Add hardware ID to decent cert managers

contracts/Constants.sol

@@ -33,20 +33,22 @@ library OIDs {
     // Decent OIDs
     //   Root OIDs
     bytes32 constant OID_DECENT_EXT_VER =
-        0x6982f5c89a94ffdfaaab8591c1b5f7c2f782b01e010000000000000000000000;
-    bytes32 constant OID_DECENT_PLATFORM_ID  =
-        0x6982f5c89a94ffdfaaab8591c1b5f7c2f782b01e020000000000000000000000;
+        0x2B0601040183E445010101000000000000000000000000000000000000000000;
+    bytes32 constant OID_DECENT_PLATFORM_TYPE  =
+        0x2B0601040183E445010102000000000000000000000000000000000000000000;
     bytes32 constant OID_DECENT_HASHED_KEYS  =
-        0x6982f5c89a94ffdfaaab8591c1b5f7c2f782b01e040000000000000000000000;
+        0x2B0601040183E445010104000000000000000000000000000000000000000000;
     bytes32 constant OID_DECENT_APP_HASH  =
-        0x6982f5c89a94ffdfaaab8591c1b5f7c2f782b01e050000000000000000000000;
+        0x2B0601040183E445010105000000000000000000000000000000000000000000;
     bytes32 constant OID_DECENT_AUTH_LIST  =
-        0x6982f5c89a94ffdfaaab8591c1b5f7c2f782b01e060000000000000000000000;
+        0x2B0601040183E445010106000000000000000000000000000000000000000000;
+    bytes32 constant OID_DECENT_PLATFORM_ID  =
+        0x2B0601040183E445010107000000000000000000000000000000000000000000;
     //   Platform specific OIDs
     bytes32 constant OID_DECENT_STD_REP_DATA =
-        0x6982f5c89a94ffdfaaab8591c1b5f7c2f782b01e030101000000000000000000;
+        0x2B0601040183E445010103010100000000000000000000000000000000000000;
     bytes32 constant OID_DECENT_ATTESTATION  =
-        0x6982f5c89a94ffdfaaab8591c1b5f7c2f782b01e030102000000000000000000;
+        0x2B0601040183E445010103010200000000000000000000000000000000000000;
 }
 
 library Names {

contracts/DecentAppCert.sol

@@ -97,7 +97,7 @@ library DecentAppCert {
         X509Extension.ExtEntry[] memory extEntries =
             new X509Extension.ExtEntry[](5);
         extEntries[0].extnID = OIDs.OID_DECENT_EXT_VER;
-        extEntries[1].extnID = OIDs.OID_DECENT_PLATFORM_ID;
+        extEntries[1].extnID = OIDs.OID_DECENT_PLATFORM_TYPE;
         extEntries[2].extnID = OIDs.OID_DECENT_APP_HASH;
         extEntries[3].extnID = OIDs.OID_DECENT_AUTH_LIST;
 

contracts/DecentServerCert.sol

@@ -35,6 +35,7 @@ library DecentServerCert {
         bool isVerified;
         address serverKeyAddr;
         bytes32 enclaveHash;
+        bytes32 platformId; // the fingerprint of the platform
     }
 
     //===== functions =====
@@ -269,12 +270,13 @@ library DecentServerCert {
 
         // extracting extensions
         X509Extension.ExtEntry[] memory extEntries =
-            new X509Extension.ExtEntry[](5);
+            new X509Extension.ExtEntry[](6);
         extEntries[0].extnID = OIDs.OID_DECENT_EXT_VER;
-        extEntries[1].extnID = OIDs.OID_DECENT_PLATFORM_ID;
+        extEntries[1].extnID = OIDs.OID_DECENT_PLATFORM_TYPE;
         extEntries[2].extnID = OIDs.OID_DECENT_HASHED_KEYS;
         extEntries[3].extnID = OIDs.OID_DECENT_STD_REP_DATA;
         extEntries[4].extnID = OIDs.OID_DECENT_ATTESTATION;
+        extEntries[5].extnID = OIDs.OID_DECENT_PLATFORM_ID;
 
         X509Extension.extractNeededExtensions(
             certDer,
@@ -315,6 +317,10 @@ library DecentServerCert {
             require(false, "Unsupported platform");
         }
 
+        // Platform ID
+        require(extEntries[5].isParsed, "Platform ID not found");
+        cert.platformId = extEntries[5].extnValue.readBytes32(0);
+
         // Decent server public key
         extractDecentServerKey(cert, certNodes, certDer, keyRing);
 

contracts/DecentServerCertMgr.sol

@@ -88,4 +88,22 @@ contract DecentServerCertMgr {
             bytes32(0);
     }
 
+    /**
+     * Get the platform ID of a Decent Server
+     * @param svrKeyAddr Address derived from the Decent Server public key
+     * @return bytes32 Platform ID of the Decent Server
+     */
+     function getPlatformId(address svrKeyAddr)
+        external
+        view
+        returns (bytes32)
+    {
+        DecentServerCert.DecentServerCertObj storage cert =
+            m_serverCerts[svrKeyAddr];
+
+        require(cert.isVerified, "Server not verified");
+
+        return cert.platformId;
+    }
+
 }

contracts/Interface_DecentServerCertMgr.sol

@@ -35,4 +35,14 @@ interface Interface_DecentServerCertMgr {
         view
         returns (bytes32);
 
+    /**
+     * Get the platform ID of a Decent Server
+     * @param svrKeyAddr Address derived from the Decent Server public key
+     * @return bytes32 Platform ID of the Decent Server
+     */
+     function getPlatformId(address svrKeyAddr)
+        external
+        view
+        returns (bytes32);
+
 }

libs/ens-contracts/BytesUtils.sol

@@ -216,6 +216,22 @@ library BytesUtils {
         }
     }
 
+    /*
+     * @dev Returns the 64-bit number at the specified index of self.
+     * @param self The byte string.
+     * @param idx The index into the bytes
+     * @return The specified 64 bits of the string, interpreted as an integer.
+     */
+    function readUint64(
+        bytes memory self,
+        uint256 idx
+    ) internal pure returns (uint64 ret) {
+        require(idx + 8 <= self.length);
+        assembly {
+            ret := and(mload(add(add(self, 8), idx)), 0xFFFFFFFFFFFFFFFF)
+        }
+    }
+
     /*
      * @dev Returns the 32 byte value at the specified index of self.
      * @param self The byte string.

tests/DecentCommon/04_X509Extension.sol

@@ -21,7 +21,7 @@ contract X509Extension_proxy {
             new X509Extension.ExtEntry[](3);
 
         extEntries[0].extnID = OIDs.OID_DECENT_EXT_VER;
-        extEntries[1].extnID = OIDs.OID_DECENT_PLATFORM_ID;
+        extEntries[1].extnID = OIDs.OID_DECENT_PLATFORM_TYPE;
         extEntries[2].extnID = OIDs.OID_DECENT_HASHED_KEYS;
 
         uint256 idx;
@@ -33,7 +33,7 @@ contract X509Extension_proxy {
         Assert.equal(idx, 2, "wrong index");
 
         idx = X509Extension.findIdxOfExtEntry(
-            OIDs.OID_DECENT_PLATFORM_ID,
+            OIDs.OID_DECENT_PLATFORM_TYPE,
             extEntries
         );
         Assert.equal(idx, 1, "wrong index");
@@ -62,7 +62,7 @@ contract X509Extension_proxy {
             new X509Extension.ExtEntry[](3);
 
         extEntries[0].extnID = OIDs.OID_DECENT_EXT_VER;
-        extEntries[1].extnID = OIDs.OID_DECENT_PLATFORM_ID;
+        extEntries[1].extnID = OIDs.OID_DECENT_PLATFORM_TYPE;
         extEntries[2].extnID = OIDs.OID_NAME_CN;
 
         bytes memory certDer = TestCerts.DECENT_SVR_CERT_DER;

tests/DecentServer/01_DecentServerCert.sol

@@ -56,6 +56,7 @@ contract DecentServerCertBasics_proxy {
 
     constructor() {
         m_quoteStatusMap[keccak256("OK")] = true;
+        m_quoteStatusMap[keccak256("GROUP_OUT_OF_DATE")] = true;
         m_quoteStatusMap[keccak256("CONFIGURATION_NEEDED")] = true;
         m_quoteStatusMap[keccak256("SW_HARDENING_NEEDED")] = true;
         m_quoteStatusMap[keccak256("CONFIGURATION_AND_SW_HARDENING_NEEDED")] = true;
@@ -157,6 +158,7 @@ contract DecentServerCertCerts_proxy {
 
     constructor() {
         m_quoteStatusMap[keccak256("OK")] = true;
+        m_quoteStatusMap[keccak256("GROUP_OUT_OF_DATE")] = true;
         m_quoteStatusMap[keccak256("CONFIGURATION_NEEDED")] = true;
         m_quoteStatusMap[keccak256("SW_HARDENING_NEEDED")] = true;
         m_quoteStatusMap[keccak256("CONFIGURATION_AND_SW_HARDENING_NEEDED")] = true;
@@ -217,6 +219,11 @@ contract DecentServerCertCerts_proxy {
             TestCerts.DECENT_SVR_CERT_KEY_ADDR,
             "serverKeyAddr mismatch"
         );
+        Assert.equal(
+            cert.platformId,
+            TestCerts.DECENT_SVR_CERT_PLAT_ID,
+            "serverKeyAddr mismatch"
+        );
     }
 
 }

tests/DecentServer/03_DecentServerCertMgr_test.sol

@@ -69,6 +69,14 @@ contract DecentServerCertMgr_testSuit {
             TestCerts.DECENT_SVR_CERT_ENCL_HASH,
             "encHash not match"
         );
+
+        bytes32 platId = decentServerCertMgr.getPlatformId(TestCerts.DECENT_SVR_CERT_KEY_ADDR);
+
+        Assert.equal(
+            platId,
+            TestCerts.DECENT_SVR_CERT_PLAT_ID,
+            "platform ID not match"
+        );
     }
 
     function verifyCertTest() public {
@@ -93,6 +101,14 @@ contract DecentServerCertMgr_testSuit {
             TestCerts.DECENT_SVR_CERT_ENCL_HASH,
             "encHash not match"
         );
+
+        bytes32 platId = decentServerCertMgr.getPlatformId(TestCerts.DECENT_SVR_CERT_KEY_ADDR);
+
+        Assert.equal(
+            platId,
+            TestCerts.DECENT_SVR_CERT_PLAT_ID,
+            "platform ID not match"
+        );
     }
 
     function verifyInvalidCertTest() public {

tests/Ecdsa/01_LibSecp256k1Sha256.sol

@@ -141,24 +141,31 @@ contract LibSecp256k1Sha256_proxy {
             certNodes.loadCertNodes(certDer);
 
             address addr = TestCerts.DECENT_SVR_CERT_KEY_ADDR;
+            uint8   v = TestCerts.DECENT_SVR_CERT_SIGN_V;
             bytes32 r = TestCerts.DECENT_SVR_CERT_SIGN_R;
             bytes32 s = TestCerts.DECENT_SVR_CERT_SIGN_S;
 
             bytes memory tbsBytes = certDer.allBytesAt(certNodes.tbs.root);
             bytes32 tbsHash = sha256(tbsBytes);
 
             Assert.equal(
-                ecrecover(tbsHash, 28, r, s),
+                tbsHash,
+                TestCerts.DECENT_SVR_CERT_HASH,
+                "[server cert]tbsHash!=DECENT_SVR_CERT_HASH"
+            );
+
+            Assert.equal(
+                ecrecover(tbsHash, v, r, s),
                 addr,
-                "ecrecover()!=addr"
+                "[server cert]ecrecover()!=addr"
             );
             Assert.ok(
                 LibSecp256k1Sha256.verifySignMsg(addr, tbsBytes, r, s),
-                "verifySignMsg!=true"
+                "[server cert]verifySignMsg!=true"
             );
             Assert.ok(
                 LibSecp256k1Sha256.verifySignHash(addr, tbsHash, r, s),
-                "verifySignHash!=true"
+                "[server cert]verifySignHash!=true"
             );
         }
 
@@ -170,24 +177,31 @@ contract LibSecp256k1Sha256_proxy {
             certNodes.loadCertNodes(certDer);
 
             address addr = TestCerts.DECENT_SVR_CERT_KEY_ADDR;
+            uint8   v = TestCerts.DECENT_APP_CERT_SIGN_V;
             bytes32 r = TestCerts.DECENT_APP_CERT_SIGN_R;
             bytes32 s = TestCerts.DECENT_APP_CERT_SIGN_S;
 
             bytes memory tbsBytes = certDer.allBytesAt(certNodes.tbs.root);
             bytes32 tbsHash = sha256(tbsBytes);
 
             Assert.equal(
-                ecrecover(tbsHash, 27, r, s),
+                tbsHash,
+                TestCerts.DECENT_APP_CERT_HASH,
+                "[server cert]tbsHash!=DECENT_APP_CERT_HASH"
+            );
+
+            Assert.equal(
+                ecrecover(tbsHash, v, r, s),
                 addr,
-                "ecrecover()!=addr"
+                "[app cert]ecrecover()!=addr"
             );
             Assert.ok(
                 LibSecp256k1Sha256.verifySignMsg(addr, tbsBytes, r, s),
-                "verifySignMsg!=true"
+                "[app cert]verifySignMsg!=true"
             );
             Assert.ok(
                 LibSecp256k1Sha256.verifySignHash(addr, tbsHash, r, s),
-                "verifySignHash!=true"
+                "[app cert]verifySignHash!=true"
             );
         }
 

tests/Ecdsa/01_LibSecp256k1Sha256_test.sol

@@ -138,17 +138,16 @@ contract LibSecp256k1Sha256_testSuite {
 
     function ecrecoverGasEval() public {
         address addr = TestCerts.DECENT_SVR_CERT_KEY_ADDR;
-        uint8 recId = 27;
 
+        uint8   v = TestCerts.DECENT_APP_CERT_SIGN_V;
         bytes32 r = TestCerts.DECENT_APP_CERT_SIGN_R;
         bytes32 s = TestCerts.DECENT_APP_CERT_SIGN_S;
 
-        bytes32 msgHash =
-            0x43c4bb5ebe59f2bfa5d1d90cb04f49c2d814f2be48a00055c014fefccf9de381;
+        bytes32 msgHash =  TestCerts.DECENT_APP_CERT_HASH;
 
         address actAddr;
         uint256 gasUsed = gasleft();
-        actAddr = ecrecover(msgHash, recId, r, s);
+        actAddr = ecrecover(msgHash, v, r, s);
         gasUsed = gasUsed - gasleft();
 
         Assert.equal(actAddr, addr, "ecrecover returns a diff addr");