Posted to commits@teaclave.apache.org by ms...@apache.org on 2020/06/15 17:33:53 UTC

[incubator-teaclave] branch master updated: [cli] Add verify subcommand to verify enclave info signatures (#354)

This is an automated email from the ASF dual-hosted git repository.

mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git


The following commit(s) were added to refs/heads/master by this push:
     new a66758d  [cli] Add verify subcommand to verify enclave info signatures (#354)
a66758d is described below

commit a66758df9284650482aed6795d4cdef7624b8965
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Mon Jun 15 10:33:47 2020 -0700

    [cli] Add verify subcommand to verify enclave info signatures (#354)
---
 cli/Cargo.toml           |  2 ++
 cli/README.md            | 10 +++++++---
 cli/src/main.rs          | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 cmake/scripts/test.sh    |  6 ++++++
 examples/python/utils.py |  2 +-
 5 files changed, 63 insertions(+), 4 deletions(-)

diff --git a/cli/Cargo.toml b/cli/Cargo.toml
index 19eff35..afd8757 100644
--- a/cli/Cargo.toml
+++ b/cli/Cargo.toml
@@ -11,3 +11,5 @@ anyhow = { version = "1.0.26" }
 structopt = "0.3"
 teaclave_crypto = { path = "../crypto" }
 hex = { version = "0.4.0" }
+teaclave_types = { path = "../types" }
+pem = "0.7.0"
diff --git a/cli/README.md b/cli/README.md
index 31eaeb3..8ce913c 100644
--- a/cli/README.md
+++ b/cli/README.md
@@ -5,8 +5,12 @@ permalink: /cli
 # Teaclave Command Line Tool
 
 The Teaclave command line tool (`teaclave_cli`) provides utilities to
-interactive with the platform. The command line tool has several subcommands:
+interactive with the platform. The command line tool has several sub-commands:
 
-- encrypt/decrypt: These two subcommands are to encrypt/decrypt data used on the
-  platform. Supported algorithms include AES-GCM (128bit and 256 bit), and
+- `encrypt`/`decrypt`: These two subcommands are to encrypt/decrypt data used on
+  the platform. Supported algorithms include AES-GCM (128bit and 256 bit), and
   Teaclave File (128bit).
+- `verify`: Verify the signatures of the enclave info (which contains `MRSIGNER`
+  and `MRENCLAVE`) signed by auditors with their public keys. The enclave info
+  is used for remote attestation, Please verify it before connecting the
+  platform with the client SDK.
diff --git a/cli/src/main.rs b/cli/src/main.rs
index ff94e41..b38c3b2 100644
--- a/cli/src/main.rs
+++ b/cli/src/main.rs
@@ -60,6 +60,21 @@ struct EncryptDecryptOpt {
 }
 
 #[derive(Debug, StructOpt)]
+struct VerifyOpt {
+    /// Path of enclave info
+    #[structopt(short, long = "enclave-info")]
+    enclave_info: PathBuf,
+
+    /// Path of signatures
+    #[structopt(required = true, short, long)]
+    signatures: Vec<PathBuf>,
+
+    /// Path of auditor's public key
+    #[structopt(required = true, short, long = "public-keys")]
+    public_keys: Vec<PathBuf>,
+}
+
+#[derive(Debug, StructOpt)]
 enum Command {
     /// Encrypt file
     #[structopt(name = "encrypt")]
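Review bot: The help text on `VerifyOpt` undersells what the fields accept: `signatures` and `public_keys` are both `Vec<PathBuf>`, yet the doc comments read as if a single path is expected, and neither names the file format. Since `verify()` parses each key with `pem::parse`, the comments could say so, e.g. `/// Paths of auditors' public keys in PEM format (one or more)` and `/// Paths of signature files over the enclave info (one or more)`. It would also help to state whether the n-th signature must correspond to the n-th key, which this hunk does not show. The `Command` enum that follows continues outside the hunk.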
@@ -68,6 +83,10 @@ enum Command {
     /// Decrypt file
     #[structopt(name = "decrypt")]
     Decrypt(EncryptDecryptOpt),
+
+    /// Verify signatures of enclave info with auditors' public keys
+    #[structopt(name = "verify")]
+    Verify(VerifyOpt),
 }
 
 #[derive(Debug, StructOpt)]
@@ -142,6 +161,27 @@ fn encrypt(opt: EncryptDecryptOpt) -> Result<CMac> {
     Ok(cmac)
 }
 
+fn verify(opt: VerifyOpt) -> Result<bool> {
+    let enclave_info = fs::read(opt.enclave_info)?;
+    let mut public_keys = Vec::new();
+    let mut signatures = Vec::new();
+    for p in opt.public_keys {
+        let content = fs::read(p)?;
+        let pem = pem::parse(content).expect("Expect a valid PEM file");
+        public_keys.push(pem.contents);
+    }
+
+    for s in opt.signatures {
+        signatures.push(fs::read(s)?);
+    }
+
+    Ok(teaclave_types::EnclaveInfo::verify(
+        &enclave_info,
+        &public_keys,
+        &signatures,
+    ))
+}
+
 fn main() -> Result<()> {
     let args = Opt::from_args();
     match args.command {
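Review bot: `pem::parse(content).expect("Expect a valid PEM file")` in `verify` panics on a malformed key file even though the function already returns `Result` and the path comes straight from the command line; propagate it instead, e.g. `let pem = pem::parse(content).map_err(|e| anyhow::anyhow!("invalid PEM public key: {:?}", e))?;`. The loop also pushes `pem.contents` without looking at `pem.tag`, so any PEM-encoded blob is passed on as a key; rejecting tags other than the expected public-key label would give an earlier, clearer failure. How `EnclaveInfo::verify` pairs keys with signatures, and whether every auditor key must have a valid signature, is not visible here, so a doc comment on `verify` stating that contract would help users judge what a `true` result means.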
@@ -161,6 +201,13 @@ fn main() -> Result<()> {
                 println!("{}", cmac_string);
             }
         }
+        Command::Verify(opt) => match verify(opt) {
+            Ok(false) | Err(_) => bail!("Failed to verify signatures."),
+            Ok(true) => {
+                println!("Verify successfully.");
+                return Ok(());
+            }
+        },
     };
 
     Ok(())
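Review bot: The `Ok(false) | Err(_)` arm in the new `Command::Verify` branch throws away the underlying error, so an unreadable file and a genuine signature mismatch produce the same message. Keep the non-zero exit in both cases but surface the cause, e.g. `Ok(false) => bail!("Failed to verify signatures."),` and `Err(e) => return Err(e.context("Failed to verify signatures.")),` (assuming `Result` here is `anyhow::Result`, as the `bail!` use suggests). The `return Ok(());` after the success message is redundant, since the match falls through to the trailing `Ok(())`. The body of `main` starts outside this hunk.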
diff --git a/cmake/scripts/test.sh b/cmake/scripts/test.sh
index f437d02..316e612 100755
--- a/cmake/scripts/test.sh
+++ b/cmake/scripts/test.sh
@@ -138,6 +138,12 @@ run_examples() {
 
   echo_title "examples"
   mkdir -p /tmp/fusion_data
+  pushd ${TEACLAVE_CLI_INSTALL_DIR}
+  ./teaclave_cli verify \
+                 --enclave-info ../examples/enclave_info.toml \
+                 --public-keys $(find ../examples -name "*.public.pem") \
+                 --signatures $(find ../examples -name "*.sign.sha256")
+  popd
   pushd ${TEACLAVE_SERVICE_INSTALL_DIR}
   ./teaclave_authentication_service &
   ./teaclave_storage_service &
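Review bot: The added `teaclave_cli verify` call in `run_examples` only exercises the success path, so a `verify` that accepted everything would still pass this test. Add a negative case that runs the same command against a modified copy of `enclave_info.toml` and asserts a non-zero exit status. The two unquoted `$(find ...)` substitutions also give no ordering guarantee and expand to nothing when no file matches; if keys and signatures are matched by position (not visible here), the order should be fixed, for example by piping each `find` through `sort`. Whether a failing `verify` aborts the script depends on a `set -e` outside this hunk, and `${TEACLAVE_CLI_INSTALL_DIR}` would be safer quoted.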
diff --git a/examples/python/utils.py b/examples/python/utils.py
index ee085de..dd01766 100644
--- a/examples/python/utils.py
+++ b/examples/python/utils.py
@@ -19,4 +19,4 @@ if os.environ.get('TEACLAVE_PROJECT_ROOT'):
         "/release/tests/enclave_info.toml"
 else:
     AS_ROOT_CA_CERT_PATH = "../../keys/" + AS_ROOT_CERT_FILENAME
-    ENCLAVE_INFO_PATH = "../../release/tests/enclave_info.toml"
+    ENCLAVE_INFO_PATH = "../../release/examples/enclave_info.toml"

