diff --git a/kbs/src/api/src/attestation/coco/builtin.rs b/kbs/src/api/src/attestation/coco/builtin.rs
index 0064bacb36..1ab23e62d2 100644
--- a/kbs/src/api/src/attestation/coco/builtin.rs
+++ b/kbs/src/api/src/attestation/coco/builtin.rs
@@ -8,7 +8,7 @@ use async_trait::async_trait; use attestation_service::{ config::Config as AsConfig, policy_engine::SetPolicyInput, AttestationService, }; -use kbs_types::Tee; +use kbs_types::{Attestation, Tee}; pub struct Native { inner: AttestationService,
@@ -16,18 +16,39 @@ pub struct Native { #[async_trait] impl Attest for Native { - async fn set_policy(&mut self, input: SetPolicyInput) -> Result<()> { - self.inner.set_policy(input).await + async fn set_policy(&mut self, input: &str) -> Result<()> { + let req: SetPolicyInput = + serde_json::from_str(input).context("parse set policy request")?; + self.inner.set_policy(req).await } + async fn verify(&mut self, tee: Tee, nonce: &str, attestation: &str) -> Result { - self.inner.evaluate(tee, nonce, attestation).await + let attestation: Attestation = + serde_json::from_str(attestation).context("parse Attestation")?; + let runtime_data = vec![ + nonce.as_bytes().to_vec(), + attestation.tee_pubkey.k_mod.as_bytes().to_vec(), + attestation.tee_pubkey.k_exp.as_bytes().to_vec(), + ]; + + // TODO: configure policy used in AS + // here we specify the policy as `default`. + self.inner + .evaluate( + attestation.tee_evidence.as_bytes().to_vec(), + tee, + runtime_data, + vec![], + vec!["default".to_string()], + ) + .await } } impl Native { - pub fn new(config: &AsConfig) -> Result { + pub async fn new(config: &AsConfig) -> Result { Ok(Self { - inner: AttestationService::new(config.clone())?, + inner: AttestationService::new(config.clone()).await?, }) } }
diff --git a/kbs/src/api/src/attestation/coco/grpc.rs b/kbs/src/api/src/attestation/coco/grpc.rs
index 0406e66259..e7d05ec2d8 100644
--- a/kbs/src/api/src/attestation/coco/grpc.rs
+++ b/kbs/src/api/src/attestation/coco/grpc.rs
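Review bot: `Native::verify` in builtin.rs always evaluates evidence against the single hard-coded policy id `"default"` (`vec!["default".to_string()]`), and the `verify` added to grpc.rs in this commit sets `policy_ids` the same way. `set_policy` still forwards whatever policy id the caller supplies, so a policy stored under any other id would, as far as these hunks show, never take part in verification, and nothing tells the operator. Until the TODO is resolved I would name the value once, e.g. `const DEFAULT_POLICY_ID: &str = "default";` shared by both backends, and state in the doc comment on `verify` that only this policy is evaluated.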
@@ -5,7 +5,8 @@ use crate::attestation::Attest; use anyhow::*; use async_trait::async_trait; -use kbs_types::Tee; +use base64::{engine::general_purpose::STANDARD, Engine}; +use kbs_types::{Attestation, Tee}; use log::info; use serde::Deserialize; use tonic::transport::Channel;
@@ -71,9 +72,9 @@ impl Grpc { #[async_trait] impl Attest for Grpc { - async fn set_policy(&mut self, input: as_types::SetPolicyInput) -> Result<()> { + async fn set_policy(&mut self, input: &str) -> Result<()> { let req = tonic::Request::new(SetPolicyRequest { - input: serde_json::to_string(&input)?, + input: input.to_string(), }); let _ = self
@@ -86,10 +87,21 @@ impl Attest for Grpc { } async fn verify(&mut self, tee: Tee, nonce: &str, attestation: &str) -> Result { + let attestation: Attestation = + serde_json::from_str(attestation).context("parse Attestation")?; + let runtime_data = vec![ + STANDARD.encode(nonce), + STANDARD.encode(attestation.tee_pubkey.k_mod), + STANDARD.encode(attestation.tee_pubkey.k_exp), + ]; + + let evidence = STANDARD.encode(attestation.tee_evidence); let req = tonic::Request::new(AttestationRequest { tee: to_grpc_tee(tee) as i32, - nonce: String::from(nonce), - evidence: String::from(attestation), + evidence, + runtime_data, + init_data: Vec::new(), + policy_ids: vec!["default".to_string()], }); let token = self
diff --git a/kbs/src/api/src/attestation/mod.rs b/kbs/src/api/src/attestation/mod.rs
index 61f18d5e90..298cefc104 100644
--- a/kbs/src/api/src/attestation/mod.rs
+++ b/kbs/src/api/src/attestation/mod.rs
@@ -8,7 +8,6 @@ use anyhow::*; use async_trait::async_trait; #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] use attestation_service::config::Config as AsConfig; -use attestation_service::policy_engine::SetPolicyInput; #[cfg(feature = "coco-as-grpc")] use coco::grpc::GrpcConfig; use kbs_types::Tee;
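Review bot: `Grpc::set_policy` in grpc.rs now forwards the request body to the attestation service unparsed (`input: input.to_string()`), whereas the builtin backend in this commit deserializes it into `SetPolicyInput` and fails early with "parse set policy request". With the gRPC backend a malformed body is therefore rejected, if at all, only by the remote service, and the error the KBS returns differs between the two builds. A syntax check ahead of building the request would keep the two aligned: `serde_json::from_str::<serde_json::Value>(input).context("parse set policy request")?;`.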
@@ -28,7 +27,7 @@ pub mod amber; #[async_trait] pub trait Attest: Send + Sync { /// Set Attestation Policy - async fn set_policy(&mut self, _input: SetPolicyInput) -> Result<()> { + async fn set_policy(&mut self, _input: &str) -> Result<()> { Err(anyhow!("Set Policy API is unimplemented")) }
@@ -44,9 +43,9 @@ pub struct AttestationService(pub Arc>); impl AttestationService { /// Create and initialize AttestationService. #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] - pub fn new(config: &AsConfig) -> Result { + pub async fn new(config: &AsConfig) -> Result { let attestation_service: Arc> = - Arc::new(Mutex::new(coco::builtin::Native::new(config)?)); + Arc::new(Mutex::new(coco::builtin::Native::new(config).await?)); Ok(Self(attestation_service)) }
diff --git a/kbs/src/api/src/http/config.rs b/kbs/src/api/src/http/config.rs
index 906794a708..9c3c6b5018 100644
--- a/kbs/src/api/src/http/config.rs
+++ b/kbs/src/api/src/http/config.rs
@@ -2,19 +2,19 @@ // Licensed under the Apache License, Version 2.0, see LICENSE for details. // SPDX-License-Identifier: Apache-2.0 -use attestation_service::policy_engine::SetPolicyInput; - use super::*; #[cfg(feature = "as")] /// POST /attestation-policy pub(crate) async fn attestation_policy( request: HttpRequest, - input: web::Json, + input: web::Bytes, user_pub_key: web::Data>, insecure: web::Data, attestation_service: web::Data, ) -> Result { + use serde_json::Value; + if !insecure.get_ref() { let user_pub_key = user_pub_key .as_ref()
@@ -26,11 +26,14 @@ pub(crate) async fn attestation_policy( })?; } + let set_policy_request = String::from_utf8(input.as_ref().to_vec()) + .map_err(|e| Error::PolicyEndpoint(format!("Illegal input SetPolicy request: {e}")))?; + attestation_service .0 .lock() .await - .set_policy(input.into_inner()) + .set_policy(&set_policy_request) .await .map_err(|e| Error::PolicyEndpoint(format!("Set policy error {e}")))?;
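Review bot: The doc comment on `Attest::set_policy` in mod.rs still reads only "Set Attestation Policy", but the parameter is now an untyped `&str`, so the expected format is no longer visible from the signature. Judging by the builtin backend in this commit it is the JSON text of a `SetPolicyInput`, which the comment should say, e.g. `/// The input is the JSON-serialized set-policy request; each backend parses or forwards it.`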
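Review bot: `use serde_json::Value;` is added at the top of `attestation_policy` in config.rs, but none of the lines changed in this commit refer to `Value`. The function body continues outside the hunks, so this is only a guess, but if nothing later uses it the import is dead and will raise an unused-import warning. Either drop it or use it for the check it hints at, `serde_json::from_slice::<Value>(&input)`, so that a non-JSON body is rejected in the handler before the service lock is taken.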
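Review bot: `String::from_utf8(input.as_ref().to_vec())` in the second config.rs hunk copies the whole request body only to validate it as UTF-8, while `set_policy` needs just a `&str`. `std::str::from_utf8(input.as_ref())` performs the same check on the borrowed bytes, and the call then becomes `.set_policy(set_policy_request)`. The body size is chosen by the client, so the extra allocation is worth avoiding; the existing `map_err` can stay as it is.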
diff --git a/kbs/src/kbs/src/main.rs b/kbs/src/kbs/src/main.rs
index 64fae44d53..2c14d30430 100644
--- a/kbs/src/kbs/src/main.rs
+++ b/kbs/src/kbs/src/main.rs
@@ -43,7 +43,7 @@ async fn main() -> Result<()> { let attestation_service = { cfg_if::cfg_if! { if #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))] { - AttestationService::new(&kbs_config.as_config.unwrap_or_default())? + AttestationService::new(&kbs_config.as_config.unwrap_or_default()).await? } else if #[cfg(feature = "coco-as-grpc")] { AttestationService::new(&kbs_config.grpc_config.unwrap_or_default()).await? } else if #[cfg(feature = "amber-as")] {
diff --git a/kbs/tools/client/src/lib.rs b/kbs/tools/client/src/lib.rs
index 8e9228ddd5..7946664c5c 100644
--- a/kbs/tools/client/src/lib.rs
+++ b/kbs/tools/client/src/lib.rs
@@ -5,7 +5,6 @@ //! KBS client SDK. use anyhow::{anyhow, bail, Result}; -use as_types::SetPolicyInput; use base64::engine::general_purpose::STANDARD; use base64::Engine; use jwt_simple::prelude::{Claims, Duration, Ed25519KeyPair, EdDSAKeyPairLike};
@@ -13,6 +12,7 @@ use kbs_protocol::evidence_provider::NativeEvidenceProvider; use kbs_protocol::token_provider::TestTokenProvider; use kbs_protocol::KbsClientBuilder; use kbs_protocol::KbsClientCapabilities; +use serde::Deserialize; use serde::Serialize; const KBS_URL_PREFIX: &str = "kbs/v0";
@@ -104,6 +104,13 @@ pub async fn get_resource_with_attestation( Ok(resource_bytes) } +#[derive(Serialize, Deserialize, Debug, Clone)] +pub struct SetPolicyInput { + pub r#type: String, + pub policy_id: String, + pub policy: String, +} + /// Set attestation policy /// Input parameters: /// - url: KBS server root URL.
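Review bot: The new public `SetPolicyInput` in the client's lib.rs has no doc comment, and it replaces the `as_types::SetPolicyInput` import with a local copy of the same name. The builtin backend in this commit still deserializes the request with the attestation service's own type, so the two definitions can drift apart without any compile error. I would record that on the struct, e.g. `/// Body of the set-policy request; field names must match the attestation service's SetPolicyInput.`, and add a line per field saying what it carries.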