This is an automated email from the ASF dual-hosted git repository.
mssun pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git
The following commit(s) were added to refs/heads/develop by this push:
new 7696710 [services] Use config with verifier for services to enable
mutual attestation
7696710 is described below
commit 7696710d11522a717db519c31209dbbe2032a755
Author: Mingshen Sun <[email protected]>
AuthorDate: Mon Feb 10 14:55:19 2020 -0800
[services] Use config with verifier for services to enable mutual
attestation
---
attestation/src/verifier.rs | 7 ++++
services/access_control/enclave/src/lib.rs | 33 +++++++++++++++++--
services/authentication/enclave/src/lib.rs | 24 +++++---------
services/management/enclave/src/lib.rs | 53 +++++++++++++++++++++---------
services/storage/enclave/src/lib.rs | 39 ++++++++++++++++++----
5 files changed, 116 insertions(+), 40 deletions(-)
diff --git a/attestation/src/verifier.rs b/attestation/src/verifier.rs
index 4648762..8c94887 100644
--- a/attestation/src/verifier.rs
+++ b/attestation/src/verifier.rs
@@ -28,6 +28,7 @@ pub struct AttestationReportVerifier {
}
pub fn universal_quote_verifier(report: &AttestationReport) -> bool {
+ debug!("report.sgx_quote_status: {:?}", report.sgx_quote_status);
report.sgx_quote_status != crate::report::SgxQuoteStatus::UnknownBadStatus
}
@@ -93,6 +94,7 @@ impl rustls::ServerCertVerifier for AttestationReportVerifier
{
_ocsp: &[u8],
) -> std::result::Result<rustls::ServerCertVerified, rustls::TLSError> {
// This call automatically verifies certificate signature
+ debug!("verify server cert");
if certs.len() != 1 {
return Err(rustls::TLSError::NoCertificatesPresented);
}
@@ -107,6 +109,10 @@ impl rustls::ServerCertVerifier for
AttestationReportVerifier {
}
impl rustls::ClientCertVerifier for AttestationReportVerifier {
+ fn offer_client_auth(&self) -> bool {
+ !cfg!(test_mode)
+ }
+
fn client_auth_root_subjects(&self) -> rustls::DistinguishedNames {
rustls::DistinguishedNames::new()
}
@@ -116,6 +122,7 @@ impl rustls::ClientCertVerifier for
AttestationReportVerifier {
certs: &[rustls::Certificate],
) -> std::result::Result<rustls::ClientCertVerified, rustls::TLSError> {
// This call automatically verifies certificate signature
+ debug!("verify client cert");
if certs.len() != 1 {
return Err(rustls::TLSError::NoCertificatesPresented);
}
diff --git a/services/access_control/enclave/src/lib.rs
b/services/access_control/enclave/src/lib.rs
index 294e93a..3f4e947 100644
--- a/services/access_control/enclave/src/lib.rs
+++ b/services/access_control/enclave/src/lib.rs
@@ -24,19 +24,20 @@ extern crate sgx_tstd as std;
extern crate log;
use std::prelude::v1::*;
-use teaclave_attestation::{AttestationConfig, RemoteAttestation};
+use teaclave_attestation::{verifier, AttestationConfig, RemoteAttestation};
use teaclave_binder::proto::{
ECallCommand, FinalizeEnclaveInput, FinalizeEnclaveOutput,
InitEnclaveInput, InitEnclaveOutput,
StartServiceInput, StartServiceOutput,
};
use teaclave_binder::{handle_ecall, register_ecall_handler};
+use teaclave_config::BUILD_CONFIG;
use teaclave_proto::teaclave_access_control_service::{
TeaclaveAccessControlRequest, TeaclaveAccessControlResponse,
};
use teaclave_rpc::config::SgxTrustedTlsServerConfig;
use teaclave_rpc::server::SgxTrustedTlsServer;
use teaclave_service_enclave_utils::ServiceEnclave;
-use teaclave_types::{TeeServiceError, TeeServiceResult};
+use teaclave_types::{EnclaveInfo, TeeServiceError, TeeServiceResult};
mod acs;
mod service;
@@ -51,9 +52,35 @@ fn start_service(args: &StartServiceInput) ->
anyhow::Result<()> {
&as_config.spid,
))
.unwrap();
- let config = SgxTrustedTlsServerConfig::new_without_verifier(
+ let enclave_info = EnclaveInfo::verify_and_new(
+ args.config
+ .audit
+ .enclave_info_bytes
+ .as_ref()
+ .expect("enclave_info"),
+ BUILD_CONFIG.auditor_public_keys,
+ args.config
+ .audit
+ .auditor_signatures_bytes
+ .as_ref()
+ .expect("auditor signatures"),
+ )?;
+ let accepted_enclave_attrs: Vec<teaclave_types::EnclaveAttr> = BUILD_CONFIG
+ .inbound
+ .access_control
+ .iter()
+ .map(|service| {
+ enclave_info
+ .get_enclave_attr(service)
+ .expect("enclave_info")
+ })
+ .collect();
+ let config =
SgxTrustedTlsServerConfig::new_with_attestation_report_verifier(
+ accepted_enclave_attrs,
&attestation.cert,
&attestation.private_key,
+ BUILD_CONFIG.as_root_ca_cert,
+ verifier::universal_quote_verifier,
)
.unwrap();
diff --git a/services/authentication/enclave/src/lib.rs
b/services/authentication/enclave/src/lib.rs
index b2b337b..2bd5d7e 100644
--- a/services/authentication/enclave/src/lib.rs
+++ b/services/authentication/enclave/src/lib.rs
@@ -27,8 +27,7 @@ use rand::RngCore;
use std::prelude::v1::*;
use std::sync::Arc;
use std::thread;
-use teaclave_attestation::verifier;
-use teaclave_attestation::{AttestationConfig, RemoteAttestation};
+use teaclave_attestation::{verifier, AttestationConfig, RemoteAttestation};
use teaclave_binder::proto::{
ECallCommand, FinalizeEnclaveInput, FinalizeEnclaveOutput,
InitEnclaveInput, InitEnclaveOutput,
StartServiceInput, StartServiceOutput,
@@ -56,19 +55,14 @@ fn start_internal_endpoint(
attestation: Arc<RemoteAttestation>,
accepted_enclave_attrs: Vec<teaclave_types::EnclaveAttr>,
) {
- let config = if cfg!(test_mode) {
- SgxTrustedTlsServerConfig::new_without_verifier(&attestation.cert,
&attestation.private_key)
- .unwrap()
- } else {
- SgxTrustedTlsServerConfig::new_with_attestation_report_verifier(
- accepted_enclave_attrs,
- &attestation.cert,
- &attestation.private_key,
- BUILD_CONFIG.as_root_ca_cert,
- verifier::universal_quote_verifier,
- )
- .unwrap()
- };
+ let config =
SgxTrustedTlsServerConfig::new_with_attestation_report_verifier(
+ accepted_enclave_attrs,
+ &attestation.cert,
+ &attestation.private_key,
+ BUILD_CONFIG.as_root_ca_cert,
+ verifier::universal_quote_verifier,
+ )
+ .unwrap();
let mut server = SgxTrustedTlsServer::<
TeaclaveAuthenticationInternalResponse,
diff --git a/services/management/enclave/src/lib.rs
b/services/management/enclave/src/lib.rs
index d911849..1d78230 100644
--- a/services/management/enclave/src/lib.rs
+++ b/services/management/enclave/src/lib.rs
@@ -24,8 +24,7 @@ extern crate sgx_tstd as std;
extern crate log;
use std::prelude::v1::*;
-use teaclave_attestation::verifier;
-use teaclave_attestation::{AttestationConfig, RemoteAttestation};
+use teaclave_attestation::{verifier, AttestationConfig, RemoteAttestation};
use teaclave_binder::proto::{
ECallCommand, FinalizeEnclaveInput, FinalizeEnclaveOutput,
InitEnclaveInput, InitEnclaveOutput,
StartServiceInput, StartServiceOutput,
@@ -35,12 +34,11 @@ use teaclave_config::BUILD_CONFIG;
use teaclave_proto::teaclave_management_service::{
TeaclaveManagementRequest, TeaclaveManagementResponse,
};
-use teaclave_rpc::config::SgxTrustedTlsClientConfig;
-use teaclave_rpc::config::SgxTrustedTlsServerConfig;
+use teaclave_rpc::config::{SgxTrustedTlsClientConfig,
SgxTrustedTlsServerConfig};
use teaclave_rpc::endpoint::Endpoint;
use teaclave_rpc::server::SgxTrustedTlsServer;
use teaclave_service_enclave_utils::ServiceEnclave;
-use teaclave_types::{TeeServiceError, TeeServiceResult};
+use teaclave_types::{EnclaveInfo, TeeServiceError, TeeServiceResult};
mod file;
mod fusion_data;
mod service;
@@ -55,34 +53,57 @@ fn start_service(args: &StartServiceInput) ->
anyhow::Result<()> {
&as_config.spid,
))
.unwrap();
- let config = SgxTrustedTlsServerConfig::new_without_verifier(
+ let enclave_info = EnclaveInfo::verify_and_new(
+ args.config
+ .audit
+ .enclave_info_bytes
+ .as_ref()
+ .expect("enclave_info"),
+ BUILD_CONFIG.auditor_public_keys,
+ args.config
+ .audit
+ .auditor_signatures_bytes
+ .as_ref()
+ .expect("auditor signatures"),
+ )?;
+ let accepted_enclave_attrs: Vec<teaclave_types::EnclaveAttr> = BUILD_CONFIG
+ .inbound
+ .management
+ .iter()
+ .map(|service| {
+ enclave_info
+ .get_enclave_attr(service)
+ .expect("enclave_info")
+ })
+ .collect();
+ let config =
SgxTrustedTlsServerConfig::new_with_attestation_report_verifier(
+ accepted_enclave_attrs,
&attestation.cert,
&attestation.private_key,
+ BUILD_CONFIG.as_root_ca_cert,
+ verifier::universal_quote_verifier,
)
.unwrap();
-
let mut server =
SgxTrustedTlsServer::<TeaclaveManagementResponse,
TeaclaveManagementRequest>::new(
listen_address,
&config,
);
- let enclave_info = teaclave_types::EnclaveInfo::from_bytes(
- &args.config.audit.enclave_info_bytes.as_ref().unwrap(),
- );
- let enclave_attr = enclave_info
+ let storage_service_enclave_attrs = enclave_info
.get_enclave_attr("teaclave_storage_service")
- .expect("storage");
- let config = SgxTrustedTlsClientConfig::new()
- .client_cert(&attestation.cert, &attestation.private_key)
+ .expect("enclave_info");
+ let storage_service_client_config = SgxTrustedTlsClientConfig::new()
.attestation_report_verifier(
- vec![enclave_attr],
+ vec![storage_service_enclave_attrs],
BUILD_CONFIG.as_root_ca_cert,
verifier::universal_quote_verifier,
);
+
let storage_service_address =
&args.config.internal_endpoints.storage.advertised_address;
- let storage_service_endpoint =
Endpoint::new(storage_service_address).config(config);
+ let storage_service_endpoint =
+
Endpoint::new(storage_service_address).config(storage_service_client_config);
let service =
service::TeaclaveManagementService::new(storage_service_endpoint)?;
match server.start(service) {
diff --git a/services/storage/enclave/src/lib.rs
b/services/storage/enclave/src/lib.rs
index 990bcf6..cddaba5 100644
--- a/services/storage/enclave/src/lib.rs
+++ b/services/storage/enclave/src/lib.rs
@@ -30,21 +30,22 @@ use teaclave_binder::proto::{
};
use teaclave_binder::{handle_ecall, register_ecall_handler};
use teaclave_service_enclave_utils::ServiceEnclave;
-use teaclave_types::{TeeServiceError, TeeServiceResult};
+use teaclave_types::{EnclaveInfo, TeeServiceError, TeeServiceResult};
use rusty_leveldb::DB;
-use teaclave_attestation::{AttestationConfig, RemoteAttestation};
+use teaclave_attestation::{verifier, AttestationConfig, RemoteAttestation};
+use teaclave_config::BUILD_CONFIG;
use teaclave_proto::teaclave_storage_service::{TeaclaveStorageRequest,
TeaclaveStorageResponse};
use teaclave_rpc::config::SgxTrustedTlsServerConfig;
use teaclave_rpc::server::SgxTrustedTlsServer;
-mod proxy;
-mod service;
-
use std::cell::RefCell;
use std::sync::mpsc::channel;
use std::thread;
+mod proxy;
+mod service;
+
fn start_service(args: &StartServiceInput) -> anyhow::Result<()> {
let listen_address = args.config.internal_endpoints.storage.listen_address;
let as_config = &args.config.attestation;
@@ -55,9 +56,35 @@ fn start_service(args: &StartServiceInput) ->
anyhow::Result<()> {
&as_config.spid,
))
.unwrap();
- let config = SgxTrustedTlsServerConfig::new_without_verifier(
+ let enclave_info = EnclaveInfo::verify_and_new(
+ args.config
+ .audit
+ .enclave_info_bytes
+ .as_ref()
+ .expect("enclave_info"),
+ BUILD_CONFIG.auditor_public_keys,
+ args.config
+ .audit
+ .auditor_signatures_bytes
+ .as_ref()
+ .expect("auditor signatures"),
+ )?;
+ let accepted_enclave_attrs: Vec<teaclave_types::EnclaveAttr> = BUILD_CONFIG
+ .inbound
+ .storage
+ .iter()
+ .map(|service| {
+ enclave_info
+ .get_enclave_attr(service)
+ .expect("enclave_info")
+ })
+ .collect();
+ let config =
SgxTrustedTlsServerConfig::new_with_attestation_report_verifier(
+ accepted_enclave_attrs,
&attestation.cert,
&attestation.private_key,
+ BUILD_CONFIG.as_root_ca_cert,
+ verifier::universal_quote_verifier,
)
.unwrap();
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
