KBS: apply API changing for CoCo-AS

Signed-off-by: Xynnn007 <[email protected]>
confidential-containers · Nov 11, 2023 · 29bf516 · 29bf516
1 parent 902c571
commit 29bf516
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 21 deletions.
diff --git a/kbs/src/api/src/attestation/coco/builtin.rs b/kbs/src/api/src/attestation/coco/builtin.rs
@@ -8,26 +8,47 @@ use async_trait::async_trait;
 use attestation_service::{
     config::Config as AsConfig, policy_engine::SetPolicyInput, AttestationService,
 };
-use kbs_types::Tee;
+use kbs_types::{Attestation, Tee};
 
 pub struct Native {
     inner: AttestationService,
 }
 
 #[async_trait]
 impl Attest for Native {
-    async fn set_policy(&mut self, input: SetPolicyInput) -> Result<()> {
-        self.inner.set_policy(input).await
+    async fn set_policy(&mut self, input: &str) -> Result<()> {
+        let req: SetPolicyInput =
+            serde_json::from_str(input).context("parse set policy request")?;
+        self.inner.set_policy(req).await
     }
+
     async fn verify(&mut self, tee: Tee, nonce: &str, attestation: &str) -> Result<String> {
-        self.inner.evaluate(tee, nonce, attestation).await
+        let attestation: Attestation =
+            serde_json::from_str(attestation).context("parse Attestation")?;
+        let runtime_data = vec![
+            nonce.as_bytes().to_vec(),
+            attestation.tee_pubkey.k_mod.as_bytes().to_vec(),
+            attestation.tee_pubkey.k_exp.as_bytes().to_vec(),
+        ];
+
+        // TODO: configure policy used in AS
+        // here we specify the policy as `default`.
+        self.inner
+            .evaluate(
+                attestation.tee_evidence.as_bytes().to_vec(),
+                tee,
+                runtime_data,
+                vec![],
+                vec!["default".to_string()],
+            )
+            .await
     }
 }
 
 impl Native {
-    pub fn new(config: &AsConfig) -> Result<Self> {
+    pub async fn new(config: &AsConfig) -> Result<Self> {
         Ok(Self {
-            inner: AttestationService::new(config.clone())?,
+            inner: AttestationService::new(config.clone()).await?,
         })
     }
 }
diff --git a/kbs/src/api/src/attestation/coco/grpc.rs b/kbs/src/api/src/attestation/coco/grpc.rs
@@ -5,7 +5,8 @@
 use crate::attestation::Attest;
 use anyhow::*;
 use async_trait::async_trait;
-use kbs_types::Tee;
+use base64::{engine::general_purpose::STANDARD, Engine};
+use kbs_types::{Attestation, Tee};
 use log::info;
 use serde::Deserialize;
 use tonic::transport::Channel;
@@ -71,9 +72,9 @@ impl Grpc {
 
 #[async_trait]
 impl Attest for Grpc {
-    async fn set_policy(&mut self, input: as_types::SetPolicyInput) -> Result<()> {
+    async fn set_policy(&mut self, input: &str) -> Result<()> {
         let req = tonic::Request::new(SetPolicyRequest {
-            input: serde_json::to_string(&input)?,
+            input: input.to_string(),
         });
 
         let _ = self
@@ -86,10 +87,21 @@ impl Attest for Grpc {
     }
 
     async fn verify(&mut self, tee: Tee, nonce: &str, attestation: &str) -> Result<String> {
+        let attestation: Attestation =
+            serde_json::from_str(attestation).context("parse Attestation")?;
+        let runtime_data = vec![
+            STANDARD.encode(nonce),
+            STANDARD.encode(attestation.tee_pubkey.k_mod),
+            STANDARD.encode(attestation.tee_pubkey.k_exp),
+        ];
+
+        let evidence = STANDARD.encode(attestation.tee_evidence);
         let req = tonic::Request::new(AttestationRequest {
             tee: to_grpc_tee(tee) as i32,
-            nonce: String::from(nonce),
-            evidence: String::from(attestation),
+            evidence,
+            runtime_data,
+            init_data: Vec::new(),
+            policy_ids: vec!["default".to_string()],
         });
 
         let token = self

diff --git a/kbs/src/api/src/attestation/mod.rs b/kbs/src/api/src/attestation/mod.rs
@@ -8,7 +8,6 @@ use anyhow::*;
 use async_trait::async_trait;
 #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))]
 use attestation_service::config::Config as AsConfig;
-use attestation_service::policy_engine::SetPolicyInput;
 #[cfg(feature = "coco-as-grpc")]
 use coco::grpc::GrpcConfig;
 use kbs_types::Tee;
@@ -28,7 +27,7 @@ pub mod amber;
 #[async_trait]
 pub trait Attest: Send + Sync {
     /// Set Attestation Policy
-    async fn set_policy(&mut self, _input: SetPolicyInput) -> Result<()> {
+    async fn set_policy(&mut self, _input: &str) -> Result<()> {
         Err(anyhow!("Set Policy API is unimplemented"))
     }
 
@@ -44,9 +43,9 @@ pub struct AttestationService(pub Arc<Mutex<dyn Attest>>);
 impl AttestationService {
     /// Create and initialize AttestationService.
     #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))]
-    pub fn new(config: &AsConfig) -> Result<Self> {
+    pub async fn new(config: &AsConfig) -> Result<Self> {
         let attestation_service: Arc<Mutex<dyn Attest>> =
-            Arc::new(Mutex::new(coco::builtin::Native::new(config)?));
+            Arc::new(Mutex::new(coco::builtin::Native::new(config).await?));
 
         Ok(Self(attestation_service))
     }

diff --git a/kbs/src/api/src/http/config.rs b/kbs/src/api/src/http/config.rs
@@ -2,19 +2,19 @@
 // Licensed under the Apache License, Version 2.0, see LICENSE for details.
 // SPDX-License-Identifier: Apache-2.0
 
-use attestation_service::policy_engine::SetPolicyInput;
-
 use super::*;
 
 #[cfg(feature = "as")]
 /// POST /attestation-policy
 pub(crate) async fn attestation_policy(
     request: HttpRequest,
-    input: web::Json<SetPolicyInput>,
+    input: web::Bytes,
     user_pub_key: web::Data<Option<Ed25519PublicKey>>,
     insecure: web::Data<bool>,
     attestation_service: web::Data<AttestationService>,
 ) -> Result<HttpResponse> {
+    use serde_json::Value;
+
     if !insecure.get_ref() {
         let user_pub_key = user_pub_key
             .as_ref()
@@ -26,11 +26,14 @@ pub(crate) async fn attestation_policy(
         })?;
     }
 
+    let set_policy_request = String::from_utf8(input.as_ref().to_vec())
+        .map_err(|e| Error::PolicyEndpoint(format!("Illegal input SetPolicy request: {e}")))?;
+
     attestation_service
         .0
         .lock()
         .await
-        .set_policy(input.into_inner())
+        .set_policy(&set_policy_request)
         .await
         .map_err(|e| Error::PolicyEndpoint(format!("Set policy error {e}")))?;
 

diff --git a/kbs/src/kbs/src/main.rs b/kbs/src/kbs/src/main.rs
@@ -43,7 +43,7 @@ async fn main() -> Result<()> {
     let attestation_service = {
         cfg_if::cfg_if! {
             if #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] {
-                AttestationService::new(&kbs_config.as_config.unwrap_or_default())?
+                AttestationService::new(&kbs_config.as_config.unwrap_or_default()).await?
             } else if #[cfg(feature = "coco-as-grpc")] {
                 AttestationService::new(&kbs_config.grpc_config.unwrap_or_default()).await?
             } else if #[cfg(feature = "amber-as")] {

diff --git a/kbs/tools/client/src/lib.rs b/kbs/tools/client/src/lib.rs
@@ -5,14 +5,14 @@
 //! KBS client SDK.
 
 use anyhow::{anyhow, bail, Result};
-use as_types::SetPolicyInput;
 use base64::engine::general_purpose::STANDARD;
 use base64::Engine;
 use jwt_simple::prelude::{Claims, Duration, Ed25519KeyPair, EdDSAKeyPairLike};
 use kbs_protocol::evidence_provider::NativeEvidenceProvider;
 use kbs_protocol::token_provider::TestTokenProvider;
 use kbs_protocol::KbsClientBuilder;
 use kbs_protocol::KbsClientCapabilities;
+use serde::Deserialize;
 use serde::Serialize;
 
 const KBS_URL_PREFIX: &str = "kbs/v0";
@@ -104,6 +104,13 @@ pub async fn get_resource_with_attestation(
     Ok(resource_bytes)
 }
 
+#[derive(Serialize, Deserialize, Debug, Clone)]
+pub struct SetPolicyInput {
+    pub r#type: String,
+    pub policy_id: String,
+    pub policy: String,
+}
+
 /// Set attestation policy
 /// Input parameters:
 /// - url: KBS server root URL.