Merge pull request #27 from brave/multihash

Use multihash for encoding the attestation user_data
brave · Feb 6, 2024 · c2dc43e · c2dc43e
2 parents 53210c4 + 0927df7
commit c2dc43e
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 16 deletions.
diff --git a/attestation.go b/attestation.go
@@ -10,17 +10,19 @@ import (
 )
 
 const (
-	hashPrefix    = "sha256:"
-	hashSeparator = ";"
+	nonceNumDigits = nonceLen * 2 // The number of hex digits in a nonce.
 )
 
 var (
 	errBadForm           = errors.New("failed to parse POST form data")
 	errNoNonce           = errors.New("could not find nonce in URL query parameters")
-	errBadNonceFormat    = fmt.Errorf("unexpected nonce format; must be %d-digit hex string", nonceLen*2)
+	errBadNonceFormat    = fmt.Errorf("unexpected nonce format; must be %d-digit hex string", nonceNumDigits)
 	errFailedAttestation = errors.New("failed to obtain attestation document from hypervisor")
 	errProfilingSet      = errors.New("attestation disabled because profiling is enabled")
 
+	// Multihash prefix marks the hash type and digest size
+	hashPrefix = []byte{0x12, sha256.Size}
+
 	// getPCRValues is a variable pointing to a function that returns PCR
 	// values.  Using a variable allows us to easily mock the function in our
 	// unit tests.
@@ -34,17 +36,14 @@ type AttestationHashes struct {
 	appKeyHash [sha256.Size]byte // Sometimes set, depending on application.
 }
 
-// Serialize returns a byte slice that contains our concatenated hashes.  Note
-// that all hashes are always present.  If a hash was not initialized, it's set
-// to 0-bytes.
+// Serialize returns a byte slice that contains our concatenated hashes.
+// hashPrefix defines the hash type and length.  Note that all hashes are
+// always present.  If a hash was not initialized, it's set to 0-bytes.
 func (a *AttestationHashes) Serialize() []byte {
-	str := fmt.Sprintf("%s%s%s%s%s",
-		hashPrefix,
-		a.tlsKeyHash,
-		hashSeparator,
-		hashPrefix,
-		a.appKeyHash)
-	return []byte(str)
+	ser := []byte{}
+	ser = append(ser, append(hashPrefix, a.tlsKeyHash[:]...)...)
+	ser = append(ser, append(hashPrefix, a.appKeyHash[:]...)...)
+	return ser
 }
 
 // _getPCRValues returns the enclave's platform configuration register (PCR)

diff --git a/attestation_test.go b/attestation_test.go
@@ -58,7 +58,7 @@ func TestAttestationHashes(t *testing.T) {
 	e.intSrv.Handler.ServeHTTP(rec, req)
 
 	s := e.hashes.Serialize()
-	expectedLen := sha256.Size*2 + len(hashPrefix)*2 + len(hashSeparator)
+	expectedLen := sha256.Size*2 + len(hashPrefix)*2
 	if len(s) != expectedLen {
 		t.Fatalf("Expected serialized hashes to be of length %d but got %d.",
 			expectedLen, len(s))
@@ -71,8 +71,7 @@ func TestAttestationHashes(t *testing.T) {
 	}
 
 	// Make sure that our previously-set hash is as expected.
-	expected := []byte(hashSeparator)
-	expected = append(expected, []byte(hashPrefix)...)
+	expected := []byte(hashPrefix)
 	expected = append(expected, appKeyHash[:]...)
 	offset := len(hashPrefix) + sha256.Size
 	if !bytes.Equal(s[offset:], expected) {