COCOS-394 Cloud Provider Attestation Service Integration (#421)

* Add token measurement command Add Azure cloud attestation fetching Add ability to fetch azure attestation token Remove gcp changes Remove gcp changes Add Azure attestation support Modify pipeline proto checks Update protoc version Fix failing CI fetch token as a file Convert jwt to json Small bug fix -- correct file name for attestation token Fix failing CI Modify protoc version Update protoc version Update protoc version Update protoc version Add changes to allow passing vtpm nonce Add PR review changes to refactor the code Refactor name change to AttestationResult Refactor name change to AttestationResult Return report as json Format files properly Fix attestaton changes Modify changes based on PR review Add more test coverage Correct bug in Server test Rename "FetchAttestationResult" to "AttestationResult" Send token as part of stream Fix CI NOISSUE - Add DisconnectReq message and TTL support for VM creation (#428) * feat: Add DisconnectReq message and TTL support for VM creation - Introduced DisconnectReq message in cvms.proto to handle disconnection requests. - Enhanced CreateReq in manager.proto to include a TTL field for virtual machines. - Updated CLI to accept TTL as a command-line flag during VM creation. - Modified manager service to remove VMs after the specified TTL duration. - Adjusted gRPC client connection handling in agent main.go to support new client structure. - Added mock implementation for gRPC client to facilitate testing. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix: Mark server URL flag as required with error handling Signed-off-by: Sammy Oina <sammyoina@gmail.com> --------- Signed-off-by: Sammy Oina <sammyoina@gmail.com> COCOS-407 - Add support for Linux IMA (#429) * Added a feature which enables users to fetch IMA measurements and verify them * Added a feature which enables users to fetch IMA measurements and verify them * fixed lint error * fixed according to comments * fixed according to comments * fixed according to comments * fixed according to comments * final bug fix Add token measurement command Add Azure cloud attestation fetching Add ability to fetch azure attestation token Remove gcp changes Remove gcp changes Add Azure attestation support Modify pipeline proto checks Update protoc version Fix failing CI fetch token as a file Convert jwt to json Small bug fix -- correct file name for attestation token Fix failing CI Modify protoc version Update protoc version Update protoc version Update protoc version Add changes to allow passing vtpm nonce Add PR review changes to refactor the code Refactor name change to AttestationResult Refactor name change to AttestationResult Return report as json Format files properly Fix attestaton changes Modify changes based on PR review Add more test coverage Correct bug in Server test Rename "FetchAttestationResult" to "AttestationResult" Send token as part of stream Fix CI Rebase changes to main Refactor after rebase * Add Azure attestation * COCOS-395 - Cloud Provider Firmware Integration (#415) * add CC platform identification capability * add token verification * add snp azure * add azure snp report verification * fix linter errors * fix agent tests * expand the CC provider * fix azure atls * rebase branch * add nonce check for azure token * rename package attestations * remove alias attestations --------- Co-authored-by: Ubuntu <azureuser@UVCTestCVM.bu0p0zdolasezg1jifpyqhaxuc.dx.internal.cloudapp.net> * Add token measurement command Add Azure cloud attestation fetching Add ability to fetch azure attestation token Remove gcp changes Remove gcp changes Add Azure attestation support Modify pipeline proto checks Update protoc version Fix failing CI fetch token as a file Convert jwt to json Small bug fix -- correct file name for attestation token Fix failing CI Modify protoc version Update protoc version Update protoc version Update protoc version Add changes to allow passing vtpm nonce Add PR review changes to refactor the code Refactor name change to AttestationResult Refactor name change to AttestationResult Return report as json Format files properly Fix attestaton changes Modify changes based on PR review Add more test coverage Correct bug in Server test Rename "FetchAttestationResult" to "AttestationResult" Send token as part of stream Fix CI NOISSUE - Add DisconnectReq message and TTL support for VM creation (#428) * feat: Add DisconnectReq message and TTL support for VM creation - Introduced DisconnectReq message in cvms.proto to handle disconnection requests. - Enhanced CreateReq in manager.proto to include a TTL field for virtual machines. - Updated CLI to accept TTL as a command-line flag during VM creation. - Modified manager service to remove VMs after the specified TTL duration. - Adjusted gRPC client connection handling in agent main.go to support new client structure. - Added mock implementation for gRPC client to facilitate testing. Signed-off-by: Sammy Oina <sammyoina@gmail.com> * fix: Mark server URL flag as required with error handling Signed-off-by: Sammy Oina <sammyoina@gmail.com> --------- Signed-off-by: Sammy Oina <sammyoina@gmail.com> COCOS-407 - Add support for Linux IMA (#429) * Added a feature which enables users to fetch IMA measurements and verify them * Added a feature which enables users to fetch IMA measurements and verify them * fixed lint error * fixed according to comments * fixed according to comments * fixed according to comments * fixed according to comments * final bug fix Add token measurement command Add Azure cloud attestation fetching Add ability to fetch azure attestation token Remove gcp changes Remove gcp changes Add Azure attestation support Modify pipeline proto checks Update protoc version Fix failing CI fetch token as a file Convert jwt to json Small bug fix -- correct file name for attestation token Fix failing CI Modify protoc version Update protoc version Update protoc version Update protoc version Add changes to allow passing vtpm nonce Add PR review changes to refactor the code Refactor name change to AttestationResult Refactor name change to AttestationResult Return report as json Format files properly Fix attestaton changes Modify changes based on PR review Add more test coverage Correct bug in Server test Rename "FetchAttestationResult" to "AttestationResult" Send token as part of stream Fix CI Rebase changes to main Refactor after rebase * Rebase with main * Modify tests to accomodate changes * Use env vars appropriately * Use env vars appropriately * Use caps in err name --------- Co-authored-by: Danko Miladinovic <72250944+danko-miladinovic@users.noreply.github.com> Co-authored-by: Ubuntu <azureuser@UVCTestCVM.bu0p0zdolasezg1jifpyqhaxuc.dx.internal.cloudapp.net>
2026-06-23 04:10:25 +00:00 · 2025-05-21 13:01:49 +03:00
parent 3102114ff3
commit 94c169febb
32 changed files with 1424 additions and 288 deletions
@@ -3,6 +3,7 @@
 package cli

 import (
+	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
@@ -32,29 +33,31 @@ import (
 )

 const (
-	defaultMinimumTcb       = 0
-	defaultMinimumLaunchTcb = 0
-	defaultMinimumGuestSvn  = 0
-	defaultGuestPolicy      = 0x0000000000030000
-	defaultMinimumBuild     = 0
-	defaultCheckCrl         = false
-	defaultTimeout          = 2 * time.Minute
-	defaultMaxRetryDelay    = 30 * time.Second
-	defaultRequireAuthor    = false
-	defaultRequireIdBlock   = false
-	defaultMinVersion       = "0.0"
-	size16                  = 16
-	size32                  = 32
-	size48                  = 48
-	size64                  = 64
-	attestationFilePath     = "attestation.bin"
-	vtpmFilePath            = "../quote.dat"
-	attestationJson         = "attestation.json"
-	sevProductNameMilan     = "Milan"
-	sevProductNameGenoa     = "Genoa"
-	FormatBinaryPB          = "binarypb"
-	FormatTextProto         = "textproto"
-	exampleJSONConfig       = `
+	defaultMinimumTcb         = 0
+	defaultMinimumLaunchTcb   = 0
+	defaultMinimumGuestSvn    = 0
+	defaultGuestPolicy        = 0x0000000000030000
+	defaultMinimumBuild       = 0
+	defaultCheckCrl           = false
+	defaultTimeout            = 2 * time.Minute
+	defaultMaxRetryDelay      = 30 * time.Second
+	defaultRequireAuthor      = false
+	defaultRequireIdBlock     = false
+	defaultMinVersion         = "0.0"
+	size16                    = 16
+	size32                    = 32
+	size48                    = 48
+	size64                    = 64
+	attestationFilePath       = "attestation.bin"
+	azureAttestResultFilePath = "azure_attest_result.json"
+	azureAttestTokenFilePath  = "azure_attest_token.jwt"
+	vtpmFilePath              = "../quote.dat"
+	attestationReportJson     = "attestation.json"
+	sevProductNameMilan       = "Milan"
+	sevProductNameGenoa       = "Genoa"
+	FormatBinaryPB            = "binarypb"
+	FormatTextProto           = "textproto"
+	exampleJSONConfig         = `
 	{
 		"rootOfTrust":{
 		   "product":"test_product",
@@ -107,41 +110,44 @@ const (
 		}
 	}
 	`
-	SNP     = "snp"
-	VTPM    = "vtpm"
-	SNPvTPM = "snp-vtpm"
-	CCNone  = "none"
-	CCAzure = "azure"
-	CCGCP   = "gcp"
+	SNP        = "snp"
+	VTPM       = "vtpm"
+	SNPvTPM    = "snp-vtpm"
+	AzureToken = "azure-token"
+	CCNone     = "none"
+	CCAzure    = "azure"
+	CCGCP      = "gcp"
 )

 var (
-	mode                    string
-	cfg                     = check.Config{Policy: &check.Policy{}, RootOfTrust: &check.RootOfTrust{}}
-	cfgString               string
-	timeout                 time.Duration
-	maxRetryDelay           time.Duration
-	platformInfo            string
-	stepping                string
-	trustedAuthorKeys       []string
-	trustedAuthorHashes     []string
-	trustedIdKeys           []string
-	trustedIdKeyHashes      []string
-	attestationFile         string
-	tpmAttestationFile      string
-	attestationRaw          []byte
-	empty16                 = [size16]byte{}
-	empty32                 = [size32]byte{}
-	empty64                 = [size64]byte{}
-	defaultReportIdMa       = []byte{255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255}
-	errReportSize           = errors.New("attestation contents too small")
-	ErrBadAttestation       = errors.New("attestation file is corrupted or in wrong format")
-	output                  string
-	nonce                   []byte
-	format                  string
-	teeNonce                []byte
-	getTextProtoAttestation bool
-	cloud                   string
+	mode                          string
+	cfg                           = check.Config{Policy: &check.Policy{}, RootOfTrust: &check.RootOfTrust{}}
+	cfgString                     string
+	timeout                       time.Duration
+	maxRetryDelay                 time.Duration
+	platformInfo                  string
+	stepping                      string
+	trustedAuthorKeys             []string
+	trustedAuthorHashes           []string
+	trustedIdKeys                 []string
+	trustedIdKeyHashes            []string
+	attestationFile               string
+	tpmAttestationFile            string
+	attestationRaw                []byte
+	empty16                       = [size16]byte{}
+	empty32                       = [size32]byte{}
+	empty64                       = [size64]byte{}
+	defaultReportIdMa             = []byte{255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255}
+	errReportSize                 = errors.New("attestation contents too small")
+	ErrBadAttestation             = errors.New("attestation file is corrupted or in wrong format")
+	output                        string
+	nonce                         []byte
+	format                        string
+	teeNonce                      []byte
+	tokenNonce                    []byte
+	getTextProtoAttestationReport bool
+	getAzureTokenJWT              bool
+	cloud                         string
 )

 var errEmptyFile = errors.New("input file is empty")
@@ -180,11 +186,12 @@ func (cli *CLI) NewGetAttestationCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:       "get",
 		Short:     "Retrieve attestation information from agent. The argument of the command must be the type of the report (snp or vtpm or snp-vtpm).",
-		ValidArgs: []cobra.Completion{SNP, VTPM, SNPvTPM},
+		ValidArgs: []cobra.Completion{SNP, VTPM, SNPvTPM, AzureToken},
 		Example: fmt.Sprintf(`Based on attestation report type:
 		get %s --tee <512 bit hex value>
 		get %s --vtpm <256 bit hex value>
-		get %s --tee <512 bit hex value> --vtpm <256 bit hex value>`, SNP, VTPM, SNPvTPM),
+		get %s --tee <512 bit hex value> --vtpm <256 bit hex value>
+		get %s --token <256 bit hex value>`, SNP, VTPM, SNPvTPM, AzureToken),
 		Args: cobra.ExactArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
 			if cli.connectErr != nil {
@@ -209,6 +216,9 @@ func (cli *CLI) NewGetAttestationCmd() *cobra.Command {
 			case SNPvTPM:
 				cmd.Println("Fetching SEV-SNP and vTPM report")
 				attType = attestation.SNPvTPM
+			case AzureToken:
+				cmd.Println("Fetching Azure token")
+				attType = attestation.AzureToken
 			}

 			if (attType == attestation.VTPM || attType == attestation.SNPvTPM) && len(nonce) == 0 {
@@ -223,8 +233,14 @@ func (cli *CLI) NewGetAttestationCmd() *cobra.Command {
 				return
 			}

+			if (attType == attestation.AzureToken) && len(tokenNonce) == 0 {
+				msg := color.New(color.FgRed).Sprint("Token nonce must be defined for Azure attestation ❌ ")
+				cmd.Println(msg)
+				return
+			}
+
 			var fixedReportData [quoteprovider.Nonce]byte
-			if attType != attestation.VTPM {
+			if attType == attestation.SNP || attType == attestation.SNPvTPM {
 				if len(teeNonce) > quoteprovider.Nonce {
 					msg := color.New(color.FgRed).Sprintf("nonce must be a hex encoded string of length lesser or equal %d bytes ❌ ", quoteprovider.Nonce)
 					cmd.Println(msg)
@@ -236,18 +252,28 @@ func (cli *CLI) NewGetAttestationCmd() *cobra.Command {

 			var fixedVtpmNonceByte [vtpm.Nonce]byte
 			if attType != attestation.SNP {
-				if len(nonce) > vtpm.Nonce {
+				if (len(nonce) > vtpm.Nonce) || (len(tokenNonce) > vtpm.Nonce) {
 					msg := color.New(color.FgRed).Sprintf("vTPM nonce must be a hex encoded string of length lesser or equal %d bytes ❌ ", vtpm.Nonce)
 					cmd.Println(msg)
 					return
 				}
-
-				copy(fixedVtpmNonceByte[:], nonce)
+				if attType == attestation.AzureToken {
+					copy(fixedVtpmNonceByte[:], tokenNonce)
+				} else {
+					copy(fixedVtpmNonceByte[:], nonce)
+				}
 			}

 			filename := attestationFilePath
-			if getTextProtoAttestation {
-				filename = attestationJson
+
+			if attType == attestation.AzureToken {
+				filename = azureAttestResultFilePath
+			}
+
+			if getTextProtoAttestationReport {
+				filename = attestationReportJson
+			} else if getAzureTokenJWT {
+				filename = azureAttestTokenFilePath
 			}

 			attestationFile, err := os.Create(filename)
@@ -256,9 +282,21 @@ func (cli *CLI) NewGetAttestationCmd() *cobra.Command {
 				return
 			}

-			if err := cli.agentSDK.Attestation(cmd.Context(), fixedReportData, fixedVtpmNonceByte, int(attType), attestationFile); err != nil {
-				printError(cmd, "Failed to get attestation due to error: %v ❌ ", err)
-				return
+			var returnJsonAzureToken bool
+
+			if attType == attestation.AzureToken {
+				err := cli.agentSDK.AttestationResult(cmd.Context(), fixedVtpmNonceByte, int(attType), attestationFile)
+				if err != nil {
+					printError(cmd, "Failed to get attestation result due to error: %v ❌", err)
+					return
+				}
+				returnJsonAzureToken = !getAzureTokenJWT
+			} else {
+				err := cli.agentSDK.Attestation(cmd.Context(), fixedReportData, fixedVtpmNonceByte, int(attType), attestationFile)
+				if err != nil {
+					printError(cmd, "Failed to get attestation due to error: %v ❌", err)
+					return
+				}
 			}

 			if err := attestationFile.Close(); err != nil {
@@ -266,7 +304,7 @@ func (cli *CLI) NewGetAttestationCmd() *cobra.Command {
 				return
 			}

-			if getTextProtoAttestation {
+			if getTextProtoAttestationReport || returnJsonAzureToken {
 				result, err := os.ReadFile(filename)
 				if err != nil {
 					printError(cmd, "Error reading attestation file: %v ❌ ", err)
@@ -276,6 +314,11 @@ func (cli *CLI) NewGetAttestationCmd() *cobra.Command {
 				switch attestationType {
 				case SNP:
 					result, err = attesationToJSON(result)
+					if err != nil {
+						printError(cmd, "Error converting SNP attestation to JSON: %v ❌", err)
+						return
+					}
+
 				case VTPM, SNPvTPM:
 					marshalOptions := prototext.MarshalOptions{
 						Multiline: true,
@@ -284,15 +327,17 @@ func (cli *CLI) NewGetAttestationCmd() *cobra.Command {
 					var attvTPM tpmAttest.Attestation
 					err = proto.Unmarshal(result, &attvTPM)
 					if err != nil {
-						printError(cmd, "failed to unmarshal the attestation report: %v ❌ ", ErrBadAttestation)
+						printError(cmd, "Failed to unmarshal the attestation report: %v ❌", err)
+						return
 					}
-
 					result = []byte(marshalOptions.Format(&attvTPM))
-				}

-				if err != nil {
-					printError(cmd, "Error converting attestation to textproto: %v ❌ ", err)
-					return
+				case AzureToken:
+					result, err = decodeJWTToJSON(result)
+					if err != nil {
+						printError(cmd, "Error decoding Azure token: %v ❌", err)
+						return
+					}
 				}

 				if err := os.WriteFile(filename, result, 0o644); err != nil {
@@ -305,9 +350,11 @@ func (cli *CLI) NewGetAttestationCmd() *cobra.Command {
 		},
 	}

-	cmd.Flags().BoolVarP(&getTextProtoAttestation, "textproto", "p", false, "Get attestation in textproto format")
-	cmd.Flags().BytesHexVarP(&teeNonce, "tee", "e", []byte{}, "Define the nonce for the SNP attestation report (must be used with attestation type snp and snp-vtpm)")
-	cmd.Flags().BytesHexVarP(&nonce, "vtpm", "t", []byte{}, "Define the nonce for the vTPM attestation report (must be used with attestation type vtpm and snp-vtpm)")
+	cmd.Flags().BoolVarP(&getAzureTokenJWT, "azurejwt", "t", false, "Get azure attestation token as jwt format")
+	cmd.Flags().BoolVarP(&getTextProtoAttestationReport, "reporttextproto", "r", false, "Get attestation report in textproto format")
+	cmd.Flags().BytesHexVar(&teeNonce, "tee", []byte{}, "Define the nonce for the SNP attestation report (must be used with attestation type snp and snp-vtpm)")
+	cmd.Flags().BytesHexVar(&nonce, "vtpm", []byte{}, "Define the nonce for the vTPM attestation report (must be used with attestation type vtpm and snp-vtpm)")
+	cmd.Flags().BytesHexVar(&tokenNonce, "token", []byte{}, "Define the nonce for the Azure attestation token (must be used with attestation type azure-token)")

 	return cmd
 }
@@ -1036,3 +1083,47 @@ func validateFieldLength(fieldName string, field []byte, expectedLength int) err
 	}
 	return nil
 }
+
+func decodeJWTToJSON(tokenBytes []byte) ([]byte, error) {
+	token := string(tokenBytes) // convert to string
+	parts := strings.Split(token, ".")
+	if len(parts) < 2 {
+		return nil, fmt.Errorf("invalid JWT: must have at least 2 parts")
+	}
+
+	decode := func(seg string) (map[string]interface{}, error) {
+		// Add padding if missing
+		if m := len(seg) % 4; m != 0 {
+			seg += strings.Repeat("=", 4-m)
+		}
+
+		data, err := base64.URLEncoding.DecodeString(seg)
+		if err != nil {
+			return nil, err
+		}
+
+		var result map[string]interface{}
+		if err := json.Unmarshal(data, &result); err != nil {
+			return nil, err
+		}
+
+		return result, nil
+	}
+
+	header, err := decode(parts[0])
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode header: %v", err)
+	}
+
+	payload, err := decode(parts[1])
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode payload: %v", err)
+	}
+
+	combined := map[string]interface{}{
+		"header":  header,
+		"payload": payload,
+	}
+
+	return json.MarshalIndent(combined, "", "  ")
+}
@@ -49,6 +49,7 @@ func TestNewGetAttestationCmd(t *testing.T) {

 	teeNonce := hex.EncodeToString(bytes.Repeat([]byte{0x00}, quoteprovider.Nonce))
 	vtpmNonce := hex.EncodeToString(bytes.Repeat([]byte{0x00}, vtpm.Nonce))
+	tokenNonce := hex.EncodeToString(bytes.Repeat([]byte{0x00}, vtpm.Nonce))

 	testCases := []struct {
 		name         string
@@ -102,7 +103,7 @@ func TestNewGetAttestationCmd(t *testing.T) {
 		},
 		{
 			name:         "invalid vTPM data size",
-			args:         []string{"vtpm", "-t", hex.EncodeToString(bytes.Repeat([]byte{0x00}, 33))},
+			args:         []string{"vtpm", "--vtpm", hex.EncodeToString(bytes.Repeat([]byte{0x00}, 33))},
 			mockResponse: nil,
 			mockError:    errors.New("error"),
 			expectedErr:  "vTPM nonce must be a hex encoded string of length lesser or equal 32 bytes",
@@ -116,39 +117,60 @@ func TestNewGetAttestationCmd(t *testing.T) {
 		},
 		{
 			name:         "failed to get attestation",
-			args:         []string{"snp", "-e", teeNonce},
+			args:         []string{"snp", "--tee", teeNonce},
 			mockResponse: nil,
 			mockError:    errors.New("error"),
 			expectedErr:  "Failed to get attestation due to error",
 		},
 		{
 			name:         "Textproto report error",
-			args:         []string{"snp", "-e", teeNonce, "--textproto"},
+			args:         []string{"snp", "--tee", teeNonce, "--reporttextproto"},
 			mockResponse: []byte("mock attestation"),
 			mockError:    nil,
-			expectedErr:  "Error converting attestation to textproto",
+			expectedErr:  "Fetching SEV-SNP attestation report\nError converting SNP attestation to JSON: attestation contents too small : attestation contents too small (0x10 bytes). Want at least 0x4a0 bytes ❌\n",
 		},
 		{
 			name:         "successful Textproto report",
-			args:         []string{"snp", "-e", teeNonce, "--textproto"},
+			args:         []string{"snp", "--tee", teeNonce, "--reporttextproto"},
 			mockResponse: validattestation,
 			mockError:    nil,
 			expectedOut:  "Attestation result retrieved and saved successfully!",
 		},
 		{
 			name:         "connection error",
-			args:         []string{"snp", "-e", teeNonce},
+			args:         []string{"snp", "--tee", teeNonce},
 			mockResponse: nil,
 			mockError:    errors.New("failed to connect to agent"),
 			expectedErr:  "Failed to connect to agent",
 		},
+		{
+			name:         "successful Azure token retrieval",
+			args:         []string{"azure-token", "--token", tokenNonce},
+			mockResponse: []byte("eyJhbGciOiAiUlMyNTYifQ.eyJzdWIiOiAidGVzdC11c2VyIn0.signature"),
+			mockError:    nil,
+			expectedOut:  "Fetching Azure token\nAttestation result retrieved and saved successfully!\n",
+		},
+		{
+			name:         "failed to retrieve Azure token",
+			args:         []string{"azure-token", "--token", tokenNonce},
+			mockResponse: nil,
+			mockError:    errors.New("error"),
+			expectedErr:  "Fetching Azure token\nFailed to get attestation result due to error: error ❌\n",
+		},
+		{
+			name:         "invalid token nonce size",
+			args:         []string{"azure-token", "--token", hex.EncodeToString(bytes.Repeat([]byte{0x00}, 33))},
+			mockResponse: nil,
+			mockError:    errors.New("error"),
+			expectedErr:  "Fetching Azure token\nvTPM nonce must be a hex encoded string of length lesser or equal 32 bytes ❌ \n",
+		},
 	}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Cleanup(func() {
 				os.Remove(attestationFilePath)
-				os.Remove(attestationJson)
+				os.Remove(attestationReportJson)
 			})
 			mockSDK := new(mocks.SDK)
 			cli := &CLI{agentSDK: mockSDK}
@@ -164,6 +186,11 @@ func TestNewGetAttestationCmd(t *testing.T) {
 				require.NoError(t, err)
 			})

+			mockSDK.On("AttestationResult", mock.Anything, [vtpm.Nonce]byte(bytes.Repeat([]byte{0x00}, vtpm.Nonce)), mock.Anything, mock.Anything).Return(tc.mockError).Run(func(args mock.Arguments) {
+				_, err := args.Get(3).(*os.File).Write(tc.mockResponse)
+				require.NoError(t, err)
+			})
+
 			cmd.SetArgs(tc.args)
 			err := cmd.Execute()

@@ -627,3 +654,56 @@ func TestRoundTrip(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, roundTripReport)
 }
+
+func TestDecodeJWTToJSON(t *testing.T) {
+	tests := []struct {
+		name     string
+		input    []byte
+		err      error
+		validate func(t *testing.T, output []byte)
+	}{
+		{
+			name: "Valid JWT",
+			input: []byte("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
+				"eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
+				"SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"),
+			err: nil,
+			validate: func(t *testing.T, output []byte) {
+				assert.NotEmpty(t, output)
+				assert.Contains(t, string(output), `"header"`)
+				assert.Contains(t, string(output), `"payload"`)
+			},
+		},
+		{
+			name:  "Invalid JWT - one part",
+			input: []byte("justonepart"),
+			err:   fmt.Errorf("invalid JWT: must have at least 2 parts"),
+			validate: func(t *testing.T, output []byte) {
+				assert.Nil(t, output)
+			},
+		},
+		{
+			name:  "Invalid Base64",
+			input: []byte("bad@@@.header"),
+			err:   errors.New("illegal base64 data"),
+			validate: func(t *testing.T, output []byte) {
+				assert.Nil(t, output)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := decodeJWTToJSON(tt.input)
+
+			if tt.err != nil {
+				assert.Error(t, err)
+				assert.Contains(t, err.Error(), tt.err.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+
+			tt.validate(t, got)
+		})
+	}
+}