Verifier: Refactor errors in csv module
Fixes: confidential-containers#231
Signed-off-by: Kartik Joshi <[email protected]>
kartikjoshi21 committed Feb 15, 2024
1 parent 6a9be1c commit 61cf6be
Showing 3 changed files with 40 additions and 9 deletions.
2 changes: 2 additions & 0 deletions Cargo.lock


2 changes: 2 additions & 0 deletions attestation-service/verifier/Cargo.toml
Expand Up @@ -16,6 +16,7 @@ cca-verifier = [ "ear", "veraison-apiclient" ]

[dependencies]
anyhow.workspace = true
thiserror.workspace = true
asn1-rs = { version = "0.5.1", optional = true }
async-trait.workspace = true
az-snp-vtpm = { version = "0.5.1", default-features = false, features = ["verifier"], optional = true }
Expand All @@ -30,6 +31,7 @@ csv-rs = { git = "https://github.com/openanolis/csv-rs", rev = "b74aa8c", option
eventlog-rs = { version = "0.1.3", optional = true }
hex.workspace = true
jsonwebtoken = "8"
jsonwebkey = "0.3.5"
kbs-types.workspace = true
log.workspace = true
openssl = { version = "0.10.55", optional = true }
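Review bot: `jsonwebkey = "0.3.5"` looks unrelated to this error refactor. The rendering has lost the +/- markers, but the section reports two additions and `thiserror.workspace = true` is the only one the csv module imports, so this line appears to be the other. Nothing in the `csv/mod.rs` changes shown here uses it, and every extra crate in an attestation verifier adds to the dependency tree and `Cargo.lock` entries that have to be audited. I would drop it from this commit and add it in the change that actually consumes it.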
45 changes: 36 additions & 9 deletions attestation-service/verifier/src/csv/mod.rs
Expand Up @@ -3,7 +3,8 @@
// SPDX-License-Identifier: Apache-2.0
//

use anyhow::{Context, Result};
use anyhow::Result;
use thiserror::Error;
use log::{debug, warn};
extern crate serde;
use self::serde::{Deserialize, Serialize};
Expand Down Expand Up @@ -31,6 +32,32 @@ struct CsvEvidence {
serial_number: Vec<u8>,
}

#[derive(Error, Debug)]
pub enum CsvError {
#[error("REPORT_DATA is different from that in CSV Quote")]
ReportDataMismatch,
#[error("Serde json error: Deserialize Quote failed")]
SerdeJson(#[from] serde_json::Error),
#[error("IO error")]
IO(#[from] std::io::Error),
#[error("HRK cert Signature verification failed: {0}")]
HRKSignatureVerification(String),
#[error("HSK cert Signature validation failed: {0}")]
HSKSignatureValidation(String),
#[error("CEK cert Signature validation failed: {0}")]
CEKSignatureValidation(String),
#[error("PEK cert Signature validation failed: {0}")]
PEKSignatureValidation(String),
#[error("Attestation Report Signature validation failed: {0}")]
AttestationReportSignatureValidation(String),
#[error("Parse TEE evidence failed: {0}")]
ParseTeeEvidence(String),
#[error("Verify report signature failed: {0}")]
VerifyReportSignature(String),
#[error("anyhow error")]
Anyhow(#[from] anyhow::Error),
}

pub const HRK: &[u8] = include_bytes!("hrk.cert");

#[derive(Debug, Default)]
Expand All @@ -45,7 +72,7 @@ impl Verifier for CsvVerifier {
expected_init_data_hash: &InitDataHash,
) -> Result<TeeEvidenceParsedClaim> {
let tee_evidence =
serde_json::from_slice::<CsvEvidence>(evidence).context("Deserialize Quote failed.")?;
serde_json::from_slice::<CsvEvidence>(evidence)?;

verify_report_signature(&tee_evidence.attestation_report, &tee_evidence.cert_chain)?;

Expand All @@ -71,29 +98,29 @@ impl Verifier for CsvVerifier {
fn verify_report_signature(
attestation_report: &AttestationReport,
cert_chain: &CertificateChain,
) -> Result<()> {
) -> Result<(), CsvError> {
// Verify certificate chain
let hrk = ca::Certificate::decode(&mut &HRK[..], ())?;
(&hrk, &hrk)
.verify()
.context("HRK cert Signature validation failed.")?;
.map_err(|err| CsvError::HRKSignatureVerification(err.to_string()))?;
(&hrk, &cert_chain.hsk)
.verify()
.context("HSK cert Signature validation failed.")?;
.map_err(|err| CsvError::HSKSignatureValidation(err.to_string()))?;
(&cert_chain.hsk, &cert_chain.cek)
.verify()
.context("CEK cert Signature validation failed.")?;
.map_err(|err| CsvError::CEKSignatureValidation(err.to_string()))?;
(&cert_chain.cek, &cert_chain.pek)
.verify()
.context("PEK cert Signature validation failed.")?;
.map_err(|err| CsvError::PEKSignatureValidation(err.to_string()))?;

// Verify the TEE Hardware signature.

(&cert_chain.pek, attestation_report)
.verify()
.context("Attestation Report Signature validation failed.")?;
.map_err(|err| CsvError::AttestationReportSignatureValidation(err.to_string()))?;

Ok(())
Ok(()).map_err(|err| CsvError::VerifyReportSignature(err.to_string()))
}

fn xor_with_anonce(data: &mut [u8], anonce: &u32) {
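Review bot: The closing expression of `verify_report_signature`, `Ok(()).map_err(|err| CsvError::VerifyReportSignature(err.to_string()))`, maps the error of a value that is always `Ok`, so the closure can never run and `VerifyReportSignature` is never produced; the error type of that bare `Ok(())` is also left unconstrained, which I would expect to need an annotation to compile. Return plain `Ok(())` instead. In the `Verifier` method above (its body starts outside the hunk), the new side appears to drop `.context("Deserialize Quote failed.")`, so `?` converts the serde_json error straight to `anyhow::Error` and never goes through `CsvError::SerdeJson`; `.map_err(CsvError::SerdeJson)?` would keep the "Deserialize Quote failed" message. Flattening each `verify()` failure with `err.to_string()` also discards the source chain, which makes it harder to audit why a link in the HRK/HSK/CEK/PEK chain was rejected.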
