feat: auto handle attestation type on the validator side (#33)

* feat: auto handle attestation type on the validator side

* fix: indentation

* chore: readds but deprecates validator attestation type flag

---------

Co-authored-by: Frieder Paape <[email protected]>
Co-authored-by: fnerdman <[email protected]>

Author: 3 people

cmd/proxy-client/main.go

@@ -27,8 +27,7 @@ var flags []cli.Flag = []cli.Flag{
 	},
 	&cli.StringFlag{
 		Name:  "server-attestation-type",
-		Value: string(proxy.AttestationAzureTDX),
-		Usage: "type of attestation to expect and verify (" + proxy.AvailableAttestationTypes + ")",
+		Usage: "Deprecated and not used. Server attestation types are set via the measurements file.",
 	},
 	&cli.StringFlag{
 		Name:  "server-measurements",
@@ -37,7 +36,7 @@ var flags []cli.Flag = []cli.Flag{
 	&cli.BoolFlag{
 		Name:  "verify-tls",
 		Value: false,
-		Usage: "verify server's TLS certificate instead of server's attestation. Only valid for server-attestation-type=none.",
+		Usage: "verify server's TLS certificate instead of server's attestation. Only valid when not specifying measurements.",
 	},
 	&cli.StringFlag{
 		Name:  "tls-ca-certificate",
@@ -96,20 +95,18 @@ func runClient(cCtx *cli.Context) error {
 		Version: common.Version,
 	})
 
-	if cCtx.String("server-attestation-type") != "none" && verifyTLS {
-		log.Error("invalid combination of --verify-tls and --server-attestation-type passed (only 'none' is allowed)")
-		return errors.New("invalid combination of --verify-tls and --server-attestation-type passed (only 'none' is allowed)")
+	if cCtx.String("server-attestation-type") != "" {
+		log.Warn("DEPRECATED: --server-attestation-type is deprecated and will be removed in a future version")
 	}
 
-	clientAttestationType, err := proxy.ParseAttestationType(cCtx.String("client-attestation-type"))
-	if err != nil {
-		log.With("attestation-type", cCtx.String("client-attestation-type")).Error("invalid client-attestation-type passed, see --help")
-		return err
+	if serverMeasurements != "" && verifyTLS {
+		log.Error("invalid combination of --verify-tls and --server-measurements passed (cannot add server measurements and verify default TLS at the same time)")
+		return errors.New("invalid combination of --verify-tls and --server-measurements passed (cannot add server measurements and verify default TLS at the same time)")
 	}
 
-	serverAttestationType, err := proxy.ParseAttestationType(cCtx.String("server-attestation-type"))
+	clientAttestationType, err := proxy.ParseAttestationType(cCtx.String("client-attestation-type"))
 	if err != nil {
-		log.With("attestation-type", cCtx.String("server-attestation-type")).Error("invalid server-attestation-type passed, see --help")
+		log.With("attestation-type", cCtx.String("client-attestation-type")).Error("invalid client-attestation-type passed, see --help")
 		return err
 	}
 
@@ -119,9 +116,9 @@ func runClient(cCtx *cli.Context) error {
 		return err
 	}
 
-	validators, err := proxy.CreateAttestationValidators(log, serverAttestationType, serverMeasurements)
+	validators, err := proxy.CreateAttestationValidatorsFromFile(log, serverMeasurements)
 	if err != nil {
-		log.Error("could not create attestation validators", "err", err)
+		log.Error("could not create attestation validators from file", "err", err)
 		return err
 	}
 

cmd/proxy-server/main.go

@@ -55,9 +55,7 @@ var flags []cli.Flag = []cli.Flag{
 	},
 	&cli.StringFlag{
 		Name:    "client-attestation-type",
-		EnvVars: []string{"CLIENT_ATTESTATION_TYPE"},
-		Value:   string(proxy.AttestationNone),
-		Usage:   "type of attestation to expect and verify (" + proxy.AvailableAttestationTypes + ")",
+		Usage:   "Deprecated and not used. Client attestation types are set via the measurements file.",
 	},
 	&cli.StringFlag{
 		Name:    "client-measurements",
@@ -123,6 +121,10 @@ func runServer(cCtx *cli.Context) error {
 		Version: common.Version,
 	})
 
+	if cCtx.String("client-attestation-type") != "" {
+		log.Warn("DEPRECATED: --client-attestation-type is deprecated and will be removed in a future version")
+	}
+
 	useRegularTLS := certFile != "" || keyFile != ""
 	if serverAttestationTypeFlag != "none" && useRegularTLS {
 		return errors.New("invalid combination of --tls-certificate-path, --tls-private-key-path and --server-attestation-type flags passed (only 'none' is allowed)")
@@ -138,15 +140,9 @@ func runServer(cCtx *cli.Context) error {
 		return err
 	}
 
-	clientAttestationType, err := proxy.ParseAttestationType(cCtx.String("client-attestation-type"))
-	if err != nil {
-		log.With("attestation-type", cCtx.String("client-attestation-type")).Error("invalid client-attestation-type passed, see --help")
-		return err
-	}
-
-	validators, err := proxy.CreateAttestationValidators(log, clientAttestationType, clientMeasurements)
+	validators, err := proxy.CreateAttestationValidatorsFromFile(log, clientMeasurements)
 	if err != nil {
-		log.Error("could not create attestation validators", "err", err)
+		log.Error("could not create attestation validators from file", "err", err)
 		return err
 	}
 

proxy/atls_config.go

@@ -83,8 +83,8 @@ func CreateAttestationIssuer(log *slog.Logger, attestationType AttestationType)
 	}
 }
 
-func CreateAttestationValidators(log *slog.Logger, attestationType AttestationType, jsonMeasurementsPath string) ([]atls.Validator, error) {
-	if attestationType == AttestationNone {
+func CreateAttestationValidatorsFromFile(log *slog.Logger, jsonMeasurementsPath string) ([]atls.Validator, error) {
+	if jsonMeasurementsPath == "" {
 		return nil, nil
 	}
 
@@ -99,26 +99,42 @@ func CreateAttestationValidators(log *slog.Logger, attestationType AttestationTy
 		return nil, err
 	}
 
-	switch attestationType {
-	case AttestationAzureTDX:
-		validators := []atls.Validator{}
-		for _, measurement := range parsedMeasurements {
+	// Group validators by attestation type
+	validatorsByType := make(map[AttestationType][]atls.Validator)
+
+	for _, measurement := range parsedMeasurements {
+		attestationType, err := ParseAttestationType(measurement.AttestationType)
+		if err != nil {
+			return nil, fmt.Errorf("invalid attestation type %s in measurements file", measurement.AttestationType)
+		}
+
+		switch attestationType {
+		case AttestationAzureTDX:
 			attConfig := config.DefaultForAzureTDX()
 			attConfig.SetMeasurements(measurement.Measurements)
-			validators = append(validators, azure_tdx.NewValidator(attConfig, AttestationLogger{Log: log}))
-		}
-		return []atls.Validator{NewMultiValidator(validators)}, nil
-	case AttestationDCAPTDX:
-		validators := []atls.Validator{}
-		for _, measurement := range parsedMeasurements {
+			validatorsByType[attestationType] = append(
+				validatorsByType[attestationType],
+				azure_tdx.NewValidator(attConfig, AttestationLogger{Log: log}),
+			)
+		case AttestationDCAPTDX:
 			attConfig := &config.QEMUTDX{Measurements: measurements.DefaultsFor(cloudprovider.QEMU, variant.QEMUTDX{})}
 			attConfig.SetMeasurements(measurement.Measurements)
-			validators = append(validators, dcap_tdx.NewValidator(attConfig, AttestationLogger{Log: log}))
+			validatorsByType[attestationType] = append(
+				validatorsByType[attestationType],
+				dcap_tdx.NewValidator(attConfig, AttestationLogger{Log: log}),
+			)
+		default:
+			return nil, fmt.Errorf("unsupported attestation type %s in measurements file", measurement.AttestationType)
 		}
-		return []atls.Validator{NewMultiValidator(validators)}, nil
-	default:
-		return nil, errors.New("invalid attestation-type passed in")
 	}
+
+	// Create a MultiValidator for each attestation type
+	var validators []atls.Validator
+	for _, typeValidators := range validatorsByType {
+		validators = append(validators, NewMultiValidator(typeValidators))
+	}
+
+	return validators, nil
 }
 
 func ExtractMeasurementsFromExtension(ext *pkix.Extension, v variant.Variant) (map[uint32][]byte, error) {