Consolidated attestation exceptions
thomasm-ttd committed Oct 14, 2024
1 parent a25e6b1 commit 872082a
Showing 10 changed files with 40 additions and 40 deletions.
3 changes: 3 additions & 0 deletions pom.xml
Expand Up @@ -285,6 +285,9 @@
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>3.2.5</version>
<configuration>
<argLine>-XX:+EnableDynamicAgentLoading</argLine>
</configuration>
</plugin>
<plugin>
<groupId>org.sonatype.plugins</groupId>
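Review bot: The `<argLine>` added to the surefire `<configuration>` carries no comment explaining why the test JVM needs `-XX:+EnableDynamicAgentLoading`, and the commit title does not mention it either. I would add a one-line XML comment above it naming the tool that attaches an agent at runtime, so the flag can be dropped once that tool no longer needs it. A literal `<argLine>` also replaces anything another plugin supplies through the `argLine` property; if the build uses a coverage agent, `<argLine>@{argLine} -XX:+EnableDynamicAgentLoading</argLine>` keeps both. The `<plugin>` element starts above the hunk.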
@@ -1,7 +1,12 @@
package com.uid2.shared.secure;

public class AttestationClientException extends AttestationException
{
import lombok.Getter;

@Getter
public class AttestationClientException extends AttestationException {
// This exception should be used when the error is as a result of invalid or bad data from the caller.
// It will result in a return code in the 400s

private final AttestationFailure attestationFailure;

public AttestationClientException(Throwable cause) {
Expand All @@ -14,7 +19,4 @@ public AttestationClientException(String message, AttestationFailure attestation
this.attestationFailure = attestationFailure;
}

public AttestationFailure getAttestationFailure() {
return this.attestationFailure;
}
}
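Review bot: The usage guidance added at the top of the class body is a `//` comment, so it does not show up in Javadoc or IDE hover, which is where a caller choosing an exception type would look; the comment added in the AttestationException hunk has the same problem. I would move it above the class declaration as a `/** ... */` block stating that this type is for invalid caller input and results in a 4xx response. The class-level `@Getter` generates the same `getAttestationFailure()` accessor that the commit removes, so callers should be unaffected. The constructor bodies are outside the visible hunks.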
@@ -1,6 +1,10 @@
package com.uid2.shared.secure;

public class AttestationException extends Exception {
// Used to indicate an error in the processing of Attestation due to internal server errors
// It will result in a response code of 500.
// If the error is as a result in invalid input from the caller, use the AttestationClientException

private final boolean isClientError;

public boolean IsClientError() {
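Review bot: The new comment directs client errors to AttestationClientException, yet the class still carries the `isClientError` field and the `IsClientError()` accessor shown as context below it, which leaves two ways to mark a client error that can disagree. If nothing reads the flag any more, I would mark the accessor `@Deprecated`, or extend the comment to say that the subclass is the source of truth for the 4xx/500 decision. The rest of the class is outside the hunk, so how the flag is set cannot be checked from here.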
Expand Up @@ -16,7 +16,7 @@ public AttestationResult(AttestationFailure reasonToFail) {
}

public AttestationResult(AttestationClientException exception) {
this.failure = AttestationFailure.UNKNOWN;
this.failure = exception.getAttestationFailure();
this.publicKey = null;
this.enclaveId = "Failed attestation, enclave Id unknown";
this.attestationClientException = exception;
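Review bot: `this.failure = exception.getAttestationFailure();` trusts the exception to carry a non-null reason, but AttestationClientException also has a `Throwable`-only constructor whose body is not shown, and a null `exception` now throws here where it previously did not. A failed result should never end up without a failure reason, so I would keep the old value as a fallback: `this.failure = Objects.requireNonNullElse(exception.getAttestationFailure(), AttestationFailure.UNKNOWN);` (needs `java.util.Objects`). How the rest of the class interprets a null `failure` is outside the hunk and should be confirmed.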
10 changes: 0 additions & 10 deletions src/main/java/com/uid2/shared/secure/BadFormatException.java

This file was deleted.

Expand Up @@ -20,7 +20,7 @@
public class NitroCoreAttestationService implements ICoreAttestationService {

private final String attestationUrl;
private Set<NitroEnclaveIdentifier> allowedEnclaveIds;
private final Set<NitroEnclaveIdentifier> allowedEnclaveIds;
private final ICertificateProvider certificateProvider;

private static final Logger LOGGER = LoggerFactory.getLogger(NitroCoreAttestationService.class);
Expand All @@ -37,6 +37,8 @@ public void attest(byte[] attestationRequest, byte[] publicKey, Handler<AsyncRes
AttestationRequest aReq = AttestationRequest.createFrom(attestationRequest);
AttestationDocument aDoc = aReq.getAttestationDocument();
handler.handle(Future.succeededFuture(attestInternal(publicKey, aReq, aDoc)));
} catch (AttestationClientException ace) {
handler.handle(Future.succeededFuture(new AttestationResult(ace)));
} catch (Exception e) {
handler.handle(Future.failedFuture(new AttestationException(e)));
}
Expand Down Expand Up @@ -105,5 +107,4 @@ public void addIdentifier(NitroEnclaveIdentifier id) {
public void removeIdentifier(NitroEnclaveIdentifier id) {
this.allowedEnclaveIds.remove(id);
}

}
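Review bot: Only `AttestationClientException` is routed to the new client-error branch in `attest`, so any unchecked exception thrown while decoding caller data still falls into `catch (Exception e)` and surfaces as a server failure. `AttestationRequest.createFrom` casts and indexes the decoded items (`((ByteString) dataItems.get(3)).getBytes()`) and catches only `CborException`, so input that decodes but has an unexpected shape would likely raise `ClassCastException` or `IndexOutOfBoundsException`. I would catch those in `createFrom` and rethrow them as `AttestationClientException` with `AttestationFailure.BAD_FORMAT`. The body of `attest` begins outside the hunk.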
Expand Up @@ -69,7 +69,7 @@ public MaaTokenPayload validate(String tokenString) throws AttestationException
} catch (TokenVerifier.VerificationException e) {
throw new AttestationClientException("Fail to validate the token signature, error: " + e.getMessage(), AttestationFailure.BAD_PAYLOAD);
} catch (IOException e) {
throw new AttestationException("Fail to parse token, error: " + e.getMessage());
throw new AttestationClientException("Fail to parse token, error: " + e.getMessage(), AttestationFailure.BAD_PAYLOAD);
}

// Parse Payload
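Review bot: A signature-verification failure is mapped to `AttestationFailure.BAD_PAYLOAD` in the context line just above the change, whereas the other token validator touched by this commit maps the same `TokenVerifier.VerificationException` to `AttestationFailure.BAD_CERTIFICATE`. Since the commit consolidates these exceptions, I would pick one code for signature failures so that monitoring can tell a token that fails verification apart from one that is merely malformed. Both messages also append `e.getMessage()`; if the message reaches the caller, a fixed string with the detail logged server-side is safer. `validate` begins and ends outside the hunk.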
Expand Up @@ -15,15 +15,15 @@ public PolicyValidator(String attestationUrl) {
this.attestationUrl = attestationUrl;
}
@Override
public String validate(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationException {
public String validate(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationClientException {
verifyVM(maaTokenPayload);
verifyLocation(maaTokenPayload);
verifyPublicKey(maaTokenPayload, publicKey);
verifyAttestationUrl(maaTokenPayload);
return maaTokenPayload.getCcePolicyDigest();
}

private void verifyPublicKey(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationException {
private void verifyPublicKey(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationClientException {
if(Strings.isNullOrEmpty(publicKey)){
throw new AttestationClientException("public key to check is null or empty", AttestationFailure.BAD_FORMAT);
}
Expand All @@ -38,7 +38,7 @@ private void verifyPublicKey(MaaTokenPayload maaTokenPayload, String publicKey)
}
}

private void verifyAttestationUrl(MaaTokenPayload maaTokenPayload) throws AttestationException {
private void verifyAttestationUrl(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
String decodedRuntimeAttestationUrl = maaTokenPayload.getRuntimeData().getDecodedAttestationUrl();
if (decodedRuntimeAttestationUrl == null) {
return;
Expand All @@ -47,7 +47,7 @@ private void verifyAttestationUrl(MaaTokenPayload maaTokenPayload) throws Attest
}
}

private void verifyVM(MaaTokenPayload maaTokenPayload) throws AttestationException {
private void verifyVM(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
if(!maaTokenPayload.isSevSnpVM()){
throw new AttestationClientException("Not in SevSnp VM", AttestationFailure.BAD_FORMAT);
}
Expand All @@ -59,7 +59,7 @@ private void verifyVM(MaaTokenPayload maaTokenPayload) throws AttestationExcepti
}
}

private void verifyLocation(MaaTokenPayload maaTokenPayload) throws AttestationException {
private void verifyLocation(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
var location = maaTokenPayload.getRuntimeData().getLocation();
if(Strings.isNullOrEmpty(location)){
throw new AttestationClientException("Location is not specified.", AttestationFailure.BAD_PAYLOAD);
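Review bot: `verifyAttestationUrl` returns without checking anything when `getDecodedAttestationUrl()` is null, so a token that omits the attestation URL passes this step, while `verifyPublicKey` and `verifyLocation` reject missing values. If that is deliberate, the early return should say so, e.g. `// attestation URL is optional in runtime data; absent means this check is skipped`; otherwise it should throw `AttestationClientException` like its siblings. Narrowing the `throws` clauses to `AttestationClientException` is fine in itself. Each method body continues outside its hunk.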
Expand Up @@ -5,7 +5,8 @@
import com.google.api.client.util.Clock;
import com.google.auth.oauth2.TokenVerifier;
import com.google.common.base.Strings;
import com.uid2.shared.secure.AttestationException;
import com.uid2.shared.secure.AttestationClientException;
import com.uid2.shared.secure.AttestationFailure;

import java.io.IOException;
import java.security.PublicKey;
Expand Down Expand Up @@ -51,7 +52,7 @@ protected TokenSignatureValidator(PublicKey publicKeyOverride, Clock clockOverri
}

@Override
public TokenPayload validate(String tokenString) throws AttestationException {
public TokenPayload validate(String tokenString) throws AttestationClientException {
if (Strings.isNullOrEmpty(tokenString)) {
throw new IllegalArgumentException("tokenString can not be null or empty");
}
Expand All @@ -65,9 +66,9 @@ public TokenPayload validate(String tokenString) throws AttestationException {
signature = tokenVerifier.verify(tokenString);
}
} catch (TokenVerifier.VerificationException e) {
throw new AttestationException("Fail to validate the token signature, error: " + e.getMessage());
throw new AttestationClientException("Fail to validate the token signature, error: " + e.getMessage(), AttestationFailure.BAD_CERTIFICATE);
} catch (IOException e) {
throw new AttestationException("Fail to parse token, error: " + e.getMessage());
throw new AttestationClientException("Fail to parse token, error: " + e.getMessage(), AttestationFailure.BAD_PAYLOAD);
}

// Parse Payload
Expand All @@ -78,20 +79,20 @@ public TokenPayload validate(String tokenString) throws AttestationException {
tokenPayloadBuilder.dbgStat(tryGetField(rawPayload, "dbgstat", String.class));
tokenPayloadBuilder.swName(tryGetField(rawPayload, "swname", String.class));
var swVersion = tryGetField(rawPayload, "swversion", List.class);
if(swVersion != null && !swVersion.isEmpty()){
if (swVersion != null && !swVersion.isEmpty()) {
tokenPayloadBuilder.swVersion(tryConvert(swVersion.get(0), String.class));
}

var subModsDetails = tryGetField(rawPayload,"submods", Map.class);
var subModsDetails = tryGetField(rawPayload, "submods", Map.class);

if(subModsDetails != null){
if (subModsDetails != null) {
var confidential_space = tryGetField(subModsDetails, "confidential_space", Map.class);
if(confidential_space != null){
if (confidential_space != null) {
tokenPayloadBuilder.csSupportedAttributes(tryGetField(confidential_space, "support_attributes", List.class));
}

var container = tryGetField(subModsDetails, "container", Map.class);
if(container != null){
if (container != null) {
tokenPayloadBuilder.workloadImageReference(tryGetField(container, "image_reference", String.class));
tokenPayloadBuilder.workloadImageDigest(tryGetField(container, "image_digest", String.class));
tokenPayloadBuilder.restartPolicy(tryGetField(container, "restart_policy", String.class));
Expand All @@ -101,14 +102,12 @@ public TokenPayload validate(String tokenString) throws AttestationException {
}

var gce = tryGetField(subModsDetails, "gce", Map.class);
if(gce != null){
if (gce != null) {
var gceZone = tryGetField(gce, "zone", String.class);
tokenPayloadBuilder.gceZone(gceZone);
}
}

return tokenPayloadBuilder.build();
}


}
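Review bot: An empty or null `tokenString` still throws `IllegalArgumentException` at the top of `validate`, which is unchecked and therefore bypasses the `AttestationClientException` handling this commit introduces, although an empty token is caller input. I would throw `new AttestationClientException("tokenString can not be null or empty", AttestationFailure.BAD_PAYLOAD)` there, unless every caller already guarantees a non-empty token. It is also worth confirming that `TokenVerifier.VerificationException` is raised only for problems with the token itself; if it can wrap a failure to fetch the signing keys, that server-side condition would be reported as the client's `BAD_CERTIFICATE`.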
Expand Up @@ -7,7 +7,8 @@
import co.nstant.in.cbor.model.ByteString;
import co.nstant.in.cbor.model.DataItem;
import co.nstant.in.cbor.model.UnicodeString;
import com.uid2.shared.secure.BadFormatException;
import com.uid2.shared.secure.AttestationClientException;
import com.uid2.shared.secure.AttestationFailure;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
Expand All @@ -22,7 +23,7 @@ public class AttestationRequest {
private byte[] protectedHeader;
private byte[] signature;

public static AttestationRequest createFrom(byte[] data) throws BadFormatException {
public static AttestationRequest createFrom(byte[] data) throws AttestationClientException {
try {
AttestationRequest aReq = new AttestationRequest();
ByteArrayInputStream stream = new ByteArrayInputStream(data);
Expand All @@ -34,11 +35,11 @@ public static AttestationRequest createFrom(byte[] data) throws BadFormatExcepti
aReq.signature = ((ByteString) dataItems.get(3)).getBytes();
return aReq;
} catch (CborException ce) {
throw new BadFormatException(ce.getMessage(), ce);
throw new AttestationClientException(ce.getMessage(), AttestationFailure.BAD_FORMAT);
}
}

public static AttestationRequest createFrom(String base64data) throws BadFormatException {
public static AttestationRequest createFrom(String base64data) throws AttestationClientException {
return createFrom(Base64.getDecoder().decode(base64data));
}
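Review bot: The replacement `throw new AttestationClientException(ce.getMessage(), AttestationFailure.BAD_FORMAT);` drops the `CborException` cause that the removed `BadFormatException(ce.getMessage(), ce)` preserved, so the parser stack trace is lost when a rejected request is investigated. The constructors visible on this page take either a `Throwable` or a message plus failure code; adding a `(String, AttestationFailure, Throwable)` overload and passing `ce` would keep the cause. In the `String` overload, `Base64.getDecoder().decode(base64data)` throws `IllegalArgumentException` on invalid input, which is also caller data that misses the client-error path.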
