occlum
diff --git a/‎client/cpp_occlum/bom_aecs_client_gnu.yaml‎
Lines changed: 1 addition & 0 deletions b/‎client/cpp_occlum/bom_aecs_client_gnu.yaml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎client/cpp_occlum/occlum_aecs_client_lib/occlum_aecs_client_main.cpp‎
Lines changed: 8 additions & 4 deletions b/‎client/cpp_occlum/occlum_aecs_client_lib/occlum_aecs_client_main.cpp‎
Lines changed: 8 additions & 4 deletions
diff --git a/‎client/cpp_occlum/occlum_aecs_client_lib/src/occlum_aecs_client_lib.cpp‎
Lines changed: 28 additions & 10 deletions b/‎client/cpp_occlum/occlum_aecs_client_lib/src/occlum_aecs_client_lib.cpp‎
Lines changed: 28 additions & 10 deletions
diff --git a/‎client/cpp_occlum/occlum_aecs_client_lib/src/occlum_aecs_client_lib.h‎
Lines changed: 4 additions & 0 deletions b/‎client/cpp_occlum/occlum_aecs_client_lib/src/occlum_aecs_client_lib.h‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎client/cpp_occlum/occlum_aecs_client_lib/src/occlum_aecs_client_lib_c.h‎
Lines changed: 4 additions & 0 deletions b/‎client/cpp_occlum/occlum_aecs_client_lib/src/occlum_aecs_client_lib_c.h‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎client/cpp_occlum/occlum_aecs_client_lib/src/public_aecs_client_lib.cpp‎
Lines changed: 21 additions & 7 deletions b/‎client/cpp_occlum/occlum_aecs_client_lib/src/public_aecs_client_lib.cpp‎
Lines changed: 21 additions & 7 deletions
diff --git a/‎client/cpp_occlum/occlum_aecs_client_lib/src/public_aecs_client_lib.h‎
Lines changed: 23 additions & 1 deletion b/‎client/cpp_occlum/occlum_aecs_client_lib/src/public_aecs_client_lib.h‎
Lines changed: 23 additions & 1 deletion
diff --git a/‎client/cpp_occlum/occlum_aecs_client_lib/src/public_aecs_client_lib_c.h‎
Lines changed: 4 additions & 0 deletions b/‎client/cpp_occlum/occlum_aecs_client_lib/src/public_aecs_client_lib_c.h‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎client/cpp_occlum/occlum_run_aecs_client.sh‎
Lines changed: 2 additions & 2 deletions b/‎client/cpp_occlum/occlum_run_aecs_client.sh‎
Lines changed: 2 additions & 2 deletions
@@ -23,3 +23,4 @@ targets:
       - from: ../../../deployment/conf/
         files:
           - service_secret_policy.yaml
+          - ta_secret_policy.yaml
@@ -40,7 +40,7 @@ DEFINE_string(output, "", "output file to save secret when get/getpub");
 //=============================================================
 static int DoCreateSecret() {
   std::string aecs_ra_policy = "";
-  printf("[Get secret public key]\n");
+  printf("[Create Secret]\n");
   printf("  AECS Server: %s\n", FLAGS_endpoint.c_str());
   printf("  Template File: %s\n", FLAGS_policy.c_str());
 
@@ -57,7 +57,7 @@ static int DoCreateSecret() {
 
 static int DoDestroySecret() {
   std::string aecs_ra_policy = "";
-  printf("[Get secret public key]\n");
+  printf("[Destroy Secret]\n");
   printf("  AECS Server: %s\n", FLAGS_endpoint.c_str());
   printf("  Secret Name: %s\n", FLAGS_secret.c_str());
 
@@ -74,6 +74,7 @@ static int DoDestroySecret() {
 
 static int DoGetSecret() {
   std::string aecs_ra_policy = "";
+  std::string secret_policy = "{}";
   printf("[Get secret]\n");
   printf("  AECS Server: %s\n", FLAGS_endpoint.c_str());
   printf("  Service Name: %s\n", FLAGS_action.c_str());
@@ -84,7 +85,8 @@ static int DoGetSecret() {
   // Use the C-ABI interface to get secret
   int ret = aecs_client_get_secret_and_save_file(
       FLAGS_endpoint.c_str(), aecs_ra_policy.c_str(), FLAGS_service.c_str(),
-      FLAGS_secret.c_str(), FLAGS_nonce.c_str(), FLAGS_output.c_str());
+      FLAGS_secret.c_str(), secret_policy.data(), FLAGS_nonce.c_str(),
+      FLAGS_output.c_str());
   if (ret != 0) {
     printf("Fail to get secret from aecs: %d!\n", ret);
     return ret;
@@ -106,6 +108,7 @@ static int DoGetSecret() {
 
 static int DoGetSecretPublic() {
   std::string aecs_ra_policy = "";
+  std::string secret_policy = "";
   printf("[Get secret public key]\n");
   printf("  AECS Server: %s\n", FLAGS_endpoint.c_str());
   printf("  Service Name: %s\n", FLAGS_action.c_str());
@@ -116,7 +119,8 @@ static int DoGetSecretPublic() {
   // Use the C-ABI interface to get secret public key
   int ret = aecs_client_get_public_secret_and_save_file(
       FLAGS_endpoint.c_str(), aecs_ra_policy.c_str(), FLAGS_service.c_str(),
-      FLAGS_secret.c_str(), FLAGS_nonce.c_str(), FLAGS_output.c_str());
+      FLAGS_secret.c_str(), secret_policy.data(), FLAGS_nonce.c_str(),
+      FLAGS_output.c_str());
   if (ret != 0) {
     printf("Fail to get secret public key from aecs: %d!\n", ret);
     return ret;
 
@@ -41,12 +41,13 @@ TeeErrorCode aecs_client_get_secret_to_file(
     const std::string& aecs_server_policy,
     const std::string& secret_service,
     const std::string& secret_name,
+    const std::string& secret_policy,
     const std::string& nonce,
     const std::string& save_file_name) {
   std::string secret_str;
-  TEE_CHECK_RETURN(aecs_client_get_secret(aecs_server_endpoint,
-                                          aecs_server_policy, secret_service,
-                                          secret_name, nonce, &secret_str));
+  TEE_CHECK_RETURN(aecs_client_get_secret(
+      aecs_server_endpoint, aecs_server_policy, secret_service, secret_name,
+      secret_policy, nonce, &secret_str));
   // Save the secret string into local file system
   // For occlum,  it should be secure filesytem to avoid secret leak
   using kubetee::utils::FsWriteString;
@@ -59,6 +60,7 @@ TeeErrorCode aecs_client_get_secret(const std::string& aecs_server_endpoint,
                                     const std::string& aecs_server_policy,
                                     const std::string& secret_service,
                                     const std::string& secret_name,
+                                    const std::string& secret_policy,
                                     const std::string& nonce,
                                     std::string* secret_str) {
   kubetee::GetEnclaveSecretRequest req;
@@ -86,8 +88,21 @@ TeeErrorCode aecs_client_get_secret(const std::string& aecs_server_endpoint,
   TEE_CHECK_RETURN(VerifyAecsEnclave(res.auth_ra_report(), aecs_server_policy));
 
   // Decrypt and verify the digital envelope encrypted identity keys
-  TEE_CHECK_RETURN(EnvelopeDecryptAndVerify(res, nonce, secret_str));
+  std::string enclave_secret_str;
+  kubetee::EnclaveSecret secret;
+  TEE_CHECK_RETURN(EnvelopeDecryptAndVerify(res, nonce, &enclave_secret_str));
+  JSON2PB(enclave_secret_str, &secret);
+
+  // Verify secret policy if necessary
+  if (!secret_policy.empty() && secret_policy != "{}") {
+    const kubetee::UnifiedAttestationPolicy& policy =
+        secret.spec().policy().policy();
+    kubetee::UnifiedAttestationPolicy expected_policy;
+    JSON2PB(secret_policy, &expected_policy);
+    TEE_CHECK_RETURN(UaVerifyPolicy(policy, expected_policy));
+  }
 
+  secret_str->assign(secret.data());
   return TEE_SUCCESS;
 }
 
@@ -113,8 +128,9 @@ TeeErrorCode aecs_client_create_secret(const std::string& aecs_server_endpoint,
   for (int i = 0; i < result.secrets_size(); i++) {
     std::string secret_name = result.secrets()[i].spec().secret_name();
     TEE_LOG_INFO("Create the secret[%d]: %s", i, secret_name.c_str());
-    req.mutable_secret()->CopyFrom(result.secrets()[i]);
-    req.mutable_secret()->mutable_spec()->mutable_policy()->Clear();
+    kubetee::EnclaveSecret* secret = req.mutable_secret();
+    secret->CopyFrom(result.secrets()[i]);
+    secret->mutable_spec()->mutable_policy()->mutable_policy()->Clear();
     int ret = aecs_client.CreateTaSecret(req, &res);
     if (ret != TEE_SUCCESS) {
       TEE_LOG_ERROR("Fail to create secret: %s", secret_name.c_str());
@@ -154,19 +170,21 @@ int aecs_client_get_secret_and_save_file(const char* aecs_server_endpoint,
                                          const char* aecs_server_policy,
                                          const char* secret_service,
                                          const char* secret_name,
+                                         const char* secret_policy,
                                          const char* nonce,
                                          const char* save_file_name) {
   TEE_CHECK_RETURN(aecs_client_get_secret_to_file(
       SAFESTR(aecs_server_endpoint), SAFESTR(aecs_server_policy),
-      SAFESTR(secret_service), SAFESTR(secret_name), SAFESTR(nonce),
-      SAFESTR(save_file_name)));
+      SAFESTR(secret_service), SAFESTR(secret_name), SAFESTR(secret_policy),
+      SAFESTR(nonce), SAFESTR(save_file_name)));
   return 0;
 }
 
 int aecs_client_get_secret_by_buffer(const char* aecs_server_endpoint,
                                      const char* aecs_server_policy,
                                      const char* secret_service,
                                      const char* secret_name,
+                                     const char* secret_policy,
                                      const char* nonce,
                                      char* secret_outbuf,
                                      int* secret_outbuf_len) {
@@ -175,8 +193,8 @@ int aecs_client_get_secret_by_buffer(const char* aecs_server_endpoint,
   std::string secret_str;
   TEE_CHECK_RETURN(aecs_client_get_secret(
       SAFESTR(aecs_server_endpoint), SAFESTR(aecs_server_policy),
-      SAFESTR(secret_service), SAFESTR(secret_name), SAFESTR(nonce),
-      &secret_str));
+      SAFESTR(secret_service), SAFESTR(secret_name), SAFESTR(secret_policy),
+      SAFESTR(nonce), &secret_str));
   if (*secret_outbuf_len <= secret_str.size()) {
     return TEE_ERROR_SMALL_BUFFER;
   }
 
@@ -15,6 +15,7 @@ extern "C" {
  * @param[in] aecs_server_policy
  * @param[in] secret_service
  * @param[in] secret_name
+ * @param[in] secret_policy
  * @param[in] nonce
  * @param[in] save_file_name
  * @return int Error code
@@ -24,6 +25,7 @@ TeeErrorCode aecs_client_get_secret_to_file(
     const std::string& aecs_server_policy,
     const std::string& secret_service,
     const std::string& secret_name,
+    const std::string& secret_policy,
     const std::string& nonce,
     const std::string& save_file_name);
 
@@ -34,6 +36,7 @@ TeeErrorCode aecs_client_get_secret_to_file(
  * @param[in] aecs_server_policy
  * @param[in] secret_service
  * @param[in] secret_name
+ * @param[in] secret_policy
  * @param[in] nonce
  * @param[out] secret Json-format secret
  * @return int Error code
@@ -42,6 +45,7 @@ TeeErrorCode aecs_client_get_secret(const std::string& aecs_server_endpoint,
                                     const std::string& aecs_server_policy,
                                     const std::string& secret_service,
                                     const std::string& secret_name,
+                                    const std::string& secret_policy,
                                     const std::string& nonce,
                                     std::string* secret);
 
 
@@ -13,6 +13,7 @@ extern "C" {
  * @param[in] aecs_server_policy
  * @param[in] secret_service
  * @param[in] secret_name
+ * @param[in] secret_policy
  * @param[in] nonce
  * @param[in] file name to save secret
  * @return int Error code
@@ -21,6 +22,7 @@ int aecs_client_get_secret_and_save_file(const char* aecs_server_endpoint,
                                          const char* aecs_server_policy,
                                          const char* secret_service,
                                          const char* secret_name,
+                                         const char* secret_policy,
                                          const char* nonce,
                                          const char* save_file_name);
 
@@ -31,6 +33,7 @@ int aecs_client_get_secret_and_save_file(const char* aecs_server_endpoint,
  * @param[in] aecs_server_policy
  * @param[in] secret_service
  * @param[in] secret_name
+ * @param[in] secret_policy
  * @param[in] nonce
  * @param[out] secret_outbuf output buffer which includes the secret
  * @param[inout] secret_outbuf_len max len as input/real len as output
@@ -40,6 +43,7 @@ int aecs_client_get_secret_by_buffer(const char* aecs_server_endpoint,
                                      const char* aecs_server_policy,
                                      const char* secret_service,
                                      const char* secret_name,
+                                     const char* secret_policy,
                                      const char* nonce,
                                      char* secret_outbuf,
                                      int* secret_outbuf_len);
 
@@ -26,12 +26,13 @@ TeeErrorCode aecs_client_get_public_secret_to_file(
     const std::string& aecs_server_policy,
     const std::string& secret_service,
     const std::string& secret_name,
+    const std::string& secret_policy,
     const std::string& nonce,
     const std::string& save_file_name) {
   std::string secret_public_str;
   TEE_CHECK_RETURN(aecs_client_get_public_secret(
       aecs_server_endpoint, aecs_server_policy, secret_service, secret_name,
-      nonce, &secret_public_str));
+      secret_policy, nonce, &secret_public_str));
   // Save the secret string into local file system
   // For occlum,  it should be secure filesytem to avoid secret leak
   using kubetee::utils::FsWriteString;
@@ -45,8 +46,9 @@ TeeErrorCode aecs_client_get_public_secret(
     const std::string& aecs_server_policy,
     const std::string& secret_service,
     const std::string& secret_name,
+    const std::string& secret_policy,
     const std::string& nonce,
-    std::string* secret) {
+    std::string* secret_public) {
   // Create the authentication remote attestation report
   aecs::untrusted::AecsClient aecs_client(aecs_server_endpoint);
   kubetee::GetEnclaveSecretPublicRequest req;
@@ -70,8 +72,18 @@ TeeErrorCode aecs_client_get_public_secret(
   TEE_CHECK_RETURN(
       kubetee::common::RsaCrypto::Verify(verify_pubkey, sig_str, signature));
 
-  *secret = res.secret_public();
+  // Verify secret policy if necessary
+  kubetee::EnclaveSecret secret;
+  JSON2PB(res.secret_public(), &secret);
+  if (!secret_policy.empty() && secret_policy != "{}") {
+    const kubetee::UnifiedAttestationPolicy& policy =
+        secret.spec().policy().policy();
+    kubetee::UnifiedAttestationPolicy expected_policy;
+    JSON2PB(secret_policy, &expected_policy);
+    TEE_CHECK_RETURN(UaVerifyPolicy(policy, expected_policy));
+  }
 
+  secret_public->assign(secret.data());
   return TEE_SUCCESS;
 }
 
@@ -84,19 +96,21 @@ int aecs_client_get_public_secret_and_save_file(
     const char* aecs_server_policy,
     const char* secret_service,
     const char* secret_name,
+    const char* secret_policy,
     const char* nonce,
     const char* save_file_name) {
   TEE_CHECK_RETURN(aecs_client_get_public_secret_to_file(
       SAFESTR(aecs_server_endpoint), SAFESTR(aecs_server_policy),
-      SAFESTR(secret_service), SAFESTR(secret_name), SAFESTR(nonce),
-      SAFESTR(save_file_name)));
+      SAFESTR(secret_service), SAFESTR(secret_name), SAFESTR(secret_policy),
+      SAFESTR(nonce), SAFESTR(save_file_name)));
   return 0;
 }
 
 int aecs_client_get_public_secret_by_buffer(const char* aecs_server_endpoint,
                                             const char* aecs_server_policy,
                                             const char* secret_service,
                                             const char* secret_name,
+                                            const char* secret_policy,
                                             const char* nonce,
                                             const char* secret_outbuf,
                                             int* secret_outbuf_len) {
@@ -105,8 +119,8 @@ int aecs_client_get_public_secret_by_buffer(const char* aecs_server_endpoint,
   std::string secret_str;
   TEE_CHECK_RETURN(aecs_client_get_public_secret(
       SAFESTR(aecs_server_endpoint), SAFESTR(aecs_server_policy),
-      SAFESTR(secret_service), SAFESTR(secret_name), SAFESTR(nonce),
-      &secret_str));
+      SAFESTR(secret_service), SAFESTR(secret_name), SAFESTR(secret_policy),
+      SAFESTR(nonce), &secret_str));
   if (*secret_outbuf_len <= secret_str.size()) {
     return TEE_ERROR_SMALL_BUFFER;
   }
 
@@ -14,21 +14,43 @@ TeeErrorCode VerifyAecsEnclave(
 extern "C" {
 #endif
 
+/// @brief Get secret public key or cert-chain and save it to file
+///
+/// @param aecs_server_endpoint
+/// @param aecs_server_policy
+/// @param secret_service
+/// @param secret_name
+/// @param secret_policy
+/// @param nonce
+/// @param save_file_name
+/// @return
 TeeErrorCode aecs_client_get_public_secret_to_file(
     const std::string& aecs_server_endpoint,
     const std::string& aecs_server_policy,
     const std::string& secret_service,
     const std::string& secret_name,
+    const std::string& secret_policy,
     const std::string& nonce,
     const std::string& save_file_name);
 
+/// @brief Get secret public key or cert-chain if it exists andis allowed
+///
+/// @param aecs_server_endpoint
+/// @param aecs_server_policy
+/// @param secret_service
+/// @param secret_name
+/// @param secret_policy
+/// @param nonce
+/// @param secret_public
+/// @return
 TeeErrorCode aecs_client_get_public_secret(
     const std::string& aecs_server_endpoint,
     const std::string& aecs_server_policy,
     const std::string& secret_service,
     const std::string& secret_name,
+    const std::string& secret_policy,
     const std::string& nonce,
-    std::string* secret);
+    std::string* secret_public);
 
 #ifdef __cplusplus
 }
 
@@ -13,6 +13,7 @@ extern "C" {
  * @param[in] aecs_server_policy
  * @param[in] secret_service
  * @param[in] secret_name
+ * @param[in] secret_policy
  * @param[in] nonce
  * @param[in] file name to save secret public key
  * @return int Error code
@@ -22,6 +23,7 @@ int aecs_client_get_public_secret_and_save_file(
     const char* aecs_server_policy,
     const char* secret_service,
     const char* secret_name,
+    const char* secret_policy,
     const char* nonce,
     const char* save_file_name);
 
@@ -32,6 +34,7 @@ int aecs_client_get_public_secret_and_save_file(
  * @param[in] aecs_server_policy
  * @param[in] secret_service
  * @param[in] secret_name
+ * @param[in] secret_policy
  * @param[in] nonce
  * @param[out] secret_outbuf output buffer which includes the secret public key
  * @param[inout] secret_outbuf_len max len as input/real len as output
@@ -41,6 +44,7 @@ int aecs_client_get_public_secret_by_buffer(const char* aecs_server_endpoint,
                                             const char* aecs_server_policy,
                                             const char* secret_service,
                                             const char* secret_name,
+                                            const char* secret_policy,
                                             const char* nonce,
                                             const char* secret_outbuf,
                                             int* secret_outbuf_len);
 
@@ -78,7 +78,7 @@ if [ "$ACTIONS" == "all" -o "$ACTIONS" == "run" ] ; then
       --nonce nonce_2 \
       --output saved_secret_aes_256 && \
   OCCLUM_LOG_LEVEL=$LOGLEVEL occlum run /bin/aecs_client_get_secret \
-      --action get \
+      --action getpub \
       --endpoint localhost:19527 \
       --service $SERVICE_NAME \
       --secret $SECRET_RSA_NAME \
@@ -87,7 +87,7 @@ if [ "$ACTIONS" == "all" -o "$ACTIONS" == "run" ] ; then
   OCCLUM_LOG_LEVEL=$LOGLEVEL occlum run /bin/aecs_client_get_secret \
       --action create \
       --endpoint localhost:19527 \
-      --policy /etc/kubetee/service_secret_policy.yaml && \
+      --policy /etc/kubetee/ta_secret_policy.yaml && \
   OCCLUM_LOG_LEVEL=$LOGLEVEL occlum run /bin/aecs_client_get_secret \
       --action get \
       --endpoint localhost:19527 \