[tools/RA-TLS] Copy quote from X.509 cert into a separate object
Previously, `extract_quote_and_verify_pubkey()` returned a pointer to
the SGX quote located inside the X.509 certificate. This is a confusing
pattern, so this commit copies the SGX quote into a newly allocated
object whose ownership is passed to the callers of this function.

Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
Dmitrii Kuvaiskii committed Jul 24, 2024
1 parent 72668bb commit 139f642
Showing 5 changed files with 16 additions and 6 deletions.
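--- a/tools/sgx/ra-tls/ra_tls_attest.c
+++ b/tools/sgx/ra-tls/ra_tls_attest.c
@@ -133,7 +133,8 @@ static int generate_x509(mbedtls_pk_context* pk, const uint8_t* quote, size_t qu
 goto out;
 
 /* finally, embed the quote into the generated certificate (as X.509 extension) */
-ret = mbedtls_x509write_crt_set_extension(writecrt, (const char*)g_quote_oid, g_quote_oid_size,
+ret = mbedtls_x509write_crt_set_extension(writecrt, (const char*)g_quote_oid,
+sizeof(g_quote_oid),
 /*critical=*/0, quote, quote_size);
 if (ret < 0)
 goto out;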
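--- a/tools/sgx/ra-tls/ra_tls_common.h
+++ b/tools/sgx/ra-tls/ra_tls_common.h
@@ -24,7 +24,6 @@
 #define OID(N) \
 { 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF8, 0x4D, 0x8A, 0x39, (N) }
 static const uint8_t g_quote_oid[] = OID(0x06);
-static const size_t g_quote_oid_size = sizeof(g_quote_oid);
 
 bool getenv_allow_outdated_tcb(void);
 bool getenv_allow_hw_config_needed(void);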
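--- a/tools/sgx/ra-tls/ra_tls_verify_common.c
+++ b/tools/sgx/ra-tls/ra_tls_verify_common.c
@@ -227,7 +227,7 @@ int extract_quote_and_verify_pubkey(mbedtls_x509_crt* crt, sgx_quote_t** out_quo
 sgx_quote_t* quote;
 size_t quote_size;
 int ret = find_oid_in_cert_extensions(crt->v3_ext.p, crt->v3_ext.len, g_quote_oid,
-g_quote_oid_size, (uint8_t**)&quote, &quote_size);
+sizeof(g_quote_oid), (uint8_t**)&quote, &quote_size);
 if (ret < 0)
 return ret;
 
@@ -239,7 +239,14 @@ int extract_quote_and_verify_pubkey(mbedtls_x509_crt* crt, sgx_quote_t** out_quo
 if (ret < 0)
 return ret;
 
-*out_quote = quote;
+/* quote returned by find_oid_in_cert_extensions() is a pointer somewhere inside of the X.509
+* cert object; let's copy it into a newly allocated object to make tracing ownership easier */
+sgx_quote_t* allocated_quote = malloc(quote_size);
+if (!allocated_quote)
+return MBEDTLS_ERR_X509_ALLOC_FAILED;
+memcpy(allocated_quote, quote, quote_size);
+
+*out_quote = allocated_quote;
 *out_quote_size = quote_size;
 return 0;
 }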
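Review bot: The new ownership contract of `extract_quote_and_verify_pubkey()` is recorded only in a comment inside the body (second hunk, above `malloc(quote_size)`), so a caller reading the prototype cannot tell that it must now free the result. I would add to the function's doc comment: `/* On success, *out_quote is a heap-allocated copy that the caller must free(); on failure *out_quote is left untouched. */`. Any caller other than the two callbacks updated in this commit would leak the copy on each verification, so it is worth checking for other users. `quote_size` is taken from the peer's certificate; the length checks that presumably precede the copy lie in the part of the function outside the hunks and should stay ahead of the allocation.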
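--- a/tools/sgx/ra-tls/ra_tls_verify_dcap.c
+++ b/tools/sgx/ra-tls/ra_tls_verify_dcap.c
@@ -99,6 +99,7 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_
 struct ra_tls_verify_callback_results* results = (struct ra_tls_verify_callback_results*)data;
 
 int ret;
+sgx_quote_t* quote = NULL;
 
 uint8_t* supplemental_data = NULL;
 uint32_t supplemental_data_size = 0;
@@ -124,7 +125,6 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_
 results->err_loc = AT_EXTRACT_QUOTE;
 
 /* extract SGX quote from "quote" OID extension from crt */
-sgx_quote_t* quote;
 size_t quote_size;
 ret = extract_quote_and_verify_pubkey(crt, &quote, &quote_size);
 if (ret < 0) {
@@ -263,6 +263,7 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_
 results->err_loc = AT_NONE;
 ret = 0;
 out:
+free(quote);
 free(supplemental_data);
 return ret;
 }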
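Review bot: With `free(quote)` at `out:` the quote now lives only for one invocation of `ra_tls_verify_callback()`, whereas before it pointed into `crt` and stayed valid for as long as the certificate did. Anything that keeps a pointer into the quote past `out:` (a field stored in `results`, or a pointer retained by a user-supplied verification callback, if the code between the hunks does either) would now dangle; the body between the second and third hunk is not shown, so this needs a check against the full function. The same applies to the EPID variant in `ra_tls_verify_epid.c`. A short comment at the declaration, `/* heap copy owned by this function, freed at out: */`, would record the intent.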
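--- a/tools/sgx/ra-tls/ra_tls_verify_epid.c
+++ b/tools/sgx/ra-tls/ra_tls_verify_epid.c
@@ -121,6 +121,8 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_
 struct ra_tls_verify_callback_results* results = (struct ra_tls_verify_callback_results*)data;
 
 int ret;
+sgx_quote_t* quote = NULL;
+
 struct ias_context_t* ias = NULL;
 char* ias_pub_key_pem = NULL;
 
@@ -168,7 +170,6 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_
 results->err_loc = AT_EXTRACT_QUOTE;
 
 /* extract SGX quote from "quote" OID extension from crt */
-sgx_quote_t* quote;
 size_t quote_size;
 ret = extract_quote_and_verify_pubkey(crt, &quote, &quote_size);
 if (ret < 0) {
@@ -281,6 +282,7 @@ int ra_tls_verify_callback(void* data, mbedtls_x509_crt* crt, int depth, uint32_
 if (ias)
 ias_cleanup(ias);
 
+free(quote);
 free(ias_pub_key_pem);
 free(quote_from_ias);
 free(report_data);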
