diff --git a/rune/libenclave/attestation/sgx/ias/api.go b/rune/libenclave/attestation/sgx/ias/api.go
index 2d10737ade1998fbead3c9bee14cac792d2a5cac..aa19075b4fc3fb39504f112f5baccd4c83d9d29e 100644
--- a/rune/libenclave/attestation/sgx/ias/api.go
+++ b/rune/libenclave/attestation/sgx/ias/api.go
@@ -1,7 +1,12 @@
 package ias
 
 const (
- apiVersion = 3
+ apiV3 = 3
+ apiV4 = 4
+)
+
+var (
+ apiVersion uint64 = apiV4
 )
 
 type evidencePayload struct {
@@ -22,4 +27,8 @@ type verificationReport struct {
 PlatformInfoBlob string `json:"platformInfoBlob,omitempty"`
 Nonce string `json:"nonce,omitempty"`
 EpidPseudonym string `json:"epidPseudonym,omitempty"`
+
+ // V4 fields
+ AdvisoryIds string `json:"advisoryURL,omitempty"`
+ AdvisoryUrl []string `json:"advisoryIDs,omitempty"`
 }
diff --git a/rune/libenclave/attestation/sgx/ias/ias.go b/rune/libenclave/attestation/sgx/ias/ias.go
index 7729773cd97c98cc363c85cd4d4d0a4c13698932..c3314d62501b387be3e6811863e0c451f45fda1c 100644
--- a/rune/libenclave/attestation/sgx/ias/ias.go
+++ b/rune/libenclave/attestation/sgx/ias/ias.go
@@ -86,7 +86,17 @@ func (reg *iasRegistry) Create(p map[string]string) (*attest.Service, error) {
 if !isProduct {
 url += "/dev"
 }
- url += "/attestation/v3/report"
+
+ apiVer := attest.GetParameter("apiVer", p)
+ if apiVer != "" {
+ apiVersion, err = strconv.ParseUint(apiVer, 10, 32)
+ if err != nil {
+ return nil, fmt.Errorf("Invalid IAS API Version: %s", err)
+ } else if apiVersion != apiV3 && apiVersion != apiV4 {
+ return nil, fmt.Errorf("Unsupported IAS API Version: %s", apiVer)
+ }
+ }
+ url += fmt.Sprintf("/attestation/v%d/report", apiVersion)
 
 ias := &iasService{
 reportApiUrl: url,
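Review bot: The new `apiVersion` variable in the api.go `var` block carries no comment, and nothing at the declaration tells a reader that it is process-wide mutable state that `Create` in ias.go overwrites from the `apiVer` parameter and that `checkVerificationReport` later compares reports against; seen in this file alone it reads like a constant that was merely re-typed. Propose `// apiVersion is the IAS attestation API version used to build the report URL and to validate the version of returned reports; it defaults to apiV4 and Create overwrites it when an "apiVer" parameter is supplied.` above the declaration. Whether a mutable global is the right home for what is really a per-registration setting is raised on the Create hunk of ias.go.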
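Review bot: The two V4 fields added to `verificationReport` are mislabeled: `AdvisoryIds` is a `string` tagged `json:"advisoryURL"` and `AdvisoryUrl` is a `[]string` tagged `json:"advisoryIDs"`, so each field name contradicts both its tag and its type. Decoding still works because the types follow the tags, but anyone reading `report.AdvisoryIds` will assume it holds the ID list. Propose `AdvisoryURL string` with tag `json:"advisoryURL,omitempty"` and `AdvisoryIDs []string` with tag `json:"advisoryIDs,omitempty"` (Go initialism casing), updating the two uses in the checkVerificationReport hunk of ias.go to match. The `// V4 fields` comment would be more useful as `// V4 fields: v4 reports carry the advisory data in the body; v3 delivers the same data in the Advisory-Ids and Advisory-Url response headers.`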
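Review bot: `apiVersion, err = strconv.ParseUint(apiVer, 10, 32)` writes the parsed value into the package-level variable before it is validated, so a Create call with an unsupported value such as 5 returns an error but leaves `apiVersion` at 5 for every later Create that omits the parameter and for `checkVerificationReport`, which compares against the same global; repeated Create calls with different values likewise overwrite each other because the version is never tied to the `iasService` being built. Parse into a local, validate, and only then publish the value, as below; the cleaner fix of keeping the version on the service and passing it to checkVerificationReport touches the struct and function outside this hunk. The `} else if` following a `return` can be a flat `if`, and `%s` on an error is better spelled `%v`. Create begins and ends outside the hunk, so whether an `err` is already declared for the `=` assignment cannot be confirmed here.
```go
	if apiVer := attest.GetParameter("apiVer", p); apiVer != "" {
		ver, err := strconv.ParseUint(apiVer, 10, 32)
		if err != nil {
			return nil, fmt.Errorf("Invalid IAS API Version: %v", err)
		}
		if ver != apiV3 && ver != apiV4 {
			return nil, fmt.Errorf("Unsupported IAS API Version: %s", apiVer)
		}
		apiVersion = ver // publish only a validated value
	}
	url += fmt.Sprintf("/attestation/v%d/report", apiVersion)
	// … unchanged: iasService construction …
```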
@@ -335,7 +345,7 @@ func checkVerificationReport(resp *http.Response, quote []byte, nonce string) (*
 status.timestamp = report.Timestamp
 status.quoteStatus = report.IsvEnclaveQuoteStatus
 
- if report.Version != apiVersion {
+ if report.Version != (uint32)(apiVersion) {
 return status, fmt.Errorf("Unsupported attestation API version %d in attesation verification report", report.Version)
 }
 
@@ -354,9 +364,12 @@ func checkVerificationReport(resp *http.Response, quote []byte, nonce string) (*
 
 if report.IsvEnclaveQuoteStatus == "GROUP_OUT_OF_DATE" ||
 report.IsvEnclaveQuoteStatus == "CONFIGURATION_NEEDED" {
- if resp.Header.Get("Advisory-Ids") == "" ||
- resp.Header.Get("Advisory-Url") == "" {
- return status, fmt.Errorf("Advisory-Ids or Advisory-Url is not present in response header")
+ if report.Version == apiV3 {
+ if resp.Header.Get("Advisory-Ids") == "" || resp.Header.Get("Advisory-Url") == "" {
+ return status, fmt.Errorf("Advisory-Ids or Advisory-Url is not present in response header")
+ }
+ } else if report.Version == apiV4 && (report.AdvisoryIds == "" || report.AdvisoryUrl == nil) {
+ return status, fmt.Errorf("Advisory-Ids or Advisory-Url is not present in attestation verification report")
 }
 }
 
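Review bot: `(uint32)(apiVersion)` is a C-style spelling of a Go conversion; the idiomatic line is `if report.Version != uint32(apiVersion) {`. The comparison also reads the package-level `apiVersion` rather than anything belonging to the service that issued the request, so a report is judged against whatever the most recent Create set, which is the same concern raised on the Create hunk. checkVerificationReport starts and ends outside this hunk.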
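Review bot: `report.AdvisoryUrl == nil` on the v4 branch lets an empty list through: a JSON `"advisoryIDs": []` decodes to a non-nil zero-length slice, so a GROUP_OUT_OF_DATE or CONFIGURATION_NEEDED report that names no advisories passes the presence check that the v3 branch enforces on the headers. Use `} else if report.Version == apiV4 && (report.AdvisoryIds == "" || len(report.AdvisoryUrl) == 0) {`. The v4 error text still names the v3 headers Advisory-Ids/Advisory-Url although v4 carries the data in the body fields advisoryIDs/advisoryURL, so naming the body fields would make the failure easier to diagnose. A `switch report.Version` with explicit `case apiV3` and `case apiV4` arms would also make it visible that no other version is expected at this point, which currently relies on the version check earlier in the function; the enclosing function continues outside the hunk.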