From 30547ba8872382dcbb5de3e39b21456bd06ddbd0 Mon Sep 17 00:00:00 2001 From: "Rawat, Arvind" Date: Fri, 7 Feb 2025 16:11:41 +0530 Subject: [PATCH 1/3] Moved attestation endpoint selection to GetToken. --- go-connector/attest.go | 9 ++------- go-connector/attest_evidence.go | 2 +- go-connector/attest_evidence_test.go | 2 +- go-connector/connector.go | 1 - go-connector/const.go | 5 +++-- go-connector/token.go | 7 +++++-- go-connector/token_test.go | 6 +++--- 7 files changed, 15 insertions(+), 17 deletions(-) diff --git a/go-connector/attest.go b/go-connector/attest.go index 7f2a300..25014de 100644 --- a/go-connector/attest.go +++ b/go-connector/attest.go @@ -1,5 +1,5 @@ /* - * Copyright (c) 2022-2024 Intel Corporation + * Copyright (c) 2022-2025 Intel Corporation * All rights reserved. * SPDX-License-Identifier: BSD-3-Clause */ @@ -24,12 +24,7 @@ func (connector *trustAuthorityConnector) Attest(args AttestArgs) (AttestRespons return response, errors.Errorf("Failed to collect evidence from adapter: %s", err) } - apiEndpoint := attestEndpoint - if evidence.Type == AzTdx { - apiEndpoint = attestAzureTdEndpoint - } - - tokenResponse, err := connector.GetToken(GetTokenArgs{nonceResponse.Nonce, evidence, args.PolicyIds, args.RequestId, apiEndpoint, args.TokenSigningAlg, args.PolicyMustMatch}) + tokenResponse, err := connector.GetToken(GetTokenArgs{nonceResponse.Nonce, evidence, args.PolicyIds, args.RequestId, args.TokenSigningAlg, args.PolicyMustMatch}) response.Token, response.Headers = tokenResponse.Token, tokenResponse.Headers if err != nil { return response, errors.Errorf("Failed to collect token from Trust Authority: %s", err) diff --git a/go-connector/attest_evidence.go b/go-connector/attest_evidence.go index 5ea07f2..6d285e1 100644 --- a/go-connector/attest_evidence.go +++ b/go-connector/attest_evidence.go 
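Review bot: The rebuilt call `connector.GetToken(GetTokenArgs{nonceResponse.Nonce, evidence, args.PolicyIds, args.RequestId, args.TokenSigningAlg, args.PolicyMustMatch})` keeps a positional struct literal, which is exactly what forced this commit to touch every call site when `attestEndpoint` left `GetTokenArgs`, and which would compile silently if the two adjacent string fields `RequestId` and `TokenSigningAlg` were ever reordered. Keyed fields, e.g. `GetTokenArgs{Evidence: evidence, PolicyIds: args.PolicyIds, RequestId: args.RequestId, TokenSigningAlg: args.TokenSigningAlg, PolicyMustMatch: args.PolicyMustMatch}` plus the nonce field under the name connector.go declares for it (that name is outside this hunk), survive such changes without edits. The same applies to the two `GetTokenArgs` literals in the token_test.go hunks. Attest starts outside the hunk.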
@@ -31,7 +31,7 @@ func (ctr *trustAuthorityConnector) AttestEvidence(evidence interface{}, cloudPr if err != nil { return response, errors.Wrap(err, "Failed to parse API URL") } - url.Path = path.Join(url.Path, attestEndpoint) + url.Path = path.Join(url.Path, attestV2Endpoint) url.Path = path.Join(url.Path, cloudProvider) newRequest := func() (*http.Request, error) { diff --git a/go-connector/attest_evidence_test.go b/go-connector/attest_evidence_test.go index bfad458..700e2bb 100644 --- a/go-connector/attest_evidence_test.go +++ b/go-connector/attest_evidence_test.go @@ -15,7 +15,7 @@ func TestAttestEvidence(t *testing.T) { connector, mux, _, teardown := setup() defer teardown() - mux.HandleFunc(attestEndpoint, func(w http.ResponseWriter, r *http.Request) { + mux.HandleFunc(attestV2Endpoint, func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) w.Write([]byte(`{"token":"` + token + `"}`)) }) diff --git a/go-connector/connector.go b/go-connector/connector.go index 73a3e2b..150f350 100644 --- a/go-connector/connector.go +++ b/go-connector/connector.go @@ -58,7 +58,6 @@ type GetTokenArgs struct { Evidence *Evidence PolicyIds []uuid.UUID RequestId string - attestEndpoint string TokenSigningAlg string PolicyMustMatch bool } diff --git a/go-connector/const.go b/go-connector/const.go index 5b2dc4a..e0575f8 100644 --- a/go-connector/const.go +++ b/go-connector/const.go @@ -13,8 +13,9 @@ const ( HeaderTraceId = "trace-id" nonceEndpoint = "/appraisal/v2/nonce" - attestEndpoint = "/appraisal/v2/attest" - attestAzureTdEndpoint = "/appraisal/v2/attest/azure" + attestEndpoint = "/appraisal/v1/attest" + attestAzureTdEndpoint = "/appraisal/v1/attest/azure/tdxvm" + attestV2Endpoint = "/appraisal/v2/attest" mimeApplicationJson = "application/json" AtsCertChainMaxLen = 10 diff --git a/go-connector/token.go b/go-connector/token.go index 8aabca0..b2942a8 100644 --- a/go-connector/token.go +++ b/go-connector/token.go 
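Review bot: After this hunk the unversioned name `attestEndpoint` resolves to `/appraisal/v1/attest` while the versioned `attestV2Endpoint` keeps `/appraisal/v2/attest`, so a reader of GetToken in the token.go hunk gets no hint that the token request has moved from the v2 to the v1 appraisal API in this commit. Naming both v1 constants by version, `attestV1Endpoint = "/appraisal/v1/attest"` and `attestAzureTdV1Endpoint = "/appraisal/v1/attest/azure/tdxvm"`, and updating the two uses in token.go keeps the API version visible at the call site, as the attest_evidence.go hunk already does for v2. A one-line comment on the const block stating which connector method uses which version would also help, since the commit message gives no reason for the split.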
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2022-2023 Intel Corporation + * Copyright (c) 2022-2025 Intel Corporation * All rights reserved. * SPDX-License-Identifier: BSD-3-Clause */ @@ -44,7 +44,10 @@ type AttestationTokenResponse struct { // GetToken is used to get attestation token from Intel Trust Authority func (connector *trustAuthorityConnector) GetToken(args GetTokenArgs) (GetTokenResponse, error) { - url := connector.cfg.ApiUrl + args.attestEndpoint + url := connector.cfg.ApiUrl + attestEndpoint + if args.Evidence.Type == AzTdx { + url = connector.cfg.ApiUrl + attestAzureTdEndpoint + } newRequest := func() (*http.Request, error) { tr := tokenRequest{ diff --git a/go-connector/token_test.go b/go-connector/token_test.go index e960ad9..aa14358 100644 --- a/go-connector/token_test.go +++ b/go-connector/token_test.go @@ -1,5 +1,5 @@ /* - * Copyright (c) 2022-2023 Intel Corporation + * Copyright (c) 2022-2025 Intel Corporation * All rights reserved. * SPDX-License-Identifier: BSD-3-Clause */ @@ -40,7 +40,7 @@ func TestGetToken(t *testing.T) { nonce := &VerifierNonce{} evidence := &Evidence{} - _, err := connector.GetToken(GetTokenArgs{nonce, evidence, nil, "req1", attestEndpoint, string(PS384), false}) + _, err := connector.GetToken(GetTokenArgs{nonce, evidence, nil, "req1", string(PS384), false}) if err != nil { t.Errorf("GetToken returned unexpected error: %v", err) } @@ -57,7 +57,7 @@ func TestGetToken_invalidToken(t *testing.T) { nonce := &VerifierNonce{} evidence := &Evidence{} - _, err := connector.GetToken(GetTokenArgs{nonce, evidence, nil, "req1", attestEndpoint, "", false}) + _, err := connector.GetToken(GetTokenArgs{nonce, evidence, nil, "req1", "", false}) if err == nil { t.Errorf("GetToken returned nil, expected error") } From 1cf93de98673fd5244781623f472df6e862e2dd9 Mon Sep 17 00:00:00 2001 
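Review bot: `if args.Evidence.Type == AzTdx` dereferences `args.Evidence`, which the connector.go hunk declares as `*Evidence`, before any check, so a caller passing nil evidence now panics inside GetToken, whereas the old string field `args.attestEndpoint` could not. A guard ahead of the endpoint selection, `if args.Evidence == nil { return GetTokenResponse{}, errors.Errorf("evidence is required") }` (with whichever errors package token.go already imports; attest.go uses `errors.Errorf`), keeps the failure reportable; GetToken's body continues outside the hunk, so if a nil check already exists further down it should move above this line. The endpoint is also formed by string concatenation on `connector.cfg.ApiUrl`, while the attest_evidence.go hunk uses `path.Join` on a parsed URL, so a trailing slash in ApiUrl yields a double slash here; worth normalizing once or noting in a comment.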
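Review bot: Both updated literals pass `evidence := &Evidence{}` with a zero `Type`, so after this commit only the default `attestEndpoint` branch of GetToken is exercised and the new `args.Evidence.Type == AzTdx` path that selects `attestAzureTdEndpoint` has no test; the same holds for the TestGetToken_invalidToken hunk. A further case that registers `mux.HandleFunc(attestAzureTdEndpoint, ...)`, as the attest_evidence_test.go hunk does for its endpoint, and calls `connector.GetToken(GetTokenArgs{nonce, &Evidence{Type: AzTdx}, nil, "req1", string(PS384), false})` would pin the routing and catch a future typo in the `/appraisal/v1/attest/azure/tdxvm` constant. TestGetToken starts outside the hunk, so the handler registration for the default endpoint is presumably earlier in the function and not visible here.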
From: "Rawat, Arvind" Date: Fri, 7 Feb 2025 16:20:52 +0530 Subject: [PATCH 2/3] Updated version in Makefile. --- tdx-cli/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tdx-cli/Makefile b/tdx-cli/Makefile index a8d87b5..af20327 100644 --- a/tdx-cli/Makefile +++ b/tdx-cli/Makefile @@ -4,7 +4,7 @@ APPNAME := trustauthority-cli GITCOMMIT := $(shell git describe --always) GITCOMMITDATE := $(shell git log -1 --date=short --pretty=format:%cd) -VERSION := v1.9.0 +VERSION := v1.9.1 cli: CGO_ENABLED=1 CGO_CFLAGS="-O2 -D_FORTIFY_SOURCE=2" go build -buildmode=pie -trimpath -ldflags "-s -linkmode=external -extldflags -Wl,-O1,-z,relro,-z,now \ From ea39ab7c3212aa35fd1107e92b5ea0b8797f97b4 Mon Sep 17 00:00:00 2001 From: "Rawat, Arvind" Date: Fri, 7 Feb 2025 18:21:08 +0530 Subject: [PATCH 3/3] Added NewTdxAdapter. --- go-tdx/tdx_adapter.go | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/go-tdx/tdx_adapter.go b/go-tdx/tdx_adapter.go index 31f0e67..0eac342 100644 --- a/go-tdx/tdx_adapter.go +++ b/go-tdx/tdx_adapter.go @@ -1,5 +1,5 @@ /* - * Copyright (c) 2022-2024 Intel Corporation + * Copyright (c) 2022-2025 Intel Corporation * All rights reserved. * SPDX-License-Identifier: BSD-3-Clause */ @@ -27,6 +27,15 @@ type compositeTdxEvidence struct { VerifierNonce *connector.VerifierNonce `json:"verifier_nonce,omitempty"` } +// NewTdxAdapter returns a new TDX Adapter instance +func NewTdxAdapter(udata []byte, withCcel bool) (connector.EvidenceAdapter, error) { + return &tdxAdapter{ + uData: udata, + withCcel: withCcel, + cfsQuoteProvider: &cfsQuoteProviderImpl{}, + }, nil +} + // CollectEvidence is used to get TDX quote using TDX Quote Generation service func (adapter *tdxAdapter) CollectEvidence(nonce []byte) (*connector.Evidence, error) {