
Create a policy with a private and a public value

The next assignment focuses on creating a policy in the namespace that you created in a previous assignment. This policy should define one public value and one secret. We want to retrieve the public value via the CAS REST API and show that retrieving the secret fails - even when we present the client certificate that was used to create the policy.

Task 1

Create a policy named private_public_values within the namespace that you created. In this policy, you create two secrets:

  • public_value: which can be read via CAS by any entity that can communicate with the CAS instance.
  • private_value: a private value that cannot be read - even when knowing the private key of the policy creator.

Your solution should

  • retrieve the public value using curl
  • try to retrieve the private value using curl - without a client certificate
  • try to retrieve the private value using curl - using the client certificate and private key used to create the policy.

Background

The name of a policy must be its absolute path. This means that if a policy PolicyName is defined in a namespace MyNameSpace, then the name of the policy must be:

name: MyNameSpace/PolicyName

You can define secrets as part of a policy as follows:

secrets:
  - name: public_value
    kind: ascii
    value: "42"
    export_public: true
  - name: private_value
    kind: ascii
    value: "007"

Note that export_public is typically used to export certificates, which are public. However, it can also be used to export other public values, such as the MRENCLAVE of a confidential service.

Right now, secrets that are not marked with export_public cannot be retrieved via the CAS REST API at all - neither anonymously nor with the client certificate of the policy creator. In a future version of the session language, we might permit this if a session explicitly states which clients may access secrets via the REST API. Right now, attempts to read such secrets will fail.
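The following script puts the three steps of the task together: it writes the policy with the absolute name from the Background section, creates the session, and then issues the three curl requests (public value, private value without a certificate, private value with the creator's certificate), treating anything other than HTTP 200 for the private value as the expected failure. It is an added example, not the solution linked under assignment 5. It assumes the `scone` CLI is already configured against your CAS with the client certificate from the previous assignment, that CAS exposes its REST API on port 8081 under `/v1/values/session=...,secret=...` as in the SCONE documentation, and that `CAS_ADDR`, `NAMESPACE`, `CLIENT_CERT` and `CLIENT_KEY` are set by you; the `version: "0.3"` line is the session language version used in the SCONE tutorials.

```shell
#!/usr/bin/env bash
# Added example for the SCONE CAS policy assignment; not the page's own solution.
# Assumed environment (adjust to your setup):
#   NAMESPACE    namespace created in the previous assignment
#   CAS_ADDR     host name of your CAS instance (REST API assumed on port 8081)
#   CLIENT_CERT  PEM client certificate used when the policy was created
#   CLIENT_KEY   matching private key
# The /v1/values path and `scone session create` are taken from the SCONE
# documentation; verify both against the CAS version you run.
set -u

NAMESPACE="${NAMESPACE:-MyNameSpace}"
POLICY_NAME="private_public_values"
SESSION="$NAMESPACE/$POLICY_NAME"   # policy names are absolute: namespace/policy

# Emit the policy. public_value is exported, private_value is not.
write_policy() {
  cat <<EOF
name: $SESSION
version: "0.3"

secrets:
  - name: public_value
    kind: ascii
    value: "42"
    export_public: true
  - name: private_value
    kind: ascii
    value: "007"
EOF
}

# URL of the CAS values API for one secret of this session (assumed path).
value_url() {  # $1 = secret name
  printf 'https://%s:8081/v1/values/session=%s,secret=%s' "$CAS_ADDR" "$SESSION" "$1"
}

# Request a secret. Prints the HTTP status code; the body goes to file $2.
# Any further arguments (e.g. --cert/--key) are handed to curl unchanged.
fetch_value() {  # $1 = secret name, $2 = body file, $3.. = extra curl args
  local name="$1" body="$2"
  shift 2
  # -k because the tutorial CAS presents a self-signed certificate
  curl -sk -o "$body" -w '%{http_code}' "$@" "$(value_url "$name")"
}

# The task's expected outcome: public value readable, private value refused
# both without and with the creator's client certificate.
check_results() {  # $1 = public status, $2 = private/no cert, $3 = private/with cert
  [ "$1" = "200" ] && [ "$2" != "200" ] && [ "$3" != "200" ]
}

# Only talk to a CAS when one is configured; the functions above are usable on their own.
if [ -n "${CAS_ADDR:-}" ]; then
  write_policy > policy.yaml
  scone session create policy.yaml   # CLI uses its configured client certificate

  pub=$(fetch_value public_value pub.txt)
  printf 'public_value: HTTP %s, body: %s\n' "$pub" "$(cat pub.txt)"

  nocert=$(fetch_value private_value private_nocert.txt)
  printf 'private_value (no cert): HTTP %s\n' "$nocert"

  withcert=$(fetch_value private_value private_cert.txt \
               --cert "$CLIENT_CERT" --key "$CLIENT_KEY")
  printf 'private_value (creator cert): HTTP %s\n' "$withcert"

  if check_results "$pub" "$nocert" "$withcert"; then
    echo "as expected: public value readable, private value refused twice"
  else
    echo "unexpected result, check policy name and CAS address" >&2
    exit 1
  fi
fi
```

Run it as `CAS_ADDR=<cas-host> NAMESPACE=<your-namespace> CLIENT_CERT=client.pem CLIENT_KEY=client-key.pem ./policy_check.sh`. The script deliberately checks the HTTP status rather than the body: an empty body with a 2xx status would mean the secret leaked, which is exactly the case the task wants to rule out.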

Solution

A bash solution for this task is available at assignment 5.

Troubleshooting

  • Please have a look at the troubleshooting hints from the previous assignments. If you experience any additional issues, please let us know via email. We will add the issue and a proposed solution to this troubleshooting section.