feat: two-phase verify with Policy trait

[kvinwang]

Summary

Introduces two-phase quote verification: crypto verification (signature chain, TCB matching) followed by policy validation (business rules).

Built-in policy options:

• SimplePolicy — Rust-native builder API for straightforward use without external dependencies
• RegoPolicy / RegoPolicySet — evaluates Intel's qal_script.rego with Intel QAL JSON policies for compatibility with Intel's Quote Appraisal framework

This PR also exposes RegoPolicy / RegoPolicySet to Python and WASM/JS bindings.

Examples

SimplePolicy (Rust-native, no Rego)

use dcap_qvl::{QuoteVerifier, SimplePolicy, TcbStatus};
use std::time::Duration;

let policy = SimplePolicy::strict(now)
    .allow_status(TcbStatus::SWHardeningNeeded)
    .allow_status(TcbStatus::OutOfDate)
    .collateral_grace_period(Duration::from_secs(90 * 24 * 3600))  // 90 days
    .reject_advisory("INTEL-SA-00334")
    .reject_advisories(&["INTEL-SA-00615", "INTEL-SA-00809"])
    .allow_smt(true)
    .accepted_sgx_types(&[0, 1]);

let report = QuoteVerifier::new_prod_default_crypto()
    .verify(&quote, collateral, now)?
    .validate(&policy)?;
println!("MRENCLAVE: {:?}", report.report);

RegoPolicy (Intel QAL JSON, feature rego)

use dcap_qvl::{QuoteVerifier, RegoPolicySet};

let platform_policy = r#"{
    "environment": {
        "class_id": "3123ec35-8d38-4ea5-87a5-d6c48b567570"
    },
    "reference": {
        "accepted_tcb_status": ["UpToDate", "SWHardeningNeeded", "OutOfDate"],
        "collateral_grace_period": 7776000,
        "rejected_advisory_ids": ["INTEL-SA-00999"],
        "allow_dynamic_platform": false,
        "allow_cached_keys": false,
        "allow_smt_enabled": true,
        "accepted_sgx_types": [0, 1]
    }
}"#;

let enclave_policy = r#"{
    "environment": {
        "class_id": "bef7cb8c-31aa-42c1-854c-10db005d5c41"
    },
    "reference": {
        "sgx_mrenclave": "a1b2c3d4...",
        "sgx_mrsigner": "e5f6a7b8..."
    }
}"#;

let policies = RegoPolicySet::new(&[platform_policy, enclave_policy])?;
let report = QuoteVerifier::new_prod_default_crypto()
    .verify(&quote, collateral, now)?
    .validate(&policies)?;

Core Architecture

• Policy trait — pluggable validation interface for SupplementalData
• SimplePolicy — built-in Rust-native policy covering the common appraisal checks without requiring a Rego engine: TCB status, advisory ID blacklist, collateral grace period, platform grace period, QE grace period, min eval number, dynamic platform, cached keys, SMT, and SGX types
• Two-phase flow: QuoteVerifier::verify() → QuoteVerificationResult (crypto only) → validate(&policy) → VerifiedReport
• QuoteVerificationResult::supplemental() exposes the computed supplemental data for inspection before committing to a policy

Rego Policy Support (rego feature)

• RegoPolicy — evaluates Intel's qal_script.rego via the regorus Rego interpreter
• RegoPolicySet — multi-measurement appraisal matching Intel's QAL structure
  • SGX quotes → 2 entries (platform TCB + enclave)
  • TDX quotes → 3 entries (platform TCB + QE identity + TD)
  • each entry matched to its policy by class_id
• rand.intn extension — RNG + memoization matching OPA semantics
• final_appraisal_result query — uses Intel's standard appraisal output format
• Exposed in Rust, Python, and WASM/JS bindings

SupplementalData

• 1:1 parity with Intel's sgx_ql_qv_supplemental_t fields, plus qe_report and qe_tcb_eval_data_number for multi-measurement support
• QE Identity-specific time fields (qe_iden_earliest_issue_date, qe_iden_latest_issue_date, qe_iden_earliest_expiration_date) matching Intel's qve_get_collateral_dates() behavior
• Separate measurement generators for unmerged status:
  • platform measurement uses unmerged platform_tcb_level
  • QE measurement uses qe_tcb_level + QE-specific dates
  • SGX enclave tenant measurement includes KSS field extraction
  • TDX TD10/TD15 tenant measurements supported

Other Changes

• TcbStatus merge uses Intel's exact convergeTcbStatusWithQeTcbStatus logic
• SupplementalData time window computed from 8 sources
• root_key_id computed as SHA-384 of raw public key bytes
• Verified PCK chain preserved for supplemental-data construction
• Platform flags (dynamic_platform, cached_keys, smt_enabled) distinguish False from Undefined
• JS/WASM API now follows the two-phase flow with QuoteVerifier, SimplePolicy, and QuoteVerificationResult
• Extracted src/policy/ as dedicated module with mod.rs, simple.rs, rego.rs

Test plan

• cargo test --all-features
• cargo clippy --all-features -- -D warnings
• cargo build --target wasm32-unknown-unknown --features js
• Python bindings updated for two-phase API and Rego policy exposure
• JS/WASM examples and tests updated for two-phase API and Rego policy exposure
• Added coverage for RegoPolicy / RegoPolicySet bindings and SimplePolicy advisory blacklist behavior

[sentry]

Bug: The Rego rule accepted_tcb_level_date_tag_ok uses an incorrect path, causing the min_tcb_level_date policy validation to be bypassed entirely.
_{Severity: HIGH}

Suggested Fix

In rego/qal_script.rego, change the path bundle.policy.sgx_platform.reference.min_tcb_level_date to bundle.policy.reference.min_tcb_level_date to match the correct policy data structure.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: rego/qal_script.rego#L438-L440

Potential issue: In the Rego script, the rule `accepted_tcb_level_date_tag_ok` uses an
incorrect object path `bundle.policy.sgx_platform.reference.min_tcb_level_date` to
access a policy setting. The correct path is
`bundle.policy.reference.min_tcb_level_date`. Because the incorrect path is always
undefined in Rego, the `not` expression always evaluates to true. This causes the rule
to always succeed, effectively disabling the policy constraint that is supposed to
enforce a minimum TCB level date. As a result, platform TCB measurements with outdated
dates will pass validation when they should be rejected.

[sentry]

Bug: The Rego script uses incorrect paths (item.report.*) to access fields for unmatched reports, leading to malformed diagnostic output.
_{Severity: MEDIUM}

Suggested Fix

In the appraisal_result rule that handles report_not_in_policy, change the output mapping from {"environment": item.report.environment, "measurement": item.report.measurement} to {"environment": item.environment, "measurement": item.measurement}.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: rego/qal_script.rego#L282-L283

Potential issue: When generating an appraisal result for a report that does not match
any policy, the Rego script attempts to access `item.report.environment` and
`item.report.measurement`. However, the `item` in this context is a raw report entry
from `report_not_in_policy` and does not have a nested `report` field. The correct paths
are `item.environment` and `item.measurement`. This error causes the resulting
`appraisal_output` object to contain an incomplete or empty `report` field, breaking the
diagnostic reporting for unmatched reports.

[sentry]

Bug: The isvfamilyid_ok rule performs a case-sensitive comparison by failing to apply lower() to the policy value, unlike other similar rules.
_{Severity: MEDIUM}

Suggested Fix

In the isvfamilyid_ok rule, apply the lower() function to the policy value to ensure a case-insensitive comparison. Change bundle.policy.reference.sgx_isvfamilyid to lower(bundle.policy.reference.sgx_isvfamilyid).

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: rego/qal_script.rego#L797-L801

Potential issue: The Rego rule `isvfamilyid_ok` performs a case-sensitive comparison
between the `sgx_isvfamilyid` from the report and the policy. It converts the report
value to lowercase using `lower()` but fails to do the same for the policy value
`bundle.policy.reference.sgx_isvfamilyid`. This is inconsistent with all other similar
hexadecimal field comparisons in the same file, which apply `lower()` to both sides.
This will cause validation to fail incorrectly if a user provides an uppercase or
mixed-case `sgx_isvfamilyid` in their policy, as the report value is always uppercase
before being lowercased for comparison.

[sentry]

Bug: The pce_id is parsed as big-endian using from_be_bytes, but the Intel specification defines it as little-endian, leading to incorrect ID values.
_{Severity: HIGH}

Suggested Fix

In src/verify.rs, change the pce_id conversion from u16::from_be_bytes to u16::from_le_bytes to correctly parse the little-endian value as defined by the Intel specification.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/verify.rs#L769-L773

Potential issue: The `pce_id` field from the PCK certificate is parsed as a big-endian
value using `u16::from_be_bytes`. However, the Intel specification and comments
elsewhere in the codebase confirm that `pce_id` is encoded in little-endian format. This
discrepancy will cause an incorrect `pce_id` value to be calculated and stored in the
`QuoteVerificationResult` for any certificate where the ID is not symmetrical (e.g., a
little-endian value of 1, `[0x01, 0x00]`, would be incorrectly parsed as 256). This
incorrect data is then exposed to consumers and could cause failures in Rego policy
evaluations that rely on this value.

[sentry]

Bug: RegoPolicy::validate() incorrectly uses a merged TCB status for evaluation, rather than selecting the appropriate measurement based on the policy's class_id, causing inconsistent validation results.
_{Severity: HIGH}

Suggested Fix

Modify RegoPolicy::validate() to check the self.class_id and invoke the appropriate measurement builder function (build_platform_measurement, build_qe_measurement, or tenant_measurement), mirroring the logic currently used in to_rego_qvl_result.

Prompt for AI Agent

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: src/policy/rego.rs#L560-L567

Potential issue: The `RegoPolicy::validate()` function incorrectly uses a merged TCB
status for all policy evaluations by always calling `build_merged_measurement(data)`.
This function combines the platform and QE TCB statuses. However, the validation should
be specific to the policy's `class_id`, as is correctly handled in
`RegoPolicySet::validate()`, which uses different measurement builders
(`build_platform_measurement`, `build_qe_measurement`) accordingly. This discrepancy
leads to incorrect validation outcomes. For example, a platform policy requiring an
`UpToDate` status will be incorrectly rejected if the platform TCB is `UpToDate` but the
QE TCB is `OutOfDate`, because the merged status will be `OutOfDate`. This creates
inconsistent behavior between the `RegoPolicy` and `RegoPolicySet` APIs.