Cleaning up interfaces

Author: raoulstrackx

Cargo.lock

@@ -10,7 +10,7 @@ serde_cbor = "0.11"
 # Required until PR36 is accepted
 # https://github.com/awslabs/aws-nitro-enclaves-cose/pull/36
 aws-nitro-enclaves-cose = { version = "0.5.0", git = "https://github.com/fortanix/aws-nitro-enclaves-cose.git", branch = "raoul/crypto_abstraction_pinned", default-features = false }
-mbedtls = { version = "0.8.2", features = ["rdrand", "std", "dsa", "time"], default-features = false, optional = true }
+mbedtls = { version = "0.8.2", features = ["rdrand", "std", "time"], default-features = false, optional = true }
 num-bigint = "0.4"
 serde = { version = "1.0", features = ["derive"] }
 serde_bytes = "0.11"

fortanix-vme/nitro-attestation-verify/Cargo.toml

@@ -22,7 +22,7 @@ use ::mbedtls::{alloc::List as MbedtlsList, x509::{Certificate, VerifyError}};
 mod mbedtls;
 
 #[cfg(feature = "mbedtls")]
-use crate::mbedtls::Mbedtls;
+pub use crate::mbedtls::Mbedtls;
 
 pub trait VerificationType {}
 

fortanix-vme/nitro-attestation-verify/src/lib.rs

@@ -13,7 +13,7 @@ use num_bigint::BigUint;
 use std::sync::Mutex;
 use std::ops::Deref;
 
-pub(crate) struct Mbedtls;
+pub struct Mbedtls;
 
 struct MdType(hash::Type);
 

fortanix-vme/nitro-attestation-verify/src/mbedtls.rs

@@ -1,6 +1,7 @@
 [package]
 name = "nsm"
 version = "0.1.0"
+authors = ["Raoul Strackx <[email protected]>"]
 edition = "2021"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

fortanix-vme/nsm/Cargo.toml

@@ -1,4 +1,4 @@
-pub use nitro_attestation_verify::{AttestationDocument, Unverified, NitroError as AttestationError};
+pub use nitro_attestation_verify::{AttestationDocument, Unverified, NitroError as AttestationError, Mbedtls};
 use nsm_io::{ErrorCode, Response, Request};
 pub use nsm_io::Digest;
 pub use serde_bytes::ByteBuf;
@@ -78,8 +78,8 @@ impl From<ErrorCode> for Error {
 
 #[derive(Debug, Eq, PartialEq)]
 pub struct Pcr {
-    pub locked: bool,
-    pub data: Vec<u8>,
+    locked: bool,
+    data: Vec<u8>,
 }
 
 impl Pcr {
@@ -89,6 +89,14 @@ impl Pcr {
             data,
         }
     }
+
+    pub fn locked(&self) -> bool {
+        self.locked
+    }
+
+    pub fn data(&self) -> &[u8] {
+        self.data.as_slice()
+    }
 }
 
 impl TryFrom<Response> for Pcr {
@@ -122,6 +130,42 @@ pub struct Description {
     pub digest: Digest,
 }
 
+impl Description {
+    pub fn version_major(&self) -> u16 {
+        self.version_major
+    }
+
+    /// Minor API changes are denoted by `minor_version`. Minor versions should be backwards compatible.
+    pub fn version_minor(&self) -> u16 {
+        self.version_minor
+    }
+
+    /// Patch version. These are security and stability updates and do not affect API.
+    pub fn version_patch(&self) -> u16 {
+        self.version_patch
+    }
+
+    /// `module_id` is an identifier for a singular NitroSecureModule
+    pub fn module_id(&self) -> &String {
+        &self.module_id
+    }
+
+    /// The maximum number of PCRs exposed by the NitroSecureModule.
+    pub fn max_pcrs(&self) -> u16 {
+        self.max_pcrs
+    }
+
+    /// The PCRs that are read-only.
+    pub fn locked_pcrs(&self) -> &BTreeSet<u16> {
+        &self.locked_pcrs
+    }
+
+    /// The digest of the PCR Bank
+    pub fn digest(&self) -> Digest {
+        self.digest
+    }
+}
+
 impl TryFrom<Response> for Description {
     type Error = Error;
 
@@ -167,7 +211,7 @@ impl Nsm {
             public_key,
         };
         match nsm_driver::nsm_process_request(self.0, req) {
-            Response::Attestation { document } => Ok(AttestationDocument::from_slice(document.as_slice())?),
+            Response::Attestation { document } => Ok(AttestationDocument::from_slice::<Mbedtls>(document.as_slice())?),
             Response::Error(code) => Err(code.into()),
             _ => Err(Error::InvalidResponse),
         }

fortanix-vme/nsm/src/lib.rs

@@ -6,43 +6,43 @@ fn main() {
     let nonce = ByteBuf::from(vec![3, 4, 5]);
     let pub_key = ByteBuf::from(vec![6, 7, 8]);
     let doc = nsm.attest(Some(user_data.clone()), Some(nonce.clone()), Some(pub_key.clone())).unwrap();
-    println!("#module_id: {}", doc.module_id);
-    println!("#timestamp: {}", doc.timestamp);
-    println!("digest: {}", doc.digest);
-    assert_eq!(doc.digest, "SHA384");
-    for (idx, val) in doc.pcrs.iter() {
+    println!("#module_id: {}", doc.module_id());
+    println!("#timestamp: {}", doc.timestamp());
+    println!("digest: {}", doc.digest());
+    assert_eq!(doc.digest(), "SHA384");
+    for (idx, val) in doc.pcrs().iter() {
         println!("# pcr{} = {:?}", idx, val);
     }
-    println!("#certificate: {}", pkix::pem::der_to_pem(&doc.certificate, pkix::pem::PEM_CERTIFICATE));
-    println!("#cabundle: {:?}", doc.cabundle.iter().map(|cert| pkix::pem::der_to_pem(cert, pkix::pem::PEM_CERTIFICATE)).collect::<Vec::<String>>());
-    println!("public_key: {:?}", pkix::pem::der_to_pem(doc.public_key.as_ref().unwrap(), pkix::pem::PEM_CERTIFICATE));
-    assert_eq!(doc.public_key.unwrap(), pub_key);
-    println!("user_data: {:?}", doc.user_data);
-    assert_eq!(doc.user_data.unwrap(), user_data);
-    println!("nonce: {:?}", doc.nonce);
-    assert_eq!(doc.nonce.unwrap(), nonce);
+    println!("#certificate: {}", pkix::pem::der_to_pem(&doc.certificate(), pkix::pem::PEM_CERTIFICATE));
+    println!("#cabundle: {:?}", doc.cabundle().iter().map(|cert| pkix::pem::der_to_pem(cert, pkix::pem::PEM_CERTIFICATE)).collect::<Vec::<String>>());
+    println!("public_key: {:?}", pkix::pem::der_to_pem(doc.public_key().as_ref().unwrap(), pkix::pem::PEM_CERTIFICATE));
+    assert_eq!(*doc.public_key().unwrap(), pub_key);
+    println!("user_data: {:?}", doc.user_data());
+    assert_eq!(*doc.user_data().unwrap(), user_data);
+    println!("nonce: {:?}", doc.nonce());
+    assert_eq!(*doc.nonce().unwrap(), nonce);
 
     for idx in 0..32 {
         let pcr = nsm.describe_pcr(idx).unwrap();
         println!("# pcr{} = {:?}", idx, pcr);
-        assert_eq!(pcr.locked, idx <= 15);
+        assert_eq!(pcr.locked(), idx <= 15);
     }
 
     let pcr16 = nsm.extend_pcr(16, vec![41, 41, 41]);
     println!("pcr16 = {:?}", pcr16);
     let pcr16 = nsm.extend_pcr(16, vec![42, 42, 42]);
     println!("pcr16 = {:?}", pcr16);
     println!("pcr16 = {:?}", nsm.describe_pcr(16));
-    assert_eq!(nsm.describe_pcr(16).unwrap().locked, false);
+    assert_eq!(nsm.describe_pcr(16).unwrap().locked(), false);
 
     nsm.lock_pcr(16).unwrap();
     println!("pcr16 = {:?}", nsm.describe_pcr(10));
-    assert_eq!(nsm.describe_pcr(16).unwrap().locked, true);
+    assert_eq!(nsm.describe_pcr(16).unwrap().locked(), true);
 
     nsm.lock_pcrs(18).unwrap();
     for pcr in 0..=18 {
         println!("#pcr{} = {:?}", pcr, nsm.describe_pcr(pcr));
-        assert_eq!(nsm.describe_pcr(pcr).map(|val| val.locked), Ok(pcr < 18));
+        assert_eq!(nsm.describe_pcr(pcr).map(|val| val.locked()), Ok(pcr < 18));
     }
 
     println!("# nsm description: {:#?}", nsm.describe().unwrap());
@@ -51,7 +51,7 @@ fn main() {
     assert_eq!(description.version_minor, 0);
     assert_eq!(description.version_patch, 0);
     assert_eq!(description.max_pcrs, 32);
-    assert_eq!(description.locked_pcrs.iter().count(), 18);
+    assert_eq!(description.locked_pcrs().iter().count(), 18);
     assert_eq!(description.digest, Digest::SHA384);
     assert!(nsm.get_random().is_ok());
 }