From e4418ab7c52426ba6ce0fe8d3a0b0e22abaf8f0d Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Mon, 27 May 2024 01:34:15 +0200 Subject: [PATCH 01/11] Ctor for TlsCertificateChainVerifier --- .../quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs index 7955730a..d9fa3c88 100644 --- a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs +++ b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs @@ -5,6 +5,13 @@ use x509_cert::{crl::CertificateList, Certificate}; #[derive(Debug, Clone, serde::Serialize, serde::Deserialize, Eq, PartialEq)] pub struct TlsCertificateChainVerifier; +impl TlsCertificateChainVerifier { + pub fn new(_root_ca: &str) -> Self { + // FIXME(hu55a1n1) + Self + } +} + impl CertificateChainVerifier for TlsCertificateChainVerifier { fn verify_certificate_chain<'a, 'b>( &self, From 817efd402eabfd92d623f2bf83bfa15d85f8d0c6 Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Mon, 27 May 2024 01:34:35 +0200 Subject: [PATCH 02/11] Make DcapVerifierOutput public --- .../quartz-tee-ra/src/intel_sgx/dcap/mc_attest_verifier/dcap.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/mc_attest_verifier/dcap.rs b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/mc_attest_verifier/dcap.rs index 11698b6c..ec37d417 100644 --- a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/mc_attest_verifier/dcap.rs +++ b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/mc_attest_verifier/dcap.rs @@ -18,7 +18,7 @@ pub struct DcapVerifier { verifier: And, ReportDataHashVerifier>, } -type DcapVerifierOutput = AndOutput; +pub type DcapVerifierOutput = AndOutput; impl DcapVerifier { /// Create a new instance of the DcapVerifier. 
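Review bot: `TlsCertificateChainVerifier::new` in certificate_chain.rs takes `_root_ca` and drops it, so the value returned is the same unit struct whatever trust anchor the caller passes, and nothing visible here tells the caller that. Until the struct can hold the parsed root, the constructor should say so in a doc comment, e.g. `/// NOTE: the root CA is not stored or checked yet; chains are not anchored to it.`, and the bare `// FIXME(hu55a1n1)` should state what is missing. Because the type derives `serde::Deserialize`, a verifier can also be obtained without going through `new` at all, which will matter once the root becomes a field. The body of `verify_certificate_chain` lies outside this hunk.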
From c7a243f93201c4abac93536c898d476e0932bf75 Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Mon, 27 May 2024 01:35:22 +0200 Subject: [PATCH 03/11] Provide entry-level func for DCAP RA verification --- .../quartz-tee-ra/src/intel_sgx/dcap.rs | 25 ++++++++++++++----- 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs index 9cde4a31..0da75892 100644 --- a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs +++ b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs @@ -5,12 +5,25 @@ pub mod mc_attest_verifier_types; /// Root anchor PEM file for use with DCAP pub const DCAP_ROOT_ANCHOR: &str = include_str!("../../data/DcapRootCACert.pem"); -pub use mc_attest_verifier::dcap::DcapVerifier; -pub use mc_attest_verifier_types::verification::EnclaveReportDataContents; -pub use mc_attestation_verifier::*; -pub use mc_sgx_dcap_sys_types::sgx_ql_qve_collateral_t; -pub use mc_sgx_dcap_types::{CertificationData, Collateral}; -pub use x509_cert::Certificate; +use mc_attestation_verifier::*; +use mc_sgx_dcap_types::{Collateral, Quote3}; + +use self::{ + mc_attest_verifier::dcap::{DcapVerifier, DcapVerifierOutput}, + mc_attest_verifier_types::verification::EnclaveReportDataContents, +}; + +pub fn verify( + quote: Quote3>, + collateral: Collateral, + identities: &[TrustedIdentity], +) -> VerificationOutput { + let report_data_contents = EnclaveReportDataContents::new([0x42u8; 16].into(), [0xAAu8; 32]); + let evidence = Evidence::new(quote, collateral).expect("Failed to get evidence"); + let verifier = DcapVerifier::new(identities, None, report_data_contents); + let verification = verifier.verify(&evidence); + verification +} #[cfg(test)] mod tests { From 2ce2ef976b80a353e22cd5c0f03a43d1ce87a273 Mon Sep 17 00:00:00 2001 
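Review bot: `verify` in dcap.rs builds `EnclaveReportDataContents` from the fixed fillers `[0x42u8; 16]` and `[0xAAu8; 32]`, so the report-data check compares every quote against the same constants instead of a nonce and key supplied by the caller, which leaves the result unbound to any session or challenge. Take the contents as a parameter and pass them through, e.g. add `report_data_contents: EnclaveReportDataContents` to the signature. `Evidence::new(quote, collateral).expect("Failed to get evidence")` panics on a malformed quote or collateral, which are presumably caller-supplied; returning the error would be safer than aborting. The `None` passed to `DcapVerifier::new` looks like the verification time; if so, validity periods of certificates and collateral are not checked, and that should be a deliberate, documented choice.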
From: hu55a1n1 Date: Mon, 27 May 2024 01:38:23 +0200 Subject: [PATCH 04/11] Relax #![forbid(unsafe_code)] on quartz-tee-ra temporarily --- cosmwasm/packages/quartz-tee-ra/src/lib.rs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cosmwasm/packages/quartz-tee-ra/src/lib.rs b/cosmwasm/packages/quartz-tee-ra/src/lib.rs index 75fac913..51952e01 100644 --- a/cosmwasm/packages/quartz-tee-ra/src/lib.rs +++ b/cosmwasm/packages/quartz-tee-ra/src/lib.rs @@ -13,7 +13,8 @@ unused_qualifications, warnings )] -#![forbid(unsafe_code)] +// FIXME(hu55a1n1) - uncomment once we have better wrappers for FFI structs and ctors +// #![forbid(unsafe_code)] pub mod intel_sgx; From 87e14dcc509e1681c55d164249505ebfda7b0dc8 Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Mon, 27 May 2024 01:39:33 +0200 Subject: [PATCH 05/11] Import test files from mc --- .../data/fmspc_00906ED50000_2023_07_12.json | 1 + .../packages/quartz-tee-ra/data/hw_quote.dat | Bin 0 -> 4600 bytes .../quartz-tee-ra/data/processor_ca.pem | 16 ++++++++++++++++ .../quartz-tee-ra/data/processor_crl.der | Bin 0 -> 303 bytes .../quartz-tee-ra/data/qe_identity.json | 1 + .../packages/quartz-tee-ra/data/root_ca.pem | 16 ++++++++++++++++ .../packages/quartz-tee-ra/data/root_crl.der | Bin 0 -> 293 bytes .../packages/quartz-tee-ra/data/tcb_signer.pem | 16 ++++++++++++++++ 8 files changed, 50 insertions(+) create mode 100644 cosmwasm/packages/quartz-tee-ra/data/fmspc_00906ED50000_2023_07_12.json create mode 100644 cosmwasm/packages/quartz-tee-ra/data/hw_quote.dat create mode 100644 cosmwasm/packages/quartz-tee-ra/data/processor_ca.pem create mode 100644 cosmwasm/packages/quartz-tee-ra/data/processor_crl.der create mode 100644 cosmwasm/packages/quartz-tee-ra/data/qe_identity.json create mode 100644 cosmwasm/packages/quartz-tee-ra/data/root_ca.pem create mode 100644 cosmwasm/packages/quartz-tee-ra/data/root_crl.der create mode 100644 cosmwasm/packages/quartz-tee-ra/data/tcb_signer.pem 
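Review bot: Commenting out `#![forbid(unsafe_code)]` in lib.rs removes the lint for the whole crate, so new `unsafe` anywhere in quartz-tee-ra compiles without any marker. `#![deny(unsafe_code)]` keeps it an error by default while letting the FFI wrapper sites opt out locally with `#[allow(unsafe_code)]`, which `forbid` does not permit. The FIXME would then read `// FIXME(hu55a1n1) - restore forbid once FFI structs have safe wrappers`.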
diff --git a/cosmwasm/packages/quartz-tee-ra/data/fmspc_00906ED50000_2023_07_12.json b/cosmwasm/packages/quartz-tee-ra/data/fmspc_00906ED50000_2023_07_12.json new file mode 100644 index 00000000..c1399ae3 --- /dev/null +++ b/cosmwasm/packages/quartz-tee-ra/data/fmspc_00906ED50000_2023_07_12.json 
@@ -0,0 +1 @@ +{"tcbInfo":{"id":"SGX","version":3,"issueDate":"2023-07-12T19:56:44Z","nextUpdate":"2023-08-11T19:56:44Z","fmspc":"00906ED50000","pceId":"0000","tcbType":0,"tcbEvaluationDataNumber":15,"tcbLevels":[{"tcb":{"sgxtcbcomponents":[{"svn":20},{"svn":20},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":14},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":13},"tcbDate":"2023-02-15T00:00:00Z","tcbStatus":"SWHardeningNeeded","advisoryIDs":["INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":20},{"svn":20},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":13},"tcbDate":"2023-02-15T00:00:00Z","tcbStatus":"ConfigurationAndSWHardeningNeeded","advisoryIDs":["INTEL-SA-00219","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":19},{"svn":19},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":6},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":13},"tcbDate":"2021-11-10T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00219","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":19},{"svn":19},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":13},"tcbDate":"2021-11-10T00:00:00Z","tcbStatus":"OutOfDateConfigurationNeeded","advisoryIDs":["INTEL-SA-00161","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00219","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":17},{"svn":17},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":6},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":11},"tcbDate":"2021-11-10T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-0061
4","INTEL-SA-00617","INTEL-SA-00161","INTEL-SA-00219","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":17},{"svn":17},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":6},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":10},"tcbDate":"2020-11-11T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00161","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00219","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":17},{"svn":17},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":11},"tcbDate":"2021-11-10T00:00:00Z","tcbStatus":"OutOfDateConfigurationNeeded","advisoryIDs":["INTEL-SA-00161","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00219","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":17},{"svn":17},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":10},"tcbDate":"2020-11-11T00:00:00Z","tcbStatus":"OutOfDateConfigurationNeeded","advisoryIDs":["INTEL-SA-00477","INTEL-SA-00161","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00219","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":15},{"svn":15},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":6},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":10},"tcbDate":"2020-06-10T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00161","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00219","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":15},{"svn":15},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}
],"pcesvn":10},"tcbDate":"2020-06-10T00:00:00Z","tcbStatus":"OutOfDateConfigurationNeeded","advisoryIDs":["INTEL-SA-00161","INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00219","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":14},{"svn":14},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":6},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":10},"tcbDate":"2019-12-11T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00161","INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00219","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":14},{"svn":14},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":10},"tcbDate":"2019-12-11T00:00:00Z","tcbStatus":"OutOfDateConfigurationNeeded","advisoryIDs":["INTEL-SA-00161","INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00219","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":13},{"svn":13},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":2},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":9},"tcbDate":"2019-11-13T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00161","INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00219","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":13},{"svn":13},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":9},"tcbDate":"2019-11-13T00:00:00Z","tcbStatus":"O
utOfDateConfigurationNeeded","advisoryIDs":["INTEL-SA-00219","INTEL-SA-00161","INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":2},{"svn":2},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":7},"tcbDate":"2019-05-15T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00220","INTEL-SA-00270","INTEL-SA-00293","INTEL-SA-00219","INTEL-SA-00161","INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":1},{"svn":1},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":7},"tcbDate":"2019-01-09T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00233","INTEL-SA-00220","INTEL-SA-00270","INTEL-SA-00293","INTEL-SA-00219","INTEL-SA-00161","INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]},{"tcb":{"sgxtcbcomponents":[{"svn":1},{"svn":1},{"svn":2},{"svn":4},{"svn":1},{"svn":128},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0},{"svn":0}],"pcesvn":6},"tcbDate":"2018-08-15T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00203","INTEL-SA-00233","INTEL-SA-00220","INTEL-SA-00270","INTEL-SA-00293","INTEL-SA-00219","INTEL-SA-00161","INTEL-SA-00320","INTEL-SA-00329","INTEL-SA-00381","INTEL-SA-00389","INTEL-SA-00477","INTEL-SA-00614","INTEL-SA-00617","INTEL-SA-00289","INTEL-SA-00334","INTEL-SA-00615"]}]},"signature":"f5e65f314c5770e755ff111c167d8704c295d262688b3e368549911ad809b4094611e88664b8358427acd02d
1a94927a18405c7bca11ec8d88d9baa49b1e338e"} \ No newline at end of file 
diff --git a/cosmwasm/packages/quartz-tee-ra/data/hw_quote.dat b/cosmwasm/packages/quartz-tee-ra/data/hw_quote.dat new file mode 100644 index 0000000000000000000000000000000000000000..e02781ab52c00073ff467b5fbeef25dae8cbe486 GIT binary patch literal 4600 zcmdT{d#oH)9bO7;VfwI0D;7j*5EHz?oqgTiC8C@&b9Q#-?wQ$n?e0t^c6avf?E7)| z?#}LL0vZFQ(xj%mq!18PG!TT?B1EGG0V@(}O%S3`A`@BK6GPd&~CTUP{xy zJjrG!-+9dMcYcrWo6~(OeBL`Hekh^mK-sg9{b=jM{f4l9!ch+9( z-MpiE&F8-S-X+D0{(YiD?^yNXSMIs>q9ZRp^yK>e`o@ym zzwqLT_W!@nvm1Oq^vD(WzIw^S-+gq`u;1<+_(|ZIUpz4R$ldCJ+kf{;^Uyom zEqLFyKchp>{>|L;)zkj?vkfaRxOB^1`!3tI>*0gj19#a^J>^?5d;2v+vodO@042FK2h|d3@8>;QQx3_`=f{U%d8vSKHez-z!{sjFqcapLrIwX6?H5AKP&D$Iscg=@aLEa`SoTf9iryU%1lu{5qfSQg1-S@!}Q+ zDH@;P8K9vNN@1QyRgGaFE7`!|A+UKp-mAC{P!%(X0|A`?PF~GMXfx~BI$bpQ1Z34Al&wa*YUV_@5aMl_Mgy)23}}lP z2wIpzdc9ZVGF={teX9xkRwF^@v+*8QWCz&>n~~)t3uZNg9BinNEpUmUp`jE8wb4r{ z1~`m&D&qoS?o>kq^^AsLILB(di&?{wSQNo79}p8Qf?;PIqX_6&EUI7zEVyAF#|_rZ z3B)q9Z3Gjvsi8cE_PhnQqbzKYgYluo#fL^tX%~XwL4pP9oK+TP0%Ez)RLaEFu8|YU zSnd+j4VEH4@+=TodCV_Z#!M!Iova2lXj`3fttzEu9zxrmf5s3xA_IWNP+HN_*r;kn zyVHI?Lc4TR$;5FYZHA`ge!Cmwf{{tXU>t4e=z1p{EwyT)LQ76mOQ^@0Ly79(VJ6-U zHe9vPtmngn5I-%q!aUPq83uG@C+Uz#D0G#)-bu88PD_MJDbT!P%&GiAIH+Ks2OS86g5DNKrvY1JlrM9i1d| zkc=2@=2^|@tD?U(F{lT7G8*K)^(HW;D6g{0{jvyT8iFdh`3$K6V5E-0ZNvbtHkRN# zLmhvDB(}^SXM;@eV-KQ6Z?<(ZK|GZgzu91b%>WDm#|%51$``_#jEJ>-64*%caB9&6 zPbQAHL0AT#qL!IREra95I5lq)iR^LTEG>hl7x2X{$O{vTTvG@xVi;R|7b*oI&=Y_s z5dsnz8>5S>j9(l^zy{=gWR4lbNfb!7*o<75)d65ZdQl=J7|%7(;uwY;hQo0PNQh}0 zV5Bp=%<`0*WTyN=JCcu;+>Fx8o5^%d*DAB^ses+9_VRouRm+QmR#fI~U^*3}Ep&>t z)J#?oy4_f?M!9L&=w?h)8rZOs2o2+SQZ?%6a%w~yNMx5%$!KPInqeAVE2&N{&`bu1 zY^yWd4g~zQo~le6>10?FA?Bc0%p{FSLLW^j;GiU+c>q)K&V-2DL0+<{*!Dls=2D|IJIQ;ZxcPV`te*US*g3Yuk>sg#C%PjLET$Pr;XUZIjuRk47D z87NilLf5ei_7ZC08#)fuJ4KOix^`5}=reJdb8Ai5aU4pY>&+#Ix{j*BWD8|&Ic&l) zY9Uf%jHh$>Bhk!UqIk)a5c-9X!pdr-X6AS&>4jaPB?t|aAQ?+7pR(Z*L$GrU;i)4C zt8?U^R7mNUVu)c$hxBM=)KZo$U`DXD!fd7^4b4C!RP9ti4o}KPesU(#&8k#*=;xxt zSdSODLDAuDrIYSMb;@<+ybV)wC(@08DBUi$DtSeSxqg}iB`n&Rc%XJF^;>nl`c)U| 
zSO2g$Es=?N_5-~{Wa3e|G$#|iE0>o@!=p7$lp&D^Coc`hmEnB(jY~rmCUrZ+8gfKd zAK;NRlq1-ajN~V3wSbgqISZCk^9uK*O<%B_IvG_vZu)|#rADeYQFD-EB7}bltekpRSQj+5lWe6%?S5Ge6_|J zMvBG*DctCEheovy^K~s_3=-*JSAbIyw>~97s^>DW$AZ#GOQ{%fEXdkWu9&i$&9-T} zQj*wNA*1#KpdhIhH^ah_`b{b^q`FX`Fq*cNJY>tYM5~xo9LsI>Q$ewAHI=s6s8@+> zu3N(hZ8bA4`6{Scp7JBON$Qx0IhrEh7M`-3P0@2*)Jq_}5$_jC^G`LFD!s*7N{zRZ zrAiNR^Te>A^mt6ZRY>iQ6p@$KBat@$`NOI*a1@&_11al|$Tej`jWZRMwZvA-N%hi7 zs+;9XexnlQ)LcAFw6o^e6sRB&7U=p+vW2@7xmKj*@8%|@xSSm%70@?zPAV#L)arMX MT)xA9Sk3zW2Mw?<3jhEB literal 0 HcmV?d00001 diff --git a/cosmwasm/packages/quartz-tee-ra/data/processor_ca.pem b/cosmwasm/packages/quartz-tee-ra/data/processor_ca.pem new file mode 100644 index 00000000..691d932d --- /dev/null +++ b/cosmwasm/packages/quartz-tee-ra/data/processor_ca.pem @@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICmDCCAj6gAwIBAgIVANDoqtp11/kuSReYPHsUZdDV8llNMAoGCCqGSM49BAMC +MGgxGjAYBgNVBAMMEUludGVsIFNHWCBSb290IENBMRowGAYDVQQKDBFJbnRlbCBD +b3Jwb3JhdGlvbjEUMBIGA1UEBwwLU2FudGEgQ2xhcmExCzAJBgNVBAgMAkNBMQsw +CQYDVQQGEwJVUzAeFw0xODA1MjExMDUwMTBaFw0zMzA1MjExMDUwMTBaMHExIzAh +BgNVBAMMGkludGVsIFNHWCBQQ0sgUHJvY2Vzc29yIENBMRowGAYDVQQKDBFJbnRl +bCBDb3Jwb3JhdGlvbjEUMBIGA1UEBwwLU2FudGEgQ2xhcmExCzAJBgNVBAgMAkNB +MQswCQYDVQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL9q+NMp2IOg +tdl1bk/uWZ5+TGQm8aCi8z78fs+fKCQ3d+uDzXnVTAT2ZhDCifyIuJwvN3wNBp9i +HBSSMJMJrBOjgbswgbgwHwYDVR0jBBgwFoAUImUM1lqdNInzg7SVUr9QGzknBqww +UgYDVR0fBEswSTBHoEWgQ4ZBaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMudHJ1c3RlZHNl +cnZpY2VzLmludGVsLmNvbS9JbnRlbFNHWFJvb3RDQS5kZXIwHQYDVR0OBBYEFNDo +qtp11/kuSReYPHsUZdDV8llNMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAG +AQH/AgEAMAoGCCqGSM49BAMCA0gAMEUCIQCJgTbtVqOyZ1m3jqiAXM6QYa6r5sWS +4y/G7y8uIJGxdwIgRqPvBSKzzQagBLQq5s5A70pdoiaRJ8z/0uDz4NgV91k= +-----END CERTIFICATE----- \ No newline at end of file 
diff --git a/cosmwasm/packages/quartz-tee-ra/data/processor_crl.der b/cosmwasm/packages/quartz-tee-ra/data/processor_crl.der new file mode 100644 index 0000000000000000000000000000000000000000..978bd4d5360b9d719a17740ace341368b63190ae GIT binary patch literal 303 zcmXqLV$?QhyvW4JXu!qBq1EPb&X$Fl$)M0s*+7wvIh2K&N6Is=BsE7N*gZlaz}Z_N zpeR2%wYWIHNWt0BP|838q=<`05TeLAzo;O;D6u3nKhIFaKnNtq&chv?m{*dh;GC0K zlxWCpzzGuN;9&x4hjQ42nL>lbd5w$>OpFYTj0_Bn&7#0uQ#f~lzJV^#fy|+@B0%Q> z9V-uFE3-%#h&6~@c(LkM>Ghv_p5ilXszp*ST>TX3i|iX_PX+@wCPjux54dEL_ia+j zG=CNFKlsh@#@01Hmp3*XY?wBSxx{b+FHp%99*dCsOXOG;yGH3n< NmVU#hHJfhU0RVh3R>A-P literal 0 HcmV?d00001 diff --git a/cosmwasm/packages/quartz-tee-ra/data/qe_identity.json b/cosmwasm/packages/quartz-tee-ra/data/qe_identity.json new file mode 100644 index 00000000..356e202f --- /dev/null +++ b/cosmwasm/packages/quartz-tee-ra/data/qe_identity.json 
@@ -0,0 +1 @@ +{"enclaveIdentity":{"id":"QE","version":2,"issueDate":"2023-07-12T20:48:25Z","nextUpdate":"2023-08-11T20:48:25Z","tcbEvaluationDataNumber":15,"miscselect":"00000000","miscselectMask":"FFFFFFFF","attributes":"11000000000000000000000000000000","attributesMask":"FBFFFFFFFFFFFFFF0000000000000000","mrsigner":"8C4F5775D796503E96137F77C68A829A0056AC8DED70140B081B094490C57BFF","isvprodid":1,"tcbLevels":[{"tcb":{"isvsvn":8},"tcbDate":"2023-02-15T00:00:00Z","tcbStatus":"UpToDate"},{"tcb":{"isvsvn":6},"tcbDate":"2021-11-10T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00615"]},{"tcb":{"isvsvn":5},"tcbDate":"2020-11-11T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00477","INTEL-SA-00615"]},{"tcb":{"isvsvn":4},"tcbDate":"2019-11-13T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00334","INTEL-SA-00477","INTEL-SA-00615"]},{"tcb":{"isvsvn":2},"tcbDate":"2019-05-15T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00219","INTEL-SA-00293","INTEL-SA-00334","INTEL-SA-00477","INTEL-SA-00615"]},{"tcb":{"isvsvn":1},"tcbDate":"2018-08-15T00:00:00Z","tcbStatus":"OutOfDate","advisoryIDs":["INTEL-SA-00202","INTEL-SA-00219","INTEL-SA-00293","INTEL-SA-00334","INTEL-SA-00477","INTEL-SA-00615"]}]},"signature":"953add69a564b80c43adb9c9dbc888da81aad8af240cd7dfd751f0209d262a71d9240603a528cb766e9fc3278722e59a43f2a2e43b55c776a7b48acbe8cd61a3"} \ No newline at end of file diff --git a/cosmwasm/packages/quartz-tee-ra/data/root_ca.pem b/cosmwasm/packages/quartz-tee-ra/data/root_ca.pem new file mode 100644 index 00000000..408bd931 --- /dev/null +++ b/cosmwasm/packages/quartz-tee-ra/data/root_ca.pem 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICjzCCAjSgAwIBAgIUImUM1lqdNInzg7SVUr9QGzknBqwwCgYIKoZIzj0EAwIw +aDEaMBgGA1UEAwwRSW50ZWwgU0dYIFJvb3QgQ0ExGjAYBgNVBAoMEUludGVsIENv +cnBvcmF0aW9uMRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExCzAJ +BgNVBAYTAlVTMB4XDTE4MDUyMTEwNDUxMFoXDTQ5MTIzMTIzNTk1OVowaDEaMBgG +A1UEAwwRSW50ZWwgU0dYIFJvb3QgQ0ExGjAYBgNVBAoMEUludGVsIENvcnBvcmF0 +aW9uMRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExCzAJBgNVBAYT +AlVTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC6nEwMDIYZOj/iPWsCzaEKi7 +1OiOSLRFhWGjbnBVJfVnkY4u3IjkDYYL0MxO4mqsyYjlBalTVYxFP2sJBK5zlKOB +uzCBuDAfBgNVHSMEGDAWgBQiZQzWWp00ifODtJVSv1AbOScGrDBSBgNVHR8ESzBJ +MEegRaBDhkFodHRwczovL2NlcnRpZmljYXRlcy50cnVzdGVkc2VydmljZXMuaW50 +ZWwuY29tL0ludGVsU0dYUm9vdENBLmRlcjAdBgNVHQ4EFgQUImUM1lqdNInzg7SV +Ur9QGzknBqwwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwCgYI +KoZIzj0EAwIDSQAwRgIhAOW/5QkR+S9CiSDcNoowLuPRLsWGf/Yi7GSX94BgwTwg +AiEA4J0lrHoMs+Xo5o/sX6O9QWxHRAvZUGOdRQ7cvqRXaqI= +-----END CERTIFICATE----- \ No newline at end of file diff --git a/cosmwasm/packages/quartz-tee-ra/data/root_crl.der b/cosmwasm/packages/quartz-tee-ra/data/root_crl.der new file mode 100644 index 0000000000000000000000000000000000000000..4716247d51028dc7927eec58a667a986a360b8c5 GIT binary patch literal 293 zcmXqLVpKF}Ji)}sXu!qBq1EPb&X$Fl$sof}%0PmRIh2K&N6<5`BsE7N*gZlaC_leM z!PyZe#|4vf&Mzv+FG?)Q%+E6vF%SajW9Q)xPRuJwRB+BoEJ`%wHsAz_a_}$#wL>{< z!c3vT;=D%21||l^h6YAPriM{Kt_hH91m!N!H_!#Ti#b$Q1n4TD8|6W4Wflnou?7*P zRGw>5b4@xwH*c95v_C-FQk`uLvL~257z|vQ6avF*-EaP07``oDZtIuS>OFB`XVw=- zF@M~de4V8sYNG^`BE#efqHn~^p1=AP@026wpyqz8SXetF;MCrXbKiDd&(LB90I3d8 ALI3~& literal 0 HcmV?d00001 diff --git a/cosmwasm/packages/quartz-tee-ra/data/tcb_signer.pem b/cosmwasm/packages/quartz-tee-ra/data/tcb_signer.pem new file mode 100644 index 00000000..d7763ab6 --- /dev/null +++ b/cosmwasm/packages/quartz-tee-ra/data/tcb_signer.pem 
@@ -0,0 +1,16 @@ +-----BEGIN CERTIFICATE----- +MIICizCCAjKgAwIBAgIUfjiC1ftVKUpASY5FhAPpFJG99FUwCgYIKoZIzj0EAwIw +aDEaMBgGA1UEAwwRSW50ZWwgU0dYIFJvb3QgQ0ExGjAYBgNVBAoMEUludGVsIENv +cnBvcmF0aW9uMRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExCzAJ +BgNVBAYTAlVTMB4XDTE4MDUyMTEwNTAxMFoXDTI1MDUyMTEwNTAxMFowbDEeMBwG +A1UEAwwVSW50ZWwgU0dYIFRDQiBTaWduaW5nMRowGAYDVQQKDBFJbnRlbCBDb3Jw +b3JhdGlvbjEUMBIGA1UEBwwLU2FudGEgQ2xhcmExCzAJBgNVBAgMAkNBMQswCQYD +VQQGEwJVUzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABENFG8xzydWRfK92bmGv +P+mAh91PEyV7Jh6FGJd5ndE9aBH7R3E4A7ubrlh/zN3C4xvpoouGlirMba+W2lju +ypajgbUwgbIwHwYDVR0jBBgwFoAUImUM1lqdNInzg7SVUr9QGzknBqwwUgYDVR0f +BEswSTBHoEWgQ4ZBaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMudHJ1c3RlZHNlcnZpY2Vz +LmludGVsLmNvbS9JbnRlbFNHWFJvb3RDQS5kZXIwHQYDVR0OBBYEFH44gtX7VSlK +QEmORYQD6RSRvfRVMA4GA1UdDwEB/wQEAwIGwDAMBgNVHRMBAf8EAjAAMAoGCCqG +SM49BAMCA0cAMEQCIB9C8wOAN/ImxDtGACV246KcqjagZOR0kyctyBrsGGJVAiAj +ftbrNGsGU8YH211dRiYNoPPu19Zp/ze8JmhujB0oBw== +-----END CERTIFICATE----- From 1c65b8429050daec3e9f820d688c0a3fa1c58cf6 Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Mon, 27 May 2024 01:39:35 +0200 Subject: [PATCH 06/11] Impl faling test for cert validation --- Cargo.lock | 1 + cosmwasm/packages/quartz-tee-ra/Cargo.toml | 15 +++- .../quartz-tee-ra/src/intel_sgx/dcap.rs | 82 ++++++++++++++++++- 3 files changed, 96 insertions(+), 2 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 2572b3ff..9c07392a 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2369,6 +2369,7 @@ dependencies = [ "cosmwasm-std", "der", "displaydoc", + "hex", "hex-literal", "mc-attestation-verifier", "mc-sgx-core-types", diff --git a/cosmwasm/packages/quartz-tee-ra/Cargo.toml b/cosmwasm/packages/quartz-tee-ra/Cargo.toml index 0ca99f57..dc1a281f 100644 --- a/cosmwasm/packages/quartz-tee-ra/Cargo.toml +++ b/cosmwasm/packages/quartz-tee-ra/Cargo.toml 
@@ -30,4 +30,17 @@ mc-sgx-dcap-sys-types.workspace = true # cosmos cosmwasm-schema.workspace = true -cosmwasm-std.workspace = true \ No newline at end of file +cosmwasm-std.workspace = true + +der = { version = "0.7.9", default-features = false } +displaydoc = { version = "0.2.4", default-features = false } +mc-sgx-core-types = { git = "https://github.com/informalsystems/sgx" } +mc-sgx-dcap-types = { git = "https://github.com/informalsystems/sgx" } +mc-sgx-dcap-sys-types = { git = "https://github.com/informalsystems/sgx" } +mc-attestation-verifier = { git = "https://github.com/informalsystems/attestation" } +serde = { version = "1.0.198", default-features = false } +x509-cert = { version = "0.2.5", default-features = false } +zeroize = { version = "1.7.0", default-features = false } + +[dev-dependencies] +hex = "0.4.3" diff --git a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs index 0da75892..22cb0358 100644 --- a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs +++ b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs 
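Review bot: The added git dependencies in Cargo.toml (`mc-sgx-core-types`, `mc-sgx-dcap-types`, `mc-sgx-dcap-sys-types`, `mc-attestation-verifier`) name only a repository URL, so they resolve to whatever the default branch holds whenever the lockfile is regenerated; for crates that implement attestation verification each should carry a fixed commit, e.g. `mc-attestation-verifier = { git = "https://github.com/informalsystems/attestation", rev = "<commit-sha>" }`. `mc-sgx-dcap-sys-types` also already appears as `mc-sgx-dcap-sys-types.workspace = true` in the hunk header context, and if both entries sit in the same table the manifest defines the key twice. The table these lines belong to starts outside the hunk.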
@@ -27,8 +27,88 @@ pub fn verify( #[cfg(test)] mod tests { + use hex::FromHex; use hex_literal::hex; - use mc_sgx_dcap_types::Quote3; + use mc_attestation_verifier::{Evidence, EvidenceVerifier, TrustedMrEnclaveIdentity, Verifier}; + use mc_sgx_core_types::MrEnclave; + use mc_sgx_dcap_sys_types::sgx_ql_qve_collateral_t; + use mc_sgx_dcap_types::{Collateral, Quote3}; + + use crate::intel_sgx::dcap::certificate_chain::TlsCertificateChainVerifier; + + const TCB_INFO_JSON: &str = include_str!("../../data/fmspc_00906ED50000_2023_07_12.json"); + const QE_IDENTITY_JSON: &str = include_str!("../../data/qe_identity.json"); + + fn collateral(tcb_info: &str, qe_identity: &str) -> Collateral { + let mut sgx_collateral = sgx_ql_qve_collateral_t::default(); + + // SAFETY: Version is a union which is inherently unsafe + #[allow(unsafe_code)] + let version = unsafe { sgx_collateral.__bindgen_anon_1.__bindgen_anon_1.as_mut() }; + version.major_version = 3; + version.minor_version = 1; + + let pck_issuer_cert = include_str!("../../data/processor_ca.pem"); + let root_cert = include_str!("../../data/root_ca.pem"); + let mut pck_crl_chain = [pck_issuer_cert, root_cert].join("\n").as_bytes().to_vec(); + pck_crl_chain.push(0); + sgx_collateral.pck_crl_issuer_chain = pck_crl_chain.as_ptr() as _; + sgx_collateral.pck_crl_issuer_chain_size = pck_crl_chain.len() as u32; + + let mut root_crl = include_bytes!("../../data/root_crl.der").to_vec(); + root_crl.push(0); + sgx_collateral.root_ca_crl = root_crl.as_ptr() as _; + sgx_collateral.root_ca_crl_size = root_crl.len() as u32; + + let mut pck_crl = include_bytes!("../../data/processor_crl.der").to_vec(); + pck_crl.push(0); + sgx_collateral.pck_crl = pck_crl.as_ptr() as _; + sgx_collateral.pck_crl_size = pck_crl.len() as u32; + + let tcb_cert = include_str!("../../data/tcb_signer.pem"); + let mut tcb_chain = [tcb_cert, root_cert].join("\n").as_bytes().to_vec(); + tcb_chain.push(0); + sgx_collateral.tcb_info_issuer_chain = tcb_chain.as_ptr() as 
_; + sgx_collateral.tcb_info_issuer_chain_size = tcb_chain.len() as u32; + + sgx_collateral.tcb_info = tcb_info.as_ptr() as _; + sgx_collateral.tcb_info_size = tcb_info.len() as u32; + + // For live data the QE identity uses the same chain as the TCB info + sgx_collateral.qe_identity_issuer_chain = tcb_chain.as_ptr() as _; + sgx_collateral.qe_identity_issuer_chain_size = tcb_chain.len() as u32; + + sgx_collateral.qe_identity = qe_identity.as_ptr() as _; + sgx_collateral.qe_identity_size = qe_identity.len() as u32; + + Collateral::try_from(&sgx_collateral).expect("Failed to parse collateral") + } + + #[test] + fn evidence_verifier_succeeds_with_mbedtls_x509_verifier() { + let root_ca = include_str!("../../data/root_ca.pem"); + let certificate_verifier = TlsCertificateChainVerifier::new(root_ca); + let identities = [TrustedMrEnclaveIdentity::new( + MrEnclave::from_hex("840d61b0585dc8b4dc90f53af293c760fda06bee75978a6a86263ffb296423f4") + .unwrap(), + [""; 0], + ["INTEL-SA-00334", "INTEL-SA-00615"], + ) + .into()]; + let verifier = EvidenceVerifier::new(certificate_verifier, &identities, None); + let quote_bytes = include_bytes!("../../data/hw_quote.dat"); + let quote = Quote3::try_from(quote_bytes.as_ref()).expect("Failed to parse quote"); + let collateral = collateral(TCB_INFO_JSON, QE_IDENTITY_JSON); + let evidence: Evidence> = Evidence::new(quote, collateral) + .expect("Failed to create evidence") + .into(); + + let verification = verifier.verify(&evidence); + + assert_eq!(verification.is_success().unwrap_u8(), 1); + // let displayable = VerificationTreeDisplay::new(&verifier, verification); + // println!("\n{displayable}"); + } #[test] fn test_quote_parse() { From 641643b26a52ac8e2d10d99c9ec0c44702e2315c Mon Sep 17 00:00:00 2001 
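Review bot: The `// SAFETY:` comment in the `collateral` test helper says only that unions are unsafe; it does not state why this particular access is sound. Something like `// SAFETY: sgx_collateral was just default-initialised and the version fields are plain integers, so viewing the union as its struct variant reads initialised data` would record the invariant (to be confirmed against the bindgen definition). The helper also stores raw pointers into the locals `pck_crl_chain`, `root_crl`, `pck_crl` and `tcb_chain` in `sgx_collateral`; these stay valid only because `Collateral::try_from(&sgx_collateral)` runs before the function returns, and a comment such as `// the buffers above must stay alive until this call returns` above that line would keep a later refactor from handing out the struct with dangling pointers.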
From: hu55a1n1 Date: Mon, 27 May 2024 12:34:04 +0200 Subject: [PATCH 07/11] Add tests for cert chain validation --- .../packages/quartz-tee-ra/data/leaf_cert.pem | 27 ++++++++ .../quartz-tee-ra/src/intel_sgx/dcap.rs | 2 +- .../src/intel_sgx/dcap/certificate_chain.rs | 64 +++++++++++++++++++ 3 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 cosmwasm/packages/quartz-tee-ra/data/leaf_cert.pem diff --git a/cosmwasm/packages/quartz-tee-ra/data/leaf_cert.pem b/cosmwasm/packages/quartz-tee-ra/data/leaf_cert.pem new file mode 100644 index 00000000..68729216 --- /dev/null +++ b/cosmwasm/packages/quartz-tee-ra/data/leaf_cert.pem 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEjzCCBDSgAwIBAgIVAPtJxlxRlleZOb/spRh9U8K7AT/3MAoGCCqGSM49BAMC +MHExIzAhBgNVBAMMGkludGVsIFNHWCBQQ0sgUHJvY2Vzc29yIENBMRowGAYDVQQK +DBFJbnRlbCBDb3Jwb3JhdGlvbjEUMBIGA1UEBwwLU2FudGEgQ2xhcmExCzAJBgNV +BAgMAkNBMQswCQYDVQQGEwJVUzAeFw0yMjA2MTMyMTQ2MzRaFw0yOTA2MTMyMTQ2 +MzRaMHAxIjAgBgNVBAMMGUludGVsIFNHWCBQQ0sgQ2VydGlmaWNhdGUxGjAYBgNV +BAoMEUludGVsIENvcnBvcmF0aW9uMRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkG +A1UECAwCQ0ExCzAJBgNVBAYTAlVTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE +j/Ee1lkGJofDX745Ks5qxqu7Mk7Mqcwkx58TCSTsabRCSvobSl/Ts8b0dltKUW3j +qRd+SxnPEWJ+jUw+SpzwWaOCAqgwggKkMB8GA1UdIwQYMBaAFNDoqtp11/kuSReY +PHsUZdDV8llNMGwGA1UdHwRlMGMwYaBfoF2GW2h0dHBzOi8vYXBpLnRydXN0ZWRz +ZXJ2aWNlcy5pbnRlbC5jb20vc2d4L2NlcnRpZmljYXRpb24vdjMvcGNrY3JsP2Nh +PXByb2Nlc3NvciZlbmNvZGluZz1kZXIwHQYDVR0OBBYEFKy9gk624HzNnDyCw7QW +nhmVfE31MA4GA1UdDwEB/wQEAwIGwDAMBgNVHRMBAf8EAjAAMIIB1AYJKoZIhvhN +AQ0BBIIBxTCCAcEwHgYKKoZIhvhNAQ0BAQQQ36FQl3ntUr3KUwbEFvmRGzCCAWQG +CiqGSIb4TQENAQIwggFUMBAGCyqGSIb4TQENAQIBAgERMBAGCyqGSIb4TQENAQIC +AgERMBAGCyqGSIb4TQENAQIDAgECMBAGCyqGSIb4TQENAQIEAgEEMBAGCyqGSIb4 +TQENAQIFAgEBMBEGCyqGSIb4TQENAQIGAgIAgDAQBgsqhkiG+E0BDQECBwIBBjAQ +BgsqhkiG+E0BDQECCAIBADAQBgsqhkiG+E0BDQECCQIBADAQBgsqhkiG+E0BDQEC +CgIBADAQBgsqhkiG+E0BDQECCwIBADAQBgsqhkiG+E0BDQECDAIBADAQBgsqhkiG ++E0BDQECDQIBADAQBgsqhkiG+E0BDQECDgIBADAQBgsqhkiG+E0BDQECDwIBADAQ +BgsqhkiG+E0BDQECEAIBADAQBgsqhkiG+E0BDQECEQIBCzAfBgsqhkiG+E0BDQEC +EgQQERECBAGABgAAAAAAAAAAADAQBgoqhkiG+E0BDQEDBAIAADAUBgoqhkiG+E0B +DQEEBAYAkG7VAAAwDwYKKoZIhvhNAQ0BBQoBADAKBggqhkjOPQQDAgNJADBGAiEA +1XJi0ht4hw8YtC6E4rYscp9bF+7UOhVGeKePA5TW2FQCIQCIUAaewOuWOIvstZN4 +V8Zu8NFCC4vFg+cZqO6QfezEaA== +-----END CERTIFICATE----- \ No newline at end of file diff --git a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs index 22cb0358..eb260aac 100644 --- a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs +++ b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs 
@@ -85,7 +85,7 @@ mod tests { } #[test] - fn evidence_verifier_succeeds_with_mbedtls_x509_verifier() { + fn evidence_verifier_succeeds_with_tls_x509_verifier() { let root_ca = include_str!("../../data/root_ca.pem"); let certificate_verifier = TlsCertificateChainVerifier::new(root_ca); let identities = [TrustedMrEnclaveIdentity::new( diff --git a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs index d9fa3c88..6abb4469 100644 --- a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs +++ b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs 
@@ -22,3 +22,67 @@ impl CertificateChainVerifier for TlsCertificateChainVerifier {
 todo!()
 }
 }
+
+#[cfg(test)]
+mod test {
+ use der::{Decode, DecodePem};
+
+ use super::*;
+
+ const LEAF_CERT: &str = include_str!("../../../data/leaf_cert.pem");
+ const PROCESSOR_CA: &str = include_str!("../../../data/processor_ca.pem");
+ const ROOT_CA: &str = include_str!("../../../data/root_ca.pem");
+ const PROCESSOR_CRL: &[u8] = include_bytes!("../../../data/processor_crl.der");
+ const ROOT_CRL: &[u8] = include_bytes!("../../../data/root_crl.der");
+
+ #[test]
+ fn verify_valid_cert_chain() {
+ let chain = [LEAF_CERT, PROCESSOR_CA, ROOT_CA]
+ .iter()
+ .map(|cert| Certificate::from_pem(cert).expect("failed to parse cert"))
+ .collect::>();
+ let crls = [ROOT_CRL, PROCESSOR_CRL]
+ .iter()
+ .map(|crl| CertificateList::from_der(crl).expect("failed to parse CRL"))
+ .collect::>();
+ let verifier = TlsCertificateChainVerifier::new(ROOT_CA);
+ assert!(verifier
+ .verify_certificate_chain(chain.iter(), crls.iter(), None)
+ .is_ok());
+ }
+
+ #[test]
+ fn invalid_cert_chain() {
+ let chain = [LEAF_CERT, ROOT_CA]
+ .iter()
+ .map(|cert| Certificate::from_pem(cert).expect("failed to parse cert"))
+ .collect::>();
+ let crls = [ROOT_CRL, PROCESSOR_CRL]
+ .iter()
+ .map(|crl| CertificateList::from_der(crl).expect("failed to parse CRL"))
+ .collect::>();
+ let verifier = TlsCertificateChainVerifier::new(ROOT_CA);
+ assert_eq!(
+ verifier.verify_certificate_chain(chain.iter(), crls.iter(), None),
+ Err(CertificateChainVerifierError::SignatureVerification)
+ );
+ }
+
+ #[test]
+ fn unordered_cert_chain_succeeds() {
+ let chain = [PROCESSOR_CA, ROOT_CA, LEAF_CERT]
+ .iter()
+ .map(|cert| Certificate::from_pem(cert).expect("failed to parse cert"))
+ .collect::>();
+ let crls = [ROOT_CRL, PROCESSOR_CRL]
+ .iter()
+ .map(|crl| CertificateList::from_der(crl).expect("failed to parse CRL"))
+ .collect::>();
+ let verifier = TlsCertificateChainVerifier::new(ROOT_CA);
+ assert!(verifier
+
.verify_certificate_chain(chain.iter(), crls.iter(), None) + .is_ok()); + } + + // TODO(hu55a1n1) - add [PKITS tests](https://csrc.nist.gov/projects/pki-testing) +} From ecb016a211ec0bef9f11ffb0ca0c18f53d6edc44 Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Mon, 27 May 2024 12:39:19 +0200 Subject: [PATCH 08/11] Ignore all newly added tests --- cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs | 1 + .../quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs | 3 +++ 2 files changed, 4 insertions(+) diff --git a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs index eb260aac..2ba58c58 100644 --- a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs +++ b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs @@ -85,6 +85,7 @@ mod tests { } #[test] + #[ignore] fn evidence_verifier_succeeds_with_tls_x509_verifier() { let root_ca = include_str!("../../data/root_ca.pem"); let certificate_verifier = TlsCertificateChainVerifier::new(root_ca); diff --git a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs index 6abb4469..3e376a61 100644 --- a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs +++ b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs @@ -36,6 +36,7 @@ mod test { const ROOT_CRL: &[u8] = include_bytes!("../../../data/root_crl.der"); #[test] + #[ignore] fn verify_valid_cert_chain() { let chain = [LEAF_CERT, PROCESSOR_CA, ROOT_CA] .iter() @@ -52,6 +53,7 @@ mod test { } #[test] + #[ignore] fn invalid_cert_chain() { let chain = [LEAF_CERT, ROOT_CA] .iter() @@ -69,6 +71,7 @@ mod test { } #[test] + #[ignore] fn unordered_cert_chain_succeeds() { let chain = [PROCESSOR_CA, ROOT_CA, LEAF_CERT] .iter() From b0a742b10f1da07da2ba2b496bce244be71d27ce Mon Sep 17 00:00:00 2001 
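Review bot: None of the three tests added in `mod test` exercises the trust anchor or revocation: every case builds the verifier with `TlsCertificateChainVerifier::new(ROOT_CA)` and passes the same two CRLs, which the success case implies revoke nothing in the chain. A verifier that ignored its root argument, or never consulted the CRLs, would therefore pass all three once `verify_certificate_chain` is no longer `todo!()`. I would add two rejecting cases beside `invalid_cert_chain`: the valid chain checked by a verifier built from an unrelated root, e.g. `TlsCertificateChainVerifier::new(UNRELATED_ROOT_CA)` (placeholder fixture name), and the valid chain with a CRL that lists the leaf or the processor CA. Every call also passes `None` as the third argument; if that is the verification time, validity-period checks are presumably untested as well.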
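Review bot: The `#[ignore]` added above `evidence_verifier_succeeds_with_tls_x509_verifier` carries no reason, and the same bare attribute is added in the three `certificate_chain.rs` hunks that follow (`verify_valid_cert_chain`, `invalid_cert_chain`, `unordered_cert_chain_succeeds`). With all four skipped, a default `cargo test` run gives no signal about certificate-chain verification, and nothing records what must happen before they are re-enabled. Giving the attribute a reason keeps that visible in the test output: `#[ignore = "TlsCertificateChainVerifier::verify_certificate_chain is not implemented yet"]`. The test bodies continue outside these hunks.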
From: hu55a1n1 Date: Mon, 27 May 2024 12:40:41 +0200 Subject: [PATCH 09/11] clippy fix --- cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs index 2ba58c58..f19b3648 100644 --- a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs +++ b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs @@ -21,8 +21,7 @@ pub fn verify( let report_data_contents = EnclaveReportDataContents::new([0x42u8; 16].into(), [0xAAu8; 32]); let evidence = Evidence::new(quote, collateral).expect("Failed to get evidence"); let verifier = DcapVerifier::new(identities, None, report_data_contents); - let verification = verifier.verify(&evidence); - verification + verifier.verify(&evidence) } #[cfg(test)] From 633179779608b29461e4d8b71dd2e2fbec19e3b0 Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Mon, 27 May 2024 12:48:13 +0200 Subject: [PATCH 10/11] clippy fix --- cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs index f19b3648..956b7459 100644 --- a/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs +++ b/cosmwasm/packages/quartz-tee-ra/src/intel_sgx/dcap.rs 
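Review bot: `verify` still checks the quote against a constant report-data value, `EnclaveReportDataContents::new([0x42u8; 16].into(), [0xAAu8; 32])`, in the context lines this hunk leaves untouched. If those two arguments are the nonce and key that the report-data hash is meant to bind (the type name suggests so, but the constructor is not visible here), every caller of this public function verifies against the same fixed pair, so the check provides no freshness or key binding. I would take the value from the caller, e.g. an added `report_data_contents: EnclaveReportDataContents` parameter, instead of constructing it inside. The `.expect("Failed to get evidence")` on the following line also turns a malformed quote or collateral into a panic rather than an error the caller can handle. The signature of `verify` starts outside this hunk.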
@@ -90,12 +90,12 @@ mod tests { let certificate_verifier = TlsCertificateChainVerifier::new(root_ca); let identities = [TrustedMrEnclaveIdentity::new( MrEnclave::from_hex("840d61b0585dc8b4dc90f53af293c760fda06bee75978a6a86263ffb296423f4") - .unwrap(), + .expect("malformed MRENCLAVE hex"), [""; 0], ["INTEL-SA-00334", "INTEL-SA-00615"], ) .into()]; - let verifier = EvidenceVerifier::new(certificate_verifier, &identities, None); + let verifier = EvidenceVerifier::new(certificate_verifier, identities.as_ref(), None); let quote_bytes = include_bytes!("../../data/hw_quote.dat"); let quote = Quote3::try_from(quote_bytes.as_ref()).expect("Failed to parse quote"); let collateral = collateral(TCB_INFO_JSON, QE_IDENTITY_JSON); From 7ddb328e565069b1e9bd06aaaa93a811fd1d4630 Mon Sep 17 00:00:00 2001 From: hu55a1n1 Date: Thu, 20 Jun 2024 22:02:11 +0200 Subject: [PATCH 11/11] Fix Cargo.toml deps after rebase --- cosmwasm/packages/quartz-tee-ra/Cargo.toml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/cosmwasm/packages/quartz-tee-ra/Cargo.toml b/cosmwasm/packages/quartz-tee-ra/Cargo.toml index dc1a281f..8ed1199f 100644 --- a/cosmwasm/packages/quartz-tee-ra/Cargo.toml +++ b/cosmwasm/packages/quartz-tee-ra/Cargo.toml @@ -32,15 +32,5 @@ mc-sgx-dcap-sys-types.workspace = true cosmwasm-schema.workspace = true cosmwasm-std.workspace = true -der = { version = "0.7.9", default-features = false } -displaydoc = { version = "0.2.4", default-features = false } -mc-sgx-core-types = { git = "https://github.com/informalsystems/sgx" } -mc-sgx-dcap-types = { git = "https://github.com/informalsystems/sgx" } -mc-sgx-dcap-sys-types = { git = "https://github.com/informalsystems/sgx" } -mc-attestation-verifier = { git = "https://github.com/informalsystems/attestation" } -serde = { version = "1.0.198", default-features = false } -x509-cert = { version = "0.2.5", default-features = false } -zeroize = { version = "1.7.0", default-features = false } - [dev-dependencies] hex = "0.4.3"
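Review bot: In the `dcap.rs` test hunk, the advisory list `["INTEL-SA-00334", "INTEL-SA-00615"]` passed to `TrustedMrEnclaveIdentity::new` has no comment saying why these two advisories are treated as acceptable for this identity. Which advisories a verifier tolerates is a policy decision, and a test fixture is a common place for such lists to be copied from. A line above the array would be enough, e.g. `// advisories accepted only so the hw_quote.dat fixture verifies (TODO confirm against the quote's TCB status)`. The test function starts and ends outside the hunk.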