WIP move PCK cert chain verification to attestation pallet

crates/shared/src/types.rs

@@ -153,10 +153,9 @@ pub trait AttestationHandler<AccountId> {
     fn verify_quote(
         attestee: &AccountId,
         x25519_public_key: X25519PublicKey,
-        provisioning_certification_key: BoundedVecEncodedVerifyingKey,
         quote: Vec<u8>,
         context: QuoteContext,
-    ) -> Result<(), sp_runtime::DispatchError>;
+    ) -> Result<BoundedVecEncodedVerifyingKey, sp_runtime::DispatchError>;
 
     /// Indicate to the attestation handler that a quote is desired.
     ///
@@ -171,11 +170,10 @@ impl<AccountId> AttestationHandler<AccountId> for () {
     fn verify_quote(
         _attestee: &AccountId,
         _x25519_public_key: X25519PublicKey,
-        _provisioning_certification_key: BoundedVecEncodedVerifyingKey,
         _quote: Vec<u8>,
         _context: QuoteContext,
-    ) -> Result<(), sp_runtime::DispatchError> {
-        Ok(())
+    ) -> Result<BoundedVecEncodedVerifyingKey, sp_runtime::DispatchError> {
+        Ok(sp_runtime::BoundedVec::new())
     }
 
     fn request_quote(_attestee: &AccountId, _nonce: [u8; 32]) {}

pallets/attestation/Cargo.toml

@@ -28,7 +28,10 @@ entropy-shared={ version="0.3.0", path="../../crates/shared", features=[
   "wasm-no-std",
 ], default-features=false }
 pallet-staking-extension={ version="0.3.0", path="../staking", default-features=false }
-tdx-quote="0.0.1"
+tdx-quote={ git="https://github.com/entropyxyz/tdx-quote.git", branch="peg/cert-chain-getter" }
+x509-verify       ={ version="0.4.6", features=["x509"] }
+spki              ="0.7.3"
+p256              ={ version="0.13.2", default-features=false, features=["ecdsa"] }
 
 [dev-dependencies]
 pallet-session                 ={ version="29.0.0", default-features=false }
@@ -39,7 +42,7 @@ pallet-timestamp               ={ version="28.0.0", default-features=false }
 sp-npos-elections              ={ version="27.0.0", default-features=false }
 frame-election-provider-support={ version="29.0.0", default-features=false }
 pallet-staking-reward-curve    ={ version="11.0.0" }
-tdx-quote                      ={ version="0.0.1", features=["mock"] }
+tdx-quote={ git="https://github.com/entropyxyz/tdx-quote.git", branch="peg/cert-chain-getter", features=["mock"] }
 rand_core                      ="0.6.4"
 
 [features]

pallets/attestation/src/lib.rs

@@ -39,6 +39,8 @@ pub mod benchmarking;
 
 pub mod weights;
 
+mod pck;
+
 #[cfg(test)]
 mod mock;
 
@@ -54,6 +56,7 @@ pub mod pallet {
     use sp_runtime::traits::TrailingZeroInput;
     use sp_std::vec::Vec;
 
+    use pck::PckCertChainVerifier;
     use rand_chacha::{
         rand_core::{RngCore, SeedableRng},
         ChaCha20Rng, ChaChaRng,
@@ -77,6 +80,8 @@ pub mod pallet {
         type WeightInfo: WeightInfo;
         /// Something that provides randomness in the runtime.
         type Randomness: Randomness<Self::Hash, BlockNumberFor<Self>>;
+        /// A type that verifies a provisioning certification key (PCK) certificate chain.
+        type PckCertChainVerifier: PckCertChainVerifier;
     }
 
     #[pallet::genesis_config]
@@ -203,10 +208,10 @@ pub mod pallet {
         fn verify_quote(
             attestee: &T::AccountId,
             x25519_public_key: entropy_shared::X25519PublicKey,
-            provisioning_certification_key: entropy_shared::BoundedVecEncodedVerifyingKey,
+            // provisioning_certification_key: entropy_shared::BoundedVecEncodedVerifyingKey,
             quote: Vec<u8>,
             context: QuoteContext,
-        ) -> Result<(), DispatchError> {
+        ) -> Result<entropy_shared::BoundedVecEncodedVerifyingKey, DispatchError> {
             // Check that we were expecting a quote from this validator by getting the associated
             // nonce from PendingAttestations.
             let nonce =
@@ -229,6 +234,14 @@ pub mod pallet {
             let accepted_mrtd_values = pallet_parameters::Pallet::<T>::accepted_mrtd_values();
             ensure!(accepted_mrtd_values.contains(&mrtd_value), Error::<T>::BadMrtdValue);
 
+            let pck_certificate_chain = quote.pck_cert_chain().ok_or(Error::<T>::NoPckCertChain)?;
+            let provisioning_certification_key =
+                T::PckCertChainVerifier::verify_pck_certificate_chain(pck_certificate_chain)
+                    .map_err(|error| {
+                        let e: Error<T> = error.into();
+                        e
+                    })?;
+
             // Check that the attestation public key is signed with the PCK
             let provisioning_certification_key = decode_verifying_key(
                 &provisioning_certification_key

pallets/staking/Cargo.toml

@@ -28,9 +28,6 @@ sp-runtime        ={ version="32.0.0", default-features=false }
 sp-staking        ={ version="27.0.0", default-features=false }
 sp-std            ={ version="14.0.0", default-features=false }
 sp-consensus-babe ={ version="0.33.0", default-features=false }
-x509-verify       ={ version="0.4.6", features=["x509"] }
-spki              ="0.7.3"
-p256              ={ version="0.13.2", default-features=false, features=["ecdsa"] }
 rand              ={ version="0.8.5", default-features=false, features=["alloc"] }
 
 pallet-parameters={ version="0.3.0", path="../parameters", default-features=false }

pallets/staking/src/lib.rs

@@ -41,8 +41,6 @@ use serde::{Deserialize, Serialize};
 
 pub use crate::weights::WeightInfo;
 
-pub mod pck;
-
 #[cfg(test)]
 mod mock;
 
@@ -70,7 +68,6 @@ pub mod pallet {
         DefaultNoBound,
     };
     use frame_system::pallet_prelude::*;
-    use pck::PckCertChainVerifier;
     use rand_chacha::{
         rand_core::{RngCore, SeedableRng},
         ChaCha20Rng, ChaChaRng,
@@ -97,9 +94,6 @@ pub mod pallet {
         /// The weight information of this pallet.
         type WeightInfo: WeightInfo;
 
-        /// A type that verifies a provisioning certification key (PCK) certificate chain.
-        type PckCertChainVerifier: PckCertChainVerifier;
-
         /// Something that provides randomness in the runtime.
         type Randomness: Randomness<Self::Hash, BlockNumberFor<Self>>;
 
@@ -352,16 +346,16 @@ pub mod pallet {
         FailedAttestationCheck,
     }
 
-    impl<T> From<pck::PckParseVerifyError> for Error<T> {
-        fn from(error: pck::PckParseVerifyError) -> Self {
-            match error {
-                pck::PckParseVerifyError::Parse => Error::<T>::PckCertificateParse,
-                pck::PckParseVerifyError::Verify => Error::<T>::PckCertificateVerify,
-                pck::PckParseVerifyError::BadPublicKey => Error::<T>::PckCertificateBadPublicKey,
-                pck::PckParseVerifyError::NoCertificate => Error::<T>::PckCertificateNoCertificate,
-            }
-        }
-    }
+    // impl<T> From<pck::PckParseVerifyError> for Error<T> {
+    //     fn from(error: pck::PckParseVerifyError) -> Self {
+    //         match error {
+    //             pck::PckParseVerifyError::Parse => Error::<T>::PckCertificateParse,
+    //             pck::PckParseVerifyError::Verify => Error::<T>::PckCertificateVerify,
+    //             pck::PckParseVerifyError::BadPublicKey => Error::<T>::PckCertificateBadPublicKey,
+    //             pck::PckParseVerifyError::NoCertificate => Error::<T>::PckCertificateNoCertificate,
+    //         }
+    //     }
+    // }
 
     #[pallet::event]
     #[pallet::generate_deposit(pub(super) fn deposit_event)]
@@ -432,7 +426,6 @@ pub mod pallet {
                         <T::AttestationHandler as entropy_shared::AttestationHandler<_>>::verify_quote(
                             &server_info.tss_account.clone(),
                             server_info.x25519_public_key,
-                            server_info.provisioning_certification_key.clone(),
                             quote,
                             QuoteContext::ChangeEndpoint,
                         )
@@ -471,7 +464,6 @@ pub mod pallet {
             origin: OriginFor<T>,
             tss_account: T::AccountId,
             x25519_public_key: X25519PublicKey,
-            pck_certificate_chain: Vec<Vec<u8>>,
             quote: Vec<u8>,
         ) -> DispatchResultWithPostInfo {
             let who = ensure_signed(origin)?;
@@ -491,30 +483,19 @@ pub mod pallet {
                 Error::<T>::NoChangingThresholdAccountWhenSigner
             );
 
-            let provisioning_certification_key =
-                T::PckCertChainVerifier::verify_pck_certificate_chain(pck_certificate_chain)
-                    .map_err(|error| {
-                        let e: Error<T> = error.into();
-                        e
-                    })?;
-
             let new_server_info: ServerInfo<T::AccountId> = ThresholdServers::<T>::try_mutate(
                 &validator_id,
                 |maybe_server_info| {
                     if let Some(server_info) = maybe_server_info {
                         // Before we modify the `server_info`, we want to check that the validator is
                         // still running TDX hardware.
-                        ensure!(
+                        let provisioning_certification_key =
                             <T::AttestationHandler as entropy_shared::AttestationHandler<_>>::verify_quote(
                                 &tss_account.clone(),
                                 x25519_public_key,
-                                provisioning_certification_key.clone(),
                                 quote,
                                 QuoteContext::ChangeThresholdAccounts,
-                            )
-                            .is_ok(),
-                            Error::<T>::FailedAttestationCheck
-                        );
+                            ).map_err(|_| Error::<T>::FailedAttestationCheck)?;
 
                         server_info.tss_account = tss_account;
                         server_info.x25519_public_key = x25519_public_key;
@@ -633,14 +614,14 @@ pub mod pallet {
         ) -> DispatchResult {
             let who = ensure_signed(origin.clone())?;
 
-            let provisioning_certification_key =
-                T::PckCertChainVerifier::verify_pck_certificate_chain(
-                    joining_server_info.pck_certificate_chain,
-                )
-                .map_err(|error| {
-                    let e: Error<T> = error.into();
-                    e
-                })?;
+            // let provisioning_certification_key =
+            //     T::PckCertChainVerifier::verify_pck_certificate_chain(
+            //         joining_server_info.pck_certificate_chain,
+            //     )
+            //     .map_err(|error| {
+            //         let e: Error<T> = error.into();
+            //         e
+            //     })?;
 
             let server_info = ServerInfo::<T::AccountId> {
                 tss_account: joining_server_info.tss_account,
@@ -662,7 +643,6 @@ pub mod pallet {
                 <T::AttestationHandler as entropy_shared::AttestationHandler<_>>::verify_quote(
                     &server_info.tss_account.clone(),
                     server_info.x25519_public_key,
-                    server_info.provisioning_certification_key.clone(),
                     quote,
                     QuoteContext::Validate,
                 )