diff --git a/Cargo.lock b/Cargo.lock index 0a0f6270d3..c226475bff 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -103,7 +103,7 @@ dependencies = [ "actix-utils", "futures-core", "futures-util", - "mio", + "mio 0.8.11", "socket2", "tokio", "tracing", @@ -499,14 +499,15 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0" [[package]] name = "attestation-agent" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" dependencies = [ "anyhow", "async-trait", "attester", - "base64 0.21.7", + "base64 0.22.1", "config", "const_format", + "kbs-types", "log", "serde", "serde_json", @@ -562,13 +563,13 @@ dependencies = [ [[package]] name = "attester" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" dependencies = [ "anyhow", "async-trait", "az-snp-vtpm 0.6.0", "az-tdx-vtpm 0.6.0", - "base64 0.21.7", + "base64 0.22.1", "codicon", "csv-rs", "hex", @@ -1368,11 +1369,11 @@ checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7" [[package]] name = "crypto" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" dependencies = [ "aes-gcm", "anyhow", - "base64 0.21.7", + "base64 0.22.1", "ctr", "kbs-types", "rand", @@ -2782,9 +2783,9 @@ dependencies = [ [[package]] name = "kbs-types" -version = "0.6.0" +version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "febd73b2b1df274ea454d81ddf76f596af9754410b7ed6f988f2e1782a175da3" +checksum = "9b6441ed73b0faa50707d4de41c6b45c76654b661b96aaf7b26a41331eedc0a5" dependencies = [ "serde", "serde_json", @@ -2793,12 +2794,12 @@ dependencies = [ [[package]] name = "kbs_protocol" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" dependencies = [ "anyhow", "async-trait", "attester", - "base64 0.21.7", + "base64 0.22.1", "crypto", "jwt-simple 0.12.9", "kbs-types", @@ -2817,12 +2818,12 @@ dependencies = [ [[package]] name = "kms" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" dependencies = [ "anyhow", "async-trait", "attestation-agent", - "base64 0.21.7", + "base64 0.22.1", "chrono", "const_format", "hex", @@ -2965,9 +2966,9 @@ dependencies = [ [[package]] name = "log" -version = "0.4.21" +version = "0.4.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "90ed8c1e510134f979dbc4f070f87d4313098b704861a105fe34231c70a3901c" +checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24" [[package]] name = "matchit" @@ -3043,6 +3044,18 @@ dependencies = [ "windows-sys 0.48.0", ] +[[package]] +name = "mio" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4569e456d394deccd22ce1c1913e6ea0e54519f577285001215d33557431afe4" +dependencies = [ + "hermit-abi 0.3.9", + "libc", + "wasi", + "windows-sys 0.52.0", +] + [[package]] name = "mobc" version = "0.8.4" @@ -3228,16 +3241,6 @@ dependencies = [ "libm", ] -[[package]] -name = "num_cpus" -version = "1.16.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43" -dependencies = [ - "hermit-abi 0.3.9", - "libc", -] - [[package]] name = "num_threads" version = "0.1.7" @@ -4253,7 +4256,7 @@ dependencies = [ [[package]] name = "resource_uri" version = "0.1.0" -source = "git+https://github.com/confidential-containers/guest-components.git?rev=9bd6f06a9704e01808e91abde130dffb20e632a5#9bd6f06a9704e01808e91abde130dffb20e632a5" +source = "git+https://github.com/confidential-containers/guest-components.git?rev=cd16b445291ad401b4b53664266983f4927a370e#cd16b445291ad401b4b53664266983f4927a370e" dependencies = [ "anyhow", "serde", @@ -5354,21 +5357,20 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.38.1" +version = "1.39.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb2caba9f80616f438e09748d5acda951967e1ea58508ef53d9c6402485a46df" +checksum = "daa4fb1bc778bd6f04cbfc4bb2d06a7396a8f299dc33ea1900cedaa316f467b1" dependencies = [ "backtrace", "bytes", "libc", - "mio", - "num_cpus", + "mio 1.0.1", "parking_lot 0.12.2", "pin-project-lite", "signal-hook-registry", "socket2", "tokio-macros", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -5383,9 +5385,9 @@ dependencies = [ [[package]] name = "tokio-macros" -version = "2.3.0" +version = "2.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f5ae998a069d4b5aba8ee9dad856af7d520c3699e6159b185c2acd48155d39a" +checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752" dependencies = [ "proc-macro2", "quote", diff --git a/Cargo.toml b/Cargo.toml index 3d7bd6bbc9..a82cd37414 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -29,9 +29,9 @@ config = "0.13.3" env_logger = "0.10.0" hex = "0.4.3" jwt-simple = "0.11" -kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="9bd6f06a9704e01808e91abde130dffb20e632a5", default-features = false } -kbs-types = "0.6.0" -kms = { git = "https://github.com/confidential-containers/guest-components.git", rev="9bd6f06a9704e01808e91abde130dffb20e632a5", default-features = false } +kbs_protocol = { git = "https://github.com/confidential-containers/guest-components.git", rev="cd16b445291ad401b4b53664266983f4927a370e", default-features = false } +kbs-types = "0.7.0" +kms = { git = "https://github.com/confidential-containers/guest-components.git", rev="cd16b445291ad401b4b53664266983f4927a370e", default-features = false } jsonwebtoken = { version = "9", default-features = false } log = "0.4.17" prost = "0.12" @@ -49,4 +49,4 @@ thiserror = "1.0" tokio = { version = "1", features = ["full"] } tempfile = "3.4.0" tonic = "0.11" -tonic-build = "0.11" \ No newline at end of file +tonic-build = "0.11" diff --git a/kbs/src/attestation/coco/builtin.rs b/kbs/src/attestation/coco/builtin.rs index c5a194e8fe..cc0bdcf9dc 100644 --- a/kbs/src/attestation/coco/builtin.rs +++ b/kbs/src/attestation/coco/builtin.rs @@ -34,7 +34,7 @@ impl Attest for BuiltInCoCoAs { .read() .await .evaluate( - attestation.tee_evidence.into_bytes(), + attestation.tee_evidence.to_string().into_bytes(), tee, Some(Data::Structured(runtime_data_plaintext)), HashAlgorithm::Sha384, @@ -45,13 +45,17 @@ impl Attest for BuiltInCoCoAs { .await } - async fn generate_challenge(&self, tee: Tee, tee_parameters: String) -> Result { + async fn generate_challenge( + &self, + tee: Tee, + tee_parameters: serde_json::Value, + ) -> Result { let nonce = match tee { Tee::Se => { self.inner .read() .await - .generate_supplemental_challenge(tee, tee_parameters) + .generate_supplemental_challenge(tee, tee_parameters.to_string()) .await? } _ => make_nonce().await?, @@ -59,7 +63,7 @@ impl Attest for BuiltInCoCoAs { let challenge = Challenge { nonce, - extra_params: String::new(), + extra_params: serde_json::Value::String(String::new()), }; Ok(challenge) diff --git a/kbs/src/attestation/coco/grpc.rs b/kbs/src/attestation/coco/grpc.rs index 0d61f271bd..903dbf3440 100644 --- a/kbs/src/attestation/coco/grpc.rs +++ b/kbs/src/attestation/coco/grpc.rs @@ -105,7 +105,7 @@ impl Attest for GrpcClientPool { .to_string(); let req = tonic::Request::new(AttestationRequest { tee, - evidence: URL_SAFE_NO_PAD.encode(attestation.tee_evidence), + evidence: URL_SAFE_NO_PAD.encode(attestation.tee_evidence.to_string()), runtime_data_hash_algorithm: COCO_AS_HASH_ALGORITHM.into(), init_data_hash_algorithm: COCO_AS_HASH_ALGORITHM.into(), runtime_data: Some(RuntimeData::StructuredRuntimeData(runtime_data_plaintext)), @@ -124,12 +124,16 @@ impl Attest for GrpcClientPool { Ok(token) } - async fn generate_challenge(&self, tee: Tee, tee_parameters: String) -> Result { + async fn generate_challenge( + &self, + tee: Tee, + tee_parameters: serde_json::Value, + ) -> Result { let nonce = match tee { Tee::Se => { let mut inner = HashMap::new(); inner.insert(String::from("tee"), String::from("se")); - inner.insert(String::from("tee_params"), tee_parameters); + inner.insert(String::from("tee_params"), tee_parameters.to_string()); let req = tonic::Request::new(ChallengeRequest { inner }); let mut client = { self.pool.lock().await.get().await? }; @@ -145,7 +149,7 @@ impl Attest for GrpcClientPool { let challenge = Challenge { nonce, - extra_params: String::new(), + extra_params: serde_json::Value::String(String::new()), }; Ok(challenge) diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 2eac0ac656..616b036bac 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -66,7 +66,7 @@ impl Attest for IntelTrustAuthority { let attestation = serde_json::from_str::(attestation) .map_err(|e| anyhow!("Deserialize Attestation failed: {:?}", e))?; let evidence = - serde_json::from_str::(&attestation.tee_evidence) + serde_json::from_value::(attestation.tee_evidence) .map_err(|e| anyhow!("Deserialize supported TEE Evidence failed: {:?}", e))?; let runtime_data = json!({ diff --git a/kbs/src/attestation/mod.rs b/kbs/src/attestation/mod.rs index bacdd56405..e306f78039 100644 --- a/kbs/src/attestation/mod.rs +++ b/kbs/src/attestation/mod.rs @@ -55,12 +55,16 @@ pub trait Attest: Send + Sync { async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result; /// generate the Challenge to pass to attester based on Tee and nonce - async fn generate_challenge(&self, _tee: Tee, _tee_parameters: String) -> Result { + async fn generate_challenge( + &self, + _tee: Tee, + _tee_parameters: serde_json::Value, + ) -> Result { let nonce = make_nonce().await?; Ok(Challenge { nonce, - extra_params: String::new(), + extra_params: serde_json::Value::String(String::new()), }) } } @@ -121,7 +125,11 @@ impl AttestationService { } } - pub async fn generate_challenge(&self, tee: Tee, tee_parameters: String) -> Result { + pub async fn generate_challenge( + &self, + tee: Tee, + tee_parameters: serde_json::Value, + ) -> Result { match self { #[cfg(feature = "coco-as-grpc")] AttestationService::CoCoASgRPC(inner) => { diff --git a/kbs/src/http/attest.rs b/kbs/src/http/attest.rs index 5089fc00de..49b2d7f998 100644 --- a/kbs/src/http/attest.rs +++ b/kbs/src/http/attest.rs @@ -16,7 +16,7 @@ use serde_json::json; static KBS_MAJOR_VERSION: u64 = 0; static KBS_MINOR_VERSION: u64 = 1; -static KBS_PATCH_VERSION: u64 = 0; +static KBS_PATCH_VERSION: u64 = 1; lazy_static! { static ref VERSION_REQ: VersionReq = { diff --git a/kbs/src/http/resource.rs b/kbs/src/http/resource.rs index c0f17265b3..abf8aed54d 100644 --- a/kbs/src/http/resource.rs +++ b/kbs/src/http/resource.rs @@ -189,10 +189,17 @@ const RSA_ALGORITHM: &str = "RSA1_5"; const AES_GCM_256_ALGORITHM: &str = "A256GCM"; pub(crate) fn jwe(tee_pub_key: TeePubKey, payload_data: Vec) -> Result { - if tee_pub_key.alg != *RSA_ALGORITHM { + let TeePubKey::RSA { alg, k_mod, k_exp } = tee_pub_key else { + raise_error!(Error::JWEFailed(format!( + "key type is not TeePubKey::RSA but {:?}", + tee_pub_key + ))); + }; + + if alg != *RSA_ALGORITHM { raise_error!(Error::JWEFailed(format!( "algorithm is not {RSA_ALGORITHM} but {}", - tee_pub_key.alg + alg ))); } @@ -207,11 +214,11 @@ pub(crate) fn jwe(tee_pub_key: TeePubKey, payload_data: Vec) -> Result