in sdk/python/teaclave.py [0:0]
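def _verify_report(self, as_root_ca_cert_path: str, enclave_info_path: str,
                   cert: bytes, endpoint_name: str):
    """Verify the remote-attestation report carried by a service certificate.

    Args:
        as_root_ca_cert_path: PEM file holding the attestation service's
            root CA certificate. It is the only trust anchor used when
            validating the report-signing certificate chain.
        enclave_info_path: TOML file with the expected ``mr_enclave`` and
            ``mr_signer`` values, keyed by ``teaclave_<endpoint>_service``.
        cert: DER-encoded X.509 certificate presented by the service. Its
            first extension holds a JSON document with the attestation
            ``report``, the report ``signature`` and the signing ``certs``
            (each given as a list of byte values).
        endpoint_name: Service name selecting the entry in enclave_info.

    Returns:
        None. Every failed check raises; a normal return means the report's
        signature chains to the root CA, the certificate's EC public key
        equals the quote's report_data, and MRENCLAVE / MRSIGNER match the
        expected values.

    Raises:
        TeaclaveException: on any I/O, parsing or verification failure.

    Note:
        When the ``SGX_MODE`` environment variable is ``SW`` (simulation
        build) this function returns immediately and performs no
        verification at all.
    """
    if os.environ.get('SGX_MODE') == 'SW':
        # Simulation builds cannot produce a real quote, so nothing is checked.
        return

    cert = x509.load_der_x509_certificate(cert, default_backend())
    if self._dump_report:
        try:
            with open(self._name + "_attestation_report.pem", "wb") as f:
                f.write(cert.public_bytes(
                    cryptography.hazmat.primitives.serialization.Encoding.PEM))
        except Exception as exc:
            raise TeaclaveException("Failed to dump attestation report") from exc

    # Everything inside the extension comes from the peer and is untrusted
    # until the signature chain below has been validated.
    try:
        ext = json.loads(cert.extensions[0].value.value)
    except Exception as exc:
        raise TeaclaveException("Failed to load extensions") from exc
    try:
        report = bytes(ext["report"])
        signature = bytes(ext["signature"])
        cert_blobs = ext["certs"]
    except (KeyError, TypeError, ValueError) as exc:
        raise TeaclaveException(
            "Malformed attestation report extension") from exc
    try:
        certs = [load_certificate(FILETYPE_ASN1, bytes(c)) for c in cert_blobs]
    except Exception as exc:
        raise TeaclaveException(
            "Failed to load signing certificate of the report") from exc
    if not certs:
        raise TeaclaveException(
            "Attestation report carries no signing certificate")

    # Load the attestation service root CA; this is the trust anchor.
    try:
        with open(as_root_ca_cert_path) as f:
            as_root_ca_cert_pem = f.read()
    except Exception as exc:
        raise TeaclaveException(
            "Failed to open attestation service root certificate") from exc
    try:
        as_root_ca_cert = load_certificate(FILETYPE_PEM, as_root_ca_cert_pem)
    except Exception as exc:
        raise TeaclaveException(
            "Failed to load attestation service root certificate") from exc

    # Only the configured root CA goes into the trusted store. Any further
    # certificates the peer sent are handed to the context as *untrusted*
    # intermediates, so they themselves must chain to the root; adding them to
    # the store would let the peer ship its own trust anchor alongside the
    # report. (The ``chain`` argument needs pyOpenSSL 20.0 or later.)
    store = X509Store()
    store.add_cert(as_root_ca_cert)
    signing_cert = certs[0]
    store_ctx = X509StoreContext(store, signing_cert, chain=certs[1:] or None)
    try:
        store_ctx.verify_certificate()
        # The report is signed by the leaf of the chain just validated.
        crypto.verify(signing_cert, signature, report, 'sha256')
    except Exception as exc:
        raise TeaclaveException("Failed to verify report signature") from exc

    # Now that the report is authentic, read the quote out of it.
    try:
        report_json = json.loads(report)
        quote = base64.b64decode(report_json['isvEnclaveQuoteBody'])
    except Exception as exc:
        raise TeaclaveException("Failed to parse attestation report") from exc

    # Fixed offsets into the quote body: MRENCLAVE at 112, MRSIGNER at 176,
    # REPORTDATA at 368. Reject short quotes explicitly instead of letting a
    # truncated slice fail a later comparison for an unrelated-looking reason.
    if len(quote) < 368 + 64:
        raise TeaclaveException(
            "Quote body in the attestation report is too short")
    report_data = quote[368:368 + 64]
    mr_enclave = quote[112:112 + 32].hex()
    mr_signer = quote[176:176 + 32].hex()

    # Bind the TLS certificate to the quote: the enclave placed its EC public
    # key, as an X9.62 uncompressed point (0x04 || X || Y), into report_data.
    pub_key = cert.public_key().public_bytes(
        cryptography.hazmat.primitives.serialization.Encoding.X962,
        cryptography.hazmat.primitives.serialization.PublicFormat.
        UncompressedPoint)
    # A real check, not ``assert``: it must survive ``python -O``.
    if pub_key[:1] != b'\x04' or pub_key[1:] != report_data:
        raise TeaclaveException(
            "Failed to verify the certificate against the report data in the quote"
        )

    # Compare the enclave identity against the expected measurements.
    try:
        enclave_info = toml.load(enclave_info_path)
    except Exception as exc:
        raise TeaclaveException("Failed to load enclave info") from exc
    enclave_name = "teaclave_" + endpoint_name + "_service"
    try:
        expected = enclave_info[enclave_name]
        expected_mr_enclave = expected["mr_enclave"]
        expected_mr_signer = expected["mr_signer"]
    except KeyError as exc:
        raise TeaclaveException(
            "No enclave info found for " + enclave_name) from exc
    # TeaclaveException (an Exception subclass) instead of a bare Exception,
    # for consistency with every other failure path in this method.
    if mr_enclave != expected_mr_enclave:
        raise TeaclaveException("Failed to verify mr_enclave")
    if mr_signer != expected_mr_signer:
        raise TeaclaveException("Failed to verify mr_signer")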