in client-library/src/Attestation/AttestationClient/lib/AttestationClientImpl.cpp [343:429]
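AttestationResult AttestationClientImpl::DecryptMaaToken(const std::string& jwt_token_encrypted,
                                                         std::string& jwt_token_decrypted) noexcept {
    // Decrypts the encrypted-token envelope returned by the attestation service:
    //   1. base64url-decode the outer token into a JSON document,
    //   2. read the encrypted inner key and the encryption parameters from it,
    //   3. unwrap the inner key via DecryptInnerKey (RSA-ES / SHA256),
    //   4. decrypt the embedded JWT with the unwrapped key via DecryptJwt.
    //
    // Parameters:
    //   jwt_token_encrypted - encrypted token as received from the service.
    //   jwt_token_decrypted - receives the decrypted JWT; left empty on failure.
    // Returns:
    //   AttestationResult with code_ SUCCESS; ERROR_JWT_DECRYPTION_FAILED with a
    //   description_ naming the failed step; or, for step 3, whatever
    //   DecryptInnerKey itself reported.
    //
    // The function is declared noexcept, but the decoding/parsing helpers and
    // the std::string constructions it calls are not known to be non-throwing.
    // An exception escaping here would terminate the process, so the whole
    // body runs inside a try block and any exception is reported as a
    // decryption failure instead.
    AttestationResult result(AttestationResult::ErrorCode::SUCCESS);
    jwt_token_decrypted.clear();

    // Every failure is reported the same way; keep that in one place.  The
    // CLIENT_LOG_ERROR calls stay at the call sites because the macro's
    // argument format is not known here beyond "a string literal".
    auto fail = [&result](const std::string& description) -> AttestationResult {
        result.code_ = AttestationResult::ErrorCode::ERROR_JWT_DECRYPTION_FAILED;
        result.description_ = description;
        return result;
    };

    try {
        // Validate jwt_token to make sure it is not empty.
        if (jwt_token_encrypted.empty()) {
            CLIENT_LOG_ERROR("Invalid JWT");
            return fail("Invalid JWT");
        }

        // The service base64url-encodes the envelope; decode it into the JSON
        // document that carries the encrypted key, parameters and payload.
        const attest::Buffer envelope_bytes =
            attest::base64::base64url_to_binary(jwt_token_encrypted);
        const std::string envelope_json(envelope_bytes.begin(), envelope_bytes.end());

        // Parse from the std::string overload rather than c_str(): passing a
        // const char* rebuilds a std::string up to the first NUL byte, so
        // decoded data containing NUL would be silently truncated before
        // parsing instead of being rejected as malformed.
        Json::Value response;
        Json::Reader reader;
        if (!reader.parse(envelope_json, response)) {
            CLIENT_LOG_ERROR("Failed to parse AAS response");
            return fail("Failed to parse AAS response");
        }

        std::string err;
        attest::Buffer encrypted_inner_key;
        if (!GetEncryptedInnerKey(response, encrypted_inner_key, err)) {
            CLIENT_LOG_ERROR("Failed to get encrypted inner key from AAS response");
            return fail(err);
        }

        EncryptionParameters encryption_params;
        if (!GetEncryptionParameters(response, encryption_params, err)) {
            CLIENT_LOG_ERROR("Failed to get encryption parameters for decryption");
            return fail(err);
        }

        // MAA uses RSA-ES with SHA256 as the encryption algorithm.
        attest::Buffer decrypted_key;
        result = DecryptInnerKey(encrypted_inner_key,
                                 decrypted_key,
                                 attest::RsaScheme::RsaEs,
                                 attest::RsaHashAlg::RsaSha256);
        if (result.code_ != AttestationResult::ErrorCode::SUCCESS) {
            CLIENT_LOG_ERROR("Failed to decrypt inner key");
            return result;  // propagate DecryptInnerKey's own code/description
        }
        CLIENT_LOG_INFO("Successfully Decrypted inner key");

        attest::Buffer jwt_encrypted;
        if (!GetEncryptedJwt(response, jwt_encrypted, err)) {
            CLIENT_LOG_ERROR("Failed to get encrypted jwt from response");
            return fail(err);
        }

        if (!DecryptJwt(encryption_params, decrypted_key, jwt_encrypted,
                        jwt_token_decrypted, err)) {
            CLIENT_LOG_ERROR("Failed to decrypt jwt");
            // Do not hand back whatever the helper may have written before failing.
            jwt_token_decrypted.clear();
            return fail(err);
        }

        return result;
    } catch (...) {
        // The helpers' exception types are not known here, so nothing more
        // specific than "an exception" can be reported; the point is to honour
        // the noexcept contract with an error result instead of std::terminate.
        CLIENT_LOG_ERROR("Exception while decrypting MAA token");
        jwt_token_decrypted.clear();
        return fail("Exception while decrypting MAA token");
    }
}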