@super-protocol/sdk-js 3.4.0-beta.21 → 3.4.0-beta.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/cjs/certificates/helper.js +3 -3
- package/dist/cjs/certificates/types.d.ts +1 -1
- package/dist/cjs/tee/OrderReportService.js +2 -3
- package/dist/cjs/tee/TeeCertificateService.d.ts +14 -13
- package/dist/cjs/tee/TeeCertificateService.js +52 -49
- package/dist/mjs/certificates/helper.js +3 -3
- package/dist/mjs/certificates/types.d.ts +1 -1
- package/dist/mjs/tee/OrderReportService.js +2 -3
- package/dist/mjs/tee/TeeCertificateService.d.ts +14 -13
- package/dist/mjs/tee/TeeCertificateService.js +51 -45
- package/package.json +1 -1
|
@@ -139,7 +139,7 @@ class CertificatesHelper {
|
|
|
139
139
|
const verifyResult = await chainEngine.verify();
|
|
140
140
|
if (!verifyResult.result) {
|
|
141
141
|
return {
|
|
142
|
-
|
|
142
|
+
isValid: false,
|
|
143
143
|
errorMessage: verifyResult.resultMessage,
|
|
144
144
|
};
|
|
145
145
|
}
|
|
@@ -157,12 +157,12 @@ class CertificatesHelper {
|
|
|
157
157
|
throw new Error('Some of certificates do not belong to chain');
|
|
158
158
|
}
|
|
159
159
|
return {
|
|
160
|
-
|
|
160
|
+
isValid: true,
|
|
161
161
|
};
|
|
162
162
|
}
|
|
163
163
|
catch (err) {
|
|
164
164
|
return {
|
|
165
|
-
|
|
165
|
+
isValid: false,
|
|
166
166
|
errorMessage: err.message,
|
|
167
167
|
};
|
|
168
168
|
}
|
|
@@ -65,8 +65,7 @@ class OrderReportService {
|
|
|
65
65
|
};
|
|
66
66
|
}
|
|
67
67
|
static async validateOrderReport(orderReport) {
|
|
68
|
-
|
|
69
|
-
await teeCertificateService.validateTeeReportCertChain(orderReport.certificate);
|
|
68
|
+
await TeeCertificateService_js_1.TeeCertificateService.validateTeeCertChainOrFail(orderReport.certificate);
|
|
70
69
|
const workloadInfoHashFromCert = helper_js_1.CertificatesHelper.getExtensionValue(orderReport.certificate, constants_js_1.OID_CUSTOM_EXTENSION_ORDER_REPORT_WORKLOAD_INFO_HASH);
|
|
71
70
|
if (!workloadInfoHashFromCert) {
|
|
72
71
|
throw new Error(`WorkloadInfoHash is missing in certificate!`);
|
|
@@ -98,4 +97,4 @@ class OrderReportService {
|
|
|
98
97
|
}
|
|
99
98
|
}
|
|
100
99
|
exports.OrderReportService = OrderReportService;
|
|
101
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
100
|
+
//# sourceMappingURL=data:application/json;base64,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
|
|
@@ -1,15 +1,16 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
1
|
+
export declare enum ValidateTeeCertChainErrorCode {
|
|
2
|
+
CERT_CHAIN_IS_INVALID = "CERT_CHAIN_IS_INVALID",
|
|
3
|
+
NOT_ALLOWED_CHALLENGE = "NOT_ALLOWED_CHALLENGE",
|
|
4
|
+
CHALLENGE_IS_INVALID = "CHALLENGE_IS_INVALID"
|
|
5
|
+
}
|
|
6
|
+
export interface ValidateTeeCertChainResult {
|
|
7
|
+
isValid: boolean;
|
|
8
|
+
errorCode?: string;
|
|
9
|
+
errorMessage?: string;
|
|
10
|
+
}
|
|
8
11
|
export declare class TeeCertificateService {
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
private validateChallengeSgx;
|
|
14
|
-
private validateChallengeTdxAndSnp;
|
|
12
|
+
static validateTeeCertChainOrFail(certsPem: string): Promise<void>;
|
|
13
|
+
static validateTeeCertChain(certsPem: string): Promise<ValidateTeeCertChainResult>;
|
|
14
|
+
private static validateChallengeSgx;
|
|
15
|
+
private static validateChallengeTdxAndSnp;
|
|
15
16
|
}
|
|
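Review bot: `ValidateTeeCertChainResult.errorCode` is declared as `errorCode?: string;` (new-side line 8) even though the same hunk exports `ValidateTeeCertChainErrorCode` directly above it and the implementation only ever assigns members of that enum; declaring it as `errorCode?: ValidateTeeCertChainErrorCode;` lets callers switch on the code exhaustively instead of comparing against string literals. Since this .d.ts is compiler output, the change belongs on the interface in the TypeScript source, together with a short doc comment stating the contract the implementation follows: when `isValid` is false both `errorCode` and `errorMessage` are set, when it is true neither is present. The mjs declaration file (the later hunk `@@ -1,15 +1,16 @@` for `package/dist/mjs/tee/TeeCertificateService.d.ts`) carries the identical interface.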
@@ -1,67 +1,70 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
-
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
-
};
|
|
5
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
-
exports.TeeCertificateService = void 0;
|
|
7
|
-
const node_forge_1 = __importDefault(require("node-forge"));
|
|
8
|
-
const QuoteParser_js_1 = require("./QuoteParser.js");
|
|
9
|
-
const QuoteValidator_js_1 = require("./QuoteValidator.js");
|
|
3
|
+
exports.TeeCertificateService = exports.ValidateTeeCertChainErrorCode = void 0;
|
|
10
4
|
const constants_js_1 = require("../constants.js");
|
|
11
5
|
const pki_common_1 = require("@super-protocol/pki-common");
|
|
12
6
|
const TeeSignatureVerifier_js_1 = require("./TeeSignatureVerifier.js");
|
|
13
7
|
const errors_js_1 = require("./errors.js");
|
|
14
8
|
const index_js_1 = require("../certificates/index.js");
|
|
9
|
+
var ValidateTeeCertChainErrorCode;
|
|
10
|
+
(function (ValidateTeeCertChainErrorCode) {
|
|
11
|
+
ValidateTeeCertChainErrorCode["CERT_CHAIN_IS_INVALID"] = "CERT_CHAIN_IS_INVALID";
|
|
12
|
+
ValidateTeeCertChainErrorCode["NOT_ALLOWED_CHALLENGE"] = "NOT_ALLOWED_CHALLENGE";
|
|
13
|
+
ValidateTeeCertChainErrorCode["CHALLENGE_IS_INVALID"] = "CHALLENGE_IS_INVALID";
|
|
14
|
+
})(ValidateTeeCertChainErrorCode || (exports.ValidateTeeCertChainErrorCode = ValidateTeeCertChainErrorCode = {}));
|
|
15
15
|
class TeeCertificateService {
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
return Buffer.from(publicKeyDer, 'binary');
|
|
22
|
-
}
|
|
23
|
-
async parseAndValidateCertificate(certificatePem, sgxApiUrl) {
|
|
24
|
-
const pem = Buffer.isBuffer(certificatePem) ? certificatePem.toString() : certificatePem;
|
|
25
|
-
const certificate = node_forge_1.default.pki.certificateFromPem(pem);
|
|
26
|
-
const extensions = certificate.extensions;
|
|
27
|
-
const quote = extensions.find((ext) => ext.id === this.certOidQuote);
|
|
28
|
-
const quoteBuffer = Buffer.from(quote.value, 'binary');
|
|
29
|
-
const validator = new QuoteValidator_js_1.QuoteValidator(sgxApiUrl);
|
|
30
|
-
await validator.checkQuote(quoteBuffer, this.getCertificatePublicKey(certificate));
|
|
31
|
-
const parser = new QuoteParser_js_1.TeeSgxParser();
|
|
32
|
-
const parsedQuote = parser.parseQuote(quoteBuffer);
|
|
33
|
-
const report = parser.parseReport(parsedQuote.report);
|
|
34
|
-
return {
|
|
35
|
-
userData: Buffer.from(parsedQuote.header.userData),
|
|
36
|
-
mrEnclave: Buffer.from(report.mrEnclave),
|
|
37
|
-
mrSigner: Buffer.from(report.mrSigner),
|
|
38
|
-
dataHash: Buffer.from(report.dataHash),
|
|
39
|
-
};
|
|
16
|
+
static async validateTeeCertChainOrFail(certsPem) {
|
|
17
|
+
const result = await TeeCertificateService.validateTeeCertChain(certsPem);
|
|
18
|
+
if (!result.isValid) {
|
|
19
|
+
throw new Error(result.errorMessage);
|
|
20
|
+
}
|
|
40
21
|
}
|
|
41
|
-
async
|
|
42
|
-
const {
|
|
43
|
-
if (!
|
|
44
|
-
|
|
22
|
+
static async validateTeeCertChain(certsPem) {
|
|
23
|
+
const { isValid, errorMessage } = await index_js_1.CertificatesHelper.validateCertChain(certsPem, constants_js_1.SUPERPROTOCOL_CA);
|
|
24
|
+
if (!isValid) {
|
|
25
|
+
return {
|
|
26
|
+
isValid: false,
|
|
27
|
+
errorCode: ValidateTeeCertChainErrorCode.CERT_CHAIN_IS_INVALID,
|
|
28
|
+
errorMessage: `Cert chain is invalid! (${errorMessage})`,
|
|
29
|
+
};
|
|
45
30
|
}
|
|
46
31
|
const sortedCerts = index_js_1.CertificatesHelper.sortCertsFromLeafToRoot(certsPem);
|
|
47
32
|
const challenges = sortedCerts.map((cert) => index_js_1.CertificatesHelper.getExtensionValue(cert, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_TYPE)?.toString('binary'));
|
|
48
33
|
if (challenges.some((challenge) => !challenge || challenge === pki_common_1.ChallengeType.Untrusted)) {
|
|
49
|
-
|
|
34
|
+
return {
|
|
35
|
+
isValid: false,
|
|
36
|
+
errorCode: ValidateTeeCertChainErrorCode.NOT_ALLOWED_CHALLENGE,
|
|
37
|
+
errorMessage: `Cert chain has cert without or Untrusted challenge`,
|
|
38
|
+
};
|
|
50
39
|
}
|
|
51
40
|
const leafCertChallengeType = challenges[0];
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
41
|
+
try {
|
|
42
|
+
switch (leafCertChallengeType) {
|
|
43
|
+
case pki_common_1.ChallengeType.SGXDCAP:
|
|
44
|
+
TeeCertificateService.validateChallengeSgx(certsPem);
|
|
45
|
+
break;
|
|
46
|
+
case pki_common_1.ChallengeType.TDX:
|
|
47
|
+
case pki_common_1.ChallengeType.AMDSEV:
|
|
48
|
+
await TeeCertificateService.validateChallengeTdxAndSnp(certsPem);
|
|
49
|
+
break;
|
|
50
|
+
default:
|
|
51
|
+
return {
|
|
52
|
+
isValid: false,
|
|
53
|
+
errorCode: ValidateTeeCertChainErrorCode.NOT_ALLOWED_CHALLENGE,
|
|
54
|
+
errorMessage: `Challenge type ${leafCertChallengeType || `[none]`} is missing or not allowed!`,
|
|
55
|
+
};
|
|
56
|
+
}
|
|
57
|
+
}
|
|
58
|
+
catch (err) {
|
|
59
|
+
return {
|
|
60
|
+
isValid: false,
|
|
61
|
+
errorCode: ValidateTeeCertChainErrorCode.CHALLENGE_IS_INVALID,
|
|
62
|
+
errorMessage: `Challenge is not valid! (${err.message})`,
|
|
63
|
+
};
|
|
62
64
|
}
|
|
65
|
+
return { isValid: true };
|
|
63
66
|
}
|
|
64
|
-
validateChallengeSgx(certPem) {
|
|
67
|
+
static validateChallengeSgx(certPem) {
|
|
65
68
|
const mrSignerBinaryString = index_js_1.CertificatesHelper.getExtensionValue(certPem, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID);
|
|
66
69
|
if (!mrSignerBinaryString) {
|
|
67
70
|
throw new Error(`SGX challenge signature is wrong!`);
|
|
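Review bot: `validateChallengeSgx` and `validateChallengeTdxAndSnp` are invoked with the whole `certsPem` chain (new-side lines 44 and 48), while the challenge type that selects the branch comes from `challenges[0]`, i.e. `sortedCerts[0]`; if `CertificatesHelper.getExtensionValue` reads only the first PEM block of the string it is given, the measurement being verified is taken from whichever certificate the caller happened to put first rather than from the leaf, so passing `sortedCerts[0]` to both calls would keep the dispatch and the check on the same certificate. Separately, `validateTeeCertChainOrFail` throws `new Error(result.errorMessage)` and discards `result.errorCode`, so `OrderReportService.validateOrderReport` and any other caller can only tell an invalid chain from a rejected challenge by matching message text; `throw Object.assign(new Error(result.errorMessage), { code: result.errorCode });` keeps the code available without changing the thrown type. Both points apply equally to the mjs build of this file (the hunk `@@ -1,61 +1,67 @@ export class TeeCertificateService`). `validateChallengeSgx` continues past the end of this hunk.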
@@ -73,7 +76,7 @@ class TeeCertificateService {
|
|
|
73
76
|
throw new Error(`SGX challenge signature is wrong!`);
|
|
74
77
|
}
|
|
75
78
|
}
|
|
76
|
-
async validateChallengeTdxAndSnp(certPem) {
|
|
79
|
+
static async validateChallengeTdxAndSnp(certPem) {
|
|
77
80
|
const mrEnclaveBinaryString = index_js_1.CertificatesHelper.getExtensionValue(certPem, pki_common_1.OID_CUSTOM_EXTENSION_CHALLENGE_ID);
|
|
78
81
|
if (!mrEnclaveBinaryString) {
|
|
79
82
|
throw new Error(`Challenge id is missing in certificate!`);
|
|
@@ -91,4 +94,4 @@ class TeeCertificateService {
|
|
|
91
94
|
}
|
|
92
95
|
}
|
|
93
96
|
exports.TeeCertificateService = TeeCertificateService;
|
|
94
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
97
|
+
//# sourceMappingURL=data:application/json;base64,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
|
|
@@ -110,7 +110,7 @@ export class CertificatesHelper {
|
|
|
110
110
|
const verifyResult = await chainEngine.verify();
|
|
111
111
|
if (!verifyResult.result) {
|
|
112
112
|
return {
|
|
113
|
-
|
|
113
|
+
isValid: false,
|
|
114
114
|
errorMessage: verifyResult.resultMessage,
|
|
115
115
|
};
|
|
116
116
|
}
|
|
@@ -128,12 +128,12 @@ export class CertificatesHelper {
|
|
|
128
128
|
throw new Error('Some of certificates do not belong to chain');
|
|
129
129
|
}
|
|
130
130
|
return {
|
|
131
|
-
|
|
131
|
+
isValid: true,
|
|
132
132
|
};
|
|
133
133
|
}
|
|
134
134
|
catch (err) {
|
|
135
135
|
return {
|
|
136
|
-
|
|
136
|
+
isValid: false,
|
|
137
137
|
errorMessage: err.message,
|
|
138
138
|
};
|
|
139
139
|
}
|
|
@@ -59,8 +59,7 @@ export class OrderReportService {
|
|
|
59
59
|
};
|
|
60
60
|
}
|
|
61
61
|
static async validateOrderReport(orderReport) {
|
|
62
|
-
|
|
63
|
-
await teeCertificateService.validateTeeReportCertChain(orderReport.certificate);
|
|
62
|
+
await TeeCertificateService.validateTeeCertChainOrFail(orderReport.certificate);
|
|
64
63
|
const workloadInfoHashFromCert = CertificatesHelper.getExtensionValue(orderReport.certificate, OID_CUSTOM_EXTENSION_ORDER_REPORT_WORKLOAD_INFO_HASH);
|
|
65
64
|
if (!workloadInfoHashFromCert) {
|
|
66
65
|
throw new Error(`WorkloadInfoHash is missing in certificate!`);
|
|
@@ -91,4 +90,4 @@ export class OrderReportService {
|
|
|
91
90
|
};
|
|
92
91
|
}
|
|
93
92
|
}
|
|
94
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
93
|
+
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiT3JkZXJSZXBvcnRTZXJ2aWNlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3RlZS9PcmRlclJlcG9ydFNlcnZpY2UudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxFQUFFLFNBQVMsRUFBRSxNQUFNLE1BQU0sQ0FBQztBQUNqQyxPQUFPLElBQUksTUFBTSxNQUFNLENBQUM7QUFDeEIsT0FBTyxFQUNMLFFBQVEsR0FNVCxNQUFNLHdCQUF3QixDQUFDO0FBR2hDLE9BQU8sRUFBRSxnQkFBZ0IsRUFBRSxNQUFNLHlCQUF5QixDQUFDO0FBQzNELE9BQU8sRUFBRSxvREFBb0QsRUFBRSxNQUFNLGlCQUFpQixDQUFDO0FBQ3ZGLE9BQU8sRUFBRSxtQkFBbUIsRUFBRSxNQUFNLHlDQUF5QyxDQUFDO0FBQzlFLE9BQU8sRUFBRSxrQkFBa0IsRUFBRSxNQUFNLDJCQUEyQixDQUFDO0FBQy9ELE9BQU8sRUFBRSxxQkFBcUIsRUFBRSxNQUFNLDRCQUE0QixDQUFDO0FBRW5FLE1BQU0sV0FBVyxHQUFHLFNBQVMsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUM7QUFDekMsTUFBTSxZQUFZLEdBQUcsU0FBUyxDQUFDLElBQUksQ0FBQyxLQUFLLENBQUMsQ0FBQztBQUUzQyxNQUFNLE9BQU8sa0JBQWtCO0lBQzdCLE1BQU0sQ0FBQyxLQUFLLENBQUMsTUFBTSxDQUFDLFdBQXdCO1FBQzFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsR0FBRyxrQkFBa0IsQ0FBQyxrQkFBa0IsQ0FBQyxXQUFXLENBQUMsV0FBVyxDQUFDLENBQUM7UUFDakYsTUFBTSxRQUFRLEdBQUcsa0JBQWtCLENBQUMsYUFBYSxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBRXpELE1BQU0sZ0JBQWdCLEdBQXFCO1lBQ3pDLFlBQVksRUFBRSxRQUFRO1lBQ3RCLFlBQVksRUFBRTtnQkFDWixXQUFXLEVBQUUsV0FBVyxDQUFDLFlBQVksQ0FBQyxXQUFXLENBQUMsR0FBRyxDQUFDLENBQUMsRUFBRSxFQUFFLEVBQUUsQ0FBQyxDQUFDO29CQUM3RCxJQUFJLEVBQUUsRUFBRSxDQUFDLElBQUk7b0JBQ2IsSUFBSSxFQUFFLEVBQUUsQ0FBQyxJQUFJO29CQUNiLElBQUksRUFBRSxJQUFJLENBQUMsWUFBWSxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUM7b0JBQ2hDLGdCQUFnQixFQUFFLElBQUksQ0FBQyxZQUFZLENBQUMsRUFBRSxDQUFDLGdCQUFnQixDQUFDO29CQUN4RCxRQUFRLEVBQUUsSUFBSSxDQUFDLFlBQVksQ0FBQyxFQUFFLENBQUMsUUFBUSxDQUFDO2lCQUN6QyxDQUFDLENBQUM7Z0JBQ0gsT0FBTyxFQUFFLFdBQVcsQ0FBQyxZQUFZLENBQUMsT0FBTzthQUMxQztTQUNGLENBQUM7UUFFRixNQUFNLE9BQU8sR0FBRyxnQkFBZ0IsQ0FBQyxNQUFNLENBQUMsZ0JBQWdCLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQztRQUNuRSxNQUFNLFVBQVUsR0FBRyxNQUFNLFdBQVcsQ0FBQyxPQUFPLEVBQUUsRUFBRSxLQUFLLEVBQUUsQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUU1RCxPQUFPLFVBQVUsQ0FBQztJQUNwQixDQUFDO0lBRUQsTUFBTSxDQUFDLEtBQUssQ0FBQyxNQU
FNLENBQUMsa0JBQTBCO1FBQzVDLE1BQU0sWUFBWSxHQUFHLE1BQU0sWUFBWSxDQUFDLGtCQUFrQixDQUFDLENBQUM7UUFDNUQsTUFBTSxnQkFBZ0IsR0FBRyxnQkFBZ0IsQ0FBQyxNQUFNLENBQUMsWUFBWSxDQUFDLENBQUM7UUFFL0QsTUFBTSxRQUFRLEdBQUcsa0JBQWtCLENBQUMsYUFBYSxDQUFDLGdCQUFnQixDQUFDLFlBQVksQ0FBQyxDQUFDO1FBRWpGLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxZQUFZLEVBQUUsQ0FBQztZQUNuQyxNQUFNLElBQUksS0FBSyxDQUFDLDBDQUEwQyxDQUFDLENBQUM7UUFDOUQsQ0FBQztRQUVELE1BQU0sV0FBVyxHQUFrQixnQkFBZ0IsQ0FBQyxZQUFZLENBQUMsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLE9BQU8sRUFBRSxFQUFFO1lBQzNGLE1BQU0sTUFBTSxHQUFnQjtnQkFDMUIsSUFBSSxFQUFFLE9BQU8sQ0FBQyxJQUFlO2dCQUM3QixJQUFJLEVBQUUsT0FBTyxDQUFDLElBQUk7Z0JBQ2xCLElBQUksRUFBRSxJQUFJLENBQUMsZ0JBQWdCLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBRTthQUMzQyxDQUFDO1lBQ0YsSUFBSSxPQUFPLENBQUMsZ0JBQWdCLEVBQUUsQ0FBQztnQkFDN0IsTUFBTSxDQUFDLGdCQUFnQixHQUFHLElBQUksQ0FBQyxnQkFBZ0IsQ0FBQyxPQUFPLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztZQUM1RSxDQUFDO1lBQ0QsSUFBSSxPQUFPLENBQUMsUUFBUSxFQUFFLENBQUM7Z0JBQ3JCLE1BQU0sQ0FBQyxRQUFRLEdBQUcsSUFBSSxDQUFDLGdCQUFnQixDQUFDLE9BQU8sQ0FBQyxRQUFRLENBQUMsQ0FBQztZQUM1RCxDQUFDO1lBQ0QsT0FBTyxNQUFNLENBQUM7UUFDaEIsQ0FBQyxDQUFDLENBQUM7UUFFSCxPQUFPO1lBQ0wsV0FBVyxFQUFFLFFBQVE7WUFDckIsWUFBWSxFQUFFO2dCQUNaLFdBQVc7Z0JBQ1gsT0FBTyxFQUFFLGdCQUFnQixDQUFDLFlBQWEsQ0FBQyxPQUFPO2FBQ2hEO1NBQ0YsQ0FBQztJQUNKLENBQUM7SUFFRCxNQUFNLENBQUMsS0FBSyxDQUFDLG1CQUFtQixDQUFDLFdBQXdCO1FBQ3ZELE1BQU0scUJBQXFCLENBQUMsMEJBQTBCLENBQUMsV0FBVyxDQUFDLFdBQVcsQ0FBQyxDQUFDO1FBRWhGLE1BQU0sd0JBQXdCLEdBQUcsa0JBQWtCLENBQUMsaUJBQWlCLENBQ25FLFdBQVcsQ0FBQyxXQUFXLEVBQ3ZCLG9EQUFvRCxDQUNyRCxDQUFDO1FBQ0YsSUFBSSxDQUFDLHdCQUF3QixFQUFFLENBQUM7WUFDOUIsTUFBTSxJQUFJLEtBQUssQ0FBQyw2Q0FBNkMsQ0FBQyxDQUFDO1FBQ2pFLENBQUM7UUFDRCxNQUFNLGdCQUFnQixHQUFHLE1BQU0sbUJBQW1CLENBQUMsV0FBVyxDQUFDLFlBQVksQ0FBQyxDQUFDO1FBRTdFLE1BQU0sV0FBVyxHQUNmLE1BQU0sQ0FBQyxPQUFPLENBQ1osd0JBQXdCLEVBQ3hCLE1BQU0sQ0FBQyxJQUFJLENBQUMsZ0JBQWdCLENBQUMsSUFBSSxFQUFFLGdCQUFnQixDQUFDLFFBQVEsQ0FBQyxDQUM5RCxLQUFLLENBQUMsQ0FBQztRQUNWLElBQUksQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUNqQixNQUFNLElBQUksS0FBSyxDQUNiLDJGQUEyRixDQUM1RixDQUFDO1
FBQ0osQ0FBQztJQUNILENBQUM7SUFFTyxNQUFNLENBQUMsWUFBWSxDQUFDLElBQVc7UUFDckMsSUFBSSxDQUFDLElBQUksRUFBRSxDQUFDO1lBQ1YsT0FBTztRQUNULENBQUM7UUFFRCxPQUFPO1lBQ0wsSUFBSSxFQUFFLElBQUksQ0FBQyxJQUFJO1lBQ2YsSUFBSSxFQUFFLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLElBQUksRUFBRSxJQUFJLENBQUMsUUFBUSxDQUFDO1NBQzVDLENBQUM7SUFDSixDQUFDO0lBRU8sTUFBTSxDQUFDLGdCQUFnQixDQUFDLFVBQWtDO1FBQ2hFLElBQUksQ0FBQyxVQUFVLEVBQUUsQ0FBQztZQUNoQixPQUFPO1FBQ1QsQ0FBQztRQUVELE9BQU87WUFDTCxJQUFJLEVBQUUsVUFBVSxDQUFDLElBQXFCO1lBQ3RDLElBQUksRUFBRSxNQUFNLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxRQUFRLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQztZQUN6RCxRQUFRLEVBQUUsUUFBUSxDQUFDLEdBQUc7U0FDdkIsQ0FBQztJQUNKLENBQUM7Q0FDRiJ9
|
|
@@ -1,15 +1,16 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
1
|
+
export declare enum ValidateTeeCertChainErrorCode {
|
|
2
|
+
CERT_CHAIN_IS_INVALID = "CERT_CHAIN_IS_INVALID",
|
|
3
|
+
NOT_ALLOWED_CHALLENGE = "NOT_ALLOWED_CHALLENGE",
|
|
4
|
+
CHALLENGE_IS_INVALID = "CHALLENGE_IS_INVALID"
|
|
5
|
+
}
|
|
6
|
+
export interface ValidateTeeCertChainResult {
|
|
7
|
+
isValid: boolean;
|
|
8
|
+
errorCode?: string;
|
|
9
|
+
errorMessage?: string;
|
|
10
|
+
}
|
|
8
11
|
export declare class TeeCertificateService {
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
private validateChallengeSgx;
|
|
14
|
-
private validateChallengeTdxAndSnp;
|
|
12
|
+
static validateTeeCertChainOrFail(certsPem: string): Promise<void>;
|
|
13
|
+
static validateTeeCertChain(certsPem: string): Promise<ValidateTeeCertChainResult>;
|
|
14
|
+
private static validateChallengeSgx;
|
|
15
|
+
private static validateChallengeTdxAndSnp;
|
|
15
16
|
}
|
|
@@ -1,61 +1,67 @@
|
|
|
1
|
-
import forge from 'node-forge';
|
|
2
|
-
import { TeeSgxParser } from './QuoteParser.js';
|
|
3
|
-
import { QuoteValidator } from './QuoteValidator.js';
|
|
4
1
|
import { SUPERPROTOCOL_CA } from '../constants.js';
|
|
5
2
|
import { ChallengeType, OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID, OID_CUSTOM_EXTENSION_CHALLENGE_ID, OID_CUSTOM_EXTENSION_CHALLENGE_TYPE, } from '@super-protocol/pki-common';
|
|
6
3
|
import { TeeSignatureVerifier } from './TeeSignatureVerifier.js';
|
|
7
4
|
import { InvalidSignatureError } from './errors.js';
|
|
8
5
|
import { CertificatesHelper } from '../certificates/index.js';
|
|
6
|
+
export var ValidateTeeCertChainErrorCode;
|
|
7
|
+
(function (ValidateTeeCertChainErrorCode) {
|
|
8
|
+
ValidateTeeCertChainErrorCode["CERT_CHAIN_IS_INVALID"] = "CERT_CHAIN_IS_INVALID";
|
|
9
|
+
ValidateTeeCertChainErrorCode["NOT_ALLOWED_CHALLENGE"] = "NOT_ALLOWED_CHALLENGE";
|
|
10
|
+
ValidateTeeCertChainErrorCode["CHALLENGE_IS_INVALID"] = "CHALLENGE_IS_INVALID";
|
|
11
|
+
})(ValidateTeeCertChainErrorCode || (ValidateTeeCertChainErrorCode = {}));
|
|
9
12
|
export class TeeCertificateService {
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
return Buffer.from(publicKeyDer, 'binary');
|
|
16
|
-
}
|
|
17
|
-
async parseAndValidateCertificate(certificatePem, sgxApiUrl) {
|
|
18
|
-
const pem = Buffer.isBuffer(certificatePem) ? certificatePem.toString() : certificatePem;
|
|
19
|
-
const certificate = forge.pki.certificateFromPem(pem);
|
|
20
|
-
const extensions = certificate.extensions;
|
|
21
|
-
const quote = extensions.find((ext) => ext.id === this.certOidQuote);
|
|
22
|
-
const quoteBuffer = Buffer.from(quote.value, 'binary');
|
|
23
|
-
const validator = new QuoteValidator(sgxApiUrl);
|
|
24
|
-
await validator.checkQuote(quoteBuffer, this.getCertificatePublicKey(certificate));
|
|
25
|
-
const parser = new TeeSgxParser();
|
|
26
|
-
const parsedQuote = parser.parseQuote(quoteBuffer);
|
|
27
|
-
const report = parser.parseReport(parsedQuote.report);
|
|
28
|
-
return {
|
|
29
|
-
userData: Buffer.from(parsedQuote.header.userData),
|
|
30
|
-
mrEnclave: Buffer.from(report.mrEnclave),
|
|
31
|
-
mrSigner: Buffer.from(report.mrSigner),
|
|
32
|
-
dataHash: Buffer.from(report.dataHash),
|
|
33
|
-
};
|
|
13
|
+
static async validateTeeCertChainOrFail(certsPem) {
|
|
14
|
+
const result = await TeeCertificateService.validateTeeCertChain(certsPem);
|
|
15
|
+
if (!result.isValid) {
|
|
16
|
+
throw new Error(result.errorMessage);
|
|
17
|
+
}
|
|
34
18
|
}
|
|
35
|
-
async
|
|
36
|
-
const {
|
|
37
|
-
if (!
|
|
38
|
-
|
|
19
|
+
static async validateTeeCertChain(certsPem) {
|
|
20
|
+
const { isValid, errorMessage } = await CertificatesHelper.validateCertChain(certsPem, SUPERPROTOCOL_CA);
|
|
21
|
+
if (!isValid) {
|
|
22
|
+
return {
|
|
23
|
+
isValid: false,
|
|
24
|
+
errorCode: ValidateTeeCertChainErrorCode.CERT_CHAIN_IS_INVALID,
|
|
25
|
+
errorMessage: `Cert chain is invalid! (${errorMessage})`,
|
|
26
|
+
};
|
|
39
27
|
}
|
|
40
28
|
const sortedCerts = CertificatesHelper.sortCertsFromLeafToRoot(certsPem);
|
|
41
29
|
const challenges = sortedCerts.map((cert) => CertificatesHelper.getExtensionValue(cert, OID_CUSTOM_EXTENSION_CHALLENGE_TYPE)?.toString('binary'));
|
|
42
30
|
if (challenges.some((challenge) => !challenge || challenge === ChallengeType.Untrusted)) {
|
|
43
|
-
|
|
31
|
+
return {
|
|
32
|
+
isValid: false,
|
|
33
|
+
errorCode: ValidateTeeCertChainErrorCode.NOT_ALLOWED_CHALLENGE,
|
|
34
|
+
errorMessage: `Cert chain has cert without or Untrusted challenge`,
|
|
35
|
+
};
|
|
44
36
|
}
|
|
45
37
|
const leafCertChallengeType = challenges[0];
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
38
|
+
try {
|
|
39
|
+
switch (leafCertChallengeType) {
|
|
40
|
+
case ChallengeType.SGXDCAP:
|
|
41
|
+
TeeCertificateService.validateChallengeSgx(certsPem);
|
|
42
|
+
break;
|
|
43
|
+
case ChallengeType.TDX:
|
|
44
|
+
case ChallengeType.AMDSEV:
|
|
45
|
+
await TeeCertificateService.validateChallengeTdxAndSnp(certsPem);
|
|
46
|
+
break;
|
|
47
|
+
default:
|
|
48
|
+
return {
|
|
49
|
+
isValid: false,
|
|
50
|
+
errorCode: ValidateTeeCertChainErrorCode.NOT_ALLOWED_CHALLENGE,
|
|
51
|
+
errorMessage: `Challenge type ${leafCertChallengeType || `[none]`} is missing or not allowed!`,
|
|
52
|
+
};
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
catch (err) {
|
|
56
|
+
return {
|
|
57
|
+
isValid: false,
|
|
58
|
+
errorCode: ValidateTeeCertChainErrorCode.CHALLENGE_IS_INVALID,
|
|
59
|
+
errorMessage: `Challenge is not valid! (${err.message})`,
|
|
60
|
+
};
|
|
56
61
|
}
|
|
62
|
+
return { isValid: true };
|
|
57
63
|
}
|
|
58
|
-
validateChallengeSgx(certPem) {
|
|
64
|
+
static validateChallengeSgx(certPem) {
|
|
59
65
|
const mrSignerBinaryString = CertificatesHelper.getExtensionValue(certPem, OID_CUSTOM_EXTENSION_CHALLENGE_COMMON_ID);
|
|
60
66
|
if (!mrSignerBinaryString) {
|
|
61
67
|
throw new Error(`SGX challenge signature is wrong!`);
|
|
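Review bot: The `default` branch of the `switch` in `validateTeeCertChain` (new-side lines 47–52) formats its message with a `[none]` fallback and the words "is missing or", but that case cannot occur there: the `challenges.some(...)` guard on line 30 has already returned `NOT_ALLOWED_CHALLENGE` for any falsy challenge, so `leafCertChallengeType` is a non-empty string by the time the switch runs. Dropping the fallback so the message reads `Challenge type X is not allowed!` states what is actually being rejected, and a one-line comment above the guard such as `// every cert in the chain must carry a trusted challenge type; the leaf's type selects the verifier below` would make the two-stage check easier to follow. The cjs build (hunk `@@ -1,67 +1,70 @@ class TeeCertificateService`) has the identical branch. `validateChallengeSgx` continues past the end of this hunk.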
@@ -67,7 +73,7 @@ export class TeeCertificateService {
|
|
|
67
73
|
throw new Error(`SGX challenge signature is wrong!`);
|
|
68
74
|
}
|
|
69
75
|
}
|
|
70
|
-
async validateChallengeTdxAndSnp(certPem) {
|
|
76
|
+
static async validateChallengeTdxAndSnp(certPem) {
|
|
71
77
|
const mrEnclaveBinaryString = CertificatesHelper.getExtensionValue(certPem, OID_CUSTOM_EXTENSION_CHALLENGE_ID);
|
|
72
78
|
if (!mrEnclaveBinaryString) {
|
|
73
79
|
throw new Error(`Challenge id is missing in certificate!`);
|
|
@@ -84,4 +90,4 @@ export class TeeCertificateService {
|
|
|
84
90
|
}
|
|
85
91
|
}
|
|
86
92
|
}
|
|
87
|
-
//# sourceMappingURL=data:application/json;base64,
|
|
93
|
+
//# sourceMappingURL=data:application/json;base64,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
|