Adding Realm Endorsement Decoder Plugin

Signed-off-by: Yogesh Deshpande <[email protected]>
veraison · Dec 1, 2023 · 74b8a5e · 74b8a5e
1 parent ee62874
commit 74b8a5e
Show file tree

Hide file tree

Showing 5 changed files with 138 additions and 2 deletions.
diff --git a/go.mod b/go.mod
@@ -30,7 +30,7 @@ require (
 	github.com/tbaehler/gin-keycloak v1.5.0
 	github.com/veraison/ccatoken v1.1.0
 	github.com/veraison/cmw v0.1.0
-	github.com/veraison/corim v1.1.2-0.20230912171018-eeb7bd486d3c
+	github.com/veraison/corim v1.1.2-0.20231201124143-c98741c914fc
 	github.com/veraison/dice v0.0.1
 	github.com/veraison/ear v1.1.3-0.20231130183426-c7759f6f0da6
 	github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53

diff --git a/go.sum b/go.sum
@@ -1069,6 +1069,8 @@ github.com/veraison/cmw v0.1.0 h1:vD6tBlGPROCW/HlDcG1jh+XUJi5ihrjXatKZBjrv8mU=
 github.com/veraison/cmw v0.1.0/go.mod h1:WoBrlgByc6C1FeHhdze1/bQx1kv5d1sWKO5ezEf4Hs4=
 github.com/veraison/corim v1.1.2-0.20230912171018-eeb7bd486d3c h1:do1Yj0d4uq+Sd4PusgE8pfLfSKejJfaWukyjYTi8Ro0=
 github.com/veraison/corim v1.1.2-0.20230912171018-eeb7bd486d3c/go.mod h1:Vn9+tCyN2ljpQxYvM6rwu3hNqdVbWrdQ9hqMa1Jfxb0=
+github.com/veraison/corim v1.1.2-0.20231201124143-c98741c914fc h1:MWuahPPqlbrFGDPT5jgf+gKUYFuj7mGu8qk/xJeKToU=
+github.com/veraison/corim v1.1.2-0.20231201124143-c98741c914fc/go.mod h1:Vn9+tCyN2ljpQxYvM6rwu3hNqdVbWrdQ9hqMa1Jfxb0=
 github.com/veraison/dice v0.0.1 h1:dOm7ByDN/r4WlDsGkEUXzdPMXgTvAPTAksQ8+BwBrD4=
 github.com/veraison/dice v0.0.1/go.mod h1:QPMLc5LVMj08VZ+HNMYk4XxWoVYGAUBVm8Rd5V1hzxs=
 github.com/veraison/ear v1.1.3-0.20231130164136-ea589b65f3bf h1:hZUe1o0rpGQz67rQyMsXp4SneKQUhveKXDNlkZ461nQ=

diff --git a/scheme/cca-realm/classattributes.go b/scheme/cca-realm/classattributes.go
@@ -0,0 +1,51 @@
+// Copyright 2022-2023 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package cca_realm
+
+import (
+	"fmt"
+
+	"github.com/veraison/corim/comid"
+)
+
+type ClassAttributes struct {
+	UUID   string
+	Vendor string
+	Model  string
+}
+
+// extract mandatory ImplID and optional vendor & model
+func (o *ClassAttributes) FromEnvironment(e comid.Environment) error {
+	class := e.Class
+
+	if class == nil {
+		return fmt.Errorf("expecting class in environment")
+	}
+
+	classID := class.ClassID
+
+	if classID == nil {
+		return fmt.Errorf("expecting class-id in class")
+	}
+
+	uuID, err := classID.GetUUID()
+	if err != nil {
+		return fmt.Errorf("could not extract uu-id from class-id: %w", err)
+	}
+
+	if err := uuID.Valid(); err != nil {
+		return fmt.Errorf("no valid uu-id: %w", err)
+	}
+
+	o.UUID = uuID.String()
+
+	if class.Vendor != nil {
+		o.Vendor = *class.Vendor
+	}
+
+	if class.Model != nil {
+		o.Model = *class.Model
+	}
+
+	return nil
+}
diff --git a/scheme/cca-realm/corim_extractor.go b/scheme/cca-realm/corim_extractor.go
@@ -0,0 +1,82 @@
+// Copyright 2023 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package cca_realm
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/veraison/corim/comid"
+	"github.com/veraison/services/handler"
+)
+
+type CorimExtractor struct{}
+
+func (o CorimExtractor) RefValExtractor(
+	rv comid.ReferenceValue,
+) ([]*handler.Endorsement, error) {
+	var classAttrs ClassAttributes
+
+	if err := classAttrs.FromEnvironment(rv.Environment); err != nil {
+		return nil, fmt.Errorf("could not extract Realm class attributes: %w", err)
+	}
+
+	rvs := make([]*handler.Endorsement, 0, len(rv.Measurements))
+
+	for i, m := range rv.Measurements {
+
+		d := m.Val.Digests
+
+		if d == nil {
+			return nil, fmt.Errorf("measurement value has no digests")
+		}
+		if len(*d) != 1 {
+			return nil, fmt.Errorf("expecting exactly one digest")
+		}
+		algID := (*d)[0].AlgIDToString()
+		measurementValue := (*d)[0].HashValue
+
+		attrs, err := makeRefValAttrs(&classAttrs, algID, measurementValue)
+		if err != nil {
+			return nil, fmt.Errorf("measurement[%d].digest[%d]: %w", i, j, err)
+		}
+
+		rv := &handler.Endorsement{
+			Scheme:     SchemeName,
+			Type:       handler.EndorsementType_REFERENCE_VALUE,
+			Attributes: attrs,
+		}
+
+		rvs = append(rvs, rv)
+
+	}
+
+	if len(rvs) == 0 {
+		return nil, fmt.Errorf("no measurements found")
+	}
+
+	return rvs, nil
+}
+
+func makeRefValAttrs(cAttr *ClassAttributes, algID string, digest []byte) (json.RawMessage, error) {
+
+	var attrs = map[string]interface{}{
+		"cca-realm.vendor":      cAttr.Vendor,
+		"cca-realm.model":       cAttr.Model,
+		"cca-realm-id":          cAttr.UUID,
+		"cca-realm.alg-id":      algID,
+		"cca-realm.measurement": digest,
+	}
+	data, err := json.Marshal(attrs)
+	if err != nil {
+		return nil, fmt.Errorf("unable to marshal reference value attributes: %w", err)
+	}
+	return data, nil
+}
+
+func (o CorimExtractor) TaExtractor(
+	avk comid.AttestVerifKey,
+) (*handler.Endorsement, error) {
+
+	return nil, fmt.Errorf("cca realm endorsements does not have a Trust Anchor")
+}
diff --git a/scheme/cca-realm/endorsement_handler.go b/scheme/cca-realm/endorsement_handler.go
@@ -4,6 +4,7 @@ package cca_realm
 
 import (
 	"github.com/veraison/services/handler"
+	"github.com/veraison/services/scheme/common"
 )
 
 type EndorsementHandler struct{}
@@ -29,5 +30,5 @@ func (o EndorsementHandler) GetSupportedMediaTypes() []string {
 }
 
 func (o EndorsementHandler) Decode(data []byte) (*handler.EndorsementHandlerResponse, error) {
-	return nil, nil
+	return common.UnsignedCorimDecoder(data, &CorimExtractor{})
 }