Currently we are using an unreleased commit of dcap-qvl, as it has a PR we rely on.
The new release v0.4.0 includes this but also has some breaking changes which affect our PCCS implementation.
The API for retrieving collateral has improved. It is now done through `CollateralClient`, which allows re-using the HTTP client between collateral fetches, which is a big plus. But the function to fetch collateral for a specific fmspc is now private. See: https://docs.rs/dcap-qvl/latest/src/dcap_qvl/collateral.rs.html#381-390
The reasoning for this is that the PCK cert chain should be included in collateral since it is needed for verification and in some cases not included in the quote.
The exposed method for fetching collateral requires you to pass the full quote, fetches the collateral and then includes the PCK certificate chain from the quote in the returned collateral. Exposing the function to fetch collateral might mean callers forget to do this, giving incomplete collateral.
This is not a blocker for us, but it makes things less efficient because we have to deserialize the quote an extra time on collateral fetch. And for the PCCS pre-warm, we need a quote for each fmspc in order to fetch collateral for it, which means we have to do something a bit hacky: building quotes just for calling this function.
So the options are:

1. Do a slightly hacky workaround and live with it.
2. Re-implement the collateral fetching ourselves. It is anyway quite inefficient for the pre-warm, doing a lot of duplicate fetching, and if we wanted we could do synchronous fetching, which would solve Calling async verify function from synchronous `verify_server_cert` function #2. But this means an extra burden of code to maintain.
3. Make a PR to dcap-qvl asking them to make it public again. They do have a good reason to make it private, so not sure how this would go.
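As an added illustration of what option 2 would involve (this is example code written for this issue, not dcap-qvl's implementation and not our project's code), the sketch below separates the fmspc-keyed part of collateral (TCB info and QE identity, which a pre-warm can fetch once per fmspc without any quote) from the per-quote PCK certificate chain, and fails closed when a quote carries no chain instead of returning incomplete collateral. The `Quote`, `FmspcCollateral`, `Collateral`, `FmspcFetcher` and `FakePccs` types are hypothetical stand-ins, and the in-memory fetcher is constructed so the example runs offline; a real implementation would fetch the PCK certificate separately for quotes whose certification data does not embed it.

```rust
// Added example, not dcap-qvl or project code. Models a per-fmspc collateral
// cache that can be pre-warmed without quotes, plus a fail-closed assembly of
// complete collateral (base collateral + the quote's own PCK chain).
use std::collections::HashMap;

/// Hypothetical minimal quote: only the two fields this example needs.
#[derive(Clone, Debug)]
pub struct Quote {
    pub fmspc: [u8; 6],
    /// PEM PCK certificate chain from the quote's certification data;
    /// `None` models quotes that do not carry the chain.
    pub pck_chain: Option<String>,
}

/// The part of collateral that depends only on the FMSPC (cacheable).
#[derive(Clone, Debug, PartialEq)]
pub struct FmspcCollateral {
    pub tcb_info: String,
    pub qe_identity: String,
}

/// Complete collateral as a verifier needs it.
#[derive(Clone, Debug, PartialEq)]
pub struct Collateral {
    pub base: FmspcCollateral,
    pub pck_chain: String,
}

#[derive(Debug, PartialEq)]
pub enum CollateralError {
    /// The quote carried no PCK chain; we refuse to hand out partial collateral.
    MissingPckChain,
    /// The upstream (PCCS) had nothing for this FMSPC.
    FetchFailed([u8; 6]),
}

/// Hypothetical fetcher abstraction standing in for a PCCS HTTP client.
pub trait FmspcFetcher {
    fn fetch(&mut self, fmspc: [u8; 6]) -> Result<FmspcCollateral, CollateralError>;
}

pub struct CollateralCache<F: FmspcFetcher> {
    fetcher: F,
    cache: HashMap<[u8; 6], FmspcCollateral>,
}

impl<F: FmspcFetcher> CollateralCache<F> {
    pub fn new(fetcher: F) -> Self {
        Self { fetcher, cache: HashMap::new() }
    }

    pub fn fetcher(&self) -> &F {
        &self.fetcher
    }

    /// Pre-warm: one fetch per distinct FMSPC, no quotes required.
    /// Returns how many FMSPCs were actually fetched.
    pub fn prewarm(&mut self, fmspcs: &[[u8; 6]]) -> Result<usize, CollateralError> {
        let mut fetched = 0;
        for &fmspc in fmspcs {
            if !self.cache.contains_key(&fmspc) {
                let base = self.fetcher.fetch(fmspc)?;
                self.cache.insert(fmspc, base);
                fetched += 1;
            }
        }
        Ok(fetched)
    }

    /// Assemble complete collateral for a quote: cached base (fetched on a
    /// miss) plus the PCK chain taken from the quote itself.
    pub fn collateral_for(&mut self, quote: &Quote) -> Result<Collateral, CollateralError> {
        // Check the per-quote part first so a missing chain never triggers a fetch.
        let pck_chain = quote.pck_chain.clone().ok_or(CollateralError::MissingPckChain)?;
        let base = match self.cache.get(&quote.fmspc) {
            Some(base) => base.clone(),
            None => {
                let base = self.fetcher.fetch(quote.fmspc)?;
                self.cache.insert(quote.fmspc, base.clone());
                base
            }
        };
        Ok(Collateral { base, pck_chain })
    }
}

/// Constructed in-memory PCCS stand-in that counts requests (for the example only).
pub struct FakePccs {
    pub calls: usize,
    known: Vec<[u8; 6]>,
}

impl FakePccs {
    pub fn new(known: Vec<[u8; 6]>) -> Self {
        Self { calls: 0, known }
    }
}

impl FmspcFetcher for FakePccs {
    fn fetch(&mut self, fmspc: [u8; 6]) -> Result<FmspcCollateral, CollateralError> {
        self.calls += 1;
        if !self.known.contains(&fmspc) {
            return Err(CollateralError::FetchFailed(fmspc));
        }
        Ok(FmspcCollateral {
            tcb_info: format!("tcbInfo-for-{:x?}", fmspc),
            qe_identity: "qe-identity".to_string(),
        })
    }
}

fn main() {
    // Constructed FMSPC values, not real platform identifiers.
    let a = [0x00, 0x90, 0x6e, 0xd5, 0x00, 0x00];
    let mut cache = CollateralCache::new(FakePccs::new(vec![a]));
    cache.prewarm(&[a]).expect("pre-warm");
    let quote = Quote { fmspc: a, pck_chain: Some("-----BEGIN CERTIFICATE-----\n...".into()) };
    println!("{:?}", cache.collateral_for(&quote));
    println!("fetches so far: {}", cache.fetcher().calls);
}
```

The pre-warm never touches a quote, and `collateral_for` reuses the cached base, so a single HTTP client and one fetch per FMSPC suffice; the cost of taking this route is exactly the maintenance burden mentioned in option 2, since the fetching and the chain-extraction logic become ours to keep in step with the quote format.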