verify_ra_cert: extracted verify_ra_report

scrtlabs · Feb 19, 2024 · ac809ac · ac809ac
1 parent 5d67634
commit ac809ac
Showing 1 changed file with 53 additions and 40 deletions.
diff --git a/cosmwasm/enclaves/execute/src/registration/cert.rs b/cosmwasm/enclaves/execute/src/registration/cert.rs
@@ -284,29 +284,11 @@ pub fn verify_ra_cert(
     Ok(pk)
 }
 
-/// # Verifies remote attestation cert
-///
-/// Logic:
-/// 1. Extract public key
-/// 2. Extract netscape comment - where the attestation report is located
-/// 3. Parse the report itself (verify it is signed by intel)
-/// 4. Extract public key from report body
-/// 5. Verify enclave signature (mr enclave/signer)
-///
-#[cfg(feature = "SGX_MODE_HW")]
-pub fn verify_ra_cert(
-    cert_der: &[u8],
+pub fn verify_ra_report(
+    report_mr_signer : [u8;32],
+    report_mr_enclave : [u8;32],
     override_verify_type: Option<SigningMethod>,
-    check_tcb_version: bool,
-) -> Result<Vec<u8>, NodeAuthResult> {
-    let report = AttestationReport::from_cert(cert_der).map_err(|_| NodeAuthResult::InvalidCert)?;
-
-    // this is a small hack - override_verify_type is only used when verifying the master certificate
-    // and in that case we don't care about checking vulns etc. Master certificate will also have
-    // a bad GID in prod, so there's no reason to verify it
-    if override_verify_type.is_none() {
-        verify_quote_status(&report, &report.advisory_ids)?;
-    }
+) -> NodeAuthResult {
 
     let signing_method: SigningMethod = match override_verify_type {
         Some(method) => method,
@@ -319,12 +301,6 @@ pub fn verify_ra_cert(
             let this_mr_enclave = get_mr_enclave();
             let this_mr_signer = MRSIGNER;
 
-            let crate::registration::report::SgxEnclaveReport {
-                mr_enclave: report_mr_enclave,
-                mr_signer: report_mr_signer,
-                ..
-            } = report.sgx_quote_body.isv_enclave_report;
-
             if report_mr_enclave != this_mr_enclave || report_mr_signer != this_mr_signer {
                 error!(
                     "Got a different mr_enclave or mr_signer than expected. Invalid certificate"
@@ -337,30 +313,67 @@ pub fn verify_ra_cert(
                     "mr_signer: received: {:?} \n expected: {:?}",
                     report_mr_signer, this_mr_signer
                 );
-                return Err(NodeAuthResult::MrEnclaveMismatch);
-            }
-
-            if check_tcb_version {
-                // todo: change this to a parameters or const when we migrate the code to main
-                if report.tcb_eval_data_number < 16 {
-                    info!("Got an outdated certificate");
-                    return Err(NodeAuthResult::GroupOutOfDate);
-                }
+                return NodeAuthResult::MrEnclaveMismatch;
             }
         }
         SigningMethod::MRSIGNER => {
-            if report.sgx_quote_body.isv_enclave_report.mr_signer != MRSIGNER {
+            if report_mr_signer != MRSIGNER {
                 error!("Got a different mrsigner than expected. Invalid certificate");
                 warn!(
                     "received: {:?} \n expected: {:?}",
-                    report.sgx_quote_body.isv_enclave_report.mr_signer, MRSIGNER
+                    report_mr_signer, MRSIGNER
                 );
-                return Err(NodeAuthResult::MrSignerMismatch);
+                return NodeAuthResult::MrSignerMismatch;
             }
         }
         SigningMethod::NONE => {}
     }
 
+    NodeAuthResult::Success
+}
+
+
+/// # Verifies remote attestation cert
+///
+/// Logic:
+/// 1. Extract public key
+/// 2. Extract netscape comment - where the attestation report is located
+/// 3. Parse the report itself (verify it is signed by intel)
+/// 4. Extract public key from report body
+/// 5. Verify enclave signature (mr enclave/signer)
+///
+#[cfg(feature = "SGX_MODE_HW")]
+pub fn verify_ra_cert(
+    cert_der: &[u8],
+    override_verify_type: Option<SigningMethod>,
+    check_tcb_version: bool,
+) -> Result<Vec<u8>, NodeAuthResult> {
+    let report = AttestationReport::from_cert(cert_der).map_err(|_| NodeAuthResult::InvalidCert)?;
+
+    // this is a small hack - override_verify_type is only used when verifying the master certificate
+    // and in that case we don't care about checking vulns etc. Master certificate will also have
+    // a bad GID in prod, so there's no reason to verify it
+    if override_verify_type.is_none() {
+        verify_quote_status(&report, &report.advisory_ids)?;
+    }
+
+    let res = verify_ra_report(
+        report.sgx_quote_body.isv_enclave_report.mr_signer,
+        report.sgx_quote_body.isv_enclave_report.mr_enclave,
+        override_verify_type);
+
+    if res != NodeAuthResult::Success {
+        return Err(res);
+    }
+
+    if check_tcb_version {
+        // todo: change this to a parameters or const when we migrate the code to main
+        if report.tcb_eval_data_number < 16 {
+            info!("Got an outdated certificate");
+            return Err(NodeAuthResult::GroupOutOfDate);
+        }
+    }
+
     let report_public_key = report.sgx_quote_body.isv_enclave_report.report_data[0..32].to_vec();
     Ok(report_public_key)
 }