remy.saksik@thalesgroup.com

amber-cli-tdx/README.md

@@ -1,74 +1,6 @@
 # Intel Project Amber Go TDX CLI
 This is the beta version of Go TDX CLI for integrating with Intel Project Amber V1 API.
 
-You can view Intel Project Amber API docs here: [https://intel.github.io/amber-docs/rest/overview/](https://intel.github.io/amber-docs/rest/overview/)
-
-## Prerequisites
-
-The Amber Client TDX CLI has dependency on Intel SGX DCAP. Install TDX Attestation library devel packages from Intel SGX DCAP.
-
-### For Ubuntu* OS
-Install the Debian package for `libtdx-attest-dev` following these steps:
-
-1. Add the following repository to your sources:
-    * For Ubuntu* 18.04:
-        ```sh
-        echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu bionic main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
-        ```
-    * For Ubuntu* 20.04:
-        ```sh
-        echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
-        ```
-    * For Ubuntu* 22.04:
-        ```sh
-        echo 'deb [signed-by=/etc/apt/keyrings/intel-sgx-keyring.asc arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
-        ```
-2. Get the Debian repo public key and add it to the list of trusted keys that are used by apt to authenticate packages:
-    * For Ubuntu* 18.04 and Ubuntu* 20.04:
-        ```sh
-        wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add
-        ```
-    * For Ubuntu* 22.04:
-        ```sh
-        wget https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key
-        cat intel-sgx-deb.key | sudo tee /etc/apt/keyrings/intel-sgx-keyring.asc > /dev/null
-        ```
-3. Update apt and install the *libtdx-attest-dev* package:
-    ```sh
-    sudo apt-get update
-    sudo apt-get install libtdx-attest-dev
-    ```
-
-### For RHEL* OS
-Install the RPM package for `libtdx-attest-devel` following these steps:
-
-1. Find RPM packages for DCAP libraries and services, which are currently provided in a single TAR archive at
-    ```
-    https://download.01.org/intel-sgx/latest/linux-latest/distro/<distro>/
-    ```
-2. Download the file `sgx_rpm_local_repo.tgz` to a selected folder, for example `/opt/intel`
-    ```sh
-    cd /opt/intel
-    sudo wget https://download.01.org/intel-sgx/latest/linux-latest/distro/<distro>/sgx_rpm_local_repo.tgz
-    ```
-3. Verify the downloaded repo file with the SHA value in this file:
-    https://download.01.org/intel-sgx/latest/dcap-latest/linux/SHA256SUM_dcap_<version>.cfg
-    ```sh
-    sha256sum sgx_rpm_local_repo.tgz
-    ```
-4. Expand the archive:
-    ```sh
-    sudo tar xvf sgx_rpm_local_repo.tgz
-    ```
-5. Add the RPM local repository to your local repository list
-    ```sh
-    sudo yum-config-manager --add-repo file://PATH_TO_LOCAL_REPO
-    ```
-6. Install all the latest packages using `sudo dnf --nogpgcheck install <package names>`
-    ```sh
-    sudo dnf --nogpgcheck install libtdx-attest-devel
-    ```
-
 ## Go Requirement
 
 Use <b>go1.17 or newer</b>.
@@ -83,13 +15,6 @@ cd amber-cli-tdx/
 make cli
 ```
 
-### Install prebuilt binary
-Install the latest version of the CLI with the following commands:
-
-```sh
-go get github.com/intel/amber/v1/client/tdx-cli
-```
-
 ## Usage
 
 Amber Client TDX CLI exposes help option to get a list of all the
@@ -106,6 +31,18 @@ export AMBER_URL=<amber api url>
 export AMBER_API_KEY=<amber attestation api key>
 amber-cli token --user-data <base64 encoded userdata> --policy-ids <comma separated amber attestation policy ids>
 ```
+OR
+```sh
+amber-cli token --pub-path <public key file path> --policy-ids <comma separated amber attestation policy ids>
+```
+
+### To verify an Amber signed token
+
+```sh
+export AMBER_URL=<amber api url>
+export AMBER_API_KEY=<amber attestation api key>
+amber-cli verify --token-path <token file path>
+```
 
 ### To get a TD quote with Nonce and UserData
 
@@ -126,7 +63,7 @@ amber-cli decrypt --key <base64 encoded private key> --in <base64 encoded encryp
 ### To create RSA keypair
 
 ```sh
-amber-cli create-key-pair
+amber-cli create-key-pair --pub-path <public key file path>
 ```
 
 ## License

amber-cli-tdx/cmd/quote.go

@@ -66,8 +66,7 @@ func getQuote(cmd *cobra.Command) error {
 		}
 	}
 
-	evLogParser := tdx.NewEventLogParser()
-	adapter, err := tdx.NewAdapter(userDataBytes, evLogParser)
+	adapter, err := tdx.NewAzureAdapter(userDataBytes, nil)
 	if err != nil {
 		return errors.Wrap(err, "Error while creating tdx adapter")
 	}
@@ -76,6 +75,6 @@ func getQuote(cmd *cobra.Command) error {
 		return errors.Wrap(err, "Failed to collect evidence")
 	}
 
-	fmt.Fprintln(os.Stdout, evidence.Evidence)
+	fmt.Fprintln(os.Stdout, base64.StdEncoding.EncodeToString(evidence.Evidence))
 	return nil
 }

amber-cli-tdx/cmd/token.go

@@ -133,8 +133,7 @@ func getToken(cmd *cobra.Command) error {
 		return err
 	}
 
-	evLogParser := tdx.NewEventLogParser()
-	adapter, err := tdx.NewAdapter(userDataBytes, evLogParser)
+	adapter, err := tdx.NewAzureAdapter(userDataBytes, nil)
 	if err != nil {
 		return errors.Wrap(err, "Error while creating tdx adapter")
 	}

amber-cli-tdx/cmd/token_verify.go

@@ -0,0 +1,105 @@
+/*
+ *   Copyright (c) 2022 Intel Corporation
+ *   All rights reserved.
+ *   SPDX-License-Identifier: BSD-3-Clause
+ */
+
+package cmd
+
+import (
+	"crypto/tls"
+	"encoding/base64"
+	"fmt"
+	"net/url"
+	"os"
+
+	"github.com/intel/amber/v1/client"
+	"github.com/intel/amber/v1/client/tdx-cli/constants"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+// verifyCmd represents the token command
+var verifyCmd = &cobra.Command{
+	Use:   constants.VerifyCmd,
+	Short: "Verify the amber token",
+	Long:  ``,
+	RunE: func(cmd *cobra.Command, args []string) error {
+		err := verifyToken(cmd)
+		if err != nil {
+			fmt.Fprintln(os.Stderr, err.Error())
+			return err
+		}
+
+		return nil
+	},
+}
+
+func init() {
+	rootCmd.AddCommand(verifyCmd)
+	verifyCmd.Flags().StringP(constants.VerifyTokenOption, "f", "", "Path to token file")
+}
+
+func verifyToken(cmd *cobra.Command) error {
+	var err error
+
+	viper.AutomaticEnv()
+	amberUrl := viper.GetString(constants.AmberUrlEnv)
+	if amberUrl == "" {
+		return errors.Errorf("%s is not set in env", constants.AmberUrlEnv)
+	} else {
+		_, err = url.ParseRequestURI(amberUrl)
+		if err != nil {
+			return errors.Wrap(err, "Invalid Amber URL")
+		}
+	}
+
+	amberApikey := viper.GetString(constants.AmberApiKeyEnv)
+	if amberApikey == "" {
+		return errors.Errorf("%s is not set in env", constants.AmberApiKeyEnv)
+	} else {
+		_, err = base64.URLEncoding.DecodeString(amberApikey)
+		if err != nil {
+			return errors.Wrap(err, "Invalid Api key, must be base64 string")
+		}
+	}
+
+	tokenPath, err := cmd.Flags().GetString(constants.VerifyTokenOption)
+	if err != nil {
+		return err
+	}
+
+	var token []byte
+	if tokenPath != "" {
+		token, err = os.ReadFile(tokenPath)
+		if err != nil {
+			return errors.Wrap(err, "Error reading token from file")
+		}
+
+	}
+
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: false,
+		MinVersion:         tls.VersionTLS12,
+	}
+
+	cfg := client.Config{
+		Url:    amberUrl,
+		TlsCfg: tlsConfig,
+		ApiKey: amberApikey,
+	}
+
+	amberClient, err := client.New(&cfg)
+	if err != nil {
+		return err
+	}
+
+	status, err := amberClient.VerifyToken(string(token))
+	if err != nil {
+		return err
+	}
+
+	fmt.Fprintln(os.Stdout, status)
+	return nil
+}