confidential-containers · Xynnn007 · Sep 27, 2024 · Sep 27, 2024 · Sep 27, 2024 · Sep 27, 2024
@@ -10,7 +10,7 @@ edition.workspace = true
 default = ["coco-as-builtin", "resource", "opa", "rustls"]
 
 # Feature that allows to access resources from KBS
-resource = ["rsa", "dep:openssl", "reqwest", "aes-gcm", "jsonwebtoken"]
+resource = ["rsa", "reqwest", "aes-gcm", "jsonwebtoken"]
 
 # Support a backend attestation service for KBS
 as = []
@@ -36,17 +36,11 @@ coco-as-grpc = ["coco-as", "mobc", "tonic", "tonic-build", "prost"]
 # Use Intel TA as backend attestation service
 intel-trust-authority-as = ["as", "reqwest", "resource", "az-cvm-vtpm"]
 
-# Use pure rust crypto stack for KBS
-rustls = ["actix-web/rustls", "dep:rustls", "dep:rustls-pemfile"]
-
-# Use openssl crypto stack for KBS
-openssl = ["actix-web/openssl", "dep:openssl"]
-
 # Use aliyun KMS as KBS backend
 aliyun = ["kms/aliyun"]
 
 [dependencies]
-actix-web.workspace = true
+actix-web = { workspace = true, features = ["openssl"] }
 actix-web-httpauth.workspace = true
 aes-gcm = { version = "0.10.1", optional = true }
 anyhow.workspace = true
@@ -69,8 +63,6 @@ rand = "0.8.5"
 regorus.workspace = true
 reqwest = { workspace = true, features = ["json"], optional = true }
 rsa = { version = "0.9.2", optional = true, features = ["sha2"] }
-rustls = { version = "0.20.8", optional = true }
-rustls-pemfile = { version = "1.0.4", optional = true }
 scc = "2"
 semver = "1.0.16"
 serde = { workspace = true, features = ["derive"] }
@@ -81,7 +73,7 @@ time = { version = "0.3.23", features = ["std"] }
 tokio.workspace = true
 tonic = { workspace = true, optional = true }
 uuid = { version = "1.2.2", features = ["serde", "v4"] }
-openssl = { version = "0.10.46", optional = true }
+openssl = "0.10.55"
 az-cvm-vtpm = { version = "0.7.0", default-features = false, optional = true }
 
 [dev-dependencies]

@@ -4,8 +4,7 @@
 
 use crate::attestation::backend::{generic_generate_challenge, make_nonce};
 use crate::token::{
-    jwk::JwkAttestationTokenVerifier, AttestationTokenVerifier, AttestationTokenVerifierConfig,
-    AttestationTokenVerifierType,
+    jwk::JwkAttestationTokenVerifier, AttestationTokenVerifierConfig, AttestationTokenVerifierType,
 };
 use anyhow::*;
 use async_trait::async_trait;
@@ -15,8 +14,7 @@ use kbs_types::Challenge;
 use kbs_types::{Attestation, Tee};
 use reqwest::header::{ACCEPT, CONTENT_TYPE};
 use serde::{Deserialize, Serialize};
-use serde_json::from_value;
-use serde_json::json;
+use serde_json::{from_value, json};
 use strum::{AsRefStr, Display, EnumString};
 
 use super::backend::Attest;
@@ -182,7 +180,7 @@ impl Attest for IntelTrustAuthority {
             .await
             .context("Failed to verify attestation token")?;
 
-        let claims = serde_json::from_str::<Claims>(&token)
+        let claims = serde_json::from_value::<Claims>(token)
             .context("Failed to deserialize attestation token claims")?;
 
         // check unmatched policy
@@ -279,8 +277,10 @@ impl Attest for IntelTrustAuthority {
 impl IntelTrustAuthority {
     pub async fn new(config: IntelTrustAuthorityConfig) -> Result<Self> {
         let token_verifier = JwkAttestationTokenVerifier::new(&AttestationTokenVerifierConfig {
-            attestation_token_type: AttestationTokenVerifierType::Jwk,
-            trusted_certs_paths: vec![config.certs_file.clone()],
+            r#type: AttestationTokenVerifierType::Ita,
+            trusted_certs_paths: vec![],
+            trusted_jwk_sets: vec![config.certs_file.clone()],
+            insecure_key: true,
         })
         .await
         .context("Failed to initialize token verifier")?;

@@ -0,0 +1,30 @@
+// Copyright (c) 2024 by Alibaba.
+// Licensed under the Apache License, Version 2.0, see LICENSE for details.
+// SPDX-License-Identifier: Apache-2.0
+
+use log::error;
+use strum::AsRefStr;
+use thiserror::Error;
+
+pub type Result<T> = std::result::Result<T, Error>;
+
+#[derive(Error, AsRefStr, Debug)]
+pub enum Error {
+    #[error("Failed to verify Attestation Token")]
+    TokenVerificationFailed {
+        #[source]
+        source: anyhow::Error,
+    },
+
+    #[error("Failed to initialize Token Verifier")]
+    TokenVerifierInitialization {
+        #[source]
+        source: anyhow::Error,
+    },
+
+    #[error("Tee public key is not found inside the claims of token")]
+    NoTeePubKeyClaimFound,
+
+    #[error("Failed to parse Tee public key")]
+    TeePubKeyParseFailed,
+}