fix: fix tee sign in

Cargo.toml

@@ -18,7 +18,7 @@ strip = true
 opt-level = 's'
 
 [workspace.package]
-version = "0.2.8"
+version = "0.2.9"
 edition = "2021"
 repository = "https://github.com/ldclabs/ic-tee"
 keywords = ["tee", "canister", "icp", "nitro"]

src/ic_tee_cli/src/main.rs

@@ -36,7 +36,6 @@ use std::{path::Path, sync::Arc};
 
 static LOCAL_HOST: &str = "http://127.0.0.1:4943";
 static IC_HOST: &str = "https://icp-api.io";
-static SETTING_KEY_ID: &str = "id_ed25519";
 static SETTING_KEY_TLS: &str = "tls";
 static COSE_SECRET_PERMANENT_KEY: &str = "v1";
 
@@ -68,7 +67,7 @@ pub enum Commands {
     /// derive the principal with canister and seeds
     IdentityDerive {
         /// TEE kind to derive the principal
-        #[arg(long, default_value = "Nitro")]
+        #[arg(long, default_value = "NITRO")]
         kind: String,
 
         #[arg(long)]

src/ic_tee_identity/src/api.rs

@@ -30,7 +30,7 @@ fn whoami() -> Principal {
 fn sign_in(kind: String, attestation: ByteBuf) -> Result<SignInResponse, String> {
     let attestation = match kind.as_str() {
         "NITRO" => parse_and_verify(attestation.as_slice())?,
-        _ => Err("unsupported attestation kind".to_string())?,
+        _ => Err(format!("unsupported attestation kind: {}", kind))?,
     };
 
     let now_ms = ic_cdk::api::time() / MILLISECONDS;

src/ic_tee_nitro_gateway/src/main.rs

@@ -216,24 +216,33 @@ async fn bootstrap(cli: Cli) -> Result<(), BoxError> {
     };
 
     let principal = tee_agent.get_principal();
-    log::info!(target: LOG_TARGET, "start to get master_secret");
+    log::info!(target: LOG_TARGET, "start to get my_master_secret");
     // should replace with vetkey in the future
-    let master_secret = tee_agent
+    let admin_master_secret = tee_agent
         .get_cose_encrypted_key(&SettingPath {
             ns: namespace.clone(),
-            user_owned: true,
+            user_owned: false,
+            key: COSE_SECRET_PERMANENT_KEY.as_bytes().to_vec().into(),
+            subject: Some(principal),
+            ..Default::default()
+        })
+        .await?;
+    let my_master_secret = tee_agent
+        .get_cose_encrypted_key(&SettingPath {
+            ns: namespace.clone(),
+            user_owned: true, // admin can't read user owned master_secret
             key: COSE_SECRET_PERMANENT_KEY.as_bytes().to_vec().into(),
             subject: Some(principal),
             ..Default::default()
         })
         .await?;
     log::info!(target: LOG_TARGET,
             elapsed = start.elapsed().as_millis() as u64;
-            "get master_secret");
+            "get my_master_secret");
 
     log::info!(target: LOG_TARGET, "start to get_or_set_root_secret");
     let root_secret =
-        get_or_set_root_secret(&tee_agent, &start, namespace.clone(), &master_secret).await?;
+        get_or_set_root_secret(&tee_agent, &start, namespace.clone(), &my_master_secret).await?;
 
     let info = TEEAppInformation {
         id: principal,
@@ -283,7 +292,8 @@ async fn bootstrap(cli: Cli) -> Result<(), BoxError> {
                 None
             } else {
                 log::info!(target: LOG_TARGET, "start to get_tls");
-                let tls = get_tls(&tee_agent, &start, namespace.clone(), &master_secret).await?;
+                let tls =
+                    get_tls(&tee_agent, &start, namespace.clone(), &admin_master_secret).await?;
                 let config = RustlsConfig::from_pem(tls.crt.to_vec(), tls.key.to_vec()).await?;
                 Some(config)
             };