-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.js
120 lines (105 loc) · 2.97 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
const https = require("node:https");
const sqvw = require("@fleek-platform/sgx-quote-verify-wasm");
function get(url) {
return new Promise((resolve, reject) => {
https
.get(url, (response) => {
let data = "";
response.on("data", (chunk) => {
data += chunk;
});
response.on("end", () => {
resolve({ data });
});
})
.on("error", (err) => {
reject(err);
});
});
}
function getWithHeader(url, headerName) {
return new Promise((resolve, reject) => {
https
.get(url, (response) => {
let data = "";
response.on("data", (chunk) => {
data += chunk;
});
response.on("end", () => {
const headerValue = response.headers[headerName];
if (headerValue) {
resolve({ data, headerValue });
} else {
reject(new Error(`Header "${headerName}" not found`));
}
});
})
.on("error", (err) => {
reject(err);
});
});
}
function getRootCaCrl(pccs_url) {
return get(`https://${pccs_url}/sgx/certification/v3/rootcacrl`);
}
function getPckCrl(pccs_url, ca_ident) {
return getWithHeader(
`https://${pccs_url}/sgx/certification/v4/pckcrl?ca=${ca_ident}`,
"sgx-pck-crl-issuer-chain",
);
}
function getTcb(pccs_url, fmspc) {
return getWithHeader(
`https://${pccs_url}/sgx/certification/v4/tcb?fmspc=${fmspc}`,
"tcb-info-issuer-chain",
);
}
function getQeIdentity(pccs_url) {
return getWithHeader(
`https://${pccs_url}/sgx/certification/v4/qe/identity`,
"sgx-enclave-identity-issuer-chain",
);
}
// This method takes in the pccs url, the SGX quote, the CA identifier ("processor" or "platform"), and the expected MREnclave,
// and performs a remote attestation.
function verify(pccsUrl, quote, caIdentifier, expectedMrenclave) {
return new Promise((resolve, reject) => {
if (caIdentifier != "processor" && caIdentifier != "platform") {
reject(new Error(`Invalid CA identifier: ${caIdentifier}`));
}
const fmspc = sqvw.get_fmspc_from_quote(quote);
Promise.all([
getRootCaCrl(pccsUrl),
getPckCrl(pccsUrl, caIdentifier),
getTcb(pccsUrl, fmspc),
getQeIdentity(pccsUrl),
])
.then((values) => {
const rootCaCrl = values[0]["data"];
const pckCrl = values[1]["data"];
const pckChain = values[1]["headerValue"];
const tcbInfo = values[2]["data"];
const tcbChain = values[2]["headerValue"];
const qeIdent = values[3]["data"];
const qeChain = values[3]["headerValue"];
const now = Date.now();
let res = sqvw.verify(
quote,
expectedMrenclave,
rootCaCrl,
pckChain,
pckCrl,
tcbChain,
tcbInfo,
qeChain,
qeIdent,
now.toString(),
);
resolve(res);
})
.catch((err) => {
reject(err);
});
});
}
exports.verify = verify;