From a29c5c582281145bdd20f5e9a2343a8eb7ebbeb5 Mon Sep 17 00:00:00 2001
From: "YiLin.Li"
Date: Wed, 8 Jul 2020 14:05:52 +0000
Subject: [PATCH] rune/libenclave: support IAS V4 API

Both Support IAS API V3 and V4.

Signed-off-by: Yilin Li
---
 rune/libenclave/attestation/sgx/ias/api.go | 11 ++++++++++-
 rune/libenclave/attestation/sgx/ias/ias.go | 23 +++++++++++++++++-----
 2 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/rune/libenclave/attestation/sgx/ias/api.go b/rune/libenclave/attestation/sgx/ias/api.go
index 2d10737..aa19075 100644
--- a/rune/libenclave/attestation/sgx/ias/api.go
+++ b/rune/libenclave/attestation/sgx/ias/api.go
@@ -1,7 +1,12 @@
 package ias
 
 const (
-	apiVersion = 3
+	apiV3 = 3
+	apiV4 = 4
+)
+
+var (
+	apiVersion uint64 = apiV4
 )
 
 type evidencePayload struct {
@@ -22,4 +27,8 @@ type verificationReport struct {
 	PlatformInfoBlob string `json:"platformInfoBlob,omitempty"`
 	Nonce string `json:"nonce,omitempty"`
 	EpidPseudonym string `json:"epidPseudonym,omitempty"`
+
+	// V4 fields
+	AdvisoryIds string `json:"advisoryURL,omitempty"`
+	AdvisoryUrl []string `json:"advisoryIDs,omitempty"`
 }
diff --git a/rune/libenclave/attestation/sgx/ias/ias.go b/rune/libenclave/attestation/sgx/ias/ias.go
index 7729773..c3314d6 100644
--- a/rune/libenclave/attestation/sgx/ias/ias.go
+++ b/rune/libenclave/attestation/sgx/ias/ias.go
@@ -86,7 +86,17 @@ func (reg *iasRegistry) Create(p map[string]string) (*attest.Service, error) {
 	if !isProduct {
 		url += "/dev"
 	}
-	url += "/attestation/v3/report"
+
+	apiVer := attest.GetParameter("apiVer", p)
+	if apiVer != "" {
+		apiVersion, err = strconv.ParseUint(apiVer, 10, 32)
+		if err != nil {
+			return nil, fmt.Errorf("Invalid IAS API Version: %s", err)
+		} else if apiVersion != apiV3 && apiVersion != apiV4 {
+			return nil, fmt.Errorf("Unsupported IAS API Version: %s", apiVer)
+		}
+	}
+	url += fmt.Sprintf("/attestation/v%d/report", apiVersion)
 
 	ias := &iasService{
 		reportApiUrl: url,
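Review bot: The two V4 fields in verificationReport have their names and JSON tags crossed: `AdvisoryIds string` carries the tag `advisoryURL` and `AdvisoryUrl []string` carries `advisoryIDs`, so after decoding the field called AdvisoryIds holds the advisory URL string and AdvisoryUrl holds the list of advisory IDs. Decoding still succeeds because each Go type happens to match the JSON type behind its tag, which is why the presence check in the `@@ -354` hunk of ias.go (`report.AdvisoryIds == "" || report.AdvisoryUrl == nil`) works, but that check gates whether a GROUP_OUT_OF_DATE or CONFIGURATION_NEEDED report is accepted, and any later code reading these fields by name will get the wrong value. Rename the fields so they agree with their tags and with Go's initialism convention: `AdvisoryIDs []string` with tag `json:"advisoryIDs,omitempty"` and `AdvisoryURL string` with tag `json:"advisoryURL,omitempty"`, and change the ias.go check to `report.AdvisoryURL == "" || len(report.AdvisoryIDs) == 0`. The rest of verificationReport is declared before this hunk.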
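Review bot: `apiVersion, err = strconv.ParseUint(apiVer, 10, 32)` writes the per-service "apiVer" parameter into the package-level `var apiVersion` introduced in api.go, so the selected version becomes process-global mutable state: a second Create with a different apiVer overwrites the first service's setting, concurrent Create calls race on the variable, and checkVerificationReport (hunk `@@ -335` in this file) compares `report.Version` against whatever was assigned last rather than the version this service requested. Parse into a local, store it on the iasService built at the end of this hunk, and have checkVerificationReport read it from the service; the iasService struct and the rest of Create are outside the hunk, and `err` is presumably declared earlier in Create. Two smaller points on the same lines: the `else if` after a `return` reads better as a plain `if`, and Go error strings should be lowercase and wrap the cause with `%w` (if the module's Go version allows it) rather than `%s`.
```go
	// Default to V4; the "apiVer" parameter may select V3 or V4 explicitly.
	ver := uint64(apiV4)
	if apiVer := attest.GetParameter("apiVer", p); apiVer != "" {
		v, err := strconv.ParseUint(apiVer, 10, 32)
		if err != nil {
			return nil, fmt.Errorf("invalid IAS API version %q: %w", apiVer, err)
		}
		if v != apiV3 && v != apiV4 {
			return nil, fmt.Errorf("unsupported IAS API version %q", apiVer)
		}
		ver = v
	}
	url += fmt.Sprintf("/attestation/v%d/report", ver)

	ias := &iasService{
		reportApiUrl: url,
		// … unchanged: remaining fields; add a per-service version field (name to be chosen) set from ver …
```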
@@ -335,7 +345,7 @@ func checkVerificationReport(resp *http.Response, quote []byte, nonce string) (*
 	status.timestamp = report.Timestamp
 	status.quoteStatus = report.IsvEnclaveQuoteStatus
 
-	if report.Version != apiVersion {
+	if report.Version != (uint32)(apiVersion) {
 		return status, fmt.Errorf("Unsupported attestation API version %d in attesation verification report", report.Version)
 	}
 
@@ -354,9 +364,12 @@ func checkVerificationReport(resp *http.Response, quote []byte, nonce string) (*
 	if report.IsvEnclaveQuoteStatus == "GROUP_OUT_OF_DATE" ||
 		report.IsvEnclaveQuoteStatus == "CONFIGURATION_NEEDED" {
-		if resp.Header.Get("Advisory-Ids") == "" ||
-			resp.Header.Get("Advisory-Url") == "" {
-			return status, fmt.Errorf("Advisory-Ids or Advisory-Url is not present in response header")
+		if report.Version == apiV3 {
+			if resp.Header.Get("Advisory-Ids") == "" || resp.Header.Get("Advisory-Url") == "" {
+				return status, fmt.Errorf("Advisory-Ids or Advisory-Url is not present in response header")
+			}
+		} else if report.Version == apiV4 && (report.AdvisoryIds == "" || report.AdvisoryUrl == nil) {
+			return status, fmt.Errorf("Advisory-Ids or Advisory-Url is not present in attestation verification report")
 		}
 	}
-- 
GitLab
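Review bot: `(uint32)(apiVersion)` is an unidiomatic spelling of a plain conversion; write `if report.Version != uint32(apiVersion) {`. The narrowing from uint64 is only safe because Create restricts apiVersion to 3 or 4 via ParseUint with bitSize 32, which this line relies on implicitly; a short comment stating that would help the next reader. While touching the line, the unchanged error message directly below has a typo, `attesation` should read `attestation`. checkVerificationReport begins before this hunk and continues after it.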