From 6657837db52a2b2b50baf24d0651e6184285a1b3 Mon Sep 17 00:00:00 2001
From: flaxben
Date: Fri, 31 May 2024 17:37:26 +0800
Subject: [PATCH 1/4] Brotli decompression support for DCAP
---
 go.mod | 1 +
 go.sum | 2 ++
 pkg/dcap/cert.go | 6 +++---
 pkg/dcap/verify.go | 21 ++++++++++++++++++---
 4 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index 3724280..673dafa 100644
--- a/go.mod
+++ b/go.mod
@@ -25,6 +25,7 @@ require (
 github.com/Microsoft/go-winio v0.6.1 // indirect
 github.com/StackExchange/wmi v1.2.1 // indirect
 github.com/VictoriaMetrics/fastcache v1.12.1 // indirect
+ github.com/andybalholm/brotli v1.1.0
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/bits-and-blooms/bitset v1.10.0 // indirect
 github.com/btcsuite/btcd/btcec/v2 v2.2.0 // indirect
diff --git a/go.sum b/go.sum
index 3fc4de5..95c90c9 100644
--- a/go.sum
+++ b/go.sum
@@ -57,6 +57,8 @@ github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRF
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
 github.com/allegro/bigcache v1.2.1-0.20190218064605-e24eb225f156 h1:eMwmnE/GDgah4HI848JfFxHt+iPb26b4zyfspmqY0/8=
 github.com/allegro/bigcache v1.2.1-0.20190218064605-e24eb225f156/go.mod h1:Cb/ax3seSYIx7SuZdm2G2xzfwmv3TPSk2ucNfQESPXM=
+github.com/andybalholm/brotli v1.1.0 h1:eLKJA0d02Lf0mVpIDgYnqXcUn0GqVmEFny3VuID1U3M=
+github.com/andybalholm/brotli v1.1.0/go.mod h1:sms7XGricyQI9K10gOSf56VKKWS4oLer58Q+mhRPtnY=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/aymerick/raymond v2.0.3-0.20180322193309-b565731e1464+incompatible/go.mod h1:osfaiScAUVup+UC9Nfq76eWqDhXlp+4UYaA8uhTBO6g=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
diff --git a/pkg/dcap/cert.go b/pkg/dcap/cert.go
index 66af0d6..77523e3 100644
--- a/pkg/dcap/cert.go
+++ b/pkg/dcap/cert.go
@@ -126,7 +126,7 @@ func parseTCB(sgxExtMap map[string]asn1.RawValue, compSVNOIDs []asn1.ObjectIdent
 var sequence []Ext
 _, err := asn1.Unmarshal(pceSVNRaw.FullBytes, &sequence)
 if err != nil {
- return tcb, errors.New(fmt.Sprintf("failed to unmarshal ASN.1 sequence: %w", err))
+ return tcb, errors.New(fmt.Sprintf("failed to unmarshal ASN.1 sequence: %v", err))
 }
 pceExtMap := make(map[string]asn1.RawValue)
 for i, ext := range sequence {
@@ -134,7 +134,7 @@ func parseTCB(sgxExtMap map[string]asn1.RawValue, compSVNOIDs []asn1.ObjectIdent
 }
 pceSVN, err := parseUint16ASN1(sequence)
 if err != nil {
- return tcb, errors.New(fmt.Sprintf("error parsing PCE SVN: %w", err))
+ return tcb, errors.New(fmt.Sprintf("error parsing PCE SVN: %v", err))
 }
 tcb.PceSVN = pceSVN
 var compSVNArray []byte
@@ -150,7 +150,7 @@ func parseTCB(sgxExtMap map[string]asn1.RawValue, compSVNOIDs []asn1.ObjectIdent
 j := 0
 for i := 0; i < len(compSVNArray); i++ {
 if j > len(tcb.CompSVNArray) {
- return tcb, errors.New(fmt.Sprintf("error parsing Comp SVN: %w", err))
+ return tcb, errors.New(fmt.Sprintf("error parsing Comp SVN: %v", err))
 }
 if compSVNArray[i] > 0 {
 tcb.CompSVNArray[j] = compSVNArray[i]
diff --git a/pkg/dcap/verify.go b/pkg/dcap/verify.go
index 72c5c53..9310892 100644
--- a/pkg/dcap/verify.go
+++ b/pkg/dcap/verify.go
@@ -6,9 +6,12 @@ import (
 "encoding/binary"
 "encoding/json"
 "fmt"
- "github.com/carv-protocol/verifier/internal/conf"
 "io"
+ "io/ioutil"
 "os"
+
+ "github.com/andybalholm/brotli"
+ "github.com/carv-protocol/verifier/internal/conf"
 )
 func VerifyAttestation(data string, cf *conf.Bootstrap) (bool, error) {
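Review bot: Changing `%w` to `%v` in the `errors.New(fmt.Sprintf(...))` return silences the vet complaint but keeps the underlying error unwrapped, so callers of parseTCB can no longer use `errors.Is`/`errors.As` on what asn1.Unmarshal reported. The idiomatic fix is `return tcb, fmt.Errorf("failed to unmarshal ASN.1 sequence: %w", err)`, which is both vet-clean and preserves the chain. The same substitution applies to the two later hunks in this file (`error parsing PCE SVN`, `error parsing Comp SVN`). parseTCB begins and ends outside these hunks.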
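Review bot: The guard `if j > len(tcb.CompSVNArray)` on the context line lets `j == len(tcb.CompSVNArray)` through to `tcb.CompSVNArray[j] = compSVNArray[i]`, which would panic with an index-out-of-range instead of returning the error; the comparison should be `>=`, assuming CompSVNArray is indexed directly by j as the visible line shows. Separately, the `err` now formatted with `%v` is the value left by the earlier `parseUint16ASN1` call, which has already been checked to be nil, so unless it is reassigned in the lines between the two hunks the message will read `error parsing Comp SVN: <nil>`; a message that carries the real cause, e.g. `fmt.Errorf("error parsing Comp SVN: more than %d components", len(tcb.CompSVNArray))`, is more useful. The loop and the enclosing function continue past the end of the hunk.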
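Review bot: `"io/ioutil"` is added even though `"io"` is already imported; `ioutil.ReadAll` has been deprecated since Go 1.16 and is a thin alias for `io.ReadAll`, so the new import only brings in a deprecated name. Drop `"io/ioutil"` from this block and call `io.ReadAll` in decompressDataWithBrotli (the only visible user, added later in this patch). The regrouping of the `conf` import into the third-party block is an improvement worth keeping.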
@@ -16,9 +19,12 @@ func VerifyAttestation(data string, cf *conf.Bootstrap) (bool, error) {
 if err != nil {
 return false, err
 }
-
+ quoteByte, err := decompressDataWithBrotli(b64Data)
+ if err != nil {
+ return false, err
+ }
 var quote = Quote{}
- var byteReader = bytes.NewReader(b64Data)
+ var byteReader = bytes.NewReader(quoteByte)
 err = binary.Read(byteReader, binary.BigEndian, "e)
 if err != nil {
 return false, err
@@ -67,3 +73,12 @@ func TrustedLoad(path string) (TrusTEEInfo, error) {
 return info, nil
 }
+
+func decompressDataWithBrotli(compressedData []byte) ([]byte, error) {
+ reader := brotli.NewReader(bytes.NewReader(compressedData))
+ decompressedData, err := ioutil.ReadAll(reader)
+ if err != nil {
+ return nil, err
+ }
+ return decompressedData, nil
+}
From 60b89fa3315c427c0c21a35129657c844980dd48 Mon Sep 17 00:00:00 2001
From: tyxben <15245012960@163.com>
Date: Thu, 6 Jun 2024 21:30:32 +0800
Subject: [PATCH 2/4] fix the verify data bug in dcap
---
 pkg/dcap/verify.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/dcap/verify.go b/pkg/dcap/verify.go
index 9310892..1b907ce 100644
--- a/pkg/dcap/verify.go
+++ b/pkg/dcap/verify.go
@@ -29,7 +29,7 @@ func VerifyAttestation(data string, cf *conf.Bootstrap) (bool, error) {
 if err != nil {
 return false, err
 }
- quoteAuth, err := GetQuoteV3Auth(b64Data)
+ quoteAuth, err := GetQuoteV3Auth(quoteByte)
 if err != nil {
 return false, err
 }
From c1375d014c851414f777f0ba5b6d4f6a082a26fa Mon Sep 17 00:00:00 2001
From: tyxben <15245012960@163.com>
Date: Fri, 7 Jun 2024 11:45:33 +0800
Subject: [PATCH 3/4] fix b64Data to quoteData
---
 pkg/dcap/verify.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/dcap/verify.go b/pkg/dcap/verify.go
index 1b907ce..d1e62d7 100644
--- a/pkg/dcap/verify.go
+++ b/pkg/dcap/verify.go
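Review bot: The new `return false, err` after decompressDataWithBrotli hands the caller a bare brotli error with no indication that it came from the attestation payload, which makes a malformed quote and an internal fault look the same in logs. Wrapping it at this layer, `return false, fmt.Errorf("decompressing attestation quote: %w", err)`, keeps the chain and names the step (`fmt` is already imported in this file). VerifyAttestation begins and ends outside the hunk.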
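Review bot: decompressDataWithBrotli reads the inflated stream with no upper bound, and its input is the caller-supplied attestation payload that VerifyAttestation receives before any signature is checked; a small compressed input can therefore expand into a very large allocation and exhaust the verifier's memory on an unauthenticated request. Bound the read with `io.LimitReader` sized to the largest quote the verifier accepts and reject streams that exceed it, which also lets `io.ReadAll` replace the deprecated `ioutil.ReadAll`. A doc comment on the function stating the bound, such as `// decompressDataWithBrotli inflates a brotli-compressed DCAP quote, refusing output larger than maxDecompressedQuoteSize.`, would make the contract visible to callers. The constant value below is a placeholder to be set from the quote sizes this verifier actually handles.
```go
// maxDecompressedQuoteSize bounds the inflated quote. PLACEHOLDER: set from the largest quote the verifier accepts.
const maxDecompressedQuoteSize = 1 << 20

// decompressDataWithBrotli inflates a brotli-compressed DCAP quote, refusing output larger than maxDecompressedQuoteSize.
func decompressDataWithBrotli(compressedData []byte) ([]byte, error) {
	reader := brotli.NewReader(bytes.NewReader(compressedData))
	// Read one byte past the limit so an over-long stream is detected rather than silently truncated.
	decompressedData, err := io.ReadAll(io.LimitReader(reader, maxDecompressedQuoteSize+1))
	if err != nil {
		return nil, fmt.Errorf("brotli decompression: %w", err)
	}
	if len(decompressedData) > maxDecompressedQuoteSize {
		return nil, fmt.Errorf("decompressed quote exceeds %d bytes", maxDecompressedQuoteSize)
	}
	return decompressedData, nil
}
```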
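Review bot: After this fix `b64Data` still holds the base64-decoded but not yet decompressed bytes under a name that reads as if it were the quote itself, which is how this stray use slipped through the previous patch and how the one in `VerifyQuote`, corrected in the next patch, slipped through this one. Renaming it at its declaration (outside this hunk) to something like `compressedQuote` makes any remaining consumer of the undecompressed bytes stand out at review time, and a one-line comment such as `// quoteByte is the inflated quote; every parse and verify step below must use it, not the compressed input.` above the decompression call records the invariant. VerifyAttestation begins and ends outside the hunk.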
@@ -23,6 +23,7 @@ func VerifyAttestation(data string, cf *conf.Bootstrap) (bool, error) {
 if err != nil {
 return false, err
 }
+
 var quote = Quote{}
 var byteReader = bytes.NewReader(quoteByte)
 err = binary.Read(byteReader, binary.BigEndian, "e)
@@ -38,7 +39,7 @@ func VerifyAttestation(data string, cf *conf.Bootstrap) (bool, error) {
 if err != nil {
 return false, err
 }
- err = quote.VerifyQuote(b64Data, &result, "eAuth, cf)
+ err = quote.VerifyQuote(quoteByte, &result, "eAuth, cf)
 if err != nil {
 return false, err
 }
From 0354be0e630668c46b6ad0a1eab665407e73d17e Mon Sep 17 00:00:00 2001
From: tyxben <15245012960@163.com>
Date: Wed, 26 Jun 2024 21:19:29 +0800
Subject: [PATCH 4/4] add verify_test.go to the commit
---
 .gitignore | 1 -
 configs/trusted.json | 4 +++-
 pkg/dcap/verify_test.go | 48 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 pkg/dcap/verify_test.go
diff --git a/.gitignore b/.gitignore
index 38a9c12..3c149fe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,5 +38,4 @@ bin/
 *.swp
 internal/scripts
-*_test.go
 configs/config-test.yaml
\ No newline at end of file
diff --git a/configs/trusted.json b/configs/trusted.json
index 70c1fce..1f8a4a2 100644
--- a/configs/trusted.json
+++ b/configs/trusted.json
@@ -5,7 +5,9 @@
 "39ecc806c079565f3bdbfc653eac14743842626f005496d6b5ad879868869048",
 "9f51cfe28c770f6f1f9844042ea051d8030349880f6af640c786549dba86185a",
 "4603b9abe7d9d9ba8f14d3ad1dd359fdfb4269cfa04f48c19dee64455d6e3077",
- "96895d38170328f738045ce3fb85cc782e90af693e328edf91029e6fc966ef98"
+ "96895d38170328f738045ce3fb85cc782e90af693e328edf91029e6fc966ef98",
+ "3d90da2a20ea35d2fa409fa147d7f5b966245bd98b5041c604dfdd0bd188e646",
+ "bf24f0aacf9a175765e52925aab88ca636cb87afeb39ef259305a06998acb5e3"
 ]
 }
 }
diff --git a/pkg/dcap/verify_test.go b/pkg/dcap/verify_test.go
new file mode 100644
index 0000000..e86e2af
--- /dev/null
+++ b/pkg/dcap/verify_test.go
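Review bot: The two new entries in trusted.json arrive with no provenance: neither the commit message nor the file records which enclave build each value belongs to or how it was produced, so a reviewer cannot distinguish a legitimate trust-anchor addition from an accidental or unwanted one. This file is loaded through `TrustedPath` in the new test's Bootstrap config and is presumably the set of measurements VerifyAttestation accepts, which makes it the highest-value line in the patch set to document. State the origin of each value (the build or release tag that produced it) in the commit message, and consider keeping that mapping alongside the list so later rotations stay auditable.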
@@ -0,0 +1,48 @@
+package dcap
+
+import (
+ "testing"
+
+ "github.com/carv-protocol/verifier/internal/conf"
+)
+
+func TestVerifyAttestation(t *testing.T) {
+ //t.Parallel()
+ type args struct {
+ data string
+ cf *conf.Bootstrap
+ }
+ tests := []struct {
+ name string
+ args args
+ want bool
+ wantErr bool
+ }{
+ {
+ name: "Test case 1",
+ args: args{
+ data: "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",
+ cf: &conf.Bootstrap{
+ Dacp: &conf.Dacp{
+ TrustedPath: "../../configs/trusted.json",
+ TcbPath: "../../configs/tcb.json",
+ IdentityPath: "../../configs/identity.json",
+ },
+ },
+ },
+ want: true,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got, err := VerifyAttestation(tt.args.data, tt.args.cf)
+ if (err != nil) != tt.wantErr {
+ t.Errorf("VerifyAttestation() error = %v, wantErr %v", err, tt.wantErr)
+ return
+ }
+ if got != tt.want {
+ t.Errorf("VerifyAttestation() = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
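Review bot: The table holds a single accepting case and `wantErr` is never set, so the test shows that VerifyAttestation accepts a known-good quote but never that it rejects a bad one, which is the property a verifier exists for. With the brotli step now in front of parsing, at least one negative entry is worth adding, e.g. a truncated copy of the same `data` string with `wantErr: true`, and one that points `TrustedPath` at a config with an empty trusted list and expects `want: false`, so a regression that makes the verifier permissive fails here. The fixtures are the repository's `../../configs/*.json`, so any edit to those files silently changes what this test asserts; a short comment above `tests` naming that dependency would help the next maintainer. `//t.Parallel()` is left commented out without a reason given; either enable it or remove the line.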