Open Enclave  0.17.0

◆ oe_verify_evidence()

oe_result_t oe_verify_evidence ( const oe_uuid_t *  format_id,
const uint8_t *  evidence_buffer,
size_t  evidence_buffer_size,
const uint8_t *  endorsements_buffer,
size_t  endorsements_buffer_size,
const oe_policy_t *  policies,
size_t  policies_size,
oe_claim_t **  claims,
size_t *  claims_length 
)


Verifies the attestation evidence and returns well-known and custom claims. This function is available in both the enclave and the host. Successful verification only establishes that the evidence is genuine; whether the attested enclave is the one the caller expects must be decided by inspecting the returned claims.

The following base claims will be returned at the minimum:

  • id_version (uint32_t)
    • Version number.
  • security_version (uint32_t)
    • Security version of the enclave. (ISVN for SGX).
  • attributes (uint64_t)
    • Attributes flags for the evidence:
      • OE_EVIDENCE_ATTRIBUTES_SGX_DEBUG: The evidence is for a debug mode SGX enclave.
      • OE_EVIDENCE_ATTRIBUTES_SGX_REMOTE: The evidence can be used for remote attestation of an SGX enclave.
  • unique_id (uint8_t[32])
    • The unique ID for the enclave (MRENCLAVE for SGX).
  • signer_id (uint8_t[32])
    • The signer ID for the enclave (MRSIGNER for SGX).
  • product_id (uint8_t[32])
    • The product ID for the enclave (ISVPRODID for SGX).
  • validity_from (oe_datetime_t, optional)
    • Overall datetime from which the evidence and endorsements are valid.
  • validity_until (oe_datetime_t, optional)
    • Overall datetime at which the evidence and endorsements expire.
  • format_uuid (uint8_t[16])
    • The format id of the verified evidence.
This feature is marked as experimental.
Parameters
[in] format_id: The optional format id of the evidence to be verified. If this parameter is NULL, evidence_buffer (and endorsements_buffer, if not NULL) must either contain data with an attestation header holding a valid format id, or be an OE report generated by the legacy API function oe_get_report(). Otherwise, this parameter must hold a valid format id, and the evidence and endorsements data must not be wrapped with an attestation header.
[in] evidence_buffer: The evidence buffer.
[in] evidence_buffer_size: The size of evidence_buffer in bytes.
[in] endorsements_buffer: The optional endorsements buffer.
[in] endorsements_buffer_size: The size of endorsements_buffer in bytes.
[in] policies: An optional list of policies to use.
[in] policies_size: The size of the policy list.
[out] claims: If not NULL, an output pointer that will be assigned the address of the dynamically allocated list of claims (including base and custom). The caller owns this list and releases it with oe_free_claims().
[out] claims_length: If not NULL, the length of the claims list.
Return values
OE_OK: The function succeeded.
OE_TCB_LEVEL_INVALID: The evidence verified, but the TCB is not considered up to date. Claims are still returned; the caller's policy must explicitly accept or reject this case, and the claims OE_CLAIM_TCB_STATUS and OE_CLAIM_TCB_DATE contain more information.
OE_INVALID_PARAMETER: At least one of the parameters is invalid.
other: An appropriate error code.
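The policy check a relying party runs over the claim list after this call returns OE_OK or OE_TCB_LEVEL_INVALID, as an added example that is not Open Enclave project code. It covers the base claims listed above (signer_id, unique_id, security_version, attributes) and the debug flag. The oe_claim_t layout, the claim-name strings and the two attribute flag values are mirrored from the Open Enclave headers so the block compiles stand-alone; the claim list it checks is constructed inline rather than produced by a real verification, and the policy struct, verdict enum and function names are this example's own.

```c
/* Added example (not Open Enclave project code): the policy check a relying
 * party runs over the claim list returned by oe_verify_evidence().
 * oe_claim_t, the claim names and the attribute flags are mirrored from the
 * Open Enclave headers so this compiles stand-alone; when building against OE,
 * include <openenclave/attestation/verifier.h> instead and call
 * oe_free_claims() on the list when done. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _oe_claim {
    char* name;
    uint8_t* value;
    size_t value_size;
} oe_claim_t;

#define OE_CLAIM_SECURITY_VERSION "security_version"
#define OE_CLAIM_ATTRIBUTES "attributes"
#define OE_CLAIM_UNIQUE_ID "unique_id"
#define OE_CLAIM_SIGNER_ID "signer_id"
#define OE_EVIDENCE_ATTRIBUTES_SGX_DEBUG 0x0000000000000001ULL
#define OE_EVIDENCE_ATTRIBUTES_SGX_REMOTE 0x0000000000000002ULL

/* Verdict of the check (this example's own names); anything but CLAIMS_OK rejects the peer. */
typedef enum {
    CLAIMS_OK = 0,
    CLAIMS_MISSING_OR_MALFORMED,
    CLAIMS_WRONG_SIGNER,
    CLAIMS_WRONG_UNIQUE_ID,
    CLAIMS_SECURITY_VERSION_TOO_LOW,
    CLAIMS_DEBUG_ENCLAVE
} claims_verdict_t;

/* What the relying party expects; unique_id may be NULL to skip MRENCLAVE pinning. */
typedef struct {
    const uint8_t* signer_id;      /* 32 bytes, MRSIGNER on SGX */
    const uint8_t* unique_id;      /* 32 bytes, MRENCLAVE on SGX, or NULL */
    uint32_t min_security_version; /* lowest acceptable ISVSVN */
    bool allow_debug;              /* never true in production */
} claims_policy_t;

/* Returns the named claim only if it exists with exactly the expected size. */
static const oe_claim_t* find_claim(const oe_claim_t* claims, size_t n, const char* name, size_t size)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(claims[i].name, name) == 0)
            return claims[i].value_size == size ? &claims[i] : NULL;
    return NULL;
}

claims_verdict_t check_claims(const oe_claim_t* claims, size_t n, const claims_policy_t* p)
{
    const oe_claim_t* signer = find_claim(claims, n, OE_CLAIM_SIGNER_ID, 32);
    const oe_claim_t* unique = find_claim(claims, n, OE_CLAIM_UNIQUE_ID, 32);
    const oe_claim_t* svn = find_claim(claims, n, OE_CLAIM_SECURITY_VERSION, sizeof(uint32_t));
    const oe_claim_t* attrs = find_claim(claims, n, OE_CLAIM_ATTRIBUTES, sizeof(uint64_t));
    if (!signer || !unique || !svn || !attrs)
        return CLAIMS_MISSING_OR_MALFORMED;
    if (memcmp(signer->value, p->signer_id, 32) != 0)
        return CLAIMS_WRONG_SIGNER;
    if (p->unique_id && memcmp(unique->value, p->unique_id, 32) != 0)
        return CLAIMS_WRONG_UNIQUE_ID;
    uint32_t sv; /* memcpy: claim values carry no alignment guarantee */
    memcpy(&sv, svn->value, sizeof sv);
    if (sv < p->min_security_version)
        return CLAIMS_SECURITY_VERSION_TOO_LOW;
    uint64_t a;
    memcpy(&a, attrs->value, sizeof a);
    if ((a & OE_EVIDENCE_ATTRIBUTES_SGX_DEBUG) && !p->allow_debug)
        return CLAIMS_DEBUG_ENCLAVE;
    return CLAIMS_OK;
}

/* Constructed stand-in for the list oe_verify_evidence() would return. */
static uint8_t g_signer[32], g_unique[32], g_svn[4], g_attrs[8];
static oe_claim_t g_claims[4];

const oe_claim_t* make_sample_claims(uint32_t svn, uint64_t attrs, size_t* n)
{
    memset(g_signer, 0xA5, sizeof g_signer);
    memset(g_unique, 0x5A, sizeof g_unique);
    memcpy(g_svn, &svn, sizeof g_svn); /* host byte order; check_claims reads it back the same way */
    memcpy(g_attrs, &attrs, sizeof g_attrs);
    g_claims[0] = (oe_claim_t){(char*)OE_CLAIM_SIGNER_ID, g_signer, sizeof g_signer};
    g_claims[1] = (oe_claim_t){(char*)OE_CLAIM_UNIQUE_ID, g_unique, sizeof g_unique};
    g_claims[2] = (oe_claim_t){(char*)OE_CLAIM_SECURITY_VERSION, g_svn, sizeof g_svn};
    g_claims[3] = (oe_claim_t){(char*)OE_CLAIM_ATTRIBUTES, g_attrs, sizeof g_attrs};
    *n = 4;
    return g_claims;
}

/* One scenario against a fixed policy (expected signer 0xA5.., min SVN 2, no debug). */
claims_verdict_t scenario(uint32_t svn, uint64_t attrs, bool wrong_signer, size_t keep)
{
    uint8_t expected[32];
    memset(expected, wrong_signer ? 0xA6 : 0xA5, sizeof expected);
    claims_policy_t policy = {expected, NULL, 2, false};
    size_t n;
    const oe_claim_t* claims = make_sample_claims(svn, attrs, &n);
    if (keep < n) n = keep; /* simulate a truncated claim list */
    return check_claims(claims, n, &policy);
}

int main(void)
{
    printf("production enclave: %d\n", scenario(3, OE_EVIDENCE_ATTRIBUTES_SGX_REMOTE, false, 4));
    printf("debug enclave:      %d\n", scenario(3, OE_EVIDENCE_ATTRIBUTES_SGX_REMOTE | OE_EVIDENCE_ATTRIBUTES_SGX_DEBUG, false, 4));
    printf("stale SVN:          %d\n", scenario(1, OE_EVIDENCE_ATTRIBUTES_SGX_REMOTE, false, 4));
    printf("wrong signer:       %d\n", scenario(3, OE_EVIDENCE_ATTRIBUTES_SGX_REMOTE, true, 4));
    return 0;
}
```

In a real verifier the claim list comes from oe_verify_evidence() after oe_verifier_initialize() has been called, the expected signer_id (and, if pinned, unique_id) is a measurement obtained out of band from the enclave build, and the list is released with oe_free_claims() once the verdict is taken. The same check_claims() pass belongs after an OE_TCB_LEVEL_INVALID return as well; the only difference is that the policy must additionally decide, from OE_CLAIM_TCB_STATUS and OE_CLAIM_TCB_DATE, whether an out-of-date TCB is tolerable for this deployment.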