diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 44050fa..36472d3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -15,6 +15,9 @@ jobs: - uses: Swatinem/rust-cache@v2 - run: cargo test - run: cargo test --manifest-path=./zkvm/risc0/Cargo.toml -- --nocapture + - run: cargo fmt --all --check && cargo clippy --locked --tests -- -D warnings + - run: cargo fmt --all --check && cargo clippy --locked --tests -- -D warnings + working-directory: zkvm/risc0 reproducible-build: runs-on: ubuntu-24.04 diff --git a/crates/collaterals/src/certs.rs b/crates/collaterals/src/certs.rs index 5f00b33..3c8aaf1 100644 --- a/crates/collaterals/src/certs.rs +++ b/crates/collaterals/src/certs.rs @@ -28,7 +28,7 @@ pub fn gen_sgx_intel_root_ca( builder.set_version(0x2)?; builder.set_issuer_name(&name)?; builder.set_serial_number( - Asn1Integer::from_bn(BigNum::from_slice(&calc_skid(root_pkey).as_slice())?.as_ref())? + Asn1Integer::from_bn(BigNum::from_slice(calc_skid(root_pkey).as_slice())?.as_ref())? .as_ref(), )?; builder.set_subject_name(&name)?; @@ -37,7 +37,7 @@ pub fn gen_sgx_intel_root_ca( builder.set_pubkey(root_pkey)?; - builder.append_extension(gen_skid(&root_pkey))?; + builder.append_extension(gen_skid(root_pkey))?; builder.append_extension(gen_crl_distribution_points( "https://certificates.trustedservices.intel.com/IntelSGXRootCA.der", @@ -73,7 +73,7 @@ pub fn gen_root_ca( let root_key = gen_key(); let root_cert = gen_sgx_intel_root_ca( &root_key, - root_cert_validity.unwrap_or_else(|| Validity::long_duration()), + root_cert_validity.unwrap_or_else(Validity::long_duration), )?; let crl = gen_crl(&root_cert, &root_key, &[], crl_validity)?; Ok(RootCa { @@ -90,7 +90,7 @@ pub fn gen_crl( crl_validity: Option, ) -> Result { let mut crl = X509Crl::new(issuer_cert, None)?; - let validity = crl_validity.unwrap_or_else(|| Validity::long_duration()); + let validity = crl_validity.unwrap_or_else(Validity::long_duration); crl.set_last_update(&validity.not_before())?; crl.set_next_update(&validity.not_after())?; crl.increment_crl_number()?; @@ -120,10 +120,8 @@ pub fn gen_tcb_signing_ca( builder.set_version(0x2)?; builder.set_issuer_name(root_cert.subject_name())?; builder.set_serial_number( - Asn1Integer::from_bn( - BigNum::from_slice(&calc_skid(tcb_signing_pkey).as_slice())?.as_ref(), - )? - .as_ref(), + Asn1Integer::from_bn(BigNum::from_slice(calc_skid(tcb_signing_pkey).as_slice())?.as_ref())? + .as_ref(), )?; builder.set_subject_name(build_x509_name("Intel SGX TCB Signing")?.as_ref())?; @@ -132,7 +130,7 @@ pub fn gen_tcb_signing_ca( builder.set_pubkey(tcb_signing_pkey)?; - builder.append_extension(gen_skid(&tcb_signing_pkey))?; + builder.append_extension(gen_skid(tcb_signing_pkey))?; builder.append_extension(gen_crl_distribution_points( "https://certificates.trustedservices.intel.com/IntelSGXRootCA.der", ))?; @@ -171,7 +169,7 @@ pub fn gen_tcb_certchain( &root_ca.cert, &root_ca.key, &tcb_signing_key, - tcb_signing_ca_cert_validity.unwrap_or_else(|| Validity::long_duration()), + tcb_signing_ca_cert_validity.unwrap_or_else(Validity::long_duration), )?; Ok(TcbCertchain { cert: tcb_signing_cert, @@ -220,10 +218,8 @@ pub fn gen_pck_cert_ca( builder.set_version(0x2)?; builder.set_issuer_name(root_cert.subject_name())?; builder.set_serial_number( - Asn1Integer::from_bn( - BigNum::from_slice(&calc_skid(pck_cert_ca_pkey).as_slice())?.as_ref(), - )? - .as_ref(), + Asn1Integer::from_bn(BigNum::from_slice(calc_skid(pck_cert_ca_pkey).as_slice())?.as_ref())? + .as_ref(), )?; builder.set_subject_name(build_x509_name(pck_ca.cn())?.as_ref())?; builder.set_pubkey(pck_cert_ca_pkey)?; @@ -231,7 +227,7 @@ pub fn gen_pck_cert_ca( builder.set_not_before(&validity.not_before())?; builder.set_not_after(&validity.not_after())?; - builder.append_extension(gen_skid(&pck_cert_ca_pkey))?; + builder.append_extension(gen_skid(pck_cert_ca_pkey))?; builder.append_extension(gen_crl_distribution_points( "https://certificates.trustedservices.intel.com/IntelSGXRootCA.der", ))?; @@ -267,7 +263,6 @@ pub fn gen_pck_cert( pck_ca_cert .subject_name() .entries() - .into_iter() .next() .ok_or_else(|| anyhow::anyhow!("No subject name"))? .data() @@ -279,7 +274,7 @@ pub fn gen_pck_cert( builder.set_version(0x2)?; builder.set_issuer_name(pck_ca_cert.subject_name())?; builder.set_serial_number( - Asn1Integer::from_bn(BigNum::from_slice(&calc_skid(pck_cert_pkey).as_slice())?.as_ref())? + Asn1Integer::from_bn(BigNum::from_slice(calc_skid(pck_cert_pkey).as_slice())?.as_ref())? .as_ref(), )?; builder.set_subject_name(build_x509_name("Intel SGX PCK Certificate")?.as_ref())?; @@ -288,7 +283,7 @@ pub fn gen_pck_cert( builder.set_not_before(&validity.not_before())?; builder.set_not_after(&validity.not_after())?; - builder.append_extension(gen_skid(&pck_cert_pkey))?; + builder.append_extension(gen_skid(pck_cert_pkey))?; builder.append_extension(gen_crl_distribution_points( format!( "https://api.trustedservices.intel.com/sgx/certification/v3/pckcrl?ca={}&encoding=der", @@ -346,7 +341,7 @@ pub fn gen_pck_certchain( &root_ca.cert, &root_ca.key, &pck_cert_ca_key, - pck_cert_ca_validity.unwrap_or_else(|| Validity::long_duration()), + pck_cert_ca_validity.unwrap_or_else(Validity::long_duration), )?; let pck_cert_key = gen_key(); let pck_cert = gen_pck_cert( @@ -354,7 +349,7 @@ pub fn gen_pck_certchain( &pck_cert_ca_key, &pck_cert_key, sgx_extensions, - pck_cert_validity.unwrap_or_else(|| Validity::long_duration()), + pck_cert_validity.unwrap_or_else(Validity::long_duration), )?; let pck_cert_crl = gen_crl( &pck_cert_ca, diff --git a/crates/collaterals/src/lib.rs b/crates/collaterals/src/lib.rs index ea3b902..f12bf38 100644 --- a/crates/collaterals/src/lib.rs +++ b/crates/collaterals/src/lib.rs @@ -1,3 +1,4 @@ +#![allow(clippy::new_without_default)] pub mod certs; pub mod enclave_identity; pub mod enclave_report; diff --git a/crates/collaterals/src/utils.rs b/crates/collaterals/src/utils.rs index 3cd4925..8317f74 100644 --- a/crates/collaterals/src/utils.rs +++ b/crates/collaterals/src/utils.rs @@ -27,7 +27,7 @@ pub fn sign(pkey: &PKeyRef, msg: &[u8]) -> Result, anyhow::Erro signer.update(msg)?; EcdsaSignature::from_der(signer.sign_to_vec()?.as_slice()) .map_err(|e| anyhow::anyhow!("Failed to decode ASN.1 signature: {}", e)) - .and_then(|asn_sig| { + .map(|asn_sig| { let mut sig = vec![]; let r = asn_sig.r.as_bytes(); let s = asn_sig.s.as_bytes(); @@ -35,7 +35,7 @@ pub fn sign(pkey: &PKeyRef, msg: &[u8]) -> Result, anyhow::Erro sig.extend_from_slice(r); sig.extend_from_slice(&vec![0; 32 - s.len()]); sig.extend_from_slice(s); - Ok(sig) + sig }) } @@ -52,7 +52,7 @@ pub fn p256_prvkey_to_pubkey_bytes(pkey: &PKeyRef) -> Result<[u8; 64], Ok(pubkey) } -pub fn parse_cert_der<'a>(cert_der: &'a [u8]) -> Result, anyhow::Error> { +pub fn parse_cert_der(cert_der: &[u8]) -> Result { let (_, c) = X509Certificate::from_der(cert_der)?; Ok(c) } diff --git a/crates/quote-verifier/src/cert.rs b/crates/quote-verifier/src/cert.rs index 89466b5..68a7558 100644 --- a/crates/quote-verifier/src/cert.rs +++ b/crates/quote-verifier/src/cert.rs @@ -1,14 +1,14 @@ -use anyhow::bail; -use x509_parser::oid_registry::OID_X509_EXT_CRL_DISTRIBUTION_POINTS; -use x509_parser::prelude::*; - use crate::crypto::verify_p256_signature_der; +use anyhow::bail; +use core::str::FromStr; use dcap_types::cert::{SgxExtensionTcbLevel, SgxExtensions}; use dcap_types::tcbinfo::{TcbComponent, TcbInfoV3}; use dcap_types::TcbInfoV3TcbStatus; use dcap_types::{SGX_TEE_TYPE, TDX_TEE_TYPE}; +use x509_parser::oid_registry::OID_X509_EXT_CRL_DISTRIBUTION_POINTS; +use x509_parser::prelude::*; -pub fn parse_certchain<'a>(pem_certs: &'a [Pem]) -> crate::Result>> { +pub fn parse_certchain(pem_certs: &[Pem]) -> crate::Result> { Ok(pem_certs .iter() .map(|pem| pem.parse_x509()) @@ -45,9 +45,9 @@ pub fn verify_crl_signature( } // verify_certchain_signature just verify that the certchain signature matches, any other checks will be done by the caller -pub fn verify_certchain_signature<'a, 'b>( - certs: &[&X509Certificate<'a>], - root_cert: &X509Certificate<'b>, +pub fn verify_certchain_signature( + certs: &[&X509Certificate], + root_cert: &X509Certificate, ) -> crate::Result<()> { // verify that the cert chain is valid let mut iter = certs.iter(); @@ -143,18 +143,17 @@ pub fn get_sgx_tdx_fmspc_tcbstatus_v3( let extension_pcesvn = tcb.pcesvn; for tcb_level in tcbinfov3.tcb_info.tcb_levels.iter() { - if sgx_tcb_status.is_none() { - if match_sgxtcbcomp(tcb, &tcb_level.tcb.sgxtcbcomponents) - && extension_pcesvn >= tcb_level.tcb.pcesvn - { - sgx_tcb_status = Some(TcbInfoV3TcbStatus::from_str(tcb_level.tcb_status.as_str())?); - if !is_tdx { - return Ok(( - sgx_tcb_status.unwrap(), - None, - tcb_level.advisory_ids.clone().unwrap_or_default(), - )); - } + if sgx_tcb_status.is_none() + && match_sgxtcbcomp(tcb, &tcb_level.tcb.sgxtcbcomponents) + && extension_pcesvn >= tcb_level.tcb.pcesvn + { + sgx_tcb_status = Some(TcbInfoV3TcbStatus::from_str(tcb_level.tcb_status.as_str())?); + if !is_tdx { + return Ok(( + sgx_tcb_status.unwrap(), + None, + tcb_level.advisory_ids.clone().unwrap_or_default(), + )); } } if is_tdx && sgx_tcb_status.is_some() { @@ -204,7 +203,7 @@ fn match_tdxtcbcomp(tee_tcb_svn: &[u8; 16], tdxtcbcomponents: &[TcbComponent; 16 pub fn merge_advisory_ids(advisory_ids: Vec, advisory_ids2: Vec) -> Vec { let mut ids = advisory_ids .into_iter() - .chain(advisory_ids2.into_iter()) + .chain(advisory_ids2) .collect::>(); ids.sort(); ids.dedup(); diff --git a/crates/quote-verifier/src/collaterals.rs b/crates/quote-verifier/src/collaterals.rs index 08d6280..7c89004 100644 --- a/crates/quote-verifier/src/collaterals.rs +++ b/crates/quote-verifier/src/collaterals.rs @@ -86,7 +86,7 @@ impl IntelCollateral { let sgx_intel_root_ca_crl_der_len = u32::from_le_bytes(slice[16..20].try_into()?) as usize; let sgx_pck_crl_der_len = u32::from_le_bytes(slice[20..24].try_into()?) as usize; - let mut offset = 4 * 6 as usize; + let mut offset = 4 * 6usize; if slice.len() < offset @@ -146,22 +146,22 @@ impl IntelCollateral { } /// Returns the SGX Intel Root CA certificate - pub fn get_sgx_intel_root_ca<'a>(&'a self) -> Result> { + pub fn get_sgx_intel_root_ca(&self) -> Result { parse_x509_der(&self.sgx_intel_root_ca_der) } /// Returns the SGX TCB Signing certificate - pub fn get_sgx_tcb_signing<'a>(&'a self) -> Result> { + pub fn get_sgx_tcb_signing(&self) -> Result { parse_x509_der(&self.sgx_tcb_signing_der) } /// Returns the SGX Intel Root CA CRL - pub fn get_sgx_intel_root_ca_crl<'a>(&'a self) -> Result> { + pub fn get_sgx_intel_root_ca_crl(&self) -> Result { parse_crl_der(&self.sgx_intel_root_ca_crl_der) } /// Returns the SGX PCK Platform/Processor CA CRL - pub fn get_sgx_pck_crl<'a>(&'a self) -> Result> { + pub fn get_sgx_pck_crl(&self) -> Result { parse_crl_der(&self.sgx_pck_crl_der) } } diff --git a/crates/quote-verifier/src/crl.rs b/crates/quote-verifier/src/crl.rs index a4602d1..db2c095 100644 --- a/crates/quote-verifier/src/crl.rs +++ b/crates/quote-verifier/src/crl.rs @@ -1,6 +1,6 @@ use crate::cert::get_crl_uri; use crate::{verifier::ValidityIntersection, Result}; -use anyhow::{anyhow, bail}; +use anyhow::bail; use x509_parser::{certificate::X509Certificate, revocation_list::CertificateRevocationList}; #[derive(Debug, PartialEq, Eq)] @@ -99,12 +99,8 @@ impl<'a> IntelSgxCrls<'a> { } } Ok(ValidityIntersection { - not_before_max: max_last_update - .try_into() - .map_err(|e| anyhow!("Failed to convert max_last_update to u64: {}", e))?, - not_after_min: min_next_update - .try_into() - .map_err(|e| anyhow!("Failed to convert min_next_update to u64: {}", e))?, + not_before_max: max_last_update, + not_after_min: min_next_update, }) } } diff --git a/crates/quote-verifier/src/crypto.rs b/crates/quote-verifier/src/crypto.rs index 1639756..632d243 100644 --- a/crates/quote-verifier/src/crypto.rs +++ b/crates/quote-verifier/src/crypto.rs @@ -10,7 +10,7 @@ use sha3::Keccak256; // The public_key is the public key (in uncompressed form [4][x][y]) of the entity that signed the data. (65 bytes) // Returns true if the signature is valid, false otherwise. pub fn verify_p256_signature_bytes(data: &[u8], signature: &[u8], public_key: &[u8]) -> Result<()> { - let signature = Signature::from_bytes(signature.try_into()?)?; + let signature = Signature::from_bytes(signature.into())?; let verifying_key = VerifyingKey::from_sec1_bytes(public_key)?; Ok(verifying_key.verify(data, &signature)?) } diff --git a/crates/quote-verifier/src/enclave_identity.rs b/crates/quote-verifier/src/enclave_identity.rs index b91a651..6986f89 100644 --- a/crates/quote-verifier/src/enclave_identity.rs +++ b/crates/quote-verifier/src/enclave_identity.rs @@ -2,6 +2,7 @@ use crate::crypto::verify_p256_signature_bytes; use crate::verifier::ValidityIntersection; use crate::Result; use anyhow::{bail, Context}; +use core::str::FromStr; use dcap_types::enclave_identity::EnclaveIdentityV2TcbLevelItem; use dcap_types::{enclave_identity::EnclaveIdentityV2, EnclaveIdentityV2TcbStatus}; use dcap_types::{SGX_TEE_TYPE, TDX_TEE_TYPE}; diff --git a/crates/quote-verifier/src/pck.rs b/crates/quote-verifier/src/pck.rs index 00fc223..2d47e24 100644 --- a/crates/quote-verifier/src/pck.rs +++ b/crates/quote-verifier/src/pck.rs @@ -25,8 +25,8 @@ pub fn validate_pck_cert<'a>( intel_sgx_root_cert: &X509Certificate<'_>, intel_crls: &IntelSgxCrls, ) -> Result { - let pck_subject_cn = get_x509_subject_cn(&pck_leaf_cert); - let pck_issuer_cn = get_x509_issuer_cn(&pck_leaf_cert); + let pck_subject_cn = get_x509_subject_cn(pck_leaf_cert); + let pck_issuer_cn = get_x509_issuer_cn(pck_leaf_cert); if pck_subject_cn != "Intel SGX PCK Certificate" { bail!("PCK Leaf Cert is not a PCK Cert"); @@ -37,14 +37,14 @@ pub fn validate_pck_cert<'a>( } // we'll check what kind of cert is it, and validate the appropriate CRL - if pck_issuer_cn != get_x509_subject_cn(&pck_issuer_cert) { + if pck_issuer_cn != get_x509_subject_cn(pck_issuer_cert) { bail!("PCK Leaf Cert and Issuer Cert do not match"); - } else if get_x509_issuer_cn(&pck_issuer_cert) != get_x509_subject_cn(intel_sgx_root_cert) { + } else if get_x509_issuer_cn(pck_issuer_cert) != get_x509_subject_cn(intel_sgx_root_cert) { bail!("PCK Issuer Cert and Root Cert do not match"); } // verify that the cert chain signatures are valid - verify_certchain_signature(&[&pck_leaf_cert, &pck_issuer_cert], intel_sgx_root_cert) + verify_certchain_signature(&[pck_leaf_cert, pck_issuer_cert], intel_sgx_root_cert) .context("Invalid PCK Chain")?; if intel_crls.is_cert_revoked(pck_leaf_cert)? { diff --git a/crates/quote-verifier/src/quotes/mod.rs b/crates/quote-verifier/src/quotes/mod.rs index b1c3b9b..8df689b 100644 --- a/crates/quote-verifier/src/quotes/mod.rs +++ b/crates/quote-verifier/src/quotes/mod.rs @@ -50,6 +50,7 @@ use x509_parser::certificate::X509Certificate; /// * The SGX extensions from the PCK leaf certificate /// * The TCB info /// * The validity intersection of all collaterals +#[allow(clippy::too_many_arguments)] fn common_verify_and_fetch_tcb( quote_header: &QuoteHeader, quote_body: &QuoteBody, @@ -62,7 +63,8 @@ fn common_verify_and_fetch_tcb( collaterals: &IntelCollateral, current_time: u64, ) -> Result<( - (EnclaveIdentityV2TcbStatus, Vec), + EnclaveIdentityV2TcbStatus, + Vec, SgxExtensions, TcbInfo, ValidityIntersection, @@ -170,7 +172,8 @@ fn common_verify_and_fetch_tcb( } Ok(( - (qe_tcb_status, advisory_ids), + qe_tcb_status, + advisory_ids, pck_cert_sgx_extensions, tcb_info, validity, @@ -225,10 +228,7 @@ fn verify_qe_report( // https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/29bd3b0a3b46c1159907d656b45f378f97e7e686/Src/AttestationLibrary/src/Verifiers/EnclaveReportVerifier.cpp#L92 // https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/Verifiers/QuoteVerifier.cpp#L286 - Ok(get_qe_tcbstatus( - qe_report.isv_svn, - &qeidentityv2.enclave_identity.tcb_levels, - )?) + get_qe_tcbstatus(qe_report.isv_svn, &qeidentityv2.enclave_identity.tcb_levels) } /// Verify the attestation signature for the quote (header + body) using the attestation public key diff --git a/crates/quote-verifier/src/quotes/version_3.rs b/crates/quote-verifier/src/quotes/version_3.rs index f0905ec..35a1be7 100644 --- a/crates/quote-verifier/src/quotes/version_3.rs +++ b/crates/quote-verifier/src/quotes/version_3.rs @@ -22,7 +22,7 @@ pub fn verify_quote_dcapv3( check_quote_header("e.header, 3).context("invalid quote header")?; let quote_body = QuoteBody::SGXQuoteBody(quote.isv_enclave_report); - let ((qe_tcb_status, qe_advisory_ids), sgx_extensions, tcb_info, validity) = + let (qe_tcb_status, qe_advisory_ids, sgx_extensions, tcb_info, validity) = common_verify_and_fetch_tcb( "e.header, "e_body, diff --git a/crates/quote-verifier/src/quotes/version_4.rs b/crates/quote-verifier/src/quotes/version_4.rs index b60c996..a877b1b 100644 --- a/crates/quote-verifier/src/quotes/version_4.rs +++ b/crates/quote-verifier/src/quotes/version_4.rs @@ -38,7 +38,7 @@ pub fn verify_quote_dcapv4( ); }; - let ((qe_tcb_status, qe_advisory_ids), sgx_extensions, tcb_info, validity) = + let (qe_tcb_status, qe_advisory_ids, sgx_extensions, tcb_info, validity) = common_verify_and_fetch_tcb( "e.header, "e.quote_body, diff --git a/crates/quote-verifier/src/sgx_extensions.rs b/crates/quote-verifier/src/sgx_extensions.rs index a8183ee..d578e0f 100644 --- a/crates/quote-verifier/src/sgx_extensions.rs +++ b/crates/quote-verifier/src/sgx_extensions.rs @@ -15,7 +15,7 @@ pub fn extract_sgx_extensions<'a>(pck_cert: &'a X509Certificate<'a>) -> Result(sgx_extensions_bytes: &'a [u8]) -> Result { +pub fn parse_sgx_extensions(sgx_extensions_bytes: &[u8]) -> Result { // p.11-14 https://download.01.org/intel-sgx/sgx-dcap/1.22/linux/docs/SGX_PCK_Certificate_CRL_Spec-1.4.pdf // : diff --git a/crates/quote-verifier/src/tcbinfo.rs b/crates/quote-verifier/src/tcbinfo.rs index f47e9fc..897b96c 100644 --- a/crates/quote-verifier/src/tcbinfo.rs +++ b/crates/quote-verifier/src/tcbinfo.rs @@ -34,10 +34,10 @@ pub fn validate_tcb_signing_certificate( bail!("TCB Signing Cert and Root Cert do not match"); } // check that the tcb signing cert is signed by the root cert - verify_certificate(&tcb_signing_cert, &intel_sgx_root_cert) + verify_certificate(tcb_signing_cert, intel_sgx_root_cert) .context("Invalid TCB Signing Cert")?; // check that the tcb signing cert is not revoked by the `self.sgx_root_ca_crl` CRL - if intel_crls.is_cert_revoked(&tcb_signing_cert)? { + if intel_crls.is_cert_revoked(tcb_signing_cert)? { bail!("TCB Signing Cert revoked"); } diff --git a/crates/quote-verifier/src/tdx_module.rs b/crates/quote-verifier/src/tdx_module.rs index 8a64cff..57ba3d1 100644 --- a/crates/quote-verifier/src/tdx_module.rs +++ b/crates/quote-verifier/src/tdx_module.rs @@ -1,8 +1,8 @@ -use anyhow::bail; - use crate::Result; +use anyhow::bail; use dcap_types::tcbinfo::TcbInfoV3; use dcap_types::{TcbInfoV3TcbStatus, TdxModuleTcbStatus, TdxModuleTcbValidationStatus}; +use std::str::FromStr; // https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/Verifiers/Checks/TdxModuleCheck.cpp#L62-L97 pub fn get_tdx_module_identity_and_tcb( diff --git a/crates/types/src/lib.rs b/crates/types/src/lib.rs index 6b4a9cb..449ef45 100644 --- a/crates/types/src/lib.rs +++ b/crates/types/src/lib.rs @@ -1,7 +1,7 @@ use anyhow::bail; use core::fmt::Display; +use core::str::FromStr; use serde::{Deserialize, Serialize}; -use std::str::FromStr; pub mod cert; pub mod enclave_identity; @@ -50,8 +50,10 @@ pub enum EnclaveIdentityV2TcbStatus { Revoked, // equivalent to STATUS_SGX_ENCLAVE_REPORT_ISVSVN_REVOKED } -impl EnclaveIdentityV2TcbStatus { - pub fn from_str(s: &str) -> Result { +impl FromStr for EnclaveIdentityV2TcbStatus { + type Err = anyhow::Error; + + fn from_str(s: &str) -> Result { Ok(match s { "UpToDate" => Self::UpToDate, "OutOfDate" => Self::OutOfDate, @@ -112,8 +114,10 @@ pub enum TcbInfoV3TcbStatus { Revoked, } -impl TcbInfoV3TcbStatus { - pub fn from_str(s: &str) -> Result { +impl FromStr for TcbInfoV3TcbStatus { + type Err = anyhow::Error; + + fn from_str(s: &str) -> Result { Ok(match s { "UpToDate" => Self::UpToDate, "SWHardeningNeeded" => Self::SWHardeningNeeded, @@ -151,8 +155,10 @@ pub enum TdxModuleTcbStatus { Revoked, } -impl TdxModuleTcbStatus { - pub fn from_str(s: &str) -> Result { +impl FromStr for TdxModuleTcbStatus { + type Err = anyhow::Error; + + fn from_str(s: &str) -> Result { Ok(match s { "UpToDate" => Self::UpToDate, "OutOfDate" => Self::OutOfDate, diff --git a/crates/types/src/quotes/mod.rs b/crates/types/src/quotes/mod.rs index 640c290..3431577 100644 --- a/crates/types/src/quotes/mod.rs +++ b/crates/types/src/quotes/mod.rs @@ -174,6 +174,7 @@ impl CertData { } } +#[allow(clippy::large_enum_variant)] pub enum CertDataType { Unused, Type1(Vec), diff --git a/crates/types/src/utils.rs b/crates/types/src/utils.rs index 194f1e8..d49c703 100644 --- a/crates/types/src/utils.rs +++ b/crates/types/src/utils.rs @@ -19,20 +19,20 @@ pub fn parse_pem(raw_bytes: &[u8]) -> Result, PEMError> { Pem::iter_from_buffer(raw_bytes).collect() } -pub fn parse_crl_der<'a>(raw_bytes: &'a [u8]) -> crate::Result> { +pub fn parse_crl_der(raw_bytes: &[u8]) -> crate::Result { let (_, crl) = CertificateRevocationList::from_der(raw_bytes)?; Ok(crl) } -pub fn parse_x509_der<'a>(raw_bytes: &'a [u8]) -> crate::Result> { +pub fn parse_x509_der(raw_bytes: &[u8]) -> crate::Result { let (_, cert) = X509Certificate::from_der(raw_bytes)?; Ok(cert) } -pub fn parse_x509_der_multi<'a>(raw_bytes: &'a [u8]) -> crate::Result>> { +pub fn parse_x509_der_multi(raw_bytes: &[u8]) -> crate::Result> { let mut certs = Vec::new(); let mut i = raw_bytes; - while i.len() > 0 { + while !i.is_empty() { let (j, cert) = X509Certificate::from_der(i)?; certs.push(cert); i = j; diff --git a/zkvm/risc0/artifacts/dcap-quote-verifier b/zkvm/risc0/artifacts/dcap-quote-verifier index c7dfbce..509394f 100644 Binary files a/zkvm/risc0/artifacts/dcap-quote-verifier and b/zkvm/risc0/artifacts/dcap-quote-verifier differ diff --git a/zkvm/risc0/build.rs b/zkvm/risc0/build.rs index 05a1957..6034722 100644 --- a/zkvm/risc0/build.rs +++ b/zkvm/risc0/build.rs @@ -1,6 +1,13 @@ use risc0_binfmt::compute_image_id; use risc0_build::{embed_method_metadata_with_options, DockerOptions, GuestOptions}; -use std::{collections::HashMap, env, fs::File, io::Write, path::PathBuf, str::FromStr}; +use std::{ + collections::HashMap, + env, + fs::File, + io::Write, + path::{Path, PathBuf}, + str::FromStr, +}; fn main() { println!("cargo:rerun-if-env-changed=ZKDCAP_RISC0_BUILD"); @@ -51,7 +58,7 @@ pub const DCAP_QUOTE_VERIFIER_ELF: &[u8] = include_bytes!("../artifacts/dcap-quo .unwrap(); } -fn get_correct_elf_path(elf_path: &PathBuf) -> String { +fn get_correct_elf_path(elf_path: &Path) -> String { elf_path .parent() .unwrap() diff --git a/zkvm/risc0/src/methods.rs b/zkvm/risc0/src/methods.rs index 5f296f7..5717c0d 100644 --- a/zkvm/risc0/src/methods.rs +++ b/zkvm/risc0/src/methods.rs @@ -1,3 +1,3 @@ -pub const DCAP_QUOTE_VERIFIER_ID: [u32; 8] = [143255245, 43779504, 3390353771, 3444607845, 3967455919, 975508729, 2112201669, 1925387058]; +pub const DCAP_QUOTE_VERIFIER_ID: [u32; 8] = [1310702660, 1468422329, 87586300, 1252053983, 3549838645, 1249629134, 1412581844, 922648141]; pub const DCAP_QUOTE_VERIFIER_ELF: &[u8] = include_bytes!("../artifacts/dcap-quote-verifier");