diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c2222fee..f8c9368b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,6 +8,7 @@ jobs: runs-on: ubuntu-latest env: GO111MODULE: on + CI_PIPELINE: true steps: - uses: actions/setup-go@v3 with: @@ -39,4 +40,4 @@ jobs: - name: Run tests run: | go version - make -w test + make -w test CI_PIPELINE=${{ env.CI_PIPELINE }} diff --git a/auth/problem.go b/auth/problem.go index 51e5dee9..49945830 100644 --- a/auth/problem.go +++ b/auth/problem.go @@ -1,3 +1,5 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 package auth import ( diff --git a/builtin/schemes.gen.go b/builtin/schemes.gen.go index 0cd446b5..bd4f179a 100644 --- a/builtin/schemes.gen.go +++ b/builtin/schemes.gen.go @@ -12,9 +12,13 @@ import ( var plugins = []plugin.IPluggable{ &scheme1.EvidenceHandler{}, &scheme1.EndorsementHandler{}, + &scheme1.StoreHandler{}, &scheme2.EvidenceHandler{}, + &scheme2.StoreHandler{}, &scheme3.EvidenceHandler{}, &scheme3.EndorsementHandler{}, + &scheme3.StoreHandler{}, &scheme4.EvidenceHandler{}, &scheme4.EndorsementHandler{}, + &scheme4.StoreHandler{}, } diff --git a/end-to-end/input/corim-src/build-endorsements.sh b/end-to-end/input/corim-src/build-endorsements.sh index 4298df17..f824a088 100755 --- a/end-to-end/input/corim-src/build-endorsements.sh +++ b/end-to-end/input/corim-src/build-endorsements.sh @@ -1,4 +1,6 @@ #!/bin/bash +# Copyright 2024 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 set -e TEMP_DIR=/tmp/veraison-end-to-end diff --git a/handler/README.md b/handler/README.md index a488c2b8..4f8a64d4 100644 --- a/handler/README.md +++ b/handler/README.md @@ -1,6 +1,6 @@ -This package defines [`IEvidenceHandler`](ievidencehandler.go) and -[`IEndorsementHandler`](iendorsementhandler.go) [pluggable](../plugin/README.md) +This package defines [`IEvidenceHandler`](ievidencehandler.go), +[`IEndorsementHandler`](iendorsementhandler.go) and [`IStoreHandler`](istorehandler.go) [pluggable](../plugin/README.md) interfaces and associated RPC channels. These are used to add new attestation scheme to Veraison services. Additionally, the package defines a [couple of wrappers](plugin.go) around `plugin.RegisterImplementation` for registering -implementations of these two interfaces. +implementations of these three interfaces. diff --git a/handler/endorsement.go b/handler/endorsement.go index 01e2b9a1..79a9ec9b 100644 --- a/handler/endorsement.go +++ b/handler/endorsement.go @@ -1,4 +1,4 @@ -// Copyright 2023 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package handler diff --git a/handler/endorsement_rpc.go b/handler/endorsement_rpc.go index 3b014681..97766368 100644 --- a/handler/endorsement_rpc.go +++ b/handler/endorsement_rpc.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package handler diff --git a/handler/error_test.go b/handler/error_test.go index 8c91cf51..79ccc0bb 100644 --- a/handler/error_test.go +++ b/handler/error_test.go @@ -1,4 +1,4 @@ -// Copyright 2023 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package handler diff --git a/handler/evidence_rpc.go b/handler/evidence_rpc.go index c7b4f679..c6b1ed0c 100644 --- a/handler/evidence_rpc.go +++ b/handler/evidence_rpc.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package handler @@ -45,59 +45,6 @@ func (s *RPCServer) GetSupportedMediaTypes(args interface{}, resp *[]string) err return nil } -type SynthKeysArgs struct { - TenantID string - EndorsementJSON []byte -} - -func (s *RPCServer) SynthKeysFromRefValue(args SynthKeysArgs, resp *[]string) error { - var ( - err error - swComp Endorsement - ) - - err = json.Unmarshal(args.EndorsementJSON, &swComp) - if err != nil { - return fmt.Errorf("unmarshaling software component: %w", err) - } - - *resp, err = s.Impl.SynthKeysFromRefValue(args.TenantID, &swComp) - - return err -} - -func (s *RPCServer) SynthKeysFromTrustAnchor(args SynthKeysArgs, resp *[]string) error { - var ( - err error - ta Endorsement - ) - - err = json.Unmarshal(args.EndorsementJSON, &ta) - if err != nil { - return fmt.Errorf("unmarshaling trust anchor: %w", err) - } - - *resp, err = s.Impl.SynthKeysFromTrustAnchor(args.TenantID, &ta) - - return err -} - -func (s *RPCServer) GetTrustAnchorIDs(data []byte, resp *[]string) error { - var ( - err error - token proto.AttestationToken - ) - - err = json.Unmarshal(data, &token) - if err != nil { - return fmt.Errorf("unmarshaling attestation token: %w", err) - } - - *resp, err = s.Impl.GetTrustAnchorIDs(&token) - - return err -} - type ExtractClaimsArgs struct { Token []byte TrustAnchors []string @@ -216,73 +163,6 @@ func (s *RPCClient) GetSupportedMediaTypes() []string { return resp } -func (s *RPCClient) SynthKeysFromRefValue(tenantID string, swComp *Endorsement) ([]string, error) { - var ( - err error - resp []string - args SynthKeysArgs - ) - - args.TenantID = tenantID - - args.EndorsementJSON, err = json.Marshal(swComp) - if err != nil { - return nil, fmt.Errorf("marshaling software component: %w", err) - } - - err = s.client.Call("Plugin.SynthKeysFromRefValue", args, &resp) - if err != nil { - err = ParseError(err) - return nil, fmt.Errorf("Plugin.SynthKeysFromRefValue RPC call failed: %w", err) // nolint - } - - return resp, nil -} - -func (s *RPCClient) SynthKeysFromTrustAnchor(tenantID string, ta *Endorsement) ([]string, error) { - var ( - err error - resp []string - args SynthKeysArgs - ) - - args.TenantID = tenantID - - args.EndorsementJSON, err = json.Marshal(ta) - if err != nil { - return nil, fmt.Errorf("marshaling trust anchor: %w", err) - } - - err = s.client.Call("Plugin.SynthKeysFromTrustAnchor", args, &resp) - if err != nil { - err = ParseError(err) - return nil, fmt.Errorf("Plugin.SynthKeysFromTrustAnchor RPC call failed: %w", err) // nolint - } - - return resp, nil -} - -func (s *RPCClient) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { - var ( - err error - data []byte - resp []string - ) - - data, err = json.Marshal(token) - if err != nil { - return []string{""}, fmt.Errorf("marshaling token: %w", err) - } - - err = s.client.Call("Plugin.GetTrustAnchorIDs", data, &resp) - if err != nil { - err = ParseError(err) - return []string{""}, fmt.Errorf("Plugin.GetTrustAnchorIDs RPC call failed: %w", err) // nolint - } - - return resp, nil -} - func (s *RPCClient) ExtractEvidence(token *proto.AttestationToken, trustAnchors []string) (*ExtractedClaims, error) { var ( err error diff --git a/handler/idecoder_manager.go b/handler/idecoder_manager.go index ff24adce..534d5010 100644 --- a/handler/idecoder_manager.go +++ b/handler/idecoder_manager.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package handler diff --git a/handler/iendorsementhandler.go b/handler/iendorsementhandler.go index 839ef5ac..cad5ee6f 100644 --- a/handler/iendorsementhandler.go +++ b/handler/iendorsementhandler.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package handler diff --git a/handler/ievidencehandler.go b/handler/ievidencehandler.go index 5beca027..06345bc1 100644 --- a/handler/ievidencehandler.go +++ b/handler/ievidencehandler.go @@ -1,4 +1,4 @@ -// Copyright 2021-2023 Contributors to the Veraison project. +// Copyright 2021-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package handler @@ -10,15 +10,10 @@ import ( // IEvidenceHandler defines the interface to functionality for working with // attestation scheme specific evidence tokens. This includes validating token -// integrity, and extracting an appraising claims. +// integrity, extracting and appraising claims. type IEvidenceHandler interface { plugin.IPluggable - // GetTrustAnchorIDs returns an array of trust anchor identifiers used - // to retrieve the trust anchors associated with this token. The trust anchors may be necessary to validate the - // entire token and/or extract its claims (if it is encrypted). - GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) - // ExtractClaims parses the attestation token and returns claims // extracted therefrom. ExtractClaims( @@ -48,20 +43,12 @@ type IEvidenceHandler interface { endorsementsStrings []string, ) error - // AppraiseEvidence evaluates the specified EvidenceContext against + // AppraiseEvidence evaluates the specified EvidenceContext against // the specified endorsements, and returns an AttestationResult. AppraiseEvidence( ec *proto.EvidenceContext, endorsements []string, ) (*ear.AttestationResult, error) - - // SynthKeysFromRefValue synthesizes lookup key(s) for the - // provided reference value endorsement. - SynthKeysFromRefValue(tenantID string, refVal *Endorsement) ([]string, error) - - // SynthKeysFromTrustAnchor synthesizes lookup key(s) for the provided - // trust anchor. - SynthKeysFromTrustAnchor(tenantID string, ta *Endorsement) ([]string, error) } // ExtractedClaims contains a map of claims extracted from an attestation diff --git a/handler/istorehandler.go b/handler/istorehandler.go new file mode 100644 index 00000000..093e4beb --- /dev/null +++ b/handler/istorehandler.go @@ -0,0 +1,29 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package handler + +import ( + "github.com/veraison/services/plugin" + "github.com/veraison/services/proto" +) + +// IStoreHandler defines the interface to functionality for working with +// attestation scheme specific store interfaces. This includes extracting +// Trust Anchor IDs from attestation token, and synthesizing, +// Reference Value and TrustAnchor Keys from supplied endorsements +type IStoreHandler interface { + plugin.IPluggable + + // GetTrustAnchorIDs returns an array of trust anchor identifiers used + // to retrieve the trust anchors associated with this token. The trust anchors may be necessary to validate the + // entire token and/or extract its claims (if it is encrypted). + GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) + + // SynthKeysFromRefValue synthesizes lookup key(s) for the + // provided reference value endorsement. + SynthKeysFromRefValue(tenantID string, refVal *Endorsement) ([]string, error) + + // SynthKeysFromTrustAnchor synthesizes lookup key(s) for the provided + // trust anchor. + SynthKeysFromTrustAnchor(tenantID string, ta *Endorsement) ([]string, error) +} diff --git a/handler/plugin.go b/handler/plugin.go index e235cdf7..ba515958 100644 --- a/handler/plugin.go +++ b/handler/plugin.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package handler @@ -19,3 +19,10 @@ func RegisterEvidenceHandler(i IEvidenceHandler) { panic(err) } } + +func RegisterStoreHandler(i IStoreHandler) { + err := plugin.RegisterImplementation("store-handler", i, StoreHandlerRPC) + if err != nil { + panic(err) + } +} diff --git a/handler/result.go b/handler/result.go index 23836215..4dfc38c9 100644 --- a/handler/result.go +++ b/handler/result.go @@ -1,4 +1,4 @@ -// Copyright 2023 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package handler diff --git a/handler/store_rpc.go b/handler/store_rpc.go new file mode 100644 index 00000000..f0c8d34d --- /dev/null +++ b/handler/store_rpc.go @@ -0,0 +1,233 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package handler + +import ( + "encoding/json" + "fmt" + "net/rpc" + + "github.com/veraison/services/plugin" + "github.com/veraison/services/proto" +) + +/* + Server-side RPC adapter around the Decoder plugin implementation + (plugin-side) +*/ + +var StoreHandlerRPC = &plugin.RPCChannel[IStoreHandler]{ + GetClient: getStoreClient, + GetServer: getStoreServer, +} + +func getStoreClient(c *rpc.Client) interface{} { + return &StoreRPCClient{client: c} +} + +func getStoreServer(i IStoreHandler) interface{} { + return &StoreRPCServer{Impl: i} +} + +type StoreRPCServer struct { + Impl IStoreHandler +} + + +func (s *StoreRPCServer) GetName(args interface{}, resp *string) error { + *resp = s.Impl.GetName() + return nil +} + +func (s *StoreRPCServer) GetAttestationScheme(args interface{}, resp *string) error { + *resp = s.Impl.GetAttestationScheme() + return nil +} + +func (s *StoreRPCServer) GetSupportedMediaTypes(args interface{}, resp *[]string) error { + *resp = s.Impl.GetSupportedMediaTypes() + return nil +} + +type SynthKeysArgs struct { + TenantID string + EndorsementJSON []byte +} + +func (s *StoreRPCServer) SynthKeysFromRefValue(args SynthKeysArgs, resp *[]string) error { + var ( + err error + swComp Endorsement + ) + + err = json.Unmarshal(args.EndorsementJSON, &swComp) + if err != nil { + return fmt.Errorf("unmarshaling software component: %w", err) + } + + *resp, err = s.Impl.SynthKeysFromRefValue(args.TenantID, &swComp) + + return err +} + +func (s *StoreRPCServer) SynthKeysFromTrustAnchor(args SynthKeysArgs, resp *[]string) error { + var ( + err error + ta Endorsement + ) + + err = json.Unmarshal(args.EndorsementJSON, &ta) + if err != nil { + return fmt.Errorf("unmarshaling trust anchor: %w", err) + } + + *resp, err = s.Impl.SynthKeysFromTrustAnchor(args.TenantID, &ta) + + return err +} + +func (s *StoreRPCServer) GetTrustAnchorIDs(data []byte, resp *[]string) error { + var ( + err error + token proto.AttestationToken + ) + + err = json.Unmarshal(data, &token) + if err != nil { + return fmt.Errorf("unmarshaling attestation token: %w", err) + } + + *resp, err = s.Impl.GetTrustAnchorIDs(&token) + + return err +} + +/* + RPC client + (plugin caller side) +*/ + +type StoreRPCClient struct { + client *rpc.Client +} + +func (c StoreRPCClient) Close() error { + var ( + unused0 interface{} + unused1 interface{} + ) + + return c.client.Call("Plugin.Close", unused0, unused1) +} + +func (c StoreRPCClient) GetName() string { + var ( + err error + resp string + unused interface{} + ) + + err = c.client.Call("Plugin.GetName", &unused, &resp) + if err != nil { + return "" + } + + return resp +} + +func (c StoreRPCClient) GetAttestationScheme() string { + var ( + err error + resp string + unused interface{} + ) + + err = c.client.Call("Plugin.GetAttestationScheme", &unused, &resp) + if err != nil { + return "" + } + + return resp +} + +func (c StoreRPCClient) GetSupportedMediaTypes() []string { + var ( + err error + resp []string + unused interface{} + ) + + err = c.client.Call("Plugin.GetSupportedMediaTypes", &unused, &resp) + if err != nil { + return nil + } + + return resp +} + +func (s *StoreRPCClient) SynthKeysFromRefValue(tenantID string, swComp *Endorsement) ([]string, error) { + var ( + err error + resp []string + args SynthKeysArgs + ) + + args.TenantID = tenantID + + args.EndorsementJSON, err = json.Marshal(swComp) + if err != nil { + return nil, fmt.Errorf("marshaling software component: %w", err) + } + + err = s.client.Call("Plugin.SynthKeysFromRefValue", args, &resp) + if err != nil { + err = ParseError(err) + return nil, fmt.Errorf("Plugin.SynthKeysFromRefValue RPC call failed: %w", err) // nolint + } + + return resp, nil +} + +func (s *StoreRPCClient) SynthKeysFromTrustAnchor(tenantID string, ta *Endorsement) ([]string, error) { + var ( + err error + resp []string + args SynthKeysArgs + ) + + args.TenantID = tenantID + + args.EndorsementJSON, err = json.Marshal(ta) + if err != nil { + return nil, fmt.Errorf("marshaling trust anchor: %w", err) + } + + err = s.client.Call("Plugin.SynthKeysFromTrustAnchor", args, &resp) + if err != nil { + err = ParseError(err) + return nil, fmt.Errorf("Plugin.SynthKeysFromTrustAnchor RPC call failed: %w", err) // nolint + } + + return resp, nil +} + +func (s *StoreRPCClient) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { + var ( + err error + data []byte + resp []string + ) + + data, err = json.Marshal(token) + if err != nil { + return []string{""}, fmt.Errorf("marshaling token: %w", err) + } + + err = s.client.Call("Plugin.GetTrustAnchorIDs", data, &resp) + if err != nil { + err = ParseError(err) + return []string{""}, fmt.Errorf("Plugin.GetTrustAnchorIDs RPC call failed: %w", err) // nolint + } + + return resp, nil +} diff --git a/mk/test.mk b/mk/test.mk index d928c98a..7f84b496 100644 --- a/mk/test.mk +++ b/mk/test.mk @@ -11,6 +11,8 @@ TEST_ARGS ?= -v -cover -race MOCKGEN := $(shell go env GOPATH)/bin/mockgen +COPYRIGHT_FLAGS ?= +CI_PIPELINE ?= define MOCK_template mock_$(1): $(1) @@ -51,7 +53,7 @@ realtest: _mocks ; go test $(TEST_ARGS) $(GOPKG) .PHONY: realtest ifdef CI_PIPELINE - COPYRIGHT_FLAGS += --no-year-check +COPYRIGHT_FLAGS += --no-year-check endif checkcopyrights: ; python3 $(THIS_DIR)../scripts/check-copyright $(COPYRIGHT_FLAGS) . diff --git a/proto/appraisal_context.pb.go b/proto/appraisal_context.pb.go index 976d7309..868a0ec7 100644 --- a/proto/appraisal_context.pb.go +++ b/proto/appraisal_context.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.26.0 -// protoc v3.21.6 +// protoc v3.21.12 // source: appraisal_context.proto package proto diff --git a/proto/evidence.pb.go b/proto/evidence.pb.go index 45fd89ad..3ff8b2c1 100644 --- a/proto/evidence.pb.go +++ b/proto/evidence.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.26.0 -// protoc v3.21.6 +// protoc v3.21.12 // source: evidence.proto package proto diff --git a/proto/state.pb.go b/proto/state.pb.go index c9d74b53..af9535fa 100644 --- a/proto/state.pb.go +++ b/proto/state.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.26.0 -// protoc v3.21.6 +// protoc v3.21.12 // source: state.proto package proto diff --git a/proto/token.pb.go b/proto/token.pb.go index 0bdc1068..e814a950 100644 --- a/proto/token.pb.go +++ b/proto/token.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.26.0 -// protoc v3.21.6 +// protoc v3.21.12 // source: token.proto package proto diff --git a/proto/vts.pb.go b/proto/vts.pb.go index 613fc7d3..36e16e8c 100644 --- a/proto/vts.pb.go +++ b/proto/vts.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.26.0 -// protoc v3.21.6 +// protoc v3.21.12 // source: vts.proto package proto diff --git a/scheme/README.md b/scheme/README.md index d7ea8b5e..f6a44c29 100644 --- a/scheme/README.md +++ b/scheme/README.md @@ -20,10 +20,12 @@ schemes. Currently the following schemes are implemented: > for how to convert them to the new framework. Supporting a new attestation scheme requires defining how to provision -endorsements (if any) and how to process evidence tokens. The former is done by -implementing [`IEndorsementHandler`](../decoder/iendorsementdecoder.go), and the -latter by implementing [`IEvidenceHandler`](../decoder/ievidencedecoder.go). -Finally, an executable should be created that [registers](../decoder/plugin.go) +endorsements (if any) by implementing [`IEndorsementHandler`](../handler/iendorsementhandler.go), +how to process evidence tokens by implementing [`IEvidenceHandler`](../handler/ievidencehandler.go) and +defining the suitable store interface [`IStoreHandler`](../handler/istorehandler.go) +required by both `IEndorsementHandler` & `IEvidenceHandler`. + +Finally, an executable should be created that [registers](../handler/plugin.go) and serves them. ``` @@ -46,10 +48,16 @@ type MyEndrosementHandler struct {} // Implementation of IEndrosementHandler for MyEndrosementHandler // ... +type MyStoreHandler struct {} + +// ... +// Implementation of IStoreHandler for MyStoreHandler +// ... func main() { handler.RegisterEndorsementHandler(&MyEndorsementHandler{}) handler.RegisterEvidenceHandler(&MyEvidenceHandler{}) + handler.RegisterStoreHandler(&MyStoreHandler{}) plugin.Serve() } diff --git a/scheme/cca-ssd-platform/evidence_handler.go b/scheme/cca-ssd-platform/evidence_handler.go index 123ad822..ef3d099a 100644 --- a/scheme/cca-ssd-platform/evidence_handler.go +++ b/scheme/cca-ssd-platform/evidence_handler.go @@ -1,4 +1,4 @@ -// Copyright 2021-2023 Contributors to the Veraison project. +// Copyright 2021-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package cca_ssd_platform @@ -33,27 +33,6 @@ func (s EvidenceHandler) GetSupportedMediaTypes() []string { return EvidenceMediaTypes } -func (s EvidenceHandler) SynthKeysFromRefValue( - tenantID string, - refVal *handler.Endorsement, -) ([]string, error) { - return arm.SynthKeysFromRefValue(SchemeName, tenantID, refVal) - -} - -func (s EvidenceHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) { - - return arm.SynthKeysFromTrustAnchors(SchemeName, tenantID, ta) -} - -func (s EvidenceHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { - ta, err := arm.GetTrustAnchorID(SchemeName, token) - if err != nil { - return []string{""}, err - } - return []string{ta}, nil -} - func (s EvidenceHandler) ExtractClaims( token *proto.AttestationToken, trustAnchors []string, diff --git a/scheme/cca-ssd-platform/evidence_handler_test.go b/scheme/cca-ssd-platform/evidence_handler_test.go index da740ace..fb4b6936 100644 --- a/scheme/cca-ssd-platform/evidence_handler_test.go +++ b/scheme/cca-ssd-platform/evidence_handler_test.go @@ -1,4 +1,4 @@ -// Copyright 2021-2023 Contributors to the Veraison project. +// Copyright 2021-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package cca_ssd_platform @@ -12,71 +12,9 @@ import ( "github.com/stretchr/testify/require" "github.com/veraison/ear" - "github.com/veraison/services/handler" "github.com/veraison/services/proto" ) -var testNonce = []byte{ - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, - 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, -} - -func Test_GetTrustAnchorIDs_ok(t *testing.T) { - tokenBytes, err := os.ReadFile("test/cca-token.cbor") - require.NoError(t, err) - - token := proto.AttestationToken{ - TenantId: "1", - Data: tokenBytes, - Nonce: testNonce, - } - - expectedTaID := []string{"CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC"} - - scheme := &EvidenceHandler{} - - taID, err := scheme.GetTrustAnchorIDs(&token) - require.NoError(t, err) - assert.Equal(t, expectedTaID, taID) -} - -func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/ta-endorsements.json") - require.NoError(t, err) - - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := "CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI" - - scheme := &EvidenceHandler{} - key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) - -} - -func Test_SynthKeysFromRefValue_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/refval-endorsements.json") - require.NoError(t, err) - - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := "CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - - scheme := &EvidenceHandler{} - key_list, err := scheme.SynthKeysFromRefValue("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) -} - func Test_AppraiseEvidence_ok(t *testing.T) { // nolint: dupl extractedBytes, err := os.ReadFile("test/extracted.json") require.NoError(t, err) diff --git a/scheme/cca-ssd-platform/plugin/Makefile b/scheme/cca-ssd-platform/plugin/Makefile index 37f7dc14..33a74ffc 100644 --- a/scheme/cca-ssd-platform/plugin/Makefile +++ b/scheme/cca-ssd-platform/plugin/Makefile @@ -2,6 +2,7 @@ ifndef COMBINED_PLUGINS SUBDIR += endorsement-handler SUBDIR += evidence-handler + SUBDIR += store-handler else SUBDIR += combined endif diff --git a/scheme/cca-ssd-platform/plugin/combined/main.go b/scheme/cca-ssd-platform/plugin/combined/main.go index 57db6987..1bf088c9 100644 --- a/scheme/cca-ssd-platform/plugin/combined/main.go +++ b/scheme/cca-ssd-platform/plugin/combined/main.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package main @@ -11,5 +11,6 @@ import ( func main() { handler.RegisterEndorsementHandler(&scheme.EndorsementHandler{}) handler.RegisterEvidenceHandler(&scheme.EvidenceHandler{}) + handler.RegisterStoreHandler(&scheme.StoreHandler{}) plugin.Serve() } diff --git a/scheme/cca-ssd-platform/plugin/store-handler/Makefile b/scheme/cca-ssd-platform/plugin/store-handler/Makefile new file mode 100644 index 00000000..b8571ede --- /dev/null +++ b/scheme/cca-ssd-platform/plugin/store-handler/Makefile @@ -0,0 +1,11 @@ +# Copyright 2024 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../../../bin/cca-store-handler.plugin +GOPKG := github.com/veraison/services/scheme/cca-ssd-platform +SRCS := main.go + +include ../../../../mk/common.mk +include ../../../../mk/plugin.mk +include ../../../../mk/lint.mk +include ../../../../mk/test.mk diff --git a/scheme/cca-ssd-platform/plugin/store-handler/main.go b/scheme/cca-ssd-platform/plugin/store-handler/main.go new file mode 100644 index 00000000..be166510 --- /dev/null +++ b/scheme/cca-ssd-platform/plugin/store-handler/main.go @@ -0,0 +1,14 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package main + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/plugin" + scheme "github.com/veraison/services/scheme/cca-ssd-platform" +) + +func main() { + handler.RegisterStoreHandler(&scheme.StoreHandler{}) + plugin.Serve() +} diff --git a/scheme/cca-ssd-platform/store_handler.go b/scheme/cca-ssd-platform/store_handler.go new file mode 100644 index 00000000..887e6cc4 --- /dev/null +++ b/scheme/cca-ssd-platform/store_handler.go @@ -0,0 +1,45 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 + +package cca_ssd_platform + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/proto" + "github.com/veraison/services/scheme/common/arm" +) + +type StoreHandler struct{} + +func (s StoreHandler) GetName() string { + return "cca-store-handler" +} + +func (s StoreHandler) GetAttestationScheme() string { + return SchemeName +} + +func (s StoreHandler) GetSupportedMediaTypes() []string { + return nil +} + +func (s StoreHandler) SynthKeysFromRefValue( + tenantID string, + refVal *handler.Endorsement, +) ([]string, error) { + return arm.SynthKeysFromRefValue(SchemeName, tenantID, refVal) + +} + +func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) { + + return arm.SynthKeysFromTrustAnchors(SchemeName, tenantID, ta) +} + +func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { + ta, err := arm.GetTrustAnchorID(SchemeName, token) + if err != nil { + return []string{""}, err + } + return []string{ta}, nil +} diff --git a/scheme/cca-ssd-platform/store_handler_test.go b/scheme/cca-ssd-platform/store_handler_test.go new file mode 100644 index 00000000..9b61c6ea --- /dev/null +++ b/scheme/cca-ssd-platform/store_handler_test.go @@ -0,0 +1,77 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 + +package cca_ssd_platform + +import ( + "encoding/json" + "os" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veraison/services/handler" + "github.com/veraison/services/proto" +) + +var testNonce = []byte{ + 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, + 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, + 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, + 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, + 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, + 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, + 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, + 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, 0x41, 0x42, +} + +func Test_GetTrustAnchorIDs_ok(t *testing.T) { + tokenBytes, err := os.ReadFile("test/cca-token.cbor") + require.NoError(t, err) + + token := proto.AttestationToken{ + TenantId: "1", + Data: tokenBytes, + Nonce: testNonce, + } + + expectedTaID := []string{"CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC"} + + scheme := &StoreHandler{} + + taID, err := scheme.GetTrustAnchorIDs(&token) + require.NoError(t, err) + assert.Equal(t, expectedTaID, taID) +} + +func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) { + endorsementsBytes, err := os.ReadFile("test/ta-endorsements.json") + require.NoError(t, err) + + var endors handler.Endorsement + err = json.Unmarshal(endorsementsBytes, &endors) + require.NoError(t, err) + expectedKey := "CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI" + + scheme := &StoreHandler{} + key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors) + require.NoError(t, err) + assert.Equal(t, expectedKey, key_list[0]) + +} + +func Test_SynthKeysFromRefValue_ok(t *testing.T) { + endorsementsBytes, err := os.ReadFile("test/refval-endorsements.json") + require.NoError(t, err) + + var endors handler.Endorsement + err = json.Unmarshal(endorsementsBytes, &endors) + require.NoError(t, err) + expectedKey := "CCA_SSD_PLATFORM://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" + + scheme := &StoreHandler{} + key_list, err := scheme.SynthKeysFromRefValue("1", &endors) + require.NoError(t, err) + assert.Equal(t, expectedKey, key_list[0]) +} diff --git a/scheme/parsec-cca/evidence_handler_test.go b/scheme/parsec-cca/evidence_handler_test.go index 9f93ef50..5c92cd8a 100644 --- a/scheme/parsec-cca/evidence_handler_test.go +++ b/scheme/parsec-cca/evidence_handler_test.go @@ -1,4 +1,4 @@ -// Copyright 2023 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package parsec_cca @@ -12,28 +12,9 @@ import ( "github.com/stretchr/testify/require" "github.com/veraison/ear" - "github.com/veraison/services/handler" "github.com/veraison/services/proto" ) -func Test_GetTrustAnchorIDs_ok(t *testing.T) { - tokenBytes, err := os.ReadFile("test/evidence/evidence.cbor") - require.NoError(t, err) - - token := proto.AttestationToken{ - TenantId: "1", - Data: tokenBytes, - } - - expectedTaID := "PARSEC_CCA://1/f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=/AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY" - - handler := &EvidenceHandler{} - - taIDs, err := handler.GetTrustAnchorIDs(&token) - require.NoError(t, err) - assert.Equal(t, expectedTaID, taIDs[0]) -} - func Test_ExtractClaims_ok(t *testing.T) { tokenBytes, err := os.ReadFile("test/evidence/evidence.cbor") require.NoError(t, err) @@ -206,37 +187,6 @@ func Test_AppraiseEvidence_ok(t *testing.T) { assert.Equal(t, attestation.TrustVector.Configuration, ear.ApprovedConfigClaim) } -func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/evidence/ta_endorsements.json") - require.NoError(t, err) - - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := "PARSEC_CCA://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI" - - scheme := &EvidenceHandler{} - key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) - -} - -func Test_SynthKeysFromRefValue_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/evidence/refval_endorsement.json") - require.NoError(t, err) - - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := "PARSEC_CCA://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - - scheme := &EvidenceHandler{} - key_list, err := scheme.SynthKeysFromRefValue("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) -} - func Test_GetName_ok(t *testing.T) { scheme := &EvidenceHandler{} expectedName := "parsec-cca-evidence-handler" diff --git a/scheme/parsec-cca/plugin/Makefile b/scheme/parsec-cca/plugin/Makefile index 3f2ad321..b05ea59a 100644 --- a/scheme/parsec-cca/plugin/Makefile +++ b/scheme/parsec-cca/plugin/Makefile @@ -4,6 +4,7 @@ ifndef COMBINED_PLUGINS SUBDIR += endorsement-handler SUBDIR += evidence-handler + SUBDIR += store-handler else SUBDIR += combined endif diff --git a/scheme/parsec-cca/plugin/combined/main.go b/scheme/parsec-cca/plugin/combined/main.go index 4e83285a..769fae7d 100644 --- a/scheme/parsec-cca/plugin/combined/main.go +++ b/scheme/parsec-cca/plugin/combined/main.go @@ -1,4 +1,4 @@ -// Copyright 2023 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package main @@ -11,5 +11,6 @@ import ( func main() { handler.RegisterEndorsementHandler(&scheme.EndorsementHandler{}) handler.RegisterEvidenceHandler(&scheme.EvidenceHandler{}) + handler.RegisterStoreHandler(&scheme.StoreHandler{}) plugin.Serve() } diff --git a/scheme/parsec-cca/plugin/store-handler/Makefile b/scheme/parsec-cca/plugin/store-handler/Makefile new file mode 100644 index 00000000..ccfd3512 --- /dev/null +++ b/scheme/parsec-cca/plugin/store-handler/Makefile @@ -0,0 +1,11 @@ +# Copyright 2024 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../../../bin/parsec-cca-store-handler.plugin +GOPKG := github.com/veraison/services/scheme/parsec-cca +SRCS := main.go + +include ../../../../mk/common.mk +include ../../../../mk/plugin.mk +include ../../../../mk/lint.mk +include ../../../../mk/test.mk diff --git a/scheme/parsec-cca/plugin/store-handler/main.go b/scheme/parsec-cca/plugin/store-handler/main.go new file mode 100644 index 00000000..7f57556c --- /dev/null +++ b/scheme/parsec-cca/plugin/store-handler/main.go @@ -0,0 +1,14 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package main + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/plugin" + scheme "github.com/veraison/services/scheme/parsec-cca" +) + +func main() { + handler.RegisterStoreHandler(&scheme.StoreHandler{}) + plugin.Serve() +} diff --git a/scheme/parsec-cca/store_handler.go b/scheme/parsec-cca/store_handler.go new file mode 100644 index 00000000..9d909c15 --- /dev/null +++ b/scheme/parsec-cca/store_handler.go @@ -0,0 +1,44 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package parsec_cca + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/proto" + "github.com/veraison/services/scheme/common/arm" +) + +type StoreHandler struct{} + +func (s StoreHandler) GetName() string { + return "parsec-cca-store-handler" +} + +func (s StoreHandler) GetAttestationScheme() string { + return SchemeName +} + +func (s StoreHandler) GetSupportedMediaTypes() []string { + return nil +} + +func (s StoreHandler) SynthKeysFromRefValue( + tenantID string, + refVal *handler.Endorsement, +) ([]string, error) { + + return arm.SynthKeysFromRefValue(SchemeName, tenantID, refVal) +} + +func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) { + + return arm.SynthKeysFromTrustAnchors(SchemeName, tenantID, ta) +} + +func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { + ta, err := arm.GetTrustAnchorID(SchemeName, token) + if err != nil { + return []string{""}, err + } + return []string{ta}, nil +} diff --git a/scheme/parsec-cca/store_handler_test.go b/scheme/parsec-cca/store_handler_test.go new file mode 100644 index 00000000..ed254cde --- /dev/null +++ b/scheme/parsec-cca/store_handler_test.go @@ -0,0 +1,64 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package parsec_cca + +import ( + "encoding/json" + "os" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veraison/services/handler" + "github.com/veraison/services/proto" +) + +func Test_GetTrustAnchorIDs_ok(t *testing.T) { + tokenBytes, err := os.ReadFile("test/evidence/evidence.cbor") + require.NoError(t, err) + + token := proto.AttestationToken{ + TenantId: "1", + Data: tokenBytes, + } + + expectedTaID := "PARSEC_CCA://1/f0VMRgIBAQAAAAAAAAAAAAMAPgABAAAAUFgAAAAAAAA=/AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY" + + handler := &StoreHandler{} + + taIDs, err := handler.GetTrustAnchorIDs(&token) + require.NoError(t, err) + assert.Equal(t, expectedTaID, taIDs[0]) +} + +func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) { + endorsementsBytes, err := os.ReadFile("test/evidence/ta_endorsements.json") + require.NoError(t, err) + + var endors handler.Endorsement + err = json.Unmarshal(endorsementsBytes, &endors) + require.NoError(t, err) + expectedKey := "PARSEC_CCA://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=/Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI" + + scheme := &StoreHandler{} + key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors) + require.NoError(t, err) + assert.Equal(t, expectedKey, key_list[0]) + +} + +func Test_SynthKeysFromRefValue_ok(t *testing.T) { + endorsementsBytes, err := os.ReadFile("test/evidence/refval_endorsement.json") + require.NoError(t, err) + + var endors handler.Endorsement + err = json.Unmarshal(endorsementsBytes, &endors) + require.NoError(t, err) + expectedKey := "PARSEC_CCA://1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" + + scheme := &StoreHandler{} + key_list, err := scheme.SynthKeysFromRefValue("1", &endors) + require.NoError(t, err) + assert.Equal(t, expectedKey, key_list[0]) +} diff --git a/scheme/parsec-tpm/corim_test_vectors.go b/scheme/parsec-tpm/corim_test_vectors.go index f36ab2e3..7335416d 100644 --- a/scheme/parsec-tpm/corim_test_vectors.go +++ b/scheme/parsec-tpm/corim_test_vectors.go @@ -1,3 +1,5 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 package parsec_tpm // automatically generated from: diff --git a/scheme/parsec-tpm/evidence_handler_test.go b/scheme/parsec-tpm/evidence_handler_test.go index b8b6f580..f87395ee 100644 --- a/scheme/parsec-tpm/evidence_handler_test.go +++ b/scheme/parsec-tpm/evidence_handler_test.go @@ -1,4 +1,4 @@ -// Copyright 2023 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package parsec_tpm @@ -11,28 +11,9 @@ import ( "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" - "github.com/veraison/services/handler" "github.com/veraison/services/proto" ) -func Test_GetTrustAnchorIDs_ok(t *testing.T) { - tokenBytes, err := os.ReadFile("test/evidence/evidence.cbor") - require.NoError(t, err) - - token := proto.AttestationToken{ - TenantId: "1", - Data: tokenBytes, - } - - expectedTaID := "PARSEC_TPM://1/AYiFVFnuuemzSkbrSMs58vaqadoEUioybRI9XFAfziEM" - - handler := &EvidenceHandler{} - - taIDs, err := handler.GetTrustAnchorIDs(&token) - require.NoError(t, err) - assert.Equal(t, []string{expectedTaID}, taIDs) -} - func Test_ExtractClaims_ok(t *testing.T) { tokenBytes, err := os.ReadFile("test/evidence/evidence.cbor") require.NoError(t, err) @@ -224,37 +205,6 @@ func Test_AppraiseEvidence_ok(t *testing.T) { require.NoError(t, err) } -func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/evidence/ta_endorsements.json") - require.NoError(t, err) - - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := "PARSEC_TPM://1/AagIEsUMYDNxd1p5UuAACkxJGfJf9rcUZ/oyRFHDcAxn" - - scheme := &EvidenceHandler{} - key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) - -} - -func Test_SynthKeysFromRefValue_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/evidence/refval-endorsements.json") - require.NoError(t, err) - - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := "PARSEC_TPM://1/cd1f0e55-26f9-460d-b9d8-f7fde171787c" - - scheme := &EvidenceHandler{} - key_list, err := scheme.SynthKeysFromRefValue("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) -} - func Test_GetName_ok(t *testing.T) { scheme := &EvidenceHandler{} expectedName := "parsec-tpm-evidence-handler" diff --git a/scheme/parsec-tpm/plugin/Makefile b/scheme/parsec-tpm/plugin/Makefile index 3f2ad321..fc79bb8d 100644 --- a/scheme/parsec-tpm/plugin/Makefile +++ b/scheme/parsec-tpm/plugin/Makefile @@ -1,9 +1,10 @@ -# Copyright 2023 Contributors to the Veraison project. +# Copyright 2024 Contributors to the Veraison project. # SPDX-License-Identifier: Apache-2.0 ifndef COMBINED_PLUGINS SUBDIR += endorsement-handler SUBDIR += evidence-handler + SUBDIR += store-handler else SUBDIR += combined endif diff --git a/scheme/parsec-tpm/plugin/combined/main.go b/scheme/parsec-tpm/plugin/combined/main.go index 7ecf5f9e..7c44e4f1 100644 --- a/scheme/parsec-tpm/plugin/combined/main.go +++ b/scheme/parsec-tpm/plugin/combined/main.go @@ -1,4 +1,4 @@ -// Copyright 2023 Contributors to the Veraison project. +// Copyright 2023-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package main @@ -11,5 +11,6 @@ import ( func main() { handler.RegisterEndorsementHandler(&scheme.EndorsementHandler{}) handler.RegisterEvidenceHandler(&scheme.EvidenceHandler{}) + handler.RegisterStoreHandler(&scheme.StoreHandler{}) plugin.Serve() } diff --git a/scheme/parsec-tpm/plugin/store-handler/Makefile b/scheme/parsec-tpm/plugin/store-handler/Makefile new file mode 100644 index 00000000..cb8b47c8 --- /dev/null +++ b/scheme/parsec-tpm/plugin/store-handler/Makefile @@ -0,0 +1,11 @@ +# Copyright 2024 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../../../bin/parsec-tpm-store-handler.plugin +GOPKG := github.com/veraison/services/scheme/parsec-tpm +SRCS := main.go + +include ../../../../mk/common.mk +include ../../../../mk/plugin.mk +include ../../../../mk/lint.mk +include ../../../../mk/test.mk diff --git a/scheme/parsec-tpm/plugin/store-handler/main.go b/scheme/parsec-tpm/plugin/store-handler/main.go new file mode 100644 index 00000000..8d6ffeb2 --- /dev/null +++ b/scheme/parsec-tpm/plugin/store-handler/main.go @@ -0,0 +1,14 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package main + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/plugin" + scheme "github.com/veraison/services/scheme/parsec-tpm" +) + +func main() { + handler.RegisterStoreHandler(&scheme.StoreHandler{}) + plugin.Serve() +} diff --git a/scheme/parsec-tpm/store_handler.go b/scheme/parsec-tpm/store_handler.go new file mode 100644 index 00000000..88199684 --- /dev/null +++ b/scheme/parsec-tpm/store_handler.go @@ -0,0 +1,51 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package parsec_tpm + +import ( + "encoding/base64" + "errors" + + "github.com/veraison/parsec/tpm" + "github.com/veraison/services/handler" + "github.com/veraison/services/proto" +) + +type StoreHandler struct{} + +func (s StoreHandler) GetName() string { + return "parsec-tpm-store-handler" +} + +func (s StoreHandler) GetAttestationScheme() string { + return SchemeName +} + +func (s StoreHandler) GetSupportedMediaTypes() []string { + return nil +} + +func (s StoreHandler) SynthKeysFromRefValue(tenantID string, refVals *handler.Endorsement) ([]string, error) { + return synthKeysFromAttr(ScopeRefValues, tenantID, refVals.Attributes) +} + +func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) { + return synthKeysFromAttr(ScopeTrustAnchor, tenantID, ta.Attributes) +} + +func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { + var ev tpm.Evidence + err := ev.FromCBOR(token.Data) + if err != nil { + return []string{""}, handler.BadEvidence(err) + } + + kat := ev.Kat + if kat == nil { + return []string{""}, errors.New("no key attestation token to fetch Key ID") + } + kid := *kat.KID + instance_id := base64.StdEncoding.EncodeToString(kid) + return []string{tpmLookupKey(ScopeTrustAnchor, token.TenantId, "", instance_id)}, nil + +} diff --git a/scheme/parsec-tpm/store_handler_test.go b/scheme/parsec-tpm/store_handler_test.go new file mode 100644 index 00000000..26ff2d64 --- /dev/null +++ b/scheme/parsec-tpm/store_handler_test.go @@ -0,0 +1,64 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package parsec_tpm + +import ( + "encoding/json" + "os" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veraison/services/handler" + "github.com/veraison/services/proto" +) + +func Test_GetTrustAnchorIDs_ok(t *testing.T) { + tokenBytes, err := os.ReadFile("test/evidence/evidence.cbor") + require.NoError(t, err) + + token := proto.AttestationToken{ + TenantId: "1", + Data: tokenBytes, + } + + expectedTaID := "PARSEC_TPM://1/AYiFVFnuuemzSkbrSMs58vaqadoEUioybRI9XFAfziEM" + + handler := &StoreHandler{} + + taIDs, err := handler.GetTrustAnchorIDs(&token) + require.NoError(t, err) + assert.Equal(t, []string{expectedTaID}, taIDs) +} + +func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) { + endorsementsBytes, err := os.ReadFile("test/evidence/ta_endorsements.json") + require.NoError(t, err) + + var endors handler.Endorsement + err = json.Unmarshal(endorsementsBytes, &endors) + require.NoError(t, err) + expectedKey := "PARSEC_TPM://1/AagIEsUMYDNxd1p5UuAACkxJGfJf9rcUZ/oyRFHDcAxn" + + scheme := &StoreHandler{} + key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors) + require.NoError(t, err) + assert.Equal(t, expectedKey, key_list[0]) + +} + +func Test_SynthKeysFromRefValue_ok(t *testing.T) { + endorsementsBytes, err := os.ReadFile("test/evidence/refval-endorsements.json") + require.NoError(t, err) + + var endors handler.Endorsement + err = json.Unmarshal(endorsementsBytes, &endors) + require.NoError(t, err) + expectedKey := "PARSEC_TPM://1/cd1f0e55-26f9-460d-b9d8-f7fde171787c" + + scheme := &StoreHandler{} + key_list, err := scheme.SynthKeysFromRefValue("1", &endors) + require.NoError(t, err) + assert.Equal(t, expectedKey, key_list[0]) +} diff --git a/scheme/psa-iot/evidence_handler.go b/scheme/psa-iot/evidence_handler.go index ece14f50..d2a2e26c 100644 --- a/scheme/psa-iot/evidence_handler.go +++ b/scheme/psa-iot/evidence_handler.go @@ -1,4 +1,4 @@ -// Copyright 2021-2023 Contributors to the Veraison project. +// Copyright 2021-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package psa_iot @@ -31,28 +31,6 @@ func (s EvidenceHandler) GetSupportedMediaTypes() []string { return EvidenceMediaTypes } -func (s EvidenceHandler) SynthKeysFromRefValue( - tenantID string, - refValue *handler.Endorsement, -) ([]string, error) { - - return arm.SynthKeysFromRefValue(SchemeName, tenantID, refValue) -} - -func (s EvidenceHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) { - - return arm.SynthKeysFromTrustAnchors(SchemeName, tenantID, ta) -} - -func (s EvidenceHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { - taID, err := arm.GetTrustAnchorID(SchemeName, token) - if err != nil { - return []string{""}, err - } - - return []string{taID}, nil -} - func (s EvidenceHandler) ExtractClaims( token *proto.AttestationToken, trustAnchors []string, diff --git a/scheme/psa-iot/evidence_handler_test.go b/scheme/psa-iot/evidence_handler_test.go index 9c138454..4ddd214b 100644 --- a/scheme/psa-iot/evidence_handler_test.go +++ b/scheme/psa-iot/evidence_handler_test.go @@ -1,4 +1,4 @@ -// Copyright 2021-2023 Contributors to the Veraison project. +// Copyright 2021-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package psa_iot @@ -21,26 +21,6 @@ var testNonce = []byte{ 0x1f, 0x1e, 0x1d, 0x1c, 0x1b, 0x1a, 0x19, 0x18, } -func Test_GetTrustAnchorIDs_ok(t *testing.T) { - tokenBytes, err := os.ReadFile("test/psa-token.cbor") - require.NoError(t, err) - - token := proto.AttestationToken{ - TenantId: "1", - Data: tokenBytes, - Nonce: testNonce, - } - - expectedTaID := "PSA_IOT://1/BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=/AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY" - - handler := &EvidenceHandler{} - - taIDs, err := handler.GetTrustAnchorIDs(&token) - require.NoError(t, err) - assert.Equal(t, 1, len(taIDs)) - assert.Equal(t, expectedTaID, taIDs[0]) -} - func Test_ExtractVerifiedClaimsInteg_ok(t *testing.T) { tokenBytes, err := os.ReadFile("test/psaintegtoken.cbor") require.NoError(t, err) diff --git a/scheme/psa-iot/plugin/Makefile b/scheme/psa-iot/plugin/Makefile index 37f7dc14..33a74ffc 100644 --- a/scheme/psa-iot/plugin/Makefile +++ b/scheme/psa-iot/plugin/Makefile @@ -2,6 +2,7 @@ ifndef COMBINED_PLUGINS SUBDIR += endorsement-handler SUBDIR += evidence-handler + SUBDIR += store-handler else SUBDIR += combined endif diff --git a/scheme/psa-iot/plugin/combined/main.go b/scheme/psa-iot/plugin/combined/main.go index 378a103d..e1a33e49 100644 --- a/scheme/psa-iot/plugin/combined/main.go +++ b/scheme/psa-iot/plugin/combined/main.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package main @@ -11,5 +11,6 @@ import ( func main() { handler.RegisterEndorsementHandler(&scheme.EndorsementHandler{}) handler.RegisterEvidenceHandler(&scheme.EvidenceHandler{}) + handler.RegisterStoreHandler(&scheme.StoreHandler{}) plugin.Serve() } diff --git a/scheme/psa-iot/plugin/store-handler/Makefile b/scheme/psa-iot/plugin/store-handler/Makefile new file mode 100644 index 00000000..174feb7e --- /dev/null +++ b/scheme/psa-iot/plugin/store-handler/Makefile @@ -0,0 +1,11 @@ +# Copyright 2024 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../../../bin/psa-store-handler.plugin +GOPKG := github.com/veraison/services/scheme/psa-iot +SRCS := main.go + +include ../../../../mk/common.mk +include ../../../../mk/plugin.mk +include ../../../../mk/lint.mk +include ../../../../mk/test.mk diff --git a/scheme/psa-iot/plugin/store-handler/main.go b/scheme/psa-iot/plugin/store-handler/main.go new file mode 100644 index 00000000..abf120ba --- /dev/null +++ b/scheme/psa-iot/plugin/store-handler/main.go @@ -0,0 +1,14 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package main + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/plugin" + scheme "github.com/veraison/services/scheme/psa-iot" +) + +func main() { + handler.RegisterStoreHandler(&scheme.StoreHandler{}) + plugin.Serve() +} diff --git a/scheme/psa-iot/store_handler.go b/scheme/psa-iot/store_handler.go new file mode 100644 index 00000000..c60d18e2 --- /dev/null +++ b/scheme/psa-iot/store_handler.go @@ -0,0 +1,44 @@ +// Copyright 2021-2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 + +package psa_iot + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/proto" + "github.com/veraison/services/scheme/common/arm" +) + +type StoreHandler struct{} + +func (s StoreHandler) GetName() string { + return "psa-store-handler" +} + +func (s StoreHandler) GetAttestationScheme() string { + return SchemeName +} + +func (s StoreHandler) GetSupportedMediaTypes() []string { + return nil +} + +func (s StoreHandler) SynthKeysFromRefValue( + tenantID string, + refValue *handler.Endorsement, +) ([]string, error) { + return arm.SynthKeysFromRefValue(SchemeName, tenantID, refValue) +} + +func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) { + return arm.SynthKeysFromTrustAnchors(SchemeName, tenantID, ta) +} + +func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { + taID, err := arm.GetTrustAnchorID(SchemeName, token) + if err != nil { + return []string{""}, err + } + + return []string{taID}, nil +} diff --git a/scheme/psa-iot/store_handler_test.go b/scheme/psa-iot/store_handler_test.go new file mode 100644 index 00000000..789f1a25 --- /dev/null +++ b/scheme/psa-iot/store_handler_test.go @@ -0,0 +1,67 @@ +// Copyright 2021-2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 + +package psa_iot + +import ( + "encoding/json" + "os" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/veraison/services/handler" + "github.com/veraison/services/proto" +) + +func Test_GetTrustAnchorIDs_ok(t *testing.T) { + tokenBytes, err := os.ReadFile("test/psa-token.cbor") + require.NoError(t, err) + + token := proto.AttestationToken{ + TenantId: "1", + Data: tokenBytes, + Nonce: testNonce, + } + + expectedTaID := "PSA_IOT://1/BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=/AQcGBQQDAgEADw4NDAsKCQgXFhUUExIREB8eHRwbGhkY" + + handler := &StoreHandler{} + + taIDs, err := handler.GetTrustAnchorIDs(&token) + require.NoError(t, err) + assert.Equal(t, 1, len(taIDs)) + assert.Equal(t, expectedTaID, taIDs[0]) +} + +func Test_SynthKeysFromTrustAnchor_ok(t *testing.T) { + endorsementsBytes, err := os.ReadFile("test/ta-endorsements.json") + require.NoError(t, err) + + var endors handler.Endorsement + err = json.Unmarshal(endorsementsBytes, &endors) + require.NoError(t, err) + expectedKey := "PSA_IOT://1/76543210fedcba9817161514131211101f1e1d1c1b1a1918/Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI" + + scheme := &StoreHandler{} + key_list, err := scheme.SynthKeysFromTrustAnchor("1", &endors) + require.NoError(t, err) + assert.Equal(t, expectedKey, key_list[0]) + +} + +func Test_SynthKeysFromRefValue_ok(t *testing.T) { + endorsementsBytes, err := os.ReadFile("test/endorsements.json") + require.NoError(t, err) + + var endors handler.Endorsement + err = json.Unmarshal(endorsementsBytes, &endors) + require.NoError(t, err) + expectedKey := "PSA_IOT://1/76543210fedcba9817161514131211101f1e1d1c1b1a1918" + + scheme := &StoreHandler{} + key_list, err := scheme.SynthKeysFromRefValue("1", &endors) + require.NoError(t, err) + assert.Equal(t, expectedKey, key_list[0]) +} diff --git a/scheme/psa-iot/test/endorsements.json b/scheme/psa-iot/test/endorsements.json index b083a33a..459eaebb 100644 --- a/scheme/psa-iot/test/endorsements.json +++ b/scheme/psa-iot/test/endorsements.json @@ -4,7 +4,7 @@ "attributes":{ "PSA_IOT.hw-model":"RoadRunner", "PSA_IOT.hw-vendor":"ACME", - "psa.impl-id":"76543210fedcba9817161514131211101f1e1d1c1b1a1918", + "PSA_IOT.impl-id":"76543210fedcba9817161514131211101f1e1d1c1b1a1918", "PSA_IOT.measurement-desc":"sha-256", "PSA_IOT.measurement-type":"BL", "PSA_IOT.measurement-value":"BwYFBAMCAQAPDg0MCwoJCBcWFRQTEhEQHx4dHBsaGRg=", diff --git a/scheme/psa-iot/test/ta-endorsements.json b/scheme/psa-iot/test/ta-endorsements.json index 942233aa..1f10799d 100644 --- a/scheme/psa-iot/test/ta-endorsements.json +++ b/scheme/psa-iot/test/ta-endorsements.json @@ -5,7 +5,7 @@ "attributes":{ "PSA_IOT.hw-model":"RoadRunner", "PSA_IOT.hw-vendor":"ACME", - "psa.impl-id":"76543210fedcba9817161514131211101f1e1d1c1b1a1918", + "PSA_IOT.impl-id":"76543210fedcba9817161514131211101f1e1d1c1b1a1918", "PSA_IOT.iak-pub":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETl4iCZ47zrRbRG0TVf0dw7VFlHtv\n18HInYhnmMNybo+A1wuECyVqrDSmLt4QQzZPBECV8ANHS5HgGCCSr7E/Lg==\n-----END PUBLIC KEY-----", "PSA_IOT.inst-id":"Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI" } diff --git a/scheme/psa-iot/test_vectors.go b/scheme/psa-iot/test_vectors.go index fc8f4a7e..bec29962 100644 --- a/scheme/psa-iot/test_vectors.go +++ b/scheme/psa-iot/test_vectors.go @@ -1,3 +1,5 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 package psa_iot // automatically generated from: diff --git a/scheme/riot/evidence_handler.go b/scheme/riot/evidence_handler.go index 82d6e4bc..bb2143df 100644 --- a/scheme/riot/evidence_handler.go +++ b/scheme/riot/evidence_handler.go @@ -1,4 +1,4 @@ -// Copyright 2021-2023 Contributors to the Veraison project. +// Copyright 2021-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package riot @@ -33,18 +33,6 @@ func (s EvidenceHandler) GetSupportedMediaTypes() []string { return EvidenceMediaTypes } -func (s EvidenceHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { - return []string{"dice://"}, nil -} - -func (s EvidenceHandler) SynthKeysFromRefValue(tenantID string, swComp *handler.Endorsement) ([]string, error) { - return nil, errors.New("TODO") -} - -func (s EvidenceHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) { - return nil, errors.New("TODO") -} - func (s EvidenceHandler) ExtractClaims( token *proto.AttestationToken, trustAnchors []string, diff --git a/scheme/riot/evidence_handler_test.go b/scheme/riot/evidence_handler_test.go index 64b7bc68..bb0ed0a1 100644 --- a/scheme/riot/evidence_handler_test.go +++ b/scheme/riot/evidence_handler_test.go @@ -1,4 +1,4 @@ -// Copyright 2021-2023 Contributors to the Veraison project. +// Copyright 2021-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package riot diff --git a/scheme/riot/plugin/Makefile b/scheme/riot/plugin/Makefile index 5f6a0deb..8375f5bb 100644 --- a/scheme/riot/plugin/Makefile +++ b/scheme/riot/plugin/Makefile @@ -1,6 +1,7 @@ ifndef COMBINED_PLUGINS SUBDIR += evidence-handler + SUBDIR += store-handler else SUBDIR += combined endif diff --git a/scheme/riot/plugin/combined/main.go b/scheme/riot/plugin/combined/main.go index 983a9704..d637ed3e 100644 --- a/scheme/riot/plugin/combined/main.go +++ b/scheme/riot/plugin/combined/main.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package main @@ -10,5 +10,6 @@ import ( func main() { handler.RegisterEvidenceHandler(&scheme.EvidenceHandler{}) + handler.RegisterStoreHandler(&scheme.StoreHandler{}) plugin.Serve() } diff --git a/scheme/riot/plugin/store-handler/Makefile b/scheme/riot/plugin/store-handler/Makefile new file mode 100644 index 00000000..cbaf5abe --- /dev/null +++ b/scheme/riot/plugin/store-handler/Makefile @@ -0,0 +1,11 @@ +# Copyright 2024 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../../../bin/riot.plugin +GOPKG := github.com/veraison/services/scheme/riot +SRCS := main.go + +include ../../../../mk/common.mk +include ../../../../mk/plugin.mk +include ../../../../mk/lint.mk +include ../../../../mk/test.mk diff --git a/scheme/riot/plugin/store-handler/main.go b/scheme/riot/plugin/store-handler/main.go new file mode 100644 index 00000000..905f3ea4 --- /dev/null +++ b/scheme/riot/plugin/store-handler/main.go @@ -0,0 +1,14 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package main + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/plugin" + scheme "github.com/veraison/services/scheme/riot" +) + +func main() { + handler.RegisterStoreHandler(&scheme.StoreHandler{}) + plugin.Serve() +} diff --git a/scheme/riot/store_handler.go b/scheme/riot/store_handler.go new file mode 100644 index 00000000..6fad429b --- /dev/null +++ b/scheme/riot/store_handler.go @@ -0,0 +1,38 @@ +// Copyright 2021-2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 + +package riot + +import ( + "errors" + + "github.com/veraison/services/handler" + "github.com/veraison/services/proto" +) + +type StoreHandler struct { +} + +func (s StoreHandler) GetName() string { + return "riot-store-handler" +} + +func (s StoreHandler) GetAttestationScheme() string { + return SchemeName +} + +func (s StoreHandler) GetSupportedMediaTypes() []string { + return nil +} + +func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { + return []string{"dice://"}, nil +} + +func (s StoreHandler) SynthKeysFromRefValue(tenantID string, swComp *handler.Endorsement) ([]string, error) { + return nil, errors.New("TODO") +} + +func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) { + return nil, errors.New("TODO") +} diff --git a/scheme/tpm-enacttrust/evidence_handler.go b/scheme/tpm-enacttrust/evidence_handler.go index 378f8919..b39e4a3d 100644 --- a/scheme/tpm-enacttrust/evidence_handler.go +++ b/scheme/tpm-enacttrust/evidence_handler.go @@ -1,4 +1,4 @@ -// Copyright 2021-2023 Contributors to the Veraison project. +// Copyright 2021-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package tpm_enacttrust @@ -32,44 +32,6 @@ func (s EvidenceHandler) GetSupportedMediaTypes() []string { return EvidenceMediaTypes } -func (s EvidenceHandler) SynthKeysFromRefValue( - tenantID string, - swComp *handler.Endorsement, -) ([]string, error) { - return synthKeysFromAttrs("software component", tenantID, swComp.Attributes) -} - -func (s EvidenceHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) { - return synthKeysFromAttrs("trust anchor", tenantID, ta.Attributes) -} - -func (s EvidenceHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { - supported := false - for _, mt := range EvidenceMediaTypes { - if token.MediaType == mt { - supported = true - break - } - } - - if !supported { - err := handler.BadEvidence( - "wrong media type: expect %q, but found %q", - strings.Join(EvidenceMediaTypes, ", "), - token.MediaType, - ) - return []string{""}, err - } - - var decoded Token - - if err := decoded.Decode(token.Data); err != nil { - return nil, handler.BadEvidence(err) - } - - return []string{tpmEnactTrustLookupKey(token.TenantId, decoded.NodeId.String())}, nil -} - func (s EvidenceHandler) ExtractClaims( token *proto.AttestationToken, trustAnchors []string, diff --git a/scheme/tpm-enacttrust/evidence_handler_test.go b/scheme/tpm-enacttrust/evidence_handler_test.go index 50335f6d..000ea145 100644 --- a/scheme/tpm-enacttrust/evidence_handler_test.go +++ b/scheme/tpm-enacttrust/evidence_handler_test.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package tpm_enacttrust @@ -27,23 +27,6 @@ func Test_DecodeAttestationData_ok(t *testing.T) { assert.Equal(t, uint64(0x7), decoded.AttestationData.FirmwareVersion) } -func Test_GetTrustAnchorIds_ok(t *testing.T) { - data, err := os.ReadFile("test/tokens/basic.token") - require.NoError(t, err) - - ta := proto.AttestationToken{ - TenantId: "0", - MediaType: "application/vnd.enacttrust.tpm-evidence", - Data: data, - } - - var s EvidenceHandler - - taIDs, err := s.GetTrustAnchorIDs(&ta) - require.NoError(t, err) - assert.Equal(t, "TPM_ENACTTRUST://0/7df7714e-aa04-4638-bcbf-434b1dd720f1", taIDs[0]) -} - func readPublicKeyBytes(path string) ([]byte, error) { buf, err := os.ReadFile(path) if err != nil { diff --git a/scheme/tpm-enacttrust/plugin/Makefile b/scheme/tpm-enacttrust/plugin/Makefile index 37f7dc14..33a74ffc 100644 --- a/scheme/tpm-enacttrust/plugin/Makefile +++ b/scheme/tpm-enacttrust/plugin/Makefile @@ -2,6 +2,7 @@ ifndef COMBINED_PLUGINS SUBDIR += endorsement-handler SUBDIR += evidence-handler + SUBDIR += store-handler else SUBDIR += combined endif diff --git a/scheme/tpm-enacttrust/plugin/combined/main.go b/scheme/tpm-enacttrust/plugin/combined/main.go index 824d9afc..e37a08a1 100644 --- a/scheme/tpm-enacttrust/plugin/combined/main.go +++ b/scheme/tpm-enacttrust/plugin/combined/main.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package main @@ -11,5 +11,6 @@ import ( func main() { handler.RegisterEndorsementHandler(&scheme.EndorsementHandler{}) handler.RegisterEvidenceHandler(&scheme.EvidenceHandler{}) + handler.RegisterStoreHandler(&scheme.StoreHandler{}) plugin.Serve() } diff --git a/scheme/tpm-enacttrust/plugin/store-handler/Makefile b/scheme/tpm-enacttrust/plugin/store-handler/Makefile new file mode 100644 index 00000000..2bd8a9ee --- /dev/null +++ b/scheme/tpm-enacttrust/plugin/store-handler/Makefile @@ -0,0 +1,11 @@ +# Copyright 2024 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../../../bin/tpm-enacttrust-store-handler.plugin +GOPKG := github.com/veraison/services/scheme/tpm-enacttrust +SRCS := main.go + +include ../../../../mk/common.mk +include ../../../../mk/plugin.mk +include ../../../../mk/lint.mk +include ../../../../mk/test.mk diff --git a/scheme/tpm-enacttrust/plugin/store-handler/main.go b/scheme/tpm-enacttrust/plugin/store-handler/main.go new file mode 100644 index 00000000..3722f960 --- /dev/null +++ b/scheme/tpm-enacttrust/plugin/store-handler/main.go @@ -0,0 +1,14 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package main + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/plugin" + scheme "github.com/veraison/services/scheme/tpm-enacttrust" +) + +func main() { + handler.RegisterStoreHandler(&scheme.StoreHandler{}) + plugin.Serve() +} diff --git a/scheme/tpm-enacttrust/store_handler.go b/scheme/tpm-enacttrust/store_handler.go new file mode 100644 index 00000000..5cc401c0 --- /dev/null +++ b/scheme/tpm-enacttrust/store_handler.go @@ -0,0 +1,64 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 + +package tpm_enacttrust + +import ( + "strings" + + "github.com/veraison/services/handler" + "github.com/veraison/services/proto" +) + +type StoreHandler struct { +} + +func (s StoreHandler) GetName() string { + return "tpm-enacttrust-store-handler" +} + +func (s StoreHandler) GetAttestationScheme() string { + return SchemeName +} + +func (s StoreHandler) GetSupportedMediaTypes() []string { + return nil +} + +func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { + supported := false + for _, mt := range EvidenceMediaTypes { + if token.MediaType == mt { + supported = true + break + } + } + + if !supported { + err := handler.BadEvidence( + "wrong media type: expect %q, but found %q", + strings.Join(EvidenceMediaTypes, ", "), + token.MediaType, + ) + return []string{""}, err + } + + var decoded Token + + if err := decoded.Decode(token.Data); err != nil { + return nil, handler.BadEvidence(err) + } + + return []string{tpmEnactTrustLookupKey(token.TenantId, decoded.NodeId.String())}, nil +} + +func (s StoreHandler) SynthKeysFromRefValue( + tenantID string, + swComp *handler.Endorsement, +) ([]string, error) { + return synthKeysFromAttrs("software component", tenantID, swComp.Attributes) +} + +func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) { + return synthKeysFromAttrs("trust anchor", tenantID, ta.Attributes) +} diff --git a/scheme/tpm-enacttrust/store_handler_test.go b/scheme/tpm-enacttrust/store_handler_test.go new file mode 100644 index 00000000..5b633a43 --- /dev/null +++ b/scheme/tpm-enacttrust/store_handler_test.go @@ -0,0 +1,29 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package tpm_enacttrust + +import ( + "os" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "github.com/veraison/services/proto" +) + +func Test_GetTrustAnchorIds_ok(t *testing.T) { + data, err := os.ReadFile("test/tokens/basic.token") + require.NoError(t, err) + + ta := proto.AttestationToken{ + TenantId: "0", + MediaType: "application/vnd.enacttrust.tpm-evidence", + Data: data, + } + + var s StoreHandler + + taIDs, err := s.GetTrustAnchorIDs(&ta) + require.NoError(t, err) + assert.Equal(t, "TPM_ENACTTRUST://0/7df7714e-aa04-4638-bcbf-434b1dd720f1", taIDs[0]) +} diff --git a/scheme/tpm-enacttrust/test_vectors.go b/scheme/tpm-enacttrust/test_vectors.go index b341b34c..775cdda5 100644 --- a/scheme/tpm-enacttrust/test_vectors.go +++ b/scheme/tpm-enacttrust/test_vectors.go @@ -1,3 +1,5 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 package tpm_enacttrust // automatically generated from ComidTpmEnactTrustAKOne.json diff --git a/verification/cmd/verification-service/README.md b/verification/cmd/verification-service/README.md index 8adc881e..51b8733a 100644 --- a/verification/cmd/verification-service/README.md +++ b/verification/cmd/verification-service/README.md @@ -10,7 +10,7 @@ configuration: ### Verification service configuration -- `listen-addr` (optional): the address, in the form `:` the provisioning +- `listen-addr` (optional): the address, in the form `:` the verification server will be listening on. If not specified, this defaults to `localhost:8080`. diff --git a/vts/cmd/vts-service/main.go b/vts/cmd/vts-service/main.go index 438ca683..7db9b3cc 100644 --- a/vts/cmd/vts-service/main.go +++ b/vts/cmd/vts-service/main.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package main @@ -66,6 +66,7 @@ func main() { log.Info("loading attestation schemes") var evPluginManager plugin.IManager[handler.IEvidenceHandler] var endPluginManager plugin.IManager[handler.IEndorsementHandler] + var storePluginManager plugin.IManager[handler.IStoreHandler] psubs, err := config.GetSubs(subs["plugin"], "*go-plugin", "*builtin") if err != nil { @@ -95,6 +96,14 @@ func main() { if err != nil { log.Fatalf("could not create endorsement PluginManagerWithLoader: %v", err) } + storePluginManager, err = plugin.CreateGoPluginManagerWithLoader( + loader, + "store-handler", + log.Named("plugin"), + handler.StoreHandlerRPC) + if err != nil { + log.Fatalf("could not create store PluginManagerWithLoader: %v", err) + } } else if config.SchemeLoader == "builtin" { loader, err := builtin.CreateBuiltinLoader( psubs["builtin"].AllSettings(), @@ -114,6 +123,12 @@ func main() { if err != nil { log.Fatalf("could not create BuiltinManagerWithLoader: %v", err) } + storePluginManager, err = builtin.CreateBuiltinManagerWithLoader[handler.IStoreHandler]( + loader, log.Named("builtin"), + "store-handler") + if err != nil { + log.Fatalf("could not create BuiltinManagerWithLoader: %v", err) + } } else { log.Panicw("invalid SchemeLoader value", "SchemeLoader", config.SchemeLoader) } @@ -136,11 +151,11 @@ func main() { log.Info("initializing service") // from this point onwards taStore, enStore, evPluginManager, endPluginManager, - // policyManager and earSigner are owned by vts + // storePluginManager, policyManager and earSigner are owned by vts vts := trustedservices.NewGRPC(taStore, enStore, - evPluginManager, endPluginManager, policyManager, earSigner, log.Named("vts")) + evPluginManager, endPluginManager, storePluginManager, policyManager, earSigner, log.Named("vts")) - if err = vts.Init(subs["vts"], evPluginManager, endPluginManager); err != nil { + if err = vts.Init(subs["vts"], evPluginManager, endPluginManager, storePluginManager); err != nil { log.Fatalf("VTS initialisation failed: %v", err) } diff --git a/vts/trustedservices/itrustedservices.go b/vts/trustedservices/itrustedservices.go index 30b8145d..e01f7946 100644 --- a/vts/trustedservices/itrustedservices.go +++ b/vts/trustedservices/itrustedservices.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package trustedservices @@ -10,7 +10,12 @@ import ( ) type ITrustedServices interface { - Init(cfg *viper.Viper, pm plugin.IManager[handler.IEvidenceHandler], em plugin.IManager[handler.IEndorsementHandler]) error + Init( + cfg *viper.Viper, + evm plugin.IManager[handler.IEvidenceHandler], + endm plugin.IManager[handler.IEndorsementHandler], + stm plugin.IManager[handler.IStoreHandler], + ) error Close() error Run() error diff --git a/vts/trustedservices/trustedservices_grpc.go b/vts/trustedservices/trustedservices_grpc.go index 3ff2088e..5b960f3b 100644 --- a/vts/trustedservices/trustedservices_grpc.go +++ b/vts/trustedservices/trustedservices_grpc.go @@ -1,4 +1,4 @@ -// Copyright 2022-2023 Contributors to the Veraison project. +// Copyright 2022-2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package trustedservices @@ -54,12 +54,13 @@ func NewGRPCConfig() *GRPCConfig { type GRPC struct { ServerAddress string - TaStore kvstore.IKVStore - EnStore kvstore.IKVStore - EvPluginManager plugin.IManager[handler.IEvidenceHandler] - EndPluginManager plugin.IManager[handler.IEndorsementHandler] - PolicyManager *policymanager.PolicyManager - EarSigner earsigner.IEarSigner + TaStore kvstore.IKVStore + EnStore kvstore.IKVStore + EvPluginManager plugin.IManager[handler.IEvidenceHandler] + EndPluginManager plugin.IManager[handler.IEndorsementHandler] + StorePluginManager plugin.IManager[handler.IStoreHandler] + PolicyManager *policymanager.PolicyManager + EarSigner earsigner.IEarSigner Server *grpc.Server Socket net.Listener @@ -73,18 +74,20 @@ func NewGRPC( taStore, enStore kvstore.IKVStore, evpluginManager plugin.IManager[handler.IEvidenceHandler], endpluginManager plugin.IManager[handler.IEndorsementHandler], + storepluginManager plugin.IManager[handler.IStoreHandler], policyManager *policymanager.PolicyManager, earSigner earsigner.IEarSigner, logger *zap.SugaredLogger, ) ITrustedServices { return &GRPC{ - TaStore: taStore, - EnStore: enStore, - EvPluginManager: evpluginManager, - EndPluginManager: endpluginManager, - PolicyManager: policyManager, - EarSigner: earSigner, - logger: logger, + TaStore: taStore, + EnStore: enStore, + EvPluginManager: evpluginManager, + EndPluginManager: endpluginManager, + StorePluginManager: storepluginManager, + PolicyManager: policyManager, + EarSigner: earSigner, + logger: logger, } } @@ -97,7 +100,12 @@ func (o *GRPC) Run() error { return o.Server.Serve(o.Socket) } -func (o *GRPC) Init(v *viper.Viper, evm plugin.IManager[handler.IEvidenceHandler], endm plugin.IManager[handler.IEndorsementHandler]) error { +func (o *GRPC) Init( + v *viper.Viper, + evm plugin.IManager[handler.IEvidenceHandler], + endm plugin.IManager[handler.IEndorsementHandler], + stm plugin.IManager[handler.IStoreHandler], +) error { var err error cfg := GRPCConfig{ServerAddress: DefaultVTSAddr} @@ -109,6 +117,7 @@ func (o *GRPC) Init(v *viper.Viper, evm plugin.IManager[handler.IEvidenceHandler o.EvPluginManager = evm o.EndPluginManager = endm + o.StorePluginManager = stm if cfg.ListenAddress != "" { o.ServerAddress = cfg.ListenAddress @@ -140,11 +149,15 @@ func (o *GRPC) Close() error { } if err := o.EvPluginManager.Close(); err != nil { - o.logger.Errorf("plugin manager shutdown failed: %v", err) + o.logger.Errorf("evidence plugin manager shutdown failed: %v", err) } if err := o.EndPluginManager.Close(); err != nil { - o.logger.Errorf("plugin manager shutdown failed: %v", err) + o.logger.Errorf("endorsement plugin manager shutdown failed: %v", err) + } + + if err := o.StorePluginManager.Close(); err != nil { + o.logger.Errorf("store plugin manager shutdown failed: %v", err) } if err := o.TaStore.Close(); err != nil { @@ -238,11 +251,11 @@ func (o *GRPC) addRefValues(ctx context.Context, refVal *handler.Endorsement) er var ( err error keys []string - handler handler.IEvidenceHandler + handler handler.IStoreHandler val []byte ) - handler, err = o.EvPluginManager.LookupByAttestationScheme(refVal.Scheme) + handler, err = o.StorePluginManager.LookupByAttestationScheme(refVal.Scheme) if err != nil { return err } @@ -277,7 +290,7 @@ func (o *GRPC) addTrustAnchor( var ( err error keys []string - handler handler.IEvidenceHandler + handler handler.IStoreHandler val []byte ) @@ -287,7 +300,7 @@ func (o *GRPC) addTrustAnchor( return errors.New("nil trust anchor in request") } - handler, err = o.EvPluginManager.LookupByAttestationScheme(req.Scheme) + handler, err = o.StorePluginManager.LookupByAttestationScheme(req.Scheme) if err != nil { return err } @@ -330,7 +343,16 @@ func (o *GRPC) GetAttestation( return o.finalize(appraisal, err) } - appraisal, err := o.initEvidenceContext(handler, token) + scheme := handler.GetAttestationScheme() + stHandler, err := o.StorePluginManager.LookupByAttestationScheme(scheme) + if err != nil { + appraisal := appraisal.New(token.TenantId, token.Nonce, "ERROR") + appraisal.SetAllClaims(ear.UnexpectedEvidenceClaim) + appraisal.AddPolicyClaim("problem", "could not resolve scheme name") + return o.finalize(appraisal, err) + } + + appraisal, err := o.initEvidenceContext(stHandler, token) if err != nil { return o.finalize(appraisal, err) } @@ -405,7 +427,7 @@ func (o *GRPC) GetAttestation( } func (c *GRPC) initEvidenceContext( - handler handler.IEvidenceHandler, + handler handler.IStoreHandler, token *proto.AttestationToken, ) (*appraisal.Appraisal, error) { var err error