// When overridden in a derived class, performs enclave attestation, generates a symmetric key for the session, creates a an enclave session and stores the session information in the cache.
public override void CreateEnclaveSession(byte[] attestationInfo, ECDiffieHellmanCng clientDHKey, string attestationUrl, string servername, out SqlEnclaveSession sqlEnclaveSession, out long counter)
{
sqlEnclaveSession = null;
counter = 0;
try
{
AttestationInfoCacheItem attestationInfoCacheItem = AttestationInfoCache.Remove(Thread.CurrentThread.ManagedThreadId.ToString()) as AttestationInfoCacheItem;
sqlEnclaveSession = GetEnclaveSessionFromCache(servername, attestationUrl, out counter);
if (sqlEnclaveSession == null)
{
if (attestationInfoCacheItem != null)
{
byte[] nonce = attestationInfoCacheItem.AttestNonce;
IdentityModelEventSource.ShowPII = true;
// Deserialize the payload
AzureAttestationInfo attestInfo = new AzureAttestationInfo(attestationInfo);
// Validate the attestation info
VerifyAzureAttestationInfo(attestationUrl, attestInfo.EnclaveType, attestInfo.AttestationToken.AttestationToken, attestInfo.Identity, nonce);
// Set up shared secret and validate signature
byte[] sharedSecret = GetSharedSecret(attestInfo.Identity, nonce, attestInfo.EnclaveType, attestInfo.EnclaveDHInfo, clientDHKey);
// add session to cache
sqlEnclaveSession = AddEnclaveSessionToCache(attestationUrl, servername, sharedSecret, attestInfo.SessionId, out counter);
}
else
{
throw new AlwaysEncryptedAttestationException(SR.FailToCreateEnclaveSession);
}
}
}
finally
{
// As per current design, we want to minimize the number of create session calls. To acheive this we block all the GetEnclaveSession calls until the first call to
// GetEnclaveSession -> GetAttestationParameters -> CreateEnclaveSession completes or the event timeout happen.
// Case 1: When the first request successfully creates the session, then all outstanding GetEnclaveSession will use the current session.
// Case 2: When the first request unable to create the encalve session (may be due to some error or the first request doesn't require enclave computation) then in those case we set the event timeout to 0.
UpdateEnclaveSessionLockStatus(sqlEnclaveSession);
}
}
// When overridden in a derived class, performs enclave attestation, generates a symmetric key for the session, creates a an enclave session and stores the session information in the cache.
public override void CreateEnclaveSession(byte[] attestationInfo, ECDiffieHellmanCng clientDHKey, string attestationUrl, string servername, out SqlEnclaveSession sqlEnclaveSession, out long counter)
{
sqlEnclaveSession = null;
counter = 0;
try
{
AttestationInfoCacheItem attestationInfoCacheItem = AttestationInfoCache.Remove(Thread.CurrentThread.ManagedThreadId.ToString()) as AttestationInfoCacheItem;
sqlEnclaveSession = GetEnclaveSessionFromCache(servername, attestationUrl, out counter);
if (sqlEnclaveSession == null)
{
if (attestationInfoCacheItem != null)
{
// Deserialize the payload
AttestationInfo info = new AttestationInfo(attestationInfo);
// Verify enclave policy matches expected policy
VerifyEnclavePolicy(info.EnclaveReportPackage);
// Perform Attestation per VSM protocol
VerifyAttestationInfo(attestationUrl, info.HealthReport, info.EnclaveReportPackage);
// Set up shared secret and validate signature
byte[] sharedSecret = GetSharedSecret(info.Identity, info.EnclaveDHInfo, clientDHKey);
// add session to cache
sqlEnclaveSession = AddEnclaveSessionToCache(attestationUrl, servername, sharedSecret, info.SessionId, out counter);
}
else
{
throw new AlwaysEncryptedAttestationException(SR.FailToCreateEnclaveSession);
}
}
}
finally
{
UpdateEnclaveSessionLockStatus(sqlEnclaveSession);
}
}
