Merge pull request #756 from fortanix/raoul/rte-447-pckcrl

[RTE-447] pckcrl

Author: raoulstrackx

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "dcap-artifact-retrieval"
-version = "0.3.7"
+version = "0.4.0"
 authors = ["Fortanix, Inc."]
 license = "MPL-2.0"
 edition = "2018"

intel-sgx/dcap-artifact-retrieval/Cargo.toml

@@ -8,7 +8,7 @@
 use std::path::{Path, PathBuf};
 
 use clap::clap_app;
-use pcs::PckID;
+use pcs::{PckID, DcapArtifactIssuer};
 use reqwest::Url;
 use rustc_serialize::hex::ToHex;
 use serde::de::{value, IntoDeserializer};
@@ -132,12 +132,19 @@ fn download_dcap_artifacts(
         }
     }
     let pckcrl = prov_client
-        .pckcrl()
-        .and_then(|crl| crl.write_to_file(output_dir).map_err(|e| e.into()))?;
+        .pckcrl(DcapArtifactIssuer::PCKProcessorCA)
+        .and_then(|crl| crl.write_to_file_as(output_dir, DcapArtifactIssuer::PCKProcessorCA).map_err(|e| e.into()))?;
     if verbose {
         println!("==[ generic ]==");
         println!("   pckcrl:      {}", pckcrl);
     }
+
+    let pckcrl = prov_client
+        .pckcrl(DcapArtifactIssuer::PCKPlatformCA)
+        .and_then(|crl| crl.write_to_file_as(output_dir, DcapArtifactIssuer::PCKPlatformCA).map_err(|e| e.into()))?;
+    if verbose {
+        println!("   pckcrl:      {}", pckcrl);
+    }
     Ok(())
 }
 

intel-sgx/dcap-artifact-retrieval/src/cli.rs

@@ -197,7 +197,7 @@ mod tests {
     use pcs::PckID;
 
     use crate::provisioning_client::{
-        test_helpers, AzureProvisioningClientBuilder, PcsVersion, ProvisioningClient,
+        test_helpers, AzureProvisioningClientBuilder, DcapArtifactIssuer, PcsVersion, ProvisioningClient,
     };
     use crate::reqwest_client;
 
@@ -228,7 +228,7 @@ mod tests {
                 )
                 .unwrap();
 
-            let pck = pck.verify(&root_cas).unwrap();
+            let pck = pck.verify(&root_cas, None).unwrap();
             assert_eq!(
                 test_helpers::get_cert_subject(&pck.ca_chain().last().unwrap()),
                 "Intel SGX Root CA"
@@ -248,7 +248,8 @@ mod tests {
         let client = AzureProvisioningClientBuilder::new(PcsVersion::V3)
             .set_retry_timeout(TIME_RETRY_TIMEOUT)
             .build(reqwest_client());
-        assert!(client.pckcrl().is_ok());
+        assert!(client.pckcrl(DcapArtifactIssuer::PCKProcessorCA).is_ok());
+        assert!(client.pckcrl(DcapArtifactIssuer::PCKPlatformCA).is_ok());
     }
 
     #[test]

intel-sgx/dcap-artifact-retrieval/src/provisioning_client/azure.rs

@@ -12,7 +12,7 @@
 //! - <https://download.01.org/intel-sgx/dcap-1.1/linux/docs/Intel_SGX_PCK_Certificate_CRL_Spec-1.1.pdf>
 
 use pcs::{
-    CpuSvn, EncPpid, Fmspc, PceId, PceIsvsvn, PckCert, PckCerts, PckCrl, QeId, QeIdentitySigned,
+    CpuSvn, DcapArtifactIssuer, EncPpid, Fmspc, PceId, PceIsvsvn, PckCert, PckCerts, PckCrl, QeId, QeIdentitySigned,
     TcbInfo, RawTcbEvaluationDataNumbers, Unverified,
 };
 use rustc_serialize::hex::ToHex;
@@ -269,9 +269,10 @@ impl PckCrlApi {
 }
 
 impl<'inp> PckCrlService<'inp> for PckCrlApi {
-    fn build_input(&'inp self) -> <Self as ProvisioningServiceApi<'inp>>::Input {
+    fn build_input(&'inp self, ca: DcapArtifactIssuer) -> <Self as ProvisioningServiceApi<'inp>>::Input {
         PckCrlIn {
             api_version: self.api_version.clone(),
+            ca,
         }
     }
 }
@@ -280,12 +281,19 @@ impl<'inp> PckCrlService<'inp> for PckCrlApi {
 /// See: <https://api.portal.trustedservices.intel.com/documentation#pcs-revocation-v4>
 impl<'inp> ProvisioningServiceApi<'inp> for PckCrlApi {
     type Input = PckCrlIn;
-    type Output = PckCrl;
+    type Output = PckCrl<Unverified>;
 
     fn build_request(&self, input: &Self::Input) -> Result<(String, Vec<(String, String)>), Error> {
+        let ca = match input.ca {
+            DcapArtifactIssuer::PCKProcessorCA => "processor",
+            DcapArtifactIssuer::PCKPlatformCA => "platform",
+            DcapArtifactIssuer::SGXRootCA => {
+                return Err(Error::PCSError(StatusCode::BadRequest, "Invalid ca parameter"));
+            },
+        };
         let url = format!(
-            "{}/sgx/certification/v{}/pckcrl?ca=processor&encoding=pem",
-            INTEL_BASE_URL, input.api_version as u8,
+            "{}/sgx/certification/v{}/pckcrl?ca={}&encoding=pem",
+            INTEL_BASE_URL, input.api_version as u8, ca,
         );
         Ok((url, Vec::new()))
     }
@@ -565,7 +573,7 @@ mod tests {
     use std::path::PathBuf;
     use std::time::Duration;
 
-    use pcs::{EnclaveIdentity, Fmspc, PckID, Platform, TcbEvaluationDataNumbers, RawTcbEvaluationDataNumbers};
+    use pcs::{DcapArtifactIssuer, EnclaveIdentity, Fmspc, PckID, Platform, TcbEvaluationDataNumbers, RawTcbEvaluationDataNumbers};
 
     use crate::provisioning_client::{
         test_helpers, IntelProvisioningClientBuilder, PcsVersion, ProvisioningClient,
@@ -704,6 +712,8 @@ mod tests {
                 intel_builder.set_api_key(pcs_api_key());
             }
             let client = intel_builder.build(reqwest_client());
+            let crl_processor = client.pckcrl(DcapArtifactIssuer::PCKProcessorCA).unwrap().crl_as_pem().to_owned();
+            let crl_platform = client.pckcrl(DcapArtifactIssuer::PCKPlatformCA).unwrap().crl_as_pem().to_owned();
             for pckid in PckID::parse_file(&PathBuf::from(PCKID_TEST_FILE).as_path())
                 .unwrap()
                 .iter()
@@ -717,7 +727,9 @@ mod tests {
                         None,
                     )
                     .unwrap();
-                let pck = pck.verify(&root_cas).unwrap();
+                let pck = pck.clone().verify(&root_cas, Some(&crl_processor))
+                    .or(pck.clone().verify(&root_cas, Some(&crl_platform)))
+                    .unwrap();
 
                 // The cache should be populated after initial service call
                 {
@@ -746,7 +758,7 @@ mod tests {
                         pck.fmspc().unwrap(),
                         cached_pck
                             .clone()
-                            .verify(&root_cas)
+                            .verify(&root_cas, None)
                             .unwrap()
                             .fmspc()
                             .unwrap()
@@ -769,7 +781,7 @@ mod tests {
                     pck.fmspc().unwrap(),
                     pck_from_service
                         .clone()
-                        .verify(&root_cas)
+                        .verify(&root_cas, None)
                         .unwrap()
                         .fmspc()
                         .unwrap()
@@ -877,55 +889,59 @@ mod tests {
 
     #[test]
     pub fn pckcrl() {
-        for api_version in [PcsVersion::V3, PcsVersion::V4] {
-            let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
-                .set_retry_timeout(TIME_RETRY_TIMEOUT);
-            if api_version == PcsVersion::V3 {
-                intel_builder.set_api_key(pcs_api_key());
+        for ca in [DcapArtifactIssuer::PCKProcessorCA, DcapArtifactIssuer::PCKPlatformCA] {
+            for api_version in [PcsVersion::V3, PcsVersion::V4] {
+                let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
+                    .set_retry_timeout(TIME_RETRY_TIMEOUT);
+                if api_version == PcsVersion::V3 {
+                    intel_builder.set_api_key(pcs_api_key());
+                }
+                let client = intel_builder.build(reqwest_client());
+                assert!(client
+                    .pckcrl(ca)
+                    .and_then(|crl| { Ok(crl.write_to_file(OUTPUT_TEST_DIR).unwrap()) })
+                    .is_ok());
             }
-            let client = intel_builder.build(reqwest_client());
-            assert!(client
-                .pckcrl()
-                .and_then(|crl| { Ok(crl.write_to_file(OUTPUT_TEST_DIR).unwrap()) })
-                .is_ok());
         }
     }
 
     #[test]
     pub fn pckcrl_cached() {
-        for api_version in [PcsVersion::V3, PcsVersion::V4] {
-            let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
-                .set_retry_timeout(TIME_RETRY_TIMEOUT);
-            if api_version == PcsVersion::V3 {
-                intel_builder.set_api_key(pcs_api_key());
-            }
-            let client = intel_builder.build(reqwest_client());
-            let pckcrl = client.pckcrl().unwrap();
+        for ca in [DcapArtifactIssuer::PCKProcessorCA, DcapArtifactIssuer::PCKPlatformCA] {
+            for api_version in [PcsVersion::V3, PcsVersion::V4] {
+                let mut intel_builder = IntelProvisioningClientBuilder::new(api_version)
+                    .set_retry_timeout(TIME_RETRY_TIMEOUT);
+                if api_version == PcsVersion::V3 {
+                    intel_builder.set_api_key(pcs_api_key());
+                }
+                let client = intel_builder.build(reqwest_client());
+                let pckcrl = client.pckcrl(ca).unwrap();
 
-            // The cache should be populated after initial service call
-            {
-                let mut cache = client.pckcrl_service.cache.lock().unwrap();
+                // The cache should be populated after initial service call
+                {
+                    let mut cache = client.pckcrl_service.cache.lock().unwrap();
 
-                assert!(cache.len() > 0);
+                    assert!(cache.len() > 0);
 
-                let (cached_pckcrl, _) = {
-                    let mut hasher = DefaultHasher::new();
-                    let input = client.pckcrl_service.pcs_service().build_input();
-                    input.hash(&mut hasher);
+                    let (cached_pckcrl, _) = {
+                        let mut hasher = DefaultHasher::new();
+                        let input = client.pckcrl_service.pcs_service().build_input(ca);
+                        input.hash(&mut hasher);
 
-                    cache
-                        .get_mut(&hasher.finish())
-                        .expect("Can't find key in cache")
-                        .to_owned()
-                };
+                        cache
+                            .get_mut(&hasher.finish())
+                            .expect("Can't find key in cache")
+                            .to_owned()
+                    };
 
-                assert_eq!(pckcrl, cached_pckcrl);
-            }
+                    assert_eq!(pckcrl, cached_pckcrl);
+                }
 
-            // Second service call should return value from cache
-            let pckcrl_from_service = client.pckcrl().unwrap();
+                // Second service call should return value from cache
+                let pckcrl_from_service = client.pckcrl(ca).unwrap();
 
-            assert_eq!(pckcrl, pckcrl_from_service);
+                assert_eq!(pckcrl, pckcrl_from_service);
+            }
         }
     }
 

intel-sgx/dcap-artifact-retrieval/src/provisioning_client/intel.rs

@@ -15,7 +15,7 @@ use std::time::{Duration, SystemTime};
 use lru_cache::LruCache;
 use num_enum::TryFromPrimitive;
 use pcs::{
-    CpuSvn, EncPpid, Fmspc, PceId, PceIsvsvn, PckCert, PckCerts, PckCrl, PckID, QeId,
+    CpuSvn, DcapArtifactIssuer, EncPpid, Fmspc, PceId, PceIsvsvn, PckCert, PckCerts, PckCrl, PckID, QeId,
     QeIdentitySigned, TcbInfo, RawTcbEvaluationDataNumbers, Unverified,
 };
 #[cfg(feature = "reqwest")]
@@ -191,6 +191,7 @@ pub trait PckCertService<'inp>:
 #[derive(Hash)]
 pub struct PckCrlIn {
     api_version: PcsVersion,
+    ca: DcapArtifactIssuer,
 }
 
 impl WithApiVersion for PckCrlIn {
@@ -200,9 +201,9 @@ impl WithApiVersion for PckCrlIn {
 }
 
 pub trait PckCrlService<'inp>:
-    ProvisioningServiceApi<'inp, Input = PckCrlIn, Output = PckCrl>
+    ProvisioningServiceApi<'inp, Input = PckCrlIn, Output = PckCrl<Unverified>>
 {
-    fn build_input(&'inp self) -> <Self as ProvisioningServiceApi<'inp>>::Input;
+    fn build_input(&'inp self, ca: DcapArtifactIssuer) -> <Self as ProvisioningServiceApi<'inp>>::Input;
 }
 
 #[derive(Hash)]
@@ -467,7 +468,7 @@ pub struct Client<F: for<'a> Fetcher<'a>> {
     pckcerts_service: CachedService<PckCerts, dyn for<'a> PckCertsService<'a> + Sync + Send>,
     pckcert_service:
         CachedService<PckCert<Unverified>, dyn for<'a> PckCertService<'a> + Sync + Send>,
-    pckcrl_service: CachedService<PckCrl, dyn for<'a> PckCrlService<'a> + Sync + Send>,
+    pckcrl_service: CachedService<PckCrl<Unverified>, dyn for<'a> PckCrlService<'a> + Sync + Send>,
     qeid_service: CachedService<QeIdentitySigned, dyn for<'a> QeIdService<'a> + Sync + Send>,
     tcbinfo_service: CachedService<TcbInfo, dyn for<'a> TcbInfoService<'a> + Sync + Send>,
     tcb_evaluation_data_numbers_service: CachedService<RawTcbEvaluationDataNumbers, dyn for<'a> TcbEvaluationDataNumbersService<'a> + Sync + Send>,
@@ -563,7 +564,7 @@ pub trait ProvisioningClient {
 
     fn tcbinfo(&self, fmspc: &Fmspc, evaluation_data_number: Option<u16>) -> Result<TcbInfo, Error>;
 
-    fn pckcrl(&self) -> Result<PckCrl, Error>;
+    fn pckcrl(&self, ca: DcapArtifactIssuer) -> Result<PckCrl<Unverified>, Error>;
 
     fn qe_identity(&self, evaluation_data_number: Option<u16>) -> Result<QeIdentitySigned, Error>;
 
@@ -652,8 +653,8 @@ impl<F: for<'a> Fetcher<'a>> ProvisioningClient for Client<F> {
         self.tcbinfo_service.call_service(&self.fetcher, &input)
     }
 
-    fn pckcrl(&self) -> Result<PckCrl, Error> {
-        let input = self.pckcrl_service.pcs_service().build_input();
+    fn pckcrl(&self, ca: DcapArtifactIssuer) -> Result<PckCrl<Unverified>, Error> {
+        let input = self.pckcrl_service.pcs_service().build_input(ca);
         self.pckcrl_service.call_service(&self.fetcher, &input)
     }