Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[TOB] DEV-3785: ID-6 #18

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[TOB] DEV-3785: ID-6 #18

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 13 additions & 12 deletions contracts/bases/X509ChainBase.sol
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ abstract contract X509ChainBase is P256Verifier {
using BytesUtils for bytes;
using LibString for bytes;

uint8 constant PCK_CERT_CHAIN_LENGTH = 3;

string constant PLATFORM_ISSUER_NAME = "Intel SGX PCK Platform CA";
string constant PROCESSOR_ISSUER_NAME = "Intel SGX PCK Processor CA";

Expand Down Expand Up @@ -62,21 +64,27 @@ abstract contract X509ChainBase is P256Verifier {
view
returns (bool)
{
require(certs.length == PCK_CERT_CHAIN_LENGTH, "Invalid PCK certificate chain length");

X509CRLHelper crlHelper = X509CRLHelper(crlHelperAddr);
uint256 n = certs.length;
bool certRevoked;
bool certNotExpired;
bool verified;
bool certChainCanBeTrusted;
for (uint256 i = 0; i < n; i++) {
for (uint256 i = 0; i < PCK_CERT_CHAIN_LENGTH; i++) {
X509CertObj memory issuer;
if (i == n - 1) {
// rootCA
if (i == PCK_CERT_CHAIN_LENGTH - 1) {
// the last cert must be the root CA
issuer = certs[i];
bytes32 issuerPubKeyHash = keccak256(issuer.subjectPublicKey);
certChainCanBeTrusted = issuerPubKeyHash == ROOTCA_PUBKEY_HASH;
if (!certChainCanBeTrusted) {
break;
}
} else {
issuer = certs[i + 1];
bytes memory crl;
if (i == n - 2) {
if (i == PCK_CERT_CHAIN_LENGTH - 2) {
(, crl) = pccsRouter.getCrl(CA.ROOT);
} else if (i == 0) {
string memory issuerName = certs[i].issuerCommonName;
Expand Down Expand Up @@ -107,13 +115,6 @@ abstract contract X509ChainBase is P256Verifier {
break;
}
}

bytes32 issuerPubKeyHash = keccak256(issuer.subjectPublicKey);

if (issuerPubKeyHash == ROOTCA_PUBKEY_HASH) {
certChainCanBeTrusted = true;
break;
}
}
return !certRevoked && certNotExpired && verified && certChainCanBeTrusted;
}
Expand Down