datachainlab
diff --git a/‎crates/collaterals/src/certs.rs‎
Lines changed: 34 additions & 16 deletions b/‎crates/collaterals/src/certs.rs‎
Lines changed: 34 additions & 16 deletions
diff --git a/‎crates/collaterals/src/tcb_info.rs‎
Lines changed: 175 additions & 1 deletion b/‎crates/collaterals/src/tcb_info.rs‎
Lines changed: 175 additions & 1 deletion
diff --git a/‎crates/pcs/src/client.rs‎
Lines changed: 10 additions & 11 deletions b/‎crates/pcs/src/client.rs‎
Lines changed: 10 additions & 11 deletions
diff --git a/‎crates/quote-verifier/data/qv_collateral.bin‎
12.1 KB b/‎crates/quote-verifier/data/qv_collateral.bin‎
12.1 KB
@@ -4,7 +4,9 @@ use crate::{
 };
 use anyhow::bail;
 use dcap_types::cert::{
-    SgxExtensions, SGX_PCK_CERT_CN, SGX_PCK_PLATFORM_CA_CN, SGX_PCK_PROCESSOR_CA_CN,
+    SgxExtensions, INTEL_SGX_COUNTRY_NAME, INTEL_SGX_LOCALITY_NAME, INTEL_SGX_ORGANIZATION_NAME,
+    INTEL_SGX_PCK_CERT_COMMON_NAME, INTEL_SGX_PCK_PLATFORM_CA_COMMON_NAME,
+    INTEL_SGX_PCK_PROCESSOR_CA_COMMON_NAME, INTEL_SGX_STATE_OR_PROVINCE_NAME,
 };
 use openssl::{
     asn1::{Asn1Integer, Asn1Object, Asn1OctetString, Asn1Time},
@@ -202,20 +204,20 @@ pub enum PckCa {
 impl PckCa {
     /// Create a PckCa from the CN of the certificate
     pub fn from_cn(cn: &str) -> Result<Self, anyhow::Error> {
-        if cn == SGX_PCK_PROCESSOR_CA_CN {
+        if cn == INTEL_SGX_PCK_PROCESSOR_CA_COMMON_NAME {
             Ok(PckCa::Processor)
-        } else if cn == SGX_PCK_PLATFORM_CA_CN {
+        } else if cn == INTEL_SGX_PCK_PLATFORM_CA_COMMON_NAME {
             Ok(PckCa::Platform)
         } else {
-            bail!("Invalid PCK CA CN: {}", cn)
+            bail!("Invalid PCK CA CN: {}", cn);
         }
     }
 
     /// Get the CN of the PckCa
     pub fn cn(&self) -> &'static str {
         match self {
-            PckCa::Processor => SGX_PCK_PROCESSOR_CA_CN,
-            PckCa::Platform => SGX_PCK_PLATFORM_CA_CN,
+            PckCa::Processor => INTEL_SGX_PCK_PROCESSOR_CA_COMMON_NAME,
+            PckCa::Platform => INTEL_SGX_PCK_PLATFORM_CA_COMMON_NAME,
         }
     }
 
@@ -255,11 +257,11 @@ pub fn gen_pck_cert_ca(
     builder.append_extension(
         KeyUsage::new()
             .critical()
-            .digital_signature()
-            .non_repudiation()
+            .key_cert_sign()
+            .crl_sign()
             .build()?,
     )?;
-    builder.append_extension(BasicConstraints::new().critical().build()?)?;
+    builder.append_extension(BasicConstraints::new().critical().ca().pathlen(0).build()?)?;
 
     let ctx = builder.x509v3_context(Some(root_cert), None);
     builder.append_extension(
@@ -298,7 +300,7 @@ pub fn gen_pck_cert(
         Asn1Integer::from_bn(BigNum::from_slice(calc_skid(pck_cert_pkey).as_slice())?.as_ref())?
             .as_ref(),
     )?;
-    builder.set_subject_name(build_x509_name(SGX_PCK_CERT_CN)?.as_ref())?;
+    builder.set_subject_name(build_x509_name(INTEL_SGX_PCK_CERT_COMMON_NAME)?.as_ref())?;
     builder.set_pubkey(pck_cert_pkey)?;
 
     builder.set_not_before(&validity.not_before())?;
@@ -460,13 +462,29 @@ impl Validity {
     }
 }
 
-fn build_x509_name(cn: &str) -> Result<X509Name, ErrorStack> {
+pub fn build_x509_name(cn: &str) -> Result<X509Name, ErrorStack> {
+    let mut builder = X509Name::builder()?;
+    builder.append_entry_by_text("CN", cn)?;
+    builder.append_entry_by_text("O", INTEL_SGX_ORGANIZATION_NAME)?;
+    builder.append_entry_by_text("L", INTEL_SGX_LOCALITY_NAME)?;
+    builder.append_entry_by_text("ST", INTEL_SGX_STATE_OR_PROVINCE_NAME)?;
+    builder.append_entry_by_text("C", INTEL_SGX_COUNTRY_NAME)?;
+    Ok(builder.build())
+}
+
+pub fn build_x509_name_with_values(
+    cn: &str,
+    o: &str,
+    l: &str,
+    st: &str,
+    c: &str,
+) -> Result<X509Name, ErrorStack> {
     let mut builder = X509Name::builder()?;
     builder.append_entry_by_text("CN", cn)?;
-    builder.append_entry_by_text("O", "Intel Corporation")?;
-    builder.append_entry_by_text("L", "Santa Clara")?;
-    builder.append_entry_by_text("ST", "CA")?;
-    builder.append_entry_by_text("C", "US")?;
+    builder.append_entry_by_text("O", o)?;
+    builder.append_entry_by_text("L", l)?;
+    builder.append_entry_by_text("ST", st)?;
+    builder.append_entry_by_text("C", c)?;
     Ok(builder.build())
 }
 
@@ -477,7 +495,7 @@ fn calc_skid(pubkey: &PKeyRef<Private>) -> Vec<u8> {
 }
 
 #[allow(deprecated)]
-fn gen_skid(pubkey: &PKeyRef<Private>) -> X509Extension {
+pub fn gen_skid(pubkey: &PKeyRef<Private>) -> X509Extension {
     let skid = calc_skid(pubkey);
     X509Extension::new(
         None,
 
@@ -1,6 +1,6 @@
 use dcap_types::tcb_info::{
     TcbComponent, TcbInfoV3, TcbInfoV3Inner, TcbInfoV3TcbLevel, TcbInfoV3TcbLevelItem, TdxModule,
-    TdxModuleIdentities,
+    TdxModuleIdentities, TdxModuleIdentitiesTcbLevel, TdxModuleIdentitiesTcbLevelItem,
 };
 use openssl::pkey::{PKeyRef, Private};
 
@@ -264,3 +264,177 @@ pub fn gen_tcb_components(svns: &[u8; 16]) -> [TcbComponent; 16] {
         .try_into()
         .unwrap()
 }
+
+pub struct TdxModuleBuilder {
+    pub obj: TdxModule,
+}
+
+impl TdxModuleBuilder {
+    pub fn new() -> Self {
+        Self {
+            obj: TdxModule {
+                mrsigner: hex::encode([0; 48]),
+                attributes: hex::encode([0; 8]),
+                attributes_mask: hex::encode([0; 8]),
+            },
+        }
+    }
+
+    pub fn mrsigner(self, mrsigner: [u8; 48]) -> Self {
+        Self {
+            obj: TdxModule {
+                mrsigner: hex::encode(mrsigner),
+                ..self.obj
+            },
+        }
+    }
+
+    pub fn attributes(self, attributes: [u8; 8]) -> Self {
+        Self {
+            obj: TdxModule {
+                attributes: hex::encode(attributes),
+                ..self.obj
+            },
+        }
+    }
+
+    pub fn attributes_mask(self, attributes_mask: [u8; 8]) -> Self {
+        Self {
+            obj: TdxModule {
+                attributes_mask: hex::encode(attributes_mask),
+                ..self.obj
+            },
+        }
+    }
+
+    pub fn build(self) -> TdxModule {
+        self.obj
+    }
+}
+
+pub struct TdxModuleIdentitiesBuilder {
+    pub obj: TdxModuleIdentities,
+}
+
+impl TdxModuleIdentitiesBuilder {
+    pub fn new() -> Self {
+        Self {
+            obj: TdxModuleIdentities {
+                id: "TDX_01".to_string(),
+                mrsigner: hex::encode([0; 48]),
+                attributes: hex::encode([0; 8]),
+                attributes_mask: hex::encode([0; 8]),
+                tcb_levels: vec![],
+            },
+        }
+    }
+
+    pub fn id(self, id: u8) -> Self {
+        Self {
+            obj: TdxModuleIdentities {
+                id: format!("TDX_{:02X}", id),
+                ..self.obj
+            },
+        }
+    }
+
+    pub fn mrsigner(self, mrsigner: [u8; 48]) -> Self {
+        Self {
+            obj: TdxModuleIdentities {
+                mrsigner: hex::encode(mrsigner),
+                ..self.obj
+            },
+        }
+    }
+
+    pub fn attributes(self, attributes: [u8; 8]) -> Self {
+        Self {
+            obj: TdxModuleIdentities {
+                attributes: hex::encode(attributes),
+                ..self.obj
+            },
+        }
+    }
+
+    pub fn attributes_mask(self, attributes_mask: [u8; 8]) -> Self {
+        Self {
+            obj: TdxModuleIdentities {
+                attributes_mask: hex::encode(attributes_mask),
+                ..self.obj
+            },
+        }
+    }
+
+    pub fn tcb_levels(self, tcb_levels: Vec<TdxModuleIdentitiesTcbLevelItem>) -> Self {
+        Self {
+            obj: TdxModuleIdentities {
+                tcb_levels,
+                ..self.obj
+            },
+        }
+    }
+
+    pub fn build(self) -> TdxModuleIdentities {
+        self.obj
+    }
+}
+
+pub struct TdxModuleIdentitiesTcbLevelItemBuilder {
+    pub obj: TdxModuleIdentitiesTcbLevelItem,
+}
+
+impl TdxModuleIdentitiesTcbLevelItemBuilder {
+    pub fn new() -> Self {
+        Self {
+            obj: TdxModuleIdentitiesTcbLevelItem {
+                tcb: TdxModuleIdentitiesTcbLevel::default(),
+                tcb_date: chrono::Utc::now().to_rfc3339(),
+                tcb_status: "UpToDate".to_string(),
+                advisory_ids: None,
+            },
+        }
+    }
+
+    pub fn tcb(self, tcb: TdxModuleIdentitiesTcbLevel) -> Self {
+        Self {
+            obj: TdxModuleIdentitiesTcbLevelItem { tcb, ..self.obj },
+        }
+    }
+
+    pub fn tcb_date(self, tcb_date: i64) -> Self {
+        Self {
+            obj: TdxModuleIdentitiesTcbLevelItem {
+                tcb_date: chrono::DateTime::from_timestamp(tcb_date, 0)
+                    .unwrap()
+                    .to_rfc3339(),
+                ..self.obj
+            },
+        }
+    }
+
+    pub fn tcb_status(self, tcb_status: &str) -> Self {
+        Self {
+            obj: TdxModuleIdentitiesTcbLevelItem {
+                tcb_status: tcb_status.to_string(),
+                ..self.obj
+            },
+        }
+    }
+
+    pub fn advisory_ids(self, advisory_ids: &[&str]) -> Self {
+        Self {
+            obj: TdxModuleIdentitiesTcbLevelItem {
+                advisory_ids: if advisory_ids.is_empty() {
+                    None
+                } else {
+                    Some(advisory_ids.iter().map(|s| s.to_string()).collect())
+                },
+                ..self.obj
+            },
+        }
+    }
+
+    pub fn build(self) -> TdxModuleIdentitiesTcbLevelItem {
+        self.obj
+    }
+}
@@ -1,5 +1,7 @@
 use anyhow::{anyhow, bail, Error};
-use dcap_quote_verifier::cert::{get_x509_subject_cn, parse_certchain};
+use dcap_quote_verifier::cert::{
+    is_sgx_pck_platform_ca_dn, is_sgx_pck_processor_ca_dn, parse_certchain,
+};
 use dcap_quote_verifier::collateral::QvCollateral;
 use dcap_quote_verifier::sgx_extensions::extract_sgx_extensions;
 use dcap_types::quotes::CertData;
@@ -97,17 +99,14 @@ impl PCSClient {
         let qe_identity_json =
             http_get(format!("{base_url}/qe/identity?update={update_policy}"))?.text()?;
 
-        let pck_crl_url = match get_x509_subject_cn(pck_cert_issuer).as_str() {
-            "Intel SGX PCK Platform CA" => {
-                format!("{pcs_url}/sgx/certification/v4/pckcrl?ca=platform&encoding=der")
-            }
-            "Intel SGX PCK Processor CA" => {
-                format!("{pcs_url}/sgx/certification/v4/pckcrl?ca=processor&encoding=der")
-            }
-            cn => {
-                bail!("unknown PCK issuer: {}", cn);
-            }
+        let pck_crl_url = if is_sgx_pck_platform_ca_dn(pck_cert_issuer.subject())? {
+            format!("{pcs_url}/sgx/certification/v4/pckcrl?ca=platform&encoding=der")
+        } else if is_sgx_pck_processor_ca_dn(pck_cert_issuer.subject())? {
+            format!("{pcs_url}/sgx/certification/v4/pckcrl?ca=processor&encoding=der")
+        } else {
+            bail!("unknown PCK issuer");
         };
+
         let sgx_pck_crl_der = http_get(pck_crl_url)?.bytes()?.to_vec();
 
         let sgx_root_cert_der = http_get(format!(