handler: add GetRefValueIDs to IStoreHandler

Move reference value ID extraction from evidence into store handler.
Prior to this, it was done inside evidence handler as part of claims
extraction.

This ensure that ID generation on both provisioning and verification
paths is handled in the same place, and is symmetrical with trust anchor
ID generation.

This also means that ExtractClaims method is now responsible _only_ for
claim extraction. ExtractedClaims structure is removed, and the method
now returns the map[string]interface{} claims set (ExtractedClaims
combined that with reference IDs).

Signed-off-by: Sergei Trofimov <[email protected]>

Author: setrofim

handler/evidence_rpc.go

@@ -163,12 +163,15 @@ func (s *RPCClient) GetSupportedMediaTypes() []string {
 	return resp
 }
 
-func (s *RPCClient) ExtractEvidence(token *proto.AttestationToken, trustAnchors []string) (*ExtractedClaims, error) {
+func (s *RPCClient) ExtractEvidence(
+	token *proto.AttestationToken,
+	trustAnchors []string,
+) (map[string]interface{}, error) {
 	var (
 		err       error
 		args      ExtractClaimsArgs
 		resp      []byte
-		extracted ExtractedClaims
+		extracted map[string]interface{}
 	)
 
 	args.Token, err = json.Marshal(token)
@@ -188,7 +191,7 @@ func (s *RPCClient) ExtractEvidence(token *proto.AttestationToken, trustAnchors
 		return nil, fmt.Errorf("unmarshaling extracted evidence: %w", err)
 	}
 
-	return &extracted, nil
+	return extracted, nil
 }
 
 func (s *RPCClient) ValidateEvidenceIntegrity(
@@ -240,11 +243,14 @@ func (s *RPCClient) AppraiseEvidence(ec *proto.EvidenceContext, endorsements []s
 	return &result, err
 }
 
-func (s *RPCClient) ExtractClaims(token *proto.AttestationToken, trustAnchors []string) (*ExtractedClaims, error) {
+func (s *RPCClient) ExtractClaims(
+	token *proto.AttestationToken,
+	trustAnchors []string,
+) (map[string]interface{}, error) {
 	var (
 		err             error
 		args            ExtractClaimsArgs
-		extractedClaims ExtractedClaims
+		extractedClaims map[string]interface{}
 	)
 
 	args.Token, err = json.Marshal(token)
@@ -266,5 +272,5 @@ func (s *RPCClient) ExtractClaims(token *proto.AttestationToken, trustAnchors []
 		return nil, fmt.Errorf("unmarshaling extracted claims: %w", err)
 	}
 
-	return &extractedClaims, nil
+	return extractedClaims, nil
 }

handler/ievidencehandler.go

@@ -19,7 +19,7 @@ type IEvidenceHandler interface {
 	ExtractClaims(
 		token *proto.AttestationToken,
 		trustAnchors []string,
-	) (*ExtractedClaims, error)
+	) (map[string]interface{}, error)
 
 	// ValidateEvidenceIntegrity verifies the structural integrity and validity of the
 	// token. The exact checks performed are scheme-specific, but they
@@ -50,21 +50,3 @@ type IEvidenceHandler interface {
 		endorsements []string,
 	) (*ear.AttestationResult, error)
 }
-
-// ExtractedClaims contains a map of claims extracted from an attestation
-// token along with the corresponding ReferenceIDs that are used to fetch
-// the associated endorsements.
-//
-//	ReferenceID is the key used to fetch all the Endorsements
-//	generated from claims extracted from the token
-type ExtractedClaims struct {
-	ClaimsSet    map[string]interface{} `json:"claims-set"`
-	ReferenceIDs []string               `json:"reference-ids"`
-	// please refer issue #106 for unprocessed claim set
-}
-
-func NewExtractedClaims() *ExtractedClaims {
-	return &ExtractedClaims{
-		ClaimsSet: make(map[string]interface{}),
-	}
-}

handler/istorehandler.go

@@ -14,11 +14,20 @@ import (
 type IStoreHandler interface {
 	plugin.IPluggable
 
-	// GetTrustAnchorIDs returns an array of trust anchor identifiers used
+	// GetTrustAnchorIDs returns a slice of trust anchor identifiers used
 	// to retrieve the trust anchors associated with this token. The trust anchors may be necessary to validate the
 	// entire token and/or extract its claims (if it is encrypted).
 	GetTrustAnchorIDs(token *proto.AttestationToken) ([]string, error)
 
+	// GetRefValueIDs returns a slice of identifiers used to retrieve
+	// reference values for an attestation scheme, using the claims
+	// extracted from attestation token and the associated trust anchors.
+	GetRefValueIDs(
+		tenantID string,
+		trustAnchors []string,
+		claims map[string]interface{},
+	) ([]string, error)
+
 	// SynthKeysFromRefValue synthesizes lookup key(s) for the
 	// provided reference value endorsement.
 	SynthKeysFromRefValue(tenantID string, refVal *Endorsement) ([]string, error)

handler/store_rpc.go

@@ -101,6 +101,28 @@ func (s *StoreRPCServer) GetTrustAnchorIDs(data []byte, resp *[]string) error {
 	return err
 }
 
+type GetRefValueIDsArgs struct {
+	TenantID string
+	TrustAnchors []string
+	Claims []byte
+}
+
+func (s *StoreRPCServer) GetRefValueIDs(args GetRefValueIDsArgs, resp *[]string) error {
+	var claims map[string]interface{}
+
+	err := json.Unmarshal(args.Claims, &claims)
+	if err != nil {
+		return fmt.Errorf("unmarshaling token: %w", err)
+	}
+
+	*resp, err = s.Impl.GetRefValueIDs(args.TenantID, args.TrustAnchors, claims)
+	if err != nil {
+		return err
+	}
+
+	return err
+}
+
 /*
   RPC client
   (plugin caller side)
@@ -230,3 +252,32 @@ func (s *StoreRPCClient) GetTrustAnchorIDs(token *proto.AttestationToken) ([]str
 
 	return resp, nil
 }
+
+func (s *StoreRPCClient) GetRefValueIDs(
+	tenantID string,
+	trustAnchors []string,
+	claims map[string]interface{},
+) ([]string, error) {
+	var (
+		err error
+		resp []string
+	)
+
+	args := GetRefValueIDsArgs{
+		TenantID: tenantID,
+		TrustAnchors: trustAnchors,
+	}
+
+	args.Claims, err = json.Marshal(claims)
+	if err != nil {
+		return nil, err
+	}
+
+	err = s.client.Call("Plugin.GetRefValueIDs", args, &resp)
+	if err != nil {
+		err = ParseError(err)
+		return nil, fmt.Errorf("Plugin.GetRefValueIDs RPC call failed: %w", err) // nolint
+	}
+
+	return resp, nil
+}

scheme/cca-ssd-platform/evidence_handler.go

@@ -36,15 +36,14 @@ func (s EvidenceHandler) GetSupportedMediaTypes() []string {
 func (s EvidenceHandler) ExtractClaims(
 	token *proto.AttestationToken,
 	trustAnchors []string,
-) (*handler.ExtractedClaims, error) {
+) (map[string]interface{}, error) {
 
 	var ccaToken ccatoken.Evidence
 
 	if err := ccaToken.FromCBOR(token.Data); err != nil {
 		return nil, handler.BadEvidence(err)
 	}
 
-	var extracted handler.ExtractedClaims
 
 	platformClaimsSet, err := common.ClaimsToMap(ccaToken.PlatformClaims)
 	if err != nil {
@@ -58,18 +57,12 @@ func (s EvidenceHandler) ExtractClaims(
 			"could not convert realm claims: %w", err))
 	}
 
-	extracted.ClaimsSet = map[string]interface{}{
+	claims := map[string]interface{}{
 		"platform": platformClaimsSet,
 		"realm":    realmClaimsSet,
 	}
 
-	extracted.ReferenceIDs = []string{arm.RefValLookupKey(
-		SchemeName,
-		token.TenantId,
-		arm.MustImplIDString(ccaToken.PlatformClaims),
-	)}
-	log.Debugf("extracted Reference ID Key = %s", extracted.ReferenceIDs)
-	return &extracted, nil
+	return claims, nil
 }
 
 // ValidateEvidenceIntegrity, decodes CCA collection and then invokes Verify API of ccatoken library

scheme/cca-ssd-platform/evidence_handler_test.go

@@ -110,7 +110,7 @@ func Test_ExtractVerifiedClaims_ok(t *testing.T) {
 	ta := string(taEndValBytes)
 
 	extracted, err := scheme.ExtractClaims(&token, []string{ta})
-	platformClaims := extracted.ClaimsSet["platform"].(map[string]interface{})
+	platformClaims := extracted["platform"].(map[string]interface{})
 
 	require.NoError(t, err)
 	assert.Equal(t, "http://arm.com/CCA-SSD/1.0.0",

scheme/cca-ssd-platform/store_handler.go

@@ -4,8 +4,11 @@
 package cca_ssd_platform
 
 import (
+	"fmt"
+
 	"github.com/veraison/services/handler"
 	"github.com/veraison/services/proto"
+	"github.com/veraison/services/scheme/common"
 	"github.com/veraison/services/scheme/common/arm"
 )
 
@@ -43,3 +46,25 @@ func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string
 	}
 	return []string{ta}, nil
 }
+
+func (s StoreHandler) GetRefValueIDs(
+	tenantID string,
+	trustAnchors []string,
+	claims map[string]interface{},
+) ([]string, error) {
+	platformClaimsMap, ok := claims["platform"].(map[string]interface{})
+	if !ok {
+		return nil, fmt.Errorf("claims to do not contain platform map: %v", claims)
+	}
+
+	platformClaims, err := common.MapToClaims(platformClaimsMap)
+	if err != nil {
+		return nil, err
+	}
+
+	return []string{arm.RefValLookupKey(
+		SchemeName,
+		tenantID,
+		arm.MustImplIDString(platformClaims),
+	)}, nil
+}

scheme/parsec-cca/evidence_handler.go

@@ -38,9 +38,11 @@ func (s EvidenceHandler) GetSupportedMediaTypes() []string {
 	return EvidenceMediaTypes
 }
 
-func (s EvidenceHandler) ExtractClaims(token *proto.AttestationToken, trustAnchors []string) (*handler.ExtractedClaims, error) {
+func (s EvidenceHandler) ExtractClaims(
+	token *proto.AttestationToken,
+	trustAnchors []string,
+) (map[string]interface{}, error) {
 	var (
-		extracted handler.ExtractedClaims
 		evidence  parsec_cca.Evidence
 		claimsSet = make(map[string]interface{})
 		kat       = make(map[string]interface{})
@@ -70,15 +72,7 @@ func (s EvidenceHandler) ExtractClaims(token *proto.AttestationToken, trustAncho
 	}
 	claimsSet["cca.realm"] = rmap
 
-	extracted.ClaimsSet = claimsSet
-
-	extracted.ReferenceIDs = []string{arm.RefValLookupKey(
-		SchemeName,
-		token.TenantId,
-		arm.MustImplIDString(evidence.Pat.PlatformClaims),
-	)}
-	log.Debugf("extracted Reference ID Key = %s", extracted.ReferenceIDs)
-	return &extracted, nil
+	return claimsSet, nil
 }
 
 func (s EvidenceHandler) ValidateEvidenceIntegrity(token *proto.AttestationToken, trustAnchors []string, endorsements []string) error {

scheme/parsec-cca/store_handler.go

@@ -3,8 +3,11 @@
 package parsec_cca
 
 import (
+	"fmt"
+
 	"github.com/veraison/services/handler"
 	"github.com/veraison/services/proto"
+	"github.com/veraison/services/scheme/common"
 	"github.com/veraison/services/scheme/common/arm"
 )
 
@@ -42,3 +45,25 @@ func (s StoreHandler) GetTrustAnchorIDs(token *proto.AttestationToken) ([]string
 	}
 	return []string{ta}, nil
 }
+
+func (s StoreHandler) GetRefValueIDs(
+	tenantID string,
+	trustAnchors []string,
+	claims map[string]interface{},
+) ([]string, error) {
+	platformClaimsMap, ok := claims["cca.platform"].(map[string]interface{})
+	if !ok {
+		return nil, fmt.Errorf("claims to do not contain patform map: %v", claims)
+	}
+
+	platformClaims, err := common.MapToClaims(platformClaimsMap)
+	if err != nil {
+		return nil, err
+	}
+
+	return []string{arm.RefValLookupKey(
+		SchemeName,
+		tenantID,
+		arm.MustImplIDString(platformClaims),
+	)}, nil
+}

scheme/parsec-tpm/common.go

@@ -0,0 +1,9 @@
+// Copyright 2024 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package parsec_tpm
+
+const (
+	ScopeTrustAnchor = "trust anchor"
+	ScopeRefValues   = "ref values"
+)
+