Posted to commits@teaclave.apache.org by ms...@apache.org on 2020/04/09 06:29:17 UTC

[incubator-teaclave] branch develop updated (5d8cf6e -> 45aa8fb)

This is an automated email from the ASF dual-hosted git repository.

mssun pushed a change to branch develop
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git.


    from 5d8cf6e  [Execution] Add FileManager, TaskStatus and TaskResult (#261)
     new 108823f  [tests] Support attest endpoint in TLS in Python script
     new 1f2b4c6  [docker] Update docker file for building teaclave
     new 45aa8fb  [tests] Fix Python attestation function under DCAP and SW

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .drone.yml                                       | 60 +++++++++---------
 cmake/TeaclaveGenVars.cmake                      |  1 +
 docker/build.ubuntu-1804.sgx-2.9.Dockerfile      |  5 +-
 docker/build.ubuntu-1804.sgx-dcap-1.5.Dockerfile |  5 +-
 tests/scripts/functional_tests.py                | 81 ++++++++++++++++++++++--
 5 files changed, 115 insertions(+), 37 deletions(-)


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@teaclave.apache.org
For additional commands, e-mail: commits-help@teaclave.apache.org


[incubator-teaclave] 02/03: [docker] Update docker file for building teaclave

Posted by ms...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mssun pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git

commit 1f2b4c6e0388b7ff7725f09a65db54776ec479bc
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Wed Apr 8 21:28:09 2020 -0700

    [docker] Update docker file for building teaclave
---
 .drone.yml                                       | 60 ++++++++++++------------
 docker/build.ubuntu-1804.sgx-2.9.Dockerfile      |  5 +-
 docker/build.ubuntu-1804.sgx-dcap-1.5.Dockerfile |  5 +-
 3 files changed, 38 insertions(+), 32 deletions(-)

diff --git a/.drone.yml b/.drone.yml
index cbd44ed..57728f8 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -3,23 +3,23 @@ name: sgx-debug-ubuntu-1804
 
 steps:
 - name: prepare
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - mkdir -p build
   - cd build && cmake -DCMAKE_BUILD_TYPE=Debug -DTEST_MODE=ON ..
 - name: check
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && make check
 - name: compile
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && make VERBOSE=1 -j2
 - name: test
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   environment:
     AS_ALGO: sgx_epid
     AS_URL: https://api.trustedservices.intel.com:443
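Review bot: moving the build image from `latest` to `0.1.0` is an improvement, but a registry tag is still mutable, so the pipeline can silently pick up a republished image under the same tag; for a reproducible CI build, pin by digest as well (`image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0@sha256:<digest>`) and bump it deliberately when the image is rebuilt. The same applies to every `image:` line changed in this file.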
@@ -55,25 +55,25 @@ name: sgx-dcap-debug-ubuntu-1804
 
 steps:
 - name: prepare
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-dcap-1.5:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-dcap-1.5:0.1.0
   commands:
   - . /root/.cargo/env
   - mkdir -p build
   - cd build && cmake -DCMAKE_BUILD_TYPE=Debug -DTEST_MODE=ON -DDCAP=ON ..
 - name: check
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-dcap-1.5:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-dcap-1.5:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && make check
 - name: compile
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-dcap-1.5:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-dcap-1.5:0.1.0
   commands:
   - . /root/.cargo/env
   - . /opt/sgxsdk/environment
   - sed -i 's/ias_root_ca_cert/dcap_root_ca_cert/' config/build.config.toml
   - cd build && make VERBOSE=1 -j2
 - name: test
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-dcap-1.5:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-dcap-1.5:0.1.0
   environment:
     AS_ALGO: sgx_ecdsa
     AS_URL: https://localhost:8080
@@ -121,23 +121,23 @@ name: sgx-release-ubuntu-1804
 
 steps:
 - name: prepare
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - mkdir -p build
   - cd build && cmake -DTEST_MODE=ON ..
 - name: check
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && make check
 - name: compile
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && make VERBOSE=1 -j2
 - name: test
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   privileged: true
   environment:
     AS_ALGO: sgx_epid
@@ -173,23 +173,23 @@ name: sim-debug-ubuntu-1804
 
 steps:
 - name: prepare
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - mkdir -p build
   - cd build && cmake -DTEST_MODE=ON ..
 - name: check
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && make check
 - name: compile
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && cmake -DCMAKE_BUILD_TYPE=Debug -DSGX_SIM_MODE=ON .. && make VERBOSE=1 -j2
 - name: test
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && make run-tests
@@ -204,23 +204,23 @@ name: sim-release-ubuntu-1804
 
 steps:
 - name: prepare
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - mkdir -p build
   - cd build && cmake -DTEST_MODE=YES ..
 - name: check
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && make check
 - name: compile
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && cmake -DSGX_SIM_MODE=ON .. && make VERBOSE=1 -j2
 - name: test
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && make run-tests
@@ -401,18 +401,18 @@ name: lint
 
 steps:
 - name: prepare
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - mkdir -p build
   - cd build && cmake -DRUSTFLAGS="-D warnings" -DTEST_MODE=ON ..
 - name: check
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && make check
 - name: clippy
-  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+  image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
   commands:
   - . /root/.cargo/env
   - cd build && make CLP=1
@@ -427,24 +427,24 @@ node:
 
 # steps:
 # - name: prepare
-#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
 #   commands:
 #   - . /root/.cargo/env
 #   - mkdir -p build
 #   - cd build && cmake -DCMAKE_BUILD_TYPE=DEBUG -DCOV=ON -DTEST_MODE=ON ..
 # - name: check
-#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
 #   commands:
 #   - . /root/.cargo/env
 #   - cd build && make check
 # - name: compile
-#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
 #   commands:
 #   - . /root/.cargo/env
 #   - export RUSTFLAGS="-D warnings"
 #   - cd build && make VERBOSE=1 -j2
 # - name: test
-#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
 #   environment:
 #     AS_ALGO: sgx_epid
 #     AS_URL: https://api.trustedservices.intel.com:443
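Review bot: these `#`-commented pipeline steps (coverage, and the doc job further down) are being kept in sync with the live ones by hand, including this tag bump; if they are meant to come back, gating them with a `when:` condition keeps them parsed and validated with the rest of the file, otherwise dropping them avoids maintaining dead config.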
@@ -463,7 +463,7 @@ node:
 #   - cd build && make run-tests
 # - name: coverage
 #   failure: ignore
-#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
 #   commands:
 #   - cd build && make cov
 #   - bash -c "bash <(curl -s https://codecov.io/bash) -f intermediate/cov.info"
@@ -495,13 +495,13 @@ node:
 
 # steps:
 # - name: prepare
-#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
 #   commands:
 #   - . /root/.cargo/env
 #   - mkdir -p build
 #   - cd build && cmake ..
 # - name: doc
-#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:latest
+#   image: teaclave/teaclave-build-ubuntu-1804-sgx-2.9:0.1.0
 #   failure: ignore
 #   commands:
 #   - . /root/.cargo/env
diff --git a/docker/build.ubuntu-1804.sgx-2.9.Dockerfile b/docker/build.ubuntu-1804.sgx-2.9.Dockerfile
index c07d215..afd4d06 100644
--- a/docker/build.ubuntu-1804.sgx-2.9.Dockerfile
+++ b/docker/build.ubuntu-1804.sgx-2.9.Dockerfile
@@ -72,7 +72,10 @@ RUN apt-get update && apt-get install -q -y \
     procps \
     lcov \
     llvm \
-    curl
+    curl \
+    python3-pip
+
+RUN pip3 install pyopenssl toml cryptography
 
 # clean up apt caches
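Review bot: `RUN pip3 install pyopenssl toml cryptography` installs whatever versions PyPI serves at build time, which undoes the reproducibility gained by pinning the image tag in `.drone.yml` in this same commit and makes the image contents depend on the build date. Pin the three packages (`pip3 install pyopenssl==<ver> toml==<ver> cryptography==<ver>`), or install them from a requirements file with `--require-hashes`, so the dependencies the attestation check in `functional_tests.py` relies on are fixed and auditable; `--no-cache-dir` also keeps the pip cache out of the layer.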
 
diff --git a/docker/build.ubuntu-1804.sgx-dcap-1.5.Dockerfile b/docker/build.ubuntu-1804.sgx-dcap-1.5.Dockerfile
index 19d7cd8..bc719f9 100644
--- a/docker/build.ubuntu-1804.sgx-dcap-1.5.Dockerfile
+++ b/docker/build.ubuntu-1804.sgx-dcap-1.5.Dockerfile
@@ -74,7 +74,10 @@ RUN apt-get update && apt-get install -q -y \
     lcov \
     llvm \
     curl \
-    iproute2
+    iproute2 \
+    python3-pip
+
+RUN pip3 install pyopenssl toml cryptography
 
 # clean up apt caches
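Review bot: same point as for the sgx-2.9 Dockerfile: the `pip3 install` line is unpinned; pin versions or use a hashed requirements file so both build images carry identical, auditable Python dependencies.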
 




[incubator-teaclave] 01/03: [tests] Support attest endpoint in TLS in Python script

Posted by ms...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mssun pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git

commit 108823fa7e42cce209c44cfe162110509b7b107f
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Wed Apr 8 20:52:25 2020 -0700

    [tests] Support attest endpoint in TLS in Python script
---
 tests/scripts/functional_tests.py | 72 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 67 insertions(+), 5 deletions(-)

diff --git a/tests/scripts/functional_tests.py b/tests/scripts/functional_tests.py
index 9de5dfc..3a0ae14 100755
--- a/tests/scripts/functional_tests.py
+++ b/tests/scripts/functional_tests.py
@@ -5,10 +5,29 @@ import socket
 import struct
 import ssl
 import json
+import base64
+import toml
+import os
 
-hostname = 'localhost'
-authentication_service_address = (hostname, 7776)
-context = ssl._create_unverified_context()
+from cryptography import x509
+from cryptography.hazmat.backends import default_backend
+
+from OpenSSL.crypto import load_certificate, FILETYPE_PEM, FILETYPE_ASN1
+from OpenSSL.crypto import X509Store, X509StoreContext
+from OpenSSL import crypto
+
+HOSTNAME = 'localhost'
+AUTHENTICATION_SERVICE_ADDRESS = (HOSTNAME, 7776)
+CONTEXT = ssl._create_unverified_context()
+
+if os.environ.get('TEACLAVE_PROJECT_ROOT'):
+    IAS_ROOT_CA_CERT_PATH = os.environ['TEACLAVE_PROJECT_ROOT'] + \
+        "/keys/ias_root_ca_cert.pem"
+    ENCLAVE_INFO_PATH = os.environ['TEACLAVE_PROJECT_ROOT'] + \
+        "/release/tests/enclave_info.toml"
+else:
+    IAS_ROOT_CA_CERT_PATH = "../../keys/ias_root_ca_cert.pem"
+    ENCLAVE_INFO_PATH = "../../release/tests/enclave_info.toml"
 
 
 def write_message(sock, message):
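Review bot: `ssl._create_unverified_context()` (kept from the old code, now as `CONTEXT`) is a private CPython helper and disables both certificate and hostname verification; since the enclave's certificate is self-signed and trust is established by `verify_report` instead, that is intentional here, but it deserves a comment saying so, and the public equivalent (`ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT); ctx.check_hostname = False; ctx.verify_mode = ssl.CERT_NONE`) will survive a Python upgrade. Minor: the three `OpenSSL` imports can be collapsed into one, and the fallback paths `../../keys/...` assume the script is run from `tests/scripts`; resolving them against `os.path.dirname(__file__)` removes that assumption.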
@@ -24,11 +43,54 @@ def read_message(sock):
     return response
 
 
+def verify_report(cert, endpoint_name):
+    cert = x509.load_der_x509_certificate(cert, default_backend())
+    ext = json.loads(cert.extensions[0].value.value)
+
+    report = bytes(ext["report"])
+    signature = bytes(ext["signature"])
+    signing_cert = bytes(ext["signing_cert"])
+    signing_cert = load_certificate(FILETYPE_ASN1, signing_cert)
+
+    # verify signing cert with IAS root cert
+    with open(IAS_ROOT_CA_CERT_PATH) as f:
+        ias_root_ca_cert = f.read()
+    ias_root_ca_cert = load_certificate(FILETYPE_PEM, ias_root_ca_cert)
+    store = X509Store()
+    store.add_cert(ias_root_ca_cert)
+    store_ctx = X509StoreContext(store, signing_cert)
+    store_ctx.verify_certificate()
+
+    # verify report's signature
+    crypto.verify(signing_cert, signature, bytes(ext["report"]), 'sha256')
+
+    report = json.loads(report)
+    quote = report['isvEnclaveQuoteBody']
+    quote = base64.b64decode(quote)
+
+    # get mr_enclave and mr_signer from the quote
+    mr_enclave = quote[112:112+32].hex()
+    mr_signer = quote[176:176+32].hex()
+
+    # get enclave_info
+    enclave_info = toml.load(ENCLAVE_INFO_PATH)
+
+    # verify mr_enclave and mr_signer
+    enclave_name = "teaclave_" + endpoint_name + "_service"
+    if mr_enclave != enclave_info[enclave_name]["mr_enclave"]:
+        raise Exception("mr_enclave error")
+
+    if mr_signer != enclave_info[enclave_name]["mr_signer"]:
+        raise Exception("mr_signer error")
+
+
 class TestAuthenticationService(unittest.TestCase):
 
     def setUp(self):
-        sock = socket.create_connection(authentication_service_address)
-        self.socket = context.wrap_socket(sock, server_hostname=hostname)
+        sock = socket.create_connection(AUTHENTICATION_SERVICE_ADDRESS)
+        self.socket = CONTEXT.wrap_socket(sock, server_hostname=HOSTNAME)
+        cert = self.socket.getpeercert(binary_form=True)
+        verify_report(cert, "authentication")
 
     def tearDown(self):
         self.socket.close()
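Review bot: `verify_report` checks the signing certificate's chain, the report signature and `mr_enclave`/`mr_signer`, but it never binds the report to the TLS certificate it arrived in: nothing compares the quote's `report_data` field with a hash of the certificate's public key, so a genuine report for a Teaclave enclave presented inside a different certificate would still pass. It also ignores `isvEnclaveQuoteStatus`, so a report whose status is anything other than `OK` is accepted as long as the signature verifies. Two smaller points: `cert.extensions[0]` selects the report extension by position rather than by its OID, which will break silently if the enclave ever adds another extension, and the quote offsets `112` and `176` are magic numbers that deserve a comment naming the quote body fields they index.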




[incubator-teaclave] 03/03: [tests] Fix Python attestation function under DCAP and SW

Posted by ms...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

mssun pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git

commit 45aa8fb6804f540200fd4f4473b2129dc4b86518
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Wed Apr 8 21:47:37 2020 -0700

    [tests] Fix Python attestation function under DCAP and SW
---
 cmake/TeaclaveGenVars.cmake       |  1 +
 tests/scripts/functional_tests.py | 27 ++++++++++++++++++---------
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/cmake/TeaclaveGenVars.cmake b/cmake/TeaclaveGenVars.cmake
index d06df48..726b905 100644
--- a/cmake/TeaclaveGenVars.cmake
+++ b/cmake/TeaclaveGenVars.cmake
@@ -115,6 +115,7 @@ set(TEACLAVE_COMMON_ENVS
     TEACLAVE_SYMLINKS=${TEACLAVE_SYMLINKS}
     SGX_SDK=${SGX_SDK}
     SGX_MODE=${SGX_MODE}
+    DCAP=${DCAP}
     ENCLAVE_OUT_DIR=${ENCLAVE_OUT_DIR}
     RUSTUP_TOOLCHAIN=${RUSTUP_TOOLCHAIN}
     RUST_SGX_SDK=${RUST_SGX_SDK}
diff --git a/tests/scripts/functional_tests.py b/tests/scripts/functional_tests.py
index 3a0ae14..1cf4e2b 100755
--- a/tests/scripts/functional_tests.py
+++ b/tests/scripts/functional_tests.py
@@ -20,13 +20,18 @@ HOSTNAME = 'localhost'
 AUTHENTICATION_SERVICE_ADDRESS = (HOSTNAME, 7776)
 CONTEXT = ssl._create_unverified_context()
 
+if os.environ.get('DCAP'):
+    AS_ROOT_CERT_FILENAME = "dcap_root_ca_cert.pem"
+else:
+    AS_ROOT_CERT_FILENAME = "ias_root_ca_cert.pem"
+
 if os.environ.get('TEACLAVE_PROJECT_ROOT'):
-    IAS_ROOT_CA_CERT_PATH = os.environ['TEACLAVE_PROJECT_ROOT'] + \
-        "/keys/ias_root_ca_cert.pem"
+    AS_ROOT_CA_CERT_PATH = os.environ['TEACLAVE_PROJECT_ROOT'] + \
+        "/keys/" + AS_ROOT_CERT_FILENAME
     ENCLAVE_INFO_PATH = os.environ['TEACLAVE_PROJECT_ROOT'] + \
         "/release/tests/enclave_info.toml"
 else:
-    IAS_ROOT_CA_CERT_PATH = "../../keys/ias_root_ca_cert.pem"
+    AS_ROOT_CA_CERT_PATH = "../../keys/" + AS_ROOT_CERT_FILENAME
     ENCLAVE_INFO_PATH = "../../release/tests/enclave_info.toml"
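Review bot: `if os.environ.get('DCAP'):` tests for presence, not value. The companion change to `TeaclaveGenVars.cmake` exports `DCAP=${DCAP}` unconditionally, so if `DCAP` is a CMake option defaulting to OFF (the usual pattern) a non-DCAP build exports `DCAP=OFF`, a non-empty string that is truthy in Python, and the script would load `dcap_root_ca_cert.pem` for an EPID build. Compare explicitly, as the `SGX_MODE` check in the next hunk does: `if os.environ.get('DCAP') == 'ON':`.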
 
 
@@ -44,6 +49,9 @@ def read_message(sock):
 
 
 def verify_report(cert, endpoint_name):
+    if os.environ.get('SGX_MODE') == 'SW':
+        return
+
     cert = x509.load_der_x509_certificate(cert, default_backend())
     ext = json.loads(cert.extensions[0].value.value)
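Review bot: the early `return` for `SGX_MODE == 'SW'` skips the whole check silently, so a simulation-mode run reports the attestation path as passing without having exercised it. Consider still parsing the certificate and its extension in SW mode and skipping only the signature and measurement checks, or making the skip visible (a log line, or raising `unittest.SkipTest` from `setUp`) so CI output shows which mode was actually tested.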
 
@@ -52,13 +60,14 @@ def verify_report(cert, endpoint_name):
     signing_cert = bytes(ext["signing_cert"])
     signing_cert = load_certificate(FILETYPE_ASN1, signing_cert)
 
-    # verify signing cert with IAS root cert
-    with open(IAS_ROOT_CA_CERT_PATH) as f:
-        ias_root_ca_cert = f.read()
-    ias_root_ca_cert = load_certificate(FILETYPE_PEM, ias_root_ca_cert)
+    # verify signing cert with AS root cert
+    with open(AS_ROOT_CA_CERT_PATH) as f:
+        as_root_ca_cert = f.read()
+    as_root_ca_cert = load_certificate(FILETYPE_PEM, as_root_ca_cert)
     store = X509Store()
-    store.add_cert(ias_root_ca_cert)
-    store_ctx = X509StoreContext(store, signing_cert)
+    store.add_cert(as_root_ca_cert)
+    store.add_cert(signing_cert)
+    store_ctx = X509StoreContext(store, as_root_ca_cert)
     store_ctx.verify_certificate()
 
     # verify report's signature
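Review bot: the new chain check no longer verifies the signing certificate. With `store.add_cert(signing_cert)` the peer-supplied signing certificate becomes a trusted anchor, and `X509StoreContext(store, as_root_ca_cert).verify_certificate()` then validates the root CA against a store that already contains it, which succeeds for any root and any signing certificate. The `crypto.verify(signing_cert, ...)` call that follows therefore accepts a report signed by whatever certificate the peer embedded in `signing_cert`, so the attestation service's root of trust is effectively bypassed for both IAS and DCAP. Keep the previous shape, `X509StoreContext(store, signing_cert)` with only the root in the store; if that failed under DCAP, the commit message should say why (expired certificate, missing intermediate, key-usage flags) and the fix should target that cause, for example by adding the missing intermediate to the store or, for a self-signed DCAP signing certificate, comparing it byte-for-byte with the trusted root.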

