Global Trust Authority API Reference: RESTful Interfaces Explained with Call Examples

Published: 2026/6/27 20:48:29
Project: [global-trust-authority](https://gitcode.com/openeuler/global-trust-authority), "a framework to support remote attestation of trusted computing and confidential computing, making remote attestation flow unified and simpler". Project site: https://ar.openeuler.org/ar/

Global Trust Authority (GTA) is a unified remote attestation framework that supports the remote attestation flow for both trusted computing and confidential computing. This API reference describes GTA's RESTful interfaces so that developers can integrate and use the remote attestation service quickly.

## Overview

| Section | Content | Core functions |
|---|---|---|
| 1. Quick start | API basics and authentication | Request headers, authentication methods |
| 2. Agent API | Client-side attestation interfaces | Get token, get evidence |
| 3. Service API | Server-side management interfaces | Reference value, certificate and policy management |
| 4. Remote attestation flow | Complete attestation workflow | Challenge request, evidence report, token verification |
| 5. Best practices | Development guide and examples | Code examples, error handling |

## 1. Quick start: Global Trust Authority API basics

The GTA API follows a RESTful design and exchanges data as JSON. All interfaces share one authentication and one error-handling mechanism.

### 1.1 Request headers

Every API request carries the following headers:

| Header | Type | Required | Description |
|---|---|---|---|
| Content-Type | string | yes | Fixed to `application/json` |
| Accept | string | no | Accepted content type |
| API-Key | string | no | API authentication key |
| User-Id | string | yes | User identifier |
| User-Name | string | no | User name |
| Request-Id | string | no | Request ID, used for tracing |

### 1.2 Authentication

GTA supports two authentication methods:

- API-Key authentication: a main key (`m.` prefix) or a sub key (`s.` prefix)
- User authentication: the user is identified through `User-Id`

### 1.3 Base URLs

- Agent API: `/global-trust-authority/agent/v1/`
- Service API: `/global-trust-authority/service/v1/`
- Key Manager API: `/v1/vault/`

## 2. Agent API: client-side attestation interfaces

The Agent API is the core interface of the Attestation Agent; it collects hardware evidence and produces attestation tokens.

### 2.1 Get token

Endpoint: `POST /global-trust-authority/agent/v1/tokens`

Function: obtain an attestation token. Several attestation types are supported (TPM, VirtCCA, iTrustee and others).

Request example:

```json
{
  "attester_info": [
    {
      "attester_type": "tpm_boot",
      "policy_ids": []
    }
  ],
  "challenge": true,
  "token_fmt": "eat",
  "attester_data": {"test_key": "test_value"}
}
```

Key parameters:

- `attester_type`: attester type; supported values are `tpm_boot`, `tpm`, `tpm_ima`, `virt_cca`, `ascend_npu`, `itrustee`, `cca` and `dice`
- `token_fmt`: token format; `eat` (Entity Attestation Token) or `ear` (Entity Attestation Result)

### 2.2 Get evidence

Endpoint: `POST /global-trust-authority/agent/v1/evidences`

Function: obtain the packaged evidence data; nonce verification is supported.

Request example (the nonce value is a placeholder for one obtained from the challenge endpoint in 3.3.1):

```json
{
  "attesters": [
    {
      "attester_type": "tpm_boot",
      "log_types": ["boot_log"]
    }
  ],
  "nonce_type": "verifier",
  "nonce": "<nonce from GET /global-trust-authority/service/v1/challenge>",
  "token_fmt": "eat",
  "attester_data": {"test_key": "test_value"}
}
```
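The following helper builds Agent API requests from the rules in sections 1.1, 1.2 and 2.1 and rejects malformed input before anything leaves the client. It is an added example, not code from the GTA project; the only facts it relies on are the header table, the `m.`/`s.` key prefixes and the tokens body shown above, and the sample user id and key it prints are constructed values.

```python
"""Build and validate Agent API requests for Global Trust Authority (GTA).

Added example, not GTA project code. It relies only on the header table in 1.1,
the m./s. API-Key prefixes in 1.2 and the tokens request body in 2.1.
"""
import json
import uuid

# Values documented in section 2.1 of the reference.
SUPPORTED_ATTESTER_TYPES = {
    "tpm_boot", "tpm", "tpm_ima", "virt_cca", "ascend_npu", "itrustee", "cca", "dice",
}
SUPPORTED_TOKEN_FORMATS = {"eat", "ear"}
AGENT_BASE = "/global-trust-authority/agent/v1"


def build_headers(user_id, api_key=None, request_id=None):
    """Return the request headers of section 1.1, rejecting bad inputs early."""
    if not user_id:
        raise ValueError("User-Id is required")
    if api_key is not None and not api_key.startswith(("m.", "s.")):
        raise ValueError("API-Key must carry the m. (main) or s. (sub) prefix")
    headers = {
        "Content-Type": "application/json",
        "User-Id": user_id,
        # A per-request id lets the server side trace the call (section 7.2).
        "Request-Id": request_id or str(uuid.uuid4()),
    }
    if api_key is not None:
        headers["API-Key"] = api_key
    return headers


def build_token_request(attesters, token_fmt="eat", challenge=True, attester_data=None):
    """Return (path, body) for POST .../tokens; attesters maps attester_type -> policy ids."""
    if token_fmt not in SUPPORTED_TOKEN_FORMATS:
        raise ValueError(f"unsupported token_fmt: {token_fmt}")
    if not attesters:
        raise ValueError("at least one attester is required")
    attester_info = []
    for attester_type, policy_ids in attesters.items():
        if attester_type not in SUPPORTED_ATTESTER_TYPES:
            raise ValueError(f"unsupported attester_type: {attester_type}")
        attester_info.append({"attester_type": attester_type, "policy_ids": list(policy_ids)})
    body = {
        "attester_info": attester_info,
        "challenge": challenge,
        "token_fmt": token_fmt,
    }
    if attester_data:
        body["attester_data"] = dict(attester_data)
    return f"{AGENT_BASE}/tokens", body


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    hdrs = build_headers("demo-user", api_key="s.constructed-sample-key")
    path, body = build_token_request({"tpm_boot": []}, attester_data={"test_key": "test_value"})
    print(path)
    print(json.dumps({"headers": hdrs, "body": body}, indent=2))
```

The validation is deliberately strict: an unknown attester type or a key without the documented prefix fails locally with a clear message instead of surfacing later as a 400 or 401 from the service.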
## 3. Service API: server-side management interfaces

The Service API provides the complete set of attestation service management functions, including reference value management, certificate management and policy management.

### 3.1 Reference value management

A reference value (baseline) is the standard against which attestation is verified; it is used to check the integrity of a device's state.

#### 3.1.1 Add a reference value

`POST /global-trust-authority/service/v1/ref_value`

Request parameters:

```json
{
  "name": "tpm_ima_baseline",
  "description": "TPM IMA baseline configuration",
  "attester_type": "tpm_ima",
  "content": "baseline content...",
  "is_default": false
}
```

#### 3.1.2 Query reference values

`GET /global-trust-authority/service/v1/ref_value?ids=2b0ead4b-6a15-4239-bf68-b1413df538bb`

### 3.2 Certificate management

The certificate management interface supports creating, deleting, updating and querying certificates, including root certificates, policy certificates and others.

#### 3.2.1 Add a certificate

`POST /global-trust-authority/service/v1/cert`

Supported certificate types:

- `refvalue`: reference value certificate
- `policy`: policy certificate
- `tpm_boot`: TPM boot certificate
- `tpm`: TPM certificate
- `tpm_ima`: TPM IMA certificate
- `crl`: certificate revocation list
- `ascend_npu`: Ascend NPU certificate

### 3.3 Challenge-related interfaces

#### 3.3.1 Request a nonce

`GET /global-trust-authority/service/v1/challenge`

Response example:

```json
{
  "service_version": "1.0",
  "nonce": "eyJpYXQiOjE3NTQ1NTIzNjQsInZhbHVlIjoiR3dvL3Z4WUZCYU5ZMWZlUGJUNytYdVZ2QXZ1ck9qU1JBTEx0bWg2OTZVcGFDR21qM1RrT1NRK3pqYkVBSWlkbUNvSmlySVF0RFAyZkJKdHFlNVFnT0E9PSIsInNpZ25hdHVyZSI6Im9VOFYwVnZYenhEbFJQRG56UzdnTGF4bkQvVEticGVwcytUNEpmenBPQkZ2ekR0b0NmOEEwRTF3RVB0dVVGajJmYjVSQkVsZkoxajc3WXQya1lQWFU5ZjIzWExOeXhFejRDZnZmQnZKQ2NFVjZCT0hYcVNTd3RKN25PUjZZN1JjekhoWnJ5UnhYd093N3dzcU9ZYVdRSGl0aW52ZGtRYzNjSDhUS1JzUjFaaS9FeFhHNHNYMXl6LzZ4eW9tbFRFOC9rYVZTY1dZSkI5K3A3ZnBMZTQ0S29MQXN5N3ZxcWhob1JYZXhaZXRzOUlLaE5FMmNXNityWHYxTFBOYzdXT3RWT2ZOQm1ZNUhrTW5hOHRIbUVHM0Z1SUNaVDdadjI3V3IxNmh1V2s5SEh6T1BDZjlhVHk5SnkvcnV0UUVRenZTOEhhbitweGZjZThQV0greFpKUFFVSFpZZkI3SmFZZVkwb1ltUWIzbDFHZ3RVWmc2TjZmVHFTRWdRMzBhL1BEMjVaNkNzb3Njdi9zb1B2b0NSZzNUQ2xwKzM0cFVpSXM2c2Z2OG56ZzZFQ2ZtOXBKazhKS2p3ZlNtcHA2N2VUWDVUN1cyNjFGdGlRcDNMQnVKbzF6Y1pZWmxXVlpFRCtqUDdYdk1OZnB1Ulg3emlJMFFUbVhVelBmSldoY3pzbUFTIn0"
}
```

#### 3.3.2 Remote attestation core interface

Endpoint: `POST /global-trust-authority/service/v1/attest`

Function: receive the evidence report, verify it and return an attestation token.

Request structure:

```json
{
  "agent_version": "0.1.0",
  "measurements": [
    {
      "node_id": "TPM AK",
      "nonce_type": "ignore",
      "token_fmt": "eat",
      "evidences": [
        {
          "attester_type": "tpm_boot",
          "evidence": {
            "ak_cert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
            "quote": {
              "quote_data": "...",
              "signature": "..."
            },
            "pcrs": {
              "hash_alg": "sha256",
              "pcr_values": [...]
            },
            "logs": [...]
          }
        }
      ]
    }
  ]
}
```
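Base64-decoding the sample nonce in 3.3.1 shows that it is a JSON object with `iat`, `value` and `signature` fields. The code below, an added example rather than GTA project code, parses a nonce of that shape and checks that its issue time is recent before the verifier accepts evidence bound to it. The 300-second freshness window and the 30-second clock-skew allowance are this example's own assumptions, the signature is not verified because the reference does not document the key behind it, and `encode_test_nonce` exists only to build constructed inputs for local testing.

```python
"""Parse the nonce returned by GET .../challenge and check its freshness.

Added example, not GTA project code. Decoding the sample nonce in 3.3.1 shows
a base64 JSON object with "iat", "value" and "signature" fields. The freshness
window is an assumption; the signature is not checked here because the
reference does not document the verifying key.
"""
import base64
import binascii
import json
import time

MAX_NONCE_AGE = 300   # seconds; assumed, not a GTA-documented value
CLOCK_SKEW = 30       # tolerated drift between issuer and checker clocks


def decode_nonce(nonce):
    """Return the nonce's JSON object; the sample has no base64 padding, so add it."""
    padded = nonce + "=" * (-len(nonce) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        obj = json.loads(raw)
    except (binascii.Error, ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"malformed nonce: {exc}") from exc
    if not isinstance(obj, dict):
        raise ValueError("nonce payload is not a JSON object")
    for field in ("iat", "value", "signature"):
        if field not in obj:
            raise ValueError(f"nonce lacks the {field} field")
    if not isinstance(obj["iat"], int):
        raise ValueError("iat must be an integer timestamp")
    return obj


def nonce_is_fresh(nonce, now=None, max_age=MAX_NONCE_AGE, skew=CLOCK_SKEW):
    """True when the nonce's iat lies within [now - max_age, now + skew]."""
    obj = decode_nonce(nonce)
    now = int(time.time()) if now is None else now
    return now - max_age <= obj["iat"] <= now + skew


def encode_test_nonce(iat, value, signature):
    """Build a nonce of the documented shape from constructed parts (tests only)."""
    raw = json.dumps({"iat": iat, "value": value, "signature": signature}).encode()
    return base64.b64encode(raw).decode().rstrip("=")


if __name__ == "__main__":
    # Constructed sample: issued 100 seconds before "now".
    now = int(time.time())
    sample = encode_test_nonce(now - 100, "constructed-value", "constructed-signature")
    print(decode_nonce(sample))
    print("fresh:", nonce_is_fresh(sample, now))
```

Rejecting a stale nonce on the verifier side is what makes the challenge meaningful: evidence that quotes an old nonce could be a replay, and the `nonce_type: "ignore"` mode shown in 3.3.2 gives up this guarantee entirely.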
### 3.4 Policy management

Policies define the rules and conditions of attestation verification; the Rego policy language is supported.

#### 3.4.1 Add a policy

`POST /global-trust-authority/service/v1/policy`

Policy content example (the `content` field is a base64-encoded Rego policy):

```json
{
  "name": "tpm_ima_policy",
  "description": "TPM IMA verification policy",
  "attester_type": ["tpm_ima"],
  "content_type": "text",
  "content": "cGFja2FnZSB2ZXJpZmljYXRpb24KCiMgRXh0cmFjdCBpc19sb2dfdmFsaWQgZnJvbSBmaXJzdCB0cG1faW1hIGxvZwppc19sb2dfdmFsaWQgPSB2YWxpZCB7CiAgICBzb21lIGkKICAgIGxvZ3MgOj0gaW5wdXQuZXZpZGVuY2UubG9ncwogICAgbG9nc1tpXS5sb2dfdHlwZSA9PSAiSW1hTG9nIgogICAgdmFsaWQgOj0gbG9nc1tpXS5pc19sb2dfdmFsaWQKfQoKIyBDaGVjayBpZiBwY3JzIDEwIGlzIHByZXNlbnQgaW4gYW55IGhhc2ggYWxnb3JpdGhtIChzaGExLCBzaGEyNTYsIHNoYTM4NCwgc2hhNTEyKQpwY3JfcHJlc2VudCB7CiAgICBhbGwgOj0ge3ggfCB4IDo9IFsxMF1bX10gfQogICAgbWVhc3VyZWQgOj0ge3Bjci5wY3JfaW5kZXggfCBwY3IgOj0gaW5wdXQuZXZpZGVuY2UucGNycy5wY3JfdmFsdWVzW19dfQogICAgYWxsX3BjcnNfc3Vic2V0IDo9IGFsbCAtIG1lYXN1cmVkCiAgICBjb3VudChhbGxfcGNyc19zdWJzZXQpID09IDAKfQoKIyBBdHRlc3RhdGlvbiB2YWxpZCBpZiBhbGwgY29uZGl0aW9ucyBtZXQKZGVmYXVsdCBhdHRlc3RhdGlvbl92YWxpZCA9IGZhbHNlCmF0dGVzdGF0aW9uX3ZhbGlkIHsKICAgIGlzX2xvZ192YWxpZCA9PSB0cnVlCiAgICBwY3JfcHJlc2VudAp9CgojIE91dHB1dCByZXN1bHQKcmVzdWx0ID0gewogICAgInBvbGljeV9tYXRjaGVkIjogYXR0ZXN0YXRpb25fdmFsaWQsCiAgICAiY3VzdG9tX2RhdGEiOiB7CiAgICAgICAgImhhc2hfYWxnIjogaW5wdXQuZXZpZGVuY2UucGNycy5oYXNoX2FsZwogICAgfQp9",
  "is_default": true
}
```

### 3.5 Token verification

Endpoint: `POST /global-trust-authority/service/v1/token/verify`

Function: verify the validity and integrity of a token.

Request example:

```json
{
  "token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```
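Since the `content` field must carry base64-encoded Rego text (the encoded content above begins with `cGFja2FnZSB2ZXJpZmljYXRpb24K`, which is `package verification`), a small builder keeps that encoding and the limits of section 6.2 in one place. The code below is an added example, not GTA project code; `SAMPLE_REGO` is a constructed policy in the spirit of the one above (an IMA-log validity check plus a PCR 10 presence check), not the page's own decoded policy.

```python
"""Build and inspect bodies for POST .../policy (section 3.4.1).

Added example, not GTA project code. The reference shows content as
base64-encoded Rego with content_type "text"; SAMPLE_REGO is a constructed
policy in that spirit, and the 500 KB cap comes from section 6.2.
"""
import base64
import json

SUPPORTED_ATTESTER_TYPES = {
    "tpm_boot", "tpm", "tpm_ima", "virt_cca", "ascend_npu", "itrustee", "cca", "dice",
}
MAX_POLICY_BYTES = 500 * 1024   # 6.2: a single policy is at most 500 KB

# Constructed Rego: pass when an IMA log verified and PCR 10 was measured.
SAMPLE_REGO = """package verification

default attestation_valid = false

is_log_valid {
    some i
    input.evidence.logs[i].log_type == "ImaLog"
    input.evidence.logs[i].is_log_valid == true
}

pcr_present {
    measured := {pcr.pcr_index | pcr := input.evidence.pcrs.pcr_values[_]}
    measured[10]
}

attestation_valid {
    is_log_valid
    pcr_present
}

result = {"policy_matched": attestation_valid}
"""


def build_policy_body(name, rego_source, attester_types, description="", is_default=False):
    """Return the JSON body for POST .../policy with the Rego base64-encoded."""
    if not rego_source.lstrip().startswith("package "):
        raise ValueError("Rego source must begin with a package declaration")
    unknown = set(attester_types) - SUPPORTED_ATTESTER_TYPES
    if unknown:
        raise ValueError(f"unsupported attester_type(s): {sorted(unknown)}")
    raw = rego_source.encode("utf-8")
    if len(raw) > MAX_POLICY_BYTES:
        raise ValueError("policy exceeds the 500 KB limit")
    return {
        "name": name,
        "description": description,
        "attester_type": list(attester_types),
        "content_type": "text",
        "content": base64.b64encode(raw).decode("ascii"),
        "is_default": is_default,
    }


def policy_source(body):
    """Recover the Rego text from a policy body (for instance one returned by a GET)."""
    if body.get("content_type") != "text":
        raise ValueError("only text policies are handled here")
    return base64.b64decode(body["content"]).decode("utf-8")


if __name__ == "__main__":
    body = build_policy_body("tpm_ima_policy", SAMPLE_REGO, ["tpm_ima"], "TPM IMA verification policy")
    print(json.dumps(body, indent=2))
    print(policy_source(body) == SAMPLE_REGO)
```

Reviewing a policy before it is registered is easier on the decoded text: `policy_source` turns a stored body back into readable Rego, which is what an auditor wants to diff rather than the base64 blob.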
Response example:

```json
{
  "verification_pass": true,
  "token_body": {
    "nonce_type": "ignore",
    "intuse": "generic",
    "ueid": "a4e7c719-6b05-4ac6-b95a-7e71a9d6f9d5",
    "virt_cca": {
      "attestation_status": "unknown",
      "vcca_ccel_log_status": "replay_success",
      "vcca_cvm_token_hash_alg": "sha-256"
    },
    "iat": 1755672484,
    "exp": 1756272484,
    "iss": "iss",
    "jti": "6d981d6b-7fae-479b-9fd5-ea6395f3b2ae",
    "ver": "1.0",
    "nbf": 1755672484,
    "eat_profile": "eat_profile"
  },
  "token_header": {
    "typ": "JWT",
    "alg": "RS256",
    "jku": "jku",
    "kid": "kid"
  }
}
```

### 3.6 API key registration

Endpoint: `GET /global-trust-authority/service/v1/register`

Function: register or refresh API keys.

Authentication:

- With no authentication information, a new credential set is generated.
- With `User-Id` and `API-Key` supplied, the credentials are refreshed after verification.

API-Key prefix:

- `m.` (main key): refreshes the key and the salt
- `s.` (sub key): refreshes only the sub key

Response example:

```json
{
  "User-Id": "1d7f7ceb-edf2-443d-8c03-ceeb9d9ead85",
  "Main-API-Key": "m.N7r6cL3dZPZHjGhNQo5XqGjzdfK43Hhx",
  "Sub-API-Key": "s.HUmsAsUhNVR18qSxMTNDezyCRIUFGn5E"
}
```

## 4. Remote attestation workflow

### 4.1 Complete attestation flow

1. The client requests a nonce
2. The Agent collects hardware evidence
3. The evidence is sent to the Service
4. The Service verifies the evidence
5. Policies are applied to the verification
6. An attestation token is generated
7. The token is returned to the client

### 4.2 Supported attestation types

| Attestation type | Description | Scenario |
|---|---|---|
| `tpm_boot` | TPM boot attestation | System boot integrity verification |
| `tpm` | Standard TPM attestation | General-purpose TPM attestation |
| `tpm_ima` | TPM IMA attestation | Integrity Measurement Architecture |
| `virt_cca` | Virtual CCA attestation | Confidential computing attestation |
| `ascend_npu` | Ascend NPU attestation | AI accelerator attestation |
| `itrustee` | iTrustee attestation | Trusted execution environment |
| `cca` | CCA attestation | Confidential Compute Architecture |
| `dice` | DICE attestation | Device Identifier Composition Engine |

### 4.3 Token formats

#### 4.3.1 EAT format (Entity Attestation Token)

```json
{
  "nonce_type": "verifier",
  "intuse": "generic",
  "ueid": "<device unique identifier>",
  "secure_boot": true,
  "dbgstat": "disabled",
  "matched_policy": [...],
  "unmatched_policy": [...],
  "status": "pass",
  "tpm_boot": {
    "attestation_status": "pass",
    "policy_info": [...],
    "raw_evidence": {...},
    "mode": "host"
  }
}
```

#### 4.3.2 EAR format (Entity Attestation Result)

```json
{
  "matched_policy": [...],
  "unmatched_policy": [...],
  "ueid": "<device unique identifier>",
  "secure_boot": true,
  "dbgstat": "disabled",
  "ear.verifier-id": {
    "developer": "gta",
    "version": "1.0"
  },
  "submods": [
    {
      "tpm_boot": {
        "ear.status": "affirming",
        "ear.trustworthiness-vector": [...],
        "ear.appraisal-policy-id": "policy_id",
        "mode": "host"
      }
    }
  ],
  "status": "pass"
}
```
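The seven steps of 4.1 map onto four HTTP calls: the challenge endpoint (3.3.1), the Agent's evidences endpoint (2.2), the attest endpoint (3.3.2) and, before a relying party trusts the result, the token/verify endpoint (3.5). The code below drives that sequence against a stand-in transport so it runs offline; it is an added example, not the GTA client. `FakeTransport` is constructed from the response shapes shown above, the assumption that `/attest` returns its token under a `"token"` key is this example's own (the reference does not show that response), and the checks in `check_verify_response` (expected `nonce_type`, `nbf`/`exp` window, `alg`) are relying-party policy rather than anything GTA prescribes.

```python
"""Run the attestation flow of section 4.1 against a stand-in transport.

Added example, not the GTA client. Paths and body shapes follow sections 2.2,
3.3, 3.3.2 and 3.5; FakeTransport is constructed for offline use. The "token"
key in the attest response is an assumption, and the relying-party checks in
check_verify_response are this example's own policy.
"""
import time

SERVICE = "/global-trust-authority/service/v1"
AGENT = "/global-trust-authority/agent/v1"


class FakeTransport:
    """Answers with the documented response shapes and records every call made."""

    def __init__(self, now):
        self.now = now
        self.calls = []

    def get(self, path):
        self.calls.append(("GET", path))
        if path == f"{SERVICE}/challenge":                      # 3.3.1 shape
            return {"service_version": "1.0", "nonce": "constructed-nonce"}
        raise KeyError(path)

    def post(self, path, body):
        self.calls.append(("POST", path))
        if path == f"{AGENT}/evidences":                        # 2.2 -> report of 3.3.2
            return {"agent_version": "0.1.0", "measurements": [{
                "node_id": "TPM AK", "nonce_type": body["nonce_type"],
                "token_fmt": body["token_fmt"],
                "evidences": [{"attester_type": "tpm_boot", "evidence": {}}]}]}
        if path == f"{SERVICE}/attest":                         # assumed response key
            return {"token": "constructed.jwt.placeholder"}
        if path == f"{SERVICE}/token/verify":                   # 3.5 shape
            return {"verification_pass": True,
                    "token_body": {"nonce_type": "verifier", "iat": self.now,
                                   "nbf": self.now, "exp": self.now + 600000},
                    "token_header": {"typ": "JWT", "alg": "RS256"}}
        raise KeyError(path)


def check_verify_response(resp, now, expected_nonce_type="verifier"):
    """Relying-party checks on the token/verify response; returns the failures found."""
    problems = []
    if resp.get("verification_pass") is not True:
        problems.append("verification_pass is not true")
    body = resp.get("token_body", {})
    if body.get("nbf", 0) > now:
        problems.append("token not yet valid (nbf is in the future)")
    if body.get("exp", 0) <= now:
        problems.append("token expired")
    # A token issued with nonce_type "ignore" carries no freshness guarantee.
    if body.get("nonce_type") != expected_nonce_type:
        problems.append(f"nonce_type {body.get('nonce_type')!r} is not {expected_nonce_type!r}")
    if resp.get("token_header", {}).get("alg") != "RS256":
        problems.append("unexpected signing algorithm")
    return problems


def attest_and_verify(transport, now, attester_type="tpm_boot", token_fmt="eat"):
    """Steps 1-7 of section 4.1 followed by a verify call; returns (token, problems)."""
    nonce = transport.get(f"{SERVICE}/challenge")["nonce"]                 # 1. request nonce
    report = transport.post(f"{AGENT}/evidences", {                        # 2. collect evidence
        "attesters": [{"attester_type": attester_type, "log_types": ["boot_log"]}],
        "nonce_type": "verifier", "nonce": nonce, "token_fmt": token_fmt})
    token = transport.post(f"{SERVICE}/attest", report)["token"]          # 3-7. report, verify, token
    verdict = transport.post(f"{SERVICE}/token/verify", {"token": token})  # 3.5: check before trusting
    return token, check_verify_response(verdict, now)


if __name__ == "__main__":
    now = int(time.time())
    transport = FakeTransport(now)
    token, problems = attest_and_verify(transport, now)
    print(token, "OK" if not problems else problems)
    for method, path in transport.calls:
        print(method, path)
```

Swapping `FakeTransport` for a real HTTP client means implementing the same `get`/`post` interface with the headers from section 1.1; the ordering of calls and the post-verification checks stay the same.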
## 5. Best practices and development guide

### 5.1 Error handling

The GTA API uses standard HTTP status codes:

| Status code | Description | Suggested handling |
|---|---|---|
| 200 | Success | Process the response normally |
| 400 | Bad request parameters | Check the request parameter format |
| 401 | Authentication failed | Check the API-Key and User-Id |
| 403 | Insufficient permission | Check the user's permissions |
| 404 | Resource not found | Check the resource ID |
| 429 | Too many requests | Wait and retry |
| 500 | Internal server error | Contact the administrator |

### 5.2 Performance recommendations

- Connection reuse: use an HTTP connection pool to reduce connection setup overhead
- Batch operations: query and update in batches to reduce the number of requests
- Caching: cache frequently accessed certificates and policies
- Asynchronous processing: use asynchronous calls for time-consuming operations

### 5.3 Security considerations

- Key management: rotate API keys regularly
- Transport security: always use HTTPS
- Input validation: validate every input parameter
- Logging: record key operations in logs
- Access control: apply the principle of least privilege

### 5.4 Code examples

Python example: obtaining an attestation token

```python
import requests


def get_attestation_token(agent_url, user_id, api_key):
    """Request an EAT token for a tpm_boot attester from the Agent API (section 2.1)."""
    headers = {
        "Content-Type": "application/json",
        "User-Id": user_id,
        "API-Key": api_key,
    }
    payload = {
        "attester_info": [
            {
                "attester_type": "tpm_boot",
                "policy_ids": [],
            }
        ],
        "challenge": True,
        "token_fmt": "eat",
    }
    response = requests.post(
        f"{agent_url}/global-trust-authority/agent/v1/tokens",
        headers=headers,
        json=payload,
    )
    if response.status_code == 200:
        return response.json()["token"]
    else:
        raise Exception(f"Failed to get token: {response.text}")
```

Go example: verifying an attestation token

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// verifyToken posts the token to the Service API (section 3.5) and returns
// the verification_pass flag from the response. The required User-Id header
// (section 1.1) is left to the caller's deployment to supply.
func verifyToken(serviceURL, token string) (bool, error) {
	payload := map[string]string{
		"token": token,
	}
	jsonData, err := json.Marshal(payload)
	if err != nil {
		return false, err
	}
	req, err := http.NewRequest("POST", serviceURL+"/global-trust-authority/service/v1/token/verify", bytes.NewBuffer(jsonData))
	if err != nil {
		return false, err
	}
	req.Header.Set("Content-Type", "application/json")
	client := &http.Client{}
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	var result map[string]interface{}
	// Decode needs a pointer; decoding into a nil map value would fail.
	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
		return false, err
	}
	if verificationPass, ok := result["verification_pass"].(bool); ok {
		return verificationPass, nil
	}
	return false, fmt.Errorf("verification failed")
}
```

## 6. API response times and limits

### 6.1 Performance figures

| Interface type | Average response time | Maximum concurrency | Rate limit |
|---|---|---|---|
| Token retrieval | < 500 ms | 100 | 100 requests/minute |
| Evidence collection | 1-5 s | 50 | 50 requests/minute |
| Attestation verification | < 1 s | 200 | 200 requests/minute |
| Management operations | < 2 s | 50 | 50 requests/minute |

### 6.2 Limits

- Request size: a single request is at most 10 MB
- Policy size: a single policy is at most 500 KB
- Certificate size: a single certificate is at most 1 MB
- Batch operations: a batch query supports at most 10 IDs

## 7. Troubleshooting

### 7.1 Common problems

Authentication failures:

- Check that the API-Key format is correct
- Confirm that the User-Id matches the API-Key
- Check whether the key has expired

Evidence verification failures:

- Check that the attester type is supported
- Check that the reference value configuration is correct
- Confirm that the policy configuration matches

Performance problems:

- Check the quality of the network connection
- Check the server's load
- Confirm that the client has sufficient resources

### 7.2 Debugging tips

- Enable verbose logging
- Use Request-Id to trace requests
- Verify the flow step by step
- Inspect intermediate state
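The status-code table in 5.1 and the limits in 6.2 translate directly into client behaviour: retry only on 429 and 500, fail fast on the 4xx codes whose fix is on the caller's side, refuse to send a body over 10 MB, and split reference value queries into batches of at most 10 IDs. The code below is an added example, not GTA client code. The `send` callable is injected (it returns `(status_code, parsed_body)`) so the logic runs offline; the backoff schedule, the comma-separated `ids` form for batch queries and the `ref_value` response being a JSON list are assumptions of this example, since the reference shows only a single-ID query.

```python
"""Client-side handling of the status codes in 5.1 and the limits in 6.2.

Added example, not GTA client code. send(method, path, payload) is injected
and returns (status_code, parsed_body). Assumed: the backoff schedule, the
comma-separated ids form for batch queries, and a JSON list response.
"""
import json
import time

MAX_BATCH_IDS = 10                    # 6.2: at most 10 IDs per batch query
MAX_REQUEST_BYTES = 10 * 1024 * 1024  # 6.2: at most 10 MB per request
RETRYABLE = {429, 500}                # 5.1: wait and retry / server-side error
ADVICE = {                            # 5.1: what to check when a call fails
    400: "check the request parameter format",
    401: "check API-Key and User-Id",
    403: "check user permissions",
    404: "check the resource ID",
    429: "wait and retry",
    500: "contact the administrator",
}


class GtaError(Exception):
    """Raised when a request cannot succeed or retries are exhausted."""


def send_with_retry(send, method, path, body=None, attempts=3, sleep=time.sleep):
    """Send once; retry only on 429/500 with exponential backoff (assumed 1 s, 2 s, ...)."""
    payload = json.dumps(body).encode() if body is not None else b""
    if len(payload) > MAX_REQUEST_BYTES:
        raise GtaError("request body exceeds the 10 MB limit")
    delay = 1.0
    for attempt in range(1, attempts + 1):
        status, data = send(method, path, payload)
        if status == 200:
            return data
        hint = ADVICE.get(status, "unexpected status")
        if status in RETRYABLE and attempt < attempts:
            sleep(delay)
            delay *= 2
            continue
        raise GtaError(f"{method} {path} failed with {status} after {attempt} attempt(s): {hint}")


def chunk_ids(ids, size=MAX_BATCH_IDS):
    """Split an id list into batches of the size the service accepts."""
    return [ids[i:i + size] for i in range(0, len(ids), size)]


def query_ref_values(send, ids):
    """Fetch reference values for any number of ids, at most ten per request."""
    results = []
    for chunk in chunk_ids(ids):
        path = "/global-trust-authority/service/v1/ref_value?ids=" + ",".join(chunk)
        results.extend(send_with_retry(send, "GET", path))
    return results


if __name__ == "__main__":
    # Constructed transport: the first two calls are rate limited, the third succeeds.
    outcomes = iter([(429, None), (429, None), (200, [{"id": "constructed-id"}])])

    def demo_send(method, path, payload):
        return next(outcomes)

    print(send_with_retry(demo_send, "GET", "/global-trust-authority/service/v1/ref_value?ids=x",
                          sleep=lambda s: print(f"backing off {s:.0f}s")))
```

Keeping the 4xx codes out of the retry set matters as much as retrying 429: resending a request that failed with 401 or 403 only adds noise to the server's audit log and never succeeds until the credentials or permissions are fixed.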
## 8. Monitoring and alerting

### 8.1 Key metrics

| Metric | Threshold | Alert level |
|---|---|---|
| API success rate | below 99% | warning |
| Average response time | above 2 s | warning |
| Error rate | above 1% | critical |
| Concurrent connections | above 80% | warning |

### 8.2 Health checks

```bash
# Check service status
curl -X GET https://gta-service:8080/health

# Check the database connection
curl -X GET https://gta-service:8080/health/db

# Check cache status
curl -X GET https://gta-service:8080/health/cache
```

## Summary

The Global Trust Authority API provides a complete remote attestation solution that supports multiple hardware attestation types and flexible verification policies. With the guide above you can get started quickly and integrate GTA into your trusted computing applications.

Core advantages:

- ✅ A unified attestation framework
- ✅ Support for multiple hardware platforms
- ✅ Flexible verification policies
- ✅ Standardized token formats
- ✅ Comprehensive security mechanisms

Get started with Global Trust Authority and build a trusted computing environment for your applications.

Creation statement: parts of this article were produced with AI assistance (AIGC) and are provided for reference only.