Asylo
enclave_assertion_verifier.h
1 /*
2  *
3  * Copyright 2017 Asylo authors
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef ASYLO_IDENTITY_ENCLAVE_ASSERTION_VERIFIER_H_
20 #define ASYLO_IDENTITY_ENCLAVE_ASSERTION_VERIFIER_H_
21 
22 #include <string>
23 
24 #include "asylo/identity/enclave_assertion_authority.h"
25 #include "asylo/identity/identity.pb.h"
26 #include "asylo/platform/common/static_map.h"
27 #include "asylo/util/status.h"
28 #include "asylo/util/statusor.h"
29 
30 namespace asylo {
31 
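/// Defines an interface for assertion authorities that generate assertion
/// requests and verify assertions.
///
/// EnclaveAssertionVerifier cannot be instantiated; it is intended to be
/// derived from by classes that implement the EnclaveAssertionVerifier
/// interface for a particular identity type and authority type.
///
/// Derived classes of EnclaveAssertionVerifier must:
///   * Be marked final
///   * Be trivially default-constructible
///
/// Derived classes of EnclaveAssertionVerifier must also implement virtual
/// methods presented by EnclaveAssertionAuthority.
///
/// Each method below returns a non-OK Status when the verifier has not been
/// initialized or when an internal error occurs. Callers must therefore
/// inspect every result before acting on it, and must treat a non-OK result
/// as "not verified" rather than as a usable answer.
class EnclaveAssertionVerifier : public EnclaveAssertionAuthority {
 public:
  /// Creates an assertion request compatible with this verifier's identity type
  /// and authority type and places the result in `request`.
  ///
  /// \param[out] request The generated request.
  /// \return A Status indicating whether the request was created. Returns a
  ///         non-OK Status if this verifier is not initialized or if an
  ///         internal error occurs while attempting the operation.
  virtual Status CreateAssertionRequest(AssertionRequest *request) const = 0;

  /// Indicates whether the assertion offered in `offer` can be verified by this
  /// verifier.
  ///
  /// A true result only says that this verifier is able to check the offered
  /// assertion. It is not a verification result; the peer's identity is
  /// established only by a successful Verify() call.
  ///
  /// \param offer The assertion offer to examine.
  /// \return True if the offer can be verified, and false if no errors occurred
  ///         during the operation but `offer` cannot be verified. Returns a
  ///         non-OK Status if the verifier is not initialized or if an internal
  ///         error occurs while attempting the operation. Check that the
  ///         result is OK before reading the bool; a non-OK result carries no
  ///         answer and must not be treated as true.
  virtual StatusOr<bool> CanVerify(const AssertionOffer &offer) const = 0;

  /// Verifies an assertion that is compatible with this verifier's identity
  /// type and authority type.
  ///
  /// The verification operation verifies that the `assertion`'s identity claim
  /// is valid, and also checks that the assertion is bound to `user_data`. If
  /// verification succeeds, returns an OK Status and extracts the peer's
  /// identity into `peer_identity`. The caller cannot make any assumptions
  /// about the contents of `peer_identity` if verification fails.
  ///
  /// The returned Status is the only verification result. Check it before
  /// reading `peer_identity`, and discard `peer_identity` on any non-OK
  /// Status: its contents are unspecified in that case and must not feed an
  /// authorization decision.
  ///
  /// \param user_data User-provided binding data.
  /// \param assertion An assertion to verify.
  /// \param[out] peer_identity The identity extracted from the assertion. Only
  ///             meaningful when the returned Status is OK.
  /// \return A Status indicating whether the assertion was verified
  ///         successfully. Returns a non-OK Status if verification fails, if
  ///         this verifier is not initialized, or if an internal error occurs
  ///         while attempting the operation.
  //
  // NOTE(review): this interface does not say what `user_data` must contain.
  // Callers presumably pass data unique to the current session or handshake so
  // that an assertion produced for one context is rejected in another; confirm
  // against the callers.
  virtual Status Verify(const std::string &user_data, const Assertion &assertion,
                        EnclaveIdentity *peer_identity) const = 0;
};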
84 
// \cond Internal
// Namer specialization for EnclaveAssertionVerifier: a verifier's name is the
// authority ID generated from its identity type and authority type.
// NOTE(review): presumably this is how AssertionVerifierMap (declared below)
// keys its entries; confirm against static_map.h.
template <>
struct Namer<EnclaveAssertionVerifier> {
  // Returns the authority ID for `verifier`.
  //
  // GenerateAuthorityId() returns a StatusOr, and ValueOrDie() does not hand a
  // failure back to the caller: a verifier whose identity type and authority
  // type cannot be turned into an ID terminates the process here instead of
  // producing an error that could be handled.
  std::string operator()(const EnclaveAssertionVerifier &verifier) {
    auto authority_id = EnclaveAssertionAuthority::GenerateAuthorityId(
        verifier.IdentityType(), verifier.AuthorityType());
    return authority_id.ValueOrDie();
  }
};

// Declares AssertionVerifierMap over the EnclaveAssertionVerifier base type.
// The macro comes from asylo/platform/common/static_map.h; its expansion is
// not visible in this file.
DEFINE_STATIC_MAP_OF_BASE_TYPE(AssertionVerifierMap, EnclaveAssertionVerifier);
// \endcond
97 
98 } // namespace asylo
99 
100 #endif // ASYLO_IDENTITY_ENCLAVE_ASSERTION_VERIFIER_H_
virtual Status CreateAssertionRequest(AssertionRequest *request) const =0
Creates an assertion request compatible with this verifier's identity type and authority type and places the result in `request`.