diff --git a/crates/collaterals/src/certs.rs b/crates/collaterals/src/certs.rs index 3c8aaf1..a971a90 100644 --- a/crates/collaterals/src/certs.rs +++ b/crates/collaterals/src/certs.rs @@ -1,6 +1,11 @@ -use crate::{sgx_extensions::sgx_extensions_to_bytes, utils::gen_key}; +use crate::{ + sgx_extensions::{sgx_extensions_to_bytes, SgxExtensionsBuilder}, + utils::gen_key, +}; use anyhow::bail; -use dcap_types::cert::SgxExtensions; +use dcap_types::cert::{ + SgxExtensions, SGX_PCK_CERT_CN, SGX_PCK_PLATFORM_CA_CN, SGX_PCK_PROCESSOR_CA_CN, +}; use openssl::{ asn1::{Asn1Integer, Asn1Object, Asn1OctetString, Asn1Time}, bn::BigNum, @@ -19,6 +24,17 @@ pub struct RootCa { pub crl: X509Crl, } +impl RootCa { + pub fn with_new_crl(&self, revoked_certs: Vec) -> Result { + let crl = gen_crl(&self.cert, &self.key, revoked_certs, None)?; + Ok(RootCa { + cert: self.cert.clone(), + key: self.key.clone(), + crl, + }) + } +} + pub fn gen_sgx_intel_root_ca( root_pkey: &PKey, validity: Validity, @@ -75,7 +91,7 @@ pub fn gen_root_ca( &root_key, root_cert_validity.unwrap_or_else(Validity::long_duration), )?; - let crl = gen_crl(&root_cert, &root_key, &[], crl_validity)?; + let crl = gen_crl(&root_cert, &root_key, vec![], crl_validity)?; Ok(RootCa { cert: root_cert, key: root_key, @@ -86,7 +102,7 @@ pub fn gen_root_ca( pub fn gen_crl( issuer_cert: &X509Ref, issuer_pkey: &PKeyRef, - revoked_certs: &[X509], + revoked_certs: Vec, crl_validity: Option, ) -> Result { let mut crl = X509Crl::new(issuer_cert, None)?; @@ -95,7 +111,7 @@ pub fn gen_crl( crl.set_next_update(&validity.not_after())?; crl.increment_crl_number()?; for cert in revoked_certs { - crl.revoke(cert)?; + crl.revoke(&cert)?; } crl.sign(issuer_pkey, MessageDigest::sha256())?; Ok(crl) @@ -104,7 +120,7 @@ pub fn gen_crl( pub fn gen_crl_der( issuer_cert: &X509Ref, issuer_pkey: &PKeyRef, - revoked_certs: &[X509], + revoked_certs: Vec, crl_validity: Option, ) -> Result, anyhow::Error> { Ok(gen_crl(issuer_cert, issuer_pkey, revoked_certs, crl_validity)?.to_der()?) @@ -177,28 +193,33 @@ pub fn gen_tcb_certchain( }) } -#[derive(Debug, Clone, Copy)] +#[derive(Debug, Clone, Copy, PartialEq, Eq)] pub enum PckCa { Processor, Platform, } impl PckCa { + /// Create a PckCa from the CN of the certificate pub fn from_cn(cn: &str) -> Result { - match cn { - "Intel SGX PCK Processor CA" => Ok(PckCa::Processor), - "Intel SGX PCK Platform CA" => Ok(PckCa::Platform), - _ => bail!("Invalid PCK CA CN: {}", cn), + if cn == SGX_PCK_PROCESSOR_CA_CN { + Ok(PckCa::Processor) + } else if cn == SGX_PCK_PLATFORM_CA_CN { + Ok(PckCa::Platform) + } else { + bail!("Invalid PCK CA CN: {}", cn) } } + /// Get the CN of the PckCa pub fn cn(&self) -> &'static str { match self { - PckCa::Processor => "Intel SGX PCK Processor CA", - PckCa::Platform => "Intel SGX PCK Platform CA", + PckCa::Processor => SGX_PCK_PROCESSOR_CA_CN, + PckCa::Platform => SGX_PCK_PLATFORM_CA_CN, } } + /// Get the type of the PckCa pub fn ca_type(&self) -> &'static str { match self { PckCa::Processor => "processor", @@ -277,7 +298,7 @@ pub fn gen_pck_cert( Asn1Integer::from_bn(BigNum::from_slice(calc_skid(pck_cert_pkey).as_slice())?.as_ref())? .as_ref(), )?; - builder.set_subject_name(build_x509_name("Intel SGX PCK Certificate")?.as_ref())?; + builder.set_subject_name(build_x509_name(SGX_PCK_CERT_CN)?.as_ref())?; builder.set_pubkey(pck_cert_pkey)?; builder.set_not_before(&validity.not_before())?; @@ -326,6 +347,40 @@ pub struct PckCertchain { pub pck_cert_crl: X509Crl, } +impl PckCertchain { + /// Generate a new PCK certificate and CRL + /// If `revoked` is true, the `self.pck_cert`` will be revoked in the CRL + pub fn gen_new_pck_cert(&self, revoked: bool) -> PckCertchain { + let pck_cert_key = gen_key(); + let pck_cert = gen_pck_cert( + &self.pck_cert_ca, + &self.pck_cert_ca_key, + &pck_cert_key, + &SgxExtensionsBuilder::new().build(), + Validity::new_with_duration(1, 60 * 60 * 24 * 365), + ) + .unwrap(); + let pck_cert_crl = gen_crl( + &self.pck_cert_ca, + &self.pck_cert_ca_key, + if revoked { + vec![self.pck_cert.clone()] + } else { + vec![] + }, + None, + ) + .unwrap(); + PckCertchain { + pck_cert_ca: self.pck_cert_ca.clone(), + pck_cert_ca_key: self.pck_cert_ca_key.clone(), + pck_cert, + pck_cert_key, + pck_cert_crl, + } + } +} + /// Generate Intel SGX Root CA and PCK Processor/Platform CA and PCK certificates and private keys and CRLs for testing pub fn gen_pck_certchain( root_ca: &RootCa, @@ -354,7 +409,7 @@ pub fn gen_pck_certchain( let pck_cert_crl = gen_crl( &pck_cert_ca, &pck_cert_ca_key, - &[], + vec![], pck_cert_ca_crl_validity, )?; Ok(PckCertchain { diff --git a/crates/quote-verifier/src/collaterals.rs b/crates/quote-verifier/src/collaterals.rs index 7c89004..3d315a3 100644 --- a/crates/quote-verifier/src/collaterals.rs +++ b/crates/quote-verifier/src/collaterals.rs @@ -10,7 +10,7 @@ use crate::Result; * IntelCollateral is a struct that holds the collateral data that is required to verify the * authenticity of the quote. This includes the TCBInfo, QEIdentity, certificates and CRLs. */ -#[derive(Clone, Debug)] +#[derive(Clone, Debug, Default)] pub struct IntelCollateral { /// TCBInfo in JSON format /// ref. https://api.portal.trustedservices.intel.com/content/documentation.html#pcs-tcb-info-model-v3 diff --git a/crates/quote-verifier/src/crl.rs b/crates/quote-verifier/src/crl.rs index db2c095..3aba8ca 100644 --- a/crates/quote-verifier/src/crl.rs +++ b/crates/quote-verifier/src/crl.rs @@ -1,47 +1,74 @@ -use crate::cert::get_crl_uri; use crate::{verifier::ValidityIntersection, Result}; -use anyhow::bail; +use anyhow::{bail, Context}; +use dcap_types::cert::{SGX_PCK_PLATFORM_CA_CN, SGX_PCK_PROCESSOR_CA_CN, SGX_ROOT_CA_CN}; use x509_parser::{certificate::X509Certificate, revocation_list::CertificateRevocationList}; +/// The type of CRL #[derive(Debug, PartialEq, Eq)] pub enum CrlType { + /// Intel SGX Root CA CRL. Issued by "Intel SGX Root CA" SgxRootCa, + /// Intel SGX PCK Processor CA CRL. Issued by "Intel SGX PCK Processor CA" SgxPckProcessor, + /// Intel SGX PCK Platform CA CRL. Issued by "Intel SGX PCK Platform CA" SgxPckPlatform, } +/// The CRLs issued by Intel SGX Root CA and Intel SGX PCK CA (Processor/Platform) #[derive(Debug)] pub struct IntelSgxCrls<'a> { + /// The CRL issued by Intel SGX Root CA pub sgx_root_ca_crl: CertificateRevocationList<'a>, + /// The CRL issued by Intel SGX PCK CA (Processor/Platform) pub sgx_pck_crl: CertificateRevocationList<'a>, + /// The type of the CRL issued by Intel SGX PCK CA (Processor/Platform) pub sgx_pck_crl_type: CrlType, } impl<'a> IntelSgxCrls<'a> { + /// Create a new Intel SGX CRLs + /// We assume that the signature of the CRLs are already verified + /// + /// # Arguments + /// - `sgx_root_ca_crl`: The CRL issued by Intel SGX Root CA. + /// - `sgx_pck_crl`: The CRL issued by Intel SGX PCK CA (Processor/Platform) pub fn new( sgx_root_ca_crl: CertificateRevocationList<'a>, sgx_pck_crl: CertificateRevocationList<'a>, ) -> crate::Result { - let sgx_root_ca_crl_type = - get_crl_type_from_issuer_cn(get_crl_issuer_cn(&sgx_root_ca_crl)?)?; + let sgx_root_ca_crl_type = get_crl_type_from_crl(&sgx_root_ca_crl)?; if sgx_root_ca_crl_type != CrlType::SgxRootCa { - bail!("Unexpected CRL issuer: {:?}", sgx_root_ca_crl_type); + bail!( + "Expected CRL type {:?}, got {:?}", + CrlType::SgxRootCa, + sgx_root_ca_crl_type + ); } - let sgx_pck_crl_type = get_crl_type_from_issuer_cn(get_crl_issuer_cn(&sgx_pck_crl)?)?; + let sgx_pck_crl_type = get_crl_type_from_crl(&sgx_pck_crl)?; match sgx_pck_crl_type { CrlType::SgxPckProcessor | CrlType::SgxPckPlatform => Ok(Self { sgx_root_ca_crl, sgx_pck_crl, sgx_pck_crl_type, }), - t => bail!("Unexpected CRL issuer: {:?}", t), + t => bail!( + "Expected CRL type {:?} or {:?}, got {:?}", + CrlType::SgxPckProcessor, + CrlType::SgxPckPlatform, + t + ), } } + /// Check if the certificate is revoked + /// We assume that the signature of the CRLs are already verified and the certificate is valid and the CRLs are valid in the current time + /// + /// # Arguments + /// - `cert`: The certificate to check if it is revoked pub fn is_cert_revoked(&self, cert: &X509Certificate) -> Result { - let crl = match get_crl_type(cert) { - Some(CrlType::SgxRootCa) => &self.sgx_root_ca_crl, - Some(CrlType::SgxPckProcessor) => { + let crl = match get_crl_type_from_cert(cert)? { + CrlType::SgxRootCa => &self.sgx_root_ca_crl, + CrlType::SgxPckProcessor => { if self.sgx_pck_crl_type != CrlType::SgxPckProcessor { bail!( "CRL type mismatch: expected {:?}, got {:?}", @@ -51,7 +78,7 @@ impl<'a> IntelSgxCrls<'a> { } &self.sgx_pck_crl } - Some(CrlType::SgxPckPlatform) => { + CrlType::SgxPckPlatform => { if self.sgx_pck_crl_type != CrlType::SgxPckPlatform { bail!( "CRL type mismatch: expected {:?}, got {:?}", @@ -61,14 +88,22 @@ impl<'a> IntelSgxCrls<'a> { } &self.sgx_pck_crl } - None => bail!("Unknown CRL URI"), }; // check if the cert is revoked given the crl + // NOTE: We assume that the each revoked certificate entry's `revocation_date` is older than or equal to the `last_update` of the CRL + // ref. https://github.com/intel/SGX-TDX-DCAP-QuoteVerificationLibrary/blob/20a199db982c2fa68d9d5aa971a4c8f6f78014bd/Src/AttestationLibrary/src/PckParser/CrlStore.cpp#L130 Ok(crl .iter_revoked_certificates() .any(|entry| entry.user_certificate == cert.tbs_certificate.serial)) } + /// Check the validity of the CRLs in the current time + /// + /// # Arguments + /// - `current_time`: The current time in seconds since UNIX epoch + /// + /// # Returns + /// - The intersection of the validity periods of the CRLs pub fn check_validity(&self, current_time: u64) -> Result { let mut max_last_update = u64::MIN; let mut min_next_update = u64::MAX; @@ -105,39 +140,156 @@ impl<'a> IntelSgxCrls<'a> { } } -/// Get the CRL type based on the CRL URI -fn get_crl_type(cert: &X509Certificate) -> Option { - let crl_uri = get_crl_uri(cert)?; - if crl_uri.contains("https://certificates.trustedservices.intel.com/IntelSGXRootCA.der") { - Some(CrlType::SgxRootCa) - } else if crl_uri - .contains("https://api.trustedservices.intel.com/sgx/certification/v3/pckcrl?ca=processor") - || crl_uri.contains( - "https://api.trustedservices.intel.com/sgx/certification/v4/pckcrl?ca=processor", - ) - { - Some(CrlType::SgxPckProcessor) - } else if crl_uri - .contains("https://api.trustedservices.intel.com/sgx/certification/v3/pckcrl?ca=platform") - || crl_uri.contains( - "https://api.trustedservices.intel.com/sgx/certification/v4/pckcrl?ca=platform", - ) - { - Some(CrlType::SgxPckPlatform) - } else { - None - } +/// Get the CRL type of the certificate +/// We assume that the issuer of the certificate issues the only one type of CRL +/// ref. p.5 https://download.01.org/intel-sgx/sgx-dcap/1.22/linux/docs/SGX_PCK_Certificate_CRL_Spec-1.4.pdf +fn get_crl_type_from_cert(cert: &X509Certificate) -> Result { + let issuer_cn = cert + .issuer() + .iter_common_name() + .next() + .context("No common name in the issuer")? + .as_str()?; + get_crl_type_from_issuer_cn(issuer_cn) } +/// Get the type of the CRL from the issuer common name of the CRL +/// We assume that the issuer of the crl issues the only one type of CRL +/// ref. p.5 https://download.01.org/intel-sgx/sgx-dcap/1.22/linux/docs/SGX_PCK_Certificate_CRL_Spec-1.4.pdf +fn get_crl_type_from_crl(crl: &CertificateRevocationList) -> Result { + get_crl_type_from_issuer_cn( + crl.issuer() + .iter_common_name() + .next() + .context("No common name in the issuer")? + .as_str()?, + ) +} + +/// Get the type of the CRL from the issuer common name fn get_crl_type_from_issuer_cn(issuer: &str) -> Result { - match issuer { - "Intel SGX Root CA" => Ok(CrlType::SgxRootCa), - "Intel SGX PCK Processor CA" => Ok(CrlType::SgxPckProcessor), - "Intel SGX PCK Platform CA" => Ok(CrlType::SgxPckPlatform), - _ => bail!("Unknown CRL issuer: {}", issuer), + if issuer == SGX_ROOT_CA_CN { + Ok(CrlType::SgxRootCa) + } else if issuer == SGX_PCK_PROCESSOR_CA_CN { + Ok(CrlType::SgxPckProcessor) + } else if issuer == SGX_PCK_PLATFORM_CA_CN { + Ok(CrlType::SgxPckPlatform) + } else { + bail!("Unknown CRL issuer: {}", issuer); } } -fn get_crl_issuer_cn<'a>(crl: &'a CertificateRevocationList) -> Result<&'a str> { - Ok(crl.issuer().iter_common_name().next().unwrap().as_str()?) +#[cfg(test)] +mod tests { + use super::*; + use crate::collaterals::IntelCollateral; + use dcap_collaterals::{ + certs::{gen_pck_certchain, gen_root_ca, PckCa}, + sgx_extensions::SgxExtensionsBuilder, + }; + use x509_parser::prelude::FromDer; + + #[test] + fn test_intel_sgx_crls() { + let root_ca = gen_root_ca(None, None).unwrap(); + for ca_type in [PckCa::Processor, PckCa::Platform] { + let pck_certchain = gen_pck_certchain( + &root_ca, + ca_type, + &SgxExtensionsBuilder::new().build(), + None, + None, + None, + ) + .unwrap(); + + // Test the case where the type of the given CRLs are correct + { + let collateral = IntelCollateral { + sgx_intel_root_ca_crl_der: root_ca.crl.to_der().unwrap(), + sgx_pck_crl_der: pck_certchain.pck_cert_crl.to_der().unwrap(), + ..Default::default() + }; + + // Error - Root CA CRL and PCK Platform CRL + let res = IntelSgxCrls::new( + collateral.get_sgx_pck_crl().unwrap(), + collateral.get_sgx_pck_crl().unwrap(), + ); + assert!(res.is_err(), "{:?}", res.ok()); + + // Error - Root CA CRL and Root CA CRL + let res = IntelSgxCrls::new( + collateral.get_sgx_intel_root_ca_crl().unwrap(), + collateral.get_sgx_intel_root_ca_crl().unwrap(), + ); + assert!(res.is_err(), "{:?}", res.ok()); + + // OK - Root CA CRL and PCK Processor CRL + let res = IntelSgxCrls::new( + collateral.get_sgx_intel_root_ca_crl().unwrap(), + collateral.get_sgx_pck_crl().unwrap(), + ); + assert!(res.is_ok(), "{:?}", res.err()); + let crls = res.unwrap(); + assert_eq!( + crls.sgx_pck_crl_type, + if ca_type == PckCa::Processor { + CrlType::SgxPckProcessor + } else { + CrlType::SgxPckPlatform + } + ); + let pck_cert_der = pck_certchain.pck_cert.to_der().unwrap(); + let (_, pck_cert) = X509Certificate::from_der(pck_cert_der.as_ref()).unwrap(); + let res = crls.is_cert_revoked(&pck_cert); + assert!(res.is_ok(), "{:?}", res.err()); + assert!(!res.unwrap(), "PCK cert should not be revoked"); + } + + // Test the case where the PCK cert is revoked + { + let pck_certchain2 = pck_certchain.gen_new_pck_cert(true); + let collateral = IntelCollateral { + sgx_intel_root_ca_crl_der: root_ca.crl.to_der().unwrap(), + sgx_pck_crl_der: pck_certchain2.pck_cert_crl.to_der().unwrap(), + ..Default::default() + }; + let res = IntelSgxCrls::new( + collateral.get_sgx_intel_root_ca_crl().unwrap(), + collateral.get_sgx_pck_crl().unwrap(), + ); + assert!(res.is_ok(), "{:?}", res.err()); + let crls = res.unwrap(); + let pck_cert_der = pck_certchain.pck_cert.to_der().unwrap(); + let (_, pck_cert) = X509Certificate::from_der(pck_cert_der.as_ref()).unwrap(); + let res = crls.is_cert_revoked(&pck_cert); + assert!(res.is_ok(), "{:?}", res.err()); + assert!(res.unwrap(), "PCK cert should be revoked"); + } + + // Test the case where the PCK CA cert is revoked + { + let root_ca2 = root_ca + .with_new_crl(vec![pck_certchain.pck_cert_ca.clone()]) + .unwrap(); + let collateral = IntelCollateral { + sgx_intel_root_ca_crl_der: root_ca2.crl.to_der().unwrap(), + sgx_pck_crl_der: pck_certchain.pck_cert_crl.to_der().unwrap(), + ..Default::default() + }; + let res = IntelSgxCrls::new( + collateral.get_sgx_intel_root_ca_crl().unwrap(), + collateral.get_sgx_pck_crl().unwrap(), + ); + assert!(res.is_ok(), "{:?}", res.err()); + let crls = res.unwrap(); + let pck_cert_ca_der = pck_certchain.pck_cert_ca.to_der().unwrap(); + let (_, pck_cert_ca) = X509Certificate::from_der(pck_cert_ca_der.as_ref()).unwrap(); + let res = crls.is_cert_revoked(&pck_cert_ca); + assert!(res.is_ok(), "{:?}", res.err()); + assert!(res.unwrap(), "PCK CA cert should be revoked"); + } + } + } } diff --git a/crates/quote-verifier/src/pck.rs b/crates/quote-verifier/src/pck.rs index 2d47e24..24d3420 100644 --- a/crates/quote-verifier/src/pck.rs +++ b/crates/quote-verifier/src/pck.rs @@ -3,6 +3,7 @@ use crate::crl::IntelSgxCrls; use crate::verifier::ValidityIntersection; use crate::Result; use anyhow::{bail, Context}; +use dcap_types::cert::{SGX_PCK_CERT_CN, SGX_PCK_PLATFORM_CA_CN, SGX_PCK_PROCESSOR_CA_CN}; use x509_parser::certificate::X509Certificate; /** @@ -28,11 +29,9 @@ pub fn validate_pck_cert<'a>( let pck_subject_cn = get_x509_subject_cn(pck_leaf_cert); let pck_issuer_cn = get_x509_issuer_cn(pck_leaf_cert); - if pck_subject_cn != "Intel SGX PCK Certificate" { + if pck_subject_cn != SGX_PCK_CERT_CN { bail!("PCK Leaf Cert is not a PCK Cert"); - } else if pck_issuer_cn != "Intel SGX PCK Processor CA" - && pck_issuer_cn != "Intel SGX PCK Platform CA" - { + } else if pck_issuer_cn != SGX_PCK_PROCESSOR_CA_CN && pck_issuer_cn != SGX_PCK_PLATFORM_CA_CN { bail!("PCK Issuer Cert is not a PCK CA Cert"); } @@ -113,7 +112,7 @@ mod tests { let pck_ca_crl = gen_crl_der( &pck_certchain.pck_cert_ca, &pck_certchain.pck_cert_ca_key, - &[pck_certchain.pck_cert.clone()], + vec![pck_certchain.pck_cert.clone()], None, ) .unwrap(); @@ -142,7 +141,7 @@ mod tests { let root_ca_crl = gen_crl_der( &root_ca.cert, &root_ca.key, - &[pck_certchain.pck_cert_ca.clone()], + vec![pck_certchain.pck_cert_ca.clone()], None, ) .unwrap(); diff --git a/crates/quote-verifier/src/tcbinfo.rs b/crates/quote-verifier/src/tcbinfo.rs index 897b96c..9233659 100644 --- a/crates/quote-verifier/src/tcbinfo.rs +++ b/crates/quote-verifier/src/tcbinfo.rs @@ -3,6 +3,7 @@ use crate::crypto::verify_p256_signature_bytes; use crate::verifier::ValidityIntersection; use crate::Result; use anyhow::{bail, Context}; +use dcap_types::cert::SGX_TCB_SIGNING_CERT_CN; use dcap_types::tcbinfo::TcbInfoV3; use dcap_types::{SGX_TEE_TYPE, TDX_TEE_TYPE}; use x509_parser::prelude::X509Certificate; @@ -28,7 +29,7 @@ pub fn validate_tcb_signing_certificate( intel_sgx_root_cert: &X509Certificate, intel_crls: &IntelSgxCrls, ) -> Result { - if get_x509_subject_cn(tcb_signing_cert) != "Intel SGX TCB Signing" { + if get_x509_subject_cn(tcb_signing_cert) != SGX_TCB_SIGNING_CERT_CN { bail!("Invalid TCB Signing Cert Subject"); } else if get_x509_issuer_cn(tcb_signing_cert) != get_x509_subject_cn(intel_sgx_root_cert) { bail!("TCB Signing Cert and Root Cert do not match"); @@ -153,7 +154,7 @@ mod tests { let root_ca_crl = gen_crl_der( &root_ca.cert, &root_ca.key, - &[tcb_certchain.cert.clone()], + vec![tcb_certchain.cert.clone()], None, ) .unwrap(); @@ -180,7 +181,7 @@ mod tests { let pck_ca_crl = gen_crl_der( &pck_certchain.pck_cert_ca, &pck_certchain.pck_cert_ca_key, - &[tcb_certchain.cert.clone()], + vec![tcb_certchain.cert.clone()], None, ) .unwrap(); diff --git a/crates/types/src/cert.rs b/crates/types/src/cert.rs index 1219360..bbdf966 100644 --- a/crates/types/src/cert.rs +++ b/crates/types/src/cert.rs @@ -1,5 +1,11 @@ use serde::{Deserialize, Serialize}; +pub const SGX_ROOT_CA_CN: &str = "Intel SGX Root CA"; +pub const SGX_PCK_PLATFORM_CA_CN: &str = "Intel SGX PCK Platform CA"; +pub const SGX_PCK_PROCESSOR_CA_CN: &str = "Intel SGX PCK Processor CA"; +pub const SGX_PCK_CERT_CN: &str = "Intel SGX PCK Certificate"; +pub const SGX_TCB_SIGNING_CERT_CN: &str = "Intel SGX TCB Signing"; + #[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)] #[serde(rename_all = "camelCase")] pub struct SgxExtensionTcbLevel { diff --git a/zkvm/risc0/artifacts/dcap-quote-verifier b/zkvm/risc0/artifacts/dcap-quote-verifier index 34428b5..6d657bb 100644 Binary files a/zkvm/risc0/artifacts/dcap-quote-verifier and b/zkvm/risc0/artifacts/dcap-quote-verifier differ diff --git a/zkvm/risc0/src/methods.rs b/zkvm/risc0/src/methods.rs index a7620f4..241db02 100644 --- a/zkvm/risc0/src/methods.rs +++ b/zkvm/risc0/src/methods.rs @@ -1,4 +1,4 @@ -pub const DCAP_QUOTE_VERIFIER_ID: [u32; 8] = [1431900809, 3770780031, 3053255185, 442616749, 2525666630, 3278113115, 2914535527, 4088667128]; -pub const DCAP_QUOTE_VERIFIER_ID_STR: &str = "891259557f89c1e011fafcb5adcb611a469d8a965b0964c36748b8adf81bb4f3"; +pub const DCAP_QUOTE_VERIFIER_ID: [u32; 8] = [508812682, 2193709382, 583002842, 3917890841, 2979487546, 1082187849, 1316345039, 1446235349]; +pub const DCAP_QUOTE_VERIFIER_ID_STR: &str = "8add531e4659c182daeabf22194586e93a5f97b149e08040cfd4754ed5cc3356"; pub const DCAP_QUOTE_VERIFIER_ELF: &[u8] = include_bytes!("../artifacts/dcap-quote-verifier");