mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-01-26 07:16:08 -05:00
verify: use fixed user data
This commit is contained in:
Thomas Tendyck
Thomas Tendyck
parent
85f33b2140
commit
f0f109a1ea
@ -97,18 +97,12 @@ func (v *verifyCmd) verify(cmd *cobra.Command, fileHandler file.Handler, verifyC
|
||||
return err
|
||||
}
|
||||
v.log.Debugf("Generated random nonce: %x", nonce)
|
||||
userData, err := crypto.GenerateRandomBytes(32)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
v.log.Debugf("Generated random user data: %x", userData)
|
||||
|
||||
if err := verifyClient.Verify(
|
||||
cmd.Context(),
|
||||
flags.endpoint,
|
||||
&verifyproto.GetAttestationRequest{
|
||||
Nonce: nonce,
|
||||
UserData: userData,
|
||||
Nonce: nonce,
|
||||
},
|
||||
validators.V(cmd),
|
||||
); err != nil {
|
||||
@ -231,8 +225,8 @@ func (v *constellationVerifier) Verify(
|
||||
return fmt.Errorf("validating attestation: %w", err)
|
||||
}
|
||||
|
||||
if !bytes.Equal(signedData, req.UserData) {
|
||||
return errors.New("signed data in attestation does not match provided user data")
|
||||
if !bytes.Equal(signedData, []byte(constants.ConstellationVerifyServiceUserData)) {
|
||||
return errors.New("signed data in attestation does not match expected user data")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -181,25 +181,22 @@ func TestVerify(t *testing.T) {
|
||||
func TestVerifyClient(t *testing.T) {
|
||||
testCases := map[string]struct {
|
||||
attestationDoc atls.FakeAttestationDoc
|
||||
userData []byte
|
||||
nonce []byte
|
||||
attestationErr error
|
||||
wantErr bool
|
||||
}{
|
||||
"success": {
|
||||
attestationDoc: atls.FakeAttestationDoc{
|
||||
UserData: []byte("user data"),
|
||||
UserData: []byte(constants.ConstellationVerifyServiceUserData),
|
||||
Nonce: []byte("nonce"),
|
||||
},
|
||||
userData: []byte("user data"),
|
||||
nonce: []byte("nonce"),
|
||||
nonce: []byte("nonce"),
|
||||
},
|
||||
"attestation error": {
|
||||
attestationDoc: atls.FakeAttestationDoc{
|
||||
UserData: []byte("user data"),
|
||||
UserData: []byte(constants.ConstellationVerifyServiceUserData),
|
||||
Nonce: []byte("nonce"),
|
||||
},
|
||||
userData: []byte("user data"),
|
||||
nonce: []byte("nonce"),
|
||||
attestationErr: errors.New("error"),
|
||||
wantErr: true,
|
||||
@ -209,18 +206,16 @@ func TestVerifyClient(t *testing.T) {
|
||||
UserData: []byte("wrong user data"),
|
||||
Nonce: []byte("nonce"),
|
||||
},
|
||||
userData: []byte("user data"),
|
||||
nonce: []byte("nonce"),
|
||||
wantErr: true,
|
||||
nonce: []byte("nonce"),
|
||||
wantErr: true,
|
||||
},
|
||||
"nonce does not match": {
|
||||
attestationDoc: atls.FakeAttestationDoc{
|
||||
UserData: []byte("user data"),
|
||||
UserData: []byte(constants.ConstellationVerifyServiceUserData),
|
||||
Nonce: []byte("wrong nonce"),
|
||||
},
|
||||
userData: []byte("user data"),
|
||||
nonce: []byte("nonce"),
|
||||
wantErr: true,
|
||||
nonce: []byte("nonce"),
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
|
||||
@ -248,8 +243,7 @@ func TestVerifyClient(t *testing.T) {
|
||||
|
||||
verifier := &constellationVerifier{dialer: dialer, log: logger.NewTest(t)}
|
||||
request := &verifyproto.GetAttestationRequest{
|
||||
UserData: tc.userData,
|
||||
Nonce: tc.nonce,
|
||||
Nonce: tc.nonce,
|
||||
}
|
||||
|
||||
err = verifier.Verify(context.Background(), addr, request, atls.NewFakeValidator(oid.Dummy{}))
|
||||
|
||||
@ -104,7 +104,7 @@ func getAttestation(ctx context.Context, addr string) ([]byte, error) {
|
||||
}
|
||||
|
||||
client := verifyproto.NewAPIClient(conn)
|
||||
res, err := client.GetAttestation(ctx, &verifyproto.GetAttestationRequest{Nonce: nonce, UserData: nonce})
|
||||
res, err := client.GetAttestation(ctx, &verifyproto.GetAttestationRequest{Nonce: nonce})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
@ -27,6 +27,8 @@ const (
|
||||
ConstellationMasterSecretKey = "mastersecret"
|
||||
// ConstellationSaltKey is the name of the key for the salt in the master secret kubernetes secret.
|
||||
ConstellationSaltKey = "salt"
|
||||
// ConstellationVerifyServiceUserData is the user data that the verification service includes in the attestation.
|
||||
ConstellationVerifyServiceUserData = "VerifyService"
|
||||
|
||||
//
|
||||
// Ports.
|
||||
|
||||
@ -16,6 +16,7 @@ import (
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/edgelesssys/constellation/v2/internal/constants"
|
||||
"github.com/edgelesssys/constellation/v2/internal/logger"
|
||||
"github.com/edgelesssys/constellation/v2/verify/verifyproto"
|
||||
"go.uber.org/zap"
|
||||
@ -107,13 +108,9 @@ func (s *Server) GetAttestation(ctx context.Context, req *verifyproto.GetAttesta
|
||||
log.Errorf("Received attestation request with empty nonce")
|
||||
return nil, status.Error(codes.InvalidArgument, "nonce is required to issue attestation")
|
||||
}
|
||||
if len(req.UserData) == 0 {
|
||||
log.Errorf("Received attestation request with empty user data")
|
||||
return nil, status.Error(codes.InvalidArgument, "user data is required to issue attestation")
|
||||
}
|
||||
|
||||
log.Infof("Creating attestation")
|
||||
statement, err := s.issuer.Issue(req.UserData, req.Nonce)
|
||||
statement, err := s.issuer.Issue([]byte(constants.ConstellationVerifyServiceUserData), req.Nonce)
|
||||
if err != nil {
|
||||
return nil, status.Errorf(codes.Internal, "issuing attestation statement: %v", err)
|
||||
}
|
||||
@ -132,12 +129,6 @@ func (s *Server) getAttestationHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
http.Error(w, "nonce parameter is required exactly once", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
userDataB64 := r.URL.Query()["userData"]
|
||||
if len(userDataB64) != 1 || userDataB64[0] == "" {
|
||||
log.Errorf("Received attestation request with empty or multiple user data parameter")
|
||||
http.Error(w, "userData parameter is required exactly once", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
nonce, err := base64.URLEncoding.DecodeString(nonceB64[0])
|
||||
if err != nil {
|
||||
@ -145,15 +136,9 @@ func (s *Server) getAttestationHTTP(w http.ResponseWriter, r *http.Request) {
|
||||
http.Error(w, fmt.Sprintf("invalid base64 encoding for nonce: %v", err), http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
userData, err := base64.URLEncoding.DecodeString(userDataB64[0])
|
||||
if err != nil {
|
||||
log.With(zap.Error(err)).Errorf("Received attestation request with invalid user data")
|
||||
http.Error(w, fmt.Sprintf("invalid base64 encoding for userData: %v", err), http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
log.Infof("Creating attestation")
|
||||
quote, err := s.issuer.Issue(userData, nonce)
|
||||
quote, err := s.issuer.Issue([]byte(constants.ConstellationVerifyServiceUserData), nonce)
|
||||
if err != nil {
|
||||
http.Error(w, fmt.Sprintf("issuing attestation statement: %v", err), http.StatusInternalServerError)
|
||||
return
|
||||
|
||||
@ -11,7 +11,6 @@ import (
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"net/http"
|
||||
@ -83,30 +82,19 @@ func TestGetAttestationGRPC(t *testing.T) {
|
||||
"success": {
|
||||
issuer: stubIssuer{attestation: []byte("quote")},
|
||||
request: &verifyproto.GetAttestationRequest{
|
||||
Nonce: []byte("nonce"),
|
||||
UserData: []byte("userData"),
|
||||
Nonce: []byte("nonce"),
|
||||
},
|
||||
},
|
||||
"issuer fails": {
|
||||
issuer: stubIssuer{issueErr: errors.New("issuer error")},
|
||||
request: &verifyproto.GetAttestationRequest{
|
||||
Nonce: []byte("nonce"),
|
||||
UserData: []byte("userData"),
|
||||
Nonce: []byte("nonce"),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
"no nonce": {
|
||||
issuer: stubIssuer{attestation: []byte("quote")},
|
||||
request: &verifyproto.GetAttestationRequest{
|
||||
UserData: []byte("userData"),
|
||||
},
|
||||
wantErr: true,
|
||||
},
|
||||
"no userData": {
|
||||
issuer: stubIssuer{attestation: []byte("quote")},
|
||||
request: &verifyproto.GetAttestationRequest{
|
||||
Nonce: []byte("nonce"),
|
||||
},
|
||||
issuer: stubIssuer{attestation: []byte("quote")},
|
||||
request: &verifyproto.GetAttestationRequest{},
|
||||
wantErr: true,
|
||||
},
|
||||
}
|
||||
@ -138,67 +126,26 @@ func TestGetAttestationHTTP(t *testing.T) {
|
||||
wantErr bool
|
||||
}{
|
||||
"success": {
|
||||
request: fmt.Sprintf(
|
||||
"?nonce=%s&userData=%s",
|
||||
base64.URLEncoding.EncodeToString([]byte("nonce")),
|
||||
base64.URLEncoding.EncodeToString([]byte("userData")),
|
||||
),
|
||||
issuer: stubIssuer{attestation: []byte("quote")},
|
||||
request: "?nonce=" + base64.URLEncoding.EncodeToString([]byte("nonce")),
|
||||
issuer: stubIssuer{attestation: []byte("quote")},
|
||||
},
|
||||
"invalid nonce in query": {
|
||||
request: fmt.Sprintf(
|
||||
"?nonce=not-base-64&userData=%s",
|
||||
base64.URLEncoding.EncodeToString([]byte("userData")),
|
||||
),
|
||||
request: "?nonce=not-base-64",
|
||||
issuer: stubIssuer{attestation: []byte("quote")},
|
||||
wantErr: true,
|
||||
},
|
||||
"no nonce in query": {
|
||||
request: fmt.Sprintf(
|
||||
"?userData=%s",
|
||||
base64.URLEncoding.EncodeToString([]byte("userData")),
|
||||
),
|
||||
request: "?foo=bar",
|
||||
issuer: stubIssuer{attestation: []byte("quote")},
|
||||
wantErr: true,
|
||||
},
|
||||
"empty nonce in query": {
|
||||
request: fmt.Sprintf(
|
||||
"?nonce=&userData=%s",
|
||||
base64.URLEncoding.EncodeToString([]byte("userData")),
|
||||
),
|
||||
issuer: stubIssuer{attestation: []byte("quote")},
|
||||
wantErr: true,
|
||||
},
|
||||
"invalid userData in query": {
|
||||
request: fmt.Sprintf(
|
||||
"?nonce=%s&userData=not-base-64",
|
||||
base64.URLEncoding.EncodeToString([]byte("nonce")),
|
||||
),
|
||||
issuer: stubIssuer{attestation: []byte("quote")},
|
||||
wantErr: true,
|
||||
},
|
||||
"no userData in query": {
|
||||
request: fmt.Sprintf(
|
||||
"?nonce=%s",
|
||||
base64.URLEncoding.EncodeToString([]byte("nonce")),
|
||||
),
|
||||
issuer: stubIssuer{attestation: []byte("quote")},
|
||||
wantErr: true,
|
||||
},
|
||||
"empty userData in query": {
|
||||
request: fmt.Sprintf(
|
||||
"?nonce=%s&userData=",
|
||||
base64.URLEncoding.EncodeToString([]byte("nonce")),
|
||||
),
|
||||
request: "?nonce=",
|
||||
issuer: stubIssuer{attestation: []byte("quote")},
|
||||
wantErr: true,
|
||||
},
|
||||
"issuer fails": {
|
||||
request: fmt.Sprintf(
|
||||
"?nonce=%s&userData=%s",
|
||||
base64.URLEncoding.EncodeToString([]byte("nonce")),
|
||||
base64.URLEncoding.EncodeToString([]byte("userData")),
|
||||
),
|
||||
request: "?nonce=" + base64.URLEncoding.EncodeToString([]byte("nonce")),
|
||||
issuer: stubIssuer{issueErr: errors.New("errors")},
|
||||
wantErr: true,
|
||||
},
|
||||
|
||||
@ -25,8 +25,8 @@ type GetAttestationRequest struct {
|
||||
sizeCache protoimpl.SizeCache
|
||||
unknownFields protoimpl.UnknownFields
|
||||
|
||||
UserData []byte `protobuf:"bytes,1,opt,name=user_data,json=userData,proto3" json:"user_data,omitempty"`
|
||||
Nonce []byte `protobuf:"bytes,2,opt,name=nonce,proto3" json:"nonce,omitempty"`
|
||||
// bytes user_data = 1; removed
|
||||
Nonce []byte `protobuf:"bytes,2,opt,name=nonce,proto3" json:"nonce,omitempty"`
|
||||
}
|
||||
|
||||
func (x *GetAttestationRequest) Reset() {
|
||||
@ -61,13 +61,6 @@ func (*GetAttestationRequest) Descriptor() ([]byte, []int) {
|
||||
return file_verify_proto_rawDescGZIP(), []int{0}
|
||||
}
|
||||
|
||||
func (x *GetAttestationRequest) GetUserData() []byte {
|
||||
if x != nil {
|
||||
return x.UserData
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (x *GetAttestationRequest) GetNonce() []byte {
|
||||
if x != nil {
|
||||
return x.Nonce
|
||||
@ -126,25 +119,23 @@ var File_verify_proto protoreflect.FileDescriptor
|
||||
|
||||
var file_verify_proto_rawDesc = []byte{
|
||||
0x0a, 0x0c, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06,
|
||||
0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x22, 0x4a, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74,
|
||||
0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x22, 0x2d, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74,
|
||||
0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
|
||||
0x1b, 0x0a, 0x09, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01,
|
||||
0x28, 0x0c, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x44, 0x61, 0x74, 0x61, 0x12, 0x14, 0x0a, 0x05,
|
||||
0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x6e, 0x6f, 0x6e,
|
||||
0x63, 0x65, 0x22, 0x3a, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61,
|
||||
0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x20, 0x0a, 0x0b,
|
||||
0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28,
|
||||
0x0c, 0x52, 0x0b, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x32, 0x56,
|
||||
0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x4f, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65,
|
||||
0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1d, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79,
|
||||
0x2e, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52,
|
||||
0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1e, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x2e,
|
||||
0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65,
|
||||
0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3c, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
|
||||
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73,
|
||||
0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76,
|
||||
0x32, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x70,
|
||||
0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||
0x14, 0x0a, 0x05, 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05,
|
||||
0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65,
|
||||
0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12,
|
||||
0x20, 0x0a, 0x0b, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01,
|
||||
0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f,
|
||||
0x6e, 0x32, 0x56, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x4f, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x41,
|
||||
0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1d, 0x2e, 0x76, 0x65, 0x72,
|
||||
0x69, 0x66, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69,
|
||||
0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1e, 0x2e, 0x76, 0x65, 0x72, 0x69,
|
||||
0x66, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f,
|
||||
0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3c, 0x5a, 0x3a, 0x67, 0x69, 0x74,
|
||||
0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73,
|
||||
0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f,
|
||||
0x6e, 0x2f, 0x76, 0x32, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x2f, 0x76, 0x65, 0x72, 0x69,
|
||||
0x66, 0x79, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
|
||||
}
|
||||
|
||||
var (
|
||||
|
||||
@ -9,7 +9,7 @@ service API {
|
||||
}
|
||||
|
||||
message GetAttestationRequest {
|
||||
bytes user_data = 1;
|
||||
// bytes user_data = 1; removed
|
||||
bytes nonce = 2;
|
||||
}
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user