mirror of
https://github.com/signalapp/libsignal.git
synced 2024-09-19 19:42:19 +02:00
SVR3: Support tpm2snp enclave on gcp
parent
d3be245091
commit
1ea1ac2085
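--- a/rust/attest/res/goog_akcert_root.pem
+++ b/rust/attest/res/goog_akcert_root.pem
@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGATCCA+mgAwIBAgIUAKZdpPnjKPOANcOnPU9yQyvfFdwwDQYJKoZIhvcNAQEL
+BQAwfjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcT
+DU1vdW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2dsZSBMTEMxFTATBgNVBAsTDEdv
+b2dsZSBDbG91ZDEWMBQGA1UEAxMNRUsvQUsgQ0EgUm9vdDAgFw0yMjA3MDgwMDQw
+MzRaGA8yMTIyMDcwODA1NTcyM1owfjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
+bGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxEzARBgNVBAoTCkdvb2ds
+ZSBMTEMxFTATBgNVBAsTDEdvb2dsZSBDbG91ZDEWMBQGA1UEAxMNRUsvQUsgQ0Eg
+Um9vdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ0l9VCoyJZLSol8
+KyhNpbS7pBnuicE6ptrdtxAWIR2TnLxSgxNFiR7drtofxI0ruceoCIpsa9NHIKrz
+3sM/N/E8mFNHiJAuyVf3pPpmDpLJZQ1qe8yHkpGSs3Kj3s5YYWtEecCVfzNs4MtK
+vGfA+WKB49A6Noi8R9R1GonLIN6wSXX3kP1ibRn0NGgdqgfgRe5HC3kKAhjZ6scT
+8Eb1SGlaByGzE5WoGTnNbyifkyx9oUZxXVJsqv2q611W3apbPxcgev8z5JXQUbrr
+Q7EbO0StK1DsKRsKLuD+YLxjrBRQ4UeIN5WHp6G0vgYiOptHm6YKZxQemO/kVMLR
+zsm1AYH7eNOFekcBIKRjSqpk5m4ud04qum6f0hBj3iE/Pe+DvIbVhLh9ItAunISG
+QPA9dYEgfA/qWir+pU7LV3phpLeGhull8G/zYmQhF3heg0buIR70aavzT8iLAQrx
+VMNRZJEGMwIN/tq8YiT3+3EZIcSqq6GAGjiuVw3NIsXC3+CuSJGQ5GbDp49Lc6VW
+PHeWeFvwSUGgxKXq5r1+PRsoYgK6S4hhecgXEX5c7Rta6TcFlEFb0XK9fpy1dr89
+LeFGxUBpdDvKxDRLMm3FQen8rmR/PSReEcJsaqbUP/q7Pc7k0RfF9Mb6AfPZfnqg
+pYJQ+IFSr9EjRSW1wPcL03zoTP47AgMBAAGjdTBzMA4GA1UdDwEB/wQEAwIBBjAQ
+BgNVHSUECTAHBgVngQUIATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRJ50pb
+Vin1nXm3pjA8A7KP5xTdTDAfBgNVHSMEGDAWgBRJ50pbVin1nXm3pjA8A7KP5xTd
+TDANBgkqhkiG9w0BAQsFAAOCAgEAlfHRvOB3CJoLTl1YG/AvjGoZkpNMyp5X5je1
+ICCQ68b296En9hIUlcYY/+nuEPSPUjDA3izwJ8DAfV4REgpQzqoh6XhR3TgyfHXj
+J6DC7puzEgtzF1+wHShUpBoe3HKuL4WhB3rvwk2SEsudBu92o9BuBjcDJ/GW5GRt
+pD/H71HAE8rI9jJ41nS0FvkkjaX0glsntMVUXiwcta8GI0QOE2ijsJBwk41uQGt0
+YOj2SGlEwNAC5DBTB5kZ7+6X9xGE6/c+M3TAA0ONoX18rNfif94cCx/mPYOs8pUk
+ANRAQ4aTRBvpBrryGT8R1ahTBkMeRQG3tdsLHRT8fJCFUANd5WLWsi83005y/WuM
+z8/gFKc0PL+F+MubCsJ1ODPTRscH93QlS4zEMg5hDAIks+fDoRJ2QiROqo7GAqbT
+c7STKfGcr9+pa63na7f3oy1sZPWPdxB8tx5z3lghiPP3ktQx/yK/1Fwf1hgxJHFy
+/2UcaGuOXRRRTPyEnppZp82Kigs9aPHWtaVm2/LrXX2fvT9iM/k0CovNAj8rztHx
+sUEoA0xJnSOJNPpe9PRdjsTj7/u3Xu6hQLNNidBHgI3Hcmi704HMMd/3yZ424OOr
+S32ylpeU1oeQHFrLE6hYX4/ttMETbmESIKd2rTgstPotSvkuB5TljbKYPR+lq7hQ
+av16U4E=
+-----END CERTIFICATE-----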
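Review bot: The root that anchors AK certificate verification is checked in as an opaque PEM, with no record of where it was obtained or what its fingerprint is. The Rust hunk further down makes `attest` validate every tpm2snp AK chain against this single file through `GOOG_AKCERT_ROOT_PEM`, so a later reviewer has no way to confirm the pinned root out of band. A doc comment on that constant would cover it, for example `/// Root CA for GCP vTPM AK certificates. Source: <publication URL placeholder>; SHA-256: <fingerprint placeholder>.`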
@ -1,33 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIFsDCCA5igAwIBAgIQUfQx2iySCIpOKeDZKd5KpzANBgkqhkiG9w0BAQwFADBp
|
||||
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTow
|
||||
OAYDVQQDEzFBenVyZSBWaXJ0dWFsIFRQTSBSb290IENlcnRpZmljYXRlIEF1dGhv
|
||||
cml0eSAyMDIzMB4XDTIzMDYwMTE4MDg1M1oXDTQ4MDYwMTE4MTU0MVowaTELMAkG
|
||||
A1UEBhMCVVMxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE6MDgGA1UE
|
||||
AxMxQXp1cmUgVmlydHVhbCBUUE0gUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkg
|
||||
MjAyMzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALoMMwvdRJ7+bW00
|
||||
adKE1VemNqJS+268Ure8QcfZXVOsVO22+PL9WRoPnWo0r5dVoomYGbobh4HC72s9
|
||||
sGY6BGRe+Ui2LMwuWnirBtOjaJ34r1ZieNMcVNJT/dXW5HN/HLlm/gSKlWzqCEx6
|
||||
gFFAQTvyYl/5jYI4Oe05zJ7ojgjK/6ZHXpFysXnyUITJ9qgjn546IJh/G5OMC3mD
|
||||
fFU7A/GAi+LYaOHSzXj69Lk1vCftNq9DcQHtB7otO0VxFkRLaULcfu/AYHM7FC/S
|
||||
q6cJb9Au8K/IUhw/5lJSXZawLJwHpcEYzETm2blad0VHsACaLNucZL5wBi8GEusQ
|
||||
9Wo8W1p1rUCMp89pufxa3Ar9sYZvWeJlvKggWcQVUlhvvIZEnT+fteEvwTdoajl5
|
||||
qSvZbDPGCPjb91rSznoiLq8XqgQBBFjnEiTL+ViaZmyZPYUsBvBY3lKXB1l2hgga
|
||||
hfBIag4j0wcgqlL82SL7pAdGjq0Fou6SKgHnkkrV5CNxUBBVMNCwUoj5mvEjd5mF
|
||||
7XPgfM98qNABb2Aqtfl+VuCkU/G1XvFoTqS9AkwbLTGFMS9+jCEU2rw6wnKuGv1T
|
||||
x9iuSdNvsXt8stx4fkVeJvnFpJeAIwBZVgKRSTa3w3099k0mW8qGiMnwCI5SfdZ2
|
||||
SJyD4uEmszsnieE6wAWd1tLLg1jvAgMBAAGjVDBSMA4GA1UdDwEB/wQEAwIBhjAP
|
||||
BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRL/iZalMH2M8ODSCbd8+WwZLKqlTAQ
|
||||
BgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQwFAAOCAgEALgNAyg8I0ANNO/8I
|
||||
2BhpTOsbywN2YSmShAmig5h4sCtaJSM1dRXwA+keY6PCXQEt/PRAQAiHNcOF5zbu
|
||||
OU1Bw/Z5Z7k9okt04eu8CsS2Bpc+POg9js6lBtmigM5LWJCH1goMD0kJYpzkaCzx
|
||||
1TdD3yjo0xSxgGhabk5Iu1soD3OxhUyIFcxaluhwkiVINt3Jhy7G7VJTlEwkk21A
|
||||
oOrQxUsJH0f2GXjYShS1r9qLPzLf7ykcOm62jHGmLZVZujBzLIdNk1bljP9VuGW+
|
||||
cISBwzkNeEMMFufcL2xh6s/oiUnXicFWvG7E6ioPnayYXrHy3Rh68XLnhfpzeCzv
|
||||
bz/I4yMV38qGo/cAY2OJpXUuuD/ZbI5rT+lRBEkDW1kxHP8cpwkRwGopV8+gX2KS
|
||||
UucIIN4l8/rrNDEX8T0b5U+BUqiO7Z5YnxCya/H0ZIwmQnTlLRTU2fW+OGG+xyIr
|
||||
jMi/0l6/yWPUkIAkNtvS/yO7USRVLPbtGVk3Qre6HcqacCXzEjINcJhGEVg83Y8n
|
||||
M+Y+a9J0lUnHytMSFZE85h88OseRS2QwqjozUo2j1DowmhSSUv9Na5Ae22ycciBk
|
||||
EZSq8a4rSlwqthaELNpeoTLUk6iVoUkK/iLvaMvrkdj9yJY1O/gvlfN2aiNTST/2
|
||||
bd+PA4RBToG9rXn6vNkUWdbLibU=
|
||||
-----END CERTIFICATE-----
|
@ -16,7 +16,7 @@ pub const ENCLAVE_ID_SVR2_STAGING: &[u8] =
|
||||
pub const ENCLAVE_ID_SVR3_SGX_STAGING: &[u8] =
|
||||
&hex!("6ac35d9eef8d11f4e6276656f4081925770922e01b7c4d80a51de87d001ac259");
|
||||
pub const ENCLAVE_ID_SVR3_NITRO_STAGING: &[u8] = b"24e56baa.52b91975.ec540f3f";
|
||||
pub const ENCLAVE_ID_SVR3_TPM2SNP_STAGING: &[u8] = b"0.20240319.160523";
|
||||
pub const ENCLAVE_ID_SVR3_TPM2SNP_STAGING: &[u8] = b"0.20240411.210730";
|
||||
|
||||
pub const ENCLAVE_ID_SVR3_SGX_PROD: &[u8] =
|
||||
&hex!("0000000000000000000000000000000000000000000000000000000000000000");
|
||||
@ -47,10 +47,10 @@ pub(crate) const TPM2SNP_EXPECTED_PCRS: SmallMap<&'static [u8], &'static tpm2snp
|
||||
(2, hex!("3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969")),
|
||||
(3, hex!("3d458cfe55cc03ea1f443f1562beec8df51c75e14a9fcf9a7234a13f198e7969")),
|
||||
(4, hex!("6038382cdf539eb64d05c804c510e22b81e2c71fb171c9616ab14504f3654bb1")),
|
||||
(5, hex!("076726dc15276afd9cc9d7574340e1de96934782939e5a8cbac1ca5158061404")),
|
||||
(7, hex!("ba313dc4774eb6ddcc01945c2b57dbfb1afc296de9ff8105f916b4f55afa848a")),
|
||||
(8, hex!("5315286db60934c840f5a894dd79e36a12b6cfa4ffe199f929d0b8f4be9e5aa9")),
|
||||
(9, hex!("0fde941f5c73bfc4b19d53a5db1abc886c4c1308d665194d373677a55f683c2e")),
|
||||
(5, hex!("4e871c2923a78a62db4afde169145ad46c633f871f7a5d14b68153d81d1de4d3")),
|
||||
(7, hex!("590471a4fbd0c881c4fdc6349bc697e4df18c660c3ae3de9cb29028f8ef77280")),
|
||||
(8, hex!("497c436dde91431c96e19e14036cce3a0a70e0dd007b6dcc01f07fbab228c56c")),
|
||||
(9, hex!("9afeee52dee64ac16107982f37f70ffde99126b56e6c1de17c3cb105e4ea6d97")),
|
||||
(11, hex!("0000000000000000000000000000000000000000000000000000000000000000")),
|
||||
(12, hex!("0000000000000000000000000000000000000000000000000000000000000000")),
|
||||
(13, hex!("0000000000000000000000000000000000000000000000000000000000000000")),
|
||||
@ -122,9 +122,9 @@ pub(crate) static EXPECTED_RAFT_CONFIG: SmallMap<&'static [u8], &'static RaftCon
|
||||
(
|
||||
ENCLAVE_ID_SVR3_TPM2SNP_STAGING,
|
||||
&RaftConfig {
|
||||
group_id: 2616274069462536786,
|
||||
group_id: 8812204445911365918,
|
||||
min_voting_replicas: 3,
|
||||
max_voting_replicas: 5,
|
||||
max_voting_replicas: 9,
|
||||
super_majority: 0,
|
||||
},
|
||||
),
|
||||
|
@ -23,7 +23,7 @@ mod tpm2;
|
||||
|
||||
pub(crate) use tpm2::{Error as Tpm2Error, PcrMap};
|
||||
|
||||
const MSFT_AKCERT_ROOT_PEM: &[u8] = include_bytes!("../res/msft_akcert_root.pem");
|
||||
const GOOG_AKCERT_ROOT_PEM: &[u8] = include_bytes!("../res/goog_akcert_root.pem");
|
||||
|
||||
pub fn new_handshake(enclave: &[u8], attestation_msg: &[u8], now: SystemTime) -> Result<Handshake> {
|
||||
let expected_raft_config = expected_raft_config(enclave, None)?;
|
||||
@ -58,7 +58,17 @@ fn attest(
|
||||
endorsements: &svr3::AsnpEndorsements,
|
||||
now: SystemTime,
|
||||
) -> Result<svr::AttestationData> {
|
||||
let ak_cert_pk = verify_ak_cert(evidence, endorsements, now)?;
|
||||
attest_with_root(enclave, evidence, endorsements, now, GOOG_AKCERT_ROOT_PEM)
|
||||
}
|
||||
|
||||
fn attest_with_root(
|
||||
enclave: &[u8],
|
||||
evidence: &svr3::AsnpEvidence,
|
||||
endorsements: &svr3::AsnpEndorsements,
|
||||
now: SystemTime,
|
||||
root_pem: &[u8],
|
||||
) -> Result<svr::AttestationData> {
|
||||
let ak_cert_pk = verify_ak_cert(evidence, endorsements, now, root_pem)?;
|
||||
let runtime_pk = verify_snp_report(evidence, endorsements, now)?;
|
||||
if !(ak_cert_pk.n() == runtime_pk.n() && ak_cert_pk.e() == runtime_pk.e()) {
|
||||
return Err(Error::AttestationDataError {
|
||||
@ -80,10 +90,11 @@ fn verify_ak_cert(
|
||||
evidence: &svr3::AsnpEvidence,
|
||||
endorsements: &svr3::AsnpEndorsements,
|
||||
now: SystemTime,
|
||||
root_pem: &[u8],
|
||||
) -> Result<Rsa<Public>> {
|
||||
let akcert = X509::from_der(&evidence.akcert_der).expect("valid cert der");
|
||||
let chain = {
|
||||
let root = X509::from_pem(MSFT_AKCERT_ROOT_PEM).expect("Invalid MSFT root certificate");
|
||||
let root = X509::from_pem(root_pem).expect("Invalid root certificate");
|
||||
let intermediate = X509::from_der(&endorsements.intermediate_der).expect("valid cert der");
|
||||
CertChain::new([akcert.clone(), intermediate, root])?
|
||||
};
|
||||
@ -212,14 +223,15 @@ mod test {
|
||||
svr3::AsnpEvidence::decode(attestation.evidence.as_slice()).expect("valid evidence");
|
||||
let endorsements = svr3::AsnpEndorsements::decode(attestation.endorsement.as_slice())
|
||||
.expect("valid endorsements");
|
||||
attest(
|
||||
attest_with_root(
|
||||
ENCLAVE_ID_SVR3_TPM2SNP_STAGING,
|
||||
&evidence,
|
||||
&endorsements,
|
||||
SystemTime::UNIX_EPOCH + VALID_TIMESTAMP,
|
||||
GOOG_AKCERT_ROOT_PEM,
|
||||
)
|
||||
.expect("can attest asnp");
|
||||
}
|
||||
|
||||
const VALID_TIMESTAMP: Duration = Duration::from_millis(1710875945000);
|
||||
const VALID_TIMESTAMP: Duration = Duration::from_millis(1712946543000);
|
||||
}
|
||||
|
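Review bot: In `verify_ak_cert`, the unchanged `.expect("valid cert der")` calls on `evidence.akcert_der` and `endorsements.intermediate_der` sit directly beside the line this commit edits and still panic on a malformed certificate. Those bytes appear to be decoded from the peer's attestation message, so a bad response would abort the caller instead of failing attestation. Both should return an error through `?`, as `CertChain::new(...)?` two lines below already does. The new `X509::from_pem(root_pem).expect("Invalid root certificate")` has the same shape: with the root now an argument rather than a compiled-in constant, the `expect` no longer rests on an invariant this function controls. The body of `verify_ak_cert` continues past the hunk, so the rest of the chain validation is not visible here.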
Binary file not shown.
Binary file not shown.
@ -123,13 +123,11 @@ pub const DOMAIN_CONFIG_SVR3_TPM2SNP: DomainConfig = DomainConfig {
|
||||
proxy_path: "/svr3-tpm2snp",
|
||||
};
|
||||
|
||||
const TPM2SNP_TEST_SERVER_CERT: RootCertificates =
|
||||
RootCertificates::FromDer(include_bytes!("../res/tpm2snp_test_server_cert.cer"));
|
||||
pub const DOMAIN_CONFIG_SVR3_TPM2SNP_STAGING: DomainConfig = DomainConfig {
|
||||
hostname: "backend3.svr3.staging.signal.org",
|
||||
ip_v4: &[ip_addr!(v4, "13.88.30.76")],
|
||||
ip_v6: &[],
|
||||
cert: &TPM2SNP_TEST_SERVER_CERT,
|
||||
cert: &RootCertificates::Signal,
|
||||
proxy_path: "/svr3-tpm2snp-staging",
|
||||
};
|
||||
|
||||
|
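Review bot: `ip_v4: &[ip_addr!(v4, "13.88.30.76")]` in `DOMAIN_CONFIG_SVR3_TPM2SNP_STAGING` is left untouched while the commit title moves this enclave to GCP and `cert` switches to `RootCertificates::Signal`. If the staging host's address changed with the move, this static address is stale, and any path that uses it in place of DNS (presumably a fallback) would reach a host that no longer serves `backend3.svr3.staging.signal.org`. Worth confirming the address against the new deployment, or adding a short comment such as `// static address re-verified for the GCP deployment` once it has been checked.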