use cw_client::{CliClient, CwClient}; use der::DecodePem; use mc_attestation_verifier::SignedTcbInfo; use p256::ecdsa::VerifyingKey; use quartz_tcbinfo_msgs::ExecuteMsg; use quoted_string::strip_dquotes; use reqwest::Url; use serde_json::{json, Value}; use std::collections::HashMap; use std::{fs, path::Path}; use x509_cert::Certificate; type TcbInfo = String; type Fmspc = String; type Update = String; const TCB_SIGNER: &str = include_str!("../tcb_signer.pem"); async fn get_tcbinfo(fmspc: Fmspc, update: Update) -> String { let url = format!("https://api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc={fmspc}&update={update}"); let body: String = reqwest::get(url) .await .expect("url retrieval failed") .text() .await .expect("could not read https response"); body } async fn get_fmspc_list() -> Vec { let body: String = reqwest::get("https://api.trustedservices.intel.com/sgx/certification/v4/fmspcs") .await .expect("url retrieval failed") .text() .await .expect("could not read https response"); let fmspc_data: Vec = serde_json::from_str(&body).expect("could not convert to JSON"); let mut fmspc_list: Vec = Vec::new(); for item in fmspc_data.iter() { let fmspc: String = format!("{}", item["fmspc"]); fmspc_list.push(strip_dquotes(&fmspc).unwrap().to_string()); } println!("{:?}", fmspc_list); fmspc_list } async fn upsert_tcbinfo() -> Result<(), &'static str> { let mut store: HashMap = if Path::new("./standard").exists() { let data = fs::read_to_string("./standard").expect("Unable to read file"); serde_json::from_str(&data).unwrap() } else { fs::File::create("./standard").expect("couldn't create file"); HashMap::new() }; let certificate = TCB_SIGNER.to_string(); let parsed_certificate = Certificate::from_pem(certificate.clone()).expect("failed to parse PEM"); let fmspc_list = get_fmspc_list().await; let key = VerifyingKey::from_sec1_bytes( parsed_certificate .tbs_certificate .subject_public_key_info .subject_public_key .as_bytes() .expect("Failed to parse public key"), ) .expect("Failed to decode public key"); for fmspc in fmspc_list { let tcbinfo = get_tcbinfo(fmspc.clone(), "standard".to_string()).await; assert!(verify_signature(tcbinfo.clone(), key)); let store_entry = if store.contains_key(&fmspc) { &store[&fmspc] } else {""}; if *store_entry != tcbinfo { println!("updating local TCBInfo for FMSPC: {fmspc}"); store.insert(fmspc.clone(), tcbinfo.clone()); println!("updating on-chain TCBInfo for FMSPC: {fmspc}"); let testnet = Url::parse("https://rpc-falcron.pion-1.ntrn.tech") .expect("couldn't parse network URL"); let contract_address = "neutron1r4m59786vmxrx866585ze5ugjx9egcyja0nuxhn2y6d7ht6680sspa89zk" .parse() .expect("failed to parse contract address"); let chain_id = tendermint::chain::id::Id::try_from("pion-1").expect("invalid chain id"); let sender = "ajinkya"; let client = CliClient::neutrond(testnet); let execute_msg = ExecuteMsg { tcb_info: tcbinfo.to_string(), certificate: certificate.clone(), time: None, }; let res = client .tx_execute( &contract_address, &chain_id, 400000, &sender, json!(execute_msg), "11000untrn", ) .await; println!("done: {res:?}"); std::thread::sleep(std::time::Duration::from_secs(5)); } else { println!("TCBInfo for FMSPC: {fmspc} up to date") } } let serialized = serde_json::to_string(&store).unwrap(); fs::write("./standard", serialized).expect("Unable to write file"); Ok(()) // } // } } fn verify_signature(tcbinfo: String, key: VerifyingKey) -> bool { let signed_tcbinfo = SignedTcbInfo::try_from(tcbinfo.as_ref()).expect("tcbinfo string parsing failed"); signed_tcbinfo .verify(Some(&key), None) .expect("could not verify signature"); true } #[tokio::main] pub async fn main() { upsert_tcbinfo().await.expect("TCBInfo update failed"); }