AA/kbs_protocol: Update protocol version to 0.2.0 to fix JWE

Per RFC7516, the AEAD's auth tag should be included inside the JWE body.
Also, the AAD field should be calculated from the ProtectedHeader field
of JWE.

We fix this to align with trustee side.

Signed-off-by: Xynnn007 <[email protected]>

Cargo.toml

@@ -34,8 +34,10 @@ ctr = "0.9.2"
 env_logger = "0.11.5"
 hex = "0.4.3"
 hmac = "0.12.1"
-jwt-simple = { version = "0.12", default-features = false, features = ["pure-rust"] }
-kbs-types = "0.7.0"
+jwt-simple = { version = "0.12", default-features = false, features = [
+    "pure-rust",
+] }
+kbs-types = { git = "https://github.com/virtee/kbs-types.git", rev = "a704036" }
 lazy_static = "1.5.0"
 log = "0.4.22"
 nix = "0.29"

attestation-agent/deps/crypto/src/native/aes256gcm.rs

@@ -10,6 +10,19 @@ use openssl::symm::Cipher;
 
 const TAG_LENGTH: usize = 16;
 
+pub fn decrypt_with_aad(
+    encrypted_data: &[u8],
+    key: &[u8],
+    iv: &[u8],
+    aad: &[u8],
+    tag: &[u8],
+) -> Result<Vec<u8>> {
+    let cipher = Cipher::aes_256_gcm();
+
+    openssl::symm::decrypt_aead(cipher, key, Some(iv), aad, encrypted_data, tag)
+        .map_err(|e| anyhow!("{e:?}"))
+}
+
 pub fn decrypt(encrypted_data: &[u8], key: &[u8], iv: &[u8]) -> Result<Vec<u8>> {
     let cipher = Cipher::aes_256_gcm();
     if encrypted_data.len() < TAG_LENGTH {

attestation-agent/deps/crypto/src/rust/aes256gcm.rs

@@ -4,10 +4,27 @@
 //
 
 //! This mod implements aes-256-gcm encryption & decryption.
-
-use aes_gcm::{aead::Aead, Aes256Gcm, Key, KeyInit, Nonce};
+use aes_gcm::{aead::Aead, AeadInPlace, Aes256Gcm, Key, KeyInit, Nonce};
 use anyhow::*;
 
+pub fn decrypt_with_aad(
+    encrypted_data: &[u8],
+    key: &[u8],
+    iv: &[u8],
+    aad: &[u8],
+    tag: &[u8],
+) -> Result<Vec<u8>> {
+    let decrypting_key = Key::<Aes256Gcm>::from_slice(key);
+    let cipher = Aes256Gcm::new(decrypting_key);
+    let nonce = Nonce::from_slice(iv);
+    let mut plaintext = encrypted_data.to_vec();
+    cipher
+        .decrypt_in_place_detached(nonce, aad, &mut plaintext, tag.into())
+        .map_err(|e| anyhow!("aes-256-gcm decrypt failed: {:?}", e))?;
+
+    Ok(plaintext)
+}
+
 pub fn decrypt(encrypted_data: &[u8], key: &[u8], iv: &[u8]) -> Result<Vec<u8>> {
     let decrypting_key = Key::<Aes256Gcm>::from_slice(key);
     let cipher = Aes256Gcm::new(decrypting_key);

attestation-agent/deps/crypto/src/symmetric.rs

@@ -48,6 +48,17 @@ pub fn decrypt(
     }
 }
 
+/// Decrypt the given `ciphertext` with AES256-GCM algorithm.
+pub fn aes256gcm_decrypt(
+    key: Zeroizing<Vec<u8>>,
+    ciphertext: Vec<u8>,
+    iv: Vec<u8>,
+    aad: Vec<u8>,
+    tag: Vec<u8>,
+) -> Result<Vec<u8>> {
+    aes256gcm::decrypt_with_aad(&ciphertext, &key, &iv, &aad, &tag)
+}
+
 /// Encrypt the given `plaintext`.
 /// Note:
 /// - IV length for A256GCM: 12 bytes

attestation-agent/kbs_protocol/src/client/mod.rs

@@ -48,7 +48,7 @@ pub struct KbsClient<T> {
     pub(crate) token: Option<Token>,
 }
 
-pub const KBS_PROTOCOL_VERSION: &str = "0.1.1";
+pub const KBS_PROTOCOL_VERSION: &str = "0.2.0";
 
 pub const KBS_GET_RESOURCE_MAX_ATTEMPT: u64 = 3;
 

attestation-agent/kbs_protocol/src/client/rcar_client.rs

@@ -450,7 +450,7 @@ mod test {
                 assert!(
                     e.to_string()
                         .contains("KBS Client Protocol Version Mismatch"),
-                    "Actual error: {e:#?}"
+                    "{e:#?}"
                 );
                 println!("NOTE: the test is skipped due to KBS protocol incompatibility.");
                 return ();

attestation-agent/kbs_protocol/src/keypair.rs

@@ -6,12 +6,8 @@
 use anyhow::{Context, Result};
 
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
-use crypto::{
-    rsa::{PaddingMode, RSAKeyPair},
-    WrapType,
-};
+use crypto::rsa::{PaddingMode, RSAKeyPair};
 use kbs_types::{Response, TeePubKey};
-use serde::Deserialize;
 use zeroize::Zeroizing;
 
 #[derive(Clone, Debug)]
@@ -55,28 +51,21 @@ impl TeeKeyPair {
     }
 
     pub fn decrypt_response(&self, response: Response) -> Result<Vec<u8>> {
-        // deserialize the jose header and check that the key type matches
-        let protected: ProtectedHeader = serde_json::from_str(&response.protected)?;
-        let padding_mode = PaddingMode::try_from(&protected.alg[..])
+        let padding_mode = PaddingMode::try_from(&response.protected.alg[..])
             .context("Unsupported padding mode for wrapped key")?;
 
         // unwrap the wrapped key
-        let wrapped_symkey: Vec<u8> = URL_SAFE_NO_PAD.decode(&response.encrypted_key)?;
-        let symkey = self.decrypt(padding_mode, wrapped_symkey)?;
+        let symkey = self.decrypt(padding_mode, response.encrypted_key)?;
 
-        let iv = URL_SAFE_NO_PAD.decode(&response.iv)?;
-        let ciphertext = URL_SAFE_NO_PAD.decode(&response.ciphertext)?;
-
-        let plaintext = crypto::decrypt(Zeroizing::new(symkey), ciphertext, iv, protected.enc)?;
+        let aad = response.protected.generate_aad()?;
+        let plaintext = crypto::aes256gcm_decrypt(
+            Zeroizing::new(symkey),
+            response.ciphertext,
+            response.iv,
+            aad,
+            response.tag,
+        )?;
 
         Ok(plaintext)
     }
 }
-
-#[derive(Deserialize)]
-struct ProtectedHeader {
-    /// enryption algorithm for encrypted key
-    alg: String,
-    /// encryption algorithm for payload
-    enc: WrapType,
-}