From d2de33e1fc96a31f904b3a97e3ddeda8c8bd9a4b Mon Sep 17 00:00:00 2001 From: Yogesh Deshpande Date: Wed, 1 May 2024 12:35:35 -0400 Subject: [PATCH 1/7] CCA Realm Provisioning Plugin Signed-off-by: Yogesh Deshpande --- go.mod | 2 +- go.sum | 7 +- scheme/Makefile | 1 + scheme/cca-realm-provisioning/Makefile | 15 +++ scheme/cca-realm-provisioning/README.md | 40 ++++++ .../cca-realm-provisioning/classattributes.go | 52 +++++++ .../cca-realm-provisioning/corim_extractor.go | 89 ++++++++++++ .../corim_test_vectors.go | 127 ++++++++++++++++++ .../endorsement_handler.go | 34 +++++ .../endorsement_handler_test.go | 119 ++++++++++++++++ .../instanceattributes.go | 29 ++++ scheme/cca-realm-provisioning/plugin/Makefile | 10 ++ .../plugin/combined/Makefile | 11 ++ .../plugin/combined/main.go | 14 ++ .../plugin/endorsement-handler/Makefile | 11 ++ .../plugin/endorsement-handler/main.go | 14 ++ .../plugin/store-handler/Makefile | 11 ++ .../plugin/store-handler/main.go | 14 ++ .../cca-realm-provisioning/realmattributes.go | 81 +++++++++++ scheme/cca-realm-provisioning/scheme.go | 11 ++ .../cca-realm-provisioning/store_handler.go | 78 +++++++++++ .../store_handler_test.go | 65 +++++++++ .../test/corim/Makefile | 10 ++ .../test/corim/build-test-vectors.sh | 43 ++++++ .../test/corim/comidCcaRealm.json | 75 +++++++++++ .../test/corim/comidCcaRealmInvalidClass.json | 75 +++++++++++ .../corim/comidCcaRealmInvalidInstance.json | 75 +++++++++++ .../test/corim/comidCcaRealmNoClass.json | 68 ++++++++++ .../test/corim/comidCcaRealmNoInstance.json | 71 ++++++++++ .../test/corim/corimCcaRealm.json | 19 +++ .../test/store/refvalEndorsements.json | 27 ++++ 31 files changed, 1295 insertions(+), 3 deletions(-) create mode 100644 scheme/cca-realm-provisioning/Makefile create mode 100644 scheme/cca-realm-provisioning/README.md create mode 100644 scheme/cca-realm-provisioning/classattributes.go create mode 100644 scheme/cca-realm-provisioning/corim_extractor.go create mode 100644 scheme/cca-realm-provisioning/corim_test_vectors.go create mode 100644 scheme/cca-realm-provisioning/endorsement_handler.go create mode 100644 scheme/cca-realm-provisioning/endorsement_handler_test.go create mode 100644 scheme/cca-realm-provisioning/instanceattributes.go create mode 100644 scheme/cca-realm-provisioning/plugin/Makefile create mode 100644 scheme/cca-realm-provisioning/plugin/combined/Makefile create mode 100644 scheme/cca-realm-provisioning/plugin/combined/main.go create mode 100644 scheme/cca-realm-provisioning/plugin/endorsement-handler/Makefile create mode 100644 scheme/cca-realm-provisioning/plugin/endorsement-handler/main.go create mode 100644 scheme/cca-realm-provisioning/plugin/store-handler/Makefile create mode 100644 scheme/cca-realm-provisioning/plugin/store-handler/main.go create mode 100644 scheme/cca-realm-provisioning/realmattributes.go create mode 100644 scheme/cca-realm-provisioning/scheme.go create mode 100644 scheme/cca-realm-provisioning/store_handler.go create mode 100644 scheme/cca-realm-provisioning/store_handler_test.go create mode 100644 scheme/cca-realm-provisioning/test/corim/Makefile create mode 100755 scheme/cca-realm-provisioning/test/corim/build-test-vectors.sh create mode 100644 scheme/cca-realm-provisioning/test/corim/comidCcaRealm.json create mode 100644 scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidClass.json create mode 100644 scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidInstance.json create mode 100644 scheme/cca-realm-provisioning/test/corim/comidCcaRealmNoClass.json create mode 100644 scheme/cca-realm-provisioning/test/corim/comidCcaRealmNoInstance.json create mode 100644 scheme/cca-realm-provisioning/test/corim/corimCcaRealm.json create mode 100644 scheme/cca-realm-provisioning/test/store/refvalEndorsements.json diff --git a/go.mod b/go.mod index fe1e58ed..fa2f0968 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/tbaehler/gin-keycloak v1.5.0 github.com/veraison/ccatoken v1.1.0 github.com/veraison/cmw v0.1.0 - github.com/veraison/corim v1.1.2 + github.com/veraison/corim v1.1.3-0.20240429160003-7b04d8b96e76 github.com/veraison/dice v0.0.1 github.com/veraison/ear v1.1.2 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53 diff --git a/go.sum b/go.sum index 81c0f816..bdfa87b6 100644 --- a/go.sum +++ b/go.sum @@ -625,6 +625,7 @@ github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9 github.com/hashicorp/go-plugin v1.4.4 h1:NVdrSdFRt3SkZtNckJ6tog7gbpRrcbOjQi/rgF7JYWQ= github.com/hashicorp/go-plugin v1.4.4/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s= github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= +github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= @@ -1063,8 +1064,10 @@ github.com/veraison/ccatoken v1.1.0 h1:U0Z5fOQRsdz3ksvvxVzTITczo+kfRxIlkWahJNP6I github.com/veraison/ccatoken v1.1.0/go.mod h1:qh/KBwsrhPyGJqttlh8PU56wt1rPkUCX9A3ZAA/53Nc= github.com/veraison/cmw v0.1.0 h1:vD6tBlGPROCW/HlDcG1jh+XUJi5ihrjXatKZBjrv8mU= github.com/veraison/cmw v0.1.0/go.mod h1:WoBrlgByc6C1FeHhdze1/bQx1kv5d1sWKO5ezEf4Hs4= -github.com/veraison/corim v1.1.2 h1:JIk6ZK/OzKEb0FJUFHSnmkn67yyGy+5NChYax0bwttA= -github.com/veraison/corim v1.1.2/go.mod h1:yoN6+vVQJgzS926nheCbJi68SvOlN0CpiPuTxYSe5FU= +github.com/veraison/corim v1.1.3-0.20240423112400-92efbf346d05 h1:UDu2uBWhd17Hx+NqvvaXVjApk3PwbkDt+K7H0Xy+RKY= +github.com/veraison/corim v1.1.3-0.20240423112400-92efbf346d05/go.mod h1:yoN6+vVQJgzS926nheCbJi68SvOlN0CpiPuTxYSe5FU= +github.com/veraison/corim v1.1.3-0.20240429160003-7b04d8b96e76 h1:kB1KvHDnKO7YubQ0Bs3DMjZrC2r9JmaXCDfzeGJCEb0= +github.com/veraison/corim v1.1.3-0.20240429160003-7b04d8b96e76/go.mod h1:yoN6+vVQJgzS926nheCbJi68SvOlN0CpiPuTxYSe5FU= github.com/veraison/dice v0.0.1 h1:dOm7ByDN/r4WlDsGkEUXzdPMXgTvAPTAksQ8+BwBrD4= github.com/veraison/dice v0.0.1/go.mod h1:QPMLc5LVMj08VZ+HNMYk4XxWoVYGAUBVm8Rd5V1hzxs= github.com/veraison/ear v1.1.2 h1:Xs41FqAG8IyJaceqNFcX2+nf51Et1uyhmCJV8SZqw/8= diff --git a/scheme/Makefile b/scheme/Makefile index 7771f757..0683e01f 100644 --- a/scheme/Makefile +++ b/scheme/Makefile @@ -8,6 +8,7 @@ SUBDIR += psa-iot SUBDIR += tpm-enacttrust SUBDIR += parsec-tpm SUBDIR += parsec-cca +SUBDIR += cca-realm-provisioning clean: ; $(RM) -rf ./bin diff --git a/scheme/cca-realm-provisioning/Makefile b/scheme/cca-realm-provisioning/Makefile new file mode 100644 index 00000000..3b26e359 --- /dev/null +++ b/scheme/cca-realm-provisioning/Makefile @@ -0,0 +1,15 @@ + +# Copyright 2024 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 +.DEFAULT_GOAL := test + +GOPKG := github.com/veraison/services/scheme/cca-realm-provisioning +SRCS := $(wildcard *.go) + +SUBDIR += plugin + +include ../../mk/common.mk +include ../../mk/lint.mk +include ../../mk/pkg.mk +include ../../mk/subdir.mk +include ../../mk/test.mk diff --git a/scheme/cca-realm-provisioning/README.md b/scheme/cca-realm-provisioning/README.md new file mode 100644 index 00000000..ce1d43ed --- /dev/null +++ b/scheme/cca-realm-provisioning/README.md @@ -0,0 +1,40 @@ +# Endorsement Store Interface + +## Reference Value + +In CCA_Realm scheme the Realm instance is uniquely identified by the values of Realm initial measurements, +used to launch a Realm. + +```json +{ + "scheme": "CCA_REALM", + "type": "REFERENCE_VALUE", + "attributes": { + "CCA_REALM.vendor": "Worload Client Ltd", + "CCA_REALM.class-id": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C", + "CCA_REALM.inst-id": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1", + "CCA_REALM.hash-alg-id": "sha-384", + "CCA_REALM.measurements": [ + { + "rim": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" + }, + { + "rem0": "IQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + }, + { + "rem1": "JQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + }, + { + "rem2": "MQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + }, + { + "rem3": "NQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + } + ] + } +} +``` + +## Trust Anchor + +CCA_Realm scheme has no explicit Trust Anchor to provision, as they are supplied inline in the Realm attestation token \ No newline at end of file diff --git a/scheme/cca-realm-provisioning/classattributes.go b/scheme/cca-realm-provisioning/classattributes.go new file mode 100644 index 00000000..b19d7822 --- /dev/null +++ b/scheme/cca-realm-provisioning/classattributes.go @@ -0,0 +1,52 @@ +// Copyright 2022-2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package cca_realm_provisioning + +import ( + "errors" + "fmt" + + "github.com/veraison/corim/comid" + "github.com/veraison/services/log" +) + +type ClassAttributes struct { + UUID string + Vendor string +} + +// extract class variables from environment +func (o *ClassAttributes) FromEnvironment(e comid.Environment) error { + class := e.Class + + if class == nil { + log.Debug("no class in the environment") + return nil + } + + classID := class.ClassID + + if classID == nil { + log.Debug("no classID in the environment") + } + if classID != nil { + uuID, err := classID.GetUUID() + if err != nil { + return fmt.Errorf("could not extract uu-id from class-id: %w", err) + } + + if err := uuID.Valid(); err != nil { + return fmt.Errorf("no valid uu-id: %w", err) + } + + o.UUID = uuID.String() + } + + if class.Vendor != nil { + o.Vendor = *class.Vendor + } else { + return errors.New("class is neither UUID or Vendor Name") + } + + return nil +} diff --git a/scheme/cca-realm-provisioning/corim_extractor.go b/scheme/cca-realm-provisioning/corim_extractor.go new file mode 100644 index 00000000..c484523b --- /dev/null +++ b/scheme/cca-realm-provisioning/corim_extractor.go @@ -0,0 +1,89 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package cca_realm_provisioning + +import ( + "encoding/json" + "fmt" + + "github.com/veraison/corim/comid" + "github.com/veraison/services/handler" +) + +type CorimExtractor struct{} + +func (o CorimExtractor) RefValExtractor( + rv comid.ReferenceValue, +) ([]*handler.Endorsement, error) { + var classAttrs ClassAttributes + var instAttrs InstanceAttributes + + if err := classAttrs.FromEnvironment(rv.Environment); err != nil { + return nil, fmt.Errorf("could not extract Realm class attributes: %w", err) + } + + if err := instAttrs.FromEnvironment(rv.Environment); err != nil { + return nil, fmt.Errorf("could not extract Realm instance attributes: %w", err) + } + + // Each measurement is encoded in a measurement-map of a CoMID + // reference-triple-record. Since a measurement-map can encode one or more + // measurements, a single reference-triple-record can carry as many + // measurements as needed. However for Realm Instance, only one measurement + // record is set, with both the "rim" & "rem" measurements carried in an + // integrity register + refVals := make([]*handler.Endorsement, 0, len(rv.Measurements)) + + var refVal *handler.Endorsement + for _, m := range rv.Measurements { + var rAttr RealmAttributes + if err := rAttr.FromMeasurement(m); err != nil { + return nil, fmt.Errorf("unable to extract realm reference attributes from measurement: %w", err) + } + refAttrs, err := makeRefValAttrs(&classAttrs, &instAttrs, &rAttr) + if err != nil { + return nil, fmt.Errorf("unable to make reference attributes: %w", err) + } + refVal = &handler.Endorsement{ + Scheme: "CCA_REALM", + Type: handler.EndorsementType_REFERENCE_VALUE, + Attributes: refAttrs, + } + refVals = append(refVals, refVal) + } + + if len(refVals) == 0 { + return nil, fmt.Errorf("no measurements found") + } + + return refVals, nil +} + +func makeRefValAttrs(cAttr *ClassAttributes, + iAttr *InstanceAttributes, + rAttr *RealmAttributes) (json.RawMessage, error) { + + var attrs = map[string]interface{}{ + "CCA_REALM.vendor": cAttr.Vendor, + "CCA_REALM-class-id": cAttr.UUID, + "CCA_REALM-instance-id": rAttr.Rim, + "CCA_REALM.hash-alg-id": rAttr.HashAlgID, + "CCA_REALM.rim": rAttr.Rim, + "CCA_REALM.rem0": rAttr.Rem[0], + "CCA_REALM.rem1": rAttr.Rem[1], + "CCA_REALM.rem2": rAttr.Rem[2], + "CCA_REALM.rem3": rAttr.Rem[3], + } + + data, err := json.Marshal(attrs) + if err != nil { + return nil, fmt.Errorf("unable to marshal reference value attributes: %w", err) + } + return data, nil +} + +func (o CorimExtractor) TaExtractor( + avk comid.AttestVerifKey, +) (*handler.Endorsement, error) { + return nil, fmt.Errorf("cca realm endorsements does not have a Trust Anchor") +} diff --git a/scheme/cca-realm-provisioning/corim_test_vectors.go b/scheme/cca-realm-provisioning/corim_test_vectors.go new file mode 100644 index 00000000..ca8bb5eb --- /dev/null +++ b/scheme/cca-realm-provisioning/corim_test_vectors.go @@ -0,0 +1,127 @@ +// Copyright 2022-2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 + +package cca_realm_provisioning + +// automatically generated from: +// comidCcaRealm.json and corimCcaRealm.json +var unsignedCorimcomidCcaRealm = ` +a500505c57e8f446cd421b91c908cf93e13cfc01815901eed901faa40065 +656e2d474201a1005043bbe37f2e614b33aed353cff1428b160281a30074 +576f726b6c6f616420436c69656e74204c74642e01d820781e6874747073 +3a2f2f776f726b6c6f6164636c69656e742e6578616d706c650283000102 +04a1008182a200a200d82550cd1f0e5526f9460db9d8f7fde171787c0173 +576f726b6c6f616420436c69656e74204c746401d9023058304284b5694c +a6c0d2cf4789a0b95ac8025c818de52304364be7cd2981b2d2edc685b322 +277ec25819962413d8c9b2c1f581a101a10ea56372696d81820758304284 +b5694ca6c0d2cf4789a0b95ac8025c818de52304364be7cd2981b2d2edc6 +85b322277ec25819962413d8c9b2c1f56472656d3081820758302107bbe7 +61fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615ab +f6514cf35e5a9ea55a032d068a786472656d3181820758302507bbe761fc +a52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615abf651 +4cf35e5a9ea55a032d068a786472656d3281820758303107bbe761fca52d +95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615abf6514cf3 +5e5a9ea55a032d068a786472656d3381820758303507bbe761fca52d9513 +6a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615abf6514cf35e5a +9ea55a032d068a780381781a687474703a2f2f61726d2e636f6d2f636361 +2f7265616c6d2f3104a200c11a61ce480001c11a695467800581a3006941 +434d45204c74642e01d8206c61636d652e6578616d706c65028101 +` + +// automatically generated from: +// comidCcaRealmNoClass.json and corimCcaRealm.json +var unsignedCorimcomidCcaRealmNoClass = ` +a500505c57e8f446cd421b91c908cf93e13cfc01815901c3d901faa40065 +656e2d474201a1005043bbe37f2e614b33aed353cff1428b160281a30074 +576f726b6c6f616420436c69656e74204c74642e01d820781e6874747073 +3a2f2f776f726b6c6f6164636c69656e742e6578616d706c650283000102 +04a1008182a101d9023058304284b5694ca6c0d2cf4789a0b95ac8025c81 +8de52304364be7cd2981b2d2edc685b322277ec25819962413d8c9b2c1f5 +81a101a10ea56372696d81820758304284b5694ca6c0d2cf4789a0b95ac8 +025c818de52304364be7cd2981b2d2edc685b322277ec25819962413d8c9 +b2c1f56472656d3081820758302107bbe761fca52d95136a1354db7a4dd5 +7b1b26be0d3da71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a +786472656d3181820758302507bbe761fca52d95136a1354db7a4dd57b1b +26be0d3da71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a7864 +72656d3281820758303107bbe761fca52d95136a1354db7a4dd57b1b26be +0d3da71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a78647265 +6d3381820758303507bbe761fca52d95136a1354db7a4dd57b1b26be0d3d +a71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a780381781a68 +7474703a2f2f61726d2e636f6d2f6363612f7265616c6d2f3104a200c11a +61ce480001c11a695467800581a3006941434d45204c74642e01d8206c61 +636d652e6578616d706c65028101 +` + +// automatically generated from: +// comidCcaRealmNoInstance.json and corimCcaRealm.json +var unsignedCorimcomidCcaRealmNoInstance = ` +a500505c57e8f446cd421b91c908cf93e13cfc01815901b8d901faa40065 +656e2d474201a1005043bbe37f2e614b33aed353cff1428b160281a30074 +576f726b6c6f616420436c69656e74204c74642e01d820781e6874747073 +3a2f2f776f726b6c6f6164636c69656e742e6578616d706c650283000102 +04a1008182a100a200d82550cd1f0e5526f9460db9d8f7fde171787c0173 +576f726b6c6f616420436c69656e74204c746481a101a10ea56372696d81 +820758304284b5694ca6c0d2cf4789a0b95ac8025c818de52304364be7cd +2981b2d2edc685b322277ec25819962413d8c9b2c1f56472656d30818207 +58302107bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb239 +86b34ba615abf6514cf35e5a9ea55a032d068a786472656d318182075830 +2507bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b3 +4ba615abf6514cf35e5a9ea55a032d068a786472656d3281820758303107 +bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba6 +15abf6514cf35e5a9ea55a032d068a786472656d3381820758303507bbe7 +61fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615ab +f6514cf35e5a9ea55a032d068a780381781a687474703a2f2f61726d2e63 +6f6d2f6363612f7265616c6d2f3104a200c11a61ce480001c11a69546780 +0581a3006941434d45204c74642e01d8206c61636d652e6578616d706c65 +028101 +` + +// automatically generated from: +// comidCcaRealmInvalidInstance.json and corimCcaRealm.json +var unsignedCorimcomidCcaRealmInvalidInstance = ` +a500505c57e8f446cd421b91c908cf93e13cfc01815901dfd901faa40065 +656e2d474201a1005043bbe37f2e614b33aed353cff1428b160281a30074 +576f726b6c6f616420436c69656e74204c74642e01d820781e6874747073 +3a2f2f776f726b6c6f6164636c69656e742e6578616d706c650283000102 +04a1008182a200a200d82550cd1f0e5526f9460db9d8f7fde171787c0173 +576f726b6c6f616420436c69656e74204c746401d90226582101ceebae7b +8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f150881a1 +01a10ea56372696d81820758304284b5694ca6c0d2cf4789a0b95ac8025c +818de52304364be7cd2981b2d2edc685b322277ec25819962413d8c9b2c1 +f56472656d3081820758302107bbe761fca52d95136a1354db7a4dd57b1b +26be0d3da71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a7864 +72656d3181820758302507bbe761fca52d95136a1354db7a4dd57b1b26be +0d3da71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a78647265 +6d3281820758303107bbe761fca52d95136a1354db7a4dd57b1b26be0d3d +a71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a786472656d33 +81820758303507bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d +9eb23986b34ba615abf6514cf35e5a9ea55a032d068a780381781a687474 +703a2f2f61726d2e636f6d2f6363612f7265616c6d2f3104a200c11a61ce +480001c11a695467800581a3006941434d45204c74642e01d8206c61636d +652e6578616d706c65028101 +` + +// automatically generated from: +// comidCcaRealmInvalidClass.json and corimCcaRealm.json +var unsignedCorimcomidCcaRealmInvalidClass = ` +a500505c57e8f446cd421b91c908cf93e13cfc01815901f1d901faa40065 +656e2d474201a1005043bbe37f2e614b33aed353cff1428b160281a30074 +576f726b6c6f616420436c69656e74204c74642e01d820781e6874747073 +3a2f2f776f726b6c6f6164636c69656e742e6578616d706c650283000102 +04a1008182a200a200d90258582061636d652d696d706c656d656e746174 +696f6e2d69642d303030303030303031016441434d4501d9023058304284 +b5694ca6c0d2cf4789a0b95ac8025c818de52304364be7cd2981b2d2edc6 +85b322277ec25819962413d8c9b2c1f581a101a10ea56372696d81820758 +304284b5694ca6c0d2cf4789a0b95ac8025c818de52304364be7cd2981b2 +d2edc685b322277ec25819962413d8c9b2c1f56472656d30818207583021 +07bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34b +a615abf6514cf35e5a9ea55a032d068a786472656d3181820758302507bb +e761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615 +abf6514cf35e5a9ea55a032d068a786472656d3281820758303107bbe761 +fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615abf6 +514cf35e5a9ea55a032d068a786472656d3381820758303507bbe761fca5 +2d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615abf6514c +f35e5a9ea55a032d068a780381781a687474703a2f2f61726d2e636f6d2f +6363612f7265616c6d2f3104a200c11a61ce480001c11a695467800581a3 +006941434d45204c74642e01d8206c61636d652e6578616d706c65028101 +` diff --git a/scheme/cca-realm-provisioning/endorsement_handler.go b/scheme/cca-realm-provisioning/endorsement_handler.go new file mode 100644 index 00000000..d68f09d6 --- /dev/null +++ b/scheme/cca-realm-provisioning/endorsement_handler.go @@ -0,0 +1,34 @@ +// Copyright 2022-2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package cca_realm_provisioning + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/scheme/common" +) + +type EndorsementHandler struct{} + +func (o EndorsementHandler) Init(params handler.EndorsementHandlerParams) error { + return nil // no-op +} + +func (o EndorsementHandler) Close() error { + return nil // no-op +} + +func (o EndorsementHandler) GetName() string { + return "unsigned-corim (CCA realm profile)" +} + +func (o EndorsementHandler) GetAttestationScheme() string { + return SchemeName +} + +func (o EndorsementHandler) GetSupportedMediaTypes() []string { + return EndorsementMediaTypes +} + +func (o EndorsementHandler) Decode(data []byte) (*handler.EndorsementHandlerResponse, error) { + return common.UnsignedCorimDecoder(data, &CorimExtractor{}) +} diff --git a/scheme/cca-realm-provisioning/endorsement_handler_test.go b/scheme/cca-realm-provisioning/endorsement_handler_test.go new file mode 100644 index 00000000..9a5ceaf7 --- /dev/null +++ b/scheme/cca-realm-provisioning/endorsement_handler_test.go @@ -0,0 +1,119 @@ +// Copyright 2022-2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package cca_realm_provisioning + +import ( + "testing" + + "github.com/stretchr/testify/assert" + "github.com/veraison/corim/comid" +) + +func TestDecoder_Decode_OK(t *testing.T) { + tvs := []string{ + unsignedCorimcomidCcaRealm, + unsignedCorimcomidCcaRealmNoClass, + } + + d := &EndorsementHandler{} + + for _, tv := range tvs { + data := comid.MustHexDecode(t, tv) + _, err := d.Decode(data) + assert.NoError(t, err) + } +} + +func TestDecoder_Decode_negative_tests(t *testing.T) { + tvs := []struct { + desc string + input string + expectedErr string + }{ + { + desc: "no realm instance identity in corim", + input: unsignedCorimcomidCcaRealmNoInstance, + expectedErr: "bad software component in CoMID at index 0: could not extract Realm instance attributes: expecting instance in environment", + }, + { + desc: "invalid instance identity in corim", + input: unsignedCorimcomidCcaRealmInvalidInstance, + expectedErr: "bad software component in CoMID at index 0: could not extract Realm instance attributes: expecting instance as bytes for CCA Realm", + }, + { + desc: "invalid class identity in corim", + input: unsignedCorimcomidCcaRealmInvalidClass, + expectedErr: "bad software component in CoMID at index 0: could not extract Realm class attributes: could not extract uu-id from class-id: class-id type is: *comid.TaggedImplID", + }, + } + + for _, tv := range tvs { + data := comid.MustHexDecode(t, tv.input) + d := &EndorsementHandler{} + _, err := d.Decode(data) + assert.EqualError(t, err, tv.expectedErr) + } +} + +func TestDecoder_GetAttestationScheme(t *testing.T) { + d := &EndorsementHandler{} + + expected := SchemeName + + actual := d.GetAttestationScheme() + + assert.Equal(t, expected, actual) +} + +func TestDecoder_GetSupportedMediaTypes(t *testing.T) { + d := &EndorsementHandler{} + + expected := EndorsementMediaTypes + + actual := d.GetSupportedMediaTypes() + + assert.Equal(t, expected, actual) +} + +func TestDecoder_Init(t *testing.T) { + d := &EndorsementHandler{} + + assert.Nil(t, d.Init(nil)) +} + +func TestDecoder_Close(t *testing.T) { + d := &EndorsementHandler{} + + assert.Nil(t, d.Close()) +} + +func TestDecoder_GetName_ok(t *testing.T) { + d := &EndorsementHandler{} + expectedName := "unsigned-corim (CCA realm profile)" + name := d.GetName() + assert.Equal(t, name, expectedName) +} + +func TestDecoder_Decode_empty_data(t *testing.T) { + d := &EndorsementHandler{} + + emptyData := []byte{} + + expectedErr := `empty data` + + _, err := d.Decode(emptyData) + + assert.EqualError(t, err, expectedErr) +} + +func TestDecoder_Decode_invalid_data(t *testing.T) { + d := &EndorsementHandler{} + + invalidCbor := []byte("invalid CBOR") + + expectedErr := `CBOR decoding failed: expected map (CBOR Major Type 5), found Major Type 3` + + _, err := d.Decode(invalidCbor) + + assert.EqualError(t, err, expectedErr) +} diff --git a/scheme/cca-realm-provisioning/instanceattributes.go b/scheme/cca-realm-provisioning/instanceattributes.go new file mode 100644 index 00000000..dc154135 --- /dev/null +++ b/scheme/cca-realm-provisioning/instanceattributes.go @@ -0,0 +1,29 @@ +// Copyright 2022-2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package cca_realm_provisioning + +import ( + "errors" + + "github.com/veraison/corim/comid" +) + +type InstanceAttributes struct { + InstID string +} + +func (o *InstanceAttributes) FromEnvironment(e comid.Environment) error { + var err error + + if e.Instance == nil { + return errors.New("expecting instance in environment") + } + + if e.Instance.Type() != "bytes" { + return errors.New("expecting instance as bytes for CCA Realm") + } + b := e.Instance.Bytes() + + o.InstID = string(b) + return err +} diff --git a/scheme/cca-realm-provisioning/plugin/Makefile b/scheme/cca-realm-provisioning/plugin/Makefile new file mode 100644 index 00000000..598a498a --- /dev/null +++ b/scheme/cca-realm-provisioning/plugin/Makefile @@ -0,0 +1,10 @@ + +ifndef COMBINED_PLUGINS + SUBDIR += endorsement-handler + SUBDIR += store-handler +else + SUBDIR += combined +endif + +include ../../../mk/common.mk +include ../../../mk/subdir.mk \ No newline at end of file diff --git a/scheme/cca-realm-provisioning/plugin/combined/Makefile b/scheme/cca-realm-provisioning/plugin/combined/Makefile new file mode 100644 index 00000000..38179414 --- /dev/null +++ b/scheme/cca-realm-provisioning/plugin/combined/Makefile @@ -0,0 +1,11 @@ +# Copyright 2024 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../../../bin/cca-realm.plugin +GOPKG := github.com/veraison/services/scheme/cca-realm-provisioning +SRCS := main.go + +include ../../../../mk/common.mk +include ../../../../mk/plugin.mk +include ../../../../mk/lint.mk +include ../../../../mk/test.mk diff --git a/scheme/cca-realm-provisioning/plugin/combined/main.go b/scheme/cca-realm-provisioning/plugin/combined/main.go new file mode 100644 index 00000000..95dadb9d --- /dev/null +++ b/scheme/cca-realm-provisioning/plugin/combined/main.go @@ -0,0 +1,14 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package main + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/plugin" + scheme "github.com/veraison/services/scheme/cca-realm-provisioning" +) + +func main() { + handler.RegisterEndorsementHandler(&scheme.EndorsementHandler{}) + plugin.Serve() +} diff --git a/scheme/cca-realm-provisioning/plugin/endorsement-handler/Makefile b/scheme/cca-realm-provisioning/plugin/endorsement-handler/Makefile new file mode 100644 index 00000000..f6f2f6da --- /dev/null +++ b/scheme/cca-realm-provisioning/plugin/endorsement-handler/Makefile @@ -0,0 +1,11 @@ +# Copyright 2024 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../../../bin/cca-realm-endorsement-handler.plugin +GOPKG := github.com/veraison/services/scheme/cca-realm-provisioning +SRCS := main.go + +include ../../../../mk/common.mk +include ../../../../mk/plugin.mk +include ../../../../mk/lint.mk +include ../../../../mk/test.mk diff --git a/scheme/cca-realm-provisioning/plugin/endorsement-handler/main.go b/scheme/cca-realm-provisioning/plugin/endorsement-handler/main.go new file mode 100644 index 00000000..552fc7e4 --- /dev/null +++ b/scheme/cca-realm-provisioning/plugin/endorsement-handler/main.go @@ -0,0 +1,14 @@ +// Copyright 2022-2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package main + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/plugin" + scheme "github.com/veraison/services/scheme/cca-realm-provisioning" +) + +func main() { + handler.RegisterEndorsementHandler(&scheme.EndorsementHandler{}) + plugin.Serve() +} diff --git a/scheme/cca-realm-provisioning/plugin/store-handler/Makefile b/scheme/cca-realm-provisioning/plugin/store-handler/Makefile new file mode 100644 index 00000000..28d5d4a2 --- /dev/null +++ b/scheme/cca-realm-provisioning/plugin/store-handler/Makefile @@ -0,0 +1,11 @@ +# Copyright 2024 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +PLUGIN := ../../../bin/cca-realm-store-handler.plugin +GOPKG := github.com/veraison/services/scheme/cca-realm-provisioning +SRCS := main.go + +include ../../../../mk/common.mk +include ../../../../mk/plugin.mk +include ../../../../mk/lint.mk +include ../../../../mk/test.mk diff --git a/scheme/cca-realm-provisioning/plugin/store-handler/main.go b/scheme/cca-realm-provisioning/plugin/store-handler/main.go new file mode 100644 index 00000000..56bde9c0 --- /dev/null +++ b/scheme/cca-realm-provisioning/plugin/store-handler/main.go @@ -0,0 +1,14 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package main + +import ( + "github.com/veraison/services/handler" + "github.com/veraison/services/plugin" + scheme "github.com/veraison/services/scheme/cca-realm-provisioning" +) + +func main() { + handler.RegisterStoreHandler(&scheme.StoreHandler{}) + plugin.Serve() +} diff --git a/scheme/cca-realm-provisioning/realmattributes.go b/scheme/cca-realm-provisioning/realmattributes.go new file mode 100644 index 00000000..9a6eb64a --- /dev/null +++ b/scheme/cca-realm-provisioning/realmattributes.go @@ -0,0 +1,81 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package cca_realm_provisioning + +import ( + "errors" + "fmt" + "strings" + + "github.com/veraison/corim/comid" +) + +type RealmAttributes struct { + Rim []byte + Rem [4][]byte + HashAlgID string +} + +func (o *RealmAttributes) FromMeasurement(m comid.Measurement) error { + if err := o.extractRegisterIndexes(m.Val.IntegrityRegisters); err != nil { + return fmt.Errorf("extracting measurement: %w", err) + } + + return nil +} + +func (o *RealmAttributes) extractRealmDigest(digests comid.Digests) (algID string, hash []byte, err error) { + + if err := digests.Valid(); err != nil { + return "", nil, fmt.Errorf("invalid digest: %v", err) + } + if len(digests) != 1 { + return "", nil, fmt.Errorf("invalid number %d for digest", len(digests)) + } + + return digests[0].AlgIDToString(), digests[0].HashValue, nil +} + +func (o *RealmAttributes) extractRegisterIndexes(r *comid.IntegrityRegisters) error { + for k, val := range r.M { + a, d, err := o.extractRealmDigest(val) + if err != nil { + return errors.New("unable to extract digest for ") + } + switch t := k.(type) { + case string: + key := strings.ToLower(t) + if !o.isCompatibleAlgID(a) { + return fmt.Errorf("incompatible AlgID %s for key %s", a, key) + } + switch key { + case "rim": + o.HashAlgID = a + o.Rim = d + case "rem0": + o.Rem[0] = d + case "rem1": + o.Rem[1] = d + case "rem2": + o.Rem[2] = d + case "rem3": + o.Rem[3] = d + default: + return fmt.Errorf("unexpected register index: %s", key) + } + default: + return fmt.Errorf("unexpected type for index: %T", t) + } + } + return nil +} + +func (o RealmAttributes) isCompatibleAlgID(hashAlgID string) bool { + compatible := true + if o.HashAlgID != "" { + if hashAlgID != o.HashAlgID { + compatible = false + } + } + return compatible +} diff --git a/scheme/cca-realm-provisioning/scheme.go b/scheme/cca-realm-provisioning/scheme.go new file mode 100644 index 00000000..67a33a65 --- /dev/null +++ b/scheme/cca-realm-provisioning/scheme.go @@ -0,0 +1,11 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package cca_realm_provisioning + +const SchemeName = "CCA_REALM" + +var ( + EndorsementMediaTypes = []string{ + "application/corim-unsigned+cbor; profile=http://arm.com/cca/realm/1", + } +) diff --git a/scheme/cca-realm-provisioning/store_handler.go b/scheme/cca-realm-provisioning/store_handler.go new file mode 100644 index 00000000..88385a45 --- /dev/null +++ b/scheme/cca-realm-provisioning/store_handler.go @@ -0,0 +1,78 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 + +package cca_realm_provisioning + +import ( + "fmt" + "net/url" + "strings" + + "github.com/veraison/services/handler" + "github.com/veraison/services/log" + "github.com/veraison/services/proto" + "github.com/veraison/services/scheme/common" +) + +type StoreHandler struct{} + +type RealmAttr struct { + ClassID string `json:"CCA_REALM.class-id"` + Vendor string `json:"CCA_REALM.vendor"` + Instance string `json:"CCA_REALM.inst-id"` + HashAlgID string `json:"CCA_REALM.hash-alg-id"` + MeasurementValue [5][]byte `json:"CCA_REALM.measurements"` +} + +func (s StoreHandler) GetName() string { + return "cca-realm-store-handler" +} + +func (s StoreHandler) GetAttestationScheme() string { + return SchemeName +} + +func (s StoreHandler) GetSupportedMediaTypes() []string { + return nil +} + +func (s StoreHandler) SynthKeysFromRefValue( + tenantID string, + refVal *handler.Endorsement, +) ([]string, error) { + + instID, err := common.GetInstID(SchemeName, refVal.Attributes) + if err != nil { + return nil, fmt.Errorf("unable to synthesize reference value abs-path: %w", err) + } + + lookupKey := RefValLookupKey(SchemeName, tenantID, instID) + log.Debugf("Scheme %s Plugin TA Look Up Key= %s\n", SchemeName, lookupKey) + return []string{lookupKey}, nil + +} + +func RefValLookupKey(schemeName, tenantID, instID string) string { + absPath := []string{instID} + + u := url.URL{ + Scheme: schemeName, + Host: tenantID, + Path: strings.Join(absPath, "/"), + } + + return u.String() +} + +func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) { + + return nil, fmt.Errorf("unexpected SynthKeysFromTrustAnchor() invocation for scheme: %s", SchemeName) +} + +func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error) { + return nil, fmt.Errorf("unexpected GetTrustAnchorIDs() invocation for scheme: %s", SchemeName) +} + +func (s StoreHandler) GetRefValueIDs(tenantID string, trustAnchors []string, claims map[string]interface{}) ([]string, error) { + return nil, fmt.Errorf("unexpected GetRefValueIDs() invocation for scheme: %s", SchemeName) +} diff --git a/scheme/cca-realm-provisioning/store_handler_test.go b/scheme/cca-realm-provisioning/store_handler_test.go new file mode 100644 index 00000000..5d90df75 --- /dev/null +++ b/scheme/cca-realm-provisioning/store_handler_test.go @@ -0,0 +1,65 @@ +// Copyright 2021-2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 + +package cca_realm_provisioning + +import ( + "encoding/json" + "os" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + "github.com/veraison/services/handler" +) + +func Test_GetName_ok(t *testing.T) { + expectedName := "cca-realm-store-handler" + handler := &StoreHandler{} + name := handler.GetName() + assert.Equal(t, expectedName, name) +} + +func Test_GetAttestationScheme(t *testing.T) { + expectedScheme := "CCA_REALM" + handler := &StoreHandler{} + name := handler.GetAttestationScheme() + assert.Equal(t, expectedScheme, name) +} + +func Test_GetSupportedMediaTypes(t *testing.T) { + handler := &StoreHandler{} + mt := handler.GetSupportedMediaTypes() + assert.Nil(t, mt) +} + +func Test_SynthKeysFromTrustAnchor_nok(t *testing.T) { + scheme := &StoreHandler{} + expectedErr := "unexpected SynthKeysFromTrustAnchor() invocation for scheme: CCA_REALM" + _, err := scheme.SynthKeysFromTrustAnchor("1", nil) + assert.NotNil(t, err) + assert.EqualError(t, err, expectedErr) +} + +func Test_GetTrustAnchorID_nok(t *testing.T) { + scheme := &StoreHandler{} + expectedErr := "unexpected GetTrustAnchorIDs() invocation for scheme: CCA_REALM" + _, err := scheme.GetTrustAnchorIDs(nil) + assert.NotNil(t, err) + assert.EqualError(t, err, expectedErr) +} + +func Test_SynthKeysFromRefValue_ok(t *testing.T) { + endorsementsBytes, err := os.ReadFile("test/store/refvalEndorsements.json") + require.NoError(t, err) + + var endors handler.Endorsement + err = json.Unmarshal(endorsementsBytes, &endors) + require.NoError(t, err) + expectedKey := "CCA_REALM://1/QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" + + scheme := &StoreHandler{} + key_list, err := scheme.SynthKeysFromRefValue("1", &endors) + require.NoError(t, err) + assert.Equal(t, expectedKey, key_list[0]) +} diff --git a/scheme/cca-realm-provisioning/test/corim/Makefile b/scheme/cca-realm-provisioning/test/corim/Makefile new file mode 100644 index 00000000..104ebcfc --- /dev/null +++ b/scheme/cca-realm-provisioning/test/corim/Makefile @@ -0,0 +1,10 @@ +OUTPUT := ../../corim_test_vectors.go + +DEPS := $(wildcard Comid*.json) + +all: $(OUTPUT) + +$(OUTPUT): $(DEPS) + env TV_DOT_GO=$(OUTPUT) ./build-test-vectors.sh + +clean: ; $(RM) -f *.cbor \ No newline at end of file diff --git a/scheme/cca-realm-provisioning/test/corim/build-test-vectors.sh b/scheme/cca-realm-provisioning/test/corim/build-test-vectors.sh new file mode 100755 index 00000000..2e9e027d --- /dev/null +++ b/scheme/cca-realm-provisioning/test/corim/build-test-vectors.sh @@ -0,0 +1,43 @@ +#!/bin/bash +# Copyright 2022-2024 Contributors to the Veraison project. +# SPDX-License-Identifier: Apache-2.0 + +set -eu +set -o pipefail + +# function generate_go_test_vector constructs CBOR test vector using +# supplied comid and corim json template and saves them in a file +# $1 file name for comid json template, example one of COMID_TEMPLATES +# $2 file name for corim json template, example CORIM_TEMPLATE +# $3 a qualifier for each cbor test vector name +# $4 name of the file where the generated CBOR test vectors are aggregated +generate_go_test_vector () { + echo "generating test vector using $1 $2" + cocli comid create -t $1.json + cocli corim create -m $1.cbor -t $2 -o corim$1.cbor + echo "// automatically generated from:" >> $4 + echo "// $1.json and $2" >> $4 + echo "var $3$1 = "'`' >> $4 + cat corim$1.cbor | xxd -p >> $4 + echo '`' >> $4 +} + +CORIM_TEMPLATE="corimCcaRealm.json" + +COMID_TEMPLATES= +COMID_TEMPLATES="${COMID_TEMPLATES} comidCcaRealm" +COMID_TEMPLATES="${COMID_TEMPLATES} comidCcaRealmNoClass" +COMID_TEMPLATES="${COMID_TEMPLATES} comidCcaRealmNoInstance" +COMID_TEMPLATES="${COMID_TEMPLATES} comidCcaRealmInvalidInstance" +COMID_TEMPLATES="${COMID_TEMPLATES} comidCcaRealmInvalidClass" + +TV_DOT_GO=${TV_DOT_GO?must be set in the environment.} + +printf "package cca_realm\n\n" > ${TV_DOT_GO} + +for t in ${COMID_TEMPLATES} +do + generate_go_test_vector $t $CORIM_TEMPLATE "unsignedCorim" $TV_DOT_GO +done + +gofmt -w $TV_DOT_GO diff --git a/scheme/cca-realm-provisioning/test/corim/comidCcaRealm.json b/scheme/cca-realm-provisioning/test/corim/comidCcaRealm.json new file mode 100644 index 00000000..965d9fd2 --- /dev/null +++ b/scheme/cca-realm-provisioning/test/corim/comidCcaRealm.json @@ -0,0 +1,75 @@ +{ + "lang": "en-GB", + "tag-identity": { + "id": "43BBE37F-2E61-4B33-AED3-53CFF1428B16", + "version": 0 + }, + "entities": [ + { + "name": "Workload Client Ltd.", + "regid": "https://workloadclient.example", + "roles": [ + "tagCreator", + "creator", + "maintainer" + ] + } + ], + "triples": { + "reference-values": [ + { + "environment": { + "class": { + "id": { + "type": "uuid", + "value": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C" + }, + "vendor": "Workload Client Ltd" + }, + "instance": { + "type": "bytes", + "value": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" + } + }, + "measurements": [ + { + "value": { + "integrity-registers": { + "rim": { + "key-type": "text", + "value": [ + "sha-384;QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" + ] + }, + "rem0": { + "key-type": "text", + "value": [ + "sha-384;IQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem1": { + "key-type": "text", + "value": [ + "sha-384;JQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem2": { + "key-type": "text", + "value": [ + "sha-384;MQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem3": { + "key-type": "text", + "value": [ + "sha-384;NQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + } + } + } + } + ] + } + ] + } +} \ No newline at end of file diff --git a/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidClass.json b/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidClass.json new file mode 100644 index 00000000..27479678 --- /dev/null +++ b/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidClass.json @@ -0,0 +1,75 @@ +{ + "lang": "en-GB", + "tag-identity": { + "id": "43BBE37F-2E61-4B33-AED3-53CFF1428B16", + "version": 0 + }, + "entities": [ + { + "name": "Workload Client Ltd.", + "regid": "https://workloadclient.example", + "roles": [ + "tagCreator", + "creator", + "maintainer" + ] + } + ], + "triples": { + "reference-values": [ + { + "environment": { + "class": { + "id": { + "type": "psa.impl-id", + "value": "YWNtZS1pbXBsZW1lbnRhdGlvbi1pZC0wMDAwMDAwMDE=" + }, + "vendor": "ACME" + }, + "instance": { + "type": "bytes", + "value": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" + } + }, + "measurements": [ + { + "value": { + "integrity-registers": { + "rim": { + "key-type": "text", + "value": [ + "sha-384;QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" + ] + }, + "rem0": { + "key-type": "text", + "value": [ + "sha-384;IQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem1": { + "key-type": "text", + "value": [ + "sha-384;JQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem2": { + "key-type": "text", + "value": [ + "sha-384;MQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem3": { + "key-type": "text", + "value": [ + "sha-384;NQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + } + } + } + } + ] + } + ] + } +} \ No newline at end of file diff --git a/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidInstance.json b/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidInstance.json new file mode 100644 index 00000000..f451e5be --- /dev/null +++ b/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidInstance.json @@ -0,0 +1,75 @@ +{ + "lang": "en-GB", + "tag-identity": { + "id": "43BBE37F-2E61-4B33-AED3-53CFF1428B16", + "version": 0 + }, + "entities": [ + { + "name": "Workload Client Ltd.", + "regid": "https://workloadclient.example", + "roles": [ + "tagCreator", + "creator", + "maintainer" + ] + } + ], + "triples": { + "reference-values": [ + { + "environment": { + "class": { + "id": { + "type": "uuid", + "value": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C" + }, + "vendor": "Workload Client Ltd" + }, + "instance": { + "type": "ueid", + "value": "Ac7rrnuJJ6MiflMDz14PH3s0u1Qq1yUKwD+83jbsLxUI" + } + }, + "measurements": [ + { + "value": { + "integrity-registers": { + "rim": { + "key-type": "text", + "value": [ + "sha-384;QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" + ] + }, + "rem0": { + "key-type": "text", + "value": [ + "sha-384;IQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem1": { + "key-type": "text", + "value": [ + "sha-384;JQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem2": { + "key-type": "text", + "value": [ + "sha-384;MQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem3": { + "key-type": "text", + "value": [ + "sha-384;NQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + } + } + } + } + ] + } + ] + } +} \ No newline at end of file diff --git a/scheme/cca-realm-provisioning/test/corim/comidCcaRealmNoClass.json b/scheme/cca-realm-provisioning/test/corim/comidCcaRealmNoClass.json new file mode 100644 index 00000000..9324d73e --- /dev/null +++ b/scheme/cca-realm-provisioning/test/corim/comidCcaRealmNoClass.json @@ -0,0 +1,68 @@ +{ + "lang": "en-GB", + "tag-identity": { + "id": "43BBE37F-2E61-4B33-AED3-53CFF1428B16", + "version": 0 + }, + "entities": [ + { + "name": "Workload Client Ltd.", + "regid": "https://workloadclient.example", + "roles": [ + "tagCreator", + "creator", + "maintainer" + ] + } + ], + "triples": { + "reference-values": [ + { + "environment": { + "instance": { + "type": "bytes", + "value": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" + } + }, + "measurements": [ + { + "value": { + "integrity-registers": { + "rim": { + "key-type": "text", + "value": [ + "sha-384;QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" + ] + }, + "rem0": { + "key-type": "text", + "value": [ + "sha-384;IQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem1": { + "key-type": "text", + "value": [ + "sha-384;JQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem2": { + "key-type": "text", + "value": [ + "sha-384;MQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem3": { + "key-type": "text", + "value": [ + "sha-384;NQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + } + } + } + } + ] + } + ] + } +} \ No newline at end of file diff --git a/scheme/cca-realm-provisioning/test/corim/comidCcaRealmNoInstance.json b/scheme/cca-realm-provisioning/test/corim/comidCcaRealmNoInstance.json new file mode 100644 index 00000000..0e32cc81 --- /dev/null +++ b/scheme/cca-realm-provisioning/test/corim/comidCcaRealmNoInstance.json @@ -0,0 +1,71 @@ +{ + "lang": "en-GB", + "tag-identity": { + "id": "43BBE37F-2E61-4B33-AED3-53CFF1428B16", + "version": 0 + }, + "entities": [ + { + "name": "Workload Client Ltd.", + "regid": "https://workloadclient.example", + "roles": [ + "tagCreator", + "creator", + "maintainer" + ] + } + ], + "triples": { + "reference-values": [ + { + "environment": { + "class": { + "id": { + "type": "uuid", + "value": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C" + }, + "vendor": "Workload Client Ltd" + } + }, + "measurements": [ + { + "value": { + "integrity-registers": { + "rim": { + "key-type": "text", + "value": [ + "sha-384;QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" + ] + }, + "rem0": { + "key-type": "text", + "value": [ + "sha-384;IQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem1": { + "key-type": "text", + "value": [ + "sha-384;JQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem2": { + "key-type": "text", + "value": [ + "sha-384;MQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + }, + "rem3": { + "key-type": "text", + "value": [ + "sha-384;NQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + ] + } + } + } + } + ] + } + ] + } +} \ No newline at end of file diff --git a/scheme/cca-realm-provisioning/test/corim/corimCcaRealm.json b/scheme/cca-realm-provisioning/test/corim/corimCcaRealm.json new file mode 100644 index 00000000..8dfd86d0 --- /dev/null +++ b/scheme/cca-realm-provisioning/test/corim/corimCcaRealm.json @@ -0,0 +1,19 @@ +{ + "corim-id": "5c57e8f4-46cd-421b-91c9-08cf93e13cfc", + "profiles": [ + "http://arm.com/cca/realm/1" + ], + "validity": { + "not-before": "2021-12-31T00:00:00Z", + "not-after": "2025-12-31T00:00:00Z" + }, + "entities": [ + { + "name": "ACME Ltd.", + "regid": "acme.example", + "roles": [ + "manifestCreator" + ] + } + ] +} \ No newline at end of file diff --git a/scheme/cca-realm-provisioning/test/store/refvalEndorsements.json b/scheme/cca-realm-provisioning/test/store/refvalEndorsements.json new file mode 100644 index 00000000..b53685a1 --- /dev/null +++ b/scheme/cca-realm-provisioning/test/store/refvalEndorsements.json @@ -0,0 +1,27 @@ +{ + "scheme": "CCA_REALM", + "type": "REFERENCE_VALUE", + "attributes": { + "CCA_REALM.vendor": "Worload Client Ltd", + "CCA_REALM.class-id": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C", + "CCA_REALM.inst-id": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1", + "CCA_REALM.hash-alg-id": "sha-384", + "CCA_REALM.measurements": [ + { + "rim": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" + }, + { + "rem0": "IQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + }, + { + "rem1": "JQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + }, + { + "rem2": "MQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + }, + { + "rem3": "NQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + } + ] + } +} \ No newline at end of file From e4afbd17eae254e384b675de401229f1ad7bedd0 Mon Sep 17 00:00:00 2001 From: Yogesh Deshpande Date: Wed, 15 May 2024 18:36:06 +0100 Subject: [PATCH 2/7] Incorporating some review comments Signed-off-by: Yogesh Deshpande --- scheme/cca-realm-provisioning/README.md | 4 ++-- .../cca-realm-provisioning/classattributes.go | 11 ++++----- .../cca-realm-provisioning/corim_extractor.go | 24 +++++++++---------- .../corim_test_vectors.go | 2 +- .../endorsement_handler.go | 2 +- .../endorsement_handler_test.go | 2 +- .../instanceattributes.go | 2 +- 7 files changed, 23 insertions(+), 24 deletions(-) diff --git a/scheme/cca-realm-provisioning/README.md b/scheme/cca-realm-provisioning/README.md index ce1d43ed..11ee34fb 100644 --- a/scheme/cca-realm-provisioning/README.md +++ b/scheme/cca-realm-provisioning/README.md @@ -10,9 +10,9 @@ used to launch a Realm. "scheme": "CCA_REALM", "type": "REFERENCE_VALUE", "attributes": { - "CCA_REALM.vendor": "Worload Client Ltd", + "CCA_REALM.vendor": "Workload Client Ltd", "CCA_REALM.class-id": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C", - "CCA_REALM.inst-id": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1", + "CCA_REALM-realm-initial-measurement": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1", "CCA_REALM.hash-alg-id": "sha-384", "CCA_REALM.measurements": [ { diff --git a/scheme/cca-realm-provisioning/classattributes.go b/scheme/cca-realm-provisioning/classattributes.go index b19d7822..ebb9207e 100644 --- a/scheme/cca-realm-provisioning/classattributes.go +++ b/scheme/cca-realm-provisioning/classattributes.go @@ -1,4 +1,4 @@ -// Copyright 2022-2024 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package cca_realm_provisioning @@ -28,18 +28,17 @@ func (o *ClassAttributes) FromEnvironment(e comid.Environment) error { if classID == nil { log.Debug("no classID in the environment") - } - if classID != nil { - uuID, err := classID.GetUUID() + } else { + UUID, err := classID.GetUUID() if err != nil { return fmt.Errorf("could not extract uu-id from class-id: %w", err) } - if err := uuID.Valid(); err != nil { + if err := UUID.Valid(); err != nil { return fmt.Errorf("no valid uu-id: %w", err) } - o.UUID = uuID.String() + o.UUID = UUID.String() } if class.Vendor != nil { diff --git a/scheme/cca-realm-provisioning/corim_extractor.go b/scheme/cca-realm-provisioning/corim_extractor.go index c484523b..cd22fe12 100644 --- a/scheme/cca-realm-provisioning/corim_extractor.go +++ b/scheme/cca-realm-provisioning/corim_extractor.go @@ -26,11 +26,11 @@ func (o CorimExtractor) RefValExtractor( return nil, fmt.Errorf("could not extract Realm instance attributes: %w", err) } - // Each measurement is encoded in a measurement-map of a CoMID + // Measurements are encoded in a measurement-map of a CoMID // reference-triple-record. Since a measurement-map can encode one or more // measurements, a single reference-triple-record can carry as many - // measurements as needed. However for Realm Instance, only one measurement - // record is set, with both the "rim" & "rem" measurements carried in an + // measurements as needed. Hence for a Realm Instance, all the measurements + // which comprise of both the "rim" & "rem" measurements are carried in an // integrity register refVals := make([]*handler.Endorsement, 0, len(rv.Measurements)) @@ -64,15 +64,15 @@ func makeRefValAttrs(cAttr *ClassAttributes, rAttr *RealmAttributes) (json.RawMessage, error) { var attrs = map[string]interface{}{ - "CCA_REALM.vendor": cAttr.Vendor, - "CCA_REALM-class-id": cAttr.UUID, - "CCA_REALM-instance-id": rAttr.Rim, - "CCA_REALM.hash-alg-id": rAttr.HashAlgID, - "CCA_REALM.rim": rAttr.Rim, - "CCA_REALM.rem0": rAttr.Rem[0], - "CCA_REALM.rem1": rAttr.Rem[1], - "CCA_REALM.rem2": rAttr.Rem[2], - "CCA_REALM.rem3": rAttr.Rem[3], + "CCA_REALM.vendor": cAttr.Vendor, + "CCA_REALM-class-id": cAttr.UUID, + "CCA_REALM-realm-initial-measurement": rAttr.Rim, + "CCA_REALM.hash-alg-id": rAttr.HashAlgID, + "CCA_REALM.rim": rAttr.Rim, + "CCA_REALM.rem0": rAttr.Rem[0], + "CCA_REALM.rem1": rAttr.Rem[1], + "CCA_REALM.rem2": rAttr.Rem[2], + "CCA_REALM.rem3": rAttr.Rem[3], } data, err := json.Marshal(attrs) diff --git a/scheme/cca-realm-provisioning/corim_test_vectors.go b/scheme/cca-realm-provisioning/corim_test_vectors.go index ca8bb5eb..07e9b33c 100644 --- a/scheme/cca-realm-provisioning/corim_test_vectors.go +++ b/scheme/cca-realm-provisioning/corim_test_vectors.go @@ -1,4 +1,4 @@ -// Copyright 2022-2024 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package cca_realm_provisioning diff --git a/scheme/cca-realm-provisioning/endorsement_handler.go b/scheme/cca-realm-provisioning/endorsement_handler.go index d68f09d6..88309317 100644 --- a/scheme/cca-realm-provisioning/endorsement_handler.go +++ b/scheme/cca-realm-provisioning/endorsement_handler.go @@ -1,4 +1,4 @@ -// Copyright 2022-2024 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package cca_realm_provisioning diff --git a/scheme/cca-realm-provisioning/endorsement_handler_test.go b/scheme/cca-realm-provisioning/endorsement_handler_test.go index 9a5ceaf7..6f1068e6 100644 --- a/scheme/cca-realm-provisioning/endorsement_handler_test.go +++ b/scheme/cca-realm-provisioning/endorsement_handler_test.go @@ -1,4 +1,4 @@ -// Copyright 2022-2024 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package cca_realm_provisioning diff --git a/scheme/cca-realm-provisioning/instanceattributes.go b/scheme/cca-realm-provisioning/instanceattributes.go index dc154135..989d94db 100644 --- a/scheme/cca-realm-provisioning/instanceattributes.go +++ b/scheme/cca-realm-provisioning/instanceattributes.go @@ -1,4 +1,4 @@ -// Copyright 2022-2024 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package cca_realm_provisioning From 2abfea9a33d4bc74585d2bf946519e09b247d98e Mon Sep 17 00:00:00 2001 From: Yogesh Deshpande Date: Wed, 15 May 2024 18:39:38 +0100 Subject: [PATCH 3/7] Correcting Copyright Header Template Signed-off-by: Yogesh Deshpande --- .../cca-realm-provisioning/plugin/endorsement-handler/main.go | 2 +- scheme/cca-realm-provisioning/store_handler_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scheme/cca-realm-provisioning/plugin/endorsement-handler/main.go b/scheme/cca-realm-provisioning/plugin/endorsement-handler/main.go index 552fc7e4..95dadb9d 100644 --- a/scheme/cca-realm-provisioning/plugin/endorsement-handler/main.go +++ b/scheme/cca-realm-provisioning/plugin/endorsement-handler/main.go @@ -1,4 +1,4 @@ -// Copyright 2022-2024 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package main diff --git a/scheme/cca-realm-provisioning/store_handler_test.go b/scheme/cca-realm-provisioning/store_handler_test.go index 5d90df75..2331cfd3 100644 --- a/scheme/cca-realm-provisioning/store_handler_test.go +++ b/scheme/cca-realm-provisioning/store_handler_test.go @@ -1,4 +1,4 @@ -// Copyright 2021-2024 Contributors to the Veraison project. +// Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 package cca_realm_provisioning From 0c71082144310a8bb3f2df529de3769c1e3d8981 Mon Sep 17 00:00:00 2001 From: Yogesh Deshpande Date: Thu, 16 May 2024 15:05:07 +0100 Subject: [PATCH 4/7] More review comments! Signed-off-by: Yogesh Deshpande --- .../cca-realm-provisioning/plugin/combined/main.go | 1 + scheme/cca-realm-provisioning/realmattributes.go | 14 +++----------- scheme/cca-realm-provisioning/store_handler.go | 6 +++--- 3 files changed, 7 insertions(+), 14 deletions(-) diff --git a/scheme/cca-realm-provisioning/plugin/combined/main.go b/scheme/cca-realm-provisioning/plugin/combined/main.go index 95dadb9d..b6757ca0 100644 --- a/scheme/cca-realm-provisioning/plugin/combined/main.go +++ b/scheme/cca-realm-provisioning/plugin/combined/main.go @@ -10,5 +10,6 @@ import ( func main() { handler.RegisterEndorsementHandler(&scheme.EndorsementHandler{}) + handler.RegisterStoreHandler(&scheme.StoreHandler{}) plugin.Serve() } diff --git a/scheme/cca-realm-provisioning/realmattributes.go b/scheme/cca-realm-provisioning/realmattributes.go index 9a6eb64a..42b62889 100644 --- a/scheme/cca-realm-provisioning/realmattributes.go +++ b/scheme/cca-realm-provisioning/realmattributes.go @@ -3,7 +3,6 @@ package cca_realm_provisioning import ( - "errors" "fmt" "strings" @@ -25,12 +24,11 @@ func (o *RealmAttributes) FromMeasurement(m comid.Measurement) error { } func (o *RealmAttributes) extractRealmDigest(digests comid.Digests) (algID string, hash []byte, err error) { - if err := digests.Valid(); err != nil { return "", nil, fmt.Errorf("invalid digest: %v", err) } if len(digests) != 1 { - return "", nil, fmt.Errorf("invalid number %d for digest", len(digests)) + return "", nil, fmt.Errorf("expecting 1 digest, got %d", len(digests)) } return digests[0].AlgIDToString(), digests[0].HashValue, nil @@ -40,7 +38,7 @@ func (o *RealmAttributes) extractRegisterIndexes(r *comid.IntegrityRegisters) er for k, val := range r.M { a, d, err := o.extractRealmDigest(val) if err != nil { - return errors.New("unable to extract digest for ") + return fmt.Errorf("unable to extract realm digest: %v", err) } switch t := k.(type) { case string: @@ -71,11 +69,5 @@ func (o *RealmAttributes) extractRegisterIndexes(r *comid.IntegrityRegisters) er } func (o RealmAttributes) isCompatibleAlgID(hashAlgID string) bool { - compatible := true - if o.HashAlgID != "" { - if hashAlgID != o.HashAlgID { - compatible = false - } - } - return compatible + return o.HashAlgID == "" || hashAlgID == o.HashAlgID } diff --git a/scheme/cca-realm-provisioning/store_handler.go b/scheme/cca-realm-provisioning/store_handler.go index 88385a45..80ffca5e 100644 --- a/scheme/cca-realm-provisioning/store_handler.go +++ b/scheme/cca-realm-provisioning/store_handler.go @@ -46,13 +46,13 @@ func (s StoreHandler) SynthKeysFromRefValue( return nil, fmt.Errorf("unable to synthesize reference value abs-path: %w", err) } - lookupKey := RefValLookupKey(SchemeName, tenantID, instID) - log.Debugf("Scheme %s Plugin TA Look Up Key= %s\n", SchemeName, lookupKey) + lookupKey := refValLookupKey(SchemeName, tenantID, instID) + log.Debugf("Scheme %s Plugin RefVal Look Up Key= %s\n", SchemeName, lookupKey) return []string{lookupKey}, nil } -func RefValLookupKey(schemeName, tenantID, instID string) string { +func refValLookupKey(schemeName, tenantID, instID string) string { absPath := []string{instID} u := url.URL{ From 12644ada3316f91cdb0057857c1b5e0351283311 Mon Sep 17 00:00:00 2001 From: Yogesh Deshpande Date: Fri, 17 May 2024 11:04:32 +0100 Subject: [PATCH 5/7] Add Realm Personalization support Signed-off-by: Yogesh Deshpande --- .../cca-realm-provisioning/corim_extractor.go | 19 +++--- .../corim_test_vectors.go | 63 ++++++++++-------- .../cca-realm-provisioning/realmattributes.go | 22 ++++++ .../cca-realm-provisioning/store_handler.go | 2 +- .../test/corim/build-test-vectors.sh | 2 +- .../test/corim/comidCcaRealm.cbor | Bin 0 -> 561 bytes .../test/corim/comidCcaRealm.json | 4 ++ .../test/corim/comidCcaRealmInvalidClass.cbor | Bin 0 -> 564 bytes .../test/corim/comidCcaRealmInvalidClass.json | 4 ++ .../corim/comidCcaRealmInvalidInstance.cbor | Bin 0 -> 476 bytes .../test/corim/comidCcaRealmNoClass.cbor | Bin 0 -> 448 bytes .../test/corim/comidCcaRealmNoInstance.cbor | Bin 0 -> 437 bytes .../test/corim/corimcomidCcaRealm.cbor | Bin 0 -> 667 bytes .../corim/corimcomidCcaRealmInvalidClass.cbor | Bin 0 -> 670 bytes .../corimcomidCcaRealmInvalidInstance.cbor | Bin 0 -> 582 bytes .../test/corim/corimcomidCcaRealmNoClass.cbor | Bin 0 -> 554 bytes .../corim/corimcomidCcaRealmNoInstance.cbor | Bin 0 -> 543 bytes 17 files changed, 76 insertions(+), 40 deletions(-) create mode 100644 scheme/cca-realm-provisioning/test/corim/comidCcaRealm.cbor create mode 100644 scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidClass.cbor create mode 100644 scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidInstance.cbor create mode 100644 scheme/cca-realm-provisioning/test/corim/comidCcaRealmNoClass.cbor create mode 100644 scheme/cca-realm-provisioning/test/corim/comidCcaRealmNoInstance.cbor create mode 100644 scheme/cca-realm-provisioning/test/corim/corimcomidCcaRealm.cbor create mode 100644 scheme/cca-realm-provisioning/test/corim/corimcomidCcaRealmInvalidClass.cbor create mode 100644 scheme/cca-realm-provisioning/test/corim/corimcomidCcaRealmInvalidInstance.cbor create mode 100644 scheme/cca-realm-provisioning/test/corim/corimcomidCcaRealmNoClass.cbor create mode 100644 scheme/cca-realm-provisioning/test/corim/corimcomidCcaRealmNoInstance.cbor diff --git a/scheme/cca-realm-provisioning/corim_extractor.go b/scheme/cca-realm-provisioning/corim_extractor.go index cd22fe12..40a14ef5 100644 --- a/scheme/cca-realm-provisioning/corim_extractor.go +++ b/scheme/cca-realm-provisioning/corim_extractor.go @@ -64,15 +64,16 @@ func makeRefValAttrs(cAttr *ClassAttributes, rAttr *RealmAttributes) (json.RawMessage, error) { var attrs = map[string]interface{}{ - "CCA_REALM.vendor": cAttr.Vendor, - "CCA_REALM-class-id": cAttr.UUID, - "CCA_REALM-realm-initial-measurement": rAttr.Rim, - "CCA_REALM.hash-alg-id": rAttr.HashAlgID, - "CCA_REALM.rim": rAttr.Rim, - "CCA_REALM.rem0": rAttr.Rem[0], - "CCA_REALM.rem1": rAttr.Rem[1], - "CCA_REALM.rem2": rAttr.Rem[2], - "CCA_REALM.rem3": rAttr.Rem[3], + "CCA_REALM.vendor": cAttr.Vendor, + "CCA_REALM-class-id": cAttr.UUID, + "CCA_REALM-realm-initial-measurement": rAttr.Rim, + "CCA_REALM.hash-alg-id": rAttr.HashAlgID, + "CCA_REALM.realm-personalization-value": rAttr.Rpv, + "CCA_REALM.rim": rAttr.Rim, + "CCA_REALM.rem0": rAttr.Rem[0], + "CCA_REALM.rem1": rAttr.Rem[1], + "CCA_REALM.rem2": rAttr.Rem[2], + "CCA_REALM.rem3": rAttr.Rem[3], } data, err := json.Marshal(attrs) diff --git a/scheme/cca-realm-provisioning/corim_test_vectors.go b/scheme/cca-realm-provisioning/corim_test_vectors.go index 07e9b33c..cae963c0 100644 --- a/scheme/cca-realm-provisioning/corim_test_vectors.go +++ b/scheme/cca-realm-provisioning/corim_test_vectors.go @@ -1,31 +1,33 @@ // Copyright 2024 Contributors to the Veraison project. // SPDX-License-Identifier: Apache-2.0 - package cca_realm_provisioning // automatically generated from: // comidCcaRealm.json and corimCcaRealm.json var unsignedCorimcomidCcaRealm = ` -a500505c57e8f446cd421b91c908cf93e13cfc01815901eed901faa40065 +a500505c57e8f446cd421b91c908cf93e13cfc0181590234d901faa40065 656e2d474201a1005043bbe37f2e614b33aed353cff1428b160281a30074 576f726b6c6f616420436c69656e74204c74642e01d820781e6874747073 3a2f2f776f726b6c6f6164636c69656e742e6578616d706c650283000102 04a1008182a200a200d82550cd1f0e5526f9460db9d8f7fde171787c0173 576f726b6c6f616420436c69656e74204c746401d9023058304284b5694c a6c0d2cf4789a0b95ac8025c818de52304364be7cd2981b2d2edc685b322 -277ec25819962413d8c9b2c1f581a101a10ea56372696d81820758304284 -b5694ca6c0d2cf4789a0b95ac8025c818de52304364be7cd2981b2d2edc6 -85b322277ec25819962413d8c9b2c1f56472656d3081820758302107bbe7 -61fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615ab -f6514cf35e5a9ea55a032d068a786472656d3181820758302507bbe761fc -a52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615abf651 -4cf35e5a9ea55a032d068a786472656d3281820758303107bbe761fca52d -95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615abf6514cf3 -5e5a9ea55a032d068a786472656d3381820758303507bbe761fca52d9513 -6a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615abf6514cf35e5a -9ea55a032d068a780381781a687474703a2f2f61726d2e636f6d2f636361 -2f7265616c6d2f3104a200c11a61ce480001c11a695467800581a3006941 -434d45204c74642e01d8206c61636d652e6578616d706c65028101 +277ec25819962413d8c9b2c1f581a101a204d902305840e45b72f5c0c0b5 +72db4d8d3ab7e97f368ff74e62347a824decb67a84e5224d75e45b72f5c0 +c0b572db4d8d3ab7e97f368ff74e62347a824decb67a84e5224d750ea563 +72696d81820758304284b5694ca6c0d2cf4789a0b95ac8025c818de52304 +364be7cd2981b2d2edc685b322277ec25819962413d8c9b2c1f56472656d +3081820758302107bbe761fca52d95136a1354db7a4dd57b1b26be0d3da7 +1d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a786472656d3181 +820758302507bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9e +b23986b34ba615abf6514cf35e5a9ea55a032d068a786472656d32818207 +58303107bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb239 +86b34ba615abf6514cf35e5a9ea55a032d068a786472656d338182075830 +3507bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b3 +4ba615abf6514cf35e5a9ea55a032d068a780381781a687474703a2f2f61 +726d2e636f6d2f6363612f7265616c6d2f3104a200c11a61ce480001c11a +695467800581a3006941434d45204c74642e01d8206c61636d652e657861 +6d706c65028101 ` // automatically generated from: @@ -104,24 +106,27 @@ a71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a786472656d33 // automatically generated from: // comidCcaRealmInvalidClass.json and corimCcaRealm.json var unsignedCorimcomidCcaRealmInvalidClass = ` -a500505c57e8f446cd421b91c908cf93e13cfc01815901f1d901faa40065 +a500505c57e8f446cd421b91c908cf93e13cfc0181590237d901faa40065 656e2d474201a1005043bbe37f2e614b33aed353cff1428b160281a30074 576f726b6c6f616420436c69656e74204c74642e01d820781e6874747073 3a2f2f776f726b6c6f6164636c69656e742e6578616d706c650283000102 04a1008182a200a200d90258582061636d652d696d706c656d656e746174 696f6e2d69642d303030303030303031016441434d4501d9023058304284 b5694ca6c0d2cf4789a0b95ac8025c818de52304364be7cd2981b2d2edc6 -85b322277ec25819962413d8c9b2c1f581a101a10ea56372696d81820758 -304284b5694ca6c0d2cf4789a0b95ac8025c818de52304364be7cd2981b2 -d2edc685b322277ec25819962413d8c9b2c1f56472656d30818207583021 -07bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34b -a615abf6514cf35e5a9ea55a032d068a786472656d3181820758302507bb -e761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615 -abf6514cf35e5a9ea55a032d068a786472656d3281820758303107bbe761 -fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615abf6 -514cf35e5a9ea55a032d068a786472656d3381820758303507bbe761fca5 -2d95136a1354db7a4dd57b1b26be0d3da71d9eb23986b34ba615abf6514c -f35e5a9ea55a032d068a780381781a687474703a2f2f61726d2e636f6d2f -6363612f7265616c6d2f3104a200c11a61ce480001c11a695467800581a3 -006941434d45204c74642e01d8206c61636d652e6578616d706c65028101 +85b322277ec25819962413d8c9b2c1f581a101a204d902305840e45b72f5 +c0c0b572db4d8d3ab7e97f368ff74e62347a824decb67a84e5224d75e45b +72f5c0c0b572db4d8d3ab7e97f368ff74e62347a824decb67a84e5224d75 +0ea56372696d81820758304284b5694ca6c0d2cf4789a0b95ac8025c818d +e52304364be7cd2981b2d2edc685b322277ec25819962413d8c9b2c1f564 +72656d3081820758302107bbe761fca52d95136a1354db7a4dd57b1b26be +0d3da71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a78647265 +6d3181820758302507bbe761fca52d95136a1354db7a4dd57b1b26be0d3d +a71d9eb23986b34ba615abf6514cf35e5a9ea55a032d068a786472656d32 +81820758303107bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d +9eb23986b34ba615abf6514cf35e5a9ea55a032d068a786472656d338182 +0758303507bbe761fca52d95136a1354db7a4dd57b1b26be0d3da71d9eb2 +3986b34ba615abf6514cf35e5a9ea55a032d068a780381781a687474703a +2f2f61726d2e636f6d2f6363612f7265616c6d2f3104a200c11a61ce4800 +01c11a695467800581a3006941434d45204c74642e01d8206c61636d652e +6578616d706c65028101 ` diff --git a/scheme/cca-realm-provisioning/realmattributes.go b/scheme/cca-realm-provisioning/realmattributes.go index 42b62889..1c3a1bb4 100644 --- a/scheme/cca-realm-provisioning/realmattributes.go +++ b/scheme/cca-realm-provisioning/realmattributes.go @@ -7,15 +7,20 @@ import ( "strings" "github.com/veraison/corim/comid" + "github.com/veraison/services/log" ) type RealmAttributes struct { Rim []byte Rem [4][]byte HashAlgID string + Rpv []byte } func (o *RealmAttributes) FromMeasurement(m comid.Measurement) error { + if err := o.extractRealmPersonalizationValue(m.Val.RawValue); err != nil { + return fmt.Errorf("extracting rpv: %w", err) + } if err := o.extractRegisterIndexes(m.Val.IntegrityRegisters); err != nil { return fmt.Errorf("extracting measurement: %w", err) } @@ -71,3 +76,20 @@ func (o *RealmAttributes) extractRegisterIndexes(r *comid.IntegrityRegisters) er func (o RealmAttributes) isCompatibleAlgID(hashAlgID string) bool { return o.HashAlgID == "" || hashAlgID == o.HashAlgID } + +func (o *RealmAttributes) extractRealmPersonalizationValue(r *comid.RawValue) error { + var err error + if r == nil { + log.Debug("realm personalization value not present") + return nil + } + o.Rpv, err = r.GetBytes() + if err != nil { + return err + } else if len(o.Rpv) != 64 { + { + return fmt.Errorf("invalid length %d, for realm personalization value", len(o.Rpv)) + } + } + return nil +} diff --git a/scheme/cca-realm-provisioning/store_handler.go b/scheme/cca-realm-provisioning/store_handler.go index 80ffca5e..ce5e37d1 100644 --- a/scheme/cca-realm-provisioning/store_handler.go +++ b/scheme/cca-realm-provisioning/store_handler.go @@ -43,7 +43,7 @@ func (s StoreHandler) SynthKeysFromRefValue( instID, err := common.GetInstID(SchemeName, refVal.Attributes) if err != nil { - return nil, fmt.Errorf("unable to synthesize reference value abs-path: %w", err) + return nil, fmt.Errorf("unable to get instance id for synthesize reference value: %w", err) } lookupKey := refValLookupKey(SchemeName, tenantID, instID) diff --git a/scheme/cca-realm-provisioning/test/corim/build-test-vectors.sh b/scheme/cca-realm-provisioning/test/corim/build-test-vectors.sh index 2e9e027d..565cb535 100755 --- a/scheme/cca-realm-provisioning/test/corim/build-test-vectors.sh +++ b/scheme/cca-realm-provisioning/test/corim/build-test-vectors.sh @@ -33,7 +33,7 @@ COMID_TEMPLATES="${COMID_TEMPLATES} comidCcaRealmInvalidClass" TV_DOT_GO=${TV_DOT_GO?must be set in the environment.} -printf "package cca_realm\n\n" > ${TV_DOT_GO} +printf "package cca_realm_provisioning\n\n" > ${TV_DOT_GO} for t in ${COMID_TEMPLATES} do diff --git a/scheme/cca-realm-provisioning/test/corim/comidCcaRealm.cbor b/scheme/cca-realm-provisioning/test/corim/comidCcaRealm.cbor new file mode 100644 index 0000000000000000000000000000000000000000..cfb7660b48f32b81bcf73e7e5e1745430171c2e2 GIT binary patch literal 561 zcmZ3&keZsO>+Zz3kRiZ%_v3oKL~rADmxIrLbm|skYFx}v5}sd_os*xKqTrm9nVMIk z;8T*K$9O}bLN24Eq@dVJU%woxAQ>#Lms*jSTac5=)Xc!h#Ilf~v1t**B8D5P0cYj; zLe+k{@$S6w{qMuViW9g#>rStBc3wB1GV2Ww%eX7i2=KcJv zX5*$yZ;!QZR#LA!6d^fHMfk?aO$Wa=E@WK90@CU5B)aJ9fdgBMZu|CHZGTyB*8klv z$)u{u_szDdmZwU-rG(`9mL?Zv<~BC5lkSL=qSRaiuuetx-Om&MEY+PVoFyD`yUO=! zwY1tkUfboe^EO$wZT4O!y82t7&*!+Pc}t_1b=kTqKspVhuufAF Gbpikq6!w4s literal 0 HcmV?d00001 diff --git a/scheme/cca-realm-provisioning/test/corim/comidCcaRealm.json b/scheme/cca-realm-provisioning/test/corim/comidCcaRealm.json index 965d9fd2..115db6e0 100644 --- a/scheme/cca-realm-provisioning/test/corim/comidCcaRealm.json +++ b/scheme/cca-realm-provisioning/test/corim/comidCcaRealm.json @@ -34,6 +34,10 @@ "measurements": [ { "value": { + "raw-value": { + "type": "bytes", + "value": "5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXXkW3L1wMC1cttNjTq36X82j/dOYjR6gk3stnqE5SJNdQ==" + }, "integrity-registers": { "rim": { "key-type": "text", diff --git a/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidClass.cbor b/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidClass.cbor new file mode 100644 index 0000000000000000000000000000000000000000..879bf728c8fca9d06a8ec4da205680555984d34d GIT binary patch literal 564 zcmZ3&keZsO>+Zz3kRiZ%_v3oKL~rADmxIrLbm|skYFx}v5}sd_os*xKqTrm9nVMIk z;8T*K$9O}bLN24Eq@dVJU%woxAQ>#Lms*jSTac5=)Xc!h#Ilf~v1t**B8Hnx5fKWB z$+@YznIOqrph1ZxnfZCTnJKykP+-WI;^^$_%6OB>Ai}_@WoxF-vICdSyLT?w8Fhjw zrm^>_GK-n_^Rt?bn=ZXQ*1B0qz3xzicQqYWsL?m&?xEWZAaadzt9!Z-G9a#6|hGz9BZB}1nX QSf?QwI*q|PO-a-V08>%&)Bpeg literal 0 HcmV?d00001 diff --git a/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidClass.json b/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidClass.json index 27479678..6cb1696c 100644 --- a/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidClass.json +++ b/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidClass.json @@ -34,6 +34,10 @@ "measurements": [ { "value": { + "raw-value": { + "type": "bytes", + "value": "5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXXkW3L1wMC1cttNjTq36X82j/dOYjR6gk3stnqE5SJNdQ==" + }, "integrity-registers": { "rim": { "key-type": "text", diff --git a/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidInstance.cbor b/scheme/cca-realm-provisioning/test/corim/comidCcaRealmInvalidInstance.cbor new file mode 100644 index 0000000000000000000000000000000000000000..a0774301a3e0a51d82c789e24b70252f9d744b0e GIT binary patch literal 476 zcmZ3&keZsO>+Zz3kRiZ%_v3oKL~rADmxIrLbm|skYFx}v5}sd_os*xKqTrm9nVMIk z;8T*K$9O}bLN24Eq@dVJU%woxAQ>#Lms*jSTac5=)Xc!h#Ilf~v1t**B8D5P0cYj; zLe+k{@$S6w{qMuViWiILdJ!BOOuN-a~qr3BMh8cwr2V)J8C)R{t(%q9>kdUoPE!%SadOkauPH^TxdvdJitM|eC;nNgJ5@MKIOKMf@6~E)wSBy{ z%Vp+Zz3kRiZ%_v3oKL~rADmxIrLbm|skYFx}v5}sd_os*xKqTrm9nVMIk z;8T*K$9O}bLN24Eq@dVJU%woxAQ>#Lms*jSTac5=)Xc!h#Ilf~v1uXWO(uf~1E-d) znLf)7TsrUGxnO7138t9F-lxheX5P=wYBp}V^!8ZmW+nByLlKhGRD^Gw+;s43<3h%T zd`pvyGIJZ7*h$x(Qk0r&0M@CcHSn-w$0wl qL|1+Zz3kRiZ%_v3oKL~rADmxIrLbm|skYFx}v5}sd_os*xKqTrm9nVMIk z;8T*K$9O}bLN24Eq@dVJU%woxAQ>#Lms*jSTac5=)Xc!h#Ilf~v1uX0B8D5P0cYj; zLe+k{@$S6w{qMuViWYF1-rR?ofo}G!@|+CpR7Zno^XSYXH`%$iDk|;-96uQ-!mH zLvC03Uagi^+sA9WTz1|j%eKwl%S2ay3-tLM7d3Bb6tgZ{R|QC?Ay}s>89I%?It|It LX$;nBN}^5xW9YWg literal 0 HcmV?d00001 diff --git a/scheme/cca-realm-provisioning/test/corim/corimcomidCcaRealm.cbor b/scheme/cca-realm-provisioning/test/corim/corimcomidCcaRealm.cbor new file mode 100644 index 0000000000000000000000000000000000000000..2f8d8fb0b04a95bdef70dfdccd002de32836f5c8 GIT binary patch literal 667 zcmZ3=5D*jo;)~l^C+UeNInGahX!D1$F_OvTCgZOq45_Jky6#Sl3mF2OcR#MzOY}Bg zcRBd{N2hKvrpCn#CE@u+**W=%DGJUxnW=dt3O*$%dW<&|D&#UsN(zdt^!3Z33X;L{ zdZ`tOxdl0?OwA08Oe_l-8k-g|EMmB!8gN#gFI4TP8}H5=-~T==tf*lu#$qz#O(uf~ z1E-d)nLf)7TsrUGxnO7138t9F-lxheX5P=wYBp}V^!8ZmW+nByLlKhGRD^Gw+;s43 z<3h$oEFhf@Poj&y9yqYI=(caK)%KV5X8qs&l1!?aeBW%VYI&;UTS`ctZ)tK-W^Q8> zJL!%{DN4;X0P9p_-~BxC&r;o~!db#0x2t@wR!ghxQ73a_g%l|2fia(0l&hDVpR1pooTy)v vnwXQTZ^*KU;hJ4xarc{W38K&)awpK zNKR7`zHxHX!LN-A85gmDbUHkVF8X@lz}BMMzP(o4U)G!TfA>o=scQ0lv#qM-sgiFg zA$h)~$wisDjZN&NJ0hhhHP-;FQ;~i5^Ta<(b*Bnv35VRS^1WIut+tQXcDd}lO_pt& zy_bou{ub!-IWB76(kNzKwyp}0PD8LxRWfuMfpr>^q0<Fbw66(ob@ z^-?Pma|?1(nVK0GnOGJwG&U__Sj2EcHQ=l~U#QwoH{P8$zW;q#SW&}RjKyTen@nmE zij3!8udD7dxU{g z%hpVvWd|;uckf)VGwK9WOk?j;Wfn8<=Vvt=H(h#rtaY=JdflN2$!RLWH%@Lk_%)>{ zHP-;FQ;~i5^Ta<(b*Bnv35VRS^1WIut+tQXcDd}lO_pt&y_bou{ub!-IWB76(kNzK zwyp}0PD8LxRWfuMfpr>^q0<Fbw66(ob@ z^-?Pma|?1(nVK0GnOGJwG&U_{yvbw`Vc^uVHPdI=flKGzI~VMXI>8jv*!xtO#mxKp zSkZ);nQD$yq6FceJQ;Je^4Zu1T*>^ur z{IgVds&JNY$n7fMtJTtK`*>}a%g)QSRn<931CDd7Uk+C=jZAtCnxF`r6%U&>Kn2wVmK(3c+P`? f@t{;@NO}V+Fh(;Soqb(l(U_B%oSO=dvqnY$T43i0 literal 0 HcmV?d00001 diff --git a/scheme/cca-realm-provisioning/test/corim/corimcomidCcaRealmNoInstance.cbor b/scheme/cca-realm-provisioning/test/corim/corimcomidCcaRealmNoInstance.cbor new file mode 100644 index 0000000000000000000000000000000000000000..baa9184f9933a7c493cf71ba25c4de5ff8e9c27d GIT binary patch literal 543 zcmZ3=5D*jo;)~l^C+UeNInGahX!D1$F_Lk|O~zkK7*bR7blsg87cvAm?|xjbm*{Q0 z?sD+?k51iUOpS{fO2YGtvUBniQxu$YGE?(P6nsij^cZg_RLEtNloS+O>Fbw66(ob@ z^-?Pma|?1(nVK0GnOGJwG&U_{Sj2EcHQ=l~U#QwoH{P8$zW;q#SW&}RjK$=}g^UaN zmL?Zv<~BC5M;JJ@Y|ZppcHq)^_s#`7qfRizH1cQqYWsL?m&?xEWZAaadzt9! zZ-G9a#6|hGz9BZB}1nXSf?QwI*q|PO-a26 AMgRZ+ literal 0 HcmV?d00001 From 86c4206a3b12abc4466f02914a7d6f529611653d Mon Sep 17 00:00:00 2001 From: Yogesh Deshpande Date: Fri, 17 May 2024 11:21:50 +0100 Subject: [PATCH 6/7] Add go modules Signed-off-by: Yogesh Deshpande --- go.mod | 2 +- go.sum | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/go.mod b/go.mod index fa2f0968..0f93c1a6 100644 --- a/go.mod +++ b/go.mod @@ -29,7 +29,7 @@ require ( github.com/tbaehler/gin-keycloak v1.5.0 github.com/veraison/ccatoken v1.1.0 github.com/veraison/cmw v0.1.0 - github.com/veraison/corim v1.1.3-0.20240429160003-7b04d8b96e76 + github.com/veraison/corim v1.1.3-0.20240513181923-a0e8f54e1f67 github.com/veraison/dice v0.0.1 github.com/veraison/ear v1.1.2 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53 diff --git a/go.sum b/go.sum index bdfa87b6..b2402ec1 100644 --- a/go.sum +++ b/go.sum @@ -1068,6 +1068,8 @@ github.com/veraison/corim v1.1.3-0.20240423112400-92efbf346d05 h1:UDu2uBWhd17Hx+ github.com/veraison/corim v1.1.3-0.20240423112400-92efbf346d05/go.mod h1:yoN6+vVQJgzS926nheCbJi68SvOlN0CpiPuTxYSe5FU= github.com/veraison/corim v1.1.3-0.20240429160003-7b04d8b96e76 h1:kB1KvHDnKO7YubQ0Bs3DMjZrC2r9JmaXCDfzeGJCEb0= github.com/veraison/corim v1.1.3-0.20240429160003-7b04d8b96e76/go.mod h1:yoN6+vVQJgzS926nheCbJi68SvOlN0CpiPuTxYSe5FU= +github.com/veraison/corim v1.1.3-0.20240513181923-a0e8f54e1f67 h1:j67b84ttamX1ZJGlHnV/20NfBS05UdT3DonlDQ0eWnI= +github.com/veraison/corim v1.1.3-0.20240513181923-a0e8f54e1f67/go.mod h1:mmEA2yMATiwNCGD6xo2L7Afag7z2OdZTOz8QO6IvzNY= github.com/veraison/dice v0.0.1 h1:dOm7ByDN/r4WlDsGkEUXzdPMXgTvAPTAksQ8+BwBrD4= github.com/veraison/dice v0.0.1/go.mod h1:QPMLc5LVMj08VZ+HNMYk4XxWoVYGAUBVm8Rd5V1hzxs= github.com/veraison/ear v1.1.2 h1:Xs41FqAG8IyJaceqNFcX2+nf51Et1uyhmCJV8SZqw/8= From b7e1e5bbf4efbb2748d5237395f860082113aa86 Mon Sep 17 00:00:00 2001 From: Yogesh Deshpande Date: Fri, 17 May 2024 15:43:59 +0100 Subject: [PATCH 7/7] Add Realm Personalization Value Signed-off-by: Yogesh Deshpande --- scheme/cca-realm-provisioning/README.md | 3 +- .../cca-realm-provisioning/corim_extractor.go | 4 +- .../cca-realm-provisioning/store_handler.go | 23 +----- .../store_handler_test.go | 40 +++++++--- .../test/store/refvalEndorsements.json | 3 +- .../test/store/refvalEndorsementsNoRpv.json | 28 +++++++ scheme/common/arm/realm.go | 75 +++++++++++++++++++ 7 files changed, 140 insertions(+), 36 deletions(-) create mode 100644 scheme/cca-realm-provisioning/test/store/refvalEndorsementsNoRpv.json create mode 100644 scheme/common/arm/realm.go diff --git a/scheme/cca-realm-provisioning/README.md b/scheme/cca-realm-provisioning/README.md index 11ee34fb..29806a4e 100644 --- a/scheme/cca-realm-provisioning/README.md +++ b/scheme/cca-realm-provisioning/README.md @@ -12,8 +12,9 @@ used to launch a Realm. "attributes": { "CCA_REALM.vendor": "Workload Client Ltd", "CCA_REALM.class-id": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C", - "CCA_REALM-realm-initial-measurement": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1", + "CCA_REALM.realm-initial-measurement": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1", "CCA_REALM.hash-alg-id": "sha-384", + "CCA_REALM.realm-personalization-value":"5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXXkW3L1wMC1cttNjTq36X82j/dOYjR6gk3stnqE5SJNdQ==", "CCA_REALM.measurements": [ { "rim": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" diff --git a/scheme/cca-realm-provisioning/corim_extractor.go b/scheme/cca-realm-provisioning/corim_extractor.go index 40a14ef5..e7054796 100644 --- a/scheme/cca-realm-provisioning/corim_extractor.go +++ b/scheme/cca-realm-provisioning/corim_extractor.go @@ -65,8 +65,8 @@ func makeRefValAttrs(cAttr *ClassAttributes, var attrs = map[string]interface{}{ "CCA_REALM.vendor": cAttr.Vendor, - "CCA_REALM-class-id": cAttr.UUID, - "CCA_REALM-realm-initial-measurement": rAttr.Rim, + "CCA_REALM.class-id": cAttr.UUID, + "CCA_REALM.realm-initial-measurement": rAttr.Rim, "CCA_REALM.hash-alg-id": rAttr.HashAlgID, "CCA_REALM.realm-personalization-value": rAttr.Rpv, "CCA_REALM.rim": rAttr.Rim, diff --git a/scheme/cca-realm-provisioning/store_handler.go b/scheme/cca-realm-provisioning/store_handler.go index ce5e37d1..b6ddeb66 100644 --- a/scheme/cca-realm-provisioning/store_handler.go +++ b/scheme/cca-realm-provisioning/store_handler.go @@ -5,13 +5,11 @@ package cca_realm_provisioning import ( "fmt" - "net/url" - "strings" "github.com/veraison/services/handler" "github.com/veraison/services/log" "github.com/veraison/services/proto" - "github.com/veraison/services/scheme/common" + "github.com/veraison/services/scheme/common/arm" ) type StoreHandler struct{} @@ -41,27 +39,12 @@ func (s StoreHandler) SynthKeysFromRefValue( refVal *handler.Endorsement, ) ([]string, error) { - instID, err := common.GetInstID(SchemeName, refVal.Attributes) + lookupKey, err := arm.SynthKeyFromRefVal(SchemeName, tenantID, refVal) if err != nil { - return nil, fmt.Errorf("unable to get instance id for synthesize reference value: %w", err) + return nil, fmt.Errorf("unable to SynthKeyFromRefVal for scheme %s: %w", SchemeName, err) } - - lookupKey := refValLookupKey(SchemeName, tenantID, instID) log.Debugf("Scheme %s Plugin RefVal Look Up Key= %s\n", SchemeName, lookupKey) return []string{lookupKey}, nil - -} - -func refValLookupKey(schemeName, tenantID, instID string) string { - absPath := []string{instID} - - u := url.URL{ - Scheme: schemeName, - Host: tenantID, - Path: strings.Join(absPath, "/"), - } - - return u.String() } func (s StoreHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) { diff --git a/scheme/cca-realm-provisioning/store_handler_test.go b/scheme/cca-realm-provisioning/store_handler_test.go index 2331cfd3..7f06e038 100644 --- a/scheme/cca-realm-provisioning/store_handler_test.go +++ b/scheme/cca-realm-provisioning/store_handler_test.go @@ -49,17 +49,33 @@ func Test_GetTrustAnchorID_nok(t *testing.T) { assert.EqualError(t, err, expectedErr) } -func Test_SynthKeysFromRefValue_ok(t *testing.T) { - endorsementsBytes, err := os.ReadFile("test/store/refvalEndorsements.json") - require.NoError(t, err) +func Test_SynthKeysFromRefValue1_ok(t *testing.T) { + tvs := []struct { + desc string + input string + expectedKey string + }{ + { + desc: "no realm personalization in reference value", + input: "test/store/refvalEndorsementsNoRpv.json", + expectedKey: "CCA_REALM://1/QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1", + }, + { + desc: "complete reference value with rim and personalization value", + input: "test/store/refvalEndorsements.json", + expectedKey: "CCA_REALM://1/QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1/5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXXkW3L1wMC1cttNjTq36X82j/dOYjR6gk3stnqE5SJNdQ==", + }, + } - var endors handler.Endorsement - err = json.Unmarshal(endorsementsBytes, &endors) - require.NoError(t, err) - expectedKey := "CCA_REALM://1/QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" - - scheme := &StoreHandler{} - key_list, err := scheme.SynthKeysFromRefValue("1", &endors) - require.NoError(t, err) - assert.Equal(t, expectedKey, key_list[0]) + for _, tv := range tvs { + endorsementsBytes, err := os.ReadFile(tv.input) + require.NoError(t, err) + var endors handler.Endorsement + err = json.Unmarshal(endorsementsBytes, &endors) + require.NoError(t, err) + scheme := &StoreHandler{} + key, err := scheme.SynthKeysFromRefValue("1", &endors) + require.NoError(t, err) + assert.Equal(t, tv.expectedKey, key[0]) + } } diff --git a/scheme/cca-realm-provisioning/test/store/refvalEndorsements.json b/scheme/cca-realm-provisioning/test/store/refvalEndorsements.json index b53685a1..be641cac 100644 --- a/scheme/cca-realm-provisioning/test/store/refvalEndorsements.json +++ b/scheme/cca-realm-provisioning/test/store/refvalEndorsements.json @@ -4,8 +4,9 @@ "attributes": { "CCA_REALM.vendor": "Worload Client Ltd", "CCA_REALM.class-id": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C", - "CCA_REALM.inst-id": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1", + "CCA_REALM.realm-initial-measurement": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1", "CCA_REALM.hash-alg-id": "sha-384", + "CCA_REALM.realm-personalization-value": "5Fty9cDAtXLbTY06t+l/No/3TmI0eoJN7LZ6hOUiTXXkW3L1wMC1cttNjTq36X82j/dOYjR6gk3stnqE5SJNdQ==", "CCA_REALM.measurements": [ { "rim": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" diff --git a/scheme/cca-realm-provisioning/test/store/refvalEndorsementsNoRpv.json b/scheme/cca-realm-provisioning/test/store/refvalEndorsementsNoRpv.json new file mode 100644 index 00000000..6d7a544e --- /dev/null +++ b/scheme/cca-realm-provisioning/test/store/refvalEndorsementsNoRpv.json @@ -0,0 +1,28 @@ +{ + "scheme": "CCA_REALM", + "type": "REFERENCE_VALUE", + "attributes": { + "CCA_REALM.vendor": "Worload Client Ltd", + "CCA_REALM.class-id": "CD1F0E55-26F9-460D-B9D8-F7FDE171787C", + "CCA_REALM.realm-initial-measurement": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1", + "CCA_REALM.hash-alg-id": "sha-384", + "CCA_REALM.realm-personalization-value": "", + "CCA_REALM.measurements": [ + { + "rim": "QoS1aUymwNLPR4mguVrIAlyBjeUjBDZL580pgbLS7caFsyInfsJYGZYkE9jJssH1" + }, + { + "rem0": "IQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + }, + { + "rem1": "JQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + }, + { + "rem2": "MQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + }, + { + "rem3": "NQe752H8pS2VE2oTVNt6TdV7Gya+DT2nHZ6yOYazS6YVq/ZRTPNeWp6lWgMtBop4" + } + ] + } +} \ No newline at end of file diff --git a/scheme/common/arm/realm.go b/scheme/common/arm/realm.go new file mode 100644 index 00000000..2a64941f --- /dev/null +++ b/scheme/common/arm/realm.go @@ -0,0 +1,75 @@ +// Copyright 2024 Contributors to the Veraison project. +// SPDX-License-Identifier: Apache-2.0 +package arm + +import ( + "encoding/json" + "errors" + "fmt" + "net/url" + "strings" + + "github.com/veraison/services/handler" + "github.com/veraison/services/log" +) + +func GetRim(scheme string, attr json.RawMessage) (string, error) { + var at map[string]interface{} + err := json.Unmarshal(attr, &at) + if err != nil { + return "", fmt.Errorf("unable to get Instance ID: %w", err) + } + key := scheme + ".realm-initial-measurement" + rim, ok := at[key].(string) + if !ok { + return "", errors.New("unable to get realm initial measurements") + } + return rim, nil +} + +func GetRpv(scheme string, attr json.RawMessage) (string, error) { + var at map[string]interface{} + err := json.Unmarshal(attr, &at) + if err != nil { + return "", fmt.Errorf("unable to get Instance ID: %w", err) + } + key := scheme + ".realm-personalization-value" + rpv, ok := at[key].(string) + if !ok { + return "", errors.New("unable to get realm personalization value") + } + return rpv, nil +} + +func SynthKeyFromRefVal(scheme string, tenantID string, refVal *handler.Endorsement) (string, error) { + if refVal == nil { + return "", errors.New("no reference value in SynthKeyFromRefVal") + } + rim, err := GetRim(scheme, refVal.Attributes) + if err != nil { + return "", fmt.Errorf("unable to get rim: %w", err) + } + rpv, err := GetRpv(scheme, refVal.Attributes) + if err != nil { + return "", fmt.Errorf("unable to get rpv: %w", err) + } + lookupKey := refValLookupKey(scheme, tenantID, rim, rpv) + log.Debugf("Scheme %s realm RefVal Look Up Key= %s\n", scheme, lookupKey) + return lookupKey, nil +} + +func refValLookupKey(schemeName, tenantID, rim string, rpv string) string { + var absPath []string + if rpv != "" { + absPath = []string{rim, rpv} + } else { + absPath = []string{rim} + } + + u := url.URL{ + Scheme: schemeName, + Host: tenantID, + Path: strings.Join(absPath, "/"), + } + return u.String() +}