def update_sig_rl():
    """Refresh the cached EPID signature revocation list (SigRL).

    The list is re-fetched only when it has never been fetched
    (``_sig_rl_update_time`` is unset/zero) or when more than
    ``_sig_rl_update_period`` seconds have elapsed since the last fetch.
    Under the SGX simulator no IAS request is made and an empty list is
    handed to the enclave.

    Side effects: caches the EPID group id in ``_epid_group`` on first use,
    pushes the list into the enclave through
    ``_pdo.set_signature_revocation_list`` and records the refresh time in
    ``_sig_rl_update_time``.
    """
    global _epid_group
    global _sig_rl_update_time
    global _sig_rl_update_period  # only read here; declaration kept for parity

    # Still fresh: nothing to do.  (The period is compared only when a
    # previous refresh time exists, so time.time() is not consulted otherwise.)
    if _sig_rl_update_time and (time.time() - _sig_rl_update_time) <= _sig_rl_update_period:
        return

    revocation_list = ""
    if not enclave.is_sgx_simulator():
        # The EPID group id comes from the enclave and is looked up once.
        if _epid_group is None:
            _epid_group = _pdo.get_epid_group()
        revocation_list = _ias.get_signature_revocation_lists(_epid_group)
        logger.debug("Received SigRl of {} bytes ".format(len(revocation_list)))

    # NOTE(review): the SigRL is forwarded to the enclave exactly as received
    # from IAS; presumably the enclave validates it before use — confirm.
    _pdo.set_signature_revocation_list(revocation_list)
    _sig_rl_update_time = time.time()
def create_signup_info(originator_public_key_hash, nonce):
    """Build the signup-info object for this enclave.

    Args:
        originator_public_key_hash: hash of the originator's public key,
            handed to ``enclave.create_enclave_data``.
        nonce: nonce sent to IAS together with the enclave quote.

    Returns:
        The object produced by ``enclave.deserialize_signup_info`` with its
        ``sealed_signup_data`` attribute set, or ``None`` when the enclave
        returns no signup data or the IAS response lacks a verification
        report or its signature.
    """
    # The signup data includes an enclave quote, so refresh the SigRL first.
    update_sig_rl()

    signup_data = enclave.create_enclave_data(originator_public_key_hash)
    if signup_data is None:
        return None

    # Nothing further is needed from the enclave; other objects (wait timer,
    # certificate) are serialized to JSON on the C++ side.
    signup_info = {
        'verifying_key': signup_data['verifying_key'],
        'encryption_key': signup_data['encryption_key'],
        'proof_data': 'Not present',
        'enclave_persistent_id': 'Not present'
    }

    # Outside the simulator an attestation verification report (AVR) is
    # requested from IAS for the quote.
    if not enclave.is_sgx_simulator():
        response = _ias.post_verify_attestation(
            quote=signup_data['enclave_quote'],
            nonce=nonce)

        # Both fields must be present; the first missing one aborts.
        required_fields = (
            ('verification_report', 'IAS response did not contain an AVR'),
            ('signature', 'IAS response did not contain an AVR signature'),
        )
        for field_name, warning in required_fields:
            if response.get(field_name) is None:
                logger.warning(warning)
                logger.warning('isvEnclaveQuoteStatus: %s',
                               response.get('isvEnclaveQuoteStatus'))
                return None
        verification_report = response['verification_report']
        signature = response['signature']

        # NOTE(review): the AVR signature is forwarded inside proof_data but
        # is not verified in this function; presumably the consumer of
        # proof_data checks it before trusting the report — confirm.
        signup_info['proof_data'] = json.dumps({
            'verification_report': verification_report,
            'signature': signature
        })

        # The EPID pseudonym from the AVR becomes the enclave-persistent id.
        report_fields = json.loads(verification_report)
        signup_info['enclave_persistent_id'] = report_fields.get('epidPseudonym')

    # The sealed signup data is deliberately kept out of the serialized form
    # and attached to the deserialized object afterwards.
    signup_info_obj = enclave.deserialize_signup_info(json.dumps(signup_info))
    signup_info_obj.sealed_signup_data = signup_data['sealed_enclave_data']
    return signup_info_obj
def create_signup_info(originator_public_key_hash, nonce):
    """Build the signup-info object for this enclave, verifying the IAS report.

    Args:
        originator_public_key_hash: hash of the originator's public key,
            handed to ``enclave.create_enclave_data``.
        nonce: nonce sent to IAS together with the enclave quote.

    Returns:
        The object produced by ``enclave.deserialize_signup_info`` with its
        ``sealed_signup_data`` attribute set, or ``None`` when the enclave
        returns no signup data or ``_ias.verify_report_fields`` rejects the
        report for any reason other than ``GROUP_OUT_OF_DATE``.

    Raises:
        KeyError: if the IAS response lacks ``verification_report``,
            ``ias_certificates`` or ``ias_signature`` (accessed directly).
    """
    # The signup data includes an enclave quote, so refresh the SigRL first.
    update_sig_rl()

    signup_data = enclave.create_enclave_data(originator_public_key_hash)
    if signup_data is None:
        return None

    # Nothing further is needed from the enclave; other objects (wait timer,
    # certificate) are serialized to JSON on the C++ side.
    signup_info = {
        'interpreter': signup_data['interpreter'],
        'verifying_key': signup_data['verifying_key'],
        'encryption_key': signup_data['encryption_key'],
        'proof_data': 'Not present',
        'enclave_persistent_id': 'Not present'
    }

    # Outside the simulator an attestation verification report (AVR) is
    # requested from IAS and its fields are checked against the quote.
    if not enclave.is_sgx_simulator():
        quote = signup_data['enclave_quote']

        logger.debug("posting verification to IAS")
        response = _ias.post_verify_attestation(quote=quote, nonce=nonce)
        logger.debug("posted verification to IAS")

        verification_report = response['verification_report']
        if not _ias.verify_report_fields(quote, verification_report):
            logger.debug("last error: " + _ias.last_verification_error())
            if _ias.last_verification_error() != "GROUP_OUT_OF_DATE":
                logger.error("invalid report fields")
                return None
            # Deliberate policy: a platform whose TCB IAS reports as out of
            # date is accepted with a warning rather than rejected.  Any
            # consumer of proof_data wanting a stricter policy must re-check
            # the AVR status itself.
            logger.warning(
                "failure GROUP_OUT_OF_DATE (update your BIOS/microcode!!!) keep going")
        logger.info("report fields verified")

        signup_info['proof_data'] = json.dumps({
            'verification_report': verification_report,
            # Certification path, signer first.
            'certificates': response['ias_certificates'],
            'signature': response['ias_signature']
        })

        # The EPID pseudonym from the AVR becomes the enclave-persistent id.
        report_fields = json.loads(verification_report)
        signup_info['enclave_persistent_id'] = report_fields.get('epidPseudonym')

    # The sealed signup data is deliberately kept out of the serialized form
    # and attached to the deserialized object afterwards.
    signup_info_obj = enclave.deserialize_signup_info(json.dumps(signup_info))
    signup_info_obj.sealed_signup_data = signup_data['sealed_enclave_data']
    return signup_info_obj