Cosmian · ThibsG · Mar 29, 2024 · Mar 29, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -19,15 +19,18 @@ asn1-rs = "0.5"
 asn1 = "0.15"
 bincode = "1.3"
 const-oid = "0.9"
-curve25519-dalek = "3.2"
 der = { version = "0.7", features = ["alloc", "derive", "flagset", "oid"] }
 ecdsa = { version = "0.16", features = ["sha2", "spki"] }
 elliptic-curve = "0.13"
 hex = { version = "0.4", features = ["serde"] }
 hkdf = "0.12"
 log = "0.4"
 openssl = { version = "0.10", features = ["vendored"] }
-reqwest = { version = "0.11", default-features = false, features = ["json", "rustls-tls", "blocking"] }
+reqwest = { version = "0.12", default-features = false, features = [
+    "json",
+    "rustls-tls",
+    "blocking",
+] }
 rand = "0.8"
 rand_chacha = "0.3"
 rsa = "0.9"

diff --git a/crate/maa_client/Cargo.toml b/crate/maa_client/Cargo.toml
@@ -4,14 +4,14 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
-base64 = "0.21"
+base64 = "0.22"
 hex = { workspace = true }
 jose-jwk = { version = "0.1", features = ["rsa"] }
 jose-jws = "0.1"
 jwt-simple = "0.12"
 reqwest = { workspace = true }
 rsa = "0.9"
-serde = {version = "1.0", features = ["derive"] }
+serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 thiserror = { workspace = true }
 x509-cert = "0.2"
diff --git a/crate/ratls/src/verify.rs b/crate/ratls/src/verify.rs
@@ -119,13 +119,13 @@ mod tests {
         let mrenclave = mrenclave.as_slice().try_into().unwrap();
         let public_signer_key = include_str!("../data/signer-key.pem");
 
-        assert!(verify_ratls(
+        verify_ratls(
             cert,
             Some(&mut TeePolicy::Sgx(
-                SgxQuoteVerificationPolicy::new(mrenclave, public_signer_key).unwrap()
-            ))
+                SgxQuoteVerificationPolicy::new(mrenclave, public_signer_key).unwrap(),
+            )),
         )
-        .is_ok());
+        .unwrap();
     }
 
     #[test]
@@ -136,23 +136,23 @@ mod tests {
             hex::decode(b"c2c84b9364fc9f0f54b04534768c860c6e0e386ad98b96e8b98eca46ac8971d05c531ba48373f054c880cfd1f4a0a84e")
                 .unwrap().try_into().unwrap();
 
-        assert!(verify_ratls(
+        verify_ratls(
             cert,
             Some(&mut TeePolicy::Sev(SevQuoteVerificationPolicy::new(
-                measurement
-            )))
+                measurement,
+            ))),
         )
-        .is_ok());
+        .unwrap();
     }
 
     #[test]
     fn test_ratls_tdx_verify_ratls() {
         let cert = include_bytes!("../data/tdx-cert.ratls.pem");
 
-        assert!(verify_ratls(
+        verify_ratls(
             cert,
-            Some(&mut TeePolicy::Tdx(TdxQuoteVerificationPolicy::new()))
+            Some(&mut TeePolicy::Tdx(TdxQuoteVerificationPolicy::new())),
         )
-        .is_ok());
+        .unwrap();
     }
 }
diff --git a/crate/sev_quote/Cargo.toml b/crate/sev_quote/Cargo.toml
@@ -18,15 +18,15 @@ log = { workspace = true }
 reqwest = { workspace = true }
 serde = { workspace = true }
 serde-hex = { workspace = true }
-sev = { git = "https://github.com/virtee/sev", rev = "6a176a5f6068d30ac629fe59c13634a55076e7ae", features = [ # TODO: update after releasing
+sev = { git = "https://github.com/virtee/sev", version = "3.1", features = [
     "snp",
     "openssl",
     "sev",
 ] }
 sha2 = { workspace = true }
 thiserror = { workspace = true }
-uuid = { version = "1.3", features = ["serde", "v4"] }
+uuid = { version = "1.8", features = ["serde", "v4"] }
 x509-parser = { workspace = true }
 
 [dev-dependencies]
-env_logger = "0.10"
+env_logger = "0.11"
diff --git a/crate/sev_quote/src/quote.rs b/crate/sev_quote/src/quote.rs
@@ -111,11 +111,11 @@ pub fn verify_quote(quote: &Quote, policy: &SevQuoteVerificationPolicy) -> Resul
     // Check the policy
     verify_quote_policy(&quote.report, policy)?;
 
+    println!("{:?}", quote.certs);
     // Try to build the Chain object by dealing with various cases.
-    let vlek = quote
-        .certs
-        .iter()
-        .find(|item| item.cert_type == CertType::OTHER(AWS_VLEK_TYPE));
+    let vlek = quote.certs.iter().find(|item| {
+        item.cert_type == CertType::OTHER(AWS_VLEK_TYPE) || item.cert_type == CertType::VLEK
+    });
     let ark = quote
         .certs
         .iter()
@@ -132,21 +132,25 @@ pub fn verify_quote(quote: &Quote, policy: &SevQuoteVerificationPolicy) -> Resul
     let chain = match (vlek, ark, ask, vcek) {
         (Some(vlek), _, _, _) => Ok(Chain {
             ca: bytes_to_chain(&fetch_amd_vlek_cert_chain(KDS_CERT_SITE, SEV_PROD_NAME)?)?,
-            vcek: Certificate::from_der(&vlek.data)?,
+            vek: Certificate::from_der(&vlek.data)?,
         }),
         (None, Some(ark), Some(ask), Some(vcek)) => Ok(Chain {
             ca: ca::Chain::from_der(&ark.data, &ask.data)?,
-            vcek: Certificate::from_der(&vcek.data)?,
+            vek: Certificate::from_der(&vcek.data)?,
         }),
         (None, None, None, None) => Ok(Chain {
             ca: bytes_to_chain(&fetch_amd_vcek_cert_chain(KDS_CERT_SITE, SEV_PROD_NAME)?)?,
-            vcek: Certificate::from_der(&fetch_vcek(
+            vek: Certificate::from_der(&fetch_vcek(
                 KDS_CERT_SITE,
                 SEV_PROD_NAME,
                 &quote.report.chip_id,
                 quote.report.reported_tcb,
             )?)?,
         }),
+        (_, _, _, Some(vcek)) => Ok(Chain {
+            ca: bytes_to_chain(&fetch_amd_vcek_cert_chain(KDS_CERT_SITE, SEV_PROD_NAME)?)?,
+            vek: Certificate::from_der(&vcek.data)?,
+        }),
         (_, _, _, _) => Err(Error::Unimplemented(
             "Unhandled combination of ARK/ASK/VCEK/VLEK certificates".to_owned(),
         )),
@@ -162,7 +166,7 @@ pub fn verify_quote(quote: &Quote, policy: &SevQuoteVerificationPolicy) -> Resul
     let crl = fetch_revocation_list(KDS_CERT_SITE, SEV_PROD_NAME)?;
     verify_revocation_list(&chain, &crl)?;
 
-    let vcek_pem = chain.vcek.to_pem()?;
+    let vcek_pem = chain.vek.to_pem()?;
     let (rem, pem) = parse_x509_pem(&vcek_pem)?;
 
     if !rem.is_empty() || &pem.label != "CERTIFICATE" {

diff --git a/crate/sev_quote/src/verify.rs b/crate/sev_quote/src/verify.rs
@@ -47,7 +47,7 @@ pub(crate) fn verify_revocation_list(chain: &Chain, crl: &[u8]) -> Result<(), Er
     }
 
     // Verify VCEK is not revoked
-    let vcek = &chain.vcek.to_der()?;
+    let vcek = &chain.vek.to_der()?;
     let (_, cert) = X509Certificate::from_der(vcek)?;
 
     let is_revoked = crl
@@ -67,7 +67,7 @@ pub(crate) fn verify_revocation_list(chain: &Chain, crl: &[u8]) -> Result<(), Er
 pub(crate) fn verify_chain_certificates(cert_chain: &Chain) -> Result<(), Error> {
     let ark = &cert_chain.ca.ark;
     let ask = &cert_chain.ca.ask;
-    let vcek = &cert_chain.vcek;
+    let vcek = &cert_chain.vek;
 
     if (ark, ark).verify().is_err() {
         return Err(Error::VerificationFailure(

diff --git a/crate/sgx_quote/Cargo.toml b/crate/sgx_quote/Cargo.toml
@@ -17,7 +17,7 @@ log = { workspace = true }
 p256 = { workspace = true }
 rsa = { workspace = true }
 pccs_client = { path = "../pccs_client" }
-scroll = { version = "0.11", features = ["derive"] }
+scroll = { version = "0.12", features = ["derive"] }
 serde = { workspace = true }
 serde_json = { workspace = true }
 serde-hex = { workspace = true }
@@ -27,4 +27,4 @@ thiserror = { workspace = true }
 x509-parser = { workspace = true, features = ["verify"] }
 
 [dev-dependencies]
-env_logger = "0.10"
+env_logger = "0.11"
diff --git a/crate/tdx_quote/Cargo.toml b/crate/tdx_quote/Cargo.toml
@@ -12,15 +12,15 @@ crate-type = ["cdylib", "rlib"]
 [dependencies]
 hex = { workspace = true }
 log = { workspace = true }
-nix = { version = "0.27", features = ["ioctl"] }
+nix = { version = "0.28", features = ["ioctl"] }
 p256 = { workspace = true }
 pccs_client = { path = "../pccs_client" }
-scroll = { version = "0.11", features = ["derive"] }
+scroll = { version = "0.12", features = ["derive"] }
 serde = { workspace = true }
 serde-hex = { workspace = true }
 sgx_quote = { path = "../sgx_quote" }
 sha2 = { workspace = true }
 thiserror = { workspace = true }
 
 [dev-dependencies]
-env_logger = "0.10"
+env_logger = "0.11"
diff --git a/crate/tee_attestation/Cargo.toml b/crate/tee_attestation/Cargo.toml
@@ -11,12 +11,12 @@ crate-type = ["cdylib", "rlib"]
 
 [dependencies]
 azure_sev_quote = { path = "../azure_sev_quote" }
-sha2 = "0.10"
+sha2 = { workspace = true }
 sev_quote = { path = "../sev_quote" }
 serde = { workspace = true }
 sgx_quote = { path = "../sgx_quote" }
 tdx_quote = { path = "../tdx_quote" }
 thiserror = { workspace = true }
 
 [dev-dependencies]
-env_logger = "0.10"
+env_logger = "0.11"
diff --git a/crate/tpm_quote/Cargo.toml b/crate/tpm_quote/Cargo.toml
@@ -12,7 +12,7 @@ thiserror = { workspace = true }
 tss-esapi = "7.4"
 
 [dev-dependencies]
-env_logger = "0.10"
+env_logger = "0.11"
 log = "0.4"
 test-log = { version = "0.2", features = ["trace"] }
 tracing-subscriber = { version = "0.3", default-features = false, features = [