KBS: combine CoCo Token and Jwk Token verifier

.github/workflows/kbs-rust.yml

@@ -59,7 +59,7 @@ jobs:
 
     - name: KBS Build [Built-in CoCo AS, OpenSSL]
       working-directory: kbs
-      run: make HTTPS_CRYPTO=openssl
+      run: make
 
     - name: KBS Build [gRPC CoCo AS, RustTLS]
       working-directory: kbs

.github/workflows/push-kbs-image-to-ghcr.yml

@@ -25,15 +25,12 @@ jobs:
         include:
           - tag: kbs
             docker_file: kbs/docker/Dockerfile
-            https_crypto: openssl
             name: build-in AS
           - tag: kbs-grpc-as
             docker_file: kbs/docker/coco-as-grpc/Dockerfile
-            https_crypto: rustls
             name: gRPC AS
           - tag: kbs-ita-as
             docker_file: kbs/docker/intel-trust-authority/Dockerfile
-            https_crypto: rustls
             name: Intel Trust Authority AS
 
     runs-on: ${{ matrix.instance }}
@@ -56,12 +53,10 @@ jobs:
       run: |
         commit_sha=${{ github.sha }}
         arch=$(uname -m)
-        https_crypto=${{ matrix.https_crypto }}
-        [ "${arch}" = "s390x" ] && https_crypto=openssl
         DOCKER_BUILDKIT=1 docker build -f "${{ matrix.docker_file }}" --push \
           -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:${commit_sha}-${arch}" \
           -t "ghcr.io/confidential-containers/staged-images/${{ matrix.tag }}:latest-${arch}" \
-          --build-arg ARCH="${arch}" --build-arg HTTPS_CRYPTO="${https_crypto}" .
+          --build-arg ARCH="${arch}" .
 
   publish_multi_arch_image:
     needs: build_and_push

attestation-service/src/token/simple.rs

@@ -92,6 +92,7 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker {
         let header_value = json!({
             "typ": "JWT",
             "alg": SIMPLE_TOKEN_ALG,
+            "jwk": serde_json::from_str::<Value>(&self.pubkey_jwks()?)?["keys"][0].clone(),
         });
         let header_string = serde_json::to_string(&header_value)?;
         let header_b64 = URL_SAFE_NO_PAD.encode(header_string.as_bytes());
@@ -109,7 +110,6 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker {
             "iss": self.config.issuer_name.clone(),
             "iat": now.unix_timestamp(),
             "jti": id,
-            "jwk": serde_json::from_str::<Value>(&self.pubkey_jwks()?)?["keys"][0].clone(),
             "nbf": now.unix_timestamp(),
             "exp": exp.unix_timestamp(),
         })

deps/verifier/src/se/README.md

@@ -67,7 +67,7 @@ openssl pkey -in kbs.key -pubout -out kbs.pem
 
 - Build KBS
 ```bash
-cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,openssl,resource,opa 
+cargo install --locked --debug --path kbs/src/kbs --no-default-features --features coco-as-builtin,resource,opa 
 ```
 
 - Prepare the material retrieved above, similar as:
@@ -101,7 +101,7 @@ auth_public_key = "/kbs/kbs.pem"
 insecure_http = true
 
 [attestation_token_config]
-attestation_token_type = "CoCo"
+insecure_key = true
 
 [as_config]
 work_dir = "/opt/confidential-containers/attestation-service"
@@ -128,7 +128,7 @@ export SE_SKIP_CERTS_VERIFICATION=true
 ## (Option 2) Launch KBS via docker-compose
 - Build the docker image
 ```
-DOCKER_BUILDKIT=1 docker build --build-arg HTTPS_CRYPTO="openssl" --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . -f kbs/docker/Dockerfile
+DOCKER_BUILDKIT=1 docker build --build-arg --build-arg ARCH="s390x" -t ghcr.io/confidential-containers/staged-images/kbs:latest . -f kbs/docker/Dockerfile
 ```
 
 - Prepare a docker compose file, similar as:

kbs/Cargo.toml

@@ -7,10 +7,10 @@ documentation.workspace = true
 edition.workspace = true
 
 [features]
-default = ["coco-as-builtin", "resource", "opa", "rustls"]
+default = ["coco-as-builtin", "resource", "opa"]
 
 # Feature that allows to access resources from KBS
-resource = ["rsa", "dep:openssl", "reqwest", "aes-gcm", "jsonwebtoken"]
+resource = ["rsa", "reqwest", "aes-gcm", "jsonwebtoken"]
 
 # Support a backend attestation service for KBS
 as = []
@@ -36,17 +36,11 @@ coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"]
 # Use Intel TA as backend attestation service
 intel-trust-authority-as = ["as", "reqwest", "resource", "az-cvm-vtpm"]
 
-# Use pure rust crypto stack for KBS
-rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"]
-
-# Use openssl crypto stack for KBS
-openssl = ["actix-web/openssl", "dep:openssl"]
-
 # Use aliyun KMS as KBS backend
 aliyun = ["kms/aliyun"]
 
 [dependencies]
-actix-web.workspace = true
+actix-web = { workspace = true, features = ["openssl"] }
 actix-web-httpauth.workspace = true
 aes-gcm = { version = "0.10.1", optional = true }
 anyhow.workspace = true
@@ -69,8 +63,6 @@ rand = "0.8.5"
 regorus.workspace = true
 reqwest = { workspace = true, features = ["json"], optional = true }
 rsa = { version = "0.9.2", optional = true, features = ["sha2"] }
-rustls = { version = "0.20.8", optional = true }
-rustls-pemfile = { version = "1.0.4", optional = true }
 scc = "2"
 semver = "1.0.16"
 serde = { workspace = true, features = ["derive"] }
@@ -81,7 +73,7 @@ time = { version = "0.3.23", features = ["std"] }
 tokio.workspace = true
 tonic = { workspace = true, optional = true }
 uuid = { version = "1.2.2", features = ["serde", "v4"] }
-openssl = { version = "0.10.46", optional = true }
+openssl = "0.10.55"
 az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true }
 
 [dev-dependencies]

kbs/Makefile

@@ -1,5 +1,4 @@
 AS_TYPE ?= coco-as
-HTTPS_CRYPTO ?= rustls
 POLICY_ENGINE ?=
 ALIYUN ?= false
 
@@ -39,16 +38,16 @@ build: background-check-kbs
 
 .PHONY: background-check-kbs
 background-check-kbs:
-	cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(HTTPS_CRYPTO),$(POLICY_ENGINE),$(FEATURES)
+	cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),resource,$(POLICY_ENGINE),$(FEATURES)
 
 .PHONY: passport-issuer-kbs
 passport-issuer-kbs:
-	cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(HTTPS_CRYPTO),$(FEATURES)
+	cargo build -p kbs --locked --release --no-default-features --features $(AS_FEATURE),$(FEATURES)
 	mv ../target/release/kbs ../target/release/issuer-kbs
 
 .PHONY: passport-resource-kbs
 passport-resource-kbs:
-	cargo build -p kbs --locked --release --no-default-features --features $(HTTPS_CRYPTO),resource,$(POLICY_ENGINE),$(FEATURES)
+	cargo build -p kbs --locked --release --no-default-features --features resource,$(POLICY_ENGINE),$(FEATURES)
 	mv ../target/release/kbs ../target/release/resource-kbs
 
 .PHONY: cli