Add CoRIM Decoding logic to CCA Realms

Signed-off-by: Yogesh Deshpande <[email protected]>
veraison · Dec 1, 2023 · fea2ab2 · fea2ab2
1 parent be236df
commit fea2ab2
Show file tree

Hide file tree

Showing 5 changed files with 76 additions and 24 deletions.
diff --git a/scheme/cca-realm/corim_extractor.go b/scheme/cca-realm/corim_extractor.go
@@ -21,51 +21,55 @@ func (o CorimExtractor) RefValExtractor(
 		return nil, fmt.Errorf("could not extract Realm class attributes: %w", err)
 	}
 
-	rvs := make([]*handler.Endorsement, 0, len(rv.Measurements))
-
-	for i, m := range rv.Measurements {
+	// For Realm's we only expect one Reference Value
+	rvs := make([]*handler.Endorsement, 0, 1)
+	var measurements [][]byte
+	var algID string
+	for _, m := range rv.Measurements {
 
 		d := m.Val.Digests
 
 		if d == nil {
 			return nil, fmt.Errorf("measurement value has no digests")
 		}
-		if len(*d) != 1 {
-			return nil, fmt.Errorf("expecting exactly one digest")
+		k := len(*d)
+		if k < 1 {
+			return nil, fmt.Errorf("expecting atleast one digest")
 		}
-		algID := (*d)[0].AlgIDToString()
+		algID = (*d)[0].AlgIDToString()
 		measurementValue := (*d)[0].HashValue
 
-		attrs, err := makeRefValAttrs(&classAttrs, algID, measurementValue)
-		if err != nil {
-			return nil, fmt.Errorf("measurement[%d].digest: %w", i, err)
-		}
-
-		rv := &handler.Endorsement{
-			Scheme:     SchemeName,
-			Type:       handler.EndorsementType_REFERENCE_VALUE,
-			Attributes: attrs,
-		}
+		measurements = append(measurements, measurementValue)
+	}
 
-		rvs = append(rvs, rv)
+	attrs, err := makeRefValAttrs(&classAttrs, algID, measurements)
+	if err != nil {
+		return nil, fmt.Errorf("attributes error: %w", err)
+	}
 
+	ev := &handler.Endorsement{
+		Scheme:     SchemeName,
+		Type:       handler.EndorsementType_REFERENCE_VALUE,
+		Attributes: attrs,
 	}
 
+	rvs = append(rvs, ev)
+
 	if len(rvs) == 0 {
 		return nil, fmt.Errorf("no measurements found")
 	}
 
 	return rvs, nil
 }
 
-func makeRefValAttrs(cAttr *ClassAttributes, algID string, digest []byte) (json.RawMessage, error) {
+func makeRefValAttrs(cAttr *ClassAttributes, algID string, measurements [][]byte) (json.RawMessage, error) {
 
 	var attrs = map[string]interface{}{
-		"cca-realm.vendor":      cAttr.Vendor,
-		"cca-realm.model":       cAttr.Model,
-		"cca-realm-id":          cAttr.UUID,
-		"cca-realm.alg-id":      algID,
-		"cca-realm.measurement": digest,
+		"cca-realm.vendor":            cAttr.Vendor,
+		"cca-realm.model":             cAttr.Model,
+		"cca-realm.id":                cAttr.UUID,
+		"cca-realm.alg-id":            algID,
+		"cca-realm.measurement-array": measurements,
 	}
 	data, err := json.Marshal(attrs)
 	if err != nil {

diff --git a/scheme/cca-realm/endorsement_handler_test.go b/scheme/cca-realm/endorsement_handler_test.go
@@ -3,9 +3,11 @@
 package cca_realm
 
 import (
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestDecoder_GetAttestationScheme(t *testing.T) {
@@ -63,3 +65,12 @@ func TestDecoder_Decode_invalid_data(t *testing.T) {
 
 	assert.EqualError(t, err, expectedErr)
 }
+
+func TestDecoder_Decode_CoRIM_ok(t *testing.T) {
+	d := &EndorsementHandler{}
+	endBytes, err := os.ReadFile("test/corim-cca-realm.cbor")
+	require.NoError(t, err)
+
+	_, err = d.Decode(endBytes)
+	require.NoError(t, err)
+}
diff --git a/scheme/cca-realm/evidence_handler.go b/scheme/cca-realm/evidence_handler.go
@@ -6,6 +6,8 @@ package cca_realm
 import (
 	"encoding/json"
 	"fmt"
+	"net/url"
+	"strings"
 
 	"github.com/veraison/ccatoken"
 	"github.com/veraison/ear"
@@ -19,6 +21,14 @@ import (
 
 type EvidenceHandler struct{}
 
+type RealmAttr struct {
+	Vendor           string   `json:"cca-realm.vendor"`
+	Model            string   `json:"cca-realm.model"`
+	RealmID          string   `json:"cca-realm.id"`
+	AlgID            string   `json:"cca-realm.alg-id"`
+	MeasurementArray [][]byte `json:"cca-realm.measurement-array"`
+}
+
 func (s EvidenceHandler) GetName() string {
 	return "cca-realm-evidence-handler"
 }
@@ -35,8 +45,30 @@ func (s EvidenceHandler) SynthKeysFromRefValue(
 	tenantID string,
 	refVal *handler.Endorsement,
 ) ([]string, error) {
-	return arm.SynthKeysFromRefValue(SchemeName, tenantID, refVal)
+	var realm RealmAttr
+
+	attr := refVal.Attributes
+	err := json.Unmarshal(attr, &realm)
+	if err != nil {
 
+		return nil, fmt.Errorf("unable to UnMarshal Realm Attributes %w", err)
+	}
+	lookupKey := RefValLookupKey(SchemeName, tenantID, realm.RealmID)
+	log.Debugf("Scheme %s Plugin Reference Value Look Up Key= %s\n", SchemeName, lookupKey)
+
+	return []string{lookupKey}, nil
+}
+
+func RefValLookupKey(schemeName, tenantID, uuID string) string {
+	absPath := []string{uuID}
+
+	u := url.URL{
+		Scheme: schemeName,
+		Host:   tenantID,
+		Path:   strings.Join(absPath, "/"),
+	}
+
+	return u.String()
 }
 
 func (s EvidenceHandler) SynthKeysFromTrustAnchor(tenantID string, ta *handler.Endorsement) ([]string, error) {
@@ -49,6 +81,7 @@ func (s EvidenceHandler) GetTrustAnchorID(token *proto.AttestationToken) (string
 	return "", nil
 }
 
+// TO DO COMPLETE THIS
 func (s EvidenceHandler) ExtractClaims(
 	token *proto.AttestationToken,
 	trustAnchor string,
@@ -74,6 +107,9 @@ func (s EvidenceHandler) ExtractClaims(
 			"could not convert realm claims: %w", err))
 	}
 
+	/* FROM THE REALM CLAIM SET GET THE REALM INITIAL MEASUREMENTS */
+	/* THAT WILL BE THE INPUT TO THE REFERENCE ID */
+
 	extracted.ClaimsSet = map[string]interface{}{
 		"platform": platformClaimsSet,
 		"realm":    realmClaimsSet,
@@ -84,6 +120,7 @@ func (s EvidenceHandler) ExtractClaims(
 		token.TenantId,
 		arm.MustImplIDString(ccaToken.PlatformClaims),
 	)
+
 	log.Debugf("extracted Reference ID Key = %s", extracted.ReferenceID)
 	return &extracted, nil
 }

diff --git a/scheme/cca-realm/test/corim-cca-realm.cbor b/scheme/cca-realm/test/corim-cca-realm.cbor
diff --git a/scheme/cca-realm/test/corim_endorsement.cbor b/scheme/cca-realm/test/corim_endorsement.cbor