This crate implements the quote verification logic for DCAP (Data Center Attestation Primitives) in pure Rust. It supports both SGX (Software Guard Extensions) and TDX (Trust Domain Extensions) quotes.
- Verify SGX and TDX quotes
- Get collateral from PCCS or Intel PCS
- Extract information from quotes
- Default PCCS: Phala Network (
https://pccs.phala.network) - recommended for better availability and lower rate limits
Add the following dependency to your Cargo.toml file to use this crate:
[dependencies]
dcap-qvl = "0.1.0"This crate supports two crypto backends: ring (optimized, uses assembly) and rustcrypto (pure Rust).
| Backend | Gas Consumption |
|---|---|
| ring | ~175 Tgas |
| rustcrypto | ~288 Tgas |
Ring saves ~113 Tgas (~39%) compared to rustcrypto.
# Default: both backends enabled, ring takes priority
dcap-qvl = "0.3.11"
# For WASM/NEAR (recommended for gas efficiency):
dcap-qvl = { version = "0.3.11", default-features = false, features = ["std", "ring"] }
# For pure Rust / no-assembly environments:
dcap-qvl = { version = "0.3.11", default-features = false, features = ["std", "rustcrypto"] }The top-level verify() function selects backend based on enabled features:
ring enabled |
rustcrypto enabled |
verify() uses |
|---|---|---|
| ✓ | ✓ | ring |
| ✓ | ✗ | ring |
| ✗ | ✓ | rustcrypto |
| ✗ | ✗ | compile error |
ring feature, the top-level verify() will use ring. This can lead to unexpected behavior in complex projects.
For predictable behavior, especially in complex projects, use explicit backend modules:
// Explicitly use ring backend
use dcap_qvl::verify::ring::verify;
// Explicitly use rustcrypto backend
use dcap_qvl::verify::rustcrypto::verify;use dcap_qvl::collateral::get_collateral;
// Use explicit backend for predictable behavior
use dcap_qvl::verify::ring::verify;
use dcap_qvl::PHALA_PCCS_URL;
#[tokio::main]
async fn main() {
let quote = std::fs::read("quote").expect("quote file not found");
// Use default Phala PCCS, or override with custom URL
let pccs_url = std::env::var("PCCS_URL").unwrap_or_else(|_| PHALA_PCCS_URL.to_string());
let collateral = get_collateral(&pccs_url, "e).await.expect("failed to get collateral");
let now = std::time::SystemTime::now().duration_since(std::time::UNIX_EPOCH).unwrap().as_secs();
let report = verify("e, &collateral, now).expect("failed to verify quote");
println!("{:?}", report);
}Python bindings are available for this crate, providing a Pythonic interface to the DCAP quote verification functionality.
# Build and test Python bindings
make build_python
make test_python
# Test across Python versions (3.8-3.12)
make test_python_versionsimport asyncio
import dcap_qvl
async def main():
quote_data = open("quote.bin", "rb").read()
# Get collateral and verify in one step (defaults to Phala PCCS)
result = await dcap_qvl.get_collateral_and_verify(quote_data)
print(f"Status: {result.status}")
asyncio.run(main())See python-bindings/ for complete documentation, examples, and testing information.
This crate is licensed under the MIT license. See the LICENSE file for details.