From 3028a1b7d75839f5c78497001b76cbdc7531652a Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Wed, 31 Jul 2024 10:56:15 +0300
Subject: [PATCH 1/4] kbs_protocol: fix typo with UnAuthorized error
Signed-off-by: Mikko Ylinen
---
 attestation-agent/kbs_protocol/src/error.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/attestation-agent/kbs_protocol/src/error.rs b/attestation-agent/kbs_protocol/src/error.rs
index d46d42889..930dc3244 100644
--- a/attestation-agent/kbs_protocol/src/error.rs
+++ b/attestation-agent/kbs_protocol/src/error.rs
@@ -42,6 +42,6 @@ pub enum Error {
 #[error("KBS resource not found: {0}")]
 ResourceNotFound(String),
- #[error("request unautorized")]
+ #[error("request unauthorized")]
 UnAuthorized,
 }
From f422030af59424598b9c18335314a3ca8351e727 Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Wed, 31 Jul 2024 10:57:31 +0300
Subject: [PATCH 2/4] kbs_protocol: handle ProtocolVersion error
The RCAR client code currently ignores any errors for "request". Such errors can still happen, e.g., when 'version' field is rejected by KBS. Without catching errors we try to decode the Challenge json body but it actually contains the error information in it which results in decode errors instead. KBS added a new ProtocolVersion error which is now catched by the RCAR client code. The error is reported to the user if the client and server use incompatible versions.
Signed-off-by: Mikko Ylinen
---
 .../kbs_protocol/src/client/rcar_client.rs | 24 ++++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/attestation-agent/kbs_protocol/src/client/rcar_client.rs b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
index 23a2c8b4e..be688d0e7 100644
--- a/attestation-agent/kbs_protocol/src/client/rcar_client.rs
+++ b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
@@ -109,16 +109,34 @@ impl KbsClient> {
 debug!("send auth request to {auth_endpoint}");
- let challenge = self
+ let resp = self
 .http_client
 .post(auth_endpoint)
 .header("Content-Type", "application/json")
 .json(&request)
 .send()
- .await?
- .json::()
 .await?;
+ match resp.status() {
+ reqwest::StatusCode::OK => {
+ debug!("KBS request OK");
+ }
+ reqwest::StatusCode::UNAUTHORIZED => {
+ let error_info = resp.json::().await?;
+ bail!(
+ "KBS request unauthorized, ErrorInformation: {:?}",
+ error_info
+ );
+ }
+ _ => {
+ bail!(
+ "KBS Server Internal Failed, Response: {:?}",
+ resp.text().await?
+ );
+ }
+ }
+
+ let challenge = resp.json::().await?;
 debug!("get challenge: {challenge:#?}");
 let tee_pubkey = self.tee_key.export_pubkey()?;
 let runtime_data = json!({
From b28be70af58a4061a77201aa2f9f546f36806949 Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Wed, 31 Jul 2024 11:00:10 +0300
Subject: [PATCH 3/4] kbs_protocol: skip RCAR client tests when ProtocolVersion error occurs
The current setup with trustee repo for KBS server and guest-components repo for kbs_protocol client code has a cyclic dependency problem. test_client test uses "KBS latest" container image which won't work if any RCAR client code changes that change the protocol semantics are made. The suggested approach to break the cyclic dependency is to get the RCAR client changes merged first with a KBS protocol version bump. The RCAR client test is modified to skip the checks in case the "KBS latest" server returns ProtocolVersion error. Following this, the corresponding KBS server changes are made in trustee repo with an update to both kbs_protocol for kbs-client builds and the server supported protocol version.
Signed-off-by: Mikko Ylinen
---
 .../kbs_protocol/src/client/rcar_client.rs | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
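Review bot: The catch-all arm of the new `match resp.status()` labels every status other than 200 and 401 as "KBS Server Internal Failed" and drops the status code, so a client-side 4xx cannot be told apart from a server fault when an attestation handshake fails. Binding the status keeps it in the error, e.g. `status => bail!("KBS auth request failed with status {status}, response: {:?}", resp.text().await?)`. That arm also copies the whole response body, which the remote endpoint controls, into the error string with no length bound; truncating it before formatting would keep a misbehaving endpoint from flooding the agent's logs. In the `UNAUTHORIZED` arm the body is decoded with `?`, so a 401 whose body is not the expected JSON still surfaces as a decode error rather than as "unauthorized", which is the symptom the commit message sets out to remove. The enclosing function starts before and continues after this hunk.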
diff --git a/attestation-agent/kbs_protocol/src/client/rcar_client.rs b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
index be688d0e7..9fa4d1d0c 100644
--- a/attestation-agent/kbs_protocol/src/client/rcar_client.rs
+++ b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
@@ -363,10 +363,19 @@ mod test {
 .try_into()
 .expect("resource uri");
- let resource = client
- .get_resource(resource_uri)
- .await
- .expect("get resource");
+ let resource = match client.get_resource(resource_uri).await {
+ Ok(resource) => resource,
+ Err(e) => {
+ // Skip the test if the kbs server returned ProtocolVersion error. Any other
+ // error is treated as a failure.
+ assert!(e
+ .to_string()
+ .contains("KBS Client Protocol Version Mismatch"));
+ println!("NOTE: the test is skipped due to KBS protocol incompatibility.");
+ return ();
+ }
+ };
+
 assert_eq!(resource, CONTENT);
 let (token, key) = client.get_token().await.expect("get token");
From e573dd174a4ae3fa698e13e380fc3504f0641294 Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Thu, 25 Jul 2024 12:55:30 +0300
Subject: [PATCH 4/4] chore(deps): Bump kbs-types from 0.6.0 to 0.7.0
kbs-types introduces a break in JSON semantics so we bump the kbs protocol version from 0.1.0 to 0.1.1.
Signed-off-by: Mikko Ylinen
---
 Cargo.lock | 4 ++--
 Cargo.toml | 2 +-
 attestation-agent/kbs_protocol/src/client/mod.rs | 2 +-
 attestation-agent/kbs_protocol/src/client/rcar_client.rs | 4 ++--
 attestation-agent/kbs_protocol/src/keypair.rs | 5 ++---
 5 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 5055c004e..aefb7a3b3 100644
--- a/Cargo.lock
+++ b/Cargo.lock
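Review bot: The new `Err` arm turns a protocol-version mismatch into a silent pass: the test returns before the `get_resource` and `get_token` results are checked, and the only trace is a `println!`, which the test harness hides by default for passing tests. A CI run against an incompatible KBS image therefore reports the RCAR handshake as tested when none of it ran. The skip is also keyed on a substring of the error's display text, `"KBS Client Protocol Version Mismatch"`, which is not defined anywhere in this series and presumably comes from the server's response, so a rewording there silently changes what this test accepts. I would add a removal condition next to the skip, e.g. `// TODO: drop this skip once the KBS image used by this test speaks KBS_PROTOCOL_VERSION`, and write `return;` instead of `return ();`. The test function begins outside this hunk.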
@@ -3075,9 +3075,9 @@ dependencies = [
 [[package]]
 name = "kbs-types"
-version = "0.6.0"
+version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "febd73b2b1df274ea454d81ddf76f596af9754410b7ed6f988f2e1782a175da3"
+checksum = "9b6441ed73b0faa50707d4de41c6b45c76654b661b96aaf7b26a41331eedc0a5"
 dependencies = [
 "serde",
 "serde_json",
diff --git a/Cargo.toml b/Cargo.toml
index d01757083..e96b53e42 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -38,7 +38,7 @@ env_logger = "0.11.3"
 hex = "0.4.3"
 hmac = "0.12.1"
 jwt-simple = { version = "0.12", default-features = false, features = ["pure-rust"] }
-kbs-types = "0.6.0"
+kbs-types = "0.7.0"
 lazy_static = "1.4.0"
 log = "0.4.22"
 nix = "0.28"
diff --git a/attestation-agent/kbs_protocol/src/client/mod.rs b/attestation-agent/kbs_protocol/src/client/mod.rs
index c9077f6c9..5febb6911 100644
--- a/attestation-agent/kbs_protocol/src/client/mod.rs
+++ b/attestation-agent/kbs_protocol/src/client/mod.rs
@@ -48,7 +48,7 @@ pub struct KbsClient {
 pub(crate) token: Option,
 }
-pub const KBS_PROTOCOL_VERSION: &str = "0.1.0";
+pub const KBS_PROTOCOL_VERSION: &str = "0.1.1";
 pub const KBS_GET_RESOURCE_MAX_ATTEMPT: u64 = 3;
diff --git a/attestation-agent/kbs_protocol/src/client/rcar_client.rs b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
index 9fa4d1d0c..7c4b453d3 100644
--- a/attestation-agent/kbs_protocol/src/client/rcar_client.rs
+++ b/attestation-agent/kbs_protocol/src/client/rcar_client.rs
@@ -104,7 +104,7 @@ impl KbsClient> {
 let request = Request {
 version: String::from(KBS_PROTOCOL_VERSION),
 tee,
- extra_params: String::new(),
+ extra_params: serde_json::Value::String(String::new()),
 };
 debug!("send auth request to {auth_endpoint}");
@@ -153,7 +153,7 @@ impl KbsClient> {
 let attest_endpoint = format!("{}/{KBS_PREFIX}/attest", self.kbs_host_url);
 let attest = Attestation {
 tee_pubkey,
- tee_evidence: evidence,
+ tee_evidence: serde_json::from_str(&evidence)?, // TODO: change attesters to return Value?
 };
 debug!("send attest request.");
diff --git a/attestation-agent/kbs_protocol/src/keypair.rs b/attestation-agent/kbs_protocol/src/keypair.rs
index 12670a83e..897724e3e 100644
--- a/attestation-agent/kbs_protocol/src/keypair.rs
+++ b/attestation-agent/kbs_protocol/src/keypair.rs
@@ -7,7 +7,7 @@
 use anyhow::{Context, Result};
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
 use crypto::{
- rsa::{PaddingMode, RSAKeyPair, RSA_KTY},
+ rsa::{PaddingMode, RSAKeyPair},
 WrapType,
 };
 use kbs_types::{Response, TeePubKey};
@@ -31,11 +31,10 @@ impl TeeKeyPair {
 let k_mod = URL_SAFE_NO_PAD.encode(self.keypair.n());
 let k_exp = URL_SAFE_NO_PAD.encode(self.keypair.e());
- Ok(TeePubKey {
+ Ok(TeePubKey::RSA {
 alg: PaddingMode::PKCS1v15.as_ref().to_string(),
 k_mod,
 k_exp,
- kty: RSA_KTY.to_string(),
 })
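Review bot: In the rcar_client.rs hunk, `serde_json::from_str(&evidence)?` propagates a bare parse error, so an attester that returns evidence which is not valid JSON fails the attestation with a message that never names the evidence as the cause. If this function returns `anyhow::Result`, as the `bail!` calls elsewhere in this file suggest, `serde_json::from_str(&evidence).context("TEE evidence is not valid JSON")?` would make the failure attributable; that needs `anyhow::Context` in scope, which the visible lines of this file do not show. Parsing into a `Value` and serialising it again also means the bytes sent to KBS may no longer match the attester's original string (for example in key order), which is worth confirming as harmless if anything on the verifier side depends on the serialized form. The enclosing function extends beyond the hunk.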