Certificate V2 sgx_attestation_key type element validation

- Implemented HSMCertificateV2ElementSGXAttestationKey's key and is_valid methods - HSMCertificateV2ElementSGXAttestationKey's message now returns an instance of SgxReportBody - HSMCertificateV2ElementX509 now parses the raw certificate into an cryptography x509 certificate object - Implemented HSMCertificateV2ElementX509's get_pubkey method - Added cryptography dependency to middleware docker image - Added and updated unit tests - Incidentally removing some garbage
rsksmart · Jan 2, 2025 · 2525f84 · 2525f84
1 parent 0b62d17
commit 2525f84
Show file tree

Hide file tree

Showing 8 changed files with 695 additions and 393 deletions.
diff --git a/docker/mware/requirements.txt b/docker/mware/requirements.txt
@@ -810,3 +810,33 @@ yapf==0.40.2 \
 zipp==3.19.2 \
     --hash=sha256:bf1dcf6450f873a13e952a29504887c89e6de7506209e5b1bcc3460135d4de19 \
     --hash=sha256:f091755f667055f2d02b32c53771a7a6c8b47e1fdbc4b72a8b9072b3eef8015c
+cryptography==44.0.0 \
+    --hash=sha256:1923cb251c04be85eec9fda837661c67c1049063305d6be5721643c22dd4e2b7 \
+    --hash=sha256:37d76e6863da3774cd9db5b409a9ecfd2c71c981c38788d3fcfaf177f447b731 \
+    --hash=sha256:3c672a53c0fb4725a29c303be906d3c1fa99c32f58abe008a82705f9ee96f40b \
+    --hash=sha256:404fdc66ee5f83a1388be54300ae978b2efd538018de18556dde92575e05defc \
+    --hash=sha256:4ac4c9f37eba52cb6fbeaf5b59c152ea976726b865bd4cf87883a7e7006cc543 \
+    --hash=sha256:60eb32934076fa07e4316b7b2742fa52cbb190b42c2df2863dbc4230a0a9b385 \
+    --hash=sha256:62901fb618f74d7d81bf408c8719e9ec14d863086efe4185afd07c352aee1d2c \
+    --hash=sha256:660cb7312a08bc38be15b696462fa7cc7cd85c3ed9c576e81f4dc4d8b2b31591 \
+    --hash=sha256:708ee5f1bafe76d041b53a4f95eb28cdeb8d18da17e597d46d7833ee59b97ede \
+    --hash=sha256:761817a3377ef15ac23cd7834715081791d4ec77f9297ee694ca1ee9c2c7e5eb \
+    --hash=sha256:831c3c4d0774e488fdc83a1923b49b9957d33287de923d58ebd3cec47a0ae43f \
+    --hash=sha256:84111ad4ff3f6253820e6d3e58be2cc2a00adb29335d4cacb5ab4d4d34f2a123 \
+    --hash=sha256:8b3e6eae66cf54701ee7d9c83c30ac0a1e3fa17be486033000f2a73a12ab507c \
+    --hash=sha256:9abcc2e083cbe8dde89124a47e5e53ec38751f0d7dfd36801008f316a127d7ba \
+    --hash=sha256:9e6fc8a08e116fb7c7dd1f040074c9d7b51d74a8ea40d4df2fc7aa08b76b9e6c \
+    --hash=sha256:a01956ddfa0a6790d594f5b34fc1bfa6098aca434696a03cfdbe469b8ed79285 \
+    --hash=sha256:abc998e0c0eee3c8a1904221d3f67dcfa76422b23620173e28c11d3e626c21bd \
+    --hash=sha256:b15492a11f9e1b62ba9d73c210e2416724633167de94607ec6069ef724fad092 \
+    --hash=sha256:be4ce505894d15d5c5037167ffb7f0ae90b7be6f2a98f9a5c3442395501c32fa \
+    --hash=sha256:c5eb858beed7835e5ad1faba59e865109f3e52b3783b9ac21e7e47dc5554e289 \
+    --hash=sha256:cd4e834f340b4293430701e772ec543b0fbe6c2dea510a5286fe0acabe153a02 \
+    --hash=sha256:d2436114e46b36d00f8b72ff57e598978b37399d2786fd39793c36c6d5cb1c64 \
+    --hash=sha256:eb33480f1bad5b78233b0ad3e1b0be21e8ef1da745d8d2aecbb20671658b9053 \
+    --hash=sha256:eca27345e1214d1b9f9490d200f9db5a874479be914199194e746c893788d417 \
+    --hash=sha256:ed3534eb1090483c96178fcb0f8893719d96d5274dfde98aa6add34614e97c8e \
+    --hash=sha256:f3f6fdfa89ee2d9d496e2c087cebef9d4fcbb0ad63c40e821b39f74bf48d9c5e \
+    --hash=sha256:f53c2c87e0fb4b0c00fa9571082a057e37690a8f12233306161c8f4b819960b7 \
+    --hash=sha256:f5e7cb1e5e56ca0933b4873c0220a78b773b24d40d186b6738080b73d3d0a756 \
+    --hash=sha256:f677e1268c4e23420c3acade68fac427fffcb8d19d7df95ed7ad17cdef8404f4
diff --git a/middleware/admin/certificate_v2.py b/middleware/admin/certificate_v2.py
@@ -25,9 +25,12 @@
 import base64
 import ecdsa
 import hashlib
+from cryptography import x509
+from cryptography.hazmat.primitives.serialization import PublicFormat, Encoding
+from cryptography.hazmat.primitives.asymmetric.ec import SECP256R1
 from .certificate_v1 import HSMCertificate
 from .utils import is_nonempty_hex_string
-from sgx.envelope import SgxQuote
+from sgx.envelope import SgxQuote, SgxReportBody
 
 
 class HSMCertificateV2Element:
@@ -163,11 +166,11 @@ def _init_with_map(self, element_map):
 
     @property
     def message(self):
-        return self._message.hex()
+        return SgxReportBody(self._message)
 
     @property
     def key(self):
-        return self._key.hex()
+        return ecdsa.VerifyingKey.from_string(self._key, ecdsa.NIST256p)
 
     @property
     def auth_data(self):
@@ -178,7 +181,20 @@ def signature(self):
         return self._signature.hex()
 
     def is_valid(self, certifier):
-        return True
+        try:
+            # Validate report data
+            expected = hashlib.sha256(self.key.to_string() + self._auth_data).digest()
+            if expected != self.message.report_data.field[:len(expected)]:
+                return False
+
+            # Verify signature against the certifier
+            return certifier.get_pubkey().verify_digest(
+                self._signature,
+                hashlib.sha256(self._message).digest(),
+                ecdsa.util.sigdecode_der,
+            )
+        except Exception:
+            return False
 
     def get_pubkey(self):
         return ecdsa.VerifyingKey.from_string(self._key, ecdsa.NIST256p)
@@ -187,15 +203,18 @@ def to_dict(self):
         return {
             "name": self.name,
             "type": "sgx_attestation_key",
-            "message": self.message,
-            "key": self.key,
+            "message": self.message.get_raw_data().hex(),
+            "key": self.key.to_string("uncompressed").hex(),
             "auth_data": self.auth_data,
             "signature": self.signature,
             "signed_by": self.signed_by,
         }
 
 
 class HSMCertificateV2ElementX509(HSMCertificateV2Element):
+    HEADER_BEGIN = "-----BEGIN CERTIFICATE-----"
+    HEADER_END = "-----END CERTIFICATE-----"
+
     @classmethod
     def from_pemfile(kls, pem_path, name, signed_by):
         return kls.from_pem(Path(pem_path).read_text(), name, signed_by)
@@ -205,14 +224,15 @@ def from_pem(kls, pem_str, name, signed_by):
         return kls({
             "name": name,
             "message": re.sub(r"[\s\n\r]+", " ", pem_str)
-                         .replace("-----END CERTIFICATE-----", "")
-                         .replace("-----BEGIN CERTIFICATE-----", "")
+                         .replace(kls.HEADER_END, "")
+                         .replace(kls.HEADER_BEGIN, "")
                          .strip().encode(),
             "signed_by": signed_by,
         })
 
     def __init__(self, element_map):
         self._init_with_map(element_map)
+        self._certificate = None
 
     def _init_with_map(self, element_map):
         super()._init_with_map(element_map)
@@ -226,11 +246,29 @@ def _init_with_map(self, element_map):
     def message(self):
         return base64.b64encode(self._message).decode("ASCII")
 
+    @property
+    def certificate(self):
+        if self._certificate is None:
+            self._certificate = x509.load_pem_x509_certificate((
+                self.HEADER_BEGIN + self.message + self.HEADER_END).encode())
+        return self._certificate
+
     def is_valid(self, certifier):
         return True
 
     def get_pubkey(self):
-        return None
+        try:
+            public_key = self.certificate.public_key()
+
+            if not isinstance(public_key.curve, SECP256R1):
+                raise ValueError("Certificate does not have a NIST P-256 public key")
+
+            public_bytes = public_key.public_bytes(
+                Encoding.X962, PublicFormat.CompressedPoint)
+
+            return ecdsa.VerifyingKey.from_string(public_bytes, ecdsa.NIST256p)
+        except Exception as e:
+            raise ValueError(f"Error gathering public key from certificate: {str(e)}")
 
     def to_dict(self):
         return {

diff --git a/middleware/da.json b/middleware/da.json