UID2-2799 Verify attestation url for Azure (#183)

* Add verification for attestion url

* Add unit tests for verifying attestation url

* Rename `attestationUrl` to `allowedAttestationUrl`

* Encode and decode attestationUrl

* Rename `allowedAttestationUrl` to `attestationUrl`

* Pass in attestation token to the policy validator constructor

* Remove slf4j

* Add policy validator test

* Rename final variable in gcp policy test to `ATTESTATION_URL`

* Address comments

* Handle new core with previous operator change

* [CI Pipeline] Released Snapshot version: 7.1.13-SNAPSHOT

---------

Co-authored-by: Release Workflow <[email protected]>

Author: cYKatherine

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-shared</artifactId>
-    <version>7.1.0-8e67b3a537</version>
+    <version>7.1.13-SNAPSHOT</version>
     <name>${project.groupId}:${project.artifactId}</name>
     <description>Library for all the shared uid2 operations</description>
     <url>https://github.com/IABTechLab/uid2docs</url>

src/main/java/com/uid2/shared/secure/AzureCCCoreAttestationService.java

@@ -25,8 +25,8 @@ public class AzureCCCoreAttestationService implements ICoreAttestationService {
 
     private final IPolicyValidator policyValidator;
 
-    public AzureCCCoreAttestationService(String maaServerBaseUrl) {
-        this(new MaaTokenSignatureValidator(maaServerBaseUrl), new PolicyValidator());
+    public AzureCCCoreAttestationService(String maaServerBaseUrl, String attestationUrl) {
+        this(new MaaTokenSignatureValidator(maaServerBaseUrl), new PolicyValidator(attestationUrl));
     }
 
     // used in UT
@@ -58,8 +58,7 @@ public void attest(byte[] attestationRequest, byte[] publicKey, Handler<AsyncRes
         }
         catch (AttestationClientException ace){
             handler.handle(Future.succeededFuture(new AttestationResult(ace)));
-        }
-        catch (AttestationException ae) {
+        } catch (AttestationException ae) {
             handler.handle(Future.failedFuture(ae));
         } catch (Exception ex) {
             handler.handle(Future.failedFuture(new AttestationException(ex)));

src/main/java/com/uid2/shared/secure/azurecc/MaaTokenSignatureValidator.java

@@ -86,6 +86,7 @@ public MaaTokenPayload validate(String tokenString) throws AttestationException
 
         if(runtime != null){
             var runtimeDataBuilder = RuntimeData.builder();
+            runtimeDataBuilder.attestationUrl(tryGetField(runtime, "attestationUrl", String.class));
             runtimeDataBuilder.location(tryGetField(runtime, "location", String.class));
             runtimeDataBuilder.publicKey(tryGetField(runtime, "publicKey", String.class));
             tokenPayloadBuilder.runtimeData(runtimeDataBuilder.build());

src/main/java/com/uid2/shared/secure/azurecc/PolicyValidator.java

@@ -4,15 +4,22 @@
 import com.uid2.shared.secure.AttestationClientException;
 import com.uid2.shared.secure.AttestationException;
 import com.uid2.shared.secure.AttestationFailure;
+import com.uid2.shared.util.UrlEquivalenceValidator;
 
 public class PolicyValidator implements IPolicyValidator{
     private static final String LOCATION_CHINA = "china";
     private static final String LOCATION_EU = "europe";
+    private String attestationUrl;
+
+    public PolicyValidator(String attestationUrl) {
+        this.attestationUrl = attestationUrl;
+    }
     @Override
     public String validate(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationException {
         verifyVM(maaTokenPayload);
         verifyLocation(maaTokenPayload);
         verifyPublicKey(maaTokenPayload, publicKey);
+        verifyAttestationUrl(maaTokenPayload);
         return maaTokenPayload.getCcePolicyDigest();
     }
 
@@ -23,14 +30,23 @@ private void verifyPublicKey(MaaTokenPayload maaTokenPayload, String publicKey)
         var runtimePublicKey = maaTokenPayload.getRuntimeData().getPublicKey();
         if(!publicKey.equals(runtimePublicKey)){
             throw new AttestationClientException(
-                    String.format("Public key in payload is not match expected value. More info: runtime(%s), expected(%s)",
+                    String.format("Public key in payload does not match expected value. More info: runtime(%s), expected(%s)",
                             runtimePublicKey,
                             publicKey
                     ),
                     AttestationFailure.BAD_FORMAT);
         }
     }
 
+    private void verifyAttestationUrl(MaaTokenPayload maaTokenPayload) throws AttestationException {
+        String decodedRuntimeAttestationUrl = maaTokenPayload.getRuntimeData().getDecodedAttestationUrl();
+        if (decodedRuntimeAttestationUrl == null) {
+            return;
+        } else if (!UrlEquivalenceValidator.areUrlsEquivalent(decodedRuntimeAttestationUrl, this.attestationUrl)) {
+            throw new AttestationClientException("The given attestation URL is unknown. Given URL: " + decodedRuntimeAttestationUrl, AttestationFailure.UNKNOWN_ATTESTATION_URL);
+        }
+    }
+
     private void verifyVM(MaaTokenPayload maaTokenPayload) throws AttestationException {
         if(!maaTokenPayload.isSevSnpVM()){
             throw new AttestationClientException("Not in SevSnp VM", AttestationFailure.BAD_FORMAT);

src/main/java/com/uid2/shared/secure/azurecc/RuntimeData.java

@@ -1,11 +1,22 @@
 package com.uid2.shared.secure.azurecc;
 
+import com.amazonaws.util.Base64;
 import lombok.Builder;
 import lombok.Value;
 
+import java.nio.charset.StandardCharsets;
+
 @Value
 @Builder(toBuilder = true)
 public class RuntimeData {
+    private String attestationUrl;
     private String location;
     private String publicKey;
+
+    public String getDecodedAttestationUrl() {
+        if (attestationUrl != null) {
+            return new String(Base64.decode(attestationUrl), StandardCharsets.UTF_8);
+        }
+        return null;
+    }
 }

src/test/java/com/uid2/shared/secure/AzureCCCoreAttestationServiceTest.java

@@ -3,6 +3,7 @@
 import com.uid2.shared.secure.azurecc.IMaaTokenSignatureValidator;
 import com.uid2.shared.secure.azurecc.IPolicyValidator;
 import com.uid2.shared.secure.azurecc.MaaTokenPayload;
+import com.uid2.shared.secure.azurecc.RuntimeData;
 import io.vertx.core.AsyncResult;
 import io.vertx.core.Handler;
 import org.junit.jupiter.api.BeforeEach;
@@ -13,7 +14,10 @@
 import org.mockito.junit.jupiter.MockitoSettings;
 import org.mockito.quality.Strictness;
 
+import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.Base64;
 
 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.ArgumentMatchers.any;
@@ -22,13 +26,21 @@
 @ExtendWith(MockitoExtension.class)
 @MockitoSettings(strictness = Strictness.LENIENT)
 class AzureCCCoreAttestationServiceTest {
+    private static byte[] encodeStringUnicodeAttestationEndpoint(String data) {
+        // buffer.array() may include extra empty bytes at the end. This returns only the bytes that have data
+        ByteBuffer buffer = StandardCharsets.UTF_8.encode(data);
+        return Arrays.copyOf(buffer.array(), buffer.limit());
+    }
     private static final String ATTESTATION_REQUEST = "test-attestation-request";
 
     private static final String PUBLIC_KEY = "test-public-key";
 
     private static final String ENCLAVE_ID = "test-enclave";
+    private static final String ATTESTATION_URL = "https://example.com";
+    private static final String ENCODED_ATTESTATION_URL = Base64.getEncoder().encodeToString(encodeStringUnicodeAttestationEndpoint(ATTESTATION_URL));
+    private static final RuntimeData RUNTIME_DATA = RuntimeData.builder().attestationUrl(ENCODED_ATTESTATION_URL).build();
 
-    private static final MaaTokenPayload VALID_TOKEN_PAYLOAD = MaaTokenPayload.builder().build();
+    private static final MaaTokenPayload VALID_TOKEN_PAYLOAD = MaaTokenPayload.builder().runtimeData(RUNTIME_DATA).build();
     @Mock
     private IMaaTokenSignatureValidator alwaysPassTokenValidator;
 
@@ -82,7 +94,7 @@ public void testSignatureCheckFailed_ServerError() throws AttestationException {
     }
 
     @Test
-    public void testPolicyCheckFailed_ClientError() throws AttestationException {
+    public void testPolicyCheckSuccess_ClientError() throws AttestationException {
         var errorStr = "policy validation failed";
         when(alwaysFailPolicyValidator.validate(any(), any())).thenThrow(new AttestationClientException(errorStr, AttestationFailure.BAD_PAYLOAD));
         var provider = new AzureCCCoreAttestationService(alwaysFailTokenValidator, alwaysFailPolicyValidator);

src/test/java/com/uid2/shared/secure/azurecc/PolicyValidatorTest.java

@@ -1,26 +1,40 @@
 package com.uid2.shared.secure.azurecc;
 
+import com.uid2.shared.secure.AttestationClientException;
 import com.uid2.shared.secure.AttestationException;
+import com.uid2.shared.secure.AttestationFailure;
 import org.junit.jupiter.api.Test;
 
+import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.Base64;
+
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 class PolicyValidatorTest {
+    private static byte[] encodeStringUnicodeAttestationEndpoint(String data) {
+        // buffer.array() may include extra empty bytes at the end. This returns only the bytes that have data
+        ByteBuffer buffer = StandardCharsets.UTF_8.encode(data);
+        return Arrays.copyOf(buffer.array(), buffer.limit());
+    }
     private static final String PUBLIC_KEY = "public_key";
     private static final String CCE_POLICY_DIGEST = "digest";
+    private static final String ATTESTATION_URL = "https://example.com";
+    private static final String ENCODED_ATTESTATION_URL = Base64.getEncoder().encodeToString(encodeStringUnicodeAttestationEndpoint(ATTESTATION_URL));
 
     @Test
     public void testValidationSuccess() throws AttestationException {
-        var validator = new PolicyValidator();
+        var validator = new PolicyValidator(ATTESTATION_URL);
         var payload = generateBasicPayload();
         var enclaveId = validator.validate(payload, PUBLIC_KEY);
         assertEquals(CCE_POLICY_DIGEST, enclaveId);
     }
 
     @Test
     public void testValidationFailure_VMInfo() throws AttestationException {
-        var validator = new PolicyValidator();
+        var validator = new PolicyValidator(ATTESTATION_URL);
         var newPayload = generateBasicPayload()
                 .toBuilder()
                 .attestationType("dummy")
@@ -30,7 +44,7 @@ public void testValidationFailure_VMInfo() throws AttestationException {
 
     @Test
     public void testValidationFailure_UVMInfo() throws AttestationException {
-        var validator = new PolicyValidator();
+        var validator = new PolicyValidator(ATTESTATION_URL);
         var newPayload = generateBasicPayload()
                 .toBuilder()
                 .complianceStatus("dummy")
@@ -40,7 +54,7 @@ public void testValidationFailure_UVMInfo() throws AttestationException {
 
     @Test
     public void testValidationFailure_VMDebug() throws AttestationException {
-        var validator = new PolicyValidator();
+        var validator = new PolicyValidator(ATTESTATION_URL);
         var newPayload = generateBasicPayload()
                 .toBuilder()
                 .vmDebuggable(true)
@@ -54,7 +68,7 @@ public void testValidationFailure_PublicKeyNotMatch() throws AttestationExceptio
                 .toBuilder()
                 .publicKey("dummy")
                 .build();
-        var validator = new PolicyValidator();
+        var validator = new PolicyValidator(ATTESTATION_URL);
         var newPayload = generateBasicPayload()
                 .toBuilder()
                 .runtimeData(newRunTimeData)
@@ -68,7 +82,7 @@ public void testValidationFailure_LocationNotSupported() throws AttestationExcep
                 .toBuilder()
                 .location("West Europe")
                 .build();
-        var validator = new PolicyValidator();
+        var validator = new PolicyValidator(ATTESTATION_URL);
         var newPayload = generateBasicPayload()
                 .toBuilder()
                 .runtimeData(newRunTimeData)
@@ -89,7 +103,26 @@ private MaaTokenPayload generateBasicPayload() {
     private RuntimeData generateBasicRuntimeData(){
         return RuntimeData.builder()
                 .publicKey(PUBLIC_KEY)
+                .attestationUrl(ENCODED_ATTESTATION_URL)
                 .location("East US")
                 .build();
     }
+
+    @Test
+    public void testValidationSuccess_SameAttestationUrl() throws AttestationException {
+        var validator = new PolicyValidator(ATTESTATION_URL);
+        var payload = generateBasicPayload();
+        var enclaveId = validator.validate(payload, PUBLIC_KEY);
+        assertEquals(CCE_POLICY_DIGEST, enclaveId);
+    }
+
+    @Test
+    public void testValidationFailure_DifferentAttestationUrl() {
+        var validator = new PolicyValidator("https://someother.uidapi.com");
+        var payload = generateBasicPayload();
+        Throwable t = assertThrows(AttestationException.class, ()-> validator.validate(payload, PUBLIC_KEY));
+        assertEquals("The given attestation URL is unknown. Given URL: " + ATTESTATION_URL, t.getMessage());
+        assertEquals(AttestationFailure.UNKNOWN_ATTESTATION_URL, ((AttestationClientException)t).getAttestationFailure());
+
+    }
 }