address comments
joyqvq committed Dec 17, 2024
1 parent 8110d80 commit 8a3d511
Showing 3 changed files with 36 additions and 48 deletions.
4 changes: 1 addition & 3 deletions crates/sui-types/benches/nitro_attestation_bench.rs
Expand Up @@ -23,9 +23,7 @@ fn nitro_attestation_benchmark(c: &mut Criterion) {
attestation_verify_inner(
&attestation_data,
&public_key,
&pcr0,
&pcr1,
&pcr2,
&[&pcr0, &pcr1, &pcr2],
timestamp,
)
})
40 changes: 14 additions & 26 deletions crates/sui-types/src/nitro_attestation.rs
Expand Up @@ -66,20 +66,15 @@ impl From<NitroError> for SuiError {
pub fn attestation_verify_inner(
attestation_bytes: &[u8],
enclave_vk: &[u8],
pcr0: &[u8],
pcr1: &[u8],
pcr2: &[u8],
pcrs: &[&[u8]],
timestamp: u64,
) -> SuiResult<()> {
// Parse attestation into a valid cose sign1 object with valid header.
let cose_sign1 = CoseSign1::parse_and_validate(attestation_bytes)?;

// Parse attestation document payload and verify cert against AWS root of trust.
let doc = AttestationDocument::parse_and_validate_payload(
&cose_sign1.payload,
timestamp,
&[pcr0, pcr1, pcr2],
)?;
let doc =
AttestationDocument::parse_and_validate_payload(&cose_sign1.payload, timestamp, pcrs)?;

// Extract public key from cert and signature as P384.
let signature = Signature::from_slice(&cose_sign1.signature).expect("Invalid signature");
Expand All @@ -95,7 +90,7 @@ pub fn attestation_verify_inner(

// Verify the signature against the public key and the canonical message.
verifying_key
.verify(&cose_sign1.to_canonical(), &signature)
.verify(&cose_sign1.to_signed_message(), &signature)
.map_err(|_| NitroError::InvalidSignature)?;

// Verify the user data equals to the enclave public key.
Expand All @@ -105,7 +100,7 @@ pub fn attestation_verify_inner(
}

// Verify the pcrs.
doc.validate_pcrs(&[pcr0, pcr1, pcr2])
doc.validate_pcrs(pcrs)
.map_err(|_| NitroError::InvalidPcrs)?;
Ok(())
}
Expand Down Expand Up @@ -285,14 +280,10 @@ impl CoseSign1 {

/// Validate protected header, payload and signature length.
pub fn validate_header(&self) -> Result<(), NitroError> {
let is_valid = {
let mut is_valid = true;
is_valid &= Self::is_valid_protected_header(self.protected.as_slice());
is_valid &= (1..16384).contains(&self.payload.len());
is_valid &= self.signature.len() == 96;
is_valid
};
if !is_valid {
if !(Self::is_valid_protected_header(self.protected.as_slice())
&& (1..16384).contains(&self.payload.len())
&& self.signature.len() == 96)
{
return Err(NitroError::InvalidCoseSign1(
"invalid cbor header".to_string(),
));
Expand All @@ -313,16 +304,15 @@ impl CoseSign1 {
let value: Value = ciborium::de::from_reader(bytes).expect("valid cbor");
match value {
Value::Map(vec) => match &vec[..] {
[(Value::Integer(key), Value::Integer(val))] => {
key == &expected_key && val == &expected_val
}
[(Value::Integer(expected_key), Value::Integer(expected_val))] => true,
_ => false,
},
_ => false,
}
}

fn to_canonical(&self) -> Vec<u8> {
/// This is the content that the signature is committed over.
fn to_signed_message(&self) -> Vec<u8> {
let value = Value::Array(vec![
Value::Text("Signature1".to_string()),
Value::Bytes(self.protected.as_slice().to_vec()),
Expand Down Expand Up @@ -540,11 +530,9 @@ impl AttestationDocument {
Ok(())
}

/// Validate the PCRs against the expected PCRs. todo: add docs
/// Validate the PCRs against the expected PCRs.
fn validate_pcrs(&self, expected_pcrs: &[&[u8]]) -> Result<(), NitroError> {
// only pcr0, pcr1, pcr2 are checked
assert!(expected_pcrs.len() == 3);
for (i, expected_pcr) in expected_pcrs.iter().enumerate().take(3) {
for (i, expected_pcr) in expected_pcrs.iter().enumerate() {
if self.pcrs[i] != *expected_pcr {
return Err(NitroError::InvalidPcrs);
}
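Review bot: The rewritten arm in is_valid_protected_header, `[(Value::Integer(expected_key), Value::Integer(expected_val))] => true,`, no longer compares anything against the expected values: identifiers inside a pattern introduce fresh bindings that shadow the outer `expected_key`/`expected_val`, so any single-entry map of integer key to integer value is now accepted as a valid protected header (rustc should also warn that both bindings are unused). The comparison belongs in a match guard: `[(Value::Integer(key), Value::Integer(val))] if key == &expected_key && val == &expected_val => true,`. The function's signature, where `expected_key` and `expected_val` are presumably defined, is outside the hunk. Separately, in the validate_pcrs hunk the removed length assertion means an empty `expected_pcrs` now succeeds without checking any PCR and a slice longer than `self.pcrs` would index out of bounds; a guard such as `if expected_pcrs.is_empty() || expected_pcrs.len() > self.pcrs.len() { return Err(NitroError::InvalidPcrs); }` (assuming `self.pcrs` is an indexable collection exposing `len`) would keep the old guarantee.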