feat: Remote Attestation with CMC and tpm2d support (#540)

* Current CMC RAT implementation state * Disabled local maven repository * Adapted idscp2server URI in XML, cleanup * Added RA suite properties * Fixed code style, added PCR mask config property * Removed tpm2d stuff, updated IDSCP2 and CMC adapter * Fixed RA suite properties/parameters * Separate RA suites for client/server * Implemented jul (java.util.logging) to log4j, local maven repo workaround * Provide locally patched CMC RA adapter * Code style fixes and license fix * Added/documented app default properties * Updated netty due to CVE-2021-43797 * Replaced Docker layer with config by volume mount in docker-compose.yml * Disabled IDSCP2 by default and provided documentation * Removed local artifacts as Maven Central is back up for now * docs: update README.md * chore(deps): bump camel-idscp2 from 0.8.1 to 0.9.0 * chore(deps): bump camel-idscp2 from 0.9.0 to 0.9.1 * docs: update configuration.md and CHANGELOG.md * chore(deps): bump camel-idscp2 from 0.9.1 to 0.9.2 * docs: update README.md * chore(deps): add protobuf-java-util and protobuf-kotlin version management to pom.xml (v3.19.4) * chore: update version to v7.0.1-ra Co-authored-by: jpampus <[email protected]>
FraunhoferISST · Feb 14, 2022 · 467cc6e · 467cc6e
1 parent fe85943
commit 467cc6e
Show file tree

Hide file tree

Showing 20 changed files with 369 additions and 31 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1,3 +1,5 @@
 **
 !pom.xml
 !src/main/**
+!target/*.jar
+!mvn-local
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,17 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [7.0.1-RA] - 2022-02-14
+
+### Added
+- Add `mvn-local` directory and allow the usage of locally published artifacts in the `pom.xml`.
+- Add maven dependencies for velocity, idscp2-tpm2d, idscp2-cmc, grpc-netty, and netty.
+- Add functionality to run the Connector with remote attestation.
+
+### Changed
+- Update `.dockerignore`, `docker-compose.yml` and `Dockerfile`.
+- Increase camel-idscp2 version from 0.6.0 to 0.9.1.
+
 ## [7.0.1] - 2022-02-07
 
 ### Added

diff --git a/Dockerfile b/Dockerfile
@@ -1,3 +1,5 @@
+# syntax = docker/dockerfile:experimental
+
 #
 # Copyright 2020 Fraunhofer Institute for Software and Systems Engineering
 #
@@ -18,14 +20,17 @@
 FROM maven:3-eclipse-temurin-17 AS builder
 WORKDIR /app
 COPY pom.xml .
+COPY mvn-local ./mvn-local
 ## Dependencies
-RUN mvn -e -B dependency:resolve && \
+RUN --mount=type=cache,target=/root/.m2 \
+    mvn -e -B dependency:resolve && \
     mvn -e -B dependency:resolve-plugins
 ## Classes
 COPY src/main/java ./src/main/java
 COPY src/main/resources ./src/main/resources
 ## Build
-RUN mvn -e -B clean package -DskipTests -Dmaven.javadoc.skip=true && \
+RUN --mount=type=cache,target=/root/.m2 \
+    mvn -e -B clean package -DskipTests -Dmaven.javadoc.skip=true && \
     java -Djarmode=layertools -jar /app/target/dataspaceconnector.jar extract
 
 # JRE
@@ -54,4 +59,4 @@ COPY --from=builder /app/application/ ./
 EXPOSE 8080
 EXPOSE 29292
 USER nonroot
-ENTRYPOINT ["java","org.springframework.boot.loader.JarLauncher"]
+ENTRYPOINT ["java","org.springframework.boot.loader.JarLauncher","-Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager"]
diff --git a/README.md b/README.md
@@ -1,9 +1,16 @@
-<h4 align="center" >
-    <span style="color:red">WARNING: UPDATE TO V7.0.0</span><br>
+<h1 align="center" >
+    <span style="color:red">WARNING: UPDATE TO V7.X.X</span><br>
     Before updating, please read
     <a href="https://international-data-spaces-association.github.io/DataspaceConnector/Deployment/DatabaseMigration">this</a>
     guide!
-</h4>
+</h1>
+
+<h3 align="center" >
+    Please note that we will no longer implement any new features or bug fixes.
+    We will only maintain security-critical dependencies.
+    For further developments, please take a look at the
+    <a href="https://github.com/eclipse-dataspaceconnector">Eclipse project</a>.
+</h3>
 
 <h1 align="center">
   <br>
@@ -126,6 +133,7 @@ with significant contributions, comments, and support by (in alphabetical order)
 * [Gökhan Kahriman](https://github.com/goekhanKahriman), [Fraunhofer ISST](https://www.isst.fraunhofer.de/en.html)
 * [Haydar Qarawlus](https://github.com/hqarawlus), [Fraunhofer ISST](https://www.isst.fraunhofer.de/en.html)
 * [Johannes Pieperbeck](https://github.com/jpieperbeck), [Fraunhofer ISST](https://www.isst.fraunhofer.de/en.html)
+* [Michael Lux](https://github.com/milux), [Fraunhofer AISEC](https://www.aisec.fraunhofer.de/en.html)
 * [Omar Luiz Barreto Silva](https://github.com/ob-silva), [Fraunhofer ISST](https://www.isst.fraunhofer.de/en.html)
 * [René Brinkhege](https://github.com/renebrinkhege), [Fraunhofer ISST](https://www.isst.fraunhofer.de/en.html)
 * [Steffen Biehs](https://github.com/steffen-biehs), [Fraunhofer ISST](https://www.isst.fraunhofer.de/en.html)

diff --git a/charts/dataspace-connector/Chart.yaml b/charts/dataspace-connector/Chart.yaml
@@ -22,7 +22,7 @@ version: 0.3.1
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "7.0.1"
+appVersion: "7.0.1-ra"
 
 dependencies:
   - name: postgresql

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -32,9 +32,13 @@ services:
   connector:
     build:
       context: .
+    # Must be "consumer-core" for IDSCP2 test setup to work properly with cert.p12
     container_name: 'connector-container'
+    volumes:
+      - ./src/main/resources/conf:/app/src/main/resources/conf
     ports:
       - 8080:8080
+      - 29292:29292
     env_file:
       - ./connector.env
     networks:

diff --git a/docs/pages/deployment/configuration.md b/docs/pages/deployment/configuration.md
@@ -503,19 +503,48 @@ shacl.validation=true
 
 ---
 
+### IDSCP2 Usage and Remote Attestation
+
 As the IDS Messaging Services provide the connector with the ability to communicate via IDS multipart
-messages, the IDSCPv2 dependency allows to send and receive the same messages via the IDSCP
-protocol. For this and the underlying Camel, some more settings need to be set and can be modified
-accordingly:
+messages, the IDSCP2 dependency allows to send and receive the same messages via the IDSCP2
+protocol. For this and the underlying Apache Camel framework, some more settings need to be set
+and can be modified accordingly:
 
 ```properties
-## Camel
-camel.springboot.main-run-controller=true
-camel.truststore.path=classpath:conf/truststore.p12
-
-## IDSCP
-application.http.base-url=https://localhost:8080
+## IDSCP2
 idscp2.enabled=false
-idscp2.keystore=./src/main/resources/conf/keystore-localhost.p12
+idscp2.keystore=./src/main/resources/conf/cert.p12
 idscp2.truststore=./src/main/resources/conf/truststore.p12
+
+## IDSCP2 CMC RA
+## Expected and featured RA suites of server/client routes in the DSC
+idscp2.supported-ra-suites-server=Dummy|CMC
+idscp2.expected-ra-suites-server=Dummy
+idscp2.supported-ra-suites-client=Dummy|CMC
+idscp2.expected-ra-suites-client=CMC
+## Set this to the IP address or hostname the machine/container running the cmcd
+idscp2.cmc-host=172.22.0.1
 ```
+
+Setting `idscp2.enabled` to `true` will activate IDSCP2 support, using the default port 29292 as
+IDSCP2 server port.
+
+The `idscp2.[keystore/truststore]` properties define paths to the keystore and truststore in use.
+The provided example keystore (`cert.p12`) is issued for hostname `consumer-core`, which has to be
+set in `docker-compose.yml`, or elsewhere, accordingly.
+
+The `idscp2.[supported/expected]-ra-suites-[client/server]` properties specify the supported and
+expected remote attestation mechanisms for client and server, respectively.
+The default configuration specifies both the "Dummy" remote "attestation" (which does nothing), and
+the remote attestation using the Container Measurement Component (CMC), whereas the client expects
+the server to supply CMC RA, and the server does not request RA from the client.
+If you want to use remote attestation via the CMC, please consult the
+[README in the CMC Repo](https://github.com/Fraunhofer-AISEC/cmc) for setup directions.
+
+In order for the IDSCP2 RA adapter to communicate with the CMC, the host (and optionally port)
+of the CMC server has to be specified via the `idscp2.cmc-host` property. This can be a little
+tricky in containerized environments, the example specifies a typical host IP address in a
+Docker (Compose) network, but _should **NOT** be expected to work out of the box!_
+Please use `docker inspect` or similar to check the actual subnet and modify the property
+accordingly! Another port but the default port 9955 can optionally be specified using the format
+`<host/ip>:<port>`.
diff --git a/mvn-local/.gitignore b/mvn-local/.gitignore
@@ -0,0 +1,2 @@
+*.jar.*
+*.pom.*
diff --git a/mvn-local/README b/mvn-local/README
@@ -0,0 +1,2 @@
+Local, unreleased maven2 dependencies may be placed in this directory
+in order to be picked up by maven during build.
diff --git a/mvnw b/mvnw
diff --git a/openapi.yaml b/openapi.yaml
@@ -25,7 +25,7 @@ info:
   license:
     name: "Apache License, Version 2.0"
     url: https://www.apache.org/licenses/LICENSE-2.0.txt
-  version: 7.0.1
+  version: 7.0.1-ra
 servers:
   - url: https://localhost:8080
     description: Generated server url

diff --git a/pom.xml b/pom.xml
@@ -85,7 +85,7 @@
 
 	<properties>
 		<!-- General -->
-		<revision>7.0.1</revision>
+		<revision>7.0.1-ra</revision>
 		<email>[email protected]</email>
 
 		<!-- Build info -->
@@ -106,8 +106,13 @@
 		<jaeger.version>3.3.1</jaeger.version>
 		<freemarker.version>2.3.31</freemarker.version>
 		<camel.version>3.15.0</camel.version>
-		<idscp2.version>0.6.0</idscp2.version>
+		<idscp2.version>0.9.2</idscp2.version>
 		<protobuf.version>3.19.4</protobuf.version>
+		<velocity.version>1.7</velocity.version>
+		<idscp2-tpm2d.version>0.2.2</idscp2-tpm2d.version>
+		<idscp2-cmc.version>0.8.1</idscp2-cmc.version>
+		<grpc-netty.version>1.42.1</grpc-netty.version>
+		<netty.version>4.1.72.Final</netty.version>
 
 		<!-- Plugins -->
 		<maven-enforcer-plugin.version>3.0.0</maven-enforcer-plugin.version>
@@ -510,6 +515,18 @@
 			<version>${protobuf.version}</version>
 		</dependency>
 
+		<dependency>
+			<groupId>com.google.protobuf</groupId>
+			<artifactId>protobuf-java-util</artifactId>
+			<version>${protobuf.version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>com.google.protobuf</groupId>
+			<artifactId>protobuf-kotlin</artifactId>
+			<version>${protobuf.version}</version>
+		</dependency>
+
 		<dependency>
 			<groupId>de.fhg.aisec.ids</groupId>
 			<artifactId>camel-idscp2</artifactId>
@@ -534,6 +551,31 @@
             </exclusions>
         </dependency>
 
+		<dependency>
+			<groupId>de.fhg.aisec.ids</groupId>
+			<artifactId>idscp2-ra-cmc</artifactId>
+			<version>${idscp2-cmc.version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>io.netty</groupId>
+			<artifactId>netty-bom</artifactId>
+			<version>${netty.version}</version>
+			<type>pom</type>
+		</dependency>
+
+		<dependency>
+			<groupId>io.grpc</groupId>
+			<artifactId>grpc-netty</artifactId>
+			<version>${grpc-netty.version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.apache.logging.log4j</groupId>
+			<artifactId>log4j-jul</artifactId>
+			<version>${log4j2.version}</version>
+		</dependency>
+
 	</dependencies>
 
 	<repositories>
@@ -569,6 +611,18 @@
 				<enabled>true</enabled>
 			</releases>
 		</repository>
+		<!-- Enables usage of locally published artifacts -->
+		<repository>
+			<id>maven-local</id>
+			<name>Local m2 Repository</name>
+			<url>file://mvn-local</url>
+			<snapshots>
+				<enabled>false</enabled>
+			</snapshots>
+			<releases>
+				<enabled>true</enabled>
+			</releases>
+		</repository>
 	</repositories>
 
 	<dependencyManagement>
@@ -776,6 +830,7 @@
 						<licenseSet>
 							<header>scripts/ci/license/header.txt</header>
 							<excludes>
+								<exclude>mvn-local/**</exclude>
 								<exclude>**/README</exclude>
 								<exclude>src/test/resources/**</exclude>
 								<exclude>src/main/resources/**</exclude>

diff --git a/src/main/java/io/dataspaceconnector/common/routing/ParameterUtils.java b/src/main/java/io/dataspaceconnector/common/routing/ParameterUtils.java
@@ -144,7 +144,9 @@ private ParameterUtils() { }
     public static String getIdscp2ClientUri(final String recipient) {
         return "idscp2client://" + recipient + "?awaitResponse=true"
                 + "&sslContextParameters=#serverSslContext"
-                + "&useIdsMessages=true";
+                + "&useIdsMessages=true"
+                + "&supportedRaSuites=#supportedRaSuitesClient"
+                + "&expectedRaSuites=#expectedRaSuitesClient";
     }
 
 }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		Local, unreleased maven2 dependencies may be placed in this directory
		in order to be picked up by maven during build.