Enhance certificate decoding in attestation API #651

Open
bvavala opened this issue Jan 26, 2022 · 3 comments
Labels
enhancement New feature or request feature

Comments

@bvavala
Contributor

bvavala commented Jan 26, 2022

The certificate decoding procedure in the attestation API should consider using a more robust implementation, possibly based on CURL lib (see https://curl.se/libcurl/c/curl_unescape.html).

Problem: IAS certificates are downloaded and saved in URL-encoded form, then passed to the attestation API in C++, where they are decoded. The decoder uses an optimistic procedure, which is not robust. A better approach would require libcurl. However, this is currently not available inside FPC enclaves.

@bvavala bvavala added the enhancement New feature or request label Jan 26, 2022
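
A strict percent-decoder of the kind the issue asks for, written without libcurl so that it could also compile where libcurl is unavailable. This is an added example, not part of the issue or the project's code; the names `hex_val`, `strict_url_decode` and `kSample`, the sample input, and the rule that raw bytes outside printable ASCII are rejected are assumptions.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical helpers, not part of the FPC attestation API.
// Hex value of c, or -1 if c is not a hex digit.
static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Strict percent-decoding: fail instead of guessing. Rejects
//  - '%' not followed by two hex digits (truncated or malformed escape),
//  - an escape decoding to NUL (would truncate C-string consumers),
//  - raw bytes outside printable ASCII (assumed never valid in this input).
bool strict_url_decode(const std::string& in, std::string& out) {
    std::string buf;
    buf.reserve(in.size());
    for (std::size_t i = 0; i < in.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(in[i]);
        if (c == '%') {
            if (in.size() - i < 3) return false;  // escape cut short
            int hi = hex_val(in[i + 1]), lo = hex_val(in[i + 2]);
            if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) return false;
            buf.push_back(static_cast<char>(hi * 16 + lo));
            i += 2;
        } else if (c > 0x20 && c < 0x7f) {
            buf.push_back(static_cast<char>(c));
        } else {
            return false;
        }
    }
    out.swap(buf);  // out is only modified on success
    return true;
}

// Constructed sample (not a real certificate), in URL-encoded form.
static const char* kSample =
    "-----BEGIN%20CERTIFICATE-----%0AMIIB%2Bw%3D%3D%0A-----END%20CERTIFICATE-----%0A";

int main() {
    std::string pem;
    if (!strict_url_decode(kSample, pem)) return 1;
    std::cout << pem;
    return strict_url_decode("-----BEGIN%2", pem) ? 1 : 0;  // truncated: rejected
}
```
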
@mbrandenburger
Contributor

mbrandenburger commented Jan 27, 2022

Interesting problem. My understanding is that the certificate decoding happens in the verify_evidence path of our attestation API, which is used by ERCC when registerEnclave is called. Is that correct?

In that case, the entire verify_evidence logic is actually not executed inside an FPC enclave. That said, the use of libcurl should be possible. However, maybe the code is currently structured so that this logic also compiles for FPC enclaves and, thus, would require some refactoring.

@mbrandenburger
Contributor

Another solution I can imagine is to provide a pure-Go implementation of verify_evidence; this seems similar to our recent efforts to cut the cgo dependency for the FPC Client SDK. That is, we should be able to have a pure-Go ERCC implementation, which will simplify its deployment as we get rid of the requirement to use the external service model here.

@bvavala
Contributor Author

bvavala commented Jan 31, 2022

> Interesting problem. My understanding is that the certificate decoding happens in the verify_evidence path of our attestation API, which is used by ERCC when registerEnclave is called. Is that correct?

Right.

> In that case, the entire verify_evidence logic is actually not executed inside an FPC enclave. That said, the use of libcurl should be possible.

Good point.

> However, maybe the code is currently structured so that this logic also compiles for FPC enclaves and, thus, would require some refactoring.

That's what I was thinking, so I would not attempt the libcurl path right away.

Yet another approach to consider is to do the decoding at conversion time in the attestation API.
