Make it possible to extract measurements from an attested certificate without verifying

crates/attestation/src/azure/mod.rs

@@ -199,6 +199,15 @@ async fn verify_azure_attestation_with_given_timestamp(
     Ok(MultiMeasurements::from_pcrs(pcrs))
 }
 
+/// Extract the measurements from the attestation, but do not verify
+/// anything
+pub fn get_measurements(input: &[u8]) -> Result<MultiMeasurements, MaaError> {
+    let attestation_document: AttestationDocument = serde_json::from_slice(input)?;
+    let vtpm_quote = attestation_document.tpm_attestation.quote;
+    let pcrs = vtpm_quote.pcrs_sha256();
+    Ok(MultiMeasurements::from_pcrs(pcrs))
+}
+
 /// JSON Web Key used in [HclRuntimeClaims]
 #[derive(Debug, Deserialize)]
 struct Jwk {

crates/attestation/src/lib.rs

@@ -37,6 +37,39 @@ impl AttestationExchangeMessage {
     pub fn without_attestation() -> Self {
         Self { attestation_type: AttestationType::None, attestation: Vec::new() }
     }
+
+    /// Extract the measurements from the attestation, if present, but do
+    /// not verify
+    pub fn get_measurements(&self) -> Result<Option<MultiMeasurements>, AttestationError> {
+        match self.attestation_type {
+            AttestationType::None => Ok(None),
+            AttestationType::AzureTdx => {
+                #[cfg(feature = "azure")]
+                {
+                    Ok(Some(azure::get_measurements(&self.attestation)?))
+                }
+                #[cfg(not(feature = "azure"))]
+                {
+                    Err(AttestationError::AttestationTypeNotSupported)
+                }
+            }
+            _ => {
+                #[cfg(any(test, feature = "mock"))]
+                {
+                    let quote = tdx_quote::Quote::from_bytes(&self.attestation)
+                        .map_err(DcapVerificationError::from)?;
+                    Ok(Some(MultiMeasurements::from_tdx_quote(&quote)))
+                }
+
+                #[cfg(not(any(test, feature = "mock")))]
+                {
+                    let quote = dcap_qvl::verify::Quote::parse(&self.attestation)
+                        .map_err(DcapVerificationError::from)?;
+                    Ok(Some(MultiMeasurements::from_dcap_qvl_quote(&quote)?))
+                }
+            }
+        }
+    }
 }
 
 /// Type of attestation used

crates/attested-tls/src/lib.rs

@@ -455,13 +455,18 @@ impl AttestedCertificateVerifier {
     }
 
     /// Given a TLS certificate, return the embedded attestation
-    fn extract_custom_attestation_from_cert(
+    pub fn extract_custom_attestation_from_cert(
         cert: &CertificateDer<'_>,
     ) -> Result<AttestationExchangeMessage, rustls::Error> {
-        // First try to parse using ra_tls which assumes DCAP
         if let Ok(Some(attestation)) = ra_tls::attestation::from_der(cert.as_ref()) &&
             let AttestationQuote::DstackTdx(tdx_quote) = attestation.quote
         {
+            if let Ok(message) =
+                serde_json::from_slice::<AttestationExchangeMessage>(&tdx_quote.quote)
+            {
+                return Ok(message);
+            }
+
             return Ok(AttestationExchangeMessage {
                 attestation_type: AttestationType::DcapTdx,
                 attestation: tdx_quote.quote,