From 4302640e11856ec1f4c1dc00e1abc1ebe975942c Mon Sep 17 00:00:00 2001 From: peg Date: Thu, 19 Mar 2026 14:54:16 +0100 Subject: [PATCH 1/2] Make public the method to extract attestation from cert and add a method to extract measurements --- crates/attestation/src/azure/mod.rs | 9 +++++++++ crates/attestation/src/lib.rs | 23 +++++++++++++++++++++++ crates/attested-tls/src/lib.rs | 2 +- 3 files changed, 33 insertions(+), 1 deletion(-) diff --git a/crates/attestation/src/azure/mod.rs b/crates/attestation/src/azure/mod.rs index 7d3a7ab..119de9d 100644 --- a/crates/attestation/src/azure/mod.rs +++ b/crates/attestation/src/azure/mod.rs @@ -199,6 +199,15 @@ async fn verify_azure_attestation_with_given_timestamp( Ok(MultiMeasurements::from_pcrs(pcrs)) } +/// Extract the measurements from the attestation, but do not verify +/// anything +pub fn get_measurements(input: &[u8]) -> Result { + let attestation_document: AttestationDocument = serde_json::from_slice(&input)?; + let vtpm_quote = attestation_document.tpm_attestation.quote; + let pcrs = vtpm_quote.pcrs_sha256(); + Ok(MultiMeasurements::from_pcrs(pcrs)) +} + /// JSON Web Key used in [HclRuntimeClaims] #[derive(Debug, Deserialize)] struct Jwk { diff --git a/crates/attestation/src/lib.rs b/crates/attestation/src/lib.rs index df5c5ae..cf1c2d9 100644 --- a/crates/attestation/src/lib.rs +++ b/crates/attestation/src/lib.rs @@ -38,6 +38,29 @@ impl AttestationExchangeMessage { pub fn without_attestation() -> Self { Self { attestation_type: AttestationType::None, attestation: Vec::new() } } + + /// Extract the measurements from the attestation, if present, but do + /// not verify + pub fn get_measurements(&self) -> Result, AttestationError> { + match self.attestation_type { + AttestationType::None => Ok(None), + AttestationType::AzureTdx => { + #[cfg(feature = "azure")] + { + Ok(Some(azure::get_measurements(&self.attestation)?)) + } + #[cfg(not(feature = "azure"))] + { + Err(AttestationError::AttestationTypeNotSupported) + } + } + _ => { + let quote = dcap_qvl::verify::Quote::parse(&self.attestation) + .map_err(DcapVerificationError::from)?; + Ok(Some(MultiMeasurements::from_dcap_qvl_quote("e)?)) + } + } + } } /// Type of attestaion used diff --git a/crates/attested-tls/src/lib.rs b/crates/attested-tls/src/lib.rs index ff7a5a0..e7821cb 100644 --- a/crates/attested-tls/src/lib.rs +++ b/crates/attested-tls/src/lib.rs @@ -438,7 +438,7 @@ impl AttestedCertificateVerifier { } /// Given a TLS certificate, return the embedded attestation - fn extract_custom_attestation_from_cert( + pub fn extract_custom_attestation_from_cert( cert: &CertificateDer<'_>, ) -> Result { // First try to parse using ra_tls which assumes DCAP From f503773fab3bdfdad02991d75c398c5327f21745 Mon Sep 17 00:00:00 2001 From: peg Date: Thu, 19 Mar 2026 15:01:45 +0100 Subject: [PATCH 2/2] Clippy --- crates/attestation/src/azure/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crates/attestation/src/azure/mod.rs b/crates/attestation/src/azure/mod.rs index 119de9d..59faf51 100644 --- a/crates/attestation/src/azure/mod.rs +++ b/crates/attestation/src/azure/mod.rs @@ -202,7 +202,7 @@ async fn verify_azure_attestation_with_given_timestamp( /// Extract the measurements from the attestation, but do not verify /// anything pub fn get_measurements(input: &[u8]) -> Result { - let attestation_document: AttestationDocument = serde_json::from_slice(&input)?; + let attestation_document: AttestationDocument = serde_json::from_slice(input)?; let vtpm_quote = attestation_document.tpm_attestation.quote; let pcrs = vtpm_quote.pcrs_sha256(); Ok(MultiMeasurements::from_pcrs(pcrs))