Intel Trust Authority Client provides a set of C libraries for attesting different TEEs with Intel Trust Authority. Users can link the C libraries within their application and make REST calls to Intel Trust Authority for fetching token containing information about the TEE attested that can be verified.
Use Ubuntu 20.04.
Install the latest version of the library with following commands:
Follow the build instructions of library from builds.md
Installation steps:
- Copy the libraries built from above steps to application path and export them to LD_LIBRARY_PATH.
- LD_LIBRARY_PATH=$LD_LIBRARY_PATH:
- export LD_LIBRARY_PATH
If User has interface to get the quote/evidence and want to attest it with Intel Trust Authority:
Create a new Intel Trust Authority client, then use the exposed services to access different parts of the Intel Trust Authority API.
trust_authority_connector *connector = NULL;
/**
* Creates a new connector client to connect to Intel Trust Authority
* connector[output] - provides an HTTPClient interface to communicate with Intel Trust Authority via REST APIs.
* ta_key[input] - API key for Intel Trust Authority
* ta_api_url[input] - Intel Trust Authority URL https://api.trustauthority.intel.com
* retry_max[input] - Maximum retires allowed
* retry_wait_sec[input] - Waiting time in seconds between retries
*/
status = trust_authority_connector_new(&connector, ta_key, ta_api_url, retry_max, retry_wait_sec);Create SGX/TDX adapter using
Use the adapter created with following piece of code:
token token = {0};
policies policies = {0};
collect_token_args token_args ={0};
evidence_adapter *adapter = NULL;
char *ids[] = {policy_id};
policies.ids = ids;
policies.count = //Number of policies provided
token_args.polices = policies;
/**
* Gets the token from Intel Trust Authority
* connector[input] - an HTTPClient interface to communicate with Intel Trust Authority via REST APIs(created using above code)
* header[output] - parameter containing all response headers from Intel Trust Authority
* token[output] - token struct that will contain the token recieved from Intel Trust Authority
* args[input] - request paramater that will part of token request
* adapter[input] - sgx/tdx adapter created.
* user_data[input] - any additional data user wants to embed into the quote
* user_data_len[input] - length of user data
* */
status = collect_token(connector,
&header,
&token,
&args,
adapter, // recieved from adapter
user_data, // any extra data user wants to send.
user_data_len); // length of user data.
if (STATUS_OK != status)
{
printf("Failed to collect token: 0x%04x\n", status);
return status;
} char * jwks_data is optional in this function.
If user sends NULL, jwks will be downloaded from INTEL Trust authority server.
Else user can send the whole jwks_data json in char * format.
/**
* Verifies the token recieved from Intel Trust Authority
* token[input] - token to be verified
* base_url[input] - Intel Trust Authority URL
* jwks_data[input] - optional value containing JWKS signing certificate
* parsed_token[output] - token to be verified
* retry_max[input] - maximum retires allowed.
* retry_wait_sec[input] - waiting time in seconds between retries
* */
status = verify_token(&token,
base_url, // Intel Trust Authority API URL
jwks_data,
&parsed_token,
retry_max,
retry_wait_sec);
if (STATUS_OK != status)
{
printf("Error: Failed to verify token: 0x%04x\n", status);
return status;
} /**
* Gets token sigining certificate from Intel Trust Authority
* jwks_url[input] - Intel Trust Authority URL to get certificates - https://portal.trustauthority.intel.com/certs
* jwks_resp[output] - response from Intel Trust Authority
* retry_max[input] - maximum retires allowed
* retry_wait_sec[input] - waiting time in seconds between retries
* */
result = get_token_signing_certificate(jwks_url,
&jwks_resp,
retry_max,
retry_wait_sec);
if (result != STATUS_OK || jwks_resp == NULL)
{
return STATUS_GET_SIGNING_CERT_ERROR;
} SGX: SGX Sample App TDX: TDX Sample App
This library is distributed under the BSD-style license found in the LICENSE file.