diff --git a/go.mod b/go.mod
index f098f754..ed613b82 100644
--- a/go.mod
+++ b/go.mod
@@ -31,14 +31,14 @@ require (
 	github.com/spf13/viper v1.13.0
 	github.com/stretchr/testify v1.9.0
 	github.com/tbaehler/gin-keycloak v1.6.1
-	github.com/veraison/ccatoken v1.1.0
+	github.com/veraison/ccatoken v1.3.1
 	github.com/veraison/cmw v0.1.0
-	github.com/veraison/corim v1.1.3-0.20240814105452-be7ec4829479
+	github.com/veraison/corim v1.1.3-0.20240911154934-4f141ee6d1e7
 	github.com/veraison/dice v0.0.1
 	github.com/veraison/ear v1.1.2
 	github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53
-	github.com/veraison/parsec v0.1.1-0.20230915122508-f31e6c9be40e
-	github.com/veraison/psatoken v1.2.0
+	github.com/veraison/parsec v0.2.1-0.20240912163334-0368b9c16228
+	github.com/veraison/psatoken v1.2.1-0.20240912124429-aec3ece7886e
 	go.uber.org/zap v1.23.0
 	golang.org/x/text v0.14.0
 	google.golang.org/grpc v1.64.0
@@ -101,7 +101,7 @@ require (
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.11 // indirect
 	github.com/vektah/gqlparser/v2 v2.4.6 // indirect
-	github.com/veraison/go-cose v1.1.1-0.20230825153510-da0f9a62ade7
+	github.com/veraison/go-cose v1.3.0-rc.1
 	github.com/veraison/swid v1.1.1-0.20230911094910-8ffdd07a22ca
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
diff --git a/go.sum b/go.sum
index 7a7b4f35..3b4dce08 100644
--- a/go.sum
+++ b/go.sum
@@ -912,9 +912,7 @@ github.com/danieljoos/wincred v1.1.0/go.mod h1:XYlo+eRTsVA9aHGp7NGjFkPla4m+DCL7h github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc= github.com/decred/dcrd/crypto/blake256 v1.0.1/go.mod h1:2OfgNZ5wDpcsFmHmCK5gZTPcCXqlm2ArzUIkw9czNJo= -github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0/go.mod h1:DZGJHZMqrU4JJqFAWUS2UO1+lbSKsdiOoYi9Zzey7Fc= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 h1:8UrgZ3GkP4i/CLijOJx79Yu+etlyjdBU4sfcs2WYQMs= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0= github.com/denisbrodbeck/machineid v1.0.1 h1:geKr9qtkB876mXguW2X6TU4ZynleN6ezuMSRhl4D7AQ= @@ -995,7 +993,6 @@ github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmV github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa/go.mod h1:KnogPXtdwXqoenmZCw6S+25EAm2MkxbG0deNDu4cbSA= github.com/fxamacker/cbor/v2 v2.2.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= github.com/fxamacker/cbor/v2 v2.3.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= -github.com/fxamacker/cbor/v2 v2.4.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE= github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo= github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA= 
@@ -1371,7 +1368,6 @@ github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJG github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo= github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI= github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4= -github.com/lestrrat-go/jwx/v2 v2.0.8/go.mod h1:zLxnyv9rTlEvOUHbc48FAfIL8iYu2hHvIRaTFGc8mT0= github.com/lestrrat-go/jwx/v2 v2.0.11 h1:ViHMnaMeaO0qV16RZWBHM7GTrAnX2aFLVKofc7FuKLQ= github.com/lestrrat-go/jwx/v2 v2.0.11/go.mod h1:ZtPtMFlrfDrH2Y0iwfa3dRFn8VzwBrB+cyrm3IBWdDg= github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= 
@@ -1729,26 +1725,24 @@ github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtX github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= github.com/vektah/gqlparser/v2 v2.4.6 h1:Yjzp66g6oVq93Jihbi0qhGnf/6zIWjcm8H6gA27zstE= github.com/vektah/gqlparser/v2 v2.4.6/go.mod h1:flJWIR04IMQPGz+BXLrORkrARBxv/rtyIAFvd/MceW0= -github.com/veraison/ccatoken v1.1.0 h1:U0Z5fOQRsdz3ksvvxVzTITczo+kfRxIlkWahJNP6Irs= -github.com/veraison/ccatoken v1.1.0/go.mod h1:qh/KBwsrhPyGJqttlh8PU56wt1rPkUCX9A3ZAA/53Nc= +github.com/veraison/ccatoken v1.3.1 h1:zUHXr2mPprxMYv5Mm2mumxzQZ3I9wy7QGayXqa9Rv/E= +github.com/veraison/ccatoken v1.3.1/go.mod h1:vMqdbW4H/8A3oT+24qssuIK3Aefy06XqzTELGg+gWAg= github.com/veraison/cmw v0.1.0 h1:vD6tBlGPROCW/HlDcG1jh+XUJi5ihrjXatKZBjrv8mU= github.com/veraison/cmw v0.1.0/go.mod h1:WoBrlgByc6C1FeHhdze1/bQx1kv5d1sWKO5ezEf4Hs4= -github.com/veraison/corim v1.1.3-0.20240814105452-be7ec4829479 h1:dcKW+Nugh2Cs/ihz6xAmmTfi4v5flaLTg6MiZ8gN3N8= -github.com/veraison/corim v1.1.3-0.20240814105452-be7ec4829479/go.mod h1:sYmwruIqD5+83OcvMg6WUDTTWq8AWM6QbVQhbE9VFQM= +github.com/veraison/corim v1.1.3-0.20240911154934-4f141ee6d1e7 h1:sq9OVQgwpRJDFrQDGAOMs5p22Hp1zfDYRkeb+EVJWTU= +github.com/veraison/corim v1.1.3-0.20240911154934-4f141ee6d1e7/go.mod h1:Wj3a6bSo7+3peVGjwGayHDALILh4PHMngDhgBYUbVLk= github.com/veraison/dice v0.0.1 h1:dOm7ByDN/r4WlDsGkEUXzdPMXgTvAPTAksQ8+BwBrD4= github.com/veraison/dice v0.0.1/go.mod h1:QPMLc5LVMj08VZ+HNMYk4XxWoVYGAUBVm8Rd5V1hzxs= github.com/veraison/ear v1.1.2 h1:Xs41FqAG8IyJaceqNFcX2+nf51Et1uyhmCJV8SZqw/8= github.com/veraison/ear v1.1.2/go.mod h1:O3yKgZR04DWKHHiNxfXCMX9ky0cLVoC67TFks6JwEhI= -github.com/veraison/eat v0.0.0-20210331113810-3da8a4dd42ff/go.mod h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I= github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53 h1:5gnX2TrGd/Xz8DOp2OaLtg/jLoIubSUTrgz6iZ58pJ4= github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53/go.mod 
h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I= -github.com/veraison/go-cose v1.0.0-rc.1/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4= -github.com/veraison/go-cose v1.1.1-0.20230825153510-da0f9a62ade7 h1:KcKzBthSrSZIUEWBjVvkuk/DE3PyYFbXZxhx5byGFtc= -github.com/veraison/go-cose v1.1.1-0.20230825153510-da0f9a62ade7/go.mod h1:t6V8WJzHm1PD5HNsuDjW3KLv577uWb6UTzbZGvdQHD8= -github.com/veraison/parsec v0.1.1-0.20230915122508-f31e6c9be40e h1:6flWRGWeW9X2GOtegx2MqwRzO4z2DIrk3nm5FH7sGyM= -github.com/veraison/parsec v0.1.1-0.20230915122508-f31e6c9be40e/go.mod h1:IXiVM4dsJNsB2PB1NkK5AE0gUvOzsxLgOpuPo9KHs0M= -github.com/veraison/psatoken v1.2.0 h1:PeHy6YUbhFE9Z9xaQBoAMpMWUEqSHrF2JgfcwMTmFIA= -github.com/veraison/psatoken v1.2.0/go.mod h1:2tHLoYMOIS4V4mO8MJT4VstRtpO50FLmhoOR35FyIr4= +github.com/veraison/go-cose v1.3.0-rc.1 h1:j7mMBdwkbq4c+pgEZVbbWG8UwVIgGHPp6+TAAYJj+UY= +github.com/veraison/go-cose v1.3.0-rc.1/go.mod h1:df09OV91aHoQWLmy1KsDdYiagtXgyAwAl8vFeFn1gMc= +github.com/veraison/parsec v0.2.1-0.20240912163334-0368b9c16228 h1:oMCBfNZ8yxeMHelMg/H8uLrBLRvipjAwBL0d5/F9bvY= +github.com/veraison/parsec v0.2.1-0.20240912163334-0368b9c16228/go.mod h1:hobpAGxGmjCyluLHTNMdgJYficPXno4HZWKJSuUwZ7w= +github.com/veraison/psatoken v1.2.1-0.20240912124429-aec3ece7886e h1:W1OWcrRvfN0EWyldcpFgwl9xdKBbZUlk5pnbLTcR8Ec= +github.com/veraison/psatoken v1.2.1-0.20240912124429-aec3ece7886e/go.mod h1:bXUwdYAGcRoclxe73JmO8Z9ngV9KDHqW20afM9Q0FKo= github.com/veraison/swid v1.1.1-0.20230911094910-8ffdd07a22ca h1:osmCKwWO/xM68Kz+rIXio1DNzEY2NdJOpGpoy5r8NlE= github.com/veraison/swid v1.1.1-0.20230911094910-8ffdd07a22ca/go.mod h1:d5jt76uMNbTfQ+f2qU4Lt8RvWOTsv6PFgstIM1QdMH0= github.com/vishvananda/netlink v0.0.0-20181108222139-023a6dafdcdf/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk= 
@@ -1884,7 +1878,6 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
diff --git a/proto/appraisal_context.pb.go b/proto/appraisal_context.pb.go
index 868a0ec7..bc04eddb 100644
--- a/proto/appraisal_context.pb.go
+++ b/proto/appraisal_context.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// protoc-gen-go v1.26.0
-// protoc v3.21.12
+// protoc-gen-go v1.28.1
+// protoc v5.27.3
 // source: appraisal_context.proto
 
 package proto
diff --git a/proto/evidence.pb.go b/proto/evidence.pb.go
index 3ff8b2c1..72e27ad1 100644
--- a/proto/evidence.pb.go
+++ b/proto/evidence.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// protoc-gen-go v1.26.0
-// protoc v3.21.12
+// protoc-gen-go v1.28.1
+// protoc v5.27.3
 // source: evidence.proto
 
 package proto
diff --git a/proto/state.pb.go b/proto/state.pb.go
index af9535fa..057baddf 100644
--- a/proto/state.pb.go
+++ b/proto/state.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// protoc-gen-go v1.26.0
-// protoc v3.21.12
+// protoc-gen-go v1.28.1
+// protoc v5.27.3
 // source: state.proto
 
 package proto
diff --git a/proto/token.pb.go b/proto/token.pb.go
index e814a950..604133a5 100644
--- a/proto/token.pb.go
+++ b/proto/token.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// protoc-gen-go v1.26.0
-// protoc v3.21.12
+// protoc-gen-go v1.28.1
+// protoc v5.27.3
 // source: token.proto
 
 package proto
diff --git a/proto/vts.pb.go b/proto/vts.pb.go
index 36e16e8c..7f8b7d85 100644
--- a/proto/vts.pb.go
+++ b/proto/vts.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// protoc-gen-go v1.26.0
-// protoc v3.21.12
+// protoc-gen-go v1.28.1
+// protoc v5.27.3
 // source: vts.proto
 
 package proto
diff --git a/proto/vts_grpc.pb.go b/proto/vts_grpc.pb.go
index 93ba75d8..fdc60431 100644
--- a/proto/vts_grpc.pb.go
+++ b/proto/vts_grpc.pb.go
@@ -1,4 +1,8 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.2.0
+// - protoc v5.27.3
+// source: vts.proto
 
 package proto
 
diff --git a/provisioning/api/handler.go b/provisioning/api/handler.go
index b62f0aa0..d4b2e811 100644
--- a/provisioning/api/handler.go
+++ b/provisioning/api/handler.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package api
diff --git a/provisioning/provisioner/provisioner.go b/provisioning/provisioner/provisioner.go
index d8e570e0..507a710e 100644
--- a/provisioning/provisioner/provisioner.go
+++ b/provisioning/provisioner/provisioner.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package provisioner
diff --git a/scheme/arm-cca/evidence_handler.go b/scheme/arm-cca/evidence_handler.go
index b4de00fd..0df93b71 100644
--- a/scheme/arm-cca/evidence_handler.go
+++ b/scheme/arm-cca/evidence_handler.go
@@ -36,20 +36,18 @@ func (s EvidenceHandler) ExtractClaims(
 	token *proto.AttestationToken,
 	trustAnchors []string,
 ) (map[string]interface{}, error) {
-
-	var ccaToken ccatoken.Evidence
-
-	if err := ccaToken.FromCBOR(token.Data); err != nil {
+	ccaToken, err := ccatoken.DecodeAndValidateEvidenceFromCBOR(token.Data)
+	if err != nil {
 		return nil, handler.BadEvidence(err)
 	}
 
-	platformClaimsSet, err := common.ClaimsToMap(ccaToken.PlatformClaims)
+	platformClaimsSet, err := common.ClaimsToMap(common.CcaPlatformWrapper{ccaToken.PlatformClaims}) // nolint:govet
 	if err != nil {
 		return nil, handler.BadEvidence(fmt.Errorf(
 			"could not convert platform claims: %w", err))
 	}
 
-	realmClaimsSet, err := common.ClaimsToMap(ccaToken.RealmClaims)
+	realmClaimsSet, err := common.ClaimsToMap(common.CcaRealmWrapper{ccaToken.RealmClaims}) // nolint:govet
 	if err != nil {
 		return nil, handler.BadEvidence(fmt.Errorf(
 			"could not convert realm claims: %w", err))
@@ -72,11 +70,8 @@ func (s EvidenceHandler) ValidateEvidenceIntegrity(
 	trustAnchors []string,
 	endorsementsStrings []string,
 ) error {
-	var (
-		ccaToken ccatoken.Evidence
-	)
-
-	if err := ccaToken.FromCBOR(token.Data); err != nil {
+	ccaToken, err := ccatoken.DecodeAndValidateEvidenceFromCBOR(token.Data)
+	if err != nil {
 		return handler.BadEvidence(err)
 	}
 
diff --git a/scheme/arm-cca/platform.go b/scheme/arm-cca/platform.go
index 8f77190a..03df32f5 100644
--- a/scheme/arm-cca/platform.go
+++ b/scheme/arm-cca/platform.go
@@ -6,8 +6,8 @@ package arm_cca
 import (
 	"fmt"
 
+	"github.com/veraison/ccatoken/platform"
 	"github.com/veraison/ear"
-	"github.com/veraison/psatoken"
 	"github.com/veraison/services/handler"
 	"github.com/veraison/services/scheme/common"
 	"github.com/veraison/services/scheme/common/arm"
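Review bot: The two `// nolint:govet` markers on the `platformClaimsSet` and `realmClaimsSet` lines silence the composite-literal check instead of fixing the literal; the wrappers have a single field `C`, so a keyed literal is the idiomatic form and needs no suppression: `platformClaimsSet, err := common.ClaimsToMap(common.CcaPlatformWrapper{C: ccaToken.PlatformClaims})` and `realmClaimsSet, err := common.ClaimsToMap(common.CcaRealmWrapper{C: ccaToken.RealmClaims})`. The same pattern appears in the parsec-cca ExtractClaims hunk and the psa-iot ExtractClaims hunk of this diff (`PsaPlatformWrapper{psaToken.Claims}`), and a keyed literal also keeps those call sites compiling if a wrapper ever gains a second field. ExtractClaims continues past the end of the hunk.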
@@ -17,7 +17,7 @@ func platformAppraisal(
 	claimsMap map[string]interface{},
 	endorsements []handler.Endorsement,
 ) (*ear.Appraisal, error) {
-	claims, err := common.MapToClaims(claimsMap)
+	claims, err := common.MapToCCAPlatformClaims(claimsMap)
 	if err != nil {
 		return nil, fmt.Errorf("unable to get claims from platform claims map: %w", err)
 	}
@@ -31,9 +31,9 @@ func platformAppraisal(
 		return nil, handler.BadEvidence(err)
 	}
 
-	lifeCycle := psatoken.CcaLifeCycleToState(rawLifeCycle)
-	if lifeCycle == psatoken.CcaStateSecured ||
-		lifeCycle == psatoken.CcaStateNonCcaPlatformDebug {
+	lifeCycle := platform.LifeCycleToState(rawLifeCycle)
+	if lifeCycle == platform.StateSecured ||
+		lifeCycle == platform.StateNonCCAPlatformDebug {
 		trustVector.InstanceIdentity = ear.TrustworthyInstanceClaim
 		trustVector.RuntimeOpaque = ear.ApprovedRuntimeClaim
 		trustVector.StorageOpaque = ear.HwKeysEncryptedSecretsClaim
diff --git a/scheme/arm-cca/realm.go b/scheme/arm-cca/realm.go
index 5b54e228..f29ee373 100644
--- a/scheme/arm-cca/realm.go
+++ b/scheme/arm-cca/realm.go
@@ -9,7 +9,7 @@ import (
 	"errors"
 	"fmt"
 
-	"github.com/veraison/ccatoken"
+	ccatokenrealm "github.com/veraison/ccatoken/realm"
 	"github.com/veraison/ear"
 	"github.com/veraison/services/handler"
 	"github.com/veraison/services/log"
@@ -79,7 +79,7 @@ func realmAppraisal(
 	return &appraisal, nil
 }
 
-func matchRim(claims ccatoken.IClaims, endorsement *handler.Endorsement) bool {
+func matchRim(claims ccatokenrealm.IClaims, endorsement *handler.Endorsement) bool {
 	// get RIM Claim from Evidence Claims
 	rimClaim, err := claims.GetInitialMeasurement()
 	if err != nil {
@@ -104,7 +104,7 @@ func matchRim(claims ccatoken.IClaims, endorsement *handler.Endorsement) bool {
 	return true
 }
 
-func matchRpv(claims ccatoken.IClaims, endorsement *handler.Endorsement) error {
+func matchRpv(claims ccatokenrealm.IClaims, endorsement *handler.Endorsement) error {
 	pvClaim, err := claims.GetPersonalizationValue()
 	if err != nil {
 		return fmt.Errorf("matchRpv failed: %w", err)
@@ -122,7 +122,7 @@ func matchRpv(claims ccatoken.IClaims, endorsement *handler.Endorsement) error {
 	return nil
 }
 
-func matchREMs(claims ccatoken.IClaims, endorsement *handler.Endorsement) bool {
+func matchREMs(claims ccatokenrealm.IClaims, endorsement *handler.Endorsement) bool {
 	remMatch := false
 	remsClaim, err := claims.GetExtensibleMeasurements()
 	if err != nil {
diff --git a/scheme/arm-cca/store_handler.go b/scheme/arm-cca/store_handler.go
index cfea7ad8..537a4fbf 100644
--- a/scheme/arm-cca/store_handler.go
+++ b/scheme/arm-cca/store_handler.go
@@ -46,8 +46,7 @@ func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endo
 }
 
 func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) {
-	var evidence ccatoken.Evidence
-	err := evidence.FromCBOR(token.Data)
+	evidence, err := ccatoken.DecodeAndValidateEvidenceFromCBOR(token.Data)
 	if err != nil {
 		return []string{""}, handler.BadEvidence(err)
 	}
diff --git a/scheme/common/arm/handlers.go b/scheme/common/arm/handlers.go
index 13061e48..c6859eae 100644
--- a/scheme/common/arm/handlers.go
+++ b/scheme/common/arm/handlers.go
@@ -10,6 +10,7 @@ import (
 	"encoding/json"
 	"fmt"
 
+	"github.com/veraison/ccatoken/platform"
 	"github.com/veraison/psatoken"
 	"github.com/veraison/services/handler"
 	"github.com/veraison/services/log"
@@ -63,7 +64,9 @@ func GetPlatformReferenceIDs(
 	tenantID string,
 	claims map[string]interface{},
 ) ([]string, error) {
-	platformClaims, err := common.MapToClaims(claims)
+	// Using the PSA specialisation here is ok because Implementation ID is
+	// mandatory and shared by both PSA and CCA platform.
+	platformClaims, err := common.MapToPSAClaims(claims)
 	if err != nil {
 		return nil, err
 	}
@@ -105,13 +108,21 @@ func GetTrustAnchorID(scheme string, tenantID string, claims psatoken.IClaims) (
 
 func MatchSoftware(scheme string, evidence psatoken.IClaims, endorsements []handler.Endorsement) bool {
 	var attr SwAttr
-	evidenceComponents := make(map[string]psatoken.SwComponent)
+	evidenceComponents := make(map[string]psatoken.ISwComponent)
 	swComps, err := evidence.GetSoftwareComponents()
 	if err != nil {
 		return false
 	}
 	for _, c := range swComps {
-		key := base64.StdEncoding.EncodeToString(*c.MeasurementValue) + (*c.MeasurementType)
+		mval, err := c.GetMeasurementValue()
+		if err != nil {
+			return false
+		}
+		mtyp, err := c.GetMeasurementType()
+		if err != nil {
+			return false
+		}
+		key := base64.StdEncoding.EncodeToString(mval) + mtyp
 		evidenceComponents[key] = c
 	}
 	matched := false
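Review bot: The new comment justifies calling `common.MapToPSAClaims` on CCA platform claims because Implementation ID is common to both profiles, but the helper as introduced in scheme/common/utils.go in this same diff delegates to `psatoken.DecodeAndValidateClaimsFromJSON`, so the whole CCA platform claims map is validated against PSA rules here, not just the Implementation ID read out of it. If CCA platform claims carry a profile or mandatory fields that PSA validation does not accept, this path would reject otherwise-valid CCA evidence at reference-value lookup; that is worth pinning with a CCA platform claims map in the tests for this function. Should psatoken offer a non-validating decode, that would make the comment's reasoning hold as written; otherwise the comment should at least say what actually happens, e.g. `// MapToPSAClaims also validates the whole map against PSA rules; CCA platform claims must pass that validation too.` GetPlatformReferenceIDs continues past the end of the hunk.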
@@ -131,10 +142,14 @@ func MatchSoftware(scheme string, evidence psatoken.IClaims, endorsements []hand
 			break
 		}
 
-		log.Debugf("MeasurementType Evidence: %s, Endorsement: %s", *evComp.MeasurementType, attr.MeasurementType)
-		typeMatched := attr.MeasurementType == "" || attr.MeasurementType == *evComp.MeasurementType
-		sigMatched := attr.SignerID == nil || bytes.Equal(attr.SignerID, *evComp.SignerID)
-		versionMatched := attr.Version == "" || attr.Version == *evComp.Version
+		evCompMeasurementType, _ := evComp.GetMeasurementType()
+		evCompSignerID, _ := evComp.GetSignerID()
+		evCompVersion, _ := evComp.GetVersion()
+
+		log.Debugf("MeasurementType Evidence: %s, Endorsement: %s", evCompMeasurementType, attr.MeasurementType)
+		typeMatched := attr.MeasurementType == "" || attr.MeasurementType == evCompMeasurementType
+		sigMatched := attr.SignerID == nil || bytes.Equal(attr.SignerID, evCompSignerID)
+		versionMatched := attr.Version == "" || attr.Version == evCompVersion
 
 		if !(typeMatched && sigMatched && versionMatched) {
 			matched = false
@@ -176,7 +191,7 @@ func GetPublicKeyFromTA(scheme string, trustAnchor string) (crypto.PublicKey, er
 	return pk, nil
 }
 
-func MatchPlatformConfig(scheme string, evidence psatoken.IClaims, endorsements []handler.Endorsement) bool {
+func MatchPlatformConfig(scheme string, evidence platform.IClaims, endorsements []handler.Endorsement) bool {
 	var attr CcaPlatformCfg
 	pfConfig, err := evidence.GetConfig()
 	if err != nil {
diff --git a/scheme/common/cca/realm/realm_utils.go b/scheme/common/cca/realm/realm_utils.go
index 80c94479..d81c2ebd 100644
--- a/scheme/common/cca/realm/realm_utils.go
+++ b/scheme/common/cca/realm/realm_utils.go
@@ -10,7 +10,7 @@ import (
 	"net/url"
 	"strings"
 
-	"github.com/veraison/ccatoken"
+	"github.com/veraison/ccatoken/realm"
 	"github.com/veraison/services/log"
 )
 
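Review bot: The three `_ :=` assignments for `evCompMeasurementType`, `evCompSignerID` and `evCompVersion` discard the getter errors and then compare whatever zero value came back, while the earlier MatchSoftware hunk in this diff treats a failing `GetMeasurementValue`/`GetMeasurementType` on the same component type as a hard `return false`. With the error dropped, a failed `GetSignerID` leaves a nil slice that `bytes.Equal` still compares and a failed `GetVersion` leaves `""`, so an evidence field that could not be read is silently compared rather than treated as absent. Keeping each error and folding it into the comparison preserves the existing wildcard semantics (an empty endorsement field matches anything) while making an unreadable evidence field a mismatch only when the endorsement actually constrains it. The enclosing loop and the `matched`/`break` handling below lie outside the hunk, so they are left as they are.
```go
		evCompMeasurementType, typeErr := evComp.GetMeasurementType()
		evCompSignerID, sigErr := evComp.GetSignerID()
		evCompVersion, verErr := evComp.GetVersion()

		log.Debugf("MeasurementType Evidence: %s, Endorsement: %s", evCompMeasurementType, attr.MeasurementType)
		// An empty endorsement field is a wildcard; a constrained field only
		// matches when the corresponding evidence value could actually be read.
		typeMatched := attr.MeasurementType == "" || (typeErr == nil && attr.MeasurementType == evCompMeasurementType)
		sigMatched := attr.SignerID == nil || (sigErr == nil && bytes.Equal(attr.SignerID, evCompSignerID))
		versionMatched := attr.Version == "" || (verErr == nil && attr.Version == evCompVersion)
		// … unchanged: mismatch handling below …
```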
@@ -72,15 +72,17 @@ func GetREMs(attr json.RawMessage) ([][]byte, error) {
 	return rems, nil
 }
 
-func MapToRealmClaims(in map[string]interface{}) (ccatoken.IClaims, error) {
-	realmClaims := &ccatoken.RealmClaims{}
+func MapToRealmClaims(in map[string]interface{}) (realm.IClaims, error) {
 	data, err := json.Marshal(in)
 	if err != nil {
 		return nil, err
 	}
-	if err := realmClaims.FromJSON(data); err != nil {
+
+	realmClaims, err := realm.DecodeClaimsFromJSON(data)
+	if err != nil {
 		return nil, err
 	}
+
 	return realmClaims, nil
 }
 
diff --git a/scheme/common/utils.go b/scheme/common/utils.go
index 35c1afb8..f3d78ebd 100644
--- a/scheme/common/utils.go
+++ b/scheme/common/utils.go
@@ -10,15 +10,41 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/veraison/ccatoken/platform"
+	"github.com/veraison/ccatoken/realm"
 	"github.com/veraison/psatoken"
 )
 
+type CcaPlatformWrapper struct {
+	C platform.IClaims
+}
+
+func (o CcaPlatformWrapper) MarshalJSON() ([]byte, error) {
+	return platform.ValidateAndEncodeClaimsToJSON(o.C)
+}
+
+type CcaRealmWrapper struct {
+	C realm.IClaims
+}
+
+func (o CcaRealmWrapper) MarshalJSON() ([]byte, error) {
+	return realm.ValidateAndEncodeClaimsToJSON(o.C)
+}
+
+type PsaPlatformWrapper struct {
+	C psatoken.IClaims
+}
+
+func (o PsaPlatformWrapper) MarshalJSON() ([]byte, error) {
+	return psatoken.ValidateAndEncodeClaimsToJSON(o.C)
+}
+
 type ClaimMapper interface {
-	ToJSON() ([]byte, error)
+	MarshalJSON() ([]byte, error)
 }
 
 func ClaimsToMap(mapper ClaimMapper) (map[string]interface{}, error) {
-	data, err := mapper.ToJSON()
+	data, err := mapper.MarshalJSON()
 	if err != nil {
 		return nil, err
 	}
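Review bot: `realm.DecodeClaimsFromJSON` in MapToRealmClaims decodes without the validation step that the two parallel helpers added in scheme/common/utils.go in this diff perform (`platform.DecodeAndValidateClaimsFromJSON` in MapToCCAPlatformClaims, `psatoken.DecodeAndValidateClaimsFromJSON` in MapToPSAClaims), so realm claims re-read from the claims map are the one path on which the token library's rules are not re-checked. If the realm package exposes a validating JSON decoder, using it here would keep the three map-to-claims paths consistent; if it does not, or the omission is deliberate because the realm claims were already validated when the evidence was decoded, a one-line comment on the call should say so, e.g. `// realm claims were validated when the evidence was decoded; a plain decode is sufficient here`.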
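Review bot: The new exported types `CcaPlatformWrapper`, `CcaRealmWrapper` and `PsaPlatformWrapper` and their `MarshalJSON` methods carry no doc comments, and the updated `ClaimMapper` interface does not say that its method set is now identical to `encoding/json`'s `Marshaler`. Each wrapper should get a comment starting with its name, e.g. `// CcaPlatformWrapper adapts platform.IClaims to ClaimMapper; its MarshalJSON validates the claims before encoding them.` with the analogous sentence for the realm and PSA wrappers, and ClaimMapper should note `// ClaimMapper has the same method set as json.Marshaler, so any json.Marshaler satisfies it.` Because each `MarshalJSON` runs validation, handing a wrapper to `json.Marshal` directly will validate on every encode and fail the encode on invalid claims, which is worth one sentence on the methods so callers are not surprised.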
@@ -29,13 +55,22 @@ func ClaimsToMap(mapper ClaimMapper) (map[string]interface{}, error) {
 	return out, err
 }
 
-func MapToClaims(in map[string]interface{}) (psatoken.IClaims, error) {
+func MapToPSAClaims(in map[string]interface{}) (psatoken.IClaims, error) {
+	data, err := json.Marshal(in)
+	if err != nil {
+		return nil, err
+	}
+
+	return psatoken.DecodeAndValidateClaimsFromJSON(data)
+}
+
+func MapToCCAPlatformClaims(in map[string]interface{}) (platform.IClaims, error) {
 	data, err := json.Marshal(in)
 	if err != nil {
 		return nil, err
 	}
 
-	return psatoken.DecodeJSONClaims(data)
+	return platform.DecodeAndValidateClaimsFromJSON(data)
 }
 
 func GetImplID(scheme string, attr json.RawMessage) (string, error) {
diff --git a/scheme/parsec-cca/evidence_handler.go b/scheme/parsec-cca/evidence_handler.go
index a8c2f0b9..8d47431b 100644
--- a/scheme/parsec-cca/evidence_handler.go
+++ b/scheme/parsec-cca/evidence_handler.go
@@ -8,10 +8,10 @@ import (
 	"errors"
 	"fmt"
 
+	cca_platform "github.com/veraison/ccatoken/platform"
 	"github.com/veraison/ear"
 	"github.com/veraison/go-cose"
 	parsec_cca "github.com/veraison/parsec/cca"
-	"github.com/veraison/psatoken"
 	"github.com/veraison/services/handler"
 	"github.com/veraison/services/log"
 	"github.com/veraison/services/proto"
@@ -61,12 +61,13 @@ func (s EvidenceHandler) ExtractClaims(
 	kat["akpub"] = base64.StdEncoding.EncodeToString(ck)
 	claimsSet["kat"] = kat
 
-	pmap, err := common.ClaimsToMap(evidence.Pat.PlatformClaims)
+
+	pmap, err := common.ClaimsToMap(common.CcaPlatformWrapper{evidence.Pat.PlatformClaims}) // nolint:govet
 	if err != nil {
 		return nil, handler.BadEvidence(err)
 	}
 	claimsSet["cca.platform"] = pmap
-	rmap, err := common.ClaimsToMap(evidence.Pat.RealmClaims)
+	rmap, err := common.ClaimsToMap(common.CcaRealmWrapper{evidence.Pat.RealmClaims}) // nolint:govet
 	if err != nil {
 		return nil, handler.BadEvidence(err)
 	}
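Review bot: `MapToPSAClaims` and `MapToCCAPlatformClaims` duplicate the `json.Marshal` prologue and error check, and their initialism casing (`PSA`, `CCA`) differs from the wrapper types added higher up in the same file (`PsaPlatformWrapper`, `CcaPlatformWrapper`); Go style keeps an initialism in one consistent case across a package. Settling on one form now, before the wrapper names are used from more call sites, avoids a rename later, and the `PSA`/`CCA` form used by these two functions is the conventional one. Neither function has a doc comment; `// MapToPSAClaims re-encodes a claims map as JSON and decodes it as validated PSA claims.` and the CCA counterpart `// MapToCCAPlatformClaims re-encodes a claims map as JSON and decodes it as validated CCA platform claims.` would do.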
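Review bot: The added empty `+` line before the `pmap` assignment in parsec-cca ExtractClaims follows the existing blank context line after `claimsSet["kat"] = kat`, which leaves two consecutive blank lines on the new side; gofmt collapses runs of blank lines, so this hunk would not survive a gofmt pass unchanged. Drop the added blank line and keep the single existing separator. ExtractClaims continues on both sides of the hunk.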
@@ -162,7 +163,7 @@ func populateAttestationResult(
 		return handler.BadEvidence(errors.New("no cca platform in the evidence"))
 	}
 	pmap := cp.(map[string]interface{})
-	claims, err := common.MapToClaims(pmap)
+	claims, err := common.MapToCCAPlatformClaims(pmap)
 	if err != nil {
 		return handler.BadEvidence(err)
 	}
@@ -172,9 +173,9 @@ func populateAttestationResult(
 		return handler.BadEvidence(err)
 	}
 
-	lifeCycle := psatoken.CcaLifeCycleToState(rawLifeCycle)
-	if lifeCycle == psatoken.CcaStateSecured ||
-		lifeCycle == psatoken.CcaStateNonCcaPlatformDebug {
+	lifeCycle := cca_platform.LifeCycleToState(rawLifeCycle)
+	if lifeCycle == cca_platform.StateSecured ||
+		lifeCycle == cca_platform.StateNonCCAPlatformDebug {
 		appraisal.TrustVector.InstanceIdentity = ear.TrustworthyInstanceClaim
 		appraisal.TrustVector.RuntimeOpaque = ear.ApprovedRuntimeClaim
 		appraisal.TrustVector.StorageOpaque = ear.HwKeysEncryptedSecretsClaim
diff --git a/scheme/psa-iot/evidence_handler.go b/scheme/psa-iot/evidence_handler.go
index 559bf9e3..f574d34a 100644
--- a/scheme/psa-iot/evidence_handler.go
+++ b/scheme/psa-iot/evidence_handler.go
@@ -35,13 +35,13 @@ func (s EvidenceHandler) ExtractClaims(
 	token *proto.AttestationToken,
 	trustAnchors []string,
 ) (map[string]interface{}, error) {
-	var psaToken psatoken.Evidence
+	psaToken, err := psatoken.DecodeAndValidateEvidenceFromCOSE(token.Data)
 
-	if err := psaToken.FromCOSE(token.Data); err != nil {
+	if err != nil {
 		return nil, handler.BadEvidence(err)
 	}
 
-	claimsSet, err := common.ClaimsToMap(psaToken.Claims)
+	claimsSet, err := common.ClaimsToMap(common.PsaPlatformWrapper{psaToken.Claims}) // nolint:govet
 	if err != nil {
 		return nil, handler.BadEvidence(err)
 	}
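Review bot: In psa-iot ExtractClaims the new `psaToken, err := psatoken.DecodeAndValidateEvidenceFromCOSE(token.Data)` is separated from its `if err != nil {` by the blank line that used to sit after the old `var` declaration; Go convention, and the psa-iot ValidateEvidenceIntegrity hunk and both arm-cca hunks in this same diff, keep a call and its error check adjacent. Remove the blank line so the two read `psaToken, err := psatoken.DecodeAndValidateEvidenceFromCOSE(token.Data)` immediately followed by `if err != nil {`. ExtractClaims continues past the end of the hunk.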
@@ -54,11 +54,8 @@ func (s EvidenceHandler) ValidateEvidenceIntegrity(
 	trustAnchors []string,
 	endorsementsStrings []string,
 ) error {
-	var (
-		psaToken psatoken.Evidence
-	)
-
-	if err := psaToken.FromCOSE(token.Data); err != nil {
+	psaToken, err := psatoken.DecodeAndValidateEvidenceFromCOSE(token.Data)
+	if err != nil {
 		return handler.BadEvidence(err)
 	}
 
@@ -113,7 +110,7 @@ func populateAttestationResult(
 	evidence map[string]interface{},
 	endorsements []handler.Endorsement,
 ) error {
-	claims, err := common.MapToClaims(evidence)
+	claims, err := common.MapToPSAClaims(evidence)
 	if err != nil {
 		return handler.BadEvidence(err)
 	}
@@ -129,8 +126,8 @@ func populateAttestationResult(
 		return handler.BadEvidence(err)
 	}
 
-	lifeCycle := psatoken.PsaLifeCycleToState(rawLifeCycle)
-	if lifeCycle == psatoken.PsaStateSecured || lifeCycle == psatoken.PsaStateNonPsaRotDebug {
+	lifeCycle := psatoken.LifeCycleToState(rawLifeCycle)
+	if lifeCycle == psatoken.StateSecured || lifeCycle == psatoken.StateNonPSAROTDebug {
 		appraisal.TrustVector.InstanceIdentity = ear.TrustworthyInstanceClaim
 		appraisal.TrustVector.RuntimeOpaque = ear.ApprovedRuntimeClaim
 		appraisal.TrustVector.StorageOpaque = ear.HwKeysEncryptedSecretsClaim
diff --git a/scheme/psa-iot/scheme.go b/scheme/psa-iot/scheme.go
index aad091b5..794acb44 100644
--- a/scheme/psa-iot/scheme.go
+++ b/scheme/psa-iot/scheme.go
@@ -1,4 +1,4 @@
-// Copyright 2023 Contributors to the Veraison project.
+// Copyright 2023-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package psa_iot
diff --git a/scheme/psa-iot/store_handler.go b/scheme/psa-iot/store_handler.go
index 0f23e74e..eb7aa000 100644
--- a/scheme/psa-iot/store_handler.go
+++ b/scheme/psa-iot/store_handler.go
@@ -36,12 +36,11 @@ func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endo
 }
 
 func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) {
-	var psaToken psatoken.Evidence
-
-	err := psaToken.FromCOSE(token.Data)
+	psaToken, err := psatoken.DecodeAndValidateEvidenceFromCOSE(token.Data)
 	if err != nil {
 		return []string{""}, handler.BadEvidence(err)
 	}
+
 	claims := psaToken.Claims
 
 	taID, err := arm.GetTrustAnchorID(SchemeName, token.TenantId, claims)
diff --git a/scheme/tpm-enacttrust/scheme.go b/scheme/tpm-enacttrust/scheme.go
index 7e4baaf7..7e627702 100644
--- a/scheme/tpm-enacttrust/scheme.go
+++ b/scheme/tpm-enacttrust/scheme.go
@@ -1,4 +1,4 @@
-// Copyright 2023 Contributors to the Veraison project.
+// Copyright 2023-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package tpm_enacttrust
diff --git a/verification/api/handler.go b/verification/api/handler.go
index 6176b6dd..a74d1ee5 100644
--- a/verification/api/handler.go
+++ b/verification/api/handler.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package api
diff --git a/verification/verifier/verifier.go b/verification/verifier/verifier.go
index 34f18f87..a06ac743 100644
--- a/verification/verifier/verifier.go
+++ b/verification/verifier/verifier.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 Contributors to the Veraison project.
+// Copyright 2022-2024 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package verifier