feat(lead verifier): verification API support

Add transparent support for the "lead verifier" mode where the usual
challenge-response API accepts verification requests for composite
evidence and dispatches them to the CE handler endpoint in VTS.

The existing verification API logic is extended to:

1. Advertise collection types during content negotiation, as well as via
   the discovery interface.
2. Recognise requests for collection types that do not have an
   associated scheme plugin, and forward them to the CE handler.

Signed-off-by: Thomas Fossati <[email protected]>

Author: thomas-fossati

api/api.go

@@ -8,11 +8,17 @@ import "mime"
 // parameters) and returns it in normalized form, i.e., with lowercase type,
 // subtype and, optionally, parameter name.  An error is returned if the
 // supplied media type is invalid.
-func NormalizeMediaType(mt string) (string, error) {
+// If dropParams is true, any parameters in the supplied media type are
+// discarded in the returned normalized media type.
+func NormalizeMediaType(mt string, dropParams bool) (string, error) {
 	m, p, err := mime.ParseMediaType(mt)
 	if err != nil {
 		return "", err
 	}
 
+	if dropParams {
+		p = nil
+	}
+
 	return mime.FormatMediaType(m, p), nil
 }

capability/well-known.go

@@ -11,12 +11,13 @@ const (
 )
 
 type WellKnownInfo struct {
-	PublicKey    jwk.Key           `json:"ear-verification-key,omitempty"`
-	MediaTypes   []string          `json:"media-types,omitempty"`
-	Schemes      []string          `json:"attestation-schemes,omitempty"`
-	Version      string            `json:"version"`
-	ServiceState string            `json:"service-state"`
-	ApiEndpoints map[string]string `json:"api-endpoints"`
+	PublicKey                   jwk.Key           `json:"ear-verification-key,omitempty"`
+	MediaTypes                  []string          `json:"media-types,omitempty"`
+	CompositeEvidenceMediaTypes []string          `json:"composite-evidence-media-types,omitempty"`
+	Schemes                     []string          `json:"attestation-schemes,omitempty"`
+	Version                     string            `json:"version"`
+	ServiceState                string            `json:"service-state"`
+	ApiEndpoints                map[string]string `json:"api-endpoints"`
 }
 
 var ssTrans = map[string]string{
@@ -38,19 +39,21 @@ func ServiceStateToAPI(ss string) string {
 func NewWellKnownInfoObj(
 	key jwk.Key,
 	mediaTypes []string,
+	compositeEvidenceMediaTypes []string,
 	schemes []string,
 	version string,
 	serviceState string,
 	endpoints map[string]string,
 ) (*WellKnownInfo, error) {
 	// MUST be kept in sync with proto/state.proto
 	obj := &WellKnownInfo{
-		PublicKey:    key,
-		MediaTypes:   mediaTypes,
-		Schemes:      schemes,
-		Version:      version,
-		ServiceState: ServiceStateToAPI(serviceState),
-		ApiEndpoints: endpoints,
+		PublicKey:                   key,
+		MediaTypes:                  mediaTypes,
+		CompositeEvidenceMediaTypes: compositeEvidenceMediaTypes,
+		Schemes:                     schemes,
+		Version:                     version,
+		ServiceState:                ServiceStateToAPI(serviceState),
+		ApiEndpoints:                endpoints,
 	}
 
 	return obj, nil

management/api/handler.go

@@ -256,6 +256,7 @@ func (o Handler) GetManagementWellKnownInfo(c *gin.Context) {
 	obj, err := capability.NewWellKnownInfoObj(
 		nil, // key
 		nil, // media types
+		nil, // composite evidence media types
 		o.Manager.SupportedSchemes,
 		config.Version,
 		"SERVICE_STATUS_READY",

provisioning/api/handler.go

@@ -207,7 +207,7 @@ func (o *Handler) GetWellKnownProvisioningInfo(c *gin.Context) {
 	endpoints := getProvisioningEndpoints()
 
 	// Get final object with well known information
-	obj, err := capability.NewWellKnownInfoObj(nil, mediaTypes, nil, version, state, endpoints)
+	obj, err := capability.NewWellKnownInfoObj(nil, mediaTypes, nil, nil, version, state, endpoints)
 	if err != nil {
 		ReportProblem(c,
 			http.StatusInternalServerError,

provisioning/provisioner/provisioner.go

@@ -27,7 +27,8 @@ func New(vtsClient vtsclient.IVTSClient) IProvisioner {
 }
 
 func (p *Provisioner) IsSupportedMediaType(mt string) (bool, error) {
-	normalizedMediaType, err := api.NormalizeMediaType(mt)
+	dropParams := false
+	normalizedMediaType, err := api.NormalizeMediaType(mt, dropParams)
 	if err != nil {
 		return false, fmt.Errorf("%w: validation failed for %s (%v)", ErrInputParam, mt, err)
 	}

verification/api/handler.go

@@ -357,7 +357,7 @@ func (o *Handler) SubmitEvidence(c *gin.Context) {
 		}
 	}
 
-	isSupported, err := o.Verifier.IsSupportedMediaType(mediaType)
+	isSupportedMediaType, err := o.Verifier.IsSupportedMediaType(mediaType)
 	if err != nil {
 		status := http.StatusInternalServerError
 		if errors.Unwrap(err) == verifier.ErrInputParam {
@@ -368,6 +368,19 @@ func (o *Handler) SubmitEvidence(c *gin.Context) {
 		return
 	}
 
+	isSupportedCompositeEvidenceMediaType, err := o.Verifier.IsSupportedCompositeEvidenceMediaType(mediaType)
+	if err != nil {
+		status := http.StatusInternalServerError
+		if errors.Unwrap(err) == verifier.ErrInputParam {
+			status = http.StatusBadRequest
+		}
+
+		ReportProblem(c, status, fmt.Sprintf("could not check composite evidence media type with verifier: %v", err))
+		return
+	}
+
+	isSupported := isSupportedMediaType || isSupportedCompositeEvidenceMediaType
+
 	if !isSupported {
 		supportedMediaTypes, err := o.Verifier.SupportedMediaTypes()
 		if err != nil {
@@ -379,6 +392,18 @@ func (o *Handler) SubmitEvidence(c *gin.Context) {
 			return
 		}
 
+		supportedCompositeEvidenceMediaTypes, err := o.Verifier.SupportedCompositeEvidenceMediaTypes()
+		if err != nil {
+			ReportProblem(c,
+				http.StatusInternalServerError,
+				fmt.Sprintf("could not get supported composite evidence media types from verifier: %v",
+					err),
+			)
+			return
+		}
+
+		supportedMediaTypes = append(supportedMediaTypes, supportedCompositeEvidenceMediaTypes...)
+
 		c.Header("Accept", strings.Join(supportedMediaTypes, ", "))
 		ReportProblem(c,
 			http.StatusUnsupportedMediaType,
@@ -411,8 +436,16 @@ func (o *Handler) SubmitEvidence(c *gin.Context) {
 	// reported if something in the verifier or the connection goes wrong.
 	// Any problems with the evidence are expected to be reported via the
 	// attestation result.
-	attestationResult, err := o.Verifier.ProcessEvidence(tenantID, session.Nonce,
-		evidence, mediaType)
+	var attestationResult []byte
+
+	if isSupportedMediaType {
+		attestationResult, err = o.Verifier.ProcessEvidence(tenantID, session.Nonce,
+			evidence, mediaType)
+	} else if isSupportedCompositeEvidenceMediaType {
+		attestationResult, err = o.Verifier.ProcessCompositeEvidence(tenantID, session.Nonce,
+			evidence, mediaType)
+	}
+
 	if err != nil {
 		o.logger.Error(err)
 		session.SetStatus(StatusFailed)
@@ -474,11 +507,27 @@ func (o *Handler) NewChallengeResponse(c *gin.Context) {
 	if err != nil {
 		ReportProblem(c,
 			http.StatusInternalServerError,
-			fmt.Sprintf("could not get media types form verifier: %v", err),
+			fmt.Sprintf("could not get media types from verifier: %v", err),
 		)
 		return
 	}
 
+	// In lead-verifier mode, we need to get the supported collection media types
+	// from the verifier as well, to be able to create sessions that can accept
+	// composite evidence.
+	supportedCollectionMediaTypes, err := o.Verifier.SupportedCompositeEvidenceMediaTypes()
+	if err != nil {
+		ReportProblem(c,
+			http.StatusInternalServerError,
+			fmt.Sprintf("could not get collection media types from verifier: %v", err),
+		)
+		return
+	}
+
+	// Note that if the node is not a lead-verifier, the supported collection
+	// media types list is empty, which makes the following a no-op.
+	supportedMediaTypes = append(supportedMediaTypes, supportedCollectionMediaTypes...)
+
 	id, session, err := newSession(nonce, supportedMediaTypes, ConfigSessionTTL)
 	if err != nil {
 		ReportProblem(c,
@@ -529,15 +578,20 @@ func (o *Handler) getVerificationMediaTypes() ([]string, error) {
 	return o.Verifier.SupportedMediaTypes()
 }
 
+func (o *Handler) getSupportedCompositeEvidenceMediaTypes() ([]string, error) {
+	return o.Verifier.SupportedCompositeEvidenceMediaTypes()
+}
+
 func (o *Handler) getVerificationServerVersionAndState() (string, string, error) {
 	vtsState, err := o.Verifier.GetVTSState()
 	if err != nil {
 		return "", "", err
 	}
+
 	version := vtsState.ServerVersion
 	state := vtsState.Status.String()
-	return version, state, nil
 
+	return version, state, nil
 }
 
 func getVerificationEndpoints() map[string]string {
@@ -574,6 +628,16 @@ func (o *Handler) GetWellKnownVerificationInfo(c *gin.Context) {
 		return
 	}
 
+	// Get verification composite evidence media types
+	compositeEvidenceMediaTypes, err := o.getSupportedCompositeEvidenceMediaTypes()
+	if err != nil {
+		ReportProblem(c,
+			http.StatusInternalServerError,
+			err.Error(),
+		)
+		return
+	}
+
 	// Get verification server version and state
 	version, state, err := o.getVerificationServerVersionAndState()
 	if err != nil {
@@ -588,7 +652,7 @@ func (o *Handler) GetWellKnownVerificationInfo(c *gin.Context) {
 	endpoints := getVerificationEndpoints()
 
 	// Get final object with well known information
-	obj, err := capability.NewWellKnownInfoObj(key, mediaTypes, nil, version, state, endpoints)
+	obj, err := capability.NewWellKnownInfoObj(key, mediaTypes, compositeEvidenceMediaTypes, nil, version, state, endpoints)
 	if err != nil {
 		ReportProblem(c,
 			http.StatusInternalServerError,