Switch from NitroProver to nitro-validator library

.gitmodules

@@ -4,6 +4,6 @@
 [submodule "lib/optimism"]
 	path = lib/optimism
 	url = https://github.com/ethereum-optimism/optimism
-[submodule "lib/NitroProver"]
-	path = lib/NitroProver
-	url = https://github.com/mdehoog/NitroProver
+[submodule "lib/nitro-validator"]
+	path = lib/nitro-validator
+	url = https://github.com/base-org/nitro-validator

Makefile

@@ -10,9 +10,9 @@ bindings:
 	abigen --abi out/Portal.sol/Portal.abi.json --pkg bindings --type Portal --out bindings/portal.go
 	abigen --abi out/DeployChain.sol/DeployChain.abi.json --pkg bindings --type DeployChain --out bindings/deploy_chain.go
 
-.PHONY: deploy-nitro-validator
-deploy-nitro-validator: guard-IMPL_SALT guard-DEPLOY_PRIVATE_KEY guard-RPC_URL
-	@forge script DeployNitroValidator --rpc-url $(RPC_URL) \
+.PHONY: deploy-cert-manager
+deploy-cert-manager: guard-IMPL_SALT guard-DEPLOY_PRIVATE_KEY guard-RPC_URL
+	@forge script DeployCertManager --rpc-url $(RPC_URL) \
 		--private-key $(DEPLOY_PRIVATE_KEY) --broadcast
 
 .PHONY: deploy

deployments/84532-certmanager.json

@@ -0,0 +1,3 @@
+{
+  "CertManager": "0x6775BB4C4b0D32f07EeE370369ceED41029A5352"
+}

remappings.txt

@@ -11,5 +11,4 @@ src/libraries/=lib/optimism/packages/contracts-bedrock/src/libraries/
 src/universal/=lib/optimism/packages/contracts-bedrock/src/universal/
 src/vendor/=lib/optimism/packages/contracts-bedrock/src/vendor/
 scripts/=lib/optimism/packages/contracts-bedrock/scripts/
-@marlinprotocol/=lib/NitroProver/src/
-@solidity-cbor/=lib/NitroProver/lib/solidity-cbor/packages/solidity-cbor/contracts/
+@nitro-validator/=lib/nitro-validator/src/

script/DeployNitroValidator.s.sol → script/DeployCertManager.s.sol

@@ -4,24 +4,20 @@ pragma solidity 0.8.24;
 import {Script} from "forge-std/Script.sol";
 import {console2 as console} from "forge-std/console2.sol";
 import {Config} from "@eth-optimism-bedrock/scripts/libraries/Config.sol";
-import {CertManager} from "@marlinprotocol/CertManager.sol";
-import {NitroValidator} from "../src/NitroValidator.sol";
+import {CertManager} from "@nitro-validator/CertManager.sol";
 
-/// @notice will deploy the singleton NitroValidatorContract to a deterministic address
-contract DeployNitroValidator is Script {
+/// @notice will deploy the singleton CertManager to a deterministic address
+contract DeployCertManager is Script {
     function run() public {
         vm.startBroadcast();
 
         CertManager manager = new CertManager{salt: _implSalt()}();
-        NitroValidator validator = new NitroValidator{salt: _implSalt()}(manager);
 
         console.log("CertManager deployed at:", address(manager));
-        console.log("NitroValidator deployed at:", address(validator));
 
         string memory deploymentOutfile =
-            string.concat(vm.projectRoot(), "/deployments/", vm.toString(block.chainid), "-validator.json");
+            string.concat(vm.projectRoot(), "/deployments/", vm.toString(block.chainid), "-certmanager.json");
         vm.writeJson({json: vm.serializeAddress("", "CertManager", address(manager)), path: deploymentOutfile});
-        vm.writeJson({json: vm.serializeAddress("", "NitroValidator", address(validator)), path: deploymentOutfile});
 
         vm.stopBroadcast();
     }

script/DeploySystem.s.sol

@@ -21,7 +21,7 @@ import {DeployChain} from "src/DeployChain.sol";
 import {Constants} from "@eth-optimism-bedrock/src/libraries/Constants.sol";
 import {ResourceMetering} from "@eth-optimism-bedrock/src/L1/ResourceMetering.sol";
 import {IResourceMetering} from "@eth-optimism-bedrock/src/L1/interfaces/IResourceMetering.sol";
-import "../src/INitroValidator.sol";
+import {ICertManager} from "@nitro-validator/ICertManager.sol";
 
 import {console2 as console} from "forge-std/console2.sol";
 
@@ -49,7 +49,7 @@ contract DeploySystem is Deploy {
     function setupSystemConfigGlobal() public {
         console.log("Setting up SystemConfigGlobal");
 
-        checkNitroValidator();
+        checkCertManager();
 
         deployERC1967Proxy("SystemConfigGlobalProxy");
         deploySystemConfigGlobal();
@@ -119,26 +119,22 @@ contract DeploySystem is Deploy {
         initializeOutputOracle();
     }
 
-    function checkNitroValidator() public {
-        console.log("Retrieving NitroValidator deploy");
+    function checkCertManager() public {
+        console.log("Retrieving CertManager deploy");
         string memory deploymentOutfile =
-            string.concat(vm.projectRoot(), "/deployments/", vm.toString(block.chainid), "-validator.json");
-        address nitroValidatorAddress = vm.parseJsonAddress(vm.readFile(deploymentOutfile), ".NitroValidator");
-        save("NitroValidator", nitroValidatorAddress);
+            string.concat(vm.projectRoot(), "/deployments/", vm.toString(block.chainid), "-certmanager.json");
+        address certManagerAddress = vm.parseJsonAddress(vm.readFile(deploymentOutfile), ".CertManager");
+        save("CertManager", certManagerAddress);
 
-        INitroValidator validator = INitroValidator(nitroValidatorAddress);
-        bytes memory attestation =
-            vm.readFileBinary(string.concat(vm.projectRoot(), "/test/nitro-attestation/sample_attestation.bin"));
+        bytes memory parent =
+            hex"3082021130820196a003020102021100f93175681b90afe11d46ccb4e4e7f856300a06082a8648ce3d0403033049310b3009060355040613025553310f300d060355040a0c06416d617a6f6e310c300a060355040b0c03415753311b301906035504030c126177732e6e6974726f2d656e636c61766573301e170d3139313032383133323830355a170d3439313032383134323830355a3049310b3009060355040613025553310f300d060355040a0c06416d617a6f6e310c300a060355040b0c03415753311b301906035504030c126177732e6e6974726f2d656e636c617665733076301006072a8648ce3d020106052b8104002203620004fc0254eba608c1f36870e29ada90be46383292736e894bfff672d989444b5051e534a4b1f6dbe3c0bc581a32b7b176070ede12d69a3fea211b66e752cf7dd1dd095f6f1370f4170843d9dc100121e4cf63012809664487c9796284304dc53ff4a3423040300f0603551d130101ff040530030101ff301d0603551d0e041604149025b50dd90547e796c396fa729dcf99a9df4b96300e0603551d0f0101ff040403020186300a06082a8648ce3d0403030369003066023100a37f2f91a1c9bd5ee7b8627c1698d255038e1f0343f95b63a9628c3d39809545a11ebcbf2e3b55d8aeee71b4c3d6adf3023100a2f39b1605b27028a5dd4ba069b5016e65b4fbde8fe0061d6a53197f9cdaf5d943bc61fc2beb03cb6fee8d2302f3dff6";
+        bytes memory cert =
+            hex"308202bf30820244a00302010202100b93e39c65609c59e8144a2ad34ba3a0300a06082a8648ce3d0403033049310b3009060355040613025553310f300d060355040a0c06416d617a6f6e310c300a060355040b0c03415753311b301906035504030c126177732e6e6974726f2d656e636c61766573301e170d3234313132333036333235355a170d3234313231333037333235355a3064310b3009060355040613025553310f300d060355040a0c06416d617a6f6e310c300a060355040b0c034157533136303406035504030c2d353133623665666332313639303264372e75732d656173742d312e6177732e6e6974726f2d656e636c617665733076301006072a8648ce3d020106052b8104002203620004ee78108039725a03e0b63a5d7d1244f6294eb7631f305e360997c8e5c06c779f23cfaeb64cb9aeac8a031bfac9f4dafc3621b4367f003c08c0ce410c2118396cc5d56ec4e92e1b17f9709b2bffcef462f7bcb97d6ca11325c4a30156c9720de7a381d53081d230120603551d130101ff040830060101ff020102301f0603551d230418301680149025b50dd90547e796c396fa729dcf99a9df4b96301d0603551d0e041604142b3d75d274a3cdd61b2c13f539e08c960ce757dd300e0603551d0f0101ff040403020186306c0603551d1f046530633061a05fa05d865b687474703a2f2f6177732d6e6974726f2d656e636c617665732d63726c2e73332e616d617a6f6e6177732e636f6d2f63726c2f61623439363063632d376436332d343262642d396539662d3539333338636236376638342e63726c300a06082a8648ce3d0403030369003066023100fce7a6c2b38e0a8ebf0d28348d74463458b84bfe8b2b95315dd4da665e8e83d4ab911852a4e92a8263ecf571d2df3b89023100ab92be511136be76aa313018f9f4825eaad602d0342d268e6da632767f68f55f761fa9fd2a7ee716c481c67f26e3f8f4";
 
         uint256 timestamp = vm.getBlockTimestamp();
-        vm.warp(1708930774);
-        (bytes memory enclavePubKey, bytes memory pcr0) = validator.validateAttestation(attestation, 365 days);
+        vm.warp(1732580000);
+        ICertManager(certManagerAddress).verifyCert(cert, false, keccak256(parent));
         vm.warp(timestamp);
-
-        vm.assertEq(enclavePubKey, hex"d239fd059dd0e0a01e280bec44903bb8143bae7e578b9844c6df5fd6351eddc0");
-        vm.assertEq(
-            pcr0, hex"17BF8F048519797BE90497001A7559A3D555395937117D76F8BAAEDF56CA6D97952DE79479BC0C76E5D176D20F663790"
-        );
     }
 
     function deploySystemConfigOwnable() public broadcast returns (address addr_) {
@@ -161,7 +157,7 @@ contract DeploySystem is Deploy {
 
     function deploySystemConfigGlobal() public broadcast returns (address addr_) {
         console.log("Deploying SystemConfigGlobal implementation");
-        addr_ = address(new SystemConfigGlobal{salt: _implSalt()}(INitroValidator(mustGetAddress("NitroValidator"))));
+        addr_ = address(new SystemConfigGlobal{salt: _implSalt()}(ICertManager(mustGetAddress("CertManager"))));
         save("SystemConfigGlobal", addr_);
         console.log("SystemConfigGlobal deployed at %s", addr_);
     }

src/SystemConfigGlobal.sol

@@ -4,11 +4,14 @@ pragma solidity ^0.8.0;
 
 import {OwnableUpgradeable} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
 import {ISemver} from "@eth-optimism-bedrock/src/universal/interfaces/ISemver.sol";
-import "./INitroValidator.sol";
+import {NitroValidator} from "@nitro-validator/NitroValidator.sol";
+import {CborDecode} from "@nitro-validator/CborDecode.sol";
+import {ICertManager} from "@nitro-validator/ICertManager.sol";
 
-contract SystemConfigGlobal is OwnableUpgradeable, ISemver {
-    /// @notice The AWS Nitro validator.
-    INitroValidator public immutable nitroValidator;
+contract SystemConfigGlobal is OwnableUpgradeable, ISemver, NitroValidator {
+    using CborDecode for bytes;
+
+    uint256 public constant MAX_AGE = 60 minutes;
 
     /// @notice The address of the proposer.
     address public proposer;
@@ -25,8 +28,7 @@ contract SystemConfigGlobal is OwnableUpgradeable, ISemver {
         return "0.0.1";
     }
 
-    constructor(INitroValidator _nitroValidator) {
-        nitroValidator = _nitroValidator;
+    constructor(ICertManager certManager) NitroValidator(certManager) {
         initialize({_owner: address(0xdEaD)});
     }
 
@@ -47,11 +49,15 @@ contract SystemConfigGlobal is OwnableUpgradeable, ISemver {
         delete validPCR0s[keccak256(pcr0)];
     }
 
-    function registerSigner(bytes calldata attestation) external onlyOwner {
-        (bytes memory enclavePublicKey, bytes memory pcr0) = nitroValidator.validateAttestation(attestation, 10 minutes);
-        require(validPCR0s[keccak256(pcr0)], "invalid pcr0 in attestation");
+    function registerSigner(bytes calldata attestationTbs, bytes calldata signature) external onlyOwner {
+        Ptrs memory ptrs = validateAttestation(attestationTbs, signature);
+        bytes32 pcr0 = attestationTbs.keccak(ptrs.pcrs[0]);
+        require(validPCR0s[pcr0], "invalid pcr0 in attestation");
+
+        require(ptrs.timestamp + MAX_AGE > block.timestamp, "attestation too old");
 
-        address enclaveAddress = address(uint160(uint256(keccak256(enclavePublicKey))));
+        bytes memory publicKey = attestationTbs.slice(ptrs.publicKey);
+        address enclaveAddress = address(uint160(uint256(keccak256(publicKey))));
         validSigners[enclaveAddress] = true;
     }
 

test/SystemConfigGlobal.t.sol

@@ -0,0 +1,32 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.15;
+
+import {Test, console} from "forge-std/Test.sol";
+import {CertManager} from "@nitro-validator/CertManager.sol";
+
+import "../src/SystemConfigGlobal.sol";
+
+contract SystemConfigGlobalTest is Test {
+    SystemConfigGlobal systemConfigGlobal;
+
+    function setUp() public {
+        vm.warp(1708930774);
+        CertManager certManager = new CertManager();
+        systemConfigGlobal = new SystemConfigGlobal(certManager);
+    }
+
+    function test_validateAttestation() public {
+        vm.startPrank(systemConfigGlobal.owner());
+
+        systemConfigGlobal.registerPCR0(
+            hex"17BF8F048519797BE90497001A7559A3D555395937117D76F8BAAEDF56CA6D97952DE79479BC0C76E5D176D20F663790"
+        );
+
+        bytes memory attestation = vm.readFileBinary("./test/nitro-attestation/sample_attestation.bin");
+        (bytes memory attestationTbs, bytes memory signature) = systemConfigGlobal.decodeAttestationTbs(attestation);
+        systemConfigGlobal.registerSigner(attestationTbs, signature);
+
+        address expectedSigner = 0xe04d808785d2BBdE18E9D0C01c05FB8CE0711f2d;
+        assertTrue(systemConfigGlobal.validSigners(expectedSigner));
+    }
+}