std::string Util::GetMAAToken()

in cvm-securekey-release-app/AttestationUtil.cpp [354:435]


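/// @brief Obtain a Microsoft Azure Attestation (MAA) token for this VM.
///
/// Builds the attest request from the given endpoint and nonce (falling back
/// to Constants::DEFAULT_ATTESTATION_URL / Constants::NONCE when either is
/// empty), calls AttestationClient::Attest and returns the raw JWT string.
///
/// The token payload is decoded locally only to check whether it carries the
/// "sevsnpvm" / "azure-compliant-cvm" isolation claims. That check is
/// advisory: it produces a warning on stderr and the token is returned either
/// way. Nothing here verifies the JWT signature -- the returned value is a
/// bearer token whose validity has to be established by the relying party.
///
/// @param attestation_url MAA endpoint URL; empty selects the default.
/// @param nonce           Client nonce placed in the request payload; empty
///                        selects Constants::NONCE, a fixed value that
///                        therefore provides no freshness guarantee.
/// @return The JWT returned by the attestation service, or an empty string
///         when the Attest call fails.
/// @note Terminates the process with exit(-1) when the attestation client
///       cannot be initialised or the JWT does not have three '.'-separated
///       segments, following the error-handling convention of this file.
std::string Util::GetMAAToken(const std::string &attestation_url, const std::string &nonce)
{
    TRACE_OUT("Entering Util::GetMAAToken()");

    // Resolve defaults for an empty endpoint / nonce.
    const std::string attest_server_url =
        attestation_url.empty() ? std::string(Constants::DEFAULT_ATTESTATION_URL) : attestation_url;
    const std::string nonce_token =
        nonce.empty() ? std::string(Constants::NONCE) : nonce;

    AttestationClient *attestation_client = nullptr;
    // NOTE(review): ownership of log_handle is not visible here; it is never
    // deleted in this function, so it is presumably taken over by
    // Initialize()/Uninitialize() -- confirm against the attestation library.
    AttestationLogger *log_handle = new Logger(Util::get_trace());

    // Initialize attestation client
    if (!Initialize(log_handle, &attestation_client))
    {
        std::cerr << "Failed to create attestation client object" << std::endl;
        Uninitialize();
        exit(-1);
    }

    // Parameters for the Attest call. The std::string objects backing the
    // PBYTE pointers stay in scope until after Attest() returns.
    const std::string client_payload_str = "{\"nonce\": \"" + nonce_token + "\"}"; // nonce is optional
    attest::ClientParameters params = {};
    params.attestation_endpoint_url = (PBYTE)attest_server_url.c_str();
    params.client_payload = (PBYTE)client_payload_str.c_str();
    params.version = CLIENT_PARAMS_VERSION;

    PBYTE jwt = nullptr;
    const attest::AttestationResult result = attestation_client->Attest(params, &jwt);
    if (result.code_ != attest::AttestationResult::ErrorCode::SUCCESS || jwt == nullptr)
    {
        // Failure is reported to the caller as an empty token. A null buffer
        // on a nominally successful call is treated the same way instead of
        // being dereferenced below. The client is torn down on this path too,
        // mirroring the other exits from this function.
        std::cerr << "Attestation request failed" << std::endl;
        Uninitialize();
        TRACE_OUT("Exiting Util::GetMAAToken()");
        return std::string();
    }

    std::string jwt_str(reinterpret_cast<const char *>(jwt));

    std::vector<std::string> segments;
    boost::split(segments, jwt_str, [](char c)
                 { return c == '.'; });
    if (segments.size() < 3)
    {
        std::cerr << "Invalid JWT token" << std::endl;
        attestation_client->Free(jwt);
        Uninitialize();
        exit(-1);
    }

    // Advisory local inspection of the (unverified) payload: does the token
    // claim an SEV-SNP, Azure-compliant CVM? Absent claims, a wrong claim type
    // or an undecodable payload leave is_cvm false; none of them may abort
    // token retrieval, so json::parse sits inside the try as well.
    // NOTE(review): JWT segments are base64url-encoded; whether base64_decode()
    // accepts that alphabet and missing padding is not visible here -- confirm.
    bool is_cvm = false;
    try
    {
        json attestation_claims = json::parse(base64_decode(segments[1]));
        const std::string attestation_type =
            attestation_claims["x-ms-isolation-tee"]["x-ms-attestation-type"].get<std::string>();
        const std::string compliance_status =
            attestation_claims["x-ms-isolation-tee"]["x-ms-compliance-status"].get<std::string>();
        is_cvm = boost::iequals(attestation_type, "sevsnpvm") &&
                 boost::iequals(compliance_status, "azure-compliant-cvm");
    }
    catch (...)
    {
        // sevsnp claims do not exist in the token (or the payload could not
        // be decoded): treated as "not a CVM token".
    }
    if (!is_cvm)
    {
        // The original computed this flag and discarded it; surface it so the
        // operator can see that the token lacks the compliant-CVM claims.
        std::cerr << "Warning: attestation token does not carry the SEV-SNP azure-compliant-cvm claims" << std::endl;
    }

    attestation_client->Free(jwt);
    Uninitialize();

    TRACE_OUT("Exiting Util::GetMAAToken()");
    return jwt_str;
}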