This is an automated email from the ASF dual-hosted git repository.
hsun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git
The following commit(s) were added to refs/heads/master by this push:
new 1c42f6c8 Check the binding of the server certificate with the sgx quote
1c42f6c8 is described below
commit 1c42f6c8273fcddcbd0614f53b1db90da9c089de
Author: sunhe05 <[email protected]>
AuthorDate: Thu Mar 23 02:27:28 2023 +0000
Check the binding of the server certificate with the sgx quote
The fix is reported from https://github.com/mithril-security/poison-tea.
---
sdk/python/teaclave.py | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/sdk/python/teaclave.py b/sdk/python/teaclave.py
index 1dad6159..2fec9cd8 100644
--- a/sdk/python/teaclave.py
+++ b/sdk/python/teaclave.py
@@ -199,6 +199,21 @@ class TeaclaveService:
quote = report['isvEnclaveQuoteBody']
quote = base64.b64decode(quote)
+ # get report_data from the quote
+ report_data = quote[368:368 + 64]
+ # get EC pub key from the certificate
+ pub_key = cert.public_key().public_bytes(
+ cryptography.hazmat.primitives.serialization.Encoding.X962,
+ cryptography.hazmat.primitives.serialization.PublicFormat.
+ UncompressedPoint)
+
+ # verify whether the certificate is bound to the quote
+ assert (pub_key[0] == 4)
+ if pub_key[1:] != report_data:
+ raise TeaclaveException(
+ "Failed to verify the certificate agaist the report data in
the quote"
+ )
+
# get mr_enclave and mr_signer from the quote
mr_enclave = quote[112:112 + 32].hex()
mr_signer = quote[176:176 + 32].hex()
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
