1use serde::{Serialize, Deserialize};
2use x509_parser::{certificate::X509Certificate, revocation_list::CertificateRevocationList};
3
4use crate::utils::cert::{get_crl_uri, is_cert_revoked, parse_x509_der_multi, pem_to_der};
5
6use super::collaterals::IntelCollateral;
7
8#[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
9#[serde(rename_all = "camelCase")]
10pub struct SgxExtensionTcbLevel {
11 pub sgxtcbcomp01svn: u8,
12 pub sgxtcbcomp02svn: u8,
13 pub sgxtcbcomp03svn: u8,
14 pub sgxtcbcomp04svn: u8,
15 pub sgxtcbcomp05svn: u8,
16 pub sgxtcbcomp06svn: u8,
17 pub sgxtcbcomp07svn: u8,
18 pub sgxtcbcomp08svn: u8,
19 pub sgxtcbcomp09svn: u8,
20 pub sgxtcbcomp10svn: u8,
21 pub sgxtcbcomp11svn: u8,
22 pub sgxtcbcomp12svn: u8,
23 pub sgxtcbcomp13svn: u8,
24 pub sgxtcbcomp14svn: u8,
25 pub sgxtcbcomp15svn: u8,
26 pub sgxtcbcomp16svn: u8,
27 pub pcesvn: u16,
28 pub cpusvn: [u8; 16]
29}
30
31
32#[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
33pub struct SgxExtensions {
34 pub ppid: [u8; 16],
35 pub tcb: SgxExtensionTcbLevel,
36 pub pceid: [u8; 2],
37 pub fmspc: [u8; 6],
38 pub sgx_type: u32,
39 pub platform_instance_id: Option<[u8; 16]>,
40 pub configuration: Option<PckPlatformConfiguration>,
41}
42
43#[derive(Default, Debug, Clone, PartialEq, Serialize, Deserialize)]
44pub struct PckPlatformConfiguration {
45 pub dynamic_platform: Option<bool>,
46 pub cached_keys: Option<bool>,
47 pub smt_enabled: Option<bool>,
48}
49
50#[derive(Debug)]
51pub struct IntelSgxCrls<'a> {
52 pub sgx_root_ca_crl: Option<CertificateRevocationList<'a>>,
53 pub sgx_pck_processor_crl: Option<CertificateRevocationList<'a>>,
54 pub sgx_pck_platform_crl: Option<CertificateRevocationList<'a>>,
55}
56
57impl<'a> IntelSgxCrls<'a> {
58 pub fn new(sgx_root_ca_crl: Option<CertificateRevocationList<'a>>, sgx_pck_processor_crl: Option<CertificateRevocationList<'a>>, sgx_pck_platform_crl: Option<CertificateRevocationList<'a>>) -> Self {
59 Self {
60 sgx_root_ca_crl,
61 sgx_pck_processor_crl,
62 sgx_pck_platform_crl,
63 }
64 }
65
66 pub fn from_collaterals(collaterals: &'a IntelCollateral) -> Self {
67 let sgx_root_ca_crl = collaterals.get_sgx_intel_root_ca_crl();
68 let sgx_pck_processor_crl = collaterals.get_sgx_pck_processor_crl();
69 let sgx_pck_platform_crl = collaterals.get_sgx_pck_platform_crl();
70
71 Self::new(sgx_root_ca_crl, sgx_pck_processor_crl, sgx_pck_platform_crl)
72 }
73
74 pub fn is_cert_revoked(&self, cert: &X509Certificate) -> bool {
75 let crl = match get_crl_uri(cert) {
76 Some(crl_uri) => {
77 if crl_uri.contains("https://api.trustedservices.intel.com/sgx/certification/v3/pckcrl?ca=platform")
78 || crl_uri.contains("https://api.trustedservices.intel.com/sgx/certification/v4/pckcrl?ca=platform") {
79 self.sgx_pck_platform_crl.as_ref()
80 } else if crl_uri.contains("https://api.trustedservices.intel.com/sgx/certification/v3/pckcrl?ca=processor")
81 || crl_uri.contains("https://api.trustedservices.intel.com/sgx/certification/v4/pckcrl?ca=processor") {
82 self.sgx_pck_processor_crl.as_ref()
83 } else if crl_uri.contains("https://certificates.trustedservices.intel.com/IntelSGXRootCA.der") {
84 self.sgx_root_ca_crl.as_ref()
85 } else {
86 panic!("Unknown CRL URI: {}", crl_uri);
87 }
88 },
89 None => {
90 panic!("No CRL URI found in certificate");
91 }
92 }.unwrap();
93
94 is_cert_revoked(cert, crl)
96 }
97}
98
99#[derive(Debug, Clone)]
100pub struct Certificates {
101 pub certs_der: Vec<u8>,
102}
103
104impl Certificates {
105 pub fn from_der(certs_der: &[u8]) -> Self {
106 Self {
107 certs_der: certs_der.to_vec(),
108 }
109 }
110
111 pub fn from_pem(pem_bytes: &[u8]) -> Self {
112 let certs_der = pem_to_der(pem_bytes);
113 Self::from_der(&certs_der)
114 }
115
116 pub fn get_certs(&self) -> Vec<X509Certificate> {
117 let certs = parse_x509_der_multi(&self.certs_der);
118 certs
119 }
120}