package com.uid2.shared.secure.azurecc;

import com.google.common.base.Strings;
import com.uid2.shared.secure.AttestationClientException;
import com.uid2.shared.secure.AttestationException;
import com.uid2.shared.secure.AttestationFailure;
import com.uid2.shared.util.UrlEquivalenceValidator;
import java.util.Locale;
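/**
 * Policy checks applied to a Microsoft Azure Attestation (MAA) token payload
 * before its CCE policy digest is handed back to the caller.
 *
 * <p>Checks run in this order: the report must come from a SEV-SNP VM running
 * the Azure compliance utility VM with debugging disabled; the runtime-data
 * location must be present and not a blocked region; the runtime-data public
 * key must equal the caller-supplied one; and the runtime-data attestation URL,
 * when present, is compared with the configured one. NOTE(review): that last
 * comparison does not reject a mismatch — see {@link #verifyAttestationUrl}.
 *
 * <p>This class does not verify the token signature or its claims' origin; it
 * assumes the {@link MaaTokenPayload} it receives was already authenticated by
 * the caller.
 */
public class PolicyValidator implements IPolicyValidator {
    private static final String LOCATION_CHINA = "china";
    private static final String LOCATION_EU = "europe";

    private final String attestationUrl;

    /**
     * @param attestationUrl the attestation-service URL this validator expects to
     *                       find in the token's runtime data (compared by
     *                       {@link UrlEquivalenceValidator#areUrlsEquivalent})
     */
    public PolicyValidator(String attestationUrl) {
        this.attestationUrl = attestationUrl;
    }

    /**
     * Runs every policy check and returns the payload's CCE policy digest.
     *
     * @param maaTokenPayload the (already signature-verified) MAA token payload
     * @param publicKey       the public key the caller expects to be bound in runtime data
     * @return the payload's CCE policy digest; never null or empty
     * @throws AttestationClientException if the payload is malformed or any check fails
     */
    @Override
    public String validate(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationClientException {
        if (maaTokenPayload == null) {
            throw new AttestationClientException("MAA token payload is null", AttestationFailure.BAD_PAYLOAD);
        }
        verifyVM(maaTokenPayload);
        verifyLocation(maaTokenPayload);
        verifyPublicKey(maaTokenPayload, publicKey);
        verifyAttestationUrl(maaTokenPayload);

        String policyDigest = maaTokenPayload.getCcePolicyDigest();
        // The digest is the value callers act on after "validate" succeeds; an empty
        // digest must not be returned as though it were a validated value.
        if (Strings.isNullOrEmpty(policyDigest)) {
            throw new AttestationClientException("CCE policy digest is missing from payload", AttestationFailure.BAD_PAYLOAD);
        }
        return policyDigest;
    }

    /** Rejects a payload that carries no runtime data instead of letting a later getter NPE. */
    private static void requireRuntimeData(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
        if (maaTokenPayload.getRuntimeData() == null) {
            throw new AttestationClientException("Runtime data is missing from payload", AttestationFailure.BAD_PAYLOAD);
        }
    }

    /**
     * Requires the public key in runtime data to equal the caller-supplied key.
     *
     * @throws AttestationClientException with BAD_FORMAT if the expected key is
     *                                    null/empty or the runtime key differs
     */
    private void verifyPublicKey(MaaTokenPayload maaTokenPayload, String publicKey) throws AttestationClientException {
        if (Strings.isNullOrEmpty(publicKey)) {
            throw new AttestationClientException("public key to check is null or empty", AttestationFailure.BAD_FORMAT);
        }
        requireRuntimeData(maaTokenPayload);
        var runtimePublicKey = maaTokenPayload.getRuntimeData().getPublicKey();
        // Exact string comparison: both values must be in the same encoding. The key
        // is public, so a non-constant-time compare leaks nothing here.
        if (!publicKey.equals(runtimePublicKey)) {
            throw new AttestationClientException(
                    String.format("Public key in payload does not match expected value. More info: runtime(%s), expected(%s)",
                            runtimePublicKey,
                            publicKey),
                    AttestationFailure.BAD_FORMAT);
        }
    }

    /**
     * Compares the attestation URL embedded in runtime data with the configured one.
     *
     * <p>A missing URL is accepted. NOTE(review): a URL that does NOT match is also
     * accepted — the throw of {@code AttestationFailure.UNKNOWN_ATTESTATION_URL} is
     * disabled below, so this check is currently informational only. Callers must
     * not rely on it to reject tokens minted by a different attestation service;
     * restore the throw once the reason for disabling it has been confirmed.
     */
    private void verifyAttestationUrl(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
        requireRuntimeData(maaTokenPayload);
        String decodedRuntimeAttestationUrl = maaTokenPayload.getRuntimeData().getDecodedAttestationUrl();
        if (decodedRuntimeAttestationUrl == null) {
            return;
        }
        if (!UrlEquivalenceValidator.areUrlsEquivalent(decodedRuntimeAttestationUrl, this.attestationUrl)) {
            // Intentionally not enforced (see method Javadoc). Original check:
            // throw new AttestationClientException("The given attestation URL is unknown. Given URL: " + decodedRuntimeAttestationUrl, AttestationFailure.UNKNOWN_ATTESTATION_URL);
            return;
        }
    }

    /**
     * Requires a SEV-SNP report from the Azure compliance utility VM with
     * hardware debugging disabled; a debuggable VM cannot be trusted to protect
     * the enclave contents.
     *
     * @throws AttestationClientException with BAD_FORMAT on any of the three failures
     */
    private void verifyVM(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
        if (!maaTokenPayload.isSevSnpVM()) {
            throw new AttestationClientException("Not in SevSnp VM", AttestationFailure.BAD_FORMAT);
        }
        if (!maaTokenPayload.isUtilityVMCompliant()) {
            throw new AttestationClientException("Not run in Azure Compliance Utility VM", AttestationFailure.BAD_FORMAT);
        }
        if (maaTokenPayload.isVmDebuggable()) {
            throw new AttestationClientException("The underlying hardware should not run in debug mode", AttestationFailure.BAD_FORMAT);
        }
    }

    /**
     * Requires a location in runtime data and rejects regions whose name contains
     * "china" or "europe" (case-insensitively).
     *
     * <p>NOTE(review): this is a substring denylist, not an allowlist. Any region
     * whose name lacks those substrings is accepted — confirm that is the intended
     * policy rather than a list of permitted regions.
     *
     * @throws AttestationClientException with BAD_PAYLOAD if the location is absent or blocked
     */
    private void verifyLocation(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
        requireRuntimeData(maaTokenPayload);
        var location = maaTokenPayload.getRuntimeData().getLocation();
        if (Strings.isNullOrEmpty(location)) {
            throw new AttestationClientException("Location is not specified.", AttestationFailure.BAD_PAYLOAD);
        }
        // Locale.ROOT: the default-locale toLowerCase() turns "I" into a dotless "ı"
        // under Turkish locales, so "CHINA" would no longer contain "china" and the
        // block below could be bypassed by the JVM's locale setting alone.
        var lowerCaseLocation = location.toLowerCase(Locale.ROOT);
        if (lowerCaseLocation.contains(LOCATION_CHINA) || lowerCaseLocation.contains(LOCATION_EU)) {
            throw new AttestationClientException("Location is not supported. Value: " + location, AttestationFailure.BAD_PAYLOAD);
        }
    }
}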