Verify Qe3

fortanix · Jan 22, 2025 · 2c245bf · 2c245bf
1 parent 70c7577
commit 2c245bf
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 5 deletions.
diff --git a/intel-sgx/pcs/src/iso8601.rs b/intel-sgx/pcs/src/iso8601.rs
@@ -4,6 +4,14 @@ use serde::de;
 
 const ISO8601_FORMAT: &'static str = "%Y-%m-%dT%H:%M:%SZ";
 
+pub fn serialize<S>(timestamp: &DateTime<Utc>, serializer: S) -> ::std::result::Result<S::Ok, S::Error>
+    where
+        S: ::serde::Serializer,
+{
+    let timestamp = timestamp.format(ISO8601_FORMAT).to_string();
+    serializer.serialize_str(&timestamp)
+}
+
 pub fn deserialize<'de, D: Deserializer<'de>>(deserializer: D) -> Result<DateTime<Utc>, D::Error> {
     let timestamp = String::deserialize(deserializer)?;
     let timestamp = NaiveDateTime::parse_from_str(&timestamp, &ISO8601_FORMAT).map_err(de::Error::custom)?;

diff --git a/intel-sgx/pcs/src/lib.rs b/intel-sgx/pcs/src/lib.rs
@@ -90,6 +90,9 @@ quick_error! {
         InvalidQe3Id(err: MbedError){
             display("Invalid QE3 ID: {}", err)
         }
+        Qe3NotValid(err: String){
+            display("Invalid QE3: {}", err)
+        }
         InvalidFormatQe3Identity{
             display("Invalid QE3 Identity format")
         }

diff --git a/intel-sgx/pcs/src/qe_identity.rs b/intel-sgx/pcs/src/qe_identity.rs
@@ -9,6 +9,7 @@ use std::convert::TryInto;
 use std::marker::PhantomData;
 use std::path::PathBuf;
 
+use chrono::{DateTime, Utc};
 use serde::{de, Deserialize, Deserializer, Serialize};
 use serde_json::value::RawValue;
 use sgx_isa::{Attributes, Miscselect};
@@ -47,8 +48,10 @@ impl TcbLevel {
 pub struct QeIdentity<V: VerificationType = Verified> {
     version: u16,
     id: String,
-    issue_date: String,
-    next_update: String,
+    #[serde(with = "crate::iso8601")]
+    issue_date: DateTime<Utc>,
+    #[serde(with = "crate::iso8601")]
+    next_update: DateTime<Utc>,
     tcb_evaluation_data_number: u64,
     #[serde(deserialize_with = "miscselect_deserializer", serialize_with = "miscselect_serializer")]
     miscselect: Miscselect,
@@ -79,8 +82,10 @@ impl<'de> Deserialize<'de> for QeIdentity<Unverified> {
         struct Dummy {
             version: u16,
             id: String,
-            issue_date: String,
-            next_update: String,
+            #[serde(with = "crate::iso8601")]
+            issue_date: DateTime<Utc>,
+            #[serde(with = "crate::iso8601")]
+            next_update: DateTime<Utc>,
             tcb_evaluation_data_number: u64,
             #[serde(deserialize_with = "miscselect_deserializer", serialize_with = "miscselect_serializer")]
             miscselect: Miscselect,
@@ -339,9 +344,20 @@ impl QeIdentitySigned {
             tcb_levels,
             type_: PhantomData,
         } = serde_json::from_str(&self.raw_enclave_identity).map_err(|e| Error::ParseError(e))?;
+
         if version != 2 {
             return Err(Error::UnknownQeIdentityVersion(version));
         }
+
+        let now = Utc::now();
+        if now < issue_date {
+            return Err(Error::Qe3NotValid(format!("QE3 only valid from {}", issue_date)))
+        }
+
+        if next_update < now {
+            return Err(Error::Qe3NotValid(format!("QE3 expired on {}", next_update)))
+        }
+
         Ok(QeIdentity::<Verified> {
             version,
             id,
@@ -363,6 +379,7 @@ impl QeIdentitySigned {
 #[cfg(feature = "verify")]
 #[cfg(test)]
 mod tests {
+    use crate::Error;
     #[cfg(not(target_env = "sgx"))]
     use crate::qe_identity::QeIdentitySigned;
 
@@ -373,7 +390,10 @@ mod tests {
 
         let root_cert = include_bytes!("../tests/data/root_SGX_CA_der.cert");
         let root_certs = [&root_cert[..]];
-        assert!(qe_id.verify(&root_certs).is_ok());
+        match qe_id.verify(&root_certs) {
+            Err(Error::Qe3NotValid(msg)) => assert_eq!(msg, "QE3 expired on 2020-06-17 17:49:21 UTC"),
+            e => assert!(false, "wrong result: {:?}", e),
+        }
     }
 
     #[test]