You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The certificate decoding procedure in the attestation API should consider using a more robust implementation, possibly based on CURL lib (see https://curl.se/libcurl/c/curl_unescape.html).
Problem: IAS certificates are downloaded and saved in URL encoded form, then passed the attestation API in C++, where they are decoded. The decoder uses an optimistic procedure, which is not robust. A better approach would require libcurl. However, this is currently not available inside FPC enclaves.
The text was updated successfully, but these errors were encountered:
Interesting problem. My understanding is that the certificate decoding happens in the verify_evidence path of our attestation API, which is used by ERCC when registerEnclave is called. Is that correct?
In that case, the entire verify_evidence logic is actually not executed inside an FPC enclave. That said, the use of libcurl should be possible. However, maybe the code is currently structured that this logic also compiles for FPC enclaves and, thus, would require some refactoring.
Another solution I can imagine is to provide a pure-go implementation of verify_evidence, this seems similar to our recent efforts to cut the cgo dependency for the FPC Client SDK. That is, we should be able to have a pure-go ERCC implementation, which will simplify its deployment as we get rid of the requirement to use external service model here.
Interesting problem. My understanding is that the certificate decoding happens in the verify_evidence path of our attestation API, which is used by ERCC when registerEnclave is called. Is that correct?
Right.
In that case, the entire verify_evidence logic is actually not executed inside an FPC enclave. That said, the use of libcurl should be possible.
Good point.
However, maybe the code is currently structured that this logic also compiles for FPC enclaves and, thus, would require some refactoring.
That's what I was thinking, so I would not attempt the libcurl path right away.
Yet another approach to consider is to do the decoding at conversion time in the attestation api.
The certificate decoding procedure in the attestation API should consider using a more robust implementation, possibly based on CURL lib (see https://curl.se/libcurl/c/curl_unescape.html).
Problem: IAS certificates are downloaded and saved in URL encoded form, then passed the attestation API in C++, where they are decoded. The decoder uses an optimistic procedure, which is not robust. A better approach would require libcurl. However, this is currently not available inside FPC enclaves.
The text was updated successfully, but these errors were encountered: