Coverage for tests/admin/test_verify_sgx_attestation.py: 100%
284 statements
« prev ^ index » next coverage.py v7.5.3, created at 2025-10-30 06:22 +0000
1# The MIT License (MIT)
2#
3# Copyright (c) 2021 RSK Labs Ltd
4#
5# Permission is hereby granted, free of charge, to any person obtaining a copy of
6# this software and associated documentation files (the "Software"), to deal in
7# the Software without restriction, including without limitation the rights to
8# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
9# of the Software, and to permit persons to whom the Software is furnished to do
10# so, subject to the following conditions:
11#
12# The above copyright notice and this permission notice shall be included in all
13# copies or substantial portions of the Software.
14#
15# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21# SOFTWARE.
23from types import SimpleNamespace
24from unittest import TestCase
25from unittest.mock import Mock, patch, call
26from parameterized import parameterized
27from admin.misc import AdminError
28from admin.pubkeys import PATHS
29from admin.verify_sgx_attestation import do_verify_attestation, DEFAULT_ROOT_AUTHORITY
30import ecdsa
31import secp256k1 as ec
32import hashlib
33import logging
35logging.disable(logging.CRITICAL)
38@patch("sys.stdout.write")
39@patch("admin.verify_sgx_attestation.head")
40@patch("admin.verify_sgx_attestation.validate_qeid_info")
41@patch("admin.verify_sgx_attestation.get_qeid_info")
42@patch("admin.verify_sgx_attestation.validate_tcb_info")
43@patch("admin.verify_sgx_attestation.get_tcb_info")
44@patch("admin.verify_sgx_attestation.HSMCertificate")
45@patch("admin.verify_sgx_attestation.load_pubkeys")
46@patch("admin.verify_sgx_attestation.get_sgx_root_of_trust")
47class TestVerifySgxAttestation(TestCase):
48 def setUp(self):
49 self.certification_path = 'certification-path'
50 self.pubkeys_path = 'pubkeys-path'
51 self.options = SimpleNamespace(**{
52 'attestation_certificate_file_path': self.certification_path,
53 'pubkeys_file_path': self.pubkeys_path,
54 'root_authority': None
55 })
57 paths = []
58 for path in PATHS.values():
59 paths.append(str(path))
61 self.public_keys = {}
62 self.expected_pubkeys_output = []
63 pubkeys_hash = hashlib.sha256()
64 path_name_padding = max(map(len, paths))
65 for path in sorted(paths):
66 pubkey = ecdsa.SigningKey.generate(curve=ecdsa.SECP256k1).get_verifying_key()
67 self.public_keys[path] = ec.PublicKey(
68 pubkey.to_string('compressed'), raw=True)
69 pubkeys_hash.update(pubkey.to_string('uncompressed'))
70 self.expected_pubkeys_output.append(
71 f"{(path + ':').ljust(path_name_padding+1)} "
72 f"{pubkey.to_string('compressed').hex()}"
73 )
74 self.expected_pubkeys_hash = pubkeys_hash.digest().hex()
76 self.powhsm_msg = \
77 b"POWHSM:5.6::" + \
78 b'plf' + \
79 bytes.fromhex('aa'*32) + \
80 bytes.fromhex(self.expected_pubkeys_hash) + \
81 bytes.fromhex('bb'*32) + \
82 bytes.fromhex('cc'*8) + \
83 bytes.fromhex('00'*7 + 'cd')
85 self.mock_sgx_quote = SimpleNamespace(**{
86 "report_body": SimpleNamespace(**{
87 "mrenclave": bytes.fromhex("aabbccdd"),
88 "mrsigner": bytes.fromhex("1122334455"),
89 })
90 })
92 self.mock_pck_collateral = {
93 "fmspc": "aabbccddeeff",
94 "other": "very",
95 "important": "stuff",
96 }
98 self.mock_qe_collateral = "qe-collateral"
100 self.validate_result = {"quote": {
101 "valid": True,
102 "value": {
103 "sgx_quote": self.mock_sgx_quote,
104 "message": self.powhsm_msg.hex(),
105 },
106 "tweak": None,
107 "collateral": {
108 "quoting_enclave": self.mock_pck_collateral,
109 "attestation": self.mock_qe_collateral,
110 },
111 }}
113 def configure_mocks(self, get_sgx_root_of_trust, load_pubkeys,
114 HSMCertificate, get_tcb_info, validate_tcb_info,
115 get_qeid_info, validate_qeid_info, head):
116 self.root_of_trust = Mock()
117 self.root_of_trust.is_valid.return_value = True
118 self.root_of_trust.certificate = "rot-certificate"
119 get_sgx_root_of_trust.return_value = self.root_of_trust
120 load_pubkeys.return_value = self.public_keys
121 self.mock_certificate = Mock()
122 self.mock_certificate.validate_and_get_values.return_value = self.validate_result
123 HSMCertificate.from_jsonfile.return_value = self.mock_certificate
124 self.get_tcb_info = get_tcb_info
125 get_tcb_info.return_value = {
126 "tcb_info": {
127 "tcbInfo": "the tcb info",
128 },
129 "warnings": ["w1", "w2"],
130 }
131 self.validate_tcb_info = validate_tcb_info
132 validate_tcb_info.return_value = {
133 "valid": True,
134 "status": "the status",
135 "date": "a date",
136 "advisories": ["adv-1", "adv-2"],
137 "edn": 123,
138 "svns": ["one: 34", "two: 17", "three: 87"],
139 }
140 self.get_qeid_info = get_qeid_info
141 get_qeid_info.return_value = {
142 "qeid_info": {
143 "enclaveIdentity": "the enclave identity"
144 },
145 "warnings": ["w3", "w4"],
146 }
147 self.validate_qeid_info = validate_qeid_info
148 validate_qeid_info.return_value = {
149 "valid": True,
150 "status": "another status",
151 "date": "another date",
152 "advisories": ["adv-3", "adv-4"],
153 "edn": 456,
154 "isvsvn": 789
155 }
157 @parameterized.expand([
158 ("default_root", None),
159 ("custom_root", "a-custom-root")
160 ])
161 def test_verify_attestation(self, get_sgx_root_of_trust, load_pubkeys,
162 HSMCertificate, get_tcb_info, validate_tcb_info,
163 get_qeid_info, validate_qeid_info,
164 head, _, __, custom_root):
165 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
166 get_tcb_info, validate_tcb_info,
167 get_qeid_info, validate_qeid_info, head)
168 if custom_root:
169 self.options.root_authority = custom_root
171 with \
172 patch("admin.verify_sgx_attestation.HSMCertificateV2ElementX509") as \
173 HSMCertificateV2ElementX509, \
174 patch("admin.verify_sgx_attestation.X509CertificateValidator") as \
175 X509CertificateValidator, \
176 patch("admin.verify_sgx_attestation.get_sgx_extensions") as \
177 get_sgx_extensions, \
178 patch("admin.verify_sgx_attestation.get_intel_pcs_x509_crl") as \
179 get_intel_pcs_x509_crl:
181 X509CertificateValidator.return_value = "the-cert-validator"
183 do_verify_attestation(self.options)
185 X509CertificateValidator.assert_called_with(get_intel_pcs_x509_crl)
186 HSMCertificateV2ElementX509.set_collateral_getter.assert_called_with(
187 get_sgx_extensions)
188 HSMCertificateV2ElementX509.set_certificate_validator.assert_called_with(
189 "the-cert-validator")
191 if custom_root:
192 get_sgx_root_of_trust.assert_called_with(custom_root)
193 else:
194 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
195 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
196 load_pubkeys.assert_called_with(self.pubkeys_path)
197 HSMCertificate.from_jsonfile.assert_called_with(self.certification_path)
198 self.mock_certificate.validate_and_get_values \
199 .assert_called_with(self.root_of_trust)
200 self.get_tcb_info.assert_called_with(
201 "https://api.trustedservices.intel.com/sgx/certification/v4/tcb",
202 "aabbccddeeff",
203 "rot-certificate"
204 )
205 self.validate_tcb_info.assert_called_with(
206 self.mock_pck_collateral, "the tcb info")
207 self.get_qeid_info.assert_called_with(
208 "https://api.trustedservices.intel.com/sgx/certification/v4/qe/identity",
209 "rot-certificate"
210 )
211 self.validate_qeid_info.assert_called_with(
212 self.mock_qe_collateral, "the enclave identity")
214 self.assertEqual(head.call_args_list[1], call([
215 "powHSM verified with public keys:"
216 ] + self.expected_pubkeys_output + [
217 f"Hash: {self.expected_pubkeys_hash}",
218 "",
219 "Installed powHSM MRENCLAVE: aabbccdd",
220 "Installed powHSM MRSIGNER: 1122334455",
221 "Installed powHSM version: 5.6",
222 "Platform: plf",
223 f"UD value: {'aa'*32}",
224 f"Best block: {'bb'*32}",
225 f"Last transaction signed: {'cc'*8}",
226 "Timestamp: 205",
227 ], fill="-"))
228 self.assertEqual(head.call_args_list[2], call([
229 "TCB Information:",
230 "Status: the status",
231 "Issued: a date",
232 "Advisories: adv-1, adv-2",
233 "TCB evaluation data number: 123",
234 "SVNs:",
235 " - one: 34",
236 " - two: 17",
237 " - three: 87",
238 ], fill="-"))
240 def test_verify_attestation_err_get_root(self, get_sgx_root_of_trust, load_pubkeys,
241 HSMCertificate, get_tcb_info,
242 validate_tcb_info,
243 get_qeid_info, validate_qeid_info, head, _):
244 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
245 get_tcb_info, validate_tcb_info,
246 get_qeid_info, validate_qeid_info, head)
247 get_sgx_root_of_trust.side_effect = ValueError("root of trust error")
249 with self.assertRaises(AdminError) as e:
250 do_verify_attestation(self.options)
251 self.assertIn("root of trust error", str(e.exception))
253 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
254 self.root_of_trust.is_valid.assert_not_called()
255 load_pubkeys.assert_not_called()
256 HSMCertificate.from_jsonfile.assert_not_called()
257 self.mock_certificate.validate_and_get_values.assert_not_called()
258 self.get_tcb_info.assert_not_called()
259 self.validate_tcb_info.assert_not_called()
260 self.get_qeid_info.assert_not_called()
261 self.validate_qeid_info.assert_not_called()
263 def test_verify_attestation_err_root_invalid(self, get_sgx_root_of_trust,
264 load_pubkeys, HSMCertificate,
265 get_tcb_info, validate_tcb_info,
266 get_qeid_info, validate_qeid_info,
267 head, _):
268 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
269 get_tcb_info, validate_tcb_info,
270 get_qeid_info, validate_qeid_info, head)
271 self.root_of_trust.is_valid.return_value = False
273 with self.assertRaises(AdminError) as e:
274 do_verify_attestation(self.options)
275 self.assertIn("self-signed root of trust", str(e.exception))
277 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
278 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
279 load_pubkeys.assert_not_called()
280 HSMCertificate.from_jsonfile.assert_not_called()
281 self.mock_certificate.validate_and_get_values.assert_not_called()
282 self.get_tcb_info.assert_not_called()
283 self.validate_tcb_info.assert_not_called()
284 self.get_qeid_info.assert_not_called()
285 self.validate_qeid_info.assert_not_called()
287 def test_verify_attestation_err_load_pubkeys(self, get_sgx_root_of_trust,
288 load_pubkeys, HSMCertificate,
289 get_tcb_info, validate_tcb_info,
290 get_qeid_info, validate_qeid_info,
291 head, _):
292 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
293 get_tcb_info, validate_tcb_info,
294 get_qeid_info, validate_qeid_info, head)
295 load_pubkeys.side_effect = ValueError("pubkeys error")
297 with self.assertRaises(AdminError) as e:
298 do_verify_attestation(self.options)
299 self.assertIn("pubkeys error", str(e.exception))
301 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
302 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
303 load_pubkeys.assert_called_with(self.pubkeys_path)
304 HSMCertificate.from_jsonfile.assert_not_called()
305 self.mock_certificate.validate_and_get_values.assert_not_called()
306 self.get_tcb_info.assert_not_called()
307 self.validate_tcb_info.assert_not_called()
308 self.get_qeid_info.assert_not_called()
309 self.validate_qeid_info.assert_not_called()
311 def test_verify_attestation_err_load_cert(self, get_sgx_root_of_trust, load_pubkeys,
312 HSMCertificate, get_tcb_info,
313 validate_tcb_info,
314 get_qeid_info, validate_qeid_info, head, _):
315 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
316 get_tcb_info, validate_tcb_info,
317 get_qeid_info, validate_qeid_info, head)
318 HSMCertificate.from_jsonfile.side_effect = ValueError("load cert error")
320 with self.assertRaises(AdminError) as e:
321 do_verify_attestation(self.options)
322 self.assertIn("load cert error", str(e.exception))
324 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
325 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
326 load_pubkeys.assert_called_with(self.pubkeys_path)
327 HSMCertificate.from_jsonfile.assert_called_with(self.certification_path)
328 self.mock_certificate.validate_and_get_values.assert_not_called()
329 self.get_tcb_info.assert_not_called()
330 self.validate_tcb_info.assert_not_called()
331 self.get_qeid_info.assert_not_called()
332 self.validate_qeid_info.assert_not_called()
334 def test_verify_attestation_validation_noquote(self, get_sgx_root_of_trust,
335 load_pubkeys, HSMCertificate,
336 get_tcb_info, validate_tcb_info,
337 get_qeid_info, validate_qeid_info,
338 head, _):
339 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
340 get_tcb_info, validate_tcb_info,
341 get_qeid_info, validate_qeid_info, head)
342 self.mock_certificate.validate_and_get_values.return_value = {"something": "else"}
344 with self.assertRaises(AdminError) as e:
345 do_verify_attestation(self.options)
346 self.assertIn("does not contain", str(e.exception))
348 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
349 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
350 load_pubkeys.assert_called_with(self.pubkeys_path)
351 HSMCertificate.from_jsonfile.assert_called_with(self.certification_path)
352 self.mock_certificate.validate_and_get_values \
353 .assert_called_with(self.root_of_trust)
354 self.get_tcb_info.assert_not_called()
355 self.validate_tcb_info.assert_not_called()
356 self.get_qeid_info.assert_not_called()
357 self.validate_qeid_info.assert_not_called()
359 def test_verify_attestation_validation_failed(self, get_sgx_root_of_trust,
360 load_pubkeys, HSMCertificate,
361 get_tcb_info, validate_tcb_info,
362 get_qeid_info, validate_qeid_info,
363 head, _):
364 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
365 get_tcb_info, validate_tcb_info,
366 get_qeid_info, validate_qeid_info, head)
367 self.mock_certificate.validate_and_get_values.return_value = {
368 "quote": {
369 "valid": False,
370 "failed_element": "the failed element",
371 }
372 }
374 with self.assertRaises(AdminError) as e:
375 do_verify_attestation(self.options)
376 self.assertIn("the failed element", str(e.exception))
378 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
379 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
380 load_pubkeys.assert_called_with(self.pubkeys_path)
381 HSMCertificate.from_jsonfile.assert_called_with(self.certification_path)
382 self.mock_certificate.validate_and_get_values \
383 .assert_called_with(self.root_of_trust)
384 self.get_tcb_info.assert_not_called()
385 self.validate_tcb_info.assert_not_called()
386 self.get_qeid_info.assert_not_called()
387 self.validate_qeid_info.assert_not_called()
389 def test_verify_attestation_get_tcb_err(self, get_sgx_root_of_trust, load_pubkeys,
390 HSMCertificate, get_tcb_info,
391 validate_tcb_info,
392 get_qeid_info, validate_qeid_info, head, _):
393 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
394 get_tcb_info, validate_tcb_info,
395 get_qeid_info, validate_qeid_info, head)
396 self.get_tcb_info.side_effect = RuntimeError("oops tcb info")
398 with self.assertRaises(AdminError) as e:
399 do_verify_attestation(self.options)
400 self.assertIn("While trying to verify TCB", str(e.exception))
401 self.assertIn("oops tcb info", str(e.exception))
403 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
404 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
405 load_pubkeys.assert_called_with(self.pubkeys_path)
406 HSMCertificate.from_jsonfile.assert_called_with(self.certification_path)
407 self.mock_certificate.validate_and_get_values \
408 .assert_called_with(self.root_of_trust)
409 self.get_tcb_info.assert_called_with(
410 "https://api.trustedservices.intel.com/sgx/certification/v4/tcb",
411 "aabbccddeeff",
412 "rot-certificate"
413 )
414 self.validate_tcb_info.assert_not_called()
415 self.get_qeid_info.assert_not_called()
416 self.validate_qeid_info.assert_not_called()
418 def test_verify_attestation_verify_tcb_err(self, get_sgx_root_of_trust, load_pubkeys,
419 HSMCertificate, get_tcb_info,
420 validate_tcb_info,
421 get_qeid_info, validate_qeid_info,
422 head, _):
423 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
424 get_tcb_info, validate_tcb_info,
425 get_qeid_info, validate_qeid_info, head)
426 self.validate_tcb_info.return_value = {
427 "valid": False,
428 "reason": "This is the verification error",
429 }
431 with self.assertRaises(AdminError) as e:
432 do_verify_attestation(self.options)
433 self.assertIn("While trying to verify TCB", str(e.exception))
434 self.assertIn("the verification error", str(e.exception))
436 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
437 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
438 load_pubkeys.assert_called_with(self.pubkeys_path)
439 HSMCertificate.from_jsonfile.assert_called_with(self.certification_path)
440 self.mock_certificate.validate_and_get_values \
441 .assert_called_with(self.root_of_trust)
442 self.get_tcb_info.assert_called_with(
443 "https://api.trustedservices.intel.com/sgx/certification/v4/tcb",
444 "aabbccddeeff",
445 "rot-certificate"
446 )
447 self.validate_tcb_info.assert_called_with(
448 self.mock_pck_collateral, "the tcb info")
449 self.get_qeid_info.assert_not_called()
450 self.validate_qeid_info.assert_not_called()
452 def test_verify_attestation_get_qeid_err(self, get_sgx_root_of_trust, load_pubkeys,
453 HSMCertificate, get_tcb_info,
454 validate_tcb_info,
455 get_qeid_info, validate_qeid_info, head, _):
456 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
457 get_tcb_info, validate_tcb_info,
458 get_qeid_info, validate_qeid_info, head)
459 self.get_qeid_info.side_effect = RuntimeError("oops qeid info")
461 with self.assertRaises(AdminError) as e:
462 do_verify_attestation(self.options)
463 self.assertIn("While trying to verify QE ID", str(e.exception))
464 self.assertIn("oops qeid info", str(e.exception))
466 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
467 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
468 load_pubkeys.assert_called_with(self.pubkeys_path)
469 HSMCertificate.from_jsonfile.assert_called_with(self.certification_path)
470 self.mock_certificate.validate_and_get_values \
471 .assert_called_with(self.root_of_trust)
472 self.get_tcb_info.assert_called_with(
473 "https://api.trustedservices.intel.com/sgx/certification/v4/tcb",
474 "aabbccddeeff",
475 "rot-certificate"
476 )
477 self.validate_tcb_info.assert_called_with(
478 self.mock_pck_collateral, "the tcb info")
479 self.get_qeid_info.assert_called_with(
480 "https://api.trustedservices.intel.com/sgx/certification/v4/qe/identity",
481 "rot-certificate"
482 )
483 self.validate_qeid_info.assert_not_called()
485 def test_verify_attestation_verify_qeid_err(self, get_sgx_root_of_trust, load_pubkeys,
486 HSMCertificate, get_tcb_info,
487 validate_tcb_info,
488 get_qeid_info, validate_qeid_info,
489 head, _):
490 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
491 get_tcb_info, validate_tcb_info,
492 get_qeid_info, validate_qeid_info, head)
493 self.validate_qeid_info.return_value = {
494 "valid": False,
495 "reason": "This is the verification error",
496 }
498 with self.assertRaises(AdminError) as e:
499 do_verify_attestation(self.options)
500 self.assertIn("While trying to verify QE ID", str(e.exception))
501 self.assertIn("the verification error", str(e.exception))
503 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
504 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
505 load_pubkeys.assert_called_with(self.pubkeys_path)
506 HSMCertificate.from_jsonfile.assert_called_with(self.certification_path)
507 self.mock_certificate.validate_and_get_values \
508 .assert_called_with(self.root_of_trust)
509 self.get_tcb_info.assert_called_with(
510 "https://api.trustedservices.intel.com/sgx/certification/v4/tcb",
511 "aabbccddeeff",
512 "rot-certificate"
513 )
514 self.validate_tcb_info.assert_called_with(
515 self.mock_pck_collateral, "the tcb info")
516 self.get_qeid_info.assert_called_with(
517 "https://api.trustedservices.intel.com/sgx/certification/v4/qe/identity",
518 "rot-certificate"
519 )
520 self.validate_qeid_info.assert_called_with(
521 self.mock_qe_collateral, "the enclave identity")
523 def test_verify_attestation_invalid_header(self, get_sgx_root_of_trust, load_pubkeys,
524 HSMCertificate, get_tcb_info,
525 validate_tcb_info,
526 get_qeid_info, validate_qeid_info,
527 head, _):
528 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
529 get_tcb_info, validate_tcb_info,
530 get_qeid_info, validate_qeid_info, head)
531 self.validate_result["quote"]["value"]["message"] = "aabbccdd"
533 with self.assertRaises(AdminError) as e:
534 do_verify_attestation(self.options)
535 self.assertIn("message header", str(e.exception))
537 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
538 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
539 load_pubkeys.assert_called_with(self.pubkeys_path)
540 HSMCertificate.from_jsonfile.assert_called_with(self.certification_path)
541 self.mock_certificate.validate_and_get_values \
542 .assert_called_with(self.root_of_trust)
543 self.get_tcb_info.assert_called_with(
544 "https://api.trustedservices.intel.com/sgx/certification/v4/tcb",
545 "aabbccddeeff",
546 "rot-certificate"
547 )
548 self.validate_tcb_info.assert_called_with(
549 self.mock_pck_collateral, "the tcb info")
550 self.get_qeid_info.assert_called_with(
551 "https://api.trustedservices.intel.com/sgx/certification/v4/qe/identity",
552 "rot-certificate"
553 )
554 self.validate_qeid_info.assert_called_with(
555 self.mock_qe_collateral, "the enclave identity")
557 def test_verify_attestation_invalid_message(self, get_sgx_root_of_trust, load_pubkeys,
558 HSMCertificate, get_tcb_info,
559 validate_tcb_info,
560 get_qeid_info, validate_qeid_info,
561 head, _):
562 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
563 get_tcb_info, validate_tcb_info,
564 get_qeid_info, validate_qeid_info, head)
565 self.validate_result["quote"]["value"]["message"] = b"POWHSM:5.6::plf".hex()
567 with self.assertRaises(AdminError) as e:
568 do_verify_attestation(self.options)
569 self.assertIn("parsing", str(e.exception))
571 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
572 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
573 load_pubkeys.assert_called_with(self.pubkeys_path)
574 HSMCertificate.from_jsonfile.assert_called_with(self.certification_path)
575 self.mock_certificate.validate_and_get_values \
576 .assert_called_with(self.root_of_trust)
577 self.get_tcb_info.assert_called_with(
578 "https://api.trustedservices.intel.com/sgx/certification/v4/tcb",
579 "aabbccddeeff",
580 "rot-certificate"
581 )
582 self.validate_tcb_info.assert_called_with(
583 self.mock_pck_collateral, "the tcb info")
584 self.get_qeid_info.assert_called_with(
585 "https://api.trustedservices.intel.com/sgx/certification/v4/qe/identity",
586 "rot-certificate"
587 )
588 self.validate_qeid_info.assert_called_with(
589 self.mock_qe_collateral, "the enclave identity")
591 def test_verify_attestation_pkh_mismatch(self, get_sgx_root_of_trust, load_pubkeys,
592 HSMCertificate, get_tcb_info,
593 validate_tcb_info,
594 get_qeid_info, validate_qeid_info, head, _):
595 self.configure_mocks(get_sgx_root_of_trust, load_pubkeys, HSMCertificate,
596 get_tcb_info, validate_tcb_info,
597 get_qeid_info, validate_qeid_info, head)
598 self.public_keys.popitem()
600 with self.assertRaises(AdminError) as e:
601 do_verify_attestation(self.options)
602 self.assertIn("hash mismatch", str(e.exception))
604 get_sgx_root_of_trust.assert_called_with(DEFAULT_ROOT_AUTHORITY)
605 self.root_of_trust.is_valid.assert_called_with(self.root_of_trust)
606 load_pubkeys.assert_called_with(self.pubkeys_path)
607 HSMCertificate.from_jsonfile.assert_called_with(self.certification_path)
608 self.mock_certificate.validate_and_get_values \
609 .assert_called_with(self.root_of_trust)
610 self.get_tcb_info.assert_called_with(
611 "https://api.trustedservices.intel.com/sgx/certification/v4/tcb",
612 "aabbccddeeff",
613 "rot-certificate"
614 )
615 self.validate_tcb_info.assert_called_with(
616 self.mock_pck_collateral, "the tcb info")
617 self.get_qeid_info.assert_called_with(
618 "https://api.trustedservices.intel.com/sgx/certification/v4/qe/identity",
619 "rot-certificate"
620 )
621 self.validate_qeid_info.assert_called_with(
622 self.mock_qe_collateral, "the enclave identity")