
Approving the computation

Approve the list of participants as a Computation Owner

Cosmian generates the enclave identity asynchronously. You need to wait for the generation to finish, which can take a few minutes after all the participants have sent their public keys and the code provider has sent their code.

import time
from cosmian_secure_computation_client import ComputationOwnerAPI

computation_owner = ComputationOwnerAPI(cosmian_token)

# Poll until the enclave identity (quote and public key) is available.
while True:
    computation = computation_owner.get_computation(computation_uuid)
    if computation.enclave.identity is None:
        print("Waiting 5s for the generation of the enclave identity…")
        time.sleep(5)
    else:
        break

Once the enclave identity is generated, you can check it:

  • verify that the quote comes from an Intel SGX enclave, using DCAP
  • verify that the quote and public key match (todo)
  • verify the list of participants in the serialized args (todo)
  • verify that the entrypoint hash from the manifest is the same as the computed hash of the entrypoint content (todo)

computation_owner.remote_attestation(computation.enclave.identity.quote)

If everything is correct, you can sign the quote. Once done, each participant will see that you approved the computation, and they can check your signature with the public key you provided.

computation_owner.approve_participants(computation.uuid, public_key, "quote signature with your private PGP key")

Computation Owner signature

Cosmian doesn’t yet provide a way for the Computation Owner to sign the quote, nor a way for other participants to check this signature. You can use your own code/tool or just send a fake signature: since the computation owner doesn’t take part in the computation inside the enclave, everything stays secure anyway.

Approve the computation as a code provider

Cosmian generates the enclave identity asynchronously. You need to wait for the generation to finish, which can take a few minutes after all the participants have sent their public keys and the code provider has sent their code.

import time
from cosmian_secure_computation_client import CodeProviderAPI

code_provider = CodeProviderAPI(cosmian_token)

# Poll until the enclave identity (quote and public key) is available.
while True:
    computation = code_provider.get_computation(computation_uuid)
    if computation.enclave.identity is None:
        print("Waiting 5s for the generation of the enclave identity…")
        time.sleep(5)
    else:
        break

Once the enclave identity is generated, you can check it:

  • verify that the quote comes from an Intel SGX enclave, using DCAP
  • verify that the quote and public key match (todo)
  • verify the list of participants in the serialized args (todo)
  • verify that the entrypoint hash from the manifest is the same as the computed hash of the entrypoint content (todo)

code_provider.remote_attestation(computation.enclave.identity.quote)
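
The "quote and public key match" check listed above (for both the Computation Owner and the Code Provider) could look like the following added example, which is not Cosmian's code: it reads the report body of a raw Intel SGX DCAP quote (version 3) and compares its report_data field with a hash of the enclave public key before any key is sealed to that public key. The binding convention (SHA-256 of the public key in the first 32 bytes of report_data, zero padded), the raw-bytes inputs and all function names are assumptions; the check complements the DCAP verification done by remote_attestation and does not replace it.

```python
import hashlib
import hmac
import struct

# Intel SGX ECDSA (DCAP) quote, version 3: 48-byte header + 384-byte report body.
HEADER_LEN = 48
REPORT_BODY_LEN = 384
MRENCLAVE_OFF = HEADER_LEN + 64     # 32 bytes: measurement of the enclave code
MRSIGNER_OFF = HEADER_LEN + 128     # 32 bytes: hash of the enclave signer's key
REPORT_DATA_OFF = HEADER_LEN + 320  # 64 bytes: data chosen by the enclave


def parse_quote(quote: bytes) -> dict:
    """Extract the fields an approver compares; does NOT verify the signature."""
    if len(quote) < HEADER_LEN + REPORT_BODY_LEN:
        raise ValueError("quote too short for an SGX header and report body")
    version, att_key_type = struct.unpack_from("<HH", quote, 0)
    if version != 3:
        raise ValueError(f"unsupported quote version {version}")
    return {
        "att_key_type": att_key_type,
        "mr_enclave": quote[MRENCLAVE_OFF:MRENCLAVE_OFF + 32],
        "mr_signer": quote[MRSIGNER_OFF:MRSIGNER_OFF + 32],
        "report_data": quote[REPORT_DATA_OFF:REPORT_DATA_OFF + 64],
    }


def public_key_matches_quote(quote: bytes, public_key: bytes) -> bool:
    """ASSUMPTION: report_data = SHA-256(public_key) followed by 32 zero bytes."""
    expected = hashlib.sha256(public_key).digest() + bytes(32)
    return hmac.compare_digest(parse_quote(quote)["report_data"], expected)


def make_sample_quote(public_key: bytes) -> bytes:
    """Constructed test input: a header and report body, no signature data."""
    header = struct.pack("<HH", 3, 2) + bytes(HEADER_LEN - 4)
    body = bytearray(REPORT_BODY_LEN)
    body[64:96] = b"\xaa" * 32    # mr_enclave (constructed value)
    body[128:160] = b"\xbb" * 32  # mr_signer (constructed value)
    body[320:352] = hashlib.sha256(public_key).digest()
    return header + bytes(body)


if __name__ == "__main__":
    key = b"constructed-enclave-public-key-0"
    quote = make_sample_quote(key)
    print(public_key_matches_quote(quote, key))           # key bound to the quote
    print(public_key_matches_quote(quote, b"other key"))  # substituted key
```
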

To approve the computation, send your symmetric key sealed with the enclave’s public key.

The symmetric key must be the one you used to encrypt your code before sending it.

from cosmian_secure_computation_client.crypto.helper import seal
sealed_symmetric_key = seal(symmetric_key, computation.enclave.identity.public_key)

code_provider.key_provisioning(computation.uuid, sealed_symmetric_key)