Decode key used for image decryption

The key should be base64 encoded if it's from a kbs repository, KMS or file system instead of plain text. This align with other KBC module, such as `offline_fs_kbc`. Signed-off-by: Dave Chen <[email protected]>
confidential-containers · Dec 8, 2023 · 459b30f · 459b30f
1 parent 20ef805
commit 459b30f
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/attestation-agent/kbc/src/cc_kbc/mod.rs b/attestation-agent/kbc/src/cc_kbc/mod.rs
@@ -31,8 +31,8 @@ impl KbcInterface for Kbc {
 
     async fn decrypt_payload(&mut self, annotation_packet: AnnotationPacket) -> Result<Vec<u8>> {
         let key_data = self.kbs_client.get_resource(annotation_packet.kid).await?;
-        let key = Zeroizing::new(key_data);
-
+        let decoded_key = base64::engine::general_purpose::STANDARD.decode(key_data)?;
+        let key = Zeroizing::new(decoded_key);
         let wrap_type = WrapType::try_from(&annotation_packet.wrap_type[..])?;
         decrypt(
             key,