Fix mock pck cert chain verifying

pallets/staking/Cargo.toml

@@ -30,6 +30,7 @@ sp-std            ={ version="14.0.0", default-features=false }
 sp-consensus-babe ={ version="0.33.0", default-features=false }
 x509-verify       ={ version="0.4.6", features=["x509"] }
 spki              ="0.7.3"
+p256              ={ version = "0.13.2", default-features = false, features = ["ecdsa"] }
 
 pallet-parameters={ version="0.2.0", path="../parameters", default-features=false }
 entropy-shared={ version="0.2.0", path="../../crates/shared", features=[

pallets/staking/src/lib.rs

@@ -41,7 +41,7 @@ use serde::{Deserialize, Serialize};
 
 pub use crate::weights::WeightInfo;
 
-mod pck;
+pub mod pck;
 
 #[cfg(test)]
 mod mock;
@@ -121,6 +121,20 @@ pub mod pallet {
         pub endpoint: TssServerURL,
         pub provisioning_certification_key: VerifyingKey,
     }
+
+    #[derive(Encode, Decode, Clone, Eq, PartialEq, RuntimeDebug, TypeInfo)]
+    pub struct JoiningServerInfo<AccountId> {
+        pub tss_account: AccountId,
+        pub x25519_public_key: X25519PublicKey,
+        pub endpoint: TssServerURL,
+        pub pck_certificate_chain: Vec<Vec<u8>>,
+    }
+
+    // impl From<JoiningServerInfo> for ServerInfo {
+    //     fn from(joining_server_info: JoiningServerInfo) -> Self {
+    //     }
+    // }
+
     /// Info that is requiered to do a proactive refresh
     #[derive(Clone, Encode, Decode, Eq, PartialEq, RuntimeDebug, TypeInfo, Default)]
     pub struct RefreshInfo {
@@ -498,21 +512,20 @@ pub mod pallet {
         pub fn validate(
             origin: OriginFor<T>,
             prefs: ValidatorPrefs,
-            tss_account: T::AccountId,
-            x25519_public_key: X25519PublicKey,
-            endpoint: TssServerURL,
-            pck_cert: Vec<u8>,
-            provider_cert: Vec<u8>,
+            joining_server_info: JoiningServerInfo<T::AccountId>,
         ) -> DispatchResult {
             let who = ensure_signed(origin.clone())?;
-            let pck =
-                T::PckCertChainVerifier::verify_pck_cert_chain(pck_cert, provider_cert).unwrap();
+
+            let provisioning_certification_key =
+                T::PckCertChainVerifier::verify_pck_certificate_chain(
+                    joining_server_info.pck_certificate_chain,
+                )
+                .unwrap();
             let server_info = ServerInfo::<T::AccountId> {
-                tss_account,
-                x25519_public_key,
-                endpoint,
-                // TODO convert to a compressed public key
-                provisioning_certification_key: pck[..33].to_vec().try_into().unwrap(),
+                tss_account: joining_server_info.tss_account,
+                x25519_public_key: joining_server_info.x25519_public_key,
+                endpoint: joining_server_info.endpoint,
+                provisioning_certification_key,
             };
             ensure!(
                 server_info.endpoint.len() as u32 <= T::MaxEndpointLength::get(),

pallets/staking/src/mock.rs

@@ -38,6 +38,7 @@ use sp_std::vec;
 
 use crate as pallet_staking_extension;
 use pallet_staking_extension::pck::MockPckCertChainVerifyer;
+
 type Block = frame_system::mocking::MockBlock<Test>;
 type BlockNumber = u64;
 

pallets/staking/src/pck/mock.rs

@@ -1,12 +1,18 @@
 use super::{CompressedVerifyingKey, PckCertChainVerifier, PckParseVerifyError};
+use sp_runtime::BoundedVec;
 
 pub struct MockPckCertChainVerifyer {}
 
 impl PckCertChainVerifier for MockPckCertChainVerifyer {
-    fn verify_pck_cert_chain(
-        pck_cert: Vec<u8>,
-        _provider_cert: Vec<u8>,
+    fn verify_pck_certificate_chain(
+        _pck_certificate_chain: Vec<Vec<u8>>,
     ) -> Result<CompressedVerifyingKey, PckParseVerifyError> {
-        Ok(pck_cert.try_into().unwrap())
+        // TODO we want them to give a tss account id, from which we derive a keypair
+        // let mut pck_seeder = StdRng::from_seed(tss_accound_id);
+        // let pck_secret = p256::SigningKey::random(&mut pck_seeder);
+        // let pck_public = VerifyingKey::from(&pck_secret);
+        // let pck_public = pck_public.to_encoded_point(true).as_bytes().to_vec();
+        // Ok(pck_public.try_into().unwrap())
+        Ok(BoundedVec::with_max_capacity())
     }
 }

pallets/staking/src/pck/mod.rs

@@ -20,9 +20,8 @@ use core::array::TryFromSliceError;
 use sp_std::vec::Vec;
 
 pub trait PckCertChainVerifier {
-    fn verify_pck_cert_chain(
-        pck_cert: Vec<u8>,
-        provider_cert: Vec<u8>,
+    fn verify_pck_certificate_chain(
+        pck_certificate_chain: Vec<Vec<u8>>,
     ) -> Result<CompressedVerifyingKey, PckParseVerifyError>;
 }
 

pallets/staking/src/pck/production.rs

@@ -0,0 +1,81 @@
+// Copyright (C) 2023 Entropy Cryptography Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+use super::{CompressedVerifyingKey, PckCertChainVerifier, PckParseVerifyError};
+
+/// Intel's root public key together with metadata, encoded as der
+const INTEL_ROOT_CA_PK_DER: [u8; 91] = [
+    48, 89, 48, 19, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 8, 42, 134, 72, 206, 61, 3, 1, 7, 3, 66,
+    0, 4, 11, 169, 196, 192, 192, 200, 97, 147, 163, 254, 35, 214, 176, 44, 218, 16, 168, 187, 212,
+    232, 142, 72, 180, 69, 133, 97, 163, 110, 112, 85, 37, 245, 103, 145, 142, 46, 220, 136, 228,
+    13, 134, 11, 208, 204, 78, 226, 106, 172, 201, 136, 229, 5, 169, 83, 85, 140, 69, 63, 107, 9,
+    4, 174, 115, 148,
+];
+
+use sp_std::vec::Vec;
+use spki::{
+    der::{asn1::BitString, Any},
+    SubjectPublicKeyInfo,
+};
+use x509_verify::{
+    der::{Decode, Encode},
+    x509_cert::Certificate,
+    Signature, VerifyInfo, VerifyingKey,
+};
+
+pub struct ProductionPckCertChainVerifyer {}
+
+impl PckCertChainVerifier for ProductionPckCertChainVerifyer {
+    fn verify_pck_certificate_chain(
+        pck_certificate_chain: Vec<Vec<u8>>,
+    ) -> Result<CompressedVerifyingKey, PckParseVerifyError> {
+        // TODO validate chain of arbitrary length
+        let pck = parse_pck_cert_chain(
+            pck_certificate_chain.get(0).unwrap().to_vec(),
+            pck_certificate_chain.get(1).unwrap().to_vec(),
+        )?;
+        // TODO compress public key
+        Ok(pck[..33].to_vec().try_into().unwrap())
+    }
+}
+
+/// Given a cerificate and a public key, verify the certificate
+fn verify_cert(subject: &Certificate, issuer_pk: VerifyingKey) -> Result<(), PckParseVerifyError> {
+    let verify_info = VerifyInfo::new(
+        subject.tbs_certificate.to_der().unwrap().into(),
+        Signature::new(&subject.signature_algorithm, subject.signature.as_bytes().unwrap()),
+    );
+    Ok(issuer_pk.verify(&verify_info)?)
+}
+
+/// Validate PCK and provider certificates and if valid return the PCK
+/// These certificates will be provided by a joining validator
+pub fn parse_pck_cert_chain(
+    pck: Vec<u8>,
+    pck_provider: Vec<u8>,
+) -> Result<[u8; 65], PckParseVerifyError> {
+    let pck = Certificate::from_der(&pck)?;
+    let provider = Certificate::from_der(&pck_provider)?;
+    let root_pk: SubjectPublicKeyInfo<Any, BitString> =
+        SubjectPublicKeyInfo::from_der(&INTEL_ROOT_CA_PK_DER)?;
+    verify_cert(&provider, root_pk.try_into()?)?;
+
+    let provider_verifying_key: VerifyingKey =
+        provider.tbs_certificate.subject_public_key_info.try_into()?;
+    verify_cert(&pck, provider_verifying_key)?;
+
+    let pck_key = pck.tbs_certificate.subject_public_key_info.subject_public_key;
+
+    Ok(pck_key.as_bytes().ok_or(PckParseVerifyError::BadPublicKey)?.try_into()?)
+}