def create_signup_info(originator_public_key_hash, nonce):
# Part of what is returned with the signup data is an enclave quote, we
# want to update the revocation list first.
update_sig_rl()
# Now, let the enclave create the signup data
signup_data = enclave.create_enclave_data(originator_public_key_hash)
if signup_data is None:
return None
# We don't really have any reason to call back down into the enclave
# as we have everything we now need. For other objects such as wait
# timer and certificate they are serialized into JSON down in C++ code.
#
# Start building up the signup info dictionary we will serialize
signup_info = {
'verifying_key': signup_data['verifying_key'],
'encryption_key': signup_data['encryption_key'],
'proof_data': 'Not present',
'enclave_persistent_id': 'Not present'
}
# If we are not running in the simulator, we are going to go and get
# an attestation verification report for our signup data.
if not enclave.is_sgx_simulator():
response = \
_ias.post_verify_attestation(
quote=signup_data['enclave_quote'],
nonce=nonce)
verification_report = response.get('verification_report')
if verification_report is None:
logger.warning('IAS response did not contain an AVR')
logger.warning('isvEnclaveQuoteStatus: %s', response.get('isvEnclaveQuoteStatus'))
return None
signature = response.get('signature')
if signature is None:
logger.warning('IAS response did not contain an AVR signature')
logger.warning('isvEnclaveQuoteStatus: %s', response.get('isvEnclaveQuoteStatus'))
return None
# Now put the proof data into the dictionary
signup_info['proof_data'] = \
json.dumps({
'verification_report': verification_report,
'signature': signature
})
# Grab the EPID psuedonym and put it in the enclave-persistent ID for the
# signup info
verification_report_dict = json.loads(verification_report)
signup_info['enclave_persistent_id'] = verification_report_dict.get('epidPseudonym')
# Now we can finally serialize the signup info and create a corresponding
# signup info object. Because we don't want the sealed signup data in the
# serialized version, we set it separately.
signup_info_obj = enclave.deserialize_signup_info(json.dumps(signup_info))
signup_info_obj.sealed_signup_data = signup_data['sealed_enclave_data']
# Now we can return the real object
return signup_info_obj
def create_signup_info(originator_public_key_hash, nonce):
# Part of what is returned with the signup data is an enclave quote, we
# want to update the revocation list first.
update_sig_rl()
# Now, let the enclave create the signup data
signup_data = enclave.create_enclave_data(originator_public_key_hash)
if signup_data is None:
return None
# We don't really have any reason to call back down into the enclave
# as we have everything we now need. For other objects such as wait
# timer and certificate they are serialized into JSON down in C++ code.
#
# Start building up the signup info dictionary we will serialize
signup_info = {
'interpreter': signup_data['interpreter'],
'verifying_key': signup_data['verifying_key'],
'encryption_key': signup_data['encryption_key'],
'proof_data': 'Not present',
'enclave_persistent_id': 'Not present'
}
# If we are not running in the simulator, we are going to go and get
# an attestation verification report for our signup data.
if not enclave.is_sgx_simulator():
logger.debug("posting verification to IAS")
response = _ias.post_verify_attestation(
quote=signup_data['enclave_quote'], nonce=nonce)
logger.debug("posted verification to IAS")
#check verification report
if not _ias.verify_report_fields(signup_data['enclave_quote'],
response['verification_report']):
logger.debug("last error: " + _ias.last_verification_error())
if _ias.last_verification_error() == "GROUP_OUT_OF_DATE":
logger.warning(
"failure GROUP_OUT_OF_DATE (update your BIOS/microcode!!!) keep going"
)
else:
logger.error("invalid report fields")
return None
#ALL checks have passed
logger.info("report fields verified")
# Now put the proof data into the dictionary
signup_info['proof_data'] = \
json.dumps({
'verification_report': response['verification_report'],
'certificates': response['ias_certificates'], # Note: this is a list with certification path, signer first
'signature': response['ias_signature']
})
# Grab the EPID psuedonym and put it in the enclave-persistent ID for the
# signup info
verification_report_dict = json.loads(response['verification_report'])
signup_info['enclave_persistent_id'] = verification_report_dict.get(
'epidPseudonym')
# Now we can finally serialize the signup info and create a corresponding
# signup info object. Because we don't want the sealed signup data in the
# serialized version, we set it separately.
signup_info_obj = enclave.deserialize_signup_info(json.dumps(signup_info))
signup_info_obj.sealed_signup_data = signup_data['sealed_enclave_data']
# Now we can return the real object
return signup_info_obj