Improve KBS protocol version handling and bump the version to v0.1.1 due to kbs-types changes #628

Merged
merged 4 commits into from
Aug 6, 2024
4 changes: 2 additions & 2 deletions Cargo.lock


2 changes: 1 addition & 1 deletion Cargo.toml
@@ -38,7 +38,7 @@ env_logger = "0.11.3"
hex = "0.4.3"
hmac = "0.12.1"
jwt-simple = { version = "0.12", default-features = false, features = ["pure-rust"] }
kbs-types = "0.6.0"
kbs-types = "0.7.0"
lazy_static = "1.4.0"
log = "0.4.22"
nix = "0.28"
2 changes: 1 addition & 1 deletion attestation-agent/kbs_protocol/src/client/mod.rs
@@ -48,7 +48,7 @@ pub struct KbsClient<T> {
pub(crate) token: Option<Token>,
}

pub const KBS_PROTOCOL_VERSION: &str = "0.1.0";
pub const KBS_PROTOCOL_VERSION: &str = "0.1.1";

pub const KBS_GET_RESOURCE_MAX_ATTEMPT: u64 = 3;

45 changes: 36 additions & 9 deletions attestation-agent/kbs_protocol/src/client/rcar_client.rs
@@ -104,21 +104,39 @@ impl KbsClient<Box<dyn EvidenceProvider>> {
let request = Request {
version: String::from(KBS_PROTOCOL_VERSION),
tee,
extra_params: String::new(),
extra_params: serde_json::Value::String(String::new()),
mkulke marked this conversation as resolved.
};

debug!("send auth request to {auth_endpoint}");

let challenge = self
let resp = self
.http_client
.post(auth_endpoint)
.header("Content-Type", "application/json")
.json(&request)
.send()
.await?
.json::<Challenge>()
.await?;

match resp.status() {
reqwest::StatusCode::OK => {
debug!("KBS request OK");
}
reqwest::StatusCode::UNAUTHORIZED => {
let error_info = resp.json::<ErrorInformation>().await?;
bail!(
"KBS request unauthorized, ErrorInformation: {:?}",
error_info
);
}
_ => {
bail!(
"KBS Server Internal Failed, Response: {:?}",
resp.text().await?
);
}
}

let challenge = resp.json::<Challenge>().await?;
debug!("get challenge: {challenge:#?}");
let tee_pubkey = self.tee_key.export_pubkey()?;
let runtime_data = json!({
@@ -135,7 +153,7 @@ impl KbsClient<Box<dyn EvidenceProvider>> {
let attest_endpoint = format!("{}/{KBS_PREFIX}/attest", self.kbs_host_url);
let attest = Attestation {
tee_pubkey,
tee_evidence: evidence,
tee_evidence: serde_json::from_str(&evidence)?, // TODO: change attesters to return Value?
mythi marked this conversation as resolved.
};

debug!("send attest request.");
@@ -345,10 +363,19 @@ mod test {
.try_into()
.expect("resource uri");

let resource = client
.get_resource(resource_uri)
.await
.expect("get resource");
let resource = match client.get_resource(resource_uri).await {
Ok(resource) => resource,
Err(e) => {
// Skip the test if the kbs server returned ProtocolVersion error. Any other
// error is treated as a failure.
assert!(e
.to_string()
.contains("KBS Client Protocol Version Mismatch"));
println!("NOTE: the test is skipped due to KBS protocol incompatibility.");
return ();
}
};

assert_eq!(resource, CONTENT);

let (token, key) = client.get_token().await.expect("get token");
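Review bot: The new `Err` arm in the test hunk turns a protocol-version mismatch into a silent pass, so against an older KBS image the resource and token assertions never run while the test still reports success. The skip is decided by a substring of text that appears to come from the server's response body (the 401 and `_` arms of the auth hunk embed it in their `bail!` messages), which is brittle; matching on the parsed `ErrorInformation` or a typed error would be firmer. I would gate the skip behind an explicit opt-in, for example `if std::env::var("<SKIP_OPT_IN_VAR>").is_err() { panic!("KBS protocol mismatch: {e}"); }` with a placeholder variable name, and write `return;` instead of `return ();`. In the auth hunk the `_` arm also labels every status other than 200 and 401 as "KBS Server Internal Failed"; binding it, `status => bail!("KBS auth request failed ({status}): {:?}", resp.text().await?)`, keeps 4xx responses distinguishable. Both enclosing functions start and end outside the hunks shown.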
2 changes: 1 addition & 1 deletion attestation-agent/kbs_protocol/src/error.rs
@@ -42,6 +42,6 @@ pub enum Error {
#[error("KBS resource not found: {0}")]
ResourceNotFound(String),

#[error("request unautorized")]
#[error("request unauthorized")]
UnAuthorized,
}
5 changes: 2 additions & 3 deletions attestation-agent/kbs_protocol/src/keypair.rs
@@ -7,7 +7,7 @@ use anyhow::{Context, Result};

use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
use crypto::{
rsa::{PaddingMode, RSAKeyPair, RSA_KTY},
rsa::{PaddingMode, RSAKeyPair},
WrapType,
};
use kbs_types::{Response, TeePubKey};
@@ -31,11 +31,10 @@ impl TeeKeyPair {
let k_mod = URL_SAFE_NO_PAD.encode(self.keypair.n());
let k_exp = URL_SAFE_NO_PAD.encode(self.keypair.e());

Ok(TeePubKey {
Ok(TeePubKey::RSA {
alg: PaddingMode::PKCS1v15.as_ref().to_string(),
k_mod,
k_exp,
kty: RSA_KTY.to_string(),
})
}

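Review bot: The rebuilt `TeePubKey::RSA` value still sets `alg` from `PaddingMode::PKCS1v15`, so whatever the KBS encrypts to this TEE key presumably keeps using PKCS#1 v1.5 encryption padding, the scheme that padding-oracle attacks target when decryption failures are distinguishable to the sender. Since this PR already changes the wire types and bumps the protocol version, the choice deserves a comment on that line, for example `// PKCS#1 v1.5 kept for compatibility with the current KBS; revisit when both sides can negotiate OAEP`. It would also help to confirm that the decrypt path in this file returns one uniform error for any unwrap failure. The enclosing method (presumably `export_pubkey`, as called from rcar_client.rs) starts outside the hunk.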