microsoft · achamayou · Nov 23, 2020 · Nov 18, 2020 · Nov 18, 2020 · Nov 19, 2020
diff --git a/python/ccf/proposal_generator.py b/python/ccf/proposal_generator.py
@@ -18,9 +18,6 @@
 from loguru import logger as LOG  # type: ignore
 
 
-CERT_OID_SGX_QUOTE = "1.2.840.113556.10.1.1"
-
-
 def dump_to_file(output_path: str, obj: dict, dump_args: dict):
     with open(output_path, "w") as f:
         json.dump(obj, f, **dump_args)
@@ -428,20 +425,12 @@ def update_ca_cert(cert_name, cert_path, skip_checks=False, **kwargs):
 
     if not skip_checks:
         try:
-            cert = x509.load_pem_x509_certificate(
+            x509.load_pem_x509_certificate(
                 cert_pem.encode(), crypto_backends.default_backend()
             )
         except Exception as exc:
             raise ValueError("Cannot parse PEM certificate") from exc
 
-        try:
-            oid = x509.ObjectIdentifier(CERT_OID_SGX_QUOTE)
-            _ = cert.extensions.get_extension_for_oid(oid)
-        except x509.ExtensionNotFound as exc:
-            raise ValueError(
-                "X.509 extension with SGX quote not found in certificate"
-            ) from exc
-
     args = {"name": cert_name, "cert": cert_pem}
     return build_proposal("update_ca_cert", args, **kwargs)
 
@@ -454,6 +443,8 @@ def set_jwt_issuer(json_path: str, **kwargs):
         "issuer": obj["issuer"],
         "key_filter": obj.get("key_filter", "all"),
         "key_policy": obj.get("key_policy"),
+        "ca_cert_name": obj.get("ca_cert_name"),
+        "auto_refresh": obj.get("auto_refresh", False),
         "jwks": obj.get("jwks"),
     }
     return build_proposal("set_jwt_issuer", args, **kwargs)

diff --git a/src/enclave/interface.h b/src/enclave/interface.h
@@ -80,6 +80,8 @@ struct CCFConfig
   std::string subject_name;
   std::vector<tls::SubjectAltName> subject_alternative_names;
 
+  size_t jwt_key_refresh_interval_s;
+
   MSGPACK_DEFINE(
     consensus_config,
     node_info_network,
@@ -90,7 +92,8 @@ struct CCFConfig
     genesis,
     joining,
     subject_name,
-    subject_alternative_names);
+    subject_alternative_names,
+    jwt_key_refresh_interval_s);
 };
 
 /// General administrative messages

diff --git a/src/host/main.cpp b/src/host/main.cpp
@@ -318,6 +318,14 @@ int main(int argc, char** argv)
     "Subject Alternative Name in node certificate. Can be either "
     "iPAddress:xxx.xxx.xxx.xxx, or dNSName:sub.domain.tld");
 
+  size_t jwt_key_refresh_interval_s = 1800;
+  app
+    .add_option(
+      "--jwt-key-refresh-interval-s",
+      jwt_key_refresh_interval_s,
+      "Interval in seconds for JWT public signing key refresh.")
+    ->capture_default_str();
+
   size_t memory_reserve_startup = 0;
   app
     .add_option(
@@ -653,6 +661,8 @@ int main(int argc, char** argv)
     ccf_config.subject_name = subject_name;
     ccf_config.subject_alternative_names = subject_alternative_names;
 
+    ccf_config.jwt_key_refresh_interval_s = jwt_key_refresh_interval_s;
+
     if (*start)
     {
       start_type = StartType::New;

diff --git a/src/http/http_parser.h b/src/http/http_parser.h
@@ -156,14 +156,46 @@ namespace http
       http_parser_parse_url(url.data(), url.size(), 0, &parser_url);
     if (err != 0)
     {
-      throw std::runtime_error(fmt::format("Error parsing url: {}", err));
+      throw std::invalid_argument(fmt::format("Error parsing url: {}", err));
     }
 
     return std::make_pair(
       extract_url_field(parser_url, UF_PATH, url),
       extract_url_field(parser_url, UF_QUERY, url));
   }
 
+  struct URL
+  {
+    std::string_view schema;
+    std::string_view host;
+    std::string_view port;
+    std::string_view path;
+    std::string_view query;
+    std::string_view fragment;
+  };
+
+  inline URL parse_url_full(const std::string& url)
+  {
+    LOG_TRACE_FMT("Received url to parse: {}", url);
+
+    http_parser_url parser_url;
+    http_parser_url_init(&parser_url);
+
+    const auto err =
+      http_parser_parse_url(url.data(), url.size(), 0, &parser_url);
+    if (err != 0)
+    {
+      throw std::invalid_argument(fmt::format("Error parsing url: {}", err));
+    }
+
+    return {extract_url_field(parser_url, UF_SCHEMA, url),
+            extract_url_field(parser_url, UF_HOST, url),
+            extract_url_field(parser_url, UF_PORT, url),
+            extract_url_field(parser_url, UF_PATH, url),
+            extract_url_field(parser_url, UF_QUERY, url),
+            extract_url_field(parser_url, UF_FRAGMENT, url)};
+  }
+
   class Parser
   {
   protected:

diff --git a/src/node/jwt.h b/src/node/jwt.h
@@ -41,13 +41,16 @@ namespace ccf
   {
     JwtIssuerKeyFilter key_filter;
     std::optional<JwtIssuerKeyPolicy> key_policy;
+    std::optional<std::string> ca_cert_name;
+    bool auto_refresh = false;
 
-    MSGPACK_DEFINE(key_filter, key_policy);
+    MSGPACK_DEFINE(key_filter, key_policy, ca_cert_name, auto_refresh);
   };
 
   DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(JwtIssuerMetadata);
   DECLARE_JSON_REQUIRED_FIELDS(JwtIssuerMetadata, key_filter);
-  DECLARE_JSON_OPTIONAL_FIELDS(JwtIssuerMetadata, key_policy);
+  DECLARE_JSON_OPTIONAL_FIELDS(
+    JwtIssuerMetadata, key_policy, ca_cert_name, auto_refresh);
 
   using JwtIssuer = std::string;
   using JwtKeyId = std::string;