From f0f109a1ea559d59d0b85f621cbc9d58f852dbed Mon Sep 17 00:00:00 2001 From: Thomas Tendyck Date: Tue, 17 Jan 2023 15:28:07 +0100 Subject: [PATCH] verify: use fixed user data --- cli/internal/cmd/verify.go | 12 ++---- cli/internal/cmd/verify_test.go | 24 ++++------- hack/pcr-reader/main.go | 2 +- internal/constants/constants.go | 2 + verify/server/server.go | 21 ++-------- verify/server/server_test.go | 73 +++++---------------------------- verify/verifyproto/verify.pb.go | 45 ++++++++------------ verify/verifyproto/verify.proto | 2 +- 8 files changed, 47 insertions(+), 134 deletions(-) diff --git a/cli/internal/cmd/verify.go b/cli/internal/cmd/verify.go index 5ca98d328..3747fb97e 100644 --- a/cli/internal/cmd/verify.go +++ b/cli/internal/cmd/verify.go @@ -97,18 +97,12 @@ func (v *verifyCmd) verify(cmd *cobra.Command, fileHandler file.Handler, verifyC return err } v.log.Debugf("Generated random nonce: %x", nonce) - userData, err := crypto.GenerateRandomBytes(32) - if err != nil { - return err - } - v.log.Debugf("Generated random user data: %x", userData) if err := verifyClient.Verify( cmd.Context(), flags.endpoint, &verifyproto.GetAttestationRequest{ - Nonce: nonce, - UserData: userData, + Nonce: nonce, }, validators.V(cmd), ); err != nil { @@ -231,8 +225,8 @@ func (v *constellationVerifier) Verify( return fmt.Errorf("validating attestation: %w", err) } - if !bytes.Equal(signedData, req.UserData) { - return errors.New("signed data in attestation does not match provided user data") + if !bytes.Equal(signedData, []byte(constants.ConstellationVerifyServiceUserData)) { + return errors.New("signed data in attestation does not match expected user data") } return nil } diff --git a/cli/internal/cmd/verify_test.go b/cli/internal/cmd/verify_test.go index 76854a194..dcd58b60a 100644 --- a/cli/internal/cmd/verify_test.go +++ b/cli/internal/cmd/verify_test.go @@ -181,25 +181,22 @@ func TestVerify(t *testing.T) { func TestVerifyClient(t *testing.T) { testCases := map[string]struct { attestationDoc atls.FakeAttestationDoc - userData []byte nonce []byte attestationErr error wantErr bool }{ "success": { attestationDoc: atls.FakeAttestationDoc{ - UserData: []byte("user data"), + UserData: []byte(constants.ConstellationVerifyServiceUserData), Nonce: []byte("nonce"), }, - userData: []byte("user data"), - nonce: []byte("nonce"), + nonce: []byte("nonce"), }, "attestation error": { attestationDoc: atls.FakeAttestationDoc{ - UserData: []byte("user data"), + UserData: []byte(constants.ConstellationVerifyServiceUserData), Nonce: []byte("nonce"), }, - userData: []byte("user data"), nonce: []byte("nonce"), attestationErr: errors.New("error"), wantErr: true, @@ -209,18 +206,16 @@ func TestVerifyClient(t *testing.T) { UserData: []byte("wrong user data"), Nonce: []byte("nonce"), }, - userData: []byte("user data"), - nonce: []byte("nonce"), - wantErr: true, + nonce: []byte("nonce"), + wantErr: true, }, "nonce does not match": { attestationDoc: atls.FakeAttestationDoc{ - UserData: []byte("user data"), + UserData: []byte(constants.ConstellationVerifyServiceUserData), Nonce: []byte("wrong nonce"), }, - userData: []byte("user data"), - nonce: []byte("nonce"), - wantErr: true, + nonce: []byte("nonce"), + wantErr: true, }, } @@ -248,8 +243,7 @@ func TestVerifyClient(t *testing.T) { verifier := &constellationVerifier{dialer: dialer, log: logger.NewTest(t)} request := &verifyproto.GetAttestationRequest{ - UserData: tc.userData, - Nonce: tc.nonce, + Nonce: tc.nonce, } err = verifier.Verify(context.Background(), addr, request, atls.NewFakeValidator(oid.Dummy{})) diff --git a/hack/pcr-reader/main.go b/hack/pcr-reader/main.go index f74e9a063..135f94f8b 100644 --- a/hack/pcr-reader/main.go +++ b/hack/pcr-reader/main.go @@ -104,7 +104,7 @@ func getAttestation(ctx context.Context, addr string) ([]byte, error) { } client := verifyproto.NewAPIClient(conn) - res, err := client.GetAttestation(ctx, &verifyproto.GetAttestationRequest{Nonce: nonce, UserData: nonce}) + res, err := client.GetAttestation(ctx, &verifyproto.GetAttestationRequest{Nonce: nonce}) if err != nil { return nil, err } diff --git a/internal/constants/constants.go b/internal/constants/constants.go index 67889ebf3..04edc1e81 100644 --- a/internal/constants/constants.go +++ b/internal/constants/constants.go @@ -27,6 +27,8 @@ const ( ConstellationMasterSecretKey = "mastersecret" // ConstellationSaltKey is the name of the key for the salt in the master secret kubernetes secret. ConstellationSaltKey = "salt" + // ConstellationVerifyServiceUserData is the user data that the verification service includes in the attestation. + ConstellationVerifyServiceUserData = "VerifyService" // // Ports. diff --git a/verify/server/server.go b/verify/server/server.go index 0842be892..e1c23d9fe 100644 --- a/verify/server/server.go +++ b/verify/server/server.go @@ -16,6 +16,7 @@ import ( "sync" "time" + "github.com/edgelesssys/constellation/v2/internal/constants" "github.com/edgelesssys/constellation/v2/internal/logger" "github.com/edgelesssys/constellation/v2/verify/verifyproto" "go.uber.org/zap" @@ -107,13 +108,9 @@ func (s *Server) GetAttestation(ctx context.Context, req *verifyproto.GetAttesta log.Errorf("Received attestation request with empty nonce") return nil, status.Error(codes.InvalidArgument, "nonce is required to issue attestation") } - if len(req.UserData) == 0 { - log.Errorf("Received attestation request with empty user data") - return nil, status.Error(codes.InvalidArgument, "user data is required to issue attestation") - } log.Infof("Creating attestation") - statement, err := s.issuer.Issue(req.UserData, req.Nonce) + statement, err := s.issuer.Issue([]byte(constants.ConstellationVerifyServiceUserData), req.Nonce) if err != nil { return nil, status.Errorf(codes.Internal, "issuing attestation statement: %v", err) } @@ -132,12 +129,6 @@ func (s *Server) getAttestationHTTP(w http.ResponseWriter, r *http.Request) { http.Error(w, "nonce parameter is required exactly once", http.StatusBadRequest) return } - userDataB64 := r.URL.Query()["userData"] - if len(userDataB64) != 1 || userDataB64[0] == "" { - log.Errorf("Received attestation request with empty or multiple user data parameter") - http.Error(w, "userData parameter is required exactly once", http.StatusBadRequest) - return - } nonce, err := base64.URLEncoding.DecodeString(nonceB64[0]) if err != nil { @@ -145,15 +136,9 @@ func (s *Server) getAttestationHTTP(w http.ResponseWriter, r *http.Request) { http.Error(w, fmt.Sprintf("invalid base64 encoding for nonce: %v", err), http.StatusBadRequest) return } - userData, err := base64.URLEncoding.DecodeString(userDataB64[0]) - if err != nil { - log.With(zap.Error(err)).Errorf("Received attestation request with invalid user data") - http.Error(w, fmt.Sprintf("invalid base64 encoding for userData: %v", err), http.StatusBadRequest) - return - } log.Infof("Creating attestation") - quote, err := s.issuer.Issue(userData, nonce) + quote, err := s.issuer.Issue([]byte(constants.ConstellationVerifyServiceUserData), nonce) if err != nil { http.Error(w, fmt.Sprintf("issuing attestation statement: %v", err), http.StatusInternalServerError) return diff --git a/verify/server/server_test.go b/verify/server/server_test.go index e0fdde2ed..7e7d662ed 100644 --- a/verify/server/server_test.go +++ b/verify/server/server_test.go @@ -11,7 +11,6 @@ import ( "encoding/base64" "encoding/json" "errors" - "fmt" "io" "net" "net/http" @@ -83,30 +82,19 @@ func TestGetAttestationGRPC(t *testing.T) { "success": { issuer: stubIssuer{attestation: []byte("quote")}, request: &verifyproto.GetAttestationRequest{ - Nonce: []byte("nonce"), - UserData: []byte("userData"), + Nonce: []byte("nonce"), }, }, "issuer fails": { issuer: stubIssuer{issueErr: errors.New("issuer error")}, request: &verifyproto.GetAttestationRequest{ - Nonce: []byte("nonce"), - UserData: []byte("userData"), + Nonce: []byte("nonce"), }, wantErr: true, }, "no nonce": { - issuer: stubIssuer{attestation: []byte("quote")}, - request: &verifyproto.GetAttestationRequest{ - UserData: []byte("userData"), - }, - wantErr: true, - }, - "no userData": { - issuer: stubIssuer{attestation: []byte("quote")}, - request: &verifyproto.GetAttestationRequest{ - Nonce: []byte("nonce"), - }, + issuer: stubIssuer{attestation: []byte("quote")}, + request: &verifyproto.GetAttestationRequest{}, wantErr: true, }, } @@ -138,67 +126,26 @@ func TestGetAttestationHTTP(t *testing.T) { wantErr bool }{ "success": { - request: fmt.Sprintf( - "?nonce=%s&userData=%s", - base64.URLEncoding.EncodeToString([]byte("nonce")), - base64.URLEncoding.EncodeToString([]byte("userData")), - ), - issuer: stubIssuer{attestation: []byte("quote")}, + request: "?nonce=" + base64.URLEncoding.EncodeToString([]byte("nonce")), + issuer: stubIssuer{attestation: []byte("quote")}, }, "invalid nonce in query": { - request: fmt.Sprintf( - "?nonce=not-base-64&userData=%s", - base64.URLEncoding.EncodeToString([]byte("userData")), - ), + request: "?nonce=not-base-64", issuer: stubIssuer{attestation: []byte("quote")}, wantErr: true, }, "no nonce in query": { - request: fmt.Sprintf( - "?userData=%s", - base64.URLEncoding.EncodeToString([]byte("userData")), - ), + request: "?foo=bar", issuer: stubIssuer{attestation: []byte("quote")}, wantErr: true, }, "empty nonce in query": { - request: fmt.Sprintf( - "?nonce=&userData=%s", - base64.URLEncoding.EncodeToString([]byte("userData")), - ), - issuer: stubIssuer{attestation: []byte("quote")}, - wantErr: true, - }, - "invalid userData in query": { - request: fmt.Sprintf( - "?nonce=%s&userData=not-base-64", - base64.URLEncoding.EncodeToString([]byte("nonce")), - ), - issuer: stubIssuer{attestation: []byte("quote")}, - wantErr: true, - }, - "no userData in query": { - request: fmt.Sprintf( - "?nonce=%s", - base64.URLEncoding.EncodeToString([]byte("nonce")), - ), - issuer: stubIssuer{attestation: []byte("quote")}, - wantErr: true, - }, - "empty userData in query": { - request: fmt.Sprintf( - "?nonce=%s&userData=", - base64.URLEncoding.EncodeToString([]byte("nonce")), - ), + request: "?nonce=", issuer: stubIssuer{attestation: []byte("quote")}, wantErr: true, }, "issuer fails": { - request: fmt.Sprintf( - "?nonce=%s&userData=%s", - base64.URLEncoding.EncodeToString([]byte("nonce")), - base64.URLEncoding.EncodeToString([]byte("userData")), - ), + request: "?nonce=" + base64.URLEncoding.EncodeToString([]byte("nonce")), issuer: stubIssuer{issueErr: errors.New("errors")}, wantErr: true, }, diff --git a/verify/verifyproto/verify.pb.go b/verify/verifyproto/verify.pb.go index e2d9e7d81..85e1747f9 100644 --- a/verify/verifyproto/verify.pb.go +++ b/verify/verifyproto/verify.pb.go @@ -25,8 +25,8 @@ type GetAttestationRequest struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - UserData []byte `protobuf:"bytes,1,opt,name=user_data,json=userData,proto3" json:"user_data,omitempty"` - Nonce []byte `protobuf:"bytes,2,opt,name=nonce,proto3" json:"nonce,omitempty"` + // bytes user_data = 1; removed + Nonce []byte `protobuf:"bytes,2,opt,name=nonce,proto3" json:"nonce,omitempty"` } func (x *GetAttestationRequest) Reset() { @@ -61,13 +61,6 @@ func (*GetAttestationRequest) Descriptor() ([]byte, []int) { return file_verify_proto_rawDescGZIP(), []int{0} } -func (x *GetAttestationRequest) GetUserData() []byte { - if x != nil { - return x.UserData - } - return nil -} - func (x *GetAttestationRequest) GetNonce() []byte { if x != nil { return x.Nonce @@ -126,25 +119,23 @@ var File_verify_proto protoreflect.FileDescriptor var file_verify_proto_rawDesc = []byte{ 0x0a, 0x0c, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06, - 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x22, 0x4a, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, + 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x22, 0x2d, 0x0a, 0x15, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, - 0x1b, 0x0a, 0x09, 0x75, 0x73, 0x65, 0x72, 0x5f, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0c, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x44, 0x61, 0x74, 0x61, 0x12, 0x14, 0x0a, 0x05, - 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, 0x6e, 0x6f, 0x6e, - 0x63, 0x65, 0x22, 0x3a, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x20, 0x0a, 0x0b, - 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x0c, 0x52, 0x0b, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x32, 0x56, - 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x4f, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, - 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1d, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, - 0x2e, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, - 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1e, 0x2e, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x2e, - 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, - 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3c, 0x5a, 0x3a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, 0x73, 0x79, 0x73, - 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, - 0x32, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x14, 0x0a, 0x05, 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x05, + 0x6e, 0x6f, 0x6e, 0x63, 0x65, 0x22, 0x3a, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, + 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, + 0x20, 0x0a, 0x0b, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0b, 0x61, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x32, 0x56, 0x0a, 0x03, 0x41, 0x50, 0x49, 0x12, 0x4f, 0x0a, 0x0e, 0x47, 0x65, 0x74, 0x41, + 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1d, 0x2e, 0x76, 0x65, 0x72, + 0x69, 0x66, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, + 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1e, 0x2e, 0x76, 0x65, 0x72, 0x69, + 0x66, 0x79, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x74, 0x74, 0x65, 0x73, 0x74, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x3c, 0x5a, 0x3a, 0x67, 0x69, 0x74, + 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x65, 0x64, 0x67, 0x65, 0x6c, 0x65, 0x73, 0x73, + 0x73, 0x79, 0x73, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x74, 0x65, 0x6c, 0x6c, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x2f, 0x76, 0x32, 0x2f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x2f, 0x76, 0x65, 0x72, 0x69, + 0x66, 0x79, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/verify/verifyproto/verify.proto b/verify/verifyproto/verify.proto index 95ec79128..794f3809d 100644 --- a/verify/verifyproto/verify.proto +++ b/verify/verifyproto/verify.proto @@ -9,7 +9,7 @@ service API { } message GetAttestationRequest { - bytes user_data = 1; + // bytes user_data = 1; removed bytes nonce = 2; }