Add CRL decode and verification

Author: nick-mobilecoin

verifier/data/tests/README.md

@@ -2,7 +2,15 @@
 
 * `root_ca.pem` - Root CA of a certificate chain. This is a copy of an Intel
   root CA which was in an actual hardware quote.
-* `intermediate_ca.pem` - Intermediate CA in a certificate chain. This is a copy
-  of an Intel intermediate CA which was in an actual hardware quote.
+* `processor_ca.pem` - Processor CA in a certificate chain. This is a copy
+  of an Intel intermediate CA which was in an actual hardware quote. There are
+  two types of certificate chains "processor" and "platform". "Platform" isn't
+  currently used by Intel.
 * `leaf_cert.pem` - Leaf of a certificate chain. This is a copy of an Intel
   leaf certificate which was in an actual hardware quote.
+* `root_crl.pem` - CRL for the root CA of a certificate chain. This was
+  retrieved via the CRL Distribution Points URI in the root CA,
+  <https://certificates.trustedservices.intel.com/IntelSGXRootCA.der>
+* `processor_crl.pem` - CRL for the processor CA in a certificate chain. This
+  was retrieved from
+  <https://api.trustedservices.intel.com/sgx/certification/v4/pckcrl?ca=processor>.

verifier/data/tests/intermediate_ca.pem verifier/data/tests/processor_ca.pem

@@ -0,0 +1,9 @@
+-----BEGIN X509 CRL-----
+MIIBKzCB0QIBATAKBggqhkjOPQQDAjBxMSMwIQYDVQQDDBpJbnRlbCBTR1ggUENL
+IFByb2Nlc3NvciBDQTEaMBgGA1UECgwRSW50ZWwgQ29ycG9yYXRpb24xFDASBgNV
+BAcMC1NhbnRhIENsYXJhMQswCQYDVQQIDAJDQTELMAkGA1UEBhMCVVMXDTIzMDQy
+MTIyMDAzNloXDTIzMDUyMTIyMDAzNlqgLzAtMAoGA1UdFAQDAgEBMB8GA1UdIwQY
+MBaAFNDoqtp11/kuSReYPHsUZdDV8llNMAoGCCqGSM49BAMCA0kAMEYCIQCS4Aod
+Y76yImk36lD/U+zHgYWsTNOxgMGAlpoDdDGQDQIhANQMOFTfpB58Pnb6LXs4M5hj
+lHpqqWyfsASPMeV8stnc
+-----END X509 CRL-----

verifier/data/tests/processor_crl.pem

@@ -0,0 +1,9 @@
+-----BEGIN X509 CRL-----
+MIIBITCByAIBATAKBggqhkjOPQQDAjBoMRowGAYDVQQDDBFJbnRlbCBTR1ggUm9v
+dCBDQTEaMBgGA1UECgwRSW50ZWwgQ29ycG9yYXRpb24xFDASBgNVBAcMC1NhbnRh
+IENsYXJhMQswCQYDVQQIDAJDQTELMAkGA1UEBhMCVVMXDTIzMDQwMzEwMjI1MVoX
+DTI0MDQwMjEwMjI1MVqgLzAtMAoGA1UdFAQDAgEBMB8GA1UdIwQYMBaAFCJlDNZa
+nTSJ84O0lVK/UBs5JwasMAoGCCqGSM49BAMCA0gAMEUCIFFXfUfZ+6FXtl8etfRl
+e7xeVsyvc1oD8blj1wSAWrEYAiEAk5AV7BY25+r6X0JsHkAmR8ZzEytoUMq9aM72
+utdoKgM=
+-----END X509 CRL-----

verifier/data/tests/root_crl.pem

@@ -3,6 +3,7 @@
 // TODO: Remove dead_code exception once this is connected up to the rest of the codebase
 #![allow(dead_code)]
 mod certs;
+mod crl;
 mod error;
 
 pub use error::Error;

verifier/src/x509.rs

@@ -9,10 +9,6 @@ use p256::ecdsa::{Signature, VerifyingKey};
 use x509_cert::der::{Decode, Encode};
 use x509_cert::Certificate as X509Certificate;
 
-/// Offset from the start of a certificate to the "to be signed" (TBS) portion
-/// of the certificate.
-const TBS_OFFSET: usize = 4;
-
 /// A certificate whose signature has not been verified.
 #[derive(Debug, PartialEq, Eq)]
 pub struct UnverifiedCertificate<'a> {
@@ -24,7 +20,7 @@ pub struct UnverifiedCertificate<'a> {
     // operations and it's more ergonomic to fail fast than fail later for a
     // bad key or signature
     signature: Signature,
-    key: VerifyingKey,
+    pub(crate) key: VerifyingKey,
 }
 
 /// A certificate whose signature has been verified.
@@ -65,9 +61,14 @@ impl<'a> UnverifiedCertificate<'a> {
     }
 
     fn verify_signature(&self, key: &VerifyingKey) -> Result<()> {
-        let tbs_length = self.certificate.tbs_certificate.encoded_len()?;
-        let tbs_size = u32::from(tbs_length) as usize;
-        let tbs_contents = &self.der_bytes[TBS_OFFSET..tbs_size + TBS_OFFSET];
+        let tbs_size = u32::from(self.certificate.tbs_certificate.encoded_len()?) as usize;
+        let signature_size = u32::from(self.certificate.signature.encoded_len()?) as usize;
+        let algorithm_size =
+            u32::from(self.certificate.signature_algorithm.encoded_len()?) as usize;
+        let overall_size = u32::from(self.certificate.encoded_len()?) as usize;
+
+        let tbs_offset = overall_size - (tbs_size + signature_size + algorithm_size);
+        let tbs_contents = &self.der_bytes[tbs_offset..tbs_size + tbs_offset];
         key.verify(tbs_contents, &self.signature)
             .map_err(|_| Error::SignatureVerification)?;
         Ok(())
@@ -129,12 +130,12 @@ mod test {
     use yare::parameterized;
 
     const LEAF_CERT: &str = include_str!("../../data/tests/leaf_cert.pem");
-    const INTERMEDIATE_CA: &str = include_str!("../../data/tests/intermediate_ca.pem");
+    const PROCESSOR_CA: &str = include_str!("../../data/tests/processor_ca.pem");
     const ROOT_CA: &str = include_str!("../../data/tests/root_ca.pem");
 
     #[parameterized(
         root = { ROOT_CA },
-        intermediate = { INTERMEDIATE_CA },
+        processor = { PROCESSOR_CA },
         leaf = { LEAF_CERT },
     )]
     fn try_from_der(pem: &str) {
@@ -150,7 +151,7 @@ mod test {
             pem_rfc7468::decode_vec(pem.as_bytes()).expect("Failed to decode DER from PEM");
         assert!(matches!(
             UnverifiedCertificate::try_from(&der_bytes.as_slice()[1..]),
-            Err(Error::CertificateDecoding(_))
+            Err(Error::DerDecoding(_))
         ));
     }
 
@@ -227,8 +228,7 @@ mod test {
         let root_cert = UnverifiedCertificate::try_from(der_bytes.as_slice())
             .expect("Failed to decode certificate from DER");
 
-        let intermediate = INTERMEDIATE_CA;
-        let (_, der_bytes) = pem_rfc7468::decode_vec(intermediate.as_bytes())
+        let (_, der_bytes) = pem_rfc7468::decode_vec(PROCESSOR_CA.as_bytes())
             .expect("Failed to decode DER from PEM");
         let cert = UnverifiedCertificate::try_from(der_bytes.as_slice())
             .expect("Failed to decode certificate from DER");
@@ -245,7 +245,7 @@ mod test {
 
     #[test]
     fn verify_leaf_certificate() {
-        let intermediate = INTERMEDIATE_CA;
+        let intermediate = PROCESSOR_CA;
         let (_, der_bytes) = pem_rfc7468::decode_vec(intermediate.as_bytes())
             .expect("Failed to decode DER from PEM");
         let intermediate_cert = UnverifiedCertificate::try_from(der_bytes.as_slice())
@@ -269,7 +269,7 @@ mod test {
 
     #[test]
     fn verify_certificate_fails_with_wrong_key() {
-        let intermediate = INTERMEDIATE_CA;
+        let intermediate = PROCESSOR_CA;
         let (_, der_bytes) = pem_rfc7468::decode_vec(intermediate.as_bytes())
             .expect("Failed to decode DER from PEM");
         let intermediate_cert = UnverifiedCertificate::try_from(der_bytes.as_slice())