TPM verifier qualifying_data uses old nonce formula (disagrees with provider)

[imran-siddique]

Summary

The TPM attestation verifier checks qualifying_data against the old nonce formula SHA-256(tee_public_key || session_id), which disagrees with the TPM provider and the rest of the verifier.

Details

• Provider (src/cmcp_runtime/tee/tpm.py:104) commits TPM2B_DATA(nonce[:32]) into the quote's qualifying_data — i.e. the first 32 bytes of the §3.3 nonce, the RFC 7638 JWK thumbprint of the TEE key.
• Verifier (src/cmcp_verify/tpm.py, _parse_tpm2b_attest) computed SHA-256(bytes.fromhex(tee_public_key_hex) + session_id) and compared that.
• Worse, the dispatcher (src/cmcp_verify/verify.py) passed cnf.jwk.x (base64url) into the param fed to bytes.fromhex(...), so the check raised ValueError and qualifying_data was never verified.

Net effect: provider and verifier disagree, and the TPM qualifying_data binding was dead.

Fix

Re-derive the JWK thumbprint from cnf.jwk.x in the dispatcher and compare it (constant-time) to the quote's qualifying_data, matching the generic CRYPTO-001 key binding and the SEV-SNP/TDX verifiers.

Remaining (needs real TPM hardware)

EK certificate-chain validation to the manufacturer CA is still stubbed (unverified_fields) and out of scope here.