cdh/hub: impl unwrap_key api for hub

Signed-off-by: Xynnn007 <[email protected]>
confidential-containers · Nov 16, 2023 · 2e3614f · 2e3614f
1 parent 235aea1
commit 2e3614f
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 5 deletions.
diff --git a/confidential-data-hub/hub/Cargo.toml b/confidential-data-hub/hub/Cargo.toml
@@ -15,6 +15,7 @@ anyhow = { workspace = true, optional = true }
 async-trait.workspace = true
 base64.workspace = true
 clap = { workspace = true, features = [ "derive" ], optional = true }
+image = { path = "../image", default-features = false }
 kms = { path = "../kms", default-features = false }
 lazy_static.workspace = true
 log.workspace = true
@@ -33,12 +34,12 @@ ttrpc-codegen = { workspace = true, optional = true }
 default = ["kbs"]
 
 # support aliyun stacks (KMS, ..)
-aliyun = ["secret/aliyun"]
+aliyun = ["image/aliyun", "secret/aliyun"]
 
 # support coco-KBS to provide confidential resources
-kbs = ["kms/kbs", "secret/kbs"]
+kbs = ["image/kbs", "kms/kbs", "secret/kbs"]
 
 # support sev to provide confidential resources
-sev = ["kms/sev", "dep:sev", "secret/sev"]
+sev = ["image/sev", "kms/sev", "dep:sev", "secret/sev"]
 
 bin = ["anyhow", "clap", "protobuf", "tokio/signal", "ttrpc", "ttrpc-codegen"]
diff --git a/confidential-data-hub/hub/src/error.rs b/confidential-data-hub/hub/src/error.rs
@@ -12,6 +12,9 @@ pub enum Error {
     #[error("get resource failed: {0}")]
     GetResource(String),
 
+    #[error("decrypt image (unwrap key) failed: {0}")]
+    ImageDecryption(String),
+
     #[error("init Hub failed: {0}")]
     InitializationFailed(String),
 

diff --git a/confidential-data-hub/hub/src/hub.rs b/confidential-data-hub/hub/src/hub.rs
@@ -5,6 +5,7 @@
 
 use async_trait::async_trait;
 use base64::{engine::general_purpose::STANDARD, Engine};
+use image::AnnotationPacket;
 use kms::{Annotations, ProviderSettings};
 use secret::secret::Secret;
 
@@ -49,8 +50,14 @@ impl DataHub for Hub {
         Ok(res)
     }
 
-    async fn unwrap_key(&self, _annotation: &[u8]) -> Result<Vec<u8>> {
-        todo!()
+    async fn unwrap_key(&self, annotation_packet: &[u8]) -> Result<Vec<u8>> {
+        let annotation_packet: AnnotationPacket = serde_json::from_slice(annotation_packet)
+            .map_err(|e| Error::ImageDecryption(format!("illegal AnnotationPacket format: {e}")))?;
+        let lek = annotation_packet
+            .unwrap_key()
+            .await
+            .map_err(|e| Error::ImageDecryption(format!("unwrap key failed: {e}")))?;
+        Ok(lek)
     }
 
     async fn get_resource(&self, uri: String) -> Result<Vec<u8>> {