scheme/tpm-enacttrust: validate TA on submission

Evidence handler for tpm-enacttrust expects the provisioned trust anchor to be a base64-encoded PKIX public key. Add validation on the provisioning side to make sure that that is the case. Signed-off-by: Sergei Trofimov <[email protected]>
veraison · Aug 30, 2023 · 6a82613 · 6a82613
1 parent 5e25310
commit 6a82613
Show file tree

Hide file tree

Showing 6 changed files with 100 additions and 1 deletion.
diff --git a/integration-tests/data/endorsements/comid-enacttrust-badta.json b/integration-tests/data/endorsements/comid-enacttrust-badta.json
@@ -0,0 +1,33 @@
+{
+  "tag-identity": {
+    "id": "00000000-0000-0000-0000-000000000000"
+  },
+  "entities": [
+    {
+      "name": "EnactTrust",
+      "regid": "https://enacttrust.com",
+      "roles": [
+        "tagCreator",
+        "creator",
+        "maintainer"
+      ]
+    }
+  ],
+  "triples": {
+    "attester-verification-keys": [
+      {
+        "environment": {
+          "instance": {
+            "type": "uuid",
+            "value": "7df7714e-aa04-4638-bcbf-434b1dd720f1"
+          }
+        },
+        "verification-keys": [
+          {
+            "key": "@@@@"
+          }
+        ]
+      }
+    ]
+  }
+}
diff --git a/integration-tests/tests/common.yaml b/integration-tests/tests/common.yaml
@@ -28,3 +28,4 @@ variables:
     # ../data/endorsements/README.md). The CoRIM name is the first one in the list.
     full: [full, ta, refval]
     mini: [mini, ta, refval]
+    mini-bad: [mini, badta]
diff --git a/integration-tests/tests/test_enacttrust_badkey.tavern.yaml b/integration-tests/tests/test_enacttrust_badkey.tavern.yaml
@@ -0,0 +1,38 @@
+test_name: enacttrust-badkey
+
+marks:
+  - parametrize:
+      key:
+        #  Attestation scheme -- this is used to indicate how test cases should
+        #  be constructed (e.g. how the evidence token will be compiled.
+        - scheme
+        # Some attestation schemes (currently, only PSA) may support multiple
+        # profiles. If a scheme does not support multiple profiles, specify it
+        # as '_'.
+        - profile
+        # The name of the endorsements spec within common.yaml
+        - endorsements
+        # Signing keys that will be used to construct the evidence. How this is
+        # used is dependent on the scheme.
+        - signing
+      vals:
+        - [enacttrust, _, mini-bad, ec.p256.enacttrust]
+
+includes:
+  - !include common.yaml
+
+stages:
+  - name: submit post request to the provisioning service successfully
+    request:
+      method: POST
+      url: http://{provisioning-service}/endorsement-provisioning/v1/submit
+      headers:
+        content-type: '{endorsements-content-type}' # set via hook
+      file_body: __generated__/endorsements/corim-{scheme}-{endorsements}.cbor
+    response:
+      status_code: 200
+      json:
+        status: failed
+        failure-reason: 'submit endorsement returned error: submit endorsements failed: RPC server returned error: plugin "unsigned-corim (TPM EnactTrust profile)" returned error: bad key in CoMID at index 0: could not base64-decode ak-pub: illegal base64 data at input byte 0'
+        # NOTE: the commented version below is for builtin plugins.
+        #failure-reason: 'submit endorsement returned error: submit endorsements failed: bad key in CoMID at index 0: could not base64-decode ak-pub: illegal base64 data at input byte 0'
diff --git a/integration-tests/utils/generators.py b/integration-tests/utils/generators.py
@@ -15,13 +15,16 @@ def generate_endorsements(test):
     spec = test.test_vars['endorsements']
 
     if isinstance(spec, str):
+        tag = spec
         spec = test.common_vars['endorsements'][spec]
+    else:
+        tag = spec[0]
 
     corim_template_name = 'corim-{}-{}.json'.format(scheme, spec[0])
     corim_template = f'data/endorsements/{corim_template_name}'
     comid_templates = ['data/endorsements/comid-{}-{}.json'.format(scheme, c)
                        for c in spec[1:]]
-    output_path = f'{GENDIR}/endorsements/corim-{scheme}-{spec[0]}.cbor'
+    output_path = f'{GENDIR}/endorsements/corim-{scheme}-{tag}.cbor'
 
     generate_corim(corim_template, comid_templates, output_path)
 

diff --git a/integration-tests/utils/hooks.py b/integration-tests/utils/hooks.py
@@ -29,6 +29,10 @@ def setup_enacttrust_badnode(test, variables):
     generate_endorsements(test)
     generate_evidence_from_test(test)
 
+def setup_enacttrust_badkey(test, variables):
+    _set_content_types(test, variables)
+    generate_endorsements(test)
+
 
 def _set_content_types(test, variables):
     scheme = test.test_vars['scheme']

diff --git a/scheme/tpm-enacttrust/extractor.go b/scheme/tpm-enacttrust/extractor.go
@@ -3,6 +3,8 @@
 package tpm_enacttrust
 
 import (
+	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -88,6 +90,10 @@ func (o Extractor) TaExtractor(avk comid.AttestVerifKey) (*handler.Endorsement,
 
 	akPub := avk.VerifKeys[0].Key
 
+	if err := checkKey(akPub); err != nil {
+		return nil, err
+	}
+
 	taAttrs, err := makeTaAttrs(instanceAttrs, akPub)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create trust anchor raw public key: %w", err)
@@ -114,3 +120,17 @@ func makeTaAttrs(i InstanceAttributes, key string) (json.RawMessage, error) {
 	}
 	return msg, nil
 }
+
+func checkKey(inKey string) error {
+	buf, err := base64.StdEncoding.DecodeString(inKey)
+	if err != nil {
+		return fmt.Errorf("could not base64-decode ak-pub: %v", err)
+	}
+
+	_, err = x509.ParsePKIXPublicKey(buf)
+	if err != nil {
+		return fmt.Errorf("could not parse PKIX public key: %v", err)
+	}
+
+	return nil
+}