From 0af9acdfea7d470317d161db4d36990a3f3f88ae Mon Sep 17 00:00:00 2001
From: Preston Ong <preston4896@me.com>
Date: Fri, 7 Feb 2025 10:41:41 +0800
Subject: [PATCH] assert dcap certificate chain to strictly contain 3 X509
 Certificates

---
 contracts/bases/X509ChainBase.sol | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/contracts/bases/X509ChainBase.sol b/contracts/bases/X509ChainBase.sol
index bc3af03..6d656cf 100644
--- a/contracts/bases/X509ChainBase.sol
+++ b/contracts/bases/X509ChainBase.sol
@@ -15,6 +15,8 @@ abstract contract X509ChainBase is P256Verifier {
     using BytesUtils for bytes;
     using LibString for bytes;
 
+    uint8 constant PCK_CERT_CHAIN_LENGTH = 3;
+
     string constant PLATFORM_ISSUER_NAME = "Intel SGX PCK Platform CA";
     string constant PROCESSOR_ISSUER_NAME = "Intel SGX PCK Processor CA";
 
@@ -62,21 +64,27 @@ abstract contract X509ChainBase is P256Verifier {
         view
         returns (bool)
     {
+        require(certs.length == PCK_CERT_CHAIN_LENGTH, "Invalid PCK certificate chain length");
+        
         X509CRLHelper crlHelper = X509CRLHelper(crlHelperAddr);
-        uint256 n = certs.length;
         bool certRevoked;
         bool certNotExpired;
         bool verified;
         bool certChainCanBeTrusted;
-        for (uint256 i = 0; i < n; i++) {
+        for (uint256 i = 0; i < PCK_CERT_CHAIN_LENGTH; i++) {
             X509CertObj memory issuer;
-            if (i == n - 1) {
-                // rootCA
+            if (i == PCK_CERT_CHAIN_LENGTH - 1) {
+                // the last cert must be the root CA
                 issuer = certs[i];
+                bytes32 issuerPubKeyHash = keccak256(issuer.subjectPublicKey);
+                certChainCanBeTrusted = issuerPubKeyHash == ROOTCA_PUBKEY_HASH;
+                if (!certChainCanBeTrusted) {
+                    break;
+                }
             } else {
                 issuer = certs[i + 1];
                 bytes memory crl;
-                if (i == n - 2) {
+                if (i == PCK_CERT_CHAIN_LENGTH - 2) {
                     (, crl) = pccsRouter.getCrl(CA.ROOT);
                 } else if (i == 0) {
                     string memory issuerName = certs[i].issuerCommonName;
@@ -107,13 +115,6 @@ abstract contract X509ChainBase is P256Verifier {
                     break;
                 }
             }
-
-            bytes32 issuerPubKeyHash = keccak256(issuer.subjectPublicKey);
-
-            if (issuerPubKeyHash == ROOTCA_PUBKEY_HASH) {
-                certChainCanBeTrusted = true;
-                break;
-            }
         }
         return !certRevoked && certNotExpired && verified && certChainCanBeTrusted;
     }