Skip to content

feat: change to gcp attestation verification #959

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Sep 17, 2025
Merged

feat: change to gcp attestation verification #959

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
a67fbd1
feat: change to gcp attestation verification
Nesopie Aug 26, 2025
8e4aadb
lint
Nesopie Aug 26, 2025
cbe77f6
fix e2e test
transphorm Aug 27, 2025
ac17f78
chore: don't check PCR0 mapping if building the app locally
Nesopie Aug 27, 2025
52a63ae
chore: merge dev
Nesopie Sep 9, 2025
afb87f0
Merge remote-tracking branch 'origin/dev' into feat/gcp
Nesopie Sep 17, 2025
c28f03e
fmt:fix
Nesopie Sep 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 25 additions & 9 deletions app/src/utils/proving/provingMachine.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,10 @@ import {
getCircuitNameFromPassportData,
getSolidityPackedUserContextData,
} from '@selfxyz/common/utils';
import { getPublicKey, verifyAttestation } from '@selfxyz/common/utils/attest';
import {
checkPCR0Mapping,
validatePKIToken,
} from '@selfxyz/common/utils/attest';
import {
generateTEEInputsDiscloseStateless,
generateTEEInputsDSC,
Expand Down Expand Up @@ -539,9 +542,25 @@ export const useProvingStore = create<ProvingState>((set, get) => {

const attestationData = result.result.attestation;
set({ attestation: attestationData });
const attestationToken =
Buffer.from(attestationData).toString('utf-8');

const { userPubkey, serverPubkey, imageHash, verified } =
validatePKIToken(attestationToken, __DEV__);

const pcr0Mapping = await checkPCR0Mapping(imageHash);

if (!__DEV__ && !pcr0Mapping) {
console.error('PCR0 mapping not found');
actor!.send({ type: 'CONNECT_ERROR' });
return;
}

const serverPubkey = getPublicKey(attestationData);
const verified = await verifyAttestation(attestationData);
if (clientPublicKeyHex !== userPubkey.toString('hex')) {
console.error('User public key does not match');
actor!.send({ type: 'CONNECT_ERROR' });
return;
}
Copy link

@cursor cursor bot Sep 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Key Format Mismatch Blocks TEE Connections

The public key comparison at line 559 can incorrectly fail because clientPublicKeyHex is in a compressed format, while userPubkey from the attestation token may be uncompressed. This format mismatch prevents successful TEE connections, even when the keys are cryptographically equivalent.

Fix in Cursor Fix in Web


if (!verified) {
logProofEvent('error', 'Attestation verification failed', context, {
Expand All @@ -556,11 +575,11 @@ export const useProvingStore = create<ProvingState>((set, get) => {
selfClient?.trackEvent(ProofEvents.ATTESTATION_VERIFIED);
logProofEvent('info', 'Attestation verified', context);

const serverKey = ec.keyFromPublic(serverPubkey as string, 'hex');
const serverKey = ec.keyFromPublic(serverPubkey, 'hex');
Copy link

@cursor cursor bot Sep 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Public Key Buffer Parsing Error

The ec.keyFromPublic() method receives serverPubkey as a Buffer from validatePKIToken, but expects a hex string when the 'hex' encoding is specified. This type mismatch prevents elliptic curve key parsing.

Fix in Cursor Fix in Web

const derivedKey = clientKey.derive(serverKey.getPublic());

set({
serverPublicKey: serverPubkey,
serverPublicKey: serverKey.getPublic(true, 'hex'),
sharedKey: Buffer.from(derivedKey.toArray('be', 32)),
});
selfClient?.trackEvent(ProofEvents.SHARED_KEY_DERIVED);
Expand Down Expand Up @@ -809,10 +828,7 @@ export const useProvingStore = create<ProvingState>((set, get) => {
method: 'openpassport_hello',
id: 1,
params: {
user_pubkey: [
4,
...Array.from(Buffer.from(clientPublicKeyHex, 'hex')),
],
user_pubkey: [...Array.from(Buffer.from(clientPublicKeyHex, 'hex'))],
uuid: connectionUuid,
},
};
Expand Down
2 changes: 1 addition & 1 deletion common/src/constants/constants.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,7 @@ export const MAX_PADDED_SIGNED_ATTR_LEN_FOR_TESTS: Record<(typeof hashAlgos)[num
export const MAX_PADDED_SIGNED_ATTR_LEN: Record<(typeof hashAlgos)[number], number> = {
sha1: 128,
sha224: 128,
sha256: 128,
sha256: 256,
sha384: 256,
sha512: 256,
};
Expand Down
Loading
Loading