From 12da72440b8ba9a7a332e980c6d332cc34a97821 Mon Sep 17 00:00:00 2001
From: "James O. D. Hunt" <james.o.hunt@intel.com>
Date: Mon, 29 Jul 2024 11:55:56 +0100
Subject: [PATCH] kbs: ita: Set hash algorithm based on TEE type

If the TEE specifies the hash algorithms it can use [1], add the appropriate
hash algorithm to the returned `Challenge` [2].

For backwards compatibility, do not return the selected hash algorithm
if the TEE does not provide the list of hash algorithms it can use.

Partially-fixes: #242.

[1] - In the optional `extra-params.supported-hash-algorithms` list.
[2] - In `extra-params.selected-hash-algorithm`.

Signed-off-by: James O. D. Hunt <james.o.hunt@intel.com>
---
 Cargo.lock                                    |  32 +-
 attestation-service/src/lib.rs                |   4 +-
 .../attestation/intel_trust_authority/mod.rs  | 311 +++++++++++++++++-
 kbs/src/attestation/mod.rs                    |  23 +-
 4 files changed, 343 insertions(+), 27 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index a0b7a8b0b..339231d00 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -516,7 +516,7 @@ dependencies = [
  "tempfile",
  "thiserror",
  "tokio",
- "toml 0.8.15",
+ "toml 0.8.19",
 ]
 
 [[package]]
@@ -2828,7 +2828,7 @@ dependencies = [
  "strum",
  "thiserror",
  "tokio",
- "toml 0.8.15",
+ "toml 0.8.19",
  "tonic 0.9.2",
  "tonic-build 0.9.2",
  "url",
@@ -2843,11 +2843,11 @@ checksum = "d4345964bb142484797b161f473a503a434de77149dd8c7427788c6e13379388"
 
 [[package]]
 name = "lazy_static"
-version = "1.4.0"
+version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"
+checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
 dependencies = [
- "spin 0.5.2",
+ "spin 0.9.8",
 ]
 
 [[package]]
@@ -2881,7 +2881,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0c2a198fb6b0eada2a8df47933734e6d35d350665a33a3593d7164fa52c75c19"
 dependencies = [
  "cfg-if",
- "windows-targets 0.48.5",
+ "windows-targets 0.52.5",
 ]
 
 [[package]]
@@ -4839,9 +4839,9 @@ dependencies = [
 
 [[package]]
 name = "serde_spanned"
-version = "0.6.6"
+version = "0.6.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "79e674e01f999af37c49f70a6ede167a8a60b2503e56c5599532a65baa5969a0"
+checksum = "eb5b1b31579f3811bf615c144393417496f152e12ac8b7663bf664f4a815306d"
 dependencies = [
  "serde",
 ]
@@ -5524,9 +5524,9 @@ dependencies = [
 
 [[package]]
 name = "toml"
-version = "0.8.15"
+version = "0.8.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac2caab0bf757388c6c0ae23b3293fdb463fee59434529014f85e3263b995c28"
+checksum = "a1ed1f98e3fdc28d6d910e6737ae6ab1a93bf1985935a1193e68f93eeb68d24e"
 dependencies = [
  "serde",
  "serde_spanned",
@@ -5536,18 +5536,18 @@ dependencies = [
 
 [[package]]
 name = "toml_datetime"
-version = "0.6.6"
+version = "0.6.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4badfd56924ae69bcc9039335b2e017639ce3f9b001c393c1b2d1ef846ce2cbf"
+checksum = "0dd7358ecb8fc2f8d014bf86f6f638ce72ba252a2c3a2572f2a795f1d23efb41"
 dependencies = [
  "serde",
 ]
 
 [[package]]
 name = "toml_edit"
-version = "0.22.16"
+version = "0.22.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "278f3d518e152219c994ce877758516bca5e118eaed6996192a774fb9fbf0788"
+checksum = "583c44c02ad26b0c3f3066fe629275e50627026c51ac2e595cca4c230ce1ce1d"
 dependencies = [
  "indexmap 2.2.6",
  "serde",
@@ -6338,9 +6338,9 @@ checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0"
 
 [[package]]
 name = "winnow"
-version = "0.6.13"
+version = "0.6.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "59b5e5f6c299a3c7890b876a2a587f3115162487e704907d9b6cd29473052ba1"
+checksum = "68a9bda4691f099d435ad181000724da8e5899daa10713c2d432552b9ccd3a6f"
 dependencies = [
  "memchr",
 ]
diff --git a/attestation-service/src/lib.rs b/attestation-service/src/lib.rs
index 7307ac77a..d2f44ccb2 100644
--- a/attestation-service/src/lib.rs
+++ b/attestation-service/src/lib.rs
@@ -22,7 +22,7 @@ use serde_json::{json, Value};
 use serde_variant::to_variant_name;
 use sha2::{Digest, Sha256, Sha384, Sha512};
 use std::{collections::HashMap, str::FromStr};
-use strum::{AsRefStr, EnumString};
+use strum::{AsRefStr, Display, EnumString};
 use thiserror::Error;
 use tokio::fs;
 use verifier::{InitDataHash, ReportData};
@@ -30,7 +30,7 @@ use verifier::{InitDataHash, ReportData};
 use crate::utils::flatten_claims;
 
 /// Hash algorithms used to calculate runtime/init data binding
-#[derive(EnumString, AsRefStr)]
+#[derive(Display, EnumString, AsRefStr)]
 pub enum HashAlgorithm {
     #[strum(ascii_case_insensitive)]
     Sha256,
diff --git a/kbs/src/attestation/intel_trust_authority/mod.rs b/kbs/src/attestation/intel_trust_authority/mod.rs
index 6ec6289eb..a87d3f406 100644
--- a/kbs/src/attestation/intel_trust_authority/mod.rs
+++ b/kbs/src/attestation/intel_trust_authority/mod.rs
@@ -3,6 +3,7 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use super::Attest;
+use crate::attestation::{generic_generate_challenge, make_nonce};
 use crate::token::{
     jwk::JwkAttestationTokenVerifier, AttestationTokenVerifier, AttestationTokenVerifierConfig,
     AttestationTokenVerifierType,
@@ -10,10 +11,30 @@ use crate::token::{
 use anyhow::*;
 use async_trait::async_trait;
 use base64::{engine::general_purpose::STANDARD, Engine};
+use kbs_types::Challenge;
 use kbs_types::{Attestation, Tee};
 use reqwest::header::{ACCEPT, CONTENT_TYPE};
 use serde::{Deserialize, Serialize};
 use serde_json::json;
+use strum::{AsRefStr, Display, EnumString};
+
+const SUPPORTED_HASH_ALGORITHMS_JSON_KEY: &str = "supported-hash-algorithms";
+const SELECTED_HASH_ALGORITHM_JSON_KEY: &str = "selected-hash-algorithm";
+
+const ERR_NO_TEE_ALGOS: &str = "ITA: TEE does not support any hash algorithms";
+const ERR_INVALID_TEE: &str = "ITA: Unknown TEE specified";
+
+#[derive(Display, EnumString, AsRefStr)]
+pub enum HashAlgorithm {
+    #[strum(ascii_case_insensitive)]
+    Sha256,
+
+    #[strum(ascii_case_insensitive)]
+    Sha384,
+
+    #[strum(ascii_case_insensitive)]
+    Sha512,
+}
 
 #[derive(Deserialize, Debug)]
 struct IntelTrustAuthorityTeeEvidence {
@@ -60,7 +81,7 @@ pub struct IntelTrustAuthority {
 impl Attest for IntelTrustAuthority {
     async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result<String> {
         if tee != Tee::Tdx && tee != Tee::Sgx {
-            bail!("Intel Trust Authority: TEE {tee:?} is not supported.");
+            bail!("ITA: TEE {tee:?} is not supported.");
         }
         // get quote
         let attestation = serde_json::from_str::<Attestation>(attestation)
@@ -131,6 +152,87 @@ impl Attest for IntelTrustAuthority {
 
         Ok(resp_data.token.clone())
     }
+
+    async fn generate_challenge(
+        &self,
+        tee: Tee,
+        tee_parameters: serde_json::Value,
+    ) -> Result<Challenge> {
+        log::debug!("ITA: generate_challenge: tee: {tee:?}, tee_parameters: {tee_parameters:?}");
+
+        if tee_parameters.is_null() {
+            log::debug!(
+                "ITA: generate_challenge: no TEE parameters so falling back to legacy behaviour"
+            );
+
+            return generic_generate_challenge(tee, tee_parameters).await;
+        }
+
+        let mut supported_hash_algorithms = vec![];
+
+        let Some(hash_algorithms_found) = tee_parameters.get(SUPPORTED_HASH_ALGORITHMS_JSON_KEY)
+        else {
+            log::info!("ITA: generate_challenge: no TEE hash parameters, so falling back to legacy behaviour");
+
+            return generic_generate_challenge(tee, tee_parameters).await;
+        };
+
+        let Some(algorithms) = hash_algorithms_found.as_array() else {
+            return Err(anyhow!(
+                "ITA: expected array, found {hash_algorithms_found:?}"
+            ));
+        };
+
+        let hash_algorithms: Vec<String> = algorithms
+            .iter()
+            .filter_map(|s| Some(s.as_str()?.to_lowercase()))
+            .collect();
+
+        supported_hash_algorithms.append(&mut hash_algorithms.clone());
+
+        if supported_hash_algorithms.is_empty() {
+            log::debug!("ITA: generate_challenge: no tee algorithms available");
+
+            bail!(ERR_NO_TEE_ALGOS);
+        }
+
+        log::debug!(
+            "ITA: generate_challenge: supported_hash_algorithms: {supported_hash_algorithms:?}"
+        );
+
+        let hash_algorithm: String = match tee {
+            Tee::Sgx => {
+                let needed_algorithm = HashAlgorithm::Sha256.as_ref().to_string().to_lowercase();
+
+                if supported_hash_algorithms.contains(&needed_algorithm) {
+                    needed_algorithm
+                } else {
+                    bail!("ITA: SGX TEE does not support {needed_algorithm}");
+                }
+            }
+            Tee::Tdx => {
+                let needed_algorithm = HashAlgorithm::Sha512.as_ref().to_string().to_lowercase();
+
+                if supported_hash_algorithms.contains(&needed_algorithm) {
+                    needed_algorithm
+                } else {
+                    bail!("ITA: TDX TEE does not support {needed_algorithm}");
+                }
+            }
+            _ => bail!(ERR_INVALID_TEE),
+        };
+
+        let extra_params = json!({
+            SELECTED_HASH_ALGORITHM_JSON_KEY: hash_algorithm,
+        });
+
+        let nonce = make_nonce().await?;
+
+        Ok(Challenge {
+            nonce,
+            extra_params,
+        })
+    }
 }
 
 impl IntelTrustAuthority {
@@ -148,3 +250,210 @@ impl IntelTrustAuthority {
         })
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use rstest::*;
+    use serde_json::Value;
+    use std::io::Write;
+    use tempfile::NamedTempFile;
+
+    // Generate the contents for an ITA certificates file and return it as
+    // a JSON string.
+    fn create_certs_file_json_string() -> String {
+        let data = json!({ "keys": [
+        {
+            "alg": "PS384",
+            "e": "AQAB",
+            "kid": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+            "kty": "RSA",
+            "n": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+            "x5c": [
+                "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+                "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+                "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
+          ]
+        },
+        {
+            "alg": "RS256",
+            "e": "AQAB",
+            "kid": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+            "kty": "RSA",
+            "n": "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+            "x5c": [
+                "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+                "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
+                "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
+          ]
+        }]}).to_string();
+
+        data
+    }
+
+    #[rstest]
+    #[tokio::test]
+    #[case(
+        Tee::Tdx,
+        json!({}),
+        Ok(Challenge{
+            nonce: "".into(),
+            extra_params: "".into()
+        })
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Tdx,
+        json!(null),
+        Ok(Challenge{
+            nonce: "".into(),
+            extra_params: "".into()
+        })
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Tdx,
+        json!(""),
+        Ok(Challenge{
+            nonce: "".into(),
+            extra_params: "".into()
+        })
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Tdx,
+        json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: []}),
+        Err(anyhow!(ERR_NO_TEE_ALGOS))
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Sgx,
+        json!({}),
+        Ok(Challenge{
+            nonce: "".into(),
+            extra_params: "".into()
+        })
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Sgx,
+        json!(null),
+        Ok(Challenge{
+            nonce: "".into(),
+            extra_params: "".into()
+        })
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Sgx,
+        json!(""),
+        Ok(Challenge{
+            nonce: "".into(),
+            extra_params: "".into()
+        })
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Sgx,
+        json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: []}),
+        Err(anyhow!(ERR_NO_TEE_ALGOS))
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Tdx,
+        json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha256.to_string()]}),
+        Err(anyhow!("ITA: TDX TEE does not support sha512"))
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Sgx,
+        json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha512.to_string()]}),
+        Err(anyhow!("ITA: SGX TEE does not support sha256"))
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Tdx,
+        json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha512.to_string()]}),
+        Ok(Challenge{
+            nonce: "".into(),
+            extra_params: json!({SELECTED_HASH_ALGORITHM_JSON_KEY: HashAlgorithm::Sha512.to_string()})})
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Tdx,
+        json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha256.to_string(), HashAlgorithm::Sha512.to_string()]}),
+        Ok(Challenge{
+            nonce: "".into(),
+            extra_params: json!({SELECTED_HASH_ALGORITHM_JSON_KEY: HashAlgorithm::Sha512.to_string()})})
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Sgx,
+        json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha256.to_string()]}),
+        Ok(Challenge{
+            nonce: "".into(),
+            extra_params: json!({SELECTED_HASH_ALGORITHM_JSON_KEY: HashAlgorithm::Sha256.to_string()})})
+    )]
+    #[tokio::test]
+    #[case(
+        Tee::Sgx,
+        json!({SUPPORTED_HASH_ALGORITHMS_JSON_KEY: [HashAlgorithm::Sha256.to_string(), HashAlgorithm::Sha512.to_string()]}),
+        Ok(Challenge{
+            nonce: "".into(),
+            extra_params: json!({SELECTED_HASH_ALGORITHM_JSON_KEY: HashAlgorithm::Sha256.to_string()})})
+    )]
+    async fn test_ita_generate_challenge(
+        #[case] tee: Tee,
+        #[case] params: Value,
+        #[case] expected_result: Result<Challenge>,
+    ) {
+        let mut file = NamedTempFile::new().unwrap();
+        let certs_file = "file://".to_owned() + &file.path().display().to_string();
+
+        let json = create_certs_file_json_string();
+
+        file.write_all(json.as_bytes())
+            .expect("failed to write certs file data");
+
+        let cfg = IntelTrustAuthorityConfig {
+            base_url: "".into(),
+            api_key: "".into(),
+            certs_file,
+            allow_unmatched_policy: None,
+        };
+
+        let msg = format!(
+            "test: certs file json: {json:?}, cfg: {cfg:?}, tee: {tee:?}, params: {params:?}, expected result: {expected_result:?}"
+        );
+
+        let ita = IntelTrustAuthority::new(cfg).await.unwrap();
+
+        let actual_result = ita.generate_challenge(tee, params).await;
+
+        let msg = format!("{msg}, actual result: {actual_result:?}");
+
+        if std::env::var("DEBUG").is_ok() {
+            println!("DEBUG: {}", msg);
+        }
+
+        // Note: for now we simply check for error, not the type of error returned.
+        if expected_result.is_err() {
+            assert!(actual_result.is_err(), "{msg}");
+            return;
+        }
+
+        // Only compare the params as the nonce will have a generated value.
+        let expected_extra_params = expected_result
+            .unwrap()
+            .extra_params
+            .to_string()
+            .to_lowercase();
+        let actual_extra_params = actual_result
+            .unwrap()
+            .extra_params
+            .to_string()
+            .to_lowercase();
+
+        assert_eq!(actual_extra_params, expected_extra_params, "{}", msg);
+    }
+}
diff --git a/kbs/src/attestation/mod.rs b/kbs/src/attestation/mod.rs
index b49dfa106..6141304f8 100644
--- a/kbs/src/attestation/mod.rs
+++ b/kbs/src/attestation/mod.rs
@@ -40,6 +40,18 @@ pub async fn make_nonce() -> Result<String> {
     Ok(STANDARD.encode(&nonce))
 }
 
+pub(crate) async fn generic_generate_challenge(
+    _tee: Tee,
+    _tee_parameters: serde_json::Value,
+) -> Result<Challenge> {
+    let nonce = make_nonce().await?;
+
+    Ok(Challenge {
+        nonce,
+        extra_params: serde_json::Value::String(String::new()),
+    })
+}
+
 /// Interface for Attestation Services.
 ///
 /// Attestation Service implementations should implement this interface.
@@ -57,15 +69,10 @@ pub trait Attest: Send + Sync {
     /// generate the Challenge to pass to attester based on Tee and nonce
     async fn generate_challenge(
         &self,
-        _tee: Tee,
-        _tee_parameters: serde_json::Value,
+        tee: Tee,
+        tee_parameters: serde_json::Value,
     ) -> Result<Challenge> {
-        let nonce = make_nonce().await?;
-
-        Ok(Challenge {
-            nonce,
-            extra_params: serde_json::Value::String(String::new()),
-        })
+        generic_generate_challenge(tee, tee_parameters).await
     }
 }