Split trait into generator and verifier

Author: ameba23

src/attestation.rs

@@ -10,8 +10,7 @@ use x509_parser::prelude::*;
 
 const PCS_URL: &str = "https://api.trustedservices.intel.com";
 
-/// Represents a CVM technology with quote generation and verification
-pub trait AttestationPlatform: Clone + Send + 'static {
+pub trait QuoteGenerator: Clone + Send + 'static {
     /// Whether this is CVM attestation. This should always return true except for the [NoAttestation] case.
     ///
     /// When false, allows TLS client to be configured without client authentication
@@ -23,6 +22,13 @@ pub trait AttestationPlatform: Clone + Send + 'static {
         cert_chain: &[CertificateDer<'_>],
         exporter: [u8; 32],
     ) -> Result<Vec<u8>, AttestationError>;
+}
+
+pub trait QuoteVerifier: Clone + Send + 'static {
+    /// Whether this is CVM attestation. This should always return true except for the [NoAttestation] case.
+    ///
+    /// When false, allows TLS client to be configured without client authentication
+    fn is_cvm(&self) -> bool;
 
     /// Verify the given attestation payload
     fn verify_attestation(
@@ -33,10 +39,33 @@ pub trait AttestationPlatform: Clone + Send + 'static {
     ) -> impl Future<Output = Result<(), AttestationError>> + Send;
 }
 
+// /// Represents a CVM technology with quote generation and verification
+// pub trait AttestationPlatform: Clone + Send + 'static {
+//     /// Whether this is CVM attestation. This should always return true except for the [NoAttestation] case.
+//     ///
+//     /// When false, allows TLS client to be configured without client authentication
+//     fn is_cvm(&self) -> bool;
+//
+//     /// Generate an attestation
+//     fn create_attestation(
+//         &self,
+//         cert_chain: &[CertificateDer<'_>],
+//         exporter: [u8; 32],
+//     ) -> Result<Vec<u8>, AttestationError>;
+//
+//     /// Verify the given attestation payload
+//     fn verify_attestation(
+//         &self,
+//         input: Vec<u8>,
+//         cert_chain: &[CertificateDer<'_>],
+//         exporter: [u8; 32],
+//     ) -> impl Future<Output = Result<(), AttestationError>> + Send;
+// }
+
 #[derive(Clone)]
-pub struct DcapTdxAttestation;
+pub struct DcapTdxQuoteGenerator;
 
-impl AttestationPlatform for DcapTdxAttestation {
+impl QuoteGenerator for DcapTdxQuoteGenerator {
     fn is_cvm(&self) -> bool {
         true
     }
@@ -50,6 +79,15 @@ impl AttestationPlatform for DcapTdxAttestation {
 
         Ok(generate_quote(quote_input)?)
     }
+}
+
+#[derive(Clone)]
+pub struct DcapTdxQuoteVerifier;
+
+impl QuoteVerifier for DcapTdxQuoteVerifier {
+    fn is_cvm(&self) -> bool {
+        true
+    }
 
     fn verify_attestation(
         &self,
@@ -59,25 +97,29 @@ impl AttestationPlatform for DcapTdxAttestation {
     ) -> impl Future<Output = Result<(), AttestationError>> + Send {
         async move {
             let quote_input = compute_report_input(cert_chain, exporter)?;
-
-            let now = std::time::SystemTime::now()
-                .duration_since(std::time::UNIX_EPOCH)
-                .unwrap()
-                .as_secs();
-            let quote = Quote::parse(&input).unwrap();
-            let ca = quote.ca().unwrap();
-            let fmspc = hex::encode_upper(quote.fmspc().unwrap());
-            let collateral = get_collateral_for_fmspc(PCS_URL, fmspc, ca, false)
-                .await
-                .unwrap();
-
             // In tests we use mock quotes which will fail to verify
             if cfg!(not(test)) {
+                let now = std::time::SystemTime::now()
+                    .duration_since(std::time::UNIX_EPOCH)
+                    .unwrap()
+                    .as_secs();
+                let quote = Quote::parse(&input).unwrap();
+                let ca = quote.ca().unwrap();
+                let fmspc = hex::encode_upper(quote.fmspc().unwrap());
+                let collateral = get_collateral_for_fmspc(PCS_URL, fmspc, ca, false)
+                    .await
+                    .unwrap();
                 let _verified_report = dcap_qvl::verify::verify(&input, &collateral, now).unwrap();
-            }
-            let quote = Quote::parse(&input).unwrap();
-            if get_quote_input_data(quote.report) != quote_input {
-                return Err(AttestationError::InputMismatch);
+
+                let quote = Quote::parse(&input).unwrap();
+                if get_quote_input_data(quote.report) != quote_input {
+                    return Err(AttestationError::InputMismatch);
+                }
+            } else {
+                let quote = tdx_quote::Quote::from_bytes(&input).unwrap();
+                if quote.report_input_data() != quote_input {
+                    return Err(AttestationError::InputMismatch);
+                }
             }
 
             Ok(())
@@ -109,9 +151,9 @@ pub fn compute_report_input(
 
 /// For no CVM platform (eg: for one-sided remote-attested TLS)
 #[derive(Clone)]
-pub struct NoAttestation;
+pub struct NoQuoteGenerator;
 
-impl AttestationPlatform for NoAttestation {
+impl QuoteGenerator for NoQuoteGenerator {
     fn is_cvm(&self) -> bool {
         false
     }
@@ -124,7 +166,16 @@ impl AttestationPlatform for NoAttestation {
     ) -> Result<Vec<u8>, AttestationError> {
         Ok(Vec::new())
     }
+}
 
+/// For no CVM platform (eg: for one-sided remote-attested TLS)
+#[derive(Clone)]
+pub struct NoQuoteVerifier;
+
+impl QuoteVerifier for NoQuoteVerifier {
+    fn is_cvm(&self) -> bool {
+        false
+    }
     /// Ensure that an empty attestation is given
     async fn verify_attestation(
         &self,

src/lib.rs

@@ -1,7 +1,10 @@
 mod attestation;
 
 use attestation::AttestationError;
-pub use attestation::{AttestationPlatform, DcapTdxAttestation, NoAttestation};
+pub use attestation::{
+    DcapTdxQuoteGenerator, DcapTdxQuoteVerifier, NoQuoteGenerator, NoQuoteVerifier, QuoteGenerator,
+    QuoteVerifier,
+};
 use thiserror::Error;
 use tokio_rustls::rustls::server::{VerifierBuilderError, WebPkiClientVerifier};
 
@@ -29,8 +32,8 @@ pub struct TlsCertAndKey {
 
 struct Proxy<L, R>
 where
-    L: AttestationPlatform,
-    R: AttestationPlatform,
+    L: QuoteGenerator,
+    R: QuoteVerifier,
 {
     /// The underlying TCP listener
     listener: TcpListener,
@@ -43,8 +46,8 @@ where
 /// A TLS over TCP server which provides an attestation before forwarding traffic to a given target address
 pub struct ProxyServer<L, R>
 where
-    L: AttestationPlatform,
-    R: AttestationPlatform,
+    L: QuoteGenerator,
+    R: QuoteVerifier,
 {
     inner: Proxy<L, R>,
     /// The certificate chain
@@ -55,7 +58,7 @@ where
     target: SocketAddr,
 }
 
-impl<L: AttestationPlatform, R: AttestationPlatform> ProxyServer<L, R> {
+impl<L: QuoteGenerator, R: QuoteVerifier> ProxyServer<L, R> {
     pub async fn new(
         cert_and_key: TlsCertAndKey,
         local: impl ToSocketAddrs,
@@ -215,8 +218,8 @@ impl<L: AttestationPlatform, R: AttestationPlatform> ProxyServer<L, R> {
 
 pub struct ProxyClient<L, R>
 where
-    L: AttestationPlatform,
-    R: AttestationPlatform,
+    L: QuoteGenerator,
+    R: QuoteVerifier,
 {
     inner: Proxy<L, R>,
     connector: TlsConnector,
@@ -226,7 +229,7 @@ where
     cert_chain: Option<Vec<CertificateDer<'static>>>,
 }
 
-impl<L: AttestationPlatform, R: AttestationPlatform> ProxyClient<L, R> {
+impl<L: QuoteGenerator, R: QuoteVerifier> ProxyClient<L, R> {
     pub async fn new(
         cert_and_key: Option<TlsCertAndKey>,
         address: impl ToSocketAddrs,
@@ -390,7 +393,7 @@ impl<L: AttestationPlatform, R: AttestationPlatform> ProxyClient<L, R> {
 }
 
 /// Just get the attested remote certificate, with no client authentication
-pub async fn get_tls_cert<R: AttestationPlatform>(
+pub async fn get_tls_cert<R: QuoteVerifier>(
     server_name: String,
     remote_attestation_platform: R,
 ) -> Result<Vec<CertificateDer<'static>>, ProxyError> {
@@ -406,7 +409,7 @@ pub async fn get_tls_cert<R: AttestationPlatform>(
     .await
 }
 
-async fn get_tls_cert_with_config<R: AttestationPlatform>(
+async fn get_tls_cert_with_config<R: QuoteVerifier>(
     server_name: String,
     remote_attestation_platform: R,
     client_config: Arc<ClientConfig>,
@@ -516,8 +519,8 @@ mod tests {
             server_config,
             "127.0.0.1:0",
             target_addr,
-            DcapTdxAttestation,
-            NoAttestation,
+            DcapTdxQuoteGenerator,
+            NoQuoteVerifier,
         )
         .await
         .unwrap();
@@ -532,8 +535,8 @@ mod tests {
             client_config,
             "127.0.0.1:0".to_string(),
             proxy_addr.to_string(),
-            NoAttestation,
-            DcapTdxAttestation,
+            NoQuoteGenerator,
+            DcapTdxQuoteVerifier,
             None,
         )
         .await
@@ -579,8 +582,8 @@ mod tests {
             server_tls_server_config,
             "127.0.0.1:0",
             target_addr,
-            DcapTdxAttestation,
-            DcapTdxAttestation,
+            DcapTdxQuoteGenerator,
+            DcapTdxQuoteVerifier,
         )
         .await
         .unwrap();
@@ -595,8 +598,8 @@ mod tests {
             client_tls_client_config,
             "127.0.0.1:0",
             proxy_addr.to_string(),
-            DcapTdxAttestation,
-            DcapTdxAttestation,
+            DcapTdxQuoteGenerator,
+            DcapTdxQuoteVerifier,
             Some(client_cert_chain),
         )
         .await
@@ -625,15 +628,13 @@ mod tests {
         let (cert_chain, private_key) = generate_certificate_chain("127.0.0.1".parse().unwrap());
         let (server_config, client_config) = generate_tls_config(cert_chain.clone(), private_key);
 
-        let local_attestation_platform = DcapTdxAttestation;
-
         let proxy_server = ProxyServer::new_with_tls_config(
             cert_chain,
             server_config,
             "127.0.0.1:0",
             target_addr,
-            local_attestation_platform,
-            NoAttestation,
+            DcapTdxQuoteGenerator,
+            NoQuoteVerifier,
         )
         .await
         .unwrap();
@@ -648,8 +649,8 @@ mod tests {
             client_config,
             "127.0.0.1:0",
             proxy_server_addr.to_string(),
-            NoAttestation,
-            DcapTdxAttestation,
+            NoQuoteGenerator,
+            DcapTdxQuoteVerifier,
             None,
         )
         .await
@@ -676,15 +677,13 @@ mod tests {
         let (cert_chain, private_key) = generate_certificate_chain("127.0.0.1".parse().unwrap());
         let (server_config, client_config) = generate_tls_config(cert_chain.clone(), private_key);
 
-        let local_attestation_platform = DcapTdxAttestation;
-
         let proxy_server = ProxyServer::new_with_tls_config(
             cert_chain.clone(),
             server_config,
             "127.0.0.1:0",
             target_addr,
-            local_attestation_platform,
-            NoAttestation,
+            DcapTdxQuoteGenerator,
+            NoQuoteVerifier,
         )
         .await
         .unwrap();
@@ -697,7 +696,7 @@ mod tests {
 
         let retrieved_chain = get_tls_cert_with_config(
             proxy_server_addr.to_string(),
-            DcapTdxAttestation,
+            DcapTdxQuoteVerifier,
             client_config,
         )
         .await

src/main.rs

@@ -4,7 +4,8 @@ use std::{fs::File, net::SocketAddr, path::PathBuf};
 use tokio_rustls::rustls::pki_types::{CertificateDer, PrivateKeyDer};
 
 use attested_tls_proxy::{
-    get_tls_cert, DcapTdxAttestation, NoAttestation, ProxyClient, ProxyServer, TlsCertAndKey,
+    get_tls_cert, DcapTdxQuoteGenerator, DcapTdxQuoteVerifier, NoQuoteGenerator, NoQuoteVerifier,
+    ProxyClient, ProxyServer, TlsCertAndKey,
 };
 
 #[derive(Parser, Debug, Clone)]
@@ -83,8 +84,8 @@ async fn main() -> anyhow::Result<()> {
                 tls_cert_and_chain,
                 address,
                 server,
-                NoAttestation,
-                DcapTdxAttestation,
+                NoQuoteGenerator,
+                DcapTdxQuoteVerifier,
             )
             .await?;
 
@@ -102,8 +103,8 @@ async fn main() -> anyhow::Result<()> {
             client_auth,
         } => {
             let tls_cert_and_chain = load_tls_cert_and_key(cert_chain, private_key)?;
-            let local_attestation = DcapTdxAttestation;
-            let remote_attestation = NoAttestation;
+            let local_attestation = DcapTdxQuoteGenerator;
+            let remote_attestation = NoQuoteVerifier;
 
             let server = ProxyServer::new(
                 tls_cert_and_chain,
@@ -122,7 +123,7 @@ async fn main() -> anyhow::Result<()> {
             }
         }
         CliCommand::GetTlsCert { server } => {
-            let cert_chain = get_tls_cert(server, DcapTdxAttestation).await?;
+            let cert_chain = get_tls_cert(server, DcapTdxQuoteVerifier).await?;
             println!("{}", certs_to_pem_string(&cert_chain)?);
         }
     }