From 61cf6be0f073168041784dda7a8706d5ef594d3f Mon Sep 17 00:00:00 2001 From: Kartik Joshi Date: Thu, 15 Feb 2024 17:46:54 +0530 Subject: [PATCH] Verifier: Refactor errors in csv module Fixes: #231 Signed-off-by: Kartik Joshi --- Cargo.lock | 2 + attestation-service/verifier/Cargo.toml | 2 + attestation-service/verifier/src/csv/mod.rs | 45 ++++++++++++++++----- 3 files changed, 40 insertions(+), 9 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 48f823558f..40366c728e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5215,6 +5215,7 @@ dependencies = [ "ear", "eventlog-rs", "hex", + "jsonwebkey", "jsonwebtoken", "kbs-types", "log", @@ -5228,6 +5229,7 @@ dependencies = [ "sgx-dcap-quoteverify-rs", "shadow-rs", "strum", + "thiserror", "tokio", "tonic-build", "veraison-apiclient", diff --git a/attestation-service/verifier/Cargo.toml b/attestation-service/verifier/Cargo.toml index 23d6d12efe..a4a3548f3a 100644 --- a/attestation-service/verifier/Cargo.toml +++ b/attestation-service/verifier/Cargo.toml @@ -16,6 +16,7 @@ cca-verifier = [ "ear", "veraison-apiclient" ] [dependencies] anyhow.workspace = true +thiserror.workspace = true asn1-rs = { version = "0.5.1", optional = true } async-trait.workspace = true az-snp-vtpm = { version = "0.5.1", default-features = false, features = ["verifier"], optional = true } @@ -30,6 +31,7 @@ csv-rs = { git = "https://github.com/openanolis/csv-rs", rev = "b74aa8c", option eventlog-rs = { version = "0.1.3", optional = true } hex.workspace = true jsonwebtoken = "8" +jsonwebkey = "0.3.5" kbs-types.workspace = true log.workspace = true openssl = { version = "0.10.55", optional = true } diff --git a/attestation-service/verifier/src/csv/mod.rs b/attestation-service/verifier/src/csv/mod.rs index 5756dd654a..ceca464414 100644 --- a/attestation-service/verifier/src/csv/mod.rs +++ b/attestation-service/verifier/src/csv/mod.rs 
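Review bot: `jsonwebkey = "0.3.5"` in the second Cargo.toml hunk is added as an unconditional dependency, yet none of the csv/mod.rs changes in this patch reference it and the commit message only describes an error refactor. Every extra crate in the attestation verifier's build is more supply-chain surface to audit. Either drop it from this commit or, if code outside this patch needs it, add it with that code and mark it `optional = true` behind the feature that uses it, as the neighbouring TEE-specific crates are. `thiserror.workspace = true` is the only addition the visible changes require.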
@@ -3,7 +3,8 @@ // SPDX-License-Identifier: Apache-2.0 // -use anyhow::{Context, Result}; +use anyhow::Result; +use thiserror::Error; use log::{debug, warn}; extern crate serde; use self::serde::{Deserialize, Serialize}; @@ -31,6 +32,32 @@ struct CsvEvidence { serial_number: Vec, } +#[derive(Error, Debug)] +pub enum CsvError { + #[error("REPORT_DATA is different from that in CSV Quote")] + ReportDataMismatch, + #[error("Serde json error: Deserialize Quote failed")] + SerdeJson(#[from] serde_json::Error), + #[error("IO error")] + IO(#[from] std::io::Error), + #[error("HRK cert Signature verification failed: {0}")] + HRKSignatureVerification(String), + #[error("HSK cert Signature validation failed: {0}")] + HSKSignatureValidation(String), + #[error("CEK cert Signature validation failed: {0}")] + CEKSignatureValidation(String), + #[error("PEK cert Signature validation failed: {0}")] + PEKSignatureValidation(String), + #[error("Attestation Report Signature validation failed: {0}")] + AttestationReportSignatureValidation(String), + #[error("Parse TEE evidence failed: {0}")] + ParseTeeEvidence(String), + #[error("Verify report signature failed: {0}")] + VerifyReportSignature(String), + #[error("anyhow error")] + Anyhow(#[from] anyhow::Error), +} + pub const HRK: &[u8] = include_bytes!("hrk.cert"); #[derive(Debug, Default)] @@ -45,7 +72,7 @@ impl Verifier for CsvVerifier { expected_init_data_hash: &InitDataHash, ) -> Result { let tee_evidence = - serde_json::from_slice::(evidence).context("Deserialize Quote failed.")?; + serde_json::from_slice::(evidence)?; verify_report_signature(&tee_evidence.attestation_report, &tee_evidence.cert_chain)?; 
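Review bot: The `Anyhow` and `IO` variants of the new `CsvError` enum print the fixed strings `anyhow error` and `IO error`, so a caller that logs the error with `{}` learns nothing about why evidence verification failed. The cause is still reachable through `source()` because of `#[from]`, but for the catch-all it is simpler to forward it with `#[error(transparent)]` on `Anyhow(#[from] anyhow::Error)`. The certificate variants are also named inconsistently (`HRKSignatureVerification` against `...SignatureValidation` for HSK, CEK and PEK), which changes the HRK message from the wording removed later in the patch. Use one suffix for all of them, and add a short `///` line per variant saying which link of the HRK, HSK, CEK, PEK chain it reports.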
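Review bot: In `evaluate`, the bare `?` after `serde_json::from_slice` appears to convert the `serde_json::Error` straight into `anyhow::Error`, since the function still returns the `Result` imported by `use anyhow::Result;`. That means `CsvError::SerdeJson` is never constructed here and the "Deserialize Quote failed" text that `.context(...)` used to attach is lost. Route the error through the new type explicitly with `.map_err(CsvError::SerdeJson)?`. The `verify_report_signature(...)?` call below has the reverse issue: its `CsvError` is wrapped into `anyhow::Error` on the way out, so callers can only recover the variant with `downcast_ref::<CsvError>()`. The body of `evaluate` starts before and continues past this hunk.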
@@ -71,29 +98,29 @@ impl Verifier for CsvVerifier { fn verify_report_signature( attestation_report: &AttestationReport, cert_chain: &CertificateChain, -) -> Result<()> { +) -> Result<(), CsvError> { // Verify certificate chain let hrk = ca::Certificate::decode(&mut &HRK[..], ())?; (&hrk, &hrk) .verify() - .context("HRK cert Signature validation failed.")?; + .map_err(|err| CsvError::HRKSignatureVerification(err.to_string()))?; (&hrk, &cert_chain.hsk) .verify() - .context("HSK cert Signature validation failed.")?; + .map_err(|err| CsvError::HSKSignatureValidation(err.to_string()))?; (&cert_chain.hsk, &cert_chain.cek) .verify() - .context("CEK cert Signature validation failed.")?; + .map_err(|err| CsvError::CEKSignatureValidation(err.to_string()))?; (&cert_chain.cek, &cert_chain.pek) .verify() - .context("PEK cert Signature validation failed.")?; + .map_err(|err| CsvError::PEKSignatureValidation(err.to_string()))?; // Verify the TEE Hardware signature. (&cert_chain.pek, attestation_report) .verify() - .context("Attestation Report Signature validation failed.")?; + .map_err(|err| CsvError::AttestationReportSignatureValidation(err.to_string()))?; - Ok(()) + Ok(()).map_err(|err| CsvError::VerifyReportSignature(err.to_string())) } fn xor_with_anonce(data: &mut [u8], anonce: &u32) {
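Review bot: The final expression `Ok(()).map_err(|err| CsvError::VerifyReportSignature(err.to_string()))` can never produce an error, because `map_err` on a literal `Ok` never runs its closure. The closure's `err` also has no type the compiler can infer from `Ok(())` alone, so the line may not build as written. Return plain `Ok(())`; if `VerifyReportSignature` is meant to wrap failures of this function, apply it at the call site in `evaluate`. Separately, `ca::Certificate::decode(&mut &HRK[..], ())?` now relies on one of the `#[from]` conversions, so a failure to decode the embedded root certificate would presumably surface as the generic `IO error` or `anyhow error` text. A dedicated `map_err` on that call would keep a broken trust anchor distinguishable from the other chain failures in logs.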