From 2e3614ff7ebe0c7e3fd9d0c87dd1bec1931c9fc0 Mon Sep 17 00:00:00 2001
From: Xynnn007
Date: Sun, 10 Sep 2023 18:59:11 +0800
Subject: [PATCH] cdh/hub: impl unwrap_key api for hub

Signed-off-by: Xynnn007
---
 confidential-data-hub/hub/Cargo.toml   | 7 ++++---
 confidential-data-hub/hub/src/error.rs | 3 +++
 confidential-data-hub/hub/src/hub.rs   | 11 +++++++++--
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/confidential-data-hub/hub/Cargo.toml b/confidential-data-hub/hub/Cargo.toml
index 3d2c28937..db21cede3 100644
--- a/confidential-data-hub/hub/Cargo.toml
+++ b/confidential-data-hub/hub/Cargo.toml
@@ -15,6 +15,7 @@ anyhow = { workspace = true, optional = true }
 async-trait.workspace = true
 base64.workspace = true
 clap = { workspace = true, features = [ "derive" ], optional = true }
+image = { path = "../image", default-features = false }
 kms = { path = "../kms", default-features = false }
 lazy_static.workspace = true
 log.workspace = true
@@ -33,12 +34,12 @@ ttrpc-codegen = { workspace = true, optional = true }
 default = ["kbs"]
 
 # support aliyun stacks (KMS, ..)
-aliyun = ["secret/aliyun"]
+aliyun = ["image/aliyun", "secret/aliyun"]
 
 # support coco-KBS to provide confidential resources
-kbs = ["kms/kbs", "secret/kbs"]
+kbs = ["image/kbs", "kms/kbs", "secret/kbs"]
 
 # support sev to provide confidential resources
-sev = ["kms/sev", "dep:sev", "secret/sev"]
+sev = ["image/sev", "kms/sev", "dep:sev", "secret/sev"]
 
 bin = ["anyhow", "clap", "protobuf", "tokio/signal", "ttrpc", "ttrpc-codegen"]
diff --git a/confidential-data-hub/hub/src/error.rs b/confidential-data-hub/hub/src/error.rs
index f2c06c58e..15169480d 100644
--- a/confidential-data-hub/hub/src/error.rs
+++ b/confidential-data-hub/hub/src/error.rs
@@ -12,6 +12,9 @@ pub enum Error {
     #[error("get resource failed: {0}")]
     GetResource(String),
 
+    #[error("decrypt image (unwrap key) failed: {0}")]
+    ImageDecryption(String),
+
     #[error("init Hub failed: {0}")]
     InitializationFailed(String),
 
diff --git a/confidential-data-hub/hub/src/hub.rs b/confidential-data-hub/hub/src/hub.rs
index 61ad8c0e2..704fc75fb 100644
--- a/confidential-data-hub/hub/src/hub.rs
+++ b/confidential-data-hub/hub/src/hub.rs
@@ -5,6 +5,7 @@
 
 use async_trait::async_trait;
 use base64::{engine::general_purpose::STANDARD, Engine};
+use image::AnnotationPacket;
 use kms::{Annotations, ProviderSettings};
 use secret::secret::Secret;
 
@@ -49,8 +50,14 @@ impl DataHub for Hub {
         Ok(res)
     }
 
-    async fn unwrap_key(&self, _annotation: &[u8]) -> Result> {
-        todo!()
+    async fn unwrap_key(&self, annotation_packet: &[u8]) -> Result> {
+        let annotation_packet: AnnotationPacket = serde_json::from_slice(annotation_packet)
+            .map_err(|e| Error::ImageDecryption(format!("illegal AnnotationPacket format: {e}")))?;
+        let lek = annotation_packet
+            .unwrap_key()
+            .await
+            .map_err(|e| Error::ImageDecryption(format!("unwrap key failed: {e}")))?;
+        Ok(lek)
     }
 
     async fn get_resource(&self, uri: String) -> Result> {
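Review bot: The parsed struct shadows the `annotation_packet: &[u8]` parameter on the first added body line, so the raw caller-supplied bytes and the decoded packet carry the same name inside the method whose job is the boundary between them; `let packet: AnnotationPacket = serde_json::from_slice(annotation_packet)` followed by `packet.unwrap_key()` keeps the two apart. Nothing in the body reads `self`, so whatever provider configuration the `Hub` holds (the `Annotations`/`ProviderSettings` imports in the first hunk suggest it has some) never reaches `AnnotationPacket::unwrap_key`; if the image crate is meant to resolve its backend from hub state that wiring is missing here, and if it is self-contained a one-line comment such as `// Key unwrapping is delegated entirely to the image crate; Hub state is not consulted.` would spare the next reader the question. The returned `lek` is plaintext key material in a `Vec<u8>` with no documentation of its lifetime; a short doc comment on this impl stating that the caller owns the key and should drop it as soon as it has been used would be worth adding. The enclosing `impl DataHub for Hub` continues outside the hunk.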