Asylo
sgx_intel_ecdsa_qe_remote_assertion_verifier.h
Go to the documentation of this file.
1 /*
2  *
3  * Copyright 2020 Asylo authors
4  *
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  *
17  */
18 
19 #ifndef ASYLO_IDENTITY_ATTESTATION_SGX_SGX_INTEL_ECDSA_QE_REMOTE_ASSERTION_VERIFIER_H_
20 #define ASYLO_IDENTITY_ATTESTATION_SGX_SGX_INTEL_ECDSA_QE_REMOTE_ASSERTION_VERIFIER_H_
21 
22 #include <memory>
23 #include <string>
24 #include <string_view>
25 #include <utility>
26 #include <vector>
27 
28 #include "asylo/crypto/certificate_interface.h"
29 #include "asylo/identity/additional_authenticated_data_generator.h"
30 #include "asylo/identity/attestation/enclave_assertion_verifier.h"
31 #include "asylo/identity/attestation/sgx/sgx_intel_ecdsa_qe_remote_assertion_authority_config.pb.h"
32 #include "asylo/identity/enclave_assertion_authority.h"
33 #include "asylo/identity/identity.pb.h"
34 #include "asylo/identity/sgx/code_identity_constants.h"
35 #include "asylo/platform/common/static_map.h"
36 #include "asylo/util/mutex_guarded.h"
37 #include "asylo/util/status.h"
38 #include "asylo/util/statusor.h"
39 
40 namespace asylo {
41 
42 /// Implementation of `EnclaveAssertionVerifier` that verifiers assertions
43 /// generated by the Intel ECDSA quoting enclave. These assertions attest,
44 /// to a remote party, properties about both the enclave's code as well as
45 /// the Intel platform properties.
47  public:
48  /// Constructs a new `SgxIntelEcdsaQeAssertionVerifier` that generates
49  /// assertions suitable for use with EKEP.
51 
52  /// Constructs a new `SgxIntelEcdsaQeAssertionVerifier` that uses
53  /// `aad_generator` to generate the expected additional authenticated data to
54  /// be matched with quotes.
56  std::unique_ptr<AdditionalAuthenticatedDataGenerator> aad_generator);
57 
58  Status Initialize(const std::string &serialized_config) override;
59 
60  bool IsInitialized() const override;
61 
62  EnclaveIdentityType IdentityType() const override;
63 
64  std::string AuthorityType() const override;
65 
67 
68  StatusOr<bool> CanVerify(const AssertionOffer &offer) const override;
69 
71  EnclaveIdentity *peer_identity) const override;
72 
73  private:
74  // Type that holds members for mutex-synchronized access.
75  struct Members {
76  explicit Members(
77  std::unique_ptr<AdditionalAuthenticatedDataGenerator> generator)
78  : aad_generator(std::move(generator)) {}
79 
80  bool is_initialized = false;
81  std::vector<std::unique_ptr<CertificateInterface>> root_certificates;
82  std::unique_ptr<AdditionalAuthenticatedDataGenerator> aad_generator;
83  };
84 
85  Status CheckInitialization(absl::string_view caller) const;
86 
87  MutexGuarded<Members> members_;
88 };
89 
90 } // namespace asylo
91 
92 #endif // ASYLO_IDENTITY_ATTESTATION_SGX_SGX_INTEL_ECDSA_QE_REMOTE_ASSERTION_VERIFIER_H_
bool IsInitialized() const override
Indicates whether this assertion authority has been initialized successfully via a call to Initialize...
SgxIntelEcdsaQeRemoteAssertionVerifier()
Constructs a new SgxIntelEcdsaQeAssertionVerifier that generates assertions suitable for use with EKE...
Status Initialize(const std::string &serialized_config) override
Initializes this assertion authority using the provided config.
ABSL_CONST_INIT const char kStatusMoveAssignmentMsg[]
StatusOr< bool > CanVerify(const AssertionOffer &offer) const override
Indicates whether the assertion offered in offer can be verified by this verifier.
EnclaveIdentityType IdentityType() const override
Gets the enclave identity type handled by this assertion authority.
Implementation of EnclaveAssertionVerifier that verifiers assertions generated by the Intel ECDSA quo...
Definition: sgx_intel_ecdsa_qe_remote_assertion_verifier.h:46
Status CreateAssertionRequest(AssertionRequest *request) const override
Creates an assertion request compatible with this verifier&#39;s identity type and authority type and pla...
SgxIntelEcdsaQeRemoteAssertionVerifier(std::unique_ptr< AdditionalAuthenticatedDataGenerator > aad_generator)
Constructs a new SgxIntelEcdsaQeAssertionVerifier that uses aad_generator to generate the expected ad...
Status Verify(const std::string &user_data, const Assertion &assertion, EnclaveIdentity *peer_identity) const override
Verifies an assertion that is compatible with this verifier&#39;s identity type and authority type...
std::string AuthorityType() const override
Gets the type of this assertion authority.