From fa7615a7d2bdbacd5ea7de20ab5f1861c88bd9b8 Mon Sep 17 00:00:00 2001 From: peg Date: Tue, 23 Jun 2026 11:09:35 +0200 Subject: [PATCH] Bump dcap-qvl to 0.5.2 --- Cargo.lock | 221 +++++++++++++++--- Cargo.toml | 2 +- crates/attestation/src/azure/mod.rs | 17 +- crates/attestation/src/dcap.rs | 31 ++- .../mock-tdx/assets/mock-dcap-collateral.yaml | 58 ++--- crates/mock-tdx/assets/mock-pck-chain.pem | 12 +- crates/mock-tdx/assets/mock-root-ca.der | Bin 400 -> 400 bytes crates/mock-tdx/src/lib.rs | 13 +- crates/mock-tdx/src/main.rs | 8 +- crates/pccs/src/lib.rs | 11 +- 10 files changed, 261 insertions(+), 112 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 18e3ed4..1171263 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -341,7 +341,7 @@ dependencies = [ "anyhow", "az-tdx-vtpm", "base64 0.22.1", - "dcap-qvl 0.3.12 (git+https://github.com/Phala-Network/dcap-qvl.git?rev=f1dcc65371e941a7b83e3234833d23a1fb232ab1)", + "dcap-qvl 0.5.2", "hex", "http 1.4.0", "mock-tdx", @@ -701,19 +701,20 @@ dependencies = [ [[package]] name = "borsh" -version = "1.6.0" +version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d1da5ab77c1437701eeff7c88d968729e7766172279eab0676857b3d63af7a6f" +checksum = "2f3f6da4992df95bbcd9af42a6c7dcb994498fc9048230405f3b36ff7cd3f145" dependencies = [ "borsh-derive", + "bytes", "cfg_aliases", ] [[package]] name = "borsh-derive" -version = "1.6.0" +version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0686c856aa6aac0c4498f936d7d6a02df690f614c03e4d906d1018062b5c5e2c" +checksum = "3ae8fb4fb5740e4b2c4884ff95f5f32f5e8479db1e8fd8eb49ddbe09eb09bb7c" dependencies = [ "once_cell", "proc-macro-crate", 
@@ -840,6 +841,17 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724" +[[package]] +name = "chacha20" +version = "0.10.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6f8d983286843e49675a4b7a2d174efe136dc93a18d69130dd18198a6c167601" +dependencies = [ + "cfg-if", + "cpufeatures 0.3.0", + "rand_core 0.10.1", +] + [[package]] name = "chrono" version = "0.4.44" @@ -1000,6 +1012,16 @@ dependencies = [ "unicode-segmentation", ] +[[package]] +name = "core-foundation" +version = "0.9.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation" version = "0.10.1" @@ -1252,8 +1274,9 @@ dependencies = [ [[package]] name = "dcap-qvl" -version = "0.3.12" -source = "git+https://github.com/Phala-Network/dcap-qvl.git?rev=f1dcc65371e941a7b83e3234833d23a1fb232ab1#f1dcc65371e941a7b83e3234833d23a1fb232ab1" +version = "0.5.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92a14fb8954c867d6855e44d98eab18e769816357738406691ebe60d8fdd005d" dependencies = [ "anyhow", "asn1_der", @@ -1271,7 +1294,7 @@ dependencies = [ "p256", "parity-scale-codec", "pem", - "reqwest 0.12.28", + "reqwest 0.13.4", "ring", "rustls-pki-types", "scale-info", @@ -1459,7 +1482,7 @@ source = "git+https://github.com/Dstack-TEE/dstack.git?rev=07d2cf6bd376a3c56f855 dependencies = [ "anyhow", "cc-eventlog 0.5.11", - "dcap-qvl 0.3.12 (registry+https://github.com/rust-lang/crates.io-index)", + "dcap-qvl 0.3.12", "dstack-types", "errify", "ez-hash", @@ -1903,6 +1926,7 @@ dependencies = [ "cfg-if", "libc", "r-efi 6.0.0", + "rand_core 0.10.1", "wasip2", "wasip3", ] 
@@ -1968,6 +1992,30 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b07f60793ff0a4d9cef0f18e63b5357e06209987153a64648c972c1e5aff336f" +[[package]] +name = "hickory-net" +version = "0.26.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e2295ed2f9c31e471e1428a8f88a3f0e1f4b27c15049592138d1eebe9c35b183" +dependencies = [ + "async-trait", + "cfg-if", + "data-encoding", + "futures-channel", + "futures-io", + "futures-util", + "hickory-proto 0.26.1", + "idna", + "ipnet", + "jni", + "rand 0.10.1", + "thiserror 2.0.18", + "tinyvec", + "tokio", + "tracing", + "url", +] + [[package]] name = "hickory-proto" version = "0.25.2" @@ -1993,6 +2041,26 @@ dependencies = [ "url", ] +[[package]] +name = "hickory-proto" +version = "0.26.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0bab31817bfb44672a252e97fe81cd0c18d1b2cf892108922f6818820df8c643" +dependencies = [ + "data-encoding", + "idna", + "ipnet", + "jni", + "once_cell", + "prefix-trie", + "rand 0.10.1", + "ring", + "thiserror 2.0.18", + "tinyvec", + "tracing", + "url", +] + [[package]] name = "hickory-resolver" version = "0.25.2" @@ -2001,7 +2069,7 @@ checksum = "dc62a9a99b0bfb44d2ab95a7208ac952d31060efc16241c87eaf36406fecf87a" dependencies = [ "cfg-if", "futures-util", - "hickory-proto", + "hickory-proto 0.25.2", "ipconfig", "moka", "once_cell", 
@@ -2014,6 +2082,32 @@ dependencies = [ "tracing", ] +[[package]] +name = "hickory-resolver" +version = "0.26.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f0d58d28879ceecde6607729660c2667a081ccdc082e082675042793960f178c" +dependencies = [ + "cfg-if", + "futures-util", + "hickory-net", + "hickory-proto 0.26.1", + "ipconfig", + "ipnet", + "jni", + "moka", + "ndk-context", + "once_cell", + "parking_lot", + "rand 0.10.1", + "resolv-conf", + "smallvec", + "system-configuration", + "thiserror 2.0.18", + "tokio", + "tracing", +] + [[package]] name = "hkdf" version = "0.12.4" @@ -2340,6 +2434,9 @@ name = "ipnet" version = "2.12.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2" +dependencies = [ + "serde", +] [[package]] name = "iri-string" @@ -2444,11 +2541,12 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.91" +version = "0.3.102" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b49715b7073f385ba4bc528e5747d02e66cb39c6146efb66b781f131f0fb399c" +checksum = "03d04c30968dffe80775bd4d7fb676131cd04a1fb46d2686dbffbaec2d9dfd31" dependencies = [ - "once_cell", + "cfg-if", + "futures-util", "wasm-bindgen", ] @@ -2647,7 +2745,7 @@ name = "mock-tdx" version = "0.0.1" dependencies = [ "axum", - "dcap-qvl 0.3.12 (git+https://github.com/Phala-Network/dcap-qvl.git?rev=f1dcc65371e941a7b83e3234833d23a1fb232ab1)", + "dcap-qvl 0.5.2", "hex", "p256", "parity-scale-codec", @@ -2681,6 +2779,12 @@ dependencies = [ "uuid", ] +[[package]] +name = "ndk-context" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "27b02d87554356db9e9a873add8782d4ea6e3e58ea071a9adb9a2e8ddb884a8b" + [[package]] name = "nested-tls" version = "0.0.1" 
@@ -3005,7 +3109,7 @@ name = "pccs" version = "0.0.1" dependencies = [ "anyhow", - "dcap-qvl 0.3.12 (git+https://github.com/Phala-Network/dcap-qvl.git?rev=f1dcc65371e941a7b83e3234833d23a1fb232ab1)", + "dcap-qvl 0.5.2", "hex", "mock-tdx", "rcgen 0.14.7", @@ -3178,6 +3282,17 @@ dependencies = [ "zerocopy", ] +[[package]] +name = "prefix-trie" +version = "0.8.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4cf6e3177f0684016a5c209b00882e15f8bdd3f3bb48f0491df10cd102d0c6e7" +dependencies = [ + "either", + "ipnet", + "num-traits", +] + [[package]] name = "prettyplease" version = "0.2.37" @@ -3313,7 +3428,7 @@ dependencies = [ "anyhow", "bon", "cc-eventlog 0.5.11", - "dcap-qvl 0.3.12 (registry+https://github.com/rust-lang/crates.io-index)", + "dcap-qvl 0.3.12", "dstack-attest", "dstack-types", "elliptic-curve", @@ -3369,6 +3484,17 @@ dependencies = [ "rand_core 0.9.5", ] +[[package]] +name = "rand" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d2e8e8bcc7961af1fdac401278c6a831614941f6164ee3bf4ce61b7edb162207" +dependencies = [ + "chacha20", + "getrandom 0.4.2", + "rand_core 0.10.1", +] + [[package]] name = "rand_chacha" version = "0.3.1" @@ -3407,6 +3533,12 @@ dependencies = [ "getrandom 0.3.4", ] +[[package]] +name = "rand_core" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "63b8176103e19a2643978565ca18b50549f6101881c443590420e4dc998a3c69" + [[package]] name = "rayon" version = "1.11.0" @@ -3525,7 +3657,7 @@ dependencies = [ "futures-channel", "futures-core", "futures-util", - "hickory-resolver", + "hickory-resolver 0.25.2", "http 1.4.0", "http-body", "http-body-util", @@ -3565,6 +3697,7 @@ dependencies = [ "base64 0.22.1", "bytes", "futures-core", + "hickory-resolver 0.26.1", "http 1.4.0", "http-body", "http-body-util", 
@@ -3573,6 +3706,7 @@ dependencies = [ "hyper-util", "js-sys", "log", + "once_cell", "percent-encoding", "pin-project-lite", "quinn", @@ -3744,7 +3878,7 @@ version = "0.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "26d1e2536ce4f35f4846aa13bff16bd0ff40157cdb14cc056c7b14ba41233ba0" dependencies = [ - "core-foundation", + "core-foundation 0.10.1", "core-foundation-sys", "jni", "log", @@ -3870,7 +4004,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b7f4bc775c73d9a02cde8bf7b2ec4c9d12743edf609006c7facc23998404cd1d" dependencies = [ "bitflags 2.11.0", - "core-foundation", + "core-foundation 0.10.1", "core-foundation-sys", "libc", "security-framework-sys", @@ -4243,6 +4377,27 @@ dependencies = [ "syn", ] +[[package]] +name = "system-configuration" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a13f3d0daba03132c0aa9767f98351b3488edc2c100cda2d2ec2b04f3d8d3c8b" +dependencies = [ + "bitflags 2.11.0", + "core-foundation 0.9.4", + "system-configuration-sys", +] + +[[package]] +name = "system-configuration-sys" +version = "0.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8e1d1b10ced5ca923a1fcb8d03e96b8d3268065d724548c0211415ff6ac6bac4" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "tagptr" version = "0.2.0" @@ -4855,9 +5010,9 @@ dependencies = [ [[package]] name = "wasm-bindgen" -version = "0.2.114" +version = "0.2.125" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6532f9a5c1ece3798cb1c2cfdba640b9b3ba884f5db45973a6f442510a87d38e" +checksum = "8ddb3f79143bced6de84270411622a2699cee572fc0875aeaf1e7867cf9fca1a" dependencies = [ "cfg-if", "once_cell", 
@@ -4868,23 +5023,19 @@ dependencies = [ [[package]] name = "wasm-bindgen-futures" -version = "0.4.64" +version = "0.4.75" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e9c5522b3a28661442748e09d40924dfb9ca614b21c00d3fd135720e48b67db8" +checksum = "503b14d284f2c8dac03b819967e155ea753f573586193b2b2c95990cb5d69280" dependencies = [ - "cfg-if", - "futures-util", "js-sys", - "once_cell", "wasm-bindgen", - "web-sys", ] [[package]] name = "wasm-bindgen-macro" -version = "0.2.114" +version = "0.2.125" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "18a2d50fcf105fb33bb15f00e7a77b772945a2ee45dcf454961fd843e74c18e6" +checksum = "4e21a184b13fb19e157296e2c46056aec9092264fab83e4ba59e68c61b323c3d" dependencies = [ "quote", "wasm-bindgen-macro-support", @@ -4892,9 +5043,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.114" +version = "0.2.125" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "03ce4caeaac547cdf713d280eda22a730824dd11e6b8c3ca9e42247b25c631e3" +checksum = "fecefd9c35bd935a20fc3fc344b5f29138961e4f47fb03297d88f2587afb5ebd" dependencies = [ "bumpalo", "proc-macro2", @@ -4905,9 +5056,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-shared" -version = "0.2.114" +version = "0.2.125" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "75a326b8c223ee17883a4251907455a2431acc2791c98c26279376490c378c16" +checksum = "23939e44bb9a5d7576fa2b563dc2e136628f1224e88a8deed09e04858b77871f" dependencies = [ "unicode-ident", ] @@ -4948,9 +5099,9 @@ dependencies = [ [[package]] name = "web-sys" -version = "0.3.91" +version = "0.3.102" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "854ba17bb104abfb26ba36da9729addc7ce7f06f5c0f90f3c391f8461cca21f9" +checksum = "a6430a72df5eb332242960fe84b3002a241163998241eb596d4f739b9757061d" dependencies = [ "js-sys", "wasm-bindgen", 
diff --git a/Cargo.toml b/Cargo.toml
index 7b56e67..5bf2756 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -26,5 +26,5 @@ reqwest = { version = "0.13.4", default-features = false, features = ["rustls"]
 rustls = { version = "0.23.37", default-features = false, features = ["brotli"] }
 tokio = { version = "1.50.0", features = ["default"] }
 tokio-rustls = { version = "0.26.4", default-features = false }
-dcap-qvl = { git = "https://github.com/Phala-Network/dcap-qvl.git", rev = "f1dcc65371e941a7b83e3234833d23a1fb232ab1" }
+dcap-qvl = "0.5.2"
 pccs = { path = "crates/pccs" }
diff --git a/crates/attestation/src/azure/mod.rs b/crates/attestation/src/azure/mod.rs
index 42c88ed..91d5648 100644
--- a/crates/attestation/src/azure/mod.rs
+++ b/crates/attestation/src/azure/mod.rs
@@ -663,16 +663,13 @@ mod test_utils {
 let quote_bytes = BASE64_URL_SAFE.decode(&attestation_document.tdx_quote_base64).unwrap();
 let quote = dcap_qvl::quote::Quote::parse(&quot;e_bytes).unwrap();
- let ca = quote.ca().unwrap();
- let fmspc = hex::encode_upper(quote.fmspc().unwrap());
- let collateral = dcap_qvl::collateral::get_collateral_for_fmspc(
- PCS_URL,
- fmspc.clone(),
- ca,
- false, // TDX, not SGX.
- )
- .await
- .unwrap();
+ let ca = dcap_qvl::intel::quote_ca(&quot;e).unwrap().as_id_str();
+ let fmspc = hex::encode_upper(dcap_qvl::intel::quote_fmspc(&quot;e).unwrap());
+ let collateral = dcap_qvl::collateral::CollateralClient::with_default_http(PCS_URL)
+ .unwrap()
+ .fetch_for_fmspc_without_pck_chain(&fmspc, ca, false)
+ .await
+ .unwrap();
 let timestamp = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH).unwrap().as_secs();
diff --git a/crates/attestation/src/dcap.rs b/crates/attestation/src/dcap.rs
index dca2c10..4567b95 100644
--- a/crates/attestation/src/dcap.rs
+++ b/crates/attestation/src/dcap.rs
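Review bot: The `false` argument in the new `.fetch_for_fmspc_without_pck_chain(&fmspc, ca, false)` call has lost the `// TDX, not SGX.` explanation that the removed `get_collateral_for_fmspc` call carried, so the boolean is now an unexplained literal at the call site; the same happens in `crates/attestation/src/dcap.rs` (hunk `@@ -130,13 +131,9 @@`, where the old line said `// Indicates not SGX`) and in `fetch_collateral` in `crates/pccs/src/lib.rs`. Keep the comment on the new line at all three sites: `.fetch_for_fmspc_without_pck_chain(&fmspc, ca, false) // TDX quote, not SGX`. If the `_without_pck_chain` variant means the PCK chain is taken from the quote rather than fetched with the collateral, one more clause in that comment would make the choice visible to a reader who only sees this call. The enclosing test_utils function starts and ends outside the hunk.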
@@ -2,7 +2,8 @@ //! verification
 use dcap_qvl::{
 QuoteCollateralV3,
- collateral::get_collateral_for_fmspc,
+ collateral::CollateralClient,
+ intel::{quote_ca, quote_fmspc},
 quote::{Quote, Report},
 tcb_info::TcbInfo,
 };
@@ -87,8 +88,8 @@ pub fn verify_dcap_attestation_with_timestamp_sync(
 ) -> Result {
 let quote = Quote::parse(&input)?;
- let ca = quote.ca()?;
- let fmspc = hex::encode_upper(quote.fmspc()?);
+ let ca = quote_ca(&quot;e)?.as_id_str();
+ let fmspc = hex::encode_upper(quote_fmspc(&quot;e)?);
 let collateral = if let Some(given_collateral) = collateral {
 given_collateral
@@ -121,8 +122,8 @@ pub async fn verify_dcap_attestation_with_given_timestamp(
 ) -> Result {
 let quote = Quote::parse(&input)?;
- let ca = quote.ca()?;
- let fmspc = hex::encode_upper(quote.fmspc()?);
+ let ca = quote_ca(&quot;e)?.as_id_str();
+ let fmspc = hex::encode_upper(quote_fmspc(&quot;e)?);
 let collateral = if let Some(given_collateral) = collateral {
 given_collateral
@@ -130,13 +131,9 @@ pub async fn verify_dcap_attestation_with_given_timestamp(
 let (collateral, _is_fresh) = pccs.get_collateral(fmspc.clone(), ca, now).await?;
 collateral
 } else {
- get_collateral_for_fmspc(
- PCS_URL,
- fmspc.clone(),
- ca,
- false, // Indicates not SGX
- )
- .await?
+ CollateralClient::with_default_http(PCS_URL)?
+ .fetch_for_fmspc_without_pck_chain(&fmspc, ca, false)
+ .await?
 };
 verify_dcap_attestation_with_collateral_and_timestamp(
@@ -159,7 +156,7 @@ fn verify_dcap_attestation_with_collateral_and_timestamp(
 ) -> Result {
 tracing::info!("Verifying DCAP attestation: {quote:?}");
- let fmspc = hex::encode_upper(quote.fmspc()?);
+ let fmspc = hex::encode_upper(quote_fmspc(&quot;e)?);
 // Override outdated TCB only if we are on Azure and the FMSPC is known to
 // be outdated
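Review bot: `CollateralClient::with_default_http(PCS_URL)?` in the `else` branch of hunk `@@ -130,13 +131,9 @@` constructs a fresh client on every verification that arrives without a PCCS, whereas the removed `get_collateral_for_fmspc` call kept whatever client setup it needed out of this function. If `with_default_http` builds a TLS-capable HTTP client, that setup is repeated per quote; a module-level `std::sync::OnceLock<CollateralClient>` (if the type is `Send + Sync`) or passing a client in alongside `PCS_URL` would make it one-time, but whether that is worth it depends on what `with_default_http` does, which is not visible here. Either way a one-line comment on the new line, `// No PCCS configured: fetch collateral directly from Intel PCS.`, would say why this path exists next to the cached one above it. `verify_dcap_attestation_with_given_timestamp` starts and ends outside the hunk.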
@@ -211,8 +208,8 @@ pub async fn verify_dcap_attestation(
 pccs: Option,
 ) -> Result {
 let quote = Quote::parse(&input)?;
- let ca = quote.ca()?;
- let fmspc = hex::encode_upper(quote.fmspc()?);
+ let ca = quote_ca(&quot;e)?.as_id_str();
+ let fmspc = hex::encode_upper(quote_fmspc(&quot;e)?);
 let now = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH)?.as_secs();
 let collateral = if let Some(ref pccs) = pccs {
 let (collateral, _is_fresh) = pccs.get_collateral(fmspc, ca, now).await?;
@@ -238,8 +235,8 @@ pub fn verify_dcap_attestation_sync(
 pccs: Pccs,
 ) -> Result {
 let quote = Quote::parse(&input)?;
- let ca = quote.ca()?;
- let fmspc = hex::encode_upper(quote.fmspc()?);
+ let ca = quote_ca(&quot;e)?.as_id_str();
+ let fmspc = hex::encode_upper(quote_fmspc(&quot;e)?);
 let now = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH)?.as_secs();
 let collateral = pccs.get_collateral_sync(fmspc, ca, now)?;
 let verifier = mock_tdx::mock_dcap_verifier();
diff --git a/crates/mock-tdx/assets/mock-dcap-collateral.yaml b/crates/mock-tdx/assets/mock-dcap-collateral.yaml
index 65edd7b..da2e1ba 100644
--- a/crates/mock-tdx/assets/mock-dcap-collateral.yaml
+++ b/crates/mock-tdx/assets/mock-dcap-collateral.yaml
@@ -7,8 +7,8 @@ pck_crl_issuer_chain: | U3LfYiHqOhN1V+Rz/dtnVfBb1QfDxTP86ckShaNjMGEwHwYDVR0jBBgwFoAUdoBa Y6aYDBgHVCShPzJ3LQLXxxswDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBS/y6K3 QqgHu7crUi+kaUxGBP9o6zAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0kA - MEYCIQCvhCZKzOyaNkad7y1vBE4SKtT8nRZqCx/Y82ugmDoAjgIhAIs/9uHaNmOD - Uip8B/h+JVgIm8FoNs5EOc5D/PkyoEKk + MEYCIQD89W1J6retVRfhlatWf1dGo2eGTeNLt0boodhEQWsh0gIhALy/gS3FYKvW + uGlyLQIAgkmXdONSk3Zr/9KWsRlUzSZ3 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBjDCCATKgAwIBAgIBATAKBggqhkjOPQQDAjAdMRswGQYDVQQDDBJNb2NrIElu
@@ -17,14 +17,14 @@ pck_crl_issuer_chain: | BwNCAAQCF+YX8LZEOSgnj5aZnmmiOk8sFSvfbWzfZuW4AoLU7RlKfevLl3EtLdo8 qFqodlpW9F/HWFmWUvKJfGUwbleUo2MwYTAfBgNVHSMEGDAWgBR2gFpjppgMGAdU JKE/MnctAtfHGzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFHaAWmOmmAwYB1Qk - oT8ydy0C18cbMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhANOM - o5zM6NZ93Iewr2S2g0MiM+6mMJaJNDfY5pXp82amAiBXJ1pB709SgQCgRmICY6GJ - LsG1gRFnBX+0dG80hRXdPA== + oT8ydy0C18cbMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIwO + 8YQHeXcarVp8UjFEbRCISwPyngJ86p4X2rr6XyGzAiBexJXkCBh/H7vmk4Jicih9 + 5iKbc/dtGsAlXBmRNaN6rg== -----END CERTIFICATE----- root_ca_crl: >- - 3081d5307d020101300a06082a8648ce3d040302301d311b301906035504030c124d6f636b20496e74656c20526f6f74204341170d3235303130313030303030305a170d3435303130313030303030305aa02f302d301f0603551d2304183016801476805a63a6980c18075424a13f32772d02d7c71b300a0603551d140403020101300a06082a8648ce3d0403020348003045022034caddb53533343cde3c792b6a4457ce1685d07fda266591d276774ace219a3f022100a26423311d592db905ef49ab329ffce8b1ef4e0e0fd05b56f4085789038b035b + 3081d4307d020101300a06082a8648ce3d040302301d311b301906035504030c124d6f636b20496e74656c20526f6f74204341170d3235303130313030303030305a170d3435303130313030303030305aa02f302d301f0603551d2304183016801476805a63a6980c18075424a13f32772d02d7c71b300a0603551d140403020101300a06082a8648ce3d040302034700304402206882efeeaaeaf781785bc9ce78adf44c1300c20a70ef771ea24527226cc0ea9b02202abf57f738870145387f777edacdfc39eb777e5babb279f1b696c4f35d389853 pck_crl: >- - 3081dc308184020101300a06082a8648ce3d04030230243122302006035504030c194d6f636b20496e74656c20544342205369676e696e67204341170d3235303130313030303030305a170d3435303130313030303030305aa02f302d301f0603551d23041830168014bfcba2b742a807bbb72b522fa4694c4604ff68eb300a0603551d140403020102300a06082a8648ce3d040302034700304402205062b6aee1fea13dea47a816f419df3da4af7f71a2a98887d027c72d983366f2022030f8baae33ab09b7d9826ad238761e6e365079671d1e1cb31ee1e339d8da4249 + 
3081dc308184020101300a06082a8648ce3d04030230243122302006035504030c194d6f636b20496e74656c20544342205369676e696e67204341170d3235303130313030303030305a170d3435303130313030303030305aa02f302d301f0603551d23041830168014bfcba2b742a807bbb72b522fa4694c4604ff68eb300a0603551d140403020102300a06082a8648ce3d040302034700304402201d3c43e36db05a848e7839f43f86246c618a7860318b1ce0484d692eda71b79602202aac417042ae47d9cb6a7b19a4649e46ef6c1434aa1160f3f60eea1989c59a00 tcb_info_issuer_chain: | -----BEGIN CERTIFICATE----- MIIBlzCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAkMSIwIAYDVQQDDBlNb2NrIElu @@ -34,8 +34,8 @@ tcb_info_issuer_chain: | EFInErC1p8/wgWhUhphKlOaDHtrEbnNg+p2DSnqBoaNjMGEwHwYDVR0jBBgwFoAU v8uit0KoB7u3K1IvpGlMRgT/aOswDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBST 7j5t5QAoWFiJAKg4c8ROKT5hpTAPBgNVHRMBAf8EBTADAQEAMAoGCCqGSM49BAMC - A0kAMEYCIQCAhGx8v+2u1fXhC8xMtzeouG654iUvC684nd3q7TBHMwIhAKqvK38E - Mu8JWo589cyxCqsAErRhSodsqUcW/MyDC0hL + A0kAMEYCIQDi3oq/vQ4ZQD8i6MFGb/STIjwx7v8fX3xGmj5jHtGAWwIhAJ+sKdZe + fTxpwah87AqNRNKOue0fCesiwV1KWYSFcrMB -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBlDCCATmgAwIBAgIBAjAKBggqhkjOPQQDAjAdMRswGQYDVQQDDBJNb2NrIElu @@ -45,8 +45,8 @@ tcb_info_issuer_chain: | U3LfYiHqOhN1V+Rz/dtnVfBb1QfDxTP86ckShaNjMGEwHwYDVR0jBBgwFoAUdoBa Y6aYDBgHVCShPzJ3LQLXxxswDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBS/y6K3 QqgHu7crUi+kaUxGBP9o6zAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0kA - MEYCIQCvhCZKzOyaNkad7y1vBE4SKtT8nRZqCx/Y82ugmDoAjgIhAIs/9uHaNmOD - Uip8B/h+JVgIm8FoNs5EOc5D/PkyoEKk + MEYCIQD89W1J6retVRfhlatWf1dGo2eGTeNLt0boodhEQWsh0gIhALy/gS3FYKvW + uGlyLQIAgkmXdONSk3Zr/9KWsRlUzSZ3 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBjDCCATKgAwIBAgIBATAKBggqhkjOPQQDAjAdMRswGQYDVQQDDBJNb2NrIElu 
@@ -55,13 +55,13 @@ tcb_info_issuer_chain: | BwNCAAQCF+YX8LZEOSgnj5aZnmmiOk8sFSvfbWzfZuW4AoLU7RlKfevLl3EtLdo8 qFqodlpW9F/HWFmWUvKJfGUwbleUo2MwYTAfBgNVHSMEGDAWgBR2gFpjppgMGAdU JKE/MnctAtfHGzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFHaAWmOmmAwYB1Qk - oT8ydy0C18cbMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhANOM - o5zM6NZ93Iewr2S2g0MiM+6mMJaJNDfY5pXp82amAiBXJ1pB709SgQCgRmICY6GJ - LsG1gRFnBX+0dG80hRXdPA== + oT8ydy0C18cbMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIwO + 8YQHeXcarVp8UjFEbRCISwPyngJ86p4X2rr6XyGzAiBexJXkCBh/H7vmk4Jicih9 + 5iKbc/dtGsAlXBmRNaN6rg== -----END CERTIFICATE----- -tcb_info: "{\"id\":\"TDX\",\"version\":3,\"issueDate\":\"2025-01-01T00:00:00Z\",\"nextUpdate\":\"2045-01-01T00:00:00Z\",\"fmspc\":\"00906EA10000\",\"pceId\":\"0000\",\"tcbType\":0,\"tcbEvaluationDataNumber\":1,\"tcbLevels\":[{\"tcb\":{\"sgxtcbcomponents\":[{\"svn\":11},{\"svn\":11},{\"svn\":2},{\"svn\":2},{\"svn\":255},{\"svn\":1},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0}],\"tdxtcbcomponents\":[{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1}],\"pcesvn\":13},\"tcbDate\":\"2025-01-01T00:00:00Z\",\"tcbStatus\":\"UpToDate\",\"advisoryIDs\":[]}]}" +tcb_info: 
"{\"id\":\"TDX\",\"version\":3,\"issueDate\":\"2025-01-01T00:00:00Z\",\"nextUpdate\":\"2045-01-01T00:00:00Z\",\"fmspc\":\"00906EA10000\",\"pceId\":\"0000\",\"tcbType\":0,\"tcbEvaluationDataNumber\":1,\"tcbLevels\":[{\"tcb\":{\"sgxtcbcomponents\":[{\"svn\":11},{\"svn\":11},{\"svn\":2},{\"svn\":2},{\"svn\":255},{\"svn\":1},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0},{\"svn\":0}],\"tdxtcbcomponents\":[{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1},{\"svn\":1}],\"pcesvn\":13},\"tcbDate\":\"2025-01-01T00:00:00Z\",\"tcbStatus\":\"UpToDate\",\"advisoryIDs\":[]}],\"tdxModule\":{\"mrsigner\":\"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\",\"attributes\":\"0000000000000000\",\"attributesMask\":\"FFFFFFFFFFFFFFFF\"},\"tdxModuleIdentities\":[]}" tcb_info_signature: >- - 81deffe35b79b7d7cfa1b4f7a62cf2f661f7d47c1d53838f8c48199ebbd14af77605f8a9bf060aafc48624a5a70be20307bb9e622345fd59f40966967ff1bce1 + 4bdc0625ab48e3bdd7b3c93b03151ceef35472640bb4741cc0aa327e2c0277c8771a7961c476f5a87aded364546bd6ff803b0c2a1a48a2c5867afc59b610d324 qe_identity_issuer_chain: | -----BEGIN CERTIFICATE----- MIIBlzCCATygAwIBAgIBAzAKBggqhkjOPQQDAjAkMSIwIAYDVQQDDBlNb2NrIElu @@ -71,8 +71,8 @@ qe_identity_issuer_chain: | EFInErC1p8/wgWhUhphKlOaDHtrEbnNg+p2DSnqBoaNjMGEwHwYDVR0jBBgwFoAU v8uit0KoB7u3K1IvpGlMRgT/aOswDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBST 7j5t5QAoWFiJAKg4c8ROKT5hpTAPBgNVHRMBAf8EBTADAQEAMAoGCCqGSM49BAMC - A0kAMEYCIQCAhGx8v+2u1fXhC8xMtzeouG654iUvC684nd3q7TBHMwIhAKqvK38E - Mu8JWo589cyxCqsAErRhSodsqUcW/MyDC0hL + A0kAMEYCIQDi3oq/vQ4ZQD8i6MFGb/STIjwx7v8fX3xGmj5jHtGAWwIhAJ+sKdZe + fTxpwah87AqNRNKOue0fCesiwV1KWYSFcrMB -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBlDCCATmgAwIBAgIBAjAKBggqhkjOPQQDAjAdMRswGQYDVQQDDBJNb2NrIElu 
@@ -82,8 +82,8 @@ qe_identity_issuer_chain: | U3LfYiHqOhN1V+Rz/dtnVfBb1QfDxTP86ckShaNjMGEwHwYDVR0jBBgwFoAUdoBa Y6aYDBgHVCShPzJ3LQLXxxswDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBS/y6K3 QqgHu7crUi+kaUxGBP9o6zAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0kA - MEYCIQCvhCZKzOyaNkad7y1vBE4SKtT8nRZqCx/Y82ugmDoAjgIhAIs/9uHaNmOD - Uip8B/h+JVgIm8FoNs5EOc5D/PkyoEKk + MEYCIQD89W1J6retVRfhlatWf1dGo2eGTeNLt0boodhEQWsh0gIhALy/gS3FYKvW + uGlyLQIAgkmXdONSk3Zr/9KWsRlUzSZ3 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBjDCCATKgAwIBAgIBATAKBggqhkjOPQQDAjAdMRswGQYDVQQDDBJNb2NrIElu @@ -92,9 +92,9 @@ qe_identity_issuer_chain: | BwNCAAQCF+YX8LZEOSgnj5aZnmmiOk8sFSvfbWzfZuW4AoLU7RlKfevLl3EtLdo8 qFqodlpW9F/HWFmWUvKJfGUwbleUo2MwYTAfBgNVHSMEGDAWgBR2gFpjppgMGAdU JKE/MnctAtfHGzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFHaAWmOmmAwYB1Qk - oT8ydy0C18cbMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhANOM - o5zM6NZ93Iewr2S2g0MiM+6mMJaJNDfY5pXp82amAiBXJ1pB709SgQCgRmICY6GJ - LsG1gRFnBX+0dG80hRXdPA== + oT8ydy0C18cbMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIwO + 8YQHeXcarVp8UjFEbRCISwPyngJ86p4X2rr6XyGzAiBexJXkCBh/H7vmk4Jicih9 + 5iKbc/dtGsAlXBmRNaN6rg== -----END CERTIFICATE----- qe_identity: "{\"id\":\"TD_QE\",\"version\":2,\"issueDate\":\"2025-01-01T00:00:00Z\",\"nextUpdate\":\"2045-01-01T00:00:00Z\",\"tcbEvaluationDataNumber\":1,\"miscselect\":\"00000000\",\"miscselectMask\":\"FFFFFFFF\",\"attributes\":\"00000000000000000000000000000000\",\"attributesMask\":\"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\",\"mrsigner\":\"5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A5A\",\"isvprodid\":2,\"tcbLevels\":[{\"tcb\":{\"isvsvn\":11},\"tcbDate\":\"2025-01-01T00:00:00Z\",\"tcbStatus\":\"UpToDate\",\"advisoryIDs\":[]}]}" qe_identity_signature: >- 
@@ -117,9 +117,9 @@ pck_certificate_chain: | MBAGCyqGSIb4TQENAQIOAgEAMBAGCyqGSIb4TQENAQIPAgEAMBAGCyqGSIb4TQEN AQIQAgEAMBAGCyqGSIb4TQENAQIRAgENMB8GCyqGSIb4TQENAQISBBALCwIC/wEA AAAAAAAAAAAAMBAGCiqGSIb4TQENAQMEAgAAMBQGCiqGSIb4TQENAQQEBgCQbqEA - ADAPBgoqhkiG+E0BDQEFCgEAMAoGCCqGSM49BAMCA0gAMEUCID830FZbEZLj3Zwv - +45GtB9pkIWKWgKXr/582kNwIagiAiEAttIFwEKZhgyjPIWgQsa0g31aUvKgtl31 - 9CfxzKBt/Qs= + ADAPBgoqhkiG+E0BDQEFCgEAMAoGCCqGSM49BAMCA0gAMEUCIGBFEVX91x8zqkUb + cslsijmXtQ4gQu+q5Tz34a2dh9bYAiEAmOWX5gciKT5b4ZoGC7Eou+FRAGBpg5rB + 42O85NOsLgg= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBjDCCATKgAwIBAgIBATAKBggqhkjOPQQDAjAdMRswGQYDVQQDDBJNb2NrIElu @@ -128,7 +128,7 @@ pck_certificate_chain: | BwNCAAQCF+YX8LZEOSgnj5aZnmmiOk8sFSvfbWzfZuW4AoLU7RlKfevLl3EtLdo8 qFqodlpW9F/HWFmWUvKJfGUwbleUo2MwYTAfBgNVHSMEGDAWgBR2gFpjppgMGAdU JKE/MnctAtfHGzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFHaAWmOmmAwYB1Qk - oT8ydy0C18cbMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhANOM - o5zM6NZ93Iewr2S2g0MiM+6mMJaJNDfY5pXp82amAiBXJ1pB709SgQCgRmICY6GJ - LsG1gRFnBX+0dG80hRXdPA== + oT8ydy0C18cbMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIwO + 8YQHeXcarVp8UjFEbRCISwPyngJ86p4X2rr6XyGzAiBexJXkCBh/H7vmk4Jicih9 + 5iKbc/dtGsAlXBmRNaN6rg== -----END CERTIFICATE----- diff --git a/crates/mock-tdx/assets/mock-pck-chain.pem b/crates/mock-tdx/assets/mock-pck-chain.pem index b6b41c0..f9a97a0 100644 --- a/crates/mock-tdx/assets/mock-pck-chain.pem +++ b/crates/mock-tdx/assets/mock-pck-chain.pem 
@@ -15,9 +15,9 @@ SIb4TQENAQILAgEAMBAGCyqGSIb4TQENAQIMAgEAMBAGCyqGSIb4TQENAQINAgEA MBAGCyqGSIb4TQENAQIOAgEAMBAGCyqGSIb4TQENAQIPAgEAMBAGCyqGSIb4TQEN AQIQAgEAMBAGCyqGSIb4TQENAQIRAgENMB8GCyqGSIb4TQENAQISBBALCwIC/wEA AAAAAAAAAAAAMBAGCiqGSIb4TQENAQMEAgAAMBQGCiqGSIb4TQENAQQEBgCQbqEA -ADAPBgoqhkiG+E0BDQEFCgEAMAoGCCqGSM49BAMCA0gAMEUCID830FZbEZLj3Zwv -+45GtB9pkIWKWgKXr/582kNwIagiAiEAttIFwEKZhgyjPIWgQsa0g31aUvKgtl31 -9CfxzKBt/Qs= +ADAPBgoqhkiG+E0BDQEFCgEAMAoGCCqGSM49BAMCA0gAMEUCIGBFEVX91x8zqkUb +cslsijmXtQ4gQu+q5Tz34a2dh9bYAiEAmOWX5gciKT5b4ZoGC7Eou+FRAGBpg5rB +42O85NOsLgg= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIBjDCCATKgAwIBAgIBATAKBggqhkjOPQQDAjAdMRswGQYDVQQDDBJNb2NrIElu @@ -26,7 +26,7 @@ GQYDVQQDDBJNb2NrIEludGVsIFJvb3QgQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMB BwNCAAQCF+YX8LZEOSgnj5aZnmmiOk8sFSvfbWzfZuW4AoLU7RlKfevLl3EtLdo8 qFqodlpW9F/HWFmWUvKJfGUwbleUo2MwYTAfBgNVHSMEGDAWgBR2gFpjppgMGAdU JKE/MnctAtfHGzAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0OBBYEFHaAWmOmmAwYB1Qk -oT8ydy0C18cbMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhANOM -o5zM6NZ93Iewr2S2g0MiM+6mMJaJNDfY5pXp82amAiBXJ1pB709SgQCgRmICY6GJ -LsG1gRFnBX+0dG80hRXdPA== +oT8ydy0C18cbMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSAAwRQIhAIwO +8YQHeXcarVp8UjFEbRCISwPyngJ86p4X2rr6XyGzAiBexJXkCBh/H7vmk4Jicih9 +5iKbc/dtGsAlXBmRNaN6rg== -----END CERTIFICATE----- diff --git a/crates/mock-tdx/assets/mock-root-ca.der b/crates/mock-tdx/assets/mock-root-ca.der index fa502522c2fb8953b34a49ec602a421b06188dab..1cb78da3d041d98a67f36a537fbc1d011ed148e9 100644 GIT binary patch delta 74 zcmV-Q0JZ;+1CRr-P60xU4)KHsd3PGET6|J5L~Rg=O9S$r0(|P87uve|Um>#sAYR0k g dcap_qvl::verify::QuoteVerifier { - dcap_qvl::verify::QuoteVerifier::new( - EMBEDDED_ROOT_CA_DER.to_vec(), - dcap_qvl::verify::rustcrypto::backend(), - ) + dcap_qvl::verify::QuoteVerifier::new(EMBEDDED_ROOT_CA_DER.to_vec()) } /// Get mock collateral for verifying generated mock quotes 
@@ -257,8 +256,8 @@ mod tests {
 let collateral = mock_collateral();
 let tcb_info: TcbInfo = serde_json::from_str(&collateral.tcb_info).unwrap();
- assert_eq!(hex::encode_upper(quote.fmspc().unwrap()), tcb_info.fmspc);
- assert_eq!(quote.ca().unwrap(), "processor");
+ assert_eq!(hex::encode_upper(quote_fmspc(&quot;e).unwrap()), tcb_info.fmspc);
+ assert_eq!(quote_ca(&quot;e).unwrap().as_id_str(), "processor");
 let verifier = mock_dcap_verifier();
 let verified = verifier.verify(&quot;e_bytes, &collateral, FIXTURE_TIME).unwrap();
@@ -296,7 +295,7 @@ mod tests {
 let quote_bytes = generate_mock_tdx_quote([0xEF; 64]).unwrap();
 let quote = Quote::parse(&quot;e_bytes).unwrap();
- assert_eq!(hex::encode_upper(quote.fmspc().unwrap()), tcb_info.fmspc);
+ assert_eq!(hex::encode_upper(quote_fmspc(&quot;e).unwrap()), tcb_info.fmspc);
 assert_eq!(quote.header.pce_svn, tcb_info.tcb_levels[0].tcb.pce_svn);
 verifier.verify(&quot;e_bytes, &collateral, FIXTURE_TIME).unwrap();
diff --git a/crates/mock-tdx/src/main.rs b/crates/mock-tdx/src/main.rs
index b730bfa..133e589 100644
--- a/crates/mock-tdx/src/main.rs
+++ b/crates/mock-tdx/src/main.rs
@@ -6,7 +6,7 @@ use std::{
 use dcap_qvl::{
 QuoteCollateralV3,
 intel::{PckExtension, parse_pck_extension},
- tcb_info::{Tcb, TcbComponents, TcbInfo, TcbLevel, TcbStatus},
+ tcb_info::{Tcb, TcbComponents, TcbInfo, TcbLevel, TcbStatus, TdxModule},
 };
 use p256::{
 SecretKey,
@@ -277,6 +277,12 @@ fn mock_tcb_info(
 tcb_status: TcbStatus::UpToDate,
 advisory_ids: Vec::new(),
 }],
+ tdx_module: Some(TdxModule {
+ mrsigner: "00".repeat(48),
+ attributes: "00".repeat(8),
+ attributes_mask: "FF".repeat(8),
+ }),
+ tdx_module_identities: Vec::new(),
 }
 }
diff --git a/crates/pccs/src/lib.rs b/crates/pccs/src/lib.rs
index 774443b..ea63b05 100644
--- a/crates/pccs/src/lib.rs
+++ b/crates/pccs/src/lib.rs
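Review bot: The new `tdx_module` block in `mock_tcb_info` sets `mrsigner`, `attributes` and `attributes_mask` from bare `"00".repeat(48)` / `"00".repeat(8)` / `"FF".repeat(8)` literals with nothing saying what they commit the mock verifier to, and the committed `mock-dcap-collateral.yaml` fixture carries the same `tdxModule` values, so a reader has two copies to keep in sync and no statement of intent at either. A comment such as `// Mock TD module identity: all-zero MRSIGNER and attributes with a full mask; must match the tdxModule entry in assets/mock-dcap-collateral.yaml.` would record that, and `tdx_module_identities: Vec::new()` deserves a word on why no identities are listed. The full `FF` mask presumably makes the verifier compare every attribute bit against zero — confirm that against dcap-qvl's TDX-module check rather than assuming a partial mask would be looser. `mock_tcb_info` starts outside the hunk.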
@@ -9,7 +9,7 @@ use std::{
 time::{SystemTime, UNIX_EPOCH},
 };
-use dcap_qvl::{QuoteCollateralV3, collateral::get_collateral_for_fmspc, tcb_info::TcbInfo};
+use dcap_qvl::{QuoteCollateralV3, collateral::CollateralClient, tcb_info::TcbInfo};
 use thiserror::Error;
 use time::{OffsetDateTime, format_description::well_known::Rfc3339};
 use tokio::{
@@ -424,11 +424,10 @@ async fn fetch_collateral(
 fmspc: String,
 ca: &'static str,
 ) -> Result {
- get_collateral_for_fmspc(
- url, fmspc, ca, false, // Indicates not SGX
- )
- .await
- .map_err(Into::into)
+ CollateralClient::with_default_http(url)?
+ .fetch_for_fmspc_without_pck_chain(&fmspc, ca, false)
+ .await
+ .map_err(Into::into)
 }
 /// Extracts the earliest next update timestamp from collateral metadata
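Review bot: `fetch_collateral` still takes `fmspc: String` by value although the new body only borrows it as `&fmspc`, so every caller moves (or clones) a `String` the function no longer needs; the function is private (`async fn` without `pub`), so its parameter can become `fmspc: &str` and the call sites inside the crate adjusted, with the call reading `.fetch_for_fmspc_without_pck_chain(fmspc, ca, false)`. Error handling in the same expression now mixes two forms, `?` on `with_default_http(url)?` and `.map_err(Into::into)` on the fetch; both presumably convert into the function's own error enum, so using `?` on both would read more uniformly. The signature line `async fn fetch_collateral(` and the `url` parameter are outside the hunk.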