integritee-network · brenzi · Aug 7, 2023
diff --git a/primitives/teerex/src/lib.rs b/primitives/teerex/src/lib.rs
@@ -42,7 +42,7 @@ impl Default for SgxBuildMode {
 #[derive(Encode, Decode, Copy, Clone, PartialEq, Eq, sp_core::RuntimeDebug, TypeInfo)]
 pub enum SgxAttestationMethod {
 	Skip { proxied: bool },
-	Ias,
+	Ias { proxied: bool },
 	Dcap { proxied: bool },
 }
 
@@ -147,7 +147,8 @@ where
 			MultiEnclave::Sgx(enclave) => matches!(
 				enclave.attestation_method,
 				SgxAttestationMethod::Skip { proxied: true } |
-					SgxAttestationMethod::Dcap { proxied: true }
+					SgxAttestationMethod::Dcap { proxied: true } |
+					SgxAttestationMethod::Ias { proxied: true }
 			),
 		}
 	}
@@ -194,7 +195,7 @@ impl<Url> SgxEnclave<Url> {
 			Ok(p) => match self.attestation_method {
 				SgxAttestationMethod::Dcap { proxied: false } |
 				SgxAttestationMethod::Skip { proxied: false } |
-				SgxAttestationMethod::Ias => Some(p),
+				SgxAttestationMethod::Ias { proxied: false } => Some(p),
 				_ => None,
 			},
 			Err(_) => None,

diff --git a/sidechain/src/tests.rs b/sidechain/src/tests.rs
@@ -379,7 +379,7 @@ fn register_ias_enclave(signer_pub_key: &MrSigner, cert: &[u8]) {
 		RuntimeOrigin::signed(signer.clone()),
 		cert.to_vec(),
 		Some(URL.to_vec()),
-		SgxAttestationMethod::Ias,
+		SgxAttestationMethod::Ias { proxied: false },
 	));
 	assert!(Teerex::<Test>::sovereign_enclaves(signer).is_some());
 }

diff --git a/teeracle/src/benchmarking.rs b/teeracle/src/benchmarking.rs
@@ -49,7 +49,7 @@ benchmarks! {
 			RawOrigin::Signed(signer.clone()).into(),
 			TEST4_SETUP.cert.to_vec(),
 			Some(URL.to_vec()),
-			SgxAttestationMethod::Ias,
+			SgxAttestationMethod::Ias { proxied: false },
 		).unwrap();
 		let fingerprint = Teerex::<T>::sovereign_enclaves(&signer).unwrap().fingerprint();
 		Teeracle::<T>::add_to_whitelist(RawOrigin::Root.into(), data_source.clone(), fingerprint).unwrap();
@@ -72,7 +72,7 @@ benchmarks! {
 			RawOrigin::Signed(signer.clone()).into(),
 			TEST4_SETUP.cert.to_vec(),
 			Some(URL.to_vec()),
-			SgxAttestationMethod::Ias,
+			SgxAttestationMethod::Ias { proxied: false },
 		).unwrap();
 		let fingerprint = Teerex::<T>::sovereign_enclaves(&signer).unwrap().fingerprint();
 		Teeracle::<T>::add_to_whitelist(RawOrigin::Root.into(), data_source.clone(), fingerprint).unwrap();

diff --git a/teeracle/src/tests.rs b/teeracle/src/tests.rs
@@ -44,7 +44,7 @@ fn register_ias_enclave_and_add_oracle_to_whitelist_ok(src: &str) {
 		RuntimeOrigin::signed(signer.clone()),
 		TEST4_CERT.to_vec(),
 		Some(URL.to_vec()),
-		SgxAttestationMethod::Ias,
+		SgxAttestationMethod::Ias { proxied: false },
 	));
 	let fingerprint = Teerex::sovereign_enclaves(&signer).unwrap().fingerprint();
 	assert_ok!(Teeracle::add_to_whitelist(RuntimeOrigin::root(), src.to_owned(), fingerprint));
@@ -228,7 +228,7 @@ fn update_exchange_rate_from_not_whitelisted_oracle_fails() {
 			RuntimeOrigin::signed(signer.clone()),
 			TEST4_CERT.to_vec(),
 			Some(URL.to_vec()),
-			SgxAttestationMethod::Ias,
+			SgxAttestationMethod::Ias { proxied: false },
 		));
 
 		let rate = U32F32::from_num(43.65);
@@ -253,7 +253,7 @@ fn update_oracle_from_not_whitelisted_oracle_fails() {
 			RuntimeOrigin::signed(signer.clone()),
 			TEST4_CERT.to_vec(),
 			Some(URL.to_vec()),
-			SgxAttestationMethod::Ias,
+			SgxAttestationMethod::Ias { proxied: false },
 		));
 
 		assert_noop!(

diff --git a/teerex/src/lib.rs b/teerex/src/lib.rs
@@ -204,7 +204,7 @@ pub mod pallet {
 			log::debug!(target: TEEREX, "parameter length ok");
 
 			let enclave = match attestation_method {
-				SgxAttestationMethod::Ias => {
+				SgxAttestationMethod::Ias { proxied } => {
 					let report = sgx_verify::verify_ias_report(&proof)
 						.map_err(|_| <Error<T>>::RemoteAttestationVerificationFailed)?;
 					log::debug!(target: TEEREX, "IAS report successfully verified");
@@ -219,14 +219,15 @@ pub mod pallet {
 						report.build_mode,
 						report.status,
 					)
-					.with_attestation_method(SgxAttestationMethod::Ias);
-
-					ensure!(
-						Ok(sender.clone()) ==
-							T::AccountId::decode(&mut report.report_data.lower32().as_ref()),
-						<Error<T>>::SenderIsNotAttestedEnclave
-					);
+					.with_attestation_method(SgxAttestationMethod::Ias { proxied });
 
+					if !proxied {
+						ensure!(
+							Ok(sender.clone()) ==
+								T::AccountId::decode(&mut report.report_data.lower32().as_ref()),
+							<Error<T>>::SenderIsNotAttestedEnclave
+						);
+					};
 					// TODO: activate state checks as soon as we've fixed our setup #83
 					// ensure!((report.status == SgxStatus::Ok) | (report.status == SgxStatus::ConfigurationNeeded),
 					//     "RA status is insufficient");

diff --git a/teerex/src/tests/test_cases.rs b/teerex/src/tests/test_cases.rs
@@ -333,7 +333,7 @@ fn add_enclave_works() {
 			RuntimeOrigin::signed(signer.clone()),
 			TEST4_CERT.to_vec(),
 			Some(URL.to_vec()),
-			SgxAttestationMethod::Ias
+			SgxAttestationMethod::Ias { proxied: false }
 		));
 		assert!(<SovereignEnclaves<Test>>::contains_key(&signer));
 	})
@@ -349,7 +349,7 @@ fn add_and_remove_enclave_works() {
 			RuntimeOrigin::signed(signer.clone()),
 			TEST4_CERT.to_vec(),
 			Some(URL.to_vec()),
-			SgxAttestationMethod::Ias
+			SgxAttestationMethod::Ias { proxied: false }
 		));
 		assert!(<SovereignEnclaves<Test>>::contains_key(&signer));
 		Timestamp::set_timestamp(TEST4_TIMESTAMP + <MaxAttestationRenewalPeriod>::get() + 1);
@@ -371,7 +371,7 @@ fn add_enclave_without_timestamp_fails() {
 			RuntimeOrigin::signed(signer.clone()),
 			TEST4_CERT.to_vec(),
 			Some(URL.to_vec()),
-			SgxAttestationMethod::Ias
+			SgxAttestationMethod::Ias { proxied: false }
 		)
 		.is_err());
 		assert!(!<SovereignEnclaves<Test>>::contains_key(&signer));
@@ -390,14 +390,14 @@ fn list_enclaves_works() {
 			url: Some(URL.to_vec()),
 			build_mode: SgxBuildMode::Debug,
 			mr_signer: TEST4_MRSIGNER,
-			attestation_method: SgxAttestationMethod::Ias,
+			attestation_method: SgxAttestationMethod::Ias { proxied: false },
 			status: SgxStatus::ConfigurationNeeded,
 		};
 		assert_ok!(Teerex::register_sgx_enclave(
 			RuntimeOrigin::signed(signer.clone()),
 			TEST4_CERT.to_vec(),
 			Some(URL.to_vec()),
-			SgxAttestationMethod::Ias,
+			SgxAttestationMethod::Ias { proxied: false },
 		));
 		assert!(<SovereignEnclaves<Test>>::contains_key(&signer));
 		let enclaves = list_sovereign_enclaves();
@@ -415,7 +415,7 @@ fn register_ias_enclave_with_different_signer_fails() {
 				RuntimeOrigin::signed(signer),
 				TEST5_CERT.to_vec(),
 				Some(URL.to_vec()),
-				SgxAttestationMethod::Ias
+				SgxAttestationMethod::Ias { proxied: false }
 			),
 			Error::<Test>::SenderIsNotAttestedEnclave
 		);
@@ -432,7 +432,7 @@ fn register_ias_enclave_with_to_old_attestation_report_fails() {
 				RuntimeOrigin::signed(signer),
 				TEST7_CERT.to_vec(),
 				Some(URL.to_vec()),
-				SgxAttestationMethod::Ias
+				SgxAttestationMethod::Ias { proxied: false }
 			),
 			Error::<Test>::RemoteAttestationTooOld
 		);
@@ -448,11 +448,26 @@ fn register_ias_enclave_with_almost_too_old_report_works() {
 			RuntimeOrigin::signed(signer),
 			TEST7_CERT.to_vec(),
 			Some(URL.to_vec()),
-			SgxAttestationMethod::Ias
+			SgxAttestationMethod::Ias { proxied: false }
 		));
 	})
 }
 
+#[test]
+fn register_ias_enclave_proxied_works() {
+	new_test_ext().execute_with(|| {
+		Timestamp::set_timestamp(TEST7_TIMESTAMP + TWENTY_FOUR_HOURS - 1);
+		let signer = get_signer(TEST7_SIGNER_PUB);
+		assert_ok!(Teerex::register_sgx_enclave(
+			RuntimeOrigin::signed(signer),
+			TEST7_CERT.to_vec(),
+			Some(URL.to_vec()),
+			SgxAttestationMethod::Ias { proxied: true }
+		));
+		assert_eq!(list_proxied_enclaves().len(), 1);
+	})
+}
+
 #[test]
 fn update_enclave_url_works() {
 	new_test_ext().execute_with(|| {
@@ -467,23 +482,23 @@ fn update_enclave_url_works() {
 			url: None,
 			build_mode: SgxBuildMode::Debug,
 			mr_signer: TEST4_MRSIGNER,
-			attestation_method: SgxAttestationMethod::Ias,
+			attestation_method: SgxAttestationMethod::Ias { proxied: false },
 			status: SgxStatus::ConfigurationNeeded,
 		};
 
 		assert_ok!(Teerex::register_sgx_enclave(
 			RuntimeOrigin::signed(signer.clone()),
 			TEST4_CERT.to_vec(),
 			Some(URL.to_vec()),
-			SgxAttestationMethod::Ias
+			SgxAttestationMethod::Ias { proxied: false }
 		));
 		assert_eq!(Teerex::sovereign_enclaves(&signer).unwrap().instance_url(), Some(URL.to_vec()));
 
 		assert_ok!(Teerex::register_sgx_enclave(
 			RuntimeOrigin::signed(signer.clone()),
 			TEST4_CERT.to_vec(),
 			Some(url2.to_vec()),
-			SgxAttestationMethod::Ias
+			SgxAttestationMethod::Ias { proxied: false }
 		));
 		assert_eq!(
 			Teerex::sovereign_enclaves(&signer).unwrap().instance_url(),
@@ -504,7 +519,7 @@ fn debug_mode_enclave_attest_works_when_sgx_debug_mode_is_allowed() {
 			url: Some(URL.to_vec()),
 			build_mode: SgxBuildMode::Debug,
 			mr_signer: TEST4_MRSIGNER,
-			attestation_method: SgxAttestationMethod::Ias,
+			attestation_method: SgxAttestationMethod::Ias { proxied: false },
 			status: SgxStatus::ConfigurationNeeded,
 		};
 
@@ -513,7 +528,7 @@ fn debug_mode_enclave_attest_works_when_sgx_debug_mode_is_allowed() {
 			RuntimeOrigin::signed(signer4.clone()),
 			TEST4_CERT.to_vec(),
 			Some(URL.to_vec()),
-			SgxAttestationMethod::Ias
+			SgxAttestationMethod::Ias { proxied: false }
 		));
 		assert!(<SovereignEnclaves<Test>>::contains_key(&signer4));
 		let enclaves = list_sovereign_enclaves();
@@ -534,7 +549,7 @@ fn production_mode_enclave_attest_works_when_sgx_debug_mode_is_allowed() {
 				url: Some(URL.to_vec()),
 				build_mode: SgxBuildMode::Production,
 				mr_signer: TEST8_MRSIGNER,
-				attestation_method: SgxAttestationMethod::Ias,
+				attestation_method: SgxAttestationMethod::Ias { proxied: false },
 				status: SgxStatus::Invalid,
 			};
 
@@ -543,7 +558,7 @@ fn production_mode_enclave_attest_works_when_sgx_debug_mode_is_allowed() {
 				RuntimeOrigin::signed(signer8.clone()),
 				TEST8_CERT.to_vec(),
 				Some(URL.to_vec()),
-				SgxAttestationMethod::Ias
+				SgxAttestationMethod::Ias { proxied: false }
 			));
 			assert!(<SovereignEnclaves<Test>>::contains_key(&signer8));
 			let enclaves = list_sovereign_enclaves();
@@ -563,7 +578,7 @@ fn debug_mode_enclave_attest_fails_when_sgx_debug_mode_not_allowed() {
 				RuntimeOrigin::signed(signer4.clone()),
 				TEST4_CERT.to_vec(),
 				Some(URL.to_vec()),
-				SgxAttestationMethod::Ias
+				SgxAttestationMethod::Ias { proxied: false }
 			),
 			Error::<Test>::SgxModeNotAllowed
 		);
@@ -582,7 +597,7 @@ fn production_mode_enclave_attest_works_when_sgx_debug_mode_not_allowed() {
 			url: Some(URL.to_vec()),
 			build_mode: SgxBuildMode::Production,
 			mr_signer: TEST8_MRSIGNER,
-			attestation_method: SgxAttestationMethod::Ias,
+			attestation_method: SgxAttestationMethod::Ias { proxied: false },
 			status: SgxStatus::Invalid,
 		};
 
@@ -591,7 +606,7 @@ fn production_mode_enclave_attest_works_when_sgx_debug_mode_not_allowed() {
 			RuntimeOrigin::signed(signer8.clone()),
 			TEST8_CERT.to_vec(),
 			Some(URL.to_vec()),
-			SgxAttestationMethod::Ias
+			SgxAttestationMethod::Ias { proxied: false }
 		));
 		assert!(<SovereignEnclaves<Test>>::contains_key(&signer8));
 		let enclaves = list_sovereign_enclaves();