diff --git a/scheme/cca-realm/corim_extractor.go b/scheme/cca-realm/corim_extractor.go
index 61c1254c..f1e6009c 100644
--- a/scheme/cca-realm/corim_extractor.go
+++ b/scheme/cca-realm/corim_extractor.go
@@ -21,36 +21,40 @@ func (o CorimExtractor) RefValExtractor(
 return nil, fmt.Errorf("could not extract Realm class attributes: %w", err) } - rvs := make([]*handler.Endorsement, 0, len(rv.Measurements)) - - for i, m := range rv.Measurements { + // For Realm's we only expect one Reference Value + rvs := make([]*handler.Endorsement, 0, 1) + var measurements [][]byte + var algID string + for _, m := range rv.Measurements { d := m.Val.Digests if d == nil { return nil, fmt.Errorf("measurement value has no digests") } - if len(*d) != 1 { - return nil, fmt.Errorf("expecting exactly one digest") + k := len(*d) + if k < 1 { + return nil, fmt.Errorf("expecting atleast one digest") } - algID := (*d)[0].AlgIDToString() + algID = (*d)[0].AlgIDToString() measurementValue := (*d)[0].HashValue - attrs, err := makeRefValAttrs(&classAttrs, algID, measurementValue) - if err != nil { - return nil, fmt.Errorf("measurement[%d].digest: %w", i, err) - } - - rv := &handler.Endorsement{ - Scheme: SchemeName, - Type: handler.EndorsementType_REFERENCE_VALUE, - Attributes: attrs, - } + measurements = append(measurements, measurementValue) + } - rvs = append(rvs, rv) + attrs, err := makeRefValAttrs(&classAttrs, algID, measurements) + if err != nil { + return nil, fmt.Errorf("attributes error: %w", err) + } + ev := &handler.Endorsement{ + Scheme: SchemeName, + Type: handler.EndorsementType_REFERENCE_VALUE, + Attributes: attrs, } + rvs = append(rvs, ev) + if len(rvs) == 0 { return nil, fmt.Errorf("no measurements found") }
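Review bot: With the endorsement now built after the loop, `rvs` always holds exactly one entry, so the `len(rvs) == 0` guard at the end of the hunk can never fire, and a `rv.Measurements` of length zero yields an endorsement whose `cca-realm.alg-id` is `""` and whose `cca-realm.measurement-array` is a nil slice — a reference value with nothing to match against gets handed to the store. Two further gaps in the new loop: `algID` is overwritten on every iteration, so a CoMID whose measurements use different digest algorithms is silently accepted with the last one's id, and the relaxed `k < 1` check still consumes only `(*d)[0]`, dropping any additional digests without an error (if several digests per measurement are meant to be accepted, all of them need to be appended). I'd move the emptiness check in front of the loop, reject mixed algorithms, and either restore the `!= 1` check or consume every digest; the message should also read "at least", and the dead check after `append` can go. `RefValExtractor` starts before and ends after this hunk.
```go
	// A Realm reference value is a single endorsement carrying every measurement.
	rvs := make([]*handler.Endorsement, 0, 1)
	if len(rv.Measurements) == 0 {
		return nil, fmt.Errorf("no measurements found")
	}
	var measurements [][]byte
	var algID string
	for _, m := range rv.Measurements {
		d := m.Val.Digests
		if d == nil {
			return nil, fmt.Errorf("measurement value has no digests")
		}
		// Only the first digest is consumed below; refuse input that would
		// otherwise lose data silently.
		if len(*d) != 1 {
			return nil, fmt.Errorf("expecting exactly one digest, got %d", len(*d))
		}
		id := (*d)[0].AlgIDToString()
		if algID != "" && id != algID {
			return nil, fmt.Errorf("mixed digest algorithms in reference value: %q and %q", algID, id)
		}
		algID = id
		measurements = append(measurements, (*d)[0].HashValue)
	}
	// … unchanged: makeRefValAttrs call, Endorsement construction, append …
```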
@@ -58,14 +62,14 @@ func (o CorimExtractor) RefValExtractor(
 return rvs, nil } -func makeRefValAttrs(cAttr *ClassAttributes, algID string, digest []byte) (json.RawMessage, error) { +func makeRefValAttrs(cAttr *ClassAttributes, algID string, measurements [][]byte) (json.RawMessage, error) { var attrs = map[string]interface{}{ - "cca-realm.vendor": cAttr.Vendor, - "cca-realm.model": cAttr.Model, - "cca-realm-id": cAttr.UUID, - "cca-realm.alg-id": algID, - "cca-realm.measurement": digest, + "cca-realm.vendor": cAttr.Vendor, + "cca-realm.model": cAttr.Model, + "cca-realm.id": cAttr.UUID, + "cca-realm.alg-id": algID, + "cca-realm.measurement-array": measurements, } data, err := json.Marshal(attrs) if err != nil {
diff --git a/scheme/cca-realm/endorsement_handler_test.go b/scheme/cca-realm/endorsement_handler_test.go
index f3547edd..eb6e5753 100644
--- a/scheme/cca-realm/endorsement_handler_test.go
+++ b/scheme/cca-realm/endorsement_handler_test.go
@@ -3,9 +3,11 @@ package cca_realm
 import ( + "os" "testing" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) func TestDecoder_GetAttestationScheme(t *testing.T) {
@@ -63,3 +65,12 @@ func TestDecoder_Decode_invalid_data(t *testing.T) {
 assert.EqualError(t, err, expectedErr) } + +func TestDecoder_Decode_CoRIM_ok(t *testing.T) { + d := &EndorsementHandler{} + endBytes, err := os.ReadFile("test/corim-cca-realm.cbor") + require.NoError(t, err) + + _, err = d.Decode(endBytes) + require.NoError(t, err) +}
diff --git a/scheme/cca-realm/evidence_handler.go b/scheme/cca-realm/evidence_handler.go
index 933cf060..a9c10b95 100644
--- a/scheme/cca-realm/evidence_handler.go
+++ b/scheme/cca-realm/evidence_handler.go
@@ -6,6 +6,8 @@ package cca_realm
 import ( "encoding/json" "fmt" + "net/url" + "strings" "github.com/veraison/ccatoken" "github.com/veraison/ear"
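Review bot: `makeRefValAttrs` marshals `measurements` and `algID` unchecked, so a nil slice is written as `"cca-realm.measurement-array": null` and a missing algorithm as `"cca-realm.alg-id": ""`; both unmarshal cleanly into `RealmAttr` on the evidence side and produce an endorsement that can never match anything. A guard before the map, `if algID == "" || len(measurements) == 0 { return nil, fmt.Errorf("reference value needs a digest algorithm and at least one measurement") }`, keeps that out of the store regardless of what the caller does. The rename of the key `cca-realm-id` to `cca-realm.id` also changes the persisted attribute format: as far as this diff shows, endorsements already stored under the old key would no longer populate `RealmAttr.RealmID`, which deserves a line in the commit message. `map[string]any` is the current spelling of `map[string]interface{}` if the module's Go version permits it.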
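Review bot: `TestDecoder_Decode_CoRIM_ok` checks only that `Decode` returns no error and discards the result, so it would still pass if the extractor emitted an endorsement with an empty measurement array or a wrong attribute key; bind the result instead of `_` and assert on it — the number of reference values produced and the presence of `cca-realm.id`, `cca-realm.alg-id` and a non-empty `cca-realm.measurement-array` in the attributes — so the JSON shape written by `makeRefValAttrs` is pinned by a test. The other new fixture, `test/corim_endorsement.cbor`, is added with blob id `e69de29b`, which is git's empty-blob hash, and no test in this diff reads it; it looks like an accidental empty file. A one-line comment on the test saying what `test/corim-cca-realm.cbor` contains (which CoMID, how many measurements, which digest algorithm) would help whoever has to regenerate it.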
@@ -19,6 +21,14 @@ import (
 type EvidenceHandler struct{} +type RealmAttr struct { + Vendor string `json:"cca-realm.vendor"` + Model string `json:"cca-realm.model"` + RealmID string `json:"cca-realm.id"` + AlgID string `json:"cca-realm.alg-id"` + MeasurementArray [][]byte `json:"cca-realm.measurement-array"` +} + func (s EvidenceHandler) GetName() string { return "cca-realm-evidence-handler" }
@@ -35,8 +45,30 @@ func (s EvidenceHandler) SynthKeysFromRefValue(
 tenantID string, refVal *handler.Endorsement, ) ([]string, error) { - return arm.SynthKeysFromRefValue(SchemeName, tenantID, refVal) + var realm RealmAttr + + attr := refVal.Attributes + err := json.Unmarshal(attr, &realm) + if err != nil { + return nil, fmt.Errorf("unable to UnMarshal Realm Attributes %w", err) + } + lookupKey := RefValLookupKey(SchemeName, tenantID, realm.RealmID) + log.Debugf("Scheme %s Plugin Reference Value Look Up Key= %s\n", SchemeName, lookupKey) + + return []string{lookupKey}, nil +} + +func RefValLookupKey(schemeName, tenantID, uuID string) string { + absPath := []string{uuID} + + u := url.URL{ + Scheme: schemeName, + Host: tenantID, + Path: strings.Join(absPath, "/"), + } + + return u.String() } func (s EvidenceHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) {
@@ -49,6 +81,7 @@ func (s EvidenceHandler) GetTrustAnchorID(token *proto.AttestationToken) (string
 return "", nil } +// TO DO COMPLETE THIS func (s EvidenceHandler) ExtractClaims( token *proto.AttestationToken, trustAnchor string,
@@ -74,6 +107,9 @@ func (s EvidenceHandler) ExtractClaims(
 "could not convert realm claims: %w", err)) } + /* FROM THE REALM CLAIM SET GET THE REALM INITIAL MEASUREMENTS */ + /* THAT WILL BE THE INPUT TO THE REFERENCE ID */ + extracted.ClaimsSet = map[string]interface{}{ "platform": platformClaimsSet, "realm": realmClaimsSet,
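Review bot: `RealmAttr` is exported without a doc comment, and its JSON tags repeat by hand the keys written in `makeRefValAttrs` in corim_extractor.go, so the two can drift silently — the `cca-realm-id` → `cca-realm.id` rename in this same commit shows how easily that happens. I'd add `// RealmAttr is the JSON shape of a cca-realm reference-value endorsement's Attributes, as written by makeRefValAttrs; keep the tags and that map in sync.` above the type, and consider hoisting the key strings into package-level constants used by both sides. A comment on `MeasurementArray` noting that encoding/json represents each `[]byte` element as a base64 string would spare the next reader a surprise when they compare it against raw digests.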
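Review bot: `SynthKeysFromRefValue` builds the lookup key from `realm.RealmID` without checking that it is present, so an endorsement lacking `cca-realm.id` is keyed as `cca-realm://<tenant>` with no path component and every such endorsement for a tenant collides on that one key; add `if realm.RealmID == "" { return nil, fmt.Errorf("reference value has no cca-realm.id") }` after the unmarshal. More importantly, this side now keys reference values by realm UUID while `ExtractClaims` (last hunk of this file) still appears to set `extracted.ReferenceID` from `token.TenantId` and `arm.MustImplIDString(ccaToken.PlatformClaims)`, i.e. the platform key, so as far as this diff shows the two keys cannot match and realm reference values will not be found at verification time — the `TO DO` comments suggest this is known, but the commit message should say so. Minor: `RefValLookupKey` wraps `uuID` in a one-element slice only to `strings.Join` it, which is just `Path: uuID`, the exported `RefValLookupKey` needs a doc comment, and the error text `"unable to UnMarshal Realm Attributes %w"` should be lowercase with a colon before `%w`.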
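Review bot: `// TO DO COMPLETE THIS` sits directly above `func (s EvidenceHandler) ExtractClaims(`, so it becomes the method's godoc text and the non-standard spelling keeps `TODO` tooling from finding it; replace it with a doc line plus the conventional marker, e.g. `// ExtractClaims pulls the platform and realm claim sets out of a CCA token.` followed by `// TODO: derive ReferenceID from the realm initial measurements rather than the platform implementation ID.` The two all-caps block comments added inside `ExtractClaims` in the next hunk say the same thing and read better as that single lowercase `// TODO:` line. `ExtractClaims` continues outside both hunks.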
@@ -84,6 +120,7 @@ func (s EvidenceHandler) ExtractClaims(
 token.TenantId, arm.MustImplIDString(ccaToken.PlatformClaims), ) + log.Debugf("extracted Reference ID Key = %s", extracted.ReferenceID) return &extracted, nil }
diff --git a/scheme/cca-realm/test/corim-cca-realm.cbor b/scheme/cca-realm/test/corim-cca-realm.cbor
new file mode 100644
index 00000000..cb3e3607
Binary files /dev/null and b/scheme/cca-realm/test/corim-cca-realm.cbor differ
diff --git a/scheme/cca-realm/test/corim_endorsement.cbor b/scheme/cca-realm/test/corim_endorsement.cbor
new file mode 100644
index 00000000..e69de29b