From 90115e3e469e4128d2d09ddf1563950dd72e1e3e Mon Sep 17 00:00:00 2001 From: "James O. D. Hunt" Date: Mon, 29 Jul 2024 11:55:56 +0100 Subject: [PATCH] kbs: ita: Set hash algorithm based on TEE type If the TEE specifies the hash algorithms it can use [1], add the appropriate hash algorithm to the returned `Challenge` [2]. For backwards compatibility, do not return the selected hash algorithm if the TEE does not provide the list of hash algorithms it can use. Partially-fixes: #242. [1] - In the optional `extra-params.supported-hash-algorithms` list. [2] - In `extra-params.selected-hash-algorithm`. Signed-off-by: James O. D. Hunt --- Cargo.lock | 26 +- attestation-service/src/lib.rs | 4 +- .../attestation/intel_trust_authority/mod.rs | 311 +++++++++++++++++- kbs/src/attestation/mod.rs | 23 +- 4 files changed, 340 insertions(+), 24 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 3229e8ee1..d444ff0f3 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -516,7 +516,7 @@ dependencies = [ "tempfile", "thiserror", "tokio", - "toml 0.8.15", + "toml 0.8.19", ] [[package]] @@ -2824,7 +2824,7 @@ dependencies = [ "strum", "thiserror", "tokio", - "toml 0.8.15", + "toml 0.8.19", "tonic 0.9.2", "tonic-build 0.9.2", "url", @@ -2839,11 +2839,11 @@ checksum = "d4345964bb142484797b161f473a503a434de77149dd8c7427788c6e13379388" [[package]] name = "lazy_static" -version = "1.4.0" +version = "1.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" +checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe" dependencies = [ - "spin 0.5.2", + "spin 0.9.8", ] [[package]] @@ -5508,9 +5508,9 @@ dependencies = [ [[package]] name = "toml" -version = "0.8.15" +version = "0.8.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac2caab0bf757388c6c0ae23b3293fdb463fee59434529014f85e3263b995c28" +checksum = "a1ed1f98e3fdc28d6d910e6737ae6ab1a93bf1985935a1193e68f93eeb68d24e" dependencies = [ "serde", "serde_spanned", @@ -5520,18 +5520,18 @@ dependencies = [ [[package]] name = "toml_datetime" -version = "0.6.6" +version = "0.6.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4badfd56924ae69bcc9039335b2e017639ce3f9b001c393c1b2d1ef846ce2cbf" +checksum = "0dd7358ecb8fc2f8d014bf86f6f638ce72ba252a2c3a2572f2a795f1d23efb41" dependencies = [ "serde", ] [[package]] name = "toml_edit" -version = "0.22.16" +version = "0.22.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "278f3d518e152219c994ce877758516bca5e118eaed6996192a774fb9fbf0788" +checksum = "583c44c02ad26b0c3f3066fe629275e50627026c51ac2e595cca4c230ce1ce1d" dependencies = [ "indexmap 2.2.6", "serde", @@ -6322,9 +6322,9 @@ checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0" [[package]] name = "winnow" -version = "0.6.13" +version = "0.6.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "59b5e5f6c299a3c7890b876a2a587f3115162487e704907d9b6cd29473052ba1" +checksum = "68a9bda4691f099d435ad181000724da8e5899daa10713c2d432552b9ccd3a6f" dependencies = [ "memchr", ] diff --git a/attestation-service/src/lib.rs b/attestation-service/src/lib.rs index 7307ac77a..d2f44ccb2 100644 --- a/attestation-service/src/lib.rs +++ b/attestation-service/src/lib.rs @@ -22,7 +22,7 @@ use serde_json::{json, Value}; use serde_variant::to_variant_name; use sha2::{Digest, Sha256, Sha384, Sha512}; use std::{collections::HashMap, str::FromStr}; -use strum::{AsRefStr, EnumString}; +use strum::{AsRefStr, Display, EnumString}; use thiserror::Error; use tokio::fs; use verifier::{InitDataHash, ReportData}; @@ -30,7 +30,7 @@ use verifier::{InitDataHash, ReportData}; use crate::utils::flatten_claims; /// Hash algorithms used to calculate runtime/init data binding -#[derive(EnumString, AsRefStr)] +#[derive(Display, EnumString, AsRefStr)] pub enum HashAlgorithm { #[strum(ascii_case_insensitive)] Sha256, diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs index 6ec6289eb..a87d3f406 100644 --- a/kbs/src/attestation/intel_trust_authority/mod.rs +++ b/kbs/src/attestation/intel_trust_authority/mod.rs @@ -3,6 +3,7 @@ // SPDX-License-Identifier: Apache-2.0 use super::Attest; +use crate::attestation::{generic_generate_challenge, make_nonce}; use crate::token::{ jwk::JwkAttestationTokenVerifier, AttestationTokenVerifier, AttestationTokenVerifierConfig, AttestationTokenVerifierType, @@ -10,10 +11,30 @@ use crate::token::{ use anyhow::*; use async_trait::async_trait; use base64::{engine::general_purpose::STANDARD, Engine}; +use kbs_types::Challenge; use kbs_types::{Attestation, Tee}; use reqwest::header::{ACCEPT, CONTENT_TYPE}; use serde::{Deserialize, Serialize}; use serde_json::json; +use strum::{AsRefStr, Display, EnumString}; + +const SUPPORTED_HASH_ALGORITHMS_JSON_KEY: &str = "supported-hash-algorithms"; +const SELECTED_HASH_ALGORITHM_JSON_KEY: &str = "selected-hash-algorithm"; + +const ERR_NO_TEE_ALGOS: &str = "ITA: TEE does not support any hash algorithms"; +const ERR_INVALID_TEE: &str = "ITA: Unknown TEE specified"; + +#[derive(Display, EnumString, AsRefStr)] +pub enum HashAlgorithm { + #[strum(ascii_case_insensitive)] + Sha256, + + #[strum(ascii_case_insensitive)] + Sha384, + + #[strum(ascii_case_insensitive)] + Sha512, +} #[derive(Deserialize, Debug)] struct IntelTrustAuthorityTeeEvidence { @@ -60,7 +81,7 @@ pub struct IntelTrustAuthority { impl Attest for IntelTrustAuthority { async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result { if tee != Tee::Tdx && tee != Tee::Sgx { - bail!("Intel Trust Authority: TEE {tee:?} is not supported."); + bail!("ITA: TEE {tee:?} is not supported."); } // get quote let attestation = serde_json::from_str::(attestation) @@ -131,6 +152,87 @@ impl Attest for IntelTrustAuthority { Ok(resp_data.token.clone()) } + + async fn generate_challenge( + &self, + tee: Tee, + tee_parameters: serde_json::Value, + ) -> Result { + log::debug!("ITA: generate_challenge: tee: {tee:?}, tee_parameters: {tee_parameters:?}"); + + if tee_parameters.is_null() { + log::debug!( + "ITA: generate_challenge: no TEE parameters so falling back to legacy behaviour" + ); + + return generic_generate_challenge(tee, tee_parameters).await; + } + + let mut supported_hash_algorithms = vec![]; + + let Some(hash_algorithms_found) = tee_parameters.get(SUPPORTED_HASH_ALGORITHMS_JSON_KEY) + else { + log::info!("ITA: generate_challenge: no TEE hash parameters, so falling back to legacy behaviour"); + + return generic_generate_challenge(tee, tee_parameters).await; + }; + + let Some(algorithms) = hash_algorithms_found.as_array() else { + return Err(anyhow!( + "ITA: expected array, found {hash_algorithms_found:?}" + )); + }; + + let hash_algorithms: Vec = algorithms + .iter() + .filter_map(|s| Some(s.as_str()?.to_lowercase())) + .collect(); + + supported_hash_algorithms.append(&mut hash_algorithms.clone()); + + if supported_hash_algorithms.is_empty() { + log::debug!("ITA: generate_challenge: no tee algorithms available"); + + bail!(ERR_NO_TEE_ALGOS); + } + + log::debug!( + "ITA: generate_challenge: supported_hash_algorithms: {supported_hash_algorithms:?}" + ); + + let hash_algorithm: String = match tee { + Tee::Sgx => { + let needed_algorithm = HashAlgorithm::Sha256.as_ref().to_string().to_lowercase(); + + if supported_hash_algorithms.contains(&needed_algorithm) { + needed_algorithm + } else { + bail!("ITA: SGX TEE does not support {needed_algorithm}"); + } + } + Tee::Tdx => { + let needed_algorithm = HashAlgorithm::Sha512.as_ref().to_string().to_lowercase(); + + if supported_hash_algorithms.contains(&needed_algorithm) { + needed_algorithm + } else { + bail!("ITA: TDX TEE does not support {needed_algorithm}"); + } + } + _ => bail!(ERR_INVALID_TEE), + }; + + let extra_params = json!({ + SELECTED_HASH_ALGORITHM_JSON_KEY: hash_algorithm, + }); + + let nonce = make_nonce().await?; + + Ok(Challenge { + nonce, + extra_params, + }) + } } impl IntelTrustAuthority { @@ -148,3 +250,210 @@ impl IntelTrustAuthority { }) } } + +#[cfg(test)] +mod tests { + use super::*; + use rstest::*; + use serde_json::Value; + use std::io::Write; + use tempfile::NamedTempFile; + + // Generate the contents for an ITA certificates file and return it as + // a JSON string. + fn create_certs_file_json_string() -> String { + let data = json!({ "keys": [ + { + "alg": "PS384", + "e": "AQAB", + "kid": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "kty": "RSA", + "n": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "x5c": [ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + ] + }, + { + "alg": "RS256", + "e": "AQAB", + "kid": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "kty": "RSA", + "n": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "x5c": [ + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" + ] + }]}).to_string(); + + data + } + + #[rstest] + #[tokio::test] + #[case( + Tee::Tdx, + json!({}), + Ok(Challenge{ + nonce: "".into(), + extra_params: "".into() + }) + )] + #[tokio::test] + #[case( + Tee::Tdx, + json!(null), + Ok(Challenge{ + nonce: "".into(), + extra_params: "".into() + }) + )] + #[tokio::test] + #[case( + Tee::Tdx, + json!(""), + Ok(Challenge{ + nonce: "".into(), + extra_params: "".into() + }) + )] + #[tokio::test] + #[case( + Tee::Tdx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: []}), + Err(anyhow!(ERR_NO_TEE_ALGOS)) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!({}), + Ok(Challenge{ + nonce: "".into(), + extra_params: "".into() + }) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!(null), + Ok(Challenge{ + nonce: "".into(), + extra_params: "".into() + }) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!(""), + Ok(Challenge{ + nonce: "".into(), + extra_params: "".into() + }) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: []}), + Err(anyhow!(ERR_NO_TEE_ALGOS)) + )] + #[tokio::test] + #[case( + Tee::Tdx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha256.to_string()]}), + Err(anyhow!("ITA: TDX TEE does not support sha512")) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha512.to_string()]}), + Err(anyhow!("ITA: SGX TEE does not support sha256")) + )] + #[tokio::test] + #[case( + Tee::Tdx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha512.to_string()]}), + Ok(Challenge{ + nonce: "".into(), + extra_params: json!({SELECTED_HASH_ALGORITHM_JSON_KEY: HashAlgorithm::Sha512.to_string()})}) + )] + #[tokio::test] + #[case( + Tee::Tdx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha256.to_string(), HashAlgorithm::Sha512.to_string()]}), + Ok(Challenge{ + nonce: "".into(), + extra_params: json!({SELECTED_HASH_ALGORITHM_JSON_KEY: HashAlgorithm::Sha512.to_string()})}) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha256.to_string()]}), + Ok(Challenge{ + nonce: "".into(), + extra_params: json!({SELECTED_HASH_ALGORITHM_JSON_KEY: HashAlgorithm::Sha256.to_string()})}) + )] + #[tokio::test] + #[case( + Tee::Sgx, + json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha256.to_string(), HashAlgorithm::Sha512.to_string()]}), + Ok(Challenge{ + nonce: "".into(), + extra_params: json!({SELECTED_HASH_ALGORITHM_JSON_KEY: HashAlgorithm::Sha256.to_string()})}) + )] + async fn test_ita_generate_challenge( + #[case] tee: Tee, + #[case] params: Value, + #[case] expected_result: Result, + ) { + let mut file = NamedTempFile::new().unwrap(); + let certs_file = "file://".to_owned() + &file.path().display().to_string(); + + let json = create_certs_file_json_string(); + + file.write_all(json.as_bytes()) + .expect("failed to write certs file data"); + + let cfg = IntelTrustAuthorityConfig { + base_url: "".into(), + api_key: "".into(), + certs_file, + allow_unmatched_policy: None, + }; + + let msg = format!( + "test: certs file json: {json:?}, cfg: {cfg:?}, tee: {tee:?}, params: {params:?}, expected result: {expected_result:?}" + ); + + let ita = IntelTrustAuthority::new(cfg).await.unwrap(); + + let actual_result = ita.generate_challenge(tee, params).await; + + let msg = format!("{msg}, actual result: {actual_result:?}"); + + if std::env::var("DEBUG").is_ok() { + println!("DEBUG: {}", msg); + } + + // Note: for now we simply check for error, not the type of error returned. + if expected_result.is_err() { + assert!(actual_result.is_err(), "{msg}"); + return; + } + + // Only compare the params as the nonce will have a generated value. + let expected_extra_params = expected_result + .unwrap() + .extra_params + .to_string() + .to_lowercase(); + let actual_extra_params = actual_result + .unwrap() + .extra_params + .to_string() + .to_lowercase(); + + assert_eq!(actual_extra_params, expected_extra_params, "{}", msg); + } +} diff --git a/kbs/src/attestation/mod.rs b/kbs/src/attestation/mod.rs index b49dfa106..6141304f8 100644 --- a/kbs/src/attestation/mod.rs +++ b/kbs/src/attestation/mod.rs @@ -40,6 +40,18 @@ pub async fn make_nonce() -> Result { Ok(STANDARD.encode(&nonce)) } +pub(crate) async fn generic_generate_challenge( + _tee: Tee, + _tee_parameters: serde_json::Value, +) -> Result { + let nonce = make_nonce().await?; + + Ok(Challenge { + nonce, + extra_params: serde_json::Value::String(String::new()), + }) +} + /// Interface for Attestation Services. /// /// Attestation Service implementations should implement this interface. @@ -57,15 +69,10 @@ pub trait Attest: Send + Sync { /// generate the Challenge to pass to attester based on Tee and nonce async fn generate_challenge( &self, - _tee: Tee, - _tee_parameters: serde_json::Value, + tee: Tee, + tee_parameters: serde_json::Value, ) -> Result { - let nonce = make_nonce().await?; - - Ok(Challenge { - nonce, - extra_params: serde_json::Value::String(String::new()), - }) + generic_generate_challenge(tee, tee_parameters).await } }