mssun commented on a change in pull request #198: Refactor remote attestation
code
URL: https://github.com/apache/incubator-teaclave/pull/198#discussion_r361924769
##########
File path: teaclave_attestation/src/quote.rs
##########
@@ -228,136 +232,139 @@ pub struct SgxQuote {
pub body: SgxQuoteBody,
}
-pub(crate) fn extract_sgx_quote_from_mra_cert(
- cert_der: &[u8],
-) -> Result<SgxQuote, CertVerificationError> {
- // Before we reach here, Webpki already verifed the cert is properly signed
- use super::cert::*;
-
- let x509 = yasna::parse_der(cert_der, |reader| X509::load(reader))
- .map_err(|_| CertVerificationError::InvalidCertFormat)?;
-
- let tbs_cert: <TbsCert as Asn1Ty>::ValueTy = x509.0;
-
- let pub_key: <PubKey as Asn1Ty>::ValueTy =
((((((tbs_cert.1).1).1).1).1).1).0;
- let pub_k = (pub_key.1).0;
+impl SgxQuote {
+ pub fn extract_from_cert(cert_der: &[u8], ias_report_ca_cert: &[u8]) ->
Result<SgxQuote> {
+ // Before we reach here, Webpki already verifed the cert is properly
signed
+ use super::cert::*;
+
+ let x509 = yasna::parse_der(cert_der, |reader| X509::load(reader))
+ .map_err(|_| CertVerificationError::InvalidCertFormat)?;
+
+ let tbs_cert: <TbsCert as Asn1Ty>::ValueTy = x509.0;
+
+ let pub_key: <PubKey as Asn1Ty>::ValueTy =
((((((tbs_cert.1).1).1).1).1).1).0;
+ let pub_k = (pub_key.1).0;
+
+ let sgx_ra_cert_ext: <SgxRaCertExt as Asn1Ty>::ValueTy =
+ (((((((tbs_cert.1).1).1).1).1).1).1).0;
+
+ let payload: Vec<u8> = ((sgx_ra_cert_ext.0).1).0;
+
+ // Extract each field
+ let mut iter = payload.split(|x| *x == 0x7C);
+ let attn_report_raw = iter
+ .next()
+ .ok_or_else(||
Error::new(CertVerificationError::InvalidCertFormat))?;
+ let sig_raw = iter
+ .next()
+ .ok_or_else(||
Error::new(CertVerificationError::InvalidCertFormat))?;
+ let sig = base64::decode(&sig_raw)?;
+ let sig_cert_raw = iter
+ .next()
+ .ok_or_else(||
Error::new(CertVerificationError::InvalidCertFormat))?;
+ let sig_cert_dec = base64::decode_config(&sig_cert_raw,
base64::STANDARD)?;
+
+ let sig_cert = webpki::EndEntityCert::from(&sig_cert_dec)
+ .map_err(|_| CertVerificationError::InvalidCertFormat)?;
+
+ // Verify if the signing cert is issued by Intel CA
+ let mut ias_ca_stripped = ias_report_ca_cert.to_vec();
+ ias_ca_stripped.retain(|&x| x != 0x0d && x != 0x0a);
+ let head_len = "-----BEGIN CERTIFICATE-----".len();
+ let tail_len = "-----END CERTIFICATE-----".len();
+ let full_len = ias_ca_stripped.len();
+ let ias_ca_core: &[u8] = &ias_ca_stripped[head_len..full_len -
tail_len];
+ let ias_cert_dec = base64::decode_config(ias_ca_core, base64::STANDARD)
+ .map_err(|_| CertVerificationError::InvalidCertFormat)?;
+
+ let mut ca_reader = BufReader::new(&ias_report_ca_cert[..]);
+
+ let mut root_store = rustls::RootCertStore::empty();
+ root_store
+ .add_pem_file(&mut ca_reader)
+ .expect("Failed to add CA");
+
+ let trust_anchors: Vec<webpki::TrustAnchor> = root_store
+ .roots
+ .iter()
+ .map(|cert| cert.to_trust_anchor())
+ .collect();
+
+ let chain: Vec<&[u8]> = vec![&ias_cert_dec];
+
+ let now_func = webpki::Time::try_from(SystemTime::now())
+ .map_err(|_| CertVerificationError::WebpkiFailure)?;
+
+ sig_cert
+ .verify_is_valid_tls_server_cert(
+ SUPPORTED_SIG_ALGS,
+ &webpki::TLSServerTrustAnchors(&trust_anchors),
+ &chain,
+ now_func,
+ )
+ .map_err(|_| CertVerificationError::WebpkiFailure)?;
+
+ // Verify the signature against the signing cert
+ sig_cert
+ .verify_signature(&webpki::RSA_PKCS1_2048_8192_SHA256,
&attn_report_raw, &sig)
+ .map_err(|_| CertVerificationError::WebpkiFailure)?;
+
+ // Verify attestation report
+ let attn_report: Value = serde_json::from_slice(attn_report_raw)
+ .map_err(|_| CertVerificationError::BadAttnReport)?;
+
+ // 1. Check timestamp is within 24H (90day is recommended by Intel)
+ let quote_freshness = {
+ let time = attn_report["timestamp"]
+ .as_str()
+ .ok_or_else(||
Error::new(CertVerificationError::BadAttnReport))?;
+ let time_fixed = String::from(time) + "+0000";
+ let date_time = DateTime::parse_from_str(&time_fixed,
"%Y-%m-%dT%H:%M:%S%.f%z")?;
+ let ts = date_time.naive_utc();
+ let now =
DateTime::<chrono::offset::Utc>::from(SystemTime::now()).naive_utc();
+ u64::try_from((now - ts).num_seconds())?
+ };
- let sgx_ra_cert_ext: <SgxRaCertExt as Asn1Ty>::ValueTy =
(((((((tbs_cert.1).1).1).1).1).1).1).0;
+ // 2. Get quote status
+ let quote_status = {
+ let status_string = attn_report["isvEnclaveQuoteStatus"]
+ .as_str()
+ .ok_or_else(||
Error::new(CertVerificationError::BadAttnReport))?;
- let payload: Vec<u8> = ((sgx_ra_cert_ext.0).1).0;
+ SgxQuoteStatus::from(status_string)
+ };
- use crate::rpc::sgx::fail::MayfailTrace;
+ // 3. Get quote body
+ let quote_body = {
+ let quote_encoded = attn_report["isvEnclaveQuoteBody"]
+ .as_str()
+ .ok_or_else(||
Error::new(CertVerificationError::BadAttnReport))?;
+ let quote_raw = base64::decode(&(quote_encoded.as_bytes()))?;
+ SgxQuoteBody::parse_from(quote_raw.as_slice())
+ .ok_or_else(||
Error::new(CertVerificationError::BadAttnReport))?
+ };
- // Extract each field
- let mut iter = payload.split(|x| *x == 0x7C);
- let (attn_report_raw, sig, sig_cert_dec) = mayfail! {
- attn_report_raw =<< iter.next();
- sig_raw =<< iter.next();
- sig =<< base64::decode(&sig_raw);
- sig_cert_raw =<< iter.next();
- sig_cert_dec =<< base64::decode_config(&sig_cert_raw,
base64::STANDARD);
- ret (attn_report_raw, sig, sig_cert_dec)
- }
- .map_err(|_| CertVerificationError::InvalidCertFormat)?;
-
- let sig_cert = webpki::EndEntityCert::from(&sig_cert_dec)
- .map_err(|_| CertVerificationError::InvalidCertFormat)?;
-
- // Verify if the signing cert is issued by Intel CA
- let ias_report_ca = BUILD_CONFIG.ias_root_ca_cert;
- let mut ias_ca_stripped = ias_report_ca.to_vec();
- ias_ca_stripped.retain(|&x| x != 0x0d && x != 0x0a);
- let head_len = "-----BEGIN CERTIFICATE-----".len();
- let tail_len = "-----END CERTIFICATE-----".len();
- let full_len = ias_ca_stripped.len();
- let ias_ca_core: &[u8] = &ias_ca_stripped[head_len..full_len - tail_len];
- let ias_cert_dec = base64::decode_config(ias_ca_core, base64::STANDARD)
- .map_err(|_| CertVerificationError::InvalidCertFormat)?;
-
- let mut ca_reader = BufReader::new(&ias_report_ca[..]);
-
- let mut root_store = rustls::RootCertStore::empty();
- root_store
- .add_pem_file(&mut ca_reader)
- .expect("Failed to add CA");
-
- let trust_anchors: Vec<webpki::TrustAnchor> = root_store
- .roots
- .iter()
- .map(|cert| cert.to_trust_anchor())
- .collect();
-
- let chain: Vec<&[u8]> = vec![&ias_cert_dec];
-
- let now_func = webpki::Time::try_from(SystemTime::now())
- .map_err(|_| CertVerificationError::WebpkiFailure)?;
-
- sig_cert
- .verify_is_valid_tls_server_cert(
- SUPPORTED_SIG_ALGS,
- &webpki::TLSServerTrustAnchors(&trust_anchors),
- &chain,
- now_func,
- )
- .map_err(|_| CertVerificationError::WebpkiFailure)?;
-
- // Verify the signature against the signing cert
- sig_cert
- .verify_signature(&webpki::RSA_PKCS1_2048_8192_SHA256,
&attn_report_raw, &sig)
- .map_err(|_| CertVerificationError::WebpkiFailure)?;
-
- // Verify attestation report
- let attn_report: Value = serde_json::from_slice(attn_report_raw)
- .map_err(|_| CertVerificationError::BadAttnReport)?;
-
- // 1. Check timestamp is within 24H (90day is recommended by Intel)
- let quote_freshness = mayfail! {
- time =<< attn_report["timestamp"].as_str();
- let time_fixed = String::from(time) + "+0000";
- date_time =<< DateTime::parse_from_str(&time_fixed,
"%Y-%m-%dT%H:%M:%S%.f%z");
- let ts = date_time.naive_utc();
- let now =
DateTime::<chrono::offset::Utc>::from(SystemTime::now()).naive_utc();
- secs =<< u64::try_from((now - ts).num_seconds());
- ret secs
- }
- .map_err(|_| CertVerificationError::BadAttnReport)?;
+ let raw_pub_k = pub_k.to_bytes();
Review comment:
Ok, this can be done in the next round of polishing. Let me first move to
RPC and come back later.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
