This is an automated email from the ASF dual-hosted git repository.
mssun pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git
The following commit(s) were added to refs/heads/develop by this push:
new 02d4407 [rpc] Update third-party to enalbe builder pattern for
SgxTrustedTlsServerConfig
02d4407 is described below
commit 02d44073ea1d4fad58d0b733ba473bdfeb25ff53
Author: Mingshen Sun <[email protected]>
AuthorDate: Fri Feb 21 15:48:09 2020 -0800
[rpc] Update third-party to enalbe builder pattern for
SgxTrustedTlsServerConfig
---
attestation/Cargo.toml | 4 +--
attestation/src/attestation.rs | 6 ++--
cmake/tomls/Cargo.sgx_trusted_lib.toml | 2 +-
dcap/Cargo.toml | 2 +-
rpc/src/config.rs | 39 +++++++++++++++----------
services/access_control/enclave/src/lib.rs | 23 ++++++++-------
services/authentication/enclave/src/lib.rs | 42 +++++++++++++--------------
services/execution/enclave/src/lib.rs | 14 ++++-----
services/frontend/enclave/src/lib.rs | 14 ++++-----
services/management/enclave/Cargo.toml | 2 +-
services/management/enclave/src/lib.rs | 23 ++++++++-------
services/storage/enclave/src/lib.rs | 23 ++++++++-------
tests/integration/enclave/src/teaclave_rpc.rs | 6 ++--
third_party/crates-io | 2 +-
third_party/crates-sgx | 2 +-
types/Cargo.toml | 2 +-
16 files changed, 107 insertions(+), 99 deletions(-)
diff --git a/attestation/Cargo.toml b/attestation/Cargo.toml
index 760e1de..849e20a 100644
--- a/attestation/Cargo.toml
+++ b/attestation/Cargo.toml
@@ -31,9 +31,9 @@ rustls = { version = "0.16.0", features =
["dangerous_configuration"]
serde = { version = "1.0.92", features = ["derive"] }
serde_json = { version = "1.0.39" }
thiserror = { version = "1.0.9" }
-uuid = { version = "0.7.4", features = ["v4"] }
+uuid = { version = "0.8.1", features = ["v4"] }
webpki = { version = "0.21.0" }
-webpki-roots = { version = "0.17.0" }
+webpki-roots = { version = "0.19.0" }
url = { version = "2.1.1" }
yasna = { version = "0.3.0", features = ["bit-vec", "num-bigint",
"chrono"] }
diff --git a/attestation/src/attestation.rs b/attestation/src/attestation.rs
index 193ede0..0130fcd 100644
--- a/attestation/src/attestation.rs
+++ b/attestation/src/attestation.rs
@@ -13,12 +13,13 @@ pub struct RemoteAttestation {
pub validity: time::Duration,
pub cert: Vec<u8>,
pub private_key: Vec<u8>,
+ pub config: AttestationConfig,
}
impl RemoteAttestation {
- pub fn generate_and_endorse(att_config: &AttestationConfig) ->
Result<Self> {
+ pub fn generate_and_endorse(config: AttestationConfig) -> Result<Self> {
let key_pair = key::Secp256k1KeyPair::new()?;
- let report = match att_config {
+ let report = match &config {
AttestationConfig::NoAttestation =>
EndorsedAttestationReport::default(),
AttestationConfig::WithAttestation(config) => {
EndorsedAttestationReport::new(&config, key_pair.pub_k)?
@@ -40,6 +41,7 @@ impl RemoteAttestation {
validity,
cert: cert_der,
private_key: prv_key_der,
+ config,
})
}
}
diff --git a/cmake/tomls/Cargo.sgx_trusted_lib.toml
b/cmake/tomls/Cargo.sgx_trusted_lib.toml
index 3eb79e1..da64eeb 100644
--- a/cmake/tomls/Cargo.sgx_trusted_lib.toml
+++ b/cmake/tomls/Cargo.sgx_trusted_lib.toml
@@ -63,7 +63,7 @@ quick-error = { git =
"https://github.com/mesalock-linux/quick-error-sgx";
rand = { git = "https://github.com/mesalock-linux/rand-sgx";, tag
= "v0.6.5_sgx1.1.0" }
regex = { git = "https://github.com/mesalock-linux/regex-sgx"; }
ring = { git = "https://github.com/mesalock-linux/ring-sgx";, tag
= "v0.16.5" }
-rustls = { git = "https://github.com/mesalock-linux/rustls";, branch
= "mesalock_sgx" }
+rustls = { git = "https://github.com/mesalock-linux/rustls";, branch
= "mesalock_sgx-client-cert-verifier-patch" }
# rusty-machine = { git =
"https://github.com/mesalock-linux/rusty-machine-sgx"; }
sct = { git = "https://github.com/mesalock-linux/sct.rs";, branch
= "mesalock_sgx" }
serde = { git = "https://github.com/mesalock-linux/serde-sgx"; }
diff --git a/dcap/Cargo.toml b/dcap/Cargo.toml
index 3ea423b..9f2eb07 100644
--- a/dcap/Cargo.toml
+++ b/dcap/Cargo.toml
@@ -16,7 +16,7 @@ libc = { version = "0.2.66" }
rand = { version = "0.7.3" }
ring = { version = "0.16.11" }
untrusted = { version = "0.7.0" }
-uuid = { version = "0.7.4", features = ["v4"] }
+uuid = { version = "0.8.1", features = ["v4"] }
chrono = { version = "0.4.10" }
lazy_static = { version = "1.4.0" }
percent-encoding = { version = "2.1.0" }
diff --git a/rpc/src/config.rs b/rpc/src/config.rs
index 3545e3b..7dddc04 100644
--- a/rpc/src/config.rs
+++ b/rpc/src/config.rs
@@ -10,37 +10,46 @@ pub struct SgxTrustedTlsServerConfig {
pub config: rustls::ServerConfig,
}
+impl Default for SgxTrustedTlsServerConfig {
+ fn default() -> Self {
+ let client_cert_verifier = rustls::NoClientAuth::new();
+ let config = rustls::ServerConfig::new(client_cert_verifier);
+
+ Self { config }
+ }
+}
+
impl SgxTrustedTlsServerConfig {
- pub fn new_without_verifier(cert: &[u8], key_der: &[u8]) -> Result<Self> {
+ pub fn new() -> Self {
+ Self::default()
+ }
+
+ pub fn server_cert(mut self, cert: &[u8], key_der: &[u8]) -> Result<Self> {
let cert_chain = vec![rustls::Certificate(cert.to_vec())];
let key_der = rustls::PrivateKey(key_der.to_vec());
- let client_cert_verifier = rustls::NoClientAuth::new();
- let mut config = rustls::ServerConfig::new(client_cert_verifier);
- config.set_single_cert(cert_chain, key_der)?;
+ self.config.set_single_cert(cert_chain, key_der)?;
- Ok(Self { config })
+ Ok(Self {
+ config: self.config,
+ })
}
- pub fn new_with_attestation_report_verifier(
+ pub fn attestation_report_verifier(
+ mut self,
accepted_enclave_attrs: Vec<EnclaveAttr>,
- cert: &[u8],
- key_der: &[u8],
root_ca: &[u8],
verifier: fn(&AttestationReport) -> bool,
) -> Result<Self> {
- let cert_chain = vec![rustls::Certificate(cert.to_vec())];
- let key_der = rustls::PrivateKey(key_der.to_vec());
-
let verifier = Arc::new(AttestationReportVerifier::new(
accepted_enclave_attrs,
root_ca,
verifier,
));
- let mut config = rustls::ServerConfig::new(verifier);
- config.set_single_cert(cert_chain, key_der)?;
-
- Ok(Self { config })
+ self.config.set_client_certificate_verifier(verifier);
+ Ok(Self {
+ config: self.config,
+ })
}
}
diff --git a/services/access_control/enclave/src/lib.rs
b/services/access_control/enclave/src/lib.rs
index 14ee3b8..0dca770 100644
--- a/services/access_control/enclave/src/lib.rs
+++ b/services/access_control/enclave/src/lib.rs
@@ -51,13 +51,13 @@ const INBOUND_SERVICES: &[&str; INBOUND_SERVICES_LEN] =
BUILD_CONFIG.inbound.acc
fn start_service(config: &RuntimeConfig) -> anyhow::Result<()> {
let listen_address =
config.internal_endpoints.access_control.listen_address;
let as_config = &config.attestation;
- let attestation =
RemoteAttestation::generate_and_endorse(&AttestationConfig::new(
+ let attestation_config = AttestationConfig::new(
&as_config.algorithm,
&as_config.url,
&as_config.key,
&as_config.spid,
- ))
- .unwrap();
+ );
+ let attestation =
RemoteAttestation::generate_and_endorse(attestation_config).unwrap();
let enclave_info = EnclaveInfo::verify_and_new(
config
.audit
@@ -79,14 +79,15 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
.expect("enclave_info")
})
.collect();
- let server_config =
SgxTrustedTlsServerConfig::new_with_attestation_report_verifier(
- accepted_enclave_attrs,
- &attestation.cert,
- &attestation.private_key,
- AS_ROOT_CA_CERT,
- verifier::universal_quote_verifier,
- )
- .unwrap();
+ let server_config = SgxTrustedTlsServerConfig::new()
+ .server_cert(&attestation.cert, &attestation.private_key)
+ .unwrap()
+ .attestation_report_verifier(
+ accepted_enclave_attrs,
+ AS_ROOT_CA_CERT,
+ verifier::universal_quote_verifier,
+ )
+ .unwrap();
acs::init_acs().unwrap();
let mut server = SgxTrustedTlsServer::<
diff --git a/services/authentication/enclave/src/lib.rs
b/services/authentication/enclave/src/lib.rs
index 642c229..79cb9f2 100644
--- a/services/authentication/enclave/src/lib.rs
+++ b/services/authentication/enclave/src/lib.rs
@@ -62,19 +62,20 @@ fn start_internal_endpoint(
attestation: Arc<RemoteAttestation>,
accepted_enclave_attrs: Vec<teaclave_types::EnclaveAttr>,
) {
- let config =
SgxTrustedTlsServerConfig::new_with_attestation_report_verifier(
- accepted_enclave_attrs,
- &attestation.cert,
- &attestation.private_key,
- AS_ROOT_CA_CERT,
- verifier::universal_quote_verifier,
- )
- .unwrap();
+ let server_config = SgxTrustedTlsServerConfig::new()
+ .server_cert(&attestation.cert, &attestation.private_key)
+ .unwrap()
+ .attestation_report_verifier(
+ accepted_enclave_attrs,
+ AS_ROOT_CA_CERT,
+ verifier::universal_quote_verifier,
+ )
+ .unwrap();
let mut server = SgxTrustedTlsServer::<
TeaclaveAuthenticationInternalResponse,
TeaclaveAuthenticationInternalRequest,
- >::new(addr, &config);
+ >::new(addr, &server_config);
let service =
internal_service::TeaclaveAuthenticationInternalService::new(db_client,
jwt_secret);
@@ -93,11 +94,9 @@ fn start_api_endpoint(
jwt_secret: Vec<u8>,
attestation: Arc<RemoteAttestation>,
) {
- let config = SgxTrustedTlsServerConfig::new_without_verifier(
- &attestation.cert,
- &attestation.private_key,
- )
- .unwrap();
+ let config = SgxTrustedTlsServerConfig::new()
+ .server_cert(&attestation.cert, &attestation.private_key)
+ .unwrap();
let mut server = SgxTrustedTlsServer::<
TeaclaveAuthenticationApiResponse,
@@ -139,15 +138,14 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
let api_listen_address =
config.api_endpoints.authentication.listen_address;
let internal_listen_address =
config.internal_endpoints.authentication.listen_address;
let as_config = &config.attestation;
- let attestation = Arc::new(
- RemoteAttestation::generate_and_endorse(&AttestationConfig::new(
- &as_config.algorithm,
- &as_config.url,
- &as_config.key,
- &as_config.spid,
- ))
- .unwrap(),
+ let attestation_config = AttestationConfig::new(
+ &as_config.algorithm,
+ &as_config.url,
+ &as_config.key,
+ &as_config.spid,
);
+ let attestation =
+
Arc::new(RemoteAttestation::generate_and_endorse(attestation_config).unwrap());
let database = user_db::Database::open()?;
let mut api_jwt_secret = vec![0; user_info::JWT_SECRET_LEN];
let mut rng = rand::thread_rng();
diff --git a/services/execution/enclave/src/lib.rs
b/services/execution/enclave/src/lib.rs
index e2699e8..ece089a 100644
--- a/services/execution/enclave/src/lib.rs
+++ b/services/execution/enclave/src/lib.rs
@@ -45,18 +45,16 @@ mod service;
fn start_service(config: &RuntimeConfig) -> anyhow::Result<()> {
let listen_address = config.internal_endpoints.execution.listen_address;
let as_config = &config.attestation;
- let attestation =
RemoteAttestation::generate_and_endorse(&AttestationConfig::new(
+ let attestation_config = AttestationConfig::new(
&as_config.algorithm,
&as_config.url,
&as_config.key,
&as_config.spid,
- ))
- .unwrap();
- let server_config = SgxTrustedTlsServerConfig::new_without_verifier(
- &attestation.cert,
- &attestation.private_key,
- )
- .unwrap();
+ );
+ let attestation =
RemoteAttestation::generate_and_endorse(attestation_config).unwrap();
+ let server_config = SgxTrustedTlsServerConfig::new()
+ .server_cert(&attestation.cert, &attestation.private_key)
+ .unwrap();
let mut server =
SgxTrustedTlsServer::<TeaclaveExecutionResponse,
TeaclaveExecutionRequest>::new(
diff --git a/services/frontend/enclave/src/lib.rs
b/services/frontend/enclave/src/lib.rs
index 1e55879..54cc1e3 100644
--- a/services/frontend/enclave/src/lib.rs
+++ b/services/frontend/enclave/src/lib.rs
@@ -49,18 +49,16 @@ const AS_ROOT_CA_CERT: &[u8] = BUILD_CONFIG.as_root_ca_cert;
fn start_service(config: &RuntimeConfig) -> anyhow::Result<()> {
let listen_address = config.api_endpoints.frontend.listen_address;
let as_config = &config.attestation;
- let attestation =
RemoteAttestation::generate_and_endorse(&AttestationConfig::new(
+ let attestation_config = AttestationConfig::new(
&as_config.algorithm,
&as_config.url,
&as_config.key,
&as_config.spid,
- ))
- .unwrap();
- let server_config = SgxTrustedTlsServerConfig::new_without_verifier(
- &attestation.cert,
- &attestation.private_key,
- )
- .unwrap();
+ );
+ let attestation =
RemoteAttestation::generate_and_endorse(attestation_config).unwrap();
+ let server_config = SgxTrustedTlsServerConfig::new()
+ .server_cert(&attestation.cert, &attestation.private_key)
+ .unwrap();
let mut server = SgxTrustedTlsServer::<TeaclaveFrontendResponse,
TeaclaveFrontendRequest>::new(
listen_address,
diff --git a/services/management/enclave/Cargo.toml
b/services/management/enclave/Cargo.toml
index d3230a0..3a6ef96 100644
--- a/services/management/enclave/Cargo.toml
+++ b/services/management/enclave/Cargo.toml
@@ -34,7 +34,7 @@ serde_json = { version = "1.0.39" }
thiserror = { version = "1.0.9" }
ring = { version = "0.16.5" }
rand = { version = "0.7.0" }
-uuid = { version = "0.7.4", features = ["v4"] }
+uuid = { version = "0.8.1", features = ["v4"] }
url = { version = "2.1.1", features = ["serde"]}
teaclave_attestation = { path = "../../../attestation" }
diff --git a/services/management/enclave/src/lib.rs
b/services/management/enclave/src/lib.rs
index 17018fe..ff44826 100644
--- a/services/management/enclave/src/lib.rs
+++ b/services/management/enclave/src/lib.rs
@@ -55,13 +55,13 @@ const INBOUND_SERVICES: &[&str; INBOUND_SERVICES_LEN] =
BUILD_CONFIG.inbound.man
fn start_service(config: &RuntimeConfig) -> anyhow::Result<()> {
let listen_address = config.internal_endpoints.management.listen_address;
let as_config = &config.attestation;
- let attestation =
RemoteAttestation::generate_and_endorse(&AttestationConfig::new(
+ let attesation_config = AttestationConfig::new(
&as_config.algorithm,
&as_config.url,
&as_config.key,
&as_config.spid,
- ))
- .unwrap();
+ );
+ let attestation =
RemoteAttestation::generate_and_endorse(attesation_config).unwrap();
let enclave_info = EnclaveInfo::verify_and_new(
config
.audit
@@ -83,14 +83,15 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
.expect("enclave_info")
})
.collect();
- let server_config =
SgxTrustedTlsServerConfig::new_with_attestation_report_verifier(
- accepted_enclave_attrs,
- &attestation.cert,
- &attestation.private_key,
- AS_ROOT_CA_CERT,
- verifier::universal_quote_verifier,
- )
- .unwrap();
+ let server_config = SgxTrustedTlsServerConfig::new()
+ .server_cert(&attestation.cert, &attestation.private_key)
+ .unwrap()
+ .attestation_report_verifier(
+ accepted_enclave_attrs,
+ AS_ROOT_CA_CERT,
+ verifier::universal_quote_verifier,
+ )
+ .unwrap();
let mut server =
SgxTrustedTlsServer::<TeaclaveManagementResponse,
TeaclaveManagementRequest>::new(
listen_address,
diff --git a/services/storage/enclave/src/lib.rs
b/services/storage/enclave/src/lib.rs
index bbdbc5b..f20bf96 100644
--- a/services/storage/enclave/src/lib.rs
+++ b/services/storage/enclave/src/lib.rs
@@ -54,13 +54,13 @@ const INBOUND_SERVICES: &[&str; INBOUND_SERVICES_LEN] =
BUILD_CONFIG.inbound.sto
fn start_service(config: &RuntimeConfig) -> anyhow::Result<()> {
let listen_address = config.internal_endpoints.storage.listen_address;
let as_config = &config.attestation;
- let attestation =
RemoteAttestation::generate_and_endorse(&AttestationConfig::new(
+ let attestation_config = AttestationConfig::new(
&as_config.algorithm,
&as_config.url,
&as_config.key,
&as_config.spid,
- ))
- .unwrap();
+ );
+ let attestation =
RemoteAttestation::generate_and_endorse(attestation_config).unwrap();
let enclave_info = EnclaveInfo::verify_and_new(
config
.audit
@@ -82,14 +82,15 @@ fn start_service(config: &RuntimeConfig) ->
anyhow::Result<()> {
.expect("enclave_info")
})
.collect();
- let server_config =
SgxTrustedTlsServerConfig::new_with_attestation_report_verifier(
- accepted_enclave_attrs,
- &attestation.cert,
- &attestation.private_key,
- AS_ROOT_CA_CERT,
- verifier::universal_quote_verifier,
- )
- .unwrap();
+ let server_config = SgxTrustedTlsServerConfig::new()
+ .server_cert(&attestation.cert, &attestation.private_key)
+ .unwrap()
+ .attestation_report_verifier(
+ accepted_enclave_attrs,
+ AS_ROOT_CA_CERT,
+ verifier::universal_quote_verifier,
+ )
+ .unwrap();
let (sender, receiver) = channel();
thread::spawn(move || {
diff --git a/tests/integration/enclave/src/teaclave_rpc.rs
b/tests/integration/enclave/src/teaclave_rpc.rs
index f12efa1..5dccbe9 100644
--- a/tests/integration/enclave/src/teaclave_rpc.rs
+++ b/tests/integration/enclave/src/teaclave_rpc.rs
@@ -103,9 +103,9 @@ fn start_echo_service() {
&pemfile::pkcs8_private_keys(&mut
io::BufReader::new(fs::File::open(END_KEY).unwrap()))
.unwrap()[0];
let addr = "127.0.0.1:12345".parse().unwrap();
- let config =
- SgxTrustedTlsServerConfig::new_without_verifier(&cert[0].as_ref(),
&private_key.0)
- .unwrap();
+ let config = SgxTrustedTlsServerConfig::new()
+ .server_cert(&cert[0].as_ref(), &private_key.0)
+ .unwrap();
let mut server = SgxTrustedTlsServer::<EchoResponse,
EchoRequest>::new(addr, &config);
server.start(EchoService).unwrap();
});
diff --git a/third_party/crates-io b/third_party/crates-io
index 6d7fe60..1203ee3 160000
--- a/third_party/crates-io
+++ b/third_party/crates-io
@@ -1 +1 @@
-Subproject commit 6d7fe60e437c067d991c3bfb3ad0f02e103e5971
+Subproject commit 1203ee3e1ce444f34bfce9d6d970ad20aa73bf23
diff --git a/third_party/crates-sgx b/third_party/crates-sgx
index d2497be..6b3b7cb 160000
--- a/third_party/crates-sgx
+++ b/third_party/crates-sgx
@@ -1 +1 @@
-Subproject commit d2497bedc00625a171179660c39107f648a80bfb
+Subproject commit 6b3b7cbbee9a9db7c6b0d143cb49643cc1ac8e76
diff --git a/types/Cargo.toml b/types/Cargo.toml
index 5e7e002..f590ca8 100644
--- a/types/Cargo.toml
+++ b/types/Cargo.toml
@@ -29,7 +29,7 @@ toml = { version = "0.5.3" }
ring = { version = "0.16.5" }
thiserror = { version = "1.0.9" }
url = { version = "2.1.1", features = ["serde"]}
-uuid = { version = "0.7.4", features = ["v4", "serde"] }
+uuid = { version = "0.8.1", features = ["v4", "serde"] }
teaclave_test_utils = { path = "../tests/utils", optional = true }
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
