package api
import (
"github.com/oasisprotocol/oasis-core/go/common"
"github.com/oasisprotocol/oasis-core/go/common/crypto/signature"
"github.com/oasisprotocol/oasis-core/go/common/sgx"
)
// PolicySGXSignatureContext is the context used to sign PolicySGX documents.
// removed var statement
// PolicySGX is a key manager access control policy for the replicated
// SGX key manager.
//
// The struct is a plain data carrier: it holds the policy serial number, the
// runtime ID the policy is valid for, and a per-enclave access control map.
// Nothing in this declaration validates or authenticates those contents.
type PolicySGX struct {
// Serial is the monotonically increasing policy serial number.
//
// NOTE(review): the type itself cannot enforce monotonicity. Presumably the
// consumer rejects a policy whose serial is not greater than the one
// currently in effect, so that an older policy cannot be re-applied.
// Confirm where that check lives.
Serial uint32 `json:"serial"`
// ID is the runtime ID that this policy is valid for.
//
// NOTE(review): presumably consumers compare this against the runtime they
// serve before applying the policy. Confirm against the caller.
ID common.Namespace `json:"id"`
// Enclaves is the per-key manager enclave ID access control policy.
//
// The values are pointers, so the map may hold nil entries (for example
// after decoding untrusted input); code that walks it should handle a nil
// *EnclavePolicySGX.
Enclaves map[sgx.EnclaveIdentity]*EnclavePolicySGX `json:"enclaves"`
}
// EnclavePolicySGX is the per-SGX key manager enclave ID access control policy.
//
// It carries two grants for one key manager enclave: which enclave IDs may
// query private key material (grouped by runtime ID) and which enclave IDs
// may retrieve the master secret.
type EnclavePolicySGX struct {
// MayQuery is the map of runtime IDs to the vector of enclave IDs that
// may query private key material.
//
// TODO: This could be made more sophisticated and segregate based on
// contract ID as well, but for now punt on the added complexity.
//
// NOTE(review): how a missing runtime ID or an empty vector is treated is
// not visible in this file; presumably both mean "no access" (default
// deny). Confirm against the enforcement code.
MayQuery map[common.Namespace][]sgx.EnclaveIdentity `json:"may_query"`
// MayReplicate is the vector of enclave IDs that may retrieve the master
// secret (Note: Each enclave ID may always implicitly replicate from other
// instances of itself).
//
// Every entry grants retrieval of the master secret, so additions to this
// list deserve the closest review of any field in the policy.
MayReplicate []sgx.EnclaveIdentity `json:"may_replicate"`
}
// SignedPolicySGX is a signed SGX key manager access control policy.
//
// NOTE(review): holding a value of this type does not show that the
// signatures were checked; the struct only pairs a policy with a list of
// signatures. Treat Policy as untrusted until it has been verified.
type SignedPolicySGX struct {
// Policy is the access control policy; presumably it is the document the
// signatures below are computed over (confirm against the signing code).
Policy PolicySGX `json:"policy"`
// Signatures is the list of signatures attached to Policy.
//
// NOTE(review): nothing in this declaration fixes how many signatures are
// required, which signers are trusted, or whether duplicates are allowed.
// Presumably the verification routine enforces those rules together with
// the signature context. Confirm before relying on Policy.
Signatures []signature.Signature `json:"signatures"`
}
// SanityCheckSignedPolicySGX verifies a SignedPolicySGX.
// removed func