attestedtls: libapi refactoring

Signed-off-by: Simon Ott <simon.ott@aisec.fraunhofer.de>

Author: smo4201

attestedhttp/client.go

@@ -57,15 +57,15 @@ type Transport struct {
 	// as we enforce aTLS as the underlying transport protocol
 
 	// Additional aTLS parameters
-	Attest        atls.AttestSelect
-	MutualTls     bool
-	CmcAddr       string
-	CmcApi        string
-	ApiSerializer ar.Serializer
-	Cmc           *cmc.Cmc
-	CmcPolicies   []byte
-	ReadTimeout   time.Duration
-	ResultCb      func(result *ar.VerificationResult)
+	Attest          atls.AttestSelect
+	MutualTls       bool
+	CmcAddr         string
+	CmcApi          string
+	ApiSerializer   ar.Serializer
+	LibApiCmcConfig *cmc.Config
+	CmcPolicies     []byte
+	ReadTimeout     time.Duration
+	ResultCb        func(result *ar.VerificationResult)
 }
 
 // Wrapper for net/http Client
@@ -191,7 +191,7 @@ func prepareClient(c *Client) error {
 				conn, err := atls.Dial("tcp", addr, c.Transport.TLSClientConfig,
 					atls.WithApiSerializer(c.Transport.ApiSerializer),
 					atls.WithAttest(c.Transport.Attest),
-					atls.WithLibApiCmc(c.Transport.Cmc),
+					atls.WithLibApiCmcConfig(c.Transport.LibApiCmcConfig),
 					atls.WithCmcAddr(c.Transport.CmcAddr),
 					atls.WithCmcApi(c.Transport.CmcApi),
 					atls.WithCmcPolicies(c.Transport.CmcPolicies),

attestedhttp/server.go

@@ -30,14 +30,14 @@ type Server struct {
 	*http.Server
 
 	// Additional aTLS parameters
-	Attest        atls.AttestSelect
-	MutualTls     bool
-	CmcAddr       string
-	CmcApi        string
-	ApiSerializer ar.Serializer
-	Cmc           *cmc.Cmc
-	CmcPolicies   []byte
-	ResultCb      func(result *ar.VerificationResult)
+	Attest          atls.AttestSelect
+	MutualTls       bool
+	CmcAddr         string
+	CmcApi          string
+	ApiSerializer   ar.Serializer
+	LibApiCmcConfig *cmc.Config
+	CmcPolicies     []byte
+	ResultCb        func(result *ar.VerificationResult)
 }
 
 func (s *Server) ListenAndServe() error {
@@ -55,7 +55,7 @@ func (s *Server) ListenAndServe() error {
 		atls.WithMtls(s.MutualTls),
 		atls.WithAttest(s.Attest),
 		atls.WithResultCb(s.ResultCb),
-		atls.WithLibApiCmc(s.Cmc))
+		atls.WithLibApiCmcConfig(s.LibApiCmcConfig))
 	if err != nil {
 		log.Fatalf("Failed to listen for connections: %v", err)
 	}

attestedtls/config.go

@@ -47,8 +47,7 @@ const (
 	timeoutSec          = 10
 )
 
-// Struct that holds information on cmc address and port
-// to be used by Listener and DialConfig
+// CmcConfig holds the relevant parameters to interact with the cmcd
 type CmcConfig struct {
 	CmcAddr       string
 	CmcApi        CmcApi
@@ -58,7 +57,7 @@ type CmcConfig struct {
 	Mtls          bool
 	Attest        AttestSelect
 	ResultCb      func(result *ar.VerificationResult)
-	Cmc           *cmc.Cmc
+	LibApiConfig  *cmc.Config
 }
 
 type CmcApi interface {
@@ -164,9 +163,9 @@ func WithResultCb(cb func(result *ar.VerificationResult)) ConnectionOption[CmcCo
 
 // WithLibApiCmc takes a CMC object. This is only required for the Lib API, where
 // the CMC is integrated directly into binary (instead of using the cmcd)
-func WithLibApiCmc(cmc *cmc.Cmc) ConnectionOption[CmcConfig] {
+func WithLibApiCmcConfig(config *cmc.Config) ConnectionOption[CmcConfig] {
 	return func(c *CmcConfig) error {
-		c.Cmc = cmc
+		c.LibApiConfig = config
 		return nil
 	}
 }

attestedtls/libapi.go

@@ -32,7 +32,9 @@ import (
 	"github.com/Fraunhofer-AISEC/cmc/internal"
 )
 
-type LibApi struct{}
+type LibApi struct {
+	cmc *cmc.Cmc
+}
 
 func init() {
 	CmcApis["libapi"] = LibApi{}
@@ -41,17 +43,25 @@ func init() {
 // Obtains attestation report from CMCd
 func (a LibApi) obtainAR(cc *CmcConfig, chbindings []byte, cached []string) ([]byte, map[string][]byte, []string, error) {
 
-	if cc == nil || cc.Cmc == nil {
+	if cc == nil {
 		return nil, nil, nil, errors.New("internal error: cmc is nil")
 	}
 
-	if len(cc.Cmc.Drivers) == 0 {
+	if a.cmc == nil {
+		cmc, err := cmc.NewCmc(cc.LibApiConfig)
+		if err != nil {
+			return nil, nil, nil, fmt.Errorf("failed to initialize CMC: %v", err)
+		}
+		a.cmc = cmc
+	}
+
+	if len(a.cmc.Drivers) == 0 {
 		return nil, nil, nil, errors.New("no drivers configured")
 	}
 
 	log.Debug("Prover: Generating Attestation Report with nonce: ", hex.EncodeToString(chbindings))
 
-	report, metadata, cacheMisses, err := cmc.Generate(chbindings, cached, cc.Cmc)
+	report, metadata, cacheMisses, err := cmc.Generate(chbindings, cached, a.cmc)
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("failed to generate attestation report: %w", err)
 	}
@@ -74,10 +84,18 @@ func (a LibApi) verifyAR(
 	metadata map[string][]byte,
 ) error {
 
-	if cc == nil || cc.Cmc == nil {
+	if cc == nil {
 		return errors.New("internal error: cmc is nil")
 	}
 
+	if a.cmc == nil {
+		cmc, err := cmc.NewCmc(cc.LibApiConfig)
+		if err != nil {
+			return fmt.Errorf("failed to initialize CMC: %v", err)
+		}
+		a.cmc = cmc
+	}
+
 	req := &api.VerificationRequest{
 		Nonce:       nonce,
 		Report:      report,
@@ -89,7 +107,7 @@ func (a LibApi) verifyAR(
 
 	log.Debug("Verifier: verifying attestation report")
 	result, err := cmc.Verify(req.Report, req.Nonce, req.Policies,
-		req.Peer, req.CacheMisses, req.Metadata, cc.Cmc)
+		req.Peer, req.CacheMisses, req.Metadata, a.cmc)
 	if err != nil {
 		return fmt.Errorf("failed to verify: %w", err)
 	}
@@ -113,14 +131,22 @@ func (a LibApi) verifyAR(
 
 func (a LibApi) fetchSignature(cc *CmcConfig, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
 
-	if cc == nil || cc.Cmc == nil {
+	if cc == nil {
 		return nil, errors.New("internal error: cmc is nil")
 	}
 
-	if len(cc.Cmc.Drivers) == 0 {
+	if a.cmc == nil {
+		cmc, err := cmc.NewCmc(cc.LibApiConfig)
+		if err != nil {
+			return nil, fmt.Errorf("failed to initialize CMC: %v", err)
+		}
+		a.cmc = cmc
+	}
+
+	if len(a.cmc.Drivers) == 0 {
 		return nil, errors.New("no drivers configured")
 	}
-	d := cc.Cmc.Drivers[0]
+	d := a.cmc.Drivers[0]
 
 	// Get key handle from (hardware) interface
 	tlsKeyPriv, _, err := d.GetKeyHandles(ar.IK)
@@ -140,14 +166,22 @@ func (a LibApi) fetchSignature(cc *CmcConfig, digest []byte, opts crypto.SignerO
 
 func (a LibApi) fetchCerts(cc *CmcConfig) ([][]byte, error) {
 
-	if cc == nil || cc.Cmc == nil {
+	if cc == nil {
 		return nil, errors.New("internal error: cmc is nil")
 	}
 
-	if len(cc.Cmc.Drivers) == 0 {
+	if a.cmc == nil {
+		cmc, err := cmc.NewCmc(cc.LibApiConfig)
+		if err != nil {
+			return nil, fmt.Errorf("failed to initialize CMC: %v", err)
+		}
+		a.cmc = cmc
+	}
+
+	if len(a.cmc.Drivers) == 0 {
 		return nil, errors.New("no drivers configured")
 	}
-	d := cc.Cmc.Drivers[0]
+	d := a.cmc.Drivers[0]
 
 	certChain, err := d.GetCertChain(ar.IK)
 	if err != nil {
@@ -162,13 +196,21 @@ func (a LibApi) fetchCerts(cc *CmcConfig) ([][]byte, error) {
 // Fetches the peer cache from the cmcd
 func (a LibApi) fetchPeerCache(cc *CmcConfig, fingerprint string) ([]string, error) {
 
-	if cc == nil || cc.Cmc == nil {
+	if cc == nil {
 		return nil, errors.New("internal error: cmc is nil")
 	}
 
+	if a.cmc == nil {
+		cmc, err := cmc.NewCmc(cc.LibApiConfig)
+		if err != nil {
+			return nil, fmt.Errorf("failed to initialize CMC: %v", err)
+		}
+		a.cmc = cmc
+	}
+
 	log.Debugf("Fetching peer cache for peer: %v", fingerprint)
 
-	c, ok := cc.Cmc.CachedPeerMetadata[fingerprint]
+	c, ok := a.cmc.CachedPeerMetadata[fingerprint]
 	if !ok {
 		log.Tracef("No data cached for peer %v", fingerprint)
 		return nil, nil

cmcctl/http.go

@@ -68,7 +68,7 @@ func request(c *config) error {
 			atls.WithCmcAddr(c.CmcAddr),
 			atls.WithCmcApi(c.Api),
 			atls.WithApiSerializer(c.apiSerializer),
-			atls.WithLibApiCmc(getLibApiCmcObj(c)))
+			atls.WithLibApiCmcConfig(&c.Config))
 		if err != nil {
 			return fmt.Errorf("failed to get TLS Certificate: %v", err)
 		}
@@ -93,13 +93,13 @@ func request(c *config) error {
 		IdleConnTimeout: 60 * time.Second,
 		TLSClientConfig: tlsConfig,
 
-		Attest:        c.attest,
-		MutualTls:     c.Mtls,
-		CmcAddr:       c.CmcAddr,
-		CmcApi:        c.Api,
-		ApiSerializer: c.apiSerializer,
-		Cmc:           getLibApiCmcObj(c),
-		CmcPolicies:   c.policies,
+		Attest:          c.attest,
+		MutualTls:       c.Mtls,
+		CmcAddr:         c.CmcAddr,
+		CmcApi:          c.Api,
+		ApiSerializer:   c.apiSerializer,
+		LibApiCmcConfig: &c.Config,
+		CmcPolicies:     c.policies,
 		ResultCb: func(result *ar.VerificationResult) {
 			// Publish the attestation result asynchronously if publishing address was specified and
 			// and attestation was performed
@@ -174,7 +174,7 @@ func serve(c *config) error {
 		atls.WithCmcAddr(c.CmcAddr),
 		atls.WithCmcApi(c.Api),
 		atls.WithApiSerializer(c.apiSerializer),
-		atls.WithLibApiCmc(getLibApiCmcObj(c)))
+		atls.WithLibApiCmcConfig(&c.Config))
 	if err != nil {
 		return fmt.Errorf("failed to get TLS Certificate: %v", err)
 	}
@@ -206,13 +206,13 @@ func serve(c *config) error {
 			Addr:      c.Addr,
 			TLSConfig: tlsConfig,
 		},
-		Attest:        c.attest,
-		MutualTls:     c.Mtls,
-		CmcAddr:       c.CmcAddr,
-		CmcApi:        c.Api,
-		ApiSerializer: c.apiSerializer,
-		Cmc:           getLibApiCmcObj(c),
-		CmcPolicies:   c.policies,
+		Attest:          c.attest,
+		MutualTls:       c.Mtls,
+		CmcAddr:         c.CmcAddr,
+		CmcApi:          c.Api,
+		ApiSerializer:   c.apiSerializer,
+		LibApiCmcConfig: &c.Config,
+		CmcPolicies:     c.policies,
 		ResultCb: func(result *ar.VerificationResult) {
 			if c.attest == atls.Attest_Mutual || c.attest == atls.Attest_Client {
 				// Publish the attestation result if publishing address was specified

cmcctl/libapi.go

@@ -23,7 +23,6 @@ import (
 
 	"crypto/rand"
 	"fmt"
-	"strings"
 
 	"github.com/Fraunhofer-AISEC/cmc/api"
 	"github.com/Fraunhofer-AISEC/cmc/cmc"
@@ -155,24 +154,3 @@ func (a LibApi) updateMetadata(c *config) error {
 
 	return nil
 }
-
-func getLibApiCmcObj(c *config) *cmc.Cmc {
-	if !strings.EqualFold(c.Api, "libapi") {
-		return nil
-	}
-
-	api, ok := apis["libapi"].(LibApi)
-	if !ok {
-		log.Fatalf("internal error: failed to retrieve libapi")
-	}
-
-	if api.cmc == nil {
-		cmc, err := cmc.NewCmc(&c.Config)
-		if err != nil {
-			log.Fatalf("failed to initialize CMC: %v", err)
-		}
-		api.cmc = cmc
-	}
-
-	return api.cmc
-}

cmcctl/tls.go

@@ -49,7 +49,7 @@ func dial(c *config) error {
 			atls.WithCmcAddr(c.CmcAddr),
 			atls.WithCmcApi(c.Api),
 			atls.WithApiSerializer(c.apiSerializer),
-			atls.WithLibApiCmc(getLibApiCmcObj(c)))
+			atls.WithLibApiCmcConfig(&c.Config))
 		if err != nil {
 			return fmt.Errorf("failed to get TLS Certificate: %w", err)
 		}
@@ -85,7 +85,7 @@ func dial(c *config) error {
 				go pub.PublishResultAsync(c.Publish, c.publishToken, c.ResultFile, result, wg)
 			}
 		}),
-		atls.WithLibApiCmc(getLibApiCmcObj(c)))
+		atls.WithLibApiCmcConfig(&c.Config))
 	if err != nil {
 		return fmt.Errorf("failed to dial server: %v", err)
 	}
@@ -128,7 +128,7 @@ func listen(c *config) error {
 		atls.WithCmcAddr(c.CmcAddr),
 		atls.WithCmcApi(c.Api),
 		atls.WithApiSerializer(c.apiSerializer),
-		atls.WithLibApiCmc(getLibApiCmcObj(c)))
+		atls.WithLibApiCmcConfig(&c.Config))
 	if err != nil {
 		return fmt.Errorf("failed to get TLS Certificate: %w", err)
 	}
@@ -167,7 +167,7 @@ func listen(c *config) error {
 				go pub.PublishResult(c.Publish, c.publishToken, c.ResultFile, result)
 			}
 		}),
-		atls.WithLibApiCmc(getLibApiCmcObj(c)))
+		atls.WithLibApiCmcConfig(&c.Config))
 	if err != nil {
 		return fmt.Errorf("failed to listen for connections: %w", err)
 	}