setter/getter interfaces for key attestation (#33)

* setter/getter interfaces for key attestation

Fix #30

Signed-off-by: Thomas Fossati <[email protected]>

* better document the types returned by GetKeyAttestation

Signed-off-by: Thomas Fossati <[email protected]>

---------

Signed-off-by: Thomas Fossati <[email protected]>

ear_appraisal.go

@@ -3,7 +3,15 @@
 
 package ear
 
-import "errors"
+import (
+ "crypto/ecdsa"
+ "crypto/ed25519"
+ "crypto/rsa"
+ "crypto/x509"
+ "encoding/base64"
+ "errors"
+ "fmt"
+)
 
 // Appraisal represents the result of an evidence appraisal
 // by the verifier. It wraps the AR4SI trustworthiness vector together with
@@ -26,6 +34,63 @@ type AppraisalExtensions struct {
  VeraisonKeyAttestation *map[string]interface{} `json:"ear.veraison.key-attestation,omitempty"`
 }
 
+// SetKeyAttestation sets the value of `akpub` in the
+// "ear.veraison.key-attestation" claim.
+// The following key types are currently supported: *rsa.PublicKey,
+// *ecdsa.PublicKey, ed25519.PublicKey (not a pointer).
+// Unsupported key types result in an error.
+func (o *AppraisalExtensions) SetKeyAttestation(pub any) error {
+ switch v := pub.(type) {
+ case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey:
+ default:
+ return fmt.Errorf("unsupported type for public key: %T", v)
+ }
+
+ k, err := x509.MarshalPKIXPublicKey(pub)
+ if err != nil {
+ return fmt.Errorf("unable to marshal public key: %w", err)
+ }
+
+ akpub := base64.RawURLEncoding.EncodeToString(k)
+
+ o.VeraisonKeyAttestation = &map[string]interface{}{
+ "akpub": akpub,
+ }
+
+ return nil
+}
+
+// GetKeyAttestation returns the decoded public key carried in the
+// "ear.veraison.key-attestation" claim.
+// The returned key type is one supported by x509.ParsePKIXPublicKey.
+func (o AppraisalExtensions) GetKeyAttestation() (any, error) {
+ if o.VeraisonKeyAttestation == nil {
+ return nil, errors.New(`"ear.veraison.key-attestation" claim not found`)
+ }
+
+ v, ok := (*o.VeraisonKeyAttestation)["akpub"]
+ if !ok {
+ return nil, errors.New(`"akpub" claim not found in "ear.veraison.key-attestation"`)
+ }
+
+ akpub, ok := v.(string)
+ if !ok {
+ return nil, errors.New(`"ear.veraison.key-attestation" malformed: "akpub" must be string`)
+ }
+
+ k, err := base64.RawURLEncoding.DecodeString(akpub)
+ if err != nil {
+ return nil, fmt.Errorf(`"ear.veraison.key-attestation" malformed: decoding "akpub": %w`, err)
+ }
+
+ pub, err := x509.ParsePKIXPublicKey(k)
+ if err != nil {
+ return nil, fmt.Errorf(`parsing "akpub" failed: %w`, err)
+ }
+
+ return pub, nil
+}
+
 // UpdateStatusFromTrustVector ensure that Status trustworthiness is not
 // higher than is warranted by trust vector claims. For every claim that has
 // been made (i.e. is not in TrustTierNone), if the claim's trust tier is lower

ear_appraisal_test.go

@@ -0,0 +1,91 @@
+// Copyright 2023 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package ear
+
+import (
+ "crypto/ecdsa"
+ "crypto/elliptic"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func TestAppraisalExtensions_SetGetKeyAttestation_ok(t *testing.T) {
+ expected := AppraisalExtensions{
+ VeraisonKeyAttestation: &map[string]interface{}{
+ "akpub": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpZP40Li_hp_m47n60p8D54WK84zV2sxXs7LtkBoN79R9Q",
+ },
+ }
+
+ kp, err := ecdsa.GenerateKey(elliptic.P256(), new(zeroSource))
+ require.NoError(t, err)
+ tv := kp.Public()
+
+ actual := AppraisalExtensions{}
+
+ err = actual.SetKeyAttestation(tv)
+ assert.NoError(t, err)
+ assert.Equal(t, expected, actual)
+
+ pub, err := actual.GetKeyAttestation()
+ assert.NoError(t, err)
+ assert.Equal(t, tv, pub)
+}
+
+func TestAppraisalExtensions_SetKeyAttestation_fail_unsupported_key_type(t *testing.T) {
+ tv := "MFkwWwYHKo"
+
+ actual := AppraisalExtensions{}
+ err := actual.SetKeyAttestation(tv)
+ assert.EqualError(t, err, "unsupported type for public key: string")
+}
+
+func TestAppraisalExtensions_GetKeyAttestation_fail_no_claim(t *testing.T) {
+ tv := AppraisalExtensions{}
+
+ _, err := tv.GetKeyAttestation()
+ assert.EqualError(t, err, `"ear.veraison.key-attestation" claim not found`)
+}
+
+func TestAppraisalExtensions_GetKeyAttestation_fail_akpub_missing(t *testing.T) {
+ tv := AppraisalExtensions{
+ VeraisonKeyAttestation: &map[string]interface{}{},
+ }
+
+ _, err := tv.GetKeyAttestation()
+ assert.EqualError(t, err, `"akpub" claim not found in "ear.veraison.key-attestation"`)
+}
+
+func TestAppraisalExtensions_GetKeyAttestation_fail_akpub_truncated(t *testing.T) {
+ tv := AppraisalExtensions{
+ VeraisonKeyAttestation: &map[string]interface{}{
+ "akpub": "MFkwEwYHKo",
+ },
+ }
+
+ _, err := tv.GetKeyAttestation()
+ assert.EqualError(t, err, `parsing "akpub" failed: asn1: syntax error: data truncated`)
+}
+
+func TestAppraisalExtensions_GetKeyAttestation_fail_akpub_not_a_string(t *testing.T) {
+ tv := AppraisalExtensions{
+ VeraisonKeyAttestation: &map[string]interface{}{
+ "akpub": 141245,
+ },
+ }
+
+ _, err := tv.GetKeyAttestation()
+ assert.EqualError(t, err, `"ear.veraison.key-attestation" malformed: "akpub" must be string`)
+}
+
+func TestAppraisalExtensions_GetKeyAttestation_fail_akpub_no_b64url(t *testing.T) {
+ tv := AppraisalExtensions{
+ VeraisonKeyAttestation: &map[string]interface{}{
+ "akpub": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9Q==",
+ },
+ }
+ _, err := tv.GetKeyAttestation()
+ assert.EqualError(t, err, `"ear.veraison.key-attestation" malformed: decoding "akpub": illegal base64 data at input byte 84`)
+}

test_utils.go

@@ -0,0 +1,15 @@
+// Copyright 2023 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+
+package ear
+
+// zeroSource is an io.Reader that returns an unlimited number of zero bytes.
+type zeroSource struct{}
+
+func (zeroSource) Read(b []byte) (n int, err error) {
+ for i := range b {
+ b[i] = 0
+ }
+
+ return len(b), nil
+}