automata-network/automata-on-chain-pccs

Automata On Chain PCCS

Summary

This repo contains a Solidity implementation of an on-chain PCCS (Provisioning Certificate Caching Service) used in Intel DCAP (Data Center Attestation Primitives).

On-chain PCCS provides an open and permissionless service where users can freely contribute and be given easy access to collaterals for quote verification.


Contracts

There are two sets of contracts: Helper and Base.

Helper Contracts

The Helper contracts provide APIs for parsing collaterals and converting them into Solidity structs: QEIdentity.json, TCBInfo.json, and a basic DER decoder for PCK X509 leaf certificates and extensions and for X509 CRLs.

Base libraries and Automata DAO contracts

The base contracts are libraries that provide the Data Access Object (DAO) APIs, with designs inspired by the Design Guide for Intel SGX PCCS.

Base contracts depend on Helper contracts to parse collaterals, and contain implementations of basic collateral authenticity check functions for upserts. Smart contract developers are encouraged to extend the base contracts to build their own custom implementation of on-chain PCCS.

Our DAO implementation can be found in the automata_pccs directory.
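
The off-chain split that an authenticity check on a signed JSON collateral depends on, as an added Python example (not code from this repository). It assumes the Intel PCS response shape `{"tcbInfo": {...}, "signature": "<hex r||s>"}` (pass `enclaveIdentity` as the key for QEIdentity.json); the function names and all sample values are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of a TCBInfo.json response.
# All values are placeholders; the signature is not a real one.
SAMPLE = (
    '{"tcbInfo":{"id":"SGX","version":3,'
    '"issueDate":"2024-01-01T00:00:00Z","nextUpdate":"2024-01-31T00:00:00Z",'
    '"fmspc":"00906ed50000","pceId":"0000","tcbLevels":[]},'
    '"signature":"' + "ab" * 64 + '"}'
)


def split_signed_collateral(raw: str, key: str = "tcbInfo"):
    """Return (body_text, body_dict, r, s) without re-serialising the body.

    The signature covers the body exactly as served, so the body is cut out
    of the raw text instead of being rebuilt from the parsed object.
    """
    start = raw.index('"%s":' % key) + len(key) + 3  # first char after the colon
    body, end = json.JSONDecoder().raw_decode(raw, start)
    sig = bytes.fromhex(json.loads(raw)["signature"])
    if len(sig) != 64:
        raise ValueError("expected a 64-byte raw r||s P-256 signature")
    return raw[start:end], body, sig[:32], sig[32:]


def is_current(body: dict, now: datetime) -> bool:
    """True when issueDate <= now < nextUpdate (both are UTC timestamps)."""
    def ts(value: str) -> datetime:
        parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
        return parsed.replace(tzinfo=timezone.utc)
    return ts(body["issueDate"]) <= now < ts(body["nextUpdate"])


if __name__ == "__main__":
    text, body, r, s = split_signed_collateral(SAMPLE)
    print("bytes to hash and verify:", len(text.encode()))
    print("default re-serialisation matches:", json.dumps(body) == text)
    print("current:", is_current(body, datetime.now(timezone.utc)))
```

The signature itself still has to be verified against the TCB signing certificate chain; this block only prepares the exact inputs for that check.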

Deployment Info

This list contains the deployment info for the versions that we are currently supporting.


Integration

To install the Automata Onchain PCCS contracts as a dependency for your project, you can either run:

forge install automata-network/automata-on-chain-pccs

OR

npm install @automata-network/on-chain-pccs

If you are using Foundry, make sure to add the following to your remappings:

# Foundry Submodule:
automata-network/on-chain-pccs/=lib/automata-on-chain-pccs/src/

# NPM
automata-network/on-chain-pccs/=node_modules/@automata-network/on-chain-pccs/src/

#BUIDL 🛠️

  1. Install Foundry

  2. Install the dependencies

forge install

  3. Compile the contracts

forge build

  4. Run tests

forge test

To view the gas report, pass the --gas-report flag.

Deployment

Before you begin, it is HIGHLY recommended that you store and encrypt wallet keys using Cast.

cast wallet import --keystore-dir ./keystore dcap_prod --interactive

If you have decided against taking the .env pledge, you can (but shouldn't) pass your wallet key in the PRIVATE_KEY environment variable.

Once you have set up your wallet, you may run the following script to deploy the PCCS Contracts.

make deploy-all RPC_URL=<rpc-url>

You may also pass SIMULATE=true at the end of the command to run the script without broadcasting the transactions.

After deploying the contracts, run the commands below to verify contracts on the explorer.

Etherscan:

make verify-all RPC_URL=<rpc-url> ETHERSCAN_API_KEY=<etherscan-api-key>

Blockscout:

make verify-all RPC_URL=<rpc-url> VERIFIER=blockscout VERIFIER_URL=<explorer-api-url>

To see all available commands, run:

make help
