kbs: api_server: let attestation-service to create nonce

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
confidential-containers · May 29, 2024 · 1e3b172 · 1e3b172
1 parent fdbaa41
commit 1e3b172
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 17 deletions.
diff --git a/kbs/src/api/src/attestation/mod.rs b/kbs/src/api/src/attestation/mod.rs
@@ -12,6 +12,10 @@ use coco::grpc::*;
 use intel_trust_authority::*;
 use kbs_types::Tee;
 
+use base64::engine::general_purpose::STANDARD;
+use base64::Engine;
+use rand::{thread_rng, Rng};
+
 #[cfg(feature = "coco-as")]
 #[allow(missing_docs)]
 pub mod coco;
@@ -29,6 +33,17 @@ pub trait Attest: Send + Sync {
         Err(anyhow!("Set Policy API is unimplemented"))
     }
 
+    /// Get nonce from AS
+    async fn nonce(&self) -> Result<String> {
+        let mut nonce: Vec<u8> = vec![0; 32];
+
+        thread_rng()
+            .try_fill(&mut nonce[..])
+            .map_err(anyhow::Error::from)?;
+
+        Ok(STANDARD.encode(&nonce))
+    }
+
     /// Verify Attestation Evidence
     /// Return Attestation Results Token
     async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result<String>;
@@ -68,6 +83,17 @@ impl AttestationService {
         Ok(Self::IntelTA(ta_client))
     }
 
+    pub async fn nonce(&self) -> Result<String> {
+        match self {
+            #[cfg(feature = "coco-as-grpc")]
+            AttestationService::CoCoASgRPC(inner) => inner.nonce().await,
+            #[cfg(any(feature = "coco-as-builtin", feature = "coco-as-builtin-no-verifier"))]
+            AttestationService::CoCoASBuiltIn(inner) => inner.nonce().await,
+            #[cfg(feature = "intel-trust-authority-as")]
+            AttestationService::IntelTA(inner) => inner.nonce().await,
+        }
+    }
+
     pub async fn verify(&self, tee: Tee, nonce: &str, attestation: &str) -> Result<String> {
         match self {
             #[cfg(feature = "coco-as-grpc")]

diff --git a/kbs/src/api/src/http/attest.rs b/kbs/src/api/src/http/attest.rs
@@ -17,12 +17,17 @@ pub(crate) async fn auth(
     request: web::Json<Request>,
     map: web::Data<SessionMap>,
     timeout: web::Data<i64>,
-    _attestation_service: web::Data<Arc<AttestationService>>,
+    attestation_service: web::Data<Arc<AttestationService>>,
 ) -> Result<HttpResponse> {
     info!("Auth API called.");
     debug!("Auth Request: {:?}", &request);
 
-    let session = SessionStatus::auth(request.0, **timeout)
+    let nonce = attestation_service
+        .nonce()
+        .await
+        .map_err(|e| Error::FailedAuthentication(e.to_string()))?;
+
+    let session = SessionStatus::auth(request.0, **timeout, nonce)
         .map_err(|e| Error::FailedAuthentication(format!("Session: {e}")))?;
 
     let response = HttpResponse::Ok()

diff --git a/kbs/src/api/src/session.rs b/kbs/src/api/src/session.rs
@@ -7,26 +7,13 @@ use actix_web::cookie::{
     Cookie,
 };
 use anyhow::{bail, Result};
-use base64::engine::general_purpose::STANDARD;
-use base64::Engine;
 use kbs_types::{Challenge, Request};
 use log::warn;
-use rand::{thread_rng, Rng};
 use semver::Version;
 use uuid::Uuid;
 
 pub(crate) static KBS_SESSION_ID: &str = "kbs-session-id";
 
-fn nonce() -> Result<String> {
-    let mut nonce: Vec<u8> = vec![0; 32];
-
-    thread_rng()
-        .try_fill(&mut nonce[..])
-        .map_err(anyhow::Error::from)?;
-
-    Ok(STANDARD.encode(&nonce))
-}
-
 /// Finite State Machine model for RCAR handshake
 pub(crate) enum SessionStatus {
     Authed {
@@ -64,7 +51,7 @@ macro_rules! impl_member {
 }
 
 impl SessionStatus {
-    pub fn auth(request: Request, timeout: i64) -> Result<Self> {
+    pub fn auth(request: Request, timeout: i64, nonce: String) -> Result<Self> {
         let version = Version::parse(&request.version).map_err(anyhow::Error::from)?;
         if !crate::VERSION_REQ.matches(&version) {
             bail!("Invalid Request version {}", request.version);
@@ -76,7 +63,7 @@ impl SessionStatus {
         Ok(Self::Authed {
             request,
             challenge: Challenge {
-                nonce: nonce()?,
+                nonce: nonce.clone(),
                 extra_params: String::new(),
             },
             id,