From 8cf765178171450ac006378f6b4ddc17d4f33789 Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Thu, 6 Mar 2025 15:25:15 +0100 Subject: [PATCH] refactor: update collateral handling - Simplify collateral handling by removing unnecessary references and matches. - Add `collateral` field to `QuoteVerificationResult` for improved data clarity. Signed-off-by: Harald Hoyer --- bin/vault-admin/src/main.rs | 2 +- bin/verify-attestation/src/main.rs | 2 +- .../src/verification.rs | 2 +- crates/teepot/src/client/mod.rs | 3 +-- crates/teepot/src/quote/mod.rs | 23 +++++++++++++++---- crates/teepot/src/server/attestation.rs | 6 +++-- crates/teepot/tests/sgx_quote_verification.rs | 15 ++++++------ 7 files changed, 34 insertions(+), 19 deletions(-) diff --git a/bin/vault-admin/src/main.rs b/bin/vault-admin/src/main.rs index 1739313..d47e3bb 100644 --- a/bin/vault-admin/src/main.rs +++ b/bin/vault-admin/src/main.rs @@ -21,7 +21,7 @@ use teepot::{ server::signatures::verify_sig, sgx::sign::Signature, }; -use tracing::{error, info, level_filters::LevelFilter}; +use tracing::{error, level_filters::LevelFilter}; #[derive(Args, Debug)] struct SendArgs { diff --git a/bin/verify-attestation/src/main.rs b/bin/verify-attestation/src/main.rs index 74e9b7c..91e8219 100644 --- a/bin/verify-attestation/src/main.rs +++ b/bin/verify-attestation/src/main.rs @@ -127,7 +127,7 @@ fn verify_attestation_quote(attestation_quote_bytes: &[u8]) -> Result Result Result<(TEEType, Box<[u8]>), QuoteError> /// The result of the quote verification pub struct QuoteVerificationResult { + /// the used collateral + pub collateral: Collateral, /// the raw result pub result: sgx_ql_qv_result_t, /// indicates if the collateral is expired 
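Review bot: The doc comment on the new `collateral` field, `/// the used collateral`, does not say that the value is returned whatever the verdict is. Later in this patch the struct is built after `tee_verify_quote` returns, and the test's `check_quote` shows that an `Ok` value can still carry a non-OK `result` or `collateral_expired == true`. A caller that caches or forwards this collateral needs to know that, so I would write `/// The collateral the quote was checked against, supplied by the caller or fetched. Present whatever the verdict, so check result and collateral_expired before reusing it.` The struct body continues outside the hunk.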
@@ -644,7 +646,7 @@ pub struct QuoteVerificationResult { /// Verifies a quote with optional collateral material pub fn verify_quote_with_collateral( quote: &[u8], - collateral: Option<&Collateral>, + collateral: Option, current_time: i64, ) -> Result { let mut supp_data: mem::MaybeUninit = mem::MaybeUninit::zeroed(); @@ -689,9 +691,19 @@ pub fn verify_quote_with_collateral( trace!("tee_verify_quote"); - let (collateral_expiration_status, result) = - tee_verify_quote(quote, collateral, current_time, None, p_supplemental_data) - .context("tee_verify_quote")?; + let collateral = match collateral { + None => tee_qv_get_collateral(quote).context("tee_qv_get_collateral")?, + Some(c) => c, + }; + + let (collateral_expiration_status, result) = tee_verify_quote( + quote, + Some(&collateral), + current_time, + None, + p_supplemental_data, + ) + .context("tee_verify_quote")?; trace!("tee_verify_quote end"); @@ -721,6 +733,7 @@ pub fn verify_quote_with_collateral( let quote = Quote::parse(quote)?; let res = QuoteVerificationResult { + collateral, collateral_expired: collateral_expiration_status != 0, earliest_expiration_date, tcb_level_date_tag, diff --git a/crates/teepot/src/server/attestation.rs b/crates/teepot/src/server/attestation.rs index 9cafb4d..7e3166c 100644 --- a/crates/teepot/src/server/attestation.rs +++ b/crates/teepot/src/server/attestation.rs @@ -1,5 +1,5 @@ // SPDX-License-Identifier: Apache-2.0 -// Copyright (c) 2023-2024 Matter Labs +// Copyright (c) 2023-2025 Matter Labs //! Common attestation API for all TEEs @@ -68,7 +68,9 @@ pub fn get_quote_and_collateral( tcb_level_date_tag, quote, advisories, - } = verify_quote_with_collateral(&myquote, Some(&collateral), unix_time.saturating_add(60)) + collateral, + .. + } = verify_quote_with_collateral(&myquote, Some(collateral), unix_time.saturating_add(60)) .context("Failed to verify own quote with collateral")?; debug!(tcb_level_date_tag); 
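Review bot: The `None` arm now makes its own `tee_qv_get_collateral(quote)` call after `trace!("tee_verify_quote")`, so a failed or slow fetch is traced as if it happened inside verification. Either move the `match` above that trace line or put `trace!("tee_qv_get_collateral");` in front of it. The function's doc comment, `/// Verifies a quote with optional collateral material`, should also say that collateral is fetched when `None` is passed and that the collateral actually used comes back in the result. The parameter on this `pub fn` also changes from `Option<&Collateral>` to an owned value, which outside callers will notice more than the "refactor" label suggests. The function body starts and ends outside the hunk.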
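Review bot: The `..` added to the `QuoteVerificationResult` pattern in `get_quote_and_collateral` looks unnecessary and weakens the destructuring. The pattern had no rest marker before this change, so it presumably named every field, and binding `collateral,` alone would keep it exhaustive; the top of the pattern is outside the hunk, so this should be confirmed. With `..` in place, a field added to the verification result later is silently ignored here instead of producing a compile error that forces a decision about it. I would drop the `..` line in this file and keep it only in the test helper, where ignoring `collateral` is intended.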
diff --git a/crates/teepot/tests/sgx_quote_verification.rs b/crates/teepot/tests/sgx_quote_verification.rs index 08c8198..6c113c9 100644 --- a/crates/teepot/tests/sgx_quote_verification.rs +++ b/crates/teepot/tests/sgx_quote_verification.rs @@ -1,5 +1,5 @@ // SPDX-License-Identifier: Apache-2.0 -// Copyright (c) 2024 Matter Labs +// Copyright (c) 2024-2025 Matter Labs mod sgx { use anyhow::{Context, Result}; @@ -13,7 +13,7 @@ mod sgx { fn check_quote( quote: &[u8], - collateral: Option<&Collateral>, + collateral: Option, current_time: i64, expected_mrsigner: &[u8], expected_reportdata: &[u8], @@ -26,6 +26,7 @@ mod sgx { quote, advisories, tcb_level_date_tag, + .. } = verify_quote_with_collateral(quote, collateral, current_time)?; if collateral_expired || result != sgx_ql_qv_result_t::SGX_QL_QV_RESULT_OK { @@ -1140,7 +1141,7 @@ mod sgx { check_quote( "e, - Some(&collateral), + Some(collateral), current_time, &mrsigner, &report_data, @@ -2211,7 +2212,7 @@ mod sgx { check_quote( "e, - Some(&collateral), + Some(collateral), current_time, &mrsigner, &report_data, @@ -2594,7 +2595,7 @@ mod sgx { check_quote( "e, - Some(&collateral), + Some(collateral), current_time, &mrsigner, &report_data, @@ -3677,7 +3678,7 @@ mod sgx { check_quote( "e, - Some(&collateral), + Some(collateral), current_time, &mrsigner, &report_data, @@ -4805,7 +4806,7 @@ mod sgx { check_quote( "e, - Some(&collateral), + Some(collateral), current_time as i64, &mrsigner, &report_data,