diff --git a/handler/ievidencehandler.go b/handler/ievidencehandler.go index 46778a99..acb0712c 100644 --- a/handler/ievidencehandler.go +++ b/handler/ievidencehandler.go @@ -1,4 +1,4 @@ -// Copyright 2021-2023 Contributors to the Veraison project. +// Copyright 2021-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package handler diff --git a/handler/plugin.go b/handler/plugin.go index e235cdf7..7c76876d 100644 --- a/handler/plugin.go +++ b/handler/plugin.go @@ -19,3 +19,10 @@ func RegisterEvidenceHandler(i IEvidenceHandler) { panic(err) } } + +func RegisterStoreHandler(i IStoreHandler) { + err := plugin.RegisterImplementation("store-handler", i, StoreHandlerRPC) + if err != nil { + panic(err) + } +} diff --git a/scheme/cca-ssd-platform/evidence_handler_test.go b/scheme/cca-ssd-platform/evidence_handler_test.go index da740ace..6c5f6797 100644 --- a/scheme/cca-ssd-platform/evidence_handler_test.go +++ b/scheme/cca-ssd-platform/evidence_handler_test.go 
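Review bot: RegisterStoreHandler is exported but carries no doc comment, and the hunk gives a reader no hint of how a store handler differs from the evidence handler registered just above it; add `// RegisterStoreHandler registers i as this plugin's "store-handler" implementation; it panics if registration fails, matching RegisterEvidenceHandler.` above the declaration. IStoreHandler and StoreHandlerRPC are referenced here but defined nowhere in this diff, so they must already exist in the handler package for this to compile; worth confirming before merge. The panic-on-error style mirrors the sibling registrars, so there is no objection to it.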
@@ -12,71 +12,9 @@ import ( "github.com/stretchr/testify/require" "github.com/veraison/ear" - "github.com/veraison/services/handler" "github.com/veraison/services/proto" ) -var testNonce = []byte{ - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, -} - -func Test_GetTrustAnchorIDs_ok(t *testing.T) { - tokenBytes, err := os.ReadFile("test/cca-token.cbor") - require.NoError(t, err) - - token := proto.AttestationToken{ - TenantId: "1", - Data: tokenBytes, - Nonce: testNonce, - } - - expectedTaID := []string{"CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC"} - - scheme := &EvidenceHandler{} - - taID, err := scheme.GetTrustAnchorIDs(&token) - require.NoError(t, err) - assert.Equal(t, expectedTaID, taID) -} - -func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/ta-endorsements.json") - require.NoError(t, err) - - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := "CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI" - - scheme := &EvidenceHandler{} - key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) - -} - -func Test_SynthKeysFromRefValue_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/refval-endorsements.json") - require.NoError(t, err) - - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := 
"CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - - scheme := &EvidenceHandler{} - key_list, err := scheme.SynthKeysFromRefValue("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) -} - func Test_AppraiseEvidence_ok(t *testing.T) { // nolint: dupl extractedBytes, err := os.ReadFile("test/extracted.json") require.NoError(t, err) diff --git a/scheme/cca-ssd-platform/plugin/Makefile b/scheme/cca-ssd-platform/plugin/Makefile index 37f7dc14..33a74ffc 100644 --- a/scheme/cca-ssd-platform/plugin/Makefile +++ b/scheme/cca-ssd-platform/plugin/Makefile @@ -2,6 +2,7 @@ ifndef COMBINED_PLUGINS SUBDIR += endorsement-handler SUBDIR += evidence-handler + SUBDIR += store-handler else SUBDIR += combined endif diff --git a/scheme/cca-ssd-platform/plugin/combined/main.go b/scheme/cca-ssd-platform/plugin/combined/main.go index 57db6987..45960c9f 100644 --- a/scheme/cca-ssd-platform/plugin/combined/main.go +++ b/scheme/cca-ssd-platform/plugin/combined/main.go @@ -11,5 +11,6 @@ import ( func main() { handler.RegisterEndorsementHandler(&scheme.EndorsementHandler{}) handler.RegisterEvidenceHandler(&scheme.EvidenceHandler{}) + handler.RegisterStoreHandler(&scheme.StoreHandler{}) plugin.Serve() } diff --git a/scheme/cca-ssd-platform/plugin/store-handler/Makefile b/scheme/cca-ssd-platform/plugin/store-handler/Makefile new file mode 100644 index 00000000..3e67a556 --- /dev/null +++ b/scheme/cca-ssd-platform/plugin/store-handler/Makefile @@ -0,0 +1,11 @@ +# Copyright 2021 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../../../bin/cca-store-handler.plugin +GOPKG := github.com/veraison/services/scheme/cca-ssd-platform +SRCS := main.go + +include ../../../../mk/common.mk +include ../../../../mk/plugin.mk +include ../../../../mk/lint.mk +include ../../../../mk/test.mk 
diff --git a/scheme/cca-ssd-platform/plugin/store-handler/main.go b/scheme/cca-ssd-platform/plugin/store-handler/main.go
new file mode 100644
index 00000000..be166510
--- /dev/null
+++ b/scheme/cca-ssd-platform/plugin/store-handler/main.go
@@ -0,0 +1,14 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package main
+
+import (
+ "github.com/veraison/services/handler"
+ "github.com/veraison/services/plugin"
+ scheme "github.com/veraison/services/scheme/cca-ssd-platform"
+)
+
+func main() {
+ handler.RegisterStoreHandler(&scheme.StoreHandler{})
+ plugin.Serve()
+}
diff --git a/scheme/cca-ssd-platform/store_handler.go b/scheme/cca-ssd-platform/store_handler.go
new file mode 100644
index 00000000..9c0d42b3
--- /dev/null
+++ b/scheme/cca-ssd-platform/store_handler.go
@@ -0,0 +1,45 @@
+// Copyright 2021-2023 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package cca_ssd_platform
+
+import (
+ "github.com/veraison/services/handler"
+ "github.com/veraison/services/proto"
+ "github.com/veraison/services/scheme/common/arm"
+)
+
+type StoreHandler struct{}
+
+func (s StoreHandler) GetName() string {
+ return "cca-store-handler"
+}
+
+func (s StoreHandler) GetAttestationScheme() string {
+ return SchemeName
+}
+
+func (s StoreHandler) GetSupportedMediaTypes() []string {
+ return nil
+}
+
+func (s StoreHandler) SynthKeysFromRefValue(
+ tenantID string,
+ refVal *handler.Endorsement,
+) ([]string, error) {
+ return arm.SynthKeysFromRefValue(SchemeName, tenantID, refVal)
+
+}
+
+func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) {
+
+ return arm.SynthKeysFromTrustAnchors(SchemeName, tenantID, ta)
+}
+
+func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) {
+ ta, err := arm.GetTrustAnchorID(SchemeName, token)
+ if err != nil {
+ return []string{""}, err
+ }
+ return []string{ta}, nil
+}
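Review bot: GetTrustAnchorIDs returns `[]string{""}` alongside a non-nil error, which hands any caller that does not check the error a bogus empty lookup key; return `nil, err` instead, and the same applies to GetTrustAnchorIDs in parsec-cca/store_handler.go and parsec-tpm/store_handler.go later in this diff. Whether the error from arm.GetTrustAnchorID is already classified as bad evidence cannot be seen here; the parsec-tpm handler wraps its decode failure in handler.BadEvidence, so if arm does not, this one should do the same for a consistent error class across schemes. StoreHandler and its exported methods carry no doc comments; a type comment such as `// StoreHandler derives the lookup keys under which CCA SSD platform endorsements and trust anchors are stored and found, delegating to the common arm helpers.` plus a one-line note on why GetSupportedMediaTypes returns nil would make the role of the new plugin clear. The stray blank lines inside the two SynthKeys bodies and the 2021-2023 copyright line on a file added alongside 2024-dated siblings are cosmetic.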
diff --git a/scheme/cca-ssd-platform/store_handler_test.go b/scheme/cca-ssd-platform/store_handler_test.go
new file mode 100644
index 00000000..356d66a9
--- /dev/null
+++ b/scheme/cca-ssd-platform/store_handler_test.go
@@ -0,0 +1,77 @@
+// Copyright 2021-2023 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package cca_ssd_platform
+
+import (
+ "encoding/json"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/veraison/services/handler"
+ "github.com/veraison/services/proto"
+)
+
+var testNonce = []byte{
+ 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42,
+ 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42,
+ 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42,
+ 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42,
+ 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42,
+ 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42,
+ 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42,
+ 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42,
+}
+
+func Test_GetTrustAnchorIDs_ok(t *testing.T) {
+ tokenBytes, err := os.ReadFile("test/cca-token.cbor")
+ require.NoError(t, err)
+
+ token := proto.AttestationToken{
+ TenantId: "1",
+ Data: tokenBytes,
+ Nonce: testNonce,
+ }
+
+ expectedTaID := []string{"CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC"}
+
+ scheme := &StoreHandler{}
+
+ taID, err := scheme.GetTrustAnchorIDs(&token)
+ require.NoError(t, err)
+ assert.Equal(t, expectedTaID, taID)
+}
+
+func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) {
+ endorsementsBytes, err := os.ReadFile("test/ta-endorsements.json")
+ require.NoError(t, err)
+
+ var endors handler.Endorsement
+ err = json.Unmarshal(endorsementsBytes, &endors)
+ require.NoError(t, err)
+ expectedKey := "CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI"
+
+ scheme := &StoreHandler{}
+ key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors)
+ require.NoError(t, err)
+ assert.Equal(t, expectedKey, key_list[0])
+
+}
+
+func Test_SynthKeysFromRefValue_ok(t *testing.T) {
+ endorsementsBytes, err := 
os.ReadFile("test/refval-endorsements.json") + require.NoError(t, err) + + var endors handler.Endorsement + err = json.Unmarshal(endorsementsBytes, &endors) + require.NoError(t, err) + expectedKey := "CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" + + scheme := &StoreHandler{} + key_list, err := scheme.SynthKeysFromRefValue("1", &endors) + require.NoError(t, err) + assert.Equal(t, expectedKey, key_list[0]) +} diff --git a/scheme/parsec-cca/evidence_handler_test.go b/scheme/parsec-cca/evidence_handler_test.go index 9f93ef50..8941d2cb 100644 --- a/scheme/parsec-cca/evidence_handler_test.go +++ b/scheme/parsec-cca/evidence_handler_test.go @@ -12,28 +12,9 @@ import ( "github.com/stretchr/testify/require" "github.com/veraison/ear" - "github.com/veraison/services/handler" "github.com/veraison/services/proto" ) -func Test_GetTrustAnchorIDs_ok(t *testing.T) { - tokenBytes, err := os.ReadFile("test/evidence/evidence.cbor") - require.NoError(t, err) - - token := proto.AttestationToken{ - TenantId: "1", - Data: tokenBytes, - } - - expectedTaID := "PARSEC_CCA://1/f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=/AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY" - - handler := &EvidenceHandler{} - - taIDs, err := handler.GetTrustAnchorIDs(&token) - require.NoError(t, err) - assert.Equal(t, expectedTaID, taIDs[0]) -} - func Test_ExtractClaims_ok(t *testing.T) { tokenBytes, err := os.ReadFile("test/evidence/evidence.cbor") require.NoError(t, err) 
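Review bot: The two SynthKeys tests index `key_list[0]` straight after require.NoError without checking that the slice is non-empty, so an implementation that returns an empty key list fails with an index panic rather than a readable assertion; add `require.Len(t, key_list, 1)` before the assert and rename `key_list` to `keyList` (the same pattern appears in parsec-cca/store_handler_test.go and parsec-tpm/store_handler_test.go further down). All three new test files cover only the success path; a malformed-token case for GetTrustAnchorIDs asserting that an error is returned would pin the failure behaviour the store handler is relied on for. The blank line before the closing brace of Test_SynthKeysFromTrustAnchor_ok is cosmetic.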
@@ -206,37 +187,6 @@ func Test_AppraiseEvidence_ok(t *testing.T) { assert.Equal(t, attestation.TrustVector.Configuration, ear.ApprovedConfigClaim) } -func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/evidence/ta_endorsements.json") - require.NoError(t, err) - - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := "PARSEC_CCA://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI" - - scheme := &EvidenceHandler{} - key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) - -} - -func Test_SynthKeysFromRefValue_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/evidence/refval_endorsement.json") - require.NoError(t, err) - - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := "PARSEC_CCA://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - - scheme := &EvidenceHandler{} - key_list, err := scheme.SynthKeysFromRefValue("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) -} - func Test_GetName_ok(t *testing.T) { scheme := &EvidenceHandler{} expectedName := "parsec-cca-evidence-handler" diff --git a/scheme/parsec-cca/plugin/Makefile b/scheme/parsec-cca/plugin/Makefile index 3f2ad321..b05ea59a 100644 --- a/scheme/parsec-cca/plugin/Makefile +++ b/scheme/parsec-cca/plugin/Makefile @@ -4,6 +4,7 @@ ifndef COMBINED_PLUGINS SUBDIR += endorsement-handler SUBDIR += evidence-handler + SUBDIR += store-handler else SUBDIR += combined endif diff --git a/scheme/parsec-cca/plugin/combined/main.go b/scheme/parsec-cca/plugin/combined/main.go index 4e83285a..c6b68123 100644 --- a/scheme/parsec-cca/plugin/combined/main.go +++ b/scheme/parsec-cca/plugin/combined/main.go 
@@ -11,5 +11,6 @@ import ( func main() { handler.RegisterEndorsementHandler(&scheme.EndorsementHandler{}) handler.RegisterEvidenceHandler(&scheme.EvidenceHandler{}) + handler.RegisterStoreHandler(&scheme.StoreHandler{}) plugin.Serve() } diff --git a/scheme/parsec-cca/plugin/store-handler/Makefile b/scheme/parsec-cca/plugin/store-handler/Makefile new file mode 100644 index 00000000..2313fee5 --- /dev/null +++ b/scheme/parsec-cca/plugin/store-handler/Makefile @@ -0,0 +1,11 @@ +# Copyright 2021 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../../../bin/parsec-cca-store-handler.plugin +GOPKG := github.com/veraison/services/scheme/parsec-cca +SRCS := main.go + +include ../../../../mk/common.mk +include ../../../../mk/plugin.mk +include ../../../../mk/lint.mk +include ../../../../mk/test.mk diff --git a/scheme/parsec-cca/plugin/store-handler/main.go b/scheme/parsec-cca/plugin/store-handler/main.go new file mode 100644 index 00000000..7f57556c --- /dev/null +++ b/scheme/parsec-cca/plugin/store-handler/main.go @@ -0,0 +1,14 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package main + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/plugin" + scheme "github.com/veraison/services/scheme/parsec-cca" +) + +func main() { + handler.RegisterStoreHandler(&scheme.StoreHandler{}) + plugin.Serve() +} diff --git a/scheme/parsec-cca/store_handler.go b/scheme/parsec-cca/store_handler.go new file mode 100644 index 00000000..b4feeb4c --- /dev/null +++ b/scheme/parsec-cca/store_handler.go 
@@ -0,0 +1,44 @@
+// Copyright 2023 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package parsec_cca
+
+import (
+ "github.com/veraison/services/handler"
+ "github.com/veraison/services/proto"
+ "github.com/veraison/services/scheme/common/arm"
+)
+
+type StoreHandler struct{}
+
+func (s StoreHandler) GetName() string {
+ return "parsec-cca-store-handler"
+}
+
+func (s StoreHandler) GetAttestationScheme() string {
+ return SchemeName
+}
+
+func (s StoreHandler) GetSupportedMediaTypes() []string {
+ return nil
+}
+
+func (s StoreHandler) SynthKeysFromRefValue(
+ tenantID string,
+ refVal *handler.Endorsement,
+) ([]string, error) {
+
+ return arm.SynthKeysFromRefValue(SchemeName, tenantID, refVal)
+}
+
+func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) {
+
+ return arm.SynthKeysFromTrustAnchors(SchemeName, tenantID, ta)
+}
+
+func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) {
+ ta, err := arm.GetTrustAnchorID(SchemeName, token)
+ if err != nil {
+ return []string{""}, err
+ }
+ return []string{ta}, nil
+}
diff --git a/scheme/parsec-cca/store_handler_test.go b/scheme/parsec-cca/store_handler_test.go
new file mode 100644
index 00000000..ec0959b4
--- /dev/null
+++ b/scheme/parsec-cca/store_handler_test.go
@@ -0,0 +1,64 @@
+// Copyright 2023 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package parsec_cca
+
+import (
+ "encoding/json"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/veraison/services/handler"
+ "github.com/veraison/services/proto"
+)
+
+func Test_GetTrustAnchorIDs_ok(t *testing.T) {
+ tokenBytes, err := os.ReadFile("test/evidence/evidence.cbor")
+ require.NoError(t, err)
+
+ token := proto.AttestationToken{
+ TenantId: "1",
+ Data: tokenBytes,
+ }
+
+ expectedTaID := "PARSEC_CCA://1/f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=/AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY"
+
+ handler := &StoreHandler{}
+
+ taIDs, err := handler.GetTrustAnchorIDs(&token)
+ require.NoError(t, err)
+ assert.Equal(t, expectedTaID, taIDs[0])
+}
+
+func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) {
+ endorsementsBytes, err := os.ReadFile("test/evidence/ta_endorsements.json")
+ require.NoError(t, err)
+
+ var endors handler.Endorsement
+ err = json.Unmarshal(endorsementsBytes, &endors)
+ require.NoError(t, err)
+ expectedKey := "PARSEC_CCA://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI"
+
+ scheme := &StoreHandler{}
+ key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors)
+ require.NoError(t, err)
+ assert.Equal(t, expectedKey, key_list[0])
+
+}
+
+func Test_SynthKeysFromRefValue_ok(t *testing.T) {
+ endorsementsBytes, err := os.ReadFile("test/evidence/refval_endorsement.json")
+ require.NoError(t, err)
+
+ var endors handler.Endorsement
+ err = json.Unmarshal(endorsementsBytes, &endors)
+ require.NoError(t, err)
+ expectedKey := "PARSEC_CCA://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
+
+ scheme := &StoreHandler{}
+ key_list, err := scheme.SynthKeysFromRefValue("1", &endors)
+ require.NoError(t, err)
+ assert.Equal(t, expectedKey, key_list[0])
+}
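Review bot: In Test_GetTrustAnchorIDs_ok the local `handler := &StoreHandler{}` shadows the imported handler package for the rest of the function; it compiles only because nothing from the package is used after that line, and it reads wrongly next to the `handler.Endorsement` references in the two sibling tests. Rename it to `scheme := &StoreHandler{}`, as the other tests in this file already do; the same shadowing is in parsec-tpm/store_handler_test.go below. `taIDs[0]` is also indexed without a length check, so a `require.Len(t, taIDs, 1)` first would turn an empty result into a clear failure.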
diff --git a/scheme/parsec-tpm/evidence_handler_test.go b/scheme/parsec-tpm/evidence_handler_test.go index b8b6f580..3d867949 100644 --- a/scheme/parsec-tpm/evidence_handler_test.go +++ b/scheme/parsec-tpm/evidence_handler_test.go @@ -11,28 +11,9 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/veraison/services/handler" "github.com/veraison/services/proto" ) -func Test_GetTrustAnchorIDs_ok(t *testing.T) { - tokenBytes, err := os.ReadFile("test/evidence/evidence.cbor") - require.NoError(t, err) - - token := proto.AttestationToken{ - TenantId: "1", - Data: tokenBytes, - } - - expectedTaID := "PARSEC_TPM://1/AYiFVFnuuemzSkbrSMs58vaqadoEUioybRI9XFAfziEM" - - handler := &EvidenceHandler{} - - taIDs, err := handler.GetTrustAnchorIDs(&token) - require.NoError(t, err) - assert.Equal(t, []string{expectedTaID}, taIDs) -} - func Test_ExtractClaims_ok(t *testing.T) { tokenBytes, err := os.ReadFile("test/evidence/evidence.cbor") require.NoError(t, err) 
@@ -224,37 +205,6 @@ func Test_AppraiseEvidence_ok(t *testing.T) { require.NoError(t, err) } -func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/evidence/ta_endorsements.json") - require.NoError(t, err) - - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := "PARSEC_TPM://1/AagIEsUMYDNxd1p5UuAACkxJGfJf9rcUZ/oyRFHDcAxn" - - scheme := &EvidenceHandler{} - key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) - -} - -func Test_SynthKeysFromRefValue_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/evidence/refval-endorsements.json") - require.NoError(t, err) - - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := "PARSEC_TPM://1/cd1f0e55-26f9-460d-b9d8-f7fde171787c" - - scheme := &EvidenceHandler{} - key_list, err := scheme.SynthKeysFromRefValue("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) -} - func Test_GetName_ok(t *testing.T) { scheme := &EvidenceHandler{} expectedName := "parsec-tpm-evidence-handler" diff --git a/scheme/parsec-tpm/plugin/Makefile b/scheme/parsec-tpm/plugin/Makefile index 3f2ad321..b05ea59a 100644 --- a/scheme/parsec-tpm/plugin/Makefile +++ b/scheme/parsec-tpm/plugin/Makefile @@ -4,6 +4,7 @@ ifndef COMBINED_PLUGINS SUBDIR += endorsement-handler SUBDIR += evidence-handler + SUBDIR += store-handler else SUBDIR += combined endif diff --git a/scheme/parsec-tpm/plugin/combined/main.go b/scheme/parsec-tpm/plugin/combined/main.go index 7ecf5f9e..738d5887 100644 --- a/scheme/parsec-tpm/plugin/combined/main.go +++ b/scheme/parsec-tpm/plugin/combined/main.go 
@@ -11,5 +11,6 @@ import ( func main() { handler.RegisterEndorsementHandler(&scheme.EndorsementHandler{}) handler.RegisterEvidenceHandler(&scheme.EvidenceHandler{}) + handler.RegisterStoreHandler(&scheme.StoreHandler{}) plugin.Serve() } diff --git a/scheme/parsec-tpm/plugin/store-handler/Makefile b/scheme/parsec-tpm/plugin/store-handler/Makefile new file mode 100644 index 00000000..8a812b75 --- /dev/null +++ b/scheme/parsec-tpm/plugin/store-handler/Makefile @@ -0,0 +1,11 @@ +# Copyright 2021 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../../../bin/parsec-tpm-store-handler.plugin +GOPKG := github.com/veraison/services/scheme/parsec-tpm +SRCS := main.go + +include ../../../../mk/common.mk +include ../../../../mk/plugin.mk +include ../../../../mk/lint.mk +include ../../../../mk/test.mk diff --git a/scheme/parsec-tpm/plugin/store-handler/main.go b/scheme/parsec-tpm/plugin/store-handler/main.go new file mode 100644 index 00000000..8d6ffeb2 --- /dev/null +++ b/scheme/parsec-tpm/plugin/store-handler/main.go @@ -0,0 +1,14 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package main + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/plugin" + scheme "github.com/veraison/services/scheme/parsec-tpm" +) + +func main() { + handler.RegisterStoreHandler(&scheme.StoreHandler{}) + plugin.Serve() +} diff --git a/scheme/parsec-tpm/store_handler.go b/scheme/parsec-tpm/store_handler.go new file mode 100644 index 00000000..e44ed8f4 --- /dev/null +++ b/scheme/parsec-tpm/store_handler.go 
@@ -0,0 +1,51 @@
+// Copyright 2023 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package parsec_tpm
+
+import (
+ "encoding/base64"
+ "errors"
+
+ "github.com/veraison/parsec/tpm"
+ "github.com/veraison/services/handler"
+ "github.com/veraison/services/proto"
+)
+
+type StoreHandler struct{}
+
+func (s StoreHandler) GetName() string {
+ return "parsec-tpm-store-handler"
+}
+
+func (s StoreHandler) GetAttestationScheme() string {
+ return SchemeName
+}
+
+func (s StoreHandler) GetSupportedMediaTypes() []string {
+ return nil
+}
+
+func (s StoreHandler) SynthKeysFromRefValue(tenantID string, refVals *handler.Endorsement) ([]string, error) {
+ return synthKeysFromAttr(ScopeRefValues, tenantID, refVals.Attributes)
+}
+
+func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) {
+ return synthKeysFromAttr(ScopeTrustAnchor, tenantID, ta.Attributes)
+}
+
+func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) {
+ var ev tpm.Evidence
+ err := ev.FromCBOR(token.Data)
+ if err != nil {
+ return []string{""}, handler.BadEvidence(err)
+ }
+
+ kat := ev.Kat
+ if kat == nil {
+ return []string{""}, errors.New("no key attestation token to fetch Key ID")
+ }
+ kid := *kat.KID
+ instance_id := base64.StdEncoding.EncodeToString(kid)
+ return []string{tpmLookupKey(ScopeTrustAnchor, token.TenantId, "", instance_id)}, nil
+
+}
diff --git a/scheme/parsec-tpm/store_handler_test.go b/scheme/parsec-tpm/store_handler_test.go
new file mode 100644
index 00000000..8e07f076
--- /dev/null
+++ b/scheme/parsec-tpm/store_handler_test.go
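Review bot: GetTrustAnchorIDs dereferences `*kat.KID` after guarding only `kat == nil`, so a decoded token whose key attestation token carries no KID crashes the handler with a nil-pointer panic instead of returning an error; since the token is attester-supplied and unverified at this point, the guard should be `if kat == nil || kat.KID == nil {` returning `nil, handler.BadEvidence(errors.New("no key attestation token or key ID to derive trust anchor ID"))`. That also fixes the inconsistency that the decode failure is classed as bad evidence while the missing-KAT case is a bare error, and drops the `[]string{""}` partial result returned with an error. `instance_id` should be `instanceID`, and the blank line before the closing brace is cosmetic.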
@@ -0,0 +1,64 @@
+// Copyright 2023 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package parsec_tpm
+
+import (
+ "encoding/json"
+ "os"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+
+ "github.com/veraison/services/handler"
+ "github.com/veraison/services/proto"
+)
+
+func Test_GetTrustAnchorIDs_ok(t *testing.T) {
+ tokenBytes, err := os.ReadFile("test/evidence/evidence.cbor")
+ require.NoError(t, err)
+
+ token := proto.AttestationToken{
+ TenantId: "1",
+ Data: tokenBytes,
+ }
+
+ expectedTaID := "PARSEC_TPM://1/AYiFVFnuuemzSkbrSMs58vaqadoEUioybRI9XFAfziEM"
+
+ handler := &StoreHandler{}
+
+ taIDs, err := handler.GetTrustAnchorIDs(&token)
+ require.NoError(t, err)
+ assert.Equal(t, []string{expectedTaID}, taIDs)
+}
+
+func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) {
+ endorsementsBytes, err := os.ReadFile("test/evidence/ta_endorsements.json")
+ require.NoError(t, err)
+
+ var endors handler.Endorsement
+ err = json.Unmarshal(endorsementsBytes, &endors)
+ require.NoError(t, err)
+ expectedKey := "PARSEC_TPM://1/AagIEsUMYDNxd1p5UuAACkxJGfJf9rcUZ/oyRFHDcAxn"
+
+ scheme := &StoreHandler{}
+ key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors)
+ require.NoError(t, err)
+ assert.Equal(t, expectedKey, key_list[0])
+
+}
+
+func Test_SynthKeysFromRefValue_ok(t *testing.T) {
+ endorsementsBytes, err := os.ReadFile("test/evidence/refval-endorsements.json")
+ require.NoError(t, err)
+
+ var endors handler.Endorsement
+ err = json.Unmarshal(endorsementsBytes, &endors)
+ require.NoError(t, err)
+ expectedKey := "PARSEC_TPM://1/cd1f0e55-26f9-460d-b9d8-f7fde171787c"
+
+ scheme := &StoreHandler{}
+ key_list, err := scheme.SynthKeysFromRefValue("1", &endors)
+ require.NoError(t, err)
+ assert.Equal(t, expectedKey, key_list[0])
+}