Advisories-by-platform parsing (collateral)

[nick-mobilecoin]

The advisories are provided in json format via https://api.portal.trustedservices.intel.com/documentation#pcs-tcb-info-v4

for example

curl "https://api.trustedservices.intel.com/sgx/certification/v4/tcb?fmspc=00906ED50000"

The TCB format is specified in https://api.portal.trustedservices.intel.com/documentation#pcs-tcb-info-model-v3

The signature is over the tcbinfo contents so need to strip off the {tcbinfo: from the string.

We will want a JSON parser that doesn't walk down past the initial tcbInfo when looking for the signature.

Think the signing key comes from the request can see the chain with curl -v

TCB Test cases

• duplicate tcbInfo fields. Simulates a malicious actor appending another tcbInfo field to the json hoping the first tcbInfo get's verified

  {
    tcbInfo: {},
    signature: "",
    tcbInfo: {}
  }
       

• tcbInfo doesn't contain valid json. Ensures the parser that is looking for the root signature field errors properly and verification does not happen
• tcbInfo contains a signature field. Ensures that the root signature is used by the verification logic. Simulates a malicious actor nesting signed tcbInfo inside of the root tcbInfo

PRs

• Add TCB struct and parser #83
• Add parsing of the tcbInfo inner field #84
• Add verification of TCB data #85

[nick-mobilecoin]

Done in linked PRs