ae_error_t SigmaHelper::GetRLsFromServer
( /*out*/ upse::Buffer& sigRlOut,
/*out*/ upse::Buffer& privRlOut
)
{
//
// iKGF serves up binary (legacy) versions of EPID 1.1 RLs
// all we need to do is convey the GID in the URL itself
// for example, https://trustedservices.intel.com/content/crl/Signature_<GID>.crl
// so, we get url out of config file and concatenate with filename that's
// specific to the type of RL
ae_error_t sigRetValue = AE_FAILURE;
ae_error_t privRetValue = AE_FAILURE;
const char *url = EndpointSelectionInfo::instance().get_server_url(REVOCATION_LIST_RETRIEVAL);
if (url == NULL)
{
return OAL_CONFIG_FILE_ERROR;
}
uint8_t* p1 = const_cast<uint8_t*>(m_gid.getData());
do {
if ((m_gid.getSize() < 1) || (m_gid.getSize() > 4)) break;
char msg[9];
for (unsigned i = 0; i < m_gid.getSize(); i++)
{
sprintf_s((char*) msg+2*i, 3, "%02X", *(p1+m_gid.getSize()-1-i));
}
std::string gidString(msg);
unsigned numLeading0s = 8 - static_cast<unsigned>(gidString.length());
for (unsigned i = 0; i < numLeading0s; i++)
{
gidString = '0' + gidString;
}
//if config file entry doesn't have trailing "/" , add it.
std::string s_url = url;
if(s_url.size()>0&&s_url[s_url.size()-1]!='/')
s_url+='/';
std::string stringUrl = s_url + "Signature_" + gidString + ".crl";
uint8_t *recv=NULL;
uint32_t recv_size = 0;
sigRetValue = AESMNetworkEncoding::aesm_send_recv_msg(stringUrl.c_str(), NULL, 0, recv, recv_size, GET, false);
if (AE_SUCCESS != sigRetValue)
{
sigRlOut.Alloc(0);
}
else
{
sigRlOut.Alloc(recv_size);
upse::BufferWriter bw(sigRlOut);
bw.writeRaw(recv, recv_size);
AESMNetworkEncoding::aesm_free_response_msg(recv);
}
stringUrl = s_url + "Product_" + gidString + ".crl";
recv=NULL;
recv_size = 0;
privRetValue = AESMNetworkEncoding::aesm_send_recv_msg(stringUrl.c_str(), NULL, 0, recv, recv_size, GET, false);
if (AE_SUCCESS != privRetValue)
{
privRlOut.Alloc(0);
}
else
{
privRlOut.Alloc(recv_size);
upse::BufferWriter bw(privRlOut);
bw.writeRaw(recv, recv_size);
aesm_free_network_response_buffer(recv);
}
} while (0);
if (AE_FAILED(privRetValue))
{
SGX_DBGPRINT_PRINT_STRING_LTP("PrivRL not retrieved: continuing without PrivRL");
}
if (AE_FAILED(sigRetValue))
{
SGX_DBGPRINT_PRINT_STRING_LTP("SigRL not retrieved: continuing without SigRL");
}
if ((privRetValue == AE_SUCCESS) && (sigRetValue == AE_SUCCESS)) {
return AE_SUCCESS;
}
else if (sigRetValue != AE_SUCCESS) {
return AESM_PSE_PR_GET_SIGRL_ERROR;
}
else {
return AESM_PSE_PR_GET_PRIVRL_ERROR;
}
}
ae_error_t Helper::PrepareCertificateChainVLR( /*in*/ std::list<upse::Buffer>& certChain, /*out*/ upse::Buffer& certChainVLR)
{
ae_error_t status = AESM_PSE_PR_LOAD_VERIFIER_CERT_ERROR;
try
{
do
{
int nPaddedBytes = 0;
int nCertChain = 0;
#if !defined(LEAFTOROOT)
#error LEAFTOROOT not #defined
#endif
//
// spec'd behavior is to receive certs in leaft to root order
// then, it only makes sense to store them leaf to root
// but sigma wants them root to leaf
// we'll leave the #if here since, cumulatively, it shows how to traverse
// in both directions
//
#if !LEAFTOROOT
SGX_DBGPRINT_PRINT_STRING_LTP("leaf cert to root cert direction, padding");
std::list<upse::Buffer>::reverse_iterator it;
for (it = certChain.rbegin(); it != certChain.rend(); ++it)
{
int nSize = (*it).getSize();
nPaddedBytes += REQUIRED_PADDING_DWORD_ALIGNMENT(nSize);
nCertChain += nSize;
}
#else
SGX_DBGPRINT_PRINT_STRING_LTP("root cert to leaf cert direction, padding");
std::list<upse::Buffer>::iterator it;
for (it = certChain.begin(); it != certChain.end(); ++it)
{
int nSize = (*it).getSize();
nPaddedBytes += REQUIRED_PADDING_DWORD_ALIGNMENT(nSize);
nCertChain += nSize;
}
#endif
SGX_DBGPRINT_PRINT_STRING_LTP("less cert padding");
//NRG: This doesn't work, but should. It should replace the previous
nPaddedBytes = REQUIRED_PADDING_DWORD_ALIGNMENT(nCertChain);
if(UINT16_MAX - ((int)sizeof(SIGMA_VLR_HEADER) + nPaddedBytes) < nCertChain){
break;
}
int nLength = static_cast<int>(sizeof(SIGMA_VLR_HEADER)) + nPaddedBytes + nCertChain;
certChainVLR.Alloc(nLength);
upse::BufferWriter bw(certChainVLR);
VERIFIER_CERT_CHAIN_VLR* pVLR;
uint8_t* p;
if (AE_FAILED(bw.reserve(nLength, &p)))
break;
pVLR = (VERIFIER_CERT_CHAIN_VLR*)p;
pVLR->VlrHeader.ID = VERIFIER_CERTIFICATE_CHAIN_VLR_ID;
pVLR->VlrHeader.PaddedBytes = (UINT8)nPaddedBytes;
pVLR->VlrHeader.Length = (UINT16)nLength;
memset(pVLR->VerifierCertificateChain, 0, nPaddedBytes + nCertChain);
int ndx = 0;
//
// see above
//
#if (!LEAFTOROOT)
SGX_DBGPRINT_PRINT_STRING_LTP("leaf cert to root cert direction");
for (it = certChain.rbegin(); it != certChain.rend(); ++it)
{
memcpy_s(pVLR->VerifierCertificateChain + ndx, (*it).getSize(), (*it).getData(), (*it).getSize());
ndx += (*it).getSize();
}
#else
SGX_DBGPRINT_PRINT_STRING_LTP("root cert to leaf cert direction");
for (it = certChain.begin(); it != certChain.end(); ++it)
{
memcpy_s(pVLR->VerifierCertificateChain + ndx, (*it).getSize(), (*it).getData(), (*it).getSize());
ndx += (*it).getSize();
}
#endif
status = AE_SUCCESS;
} while (0);
} catch(...)
{
}
SGX_DBGPRINT_PRINT_FUNCTION_AND_RETURNVAL(__FUNCTION__, status);
return status;
}
ae_error_t SigmaHelper::GetOcspResponseFromServer
(
/*in */ const std::list<upse::Buffer>& certChain,
/*in */ const OCSP_REQ& ocspReq,
/*out*/ upse::Buffer& ocspResp
)
{
ae_error_t status = AE_FAILURE;
int nPaddedBytes = 0;
int nTotalOcspBytes = 0;
do
{
if (ocspReq.ReqType == NO_OCSP)
{
status = AE_SUCCESS;
break;
}
const char *url = EndpointSelectionInfo::instance().get_server_url( PSE_OCSP);
if (url == NULL){
return OAL_CONFIG_FILE_ERROR;
}
// Load the root certificate into a local buffer
upse::Buffer rootCert;
SigmaHelper::GetRootCA(rootCert);
std::list<upse::Buffer> ocspResponseList;
// loop through chain and get an OCSP Response for each certificate/issuer pair
bool fDone = false;
//
// certs were added leaf to root direction (assuming server functions according to spec)
//
std::list<upse::Buffer>::const_iterator itCertificate = certChain.begin();
do
{
if (itCertificate == certChain.end())
{
status = AE_FAILURE;
break;
}
upse::Buffer ocspResponse;
const upse::Buffer& verifierCertificate = *itCertificate;
++itCertificate;
int busy_loop = 0;
do
{
if (itCertificate != certChain.end())
{
const upse::Buffer& issuerCertificate = *itCertificate;
status = Get_OCSPResponse(url, &ocspReq.OcspNonce, verifierCertificate, issuerCertificate, ocspResponse);
}
else
{
fDone = true;
const upse::Buffer& issuerCertificate = rootCert;
status = Get_OCSPResponse(url, &ocspReq.OcspNonce, verifierCertificate, issuerCertificate, ocspResponse);
}
if (AESM_PSE_PR_OCSP_RESPONSE_STATUS_TRYLATER != status)
break;
se_sleep(OCSP_BUSY_RETRY_SLEEP_MILLISECONDS);
} while (busy_loop++ < MAX_OCSP_BUSY_RETRIES);
if (AE_FAILED(status))
break;
nPaddedBytes += REQUIRED_PADDING_DWORD_ALIGNMENT(ocspResponse.getSize());
nTotalOcspBytes += ocspResponse.getSize();
ocspResponseList.push_back(ocspResponse);
} while (!fDone);
if (AE_FAILED(status))
break;
if (0 == ocspResponseList.size())
{
status = AE_FAILURE;
break;
}
nPaddedBytes = REQUIRED_PADDING_DWORD_ALIGNMENT(nTotalOcspBytes);
if(UINT16_MAX-((int)sizeof(SIGMA_VLR_HEADER) + nPaddedBytes) < nTotalOcspBytes){
status = AE_FAILURE;
break;
}
int nLength = static_cast<int>(sizeof(SIGMA_VLR_HEADER)) + nPaddedBytes + nTotalOcspBytes;
ocspResp.Alloc(nLength);
upse::BufferWriter bw(ocspResp);
uint8_t* p;
status = bw.reserve(nLength, &p);
if (AE_FAILED(status))
break;
OCSP_RESPONSE_VLR* pVLR = (OCSP_RESPONSE_VLR*)p;
pVLR->VlrHeader.ID = OCSP_RESPONSE_VLR_ID;
pVLR->VlrHeader.PaddedBytes = (UINT8)nPaddedBytes;
pVLR->VlrHeader.Length = (UINT16)nLength;
memset(pVLR->OcspResponse, 0, nPaddedBytes + nTotalOcspBytes);
int nNext = 0;
//
// order above doesn't really matter since it's between verifier/host and ocsp responder
// and each request/response is independent
// spec basically says what's correct here
// but we'll leave condition to show how to traverse in either order
//
#if !defined(LEAFTOROOT)
#error LEAFTOROOT not defined
#endif
#if !LEAFTOROOT
//
// this clause adds responses from root to leaf
//
SGX_DBGPRINT_PRINT_STRING_LTP("root ocsp to leaf ocsp direction");
std::list<upse::Buffer>::reverse_iterator itRespList = ocspResponseList.rbegin();
for ( ; itRespList != ocspResponseList.rend(); ++itRespList)
{
const upse::Buffer& item = *itRespList;
memcpy_s(pVLR->OcspResponse + nNext, item.getSize(), item.getData(), item.getSize());
nNext += item.getSize();
}
#else
SGX_DBGPRINT_PRINT_STRING_LTP("leaf ocsp to root ocsp direction");
//
// this clause adds responses from leaf to root
//
std::list<upse::Buffer>::iterator itRespList = ocspResponseList.begin();
for ( ; itRespList != ocspResponseList.end(); ++itRespList)
{
const upse::Buffer& item = *itRespList;
memcpy_s(pVLR->OcspResponse + nNext, item.getSize(), item.getData(), item.getSize());
nNext += item.getSize();
}
#endif
Helper::write_ocsp_response_vlr(ocspResp);
status = AE_SUCCESS;
} while (0);
if (status == OAL_NETWORK_UNAVAILABLE_ERROR)
{
if (ocspReq.ReqType == CACHED && AE_SUCCEEDED(Helper::read_ocsp_response_vlr(ocspResp)))
{
status = AE_SUCCESS;
}
}
SGX_DBGPRINT_PRINT_FUNCTION_AND_RETURNVAL(__FUNCTION__, status);
return status;
}
