feat(lead verifier): veraison client plugin

Signed-off-by: Thomas Fossati <[email protected]>

Author: thomas-fossati

go.mod

@@ -159,6 +159,7 @@ require (
 	github.com/google/go-sev-guest v0.14.1
 	github.com/jraman567/go-gen-ref v1.2.3
 	github.com/pkg/errors v0.9.1
+	github.com/veraison/apiclient v0.4.0
 	github.com/veraison/ratsd v0.0.0-20251002182229-94bebd610d15
 )
 

go.sum

@@ -1221,6 +1221,8 @@ github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGr
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/ugorji/go/codec v1.2.11 h1:BMaWp1Bb6fHwEtbplGBGJ498wD+LKlNSl25MjdZY4dU=
 github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/veraison/apiclient v0.4.0 h1:eH0a1beH3o5gVjSkYwbTiEw1YhmTo1Ce5i/IXZPCIiQ=
+github.com/veraison/apiclient v0.4.0/go.mod h1:pG8SKDEmpoAAeEIfPgAL8widwOPanue4luEA4pAzrl8=
 github.com/veraison/ccatoken v1.3.2-0.20250512122414-b26aba0635c4 h1:t2GQueIc1SrErZpprs2ll9ETaXln/nOCPVRq7OejzfQ=
 github.com/veraison/ccatoken v1.3.2-0.20250512122414-b26aba0635c4/go.mod h1:vMqdbW4H/8A3oT+24qssuIK3Aefy06XqzTELGg+gWAg=
 github.com/veraison/cmw v0.3.0 h1:Uu+Kf76sGseSBXPY6MIGo6CZAqkUUFDt7r6sBN7sB7k=

scheme/veraison-client/Makefile

@@ -6,6 +6,13 @@
 GOPKG := github.com/veraison/services/scheme/veraison-client
 SRCS := $(wildcard *.go)
 
+INTERFACES := iveraisonchallengeresponseclient.go
+INTERFACES += iveraisondiscoveryclient.go
+
+MOCKPKG := mocks
+
+lint-hook-pre: _mocks
+
 SUBDIR += plugin
 
 include ../../mk/common.mk

scheme/veraison-client/README.md

@@ -1,7 +1,44 @@
+# Veraison client plugin
+
+This plugin implements a Veraison API client that requests an appraisal of evidence from a verifier which exposes Veraison's challenge-response and discovery APIs.
+
+VTS can use this plugin in a node running in lead verifier mode when connecting to a downstream verifier, or to itself when the node is running in a hybrid lead/sub mode.
+
+The appraisal request is made in RP mode, which means that the client decides on the nonce to be used to determine the freshness of the supplied evidence.
+
+## Business logic
+
+The plugin is tasked with the following actions:
+
+* Receive component evidence and the nonce from the CE handler.
+* Get the verifier's public key and C-R session endpoint by querying the well-known interface.
+* Initiate a challenge-response session in RP mode with the configured verifier, supplying the component evidence and nonce.
+* Obtain an EAR from the verifier.
+* Verify the signature of the EAR.
+* Return the EAR appraisal to the CE Handler.
+
+## Configuration
+
+The clientCfg parameter supplied by the VTS contains the relevant connectivity and trust settings as a serialised JSON byte string.
+
+When de-serialised, the JSON object contains the following keys:
+
+* "url" (mandatory): the verifier’s discovery URL
+* "ca-certs" (optional): one or more files containing the trust anchors used to authenticate server certificates
+* "insecure" (optional): whether certificate verification can skip the trust-related settings
+
+Example:
+```json
+{
+  "url": "https://downstream-verifier.example:8443/.well-known/veraison/verification",
+  "ca-certs": [ "/path/to/ca1.pem", "/path/to/ca2.pem" ]
+}
+```
+
 :warning: :construction: :warning:
 
 Please note that this code is currently in an experimental phase and has not yet been tested as part of the integration test suite.
 It may stop working at any time without warning.
 If you encounter an issue, please report it as a [bug](https://github.com/veraison/services/issues/new?template=bug-report.md).
 
-:warning: :construction: :warning:
+:warning: :construction: :warning:

scheme/veraison-client/iveraisonchallengeresponseclient.go

@@ -0,0 +1,19 @@
+// Copyright 2026 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package veraisonclient
+
+import "github.com/veraison/apiclient/verification"
+
+// IVeraisonChallengeResponseClient is an interface for dealing with Veraison's
+// apiclient/verification ChallengeResponseConfig objects
+type IVeraisonChallengeResponseClient interface {
+	Run() ([]byte, error)
+	SetNonce(nonce []byte) error
+	SetSessionURI(u string) error
+	SetEvidenceBuilder(eb verification.EvidenceBuilder) error
+	SetDeleteSession(v bool)
+	SetNonceSz(nonceSz uint) error
+	SetIsInsecure(v bool)
+	SetCerts(paths []string)
+}

scheme/veraison-client/iveraisondiscoveryclient.go

@@ -0,0 +1,15 @@
+// Copyright 2026 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package veraisonclient
+
+import "github.com/veraison/apiclient/verification"
+
+// IVeraisonDiscoveryClient is an interface for dealing with Veraison's
+// // apiclient/verification discovery objects
+type IVeraisonDiscoveryClient interface {
+	Run() (*verification.DiscoveryObject, error)
+	SetDiscoveryURI(u string) error
+	SetIsInsecure()
+	SetCerts(paths []string) error
+}

scheme/veraison-client/mocks/mock_iveraisonchallengeresponseclient.go

@@ -1,4 +1,4 @@
-// Copyright 2025 Contributors to the Veraison project.
+// Copyright 2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package main

scheme/veraison-client/mocks/mock_iveraisondiscoveryclient.go

@@ -1,4 +1,4 @@
-// Copyright 2025 Contributors to the Veraison project.
+// Copyright 2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package main