diff --git a/base-image/Dockerfile b/base-image/Dockerfile
index d77b74c..a851e6b 100644
--- a/base-image/Dockerfile
+++ b/base-image/Dockerfile
@@ -63,19 +63,6 @@ RUN cd /cvm-agent/cvmassistants/keyprovider/key-provider-agent \
 RUN cd /cvm-agent/cvmassistants/secretprovider/secret-provider-agent \
 && make all
-# build attest-helper
-RUN git clone https://github.com/guanzhi/GmSSL.git \
- && cd GmSSL \
- && git checkout GmSSL-v2 \
- && git checkout 5b904768 \
- && sed -i "s/qw\/glob/qw\/:glob/g" Configure \
- && sed -i "s/qw\/glob/qw\/:glob/g" test/build.info \
- && ./config --prefix=/opt/gmssl \
- && make install
-
-RUN cd /cvm-agent/cvmassistants/attest-helper \
- && go build
-
 # Final image
 FROM ubuntu:20.04
@@ -161,13 +148,6 @@ RUN apt-get update \
 COPY --from=build /cvm-agent/base-image/supervisord/supervisord.conf /etc/supervisor/
 COPY --from=build /cvm-agent/apploader/conf/appload-supervisord.ini /workplace/supervisord/apploader
-#get attest-helper
-RUN mkdir -p /workplace/cvm-agent/cvmassistants/attest-helper \
- && mkdir -p /opt/gmssl
-
-COPY --from=build /cvm-agent/cvmassistants/attest-helper/attest-helper /workplace/cvm-agent/cvmassistants/attest-helper/attest-helper.bin
-COPY --from=build /opt/gmssl /opt/gmssl
-
 #install firewall
 RUN mkdir -p /workplace/cvm-agent/cvmassistants/firewall \
 && mkdir -p /lib/modules \
diff --git a/cvmassistants/attest-helper/consts/err_codes.go b/cvmassistants/attest-helper/consts/err_codes.go
deleted file mode 100644
index d7bfcff..0000000
--- a/cvmassistants/attest-helper/consts/err_codes.go
+++ /dev/null
@@ -1,8 +0,0 @@
-package consts
-
-const (
- // json
- ERROR_CODE__JSON__UNMARSHAL_FAILED = 1105
- ERROR_CODE_GET_REPORT_FAILED = 2000
- ERROR_CODE_VERIFY_REPORT_FAILED = 2001
-)
diff --git a/cvmassistants/attest-helper/controllers/attestion.go b/cvmassistants/attest-helper/controllers/attestion.go
deleted file mode 100644
index 5485c3e..0000000
--- a/cvmassistants/attest-helper/controllers/attestion.go
+++ /dev/null
@@ -1,119 +0,0 @@
-package controllers
-
-import (
- "attest-helper/consts"
- "attest-helper/report/attestation_c"
- "encoding/base64"
- "fmt"
- "github.com/gin-gonic/gin"
- "github.com/sirupsen/logrus"
-)
-
-type ReportRes struct {
- BaseRes
- ReportData *attestation_c.ReportDetailInfo `json:"reportData"`
-}
-
-type SealingKeyRes struct {
- BaseRes
- SealingKey string `json:"sealingKey"`
-}
-
-type AttestationController struct {
- DefaultController
-}
-
-func (uc AttestationController) GetReport(c *gin.Context) {
- var req attestation_c.ReportDetailInfo
- if err := c.BindJSON(&req); err != nil {
- message := fmt.Sprintf("get body error. %+v", err)
- errMes := uc.HandleErrorStatusBadRequest(consts.ERROR_CODE__JSON__UNMARSHAL_FAILED, message, "", c)
- logrus.Error(errMes)
- return
- }
-
- report, err := attestation_c.GetReport(req.UserData, false)
- if err != nil {
- message := fmt.Sprintf("get report failed, error: %s", err.Error())
- errMes := uc.HandleErrorStatusBadRequest(consts.ERROR_CODE_GET_REPORT_FAILED, message, "", c)
- logrus.Error(errMes)
- return
- }
-
- reportDetail := attestation_c.GetReportDetailInfo(report)
-
- mesg, baseRes := uc.HandleSuccess(200, "get report successful", "", c)
-
- res := ReportRes{
- *baseRes,
- reportDetail,
- }
-
- c.JSON(200, res)
- logrus.Info(mesg)
-}
-
-func (uc AttestationController) VerifyReport(c *gin.Context) {
- var req attestation_c.ReportDetailInfo
- if err := c.BindJSON(&req); err != nil {
- message := fmt.Sprintf("get body error. 
%+v", err)
- errMes := uc.HandleErrorStatusBadRequest(consts.ERROR_CODE__JSON__UNMARSHAL_FAILED, message, "", c)
- logrus.Error(errMes)
- return
- }
-
- reportByte, err := base64.StdEncoding.DecodeString(req.FullReport)
- if err != nil {
- message := fmt.Sprintf("decode report failed, error: %s", err.Error())
- errMes := uc.HandleErrorStatusBadRequest(consts.ERROR_CODE_VERIFY_REPORT_FAILED, message, "", c)
- logrus.Error(errMes)
- return
- }
-
- report, err := attestation_c.UnmarshalCsvAttestationReport(reportByte)
- if err != nil {
- message := fmt.Sprintf("unmarsh report info failed, error: %s", err.Error())
- errMes := uc.HandleErrorStatusBadRequest(consts.ERROR_CODE_VERIFY_REPORT_FAILED, message, "", c)
- logrus.Error(errMes)
- return
- }
-
- err = attestation_c.VerifyReport(report)
- if err != nil {
- message := fmt.Sprintf("verify report failed, error: %s", err.Error())
- errMes := uc.HandleErrorStatusBadRequest(consts.ERROR_CODE_GET_REPORT_FAILED, message, "", c)
- logrus.Error(errMes)
- return
- }
-
- reportDetail := attestation_c.GetReportDetailInfo(report)
-
- mesg, baseRes := uc.HandleSuccess(200, "verify report successful", "", c)
-
- res := ReportRes{
- *baseRes,
- reportDetail,
- }
-
- c.JSON(200, res)
- logrus.Info(mesg)
-}
-
-func (uc AttestationController) GetSealingKey(c *gin.Context) {
- sealingkey, err := attestation_c.GetSealingKey()
- if err != nil {
- message := fmt.Sprintf("get sealing key failed, error: %s", err.Error())
- errMes := uc.HandleErrorStatusBadRequest(consts.ERROR_CODE_GET_REPORT_FAILED, message, "", c)
- logrus.Error(errMes)
- return
- }
-
- mesg, baseRes := uc.HandleSuccess(200, "get sealing key successful", "", c)
-
- res := SealingKeyRes{
- *baseRes,
- sealingkey,
- }
- c.JSON(200, res)
- logrus.Info(mesg)
-}
diff --git a/cvmassistants/attest-helper/controllers/default.go b/cvmassistants/attest-helper/controllers/default.go
deleted file mode 100644
index cdc66e2..0000000
--- a/cvmassistants/attest-helper/controllers/default.go
+++ /dev/null
@@ -1,158 +0,0 @@
-package controllers
-
-import (
- "encoding/json"
- "fmt"
- "github.com/gin-gonic/gin"
- "github.com/sirupsen/logrus"
- "io"
- "net/http"
- "os"
-)
-
-type BaseRes struct {
- Code int `json:"code"`
- Message string `json:"message"`
-}
-
-type DataRes struct {
- BaseRes
- Data interface{} `json:"data,omitempty"`
-}
-
-type IdRes struct {
- BaseRes
- Id string `json:"id,omitempty"`
-}
-
-type RequestMessageData struct {
- URI string
- Method string
-
- User string
- IP string
-
- ResponseStatus int
- RequestBody string
- RequestAuth string
-}
-
-type KeyInfo struct {
- FileId string `json:"fileId"`
- Key string `json:"key"`
- Type string `json:"type"`
- CreateTime string `json:"createTime"`
- UpdateTime string `json:"updateTime"`
-}
-
-//
-type SecretKeyRes struct {
- BaseRes
- Data KeyInfo `json:"data"`
-}
-
-type KmsRes struct {
- BaseRes
- FileId string `json:"fileId"`
-}
-
-func WriteFile(filename string, data []byte, perm os.FileMode) error {
- f, err := os.OpenFile(filename, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
- if err != nil {
- return err
- }
- n, err := f.Write(data)
- if err == nil && n < len(data) {
- err = io.ErrShortWrite
- }
- if err1 := f.Close(); err == nil {
- err = err1
- }
- return err
-}
-
-func ErrorRes(code int, message string) *BaseRes {
- return &BaseRes{
- Code: code,
- Message: message,
- }
-}
-
-type DefaultController struct {
-}
-
-func (f *DefaultController) Prepare() {
-
-}
-
-func (f *DefaultController) HandleErrorStatusBadRequest(code int, message string, addition string, c *gin.Context) (errMesg string) {
- var userName string
-
- clientIp := c.Request.Header.Get("X-Real-ip")
- if clientIp == "" {
- clientIp = c.ClientIP()
- }
- requestInfo, err := json.Marshal(RequestMessageData{
- URI: c.Request.URL.String(),
- Method: c.Request.Method,
- User: userName,
- IP: clientIp,
- ResponseStatus: code,
- })
- if err != nil {
- logrus.Errorf("err:", err.Error())
- return fmt.Sprintf("message: %s; addition: %s; 
request: %s", message, addition, err.Error())
- }
-
- c.JSON(http.StatusBadRequest, ErrorRes(code, message))
- return fmt.Sprintf("message: %s; addition: %s; request: %s", message, addition, requestInfo)
-}
-
-func (f *DefaultController) HandleErrorStatusUnauthorized(code int, message string, addition string, c *gin.Context) (errMesg string) {
- var userName string
-
- clientIp := c.Request.Header.Get("X-Real-ip")
- if clientIp == "" {
- clientIp = c.ClientIP()
- }
- requestInfo, err := json.Marshal(RequestMessageData{
- URI: c.Request.URL.String(),
- Method: c.Request.Method,
- User: userName,
- IP: clientIp,
- ResponseStatus: code,
- })
- if err != nil {
- logrus.Errorf("err:", err.Error())
- return fmt.Sprintf("message: %s; addition: %s; request: %s", message, addition, err.Error())
- }
- c.JSON(http.StatusUnauthorized, ErrorRes(code, message))
- return fmt.Sprintf("message: %s; addition: %s; request: %s", message, addition, requestInfo)
-}
-
-func (f *DefaultController) HandleSuccess(code int, message string, addition string, c *gin.Context) (info string, baseRes *BaseRes) {
- var userName string
-
- baseRes = &BaseRes{
- code,
- message,
- }
-
- clientIp := c.Request.Header.Get("X-Real-ip")
- if clientIp == "" {
- clientIp = c.ClientIP()
- }
- requestInfo, err := json.Marshal(RequestMessageData{
- URI: c.Request.URL.String(),
- Method: c.Request.Method,
- User: userName,
- IP: clientIp,
- ResponseStatus: code,
- })
- if err != nil {
- logrus.Errorf("err:", err.Error())
- return fmt.Sprintf("message: %s; addition: %s; request: %s", message, addition, err.Error()), baseRes
- }
-
- return fmt.Sprintf("message: %s; addition: %s; request: %s", message, addition, requestInfo), baseRes
-}
diff --git a/cvmassistants/attest-helper/go.mod b/cvmassistants/attest-helper/go.mod
deleted file mode 100644
index 6370464..0000000
--- a/cvmassistants/attest-helper/go.mod
+++ /dev/null
@@ -1,34 +0,0 @@
-module attest-helper
-
-go 1.24
-
-require (
- github.com/gin-gonic/gin v1.9.0
- github.com/sirupsen/logrus v1.9.0
-)
-
-require (
- github.com/bytedance/sonic v1.8.0 // indirect
- github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
- github.com/gin-contrib/sse v0.1.0 // indirect
- github.com/go-playground/locales v0.14.1 // indirect
- github.com/go-playground/universal-translator v0.18.1 // indirect
- github.com/go-playground/validator/v10 v10.11.2 // indirect
- github.com/goccy/go-json v0.10.0 // indirect
- github.com/json-iterator/go v1.1.12 // indirect
- github.com/klauspost/cpuid/v2 v2.0.9 // indirect
- github.com/leodido/go-urn v1.2.1 // indirect
- github.com/mattn/go-isatty v0.0.17 // indirect
- github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421 // indirect
- github.com/modern-go/reflect2 v1.0.2 // indirect
- github.com/pelletier/go-toml/v2 v2.0.6 // indirect
- github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
- github.com/ugorji/go/codec v1.2.9 // indirect
- golang.org/x/arch v0.0.0-20210923205945-b76863e36670 // indirect
- golang.org/x/crypto v0.5.0 // indirect
- golang.org/x/net v0.7.0 // indirect
- golang.org/x/sys v0.5.0 // indirect
- golang.org/x/text v0.7.0 // indirect
- google.golang.org/protobuf v1.28.1 // indirect
- gopkg.in/yaml.v3 v3.0.1 // indirect
-)
diff --git a/cvmassistants/attest-helper/go.sum b/cvmassistants/attest-helper/go.sum
deleted file mode 100644
index 770a00e..0000000
--- a/cvmassistants/attest-helper/go.sum
+++ /dev/null
@@ -1,89 +0,0 @@ -github.com/bytedance/sonic v1.5.0/go.mod h1:ED5hyg4y6t3/9Ku1R6dU/4KyJ48DZ4jPhfY1O2AihPM= -github.com/bytedance/sonic v1.8.0 h1:ea0Xadu+sHlu7x5O3gKhRpQ1IKiMrSiHttPF0ybECuA= -github.com/bytedance/sonic v1.8.0/go.mod h1:i736AoUSYt75HyZLoJW9ERYxcy6eaN6h4BZXU064P/U= -github.com/chenzhuoyu/base64x v0.0.0-20211019084208-fb5309c8db06/go.mod h1:DH46F32mSOjUmXrMHnKwZdA8wcEefY7UVqBKYGjpdQY= -github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 h1:qSGYFH7+jGhDF8vLC+iwCD4WpbV1EBDSzWkJODFLams= -github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311/go.mod h1:b583jCggY9gE99b6G5LEC39OIiVsWj+R97kbl5odCEk= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE= -github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= -github.com/gin-gonic/gin v1.9.0 h1:OjyFBKICoexlu99ctXNR2gg+c5pKrKMuyjgARg9qeY8= -github.com/gin-gonic/gin v1.9.0/go.mod h1:W1Me9+hsUSyj3CePGrd1/QrKJMSJ1Tu/0hFEH89961k= -github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s= -github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4= -github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA= -github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY= -github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY= -github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= -github.com/go-playground/validator/v10 v10.11.2 h1:q3SHpufmypg+erIExEKUmsgmhDTyhcJ38oeKGACXohU= -github.com/go-playground/validator/v10 v10.11.2/go.mod 
h1:NieE624vt4SCTJtD87arVLvdmjPAeV8BQlHtMnw9D7s= -github.com/goccy/go-json v0.10.0 h1:mXKd9Qw4NuzShiRlOXKews24ufknHO7gx30lsDyokKA= -github.com/goccy/go-json v0.10.0/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= -github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU= -github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= -github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/klauspost/cpuid/v2 v2.0.9 h1:lgaqFMSdTdQYdZ04uHyN2d/eKdOMyi2YLSvlQIBFYa4= -github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= -github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0= -github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk= -github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= -github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/leodido/go-urn v1.2.1 h1:BqpAaACuzVSgi/VLzGZIobT2z4v53pjosyNd9Yv6n/w= -github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ictyFfxY= -github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= -github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421 h1:ZqeYNhU3OHLH3mGKHDcjJRFFRrJa6eAM5H+CtDdOsPc= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M= -github.com/modern-go/reflect2 v1.0.2/go.mod 
h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/pelletier/go-toml/v2 v2.0.6 h1:nrzqCb7j9cDFj2coyLNLaZuJTLjWjlaz6nvTvIwycIU= -github.com/pelletier/go-toml/v2 v2.0.6/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.8.0 h1:FCbCCtXNOY3UtUuHUYaghJg4y7Fd14rXifAYUAtL9R8= -github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE= -github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= -github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= -github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= -github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= -github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI= -github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08= -github.com/ugorji/go/codec v1.2.9 h1:rmenucSohSTiyL09Y+l2OCk+FrMxGMzho2+tjr5ticU= -github.com/ugorji/go/codec v1.2.9/go.mod 
h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg= -golang.org/x/arch v0.0.0-20210923205945-b76863e36670 h1:18EFjUmQOcUvxNYSkA6jO9VAiXCnxFY6NyDX0bHDmkU= -golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8= -golang.org/x/crypto v0.5.0 h1:U/0M97KRkSFvyD/3FSmdP5W5swImpNgle/EHFhOsQPE= -golang.org/x/crypto v0.5.0/go.mod h1:NK/OQwhpMQP3MwtdjgLlYHnH9ebylxKWv3e0fK+mkQU= -golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= -golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= -golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= -google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w= -google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= -gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod 
h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= -gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
diff --git a/cvmassistants/attest-helper/main.go b/cvmassistants/attest-helper/main.go
deleted file mode 100644
index 27fb742..0000000
--- a/cvmassistants/attest-helper/main.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package main
-
-import (
- "attest-helper/routers"
- "fmt"
- "os"
- "path"
- "runtime"
-
- "github.com/sirupsen/logrus"
-)
-
-func main() {
- logrus.SetLevel(logrus.TraceLevel)
- logrus.SetFormatter(&logrus.TextFormatter{
- FullTimestamp: true,
- ForceColors: true,
- CallerPrettyfier: func(f *runtime.Frame) (string, string) {
- filename := path.Base(f.File)
- return "", filename + ":" + fmt.Sprintf("%d", f.Line)
- },
- })
- logrus.SetReportCaller(true)
-
- port := os.Getenv("port")
- if port == "" {
- port = "8080"
- }
- logrus.Info("attest-helper is running on port: ", port)
- err := routers.InitRouters().Run(fmt.Sprintf(":%s", port))
- if err != nil {
- panic("start server failed, error: " + err.Error())
- }
-}
diff --git a/cvmassistants/attest-helper/report/attestation_c/attestation.h b/cvmassistants/attest-helper/report/attestation_c/attestation.h
deleted file mode 100644
index 11c6d1a..0000000
--- a/cvmassistants/attest-helper/report/attestation_c/attestation.h
+++ /dev/null
@@ -1,294 +0,0 @@
-#ifndef __ATTATESTATION_H__
-#define __ATTATESTATION_H__
-
-#include
-#include
-#include
-
-// 0: output debug log, other not
-int app_log_level;
-
-#define TIMEPRINT \
- do { \
- time_t now; \
- struct tm* ptime; \
- time(&now); \
- ptime = localtime(&now); \
- printf("[%d/%d/%d %02d:%02d:%02d]", 1900 + ptime->tm_year, \
- 1 + ptime->tm_mon, ptime->tm_mday, ptime->tm_hour, \
- ptime->tm_min, ptime->tm_sec); \
- } while (0);
-
-#define LOG_DEBUG(...) \
- do { \
- if (app_log_level) { \
- break; \
- } \
- TIMEPRINT \
- printf("[Debug]"); \
- printf("[%s:%d] ", __FILE__, __LINE__); \
- printf(__VA_ARGS__); \
- } while (0);
-
-#define LOG_WARING(...) \
- do { \
- TIMEPRINT \
- printf("[Waring]"); \
- printf("[%s:%d] ", __FILE__, __LINE__); \
- printf(__VA_ARGS__); \
- \
- } while (0);
-
-#define LOG_ERROR(...) \
- do { \
- TIMEPRINT \
- printf("[Error]"); \
- printf("[%s:%d] ", __FILE__, __LINE__); \
- printf(__VA_ARGS__); \
- } while (0);
-
-#define LOG_INFO(...) \
- do { \
- TIMEPRINT \
- printf("[Info]"); \
- printf("[%s:%d] ", __FILE__, __LINE__); \
- printf(__VA_ARGS__); \
- } while (0);
-
-#define ARK_FILENAME "./hrk.cert"
-#define ASK_FILENAME "./hsk.cert"
-#define CEK_FILENAME "./cek.cert"
-#define HSK_CEK_FILENAME "hsk_cek.cert"
-
-#define HRK_CERT_SITE "https://cert.hygon.cn/hrk"
-#define KDS_CERT_SITE "https://cert.hygon.cn/hsk_cek?snumber="
-
-#define ATTESTATION_REPORT_FILE "./report.cert"
-
-#define SHA_LEN 32
-#define CERT_ECC_MAX_SIG_SIZE 72
-#define GUEST_ATTESTATION_NONCE_SIZE 16
-#define GUEST_ATTESTATION_DATA_SIZE 64
-#define VM_ID_SIZE 16
-#define VM_VERSION_SIZE 16
-#define SN_LEN 64
-#define USER_DATA_SIZE 64
-#define HASH_BLOCK_LEN 32
-
-typedef enum _key_usage {
- KEY_USAGE_TYPE_ARK = 0,
- KEY_USAGE_TYPE_ASK = 0x13,
- KEY_USAGE_TYPE_INVALID = 0x1000,
- KEY_USAGE_TYPE_MIN = 0x1001,
- KEY_USAGE_TYPE_OCA = 0x1001,
- KEY_USAGE_TYPE_PEK = 0x1002,
- KEY_USAGE_TYPE_PDH = 0x1003,
- KEY_USAGE_TYPE_CEK = 0x1004,
- KEY_USAGE_TYPE_MAX = 
0x1004,
-} key_usage_t;
-
-typedef struct _hash_block_u {
- unsigned char block[SHA_LEN];
-} hash_block_u;
-
-/**
- * struct csv_issue_cmd - CSV ioctl parameters
- *
- * @cmd: CSV commands to execute
- * @opaque: pointer to the command structure
- * @error: CSV FW return code on failure
- */
-struct csv_issue_cmd {
- uint32_t cmd; /* In */
- uint64_t data; /* In */
- uint32_t error; /* Out */
-} __attribute__((packed));
-
-#define CSV_IOC_TYPE 'S'
-#define CSV_ISSUE_CMD _IOWR(CSV_IOC_TYPE, 0x0, struct csv_issue_cmd)
-
-enum {
- CSV_USER_CMD_FACTORY_RESET = 0,
- CSV_USER_CMD_PDH_CERT_EXPORT = 5,
- CSV_USER_CMD_GET_ID = 7,
- CSV_USER_CMD_GET_ID2 = 8,
- CSV_USER_CMD_ATTESTATION = 38,
- CSV_USER_CMD_MAX,
-};
-
-/* verify */
-#define CERT_RSA_MAX_KEY_SIZE 256
-#define CERT_RSA_MAX_SIG_SIZE 512
-#define CERT_ECC_MAX_KEY_SIZE 72
-#define CERT_ECC_MAX_SIG_SIZE 72
-#define CERT_ECC_KEY_RESERVED_SIZE 880
-#define CERT_SM2_KEY_RESERVED_SIZE 624
-#define CERT_SM2_ROOT_KEY_RESERVED_SIZE 620
-#define CERT_ECC_SIG_RESERVED_SIZE 368
-
-typedef enum _curve_id {
- CURVE_ID_TYPE_INVALID = 0,
- CURVE_ID_TYPE_MIN = 0X1,
- CURVE_ID_TYPE_P256 = 0x1,
- CURVE_ID_TYPE_P384 = 0x2,
- CURVE_ID_TYPE_SM2_256 = 0x3,
- CURVE_ID_TYPE_MAX = 0X3
-} curve_id_t;
-
-#define CSV_CERT_RSVD3_SIZE 624
-#define CSV_CERT_RSVD4_SIZE 368
-#define CSV_CERT_RSVD5_SIZE 368
-#define HIGON_USER_ID_SIZE 256
-#define SIZE_INT32 4
-#define SIZE_24 24
-#define SIZE_108 108
-#define SIZE_112 112
-#define ECC_POINT_SIZE 72
-#define CHIP_KEY_ID_LEN 16
-#define SM2_UID_SIZE_U 256
-#define ECC_LEN 32 // p-256
-#define ECC_KEY_BITS 256
-
-#define ATTESTATION_REPORT_SIGNED_SIZE 180
-#define KVM_HC_VM_ATTESTATION 100 /* Specific to Hygon platform */
-
-#pragma pack(push)
-#pragma pack(1)
-typedef struct _userid_u {
- unsigned short len;
- unsigned char uid[SM2_UID_SIZE_U - sizeof(unsigned short)];
-} userid_u;
-
-/**
- * hash block data structure
- * used to store the hash result value
- */
-typedef struct _hash_block {
- 
uint8_t block[HASH_BLOCK_LEN];
-} hash_block_t;
-
-typedef struct _chip_key_id {
- uint8_t id[CHIP_KEY_ID_LEN];
-} chip_key_id_t;
-
-typedef struct _ecc_pubkey {
- uint32_t curve_id;
- uint32_t Qx[ECC_POINT_SIZE / SIZE_INT32];
- uint32_t Qy[ECC_POINT_SIZE / SIZE_INT32];
- uint32_t user_id[HIGON_USER_ID_SIZE / SIZE_INT32];
-} ecc_pubkey_t;
-
-typedef struct _ecc_signature {
- uint32_t sig_r[ECC_POINT_SIZE / SIZE_INT32];
- uint32_t sig_s[ECC_POINT_SIZE / SIZE_INT32];
-} ecc_signature_t;
-
-struct _higon_root_cert {
- uint32_t version;
- chip_key_id_t key_id;
- chip_key_id_t certifying_id;
- uint32_t key_usage;
- uint32_t reserved1[SIZE_24 / SIZE_INT32];
- union {
- uint32_t pubkey[(SIZE_INT32 + ECC_POINT_SIZE * 2 + HIGON_USER_ID_SIZE) / SIZE_INT32];
- ecc_pubkey_t ecc_pubkey;
- };
- uint32_t reserved2[SIZE_108 / SIZE_INT32];
- union {
- uint32_t signature[ECC_POINT_SIZE * 2 / SIZE_INT32];
- ecc_signature_t ecc_sig;
- };
- uint32_t reserved3[SIZE_112 / SIZE_INT32];
-};
-
-struct _higon_csv_cert {
- uint32_t version;
- uint8_t api_major;
- uint8_t api_minor;
- uint8_t reserved1;
- uint8_t reserved2;
- uint32_t pubkey_usage;
- uint32_t pubkey_algo;
- union {
- uint32_t pubkey[(SIZE_INT32 + ECC_POINT_SIZE * 2 + HIGON_USER_ID_SIZE) / SIZE_INT32];
- ecc_pubkey_t ecc_pubkey;
- };
- uint32_t reserved3[CSV_CERT_RSVD3_SIZE / SIZE_INT32];
- uint32_t sig1_usage;
- uint32_t sig1_algo;
- union {
- uint32_t sig1[ECC_POINT_SIZE * 2 / SIZE_INT32];
- ecc_signature_t ecc_sig1;
- };
- uint32_t reserved4[CSV_CERT_RSVD4_SIZE / SIZE_INT32];
- uint32_t sig2_usage;
- uint32_t sig2_algo;
- union {
- uint32_t sig2[ECC_POINT_SIZE * 2 / SIZE_INT32];
- ecc_signature_t ecc_sig2;
- };
- uint32_t reserved5[CSV_CERT_RSVD5_SIZE / SIZE_INT32];
-};
-#pragma pack(pop)
-
-typedef struct _higon_root_cert CHIP_ROOT_CERT_t;
-typedef struct _higon_csv_cert CSV_CERT_t;
-
-typedef struct _csv_cert_chain {
- CSV_CERT_t pek_cert;
- CSV_CERT_t oca_cert;
- CSV_CERT_t cek_cert;
-} CSV_CERT_CHAIN_t;
-
-typedef struct 
csv_attestation_report {
- hash_block_t user_pubkey_digest;
- uint8_t vm_id[VM_ID_SIZE];
- uint8_t vm_version[VM_VERSION_SIZE];
- uint8_t user_data[USER_DATA_SIZE];
- uint8_t mnonce[GUEST_ATTESTATION_NONCE_SIZE];
- hash_block_t measure;
- uint32_t policy;
- uint32_t sig_usage;
- uint32_t sig_algo;
- uint32_t anonce;
- union {
- uint32_t sig1[ECC_POINT_SIZE * 2 / SIZE_INT32];
- ecc_signature_t ecc_sig1;
- };
- CSV_CERT_t pek_cert;
- uint8_t sn[SN_LEN];
- uint8_t reserved2[32];
- hash_block_u mac;
-} Csv_attestation_report;
-
-/**
- * struct csv_user_data_pdh_cert_export - PDH_CERT_EXPORT command parameters
- *
- * @pdh_address: PDH certificate address
- * @pdh_length: length of PDH certificate
- * @cert_chain_address: PDH certificate chain
- * @cert_chain_length: length of PDH certificate chain
- */
-struct csv_user_data_pdh_cert_export {
- uint64_t pdh_cert_address; /* In */
- uint32_t pdh_cert_length; /* In/Out */
- uint64_t cert_chain_address; /* In */
- uint32_t cert_chain_length; /* In/Out */
-} __attribute__((packed));
-
-struct ecc_point_q {
- curve_id_t curve_id;
- unsigned char Qx[ECC_LEN];
- unsigned char Qy[ECC_LEN];
-};
-
-struct ecdsa_sign {
- unsigned char r[ECC_LEN];
- unsigned char s[ECC_LEN];
-};
-
-int get_attestation_report_use_ioctl(Csv_attestation_report* report, const char* custom_data);
-int full_verify_report(struct csv_attestation_report* report);
-int get_attestation_report_use_vmmcall(Csv_attestation_report* report, const char* custom_data, unsigned int kvm_hc_vm_attestation);
-
-#endif /* __ATTATESTATION_H__ */
diff --git a/cvmassistants/attest-helper/report/attestation_c/get-attestation-ioctl.c b/cvmassistants/attest-helper/report/attestation_c/get-attestation-ioctl.c
deleted file mode 100644
index c5bd69d..0000000
--- a/cvmassistants/attest-helper/report/attestation_c/get-attestation-ioctl.c
+++ /dev/null
@@ -1,139 +0,0 @@
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-
-#include "attestation.h"
-
-#include "openssl/sm3.h"
-
-struct csv_attestation_user_data {
- uint8_t data[GUEST_ATTESTATION_DATA_SIZE];
- uint8_t mnonce[GUEST_ATTESTATION_NONCE_SIZE];
- hash_block_u hash;
-};
-
-static void gen_random_bytes(void* buf, uint32_t len) {
- uint32_t i;
- uint8_t* buf_byte = (uint8_t*)buf;
-
- for (i = 0; i < len; i++) {
- buf_byte[i] = rand() & 0xFF;
- }
-}
-
-static void csv_data_dump(const char* name, uint8_t* data, uint32_t len) {
- printf("%s:", name);
- int i;
- for (i = 0; i < len; i++) {
- unsigned char c = (unsigned char)data[i];
- printf("%02hhx", c);
- }
- printf("\n");
-}
-
-struct csv_guest_mem {
- unsigned long va;
- int size;
-};
-
-#define PAGE_SHIFT 12
-#define PAGE_SIZE (1 << PAGE_SHIFT)
-
-#define csv_guest_IOC_TYPE 'D'
-#define GET_ATTESTATION_REPORT _IOWR(csv_guest_IOC_TYPE, 1, struct csv_guest_mem)
-
-int get_attestation_report_use_ioctl(Csv_attestation_report* report, const char* custom_data) {
- setvbuf(stdout, NULL, _IONBF, 0);
- if (!report) {
- LOG_ERROR("NULL pointer for report\n");
- return -1;
- }
-
- if (!custom_data) {
- LOG_ERROR("NULL pointer for custom data");
- return -1;
- }
-
- if (strlen(custom_data) > GUEST_ATTESTATION_DATA_SIZE) {
- LOG_ERROR("custom size is too large, limit to %d \n", GUEST_ATTESTATION_DATA_SIZE);
- return -1;
- }
- struct csv_attestation_user_data* user_data;
- int user_data_len = PAGE_SIZE;
- long ret;
- int fd = 0;
- struct csv_guest_mem mem = {0};
-
- /* prepare user data */
- user_data = (struct csv_attestation_user_data*)malloc(user_data_len);
- if (user_data == NULL) {
- LOG_ERROR("NULL pointer for user_data\n");
- return -1;
- }
- memset((void*)user_data, 0x0, user_data_len);
-
- strncpy((char*)user_data->data, custom_data, GUEST_ATTESTATION_DATA_SIZE);
- gen_random_bytes(user_data->mnonce, GUEST_ATTESTATION_NONCE_SIZE);
- // compute hash 
and save to the private page
- sm3((const unsigned char*)user_data,
- GUEST_ATTESTATION_DATA_SIZE + GUEST_ATTESTATION_NONCE_SIZE,
- (unsigned char*)&user_data->hash);
-
- fd = open("/dev/csv-guest", O_RDWR);
- if (fd < 0) {
- LOG_ERROR("open /dev/csv-guest failed\n");
- free(user_data);
- return -1;
- }
- mem.va = (uint64_t)user_data;
- LOG_DEBUG("mem.va: %lx\n", mem.va);
- mem.size = user_data_len;
- /* get attestation report */
- ret = ioctl(fd, GET_ATTESTATION_REPORT, &mem);
- if (ret < 0) {
- LOG_ERROR("ioctl GET_ATTESTATION_REPORT fail: %ld\n", ret);
- goto error;
- }
- memcpy(report, user_data, sizeof(*report));
-
- LOG_DEBUG("the import info of the report is as follow: \n");
- // retrieve mnonce, PEK cert and ChipId by report->anonce
- static uint8_t g_user_data[USER_DATA_SIZE];
- int i,j;
- j = sizeof(report->user_data) / sizeof(uint32_t);
- for (i = 0; i < j; i++)
- ((uint32_t *)g_user_data)[i] = ((uint32_t *)report->user_data)[i] ^ report->anonce;
- printf("user data: %-64.64s \n", g_user_data);
-
- static uint8_t g_mnonce[GUEST_ATTESTATION_NONCE_SIZE];
- j = sizeof(report->mnonce) / sizeof(uint32_t);
- for (i = 0; i < j; i++)
- ((uint32_t *)g_mnonce)[i] = ((uint32_t *)report->mnonce)[i] ^ report->anonce;
- csv_data_dump("monce", g_mnonce, GUEST_ATTESTATION_NONCE_SIZE);
-
- static uint8_t g_measure[HASH_BLOCK_LEN];
- j = sizeof(report->measure) / sizeof(uint32_t);
- for (i = 0; i < j; i++)
- ((uint32_t *)g_measure)[i] = ((uint32_t *)report->measure.block)[i] ^ report->anonce;
- csv_data_dump("measure", g_measure, HASH_BLOCK_LEN);
-
- static uint8_t g_chip_id[SN_LEN];
- j = ((uint8_t *)&report->reserved2 - (uint8_t *)report->sn) / sizeof(uint32_t);
- for (i = 0; i < j; i++)
- ((uint32_t *)g_chip_id)[i] = ((uint32_t *)report->sn)[i] ^ report->anonce;
- printf("chip_id: %-64.64s \n", g_chip_id);
- LOG_INFO("get attestation report successful\n");
-error:
- close(fd);
- free(user_data);
- return ret;
-}
diff --git a/cvmassistants/attest-helper/report/attestation_c/get-attestation-vmmcall.c b/cvmassistants/attest-helper/report/attestation_c/get-attestation-vmmcall.c
deleted file mode 100644
index f94417c..0000000
--- a/cvmassistants/attest-helper/report/attestation_c/get-attestation-vmmcall.c
+++ /dev/null
@@ -1,222 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "attestation.h" - -#include "openssl/sm3.h" - -#define PAGE_SHIFT 12 -#define PAGE_SIZE (1 << PAGE_SHIFT) -#define PAGEMAP_LEN 8 - -struct csv_attestation_user_data { - uint8_t data[GUEST_ATTESTATION_DATA_SIZE]; - uint8_t mnonce[GUEST_ATTESTATION_NONCE_SIZE]; - hash_block_u hash; -}; - -static void gen_random_bytes(void* buf, uint32_t len) { - uint32_t i; - uint8_t* buf_byte = (uint8_t*)buf; - - for (i = 0; i < len; i++) { - buf_byte[i] = rand() & 0xFF; - } -} - -static void csv_data_dump(const char* name, uint8_t* data, uint32_t len) { - printf("%s:\n", name); - int i; - for (i = 0; i < len; i++) { - unsigned char c = (unsigned char)data[i]; - printf("%02hhx", c); - } - printf("\n"); -} - -static uint64_t va_to_pa(uint64_t va) { - FILE* pagemap; - uint64_t offset, pfn; - - pagemap = fopen("/proc/self/pagemap", "rb"); - if (!pagemap) { - LOG_ERROR("open pagemap fail\n"); - return 0; - } - - offset = va / PAGE_SIZE * PAGEMAP_LEN; - if (fseek(pagemap, offset, SEEK_SET) != 0) { - LOG_ERROR("seek pagemap fail\n"); - fclose(pagemap); - return 0; - } - - if (fread(&pfn, 1, PAGEMAP_LEN - 1, pagemap) != PAGEMAP_LEN - 1) { - LOG_ERROR("read pagemap fail\n"); - fclose(pagemap); - return 0; - } - - pfn &= 0x7FFFFFFFFFFFFF; - - return pfn << PAGE_SHIFT; -} - -static long hypercall(unsigned int nr, unsigned long p1, unsigned int len) { - long ret = 0; - - asm volatile("vmmcall" - : "=a"(ret) - : "a"(nr), "b"(p1), "c"(len) - : "memory"); - return ret; -} - -int compute_session_mac_and_verify(struct csv_attestation_report* report) { - hash_block_u hmac = {0}; - - int i, j = 0; - uint8_t mnonce[GUEST_ATTESTATION_NONCE_SIZE]; - j = sizeof(report->mnonce) / sizeof(uint32_t); - for (i = 0; i < j; i++) - ((uint32_t*)mnonce)[i] = ((uint32_t*)report->mnonce)[i] ^ report->anonce; - - - sm3_hmac((const unsigned char*)(&report->pek_cert), - sizeof(report->pek_cert) + 
SN_LEN + sizeof(report->reserved2), - mnonce, GUEST_ATTESTATION_NONCE_SIZE, (unsigned char*)(hmac.block)); - - if (memcmp(hmac.block, report->mac.block, sizeof(report->mac.block)) == 0) { - LOG_INFO("mac verify success\n"); - return 0; - } else { - LOG_ERROR("mac verify failed\n"); - return -1; - } -} - -// kvm_hc_vm_attestationhoskerne,>5.10100,5.112 -int get_attestation_report_use_vmmcall(Csv_attestation_report* report, const char* custom_data, unsigned int kvm_hc_vm_attestation) { - setvbuf(stdout, NULL, _IONBF, 0); - struct csv_attestation_user_data* user_data; - uint64_t user_data_pa; - long ret; - - if (!report) { - LOG_ERROR("NULL pointer for report\n"); - return -1; - } - - if (custom_data == NULL) { - LOG_ERROR("NULL pointer for user_data\n"); - return -1; - } - - /* prepare user data */ - user_data = mmap(NULL, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0); - if (user_data == MAP_FAILED) { - LOG_ERROR("mmap failed\n"); - return -1; - } - LOG_DEBUG("mmap %p\n", user_data); - strncpy((char*)user_data->data, custom_data, GUEST_ATTESTATION_DATA_SIZE); - gen_random_bytes(user_data->mnonce, GUEST_ATTESTATION_NONCE_SIZE); - - // compute hash and save to the private page - sm3((const unsigned char*)user_data, - GUEST_ATTESTATION_DATA_SIZE + GUEST_ATTESTATION_NONCE_SIZE, - (unsigned char*)&user_data->hash); - - /* call host to get attestation report */ - user_data_pa = va_to_pa((uint64_t)user_data); - LOG_DEBUG("user_data_pa: %lx\n", user_data_pa); - LOG_DEBUG("kvm_hc_vm_attestatio: %d\n", kvm_hc_vm_attestation); - - ret = hypercall(kvm_hc_vm_attestation, user_data_pa, PAGE_SIZE); - if (ret) { - LOG_ERROR("hypercall fail: %ld\n", ret); - munmap(user_data, PAGE_SIZE); - return -1; - } - memcpy(report, user_data, sizeof(*report)); - - LOG_DEBUG("the import info of the report is as follow: \n"); - // retrieve mnonce, PEK cert and ChipId by report->anonce - static uint8_t g_user_data[USER_DATA_SIZE] = {0}; - int i,j; - j = 
sizeof(report->user_data) / sizeof(uint32_t); - for (i = 0; i < j; i++) - ((uint32_t *)g_user_data)[i] = ((uint32_t *)report->user_data)[i] ^ report->anonce; - printf("data_string: %-64.64s \n", g_user_data); - - static uint8_t g_mnonce[GUEST_ATTESTATION_NONCE_SIZE]; - j = sizeof(report->mnonce) / sizeof(uint32_t); - for (i = 0; i < j; i++) - ((uint32_t *)g_mnonce)[i] = ((uint32_t *)report->mnonce)[i] ^ report->anonce; - csv_data_dump("monce", g_mnonce, GUEST_ATTESTATION_NONCE_SIZE); - - static uint8_t g_measure[HASH_BLOCK_LEN]; - j = sizeof(report->measure) / sizeof(uint32_t); - for (i = 0; i < j; i++) - ((uint32_t *)g_measure)[i] = ((uint32_t *)report->measure.block)[i] ^ report->anonce; - csv_data_dump("measure", g_measure, HASH_BLOCK_LEN); - - static uint8_t g_chip_id[SN_LEN]; - j = ((uint8_t *)&report->reserved2 - (uint8_t *)report->sn) / sizeof(uint32_t); - for (i = 0; i < j; i++) - ((uint32_t *)g_chip_id)[i] = ((uint32_t *)report->sn)[i] ^ report->anonce; - printf("chip_id: %-64.64s \n", g_chip_id); - LOG_INFO("get attestation report successful\n"); - - ret = compute_session_mac_and_verify(report); - if (ret) { - LOG_ERROR("PEK cert and ChipId have been tampered with\n"); - return ret; - } else { - LOG_INFO("check PEK cert and ChipId successfully\n"); - } - -// memset(report->reserved2, 0, sizeof(report->reserved2)); - munmap(user_data, PAGE_SIZE); - return 0; -} - -int save_report_to_file(struct csv_attestation_report* report, const char* path) { - if (!report) { - LOG_ERROR("no report\n"); - return -1; - } - if (!path || !*path) { - LOG_ERROR("no file\n"); - return -1; - } - - int fd = open(path, O_CREAT | O_WRONLY); - if (fd < 0) { - LOG_ERROR("open file %s fail %d\n", path, fd); - return fd; - } - - int len = 0, n; - - while (len < sizeof(*report)) { - n = write(fd, report + len, sizeof(*report)); - if (n == -1) { - LOG_ERROR("write file error\n"); - close(fd); - return n; - } - len += n; - } - - close(fd); - LOG_INFO("save report to %s successful\n", 
path);
- return 0;
-}
diff --git a/cvmassistants/attest-helper/report/attestation_c/lib/libcrypto.so b/cvmassistants/attest-helper/report/attestation_c/lib/libcrypto.so
deleted file mode 100644
index a7816c9..0000000
Binary files a/cvmassistants/attest-helper/report/attestation_c/lib/libcrypto.so and /dev/null differ
diff --git a/cvmassistants/attest-helper/report/attestation_c/lib/libcrypto.so.1.1 b/cvmassistants/attest-helper/report/attestation_c/lib/libcrypto.so.1.1
deleted file mode 100644
index a7816c9..0000000
Binary files a/cvmassistants/attest-helper/report/attestation_c/lib/libcrypto.so.1.1 and /dev/null differ
diff --git a/cvmassistants/attest-helper/report/attestation_c/report.go b/cvmassistants/attest-helper/report/attestation_c/report.go
deleted file mode 100644
index 192068e..0000000
--- a/cvmassistants/attest-helper/report/attestation_c/report.go
+++ /dev/null
@@ -1,265 +0,0 @@ -package attestation_c - -/* -#cgo CFLAGS: -I/opt/gmssl/include/ -O0 -#cgo LDFLAGS: -L/opt/gmssl/lib -Wl,-rpath=/opt/gmssl/lib -lcrypto -ldl -#include "attestation.h" -*/ -import "C" -import ( - "bytes" - "encoding/base64" - "encoding/binary" - "encoding/hex" - "fmt" - "os" - "strconv" - "unsafe" - - "github.com/sirupsen/logrus" -) - -const SHA_LEN = 32 -const CERT_ECC_MAX_SIG_SIZE = 72 -const GUEST_ATTESTATION_NONCE_SIZE = 16 -const GUEST_ATTESTATION_DATA_SIZE = 64 -const VM_ID_SIZE = 16 -const VM_VERSION_SIZE = 16 -const SN_LEN = 64 -const USER_DATA_SIZE = 64 -const HASH_BLOCK_LEN = 32 - -const CSV_CERT_RSVD3_SIZE = 624 -const CSV_CERT_RSVD4_SIZE = 368 -const CSV_CERT_RSVD5_SIZE = 368 -const HIGON_USER_ID_SIZE = 256 -const SIZE_INT32 = 4 -const ECC_POINT_SIZE = 72 -const CHIP_KEY_ID_LEN = 16 - -type Hash_block_t struct { - Block [HASH_BLOCK_LEN]byte -} - -type chip_key_id_t struct { - ID [CHIP_KEY_ID_LEN]byte -} - -type ecc_pubkey_t struct { - CurveID uint32 - Qx [ECC_POINT_SIZE / SIZE_INT32]uint32 - Qy [ECC_POINT_SIZE / SIZE_INT32]uint32 - UserID [HIGON_USER_ID_SIZE / SIZE_INT32]uint32 -} - -type ecc_signature_t struct { - SigR [ECC_POINT_SIZE / SIZE_INT32]uint32 - SigS [ECC_POINT_SIZE / SIZE_INT32]uint32 -} - -type Higon_csv_cert struct { - Version uint32 - APIMajor byte - APIMinor byte - Reserved1 byte - Reserved2 byte - PubkeyUsage uint32 - PubkeyAlgo uint32 - Pubkey [SIZE_INT32 + ECC_POINT_SIZE*2 + HIGON_USER_ID_SIZE]byte - Reserved3 [CSV_CERT_RSVD3_SIZE]byte - Sig1Usage uint32 - Sig1Algo uint32 - Sig1 [ECC_POINT_SIZE * 2]byte - Reserved4 [CSV_CERT_RSVD4_SIZE]byte - Sig2Usage uint32 - Sig2Algo uint32 - Sig2 [ECC_POINT_SIZE * 2]byte - Reserved5 [CSV_CERT_RSVD5_SIZE]byte -} - -type CSV_CERT_t = Higon_csv_cert - -type csv_cert_chain_t struct { - PEKCert CSV_CERT_t - OCACert CSV_CERT_t - CEKCert CSV_CERT_t -} - -type CsvAttestationReport struct { - UserPubkeyDigest Hash_block_t - VMID [VM_ID_SIZE]byte - VMVersion [VM_VERSION_SIZE]byte - 
UserData [USER_DATA_SIZE]byte - MNonce [GUEST_ATTESTATION_NONCE_SIZE]byte - Measure Hash_block_t - Policy uint32 - SigUsage uint32 - SigAlgo uint32 - ANonce uint32 - Sig [ECC_POINT_SIZE * 2]byte - PEKCert CSV_CERT_t - SN [SN_LEN]byte - Reserved2 [32]byte - Mac Hash_block_t -} - -type ReportDetailInfo struct { - UserData string `json:"userData"` - Monce string `json:"monce"` - Measure string `json:"measure"` - VMId string `json:"vmId"` - VMVersion string `json:"vmVersion"` - ChipId string `json:"chipId"` - FullReport string `json:"fullReport"` -} - -func GetReport(userdata string, sealingkey bool) (*CsvAttestationReport, error) { - if len(userdata) > 64 { - return nil, fmt.Errorf("user data is limit to 64 byte") - } - var GoCsvAttestationReport CsvAttestationReport - //open debug log when get report - C.app_log_level = 0 - // KVM_HC_VM_ATTESTATIONhoskerne,>5.10100,5.112 - kvm_hc_vm_attestation_string := os.Getenv("KVM_HC_VM_ATTESTATION") - var kvm_hc_vm_attestation uint64 - if kvm_hc_vm_attestation_string == "" { - kvm_hc_vm_attestation = 100 - } else { - k, err := strconv.Atoi(kvm_hc_vm_attestation_string) - if err != nil { - return nil, fmt.Errorf("Convert KVM_HC_VM_ATTESTATION failed, it must be 100 or 12") - } - - if k != 100 && k != 12 { - return nil, fmt.Errorf("KVM_HC_VM_ATTESTATION must be 100 or 12, while input is %d", kvm_hc_vm_attestation) - } - kvm_hc_vm_attestation = uint64(k) - } - logrus.Debug("KVM_HC_VM_ATTESTATION is ", kvm_hc_vm_attestation) - CCsvAttestationReport := (*C.Csv_attestation_report)(unsafe.Pointer(&GoCsvAttestationReport)) - ret := C.get_attestation_report_use_vmmcall(CCsvAttestationReport, C.CString(userdata), C.uint(kvm_hc_vm_attestation)) - //ret := C.get_attestation_report_use_ioctl(CCsvAttestationReport, C.CString(userdata)) - if int(ret) != 0 { - return nil, fmt.Errorf("get attestation report failed, error: %d", int(ret)) - } - - if !sealingkey { - GoCsvAttestationReport.Reserved2 = [32]byte{} // clear sealing key - } - return 
&GoCsvAttestationReport, nil -} - -func VerifyReport(report *CsvAttestationReport) error { - if report == nil { - return fmt.Errorf("point of report is nil") - } - - //open debug log when verify report - C.app_log_level = 0 - CCsvAttestationReport := (*C.Csv_attestation_report)(unsafe.Pointer(report)) - ret := C.full_verify_report(CCsvAttestationReport) - - if int(ret) != 0 { - return fmt.Errorf("verify attestation report failed, error: %d", int(ret)) - } - - return nil -} - -func GetReportDetailInfo(d *CsvAttestationReport) *ReportDetailInfo { - rdi := new(ReportDetailInfo) - - buf, err := MarshalCsvAttestationReport(d) - if err != nil { - message := fmt.Sprintf("change report to binary failed: %s", err.Error()) - logrus.Error(message) - } - rdi.FullReport = base64.StdEncoding.EncodeToString(buf) - - var UserData [64]uint8 - j := unsafe.Sizeof(d.UserData) / unsafe.Sizeof(uint32(0)) - for i := 0; i < int(j); i++ { - tmp := (*uint32)(unsafe.Pointer(&d.UserData[i*4])) - *tmp ^= d.ANonce - copy(UserData[i*4:], (*[4]uint8)(unsafe.Pointer(tmp))[:]) - } - rdi.UserData = string(bytes.TrimRight(UserData[:], "\x00")) - - var measure [32]uint8 - j = unsafe.Sizeof(d.Measure) / unsafe.Sizeof(uint32(0)) - for i := 0; i < int(j); i++ { - tmp := (*uint32)(unsafe.Pointer(&d.Measure.Block[i*4])) - *tmp ^= d.ANonce - copy(measure[i*4:], (*[4]uint8)(unsafe.Pointer(tmp))[:]) - } - rdi.Measure = hex.EncodeToString(measure[:]) - - var mnonce [16]uint8 - j = unsafe.Sizeof(d.MNonce) / unsafe.Sizeof(uint32(0)) - for i := 0; i < int(j); i++ { - tmp := (*uint32)(unsafe.Pointer(&d.MNonce[i*4])) - *tmp ^= d.ANonce - copy(mnonce[i*4:], (*[4]uint8)(unsafe.Pointer(tmp))[:]) - } - rdi.Monce = hex.EncodeToString(mnonce[:]) - - var vmid [16]uint8 - j = unsafe.Sizeof(d.VMID) / unsafe.Sizeof(uint32(0)) - for i := 0; i < int(j); i++ { - tmp := (*uint32)(unsafe.Pointer(&d.VMID[i*4])) - *tmp ^= d.ANonce - copy(vmid[i*4:], (*[4]uint8)(unsafe.Pointer(tmp))[:]) - } - rdi.VMId = hex.EncodeToString(vmid[:]) - 
- var vmversion [16]uint8 - j = unsafe.Sizeof(d.VMVersion) / unsafe.Sizeof(uint32(0)) - for i := 0; i < int(j); i++ { - tmp := (*uint32)(unsafe.Pointer(&d.VMVersion[i*4])) - *tmp ^= d.ANonce - copy(vmversion[i*4:], (*[4]uint8)(unsafe.Pointer(tmp))[:]) - } - rdi.VMVersion = hex.EncodeToString(vmversion[:]) - - var chipID [64]uint8 - j = (uintptr(unsafe.Pointer(&d.Reserved2)) - uintptr(unsafe.Pointer(&d.SN))) / uintptr(unsafe.Sizeof(uint32(0))) - for i := 0; i < int(j); i++ { - chipID32 := (*uint32)(unsafe.Pointer(&d.SN[i*4])) - *chipID32 ^= d.ANonce - copy(chipID[i*4:], (*[4]uint8)(unsafe.Pointer(chipID32))[:]) - } - rdi.ChipId = string(bytes.TrimRight(chipID[:], "\x00")) - - return rdi -} - -func GetSealingKey() (sealingkey string, err error) { - report, err := GetReport("get-sealing-key", true) - if err != nil { - message := fmt.Sprintf("get sealing key failed, error: %s", err.Error()) - logrus.Error(message) - return "", err - } - - return hex.EncodeToString(report.Reserved2[:]), nil -} - -func MarshalCsvAttestationReport(d *CsvAttestationReport) ([]byte, error) { - buf := new(bytes.Buffer) - err := binary.Write(buf, binary.LittleEndian, d) - if err != nil { - return nil, err - } - return buf.Bytes(), nil -} - -func UnmarshalCsvAttestationReport(data []byte) (*CsvAttestationReport, error) { - buf := bytes.NewReader(data) - d := new(CsvAttestationReport) - err := binary.Read(buf, binary.LittleEndian, d) - if err != nil { - return nil, err - } - return d, nil -} diff --git a/cvmassistants/attest-helper/report/attestation_c/verify-attestation.c b/cvmassistants/attest-helper/report/attestation_c/verify-attestation.c deleted file mode 100644 index 803593d..0000000 --- a/cvmassistants/attest-helper/report/attestation_c/verify-attestation.c +++ /dev/null 
@@ -1,528 +0,0 @@ -#include -#include -#include -#include -#include -#include -#include - -#include "attestation.h" - -#include "openssl/conf.h" -#include "openssl/ec.h" -#include "openssl/err.h" -#include "openssl/evp.h" -#include "openssl/sm2.h" -#include "openssl/sm3.h" - -static void csv_report_dump_part(const char* name, uint8_t* section, uint32_t len) { - printf("report.%s:\n", name); - int i; - for (i = 0; i < len; i++) { - unsigned char c = (unsigned char)section[i]; - printf("%02hhx", c); - } - printf("\n"); -} - -static void invert_endian(unsigned char* buf, int len) { - for (int i = 0; i < len / 2; i++) { - unsigned int tmp = buf[i]; - buf[i] = buf[len - i - 1]; - buf[len - i - 1] = tmp; - } -} - -static int gmssl_sm2_verify(struct ecc_point_q Q, unsigned char* userid, unsigned int userid_len, const unsigned char* msg, unsigned int msg_len, struct ecdsa_sign* sig_in) { - int ret; - EC_KEY* eckey; - unsigned char dgst[ECC_LEN]; - long unsigned int dgstlen; - - if (!msg || !userid || !sig_in) { - LOG_ERROR("gmssl_sm2 dsa256_verify invalid input parameter\n") - return -1; - } - - invert_endian(sig_in->r, ECC_LEN); - invert_endian(sig_in->s, ECC_LEN); - - BIGNUM* bn_qx = BN_bin2bn(Q.Qx, 32, NULL); - BIGNUM* bn_qy = BN_bin2bn(Q.Qy, 32, NULL); - - eckey = EC_KEY_new(); - EC_GROUP* group256 = EC_GROUP_new_by_curve_name(NID_sm2p256v1); - EC_KEY_set_group(eckey, group256); - EC_POINT* ecpt_pubkey = EC_POINT_new(group256); - EC_POINT_set_affine_coordinates_GFp(group256, ecpt_pubkey, bn_qx, bn_qy, NULL); - EC_KEY_set_public_key(eckey, ecpt_pubkey); - - if (eckey == NULL) { - /* error */ - LOG_ERROR("EC_KEY_new_by_curve_name"); - EC_POINT_free(ecpt_pubkey); - return -1; - } - - dgstlen = sizeof(dgst); - SM2_compute_message_digest(EVP_sm3(), EVP_sm3(), msg, msg_len, (const char*)userid, - userid_len, dgst, &dgstlen, eckey); - - /* verify */ - ECDSA_SIG* s = ECDSA_SIG_new(); - BIGNUM* sig_r = BN_new(); - BIGNUM* sig_s = BN_new(); - BN_bin2bn(sig_in->r, 32, sig_r); - 
BN_bin2bn(sig_in->s, 32, sig_s); - ECDSA_SIG_set0(s, sig_r, sig_s); - LOG_DEBUG("Signature: r=%s, s=%s\n", BN_bn2hex(sig_r), BN_bn2hex(sig_s)); - - ret = SM2_do_verify(dgst, dgstlen, s, eckey); - - EC_POINT_free(ecpt_pubkey); - ECDSA_SIG_free(s); - EC_GROUP_free(group256); - EC_KEY_free(eckey); - - if (1 != ret) { - LOG_ERROR("SM2_do_verify fail!, ret=%d\n", ret); - return -1; - } else - LOG_INFO("SM2_do_verify success!\n"); - - return 0; -} - -static int csv_cert_verify(const char* data, uint32_t datalen, ecc_signature_t* signature, ecc_pubkey_t* pubkey) { - struct ecc_point_q Q; - - Q.curve_id = pubkey->curve_id; - memcpy(Q.Qx, pubkey->Qx, ECC_LEN); - memcpy(Q.Qy, pubkey->Qy, ECC_LEN); - invert_endian(Q.Qx, ECC_LEN); - invert_endian(Q.Qy, ECC_LEN); - - struct ecdsa_sign sig_in; - memcpy(sig_in.r, signature->sig_r, ECC_LEN); - memcpy(sig_in.s, signature->sig_s, ECC_LEN); - - return gmssl_sm2_verify(Q, ((userid_u*)pubkey->user_id)->uid, ((userid_u*)pubkey->user_id)->len, (const unsigned char*)data, datalen, &sig_in); -} - -int verify_hrk_cert_signature(CHIP_ROOT_CERT_t* hrk) { - struct ecc_point_q Q; - struct ecdsa_sign sig_in; - - uint32_t need_copy_len = 0; - uint8_t hrk_userid[256] = {0}; - userid_u* sm2_userid = (userid_u*)hrk_userid; - - ecc_pubkey_t* pubkey = &hrk->ecc_pubkey; - ecc_signature_t* signature = &hrk->ecc_sig; - - Q.curve_id = (curve_id_t)pubkey->curve_id; - memcpy(Q.Qx, pubkey->Qx, ECC_LEN); - memcpy(Q.Qy, pubkey->Qy, ECC_LEN); - invert_endian(Q.Qx, ECC_LEN); - invert_endian(Q.Qy, ECC_LEN); - - sm2_userid->len = ((userid_u*)pubkey->user_id)->len; - need_copy_len = sm2_userid->len; - if (sm2_userid->len > (256 - sizeof(uint16_t))) { - need_copy_len = 256 - sizeof(uint16_t); - } - memcpy(sm2_userid->uid, (uint8_t*)(((userid_u*)pubkey->user_id)->uid), need_copy_len); - - memcpy(sig_in.r, signature->sig_r, ECC_LEN); - memcpy(sig_in.s, signature->sig_s, ECC_LEN); - - return gmssl_sm2_verify(Q, sm2_userid->uid, sm2_userid->len, (const uint8_t*)hrk, 64 
+ 512, &sig_in); -} - -static int verify_hsk_cert_signature(CHIP_ROOT_CERT_t* hrk, CHIP_ROOT_CERT_t* hsk) { - struct ecc_point_q Q; - struct ecdsa_sign sig_in; - - uint32_t need_copy_len = 0; - uint8_t hrk_userid[256] = {0}; - userid_u* sm2_userid = (userid_u*)hrk_userid; - - ecc_pubkey_t* pubkey = (ecc_pubkey_t*)hrk->pubkey; - ecc_signature_t* signature = &hsk->ecc_sig; - - Q.curve_id = (curve_id_t)pubkey->curve_id; - memcpy(Q.Qx, pubkey->Qx, ECC_LEN); - memcpy(Q.Qy, pubkey->Qy, ECC_LEN); - invert_endian(Q.Qx, ECC_LEN); - invert_endian(Q.Qy, ECC_LEN); - - sm2_userid->len = ((userid_u*)pubkey->user_id)->len; - need_copy_len = sm2_userid->len; - if (sm2_userid->len > (256 - sizeof(uint16_t))) { - need_copy_len = 256 - sizeof(uint16_t); - } - memcpy(sm2_userid->uid, (uint8_t*)(((userid_u*)pubkey->user_id)->uid), need_copy_len); - - memcpy(sig_in.r, signature->sig_r, ECC_LEN); - memcpy(sig_in.s, signature->sig_s, ECC_LEN); - - return gmssl_sm2_verify(Q, sm2_userid->uid, sm2_userid->len, (const uint8_t*)hsk, 64 + 512, &sig_in); -} - -static int verify_cek_cert_signature(CHIP_ROOT_CERT_t* hsk, CSV_CERT_t* cek) { - struct ecc_point_q Q; - struct ecdsa_sign sig_in; - - uint32_t need_copy_len = 0; - uint8_t hrk_userid[256] = {0}; - userid_u* sm2_userid = (userid_u*)hrk_userid; - - ecc_pubkey_t* pubkey = (ecc_pubkey_t*)hsk->pubkey; - ecc_signature_t* signature; - - if (KEY_USAGE_TYPE_INVALID == cek->sig1_usage) { - signature = &cek->ecc_sig2; - } else { - signature = &cek->ecc_sig1; - } - - Q.curve_id = (curve_id_t)pubkey->curve_id; - memcpy(Q.Qx, pubkey->Qx, ECC_LEN); - memcpy(Q.Qy, pubkey->Qy, ECC_LEN); - invert_endian(Q.Qx, ECC_LEN); - invert_endian(Q.Qy, ECC_LEN); - - sm2_userid->len = ((userid_u*)pubkey->user_id)->len; - need_copy_len = sm2_userid->len; - if (sm2_userid->len > (256 - sizeof(uint16_t))) { - need_copy_len = 256 - sizeof(uint16_t); - } - memcpy(sm2_userid->uid, (uint8_t*)(((userid_u*)pubkey->user_id)->uid), need_copy_len); - - memcpy(sig_in.r, 
signature->sig_r, ECC_LEN); - memcpy(sig_in.s, signature->sig_s, ECC_LEN); - - return gmssl_sm2_verify(Q, sm2_userid->uid, sm2_userid->len, (const uint8_t*)cek, 16 + 1028, &sig_in); -} - -static int verify_pek_cert_with_cek_signature(CSV_CERT_t* cek, CSV_CERT_t* pek) { - struct ecc_point_q Q; - struct ecdsa_sign sig_in; - - uint32_t need_copy_len = 0; - uint8_t hrk_userid[256] = {0}; - userid_u* sm2_userid = (userid_u*)hrk_userid; - - ecc_pubkey_t* pubkey = &cek->ecc_pubkey; - ecc_signature_t* signature = &pek->ecc_sig1; - - Q.curve_id = (curve_id_t)pubkey->curve_id; - memcpy(Q.Qx, pubkey->Qx, ECC_LEN); - memcpy(Q.Qy, pubkey->Qy, ECC_LEN); - invert_endian(Q.Qx, ECC_LEN); - invert_endian(Q.Qy, ECC_LEN); - - sm2_userid->len = ((userid_u*)pubkey->user_id)->len; - need_copy_len = sm2_userid->len; - if (sm2_userid->len > (256 - sizeof(uint16_t))) { - need_copy_len = 256 - sizeof(uint16_t); - } - memcpy(sm2_userid->uid, (uint8_t*)(((userid_u*)pubkey->user_id)->uid), need_copy_len); - - memcpy(sig_in.r, signature->sig_r, ECC_LEN); - memcpy(sig_in.s, signature->sig_s, ECC_LEN); - - return gmssl_sm2_verify(Q, sm2_userid->uid, sm2_userid->len, (const uint8_t*)pek, 16 + 1028, &sig_in); -} - -static int load_data_from_file(const char* path, void* buff, size_t len) { - if (!path || !*path) { - LOG_ERROR("no file\n"); - return -ENOENT; - } - - int fd = open(path, O_RDONLY); - if (fd < 0) { - LOG_ERROR("open file %s fail %s\n", path, strerror(errno)); - return fd; - } - - int rlen = 0, n; - - while (rlen < len) { - n = read(fd, buff + rlen, len); - if (n == -1) { - LOG_ERROR("read file error\n"); - close(fd); - return n; - } - if (!n) { - break; - } - rlen += n; - } - - close(fd); - - return 0; -} - -int get_hrk_cert(char* cert_file) { - int cmd_ret = -1; - char command_buff[256]; - - sprintf(command_buff, "curl -o %s " HRK_CERT_SITE, cert_file); - cmd_ret = system(command_buff); - - return (int)cmd_ret; -} - -static int load_hrk_file(char* filename, void* buff, size_t len) { - 
int ret; - if (access(filename, F_OK) == -1) { - ret = get_hrk_cert(filename); - if (ret == -1) { - LOG_ERROR("Error:Download hrk failed\n"); - return ret; - } - LOG_INFO("Get hrk file from remote successful\n"); - } - - ret = load_data_from_file(filename, buff, len); - return ret; -} - -int get_hsk_cek_cert(char* cert_file, const char* chip_id) { - int cmd_ret = -1; - char command_buff[256]; - - sprintf(command_buff, "curl -o %s " KDS_CERT_SITE "%s", cert_file, chip_id); - cmd_ret = system(command_buff); - - return (int)cmd_ret; -} - -static int load_hsk_cek_file(const char* chip_id, void* hsk, size_t hsk_len, void* cek, size_t cek_len) { - int ret; - struct { - CHIP_ROOT_CERT_t hsk; - CSV_CERT_t cek; - } __attribute__((aligned(1))) HCK_file; - - char hsk_cek_file_name[1024]; - snprintf(hsk_cek_file_name, 1024, "%s_%s", chip_id, HSK_CEK_FILENAME); - if (access(hsk_cek_file_name, F_OK) == -1) { - ret = get_hsk_cek_cert(hsk_cek_file_name, chip_id); - if (ret == -1) { - LOG_ERROR("Error:Download hsk-cek failed\n"); - return ret; - } - LOG_INFO("Get hsk-cek file from remote successful\n"); - } - - ret = load_data_from_file(hsk_cek_file_name, &HCK_file, sizeof(HCK_file)); - if (ret) { - LOG_ERROR("Error: load HSK CEK file failed\n"); - return ret; - } - - memcpy(hsk, &HCK_file.hsk, hsk_len); - memcpy(cek, &HCK_file.cek, cek_len); - return 0; -} - -static int validate_cert_chain(struct csv_attestation_report* report, const char* chip_id, CSV_CERT_t* pek) { - CSV_CERT_t cek; - CHIP_ROOT_CERT_t hsk; - CHIP_ROOT_CERT_t hrk; - int success = 0; - int ret; - - do { - ret = load_hrk_file(ARK_FILENAME, &hrk, sizeof(CHIP_ROOT_CERT_t)); - if (ret) { - LOG_ERROR("hrk.cert doesn't exist or size isn't correct\n"); - break; - } - if (hrk.key_usage != KEY_USAGE_TYPE_ARK) { - LOG_ERROR("hrk.cert key_usage field isn't correct, please use command parse_cert to check hrk.cert\n"); - } - - ret = load_hsk_cek_file(chip_id, &hsk, sizeof(CHIP_ROOT_CERT_t), &cek, sizeof(CSV_CERT_t)); - if 
(ret) { - printf("Error:load hsk-cek cert failed\n"); - break; - } - if (hsk.key_usage != KEY_USAGE_TYPE_ASK) // Variable size - { - LOG_ERROR("hsk.cert key_usage field isn't correct, please use command parse_cert to check hsk.cert\n"); - break; - } - - if (cek.pubkey_usage != KEY_USAGE_TYPE_CEK) { - printf("cek.cert pub_key_usage field doesn't correct, please use command parse_cert to check cek.cert\n"); - break; - } - - if (cek.sig1_usage != KEY_USAGE_TYPE_ASK) { - LOG_ERROR("cek.cert sig_1_usage field isn't correct, please use command parse_cert to check cek.cert\n"); - break; - } - - if (cek.sig2_usage != KEY_USAGE_TYPE_INVALID) { - LOG_ERROR("cek.cert sig_2_usage field isn't correct, please use command parse_cert to check cek.cert\n"); - break; - } - - success = 1; - } while (0); - - if (!success) { - LOG_ERROR("Error:load error cert file\n"); - return -1; - } - - success = 0; - do { - ret = verify_hrk_cert_signature(&hrk); - if (ret) { - LOG_ERROR("hrk pubkey verify hrk cert failed\n"); - break; - } - LOG_INFO("hrk pubkey verify hrk cert successful\n"); - - ret = verify_hsk_cert_signature(&hrk, &hsk); - if (ret) { - printf("hrk pubkey verify hsk cert failed\n"); - break; - } - LOG_INFO("hrk pubkey verify hsk cert successful\n"); - - ret = verify_cek_cert_signature(&hsk, &cek); - if (ret) { - LOG_ERROR("hsk pubkey verify cek cert failed\n"); - break; - } - LOG_INFO("hsk pubkey verify cek cert successful\n"); - - ret = verify_pek_cert_with_cek_signature(&cek, pek); - if (ret) { - LOG_ERROR("cek pubkey and verify pek cert failed\n"); - break; - } - LOG_INFO("cek pubkey verify pek cert successful\n"); - - success = 1; - } while (0); - - if (success) { - LOG_INFO("validata cert chain successful\n"); - return 0; - } - - return -1; -} - -// full verify report will verify the cert chain and report -int full_verify_report(struct csv_attestation_report* report) { - setvbuf(stdout, NULL, _IONBF, 0); - if (NULL == report) { - LOG_ERROR("report is null\n"); - return -1; - 
} - int i, j = 0; - uint8_t chip_id[SN_LEN]; - j = ((uint8_t*)&report->reserved2 - (uint8_t*)report->sn) / sizeof(uint32_t); - for (i = 0; i < j; i++) - ((uint32_t*)chip_id)[i] = ((uint32_t*)report->sn)[i] ^ report->anonce; - - LOG_DEBUG("chip_id is %s\n", chip_id); - csv_report_dump_part("sn", report->sn, 64); - - int ret = 0; - CSV_CERT_t pek_cert; - j = ((uint8_t*)report->sn - (uint8_t*)&report->pek_cert) / sizeof(uint32_t); - for (i = 0; i < j; i++) - ((uint32_t*)&pek_cert)[i] = ((uint32_t*)&report->pek_cert)[i] ^ report->anonce; - ret = validate_cert_chain(report, (char*)chip_id, &pek_cert); - if (ret) { - LOG_ERROR("validata cert chain failed\n"); - return -1; - } - - ret = csv_cert_verify((const char*)report, ATTESTATION_REPORT_SIGNED_SIZE, &report->ecc_sig1, &pek_cert.ecc_pubkey); - if (0 == ret) { - LOG_INFO("verify report succussful\n"); - } else { - LOG_ERROR("verify report fail\n"); - } - return ret; -} - -// int main(int argc,char *argv[]) -// { -// struct csv_attestation_report report; -// int ret = 0; -// int i = 0; -// int j = 0; - -// int verify_chain; - -// if(argc < 2){ -// printf("Error:lack one parameter\n"); -// return -1; -// } - -// if(!strncasecmp(argv[1],"true",4)){ -// verify_chain = 1; -// }else if(!strncasecmp(argv[1],"false",5)){ -// verify_chain = 0; -// }else{ -// printf("Error:Invalid parameter\n"); -// return -1; -// } - -// printf("verify attestation report\n"); - -// printf("load attestation report from %s\n", ATTESTATION_REPORT_FILE); -// ret = load_data_from_file(ATTESTATION_REPORT_FILE,&report,sizeof(struct csv_attestation_report)); -// if (ret) { -// printf("load report from file fail\n"); -// return ret; -// } - -// // retrieve mnonce, PEK cert and ChipId by report->anonce -// j = sizeof(report.user_data) / sizeof(uint32_t); -// for (i = 0; i < j; i++) -// ((uint32_t *)g_user_data)[i] = ((uint32_t *)report.user_data)[i] ^ report.anonce; - -// j = sizeof(report.mnonce) / sizeof(uint32_t); -// for (i = 0; i < j; i++) -// 
((uint32_t *)g_mnonce)[i] = ((uint32_t *)report.mnonce)[i] ^ report.anonce;
-
-// j = sizeof(report.measure) / sizeof(uint32_t);
-// for (i = 0; i < j; i++)
-// ((uint32_t *)g_measure)[i] = ((uint32_t *)report.measure.block)[i] ^ report.anonce;
-
-// j = ((uint8_t *)report.sn - (uint8_t *)&report.pek_cert) / sizeof(uint32_t);
-// for (i = 0; i < j; i++)
-// ((uint32_t *)&g_pek_cert)[i] = ((uint32_t *)&report.pek_cert)[i] ^ report.anonce;
-
-// j = ((uint8_t *)&report.reserved2 - (uint8_t *)report.sn) / sizeof(uint32_t);
-// for (i = 0; i < j; i++)
-// ((uint32_t *)g_chip_id)[i] = ((uint32_t *)report.sn)[i] ^ report.anonce;
-
-// if(verify_chain){
-// printf("\nValidate cert chain:\n");
-// ret = validate_cert_chain(&report);
-// if(ret){
-// printf("validata cert chain failed\n\n");
-// return -1;
-// }
-// }
-
-// printf("verify report\n");
-// ret = csv_attestation_report_verify(&report);
-
-// return ret;
-// }
diff --git a/cvmassistants/attest-helper/routers/routers.go b/cvmassistants/attest-helper/routers/routers.go
deleted file mode 100644
index 9f17b4f..0000000
--- a/cvmassistants/attest-helper/routers/routers.go
+++ /dev/null
@@ -1,20 +0,0 @@
-package routers
-
-import (
- "attest-helper/controllers"
- "github.com/gin-gonic/gin"
-)
-
-func InitRouters() *gin.Engine {
- gin.SetMode(gin.ReleaseMode)
- router := gin.Default()
-
- attest := router.Group("/v1/attest")
-
- attestationController := controllers.AttestationController{}
- attest.POST("/report", attestationController.GetReport)
- attest.POST("/verify", attestationController.VerifyReport)
- attest.GET("/sealingkey",attestationController.GetSealingKey)
-
- return router
-}