Change from passing verifier to passing measurements

Previously many interfaces that wished to attest to an enclave would create and pass a verifier down to the logic that would eventually try and verify the enclave's report. Now these interfaces pass in a `Vec<TrustedMeasurement>` with all of the measurements they wish to verify against. This isolates the logic for how an enclave report is verified to support different verification methods based on EPID vs DCAP.
mobilecoinfoundation · Jun 2, 2023 · 1ccb67c · 1ccb67c
1 parent 1c83f2f
commit 1ccb67c
Show file tree

Hide file tree

Showing 69 changed files with 631 additions and 455 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/attest/ake/Cargo.toml b/attest/ake/Cargo.toml
@@ -20,6 +20,7 @@ sgx-sim = [
 [dependencies]
 mc-attest-core = { path = "../../attest/core", default-features = false }
 mc-attest-verifier = { path = "../../attest/verifier", default-features = false }
+mc-attest-verifier-config = { path = "../../attest/verifier/config", default-features = false }
 mc-crypto-keys = { path = "../../crypto/keys", default-features = false }
 mc-crypto-noise = { path = "../../crypto/noise", default-features = false }
 

diff --git a/attest/ake/src/event.rs b/attest/ake/src/event.rs
@@ -6,7 +6,7 @@ use crate::mealy::{Input as MealyInput, Output as MealyOutput};
 use alloc::vec::Vec;
 use core::marker::PhantomData;
 use mc_attest_core::VerificationReport;
-use mc_attest_verifier::Verifier;
+use mc_attest_verifier_config::TrustedMeasurement;
 use mc_crypto_keys::Kex;
 use mc_crypto_noise::{
     HandshakeIX, HandshakeNX, HandshakePattern, NoiseCipher, NoiseDigest, ProtocolName,
@@ -223,8 +223,8 @@ where
     pub(crate) local_identity: KexAlgo::Private,
     /// This is the local node's ias report.
     pub(crate) ias_report: VerificationReport,
-    /// This is the verifier used to examine the initiator's IAS report
-    pub(crate) verifier: Verifier,
+    /// The measurements that the initiator's IAS report must conform to
+    pub(crate) measurements: Vec<TrustedMeasurement>,
 
     /// The auth request input, including payload, if any
     pub(crate) data: AuthRequestOutput<HandshakeIX, KexAlgo, Cipher, DigestAlgo>,
@@ -248,12 +248,12 @@ where
         data: AuthRequestOutput<HandshakeIX, KexAlgo, Cipher, DigestAlgo>,
         local_identity: KexAlgo::Private,
         ias_report: VerificationReport,
-        verifier: Verifier,
+        measurements: impl Into<Vec<TrustedMeasurement>>,
     ) -> Self {
         Self {
             local_identity,
             ias_report,
-            verifier,
+            measurements: measurements.into(),
             data,
         }
     }
@@ -287,14 +287,14 @@ impl MealyOutput for AuthResponseOutput {}
 /// The authentication response is combined with a verifier for the initiator.
 pub struct AuthResponseInput {
     pub(crate) data: Vec<u8>,
-    pub(crate) verifier: Verifier,
+    pub(crate) measurements: Vec<TrustedMeasurement>,
 }
 
 impl AuthResponseInput {
-    pub fn new(data: AuthResponseOutput, verifier: Verifier) -> Self {
+    pub fn new(data: AuthResponseOutput, measurements: impl Into<Vec<TrustedMeasurement>>) -> Self {
         Self {
             data: data.0,
-            verifier,
+            measurements: measurements.into(),
         }
     }
 }

diff --git a/attest/ake/src/initiator.rs b/attest/ake/src/initiator.rs
@@ -8,6 +8,7 @@ use crate::{
 };
 use alloc::vec::Vec;
 use mc_attest_core::{ReportDataMask, VerificationReport};
+use mc_attest_verifier::{Verifier, DEBUG_ENCLAVE};
 use mc_crypto_keys::{Kex, ReprBytes};
 use mc_crypto_noise::{
     HandshakeIX, HandshakeNX, HandshakeOutput, HandshakePattern, HandshakeState, HandshakeStatus,
@@ -162,7 +163,9 @@ where
                 let remote_report = VerificationReport::decode(output.payload.as_slice())
                     .map_err(|_e| Error::ReportDeserialization)?;
 
-                let mut verifier = input.verifier;
+                let measurements = input.measurements;
+                let mut verifier = Verifier::default();
+                verifier.measurements(&measurements).debug(DEBUG_ENCLAVE);
 
                 // We are not returning the report data and instead returning the raw report
                 // since that also includes the signature and certificate chain.

diff --git a/attest/ake/src/lib.rs b/attest/ake/src/lib.rs
@@ -37,7 +37,7 @@ mod test {
     use aes_gcm::Aes256Gcm;
     use mc_attest_core::Quote;
     use mc_attest_net::{Client, RaClient};
-    use mc_attest_verifier::{MrSignerVerifier, Verifier, IAS_SIM_ROOT_ANCHORS};
+    use mc_attest_verifier_config::{TrustedMeasurement, TrustedMrSignerMeasurement};
     use mc_crypto_keys::{X25519Private, X25519Public, X25519};
     use mc_util_encodings::{FromBase64, ToX64};
     use mc_util_from_random::FromRandom;
@@ -78,17 +78,14 @@ mod test {
             .report_body()
             .expect("Could not retrieve report body from cached report");
 
-        // Construct a report verifier that will check the MRSIGNER, product ID, and
-        // security version
-        let mr_signer = MrSignerVerifier::new(
-            report_body.mr_signer(),
+        let advisories: &[&str] = &[];
+        let mr_signer = TrustedMeasurement::from(TrustedMrSignerMeasurement::new(
+            &report_body.mr_signer().into(),
             report_body.product_id(),
             report_body.security_version(),
-        );
-
-        let mut verifier = Verifier::new(&[IAS_SIM_ROOT_ANCHORS])
-            .expect("Could not construct verifier with sim root anchors");
-        verifier.mr_signer(mr_signer).debug(true);
+            advisories,
+        ));
+        let measurements = [mr_signer];
 
         let initiator = Start::new(RESPONDER_ID_STR.into());
         let responder = Start::new(RESPONDER_ID_STR.into());
@@ -101,15 +98,19 @@ mod test {
 
         // initiator = authpending, responder = start
 
-        let auth_request_input =
-            NodeAuthRequestInput::new(auth_request_output, identity, ias_report, verifier.clone());
+        let auth_request_input = NodeAuthRequestInput::new(
+            auth_request_output,
+            identity,
+            ias_report,
+            measurements.clone(),
+        );
         let (responder, auth_response_output) = responder
             .try_next(&mut csprng, auth_request_input)
             .expect("Responder could not process auth request");
 
         // initiator = authpending, responder = ready
 
-        let auth_response_input = AuthResponseInput::new(auth_response_output, verifier);
+        let auth_response_input = AuthResponseInput::new(auth_response_output, measurements);
         let (initiator, _) = initiator
             .try_next(&mut csprng, auth_response_input)
             .expect("Initiator not process auth response");

diff --git a/attest/ake/src/responder.rs b/attest/ake/src/responder.rs
@@ -9,6 +9,7 @@ use crate::{
 };
 use alloc::vec::Vec;
 use mc_attest_core::{ReportDataMask, VerificationReport};
+use mc_attest_verifier::{Verifier, DEBUG_ENCLAVE};
 use mc_crypto_keys::{Kex, ReprBytes};
 use mc_crypto_noise::{
     HandshakeIX, HandshakeNX, HandshakePattern, HandshakeState, HandshakeStatus, NoiseCipher,
@@ -139,7 +140,9 @@ where
                 input.local_identity,
             )?;
 
-        let mut verifier = input.verifier;
+        let measurements = input.measurements;
+        let mut verifier = Verifier::default();
+        verifier.measurements(&measurements).debug(DEBUG_ENCLAVE);
 
         // Parse the received IAS report
         let remote_report = VerificationReport::decode(payload.as_slice())

diff --git a/attest/core/src/types/measurement.rs b/attest/core/src/types/measurement.rs
@@ -26,6 +26,12 @@ impl From<[u8; SGX_HASH_SIZE]> for MrEnclave {
     }
 }
 
+impl From<MrEnclave> for [u8; SGX_HASH_SIZE] {
+    fn from(mr_enclave: MrEnclave) -> Self {
+        mr_enclave.0.m
+    }
+}
+
 /// An opaque type for MRSIGNER values.
 ///
 /// A MRSIGNER value is a cryptographic hash of the public key an enclave
@@ -40,6 +46,12 @@ impl From<[u8; SGX_HASH_SIZE]> for MrSigner {
     }
 }
 
+impl From<MrSigner> for [u8; SGX_HASH_SIZE] {
+    fn from(mr_signer: MrSigner) -> Self {
+        mr_signer.0.m
+    }
+}
+
 impl_sgx_newtype_for_bytestruct! {
     MrEnclave, sgx_measurement_t, SGX_HASH_SIZE, m;
     MrSigner, sgx_measurement_t, SGX_HASH_SIZE, m;

diff --git a/attest/verifier/Cargo.toml b/attest/verifier/Cargo.toml
@@ -27,6 +27,7 @@ ias-dev = []
 
 [dependencies]
 mc-attest-core = { path = "../core", default-features = false }
+mc-attest-verifier-config = { path = "config", default-features = false }
 mc-common = { path = "../../common", default-features = false }
 mc-sgx-css = { path = "../../sgx/css", default-features = false }
 mc-sgx-types = { path = "../../sgx/types", default-features = false }