feat(nitro-verifier): add revoker role for automated cert revocation

interfaces/multiproof/tee/INitroEnclaveVerifier.sol

@@ -160,6 +160,12 @@ interface INitroEnclaveVerifier {
      */
     function proofSubmitter() external view returns (address);
 
+    /**
+     * @dev Returns the address authorized to revoke intermediate certificates
+     * @return Address of the revoker (address(0) if disabled)
+     */
+    function revoker() external view returns (address);
+
     /**
      * @dev Retrieves the configuration for a specific coprocessor
      * @param _zkCoProcessor Type of ZK coprocessor (RiscZero or Succinct)
@@ -227,6 +233,15 @@ interface INitroEnclaveVerifier {
      */
     function setProofSubmitter(address _proofSubmitter) external;
 
+    /**
+     * @dev Updates the revoker address
+     * @param _newRevoker New revoker address (can be address(0) to disable the revoker role)
+     *
+     * Requirements:
+     * - Only callable by contract owner
+     */
+    function setRevoker(address _newRevoker) external;
+
     /**
      * @dev Configures the zero-knowledge verification parameters for a specific coprocessor
      * @param _zkCoProcessor Type of ZK coprocessor (RiscZero or Succinct)
@@ -249,7 +264,7 @@ interface INitroEnclaveVerifier {
      * @param _certHash Hash of the certificate to revoke
      *
      * Requirements:
-     * - Only callable by contract owner
+     * - Only callable by contract owner or revoker
      * - Certificate must exist in the trusted set
      */
     function revokeCert(bytes32 _certHash) external;

scripts/multiproof/DeployRiscZeroStack.s.sol

@@ -131,13 +131,15 @@ contract DeployRiscZeroStack is Script {
 
         // Use owner as placeholder proofSubmitter; must be updated to TEEProverRegistry
         // address after deployment via setProofSubmitter().
+        // Revoker starts as address(0); must be set via setRevoker() after deployment.
         NitroEnclaveVerifier nev = new NitroEnclaveVerifier(
             owner,
             NITRO_MAX_TIME_DIFF,
             trustedCerts,
             trustedCertExpiries,
             nitroRootCert,
             owner,
+            address(0),
             ZkCoProcessorType.RiscZero,
             zkConfig,
             bytes32(0)

snapshots/abi/NitroEnclaveVerifier.json

@@ -31,6 +31,11 @@
         "name": "initialProofSubmitter",
         "type": "address"
       },
+      {
+        "internalType": "address",
+        "name": "initialRevoker",
+        "type": "address"
+      },
       {
         "internalType": "enum ZkCoProcessorType",
         "name": "zkCoProcessor",
@@ -416,6 +421,19 @@
     "stateMutability": "nonpayable",
     "type": "function"
   },
+  {
+    "inputs": [],
+    "name": "revoker",
+    "outputs": [
+      {
+        "internalType": "address",
+        "name": "",
+        "type": "address"
+      }
+    ],
+    "stateMutability": "view",
+    "type": "function"
+  },
   {
     "inputs": [],
     "name": "rootCert",
@@ -455,6 +473,19 @@
     "stateMutability": "nonpayable",
     "type": "function"
   },
+  {
+    "inputs": [
+      {
+        "internalType": "address",
+        "name": "newRevoker",
+        "type": "address"
+      }
+    ],
+    "name": "setRevoker",
+    "outputs": [],
+    "stateMutability": "nonpayable",
+    "type": "function"
+  },
   {
     "inputs": [
       {
@@ -881,6 +912,19 @@
     "name": "ProofSubmitterChanged",
     "type": "event"
   },
+  {
+    "anonymous": false,
+    "inputs": [
+      {
+        "indexed": true,
+        "internalType": "address",
+        "name": "newRevoker",
+        "type": "address"
+      }
+    ],
+    "name": "RevokerUpdated",
+    "type": "event"
+  },
   {
     "anonymous": false,
     "inputs": [
@@ -1010,6 +1054,11 @@
     "name": "AlreadyInitialized",
     "type": "error"
   },
+  {
+    "inputs": [],
+    "name": "CallerNotOwnerOrRevoker",
+    "type": "error"
+  },
   {
     "inputs": [],
     "name": "CallerNotProofSubmitter",

snapshots/semver-lock.json

@@ -236,8 +236,8 @@
     "sourceCodeHash": "0x032f11e23c188b939ba6cbdc446271b0caad2f4da00535b164a3489291162762"
   },
   "src/multiproof/tee/NitroEnclaveVerifier.sol:NitroEnclaveVerifier": {
-    "initCodeHash": "0xac14e4b9130c476ba4ab77ecf70b36153921a9fe6ef3ab96c825aba8d9d18473",
-    "sourceCodeHash": "0x03614e89919c06e56e91b217702345edf74755c12c082475c4c742f45c201415"
+    "initCodeHash": "0xe94739c3fe1d693ea3022804cea2a0d063ed954fbdbbf1d60d79090e8edbdc64",
+    "sourceCodeHash": "0x9f9ac5cdff6e537cf1ac70700e060a4c984c17aa3bd50e2f44cee4448dda1a88"
   },
   "src/multiproof/tee/TEEProverRegistry.sol:TEEProverRegistry": {
     "initCodeHash": "0xfaec22f48eeef0f4ee0575b0e91028a1330fbf6faf52c2fce0f68b500a023970",

snapshots/storageLayout/NitroEnclaveVerifier.json

@@ -6,46 +6,53 @@
     "slot": "0",
     "type": "address"
   },
+  {
+    "bytes": "20",
+    "label": "revoker",
+    "offset": 0,
+    "slot": "1",
+    "type": "address"
+  },
   {
     "bytes": "32",
     "label": "zkConfig",
     "offset": 0,
-    "slot": "1",
+    "slot": "2",
     "type": "mapping(enum ZkCoProcessorType => struct ZkCoProcessorConfig)"
   },
   {
     "bytes": "32",
     "label": "trustedIntermediateCerts",
     "offset": 0,
-    "slot": "2",
+    "slot": "3",
     "type": "mapping(bytes32 => uint64)"
   },
   {
     "bytes": "8",
     "label": "maxTimeDiff",
     "offset": 0,
-    "slot": "3",
+    "slot": "4",
     "type": "uint64"
   },
   {
     "bytes": "32",
     "label": "rootCert",
     "offset": 0,
-    "slot": "4",
+    "slot": "5",
     "type": "bytes32"
   },
   {
     "bytes": "32",
     "label": "_zkVerifierRoutes",
     "offset": 0,
-    "slot": "5",
+    "slot": "6",
     "type": "mapping(enum ZkCoProcessorType => mapping(bytes4 => address))"
   },
   {
     "bytes": "32",
     "label": "_verifierProofIds",
     "offset": 0,
-    "slot": "6",
+    "slot": "7",
     "type": "mapping(enum ZkCoProcessorType => bytes32)"
   }
 ]

src/multiproof/tee/NitroEnclaveVerifier.sol

@@ -49,6 +49,9 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver {
     /// @dev Address that can submit proofs
     address public proofSubmitter;
 
+    /// @dev Address authorized to revoke intermediate certificates (in addition to owner)
+    address public revoker;
+
     /// @dev Configuration mapping for each supported ZK coprocessor type
     mapping(ZkCoProcessorType => ZkCoProcessorConfig) public zkConfig;
 
@@ -108,6 +111,9 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver {
     /// @dev Thrown when a zero address is provided for the verifier
     error InvalidVerifierAddress();
 
+    /// @dev Thrown when caller is neither the owner nor the revoker
+    error CallerNotOwnerOrRevoker();
+
     // ============ Events ============
 
     /// @dev Emitted when a new verifier program ID is added/updated
@@ -143,9 +149,18 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver {
     /// @dev Event emitted when the maximum time difference is updated
     event MaxTimeDiffUpdated(uint64 newMaxTimeDiff);
 
+    /// @dev Event emitted when the revoker address is updated
+    event RevokerUpdated(address indexed newRevoker);
+
     /// @dev Thrown when initializeTrustedCerts and initializeTrustedCertExpiries have different lengths
     error CertExpiriesLengthMismatch(uint256 certsLen, uint256 expiriesLen);
 
+    /// @dev Restricts access to the owner or the revoker
+    modifier onlyOwnerOrRevoker() {
+        if (msg.sender != owner() && msg.sender != revoker) revert CallerNotOwnerOrRevoker();
+        _;
+    }
+
     /**
      * @dev Initializes the contract with owner, time tolerance and initial trusted certificates
      * @param owner Address to be set as the contract owner
@@ -154,6 +169,7 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver {
      * @param initializeTrustedCertExpiries Array of notAfter timestamps (seconds) for each initial cert
      * @param initialRootCert Hash of the AWS Nitro Enclave root certificate
      * @param initialProofSubmitter Address that is authorized to submit proofs
+     * @param initialRevoker Address authorized to revoke intermediate certificates (can be address(0) to disable)
      * @param zkCoProcessor Type of ZK coprocessor to configure (RiscZero or Succinct)
      * @param config Configuration parameters for the ZK coprocessor
      * @param verifierProofId The verifierProofId corresponding to the verifierId in config
@@ -165,6 +181,7 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver {
         uint64[] memory initializeTrustedCertExpiries,
         bytes32 initialRootCert,
         address initialProofSubmitter,
+        address initialRevoker,
         ZkCoProcessorType zkCoProcessor,
         ZkCoProcessorConfig memory config,
         bytes32 verifierProofId
@@ -180,6 +197,7 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver {
         _initializeOwner(owner);
         _setRootCert(initialRootCert);
         _setProofSubmitter(initialProofSubmitter);
+        revoker = initialRevoker;
         _setZkConfiguration(zkCoProcessor, config, verifierProofId);
     }
 
@@ -321,13 +339,13 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver {
      * @param certHash Hash of the certificate to revoke
      *
      * Requirements:
-     * - Only callable by contract owner
+     * - Only callable by contract owner or revoker
      * - Certificate must exist in the trusted intermediate certificates set
      *
-     * This function allows the owner to revoke compromised intermediate certificates
+     * This function allows the owner or revoker to revoke compromised intermediate certificates
      * without affecting the root certificate or other trusted certificates.
      */
-    function revokeCert(bytes32 certHash) external onlyOwner {
+    function revokeCert(bytes32 certHash) external onlyOwnerOrRevoker {
         if (trustedIntermediateCerts[certHash] == 0) {
             revert CertificateNotFound(certHash);
         }
@@ -424,6 +442,18 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver {
         _setProofSubmitter(submitter);
     }
 
+    /**
+     * @dev Updates the revoker address
+     * @param newRevoker New revoker address (can be address(0) to disable the revoker role)
+     *
+     * Requirements:
+     * - Only callable by contract owner
+     */
+    function setRevoker(address newRevoker) external onlyOwner {
+        revoker = newRevoker;
+        emit RevokerUpdated(newRevoker);
+    }
+
     // ============ Verification Functions ============
 
     /**
@@ -662,8 +692,8 @@ contract NitroEnclaveVerifier is Ownable, INitroEnclaveVerifier, ISemver {
     }
 
     /// @notice Semantic version.
-    /// @custom:semver 0.2.0
+    /// @custom:semver 0.3.0
     function version() public pure virtual returns (string memory) {
-        return "0.2.0";
+        return "0.3.0";
     }
 }