chore: add public key challenge in ic_tee_identity

ldclabs · Nov 22, 2024 · c1fc624 · c1fc624
1 parent 12c0079
commit c1fc624
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 8 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/src/ic_tee_identity/Cargo.toml b/src/ic_tee_identity/Cargo.toml
@@ -23,6 +23,7 @@ serde_bytes = { workspace = true }
 ic-stable-structures = { workspace = true }
 ic-canister-sig-creation = { workspace = true }
 ic-certification = { workspace = true }
+ic-crypto-standalone-sig-verifier = { workspace = true }
 getrandom = { version = "0.2", features = ["custom"] }
 ic_tee_cdk = { path = "../ic_tee_cdk", version = "0.1" }
 ic_tee_nitro_attestation = { path = "../ic_tee_nitro_attestation", version = "0.1" }
diff --git a/src/ic_tee_identity/src/api.rs b/src/ic_tee_identity/src/api.rs
@@ -1,6 +1,9 @@
 use candid::Principal;
 use ciborium::from_reader;
 use ic_canister_sig_creation::delegation_signature_msg;
+use ic_crypto_standalone_sig_verifier::{
+    user_public_key_from_bytes, verify_basic_sig_by_public_key,
+};
 use ic_tee_cdk::{
     canister_user_key, AttestationUserRequest, Delegation, SignInParams, SignInResponse,
     SignedDelegation,
@@ -38,11 +41,25 @@ fn sign_in(kind: String, attestation: ByteBuf) -> Result<SignInResponse, String>
     let pubkey: ByteBuf = attestation
         .public_key
         .ok_or_else(|| "missing public key".to_string())?;
+    let user_data: ByteBuf = attestation
+        .user_data
+        .ok_or_else(|| "missing user data".to_string())?;
+    let sig: ByteBuf = attestation
+        .nonce
+        .ok_or_else(|| "missing nonce".to_string())?;
+
+    let (pk, _) = user_public_key_from_bytes(pubkey.as_slice())
+        .map_err(|err| format!("invalid public key: {:?}", err))?;
+    verify_basic_sig_by_public_key(
+        pk.algorithm_id,
+        user_data.as_slice(),
+        sig.as_slice(),
+        &pk.key,
+    )
+    .map_err(|err| format!("challenge verification failed: {:?}", err))?;
 
-    let req: AttestationUserRequest<SignInParams> = attestation.user_data.map_or_else(
-        || Err("missing user data".to_string()),
-        |data| from_reader(data.as_slice()).map_err(|err| format!("invalid user data: {:?}", err)),
-    )?;
+    let req: AttestationUserRequest<SignInParams> =
+        from_reader(user_data.as_slice()).map_err(|err| format!("invalid user data: {:?}", err))?;
     if req.method != "sign_in" {
         return Err("invalid attestation user request method".to_string());
     }
@@ -51,7 +68,7 @@ fn sign_in(kind: String, attestation: ByteBuf) -> Result<SignInResponse, String>
         Some(SignInParams { id_scope }) => {
             if id_scope == "image" {
                 canister_user_key(ic_cdk::id(), &kind, pcr0.as_slice(), None)
-            } else if id_scope == "enclave" {
+            } else if id_scope == "instance" {
                 canister_user_key(
                     ic_cdk::id(),
                     &kind,

diff --git a/src/ic_tee_nitro_gateway/src/main.rs b/src/ic_tee_nitro_gateway/src/main.rs
@@ -45,7 +45,7 @@ struct Cli {
     #[clap(long, value_parser)]
     session_expires_in_ms: Option<u64>,
 
-    // id_scope should be "image" or "enclave", default is "image"
+    // id_scope should be "image" or "instance", default is "image"
     #[clap(long, value_parser)]
     id_scope: Option<String>,
 
@@ -117,12 +117,13 @@ async fn serve(cli: Cli) -> Result<()> {
 
     let user_req = to_cbor_bytes(&user_req);
     let session_key = TEEIdentity::new_session();
-    let public_key = session_key.1.clone();
+    let public_key = session_key.1.clone(); // der encoded public key
+    let sig = session_key.0.sign(&user_req);
 
     let doc = sign_attestation(AttestationRequest {
         public_key: Some(public_key.into()),
         user_data: Some(user_req.clone().into()),
-        nonce: None,
+        nonce: Some(sig.to_bytes().to_vec().into()), // use signature as nonce for challenge
     })
     .map_err(anyhow::Error::msg)?;