On-chain DCAP verifier without cert validation (#24)

bisenzone-cw-mvp/packages/quartz-tee-ra/Cargo.toml

@@ -13,3 +13,13 @@ num-bigint = "0.4.4"
 serde_json = "1.0.108"
 sha2 = "0.10.8"
 thiserror = { version = "1.0.49" }
+
+der = { version = "0.7.9", default-features = false }
+displaydoc = { version = "0.2.4", default-features = false }
+mc-sgx-core-types = { git = "https://github.com/hu55a1n1/sgx" }
+mc-sgx-dcap-types = { git = "https://github.com/hu55a1n1/sgx" }
+mc-sgx-dcap-sys-types = { git = "https://github.com/hu55a1n1/sgx" }
+mc-attestation-verifier = { git = "https://github.com/hu55a1n1/attestation" }
+serde = { version = "1.0.198", default-features = false }
+x509-cert = { version = "0.2.5", default-features = false }
+zeroize = { version = "1.7.0", default-features = false }

bisenzone-cw-mvp/packages/quartz-tee-ra/data/DcapRootCACert.pem

@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICjzCCAjSgAwIBAgIUImUM1lqdNInzg7SVUr9QGzknBqwwCgYIKoZIzj0EAwIw
+aDEaMBgGA1UEAwwRSW50ZWwgU0dYIFJvb3QgQ0ExGjAYBgNVBAoMEUludGVsIENv
+cnBvcmF0aW9uMRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExCzAJ
+BgNVBAYTAlVTMB4XDTE4MDUyMTEwNDUxMFoXDTQ5MTIzMTIzNTk1OVowaDEaMBgG
+A1UEAwwRSW50ZWwgU0dYIFJvb3QgQ0ExGjAYBgNVBAoMEUludGVsIENvcnBvcmF0
+aW9uMRQwEgYDVQQHDAtTYW50YSBDbGFyYTELMAkGA1UECAwCQ0ExCzAJBgNVBAYT
+AlVTMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEC6nEwMDIYZOj/iPWsCzaEKi7
+1OiOSLRFhWGjbnBVJfVnkY4u3IjkDYYL0MxO4mqsyYjlBalTVYxFP2sJBK5zlKOB
+uzCBuDAfBgNVHSMEGDAWgBQiZQzWWp00ifODtJVSv1AbOScGrDBSBgNVHR8ESzBJ
+MEegRaBDhkFodHRwczovL2NlcnRpZmljYXRlcy50cnVzdGVkc2VydmljZXMuaW50
+ZWwuY29tL0ludGVsU0dYUm9vdENBLmRlcjAdBgNVHQ4EFgQUImUM1lqdNInzg7SV
+Ur9QGzknBqwwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQEwCgYI
+KoZIzj0EAwIDSQAwRgIhAOW/5QkR+S9CiSDcNoowLuPRLsWGf/Yi7GSX94BgwTwg
+AiEA4J0lrHoMs+Xo5o/sX6O9QWxHRAvZUGOdRQ7cvqRXaqI=
+-----END CERTIFICATE-----

bisenzone-cw-mvp/packages/quartz-tee-ra/src/intel_sgx.rs

@@ -1,5 +1,6 @@
 use thiserror::Error;
 
+pub mod dcap;
 pub mod epid;
 
 #[derive(Error, Debug)]

bisenzone-cw-mvp/packages/quartz-tee-ra/src/intel_sgx/dcap.rs

@@ -0,0 +1,130 @@
+pub mod certificate_chain;
+pub mod mc_attest_verifier;
+pub mod mc_attest_verifier_types;
+
+/// Root anchor PEM file for use with DCAP
+pub const DCAP_ROOT_ANCHOR: &str = include_str!("../../data/DcapRootCACert.pem");
+
+pub use mc_attest_verifier::dcap::DcapVerifier;
+pub use mc_attest_verifier_types::verification::EnclaveReportDataContents;
+pub use mc_attestation_verifier::*;
+pub use mc_sgx_dcap_sys_types::sgx_ql_qve_collateral_t;
+pub use mc_sgx_dcap_types::{CertificationData, Collateral};
+pub use x509_cert::Certificate;
+
+#[cfg(test)]
+mod tests {
+    use hex_literal::hex;
+    use mc_sgx_dcap_types::Quote3;
+
+    #[test]
+    fn test_quote_parse() {
+        let quote_bytes = hex!(
+            "03000200000000000a000f00939a7233f79c4ca9940a0db3957f0607ce4\
+        8836fd48a951172fe155220a719bd00000000141402070180010000000000000000000000000000000000000000\
+        00000000000000000000000000000000000000000005000000000000000700000000000000dc43f8c42d8e5f52c\
+        8bbd68f426242153f0be10630ff8cca255129a3ca03d27300000000000000000000000000000000000000000000\
+        000000000000000000001cf2e52911410fbf3f199056a98d58795a559a2e800933f7fcd13d048462271c0000000\
+        0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\
+        0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\
+        0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\
+        00000000000000000000000000000000000000009113b0be77ed5d0d68680ec77206b8d587ed40679b71321ccdd\
+        5405e4d54a682000000000000000000000000000000000000000000000000000000000000000044100000552c9b\
+        321744cf259b8c239213413ca4226ea8a705ad6eabb505bb4f3a8850f1ed9f2ff3d9e17ba8be8cc69a0d911575a\
+        813392202bddaa7b971d406704989e0be6177e039634cfbca4739ac246fda7df8c312a98f30f57b63f3c8921fce\
+        51d90a93031f97f769637be9b028e7b007a4e458d4fa717befbd81b069050825801314140207018001000000000\
+        0000000000000000000000000000000000000000000000000000000000000000000000000150000000000000007\
+        0000000000000096b347a64e5a045e27369c26e6dcda51fd7c850e9b3a3a79e718f43261dee1e40000000000000\
+        0000000000000000000000000000000000000000000000000008c4f5775d796503e96137f77c68a829a0056ac8d\
+        ed70140b081b094490c57bff0000000000000000000000000000000000000000000000000000000000000000000\
+        0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\
+        000000000000000000000000000000000001000a000000000000000000000000000000000000000000000000000\
+        00000000000000000000000000000000000000000000000000000000000000000000000b0f056c5355f6c770413\
+        938c2a41ed1b5c34ecb35f85fa539f16cca7a30d6da900000000000000000000000000000000000000000000000\
+        00000000000000000010a4d552582e428f8fd138cbb5f8af51050776f2c487996147d4ebfb5c817ba733905f30a\
+        f7b4f340eaf0fdf2bb64dcb045d56f1609a1b042e6f5aeed09175c2000000102030405060708090a0b0c0d0e0f1\
+        01112131415161718191a1b1c1d1e1f0500dc0d00002d2d2d2d2d424547494e2043455254494649434154452d2d\
+        2d2d2d0a4d4949456a544343424453674177494241674956414a5172493559365a78484836785034424941715a4\
+        e6b326e4c7a594d416f4743437147534d343942414d430a4d484578497a416842674e5642414d4d476b6c756447\
+        567349464e48574342515130736755484a765932567a6332397949454e424d526f77474159445651514b0a44424\
+        64a626e526c6243424462334a7762334a6864476c76626a45554d424947413155454277774c5532467564474567\
+        51327868636d4578437a414a42674e560a4241674d416b4e424d517377435159445651514745774a56557a41654\
+        67730794d7a45784d5441784e7a45334d4452614677307a4d4445784d5441784e7a45330a4d4452614d48417849\
+        6a416742674e5642414d4d47556c756447567349464e4857434251513073675132567964476c6d61574e6864475\
+        578476a415942674e560a42416f4d45556c756447567349454e76636e4276636d4630615739754d525177456759\
+        4456515148444174545957353059534244624746795954454c4d416b470a413155454341774351304578437a414\
+        a42674e5642415954416c56544d466b77457759484b6f5a497a6a3043415159494b6f5a497a6a30444151634451\
+        6741450a77625468574d583134443163657835317875614958456771517a69636e744b7a48454a32536f31336e3\
+        84a427050314a67383673764263462f7070715a554e710a68524b4642667469584c6d4f536c614955784e6e5136\
+        4f434171677767674b6b4d42384741315564497751594d426141464e446f71747031312f6b75535265590a50487\
+        3555a644456386c6c4e4d477747413155644877526c4d474d77596142666f463247573268306448427a4f693876\
+        595842704c6e527964584e305a57527a0a5a584a3261574e6c63793570626e526c6243356a62323076633264344\
+        c324e6c636e52705a6d6c6a5958527062323476646a517663474e7259334a7350324e680a5058427962324e6c63\
+        334e7663695a6c626d4e765a476c755a7a316b5a584977485159445652304f42425945464a57566e41395a63736\
+        f3753356b6a2f647a4a0a594f3034534175644d41344741315564447745422f775145417749477744414d42674e\
+        5648524d4241663845416a41414d4949423141594a4b6f5a496876684e0a4151304242494942785443434163457\
+        74867594b4b6f5a496876684e41513042415151514d6d5867725757774c59554164456d6c766c36615344434341\
+        5751470a43697147534962345451454e41514977676746554d42414743797147534962345451454e41514942416\
+        745554d42414743797147534962345451454e415149430a416745554d42414743797147534962345451454e4151\
+        4944416745434d42414743797147534962345451454e41514945416745454d42414743797147534962340a54514\
+        54e41514946416745424d42454743797147534962345451454e41514947416749416744415142677371686b6947\
+        2b4530424451454342774942414441510a42677371686b69472b453042445145434341494241444151426773716\
+        86b69472b45304244514543435149424144415142677371686b69472b453042445145430a436749424144415142\
+        677371686b69472b45304244514543437749424144415142677371686b69472b453042445145434441494241444\
+        15142677371686b69470a2b45304244514543445149424144415142677371686b69472b45304244514543446749\
+        424144415142677371686b69472b4530424451454344774942414441510a42677371686b69472b4530424451454\
+        3454149424144415142677371686b69472b45304244514543455149424454416642677371686b69472b45304244\
+        5145430a4567515146425143424147414141414141414141414141414144415142676f71686b69472b453042445\
+        14544424149414144415542676f71686b69472b4530420a44514545424159416b473668414141774477594b4b6f\
+        5a496876684e4151304242516f424144414b42676771686b6a4f5051514441674e4841444245416942560a6e584\
+        667364277466a6945474230417162424e702b4b56734a477245744f4f49666e6f365450387031414967536c4430\
+        574e39595261575968346534656835330a314637434537664964724f55414c5177757632735948513d0a2d2d2d2\
+        d2d454e442043455254494649434154452d2d2d2d2d0a2d2d2d2d2d424547494e2043455254494649434154452d\
+        2d2d2d2d0a4d4949436d444343416a36674177494241674956414e446f71747031312f6b7553526559504873555\
+        a644456386c6c4e4d416f4743437147534d343942414d430a4d476778476a415942674e5642414d4d45556c7564\
+        47567349464e48574342536232393049454e424d526f77474159445651514b4442464a626e526c624342440a623\
+        34a7762334a6864476c76626a45554d424947413155454277774c553246756447456751327868636d4578437a41\
+        4a42674e564241674d416b4e424d5173770a435159445651514745774a56557a4165467730784f4441314d6a457\
+        84d4455774d5442614677307a4d7a41314d6a45784d4455774d5442614d484578497a41680a42674e5642414d4d\
+        476b6c756447567349464e48574342515130736755484a765932567a6332397949454e424d526f7747415944565\
+        1514b4442464a626e526c0a6243424462334a7762334a6864476c76626a45554d424947413155454277774c5532\
+        46756447456751327868636d4578437a414a42674e564241674d416b4e420a4d517377435159445651514745774\
+        a56557a425a4d424d4742797147534d34394167454743437147534d34394177454841304941424c39712b4e4d70\
+        32494f670a74646c31626b2f75575a352b5447516d38614369387a373866732b664b435133642b75447a586e565\
+        44154325a68444369667949754a77764e33774e427039690a484253534d4a4d4a72424f6a676273776762677748\
+        7759445652306a42426777466f4155496d554d316c71644e496e7a6737535655723951477a6b6e427177770a556\
+        759445652306642457377535442486f45576751345a426148523063484d364c79396a5a584a3061575a70593246\
+        305a584d7564484a316333526c5a484e6c0a636e5a705932567a4c6d6c75644756734c6d4e766253394a626e526\
+        c62464e4857464a76623352445153356b5a584977485159445652304f42425945464e446f0a71747031312f6b75\
+        53526559504873555a644456386c6c4e4d41344741315564447745422f77514541774942426a415342674e56485\
+        24d4241663845434441470a4151482f416745414d416f4743437147534d343942414d43413067414d4555434951\
+        434a6754627456714f795a316d336a716941584d365159613672357357530a34792f4737793875494a477864774\
+        9675271507642534b7a7a516167424c517135733541373070646f6961524a387a2f3075447a344e675639316b3d\
+        0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a2d2d2d2d2d424547494e20434552544946494\
+        34154452d2d2d2d2d0a4d4949436a7a4343416a53674177494241674955496d554d316c71644e496e7a67375356\
+        55723951477a6b6e42717777436759494b6f5a497a6a3045417749770a614445614d42674741315545417777525\
+        35735305a5777675530645949464a766233516751304578476a415942674e5642416f4d45556c75644756734945\
+        4e760a636e4276636d4630615739754d52517745675944565151484441745459573530595342446247467959544\
+        54c4d416b47413155454341774351304578437a414a0a42674e5642415954416c56544d423458445445344d4455\
+        794d5445774e4455784d466f58445451354d54497a4d54497a4e546b314f566f77614445614d4267470a4131554\
+        541777752535735305a5777675530645949464a766233516751304578476a415942674e5642416f4d45556c7564\
+        47567349454e76636e4276636d46300a615739754d5251774567594456515148444174545957353059534244624\
+        746795954454c4d416b47413155454341774351304578437a414a42674e56424159540a416c56544d466b774577\
+        59484b6f5a497a6a3043415159494b6f5a497a6a3044415163445167414543366e45774d4449595a4f6a2f69505\
+        773437a61454b69370a314f694f534c52466857476a626e42564a66566e6b59347533496a6b4459594c304d784f\
+        346d717379596a6c42616c54565978465032734a424b357a6c4b4f420a757a43427544416642674e5648534d454\
+        7444157674251695a517a575770303069664f44744a5653763141624f5363477244425342674e5648523845537a\
+        424a0a4d45656752614244686b466f64485277637a6f764c324e6c636e52705a6d6c6a5958526c63793530636e5\
+        67a6447566b63325679646d6c6a5a584d75615735300a5a577775593239744c306c756447567355306459556d39\
+        7664454e424c6d526c636a416442674e564851344546675155496d554d316c71644e496e7a673753560a5572395\
+        1477a6b6e4271777744675944565230504151482f42415144416745474d42494741315564457745422f7751494d\
+        4159424166384341514577436759490a4b6f5a497a6a3045417749445351417752674968414f572f35516b522b5\
+        33943695344634e6f6f774c7550524c735747662f59693747535839344267775477670a41694541344a306c7248\
+        6f4d732b586f356f2f7358364f39515778485241765a55474f6452513763767152586171493d0a2d2d2d2d2d454\
+        e442043455254494649434154452d2d2d2d2d0a00"
+        );
+        let _quote: Quote3<Vec<u8>> = Quote3::try_from(quote_bytes.to_vec())
+            .expect("Failed to parse quote")
+            .into();
+    }
+}

bisenzone-cw-mvp/packages/quartz-tee-ra/src/intel_sgx/dcap/certificate_chain.rs

@@ -0,0 +1,17 @@
+use der::DateTime;
+use mc_attestation_verifier::{CertificateChainVerifier, CertificateChainVerifierError};
+use x509_cert::{crl::CertificateList, Certificate};
+
+#[derive(Debug, Clone, serde::Serialize, serde::Deserialize, Eq, PartialEq)]
+pub struct TlsCertificateChainVerifier;
+
+impl CertificateChainVerifier for TlsCertificateChainVerifier {
+    fn verify_certificate_chain<'a, 'b>(
+        &self,
+        _certificate_chain: impl IntoIterator<Item = &'a Certificate>,
+        _crls: impl IntoIterator<Item = &'b CertificateList>,
+        _time: impl Into<Option<DateTime>>,
+    ) -> Result<(), CertificateChainVerifierError> {
+        todo!()
+    }
+}

bisenzone-cw-mvp/packages/quartz-tee-ra/src/intel_sgx/dcap/mc_attest_verifier.rs

@@ -0,0 +1,4 @@
+// Trimmed down version of the `mc_attest_verifier` crate (for DCAP verification only) ->
+// https://github.com/hu55a1n1/mobilecoin/blob/a1eba594f5b1ebe3d2b0736cf76d38120f84a4a0/attest/verifier
+
+pub mod dcap;

bisenzone-cw-mvp/packages/quartz-tee-ra/src/intel_sgx/dcap/mc_attest_verifier/dcap.rs

@@ -0,0 +1,82 @@
+// Copyright (c) 2023 The MobileCoin Foundation
+
+//! Verify the contents of a Quote3.
+
+use der::DateTime;
+use mc_attestation_verifier::{
+    Accessor, And, AndOutput, Evidence, EvidenceValue, EvidenceVerifier, ReportDataVerifier,
+    TrustedIdentity, VerificationOutput, Verifier,
+};
+use mc_sgx_core_types::ReportData;
+
+// use super::DCAP_ROOT_ANCHOR;
+use super::super::certificate_chain::TlsCertificateChainVerifier;
+use super::super::mc_attest_verifier_types::verification::EnclaveReportDataContents;
+
+#[derive(Debug)]
+pub struct DcapVerifier {
+    verifier: And<EvidenceVerifier<TlsCertificateChainVerifier>, ReportDataHashVerifier>,
+}
+
+type DcapVerifierOutput = AndOutput<EvidenceValue, ReportData>;
+
+impl DcapVerifier {
+    /// Create a new instance of the DcapVerifier.
+    ///
+    /// # Arguments
+    /// * `trusted_identities` - The allowed identities that can be used in an
+    ///   enclave. Verification will succeed if any of these match.
+    /// * `time` - The time to use to verify the validity of the certificates
+    ///   and collateral. If time is provided, verification will fail if this
+    ///   time is before or after any of the validity periods. Otherwise, time
+    ///   validation of certificates will be skipped.
+    pub fn new<I, ID>(
+        trusted_identities: I,
+        time: impl Into<Option<DateTime>>,
+        report_data: EnclaveReportDataContents,
+    ) -> Self
+    where
+        I: IntoIterator<Item = ID>,
+        ID: Into<TrustedIdentity>,
+    {
+        let certificate_verifier = TlsCertificateChainVerifier;
+        let verifier = And::new(
+            EvidenceVerifier::new(certificate_verifier, trusted_identities, time),
+            ReportDataHashVerifier::new(report_data),
+        );
+        Self { verifier }
+    }
+
+    /// Verify the `evidence`
+    pub fn verify(&self, evidence: &Evidence<Vec<u8>>) -> VerificationOutput<DcapVerifierOutput> {
+        self.verifier.verify(evidence)
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct ReportDataHashVerifier {
+    report_data_verifier: ReportDataVerifier,
+}
+
+impl ReportDataHashVerifier {
+    pub fn new(report_data: EnclaveReportDataContents) -> Self {
+        let mut expected_report_data_bytes = [0u8; 64];
+        expected_report_data_bytes[..32].copy_from_slice(report_data.sha256().as_ref());
+        let mut mask = [0u8; 64];
+        mask[..32].copy_from_slice([0xffu8; 32].as_ref());
+        let report_data_verifier =
+            ReportDataVerifier::new(expected_report_data_bytes.into(), mask.into());
+
+        Self {
+            report_data_verifier,
+        }
+    }
+}
+
+impl<E: Accessor<ReportData>> Verifier<E> for ReportDataHashVerifier {
+    type Value = ReportData;
+
+    fn verify(&self, evidence: &E) -> VerificationOutput<Self::Value> {
+        self.report_data_verifier.verify(evidence)
+    }
+}

bisenzone-cw-mvp/packages/quartz-tee-ra/src/intel_sgx/dcap/mc_attest_verifier_types.rs

@@ -0,0 +1,4 @@
+// Heavily trimmed down version of the `mc-attest-verifier-types` crate
+// https://github.com/hu55a1n1/mobilecoin/blob/89d90c427bf9cf637a124c0afad266d52b573dc8/attest/verifier/types/src/verification.rs
+
+pub mod verification;

bisenzone-cw-mvp/packages/quartz-tee-ra/src/intel_sgx/dcap/mc_attest_verifier_types/verification.rs

@@ -0,0 +1,60 @@
+// Copyright (c) 2018-2022 The MobileCoin Foundation
+
+//! Attestation Verification Report type.
+
+use core::fmt::Debug;
+
+use mc_sgx_core_types::QuoteNonce;
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+
+/// Structure for holding the contents of the Enclave's Report Data.
+/// The Enclave Quote's ReportData member contains a SHA256 hash of this
+/// structure's contents.
+#[derive(Debug, Clone, Serialize, Deserialize, Eq, PartialEq)]
+pub struct EnclaveReportDataContents {
+    nonce: QuoteNonce,
+    custom_identity: Option<[u8; 32]>,
+}
+
+impl EnclaveReportDataContents {
+    /// Create a new EnclaveReportDataContents.
+    ///
+    /// # Arguments
+    /// * `nonce` - The nonce provided from the enclave when generating the
+    ///   Report.
+    /// * `key` - The public key of the enclave. Previously this was bytes 0..32
+    ///   of the enclave's [`ReportData`](mc-sgx-core-types::ReportData).
+    /// * `custom_identity` - The custom identity of the enclave. Previously
+    ///   this was bytes 32..64 of the enclave's
+    ///   [`ReportData`](mc-sgx-core-types::ReportData).
+    pub fn new(nonce: QuoteNonce, custom_identity: impl Into<Option<[u8; 32]>>) -> Self {
+        Self {
+            nonce,
+            custom_identity: custom_identity.into(),
+        }
+    }
+
+    /// Get the nonce
+    pub fn nonce(&self) -> &QuoteNonce {
+        &self.nonce
+    }
+
+    ///  Get the custom identity
+    pub fn custom_identity(&self) -> Option<&[u8; 32]> {
+        self.custom_identity.as_ref()
+    }
+
+    /// Returns a SHA256 hash of the contents of this structure.
+    ///
+    /// This is the value that is stored in bytes 0..32 of the enclave's
+    /// [`ReportData`](mc-sgx-core-types::ReportData).
+    pub fn sha256(&self) -> [u8; 32] {
+        let mut hasher = Sha256::new();
+        hasher.update(&self.nonce);
+        if let Some(custom_identity) = &self.custom_identity {
+            hasher.update(custom_identity);
+        }
+        hasher.finalize().into()
+    }
+}