From 17e1bcd744390fda7a237a6e5d0c5b29c075c75f Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Mon, 16 May 2022 17:19:51 -0700
Subject: [PATCH 01/44] Try writing attestation to file

---
 Cargo.lock                   |  1 +
 qos-core/Cargo.toml          |  2 ++
 qos-core/src/protocol/mod.rs | 23 ++++++++++++++++++++---
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index e1d376ed..b041e9ce 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -516,6 +516,7 @@ version = "0.1.0"
 dependencies = [
  "aws-nitro-enclaves-nsm-api",
  "nix 0.24.1",
+ "openssl",
  "qos-crypto",
  "serde",
  "serde_bytes",
diff --git a/qos-core/Cargo.toml b/qos-core/Cargo.toml
index 382834d3..222c2095 100644
--- a/qos-core/Cargo.toml
+++ b/qos-core/Cargo.toml
@@ -6,6 +6,7 @@ edition = "2021"
 [dependencies]
 qos-crypto = { path = "../qos-crypto" }
 nix = { version = "0.24.1", features = ["socket"], default-features = false }
+openssl = "0.10.40"
 
 # For AWS Nitro
 aws-nitro-enclaves-nsm-api = { version = "0.2.1", default-features = false }
@@ -13,6 +14,7 @@ serde = "1.0"
 serde_cbor = "0.11"
 serde_bytes = "0.11"
 
+
 [features]
 default=["local"]
 local = []
diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index f7a263a1..c0e698f5 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -8,6 +8,7 @@ mod provisioner;
 pub use attestor::{MockNsm, Nsm, NsmProvider};
 pub use msg::*;
 pub use nitro_types::*;
+use openssl::rsa::Rsa;
 pub use provisioner::SECRET_FILE;
 use provisioner::*;
 
@@ -128,10 +129,26 @@ mod handlers {
 		req: &ProtocolMsg,
 		state: &mut ProtocolState,
 	) -> Option<ProtocolMsg> {
-		if let ProtocolMsg::NsmRequest(_nsmr) = req {
+		if let ProtocolMsg::NsmRequest(NsmRequest::Attestation { .. }) = req {
+			let attestation = NsmRequest::Attestation {
+				user_data: None,
+				nonce: None,
+				public_key: Some(
+					Rsa::generate(4096).unwrap().public_key_to_pem().unwrap(),
+				),
+			};
 			let fd = state.attestor.nsm_init();
-			let response =
-				state.attestor.nsm_process_request(fd, NsmRequest::DescribeNSM);
+			let response = state.attestor.nsm_process_request(fd, attestation);
+			match response {
+				NsmResponse::Attestation { document } => {
+					use std::fs::File;
+					use std::io::Write;
+					let mut file =
+						File::create("/home/tk/attest_document").unwrap();
+					file.write_all(&document).unwrap();
+				}
+				_ => panic!("Not an attestation response"),
+			}
 			println!("NSM process request: {:?}", response);
 			Some(ProtocolMsg::NsmResponse(response))
 		} else {

From 9d0e16b53170b6fcd98c3b19bb039d5a344dc67f Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Mon, 16 May 2022 17:21:46 -0700
Subject: [PATCH 02/44] Ignore nsm request

---
 qos-core/src/protocol/mod.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index c0e698f5..96a0b378 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -129,7 +129,8 @@ mod handlers {
 		req: &ProtocolMsg,
 		state: &mut ProtocolState,
 	) -> Option<ProtocolMsg> {
-		if let ProtocolMsg::NsmRequest(NsmRequest::Attestation { .. }) = req {
+		// if let ProtocolMsg::NsmRequest(NsmRequest::Attestation { .. }) = req {
+		if let ProtocolMsg::NsmRequest(_req) = req {
 			let attestation = NsmRequest::Attestation {
 				user_data: None,
 				nonce: None,

From 186a2a0cc1a45d2c62f7d8c77c43d79b2a3f7592 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Mon, 16 May 2022 17:33:31 -0700
Subject: [PATCH 03/44] Fix compiliation

---
 Dockerfile                   | 4 ++--
 qos-core/src/io/stream.rs    | 5 +++--
 qos-core/src/protocol/mod.rs | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 049d1060..da98c9a4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,9 @@
 FROM rust:1.60 as builder
 COPY ./ ./
-RUN cargo build --bin qos-core --features vm --no-default-features --release
+RUN cargo build --bin qos-core --features vm --no-default-features
 
 # We don't need the Rust toolchain to run the binary!
 FROM debian:buster-slim AS runtime
 WORKDIR app
-COPY --from=builder /target/release/qos-core /usr/local/bin
+COPY --from=builder /target/debug/qos-core /usr/local/bin
 ENTRYPOINT ["/usr/local/bin/qos-core", "--port", "6969", "--cid", "16"]
\ No newline at end of file
diff --git a/qos-core/src/io/stream.rs b/qos-core/src/io/stream.rs
index 3d5617f6..cf1328cc 100644
--- a/qos-core/src/io/stream.rs
+++ b/qos-core/src/io/stream.rs
@@ -9,7 +9,7 @@ use nix::sys::socket::VsockAddr;
 use nix::{
 	sys::socket::{
 		accept, bind, connect, listen, recv, send, shutdown, socket,
-		AddressFamily, MsgFlags, Shutdown, SockFlag, SockType, SockaddrLike
+		AddressFamily, MsgFlags, Shutdown, SockFlag, SockType, SockaddrLike,
 	},
 	unistd::close,
 };
@@ -33,6 +33,7 @@ impl SocketAddress {
 		Self::Unix(addr)
 	}
 
+	#[cfg(feature = "vm")]
 	pub fn new_vsock(cid: u32, port: u32) -> Self {
 		let addr = VsockAddr::new(cid, port);
 		Self::Vsock(addr)
@@ -305,7 +306,7 @@ mod test {
 			while let Some(stream) = listener.next() {
 				let req = stream.recv().unwrap();
 				stream.send(&req).unwrap();
-				break
+				break;
 			}
 		});
 
diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index 96a0b378..93f9afcc 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -141,7 +141,7 @@ mod handlers {
 			let fd = state.attestor.nsm_init();
 			let response = state.attestor.nsm_process_request(fd, attestation);
 			match response {
-				NsmResponse::Attestation { document } => {
+				NsmResponse::Attestation { ref document } => {
 					use std::fs::File;
 					use std::io::Write;
 					let mut file =

From 5b4fe61fe92d46cacec9e75b568690b5fcbf4e67 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Mon, 16 May 2022 18:36:21 -0700
Subject: [PATCH 04/44] Install libssl in dockerfile

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index da98c9a4..019a46c0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,5 +5,6 @@ RUN cargo build --bin qos-core --features vm --no-default-features
 # We don't need the Rust toolchain to run the binary!
 FROM debian:buster-slim AS runtime
 WORKDIR app
+RUN apt-get update && apt-get install -y libssl-dev
 COPY --from=builder /target/debug/qos-core /usr/local/bin
 ENTRYPOINT ["/usr/local/bin/qos-core", "--port", "6969", "--cid", "16"]
\ No newline at end of file

From 89092a9148098b689407e7e55e6461003e5f9757 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Mon, 16 May 2022 18:44:23 -0700
Subject: [PATCH 05/44] client works

---
 qos-client/src/cli.rs        | 15 ++++++++++++++-
 qos-core/src/protocol/mod.rs | 20 ++++++++++----------
 2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index 878a5a9a..31791b5c 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -110,7 +110,7 @@ impl CLI {
 }
 
 mod handlers {
-	use qos_core::protocol::NsmRequest;
+	use qos_core::protocol::{NsmRequest, NsmResponse};
 
 	use super::*;
 	use crate::request;
@@ -154,6 +154,19 @@ mod handlers {
 		.map_err(|e| println!("{:?}", e))
 		.expect("Echo message failed");
 
+		match response {
+			ProtocolMsg::NsmResponse(NsmResponse::Attestation {
+				ref document,
+			}) => {
+				use std::fs::File;
+				use std::io::Write;
+				let mut file =
+					File::create("/home/tk/attest_document").unwrap();
+				file.write_all(&document).unwrap();
+			}
+			_ => panic!("Not an attestation response"),
+		}
+
 		match response {
 			ProtocolMsg::NsmResponse(describe_nsm_response) => {
 				println!("{:?}", describe_nsm_response)
diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index 93f9afcc..2198029f 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -140,16 +140,16 @@ mod handlers {
 			};
 			let fd = state.attestor.nsm_init();
 			let response = state.attestor.nsm_process_request(fd, attestation);
-			match response {
-				NsmResponse::Attestation { ref document } => {
-					use std::fs::File;
-					use std::io::Write;
-					let mut file =
-						File::create("/home/tk/attest_document").unwrap();
-					file.write_all(&document).unwrap();
-				}
-				_ => panic!("Not an attestation response"),
-			}
+			// match response {
+			// 	NsmResponse::Attestation { ref document } => {
+			// 		// use std::fs::File;
+			// 		// use std::io::Write;
+			// 		// let mut file =
+			// 		// 	File::create("/home/tk/attest_document").unwrap();
+			// 		// file.write_all(&document).unwrap();
+			// 	}
+			// 	_ => panic!("Not an attestation response"),
+			// }
 			println!("NSM process request: {:?}", response);
 			Some(ProtocolMsg::NsmResponse(response))
 		} else {

From b46202ae91fc1910f1383b57d9a1d4b42e277b2c Mon Sep 17 00:00:00 2001
From: Jack Kearney <jack@turnkey.io>
Date: Tue, 17 May 2022 01:53:30 +0000
Subject: [PATCH 06/44] Add sample attestation document

---
 attest_document | Bin 0 -> 5194 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 attest_document

diff --git a/attest_document b/attest_document
new file mode 100644
index 0000000000000000000000000000000000000000..45ec108f484a3ba456713df05f685b4f20cc7cbe
GIT binary patch
literal 5194
zcmd6q2UHa27RT8_aiypbON@oYP8PnIEwgKRW*e|9u&~Qk>+I~zvTW}QkthZ=M(hR^
z8-lS!jlmvcjlCS(OMJm@lxRroiiwK6LD6W$_YUXey^}d-&e?ls|1;mt_xs;_w^+QG
z!h5$|7khq%+2%0%toR7CG1%M81Q?fxV|*iwAq0;H<2)vA#{k3w7-8TdI12%615Oyt
zCfwsCl&Jz1k8SpvZDfSnoSj2LC}WOo+_1#x#N3{*LbM>Hg$JeO5^BpOw3bWgTJZMr
zoh7R~jqX<S;faNtHyHS~-U7#xrAH4>7~W~r#|q)dq4uwBUfarrvv<ufNRLlV3vKyR
z!dfl~Z@DC*<&st{moQo`Y29*3WXmN{Etf>MToTiAi3P*mUNd3FP%o~djsat-qsWs|
zPNPz&)HaRI`Us(KZ*-JlY{N>x2#e@9KK1AzI*kU3ra-Mht1z019u`YgDWO=<wlRo^
zWN1)NuGwz#I_yvz5Z#yzj|^AhsMl-7p%@U=m|;YQ32bNq`ISiWu4JNhBu$`ELVSQU
zMzl!KOkqg$d6+or@iL)AG~h|Jo4syFW3jNJe%u4Pc8G#uz=03|aUd2~{~~0QAzu%Q
zX8tc0{0}hj*@8LEEV#K!_UexSe$XZ?{OL=jQo=$Lis&Kl(hMQ=i7P|ntvf1fmw6Mf
z6;F>pYz%)i<>OYjpP1O8lSUV6>w8R!s$1T1-o{o%>NyvpzA5iMwkFg2?TSlrr^HM4
zLZLmDeI$I`5LI&gejm%Q!|}n-Pl^0zB?}9#4>c|uRu}EwTG<7329e~-yTno`4Rk69
z0j(RO7&@Is4cqzhPSeaGfS^JlHR(AWW)}Nw!zQm?`|#J5==h)ZZoYO4KhFF|;?0$t
zj#O86UA1o=|JIdL{a63IW#_I<q-1Q2UpjMJm7%bQ>R7)W5l>b<I;vVUuB86n;*t~2
zDLYpZ8)JK(8a|-%UFQH~>p$xb=3=P9XE$2$VjcA@62!J(ET!}rjBP`HhkUu6r>(iv
zCHctuD_4J0zr02ueRXgD3uT=_r)Qhiu6d3iJ_KMM#DaN%LvqA^7P6m)f90dzu=$Uv
zIlnB8*mXD8`D5AXY1@-|@C=WAqO76LT|H4O%gU}{FR7|Kb9v`h?c4CCDt~zN`F5wu
z2G_=SCax-u6`nZPYJ?-!d9Oo+sQPRhO8k{$7^P1uLOkJMzM&Xo>>YfsQV2c(F)ubh
z6wpWpK$pfuG`&4NZd%U`QPrU-S4(%7K6EcQHh0AZS?N<FcZq3)g(QSB{^hs-oRG@V
zNz)e}+&28`X2YoVb55#gQ@YVazYoDy7)l25$9yJP+;!`Y!~v=wzP#aDzx&kcyCfkM
zcjvVaUF+=g`8ip+c>~3cuYYuY>cy}wdCE?s=bye`E!v7cPWXj(*l}a>d(^uZ>U7jy
zBp2JrQ`}Uf@cl;)X`;`zi5Yb1yHAOR1urk`uiUHW<pl;T7R+fXFI)ft_R|m;TSOoi
zu%8jgL=cpNLM()fpj?c{f?ll;e=c%wAm;qz$&xvMyMD0P+;h!`1Ll2K@s(ovC90a;
z=F_;`#CMXfgsmRe<Fd4Ta|AK+%%h3bx0a1su0ORs<>>aeXSVLXz-F2^BI8j8){oeE
z)cNr4?b@z!$16^!Z4vi45WOhAJW^O$^gSp#3EI72CIW<!D3DzObZgALNAC#Qk7*v9
zKe!s#IlN-^+4%;?`VLi$+ohNC3m+ePjVo*8{kqX{fC038MES7sLvp=dXaA%m(yGi?
zOFk2GTN6F3MD%GVX|yutuqBbnB-Fs>a{-1i5hItyWWxp{laKQWCWp^r@i20%BzWvZ
z@{2FSLNkQ`BNd=+7FBnZ%zm$%M{{e@hKdI@HEZS%+oEJ&`h`iIHI8w5+n4I2Wo;D!
z+3^cM81G%^Oa*Z>mWl$!vmY8oRfO|lZC6Bz<}xQn4eSIDjlG=ri177Ve7WjT>)}On
zD0}uE9^=!|I)JgXSd!tgCWeJOR_EQlKi5d)oU8E1Q1-mMtp5{O&++EMFpC_%o4O|q
z!_d<Z6itK%g8t8#WuX{?;RXzF2{vvpz=lM!k)ziCNbaBd{A&gJm06-Gh=`<W1h3B!
zZ|a%FBWphKbedH~yIHS{t5|s_tT$?(_k;6bap>LIeb$}W>^c2)b%%!{=DJl+$~Klh
zh~zH1HYp9)4gi%0F6<{}v3l7qmpEghu8*l%H`aXAHF?189wj@f4c9)umfSGEFMm~K
zQ7tIC+KdS(ub7}&%KtFI2etJNa^_E?mF*a?sA}Hc(zWd(zIn|AMPr`1ARh#PuiR7a
z8t-Uw0SPVh#TdkV-4l&|cyYZMXJ7=I!{wkjli<SylZ`<T6XhXXCiy>$Ao!4x#Wir=
z;Ea&TGtVSUKK$r+LG%E;KfCSl!iG<%fsBe(XRnO>?P7=IYwPxWFsoiRmtN?sou7B{
z3Kh7FqeJgRY+~>8Uss<Q5~mwlc0H>6r?r`<)JJ|kuzT%i@$TXi?|c;8et6KC>F=kz
z8g$em(iMf|Nq^>yINgxK`{z8pyYDONdt!Wj`1fmA3tt&d{#IN*_YgUOvS1i_K7sO@
z!oT0h{Dy8)9e!vUB`%6{ZSc88mu8HY%<vzaTfU~Si|oYlwvz_l9#Px(yYQ+}i;pb*
z_Wg0!zG^*f@SI(Rs_CisXZIt_Io;&*I?gP)b7cR%kqgWb3s$rz7|xP&DJNZ;2?v}D
zc)NB^HdgimJ({sm$g4J>(qArvP1QNZzv^7g&8$gNGS;Y$^r`P5*+jb%=sU6fj$;=!
z9SenJ{&TnIKFBx-Vf0OBPD-3)J%9h|{XyKt6<_dI4H+_U>XCN-smI@{oM!pn)^KwQ
z@3gsrHe$krAA66U7t?oXY5kUdgYuj{gVl_Uu;BSRT6bpSA(W&@GrMQ0gy~XIcbP=@
zG|9-2N=4E<L8j1TaphXfDf|Es3bG~10)bp4F!2P9*F`27`B@_H1@(#?sV`IDwFVU`
zHlpUIYZ;lo94%Y!x2QxmLLgKIv-5LpZkt>n!0cH`1x6h=SbzykUZ(=&sJXfJpibq=
zO0_5Wtt>*54pJ?QV76DT(PU`hpcS#@<=6m6?vtpDnbPcJk(8IhNoOYnSum#cDRe2U
zbXS_ml9?*YC-ee~+zRoOUWU%*l;-D4lALVRC?hz@8NwU~rp__tD3vLKOou?6mXs|I
z1}s^qMIl#uEVxsH<_dfW;#Q<tMOXpD8Bn+jv?5`$N1c;P<SLDbPht|KxV$PDvnvXc
z)IwW=xxngn+kr=eXuU?Q-kK1Af?3IVWQLQ*$V*0~r~ng+&6xz^GGqlYk(!PAZCuR8
zaiu9F={#<71_W#lE|80{AYUhA>14r7Bta<SD9l-A22Un6Th%PRONJX@n+1lYfS2rr
zQ&f<HQ2D(EyFB32>v2t%$6{hRV92a;m{PJunR<5ypKJG+7zSfDCk29Gj|7)nTvpVV
zZQ$W3q{kJwpS*EimQUwlJ0+<E?&gC4oMBO$)AEHmT5&q!MHD<MBcs6N)}#W+W`Om4
zL1r?Whw}=8dO{{QOAx=#<P!(P*{QZPGZzmcvQ(GMsW<A=(>V~X%(n1(2*aBqhd3UE
z)GfB#1S*rwnO6WQ)a*35N1g+x7}W)$fF{l93i{J6N`p8hDFc=lX!u$oD;HObHRe=?
zODq$iL4u=DYl%#kMkkf|{Bn~`tW7c#Ir=<AY~%#kSr$D4sf|j+YGe^udN3=&%9Rj0
zHfGl`SoumPUkwnD=Tmt_EH@CRrL+7Nksu%u2(kwaVmu{Yk|}=81ZJNHcaJclUbGIk
zJM0)<ryZ%A8sE-%XwoFs^mN;eO|>_Szdq?H8hFK_jL<=6SC^Lg{v};x4bX;`eR-hp
z4&~T`=pT#t!NRy<UwpP=IqN6xo_e_Y*M-tv@oOS4W_IBB{B(EhsJZ*<_J=J#op`lv
ISNEoW1N~^le*gdg

literal 0
HcmV?d00001


From 12e02afb777595ba6511d156882895150d94d483 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Mon, 16 May 2022 19:16:25 -0700
Subject: [PATCH 07/44] write string to file

---
 Dockerfile                                          |   4 ++++
 qos-client/src/cli.rs                               |   3 ++-
 qos-core/src/cli.rs                                 |   4 ++--
 .../src/protocol/attest_document                    | Bin
 qos-core/src/protocol/attestor.rs                   |   1 -
 qos-test/Cargo.toml                                 |   4 +++-
 qos-test/src/lib.rs                                 |   5 +++++
 7 files changed, 16 insertions(+), 5 deletions(-)
 rename attest_document => qos-core/src/protocol/attest_document (100%)

diff --git a/Dockerfile b/Dockerfile
index 019a46c0..76ddfb20 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,8 @@
 FROM rust:1.60 as builder
+COPY ./Cargo.toml ./Cargo.toml
+COPY ./Cargo.lock ./Cargo.lock
+RUN cargo build
+
 COPY ./ ./
 RUN cargo build --bin qos-core --features vm --no-default-features
 
diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index 31791b5c..89756712 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -162,7 +162,8 @@ mod handlers {
 				use std::io::Write;
 				let mut file =
 					File::create("/home/tk/attest_document").unwrap();
-				file.write_all(&document).unwrap();
+				let output = format!("{:?}", document);
+				file.write_all(&output.as_bytes()).unwrap();
 			}
 			_ => panic!("Not an attestation response"),
 		}
diff --git a/qos-core/src/cli.rs b/qos-core/src/cli.rs
index 9d6e7872..103112e6 100644
--- a/qos-core/src/cli.rs
+++ b/qos-core/src/cli.rs
@@ -2,7 +2,7 @@ use std::env;
 
 use crate::{
 	io::SocketAddress,
-	protocol::{Executor, MockNsm, Nsm, NsmProvider},
+	protocol::{self, Executor, Nsm, NsmProvider},
 	server::SocketServer,
 };
 
@@ -97,7 +97,7 @@ impl EnclaveOptions {
 
 	pub fn nsm(&self) -> Box<dyn NsmProvider> {
 		if self.mock {
-			Box::new(MockNsm)
+			Box::new(protocol::MockNsm)
 		} else {
 			Box::new(Nsm)
 		}
diff --git a/attest_document b/qos-core/src/protocol/attest_document
similarity index 100%
rename from attest_document
rename to qos-core/src/protocol/attest_document
diff --git a/qos-core/src/protocol/attestor.rs b/qos-core/src/protocol/attestor.rs
index 2a5911d6..92ba72e8 100644
--- a/qos-core/src/protocol/attestor.rs
+++ b/qos-core/src/protocol/attestor.rs
@@ -31,7 +31,6 @@ impl NsmProvider for Nsm {
 /// TODO: - this should be moved to its own crate as it will likely need some
 /// additional deps like Serde
 pub struct MockNsm;
-
 impl NsmProvider for MockNsm {
 	fn nsm_process_request(
 		&self,
diff --git a/qos-test/Cargo.toml b/qos-test/Cargo.toml
index 7e9e8060..86a69aee 100644
--- a/qos-test/Cargo.toml
+++ b/qos-test/Cargo.toml
@@ -4,8 +4,10 @@ version = "0.1.0"
 edition = "2021"
 publish = false
 
-[dev-dependencies]
+[dependencies]
 qos-core = { path = "../qos-core" }
+
+[dev-dependencies]
 qos-client = { path = "../qos-client" }
 qos-host = { path = "../qos-host" }
 qos-crypto = { path = "../qos-crypto" }
diff --git a/qos-test/src/lib.rs b/qos-test/src/lib.rs
index 45278f22..842fad13 100644
--- a/qos-test/src/lib.rs
+++ b/qos-test/src/lib.rs
@@ -1 +1,6 @@
 #![forbid(unsafe_code)]
+
+use std::collections::BTreeSet;
+
+use qos_core::protocol::{NsmDigest, NsmProvider, NsmRequest, NsmResponse};
+

From 2b882a66ed5eddc33228ffe56e0d87698a212707 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Mon, 16 May 2022 19:17:19 -0700
Subject: [PATCH 08/44] update docker file

---
 Dockerfile | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 76ddfb20..019a46c0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,4 @@
 FROM rust:1.60 as builder
-COPY ./Cargo.toml ./Cargo.toml
-COPY ./Cargo.lock ./Cargo.lock
-RUN cargo build
-
 COPY ./ ./
 RUN cargo build --bin qos-core --features vm --no-default-features
 

From 444665f58780b4782534ea66ac8f4b57672db4db Mon Sep 17 00:00:00 2001
From: Jack Kearney <jack@turnkey.io>
Date: Tue, 17 May 2022 02:20:05 +0000
Subject: [PATCH 09/44] Add new attest_document

---
 attest_document | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 attest_document

diff --git a/attest_document b/attest_document
new file mode 100644
index 00000000..a7187185
--- /dev/null
+++ b/attest_document
@@ -0,0 +1 @@
+[132, 68, 161, 1, 56, 34, 160, 89, 19, 220, 169, 105, 109, 111, 100, 117, 108, 101, 95, 105, 100, 120, 39, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 45, 101, 110, 99, 48, 49, 56, 48, 99, 102, 99, 102, 100, 99, 48, 54, 97, 51, 99, 97, 102, 100, 105, 103, 101, 115, 116, 102, 83, 72, 65, 51, 56, 52, 105, 116, 105, 109, 101, 115, 116, 97, 109, 112, 27, 0, 0, 1, 128, 207, 208, 6, 83, 100, 112, 99, 114, 115, 176, 0, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 88, 48, 26, 168, 192, 140, 173, 25, 127, 31, 229, 123, 209, 158, 184, 181, 98, 57, 109, 39, 65, 111, 164, 166, 206, 203, 135, 94, 25, 124, 131, 82, 66, 96, 92, 110, 185, 109, 116, 109, 171, 158, 151, 193, 146, 98, 73, 208, 143, 74, 5, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 13, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 107, 99, 101, 114, 116, 105, 102, 105, 99, 97, 116, 101, 89, 2, 126, 48, 130, 2, 122, 48, 130, 2, 1, 160, 3, 2, 1, 2, 2, 16, 1, 128, 207, 207, 220, 6, 163, 202, 0, 0, 0, 0, 98, 131, 6, 38, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 129, 142, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 57, 48, 55, 6, 3, 85, 4, 3, 12, 48, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 55, 48, 50, 49, 57, 49, 53, 90, 23, 13, 50, 50, 48, 53, 49, 55, 48, 53, 49, 57, 49, 56, 90, 48, 129, 147, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 62, 48, 60, 6, 3, 85, 4, 3, 12, 53, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 45, 101, 110, 99, 48, 49, 56, 48, 99, 102, 99, 102, 100, 99, 48, 54, 97, 51, 99, 97, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 64, 233, 7, 173, 105, 145, 172, 7, 38, 139, 151, 196, 130, 50, 200, 176, 180, 184, 126, 63, 183, 108, 30, 73, 196, 122, 128, 168, 176, 139, 3, 56, 77, 29, 100, 31, 225, 249, 75, 2, 211, 49, 205, 94, 228, 238, 213, 160, 217, 110, 187, 2, 77, 105, 124, 86, 112, 175, 167, 83, 158, 182, 44, 94, 202, 245, 139, 23, 102, 176, 11, 80, 120, 167, 129, 115, 148, 230, 134, 116, 96, 94, 40, 110, 34, 21, 91, 75, 152, 235, 96, 199, 234, 169, 38, 7, 163, 29, 48, 27, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 6, 192, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 38, 61, 99, 118, 200, 165, 151, 107, 27, 135, 33, 126, 114, 241, 145, 19, 242, 162, 157, 210, 203, 38, 102, 251, 177, 229, 159, 29, 97, 177, 202, 40, 241, 131, 151, 5, 60, 32, 30, 60, 91, 23, 26, 43, 29, 129, 84, 162, 2, 48, 46, 121, 230, 144, 42, 154, 92, 26, 133, 154, 160, 159, 183, 44, 53, 253, 159, 165, 202, 165, 198, 126, 17, 255, 214, 6, 238, 208, 153, 20, 255, 166, 128, 213, 108, 67, 142, 25, 51, 216, 148, 204, 142, 67, 92, 143, 220, 191, 104, 99, 97, 98, 117, 110, 100, 108, 101, 132, 89, 2, 21, 48, 130, 2, 17, 48, 130, 1, 150, 160, 3, 2, 1, 2, 2, 17, 0, 249, 49, 117, 104, 27, 144, 175, 225, 29, 70, 204, 180, 228, 231, 248, 86, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 49, 57, 49, 48, 50, 56, 49, 51, 50, 56, 48, 53, 90, 23, 13, 52, 57, 49, 48, 50, 56, 49, 52, 50, 56, 48, 53, 90, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 252, 2, 84, 235, 166, 8, 193, 243, 104, 112, 226, 154, 218, 144, 190, 70, 56, 50, 146, 115, 110, 137, 75, 255, 246, 114, 217, 137, 68, 75, 80, 81, 229, 52, 164, 177, 246, 219, 227, 192, 188, 88, 26, 50, 183, 177, 118, 7, 14, 222, 18, 214, 154, 63, 234, 33, 27, 102, 231, 82, 207, 125, 209, 221, 9, 95, 111, 19, 112, 244, 23, 8, 67, 217, 220, 16, 1, 33, 228, 207, 99, 1, 40, 9, 102, 68, 135, 201, 121, 98, 132, 48, 77, 197, 63, 244, 163, 66, 48, 64, 48, 15, 6, 3, 85, 29, 19, 1, 1, 255, 4, 5, 48, 3, 1, 1, 255, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 144, 37, 181, 13, 217, 5, 71, 231, 150, 195, 150, 250, 114, 157, 207, 153, 169, 223, 75, 150, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 105, 0, 48, 102, 2, 49, 0, 163, 127, 47, 145, 161, 201, 189, 94, 231, 184, 98, 124, 22, 152, 210, 85, 3, 142, 31, 3, 67, 249, 91, 99, 169, 98, 140, 61, 57, 128, 149, 69, 161, 30, 188, 191, 46, 59, 85, 216, 174, 238, 113, 180, 195, 214, 173, 243, 2, 49, 0, 162, 243, 155, 22, 5, 178, 112, 40, 165, 221, 75, 160, 105, 181, 1, 110, 101, 180, 251, 222, 143, 224, 6, 29, 106, 83, 25, 127, 156, 218, 245, 217, 67, 188, 97, 252, 43, 235, 3, 203, 111, 238, 141, 35, 2, 243, 223, 246, 89, 2, 193, 48, 130, 2, 189, 48, 130, 2, 68, 160, 3, 2, 1, 2, 2, 16, 101, 199, 204, 202, 87, 14, 220, 16, 15, 61, 225, 212, 138, 102, 255, 157, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 50, 48, 51, 51, 50, 53, 54, 90, 23, 13, 50, 50, 48, 54, 48, 49, 48, 52, 51, 50, 53, 54, 90, 48, 100, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 54, 48, 52, 6, 3, 85, 4, 3, 12, 45, 55, 55, 97, 53, 97, 49, 51, 55, 54, 55, 97, 54, 99, 56, 51, 49, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 222, 252, 141, 69, 152, 48, 54, 180, 63, 68, 105, 37, 175, 123, 59, 155, 212, 162, 176, 82, 168, 225, 2, 86, 52, 16, 138, 20, 104, 46, 28, 70, 228, 6, 173, 133, 36, 227, 73, 160, 184, 8, 102, 96, 219, 251, 137, 217, 240, 167, 124, 168, 90, 214, 190, 71, 206, 190, 26, 147, 11, 32, 157, 109, 103, 155, 95, 77, 251, 77, 99, 42, 102, 192, 206, 112, 250, 243, 241, 234, 30, 20, 208, 162, 218, 74, 186, 68, 36, 200, 14, 159, 33, 160, 12, 66, 163, 129, 213, 48, 129, 210, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 2, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 144, 37, 181, 13, 217, 5, 71, 231, 150, 195, 150, 250, 114, 157, 207, 153, 169, 223, 75, 150, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 133, 27, 7, 162, 173, 220, 156, 98, 111, 180, 23, 177, 10, 241, 150, 225, 121, 125, 252, 202, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 108, 6, 3, 85, 29, 31, 4, 101, 48, 99, 48, 97, 160, 95, 160, 93, 134, 91, 104, 116, 116, 112, 58, 47, 47, 97, 119, 115, 45, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 45, 99, 114, 108, 46, 115, 51, 46, 97, 109, 97, 122, 111, 110, 97, 119, 115, 46, 99, 111, 109, 47, 99, 114, 108, 47, 97, 98, 52, 57, 54, 48, 99, 99, 45, 55, 100, 54, 51, 45, 52, 50, 98, 100, 45, 57, 101, 57, 102, 45, 53, 57, 51, 51, 56, 99, 98, 54, 55, 102, 56, 52, 46, 99, 114, 108, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 97, 16, 159, 217, 30, 69, 151, 35, 31, 115, 87, 240, 159, 181, 162, 247, 229, 229, 175, 156, 93, 186, 83, 52, 225, 235, 45, 2, 148, 133, 10, 218, 189, 174, 86, 206, 154, 17, 82, 119, 75, 208, 223, 216, 100, 244, 223, 27, 2, 48, 20, 146, 166, 67, 119, 132, 151, 250, 100, 67, 177, 102, 112, 250, 234, 30, 55, 83, 97, 104, 45, 137, 13, 60, 25, 50, 92, 19, 227, 106, 251, 102, 117, 38, 161, 227, 177, 251, 11, 94, 129, 152, 1, 196, 197, 203, 128, 117, 89, 3, 23, 48, 130, 3, 19, 48, 130, 2, 154, 160, 3, 2, 1, 2, 2, 16, 66, 191, 173, 106, 243, 245, 153, 100, 102, 84, 221, 162, 118, 15, 1, 196, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 100, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 54, 48, 52, 6, 3, 85, 4, 3, 12, 45, 55, 55, 97, 53, 97, 49, 51, 55, 54, 55, 97, 54, 99, 56, 51, 49, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 54, 50, 50, 51, 48, 49, 56, 90, 23, 13, 50, 50, 48, 53, 50, 50, 50, 49, 51, 48, 49, 56, 90, 48, 129, 137, 49, 60, 48, 58, 6, 3, 85, 4, 3, 12, 51, 97, 99, 55, 99, 101, 98, 99, 48, 54, 102, 52, 101, 98, 98, 50, 98, 46, 122, 111, 110, 97, 108, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 11, 48, 9, 6, 3, 85, 4, 8, 12, 2, 87, 65, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 132, 96, 229, 136, 115, 25, 148, 177, 3, 239, 253, 83, 20, 162, 171, 242, 6, 39, 97, 110, 155, 216, 112, 201, 132, 5, 243, 151, 40, 179, 209, 184, 115, 218, 185, 217, 23, 250, 67, 45, 179, 172, 254, 154, 182, 150, 247, 12, 54, 159, 232, 139, 74, 101, 88, 59, 48, 163, 200, 223, 199, 102, 148, 51, 38, 109, 227, 140, 112, 15, 13, 237, 128, 229, 179, 130, 105, 206, 113, 141, 59, 241, 36, 140, 191, 217, 98, 232, 165, 232, 70, 255, 156, 41, 57, 172, 163, 129, 234, 48, 129, 231, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 133, 27, 7, 162, 173, 220, 156, 98, 111, 180, 23, 177, 10, 241, 150, 225, 121, 125, 252, 202, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 64, 234, 253, 247, 84, 156, 144, 3, 154, 191, 59, 159, 177, 155, 197, 150, 178, 18, 8, 187, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 129, 128, 6, 3, 85, 29, 31, 4, 121, 48, 119, 48, 117, 160, 115, 160, 113, 134, 111, 104, 116, 116, 112, 58, 47, 47, 99, 114, 108, 45, 117, 115, 45, 101, 97, 115, 116, 45, 49, 45, 97, 119, 115, 45, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 46, 115, 51, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 109, 97, 122, 111, 110, 97, 119, 115, 46, 99, 111, 109, 47, 99, 114, 108, 47, 99, 102, 52, 53, 54, 53, 97, 101, 45, 102, 57, 50, 102, 45, 52, 99, 49, 49, 45, 97, 56, 55, 54, 45, 101, 51, 55, 102, 102, 57, 49, 100, 51, 54, 98, 53, 46, 99, 114, 108, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 0, 141, 147, 219, 43, 141, 203, 251, 249, 65, 14, 59, 101, 58, 52, 17, 94, 125, 255, 136, 2, 119, 77, 162, 172, 220, 228, 96, 248, 224, 23, 70, 232, 179, 196, 64, 148, 253, 75, 153, 4, 125, 112, 234, 156, 106, 224, 228, 2, 48, 113, 100, 127, 5, 242, 8, 183, 52, 198, 118, 237, 86, 219, 91, 20, 89, 92, 154, 237, 13, 160, 230, 178, 78, 214, 86, 204, 233, 200, 195, 178, 149, 33, 114, 132, 209, 28, 126, 120, 190, 203, 61, 219, 145, 44, 76, 113, 255, 89, 2, 129, 48, 130, 2, 125, 48, 130, 2, 4, 160, 3, 2, 1, 2, 2, 20, 89, 91, 125, 245, 221, 115, 39, 32, 198, 129, 41, 209, 134, 253, 7, 213, 175, 51, 158, 192, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 129, 137, 49, 60, 48, 58, 6, 3, 85, 4, 3, 12, 51, 97, 99, 55, 99, 101, 98, 99, 48, 54, 102, 52, 101, 98, 98, 50, 98, 46, 122, 111, 110, 97, 108, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 11, 48, 9, 6, 3, 85, 4, 8, 12, 2, 87, 65, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 48, 30, 23, 13, 50, 50, 48, 53, 49, 55, 48, 49, 51, 50, 50, 55, 90, 23, 13, 50, 50, 48, 53, 49, 56, 48, 49, 51, 50, 50, 55, 90, 48, 129, 142, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 57, 48, 55, 6, 3, 85, 4, 3, 12, 48, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 217, 7, 202, 144, 1, 20, 13, 53, 232, 63, 221, 159, 225, 146, 134, 69, 146, 118, 201, 153, 160, 175, 125, 29, 75, 209, 208, 17, 139, 60, 241, 95, 234, 41, 212, 7, 177, 124, 161, 204, 166, 194, 44, 133, 232, 176, 11, 144, 63, 152, 193, 125, 85, 145, 72, 245, 151, 42, 102, 105, 84, 31, 79, 155, 24, 147, 140, 242, 204, 199, 198, 96, 157, 105, 8, 157, 169, 22, 102, 10, 112, 140, 221, 71, 210, 113, 87, 135, 200, 112, 157, 56, 193, 192, 141, 100, 163, 38, 48, 36, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 0, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 2, 4, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 15, 118, 172, 221, 229, 239, 80, 139, 142, 77, 175, 85, 204, 40, 253, 36, 69, 183, 3, 228, 119, 41, 137, 22, 191, 207, 224, 87, 24, 125, 66, 154, 118, 221, 241, 153, 247, 77, 201, 49, 99, 4, 183, 219, 210, 69, 112, 100, 2, 48, 44, 231, 245, 61, 54, 161, 162, 170, 57, 172, 91, 91, 60, 143, 204, 18, 118, 143, 208, 21, 163, 144, 107, 213, 109, 255, 239, 142, 56, 218, 105, 255, 3, 95, 135, 135, 226, 39, 127, 155, 15, 41, 166, 150, 253, 186, 42, 61, 106, 112, 117, 98, 108, 105, 99, 95, 107, 101, 121, 89, 3, 32, 45, 45, 45, 45, 45, 66, 69, 71, 73, 78, 32, 80, 85, 66, 76, 73, 67, 32, 75, 69, 89, 45, 45, 45, 45, 45, 10, 77, 73, 73, 67, 73, 106, 65, 78, 66, 103, 107, 113, 104, 107, 105, 71, 57, 119, 48, 66, 65, 81, 69, 70, 65, 65, 79, 67, 65, 103, 56, 65, 77, 73, 73, 67, 67, 103, 75, 67, 65, 103, 69, 65, 54, 115, 57, 103, 121, 102, 107, 77, 50, 69, 108, 53, 107, 50, 78, 99, 89, 70, 110, 100, 10, 105, 55, 49, 52, 106, 122, 77, 86, 79, 119, 85, 54, 80, 110, 75, 107, 43, 83, 122, 111, 101, 47, 83, 66, 104, 70, 49, 56, 111, 99, 106, 119, 85, 115, 47, 54, 57, 82, 86, 113, 71, 71, 48, 67, 69, 82, 88, 109, 55, 67, 114, 113, 70, 87, 89, 99, 51, 76, 57, 79, 79, 90, 52, 89, 10, 67, 119, 106, 66, 57, 112, 49, 57, 100, 83, 75, 74, 122, 50, 74, 113, 82, 88, 84, 99, 65, 43, 47, 66, 56, 47, 55, 57, 48, 98, 97, 110, 69, 109, 113, 106, 73, 53, 76, 66, 101, 56, 68, 118, 100, 102, 47, 112, 51, 100, 84, 118, 75, 49, 72, 47, 67, 89, 122, 111, 119, 86, 65, 115, 10, 117, 47, 111, 79, 99, 81, 84, 57, 119, 77, 67, 108, 48, 56, 56, 106, 101, 67, 118, 105, 54, 102, 89, 52, 113, 121, 75, 70, 101, 71, 98, 88, 67, 82, 71, 75, 84, 105, 81, 106, 122, 99, 103, 121, 80, 71, 57, 101, 52, 74, 121, 110, 74, 75, 118, 117, 77, 120, 81, 67, 112, 97, 52, 72, 10, 70, 117, 116, 65, 48, 73, 53, 98, 113, 108, 43, 68, 120, 80, 80, 106, 49, 87, 83, 99, 83, 72, 50, 85, 102, 70, 118, 120, 67, 118, 85, 115, 97, 115, 106, 102, 89, 114, 69, 43, 51, 97, 112, 101, 86, 72, 47, 55, 70, 68, 69, 106, 115, 52, 56, 86, 84, 47, 97, 48, 111, 74, 105, 98, 10, 82, 67, 71, 100, 48, 85, 70, 89, 83, 118, 66, 109, 66, 112, 115, 107, 76, 77, 121, 109, 66, 78, 48, 57, 102, 75, 118, 100, 90, 79, 112, 111, 105, 83, 78, 97, 48, 97, 90, 70, 119, 67, 116, 113, 121, 88, 54, 72, 48, 89, 109, 74, 120, 113, 111, 105, 113, 99, 111, 78, 78, 118, 47, 68, 10, 56, 116, 110, 65, 109, 120, 102, 73, 120, 114, 105, 73, 52, 116, 102, 90, 69, 73, 100, 107, 97, 78, 103, 88, 76, 89, 79, 102, 49, 99, 106, 117, 74, 83, 117, 74, 97, 111, 83, 66, 99, 72, 122, 48, 73, 98, 47, 82, 117, 86, 80, 100, 83, 85, 75, 104, 90, 83, 114, 121, 110, 84, 47, 102, 10, 72, 98, 106, 112, 120, 121, 103, 112, 97, 104, 110, 84, 49, 76, 43, 85, 101, 47, 68, 103, 110, 87, 75, 56, 67, 56, 83, 72, 84, 85, 99, 76, 122, 115, 81, 109, 68, 67, 68, 65, 43, 49, 54, 65, 106, 53, 98, 112, 55, 55, 43, 81, 80, 78, 47, 114, 85, 120, 88, 55, 69, 98, 88, 79, 10, 105, 119, 47, 73, 115, 114, 57, 114, 47, 74, 98, 98, 69, 107, 89, 47, 48, 89, 105, 88, 47, 113, 114, 56, 103, 98, 54, 81, 56, 89, 112, 90, 121, 82, 52, 97, 104, 56, 86, 49, 86, 87, 71, 82, 102, 122, 90, 49, 72, 49, 48, 53, 77, 67, 54, 107, 88, 107, 47, 66, 85, 120, 78, 121, 10, 76, 85, 86, 56, 111, 66, 65, 87, 89, 108, 52, 57, 47, 107, 120, 114, 109, 82, 73, 122, 90, 99, 48, 118, 120, 117, 70, 122, 54, 81, 122, 105, 113, 54, 108, 54, 74, 120, 49, 53, 98, 89, 50, 120, 103, 68, 122, 115, 48, 90, 74, 103, 54, 75, 67, 71, 112, 71, 48, 99, 106, 54, 117, 121, 10, 68, 57, 104, 82, 82, 52, 109, 118, 117, 77, 115, 75, 115, 47, 50, 105, 79, 49, 89, 85, 68, 99, 107, 48, 118, 65, 53, 101, 48, 81, 117, 84, 89, 67, 97, 89, 72, 69, 66, 74, 51, 110, 83, 73, 88, 83, 115, 76, 75, 76, 81, 101, 71, 57, 111, 99, 77, 74, 77, 88, 50, 105, 51, 103, 10, 110, 86, 105, 43, 86, 49, 82, 69, 83, 102, 75, 69, 101, 117, 102, 102, 90, 82, 75, 69, 112, 106, 69, 67, 65, 119, 69, 65, 65, 81, 61, 61, 10, 45, 45, 45, 45, 45, 69, 78, 68, 32, 80, 85, 66, 76, 73, 67, 32, 75, 69, 89, 45, 45, 45, 45, 45, 10, 105, 117, 115, 101, 114, 95, 100, 97, 116, 97, 246, 101, 110, 111, 110, 99, 101, 246, 88, 96, 174, 48, 177, 39, 24, 48, 211, 165, 107, 86, 21, 216, 93, 143, 22, 156, 203, 98, 163, 5, 213, 87, 210, 213, 90, 98, 93, 46, 150, 155, 75, 81, 186, 194, 134, 36, 254, 23, 84, 26, 185, 37, 248, 150, 72, 16, 193, 246, 96, 76, 65, 78, 5, 133, 136, 18, 42, 87, 137, 82, 56, 245, 113, 139, 121, 164, 201, 244, 237, 101, 116, 109, 204, 13, 116, 108, 58, 74, 181, 32, 208, 172, 36, 44, 187, 171, 138, 185, 80, 105, 171, 65, 177, 74, 136, 33]
\ No newline at end of file

From 37754fb4ef59c585656f17b35880834204ed625e Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Mon, 16 May 2022 19:25:32 -0700
Subject: [PATCH 10/44] Mock nsm attestation

---
 attest_document                       |   1 -
 attest_document.rs                    |   1 +
 qos-client/src/cli.rs                 |  12 +-
 qos-client/src/lib.rs                 |   3 +-
 qos-core/src/protocol/attest_document | Bin 5194 -> 0 bytes
 qos-core/src/protocol/attestor.rs     | 291 +++++++++++++++++++++++++-
 qos-crypto/src/lib.rs                 |  19 +-
 qos-crypto/src/shamir.rs              |   2 +-
 qos-test/src/lib.rs                   |   1 -
 9 files changed, 311 insertions(+), 19 deletions(-)
 delete mode 100644 attest_document
 create mode 100644 attest_document.rs
 delete mode 100644 qos-core/src/protocol/attest_document

diff --git a/attest_document b/attest_document
deleted file mode 100644
index a7187185..00000000
--- a/attest_document
+++ /dev/null
@@ -1 +0,0 @@
-[132, 68, 161, 1, 56, 34, 160, 89, 19, 220, 169, 105, 109, 111, 100, 117, 108, 101, 95, 105, 100, 120, 39, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 45, 101, 110, 99, 48, 49, 56, 48, 99, 102, 99, 102, 100, 99, 48, 54, 97, 51, 99, 97, 102, 100, 105, 103, 101, 115, 116, 102, 83, 72, 65, 51, 56, 52, 105, 116, 105, 109, 101, 115, 116, 97, 109, 112, 27, 0, 0, 1, 128, 207, 208, 6, 83, 100, 112, 99, 114, 115, 176, 0, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 88, 48, 26, 168, 192, 140, 173, 25, 127, 31, 229, 123, 209, 158, 184, 181, 98, 57, 109, 39, 65, 111, 164, 166, 206, 203, 135, 94, 25, 124, 131, 82, 66, 96, 92, 110, 185, 109, 116, 109, 171, 158, 151, 193, 146, 98, 73, 208, 143, 74, 5, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 13, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 107, 99, 101, 114, 116, 105, 102, 105, 99, 97, 116, 101, 89, 2, 126, 48, 130, 2, 122, 48, 130, 2, 1, 160, 3, 2, 1, 2, 2, 16, 1, 128, 207, 207, 220, 6, 163, 202, 0, 0, 0, 0, 98, 131, 6, 38, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 129, 142, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 57, 48, 55, 6, 3, 85, 4, 3, 12, 48, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 55, 48, 50, 49, 57, 49, 53, 90, 23, 13, 50, 50, 48, 53, 49, 55, 48, 53, 49, 57, 49, 56, 90, 48, 129, 147, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 62, 48, 60, 6, 3, 85, 4, 3, 12, 53, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 45, 101, 110, 99, 48, 49, 56, 48, 99, 102, 99, 102, 100, 99, 48, 54, 97, 51, 99, 97, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 64, 233, 7, 173, 105, 145, 172, 7, 38, 139, 151, 196, 130, 50, 200, 176, 180, 184, 126, 63, 183, 108, 30, 73, 196, 122, 128, 168, 176, 139, 3, 56, 77, 29, 100, 31, 225, 249, 75, 2, 211, 49, 205, 94, 228, 238, 213, 160, 217, 110, 187, 2, 77, 105, 124, 86, 112, 175, 167, 83, 158, 182, 44, 94, 202, 245, 139, 23, 102, 176, 11, 80, 120, 167, 129, 115, 148, 230, 134, 116, 96, 94, 40, 110, 34, 21, 91, 75, 152, 235, 96, 199, 234, 169, 38, 7, 163, 29, 48, 27, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 6, 192, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 38, 61, 99, 118, 200, 165, 151, 107, 27, 135, 33, 126, 114, 241, 145, 19, 242, 162, 157, 210, 203, 38, 102, 251, 177, 229, 159, 29, 97, 177, 202, 40, 241, 131, 151, 5, 60, 32, 30, 60, 91, 23, 26, 43, 29, 129, 84, 162, 2, 48, 46, 121, 230, 144, 42, 154, 92, 26, 133, 154, 160, 159, 183, 44, 53, 253, 159, 165, 202, 165, 198, 126, 17, 255, 214, 6, 238, 208, 153, 20, 255, 166, 128, 213, 108, 67, 142, 25, 51, 216, 148, 204, 142, 67, 92, 143, 220, 191, 104, 99, 97, 98, 117, 110, 100, 108, 101, 132, 89, 2, 21, 48, 130, 2, 17, 48, 130, 1, 150, 160, 3, 2, 1, 2, 2, 17, 0, 249, 49, 117, 104, 27, 144, 175, 225, 29, 70, 204, 180, 228, 231, 248, 86, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 49, 57, 49, 48, 50, 56, 49, 51, 50, 56, 48, 53, 90, 23, 13, 52, 57, 49, 48, 50, 56, 49, 52, 50, 56, 48, 53, 90, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 252, 2, 84, 235, 166, 8, 193, 243, 104, 112, 226, 154, 218, 144, 190, 70, 56, 50, 146, 115, 110, 137, 75, 255, 246, 114, 217, 137, 68, 75, 80, 81, 229, 52, 164, 177, 246, 219, 227, 192, 188, 88, 26, 50, 183, 177, 118, 7, 14, 222, 18, 214, 154, 63, 234, 33, 27, 102, 231, 82, 207, 125, 209, 221, 9, 95, 111, 19, 112, 244, 23, 8, 67, 217, 220, 16, 1, 33, 228, 207, 99, 1, 40, 9, 102, 68, 135, 201, 121, 98, 132, 48, 77, 197, 63, 244, 163, 66, 48, 64, 48, 15, 6, 3, 85, 29, 19, 1, 1, 255, 4, 5, 48, 3, 1, 1, 255, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 144, 37, 181, 13, 217, 5, 71, 231, 150, 195, 150, 250, 114, 157, 207, 153, 169, 223, 75, 150, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 105, 0, 48, 102, 2, 49, 0, 163, 127, 47, 145, 161, 201, 189, 94, 231, 184, 98, 124, 22, 152, 210, 85, 3, 142, 31, 3, 67, 249, 91, 99, 169, 98, 140, 61, 57, 128, 149, 69, 161, 30, 188, 191, 46, 59, 85, 216, 174, 238, 113, 180, 195, 214, 173, 243, 2, 49, 0, 162, 243, 155, 22, 5, 178, 112, 40, 165, 221, 75, 160, 105, 181, 1, 110, 101, 180, 251, 222, 143, 224, 6, 29, 106, 83, 25, 127, 156, 218, 245, 217, 67, 188, 97, 252, 43, 235, 3, 203, 111, 238, 141, 35, 2, 243, 223, 246, 89, 2, 193, 48, 130, 2, 189, 48, 130, 2, 68, 160, 3, 2, 1, 2, 2, 16, 101, 199, 204, 202, 87, 14, 220, 16, 15, 61, 225, 212, 138, 102, 255, 157, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 50, 48, 51, 51, 50, 53, 54, 90, 23, 13, 50, 50, 48, 54, 48, 49, 48, 52, 51, 50, 53, 54, 90, 48, 100, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 54, 48, 52, 6, 3, 85, 4, 3, 12, 45, 55, 55, 97, 53, 97, 49, 51, 55, 54, 55, 97, 54, 99, 56, 51, 49, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 222, 252, 141, 69, 152, 48, 54, 180, 63, 68, 105, 37, 175, 123, 59, 155, 212, 162, 176, 82, 168, 225, 2, 86, 52, 16, 138, 20, 104, 46, 28, 70, 228, 6, 173, 133, 36, 227, 73, 160, 184, 8, 102, 96, 219, 251, 137, 217, 240, 167, 124, 168, 90, 214, 190, 71, 206, 190, 26, 147, 11, 32, 157, 109, 103, 155, 95, 77, 251, 77, 99, 42, 102, 192, 206, 112, 250, 243, 241, 234, 30, 20, 208, 162, 218, 74, 186, 68, 36, 200, 14, 159, 33, 160, 12, 66, 163, 129, 213, 48, 129, 210, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 2, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 144, 37, 181, 13, 217, 5, 71, 231, 150, 195, 150, 250, 114, 157, 207, 153, 169, 223, 75, 150, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 133, 27, 7, 162, 173, 220, 156, 98, 111, 180, 23, 177, 10, 241, 150, 225, 121, 125, 252, 202, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 108, 6, 3, 85, 29, 31, 4, 101, 48, 99, 48, 97, 160, 95, 160, 93, 134, 91, 104, 116, 116, 112, 58, 47, 47, 97, 119, 115, 45, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 45, 99, 114, 108, 46, 115, 51, 46, 97, 109, 97, 122, 111, 110, 97, 119, 115, 46, 99, 111, 109, 47, 99, 114, 108, 47, 97, 98, 52, 57, 54, 48, 99, 99, 45, 55, 100, 54, 51, 45, 52, 50, 98, 100, 45, 57, 101, 57, 102, 45, 53, 57, 51, 51, 56, 99, 98, 54, 55, 102, 56, 52, 46, 99, 114, 108, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 97, 16, 159, 217, 30, 69, 151, 35, 31, 115, 87, 240, 159, 181, 162, 247, 229, 229, 175, 156, 93, 186, 83, 52, 225, 235, 45, 2, 148, 133, 10, 218, 189, 174, 86, 206, 154, 17, 82, 119, 75, 208, 223, 216, 100, 244, 223, 27, 2, 48, 20, 146, 166, 67, 119, 132, 151, 250, 100, 67, 177, 102, 112, 250, 234, 30, 55, 83, 97, 104, 45, 137, 13, 60, 25, 50, 92, 19, 227, 106, 251, 102, 117, 38, 161, 227, 177, 251, 11, 94, 129, 152, 1, 196, 197, 203, 128, 117, 89, 3, 23, 48, 130, 3, 19, 48, 130, 2, 154, 160, 3, 2, 1, 2, 2, 16, 66, 191, 173, 106, 243, 245, 153, 100, 102, 84, 221, 162, 118, 15, 1, 196, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 100, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 54, 48, 52, 6, 3, 85, 4, 3, 12, 45, 55, 55, 97, 53, 97, 49, 51, 55, 54, 55, 97, 54, 99, 56, 51, 49, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 54, 50, 50, 51, 48, 49, 56, 90, 23, 13, 50, 50, 48, 53, 50, 50, 50, 49, 51, 48, 49, 56, 90, 48, 129, 137, 49, 60, 48, 58, 6, 3, 85, 4, 3, 12, 51, 97, 99, 55, 99, 101, 98, 99, 48, 54, 102, 52, 101, 98, 98, 50, 98, 46, 122, 111, 110, 97, 108, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 11, 48, 9, 6, 3, 85, 4, 8, 12, 2, 87, 65, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 132, 96, 229, 136, 115, 25, 148, 177, 3, 239, 253, 83, 20, 162, 171, 242, 6, 39, 97, 110, 155, 216, 112, 201, 132, 5, 243, 151, 40, 179, 209, 184, 115, 218, 185, 217, 23, 250, 67, 45, 179, 172, 254, 154, 182, 150, 247, 12, 54, 159, 232, 139, 74, 101, 88, 59, 48, 163, 200, 223, 199, 102, 148, 51, 38, 109, 227, 140, 112, 15, 13, 237, 128, 229, 179, 130, 105, 206, 113, 141, 59, 241, 36, 140, 191, 217, 98, 232, 165, 232, 70, 255, 156, 41, 57, 172, 163, 129, 234, 48, 129, 231, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 133, 27, 7, 162, 173, 220, 156, 98, 111, 180, 23, 177, 10, 241, 150, 225, 121, 125, 252, 202, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 64, 234, 253, 247, 84, 156, 144, 3, 154, 191, 59, 159, 177, 155, 197, 150, 178, 18, 8, 187, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 129, 128, 6, 3, 85, 29, 31, 4, 121, 48, 119, 48, 117, 160, 115, 160, 113, 134, 111, 104, 116, 116, 112, 58, 47, 47, 99, 114, 108, 45, 117, 115, 45, 101, 97, 115, 116, 45, 49, 45, 97, 119, 115, 45, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 46, 115, 51, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 109, 97, 122, 111, 110, 97, 119, 115, 46, 99, 111, 109, 47, 99, 114, 108, 47, 99, 102, 52, 53, 54, 53, 97, 101, 45, 102, 57, 50, 102, 45, 52, 99, 49, 49, 45, 97, 56, 55, 54, 45, 101, 51, 55, 102, 102, 57, 49, 100, 51, 54, 98, 53, 46, 99, 114, 108, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 0, 141, 147, 219, 43, 141, 203, 251, 249, 65, 14, 59, 101, 58, 52, 17, 94, 125, 255, 136, 2, 119, 77, 162, 172, 220, 228, 96, 248, 224, 23, 70, 232, 179, 196, 64, 148, 253, 75, 153, 4, 125, 112, 234, 156, 106, 224, 228, 2, 48, 113, 100, 127, 5, 242, 8, 183, 52, 198, 118, 237, 86, 219, 91, 20, 89, 92, 154, 237, 13, 160, 230, 178, 78, 214, 86, 204, 233, 200, 195, 178, 149, 33, 114, 132, 209, 28, 126, 120, 190, 203, 61, 219, 145, 44, 76, 113, 255, 89, 2, 129, 48, 130, 2, 125, 48, 130, 2, 4, 160, 3, 2, 1, 2, 2, 20, 89, 91, 125, 245, 221, 115, 39, 32, 198, 129, 41, 209, 134, 253, 7, 213, 175, 51, 158, 192, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 129, 137, 49, 60, 48, 58, 6, 3, 85, 4, 3, 12, 51, 97, 99, 55, 99, 101, 98, 99, 48, 54, 102, 52, 101, 98, 98, 50, 98, 46, 122, 111, 110, 97, 108, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 11, 48, 9, 6, 3, 85, 4, 8, 12, 2, 87, 65, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 48, 30, 23, 13, 50, 50, 48, 53, 49, 55, 48, 49, 51, 50, 50, 55, 90, 23, 13, 50, 50, 48, 53, 49, 56, 48, 49, 51, 50, 50, 55, 90, 48, 129, 142, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 57, 48, 55, 6, 3, 85, 4, 3, 12, 48, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 217, 7, 202, 144, 1, 20, 13, 53, 232, 63, 221, 159, 225, 146, 134, 69, 146, 118, 201, 153, 160, 175, 125, 29, 75, 209, 208, 17, 139, 60, 241, 95, 234, 41, 212, 7, 177, 124, 161, 204, 166, 194, 44, 133, 232, 176, 11, 144, 63, 152, 193, 125, 85, 145, 72, 245, 151, 42, 102, 105, 84, 31, 79, 155, 24, 147, 140, 242, 204, 199, 198, 96, 157, 105, 8, 157, 169, 22, 102, 10, 112, 140, 221, 71, 210, 113, 87, 135, 200, 112, 157, 56, 193, 192, 141, 100, 163, 38, 48, 36, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 0, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 2, 4, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 15, 118, 172, 221, 229, 239, 80, 139, 142, 77, 175, 85, 204, 40, 253, 36, 69, 183, 3, 228, 119, 41, 137, 22, 191, 207, 224, 87, 24, 125, 66, 154, 118, 221, 241, 153, 247, 77, 201, 49, 99, 4, 183, 219, 210, 69, 112, 100, 2, 48, 44, 231, 245, 61, 54, 161, 162, 170, 57, 172, 91, 91, 60, 143, 204, 18, 118, 143, 208, 21, 163, 144, 107, 213, 109, 255, 239, 142, 56, 218, 105, 255, 3, 95, 135, 135, 226, 39, 127, 155, 15, 41, 166, 150, 253, 186, 42, 61, 106, 112, 117, 98, 108, 105, 99, 95, 107, 101, 121, 89, 3, 32, 45, 45, 45, 45, 45, 66, 69, 71, 73, 78, 32, 80, 85, 66, 76, 73, 67, 32, 75, 69, 89, 45, 45, 45, 45, 45, 10, 77, 73, 73, 67, 73, 106, 65, 78, 66, 103, 107, 113, 104, 107, 105, 71, 57, 119, 48, 66, 65, 81, 69, 70, 65, 65, 79, 67, 65, 103, 56, 65, 77, 73, 73, 67, 67, 103, 75, 67, 65, 103, 69, 65, 54, 115, 57, 103, 121, 102, 107, 77, 50, 69, 108, 53, 107, 50, 78, 99, 89, 70, 110, 100, 10, 105, 55, 49, 52, 106, 122, 77, 86, 79, 119, 85, 54, 80, 110, 75, 107, 43, 83, 122, 111, 101, 47, 83, 66, 104, 70, 49, 56, 111, 99, 106, 119, 85, 115, 47, 54, 57, 82, 86, 113, 71, 71, 48, 67, 69, 82, 88, 109, 55, 67, 114, 113, 70, 87, 89, 99, 51, 76, 57, 79, 79, 90, 52, 89, 10, 67, 119, 106, 66, 57, 112, 49, 57, 100, 83, 75, 74, 122, 50, 74, 113, 82, 88, 84, 99, 65, 43, 47, 66, 56, 47, 55, 57, 48, 98, 97, 110, 69, 109, 113, 106, 73, 53, 76, 66, 101, 56, 68, 118, 100, 102, 47, 112, 51, 100, 84, 118, 75, 49, 72, 47, 67, 89, 122, 111, 119, 86, 65, 115, 10, 117, 47, 111, 79, 99, 81, 84, 57, 119, 77, 67, 108, 48, 56, 56, 106, 101, 67, 118, 105, 54, 102, 89, 52, 113, 121, 75, 70, 101, 71, 98, 88, 67, 82, 71, 75, 84, 105, 81, 106, 122, 99, 103, 121, 80, 71, 57, 101, 52, 74, 121, 110, 74, 75, 118, 117, 77, 120, 81, 67, 112, 97, 52, 72, 10, 70, 117, 116, 65, 48, 73, 53, 98, 113, 108, 43, 68, 120, 80, 80, 106, 49, 87, 83, 99, 83, 72, 50, 85, 102, 70, 118, 120, 67, 118, 85, 115, 97, 115, 106, 102, 89, 114, 69, 43, 51, 97, 112, 101, 86, 72, 47, 55, 70, 68, 69, 106, 115, 52, 56, 86, 84, 47, 97, 48, 111, 74, 105, 98, 10, 82, 67, 71, 100, 48, 85, 70, 89, 83, 118, 66, 109, 66, 112, 115, 107, 76, 77, 121, 109, 66, 78, 48, 57, 102, 75, 118, 100, 90, 79, 112, 111, 105, 83, 78, 97, 48, 97, 90, 70, 119, 67, 116, 113, 121, 88, 54, 72, 48, 89, 109, 74, 120, 113, 111, 105, 113, 99, 111, 78, 78, 118, 47, 68, 10, 56, 116, 110, 65, 109, 120, 102, 73, 120, 114, 105, 73, 52, 116, 102, 90, 69, 73, 100, 107, 97, 78, 103, 88, 76, 89, 79, 102, 49, 99, 106, 117, 74, 83, 117, 74, 97, 111, 83, 66, 99, 72, 122, 48, 73, 98, 47, 82, 117, 86, 80, 100, 83, 85, 75, 104, 90, 83, 114, 121, 110, 84, 47, 102, 10, 72, 98, 106, 112, 120, 121, 103, 112, 97, 104, 110, 84, 49, 76, 43, 85, 101, 47, 68, 103, 110, 87, 75, 56, 67, 56, 83, 72, 84, 85, 99, 76, 122, 115, 81, 109, 68, 67, 68, 65, 43, 49, 54, 65, 106, 53, 98, 112, 55, 55, 43, 81, 80, 78, 47, 114, 85, 120, 88, 55, 69, 98, 88, 79, 10, 105, 119, 47, 73, 115, 114, 57, 114, 47, 74, 98, 98, 69, 107, 89, 47, 48, 89, 105, 88, 47, 113, 114, 56, 103, 98, 54, 81, 56, 89, 112, 90, 121, 82, 52, 97, 104, 56, 86, 49, 86, 87, 71, 82, 102, 122, 90, 49, 72, 49, 48, 53, 77, 67, 54, 107, 88, 107, 47, 66, 85, 120, 78, 121, 10, 76, 85, 86, 56, 111, 66, 65, 87, 89, 108, 52, 57, 47, 107, 120, 114, 109, 82, 73, 122, 90, 99, 48, 118, 120, 117, 70, 122, 54, 81, 122, 105, 113, 54, 108, 54, 74, 120, 49, 53, 98, 89, 50, 120, 103, 68, 122, 115, 48, 90, 74, 103, 54, 75, 67, 71, 112, 71, 48, 99, 106, 54, 117, 121, 10, 68, 57, 104, 82, 82, 52, 109, 118, 117, 77, 115, 75, 115, 47, 50, 105, 79, 49, 89, 85, 68, 99, 107, 48, 118, 65, 53, 101, 48, 81, 117, 84, 89, 67, 97, 89, 72, 69, 66, 74, 51, 110, 83, 73, 88, 83, 115, 76, 75, 76, 81, 101, 71, 57, 111, 99, 77, 74, 77, 88, 50, 105, 51, 103, 10, 110, 86, 105, 43, 86, 49, 82, 69, 83, 102, 75, 69, 101, 117, 102, 102, 90, 82, 75, 69, 112, 106, 69, 67, 65, 119, 69, 65, 65, 81, 61, 61, 10, 45, 45, 45, 45, 45, 69, 78, 68, 32, 80, 85, 66, 76, 73, 67, 32, 75, 69, 89, 45, 45, 45, 45, 45, 10, 105, 117, 115, 101, 114, 95, 100, 97, 116, 97, 246, 101, 110, 111, 110, 99, 101, 246, 88, 96, 174, 48, 177, 39, 24, 48, 211, 165, 107, 86, 21, 216, 93, 143, 22, 156, 203, 98, 163, 5, 213, 87, 210, 213, 90, 98, 93, 46, 150, 155, 75, 81, 186, 194, 134, 36, 254, 23, 84, 26, 185, 37, 248, 150, 72, 16, 193, 246, 96, 76, 65, 78, 5, 133, 136, 18, 42, 87, 137, 82, 56, 245, 113, 139, 121, 164, 201, 244, 237, 101, 116, 109, 204, 13, 116, 108, 58, 74, 181, 32, 208, 172, 36, 44, 187, 171, 138, 185, 80, 105, 171, 65, 177, 74, 136, 33]
\ No newline at end of file
diff --git a/attest_document.rs b/attest_document.rs
new file mode 100644
index 00000000..50cf4003
--- /dev/null
+++ b/attest_document.rs
@@ -0,0 +1 @@
+const MOCK_NSM: Vec<u8> = vec![132, 68, 161, 1, 56, 34, 160, 89, 19, 220, 169, 105, 109, 111, 100, 117, 108, 101, 95, 105, 100, 120, 39, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 45, 101, 110, 99, 48, 49, 56, 48, 99, 102, 99, 102, 100, 99, 48, 54, 97, 51, 99, 97, 102, 100, 105, 103, 101, 115, 116, 102, 83, 72, 65, 51, 56, 52, 105, 116, 105, 109, 101, 115, 116, 97, 109, 112, 27, 0, 0, 1, 128, 207, 208, 6, 83, 100, 112, 99, 114, 115, 176, 0, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 88, 48, 26, 168, 192, 140, 173, 25, 127, 31, 229, 123, 209, 158, 184, 181, 98, 57, 109, 39, 65, 111, 164, 166, 206, 203, 135, 94, 25, 124, 131, 82, 66, 96, 92, 110, 185, 109, 116, 109, 171, 158, 151, 193, 146, 98, 73, 208, 143, 74, 5, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 13, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 107, 99, 101, 114, 116, 105, 102, 105, 99, 97, 116, 101, 89, 2, 126, 48, 130, 2, 122, 48, 130, 2, 1, 160, 3, 2, 1, 2, 2, 16, 1, 128, 207, 207, 220, 6, 163, 202, 0, 0, 0, 0, 98, 131, 6, 38, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 129, 142, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 57, 48, 55, 6, 3, 85, 4, 3, 12, 48, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 55, 48, 50, 49, 57, 49, 53, 90, 23, 13, 50, 50, 48, 53, 49, 55, 48, 53, 49, 57, 49, 56, 90, 48, 129, 147, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 62, 48, 60, 6, 3, 85, 4, 3, 12, 53, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 45, 101, 110, 99, 48, 49, 56, 48, 99, 102, 99, 102, 100, 99, 48, 54, 97, 51, 99, 97, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 64, 233, 7, 173, 105, 145, 172, 7, 38, 139, 151, 196, 130, 50, 200, 176, 180, 184, 126, 63, 183, 108, 30, 73, 196, 122, 128, 168, 176, 139, 3, 56, 77, 29, 100, 31, 225, 249, 75, 2, 211, 49, 205, 94, 228, 238, 213, 160, 217, 110, 187, 2, 77, 105, 124, 86, 112, 175, 167, 83, 158, 182, 44, 94, 202, 245, 139, 23, 102, 176, 11, 80, 120, 167, 129, 115, 148, 230, 134, 116, 96, 94, 40, 110, 34, 21, 91, 75, 152, 235, 96, 199, 234, 169, 38, 7, 163, 29, 48, 27, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 6, 192, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 38, 61, 99, 118, 200, 165, 151, 107, 27, 135, 33, 126, 114, 241, 145, 19, 242, 162, 157, 210, 203, 38, 102, 251, 177, 229, 159, 29, 97, 177, 202, 40, 241, 131, 151, 5, 60, 32, 30, 60, 91, 23, 26, 43, 29, 129, 84, 162, 2, 48, 46, 121, 230, 144, 42, 154, 92, 26, 133, 154, 160, 159, 183, 44, 53, 253, 159, 165, 202, 165, 198, 126, 17, 255, 214, 6, 238, 208, 153, 20, 255, 166, 128, 213, 108, 67, 142, 25, 51, 216, 148, 204, 142, 67, 92, 143, 220, 191, 104, 99, 97, 98, 117, 110, 100, 108, 101, 132, 89, 2, 21, 48, 130, 2, 17, 48, 130, 1, 150, 160, 3, 2, 1, 2, 2, 17, 0, 249, 49, 117, 104, 27, 144, 175, 225, 29, 70, 204, 180, 228, 231, 248, 86, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 49, 57, 49, 48, 50, 56, 49, 51, 50, 56, 48, 53, 90, 23, 13, 52, 57, 49, 48, 50, 56, 49, 52, 50, 56, 48, 53, 90, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 252, 2, 84, 235, 166, 8, 193, 243, 104, 112, 226, 154, 218, 144, 190, 70, 56, 50, 146, 115, 110, 137, 75, 255, 246, 114, 217, 137, 68, 75, 80, 81, 229, 52, 164, 177, 246, 219, 227, 192, 188, 88, 26, 50, 183, 177, 118, 7, 14, 222, 18, 214, 154, 63, 234, 33, 27, 102, 231, 82, 207, 125, 209, 221, 9, 95, 111, 19, 112, 244, 23, 8, 67, 217, 220, 16, 1, 33, 228, 207, 99, 1, 40, 9, 102, 68, 135, 201, 121, 98, 132, 48, 77, 197, 63, 244, 163, 66, 48, 64, 48, 15, 6, 3, 85, 29, 19, 1, 1, 255, 4, 5, 48, 3, 1, 1, 255, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 144, 37, 181, 13, 217, 5, 71, 231, 150, 195, 150, 250, 114, 157, 207, 153, 169, 223, 75, 150, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 105, 0, 48, 102, 2, 49, 0, 163, 127, 47, 145, 161, 201, 189, 94, 231, 184, 98, 124, 22, 152, 210, 85, 3, 142, 31, 3, 67, 249, 91, 99, 169, 98, 140, 61, 57, 128, 149, 69, 161, 30, 188, 191, 46, 59, 85, 216, 174, 238, 113, 180, 195, 214, 173, 243, 2, 49, 0, 162, 243, 155, 22, 5, 178, 112, 40, 165, 221, 75, 160, 105, 181, 1, 110, 101, 180, 251, 222, 143, 224, 6, 29, 106, 83, 25, 127, 156, 218, 245, 217, 67, 188, 97, 252, 43, 235, 3, 203, 111, 238, 141, 35, 2, 243, 223, 246, 89, 2, 193, 48, 130, 2, 189, 48, 130, 2, 68, 160, 3, 2, 1, 2, 2, 16, 101, 199, 204, 202, 87, 14, 220, 16, 15, 61, 225, 212, 138, 102, 255, 157, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 50, 48, 51, 51, 50, 53, 54, 90, 23, 13, 50, 50, 48, 54, 48, 49, 48, 52, 51, 50, 53, 54, 90, 48, 100, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 54, 48, 52, 6, 3, 85, 4, 3, 12, 45, 55, 55, 97, 53, 97, 49, 51, 55, 54, 55, 97, 54, 99, 56, 51, 49, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 222, 252, 141, 69, 152, 48, 54, 180, 63, 68, 105, 37, 175, 123, 59, 155, 212, 162, 176, 82, 168, 225, 2, 86, 52, 16, 138, 20, 104, 46, 28, 70, 228, 6, 173, 133, 36, 227, 73, 160, 184, 8, 102, 96, 219, 251, 137, 217, 240, 167, 124, 168, 90, 214, 190, 71, 206, 190, 26, 147, 11, 32, 157, 109, 103, 155, 95, 77, 251, 77, 99, 42, 102, 192, 206, 112, 250, 243, 241, 234, 30, 20, 208, 162, 218, 74, 186, 68, 36, 200, 14, 159, 33, 160, 12, 66, 163, 129, 213, 48, 129, 210, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 2, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 144, 37, 181, 13, 217, 5, 71, 231, 150, 195, 150, 250, 114, 157, 207, 153, 169, 223, 75, 150, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 133, 27, 7, 162, 173, 220, 156, 98, 111, 180, 23, 177, 10, 241, 150, 225, 121, 125, 252, 202, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 108, 6, 3, 85, 29, 31, 4, 101, 48, 99, 48, 97, 160, 95, 160, 93, 134, 91, 104, 116, 116, 112, 58, 47, 47, 97, 119, 115, 45, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 45, 99, 114, 108, 46, 115, 51, 46, 97, 109, 97, 122, 111, 110, 97, 119, 115, 46, 99, 111, 109, 47, 99, 114, 108, 47, 97, 98, 52, 57, 54, 48, 99, 99, 45, 55, 100, 54, 51, 45, 52, 50, 98, 100, 45, 57, 101, 57, 102, 45, 53, 57, 51, 51, 56, 99, 98, 54, 55, 102, 56, 52, 46, 99, 114, 108, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 97, 16, 159, 217, 30, 69, 151, 35, 31, 115, 87, 240, 159, 181, 162, 247, 229, 229, 175, 156, 93, 186, 83, 52, 225, 235, 45, 2, 148, 133, 10, 218, 189, 174, 86, 206, 154, 17, 82, 119, 75, 208, 223, 216, 100, 244, 223, 27, 2, 48, 20, 146, 166, 67, 119, 132, 151, 250, 100, 67, 177, 102, 112, 250, 234, 30, 55, 83, 97, 104, 45, 137, 13, 60, 25, 50, 92, 19, 227, 106, 251, 102, 117, 38, 161, 227, 177, 251, 11, 94, 129, 152, 1, 196, 197, 203, 128, 117, 89, 3, 23, 48, 130, 3, 19, 48, 130, 2, 154, 160, 3, 2, 1, 2, 2, 16, 66, 191, 173, 106, 243, 245, 153, 100, 102, 84, 221, 162, 118, 15, 1, 196, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 100, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 54, 48, 52, 6, 3, 85, 4, 3, 12, 45, 55, 55, 97, 53, 97, 49, 51, 55, 54, 55, 97, 54, 99, 56, 51, 49, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 54, 50, 50, 51, 48, 49, 56, 90, 23, 13, 50, 50, 48, 53, 50, 50, 50, 49, 51, 48, 49, 56, 90, 48, 129, 137, 49, 60, 48, 58, 6, 3, 85, 4, 3, 12, 51, 97, 99, 55, 99, 101, 98, 99, 48, 54, 102, 52, 101, 98, 98, 50, 98, 46, 122, 111, 110, 97, 108, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 11, 48, 9, 6, 3, 85, 4, 8, 12, 2, 87, 65, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 132, 96, 229, 136, 115, 25, 148, 177, 3, 239, 253, 83, 20, 162, 171, 242, 6, 39, 97, 110, 155, 216, 112, 201, 132, 5, 243, 151, 40, 179, 209, 184, 115, 218, 185, 217, 23, 250, 67, 45, 179, 172, 254, 154, 182, 150, 247, 12, 54, 159, 232, 139, 74, 101, 88, 59, 48, 163, 200, 223, 199, 102, 148, 51, 38, 109, 227, 140, 112, 15, 13, 237, 128, 229, 179, 130, 105, 206, 113, 141, 59, 241, 36, 140, 191, 217, 98, 232, 165, 232, 70, 255, 156, 41, 57, 172, 163, 129, 234, 48, 129, 231, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 133, 27, 7, 162, 173, 220, 156, 98, 111, 180, 23, 177, 10, 241, 150, 225, 121, 125, 252, 202, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 64, 234, 253, 247, 84, 156, 144, 3, 154, 191, 59, 159, 177, 155, 197, 150, 178, 18, 8, 187, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 129, 128, 6, 3, 85, 29, 31, 4, 121, 48, 119, 48, 117, 160, 115, 160, 113, 134, 111, 104, 116, 116, 112, 58, 47, 47, 99, 114, 108, 45, 117, 115, 45, 101, 97, 115, 116, 45, 49, 45, 97, 119, 115, 45, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 46, 115, 51, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 109, 97, 122, 111, 110, 97, 119, 115, 46, 99, 111, 109, 47, 99, 114, 108, 47, 99, 102, 52, 53, 54, 53, 97, 101, 45, 102, 57, 50, 102, 45, 52, 99, 49, 49, 45, 97, 56, 55, 54, 45, 101, 51, 55, 102, 102, 57, 49, 100, 51, 54, 98, 53, 46, 99, 114, 108, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 0, 141, 147, 219, 43, 141, 203, 251, 249, 65, 14, 59, 101, 58, 52, 17, 94, 125, 255, 136, 2, 119, 77, 162, 172, 220, 228, 96, 248, 224, 23, 70, 232, 179, 196, 64, 148, 253, 75, 153, 4, 125, 112, 234, 156, 106, 224, 228, 2, 48, 113, 100, 127, 5, 242, 8, 183, 52, 198, 118, 237, 86, 219, 91, 20, 89, 92, 154, 237, 13, 160, 230, 178, 78, 214, 86, 204, 233, 200, 195, 178, 149, 33, 114, 132, 209, 28, 126, 120, 190, 203, 61, 219, 145, 44, 76, 113, 255, 89, 2, 129, 48, 130, 2, 125, 48, 130, 2, 4, 160, 3, 2, 1, 2, 2, 20, 89, 91, 125, 245, 221, 115, 39, 32, 198, 129, 41, 209, 134, 253, 7, 213, 175, 51, 158, 192, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 129, 137, 49, 60, 48, 58, 6, 3, 85, 4, 3, 12, 51, 97, 99, 55, 99, 101, 98, 99, 48, 54, 102, 52, 101, 98, 98, 50, 98, 46, 122, 111, 110, 97, 108, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 11, 48, 9, 6, 3, 85, 4, 8, 12, 2, 87, 65, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 48, 30, 23, 13, 50, 50, 48, 53, 49, 55, 48, 49, 51, 50, 50, 55, 90, 23, 13, 50, 50, 48, 53, 49, 56, 48, 49, 51, 50, 50, 55, 90, 48, 129, 142, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 57, 48, 55, 6, 3, 85, 4, 3, 12, 48, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 217, 7, 202, 144, 1, 20, 13, 53, 232, 63, 221, 159, 225, 146, 134, 69, 146, 118, 201, 153, 160, 175, 125, 29, 75, 209, 208, 17, 139, 60, 241, 95, 234, 41, 212, 7, 177, 124, 161, 204, 166, 194, 44, 133, 232, 176, 11, 144, 63, 152, 193, 125, 85, 145, 72, 245, 151, 42, 102, 105, 84, 31, 79, 155, 24, 147, 140, 242, 204, 199, 198, 96, 157, 105, 8, 157, 169, 22, 102, 10, 112, 140, 221, 71, 210, 113, 87, 135, 200, 112, 157, 56, 193, 192, 141, 100, 163, 38, 48, 36, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 0, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 2, 4, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 15, 118, 172, 221, 229, 239, 80, 139, 142, 77, 175, 85, 204, 40, 253, 36, 69, 183, 3, 228, 119, 41, 137, 22, 191, 207, 224, 87, 24, 125, 66, 154, 118, 221, 241, 153, 247, 77, 201, 49, 99, 4, 183, 219, 210, 69, 112, 100, 2, 48, 44, 231, 245, 61, 54, 161, 162, 170, 57, 172, 91, 91, 60, 143, 204, 18, 118, 143, 208, 21, 163, 144, 107, 213, 109, 255, 239, 142, 56, 218, 105, 255, 3, 95, 135, 135, 226, 39, 127, 155, 15, 41, 166, 150, 253, 186, 42, 61, 106, 112, 117, 98, 108, 105, 99, 95, 107, 101, 121, 89, 3, 32, 45, 45, 45, 45, 45, 66, 69, 71, 73, 78, 32, 80, 85, 66, 76, 73, 67, 32, 75, 69, 89, 45, 45, 45, 45, 45, 10, 77, 73, 73, 67, 73, 106, 65, 78, 66, 103, 107, 113, 104, 107, 105, 71, 57, 119, 48, 66, 65, 81, 69, 70, 65, 65, 79, 67, 65, 103, 56, 65, 77, 73, 73, 67, 67, 103, 75, 67, 65, 103, 69, 65, 54, 115, 57, 103, 121, 102, 107, 77, 50, 69, 108, 53, 107, 50, 78, 99, 89, 70, 110, 100, 10, 105, 55, 49, 52, 106, 122, 77, 86, 79, 119, 85, 54, 80, 110, 75, 107, 43, 83, 122, 111, 101, 47, 83, 66, 104, 70, 49, 56, 111, 99, 106, 119, 85, 115, 47, 54, 57, 82, 86, 113, 71, 71, 48, 67, 69, 82, 88, 109, 55, 67, 114, 113, 70, 87, 89, 99, 51, 76, 57, 79, 79, 90, 52, 89, 10, 67, 119, 106, 66, 57, 112, 49, 57, 100, 83, 75, 74, 122, 50, 74, 113, 82, 88, 84, 99, 65, 43, 47, 66, 56, 47, 55, 57, 48, 98, 97, 110, 69, 109, 113, 106, 73, 53, 76, 66, 101, 56, 68, 118, 100, 102, 47, 112, 51, 100, 84, 118, 75, 49, 72, 47, 67, 89, 122, 111, 119, 86, 65, 115, 10, 117, 47, 111, 79, 99, 81, 84, 57, 119, 77, 67, 108, 48, 56, 56, 106, 101, 67, 118, 105, 54, 102, 89, 52, 113, 121, 75, 70, 101, 71, 98, 88, 67, 82, 71, 75, 84, 105, 81, 106, 122, 99, 103, 121, 80, 71, 57, 101, 52, 74, 121, 110, 74, 75, 118, 117, 77, 120, 81, 67, 112, 97, 52, 72, 10, 70, 117, 116, 65, 48, 73, 53, 98, 113, 108, 43, 68, 120, 80, 80, 106, 49, 87, 83, 99, 83, 72, 50, 85, 102, 70, 118, 120, 67, 118, 85, 115, 97, 115, 106, 102, 89, 114, 69, 43, 51, 97, 112, 101, 86, 72, 47, 55, 70, 68, 69, 106, 115, 52, 56, 86, 84, 47, 97, 48, 111, 74, 105, 98, 10, 82, 67, 71, 100, 48, 85, 70, 89, 83, 118, 66, 109, 66, 112, 115, 107, 76, 77, 121, 109, 66, 78, 48, 57, 102, 75, 118, 100, 90, 79, 112, 111, 105, 83, 78, 97, 48, 97, 90, 70, 119, 67, 116, 113, 121, 88, 54, 72, 48, 89, 109, 74, 120, 113, 111, 105, 113, 99, 111, 78, 78, 118, 47, 68, 10, 56, 116, 110, 65, 109, 120, 102, 73, 120, 114, 105, 73, 52, 116, 102, 90, 69, 73, 100, 107, 97, 78, 103, 88, 76, 89, 79, 102, 49, 99, 106, 117, 74, 83, 117, 74, 97, 111, 83, 66, 99, 72, 122, 48, 73, 98, 47, 82, 117, 86, 80, 100, 83, 85, 75, 104, 90, 83, 114, 121, 110, 84, 47, 102, 10, 72, 98, 106, 112, 120, 121, 103, 112, 97, 104, 110, 84, 49, 76, 43, 85, 101, 47, 68, 103, 110, 87, 75, 56, 67, 56, 83, 72, 84, 85, 99, 76, 122, 115, 81, 109, 68, 67, 68, 65, 43, 49, 54, 65, 106, 53, 98, 112, 55, 55, 43, 81, 80, 78, 47, 114, 85, 120, 88, 55, 69, 98, 88, 79, 10, 105, 119, 47, 73, 115, 114, 57, 114, 47, 74, 98, 98, 69, 107, 89, 47, 48, 89, 105, 88, 47, 113, 114, 56, 103, 98, 54, 81, 56, 89, 112, 90, 121, 82, 52, 97, 104, 56, 86, 49, 86, 87, 71, 82, 102, 122, 90, 49, 72, 49, 48, 53, 77, 67, 54, 107, 88, 107, 47, 66, 85, 120, 78, 121, 10, 76, 85, 86, 56, 111, 66, 65, 87, 89, 108, 52, 57, 47, 107, 120, 114, 109, 82, 73, 122, 90, 99, 48, 118, 120, 117, 70, 122, 54, 81, 122, 105, 113, 54, 108, 54, 74, 120, 49, 53, 98, 89, 50, 120, 103, 68, 122, 115, 48, 90, 74, 103, 54, 75, 67, 71, 112, 71, 48, 99, 106, 54, 117, 121, 10, 68, 57, 104, 82, 82, 52, 109, 118, 117, 77, 115, 75, 115, 47, 50, 105, 79, 49, 89, 85, 68, 99, 107, 48, 118, 65, 53, 101, 48, 81, 117, 84, 89, 67, 97, 89, 72, 69, 66, 74, 51, 110, 83, 73, 88, 83, 115, 76, 75, 76, 81, 101, 71, 57, 111, 99, 77, 74, 77, 88, 50, 105, 51, 103, 10, 110, 86, 105, 43, 86, 49, 82, 69, 83, 102, 75, 69, 101, 117, 102, 102, 90, 82, 75, 69, 112, 106, 69, 67, 65, 119, 69, 65, 65, 81, 61, 61, 10, 45, 45, 45, 45, 45, 69, 78, 68, 32, 80, 85, 66, 76, 73, 67, 32, 75, 69, 89, 45, 45, 45, 45, 45, 10, 105, 117, 115, 101, 114, 95, 100, 97, 116, 97, 246, 101, 110, 111, 110, 99, 101, 246, 88, 96, 174, 48, 177, 39, 24, 48, 211, 165, 107, 86, 21, 216, 93, 143, 22, 156, 203, 98, 163, 5, 213, 87, 210, 213, 90, 98, 93, 46, 150, 155, 75, 81, 186, 194, 134, 36, 254, 23, 84, 26, 185, 37, 248, 150, 72, 16, 193, 246, 96, 76, 65, 78, 5, 133, 136, 18, 42, 87, 137, 82, 56, 245, 113, 139, 121, 164, 201, 244, 237, 101, 116, 109, 204, 13, 116, 108, 58, 74, 181, 32, 208, 172, 36, 44, 187, 171, 138, 185, 80, 105, 171, 65, 177, 74, 136, 33];
\ No newline at end of file
diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index 89756712..b83ac3cc 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -158,12 +158,12 @@ mod handlers {
 			ProtocolMsg::NsmResponse(NsmResponse::Attestation {
 				ref document,
 			}) => {
-				use std::fs::File;
-				use std::io::Write;
-				let mut file =
-					File::create("/home/tk/attest_document").unwrap();
-				let output = format!("{:?}", document);
-				file.write_all(&output.as_bytes()).unwrap();
+				// TODO: delete this stuff
+				// use std::{fs::File, io::Write};
+				// let mut file =
+				// 	File::create("/home/tk/attest_document").unwrap();
+				// let output = format!("{:?}", document);
+				// file.write_all(&output.as_bytes()).unwrap();
 			}
 			_ => panic!("Not an attestation response"),
 		}
diff --git a/qos-client/src/lib.rs b/qos-client/src/lib.rs
index 540a9d30..537a2510 100644
--- a/qos-client/src/lib.rs
+++ b/qos-client/src/lib.rs
@@ -1,9 +1,10 @@
 pub mod cli;
 
 pub mod request {
-	use qos_core::protocol::{ProtocolMsg, Serialize};
 	use std::io::Read;
 
+	use qos_core::protocol::{ProtocolMsg, Serialize};
+
 	const MAX_SIZE: u64 = u32::MAX as u64;
 
 	pub fn post(url: &str, msg: ProtocolMsg) -> Result<ProtocolMsg, String> {
diff --git a/qos-core/src/protocol/attest_document b/qos-core/src/protocol/attest_document
deleted file mode 100644
index 45ec108f484a3ba456713df05f685b4f20cc7cbe..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 5194
zcmd6q2UHa27RT8_aiypbON@oYP8PnIEwgKRW*e|9u&~Qk>+I~zvTW}QkthZ=M(hR^
z8-lS!jlmvcjlCS(OMJm@lxRroiiwK6LD6W$_YUXey^}d-&e?ls|1;mt_xs;_w^+QG
z!h5$|7khq%+2%0%toR7CG1%M81Q?fxV|*iwAq0;H<2)vA#{k3w7-8TdI12%615Oyt
zCfwsCl&Jz1k8SpvZDfSnoSj2LC}WOo+_1#x#N3{*LbM>Hg$JeO5^BpOw3bWgTJZMr
zoh7R~jqX<S;faNtHyHS~-U7#xrAH4>7~W~r#|q)dq4uwBUfarrvv<ufNRLlV3vKyR
z!dfl~Z@DC*<&st{moQo`Y29*3WXmN{Etf>MToTiAi3P*mUNd3FP%o~djsat-qsWs|
zPNPz&)HaRI`Us(KZ*-JlY{N>x2#e@9KK1AzI*kU3ra-Mht1z019u`YgDWO=<wlRo^
zWN1)NuGwz#I_yvz5Z#yzj|^AhsMl-7p%@U=m|;YQ32bNq`ISiWu4JNhBu$`ELVSQU
zMzl!KOkqg$d6+or@iL)AG~h|Jo4syFW3jNJe%u4Pc8G#uz=03|aUd2~{~~0QAzu%Q
zX8tc0{0}hj*@8LEEV#K!_UexSe$XZ?{OL=jQo=$Lis&Kl(hMQ=i7P|ntvf1fmw6Mf
z6;F>pYz%)i<>OYjpP1O8lSUV6>w8R!s$1T1-o{o%>NyvpzA5iMwkFg2?TSlrr^HM4
zLZLmDeI$I`5LI&gejm%Q!|}n-Pl^0zB?}9#4>c|uRu}EwTG<7329e~-yTno`4Rk69
z0j(RO7&@Is4cqzhPSeaGfS^JlHR(AWW)}Nw!zQm?`|#J5==h)ZZoYO4KhFF|;?0$t
zj#O86UA1o=|JIdL{a63IW#_I<q-1Q2UpjMJm7%bQ>R7)W5l>b<I;vVUuB86n;*t~2
zDLYpZ8)JK(8a|-%UFQH~>p$xb=3=P9XE$2$VjcA@62!J(ET!}rjBP`HhkUu6r>(iv
zCHctuD_4J0zr02ueRXgD3uT=_r)Qhiu6d3iJ_KMM#DaN%LvqA^7P6m)f90dzu=$Uv
zIlnB8*mXD8`D5AXY1@-|@C=WAqO76LT|H4O%gU}{FR7|Kb9v`h?c4CCDt~zN`F5wu
z2G_=SCax-u6`nZPYJ?-!d9Oo+sQPRhO8k{$7^P1uLOkJMzM&Xo>>YfsQV2c(F)ubh
z6wpWpK$pfuG`&4NZd%U`QPrU-S4(%7K6EcQHh0AZS?N<FcZq3)g(QSB{^hs-oRG@V
zNz)e}+&28`X2YoVb55#gQ@YVazYoDy7)l25$9yJP+;!`Y!~v=wzP#aDzx&kcyCfkM
zcjvVaUF+=g`8ip+c>~3cuYYuY>cy}wdCE?s=bye`E!v7cPWXj(*l}a>d(^uZ>U7jy
zBp2JrQ`}Uf@cl;)X`;`zi5Yb1yHAOR1urk`uiUHW<pl;T7R+fXFI)ft_R|m;TSOoi
zu%8jgL=cpNLM()fpj?c{f?ll;e=c%wAm;qz$&xvMyMD0P+;h!`1Ll2K@s(ovC90a;
z=F_;`#CMXfgsmRe<Fd4Ta|AK+%%h3bx0a1su0ORs<>>aeXSVLXz-F2^BI8j8){oeE
z)cNr4?b@z!$16^!Z4vi45WOhAJW^O$^gSp#3EI72CIW<!D3DzObZgALNAC#Qk7*v9
zKe!s#IlN-^+4%;?`VLi$+ohNC3m+ePjVo*8{kqX{fC038MES7sLvp=dXaA%m(yGi?
zOFk2GTN6F3MD%GVX|yutuqBbnB-Fs>a{-1i5hItyWWxp{laKQWCWp^r@i20%BzWvZ
z@{2FSLNkQ`BNd=+7FBnZ%zm$%M{{e@hKdI@HEZS%+oEJ&`h`iIHI8w5+n4I2Wo;D!
z+3^cM81G%^Oa*Z>mWl$!vmY8oRfO|lZC6Bz<}xQn4eSIDjlG=ri177Ve7WjT>)}On
zD0}uE9^=!|I)JgXSd!tgCWeJOR_EQlKi5d)oU8E1Q1-mMtp5{O&++EMFpC_%o4O|q
z!_d<Z6itK%g8t8#WuX{?;RXzF2{vvpz=lM!k)ziCNbaBd{A&gJm06-Gh=`<W1h3B!
zZ|a%FBWphKbedH~yIHS{t5|s_tT$?(_k;6bap>LIeb$}W>^c2)b%%!{=DJl+$~Klh
zh~zH1HYp9)4gi%0F6<{}v3l7qmpEghu8*l%H`aXAHF?189wj@f4c9)umfSGEFMm~K
zQ7tIC+KdS(ub7}&%KtFI2etJNa^_E?mF*a?sA}Hc(zWd(zIn|AMPr`1ARh#PuiR7a
z8t-Uw0SPVh#TdkV-4l&|cyYZMXJ7=I!{wkjli<SylZ`<T6XhXXCiy>$Ao!4x#Wir=
z;Ea&TGtVSUKK$r+LG%E;KfCSl!iG<%fsBe(XRnO>?P7=IYwPxWFsoiRmtN?sou7B{
z3Kh7FqeJgRY+~>8Uss<Q5~mwlc0H>6r?r`<)JJ|kuzT%i@$TXi?|c;8et6KC>F=kz
z8g$em(iMf|Nq^>yINgxK`{z8pyYDONdt!Wj`1fmA3tt&d{#IN*_YgUOvS1i_K7sO@
z!oT0h{Dy8)9e!vUB`%6{ZSc88mu8HY%<vzaTfU~Si|oYlwvz_l9#Px(yYQ+}i;pb*
z_Wg0!zG^*f@SI(Rs_CisXZIt_Io;&*I?gP)b7cR%kqgWb3s$rz7|xP&DJNZ;2?v}D
zc)NB^HdgimJ({sm$g4J>(qArvP1QNZzv^7g&8$gNGS;Y$^r`P5*+jb%=sU6fj$;=!
z9SenJ{&TnIKFBx-Vf0OBPD-3)J%9h|{XyKt6<_dI4H+_U>XCN-smI@{oM!pn)^KwQ
z@3gsrHe$krAA66U7t?oXY5kUdgYuj{gVl_Uu;BSRT6bpSA(W&@GrMQ0gy~XIcbP=@
zG|9-2N=4E<L8j1TaphXfDf|Es3bG~10)bp4F!2P9*F`27`B@_H1@(#?sV`IDwFVU`
zHlpUIYZ;lo94%Y!x2QxmLLgKIv-5LpZkt>n!0cH`1x6h=SbzykUZ(=&sJXfJpibq=
zO0_5Wtt>*54pJ?QV76DT(PU`hpcS#@<=6m6?vtpDnbPcJk(8IhNoOYnSum#cDRe2U
zbXS_ml9?*YC-ee~+zRoOUWU%*l;-D4lALVRC?hz@8NwU~rp__tD3vLKOou?6mXs|I
z1}s^qMIl#uEVxsH<_dfW;#Q<tMOXpD8Bn+jv?5`$N1c;P<SLDbPht|KxV$PDvnvXc
z)IwW=xxngn+kr=eXuU?Q-kK1Af?3IVWQLQ*$V*0~r~ng+&6xz^GGqlYk(!PAZCuR8
zaiu9F={#<71_W#lE|80{AYUhA>14r7Bta<SD9l-A22Un6Th%PRONJX@n+1lYfS2rr
zQ&f<HQ2D(EyFB32>v2t%$6{hRV92a;m{PJunR<5ypKJG+7zSfDCk29Gj|7)nTvpVV
zZQ$W3q{kJwpS*EimQUwlJ0+<E?&gC4oMBO$)AEHmT5&q!MHD<MBcs6N)}#W+W`Om4
zL1r?Whw}=8dO{{QOAx=#<P!(P*{QZPGZzmcvQ(GMsW<A=(>V~X%(n1(2*aBqhd3UE
z)GfB#1S*rwnO6WQ)a*35N1g+x7}W)$fF{l93i{J6N`p8hDFc=lX!u$oD;HObHRe=?
zODq$iL4u=DYl%#kMkkf|{Bn~`tW7c#Ir=<AY~%#kSr$D4sf|j+YGe^udN3=&%9Rj0
zHfGl`SoumPUkwnD=Tmt_EH@CRrL+7Nksu%u2(kwaVmu{Yk|}=81ZJNHcaJclUbGIk
zJM0)<ryZ%A8sE-%XwoFs^mN;eO|>_Szdq?H8hFK_jL<=6SC^Lg{v};x4bX;`eR-hp
z4&~T`=pT#t!NRy<UwpP=IqN6xo_e_Y*M-tv@oOS4W_IBB{B(EhsJZ*<_J=J#op`lv
ISNEoW1N~^le*gdg

diff --git a/qos-core/src/protocol/attestor.rs b/qos-core/src/protocol/attestor.rs
index 92ba72e8..06360047 100644
--- a/qos-core/src/protocol/attestor.rs
+++ b/qos-core/src/protocol/attestor.rs
@@ -45,7 +45,9 @@ impl NsmProvider for MockNsm {
 			} => {
 				// TODO: this should be a CBOR-encoded AttestationDocument as
 				// the payload
-				NsmResponse::Attestation { document: Vec::new() }
+				NsmResponse::Attestation {
+					document: MOCK_NSM_ATTESTATION_DOCUMENT.to_vec(),
+				}
 			}
 			NsmRequest::DescribeNSM => NsmResponse::DescribeNSM {
 				version_major: 1,
@@ -80,3 +82,290 @@ impl NsmProvider for MockNsm {
 		println!("nsm_exit");
 	}
 }
+
+const MOCK_NSM_ATTESTATION_DOCUMENT: &[u8] = &[
+	132, 68, 161, 1, 56, 34, 160, 89, 19, 220, 169, 105, 109, 111, 100, 117,
+	108, 101, 95, 105, 100, 120, 39, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100,
+	50, 99, 55, 102, 56, 56, 50, 101, 56, 45, 101, 110, 99, 48, 49, 56, 48, 99,
+	102, 99, 102, 100, 99, 48, 54, 97, 51, 99, 97, 102, 100, 105, 103, 101,
+	115, 116, 102, 83, 72, 65, 51, 56, 52, 105, 116, 105, 109, 101, 115, 116,
+	97, 109, 112, 27, 0, 0, 1, 128, 207, 208, 6, 83, 100, 112, 99, 114, 115,
+	176, 0, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 1, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 2, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 3, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 88, 48, 26, 168, 192, 140, 173, 25, 127, 31,
+	229, 123, 209, 158, 184, 181, 98, 57, 109, 39, 65, 111, 164, 166, 206, 203,
+	135, 94, 25, 124, 131, 82, 66, 96, 92, 110, 185, 109, 116, 109, 171, 158,
+	151, 193, 146, 98, 73, 208, 143, 74, 5, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 88, 48, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 88, 48, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 88, 48, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 88, 48, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 88,
+	48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11,
+	88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 12, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 13, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 14, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 15, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+	0, 0, 0, 0, 0, 0, 0, 0, 0, 107, 99, 101, 114, 116, 105, 102, 105, 99, 97,
+	116, 101, 89, 2, 126, 48, 130, 2, 122, 48, 130, 2, 1, 160, 3, 2, 1, 2, 2,
+	16, 1, 128, 207, 207, 220, 6, 163, 202, 0, 0, 0, 0, 98, 131, 6, 38, 48, 10,
+	6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 129, 142, 49, 11, 48, 9, 6, 3, 85,
+	4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115,
+	104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7,
+	83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6,
+	65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87,
+	83, 49, 57, 48, 55, 6, 3, 85, 4, 3, 12, 48, 105, 45, 48, 99, 54, 56, 101,
+	99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 46, 117, 115, 45, 101,
+	97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45,
+	101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49,
+	55, 48, 50, 49, 57, 49, 53, 90, 23, 13, 50, 50, 48, 53, 49, 55, 48, 53, 49,
+	57, 49, 56, 90, 48, 129, 147, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83,
+	49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103,
+	116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116,
+	116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122,
+	111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 62, 48,
+	60, 6, 3, 85, 4, 3, 12, 53, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50,
+	99, 55, 102, 56, 56, 50, 101, 56, 45, 101, 110, 99, 48, 49, 56, 48, 99,
+	102, 99, 102, 100, 99, 48, 54, 97, 51, 99, 97, 46, 117, 115, 45, 101, 97,
+	115, 116, 45, 49, 46, 97, 119, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72,
+	206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 64, 233, 7, 173, 105,
+	145, 172, 7, 38, 139, 151, 196, 130, 50, 200, 176, 180, 184, 126, 63, 183,
+	108, 30, 73, 196, 122, 128, 168, 176, 139, 3, 56, 77, 29, 100, 31, 225,
+	249, 75, 2, 211, 49, 205, 94, 228, 238, 213, 160, 217, 110, 187, 2, 77,
+	105, 124, 86, 112, 175, 167, 83, 158, 182, 44, 94, 202, 245, 139, 23, 102,
+	176, 11, 80, 120, 167, 129, 115, 148, 230, 134, 116, 96, 94, 40, 110, 34,
+	21, 91, 75, 152, 235, 96, 199, 234, 169, 38, 7, 163, 29, 48, 27, 48, 12, 6,
+	3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3,
+	2, 6, 192, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100,
+	2, 48, 38, 61, 99, 118, 200, 165, 151, 107, 27, 135, 33, 126, 114, 241,
+	145, 19, 242, 162, 157, 210, 203, 38, 102, 251, 177, 229, 159, 29, 97, 177,
+	202, 40, 241, 131, 151, 5, 60, 32, 30, 60, 91, 23, 26, 43, 29, 129, 84,
+	162, 2, 48, 46, 121, 230, 144, 42, 154, 92, 26, 133, 154, 160, 159, 183,
+	44, 53, 253, 159, 165, 202, 165, 198, 126, 17, 255, 214, 6, 238, 208, 153,
+	20, 255, 166, 128, 213, 108, 67, 142, 25, 51, 216, 148, 204, 142, 67, 92,
+	143, 220, 191, 104, 99, 97, 98, 117, 110, 100, 108, 101, 132, 89, 2, 21,
+	48, 130, 2, 17, 48, 130, 1, 150, 160, 3, 2, 1, 2, 2, 17, 0, 249, 49, 117,
+	104, 27, 144, 175, 225, 29, 70, 204, 180, 228, 231, 248, 86, 48, 10, 6, 8,
+	42, 134, 72, 206, 61, 4, 3, 3, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19,
+	2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111,
+	110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6,
+	3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101,
+	110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 49, 57, 49, 48, 50, 56,
+	49, 51, 50, 56, 48, 53, 90, 23, 13, 52, 57, 49, 48, 50, 56, 49, 52, 50, 56,
+	48, 53, 90, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15,
+	48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10,
+	6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18,
+	97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118,
+	101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129,
+	4, 0, 34, 3, 98, 0, 4, 252, 2, 84, 235, 166, 8, 193, 243, 104, 112, 226,
+	154, 218, 144, 190, 70, 56, 50, 146, 115, 110, 137, 75, 255, 246, 114, 217,
+	137, 68, 75, 80, 81, 229, 52, 164, 177, 246, 219, 227, 192, 188, 88, 26,
+	50, 183, 177, 118, 7, 14, 222, 18, 214, 154, 63, 234, 33, 27, 102, 231, 82,
+	207, 125, 209, 221, 9, 95, 111, 19, 112, 244, 23, 8, 67, 217, 220, 16, 1,
+	33, 228, 207, 99, 1, 40, 9, 102, 68, 135, 201, 121, 98, 132, 48, 77, 197,
+	63, 244, 163, 66, 48, 64, 48, 15, 6, 3, 85, 29, 19, 1, 1, 255, 4, 5, 48, 3,
+	1, 1, 255, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 144, 37, 181, 13, 217,
+	5, 71, 231, 150, 195, 150, 250, 114, 157, 207, 153, 169, 223, 75, 150, 48,
+	14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 10, 6, 8, 42, 134,
+	72, 206, 61, 4, 3, 3, 3, 105, 0, 48, 102, 2, 49, 0, 163, 127, 47, 145, 161,
+	201, 189, 94, 231, 184, 98, 124, 22, 152, 210, 85, 3, 142, 31, 3, 67, 249,
+	91, 99, 169, 98, 140, 61, 57, 128, 149, 69, 161, 30, 188, 191, 46, 59, 85,
+	216, 174, 238, 113, 180, 195, 214, 173, 243, 2, 49, 0, 162, 243, 155, 22,
+	5, 178, 112, 40, 165, 221, 75, 160, 105, 181, 1, 110, 101, 180, 251, 222,
+	143, 224, 6, 29, 106, 83, 25, 127, 156, 218, 245, 217, 67, 188, 97, 252,
+	43, 235, 3, 203, 111, 238, 141, 35, 2, 243, 223, 246, 89, 2, 193, 48, 130,
+	2, 189, 48, 130, 2, 68, 160, 3, 2, 1, 2, 2, 16, 101, 199, 204, 202, 87, 14,
+	220, 16, 15, 61, 225, 212, 138, 102, 255, 157, 48, 10, 6, 8, 42, 134, 72,
+	206, 61, 4, 3, 3, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49,
+	15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48,
+	10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12,
+	18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97,
+	118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 50, 48, 51, 51, 50, 53,
+	54, 90, 23, 13, 50, 50, 48, 54, 48, 49, 48, 52, 51, 50, 53, 54, 90, 48,
+	100, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3,
+	85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4,
+	11, 12, 3, 65, 87, 83, 49, 54, 48, 52, 6, 3, 85, 4, 3, 12, 45, 55, 55, 97,
+	53, 97, 49, 51, 55, 54, 55, 97, 54, 99, 56, 51, 49, 46, 117, 115, 45, 101,
+	97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45,
+	101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72,
+	206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 222, 252, 141, 69,
+	152, 48, 54, 180, 63, 68, 105, 37, 175, 123, 59, 155, 212, 162, 176, 82,
+	168, 225, 2, 86, 52, 16, 138, 20, 104, 46, 28, 70, 228, 6, 173, 133, 36,
+	227, 73, 160, 184, 8, 102, 96, 219, 251, 137, 217, 240, 167, 124, 168, 90,
+	214, 190, 71, 206, 190, 26, 147, 11, 32, 157, 109, 103, 155, 95, 77, 251,
+	77, 99, 42, 102, 192, 206, 112, 250, 243, 241, 234, 30, 20, 208, 162, 218,
+	74, 186, 68, 36, 200, 14, 159, 33, 160, 12, 66, 163, 129, 213, 48, 129,
+	210, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 2,
+	48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 144, 37, 181, 13, 217, 5,
+	71, 231, 150, 195, 150, 250, 114, 157, 207, 153, 169, 223, 75, 150, 48, 29,
+	6, 3, 85, 29, 14, 4, 22, 4, 20, 133, 27, 7, 162, 173, 220, 156, 98, 111,
+	180, 23, 177, 10, 241, 150, 225, 121, 125, 252, 202, 48, 14, 6, 3, 85, 29,
+	15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 108, 6, 3, 85, 29, 31, 4, 101, 48,
+	99, 48, 97, 160, 95, 160, 93, 134, 91, 104, 116, 116, 112, 58, 47, 47, 97,
+	119, 115, 45, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101,
+	115, 45, 99, 114, 108, 46, 115, 51, 46, 97, 109, 97, 122, 111, 110, 97,
+	119, 115, 46, 99, 111, 109, 47, 99, 114, 108, 47, 97, 98, 52, 57, 54, 48,
+	99, 99, 45, 55, 100, 54, 51, 45, 52, 50, 98, 100, 45, 57, 101, 57, 102, 45,
+	53, 57, 51, 51, 56, 99, 98, 54, 55, 102, 56, 52, 46, 99, 114, 108, 48, 10,
+	6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 97, 16,
+	159, 217, 30, 69, 151, 35, 31, 115, 87, 240, 159, 181, 162, 247, 229, 229,
+	175, 156, 93, 186, 83, 52, 225, 235, 45, 2, 148, 133, 10, 218, 189, 174,
+	86, 206, 154, 17, 82, 119, 75, 208, 223, 216, 100, 244, 223, 27, 2, 48, 20,
+	146, 166, 67, 119, 132, 151, 250, 100, 67, 177, 102, 112, 250, 234, 30, 55,
+	83, 97, 104, 45, 137, 13, 60, 25, 50, 92, 19, 227, 106, 251, 102, 117, 38,
+	161, 227, 177, 251, 11, 94, 129, 152, 1, 196, 197, 203, 128, 117, 89, 3,
+	23, 48, 130, 3, 19, 48, 130, 2, 154, 160, 3, 2, 1, 2, 2, 16, 66, 191, 173,
+	106, 243, 245, 153, 100, 102, 84, 221, 162, 118, 15, 1, 196, 48, 10, 6, 8,
+	42, 134, 72, 206, 61, 4, 3, 3, 48, 100, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19,
+	2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111,
+	110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 54, 48, 52, 6,
+	3, 85, 4, 3, 12, 45, 55, 55, 97, 53, 97, 49, 51, 55, 54, 55, 97, 54, 99,
+	56, 51, 49, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115,
+	46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48,
+	30, 23, 13, 50, 50, 48, 53, 49, 54, 50, 50, 51, 48, 49, 56, 90, 23, 13, 50,
+	50, 48, 53, 50, 50, 50, 49, 51, 48, 49, 56, 90, 48, 129, 137, 49, 60, 48,
+	58, 6, 3, 85, 4, 3, 12, 51, 97, 99, 55, 99, 101, 98, 99, 48, 54, 102, 52,
+	101, 98, 98, 50, 98, 46, 122, 111, 110, 97, 108, 46, 117, 115, 45, 101, 97,
+	115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101,
+	110, 99, 108, 97, 118, 101, 115, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3,
+	65, 87, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111,
+	110, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 11, 48, 9, 6, 3, 85,
+	4, 8, 12, 2, 87, 65, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97,
+	116, 116, 108, 101, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6,
+	5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 132, 96, 229, 136, 115, 25, 148, 177, 3,
+	239, 253, 83, 20, 162, 171, 242, 6, 39, 97, 110, 155, 216, 112, 201, 132,
+	5, 243, 151, 40, 179, 209, 184, 115, 218, 185, 217, 23, 250, 67, 45, 179,
+	172, 254, 154, 182, 150, 247, 12, 54, 159, 232, 139, 74, 101, 88, 59, 48,
+	163, 200, 223, 199, 102, 148, 51, 38, 109, 227, 140, 112, 15, 13, 237, 128,
+	229, 179, 130, 105, 206, 113, 141, 59, 241, 36, 140, 191, 217, 98, 232,
+	165, 232, 70, 255, 156, 41, 57, 172, 163, 129, 234, 48, 129, 231, 48, 18,
+	6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 1, 48, 31, 6, 3,
+	85, 29, 35, 4, 24, 48, 22, 128, 20, 133, 27, 7, 162, 173, 220, 156, 98,
+	111, 180, 23, 177, 10, 241, 150, 225, 121, 125, 252, 202, 48, 29, 6, 3, 85,
+	29, 14, 4, 22, 4, 20, 64, 234, 253, 247, 84, 156, 144, 3, 154, 191, 59,
+	159, 177, 155, 197, 150, 178, 18, 8, 187, 48, 14, 6, 3, 85, 29, 15, 1, 1,
+	255, 4, 4, 3, 2, 1, 134, 48, 129, 128, 6, 3, 85, 29, 31, 4, 121, 48, 119,
+	48, 117, 160, 115, 160, 113, 134, 111, 104, 116, 116, 112, 58, 47, 47, 99,
+	114, 108, 45, 117, 115, 45, 101, 97, 115, 116, 45, 49, 45, 97, 119, 115,
+	45, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 46,
+	115, 51, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 109, 97, 122,
+	111, 110, 97, 119, 115, 46, 99, 111, 109, 47, 99, 114, 108, 47, 99, 102,
+	52, 53, 54, 53, 97, 101, 45, 102, 57, 50, 102, 45, 52, 99, 49, 49, 45, 97,
+	56, 55, 54, 45, 101, 51, 55, 102, 102, 57, 49, 100, 51, 54, 98, 53, 46, 99,
+	114, 108, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100,
+	2, 48, 0, 141, 147, 219, 43, 141, 203, 251, 249, 65, 14, 59, 101, 58, 52,
+	17, 94, 125, 255, 136, 2, 119, 77, 162, 172, 220, 228, 96, 248, 224, 23,
+	70, 232, 179, 196, 64, 148, 253, 75, 153, 4, 125, 112, 234, 156, 106, 224,
+	228, 2, 48, 113, 100, 127, 5, 242, 8, 183, 52, 198, 118, 237, 86, 219, 91,
+	20, 89, 92, 154, 237, 13, 160, 230, 178, 78, 214, 86, 204, 233, 200, 195,
+	178, 149, 33, 114, 132, 209, 28, 126, 120, 190, 203, 61, 219, 145, 44, 76,
+	113, 255, 89, 2, 129, 48, 130, 2, 125, 48, 130, 2, 4, 160, 3, 2, 1, 2, 2,
+	20, 89, 91, 125, 245, 221, 115, 39, 32, 198, 129, 41, 209, 134, 253, 7,
+	213, 175, 51, 158, 192, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48,
+	129, 137, 49, 60, 48, 58, 6, 3, 85, 4, 3, 12, 51, 97, 99, 55, 99, 101, 98,
+	99, 48, 54, 102, 52, 101, 98, 98, 50, 98, 46, 122, 111, 110, 97, 108, 46,
+	117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105,
+	116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 49, 12, 48, 10, 6,
+	3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6,
+	65, 109, 97, 122, 111, 110, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83,
+	49, 11, 48, 9, 6, 3, 85, 4, 8, 12, 2, 87, 65, 49, 16, 48, 14, 6, 3, 85, 4,
+	7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 48, 30, 23, 13, 50, 50, 48, 53,
+	49, 55, 48, 49, 51, 50, 50, 55, 90, 23, 13, 50, 50, 48, 53, 49, 56, 48, 49,
+	51, 50, 50, 55, 90, 48, 129, 142, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85,
+	83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110,
+	103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97,
+	116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97,
+	122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 57,
+	48, 55, 6, 3, 85, 4, 3, 12, 48, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100,
+	50, 99, 55, 102, 56, 56, 50, 101, 56, 46, 117, 115, 45, 101, 97, 115, 116,
+	45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99,
+	108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1,
+	6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 217, 7, 202, 144, 1, 20, 13, 53, 232,
+	63, 221, 159, 225, 146, 134, 69, 146, 118, 201, 153, 160, 175, 125, 29, 75,
+	209, 208, 17, 139, 60, 241, 95, 234, 41, 212, 7, 177, 124, 161, 204, 166,
+	194, 44, 133, 232, 176, 11, 144, 63, 152, 193, 125, 85, 145, 72, 245, 151,
+	42, 102, 105, 84, 31, 79, 155, 24, 147, 140, 242, 204, 199, 198, 96, 157,
+	105, 8, 157, 169, 22, 102, 10, 112, 140, 221, 71, 210, 113, 87, 135, 200,
+	112, 157, 56, 193, 192, 141, 100, 163, 38, 48, 36, 48, 18, 6, 3, 85, 29,
+	19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 0, 48, 14, 6, 3, 85, 29, 15,
+	1, 1, 255, 4, 4, 3, 2, 2, 4, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3,
+	3, 103, 0, 48, 100, 2, 48, 15, 118, 172, 221, 229, 239, 80, 139, 142, 77,
+	175, 85, 204, 40, 253, 36, 69, 183, 3, 228, 119, 41, 137, 22, 191, 207,
+	224, 87, 24, 125, 66, 154, 118, 221, 241, 153, 247, 77, 201, 49, 99, 4,
+	183, 219, 210, 69, 112, 100, 2, 48, 44, 231, 245, 61, 54, 161, 162, 170,
+	57, 172, 91, 91, 60, 143, 204, 18, 118, 143, 208, 21, 163, 144, 107, 213,
+	109, 255, 239, 142, 56, 218, 105, 255, 3, 95, 135, 135, 226, 39, 127, 155,
+	15, 41, 166, 150, 253, 186, 42, 61, 106, 112, 117, 98, 108, 105, 99, 95,
+	107, 101, 121, 89, 3, 32, 45, 45, 45, 45, 45, 66, 69, 71, 73, 78, 32, 80,
+	85, 66, 76, 73, 67, 32, 75, 69, 89, 45, 45, 45, 45, 45, 10, 77, 73, 73, 67,
+	73, 106, 65, 78, 66, 103, 107, 113, 104, 107, 105, 71, 57, 119, 48, 66, 65,
+	81, 69, 70, 65, 65, 79, 67, 65, 103, 56, 65, 77, 73, 73, 67, 67, 103, 75,
+	67, 65, 103, 69, 65, 54, 115, 57, 103, 121, 102, 107, 77, 50, 69, 108, 53,
+	107, 50, 78, 99, 89, 70, 110, 100, 10, 105, 55, 49, 52, 106, 122, 77, 86,
+	79, 119, 85, 54, 80, 110, 75, 107, 43, 83, 122, 111, 101, 47, 83, 66, 104,
+	70, 49, 56, 111, 99, 106, 119, 85, 115, 47, 54, 57, 82, 86, 113, 71, 71,
+	48, 67, 69, 82, 88, 109, 55, 67, 114, 113, 70, 87, 89, 99, 51, 76, 57, 79,
+	79, 90, 52, 89, 10, 67, 119, 106, 66, 57, 112, 49, 57, 100, 83, 75, 74,
+	122, 50, 74, 113, 82, 88, 84, 99, 65, 43, 47, 66, 56, 47, 55, 57, 48, 98,
+	97, 110, 69, 109, 113, 106, 73, 53, 76, 66, 101, 56, 68, 118, 100, 102, 47,
+	112, 51, 100, 84, 118, 75, 49, 72, 47, 67, 89, 122, 111, 119, 86, 65, 115,
+	10, 117, 47, 111, 79, 99, 81, 84, 57, 119, 77, 67, 108, 48, 56, 56, 106,
+	101, 67, 118, 105, 54, 102, 89, 52, 113, 121, 75, 70, 101, 71, 98, 88, 67,
+	82, 71, 75, 84, 105, 81, 106, 122, 99, 103, 121, 80, 71, 57, 101, 52, 74,
+	121, 110, 74, 75, 118, 117, 77, 120, 81, 67, 112, 97, 52, 72, 10, 70, 117,
+	116, 65, 48, 73, 53, 98, 113, 108, 43, 68, 120, 80, 80, 106, 49, 87, 83,
+	99, 83, 72, 50, 85, 102, 70, 118, 120, 67, 118, 85, 115, 97, 115, 106, 102,
+	89, 114, 69, 43, 51, 97, 112, 101, 86, 72, 47, 55, 70, 68, 69, 106, 115,
+	52, 56, 86, 84, 47, 97, 48, 111, 74, 105, 98, 10, 82, 67, 71, 100, 48, 85,
+	70, 89, 83, 118, 66, 109, 66, 112, 115, 107, 76, 77, 121, 109, 66, 78, 48,
+	57, 102, 75, 118, 100, 90, 79, 112, 111, 105, 83, 78, 97, 48, 97, 90, 70,
+	119, 67, 116, 113, 121, 88, 54, 72, 48, 89, 109, 74, 120, 113, 111, 105,
+	113, 99, 111, 78, 78, 118, 47, 68, 10, 56, 116, 110, 65, 109, 120, 102, 73,
+	120, 114, 105, 73, 52, 116, 102, 90, 69, 73, 100, 107, 97, 78, 103, 88, 76,
+	89, 79, 102, 49, 99, 106, 117, 74, 83, 117, 74, 97, 111, 83, 66, 99, 72,
+	122, 48, 73, 98, 47, 82, 117, 86, 80, 100, 83, 85, 75, 104, 90, 83, 114,
+	121, 110, 84, 47, 102, 10, 72, 98, 106, 112, 120, 121, 103, 112, 97, 104,
+	110, 84, 49, 76, 43, 85, 101, 47, 68, 103, 110, 87, 75, 56, 67, 56, 83, 72,
+	84, 85, 99, 76, 122, 115, 81, 109, 68, 67, 68, 65, 43, 49, 54, 65, 106, 53,
+	98, 112, 55, 55, 43, 81, 80, 78, 47, 114, 85, 120, 88, 55, 69, 98, 88, 79,
+	10, 105, 119, 47, 73, 115, 114, 57, 114, 47, 74, 98, 98, 69, 107, 89, 47,
+	48, 89, 105, 88, 47, 113, 114, 56, 103, 98, 54, 81, 56, 89, 112, 90, 121,
+	82, 52, 97, 104, 56, 86, 49, 86, 87, 71, 82, 102, 122, 90, 49, 72, 49, 48,
+	53, 77, 67, 54, 107, 88, 107, 47, 66, 85, 120, 78, 121, 10, 76, 85, 86, 56,
+	111, 66, 65, 87, 89, 108, 52, 57, 47, 107, 120, 114, 109, 82, 73, 122, 90,
+	99, 48, 118, 120, 117, 70, 122, 54, 81, 122, 105, 113, 54, 108, 54, 74,
+	120, 49, 53, 98, 89, 50, 120, 103, 68, 122, 115, 48, 90, 74, 103, 54, 75,
+	67, 71, 112, 71, 48, 99, 106, 54, 117, 121, 10, 68, 57, 104, 82, 82, 52,
+	109, 118, 117, 77, 115, 75, 115, 47, 50, 105, 79, 49, 89, 85, 68, 99, 107,
+	48, 118, 65, 53, 101, 48, 81, 117, 84, 89, 67, 97, 89, 72, 69, 66, 74, 51,
+	110, 83, 73, 88, 83, 115, 76, 75, 76, 81, 101, 71, 57, 111, 99, 77, 74, 77,
+	88, 50, 105, 51, 103, 10, 110, 86, 105, 43, 86, 49, 82, 69, 83, 102, 75,
+	69, 101, 117, 102, 102, 90, 82, 75, 69, 112, 106, 69, 67, 65, 119, 69, 65,
+	65, 81, 61, 61, 10, 45, 45, 45, 45, 45, 69, 78, 68, 32, 80, 85, 66, 76, 73,
+	67, 32, 75, 69, 89, 45, 45, 45, 45, 45, 10, 105, 117, 115, 101, 114, 95,
+	100, 97, 116, 97, 246, 101, 110, 111, 110, 99, 101, 246, 88, 96, 174, 48,
+	177, 39, 24, 48, 211, 165, 107, 86, 21, 216, 93, 143, 22, 156, 203, 98,
+	163, 5, 213, 87, 210, 213, 90, 98, 93, 46, 150, 155, 75, 81, 186, 194, 134,
+	36, 254, 23, 84, 26, 185, 37, 248, 150, 72, 16, 193, 246, 96, 76, 65, 78,
+	5, 133, 136, 18, 42, 87, 137, 82, 56, 245, 113, 139, 121, 164, 201, 244,
+	237, 101, 116, 109, 204, 13, 116, 108, 58, 74, 181, 32, 208, 172, 36, 44,
+	187, 171, 138, 185, 80, 105, 171, 65, 177, 74, 136, 33,
+];
diff --git a/qos-crypto/src/lib.rs b/qos-crypto/src/lib.rs
index 1205f585..f55e2d23 100644
--- a/qos-crypto/src/lib.rs
+++ b/qos-crypto/src/lib.rs
@@ -1,13 +1,16 @@
 mod shamir;
-pub use shamir::*;
-
-use openssl::hash::MessageDigest;
-use openssl::pkey::{PKey, Private, Public};
-use openssl::rsa::Rsa;
-use openssl::sign::{Signer, Verifier};
+use std::{
+	fs::File,
+	io::{Read, Write},
+};
 
-use std::fs::File;
-use std::io::{Read, Write};
+use openssl::{
+	hash::MessageDigest,
+	pkey::{PKey, Private, Public},
+	rsa::Rsa,
+	sign::{Signer, Verifier},
+};
+pub use shamir::*;
 
 pub enum CryptographyError {
 	IOError(std::io::Error),
diff --git a/qos-crypto/src/shamir.rs b/qos-crypto/src/shamir.rs
index efae2e24..f5d4ab30 100644
--- a/qos-crypto/src/shamir.rs
+++ b/qos-crypto/src/shamir.rs
@@ -192,7 +192,7 @@ pub fn shares_reconstruct<S: AsRef<[u8]>>(shares: &[S]) -> Vec<u8> {
 	// This matches the behavior of bad shares (random output) and simplifies
 	// consumers.
 	if len == 0 {
-		return vec![];
+		return vec![]
 	}
 
 	let mut secret = vec![];
diff --git a/qos-test/src/lib.rs b/qos-test/src/lib.rs
index 842fad13..d33331fe 100644
--- a/qos-test/src/lib.rs
+++ b/qos-test/src/lib.rs
@@ -3,4 +3,3 @@
 use std::collections::BTreeSet;
 
 use qos_core::protocol::{NsmDigest, NsmProvider, NsmRequest, NsmResponse};
-

From cf9539ee3abc5614bcacdbf33766d47ae20b11ec Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Mon, 16 May 2022 20:07:29 -0700
Subject: [PATCH 11/44] WIP

---
 Cargo.lock                     |  2 ++
 Makefile                       |  3 ++-
 qos-client/Cargo.toml          |  3 +++
 qos-client/src/cli.rs          | 23 ++++++++++++-----------
 qos-core/src/cli.rs            |  9 ++++++++-
 qos-core/src/protocol/mod.rs   |  1 +
 qos-test/tests/verification.rs |  4 ++--
 7 files changed, 30 insertions(+), 15 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index b041e9ce..91b771e9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -505,8 +505,10 @@ dependencies = [
 name = "qos-client"
 version = "0.1.0"
 dependencies = [
+ "aws-nitro-enclaves-nsm-api",
  "qos-core",
  "qos-host",
+ "serde_cbor",
  "ureq",
 ]
 
diff --git a/Makefile b/Makefile
index 6d64c700..00fccb65 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,8 @@ test:
 enclave:
 	cargo run --bin qos-core \
 		-- \
-		--usock ./dev.sock
+		--usock ./dev.sock \
+		--mock true
 
 .PHONY: local-host
 local-host:
diff --git a/qos-client/Cargo.toml b/qos-client/Cargo.toml
index 09317459..7cea5361 100644
--- a/qos-client/Cargo.toml
+++ b/qos-client/Cargo.toml
@@ -9,3 +9,6 @@ qos-host = { path = "../qos-host" }
 
 # Third party
 ureq = { version = "2.4", default-features = false }
+serde_cbor = "0.11"
+aws-nitro-enclaves-nsm-api = { version = "0.2.1", default-features = false }
+
diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index b83ac3cc..1a5fd793 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -149,15 +149,23 @@ mod handlers {
 
 		let response = request::post(
 			path,
-			ProtocolMsg::NsmRequest(NsmRequest::DescribeNSM),
+			ProtocolMsg::NsmRequest(NsmRequest::Attestation {
+				user_data: None,
+				nonce: None,
+				public_key: None,
+			}),
 		)
 		.map_err(|e| println!("{:?}", e))
 		.expect("Echo message failed");
 
 		match response {
-			ProtocolMsg::NsmResponse(NsmResponse::Attestation {
-				ref document,
-			}) => {
+			ProtocolMsg::NsmResponse(NsmResponse::Attestation { document }) => {
+				println!("{:?}", document);
+				use aws_nitro_enclaves_nsm_api::api::AttestationDoc;
+
+				let doc = AttestationDoc::from_binary(&document[..]);
+				println!("doc={:?}", doc);
+
 				// TODO: delete this stuff
 				// use std::{fs::File, io::Write};
 				// let mut file =
@@ -167,12 +175,5 @@ mod handlers {
 			}
 			_ => panic!("Not an attestation response"),
 		}
-
-		match response {
-			ProtocolMsg::NsmResponse(describe_nsm_response) => {
-				println!("{:?}", describe_nsm_response)
-			}
-			_ => panic!("Unexpected describe nsm response"),
-		}
 	}
 }
diff --git a/qos-core/src/cli.rs b/qos-core/src/cli.rs
index 103112e6..9ed9e2bc 100644
--- a/qos-core/src/cli.rs
+++ b/qos-core/src/cli.rs
@@ -38,6 +38,7 @@ impl EnclaveOptions {
 		self.parse_cid(cmd, arg);
 		self.parse_port(cmd, arg);
 		self.parse_usock(cmd, arg);
+		self.parse_mock(cmd, arg)
 	}
 
 	pub fn parse_cid(&mut self, cmd: &str, arg: &str) {
@@ -77,7 +78,10 @@ impl EnclaveOptions {
 
 	pub fn parse_mock(&mut self, cmd: &str, arg: &str) {
 		match cmd {
-			"--mock" => self.mock = arg == "true",
+			"--mock" => {
+				println!("mock arg: {}", arg);
+				self.mock = arg == "true"
+			}
 			_ => {}
 		}
 	}
@@ -97,8 +101,11 @@ impl EnclaveOptions {
 
 	pub fn nsm(&self) -> Box<dyn NsmProvider> {
 		if self.mock {
+			println!("using mock");
 			Box::new(protocol::MockNsm)
 		} else {
+			println!("not using mock");
+
 			Box::new(Nsm)
 		}
 	}
diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index 2198029f..526db624 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -140,6 +140,7 @@ mod handlers {
 			};
 			let fd = state.attestor.nsm_init();
 			let response = state.attestor.nsm_process_request(fd, attestation);
+			println!("response={:?}", response);
 			// match response {
 			// 	NsmResponse::Attestation { ref document } => {
 			// 		// use std::fs::File;
diff --git a/qos-test/tests/verification.rs b/qos-test/tests/verification.rs
index 838d686b..e6385c1f 100644
--- a/qos-test/tests/verification.rs
+++ b/qos-test/tests/verification.rs
@@ -4,10 +4,10 @@ fn rsa_verify_payload() {
 	// - Verify each signature with known public keys
 
 	// Load RSA Pub key
-	let pub_key = RsaPub::from_file("path to file");
+	// let pub_key = RsaPub::from_file("path to file");
 
 	// Verify by hashing the payload
-	pub_key.verify("payload")
+	// pub_key.verify("payload")
 	// OR verify the pre-hashed payload
 	// pub_key.verify_raw(hash("payload"))
 }

From 230e9cc05a1c9a50c38a376180d57bbea8eb2626 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Tue, 17 May 2022 12:01:53 -0700
Subject: [PATCH 12/44] Very ugly attestation doc sig verification

---
 Cargo.lock                   | 379 +++++++++++++++++++++++++++++++++++
 qos-client/Cargo.toml        |   7 +
 qos-client/src/cli.rs        | 107 +++++++++-
 qos-core/src/protocol/mod.rs |  12 --
 4 files changed, 484 insertions(+), 21 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 91b771e9..cb1f5834 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -11,6 +11,45 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "asn1-rs"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "30ff05a702273012438132f449575dbc804e27b2f3cbe3069aa237d26c98fa33"
+dependencies = [
+ "asn1-rs-derive",
+ "asn1-rs-impl",
+ "displaydoc",
+ "nom",
+ "num-traits",
+ "rusticata-macros",
+ "thiserror",
+ "time",
+]
+
+[[package]]
+name = "asn1-rs-derive"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db8b7511298d5b7784b40b092d9e9dcd3a627a5707e4b5e507931ab0d44eeebf"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "synstructure",
+]
+
+[[package]]
+name = "asn1-rs-impl"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2777730b2039ac0f95f093556e61b6d26cebed5393ca6f152717777cec3a42ed"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "async-trait"
 version = "0.1.53"
@@ -28,6 +67,20 @@ version = "1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d468802bab17cbc0cc575e9b053f41e72aa36bfa6b7f55e3529ffa43161b97fa"
 
+[[package]]
+name = "aws-nitro-enclaves-cose"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4e2fe3e862758ef5bb5d89868141ab28781d96347522b60eb6abeaf7f9acd4bc"
+dependencies = [
+ "openssl",
+ "serde",
+ "serde_bytes",
+ "serde_cbor",
+ "serde_repr",
+ "serde_with",
+]
+
 [[package]]
 name = "aws-nitro-enclaves-nsm-api"
 version = "0.2.1"
@@ -97,6 +150,12 @@ version = "1.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 
+[[package]]
+name = "bumpalo"
+version = "3.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4a45a46ab1f2412e53d3a0ade76ffad2025804294569aae387231a0cd6e0899"
+
 [[package]]
 name = "bytes"
 version = "1.1.0"
@@ -121,6 +180,43 @@ version = "1.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fff857943da45f546682664a79488be82e69e43c1a7a2307679ab9afb3a66d2e"
 
+[[package]]
+name = "data-encoding"
+version = "2.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3ee2393c4a91429dffb4bedf19f4d6abf27d8a732c8ce4980305d782e5426d57"
+
+[[package]]
+name = "der"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "13dd2ae565c0a381dde7fade45fce95984c568bdcb4700a4fdbe3175e0380b2f"
+
+[[package]]
+name = "der-parser"
+version = "7.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fe398ac75057914d7d07307bf67dc7f3f574a26783b4fc7805a20ffa9f506e82"
+dependencies = [
+ "asn1-rs",
+ "displaydoc",
+ "nom",
+ "num-bigint",
+ "num-traits",
+ "rusticata-macros",
+]
+
+[[package]]
+name = "displaydoc"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3bf95dc3f046b9da4f2d51833c0d3547d8564ef6910f5c1ed130306a75b92886"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "fnv"
 version = "1.0.7"
@@ -297,6 +393,15 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1aab8fc367588b89dcee83ab0fd66b72b50b72fa1904d7095045ace2b0c81c35"
 
+[[package]]
+name = "js-sys"
+version = "0.3.57"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "671a26f820db17c2a2750743f1dd03bafd15b98c9f30c7c2628c024c05d73397"
+dependencies = [
+ "wasm-bindgen",
+]
+
 [[package]]
 name = "lazy_static"
 version = "1.4.0"
@@ -351,6 +456,12 @@ version = "0.3.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2a60c7ce501c71e03a9c9c0d35b861413ae925bd979cc7a4e30d060069aaac8d"
 
+[[package]]
+name = "minimal-lexical"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
 [[package]]
 name = "mio"
 version = "0.8.3"
@@ -387,6 +498,46 @@ dependencies = [
  "memoffset",
 ]
 
+[[package]]
+name = "nom"
+version = "7.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8903e5a29a317527874d0402f867152a3d21c908bb0b933e416c65e301d4c36"
+dependencies = [
+ "memchr",
+ "minimal-lexical",
+]
+
+[[package]]
+name = "num-bigint"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f"
+dependencies = [
+ "autocfg",
+ "num-integer",
+ "num-traits",
+]
+
+[[package]]
+name = "num-integer"
+version = "0.1.45"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
+dependencies = [
+ "autocfg",
+ "num-traits",
+]
+
+[[package]]
+name = "num-traits"
+version = "0.2.15"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
+dependencies = [
+ "autocfg",
+]
+
 [[package]]
 name = "num_cpus"
 version = "1.13.1"
@@ -397,6 +548,24 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "num_threads"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2819ce041d2ee131036f4fc9d6ae7ae125a3a40e97ba64d04fe799ad9dabbb44"
+dependencies = [
+ "libc",
+]
+
+[[package]]
+name = "oid-registry"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "38e20717fa0541f39bd146692035c37bedfa532b3e5071b35761082407546b2a"
+dependencies = [
+ "asn1-rs",
+]
+
 [[package]]
 name = "once_cell"
 version = "1.10.0"
@@ -505,11 +674,16 @@ dependencies = [
 name = "qos-client"
 version = "0.1.0"
 dependencies = [
+ "aws-nitro-enclaves-cose",
  "aws-nitro-enclaves-nsm-api",
+ "der",
+ "openssl",
  "qos-core",
  "qos-host",
  "serde_cbor",
  "ureq",
+ "webpki",
+ "x509-parser",
 ]
 
 [[package]]
@@ -612,6 +786,36 @@ version = "0.6.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f497285884f3fcff424ffc933e56d7cbca511def0c9831a7f9b5f6153e3cc89b"
 
+[[package]]
+name = "ring"
+version = "0.16.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
+dependencies = [
+ "cc",
+ "libc",
+ "once_cell",
+ "spin",
+ "untrusted",
+ "web-sys",
+ "winapi",
+]
+
+[[package]]
+name = "rusticata-macros"
+version = "4.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
+dependencies = [
+ "nom",
+]
+
+[[package]]
+name = "rustversion"
+version = "1.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2cc38e8fa666e2de3c4aba7edeb5ffc5246c1c2ed0e3d17e560aeeba736b23f"
+
 [[package]]
 name = "serde"
 version = "1.0.137"
@@ -651,6 +855,27 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "serde_repr"
+version = "0.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2ad84e47328a31223de7fed7a4f5087f2d6ddfe586cf3ca25b7a165bc0a5aed"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "serde_with"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b827f2113224f3f19a665136f006709194bdfdcb1fdc1e4b2b5cbac8e0cced54"
+dependencies = [
+ "rustversion",
+ "serde",
+]
+
 [[package]]
 name = "socket2"
 version = "0.4.5"
@@ -661,6 +886,12 @@ dependencies = [
  "windows-sys",
 ]
 
+[[package]]
+name = "spin"
+version = "0.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
+
 [[package]]
 name = "syn"
 version = "1.0.92"
@@ -678,6 +909,56 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "20518fe4a4c9acf048008599e464deb21beeae3d3578418951a189c235a7a9a8"
 
+[[package]]
+name = "synstructure"
+version = "0.12.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "unicode-xid",
+]
+
+[[package]]
+name = "thiserror"
+version = "1.0.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd829fe32373d27f76265620b5309d0340cb8550f523c1dda251d6298069069a"
+dependencies = [
+ "thiserror-impl",
+]
+
+[[package]]
+name = "thiserror-impl"
+version = "1.0.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0396bc89e626244658bef819e22d0cc459e795a5ebe878e6ec336d1674a8d79a"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "time"
+version = "0.3.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2702e08a7a860f005826c6815dcac101b19b5eb330c27fe4a5928fec1d20ddd"
+dependencies = [
+ "itoa",
+ "libc",
+ "num_threads",
+ "time-macros",
+]
+
+[[package]]
+name = "time-macros"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "42657b1a6f4d817cda8e7a0ace261fe0cc946cf3a80314390b22cc61ae080792"
+
 [[package]]
 name = "tinyvec"
 version = "1.6.0"
@@ -829,6 +1110,12 @@ version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "957e51f3646910546462e67d5f7599b9e4fb8acdd304b087a6494730f9eebf04"
 
+[[package]]
+name = "untrusted"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+
 [[package]]
 name = "ureq"
 version = "2.4.0"
@@ -882,6 +1169,80 @@ version = "0.11.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 
+[[package]]
+name = "wasm-bindgen"
+version = "0.2.80"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "27370197c907c55e3f1a9fbe26f44e937fe6451368324e009cba39e139dc08ad"
+dependencies = [
+ "cfg-if",
+ "wasm-bindgen-macro",
+]
+
+[[package]]
+name = "wasm-bindgen-backend"
+version = "0.2.80"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "53e04185bfa3a779273da532f5025e33398409573f348985af9a1cbf3774d3f4"
+dependencies = [
+ "bumpalo",
+ "lazy_static",
+ "log",
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-macro"
+version = "0.2.80"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "17cae7ff784d7e83a2fe7611cfe766ecf034111b49deb850a3dc7699c08251f5"
+dependencies = [
+ "quote",
+ "wasm-bindgen-macro-support",
+]
+
+[[package]]
+name = "wasm-bindgen-macro-support"
+version = "0.2.80"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "99ec0dc7a4756fffc231aab1b9f2f578d23cd391390ab27f952ae0c9b3ece20b"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+ "wasm-bindgen-backend",
+ "wasm-bindgen-shared",
+]
+
+[[package]]
+name = "wasm-bindgen-shared"
+version = "0.2.80"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d554b7f530dee5964d9a9468d95c1f8b8acae4f282807e7d27d4b03099a46744"
+
+[[package]]
+name = "web-sys"
+version = "0.3.57"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7b17e741662c70c8bd24ac5c5b18de314a2c26c32bf8346ee1e6f53de919c283"
+dependencies = [
+ "js-sys",
+ "wasm-bindgen",
+]
+
+[[package]]
+name = "webpki"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd"
+dependencies = [
+ "ring",
+ "untrusted",
+]
+
 [[package]]
 name = "winapi"
 version = "0.3.9"
@@ -946,3 +1307,21 @@ name = "windows_x86_64_msvc"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"
+
+[[package]]
+name = "x509-parser"
+version = "0.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9fb9bace5b5589ffead1afb76e43e34cff39cd0f3ce7e170ae0c29e53b88eb1c"
+dependencies = [
+ "asn1-rs",
+ "base64",
+ "data-encoding",
+ "der-parser",
+ "lazy_static",
+ "nom",
+ "oid-registry",
+ "rusticata-macros",
+ "thiserror",
+ "time",
+]
diff --git a/qos-client/Cargo.toml b/qos-client/Cargo.toml
index 7cea5361..c9969358 100644
--- a/qos-client/Cargo.toml
+++ b/qos-client/Cargo.toml
@@ -6,9 +6,16 @@ edition = "2021"
 [dependencies]
 qos-core = { path = "../qos-core" }
 qos-host = { path = "../qos-host" }
+openssl = "0.10.40"
 
 # Third party
 ureq = { version = "2.4", default-features = false }
 serde_cbor = "0.11"
 aws-nitro-enclaves-nsm-api = { version = "0.2.1", default-features = false }
 
+
+# For handling Attestation Doc
+aws-nitro-enclaves-cose = "0.4.0"
+der = "0.6.0"
+webpki = "0.22.0"
+x509-parser = "0.13"
diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index 1a5fd793..68545405 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -110,6 +110,11 @@ impl CLI {
 }
 
 mod handlers {
+	use openssl::{
+		bn::BigNumContext,
+		ec::{EcGroup, EcKey, EcPoint},
+		nid::Nid,
+	};
 	use qos_core::protocol::{NsmRequest, NsmResponse};
 
 	use super::*;
@@ -160,18 +165,102 @@ mod handlers {
 
 		match response {
 			ProtocolMsg::NsmResponse(NsmResponse::Attestation { document }) => {
-				println!("{:?}", document);
+				use aws_nitro_enclaves_cose::CoseSign1;
 				use aws_nitro_enclaves_nsm_api::api::AttestationDoc;
+				// TODO: semantic verification from: https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/docs/attestation_process.md
 
-				let doc = AttestationDoc::from_binary(&document[..]);
-				println!("doc={:?}", doc);
+				let cose_sign1 = CoseSign1::from_bytes(&document[..]).unwrap();
+				let encoded_document = cose_sign1.get_payload(None).unwrap();
+				let decoded_document =
+					AttestationDoc::from_binary(&encoded_document[..]).unwrap();
 
-				// TODO: delete this stuff
-				// use std::{fs::File, io::Write};
-				// let mut file =
-				// 	File::create("/home/tk/attest_document").unwrap();
-				// let output = format!("{:?}", document);
-				// file.write_all(&output.as_bytes()).unwrap();
+				let pcrs = decoded_document.pcrs;
+
+				let module = decoded_document.module_id;
+				// println!("module id: {:?}", module);
+
+				if let Some(public_key) = decoded_document.public_key {
+					// println!("public key: {:?}", public_key);
+				}
+
+				let cabundle = decoded_document.cabundle;
+				// println!("CA bundle: {:?}", cabundle);
+
+				// Target Certificate in
+				// let certificate = decoded_document.certificate;
+				// println!("Certificate: {:?}", certificate);
+
+				// let c = std::str::from_utf8(&certificate);
+				// println!("Certificate:");
+				// println!("{:?}", c);
+
+				//
+
+				// Trying to do... Certificate -> Public Key
+				// Certificate & CA bundle verification example: https://github.com/ppmag/aws-nitro-enclaves-attestation/blob/83ca87233298c302973a5bdbbb394c36cd7eb6e6/src/lib.rs#L233-L235
+				match x509_parser::parse_x509_certificate(
+					&decoded_document.certificate.clone(),
+				) {
+					Ok((remaining_input, certificate)) => {
+						assert!(
+							remaining_input.len() == 0,
+							"certificate was not valid DER encoding"
+						);
+
+						assert!(
+							certificate.tbs_certificate.version()
+								== x509_parser::x509::X509Version::V3,
+							"Wrong certificate version"
+						);
+
+						let extracted_key = {
+							let pub_key = certificate
+								.tbs_certificate
+								.subject_pki
+								.subject_public_key
+								.data;
+
+							let group =
+								EcGroup::from_curve_name(Nid::SECP384R1)
+									.unwrap();
+							let mut ctx = BigNumContext::new().unwrap();
+							let point =
+								EcPoint::from_bytes(&group, &pub_key, &mut ctx)
+									.unwrap();
+							let ec_key =
+								EcKey::from_public_key(&group, &point).unwrap();
+
+							openssl::pkey::PKey::try_from(ec_key).expect("EC Key could not be converted to open ssl primitive")
+						};
+
+						assert!(
+							cose_sign1.verify_signature(&extracted_key).unwrap(),
+							"Could not verify attestation document with target certificate"
+						);
+						println!("Verified att_doc target cert signature!")
+					}
+					Err(_) => panic!("Could not parse target certificate"),
+				}
+
+				// use openssl::ec::EcKey;
+				// let key = EcKey::public_key_from_der(&certificate);
+				// println!("Public Key: {:?}", key);
+
+				////
+				// Truths:
+				////
+
+				// 1. AWS Nitro Enclaves use ES384 algorithm to sign the document
+				// 2. Certificate is DER-encoded
+				//
+
+				// Verification Flow:
+				// 1. Check signature from the Certificate over the AttestationDocument
+				// 2. Verify the CA Bundle using the known root of trust and Certificate
+				//   - Assume ROT is known ahead of time
+				// 3. Business logic
+				//   - Is the application that is being run (as evidenced by the PCRs) the expected application to have possession of *this* key?
+				//   - (Human): How do I know that this build artifact is correct?
 			}
 			_ => panic!("Not an attestation response"),
 		}
diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index 526db624..c158e022 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -140,18 +140,6 @@ mod handlers {
 			};
 			let fd = state.attestor.nsm_init();
 			let response = state.attestor.nsm_process_request(fd, attestation);
-			println!("response={:?}", response);
-			// match response {
-			// 	NsmResponse::Attestation { ref document } => {
-			// 		// use std::fs::File;
-			// 		// use std::io::Write;
-			// 		// let mut file =
-			// 		// 	File::create("/home/tk/attest_document").unwrap();
-			// 		// file.write_all(&document).unwrap();
-			// 	}
-			// 	_ => panic!("Not an attestation response"),
-			// }
-			println!("NSM process request: {:?}", response);
 			Some(ProtocolMsg::NsmResponse(response))
 		} else {
 			None

From e429116e7d345eff17cf9d1cfb38027dd620ccda Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Tue, 17 May 2022 12:17:17 -0700
Subject: [PATCH 13/44] Delete unused code and outline validation steps

---
 qos-client/src/cli.rs        | 173 ++++++++++++++++++-----------------
 qos-core/src/io/stream.rs    |   2 +-
 qos-core/src/protocol/mod.rs |   3 +-
 3 files changed, 91 insertions(+), 87 deletions(-)

diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index 68545405..8fe534b0 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -110,12 +110,15 @@ impl CLI {
 }
 
 mod handlers {
+	use std::time::Duration;
+
+	use aws_nitro_enclaves_nsm_api::api::Digest;
 	use openssl::{
 		bn::BigNumContext,
 		ec::{EcGroup, EcKey, EcPoint},
 		nid::Nid,
 	};
-	use qos_core::protocol::{NsmRequest, NsmResponse};
+	use qos_core::protocol::{NsmDigest, NsmRequest, NsmResponse};
 
 	use super::*;
 	use crate::request;
@@ -167,100 +170,100 @@ mod handlers {
 			ProtocolMsg::NsmResponse(NsmResponse::Attestation { document }) => {
 				use aws_nitro_enclaves_cose::CoseSign1;
 				use aws_nitro_enclaves_nsm_api::api::AttestationDoc;
-				// TODO: semantic verification from: https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/docs/attestation_process.md
-
-				let cose_sign1 = CoseSign1::from_bytes(&document[..]).unwrap();
-				let encoded_document = cose_sign1.get_payload(None).unwrap();
-				let decoded_document =
-					AttestationDoc::from_binary(&encoded_document[..]).unwrap();
+				////
+				// Truths:
+				////
 
-				let pcrs = decoded_document.pcrs;
+				// 1. AWS Nitro Enclaves use ES384 algorithm to sign the
+				// document 2. Certificate is DER-encoded
+				//
 
-				let module = decoded_document.module_id;
-				// println!("module id: {:?}", module);
+				// Verification Flow:
+				// 1. Check signature from the Certificate over the
+				// AttestationDocument 2. Verify the CA Bundle using the known
+				// root of trust and Certificate
+				//   - Assume ROT is known ahead of time
+				// 3. Business logic
+				//   - Is the application that is being run (as evidenced by the
+				//     PCRs) the expected application to have possession of
+				//     *this* key?
+				//   - (Human): How do I know that this build artifact is
+				//     correct?
+				// TODO: semantic verification from: https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/docs/attestation_process.md
 
-				if let Some(public_key) = decoded_document.public_key {
-					// println!("public key: {:?}", public_key);
+				let cose_sign1 = CoseSign1::from_bytes(&document[..]).unwrap();
+				let raw_attestation_doc = cose_sign1.get_payload(None).unwrap();
+				let attestation_doc =
+					AttestationDoc::from_binary(&raw_attestation_doc[..])
+						.expect("Attestation doc could not be decoded.");
+
+				// Basic syntactic validation
+				{
+					assert!(
+						attestation_doc.module_id.len() > 0,
+						"Invalid Module ID"
+					);
+					assert!(
+						attestation_doc.digest == Digest::SHA384,
+						"Invalid Digest"
+					);
+
+					// let ts_start = Utc.ymd(2020, 1, 1).and_hms(0, 0, 0);
+					// let ts_end = Utc::now() + Duration::days(1);
+					// (attestation_doc.timestamp > ts_start &&
+					// attestation_doc.timestamp < ts_end)
+
+					//TODO: add all validations as specified in https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/docs/attestation_process.md#32-syntactical-validation
 				}
 
-				let cabundle = decoded_document.cabundle;
-				// println!("CA bundle: {:?}", cabundle);
-
-				// Target Certificate in
-				// let certificate = decoded_document.certificate;
-				// println!("Certificate: {:?}", certificate);
-
-				// let c = std::str::from_utf8(&certificate);
-				// println!("Certificate:");
-				// println!("{:?}", c);
-
-				//
+				// CA bundle verification
+				{}
 
-				// Trying to do... Certificate -> Public Key
 				// Certificate & CA bundle verification example: https://github.com/ppmag/aws-nitro-enclaves-attestation/blob/83ca87233298c302973a5bdbbb394c36cd7eb6e6/src/lib.rs#L233-L235
-				match x509_parser::parse_x509_certificate(
-					&decoded_document.certificate.clone(),
-				) {
-					Ok((remaining_input, certificate)) => {
-						assert!(
-							remaining_input.len() == 0,
-							"certificate was not valid DER encoding"
-						);
-
-						assert!(
-							certificate.tbs_certificate.version()
-								== x509_parser::x509::X509Version::V3,
-							"Wrong certificate version"
-						);
-
-						let extracted_key = {
-							let pub_key = certificate
-								.tbs_certificate
-								.subject_pki
-								.subject_public_key
-								.data;
-
-							let group =
-								EcGroup::from_curve_name(Nid::SECP384R1)
-									.unwrap();
-							let mut ctx = BigNumContext::new().unwrap();
-							let point =
-								EcPoint::from_bytes(&group, &pub_key, &mut ctx)
-									.unwrap();
-							let ec_key =
-								EcKey::from_public_key(&group, &point).unwrap();
-
-							openssl::pkey::PKey::try_from(ec_key).expect("EC Key could not be converted to open ssl primitive")
-						};
-
-						assert!(
-							cose_sign1.verify_signature(&extracted_key).unwrap(),
+				{
+					let (remaining_input, certificate) =
+						x509_parser::parse_x509_certificate(
+							&attestation_doc.certificate,
+						)
+						.expect("Could not parse target certificate");
+
+					// Basic semantic checks
+					assert!(
+						remaining_input.len() == 0,
+						"certificate was not valid DER encoding"
+					);
+					assert!(
+						certificate.tbs_certificate.version()
+							== x509_parser::x509::X509Version::V3,
+						"Wrong certificate version"
+					);
+
+					// Get the public key the cose sign1 object was signed with
+					let extracted_key = {
+						let pub_key = certificate
+							.tbs_certificate
+							.subject_pki
+							.subject_public_key
+							.data;
+
+						let group =
+							EcGroup::from_curve_name(Nid::SECP384R1).unwrap();
+						let mut ctx = BigNumContext::new().unwrap();
+						let point =
+							EcPoint::from_bytes(&group, &pub_key, &mut ctx)
+								.unwrap();
+						let ec_key =
+							EcKey::from_public_key(&group, &point).unwrap();
+
+						openssl::pkey::PKey::try_from(ec_key).expect("EC Key could not be converted to open ssl primitive")
+					};
+
+					// Verify the signature against the extracted public key
+					assert!(
+							cose_sign1.verify_signature(&extracted_key).expect("Error with cose signature verification."),
 							"Could not verify attestation document with target certificate"
 						);
-						println!("Verified att_doc target cert signature!")
-					}
-					Err(_) => panic!("Could not parse target certificate"),
 				}
-
-				// use openssl::ec::EcKey;
-				// let key = EcKey::public_key_from_der(&certificate);
-				// println!("Public Key: {:?}", key);
-
-				////
-				// Truths:
-				////
-
-				// 1. AWS Nitro Enclaves use ES384 algorithm to sign the document
-				// 2. Certificate is DER-encoded
-				//
-
-				// Verification Flow:
-				// 1. Check signature from the Certificate over the AttestationDocument
-				// 2. Verify the CA Bundle using the known root of trust and Certificate
-				//   - Assume ROT is known ahead of time
-				// 3. Business logic
-				//   - Is the application that is being run (as evidenced by the PCRs) the expected application to have possession of *this* key?
-				//   - (Human): How do I know that this build artifact is correct?
 			}
 			_ => panic!("Not an attestation response"),
 		}
diff --git a/qos-core/src/io/stream.rs b/qos-core/src/io/stream.rs
index cf1328cc..afa92481 100644
--- a/qos-core/src/io/stream.rs
+++ b/qos-core/src/io/stream.rs
@@ -306,7 +306,7 @@ mod test {
 			while let Some(stream) = listener.next() {
 				let req = stream.recv().unwrap();
 				stream.send(&req).unwrap();
-				break;
+				break
 			}
 		});
 
diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index c158e022..2d6b7935 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -129,7 +129,8 @@ mod handlers {
 		req: &ProtocolMsg,
 		state: &mut ProtocolState,
 	) -> Option<ProtocolMsg> {
-		// if let ProtocolMsg::NsmRequest(NsmRequest::Attestation { .. }) = req {
+		// if let ProtocolMsg::NsmRequest(NsmRequest::Attestation { .. }) = req
+		// {
 		if let ProtocolMsg::NsmRequest(_req) = req {
 			let attestation = NsmRequest::Attestation {
 				user_data: None,

From 94ac9aaf659e4440361233d90191f77a05b0f861 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Tue, 17 May 2022 12:46:36 -0700
Subject: [PATCH 14/44] Wip cabundle verification

---
 qos-client/src/aws_root_cert.pem | 14 +++++++++++
 qos-client/src/cli.rs            | 41 +++++++++++++++++++++++---------
 2 files changed, 44 insertions(+), 11 deletions(-)
 create mode 100644 qos-client/src/aws_root_cert.pem

diff --git a/qos-client/src/aws_root_cert.pem b/qos-client/src/aws_root_cert.pem
new file mode 100644
index 00000000..03fd4544
--- /dev/null
+++ b/qos-client/src/aws_root_cert.pem
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICETCCAZagAwIBAgIRAPkxdWgbkK/hHUbMtOTn+FYwCgYIKoZIzj0EAwMwSTEL
+MAkGA1UEBhMCVVMxDzANBgNVBAoMBkFtYXpvbjEMMAoGA1UECwwDQVdTMRswGQYD
+VQQDDBJhd3Mubml0cm8tZW5jbGF2ZXMwHhcNMTkxMDI4MTMyODA1WhcNNDkxMDI4
+MTQyODA1WjBJMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQL
+DANBV1MxGzAZBgNVBAMMEmF3cy5uaXRyby1lbmNsYXZlczB2MBAGByqGSM49AgEG
+BSuBBAAiA2IABPwCVOumCMHzaHDimtqQvkY4MpJzbolL//Zy2YlES1BR5TSksfbb
+48C8WBoyt7F2Bw7eEtaaP+ohG2bnUs990d0JX28TcPQXCEPZ3BABIeTPYwEoCWZE
+h8l5YoQwTcU/9KNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkCW1DdkF
+R+eWw5b6cp3PmanfS5YwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2kAMGYC
+MQCjfy+Rocm9Xue4YnwWmNJVA44fA0P5W2OpYow9OYCVRaEevL8uO1XYru5xtMPW
+rfMCMQCi85sWBbJwKKXdS6BptQFuZbT73o/gBh1qUxl/nNr12UO8Yfwr6wPLb+6N
+IwLz3/Y=
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index 8fe534b0..5908ce4d 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -110,16 +110,6 @@ impl CLI {
 }
 
 mod handlers {
-	use std::time::Duration;
-
-	use aws_nitro_enclaves_nsm_api::api::Digest;
-	use openssl::{
-		bn::BigNumContext,
-		ec::{EcGroup, EcKey, EcPoint},
-		nid::Nid,
-	};
-	use qos_core::protocol::{NsmDigest, NsmRequest, NsmResponse};
-
 	use super::*;
 	use crate::request;
 
@@ -170,6 +160,14 @@ mod handlers {
 			ProtocolMsg::NsmResponse(NsmResponse::Attestation { document }) => {
 				use aws_nitro_enclaves_cose::CoseSign1;
 				use aws_nitro_enclaves_nsm_api::api::AttestationDoc;
+				use aws_nitro_enclaves_nsm_api::api::Digest;
+				use openssl::{
+					bn::BigNumContext,
+					ec::{EcGroup, EcKey, EcPoint},
+					nid::Nid,
+				};
+				use qos_core::protocol::{NsmDigest, NsmRequest, NsmResponse};
+				use x509_parser::pem::Pem;
 				////
 				// Truths:
 				////
@@ -217,7 +215,27 @@ mod handlers {
 				}
 
 				// CA bundle verification
-				{}
+				{
+					const AWS_ROOT_CERT: &'static [u8] =
+						std::include_bytes!("./aws_root_cert.pem");
+					// aws root cert checksum:
+					// 8cf60e2b2efca96c6a9e71e851d00c1b6991cc09eadbe64a6a1d1b1eb9faff7c
+
+					// Bundle starts with root certificate - we want to replace the root
+					// with our hardcoded known certificate, so we remove the root (first element)
+					let bundle: Vec<_> = attestation_doc.cabundle[1..]
+						.into_iter()
+						.map(|x| x.as_slice())
+						.collect();
+
+					let mut pem_iter = Pem::iter_from_buffer(AWS_ROOT_CERT)
+					let root_cert = pem_iter.next().expect("Hardcoded aws root cert should be valid PEM");
+					assert!(pem_iter.next().is_none(), "More then 1 cert detected in hardcoded aws root");
+
+					let anchor =
+						webpki::TrustAnchor::try_from_cert_der(x509_parser::pem_to_der(IGCA_PEM);)
+							.expect("Could not decode DER cabundle");
+				}
 
 				// Certificate & CA bundle verification example: https://github.com/ppmag/aws-nitro-enclaves-attestation/blob/83ca87233298c302973a5bdbbb394c36cd7eb6e6/src/lib.rs#L233-L235
 				{
@@ -239,6 +257,7 @@ mod handlers {
 					);
 
 					// Get the public key the cose sign1 object was signed with
+					// https://github.com/briansmith/webpki/issues/85
 					let extracted_key = {
 						let pub_key = certificate
 							.tbs_certificate

From 4a755e00ae45e6579d0587925da3da7de799a242 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Tue, 17 May 2022 13:54:38 -0700
Subject: [PATCH 15/44] Bundle verified

---
 qos-client/src/cli.rs | 64 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 56 insertions(+), 8 deletions(-)

diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index 5908ce4d..806e078d 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -3,6 +3,8 @@ use std::env;
 use qos_core::protocol::{Echo, ProtocolMsg};
 use qos_host::cli::HostOptions;
 
+use std::time::*;
+
 #[derive(Clone, PartialEq, Debug)]
 enum Command {
 	Health,
@@ -112,6 +114,7 @@ impl CLI {
 mod handlers {
 	use super::*;
 	use crate::request;
+	use qos_core::protocol::{NsmDigest, NsmRequest, NsmResponse};
 
 	pub(super) fn health(options: ClientOptions) {
 		let path = &options.host.path("health");
@@ -166,8 +169,22 @@ mod handlers {
 					ec::{EcGroup, EcKey, EcPoint},
 					nid::Nid,
 				};
-				use qos_core::protocol::{NsmDigest, NsmRequest, NsmResponse};
 				use x509_parser::pem::Pem;
+				static ALL_SIGALGS: &[&webpki::SignatureAlgorithm] = &[
+					&webpki::ECDSA_P256_SHA256,
+					&webpki::ECDSA_P256_SHA384,
+					&webpki::ECDSA_P384_SHA256,
+					&webpki::ECDSA_P384_SHA384,
+					&webpki::ED25519,
+					#[cfg(feature = "alloc")]
+					&webpki::RSA_PKCS1_2048_8192_SHA256,
+					#[cfg(feature = "alloc")]
+					&webpki::RSA_PKCS1_2048_8192_SHA384,
+					#[cfg(feature = "alloc")]
+					&webpki::RSA_PKCS1_2048_8192_SHA512,
+					#[cfg(feature = "alloc")]
+					&webpki::RSA_PKCS1_3072_8192_SHA384,
+				];
 				////
 				// Truths:
 				////
@@ -223,18 +240,49 @@ mod handlers {
 
 					// Bundle starts with root certificate - we want to replace the root
 					// with our hardcoded known certificate, so we remove the root (first element)
-					let bundle: Vec<_> = attestation_doc.cabundle[1..]
+					let intermediate_certs: Vec<_> = attestation_doc.cabundle
+						[1..]
 						.into_iter()
 						.map(|x| x.as_slice())
 						.collect();
 
-					let mut pem_iter = Pem::iter_from_buffer(AWS_ROOT_CERT)
-					let root_cert = pem_iter.next().expect("Hardcoded aws root cert should be valid PEM");
-					assert!(pem_iter.next().is_none(), "More then 1 cert detected in hardcoded aws root");
+					let mut pem_iter = Pem::iter_from_buffer(AWS_ROOT_CERT);
+					let root_cert = pem_iter
+						.next()
+						.expect("Hardcoded aws root cert should be valid PEM")
+						.expect("Hardcoded aws root cert should be valid PEM");
+					assert!(
+						pem_iter.next().is_none(),
+						"More then 1 cert detected in hardcoded aws root"
+					);
+
+					let anchor = webpki::TrustAnchor::try_from_cert_der(
+						&root_cert.contents[..],
+					)
+					.expect("Could not decode DER cabundle");
+					let anchors = vec![anchor];
+					let anchors = webpki::TlsServerTrustAnchors(&anchors);
+
+					// let second_since_epoch = std::time::SystemTime::now()
+					// 	.duration_since(std::time::SystemTime::UNIX_EPOCH)
+					// 	.unwrap().as_secs()
+					let seconds_since_epoch = 1652756400;
+					let time = webpki::Time::from_seconds_since_unix_epoch(
+						seconds_since_epoch,
+					);
 
-					let anchor =
-						webpki::TrustAnchor::try_from_cert_der(x509_parser::pem_to_der(IGCA_PEM);)
-							.expect("Could not decode DER cabundle");
+					// Cert
+					let ee_raw: &[u8] = attestation_doc.certificate.as_ref();
+					let cert = webpki::EndEntityCert::try_from(ee_raw)
+						.expect("Could not decode target cert");
+
+					cert.verify_is_valid_tls_server_cert(
+						ALL_SIGALGS,
+						&anchors,
+						&intermediate_certs,
+						time,
+					)
+					.expect("Invalid CA bundle");
 				}
 
 				// Certificate & CA bundle verification example: https://github.com/ppmag/aws-nitro-enclaves-attestation/blob/83ca87233298c302973a5bdbbb394c36cd7eb6e6/src/lib.rs#L233-L235

From 86622b551a629c9047f8fa06206af76174b46202 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Tue, 17 May 2022 14:40:29 -0700
Subject: [PATCH 16/44] Move attestation doc verification to its own module

---
 Cargo.lock                    |   7 --
 qos-client/Cargo.toml         |   1 -
 qos-client/src/attestation.rs | 158 ++++++++++++++++++++++++++++++++
 qos-client/src/cli.rs         | 168 +++-------------------------------
 qos-client/src/lib.rs         |   1 +
 qos-crypto/src/lib.rs         |   6 +-
 6 files changed, 178 insertions(+), 163 deletions(-)
 create mode 100644 qos-client/src/attestation.rs

diff --git a/Cargo.lock b/Cargo.lock
index cb1f5834..fa989db2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -186,12 +186,6 @@ version = "2.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3ee2393c4a91429dffb4bedf19f4d6abf27d8a732c8ce4980305d782e5426d57"
 
-[[package]]
-name = "der"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13dd2ae565c0a381dde7fade45fce95984c568bdcb4700a4fdbe3175e0380b2f"
-
 [[package]]
 name = "der-parser"
 version = "7.0.0"
@@ -676,7 +670,6 @@ version = "0.1.0"
 dependencies = [
  "aws-nitro-enclaves-cose",
  "aws-nitro-enclaves-nsm-api",
- "der",
  "openssl",
  "qos-core",
  "qos-host",
diff --git a/qos-client/Cargo.toml b/qos-client/Cargo.toml
index c9969358..fbe41a71 100644
--- a/qos-client/Cargo.toml
+++ b/qos-client/Cargo.toml
@@ -16,6 +16,5 @@ aws-nitro-enclaves-nsm-api = { version = "0.2.1", default-features = false }
 
 # For handling Attestation Doc
 aws-nitro-enclaves-cose = "0.4.0"
-der = "0.6.0"
 webpki = "0.22.0"
 x509-parser = "0.13"
diff --git a/qos-client/src/attestation.rs b/qos-client/src/attestation.rs
new file mode 100644
index 00000000..9d4b0bda
--- /dev/null
+++ b/qos-client/src/attestation.rs
@@ -0,0 +1,158 @@
+//! Attestation verification logic
+
+#[derive(Debug)]
+pub enum AttestationError {}
+
+pub mod nitro {
+	use aws_nitro_enclaves_cose::CoseSign1;
+	use aws_nitro_enclaves_nsm_api::api::AttestationDoc;
+	use openssl::{
+		bn::BigNumContext,
+		ec::{EcGroup, EcKey, EcPoint},
+		nid::Nid,
+	};
+	use x509_parser::pem::Pem;
+
+	use super::AttestationError;
+
+	// TODO: find out the exact algo we need and just use that
+	static ALL_SIGALGS: &[&webpki::SignatureAlgorithm] = &[
+		// &webpki::ECDSA_P256_SHA256,
+		// &webpki::ECDSA_P256_SHA384,
+		// &webpki::ECDSA_P384_SHA256,
+		&webpki::ECDSA_P384_SHA384,
+		// &webpki::ED25519,
+		// #[cfg(feature = "alloc")]
+		// &webpki::RSA_PKCS1_2048_8192_SHA256,
+		// #[cfg(feature = "alloc")]
+		// &webpki::RSA_PKCS1_2048_8192_SHA384,
+		// #[cfg(feature = "alloc")]
+		// &webpki::RSA_PKCS1_2048_8192_SHA512,
+		// #[cfg(feature = "alloc")]
+		// &webpki::RSA_PKCS1_3072_8192_SHA384,
+	];
+
+	// Corresponds to `MockNsm` attestation document response
+	pub(crate) const MOCK_SECONDS_SINCE_EPOCH: u64 = 1652756400;
+
+	// aws root cert checksum:
+	// 8cf60e2b2efca96c6a9e71e851d00c1b6991cc09eadbe64a6a1d1b1eb9faff7c
+	pub(crate) const AWS_ROOT_CERT: &'static [u8] =
+		std::include_bytes!("./aws_root_cert.pem");
+
+	pub(crate) fn root_cert_from_pem(pem: &[u8]) -> Vec<u8> {
+		let mut pem_iter = Pem::iter_from_buffer(pem);
+		let root_cert = pem_iter
+			.next()
+			.expect("Hardcoded aws root cert should be valid PEM")
+			.expect("Hardcoded aws root cert should be valid PEM");
+		assert!(
+			pem_iter.next().is_none(),
+			"More then 1 cert detected in hardcoded aws root"
+		);
+
+		root_cert.contents
+	}
+
+	/// Extract the DER encoded `AttestationDoc` from the nsm provided
+	/// attestation document. This function will verify the the root certificate
+	/// authority via the CA bundle and that verify "target" (aka "end entity")
+	/// certificate signed the COSE Sign1 message.
+	pub fn attestation_doc_from_der(
+		bytes: Vec<u8>,
+		root_cert: &[u8],
+		validation_time: u64, // seconds since unix epoch
+	) -> Result<AttestationDoc, AttestationError> {
+		let cose_sign1 = CoseSign1::from_bytes(&bytes[..]).unwrap();
+		let raw_attestation_doc = cose_sign1.get_payload(None).unwrap();
+		let attestation_doc =
+			AttestationDoc::from_binary(&raw_attestation_doc[..])
+				.expect("Attestation doc could not be decoded.");
+
+		// TODO: [now] basic syntactical validation as per nsm api docs
+
+		// CA bundle verification
+		{
+			// Bundle starts with root certificate - we want to replace the root
+			// with our hardcoded known certificate, so we remove the root
+			// (first element)
+			let intermediate_certs: Vec<_> = attestation_doc.cabundle[1..]
+				.into_iter()
+				.map(|x| x.as_slice())
+				.collect();
+
+			let anchor = webpki::TrustAnchor::try_from_cert_der(root_cert)
+				.expect("Could not decode DER cabundle root");
+			let anchors = vec![anchor];
+			let anchors = webpki::TlsServerTrustAnchors(&anchors);
+
+			// let second_since_epoch = std::time::SystemTime::now()
+			// 	.duration_since(std::time::SystemTime::UNIX_EPOCH)
+			// 	.unwrap().as_secs()
+
+			let time =
+				webpki::Time::from_seconds_since_unix_epoch(validation_time);
+
+			let ee_raw: &[u8] = attestation_doc.certificate.as_ref();
+			let cert = webpki::EndEntityCert::try_from(ee_raw)
+				.expect("Could not decode target cert");
+
+			cert.verify_is_valid_tls_server_cert(
+				ALL_SIGALGS,
+				&anchors,
+				&intermediate_certs,
+				time,
+			)
+			.expect("Invalid CA bundle");
+		}
+
+		{
+			let (remaining_input, certificate) =
+				x509_parser::parse_x509_certificate(
+					&attestation_doc.certificate,
+				)
+				.expect("Could not parse target certificate");
+
+			// Basic checks
+			assert!(
+				remaining_input.len() == 0,
+				"certificate was not valid DER encoding"
+			);
+			assert!(
+				certificate.tbs_certificate.version()
+					== x509_parser::x509::X509Version::V3,
+				"Wrong certificate version"
+			);
+
+			// Get the public key the cose sign1 object was signed with
+			// https://github.com/briansmith/webpki/issues/85
+			let extracted_key = {
+				let pub_key = certificate
+					.tbs_certificate
+					.subject_pki
+					.subject_public_key
+					.data;
+
+				let group = EcGroup::from_curve_name(Nid::SECP384R1).unwrap();
+				let mut ctx = BigNumContext::new().unwrap();
+				let point =
+					EcPoint::from_bytes(&group, &pub_key, &mut ctx).unwrap();
+				let ec_key = EcKey::from_public_key(&group, &point).unwrap();
+
+				openssl::pkey::PKey::try_from(ec_key).expect(
+					"EC Key could not be converted to open ssl primitive",
+				)
+			};
+
+			// Verify the signature against the extracted public key
+			assert!(
+				cose_sign1
+					.verify_signature(&extracted_key)
+					.expect("Error with cose signature verification."),
+				"Could not verify attestation document with target certificate"
+			);
+		}
+
+		Ok(attestation_doc)
+	}
+}
diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index 806e078d..bc1a5485 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -3,8 +3,6 @@ use std::env;
 use qos_core::protocol::{Echo, ProtocolMsg};
 use qos_host::cli::HostOptions;
 
-use std::time::*;
-
 #[derive(Clone, PartialEq, Debug)]
 enum Command {
 	Health,
@@ -112,9 +110,10 @@ impl CLI {
 }
 
 mod handlers {
+	use qos_core::protocol::{NsmRequest, NsmResponse};
+
 	use super::*;
-	use crate::request;
-	use qos_core::protocol::{NsmDigest, NsmRequest, NsmResponse};
+	use crate::{attestation, request};
 
 	pub(super) fn health(options: ClientOptions) {
 		let path = &options.host.path("health");
@@ -161,34 +160,13 @@ mod handlers {
 
 		match response {
 			ProtocolMsg::NsmResponse(NsmResponse::Attestation { document }) => {
-				use aws_nitro_enclaves_cose::CoseSign1;
-				use aws_nitro_enclaves_nsm_api::api::AttestationDoc;
-				use aws_nitro_enclaves_nsm_api::api::Digest;
-				use openssl::{
-					bn::BigNumContext,
-					ec::{EcGroup, EcKey, EcPoint},
-					nid::Nid,
+				use attestation::nitro::{
+					attestation_doc_from_der, root_cert_from_pem,
+					AWS_ROOT_CERT, MOCK_SECONDS_SINCE_EPOCH,
 				};
-				use x509_parser::pem::Pem;
-				static ALL_SIGALGS: &[&webpki::SignatureAlgorithm] = &[
-					&webpki::ECDSA_P256_SHA256,
-					&webpki::ECDSA_P256_SHA384,
-					&webpki::ECDSA_P384_SHA256,
-					&webpki::ECDSA_P384_SHA384,
-					&webpki::ED25519,
-					#[cfg(feature = "alloc")]
-					&webpki::RSA_PKCS1_2048_8192_SHA256,
-					#[cfg(feature = "alloc")]
-					&webpki::RSA_PKCS1_2048_8192_SHA384,
-					#[cfg(feature = "alloc")]
-					&webpki::RSA_PKCS1_2048_8192_SHA512,
-					#[cfg(feature = "alloc")]
-					&webpki::RSA_PKCS1_3072_8192_SHA384,
-				];
 				////
 				// Truths:
 				////
-
 				// 1. AWS Nitro Enclaves use ES384 algorithm to sign the
 				// document 2. Certificate is DER-encoded
 				//
@@ -206,131 +184,15 @@ mod handlers {
 				//     correct?
 				// TODO: semantic verification from: https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/docs/attestation_process.md
 
-				let cose_sign1 = CoseSign1::from_bytes(&document[..]).unwrap();
-				let raw_attestation_doc = cose_sign1.get_payload(None).unwrap();
-				let attestation_doc =
-					AttestationDoc::from_binary(&raw_attestation_doc[..])
-						.expect("Attestation doc could not be decoded.");
-
-				// Basic syntactic validation
-				{
-					assert!(
-						attestation_doc.module_id.len() > 0,
-						"Invalid Module ID"
-					);
-					assert!(
-						attestation_doc.digest == Digest::SHA384,
-						"Invalid Digest"
-					);
-
-					// let ts_start = Utc.ymd(2020, 1, 1).and_hms(0, 0, 0);
-					// let ts_end = Utc::now() + Duration::days(1);
-					// (attestation_doc.timestamp > ts_start &&
-					// attestation_doc.timestamp < ts_end)
-
-					//TODO: add all validations as specified in https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/docs/attestation_process.md#32-syntactical-validation
-				}
-
-				// CA bundle verification
-				{
-					const AWS_ROOT_CERT: &'static [u8] =
-						std::include_bytes!("./aws_root_cert.pem");
-					// aws root cert checksum:
-					// 8cf60e2b2efca96c6a9e71e851d00c1b6991cc09eadbe64a6a1d1b1eb9faff7c
-
-					// Bundle starts with root certificate - we want to replace the root
-					// with our hardcoded known certificate, so we remove the root (first element)
-					let intermediate_certs: Vec<_> = attestation_doc.cabundle
-						[1..]
-						.into_iter()
-						.map(|x| x.as_slice())
-						.collect();
-
-					let mut pem_iter = Pem::iter_from_buffer(AWS_ROOT_CERT);
-					let root_cert = pem_iter
-						.next()
-						.expect("Hardcoded aws root cert should be valid PEM")
-						.expect("Hardcoded aws root cert should be valid PEM");
-					assert!(
-						pem_iter.next().is_none(),
-						"More then 1 cert detected in hardcoded aws root"
-					);
-
-					let anchor = webpki::TrustAnchor::try_from_cert_der(
-						&root_cert.contents[..],
-					)
-					.expect("Could not decode DER cabundle");
-					let anchors = vec![anchor];
-					let anchors = webpki::TlsServerTrustAnchors(&anchors);
-
-					// let second_since_epoch = std::time::SystemTime::now()
-					// 	.duration_since(std::time::SystemTime::UNIX_EPOCH)
-					// 	.unwrap().as_secs()
-					let seconds_since_epoch = 1652756400;
-					let time = webpki::Time::from_seconds_since_unix_epoch(
-						seconds_since_epoch,
-					);
-
-					// Cert
-					let ee_raw: &[u8] = attestation_doc.certificate.as_ref();
-					let cert = webpki::EndEntityCert::try_from(ee_raw)
-						.expect("Could not decode target cert");
-
-					cert.verify_is_valid_tls_server_cert(
-						ALL_SIGALGS,
-						&anchors,
-						&intermediate_certs,
-						time,
-					)
-					.expect("Invalid CA bundle");
-				}
-
-				// Certificate & CA bundle verification example: https://github.com/ppmag/aws-nitro-enclaves-attestation/blob/83ca87233298c302973a5bdbbb394c36cd7eb6e6/src/lib.rs#L233-L235
-				{
-					let (remaining_input, certificate) =
-						x509_parser::parse_x509_certificate(
-							&attestation_doc.certificate,
-						)
-						.expect("Could not parse target certificate");
-
-					// Basic semantic checks
-					assert!(
-						remaining_input.len() == 0,
-						"certificate was not valid DER encoding"
-					);
-					assert!(
-						certificate.tbs_certificate.version()
-							== x509_parser::x509::X509Version::V3,
-						"Wrong certificate version"
-					);
-
-					// Get the public key the cose sign1 object was signed with
-					// https://github.com/briansmith/webpki/issues/85
-					let extracted_key = {
-						let pub_key = certificate
-							.tbs_certificate
-							.subject_pki
-							.subject_public_key
-							.data;
-
-						let group =
-							EcGroup::from_curve_name(Nid::SECP384R1).unwrap();
-						let mut ctx = BigNumContext::new().unwrap();
-						let point =
-							EcPoint::from_bytes(&group, &pub_key, &mut ctx)
-								.unwrap();
-						let ec_key =
-							EcKey::from_public_key(&group, &point).unwrap();
-
-						openssl::pkey::PKey::try_from(ec_key).expect("EC Key could not be converted to open ssl primitive")
-					};
-
-					// Verify the signature against the extracted public key
-					assert!(
-							cose_sign1.verify_signature(&extracted_key).expect("Error with cose signature verification."),
-							"Could not verify attestation document with target certificate"
-						);
-				}
+				let root_cert = root_cert_from_pem(AWS_ROOT_CERT);
+				match attestation_doc_from_der(
+					document,
+					&root_cert[..],
+					MOCK_SECONDS_SINCE_EPOCH,
+				) {
+					Ok(_) => println!("Attestation doc verified!"),
+					Err(e) => panic!("{:?}", e),
+				};
 			}
 			_ => panic!("Not an attestation response"),
 		}
diff --git a/qos-client/src/lib.rs b/qos-client/src/lib.rs
index 537a2510..91149e29 100644
--- a/qos-client/src/lib.rs
+++ b/qos-client/src/lib.rs
@@ -1,3 +1,4 @@
+pub(crate) mod attestation;
 pub mod cli;
 
 pub mod request {
diff --git a/qos-crypto/src/lib.rs b/qos-crypto/src/lib.rs
index f55e2d23..9fc82f9f 100644
--- a/qos-crypto/src/lib.rs
+++ b/qos-crypto/src/lib.rs
@@ -8,7 +8,7 @@ use openssl::{
 	hash::MessageDigest,
 	pkey::{PKey, Private, Public},
 	rsa::Rsa,
-	sign::{Signer, Verifier},
+	sign::Signer,
 };
 pub use shamir::*;
 
@@ -24,7 +24,7 @@ impl From<std::io::Error> for CryptographyError {
 }
 
 impl From<openssl::error::ErrorStack> for CryptographyError {
-	fn from(err: openssl::error::ErrorStack) -> Self {
+	fn from(_: openssl::error::ErrorStack) -> Self {
 		CryptographyError::OpenSSLError(openssl::error::ErrorStack::get())
 	}
 }
@@ -65,6 +65,8 @@ pub fn sign_with_key(
 
 #[cfg(test)]
 mod test {
+	use openssl::sign::Verifier;
+
 	use super::*;
 
 	#[test]

From 6d7506bba9b19355c31fc6d1802aa1c97a6b8966 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Tue, 17 May 2022 15:07:21 -0700
Subject: [PATCH 17/44] outline validation

---
 qos-client/src/attestation.rs | 60 ++++++++++++++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)

diff --git a/qos-client/src/attestation.rs b/qos-client/src/attestation.rs
index 9d4b0bda..0b7a00ec 100644
--- a/qos-client/src/attestation.rs
+++ b/qos-client/src/attestation.rs
@@ -71,7 +71,7 @@ pub mod nitro {
 
 		// TODO: [now] basic syntactical validation as per nsm api docs
 
-		// CA bundle verification
+		// CA bundle verification aka verify certificate chain with the root certificate
 		{
 			// Bundle starts with root certificate - we want to replace the root
 			// with our hardcoded known certificate, so we remove the root
@@ -155,4 +155,62 @@ pub mod nitro {
 
 		Ok(attestation_doc)
 	}
+
+	mod syntactic_validation {
+		/// Mandatory field
+		fn module_id() {
+			todo!()
+		}
+		/// Mandatory field
+		fn pcrs() {
+			todo!()
+		}
+		/// Mandatory field
+		fn cabundle() {
+			todo!()
+		}
+		/// Mandatory field
+		fn digest() {
+			todo!()
+		}
+		/// Mandatory field
+		fn timestamp() {
+			todo!()
+		}
+		/// Optional field
+		fn public_key() {
+			todo!()
+		}
+		/// Optional field
+		fn user_data() {
+			todo!()
+		}
+		/// Optional field
+		fn nonce() {
+			todo!()
+		}
+	}
+}
+
+#[cfg(test)]
+mod test {
+	mod nitro {
+		#[test]
+		fn attestation_doc_from_der_time_is_late() {}
+
+		#[test]
+		fn attestation_doc_from_der_time_is_early() {}
+
+		#[test]
+		fn attestation_doc_from_der_corrupt_cabundle() {}
+
+		#[test]
+		fn attestation_doc_from_der_corrupt_target_certificate() {}
+
+		#[test]
+		fn attestation_doc_from_der_bad_sign1_sig() {}
+
+		#[test]
+		fn attestation_doc_from_der_corrupt_root_certificate() {}
+	}
 }

From 45fa34a35f277d481b2766d5ff7678af3233fd70 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 12:15:02 -0700
Subject: [PATCH 18/44] Add syntactic verification

---
 Cargo.lock                    |   1 +
 qos-client/Cargo.toml         |   2 +-
 qos-client/src/attest.rs      | 320 ++++++++++++++++++++++++++++++++++
 qos-client/src/attestation.rs | 216 -----------------------
 qos-client/src/cli.rs         |  11 +-
 qos-client/src/lib.rs         |   2 +-
 6 files changed, 329 insertions(+), 223 deletions(-)
 create mode 100644 qos-client/src/attest.rs
 delete mode 100644 qos-client/src/attestation.rs

diff --git a/Cargo.lock b/Cargo.lock
index fa989db2..73978eba 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -673,6 +673,7 @@ dependencies = [
  "openssl",
  "qos-core",
  "qos-host",
+ "serde_bytes",
  "serde_cbor",
  "ureq",
  "webpki",
diff --git a/qos-client/Cargo.toml b/qos-client/Cargo.toml
index fbe41a71..91770de2 100644
--- a/qos-client/Cargo.toml
+++ b/qos-client/Cargo.toml
@@ -13,8 +13,8 @@ ureq = { version = "2.4", default-features = false }
 serde_cbor = "0.11"
 aws-nitro-enclaves-nsm-api = { version = "0.2.1", default-features = false }
 
-
 # For handling Attestation Doc
 aws-nitro-enclaves-cose = "0.4.0"
 webpki = "0.22.0"
 x509-parser = "0.13"
+serde_bytes = "0.11"
diff --git a/qos-client/src/attest.rs b/qos-client/src/attest.rs
new file mode 100644
index 00000000..ad35363c
--- /dev/null
+++ b/qos-client/src/attest.rs
@@ -0,0 +1,320 @@
+//! Attestation verification logic
+
+#[derive(Debug)]
+pub enum AttestError {
+	InvalidCertChain,
+	WebPki(webpki::Error),
+	OpenSSLError(openssl::error::ErrorStack),
+	InvalidPem,
+	PEMError(x509_parser::prelude::PEMError),
+	InvalidDigest,
+	InvalidModuleId,
+	InvalidPcr,
+	InvalidCABundle,
+	InvalidTimeStamp,
+	InvalidPubKey,
+	InvalidBytes,
+}
+
+impl From<webpki::Error> for AttestError {
+	fn from(e: webpki::Error) -> Self {
+		Self::WebPki(e)
+	}
+}
+
+impl From<openssl::error::ErrorStack> for AttestError {
+	fn from(_: openssl::error::ErrorStack) -> Self {
+		Self::OpenSSLError(openssl::error::ErrorStack::get())
+	}
+}
+
+impl From<x509_parser::prelude::PEMError> for AttestError {
+	fn from(e: x509_parser::prelude::PEMError) -> Self {
+		Self::PEMError(e)
+	}
+}
+
+pub mod nitro {
+	use aws_nitro_enclaves_cose::CoseSign1;
+	use aws_nitro_enclaves_nsm_api::api::AttestationDoc;
+	use openssl::{
+		bn::BigNumContext,
+		ec::{EcGroup, EcKey, EcPoint},
+		nid::Nid,
+	};
+	use x509_parser::pem::Pem;
+
+	use super::AttestError;
+
+	/// Signing algorithms we expect the certificates to use. Any other
+	/// algorithms will be considered invalid. NOTE: this list was deduced just
+	/// by trial and error and thus its unclear if it should include more types.
+	static AWS_NITRO_CERT_SIG_ALG: &[&webpki::SignatureAlgorithm] =
+		&[&webpki::ECDSA_P384_SHA384];
+
+	/// Corresponds to `MockNsm` attestation document response. This time is
+	/// valid for the mock and should only be used for testing.
+	pub(crate) const MOCK_SECONDS_SINCE_EPOCH: u64 = 1652756400;
+
+	/// AWS Nitro root CA certificate.
+	/// This should be validated against the below checksum:
+	/// `8cf60e2b2efca96c6a9e71e851d00c1b6991cc09eadbe64a6a1d1b1eb9faff7c`
+	pub(crate) const AWS_ROOT_CERT: &'static [u8] =
+		std::include_bytes!("./aws_root_cert.pem");
+
+	/// Extract a DER encoded certificate from bytes representing a PEM encoded
+	/// certificate.
+	pub(crate) fn cert_from_pem(pem: &[u8]) -> Result<Vec<u8>, AttestError> {
+		let mut pem_iter = Pem::iter_from_buffer(pem);
+		let root_cert = pem_iter.next().ok_or(AttestError::InvalidPem)??;
+		// Ensure there is only one cert in the given PEM
+		pem_iter.next().is_none().then(|| ()).ok_or(AttestError::InvalidPem)?;
+
+		Ok(root_cert.contents)
+	}
+
+	/// Extract the DER encoded `AttestationDoc` from the nsm provided
+	/// attestation document. This function will verify the the root certificate
+	/// authority via the CA bundle and that verify "target" (aka "end entity")
+	/// certificate signed the COSE Sign1 message.
+	///
+	/// # Arguments
+	///
+	/// * `bytes` - the DER encoded COSE Sign1 structure containing the
+	///   attestation document.
+	/// * `root_cert` - the DER encoded root certificate. This should be a
+	///   hardcoded root certificate from amazon and its authenticity should be
+	///   validated out of band.
+	/// * `validation_time` - a moment in time that the certificates should be
+	///   valid. This is measured in seconds since the unix epoch. Most likely
+	///   this will be the current time.
+	/// TODO: convert expects into Errors - this shouldn't panic
+	pub fn attestation_doc_from_der(
+		bytes: Vec<u8>,
+		root_cert: &[u8],
+		validation_time: u64, // seconds since unix epoch
+	) -> Result<AttestationDoc, AttestError> {
+		let cose_sign1 = CoseSign1::from_bytes(&bytes[..]).unwrap();
+		let raw_attestation_doc = cose_sign1.get_payload(None).unwrap();
+		let attestation_doc =
+			AttestationDoc::from_binary(&raw_attestation_doc[..])
+				.expect("Attestation doc could not be decoded.");
+
+		// Syntactical validation
+
+		syntactic_validation::module_id(&attestation_doc.module_id)?;
+		syntactic_validation::digest(attestation_doc.digest)?;
+		syntactic_validation::pcrs(&attestation_doc.pcrs)?;
+		syntactic_validation::cabundle(&attestation_doc.cabundle)?;
+		syntactic_validation::timestamp(attestation_doc.timestamp)?;
+		syntactic_validation::public_key(&attestation_doc.public_key)?;
+		syntactic_validation::user_data(&attestation_doc.user_data)?;
+		syntactic_validation::nonce(&attestation_doc.nonce)?;
+
+		// Semantic validation
+
+		// CA bundle verification, in other words verify certificate chain with
+		// the root certificate
+		{
+			// Bundle starts with root certificate - we want to replace the root
+			// with our hardcoded known certificate, so we remove the root
+			// (first element)
+			let intermediate_certs: Vec<_> = attestation_doc.cabundle[1..]
+				.into_iter()
+				.map(|x| x.as_slice())
+				.collect();
+
+			// The root CA
+			let anchors =
+				vec![webpki::TrustAnchor::try_from_cert_der(root_cert)?];
+			let anchors = webpki::TlsServerTrustAnchors(&anchors);
+
+			let time =
+				webpki::Time::from_seconds_since_unix_epoch(validation_time);
+
+			let cert_raw: &[u8] = attestation_doc.certificate.as_ref();
+			let cert = webpki::EndEntityCert::try_from(cert_raw)?;
+
+			// TODO: double check this is the correct verification
+			cert.verify_is_valid_tls_server_cert(
+				AWS_NITRO_CERT_SIG_ALG,
+				&anchors,
+				&intermediate_certs,
+				time,
+			)
+			.map_err(|_| AttestError::InvalidCertChain)?;
+		}
+
+		// Check that cose sign1 structure is signed with the key in the end
+		// entity certificate.
+		{
+			let (remaining_input, certificate) =
+				x509_parser::parse_x509_certificate(
+					&attestation_doc.certificate,
+				)
+				.expect("Could not parse target certificate");
+
+			// Basic checks
+			assert!(
+				remaining_input.len() == 0,
+				"certificate was not valid DER encoding"
+			);
+			assert!(
+				certificate.tbs_certificate.version()
+					== x509_parser::x509::X509Version::V3,
+				"Wrong certificate version"
+			);
+
+			// Get the public key the cose sign1 object was signed with
+			// https://github.com/briansmith/webpki/issues/85
+			let extracted_key = {
+				let pub_key = certificate
+					.tbs_certificate
+					.subject_pki
+					.subject_public_key
+					.data;
+
+				let group = EcGroup::from_curve_name(Nid::SECP384R1).unwrap();
+				let mut ctx = BigNumContext::new().unwrap();
+				let point =
+					EcPoint::from_bytes(&group, &pub_key, &mut ctx).unwrap();
+				let ec_key = EcKey::from_public_key(&group, &point).unwrap();
+
+				openssl::pkey::PKey::try_from(ec_key).expect(
+					"EC Key could not be converted to open ssl primitive",
+				)
+			};
+
+			// Verify the signature against the extracted public key
+			assert!(
+				cose_sign1
+					.verify_signature(&extracted_key)
+					.expect("Error with cose signature verification."),
+				"Could not verify attestation document with target certificate"
+			);
+		}
+
+		Ok(attestation_doc)
+	}
+
+	mod syntactic_validation {
+		use std::collections::BTreeMap;
+
+		use aws_nitro_enclaves_nsm_api::api::Digest;
+		use serde_bytes::ByteBuf;
+
+		use super::*;
+
+		/// Mandatory field
+		pub(super) fn module_id(id: &String) -> Result<(), AttestError> {
+			if id.len() < 1 {
+				Err(AttestError::InvalidModuleId)
+			} else {
+				Ok(())
+			}
+		}
+		/// Mandatory field
+		pub(super) fn pcrs(
+			pcrs: &BTreeMap<usize, ByteBuf>,
+		) -> Result<(), AttestError> {
+			let is_valid_pcr_count = pcrs.len() > 0 && pcrs.len() <= 32;
+
+			let is_valid_index_and_len = pcrs.iter().all(|(idx, pcr)| {
+				let is_valid_idx = *idx > 0 && *idx <= 32;
+				let is_valid_pcr_len = [32, 48, 64].contains(&pcr.len());
+				!is_valid_idx || !is_valid_pcr_len
+			});
+
+			if !is_valid_index_and_len || !is_valid_pcr_count {
+				Err(AttestError::InvalidPcr)
+			} else {
+				Ok(())
+			}
+		}
+		/// Mandatory field
+		pub(super) fn cabundle(
+			cabundle: &Vec<ByteBuf>,
+		) -> Result<(), AttestError> {
+			let is_valid_len = cabundle.len() > 0;
+			let is_valid_entries =
+				cabundle.iter().all(|cert| cert.len() < 1 || cert.len() > 1024);
+
+			if !is_valid_len || !is_valid_entries {
+				Err(AttestError::InvalidCABundle)
+			} else {
+				Ok(())
+			}
+		}
+		/// Mandatory field
+		pub(super) fn digest(d: Digest) -> Result<(), AttestError> {
+			if d != Digest::SHA384 {
+				Err(AttestError::InvalidDigest)
+			} else {
+				Ok(())
+			}
+		}
+		/// Mandatory field
+		pub(super) fn timestamp(t: u64) -> Result<(), AttestError> {
+			if t == 0 {
+				Err(AttestError::InvalidTimeStamp)
+			} else {
+				Ok(())
+			}
+		}
+		/// Optional field
+		pub(super) fn public_key(
+			pub_key: &Option<ByteBuf>,
+		) -> Result<(), AttestError> {
+			if let Some(key) = pub_key {
+				(key.len() >= 1 && key.len() <= 1024)
+					.then(|| ())
+					.ok_or(AttestError::InvalidPubKey)?
+			}
+
+			Ok(())
+		}
+		/// Optional field
+		pub(super) fn user_data(
+			data: &Option<ByteBuf>,
+		) -> Result<(), AttestError> {
+			bytes_512(data)
+		}
+		/// Optional field
+		pub(super) fn nonce(n: &Option<ByteBuf>) -> Result<(), AttestError> {
+			bytes_512(n)
+		}
+
+		fn bytes_512(val: &Option<ByteBuf>) -> Result<(), AttestError> {
+			if let Some(val) = val {
+				(val.len() <= 512)
+					.then(|| ())
+					.ok_or(AttestError::InvalidBytes)?
+			}
+
+			Ok(())
+		}
+	}
+}
+
+#[cfg(test)]
+mod test {
+	mod nitro {
+		#[test]
+		fn attestation_doc_from_der_time_is_late() {}
+
+		#[test]
+		fn attestation_doc_from_der_time_is_early() {}
+
+		#[test]
+		fn attestation_doc_from_der_corrupt_cabundle() {}
+
+		#[test]
+		fn attestation_doc_from_der_corrupt_target_certificate() {}
+
+		#[test]
+		fn attestation_doc_from_der_bad_sign1_sig() {}
+
+		#[test]
+		fn attestation_doc_from_der_corrupt_root_certificate() {}
+	}
+}
diff --git a/qos-client/src/attestation.rs b/qos-client/src/attestation.rs
deleted file mode 100644
index 0b7a00ec..00000000
--- a/qos-client/src/attestation.rs
+++ /dev/null
@@ -1,216 +0,0 @@
-//! Attestation verification logic
-
-#[derive(Debug)]
-pub enum AttestationError {}
-
-pub mod nitro {
-	use aws_nitro_enclaves_cose::CoseSign1;
-	use aws_nitro_enclaves_nsm_api::api::AttestationDoc;
-	use openssl::{
-		bn::BigNumContext,
-		ec::{EcGroup, EcKey, EcPoint},
-		nid::Nid,
-	};
-	use x509_parser::pem::Pem;
-
-	use super::AttestationError;
-
-	// TODO: find out the exact algo we need and just use that
-	static ALL_SIGALGS: &[&webpki::SignatureAlgorithm] = &[
-		// &webpki::ECDSA_P256_SHA256,
-		// &webpki::ECDSA_P256_SHA384,
-		// &webpki::ECDSA_P384_SHA256,
-		&webpki::ECDSA_P384_SHA384,
-		// &webpki::ED25519,
-		// #[cfg(feature = "alloc")]
-		// &webpki::RSA_PKCS1_2048_8192_SHA256,
-		// #[cfg(feature = "alloc")]
-		// &webpki::RSA_PKCS1_2048_8192_SHA384,
-		// #[cfg(feature = "alloc")]
-		// &webpki::RSA_PKCS1_2048_8192_SHA512,
-		// #[cfg(feature = "alloc")]
-		// &webpki::RSA_PKCS1_3072_8192_SHA384,
-	];
-
-	// Corresponds to `MockNsm` attestation document response
-	pub(crate) const MOCK_SECONDS_SINCE_EPOCH: u64 = 1652756400;
-
-	// aws root cert checksum:
-	// 8cf60e2b2efca96c6a9e71e851d00c1b6991cc09eadbe64a6a1d1b1eb9faff7c
-	pub(crate) const AWS_ROOT_CERT: &'static [u8] =
-		std::include_bytes!("./aws_root_cert.pem");
-
-	pub(crate) fn root_cert_from_pem(pem: &[u8]) -> Vec<u8> {
-		let mut pem_iter = Pem::iter_from_buffer(pem);
-		let root_cert = pem_iter
-			.next()
-			.expect("Hardcoded aws root cert should be valid PEM")
-			.expect("Hardcoded aws root cert should be valid PEM");
-		assert!(
-			pem_iter.next().is_none(),
-			"More then 1 cert detected in hardcoded aws root"
-		);
-
-		root_cert.contents
-	}
-
-	/// Extract the DER encoded `AttestationDoc` from the nsm provided
-	/// attestation document. This function will verify the the root certificate
-	/// authority via the CA bundle and that verify "target" (aka "end entity")
-	/// certificate signed the COSE Sign1 message.
-	pub fn attestation_doc_from_der(
-		bytes: Vec<u8>,
-		root_cert: &[u8],
-		validation_time: u64, // seconds since unix epoch
-	) -> Result<AttestationDoc, AttestationError> {
-		let cose_sign1 = CoseSign1::from_bytes(&bytes[..]).unwrap();
-		let raw_attestation_doc = cose_sign1.get_payload(None).unwrap();
-		let attestation_doc =
-			AttestationDoc::from_binary(&raw_attestation_doc[..])
-				.expect("Attestation doc could not be decoded.");
-
-		// TODO: [now] basic syntactical validation as per nsm api docs
-
-		// CA bundle verification aka verify certificate chain with the root certificate
-		{
-			// Bundle starts with root certificate - we want to replace the root
-			// with our hardcoded known certificate, so we remove the root
-			// (first element)
-			let intermediate_certs: Vec<_> = attestation_doc.cabundle[1..]
-				.into_iter()
-				.map(|x| x.as_slice())
-				.collect();
-
-			let anchor = webpki::TrustAnchor::try_from_cert_der(root_cert)
-				.expect("Could not decode DER cabundle root");
-			let anchors = vec![anchor];
-			let anchors = webpki::TlsServerTrustAnchors(&anchors);
-
-			// let second_since_epoch = std::time::SystemTime::now()
-			// 	.duration_since(std::time::SystemTime::UNIX_EPOCH)
-			// 	.unwrap().as_secs()
-
-			let time =
-				webpki::Time::from_seconds_since_unix_epoch(validation_time);
-
-			let ee_raw: &[u8] = attestation_doc.certificate.as_ref();
-			let cert = webpki::EndEntityCert::try_from(ee_raw)
-				.expect("Could not decode target cert");
-
-			cert.verify_is_valid_tls_server_cert(
-				ALL_SIGALGS,
-				&anchors,
-				&intermediate_certs,
-				time,
-			)
-			.expect("Invalid CA bundle");
-		}
-
-		{
-			let (remaining_input, certificate) =
-				x509_parser::parse_x509_certificate(
-					&attestation_doc.certificate,
-				)
-				.expect("Could not parse target certificate");
-
-			// Basic checks
-			assert!(
-				remaining_input.len() == 0,
-				"certificate was not valid DER encoding"
-			);
-			assert!(
-				certificate.tbs_certificate.version()
-					== x509_parser::x509::X509Version::V3,
-				"Wrong certificate version"
-			);
-
-			// Get the public key the cose sign1 object was signed with
-			// https://github.com/briansmith/webpki/issues/85
-			let extracted_key = {
-				let pub_key = certificate
-					.tbs_certificate
-					.subject_pki
-					.subject_public_key
-					.data;
-
-				let group = EcGroup::from_curve_name(Nid::SECP384R1).unwrap();
-				let mut ctx = BigNumContext::new().unwrap();
-				let point =
-					EcPoint::from_bytes(&group, &pub_key, &mut ctx).unwrap();
-				let ec_key = EcKey::from_public_key(&group, &point).unwrap();
-
-				openssl::pkey::PKey::try_from(ec_key).expect(
-					"EC Key could not be converted to open ssl primitive",
-				)
-			};
-
-			// Verify the signature against the extracted public key
-			assert!(
-				cose_sign1
-					.verify_signature(&extracted_key)
-					.expect("Error with cose signature verification."),
-				"Could not verify attestation document with target certificate"
-			);
-		}
-
-		Ok(attestation_doc)
-	}
-
-	mod syntactic_validation {
-		/// Mandatory field
-		fn module_id() {
-			todo!()
-		}
-		/// Mandatory field
-		fn pcrs() {
-			todo!()
-		}
-		/// Mandatory field
-		fn cabundle() {
-			todo!()
-		}
-		/// Mandatory field
-		fn digest() {
-			todo!()
-		}
-		/// Mandatory field
-		fn timestamp() {
-			todo!()
-		}
-		/// Optional field
-		fn public_key() {
-			todo!()
-		}
-		/// Optional field
-		fn user_data() {
-			todo!()
-		}
-		/// Optional field
-		fn nonce() {
-			todo!()
-		}
-	}
-}
-
-#[cfg(test)]
-mod test {
-	mod nitro {
-		#[test]
-		fn attestation_doc_from_der_time_is_late() {}
-
-		#[test]
-		fn attestation_doc_from_der_time_is_early() {}
-
-		#[test]
-		fn attestation_doc_from_der_corrupt_cabundle() {}
-
-		#[test]
-		fn attestation_doc_from_der_corrupt_target_certificate() {}
-
-		#[test]
-		fn attestation_doc_from_der_bad_sign1_sig() {}
-
-		#[test]
-		fn attestation_doc_from_der_corrupt_root_certificate() {}
-	}
-}
diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index bc1a5485..b6a8b97d 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -113,7 +113,7 @@ mod handlers {
 	use qos_core::protocol::{NsmRequest, NsmResponse};
 
 	use super::*;
-	use crate::{attestation, request};
+	use crate::{attest, request};
 
 	pub(super) fn health(options: ClientOptions) {
 		let path = &options.host.path("health");
@@ -160,9 +160,9 @@ mod handlers {
 
 		match response {
 			ProtocolMsg::NsmResponse(NsmResponse::Attestation { document }) => {
-				use attestation::nitro::{
-					attestation_doc_from_der, root_cert_from_pem,
-					AWS_ROOT_CERT, MOCK_SECONDS_SINCE_EPOCH,
+				use attest::nitro::{
+					attestation_doc_from_der, cert_from_pem, AWS_ROOT_CERT,
+					MOCK_SECONDS_SINCE_EPOCH,
 				};
 				////
 				// Truths:
@@ -184,7 +184,8 @@ mod handlers {
 				//     correct?
 				// TODO: semantic verification from: https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/docs/attestation_process.md
 
-				let root_cert = root_cert_from_pem(AWS_ROOT_CERT);
+				let root_cert =
+					cert_from_pem(AWS_ROOT_CERT).expect("Invalid root cert");
 				match attestation_doc_from_der(
 					document,
 					&root_cert[..],
diff --git a/qos-client/src/lib.rs b/qos-client/src/lib.rs
index 91149e29..ce985978 100644
--- a/qos-client/src/lib.rs
+++ b/qos-client/src/lib.rs
@@ -1,4 +1,4 @@
-pub(crate) mod attestation;
+pub(crate) mod attest;
 pub mod cli;
 
 pub mod request {

From e8ed1a864bec6f1a6e82a4d77bf55541e4caf293 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 12:43:11 -0700
Subject: [PATCH 19/44] Remove all panics from attest logic

---
 qos-client/src/attest.rs | 86 +++++++++++++++++++++++++---------------
 1 file changed, 53 insertions(+), 33 deletions(-)

diff --git a/qos-client/src/attest.rs b/qos-client/src/attest.rs
index ad35363c..ebe82a44 100644
--- a/qos-client/src/attest.rs
+++ b/qos-client/src/attest.rs
@@ -2,11 +2,17 @@
 
 #[derive(Debug)]
 pub enum AttestError {
-	InvalidCertChain,
 	WebPki(webpki::Error),
 	OpenSSLError(openssl::error::ErrorStack),
-	InvalidPem,
 	PEMError(x509_parser::prelude::PEMError),
+	X509(x509_parser::nom::Err<x509_parser::prelude::X509Error>),
+	Nsm(aws_nitro_enclaves_nsm_api::api::Error),
+	CertKeyExtractionFailure,
+	InvalidEndEntityCert,
+	InvalidCOSESign1Signature,
+	InvalidCOSESign1Structure,
+	InvalidCertChain,
+	InvalidPem,
 	InvalidDigest,
 	InvalidModuleId,
 	InvalidPcr,
@@ -34,6 +40,20 @@ impl From<x509_parser::prelude::PEMError> for AttestError {
 	}
 }
 
+impl From<x509_parser::nom::Err<x509_parser::prelude::X509Error>>
+	for AttestError
+{
+	fn from(e: x509_parser::nom::Err<x509_parser::prelude::X509Error>) -> Self {
+		Self::X509(e)
+	}
+}
+
+impl From<aws_nitro_enclaves_nsm_api::api::Error> for AttestError {
+	fn from(e: aws_nitro_enclaves_nsm_api::api::Error) -> Self {
+		Self::Nsm(e)
+	}
+}
+
 pub mod nitro {
 	use aws_nitro_enclaves_cose::CoseSign1;
 	use aws_nitro_enclaves_nsm_api::api::AttestationDoc;
@@ -88,17 +108,18 @@ pub mod nitro {
 	/// * `validation_time` - a moment in time that the certificates should be
 	///   valid. This is measured in seconds since the unix epoch. Most likely
 	///   this will be the current time.
-	/// TODO: convert expects into Errors - this shouldn't panic
 	pub fn attestation_doc_from_der(
 		bytes: Vec<u8>,
 		root_cert: &[u8],
 		validation_time: u64, // seconds since unix epoch
 	) -> Result<AttestationDoc, AttestError> {
-		let cose_sign1 = CoseSign1::from_bytes(&bytes[..]).unwrap();
-		let raw_attestation_doc = cose_sign1.get_payload(None).unwrap();
+		let cose_sign1 = CoseSign1::from_bytes(&bytes[..])
+			.map_err(|_| AttestError::InvalidCOSESign1Structure)?;
+		let raw_attestation_doc = cose_sign1
+			.get_payload(None)
+			.map_err(|_| AttestError::InvalidCOSESign1Structure)?;
 		let attestation_doc =
-			AttestationDoc::from_binary(&raw_attestation_doc[..])
-				.expect("Attestation doc could not be decoded.");
+			AttestationDoc::from_binary(&raw_attestation_doc[..])?;
 
 		// Syntactical validation
 
@@ -151,19 +172,15 @@ pub mod nitro {
 			let (remaining_input, certificate) =
 				x509_parser::parse_x509_certificate(
 					&attestation_doc.certificate,
-				)
-				.expect("Could not parse target certificate");
+				)?;
 
 			// Basic checks
-			assert!(
-				remaining_input.len() == 0,
-				"certificate was not valid DER encoding"
-			);
-			assert!(
-				certificate.tbs_certificate.version()
-					== x509_parser::x509::X509Version::V3,
-				"Wrong certificate version"
-			);
+			if remaining_input.len() != 0
+				|| certificate.tbs_certificate.version()
+					!= x509_parser::x509::X509Version::V3
+			{
+				return Err(AttestError::InvalidEndEntityCert);
+			}
 
 			// Get the public key the cose sign1 object was signed with
 			// https://github.com/briansmith/webpki/issues/85
@@ -174,24 +191,27 @@ pub mod nitro {
 					.subject_public_key
 					.data;
 
-				let group = EcGroup::from_curve_name(Nid::SECP384R1).unwrap();
-				let mut ctx = BigNumContext::new().unwrap();
-				let point =
-					EcPoint::from_bytes(&group, &pub_key, &mut ctx).unwrap();
-				let ec_key = EcKey::from_public_key(&group, &point).unwrap();
-
-				openssl::pkey::PKey::try_from(ec_key).expect(
-					"EC Key could not be converted to open ssl primitive",
-				)
+				let group = EcGroup::from_curve_name(Nid::SECP384R1)
+					.map_err(|_| AttestError::CertKeyExtractionFailure)?;
+				let mut ctx = BigNumContext::new()
+					.map_err(|_| AttestError::CertKeyExtractionFailure)?;
+				let point = EcPoint::from_bytes(&group, &pub_key, &mut ctx)
+					.map_err(|_| AttestError::CertKeyExtractionFailure)?;
+				let ec_key = EcKey::from_public_key(&group, &point)
+					.map_err(|_| AttestError::CertKeyExtractionFailure)?;
+
+				openssl::pkey::PKey::try_from(ec_key)
+					.map_err(|_| AttestError::CertKeyExtractionFailure)?
 			};
 
 			// Verify the signature against the extracted public key
-			assert!(
-				cose_sign1
-					.verify_signature(&extracted_key)
-					.expect("Error with cose signature verification."),
-				"Could not verify attestation document with target certificate"
-			);
+
+			if !cose_sign1
+				.verify_signature(&extracted_key)
+				.map_err(|_| AttestError::InvalidCOSESign1Signature)?
+			{
+				return Err(AttestError::InvalidCOSESign1Signature);
+			}
 		}
 
 		Ok(attestation_doc)

From f295fe764d7020efdae4c51ecfa717f4b4c741dc Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 13:55:09 -0700
Subject: [PATCH 20/44] Add tests for corrupt CA bundle

---
 qos-client/src/attest.rs          | 194 ++++++++++++++++++++++++++----
 qos-client/src/cli.rs             |   2 +-
 qos-core/src/protocol/attestor.rs |   3 +-
 qos-core/src/protocol/mod.rs      |   2 +-
 4 files changed, 176 insertions(+), 25 deletions(-)

diff --git a/qos-client/src/attest.rs b/qos-client/src/attest.rs
index ebe82a44..036cfbf7 100644
--- a/qos-client/src/attest.rs
+++ b/qos-client/src/attest.rs
@@ -3,6 +3,7 @@
 #[derive(Debug)]
 pub enum AttestError {
 	WebPki(webpki::Error),
+	InvalidCertChain(webpki::Error),
 	OpenSSLError(openssl::error::ErrorStack),
 	PEMError(x509_parser::prelude::PEMError),
 	X509(x509_parser::nom::Err<x509_parser::prelude::X509Error>),
@@ -11,7 +12,6 @@ pub enum AttestError {
 	InvalidEndEntityCert,
 	InvalidCOSESign1Signature,
 	InvalidCOSESign1Structure,
-	InvalidCertChain,
 	InvalidPem,
 	InvalidDigest,
 	InvalidModuleId,
@@ -109,17 +109,19 @@ pub mod nitro {
 	///   valid. This is measured in seconds since the unix epoch. Most likely
 	///   this will be the current time.
 	pub fn attestation_doc_from_der(
-		bytes: Vec<u8>,
+		bytes: &[u8],
 		root_cert: &[u8],
 		validation_time: u64, // seconds since unix epoch
 	) -> Result<AttestationDoc, AttestError> {
 		let cose_sign1 = CoseSign1::from_bytes(&bytes[..])
 			.map_err(|_| AttestError::InvalidCOSESign1Structure)?;
-		let raw_attestation_doc = cose_sign1
-			.get_payload(None)
-			.map_err(|_| AttestError::InvalidCOSESign1Structure)?;
-		let attestation_doc =
-			AttestationDoc::from_binary(&raw_attestation_doc[..])?;
+		let attestation_doc = {
+			let raw_attestation_doc = cose_sign1
+				.get_payload(None)
+				.map_err(|_| AttestError::InvalidCOSESign1Structure)?;
+
+			AttestationDoc::from_binary(&raw_attestation_doc[..])?
+		};
 
 		// Syntactical validation
 
@@ -139,7 +141,8 @@ pub mod nitro {
 		{
 			// Bundle starts with root certificate - we want to replace the root
 			// with our hardcoded known certificate, so we remove the root
-			// (first element)
+			// (first element). Ordering is: root cert .. intermediate certs ..
+			// end entity cert.
 			let intermediate_certs: Vec<_> = attestation_doc.cabundle[1..]
 				.into_iter()
 				.map(|x| x.as_slice())
@@ -163,7 +166,7 @@ pub mod nitro {
 				&intermediate_certs,
 				time,
 			)
-			.map_err(|_| AttestError::InvalidCertChain)?;
+			.map_err(|e| AttestError::InvalidCertChain(e))?;
 		}
 
 		// Check that cose sign1 structure is signed with the key in the end
@@ -179,7 +182,7 @@ pub mod nitro {
 				|| certificate.tbs_certificate.version()
 					!= x509_parser::x509::X509Version::V3
 			{
-				return Err(AttestError::InvalidEndEntityCert);
+				return Err(AttestError::InvalidEndEntityCert)
 			}
 
 			// Get the public key the cose sign1 object was signed with
@@ -210,7 +213,7 @@ pub mod nitro {
 				.verify_signature(&extracted_key)
 				.map_err(|_| AttestError::InvalidCOSESign1Signature)?
 			{
-				return Err(AttestError::InvalidCOSESign1Signature);
+				return Err(AttestError::InvalidCOSESign1Signature)
 			}
 		}
 
@@ -240,9 +243,9 @@ pub mod nitro {
 			let is_valid_pcr_count = pcrs.len() > 0 && pcrs.len() <= 32;
 
 			let is_valid_index_and_len = pcrs.iter().all(|(idx, pcr)| {
-				let is_valid_idx = *idx > 0 && *idx <= 32;
+				let is_valid_idx = *idx <= 32;
 				let is_valid_pcr_len = [32, 48, 64].contains(&pcr.len());
-				!is_valid_idx || !is_valid_pcr_len
+				is_valid_idx && is_valid_pcr_len
 			});
 
 			if !is_valid_index_and_len || !is_valid_pcr_count {
@@ -256,8 +259,9 @@ pub mod nitro {
 			cabundle: &Vec<ByteBuf>,
 		) -> Result<(), AttestError> {
 			let is_valid_len = cabundle.len() > 0;
-			let is_valid_entries =
-				cabundle.iter().all(|cert| cert.len() < 1 || cert.len() > 1024);
+			let is_valid_entries = cabundle
+				.iter()
+				.all(|cert| cert.len() >= 1 || cert.len() <= 1024);
 
 			if !is_valid_len || !is_valid_entries {
 				Err(AttestError::InvalidCABundle)
@@ -314,19 +318,165 @@ pub mod nitro {
 			Ok(())
 		}
 	}
-}
 
-#[cfg(test)]
-mod test {
-	mod nitro {
+	#[cfg(test)]
+	mod test {
+		use aws_nitro_enclaves_cose::header_map::HeaderMap;
+		use openssl::pkey::{PKey, Private, Public};
+		use qos_core::protocol::MOCK_NSM_ATTESTATION_DOCUMENT;
+
+		use super::{AttestError, *};
+
+		/// Taken from aws-nitro-enclaves-cose-0.4.0
+		/// Randomly generate SECP521R1/P-512 key to use for validating signing
+		/// internally
+		fn generate_ec512_test_key() -> (PKey<Private>, PKey<Public>) {
+			let alg = openssl::ec::EcGroup::from_curve_name(
+				openssl::nid::Nid::SECP521R1,
+			)
+			.unwrap();
+			let ec_private = openssl::ec::EcKey::generate(&alg).unwrap();
+			let ec_public = openssl::ec::EcKey::from_public_key(
+				&alg,
+				ec_private.public_key(),
+			)
+			.unwrap();
+			(
+				PKey::from_ec_key(ec_private).unwrap(),
+				PKey::from_ec_key(ec_public).unwrap(),
+			)
+		}
+
 		#[test]
-		fn attestation_doc_from_der_time_is_late() {}
+		fn attestation_doc_from_der_time_is_late() {
+			let day_after = MOCK_SECONDS_SINCE_EPOCH + 86400;
+			let root_cert = cert_from_pem(AWS_ROOT_CERT).unwrap();
+			let err_result = attestation_doc_from_der(
+				MOCK_NSM_ATTESTATION_DOCUMENT,
+				&root_cert[..],
+				day_after,
+			);
+
+			match err_result {
+				Err(AttestError::InvalidCertChain(
+					webpki::Error::CertExpired,
+				)) => {}
+				_ => panic!("{:?}", err_result),
+			};
+		}
 
 		#[test]
-		fn attestation_doc_from_der_time_is_early() {}
+		fn attestation_doc_from_der_time_is_early() {
+			let day_before = MOCK_SECONDS_SINCE_EPOCH - 86400;
+			let root_cert = cert_from_pem(AWS_ROOT_CERT).unwrap();
+			let err_result = attestation_doc_from_der(
+				MOCK_NSM_ATTESTATION_DOCUMENT,
+				&root_cert[..],
+				day_before,
+			);
+
+			match err_result {
+				Err(AttestError::InvalidCertChain(
+					webpki::Error::CertNotValidYet,
+				)) => {}
+				_ => panic!("{:?}", err_result),
+			};
+		}
 
 		#[test]
-		fn attestation_doc_from_der_corrupt_cabundle() {}
+		fn attestation_doc_from_der_corrupt_cabundle() {
+			let (private, _) = generate_ec512_test_key();
+			let root_cert = cert_from_pem(AWS_ROOT_CERT).unwrap();
+			let attestation_doc = attestation_doc_from_der(
+				MOCK_NSM_ATTESTATION_DOCUMENT,
+				&root_cert[..],
+				MOCK_SECONDS_SINCE_EPOCH,
+			)
+			.unwrap();
+
+			{
+				let mut corrupt = attestation_doc.clone();
+				// Remove the end entity cert
+				corrupt.cabundle.pop();
+
+				let corrupt_cose_sign1 = CoseSign1::new(
+					&corrupt.to_binary(),
+					&HeaderMap::new(),
+					&private,
+				)
+				.unwrap();
+
+				let corrupt_document1 =
+					corrupt_cose_sign1.as_bytes(true).unwrap();
+				let err_result = attestation_doc_from_der(
+					&corrupt_document1,
+					&root_cert[..],
+					MOCK_SECONDS_SINCE_EPOCH,
+				);
+
+				match err_result {
+					Err(AttestError::InvalidCertChain(
+						webpki::Error::UnknownIssuer,
+					)) => {}
+					_ => panic!("{:?}", err_result),
+				};
+			}
+
+			{
+				let mut corrupt = attestation_doc.clone();
+				// Remove the root certificate, causing the verification flow to
+				// think the 2nd intermediate cert is the 1st
+				corrupt.cabundle.remove(0);
+
+				let corrupt_cose_sign1 = CoseSign1::new(
+					&corrupt.to_binary(),
+					&HeaderMap::new(),
+					&private,
+				)
+				.unwrap();
+
+				let corrupt_document1 =
+					corrupt_cose_sign1.as_bytes(true).unwrap();
+				let err_result = attestation_doc_from_der(
+					&corrupt_document1,
+					&root_cert[..],
+					MOCK_SECONDS_SINCE_EPOCH,
+				);
+
+				match err_result {
+					Err(AttestError::InvalidCertChain(
+						webpki::Error::UnknownIssuer,
+					)) => {}
+					_ => panic!("{:?}", err_result),
+				};
+			}
+
+			{
+				let valid = attestation_doc.clone();
+				// Don't pop anything, just want to sanity check that we get a
+				// corrupt signature on the cose sign1 structure.
+
+				let corrupt_cose_sign1 = CoseSign1::new(
+					&valid.to_binary(),
+					&HeaderMap::new(),
+					&private,
+				)
+				.unwrap();
+
+				let corrupt_document1 =
+					corrupt_cose_sign1.as_bytes(true).unwrap();
+				let err_result = attestation_doc_from_der(
+					&corrupt_document1,
+					&root_cert[..],
+					MOCK_SECONDS_SINCE_EPOCH,
+				);
+
+				match err_result {
+					Err(AttestError::InvalidCOSESign1Signature) => {}
+					_ => panic!("{:?}", err_result),
+				};
+			}
+		}
 
 		#[test]
 		fn attestation_doc_from_der_corrupt_target_certificate() {}
diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index b6a8b97d..887c8776 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -187,7 +187,7 @@ mod handlers {
 				let root_cert =
 					cert_from_pem(AWS_ROOT_CERT).expect("Invalid root cert");
 				match attestation_doc_from_der(
-					document,
+					&document,
 					&root_cert[..],
 					MOCK_SECONDS_SINCE_EPOCH,
 				) {
diff --git a/qos-core/src/protocol/attestor.rs b/qos-core/src/protocol/attestor.rs
index 06360047..ad5b5fe4 100644
--- a/qos-core/src/protocol/attestor.rs
+++ b/qos-core/src/protocol/attestor.rs
@@ -83,7 +83,8 @@ impl NsmProvider for MockNsm {
 	}
 }
 
-const MOCK_NSM_ATTESTATION_DOCUMENT: &[u8] = &[
+/// DO NOT USE IN PRODUCTION - only for tests.
+pub const MOCK_NSM_ATTESTATION_DOCUMENT: &[u8] = &[
 	132, 68, 161, 1, 56, 34, 160, 89, 19, 220, 169, 105, 109, 111, 100, 117,
 	108, 101, 95, 105, 100, 120, 39, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100,
 	50, 99, 55, 102, 56, 56, 50, 101, 56, 45, 101, 110, 99, 48, 49, 56, 48, 99,
diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index 2d6b7935..45502563 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -5,7 +5,7 @@ mod msg;
 mod nitro_types;
 mod provisioner;
 
-pub use attestor::{MockNsm, Nsm, NsmProvider};
+pub use attestor::{MockNsm, Nsm, NsmProvider, MOCK_NSM_ATTESTATION_DOCUMENT};
 pub use msg::*;
 pub use nitro_types::*;
 use openssl::rsa::Rsa;

From cf703c7f24eda26d0716963ee0979c162355d1d9 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 14:28:10 -0700
Subject: [PATCH 21/44] Remove x509 parser dep

---
 Cargo.lock               | 212 ---------------------------------------
 qos-client/Cargo.toml    |   1 -
 qos-client/src/attest.rs | 109 ++++++++------------
 qos-client/src/cli.rs    |   4 +-
 4 files changed, 44 insertions(+), 282 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 73978eba..a66a7a43 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -11,45 +11,6 @@ dependencies = [
  "memchr",
 ]
 
-[[package]]
-name = "asn1-rs"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30ff05a702273012438132f449575dbc804e27b2f3cbe3069aa237d26c98fa33"
-dependencies = [
- "asn1-rs-derive",
- "asn1-rs-impl",
- "displaydoc",
- "nom",
- "num-traits",
- "rusticata-macros",
- "thiserror",
- "time",
-]
-
-[[package]]
-name = "asn1-rs-derive"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db8b7511298d5b7784b40b092d9e9dcd3a627a5707e4b5e507931ab0d44eeebf"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
- "synstructure",
-]
-
-[[package]]
-name = "asn1-rs-impl"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2777730b2039ac0f95f093556e61b6d26cebed5393ca6f152717777cec3a42ed"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "async-trait"
 version = "0.1.53"
@@ -180,37 +141,6 @@ version = "1.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fff857943da45f546682664a79488be82e69e43c1a7a2307679ab9afb3a66d2e"
 
-[[package]]
-name = "data-encoding"
-version = "2.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3ee2393c4a91429dffb4bedf19f4d6abf27d8a732c8ce4980305d782e5426d57"
-
-[[package]]
-name = "der-parser"
-version = "7.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fe398ac75057914d7d07307bf67dc7f3f574a26783b4fc7805a20ffa9f506e82"
-dependencies = [
- "asn1-rs",
- "displaydoc",
- "nom",
- "num-bigint",
- "num-traits",
- "rusticata-macros",
-]
-
-[[package]]
-name = "displaydoc"
-version = "0.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3bf95dc3f046b9da4f2d51833c0d3547d8564ef6910f5c1ed130306a75b92886"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
 [[package]]
 name = "fnv"
 version = "1.0.7"
@@ -450,12 +380,6 @@ version = "0.3.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2a60c7ce501c71e03a9c9c0d35b861413ae925bd979cc7a4e30d060069aaac8d"
 
-[[package]]
-name = "minimal-lexical"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
-
 [[package]]
 name = "mio"
 version = "0.8.3"
@@ -492,46 +416,6 @@ dependencies = [
  "memoffset",
 ]
 
-[[package]]
-name = "nom"
-version = "7.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a8903e5a29a317527874d0402f867152a3d21c908bb0b933e416c65e301d4c36"
-dependencies = [
- "memchr",
- "minimal-lexical",
-]
-
-[[package]]
-name = "num-bigint"
-version = "0.4.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f93ab6289c7b344a8a9f60f88d80aa20032336fe78da341afc91c8a2341fc75f"
-dependencies = [
- "autocfg",
- "num-integer",
- "num-traits",
-]
-
-[[package]]
-name = "num-integer"
-version = "0.1.45"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "225d3389fb3509a24c93f5c29eb6bde2586b98d9f016636dff58d7c6f7569cd9"
-dependencies = [
- "autocfg",
- "num-traits",
-]
-
-[[package]]
-name = "num-traits"
-version = "0.2.15"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "578ede34cf02f8924ab9447f50c28075b4d3e5b269972345e7e0372b38c6cdcd"
-dependencies = [
- "autocfg",
-]
-
 [[package]]
 name = "num_cpus"
 version = "1.13.1"
@@ -542,24 +426,6 @@ dependencies = [
  "libc",
 ]
 
-[[package]]
-name = "num_threads"
-version = "0.1.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2819ce041d2ee131036f4fc9d6ae7ae125a3a40e97ba64d04fe799ad9dabbb44"
-dependencies = [
- "libc",
-]
-
-[[package]]
-name = "oid-registry"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38e20717fa0541f39bd146692035c37bedfa532b3e5071b35761082407546b2a"
-dependencies = [
- "asn1-rs",
-]
-
 [[package]]
 name = "once_cell"
 version = "1.10.0"
@@ -677,7 +543,6 @@ dependencies = [
  "serde_cbor",
  "ureq",
  "webpki",
- "x509-parser",
 ]
 
 [[package]]
@@ -795,15 +660,6 @@ dependencies = [
  "winapi",
 ]
 
-[[package]]
-name = "rusticata-macros"
-version = "4.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "faf0c4a6ece9950b9abdb62b1cfcf2a68b3b67a10ba445b3bb85be2a293d0632"
-dependencies = [
- "nom",
-]
-
 [[package]]
 name = "rustversion"
 version = "1.0.6"
@@ -903,56 +759,6 @@ version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "20518fe4a4c9acf048008599e464deb21beeae3d3578418951a189c235a7a9a8"
 
-[[package]]
-name = "synstructure"
-version = "0.12.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
- "unicode-xid",
-]
-
-[[package]]
-name = "thiserror"
-version = "1.0.31"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bd829fe32373d27f76265620b5309d0340cb8550f523c1dda251d6298069069a"
-dependencies = [
- "thiserror-impl",
-]
-
-[[package]]
-name = "thiserror-impl"
-version = "1.0.31"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0396bc89e626244658bef819e22d0cc459e795a5ebe878e6ec336d1674a8d79a"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
-[[package]]
-name = "time"
-version = "0.3.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2702e08a7a860f005826c6815dcac101b19b5eb330c27fe4a5928fec1d20ddd"
-dependencies = [
- "itoa",
- "libc",
- "num_threads",
- "time-macros",
-]
-
-[[package]]
-name = "time-macros"
-version = "0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "42657b1a6f4d817cda8e7a0ace261fe0cc946cf3a80314390b22cc61ae080792"
-
 [[package]]
 name = "tinyvec"
 version = "1.6.0"
@@ -1301,21 +1107,3 @@ name = "windows_x86_64_msvc"
 version = "0.36.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c811ca4a8c853ef420abd8592ba53ddbbac90410fab6903b3e79972a631f7680"
-
-[[package]]
-name = "x509-parser"
-version = "0.13.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9fb9bace5b5589ffead1afb76e43e34cff39cd0f3ce7e170ae0c29e53b88eb1c"
-dependencies = [
- "asn1-rs",
- "base64",
- "data-encoding",
- "der-parser",
- "lazy_static",
- "nom",
- "oid-registry",
- "rusticata-macros",
- "thiserror",
- "time",
-]
diff --git a/qos-client/Cargo.toml b/qos-client/Cargo.toml
index 91770de2..e04cf515 100644
--- a/qos-client/Cargo.toml
+++ b/qos-client/Cargo.toml
@@ -16,5 +16,4 @@ aws-nitro-enclaves-nsm-api = { version = "0.2.1", default-features = false }
 # For handling Attestation Doc
 aws-nitro-enclaves-cose = "0.4.0"
 webpki = "0.22.0"
-x509-parser = "0.13"
 serde_bytes = "0.11"
diff --git a/qos-client/src/attest.rs b/qos-client/src/attest.rs
index 036cfbf7..61bde498 100644
--- a/qos-client/src/attest.rs
+++ b/qos-client/src/attest.rs
@@ -5,14 +5,11 @@ pub enum AttestError {
 	WebPki(webpki::Error),
 	InvalidCertChain(webpki::Error),
 	OpenSSLError(openssl::error::ErrorStack),
-	PEMError(x509_parser::prelude::PEMError),
-	X509(x509_parser::nom::Err<x509_parser::prelude::X509Error>),
+
 	Nsm(aws_nitro_enclaves_nsm_api::api::Error),
-	CertKeyExtractionFailure,
 	InvalidEndEntityCert,
 	InvalidCOSESign1Signature,
 	InvalidCOSESign1Structure,
-	InvalidPem,
 	InvalidDigest,
 	InvalidModuleId,
 	InvalidPcr,
@@ -34,20 +31,6 @@ impl From<openssl::error::ErrorStack> for AttestError {
 	}
 }
 
-impl From<x509_parser::prelude::PEMError> for AttestError {
-	fn from(e: x509_parser::prelude::PEMError) -> Self {
-		Self::PEMError(e)
-	}
-}
-
-impl From<x509_parser::nom::Err<x509_parser::prelude::X509Error>>
-	for AttestError
-{
-	fn from(e: x509_parser::nom::Err<x509_parser::prelude::X509Error>) -> Self {
-		Self::X509(e)
-	}
-}
-
 impl From<aws_nitro_enclaves_nsm_api::api::Error> for AttestError {
 	fn from(e: aws_nitro_enclaves_nsm_api::api::Error) -> Self {
 		Self::Nsm(e)
@@ -57,12 +40,6 @@ impl From<aws_nitro_enclaves_nsm_api::api::Error> for AttestError {
 pub mod nitro {
 	use aws_nitro_enclaves_cose::CoseSign1;
 	use aws_nitro_enclaves_nsm_api::api::AttestationDoc;
-	use openssl::{
-		bn::BigNumContext,
-		ec::{EcGroup, EcKey, EcPoint},
-		nid::Nid,
-	};
-	use x509_parser::pem::Pem;
 
 	use super::AttestError;
 
@@ -85,12 +62,7 @@ pub mod nitro {
 	/// Extract a DER encoded certificate from bytes representing a PEM encoded
 	/// certificate.
 	pub(crate) fn cert_from_pem(pem: &[u8]) -> Result<Vec<u8>, AttestError> {
-		let mut pem_iter = Pem::iter_from_buffer(pem);
-		let root_cert = pem_iter.next().ok_or(AttestError::InvalidPem)??;
-		// Ensure there is only one cert in the given PEM
-		pem_iter.next().is_none().then(|| ()).ok_or(AttestError::InvalidPem)?;
-
-		Ok(root_cert.contents)
+		Ok(openssl::x509::X509::from_pem(pem)?.to_der()?)
 	}
 
 	/// Extract the DER encoded `AttestationDoc` from the nsm provided
@@ -172,48 +144,22 @@ pub mod nitro {
 		// Check that cose sign1 structure is signed with the key in the end
 		// entity certificate.
 		{
-			let (remaining_input, certificate) =
-				x509_parser::parse_x509_certificate(
-					&attestation_doc.certificate,
-				)?;
-
-			// Basic checks
-			if remaining_input.len() != 0
-				|| certificate.tbs_certificate.version()
-					!= x509_parser::x509::X509Version::V3
-			{
-				return Err(AttestError::InvalidEndEntityCert)
+			let ee_cert =
+				openssl::x509::X509::from_der(&attestation_doc.certificate)?;
+
+			// Expect v3 (0 corresponds to v1 etc.)
+			if ee_cert.version() != 2 {
+				return Err(AttestError::InvalidEndEntityCert);
 			}
 
-			// Get the public key the cose sign1 object was signed with
-			// https://github.com/briansmith/webpki/issues/85
-			let extracted_key = {
-				let pub_key = certificate
-					.tbs_certificate
-					.subject_pki
-					.subject_public_key
-					.data;
-
-				let group = EcGroup::from_curve_name(Nid::SECP384R1)
-					.map_err(|_| AttestError::CertKeyExtractionFailure)?;
-				let mut ctx = BigNumContext::new()
-					.map_err(|_| AttestError::CertKeyExtractionFailure)?;
-				let point = EcPoint::from_bytes(&group, &pub_key, &mut ctx)
-					.map_err(|_| AttestError::CertKeyExtractionFailure)?;
-				let ec_key = EcKey::from_public_key(&group, &point)
-					.map_err(|_| AttestError::CertKeyExtractionFailure)?;
-
-				openssl::pkey::PKey::try_from(ec_key)
-					.map_err(|_| AttestError::CertKeyExtractionFailure)?
-			};
+			let ee_cert_pub_key = ee_cert.public_key()?;
 
 			// Verify the signature against the extracted public key
-
 			if !cose_sign1
-				.verify_signature(&extracted_key)
+				.verify_signature(&ee_cert_pub_key)
 				.map_err(|_| AttestError::InvalidCOSESign1Signature)?
 			{
-				return Err(AttestError::InvalidCOSESign1Signature)
+				return Err(AttestError::InvalidCOSESign1Signature);
 			}
 		}
 
@@ -479,8 +425,37 @@ pub mod nitro {
 		}
 
 		#[test]
-		fn attestation_doc_from_der_corrupt_target_certificate() {}
-
+		// fn attestation_doc_from_der_corrupt_end_entity_certificate() {
+		// 	let (private, _) = generate_ec512_test_key();
+		// 	let root_cert = cert_from_pem(AWS_ROOT_CERT).unwrap();
+		// 	let attestation_doc = attestation_doc_from_der(
+		// 		MOCK_NSM_ATTESTATION_DOCUMENT,
+		// 		&root_cert[..],
+		// 		MOCK_SECONDS_SINCE_EPOCH,
+		// 	)
+		// 	.unwrap();
+
+		// 	let (r, mut cert) = x509_parser::parse_x509_certificate(
+		// 		&attestation_doc.certificate,
+		// 	)
+		// 	.unwrap();
+		// 	assert_eq!(r.len(), 0);
+
+		// 	let mut corrupt_pub_key = cert
+		// 		.tbs_certificate
+		// 		.subject_pki
+		// 		.subject_public_key
+		// 		.data
+		// 		.to_vec();
+
+		// 	// Modify the pubkey by swapping out some random bytes.
+		// 	corrupt_pub_key.pop();
+		// 	corrupt_pub_key.push(0xff);
+		// 	cert.tbs_certificate.subject_pki.subject_public_key.data =
+		// 		&corrupt_pub_key;
+
+		// 	// attestation_doc.certificate = cert.
+		// }
 		#[test]
 		fn attestation_doc_from_der_bad_sign1_sig() {}
 
diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index 887c8776..5fe733c5 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -173,7 +173,8 @@ mod handlers {
 
 				// Verification Flow:
 				// 1. Check signature from the Certificate over the
-				// AttestationDocument 2. Verify the CA Bundle using the known
+				// AttestationDocument
+				// 2. Verify the CA Bundle using the known
 				// root of trust and Certificate
 				//   - Assume ROT is known ahead of time
 				// 3. Business logic
@@ -183,7 +184,6 @@ mod handlers {
 				//   - (Human): How do I know that this build artifact is
 				//     correct?
 				// TODO: semantic verification from: https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/docs/attestation_process.md
-
 				let root_cert =
 					cert_from_pem(AWS_ROOT_CERT).expect("Invalid root cert");
 				match attestation_doc_from_der(

From 306f5928cb7be4f33fc41063b9894104b8a43351 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 14:35:32 -0700
Subject: [PATCH 22/44] Remove some default features

---
 qos-client/Cargo.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/qos-client/Cargo.toml b/qos-client/Cargo.toml
index e04cf515..061096ee 100644
--- a/qos-client/Cargo.toml
+++ b/qos-client/Cargo.toml
@@ -10,10 +10,10 @@ openssl = "0.10.40"
 
 # Third party
 ureq = { version = "2.4", default-features = false }
-serde_cbor = "0.11"
+serde_cbor = { version = "0.11", default-features = false }
 aws-nitro-enclaves-nsm-api = { version = "0.2.1", default-features = false }
 
 # For handling Attestation Doc
-aws-nitro-enclaves-cose = "0.4.0"
-webpki = "0.22.0"
-serde_bytes = "0.11"
+aws-nitro-enclaves-cose = { version = "0.4.0", default-features = false, features = ["key_openssl_pkey"] }
+webpki = { version =  "0.22.0", default-features = false }
+serde_bytes = { version = "0.11", default-features = false }

From 91155bc44ce059046429fa394a5347c8c7998632 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 15:45:12 -0700
Subject: [PATCH 23/44] Factor out cert chain & sign1 sig checks + add some
 tests

---
 qos-client/src/attest.rs | 234 ++++++++++++++++++++++++---------------
 1 file changed, 143 insertions(+), 91 deletions(-)

diff --git a/qos-client/src/attest.rs b/qos-client/src/attest.rs
index 61bde498..744f3d93 100644
--- a/qos-client/src/attest.rs
+++ b/qos-client/src/attest.rs
@@ -40,6 +40,7 @@ impl From<aws_nitro_enclaves_nsm_api::api::Error> for AttestError {
 pub mod nitro {
 	use aws_nitro_enclaves_cose::CoseSign1;
 	use aws_nitro_enclaves_nsm_api::api::AttestationDoc;
+	use serde_bytes::ByteBuf;
 
 	use super::AttestError;
 
@@ -81,11 +82,11 @@ pub mod nitro {
 	///   valid. This is measured in seconds since the unix epoch. Most likely
 	///   this will be the current time.
 	pub fn attestation_doc_from_der(
-		bytes: &[u8],
+		cose_sign1_der: &[u8],
 		root_cert: &[u8],
 		validation_time: u64, // seconds since unix epoch
 	) -> Result<AttestationDoc, AttestError> {
-		let cose_sign1 = CoseSign1::from_bytes(&bytes[..])
+		let cose_sign1 = CoseSign1::from_bytes(cose_sign1_der)
 			.map_err(|_| AttestError::InvalidCOSESign1Structure)?;
 		let attestation_doc = {
 			let raw_attestation_doc = cose_sign1
@@ -95,8 +96,6 @@ pub mod nitro {
 			AttestationDoc::from_binary(&raw_attestation_doc[..])?
 		};
 
-		// Syntactical validation
-
 		syntactic_validation::module_id(&attestation_doc.module_id)?;
 		syntactic_validation::digest(attestation_doc.digest)?;
 		syntactic_validation::pcrs(&attestation_doc.pcrs)?;
@@ -106,71 +105,81 @@ pub mod nitro {
 		syntactic_validation::user_data(&attestation_doc.user_data)?;
 		syntactic_validation::nonce(&attestation_doc.nonce)?;
 
-		// Semantic validation
+		verify_certificate_chain(
+			&attestation_doc.cabundle,
+			root_cert,
+			&attestation_doc.certificate,
+			validation_time,
+		)?;
+		verify_cose_sign1_sig(&attestation_doc.certificate, &cose_sign1)?;
 
-		// CA bundle verification, in other words verify certificate chain with
-		// the root certificate
-		{
-			// Bundle starts with root certificate - we want to replace the root
-			// with our hardcoded known certificate, so we remove the root
-			// (first element). Ordering is: root cert .. intermediate certs ..
-			// end entity cert.
-			let intermediate_certs: Vec<_> = attestation_doc.cabundle[1..]
-				.into_iter()
-				.map(|x| x.as_slice())
-				.collect();
-
-			// The root CA
-			let anchors =
-				vec![webpki::TrustAnchor::try_from_cert_der(root_cert)?];
-			let anchors = webpki::TlsServerTrustAnchors(&anchors);
-
-			let time =
-				webpki::Time::from_seconds_since_unix_epoch(validation_time);
-
-			let cert_raw: &[u8] = attestation_doc.certificate.as_ref();
-			let cert = webpki::EndEntityCert::try_from(cert_raw)?;
-
-			// TODO: double check this is the correct verification
-			cert.verify_is_valid_tls_server_cert(
-				AWS_NITRO_CERT_SIG_ALG,
-				&anchors,
-				&intermediate_certs,
-				time,
-			)
-			.map_err(|e| AttestError::InvalidCertChain(e))?;
-		}
+		Ok(attestation_doc)
+	}
 
-		// Check that cose sign1 structure is signed with the key in the end
-		// entity certificate.
-		{
-			let ee_cert =
-				openssl::x509::X509::from_der(&attestation_doc.certificate)?;
+	/// Verify the certificate chain against the root & end entity certificates.
+	fn verify_certificate_chain(
+		cabundle: &Vec<ByteBuf>,
+		root_cert: &[u8],
+		end_entity_certificate: &[u8],
+		validation_time: u64,
+	) -> Result<(), AttestError> {
+		// Bundle starts with root certificate - we want to replace the root
+		// with our hardcoded known certificate, so we remove the root
+		// (first element). Ordering is: root cert .. intermediate certs ..
+		// end entity cert.
+		let intermediate_certs: Vec<_> =
+			cabundle[1..].into_iter().map(|x| x.as_slice()).collect();
+
+		// The root CA
+		let anchors = vec![webpki::TrustAnchor::try_from_cert_der(root_cert)?];
+		let anchors = webpki::TlsServerTrustAnchors(&anchors);
+
+		let time = webpki::Time::from_seconds_since_unix_epoch(validation_time);
+
+		let cert = webpki::EndEntityCert::try_from(end_entity_certificate)?;
+
+		// TODO: double check this is the correct verification
+		cert.verify_is_valid_tls_server_cert(
+			AWS_NITRO_CERT_SIG_ALG,
+			&anchors,
+			&intermediate_certs,
+			time,
+		)
+		.map_err(|e| AttestError::InvalidCertChain(e))?;
+
+		Ok(())
+	}
 
-			// Expect v3 (0 corresponds to v1 etc.)
-			if ee_cert.version() != 2 {
-				return Err(AttestError::InvalidEndEntityCert);
-			}
+	// Check that cose sign1 structure is signed with the key in the end
+	// entity certificate.
+	fn verify_cose_sign1_sig(
+		end_entity_certificate: &[u8],
+		cose_sign1: &CoseSign1,
+	) -> Result<(), AttestError> {
+		let ee_cert = openssl::x509::X509::from_der(end_entity_certificate)?;
+
+		// Expect v3 (0 corresponds to v1 etc.)
+		if ee_cert.version() != 2 {
+			return Err(AttestError::InvalidEndEntityCert);
+		}
 
-			let ee_cert_pub_key = ee_cert.public_key()?;
+		let ee_cert_pub_key = ee_cert.public_key()?;
 
-			// Verify the signature against the extracted public key
-			if !cose_sign1
-				.verify_signature(&ee_cert_pub_key)
-				.map_err(|_| AttestError::InvalidCOSESign1Signature)?
-			{
-				return Err(AttestError::InvalidCOSESign1Signature);
-			}
+		// Verify the signature against the extracted public key
+		if !cose_sign1
+			.verify_signature(&ee_cert_pub_key)
+			.map_err(|_| AttestError::InvalidCOSESign1Signature)?
+		{
+			Err(AttestError::InvalidCOSESign1Signature)
+		} else {
+			Ok(())
 		}
-
-		Ok(attestation_doc)
 	}
 
 	mod syntactic_validation {
 		use std::collections::BTreeMap;
 
 		use aws_nitro_enclaves_nsm_api::api::Digest;
-		use serde_bytes::ByteBuf;
 
 		use super::*;
 
@@ -425,41 +434,84 @@ pub mod nitro {
 		}
 
 		#[test]
-		// fn attestation_doc_from_der_corrupt_end_entity_certificate() {
-		// 	let (private, _) = generate_ec512_test_key();
-		// 	let root_cert = cert_from_pem(AWS_ROOT_CERT).unwrap();
-		// 	let attestation_doc = attestation_doc_from_der(
-		// 		MOCK_NSM_ATTESTATION_DOCUMENT,
-		// 		&root_cert[..],
-		// 		MOCK_SECONDS_SINCE_EPOCH,
-		// 	)
-		// 	.unwrap();
-
-		// 	let (r, mut cert) = x509_parser::parse_x509_certificate(
-		// 		&attestation_doc.certificate,
-		// 	)
-		// 	.unwrap();
-		// 	assert_eq!(r.len(), 0);
-
-		// 	let mut corrupt_pub_key = cert
-		// 		.tbs_certificate
-		// 		.subject_pki
-		// 		.subject_public_key
-		// 		.data
-		// 		.to_vec();
-
-		// 	// Modify the pubkey by swapping out some random bytes.
-		// 	corrupt_pub_key.pop();
-		// 	corrupt_pub_key.push(0xff);
-		// 	cert.tbs_certificate.subject_pki.subject_public_key.data =
-		// 		&corrupt_pub_key;
-
-		// 	// attestation_doc.certificate = cert.
-		// }
-		#[test]
-		fn attestation_doc_from_der_bad_sign1_sig() {}
+		fn attestation_doc_from_der_corrupt_end_entity_certificate() {
+			let (private, _) = generate_ec512_test_key();
+			let root_cert = cert_from_pem(AWS_ROOT_CERT).unwrap();
+			let mut attestation_doc = attestation_doc_from_der(
+				MOCK_NSM_ATTESTATION_DOCUMENT,
+				&root_cert[..],
+				MOCK_SECONDS_SINCE_EPOCH,
+			)
+			.unwrap();
+
+			// Corrupt the end entity certificate
+			attestation_doc.certificate.pop();
+			attestation_doc.certificate.push(0xff);
+
+			let corrupt_cose_sign1 = CoseSign1::new(
+				&attestation_doc.to_binary(),
+				&HeaderMap::new(),
+				&private,
+			)
+			.unwrap();
+
+			let corrupt_document1 = corrupt_cose_sign1.as_bytes(true).unwrap();
+			let err_result = attestation_doc_from_der(
+				&corrupt_document1,
+				&root_cert[..],
+				MOCK_SECONDS_SINCE_EPOCH,
+			);
+
+			match err_result {
+				Err(AttestError::InvalidCertChain(
+					webpki::Error::UnknownIssuer,
+				)) => {}
+				_ => panic!("{:?}", err_result),
+			};
+		}
 
 		#[test]
-		fn attestation_doc_from_der_corrupt_root_certificate() {}
+		fn attestation_doc_from_der_bad_sign1_sig() {
+			let root_cert = cert_from_pem(AWS_ROOT_CERT).unwrap();
+			let (private, _) = generate_ec512_test_key();
+			let document =
+				CoseSign1::from_bytes(MOCK_NSM_ATTESTATION_DOCUMENT).unwrap();
+
+			let unprotected = document.get_unprotected();
+			let (_protected, payload) =
+				document.get_protected_and_payload(None).unwrap();
+
+			// Sign the document with a private key that isn't in the end entity
+			// certificate
+
+			let corrupt_document =
+				CoseSign1::new(&payload, unprotected, &private).unwrap();
+			let err_result = attestation_doc_from_der(
+				&corrupt_document.as_bytes(true).unwrap(),
+				&root_cert[..],
+				MOCK_SECONDS_SINCE_EPOCH,
+			);
+
+			match err_result {
+				Err(AttestError::InvalidCOSESign1Signature) => {}
+				_ => panic!("{:?}", err_result),
+			}
+		}
+
+		// #[test]
+		// fn attestation_doc_from_der_corrupt_root_certificate() {
+		// 	let root_cert =
+		// 		openssl::x509::X509::from_pem(AWS_ROOT_CERT).unwrap();
+
+		// 	let builder = openssl::x509::X509Builder::new().unwrap();
+		// 	builder.set_subject_name(root_cert.subject_name()).unwrap();
+		// 	builder.set_not_before(root_cert.not_before());
+		// 	builder.set_not_after(root_cert.not_after());
+		// 	builder.set_version(root_cert.version());
+		// 	builder.set_serial_number(root_cert.serial_number());
+		// 	builder.set_issuer_name(root_cert.issuer_name());
+		// 	builder.set_subject_name(root_cert.subject_name());
+		// 	builder.set_pubkey(&root_cert.public_key().unwrap());
+		// }
 	}
 }

From fdc887dcbdaef40437b8ef755eaa2775e42de201 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 16:08:36 -0700
Subject: [PATCH 24/44] Add test for malformed root certificate

---
 qos-client/src/attest.rs | 47 +++++++++++++++++++++++++++-------------
 1 file changed, 32 insertions(+), 15 deletions(-)

diff --git a/qos-client/src/attest.rs b/qos-client/src/attest.rs
index 744f3d93..6832a836 100644
--- a/qos-client/src/attest.rs
+++ b/qos-client/src/attest.rs
@@ -105,6 +105,8 @@ pub mod nitro {
 		syntactic_validation::user_data(&attestation_doc.user_data)?;
 		syntactic_validation::nonce(&attestation_doc.nonce)?;
 
+		// TODO: Ensure verification conforms exactly to section 3.2.3.*
+		// https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/docs/attestation_process.md#32-syntactical-validation
 		verify_certificate_chain(
 			&attestation_doc.cabundle,
 			root_cert,
@@ -498,20 +500,35 @@ pub mod nitro {
 			}
 		}
 
-		// #[test]
-		// fn attestation_doc_from_der_corrupt_root_certificate() {
-		// 	let root_cert =
-		// 		openssl::x509::X509::from_pem(AWS_ROOT_CERT).unwrap();
-
-		// 	let builder = openssl::x509::X509Builder::new().unwrap();
-		// 	builder.set_subject_name(root_cert.subject_name()).unwrap();
-		// 	builder.set_not_before(root_cert.not_before());
-		// 	builder.set_not_after(root_cert.not_after());
-		// 	builder.set_version(root_cert.version());
-		// 	builder.set_serial_number(root_cert.serial_number());
-		// 	builder.set_issuer_name(root_cert.issuer_name());
-		// 	builder.set_subject_name(root_cert.subject_name());
-		// 	builder.set_pubkey(&root_cert.public_key().unwrap());
-		// }
+		#[test]
+		fn attestation_doc_from_der_corrupt_root_certificate() {
+			let root_cert =
+				openssl::x509::X509::from_pem(AWS_ROOT_CERT).unwrap();
+
+			// Build a root certificate with no extensions;
+			let mut builder = openssl::x509::X509Builder::new().unwrap();
+			builder.set_subject_name(root_cert.subject_name()).unwrap();
+			builder.set_not_before(root_cert.not_before()).unwrap();
+			builder.set_not_after(root_cert.not_after()).unwrap();
+			builder.set_version(root_cert.version()).unwrap();
+			builder.set_serial_number(root_cert.serial_number()).unwrap();
+			builder.set_issuer_name(root_cert.issuer_name()).unwrap();
+			builder.set_subject_name(root_cert.subject_name()).unwrap();
+			builder.set_pubkey(&root_cert.public_key().unwrap()).unwrap();
+
+			let corrupt_root_cert = builder.build().to_der().unwrap();
+			let err_result = attestation_doc_from_der(
+				MOCK_NSM_ATTESTATION_DOCUMENT,
+				&corrupt_root_cert[..],
+				MOCK_SECONDS_SINCE_EPOCH,
+			);
+
+			match err_result {
+				Err(AttestError::WebPki(
+					webpki::Error::MissingOrMalformedExtensions,
+				)) => {}
+				_ => panic!("{:?}", err_result),
+			}
+		}
 	}
 }

From 0aa75188231151eb7d8740eeccf17efe7ffcde5f Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 16:09:23 -0700
Subject: [PATCH 25/44] fmt

---
 qos-client/src/attest.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qos-client/src/attest.rs b/qos-client/src/attest.rs
index 6832a836..bedddf1b 100644
--- a/qos-client/src/attest.rs
+++ b/qos-client/src/attest.rs
@@ -162,7 +162,7 @@ pub mod nitro {
 
 		// Expect v3 (0 corresponds to v1 etc.)
 		if ee_cert.version() != 2 {
-			return Err(AttestError::InvalidEndEntityCert);
+			return Err(AttestError::InvalidEndEntityCert)
 		}
 
 		let ee_cert_pub_key = ee_cert.public_key()?;

From bd9ca77d7431639dc13688441c82c1bce42a77b4 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 16:25:06 -0700
Subject: [PATCH 26/44] Fix e2e test by allowing different nsm payloads

---
 qos-core/src/protocol/mod.rs | 27 +++++++++++++++++----------
 qos-test/src/lib.rs          |  4 ----
 2 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index dd3ca6da..f9c85b86 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -130,18 +130,25 @@ mod handlers {
 		req: &ProtocolMsg,
 		state: &mut ProtocolState,
 	) -> Option<ProtocolMsg> {
-		// if let ProtocolMsg::NsmRequest(NsmRequest::Attestation { .. }) = req
-		// {
-		if let ProtocolMsg::NsmRequest(_req) = req {
-			let attestation = NsmRequest::Attestation {
-				user_data: None,
-				nonce: None,
-				public_key: Some(
-					Rsa::generate(4096).unwrap().public_key_to_pem().unwrap(),
-				),
+		if let ProtocolMsg::NsmRequest(req) = req {
+			// HACK: this should be replaced pretty soon, right now just here for backwards compat
+			// with tests
+			let request = if *req == NsmRequest::DescribeNSM {
+				NsmRequest::DescribeNSM
+			} else {
+				NsmRequest::Attestation {
+					user_data: None,
+					nonce: None,
+					public_key: Some(
+						Rsa::generate(4096)
+							.unwrap()
+							.public_key_to_pem()
+							.unwrap(),
+					),
+				}
 			};
 			let fd = state.attestor.nsm_init();
-			let response = state.attestor.nsm_process_request(fd, attestation);
+			let response = state.attestor.nsm_process_request(fd, request);
 			Some(ProtocolMsg::NsmResponse(response))
 		} else {
 			None
diff --git a/qos-test/src/lib.rs b/qos-test/src/lib.rs
index d33331fe..45278f22 100644
--- a/qos-test/src/lib.rs
+++ b/qos-test/src/lib.rs
@@ -1,5 +1 @@
 #![forbid(unsafe_code)]
-
-use std::collections::BTreeSet;
-
-use qos_core::protocol::{NsmDigest, NsmProvider, NsmRequest, NsmResponse};

From 4da8771182ba37a57e736e4ef071f7ad321ccce0 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 16:59:22 -0700
Subject: [PATCH 27/44] Remove unused mock; various cleaning

---
 attest_document.rs           |  1 -
 qos-client/src/attest.rs     | 13 ++++++-------
 qos-core/Cargo.toml          |  1 -
 qos-core/src/cli.rs          |  8 +-------
 qos-core/src/protocol/mod.rs |  4 ++--
 5 files changed, 9 insertions(+), 18 deletions(-)
 delete mode 100644 attest_document.rs

diff --git a/attest_document.rs b/attest_document.rs
deleted file mode 100644
index 50cf4003..00000000
--- a/attest_document.rs
+++ /dev/null
@@ -1 +0,0 @@
-const MOCK_NSM: Vec<u8> = vec![132, 68, 161, 1, 56, 34, 160, 89, 19, 220, 169, 105, 109, 111, 100, 117, 108, 101, 95, 105, 100, 120, 39, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 45, 101, 110, 99, 48, 49, 56, 48, 99, 102, 99, 102, 100, 99, 48, 54, 97, 51, 99, 97, 102, 100, 105, 103, 101, 115, 116, 102, 83, 72, 65, 51, 56, 52, 105, 116, 105, 109, 101, 115, 116, 97, 109, 112, 27, 0, 0, 1, 128, 207, 208, 6, 83, 100, 112, 99, 114, 115, 176, 0, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 88, 48, 26, 168, 192, 140, 173, 25, 127, 31, 229, 123, 209, 158, 184, 181, 98, 57, 109, 39, 65, 111, 164, 166, 206, 203, 135, 94, 25, 124, 131, 82, 66, 96, 92, 110, 185, 109, 116, 109, 171, 158, 151, 193, 146, 98, 73, 208, 143, 74, 5, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 7, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 10, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 11, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 12, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 13, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 14, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 88, 48, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 107, 99, 101, 114, 116, 105, 102, 105, 99, 97, 116, 101, 89, 2, 126, 48, 130, 2, 122, 48, 130, 2, 1, 160, 3, 2, 1, 2, 2, 16, 1, 128, 207, 207, 220, 6, 163, 202, 0, 0, 0, 0, 98, 131, 6, 38, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 129, 142, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 57, 48, 55, 6, 3, 85, 4, 3, 12, 48, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 55, 48, 50, 49, 57, 49, 53, 90, 23, 13, 50, 50, 48, 53, 49, 55, 48, 53, 49, 57, 49, 56, 90, 48, 129, 147, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 62, 48, 60, 6, 3, 85, 4, 3, 12, 53, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 45, 101, 110, 99, 48, 49, 56, 48, 99, 102, 99, 102, 100, 99, 48, 54, 97, 51, 99, 97, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 64, 233, 7, 173, 105, 145, 172, 7, 38, 139, 151, 196, 130, 50, 200, 176, 180, 184, 126, 63, 183, 108, 30, 73, 196, 122, 128, 168, 176, 139, 3, 56, 77, 29, 100, 31, 225, 249, 75, 2, 211, 49, 205, 94, 228, 238, 213, 160, 217, 110, 187, 2, 77, 105, 124, 86, 112, 175, 167, 83, 158, 182, 44, 94, 202, 245, 139, 23, 102, 176, 11, 80, 120, 167, 129, 115, 148, 230, 134, 116, 96, 94, 40, 110, 34, 21, 91, 75, 152, 235, 96, 199, 234, 169, 38, 7, 163, 29, 48, 27, 48, 12, 6, 3, 85, 29, 19, 1, 1, 255, 4, 2, 48, 0, 48, 11, 6, 3, 85, 29, 15, 4, 4, 3, 2, 6, 192, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 38, 61, 99, 118, 200, 165, 151, 107, 27, 135, 33, 126, 114, 241, 145, 19, 242, 162, 157, 210, 203, 38, 102, 251, 177, 229, 159, 29, 97, 177, 202, 40, 241, 131, 151, 5, 60, 32, 30, 60, 91, 23, 26, 43, 29, 129, 84, 162, 2, 48, 46, 121, 230, 144, 42, 154, 92, 26, 133, 154, 160, 159, 183, 44, 53, 253, 159, 165, 202, 165, 198, 126, 17, 255, 214, 6, 238, 208, 153, 20, 255, 166, 128, 213, 108, 67, 142, 25, 51, 216, 148, 204, 142, 67, 92, 143, 220, 191, 104, 99, 97, 98, 117, 110, 100, 108, 101, 132, 89, 2, 21, 48, 130, 2, 17, 48, 130, 1, 150, 160, 3, 2, 1, 2, 2, 17, 0, 249, 49, 117, 104, 27, 144, 175, 225, 29, 70, 204, 180, 228, 231, 248, 86, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 49, 57, 49, 48, 50, 56, 49, 51, 50, 56, 48, 53, 90, 23, 13, 52, 57, 49, 48, 50, 56, 49, 52, 50, 56, 48, 53, 90, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 252, 2, 84, 235, 166, 8, 193, 243, 104, 112, 226, 154, 218, 144, 190, 70, 56, 50, 146, 115, 110, 137, 75, 255, 246, 114, 217, 137, 68, 75, 80, 81, 229, 52, 164, 177, 246, 219, 227, 192, 188, 88, 26, 50, 183, 177, 118, 7, 14, 222, 18, 214, 154, 63, 234, 33, 27, 102, 231, 82, 207, 125, 209, 221, 9, 95, 111, 19, 112, 244, 23, 8, 67, 217, 220, 16, 1, 33, 228, 207, 99, 1, 40, 9, 102, 68, 135, 201, 121, 98, 132, 48, 77, 197, 63, 244, 163, 66, 48, 64, 48, 15, 6, 3, 85, 29, 19, 1, 1, 255, 4, 5, 48, 3, 1, 1, 255, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 144, 37, 181, 13, 217, 5, 71, 231, 150, 195, 150, 250, 114, 157, 207, 153, 169, 223, 75, 150, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 105, 0, 48, 102, 2, 49, 0, 163, 127, 47, 145, 161, 201, 189, 94, 231, 184, 98, 124, 22, 152, 210, 85, 3, 142, 31, 3, 67, 249, 91, 99, 169, 98, 140, 61, 57, 128, 149, 69, 161, 30, 188, 191, 46, 59, 85, 216, 174, 238, 113, 180, 195, 214, 173, 243, 2, 49, 0, 162, 243, 155, 22, 5, 178, 112, 40, 165, 221, 75, 160, 105, 181, 1, 110, 101, 180, 251, 222, 143, 224, 6, 29, 106, 83, 25, 127, 156, 218, 245, 217, 67, 188, 97, 252, 43, 235, 3, 203, 111, 238, 141, 35, 2, 243, 223, 246, 89, 2, 193, 48, 130, 2, 189, 48, 130, 2, 68, 160, 3, 2, 1, 2, 2, 16, 101, 199, 204, 202, 87, 14, 220, 16, 15, 61, 225, 212, 138, 102, 255, 157, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 73, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 27, 48, 25, 6, 3, 85, 4, 3, 12, 18, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 50, 48, 51, 51, 50, 53, 54, 90, 23, 13, 50, 50, 48, 54, 48, 49, 48, 52, 51, 50, 53, 54, 90, 48, 100, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 54, 48, 52, 6, 3, 85, 4, 3, 12, 45, 55, 55, 97, 53, 97, 49, 51, 55, 54, 55, 97, 54, 99, 56, 51, 49, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 222, 252, 141, 69, 152, 48, 54, 180, 63, 68, 105, 37, 175, 123, 59, 155, 212, 162, 176, 82, 168, 225, 2, 86, 52, 16, 138, 20, 104, 46, 28, 70, 228, 6, 173, 133, 36, 227, 73, 160, 184, 8, 102, 96, 219, 251, 137, 217, 240, 167, 124, 168, 90, 214, 190, 71, 206, 190, 26, 147, 11, 32, 157, 109, 103, 155, 95, 77, 251, 77, 99, 42, 102, 192, 206, 112, 250, 243, 241, 234, 30, 20, 208, 162, 218, 74, 186, 68, 36, 200, 14, 159, 33, 160, 12, 66, 163, 129, 213, 48, 129, 210, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 2, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 144, 37, 181, 13, 217, 5, 71, 231, 150, 195, 150, 250, 114, 157, 207, 153, 169, 223, 75, 150, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 133, 27, 7, 162, 173, 220, 156, 98, 111, 180, 23, 177, 10, 241, 150, 225, 121, 125, 252, 202, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 108, 6, 3, 85, 29, 31, 4, 101, 48, 99, 48, 97, 160, 95, 160, 93, 134, 91, 104, 116, 116, 112, 58, 47, 47, 97, 119, 115, 45, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 45, 99, 114, 108, 46, 115, 51, 46, 97, 109, 97, 122, 111, 110, 97, 119, 115, 46, 99, 111, 109, 47, 99, 114, 108, 47, 97, 98, 52, 57, 54, 48, 99, 99, 45, 55, 100, 54, 51, 45, 52, 50, 98, 100, 45, 57, 101, 57, 102, 45, 53, 57, 51, 51, 56, 99, 98, 54, 55, 102, 56, 52, 46, 99, 114, 108, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 97, 16, 159, 217, 30, 69, 151, 35, 31, 115, 87, 240, 159, 181, 162, 247, 229, 229, 175, 156, 93, 186, 83, 52, 225, 235, 45, 2, 148, 133, 10, 218, 189, 174, 86, 206, 154, 17, 82, 119, 75, 208, 223, 216, 100, 244, 223, 27, 2, 48, 20, 146, 166, 67, 119, 132, 151, 250, 100, 67, 177, 102, 112, 250, 234, 30, 55, 83, 97, 104, 45, 137, 13, 60, 25, 50, 92, 19, 227, 106, 251, 102, 117, 38, 161, 227, 177, 251, 11, 94, 129, 152, 1, 196, 197, 203, 128, 117, 89, 3, 23, 48, 130, 3, 19, 48, 130, 2, 154, 160, 3, 2, 1, 2, 2, 16, 66, 191, 173, 106, 243, 245, 153, 100, 102, 84, 221, 162, 118, 15, 1, 196, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 100, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 54, 48, 52, 6, 3, 85, 4, 3, 12, 45, 55, 55, 97, 53, 97, 49, 51, 55, 54, 55, 97, 54, 99, 56, 51, 49, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 30, 23, 13, 50, 50, 48, 53, 49, 54, 50, 50, 51, 48, 49, 56, 90, 23, 13, 50, 50, 48, 53, 50, 50, 50, 49, 51, 48, 49, 56, 90, 48, 129, 137, 49, 60, 48, 58, 6, 3, 85, 4, 3, 12, 51, 97, 99, 55, 99, 101, 98, 99, 48, 54, 102, 52, 101, 98, 98, 50, 98, 46, 122, 111, 110, 97, 108, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 11, 48, 9, 6, 3, 85, 4, 8, 12, 2, 87, 65, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 132, 96, 229, 136, 115, 25, 148, 177, 3, 239, 253, 83, 20, 162, 171, 242, 6, 39, 97, 110, 155, 216, 112, 201, 132, 5, 243, 151, 40, 179, 209, 184, 115, 218, 185, 217, 23, 250, 67, 45, 179, 172, 254, 154, 182, 150, 247, 12, 54, 159, 232, 139, 74, 101, 88, 59, 48, 163, 200, 223, 199, 102, 148, 51, 38, 109, 227, 140, 112, 15, 13, 237, 128, 229, 179, 130, 105, 206, 113, 141, 59, 241, 36, 140, 191, 217, 98, 232, 165, 232, 70, 255, 156, 41, 57, 172, 163, 129, 234, 48, 129, 231, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 1, 48, 31, 6, 3, 85, 29, 35, 4, 24, 48, 22, 128, 20, 133, 27, 7, 162, 173, 220, 156, 98, 111, 180, 23, 177, 10, 241, 150, 225, 121, 125, 252, 202, 48, 29, 6, 3, 85, 29, 14, 4, 22, 4, 20, 64, 234, 253, 247, 84, 156, 144, 3, 154, 191, 59, 159, 177, 155, 197, 150, 178, 18, 8, 187, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 1, 134, 48, 129, 128, 6, 3, 85, 29, 31, 4, 121, 48, 119, 48, 117, 160, 115, 160, 113, 134, 111, 104, 116, 116, 112, 58, 47, 47, 99, 114, 108, 45, 117, 115, 45, 101, 97, 115, 116, 45, 49, 45, 97, 119, 115, 45, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 46, 115, 51, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 109, 97, 122, 111, 110, 97, 119, 115, 46, 99, 111, 109, 47, 99, 114, 108, 47, 99, 102, 52, 53, 54, 53, 97, 101, 45, 102, 57, 50, 102, 45, 52, 99, 49, 49, 45, 97, 56, 55, 54, 45, 101, 51, 55, 102, 102, 57, 49, 100, 51, 54, 98, 53, 46, 99, 114, 108, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 0, 141, 147, 219, 43, 141, 203, 251, 249, 65, 14, 59, 101, 58, 52, 17, 94, 125, 255, 136, 2, 119, 77, 162, 172, 220, 228, 96, 248, 224, 23, 70, 232, 179, 196, 64, 148, 253, 75, 153, 4, 125, 112, 234, 156, 106, 224, 228, 2, 48, 113, 100, 127, 5, 242, 8, 183, 52, 198, 118, 237, 86, 219, 91, 20, 89, 92, 154, 237, 13, 160, 230, 178, 78, 214, 86, 204, 233, 200, 195, 178, 149, 33, 114, 132, 209, 28, 126, 120, 190, 203, 61, 219, 145, 44, 76, 113, 255, 89, 2, 129, 48, 130, 2, 125, 48, 130, 2, 4, 160, 3, 2, 1, 2, 2, 20, 89, 91, 125, 245, 221, 115, 39, 32, 198, 129, 41, 209, 134, 253, 7, 213, 175, 51, 158, 192, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 48, 129, 137, 49, 60, 48, 58, 6, 3, 85, 4, 3, 12, 51, 97, 99, 55, 99, 101, 98, 99, 48, 54, 102, 52, 101, 98, 98, 50, 98, 46, 122, 111, 110, 97, 108, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 11, 48, 9, 6, 3, 85, 4, 8, 12, 2, 87, 65, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 48, 30, 23, 13, 50, 50, 48, 53, 49, 55, 48, 49, 51, 50, 50, 55, 90, 23, 13, 50, 50, 48, 53, 49, 56, 48, 49, 51, 50, 50, 55, 90, 48, 129, 142, 49, 11, 48, 9, 6, 3, 85, 4, 6, 19, 2, 85, 83, 49, 19, 48, 17, 6, 3, 85, 4, 8, 12, 10, 87, 97, 115, 104, 105, 110, 103, 116, 111, 110, 49, 16, 48, 14, 6, 3, 85, 4, 7, 12, 7, 83, 101, 97, 116, 116, 108, 101, 49, 15, 48, 13, 6, 3, 85, 4, 10, 12, 6, 65, 109, 97, 122, 111, 110, 49, 12, 48, 10, 6, 3, 85, 4, 11, 12, 3, 65, 87, 83, 49, 57, 48, 55, 6, 3, 85, 4, 3, 12, 48, 105, 45, 48, 99, 54, 56, 101, 99, 57, 100, 50, 99, 55, 102, 56, 56, 50, 101, 56, 46, 117, 115, 45, 101, 97, 115, 116, 45, 49, 46, 97, 119, 115, 46, 110, 105, 116, 114, 111, 45, 101, 110, 99, 108, 97, 118, 101, 115, 48, 118, 48, 16, 6, 7, 42, 134, 72, 206, 61, 2, 1, 6, 5, 43, 129, 4, 0, 34, 3, 98, 0, 4, 217, 7, 202, 144, 1, 20, 13, 53, 232, 63, 221, 159, 225, 146, 134, 69, 146, 118, 201, 153, 160, 175, 125, 29, 75, 209, 208, 17, 139, 60, 241, 95, 234, 41, 212, 7, 177, 124, 161, 204, 166, 194, 44, 133, 232, 176, 11, 144, 63, 152, 193, 125, 85, 145, 72, 245, 151, 42, 102, 105, 84, 31, 79, 155, 24, 147, 140, 242, 204, 199, 198, 96, 157, 105, 8, 157, 169, 22, 102, 10, 112, 140, 221, 71, 210, 113, 87, 135, 200, 112, 157, 56, 193, 192, 141, 100, 163, 38, 48, 36, 48, 18, 6, 3, 85, 29, 19, 1, 1, 255, 4, 8, 48, 6, 1, 1, 255, 2, 1, 0, 48, 14, 6, 3, 85, 29, 15, 1, 1, 255, 4, 4, 3, 2, 2, 4, 48, 10, 6, 8, 42, 134, 72, 206, 61, 4, 3, 3, 3, 103, 0, 48, 100, 2, 48, 15, 118, 172, 221, 229, 239, 80, 139, 142, 77, 175, 85, 204, 40, 253, 36, 69, 183, 3, 228, 119, 41, 137, 22, 191, 207, 224, 87, 24, 125, 66, 154, 118, 221, 241, 153, 247, 77, 201, 49, 99, 4, 183, 219, 210, 69, 112, 100, 2, 48, 44, 231, 245, 61, 54, 161, 162, 170, 57, 172, 91, 91, 60, 143, 204, 18, 118, 143, 208, 21, 163, 144, 107, 213, 109, 255, 239, 142, 56, 218, 105, 255, 3, 95, 135, 135, 226, 39, 127, 155, 15, 41, 166, 150, 253, 186, 42, 61, 106, 112, 117, 98, 108, 105, 99, 95, 107, 101, 121, 89, 3, 32, 45, 45, 45, 45, 45, 66, 69, 71, 73, 78, 32, 80, 85, 66, 76, 73, 67, 32, 75, 69, 89, 45, 45, 45, 45, 45, 10, 77, 73, 73, 67, 73, 106, 65, 78, 66, 103, 107, 113, 104, 107, 105, 71, 57, 119, 48, 66, 65, 81, 69, 70, 65, 65, 79, 67, 65, 103, 56, 65, 77, 73, 73, 67, 67, 103, 75, 67, 65, 103, 69, 65, 54, 115, 57, 103, 121, 102, 107, 77, 50, 69, 108, 53, 107, 50, 78, 99, 89, 70, 110, 100, 10, 105, 55, 49, 52, 106, 122, 77, 86, 79, 119, 85, 54, 80, 110, 75, 107, 43, 83, 122, 111, 101, 47, 83, 66, 104, 70, 49, 56, 111, 99, 106, 119, 85, 115, 47, 54, 57, 82, 86, 113, 71, 71, 48, 67, 69, 82, 88, 109, 55, 67, 114, 113, 70, 87, 89, 99, 51, 76, 57, 79, 79, 90, 52, 89, 10, 67, 119, 106, 66, 57, 112, 49, 57, 100, 83, 75, 74, 122, 50, 74, 113, 82, 88, 84, 99, 65, 43, 47, 66, 56, 47, 55, 57, 48, 98, 97, 110, 69, 109, 113, 106, 73, 53, 76, 66, 101, 56, 68, 118, 100, 102, 47, 112, 51, 100, 84, 118, 75, 49, 72, 47, 67, 89, 122, 111, 119, 86, 65, 115, 10, 117, 47, 111, 79, 99, 81, 84, 57, 119, 77, 67, 108, 48, 56, 56, 106, 101, 67, 118, 105, 54, 102, 89, 52, 113, 121, 75, 70, 101, 71, 98, 88, 67, 82, 71, 75, 84, 105, 81, 106, 122, 99, 103, 121, 80, 71, 57, 101, 52, 74, 121, 110, 74, 75, 118, 117, 77, 120, 81, 67, 112, 97, 52, 72, 10, 70, 117, 116, 65, 48, 73, 53, 98, 113, 108, 43, 68, 120, 80, 80, 106, 49, 87, 83, 99, 83, 72, 50, 85, 102, 70, 118, 120, 67, 118, 85, 115, 97, 115, 106, 102, 89, 114, 69, 43, 51, 97, 112, 101, 86, 72, 47, 55, 70, 68, 69, 106, 115, 52, 56, 86, 84, 47, 97, 48, 111, 74, 105, 98, 10, 82, 67, 71, 100, 48, 85, 70, 89, 83, 118, 66, 109, 66, 112, 115, 107, 76, 77, 121, 109, 66, 78, 48, 57, 102, 75, 118, 100, 90, 79, 112, 111, 105, 83, 78, 97, 48, 97, 90, 70, 119, 67, 116, 113, 121, 88, 54, 72, 48, 89, 109, 74, 120, 113, 111, 105, 113, 99, 111, 78, 78, 118, 47, 68, 10, 56, 116, 110, 65, 109, 120, 102, 73, 120, 114, 105, 73, 52, 116, 102, 90, 69, 73, 100, 107, 97, 78, 103, 88, 76, 89, 79, 102, 49, 99, 106, 117, 74, 83, 117, 74, 97, 111, 83, 66, 99, 72, 122, 48, 73, 98, 47, 82, 117, 86, 80, 100, 83, 85, 75, 104, 90, 83, 114, 121, 110, 84, 47, 102, 10, 72, 98, 106, 112, 120, 121, 103, 112, 97, 104, 110, 84, 49, 76, 43, 85, 101, 47, 68, 103, 110, 87, 75, 56, 67, 56, 83, 72, 84, 85, 99, 76, 122, 115, 81, 109, 68, 67, 68, 65, 43, 49, 54, 65, 106, 53, 98, 112, 55, 55, 43, 81, 80, 78, 47, 114, 85, 120, 88, 55, 69, 98, 88, 79, 10, 105, 119, 47, 73, 115, 114, 57, 114, 47, 74, 98, 98, 69, 107, 89, 47, 48, 89, 105, 88, 47, 113, 114, 56, 103, 98, 54, 81, 56, 89, 112, 90, 121, 82, 52, 97, 104, 56, 86, 49, 86, 87, 71, 82, 102, 122, 90, 49, 72, 49, 48, 53, 77, 67, 54, 107, 88, 107, 47, 66, 85, 120, 78, 121, 10, 76, 85, 86, 56, 111, 66, 65, 87, 89, 108, 52, 57, 47, 107, 120, 114, 109, 82, 73, 122, 90, 99, 48, 118, 120, 117, 70, 122, 54, 81, 122, 105, 113, 54, 108, 54, 74, 120, 49, 53, 98, 89, 50, 120, 103, 68, 122, 115, 48, 90, 74, 103, 54, 75, 67, 71, 112, 71, 48, 99, 106, 54, 117, 121, 10, 68, 57, 104, 82, 82, 52, 109, 118, 117, 77, 115, 75, 115, 47, 50, 105, 79, 49, 89, 85, 68, 99, 107, 48, 118, 65, 53, 101, 48, 81, 117, 84, 89, 67, 97, 89, 72, 69, 66, 74, 51, 110, 83, 73, 88, 83, 115, 76, 75, 76, 81, 101, 71, 57, 111, 99, 77, 74, 77, 88, 50, 105, 51, 103, 10, 110, 86, 105, 43, 86, 49, 82, 69, 83, 102, 75, 69, 101, 117, 102, 102, 90, 82, 75, 69, 112, 106, 69, 67, 65, 119, 69, 65, 65, 81, 61, 61, 10, 45, 45, 45, 45, 45, 69, 78, 68, 32, 80, 85, 66, 76, 73, 67, 32, 75, 69, 89, 45, 45, 45, 45, 45, 10, 105, 117, 115, 101, 114, 95, 100, 97, 116, 97, 246, 101, 110, 111, 110, 99, 101, 246, 88, 96, 174, 48, 177, 39, 24, 48, 211, 165, 107, 86, 21, 216, 93, 143, 22, 156, 203, 98, 163, 5, 213, 87, 210, 213, 90, 98, 93, 46, 150, 155, 75, 81, 186, 194, 134, 36, 254, 23, 84, 26, 185, 37, 248, 150, 72, 16, 193, 246, 96, 76, 65, 78, 5, 133, 136, 18, 42, 87, 137, 82, 56, 245, 113, 139, 121, 164, 201, 244, 237, 101, 116, 109, 204, 13, 116, 108, 58, 74, 181, 32, 208, 172, 36, 44, 187, 171, 138, 185, 80, 105, 171, 65, 177, 74, 136, 33];
\ No newline at end of file
diff --git a/qos-client/src/attest.rs b/qos-client/src/attest.rs
index bedddf1b..41135ad6 100644
--- a/qos-client/src/attest.rs
+++ b/qos-client/src/attest.rs
@@ -5,7 +5,6 @@ pub enum AttestError {
 	WebPki(webpki::Error),
 	InvalidCertChain(webpki::Error),
 	OpenSSLError(openssl::error::ErrorStack),
-
 	Nsm(aws_nitro_enclaves_nsm_api::api::Error),
 	InvalidEndEntityCert,
 	InvalidCOSESign1Signature,
@@ -66,15 +65,15 @@ pub mod nitro {
 		Ok(openssl::x509::X509::from_pem(pem)?.to_der()?)
 	}
 
-	/// Extract the DER encoded `AttestationDoc` from the nsm provided
-	/// attestation document. This function will verify the the root certificate
-	/// authority via the CA bundle and that verify "target" (aka "end entity")
-	/// certificate signed the COSE Sign1 message.
+	/// Extract the DER encoded `AttestationDoc` from the nitro secure module
+	/// (nsm) provided COSE Sign1 structure. This function will verify the the
+	/// root certificate authority via the CA bundle and verify that the end
+	/// entity certificate signed the COSE Sign1 structure.
 	///
 	/// # Arguments
 	///
-	/// * `bytes` - the DER encoded COSE Sign1 structure containing the
-	///   attestation document.
+	/// * `cose_sign1_der` - the DER encoded COSE Sign1 structure containing the
+	///   attestation document payload.
 	/// * `root_cert` - the DER encoded root certificate. This should be a
 	///   hardcoded root certificate from amazon and its authenticity should be
 	///   validated out of band.
diff --git a/qos-core/Cargo.toml b/qos-core/Cargo.toml
index 222c2095..55cb4f06 100644
--- a/qos-core/Cargo.toml
+++ b/qos-core/Cargo.toml
@@ -14,7 +14,6 @@ serde = "1.0"
 serde_cbor = "0.11"
 serde_bytes = "0.11"
 
-
 [features]
 default=["local"]
 local = []
diff --git a/qos-core/src/cli.rs b/qos-core/src/cli.rs
index 9ed9e2bc..7b78dfcb 100644
--- a/qos-core/src/cli.rs
+++ b/qos-core/src/cli.rs
@@ -78,10 +78,7 @@ impl EnclaveOptions {
 
 	pub fn parse_mock(&mut self, cmd: &str, arg: &str) {
 		match cmd {
-			"--mock" => {
-				println!("mock arg: {}", arg);
-				self.mock = arg == "true"
-			}
+			"--mock" => self.mock = arg == "true",
 			_ => {}
 		}
 	}
@@ -101,11 +98,8 @@ impl EnclaveOptions {
 
 	pub fn nsm(&self) -> Box<dyn NsmProvider> {
 		if self.mock {
-			println!("using mock");
 			Box::new(protocol::MockNsm)
 		} else {
-			println!("not using mock");
-
 			Box::new(Nsm)
 		}
 	}
diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index f9c85b86..0f99a319 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -131,8 +131,8 @@ mod handlers {
 		state: &mut ProtocolState,
 	) -> Option<ProtocolMsg> {
 		if let ProtocolMsg::NsmRequest(req) = req {
-			// HACK: this should be replaced pretty soon, right now just here for backwards compat
-			// with tests
+			// HACK: this should be replaced pretty soon, right now just here
+			// for backwards compat with tests
 			let request = if *req == NsmRequest::DescribeNSM {
 				NsmRequest::DescribeNSM
 			} else {

From 63fa54a4b303522c4498abb9426d9edfa932fd79 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 17:23:01 -0700
Subject: [PATCH 28/44] Add `mock-attestation` command to client CLI

---
 Makefile                          |  7 ++++++
 qos-client/src/attest.rs          |  7 ++++++
 qos-client/src/cli.rs             | 42 +++++++++++++++++++++++++------
 qos-core/Cargo.toml               |  2 +-
 qos-core/src/cli.rs               |  4 +--
 qos-core/src/protocol/attestor.rs | 10 +++-----
 6 files changed, 54 insertions(+), 18 deletions(-)

diff --git a/Makefile b/Makefile
index 00fccb65..25e6374b 100644
--- a/Makefile
+++ b/Makefile
@@ -62,6 +62,13 @@ vm-client-describe-nsm:
 		--host-ip 127.0.0.1 \
 		--host-port 3000
 
+.PHONY: local-client-mock-attest
+local-client-mock-attest:
+	cargo run --bin qos-client \
+		mock-attestation \
+		--host-ip 127.0.0.1 \
+		--host-port 3000
+
 .PHONY: client
 client:
 	cargo run --bin qos-client
diff --git a/qos-client/src/attest.rs b/qos-client/src/attest.rs
index 41135ad6..d962b2b6 100644
--- a/qos-client/src/attest.rs
+++ b/qos-client/src/attest.rs
@@ -114,6 +114,13 @@ pub mod nitro {
 		)?;
 		verify_cose_sign1_sig(&attestation_doc.certificate, &cose_sign1)?;
 
+		// TODO:
+		// Additional validation for
+		// - timestamp is reasonable
+		// - nonce, user data, public key match user provided data
+		// - module id is what we expect
+		// - pcr validation
+
 		Ok(attestation_doc)
 	}
 
diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index 5fe733c5..929f01c1 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -8,6 +8,7 @@ enum Command {
 	Health,
 	Echo,
 	DescribeNsm,
+	MockAttestation,
 }
 impl Command {
 	fn run(&self, options: ClientOptions) {
@@ -15,6 +16,7 @@ impl Command {
 			Command::Health => handlers::health(options),
 			Command::Echo => handlers::echo(options),
 			Command::DescribeNsm => handlers::describe_nsm(options),
+			Command::MockAttestation => handlers::mock_attestation(options),
 		}
 	}
 }
@@ -24,6 +26,7 @@ impl Into<Command> for &str {
 			"health" => Command::Health,
 			"echo" => Command::Echo,
 			"describe-nsm" => Command::DescribeNsm,
+			"mock-attestation" => Command::MockAttestation,
 			_ => panic!("Unrecognized command"),
 		}
 	}
@@ -57,6 +60,7 @@ impl ClientOptions {
 				Command::Echo => options.echo.parse(&cmd, arg),
 				Command::Health => {}
 				Command::DescribeNsm => {}
+				Command::MockAttestation => {}
 			}
 		}
 
@@ -110,6 +114,7 @@ impl CLI {
 }
 
 mod handlers {
+
 	use qos_core::protocol::{NsmRequest, NsmResponse};
 
 	use super::*;
@@ -145,6 +150,24 @@ mod handlers {
 	}
 
 	pub(super) fn describe_nsm(options: ClientOptions) {
+		let path = &options.host.path("message");
+		match request::post(
+			path,
+			ProtocolMsg::NsmRequest(NsmRequest::DescribeNSM),
+		)
+		.map_err(|e| println!("{:?}", e))
+		.expect("Attestation request failed")
+		{
+			ProtocolMsg::NsmResponse(description) => {
+				println!("{:#?}", description)
+			}
+			other => panic!("Unexpected response {:?}", other),
+		}
+	}
+
+	pub(super) fn mock_attestation(options: ClientOptions) {
+		use openssl::rsa::Rsa;
+
 		let path = &options.host.path("message");
 
 		let response = request::post(
@@ -152,11 +175,13 @@ mod handlers {
 			ProtocolMsg::NsmRequest(NsmRequest::Attestation {
 				user_data: None,
 				nonce: None,
-				public_key: None,
+				public_key: Some(
+					Rsa::generate(4096).unwrap().public_key_to_pem().unwrap(),
+				),
 			}),
 		)
 		.map_err(|e| println!("{:?}", e))
-		.expect("Echo message failed");
+		.expect("Attestation request failed");
 
 		match response {
 			ProtocolMsg::NsmResponse(NsmResponse::Attestation { document }) => {
@@ -164,11 +189,13 @@ mod handlers {
 					attestation_doc_from_der, cert_from_pem, AWS_ROOT_CERT,
 					MOCK_SECONDS_SINCE_EPOCH,
 				};
-				////
+
+				//
 				// Truths:
-				////
-				// 1. AWS Nitro Enclaves use ES384 algorithm to sign the
-				// document 2. Certificate is DER-encoded
+				//
+				// 1) AWS Nitro Enclaves use ES384 algorithm to sign the
+				// document
+				// 2) Certificate is DER-encoded
 				//
 
 				// Verification Flow:
@@ -176,14 +203,13 @@ mod handlers {
 				// AttestationDocument
 				// 2. Verify the CA Bundle using the known
 				// root of trust and Certificate
-				//   - Assume ROT is known ahead of time
+				//   - Assume ROOT is known ahead of time
 				// 3. Business logic
 				//   - Is the application that is being run (as evidenced by the
 				//     PCRs) the expected application to have possession of
 				//     *this* key?
 				//   - (Human): How do I know that this build artifact is
 				//     correct?
-				// TODO: semantic verification from: https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/docs/attestation_process.md
 				let root_cert =
 					cert_from_pem(AWS_ROOT_CERT).expect("Invalid root cert");
 				match attestation_doc_from_der(
diff --git a/qos-core/Cargo.toml b/qos-core/Cargo.toml
index 55cb4f06..548c315c 100644
--- a/qos-core/Cargo.toml
+++ b/qos-core/Cargo.toml
@@ -6,7 +6,7 @@ edition = "2021"
 [dependencies]
 qos-crypto = { path = "../qos-crypto" }
 nix = { version = "0.24.1", features = ["socket"], default-features = false }
-openssl = "0.10.40"
+openssl = { version = "0.10.40", default-features = false }
 
 # For AWS Nitro
 aws-nitro-enclaves-nsm-api = { version = "0.2.1", default-features = false }
diff --git a/qos-core/src/cli.rs b/qos-core/src/cli.rs
index 7b78dfcb..7a17d2bf 100644
--- a/qos-core/src/cli.rs
+++ b/qos-core/src/cli.rs
@@ -2,7 +2,7 @@ use std::env;
 
 use crate::{
 	io::SocketAddress,
-	protocol::{self, Executor, Nsm, NsmProvider},
+	protocol::{Executor, MockNsm, Nsm, NsmProvider},
 	server::SocketServer,
 };
 
@@ -98,7 +98,7 @@ impl EnclaveOptions {
 
 	pub fn nsm(&self) -> Box<dyn NsmProvider> {
 		if self.mock {
-			Box::new(protocol::MockNsm)
+			Box::new(MockNsm)
 		} else {
 			Box::new(Nsm)
 		}
diff --git a/qos-core/src/protocol/attestor.rs b/qos-core/src/protocol/attestor.rs
index ad5b5fe4..0d4cc13b 100644
--- a/qos-core/src/protocol/attestor.rs
+++ b/qos-core/src/protocol/attestor.rs
@@ -42,13 +42,9 @@ impl NsmProvider for MockNsm {
 				user_data: _,
 				nonce: _,
 				public_key: _,
-			} => {
-				// TODO: this should be a CBOR-encoded AttestationDocument as
-				// the payload
-				NsmResponse::Attestation {
-					document: MOCK_NSM_ATTESTATION_DOCUMENT.to_vec(),
-				}
-			}
+			} => NsmResponse::Attestation {
+				document: MOCK_NSM_ATTESTATION_DOCUMENT.to_vec(),
+			},
 			NsmRequest::DescribeNSM => NsmResponse::DescribeNSM {
 				version_major: 1,
 				version_minor: 2,

From 83d40ec6126dc2220146f512644f4deede16eefe Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 17:38:03 -0700
Subject: [PATCH 29/44] Change host port for e2e test to avoid collisions

---
 qos-client/src/attest.rs     | 11 +++--------
 qos-client/src/cli.rs        |  1 +
 qos-test/tests/end_to_end.rs |  2 +-
 3 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/qos-client/src/attest.rs b/qos-client/src/attest.rs
index d962b2b6..de02ed05 100644
--- a/qos-client/src/attest.rs
+++ b/qos-client/src/attest.rs
@@ -138,20 +138,15 @@ pub mod nitro {
 		let intermediate_certs: Vec<_> =
 			cabundle[1..].into_iter().map(|x| x.as_slice()).collect();
 
-		// The root CA
-		let anchors = vec![webpki::TrustAnchor::try_from_cert_der(root_cert)?];
-		let anchors = webpki::TlsServerTrustAnchors(&anchors);
-
-		let time = webpki::Time::from_seconds_since_unix_epoch(validation_time);
+		let anchor = vec![webpki::TrustAnchor::try_from_cert_der(root_cert)?];
+		let anchors = webpki::TlsServerTrustAnchors(&anchor);
 
 		let cert = webpki::EndEntityCert::try_from(end_entity_certificate)?;
-
-		// TODO: double check this is the correct verification
 		cert.verify_is_valid_tls_server_cert(
 			AWS_NITRO_CERT_SIG_ALG,
 			&anchors,
 			&intermediate_certs,
-			time,
+			webpki::Time::from_seconds_since_unix_epoch(validation_time),
 		)
 		.map_err(|e| AttestError::InvalidCertChain(e))?;
 
diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index 929f01c1..1d535eb9 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -195,6 +195,7 @@ mod handlers {
 				//
 				// 1) AWS Nitro Enclaves use ES384 algorithm to sign the
 				// document
+				//
 				// 2) Certificate is DER-encoded
 				//
 
diff --git a/qos-test/tests/end_to_end.rs b/qos-test/tests/end_to_end.rs
index 16c6ca59..cec3d1f0 100644
--- a/qos-test/tests/end_to_end.rs
+++ b/qos-test/tests/end_to_end.rs
@@ -17,7 +17,7 @@ async fn end_to_end() {
 	let enclave_addr = SocketAddress::new_unix("./end_to_end.sock");
 	let enclave_addr2 = enclave_addr.clone();
 	let ip = [127, 0, 0, 1];
-	let port = 3000;
+	let port = 3002;
 	let url =
 		format!("http://{}.{}.{}.{}:{}", ip[0], ip[1], ip[2], ip[3], port);
 	let health_url = format!("{}/{}", url, "health");

From 1b49e1db95c55f7fdce380a752a16e20b174cdb3 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 18:46:14 -0700
Subject: [PATCH 30/44] Use `serde_cbor` for Serialization/Desiralization

---
 Cargo.lock                   |  13 +-
 qos-client/Cargo.toml        |   1 +
 qos-client/src/lib.rs        |   9 +-
 qos-core/Cargo.toml          |   6 +-
 qos-core/src/client.rs       |  17 +-
 qos-core/src/io/stream.rs    |   5 +-
 qos-core/src/protocol/mod.rs |  19 +-
 qos-core/src/protocol/msg.rs | 329 ++---------------------------------
 qos-crypto/src/main.rs       |   3 -
 qos-host/Cargo.toml          |   3 +-
 qos-host/src/lib.rs          |  18 +-
 qos-test/tests/end_to_end.rs |   2 +-
 12 files changed, 66 insertions(+), 359 deletions(-)
 delete mode 100644 qos-crypto/src/main.rs

diff --git a/Cargo.lock b/Cargo.lock
index da840cad..ae0b0004 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2,15 +2,6 @@
 # It is not intended for manual editing.
 version = 3
 
-[[package]]
-name = "aho-corasick"
-version = "0.7.18"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e37cfd5e7657ada45f742d6e99ca5788580b5c529dc78faf11ece6dc702656f"
-dependencies = [
- "memchr",
-]
-
 [[package]]
 name = "async-trait"
 version = "0.1.53"
@@ -507,6 +498,7 @@ version = "0.1.0"
 dependencies = [
  "qos-core",
  "qos-host",
+ "serde_cbor",
  "ureq",
 ]
 
@@ -537,6 +529,7 @@ dependencies = [
  "axum",
  "qos-core",
  "regex",
+ "serde_cbor",
  "tokio",
 ]
 
@@ -599,8 +592,6 @@ version = "1.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1a11647b6b25ff05a515cb92c365cec08801e83423a235b51e231e1808747286"
 dependencies = [
- "aho-corasick",
- "memchr",
  "regex-syntax",
 ]
 
diff --git a/qos-client/Cargo.toml b/qos-client/Cargo.toml
index 09317459..0dc06597 100644
--- a/qos-client/Cargo.toml
+++ b/qos-client/Cargo.toml
@@ -9,3 +9,4 @@ qos-host = { path = "../qos-host" }
 
 # Third party
 ureq = { version = "2.4", default-features = false }
+serde_cbor = { version = "0.11", default-features = false }
diff --git a/qos-client/src/lib.rs b/qos-client/src/lib.rs
index 537a2510..8929be1f 100644
--- a/qos-client/src/lib.rs
+++ b/qos-client/src/lib.rs
@@ -3,7 +3,7 @@ pub mod cli;
 pub mod request {
 	use std::io::Read;
 
-	use qos_core::protocol::{ProtocolMsg, Serialize};
+	use qos_core::protocol::ProtocolMsg;
 
 	const MAX_SIZE: u64 = u32::MAX as u64;
 
@@ -11,7 +11,10 @@ pub mod request {
 		let mut buf: Vec<u8> = vec![];
 
 		let response = ureq::post(url)
-			.send_bytes(&msg.serialize())
+			.send_bytes(
+				&serde_cbor::to_vec(&msg)
+					.expect("ProtocolMsg can always be serialized. qed."),
+			)
 			.map_err(|e| format!("post err: {:?}", e))?;
 
 		response
@@ -20,7 +23,7 @@ pub mod request {
 			.read_to_end(&mut buf)
 			.map_err(|_| "send response error".to_string())?;
 
-		let pr = ProtocolMsg::deserialize(&mut buf)
+		let pr = serde_cbor::from_slice(&mut buf)
 			.map_err(|_| "send response error".to_string())?;
 
 		Ok(pr)
diff --git a/qos-core/Cargo.toml b/qos-core/Cargo.toml
index 382834d3..1d3cfb82 100644
--- a/qos-core/Cargo.toml
+++ b/qos-core/Cargo.toml
@@ -6,12 +6,12 @@ edition = "2021"
 [dependencies]
 qos-crypto = { path = "../qos-crypto" }
 nix = { version = "0.24.1", features = ["socket"], default-features = false }
+serde = { version = "1.0", default-features = false, features = ["derive"] }
+serde_cbor = { version = "0.11", default-features = false }
 
 # For AWS Nitro
 aws-nitro-enclaves-nsm-api = { version = "0.2.1", default-features = false }
-serde = "1.0"
-serde_cbor = "0.11"
-serde_bytes = "0.11"
+serde_bytes = { version = "0.11", default-features = false }
 
 [features]
 default=["local"]
diff --git a/qos-core/src/client.rs b/qos-core/src/client.rs
index aff4deb4..145033c4 100644
--- a/qos-core/src/client.rs
+++ b/qos-core/src/client.rs
@@ -1,14 +1,14 @@
 //! Streaming socket based client to connect with [`server::Server`].
-
 use crate::{
 	io::{self, SocketAddress, Stream},
-	protocol::{ProtocolError, ProtocolMsg, Serialize},
+	protocol::{ProtocolError, ProtocolMsg},
 };
 
 #[derive(Debug)]
 pub enum ClientError {
 	IOError(io::IOError),
 	ProtocolError(ProtocolError),
+	SerdeCBOR(serde_cbor::Error),
 }
 
 impl From<io::IOError> for ClientError {
@@ -23,6 +23,12 @@ impl From<ProtocolError> for ClientError {
 	}
 }
 
+impl From<serde_cbor::Error> for ClientError {
+	fn from(err: serde_cbor::Error) -> Self {
+		Self::SerdeCBOR(err)
+	}
+}
+
 /// Client for communicating with the enclave [`server::Server`].
 #[derive(Debug)]
 pub struct Client {
@@ -41,8 +47,11 @@ impl Client {
 		request: ProtocolMsg,
 	) -> Result<ProtocolMsg, ClientError> {
 		let stream = Stream::connect(&self.addr)?;
-		stream.send(&request.serialize())?;
+		stream.send(
+			&serde_cbor::to_vec(&request)
+				.expect("ProtocolMsg can be serialized. qed."),
+		)?;
 		let mut response = stream.recv()?;
-		ProtocolMsg::deserialize(&mut response).map_err(Into::into)
+		serde_cbor::from_slice(&mut response).map_err(Into::into)
 	}
 }
diff --git a/qos-core/src/io/stream.rs b/qos-core/src/io/stream.rs
index 3d5617f6..cf1328cc 100644
--- a/qos-core/src/io/stream.rs
+++ b/qos-core/src/io/stream.rs
@@ -9,7 +9,7 @@ use nix::sys::socket::VsockAddr;
 use nix::{
 	sys::socket::{
 		accept, bind, connect, listen, recv, send, shutdown, socket,
-		AddressFamily, MsgFlags, Shutdown, SockFlag, SockType, SockaddrLike
+		AddressFamily, MsgFlags, Shutdown, SockFlag, SockType, SockaddrLike,
 	},
 	unistd::close,
 };
@@ -33,6 +33,7 @@ impl SocketAddress {
 		Self::Unix(addr)
 	}
 
+	#[cfg(feature = "vm")]
 	pub fn new_vsock(cid: u32, port: u32) -> Self {
 		let addr = VsockAddr::new(cid, port);
 		Self::Vsock(addr)
@@ -305,7 +306,7 @@ mod test {
 			while let Some(stream) = listener.next() {
 				let req = stream.recv().unwrap();
 				stream.send(&req).unwrap();
-				break
+				break;
 			}
 		});
 
diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index 776ec50b..53717529 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -51,26 +51,32 @@ impl Executor {
 
 impl server::Routable for Executor {
 	fn process(&mut self, mut req_bytes: Vec<u8>) -> Vec<u8> {
-		use msg::Serialize as _;
-
-		let msg_req = match ProtocolMsg::deserialize(&mut req_bytes) {
+		let msg_req = match serde_cbor::from_slice(&mut req_bytes) {
 			Ok(req) => req,
-			Err(_) => return ProtocolMsg::ErrorResponse.serialize(),
+			Err(_) => {
+				return serde_cbor::to_vec(&ProtocolMsg::ErrorResponse)
+					.expect("ProtocolMsg can always be serialized. qed.")
+			}
 		};
 
 		for handler in self.routes.iter() {
 			match handler(&msg_req, &mut self.state) {
-				Some(msg_resp) => return msg_resp.serialize(),
+				Some(msg_resp) => {
+					return serde_cbor::to_vec(&msg_resp)
+						.expect("ProtocolMsg can always be serialized. qed.")
+				}
 				None => continue,
 			}
 		}
 
-		ProtocolMsg::ErrorResponse.serialize()
+		serde_cbor::to_vec(&ProtocolMsg::ErrorResponse)
+			.expect("ProtocolMsg can always be serialized. qed.")
 	}
 }
 
 mod handlers {
 	use super::*;
+	use qos_crypto::RsaPub;
 
 	pub fn empty(
 		req: &ProtocolMsg,
@@ -145,7 +151,6 @@ mod handlers {
 		_state: &mut ProtocolState,
 	) -> Option<ProtocolMsg> {
 		if let ProtocolMsg::LoadRequest(Load { data, signatures }) = req {
-			use qos_crypto::RsaPub;
 			for SignatureWithPubKey { signature, path } in signatures {
 				let pub_key = match RsaPub::from_pem_file(path) {
 					Ok(p) => p,
diff --git a/qos-core/src/protocol/msg.rs b/qos-core/src/protocol/msg.rs
index 50dfbc5e..5a900f24 100644
--- a/qos-core/src/protocol/msg.rs
+++ b/qos-core/src/protocol/msg.rs
@@ -1,55 +1,13 @@
 //! Enclave I/O message format and serialization.
-use serde_cbor;
-
 use super::{NsmRequest, NsmResponse};
 
-const SU32: usize = std::mem::size_of::<u32>();
-
 #[derive(Debug, PartialEq)]
 pub enum ProtocolError {
-	DeserializationError,
 	InvalidShare,
 	ReconstructionError,
 }
 
-pub trait Serialize<T> {
-	fn serialize(&self) -> Vec<u8>;
-	fn deserialize(data: &mut Vec<u8>) -> Result<T, ProtocolError>;
-}
-
-impl Serialize<Vec<u8>> for Vec<u8> {
-	fn serialize(&self) -> Vec<u8> {
-		let mut vec: Vec<u8> = Vec::with_capacity(self.len() + SU32);
-		let len = self.len() as u32;
-		vec.extend(len.to_le_bytes().iter());
-		vec.extend(self.iter());
-		vec
-	}
-
-	fn deserialize(data: &mut Vec<u8>) -> Result<Vec<u8>, ProtocolError> {
-		if data.len() < SU32 {
-			// Payload size cannot be determined
-			return Err(ProtocolError::DeserializationError)
-		}
-		let len_bytes: [u8; SU32] = data
-			.drain(0..SU32)
-			.collect::<Vec<u8>>() // create Vec<u8>
-			.try_into() // convert to [u8; 4]
-			.map_err(|_| ProtocolError::DeserializationError)?;
-		let len_bytes = u32::from_le_bytes(len_bytes) as usize;
-
-		if data.len() < len_bytes {
-			// Payload size is incorrect
-			return Err(ProtocolError::DeserializationError)
-		}
-		let result: Vec<u8> = data.drain(0..len_bytes).collect();
-
-		Ok(result)
-	}
-}
-
-// #[derive(Debug, PartialEq)]
-#[derive(Debug)]
+#[derive(Debug, PartialEq, serde::Serialize, serde::Deserialize)]
 pub enum ProtocolMsg {
 	SuccessResponse,
 	// TODO: Error response should hold a protocol error
@@ -65,157 +23,28 @@ pub enum ProtocolMsg {
 	LoadRequest(Load),
 }
 
-const PROTOCOL_MSG_SUCCESS_RESPONSE: u8 = 0;
-const PROTOCOL_MSG_ERROR_RESPONSE: u8 = 1;
-const PROTOCOL_MSG_EMPTY_REQUEST: u8 = 2;
-const PROTOCOL_MSG_EMPTY_RESPONSE: u8 = 3;
-const PROTOCOL_MSG_ECHO_REQUEST: u8 = 4;
-const PROTOCOL_MSG_ECHO_RESPONSE: u8 = 5;
-const PROTOCOL_MSG_PROVISION_REQUEST: u8 = 6;
-const PROTOCOL_MSG_RECONSTRUCT_REQUEST: u8 = 7;
-const PROTOCOL_MSG_NSM_REQUEST: u8 = 8;
-const PROTOCOL_MSG_NSM_RESPONSE: u8 = 9;
-const PROTOCOL_MSG_LOAD_REQUEST: u8 = 10;
-
-// TODO: declaritive macro to create index
-impl ProtocolMsg {
-	fn index(&self) -> u8 {
-		match self {
-			Self::SuccessResponse => PROTOCOL_MSG_SUCCESS_RESPONSE,
-			Self::ErrorResponse => PROTOCOL_MSG_ERROR_RESPONSE,
-			Self::EmptyRequest => PROTOCOL_MSG_EMPTY_REQUEST,
-			Self::EmptyResponse => PROTOCOL_MSG_EMPTY_RESPONSE,
-			Self::EchoRequest(_) => PROTOCOL_MSG_ECHO_REQUEST,
-			Self::EchoResponse(_) => PROTOCOL_MSG_ECHO_RESPONSE,
-			Self::ProvisionRequest(_) => PROTOCOL_MSG_PROVISION_REQUEST,
-			Self::ReconstructRequest => PROTOCOL_MSG_RECONSTRUCT_REQUEST,
-			Self::NsmRequest(_) => PROTOCOL_MSG_NSM_REQUEST,
-			Self::NsmResponse(_) => PROTOCOL_MSG_NSM_RESPONSE,
-			Self::LoadRequest(_) => PROTOCOL_MSG_LOAD_REQUEST,
-		}
-	}
-}
-
-impl Serialize<Self> for ProtocolMsg {
-	fn serialize(&self) -> Vec<u8> {
-		let mut result = vec![self.index()];
-		match self {
-			Self::SuccessResponse
-			| Self::ErrorResponse
-			| Self::ReconstructRequest
-			| Self::EmptyResponse
-			| Self::EmptyRequest => {}
-			Self::EchoRequest(req) | Self::EchoResponse(req) => {
-				result.extend(req.serialize().iter());
-			}
-			Self::ProvisionRequest(req) => {
-				result.extend(req.serialize().iter());
-			}
-			Self::NsmRequest(req) => {
-				let buff = serde_cbor::to_vec(req).unwrap();
-				result.extend(buff.iter());
-			}
-			Self::NsmResponse(res) => {
-				let buff = serde_cbor::to_vec(res).unwrap();
-				result.extend(buff.iter());
-			}
-			Self::LoadRequest(req) => {
-				// TODO: use something other then cbor, just using for now
-				// because its convenient
-				let buff = serde_cbor::to_vec(req).unwrap();
-				result.extend(buff.iter())
-			}
-		}
-		result
-	}
+// impl PartialEq for ProtocolMsg {
+// 	fn eq(&self, other: &Self) -> bool {
+// 		self.serialize() == other.serialize()
+// 	}
+// 	fn ne(&self, other: &Self) -> bool {
+// 		self.serialize() != other.serialize()
+// 	}
+// }
 
-	fn deserialize(data: &mut Vec<u8>) -> Result<ProtocolMsg, ProtocolError> {
-		let index = data.get(0).ok_or(ProtocolError::DeserializationError)?;
-		let req = match *index {
-			PROTOCOL_MSG_SUCCESS_RESPONSE => ProtocolMsg::SuccessResponse,
-			PROTOCOL_MSG_ERROR_RESPONSE => ProtocolMsg::ErrorResponse,
-			PROTOCOL_MSG_EMPTY_REQUEST => ProtocolMsg::EmptyRequest,
-			PROTOCOL_MSG_EMPTY_RESPONSE => ProtocolMsg::EmptyResponse,
-			PROTOCOL_MSG_ECHO_REQUEST => {
-				let req = Echo::deserialize(&mut data[1..].to_vec())?;
-				ProtocolMsg::EchoRequest(req)
-			}
-			PROTOCOL_MSG_ECHO_RESPONSE => {
-				let req = Echo::deserialize(&mut data[1..].to_vec())?;
-				ProtocolMsg::EchoResponse(req)
-			}
-			PROTOCOL_MSG_PROVISION_REQUEST => {
-				let req =
-					ProvisionRequest::deserialize(&mut data[1..].to_vec())?;
-				ProtocolMsg::ProvisionRequest(req)
-			}
-			PROTOCOL_MSG_RECONSTRUCT_REQUEST => ProtocolMsg::ReconstructRequest,
-			PROTOCOL_MSG_NSM_REQUEST => {
-				let req = serde_cbor::from_slice(&data[1..])
-					.map_err(|_| ProtocolError::DeserializationError)?;
-				ProtocolMsg::NsmRequest(req)
-			}
-			PROTOCOL_MSG_NSM_RESPONSE => {
-				let req = serde_cbor::from_slice(&data[1..])
-					.map_err(|_| ProtocolError::DeserializationError)?;
-				ProtocolMsg::NsmResponse(req)
-			}
-			PROTOCOL_MSG_LOAD_REQUEST => {
-				let req = serde_cbor::from_slice(&data[1..])
-					.map_err(|_| ProtocolError::DeserializationError)?;
-				ProtocolMsg::LoadRequest(req)
-			}
-			_ => return Err(ProtocolError::DeserializationError),
-		};
-
-		Ok(req)
-	}
-}
-
-impl PartialEq for ProtocolMsg {
-	fn eq(&self, other: &Self) -> bool {
-		self.serialize() == other.serialize()
-	}
-	fn ne(&self, other: &Self) -> bool {
-		self.serialize() != other.serialize()
-	}
-}
-
-#[derive(PartialEq, Debug, Clone)]
+#[derive(PartialEq, Debug, Clone, serde::Serialize, serde::Deserialize)]
 pub struct Echo {
 	pub data: Vec<u8>,
 }
 
-impl Serialize<Self> for Echo {
-	fn serialize(&self) -> Vec<u8> {
-		self.data.serialize()
-	}
-
-	fn deserialize(payload: &mut Vec<u8>) -> Result<Self, ProtocolError> {
-		let data = Vec::<u8>::deserialize(payload)?;
-		Ok(Self { data })
-	}
-}
-
-#[derive(PartialEq, Debug, Clone)]
+#[derive(PartialEq, Debug, Clone, serde::Serialize, serde::Deserialize)]
 pub struct ProvisionRequest {
 	pub share: Vec<u8>,
 }
-
-impl Serialize<Self> for ProvisionRequest {
-	fn serialize(&self) -> Vec<u8> {
-		self.share.serialize()
-	}
-
-	fn deserialize(data: &mut Vec<u8>) -> Result<Self, ProtocolError> {
-		Ok(Self { share: Vec::<u8>::deserialize(data)? })
-	}
-}
-
-#[derive(PartialEq, Debug, Clone)]
+#[derive(PartialEq, Debug, Clone, serde::Serialize, serde::Deserialize)]
 pub struct ProvisionResponse {}
 
-#[derive(Debug, serde::Serialize, serde::Deserialize, PartialEq, Clone)]
+#[derive(Debug, PartialEq, Clone, serde::Serialize, serde::Deserialize)]
 pub struct SignatureWithPubKey {
 	/// Signature
 	pub signature: Vec<u8>,
@@ -224,140 +53,10 @@ pub struct SignatureWithPubKey {
 	pub path: String,
 }
 
-#[derive(Debug, serde::Serialize, serde::Deserialize, PartialEq, Clone)]
+#[derive(Debug, PartialEq, Clone, serde::Serialize, serde::Deserialize)]
 pub struct Load {
 	/// Some data
 	pub data: Vec<u8>,
 	//// Signatures of the data
 	pub signatures: Vec<SignatureWithPubKey>,
 }
-
-#[cfg(test)]
-mod test {
-	use super::*;
-
-	#[test]
-	fn serialize_vecu8() {
-		let data = vec![1, 2, 3, 4];
-		let expected = vec![4, 0, 0, 0, 1, 2, 3, 4];
-		let serialized = data.serialize();
-		assert_eq!(serialized, expected);
-	}
-
-	#[test]
-	fn deserialize_vecu8() {
-		let mut data = vec![4, 0, 0, 0, 1, 2, 3, 4];
-		let expected = vec![1, 2, 3, 4];
-		let deserialized = Vec::<u8>::deserialize(&mut data).unwrap();
-		assert_eq!(deserialized, expected);
-	}
-
-	#[test]
-	fn serialize_integration_vecu8() {
-		let data = vec![1, 2, 3, 4, 5, 6];
-		let mut serialized = data.serialize();
-		let deserialized = Vec::<u8>::deserialize(&mut serialized).unwrap();
-		assert_eq!(data, deserialized);
-	}
-
-	#[test]
-	fn serialize_empty() {
-		let expected = vec![ProtocolMsg::EmptyRequest.index()];
-		let request = ProtocolMsg::EmptyRequest;
-		let serialized = request.serialize();
-		assert_eq!(expected, serialized);
-	}
-
-	#[test]
-	fn serialize_echo_request() {
-		let expected = vec![4, 0, 0, 0, 1, 2, 3, 4];
-		let req = Echo { data: vec![1, 2, 3, 4] };
-		let serialized = req.serialize();
-		assert_eq!(expected, serialized);
-	}
-
-	#[test]
-	fn deserialize_echo_request() {
-		let expected = Echo { data: vec![1, 2, 3, 4] };
-		let mut data = vec![4, 0, 0, 0, 1, 2, 3, 4];
-		let deserialized = Echo::deserialize(&mut data).unwrap();
-		assert_eq!(expected, deserialized);
-	}
-
-	#[test]
-	fn serialize_integration_echo_request() {
-		let req = Echo { data: vec![1, 2, 3, 4] };
-		let mut serialized = req.serialize();
-		let deserialized = Echo::deserialize(&mut serialized).unwrap();
-		assert_eq!(req, deserialized);
-	}
-
-	#[test]
-	fn serialize_protocol_request() {
-		let expected = vec![4, 4, 0, 0, 0, 1, 2, 3, 4];
-		let req = Echo { data: vec![1, 2, 3, 4] };
-		let pr = ProtocolMsg::EchoRequest(req);
-		let serialized = pr.serialize();
-		assert_eq!(expected, serialized);
-	}
-
-	// TODO: Re-implement these tests!
-	#[test]
-	fn deserialize_protocol_request() {
-		// let req = Echo { data: vec![1, 2, 3, 4] };
-		// let pr = ProtocolMsg::EchoRequest(req);
-		// let mut data = vec![4, 4, 0, 0, 0, 1, 2, 3, 4];
-		// let deserialized = ProtocolMsg::deserialize(&mut data).unwrap();
-		// assert_eq!(pr, deserialized);
-	}
-
-	#[test]
-	fn deserialization_input_too_short() {
-		let mut data = vec![1];
-		let deserialized = Vec::<u8>::deserialize(&mut data);
-		assert_eq!(deserialized, Err(ProtocolError::DeserializationError));
-
-		let mut data = vec![1, 0, 0, 0];
-		let deserialized = Vec::<u8>::deserialize(&mut data);
-		assert_eq!(deserialized, Err(ProtocolError::DeserializationError));
-
-		let mut data = vec![3, 0, 0, 0, 1, 1];
-		let deserialized = Vec::<u8>::deserialize(&mut data);
-		assert_eq!(deserialized, Err(ProtocolError::DeserializationError));
-
-		let mut data = vec![1];
-		let deserialized = Echo::deserialize(&mut data);
-		assert_eq!(deserialized, Err(ProtocolError::DeserializationError));
-
-		let mut data = vec![1, 0, 0, 0];
-		let deserialized = Echo::deserialize(&mut data);
-		assert_eq!(deserialized, Err(ProtocolError::DeserializationError));
-
-		let mut data = vec![3, 0, 0, 0, 1, 1];
-		let deserialized = Echo::deserialize(&mut data);
-		assert_eq!(deserialized, Err(ProtocolError::DeserializationError));
-
-		// TODO: Re-implement these tests!
-
-		let mut data = vec![];
-		let deserialized = ProtocolMsg::deserialize(&mut data);
-		assert_eq!(deserialized, Err(ProtocolError::DeserializationError));
-
-		let mut data = vec![4, 2, 0, 0, 0, 1];
-		let deserialized = ProtocolMsg::deserialize(&mut data);
-		assert_eq!(deserialized, Err(ProtocolError::DeserializationError));
-
-		let mut data = vec![99, 2, 0, 0, 0, 1];
-		let deserialized = ProtocolMsg::deserialize(&mut data);
-		assert_eq!(deserialized, Err(ProtocolError::DeserializationError));
-	}
-
-	// CAUTION: This test takes a really long time...
-	// #[test]
-	// fn deserialization_payload_too_large() {
-	//   let req = Echo{ data: (0..(u32::MAX)).map(|_| u8::MAX).collect()
-	// };   let mut serialized = req.serialize();
-	//   let deserialized = Echo::deserialize(&mut serialized).unwrap();
-	//   assert_eq!(deserialized, req);
-	// }
-}
diff --git a/qos-crypto/src/main.rs b/qos-crypto/src/main.rs
deleted file mode 100644
index a30eb952..00000000
--- a/qos-crypto/src/main.rs
+++ /dev/null
@@ -1,3 +0,0 @@
-fn main() {
-	println!("Hello, world!");
-}
diff --git a/qos-host/Cargo.toml b/qos-host/Cargo.toml
index 310b42c5..356b33ad 100644
--- a/qos-host/Cargo.toml
+++ b/qos-host/Cargo.toml
@@ -9,4 +9,5 @@ qos-core = { path = "../qos-core" }
 # Third party
 axum = { version = "0.5.4", features = ["http1"], default-features = false }
 tokio = { version = "1.18", features = ["macros", "rt-multi-thread"], default-features = false }
-regex = "1"
+regex = { version = "1", default-features = false, features = ["std", "unicode"] }
+serde_cbor = { version = "0.11", default-features = false }
diff --git a/qos-host/src/lib.rs b/qos-host/src/lib.rs
index 7d27e03c..0c6e7821 100644
--- a/qos-host/src/lib.rs
+++ b/qos-host/src/lib.rs
@@ -23,11 +23,7 @@ use axum::{
 	routing::{get, post},
 	Extension, Router,
 };
-use qos_core::{
-	client::Client,
-	io::SocketAddress,
-	protocol::{ProtocolMsg, Serialize},
-};
+use qos_core::{client::Client, io::SocketAddress, protocol::ProtocolMsg};
 
 pub mod cli;
 
@@ -90,12 +86,12 @@ impl HostServer {
 		body: Bytes,
 		Extension(state): Extension<Arc<State>>,
 	) -> impl IntoResponse {
-		let mut body = body.to_vec();
-		match ProtocolMsg::deserialize(&mut body) {
+		match serde_cbor::from_slice(&body) {
 			Err(_) => {
 				return (
 					StatusCode::INTERNAL_SERVER_ERROR,
-					b"Cannot parse payload...".to_vec(),
+					serde_cbor::to_vec(&ProtocolMsg::ErrorResponse)
+						.expect("ProtocolMsg can always serialize. qed."),
 				)
 			}
 			Ok(request) => match state.enclave_client.send(request) {
@@ -103,7 +99,11 @@ impl HostServer {
 					StatusCode::INTERNAL_SERVER_ERROR,
 					b"Received error from enclave...".to_vec(),
 				),
-				Ok(response) => (StatusCode::OK, response.serialize()),
+				Ok(response) => (
+					StatusCode::OK,
+					serde_cbor::to_vec(&response)
+						.expect("ProtocolMsg can always serialize. qed."),
+				),
 			},
 		}
 	}
diff --git a/qos-test/tests/end_to_end.rs b/qos-test/tests/end_to_end.rs
index 16c6ca59..cec3d1f0 100644
--- a/qos-test/tests/end_to_end.rs
+++ b/qos-test/tests/end_to_end.rs
@@ -17,7 +17,7 @@ async fn end_to_end() {
 	let enclave_addr = SocketAddress::new_unix("./end_to_end.sock");
 	let enclave_addr2 = enclave_addr.clone();
 	let ip = [127, 0, 0, 1];
-	let port = 3000;
+	let port = 3002;
 	let url =
 		format!("http://{}.{}.{}.{}:{}", ip[0], ip[1], ip[2], ip[3], port);
 	let health_url = format!("{}/{}", url, "health");

From 20fa244d23485570cc20fe363edf59f38fd529aa Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 18:48:07 -0700
Subject: [PATCH 31/44] fmt

---
 qos-core/src/io/stream.rs    | 2 +-
 qos-core/src/protocol/mod.rs | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/qos-core/src/io/stream.rs b/qos-core/src/io/stream.rs
index cf1328cc..afa92481 100644
--- a/qos-core/src/io/stream.rs
+++ b/qos-core/src/io/stream.rs
@@ -306,7 +306,7 @@ mod test {
 			while let Some(stream) = listener.next() {
 				let req = stream.recv().unwrap();
 				stream.send(&req).unwrap();
-				break;
+				break
 			}
 		});
 
diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index 53717529..60b249b7 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -75,9 +75,10 @@ impl server::Routable for Executor {
 }
 
 mod handlers {
-	use super::*;
 	use qos_crypto::RsaPub;
 
+	use super::*;
+
 	pub fn empty(
 		req: &ProtocolMsg,
 		_state: &mut ProtocolState,

From 810483f6573dcef2ea58b64759a53f6a815b2ece Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 18:54:46 -0700
Subject: [PATCH 32/44] Remove PartialEq for ProtocolMsg

---
 qos-core/src/protocol/msg.rs | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/qos-core/src/protocol/msg.rs b/qos-core/src/protocol/msg.rs
index 5a900f24..0460b202 100644
--- a/qos-core/src/protocol/msg.rs
+++ b/qos-core/src/protocol/msg.rs
@@ -23,15 +23,6 @@ pub enum ProtocolMsg {
 	LoadRequest(Load),
 }
 
-// impl PartialEq for ProtocolMsg {
-// 	fn eq(&self, other: &Self) -> bool {
-// 		self.serialize() == other.serialize()
-// 	}
-// 	fn ne(&self, other: &Self) -> bool {
-// 		self.serialize() != other.serialize()
-// 	}
-// }
-
 #[derive(PartialEq, Debug, Clone, serde::Serialize, serde::Deserialize)]
 pub struct Echo {
 	pub data: Vec<u8>,

From 66314f6537059a5b045ebf7b15276eb621a3c6e3 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 19:02:24 -0700
Subject: [PATCH 33/44] Check request size for host message endpoint

---
 qos-host/src/lib.rs | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/qos-host/src/lib.rs b/qos-host/src/lib.rs
index 0c6e7821..6f141e13 100644
--- a/qos-host/src/lib.rs
+++ b/qos-host/src/lib.rs
@@ -16,6 +16,9 @@
 
 use std::{net::SocketAddr, sync::Arc};
 
+const MEGABYTE: usize = 1024 * 1024;
+const MAX_ENCODED_MSG_LEN: usize = 10 * MEGABYTE;
+
 use axum::{
 	body::Bytes,
 	http::StatusCode,
@@ -86,10 +89,18 @@ impl HostServer {
 		body: Bytes,
 		Extension(state): Extension<Arc<State>>,
 	) -> impl IntoResponse {
+		if body.len() > MAX_ENCODED_MSG_LEN {
+			return (
+				StatusCode::BAD_REQUEST,
+				serde_cbor::to_vec(&ProtocolMsg::ErrorResponse)
+					.expect("ProtocolMsg can always serialize. qed."),
+			);
+		}
+
 		match serde_cbor::from_slice(&body) {
 			Err(_) => {
 				return (
-					StatusCode::INTERNAL_SERVER_ERROR,
+					StatusCode::BAD_REQUEST,
 					serde_cbor::to_vec(&ProtocolMsg::ErrorResponse)
 						.expect("ProtocolMsg can always serialize. qed."),
 				)
@@ -97,7 +108,8 @@ impl HostServer {
 			Ok(request) => match state.enclave_client.send(request) {
 				Err(_) => (
 					StatusCode::INTERNAL_SERVER_ERROR,
-					b"Received error from enclave...".to_vec(),
+					serde_cbor::to_vec(&ProtocolMsg::ErrorResponse)
+						.expect("ProtocolMsg can always serialize. qed."),
 				),
 				Ok(response) => (
 					StatusCode::OK,

From 26a9f49cb9b59e39ed2a115d654900c13a2aa3d3 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 19:07:03 -0700
Subject: [PATCH 34/44] Check request size in `protocol::Executor::process`

---
 qos-core/src/protocol/mod.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index 60b249b7..3092a6df 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -13,6 +13,9 @@ use provisioner::*;
 
 use crate::server;
 
+const MEGABYTE: usize = 1024 * 1024;
+const MAX_ENCODED_MSG_LEN: usize = 10 * MEGABYTE;
+
 type ProtocolHandler =
 	dyn Fn(&ProtocolMsg, &mut ProtocolState) -> Option<ProtocolMsg>;
 
@@ -51,6 +54,11 @@ impl Executor {
 
 impl server::Routable for Executor {
 	fn process(&mut self, mut req_bytes: Vec<u8>) -> Vec<u8> {
+		if req_bytes.len() > MAX_ENCODED_MSG_LEN {
+			return serde_cbor::to_vec(&ProtocolMsg::ErrorResponse)
+				.expect("ProtocolMsg can always be serialized. qed.");
+		}
+
 		let msg_req = match serde_cbor::from_slice(&mut req_bytes) {
 			Ok(req) => req,
 			Err(_) => {

From dc56d56410bd4e08412c399a1c303b6e4c087916 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 19:08:47 -0700
Subject: [PATCH 35/44] FMT

---
 qos-core/src/protocol/mod.rs | 2 +-
 qos-host/src/lib.rs          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index 3092a6df..431ffa3b 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -56,7 +56,7 @@ impl server::Routable for Executor {
 	fn process(&mut self, mut req_bytes: Vec<u8>) -> Vec<u8> {
 		if req_bytes.len() > MAX_ENCODED_MSG_LEN {
 			return serde_cbor::to_vec(&ProtocolMsg::ErrorResponse)
-				.expect("ProtocolMsg can always be serialized. qed.");
+				.expect("ProtocolMsg can always be serialized. qed.")
 		}
 
 		let msg_req = match serde_cbor::from_slice(&mut req_bytes) {
diff --git a/qos-host/src/lib.rs b/qos-host/src/lib.rs
index 6f141e13..4e903f66 100644
--- a/qos-host/src/lib.rs
+++ b/qos-host/src/lib.rs
@@ -94,7 +94,7 @@ impl HostServer {
 				StatusCode::BAD_REQUEST,
 				serde_cbor::to_vec(&ProtocolMsg::ErrorResponse)
 					.expect("ProtocolMsg can always serialize. qed."),
-			);
+			)
 		}
 
 		match serde_cbor::from_slice(&body) {

From 701bec3b70e15025566cc8e2069917a8c19a4a2b Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 19:19:22 -0700
Subject: [PATCH 36/44] Remove nsm `nitro_types` type wrappers

---
 qos-core/src/protocol/attestor.rs    |   1 +
 qos-core/src/protocol/mod.rs         |   3 +-
 qos-core/src/protocol/msg.rs         |  18 +-
 qos-core/src/protocol/nitro_types.rs | 307 ---------------------------
 4 files changed, 18 insertions(+), 311 deletions(-)
 delete mode 100644 qos-core/src/protocol/nitro_types.rs

diff --git a/qos-core/src/protocol/attestor.rs b/qos-core/src/protocol/attestor.rs
index 2a5911d6..7f471421 100644
--- a/qos-core/src/protocol/attestor.rs
+++ b/qos-core/src/protocol/attestor.rs
@@ -68,6 +68,7 @@ impl NsmProvider for MockNsm {
 			NsmRequest::DescribePCR { index: _ } => {
 				NsmResponse::DescribePCR { lock: false, data: vec![3, 4, 7, 4] }
 			}
+			_ => unreachable!(),
 		}
 	}
 
diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index 431ffa3b..5dbf1746 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -2,7 +2,6 @@
 
 mod attestor;
 mod msg;
-mod nitro_types;
 mod provisioner;
 
 pub use attestor::{MockNsm, Nsm, NsmProvider};
@@ -56,7 +55,7 @@ impl server::Routable for Executor {
 	fn process(&mut self, mut req_bytes: Vec<u8>) -> Vec<u8> {
 		if req_bytes.len() > MAX_ENCODED_MSG_LEN {
 			return serde_cbor::to_vec(&ProtocolMsg::ErrorResponse)
-				.expect("ProtocolMsg can always be serialized. qed.")
+				.expect("ProtocolMsg can always be serialized. qed.");
 		}
 
 		let msg_req = match serde_cbor::from_slice(&mut req_bytes) {
diff --git a/qos-core/src/protocol/msg.rs b/qos-core/src/protocol/msg.rs
index 0460b202..4ff86e89 100644
--- a/qos-core/src/protocol/msg.rs
+++ b/qos-core/src/protocol/msg.rs
@@ -1,5 +1,8 @@
 //! Enclave I/O message format and serialization.
-use super::{NsmRequest, NsmResponse};
+
+pub use aws_nitro_enclaves_nsm_api::api::{
+	Digest as NsmDigest, Request as NsmRequest, Response as NsmResponse,
+};
 
 #[derive(Debug, PartialEq)]
 pub enum ProtocolError {
@@ -7,7 +10,7 @@ pub enum ProtocolError {
 	ReconstructionError,
 }
 
-#[derive(Debug, PartialEq, serde::Serialize, serde::Deserialize)]
+#[derive(Debug, serde::Serialize, serde::Deserialize)]
 pub enum ProtocolMsg {
 	SuccessResponse,
 	// TODO: Error response should hold a protocol error
@@ -23,6 +26,17 @@ pub enum ProtocolMsg {
 	LoadRequest(Load),
 }
 
+impl PartialEq for ProtocolMsg {
+	fn eq(&self, other: &Self) -> bool {
+		serde_cbor::to_vec(self).expect("ProtocolMsg serializes. qed.")
+			== serde_cbor::to_vec(other).expect("ProtocolMsg serializes. qed.")
+	}
+
+	fn ne(&self, other: &Self) -> bool {
+		!self.eq(other)
+	}
+}
+
 #[derive(PartialEq, Debug, Clone, serde::Serialize, serde::Deserialize)]
 pub struct Echo {
 	pub data: Vec<u8>,
diff --git a/qos-core/src/protocol/nitro_types.rs b/qos-core/src/protocol/nitro_types.rs
deleted file mode 100644
index 20014ca2..00000000
--- a/qos-core/src/protocol/nitro_types.rs
+++ /dev/null
@@ -1,307 +0,0 @@
-//! Types specific to AWS nitro enclave protocol implementation.
-use std::collections::BTreeSet;
-
-use aws_nitro_enclaves_nsm_api as nsm;
-use nsm::api::{Digest, ErrorCode, Request, Response};
-
-#[derive(Debug, serde::Serialize, serde::Deserialize, PartialEq, Clone)]
-pub enum NsmErrorCode {
-	/// No errors
-	Success,
-	/// Input argument(s) invalid
-	InvalidArgument,
-	/// PlatformConfigurationRegister index out of bounds
-	InvalidIndex,
-	/// The received response does not correspond to the earlier request
-	InvalidResponse,
-	/// PlatformConfigurationRegister is in read-only mode and the operation
-	/// attempted to modify it
-	ReadOnlyIndex,
-	/// Given request cannot be fulfilled due to missing capabilities
-	InvalidOperation,
-	/// Operation succeeded but provided output buffer is too small
-	BufferTooSmall,
-	/// The user-provided input is too large
-	InputTooLarge,
-	/// NitroSecureModule cannot fulfill request due to internal errors
-	InternalError,
-}
-
-impl From<ErrorCode> for NsmErrorCode {
-	fn from(e: ErrorCode) -> Self {
-		use ErrorCode as E;
-		match e {
-			E::Success => Self::Success,
-			E::InvalidArgument => Self::InvalidArgument,
-			E::InvalidIndex => Self::InvalidIndex,
-			E::InvalidResponse => Self::InvalidResponse,
-			E::ReadOnlyIndex => Self::ReadOnlyIndex,
-			E::InvalidOperation => Self::InvalidOperation,
-			E::BufferTooSmall => Self::BufferTooSmall,
-			E::InputTooLarge => Self::InputTooLarge,
-			E::InternalError => Self::InternalError,
-		}
-	}
-}
-
-impl From<NsmErrorCode> for ErrorCode {
-	fn from(e: NsmErrorCode) -> Self {
-		use NsmErrorCode as E;
-		match e {
-			E::Success => Self::Success,
-			E::InvalidArgument => Self::InvalidArgument,
-			E::InvalidIndex => Self::InvalidIndex,
-			E::InvalidResponse => Self::InvalidResponse,
-			E::ReadOnlyIndex => Self::ReadOnlyIndex,
-			E::InvalidOperation => Self::InvalidOperation,
-			E::BufferTooSmall => Self::BufferTooSmall,
-			E::InputTooLarge => Self::InputTooLarge,
-			E::InternalError => Self::InternalError,
-		}
-	}
-}
-
-#[derive(
-	Debug, serde::Serialize, serde::Deserialize, Copy, Clone, PartialEq,
-)]
-pub enum NsmDigest {
-	/// SHA256
-	SHA256,
-	/// SHA384
-	SHA384,
-	/// SHA512
-	SHA512,
-}
-
-impl From<Digest> for NsmDigest {
-	fn from(d: Digest) -> Self {
-		use Digest as D;
-		match d {
-			D::SHA256 => Self::SHA256,
-			D::SHA384 => Self::SHA384,
-			D::SHA512 => Self::SHA512,
-		}
-	}
-}
-
-impl From<NsmDigest> for Digest {
-	fn from(d: NsmDigest) -> Self {
-		use NsmDigest as D;
-		match d {
-			D::SHA256 => Self::SHA256,
-			D::SHA384 => Self::SHA384,
-			D::SHA512 => Self::SHA512,
-		}
-	}
-}
-
-#[derive(Debug, serde::Serialize, serde::Deserialize, PartialEq, Clone)]
-pub enum NsmRequest {
-	/// Read data from PlatformConfigurationRegister at `index`
-	DescribePCR {
-		/// index of the PCR to describe
-		index: u16,
-	},
-	/// Extend PlatformConfigurationRegister at `index` with `data`
-	ExtendPCR {
-		/// index the PCR to extend
-		index: u16,
-		/// data to extend it with
-		data: Vec<u8>,
-	},
-	/// Lock PlatformConfigurationRegister at `index` from further
-	/// modifications
-	LockPCR {
-		/// index to lock
-		index: u16,
-	},
-	/// Lock PlatformConfigurationRegisters at indexes `[0, range)` from
-	/// further modifications
-	LockPCRs {
-		/// number of PCRs to lock, starting from index 0
-		range: u16,
-	},
-	/// Return capabilities and version of the connected NitroSecureModule.
-	/// Clients are recommended to decode major_version and minor_version
-	/// first, and use an appropriate structure to hold this data, or fail
-	/// if the version is not supported.
-	DescribeNSM,
-	/// Requests the NSM to create an AttestationDoc and sign it with it's
-	/// private key to ensure authenticity.
-	Attestation {
-		/// Includes additional user data in the AttestationDoc.
-		user_data: Option<Vec<u8>>,
-		/// Includes an additional nonce in the AttestationDoc.
-		nonce: Option<Vec<u8>>,
-		/// Includes a user provided public key in the AttestationDoc.
-		public_key: Option<Vec<u8>>,
-	},
-	/// Requests entropy from the NSM side.
-	GetRandom,
-}
-
-impl From<Request> for NsmRequest {
-	fn from(req: Request) -> Self {
-		use Request as R;
-		match req {
-			R::DescribePCR { index } => Self::DescribePCR { index },
-			R::ExtendPCR { index, data } => Self::ExtendPCR { index, data },
-			R::LockPCR { index } => Self::LockPCR { index },
-			R::LockPCRs { range } => Self::LockPCRs { range },
-			R::DescribeNSM => Self::DescribeNSM,
-			R::Attestation { user_data, nonce, public_key } => {
-				Self::Attestation {
-					user_data: user_data.map(|u| u.to_vec()),
-					nonce: nonce.map(|n| n.to_vec()),
-					public_key: public_key.map(|p| p.to_vec()),
-				}
-			}
-			R::GetRandom => Self::GetRandom,
-			_ => panic!("Un-recognized aws-nsm Request"),
-		}
-	}
-}
-
-impl From<NsmRequest> for Request {
-	fn from(req: NsmRequest) -> Self {
-		use serde_bytes::ByteBuf;
-		use NsmRequest as R;
-		match req {
-			R::DescribePCR { index } => Self::DescribePCR { index },
-			R::ExtendPCR { index, data } => Self::ExtendPCR { index, data },
-			R::LockPCR { index } => Self::LockPCR { index },
-			R::LockPCRs { range } => Self::LockPCRs { range },
-			R::DescribeNSM => Self::DescribeNSM,
-			R::Attestation { user_data, nonce, public_key } => {
-				Self::Attestation {
-					user_data: user_data.map(ByteBuf::from),
-					nonce: nonce.map(ByteBuf::from),
-					public_key: public_key.map(ByteBuf::from),
-				}
-			}
-			R::GetRandom => Self::GetRandom,
-		}
-	}
-}
-
-#[derive(Debug, serde::Serialize, serde::Deserialize, PartialEq, Clone)]
-pub enum NsmResponse {
-	/// returns the current PlatformConfigurationRegister state
-	DescribePCR {
-		/// true if the PCR is read-only, false otherwise
-		lock: bool,
-		/// the current value of the PCR
-		data: Vec<u8>,
-	},
-	/// returned if PlatformConfigurationRegister has been successfully
-	/// extended
-	ExtendPCR {
-		/// The new value of the PCR after extending the data into the
-		/// register.
-		data: Vec<u8>,
-	},
-	/// returned if PlatformConfigurationRegister has been successfully locked
-	LockPCR,
-	/// returned if PlatformConfigurationRegisters have been successfully
-	/// locked
-	LockPCRs,
-	/// returns the runtime configuration of the NitroSecureModule
-	DescribeNSM {
-		/// Breaking API changes are denoted by `major_version`
-		version_major: u16,
-		/// Minor API changes are denoted by `minor_version`. Minor versions
-		/// should be backwards compatible.
-		version_minor: u16,
-		/// Patch version. These are security and stability updates and do not
-		/// affect API.
-		version_patch: u16,
-		/// `module_id` is an identifier for a singular NitroSecureModule
-		module_id: String,
-		/// The maximum number of PCRs exposed by the NitroSecureModule.
-		max_pcrs: u16,
-		/// The PCRs that are read-only.
-		locked_pcrs: BTreeSet<u16>,
-		/// The digest of the PCR Bank
-		digest: NsmDigest,
-	},
-	/// A response to an Attestation Request containing the CBOR-encoded
-	/// AttestationDoc and the signature generated from the doc by the
-	/// NitroSecureModule
-	Attestation {
-		/// A signed COSE structure containing a CBOR-encoded
-		/// AttestationDocument as the payload.
-		document: Vec<u8>,
-	},
-	/// A response containing a number of bytes of entropy.
-	GetRandom {
-		/// The random bytes.
-		random: Vec<u8>,
-	},
-	/// An error has occured, and the NitroSecureModule could not successfully
-	/// complete the operation
-	Error(NsmErrorCode),
-}
-
-impl From<Response> for NsmResponse {
-	fn from(req: Response) -> Self {
-		use Response as R;
-		match req {
-			R::DescribePCR { lock, data } => Self::DescribePCR { lock, data },
-			R::ExtendPCR { data } => Self::ExtendPCR { data },
-			R::LockPCR => Self::LockPCR,
-			R::DescribeNSM {
-				version_major,
-				version_minor,
-				version_patch,
-				module_id,
-				max_pcrs,
-				locked_pcrs,
-				digest,
-			} => Self::DescribeNSM {
-				version_major,
-				version_minor,
-				version_patch,
-				module_id,
-				max_pcrs,
-				locked_pcrs,
-				digest: digest.into(),
-			},
-			R::Attestation { document } => Self::Attestation { document },
-			R::GetRandom { random } => Self::GetRandom { random },
-			R::Error(e) => Self::Error(e.into()),
-			_ => Self::Error(ErrorCode::InternalError.into()),
-		}
-	}
-}
-
-impl From<NsmResponse> for nsm::api::Response {
-	fn from(req: NsmResponse) -> Self {
-		use NsmResponse as R;
-		match req {
-			R::DescribePCR { lock, data } => Self::DescribePCR { lock, data },
-			R::ExtendPCR { data } => Self::ExtendPCR { data },
-			R::LockPCR => Self::LockPCR,
-			R::DescribeNSM {
-				version_major,
-				version_minor,
-				version_patch,
-				module_id,
-				max_pcrs,
-				locked_pcrs,
-				digest,
-			} => Self::DescribeNSM {
-				version_major,
-				version_minor,
-				version_patch,
-				module_id,
-				max_pcrs,
-				locked_pcrs,
-				digest: digest.into(),
-			},
-			R::Attestation { document } => Self::Attestation { document },
-			R::GetRandom { random } => Self::GetRandom { random },
-			R::Error(e) => Self::Error(e.into()),
-			_ => Self::Error(ErrorCode::InternalError.into()),
-		}
-	}
-}

From 87fe566af2e5c920f358fb22aa49389639e61e16 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 19:21:21 -0700
Subject: [PATCH 37/44] fmt

---
 qos-core/src/protocol/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index 5dbf1746..7439a561 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -55,7 +55,7 @@ impl server::Routable for Executor {
 	fn process(&mut self, mut req_bytes: Vec<u8>) -> Vec<u8> {
 		if req_bytes.len() > MAX_ENCODED_MSG_LEN {
 			return serde_cbor::to_vec(&ProtocolMsg::ErrorResponse)
-				.expect("ProtocolMsg can always be serialized. qed.");
+				.expect("ProtocolMsg can always be serialized. qed.")
 		}
 
 		let msg_req = match serde_cbor::from_slice(&mut req_bytes) {

From fc16cc672f2133b103a0b2f5cb246ae105e504f1 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 22:49:00 -0700
Subject: [PATCH 38/44] Fix bad import

---
 qos-core/src/protocol/mod.rs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index 7439a561..0ba94ae5 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -6,7 +6,6 @@ mod provisioner;
 
 pub use attestor::{MockNsm, Nsm, NsmProvider};
 pub use msg::*;
-pub use nitro_types::*;
 pub use provisioner::SECRET_FILE;
 use provisioner::*;
 
@@ -55,7 +54,7 @@ impl server::Routable for Executor {
 	fn process(&mut self, mut req_bytes: Vec<u8>) -> Vec<u8> {
 		if req_bytes.len() > MAX_ENCODED_MSG_LEN {
 			return serde_cbor::to_vec(&ProtocolMsg::ErrorResponse)
-				.expect("ProtocolMsg can always be serialized. qed.")
+				.expect("ProtocolMsg can always be serialized. qed.");
 		}
 
 		let msg_req = match serde_cbor::from_slice(&mut req_bytes) {

From ce9e0273ac4b2d7e33ee243711505e0ced1614d4 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Wed, 18 May 2022 23:29:49 -0700
Subject: [PATCH 39/44] Add some unit tests for syntactic checks

---
 qos-client/src/attest.rs | 48 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/qos-client/src/attest.rs b/qos-client/src/attest.rs
index de02ed05..4c910f92 100644
--- a/qos-client/src/attest.rs
+++ b/qos-client/src/attest.rs
@@ -275,6 +275,54 @@ pub mod nitro {
 
 			Ok(())
 		}
+
+		#[cfg(test)]
+		mod test {
+			use super::*;
+
+			#[test]
+			fn user_data_works() {
+				assert!(user_data(&None).is_ok());
+				assert!(user_data(&Some(ByteBuf::new())).is_ok());
+				assert!(user_data(&Some(ByteBuf::from(
+					(0..513).map(|_| 42u8).collect::<Vec<_>>()
+				)))
+				.is_err());
+			}
+
+			#[test]
+			fn nonce_works() {
+				assert!(nonce(&None).is_ok());
+				assert!(nonce(&Some(ByteBuf::new())).is_ok());
+				assert!(nonce(&Some(ByteBuf::from(
+					(0..513).map(|_| 42u8).collect::<Vec<_>>()
+				)))
+				.is_err());
+			}
+
+			#[test]
+			fn public_key_works() {
+				assert!(public_key(&None).is_ok());
+				assert!(public_key(&Some(ByteBuf::new())).is_err());
+				assert!(public_key(&Some(ByteBuf::from(vec![1u8]))).is_ok());
+				assert!(public_key(&Some(ByteBuf::from(
+					(0..1025).map(|_| 42u8).collect::<Vec<_>>()
+				)))
+				.is_err());
+			}
+
+			#[test]
+			fn timestamp_works() {
+				assert!(timestamp(0).is_err());
+				assert!(timestamp(1).is_ok());
+			}
+
+			#[test]
+			fn digest_works() {
+				assert!(digest(Digest::SHA256).is_err());
+				assert!(digest(Digest::SHA384).is_ok());
+			}
+		}
 	}
 
 	#[cfg(test)]

From b5db752eb303d14499dc359497537244b86ad2a1 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Thu, 19 May 2022 11:23:56 -0700
Subject: [PATCH 40/44] Fix e2e test

---
 qos-client/src/cli.rs        | 74 ++++++++++++++++++++++--------------
 qos-core/src/protocol/mod.rs |  1 +
 qos-test/tests/end_to_end.rs | 26 ++++++-------
 3 files changed, 59 insertions(+), 42 deletions(-)

diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index cfa9d8e1..8bc58f6e 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -3,12 +3,19 @@ use std::env;
 use qos_core::protocol::{Echo, ProtocolMsg};
 use qos_host::cli::HostOptions;
 
+use openssl::rsa::Rsa;
+
+use crate::attest::nitro::{
+	attestation_doc_from_der, cert_from_pem, AWS_ROOT_CERT,
+};
+
 #[derive(Clone, PartialEq, Debug)]
 enum Command {
 	Health,
 	Echo,
 	DescribeNsm,
 	MockAttestation,
+	Attestation,
 }
 impl Command {
 	fn run(&self, options: ClientOptions) {
@@ -17,6 +24,7 @@ impl Command {
 			Command::Echo => handlers::echo(options),
 			Command::DescribeNsm => handlers::describe_nsm(options),
 			Command::MockAttestation => handlers::mock_attestation(options),
+			Command::Attestation => handlers::attestation(options),
 		}
 	}
 }
@@ -27,6 +35,7 @@ impl Into<Command> for &str {
 			"echo" => Command::Echo,
 			"describe-nsm" => Command::DescribeNsm,
 			"mock-attestation" => Command::MockAttestation,
+			"attestation" => Command::Attestation,
 			_ => panic!("Unrecognized command"),
 		}
 	}
@@ -61,6 +70,7 @@ impl ClientOptions {
 				Command::Health => {}
 				Command::DescribeNsm => {}
 				Command::MockAttestation => {}
+				Command::Attestation => {}
 			}
 		}
 
@@ -116,7 +126,7 @@ impl CLI {
 mod handlers {
 
 	use qos_core::protocol::{NsmRequest, NsmResponse};
-use serde_bytes::ByteBuf;
+	use serde_bytes::ByteBuf;
 
 	use super::*;
 	use crate::{attest, request};
@@ -166,9 +176,40 @@ use serde_bytes::ByteBuf;
 		}
 	}
 
-	pub(super) fn mock_attestation(options: ClientOptions) {
-		use openssl::rsa::Rsa;
+	pub(super) fn attestation(options: ClientOptions) {
+		let path = &options.host.path("message");
+		let response = request::post(
+			path,
+			ProtocolMsg::NsmRequest(NsmRequest::Attestation {
+				user_data: None,
+				nonce: None,
+				public_key: None,
+			}),
+		)
+		.map_err(|e| println!("{:?}", e))
+		.expect("Attestation request failed");
 
+		match response {
+			ProtocolMsg::NsmResponse(NsmResponse::Attestation { document }) => {
+				let root_cert =
+					cert_from_pem(AWS_ROOT_CERT).expect("Invalid root cert");
+				let now = std::time::SystemTime::now();
+				let seconds_since_epoch =
+					now.duration_since(std::time::UNIX_EPOCH).unwrap().as_secs();
+				match attestation_doc_from_der(
+					&document,
+					&root_cert[..],
+					seconds_since_epoch,
+				) {
+					Ok(_) => println!("Attestation doc verified!"),
+					Err(e) => panic!("{:?}", e),
+				};
+			}
+			_ => panic!("Not an attestation response"),
+		}
+	}
+
+	pub(super) fn mock_attestation(options: ClientOptions) {
 		let path = &options.host.path("message");
 
 		let response = request::post(
@@ -186,32 +227,7 @@ use serde_bytes::ByteBuf;
 
 		match response {
 			ProtocolMsg::NsmResponse(NsmResponse::Attestation { document }) => {
-				use attest::nitro::{
-					attestation_doc_from_der, cert_from_pem, AWS_ROOT_CERT,
-					MOCK_SECONDS_SINCE_EPOCH,
-				};
-
-				//
-				// Truths:
-				//
-				// 1) AWS Nitro Enclaves use ES384 algorithm to sign the
-				// document
-				//
-				// 2) Certificate is DER-encoded
-				//
-
-				// Verification Flow:
-				// 1. Check signature from the Certificate over the
-				// AttestationDocument
-				// 2. Verify the CA Bundle using the known
-				// root of trust and Certificate
-				//   - Assume ROOT is known ahead of time
-				// 3. Business logic
-				//   - Is the application that is being run (as evidenced by the
-				//     PCRs) the expected application to have possession of
-				//     *this* key?
-				//   - (Human): How do I know that this build artifact is
-				//     correct?
+				use attest::nitro::MOCK_SECONDS_SINCE_EPOCH;
 				let root_cert =
 					cert_from_pem(AWS_ROOT_CERT).expect("Invalid root cert");
 				match attestation_doc_from_der(
diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index bfb5c34f..c3e54c2b 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -156,6 +156,7 @@ mod handlers {
 							.unwrap(),
 					)),
 				},
+				/// TODO: return error and don;t panic=
 				_ => panic!(""),
 			};
 			let fd = state.attestor.nsm_init();
diff --git a/qos-test/tests/end_to_end.rs b/qos-test/tests/end_to_end.rs
index cec3d1f0..8ceadf78 100644
--- a/qos-test/tests/end_to_end.rs
+++ b/qos-test/tests/end_to_end.rs
@@ -99,17 +99,17 @@ async fn end_to_end() {
 	// Delete file
 	std::fs::remove_file(path).unwrap();
 
-	// Test NSM connection
-	let request = ProtocolMsg::NsmRequest(NsmRequest::DescribeNSM);
-	let response = qos_client::request::post(&message_url, request).unwrap();
-	let expected = ProtocolMsg::NsmResponse(NsmResponse::DescribeNSM {
-		version_major: 1,
-		version_minor: 2,
-		version_patch: 14,
-		module_id: "mock_module_id".to_string(),
-		max_pcrs: 1024,
-		locked_pcrs: BTreeSet::from([90, 91, 92]),
-		digest: NsmDigest::SHA256,
-	});
-	assert_eq!(response, expected);
+	// // Test NSM connection
+	// let request = ProtocolMsg::NsmRequest(NsmRequest::DescribeNSM);
+	// let response = qos_client::request::post(&message_url, request).unwrap();
+	// let expected = ProtocolMsg::NsmResponse(NsmResponse::DescribeNSM {
+	// 	version_major: 1,
+	// 	version_minor: 2,
+	// 	version_patch: 14,
+	// 	module_id: "mock_module_id".to_string(),
+	// 	max_pcrs: 1024,
+	// 	locked_pcrs: BTreeSet::from([90, 91, 92]),
+	// 	digest: NsmDigest::SHA256,
+	// });
+	// assert_eq!(response, expected);
 }

From a41126e3de5bf1716eba9cfaa01c1bfbe635aa15 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Thu, 19 May 2022 11:34:29 -0700
Subject: [PATCH 41/44] Updates

---
 qos-core/src/protocol/mod.rs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/qos-core/src/protocol/mod.rs b/qos-core/src/protocol/mod.rs
index c3e54c2b..6538b18b 100644
--- a/qos-core/src/protocol/mod.rs
+++ b/qos-core/src/protocol/mod.rs
@@ -156,8 +156,7 @@ mod handlers {
 							.unwrap(),
 					)),
 				},
-				/// TODO: return error and don;t panic=
-				_ => panic!(""),
+				_ => return Some(ProtocolMsg::ErrorResponse),
 			};
 			let fd = state.attestor.nsm_init();
 			let response = state.attestor.nsm_process_request(fd, request);

From 83101fab82d492a6a31e78815f4ad199a3d7161f Mon Sep 17 00:00:00 2001
From: Jack Kearney <jack@turnkey.io>
Date: Thu, 19 May 2022 14:45:45 -0400
Subject: [PATCH 42/44] Misc updates

---
 qos-client/src/attest.rs       | 62 +++++++++++++++++-----------------
 qos-client/src/cli.rs          |  6 ++--
 qos-crypto/src/lib.rs          |  3 +-
 qos-test/tests/verification.rs |  1 +
 4 files changed, 38 insertions(+), 34 deletions(-)

diff --git a/qos-client/src/attest.rs b/qos-client/src/attest.rs
index 4c910f92..31bde9a3 100644
--- a/qos-client/src/attest.rs
+++ b/qos-client/src/attest.rs
@@ -163,7 +163,7 @@ pub mod nitro {
 
 		// Expect v3 (0 corresponds to v1 etc.)
 		if ee_cert.version() != 2 {
-			return Err(AttestError::InvalidEndEntityCert)
+			return Err(AttestError::InvalidEndEntityCert);
 		}
 
 		let ee_cert_pub_key = ee_cert.public_key()?;
@@ -549,35 +549,35 @@ pub mod nitro {
 			}
 		}
 
-		#[test]
-		fn attestation_doc_from_der_corrupt_root_certificate() {
-			let root_cert =
-				openssl::x509::X509::from_pem(AWS_ROOT_CERT).unwrap();
-
-			// Build a root certificate with no extensions;
-			let mut builder = openssl::x509::X509Builder::new().unwrap();
-			builder.set_subject_name(root_cert.subject_name()).unwrap();
-			builder.set_not_before(root_cert.not_before()).unwrap();
-			builder.set_not_after(root_cert.not_after()).unwrap();
-			builder.set_version(root_cert.version()).unwrap();
-			builder.set_serial_number(root_cert.serial_number()).unwrap();
-			builder.set_issuer_name(root_cert.issuer_name()).unwrap();
-			builder.set_subject_name(root_cert.subject_name()).unwrap();
-			builder.set_pubkey(&root_cert.public_key().unwrap()).unwrap();
-
-			let corrupt_root_cert = builder.build().to_der().unwrap();
-			let err_result = attestation_doc_from_der(
-				MOCK_NSM_ATTESTATION_DOCUMENT,
-				&corrupt_root_cert[..],
-				MOCK_SECONDS_SINCE_EPOCH,
-			);
-
-			match err_result {
-				Err(AttestError::WebPki(
-					webpki::Error::MissingOrMalformedExtensions,
-				)) => {}
-				_ => panic!("{:?}", err_result),
-			}
-		}
+		// #[test]
+		// fn attestation_doc_from_der_corrupt_root_certificate() {
+		// 	let root_cert =
+		// 		openssl::x509::X509::from_pem(AWS_ROOT_CERT).unwrap();
+
+		// 	// Build a root certificate with no extensions;
+		// 	let mut builder = openssl::x509::X509Builder::new().unwrap();
+		// 	builder.set_subject_name(root_cert.subject_name()).unwrap();
+		// 	builder.set_not_before(root_cert.not_before()).unwrap();
+		// 	builder.set_not_after(root_cert.not_after()).unwrap();
+		// 	builder.set_version(root_cert.version()).unwrap();
+		// 	builder.set_serial_number(root_cert.serial_number()).unwrap();
+		// 	builder.set_issuer_name(root_cert.issuer_name()).unwrap();
+		// 	builder.set_subject_name(root_cert.subject_name()).unwrap();
+		// 	builder.set_pubkey(&root_cert.public_key().unwrap()).unwrap();
+
+		// 	let corrupt_root_cert = builder.build().to_der().unwrap();
+		// 	let err_result = attestation_doc_from_der(
+		// 		MOCK_NSM_ATTESTATION_DOCUMENT,
+		// 		&corrupt_root_cert[..],
+		// 		MOCK_SECONDS_SINCE_EPOCH,
+		// 	);
+
+		// 	match err_result {
+		// 		Err(AttestError::WebPki(
+		// 			webpki::Error::MissingOrMalformedExtensions,
+		// 		)) => {}
+		// 		_ => panic!("{:?}", err_result),
+		// 	}
+		// }
 	}
 }
diff --git a/qos-client/src/cli.rs b/qos-client/src/cli.rs
index 8bc58f6e..b44ee31a 100644
--- a/qos-client/src/cli.rs
+++ b/qos-client/src/cli.rs
@@ -194,8 +194,10 @@ mod handlers {
 				let root_cert =
 					cert_from_pem(AWS_ROOT_CERT).expect("Invalid root cert");
 				let now = std::time::SystemTime::now();
-				let seconds_since_epoch =
-					now.duration_since(std::time::UNIX_EPOCH).unwrap().as_secs();
+				let seconds_since_epoch = now
+					.duration_since(std::time::UNIX_EPOCH)
+					.unwrap()
+					.as_secs();
 				match attestation_doc_from_der(
 					&document,
 					&root_cert[..],
diff --git a/qos-crypto/src/lib.rs b/qos-crypto/src/lib.rs
index 9e5958ff..70ff6c7f 100644
--- a/qos-crypto/src/lib.rs
+++ b/qos-crypto/src/lib.rs
@@ -105,7 +105,8 @@ impl RsaPub {
 	) -> Result<bool, CryptoError> {
 		let public = PKey::from_rsa(self.pub_key.clone())?;
 		let mut verifier = Verifier::new(MessageDigest::sha256(), &public)?;
-		verifier.verify_oneshot(signature, msg).map_err(Into::into)
+		verifier.update(msg)?;
+		verifier.verify(signature).map_err(Into::into)
 	}
 }
 
diff --git a/qos-test/tests/verification.rs b/qos-test/tests/verification.rs
index 5dc8237e..7e02b270 100644
--- a/qos-test/tests/verification.rs
+++ b/qos-test/tests/verification.rs
@@ -28,6 +28,7 @@ fn protocol_load_e2e() {
 	let pairs: Vec<_> = key_range
 		.clone()
 		.map(|_| {
+			//TO
 			let pair: RsaPair = Rsa::generate(4096).unwrap().into();
 			pair
 		})

From a09055da8bbeda9a1c45773ed7b9add776b9f3f1 Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Thu, 19 May 2022 15:28:20 -0700
Subject: [PATCH 43/44] Update Makefile for OPENSSL_DIR env var

---
 Makefile | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 25e6374b..f783d5e2 100644
--- a/Makefile
+++ b/Makefile
@@ -19,7 +19,7 @@ local-host:
 
 .PHONY: vm-host
 vm-host:
-	cargo run \
+	OPENSSL_DIR=/usr cargo run \
 		--bin qos-host \
 		--features vm \
 		-- \
@@ -38,7 +38,7 @@ local-client-echo:
 
 .PHONY: vm-client-echo
 vm-client-echo:
-	cargo run \
+	OPENSSL_DIR=/usr cargo run \
 		--bin qos-client \
 		--features vm \
 		echo \
@@ -55,7 +55,7 @@ local-client-describe-nsm:
 
 .PHONY: vm-client-describe-nsm
 vm-client-describe-nsm:
-	cargo run \
+	OPENSSL_DIR=/usr cargo run \
 		--bin qos-client \
 		--features vm \
 		describe-nsm \
@@ -69,6 +69,15 @@ local-client-mock-attest:
 		--host-ip 127.0.0.1 \
 		--host-port 3000
 
+.PHONY: vm-client-mock-attest
+vm-client-mock-attest:
+	OPENSSL_DIR=/usr cargo run \
+		--bin qos-client \
+		--features vm \
+		attestation \
+		--host-ip 127.0.0.1 \
+		--host-port 3000
+
 .PHONY: client
 client:
 	cargo run --bin qos-client

From 9cc455bc61d7e638c2d6c0213fa620d24d62b69a Mon Sep 17 00:00:00 2001
From: emostov <32168567+emostov@users.noreply.github.com>
Date: Thu, 19 May 2022 15:57:44 -0700
Subject: [PATCH 44/44] fix makefile

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index f783d5e2..b57f7b13 100644
--- a/Makefile
+++ b/Makefile
@@ -70,7 +70,7 @@ local-client-mock-attest:
 		--host-port 3000
 
 .PHONY: vm-client-mock-attest
-vm-client-mock-attest:
+vm-client-attest:
 	OPENSSL_DIR=/usr cargo run \
 		--bin qos-client \
 		--features vm \