2022-06-15 01:15:33 +00:00
|
|
|
// Copyright 2020-2022 Signal Messenger, LLC
|
|
|
|
// SPDX-License-Identifier: AGPL-3.0-only
|
|
|
|
/* eslint-disable no-bitwise */
|
|
|
|
|
|
|
|
import pProps from 'p-props';
|
|
|
|
import { compact } from 'lodash';
|
|
|
|
import Long from 'long';
|
|
|
|
import { createVerify } from 'crypto';
|
|
|
|
import { pki } from 'node-forge';
|
|
|
|
|
|
|
|
import {
|
|
|
|
constantTimeEqual,
|
|
|
|
decryptAesGcm,
|
|
|
|
deriveSecrets,
|
|
|
|
encryptCdsDiscoveryRequest,
|
|
|
|
splitUuids,
|
|
|
|
} from '../../Crypto';
|
|
|
|
import { calculateAgreement, generateKeyPair } from '../../Curve';
|
|
|
|
import * as Bytes from '../../Bytes';
|
|
|
|
import { strictAssert } from '../../util/assert';
|
|
|
|
import { UUID } from '../../types/UUID';
|
|
|
|
import type { CDSBaseOptionsType } from './CDSBase';
|
|
|
|
import { CDSBase } from './CDSBase';
|
|
|
|
import type {
|
|
|
|
CDSRequestOptionsType,
|
|
|
|
CDSResponseType,
|
|
|
|
CDSAuthType,
|
|
|
|
CDSResponseEntryType,
|
|
|
|
} from './Types.d';
|
|
|
|
|
|
|
|
export type LegacyCDSPutAttestationResponseType = Readonly<{
|
|
|
|
attestations: Record<
|
|
|
|
string,
|
|
|
|
{
|
|
|
|
ciphertext: string;
|
|
|
|
iv: string;
|
|
|
|
quote: string;
|
|
|
|
serverEphemeralPublic: string;
|
|
|
|
serverStaticPublic: string;
|
|
|
|
signature: string;
|
|
|
|
signatureBody: string;
|
|
|
|
tag: string;
|
|
|
|
certificates: string;
|
|
|
|
}
|
|
|
|
>;
|
|
|
|
}>;
|
|
|
|
|
|
|
|
export type LegacyCDSPutAttestationResultType = Readonly<{
|
|
|
|
cookie?: string;
|
|
|
|
responseBody: LegacyCDSPutAttestationResponseType;
|
|
|
|
}>;
|
|
|
|
|
|
|
|
export type LegacyCDSDiscoveryResponseType = Readonly<{
|
|
|
|
requestId: Uint8Array;
|
|
|
|
iv: Uint8Array;
|
|
|
|
data: Uint8Array;
|
|
|
|
mac: Uint8Array;
|
|
|
|
}>;
|
|
|
|
|
|
|
|
export type LegacyCDSOptionsType = Readonly<{
|
|
|
|
directoryEnclaveId: string;
|
|
|
|
directoryTrustAnchor: string;
|
|
|
|
|
|
|
|
putAttestation: (
|
|
|
|
auth: CDSAuthType,
|
|
|
|
publicKey: Uint8Array
|
|
|
|
) => Promise<LegacyCDSPutAttestationResultType>;
|
|
|
|
fetchDiscoveryData: (
|
|
|
|
auth: CDSAuthType,
|
|
|
|
data: Record<string, unknown>,
|
|
|
|
cookie?: string
|
|
|
|
) => Promise<LegacyCDSDiscoveryResponseType>;
|
|
|
|
}> &
|
|
|
|
CDSBaseOptionsType;
|
|
|
|
|
|
|
|
type AttestationMapType = Readonly<{
|
|
|
|
cookie?: string;
|
|
|
|
attestations: Record<
|
|
|
|
string,
|
|
|
|
Readonly<{
|
|
|
|
clientKey: Uint8Array;
|
|
|
|
serverKey: Uint8Array;
|
|
|
|
requestId: Uint8Array;
|
|
|
|
}>
|
|
|
|
>;
|
|
|
|
}>;
|
|
|
|
|
|
|
|
type SgxConstantsType = {
|
|
|
|
SGX_FLAGS_INITTED: Long;
|
|
|
|
SGX_FLAGS_DEBUG: Long;
|
|
|
|
SGX_FLAGS_MODE64BIT: Long;
|
|
|
|
SGX_FLAGS_PROVISION_KEY: Long;
|
|
|
|
SGX_FLAGS_EINITTOKEN_KEY: Long;
|
|
|
|
SGX_FLAGS_RESERVED: Long;
|
|
|
|
SGX_XFRM_LEGACY: Long;
|
|
|
|
SGX_XFRM_AVX: Long;
|
|
|
|
SGX_XFRM_RESERVED: Long;
|
|
|
|
};
|
|
|
|
|
|
|
|
let sgxConstantCache: SgxConstantsType | null = null;
|
|
|
|
|
|
|
|
function makeLong(value: string): Long {
|
|
|
|
return Long.fromString(value);
|
|
|
|
}
|
|
|
|
function getSgxConstants() {
|
|
|
|
if (sgxConstantCache) {
|
|
|
|
return sgxConstantCache;
|
|
|
|
}
|
|
|
|
|
|
|
|
sgxConstantCache = {
|
|
|
|
SGX_FLAGS_INITTED: makeLong('x0000000000000001L'),
|
|
|
|
SGX_FLAGS_DEBUG: makeLong('x0000000000000002L'),
|
|
|
|
SGX_FLAGS_MODE64BIT: makeLong('x0000000000000004L'),
|
|
|
|
SGX_FLAGS_PROVISION_KEY: makeLong('x0000000000000004L'),
|
|
|
|
SGX_FLAGS_EINITTOKEN_KEY: makeLong('x0000000000000004L'),
|
|
|
|
SGX_FLAGS_RESERVED: makeLong('xFFFFFFFFFFFFFFC8L'),
|
|
|
|
SGX_XFRM_LEGACY: makeLong('x0000000000000003L'),
|
|
|
|
SGX_XFRM_AVX: makeLong('x0000000000000006L'),
|
|
|
|
SGX_XFRM_RESERVED: makeLong('xFFFFFFFFFFFFFFF8L'),
|
|
|
|
};
|
|
|
|
|
|
|
|
return sgxConstantCache;
|
|
|
|
}
|
|
|
|
|
|
|
|
export class LegacyCDS extends CDSBase<LegacyCDSOptionsType> {
|
|
|
|
public override async request({
|
|
|
|
e164s,
|
|
|
|
acis,
|
|
|
|
accessKeys,
|
|
|
|
}: CDSRequestOptionsType): Promise<CDSResponseType> {
|
|
|
|
strictAssert(!acis && !accessKeys, 'LegacyCDS does not support PNP');
|
|
|
|
|
|
|
|
const directoryAuth = await this.getAuth();
|
|
|
|
const attestationResult = await this.putAttestation(directoryAuth);
|
|
|
|
|
|
|
|
// Encrypt data for discovery
|
|
|
|
const data = await encryptCdsDiscoveryRequest(
|
|
|
|
attestationResult.attestations,
|
|
|
|
e164s
|
|
|
|
);
|
|
|
|
const { cookie } = attestationResult;
|
|
|
|
|
|
|
|
// Send discovery request
|
|
|
|
const discoveryResponse = await this.options.fetchDiscoveryData(
|
|
|
|
directoryAuth,
|
|
|
|
data,
|
|
|
|
cookie
|
|
|
|
);
|
|
|
|
|
|
|
|
const returnedAttestation = Object.values(
|
|
|
|
attestationResult.attestations
|
|
|
|
).find(at => constantTimeEqual(at.requestId, discoveryResponse.requestId));
|
|
|
|
if (!returnedAttestation) {
|
|
|
|
throw new Error('No known attestations returned from CDS');
|
|
|
|
}
|
|
|
|
|
|
|
|
// Decrypt discovery response
|
|
|
|
const decryptedDiscoveryData = decryptAesGcm(
|
|
|
|
returnedAttestation.serverKey,
|
|
|
|
discoveryResponse.iv,
|
|
|
|
Bytes.concatenate([discoveryResponse.data, discoveryResponse.mac])
|
|
|
|
);
|
|
|
|
|
|
|
|
// Process and return result
|
|
|
|
const uuids = splitUuids(decryptedDiscoveryData);
|
|
|
|
|
|
|
|
if (uuids.length !== e164s.length) {
|
|
|
|
throw new Error(
|
|
|
|
'Returned set of UUIDs did not match returned set of e164s!'
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
const result = new Map<string, CDSResponseEntryType>();
|
|
|
|
|
|
|
|
for (const [i, e164] of e164s.entries()) {
|
|
|
|
const uuid = uuids[i];
|
|
|
|
result.set(e164, {
|
|
|
|
aci: undefined,
|
|
|
|
pni: uuid ? UUID.cast(uuid) : undefined,
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
|
|
|
//
|
|
|
|
// Private
|
|
|
|
//
|
|
|
|
|
|
|
|
private async putAttestation(auth: CDSAuthType): Promise<AttestationMapType> {
|
|
|
|
const { privKey, pubKey } = generateKeyPair();
|
|
|
|
// Remove first "key type" byte from public key
|
|
|
|
const slicedPubKey = pubKey.slice(1);
|
|
|
|
// Do request
|
|
|
|
const { cookie, responseBody } = await this.options.putAttestation(
|
|
|
|
auth,
|
|
|
|
slicedPubKey
|
|
|
|
);
|
|
|
|
|
|
|
|
const attestationsLength = Object.keys(responseBody.attestations).length;
|
|
|
|
if (attestationsLength > 3) {
|
|
|
|
throw new Error(
|
|
|
|
'Got more than three attestations from the Contact Discovery Service'
|
|
|
|
);
|
|
|
|
}
|
|
|
|
if (attestationsLength < 1) {
|
|
|
|
throw new Error('Got no attestations from the Contact Discovery Service');
|
|
|
|
}
|
|
|
|
|
|
|
|
// Decode response
|
|
|
|
return {
|
|
|
|
cookie,
|
|
|
|
attestations: await pProps(
|
|
|
|
responseBody.attestations,
|
|
|
|
async attestation => {
|
|
|
|
const decoded = {
|
|
|
|
...attestation,
|
|
|
|
ciphertext: Bytes.fromBase64(attestation.ciphertext),
|
|
|
|
iv: Bytes.fromBase64(attestation.iv),
|
|
|
|
quote: Bytes.fromBase64(attestation.quote),
|
|
|
|
serverEphemeralPublic: Bytes.fromBase64(
|
|
|
|
attestation.serverEphemeralPublic
|
|
|
|
),
|
|
|
|
serverStaticPublic: Bytes.fromBase64(
|
|
|
|
attestation.serverStaticPublic
|
|
|
|
),
|
|
|
|
signature: Bytes.fromBase64(attestation.signature),
|
|
|
|
tag: Bytes.fromBase64(attestation.tag),
|
|
|
|
};
|
|
|
|
|
|
|
|
// Validate response
|
|
|
|
this.validateAttestationQuote(decoded);
|
|
|
|
validateAttestationSignatureBody(
|
|
|
|
JSON.parse(decoded.signatureBody),
|
|
|
|
attestation.quote
|
|
|
|
);
|
|
|
|
await this.validateAttestationSignature(
|
|
|
|
decoded.signature,
|
|
|
|
decoded.signatureBody,
|
|
|
|
decoded.certificates
|
|
|
|
);
|
|
|
|
|
|
|
|
// Derive key
|
|
|
|
const ephemeralToEphemeral = calculateAgreement(
|
|
|
|
decoded.serverEphemeralPublic,
|
|
|
|
privKey
|
|
|
|
);
|
|
|
|
const ephemeralToStatic = calculateAgreement(
|
|
|
|
decoded.serverStaticPublic,
|
|
|
|
privKey
|
|
|
|
);
|
|
|
|
const masterSecret = Bytes.concatenate([
|
|
|
|
ephemeralToEphemeral,
|
|
|
|
ephemeralToStatic,
|
|
|
|
]);
|
|
|
|
const publicKeys = Bytes.concatenate([
|
|
|
|
slicedPubKey,
|
|
|
|
decoded.serverEphemeralPublic,
|
|
|
|
decoded.serverStaticPublic,
|
|
|
|
]);
|
|
|
|
const [clientKey, serverKey] = deriveSecrets(
|
|
|
|
masterSecret,
|
|
|
|
publicKeys,
|
|
|
|
new Uint8Array(0)
|
|
|
|
);
|
|
|
|
|
|
|
|
// Decrypt ciphertext into requestId
|
|
|
|
const requestId = decryptAesGcm(
|
|
|
|
serverKey,
|
|
|
|
decoded.iv,
|
|
|
|
Bytes.concatenate([decoded.ciphertext, decoded.tag])
|
|
|
|
);
|
|
|
|
|
|
|
|
return {
|
|
|
|
clientKey,
|
|
|
|
serverKey,
|
|
|
|
requestId,
|
|
|
|
};
|
|
|
|
}
|
|
|
|
),
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
|
|
|
private async validateAttestationSignature(
|
|
|
|
signature: Uint8Array,
|
|
|
|
signatureBody: string,
|
|
|
|
certificates: string
|
|
|
|
) {
|
|
|
|
const CERT_PREFIX = '-----BEGIN CERTIFICATE-----';
|
|
|
|
const pem = compact(
|
|
|
|
certificates.split(CERT_PREFIX).map(match => {
|
|
|
|
if (!match) {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
|
|
|
return `${CERT_PREFIX}${match}`;
|
|
|
|
})
|
|
|
|
);
|
|
|
|
if (pem.length < 2) {
|
|
|
|
throw new Error(
|
|
|
|
`validateAttestationSignature: Expect two or more entries; got ${pem.length}`
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
const verify = createVerify('RSA-SHA256');
|
|
|
|
verify.update(Buffer.from(Bytes.fromString(signatureBody)));
|
|
|
|
const isValid = verify.verify(pem[0], Buffer.from(signature));
|
|
|
|
if (!isValid) {
|
|
|
|
throw new Error('Validation of signature across signatureBody failed!');
|
|
|
|
}
|
|
|
|
|
|
|
|
const caStore = pki.createCaStore([this.options.directoryTrustAnchor]);
|
|
|
|
const chain = compact(pem.map(cert => pki.certificateFromPem(cert)));
|
|
|
|
const isChainValid = pki.verifyCertificateChain(caStore, chain);
|
|
|
|
if (!isChainValid) {
|
|
|
|
throw new Error('Validation of certificate chain failed!');
|
|
|
|
}
|
|
|
|
|
|
|
|
const leafCert = chain[0];
|
|
|
|
const fieldCN = leafCert.subject.getField('CN');
|
|
|
|
if (!fieldCN || fieldCN.value !== 'Intel SGX Attestation Report Signing') {
|
|
|
|
throw new Error('Leaf cert CN field had unexpected value');
|
|
|
|
}
|
|
|
|
const fieldO = leafCert.subject.getField('O');
|
|
|
|
if (!fieldO || fieldO.value !== 'Intel Corporation') {
|
|
|
|
throw new Error('Leaf cert O field had unexpected value');
|
|
|
|
}
|
|
|
|
const fieldL = leafCert.subject.getField('L');
|
|
|
|
if (!fieldL || fieldL.value !== 'Santa Clara') {
|
|
|
|
throw new Error('Leaf cert L field had unexpected value');
|
|
|
|
}
|
|
|
|
const fieldST = leafCert.subject.getField('ST');
|
|
|
|
if (!fieldST || fieldST.value !== 'CA') {
|
|
|
|
throw new Error('Leaf cert ST field had unexpected value');
|
|
|
|
}
|
|
|
|
const fieldC = leafCert.subject.getField('C');
|
|
|
|
if (!fieldC || fieldC.value !== 'US') {
|
|
|
|
throw new Error('Leaf cert C field had unexpected value');
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private validateAttestationQuote({
|
|
|
|
serverStaticPublic,
|
|
|
|
quote: quoteBytes,
|
|
|
|
}: {
|
|
|
|
serverStaticPublic: Uint8Array;
|
|
|
|
quote: Uint8Array;
|
|
|
|
}): void {
|
|
|
|
const SGX_CONSTANTS = getSgxConstants();
|
|
|
|
const quote = Buffer.from(quoteBytes);
|
|
|
|
|
|
|
|
const quoteVersion = quote.readInt16LE(0) & 0xffff;
|
|
|
|
if (quoteVersion < 0 || quoteVersion > 2) {
|
|
|
|
throw new Error(`Unknown version ${quoteVersion}`);
|
|
|
|
}
|
|
|
|
|
|
|
|
const miscSelect = quote.slice(64, 64 + 4);
|
|
|
|
if (!miscSelect.every(byte => byte === 0)) {
|
|
|
|
throw new Error('Quote miscSelect invalid!');
|
|
|
|
}
|
|
|
|
|
|
|
|
const reserved1 = quote.slice(68, 68 + 28);
|
|
|
|
if (!reserved1.every(byte => byte === 0)) {
|
|
|
|
throw new Error('Quote reserved1 invalid!');
|
|
|
|
}
|
|
|
|
|
|
|
|
const flags = Long.fromBytesLE(
|
|
|
|
Array.from(quote.slice(96, 96 + 8).values())
|
|
|
|
);
|
|
|
|
if (
|
|
|
|
flags.and(SGX_CONSTANTS.SGX_FLAGS_RESERVED).notEquals(0) ||
|
|
|
|
flags.and(SGX_CONSTANTS.SGX_FLAGS_INITTED).equals(0) ||
|
|
|
|
flags.and(SGX_CONSTANTS.SGX_FLAGS_MODE64BIT).equals(0)
|
|
|
|
) {
|
|
|
|
throw new Error(`Quote flags invalid ${flags.toString()}`);
|
|
|
|
}
|
|
|
|
|
|
|
|
const xfrm = Long.fromBytesLE(
|
|
|
|
Array.from(quote.slice(104, 104 + 8).values())
|
|
|
|
);
|
|
|
|
if (xfrm.and(SGX_CONSTANTS.SGX_XFRM_RESERVED).notEquals(0)) {
|
|
|
|
throw new Error(`Quote xfrm invalid ${xfrm}`);
|
|
|
|
}
|
|
|
|
|
|
|
|
const mrenclave = quote.slice(112, 112 + 32);
|
|
|
|
const enclaveIdBytes = Bytes.fromHex(this.options.directoryEnclaveId);
|
|
|
|
if (mrenclave.compare(enclaveIdBytes) !== 0) {
|
|
|
|
throw new Error('Quote mrenclave invalid!');
|
|
|
|
}
|
|
|
|
|
|
|
|
const reserved2 = quote.slice(144, 144 + 32);
|
|
|
|
if (!reserved2.every(byte => byte === 0)) {
|
|
|
|
throw new Error('Quote reserved2 invalid!');
|
|
|
|
}
|
|
|
|
|
|
|
|
const reportData = quote.slice(368, 368 + 64);
|
|
|
|
const serverStaticPublicBytes = serverStaticPublic;
|
|
|
|
if (
|
|
|
|
!reportData.every((byte, index) => {
|
|
|
|
if (index >= 32) {
|
|
|
|
return byte === 0;
|
|
|
|
}
|
|
|
|
return byte === serverStaticPublicBytes[index];
|
|
|
|
})
|
|
|
|
) {
|
|
|
|
throw new Error('Quote report_data invalid!');
|
|
|
|
}
|
|
|
|
|
|
|
|
const reserved3 = quote.slice(208, 208 + 96);
|
|
|
|
if (!reserved3.every(byte => byte === 0)) {
|
|
|
|
throw new Error('Quote reserved3 invalid!');
|
|
|
|
}
|
|
|
|
|
|
|
|
const reserved4 = quote.slice(308, 308 + 60);
|
|
|
|
if (!reserved4.every(byte => byte === 0)) {
|
|
|
|
throw new Error('Quote reserved4 invalid!');
|
|
|
|
}
|
|
|
|
|
|
|
|
const signatureLength = quote.readInt32LE(432) >>> 0;
|
|
|
|
if (signatureLength !== quote.byteLength - 436) {
|
|
|
|
throw new Error(`Bad signatureLength ${signatureLength}`);
|
|
|
|
}
|
|
|
|
|
|
|
|
// const signature = quote.slice(436, 436 + signatureLength);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
function validateAttestationSignatureBody(
|
|
|
|
signatureBody: {
|
|
|
|
timestamp: string;
|
|
|
|
version: number;
|
|
|
|
isvEnclaveQuoteBody: string;
|
|
|
|
isvEnclaveQuoteStatus: string;
|
2022-08-09 01:09:44 +00:00
|
|
|
advisoryIDs: ReadonlyArray<string>;
|
2022-06-15 01:15:33 +00:00
|
|
|
},
|
|
|
|
encodedQuote: string
|
|
|
|
) {
|
|
|
|
// Parse timestamp as UTC
|
|
|
|
const { timestamp } = signatureBody;
|
|
|
|
const utcTimestamp = timestamp.endsWith('Z') ? timestamp : `${timestamp}Z`;
|
|
|
|
const signatureTime = new Date(utcTimestamp).getTime();
|
|
|
|
|
|
|
|
const now = Date.now();
|
2022-08-09 01:09:44 +00:00
|
|
|
if (signatureBody.version !== 4) {
|
2022-06-15 01:15:33 +00:00
|
|
|
throw new Error('Attestation signature invalid version!');
|
|
|
|
}
|
|
|
|
if (!encodedQuote.startsWith(signatureBody.isvEnclaveQuoteBody)) {
|
|
|
|
throw new Error('Attestion signature mismatches quote!');
|
|
|
|
}
|
2022-08-09 01:09:44 +00:00
|
|
|
if (signatureBody.isvEnclaveQuoteStatus !== 'SW_HARDENING_NEEDED') {
|
|
|
|
throw new Error('Attestation signature status not "SW_HARDENING_NEEDED"!');
|
|
|
|
}
|
|
|
|
if (
|
|
|
|
signatureBody.advisoryIDs.length !== 1 ||
|
|
|
|
signatureBody.advisoryIDs[0] !== 'INTEL-SA-00334'
|
|
|
|
) {
|
|
|
|
throw new Error('Attestation advisory ids are incorrect');
|
2022-06-15 01:15:33 +00:00
|
|
|
}
|
|
|
|
if (signatureTime < now - 24 * 60 * 60 * 1000) {
|
|
|
|
throw new Error('Attestation signature timestamp older than 24 hours!');
|
|
|
|
}
|
|
|
|
}
|