-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathvcek_cache.cpp
More file actions
123 lines (97 loc) · 3.42 KB
/
vcek_cache.cpp
File metadata and controls
123 lines (97 loc) · 3.42 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
#include "vcek_cache.h"
#include <curl/curl.h>
#include <nlohmann/json.hpp>
#include <stdexcept>
#include <string>
namespace accless::attestation::snp {
namespace {
constexpr const char *THIM_URL =
"http://169.254.169.254/metadata/THIM/amd/certification";
constexpr const char *THIM_METADATA_HEADER = "Metadata:true";
struct VcekCache {
std::once_flag once;
std::string vcekCert;
std::string certChain;
std::string bundle;
std::string error;
};
VcekCache g_cache;
size_t curlWriteCallback(char *ptr, size_t size, size_t nmemb, void *userdata) {
auto *out = static_cast<std::string *>(userdata);
if (!out)
return 0;
const size_t total = size * nmemb;
out->append(ptr, total);
return total;
}
// Perform one-time VCEK fetch, but *never throw*. If unavailable, returns empty
// PEM strings.
void initVcekCache() {
CURL *curl = curl_easy_init();
if (!curl) {
g_cache.error = "failed to init curl for VCEK fetch";
return;
}
std::string response;
char errbuf[CURL_ERROR_SIZE] = {0};
curl_easy_setopt(curl, CURLOPT_URL, THIM_URL);
curl_easy_setopt(curl, CURLOPT_HTTPGET, 1L);
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, curlWriteCallback);
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, errbuf);
curl_easy_setopt(curl, CURLOPT_TIMEOUT_MS, 500L); // do not block
curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT_MS, 300L);
// Add Metadata:true header
struct curl_slist *headers = nullptr;
headers = curl_slist_append(headers, THIM_METADATA_HEADER);
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
CURLcode res = curl_easy_perform(curl);
long status = 0;
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &status);
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, nullptr);
curl_slist_free_all(headers);
curl_easy_cleanup(curl);
// IMDS unreachable → not a CVM → silently return empty values
if (res != CURLE_OK) {
g_cache.error = std::string("VCEK fetch failed: curl error: ") +
(errbuf[0] ? errbuf : curl_easy_strerror(res));
return;
}
if (status != 200) {
g_cache.error =
"VCEK fetch failed: HTTP status " + std::to_string(status);
return;
}
// Parse JSON.
try {
auto json = nlohmann::json::parse(response);
g_cache.vcekCert = json.value("vcekCert", "");
g_cache.certChain = json.value("certificateChain", "");
// Normalize newlines
if (!g_cache.vcekCert.empty() && g_cache.vcekCert.back() != '\n')
g_cache.vcekCert.push_back('\n');
if (!g_cache.certChain.empty() && g_cache.certChain.back() != '\n')
g_cache.certChain.push_back('\n');
g_cache.bundle = g_cache.vcekCert + g_cache.certChain;
} catch (const std::exception &e) {
g_cache.error = std::string("VCEK fetch JSON parse error: ") + e.what();
// Leave empty certs
return;
}
}
void ensureInitialized() { std::call_once(g_cache.once, initVcekCache); }
} // namespace
// --- Public API ---
const std::string &getVcekPemBundle() {
ensureInitialized();
return g_cache.bundle;
}
const std::string &getVcekCertPem() {
ensureInitialized();
return g_cache.vcekCert;
}
const std::string &getVcekChainPem() {
ensureInitialized();
return g_cache.certChain;
}
} // namespace accless::attestation::snp