intel / trusted-certificate-issuer

Trusted Certificate Service (TCS) is a K8s service to protect signing keys using Intel's SGX technology. K8s CSR and cert-manager CR APIs are both supported. TCS also contains integration samples for Istio service mesh and Key Management Reference Application (KMRA).
Apache License 2.0

QuoteAttestation: Add new field for request type #27

Closed avalluri closed 2 years ago

avalluri commented 2 years ago

New field 'type' is added to hold the type of attestation request. This is to support initiating the QuoteAttestation from CSR only quote validation. In this case, the quote attestation controller does not proceed with key wrapping.

avalluri commented 2 years ago

Shall we make PublicKey and SignerNames optional?

Makes sense to make them optional in the case of simple quote verification, but KMRA does not support quote verification without them.

irisdingbj commented 2 years ago

Shall we make PublicKey and SignerNames optional?

Makes sense to make them optional in the case of simple quote verification, but KMRA does not support quote verification without them.

Yes, km-attest requires a pubkey. So at least make SignerNames optional?

avalluri commented 2 years ago

Makes sense to make them optional in the case of simple quote verification, but KMRA does not support quote verification without them.

Yes, km-attest requires a pubkey. So at least make SignerNames optional?

What I remember is that their whole logic was tied to the 'SignerName', to validate whether a client request (quote verify / key wrap) is valid. By the way, I made a proposal to move SignerNames -> SignerName: https://github.com/intel/trusted-certificate-issuer/issues/20. @irisdingbj Would you please provide your opinion?

avalluri commented 2 years ago

@irisdingbj Can we merge this change?

avalluri commented 2 years ago

I am merging this change as it is needed for further changes. Let's take it up in a follow-up PR if it needs any further API changes.