Calling into thim agent to get collateral. #149
Conversation
src/Linux/curl_easy.cpp
Outdated
| @@ -70,7 +70,7 @@ char const* curl_easy::error::what() const noexcept | |||
| /////////////////////////////////////////////////////////////////////////////// | |||
| // curl_easy implementation | |||
| /////////////////////////////////////////////////////////////////////////////// | |||
| std::unique_ptr<curl_easy> curl_easy::create(const std::string& url, const std::string* const p_body) | |||
| std::unique_ptr<curl_easy> curl_easy::create(const std::string& url, const std::string* const p_body, LPCWSTR httpVerb)) | |||
There was a problem hiding this comment.
Just curious, why use LPCWSTR instead of const std::string& ?
There was a problem hiding this comment.
The main reason for this file is to keep the structure consistent with the other curl_easy.cpp file(in src/Windows). The variable is used by "WinHttpOpenRequest" in src/Windows/curl_easy.cpp file.
There was a problem hiding this comment.
This file is Linux specific. Other parameters are std::string, so not appreciating the need for consistency with the windows version
There was a problem hiding this comment.
This parameter is used by "WinHttpOpenRequest" and the data type is supposed to be "LPCWSTR". Either I can pass a string to the function and then convert it inside the function or just pass the desired data type. I chose the latter one because I thought that's the better out of the two. I can update if required.
src/Linux/curl_easy.cpp
Outdated
| if (httpVerb == L"POST") { | ||
| easy->set_opt_or_throw(CURLOPT_POST, 1L); | ||
| } | ||
| else { |
There was a problem hiding this comment.
I don't know if we have a style checker integrated into the VS solution. If we do and it passes, then ignore this comment. The convention I see in other parts of the file is to throw opening curly braces on the line after the if/else statement. We should probably keep doing that to stay consistent.
There was a problem hiding this comment.
I dont think we have a style checker. Let me try to add one.
| static char DEFAULT_CERT_URL[] = | ||
| "https://global.acccache.azure.net/sgx/certificates"; | ||
| "https://global.acccache.azure.net/sgx/certificates/"; |
There was a problem hiding this comment.
Once THIM Service deploys new controller to align with Intel, this should be updated. The final URL will be like:
https://global.acccache.azure.net/sgx/certification/v3/pckcert?qeid={}&cpusvn={}&pcesvn={}&pceid={}&encrypted_ppid={}
There was a problem hiding this comment.
Agreed! I coded this based on the current prod code. Will update this
There was a problem hiding this comment.
The new URL is available now.
There was a problem hiding this comment.
Hey guys -- I see we've changed from certificates to "certification" -- in the last correspondence I read I saw
The ask was Thim agent to use "certificates" like THIM Service did.
-- Do I need to make a change to thim agent to stay consistent here then? I wasn't aware of this. Apologies if I missed something
There was a problem hiding this comment.
No change needed, certificates is fine here.
| @@ -54,12 +54,15 @@ static const std::map<std::string, std::string> default_values = { | |||
| // New API version used to request PEM encoded CRLs | |||
| constexpr char API_VERSION_LEGACY[] = "api-version=2018-10-01-preview"; | |||
| constexpr char API_VERSION[] = "api-version=2020-02-12-preview"; | |||
There was a problem hiding this comment.
We have a new API version for the THIM Agent APIs. However, I want to confirm -- what format CRL does Azure DCAP want now? It says 'New API version used to request PEM encoded CRLs', but I recall Shiv saying the new versions of DCAP expect DER, so I'm a bit confused.
| constexpr char API_VERSION[] = "api-version=2020-02-12-preview"; | |
| constexpr char API_VERSION[] = "api-version=2021-07-22-preview"; |
There was a problem hiding this comment.
Scratch that. I think what you might want to do is:
constexpr char API_VERSION_THIM_AGENT[] = "api-version=2021-07-22-preview";
You can use the new API version for the GetCert calls, and the existing API versions for the other collateral.
| @@ -135,6 +138,25 @@ static std::string get_collateral_version() | |||
| } | |||
| } | |||
|
|
|||
| static std::string get_agent_base_url() | |||
There was a problem hiding this comment.
Is this function necessary? It made sense with THIM cloud service because we could test different cloud endpoints (e.g. Europe vs. Americas). But THIM Agent will always be hosted at the same local IP address.
There was a problem hiding this comment.
I think this will be useful for dev box testing with IMDS and THIM agent running on the dev box.
| static char DEFAULT_CERT_URL[] = | ||
| "https://global.acccache.azure.net/sgx/certificates"; | ||
| "https://global.acccache.azure.net/sgx/certificates/"; |
There was a problem hiding this comment.
Hey guys -- I see we've changed from certificates to "certification" -- in the last correspondence I read I saw
The ask was Thim agent to use "certificates" like THIM Service did.
-- Do I need to make a change to thim agent to stay consistent here then? I wasn't aware of this. Apologies if I missed something
src/dcap_provider.cpp
Outdated
| const std::string cert_url = build_pck_cert_url(*p_pck_cert_id); | ||
| if (auto cache_hit = try_cache_get(cert_url)) | ||
| collateral_fetch_url collateral_url; | ||
| build_pck_cert_url(*p_pck_cert_id, &collateral_url); |
There was a problem hiding this comment.
Is there a reason this was done as a pointer instead of just as a reference?
You currently have it as:
build_pck_cert_url(..., &collateral_url) -- To satisfy ---- build_pck_cert_url(...., collateral_fetch_url* url)
Why not just use it as a reference?
build_pck_cert_url(..., collateral_url) -- To satisfy ---- build_pck_cert_url(...., collateral_fetch_url& url)
Your end result is the same but you don't end up having to worry about NULL issues and it seems like your goal is to update the existing variable here so my recommendation is to pass by reference.
There was a problem hiding this comment.
This part of code was already there. I don't want to change whats already there, just adding functionality to call into THIM agent in this PR
There was a problem hiding this comment.
I've added another comment above to indicate what I think you're adding in. Please let me know if I have some misunderstanding.
src/dcap_provider.cpp
Outdated
| static std::string build_pck_cert_url(const sgx_ql_pck_cert_id_t& pck_cert_id) | ||
| static void build_pck_cert_url( | ||
| const sgx_ql_pck_cert_id_t& pck_cert_id, | ||
| collateral_fetch_url* collateral_url) |
There was a problem hiding this comment.
This is the part im referencing below. It doesn't seem legacy, it seems like you've introduced it?
Testing: