fix: wasm bindings

tinfoilanalytics · Jan 16, 2025 · a3a28f4 · a3a28f4
1 parent 2dbd27e
commit a3a28f4
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 57 deletions.
diff --git a/vendor/github.com/in-toto/in-toto-golang/in_toto/util_unix.go b/vendor/github.com/in-toto/in-toto-golang/in_toto/util_unix.go
diff --git a/wasm/index.html b/wasm/index.html
@@ -31,23 +31,23 @@ <h1 class="text-3xl font-bold text-gray-800 mb-4">Tinfoil Verifier</h1>
                             id="digest"
                             class="border border-gray-300 rounded-md p-2.5 w-full focus:ring-2 focus:ring-blue-500 focus:border-blue-500 transition-colors"
                             type="text"
-                            value="6d87ba0d92af58c1d740b8aa7d2c3521d8cff96a520502a8b748c3a744ae015f">
+                            value="8d21787fb469f42965028e89053edb289151619eac93fc5a207c31f8a3b76d55">
                 </div>
                 <div class="w-[35%]">
                     <label for="repo" class="block text-sm font-medium text-gray-700 mb-2">Repo:</label>
                     <input
                             id="repo"
                             class="border border-gray-300 rounded-md p-2.5 w-full focus:ring-2 focus:ring-blue-500 focus:border-blue-500 transition-colors"
                             type="text"
-                            value="tinfoilanalytics/nitro-private-inference-image">
+                            value="tinfoilanalytics/nitro-enclave-build-demo">
                 </div>
                 <div class="w-[20%]">
                     <label for="domain" class="block text-sm font-medium text-gray-700 mb-2">URL:</label>
                     <input
                             id="domain"
                             class="border border-gray-300 rounded-md p-2.5 w-full focus:ring-2 focus:ring-blue-500 focus:border-blue-500 transition-colors"
                             type="text"
-                            value="inference.tinfoil.sh">
+                            value="inference-enclave.tinfoil.sh">
                 </div>
                 <div class="w-[10%] flex items-end">
                     <button 

diff --git a/wasm/main.go b/wasm/main.go
@@ -5,12 +5,9 @@ package main
 
 import (
 	_ "embed"
-	"encoding/base64"
 	"syscall/js"
 
-	"github.com/blocky/nitrite"
-
-	"github.com/tinfoilanalytics/verifier/pkg/models"
+	"github.com/tinfoilanalytics/verifier/pkg/attestation"
 	"github.com/tinfoilanalytics/verifier/pkg/sigstore"
 )
 
@@ -19,13 +16,13 @@ import (
 //go:embed trusted_root.json
 var trustedRootBytes []byte
 
-func verifySigstore() js.Func {
+func verifyCode() js.Func {
 	return js.FuncOf(func(this js.Value, args []js.Value) any {
 		digest := args[0].String()
 		bundleBytes := []byte(args[1].String())
 		repo := args[2].String()
 
-		sigstoreMeasurements, err := sigstore.VerifyMeasurementAttestation(
+		measurement, err := sigstore.VerifyMeasurementAttestation(
 			trustedRootBytes,
 			bundleBytes,
 			digest,
@@ -35,27 +32,22 @@ func verifySigstore() js.Func {
 			panic(err)
 		}
 
-		return sigstoreMeasurements.String()
+		return measurement.Fingerprint()
 	})
 }
 
-func verifyNitro() js.Func {
+func verifyEnclave() js.Func {
 	return js.FuncOf(func(this js.Value, args []js.Value) any {
-		attDocBytes, err := base64.StdEncoding.DecodeString(args[0].String())
-		if err != nil {
-			panic(err)
-		}
-
-		att, err := nitrite.Verify(attDocBytes, nitrite.VerifyOptions{})
+		measurement, _, err := attestation.VerifyAttestationJSON([]byte(args[0].String()))
 		if err != nil {
 			panic(err)
 		}
-		return models.MeasurementFromDoc(att.Document).String()
+		return measurement.Fingerprint()
 	})
 }
 
 func main() {
-	js.Global().Set("verifySigstore", verifySigstore())
-	js.Global().Set("verifyNitro", verifyNitro())
+	js.Global().Set("verifySigstore", verifyCode())
+	js.Global().Set("verifyNitro", verifyEnclave())
 	<-make(chan struct{})
 }
diff --git a/wasm/verifier.js b/wasm/verifier.js
@@ -4,7 +4,7 @@ function updateLinks() {
     let domain = document.getElementById("domain").value;
 
     let bundleURL = "https://api.github.com/repos/" + repo + "/attestations/sha256:" + digest;
-    let attestationURL = `https://${domain}/.well-known/nitro-attestation`;
+    let attestationURL = `https://${domain}/.well-known/tinfoil-attestation`;
 
     let bundleLink = document.getElementById("bundleLink");
     let attestationLink = document.getElementById("attestationLink");
@@ -45,7 +45,6 @@ function verify() {
         let sigstorePromise = fetch(bundleURL)
             .catch(error => {
                 addLog("Failed to fetch attestation bundle from Sigstore: " + error);
-                addLog("Verification failed");
                 throw error;
             })
             .then(response => {
@@ -59,18 +58,15 @@ function verify() {
             .then(data => {
                 let bundle = data.attestations[0].bundle;
                 addLog("Verifying sigstore signature");
-                let sigstoreMeasurements = JSON.parse(verifySigstore(digest, JSON.stringify(bundle), repo));
-                addLog("Sigstore PCR0: " + sigstoreMeasurements.PCR0);
-                addLog("Sigstore PCR1: " + sigstoreMeasurements.PCR1);
-                addLog("Sigstore PCR2: " + sigstoreMeasurements.PCR2);
-                return sigstoreMeasurements;
+                let sigstoreMeasurement = verifySigstore(digest, JSON.stringify(bundle), repo);
+                addLog("Sigstore: " + sigstoreMeasurement);
+                return sigstoreMeasurement;
             });
 
         addLog("Fetching nitro attestation");
         let nitroPromise = fetch(attestationURL)
             .catch(error => {
                 addLog("Failed to fetch nitro attestation: " + error);
-                addLog("Verification failed");
                 throw error;
             })
             .then(response => {
@@ -79,36 +75,21 @@ function verify() {
                     addLog(error);
                     throw new Error(error);
                 }
-                return response.json();
+                return response.text();
             })
             .then(nitroAttestation => {
-                let nitroMeasurements = JSON.parse(verifyNitro(nitroAttestation));
-                addLog("Nitro PCR0: " + nitroMeasurements.PCR0);
-                addLog("Nitro PCR1: " + nitroMeasurements.PCR1);
-                addLog("Nitro PCR2: " + nitroMeasurements.PCR2);
-                return nitroMeasurements;
+                let nitroMeasurement = verifyNitro(nitroAttestation);
+                addLog("Nitro: " + nitroMeasurement);
+                return nitroMeasurement;
             });
 
         // Wait for both to finish and print both
         Promise.all([sigstorePromise, nitroPromise])
-            .then(([sigstoreMeasurements, nitroMeasurements]) => {
-                let failed = false;
-                for (let i = 0; i < 3; i++) {
-                    let sigstorePCR = sigstoreMeasurements["PCR" + i];
-                    let nitroPCR = nitroMeasurements["PCR" + i];
-
-                    if (sigstorePCR !== nitroPCR) {
-                        addLog(`PCR${i} mismatch`);
-                        failed = true;
-                    } else {
-                        addLog(`PCR${i} match`);
-                    }
-                }
-
-                if (failed) {
-                    addLog("Verification failed");
-                } else {
+            .then(([sigstoreMeasurement, nitroMeasurement]) => {
+                if (sigstoreMeasurement === nitroMeasurement) {
                     addLog("Verification successful! ✅");
+                } else {
+                    throw new Error("Verification failed: measurements do not match");
                 }
             })
             .catch(error => {