Return missing measurements if verify_measurements fails (#343)

If we fail to verify the measurements it's useful to know which
measurements were missing from the corpus. Return this information.

Author: labbott

Cargo.lock

@@ -18,5 +18,6 @@ sha3.workspace = true
 static_assertions.workspace = true
 
 [features]
+testing = []
 default = ["std"]
 std = ["der/std", "der/derive", "der/oid", "getrandom", "hex", "rats-corim", "sha3/oid", "thiserror" ]

attest-data/Cargo.toml

@@ -192,6 +192,16 @@ pub enum Measurement {
     Sha3_256(Sha3_256Digest),
 }
 
+impl Measurement {
+    // This is useful for unit tesitng purposes. The name here
+    // is intentional to indicate that this is unchecked and if you
+    // are using it anywhere besides unit tests something has gone wrong!
+    #[cfg(any(test, feature = "testing"))]
+    pub fn fake(bytes: [u8; 32]) -> Self {
+        Measurement::Sha3_256(Sha3_256Digest::from(bytes))
+    }
+}
+
 impl Default for Measurement {
     fn default() -> Self {
         Measurement::Sha3_256(Sha3_256Digest::default())

attest-data/src/lib.rs

@@ -10,6 +10,7 @@ attest-data = { path = "../attest-data", features = ["std"] }
 const-oid.workspace = true
 ed25519-dalek = { workspace = true, features = ["std"] }
 env_logger.workspace = true
+hex = { workspace = true }
 hubpack.workspace = true
 libipcc = { workspace = true, optional = true }
 log.workspace = true
@@ -20,6 +21,11 @@ tempfile.workspace = true
 thiserror.workspace = true
 x509-cert = { workspace = true, default-features = true }
 
+
+[dev-dependencies]
+attest-data = { path = "../attest-data", features = ["std", "testing"] }
+
 [features]
+testing = []
 ipcc = ["libipcc"]
 mock = ["ed25519-dalek/pem"]

verifier/Cargo.toml

@@ -404,6 +404,7 @@ pub enum MeasurementSetError {
 /// This is a collection to represent the measurements received from an
 /// attestor. These measurements will come from the measurement log and the
 /// DiceTcbInfo extension(s) in the attestation cert chain / pki path.
+#[derive(Debug, PartialEq)]
 pub struct MeasurementSet(HashSet<Measurement>);
 
 /// Construct a MeasurementSet from the provided artifacts. The
@@ -458,6 +459,22 @@ impl MeasurementSet {
     pub fn is_subset(&self, corpus: &ReferenceMeasurements) -> bool {
         self.0.is_subset(&corpus.0)
     }
+
+    /// Return the actual differences from the corpus, useful for debugging
+    pub fn difference(
+        &self,
+        corpus: &ReferenceMeasurements,
+    ) -> Option<MeasurementSet> {
+        if self.is_subset(corpus) {
+            None
+        } else {
+            let mut measurements = HashSet::new();
+            for measurement in self.0.difference(&corpus.0) {
+                measurements.insert(*measurement);
+            }
+            Some(MeasurementSet(measurements))
+        }
+    }
 }
 
 impl std::iter::IntoIterator for MeasurementSet {
@@ -602,8 +619,8 @@ pub fn verify_attestation(
 /// process.
 #[derive(Debug, Error)]
 pub enum VerifyMeasurementsError {
-    #[error("Measurements are not a subset of reference measurements")]
-    NotSubset,
+    #[error("Measurements are not a subset of reference measurements: {0}")]
+    NotSubset(MeasurementSet),
 }
 
 /// This function implements the core of our attestation appraisal policy.
@@ -613,10 +630,13 @@ pub fn verify_measurements(
     measurements: &MeasurementSet,
     corpus: &ReferenceMeasurements,
 ) -> Result<(), VerifyMeasurementsError> {
-    if measurements.is_subset(corpus) {
-        Ok(())
+    // This should be equivallent to measurements.subset(corpus) but
+    // give us the entries that are not in the corpus for debugging
+    // purposes
+    if let Some(diff) = measurements.difference(corpus) {
+        Err(VerifyMeasurementsError::NotSubset(diff))
     } else {
-        Err(VerifyMeasurementsError::NotSubset)
+        Ok(())
     }
 }
 
@@ -785,4 +805,72 @@ ezRrVF9+9OkCymi+xqWG8UN87sN/9Qk=
 
         assert!(res.is_err());
     }
+
+    const MEASUREMENT_A: [u8; 32] = [0x1; 32];
+    const MEASUREMENT_B: [u8; 32] = [0x2; 32];
+    const MEASUREMENT_C: [u8; 32] = [0x3; 32];
+
+    #[test]
+    fn basic_measurement_set_tests() {
+        let measurement_a = Measurement::fake(MEASUREMENT_A);
+        let measurement_b = Measurement::fake(MEASUREMENT_B);
+        let measurement_c = Measurement::fake(MEASUREMENT_C);
+
+        let mut corpus = HashSet::new();
+
+        corpus.insert(measurement_a);
+        corpus.insert(measurement_b);
+        corpus.insert(measurement_c);
+
+        let corpus = ReferenceMeasurements(corpus);
+
+        let mut set_a = HashSet::new();
+        set_a.insert(measurement_a);
+        let set_a = MeasurementSet(set_a);
+
+        assert!(set_a.is_subset(&corpus));
+
+        let mut set_b = HashSet::new();
+        set_b.insert(measurement_b);
+        let set_b = MeasurementSet(set_b);
+
+        assert!(set_b.is_subset(&corpus));
+
+        let mut set_c = HashSet::new();
+        set_c.insert(measurement_c);
+        let set_c = MeasurementSet(set_c);
+
+        assert!(verify_measurements(&set_c, &corpus).is_ok());
+    }
+
+    #[test]
+    fn missing_measurement_set_tests() {
+        let measurement_a = Measurement::fake(MEASUREMENT_A);
+        let measurement_b = Measurement::fake(MEASUREMENT_B);
+        let measurement_c = Measurement::fake(MEASUREMENT_C);
+
+        let mut corpus = HashSet::new();
+
+        corpus.insert(measurement_a);
+        corpus.insert(measurement_b);
+
+        let corpus = ReferenceMeasurements(corpus);
+
+        let mut set_c = HashSet::new();
+        set_c.insert(measurement_c);
+        let set_c = MeasurementSet(set_c);
+
+        let mut other_c = HashSet::new();
+        other_c.insert(measurement_c);
+        let other_c = MeasurementSet(other_c);
+
+        match verify_measurements(&set_c, &corpus) {
+            Ok(()) => panic!("expected an error"),
+            Err(e) => match e {
+                VerifyMeasurementsError::NotSubset(set) => {
+                    assert!(other_c == set)
+                }
+            },
+        }
+    }
 }