Crate attestation_verifier


§attestation_verifier

Minimal Rust crate for verifying Intel TDX quotes with DCAP.

It is focused on the one thing you want to publish as a reusable crate:

  • verify raw quote bytes
  • verify raw quote hex
  • verify the common wrapped payload shape {"tdx":{"quote":"..."}}
  • verify the hex-encoded form of that wrapped payload, which matches the quote_hex field in this repo’s example.json
  • extract report_data from a raw quote

The crate fetches Intel collateral from a PCCS using dcap-qvl. By default it reads PCCS_URL from the environment and falls back to PHALA_PCCS_URL.

§Install

[dependencies]
attestation_verifier = "0.1"

§Examples

Verify a raw quote hex string:

use attestation_verifier::verify_quote_hex;

async fn demo() -> attestation_verifier::Result<()> {
    verify_quote_hex("0x...").await?;
    Ok(())
}

Verify a wrapped TDX JSON payload:

use attestation_verifier::verify_tdx_quote_json;

async fn demo() -> attestation_verifier::Result<()> {
    let payload = r#"{"tdx":{"quote":"BASE64_QUOTE_HERE"}}"#;
    verify_tdx_quote_json(payload).await?;
    Ok(())
}

Verify the wrapped hex payload used by example.json:

use attestation_verifier::verify_tdx_quote_json_hex;

async fn demo() -> attestation_verifier::Result<()> {
    verify_tdx_quote_json_hex("7b226...").await?;
    Ok(())
}

Extract report_data as hex:

use attestation_verifier::{extract_report_data_hex, decode_tdx_quote_json_hex};

fn demo() -> attestation_verifier::Result<String> {
    let quote = decode_tdx_quote_json_hex("7b226...")?;
    extract_report_data_hex(&quote)
}
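
The following std-only Rust is an added example, not code from this crate. It reads the 64-byte report_data from its fixed position in a version 4 TDX quote (48-byte header, 584-byte TD report body, tee_type 0x81, per Intel's quote format) and compares it with a value the relying party expects. The names QuoteError, report_data, binds_to and sample_quote are hypothetical, the use of report_data as a challenge binding is an assumption, and the sample quote is constructed.

```rust
// Added illustration: offsets follow Intel's TDX quote v4 layout, not this crate's source.
// Assumption: the relying party placed a known 64-byte value in report_data.
const HEADER_LEN: usize = 48; // quote header
const TD_REPORT_LEN: usize = 584; // TD report body (v4)
const REPORT_DATA_LEN: usize = 64; // last field of the TD report body
const TDX_TEE_TYPE: u32 = 0x81; // tee_type value for TDX in the quote header

#[derive(Debug, PartialEq)]
enum QuoteError { TooShort, NotTdx(u32), UnsupportedVersion(u16) }

/// Returns the 64-byte report_data of a raw v4 TDX quote.
fn report_data(quote: &[u8]) -> Result<[u8; REPORT_DATA_LEN], QuoteError> {
    if quote.len() < HEADER_LEN + TD_REPORT_LEN {
        return Err(QuoteError::TooShort);
    }
    let version = u16::from_le_bytes([quote[0], quote[1]]);
    let tee_type = u32::from_le_bytes([quote[4], quote[5], quote[6], quote[7]]);
    if tee_type != TDX_TEE_TYPE { return Err(QuoteError::NotTdx(tee_type)); }
    if version != 4 { return Err(QuoteError::UnsupportedVersion(version)); }
    let start = HEADER_LEN + TD_REPORT_LEN - REPORT_DATA_LEN; // byte 568
    let mut out = [0u8; REPORT_DATA_LEN];
    out.copy_from_slice(&quote[start..start + REPORT_DATA_LEN]);
    Ok(out)
}

/// True only if report_data equals the value the relying party expects
/// (for example a fresh challenge); every byte is compared, with no early exit.
fn binds_to(quote: &[u8], expected: &[u8; REPORT_DATA_LEN]) -> Result<bool, QuoteError> {
    let got = report_data(quote)?;
    let diff = got.iter().zip(expected).fold(0u8, |acc, (a, b)| acc | (a ^ b));
    Ok(diff == 0)
}

/// Constructed sample: a zeroed v4 TDX quote carrying `rd` as report_data.
fn sample_quote(rd: &[u8; REPORT_DATA_LEN]) -> Vec<u8> {
    let mut q = vec![0u8; HEADER_LEN + TD_REPORT_LEN + 4];
    q[0..2].copy_from_slice(&4u16.to_le_bytes()); // version
    q[4..8].copy_from_slice(&TDX_TEE_TYPE.to_le_bytes()); // tee_type
    q[568..632].copy_from_slice(rd); // report_data
    q
}

fn main() {
    let challenge = [0xABu8; REPORT_DATA_LEN];
    let quote = sample_quote(&challenge);
    println!("bound to challenge: {:?}", binds_to(&quote, &challenge));
    println!("bound to other value: {:?}", binds_to(&quote, &[0u8; REPORT_DATA_LEN]));
}
```

The extracted bytes are only meaningful for a quote that has already passed verification, because this parsing checks no signature.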

§Local Example

This repo includes example.json. The relevant field is:

tdx_attestation.quote_hex

That field is not raw quote hex. It is hex-encoded JSON containing a base64 quote, so the matching API is:

use attestation_verifier::verify_tdx_quote_json_hex;

If you want the report_data from that same field, use:

use attestation_verifier::{decode_tdx_quote_json_hex, extract_report_data_hex};

§Notes

  • Verification requires network access to a PCCS endpoint.
  • The default test suite stays offline. The live verification test is marked ignored.
  • If you want a different PCCS, set PCCS_URL or construct a verifier with Verifier::new("https://your-pccs").

Structs§

Verifier
Minimal verifier for Intel TDX quotes.

Enums§

AttestationError

Constants§

PHALA_PCCS_URL
Default PCCS URL (Phala Network’s PCCS server). This is the recommended default for most users as it provides better availability and lower rate limits compared to Intel’s PCS.
REPORT_DATA_LEN
TDX_TEE_TYPE

Functions§

decode_quote_base64
Decodes a raw quote from base64.
decode_quote_hex
Decodes a raw quote from hex.
decode_tdx_quote_json
Decodes a TDX JSON payload shaped like {"tdx":{"quote":"..."}}.
decode_tdx_quote_json_hex
Decodes a hex-encoded TDX JSON payload shaped like {"tdx":{"quote":"..."}}.
extract_report_data
Extracts the 64-byte TDX report data from a raw quote.
extract_report_data_hex
Extracts the TDX report data from a raw quote and returns it as lowercase hex.
verify_quote
Verifies a raw TDX quote with the default verifier.
verify_quote_base64
Verifies a raw TDX quote base64 string with the default verifier.
verify_quote_hex
Verifies a raw TDX quote hex string with the default verifier.
verify_tdx_quote_json
Verifies a TDX JSON payload shaped like {"tdx":{"quote":"..."}} with the default verifier.
verify_tdx_quote_json_hex
Verifies a hex-encoded TDX JSON payload shaped like {"tdx":{"quote":"..."}} with the default verifier.

Type Aliases§

Result