From 7dc0312be37fa2b6d4eed2dc7ecb346744007f93 Mon Sep 17 00:00:00 2001 From: Ajinkya Kulkarni Date: Wed, 4 Dec 2024 20:22:13 +0100 Subject: [PATCH] add local signature verification --- Cargo.lock | 26 +++++++++++++++++++++++ crates/utils/tcbinfo-updater/Cargo.toml | 6 +++++- crates/utils/tcbinfo-updater/src/main.rs | 27 +++++++++++++++++++++--- 3 files changed, 55 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 043743f..64282f9 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -5710,12 +5710,16 @@ dependencies = [ "bincode", "cosmrs", "cw-client", + "der", + "mc-attestation-verifier", + "p256", "quartz-tcbinfo-msgs 0.1.0", "quoted-string", "reqwest 0.12.8", "serde_json", "tendermint", "tokio", + "x509-cert", ] [[package]] @@ -6012,6 +6016,27 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" +[[package]] +name = "tls_codec" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b5e78c9c330f8c85b2bae7c8368f2739157db9991235123aa1b15ef9502bfb6a" +dependencies = [ + "tls_codec_derive", + "zeroize", +] + +[[package]] +name = "tls_codec_derive" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8d9ef545650e79f30233c0003bcc2504d7efac6dad25fca40744de773fe2049c" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.85", +] + [[package]] name = "tokio" version = "1.41.0" @@ -6970,6 +6995,7 @@ dependencies = [ "const-oid", "der", "spki", + "tls_codec", ] [[package]] diff --git a/crates/utils/tcbinfo-updater/Cargo.toml b/crates/utils/tcbinfo-updater/Cargo.toml index 2a65a11..ee82d5c 100644 --- a/crates/utils/tcbinfo-updater/Cargo.toml +++ b/crates/utils/tcbinfo-updater/Cargo.toml @@ -18,4 +18,8 @@ bincode = {version = "1.3.3"} quartz-tcbinfo-msgs = {path = "../../contracts/tcbinfo/msgs"} tendermint.workspace = true cosmrs.workspace = true -tokio = {version = "1", features = ["full"]} \ No newline at end of file +tokio = {version = "1", features = ["full"]} +mc-attestation-verifier.workspace = true +p256.workspace = true +x509-cert = "0.2.5" +der.workspace = true diff --git a/crates/utils/tcbinfo-updater/src/main.rs b/crates/utils/tcbinfo-updater/src/main.rs index ba6f060..8df9612 100644 --- a/crates/utils/tcbinfo-updater/src/main.rs +++ b/crates/utils/tcbinfo-updater/src/main.rs @@ -1,6 +1,10 @@ use quoted_string::strip_dquotes; +use mc_attestation_verifier::SignedTcbInfo; +use p256::ecdsa::VerifyingKey; use serde_json::{json, Value}; use std::collections::HashMap; +use x509_cert::Certificate; +use der::DecodePem; use std::fs; use cw_client::{CliClient, CwClient}; use reqwest::Url; @@ -45,11 +49,22 @@ async fn get_fmspc_list() -> Vec { async fn upsert_tcbinfo() -> Result<(), &'static str> { let data = fs::read_to_string("./standard").expect("Unable to read file"); let mut store: HashMap = serde_json::from_str(&data).unwrap(); - + let certificate = TCB_SIGNER.to_string(); + let parsed_certificate = Certificate::from_pem(certificate.clone()).expect("failed to parse PEM"); let fmspc_list = get_fmspc_list().await; + let key = VerifyingKey::from_sec1_bytes( + parsed_certificate + .tbs_certificate + .subject_public_key_info + .subject_public_key + .as_bytes() + .expect("Failed to parse public key"), + ) + .expect("Failed to decode public key"); + for fmspc in fmspc_list { let tcbinfo = get_tcbinfo(fmspc.clone(), "standard".to_string()).await; - println!("{tcbinfo:?}"); + verify_signature(tcbinfo.clone(), key); let store_entry = &store[&fmspc]; if *store_entry != tcbinfo { println!("updating local TCBInfo for FMSPC: {fmspc}"); @@ -62,7 +77,7 @@ async fn upsert_tcbinfo() -> Result<(), &'static str> { let client = CliClient::neutrond(testnet); let execute_msg = ExecuteMsg { tcb_info: tcbinfo.to_string(), - certificate: TCB_SIGNER.to_string(), + certificate: certificate.clone(), time: None, }; let res = @@ -82,6 +97,12 @@ async fn upsert_tcbinfo() -> Result<(), &'static str> { // } } +fn verify_signature (tcbinfo: Value, key: VerifyingKey) { + let signed_tcbinfo = SignedTcbInfo::try_from(tcbinfo.as_str().expect("failed to parse tcbinfo json")).expect("tcbinfo string parsing failed"); + signed_tcbinfo.verify(Some(&key), None).expect("could not verify signature"); + +} + #[tokio::main] pub async fn main() { upsert_tcbinfo().await.expect("TCBInfo update failed");