Enhance EvidenceHanlder Interface to handle multiple RefVal and TAIDs

Fixes #206

Signed-off-by: Yogesh Deshpande <[email protected]>

handler/evidence_rpc.go

@@ -82,7 +82,7 @@ func (s *RPCServer) SynthKeysFromTrustAnchor(args SynthKeysArgs, resp *[]string)
 	return err
 }
 
-func (s *RPCServer) GetTrustAnchorID(data []byte, resp *string) error {
+func (s *RPCServer) GetTrustAnchorIDs(data []byte, resp *[]string) error {
 	var (
 		err   error
 		token proto.AttestationToken
@@ -93,14 +93,14 @@ func (s *RPCServer) GetTrustAnchorID(data []byte, resp *string) error {
 		return fmt.Errorf("unmarshaling attestation token: %w", err)
 	}
 
-	*resp, err = s.Impl.GetTrustAnchorID(&token)
+	*resp, err = s.Impl.GetTrustAnchorIDs(&token)
 
 	return err
 }
 
 type ExtractClaimsArgs struct {
-	Token       []byte
-	TrustAnchor string
+	Token        []byte
+	TrustAnchors []string
 }
 
 func (s *RPCServer) ExtractClaims(args ExtractClaimsArgs, resp *[]byte) error {
@@ -111,7 +111,7 @@ func (s *RPCServer) ExtractClaims(args ExtractClaimsArgs, resp *[]byte) error {
 		return fmt.Errorf("unmarshaling token: %w", err)
 	}
 
-	extracted, err := s.Impl.ExtractClaims(&token, args.TrustAnchor)
+	extracted, err := s.Impl.ExtractClaims(&token, args.TrustAnchors)
 	if err != nil {
 		return err
 	}
@@ -123,7 +123,7 @@ func (s *RPCServer) ExtractClaims(args ExtractClaimsArgs, resp *[]byte) error {
 
 type ValidateEvidenceIntegrityArgs struct {
 	Token        []byte
-	TrustAnchor  string
+	TrustAnchors []string
 	Endorsements []string
 }
 
@@ -135,7 +135,7 @@ func (s *RPCServer) ValidateEvidenceIntegrity(args ValidateEvidenceIntegrityArgs
 		return fmt.Errorf("unmarshaling token: %w", err)
 	}
 
-	err = s.Impl.ValidateEvidenceIntegrity(&token, args.TrustAnchor, args.Endorsements)
+	err = s.Impl.ValidateEvidenceIntegrity(&token, args.TrustAnchors, args.Endorsements)
 
 	return err
 }
@@ -262,28 +262,28 @@ func (s *RPCClient) SynthKeysFromTrustAnchor(tenantID string, ta *Endorsement) (
 	return resp, nil
 }
 
-func (s *RPCClient) GetTrustAnchorID(token *proto.AttestationToken) (string, error) {
+func (s *RPCClient) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) {
 	var (
 		err  error
 		data []byte
-		resp string
+		resp []string
 	)
 
 	data, err = json.Marshal(token)
 	if err != nil {
-		return "", fmt.Errorf("marshaling token: %w", err)
+		return []string{""}, fmt.Errorf("marshaling token: %w", err)
 	}
 
-	err = s.client.Call("Plugin.GetTrustAnchorID", data, &resp)
+	err = s.client.Call("Plugin.GetTrustAnchorIDs", data, &resp)
 	if err != nil {
 		err = ParseError(err)
-		return "", fmt.Errorf("Plugin.GetTrustAnchorID RPC call failed: %w", err) // nolint
+		return []string{""}, fmt.Errorf("Plugin.GetTrustAnchorIDs RPC call failed: %w", err) // nolint
 	}
 
 	return resp, nil
 }
 
-func (s *RPCClient) ExtractEvidence(token *proto.AttestationToken, trustAnchor string) (*ExtractedClaims, error) {
+func (s *RPCClient) ExtractEvidence(token *proto.AttestationToken, trustAnchors []string) (*ExtractedClaims, error) {
 	var (
 		err       error
 		args      ExtractClaimsArgs
@@ -295,7 +295,7 @@ func (s *RPCClient) ExtractEvidence(token *proto.AttestationToken, trustAnchor s
 	if err != nil {
 		return nil, fmt.Errorf("marshaling token: %w", err)
 	}
-	args.TrustAnchor = trustAnchor
+	args.TrustAnchors = trustAnchors
 
 	err = s.client.Call("Plugin.ExtractEvidence", args, &resp)
 	if err != nil {
@@ -313,7 +313,7 @@ func (s *RPCClient) ExtractEvidence(token *proto.AttestationToken, trustAnchor s
 
 func (s *RPCClient) ValidateEvidenceIntegrity(
 	token *proto.AttestationToken,
-	trustAnchor string,
+	trustAnchors []string,
 	endorsements []string,
 ) error {
 	var (
@@ -326,7 +326,7 @@ func (s *RPCClient) ValidateEvidenceIntegrity(
 	if err != nil {
 		return fmt.Errorf("marshaling token: %w", err)
 	}
-	args.TrustAnchor = trustAnchor
+	args.TrustAnchors = trustAnchors
 	args.Endorsements = endorsements
 
 	err = s.client.Call("Plugin.ValidateEvidenceIntegrity", args, &resp)
@@ -360,7 +360,7 @@ func (s *RPCClient) AppraiseEvidence(ec *proto.EvidenceContext, endorsements []s
 	return &result, err
 }
 
-func (s *RPCClient) ExtractClaims(token *proto.AttestationToken, trustAnchor string) (*ExtractedClaims, error) {
+func (s *RPCClient) ExtractClaims(token *proto.AttestationToken, trustAnchors []string) (*ExtractedClaims, error) {
 	var (
 		err             error
 		args            ExtractClaimsArgs
@@ -372,7 +372,7 @@ func (s *RPCClient) ExtractClaims(token *proto.AttestationToken, trustAnchor str
 		return nil, fmt.Errorf("marshaling token: %w", err)
 	}
 
-	args.TrustAnchor = trustAnchor
+	args.TrustAnchors = trustAnchors
 
 	var resp []byte
 	err = s.client.Call("Plugin.ExtractClaims", args, &resp)

handler/ievidencehandler.go

@@ -14,22 +14,22 @@ import (
 type IEvidenceHandler interface {
 	plugin.IPluggable
 
-	// GetTrustAnchorID returns a string ID used to retrieve a trust anchor
-	// for this token. The trust anchor may be necessary to validate the
-	// token and/or extract its claims (if it is encrypted).
-	GetTrustAnchorID(token *proto.AttestationToken) (string, error)
+	// GetTrustAnchorIDs returns an array of trust anchor strings(handles) used to retrieve a
+	// set of trust anchors for this token. The trust anchors may be necessary to validate the
+	// entire token and/or extract its claims (if it is encrypted).
+	GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error)
 
 	// ExtractClaims parses the attestation token and returns claims
 	// extracted therefrom.
 	ExtractClaims(
 		token *proto.AttestationToken,
-		trustAnchor string,
+		trustAnchors []string,
 	) (*ExtractedClaims, error)
 
 	// ValidateEvidenceIntegrity verifies the structural integrity and validity of the
 	// token. The exact checks performed are scheme-specific, but they
 	// would typically involve, at the least, verifying the token's
-	// signature using the provided trust anchor and endorsements. If the
+	// signature using the provided trust anchors and endorsements. If the
 	// validation fails, an error detailing what went wrong is returned.
 	// Note: key material required to  validate the token would typically be
 	//       provisioned as a Trust Anchor. However, depending on the
@@ -44,7 +44,7 @@ type IEvidenceHandler interface {
 	// (i.e. signature not matching).
 	ValidateEvidenceIntegrity(
 		token *proto.AttestationToken,
-		trustAnchor string,
+		trustAnchors []string,
 		endorsementsStrings []string,
 	) error
 
@@ -65,14 +65,14 @@ type IEvidenceHandler interface {
 }
 
 // ExtractedClaims contains a map of claims extracted from an attestation
-// token along with the corresponding ReferenceID that is used to fetch
+// token along with the corresponding ReferenceIDs that are used to fetch
 // the associated endorsements.
 //
 //	ReferenceID is the key used to fetch all the Endorsements
 //	generated from claims extracted from the token
 type ExtractedClaims struct {
-	ClaimsSet   map[string]interface{} `json:"claims-set"`
-	ReferenceID string                 `json:"reference-id"`
+	ClaimsSet    map[string]interface{} `json:"claims-set"`
+	ReferenceIDs []string               `json:"reference-ids"`
 	// please refer issue #106 for unprocessed claim set
 }
 

proto/evidence.proto

@@ -7,7 +7,7 @@ option go_package = "github.com/veraison/services/proto";
 
 message EvidenceContext {
   string tenant_id = 1 [json_name = "tenant-id"];
-  string trust_anchor_id = 2 [json_name = "trust-anchor-id"];
-  string reference_id = 3 [json_name = "reference-id"];
+  repeated string trust_anchor_ids = 2 [json_name = "trust-anchor-ids"];
+  repeated string reference_ids = 3 [json_name = "reference-ids"];
   google.protobuf.Struct evidence = 5;
 }

scheme/cca-ssd-platform/evidence_handler.go

@@ -46,13 +46,17 @@ func (s EvidenceHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.E
 	return arm.SynthKeysFromTrustAnchors(SchemeName, tenantID, ta)
 }
 
-func (s EvidenceHandler) GetTrustAnchorID(token *proto.AttestationToken) (string, error) {
-	return arm.GetTrustAnchorID(SchemeName, token)
+func (s EvidenceHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) {
+	ta, err := arm.GetTrustAnchorID(SchemeName, token)
+	if err != nil {
+		return nil, err
+	}
+	return []string{ta}, nil
 }
 
 func (s EvidenceHandler) ExtractClaims(
 	token *proto.AttestationToken,
-	trustAnchor string,
+	trustAnchors []string,
 ) (*handler.ExtractedClaims, error) {
 
 	var ccaToken ccatoken.Evidence
@@ -80,12 +84,12 @@ func (s EvidenceHandler) ExtractClaims(
 		"realm":    realmClaimsSet,
 	}
 
-	extracted.ReferenceID = arm.RefValLookupKey(
+	extracted.ReferenceIDs = []string{arm.RefValLookupKey(
 		SchemeName,
 		token.TenantId,
 		arm.MustImplIDString(ccaToken.PlatformClaims),
-	)
-	log.Debugf("extracted Reference ID Key = %s", extracted.ReferenceID)
+	)}
+	log.Debugf("extracted Reference ID Key = %s", extracted.ReferenceIDs)
 	return &extracted, nil
 }
 
@@ -95,7 +99,7 @@ func (s EvidenceHandler) ExtractClaims(
 // realm token.
 func (s EvidenceHandler) ValidateEvidenceIntegrity(
 	token *proto.AttestationToken,
-	trustAnchor string,
+	trustAnchors []string,
 	endorsementsStrings []string,
 ) error {
 	var (
@@ -125,7 +129,7 @@ func (s EvidenceHandler) ValidateEvidenceIntegrity(
 		)
 	}
 
-	pk, err := arm.GetPublicKeyFromTA(SchemeName, trustAnchor)
+	pk, err := arm.GetPublicKeyFromTA(SchemeName, trustAnchors[0])
 	if err != nil {
 		return fmt.Errorf("could not get public key from trust anchor: %w", err)
 	}

scheme/cca-ssd-platform/evidence_handler_test.go

@@ -27,7 +27,7 @@ var testNonce = []byte{
 	0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42,
 }
 
-func Test_GetTrustAnchorID_ok(t *testing.T) {
+func Test_GetTrustAnchorIDs_ok(t *testing.T) {
 	tokenBytes, err := os.ReadFile("test/cca-token.cbor")
 	require.NoError(t, err)
 
@@ -37,11 +37,11 @@ func Test_GetTrustAnchorID_ok(t *testing.T) {
 		Nonce:    testNonce,
 	}
 
-	expectedTaID := "CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC"
+	expectedTaID := []string{"CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC"}
 
 	scheme := &EvidenceHandler{}
 
-	taID, err := scheme.GetTrustAnchorID(&token)
+	taID, err := scheme.GetTrustAnchorIDs(&token)
 	require.NoError(t, err)
 	assert.Equal(t, expectedTaID, taID)
 }
@@ -169,8 +169,9 @@ func Test_ExtractVerifiedClaims_ok(t *testing.T) {
 		Data:     tokenBytes,
 		Nonce:    testNonce,
 	}
+	ta := string(taEndValBytes)
 
-	extracted, err := scheme.ExtractClaims(&token, string(taEndValBytes))
+	extracted, err := scheme.ExtractClaims(&token, []string{ta})
 	platformClaims := extracted.ClaimsSet["platform"].(map[string]interface{})
 
 	require.NoError(t, err)
@@ -198,8 +199,9 @@ func Test_ValidateEvidenceIntegrity_ok(t *testing.T) {
 		Data:     tokenBytes,
 		Nonce:    testNonce,
 	}
+	ta := string(taEndValBytes)
 
-	err = scheme.ValidateEvidenceIntegrity(&token, string(taEndValBytes), nil)
+	err = scheme.ValidateEvidenceIntegrity(&token, []string{ta}, nil)
 
 	assert.NoError(t, err)
 }
@@ -220,7 +222,8 @@ func Test_ValidateEvidenceIntegrity_invalid_key(t *testing.T) {
 	}
 	expectedErr := `could not get public key from trust anchor: could not decode subject public key info: unsupported key type: "PRIVATE KEY"`
 
-	err = scheme.ValidateEvidenceIntegrity(&token, string(taEndValBytes), nil)
+	ta := string(taEndValBytes)
+	err = scheme.ValidateEvidenceIntegrity(&token, []string{ta}, nil)
 	assert.EqualError(t, err, expectedErr)
 }
 

scheme/cca-ssd-platform/test/extracted.json

@@ -52,7 +52,7 @@
 	    "cca-realm-public-key-hash-algo-id": "sha-512"
 	  }
   },
-  "reference-id": "CCA_SSD_PLATFORM://1/BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=/AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY",
-  "trust-anchor-id": "CCA_SSD_PLATFORM://1/BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=/",
+  "reference-ids": ["CCA_SSD_PLATFORM://1/BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=/AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY"],
+  "trust-anchor-ids": ["CCA_SSD_PLATFORM://1/BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=/"],
   "tenant-id": "1"
 }