Add suit-ciphersuites to QueryRequest (#183)

Signed-off-by: Dave Thaler <dthaler@microsoft.com>
dthaler · Jul 22, 2023 · 8cbcc19 · 8cbcc19
1 parent 089b1a3
commit 8cbcc19
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 3 deletions.
diff --git a/protocol/TeepAgentLib/TeepAgent.cpp b/protocol/TeepAgentLib/TeepAgent.cpp
@@ -198,12 +198,12 @@ static teep_error_code_t TeepAgentComposeQueryResponse(_Inout_ QCBORDecodeContex
                 }
             }
 
-            // Parse the supported-cipher-suites.
+            // Parse the supported-teep-cipher-suites.
             {
                 bool found = false;
                 QCBORDecode_GetNext(decodeContext, &item);
                 if (item.uDataType != QCBOR_TYPE_ARRAY) {
-                    REPORT_TYPE_ERROR(errorMessage, "supported-cipher-suites", QCBOR_TYPE_ARRAY, item);
+                    REPORT_TYPE_ERROR(errorMessage, "supported-teep-cipher-suites", QCBOR_TYPE_ARRAY, item);
                     return TeepAgentComposeError(errorToken, TEEP_ERR_PERMANENT_ERROR, errorMessage.str(), errorResponse);
                 }
                 uint16_t cipherSuiteCount = item.val.uCount;
@@ -259,6 +259,47 @@ static teep_error_code_t TeepAgentComposeQueryResponse(_Inout_ QCBORDecodeContex
                 QCBOREncode_CloseArray(&context);
             }
 
+            // Parse the supported-eat-suit-cipher-suites.
+            {
+                bool found = false;
+                QCBORDecode_GetNext(decodeContext, &item);
+                if (item.uDataType != QCBOR_TYPE_ARRAY) {
+                    REPORT_TYPE_ERROR(errorMessage, "supported-eat-suit-cipher-suites", QCBOR_TYPE_ARRAY, item);
+                    return TeepAgentComposeError(errorToken, TEEP_ERR_PERMANENT_ERROR, errorMessage.str(), errorResponse);
+                }
+                uint16_t cipherSuiteCount = item.val.uCount;
+                for (uint16_t cipherSuiteIndex = 0; cipherSuiteIndex < cipherSuiteCount; cipherSuiteIndex++) {
+                    // Parse an array of cipher suite operations.
+                    QCBORDecode_GetNext(decodeContext, &item);
+                    if (item.uDataType != QCBOR_TYPE_ARRAY || item.val.uCount != 2) {
+                        REPORT_TYPE_ERROR(errorMessage, "cipher suite operation pair", QCBOR_TYPE_ARRAY, item);
+                        return TeepAgentComposeError(errorToken, TEEP_ERR_PERMANENT_ERROR, errorMessage.str(), errorResponse);
+                    }
+                    QCBORDecode_GetNext(decodeContext, &item);
+                    if (item.uDataType != QCBOR_TYPE_INT64) {
+                        REPORT_TYPE_ERROR(errorMessage, "cose type", QCBOR_TYPE_INT64, item);
+                        return TeepAgentComposeError(errorToken, TEEP_ERR_PERMANENT_ERROR, errorMessage.str(), errorResponse);
+                    }
+                    int64_t coseAuthenticationAlgorithm = item.val.int64;
+
+                    QCBORDecode_GetNext(decodeContext, &item);
+                    if (item.uDataType != QCBOR_TYPE_INT64) {
+                        REPORT_TYPE_ERROR(errorMessage, "cose algorithm", QCBOR_TYPE_INT64, item);
+                        return TeepAgentComposeError(errorToken, TEEP_ERR_PERMANENT_ERROR, errorMessage.str(), errorResponse);
+                    }
+
+                    int64_t coseEncryptionAlgorithm = item.val.int64;
+                    if (coseAuthenticationAlgorithm == T_COSE_ALGORITHM_ES256 &&
+                        coseEncryptionAlgorithm == T_COSE_ALGORITHM_A128GCM) {
+                        found = true;
+                    }
+                }
+                if (!found) {
+                    // TODO: include suit-sha256-es256-ecdh-a128gcm or suit-sha256-eddsa-ecdh-a128gcm depending on configuration.
+                    return TEEP_ERR_UNSUPPORTED_CIPHER_SUITES;
+                }
+            }
+
             // Parse the data-item-requested.
             QCBORDecode_GetNext(decodeContext, &item);
             if (item.uDataType != QCBOR_TYPE_INT64) {

diff --git a/protocol/TeepTamLib/TeepTamMessageHandler.cpp b/protocol/TeepTamLib/TeepTamMessageHandler.cpp
@@ -63,7 +63,7 @@ teep_error_code_t TamComposeQueryRequest(
         }
         QCBOREncode_CloseMap(&context);
 
-        // Add supported cipher suites.
+        // Add supported TEEP cipher suites.
         QCBOREncode_OpenArray(&context);
         {
             // Add teep-cipher-suite-sign1-es256.
@@ -94,6 +94,27 @@ teep_error_code_t TamComposeQueryRequest(
         }
         QCBOREncode_CloseArray(&context);
 
+        // Add supported EAT-SUIT cipher suites.
+        QCBOREncode_OpenArray(&context);
+        {
+            // Add suit-sha256-es256-ecdh-a128gcm.
+            QCBOREncode_OpenArray(&context);
+            {
+                QCBOREncode_AddInt64(&context, T_COSE_ALGORITHM_ES256);
+                QCBOREncode_AddInt64(&context, T_COSE_ALGORITHM_A128GCM);
+            }
+            QCBOREncode_CloseArray(&context);
+
+            // Add suit-sha256-eddsa-ecdh-a128gcm.
+            QCBOREncode_OpenArray(&context);
+            {
+                QCBOREncode_AddInt64(&context, T_COSE_ALGORITHM_EDDSA);
+                QCBOREncode_AddInt64(&context, T_COSE_ALGORITHM_A128GCM);
+            }
+            QCBOREncode_CloseArray(&context);
+        }
+        QCBOREncode_CloseArray(&context);
+
         // Add data-item-requested.
         QCBOREncode_AddUInt64(&context, TEEP_ATTESTATION | TEEP_TRUSTED_COMPONENTS);
     }