chore: better CRL fetching and parsing

Signed-off-by: Richard Zak <richard@profian.com>
enarx · Dec 19, 2022 · ccf8424 · ccf8424
1 parent 3a7f476
commit ccf8424
Show file tree

Hide file tree

Showing 5 changed files with 107 additions and 42 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -54,6 +54,7 @@ gdbstub = { workspace = true, features = ["std"], optional = true }
 
 [target.'cfg(all(target_os = "linux", target_arch = "x86_64"))'.dependencies]
 const-default = { workspace = true }
+der = { workspace = true }
 goblin = { workspace = true, features = ["elf32", "endian_fd", "std"], default-features = false }
 iocuddle = { workspace = true }
 kvm-bindings = { workspace = true }
@@ -72,6 +73,7 @@ sgx = { workspace = true, features = ["rcrypto"] }
 static_assertions = { workspace = true }
 ureq = { workspace = true }
 vdso = { workspace = true }
+x509-cert = { workspace = true }
 x86_64 = { workspace = true, features = ["instructions"] }
 
 # binary dependencies
@@ -145,6 +147,7 @@ colorful = { version = "0.2.0", default-features = false }
 const-default = { version = "1.0.0", default-features = false }
 const-oid = { version = "0.9.0", default-features = false }
 crt0stack = { version = "0.1.0", default-features = false }
+der = { version = "0.6.1", features = ["std"], default-features = false }
 dirs = { version = "4.0.0", default-features = false }
 drawbridge-client = { version = "0.2.2", default-features = false }
 drawbridge-server = { version = "0.2.2", default-features = false }

diff --git a/src/cli/platform/caching.rs b/src/cli/platform/caching.rs
@@ -1,34 +1,18 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use anyhow::Context;
-use std::fs::OpenOptions;
-use std::path::Path;
 
-use sha2::{Digest, Sha256};
-
-/// Fetch a URL and save the contents as the hash of the URL
-pub fn save_file(url: &str, dest: &Path) -> anyhow::Result<()> {
-    let mut response = ureq::get(url)
+/// Fetch a URL and return the bytes
+pub fn fetch_file(url: &str) -> anyhow::Result<Vec<u8>> {
+    let mut reader = ureq::get(url)
         .call()
         .context(format!("retrieving CRL {url} from server"))?
         .into_reader();
 
-    let mut dest = dest.to_path_buf();
-    dest.push(hex::encode(Sha256::digest(url)));
-
-    let mut file = OpenOptions::new()
-        .create(true)
-        .write(true)
-        .open(&dest)
-        .context(format!(
-            "opening destination file {:?} for saving CRL {url}",
-            dest.display()
-        ))?;
-
-    std::io::copy(&mut response, &mut file).context(format!(
-        "saving CRL {url} to destination file {:?}",
-        dest.display()
-    ))?;
+    let mut bytes = vec![];
+    reader
+        .read_to_end(&mut bytes)
+        .context("reading bytes buffer")?;
 
-    Ok(())
+    Ok(bytes)
 }
diff --git a/src/cli/platform/sgx/crl.rs b/src/cli/platform/sgx/crl.rs
@@ -1,13 +1,22 @@
 // SPDX-License-Identifier: Apache-2.0
 
+use super::super::caching::fetch_file;
+
+use std::fs::OpenOptions;
+use std::io::Write;
 use std::io::{self, ErrorKind};
 use std::path::PathBuf;
 use std::process::ExitCode;
 
-use super::super::caching::save_file;
-
 use anyhow::Context;
 use clap::Args;
+#[allow(unused_imports)]
+use der::{Decode, Encode};
+use x509_cert::crl::CertificateList;
+#[allow(unused_imports)]
+use x509_cert::der::Decode as _; // required for Musl target
+#[allow(unused_imports)]
+use x509_cert::der::Encode as _; // required for Musl target
 
 const CERT_CRL: &str = "https://certificates.trustedservices.intel.com/IntelSGXRootCA.der";
 const PROCESSOR_CRL: &str =
@@ -22,10 +31,42 @@ pub struct CrlCache {}
 
 impl CrlCache {
     pub fn execute(self) -> anyhow::Result<ExitCode> {
-        let dir = sgx_cache_dir()?;
-        save_file(CERT_CRL, &dir)?;
-        save_file(PROCESSOR_CRL, &dir)?;
-        save_file(PLATFORM_CRL, &dir)?;
+        let mut dest_file = sgx_cache_dir()?;
+        dest_file.push("crls.der");
+
+        let crls = [
+            fetch_file(CERT_CRL)
+                .context(format!("fetching {CERT_CRL}"))
+                .unwrap(),
+            fetch_file(PROCESSOR_CRL)
+                .context(format!("fetching {PROCESSOR_CRL}"))
+                .unwrap(),
+            fetch_file(PLATFORM_CRL)
+                .context(format!("fetching {PLATFORM_CRL}"))
+                .unwrap(),
+        ];
+
+        let crls = [
+            CertificateList::from_der(&crls[0])?,
+            CertificateList::from_der(&crls[1])?,
+            CertificateList::from_der(&crls[2])?,
+        ];
+
+        let crls = crls
+            .to_vec()
+            .context("converting Intel CRLs to DER encoding")?;
+
+        OpenOptions::new()
+            .create(true)
+            .write(true)
+            .truncate(true)
+            .open(&dest_file)
+            .context(format!(
+                "opening destination file {dest_file:?} for saving Intel CRLs"
+            ))?
+            .write_all(&crls)
+            .context(format!("writing Intel CRLs to file {dest_file:?}"))?;
+
         Ok(ExitCode::SUCCESS)
     }
 }

diff --git a/src/cli/platform/snp/crl.rs b/src/cli/platform/snp/crl.rs
@@ -1,11 +1,21 @@
 // SPDX-License-Identifier: Apache-2.0
 
-use super::super::caching::save_file;
+use super::super::caching::fetch_file;
 use crate::backend::sev::snp::vcek::sev_cache_dir;
 
+use std::fs::OpenOptions;
+use std::io::Write;
 use std::process::ExitCode;
 
+use anyhow::Context;
 use clap::Args;
+#[allow(unused_imports)]
+use der::{Decode, Encode};
+use x509_cert::crl::CertificateList;
+#[allow(unused_imports)]
+use x509_cert::der::Decode as _; // required for Musl target
+#[allow(unused_imports)]
+use x509_cert::der::Encode as _; // required for Musl target
 
 const GENOA: &str = "https://kdsintf.amd.com/vcek/v1/Genoa/crl";
 const MILAN: &str = "https://kdsintf.amd.com/vcek/v1/Milan/crl";
@@ -17,9 +27,34 @@ pub struct CrlCache {}
 
 impl CrlCache {
     pub fn execute(self) -> anyhow::Result<ExitCode> {
-        let dir = sev_cache_dir()?;
-        save_file(GENOA, &dir)?;
-        save_file(MILAN, &dir)?;
+        let mut dest_file = sev_cache_dir()?;
+        dest_file.push("crls.der");
+
+        let crls = [
+            fetch_file(GENOA).context(format!("fetching {GENOA}"))?,
+            fetch_file(MILAN).context(format!("fetching {MILAN}"))?,
+        ];
+
+        let crls = [
+            CertificateList::from_der(&crls[0])?,
+            CertificateList::from_der(&crls[1])?,
+        ];
+
+        let crls = crls
+            .to_vec()
+            .context("converting AMD CRLs to DER encoding")?;
+
+        OpenOptions::new()
+            .create(true)
+            .write(true)
+            .truncate(true)
+            .open(&dest_file)
+            .context(format!(
+                "opening destination file {dest_file:?} for saving AMD CRLs"
+            ))?
+            .write_all(&crls)
+            .context(format!("writing AMD CRLs to file {dest_file:?}"))?;
+
         Ok(ExitCode::SUCCESS)
     }
 }