diff --git a/interfaces/multiproof/tee/INitroEnclaveVerifier.sol b/interfaces/multiproof/tee/INitroEnclaveVerifier.sol index a3edb91c..2b286bc0 100644 --- a/interfaces/multiproof/tee/INitroEnclaveVerifier.sol +++ b/interfaces/multiproof/tee/INitroEnclaveVerifier.sol @@ -165,42 +165,6 @@ interface INitroEnclaveVerifier { */ function getZkConfig(ZkCoProcessorType _zkCoProcessor) external view returns (ZkCoProcessorConfig memory); - /** - * @dev Returns all supported verifier program IDs for a coprocessor - * @param _zkCoProcessor Type of ZK coprocessor - * @return Array of all supported verifier program IDs - */ - function getVerifierIds(ZkCoProcessorType _zkCoProcessor) external view returns (bytes32[] memory); - - /** - * @dev Returns all supported aggregator program IDs for a coprocessor - * @param _zkCoProcessor Type of ZK coprocessor - * @return Array of all supported aggregator program IDs - */ - function getAggregatorIds(ZkCoProcessorType _zkCoProcessor) external view returns (bytes32[] memory); - - /** - * @dev Checks if a verifier program ID is in the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _verifierId Verifier program ID to check - * @return True if the ID is supported - */ - function isVerifierIdSupported(ZkCoProcessorType _zkCoProcessor, bytes32 _verifierId) external view returns (bool); - - /** - * @dev Checks if an aggregator program ID is in the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _aggregatorId Aggregator program ID to check - * @return True if the ID is supported - */ - function isAggregatorIdSupported( - ZkCoProcessorType _zkCoProcessor, - bytes32 _aggregatorId - ) - external - view - returns (bool); - /** * @dev Gets the verifier address for a specific route * @param _zkCoProcessor Type of ZK coprocessor @@ -317,30 +281,6 @@ interface INitroEnclaveVerifier { */ function updateAggregatorId(ZkCoProcessorType _zkCoProcessor, bytes32 _newAggregatorId) external; - /** - * @dev Removes a verifier program ID from the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _verifierId Verifier program ID to remove - * - * Requirements: - * - Only callable by contract owner - * - Cannot remove the currently active (latest) verifier ID - * - ID must exist in the supported set - */ - function removeVerifierId(ZkCoProcessorType _zkCoProcessor, bytes32 _verifierId) external; - - /** - * @dev Removes an aggregator program ID from the supported set - * @param _zkCoProcessor Type of ZK coprocessor - * @param _aggregatorId Aggregator program ID to remove - * - * Requirements: - * - Only callable by contract owner - * - Cannot remove the currently active (latest) aggregator ID - * - ID must exist in the supported set - */ - function removeAggregatorId(ZkCoProcessorType _zkCoProcessor, bytes32 _aggregatorId) external; - /** * @dev Adds a route-specific verifier override * @param _zkCoProcessor Type of ZK coprocessor diff --git a/snapshots/abi/NitroEnclaveVerifier.json b/snapshots/abi/NitroEnclaveVerifier.json index 78b69950..d5808bde 100644 --- a/snapshots/abi/NitroEnclaveVerifier.json +++ b/snapshots/abi/NitroEnclaveVerifier.json @@ -242,44 +242,6 @@ "stateMutability": "nonpayable", "type": "function" }, - { - "inputs": [ - { - "internalType": "enum ZkCoProcessorType", - "name": "zkCoProcessor", - "type": "uint8" - } - ], - "name": "getAggregatorIds", - "outputs": [ - { - "internalType": "bytes32[]", - "name": "", - "type": "bytes32[]" - } - ], - "stateMutability": "view", - "type": "function" - }, - { - "inputs": [ - { - "internalType": "enum ZkCoProcessorType", - "name": "zkCoProcessor", - "type": "uint8" - } - ], - "name": "getVerifierIds", - "outputs": [ - { - "internalType": "bytes32[]", - "name": "", - "type": "bytes32[]" - } - ], - "stateMutability": "view", - "type": "function" - }, { "inputs": [ { @@ -364,54 +326,6 @@ "stateMutability": "view", "type": "function" }, - { - "inputs": [ - { - "internalType": "enum ZkCoProcessorType", - "name": "zkCoProcessor", - "type": "uint8" - }, - { - "internalType": "bytes32", - "name": "aggregatorId", - "type": "bytes32" - } - ], - "name": "isAggregatorIdSupported", - "outputs": [ - { - "internalType": "bool", - "name": "", - "type": "bool" - } - ], - "stateMutability": "view", - "type": "function" - }, - { - "inputs": [ - { - "internalType": "enum ZkCoProcessorType", - "name": "zkCoProcessor", - "type": "uint8" - }, - { - "internalType": "bytes32", - "name": "verifierId", - "type": "bytes32" - } - ], - "name": "isVerifierIdSupported", - "outputs": [ - { - "internalType": "bool", - "name": "", - "type": "bool" - } - ], - "stateMutability": "view", - "type": "function" - }, { "inputs": [], "name": "maxTimeDiff", @@ -470,42 +384,6 @@ "stateMutability": "view", "type": "function" }, - { - "inputs": [ - { - "internalType": "enum ZkCoProcessorType", - "name": "zkCoProcessor", - "type": "uint8" - }, - { - "internalType": "bytes32", - "name": "aggregatorId", - "type": "bytes32" - } - ], - "name": "removeAggregatorId", - "outputs": [], - "stateMutability": "nonpayable", - "type": "function" - }, - { - "inputs": [ - { - "internalType": "enum ZkCoProcessorType", - "name": "zkCoProcessor", - "type": "uint8" - }, - { - "internalType": "bytes32", - "name": "verifierId", - "type": "bytes32" - } - ], - "name": "removeVerifierId", - "outputs": [], - "stateMutability": "nonpayable", - "type": "function" - }, { "inputs": [], "name": "renounceOwnership", @@ -980,31 +858,6 @@ "name": "OwnershipTransferred", "type": "event" }, - { - "anonymous": false, - "inputs": [ - { - "indexed": true, - "internalType": "enum ZkCoProcessorType", - "name": "zkCoProcessor", - "type": "uint8" - }, - { - "indexed": true, - "internalType": "bytes32", - "name": "programId", - "type": "bytes32" - }, - { - "indexed": false, - "internalType": "bool", - "name": "isAggregator", - "type": "bool" - } - ], - "name": "ProgramIdRemoved", - "type": "event" - }, { "anonymous": false, "inputs": [ @@ -1152,22 +1005,6 @@ "name": "CallerNotProofSubmitter", "type": "error" }, - { - "inputs": [ - { - "internalType": "enum ZkCoProcessorType", - "name": "zkCoProcessor", - "type": "uint8" - }, - { - "internalType": "bytes32", - "name": "identifier", - "type": "bytes32" - } - ], - "name": "CannotRemoveLatestProgramId", - "type": "error" - }, { "inputs": [ { @@ -1181,17 +1018,17 @@ }, { "inputs": [], - "name": "NewOwnerIsZeroAddress", + "name": "InvalidVerifierAddress", "type": "error" }, { "inputs": [], - "name": "NoHandoverRequest", + "name": "NewOwnerIsZeroAddress", "type": "error" }, { "inputs": [], - "name": "NotImplemented", + "name": "NoHandoverRequest", "type": "error" }, { @@ -1210,22 +1047,6 @@ "name": "ProgramIdAlreadyLatest", "type": "error" }, - { - "inputs": [ - { - "internalType": "enum ZkCoProcessorType", - "name": "zkCoProcessor", - "type": "uint8" - }, - { - "internalType": "bytes32", - "name": "identifier", - "type": "bytes32" - } - ], - "name": "ProgramIdNotFound", - "type": "error" - }, { "inputs": [ { diff --git a/snapshots/semver-lock.json b/snapshots/semver-lock.json index 9bbd41e6..90cf0989 100644 --- a/snapshots/semver-lock.json +++ b/snapshots/semver-lock.json @@ -248,16 +248,16 @@ "sourceCodeHash": "0xfa0464c07c06fddc98ba20e9a362ba10ecf94496556d0f7ac88d1986f79a8a6b" }, "src/multiproof/tee/NitroEnclaveVerifier.sol:NitroEnclaveVerifier": { - "initCodeHash": "0xf7659c1a42a51292c1e4be84ade2bbe76bca784152335fc9cb98a38f042a1eed", - "sourceCodeHash": "0xd0e5da001f950a9d7325b0ecdffd46ef1c361eb749133c30689853dbf9886ff5" + "initCodeHash": "0xb1c7f759bc88fb6e108c7ea4740228e3faa7915673b5897212e7dceb61967674", + "sourceCodeHash": "0x19364958672085b709d7475e06145ab997512b79184f287d7d7bbfe0e8c81dfc" }, "src/multiproof/tee/TEEProverRegistry.sol:TEEProverRegistry": { - "initCodeHash": "0x4c89ecad0d48b6da64ef7f489326aae63b7fbcd33f4fed949a496afd1be49009", - "sourceCodeHash": "0x71a4016022b8a15f5ceddf2d597700046fcbe9ce4dbc7d7f2174d68606b3c614" + "initCodeHash": "0x95bf7d37bd7218dc48a176d443599af7dffcb83b57ed63226bd84a3facd8d5f2", + "sourceCodeHash": "0x4435163589299d9b0bc42a80258ebb3eee12ef94e6f1bd439d144b6628b366c8" }, "src/multiproof/tee/TEEProverRegistry.sol:TEEProverRegistry:dispute": { - "initCodeHash": "0xfd56342b83d37499a848961ec12f982cee40297a4c59c5d448ed5a78795d3751", - "sourceCodeHash": "0x71a4016022b8a15f5ceddf2d597700046fcbe9ce4dbc7d7f2174d68606b3c614" + "initCodeHash": "0x3a50409059ad8313df38cd76747defa6ae976dcc8ca37b8333c78ef85c7661cd", + "sourceCodeHash": "0x4435163589299d9b0bc42a80258ebb3eee12ef94e6f1bd439d144b6628b366c8" }, "src/multiproof/tee/TEEVerifier.sol:TEEVerifier": { "initCodeHash": "0xeab3964cb2e6bbf3b660a8dedcd01286b74894bf76cf979d0b415fc7ca140ade", diff --git a/snapshots/storageLayout/NitroEnclaveVerifier.json b/snapshots/storageLayout/NitroEnclaveVerifier.json index 0feab09c..317f1a1e 100644 --- a/snapshots/storageLayout/NitroEnclaveVerifier.json +++ b/snapshots/storageLayout/NitroEnclaveVerifier.json @@ -34,32 +34,18 @@ "slot": "4", "type": "bytes32" }, - { - "bytes": "32", - "label": "_verifierIdSet", - "offset": 0, - "slot": "5", - "type": "mapping(enum ZkCoProcessorType => struct EnumerableSet.Bytes32Set)" - }, - { - "bytes": "32", - "label": "_aggregatorIdSet", - "offset": 0, - "slot": "6", - "type": "mapping(enum ZkCoProcessorType => struct EnumerableSet.Bytes32Set)" - }, { "bytes": "32", "label": "_zkVerifierRoutes", "offset": 0, - "slot": "7", + "slot": "5", "type": "mapping(enum ZkCoProcessorType => mapping(bytes4 => address))" }, { "bytes": "32", "label": "_verifierProofIds", "offset": 0, - "slot": "8", + "slot": "6", "type": "mapping(enum ZkCoProcessorType => mapping(bytes32 => bytes32))" } ] \ No newline at end of file diff --git a/src/multiproof/tee/NitroEnclaveVerifier.sol b/src/multiproof/tee/NitroEnclaveVerifier.sol index 48a038fa..2fb1e746 100644 --- a/src/multiproof/tee/NitroEnclaveVerifier.sol +++ b/src/multiproof/tee/NitroEnclaveVerifier.sol @@ -2,7 +2,6 @@ pragma solidity ^0.8.0; import { Ownable } from "@solady/auth/Ownable.sol"; -import { EnumerableSet } from "@openzeppelin/contracts/utils/structs/EnumerableSet.sol"; import { INitroEnclaveVerifier, ZkCoProcessorType, @@ -44,8 +43,6 @@ import { ISemver } from "interfaces/universal/ISemver.sol"; * - Timestamp validation prevents replay attacks within the configured time window */ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver { - using EnumerableSet for EnumerableSet.Bytes32Set; - /// @dev Sentinel address to indicate a route has been permanently frozen address private constant FROZEN = address(0xdead); @@ -64,12 +61,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver { /// @dev Hash of the trusted AWS Nitro Enclave root certificate bytes32 public rootCert; - /// @dev Set of all supported verifier program IDs per coprocessor - mapping(ZkCoProcessorType => EnumerableSet.Bytes32Set) private _verifierIdSet; - - /// @dev Set of all supported aggregator program IDs per coprocessor - mapping(ZkCoProcessorType => EnumerableSet.Bytes32Set) private _aggregatorIdSet; - /// @dev Route-specific verifier overrides (selector -> verifier address) mapping(ZkCoProcessorType => mapping(bytes4 => address)) private _zkVerifierRoutes; @@ -81,9 +72,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver { /// @dev Error thrown when an unsupported or unknown ZK coprocessor type is used error Unknown_Zk_Coprocessor(); - /// @dev Error thrown when attempting to remove the currently active (latest) program ID - error CannotRemoveLatestProgramId(ZkCoProcessorType zkCoProcessor, bytes32 identifier); - /// @dev Error thrown when a ZK route has been permanently frozen error ZkRouteFrozen(ZkCoProcessorType zkCoProcessor, bytes4 selector); @@ -102,9 +90,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver { /// @dev Thrown when attempting to set a program ID that is already the latest error ProgramIdAlreadyLatest(ZkCoProcessorType zkCoProcessor, bytes32 identifier); - /// @dev Thrown when attempting to remove or operate on a program ID that does not exist in the set - error ProgramIdNotFound(ZkCoProcessorType zkCoProcessor, bytes32 identifier); - /// @dev Thrown when a zero address is provided where a verifier address is required error ZeroVerifierAddress(); @@ -117,12 +102,12 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver { /// @dev Thrown when the first certificate in a chain does not match the stored root certificate error RootCertMismatch(bytes32 expected, bytes32 actual); - /// @dev Thrown when calling verifyWithProgramId or batchVerifyWithProgramId, which are intentionally disabled - error NotImplemented(); - /// @dev Error thrown when a zero maxTimeDiff is provided error ZeroMaxTimeDiff(); + /// @dev Thrown when a zero address is provided for the verifier + error InvalidVerifierAddress(); + // ============ Events ============ /// @dev Emitted when a new verifier program ID is added/updated @@ -131,9 +116,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver { /// @dev Emitted when a new aggregator program ID is added/updated event AggregatorIdUpdated(ZkCoProcessorType indexed zkCoProcessor, bytes32 indexed newId); - /// @dev Emitted when a program ID is removed from the supported set - event ProgramIdRemoved(ZkCoProcessorType indexed zkCoProcessor, bytes32 indexed programId, bool isAggregator); - /// @dev Emitted when a route-specific verifier is added event ZkRouteAdded(ZkCoProcessorType indexed zkCoProcessor, bytes4 indexed selector, address verifier); @@ -204,51 +186,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver { return zkConfig[zkCoProcessor]; } - /** - * @dev Returns all supported verifier program IDs for a coprocessor - * @param zkCoProcessor Type of ZK coprocessor - * @return Array of all supported verifier program IDs - */ - function getVerifierIds(ZkCoProcessorType zkCoProcessor) external view returns (bytes32[] memory) { - return _verifierIdSet[zkCoProcessor].values(); - } - - /** - * @dev Returns all supported aggregator program IDs for a coprocessor - * @param zkCoProcessor Type of ZK coprocessor - * @return Array of all supported aggregator program IDs - */ - function getAggregatorIds(ZkCoProcessorType zkCoProcessor) external view returns (bytes32[] memory) { - return _aggregatorIdSet[zkCoProcessor].values(); - } - - /** - * @dev Checks if a verifier program ID is in the supported set - * @param zkCoProcessor Type of ZK coprocessor - * @param verifierId Verifier program ID to check - * @return True if the ID is supported - */ - function isVerifierIdSupported(ZkCoProcessorType zkCoProcessor, bytes32 verifierId) external view returns (bool) { - return _verifierIdSet[zkCoProcessor].contains(verifierId); - } - - /** - * @dev Checks if an aggregator program ID is in the supported set - * @param zkCoProcessor Type of ZK coprocessor - * @param aggregatorId Aggregator program ID to check - * @return True if the ID is supported - */ - function isAggregatorIdSupported( - ZkCoProcessorType zkCoProcessor, - bytes32 aggregatorId - ) - external - view - returns (bool) - { - return _aggregatorIdSet[zkCoProcessor].contains(aggregatorId); - } - /** * @dev Gets the verifier address for a specific route * @param zkCoProcessor Type of ZK coprocessor @@ -410,7 +347,6 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver { } zkConfig[zkCoProcessor].verifierId = newVerifierId; - _verifierIdSet[zkCoProcessor].add(newVerifierId); _verifierProofIds[zkCoProcessor][newVerifierId] = newVerifierProofId; emit VerifierIdUpdated(zkCoProcessor, newVerifierId, newVerifierProofId); @@ -428,50 +364,10 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver { } zkConfig[zkCoProcessor].aggregatorId = newAggregatorId; - _aggregatorIdSet[zkCoProcessor].add(newAggregatorId); emit AggregatorIdUpdated(zkCoProcessor, newAggregatorId); } - /** - * @dev Removes a verifier program ID from the supported set - * @param zkCoProcessor Type of ZK coprocessor - * @param verifierId Verifier program ID to remove - */ - function removeVerifierId(ZkCoProcessorType zkCoProcessor, bytes32 verifierId) external onlyOwner { - if (!_verifierIdSet[zkCoProcessor].contains(verifierId)) { - revert ProgramIdNotFound(zkCoProcessor, verifierId); - } - - // Cannot remove the latest verifier ID - must update to a new one first - if (zkConfig[zkCoProcessor].verifierId == verifierId) { - revert CannotRemoveLatestProgramId(zkCoProcessor, verifierId); - } - - _verifierIdSet[zkCoProcessor].remove(verifierId); - delete _verifierProofIds[zkCoProcessor][verifierId]; - emit ProgramIdRemoved(zkCoProcessor, verifierId, false); - } - - /** - * @dev Removes an aggregator program ID from the supported set - * @param zkCoProcessor Type of ZK coprocessor - * @param aggregatorId Aggregator program ID to remove - */ - function removeAggregatorId(ZkCoProcessorType zkCoProcessor, bytes32 aggregatorId) external onlyOwner { - if (!_aggregatorIdSet[zkCoProcessor].contains(aggregatorId)) { - revert ProgramIdNotFound(zkCoProcessor, aggregatorId); - } - - // Cannot remove the latest aggregator ID - must update to a new one first - if (zkConfig[zkCoProcessor].aggregatorId == aggregatorId) { - revert CannotRemoveLatestProgramId(zkCoProcessor, aggregatorId); - } - - _aggregatorIdSet[zkCoProcessor].remove(aggregatorId); - emit ProgramIdRemoved(zkCoProcessor, aggregatorId, true); - } - /** * @dev Adds a route-specific verifier override * @param zkCoProcessor Type of ZK coprocessor @@ -480,6 +376,7 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver { */ function addVerifyRoute(ZkCoProcessorType zkCoProcessor, bytes4 selector, address verifier) external onlyOwner { if (verifier == address(0)) revert ZeroVerifierAddress(); + if (verifier == FROZEN) revert InvalidVerifierAddress(); if (_zkVerifierRoutes[zkCoProcessor][selector] == FROZEN) { revert ZkRouteFrozen(zkCoProcessor, selector); @@ -624,12 +521,8 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver { // Auto-add program IDs to the version sets and store verifierProofId mapping if (config.verifierId != bytes32(0)) { - _verifierIdSet[zkCoProcessor].add(config.verifierId); _verifierProofIds[zkCoProcessor][config.verifierId] = verifierProofId; } - if (config.aggregatorId != bytes32(0)) { - _aggregatorIdSet[zkCoProcessor].add(config.aggregatorId); - } emit ZKConfigurationUpdated(zkCoProcessor, config, verifierProofId); } @@ -688,7 +581,7 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver { } } uint64 timestamp = journal.timestamp / 1000; - if (timestamp + maxTimeDiff < block.timestamp || timestamp > block.timestamp) { + if (timestamp + maxTimeDiff <= block.timestamp || timestamp >= block.timestamp) { journal.result = VerificationResult.InvalidTimestamp; return journal; } diff --git a/src/multiproof/tee/TEEProverRegistry.sol b/src/multiproof/tee/TEEProverRegistry.sol index d52e260d..51de6782 100644 --- a/src/multiproof/tee/TEEProverRegistry.sol +++ b/src/multiproof/tee/TEEProverRegistry.sol @@ -142,6 +142,8 @@ contract TEEProverRegistry is OwnableManagedUpgradeable, ISemver { if (journal.result != VerificationResult.Success) revert AttestationVerificationFailed(); + // We allow attestations up to MAX_AGE old. This means a cert may be expired between when + // the attestation is generated and when it is submitted to this contract. if (journal.timestamp / MS_PER_SECOND + MAX_AGE <= block.timestamp) revert AttestationTooOld(); // Validate PCR0 against the current AggregateVerifier's TEE_IMAGE_HASH @@ -155,7 +157,8 @@ contract TEEProverRegistry is OwnableManagedUpgradeable, ISemver { if (pubKey.length != 65) revert InvalidPublicKey(); bytes32 publicKeyHash; assembly { - publicKeyHash := keccak256(add(pubKey, 0x21), sub(mload(pubKey), 1)) + // Length is hardcoded to 64 to skip the 0x04 prefix and hash only the x and y coordinates + publicKeyHash := keccak256(add(pubKey, 0x21), 64) } address enclaveAddress = address(uint160(uint256(publicKeyHash))); diff --git a/test/multiproof/NitroEnclaveVerifier.t.sol b/test/multiproof/NitroEnclaveVerifier.t.sol index d6d77574..6744628d 100644 --- a/test/multiproof/NitroEnclaveVerifier.t.sol +++ b/test/multiproof/NitroEnclaveVerifier.t.sol @@ -149,8 +149,6 @@ contract NitroEnclaveVerifierTest is Test { assertEq(stored.aggregatorId, AGGREGATOR_ID); assertEq(stored.zkVerifier, mockRiscZeroVerifier); - assertTrue(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, VERIFIER_ID)); - assertTrue(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, AGGREGATOR_ID)); assertEq(verifier.getVerifierProofId(ZkCoProcessorType.RiscZero, VERIFIER_ID), VERIFIER_PROOF_ID); } @@ -195,8 +193,6 @@ contract NitroEnclaveVerifierTest is Test { ZkCoProcessorConfig memory config = verifier.getZkConfig(ZkCoProcessorType.RiscZero); assertEq(config.verifierId, newVerifierId); - assertTrue(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, newVerifierId)); - assertTrue(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, VERIFIER_ID)); assertEq(verifier.getVerifierProofId(ZkCoProcessorType.RiscZero, newVerifierId), newVerifierProofId); } @@ -233,8 +229,6 @@ contract NitroEnclaveVerifierTest is Test { ZkCoProcessorConfig memory config = verifier.getZkConfig(ZkCoProcessorType.RiscZero); assertEq(config.aggregatorId, newAggregatorId); - assertTrue(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, newAggregatorId)); - assertTrue(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, AGGREGATOR_ID)); } function testUpdateAggregatorIdRevertsIfZero() public { @@ -260,90 +254,6 @@ contract NitroEnclaveVerifierTest is Test { verifier.updateAggregatorId(ZkCoProcessorType.RiscZero, keccak256("new")); } - // ============ removeVerifierId Tests ============ - - function testRemoveVerifierId() public { - _setUpRiscZeroConfig(); - - bytes32 newId = keccak256("new-verifier-id"); - verifier.updateVerifierId(ZkCoProcessorType.RiscZero, newId, keccak256("proof")); - - verifier.removeVerifierId(ZkCoProcessorType.RiscZero, VERIFIER_ID); - assertFalse(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, VERIFIER_ID)); - assertTrue(verifier.isVerifierIdSupported(ZkCoProcessorType.RiscZero, newId)); - } - - function testRemoveVerifierIdRevertsIfLatest() public { - _setUpRiscZeroConfig(); - - vm.expectRevert( - abi.encodeWithSelector( - NitroEnclaveVerifier.CannotRemoveLatestProgramId.selector, ZkCoProcessorType.RiscZero, VERIFIER_ID - ) - ); - verifier.removeVerifierId(ZkCoProcessorType.RiscZero, VERIFIER_ID); - } - - function testRemoveVerifierIdRevertsIfNotExists() public { - _setUpRiscZeroConfig(); - bytes32 nonexistent = keccak256("nonexistent"); - vm.expectRevert( - abi.encodeWithSelector( - NitroEnclaveVerifier.ProgramIdNotFound.selector, ZkCoProcessorType.RiscZero, nonexistent - ) - ); - verifier.removeVerifierId(ZkCoProcessorType.RiscZero, nonexistent); - } - - function testRemoveVerifierIdRevertsIfNotOwner() public { - _setUpRiscZeroConfig(); - vm.prank(submitter); - vm.expectRevert(); - verifier.removeVerifierId(ZkCoProcessorType.RiscZero, VERIFIER_ID); - } - - // ============ removeAggregatorId Tests ============ - - function testRemoveAggregatorId() public { - _setUpRiscZeroConfig(); - - bytes32 newId = keccak256("new-aggregator-id"); - verifier.updateAggregatorId(ZkCoProcessorType.RiscZero, newId); - - verifier.removeAggregatorId(ZkCoProcessorType.RiscZero, AGGREGATOR_ID); - assertFalse(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, AGGREGATOR_ID)); - assertTrue(verifier.isAggregatorIdSupported(ZkCoProcessorType.RiscZero, newId)); - } - - function testRemoveAggregatorIdRevertsIfLatest() public { - _setUpRiscZeroConfig(); - - vm.expectRevert( - abi.encodeWithSelector( - NitroEnclaveVerifier.CannotRemoveLatestProgramId.selector, ZkCoProcessorType.RiscZero, AGGREGATOR_ID - ) - ); - verifier.removeAggregatorId(ZkCoProcessorType.RiscZero, AGGREGATOR_ID); - } - - function testRemoveAggregatorIdRevertsIfNotExists() public { - _setUpRiscZeroConfig(); - bytes32 nonexistent = keccak256("nonexistent"); - vm.expectRevert( - abi.encodeWithSelector( - NitroEnclaveVerifier.ProgramIdNotFound.selector, ZkCoProcessorType.RiscZero, nonexistent - ) - ); - verifier.removeAggregatorId(ZkCoProcessorType.RiscZero, nonexistent); - } - - function testRemoveAggregatorIdRevertsIfNotOwner() public { - _setUpRiscZeroConfig(); - vm.prank(submitter); - vm.expectRevert(); - verifier.removeAggregatorId(ZkCoProcessorType.RiscZero, AGGREGATOR_ID); - } - // ============ addVerifyRoute / freezeVerifyRoute Tests ============ function testAddVerifyRoute() public { @@ -359,6 +269,11 @@ contract NitroEnclaveVerifierTest is Test { verifier.addVerifyRoute(ZkCoProcessorType.RiscZero, bytes4(uint32(0x01)), address(0)); } + function testAddVerifyRouteRevertsIfFrozenSentinel() public { + vm.expectRevert(NitroEnclaveVerifier.InvalidVerifierAddress.selector); + verifier.addVerifyRoute(ZkCoProcessorType.RiscZero, bytes4(uint32(0x01)), address(0xdead)); + } + function testAddVerifyRouteRevertsIfNotOwner() public { vm.prank(submitter); vm.expectRevert(); @@ -814,7 +729,7 @@ contract NitroEnclaveVerifierTest is Test { return VerifierJournal({ result: VerificationResult.Success, trustedCertsPrefixLen: 2, - timestamp: uint64(block.timestamp) * 1000, + timestamp: uint64(block.timestamp - 1) * 1000, certs: certs, userData: "", nonce: "",