wip

Signed-off-by: Thomas Fossati <[email protected]>

Author: thomas-fossati

api/api.go

@@ -8,11 +8,17 @@ import "mime"
 // parameters) and returns it in normalized form, i.e., with lowercase type,
 // subtype and, optionally, parameter name.  An error is returned if the
 // supplied media type is invalid.
-func NormalizeMediaType(mt string) (string, error) {
+// If dropParams is true, any parameters in the supplied media type are
+// discarded in the returned normalized media type.
+func NormalizeMediaType(mt string, dropParams bool) (string, error) {
 	m, p, err := mime.ParseMediaType(mt)
 	if err != nil {
 		return "", err
 	}
 
+	if dropParams {
+		p = nil
+	}
+
 	return mime.FormatMediaType(m, p), nil
 }

capability/well-known.go

@@ -11,12 +11,13 @@ const (
 )
 
 type WellKnownInfo struct {
-	PublicKey    jwk.Key           `json:"ear-verification-key,omitempty"`
-	MediaTypes   []string          `json:"media-types,omitempty"`
-	Schemes      []string          `json:"attestation-schemes,omitempty"`
-	Version      string            `json:"version"`
-	ServiceState string            `json:"service-state"`
-	ApiEndpoints map[string]string `json:"api-endpoints"`
+	PublicKey                   jwk.Key           `json:"ear-verification-key,omitempty"`
+	MediaTypes                  []string          `json:"media-types,omitempty"`
+	CompositeEvidenceMediaTypes []string          `json:"composite-evidence-media-types,omitempty"`
+	Schemes                     []string          `json:"attestation-schemes,omitempty"`
+	Version                     string            `json:"version"`
+	ServiceState                string            `json:"service-state"`
+	ApiEndpoints                map[string]string `json:"api-endpoints"`
 }
 
 var ssTrans = map[string]string{
@@ -38,19 +39,21 @@ func ServiceStateToAPI(ss string) string {
 func NewWellKnownInfoObj(
 	key jwk.Key,
 	mediaTypes []string,
+	compositeEvidenceMediaTypes []string,
 	schemes []string,
 	version string,
 	serviceState string,
 	endpoints map[string]string,
 ) (*WellKnownInfo, error) {
 	// MUST be kept in sync with proto/state.proto
 	obj := &WellKnownInfo{
-		PublicKey:    key,
-		MediaTypes:   mediaTypes,
-		Schemes:      schemes,
-		Version:      version,
-		ServiceState: ServiceStateToAPI(serviceState),
-		ApiEndpoints: endpoints,
+		PublicKey:                   key,
+		MediaTypes:                  mediaTypes,
+		CompositeEvidenceMediaTypes: compositeEvidenceMediaTypes,
+		Schemes:                     schemes,
+		Version:                     version,
+		ServiceState:                ServiceStateToAPI(serviceState),
+		ApiEndpoints:                endpoints,
 	}
 
 	return obj, nil

management/api/handler.go

@@ -256,6 +256,7 @@ func (o Handler) GetManagementWellKnownInfo(c *gin.Context) {
 	obj, err := capability.NewWellKnownInfoObj(
 		nil, // key
 		nil, // media types
+		nil, // composite evidence media types
 		o.Manager.SupportedSchemes,
 		config.Version,
 		"SERVICE_STATUS_READY",

provisioning/api/handler.go

@@ -207,7 +207,7 @@ func (o *Handler) GetWellKnownProvisioningInfo(c *gin.Context) {
 	endpoints := getProvisioningEndpoints()
 
 	// Get final object with well known information
-	obj, err := capability.NewWellKnownInfoObj(nil, mediaTypes, nil, version, state, endpoints)
+	obj, err := capability.NewWellKnownInfoObj(nil, mediaTypes, nil, nil, version, state, endpoints)
 	if err != nil {
 		ReportProblem(c,
 			http.StatusInternalServerError,

provisioning/provisioner/provisioner.go

@@ -27,7 +27,8 @@ func New(vtsClient vtsclient.IVTSClient) IProvisioner {
 }
 
 func (p *Provisioner) IsSupportedMediaType(mt string) (bool, error) {
-	normalizedMediaType, err := api.NormalizeMediaType(mt)
+	dropParams := false
+	normalizedMediaType, err := api.NormalizeMediaType(mt, dropParams)
 	if err != nil {
 		return false, fmt.Errorf("%w: validation failed for %s (%v)", ErrInputParam, mt, err)
 	}

verification/api/handler.go

@@ -357,7 +357,7 @@ func (o *Handler) SubmitEvidence(c *gin.Context) {
 		}
 	}
 
-	isSupported, err := o.Verifier.IsSupportedMediaType(mediaType)
+	isSupportedMediaType, err := o.Verifier.IsSupportedMediaType(mediaType)
 	if err != nil {
 		status := http.StatusInternalServerError
 		if errors.Unwrap(err) == verifier.ErrInputParam {
@@ -368,6 +368,19 @@ func (o *Handler) SubmitEvidence(c *gin.Context) {
 		return
 	}
 
+	isSupportedCompositeEvidenceMediaType, err := o.Verifier.IsSupportedCompositeEvidenceMediaType(mediaType)
+	if err != nil {
+		status := http.StatusInternalServerError
+		if errors.Unwrap(err) == verifier.ErrInputParam {
+			status = http.StatusBadRequest
+		}
+
+		ReportProblem(c, status, fmt.Sprintf("could not check composite evidence media type with verifier: %v", err))
+		return
+	}
+
+	isSupported := isSupportedMediaType || isSupportedCompositeEvidenceMediaType
+
 	if !isSupported {
 		supportedMediaTypes, err := o.Verifier.SupportedMediaTypes()
 		if err != nil {
@@ -379,6 +392,18 @@ func (o *Handler) SubmitEvidence(c *gin.Context) {
 			return
 		}
 
+		supportedCompositeEvidenceMediaTypes, err := o.Verifier.SupportedCompositeEvidenceMediaTypes()
+		if err != nil {
+			ReportProblem(c,
+				http.StatusInternalServerError,
+				fmt.Sprintf("could not get supported composite evidence media types from verifier: %v",
+					err),
+			)
+			return
+		}
+
+		supportedMediaTypes = append(supportedMediaTypes, supportedCompositeEvidenceMediaTypes...)
+
 		c.Header("Accept", strings.Join(supportedMediaTypes, ", "))
 		ReportProblem(c,
 			http.StatusUnsupportedMediaType,
@@ -411,8 +436,16 @@ func (o *Handler) SubmitEvidence(c *gin.Context) {
 	// reported if something in the verifier or the connection goes wrong.
 	// Any problems with the evidence are expected to be reported via the
 	// attestation result.
-	attestationResult, err := o.Verifier.ProcessEvidence(tenantID, session.Nonce,
-		evidence, mediaType)
+	var attestationResult []byte
+
+	if isSupportedMediaType {
+		attestationResult, err = o.Verifier.ProcessEvidence(tenantID, session.Nonce,
+			evidence, mediaType)
+	} else if isSupportedCompositeEvidenceMediaType {
+		attestationResult, err = o.Verifier.ProcessCompositeEvidence(tenantID, session.Nonce,
+			evidence, mediaType)
+	}
+
 	if err != nil {
 		o.logger.Error(err)
 		session.SetStatus(StatusFailed)
@@ -474,11 +507,27 @@ func (o *Handler) NewChallengeResponse(c *gin.Context) {
 	if err != nil {
 		ReportProblem(c,
 			http.StatusInternalServerError,
-			fmt.Sprintf("could not get media types form verifier: %v", err),
+			fmt.Sprintf("could not get media types from verifier: %v", err),
 		)
 		return
 	}
 
+	// In lead-verifier mode, we need to get the supported collection media types
+	// from the verifier as well, to be able to create sessions that can accept
+	// composite evidence.
+	supportedCollectionMediaTypes, err := o.Verifier.SupportedCompositeEvidenceMediaTypes()
+	if err != nil {
+		ReportProblem(c,
+			http.StatusInternalServerError,
+			fmt.Sprintf("could not get collection media types from verifier: %v", err),
+		)
+		return
+	}
+
+	// Note that if the node is not a lead-verifier, the supported collection
+	// media types list is empty, which makes the following a no-op.
+	supportedMediaTypes = append(supportedMediaTypes, supportedCollectionMediaTypes...)
+
 	id, session, err := newSession(nonce, supportedMediaTypes, ConfigSessionTTL)
 	if err != nil {
 		ReportProblem(c,
@@ -529,15 +578,20 @@ func (o *Handler) getVerificationMediaTypes() ([]string, error) {
 	return o.Verifier.SupportedMediaTypes()
 }
 
+func (o *Handler) getSupportedCompositeEvidenceMediaTypes() ([]string, error) {
+	return o.Verifier.SupportedCompositeEvidenceMediaTypes()
+}
+
 func (o *Handler) getVerificationServerVersionAndState() (string, string, error) {
 	vtsState, err := o.Verifier.GetVTSState()
 	if err != nil {
 		return "", "", err
 	}
+
 	version := vtsState.ServerVersion
 	state := vtsState.Status.String()
-	return version, state, nil
 
+	return version, state, nil
 }
 
 func getVerificationEndpoints() map[string]string {
@@ -574,6 +628,16 @@ func (o *Handler) GetWellKnownVerificationInfo(c *gin.Context) {
 		return
 	}
 
+	// Get verification composite evidence media types
+	compositeEvidenceMediaTypes, err := o.getSupportedCompositeEvidenceMediaTypes()
+	if err != nil {
+		ReportProblem(c,
+			http.StatusInternalServerError,
+			err.Error(),
+		)
+		return
+	}
+
 	// Get verification server version and state
 	version, state, err := o.getVerificationServerVersionAndState()
 	if err != nil {
@@ -588,7 +652,7 @@ func (o *Handler) GetWellKnownVerificationInfo(c *gin.Context) {
 	endpoints := getVerificationEndpoints()
 
 	// Get final object with well known information
-	obj, err := capability.NewWellKnownInfoObj(key, mediaTypes, nil, version, state, endpoints)
+	obj, err := capability.NewWellKnownInfoObj(key, mediaTypes, compositeEvidenceMediaTypes, nil, version, state, endpoints)
 	if err != nil {
 		ReportProblem(c,
 			http.StatusInternalServerError,

verification/api/handler_test.go

@@ -222,6 +222,9 @@ func TestHandler_NewChallengeResponse_NoNonceParameters(t *testing.T) {
 	v.EXPECT().
 		SupportedMediaTypes().
 		Return(testSupportedMediaTypes, nil)
+	v.EXPECT().
+		SupportedCompositeEvidenceMediaTypes().
+		Return([]string{}, nil)
 
 	h := NewHandler(sm, v)
 
@@ -262,6 +265,9 @@ func TestHandler_NewChallengeResponse_NonceParameter(t *testing.T) {
 	v.EXPECT().
 		SupportedMediaTypes().
 		Return(testSupportedMediaTypes, nil)
+	v.EXPECT().
+		SupportedCompositeEvidenceMediaTypes().
+		Return([]string{}, nil)
 
 	h := NewHandler(sm, v)
 
@@ -308,6 +314,9 @@ func TestHandler_NewChallengeResponse_NonceSizeParameter(t *testing.T) {
 	v.EXPECT().
 		SupportedMediaTypes().
 		Return(testSupportedMediaTypes, nil)
+	v.EXPECT().
+		SupportedCompositeEvidenceMediaTypes().
+		Return([]string{}, nil)
 
 	h := NewHandler(sm, v)
 
@@ -364,6 +373,9 @@ func TestHandler_NewChallengeResponse_SetSessionFailure(t *testing.T) {
 	v.EXPECT().
 		SupportedMediaTypes().
 		Return(testSupportedMediaTypes, nil)
+	v.EXPECT().
+		SupportedCompositeEvidenceMediaTypes().
+		Return([]string{}, nil)
 
 	h := NewHandler(sm, v)
 
@@ -445,6 +457,12 @@ func TestHandler_SubmitEvidence_unsupported_evidence_format(t *testing.T) {
 	v.EXPECT().
 		IsSupportedMediaType(testUnsupportedMediaType).
 		Return(false, nil)
+	v.EXPECT().
+		SupportedCompositeEvidenceMediaTypes().
+		Return([]string{}, nil)
+	v.EXPECT().
+		IsSupportedCompositeEvidenceMediaType(testUnsupportedMediaType).
+		Return(false, nil)
 
 	h := NewHandler(sm, v)
 
@@ -486,6 +504,9 @@ func TestHandler_SubmitEvidence_bad_session_id_url(t *testing.T) {
 	v.EXPECT().
 		IsSupportedMediaType(testSupportedMediaTypeA).
 		Return(true, nil)
+	v.EXPECT().
+		IsSupportedCompositeEvidenceMediaType(testSupportedMediaTypeA).
+		Return(false, nil)
 
 	h := NewHandler(sm, v)
 
@@ -531,6 +552,9 @@ func TestHandler_SubmitEvidence_session_not_found(t *testing.T) {
 	v.EXPECT().
 		IsSupportedMediaType(testSupportedMediaTypeA).
 		Return(true, nil)
+	v.EXPECT().
+		IsSupportedCompositeEvidenceMediaType(testSupportedMediaTypeA).
+		Return(false, nil)
 
 	h := NewHandler(sm, v)
 
@@ -612,6 +636,9 @@ func TestHandler_SubmitEvidence_process_evidence_failed(t *testing.T) {
 	v.EXPECT().
 		IsSupportedMediaType(testSupportedMediaTypeA).
 		Return(true, nil)
+	v.EXPECT().
+		IsSupportedCompositeEvidenceMediaType(testSupportedMediaTypeA).
+		Return(false, nil)
 	v.EXPECT().
 		ProcessEvidence(tenantID, testNonce, []byte(testJSONBody), testSupportedMediaTypeA).
 		Return(nil, errors.New(vmErr))
@@ -655,6 +682,9 @@ func TestHandler_SubmitEvidence_process_ok_sync(t *testing.T) {
 	v.EXPECT().
 		IsSupportedMediaType(testSupportedMediaTypeA).
 		Return(true, nil)
+	v.EXPECT().
+		IsSupportedCompositeEvidenceMediaType(testSupportedMediaTypeA).
+		Return(false, nil)
 	v.EXPECT().
 		ProcessEvidence(tenantID, testNonce, []byte(testJSONBody), testSupportedMediaTypeA).
 		Return([]byte(testResult), nil)
@@ -698,6 +728,9 @@ func TestHandler_SubmitEvidence_process_ok_async(t *testing.T) {
 	v.EXPECT().
 		IsSupportedMediaType(testSupportedMediaTypeA).
 		Return(true, nil)
+	v.EXPECT().
+		IsSupportedCompositeEvidenceMediaType(testSupportedMediaTypeA).
+		Return(false, nil)
 	v.EXPECT().
 		ProcessEvidence(tenantID, testNonce, []byte(testJSONBody), testSupportedMediaTypeA).
 		Return(nil, nil)
@@ -948,6 +981,9 @@ func TestHandler_GetWellKnownVerificationInfo_ok(t *testing.T) {
 	v.EXPECT().
 		SupportedMediaTypes().
 		Return(supportedMediaTypes, nil)
+	v.EXPECT().
+		SupportedCompositeEvidenceMediaTypes().
+		Return([]string{}, nil)
 	v.EXPECT().
 		GetVTSState().
 		Return(&testGoodServiceState, nil)
@@ -1058,6 +1094,9 @@ func TestHandler_GetWellKnownVerificationInfo_GetVTSState_fail(t *testing.T) {
 	v.EXPECT().
 		SupportedMediaTypes().
 		Return(supportedMediaTypes, nil)
+	v.EXPECT().
+		SupportedCompositeEvidenceMediaTypes().
+		Return([]string{}, nil)
 	v.EXPECT().
 		GetVTSState().
 		Return(nil, errors.New("blah"))
@@ -1141,6 +1180,9 @@ func TestHandler_SubmitEvidence_good_CMW(t *testing.T) {
 	v.EXPECT().
 		IsSupportedMediaType(testSupportedMediaTypeA).
 		Return(true, nil)
+	v.EXPECT().
+		IsSupportedCompositeEvidenceMediaType(testSupportedMediaTypeA).
+		Return(false, nil)
 	v.EXPECT().
 		ProcessEvidence(tenantID, testNonce, []byte(testJSONBody), testSupportedMediaTypeA).
 		Return([]byte(testResult), nil)