Skip to content

Commit

Permalink
misc: clean up comments, logs, and errors
Browse files Browse the repository at this point in the history
Assorted fixes to text. No functional changes.

Signed-off-by: Tobin Feldman-Fitzthum <tobin@ibm.com>
  • Loading branch information
fitzthum authored and Xynnn007 committed Dec 4, 2024
1 parent c8bb601 commit 0d2464a
Show file tree
Hide file tree
Showing 3 changed files with 21 additions and 14 deletions.
6 changes: 3 additions & 3 deletions kbs/src/error.rs
Original file line number Diff line number Diff line change
Expand Up @@ -82,7 +82,7 @@ impl ResponseError for Error {
let mut detail = String::new();

// The write macro here will only raise error when OOM of the string.
write!(&mut detail, "{}", self).expect("written error response failed");
write!(&mut detail, "{}", self).expect("Failed to write error");
let info = ErrorInformation {
error_type: format!("{ERROR_TYPE_PREFIX}/{}", self.as_ref()),
detail,
Expand All @@ -91,9 +91,9 @@ impl ResponseError for Error {
// All the fields inside the ErrorInfo are printable characters, so this
// error cannot happen.
// A test covering all the possible error types are given to ensure this.
let body = serde_json::to_string(&info).expect("serialize error response failed");
let body = serde_json::to_string(&info).expect("Failed to serialize error");

// Due to the definition of KBS attestation protocol, we set the http code.
// Per the KBS protocol, errors should yield 401 or 404 reponses
let mut res = match self {
Error::IllegalAccessedPath { .. } | Error::PluginNotFound { .. } => {
HttpResponse::NotFound()
Expand Down
2 changes: 1 addition & 1 deletion kbs/src/token/error.rs
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ pub enum Error {
source: anyhow::Error,
},

#[error("Tee public key is not found inside the claims of token")]
#[error("Tee public key not found in Attestation Token")]
NoTeePubKeyClaimFound,

#[error("Failed to parse Tee public key")]
Expand Down
27 changes: 17 additions & 10 deletions kbs/src/token/mod.rs
Original file line number Diff line number Diff line change
Expand Up @@ -31,22 +31,27 @@ pub struct AttestationTokenVerifierConfig {
/// This field will default to an empty vector.
pub extra_teekey_paths: Vec<String>,

/// Trusted Certificates file (PEM format) paths use to verify Attestation
/// Token Signature.
/// File paths of trusted certificates in PEM format used to verify
/// the signature of the Attestation Token.
#[serde(default)]
pub trusted_certs_paths: Vec<String>,

/// Urls (file:// and https:// schemes accepted) pointing to a local JWKSet file
/// URLs (file:// and https:// schemes accepted) pointing to a local JWKSet file
/// or to an OpenID configuration url giving a pointer to JWKSet certificates
/// (for "Jwk") to verify Attestation Token Signature.
#[serde(default)]
pub trusted_jwk_sets: Vec<String>,

/// Whether a JWK that directly comes from the JWT token is allowed to verify
/// the signature. This is insecure as it will not check the endorsement of
/// the JWK. If this option is set to false, the JWK will be looked up from
/// the key store configured during launching the KBS with kid field in the JWT,
/// or be checked against the configured trusted CA certs.
/// Whether the token signing key is (not) validated.
/// If true, the attestation token can be modified in flight.
/// This should only be set to true for testing.
/// While the token signature is still validated, the provenance of the
/// signing key is not checked and the key could be replaced.
///
/// When false, the key must be endorsed by the certificates or JWK sets
/// specified above.
///
/// Default: false
#[serde(default = "bool::default")]
pub insecure_key: bool,
}
Expand Down Expand Up @@ -81,8 +86,10 @@ impl TokenVerifier {
})
}

/// Different attestation service would embed tee public key
/// in different parts of the claims.
/// Different types of attestation tokens store the tee public key in
/// different places.
/// Try extracting the key from multiple built-in paths as well as any extras
/// specified in the config file.
pub fn extract_tee_public_key(&self, claim: Value) -> Result<TeePubKey> {
for path in &self.extra_teekey_paths {
if let Some(pkey_value) = claim.pointer(path) {
Expand Down

0 comments on commit 0d2464a

Please sign in to comment.