From 8140458af08266c768a5c4556ab09ea24c9b7022 Mon Sep 17 00:00:00 2001
From: Jiale Zhang
Date: Wed, 3 Jan 2024 15:08:42 +0800
Subject: [PATCH 1/3] AA: Extract GetToken logic as a crate

Signed-off-by: Jiale Zhang
---
 Cargo.lock | 14 +++++
 Cargo.toml | 1 +
 attestation-agent/lib/Cargo.toml | 7 ++-
 .../lib/src/{token.rs => config.rs} | 56 ++++++------------
 attestation-agent/lib/src/lib.rs | 39 +++++++------
 attestation-agent/token/Cargo.toml | 19 +++++++
 attestation-agent/token/src/kbs.rs | 38 +++++++++++++
 attestation-agent/token/src/lib.rs | 14 +++++
 8 files changed, 128 insertions(+), 60 deletions(-)
 rename attestation-agent/lib/src/{token.rs => config.rs} (65%)
 create mode 100644 attestation-agent/token/Cargo.toml
 create mode 100644 attestation-agent/token/src/kbs.rs
 create mode 100644 attestation-agent/token/src/lib.rs

diff --git a/Cargo.lock b/Cargo.lock
index 871faa174..9cb4db7ef 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -261,6 +261,7 @@ dependencies = [
 "serde",
 "serde_json",
 "strum",
+ "token",
 "tokio",
 "toml 0.8.8",
 "tonic",
@@ -5801,6 +5802,19 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
+[[package]]
+name = "token"
+version = "0.1.0"
+dependencies = [
+ "anyhow",
+ "async-trait",
+ "kbs_protocol",
+ "serde",
+ "serde_json",
+ "tokio",
+ "toml 0.8.8",
+]
+
 [[package]]
 name = "tokio"
 version = "1.35.0"
diff --git a/Cargo.toml b/Cargo.toml
index 8ba980820..fa2ef200d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -7,6 +7,7 @@ members = [
 "attestation-agent/kbc",
 "attestation-agent/kbs_protocol",
 "attestation-agent/attester",
+ "attestation-agent/token",
 "attestation-agent/deps/resource_uri",
 "attestation-agent/deps/crypto",
 "attestation-agent/deps/sev",
diff --git a/attestation-agent/lib/Cargo.toml b/attestation-agent/lib/Cargo.toml
index 2aa5c7ce3..c391ae28c 100644
--- a/attestation-agent/lib/Cargo.toml
+++ b/attestation-agent/lib/Cargo.toml
@@ -16,6 +16,7 @@ resource_uri.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 strum.workspace = true
+token = { path = "../token", optional = true }
 tokio = { workspace = true, features = ["fs"] }
 toml.workspace = true
 tonic = { workspace = true, optional = true }
@@ -24,9 +25,11 @@ tonic = { workspace = true, optional = true }
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 
 [features]
-default = ["sample_kbc", "rust-crypto"]
+default = ["sample_kbc", "rust-crypto", "kbs_as"]
 
-cc_kbc = ["kbc/cc_kbc", "kbs_protocol/background_check"]
+kbs_as = ["token/kbs"]
+
+cc_kbc = ["kbc/cc_kbc", "kbs_as"]
 all-attesters = ["kbc/all-attesters", "kbs_protocol?/all-attesters", "attester/all-attesters"]
 tdx-attester = ["kbc/tdx-attester", "kbs_protocol/tdx-attester", "attester/tdx-attester"]
 sgx-attester = ["kbc/sgx-attester", "kbs_protocol/sgx-attester", "attester/sgx-attester"]
diff --git a/attestation-agent/lib/src/token.rs b/attestation-agent/lib/src/config.rs
similarity index 65%
rename from attestation-agent/lib/src/token.rs
rename to attestation-agent/lib/src/config.rs
index 0b206c0ca..a7adae5dd 100644
--- a/attestation-agent/lib/src/token.rs
+++ b/attestation-agent/lib/src/config.rs
@@ -4,9 +4,8 @@
 //
 
 use anyhow::{anyhow, Context, Result};
-use kbs_protocol::{evidence_provider::NativeEvidenceProvider, KbsClientBuilder};
 use log::debug;
-use serde::{Deserialize, Serialize};
+use serde::Deserialize;
 use std::env;
 use std::path::Path;
 use std::sync::OnceLock;
@@ -14,50 +13,21 @@ use tokio::fs;
 
 const PEER_POD_CONFIG_PATH: &str = "/run/peerpod/daemon.json";
 
-#[derive(Serialize)]
-struct Message {
- token: String,
- tee_keypair: String,
-}
-
 static KATA_AGENT_CONFIG_PATH: OnceLock = OnceLock::new();
 
-pub(crate) async fn get_kbs_token() -> Result> {
- let evidence_provider = Box::new(NativeEvidenceProvider::new()?);
-
+#[allow(dead_code)]
+pub async fn get_host_url() -> Result {
 // Check for /run/peerpod/daemon.json to see if we are in a peer pod
 // If so we need to read from the agent-config file, not /proc/cmdline
 let kbc_params = match Path::new(PEER_POD_CONFIG_PATH).exists() {
- true => get_kbc_params_from_config_file().await?,
- false => get_kbc_params_from_cmdline().await?,
- };
-
- let kbs_host_url = extract_kbs_host_url(&kbc_params)?;
-
- let mut client =
- KbsClientBuilder::with_evidence_provider(evidence_provider, &kbs_host_url).build()?;
-
- let (token, tee_keypair) = client.get_token().await?;
- let message = Message {
- token: token.content,
- tee_keypair: tee_keypair.to_pkcs1_pem()?.to_string(),
+ true => get_aa_params_from_kata_agent_config_file().await?,
+ false => get_aa_params_from_kernel_cmdline().await?,
 };
- let res = serde_json::to_vec(&message)?;
- Ok(res)
+ extract_host_url(&kbc_params)
 }
 
-fn extract_kbs_host_url(kbc_params: &str) -> Result {
- let kbs_host = kbc_params
- .split("::")
- .last()
- .ok_or(anyhow!("illegal input `agent.aa_kbc_params` format",))?
- .to_string();
-
- Ok(kbs_host)
-}
-
-pub(crate) async fn get_kbc_params_from_cmdline() -> Result {
+async fn get_aa_params_from_kernel_cmdline() -> Result {
 let cmdline = fs::read_to_string("/proc/cmdline").await?;
 let kbc_params = cmdline
 .split_ascii_whitespace()
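Review bot: `pub async fn get_host_url` is the module's new public entry point but carries no doc comment, and the new name no longer says which host it resolves or where the value comes from, whereas the removed `get_kbs_token` at least named KBS. Propose `/// Resolve the service host URL from `agent.aa_kbc_params`: taken from the kata-agent config when `/run/peerpod/daemon.json` exists, otherwise from `/proc/cmdline`; the text after the last `::` is returned as-is, without validation.` The two private helpers it calls are only renamed here and would benefit from the same one-line purpose comments. The body of `get_aa_params_from_kernel_cmdline` continues outside the hunk.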
@@ -71,7 +41,7 @@ pub(crate) async fn get_kbc_params_from_cmdline() -> Result {
 Ok(kbc_params)
 }
 
-pub(crate) async fn get_kbc_params_from_config_file() -> Result {
+async fn get_aa_params_from_kata_agent_config_file() -> Result {
 // We only care about the aa_kbc_params value at the moment
 #[derive(Debug, Deserialize)]
 struct AgentConfig {
@@ -95,3 +65,13 @@ pub(crate) async fn get_kbc_params_from_config_file() -> Result {
 .aa_kbc_params
 .ok_or(anyhow!("no `aa_kbc_params` found in {path}!"))
 }
+
+fn extract_host_url(kbc_params: &str) -> Result {
+ let kbs_host = kbc_params
+ .split("::")
+ .last()
+ .ok_or(anyhow!("illegal input `agent.aa_kbc_params` format",))?
+ .to_string();
+
+ Ok(kbs_host)
+}
diff --git a/attestation-agent/lib/src/lib.rs b/attestation-agent/lib/src/lib.rs
index 44258d226..6dff4ce5d 100644
--- a/attestation-agent/lib/src/lib.rs
+++ b/attestation-agent/lib/src/lib.rs
@@ -14,10 +14,10 @@ use kbc::{AnnotationPacket, KbcCheckInfo, KbcInstance, KbcModuleList};
 use resource_uri::ResourceUri;
 use std::collections::HashMap;
 
-#[cfg(feature = "cc_kbc")]
-mod token;
-#[cfg(feature = "cc_kbc")]
-use token::get_kbs_token;
+mod config;
+
+#[cfg(any(feature = "cc_kbc", feature = "kbs_as"))]
+use token::GetToken;
 
 /// Attestation Agent (AA for short) is a rust library crate for attestation procedure
 /// in confidential containers. It provides kinds of service APIs that need to make
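Review bot: In the re-added `extract_host_url`, `kbc_params.split("::").last()` can never be `None` (`split` always yields at least one item), so the `illegal input` error is unreachable: a value without any `::`, such as `cc_kbc`, is returned as if it were a host URL and `cc_kbc::` yields an empty string. Because this string becomes the address the agent connects to, the parse should require the separator and a non-empty remainder, e.g. `kbc_params.split_once("::").map(|(_, host)| host.to_string()).filter(|h| !h.is_empty()).ok_or_else(|| anyhow!("illegal input `agent.aa_kbc_params` format"))`. Note that `.last()` also splits on any `::` inside the URL itself, which would mangle an IPv6 literal, while `split_once` keeps everything after the first separator; if the original last-segment semantics are intentional, `rsplit_once("::")` with the same emptiness check preserves them. Since `.ok_or(anyhow!(..))` builds the error on every call, the `_else` form is also the cheaper one.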
@@ -174,23 +174,22 @@ impl AttestationAPIs for AttestationAgent {
 .await
 }
 
+ #[allow(unused_variables)]
+ #[allow(unreachable_code)]
 async fn get_token(&mut self, _token_type: &str) -> Result> {
- #[cfg(feature = "cc_kbc")]
- {
- let token = match _token_type {
- "kbs" => get_kbs_token().await?,
- typ => bail!("Unsupported token type {typ}"),
- };
-
- Ok(token)
- }
-
- // TODO: remove the feature flags after refactoring AA. Currently, kbs_host_url
- // is only set by user in aa_kbc_params when cc_kbc is enabled.
- #[cfg(not(feature = "cc_kbc"))]
- {
- bail!("unimplemented!");
- }
+ let token = match _token_type {
+ #[cfg(any(feature = "cc_kbc", feature = "kbs_as"))]
+ "kbs" => {
+ let kbs_host_url = config::get_host_url().await?;
+ let kbs_token = token::kbs::KbsTokenGetter::default()
+ .get_token(kbs_host_url)
+ .await?;
+ kbs_token
+ }
+ typ => bail!("Unsupported token type {typ}"),
+ };
+
+ Ok(token)
 }
 
 /// Get TEE hardware signed evidence that includes the runtime data.
diff --git a/attestation-agent/token/Cargo.toml b/attestation-agent/token/Cargo.toml
new file mode 100644
index 000000000..c2890b229
--- /dev/null
+++ b/attestation-agent/token/Cargo.toml
@@ -0,0 +1,19 @@
+[package]
+name = "token"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+anyhow.workspace = true
+async-trait.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+kbs_protocol = { path = "../kbs_protocol", optional = true }
+tokio = { workspace = true, features = ["fs"] }
+toml.workspace = true
+
+[features]
+default = ["kbs"]
+kbs = ["kbs_protocol/background_check"]
diff --git a/attestation-agent/token/src/kbs.rs b/attestation-agent/token/src/kbs.rs
new file mode 100644
index 000000000..f77dccc4e
--- /dev/null
+++ b/attestation-agent/token/src/kbs.rs
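Review bot: The two `#[allow]` attributes on `get_token` silence `unused_variables` and `unreachable_code` in every build, although only the configuration without `cc_kbc`/`kbs_as` (where the match has just the `bail!` arm) produces those warnings; `#[cfg_attr(not(any(feature = "cc_kbc", feature = "kbs_as")), allow(unused_variables, unreachable_code))]` keeps the lints live everywhere else, and `_token_type` can lose its underscore now that it is read unconditionally. The `"kbs"` arm binds `kbs_token` only to return it on the next line (clippy `let_and_return`); `"kbs" => { let kbs_host_url = config::get_host_url().await?; token::kbs::KbsTokenGetter::default().get_token(kbs_host_url).await? }` says the same thing. The removed TODO about `kbs_host_url` only being set under `cc_kbc` is still true of `config::get_host_url`, so it is worth carrying over as a comment on the arm rather than dropping it.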
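Review bot: `default = ["kbs"]` in the new crate enables `kbs_protocol` for every consumer that does not opt out, and `attestation-agent/lib/Cargo.toml` in this same patch declares `token = { path = "../token", optional = true }` without `default-features = false`, so lib's `kbs_as = ["token/kbs"]` feature mapping has no effect: `kbs` is compiled in whenever `token` is. Either drop the default here, or add `default-features = false` to the dependency line in lib so the feature actually selects the backend. `tokio` (with `fs`) and `toml` are listed as dependencies, but neither of the crate's two new source files in this patch uses them; if they are placeholders for later backends, a `# used by: …` comment stops them being copied forward unexamined.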
@@ -0,0 +1,38 @@
+// Copyright (c) 2023 Alibaba Cloud
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use super::GetToken;
+use anyhow::*;
+use async_trait::async_trait;
+use kbs_protocol::{evidence_provider::NativeEvidenceProvider, KbsClientBuilder};
+use serde::Serialize;
+
+#[derive(Serialize)]
+struct Message {
+ token: String,
+ tee_keypair: String,
+}
+
+#[derive(Default)]
+pub struct KbsTokenGetter {}
+
+#[async_trait]
+impl GetToken for KbsTokenGetter {
+ async fn get_token(&self, kbs_host_url: String) -> Result> {
+ let evidence_provider = Box::new(NativeEvidenceProvider::new()?);
+
+ let mut client =
+ KbsClientBuilder::with_evidence_provider(evidence_provider, &kbs_host_url).build()?;
+
+ let (token, tee_keypair) = client.get_token().await?;
+ let message = Message {
+ token: token.content,
+ tee_keypair: tee_keypair.to_pkcs1_pem()?.to_string(),
+ };
+
+ let res = serde_json::to_vec(&message)?;
+ Ok(res)
+ }
+}
diff --git a/attestation-agent/token/src/lib.rs b/attestation-agent/token/src/lib.rs
new file mode 100644
index 000000000..c884f68a8
--- /dev/null
+++ b/attestation-agent/token/src/lib.rs
@@ -0,0 +1,14 @@
+// Copyright (c) 2023 Alibaba Cloud
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+use anyhow::Result;
+use async_trait::async_trait;
+
+#[cfg(feature = "kbs")]
+pub mod kbs;
+
+#[async_trait]
+pub trait GetToken {
+ async fn get_token(&self, service_url: String) -> Result>;
+}
From 98207c060de414e7d2d7e628b041473e0172733e Mon Sep 17 00:00:00 2001
From: Jiale Zhang
Date: Tue, 16 Jan 2024 17:24:04 +0800
Subject: [PATCH 2/3] AA: Add Config file mechanism

Signed-off-by: Jiale Zhang
---
 attestation-agent/app/src/grpc.rs | 6 ++++--
 attestation-agent/app/src/rpc/mod.rs | 2 +-
 attestation-agent/app/src/ttrpc.rs | 4 ++--
 attestation-agent/lib/src/config.rs | 20 ++++++++++++++++++++
 attestation-agent/lib/src/lib.rs | 20 ++++++++++++--------
 5 files changed, 39 insertions(+), 13 deletions(-)
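Review bot: `Message` serialises `tee_keypair.to_pkcs1_pem()` alongside the token, which appears to be the TEE key pair's private half in PEM form, so the `Vec<u8>` this method hands back is secret material rather than just a bearer token, and neither the struct nor the method says so. Propose on `Message`: `/// JSON payload returned by `get_token`: `token` is the KBS attestation token and `tee_keypair` is the key it is bound to, exported as PKCS#1 PEM (private key) — treat the whole buffer as a secret.` It is worth deciding explicitly whether the private half needs to cross this crate boundary at all, since every caller of the public `get_token` API (the RPC layer in this series) now receives it. The glob `use anyhow::*;` silently supplies the `Result` in the trait signature; naming it, `use anyhow::{Result, *}` at minimum, makes that visible.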
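Review bot: `GetToken` is the public contract of the new crate but has no doc comment, and its one method says nothing about what the returned bytes are, which — judging by the `kbs` implementation in this patch — differs per backend. Propose `/// Obtain an attestation token from the service at `service_url`.` on the trait and, on the method, `/// Returns the backend-specific serialised token; see the implementing module for its layout and whether it carries secret material.` Taking `service_url: String` forces every caller to allocate although the method only needs to borrow it; `&str` is the usual choice, and this is the moment to settle it, before the trait gains external implementors.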
diff --git a/attestation-agent/app/src/grpc.rs b/attestation-agent/app/src/grpc.rs
index 49b4db057..9df9b7ccb 100644
--- a/attestation-agent/app/src/grpc.rs
+++ b/attestation-agent/app/src/grpc.rs
@@ -13,8 +13,10 @@ const DEFAULT_GETRESOURCE_ADDR: &str = "127.0.0.1:50001";
 const DEFAULT_ATTESTATION_AGENT_ADDR: &str = "127.0.0.1:50002";
 
 lazy_static! {
- pub static ref ASYNC_ATTESTATION_AGENT: Arc> =
- Arc::new(tokio::sync::Mutex::new(AttestationAgent::new()));
+ pub static ref ASYNC_ATTESTATION_AGENT: Arc>> =
+ Arc::new(tokio::sync::Mutex::new(AttestationAgent::<'static>::new(
+ None
+ )));
 }
 
 #[derive(Debug, Parser)]
diff --git a/attestation-agent/app/src/rpc/mod.rs b/attestation-agent/app/src/rpc/mod.rs
index 04707fe9f..75fcde669 100644
--- a/attestation-agent/app/src/rpc/mod.rs
+++ b/attestation-agent/app/src/rpc/mod.rs
@@ -21,7 +21,7 @@ const PROTOCOL: &str = "grpc";
 lazy_static! {
 pub static ref ABOUT: String = {
- let aa_about = AttestationAgent::new().about();
+ let aa_about = AttestationAgent::new(None).about();
 format!("Protocol: {PROTOCOL}\n{aa_about}")
 };
 }
diff --git a/attestation-agent/app/src/ttrpc.rs b/attestation-agent/app/src/ttrpc.rs
index 7325ca335..a9448b664 100644
--- a/attestation-agent/app/src/ttrpc.rs
+++ b/attestation-agent/app/src/ttrpc.rs
@@ -32,8 +32,8 @@ const DEFAULT_ATTESTATION_SOCKET_ADDR: &str = concatcp!(
 );
 
 lazy_static! {
- pub static ref ASYNC_ATTESTATION_AGENT: Arc> =
- Arc::new(Mutex::new(AttestationAgent::new()));
+ pub static ref ASYNC_ATTESTATION_AGENT: Arc>> =
+ Arc::new(Mutex::new(AttestationAgent::<'static>::new(None)));
 }
 
 #[derive(Debug, Parser)]
diff --git a/attestation-agent/lib/src/config.rs b/attestation-agent/lib/src/config.rs
index a7adae5dd..764d0bfcc 100644
--- a/attestation-agent/lib/src/config.rs
+++ b/attestation-agent/lib/src/config.rs
@@ -7,14 +7,34 @@ use anyhow::{anyhow, Context, Result};
 use log::debug;
 use serde::Deserialize;
 use std::env;
+use std::fs::File;
 use std::path::Path;
 use std::sync::OnceLock;
 use tokio::fs;
 
 const PEER_POD_CONFIG_PATH: &str = "/run/peerpod/daemon.json";
+pub const DEFAULT_AA_CONFIG_PATH: &str = "/etc/attestation.toml";
 
 static KATA_AGENT_CONFIG_PATH: OnceLock = OnceLock::new();
 
+#[derive(Clone, Debug, Deserialize)]
+#[allow(dead_code)]
+pub struct Config {
+ /// URL Address of Attestation Service
+ pub as_url: String,
+}
+
+impl TryFrom<&Path> for Config {
+ type Error = anyhow::Error;
+ fn try_from(config_path: &Path) -> Result {
+ let file = File::open(config_path)
+ .map_err(|e| anyhow!("failed to open AA config file {}", e.to_string()))?;
+
+ serde_json::from_reader::(file)
+ .map_err(|e| anyhow!("failed to parse AA config file {}", e.to_string()))
+ }
+}
+
 #[allow(dead_code)]
 pub async fn get_host_url() -> Result {
 // Check for /run/peerpod/daemon.json to see if we are in a peer pod
diff --git a/attestation-agent/lib/src/lib.rs b/attestation-agent/lib/src/lib.rs
index 6dff4ce5d..cc2385da9 100644
--- a/attestation-agent/lib/src/lib.rs
+++ b/attestation-agent/lib/src/lib.rs
@@ -12,7 +12,7 @@ use async_trait::async_trait;
 use attester::{detect_tee_type, BoxedAttester};
 use kbc::{AnnotationPacket, KbcCheckInfo, KbcInstance, KbcModuleList};
 use resource_uri::ResourceUri;
-use std::collections::HashMap;
+use std::{collections::HashMap, path::Path};
 
 mod config;
 
@@ -31,7 +31,7 @@ use token::GetToken;
 /// use attestation_agent::AttestationAgent;
 /// use attestation_agent::AttestationAPIs;
 ///
-/// let mut aa = AttestationAgent::new();
+/// let mut aa = AttestationAgent::new(None);
 ///
 /// let key_result = aa.decrypt_image_layer_annotation(
 /// "sample_kbc",
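Review bot: `Config::try_from` parses the file with `serde_json::from_reader`, but `DEFAULT_AA_CONFIG_PATH` is `/etc/attestation.toml` and this crate already depends on `toml` (see `toml.workspace = true` in lib's Cargo.toml earlier in the series), so the default path and the parser disagree; either read it as `toml::from_str(&std::fs::read_to_string(config_path)?)` or name the default file `.json`. Both error messages also drop the path, which is the first thing an operator needs when the default file is absent: `anyhow!("failed to open AA config file {}: {e}", config_path.display())`, and the same shape for the parse error. `File::open` is a blocking call in an otherwise `tokio::fs`-based module; acceptable for a small config file, but a `// blocking read: small file, read on demand` comment would record that the choice is deliberate.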
@@ -88,22 +88,26 @@ pub trait AttestationAPIs {
 ) -> Result<()>;
 }
 
+#[allow(dead_code)]
 /// Attestation agent to provide attestation service.
-pub struct AttestationAgent {
+pub struct AttestationAgent<'a> {
+ config_file_path: &'a Path,
 kbc_module_list: KbcModuleList,
 kbc_instance_map: HashMap,
 }
 
-impl Default for AttestationAgent {
+impl<'a> Default for AttestationAgent<'a> {
 fn default() -> Self {
- Self::new()
+ Self::new(None)
 }
 }
 
-impl AttestationAgent {
+impl<'a> AttestationAgent<'a> {
 /// Create a new instance of [AttestationAgent].
- pub fn new() -> Self {
+ pub fn new(config_path: Option<&'a str>) -> Self {
+ let config_path = config_path.unwrap_or(config::DEFAULT_AA_CONFIG_PATH);
 AttestationAgent {
+ config_file_path: &Path::new(config_path),
 kbc_module_list: KbcModuleList::new(),
 kbc_instance_map: HashMap::new(),
 }
@@ -135,7 +139,7 @@ impl AttestationAgent {
 }
 
 #[async_trait]
-impl AttestationAPIs for AttestationAgent {
+impl<'a> AttestationAPIs for AttestationAgent<'a> {
 async fn decrypt_image_layer_annotation(
 &mut self,
 kbc_name: &str,
From c04e77ef5c306a55e569e4c39d12d00b1d606ef0 Mon Sep 17 00:00:00 2001
From: Jiale Zhang
Date: Thu, 18 Jan 2024 17:39:28 +0800
Subject: [PATCH 3/3] AA: support get CoCo AS Attestation Token

Signed-off-by: Jiale Zhang
---
 Cargo.lock | 3 ++
 attestation-agent/lib/Cargo.toml | 18 +++++-----
 attestation-agent/lib/src/lib.rs | 16 ++++++++-
 attestation-agent/token/Cargo.toml | 16 ++++++++-
 attestation-agent/token/src/coco_as.rs | 48 ++++++++++++++++++++++++++
 attestation-agent/token/src/lib.rs | 3 ++
 6 files changed, 94 insertions(+), 10 deletions(-)
 create mode 100644 attestation-agent/token/src/coco_as.rs

diff --git a/Cargo.lock b/Cargo.lock
index 9cb4db7ef..b32bd2933 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -5808,7 +5808,10 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "async-trait",
+ "attester",
+ "base64 0.21.5",
 "kbs_protocol",
+ "reqwest",
 "serde",
 "serde_json",
 "tokio",
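Review bot: Storing `config_file_path: &'a Path` puts a lifetime parameter on `AttestationAgent` that leaks into every holder — grpc.rs and ttrpc.rs in this same patch now have to write `AttestationAgent::<'static>::new(None)` inside their statics — and `&Path::new(config_path)` in `new` builds a `&&Path` that only type-checks through deref coercion (clippy `needless_borrow`). Owning the path as a `PathBuf` removes the lifetime, the `'static` annotations in the callers and the double reference, at the cost of one small allocation per agent; a later caller that needs `&Path` uses `self.config_file_path.as_path()`, and the `use std::{collections::HashMap, path::Path}` line imports `PathBuf` instead. The rest of `new` and the `impl` block continue outside the hunk, so only the changed lines are shown below.
```rust
#[allow(dead_code)]
/// Attestation agent to provide attestation service.
pub struct AttestationAgent {
    config_file_path: PathBuf,
    // … unchanged: kbc_module_list, kbc_instance_map …
}

impl Default for AttestationAgent {
    fn default() -> Self {
        Self::new(None)
    }
}

impl AttestationAgent {
    /// Create a new instance of [AttestationAgent].
    pub fn new(config_path: Option<&str>) -> Self {
        let config_path = config_path.unwrap_or(config::DEFAULT_AA_CONFIG_PATH);
        AttestationAgent {
            config_file_path: PathBuf::from(config_path),
            // … unchanged: kbc_module_list, kbc_instance_map …
        }
```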
diff --git a/attestation-agent/lib/Cargo.toml b/attestation-agent/lib/Cargo.toml
index c391ae28c..9673c645f 100644
--- a/attestation-agent/lib/Cargo.toml
+++ b/attestation-agent/lib/Cargo.toml
@@ -25,17 +25,19 @@ tonic = { workspace = true, optional = true }
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 
 [features]
-default = ["sample_kbc", "rust-crypto", "kbs_as"]
+default = ["sample_kbc", "rust-crypto", "coco_as"]
 
 kbs_as = ["token/kbs"]
 
-cc_kbc = ["kbc/cc_kbc", "kbs_as"]
-all-attesters = ["kbc/all-attesters", "kbs_protocol?/all-attesters", "attester/all-attesters"]
-tdx-attester = ["kbc/tdx-attester", "kbs_protocol/tdx-attester", "attester/tdx-attester"]
-sgx-attester = ["kbc/sgx-attester", "kbs_protocol/sgx-attester", "attester/sgx-attester"]
-az-snp-vtpm-attester = ["kbc/az-snp-vtpm-attester", "kbs_protocol/az-snp-vtpm-attester", "attester/az-snp-vtpm-attester"]
-az-tdx-vtpm-attester = ["kbc/az-tdx-vtpm-attester", "kbs_protocol/az-tdx-vtpm-attester", "attester/az-tdx-vtpm-attester"]
-snp-attester = ["kbc/snp-attester", "kbs_protocol/snp-attester", "attester/snp-attester"]
+coco_as = ["token/coco_as"]
+
+cc_kbc = ["kbc/cc_kbc", "kbs_as", "coco_as"]
+all-attesters = ["kbc/all-attesters", "kbs_protocol?/all-attesters", "attester/all-attesters", "token?/all-attesters"]
+tdx-attester = ["kbc/tdx-attester", "kbs_protocol/tdx-attester", "attester/tdx-attester", "token?/tdx"]
+sgx-attester = ["kbc/sgx-attester", "kbs_protocol/sgx-attester", "attester/sgx-attester", "token?/sgx"]
+az-snp-vtpm-attester = ["kbc/az-snp-vtpm-attester", "kbs_protocol/az-snp-vtpm-attester", "attester/az-snp-vtpm-attester", "token?/az-snp-vtpm"]
+az-tdx-vtpm-attester = ["kbc/az-tdx-vtpm-attester", "kbs_protocol/az-tdx-vtpm-attester", "attester/az-tdx-vtpm-attester", "token?/az-tdx-vtpm"]
+snp-attester = ["kbc/snp-attester", "kbs_protocol/snp-attester", "attester/snp-attester", "token?/snp"]
 
 sample_kbc = ["kbc/sample_kbc"]
 eaa_kbc = ["kbc/eaa_kbc"]
diff --git a/attestation-agent/lib/src/lib.rs b/attestation-agent/lib/src/lib.rs
index cc2385da9..d53a09a9c 100644
--- a/attestation-agent/lib/src/lib.rs
+++ b/attestation-agent/lib/src/lib.rs
@@ -16,7 +16,7 @@ use std::{collections::HashMap, path::Path};
 
 mod config;
 
-#[cfg(any(feature = "cc_kbc", feature = "kbs_as"))]
+#[cfg(any(feature = "coco_as", feature = "kbs_as"))]
 use token::GetToken;
 
 /// Attestation Agent (AA for short) is a rust library crate for attestation procedure
@@ -190,6 +190,20 @@ impl<'a> AttestationAPIs for AttestationAgent<'a> {
 .await?;
 kbs_token
 }
+ #[cfg(feature = "coco_as")]
+ "coco_as" => {
+ let as_url = match config::get_host_url().await {
+ Ok(url) => url,
+ Err(_) => {
+ let config = config::Config::try_from(self.config_file_path)?;
+ config.as_url.clone()
+ }
+ };
+ let coco_as_token = token::coco_as::CoCoASTokenGetter::default()
+ .get_token(as_url)
+ .await?;
+ coco_as_token
+ }
 typ => bail!("Unsupported token type {typ}"),
 };
 
diff --git a/attestation-agent/token/Cargo.toml b/attestation-agent/token/Cargo.toml
index c2890b229..8bc21a284 100644
--- a/attestation-agent/token/Cargo.toml
+++ b/attestation-agent/token/Cargo.toml
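Review bot: In the new `"coco_as"` arm, `Err(_) =>` throws away whatever `config::get_host_url()` failed with before falling back to the config file, so a mis-formatted `agent.aa_kbc_params` silently changes which service the agent sends its evidence to and leaves nothing in the logs to explain it; the crate already uses `log` in config.rs, so `Err(e) => { log::debug!("aa_kbc_params unusable ({e}); using {}", self.config_file_path.display());` at the top of that branch costs one line. `config.as_url.clone()` clones a field of a `Config` that is dropped on the next line; `config::Config::try_from(self.config_file_path)?.as_url` moves it instead, and removes the binding. Separately, `get_host_url` returns the value parsed from `agent.aa_kbc_params`, which the `"kbs"` arm above treats as the KBS host, while this arm posts to it as the attestation service URL; whether both services are reachable at one address is not visible here, so a one-line comment on the `match` stating the assumption would help the next reader. The enclosing `get_token` starts and ends outside the hunk.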
@@ -8,12 +8,26 @@ edition = "2021"
 [dependencies]
 anyhow.workspace = true
 async-trait.workspace = true
+attester = { path = "../attester", optional = true, default-features = false }
+base64.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 kbs_protocol = { path = "../kbs_protocol", optional = true }
+reqwest = { version = "0.11", features = ["json"], optional = true }
 tokio = { workspace = true, features = ["fs"] }
 toml.workspace = true
 
 [features]
-default = ["kbs"]
+default = ["kbs", "coco_as"]
+
 kbs = ["kbs_protocol/background_check"]
+coco_as = ["reqwest", "attester"]
+
+all-attesters = ["attester?/all-attesters"]
+tdx = ["attester?/tdx-attester"]
+sgx = ["attester?/sgx-attester"]
+az-snp-vtpm = ["attester?/az-snp-vtpm-attester"]
+az-tdx-vtpm = ["attester?/az-tdx-vtpm-attester"]
+snp = ["attester?/snp-attester"]
+csv = ["attester?/csv-attester"]
+cca = ["attester?/cca-attester"]
diff --git a/attestation-agent/token/src/coco_as.rs b/attestation-agent/token/src/coco_as.rs
new file mode 100644
index 000000000..2346322d6
--- /dev/null
+++ b/attestation-agent/token/src/coco_as.rs
@@ -0,0 +1,48 @@
+// Copyright (c) 2024 Alibaba Cloud
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+
+use super::GetToken;
+use anyhow::*;
+use async_trait::async_trait;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use base64::Engine;
+
+#[derive(Default)]
+pub struct CoCoASTokenGetter {}
+
+#[async_trait]
+impl GetToken for CoCoASTokenGetter {
+ async fn get_token(&self, as_url: String) -> Result> {
+ let tee_type = attester::detect_tee_type();
+ let attester = attester::BoxedAttester::try_from(tee_type)?;
+ let evidence = attester.get_evidence(vec![]).await?;
+
+ let request_body = serde_json::json!({
+ "tee": serde_json::to_string(&tee_type)?,
+ "evidence": URL_SAFE_NO_PAD.encode(evidence.as_bytes()),
+ });
+
+ let client = reqwest::Client::new();
+ let res = client
+ .post(as_url)
+ .header("Content-Type", "application/json")
+ .json(&request_body)
+ .send()
+ .await?;
+
+ match res.status() {
+ reqwest::StatusCode::OK => {
+ let token = res.text().await?;
+ Ok(token.as_bytes().to_vec())
+ }
+ _ => {
+ bail!(
+ "Rmote Attestation Failed, AS Response: {:?}",
+ res.text().await?
+ );
+ }
+ }
+ }
+}
diff --git a/attestation-agent/token/src/lib.rs b/attestation-agent/token/src/lib.rs
index c884f68a8..eeb33a679 100644
--- a/attestation-agent/token/src/lib.rs
+++ b/attestation-agent/token/src/lib.rs
@@ -8,6 +8,9 @@ use async_trait::async_trait;
 #[cfg(feature = "kbs")]
 pub mod kbs;
 
+#[cfg(feature = "coco_as")]
+pub mod coco_as;
+
 #[async_trait]
 pub trait GetToken {
 async fn get_token(&self, service_url: String) -> Result>;
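Review bot: `attester.get_evidence(vec![])` asks for evidence with no runtime data, so the request sent to the AS carries nothing that binds this evidence to this particular exchange; if the AS flow provides a challenge or nonce, it belongs in that argument, and if the empty vector is intentional the line needs to say so, e.g. `// NOTE(review): no runtime data bound into the evidence — confirm the AS endpoint used here needs none`. The failure message at `bail!` has a typo: `"Remote Attestation Failed, AS Response: {:?}"`. `reqwest::Client::new()` builds a new client, including its connection pool and TLS state, on every call; keeping one in `CoCoASTokenGetter` (`reqwest::Client` implements `Default`, so the derive still works) reuses it. The success branch returns any `200` body as the token without so much as an emptiness check, which is fine only if the caller validates it — a one-line comment on `Ok(token.as_bytes().to_vec())` saying where that validation happens would close the question.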