From 2e9c4063bc6af00fcf7f750ccf87c7c435f25ba9 Mon Sep 17 00:00:00 2001 From: xuraoqing Date: Fri, 6 Jun 2025 09:42:05 +0800 Subject: [PATCH] attestation service Do not hardcode the token path --- ...rvice-Do-not-hardcode-the-token-path.patch | 71 +++++++++++++++++++ secGear.spec | 6 +- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 0104-attestation-service-Do-not-hardcode-the-token-path.patch diff --git a/0104-attestation-service-Do-not-hardcode-the-token-path.patch b/0104-attestation-service-Do-not-hardcode-the-token-path.patch new file mode 100644 index 0000000..1a23fdf --- /dev/null +++ b/0104-attestation-service-Do-not-hardcode-the-token-path.patch @@ -0,0 +1,71 @@ +From 7a8f2b712685d442ae15b68109bcbc3686ceade6 Mon Sep 17 00:00:00 2001 +From: huyubiao +Date: Thu, 17 Apr 2025 17:14:07 +0800 +Subject: [PATCH] attestation-service: Do not hardcode the token path. + +--- + .../attestation-service/token/src/lib.rs | 23 ++++++++++--------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/service/attestation/attestation-service/token/src/lib.rs b/service/attestation/attestation-service/token/src/lib.rs +index 92f427f..11a8869 100644 +--- a/service/attestation/attestation-service/token/src/lib.rs ++++ b/service/attestation/attestation-service/token/src/lib.rs +@@ -17,9 +17,10 @@ use jsonwebtoken::{ + }; + use serde::{Deserialize, Serialize}; + use serde_json::Value; +-use std::path::Path; + use thiserror; + ++const PRIVATE_KEY_PATH: &str = "/etc/attestation/attestation-service/token/private.pem"; ++ + #[derive(thiserror::Error, Debug)] + pub enum SignError { + #[error("get unix time fail:{0:?}")] +@@ -40,17 +41,23 @@ pub struct TokenSignConfig { + pub nbf: usize, // 生效时刻 + pub valid_duration: usize, // 有效时间 + pub alg: SignAlg, +- pub key: String, ++ pub key: Vec, + } + + impl Default for TokenSignConfig { + fn default() -> Self { ++ let default_key = std::fs::read(PRIVATE_KEY_PATH) ++ .map_err(|err| { ++ SignError::ReadKeyFail(format!("Failed to read {PRIVATE_KEY_PATH}: {err}")) ++ }) ++ .unwrap(); ++ + TokenSignConfig { + iss: "oeas".to_string(), + nbf: 0, + valid_duration: 300, + alg: SignAlg::PS256, +- key: "/etc/attestation/attestation-service/token/private.pem".to_string(), ++ key: default_key, + } + } + } +@@ -111,14 +118,8 @@ impl TokenSigner { + alg + ))); + } +- if !Path::new(&self.config.key).exists() { +- return Err(SignError::UnsupportAlg(format!( +- "token verfify failed, {:?} cert not exist", +- self.config.key +- ))); +- } +- let key = std::fs::read(&self.config.key).unwrap(); +- let key_value: EncodingKey = match EncodingKey::from_rsa_pem(&key) { ++ ++ let key_value: EncodingKey = match EncodingKey::from_rsa_pem(&self.config.key) { + Ok(val) => val, + _ => { + return Err(SignError::ReadKeyFail(format!("get key from input error"))); +-- +2.43.0 + diff --git a/secGear.spec b/secGear.spec index 9e6c200..04604a6 100644 --- a/secGear.spec +++ b/secGear.spec @@ -1,6 +1,6 @@ Name: secGear Version: 0.1.0 -Release: 61 +Release: 62 Summary: secGear is an SDK to develop confidential computing apps based on hardware enclave features @@ -113,6 +113,7 @@ Patch99: 0100-challenge-may-generate-by-requester-so-aa-and-as-may.patch Patch100: 0101-generate-random-by-ra_tls-itself.patch Patch101: 0102-Add-support-for-UEFI-measured-boot-attestation.patch Patch102: 0103-fix-ima-attestation-log-and-add-pcr-check.patch +Patch103: 0104-attestation-service-Do-not-hardcode-the-token-path.patch BuildRequires: gcc python automake autoconf libtool BUildRequires: glibc glibc-devel cmake ocaml-dune rpm gcc-c++ compat-openssl11-libs compat-openssl11-devel @@ -355,6 +356,9 @@ popd systemctl restart rsyslog %changelog +* Fri Jun 6 2025 xuraoqing - 0.1.0-62 +- attestation service Do not hardcode the token path + * Fri May 23 2025 SPYFAMILY - 0.1.0-61 - fix ima attestation log and add pcr check -- Gitee