mobilecoinfoundation · nick-mobilecoin · Jul 25, 2023 · Jun 1, 2023 · Jul 25, 2023
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/attest/ake/Cargo.toml b/attest/ake/Cargo.toml
@@ -26,6 +26,7 @@ mc-crypto-noise = { path = "../../crypto/noise", default-features = false }
 aead = "0.5"
 digest = "0.10"
 displaydoc = { version = "0.2", default-features = false }
+mc-attestation-verifier = "0.2.0"
 prost = { version = "0.11", default-features = false, features = ["prost-derive"] }
 rand_core = "0.6"
 serde = { version = "1.0", default-features = false, features = ["alloc"] }

diff --git a/attest/ake/src/event.rs b/attest/ake/src/event.rs
@@ -6,7 +6,7 @@ use crate::mealy::{Input as MealyInput, Output as MealyOutput};
 use alloc::vec::Vec;
 use core::marker::PhantomData;
 use mc_attest_core::VerificationReport;
-use mc_attest_verifier::Verifier;
+use mc_attestation_verifier::TrustedIdentity;
 use mc_crypto_keys::Kex;
 use mc_crypto_noise::{
     HandshakeIX, HandshakeNX, HandshakePattern, NoiseCipher, NoiseDigest, ProtocolName,
@@ -223,8 +223,8 @@ where
     pub(crate) local_identity: KexAlgo::Private,
     /// This is the local node's ias report.
     pub(crate) ias_report: VerificationReport,
-    /// This is the verifier used to examine the initiator's IAS report
-    pub(crate) verifier: Verifier,
+    /// The identities that the initiator's IAS report must conform to
+    pub(crate) identities: Vec<TrustedIdentity>,
 
     /// The auth request input, including payload, if any
     pub(crate) data: AuthRequestOutput<HandshakeIX, KexAlgo, Cipher, DigestAlgo>,
@@ -248,12 +248,12 @@ where
         data: AuthRequestOutput<HandshakeIX, KexAlgo, Cipher, DigestAlgo>,
         local_identity: KexAlgo::Private,
         ias_report: VerificationReport,
-        verifier: Verifier,
+        identities: impl Into<Vec<TrustedIdentity>>,
     ) -> Self {
         Self {
             local_identity,
             ias_report,
-            verifier,
+            identities: identities.into(),
             data,
         }
     }
@@ -287,14 +287,14 @@ impl MealyOutput for AuthResponseOutput {}
 /// The authentication response is combined with a verifier for the initiator.
 pub struct AuthResponseInput {
     pub(crate) data: Vec<u8>,
-    pub(crate) verifier: Verifier,
+    pub(crate) identities: Vec<TrustedIdentity>,
 }
 
 impl AuthResponseInput {
-    pub fn new(data: AuthResponseOutput, verifier: Verifier) -> Self {
+    pub fn new(data: AuthResponseOutput, identity: impl Into<Vec<TrustedIdentity>>) -> Self {
         Self {
             data: data.0,
-            verifier,
+            identities: identity.into(),
         }
     }
 }

diff --git a/attest/ake/src/initiator.rs b/attest/ake/src/initiator.rs
@@ -8,6 +8,7 @@ use crate::{
 };
 use alloc::vec::Vec;
 use mc_attest_core::{ReportDataMask, VerificationReport};
+use mc_attest_verifier::{Verifier, DEBUG_ENCLAVE};
 use mc_crypto_keys::{Kex, ReprBytes};
 use mc_crypto_noise::{
     HandshakeIX, HandshakeNX, HandshakeOutput, HandshakePattern, HandshakeState, HandshakeStatus,
@@ -162,7 +163,9 @@ where
                 let remote_report = VerificationReport::decode(output.payload.as_slice())
                     .map_err(|_e| Error::ReportDeserialization)?;
 
-                let mut verifier = input.verifier;
+                let identities = input.identities;
+                let mut verifier = Verifier::default();
+                verifier.identities(&identities).debug(DEBUG_ENCLAVE);
 
                 // We are not returning the report data and instead returning the raw report
                 // since that also includes the signature and certificate chain.

diff --git a/attest/ake/src/lib.rs b/attest/ake/src/lib.rs
@@ -37,7 +37,7 @@ mod test {
     use aes_gcm::Aes256Gcm;
     use mc_attest_core::Quote;
     use mc_attest_net::{Client, RaClient};
-    use mc_attest_verifier::{MrSignerVerifier, Verifier, IAS_SIM_ROOT_ANCHORS};
+    use mc_attestation_verifier::{TrustedIdentity, TrustedMrSignerIdentity};
     use mc_crypto_keys::{X25519Private, X25519Public, X25519};
     use mc_util_encodings::{FromBase64, ToX64};
     use mc_util_from_random::FromRandom;
@@ -78,17 +78,14 @@ mod test {
             .report_body()
             .expect("Could not retrieve report body from cached report");
 
-        // Construct a report verifier that will check the MRSIGNER, product ID, and
-        // security version
-        let mr_signer = MrSignerVerifier::new(
+        let mr_signer = TrustedIdentity::from(TrustedMrSignerIdentity::new(
             report_body.mr_signer(),
-            report_body.product_id(),
+            report_body.product_id().into(),
             report_body.security_version(),
-        );
-
-        let mut verifier = Verifier::new(&[IAS_SIM_ROOT_ANCHORS])
-            .expect("Could not construct verifier with sim root anchors");
-        verifier.mr_signer(mr_signer).debug(true);
+            [] as [&str; 0],
+            [] as [&str; 0],
+        ));
+        let identities = [mr_signer];
 
         let initiator = Start::new(RESPONDER_ID_STR.into());
         let responder = Start::new(RESPONDER_ID_STR.into());
@@ -101,15 +98,19 @@ mod test {
 
         // initiator = authpending, responder = start
 
-        let auth_request_input =
-            NodeAuthRequestInput::new(auth_request_output, identity, ias_report, verifier.clone());
+        let auth_request_input = NodeAuthRequestInput::new(
+            auth_request_output,
+            identity,
+            ias_report,
+            identities.clone(),
+        );
         let (responder, auth_response_output) = responder
             .try_next(&mut csprng, auth_request_input)
             .expect("Responder could not process auth request");
 
         // initiator = authpending, responder = ready
 
-        let auth_response_input = AuthResponseInput::new(auth_response_output, verifier);
+        let auth_response_input = AuthResponseInput::new(auth_response_output, identities);
         let (initiator, _) = initiator
             .try_next(&mut csprng, auth_response_input)
             .expect("Initiator not process auth response");

diff --git a/attest/ake/src/responder.rs b/attest/ake/src/responder.rs
@@ -9,6 +9,7 @@ use crate::{
 };
 use alloc::vec::Vec;
 use mc_attest_core::{ReportDataMask, VerificationReport};
+use mc_attest_verifier::{Verifier, DEBUG_ENCLAVE};
 use mc_crypto_keys::{Kex, ReprBytes};
 use mc_crypto_noise::{
     HandshakeIX, HandshakeNX, HandshakePattern, HandshakeState, HandshakeStatus, NoiseCipher,
@@ -139,7 +140,9 @@ where
                 input.local_identity,
             )?;
 
-        let mut verifier = input.verifier;
+        let identities = input.identities;
+        let mut verifier = Verifier::default();
+        verifier.identities(&identities).debug(DEBUG_ENCLAVE);
 
         // Parse the received IAS report
         let remote_report = VerificationReport::decode(payload.as_slice())

diff --git a/attest/verifier/Cargo.toml b/attest/verifier/Cargo.toml
@@ -27,8 +27,6 @@ ias-dev = []
 
 [dependencies]
 mc-attest-core = { path = "../core", default-features = false }
-mc-attest-verifier-config = { path = "config", default-features = false }
-mc-attestation-verifier = "0.2.0"
 mc-common = { path = "../../common", default-features = false }
 mc-sgx-core-types = "0.7.2"
 mc-sgx-css = { path = "../../sgx/css", default-features = false }
@@ -38,6 +36,7 @@ cfg-if = "1.0"
 displaydoc = { version = "0.2", default-features = false }
 hex_fmt = "0.3"
 mbedtls = { version = "0.8.1", default-features = false, features = ["no_std_deps"] }
+mc-attestation-verifier = "0.2.0"
 serde = { version = "1.0", default-features = false, features = ["alloc", "derive"] }
 sha2 = { version = "0.10", default-features = false }