handler: add GetRefValueIDs to IStoreHandler

Move reference value ID extraction from evidence into store handler. Prior to this, it was done inside evidence handler as part of claims extraction. This ensure that ID generation on both provisioning and verification paths is handled in the same place, and is symmetrical with trust anchor ID generation. This also means that ExtractClaims method is now responsible _only_ for claim extraction. ExtractedClaims structure is removed, and the method now returns the map[string]interface{} claims set (ExtractedClaims combined that with reference IDs). Signed-off-by: Sergei Trofimov <[email protected]>
veraison · Apr 24, 2024 · e1ab557 · e1ab557
1 parent 5a76aff
commit e1ab557
Show file tree

Hide file tree

Showing 23 changed files with 286 additions and 155 deletions.
diff --git a/handler/evidence_rpc.go b/handler/evidence_rpc.go
@@ -163,12 +163,15 @@ func (s *RPCClient) GetSupportedMediaTypes() []string {
 	return resp
 }
 
-func (s *RPCClient) ExtractEvidence(token *proto.AttestationToken, trustAnchors []string) (*ExtractedClaims, error) {
+func (s *RPCClient) ExtractEvidence(
+	token *proto.AttestationToken,
+	trustAnchors []string,
+) (map[string]interface{}, error) {
 	var (
 		err       error
 		args      ExtractClaimsArgs
 		resp      []byte
-		extracted ExtractedClaims
+		extracted map[string]interface{}
 	)
 
 	args.Token, err = json.Marshal(token)
@@ -188,7 +191,7 @@ func (s *RPCClient) ExtractEvidence(token *proto.AttestationToken, trustAnchors
 		return nil, fmt.Errorf("unmarshaling extracted evidence: %w", err)
 	}
 
-	return &extracted, nil
+	return extracted, nil
 }
 
 func (s *RPCClient) ValidateEvidenceIntegrity(
@@ -240,11 +243,14 @@ func (s *RPCClient) AppraiseEvidence(ec *proto.EvidenceContext, endorsements []s
 	return &result, err
 }
 
-func (s *RPCClient) ExtractClaims(token *proto.AttestationToken, trustAnchors []string) (*ExtractedClaims, error) {
+func (s *RPCClient) ExtractClaims(
+	token *proto.AttestationToken,
+	trustAnchors []string,
+) (map[string]interface{}, error) {
 	var (
 		err             error
 		args            ExtractClaimsArgs
-		extractedClaims ExtractedClaims
+		extractedClaims map[string]interface{}
 	)
 
 	args.Token, err = json.Marshal(token)
@@ -266,5 +272,5 @@ func (s *RPCClient) ExtractClaims(token *proto.AttestationToken, trustAnchors []
 		return nil, fmt.Errorf("unmarshaling extracted claims: %w", err)
 	}
 
-	return &extractedClaims, nil
+	return extractedClaims, nil
 }
diff --git a/handler/ievidencehandler.go b/handler/ievidencehandler.go
@@ -19,7 +19,7 @@ type IEvidenceHandler interface {
 	ExtractClaims(
 		token *proto.AttestationToken,
 		trustAnchors []string,
-	) (*ExtractedClaims, error)
+	) (map[string]interface{}, error)
 
 	// ValidateEvidenceIntegrity verifies the structural integrity and validity of the
 	// token. The exact checks performed are scheme-specific, but they
@@ -50,21 +50,3 @@ type IEvidenceHandler interface {
 		endorsements []string,
 	) (*ear.AttestationResult, error)
 }
-
-// ExtractedClaims contains a map of claims extracted from an attestation
-// token along with the corresponding ReferenceIDs that are used to fetch
-// the associated endorsements.
-//
-//	ReferenceID is the key used to fetch all the Endorsements
-//	generated from claims extracted from the token
-type ExtractedClaims struct {
-	ClaimsSet    map[string]interface{} `json:"claims-set"`
-	ReferenceIDs []string               `json:"reference-ids"`
-	// please refer issue #106 for unprocessed claim set
-}
-
-func NewExtractedClaims() *ExtractedClaims {
-	return &ExtractedClaims{
-		ClaimsSet: make(map[string]interface{}),
-	}
-}
diff --git a/handler/istorehandler.go b/handler/istorehandler.go
@@ -14,11 +14,20 @@ import (
 type IStoreHandler interface {
 	plugin.IPluggable
 
-	// GetTrustAnchorIDs returns an array of trust anchor identifiers used
+	// GetTrustAnchorIDs returns a slice of trust anchor identifiers used
 	// to retrieve the trust anchors associated with this token. The trust anchors may be necessary to validate the
 	// entire token and/or extract its claims (if it is encrypted).
 	GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error)
 
+	// GetRefValueIDs returns a slice of refrence value identifiers used token
+	// to retrieve the reference values associated with the token from
+	// which the claims have been extracted.
+	GetRefValueIDs(
+		tenantID string,
+		trustAnchors []string,
+		claims map[string]interface{},
+	) ([]string, error)
+
 	// SynthKeysFromRefValue synthesizes lookup key(s) for the
 	// provided reference value endorsement.
 	SynthKeysFromRefValue(tenantID string, refVal *Endorsement) ([]string, error)

diff --git a/handler/store_rpc.go b/handler/store_rpc.go
@@ -101,6 +101,28 @@ func (s *StoreRPCServer) GetTrustAnchorIDs(data []byte, resp *[]string) error {
 	return err
 }
 
+type GetRefValueIDsArgs struct {
+	TenantID string
+	TrustAnchors []string
+	Claims []byte
+}
+
+func (s *StoreRPCServer) GetRefValueIDs(args GetRefValueIDsArgs, resp *[]string) error {
+	var claims map[string]interface{}
+
+	err := json.Unmarshal(args.Claims, &claims)
+	if err != nil {
+		return fmt.Errorf("unmarshaling token: %w", err)
+	}
+
+	*resp, err = s.Impl.GetRefValueIDs(args.TenantID, args.TrustAnchors, claims)
+	if err != nil {
+		return err
+	}
+
+	return err
+}
+
 /*
   RPC client
   (plugin caller side)
@@ -230,3 +252,32 @@ func (s *StoreRPCClient) GetTrustAnchorIDs(token *proto.AttestationToken) ([]str
 
 	return resp, nil
 }
+
+func (s *StoreRPCClient) GetRefValueIDs(
+	tenantID string,
+	trustAnchors []string,
+	claims map[string]interface{},
+) ([]string, error) {
+	var (
+		err error
+		resp []string
+	)
+
+	args := GetRefValueIDsArgs{
+		TenantID: tenantID,
+		TrustAnchors: trustAnchors,
+	}
+
+	args.Claims, err = json.Marshal(claims)
+	if err != nil {
+		return nil, err
+	}
+
+	err = s.client.Call("Plugin.GetRefValueIDs", args, &resp)
+	if err != nil {
+		err = ParseError(err)
+		return nil, fmt.Errorf("Plugin.GetRefValueIDs RPC call failed: %w", err) // nolint
+	}
+
+	return resp, nil
+}
diff --git a/scheme/cca-ssd-platform/evidence_handler.go b/scheme/cca-ssd-platform/evidence_handler.go
@@ -36,15 +36,14 @@ func (s EvidenceHandler) GetSupportedMediaTypes() []string {
 func (s EvidenceHandler) ExtractClaims(
 	token *proto.AttestationToken,
 	trustAnchors []string,
-) (*handler.ExtractedClaims, error) {
+) (map[string]interface{}, error) {
 
 	var ccaToken ccatoken.Evidence
 
 	if err := ccaToken.FromCBOR(token.Data); err != nil {
 		return nil, handler.BadEvidence(err)
 	}
 
-	var extracted handler.ExtractedClaims
 
 	platformClaimsSet, err := common.ClaimsToMap(ccaToken.PlatformClaims)
 	if err != nil {
@@ -58,18 +57,12 @@ func (s EvidenceHandler) ExtractClaims(
 			"could not convert realm claims: %w", err))
 	}
 
-	extracted.ClaimsSet = map[string]interface{}{
+	extracted := map[string]interface{}{
 		"platform": platformClaimsSet,
 		"realm":    realmClaimsSet,
 	}
 
-	extracted.ReferenceIDs = []string{arm.RefValLookupKey(
-		SchemeName,
-		token.TenantId,
-		arm.MustImplIDString(ccaToken.PlatformClaims),
-	)}
-	log.Debugf("extracted Reference ID Key = %s", extracted.ReferenceIDs)
-	return &extracted, nil
+	return extracted, nil
 }
 
 // ValidateEvidenceIntegrity, decodes CCA collection and then invokes Verify API of ccatoken library

diff --git a/scheme/cca-ssd-platform/evidence_handler_test.go b/scheme/cca-ssd-platform/evidence_handler_test.go
@@ -110,7 +110,7 @@ func Test_ExtractVerifiedClaims_ok(t *testing.T) {
 	ta := string(taEndValBytes)
 
 	extracted, err := scheme.ExtractClaims(&token, []string{ta})
-	platformClaims := extracted.ClaimsSet["platform"].(map[string]interface{})
+	platformClaims := extracted["platform"].(map[string]interface{})
 
 	require.NoError(t, err)
 	assert.Equal(t, "http://arm.com/CCA-SSD/1.0.0",

diff --git a/scheme/cca-ssd-platform/store_handler.go b/scheme/cca-ssd-platform/store_handler.go
@@ -4,8 +4,11 @@
 package cca_ssd_platform
 
 import (
+	"fmt"
+
 	"github.com/veraison/services/handler"
 	"github.com/veraison/services/proto"
+	"github.com/veraison/services/scheme/common"
 	"github.com/veraison/services/scheme/common/arm"
 )
 
@@ -43,3 +46,25 @@ func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string
 	}
 	return []string{ta}, nil
 }
+
+func (s StoreHandler) GetRefValueIDs(
+	tenantID string,
+	trustAnchors []string,
+	claims map[string]interface{},
+) ([]string, error) {
+	platformClaimsMap, ok := claims["platform"].(map[string]interface{})
+	if !ok {
+		return nil, fmt.Errorf("claims to do not contain patform map: %v", claims)
+	}
+
+	platformClaims, err := common.MapToClaims(platformClaimsMap)
+	if err != nil {
+		return nil, err
+	}
+
+	return []string{arm.RefValLookupKey(
+		SchemeName,
+		tenantID,
+		arm.MustImplIDString(platformClaims),
+	)}, nil
+}
diff --git a/scheme/parsec-cca/evidence_handler.go b/scheme/parsec-cca/evidence_handler.go
@@ -38,9 +38,11 @@ func (s EvidenceHandler) GetSupportedMediaTypes() []string {
 	return EvidenceMediaTypes
 }
 
-func (s EvidenceHandler) ExtractClaims(token *proto.AttestationToken, trustAnchors []string) (*handler.ExtractedClaims, error) {
+func (s EvidenceHandler) ExtractClaims(
+	token *proto.AttestationToken,
+	trustAnchors []string,
+) (map[string]interface{}, error) {
 	var (
-		extracted handler.ExtractedClaims
 		evidence  parsec_cca.Evidence
 		claimsSet = make(map[string]interface{})
 		kat       = make(map[string]interface{})
@@ -70,15 +72,7 @@ func (s EvidenceHandler) ExtractClaims(token *proto.AttestationToken, trustAncho
 	}
 	claimsSet["cca.realm"] = rmap
 
-	extracted.ClaimsSet = claimsSet
-
-	extracted.ReferenceIDs = []string{arm.RefValLookupKey(
-		SchemeName,
-		token.TenantId,
-		arm.MustImplIDString(evidence.Pat.PlatformClaims),
-	)}
-	log.Debugf("extracted Reference ID Key = %s", extracted.ReferenceIDs)
-	return &extracted, nil
+	return claimsSet, nil
 }
 
 func (s EvidenceHandler) ValidateEvidenceIntegrity(token *proto.AttestationToken, trustAnchors []string, endorsements []string) error {

diff --git a/scheme/parsec-cca/store_handler.go b/scheme/parsec-cca/store_handler.go
@@ -3,8 +3,11 @@
 package parsec_cca
 
 import (
+	"fmt"
+
 	"github.com/veraison/services/handler"
 	"github.com/veraison/services/proto"
+	"github.com/veraison/services/scheme/common"
 	"github.com/veraison/services/scheme/common/arm"
 )
 
@@ -42,3 +45,25 @@ func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string
 	}
 	return []string{ta}, nil
 }
+
+func (s StoreHandler) GetRefValueIDs(
+	tenantID string,
+	trustAnchors []string,
+	claims map[string]interface{},
+) ([]string, error) {
+	platformClaimsMap, ok := claims["cca.platform"].(map[string]interface{})
+	if !ok {
+		return nil, fmt.Errorf("claims to do not contain patform map: %v", claims)
+	}
+
+	platformClaims, err := common.MapToClaims(platformClaimsMap)
+	if err != nil {
+		return nil, err
+	}
+
+	return []string{arm.RefValLookupKey(
+		SchemeName,
+		tenantID,
+		arm.MustImplIDString(platformClaims),
+	)}, nil
+}
diff --git a/scheme/parsec-tpm/common.go b/scheme/parsec-tpm/common.go
@@ -0,0 +1,9 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package parsec_tpm
+
+const (
+	ScopeTrustAnchor = "trust anchor"
+	ScopeRefValues   = "ref values"
+)
+