[WIP] First stage of changes to EvidenceHanlder Interface

Signed-off-by: Yogesh Deshpande <[email protected]>

handler/evidence_rpc.go

@@ -82,7 +82,7 @@ func (s *RPCServer) SynthKeysFromTrustAnchor(args SynthKeysArgs, resp *[]string)
 	return err
 }
 
-func (s *RPCServer) GetTrustAnchorID(data []byte, resp *string) error {
+func (s *RPCServer) GetTrustAnchorID(data []byte, resp *[]string) error {
 	var (
 		err   error
 		token proto.AttestationToken
@@ -100,7 +100,7 @@ func (s *RPCServer) GetTrustAnchorID(data []byte, resp *string) error {
 
 type ExtractClaimsArgs struct {
 	Token       []byte
-	TrustAnchor string
+	TrustAnchor []string
 }
 
 func (s *RPCServer) ExtractClaims(args ExtractClaimsArgs, resp *[]byte) error {
@@ -123,7 +123,7 @@ func (s *RPCServer) ExtractClaims(args ExtractClaimsArgs, resp *[]byte) error {
 
 type ValidateEvidenceIntegrityArgs struct {
 	Token        []byte
-	TrustAnchor  string
+	TrustAnchor  []string
 	Endorsements []string
 }
 
@@ -262,28 +262,28 @@ func (s *RPCClient) SynthKeysFromTrustAnchor(tenantID string, ta *Endorsement) (
 	return resp, nil
 }
 
-func (s *RPCClient) GetTrustAnchorID(token *proto.AttestationToken) (string, error) {
+func (s *RPCClient) GetTrustAnchorID(token *proto.AttestationToken) ([]string, error) {
 	var (
 		err  error
 		data []byte
-		resp string
+		resp []string
 	)
 
 	data, err = json.Marshal(token)
 	if err != nil {
-		return "", fmt.Errorf("marshaling token: %w", err)
+		return []string{""}, fmt.Errorf("marshaling token: %w", err)
 	}
 
 	err = s.client.Call("Plugin.GetTrustAnchorID", data, &resp)
 	if err != nil {
 		err = ParseError(err)
-		return "", fmt.Errorf("Plugin.GetTrustAnchorID RPC call failed: %w", err) // nolint
+		return []string{""}, fmt.Errorf("Plugin.GetTrustAnchorID RPC call failed: %w", err) // nolint
 	}
 
 	return resp, nil
 }
 
-func (s *RPCClient) ExtractEvidence(token *proto.AttestationToken, trustAnchor string) (*ExtractedClaims, error) {
+func (s *RPCClient) ExtractEvidence(token *proto.AttestationToken, trustAnchor []string) (*ExtractedClaims, error) {
 	var (
 		err       error
 		args      ExtractClaimsArgs
@@ -313,7 +313,7 @@ func (s *RPCClient) ExtractEvidence(token *proto.AttestationToken, trustAnchor s
 
 func (s *RPCClient) ValidateEvidenceIntegrity(
 	token *proto.AttestationToken,
-	trustAnchor string,
+	trustAnchor []string,
 	endorsements []string,
 ) error {
 	var (
@@ -360,7 +360,7 @@ func (s *RPCClient) AppraiseEvidence(ec *proto.EvidenceContext, endorsements []s
 	return &result, err
 }
 
-func (s *RPCClient) ExtractClaims(token *proto.AttestationToken, trustAnchor string) (*ExtractedClaims, error) {
+func (s *RPCClient) ExtractClaims(token *proto.AttestationToken, trustAnchor []string) (*ExtractedClaims, error) {
 	var (
 		err             error
 		args            ExtractClaimsArgs

handler/ievidencehandler.go

@@ -17,18 +17,19 @@ type IEvidenceHandler interface {
 	// GetTrustAnchorID returns a string ID used to retrieve a trust anchor
 	// for this token. The trust anchor may be necessary to validate the
 	// token and/or extract its claims (if it is encrypted).
-	GetTrustAnchorID(token *proto.AttestationToken) (string, error)
+	GetTrustAnchorID(token *proto.AttestationToken) ([]string, error)
 
 	// ExtractClaims parses the attestation token and returns claims
 	// extracted therefrom.
 	ExtractClaims(
 		token *proto.AttestationToken,
-		trustAnchor string,
+		trustAnchors []string,
 	) (*ExtractedClaims, error)
 
 	// ValidateEvidenceIntegrity verifies the structural integrity and validity of the
 	// token. The exact checks performed are scheme-specific, but they
-	// would typically involve, at the least, verifying the token's
+	//ines the interface to functionality for working with
+	// attestation sche/ would typically involve, at the least, verifying the token's
 	// signature using the provided trust anchor and endorsements. If the
 	// validation fails, an error detailing what went wrong is returned.
 	// Note: key material required to  validate the token would typically be
@@ -44,7 +45,7 @@ type IEvidenceHandler interface {
 	// (i.e. signature not matching).
 	ValidateEvidenceIntegrity(
 		token *proto.AttestationToken,
-		trustAnchor string,
+		trustAnchors []string,
 		endorsementsStrings []string,
 	) error
 
@@ -72,7 +73,7 @@ type IEvidenceHandler interface {
 //	generated from claims extracted from the token
 type ExtractedClaims struct {
 	ClaimsSet   map[string]interface{} `json:"claims-set"`
-	ReferenceID string                 `json:"reference-id"`
+	ReferenceID []string               `json:"reference-id"`
 	// please refer issue #106 for unprocessed claim set
 }
 

proto/evidence.proto

@@ -7,7 +7,7 @@ option go_package = "github.com/veraison/services/proto";
 
 message EvidenceContext {
   string tenant_id = 1 [json_name = "tenant-id"];
-  string trust_anchor_id = 2 [json_name = "trust-anchor-id"];
-  string reference_id = 3 [json_name = "reference-id"];
+  repeated string trust_anchor_id = 2 [json_name = "trust-anchor-id"];
+  repeated string reference_id = 3 [json_name = "reference-id"];
   google.protobuf.Struct evidence = 5;
 }

scheme/cca-ssd-platform/evidence_handler.go

@@ -46,13 +46,17 @@ func (s EvidenceHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.E
 	return arm.SynthKeysFromTrustAnchors(SchemeName, tenantID, ta)
 }
 
-func (s EvidenceHandler) GetTrustAnchorID(token *proto.AttestationToken) (string, error) {
-	return arm.GetTrustAnchorID(SchemeName, token)
+func (s EvidenceHandler) GetTrustAnchorID(token *proto.AttestationToken) ([]string, error) {
+	ta, err := arm.GetTrustAnchorID(SchemeName, token)
+	if err != nil {
+		return nil, err
+	}
+	return []string{ta}, nil
 }
 
 func (s EvidenceHandler) ExtractClaims(
 	token *proto.AttestationToken,
-	trustAnchor string,
+	trustAnchors []string,
 ) (*handler.ExtractedClaims, error) {
 
 	var ccaToken ccatoken.Evidence
@@ -80,11 +84,11 @@ func (s EvidenceHandler) ExtractClaims(
 		"realm":    realmClaimsSet,
 	}
 
-	extracted.ReferenceID = arm.RefValLookupKey(
+	extracted.ReferenceID = []string{arm.RefValLookupKey(
 		SchemeName,
 		token.TenantId,
 		arm.MustImplIDString(ccaToken.PlatformClaims),
-	)
+	)}
 	log.Debugf("extracted Reference ID Key = %s", extracted.ReferenceID)
 	return &extracted, nil
 }
@@ -95,7 +99,7 @@ func (s EvidenceHandler) ExtractClaims(
 // realm token.
 func (s EvidenceHandler) ValidateEvidenceIntegrity(
 	token *proto.AttestationToken,
-	trustAnchor string,
+	trustAnchors []string,
 	endorsementsStrings []string,
 ) error {
 	var (
@@ -125,7 +129,7 @@ func (s EvidenceHandler) ValidateEvidenceIntegrity(
 		)
 	}
 
-	pk, err := arm.GetPublicKeyFromTA(SchemeName, trustAnchor)
+	pk, err := arm.GetPublicKeyFromTA(SchemeName, trustAnchors[0])
 	if err != nil {
 		return fmt.Errorf("could not get public key from trust anchor: %w", err)
 	}

scheme/cca-ssd-platform/evidence_handler_test.go

@@ -37,7 +37,7 @@ func Test_GetTrustAnchorID_ok(t *testing.T) {
 		Nonce:    testNonce,
 	}
 
-	expectedTaID := "CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC"
+	expectedTaID := []string{"CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC"}
 
 	scheme := &EvidenceHandler{}
 
@@ -169,8 +169,9 @@ func Test_ExtractVerifiedClaims_ok(t *testing.T) {
 		Data:     tokenBytes,
 		Nonce:    testNonce,
 	}
+	ta := string(taEndValBytes)
 
-	extracted, err := scheme.ExtractClaims(&token, string(taEndValBytes))
+	extracted, err := scheme.ExtractClaims(&token, []string{ta})
 	platformClaims := extracted.ClaimsSet["platform"].(map[string]interface{})
 
 	require.NoError(t, err)
@@ -198,8 +199,9 @@ func Test_ValidateEvidenceIntegrity_ok(t *testing.T) {
 		Data:     tokenBytes,
 		Nonce:    testNonce,
 	}
+	ta := string(taEndValBytes)
 
-	err = scheme.ValidateEvidenceIntegrity(&token, string(taEndValBytes), nil)
+	err = scheme.ValidateEvidenceIntegrity(&token, []string{ta}, nil)
 
 	assert.NoError(t, err)
 }
@@ -220,7 +222,8 @@ func Test_ValidateEvidenceIntegrity_invalid_key(t *testing.T) {
 	}
 	expectedErr := `could not get public key from trust anchor: could not decode subject public key info: unsupported key type: "PRIVATE KEY"`
 
-	err = scheme.ValidateEvidenceIntegrity(&token, string(taEndValBytes), nil)
+	ta := string(taEndValBytes)
+	err = scheme.ValidateEvidenceIntegrity(&token, []string{ta}, nil)
 	assert.EqualError(t, err, expectedErr)
 }
 

scheme/parsec-cca/evidence_handler.go

@@ -51,11 +51,15 @@ func (s EvidenceHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.E
 	return arm.SynthKeysFromTrustAnchors(SchemeName, tenantID, ta)
 }
 
-func (s EvidenceHandler) GetTrustAnchorID(token *proto.AttestationToken) (string, error) {
-	return arm.GetTrustAnchorID(SchemeName, token)
+func (s EvidenceHandler) GetTrustAnchorID(token *proto.AttestationToken) ([]string, error) {
+	ta, err := arm.GetTrustAnchorID(SchemeName, token)
+	if err != nil {
+		return nil, err
+	}
+	return []string{ta}, nil
 }
 
-func (s EvidenceHandler) ExtractClaims(token *proto.AttestationToken, trustAnchor string) (*handler.ExtractedClaims, error) {
+func (s EvidenceHandler) ExtractClaims(token *proto.AttestationToken, trustAnchors []string) (*handler.ExtractedClaims, error) {
 	var (
 		extracted handler.ExtractedClaims
 		evidence  parsec_cca.Evidence
@@ -89,16 +93,16 @@ func (s EvidenceHandler) ExtractClaims(token *proto.AttestationToken, trustAncho
 
 	extracted.ClaimsSet = claimsSet
 
-	extracted.ReferenceID = arm.RefValLookupKey(
+	extracted.ReferenceID = []string{arm.RefValLookupKey(
 		SchemeName,
 		token.TenantId,
 		arm.MustImplIDString(evidence.Pat.PlatformClaims),
-	)
+	)}
 	log.Debugf("extracted Reference ID Key = %s", extracted.ReferenceID)
 	return &extracted, nil
 }
 
-func (s EvidenceHandler) ValidateEvidenceIntegrity(token *proto.AttestationToken, trustAnchor string, endorsements []string) error {
+func (s EvidenceHandler) ValidateEvidenceIntegrity(token *proto.AttestationToken, trustAnchors []string, endorsements []string) error {
 	var (
 		evidence parsec_cca.Evidence
 	)
@@ -107,7 +111,7 @@ func (s EvidenceHandler) ValidateEvidenceIntegrity(token *proto.AttestationToken
 		return handler.BadEvidence(err)
 	}
 
-	pk, err := arm.GetPublicKeyFromTA(SchemeName, trustAnchor)
+	pk, err := arm.GetPublicKeyFromTA(SchemeName, trustAnchors[0])
 	if err != nil {
 		return fmt.Errorf("could not get public key from trust anchor: %w", err)
 	}

scheme/parsec-cca/evidence_handler_test.go

@@ -29,9 +29,9 @@ func Test_GetTrustAnchorID_ok(t *testing.T) {
 
 	handler := &EvidenceHandler{}
 
-	taID, err := handler.GetTrustAnchorID(&token)
+	taIDs, err := handler.GetTrustAnchorID(&token)
 	require.NoError(t, err)
-	assert.Equal(t, expectedTaID, taID)
+	assert.Equal(t, expectedTaID, taIDs[0])
 }
 
 func Test_ExtractClaims_ok(t *testing.T) {
@@ -48,7 +48,8 @@ func Test_ExtractClaims_ok(t *testing.T) {
 		Data:     tokenBytes,
 	}
 
-	_, err = handler.ExtractClaims(&token, string(taEndValBytes))
+	ta := string(taEndValBytes)
+	_, err = handler.ExtractClaims(&token, []string{ta})
 	require.NoError(t, err)
 }
 
@@ -65,8 +66,8 @@ func Test_ExtractClaims_nok_bad_evidence(t *testing.T) {
 		TenantId: "0",
 		Data:     tokenBytes,
 	}
-
-	_, err = h.ExtractClaims(&token, string(taEndValBytes))
+	ta := string(taEndValBytes)
+	_, err = h.ExtractClaims(&token, []string{ta})
 	err1 := errors.Unwrap(err)
 	require.NotNil(t, err1)
 	assert.EqualError(t, err1, expectedErr)
@@ -83,7 +84,8 @@ func Test_ValidateEvidenceIntegrity_ok(t *testing.T) {
 		TenantId: "1",
 		Data:     tokenBytes,
 	}
-	err = h.ValidateEvidenceIntegrity(&token, string(taEndValBytes), nil)
+	ta := string(taEndValBytes)
+	err = h.ValidateEvidenceIntegrity(&token, []string{ta}, nil)
 	require.NoError(t, err)
 }
 
@@ -120,6 +122,7 @@ func Test_ValidateEvidenceIntegrity_nok(t *testing.T) {
 		require.NoError(t, err)
 
 		taEndValBytes, err := os.ReadFile(tv.input)
+		ta := string(taEndValBytes)
 		require.NoError(t, err)
 		h := &EvidenceHandler{}
 
@@ -128,7 +131,7 @@ func Test_ValidateEvidenceIntegrity_nok(t *testing.T) {
 			Data:     tokenBytes,
 		}
 
-		err = h.ValidateEvidenceIntegrity(&token, string(taEndValBytes), nil)
+		err = h.ValidateEvidenceIntegrity(&token, []string{ta}, nil)
 		assert.EqualError(t, err, tv.expectedErr)
 	}
 }