CDH/image: fix unwrap key logic

1. Fix the place of AnnotationPacket. The old code points to a wrong place that was never test so we never found that. 2. Fix the provider comparation logic. The scheme of KBS should be `kbs` rather than `Kbs`. Signed-off-by: Xynnn007 <[email protected]>
confidential-containers · Jan 12, 2024 · 85ad504 · 85ad504
1 parent fce13da
commit 85ad504
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 8 deletions.
diff --git a/confidential-data-hub/hub/src/bin/confidential-data-hub/server/message.rs b/confidential-data-hub/hub/src/bin/confidential-data-hub/server/message.rs
@@ -10,8 +10,6 @@ use std::collections::HashMap;
 use std::str;
 use std::vec::Vec;
 
-const ANNOTATION_KEY_NAME: &str = "attestation-agent";
-
 #[derive(Serialize, Deserialize, Debug, PartialEq, Default, Clone)]
 pub struct KeyProviderInput {
     // Operation is either "keywrap" or "keyunwrap"
@@ -26,10 +24,8 @@ impl KeyProviderInput {
     pub fn get_annotation(&self) -> Result<Vec<u8>> {
         let annotation_base64 = self
             .keyunwrapparams
-            .dc
+            .annotation
             .as_ref()
-            .and_then(|dc| dc.parameters.get(ANNOTATION_KEY_NAME))
-            .and_then(|paras| paras.get(0))
             .ok_or_else(|| anyhow!("Illegal UnwrapKey request: no AnnotationPacket given."))?;
 
         let engine = base64::engine::general_purpose::STANDARD;

diff --git a/confidential-data-hub/image/src/annotation_packet/v2.rs b/confidential-data-hub/image/src/annotation_packet/v2.rs
@@ -57,7 +57,7 @@ fn default_version() -> String {
 }
 
 fn default_provider() -> String {
-    VaultProvider::Kbs.as_ref().to_string()
+    VaultProvider::Kbs.as_ref().to_lowercase().to_string()
 }
 
 impl TryInto<super::v1::AnnotationPacket> for AnnotationPacketV2 {
@@ -70,7 +70,7 @@ impl TryInto<super::v1::AnnotationPacket> for AnnotationPacketV2 {
             )));
         }
 
-        if self.provider != VaultProvider::Kbs.as_ref() {
+        if self.provider != VaultProvider::Kbs.as_ref().to_lowercase() {
             return Err(Error::ConvertAnnotationPacketFailed(String::from(
                 "Provider must be `kbs`.",
             )));

diff --git a/confidential-data-hub/kms/src/plugins/mod.rs b/confidential-data-hub/kms/src/plugins/mod.rs
@@ -3,6 +3,8 @@
 // SPDX-License-Identifier: Apache-2.0
 //
 
+use std::str::FromStr;
+
 use strum::{AsRefStr, EnumString};
 
 use crate::{Decrypter, Error, Getter, ProviderSettings, Result};
@@ -59,7 +61,7 @@ pub async fn new_getter(
     provider_name: &str,
     _provider_settings: ProviderSettings,
 ) -> Result<Box<dyn Getter>> {
-    let provider = VaultProvider::try_from(provider_name)
+    let provider = VaultProvider::from_str(provider_name)
         .map_err(|_| Error::UnsupportedProvider(provider_name.to_string()))?;
     match provider {
         VaultProvider::Kbs => Ok(Box::new(kbs::KbcClient::new().await?) as Box<dyn Getter>),