Add Realm Personalization Value

Signed-off-by: Yogesh Deshpande <[email protected]>
veraison · May 17, 2024 · b7e1e5b · b7e1e5b
1 parent 86c4206
commit b7e1e5b
Show file tree

Hide file tree

Showing 7 changed files with 140 additions and 36 deletions.
diff --git a/scheme/cca-realm-provisioning/README.md b/scheme/cca-realm-provisioning/README.md
@@ -12,8 +12,9 @@ used to launch a Realm.
     "attributes": {
         "CCA_REALM.vendor": "Workload Client Ltd",
         "CCA_REALM.class-id": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C",
-        "CCA_REALM-realm-initial-measurement": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1",
+        "CCA_REALM.realm-initial-measurement": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1",
         "CCA_REALM.hash-alg-id": "sha-384",
+        "CCA_REALM.realm-personalization-value":"5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXXkW3L1wMC1cttNjTq36X82j/dOYjR6gk3stnqE5SJNdQ==",
         "CCA_REALM.measurements": [
             {
                 "rim": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1"

diff --git a/scheme/cca-realm-provisioning/corim_extractor.go b/scheme/cca-realm-provisioning/corim_extractor.go
@@ -65,8 +65,8 @@ func makeRefValAttrs(cAttr *ClassAttributes,
 
 	var attrs = map[string]interface{}{
 		"CCA_REALM.vendor":                      cAttr.Vendor,
-		"CCA_REALM-class-id":                    cAttr.UUID,
-		"CCA_REALM-realm-initial-measurement":   rAttr.Rim,
+		"CCA_REALM.class-id":                    cAttr.UUID,
+		"CCA_REALM.realm-initial-measurement":   rAttr.Rim,
 		"CCA_REALM.hash-alg-id":                 rAttr.HashAlgID,
 		"CCA_REALM.realm-personalization-value": rAttr.Rpv,
 		"CCA_REALM.rim":                         rAttr.Rim,

diff --git a/scheme/cca-realm-provisioning/store_handler.go b/scheme/cca-realm-provisioning/store_handler.go
@@ -5,13 +5,11 @@ package cca_realm_provisioning
 
 import (
 	"fmt"
-	"net/url"
-	"strings"
 
 	"github.com/veraison/services/handler"
 	"github.com/veraison/services/log"
 	"github.com/veraison/services/proto"
-	"github.com/veraison/services/scheme/common"
+	"github.com/veraison/services/scheme/common/arm"
 )
 
 type StoreHandler struct{}
@@ -41,27 +39,12 @@ func (s StoreHandler) SynthKeysFromRefValue(
 	refVal *handler.Endorsement,
 ) ([]string, error) {
 
-	instID, err := common.GetInstID(SchemeName, refVal.Attributes)
+	lookupKey, err := arm.SynthKeyFromRefVal(SchemeName, tenantID, refVal)
 	if err != nil {
-		return nil, fmt.Errorf("unable to get instance id for synthesize reference value: %w", err)
+		return nil, fmt.Errorf("unable to SynthKeyFromRefVal for scheme %s: %w", SchemeName, err)
 	}
-
-	lookupKey := refValLookupKey(SchemeName, tenantID, instID)
 	log.Debugf("Scheme %s Plugin RefVal Look Up Key= %s\n", SchemeName, lookupKey)
 	return []string{lookupKey}, nil
-
-}
-
-func refValLookupKey(schemeName, tenantID, instID string) string {
-	absPath := []string{instID}
-
-	u := url.URL{
-		Scheme: schemeName,
-		Host:   tenantID,
-		Path:   strings.Join(absPath, "/"),
-	}
-
-	return u.String()
 }
 
 func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) {

diff --git a/scheme/cca-realm-provisioning/store_handler_test.go b/scheme/cca-realm-provisioning/store_handler_test.go
@@ -49,17 +49,33 @@ func Test_GetTrustAnchorID_nok(t *testing.T) {
 	assert.EqualError(t, err, expectedErr)
 }
 
-func Test_SynthKeysFromRefValue_ok(t *testing.T) {
-	endorsementsBytes, err := os.ReadFile("test/store/refvalEndorsements.json")
-	require.NoError(t, err)
+func Test_SynthKeysFromRefValue1_ok(t *testing.T) {
+	tvs := []struct {
+		desc        string
+		input       string
+		expectedKey string
+	}{
+		{
+			desc:        "no realm personalization in reference value",
+			input:       "test/store/refvalEndorsementsNoRpv.json",
+			expectedKey: "CCA_REALM://1/QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1",
+		},
+		{
+			desc:        "complete reference value with rim and personalization value",
+			input:       "test/store/refvalEndorsements.json",
+			expectedKey: "CCA_REALM://1/QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1/5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXXkW3L1wMC1cttNjTq36X82j/dOYjR6gk3stnqE5SJNdQ==",
+		},
+	}
 
-	var endors handler.Endorsement
-	err = json.Unmarshal(endorsementsBytes, &endors)
-	require.NoError(t, err)
-	expectedKey := "CCA_REALM://1/QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1"
-
-	scheme := &StoreHandler{}
-	key_list, err := scheme.SynthKeysFromRefValue("1", &endors)
-	require.NoError(t, err)
-	assert.Equal(t, expectedKey, key_list[0])
+	for _, tv := range tvs {
+		endorsementsBytes, err := os.ReadFile(tv.input)
+		require.NoError(t, err)
+		var endors handler.Endorsement
+		err = json.Unmarshal(endorsementsBytes, &endors)
+		require.NoError(t, err)
+		scheme := &StoreHandler{}
+		key, err := scheme.SynthKeysFromRefValue("1", &endors)
+		require.NoError(t, err)
+		assert.Equal(t, tv.expectedKey, key[0])
+	}
 }
diff --git a/scheme/cca-realm-provisioning/test/store/refvalEndorsements.json b/scheme/cca-realm-provisioning/test/store/refvalEndorsements.json
@@ -4,8 +4,9 @@
     "attributes": {
         "CCA_REALM.vendor": "Worload Client Ltd",
         "CCA_REALM.class-id": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C",
-        "CCA_REALM.inst-id": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1",
+        "CCA_REALM.realm-initial-measurement": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1",
         "CCA_REALM.hash-alg-id": "sha-384",
+        "CCA_REALM.realm-personalization-value": "5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXXkW3L1wMC1cttNjTq36X82j/dOYjR6gk3stnqE5SJNdQ==",
         "CCA_REALM.measurements": [
             {
                 "rim": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1"

diff --git a/scheme/cca-realm-provisioning/test/store/refvalEndorsementsNoRpv.json b/scheme/cca-realm-provisioning/test/store/refvalEndorsementsNoRpv.json
@@ -0,0 +1,28 @@
+{
+    "scheme": "CCA_REALM",
+    "type": "REFERENCE_VALUE",
+    "attributes": {
+        "CCA_REALM.vendor": "Worload Client Ltd",
+        "CCA_REALM.class-id": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C",
+        "CCA_REALM.realm-initial-measurement": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1",
+        "CCA_REALM.hash-alg-id": "sha-384",
+        "CCA_REALM.realm-personalization-value": "",
+        "CCA_REALM.measurements": [
+            {
+                "rim": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1"
+            },
+            {
+                "rem0": "IQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4"
+            },
+            {
+                "rem1": "JQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4"
+            },
+            {
+                "rem2": "MQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4"
+            },
+            {
+                "rem3": "NQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4"
+            }
+        ]
+    }
+}
diff --git a/scheme/common/arm/realm.go b/scheme/common/arm/realm.go
@@ -0,0 +1,75 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package arm
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"net/url"
+	"strings"
+
+	"github.com/veraison/services/handler"
+	"github.com/veraison/services/log"
+)
+
+func GetRim(scheme string, attr json.RawMessage) (string, error) {
+	var at map[string]interface{}
+	err := json.Unmarshal(attr, &at)
+	if err != nil {
+		return "", fmt.Errorf("unable to get Instance ID: %w", err)
+	}
+	key := scheme + ".realm-initial-measurement"
+	rim, ok := at[key].(string)
+	if !ok {
+		return "", errors.New("unable to get realm initial measurements")
+	}
+	return rim, nil
+}
+
+func GetRpv(scheme string, attr json.RawMessage) (string, error) {
+	var at map[string]interface{}
+	err := json.Unmarshal(attr, &at)
+	if err != nil {
+		return "", fmt.Errorf("unable to get Instance ID: %w", err)
+	}
+	key := scheme + ".realm-personalization-value"
+	rpv, ok := at[key].(string)
+	if !ok {
+		return "", errors.New("unable to get realm personalization value")
+	}
+	return rpv, nil
+}
+
+func SynthKeyFromRefVal(scheme string, tenantID string, refVal *handler.Endorsement) (string, error) {
+	if refVal == nil {
+		return "", errors.New("no reference value in SynthKeyFromRefVal")
+	}
+	rim, err := GetRim(scheme, refVal.Attributes)
+	if err != nil {
+		return "", fmt.Errorf("unable to get rim: %w", err)
+	}
+	rpv, err := GetRpv(scheme, refVal.Attributes)
+	if err != nil {
+		return "", fmt.Errorf("unable to get rpv: %w", err)
+	}
+	lookupKey := refValLookupKey(scheme, tenantID, rim, rpv)
+	log.Debugf("Scheme %s realm RefVal Look Up Key= %s\n", scheme, lookupKey)
+	return lookupKey, nil
+}
+
+func refValLookupKey(schemeName, tenantID, rim string, rpv string) string {
+	var absPath []string
+	if rpv != "" {
+		absPath = []string{rim, rpv}
+	} else {
+		absPath = []string{rim}
+	}
+
+	u := url.URL{
+		Scheme: schemeName,
+		Host:   tenantID,
+		Path:   strings.Join(absPath, "/"),
+	}
+	return u.String()
+}