DO NOT MERGE: only for test
Signed-off-by: Xynnn007 <xynnn@linux.alibaba.com>
Xynnn007 committed Dec 16, 2024
1 parent 4547427 commit 352e0c7
Showing 11 changed files with 196 additions and 52 deletions.
27 changes: 24 additions & 3 deletions Cargo.lock


4 changes: 3 additions & 1 deletion Cargo.toml
@@ -37,7 +37,9 @@ hmac = "0.12.1"
jwt-simple = { version = "0.12", default-features = false, features = [
"pure-rust",
] }
kbs-types = { git = "https://github.com/virtee/kbs-types.git", rev = "a704036" }
# TODO: change this rev to official repo
# Once https://github.com/virtee/kbs-types/pull/53 gets merged
kbs-types = { git = "https://github.com/Xynnn007/kbs-types.git", rev = "f56c565" }
lazy_static = "1.5.0"
log = "0.4.22"
nix = "0.29"
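Review bot: The workspace `kbs-types` dependency now resolves from a personal fork, `https://github.com/Xynnn007/kbs-types.git`, at the abbreviated rev `f56c565`, so every crate that inherits it (the crypto crate on this page uses `kbs-types.workspace = true`) builds its protocol types from code outside the upstream repository's review. The TODO states the intent but nothing ties it to a release gate; I would write the revision as the full 40-character commit hash and make the comment actionable, e.g. `# TODO(<tracking-issue>): switch back to virtee/kbs-types once PR 53 merges; must not ship pinned to a fork`. Cargo.lock is not rendered on this page, so the resolved revision there should be checked against the same hash.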
7 changes: 5 additions & 2 deletions attestation-agent/deps/crypto/Cargo.toml
@@ -7,11 +7,14 @@ edition = "2021"

[dependencies]
aes-gcm = { workspace = true, optional = true }
aes-kw = "0.2.1"
anyhow.workspace = true
base64.workspace = true
concat-kdf = "0.1.0"
ctr = { workspace = true, optional = true }
kbs-types.workspace = true
openssl = { workspace = true, features = ["vendored"], optional = true}
openssl = { workspace = true, features = ["vendored"], optional = true }
p256 = { version = "0.13.1", features = ["ecdh"] }
rand.workspace = true
rsa = { workspace = true, optional = true }
serde.workspace = true
@@ -26,4 +29,4 @@ rstest.workspace = true
[features]
default = ["rust-crypto"]
rust-crypto = ["dep:aes-gcm", "ctr", "rsa"]
openssl = ["dep:openssl"]
openssl = ["dep:openssl"]
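Review bot: `aes-kw`, `concat-kdf` and `p256` are added as unconditional dependencies, while the other RustCrypto crates in this manifest (`aes-gcm`, `ctr`, `rsa`) are `optional = true` and enabled through the `rust-crypto` feature. A build that selects only the `openssl` feature therefore still compiles and links these pure-Rust EC and key-wrap crates, which widens the crypto code to audit for that configuration. If the `native::ec` backend does not need them (its source is not part of this page), I would mark them optional and extend the feature, `rust-crypto = ["dep:aes-gcm", "ctr", "rsa", "dep:aes-kw", "dep:concat-kdf", "dep:p256"]`. Their versions are also set here rather than inherited with `.workspace = true` like the neighbouring entries.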
32 changes: 31 additions & 1 deletion attestation-agent/deps/crypto/src/asymmetric.rs
@@ -15,9 +15,12 @@ pub mod rsa {
/// more information.
#[derive(EnumString, AsRefStr)]
pub enum PaddingMode {
#[strum(serialize = "RSA-OAEP")]
/// RSAES OAEP using SHA-256 and MGF1 with SHA-256
#[strum(serialize = "RSA-OAEP-256")]
OAEP,

/// RSA PKCS#1 v1.5
#[deprecated]
#[strum(serialize = "RSA1_5")]
PKCS1v15,

Check failure on line 25 in attestation-agent/deps/crypto/src/asymmetric.rs

GitHub Actions / Check (stable, ubuntu-24.04)

use of deprecated unit variant `asymmetric::rsa::PaddingMode::PKCS1v15`

}
@@ -26,3 +29,30 @@ pub mod rsa {

pub const RSA_KTY: &str = "RSA";
}

pub mod ec {
#[cfg(feature = "openssl")]
pub use crate::native::ec::*;

Check warning on line 35 in attestation-agent/deps/crypto/src/asymmetric.rs

GitHub Actions / Check (stable)

unused import: `crate::native::ec::*`

#[cfg(all(feature = "rust-crypto", not(feature = "openssl")))]
pub use crate::rust::ec::*;

Check failure on line 38 in attestation-agent/deps/crypto/src/asymmetric.rs

GitHub Actions / Check (stable, ubuntu-24.04)

unused import: `crate::rust::ec::*`

/// The elliptic curve key type
pub const EC_KTY: &str = "EC";

/// Definations of different key wrapping algorithms. Refer to
/// <https://datatracker.ietf.org/doc/html/rfc7518> for
/// more information.
#[derive(EnumString, AsRefStr)]
pub enum KeyWrapAlgorithm {
/// ECDH-ES using Concat KDF and CEK wrapped with "A256KW"
#[strum(serialize = "ECDH-ES+A256KW")]
EcdhEsA256Kw,
}

#[derive(EnumString, AsRefStr)]
pub enum Curve {
#[strum(serialize = "P-256")]
P256,
}
}
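Review bot: `#[deprecated]` on `PKCS1v15` has no `note`, so the lint text that every user of the variant now sees gives neither the reason nor the replacement. RSAES-PKCS1-v1_5 decryption is the classic padding-oracle surface, which is presumably why it is being retired; I would write `#[deprecated(note = "RSAES-PKCS1-v1_5 is padding-oracle prone; use RSA-OAEP-256")]` and say the same in the doc comment. In the new `ec` module, `Curve` has no doc comment and the `KeyWrapAlgorithm` doc should read "Definitions". The `rsa` module begins above the first hunk.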
1 change: 1 addition & 0 deletions attestation-agent/deps/crypto/src/native/mod.rs
@@ -8,4 +8,5 @@
pub mod aes256ctr;
pub mod aes256gcm;

pub mod ec;

Check failure on line 11 in attestation-agent/deps/crypto/src/native/mod.rs

GitHub Actions / Check (stable)

file not found for module `ec`

pub mod rsa;
1 change: 1 addition & 0 deletions attestation-agent/deps/crypto/src/native/rsa.rs
@@ -30,6 +30,7 @@ impl RSAKeyPair {
.private_key
.private_decrypt(&cipher_text, &mut plaintext, Padding::PKCS1_OAEP)
.map_err(|e| anyhow!("RSA key decrypt OAEP failed: {:?}", e))?,
#[allow(deprecated)]
PaddingMode::PKCS1v15 => self
.private_key
.private_decrypt(&cipher_text, &mut plaintext, Padding::PKCS1)
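Review bot: With `PaddingMode::OAEP` now documented and serialized as `RSA-OAEP-256`, the unchanged arm `private_decrypt(&cipher_text, &mut plaintext, Padding::PKCS1_OAEP)` looks inconsistent with it. As far as I know, `private_decrypt` with `Padding::PKCS1_OAEP` uses OpenSSL's default OAEP digest (SHA-1), whereas the rust-crypto backend on this page calls `Oaep::new::<sha2::Sha256>()`. If that holds, the two backends implement different algorithms under one name, and a peer encrypting with RSA-OAEP-256 fails against the openssl build. The arm would need the `openssl::encrypt::Decrypter` path with the digest set explicitly, `decrypter.set_rsa_oaep_md(MessageDigest::sha256())?;` and `decrypter.set_rsa_mgf1_md(MessageDigest::sha256())?;`, plus a test that round-trips one ciphertext through both backends. The enclosing method starts and ends outside the hunk.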
2 changes: 2 additions & 0 deletions attestation-agent/deps/crypto/src/rust/mod.rs
@@ -8,4 +8,6 @@
pub mod aes256ctr;
pub mod aes256gcm;

pub mod ec;

Check failure on line 11 in attestation-agent/deps/crypto/src/rust/mod.rs

GitHub Actions / Check (stable, ubuntu-24.04)

file not found for module `ec`
pub mod rsa;

1 change: 1 addition & 0 deletions attestation-agent/deps/crypto/src/rust/rsa.rs
@@ -41,6 +41,7 @@ impl RSAKeyPair {
.private_key
.decrypt(Oaep::new::<sha2::Sha256>(), &cipher_text)
.map_err(|e| anyhow!("RSA key decrypt OAEP failed: {:?}", e)),
#[allow(deprecated)]
PaddingMode::PKCS1v15 => self
.private_key
.decrypt(Pkcs1v15Encrypt, &cipher_text)
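Review bot: `#[allow(deprecated)]` on the `PaddingMode::PKCS1v15` arm silences the lint but leaves RSAES-PKCS1-v1_5 decryption fully reachable for any peer that names `RSA1_5`, so the deprecation has no effect at run time. If the mode has to stay for compatibility, I would make its use visible, e.g. `log::warn!("RSA1_5 key wrapping is deprecated; use RSA-OAEP-256");` (assuming `log` is available to this crate), and add a comment on the arm saying when it is to be removed. The same applies to the matching arm in native/rsa.rs. The enclosing method extends beyond the hunk on both sides.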
2 changes: 2 additions & 0 deletions attestation-agent/deps/crypto/src/symmetric.rs
@@ -15,6 +15,8 @@ use crate::native::*;
#[cfg(all(feature = "rust-crypto", not(feature = "openssl")))]
use crate::rust::*;

pub const AES_GCM_256_KEY_BITS: u32 = 256;

/// Supported WrapType, s.t. encryption algorithm using to encrypt the
/// [PLBCO](https://github.com/confidential-containers/guest-components/blob/main/attestation-agent/docs/IMPLEMENTATION.md#encryption-and-decryption-of-container-image).
/// TODO: Support more kinds of en/decryption schemes.
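Review bot: `AES_GCM_256_KEY_BITS` is a new `pub` item without a doc comment, and its name orders the terms differently from the `aes256gcm` module it sits beside. I would add `/// Key size in bits of the AES-256-GCM content-encryption key.` above it. Where the constant is consumed is not visible in this hunk, so the wording should be checked against that use.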
41 changes: 19 additions & 22 deletions attestation-agent/kbs_protocol/src/client/rcar_client.rs
@@ -406,28 +406,25 @@ mod test {
kbs_config.push("test/kbs-config.toml");
policy.push("test/policy.rego");

let image = GenericImage::new(
"ghcr.io/confidential-containers/staged-images/kbs",
"latest",
)
.with_exposed_port(8085)
.with_volume(
tmp.path().as_os_str().to_string_lossy(),
"/opt/confidential-containers/kbs/repository",
)
.with_volume(
start_kbs_script.into_os_string().to_string_lossy(),
"/usr/local/bin/start_kbs.sh",
)
.with_volume(
kbs_config.into_os_string().to_string_lossy(),
"/etc/kbs-config.toml",
)
.with_volume(
policy.into_os_string().to_string_lossy(),
"/opa/confidential-containers/kbs/policy.rego",
)
.with_entrypoint("/usr/local/bin/start_kbs.sh");
let image = GenericImage::new("xynnn007/kbs", "ec-aead")
.with_exposed_port(8085)
.with_volume(
tmp.path().as_os_str().to_string_lossy(),
"/opt/confidential-containers/kbs/repository",
)
.with_volume(
start_kbs_script.into_os_string().to_string_lossy(),
"/usr/local/bin/start_kbs.sh",
)
.with_volume(
kbs_config.into_os_string().to_string_lossy(),
"/etc/kbs-config.toml",
)
.with_volume(
policy.into_os_string().to_string_lossy(),
"/opa/confidential-containers/kbs/policy.rego",
)
.with_entrypoint("/usr/local/bin/start_kbs.sh");
let kbs = docker.run(image);

tokio::time::sleep(Duration::from_secs(10)).await;
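Review bot: The KBS test container is now `GenericImage::new("xynnn007/kbs", "ec-aead")`, an image from a personal registry namespace addressed by a mutable tag, and the test starts it with host paths mounted and `/usr/local/bin/start_kbs.sh` as entrypoint. Whatever that tag points to when CI runs is what gets executed, and the result is no longer reproducible against the project's own `staged-images/kbs` build. While the fork is needed, I would record the expected image digest next to the call, e.g. `// test-only image for ECDH-ES; expected digest sha256:<image-digest>, revert to the project image before merge`, and pull by that digest if the testcontainers version in use allows it. The test function starts above the hunk and continues below it.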