fix functions and docs

Signed-off-by: Jun Kimura <jun.kimura@datachain.jp>

Author: bluele

crates/quote-verifier/src/lib.rs

@@ -24,9 +24,9 @@ mod quote_verifier_tests {
     use crate::cert::verify_crl_signature;
     use crate::collaterals::IntelCollateral;
     use crate::crypto::keccak256sum;
-    use crate::quotes::{version_3::verify_quote_dcapv3, version_4::verify_quote_dcapv4};
+    use crate::quotes::{version_3::verify_quote_v3, version_4::verify_quote_v4};
     use crate::tcbinfo::validate_tcbinfov3;
-    use crate::verifier::VerifiedOutput;
+    use crate::verifier::QuoteVerificationOutput;
     use dcap_types::quotes::{version_3::QuoteV3, version_4::QuoteV4};
     use dcap_types::tcbinfo::TcbInfoV3;
     use dcap_types::utils::{parse_crl_der, parse_pem, parse_x509_der, pem_to_der};
@@ -96,7 +96,7 @@ mod quote_verifier_tests {
         let res = QuoteV3::from_bytes(&dcap_quote_bytes);
         assert!(res.is_ok(), "failed to parse quotev3: {:?}", res.err());
         let dcap_quote = res.unwrap();
-        let res = verify_quote_dcapv3(&dcap_quote, &collaterals, 1737458686);
+        let res = verify_quote_v3(&dcap_quote, &collaterals, 1737458686);
         assert!(res.is_ok(), "verification failed: {:?}", res.err());
         let verified_output = res.unwrap();
         assert_eq!(verified_output.quote_version, 3);
@@ -124,7 +124,7 @@ mod quote_verifier_tests {
             "invalid `not_after_min`"
         );
         let bz = verified_output.to_bytes();
-        let res = VerifiedOutput::from_bytes(&bz);
+        let res = QuoteVerificationOutput::from_bytes(&bz);
         assert!(
             res.is_ok(),
             "failed to parse verified output: {:?}",
@@ -154,12 +154,12 @@ mod quote_verifier_tests {
         assert!(res.is_ok(), "failed to parse quotev4: {:?}", res.err());
         let dcap_quote = res.unwrap();
 
-        let res = verify_quote_dcapv4(&dcap_quote, &collaterals, 1737467060);
+        let res = verify_quote_v4(&dcap_quote, &collaterals, 1737467060);
         assert!(res.is_ok(), "verification failed: {:?}", res.err());
         let verified_output = res.unwrap();
         assert_eq!(verified_output.tcb_status, Status::TcbOutOfDate);
         let bz = verified_output.to_bytes();
-        let res = VerifiedOutput::from_bytes(&bz);
+        let res = QuoteVerificationOutput::from_bytes(&bz);
         assert!(
             res.is_ok(),
             "failed to parse verified output: {:?}",

crates/quote-verifier/src/quotes/mod.rs

@@ -29,13 +29,13 @@ use x509_parser::certificate::X509Certificate;
 
 /// The TCB info of the QE
 #[derive(Debug, Clone, PartialEq, Eq)]
-pub struct QETCB {
+pub struct QeTcb {
     pub tcb_evaluation_data_number: u32,
     pub tcb_status: EnclaveIdentityV2TcbStatus,
     pub advisory_ids: Vec<String>,
 }
 
-/// common_verify_and_fetch_tcb is a common function that verifies the quote and fetches the TCB info
+/// Verify the quote and return the TCB info of the QE, SGX extensions from the PCK leaf certificate, TCB info of the platform, and the validity intersection of all collaterals
 ///
 /// # Arguments
 ///
@@ -53,12 +53,12 @@ pub struct QETCB {
 /// # Returns
 ///
 /// * A tuple containing:
-/// * The TCB status of the QE
+/// * The TCB info of the QE
 /// * The SGX extensions from the PCK leaf certificate
-/// * The TCB info
+/// * The TCB info of the platform
 /// * The validity intersection of all collaterals
 #[allow(clippy::too_many_arguments)]
-fn common_verify_and_fetch_tcb(
+fn verify_quote_common(
     quote_header: &QuoteHeader,
     quote_body: &QuoteBody,
     ecdsa_attestation_signature: &[u8; 64],
@@ -69,7 +69,7 @@ fn common_verify_and_fetch_tcb(
     qe_cert_data: &CertData,
     collaterals: &IntelCollateral,
     current_time: u64,
-) -> Result<(QETCB, SgxExtensions, TcbInfo, ValidityIntersection)> {
+) -> Result<(QeTcb, SgxExtensions, TcbInfo, ValidityIntersection)> {
     // get the certchain embedded in the ecda quote signature data
     // this can be one of 5 types, and we only support type 5
     // https://github.com/intel/SGXDataCenterAttestationPrimitives/blob/aa239d25a437a28f3f4de92c38f5b6809faac842/QuoteGeneration/quote_wrapper/common/inc/sgx_quote_3.h#L63C4-L63C112
@@ -163,6 +163,12 @@ fn common_verify_and_fetch_tcb(
 
     if !validity.validate() {
         bail!("Validity intersection provided from collaterals is invalid");
+    } else if !validity.validate_time(current_time) {
+        bail!(
+            "certificates are expired: validity={} current_time={}",
+            validity,
+            current_time
+        );
     }
 
     Ok((qe_tcb, pck_cert_sgx_extensions, tcb_info, validity))
@@ -194,7 +200,7 @@ fn verify_qe_report(
     qeidentityv2: &EnclaveIdentityV2,
     pck_leaf_cert: &X509Certificate,
     qe_report_signature: &[u8; 64],
-) -> Result<QETCB> {
+) -> Result<QeTcb> {
     // validate QEReport then get TCB Status
     if !validate_qe_report_data(
         &qe_report.report_data,
@@ -219,7 +225,7 @@ fn verify_qe_report(
     let (tcb_status, advisory_ids) =
         get_qe_tcbstatus(qe_report.isv_svn, &qeidentityv2.enclave_identity.tcb_levels)?;
 
-    Ok(QETCB {
+    Ok(QeTcb {
         tcb_evaluation_data_number: qeidentityv2.enclave_identity.tcb_evaluation_data_number,
         tcb_status,
         advisory_ids,
@@ -234,8 +240,7 @@ fn verify_quote_attestation(
     ecdsa_attestation_signature: &[u8; 64],
 ) -> Result<()> {
     // verify the signature for attestation body
-    let mut data = Vec::new();
-    data.extend_from_slice(&quote_header.to_bytes());
+    let mut data = quote_header.to_bytes().to_vec();
     match quote_body {
         QuoteBody::SGXQuoteBody(body) => data.extend_from_slice(&body.to_bytes()),
         QuoteBody::TD10QuoteBody(body) => data.extend_from_slice(&body.to_bytes()),

crates/quote-verifier/src/quotes/version_3.rs

@@ -1,29 +1,33 @@
-use super::{
-    check_quote_header, common_verify_and_fetch_tcb, converge_tcb_status_with_qe_tcb, Result,
-};
+use super::{check_quote_header, converge_tcb_status_with_qe_tcb, verify_quote_common, Result};
 use crate::{
     cert::{get_sgx_tdx_fmspc_tcbstatus_v3, merge_advisory_ids},
     collaterals::IntelCollateral,
     crypto::keccak256sum,
-    verifier::VerifiedOutput,
+    verifier::QuoteVerificationOutput,
     VERIFIER_VERSION,
 };
-use anyhow::{bail, Context};
+use anyhow::Context;
 use core::cmp::min;
 use dcap_types::{
     quotes::{body::QuoteBody, version_3::QuoteV3},
     tcbinfo::TcbInfo,
 };
 
-pub fn verify_quote_dcapv3(
+/// Verify the given DCAP quote v3 and return the verification output.
+///
+/// # Arguments
+/// - `quote`: The quote to be verified
+/// - `collateral`: The collateral data to be used for verification
+/// - `current_time`: The current time in seconds since the Unix epoch
+pub fn verify_quote_v3(
     quote: &QuoteV3,
-    collaterals: &IntelCollateral,
+    collateral: &IntelCollateral,
     current_time: u64,
-) -> Result<VerifiedOutput> {
+) -> Result<QuoteVerificationOutput> {
     check_quote_header(&quote.header, 3).context("invalid quote header")?;
 
     let quote_body = QuoteBody::SGXQuoteBody(quote.isv_enclave_report);
-    let (qe_status, sgx_extensions, tcb_info, validity) = common_verify_and_fetch_tcb(
+    let (qe_status, sgx_extensions, tcb_info, validity) = verify_quote_common(
         &quote.header,
         &quote_body,
         &quote.signature.isv_enclave_report_signature,
@@ -32,21 +36,14 @@ pub fn verify_quote_dcapv3(
         &quote.signature.qe_report_signature,
         &quote.signature.qe_auth_data.data,
         &quote.signature.qe_cert_data,
-        collaterals,
+        collateral,
         current_time,
     )?;
-    if !validity.validate_time(current_time) {
-        bail!(
-            "certificates are expired: validity={} current_time={}",
-            validity,
-            current_time
-        );
-    }
     let TcbInfo::V3(tcb_info_v3) = tcb_info;
     let (tcb_status, _, tcb_advisory_ids) =
         get_sgx_tdx_fmspc_tcbstatus_v3(quote.header.tee_type, None, &sgx_extensions, &tcb_info_v3)?;
 
-    Ok(VerifiedOutput {
+    Ok(QuoteVerificationOutput {
         version: VERIFIER_VERSION,
         quote_version: quote.header.version,
         tee_type: quote.header.tee_type,
@@ -56,7 +53,7 @@ pub fn verify_quote_dcapv3(
             tcb_info_v3.tcb_info.tcb_evaluation_data_number,
         ),
         fmspc: sgx_extensions.fmspc,
-        sgx_intel_root_ca_hash: keccak256sum(collaterals.sgx_intel_root_ca_der.as_ref()),
+        sgx_intel_root_ca_hash: keccak256sum(collateral.sgx_intel_root_ca_der.as_ref()),
         validity,
         quote_body,
         advisory_ids: merge_advisory_ids(tcb_advisory_ids, qe_status.advisory_ids),
@@ -176,7 +173,7 @@ mod tests {
         };
 
         let current_time = 1730000000;
-        let res = verify_quote_dcapv3(&quote, &collateral, current_time);
+        let res = verify_quote_v3(&quote, &collateral, current_time);
         assert!(res.is_ok(), "{:?}", res);
         let output = res.unwrap();
         assert_eq!(output.min_tcb_evaluation_data_number, 1);

crates/quote-verifier/src/quotes/version_4.rs

@@ -1,12 +1,10 @@
-use super::{
-    check_quote_header, common_verify_and_fetch_tcb, converge_tcb_status_with_qe_tcb, Result,
-};
+use super::{check_quote_header, converge_tcb_status_with_qe_tcb, verify_quote_common, Result};
 use crate::{
     cert::{get_sgx_tdx_fmspc_tcbstatus_v3, merge_advisory_ids},
     collaterals::IntelCollateral,
     crypto::sha256sum,
     tdx_module::{converge_tcb_status_with_tdx_module_tcb, get_tdx_module_identity_and_tcb},
-    verifier::VerifiedOutput,
+    verifier::QuoteVerificationOutput,
     VERIFIER_VERSION,
 };
 use anyhow::{bail, Context};
@@ -17,11 +15,17 @@ use dcap_types::{
     TcbInfoV3TcbStatus, TdxModuleTcbValidationStatus, SGX_TEE_TYPE,
 };
 
-pub fn verify_quote_dcapv4(
+/// Verify the given DCAP quote v4 and return the verification output.
+///
+/// # Arguments
+/// - `quote`: The quote to be verified
+/// - `collaterals`: The collateral data to be used for verification
+/// - `current_time`: The current time in seconds since the Unix epoch
+pub fn verify_quote_v4(
     quote: &QuoteV4,
     collaterals: &IntelCollateral,
     current_time: u64,
-) -> Result<VerifiedOutput> {
+) -> Result<QuoteVerificationOutput> {
     check_quote_header(&quote.header, 4).context("invalid quote header")?;
 
     // we'll now proceed to verify the qe
@@ -39,7 +43,7 @@ pub fn verify_quote_dcapv4(
         );
     };
 
-    let (qe_tcb, sgx_extensions, tcb_info, validity) = common_verify_and_fetch_tcb(
+    let (qe_tcb, sgx_extensions, tcb_info, validity) = verify_quote_common(
         &quote.header,
         &quote.quote_body,
         &quote.signature.quote_signature,
@@ -52,13 +56,6 @@ pub fn verify_quote_dcapv4(
         current_time,
     )?;
 
-    if !validity.validate_time(current_time) {
-        bail!(
-            "certificates are expired: validity={} current_time={}",
-            validity,
-            current_time
-        );
-    }
     let TcbInfo::V3(tcb_info_v3) = tcb_info;
     let (quote_tdx_body, tee_tcb_svn) = if let QuoteBody::TD10QuoteBody(body) = &quote.quote_body {
         (Some(body), body.tee_tcb_svn)
@@ -112,7 +109,7 @@ pub fn verify_quote_dcapv4(
         advisory_ids = merge_advisory_ids(advisory_ids, tdx_module_advisory_ids);
     }
 
-    Ok(VerifiedOutput {
+    Ok(QuoteVerificationOutput {
         version: VERIFIER_VERSION,
         quote_version: quote.header.version,
         tee_type: quote.header.tee_type,

crates/quote-verifier/src/verifier.rs

@@ -101,9 +101,9 @@ impl TryFrom<&Validity> for ValidityIntersection {
     }
 }
 
-/// VerifiedOutput is the output of the dcap quote verifier.
+/// QuoteVerificationOutput is the output of the quote verification process.
 #[derive(Debug, Clone, PartialEq, Eq)]
-pub struct VerifiedOutput {
+pub struct QuoteVerificationOutput {
     /// verifier version
     /// length: 2 bytes
     pub version: u16,
@@ -136,11 +136,13 @@ pub struct VerifiedOutput {
     pub advisory_ids: Vec<String>,
 }
 
-impl VerifiedOutput {
+impl QuoteVerificationOutput {
+    /// Calculate the hash of the verification output.
     pub fn hash(&self) -> [u8; 32] {
         keccak256sum(&self.to_bytes())
     }
 
+    /// Serialize the verification output to bytes.
     pub fn to_bytes(&self) -> Vec<u8> {
         let mut output_vec = Vec::new();
 
@@ -168,7 +170,8 @@ impl VerifiedOutput {
         output_vec
     }
 
-    pub fn from_bytes(slice: &[u8]) -> Result<VerifiedOutput> {
+    /// Deserialize the verification output from bytes.
+    pub fn from_bytes(slice: &[u8]) -> Result<QuoteVerificationOutput> {
         let mut version = [0; 2];
         version.copy_from_slice(&slice[0..2]);
         let version = u16::from_be_bytes(version);
@@ -215,7 +218,7 @@ impl VerifiedOutput {
 
         let advisory_ids = <Vec<String>>::abi_decode(&slice[advisory_ids_offset..], true)?;
 
-        Ok(VerifiedOutput {
+        Ok(QuoteVerificationOutput {
             version,
             quote_version: u16::from_be_bytes(quote_version),
             tee_type: u32::from_be_bytes(tee_type),

zkvm/risc0/artifacts/dcap-quote-verifier

@@ -1,6 +1,6 @@
 use dcap_quote_verifier::collaterals::IntelCollateral;
 use dcap_quote_verifier::types::quotes::version_3::QuoteV3;
-use dcap_quote_verifier::quotes::version_3::verify_quote_dcapv3;
+use dcap_quote_verifier::quotes::version_3::verify_quote_v3;
 use risc0_zkvm::guest::env;
 
 fn main() {
@@ -10,7 +10,7 @@ fn main() {
     let collaterals = IntelCollateral::from_bytes(&collaterals).unwrap();
 
     env::commit_slice(
-        verify_quote_dcapv3(&quote, &collaterals, current_time)
+        verify_quote_v3(&quote, &collaterals, current_time)
             .unwrap()
             .to_bytes()
             .as_slice(),

zkvm/risc0/guest/src/bin/main.rs

@@ -6,7 +6,7 @@ pub use methods::*;
 #[cfg(test)]
 mod tests {
     use super::*;
-    use dcap_quote_verifier::verifier::VerifiedOutput;
+    use dcap_quote_verifier::verifier::QuoteVerificationOutput;
     use risc0_zkvm::{ExecutorEnv, LocalProver, Prover, ProverOpts, VerifierContext};
 
     #[test]
@@ -33,7 +33,7 @@ mod tests {
         let res = res.unwrap();
         println!("proving stats: {:?}", res.stats);
 
-        let res = VerifiedOutput::from_bytes(&res.receipt.journal.bytes);
+        let res = QuoteVerificationOutput::from_bytes(&res.receipt.journal.bytes);
         assert!(res.is_ok(), "Verifier failed: {:?}", res.err().unwrap());
         println!("verifier output: {:?}", res.unwrap());
     }

zkvm/risc0/src/lib.rs

@@ -1,4 +1,4 @@
 
-pub const DCAP_QUOTE_VERIFIER_ID: [u32; 8] = [927428042, 1559589155, 2728204900, 3879470470, 2705950934, 683452413, 3440644992, 2443300394];
-pub const DCAP_QUOTE_VERIFIER_ID_STR: &str = "ca6d47372371f55c641a9da286053ce7d68849a1fda7bc28801314cd2acea191";
+pub const DCAP_QUOTE_VERIFIER_ID: [u32; 8] = [1431900809, 3770780031, 3053255185, 442616749, 2525666630, 3278113115, 2914535527, 4088667128];
+pub const DCAP_QUOTE_VERIFIER_ID_STR: &str = "891259557f89c1e011fafcb5adcb611a469d8a965b0964c36748b8adf81bb4f3";
 pub const DCAP_QUOTE_VERIFIER_ELF: &[u8] = include_bytes!("../artifacts/dcap-quote-verifier");