Merge pull request #34 from veraison/fix-binding

Explicitly check that binding has failed

Author: kevinzs2048

src/main.rs

@@ -4,7 +4,8 @@ use ccatoken::store::{
 };
 use ccatoken::token;
 use clap::Parser;
-use ear::TrustVector;
+use ear::claim::TRUSTWORTHY_INSTANCE;
+use ear::{TrustTier, TrustVector};
 use serde_json::value::RawValue;
 use std::error::Error;
 use std::fs;
@@ -127,6 +128,19 @@ fn verify(args: &VerifyArgs) -> Result<(TrustVector, TrustVector), Box<dyn Error
     Ok(e.get_trust_vectors())
 }
 
+fn trust_vector_status(tv: TrustVector) -> TrustTier {
+    let mut status = TrustTier::None;
+
+    for claim in tv {
+        let claim_tier = claim.tier();
+        if status < claim_tier {
+            status = claim_tier
+        }
+    }
+
+    status
+}
+
 fn golden(args: &GoldenArgs) -> Result<(), Box<dyn Error>> {
     let c: Vec<u8> = fs::read(&args.evidence)?;
 
@@ -137,6 +151,14 @@ fn golden(args: &GoldenArgs) -> Result<(), Box<dyn Error>> {
     let cpak = map_str_to_cpak(&e.platform_claims, &j)?;
     e.verify_with_cpak(cpak)?;
 
+    let (platform_tvec, realm_tvec) = e.get_trust_vectors();
+    if platform_tvec.instance_identity != TRUSTWORTHY_INSTANCE {
+        return Err("platform is not trustworthy".into());
+    }
+    if realm_tvec.instance_identity != TRUSTWORTHY_INSTANCE {
+        return Err("realm is not trustworthy".into());
+    }
+
     let rv = map_evidence_to_refval(&e)?;
     fs::write(&args.rvstore, rv)?;
 
@@ -192,7 +214,7 @@ fn map_evidence_to_realm_refval(p: &token::Realm) -> Result<RealmRefValue, Box<d
     };
 
     for (i, other) in p.rem.iter().enumerate() {
-        v.rem[i].value = other.clone();
+        v.rem[i].value.clone_from(other);
     }
 
     Ok(v)

src/token/evidence.rs

@@ -22,7 +22,6 @@ use openssl::error::ErrorStack;
 use openssl::hash::{Hasher, MessageDigest};
 use openssl::nid::Nid;
 use serde::Deserialize;
-use std::fs;
 
 const CBOR_TAG: u64 = 399;
 const PLATFORM_LABEL: i128 = 44234;
@@ -467,10 +466,14 @@ impl Evidence {
 
         match self.check_binding() {
             Err(_) => {
-                /* swallow error */
                 return Ok(());
             }
-            _ => { /* we are done */ }
+            _ => {
+                // early return on binder errors
+                if self.realm_tvec.instance_identity.get() == CRYPTO_VALIDATION_FAILED {
+                    return Ok(());
+                }
+            }
         }
 
         self.realm_tvec.instance_identity.set(TRUSTWORTHY_INSTANCE);
@@ -487,6 +490,10 @@ impl Evidence {
         assert!(!self.realm.bytes.is_empty(), "Realm Token is Mandatory");
         self.verify_realm_token()?;
         self.check_binding()?;
+        // early return on binder errors
+        if self.realm_tvec.instance_identity.get() == CRYPTO_VALIDATION_FAILED {
+            return Ok(());
+        }
         self.realm_tvec.instance_identity.set(TRUSTWORTHY_INSTANCE);
         Ok(())
     }
@@ -521,13 +528,17 @@ impl Evidence {
 
         let mut hasher = hasher_from_alg(realm_pub_key_hash_alg.as_str())?;
 
-        hasher
-            .update(&realm_pub_key)
-            .map_err(|e| Error::HashCalculateFail(format!("{e:?}")))?;
+        hasher.update(&realm_pub_key).map_err(|e| {
+            self.realm_tvec.set_all(VERIFIER_MALFUNCTION);
+
+            Error::HashCalculateFail(format!("{e:?}"))
+        })?;
 
-        let sum = hasher
-            .finish()
-            .map_err(|e| Error::HashCalculateFail(format!("{:?}", e)))?;
+        let sum = hasher.finish().map_err(|e| {
+            self.realm_tvec.set_all(VERIFIER_MALFUNCTION);
+
+            Error::HashCalculateFail(format!("{e:?}"))
+        })?;
 
         if sum.to_vec() != *platform_nonce {
             self.realm_tvec.set_all(CRYPTO_VALIDATION_FAILED);
@@ -595,9 +606,11 @@ mod tests {
 
     const TEST_CCA_TOKEN_1_OK: &[u8; 1222] = include_bytes!("../../testdata/cca-token-01.cbor");
     const TEST_CCA_TOKEN_2_OK: &[u8; 1125] = include_bytes!("../../testdata/cca-token-02.cbor");
+    const TEST_CCA_TOKEN_BUG_33: &[u8; 2507] = include_bytes!("../../testdata/bug-33-repro.cbor");
     const TEST_CCA_RVS_OK: &str = include_str!("../../testdata/rv.json");
     const TEST_TA_2_OK: &str = include_str!("../../testdata/ta-02-ok.json");
     const TEST_TA_2_BAD: &str = include_str!("../../testdata/ta-02-bad.json");
+    const TEST_TA_TFA: &str = include_str!("../../testdata/ta-tfa.json");
 
     #[test]
     fn decode_good_token() {
@@ -688,4 +701,20 @@ mod tests {
             serde_json::to_string_pretty(&evidence.realm_tvec).unwrap()
         );
     }
+
+    #[test]
+    fn bug_33_regression() {
+        let mut evidence = Evidence::decode(&TEST_CCA_TOKEN_BUG_33.to_vec())
+            .expect("decoding TEST_CCA_TOKEN_BUG_33");
+
+        let mut tas = MemoTrustAnchorStore::new();
+        tas.load_json(TEST_TA_TFA).expect("loading trust anchors");
+
+        let r = evidence.verify(&tas);
+
+        assert!(r.is_ok());
+
+        assert!(evidence.realm_tvec.instance_identity.get() == CRYPTO_VALIDATION_FAILED);
+        assert!(evidence.platform_tvec.instance_identity.get() == TRUSTWORTHY_INSTANCE);
+    }
 }

testdata/bug-33-repro.cbor

@@ -0,0 +1,12 @@
+[
+  {
+    "pkey": {
+      "crv": "P-384",
+      "kty": "EC",
+      "x": "IShnxS4rlQiwpCCpBWDzlNLfqiG911FP8akBr-fh94uxHU5m-Kijivp2r2oxxN6M",
+      "y": "hM4tr8mWQli1P61xh3T0ViDREbF26DGOEYfbAjWjGNN7pZf-6A4OTHYqEryz6m7U"
+    },
+    "implementation-id": "7f454c4602010100000000000000000003003e00010000005058000000000000",
+    "instance-id": "0107060504030201000f0e0d0c0b0a090817161514131211101f1e1d1c1b1a1918"
+  }
+]