TEE OverviewTEE VerifiersIntel SGX/TDX DCAPAutomata Onchain PCCS

Automata PCS DAO

Summary

The PcsDao contract is the core contract for managing Intel PCS (Provisioning Certification Service) collateral onchain. It handles essential certificates including the Intel SGX Root CA, intermediate CAs (PCK Platform CA, PCK Processor CA, TCB Signing CA), and their corresponding CRLs (Certificate Revocation Lists). All other DAO contracts depend on this contract to fetch issuer certificates and CRLs for signature verification.

Methods

getCertificateById

function getCertificateById(CA ca) external view returns (bytes memory cert, bytes memory crl)

Gets the certificate and its corresponding CRL for the specified Certificate Authority type.

Parameters:

  • ca (CA): Certificate Authority type - CA.ROOT, CA.SIGNING, CA.PROCESSOR, or CA.PLATFORM

Returns:

  • cert (bytes): DER-encoded certificate
  • crl (bytes): DER-encoded CRL signed by the certificate

upsertPcsCertificates

function upsertPcsCertificates(CA ca, bytes calldata cert) external returns (bytes32 attestationId)

Upserts (inserts or updates) a PCS certificate onchain with signature verification, revocation checking, and rollback protection.

Parameters:

  • ca (CA): Certificate Authority type - CA.ROOT, CA.SIGNING, CA.PROCESSOR, or CA.PLATFORM
  • cert (bytes): DER-encoded certificate

Returns:

  • attestationId (bytes32): The attestation ID returned by the resolver

upsertPckCrl

function upsertPckCrl(CA ca, bytes calldata crl) external returns (bytes32 attestationId)

Upserts (inserts or updates) a PCK Certificate Revocation List onchain with signature verification and rollback protection.

Parameters:

  • ca (CA): Certificate Authority type - CA.PROCESSOR or CA.PLATFORM
  • crl (bytes): DER-encoded CRL

Returns:

  • attestationId (bytes32): The attestation ID returned by the resolver

upsertRootCACrl

function upsertRootCACrl(bytes calldata rootcacrl) external returns (bytes32 attestationId)

Upserts (inserts or updates) the Root CA Certificate Revocation List onchain with signature verification and rollback protection.

Parameters:

  • rootcacrl (bytes): DER-encoded Root CA CRL

Returns:

  • attestationId (bytes32): The attestation ID returned by the resolver

Reverts

ErrorSelectorNotes
Missing_Certificate(CA ca)33247a8aCertificate not found for the specified CA
Invalid_PCK_CA(CA ca)9849e774Invalid CA parameter for PCK CRL operations
Root_Key_Mismatch()e1406f79Root CA public key does not match expected Intel key
Certificate_Revoked(CA ca, uint256 serialNum)291990cdCertificate has been revoked
Certificate_Expired(CA ca)5f066611Certificate has expired
Crl_Expired(CA ca)6d8932adCRL has expired
Invalid_Issuer_Name()1e7ab599Certificate/CRL issuer name does not match expected value
Invalid_Subject_Name()92ec707eCertificate subject name does not match expected value
Expired_Certificates()e6612a12Certificate/CRL timestamps are invalid
TCB_Mismatch()4a629e24TCB values do not match
Missing_Issuer()cd69d374Issuer certificate not found
Invalid_Signature()e7ef341fSignature verification failed
Certificate_Out_Of_Date()9f4daa9eAttempting to upsert older certificate/CRL

Contract Addresses

Contracts shown here are compatible with both v1.0 and v1.1 deployments.

Contract Addresses

Contracts shown here are compatible with both v1.0 and v1.1 deployments.

On this page

SummaryMethodsgetCertificateByIdupsertPcsCertificatesupsertPckCrlupsertRootCACrlReverts