routex-settlement 0.2.0 → 0.2.1

package/index.js

@@ -9,6 +9,7 @@ import { sha256 } from '@noble/hashes/sha2.js';
 import { AsnConvert } from '@peculiar/asn1-schema';
 import { SubjectPublicKeyInfo } from '@peculiar/asn1-x509';
 import * as x509 from '@peculiar/x509';
+import { fromBER, Integer, IA5String } from 'asn1js';
 
 /******************************************************************************
 Copyright (c) Microsoft Corporation.
@@ -46,14 +47,17 @@ const REQUIREMENTS = {
     Genoa: {
         minCommittedVersion: [0x1, 0x37, 0x31],
         minCommittedTcbSnp: 0x1b,
+        minMitVector: (1 << 0) | (1 << 1),
     },
     Milan: {
         minCommittedVersion: [0x1, 0x37, 0x23],
         minCommittedTcbSnp: 0x1b,
+        minMitVector: 1 << 1,
     },
     Turin: {
         minCommittedVersion: [0x1, 0x37, 0x41],
         minCommittedTcbSnp: 0x04,
+        minMitVector: (1 << 0) | (1 << 1) | (1 << 2) | (1 << 4) | (1 << 5),
     },
 };
 const YAXI_SIGNING_KEYS = {
@@ -366,46 +370,28 @@ function verifyAttestation(response, requirements, signingKeys) {
         }
     });
 }
-function _verifyTcbVersion(attestationReport, vcekTcb) {
+function parseTcbVersion(tcbBytes, product) {
+    if (product === "Turin") {
+        return {
+            fmc: tcbBytes[0],
+            bootloader: tcbBytes[1],
+            tee: tcbBytes[2],
+            snp: tcbBytes[3],
+            microcode: tcbBytes[7],
+        };
+    }
+    return {
+        bootloader: tcbBytes[0],
+        tee: tcbBytes[1],
+        snp: tcbBytes[6],
+        microcode: tcbBytes[7],
+        fmc: 0,
+    };
+}
+function _verifyTcbVersion(attestationReport, product, vcekTcb) {
     return __awaiter(this, void 0, void 0, function* () {
-        const versionBytes = attestationReport.slice(0, 4);
-        const version = new DataView(versionBytes.buffer).getInt32(0, true);
-        let turinLike;
-        switch (version) {
-            case 0:
-            case 1:
-                throw new Error("Unsupported Attestation Report Version");
-            case 2: {
-                const chipId = attestationReport.slice(REPORT_OFFSETS.chipId, REPORT_OFFSETS.chipId + 64);
-                if (equalBytes(chipId, new Uint8Array(64))) {
-                    throw new Error("Could not derive CPU family: MASK_CHIP_ID enabled");
-                }
-                turinLike = equalBytes(chipId.slice(8), new Uint8Array(56));
-                break;
-            }
-            default: // from version 3 onwards CPUID_FAM_ID field should exist
-                turinLike = attestationReport[REPORT_OFFSETS.cpuIdFamily] == 0x1a;
-        }
         const reportedTcb = attestationReport.slice(REPORT_OFFSETS.reportedTcb, REPORT_OFFSETS.reportedTcb + 8);
-        let tcb;
-        if (turinLike) {
-            tcb = {
-                microcode: reportedTcb[7],
-                snp: reportedTcb[3],
-                tee: reportedTcb[2],
-                bootloader: reportedTcb[1],
-                fmc: reportedTcb[0],
-            };
-        }
-        else {
-            tcb = {
-                microcode: reportedTcb[7],
-                snp: reportedTcb[6],
-                tee: reportedTcb[1],
-                bootloader: reportedTcb[0],
-                fmc: 0,
-            };
-        }
+        const tcb = parseTcbVersion(reportedTcb, product);
         if (!(tcb.microcode === vcekTcb.microcode &&
             tcb.snp === vcekTcb.snp &&
             tcb.tee === vcekTcb.tee &&
@@ -422,6 +408,10 @@ function _verifyReport(attestationReport, vcekChain, requirementsMap) {
         }
         const { product, publicKey, vcekTcb } = yield _verifyVcekChain(vcekChain, requirementsMap);
         const requirements = requirementsMap[product];
+        const sigAlgo = attestationReport[REPORT_OFFSETS.sigAlgo];
+        if (sigAlgo !== 0x1) {
+            throw new Error(`Verification failed: Unsupported signature algorithm ${sigAlgo}, only ECDSA P-384 with SHA-384 (0x1) is supported`);
+        }
         if (!equalBytes(attestationReport.slice(REPORT_OFFSETS.signatureR + 48, REPORT_OFFSETS.signatureR + 72), new Uint8Array(24)) ||
             !equalBytes(attestationReport.slice(REPORT_OFFSETS.signatureS + 48, REPORT_OFFSETS.signatureS + 72), new Uint8Array(24))) {
             throw new Error("Unexpected signature bits");
@@ -450,18 +440,49 @@ function _verifyReport(attestationReport, vcekChain, requirementsMap) {
             0) {
             throw new Error("Verification failed: Alias check complete is false");
         }
-        if (attestationReport[REPORT_OFFSETS.committedMajor] <
-            requirements.minCommittedVersion[0] ||
-            attestationReport[REPORT_OFFSETS.committedMinor] <
-                requirements.minCommittedVersion[1] ||
-            attestationReport[REPORT_OFFSETS.committedBuild] <
-                requirements.minCommittedVersion[2]) {
+        const debugAllowed = attestationReport[REPORT_OFFSETS.policy + Math.floor(GUEST_POLICY_BITS.debugAllowed / 8)] &
+            (1 << GUEST_POLICY_BITS.debugAllowed % 8);
+        if (debugAllowed) {
+            throw new Error("Verification failed: Debug mode is enabled in guest policy");
+        }
+        const vmpl = new DataView(attestationReport.buffer, attestationReport.byteOffset + REPORT_OFFSETS.vmpl, 4).getUint32(0, true);
+        if (vmpl > 3) {
+            throw new Error(`Verification failed: Unexpected VMPL ${vmpl}`);
+        }
+        const signingKey = (attestationReport[REPORT_OFFSETS.keyInfo] >> KEY_INFO_BITS.signingKey) &
+            ((1 << 3) - 1);
+        if (signingKey !== 0) {
+            throw new Error("Verification failed: Report is not signed by a VCEK");
+        }
+        const reportedVersion = (attestationReport[REPORT_OFFSETS.committedMajor] << 16) |
+            (attestationReport[REPORT_OFFSETS.committedMinor] << 8) |
+            attestationReport[REPORT_OFFSETS.committedBuild];
+        const requiredVersion = (requirements.minCommittedVersion[0] << 16) |
+            (requirements.minCommittedVersion[1] << 8) |
+            requirements.minCommittedVersion[2];
+        if (reportedVersion < requiredVersion) {
             throw new Error("Verification failed: Firmware version too small");
         }
-        if (attestationReport[REPORT_OFFSETS.committedTcbSnp] <
-            requirements.minCommittedTcbSnp) {
+        const committedTcb = parseTcbVersion(attestationReport.slice(REPORT_OFFSETS.committedTcb, REPORT_OFFSETS.committedTcb + 8), product);
+        if (committedTcb.snp < requirements.minCommittedTcbSnp) {
             throw new Error("Verification failed: SNP patch level too small");
         }
+        if (requirements.minMitVector !== undefined) {
+            const reportView = new DataView(attestationReport.buffer, attestationReport.byteOffset, attestationReport.byteLength);
+            const reportVersion = reportView.getUint32(REPORT_OFFSETS.version, true);
+            const min = BigInt(requirements.minMitVector);
+            const checkMitVector = (offset, label) => {
+                if (reportVersion < 5) {
+                    throw new Error(`Verification failed: ${label} mitigation vector not present in report`);
+                }
+                const value = reportView.getBigUint64(offset, true);
+                if ((value & min) !== min) {
+                    throw new Error(`Verification failed: ${label} mitigation vector required bits not set`);
+                }
+            };
+            checkMitVector(REPORT_OFFSETS.currentMitVector, "Current");
+            checkMitVector(REPORT_OFFSETS.launchMitVector, "Launch");
+        }
         const cpuModel = attestationReport[REPORT_OFFSETS.cpuIdModel];
         const cpuStep = attestationReport[REPORT_OFFSETS.cpuIdStep];
         let requiredMicrocode;
@@ -473,7 +494,7 @@ function _verifyReport(attestationReport, vcekChain, requirementsMap) {
                 }
                 else if (cpuModel === 1 && cpuStep === 2) {
                     // Milan-X
-                    requiredMicrocode = 0x45;
+                    requiredMicrocode = 0x47;
                 }
                 break;
             }
@@ -497,29 +518,29 @@ function _verifyReport(attestationReport, vcekChain, requirementsMap) {
             case "Turin":
                 if (cpuModel === 2 && cpuStep === 1) {
                     // Turin Classic
-                    requiredMicrocode = 0x50;
+                    requiredMicrocode = 0x51;
                 }
                 else if (cpuModel === 0x11 && cpuStep === 0) {
                     // Turin Dense
-                    requiredMicrocode = 0x4d;
-                }
-                else if (cpuModel > 2 ||
-                    (cpuModel === 2 && cpuStep > 1) ||
-                    (cpuModel === 0x11 && cpuStep > 0)) {
-                    // Accept any newer models/steppings for Turin
-                    requiredMicrocode = 0;
+                    requiredMicrocode = 0x4e;
                 }
         }
         if (requiredMicrocode === undefined) {
             throw new Error("Verification failed: Report doesn't match any known CPU family");
         }
-        const reportedMicrocode = attestationReport.slice(REPORT_OFFSETS.reportedTcb, REPORT_OFFSETS.reportedTcb + 8)[7];
-        if (reportedMicrocode < requiredMicrocode) {
-            throw new Error("Verification failed: Reported microcode version too small");
+        if (committedTcb.microcode < requiredMicrocode) {
+            throw new Error("Verification failed: Committed microcode version too small");
         }
-        yield _verifyTcbVersion(attestationReport, vcekTcb);
+        yield _verifyTcbVersion(attestationReport, product, vcekTcb);
     });
 }
+function readExtensionInt(ext) {
+    const { result } = fromBER(ext);
+    if (!(result instanceof Integer)) {
+        throw new Error("Expected ASN.1 INTEGER");
+    }
+    return result.valueBlock.valueDec;
+}
 function _verifyVcekChain(vcek, requirements) {
     return __awaiter(this, void 0, void 0, function* () {
         let cert;
@@ -540,19 +561,20 @@ function _verifyVcekChain(vcek, requirements) {
             }
             return new Uint8Array(ext.value);
         };
-        const productIA5String = find_extension("1.3.6.1.4.1.3704.1.2", "product name");
-        if (productIA5String[0] !== 0x16) {
-            throw new Error(`Unexpected product extension: ${productIA5String}`);
+        const productExtension = find_extension("1.3.6.1.4.1.3704.1.2", "product name");
+        const { result: productIA5String } = fromBER(productExtension);
+        if (!(productIA5String instanceof IA5String)) {
+            throw new Error("Expected ASN.1 IA5String for product extension");
         }
-        const product = String.fromCharCode(...productIA5String.slice(2)).split("-", 1)[0];
+        const product = productIA5String.valueBlock.value.split("-", 1)[0];
         if (!Object.prototype.hasOwnProperty.call(requirements, product)) {
             throw new Error(`Unexpected product: ${product}`);
         }
         const subjectPublicKeyInfo = AsnConvert.parse(chain[0].publicKey.rawData, SubjectPublicKeyInfo);
-        const bootloader = find_extension("1.3.6.1.4.1.3704.1.3.1", "bootloader version")[2];
-        const tee = find_extension("1.3.6.1.4.1.3704.1.3.2", "TEE")[2];
-        const snp = find_extension("1.3.6.1.4.1.3704.1.3.3", "SNP version")[2];
-        const microcode = find_extension("1.3.6.1.4.1.3704.1.3.8", "microcode")[2];
+        const bootloader = readExtensionInt(find_extension("1.3.6.1.4.1.3704.1.3.1", "bootloader version"));
+        const tee = readExtensionInt(find_extension("1.3.6.1.4.1.3704.1.3.2", "TEE"));
+        const snp = readExtensionInt(find_extension("1.3.6.1.4.1.3704.1.3.3", "SNP version"));
+        const microcode = readExtensionInt(find_extension("1.3.6.1.4.1.3704.1.3.8", "microcode"));
         const tcb = {
             bootloader: bootloader,
             tee: tee,
@@ -562,7 +584,7 @@ function _verifyVcekChain(vcek, requirements) {
         };
         const fmc = chain[0].extensions.find((ext) => ext.type == "1.3.6.1.4.1.3704.1.3.9");
         if (fmc) {
-            tcb.fmc = new Uint8Array(fmc.value)[2];
+            tcb.fmc = readExtensionInt(new Uint8Array(fmc.value));
         }
         return {
             product: product,
@@ -593,24 +615,35 @@ function _getSealNonce(ephemeralPublicKey, recipientPublicKey) {
         .digest();
 }
 const REPORT_OFFSETS = {
+    version: 0,
+    policy: 8,
+    vmpl: 48,
+    sigAlgo: 52,
     platInfo: 64,
+    keyInfo: 72,
     reportData: 80,
     measurement: 144,
     reportedTcb: 384,
-    cpuIdFamily: 392,
     cpuIdModel: 393,
     cpuIdStep: 394,
-    chipId: 416,
-    committedTcbSnp: 486,
+    committedTcb: 480,
     committedBuild: 492,
     committedMinor: 493,
     committedMajor: 494,
+    launchMitVector: 504,
+    currentMitVector: 512,
     signatureR: 672,
     signatureS: 744,
 };
 const PLATFORM_INFO_BITS = {
     aliasCheckComplete: 5,
 };
+const GUEST_POLICY_BITS = {
+    debugAllowed: 19,
+};
+const KEY_INFO_BITS = {
+    signingKey: 2,
+};
 function bytesToUtf8(bytes) {
     return __awaiter(this, void 0, void 0, function* () {
         return new TextDecoder().decode(bytes);
@@ -622,6 +655,7 @@ if (typeof process !== "undefined" && process.env.NODE_ENV === "test") {
     _testing$1.YAXI_SIGNING_KEYS = YAXI_SIGNING_KEYS;
     _testing$1.verifyReport = _verifyReport;
     _testing$1.verifyTcbVersion = _verifyTcbVersion;
+    _testing$1.readExtensionInt = readExtensionInt;
 }
 
 class KeySettlement {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "routex-settlement",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Key settlement for the YAXI routex client",
   "homepage": "https://yaxi.tech",
   "author": "YAXI GmbH",
@@ -15,7 +15,7 @@
     "util.d.ts"
   ],
   "scripts": {
-    "build": "rollup --input index.ts --dir . --plugin typescript --external @noble/ciphers/chacha.js,@noble/curves/ed25519.js,@noble/curves/nist.js,@noble/curves/utils.js,@noble/hashes/blake2.js,@noble/hashes/hkdf.js,@noble/hashes/sha2.js,@noble/hashes/utils.js,@peculiar/asn1-schema,@peculiar/asn1-x509,@peculiar/x509",
+    "build": "rollup --input index.ts --dir . --plugin typescript --external @noble/ciphers/chacha.js,@noble/curves/ed25519.js,@noble/curves/nist.js,@noble/curves/utils.js,@noble/hashes/blake2.js,@noble/hashes/hkdf.js,@noble/hashes/sha2.js,@noble/hashes/utils.js,@peculiar/asn1-schema,@peculiar/asn1-x509,@peculiar/x509,asn1js",
     "clean": "tsc --build --clean",
     "fmt": "prettier --write .",
     "lint": "eslint",
@@ -27,7 +27,8 @@
     "@noble/hashes": "^2.0.0",
     "@peculiar/asn1-schema": "^2.3.15",
     "@peculiar/asn1-x509": "^2.3.15",
-    "@peculiar/x509": "^1.12.3"
+    "@peculiar/x509": "^1.12.3",
+    "asn1js": "^3.0.6"
   },
   "devDependencies": {
     "@eslint/js": "^9.21.0",

package/util.d.ts

@@ -30,6 +30,7 @@ type Requirements = {
     [id: string]: {
         minCommittedVersion: [number, number, number];
         minCommittedTcbSnp: number;
+        minMitVector?: number;
     };
 };
 export declare function verifyAttestation(response: SettlementResponse, requirements?: Requirements, signingKeys?: typeof YAXI_SIGNING_KEYS): Promise<void>;