This is an automated email from the ASF dual-hosted git repository. hsun pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git
commit 84e9a996162447efb76cd9df71ebd0afe0a4170d Author: sunhe05 <[email protected]> AuthorDate: Wed Jun 7 06:50:15 2023 +0000 Move the keys folder to the config directory --- .licenserc.yaml | 2 +- README.md | 25 ---------------------- attestation/src/service.rs | 2 +- cmake/scripts/prep.sh | 6 +++--- cmake/scripts/sgx_link_sign.sh | 2 +- config/README.md | 16 ++++++++++++++ config/build.config.toml | 12 +++++------ .../albus_dumbledore/albus_dumbledore.private.pem | 0 .../albus_dumbledore/albus_dumbledore.public.pem | 0 .../keys}/auditors/godzilla/godzilla.private.pem | 0 .../keys}/auditors/godzilla/godzilla.public.pem | 0 .../optimus_prime/optimus_prime.private.pem | 0 .../optimus_prime/optimus_prime.public.pem | 0 {keys => config/keys}/dcap_root_ca_cert.pem | 0 {keys => config/keys}/dcap_server_cert.pem | 0 {keys => config/keys}/dcap_server_key.pem | 0 {keys => config/keys}/enclave_signing_key.pem | 0 {keys => config/keys}/ias_root_ca_cert.pem | 0 docs/mutual-attestation.md | 2 +- examples/c/utils.h | 4 ++-- examples/python/utils.py | 4 ++-- examples/rust/builtin_echo/src/main.rs | 4 ++-- .../rust/builtin_ordered_set_intersect/src/main.rs | 4 ++-- keys/README.md | 19 ---------------- sdk/rust/src/lib.rs | 4 ++-- .../TeaclaveClientSDKTests.swift | 2 +- tests/scripts/functional_tests.py | 4 ++-- 27 files changed, 42 insertions(+), 70 deletions(-) diff --git a/.licenserc.yaml b/.licenserc.yaml index f493fe0b..3e314b25 100644 --- a/.licenserc.yaml +++ b/.licenserc.yaml @@ -38,7 +38,7 @@ header: - 'build/**' - 'cmake/tomls/Cargo.*.lock' - 'common/rusty_leveldb_sgx/**' - - 'keys' + - 'config/keys' - 'licenses' - 'release/**' - 'services/access_control/model.conf' diff --git a/README.md b/README.md index 7a6f6e52..9c270907 100644 --- a/README.md +++ b/README.md @@ -59,31 +59,6 @@ platform, making computation on privacy-sensitive data safe and simple. - [Rust Development Guideline](docs/rust-guideline.md) - [Development Tips](docs/development-tips.md) -### Codebase - -- [Attestation](attestation) -- [Binder](binder) -- [Built-in Functions](function) -- [Client SDK](sdk) -- [Command Line Tool](cli) -- [Common Libraries](common) -- [Configurations in Teaclave](config) -- [Crypto Primitives](crypto) -- [Data Center Attestation Service](dcap) -- [Dockerfile and Compose File](docker) -- [Examples](examples) -- [Executor Runtime](runtime) -- [File Agent](file_agent) -- [Function Executors](executor) -- [Keys and Certificates](keys) -- [RPC](rpc) -- [Teaclave Services](services) -- [Teaclave Worker](worker) -- [Test Harness and Test Cases](tests) -- [Third-Party Dependency Vendoring](third_party) -- [Tools](tools) -- [Types](types) - ### API References - [Teaclave SGX SDK](https://teaclave.apache.org/api-docs/sgx-sdk/) diff --git a/attestation/src/service.rs b/attestation/src/service.rs index b69be8ec..e65fb409 100644 --- a/attestation/src/service.rs +++ b/attestation/src/service.rs @@ -35,7 +35,7 @@ use sgx_crypto::ecc::EcPublicKey; /// Root certification of the DCAP attestation service provider. #[cfg(dcap)] -const DCAP_ROOT_CA_CERT: &str = include_str!("../../keys/dcap_root_ca_cert.pem"); +const DCAP_ROOT_CA_CERT: &str = include_str!("../../config/keys/dcap_root_ca_cert.pem"); /// URL path to get the report from the attestation service. const AS_REPORT_URL: &str = "/sgx/dev/attestation/v4/report"; diff --git a/cmake/scripts/prep.sh b/cmake/scripts/prep.sh index 050dec7b..31b0f8ef 100755 --- a/cmake/scripts/prep.sh +++ b/cmake/scripts/prep.sh @@ -41,11 +41,11 @@ mkdir -p ${TEACLAVE_OUT_DIR} ${TEACLAVE_TARGET_DIR} ${TEACLAVE_SERVICE_INSTALL_D if [ "$DCAP" == "ON" ]; then mkdir -p ${TEACLAVE_DCAP_INSTALL_DIR} cp ${CMAKE_SOURCE_DIR}/dcap/Rocket.toml ${TEACLAVE_DCAP_INSTALL_DIR}/Rocket.toml - cp ${CMAKE_SOURCE_DIR}/keys/dcap_server_cert.pem ${TEACLAVE_DCAP_INSTALL_DIR}/ - cp ${CMAKE_SOURCE_DIR}/keys/dcap_server_key.pem ${TEACLAVE_DCAP_INSTALL_DIR}/ + cp ${CMAKE_SOURCE_DIR}/config/keys/dcap_server_cert.pem ${TEACLAVE_DCAP_INSTALL_DIR}/ + cp ${CMAKE_SOURCE_DIR}/config/keys/dcap_server_key.pem ${TEACLAVE_DCAP_INSTALL_DIR}/ fi # copy auditors to install directory to make it easy to package all built things -cp -RT ${CMAKE_SOURCE_DIR}/keys/auditors/ ${TEACLAVE_AUDITORS_DIR}/ +cp -RT ${CMAKE_SOURCE_DIR}/config/keys/auditors/ ${TEACLAVE_AUDITORS_DIR}/ cp ${CMAKE_SOURCE_DIR}/config/runtime.config.toml ${TEACLAVE_SERVICE_INSTALL_DIR} cp ${CMAKE_SOURCE_DIR}/config/runtime.config.toml ${TEACLAVE_TEST_INSTALL_DIR} cp -r ${CMAKE_SOURCE_DIR}/tests/fixtures/ ${TEACLAVE_TEST_INSTALL_DIR} diff --git a/cmake/scripts/sgx_link_sign.sh b/cmake/scripts/sgx_link_sign.sh index 67184223..2b0225b1 100755 --- a/cmake/scripts/sgx_link_sign.sh +++ b/cmake/scripts/sgx_link_sign.sh @@ -68,7 +68,7 @@ cd ${TEACLAVE_OUT_DIR} ${CMAKE_C_COMPILER} "lib${edl_lib_name}.o" -o \ ${TEACLAVE_OUT_DIR}/${CUR_PKG_NAME}.so ${SGX_COMMON_CFLAGS} \ ${ENCLAVE_LINK_FLAGS} -${SGX_ENCLAVE_SIGNER} sign -key ${TEACLAVE_PROJECT_ROOT}/keys/enclave_signing_key.pem \ +${SGX_ENCLAVE_SIGNER} sign -key ${TEACLAVE_PROJECT_ROOT}/config/keys/enclave_signing_key.pem \ -enclave ${CUR_PKG_NAME}.so \ -out ${CUR_INSTALL_DIR}/${CUR_PKG_NAME}.signed.so \ -config ${TEACLAVE_PROJECT_ROOT}/${CUR_PKG_PATH}/Enclave.config.xml \ diff --git a/config/README.md b/config/README.md index a44157a9..3f27988a 100644 --- a/config/README.md +++ b/config/README.md @@ -45,3 +45,19 @@ Note that the runtime config will be loaded when launching the services. We *should not* trust the content and make sure maliciously crafted config from this file will not break any data confidentiality/integrity. Otherwise, the configuration must be defined as a build config. + +## Keys and Certificates in Teaclave + +Directory `keys` contains keys and certificates used in the Teaclave platform. +Note that these are only for demonstration. *DO NOT use them in production.* + +- `enclave_signing_key.pem`: private key to sign SGX enclaves +- `ias_root_ca_cert.pem`: attestation report root CA certificate for Intel SGX + Attestation Service, obtained from the + [service website](https://api.portal.trustedservices.intel.com/EPID-attestation) +- `dcap_root_ca_cert.pem`: root CA certificate used for connecting to the + reference DCAP attestation server and verifying ECDSA attestation reports. +- `dcap_server_cert.pem` and `dcap_server_key.pem`: DCAP attestation server + end-entity certificate and private key. Certificate is signed by DCAP root CA. +- `auditors`: contains auditors' keys to sign the *enclave info* for mutual + attestation diff --git a/config/build.config.toml b/config/build.config.toml index a4065e5d..e4f3c331 100644 --- a/config/build.config.toml +++ b/config/build.config.toml @@ -18,15 +18,15 @@ # Teaclave Build Config # Intel Attestation Service root CA certificate to verify attestation report -as_root_ca_cert = { path = "keys/ias_root_ca_cert.pem" } +as_root_ca_cert = { path = "config/keys/ias_root_ca_cert.pem" } # For DCAP, use the following cert -# as_root_ca_cert = { path = "keys/dcap_root_ca_cert.pem" } +# as_root_ca_cert = { path = "config/keys/dcap_root_ca_cert.pem" } # Auditors' public keys to verify their endorsement signatures auditor_public_keys = [ - { path = "keys/auditors/godzilla/godzilla.public.pem" }, - { path = "keys/auditors/optimus_prime/optimus_prime.public.pem" }, - { path = "keys/auditors/albus_dumbledore/albus_dumbledore.public.pem"}, + { path = "config/keys/auditors/godzilla/godzilla.public.pem" }, + { path = "config/keys/auditors/optimus_prime/optimus_prime.public.pem" }, + { path = "config/keys/auditors/albus_dumbledore/albus_dumbledore.public.pem"}, ] # RPC max message size @@ -51,4 +51,4 @@ access_control = ["teaclave_management_service"] authentication = ["teaclave_frontend_service"] storage = ["teaclave_management_service", "teaclave_scheduler_service"] management = ["teaclave_frontend_service"] -scheduler = ["teaclave_execution_service"] \ No newline at end of file +scheduler = ["teaclave_execution_service"] diff --git a/keys/auditors/albus_dumbledore/albus_dumbledore.private.pem b/config/keys/auditors/albus_dumbledore/albus_dumbledore.private.pem similarity index 100% rename from keys/auditors/albus_dumbledore/albus_dumbledore.private.pem rename to config/keys/auditors/albus_dumbledore/albus_dumbledore.private.pem diff --git a/keys/auditors/albus_dumbledore/albus_dumbledore.public.pem b/config/keys/auditors/albus_dumbledore/albus_dumbledore.public.pem similarity index 100% rename from keys/auditors/albus_dumbledore/albus_dumbledore.public.pem rename to config/keys/auditors/albus_dumbledore/albus_dumbledore.public.pem diff --git a/keys/auditors/godzilla/godzilla.private.pem b/config/keys/auditors/godzilla/godzilla.private.pem similarity index 100% rename from keys/auditors/godzilla/godzilla.private.pem rename to config/keys/auditors/godzilla/godzilla.private.pem diff --git a/keys/auditors/godzilla/godzilla.public.pem b/config/keys/auditors/godzilla/godzilla.public.pem similarity index 100% rename from keys/auditors/godzilla/godzilla.public.pem rename to config/keys/auditors/godzilla/godzilla.public.pem diff --git a/keys/auditors/optimus_prime/optimus_prime.private.pem b/config/keys/auditors/optimus_prime/optimus_prime.private.pem similarity index 100% rename from keys/auditors/optimus_prime/optimus_prime.private.pem rename to config/keys/auditors/optimus_prime/optimus_prime.private.pem diff --git a/keys/auditors/optimus_prime/optimus_prime.public.pem b/config/keys/auditors/optimus_prime/optimus_prime.public.pem similarity index 100% rename from keys/auditors/optimus_prime/optimus_prime.public.pem rename to config/keys/auditors/optimus_prime/optimus_prime.public.pem diff --git a/keys/dcap_root_ca_cert.pem b/config/keys/dcap_root_ca_cert.pem similarity index 100% rename from keys/dcap_root_ca_cert.pem rename to config/keys/dcap_root_ca_cert.pem diff --git a/keys/dcap_server_cert.pem b/config/keys/dcap_server_cert.pem similarity index 100% rename from keys/dcap_server_cert.pem rename to config/keys/dcap_server_cert.pem diff --git a/keys/dcap_server_key.pem b/config/keys/dcap_server_key.pem similarity index 100% rename from keys/dcap_server_key.pem rename to config/keys/dcap_server_key.pem diff --git a/keys/enclave_signing_key.pem b/config/keys/enclave_signing_key.pem similarity index 100% rename from keys/enclave_signing_key.pem rename to config/keys/enclave_signing_key.pem diff --git a/keys/ias_root_ca_cert.pem b/config/keys/ias_root_ca_cert.pem similarity index 100% rename from keys/ias_root_ca_cert.pem rename to config/keys/ias_root_ca_cert.pem diff --git a/docs/mutual-attestation.md b/docs/mutual-attestation.md index dc678047..75629ac9 100644 --- a/docs/mutual-attestation.md +++ b/docs/mutual-attestation.md @@ -44,7 +44,7 @@ before serving any requests. ## In the Repository -The [keys](https://github.com/apache/incubator-teaclave/tree/master/keys) +The [keys](https://github.com/apache/incubator-teaclave/tree/master/config/keys) directory in the source tree contain the key pairs of three fake auditing parties for PoC purposes. Private keys are also included to deliver a smooth build and test process. In production, builders of Teaclave should obtain the diff --git a/examples/c/utils.h b/examples/c/utils.h index 61f89376..17372ed5 100644 --- a/examples/c/utils.h +++ b/examples/c/utils.h @@ -22,9 +22,9 @@ const char *authentication_service_address = "https://localhost:7776";; const char *frontend_service_address = "https://localhost:7777";; const char *enclave_info_path = "../../release/services/enclave_info.toml"; #ifdef DCAP -const char *as_root_ca_cert_path = "../../keys/dcap_root_ca_cert.pem"; +const char *as_root_ca_cert_path = "../../config/keys/dcap_root_ca_cert.pem"; #else -const char *as_root_ca_cert_path = "../../keys/ias_root_ca_cert.pem"; +const char *as_root_ca_cert_path = "../../config/keys/ias_root_ca_cert.pem"; #endif int user_register(const char* admin_user_id, diff --git a/examples/python/utils.py b/examples/python/utils.py index 70115647..98f62176 100644 --- a/examples/python/utils.py +++ b/examples/python/utils.py @@ -32,11 +32,11 @@ else: if os.environ.get('TEACLAVE_PROJECT_ROOT'): AS_ROOT_CA_CERT_PATH = os.environ['TEACLAVE_PROJECT_ROOT'] + \ - "/keys/" + AS_ROOT_CERT_FILENAME + "/config/keys/" + AS_ROOT_CERT_FILENAME ENCLAVE_INFO_PATH = os.environ['TEACLAVE_PROJECT_ROOT'] + \ "/release/tests/enclave_info.toml" else: - AS_ROOT_CA_CERT_PATH = "../../keys/" + AS_ROOT_CERT_FILENAME + AS_ROOT_CA_CERT_PATH = "../../config/keys/" + AS_ROOT_CERT_FILENAME ENCLAVE_INFO_PATH = "../../release/examples/enclave_info.toml" diff --git a/examples/rust/builtin_echo/src/main.rs b/examples/rust/builtin_echo/src/main.rs index 6f3d1c1d..dd250fec 100644 --- a/examples/rust/builtin_echo/src/main.rs +++ b/examples/rust/builtin_echo/src/main.rs @@ -32,9 +32,9 @@ macro_rules! hashmap { const ENCLAVE_INFO_PATH: &str = "../../../release/services/enclave_info.toml"; #[cfg(dcap)] -const AS_ROOT_CA_CERT_PATH: &str = "../../../keys/dcap_root_ca_cert.pem"; +const AS_ROOT_CA_CERT_PATH: &str = "../../../config/keys/dcap_root_ca_cert.pem"; #[cfg(not(dcap))] -const AS_ROOT_CA_CERT_PATH: &str = "../../../keys/ias_root_ca_cert.pem"; +const AS_ROOT_CA_CERT_PATH: &str = "../../../config/keys/ias_root_ca_cert.pem"; const USER_ID: &str = "admin"; const USER_PASSWORD: &str = "teaclave"; diff --git a/examples/rust/builtin_ordered_set_intersect/src/main.rs b/examples/rust/builtin_ordered_set_intersect/src/main.rs index b09d0563..a55706c2 100644 --- a/examples/rust/builtin_ordered_set_intersect/src/main.rs +++ b/examples/rust/builtin_ordered_set_intersect/src/main.rs @@ -31,9 +31,9 @@ macro_rules! hashmap { const ENCLAVE_INFO_PATH: &str = "../../../release/services/enclave_info.toml"; #[cfg(dcap)] -const AS_ROOT_CA_CERT_PATH: &str = "../../../keys/dcap_root_ca_cert.pem"; +const AS_ROOT_CA_CERT_PATH: &str = "../../../config/keys/dcap_root_ca_cert.pem"; #[cfg(not(dcap))] -const AS_ROOT_CA_CERT_PATH: &str = "../../../keys/ias_root_ca_cert.pem"; +const AS_ROOT_CA_CERT_PATH: &str = "../../../config/keys/ias_root_ca_cert.pem"; struct UserData { user_id: String, diff --git a/keys/README.md b/keys/README.md deleted file mode 100644 index 2973b804..00000000 --- a/keys/README.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -permalink: /docs/codebase/keys ---- - -# Keys and Certificates in Teaclave - -This directory contains keys and certificates used in the Teaclave platform. -Note that these are only for demonstration. *DO NOT use them in production.* - -- `enclave_signing_key.pem`: private key to sign SGX enclaves -- `ias_root_ca_cert.pem`: attestation report root CA certificate for Intel SGX - Attestation Service, obtained from the - [service website](https://api.portal.trustedservices.intel.com/EPID-attestation) -- `dcap_root_ca_cert.pem`: root CA certificate used for connecting to the - reference DCAP attestation server and verifying ECDSA attestation reports. -- `dcap_server_cert.pem` and `dcap_server_key.pem`: DCAP attestation server - end-entity certificate and private key. Certificate is signed by DCAP root CA. -- `auditors`: contains auditors' keys to sign the *enclave info* for mutual - attestation diff --git a/sdk/rust/src/lib.rs b/sdk/rust/src/lib.rs index 0eb466cd..752e50f4 100644 --- a/sdk/rust/src/lib.rs +++ b/sdk/rust/src/lib.rs @@ -583,9 +583,9 @@ mod tests { const ENCLAVE_INFO_PATH: &str = "../../release/services/enclave_info.toml"; #[cfg(dcap)] - const AS_ROOT_CA_CERT_PATH: &str = "../../keys/dcap_root_ca_cert.pem"; + const AS_ROOT_CA_CERT_PATH: &str = "../../config/keys/dcap_root_ca_cert.pem"; #[cfg(not(dcap))] - const AS_ROOT_CA_CERT_PATH: &str = "../../keys/ias_root_ca_cert.pem"; + const AS_ROOT_CA_CERT_PATH: &str = "../../config/keys/ias_root_ca_cert.pem"; const USER_ID: &str = "rust_client_sdk_test_user"; const USER_PASSWORD: &str = "test_password"; const ADMIN_ID: &str = "admin"; diff --git a/sdk/swift/TeaclaveClientSDK/TeaclaveClientSDKTests/TeaclaveClientSDKTests.swift b/sdk/swift/TeaclaveClientSDK/TeaclaveClientSDKTests/TeaclaveClientSDKTests.swift index 413ddb42..f5cca16b 100644 --- a/sdk/swift/TeaclaveClientSDK/TeaclaveClientSDKTests/TeaclaveClientSDKTests.swift +++ b/sdk/swift/TeaclaveClientSDK/TeaclaveClientSDKTests/TeaclaveClientSDKTests.swift @@ -26,7 +26,7 @@ class TeaclaveClientSDKTests: XCTestCase { // Setup enclave info path e.g., /incubator-teaclave/enclave_info.toml let enclave_info_path = "" - // Setup AS CA certificate path e.g., /incubator-teaclave/keys/ias_root_ca_cert.pem + // Setup AS CA certificate path e.g., /incubator-teaclave/config/keys/ias_root_ca_cert.pem let as_root_ca_cert_path = "" func testBuiltinEcho() throws { diff --git a/tests/scripts/functional_tests.py b/tests/scripts/functional_tests.py index 04bb223c..d751cef4 100755 --- a/tests/scripts/functional_tests.py +++ b/tests/scripts/functional_tests.py @@ -52,11 +52,11 @@ else: if os.environ.get('TEACLAVE_PROJECT_ROOT'): AS_ROOT_CA_CERT_PATH = os.environ['TEACLAVE_PROJECT_ROOT'] + \ - "/keys/" + AS_ROOT_CERT_FILENAME + "/config/keys/" + AS_ROOT_CERT_FILENAME ENCLAVE_INFO_PATH = os.environ['TEACLAVE_PROJECT_ROOT'] + \ "/release/tests/enclave_info.toml" else: - AS_ROOT_CA_CERT_PATH = "../../keys/" + AS_ROOT_CERT_FILENAME + AS_ROOT_CA_CERT_PATH = "../../config/keys/" + AS_ROOT_CERT_FILENAME ENCLAVE_INFO_PATH = "../../release/tests/enclave_info.toml" --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
