
Posting a Session

We show how to interact with CAS with the help of curl. This might be helpful during development since it simplifies quick tests.

We provide a scone command line interface that can itself be executed inside an enclave. It can attest CAS as well as create and verify policies. Hence, we recommend using the scone CLI.

We assume that you already started a CAS instance and a LAS instance on your local host. Alternatively, you can use our public CAS instance at domain scone-cas.cf. Hence, we set the address of CAS as follows:

    export SCONE_CAS_ADDR=127.0.0.1

If you use our public CAS instance, set it as follows:

    export SCONE_CAS_ADDR=scone-cas.cf

Client Certificate

To interact with CAS, we need to create a client certificate. When we create a session, it is associated with the client certificate of the creator. Any access to this session requires that the client knows the private key of the client certificate.

Let's create a client certificate without a password. Note that you would typically add a password!

    mkdir -p conf
    if [[ ! -f conf/client.crt || ! -f conf/client-key.key  ]] ; then
      openssl req -x509 -newkey rsa:4096 -out conf/client.crt -keyout conf/client-key.key \
      -days 31 -nodes -sha256 \
      -subj "/C=US/ST=Dresden/L=Saxony/O=Scontain/OU=Org/CN=www.scontain.com" \
      -reqexts SAN -extensions SAN \
      -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:www.scontain.com'))
    fi

Hello World Session

Let's create a minimal session:

    cat > session.yml <<EOF
    name: blender
    digest: create

    services:
       - name: application
         image_name: sconecuratedimages/iexec:blender
         mrenclaves: [96936b6760d1f59b18f2c1a3fa2be205a91d6667dfc6635e8d0bbc1687bc03f2]
         command: blender -b /encryptedInputs/iexec-rlc.blend -o /encryptedOutputs/ -f 1
         pwd: /
         environment:
            SCONE_MODE: hw

    images:
       - name: sconecuratedimages/iexec:blender
         mrenclaves: [96936b6760d1f59b18f2c1a3fa2be205a91d6667dfc6635e8d0bbc1687bc03f2]
         tags: [demo]
    EOF

We can now upload the session as follows:

    curl -k -s --cert conf/client.crt --key conf/client-key.key --data-binary @session.yml -X POST https://$SCONE_CAS_ADDR:8081/session

This results in an output similar to this:

    Created Session[id=00ed7ade-bba6-4d43-9135-51d0ca2da9ba, name=blender, status=Pending]

Session already exists

If the session with name "blender" already exists - which will be the case when you use scone-cas.cf - the following error message is issued: Could not create successor session. Invalid previous session digest: ...

If the session with name blender already exists, you must choose a different session name.

We can read the session as follows:

    curl -k -s --cert conf/client.crt --key conf/client-key.key https://$SCONE_CAS_ADDR:8081/session/blender

This will result in an output like this:

    ---
    name: blender
    digest: 313c6c3b824f0a560c445c8ef0cf69781345aae753bdbeaedbfff15c5a348099
    board_members: []
    board_policy:
      minimum: 0
      timeout: 30
    images:
      - name: "sconecuratedimages/iexec:blender"
        mrenclaves:
          - 96936b6760d1f59b18f2c1a3fa2be205a91d6667dfc6635e8d0bbc1687bc03f2
        tags:
          - demo
    services:
      - name: application
        image_name: "sconecuratedimages/iexec:blender"
        mrenclaves:
          - 96936b6760d1f59b18f2c1a3fa2be205a91d6667dfc6635e8d0bbc1687bc03f2
        environment:
          SCONE_MODE: hw
        command: blender -b /encryptedInputs/iexec-rlc.blend -o /encryptedOutputs/ -f 1
        pwd: /
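
The upload and read-back above can be scripted so that a name collision is detected and the stored policy is checked against the MRENCLAVE you intended to pin. This is an added example, not part of SCONE; the function names are hypothetical and it assumes the error text quoted above arrives in the POST reply body. Because curl -k skips verification of the CAS server certificate, these checks do not replace attesting CAS with the scone CLI.

```shell
#!/bin/sh
# Added example, not SCONE code: checks around the curl calls on this page.
# Function names are hypothetical. Assumes the error text quoted above is
# returned in the POST reply body.

# Print the session id from a successful POST reply. Returns 2 if CAS says a
# session with this name already exists (pick another name), 1 otherwise.
created_session_id() {
  case "$1" in
    "Created Session[id="*)
      printf '%s\n' "$1" | sed -n 's/^Created Session\[id=\([0-9a-f-]*\),.*/\1/p' ;;
    *"Invalid previous session digest"*) return 2 ;;
    *) return 1 ;;
  esac
}

# Print the digest CAS assigned to the session YAML read from stdin.
session_digest() {
  sed -n 's/^digest: *\([0-9a-f]\{64\}\) *$/\1/p'
}

# Print the distinct MRENCLAVE values in the session YAML read from stdin.
session_mrenclaves() {
  grep -v '^digest:' | grep -oE '[0-9a-f]{64}' | sort -u
}

# Succeed only if the stored session pins exactly the one expected MRENCLAVE.
pins_only() {
  [ "$(session_mrenclaves)" = "$1" ]
}

# Upload session.yml, then read it back and confirm what CAS stored.
# usage: post_and_check SESSION_NAME EXPECTED_MRENCLAVE
post_and_check() {
  url="https://$SCONE_CAS_ADDR:8081/session"
  reply=$(curl -k -s --cert conf/client.crt --key conf/client-key.key \
    --data-binary @session.yml -X POST "$url") || return 1
  created_session_id "$reply" >/dev/null || return $?
  curl -k -s --cert conf/client.crt --key conf/client-key.key "$url/$1" \
    | pins_only "$2"
}
```

post_and_check returns 2 when the session name is already taken, and a non-zero status when the session read back from CAS lists any MRENCLAVE other than the expected one.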