wip

Signed-off-by: Thomas Fossati <[email protected]>

Author: thomas-fossati

api/api.go

@@ -8,11 +8,17 @@ import "mime"
 // parameters) and returns it in normalized form, i.e., with lowercase type,
 // subtype and, optionally, parameter name.  An error is returned if the
 // supplied media type is invalid.
-func NormalizeMediaType(mt string) (string, error) {
+// If dropParams is true, any parameters in the supplied media type are
+// discarded in the returned normalized media type.
+func NormalizeMediaType(mt string, dropParams bool) (string, error) {
 	m, p, err := mime.ParseMediaType(mt)
 	if err != nil {
 		return "", err
 	}
 
+	if dropParams {
+		p = nil
+	}
+
 	return mime.FormatMediaType(m, p), nil
 }

capability/well-known.go

@@ -11,12 +11,13 @@ const (
 )
 
 type WellKnownInfo struct {
-	PublicKey    jwk.Key           `json:"ear-verification-key,omitempty"`
-	MediaTypes   []string          `json:"media-types,omitempty"`
-	Schemes      []string          `json:"attestation-schemes,omitempty"`
-	Version      string            `json:"version"`
-	ServiceState string            `json:"service-state"`
-	ApiEndpoints map[string]string `json:"api-endpoints"`
+	PublicKey                   jwk.Key           `json:"ear-verification-key,omitempty"`
+	MediaTypes                  []string          `json:"media-types,omitempty"`
+	CompositeEvidenceMediaTypes []string          `json:"composite-evidence-media-types,omitempty"`
+	Schemes                     []string          `json:"attestation-schemes,omitempty"`
+	Version                     string            `json:"version"`
+	ServiceState                string            `json:"service-state"`
+	ApiEndpoints                map[string]string `json:"api-endpoints"`
 }
 
 var ssTrans = map[string]string{
@@ -38,19 +39,21 @@ func ServiceStateToAPI(ss string) string {
 func NewWellKnownInfoObj(
 	key jwk.Key,
 	mediaTypes []string,
+	compositeEvidenceMediaTypes []string,
 	schemes []string,
 	version string,
 	serviceState string,
 	endpoints map[string]string,
 ) (*WellKnownInfo, error) {
 	// MUST be kept in sync with proto/state.proto
 	obj := &WellKnownInfo{
-		PublicKey:    key,
-		MediaTypes:   mediaTypes,
-		Schemes:      schemes,
-		Version:      version,
-		ServiceState: ServiceStateToAPI(serviceState),
-		ApiEndpoints: endpoints,
+		PublicKey:                   key,
+		MediaTypes:                  mediaTypes,
+		CompositeEvidenceMediaTypes: compositeEvidenceMediaTypes,
+		Schemes:                     schemes,
+		Version:                     version,
+		ServiceState:                ServiceStateToAPI(serviceState),
+		ApiEndpoints:                endpoints,
 	}
 
 	return obj, nil

verification/api/handler.go

@@ -357,7 +357,7 @@ func (o *Handler) SubmitEvidence(c *gin.Context) {
 		}
 	}
 
-	isSupported, err := o.Verifier.IsSupportedMediaType(mediaType)
+	isSupportedMediaType, err := o.Verifier.IsSupportedMediaType(mediaType)
 	if err != nil {
 		status := http.StatusInternalServerError
 		if errors.Unwrap(err) == verifier.ErrInputParam {
@@ -368,6 +368,19 @@ func (o *Handler) SubmitEvidence(c *gin.Context) {
 		return
 	}
 
+	isSupportedCompositeEvidenceMediaType, err := o.Verifier.IsSupportedCompositeEvidenceMediaType(mediaType)
+	if err != nil {
+		status := http.StatusInternalServerError
+		if errors.Unwrap(err) == verifier.ErrInputParam {
+			status = http.StatusBadRequest
+		}
+
+		ReportProblem(c, status, fmt.Sprintf("could not check composite evidence media type with verifier: %v", err))
+		return
+	}
+
+	isSupported := isSupportedMediaType || isSupportedCompositeEvidenceMediaType
+
 	if !isSupported {
 		supportedMediaTypes, err := o.Verifier.SupportedMediaTypes()
 		if err != nil {
@@ -379,6 +392,18 @@ func (o *Handler) SubmitEvidence(c *gin.Context) {
 			return
 		}
 
+		supportedCompositeEvidenceMediaTypes, err := o.Verifier.SupportedCompositeEvidenceMediaTypes()
+		if err != nil {
+			ReportProblem(c,
+				http.StatusInternalServerError,
+				fmt.Sprintf("could not get supported composite evidence media types from verifier: %v",
+					err),
+			)
+			return
+		}
+
+		supportedMediaTypes = append(supportedMediaTypes, supportedCompositeEvidenceMediaTypes...)
+
 		c.Header("Accept", strings.Join(supportedMediaTypes, ", "))
 		ReportProblem(c,
 			http.StatusUnsupportedMediaType,
@@ -411,8 +436,16 @@ func (o *Handler) SubmitEvidence(c *gin.Context) {
 	// reported if something in the verifier or the connection goes wrong.
 	// Any problems with the evidence are expected to be reported via the
 	// attestation result.
-	attestationResult, err := o.Verifier.ProcessEvidence(tenantID, session.Nonce,
-		evidence, mediaType)
+	var attestationResult []byte
+
+	if isSupportedMediaType {
+		attestationResult, err = o.Verifier.ProcessEvidence(tenantID, session.Nonce,
+			evidence, mediaType)
+	} else if isSupportedCompositeEvidenceMediaType {
+		attestationResult, err = o.Verifier.ProcessCompositeEvidence(tenantID, session.Nonce,
+			evidence, mediaType)
+	}
+
 	if err != nil {
 		o.logger.Error(err)
 		session.SetStatus(StatusFailed)
@@ -474,11 +507,27 @@ func (o *Handler) NewChallengeResponse(c *gin.Context) {
 	if err != nil {
 		ReportProblem(c,
 			http.StatusInternalServerError,
-			fmt.Sprintf("could not get media types form verifier: %v", err),
+			fmt.Sprintf("could not get media types from verifier: %v", err),
 		)
 		return
 	}
 
+	// In lead-verifier mode, we need to get the supported collection media types
+	// from the verifier as well, to be able to create sessions that can accept
+	// composite evidence.
+	supportedCollectionMediaTypes, err := o.Verifier.SupportedCompositeEvidenceMediaTypes()
+	if err != nil {
+		ReportProblem(c,
+			http.StatusInternalServerError,
+			fmt.Sprintf("could not get collection media types from verifier: %v", err),
+		)
+		return
+	}
+
+	// Note that if the node is not a lead-verifier, the supported collection
+	// media types list is empty, which makes the following a no-op.
+	supportedMediaTypes = append(supportedMediaTypes, supportedCollectionMediaTypes...)
+
 	id, session, err := newSession(nonce, supportedMediaTypes, ConfigSessionTTL)
 	if err != nil {
 		ReportProblem(c,
@@ -529,15 +578,20 @@ func (o *Handler) getVerificationMediaTypes() ([]string, error) {
 	return o.Verifier.SupportedMediaTypes()
 }
 
+func (o *Handler) getSupportedCompositeEvidenceMediaTypes() ([]string, error) {
+	return o.Verifier.SupportedCompositeEvidenceMediaTypes()
+}
+
 func (o *Handler) getVerificationServerVersionAndState() (string, string, error) {
 	vtsState, err := o.Verifier.GetVTSState()
 	if err != nil {
 		return "", "", err
 	}
+
 	version := vtsState.ServerVersion
 	state := vtsState.Status.String()
-	return version, state, nil
 
+	return version, state, nil
 }
 
 func getVerificationEndpoints() map[string]string {
@@ -574,6 +628,16 @@ func (o *Handler) GetWellKnownVerificationInfo(c *gin.Context) {
 		return
 	}
 
+	// Get verification composite evidence media types
+	compositeEvidenceMediaTypes, err := o.getSupportedCompositeEvidenceMediaTypes()
+	if err != nil {
+		ReportProblem(c,
+			http.StatusInternalServerError,
+			err.Error(),
+		)
+		return
+	}
+
 	// Get verification server version and state
 	version, state, err := o.getVerificationServerVersionAndState()
 	if err != nil {
@@ -588,7 +652,7 @@ func (o *Handler) GetWellKnownVerificationInfo(c *gin.Context) {
 	endpoints := getVerificationEndpoints()
 
 	// Get final object with well known information
-	obj, err := capability.NewWellKnownInfoObj(key, mediaTypes, nil, version, state, endpoints)
+	obj, err := capability.NewWellKnownInfoObj(key, mediaTypes, compositeEvidenceMediaTypes, nil, version, state, endpoints)
 	if err != nil {
 		ReportProblem(c,
 			http.StatusInternalServerError,

verification/verifier/iverifier.go

@@ -10,6 +10,9 @@ type IVerifier interface {
 	GetVTSState() (*proto.ServiceState, error)
 	GetPublicKey() (*proto.PublicKey, error)
 	IsSupportedMediaType(mt string) (bool, error)
+	IsSupportedCompositeEvidenceMediaType(mt string) (bool, error)
 	SupportedMediaTypes() ([]string, error)
+	SupportedCompositeEvidenceMediaTypes() ([]string, error)
 	ProcessEvidence(tenantID string, nonce []byte, data []byte, mt string) ([]byte, error)
+	ProcessCompositeEvidence(tenantID string, nonce []byte, data []byte, mt string) ([]byte, error)
 }

verification/verifier/verifier.go

@@ -31,7 +31,8 @@ func (o *Verifier) GetVTSState() (*proto.ServiceState, error) {
 }
 
 func (o *Verifier) IsSupportedMediaType(mt string) (bool, error) {
-	mt, err := api.NormalizeMediaType(mt)
+	dropParams := false
+	mt, err := api.NormalizeMediaType(mt, dropParams)
 	if err != nil {
 		return false, fmt.Errorf("%w: validation failed for %s (%v)", ErrInputParam, mt, err)
 	}
@@ -53,6 +54,30 @@ func (o *Verifier) IsSupportedMediaType(mt string) (bool, error) {
 	return false, nil
 }
 
+func (o *Verifier) IsSupportedCompositeEvidenceMediaType(mt string) (bool, error) {
+	dropParams := true
+	mt, err := api.NormalizeMediaType(mt, dropParams)
+	if err != nil {
+		return false, fmt.Errorf("%w: validation failed for %s (%v)", ErrInputParam, mt, err)
+	}
+
+	mts, err := o.VTSClient.GetSupportedCompositeEvidenceMediaTypes(
+		context.Background(),
+		&emptypb.Empty{},
+	)
+	if err != nil {
+		return false, err
+	}
+
+	for _, v := range mts.MediaTypes {
+		if v == mt {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
 func (o *Verifier) SupportedMediaTypes() ([]string, error) {
 	mts, err := o.VTSClient.GetSupportedVerificationMediaTypes(
 		context.Background(),
@@ -92,3 +117,49 @@ func (o *Verifier) ProcessEvidence(
 func (o *Verifier) GetPublicKey() (*proto.PublicKey, error) {
 	return o.VTSClient.GetEARSigningPublicKey(context.Background(), &emptypb.Empty{})
 }
+
+func (o *Verifier) ProcessCompositeEvidence(
+	tenantID string,
+	nonce []byte,
+	data []byte,
+	mt string,
+) ([]byte, error) {
+	token := &proto.AttestationToken{
+		TenantId:  tenantID,
+		Data:      data,
+		MediaType: mt,
+		Nonce:     nonce,
+	}
+
+	appraisalCtx, err := o.VTSClient.GetCompositeAttestation(
+		context.Background(),
+		token,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return appraisalCtx.Result, nil
+}
+
+func (o *Verifier) SupportedCompositeEvidenceMediaTypes() ([]string, error) {
+	// TODO(tho) remove hardcoded list and uncomment gRPC call once VTS supports it
+	return []string{}, nil
+
+	// return []string{
+	// 	"application/cmw+cbor",
+	// 	"application/cmw+cose",
+	// 	"application/cmw+json",
+	// 	"application/cmw+jws",
+	// }, nil
+
+	// mts, err := o.VTSClient.GetSupportedCompositeEvidenceMediaTypes(
+	// 	context.Background(),
+	// 	&emptypb.Empty{},
+	// )
+	// if err != nil {
+	// 	return nil, err
+	// }
+
+	// return mts.GetMediaTypes(), nil
+}

vtsclient/vtsclient_grpc.go

@@ -277,7 +277,8 @@ func normalizeMediaTypeList(mts *proto.MediaTypeList) *proto.MediaTypeList {
 	var nmts []string // nolint:prealloc
 
 	for _, mt := range mts.GetMediaTypes() {
-		nmt, err := api.NormalizeMediaType(mt)
+		dropParams := false
+		nmt, err := api.NormalizeMediaType(mt, dropParams)
 		if err != nil {
 			// skip invalid media type
 			continue