1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147

// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied.  See the License for the
// specific language governing permissions and limitations
// under the License.

//! This module provide attestation public APIs in server side.

use crate::key;
use crate::AttestationConfig;
use crate::AttestedTlsConfig;
use crate::EndorsedAttestationReport;

use std::sync::{Arc, RwLock};
use std::thread;
use std::time::{Duration, SystemTime};
#[allow(unused_imports)]
#[cfg(feature = "mesalock_sgx")]
use std::untrusted::time::SystemTimeEx;

use anyhow::{anyhow, Result};
use log::debug;
use teaclave_config::build::ATTESTATION_VALIDITY_SECS;

const CERT_ISSUER: &str = "Teaclave";
const CERT_SUBJECT: &str = "CN=Teaclave";

pub struct RemoteAttestation {
    attestation_config: Arc<AttestationConfig>,
    attested_tls_config: Option<Arc<RwLock<AttestedTlsConfig>>>,
}

impl RemoteAttestation {
    /// Construct a `RemoteAttestation` with attestation configuration.
    pub fn new(attestation_config: Arc<AttestationConfig>) -> Self {
        Self {
            attestation_config,
            attested_tls_config: None,
        }
    }

    /// Generate a endorsed attestation report.
    pub fn generate_and_endorse(self) -> Result<Self> {
        let attested_tls_config = Arc::new(RwLock::new(AttestedTlsConfig::new(
            &self.attestation_config,
        )?));
        let attestation_config_ref = self.attestation_config.clone();
        let attested_tls_config_ref = attested_tls_config.clone();
        thread::spawn(move || {
            AttestationFreshnessKeeper::new(attestation_config_ref, attested_tls_config_ref).start()
        });
        Ok(Self {
            attestation_config: self.attestation_config,
            attested_tls_config: Some(attested_tls_config),
        })
    }

    /// Construct a attested TLS config for TLS connection (RPC in Teaclave).
    pub fn attested_tls_config(&self) -> Option<Arc<RwLock<AttestedTlsConfig>>> {
        self.attested_tls_config.clone()
    }
}

impl AttestedTlsConfig {
    fn new(attestation_config: &AttestationConfig) -> Result<AttestedTlsConfig> {
        let key_pair = key::NistP256KeyPair::new()?;
        let report = match attestation_config {
            AttestationConfig::NoAttestation => EndorsedAttestationReport::default(),
            AttestationConfig::WithAttestation(config) => {
                EndorsedAttestationReport::new(config, key_pair.pub_k())?
            }
        };

        let extension = serde_json::to_vec(&report)?;
        let cert = key_pair.create_cert_with_extension(CERT_ISSUER, CERT_SUBJECT, &extension);
        let private_key = key_pair.private_key_into_der();
        let time = SystemTime::now();
        let validity = Duration::from_secs(ATTESTATION_VALIDITY_SECS);

        let attested_tls_config = AttestedTlsConfig {
            cert,
            private_key,
            time,
            validity,
        };

        debug!("{:?}", attested_tls_config);

        Ok(attested_tls_config)
    }
}

/// To keep attestation report fresh. Refresh current valid report periodically.
struct AttestationFreshnessKeeper {
    attestation_config: Arc<AttestationConfig>,
    attested_tls_config: Arc<RwLock<AttestedTlsConfig>>,
}

impl AttestationFreshnessKeeper {
    pub(crate) fn new(
        attestation_config: Arc<AttestationConfig>,
        attested_tls_config: Arc<RwLock<AttestedTlsConfig>>,
    ) -> Self {
        Self {
            attestation_config,
            attested_tls_config,
        }
    }

    /// Start the fresshness keeper which will periodically refresh it's
    /// `attested_tls_config`.
    pub(crate) fn start(&self) {
        debug!("AttestationFreshnessKeeper started");
        loop {
            thread::sleep(Duration::from_secs(ATTESTATION_VALIDITY_SECS));
            match self.refresh() {
                Ok(_) => debug!("Attestation report updated successfully"),
                Err(e) => debug!("Failed to refresh attestation report: {:?}", e),
            }
        }
    }

    /// Get updated report form attestation service and create an updated
    /// attested TLS config.
    fn refresh(&self) -> Result<()> {
        debug!("begin refresh");
        let updated_attested_tls_config = AttestedTlsConfig::new(&self.attestation_config)?;
        let lock = self.attested_tls_config.clone();
        let mut config = lock
            .write()
            .map_err(|_| anyhow!("Failed to get write lock"))?;
        *config = updated_attested_tls_config;
        debug!("refresh done");
        Ok(())
    }
}