mssun pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git
The following commit(s) were added to refs/heads/develop by this push:
new 82bd31c [attestation] Introduce AttestedTlsConfig to simplify
attestation
82bd31c is described below
commit 82bd31c31455f98f9f6db0ebc7420696318fcf7d
Author: Mingshen Sun <[email protected]>
AuthorDate: Fri Feb 21 16:33:57 2020 -0800
[attestation] Introduce AttestedTlsConfig to simplify attestation
---
attestation/src/attestation.rs | 42 ++++++++++++++++++++----------
attestation/src/lib.rs | 7 +++++
rpc/src/config.rs | 9 +++++++
services/access_control/enclave/src/lib.rs | 8 +++---
services/authentication/enclave/src/lib.rs | 35 +++++++++++++++----------
services/execution/enclave/src/lib.rs | 8 +++---
services/frontend/enclave/src/lib.rs | 14 +++++-----
services/management/enclave/src/lib.rs | 10 ++++---
services/storage/enclave/src/lib.rs | 8 +++---
9 files changed, 93 insertions(+), 48 deletions(-)
diff --git a/attestation/src/attestation.rs b/attestation/src/attestation.rs
index 0130fcd..0137c65 100644
--- a/attestation/src/attestation.rs
+++ b/attestation/src/attestation.rs
@@ -1,5 +1,6 @@
use crate::key;
use crate::AttestationConfig;
+use crate::AttestedTlsConfig;
use crate::EndorsedAttestationReport;
use anyhow::Result;
use std::prelude::v1::*;
@@ -7,19 +8,35 @@ use std::time::{self, SystemTime};
use std::untrusted::time::SystemTimeEx;
const ATTESTATION_VALIDITY_SECS: u64 = 86400u64;
+const CERT_ISSUER: &str = "Teaclave";
+const CERT_SUBJECT: &str = "CN=Teaclave";
pub struct RemoteAttestation {
- pub time: SystemTime,
- pub validity: time::Duration,
- pub cert: Vec<u8>,
- pub private_key: Vec<u8>,
pub config: AttestationConfig,
}
+impl Default for RemoteAttestation {
+ fn default() -> Self {
+ let config = AttestationConfig::NoAttestation;
+ Self { config }
+ }
+}
+
impl RemoteAttestation {
- pub fn generate_and_endorse(config: AttestationConfig) -> Result<Self> {
+ pub fn new() -> Self {
+ Self::default()
+ }
+
+ pub fn config(mut self, config: AttestationConfig) -> Self {
+ self.config = config;
+ Self {
+ config: self.config,
+ }
+ }
+
+ pub fn generate_and_endorse(&self) -> Result<AttestedTlsConfig> {
let key_pair = key::Secp256k1KeyPair::new()?;
- let report = match &config {
+ let report = match &self.config {
AttestationConfig::NoAttestation =>
EndorsedAttestationReport::default(),
AttestationConfig::WithAttestation(config) => {
EndorsedAttestationReport::new(&config, key_pair.pub_k)?
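Review bot: `RemoteAttestation::default()` and `new()` start from `AttestationConfig::NoAttestation`, so a caller that forgets `.config(...)` still gets a usable certificate from `generate_and_endorse()`, built around `EndorsedAttestationReport::default()` rather than an endorsed report. Every call site in this commit passes a config, so the constructor could take it up front and make the unattested path an explicit choice: `pub fn new(config: AttestationConfig) -> Self { Self { config } }`. If the default is kept, a doc comment on `new()` should state that no attestation happens until `.config(...)` is called. Separately, `config()` assigns `self.config` and then rebuilds `Self` from it; `self.config = config; self` is enough. The body of `generate_and_endorse` continues past this hunk.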
@@ -27,21 +44,18 @@ impl RemoteAttestation {
};
let cert_extension = serde_json::to_vec(&report)?;
-
- let issuer = "Teaclave";
- let subject = "CN=Teaclave";
- let cert_der = key_pair.create_cert_with_extension(issuer, subject,
&cert_extension);
+ let cert_der =
+ key_pair.create_cert_with_extension(CERT_ISSUER, CERT_SUBJECT,
&cert_extension);
let prv_key_der = key_pair.private_key_into_der();
let time = SystemTime::now();
let validity = time::Duration::from_secs(ATTESTATION_VALIDITY_SECS);
- Ok(Self {
- time,
- validity,
+ Ok(AttestedTlsConfig {
cert: cert_der,
private_key: prv_key_der,
- config,
+ time,
+ validity,
})
}
}
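Review bot: `generate_and_endorse` now returns a different type but has no doc comment saying what the caller receives or how far `time` and `validity` can be trusted. `time` is read with `SystemTime::now()`, and the file imports `std::untrusted::time::SystemTimeEx` (visible in the previous hunk), so the 86400-second window is presumably anchored to a host-supplied clock rather than a trusted one. I would add a `///` block stating that each call generates a fresh key pair, passes its public key to `EndorsedAttestationReport::new`, embeds the serialized report as a certificate extension, and that `time`/`validity` are advisory unless the consumer checks them against its own time source. The function starts in the previous hunk.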
diff --git a/attestation/src/lib.rs b/attestation/src/lib.rs
index 11e13a5..d9c5ac0 100644
--- a/attestation/src/lib.rs
+++ b/attestation/src/lib.rs
@@ -98,6 +98,13 @@ pub(crate) struct EndorsedAttestationReport {
pub signing_cert: Vec<u8>,
}
+pub struct AttestedTlsConfig {
+ pub cert: Vec<u8>,
+ pub private_key: Vec<u8>,
+ pub time: std::time::SystemTime,
+ pub validity: std::time::Duration,
+}
+
#[macro_use]
mod cert;
pub mod report;
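Review bot: `AttestedTlsConfig` exposes the DER-encoded private key as a plain `pub private_key: Vec<u8>` with no documentation, and later hunks wrap the struct in an `Arc` and hand it to several threads. The type currently derives nothing, which is good, but nothing tells the next contributor to keep it that way. A doc comment on the struct would record the constraint: `/// TLS credentials bound to an attestation report. `private_key` is secret key material: do not log or serialize it, and do not derive `Debug` on this type.` The buffer is also not cleared when the value is dropped; whether that matters inside the enclave is a design decision worth stating next to the field.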
diff --git a/rpc/src/config.rs b/rpc/src/config.rs
index 7dddc04..361dad2 100644
--- a/rpc/src/config.rs
+++ b/rpc/src/config.rs
@@ -4,6 +4,7 @@ use std::prelude::v1::*;
use std::sync::Arc;
use teaclave_attestation::report::AttestationReport;
use teaclave_attestation::verifier::AttestationReportVerifier;
+use teaclave_attestation::AttestedTlsConfig;
use teaclave_types::EnclaveAttr;
pub struct SgxTrustedTlsServerConfig {
@@ -34,6 +35,10 @@ impl SgxTrustedTlsServerConfig {
})
}
+ pub fn from_attested_tls_config(attested_tls_config: &AttestedTlsConfig)
-> Result<Self> {
+ Self::new().server_cert(&attested_tls_config.cert,
&attested_tls_config.private_key)
+ }
+
pub fn attestation_report_verifier(
mut self,
accepted_enclave_attrs: Vec<EnclaveAttr>,
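Review bot: `from_attested_tls_config` takes the whole `AttestedTlsConfig` but reads only `cert` and `private_key`; the `time` and `validity` fields that travel with it are never consulted, so a config older than its validity window is accepted like a fresh one. The same applies to `SgxTrustedTlsClientConfig::from_attested_tls_config` in the next hunk, which returns `Self` and therefore has no way to report an expired config. Either compare `time + validity` with the current time here and return an error, or add a doc comment on both constructors saying that expiry is the caller's responsibility. Whether expiry is enforced elsewhere, for example by regenerating the config periodically, is not visible in this diff.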
@@ -126,4 +131,8 @@ impl SgxTrustedTlsClientConfig {
config: self.config,
}
}
+
+ pub fn from_attested_tls_config(attested_tls_config: &AttestedTlsConfig)
-> Self {
+ Self::new().client_cert(&attested_tls_config.cert,
&attested_tls_config.private_key)
+ }
}
diff --git a/services/access_control/enclave/src/lib.rs
b/services/access_control/enclave/src/lib.rs
index 0dca770..5c2c437 100644
--- a/services/access_control/enclave/src/lib.rs
+++ b/services/access_control/enclave/src/lib.rs
@@ -57,7 +57,10 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
&as_config.key,
&as_config.spid,
);
- let attestation =
RemoteAttestation::generate_and_endorse(attestation_config).unwrap();
+ let attested_tls_config = RemoteAttestation::new()
+ .config(attestation_config)
+ .generate_and_endorse()
+ .unwrap();
let enclave_info = EnclaveInfo::verify_and_new(
config
.audit
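Review bot: The new builder chain ends in `.unwrap()` although `start_service` returns `anyhow::Result<()>`, so a failed key generation or attestation request panics inside the enclave instead of reaching the caller as an error. `generate_and_endorse()` returns an `anyhow` `Result<AttestedTlsConfig>`, so the chain can end in `.generate_and_endorse()?;`. The same pattern appears in the `start_service` hunks for authentication (inside `Arc::new(...)`), execution, frontend, management and storage. `start_service` begins and ends outside this hunk.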
@@ -79,8 +82,7 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
.expect("enclave_info")
})
.collect();
- let server_config = SgxTrustedTlsServerConfig::new()
- .server_cert(&attestation.cert, &attestation.private_key)
+ let server_config =
SgxTrustedTlsServerConfig::from_attested_tls_config(&attested_tls_config)
.unwrap()
.attestation_report_verifier(
accepted_enclave_attrs,
diff --git a/services/authentication/enclave/src/lib.rs
b/services/authentication/enclave/src/lib.rs
index 79cb9f2..8c2453e 100644
--- a/services/authentication/enclave/src/lib.rs
+++ b/services/authentication/enclave/src/lib.rs
@@ -28,7 +28,7 @@ use std::prelude::v1::*;
use std::sync::Arc;
use std::thread;
-use teaclave_attestation::{verifier, AttestationConfig, RemoteAttestation};
+use teaclave_attestation::{verifier, AttestationConfig, AttestedTlsConfig,
RemoteAttestation};
use teaclave_binder::proto::{
ECallCommand, FinalizeEnclaveInput, FinalizeEnclaveOutput,
InitEnclaveInput, InitEnclaveOutput,
StartServiceInput, StartServiceOutput,
@@ -59,11 +59,10 @@ fn start_internal_endpoint(
addr: std::net::SocketAddr,
db_client: user_db::DbClient,
jwt_secret: Vec<u8>,
- attestation: Arc<RemoteAttestation>,
+ attested_tls_config: Arc<AttestedTlsConfig>,
accepted_enclave_attrs: Vec<teaclave_types::EnclaveAttr>,
) {
- let server_config = SgxTrustedTlsServerConfig::new()
- .server_cert(&attestation.cert, &attestation.private_key)
+ let server_config =
SgxTrustedTlsServerConfig::from_attested_tls_config(&attested_tls_config)
.unwrap()
.attestation_report_verifier(
accepted_enclave_attrs,
@@ -92,16 +91,15 @@ fn start_api_endpoint(
addr: std::net::SocketAddr,
db_client: user_db::DbClient,
jwt_secret: Vec<u8>,
- attestation: Arc<RemoteAttestation>,
+ attested_tls_config: Arc<AttestedTlsConfig>,
) {
- let config = SgxTrustedTlsServerConfig::new()
- .server_cert(&attestation.cert, &attestation.private_key)
- .unwrap();
+ let server_config =
+
SgxTrustedTlsServerConfig::from_attested_tls_config(&attested_tls_config).unwrap();
let mut server = SgxTrustedTlsServer::<
TeaclaveAuthenticationApiResponse,
TeaclaveAuthenticationApiRequest,
- >::new(addr, &config);
+ >::new(addr, &server_config);
let service =
api_service::TeaclaveAuthenticationApiService::new(db_client, jwt_secret);
@@ -144,18 +142,27 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
&as_config.key,
&as_config.spid,
);
- let attestation =
-
Arc::new(RemoteAttestation::generate_and_endorse(attestation_config).unwrap());
+ let attested_tls_config = Arc::new(
+ RemoteAttestation::new()
+ .config(attestation_config)
+ .generate_and_endorse()
+ .unwrap(),
+ );
let database = user_db::Database::open()?;
let mut api_jwt_secret = vec![0; user_info::JWT_SECRET_LEN];
let mut rng = rand::thread_rng();
rng.fill_bytes(&mut api_jwt_secret);
let internal_jwt_secret = api_jwt_secret.to_owned();
- let attestation_ref = attestation.clone();
+ let attested_tls_config_ref = attested_tls_config.clone();
let client = database.get_client();
let api_endpoint_thread_handler = thread::spawn(move || {
- start_api_endpoint(api_listen_address, client, api_jwt_secret,
attestation_ref);
+ start_api_endpoint(
+ api_listen_address,
+ client,
+ api_jwt_secret,
+ attested_tls_config_ref,
+ );
});
let client = database.get_client();
@@ -164,7 +171,7 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
internal_listen_address,
client,
internal_jwt_secret,
- attestation,
+ attested_tls_config,
accepted_enclave_attrs,
);
});
diff --git a/services/execution/enclave/src/lib.rs
b/services/execution/enclave/src/lib.rs
index ece089a..620433a 100644
--- a/services/execution/enclave/src/lib.rs
+++ b/services/execution/enclave/src/lib.rs
@@ -51,10 +51,12 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
&as_config.key,
&as_config.spid,
);
- let attestation =
RemoteAttestation::generate_and_endorse(attestation_config).unwrap();
- let server_config = SgxTrustedTlsServerConfig::new()
- .server_cert(&attestation.cert, &attestation.private_key)
+ let attested_tls_config = RemoteAttestation::new()
+ .config(attestation_config)
+ .generate_and_endorse()
.unwrap();
+ let server_config =
+
SgxTrustedTlsServerConfig::from_attested_tls_config(&attested_tls_config).unwrap();
let mut server =
SgxTrustedTlsServer::<TeaclaveExecutionResponse,
TeaclaveExecutionRequest>::new(
diff --git a/services/frontend/enclave/src/lib.rs
b/services/frontend/enclave/src/lib.rs
index 54cc1e3..f9b3681 100644
--- a/services/frontend/enclave/src/lib.rs
+++ b/services/frontend/enclave/src/lib.rs
@@ -55,10 +55,12 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
&as_config.key,
&as_config.spid,
);
- let attestation =
RemoteAttestation::generate_and_endorse(attestation_config).unwrap();
- let server_config = SgxTrustedTlsServerConfig::new()
- .server_cert(&attestation.cert, &attestation.private_key)
+ let attested_tls_config = RemoteAttestation::new()
+ .config(attestation_config)
+ .generate_and_endorse()
.unwrap();
+ let server_config =
+
SgxTrustedTlsServerConfig::from_attested_tls_config(&attested_tls_config).unwrap();
let mut server = SgxTrustedTlsServer::<TeaclaveFrontendResponse,
TeaclaveFrontendRequest>::new(
listen_address,
@@ -70,8 +72,7 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
let enclave_attr = enclave_info
.get_enclave_attr("teaclave_authentication_service")
.expect("authentication");
- let client_config = SgxTrustedTlsClientConfig::new()
- .client_cert(&attestation.cert, &attestation.private_key)
+ let client_config =
SgxTrustedTlsClientConfig::from_attested_tls_config(&attested_tls_config)
.attestation_report_verifier(
vec![enclave_attr],
AS_ROOT_CA_CERT,
@@ -85,8 +86,7 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
let enclave_attr = enclave_info
.get_enclave_attr("teaclave_management_service")
.expect("management");
- let client_config = SgxTrustedTlsClientConfig::new()
- .client_cert(&attestation.cert, &attestation.private_key)
+ let client_config =
SgxTrustedTlsClientConfig::from_attested_tls_config(&attested_tls_config)
.attestation_report_verifier(
vec![enclave_attr],
AS_ROOT_CA_CERT,
diff --git a/services/management/enclave/src/lib.rs
b/services/management/enclave/src/lib.rs
index ff44826..a245d7e 100644
--- a/services/management/enclave/src/lib.rs
+++ b/services/management/enclave/src/lib.rs
@@ -55,13 +55,16 @@ const INBOUND_SERVICES: &[&str; INBOUND_SERVICES_LEN] =
BUILD_CONFIG.inbound.man
fn start_service(config: &RuntimeConfig) -> anyhow::Result<()> {
let listen_address = config.internal_endpoints.management.listen_address;
let as_config = &config.attestation;
- let attesation_config = AttestationConfig::new(
+ let attestation_config = AttestationConfig::new(
&as_config.algorithm,
&as_config.url,
&as_config.key,
&as_config.spid,
);
- let attestation =
RemoteAttestation::generate_and_endorse(attesation_config).unwrap();
+ let attested_tls_config = RemoteAttestation::new()
+ .config(attestation_config)
+ .generate_and_endorse()
+ .unwrap();
let enclave_info = EnclaveInfo::verify_and_new(
config
.audit
@@ -83,8 +86,7 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
.expect("enclave_info")
})
.collect();
- let server_config = SgxTrustedTlsServerConfig::new()
- .server_cert(&attestation.cert, &attestation.private_key)
+ let server_config =
SgxTrustedTlsServerConfig::from_attested_tls_config(&attested_tls_config)
.unwrap()
.attestation_report_verifier(
accepted_enclave_attrs,
diff --git a/services/storage/enclave/src/lib.rs
b/services/storage/enclave/src/lib.rs
index f20bf96..abdd417 100644
--- a/services/storage/enclave/src/lib.rs
+++ b/services/storage/enclave/src/lib.rs
@@ -60,7 +60,10 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
&as_config.key,
&as_config.spid,
);
- let attestation =
RemoteAttestation::generate_and_endorse(attestation_config).unwrap();
+ let attested_tls_config = RemoteAttestation::new()
+ .config(attestation_config)
+ .generate_and_endorse()
+ .unwrap();
let enclave_info = EnclaveInfo::verify_and_new(
config
.audit
@@ -82,8 +85,7 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
.expect("enclave_info")
})
.collect();
- let server_config = SgxTrustedTlsServerConfig::new()
- .server_cert(&attestation.cert, &attestation.private_key)
+ let server_config =
SgxTrustedTlsServerConfig::from_attested_tls_config(&attested_tls_config)
.unwrap()
.attestation_report_verifier(
accepted_enclave_attrs,