datachainlab · bluele · Feb 13, 2025 · Feb 12, 2025
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -15,6 +15,9 @@ jobs:
       - uses: Swatinem/rust-cache@v2
       - run: cargo test
       - run: cargo test --manifest-path=./zkvm/risc0/Cargo.toml -- --nocapture
+      - run: cargo fmt --all --check && cargo clippy --locked --tests -- -D warnings
+      - run: cargo fmt --all --check && cargo clippy --locked --tests -- -D warnings
+        working-directory: zkvm/risc0
 
   reproducible-build:
     runs-on: ubuntu-24.04

diff --git a/crates/collaterals/src/certs.rs b/crates/collaterals/src/certs.rs
@@ -28,7 +28,7 @@ pub fn gen_sgx_intel_root_ca(
     builder.set_version(0x2)?;
     builder.set_issuer_name(&name)?;
     builder.set_serial_number(
-        Asn1Integer::from_bn(BigNum::from_slice(&calc_skid(root_pkey).as_slice())?.as_ref())?
+        Asn1Integer::from_bn(BigNum::from_slice(calc_skid(root_pkey).as_slice())?.as_ref())?
             .as_ref(),
     )?;
     builder.set_subject_name(&name)?;
@@ -37,7 +37,7 @@ pub fn gen_sgx_intel_root_ca(
 
     builder.set_pubkey(root_pkey)?;
 
-    builder.append_extension(gen_skid(&root_pkey))?;
+    builder.append_extension(gen_skid(root_pkey))?;
 
     builder.append_extension(gen_crl_distribution_points(
         "https://certificates.trustedservices.intel.com/IntelSGXRootCA.der",
@@ -73,7 +73,7 @@ pub fn gen_root_ca(
     let root_key = gen_key();
     let root_cert = gen_sgx_intel_root_ca(
         &root_key,
-        root_cert_validity.unwrap_or_else(|| Validity::long_duration()),
+        root_cert_validity.unwrap_or_else(Validity::long_duration),
     )?;
     let crl = gen_crl(&root_cert, &root_key, &[], crl_validity)?;
     Ok(RootCa {
@@ -90,7 +90,7 @@ pub fn gen_crl(
     crl_validity: Option<Validity>,
 ) -> Result<X509Crl, anyhow::Error> {
     let mut crl = X509Crl::new(issuer_cert, None)?;
-    let validity = crl_validity.unwrap_or_else(|| Validity::long_duration());
+    let validity = crl_validity.unwrap_or_else(Validity::long_duration);
     crl.set_last_update(&validity.not_before())?;
     crl.set_next_update(&validity.not_after())?;
     crl.increment_crl_number()?;
@@ -120,10 +120,8 @@ pub fn gen_tcb_signing_ca(
     builder.set_version(0x2)?;
     builder.set_issuer_name(root_cert.subject_name())?;
     builder.set_serial_number(
-        Asn1Integer::from_bn(
-            BigNum::from_slice(&calc_skid(tcb_signing_pkey).as_slice())?.as_ref(),
-        )?
-        .as_ref(),
+        Asn1Integer::from_bn(BigNum::from_slice(calc_skid(tcb_signing_pkey).as_slice())?.as_ref())?
+            .as_ref(),
     )?;
     builder.set_subject_name(build_x509_name("Intel SGX TCB Signing")?.as_ref())?;
 
@@ -132,7 +130,7 @@ pub fn gen_tcb_signing_ca(
 
     builder.set_pubkey(tcb_signing_pkey)?;
 
-    builder.append_extension(gen_skid(&tcb_signing_pkey))?;
+    builder.append_extension(gen_skid(tcb_signing_pkey))?;
     builder.append_extension(gen_crl_distribution_points(
         "https://certificates.trustedservices.intel.com/IntelSGXRootCA.der",
     ))?;
@@ -171,7 +169,7 @@ pub fn gen_tcb_certchain(
         &root_ca.cert,
         &root_ca.key,
         &tcb_signing_key,
-        tcb_signing_ca_cert_validity.unwrap_or_else(|| Validity::long_duration()),
+        tcb_signing_ca_cert_validity.unwrap_or_else(Validity::long_duration),
     )?;
     Ok(TcbCertchain {
         cert: tcb_signing_cert,
@@ -220,18 +218,16 @@ pub fn gen_pck_cert_ca(
     builder.set_version(0x2)?;
     builder.set_issuer_name(root_cert.subject_name())?;
     builder.set_serial_number(
-        Asn1Integer::from_bn(
-            BigNum::from_slice(&calc_skid(pck_cert_ca_pkey).as_slice())?.as_ref(),
-        )?
-        .as_ref(),
+        Asn1Integer::from_bn(BigNum::from_slice(calc_skid(pck_cert_ca_pkey).as_slice())?.as_ref())?
+            .as_ref(),
     )?;
     builder.set_subject_name(build_x509_name(pck_ca.cn())?.as_ref())?;
     builder.set_pubkey(pck_cert_ca_pkey)?;
 
     builder.set_not_before(&validity.not_before())?;
     builder.set_not_after(&validity.not_after())?;
 
-    builder.append_extension(gen_skid(&pck_cert_ca_pkey))?;
+    builder.append_extension(gen_skid(pck_cert_ca_pkey))?;
     builder.append_extension(gen_crl_distribution_points(
         "https://certificates.trustedservices.intel.com/IntelSGXRootCA.der",
     ))?;
@@ -267,7 +263,6 @@ pub fn gen_pck_cert(
         pck_ca_cert
             .subject_name()
             .entries()
-            .into_iter()
             .next()
             .ok_or_else(|| anyhow::anyhow!("No subject name"))?
             .data()
@@ -279,7 +274,7 @@ pub fn gen_pck_cert(
     builder.set_version(0x2)?;
     builder.set_issuer_name(pck_ca_cert.subject_name())?;
     builder.set_serial_number(
-        Asn1Integer::from_bn(BigNum::from_slice(&calc_skid(pck_cert_pkey).as_slice())?.as_ref())?
+        Asn1Integer::from_bn(BigNum::from_slice(calc_skid(pck_cert_pkey).as_slice())?.as_ref())?
             .as_ref(),
     )?;
     builder.set_subject_name(build_x509_name("Intel SGX PCK Certificate")?.as_ref())?;
@@ -288,7 +283,7 @@ pub fn gen_pck_cert(
     builder.set_not_before(&validity.not_before())?;
     builder.set_not_after(&validity.not_after())?;
 
-    builder.append_extension(gen_skid(&pck_cert_pkey))?;
+    builder.append_extension(gen_skid(pck_cert_pkey))?;
     builder.append_extension(gen_crl_distribution_points(
         format!(
             "https://api.trustedservices.intel.com/sgx/certification/v3/pckcrl?ca={}&encoding=der",
@@ -346,15 +341,15 @@ pub fn gen_pck_certchain(
         &root_ca.cert,
         &root_ca.key,
         &pck_cert_ca_key,
-        pck_cert_ca_validity.unwrap_or_else(|| Validity::long_duration()),
+        pck_cert_ca_validity.unwrap_or_else(Validity::long_duration),
     )?;
     let pck_cert_key = gen_key();
     let pck_cert = gen_pck_cert(
         &pck_cert_ca,
         &pck_cert_ca_key,
         &pck_cert_key,
         sgx_extensions,
-        pck_cert_validity.unwrap_or_else(|| Validity::long_duration()),
+        pck_cert_validity.unwrap_or_else(Validity::long_duration),
     )?;
     let pck_cert_crl = gen_crl(
         &pck_cert_ca,

diff --git a/crates/collaterals/src/lib.rs b/crates/collaterals/src/lib.rs
@@ -1,3 +1,4 @@
+#![allow(clippy::new_without_default)]
 pub mod certs;
 pub mod enclave_identity;
 pub mod enclave_report;

diff --git a/crates/collaterals/src/utils.rs b/crates/collaterals/src/utils.rs
@@ -27,15 +27,15 @@ pub fn sign(pkey: &PKeyRef<Private>, msg: &[u8]) -> Result<Vec<u8>, anyhow::Erro
     signer.update(msg)?;
     EcdsaSignature::from_der(signer.sign_to_vec()?.as_slice())
         .map_err(|e| anyhow::anyhow!("Failed to decode ASN.1 signature: {}", e))
-        .and_then(|asn_sig| {
+        .map(|asn_sig| {
             let mut sig = vec![];
             let r = asn_sig.r.as_bytes();
             let s = asn_sig.s.as_bytes();
             sig.extend_from_slice(&vec![0; 32 - r.len()]);
             sig.extend_from_slice(r);
             sig.extend_from_slice(&vec![0; 32 - s.len()]);
             sig.extend_from_slice(s);
-            Ok(sig)
+            sig
         })
 }
 
@@ -52,7 +52,7 @@ pub fn p256_prvkey_to_pubkey_bytes(pkey: &PKeyRef<Private>) -> Result<[u8; 64],
     Ok(pubkey)
 }
 
-pub fn parse_cert_der<'a>(cert_der: &'a [u8]) -> Result<X509Certificate<'a>, anyhow::Error> {
+pub fn parse_cert_der(cert_der: &[u8]) -> Result<X509Certificate, anyhow::Error> {
     let (_, c) = X509Certificate::from_der(cert_der)?;
     Ok(c)
 }

diff --git a/crates/quote-verifier/src/cert.rs b/crates/quote-verifier/src/cert.rs
@@ -1,14 +1,14 @@
-use anyhow::bail;
-use x509_parser::oid_registry::OID_X509_EXT_CRL_DISTRIBUTION_POINTS;
-use x509_parser::prelude::*;
-
 use crate::crypto::verify_p256_signature_der;
+use anyhow::bail;
+use core::str::FromStr;
 use dcap_types::cert::{SgxExtensionTcbLevel, SgxExtensions};
 use dcap_types::tcbinfo::{TcbComponent, TcbInfoV3};
 use dcap_types::TcbInfoV3TcbStatus;
 use dcap_types::{SGX_TEE_TYPE, TDX_TEE_TYPE};
+use x509_parser::oid_registry::OID_X509_EXT_CRL_DISTRIBUTION_POINTS;
+use x509_parser::prelude::*;
 
-pub fn parse_certchain<'a>(pem_certs: &'a [Pem]) -> crate::Result<Vec<X509Certificate<'a>>> {
+pub fn parse_certchain(pem_certs: &[Pem]) -> crate::Result<Vec<X509Certificate>> {
     Ok(pem_certs
         .iter()
         .map(|pem| pem.parse_x509())
@@ -45,9 +45,9 @@ pub fn verify_crl_signature(
 }
 
 // verify_certchain_signature just verify that the certchain signature matches, any other checks will be done by the caller
-pub fn verify_certchain_signature<'a, 'b>(
-    certs: &[&X509Certificate<'a>],
-    root_cert: &X509Certificate<'b>,
+pub fn verify_certchain_signature(
+    certs: &[&X509Certificate],
+    root_cert: &X509Certificate,
 ) -> crate::Result<()> {
     // verify that the cert chain is valid
     let mut iter = certs.iter();
@@ -143,18 +143,17 @@ pub fn get_sgx_tdx_fmspc_tcbstatus_v3(
     let extension_pcesvn = tcb.pcesvn;
 
     for tcb_level in tcbinfov3.tcb_info.tcb_levels.iter() {
-        if sgx_tcb_status.is_none() {
-            if match_sgxtcbcomp(tcb, &tcb_level.tcb.sgxtcbcomponents)
-                && extension_pcesvn >= tcb_level.tcb.pcesvn
-            {
-                sgx_tcb_status = Some(TcbInfoV3TcbStatus::from_str(tcb_level.tcb_status.as_str())?);
-                if !is_tdx {
-                    return Ok((
-                        sgx_tcb_status.unwrap(),
-                        None,
-                        tcb_level.advisory_ids.clone().unwrap_or_default(),
-                    ));
-                }
+        if sgx_tcb_status.is_none()
+            && match_sgxtcbcomp(tcb, &tcb_level.tcb.sgxtcbcomponents)
+            && extension_pcesvn >= tcb_level.tcb.pcesvn
+        {
+            sgx_tcb_status = Some(TcbInfoV3TcbStatus::from_str(tcb_level.tcb_status.as_str())?);
+            if !is_tdx {
+                return Ok((
+                    sgx_tcb_status.unwrap(),
+                    None,
+                    tcb_level.advisory_ids.clone().unwrap_or_default(),
+                ));
             }
         }
         if is_tdx && sgx_tcb_status.is_some() {
@@ -204,7 +203,7 @@ fn match_tdxtcbcomp(tee_tcb_svn: &[u8; 16], tdxtcbcomponents: &[TcbComponent; 16
 pub fn merge_advisory_ids(advisory_ids: Vec<String>, advisory_ids2: Vec<String>) -> Vec<String> {
     let mut ids = advisory_ids
         .into_iter()
-        .chain(advisory_ids2.into_iter())
+        .chain(advisory_ids2)
         .collect::<Vec<_>>();
     ids.sort();
     ids.dedup();

diff --git a/crates/quote-verifier/src/collaterals.rs b/crates/quote-verifier/src/collaterals.rs
@@ -86,7 +86,7 @@ impl IntelCollateral {
         let sgx_intel_root_ca_crl_der_len = u32::from_le_bytes(slice[16..20].try_into()?) as usize;
         let sgx_pck_crl_der_len = u32::from_le_bytes(slice[20..24].try_into()?) as usize;
 
-        let mut offset = 4 * 6 as usize;
+        let mut offset = 4 * 6usize;
 
         if slice.len()
             < offset
@@ -146,22 +146,22 @@ impl IntelCollateral {
     }
 
     /// Returns the SGX Intel Root CA certificate
-    pub fn get_sgx_intel_root_ca<'a>(&'a self) -> Result<X509Certificate<'a>> {
+    pub fn get_sgx_intel_root_ca(&self) -> Result<X509Certificate> {
         parse_x509_der(&self.sgx_intel_root_ca_der)
     }
 
     /// Returns the SGX TCB Signing certificate
-    pub fn get_sgx_tcb_signing<'a>(&'a self) -> Result<X509Certificate<'a>> {
+    pub fn get_sgx_tcb_signing(&self) -> Result<X509Certificate> {
         parse_x509_der(&self.sgx_tcb_signing_der)
     }
 
     /// Returns the SGX Intel Root CA CRL
-    pub fn get_sgx_intel_root_ca_crl<'a>(&'a self) -> Result<CertificateRevocationList<'a>> {
+    pub fn get_sgx_intel_root_ca_crl(&self) -> Result<CertificateRevocationList> {
         parse_crl_der(&self.sgx_intel_root_ca_crl_der)
     }
 
     /// Returns the SGX PCK Platform/Processor CA CRL
-    pub fn get_sgx_pck_crl<'a>(&'a self) -> Result<CertificateRevocationList<'a>> {
+    pub fn get_sgx_pck_crl(&self) -> Result<CertificateRevocationList> {
         parse_crl_der(&self.sgx_pck_crl_der)
     }
 }
diff --git a/crates/quote-verifier/src/crl.rs b/crates/quote-verifier/src/crl.rs
@@ -1,6 +1,6 @@
 use crate::cert::get_crl_uri;
 use crate::{verifier::ValidityIntersection, Result};
-use anyhow::{anyhow, bail};
+use anyhow::bail;
 use x509_parser::{certificate::X509Certificate, revocation_list::CertificateRevocationList};
 
 #[derive(Debug, PartialEq, Eq)]
@@ -99,12 +99,8 @@ impl<'a> IntelSgxCrls<'a> {
             }
         }
         Ok(ValidityIntersection {
-            not_before_max: max_last_update
-                .try_into()
-                .map_err(|e| anyhow!("Failed to convert max_last_update to u64: {}", e))?,
-            not_after_min: min_next_update
-                .try_into()
-                .map_err(|e| anyhow!("Failed to convert min_next_update to u64: {}", e))?,
+            not_before_max: max_last_update,
+            not_after_min: min_next_update,
         })
     }
 }

diff --git a/crates/quote-verifier/src/crypto.rs b/crates/quote-verifier/src/crypto.rs
@@ -10,7 +10,7 @@ use sha3::Keccak256;
 // The public_key is the public key (in uncompressed form [4][x][y]) of the entity that signed the data. (65 bytes)
 // Returns true if the signature is valid, false otherwise.
 pub fn verify_p256_signature_bytes(data: &[u8], signature: &[u8], public_key: &[u8]) -> Result<()> {
-    let signature = Signature::from_bytes(signature.try_into()?)?;
+    let signature = Signature::from_bytes(signature.into())?;
     let verifying_key = VerifyingKey::from_sec1_bytes(public_key)?;
     Ok(verifying_key.verify(data, &signature)?)
 }

diff --git a/crates/quote-verifier/src/enclave_identity.rs b/crates/quote-verifier/src/enclave_identity.rs
@@ -2,6 +2,7 @@ use crate::crypto::verify_p256_signature_bytes;
 use crate::verifier::ValidityIntersection;
 use crate::Result;
 use anyhow::{bail, Context};
+use core::str::FromStr;
 use dcap_types::enclave_identity::EnclaveIdentityV2TcbLevelItem;
 use dcap_types::{enclave_identity::EnclaveIdentityV2, EnclaveIdentityV2TcbStatus};
 use dcap_types::{SGX_TEE_TYPE, TDX_TEE_TYPE};

diff --git a/crates/quote-verifier/src/pck.rs b/crates/quote-verifier/src/pck.rs
@@ -25,8 +25,8 @@ pub fn validate_pck_cert<'a>(
     intel_sgx_root_cert: &X509Certificate<'_>,
     intel_crls: &IntelSgxCrls,
 ) -> Result<ValidityIntersection> {
-    let pck_subject_cn = get_x509_subject_cn(&pck_leaf_cert);
-    let pck_issuer_cn = get_x509_issuer_cn(&pck_leaf_cert);
+    let pck_subject_cn = get_x509_subject_cn(pck_leaf_cert);
+    let pck_issuer_cn = get_x509_issuer_cn(pck_leaf_cert);
 
     if pck_subject_cn != "Intel SGX PCK Certificate" {
         bail!("PCK Leaf Cert is not a PCK Cert");
@@ -37,14 +37,14 @@ pub fn validate_pck_cert<'a>(
     }
 
     // we'll check what kind of cert is it, and validate the appropriate CRL
-    if pck_issuer_cn != get_x509_subject_cn(&pck_issuer_cert) {
+    if pck_issuer_cn != get_x509_subject_cn(pck_issuer_cert) {
         bail!("PCK Leaf Cert and Issuer Cert do not match");
-    } else if get_x509_issuer_cn(&pck_issuer_cert) != get_x509_subject_cn(intel_sgx_root_cert) {
+    } else if get_x509_issuer_cn(pck_issuer_cert) != get_x509_subject_cn(intel_sgx_root_cert) {
         bail!("PCK Issuer Cert and Root Cert do not match");
     }
 
     // verify that the cert chain signatures are valid
-    verify_certchain_signature(&[&pck_leaf_cert, &pck_issuer_cert], intel_sgx_root_cert)
+    verify_certchain_signature(&[pck_leaf_cert, pck_issuer_cert], intel_sgx_root_cert)
         .context("Invalid PCK Chain")?;
 
     if intel_crls.is_cert_revoked(pck_leaf_cert)? {

diff --git a/crates/quote-verifier/src/quotes/mod.rs b/crates/quote-verifier/src/quotes/mod.rs
@@ -50,6 +50,7 @@ use x509_parser::certificate::X509Certificate;
 /// * The SGX extensions from the PCK leaf certificate
 /// * The TCB info
 /// * The validity intersection of all collaterals
+#[allow(clippy::too_many_arguments)]
 fn common_verify_and_fetch_tcb(
     quote_header: &QuoteHeader,
     quote_body: &QuoteBody,
@@ -62,7 +63,8 @@ fn common_verify_and_fetch_tcb(
     collaterals: &IntelCollateral,
     current_time: u64,
 ) -> Result<(
-    (EnclaveIdentityV2TcbStatus, Vec<String>),
+    EnclaveIdentityV2TcbStatus,
+    Vec<String>,
     SgxExtensions,
     TcbInfo,
     ValidityIntersection,
@@ -170,7 +172,8 @@ fn common_verify_and_fetch_tcb(
     }
 
     Ok((
-        (qe_tcb_status, advisory_ids),
+        qe_tcb_status,
+        advisory_ids,
         pck_cert_sgx_extensions,
         tcb_info,
         validity,
@@ -225,10 +228,7 @@ fn verify_qe_report(
 
     // https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/29bd3b0a3b46c1159907d656b45f378f97e7e686/Src/AttestationLibrary/src/Verifiers/EnclaveReportVerifier.cpp#L92
     // https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/7e5b2a13ca5472de8d97dd7d7024c2ea5af9a6ba/Src/AttestationLibrary/src/Verifiers/QuoteVerifier.cpp#L286
-    Ok(get_qe_tcbstatus(
-        qe_report.isv_svn,
-        &qeidentityv2.enclave_identity.tcb_levels,
-    )?)
+    get_qe_tcbstatus(qe_report.isv_svn, &qeidentityv2.enclave_identity.tcb_levels)
 }
 
 /// Verify the attestation signature for the quote (header + body) using the attestation public key