassAttributes
+
+ if err := nitroClassAttrs.FromEnvironment(rv.Environment); err != nil {
+ return nil, fmt.Errorf("could not extract PSA class attributes: %w", err)
+ }
+
+ // Each measurement is encoded in a measurement-map of a CoMID
+ // reference-triple-record. Since a measurement-map can encode one or more
+ // measurements, a single reference-triple-record can carry as many
+ // measurements as needed, provided they belong to the same PSA RoT
+ // identified in the subject of the "reference value" triple. A single
+ // reference-triple-record SHALL completely describe the updatable PSA RoT.
+ swComponents := make([]*proto.Endorsement, 0, len(rv.Measurements))
+
+ for i, m := range rv.Measurements {
+ var nitroSwCompAttrs NitroSwCompAttributes
+
+ if err := nitroSwCompAttrs.FromMeasurement(m); err != nil {
+ return nil, fmt.Errorf("extracting measurement at index %d: %w", i, err)
+ }
+
+ swAttrs, err := makeSwAttrs(nitroClassAttrs, nitroSwCompAttrs)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create software component attributes: %w", err)
+ }
+
+ swComponent := proto.Endorsement{
+ Scheme: proto.AttestationFormat_AWS_NITRO,
+ Type: proto.EndorsementType_REFERENCE_VALUE,
+ Attributes: swAttrs,
+ }
+
+ swComponents = append(swComponents, &swComponent)
+ }
+
+ if len(swComponents) == 0 {
+ return nil, fmt.Errorf("no software components found")
+ }
+
+ return swComponents, nil
+}
+
+func makeSwAttrs(c NitroClassAttributes, s NitroSwCompAttributes) (*structpb.Struct, error) {
+ swAttrs := map[string]interface{}{
+ //"psa.impl-id": c.ImplID,
+ "psa.signer-id": s.SignerID,
+ "psa.measurement-value": s.MeasurementValue,
+ "psa.measurement-desc": s.AlgID,
+ }
+
+ if c.Vendor != "" {
+ swAttrs["psa.hw-vendor"] = c.Vendor
+ }
+
+ if c.Model != "" {
+ swAttrs["psa.hw-model"] = c.Model
+ }
+
+ if s.MeasurementType != "" {
+ swAttrs["psa.measurement-type"] = s.MeasurementType
+ }
+
+ if s.Version != "" {
+ swAttrs["psa.version"] = s.Version
+ }
+
+ return structpb.NewStruct(swAttrs)
+}
+
+func (o Extractor) TaExtractor(avk comid.AttestVerifKey) (*proto.Endorsement, error) {
+ // extract instance ID
+ var psaInstanceAttrs NitroInstanceAttributes
+
+ if err := psaInstanceAttrs.FromEnvironment(avk.Environment); err != nil {
+ return nil, fmt.Errorf("could not extract PSA instance-id: %w", err)
+ }
+
+ // extract implementation ID
+ var nitroClassAttrs NitroClassAttributes
+
+ if err := nitroClassAttrs.FromEnvironment(avk.Environment); err != nil {
+ return nil, fmt.Errorf("could not extract PSA class attributes: %w", err)
+ }
+
+ // extract IAK pub
+ if 
len(avk.VerifKeys) != 1 {
+ return nil, errors.New("expecting exactly one IAK public key")
+ }
+
+ iakPub := avk.VerifKeys[0].Key
+
+ // TODO(tho) check that format of IAK pub is as expected
+
+ taAttrs, err := makeTaAttrs(psaInstanceAttrs, nitroClassAttrs, iakPub)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create trust anchor attributes: %w", err)
+ }
+
+ ta := &proto.Endorsement{
+ Scheme: proto.AttestationFormat_AWS_NITRO,
+ Type: proto.EndorsementType_VERIFICATION_KEY,
+ Attributes: taAttrs,
+ }
+
+ return ta, nil
+}
+
+func makeTaAttrs(i NitroInstanceAttributes, c NitroClassAttributes, key string) (*structpb.Struct, error) {
+ taID := map[string]interface{}{
+ //"nitro.impl-id": c.ImplID,
+ //"psa.inst-id": []byte(i.InstID),
+ "nitro.iak-pub": key,
+ }
+
+ if c.Vendor != "" {
+ taID["nitro.hw-vendor"] = c.Vendor
+ }
+
+ if c.Model != "" {
+ taID["nitro.hw-model"] = c.Model
+ }
+
+ return structpb.NewStruct(taID)
+}
\ No newline at end of file
diff --git a/provisioning/plugins/corim-nitro-decoder/instanceattributes.go b/provisioning/plugins/corim-nitro-decoder/instanceattributes.go
new file mode 100644
index 00000000..71e1eb48
--- /dev/null
+++ b/provisioning/plugins/corim-nitro-decoder/instanceattributes.go
@@ -0,0 +1,16 @@
+// Copyright 2022 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package main
+
+import (
+ "github.com/veraison/corim/comid"
+)
+
+type NitroInstanceAttributes struct {
+// InstID eat.UEID nothing in here for now
+}
+
+func (o *NitroInstanceAttributes) FromEnvironment(e comid.Environment) error {
+ // nothing to do here for now
+ return nil
+}
\ No newline at end of file
diff --git a/provisioning/plugins/corim-nitro-decoder/main.go b/provisioning/plugins/corim-nitro-decoder/main.go
new file mode 100644
index 00000000..43dde24c
--- /dev/null
+++ b/provisioning/plugins/corim-nitro-decoder/main.go
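Review bot: makeSwAttrs publishes reference-value attributes under `psa.*` keys while makeTaAttrs publishes the trust anchor under `nitro.*` keys (`nitro.iak-pub`, `nitro.hw-vendor`, `nitro.hw-model`), and the README added in this same commit documents the trust anchor as `psa.iak-pub`; a store lookup on the VTS side can only match one of these spellings, so the two builders should agree on a single prefix and the README should follow it. The `// TODO(tho) check that format of IAK pub is as expected` carried over from the PSA decoder matters more here, because `avk.VerifKeys[0].Key` is stored verbatim with no parsing, so a malformed or wrong-type verification key is only discovered when a Nitro document is verified rather than being rejected at provisioning time; parsing the key at this point, with the same routine the scheme plugin will use, keeps unusable trust anchors out of the store. Finally, the error strings `could not extract PSA class attributes` and `could not extract PSA instance-id`, the `psaInstanceAttrs` name and the "PSA RoT" paragraph above the loop are text an operator will see or read for a Nitro plugin and should say Nitro.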
@@ -0,0 +1,27 @@
+// Copyright 2022 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package main
+
+import (
+ "github.com/hashicorp/go-plugin"
+ "github.com/veraison/services/provisioning/decoder"
+)
+
+func main() {
+ var handshakeConfig = plugin.HandshakeConfig{
+ ProtocolVersion: 1,
+ MagicCookieKey: "VERAISON_PROVISIONING_DECODER_PLUGIN",
+ MagicCookieValue: "VERAISON",
+ }
+
+ var pluginMap = map[string]plugin.Plugin{
+ "decoder": &decoder.Plugin{
+ Impl: &Decoder{},
+ },
+ }
+
+ plugin.Serve(&plugin.ServeConfig{
+ HandshakeConfig: handshakeConfig,
+ Plugins: pluginMap,
+ })
+}
diff --git a/provisioning/plugins/corim-nitro-decoder/swcompattributes.go b/provisioning/plugins/corim-nitro-decoder/swcompattributes.go
new file mode 100644
index 00000000..ac3f1968
--- /dev/null
+++ b/provisioning/plugins/corim-nitro-decoder/swcompattributes.go
@@ -0,0 +1,60 @@ +// Copyright 2022 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package main + +import ( + "fmt" + + "github.com/veraison/corim/comid" +) + +type NitroSwCompAttributes struct { + MeasurementType string + Version string + SignerID []byte + AlgID uint64 + MeasurementValue []byte +} + +func (o *NitroSwCompAttributes) FromMeasurement(m comid.Measurement) error { + + if m.Key == nil { + return fmt.Errorf("measurement key is not present") + } + + // extract psa-swcomp-id from mkey + if !m.Key.IsSet() { + return fmt.Errorf("measurement key is not set") + } + + id, err := m.Key.GetPSARefValID() + if err != nil { + return fmt.Errorf("failed extracting psa-swcomp-id: %w", err) + } + + o.SignerID = id.SignerID + + if id.Label != nil { + o.MeasurementType = *id.Label + } + + if id.Version != nil { + o.Version = *id.Version + } + + // extract digest and alg-id from mval + d := m.Val.Digests + + if d == nil { + return fmt.Errorf("measurement value has no digests") + } + + if len(*d) != 1 { + return fmt.Errorf("expecting exactly one digest") + } + + o.AlgID = (*d)[0].HashAlgID + o.MeasurementValue = (*d)[0].HashValue + + return nil +} \ No newline at end of file diff --git a/provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComid.cbor b/provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComid.cbor new file mode 100644 index 0000000000000000000000000000000000000000..5ea8ce91fd94946eabce892a6d352510edc53dd3 GIT binary patch literal 825 zcmXw0J(Jo-80MH1`2qO>XD)}1@M&2LB(2$S}i_xXCCcdaW6Ss_dHLz5KlI;UeOJuC ze!WTB4{uu$a2Ho!f4)!4a(DPe5CVR97UV%wY@bC%-hR=#YX9)qet7=adfWQ?#Gqf^ zH*bE_zQ6wV_vihGKR;fb`R!Q0E%(L4W2X;@ z+aW3E*0wWZ93@Pf7QWW3yBKi77Z#ookf}hlF-!?^9CB0|pu8d`;7I;ZqkIsW+n)JEwK$=h|rX+MRr()VSj)IE-dQuW+Xv=6XP-nj82iN zQnu^lg`c{aT?^2$ z0D;W`$53d%^4xDs`*@U4J43FhEVGf>iCr#-*U_$Lx#|&_MKO0nY z(PR5cK9uxz;s4YkC6v?O#dM5~ctE literal 0 HcmV?d00001 
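Review bot: FromMeasurement obtains the component identity through `m.Key.GetPSARefValID()` and reports failures as "psa-swcomp-id", so the measurement-key format this Nitro decoder accepts appears to be the PSA one; if that reuse is intentional it deserves a sentence on the type, otherwise a Nitro-specific key type is needed. Style: the constant-string `fmt.Errorf` calls should be `errors.New`, e.g. `return errors.New("measurement key is not present")`. NitroSwCompAttributes is exported without a doc comment; suggest `// NitroSwCompAttributes holds the identity (type, version, signer) and the single digest (alg-id, value) extracted from a CoMID measurement.`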
diff --git a/provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComid.json b/provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComid.json new file mode 100644 index 00000000..9b5e2b55 --- /dev/null +++ b/provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComid.json @@ -0,0 +1,40 @@ +{ + "lang": "en-GB", + "tag-identity": { + "id": "fb6789c3-147d-4e5f-8be0-4452b93c3767", + "version": 0 + }, + "entities": [ + { + "name": "AWS", + "regid": "https://aws.amazon.com", + "roles": [ + "tagCreator", + "creator", + "maintainer" + ] + } + ], + "triples": { + "attester-verification-keys": [ + { + "environment": { + "class": { + "id": { + "type": "uuid", + "value": "51d1a77a-9908-49e0-92df-e9c872a9b0bd" + }, + "vendor": "AWS", + "model": "Nitro" + } + }, + "verification-keys": [ + { + "key": "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" + } + ] + } + ] + } + } + \ No newline at end of file diff --git a/provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComidDualKey.cbor b/provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComidDualKey.cbor new file mode 100644 index 0000000000000000000000000000000000000000..5eb9a57171a602c968890226f735f0fb124a90ea GIT binary patch literal 1542 zcmeHFy^h;P7}N8QL0s%ER}>{J#ijVSYz&g3$P-0TCy}=z0T)iH zAYHnY2OBWlrA^_=joWnY;x^CV#*&4+MBsMteKX&DGp}25ynUj=tB02HIr;Vd_b>G4 zzkO27zka$&+Am+VBH%8rKK^i@mgVm7qaXzQ@HEJSrr17>ioE?x>#F_eq5bmbht{js z$HxZ!`%Ux5ciN}l|M~aB{_UUduFm`ISiddz#c8H)e;}HMu!Rutg9LC5f$99=k7%qNcBV1t0}MK?LgxndgU!-`OT_Hx#qDW`KC zksQ?q_?Np0!TG2c)p8YhW*yezCd~B%^ZZTJK#4%0!un2Kkp2)PScQuULI7@oqycDf zlij2Vi_J_B{90lgybz%&TZ`~E`QCVgqvlF{q4zHtK&&Y%AY9TYOoPT3>jmth& zK%%PW{1CeMhJYwQ$^cOrA{4Dxb;m5CeCSnipKZCD>k|j``zz2jWLKK+Siy&Lh8#1% z@%?O2%|(yxEBROw!`-jQnd5dKA6ytt_;l(m7uRrC(oyAy)=jSv5}1m2_HiR@^}Q(B i^8s7&{WUjcVdq-c_^jy(?Ag~c!*6B&R_6afnZE$y2m4n5 literal 0 HcmV?d00001 
diff --git a/provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComidDualKey.json b/provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComidDualKey.json new file mode 100644 index 00000000..92fa92e3 --- /dev/null +++ b/provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComidDualKey.json @@ -0,0 +1,43 @@ +{ + "lang": "en-GB", + "tag-identity": { + "id": "fb6789c3-147d-4e5f-8be0-4452b93c3767", + "version": 0 + }, + "entities": [ + { + "name": "AWS", + "regid": "https://aws.amazon.com", + "roles": [ + "tagCreator", + "creator", + "maintainer" + ] + } + ], + "triples": { + "attester-verification-keys": [ + { + "environment": { + "class": { + "id": { + "type": "uuid", + "value": "51d1a77a-9908-49e0-92df-e9c872a9b0bd" + }, + "vendor": "AWS", + "model": "Nitro" + } + }, + "verification-keys": [ + { + "key": "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" + }, + { + "key": "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" + } + ] + } + ] + } + } + \ No newline at end of file 
diff --git a/provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComidNoImplId.cbor b/provisioning/plugins/corim-nitro-decoder/test-harness/AWSNitroComidNoImplId.cbor new file mode 100644 index 0000000000000000000000000000000000000000..037c39f721ef995f0cb9129d3434335f5330d730 GIT binary patch literal 805 zcmXw0&C-%k7*?lC=mOe1g`oJ;)Z(1O5m65U@^{!YfC!(6_$hdVnHFEIny$j?CR(@Y z5?Xd2ZPJ{!&phw*^FH4iQM7w0!{()-{fR&Qc>Z2}_xZPEe19{DTTfpbA#j$>UoTEc zQS6VeInHOtSAOQ#`R-MiXRVKoX6xCd_4MJ=_|m*_Tao%u9P+12qiX#mih{6-5b*pM zFa?5GF@TnyS56$HGcK7}0Vx*du05s<#Z;N)o>Ff*7%;+?CY}?J%7C{pObD`Va+YeK z!dSH-$O%lx1$FnQV1o$(`9B_FOw#R@NsJ?tbt>7qE=h2jth%HOvTY~KhK1*dn?N25 zo=eyy2~}dIXCf&*Vv=eh0p7V{s`MYz@7M-TiGF10t|?lnvbB^;Wfo}1VhlXe_)8je_dP6jH zU|to2u>jd1!iDc^?L3i%U}qgiqt2=`b%miBYPyTC=5--}N@Qx3;T$<0PKH~N<~lP& ziyO^UM6Sz7?Ap!fm_VO!5LgT_47nPtZv7^D507KrN|D1$t8{F%BZrAWKiqe<%-^k- zB4yI;H%3Rh-|G^HW%;%rLigSf5D5q=ATmWnN1JukHu5kVxn&D_=e-kdW;-_Qr9XP3)c662(G= zsDO%cxk!kPmV%1rQXoWkskn5|Qvn4D5$(};Uf=nmWxVVD{-^RIeEpLjp8WLLZ#Vz6 zALuJLzqJ4QvK7bMw^Z1EY#DziAASGY`}%tyzm&{xZ?2Qh!?RWd+(rAv8~15h?hbEr zT)+-bgFI-8?bE2pJ0G^%omU?_4<9_Xp0!@QX^@}4YCeCWz5MjoKc4Tu{^q;(ncs=^ z+j3t#Jhtl2bF67dwh#h-kN~DZkZ2|_vg6WC!feW=V>`s<+}d^(%1}bJY2j*0F$TqdcZe~GI7uEKoNi}GRVyW%=j6~Xr~8>f+ut?Y;;ZGbIY&n3XSCrp?A$H)a+!wDt_hAx__ z%qEWA$OZ&lTL9R9v{^P_?O%m%em5zYOxADvkq&16XyDX zdj2MApnxGzVST4A@L&WIS%r%VLI7@opaEzw^hdqATYW`stV!OK8!}aWpCmMLn|_fhh)R= zLjbkdGANS^% literal 0 HcmV?d00001 
diff --git a/provisioning/plugins/corim-nitro-decoder/test-harness/unsigned_corim_dual_key.cbor b/provisioning/plugins/corim-nitro-decoder/test-harness/unsigned_corim_dual_key.cbor new file mode 100644 index 0000000000000000000000000000000000000000..0231b5f290bef73fe2e481741206ed2026e8ed89 GIT binary patch literal 1569 zcmeHFzpvX=7)>IC%HEBIg(+$sJMnu-Rfc=7f5b_yV>|wJtxA>cIQEOn}2=Zh@$l!88&Yk+TZb4Ki~dbefafj!FYE6JZ@b-X@tO;HD7#k zl@!HhcaLFwy1VOVex0xHhI!Wdve9gPaMQZ};->MW@#0fW|NV#h+gr-($FKf)zWwp( zPtD_gD^f3tZGM=kTFaW_}NQp6bK@8%Gtf^N@EZ0xA4 z6T#MXL4c!V-o<5*tvX@WFFc1|2C~F?E~djIRI!=vv7q#@iL0pqSm%JL!he{4!j^D^ z^&LegPFbWQ+p0wkgU(4eKFB$25@mxD>-6a5s67!5=h`gZ%Qf&$cVjGOQa7yl(szw2 zsMuAIsXO9&tFVR~hCqhZr98vE0fD>9P%%f2Cno(BPja1_p~VcwD#C|k1bXmhbWETR83-&2s0f)F%#Z$t zdQX&M-Aa+e3iDJl+L1%~;4Iv9wai~HW;~(7@i#_CJMHTNh-LYhA3`VJ5MTjtDZny8 zSVzl6)i&}l8@OfEBWvnp>c|GY-U4(q-r=SjlGDMIAlvZ8=xWk0r>sl1CBHAQ=4==E z$Z^rXzlKX`d|U_Ka$ipnaw)bW(R2 S^4YsG!}n!=U*`Wong0bVQ3vt> literal 0 HcmV?d00001 
diff --git a/provisioning/plugins/corim-nitro-decoder/test-harness/unsigned_corim_no_impl_id.cbor b/provisioning/plugins/corim-nitro-decoder/test-harness/unsigned_corim_no_impl_id.cbor new file mode 100644 index 0000000000000000000000000000000000000000..fc42cb85e727e34d439c12f8646212c48819fe04 GIT binary patch literal 832 zcmXw0y|SA|7?orfd4P0oTzWs}knaKb`aD@=M65JKcxVU!Z zapmz7TqiG)I*n6g(#DOaD80^V63vweQ}3mdqbtTqm9T?^_XY7wzAk-lb)^JABP? z0XsYo@}McU&!Zymyl%BSj~_bsuO3<-+GlPj)^5suasSY&J0FRvB5WZ9{2&2Lg&Zd(~I(9>AT`ORAj;T2pgx7 zMy%{eBy~V6QqLv8yC+PO{>O|9wuTd892mN2Dws_iyTLjEy^C*hvUB+~&PNq7*tyHu zdnTRYIy^Zl4e&3y3BkGCk7}_BJhKjKeiP=}fqMQXYM?+MP+)zlEXZI460E>Q1t9=8 zKu`hH8FJ=Tj>xzP#?nn*-Wqoq9gy9m35(5)Sp#VV2n8kYz7#HTmzQpeq&>R<;1WvaKWu25~NC#$wVR{EC~n|1frlQs8vA$ z<$*wzXGKw{+FGD>1F3*Qt$~7|MMO{wR1vG#iKvB&@12~}_fB&%f81Z@J99Jl^S$>s zTju5Ax%RpK#`q#hNT?`MiUvwV(NiQez!HmKjw|*R2?U6kDWst?1i)Mt8|Ar*fRKp_ zS*TbfS%=CMVxI*bOfE~Jkc427AS8^6!{N8A-LK+`!jK60NgN;854Kk?v`s5qdy<;{ zuc}>JJ(q3x+SFZN$@-69X~C@lxsZO0d9l2_hyhxh=uZ`M)&afS~S?NHz^ zmJd&FO?c3O2D|4BmY%$4Y`Prwo!30;MH4CFW9@-y&LtiL1WcmghsXz>D~S%gdwDI- zs}7xM;yYNanxN%6l{J@n;#c1}S>-*!xX{FsL&i}!s`B$^Nlq}Cr1@RQnoG1amuPD) z(a~I@tGPr^a|uOriN59%1I;CdnoEKaG(sT}OAvtq^@rkt655Cz_*?>nhae-hv+7TG zFI9t!NL`G8E?L_-c|q+=B7p!Bcfxu=hfMG#l1(9BAJ`Nas{?I{uAe|2B$2ICgvwwe zV4z;qqG0bNVFY+nJ9r1a0 z;(lwW>1``;q4Mfsr|B728gMpUFMBu6&$j|pK*2J%GR5Ox5g~vBdg{oKNF+ey%8`{O z1mOS*fu*j!`6P zk()={2towHNSR2AZt;iAFb<7@5}z^5qA_j|jtrviKGAOF^+V||ozGT{Oc5*`UE2Qw z85K+zu9?Z$7{NRkFt{+2!3As#Bi3-pdL90qxB5WsUqCCnztH}!KPc=@R@3fsFD_$` zT$bYf>S=^3WuEu)k2_ceB~P30R-WfuGR~AlX&JPd+{|)+U`G{quBeN<-l7v2Y8v+2 zc(X`*=oJdg!qF^PgHZy3tmj?Ce(yJN^^kvZ$I^iE?`_#V29^hF79G86Ciekk9t)zmm!U-_b{Eg!by9QBwlEe=dVVx{Xi}5zt{r=_=B_jd+GI^?k7wOI zLK1Tv9{0Rzn7)^6vl%`+-<8%XxAXhSny?`XTDu^?jF!Ex?a~4hz3N}DqX`t#@xp(z zZ58>6KZ3*?z~mh?+JKC)fK3Ttqh50$S^)EevB~)ptU}cDin4%O8xp+NruOK|OvUPQ z-}k_hs;_55L;(T>xq-QBk^_Piim>S}E|^zoqgy@=iICFeOuFFpBvE@A2@P?<7F`5F z7LNlEgyt&ZFlj7?P(d=YTZ*D(`!9N}Zk#8U51M zaf)-BLDacSeVaP(%H?;23*>1eV^&r{<`Y2$YE*Ca 
zleh0G3)()pb!1}yC$!!I&I3F)4`#fbpX}EmjLpv!*bPh{rk2U&!VE5xi|yH&Y(y;N z(y>u4kp4$@|1#;{>(Qfj6K?`-3gqYU{x0G}Q?qc*&yA{cGkgN*%R61>(XHK8x~6Rv zsgoRQ_R8#so*yi$Mx=Yx5Nft^4u5psIj}xy|8pVeaaGc=fbZ)>C&%t<4?2h zs-HE`ZIpyFnb^?uIIU}c!?hbTA5}Rq@)I9`#Lh8nfFEUpF**O!1`+Xt;;iFa@0A$y z3p!qX)~Jk+a(~YTi3!6#hyfcwWUf3nJUR4@4=`+L?>0iT_g$fO#Jk_e@CK9P%7z&t zlqM8n?^-ODm_rjV5fKfrnJgdxJRwKSe9s%}a6klsIc^_w>K?S{7M8IWkDo$Uh1WNnZT9BahqVp*LrTmRo3Mj4Yz;HquNDK%6C2%Qp5$!m z4$Zi9DH>_Pjk3o-3CwpUVgMFkFyER8yb1q#yXFrJl%WNS>yOzU*DYG%WRX>LV20b> zid_$IQ~TlK@?{Tae{FexV9l|VIenf93oG+3Y;j@VvMX*_RGD>skF?UmKGrs?tMcIH z%l)mzch>H|s5IZz%8wMB&kf(Uhr0C1G5ex*s(eQMC#kMtZiq3bMyA&++tW>IE(adzF7t}Zylki)iSJt<7AcfUkicLx z=BXr7jz$EE1PTG)HrCZBA?Eb`{E+Q2VXamn%X+=64cIE**d@`2p0xRiZBbdM3_{g#c7SrpVY)e+9{eHlKXgN5@s@R=X`AjAB>h0(sV)6P$j;&l#BaM9v7*{$8^PA}VM*bVftm>BV(Xe% h_5ot#4vTn8ox7~&8|eksZC$l{LuOhUN+pqve*nkB42}Q* literal 0 HcmV?d00001 
diff --git a/vts/plugins/scheme-aws-nitro/test/aws_nitro_document_bad_sig.cbor b/vts/plugins/scheme-aws-nitro/test/aws_nitro_document_bad_sig.cbor new file mode 100644 index 0000000000000000000000000000000000000000..d820c18e4c7b3cda82a8025981b29b316c822c88 GIT binary patch literal 4461 zcmd6qc~lek7RQsx!WMQxB(f_~Y{G9Q3yGqL3NE-+L_(?3WHOPI5S9dl3Ib736x6Dq zfbu|~%Cn+WsJ690>jqK*MSTqv1T7+hTA+$p#WxYPQ1QK!bNb$CPUesM%Y0{U=6=5S z{$}(10wT{bKhTs|A`J@{N6WBasW^6;lmXZhG0b(xzha>fm9Rt%OpXGW$L3&scQFvL zFcBM*h^6Z=g;L_T(2K=mOO?_vJQ9XQ&?)U%oPxa2_s(v-Yv8ch%Qr^HNq*D$*{Rf3cRV2hAncueByfW9ePss} z{EPMdlUtJRbz-5Oc|+wV?wFddfc@vU%zoBPiTXfyaJp-m*B}X(X!#)vfcGl06aP*@ z>(iQpr!I$I@(Kg zwU_8=FVWXtVxYZ*roF^adx??u5@YQpp(qxmluD$iP>BUXi9iKyzzzcZ-eioTT0?9jI1E5DG`ID*UkiQ>n4oo$HE=@l`s0fkD*D1s0 zun92IEb7p7{4k+XDZ^l6V5nKqr%}DagrDN4(D19`3kEcjSAZYP2kx4PL<8eA1|}BG zSdaUj0W*c`6->EQ85OQ+7BXQBrU14R4G{!}0Utp)FvtDFkq`y|<{$uk2$J{wFA|;& zJVp}cjFa$qoowu%05QOXs`K)pLPRQMdNP^dND>jqJ0?6Sn!J$kMP1d4=acfYA^Pfw zu%nH4J?M?BhjS{|n5(4<+L;8^*7#&-<)LUK=cAi@9o$qM{wEgoF3a@U+i^}nJLXI* zxRvl*Q(a$sksF=g2)oS4y4Xap>wez1VL_n{paUA7xs5rI_<{@p0x-}-#$+-HqE?Tt zG%17tFbFJj?<-7mood}VxvFC5K^n;@95&*$57hxEHCKbw^j60SKdzDUb0`tf91=bGMqJCalSi@#iSFVC+rYk2tM z%X1Z$QCCAyp(t7|mSLL%Aq$*CQ=lSdjj(7+7=oii=(~=0*!cWd{!7=B)uU4ci^i7r zzd%L@lSXQ0Ha@-xrUg)M@j5SA5XPE-HK6a=ZGBz#2JK7NcX-W_BaT^PU4;(zUW7;YzDsaJYHI zZxeOrsed*hI{ear5?%Bp^S9K-i8h0!=RJQboD1dv<2SXZ01}P>u+c0SkuAv+c1^7? 
zR8tmoWu47>8g;NCyX2;C)=MAT7;9L;0U@T2e)=RS0Z8z27bd!WR#5xh+OE^0c+34) z{Yg9QNb`n*&=OJlEPhg^cY*DhD&|c8pGqG@mY=P?V-0GVztsu&= z^55Hbwo`3B@tc%*p!tz{-WlPu={=;n@CO-A(7?^dfzVl;iz@u^e$B<5?y9nrSp$v7 zpRBr7G1C0Te+)OOhtoO0$l#B`6`yFtKZ!GW`jEzxbllpXe=pK9H zD}qh8Pbcw=*O&YL=$tN<9V(5?{ahZY=vjBlqyBugB9LSSRHO+w#ksF3POCOM@Z#cz z+Ns-iR)lPu+BQ0|{}WoT0p|lghYusK=O^c72;=iJ4fX&tMyO@+cre0a@$fx6i-Sr; zJSINMg|h$1?w=<8TRnQrZsJv-OM?Qu-rhyLYibs+`T3gq>zRH*%oSa3^O?4uYJKze zs`M$&b$jHF!%q)XG-A@iZI(gTHnqlwp7-7x@!(odzh`mzMCP=moUTRReAI1N?;)6O z+ub;Ou*W2YU^cm_`C&%)zNX7pXFaHKK?;-af#j}nY(N}igK;_k!v;}_Lz0|hTke#Z z3W_>ke0oil7~}bt4U&^ad=LlLgXnxkeq?I+D<9z4GTv;27;n2mj*#$fw>+Z@Djh8TW;Q2Q|B5CZ(Px? zCsd)Q3vUgk{J>j1le7EmMe_6`mxuK%5-`$J^g0Cme(xK+nPGBiiAC!W^YCMSf2XtJ z{hAYIRt@)B^@}SwOD0ZZsv{elPPh1S9V6O@0wEP{i;eg}8L@^1;a97{mdV#V;~wR0 z>&%`17&#OlE$O<$Mj29x>)6u?4Rjz zyK3h>!g~X7Y31_!bH1^@JGka(+T4Ecq(#*QXE(cXesU;nT3nrTWw)%_%Q4wHw(iI@tGf_YtZ(4uq`{j2SgDLHq$HR7%R-pmgEXY;0c3VmI=J(5rmk!oNv6k4@ i#dG$PqqkcnTI=0rw_MFEvTg6K-xD^=+E^xyzW#5=#0-xB literal 0 HcmV?d00001 diff --git a/vts/plugins/scheme-aws-nitro/test/ta-endorsements.json b/vts/plugins/scheme-aws-nitro/test/ta-endorsements.json new file mode 100644 index 00000000..b8c9784a --- /dev/null +++ b/vts/plugins/scheme-aws-nitro/test/ta-endorsements.json 
@@ -0,0 +1,7 @@ +{ + "scheme":"AWS_NITRO", + "type":"VERIFICATION_KEY", + "attributes":{ + "key": "MIICETCCAZagAwIBAgIRAPkxdWgbkK/hHUbMtOTn+FYwCgYIKoZIzj0EAwMwSTELMAkGA1UEBhMCVVMxDzANBgNVBAoMBkFtYXpvbjEMMAoGA1UECwwDQVdTMRswGQYDVQQDDBJhd3Mubml0cm8tZW5jbGF2ZXMwHhcNMTkxMDI4MTMyODA1WhcNNDkxMDI4MTQyODA1WjBJMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQLDANBV1MxGzAZBgNVBAMMEmF3cy5uaXRyby1lbmNsYXZlczB2MBAGByqGSM49AgEGBSuBBAAiA2IABPwCVOumCMHzaHDimtqQvkY4MpJzbolL//Zy2YlES1BR5TSksfbb48C8WBoyt7F2Bw7eEtaaP+ohG2bnUs990d0JX28TcPQXCEPZ3BABIeTPYwEoCWZEh8l5YoQwTcU/9KNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkCW1DdkFR+eWw5b6cp3PmanfS5YwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2kAMGYCMQCjfy+Rocm9Xue4YnwWmNJVA44fA0P5W2OpYow9OYCVRaEevL8uO1XYru5xtMPWrfMCMQCi85sWBbJwKKXdS6BptQFuZbT73o/gBh1qUxl/nNr12UO8Yfwr6wPLb+6NIwLz3/Y=" + } +} \ No newline at end of file From e61cd60efea7678bf244127428b8b23646c2ad70 Mon Sep 17 00:00:00 2001 From: "Derek D. Miller" Date: Sat, 12 Nov 2022 18:47:57 -0600 Subject: [PATCH 2/7] Code cleanup and improved test coverage for the AWS Nitro plugins Signed-off-by: Derek D. Miller --- .../corim-nitro-decoder/classattributes.go | 8 --- .../plugins/corim-nitro-decoder/decoder.go | 3 - .../plugins/corim-nitro-decoder/extractor.go | 2 - vts/plugins/scheme-aws-nitro/main.go | 62 ++++++++++++++++--- vts/plugins/scheme-aws-nitro/main_test.go | 28 ++++----- 5 files changed, 66 insertions(+), 37 deletions(-) diff --git a/provisioning/plugins/corim-nitro-decoder/classattributes.go b/provisioning/plugins/corim-nitro-decoder/classattributes.go index 3b4fc6eb..9d08da42 100644 --- a/provisioning/plugins/corim-nitro-decoder/classattributes.go +++ b/provisioning/plugins/corim-nitro-decoder/classattributes.go 
@@ -28,14 +28,6 @@ func (o *NitroClassAttributes) FromEnvironment(e comid.Environment) error { return fmt.Errorf("expecting class-id in class") } - // implID, err := classID.GetImplID() - // if err != nil { - // return fmt.Errorf("could not extract implementation-id from class-id: %w", err) - // } - - // //o.ImplID, _ = implID.MarshalJSON() - // o.ImplID = implID[:] - if class.Vendor != nil { o.Vendor = *class.Vendor } diff --git a/provisioning/plugins/corim-nitro-decoder/decoder.go b/provisioning/plugins/corim-nitro-decoder/decoder.go index d876b0a6..901a48d6 100644 --- a/provisioning/plugins/corim-nitro-decoder/decoder.go +++ b/provisioning/plugins/corim-nitro-decoder/decoder.go @@ -3,7 +3,6 @@ package main import ( - "fmt" "github.com/veraison/services/provisioning/decoder" plugin_common "github.com/veraison/services/provisioning/plugins/common" ) @@ -34,8 +33,6 @@ func (o Decoder) GetSupportedMediaTypes() []string { } func (o Decoder) Decode(data []byte) (*decoder.EndorsementDecoderResponse, error) { - fmt.Println("provisioning.plugins.corim-nitro-decoder.decoder.go.Decoder.Decode calling plugin_common.UnsignedCorimDecoder") result,err := plugin_common.UnsignedCorimDecoder(data, Extractor{}) - fmt.Printf("provisionin.plugins.corim-nitro-decoder.Decoder received response from UnsignedCorimDecoder:%v, %v\n", result, err) return result, err } \ No newline at end of file diff --git a/provisioning/plugins/corim-nitro-decoder/extractor.go b/provisioning/plugins/corim-nitro-decoder/extractor.go index ba41054b..db5c8e66 100644 --- a/provisioning/plugins/corim-nitro-decoder/extractor.go +++ b/provisioning/plugins/corim-nitro-decoder/extractor.go 
@@ -123,8 +123,6 @@ func (o Extractor) TaExtractor(avk comid.AttestVerifKey) (*proto.Endorsement, er func makeTaAttrs(i NitroInstanceAttributes, c NitroClassAttributes, key string) (*structpb.Struct, error) { taID := map[string]interface{}{ - //"nitro.impl-id": c.ImplID, - //"psa.inst-id": []byte(i.InstID), "nitro.iak-pub": key, } diff --git a/vts/plugins/scheme-aws-nitro/main.go b/vts/plugins/scheme-aws-nitro/main.go index 9846d744..8945d96c 100644 --- a/vts/plugins/scheme-aws-nitro/main.go +++ b/vts/plugins/scheme-aws-nitro/main.go @@ -8,6 +8,7 @@ import ( //"encoding/base64" "encoding/json" "encoding/pem" + "flag" "fmt" "net/url" "time" 
@@ -46,19 +47,28 @@ func (s Scheme) GetSupportedMediaTypes() []string { } } +// GetTrustAnchorID returns a string ID used to retrieve a trust anchor +// for this token. The trust anchor may be necessary to validate the +// token and/or extract its claims (if it is encrypted). func (s Scheme) GetTrustAnchorID(token *proto.AttestationToken) (string, error) { return nitroTaLookupKey(token.TenantId), nil } +// ExtractClaims parses the attestation token and returns claims +// extracted therefrom. func (s Scheme) ExtractClaims(token *proto.AttestationToken, trustAnchor string) (*scheme.ExtractedClaims, error) { return s.extractClaimsImpl(token, trustAnchor, time.Now()) } +/// Same as ExtractClaims, but allows the caller to set an alternate "current time" to allow +/// tests to use saved attestation document data without triggering certificate expiry errors. +/// THIS FUNCTION SHOULD ONLY BE USED IN TESTING func (s Scheme) ExtractClaimsTest(token *proto.AttestationToken, trustAnchor string, testTime time.Time) (*scheme.ExtractedClaims, error) { return s.extractClaimsImpl(token, trustAnchor, testTime) } +/// Implementation of the functionality for ExtracClaims and ExtracClaimsTest func (s Scheme) extractClaimsImpl(token *proto.AttestationToken, trustAnchor string, now time.Time) (*scheme.ExtractedClaims, error) { ta_unmarshalled := make(map[string]interface{}) 
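Review bot: The doc comments added on ExtractClaimsTest and extractClaimsImpl use `///`, which is not a Go doc-comment form, and the latter misspells the method names (`ExtracClaims`, `ExtracClaimsTest`); suggest `// extractClaimsImpl implements ExtractClaims and ExtractClaimsTest; now is the reference time used for certificate-validity checks.` Because ExtractClaimsTest is an exported method on the production Scheme type, the "ONLY BE USED IN TESTING" rule is enforced only by convention; an unexported `now func() time.Time` field on Scheme, defaulting to time.Now, would give tests the same control without an exported entry point that accepts an arbitrary reference time. The body of extractClaimsImpl continues outside this hunk.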
@@ -98,7 +108,12 @@ func (s Scheme) extractClaimsImpl(token *proto.AttestationToken, trustAnchor str token_data := token.Data - document, err := nitro_eclave_attestation_document.AuthenticateDocumentTest(token_data, *cert, now) + var document *nitro_eclave_attestation_document.AttestationDocument + if flag.Lookup("test.v") == nil { + document, err = nitro_eclave_attestation_document.AuthenticateDocument(token_data, *cert) + } else { + document, err = nitro_eclave_attestation_document.AuthenticateDocumentTest(token_data, *cert, now) + } if err != nil { new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to AuthenticateDocument failed:%v", err) return nil, new_err @@ -116,6 +131,9 @@ func (s Scheme) extractClaimsImpl(token *proto.AttestationToken, trustAnchor str return &extracted, nil } +// AppraiseEvidence evaluates the specified EvidenceContext against +// the specified endorsements, and returns an AttestationResult wrapped +// in an AppraisalContext. func (s Scheme) AppraiseEvidence( ec *proto.EvidenceContext, endorsementsStrings []string, ) (*proto.AppraisalContext, error) { 
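Review bot: Selecting between AuthenticateDocument and AuthenticateDocumentTest by `flag.Lookup("test.v") == nil` makes the verification path depend on a process-global flag rather than on the caller: the `now` value extractClaimsImpl receives is not used on the production branch, and any binary that registers a `test.v` flag would silently take the branch that accepts a caller-supplied reference time. Prefer one code path that passes `now` through, with ExtractClaims supplying `time.Now()` as it already does and ExtractClaimsTest being the only place a fixed time enters; if AuthenticateDocumentTest with `time.Now()` is not equivalent to AuthenticateDocument, that difference belongs in a comment. The same pattern is introduced in validateEvidenceIntegrityImpl in the `@@ -180,27 +218,31 @@` hunk. The error should also be wrapped, `fmt.Errorf("... AuthenticateDocument failed: %w", err)`, so callers can inspect the underlying verification error. extractClaimsImpl starts and ends outside this hunk.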
@@ -154,23 +172,43 @@ func (s Scheme) ValidateEvidenceIntegrity( trustAnchor string, endorsementsStrings []string, ) error { + return s.validateEvidenceIntegrityImpl(token, trustAnchor, endorsementsStrings, time.Now()) +} + +/// Same as ValidateEvidenceIntegrity, but allows the caller to set an alternate "current time" to allow +/// tests to use saved attestation document data without triggering certificate expiry errors. +/// THIS FUNCTION SHOULD ONLY BE USED IN TESTING +func (s Scheme) ValidateEvidenceIntegrityTest( + token *proto.AttestationToken, + trustAnchor string, + endorsementsStrings []string, + testTime time.Time, +) error { + return s.validateEvidenceIntegrityImpl(token, trustAnchor, endorsementsStrings, testTime) +} + +func (s Scheme) validateEvidenceIntegrityImpl(token *proto.AttestationToken, + trustAnchor string, + endorsementsStrings []string, + now time.Time, +) error { ta_unmarshalled := make(map[string]interface{}) err := json.Unmarshal([]byte(trustAnchor), &ta_unmarshalled) if err != nil { - new_err := fmt.Errorf("ExtractVerifiedClaims call to json.Unmarshall failed:%v", err) + new_err := fmt.Errorf("ValidateEvidenceIntegrityImpl call to json.Unmarshall failed:%v", err) return new_err } contents, ok := ta_unmarshalled["attributes"].(map[string]interface{}) if !ok { - new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims cast of %v to map[string]interface{} failed", ta_unmarshalled["attributes"]) + new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl cast of %v to map[string]interface{} failed", ta_unmarshalled["attributes"]) return new_err } - cert_pem, ok := contents["nitro.iak-pub"].(string) + cert_pem, ok := contents["key"].(string) if !ok { - new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims cast of %v to string failed", contents["nitro.iak-pub"]) + new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl cast of %v to string failed", contents["nitro.iak-pub"]) 
return new_err } @@ -180,27 +218,31 @@ func (s Scheme) ValidateEvidenceIntegrity( cert_pem_bytes := []byte(cert_pem) cert_block, _ := pem.Decode(cert_pem_bytes) if cert_block == nil { - new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to pem.Decode failed, but I don't know why") + new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to pem.Decode failed, but I don't know why") return new_err } cert_der := cert_block.Bytes cert, err := x509.ParseCertificate(cert_der) if err != nil { - new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to x509.ParseCertificate failed:%v", err) + new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to x509.ParseCertificate failed:%v", err) return new_err } // token_data, err := base64.StdEncoding.DecodeString(string(token.Data)) // if err != nil { - // new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to base64.StdEncoding.DecodeString failed:%v", err) + // new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to base64.StdEncoding.DecodeString failed:%v", err) // return nil, new_err // } token_data := token.Data - _, err = nitro_eclave_attestation_document.AuthenticateDocument(token_data, *cert) + if flag.Lookup("test.v") == nil { + _, err = nitro_eclave_attestation_document.AuthenticateDocument(token_data, *cert) + } else { + _, err = nitro_eclave_attestation_document.AuthenticateDocumentTest(token_data, *cert, now) + } if err != nil { - new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to AuthenticateDocument failed:%v", err) + new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to AuthenticateDocument failed:%v", err) return new_err } return nil diff --git a/vts/plugins/scheme-aws-nitro/main_test.go b/vts/plugins/scheme-aws-nitro/main_test.go index 54e187fb..c8ba78dd 100644 --- a/vts/plugins/scheme-aws-nitro/main_test.go 
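Review bot: The trust-anchor lookup now reads `contents["key"]`, but the failure branch still formats `contents["nitro.iak-pub"]`, which prints `<nil>` instead of the value that failed the cast; change the message to use `contents["key"]`. Separately, makeTaAttrs in the provisioning decoder (extractor.go, earlier in this series) stores the verification key under `"nitro.iak-pub"`, so an endorsement produced by that plugin does not appear to be consumable by this scheme unless something in between renames the attribute — worth confirming or aligning the two names. The `%v`-formatted errors should use `%w`, and the `///` comment on ValidateEvidenceIntegrityTest should be a `//` doc comment. validateEvidenceIntegrityImpl continues into the next hunk.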
+++ b/vts/plugins/scheme-aws-nitro/main_test.go @@ -117,25 +117,25 @@ func Test_ExtractVerifiedClaims_ok(t *testing.T) { assert.EqualError(t, err, `scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to AuthenticateDocument failed:AuthenticateDocument::Verify failed:verification error`) } -// func Test_ValidateEvidenceIntegrity_ok(t *testing.T) { -// tokenBytes, err := os.ReadFile("test/psa-token.cbor") -// require.NoError(t, err) +func Test_ValidateEvidenceIntegrity_ok(t *testing.T) { + tokenBytes, err := os.ReadFile("test/aws_nitro_document.cbor") + require.NoError(t, err) -// taEndValBytes, err := os.ReadFile("test/ta-endorsements.json") -// require.NoError(t, err) + taEndValBytes, err := os.ReadFile("test/ta-endorsements.json") + require.NoError(t, err) -// scheme := &Scheme{} + scheme := &Scheme{} -// token := proto.AttestationToken{ -// TenantId: "1", -// Format: proto.AttestationFormat_PSA_IOT, -// Data: tokenBytes, -// } + token := proto.AttestationToken{ + TenantId: "1", + Format: proto.AttestationFormat_AWS_NITRO, + Data: tokenBytes, + } -// err = scheme.ValidateEvidenceIntegrity(&token, string(taEndValBytes), nil) + err = scheme.ValidateEvidenceIntegrityTest(&token, string(taEndValBytes), nil, testTime) -// assert.NoError(t, err) -// } + assert.NoError(t, err) +} // func Test_AppraiseEvidence_ok(t *testing.T) { // extractedBytes, err := os.ReadFile("test/extracted.json") From e42b31987b6de8531409b586fadef8acd8964d00 Mon Sep 17 00:00:00 2001 From: "Derek D. Miller" Date: Sat, 12 Nov 2022 19:22:45 -0600 Subject: [PATCH 3/7] Added more test cases for the VTS Nitro plugin 
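Review bot: Test_ValidateEvidenceIntegrity_ok covers only the success path of ValidateEvidenceIntegrityTest; there is no counterpart asserting that a document with an invalid signature is rejected, even though the `test/aws_nitro_document_bad_sig.cbor` fixture already exists and is used by Test_ExtractVerifiedClaims_bad_signature. A `Test_ValidateEvidenceIntegrity_bad_signature` reading that fixture and asserting a non-nil error would pin the rejection path of the integrity check. The test also passes `nil` endorsements; a one-line comment saying they are not consulted by this check would help readers.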
Signed-off-by: Derek D. Miller --- vts/plugins/scheme-aws-nitro/main.go | 10 +- vts/plugins/scheme-aws-nitro/main_test.go | 116 +++++++----------- .../scheme-aws-nitro/test/endorsements.json | 8 ++ .../scheme-aws-nitro/test/extracted.json | 22 ++++ 4 files changed, 82 insertions(+), 74 deletions(-) create mode 100644 vts/plugins/scheme-aws-nitro/test/endorsements.json create mode 100644 vts/plugins/scheme-aws-nitro/test/extracted.json diff --git a/vts/plugins/scheme-aws-nitro/main.go b/vts/plugins/scheme-aws-nitro/main.go index 8945d96c..4bc55120 100644 --- a/vts/plugins/scheme-aws-nitro/main.go +++ b/vts/plugins/scheme-aws-nitro/main.go @@ -10,12 +10,12 @@ import ( "encoding/pem" "flag" "fmt" - "net/url" - "time" "github.com/hashicorp/go-plugin" nitro_eclave_attestation_document "github.com/veracruz-project/go-nitro-enclave-attestation-document" "github.com/veraison/services/proto" "github.com/veraison/services/scheme" + "net/url" + "time" ) type Endorsements struct { @@ -107,7 +107,7 @@ func (s Scheme) extractClaimsImpl(token *proto.AttestationToken, trustAnchor str } token_data := token.Data - + var document *nitro_eclave_attestation_document.AttestationDocument if flag.Lookup("test.v") == nil { document, err = nitro_eclave_attestation_document.AuthenticateDocument(token_data, *cert) @@ -131,7 +131,7 @@ func (s Scheme) extractClaimsImpl(token *proto.AttestationToken, trustAnchor str return &extracted, nil } -// AppraiseEvidence evaluates the specified EvidenceContext against +// AppraiseEvidence evaluates the specified EvidenceContext against // the specified endorsements, and returns an AttestationResult wrapped // in an AppraisalContext. func (s Scheme) AppraiseEvidence( @@ -313,4 +313,4 @@ func main() { HandshakeConfig: handshakeConfig, Plugins: pluginMap, }) -} \ No newline at end of file +} diff --git a/vts/plugins/scheme-aws-nitro/main_test.go b/vts/plugins/scheme-aws-nitro/main_test.go index c8ba78dd..6eb38c81 100644 
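Review bot: The import regrouping in main.go moves `net/url` and `time` below the third-party imports, reversing the stdlib-first grouping that goimports produces; a later goimports run will move them back. Keep `"net/url"` and `"time"` in the first group with the other standard-library imports. The remaining hunks in this file are whitespace-only.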
--- a/vts/plugins/scheme-aws-nitro/main_test.go +++ b/vts/plugins/scheme-aws-nitro/main_test.go @@ -4,7 +4,7 @@ package main import ( - //"encoding/json" + "encoding/json" "os" "testing" "time" 
@@ -58,64 +58,64 @@ func Test_GetTrustAnchorID_ok(t *testing.T) { // } func Test_ExtractVerifiedClaims_ok(t *testing.T) { - tokenBytes, err := os.ReadFile("test/aws_nitro_document.cbor") - require.NoError(t, err) + tokenBytes, err := os.ReadFile("test/aws_nitro_document.cbor") + require.NoError(t, err) - taEndValBytes, err := os.ReadFile("test/ta-endorsements.json") - require.NoError(t, err) + taEndValBytes, err := os.ReadFile("test/ta-endorsements.json") + require.NoError(t, err) - scheme := &Scheme{} + scheme := &Scheme{} - token := proto.AttestationToken{ - TenantId: "1", - Format: proto.AttestationFormat_AWS_NITRO, - Data: tokenBytes, - } + token := proto.AttestationToken{ + TenantId: "1", + Format: proto.AttestationFormat_AWS_NITRO, + Data: tokenBytes, + } - extracted, err := scheme.ExtractClaimsTest(&token, string(taEndValBytes), testTime) + extracted, err := scheme.ExtractClaimsTest(&token, string(taEndValBytes), testTime) - require.NoError(t, err) - expectedPcr0 := [48]byte { - 34, 249, 225, 201, 73, 32, 141, 165, 94, 176, 27, 155, 159, 200, 143, 135, + require.NoError(t, err) + expectedPcr0 := [48]byte{ + 34, 249, 225, 201, 73, 32, 141, 165, 94, 176, 27, 155, 159, 200, 143, 135, 69, 79, 119, 186, 19, 63, 13, 130, 50, 11, 80, 150, 33, 201, 36, 130, 21, 42, 153, 208, 161, 35, 53, 185, 113, 120, 192, 45, 111, 151, 125, 1, } - assert.Equal(t, expectedPcr0[:], extracted.ClaimsSet["PCR0"].([]byte)) + assert.Equal(t, expectedPcr0[:], extracted.ClaimsSet["PCR0"].([]byte)) - expectedNonce := [32]byte { + expectedNonce := [32]byte{ 198, 120, 200, 97, 53, 222, 83, 157, 24, 58, 207, 245, 136, 134, 217, 141, 251, 152, 35, 4, 26, 249, 249, 52, 191, 144, 154, 192, 248, 217, 98, 69, } - nonce := extracted.ClaimsSet["nonce"].([]byte) - assert.Equal(t, expectedNonce[:], nonce) + nonce := extracted.ClaimsSet["nonce"].([]byte) + assert.Equal(t, expectedNonce[:], nonce) - expectedUserData := [32]byte { + expectedUserData := [32]byte{ 124, 55, 16, 128, 121, 179, 232, 163, 109, 
138, 121, 112, 222, 29, 109, 79, 241, 70, 30, 14, 53, 217, 85, 124, 77, 120, 157, 245, 224, 87, 102, 32, } user_data := extracted.ClaimsSet["user_data"].([]byte) assert.Equal(t, expectedUserData[:], user_data) - } +} - func Test_ExtractVerifiedClaims_bad_signature(t *testing.T) { +func Test_ExtractVerifiedClaims_bad_signature(t *testing.T) { tokenBytes, err := os.ReadFile("test/aws_nitro_document_bad_sig.cbor") - require.NoError(t, err) + require.NoError(t, err) - taEndValBytes, err := os.ReadFile("test/ta-endorsements.json") - require.NoError(t, err) + taEndValBytes, err := os.ReadFile("test/ta-endorsements.json") + require.NoError(t, err) - scheme := &Scheme{} + scheme := &Scheme{} - token := proto.AttestationToken{ - TenantId: "1", - Format: proto.AttestationFormat_AWS_NITRO, - Data: tokenBytes, - } + token := proto.AttestationToken{ + TenantId: "1", + Format: proto.AttestationFormat_AWS_NITRO, + Data: tokenBytes, + } - _, err = scheme.ExtractClaimsTest(&token, string(taEndValBytes), testTime) + _, err = scheme.ExtractClaimsTest(&token, string(taEndValBytes), testTime) - assert.EqualError(t, err, `scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to AuthenticateDocument failed:AuthenticateDocument::Verify failed:verification error`) - } + assert.EqualError(t, err, `scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to AuthenticateDocument failed:AuthenticateDocument::Verify failed:verification error`) +} func Test_ValidateEvidenceIntegrity_ok(t *testing.T) { tokenBytes, err := os.ReadFile("test/aws_nitro_document.cbor") 
@@ -137,43 +137,21 @@ func Test_ValidateEvidenceIntegrity_ok(t *testing.T) { assert.NoError(t, err) } -// func Test_AppraiseEvidence_ok(t *testing.T) { -// extractedBytes, err := os.ReadFile("test/extracted.json") -// require.NoError(t, err) - -// var ec proto.EvidenceContext -// err = json.Unmarshal(extractedBytes, &ec) -// require.NoError(t, err) - -// endorsementsBytes, err := os.ReadFile("test/endorsements.json") -// require.NoError(t, err) - -// scheme := &Scheme{} - -// attestation, err := scheme.AppraiseEvidence(&ec, []string{string(endorsementsBytes)}) -// require.NoError(t, err) - -// assert.Equal(t, proto.TrustTier_AFFIRMING, attestation.Result.Status) -// } - -// func Test_AppraiseEvidenceMultEndorsement_ok(t *testing.T) { -// extractedBytes, err := os.ReadFile("test/extracted.json") -// require.NoError(t, err) +func Test_AppraiseEvidence_ok(t *testing.T) { + extractedBytes, err := os.ReadFile("test/extracted.json") + require.NoError(t, err) -// var ec proto.EvidenceContext -// err = json.Unmarshal(extractedBytes, &ec) -// require.NoError(t, err) + var ec proto.EvidenceContext + err = json.Unmarshal(extractedBytes, &ec) + require.NoError(t, err) -// var endorsemementsArray []string -// endorsementsBytes, err := os.ReadFile("test/mult-endorsements.json") -// require.NoError(t, err) -// err = json.Unmarshal(endorsementsBytes, &endorsemementsArray) -// require.NoError(t, err) + endorsementsBytes, err := os.ReadFile("test/endorsements.json") + require.NoError(t, err) -// scheme := &Scheme{} + scheme := &Scheme{} -// attestation, err := scheme.AppraiseEvidence(&ec, endorsemementsArray) -// require.NoError(t, err) + attestation, err := scheme.AppraiseEvidence(&ec, []string{string(endorsementsBytes)}) + require.NoError(t, err) -// assert.Equal(t, proto.TrustTier_AFFIRMING, attestation.Result.Status) -// } + assert.Equal(t, proto.TrustTier_AFFIRMING, attestation.Result.Status) +} 
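Review bot: Test_AppraiseEvidence_ok checks only the positive path, so it would also pass against an AppraiseEvidence that returns AFFIRMING unconditionally. The endorsement it feeds in, test/endorsements.json from the next hunk, is a VERIFICATION_KEY record rather than a REFERENCE_VALUE, which suggests no PCR comparison is exercised at all; AppraiseEvidence's body is not in this patch, so that needs confirming. A companion test that alters one PCR entry in `ec` before the call and asserts `assert.NotEqual(t, proto.TrustTier_AFFIRMING, attestation.Result.Status)` would pin the appraisal check, and a doc comment on the test naming which endorsement type it relies on would make the fixture's role explicit.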
diff --git a/vts/plugins/scheme-aws-nitro/test/endorsements.json b/vts/plugins/scheme-aws-nitro/test/endorsements.json
new file mode 100644
index 00000000..c3d1326b
--- /dev/null
+++ b/vts/plugins/scheme-aws-nitro/test/endorsements.json
@@ -0,0 +1,8 @@
+{
+ "scheme": "AWS_NITRO",
+ "type": "VERIFICATION_KEY",
+ "attributes": {
+ "key": "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"
+ }
+}
+
diff --git a/vts/plugins/scheme-aws-nitro/test/extracted.json b/vts/plugins/scheme-aws-nitro/test/extracted.json
new file mode 100644
index 00000000..8fc17ad1
--- /dev/null
+++ b/vts/plugins/scheme-aws-nitro/test/extracted.json
@@ -0,0 +1,22 @@ +{ + "evidence": { + "PCR0": [34, 249, 225, 201, 73, 32, 141, 165, 94, 176, 27, 155, 159, 200, 143, 135, 69, 79, 119, 186, 19, 63, 13, 130, 50, 11, 80, 150, 33, 201, 36, 130, 21, 42, 153, 208, 161, 35, 53, 185, 113, 120, 192, 45, 111, 151, 125, 1], + "PCR1":[188, 223, 5, 254, 252, 202, 168, 229, 91, 242, 200, 214, 222, 233, 231, 155, 191, 243, 30, 52, 191, 40, 169, 154, 161, 158, 107, 41, 195, 126, 232, 11, 33, 74, 65, 75, 118, 7, 35, 110, 223, 38, 252, 183, 134, 84, 230, 63], + "PCR10":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], + "PCR11":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], + "PCR12":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], + "PCR13":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], + "PCR14":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], + "PCR15":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], + "PCR2":[0, 148, 62, 168, 89, 20, 15, 237, 116, 225, 2, 95, 228, 26, 237, 179, 135, 128, 234, 229, 101, 107, 63, 158, 249, 180, 176, 230, 17, 19, 80, 49, 85, 68, 219, 62, 252, 218, 5, 114, 81, 8, 247, 43, 42, 177, 65, 247], + "PCR3":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], + "PCR4":[69, 84, 4, 35, 57, 230, 161, 221, 250, 200, 157, 183, 218, 88, 35, 29, 86, 25, 7, 55, 41, 52, 67, 51, 175, 240, 85, 66, 154, 190, 236, 107, 0, 111, 129, 177, 157, 17, 118, 0, 
27, 130, 145, 248, 133, 40, 49, 6], + "PCR5":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], + "PCR6":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], + "PCR7":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], + "PCR8":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], + "PCR9":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0], + "nonce":[198, 120, 200, 97, 53, 222, 83, 157, 24, 58, 207, 245, 136, 134, 217, 141, 251, 152, 35, 4, 26, 249, 249, 52, 191, 144, 154, 192, 248, 217, 98, 69], + "user_data":[124, 55, 16, 128, 121, 179, 232, 163, 109, 138, 121, 112, 222, 29, 109, 79, 241, 70, 30, 14, 53, 217, 85, 124, 77, 120, 157, 245, 224, 87, 102, 32] + } +} From 08e530e4ad45f64442a003ff233dd2413937b3ec Mon Sep 17 00:00:00 2001 From: "Derek D. Miller" Date: Sun, 13 Nov 2022 19:44:09 -0600 Subject: [PATCH 4/7] Removed some possibly unneeded code from the AWS Nitro plugins Signed-off-by: Derek D. Miller --- .../plugins/corim-nitro-decoder/extractor.go | 134 +++++++++--------- .../corim-nitro-decoder/swcompattributes.go | 62 ++++---- 2 files changed, 99 insertions(+), 97 deletions(-) diff --git a/provisioning/plugins/corim-nitro-decoder/extractor.go b/provisioning/plugins/corim-nitro-decoder/extractor.go index db5c8e66..f46518ed 100644 --- a/provisioning/plugins/corim-nitro-decoder/extractor.go +++ b/provisioning/plugins/corim-nitro-decoder/extractor.go 
@@ -6,81 +6,83 @@ import ( "errors" "fmt" - "github.com/veraison/services/proto" "github.com/veraison/corim/comid" + "github.com/veraison/services/proto" structpb "google.golang.org/protobuf/types/known/structpb" ) type Extractor struct{} func (o Extractor) SwCompExtractor(rv comid.ReferenceValue) ([]*proto.Endorsement, error) { - var nitroClassAttrs NitroClassAttributes - - if err := nitroClassAttrs.FromEnvironment(rv.Environment); err != nil { - return nil, fmt.Errorf("could not extract PSA class attributes: %w", err) - } - - // Each measurement is encoded in a measurement-map of a CoMID - // reference-triple-record. Since a measurement-map can encode one or more - // measurements, a single reference-triple-record can carry as many - // measurements as needed, provided they belong to the same PSA RoT - // identified in the subject of the "reference value" triple. A single - // reference-triple-record SHALL completely describe the updatable PSA RoT. - swComponents := make([]*proto.Endorsement, 0, len(rv.Measurements)) - - for i, m := range rv.Measurements { - var nitroSwCompAttrs NitroSwCompAttributes - - if err := nitroSwCompAttrs.FromMeasurement(m); err != nil { - return nil, fmt.Errorf("extracting measurement at index %d: %w", i, err) - } - - swAttrs, err := makeSwAttrs(nitroClassAttrs, nitroSwCompAttrs) - if err != nil { - return nil, fmt.Errorf("failed to create software component attributes: %w", err) - } - - swComponent := proto.Endorsement{ - Scheme: proto.AttestationFormat_AWS_NITRO, - Type: proto.EndorsementType_REFERENCE_VALUE, - Attributes: swAttrs, - } - - swComponents = append(swComponents, &swComponent) - } - - if len(swComponents) == 0 { - return nil, fmt.Errorf("no software components found") - } - - return swComponents, nil + return nil, fmt.Errorf("Not implemented, not needed?") + // var nitroClassAttrs NitroClassAttributes + + // if err := nitroClassAttrs.FromEnvironment(rv.Environment); err != nil { + // return nil, fmt.Errorf("could not 
extract PSA class attributes: %w", err) + // } + + // // Each measurement is encoded in a measurement-map of a CoMID + // // reference-triple-record. Since a measurement-map can encode one or more + // // measurements, a single reference-triple-record can carry as many + // // measurements as needed, provided they belong to the same PSA RoT + // // identified in the subject of the "reference value" triple. A single + // // reference-triple-record SHALL completely describe the updatable PSA RoT. + // swComponents := make([]*proto.Endorsement, 0, len(rv.Measurements)) + + // for i, m := range rv.Measurements { + // var nitroSwCompAttrs NitroSwCompAttributes + + // if err := nitroSwCompAttrs.FromMeasurement(m); err != nil { + // return nil, fmt.Errorf("extracting measurement at index %d: %w", i, err) + // } + + // swAttrs, err := makeSwAttrs(nitroClassAttrs, nitroSwCompAttrs) + // if err != nil { + // return nil, fmt.Errorf("failed to create software component attributes: %w", err) + // } + + // swComponent := proto.Endorsement{ + // Scheme: proto.AttestationFormat_AWS_NITRO, + // Type: proto.EndorsementType_REFERENCE_VALUE, + // Attributes: swAttrs, + // } + + // swComponents = append(swComponents, &swComponent) + // } + + // if len(swComponents) == 0 { + // return nil, fmt.Errorf("no software components found") + // } + + // return swComponents, nil } func makeSwAttrs(c NitroClassAttributes, s NitroSwCompAttributes) (*structpb.Struct, error) { - swAttrs := map[string]interface{}{ - //"psa.impl-id": c.ImplID, - "psa.signer-id": s.SignerID, - "psa.measurement-value": s.MeasurementValue, - "psa.measurement-desc": s.AlgID, - } - - if c.Vendor != "" { - swAttrs["psa.hw-vendor"] = c.Vendor - } - - if c.Model != "" { - swAttrs["psa.hw-model"] = c.Model - } - - if s.MeasurementType != "" { - swAttrs["psa.measurement-type"] = s.MeasurementType - } - - if s.Version != "" { - swAttrs["psa.version"] = s.Version - } - - return structpb.NewStruct(swAttrs) + return nil, 
fmt.Errorf("Not implemented, not needed?") + // swAttrs := map[string]interface{}{ + // //"psa.impl-id": c.ImplID, + // "psa.signer-id": s.SignerID, + // "psa.measurement-value": s.MeasurementValue, + // "psa.measurement-desc": s.AlgID, + // } + + // if c.Vendor != "" { + // swAttrs["psa.hw-vendor"] = c.Vendor + // } + + // if c.Model != "" { + // swAttrs["psa.hw-model"] = c.Model + // } + + // if s.MeasurementType != "" { + // swAttrs["psa.measurement-type"] = s.MeasurementType + // } + + // if s.Version != "" { + // swAttrs["psa.version"] = s.Version + // } + + // return structpb.NewStruct(swAttrs) } func (o Extractor) TaExtractor(avk comid.AttestVerifKey) (*proto.Endorsement, error) { @@ -135,4 +137,4 @@ func makeTaAttrs(i NitroInstanceAttributes, c NitroClassAttributes, key string) } return structpb.NewStruct(taID) -} \ No newline at end of file +} diff --git a/provisioning/plugins/corim-nitro-decoder/swcompattributes.go b/provisioning/plugins/corim-nitro-decoder/swcompattributes.go index ac3f1968..933051ee 100644 --- a/provisioning/plugins/corim-nitro-decoder/swcompattributes.go +++ b/provisioning/plugins/corim-nitro-decoder/swcompattributes.go 
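Review bot: SwCompExtractor and makeSwAttrs now return `fmt.Errorf("Not implemented, not needed?")` with their former bodies left as commented-out code, and FromMeasurement in swcompattributes.go (next hunk) does the same. A question mark in an error string ships an undecided design decision to operators, and the commented blocks are dead code that version control already preserves. If CoMID reference-value triples are intentionally unsupported for AWS Nitro, state it: replace the string with `return nil, errors.New("reference-value triples are not supported by the aws-nitro decoder")` (errors is already imported in this file) and add a doc comment on SwCompExtractor saying that reference values are rejected, so whoever provisions PCR reference values through this decoder learns that nothing is stored. Whether appraisal elsewhere depends on reference values being provisioned here cannot be told from this patch and is worth confirming.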
@@ -17,44 +17,44 @@ type NitroSwCompAttributes struct { } func (o *NitroSwCompAttributes) FromMeasurement(m comid.Measurement) error { + return fmt.Errorf("Not implemented, not needed?") + // if m.Key == nil { + // return fmt.Errorf("measurement key is not present") + // } - if m.Key == nil { - return fmt.Errorf("measurement key is not present") - } + // // extract psa-swcomp-id from mkey + // if !m.Key.IsSet() { + // return fmt.Errorf("measurement key is not set") + // } - // extract psa-swcomp-id from mkey - if !m.Key.IsSet() { - return fmt.Errorf("measurement key is not set") - } + // id, err := m.Key.GetPSARefValID() + // if err != nil { + // return fmt.Errorf("failed extracting psa-swcomp-id: %w", err) + // } - id, err := m.Key.GetPSARefValID() - if err != nil { - return fmt.Errorf("failed extracting psa-swcomp-id: %w", err) - } + // o.SignerID = id.SignerID - o.SignerID = id.SignerID + // if id.Label != nil { + // o.MeasurementType = *id.Label + // } - if id.Label != nil { - o.MeasurementType = *id.Label - } + // if id.Version != nil { + // o.Version = *id.Version + // } - if id.Version != nil { - o.Version = *id.Version - } + // // extract digest and alg-id from mval + // d := m.Val.Digests - // extract digest and alg-id from mval - d := m.Val.Digests + // if d == nil { + // return fmt.Errorf("measurement value has no digests") + // } - if d == nil { - return fmt.Errorf("measurement value has no digests") - } + // if len(*d) != 1 { + // return fmt.Errorf("expecting exactly one digest") + // } - if len(*d) != 1 { - return fmt.Errorf("expecting exactly one digest") - } + // o.AlgID = (*d)[0].HashAlgID + // o.MeasurementValue = (*d)[0].HashValue - o.AlgID = (*d)[0].HashAlgID - o.MeasurementValue = (*d)[0].HashValue - - return nil -} \ No newline at end of file + // return nil +} From f1b8839264fba783bfa541d771a9f36c050fd46f Mon Sep 17 00:00:00 2001 
From: "Derek D. Miller" Date: Mon, 28 Nov 2022 16:42:11 -0600 Subject: [PATCH 5/7] Added document generation to the AWS Nitro tests Signed-off-by: Derek D. Miller --- go.mod | 2 +- go.sum | 2 + vts/plugins/scheme-aws-nitro/main.go | 72 +----- vts/plugins/scheme-aws-nitro/main_test.go | 228 ++++++++++++++---- .../test/ta-endorsements.json | 2 +- 5 files changed, 191 insertions(+), 115 deletions(-) diff --git a/go.mod b/go.mod index 6465186c..401aa40a 100644 --- a/go.mod +++ b/go.mod @@ -26,7 +26,7 @@ require ( github.com/spf13/jwalterweatherman v1.1.0 github.com/spf13/viper v1.9.0 github.com/stretchr/testify v1.8.1 - github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20221112151611-0893a6c14411 + github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20221128190504-3eeb9fee39cb github.com/veraison/corim v0.0.0-20220801100627-a48aacbd333c github.com/veraison/dice v0.0.1 github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff diff --git a/go.sum b/go.sum index ba2af063..3dab069f 100644 --- a/go.sum +++ b/go.sum 
@@ -1064,6 +1064,8 @@ github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-2022090 github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20220902142425-b49cd6e96cf5/go.mod h1:EXpO454Q3yOKVoNc7ECuLRfP7cmTmuhPwtuFYbkxWBk= github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20221112151611-0893a6c14411 h1:QHBX9m8HlqC+qhc/gGLdHA+8hfwsNY/s8lBiVnzAde0= github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20221112151611-0893a6c14411/go.mod h1:JRldyv/2U+D7c5yI1HP9iY/Aa7j3TnhwpUvC1ZwE+Lw= +github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20221128190504-3eeb9fee39cb h1:wveFlH73+Tqm5NM9nSGoyeTnU4JsH5ARcrcETMD+T3M= +github.com/veracruz-project/go-nitro-enclave-attestation-document v0.0.0-20221128190504-3eeb9fee39cb/go.mod h1:JRldyv/2U+D7c5yI1HP9iY/Aa7j3TnhwpUvC1ZwE+Lw= github.com/veraison/apiclient v0.0.2/go.mod h1:H8YDx1ixM24GYP/aLbhq+HJsej0lVUqFCRIL5Uu4B0o= github.com/veraison/corim v0.0.0-20220801100627-a48aacbd333c h1:+qOmTV5aI475VuNXDfy8Klg8m2ovSISmdZlS63w0J64= github.com/veraison/corim v0.0.0-20220801100627-a48aacbd333c/go.mod h1:FOUHHZ7fOyWKk4oKUjO5Zw5gnkjz0rtzcJDvUZZFRSg= diff --git a/vts/plugins/scheme-aws-nitro/main.go b/vts/plugins/scheme-aws-nitro/main.go index 4bc55120..5a284767 100644 --- a/vts/plugins/scheme-aws-nitro/main.go +++ b/vts/plugins/scheme-aws-nitro/main.go @@ -5,17 +5,15 @@ package main import ( "crypto/x509" - //"encoding/base64" "encoding/json" "encoding/pem" - "flag" "fmt" + "net/url" + "github.com/hashicorp/go-plugin" - nitro_eclave_attestation_document "github.com/veracruz-project/go-nitro-enclave-attestation-document" + nitro_enclave_attestation_document "github.com/veracruz-project/go-nitro-enclave-attestation-document" "github.com/veraison/services/proto" "github.com/veraison/services/scheme" - "net/url" - "time" ) type Endorsements struct { 
@@ -58,18 +56,6 @@ func (s Scheme) GetTrustAnchorID(token *proto.AttestationToken) (string, error) // ExtractClaims parses the attestation token and returns claims // extracted therefrom. func (s Scheme) ExtractClaims(token *proto.AttestationToken, trustAnchor string) (*scheme.ExtractedClaims, error) { - return s.extractClaimsImpl(token, trustAnchor, time.Now()) -} - -/// Same as ExtractClaims, but allows the caller to set an alternate "current time" to allow -/// tests to use saved attestation document data without triggering certificate expiry errors. -/// THIS FUNCTION SHOULD ONLY BE USED IN TESTING -func (s Scheme) ExtractClaimsTest(token *proto.AttestationToken, trustAnchor string, testTime time.Time) (*scheme.ExtractedClaims, error) { - return s.extractClaimsImpl(token, trustAnchor, testTime) -} - -/// Implementation of the functionality for ExtracClaims and ExtracClaimsTest -func (s Scheme) extractClaimsImpl(token *proto.AttestationToken, trustAnchor string, now time.Time) (*scheme.ExtractedClaims, error) { ta_unmarshalled := make(map[string]interface{}) err := json.Unmarshal([]byte(trustAnchor), &ta_unmarshalled) @@ -89,9 +75,6 @@ func (s Scheme) extractClaimsImpl(token *proto.AttestationToken, trustAnchor str return nil, new_err } - // golang standard library pem.Decode function cannot handle PEM data without a header, so I have to add one to make it happy. - // Yes, this is stupid - cert_pem = "-----BEGIN CERTIFICATE-----\n" + cert_pem + "\n-----END CERTIFICATE-----\n" cert_pem_bytes := []byte(cert_pem) cert_block, _ := pem.Decode(cert_pem_bytes) if cert_block == nil { 
@@ -108,12 +91,10 @@ func (s Scheme) extractClaimsImpl(token *proto.AttestationToken, trustAnchor str token_data := token.Data - var document *nitro_eclave_attestation_document.AttestationDocument - if flag.Lookup("test.v") == nil { - document, err = nitro_eclave_attestation_document.AuthenticateDocument(token_data, *cert) - } else { - document, err = nitro_eclave_attestation_document.AuthenticateDocumentTest(token_data, *cert, now) - } + var document *nitro_enclave_attestation_document.AttestationDocument + + document, err = nitro_enclave_attestation_document.AuthenticateDocument(token_data[1:], *cert) + if err != nil { new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to AuthenticateDocument failed:%v", err) return nil, new_err @@ -172,27 +153,6 @@ func (s Scheme) ValidateEvidenceIntegrity( trustAnchor string, endorsementsStrings []string, ) error { - return s.validateEvidenceIntegrityImpl(token, trustAnchor, endorsementsStrings, time.Now()) -} - -/// Same as ValidateEvidenceIntegrity, but allows the caller to set an alternate "current time" to allow -/// tests to use saved attestation document data without triggering certificate expiry errors. -/// THIS FUNCTION SHOULD ONLY BE USED IN TESTING -func (s Scheme) ValidateEvidenceIntegrityTest( - token *proto.AttestationToken, - trustAnchor string, - endorsementsStrings []string, - testTime time.Time, -) error { - return s.validateEvidenceIntegrityImpl(token, trustAnchor, endorsementsStrings, testTime) -} - -func (s Scheme) validateEvidenceIntegrityImpl(token *proto.AttestationToken, - trustAnchor string, - endorsementsStrings []string, - now time.Time, -) error { - ta_unmarshalled := make(map[string]interface{}) err := json.Unmarshal([]byte(trustAnchor), &ta_unmarshalled) 
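Review bot: `token_data[1:]` in the `@@ -108,12 +91,10 @@` hunk, and again in `@@ -229,18 +186,9 @@`, slices token.Data without a length check, so an empty or nil Data field from a client panics the plugin instead of producing an error. The byte being skipped is also dropped silently; presumably it is a leading CBOR tag added by the document serialisation — confirm — and if so it should be checked for its expected value rather than discarded. Guard both call sites before the slice with `if len(token_data) < 2 { return nil, fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims: token data too short") }` (the ValidateEvidenceIntegrity site returns a bare error), and put a one-line comment next to the slice naming why the first byte is stripped. Both enclosing functions extend beyond their hunks.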
@@ -212,9 +172,6 @@ func (s Scheme) validateEvidenceIntegrityImpl(token *proto.AttestationToken, return new_err } - // golang standard library pem.Decode function cannot handle PEM data without a header, so I have to add one to make it happy. - // Yes, this is stupid - cert_pem = "-----BEGIN CERTIFICATE-----\n" + cert_pem + "\n-----END CERTIFICATE-----\n" cert_pem_bytes := []byte(cert_pem) cert_block, _ := pem.Decode(cert_pem_bytes) if cert_block == nil { @@ -229,18 +186,9 @@ func (s Scheme) validateEvidenceIntegrityImpl(token *proto.AttestationToken, return new_err } - // token_data, err := base64.StdEncoding.DecodeString(string(token.Data)) - // if err != nil { - // new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to base64.StdEncoding.DecodeString failed:%v", err) - // return nil, new_err - // } token_data := token.Data - if flag.Lookup("test.v") == nil { - _, err = nitro_eclave_attestation_document.AuthenticateDocument(token_data, *cert) - } else { - _, err = nitro_eclave_attestation_document.AuthenticateDocumentTest(token_data, *cert, now) - } + _, err = nitro_enclave_attestation_document.AuthenticateDocument(token_data[1:], *cert) if err != nil { new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to AuthenticateDocument failed:%v", err) return new_err @@ -248,13 +196,13 @@ func (s Scheme) validateEvidenceIntegrityImpl(token *proto.AttestationToken, return nil } -func claimsToMap(doc *nitro_eclave_attestation_document.AttestationDocument) (out map[string]interface{}, err error) { +func claimsToMap(doc *nitro_enclave_attestation_document.AttestationDocument) (out map[string]interface{}, err error) { out = make(map[string]interface{}) for index, this_pcr := range doc.PCRs { var key = fmt.Sprintf("PCR%v", index) out[key] = this_pcr } - out["user_data"] = doc.User_Data + out["user_data"] = doc.UserData out["nonce"] = doc.Nonce return out, nil 
diff --git a/vts/plugins/scheme-aws-nitro/main_test.go b/vts/plugins/scheme-aws-nitro/main_test.go index 6eb38c81..05a6174e 100644 --- a/vts/plugins/scheme-aws-nitro/main_test.go +++ b/vts/plugins/scheme-aws-nitro/main_test.go @@ -4,11 +4,21 @@ package main import ( + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/x509" + "crypto/x509/pkix" "encoding/json" + "encoding/pem" + "fmt" + "math/big" "os" + "strings" "testing" "time" + nitro_enclave_attestation_document "github.com/veracruz-project/go-nitro-enclave-attestation-document" "github.com/veraison/services/proto" "github.com/stretchr/testify/assert" 
@@ -17,8 +27,119 @@ import ( var testTime time.Time = time.Date(2022, 11, 9, 23, 0, 0, 0, time.UTC) +func generateValidTimeRange(expired bool) (time.Time, time.Time) { + var notBefore time.Time + var notAfter time.Time + if expired { + notBefore = time.Now().Add(-time.Hour * 24) + notAfter = time.Now().Add(-time.Hour * 1) + } else { + notBefore = time.Now() + notAfter = time.Now().Add(time.Hour * 24 * 180) + } + return notBefore, notAfter +} + +func generateCertsAndKeys(endCertExpired bool, caCertExpired bool) (*ecdsa.PrivateKey, []byte, *x509.Certificate, []byte, error) { + caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + return nil, nil, nil, nil, fmt.Errorf("failed to generate CA key:%v", err) + } + + caNotBefore, caNotAfter := generateValidTimeRange(caCertExpired) + caTemplate := x509.Certificate{ + SerialNumber: big.NewInt(1), + Subject: pkix.Name{ + Organization: []string{"Acme Co"}, + }, + NotBefore: caNotBefore, + NotAfter: caNotAfter, + + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, + IsCA: true, + BasicConstraintsValid: true, + } + + caCertDer, err := x509.CreateCertificate(rand.Reader, &caTemplate, &caTemplate, &caKey.PublicKey, caKey) + if err != nil { + return nil, nil, nil, nil, fmt.Errorf("Failed to generate CA Certificate:%v", err) + } + caCert, err := x509.ParseCertificate(caCertDer) + if err != nil { + return nil, nil, nil, nil, fmt.Errorf("Failed to convert CA Cert der to certificate:%v", err) + } + + endKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + if err != nil { + return nil, nil, nil, nil, fmt.Errorf("Failed to generate end key:%v", err) + } + + endNotBefore, endNotAfter := generateValidTimeRange(endCertExpired) + endTemplate := x509.Certificate{ + SerialNumber: big.NewInt(1), + Subject: pkix.Name{ + Organization: []string{"Acme Co"}, + }, + NotBefore: endNotBefore, + NotAfter: 
endNotAfter, + + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}, + KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, + BasicConstraintsValid: true, + } + endCertDer, err := x509.CreateCertificate(rand.Reader, &endTemplate, caCert, &endKey.PublicKey, caKey) + if err != nil { + return nil, nil, nil, nil, fmt.Errorf("Failed to generate end certificate:%v", err) + } + return endKey, endCertDer, caCert, caCertDer, nil +} + +const NUM_PCRS = 16 + +func generateRandomSlice(size int32) []byte { + result := make([]byte, size) + rand.Read(result) + return result +} + +func generatePCRs() (map[int32][]byte, error) { + pcrs := make(map[int32][]byte) + for i := int32(0); i < NUM_PCRS; i++ { + pcrs[i] = generateRandomSlice(96) + } + return pcrs, nil +} + +func genTaEndorsements(caCertDer []byte) ([]byte, error) { + taEndValBytes, err := os.ReadFile("test/ta-endorsements.json") + if err != nil { + return nil, fmt.Errorf("os.ReadFile failed:%v\n", err) + } + var pemCertBlock = &pem.Block{ + Type: "CERTIFICATE", + Bytes: caCertDer, + } + caCertPem := string(pem.EncodeToMemory(pemCertBlock)) + caCertJson, err := json.Marshal(caCertPem) + if err != nil { + return nil, fmt.Errorf("json.Marshal failed:%v", err) + } + taEndValString := string(taEndValBytes) + taEndValString = strings.Replace(taEndValString, "\"\"", string(caCertJson), 1) + taEndValBytes = []byte(taEndValString) + return taEndValBytes, nil +} + func Test_GetTrustAnchorID_ok(t *testing.T) { - tokenBytes, err := os.ReadFile("test/aws_nitro_document.cbor") + privateKey, endCertDer, _, caCertDer, err := generateCertsAndKeys(false, false) + require.NoError(t, err) + + PCRs, err := generatePCRs() + require.NoError(t, err) + userData := generateRandomSlice(32) + nonce := generateRandomSlice(32) + tokenBytes, err := nitro_enclave_attestation_document.GenerateDocument(PCRs, userData, nonce, endCertDer, [][]byte{caCertDer}, privateKey) require.NoError(t, err) token := 
proto.AttestationToken{ @@ -36,32 +157,18 @@ func Test_GetTrustAnchorID_ok(t *testing.T) { assert.Equal(t, expectedTaID, taID) } -// func Test_ExtractVerifiedClaimsInteg_ok(t *testing.T) { -// tokenBytes, err := os.ReadFile("test/psaintegtoken.cbor") -// require.NoError(t, err) - -// taEndValBytes, err := os.ReadFile("test/ta-integ-endorsements.json") -// require.NoError(t, err) - -// scheme := &Scheme{} - -// token := proto.AttestationToken{ -// TenantId: "0", -// Format: proto.AttestationFormat_PSA_IOT, -// Data: tokenBytes, -// } - -// _, err = scheme.ExtractClaims(&token, string(taEndValBytes)) - -// require.NoError(t, err) - -// } - func Test_ExtractVerifiedClaims_ok(t *testing.T) { - tokenBytes, err := os.ReadFile("test/aws_nitro_document.cbor") + privateKey, endCertDer, _, caCertDer, err := generateCertsAndKeys(false, false) require.NoError(t, err) - taEndValBytes, err := os.ReadFile("test/ta-endorsements.json") + PCRs, err := generatePCRs() + require.NoError(t, err) + userData := generateRandomSlice(32) + nonce := generateRandomSlice(32) + tokenBytes, err := nitro_enclave_attestation_document.GenerateDocument(PCRs, userData, nonce, endCertDer, [][]byte{caCertDer}, privateKey) + require.NoError(t, err) + + taEndValBytes, err := genTaEndorsements(caCertDer) require.NoError(t, err) scheme := &Scheme{} 
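Review bot: generateCertsAndKeys takes endCertExpired and caCertExpired, and generateValidTimeRange builds expired windows for them, but every call site in this patch passes (false, false), so certificate expiry — the chain check that separates a stale document from a fresh one — is no longer tested now that the time-injecting hooks are removed from main.go. Add a negative test that generates with `generateCertsAndKeys(true, false)` and asserts ExtractClaims returns an error, and a second one with an expired CA. Separately, generateRandomSlice discards the return of crypto/rand's Read; `if _, err := rand.Read(result); err != nil { panic(err) }` keeps a failed read from silently yielding zeroed PCRs and nonces. The error strings in this helper mix capitalised and lowercase forms ("Failed to generate..." vs "failed to generate CA key"); Go convention is lowercase throughout.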
@@ -72,36 +179,48 @@ func Test_ExtractVerifiedClaims_ok(t *testing.T) { Data: tokenBytes, } - extracted, err := scheme.ExtractClaimsTest(&token, string(taEndValBytes), testTime) + extracted, err := scheme.ExtractClaims(&token, string(taEndValBytes)) require.NoError(t, err) - expectedPcr0 := [48]byte{ - 34, 249, 225, 201, 73, 32, 141, 165, 94, 176, 27, 155, 159, 200, 143, 135, - 69, 79, 119, 186, 19, 63, 13, 130, 50, 11, 80, 150, 33, 201, 36, 130, - 21, 42, 153, 208, 161, 35, 53, 185, 113, 120, 192, 45, 111, 151, 125, 1, - } - assert.Equal(t, expectedPcr0[:], extracted.ClaimsSet["PCR0"].([]byte)) - - expectedNonce := [32]byte{ - 198, 120, 200, 97, 53, 222, 83, 157, 24, 58, 207, 245, 136, 134, 217, 141, - 251, 152, 35, 4, 26, 249, 249, 52, 191, 144, 154, 192, 248, 217, 98, 69, - } - nonce := extracted.ClaimsSet["nonce"].([]byte) - assert.Equal(t, expectedNonce[:], nonce) - - expectedUserData := [32]byte{ - 124, 55, 16, 128, 121, 179, 232, 163, 109, 138, 121, 112, 222, 29, 109, 79, - 241, 70, 30, 14, 53, 217, 85, 124, 77, 120, 157, 245, 224, 87, 102, 32, - } - user_data := extracted.ClaimsSet["user_data"].([]byte) - assert.Equal(t, expectedUserData[:], user_data) + assert.Equal(t, PCRs[0][:], extracted.ClaimsSet["PCR0"].([]byte)) + assert.Equal(t, PCRs[1][:], extracted.ClaimsSet["PCR1"].([]byte)) + assert.Equal(t, PCRs[2][:], extracted.ClaimsSet["PCR2"].([]byte)) + assert.Equal(t, PCRs[3][:], extracted.ClaimsSet["PCR3"].([]byte)) + assert.Equal(t, PCRs[4][:], extracted.ClaimsSet["PCR4"].([]byte)) + assert.Equal(t, PCRs[5][:], extracted.ClaimsSet["PCR5"].([]byte)) + assert.Equal(t, PCRs[6][:], extracted.ClaimsSet["PCR6"].([]byte)) + assert.Equal(t, PCRs[7][:], extracted.ClaimsSet["PCR7"].([]byte)) + assert.Equal(t, PCRs[8][:], extracted.ClaimsSet["PCR8"].([]byte)) + assert.Equal(t, PCRs[9][:], extracted.ClaimsSet["PCR9"].([]byte)) + assert.Equal(t, PCRs[10][:], extracted.ClaimsSet["PCR10"].([]byte)) + assert.Equal(t, PCRs[11][:], extracted.ClaimsSet["PCR11"].([]byte)) 
+ assert.Equal(t, PCRs[12][:], extracted.ClaimsSet["PCR12"].([]byte)) + assert.Equal(t, PCRs[13][:], extracted.ClaimsSet["PCR13"].([]byte)) + assert.Equal(t, PCRs[14][:], extracted.ClaimsSet["PCR14"].([]byte)) + assert.Equal(t, PCRs[15][:], extracted.ClaimsSet["PCR15"].([]byte)) + + receivedNonce := extracted.ClaimsSet["nonce"].([]byte) + assert.Equal(t, nonce[:], receivedNonce[:]) + + receivedUserData := extracted.ClaimsSet["user_data"].([]byte) + assert.Equal(t, userData[:], receivedUserData[:]) } func Test_ExtractVerifiedClaims_bad_signature(t *testing.T) { - tokenBytes, err := os.ReadFile("test/aws_nitro_document_bad_sig.cbor") + privateKey, endCertDer, _, caCertDer, err := generateCertsAndKeys(false, false) require.NoError(t, err) - taEndValBytes, err := os.ReadFile("test/ta-endorsements.json") + PCRs, err := generatePCRs() + require.NoError(t, err) + userData := generateRandomSlice(32) + nonce := generateRandomSlice(32) + tokenBytes, err := nitro_enclave_attestation_document.GenerateDocument(PCRs, userData, nonce, endCertDer, [][]byte{caCertDer}, privateKey) + require.NoError(t, err) + + // modify the signature to make it fail + tokenBytes[len(tokenBytes)-1] ^= tokenBytes[len(tokenBytes)-1] + + taEndValBytes, err := genTaEndorsements(caCertDer) require.NoError(t, err) scheme := &Scheme{} 
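Review bot: `tokenBytes[len(tokenBytes)-1] ^= tokenBytes[len(tokenBytes)-1]` always sets the last byte to zero, so whenever the freshly generated ECDSA signature already ends in 0x00 (roughly one run in 256) the document is left intact and Test_ExtractVerifiedClaims_bad_signature fails on its EqualError assertion. Flip the bits instead: `tokenBytes[len(tokenBytes)-1] ^= 0xff`. The preceding comment could also say which field is being corrupted, e.g. `// corrupt the final signature byte so COSE verification must fail`. The sixteen PCR assertions in Test_ExtractVerifiedClaims_ok would read better as a `for i := int32(0); i < NUM_PCRS; i++` loop keyed on `fmt.Sprintf("PCR%v", i)`, which also keeps them in step with NUM_PCRS.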
@@ -112,16 +231,23 @@ func Test_ExtractVerifiedClaims_bad_signature(t *testing.T) {
 Data: tokenBytes,
 }
- _, err = scheme.ExtractClaimsTest(&token, string(taEndValBytes), testTime)
+ _, err = scheme.ExtractClaims(&token, string(taEndValBytes))
 assert.EqualError(t, err, `scheme-aws-nitro.Scheme.ExtractVerifiedClaims call to AuthenticateDocument failed:AuthenticateDocument::Verify failed:verification error`)
 }
 func Test_ValidateEvidenceIntegrity_ok(t *testing.T) {
- tokenBytes, err := os.ReadFile("test/aws_nitro_document.cbor")
+ privateKey, endCertDer, _, caCertDer, err := generateCertsAndKeys(false, false)
 require.NoError(t, err)
- taEndValBytes, err := os.ReadFile("test/ta-endorsements.json")
+ PCRs, err := generatePCRs()
+ require.NoError(t, err)
+ userData := generateRandomSlice(32)
+ nonce := generateRandomSlice(32)
+ tokenBytes, err := nitro_enclave_attestation_document.GenerateDocument(PCRs, userData, nonce, endCertDer, [][]byte{caCertDer}, privateKey)
+ require.NoError(t, err)
+
+ taEndValBytes, err := genTaEndorsements(caCertDer)
 require.NoError(t, err)
 scheme := &Scheme{}
@@ -132,7 +258,7 @@ func Test_ValidateEvidenceIntegrity_ok(t *testing.T) {
 Data: tokenBytes,
 }
- err = scheme.ValidateEvidenceIntegrityTest(&token, string(taEndValBytes), nil, testTime)
+ err = scheme.ValidateEvidenceIntegrity(&token, string(taEndValBytes), nil)
 assert.NoError(t, err)
 }
diff --git a/vts/plugins/scheme-aws-nitro/test/ta-endorsements.json b/vts/plugins/scheme-aws-nitro/test/ta-endorsements.json
index b8c9784a..a22e1501 100644
--- a/vts/plugins/scheme-aws-nitro/test/ta-endorsements.json
+++ b/vts/plugins/scheme-aws-nitro/test/ta-endorsements.json
@@ -2,6 +2,6 @@
 "scheme":"AWS_NITRO",
 "type":"VERIFICATION_KEY",
 "attributes":{
- "key": "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"
+ "key": ""
 }
 }
\ No newline at end of file
From d3ddbf1a86cc589f4039a23bebd2ef3e76fb00f6 Mon Sep 17 00:00:00 2001
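Review bot: The `assert.EqualError` in the bad-signature hunk pins the exact text of an error produced inside the external nitro_enclave_attestation_document library ("AuthenticateDocument::Verify failed:verification error"), so any rewording in a dependency update breaks this test without any behaviour change in the plugin; `assert.ErrorContains(t, err, "call to AuthenticateDocument failed")` pins only the plugin's own contribution to the chain. Test_ValidateEvidenceIntegrity_ok repeats the same generateCertsAndKeys/generatePCRs/GenerateDocument/genTaEndorsements preamble as the bad-signature test above it; a helper such as `newSignedDocument(t)` returning tokenBytes and taEndValBytes would keep the three tests in step when the document format changes. Both hunks here sit inside functions that begin before them.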
From: "Derek D. Miller"
Date: Mon, 28 Nov 2022 16:53:59 -0600
Subject: [PATCH 6/7] Removed some no-longer-needed test files
Signed-off-by: Derek D. Miller
---
 .../test/aws_nitro_document.cbor | Bin 4461 -> 0 bytes
 .../test/aws_nitro_document_bad_sig.cbor | Bin 4461 -> 0 bytes
 2 files changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 vts/plugins/scheme-aws-nitro/test/aws_nitro_document.cbor
 delete mode 100644 vts/plugins/scheme-aws-nitro/test/aws_nitro_document_bad_sig.cbor
diff --git a/vts/plugins/scheme-aws-nitro/test/aws_nitro_document.cbor b/vts/plugins/scheme-aws-nitro/test/aws_nitro_document.cbor deleted file mode 100644 index 614525d65b8f9de31f7994113149350007929d07..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4461 zcmd6qc~lek7RQsx!WMQxB(f_aHsLqfNEAg>aKWu25~NC#$wVR{EC~n|1frlQs8vA$ z<$*wzXGKw{+FGD>1F3*Qt$~7|MMO{wR1vG#iKvB&@12~}_fB&%f81Z@J99Jl^S$>s zTju5Ax%RpK#`q#hNT?`MiUvwV(NiQez!HmKjw|*R2?U6kDWst?1i)Mt8|Ar*fRKp_ zS*TbfS%=CMVxI*bOfE~Jkc427AS8^6!{N8A-LK+`!jK60NgN;854Kk?v`s5qdy<;{ zuc}>JJ(q3x+SFZN$@-69X~C@lxsZO0d9l2_hyhxh=uZ`M)&afS~S?NHz^ zmJd&FO?c3O2D|4BmY%$4Y`Prwo!30;MH4CFW9@-y&LtiL1WcmghsXz>D~S%gdwDI- zs}7xM;yYNanxN%6l{J@n;#c1}S>-*!xX{FsL&i}!s`B$^Nlq}Cr1@RQnoG1amuPD) z(a~I@tGPr^a|uOriN59%1I;CdnoEKaG(sT}OAvtq^@rkt655Cz_*?>nhae-hv+7TG zFI9t!NL`G8E?L_-c|q+=B7p!Bcfxu=hfMG#l1(9BAJ`Nas{?I{uAe|2B$2ICgvwwe zV4z;qqG0bNVFY+nJ9r1a0 z;(lwW>1``;q4Mfsr|B728gMpUFMBu6&$j|pK*2J%GR5Ox5g~vBdg{oKNF+ey%8`{O z1mOS*fu*j!`6P zk()={2towHNSR2AZt;iAFb<7@5}z^5qA_j|jtrviKGAOF^+V||ozGT{Oc5*`UE2Qw z85K+zu9?Z$7{NRkFt{+2!3As#Bi3-pdL90qxB5WsUqCCnztH}!KPc=@R@3fsFD_$` zT$bYf>S=^3WuEu)k2_ceB~P30R-WfuGR~AlX&JPd+{|)+U`G{quBeN<-l7v2Y8v+2 zc(X`*=oJdg!qF^PgHZy3tmj?Ce(yJN^^kvZ$I^iE?`_#V29^hF79G86Ciekk9t)zmm!U-_b{Eg!by9QBwlEe=dVVx{Xi}5zt{r=_=B_jd+GI^?k7wOI zLK1Tv9{0Rzn7)^6vl%`+-<8%XxAXhSny?`XTDu^?jF!Ex?a~4hz3N}DqX`t#@xp(z zZ58>6KZ3*?z~mh?+JKC)fK3Ttqh50$S^)EevB~)ptU}cDin4%O8xp+NruOK|OvUPQ z-}k_hs;_55L;(T>xq-QBk^_Piim>S}E|^zoqgy@=iICFeOuFFpBvE@A2@P?<7F`5F z7LNlEgyt&ZFlj7?P(d=YTZ*D(`!9N}Zk#8U51M zaf)-BLDacSeVaP(%H?;23*>1eV^&r{<`Y2$YE*Ca zleh0G3)()pb!1}yC$!!I&I3F)4`#fbpX}EmjLpv!*bPh{rk2U&!VE5xi|yH&Y(y;N z(y>u4kp4$@|1#;{>(Qfj6K?`-3gqYU{x0G}Q?qc*&yA{cGkgN*%R61>(XHK8x~6Rv zsgoRQ_R8#so*yi$Mx=Yx5Nft^4u5psIj}xy|8pVeaaGc=fbZ)>C&%t<4?2h zs-HE`ZIpyFnb^?uIIU}c!?hbTA5}Rq@)I9`#Lh8nfFEUpF**O!1`+Xt;;iFa@0A$y z3p!qX)~Jk+a(~YTi3!6#hyfcwWUf3nJUR4@4=`+L?>0iT_g$fO#Jk_e@CK9P%7z&t 
zlqM8n?^-ODm_rjV5fKfrnJgdxJRwKSe9s%}a6klsIc^_w>K?S{7M8IWkDo$Uh1WNnZT9BahqVp*LrTmRo3Mj4Yz;HquNDK%6C2%Qp5$!m z4$Zi9DH>_Pjk3o-3CwpUVgMFkFyER8yb1q#yXFrJl%WNS>yOzU*DYG%WRX>LV20b> zid_$IQ~TlK@?{Tae{FexV9l|VIenf93oG+3Y;j@VvMX*_RGD>skF?UmKGrs?tMcIH z%l)mzch>H|s5IZz%8wMB&kf(Uhr0C1G5ex*s(eQMC#kMtZiq3bMyA&++tW>IE(adzF7t}Zylki)iSJt<7AcfUkicLx z=BXr7jz$EE1PTG)HrCZBA?Eb`{E+Q2VXamn%X+=64cIE**d@`2p0xRiZBbdM3_{g#c7SrpVY)e+9{eHlKXgN5@s@R=X`AjAB>h0(sV)6P$j;&l#BaM9v7*{$8^PA}VM*bVftm>BV(Xe% h_5ot#4vTn8ox7~&8|eksZC$l{LuOhUN+pqve*nkB42}Q* 
diff --git a/vts/plugins/scheme-aws-nitro/test/aws_nitro_document_bad_sig.cbor b/vts/plugins/scheme-aws-nitro/test/aws_nitro_document_bad_sig.cbor deleted file mode 100644 index d820c18e4c7b3cda82a8025981b29b316c822c88..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4461 zcmd6qc~lek7RQsx!WMQxB(f_~Y{G9Q3yGqL3NE-+L_(?3WHOPI5S9dl3Ib736x6Dq zfbu|~%Cn+WsJ690>jqK*MSTqv1T7+hTA+$p#WxYPQ1QK!bNb$CPUesM%Y0{U=6=5S z{$}(10wT{bKhTs|A`J@{N6WBasW^6;lmXZhG0b(xzha>fm9Rt%OpXGW$L3&scQFvL zFcBM*h^6Z=g;L_T(2K=mOO?_vJQ9XQ&?)U%oPxa2_s(v-Yv8ch%Qr^HNq*D$*{Rf3cRV2hAncueByfW9ePss} z{EPMdlUtJRbz-5Oc|+wV?wFddfc@vU%zoBPiTXfyaJp-m*B}X(X!#)vfcGl06aP*@ z>(iQpr!I$I@(Kg zwU_8=FVWXtVxYZ*roF^adx??u5@YQpp(qxmluD$iP>BUXi9iKyzzzcZ-eioTT0?9jI1E5DG`ID*UkiQ>n4oo$HE=@l`s0fkD*D1s0 zun92IEb7p7{4k+XDZ^l6V5nKqr%}DagrDN4(D19`3kEcjSAZYP2kx4PL<8eA1|}BG zSdaUj0W*c`6->EQ85OQ+7BXQBrU14R4G{!}0Utp)FvtDFkq`y|<{$uk2$J{wFA|;& zJVp}cjFa$qoowu%05QOXs`K)pLPRQMdNP^dND>jqJ0?6Sn!J$kMP1d4=acfYA^Pfw zu%nH4J?M?BhjS{|n5(4<+L;8^*7#&-<)LUK=cAi@9o$qM{wEgoF3a@U+i^}nJLXI* zxRvl*Q(a$sksF=g2)oS4y4Xap>wez1VL_n{paUA7xs5rI_<{@p0x-}-#$+-HqE?Tt zG%17tFbFJj?<-7mood}VxvFC5K^n;@95&*$57hxEHCKbw^j60SKdzDUb0`tf91=bGMqJCalSi@#iSFVC+rYk2tM z%X1Z$QCCAyp(t7|mSLL%Aq$*CQ=lSdjj(7+7=oii=(~=0*!cWd{!7=B)uU4ci^i7r zzd%L@lSXQ0Ha@-xrUg)M@j5SA5XPE-HK6a=ZGBz#2JK7NcX-W_BaT^PU4;(zUW7;YzDsaJYHI zZxeOrsed*hI{ear5?%Bp^S9K-i8h0!=RJQboD1dv<2SXZ01}P>u+c0SkuAv+c1^7? 
zR8tmoWu47>8g;NCyX2;C)=MAT7;9L;0U@T2e)=RS0Z8z27bd!WR#5xh+OE^0c+34) z{Yg9QNb`n*&=OJlEPhg^cY*DhD&|c8pGqG@mY=P?V-0GVztsu&= z^55Hbwo`3B@tc%*p!tz{-WlPu={=;n@CO-A(7?^dfzVl;iz@u^e$B<5?y9nrSp$v7 zpRBr7G1C0Te+)OOhtoO0$l#B`6`yFtKZ!GW`jEzxbllpXe=pK9H zD}qh8Pbcw=*O&YL=$tN<9V(5?{ahZY=vjBlqyBugB9LSSRHO+w#ksF3POCOM@Z#cz z+Ns-iR)lPu+BQ0|{}WoT0p|lghYusK=O^c72;=iJ4fX&tMyO@+cre0a@$fx6i-Sr; zJSINMg|h$1?w=<8TRnQrZsJv-OM?Qu-rhyLYibs+`T3gq>zRH*%oSa3^O?4uYJKze zs`M$&b$jHF!%q)XG-A@iZI(gTHnqlwp7-7x@!(odzh`mzMCP=moUTRReAI1N?;)6O z+ub;Ou*W2YU^cm_`C&%)zNX7pXFaHKK?;-af#j}nY(N}igK;_k!v;}_Lz0|hTke#Z z3W_>ke0oil7~}bt4U&^ad=LlLgXnxkeq?I+D<9z4GTv;27;n2mj*#$fw>+Z@Djh8TW;Q2Q|B5CZ(Px? zCsd)Q3vUgk{J>j1le7EmMe_6`mxuK%5-`$J^g0Cme(xK+nPGBiiAC!W^YCMSf2XtJ z{hAYIRt@)B^@}SwOD0ZZsv{elPPh1S9V6O@0wEP{i;eg}8L@^1;a97{mdV#V;~wR0 z>&%`17&#OlE$O<$Mj29x>)6u?4Rjz zyK3h>!g~X7Y31_!bH1^@JGka(+T4Ecq(#*QXE(cXesU;nT3nrTWw)%_%Q4wHw(iI@tGf_YtZ(4uq`{j2SgDLHq$HR7%R-pmgEXY;0c3VmI=J(5rmk!oNv6k4@ i#dG$PqqkcnTI=0rw_MFEvTg6K-xD^=+E^xyzW#5=#0-xB From aab1f15c78b1c9b3e24911f4c6582dd2b453320a Mon Sep 17 00:00:00 2001 From: "Derek D. Miller" Date: Wed, 14 Dec 2022 15:25:08 -0600 Subject: [PATCH 7/7] Renamed some fields. Added check for null SoftwareId Signed-off-by: Derek D. Miller --- .../plugins/corim-nitro-decoder/README.md | 26 +++++++++---------- .../plugins/corim-nitro-decoder/extractor.go | 8 +++--- .../corim-nitro-decoder/test_vectors.go | 3 +-- vts/plugins/scheme-aws-nitro/main.go | 19 +++++++------- .../scheme-aws-nitro/test/endorsements.json | 2 +- .../test/ta-endorsements.json | 2 +- vts/trustedservices/trustedservices_grpc.go | 10 ++++--- 7 files changed, 36 insertions(+), 34 deletions(-) diff --git a/provisioning/plugins/corim-nitro-decoder/README.md b/provisioning/plugins/corim-nitro-decoder/README.md index 044ae7fe..836e40f0 100644 --- a/provisioning/plugins/corim-nitro-decoder/README.md +++ b/provisioning/plugins/corim-nitro-decoder/README.md 
@@ -7,14 +7,14 @@
 "scheme": "AWS_NITRO",
 "type": "REFERENCE_VALUE",
 "attributes": {
- "psa.hw-model": "RoadRunner",
- "psa.hw-vendor": "ACME",
- "psa.impl-id": "IllXTnRaUzFwYlhCc1pXMWxiblJoZEdsdmJpMXBaQzB3TURBd01EQXdNREU9Ig==",
- "psa.measurement-desc": 1,
- "psa.measurement-type": "BL",
- "psa.measurement-value": "h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc=",
- "psa.signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=",
- "psa.version": "2.1.0"
+ "nitro.hw-model": "RoadRunner",
+ "nitro.hw-vendor": "ACME",
+ "nitro.impl-id": "IllXTnRaUzFwYlhCc1pXMWxiblJoZEdsdmJpMXBaQzB3TURBd01EQXdNREU9Ig==",
+ "nitro.measurement-desc": 1,
+ "nitro.measurement-type": "BL",
+ "nitro.measurement-value": "h0KPxSKAPTEGXnvOPPA/5HUJZjHl4Hu9eg/eYMTPJcc=",
+ "nitro.signer-id": "rLsRx+TaIXIFUjzkzhokWuGiOa48a/2eeHH35di66Gs=",
+ "nitro.version": "2.1.0"
 }
 }
 ```
@@ -26,11 +26,11 @@
 "scheme": "AWS_NITRO",
 "type": "VERIFICATION_KEY",
 "attributes": {
- "psa.hw-model": "RoadRunner",
- "psa.hw-vendor": "ACME",
- "psa.iak-pub": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6Vwqe7hy3O8Ypa+BUETLUjBNU3rEXVUyt9XHR7HJWLG7XTKQd9i1kVRXeBPDLFnfYru1/euxRnJM7H9UoFDLdA==",
- "psa.impl-id": "IllXTnRaUzFwYlhCc1pXMWxiblJoZEdsdmJpMXBaQzB3TURBd01EQXdNREU9Ig==",
- "psa.inst-id": "AUyj5PUL8kjDl4cCDWj/0FyIdndRvyZFypI/V6mL7NKW"
+ "nitro.hw-model": "RoadRunner",
+ "nitro.hw-vendor": "ACME",
+ "nitro.cert": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE6Vwqe7hy3O8Ypa+BUETLUjBNU3rEXVUyt9XHR7HJWLG7XTKQd9i1kVRXeBPDLFnfYru1/euxRnJM7H9UoFDLdA==",
+ "nitro.impl-id": "IllXTnRaUzFwYlhCc1pXMWxiblJoZEdsdmJpMXBaQzB3TURBd01EQXdNREU9Ig==",
+ "nitro.inst-id": "AUyj5PUL8kjDl4cCDWj/0FyIdndRvyZFypI/V6mL7NKW"
 }
 }
 ```
\ No newline at end of file
diff --git a/provisioning/plugins/corim-nitro-decoder/extractor.go b/provisioning/plugins/corim-nitro-decoder/extractor.go
index f46518ed..c0636c57 100644
--- a/provisioning/plugins/corim-nitro-decoder/extractor.go
+++ b/provisioning/plugins/corim-nitro-decoder/extractor.go
@@ -105,11 +105,11 @@ func (o Extractor) TaExtractor(avk comid.AttestVerifKey) (*proto.Endorsement, er
 return nil, errors.New("expecting exactly one IAK public key")
 }
- iakPub := avk.VerifKeys[0].Key
+ cert := avk.VerifKeys[0].Key
 // TODO(tho) check that format of IAK pub is as expected
- taAttrs, err := makeTaAttrs(psaInstanceAttrs, nitroClassAttrs, iakPub)
+ taAttrs, err := makeTaAttrs(psaInstanceAttrs, nitroClassAttrs, cert)
 if err != nil {
 return nil, fmt.Errorf("failed to create trust anchor attributes: %w", err)
 }
@@ -123,9 +123,9 @@ func (o Extractor) TaExtractor(avk comid.AttestVerifKey) (*proto.Endorsement, er
 return ta, nil
 }
-func makeTaAttrs(i NitroInstanceAttributes, c NitroClassAttributes, key string) (*structpb.Struct, error) {
+func makeTaAttrs(i NitroInstanceAttributes, c NitroClassAttributes, cert string) (*structpb.Struct, error) {
 taID := map[string]interface{}{
- "nitro.iak-pub": key,
+ "nitro.cert": cert,
 }
 if c.Vendor != "" {
diff --git a/provisioning/plugins/corim-nitro-decoder/test_vectors.go b/provisioning/plugins/corim-nitro-decoder/test_vectors.go
index 7c236a01..826c0cd4 100644
--- a/provisioning/plugins/corim-nitro-decoder/test_vectors.go
+++ b/provisioning/plugins/corim-nitro-decoder/test_vectors.go
@@ -35,7 +35,6 @@ b0bd016341575302654e6974726f81a1007902c84d49494345544343415a
 622b364e49774c7a332f593d
 `
-
 // automatically generated from AWSNitroComidDualKey.json
 var unsignedCorimDualKey = `
 a200505c57e8f446cd421b91c908cf93e13cfc0181590609d901faa40065
@@ -122,4 +121,4 @@ a200505c57e8f446cd421b91c908cf93e13cfc0181590328d901faa40065
 585972753578744d505772664d434d5143693835735742624a774b4b5864
 53364270745146755a625437336f2f674268317155786c2f6e4e72313255
 4f38596677723677504c622b364e49774c7a332f593d
-`
\ No newline at end of file
+`
diff --git a/vts/plugins/scheme-aws-nitro/main.go b/vts/plugins/scheme-aws-nitro/main.go
index 5a284767..29ec7b61 100644
--- a/vts/plugins/scheme-aws-nitro/main.go
+++ b/vts/plugins/scheme-aws-nitro/main.go
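Review bot: The renamed value is now treated as a certificate and stored under "nitro.cert", but the guard just above `cert := avk.VerifKeys[0].Key` still fails with `errors.New("expecting exactly one IAK public key")` and the retained `// TODO(tho) check that format of IAK pub is as expected` still describes a key; both should speak of a certificate, e.g. `errors.New("expecting exactly one certificate")`. The string is also copied into the trust-anchor record unparsed, while the scheme plugin (the main.go hunks later in this patch) runs pem.Decode and x509.ParseCertificate on it at every verification; parsing it here would reject a malformed trust anchor at provisioning time instead of failing each attestation that references it. Note that the README example in this patch keeps the former `psa.iak-pub` value verbatim under `nitro.cert`, which looks like a bare public key rather than a PEM certificate. TaExtractor begins before the first hunk and makeTaAttrs continues after the second.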
@@ -68,10 +68,9 @@ func (s Scheme) ExtractClaims(token *proto.AttestationToken, trustAnchor string)
 new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims cast of %v to map[string]interface{} failed", ta_unmarshalled["attributes"])
 return nil, new_err
 }
-
- cert_pem, ok := contents["key"].(string)
+ cert_pem, ok := contents["nitro.cert"].(string)
 if !ok {
- new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims cast of %v to string failed", contents["nitro.iak-pub"])
+ new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ExtractVerifiedClaims cast of %v to string failed", contents["nitro.cert"])
 return nil, new_err
 }
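Review bot: The trust-anchor handling in this hunk — unmarshal, cast of `attributes`, cast of `nitro.cert` — is the same sequence ValidateEvidenceIntegrity performs in the next hunk (and, if ExtractClaims continues as that function does past this hunk, the pem.Decode and x509.ParseCertificate steps too), which is why the rename to nitro.cert had to be applied twice and every error message exists in two copies. A single helper returning the parsed *x509.Certificate removes the duplication, and wrapping with %w instead of %v lets callers inspect the underlying json or x509 error with errors.Is/As. ExtractClaims starts before this hunk; the sketch below would replace the duplicated block in both functions, with the method bodies then reduced to one call.
```go
// trustAnchorCert parses the PEM-encoded X.509 certificate stored under
// "nitro.cert" in a VERIFICATION_KEY trust-anchor record.
func trustAnchorCert(trustAnchor string) (*x509.Certificate, error) {
	var ta map[string]interface{}
	if err := json.Unmarshal([]byte(trustAnchor), &ta); err != nil {
		return nil, fmt.Errorf("scheme-aws-nitro: unmarshalling trust anchor: %w", err)
	}
	attrs, ok := ta["attributes"].(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("scheme-aws-nitro: trust anchor attributes are %T, want map[string]interface{}", ta["attributes"])
	}
	certPEM, ok := attrs["nitro.cert"].(string)
	if !ok {
		return nil, fmt.Errorf("scheme-aws-nitro: nitro.cert is %T, want string", attrs["nitro.cert"])
	}
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil {
		return nil, fmt.Errorf("scheme-aws-nitro: nitro.cert contains no PEM block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("scheme-aws-nitro: parsing nitro.cert: %w", err)
	}
	return cert, nil
}
// … unchanged: ExtractClaims / ValidateEvidenceIntegrity call trustAnchorCert(trustAnchor) in place of the inline block …
```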
@@ -157,32 +156,32 @@ func (s Scheme) ValidateEvidenceIntegrity(
 err := json.Unmarshal([]byte(trustAnchor), &ta_unmarshalled)
 if err != nil {
- new_err := fmt.Errorf("ValidateEvidenceIntegrityImpl call to json.Unmarshall failed:%v", err)
+ new_err := fmt.Errorf("ValidateEvidenceIntegrity call to json.Unmarshall failed:%v", err)
 return new_err
 }
 contents, ok := ta_unmarshalled["attributes"].(map[string]interface{})
 if !ok {
- new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl cast of %v to map[string]interface{} failed", ta_unmarshalled["attributes"])
+ new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrity cast of %v to map[string]interface{} failed", ta_unmarshalled["attributes"])
 return new_err
 }
- cert_pem, ok := contents["key"].(string)
+ cert_pem, ok := contents["nitro.cert"].(string)
 if !ok {
- new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl cast of %v to string failed", contents["nitro.iak-pub"])
+ new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrity cast of %v to string failed", contents["nitro.cert"])
 return new_err
 }
 cert_pem_bytes := []byte(cert_pem)
 cert_block, _ := pem.Decode(cert_pem_bytes)
 if cert_block == nil {
- new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to pem.Decode failed, but I don't know why")
+ new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrity call to pem.Decode failed, but I don't know why")
 return new_err
 }
 cert_der := cert_block.Bytes
 cert, err := x509.ParseCertificate(cert_der)
 if err != nil {
- new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to x509.ParseCertificate failed:%v", err)
+ new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrity call to x509.ParseCertificate failed:%v", err)
 return new_err
 }
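Review bot: The message on the json.Unmarshal failure, `ValidateEvidenceIntegrity call to json.Unmarshall failed:%v`, is the only one in this hunk without the `scheme-aws-nitro.Scheme.` prefix its siblings carry, and it misspells Unmarshal; since the hunk rewrites every message anyway, this was the moment to make them uniform. `pem.Decode` returns a nil block when the input holds no PEM block, so the "failed, but I don't know why" text can state the actual condition, e.g. `"scheme-aws-nitro.Scheme.ValidateEvidenceIntegrity: nitro.cert contains no PEM block"`, and the `%v` verbs on the unmarshal and ParseCertificate errors should be `%w` so the cause remains inspectable with errors.As. The function continues beyond the hunk.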
@@ -190,7 +189,7 @@ func (s Scheme) ValidateEvidenceIntegrity(
 _, err = nitro_enclave_attestation_document.AuthenticateDocument(token_data[1:], *cert)
 if err != nil {
- new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrityImpl call to AuthenticateDocument failed:%v", err)
+ new_err := fmt.Errorf("scheme-aws-nitro.Scheme.ValidateEvidenceIntegrity call to AuthenticateDocument failed:%v", err)
 return new_err
 }
 return nil
diff --git a/vts/plugins/scheme-aws-nitro/test/endorsements.json b/vts/plugins/scheme-aws-nitro/test/endorsements.json
index c3d1326b..0b66aae7 100644
--- a/vts/plugins/scheme-aws-nitro/test/endorsements.json
+++ b/vts/plugins/scheme-aws-nitro/test/endorsements.json
@@ -2,7 +2,7 @@
 "scheme": "AWS_NITRO",
 "type": "VERIFICATION_KEY",
 "attributes": {
- "key": "MIICETCCAZagAwIBAgIRAPkxdWgbkK/hHUbMtOTn+FYwCgYIKoZIzj0EAwMwSTELMAkGA1UEBhMCVVMxDzANBgNVBAoMBkFtYXpvbjEMMAoGA1UECwwDQVdTMRswGQYDVQQDDBJhd3Mubml0cm8tZW5jbGF2ZXMwHhcNMTkxMDI4MTMyODA1WhcNNDkxMDI4MTQyODA1WjBJMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQLDANBV1MxGzAZBgNVBAMMEmF3cy5uaXRyby1lbmNsYXZlczB2MBAGByqGSM49AgEGBSuBBAAiA2IABPwCVOumCMHzaHDimtqQvkY4MpJzbolL//Zy2YlES1BR5TSksfbb48C8WBoyt7F2Bw7eEtaaP+ohG2bnUs990d0JX28TcPQXCEPZ3BABIeTPYwEoCWZEh8l5YoQwTcU/9KNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkCW1DdkFR+eWw5b6cp3PmanfS5YwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2kAMGYCMQCjfy+Rocm9Xue4YnwWmNJVA44fA0P5W2OpYow9OYCVRaEevL8uO1XYru5xtMPWrfMCMQCi85sWBbJwKKXdS6BptQFuZbT73o/gBh1qUxl/nNr12UO8Yfwr6wPLb+6NIwLz3/Y="
+ "nitro.cert": "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"
 }
 }
diff --git a/vts/plugins/scheme-aws-nitro/test/ta-endorsements.json b/vts/plugins/scheme-aws-nitro/test/ta-endorsements.json
index a22e1501..84d09f8d 100644
--- a/vts/plugins/scheme-aws-nitro/test/ta-endorsements.json
+++ b/vts/plugins/scheme-aws-nitro/test/ta-endorsements.json
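Review bot: The context line `AuthenticateDocument(token_data[1:], *cert)` slices past the first byte with no length check visible, so a zero-length token payload would panic inside ValidateEvidenceIntegrity unless a guard exists earlier in the function, which starts outside this hunk; worth confirming, and an empty token should surface as an error rather than a panic in a verification service. In the endorsements.json fixture below, the value removed from `key` is bare base64 DER (it starts with `MIIC`), which the pem.Decode in the previous hunk would reject with a nil block; the replacement under `nitro.cert` is not visible in this view, so confirm the fixture now carries a PEM-armoured certificate, otherwise anything that loads it fails at pem.Decode.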
@@ -2,6 +2,6 @@
 "scheme":"AWS_NITRO",
 "type":"VERIFICATION_KEY",
 "attributes":{
- "key": ""
+ "nitro.cert": ""
 }
 }
\ No newline at end of file
diff --git a/vts/trustedservices/trustedservices_grpc.go b/vts/trustedservices/trustedservices_grpc.go
index 62d40dca..4b460395 100644
--- a/vts/trustedservices/trustedservices_grpc.go
+++ b/vts/trustedservices/trustedservices_grpc.go
@@ -313,9 +313,13 @@ func (o *GRPC) GetAttestation(
 o.logger.Debugw("constructed evidence context", "software-id", ec.SoftwareId, "trust-anchor-id", ec.TrustAnchorId)
- endorsements, err := o.EnStore.Get(ec.SoftwareId)
- if err != nil && !errors.Is(err, kvstore.ErrKeyNotFound) {
- return nil, err
+ var endorsements []string
+ if ec.SoftwareId != "" {
+ endorsements, err = o.EnStore.Get(ec.SoftwareId)
+ if err != nil && !errors.Is(err, kvstore.ErrKeyNotFound) {
+
+ return nil, err
+ }
 }
 if len(endorsements) > 0 {
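Review bot: The added `if err != nil && !errors.Is(err, kvstore.ErrKeyNotFound) {` block in the trustedservices_grpc.go hunk carries a stray blank line before `return nil, err`; drop it. When `ec.SoftwareId` is empty the endorsement lookup is now skipped silently and appraisal continues with no reference values, which is a state an operator will want to see in the logs; an `else` branch with `o.logger.Debugw("empty software id in evidence context, skipping endorsement lookup", "trust-anchor-id", ec.TrustAnchorId)` would make it visible next to the existing debug line. The new code also assigns to an `err` that must be declared earlier in GetAttestation, which begins before this hunk.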