chore: notary now uses k1 curve

Author: maceip

crates/notary/server/build.rs

@@ -2,7 +2,6 @@ use std::{env, process::Command};
 
 fn main() {
     if env::var("GIT_COMMIT_HASH").is_ok() && env::var("GIT_COMMIT_TIMESTAMP").is_ok() {
-        return;
     } else {
         // Used to extract latest HEAD commit hash and timestamp for the /info endpoint
         let output = Command::new("git")

crates/notary/server/src/server.rs

@@ -49,7 +49,8 @@ use crate::{
 #[cfg(feature = "tee_quote")]
 use crate::tee::{ephemeral_keypair, quote};
 
-/// Start a TCP server (with or without TLS) to accept notarization request for both TCP and WebSocket clients
+/// Start a TCP server (with or without TLS) to accept notarization request for
+/// both TCP and WebSocket clients
 #[tracing::instrument(skip(config))]
 pub async fn run_server(config: &NotaryServerProperties) -> Result<(), NotaryServerError> {
     // tee uses ephemeral key

crates/notary/server/src/tee.rs

@@ -1,10 +1,11 @@
+use base64::{engine::general_purpose::STANDARD, Engine};
 use mc_sgx_dcap_types::QlError;
 use once_cell::sync::OnceCell;
 use serde::{Deserialize, Serialize};
 use std::fs;
 
 use crate::signing::AttestationKey;
-use p256::{ecdsa::SigningKey, PublicKey, elliptic_curve::sec1::ToEncodedPoint};
+use k256::ecdsa::{SigningKey, VerifyingKey as PublicKey};
 use pkcs8::{DecodePrivateKey, EncodePrivateKey, LineEnding};
 use rand_chacha::{
     rand_core::{OsRng, SeedableRng},
@@ -86,10 +87,15 @@ async fn gramine_quote() -> Result<Quote, QuoteError> {
     // Write to `/dev/attestation/target_info`
     fs::write("/dev/attestation/target_info", my_target_info)?;
 
-    //// Writing the pubkey to bind the instance to the hw (note: this is not mrsigner)
+    //// Writing the pubkey to bind the instance to the hw (note: this is not
+    //// mrsigner)
     fs::write(
         "/dev/attestation/user_report_data",
-        PUBLIC_KEY.get().expect("pub_key_get").to_encoded_point(true).as_bytes()
+        PUBLIC_KEY
+            .get()
+            .expect("pub_key_get")
+            .to_encoded_point(true)
+            .as_bytes(),
     )?;
 
     //// Reading from the gramine quote pseudo-hardware `/dev/attestation/quote`
@@ -102,8 +108,8 @@ async fn gramine_quote() -> Result<Quote, QuoteError> {
         return Err(QuoteError::IntelQuoteLibrary(QlError::InvalidReport));
     }
 
-    //// Extract mrenclave: enclave image,  and mrsigner: identity key bound to enclave
-    //// https://github.com/intel/linux-sgx/blob/main/common/inc/sgx_quote.h
+    //// Extract mrenclave: enclave image,  and mrsigner: identity key bound to
+    //// enclave https://github.com/intel/linux-sgx/blob/main/common/inc/sgx_quote.h
     let mrenclave = hex::encode(&quote[112..144]);
     let mrsigner = hex::encode(&quote[176..208]);
 
@@ -124,16 +130,23 @@ pub fn ephemeral_keypair() -> (AttestationKey, String) {
     let signing_key = SigningKey::random(&mut rng);
     let pem_string = signing_key
         .clone()
-        .to_pkcs8_pem(LineEnding::default())
+        .to_pkcs8_pem(LineEnding::LF)
         .expect("to pem");
     let attkey = AttestationKey::from_pkcs8_pem(&pem_string).expect("from pem");
+    let derk = signing_key
+        .verifying_key()
+        .to_encoded_point(true)
+        .to_bytes();
+    let b64k = STANDARD.encode(derk.as_ref());
+    let pem = format!(
+        "-----BEGIN PUBLIC KEY-----\n{}\n-----END PUBLIC KEY-----\n",
+        b64k
+    );
+
     let _ = PUBLIC_KEY
-        .set(PublicKey::from(*signing_key.verifying_key()))
+        .set(*signing_key.verifying_key())
         .map_err(|_| "Public key has already been set");
-    return (
-        attkey,
-        PublicKey::from(*signing_key.verifying_key()).to_string(),
-    );
+    return (attkey, pem);
 }
 
 pub async fn quote() -> Quote {

crates/notary/server/tee/config/config.yaml

@@ -1,13 +1,13 @@
 server:
-  name: "tee.notary.codes"
+  name: "notary.codes"
   host: "0.0.0.0"
   port: 7047
   html-info: |
     <head>
     <meta charset="UTF-8">
     <meta name="description" content="mpc-tls">
     <meta name="keywords" content="tlsnotary, mpc, free">
-    <meta name="author" content="tlsnotary">
+    <meta name="author" content="notary">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     </head>
     <body>
@@ -17,11 +17,11 @@ server:
     <path d="M63.871 76.7012H72.3871V34.2207H76.6452V76.7012H85.1613V25.7246H63.871V76.7012Z" fill="#243F5F"/>
     <path d="M38.3226 25.7246H59.6129V34.2207H46.8387V46.9649H59.6129V76.7012H38.3226V68.2051H51.0968V55.4609H38.3226V25.7246Z" fill="#243F5F"/>
     </svg>
-    <h1>trusted execution environment based notary server</h1>
+    <h1>notary server :: at your service</h1>
     <h3>tlsnotary {version}</h3>
     <blink>{public_key}</blink>
     <h4>remote attestation</h4>
-    <a href="/{version}/info">available here</a>
+    <a href="/v{version}/info">available here</a>
     </body>
 
 notarization: