
feat: add utility to verify attestation #20017

Open. Wants to merge 7 commits into base branch main from joy/attestation.
Conversation

joyqvq (Contributor) commented Oct 24, 2024

Description

Describe the changes or additions included in this PR.

Test plan

How did you test the new or updated feature?


Release notes

Check each box that your changes affect. If none of the boxes relate to your changes, release notes aren't required.

For each box you select, include information after the relevant heading that describes the impact of your changes that a user might notice and any actions they must take to implement updates.

  • Protocol:
  • Nodes (Validators and Full nodes):
  • Indexer:
  • JSON-RPC:
  • GraphQL:
  • CLI:
  • Rust SDK:
  • REST API:


joyqvq force-pushed the joy/attestation branch 2 times, most recently from f056421 to de1eacd (October 31, 2024 21:31).
joyqvq (Contributor, Author) commented Dec 17, 2024

> Adding a blocking review just to ensure we have consensus across teams before we land this

Feel free to review this PR as is and I will address before merging. While I understand we should align across teams, this PR itself should be self-contained and reviewed, since it doesn't expose Move interfaces.

bmwill (Contributor) commented Dec 17, 2024

> > Adding a blocking review just to ensure we have consensus across teams before we land this
>
> Feel free to review this PR as is and I will address before merging. While I understand we should align across teams, this PR itself should be self-contained and reviewed, since it doesn't expose Move interfaces.

Oh, I didn't realize that. I thought the Move interface was still a part of the PR. I'll remove my gating review then.

@bmwill bmwill dismissed their stale review December 17, 2024 20:13

crates/sui-types/src/nitro_attestation.rs: two outdated review threads, resolved.
```rust
let cose_sign1 = CoseSign1::parse_and_validate(attestation_bytes)?;

// Parse attestation document payload and verify cert against AWS root of trust.
let doc =
```

Contributor: Let's move this parsing to after the sig verification (to reduce the risk of complex parsing).

joyqvq (Author): The public key used for verifying the signature is parsed from the cert in the doc.

```rust
/// Given an attestation document bytes, deserialize and verify its validity according to
/// <https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html>
/// and check the user_data is consistent with the enclave public key.
pub fn attestation_verify_inner(
```

Contributor: Let's change this function to return SuiResult and only give it the attestation_bytes and timestamp? Later we could expose both in Move to developers using something like `Struct NitroAttestation { user_data: vector<u8>, pcrs: vector<Pcr> }`.

joyqvq (Author): Agree that the Move interface can take in the struct, but shouldn't the native function take the raw types?

benr-ml (Contributor) commented Dec 22, 2024

Yes, the native function will take and return raw types, something like `attestation_verify_inner(attestation_bytes, timestamp) -> SuiResult<(Vec<u8>, Vec<Vec<u8>>)>`.
Later the Move struct would be the object we construct in the function that calls the native function, i.e.

```move
public fun create_nitro_attestation(bytes, bytes...): NitroAttestation { // call native function to get user data and pcrs -> construct NitroAttestation
```


```rust
// Verify certificate signature.
let verifying_key = match issuer_cert.public_key().parsed() {
    Ok(PublicKey::EC(ec)) => VerifyingKey::from_sec1_bytes(ec.data()).map_err(|_| {
```

Contributor: The previous implementation worked with any signature scheme for the cert chain, no? Is it safe to assume that future cert chains will use P-384 as well? I think it's OK, but let's document the right reference for that.

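The two threads above (parse-before-verify ordering, and the ES384/P-384 assumption) both hinge on what the enclave's signature actually covers. The following is an added example, not code from the Sui PR: it builds the COSE_Sign1 Sig_structure from RFC 9052 section 4.4, which shows that the payload is signed as an opaque byte string, so only the COSE envelope (plus the leaf certificate's public key, taken from the payload) is needed before the P-384 ECDSA check, and decoding the attestation document's PCRs and user_data can follow the signature verification. The `{1: -35}` protected header is the ES384 algorithm identifier; the sample payload is constructed.

```rust
// Added example (not the PR's code): construct the COSE_Sign1 Sig_structure
// that the Nitro enclave's ES384 key signs, using std only.

/// Encode a CBOR byte-string header (major type 2) for `len` bytes.
fn cbor_bstr_header(len: usize) -> Vec<u8> {
    match len {
        0..=23 => vec![0x40 | len as u8],
        24..=0xff => vec![0x58, len as u8],
        0x100..=0xffff => vec![0x59, (len >> 8) as u8, len as u8],
        _ => {
            let mut v = vec![0x5a];
            v.extend_from_slice(&(len as u32).to_be_bytes());
            v
        }
    }
}

/// Sig_structure = ["Signature1", body_protected, external_aad, payload].
/// Nitro attestation documents use no external AAD, so pass an empty slice.
/// The payload is embedded as raw bytes: nothing inside it has to be decoded
/// to compute the bytes that the signature is verified over.
pub fn sign1_sig_structure(protected: &[u8], external_aad: &[u8], payload: &[u8]) -> Vec<u8> {
    let mut out = vec![0x84]; // CBOR array of 4 items
    out.push(0x6a); // text string of length 10
    out.extend_from_slice(b"Signature1");
    for field in &[protected, external_aad, payload] {
        out.extend(cbor_bstr_header(field.len()));
        out.extend_from_slice(field);
    }
    out
}

/// Protected header `{1: -35}`: alg = ES384 (ECDSA over P-384 with SHA-384).
pub const ES384_PROTECTED: [u8; 4] = [0xa1, 0x01, 0x38, 0x22];

fn main() {
    // Constructed sample payload; a real attestation document is several KB of CBOR.
    let payload = b"constructed payload".to_vec();
    let to_be_signed = sign1_sig_structure(&ES384_PROTECTED, &[], &payload);
    // `to_be_signed` is what a P-384 ECDSA verifier checks against the signature
    // bstr, using the public key of the leaf certificate in the document.
    println!("Sig_structure: {} bytes", to_be_signed.len());
}
```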

```rust
/// Validate the certificate chain against the root of trust.
fn validate_cert_chain(cert_chain: &[&[u8]], now_ms: u64) -> Result<(), NitroError> {
    if cert_chain.is_empty() || cert_chain.len() > 20 {
```

Contributor: Let's change it to 10 now to be on the safer side.

5 participants