WIP - read remote measurements from JSON file

Author: ameba23

Cargo.lock

@@ -26,6 +26,7 @@ http-body-util = "0.1.3"
 bytes = "1.10.1"
 http = "1.3.1"
 serde_json = "1.0.145"
+serde = "1.0.228"
 
 [dev-dependencies]
 rcgen = "0.14.5"

Cargo.toml

@@ -1,7 +1,5 @@
 use std::{
-    collections::HashMap,
-    fmt::{self, Display, Formatter},
-    time::SystemTimeError,
+    collections::HashMap, fmt::{self, Display, Formatter}, path::PathBuf, sync::Arc, time::SystemTimeError
 };
 
 use configfs_tsm::QuoteGenerationError;
@@ -15,6 +13,9 @@ use tdx_quote::QuoteParseError;
 use thiserror::Error;
 use tokio_rustls::rustls::pki_types::CertificateDer;
 use x509_parser::prelude::*;
+use serde::Deserialize;
+
+use crate::test_helpers::default_measurements;
 
 /// For fetching collateral directly from intel, if no PCCS is specified
 const PCS_URL: &str = "https://api.trustedservices.intel.com";
@@ -79,6 +80,39 @@ pub enum MeasurementFormatError {
     BadHeaderValue(#[from] InvalidHeaderValue),
 }
 
+#[derive(Debug)]
+pub struct MeasurementRecord {
+    measurement_id: String,
+    attestation_type: AttestationType,
+    measurements: Measurements,
+}
+
+#[derive(Debug, Deserialize)]
+struct MeasurementRecordSimple {
+    measurement_id: String,
+    attestation_type: String,
+    measurements: HashMap<String, MeasurementEntry>,
+}
+
+#[derive(Debug, Deserialize)]
+struct MeasurementEntry {
+    expected: String,
+}
+
+pub async fn get_measurements_from_file(measurement_file: PathBuf) -> Vec<MeasurementRecord> {
+    let measurements_json = tokio::fs::read(measurement_file).await.unwrap();
+    let measurements_simple: Vec<MeasurementRecordSimple> = serde_json::from_slice(&measurements_json).unwrap();
+    let measurements = Vec::new();
+    for measurement in measurements_simple {
+        measurements.push(MeasurementRecord {
+            measurement_id: measurement.measurement_id,
+            attestation_type: AttestationType::from_str(&measurement.attestation_type).unwrap(),
+            measurements: Measurements { platform: PlatformMeasurements { mrtd: (), rtmr0: () }, cvm_image: CvmImageMeasurements { rtmr1: (), rtmr2: (), rtmr3: () } }
+        });
+    }
+    measurements
+}
+
 /// Type of attestaion used
 /// Only supported (or soon-to-be supported) types are given
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
@@ -106,6 +140,26 @@ impl AttestationType {
             AttestationType::GcpTdx => "gcp-tdx",
         }
     }
+
+    pub fn from_str(input: &str) -> Result<Self, AttestationError> {
+       match input {
+           "none" => Ok(Self::None),
+           "dummy" => Ok(Self::Dummy),
+           "azure-tdx" => Ok(Self::AzureTdx),
+           "qemu-tdx" => Ok(Self::QemuTdx),
+           "gcp-tdx" => Ok(Self::GcpTdx),
+           _ => Err(AttestationError::AttestationTypeNotSupported)
+       }
+    }
+
+    pub fn get_quote_generator(&self) -> Result<Arc<dyn QuoteGenerator>, AttestationError> {
+        match self {
+            AttestationType::None => Ok(Arc::new(NoQuoteGenerator)),
+            AttestationType::AzureTdx => Err(AttestationError::AttestationTypeNotSupported),
+            AttestationType::Dummy => Err(AttestationError::AttestationTypeNotSupported),
+            _ => Ok(Arc::new(DcapTdxQuoteGenerator { attestation_type: *self })),
+        }
+    }
 }
 
 impl Display for AttestationType {
@@ -115,7 +169,7 @@ impl Display for AttestationType {
 }
 
 /// Defines how to generate a quote
-pub trait QuoteGenerator: Clone + Send + 'static {
+pub trait QuoteGenerator: Send + Sync + 'static {
     /// Type of attestation used
     fn attestation_type(&self) -> AttestationType;
 
@@ -441,4 +495,6 @@ pub enum AttestationError {
     DcapQvl(#[from] anyhow::Error),
     #[error("Quote parse: {0}")]
     QuoteParse(#[from] QuoteParseError),
+    #[error("Attestation type not supported")]
+    AttestationTypeNotSupported,
 }

src/attestation.rs

@@ -47,26 +47,24 @@ pub struct TlsCertAndKey {
 }
 
 /// Inner struct used by [ProxyClient] and [ProxyServer]
-struct Proxy<L, R>
+struct Proxy<R>
 where
-    L: QuoteGenerator,
     R: QuoteVerifier,
 {
     /// The underlying TCP listener
     listener: TcpListener,
     /// Quote generation type to use (including none)
-    local_quote_generator: L,
+    local_quote_generator: Arc<dyn QuoteGenerator>,
     /// Verifier for remote attestation (including none)
     remote_quote_verifier: R,
 }
 
 /// A TLS over TCP server which provides an attestation before forwarding traffic to a given target address
-pub struct ProxyServer<L, R>
+pub struct ProxyServer<R>
 where
-    L: QuoteGenerator,
     R: QuoteVerifier,
 {
-    inner: Proxy<L, R>,
+    inner: Proxy<R>,
     /// The certificate chain
     cert_chain: Vec<CertificateDer<'static>>,
     /// For accepting TLS connections
@@ -75,12 +73,12 @@ where
     target: SocketAddr,
 }
 
-impl<L: QuoteGenerator, R: QuoteVerifier> ProxyServer<L, R> {
+impl<R: QuoteVerifier> ProxyServer<R> {
     pub async fn new(
         cert_and_key: TlsCertAndKey,
         local: impl ToSocketAddrs,
         target: SocketAddr,
-        local_quote_generator: L,
+        local_quote_generator: Arc<dyn QuoteGenerator>,
         remote_quote_verifier: R,
         client_auth: bool,
     ) -> Result<Self, ProxyError> {
@@ -121,7 +119,7 @@ impl<L: QuoteGenerator, R: QuoteVerifier> ProxyServer<L, R> {
         server_config: Arc<ServerConfig>,
         local: impl ToSocketAddrs,
         target: SocketAddr,
-        local_quote_generator: L,
+        local_quote_generator: Arc<dyn QuoteGenerator>,
         remote_quote_verifier: R,
     ) -> Result<Self, ProxyError> {
         let acceptor = tokio_rustls::TlsAcceptor::from(server_config);
@@ -177,7 +175,7 @@ impl<L: QuoteGenerator, R: QuoteVerifier> ProxyServer<L, R> {
         acceptor: TlsAcceptor,
         target: SocketAddr,
         cert_chain: Vec<CertificateDer<'static>>,
-        local_quote_generator: L,
+        local_quote_generator: Arc<dyn QuoteGenerator>,
         remote_quote_verifier: R,
     ) -> Result<(), ProxyError> {
         let mut tls_stream = acceptor.accept(inbound).await?;
@@ -303,25 +301,24 @@ fn full<T: Into<Bytes>>(chunk: T) -> BoxBody<Bytes, hyper::Error> {
         .boxed()
 }
 
-pub struct ProxyClient<L, R>
+pub struct ProxyClient<R>
 where
-    L: QuoteGenerator,
     R: QuoteVerifier,
 {
-    inner: Proxy<L, R>,
+    inner: Proxy<R>,
     connector: TlsConnector,
     /// The host and port of the proxy server
     target: String,
     /// Certificate chain for client auth
     cert_chain: Option<Vec<CertificateDer<'static>>>,
 }
 
-impl<L: QuoteGenerator, R: QuoteVerifier> ProxyClient<L, R> {
+impl<R: QuoteVerifier> ProxyClient<R> {
     pub async fn new(
         cert_and_key: Option<TlsCertAndKey>,
         address: impl ToSocketAddrs,
         server_name: String,
-        local_quote_generator: L,
+        local_quote_generator: Arc<dyn QuoteGenerator>,
         remote_quote_verifier: R,
     ) -> Result<Self, ProxyError> {
         if local_quote_generator.attestation_type() != AttestationType::None
@@ -363,7 +360,7 @@ impl<L: QuoteGenerator, R: QuoteVerifier> ProxyClient<L, R> {
         client_config: Arc<ClientConfig>,
         local: impl ToSocketAddrs,
         target_name: String,
-        local_quote_generator: L,
+        local_quote_generator: Arc<dyn QuoteGenerator>,
         remote_quote_verifier: R,
         cert_chain: Option<Vec<CertificateDer<'static>>>,
     ) -> Result<Self, ProxyError> {
@@ -423,7 +420,7 @@ impl<L: QuoteGenerator, R: QuoteVerifier> ProxyClient<L, R> {
         connector: TlsConnector,
         target: String,
         cert_chain: Option<Vec<CertificateDer<'static>>>,
-        local_quote_generator: L,
+        local_quote_generator: Arc<dyn QuoteGenerator>,
         remote_quote_verifier: R,
     ) -> Result<(), ProxyError> {
         let http = Builder::new();
@@ -467,7 +464,7 @@ impl<L: QuoteGenerator, R: QuoteVerifier> ProxyClient<L, R> {
         connector: TlsConnector,
         target: String,
         cert_chain: Option<Vec<CertificateDer<'static>>>,
-        local_quote_generator: L,
+        local_quote_generator: Arc<dyn QuoteGenerator>,
         remote_quote_verifier: R,
     ) -> Result<
         (
@@ -528,7 +525,7 @@ impl<L: QuoteGenerator, R: QuoteVerifier> ProxyClient<L, R> {
         connector: TlsConnector,
         target: String,
         cert_chain: Option<Vec<CertificateDer<'static>>>,
-        local_quote_generator: L,
+        local_quote_generator: Arc<dyn QuoteGenerator>,
         remote_quote_verifier: R,
     ) -> Result<Response<BoxBody<bytes::Bytes, hyper::Error>>, ProxyError> {
         let remote_attestation_type = remote_quote_verifier.attestation_type();
@@ -710,9 +707,9 @@ mod tests {
             server_config,
             "127.0.0.1:0",
             target_addr,
-            DcapTdxQuoteGenerator {
+            Arc::new(DcapTdxQuoteGenerator {
                 attestation_type: AttestationType::Dummy,
-            },
+            }),
             NoQuoteVerifier,
         )
         .await
@@ -739,7 +736,7 @@ mod tests {
             client_config,
             "127.0.0.1:0".to_string(),
             proxy_addr.to_string(),
-            NoQuoteGenerator,
+            Arc::new(NoQuoteGenerator),
             quote_verifier,
             None,
         )
@@ -807,9 +804,9 @@ mod tests {
             server_tls_server_config,
             "127.0.0.1:0",
             target_addr,
-            DcapTdxQuoteGenerator {
+            Arc::new(DcapTdxQuoteGenerator {
                 attestation_type: AttestationType::Dummy,
-            },
+            }),
             quote_verifier.clone(),
         )
         .await
@@ -825,9 +822,9 @@ mod tests {
             client_tls_client_config,
             "127.0.0.1:0",
             proxy_addr.to_string(),
-            DcapTdxQuoteGenerator {
+            Arc::new(DcapTdxQuoteGenerator {
                 attestation_type: AttestationType::Dummy,
-            },
+            }),
             quote_verifier,
             Some(client_cert_chain),
         )
@@ -876,9 +873,9 @@ mod tests {
             server_config,
             "127.0.0.1:0",
             target_addr,
-            DcapTdxQuoteGenerator {
+            Arc::new(DcapTdxQuoteGenerator {
                 attestation_type: AttestationType::Dummy,
-            },
+            }),
             NoQuoteVerifier,
         )
         .await