Error handling

Author: ameba23

src/attestation/measurements.rs

@@ -92,8 +92,15 @@ impl Measurements {
         let measurements_map: HashMap<u32, String> = serde_json::from_str(input)?;
         let measurements_map: HashMap<u32, [u8; 48]> = measurements_map
             .into_iter()
-            .map(|(k, v)| (k, hex::decode(v).unwrap().try_into().unwrap()))
-            .collect();
+            .map(|(k, v)| {
+                Ok((
+                    k,
+                    hex::decode(v)?
+                        .try_into()
+                        .map_err(|_| MeasurementFormatError::BadLength)?,
+                ))
+            })
+            .collect::<Result<_, MeasurementFormatError>>()?;
 
         Ok(Self {
             platform: PlatformMeasurements {
@@ -127,6 +134,14 @@ pub enum MeasurementFormatError {
     MissingValue(String),
     #[error("Invalid header value: {0}")]
     BadHeaderValue(#[from] InvalidHeaderValue),
+    #[error("IO: {0}")]
+    Io(#[from] std::io::Error),
+    #[error("Attestation type not valid")]
+    AttestationTypeNotValid,
+    #[error("Hex: {0}")]
+    Hex(#[from] hex::FromHexError),
+    #[error("Expected 48 byte value")]
+    BadLength,
 }
 
 #[derive(Clone, Debug)]
@@ -137,7 +152,9 @@ pub struct MeasurementRecord {
 }
 
 /// Given the path to a JSON file containing measurements, return a [Vec<MeasurementRecord>]
-pub async fn get_measurements_from_file(measurement_file: PathBuf) -> AttestationVerifier {
+pub async fn get_measurements_from_file(
+    measurement_file: PathBuf,
+) -> Result<AttestationVerifier, MeasurementFormatError> {
     #[derive(Debug, Deserialize)]
     struct MeasurementRecordSimple {
         measurement_id: String,
@@ -150,47 +167,42 @@ pub async fn get_measurements_from_file(measurement_file: PathBuf) -> Attestatio
         expected: String,
     }
 
-    let measurements_json = tokio::fs::read(measurement_file).await.unwrap();
+    let measurements_json = tokio::fs::read(measurement_file).await?;
     let measurements_simple: Vec<MeasurementRecordSimple> =
-        serde_json::from_slice(&measurements_json).unwrap();
+        serde_json::from_slice(&measurements_json)?;
     let mut measurements = Vec::new();
     for measurement in measurements_simple {
         measurements.push(MeasurementRecord {
             measurement_id: measurement.measurement_id,
             attestation_type: AttestationType::parse_from_str(&measurement.attestation_type)
-                .unwrap(),
+                .map_err(|_| MeasurementFormatError::AttestationTypeNotValid)?,
             measurements: Measurements {
                 platform: PlatformMeasurements {
-                    mrtd: hex::decode(&measurement.measurements["0"].expected)
-                        .unwrap()
+                    mrtd: hex::decode(&measurement.measurements["0"].expected)?
                         .try_into()
-                        .unwrap(),
-                    rtmr0: hex::decode(&measurement.measurements["1"].expected)
-                        .unwrap()
+                        .map_err(|_| MeasurementFormatError::BadLength)?,
+                    rtmr0: hex::decode(&measurement.measurements["1"].expected)?
                         .try_into()
-                        .unwrap(),
+                        .map_err(|_| MeasurementFormatError::BadLength)?,
                 },
                 cvm_image: CvmImageMeasurements {
-                    rtmr1: hex::decode(&measurement.measurements["2"].expected)
-                        .unwrap()
+                    rtmr1: hex::decode(&measurement.measurements["2"].expected)?
                         .try_into()
-                        .unwrap(),
-                    rtmr2: hex::decode(&measurement.measurements["3"].expected)
-                        .unwrap()
+                        .map_err(|_| MeasurementFormatError::BadLength)?,
+                    rtmr2: hex::decode(&measurement.measurements["3"].expected)?
                         .try_into()
-                        .unwrap(),
-                    rtmr3: hex::decode(&measurement.measurements["4"].expected)
-                        .unwrap()
+                        .map_err(|_| MeasurementFormatError::BadLength)?,
+                    rtmr3: hex::decode(&measurement.measurements["4"].expected)?
                         .try_into()
-                        .unwrap(),
+                        .map_err(|_| MeasurementFormatError::BadLength)?,
                 },
             },
         });
     }
 
-    AttestationVerifier {
+    Ok(AttestationVerifier {
         accepted_measurements: measurements,
-    }
+    })
 }
 
 #[cfg(test)]
@@ -199,6 +211,8 @@ mod tests {
 
     #[tokio::test]
     async fn test_read_measurements_file() {
-        get_measurements_from_file("test-assets/measurements.json".into()).await;
+        get_measurements_from_file("test-assets/measurements.json".into())
+            .await
+            .unwrap();
     }
 }

src/attestation/mod.rs

@@ -155,8 +155,7 @@ impl AttestationVerifier {
         exporter: [u8; 32],
     ) -> Result<Option<Measurements>, AttestationError> {
         let attestation_type =
-            AttestationType::parse_from_str(&attestation_payload.attestation_type).unwrap();
-        println!("handling {attestation_type}");
+            AttestationType::parse_from_str(&attestation_payload.attestation_type)?;
 
         let measurements = match attestation_type {
             AttestationType::DcapTdx => {
@@ -188,22 +187,6 @@ impl AttestationVerifier {
     }
 }
 
-// /// Defines how to verify a quote
-// pub trait QuoteVerifier: Sync + Send + 'static {
-//     /// Type of attestation used
-//     fn attestation_type(&self) -> AttestationType;
-//
-//     /// Verify the given attestation payload
-//     fn verify_attestation(
-//         &self,
-//         input: Vec<u8>,
-//         cert_chain: &[CertificateDer<'_>],
-//         exporter: [u8; 32],
-//     ) -> Pin<
-//         Box<dyn Future<Output = Result<Option<Measurements>, AttestationError>> + Send + 'static>,
-//     >;
-// }
-
 /// Quote generation using configfs_tsm
 #[derive(Clone)]
 pub struct DcapTdxQuoteGenerator {
@@ -323,31 +306,6 @@ impl QuoteGenerator for NoQuoteGenerator {
     }
 }
 
-/// For no CVM platform (eg: for one-sided remote-attested TLS)
-// #[derive(Clone)]
-// pub struct NoQuoteVerifier;
-//
-// impl QuoteVerifier for NoQuoteVerifier {
-//     /// Type of attestation used
-//     fn attestation_type(&self) -> AttestationType {
-//         AttestationType::None
-//     }
-//
-//     /// Ensure that an empty attestation is given
-//     async fn verify_attestation(
-//         &self,
-//         input: Vec<u8>,
-//         _cert_chain: &[CertificateDer<'_>],
-//         _exporter: [u8; 32],
-//     ) -> Result<Option<Measurements>, AttestationError> {
-//         if input.is_empty() {
-//             Ok(None)
-//         } else {
-//             Err(AttestationError::AttestationGivenWhenNoneExpected)
-//         }
-//     }
-// }
-
 /// Create a mock quote for testing on non-confidential hardware
 #[cfg(test)]
 fn generate_quote(input: [u8; 64]) -> Result<Vec<u8>, QuoteGenerationError> {

src/lib.rs

@@ -188,8 +188,7 @@ impl ProxyServer {
                 &cert_chain,
                 exporter,
                 local_quote_generator,
-            )?)
-            .unwrap()
+            )?)?
         } else {
             Vec::new()
         };
@@ -209,8 +208,7 @@ impl ProxyServer {
 
         let (measurements, remote_attestation_type) = if attestation_verifier.has_remote_attestion()
         {
-            let remote_attestation_payload: AttesationPayload =
-                serde_json::from_slice(&buf).unwrap();
+            let remote_attestation_payload: AttesationPayload = serde_json::from_slice(&buf)?;
 
             let remote_attestation_type = remote_attestation_payload.attestation_type.clone();
             (
@@ -502,9 +500,9 @@ impl ProxyClient {
         let mut buf = vec![0; length];
         tls_stream.read_exact(&mut buf).await?;
 
-        let remote_attestation_payload: AttesationPayload = serde_json::from_slice(&buf).unwrap();
+        let remote_attestation_payload: AttesationPayload = serde_json::from_slice(&buf)?;
         let remote_attestation_type =
-            AttestationType::parse_from_str(&remote_attestation_payload.attestation_type).unwrap();
+            AttestationType::parse_from_str(&remote_attestation_payload.attestation_type)?;
 
         let measurements = attestation_verifier
             .verify_attestation(remote_attestation_payload, &remote_cert_chain, exporter)
@@ -515,8 +513,7 @@ impl ProxyClient {
                 &cert_chain.ok_or(ProxyError::NoClientAuth)?,
                 exporter,
                 local_quote_generator,
-            )?)
-            .unwrap()
+            )?)?
         } else {
             Vec::new()
         };
@@ -637,7 +634,7 @@ async fn get_tls_cert_with_config(
     let mut buf = vec![0; length];
     tls_stream.read_exact(&mut buf).await?;
 
-    let remote_attestation_payload: AttesationPayload = serde_json::from_slice(&buf).unwrap();
+    let remote_attestation_payload: AttesationPayload = serde_json::from_slice(&buf)?;
 
     let _measurements = attestation_verifier
         .verify_attestation(remote_attestation_payload, &remote_cert_chain, exporter)
@@ -667,6 +664,8 @@ pub enum ProxyError {
     BadDnsName(#[from] tokio_rustls::rustls::pki_types::InvalidDnsNameError),
     #[error("HTTP: {0}")]
     Hyper(#[from] hyper::Error),
+    #[error("JSON: {0}")]
+    Json(#[from] serde_json::Error),
 }
 
 /// Given a byte array, encode its length as a 4 byte big endian u32

src/main.rs

@@ -55,11 +55,6 @@ enum CliCommand {
         // Name:  "tls-ca-certificate",
         // Usage: "additional CA certificate to verify against (PEM) [default=no additional TLS certs]. Only valid with --verify-tls.",
         //
-        // Name:    "override-azurev6-tcbinfo",
-        // Value:   false,
-        // EnvVars: []string{"OVERRIDE_AZUREV6_TCBINFO"},
-        // Usage:   "Allows Azure's V6 instance outdated SEAM Loader",
-        //
         // Name:    "dev-dummy-dcap",
         // EnvVars: []string{"DEV_DUMMY_DCAP"},
         // Usage:   "URL of the remote dummy DCAP service. Only with --client-attestation-type dummy.",
@@ -94,13 +89,6 @@ enum CliCommand {
         // Value:   "",
         // Usage:   "address to listen on for health checks",
         //
-        //
-        //
-        // Name:    "override-azurev6-tcbinfo",
-        // Value:   false,
-        // EnvVars: []string{"OVERRIDE_AZUREV6_TCBINFO"},
-        // Usage:   "Allows Azure's V6 instance outdated SEAM Loader",
-        //
         // Name:    "dev-dummy-dcap",
         // EnvVars: []string{"DEV_DUMMY_DCAP"},
         // Usage:   "URL of the remote dummy DCAP service. Only with --server-attestation-type dummy.",
@@ -143,7 +131,9 @@ async fn main() -> anyhow::Result<()> {
             };
 
             let attestation_verifier = match server_measurements {
-                Some(server_measurements) => get_measurements_from_file(server_measurements).await,
+                Some(server_measurements) => {
+                    get_measurements_from_file(server_measurements).await?
+                }
                 None => AttestationVerifier::do_not_verify(),
             };
 
@@ -187,7 +177,9 @@ async fn main() -> anyhow::Result<()> {
             let local_attestation_generator = server_attestation_type.get_quote_generator()?;
 
             let attestation_verifier = match client_measurements {
-                Some(client_measurements) => get_measurements_from_file(client_measurements).await,
+                Some(client_measurements) => {
+                    get_measurements_from_file(client_measurements).await?
+                }
                 None => AttestationVerifier::do_not_verify(),
             };
 
@@ -212,7 +204,9 @@ async fn main() -> anyhow::Result<()> {
             server_measurements,
         } => {
             let attestation_verifier = match server_measurements {
-                Some(server_measurements) => get_measurements_from_file(server_measurements).await,
+                Some(server_measurements) => {
+                    get_measurements_from_file(server_measurements).await?
+                }
                 None => AttestationVerifier::do_not_verify(),
             };
             let cert_chain = get_tls_cert(server, attestation_verifier).await?;