提交 a29c5c58 编写于 作者: Y YiLin.Li 提交者: jia zhang

rune/libenclave: support IAS V4 API

Support both IAS API V3 and V4.
Signed-off-by: NYilin Li <YiLin.Li@linux.alibaba.com>
上级 c5c43d6a
package ias package ias
const ( const (
apiVersion = 3 apiV3 = 3
apiV4 = 4
)
var (
apiVersion uint64 = apiV4
) )
type evidencePayload struct { type evidencePayload struct {
...@@ -22,4 +27,8 @@ type verificationReport struct { ...@@ -22,4 +27,8 @@ type verificationReport struct {
PlatformInfoBlob string `json:"platformInfoBlob,omitempty"` PlatformInfoBlob string `json:"platformInfoBlob,omitempty"`
Nonce string `json:"nonce,omitempty"` Nonce string `json:"nonce,omitempty"`
EpidPseudonym string `json:"epidPseudonym,omitempty"` EpidPseudonym string `json:"epidPseudonym,omitempty"`
// V4 fields
AdvisoryIds string `json:"advisoryURL,omitempty"`
AdvisoryUrl []string `json:"advisoryIDs,omitempty"`
} }
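Review bot: The two V4 fields added at the end of `verificationReport` have their names crossed relative to their JSON tags: `AdvisoryIds` is a `string` decoded from `advisoryURL`, and `AdvisoryUrl` is a `[]string` decoded from `advisoryIDs`. The types fit the tags, so decoding works, but anyone who trusts the field names will read the wrong value when deciding whether an advisory was supplied. I would rename them to match the tags, ``AdvisoryURL string `json:"advisoryURL,omitempty"` `` and ``AdvisoryIDs []string `json:"advisoryIDs,omitempty"` ``, and change the V4 check in `checkVerificationReport` to `report.AdvisoryURL == "" || len(report.AdvisoryIDs) == 0`. The `len` form also rejects an empty array, which the current `== nil` comparison lets through. The struct begins outside the hunk.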
...@@ -86,7 +86,17 @@ func (reg *iasRegistry) Create(p map[string]string) (*attest.Service, error) { ...@@ -86,7 +86,17 @@ func (reg *iasRegistry) Create(p map[string]string) (*attest.Service, error) {
if !isProduct { if !isProduct {
url += "/dev" url += "/dev"
} }
url += "/attestation/v3/report"
apiVer := attest.GetParameter("apiVer", p)
if apiVer != "" {
apiVersion, err = strconv.ParseUint(apiVer, 10, 32)
if err != nil {
return nil, fmt.Errorf("Invalid IAS API Version: %s", err)
} else if apiVersion != apiV3 && apiVersion != apiV4 {
return nil, fmt.Errorf("Unsupported IAS API Version: %s", apiVer)
}
}
url += fmt.Sprintf("/attestation/v%d/report", apiVersion)
ias := &iasService{ ias := &iasService{
reportApiUrl: url, reportApiUrl: url,
...@@ -335,7 +345,7 @@ func checkVerificationReport(resp *http.Response, quote []byte, nonce string) (* ...@@ -335,7 +345,7 @@ func checkVerificationReport(resp *http.Response, quote []byte, nonce string) (*
status.timestamp = report.Timestamp status.timestamp = report.Timestamp
status.quoteStatus = report.IsvEnclaveQuoteStatus status.quoteStatus = report.IsvEnclaveQuoteStatus
if report.Version != apiVersion { if report.Version != (uint32)(apiVersion) {
return status, fmt.Errorf("Unsupported attestation API version %d in attesation verification report", return status, fmt.Errorf("Unsupported attestation API version %d in attesation verification report",
report.Version) report.Version)
} }
...@@ -354,9 +364,12 @@ func checkVerificationReport(resp *http.Response, quote []byte, nonce string) (* ...@@ -354,9 +364,12 @@ func checkVerificationReport(resp *http.Response, quote []byte, nonce string) (*
if report.IsvEnclaveQuoteStatus == "GROUP_OUT_OF_DATE" || if report.IsvEnclaveQuoteStatus == "GROUP_OUT_OF_DATE" ||
report.IsvEnclaveQuoteStatus == "CONFIGURATION_NEEDED" { report.IsvEnclaveQuoteStatus == "CONFIGURATION_NEEDED" {
if resp.Header.Get("Advisory-Ids") == "" || if report.Version == apiV3 {
resp.Header.Get("Advisory-Url") == "" { if resp.Header.Get("Advisory-Ids") == "" || resp.Header.Get("Advisory-Url") == "" {
return status, fmt.Errorf("Advisory-Ids or Advisory-Url is not present in response header") return status, fmt.Errorf("Advisory-Ids or Advisory-Url is not present in response header")
}
} else if report.Version == apiV4 && (report.AdvisoryIds == "" || report.AdvisoryUrl == nil) {
return status, fmt.Errorf("Advisory-Ids or Advisory-Url is not present in attestation verification report")
} }
} }
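Review bot: `Create` assigns the parsed value to the package-level `apiVersion` before validating it, so a rejected request (for example `apiVer=5`) still leaves the global at 5, and a later `Create` without `apiVer` would build a `/attestation/v5/report` URL. Parse into a local first (`v, err := strconv.ParseUint(apiVer, 10, 32)`), test `v != apiV3 && v != apiV4`, and assign `apiVersion = v` only after that passes. Because `checkVerificationReport` compares `report.Version` against the same global, two services created with different versions in one process would both be checked against whichever was created last. Keeping the version on the `iasService` and passing it into the check would avoid that, and would also avoid an unsynchronised write if `Create` can run concurrently. Both functions extend beyond the hunks shown.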
......