opensource/cocos
1
0
Fork 0
mirror of https://github.com/ultravioletrs/cocos.git synced 2026-06-23 04:10:25 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
de50b6d2d45cbec1e422245c848c1ab465cec3f3
cocos/pkg/attestation/eat/jwt_encoder.go
T
Sammy Kerata Oina de50b6d2d4 COCOS-560 - EAT (#561) 
* feat: Implement EAT (Evidence Attestation Token) generation and verification for attestation responses, replacing raw quotes with EAT tokens in the attestation service and protobuf.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* style: standardize comment formatting and fix a debug log format specifier.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* fix pkg test

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Introduce named constants for OEM IDs and use them in attestation claim extraction.

Signed-off-by: SammyOina <sammyoina@gmail.com>

* feat: Implement and test minimum length validation for EAT nonce in `NewEATClaims`.

Signed-off-by: SammyOina <sammyoina@gmail.com>

* feat: Add EATClaims.Sanitize method and integrate it into the validator to enforce claim dependencies.

Signed-off-by: SammyOina <sammyoina@gmail.com>

* feat: Add Signature field to SNPExtensions and TDXExtensions for enhanced claim validation

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Update dependencies and improve code structure in attestation package

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Introduce comprehensive test suites for EAT, ATLS, TDX, Azure SNP, and vTPM attestation, and improve EAT decoder robustness.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Add encryption and admin keys, an encrypted algorithm file, and update go.mod to use go-jose/v4.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: add new encryption and KBS admin keys while improving TDX attestation test error handling.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Add new KBS admin and encryption keys, an encrypted linear regression algorithm, and refactor TDX test error message checks.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Implement Azure SNP attestation policy, update certificate verification, and add key management.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* refactor: replace hardcoded string literals with variables in Azure SNP attestation tests.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

* feat: Refactor TDX EAT claims to use individual RTMR fields with `tdx_` prefixes and add an `IntUse` field.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>

---------

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
Signed-off-by: SammyOina <sammyoina@gmail.com>
2026-02-11 16:16:35 +01:00

101 lines
2.5 KiB
Go
Raw Blame History

// Copyright (c) Ultraviolet
// SPDX-License-Identifier: Apache-2.0
package eat
import (
"crypto/ecdsa"
"crypto/elliptic"
"crypto/rand"
"fmt"
"time"
"github.com/golang-jwt/jwt/v5"
)
// JWTEncoder encodes EAT claims to JWT format.
type JWTEncoder struct {
signingKey *ecdsa.PrivateKey
issuer string
}
// NewJWTEncoder creates a new JWT encoder.
func NewJWTEncoder(signingKey *ecdsa.PrivateKey, issuer string) *JWTEncoder {
return &JWTEncoder{
signingKey: signingKey,
issuer: issuer,
}
}
// Encode encodes EAT claims to JWT string.
func (e *JWTEncoder) Encode(claims *EATClaims) (string, error) {
// Set standard JWT claims
now := time.Now()
claims.Issuer = e.issuer
claims.IssuedAt = now.Unix()
claims.ExpiresAt = now.Add(5 * time.Minute).Unix() // 5 minute validity
// Create JWT token with custom claims
token := jwt.NewWithClaims(jwt.SigningMethodES256, &jwtClaims{claims})
// Sign the token
tokenString, err := token.SignedString(e.signingKey)
if err != nil {
return "", fmt.Errorf("failed to sign JWT: %w", err)
}
return tokenString, nil
}
// jwtClaims wraps EATClaims for JWT encoding.
type jwtClaims struct {
*EATClaims
}
// GetExpirationTime implements jwt.Claims interface.
func (c *jwtClaims) GetExpirationTime() (*jwt.NumericDate, error) {
if c.ExpiresAt == 0 {
return nil, nil
}
return jwt.NewNumericDate(time.Unix(c.ExpiresAt, 0)), nil
}
// GetIssuedAt implements jwt.Claims interface.
func (c *jwtClaims) GetIssuedAt() (*jwt.NumericDate, error) {
if c.IssuedAt == 0 {
return nil, nil
}
return jwt.NewNumericDate(time.Unix(c.IssuedAt, 0)), nil
}
// GetNotBefore implements jwt.Claims interface.
func (c *jwtClaims) GetNotBefore() (*jwt.NumericDate, error) {
return nil, nil
}
// GetIssuer implements jwt.Claims interface.
func (c *jwtClaims) GetIssuer() (string, error) {
return c.Issuer, nil
}
// GetSubject implements jwt.Claims interface.
func (c *jwtClaims) GetSubject() (string, error) {
return c.Subject, nil
}
// GetAudience implements jwt.Claims interface.
func (c *jwtClaims) GetAudience() (jwt.ClaimStrings, error) {
return nil, nil
}
// EncodeToJWT is a convenience function to encode EAT claims to JWT.
func EncodeToJWT(claims *EATClaims, signingKey *ecdsa.PrivateKey, issuer string) (string, error) {
encoder := NewJWTEncoder(signingKey, issuer)
return encoder.Encode(claims)
}
// GenerateSigningKey generates a new ECDSA signing key.
func GenerateSigningKey() (*ecdsa.PrivateKey, error) {
return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
Reference in New Issue View Git Blame Copy Permalink