add local signature verification

Cargo.lock

@@ -5710,12 +5710,16 @@ dependencies = [
  "bincode",
  "cosmrs",
  "cw-client",
+ "der",
+ "mc-attestation-verifier",
+ "p256",
  "quartz-tcbinfo-msgs 0.1.0",
  "quoted-string",
  "reqwest 0.12.8",
  "serde_json",
  "tendermint",
  "tokio",
+ "x509-cert",
 ]
 
 [[package]]
@@ -6012,6 +6016,27 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
 
+[[package]]
+name = "tls_codec"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b5e78c9c330f8c85b2bae7c8368f2739157db9991235123aa1b15ef9502bfb6a"
+dependencies = [
+ "tls_codec_derive",
+ "zeroize",
+]
+
+[[package]]
+name = "tls_codec_derive"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8d9ef545650e79f30233c0003bcc2504d7efac6dad25fca40744de773fe2049c"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.85",
+]
+
 [[package]]
 name = "tokio"
 version = "1.41.0"
@@ -6970,6 +6995,7 @@ dependencies = [
  "const-oid",
  "der",
  "spki",
+ "tls_codec",
 ]
 
 [[package]]

crates/utils/tcbinfo-updater/Cargo.toml

@@ -18,4 +18,8 @@ bincode = {version = "1.3.3"}
 quartz-tcbinfo-msgs = {path = "../../contracts/tcbinfo/msgs"}
 tendermint.workspace = true
 cosmrs.workspace = true
-tokio = {version = "1", features = ["full"]}
+tokio = {version = "1", features = ["full"]}
+mc-attestation-verifier.workspace = true
+p256.workspace = true
+x509-cert = "0.2.5"
+der.workspace = true

crates/utils/tcbinfo-updater/src/main.rs

@@ -1,6 +1,10 @@
 use quoted_string::strip_dquotes;
+use mc_attestation_verifier::SignedTcbInfo;
+use p256::ecdsa::VerifyingKey;
 use serde_json::{json, Value};
 use std::collections::HashMap;
+use x509_cert::Certificate;
+use der::DecodePem;
 use std::fs;
 use cw_client::{CliClient, CwClient};
 use reqwest::Url;
@@ -45,11 +49,22 @@ async fn get_fmspc_list() -> Vec<Fmspc> {
 async fn upsert_tcbinfo() -> Result<(), &'static str>  {
     let data = fs::read_to_string("./standard").expect("Unable to read file");
     let mut store: HashMap<Fmspc, TcbInfo> = serde_json::from_str(&data).unwrap();
-
+    let   certificate = TCB_SIGNER.to_string();
+    let parsed_certificate = Certificate::from_pem(certificate.clone()).expect("failed to parse PEM");
     let fmspc_list = get_fmspc_list().await;
+       let key = VerifyingKey::from_sec1_bytes(
+        parsed_certificate
+            .tbs_certificate
+            .subject_public_key_info
+            .subject_public_key
+            .as_bytes()
+            .expect("Failed to parse public key"),
+    )
+        .expect("Failed to decode public key");
+    
     for fmspc in fmspc_list {
         let tcbinfo = get_tcbinfo(fmspc.clone(), "standard".to_string()).await;
-        println!("{tcbinfo:?}");
+        verify_signature(tcbinfo.clone(), key);
         let store_entry = &store[&fmspc];
         if *store_entry != tcbinfo {
             println!("updating local TCBInfo for FMSPC: {fmspc}");
@@ -62,7 +77,7 @@ async fn upsert_tcbinfo() -> Result<(), &'static str>  {
             let client = CliClient::neutrond(testnet);
             let execute_msg = ExecuteMsg {
                 tcb_info: tcbinfo.to_string(),
-                certificate: TCB_SIGNER.to_string(),
+              certificate: certificate.clone(),
                 time: None,
             };
             let res =
@@ -82,6 +97,12 @@ async fn upsert_tcbinfo() -> Result<(), &'static str>  {
     //   }
 }
 
+fn verify_signature (tcbinfo: Value, key: VerifyingKey)  {
+    let signed_tcbinfo = SignedTcbInfo::try_from(tcbinfo.as_str().expect("failed to parse tcbinfo json")).expect("tcbinfo string parsing failed");
+      signed_tcbinfo.verify(Some(&key), None).expect("could not verify signature");
+    
+}
+
 #[tokio::main]
 pub async fn main() {
     upsert_tcbinfo().await.expect("TCBInfo update failed");