From 24ca8551a7803dc09eb9982167331c2ea9e3128a Mon Sep 17 00:00:00 2001 From: Leon Date: Tue, 24 May 2022 12:00:52 +0200 Subject: [PATCH 01/14] Add Idscp2 Connection Listener to retrieve peer information on new connections --- .../aisec/ids/camel/idscp2/ListenerManager.kt | 27 +++++++++++++++++ .../idscp2/client/Idscp2ClientEndpoint.kt | 3 ++ .../idscp2/listeners/ConnectionListener.kt | 29 +++++++++++++++++++ .../idscp2/server/Idscp2ServerEndpoint.kt | 3 ++ .../tlsv1_3/client/TLSClient.kt | 6 ++++ .../tlsv1_3/server/TLSServerThread.kt | 6 ++++ .../api/idscp_connection/Idscp2Connection.kt | 2 ++ .../idscp_connection/Idscp2ConnectionImpl.kt | 4 +++ .../drivers/SecureChannelEndpoint.kt | 5 ++++ .../aisec/ids/idscp2/idscp_core/fsm/FSM.kt | 4 +++ .../secure_channel/SecureChannel.kt | 4 +++ 11 files changed, 93 insertions(+) create mode 100644 camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/listeners/ConnectionListener.kt diff --git a/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/ListenerManager.kt b/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/ListenerManager.kt index ac63c17..6dfeb14 100644 --- a/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/ListenerManager.kt +++ b/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/ListenerManager.kt 
@@ -19,15 +19,20 @@ */ package de.fhg.aisec.ids.camel.idscp2 +import de.fhg.aisec.ids.camel.idscp2.client.Idscp2ClientEndpoint +import de.fhg.aisec.ids.camel.idscp2.listeners.ConnectionListener import de.fhg.aisec.ids.camel.idscp2.listeners.ExchangeListener import de.fhg.aisec.ids.camel.idscp2.listeners.TransferContractListener +import de.fhg.aisec.ids.camel.idscp2.server.Idscp2ServerEndpoint import de.fhg.aisec.ids.idscp2.app_layer.AppLayerConnection import org.apache.camel.Exchange +import org.apache.camel.support.DefaultEndpoint import java.net.URI object ListenerManager { private val exchangeListeners = HashSet() private val transferContractListeners = HashSet() + private val connectionListeners = HashSet() fun addExchangeListener(listener: ExchangeListener) { exchangeListeners += listener @@ -37,6 +42,10 @@ object ListenerManager { transferContractListeners += listener } + fun addConnectionListener(listener: ConnectionListener) { + connectionListeners += listener + } + fun removeExchangeListener(listener: ExchangeListener) { exchangeListeners -= listener } @@ -45,6 +54,10 @@ object ListenerManager { transferContractListeners -= listener } + fun removeConnectionListener(listener: ConnectionListener) { + connectionListeners -= listener + } + fun publishExchangeEvent(connection: AppLayerConnection, exchange: Exchange) { exchangeListeners.forEach { it.onExchange(connection, exchange) } } 
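Review bot: `connectionListeners` is a plain `HashSet` on a singleton `object`, and `publishConnectionEvent` (added in the last hunk of this file) iterates it with `forEach` while `addConnectionListener` and `removeConnectionListener` can mutate it. If endpoints publish from connection threads, which the call sites suggest but this hunk does not show, a concurrent add or remove can throw `ConcurrentModificationException` during connection setup. Consider `private val connectionListeners = java.util.concurrent.CopyOnWriteArraySet<ConnectionListener>()`. The two existing listener sets follow the same pattern and would benefit from the same change.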
@@ -52,4 +65,18 @@ object ListenerManager { fun publishTransferContractEvent(connection: AppLayerConnection, contract: URI?) { transferContractListeners.forEach { it.onTransferContractChange(connection, contract) } } + + fun publishConnectionEvent(connection: AppLayerConnection, endpoint: DefaultEndpoint) { + when (endpoint) { + is Idscp2ClientEndpoint -> { + connectionListeners.forEach { it.onClientConnection(connection, endpoint) } + } + is Idscp2ServerEndpoint -> { + connectionListeners.forEach { it.onServerConnection(connection, endpoint) } + } + else -> { + // nothing to do + } + } + } } diff --git a/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/client/Idscp2ClientEndpoint.kt b/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/client/Idscp2ClientEndpoint.kt index 46c7ebb..54cfeb0 100644 --- a/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/client/Idscp2ClientEndpoint.kt +++ b/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/client/Idscp2ClientEndpoint.kt @@ -166,6 +166,9 @@ class Idscp2ClientEndpoint(uri: String?, private val remaining: String, componen header?.let { ListenerManager.publishTransferContractEvent(connection, it.transferContract) } } } + // notify connection listeners + + ListenerManager.publishConnectionEvent(c, this) c } } diff --git a/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/listeners/ConnectionListener.kt b/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/listeners/ConnectionListener.kt new file mode 100644 index 0000000..6d854df --- /dev/null +++ b/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/listeners/ConnectionListener.kt 
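Review bot: The `else` branch of `publishConnectionEvent` silently discards the event, so a caller passing any other `DefaultEndpoint` subtype gets neither a notification nor a diagnostic. Only the two IDSCP2 endpoints call it in this patch, so two overloads taking `endpoint: Idscp2ClientEndpoint` and `endpoint: Idscp2ServerEndpoint` would make the dispatch compile-time checked and drop the `DefaultEndpoint` import. Separately, a listener that throws stops the `forEach`, so later listeners are skipped and the exception reaches the endpoint's connection setup. If listeners are third-party code, catch and log per listener.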
@@ -0,0 +1,29 @@ +/*- + * ========================LICENSE_START================================= + * camel-idscp2 + * %% + * Copyright (C) 2021 Fraunhofer AISEC + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * =========================LICENSE_END================================== + */ +package de.fhg.aisec.ids.camel.idscp2.listeners + +import de.fhg.aisec.ids.camel.idscp2.client.Idscp2ClientEndpoint +import de.fhg.aisec.ids.camel.idscp2.server.Idscp2ServerEndpoint +import de.fhg.aisec.ids.idscp2.app_layer.AppLayerConnection + +interface ConnectionListener { + fun onClientConnection(connection: AppLayerConnection, endpoint: Idscp2ClientEndpoint) + fun onServerConnection(connection: AppLayerConnection, endpoint: Idscp2ServerEndpoint) +} diff --git a/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/server/Idscp2ServerEndpoint.kt b/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/server/Idscp2ServerEndpoint.kt index 7b8c7f1..3b2e357 100644 --- a/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/server/Idscp2ServerEndpoint.kt +++ b/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/server/Idscp2ServerEndpoint.kt @@ -21,6 +21,7 @@ package de.fhg.aisec.ids.camel.idscp2.server +import de.fhg.aisec.ids.camel.idscp2.ListenerManager import de.fhg.aisec.ids.camel.idscp2.Utils import de.fhg.aisec.ids.idscp2.app_layer.AppLayerConnection import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriver 
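Review bot: `ConnectionListener` is a new public interface with no KDoc, so implementers cannot tell when the callbacks fire or what they may rely on. I would add a KDoc on the interface saying that both callbacks are invoked synchronously from `ListenerManager.publishConnectionEvent` on the calling endpoint's thread, with a `@param` line each for `connection` and `endpoint`. It should also say that peer information read from the connection at this point, such as `remotePeer()`, is a transport address and not an authenticated identity. Giving both methods empty default bodies, e.g. `fun onServerConnection(connection: AppLayerConnection, endpoint: Idscp2ServerEndpoint) {}`, would let an implementer override only the side it needs.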
@@ -187,6 +188,8 @@ class Idscp2ServerEndpoint(uri: String?, private val remaining: String, componen } else { consumers.forEach { connection.addGenericMessageListener(it) } } + // notify connection listeners + ListenerManager.publishConnectionEvent(connection, this) // Handle connection errors and closing connection.addConnectionListener(object : Idscp2ConnectionListener { override fun onError(t: Throwable) { diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/secure_channel/tlsv1_3/client/TLSClient.kt b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/secure_channel/tlsv1_3/client/TLSClient.kt index 0360018..7afec06 100644 --- a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/secure_channel/tlsv1_3/client/TLSClient.kt +++ b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/secure_channel/tlsv1_3/client/TLSClient.kt @@ -63,6 +63,7 @@ class TLSClient( private var dataOutputStream: DataOutputStream? = null private lateinit var inputListenerThread: InputListenerThread private val listenerPromise = CompletableFuture() + private var remotePeer = "NotConnected" /** * Connect to TLS server and start TLS Handshake. When an exception is thrown @@ -175,6 +176,10 @@ class TLSClient( override val isConnected: Boolean get() = clientSocket.isConnected + override fun remotePeer(): String { + return remotePeer + } + override fun handshakeCompleted(handshakeCompletedEvent: HandshakeCompletedEvent) { // start receiving listener after TLS Handshake was successful if (LOG.isTraceEnabled) { @@ -205,6 +210,7 @@ class TLSClient( if (LOG.isTraceEnabled) { LOG.trace("TLS session is valid") } + remotePeer = "${sslSession.peerHost}:${sslSession.peerPort}" // Create secure channel, register secure channel as message listener and notify IDSCP2 Configuration val secureChannel = SecureChannel(this, peerCert) 
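Review bot: `ListenerManager.publishConnectionEvent(connection, this)` runs before `connection.addConnectionListener(...)` registers the error and close handler, so an exception from a user-supplied `ConnectionListener` would leave this callback before the cleanup handler is attached. Moving the publish call below the `addConnectionListener` block, or wrapping it in a `try`/`catch` that logs and continues, keeps a faulty listener from affecting connection bookkeeping. The enclosing function starts and ends outside the hunk, so what the handler cleans up is not visible here.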
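Review bot: In `TLSClient`, `remotePeer` is a plain `var` that is assigned in `handshakeCompleted` (last hunk of this file) and read through `remotePeer()`, which the FSM and the connection API call. If those run on different threads, as a handshake callback usually does, the write is not guaranteed to be visible to the reader. `@Volatile private var remotePeer = "NotConnected"` fixes that cheaply, and the same applies to the field added to `TLSServerThread`. The `"NotConnected"` sentinel is also easy to mistake for a real value by callers that expect `host:port`, so it should be documented on `SecureChannelEndpoint.remotePeer()`.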
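Review bot: `remotePeer` in `TLSClient.handshakeCompleted` is built from `sslSession.peerHost` and `sslSession.peerPort`, which the JSSE documentation describes as unauthenticated hints. On the client side it is typically the host string the socket was opened with, not a name checked against the certificate. Since this commit hands the value to `ConnectionListener` implementations as peer information, the KDoc on `remotePeer()` should say it is a transport address for logging and diagnostics only, and that authorization must use the verified peer certificate or DAT. An IPv6 literal in `peerHost` also makes the `host:port` string ambiguous, so bracket it or expose host and port separately. The same assignment is added to `TLSServerThread` in the next file.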
diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/secure_channel/tlsv1_3/server/TLSServerThread.kt b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/secure_channel/tlsv1_3/server/TLSServerThread.kt index bd79db2..c96a198 100644 --- a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/secure_channel/tlsv1_3/server/TLSServerThread.kt +++ b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/secure_channel/tlsv1_3/server/TLSServerThread.kt @@ -66,6 +66,7 @@ class TLSServerThread internal constructor( private val out: DataOutputStream private val listenerPromise = CompletableFuture() private val tlsVerificationLatch = FastLatch() + private var remotePeer = "NotConnected" override fun run() { // first run the tls handshake to enforce catching every error occurred during the handshake @@ -154,6 +155,10 @@ class TLSServerThread internal constructor( override val isConnected: Boolean get() = sslSocket.isConnected + override fun remotePeer(): String { + TODO("Not yet implemented") + } + override fun handshakeCompleted(handshakeCompletedEvent: HandshakeCompletedEvent) { if (LOG.isTraceEnabled) { LOG.trace("TLS Handshake was successful") @@ -178,6 +183,7 @@ class TLSServerThread internal constructor( if (LOG.isTraceEnabled) { LOG.trace("TLS session is valid") } + remotePeer = "${sslSession.peerHost}:${sslSession.peerPort}" // provide secure channel to IDSCP2 Config and register secure channel as listener val secureChannel = SecureChannel(this, peerCert) diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/api/idscp_connection/Idscp2Connection.kt b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/api/idscp_connection/Idscp2Connection.kt index de9dc54..c2884cd 100644 --- a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/api/idscp_connection/Idscp2Connection.kt +++ b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/api/idscp_connection/Idscp2Connection.kt 
@@ -70,6 +70,8 @@ interface Idscp2Connection { fun onClose() + fun remotePeer(): String + /** * Check if the idscp connection is currently established * diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/api/idscp_connection/Idscp2ConnectionImpl.kt b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/api/idscp_connection/Idscp2ConnectionImpl.kt index 623073c..966a79c 100644 --- a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/api/idscp_connection/Idscp2ConnectionImpl.kt +++ b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/api/idscp_connection/Idscp2ConnectionImpl.kt @@ -193,6 +193,10 @@ class Idscp2ConnectionImpl( connectionListeners.forEach { l: Idscp2ConnectionListener -> l.onClose() } } + override fun remotePeer(): String { + return fsm.remotePeer() + } + /** * Check if the idscp connection is currently established * diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/drivers/SecureChannelEndpoint.kt b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/drivers/SecureChannelEndpoint.kt index 8756bbd..bd1451e 100644 --- a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/drivers/SecureChannelEndpoint.kt +++ b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/drivers/SecureChannelEndpoint.kt @@ -53,4 +53,9 @@ interface SecureChannelEndpoint { * check if the endpoint is connected */ val isConnected: Boolean + + /** + * The connected remote peer + */ + fun remotePeer(): String } diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/fsm/FSM.kt b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/fsm/FSM.kt index 6297728..1697967 100644 --- a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/fsm/FSM.kt +++ b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/fsm/FSM.kt 
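Review bot: `fun remotePeer(): String` is added to the public `Idscp2Connection` interface with no KDoc and no default body, and `SecureChannelEndpoint` gains the same abstract member two files later, so any implementation outside this repository stops compiling. If external secure-channel drivers are supported, give the `SecureChannelEndpoint` member a default such as `fun remotePeer(): String = "NotConnected"`. The existing one-line KDoc "The connected remote peer" states neither format nor trust level; I would use `/** Transport address of the peer as "host:port", or "NotConnected" before the handshake; not authenticated. */` on both interfaces.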
@@ -189,6 +189,10 @@ class FSM( this.peerDat = dat } + fun remotePeer(): String { + return secureChannel.remotePeer() + } + private fun checkForFsmCycles() { // check if current thread holds already the fsm lock, then we have a circle // this runs into an issue: onControlMessage must be called only from other threads! diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/secure_channel/SecureChannel.kt b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/secure_channel/SecureChannel.kt index 58245e7..da2851d 100644 --- a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/secure_channel/SecureChannel.kt +++ b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/idscp_core/secure_channel/SecureChannel.kt @@ -45,6 +45,10 @@ class SecureChannel(private val endpoint: SecureChannelEndpoint, private val pee endpoint.close() } + fun remotePeer(): String { + return endpoint.remotePeer() + } + /* * Send data via the secure channel endpoint to the peer connector * From 7889794984a507410fdb79052f7970dc61e6da88 Mon Sep 17 00:00:00 2001 From: Leon Date: Tue, 24 May 2022 12:11:25 +0200 Subject: [PATCH 02/14] Add missing TlsServerThread.remotePeer() impl --- .../secure_channel/tlsv1_3/server/TLSServerThread.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/secure_channel/tlsv1_3/server/TLSServerThread.kt b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/secure_channel/tlsv1_3/server/TLSServerThread.kt index c96a198..aa6a612 100644 --- a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/secure_channel/tlsv1_3/server/TLSServerThread.kt +++ b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/secure_channel/tlsv1_3/server/TLSServerThread.kt 
@@ -156,7 +156,7 @@ class TLSServerThread internal constructor( get() = sslSocket.isConnected override fun remotePeer(): String { - TODO("Not yet implemented") + return remotePeer } override fun handshakeCompleted(handshakeCompletedEvent: HandshakeCompletedEvent) { From e90db5c41521de96ce6de35db2c4201b264dd98e Mon Sep 17 00:00:00 2001 From: Michael Lux Date: Wed, 25 May 2022 10:29:47 +0200 Subject: [PATCH 03/14] Native Image Demo --- build.gradle.kts | 29 +++++++++ idscp2-examples/build.gradle.kts | 22 ++++++- .../idscp2/example/Idscp2ClientInitiator.kt | 6 +- .../idscp2/example/Idscp2ServerInitiator.kt | 6 +- .../aisec/ids/idscp2/example/RunTLSClient.kt | 40 +++++++------ .../aisec/ids/idscp2/example/RunTLSServer.kt | 15 +++-- .../src/main/resources/reflect-config.json | 60 +++++++++++++++++++ .../src/main/resources/resource-config.json | 13 ++++ settings.gradle.kts | 7 +++ 9 files changed, 166 insertions(+), 32 deletions(-) create mode 100644 idscp2-examples/src/main/resources/reflect-config.json create mode 100644 idscp2-examples/src/main/resources/resource-config.json diff --git a/build.gradle.kts b/build.gradle.kts index 429bd8b..1b41754 100644 --- a/build.gradle.kts +++ b/build.gradle.kts 
@@ -84,6 +84,35 @@ subprojects { // Needed for kotlin modules, provided at runtime via kotlin-osgi-bundle in karaf-features-ids api("org.jetbrains.kotlin", "kotlin-stdlib-jdk8", libraryVersions["kotlin"]) + + // Some versions are downgraded for unknown reasons, fix this here + val groupPins = mapOf( + "org.jetbrains.kotlin" to mapOf( + "*" to "kotlin" + ) + ) + // We need to explicitly specify the kotlin version for all kotlin dependencies, + // because otherwise something (maybe a plugin) downgrades the kotlin version, + // which produces errors in the kotlin compiler. This is really nasty. + configurations.all { + resolutionStrategy.eachDependency { + groupPins[requested.group]?.let { pins -> + pins["*"]?.let { + // Pin all names when asterisk is set + useVersion( + libraryVersions[it] + ?: throw RuntimeException("Key \"$it\" not set in libraryVersions.yaml") + ) + } ?: pins[requested.name]?.let { pin -> + // Pin only for specific names given in map + useVersion( + libraryVersions[pin] + ?: throw RuntimeException("Key \"$pin\" not set in libraryVersions.yaml") + ) + } + } + } + } } tasks.withType { diff --git a/idscp2-examples/build.gradle.kts b/idscp2-examples/build.gradle.kts index 786a193..71fb119 100644 --- a/idscp2-examples/build.gradle.kts +++ b/idscp2-examples/build.gradle.kts @@ -1,5 +1,6 @@ plugins { application + id("org.graalvm.buildtools.native") version "0.9.11" } @Suppress("UNCHECKED_CAST") 
@@ -20,6 +21,25 @@ dependencies { application { mainClass.set( findProperty("mainClass")?.toString() - ?: "de.fhg.aisec.ids.idscp2.example.RunTLSServer" + ?: "de.fhg.aisec.ids.idscp2.example.RunTLSClient" ) } + +graalvmNative { + binaries { + named("main") { + imageName.set("idscp2-native") + mainClass.set( + findProperty("mainNativeClass")?.toString() + ?: "de.fhg.aisec.ids.idscp2.example.RunTLSClient" + ) + runtimeArgs.add("--report-unsupported-elements-at-runtime") + buildArgs.add("-H:ReflectionConfigurationFiles=../../../src/main/resources/reflect-config.json") + buildArgs.add("-H:ResourceConfigurationFiles=../../../src/main/resources/resource-config.json") +// buildArgs.add("-Ob") // Enables quick build, DISABLE THIS FOR PRODUCTION! +// verbose.set(true) +// debug.set(true) +// agent.set(true) + } + } +} diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ClientInitiator.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ClientInitiator.kt index 82f88ba..a12d2ee 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ClientInitiator.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ClientInitiator.kt @@ -21,6 +21,8 @@ package de.fhg.aisec.ids.idscp2.example import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.demo.DemoRaProver import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.demo.DemoRaVerifier +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaProverDummy2 +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaVerifierDummy2 import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTLSDriver import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTlsConfiguration import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.Idscp2Configuration 
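Review bot: `runtimeArgs.add("--report-unsupported-elements-at-runtime")` passes a native-image builder option as an argument to the built program, where it has no effect on the image; it belongs in `buildArgs.add("--report-unsupported-elements-at-runtime")`. The two `-H:...ConfigurationFiles=../../../src/main/resources/...` paths depend on the directory the builder runs in. Placing both JSON files under `src/main/resources/META-INF/native-image/` lets native-image pick them up without path arguments. This hunk also flips the default `mainClass` of the `application` block from `RunTLSServer` to `RunTLSClient`, which changes what `gradle run` starts and is not mentioned in the commit message. The commented-out `-Ob`, `verbose`, `debug` and `agent` lines should be removed or turned into documented project properties.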
@@ -41,11 +43,11 @@ class Idscp2ClientInitiator { // register ra drivers RaProverDriverRegistry.registerDriver( - DemoRaProver.DEMO_RA_PROVER_ID, ::DemoRaProver, null + RaProverDummy2.RA_PROVER_DUMMY2_ID, ::RaProverDummy2, null ) RaVerifierDriverRegistry.registerDriver( - DemoRaVerifier.DEMO_RA_VERIFIER_ID, ::DemoRaVerifier, null + RaVerifierDummy2.RA_VERIFIER_DUMMY2_ID, ::RaVerifierDummy2, null ) // connect to idscp2 server diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ServerInitiator.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ServerInitiator.kt index 0a8a375..8992518 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ServerInitiator.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ServerInitiator.kt @@ -21,6 +21,8 @@ package de.fhg.aisec.ids.idscp2.example import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.demo.DemoRaProver import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.demo.DemoRaVerifier +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaProverDummy2 +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaVerifierDummy2 import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTLSDriver import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTlsConfiguration import de.fhg.aisec.ids.idscp2.idscp_core.api.Idscp2EndpointListener @@ -42,11 +44,11 @@ class Idscp2ServerInitiator : Idscp2EndpointListener { // register ra drivers RaProverDriverRegistry.registerDriver( - DemoRaProver.DEMO_RA_PROVER_ID, ::DemoRaProver, null + RaProverDummy2.RA_PROVER_DUMMY2_ID, ::RaProverDummy2, null ) RaVerifierDriverRegistry.registerDriver( - DemoRaVerifier.DEMO_RA_VERIFIER_ID, ::DemoRaVerifier, null + RaVerifierDummy2.RA_VERIFIER_DUMMY2_ID, ::RaVerifierDummy2, null ) // create server config 
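Review bot: The registration in `Idscp2ClientInitiator` now uses `RaProverDummy2` and `RaVerifierDummy2`, but the import hunk before it keeps `DemoRaProver` and `DemoRaVerifier`, which the visible lines no longer reference. The same happens in `Idscp2ServerInitiator`, so drop the two unused imports in each file. Example code tends to be copied, so I would add a comment above the registration such as `// Dummy RA drivers for the native-image demo only; use a real attestation driver in deployments`. Judging by their names these drivers do not perform real remote attestation, though their implementation is not part of this patch.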
diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt index f7e4be7..a9923dd 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt 
@@ -23,35 +23,38 @@ import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriver import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriverConfig import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.SecurityProfile import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.SecurityRequirements -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.demo.DemoRaProver -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.demo.DemoRaVerifier +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaProverDummy2 +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaVerifierDummy2 import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTlsConfiguration import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.AttestationConfig import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.Idscp2Configuration import java.nio.file.Paths -import java.util.Objects object RunTLSClient { @JvmStatic fun main(args: Array) { - val keyStorePath = Paths.get( - Objects.requireNonNull( - RunTLSClient::class.java.classLoader - .getResource("ssl/consumer-keystore.p12") - ).path - ) +// val keyStorePath = Paths.get( +// Objects.requireNonNull( +// RunTLSClient::class.java.classLoader +// .getResource("ssl/localhost.p12") +// ).path +// ) +// +// val trustStorePath = Paths.get( +// Objects.requireNonNull( +// RunTLSClient::class.java.classLoader +// .getResource("ssl/truststore.p12") +// ).path +// ) - val trustStorePath = Paths.get( - Objects.requireNonNull( - RunTLSClient::class.java.classLoader - .getResource("ssl/truststore.p12") - ).path - ) + val keyStorePath = Paths.get("src/main/resources/ssl/localhost.p12") + + val trustStorePath = Paths.get("src/main/resources/ssl/truststore.p12") val localAttestationConfig = AttestationConfig.Builder() - .setSupportedRaSuite(arrayOf(DemoRaProver.DEMO_RA_PROVER_ID)) - 
.setExpectedRaSuite(arrayOf(DemoRaVerifier.DEMO_RA_VERIFIER_ID)) + .setSupportedRaSuite(arrayOf(RaProverDummy2.RA_PROVER_DUMMY2_ID)) + .setExpectedRaSuite(arrayOf(RaVerifierDummy2.RA_VERIFIER_DUMMY2_ID)) .setRaTimeoutDelay(300 * 1000L) // 300 seconds .build() @@ -64,7 +67,7 @@ object RunTLSClient { AisecDapsDriverConfig.Builder() .setKeyStorePath(keyStorePath) .setTrustStorePath(trustStorePath) - .setDapsUrl("https://daps-dev.aisec.fraunhofer.de") + .setDapsUrl("https://daps.aisec.fraunhofer.de") .setSecurityRequirements(securityRequirements) .build() ) @@ -82,7 +85,6 @@ object RunTLSClient { .setKeyStorePath(keyStorePath) .setTrustStorePath(trustStorePath) .setCertificateAlias("1.0.1") - .setHost("provider-core") .build() val initiator = Idscp2ClientInitiator() diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt index 52acf7f..08cb52e 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt 
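Review bot: `Paths.get("src/main/resources/ssl/localhost.p12")` resolves against the process working directory, so `RunTLSClient` only finds its key store and trust store when started from the `idscp2-examples` directory. Anywhere else it fails later with a less obvious error. Taking the paths from the command line with the current values as fallback, e.g. `Paths.get(args.getOrElse(0) { "src/main/resources/ssl/localhost.p12" })`, keeps the demo working and makes the dependency explicit. The block of commented-out class-loader code should be deleted rather than committed. If it is kept as a hint, it needs one line saying why resource lookup was dropped, which is presumably native-image resource handling.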
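Review bot: `setDapsUrl` now points the example at `https://daps.aisec.fraunhofer.de` instead of the `daps-dev` host, in the same commit that switches the example to dummy RA drivers and a `localhost.p12` key store. If that host is the production DAPS, which the name suggests but the page does not say, a demo should not default to it. Keep the dev URL or read the URL from a property, with a comment naming the intended environment. `RunTLSServer` receives the same change.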
@@ -23,13 +23,13 @@ import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriver import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriverConfig import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.SecurityProfile import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.SecurityRequirements -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.demo.DemoRaProver -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.demo.DemoRaVerifier +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaProverDummy2 +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaVerifierDummy2 import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTlsConfiguration import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.AttestationConfig import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.Idscp2Configuration import java.nio.file.Paths -import java.util.Objects +import java.util.* object RunTLSServer { @JvmStatic @@ -38,7 +38,7 @@ object RunTLSServer { val keyStorePath = Paths.get( Objects.requireNonNull( RunTLSServer::class.java.classLoader - .getResource("ssl/provider-keystore.p12") + .getResource("ssl/localhost.p12") ).path ) @@ -50,8 +50,8 @@ object RunTLSServer { ) val localAttestationConfig = AttestationConfig.Builder() - .setSupportedRaSuite(arrayOf(DemoRaProver.DEMO_RA_PROVER_ID)) - .setExpectedRaSuite(arrayOf(DemoRaVerifier.DEMO_RA_VERIFIER_ID)) + .setSupportedRaSuite(arrayOf(RaProverDummy2.RA_PROVER_DUMMY2_ID)) + .setExpectedRaSuite(arrayOf(RaVerifierDummy2.RA_VERIFIER_DUMMY2_ID)) .setRaTimeoutDelay(300 * 1000L) // 300 seconds .build() @@ -64,7 +64,7 @@ object RunTLSServer { AisecDapsDriverConfig.Builder() .setKeyStorePath(keyStorePath) .setTrustStorePath(trustStorePath) - .setDapsUrl("https://daps-dev.aisec.fraunhofer.de") + .setDapsUrl("https://daps.aisec.fraunhofer.de") .setSecurityRequirements(securityRequirements) .build() ) 
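Review bot: `import java.util.*` replaces the explicit `import java.util.Objects`, although `Objects` is the only `java.util` name used in the visible hunks of `RunTLSServer`. Keep `import java.util.Objects`, since wildcard imports are usually rejected by ktlint and hide which names the file depends on. The server also still loads `ssl/localhost.p12` through `classLoader.getResource(...).path` while `RunTLSClient` was moved to file-system paths in this commit, so the two examples now locate the same key store in different ways.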
@@ -78,7 +78,6 @@ object RunTLSServer { .setKeyStorePath(keyStorePath) .setTrustStorePath(trustStorePath) .setCertificateAlias("1.0.1") - .setHost("consumer-core") .build() val initiator = Idscp2ServerInitiator() diff --git a/idscp2-examples/src/main/resources/reflect-config.json b/idscp2-examples/src/main/resources/reflect-config.json new file mode 100644 index 0000000..6581e8a --- /dev/null +++ b/idscp2-examples/src/main/resources/reflect-config.json @@ -0,0 +1,60 @@ +[ + { + "name": "kotlin.reflect.jvm.internal.ReflectionFactoryImpl", + "allDeclaredConstructors": true + }, + { + "name": "kotlin.KotlinVersion", + "allPublicMethods": true, + "allDeclaredFields": true, + "allDeclaredMethods": true, + "allDeclaredConstructors": true + }, + { + "name": "kotlin.KotlinVersion[]" + }, + { + "name": "kotlin.KotlinVersion$Companion" + }, + { + "name": "kotlin.KotlinVersion$Companion[]" + }, + { + "name": "com.fasterxml.jackson.databind.ext.Java7SupportImpl", + "methods": [ + { + "name": "", + "parameterTypes": [] + } + ] + }, + { + "name": "io.jsonwebtoken.impl.DefaultJwtBuilder", + "methods": [ + { + "name": "", + "parameterTypes": [] + } + ] + }, + { + "name": "io.ktor.utils.io.pool.DefaultPool", + "fields": [ + { + "name": "top" + } + ] + }, + { + "name": "kotlin.internal.jdk8.JDK8PlatformImplementations", + "methods": [ + { + "name": "", + "parameterTypes": [] + } + ] + } +] + + + diff --git a/idscp2-examples/src/main/resources/resource-config.json b/idscp2-examples/src/main/resources/resource-config.json new file mode 100644 index 0000000..faf2a5c --- /dev/null +++ b/idscp2-examples/src/main/resources/resource-config.json @@ -0,0 +1,13 @@ +{ + "resources": [ + { + "pattern": "META-INF/.*.kotlin_module$" + }, + { + "pattern": "META-INF/services/.*" + }, + { + "pattern": ".*.kotlin_builtins" + } + ] +} \ No newline at end of file diff --git a/settings.gradle.kts b/settings.gradle.kts index d323bcc..caf64aa 100644 --- a/settings.gradle.kts +++ b/settings.gradle.kts 
@@ -1,5 +1,12 @@ rootProject.name = "idscp2-jvm" +pluginManagement { + repositories { + mavenCentral() + gradlePluginPortal() + } +} + include("idscp2") include("idscp2-examples") include("idscp2-app-layer") From 50cf50aeb17aff806783c09a0f887ddf138351fd Mon Sep 17 00:00:00 2001 From: Andrei-Cosmin Aprodu Date: Tue, 31 Jan 2023 15:26:34 +0000 Subject: [PATCH 04/14] Finalize proof-of-concept for SGX remote attestation through Gramine --- .gitignore | 10 ++ Makefile | 44 ++++++ idscp2-examples/build.gradle.kts | 13 +- .../idscp2/example/Idscp2ClientInitiator.kt | 10 +- .../idscp2/example/Idscp2ServerInitiator.kt | 10 +- .../aisec/ids/idscp2/example/RunTLSClient.kt | 34 ++--- .../aisec/ids/idscp2/example/RunTLSServer.kt | 14 +- idscp2-native.manifest.template | 48 +++++++ .../gramine/GramineRaProver.kt | 89 +++++++++++++ .../gramine/GramineRaVerifier.kt | 126 ++++++++++++++++++ quote-verifier.sh | 27 ++++ 11 files changed, 378 insertions(+), 47 deletions(-) create mode 100644 Makefile create mode 100644 idscp2-native.manifest.template create mode 100644 idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaProver.kt create mode 100644 idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaVerifier.kt create mode 100755 quote-verifier.sh diff --git a/.gitignore b/.gitignore index b9f68e5..8790d0e 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,13 @@ +# Gramine +*.token +*.sig +*.manifest.sgx +*.manifest +idscp2-native-* + +# SSL +idscp2-examples/src/main/resources/ssl/localhost.p12 + # Gradle .gradle/ diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..c6f7d08 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,44 @@ +ARCH_LIBDIR ?= /lib/$(shell $(CC) -dumpmachine) + +SGX_SIGNER_KEY ?= ~/.config/gramine/enclave-key.pem + +# This Makefile is targeted towards the client. The server is assumed to run outside SGX. + +.PHONY: client +client: + ./gradlew nativeBuild -PnativeImageName=idscp2-native-client -PmainNativeClass=de.fhg.aisec.ids.idscp2.example.RunTLSClient + cp idscp2-examples/build/native/nativeCompile/idscp2-native-client . + +.PHONY: gramine +gramine: idscp2-native.manifest idscp2-native.manifest.sgx idscp2-native.sig idscp2-native.token + +.PHONY: all +all: client gramine + +idscp2-native.manifest: idscp2-native.manifest.template + gramine-manifest \ + -Darch_libdir=$(ARCH_LIBDIR) \ + -Dentrypoint=idscp2-native-client \ + $< > $@ + +idscp2-native.manifest.sgx: idscp2-native.manifest + @test -s $(SGX_SIGNER_KEY) || \ + { echo "SGX signer private key was not found, please specify SGX_SIGNER_KEY!"; exit 1; } + gramine-sgx-sign \ + --key $(SGX_SIGNER_KEY) \ + --manifest $< \ + --output $@ + +idscp2-native.sig: idscp2-native.manifest.sgx + +idscp2-native.token: idscp2-native.sig + gramine-sgx-get-token --output $@ --sig $< + +clean-client: + $(RM) idscp2-native-client + +clean-gramine: + $(RM) *.token *.sig *.manifest.sgx *.manifest + +.PHONY: clean +clean: clean-client clean-gramine diff --git a/idscp2-examples/build.gradle.kts b/idscp2-examples/build.gradle.kts index 71fb119..333b0d7 100644 --- a/idscp2-examples/build.gradle.kts +++ b/idscp2-examples/build.gradle.kts 
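Review bot: `idscp2-native.manifest.sgx` depends only on the manifest and not on the `idscp2-native-client` binary that `-Dentrypoint` names, so `make gramine` can run the signing step against a missing or stale binary. If the template lists the entrypoint among its trusted files (the template is not in this part of the patch), the signed measurement would then not match a binary that is rebuilt afterwards. Making the binary a real file target and a prerequisite of the signing rule avoids that. `clean-client` and `clean-gramine` are also not declared phony, unlike the other command targets; add `.PHONY: clean-client clean-gramine`.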
@@ -21,25 +21,24 @@ dependencies { application { mainClass.set( findProperty("mainClass")?.toString() - ?: "de.fhg.aisec.ids.idscp2.example.RunTLSClient" + ?: "de.fhg.aisec.ids.idscp2.example.RunTLSServer" ) } graalvmNative { binaries { named("main") { - imageName.set("idscp2-native") + imageName.set( + findProperty("nativeImageName")?.toString() + ?: "idscp2-native" + ) mainClass.set( findProperty("mainNativeClass")?.toString() - ?: "de.fhg.aisec.ids.idscp2.example.RunTLSClient" + ?: "de.fhg.aisec.ids.idscp2.example.RunTLSServer" ) runtimeArgs.add("--report-unsupported-elements-at-runtime") buildArgs.add("-H:ReflectionConfigurationFiles=../../../src/main/resources/reflect-config.json") buildArgs.add("-H:ResourceConfigurationFiles=../../../src/main/resources/resource-config.json") -// buildArgs.add("-Ob") // Enables quick build, DISABLE THIS FOR PRODUCTION! -// verbose.set(true) -// debug.set(true) -// agent.set(true) } } } diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ClientInitiator.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ClientInitiator.kt index a12d2ee..f18815d 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ClientInitiator.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ClientInitiator.kt 
@@ -19,10 +19,8 @@ */ package de.fhg.aisec.ids.idscp2.example -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.demo.DemoRaProver -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.demo.DemoRaVerifier -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaProverDummy2 -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaVerifierDummy2 +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaProver +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaVerifier import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTLSDriver import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTlsConfiguration import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.Idscp2Configuration @@ -43,11 +41,11 @@ class Idscp2ClientInitiator { // register ra drivers RaProverDriverRegistry.registerDriver( - RaProverDummy2.RA_PROVER_DUMMY2_ID, ::RaProverDummy2, null + GramineRaProver.GRAMINE_RA_PROVER_ID, ::GramineRaProver, "Client" ) RaVerifierDriverRegistry.registerDriver( - RaVerifierDummy2.RA_VERIFIER_DUMMY2_ID, ::RaVerifierDummy2, null + GramineRaVerifier.GRAMINE_RA_VERIFIER_ID, ::GramineRaVerifier, "Client" ) // connect to idscp2 server diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ServerInitiator.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ServerInitiator.kt index 8992518..e45fcec 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ServerInitiator.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ServerInitiator.kt 
@@ -19,10 +19,8 @@ */ package de.fhg.aisec.ids.idscp2.example -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.demo.DemoRaProver -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.demo.DemoRaVerifier -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaProverDummy2 -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaVerifierDummy2 +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaProver +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaVerifier import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTLSDriver import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTlsConfiguration import de.fhg.aisec.ids.idscp2.idscp_core.api.Idscp2EndpointListener @@ -44,11 +42,11 @@ class Idscp2ServerInitiator : Idscp2EndpointListener { // register ra drivers RaProverDriverRegistry.registerDriver( - RaProverDummy2.RA_PROVER_DUMMY2_ID, ::RaProverDummy2, null + GramineRaProver.GRAMINE_RA_PROVER_ID, ::GramineRaProver, "Server" ) RaVerifierDriverRegistry.registerDriver( - RaVerifierDummy2.RA_VERIFIER_DUMMY2_ID, ::RaVerifierDummy2, null + GramineRaVerifier.GRAMINE_RA_VERIFIER_ID, ::GramineRaVerifier, "Server" ) // create server config diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt index a9923dd..30a363a 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt 
@@ -23,8 +23,8 @@ import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriver import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriverConfig import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.SecurityProfile import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.SecurityRequirements -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaProverDummy2 -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaVerifierDummy2 +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaProver +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaVerifier import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTlsConfiguration import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.AttestationConfig import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.Idscp2Configuration 
@@ -34,27 +34,14 @@ object RunTLSClient { @JvmStatic fun main(args: Array) { -// val keyStorePath = Paths.get( -// Objects.requireNonNull( -// RunTLSClient::class.java.classLoader -// .getResource("ssl/localhost.p12") -// ).path -// ) -// -// val trustStorePath = Paths.get( -// Objects.requireNonNull( -// RunTLSClient::class.java.classLoader -// .getResource("ssl/truststore.p12") -// ).path -// ) - - val keyStorePath = Paths.get("src/main/resources/ssl/localhost.p12") - - val trustStorePath = Paths.get("src/main/resources/ssl/truststore.p12") + // absolute paths to facilitate native-image compilation + // TODO: Key Store file 'localhost.p12' missing and must be provided! + val keyStorePath = Paths.get("idscp2-examples/src/main/resources/ssl/localhost.p12") + val trustStorePath = Paths.get("idscp2-examples/src/main/resources/ssl/truststore.p12") val localAttestationConfig = AttestationConfig.Builder() - .setSupportedRaSuite(arrayOf(RaProverDummy2.RA_PROVER_DUMMY2_ID)) - .setExpectedRaSuite(arrayOf(RaVerifierDummy2.RA_VERIFIER_DUMMY2_ID)) + .setSupportedRaSuite(arrayOf(GramineRaProver.GRAMINE_RA_PROVER_ID)) + .setExpectedRaSuite(arrayOf(GramineRaVerifier.GRAMINE_RA_VERIFIER_ID)) .setRaTimeoutDelay(300 * 1000L) // 300 seconds .build() @@ -74,8 +61,8 @@ object RunTLSClient { // create idscp2 config val settings = Idscp2Configuration.Builder() - .setAckTimeoutDelay(500) // 500 ms - .setHandshakeTimeoutDelay(5 * 1000L) // 5 seconds + .setAckTimeoutDelay(20 * 1000L) // 20 seconds + .setHandshakeTimeoutDelay(50 * 1000L) // 50 seconds .setAttestationConfig(localAttestationConfig) .setDapsDriver(dapsDriver) .build() @@ -85,6 +72,7 @@ object RunTLSClient { .setKeyStorePath(keyStorePath) .setTrustStorePath(trustStorePath) .setCertificateAlias("1.0.1") + .setServerPort(29292) .build() val initiator = Idscp2ClientInitiator() 
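Review bot: The new comment above `keyStorePath` says "absolute paths", but both `Paths.get("idscp2-examples/src/main/resources/ssl/...")` arguments are relative and resolve against the process working directory, so which keystore and truststore the client loads depends on where it is started. I would reword the comment to `// paths are relative to the repository root; run the client from there (the Gramine manifest trusts the same directory)`, or take the directory from a property so a wrong working directory is reported clearly. `main` continues beyond this hunk.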
diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt index 08cb52e..e04c7fe 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt @@ -23,18 +23,19 @@ import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriver import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriverConfig import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.SecurityProfile import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.SecurityRequirements -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaProverDummy2 -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.dummy.RaVerifierDummy2 +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaProver +import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaVerifier import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTlsConfiguration import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.AttestationConfig import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.Idscp2Configuration import java.nio.file.Paths -import java.util.* +import java.util.Objects object RunTLSServer { @JvmStatic fun main(argv: Array) { + // TODO: Key Store file 'localhost.p12' missing and must be provided! val keyStorePath = Paths.get( Objects.requireNonNull( RunTLSServer::class.java.classLoader 
@@ -50,8 +51,8 @@ object RunTLSServer { ) val localAttestationConfig = AttestationConfig.Builder() - .setSupportedRaSuite(arrayOf(RaProverDummy2.RA_PROVER_DUMMY2_ID)) - .setExpectedRaSuite(arrayOf(RaVerifierDummy2.RA_VERIFIER_DUMMY2_ID)) + .setSupportedRaSuite(arrayOf(GramineRaProver.GRAMINE_RA_PROVER_ID)) + .setExpectedRaSuite(arrayOf(GramineRaVerifier.GRAMINE_RA_VERIFIER_ID)) .setRaTimeoutDelay(300 * 1000L) // 300 seconds .build() @@ -70,6 +71,8 @@ object RunTLSServer { ) val settings = Idscp2Configuration.Builder() + .setAckTimeoutDelay(20 * 1000L) // 20 seconds + .setHandshakeTimeoutDelay(50 * 1000L) // 50 seconds .setAttestationConfig(localAttestationConfig) .setDapsDriver(dapsDriver) .build() @@ -78,6 +81,7 @@ object RunTLSServer { .setKeyStorePath(keyStorePath) .setTrustStorePath(trustStorePath) .setCertificateAlias("1.0.1") + .setServerPort(29292) .build() val initiator = Idscp2ServerInitiator() diff --git a/idscp2-native.manifest.template b/idscp2-native.manifest.template new file mode 100644 index 0000000..eadf4bc --- /dev/null +++ b/idscp2-native.manifest.template 
@@ -0,0 +1,48 @@
+libos.entrypoint = "{{ entrypoint }}"
+
+loader.entrypoint = "file:{{ gramine.libos }}"
+loader.log_level = "error"
+loader.argv0_override = ""
+
+#sys.stack.size = "256M"
+#sys.brk.max_size = "512M"
+sys.enable_sigterm_injection = true
+sys.insecure__allow_eventfd = true
+
+loader.env.LD_LIBRARY_PATH = "/lib:{{ arch_libdir }}:/usr/lib:/usr/{{ arch_libdir }}"
+
+fs.mounts = [
+ {type = "chroot", path = "/lib", uri = "file:{{ gramine.runtimedir() }}"},
+ {type = "chroot", path = "{{ arch_libdir }}", uri = "file:{{ arch_libdir }}"},
+ {type = "tmpfs", path = "/tmp", uri = "file:/tmp"},
+ {path = "/etc/resolv.conf", uri = "file:/etc/resolv.conf"},
+ {path = "/etc/nsswitch.conf", uri = "file:/etc/nsswitch.conf"},
+ {path = "/etc/passwd", uri = "file:/etc/passwd"},
+ {path = "/etc/timezone", uri = "file:/etc/timezone"},
+ {path = "/etc/host.conf", uri = "file:/etc/host.conf"},
+ {path = "/etc/hosts", uri = "file:/etc/hosts"},
+]
+
+sgx.thread_num = 32
+sgx.nonpie_binary = true
+sgx.enclave_size = "512M"
+
+sgx.remote_attestation = "epid"
+sgx.ra_client_linkable = true
+
+# Insert SPID from https://api.portal.trustedservices.intel.com/developer here!
+sgx.ra_client_spid = ""
+
+sgx.trusted_files = [
+ "file:{{ entrypoint }}",
+ "file:{{ gramine.libos }}",
+ "file:{{ gramine.runtimedir() }}/",
+ "file:{{ arch_libdir }}/",
+ "file:idscp2-examples/src/main/resources/ssl/",
+ "file:/etc/resolv.conf",
+ "file:/etc/nsswitch.conf",
+ "file:/etc/passwd",
+ "file:/etc/timezone",
+ "file:/etc/host.conf",
+ "file:/etc/hosts",
+]
diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaProver.kt b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaProver.kt
new file mode 100644
index 0000000..8956f0b
--- /dev/null
+++ b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaProver.kt
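Review bot: `sgx.trusted_files` lists the whole `idscp2-examples/src/main/resources/ssl/` directory, and trusted files are only hashed at signing time, not encrypted, so the keystore with the client's private key stays readable on the untrusted host and every key change alters the enclave measurement. If the key is meant to be protected by the enclave, it should be provisioned after attestation or kept on an encrypted mount instead of being measured in. Separately, `sys.insecure__allow_eventfd = true` hands eventfd handling to the host and deserves a comment saying why the native image needs it, for example `# needed by <component to be named>; eventfd is served by the untrusted host`.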
@@ -0,0 +1,89 @@ +/*- + * ========================LICENSE_START================================= + * idscp2 + * %% + * Copyright (C) 2022 Fraunhofer AISEC + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * =========================LICENSE_END================================== + */ +package de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine + +import de.fhg.aisec.ids.idscp2.idscp_core.drivers.RaProverDriver +import de.fhg.aisec.ids.idscp2.idscp_core.fsm.InternalControlMessage +import de.fhg.aisec.ids.idscp2.idscp_core.fsm.fsmListeners.RaProverFsmListener +import org.slf4j.LoggerFactory +import java.io.File +import java.util.concurrent.BlockingQueue +import java.util.concurrent.LinkedBlockingQueue + +/** + * An RaProver that, when ran by the client, produces an Intel SGX Attestation Report + * containing the nocne sent by the RaVerifier. 
+ * + * @author Andrei-Cosmin Aprodu (andrei-cosmin.aprodu@aisec.fraunhofer.de) + */ +class GramineRaProver(fsmListener: RaProverFsmListener) : RaProverDriver(fsmListener) { + private val queue: BlockingQueue = LinkedBlockingQueue() + private lateinit var currentTarget: String + + override fun delegate(message: ByteArray) { + queue.add(message) + if (LOG.isDebugEnabled) { + LOG.debug("Delegated to prover") + } + } + + override fun setConfig(config: String) { + currentTarget = config + } + + override fun run() { + // Only the client can issue an attestation certificate, so we cannot consider + // the current authentication process symmatrical anymore. + if (currentTarget == "Server") { + fsmListener.onRaProverMessage(InternalControlMessage.RA_PROVER_OK) + return + } + + try { + val msg = queue.take().decodeToString() + if (LOG.isDebugEnabled) { + LOG.debug("Prover received nonce. Generating certificate...") + } + + // https://gramine.readthedocs.io/en/stable/attestation.html + File("/dev/attestation/user_report_data").writeText(msg) + val quote = File("/dev/attestation/quote").readBytes() + + if (LOG.isDebugEnabled) { + LOG.debug("Prover sends certificate...") + } + fsmListener.onRaProverMessage( + InternalControlMessage.RA_PROVER_MSG, + quote + ) + } catch (e: InterruptedException) { + if (running) { + fsmListener.onRaProverMessage(InternalControlMessage.RA_PROVER_FAILED) + } + return + } + fsmListener.onRaProverMessage(InternalControlMessage.RA_PROVER_OK) + } + + companion object { + const val GRAMINE_RA_PROVER_ID = "Gramine" + private val LOG = LoggerFactory.getLogger(GramineRaProver::class.java) + } +} diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaVerifier.kt b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaVerifier.kt new file mode 100644 index 0000000..1d01490 --- /dev/null 
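Review bot: In `run()` only `InterruptedException` is caught, so an `IOException` from writing `/dev/attestation/user_report_data` or reading `/dev/attestation/quote` ends the driver thread without `RA_PROVER_FAILED`, and the state machine is left waiting for the RA timeout. The peer-supplied message is also written unchecked although the report-data field holds 64 bytes; I would reject other sizes first with `if (msg.length != 64) { fsmListener.onRaProverMessage(InternalControlMessage.RA_PROVER_FAILED); return }` and widen the handler to `catch (e: Exception)`. As far as this hunk shows, the quote binds only the verifier's nonce and nothing from the TLS session, so the attested enclave is not tied to this channel endpoint; a comment stating that limitation would help readers of the example.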
+++ b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaVerifier.kt 
@@ -0,0 +1,126 @@ +/*- + * ========================LICENSE_START================================= + * idscp2 + * %% + * Copyright (C) 2022 Fraunhofer AISEC + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * =========================LICENSE_END================================== + */ +package de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine + +import de.fhg.aisec.ids.idscp2.idscp_core.drivers.RaVerifierDriver +import de.fhg.aisec.ids.idscp2.idscp_core.fsm.InternalControlMessage +import de.fhg.aisec.ids.idscp2.idscp_core.fsm.fsmListeners.RaVerifierFsmListener +import org.slf4j.LoggerFactory +import java.io.File +import java.lang.ProcessBuilder +import java.security.SecureRandom +import java.util.concurrent.BlockingQueue +import java.util.concurrent.LinkedBlockingQueue + +/** + * A RaVerifier that requires the client RaProver to present a valid Intel SGX Attestation Report + * containing a nonce it sends in the beginning. + * + * @author Andrei-Cosmin Aprodu (andrei-cosmin.aprodu@aisec.fraunhofer.de) + */ +class GramineRaVerifier(fsmListener: RaVerifierFsmListener) : RaVerifierDriver(fsmListener) { + private val queue: BlockingQueue = LinkedBlockingQueue() + private lateinit var currentTarget: String + + // Insert Primary Key corresponding to the current SPID here! 
+ private val primaryKey = "" + + fun ByteArray.toHexString() = joinToString("") { "%02x".format(it) } + + override fun delegate(message: ByteArray) { + queue.add(message) + if (LOG.isDebugEnabled) { + LOG.debug("Delegated to Gramine Verifier") + } + } + + override fun setConfig(config: String) { + currentTarget = config + } + + override fun run() { + // Only the client can issue an attestation certificate, so we cannot consider + // the current authentication process symmatrical anymore. + if (currentTarget == "Client") { + fsmListener.onRaVerifierMessage(InternalControlMessage.RA_VERIFIER_OK) + return + } + + val nonceRaw = ByteArray(32) + SecureRandom().nextBytes(nonceRaw) + val nonce = nonceRaw.toHexString() + + try { + if (LOG.isDebugEnabled) { + LOG.debug("Verifier sends nonce \"${nonce}\"...") + } + fsmListener.onRaVerifierMessage( + InternalControlMessage.RA_VERIFIER_MSG, + nonce.toByteArray() + ) + if (LOG.isDebugEnabled) { + LOG.debug("Verifier waits....") + } + val msg = queue.take() + if (LOG.isDebugEnabled) { + LOG.debug("Verifier received response. Searching for nonce...") + } + + File("/tmp/QUOTE").writeBytes(msg) + + // 1st check: verify whether the quote is authentic + val quoteVerifierProcess = ProcessBuilder("../quote-verifier.sh", primaryKey).start() + quoteVerifierProcess.waitFor() + if (String(quoteVerifierProcess.getInputStream().readAllBytes()).trim().toInt() != 1) { + LOG.error("Check 1: Quote not authentic! Aborting...") + if (running) { + fsmListener.onRaVerifierMessage(InternalControlMessage.RA_VERIFIER_FAILED) + } + return + } else { + LOG.info("Check 1: Quote authentic.") + } + + // 2nd check: verify whether nonce is included in quote + // TODO: Include verification step into the Kotlin codebase in future update + val quoteContents = File("/tmp/QUOTE").readBytes() + if (!quoteContents.copyOfRange(368, 432).toString(Charsets.US_ASCII).equals(nonce)) { + LOG.error("Check 2: Quote does not contain nonce! 
Aborting...") + if (running) { + fsmListener.onRaVerifierMessage(InternalControlMessage.RA_VERIFIER_FAILED) + } + return + } else { + LOG.info("Check 2: Quote contains nonce.") + } + } catch (e: InterruptedException) { + if (running) { + fsmListener.onRaVerifierMessage(InternalControlMessage.RA_VERIFIER_FAILED) + } + return + } + fsmListener.onRaVerifierMessage(InternalControlMessage.RA_VERIFIER_OK) + } + + companion object { + const val GRAMINE_RA_VERIFIER_ID = "Gramine" + private val LOG = LoggerFactory.getLogger(GramineRaVerifier::class.java) + } +} diff --git a/quote-verifier.sh b/quote-verifier.sh new file mode 100755 index 0000000..2d009ff --- /dev/null +++ b/quote-verifier.sh @@ -0,0 +1,27 @@ +#!/bin/bash + +report="/tmp/IAS_REPORT" +sig="/tmp/IAS_SIG" +quote="/tmp/QUOTE" + +touch $report +touch $sig + +if [ ! -f $quote ]; then + echo 2 + exit +fi + +# Use Linkable Primary Key +res1=$(gramine-sgx-ias-request report -q $quote -k $1 -r $report -s $sig) +res2=$(gramine-sgx-ias-verify-report -r $report -s $sig --allow-outdated-tcb) + +if [[ $res2 == *"IAS report: signature verified correctly"* ]]; then + echo 1 + exit +else + echo $res1 >> IAS_OUTPUT + echo $res2 > IAS_OUTPUT + echo 0 + exit +fi From 010d60e652317299403628e74ed01dabbd8ec413 Mon Sep 17 00:00:00 2001 From: Cosmin Aprodu Date: Tue, 31 Jan 2023 15:49:43 +0000 Subject: [PATCH 05/14] Check for the IAS primary key before launching verification --- .../remote_attestation/gramine/GramineRaVerifier.kt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaVerifier.kt b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaVerifier.kt index 1d01490..5cc7ac2 100644 --- a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaVerifier.kt 
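Review bot: Neither check in `run()` looks at which enclave produced the quote: check 1 accepts any report whose IAS signature verifies (the script passes `--allow-outdated-tcb` and no expected measurement), and check 2 only compares bytes 368 to 432 with the nonce. The expected MRENCLAVE/MRSIGNER and the quote status should be compared as well, either in Kotlin or through the verify tool's `--mr-enclave`/`--mr-signer` options. The quote is handed to the script through the fixed path `/tmp/QUOTE`, which is predictable and shared by concurrent handshakes; a per-connection file from `Files.createTempFile` passed to the script as an argument avoids one connection's quote being replaced before it is read. Finally `toInt()`, `copyOfRange(368, 432)` and the file calls can throw on malformed input while only `InterruptedException` is caught, so those paths never report `RA_VERIFIER_FAILED`.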
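Review bot: The script prints 1 whenever the verify output contains "IAS report: signature verified correctly" and never checks the exit status of either tool, while `touch` leaves any `/tmp/IAS_REPORT` and `/tmp/IAS_SIG` from an earlier run in place. If the request step fails, the previous report may be verified instead of one for the current quote, and, assuming the tool prints that line before its remaining checks, a later failure is ignored as well. I would truncate both files first, stop when `gramine-sgx-ias-request` fails, decide on the verify tool's exit status, and quote `$1`, `$quote`, `$report` and `$sig`. In the failure branch `>>` followed by `>` also overwrites `res1`, so the two redirections look swapped.

```bash
# … unchanged: report/sig/quote variables and the missing-quote check …

# Truncate instead of touch, so no report or signature survives from an earlier run.
: > "$report"
: > "$sig"

if ! res1=$(gramine-sgx-ias-request report -q "$quote" -k "$1" -r "$report" -s "$sig" 2>&1); then
    echo "$res1" > IAS_OUTPUT
    echo 0
    exit
fi

# Decide on the exit status, not on a substring of the output.
if res2=$(gramine-sgx-ias-verify-report -r "$report" -s "$sig" --allow-outdated-tcb 2>&1); then
    echo 1
else
    echo "$res1" > IAS_OUTPUT
    echo "$res2" >> IAS_OUTPUT
    echo 0
fi
```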
+++ b/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaVerifier.kt @@ -62,6 +62,11 @@ class GramineRaVerifier(fsmListener: RaVerifierFsmListener) : RaVerifierDriver Date: Tue, 7 Feb 2023 09:19:36 +0000 Subject: [PATCH 06/14] Bring IDSCP2 SGX version up to date --- .../gramine/GramineRaProver.kt | 10 +++---- .../gramine/GramineRaVerifier.kt | 12 ++++---- .../idscp2/example/Idscp2ClientInitiator.kt | 22 ++++++--------- .../idscp2/example/Idscp2ServerInitiator.kt | 24 ++++++---------- .../aisec/ids/idscp2/example/RunTLSClient.kt | 28 ++++++++----------- .../aisec/ids/idscp2/example/RunTLSServer.kt | 28 ++++++++----------- idscp2-native.manifest.template | 2 +- 7 files changed, 50 insertions(+), 76 deletions(-) rename {idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation => idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation}/gramine/GramineRaProver.kt (91%) rename {idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation => idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation}/gramine/GramineRaVerifier.kt (92%) diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaProver.kt b/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaProver.kt similarity index 91% rename from idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaProver.kt rename to idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaProver.kt index 8956f0b..21facd5 100644 --- a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaProver.kt +++ b/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaProver.kt 
@@ -1,6 +1,6 @@ /*- * ========================LICENSE_START================================= - * idscp2 + * idscp2-core * %% * Copyright (C) 2022 Fraunhofer AISEC * %% @@ -17,11 +17,11 @@ * limitations under the License. * =========================LICENSE_END================================== */ -package de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine +package de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine -import de.fhg.aisec.ids.idscp2.idscp_core.drivers.RaProverDriver -import de.fhg.aisec.ids.idscp2.idscp_core.fsm.InternalControlMessage -import de.fhg.aisec.ids.idscp2.idscp_core.fsm.fsmListeners.RaProverFsmListener +import de.fhg.aisec.ids.idscp2.api.drivers.RaProverDriver +import de.fhg.aisec.ids.idscp2.api.fsm.InternalControlMessage +import de.fhg.aisec.ids.idscp2.api.fsm.RaProverFsmListener import org.slf4j.LoggerFactory import java.io.File import java.util.concurrent.BlockingQueue diff --git a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaVerifier.kt b/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt similarity index 92% rename from idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaVerifier.kt rename to idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt index 5cc7ac2..36ef6d9 100644 --- a/idscp2/src/main/kotlin/de/fhg/aisec/ids/idscp2/default_drivers/remote_attestation/gramine/GramineRaVerifier.kt +++ b/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt @@ -1,6 +1,6 @@ /*- * ========================LICENSE_START================================= - * idscp2 + * idscp2-core * %% * Copyright (C) 2022 Fraunhofer AISEC * %% 
@@ -17,11 +17,11 @@ * limitations under the License. * =========================LICENSE_END================================== */ -package de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine +package de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine -import de.fhg.aisec.ids.idscp2.idscp_core.drivers.RaVerifierDriver -import de.fhg.aisec.ids.idscp2.idscp_core.fsm.InternalControlMessage -import de.fhg.aisec.ids.idscp2.idscp_core.fsm.fsmListeners.RaVerifierFsmListener +import de.fhg.aisec.ids.idscp2.api.drivers.RaVerifierDriver +import de.fhg.aisec.ids.idscp2.api.fsm.InternalControlMessage +import de.fhg.aisec.ids.idscp2.api.fsm.RaVerifierFsmListener import org.slf4j.LoggerFactory import java.io.File import java.lang.ProcessBuilder @@ -39,7 +39,7 @@ class GramineRaVerifier(fsmListener: RaVerifierFsmListener) : RaVerifierDriver = LinkedBlockingQueue() private lateinit var currentTarget: String - // Insert Primary Key corresponding to the current SPID here! + // TODO: Insert Primary Key corresponding to the current SPID here! private val primaryKey = "" fun ByteArray.toHexString() = joinToString("") { "%02x".format(it) } diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ClientInitiator.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ClientInitiator.kt index b01b9ea..1dd0225 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ClientInitiator.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ClientInitiator.kt 
@@ -25,20 +25,10 @@ import de.fhg.aisec.ids.idscp2.api.connection.Idscp2ConnectionAdapter import de.fhg.aisec.ids.idscp2.api.raregistry.RaProverDriverRegistry import de.fhg.aisec.ids.idscp2.api.raregistry.RaVerifierDriverRegistry import de.fhg.aisec.ids.idscp2.core.connection.Idscp2ConnectionImpl -import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.demo.DemoRaProver -import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.demo.DemoRaVerifier +import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine.GramineRaProver +import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine.GramineRaVerifier import de.fhg.aisec.ids.idscp2.defaultdrivers.securechannel.tls13.NativeTLSDriver import de.fhg.aisec.ids.idscp2.defaultdrivers.securechannel.tls13.NativeTlsConfiguration -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaProver -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaVerifier -import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTLSDriver -import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTlsConfiguration -import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.Idscp2Configuration -import de.fhg.aisec.ids.idscp2.idscp_core.api.idscp_connection.Idscp2Connection -import de.fhg.aisec.ids.idscp2.idscp_core.api.idscp_connection.Idscp2ConnectionAdapter -import de.fhg.aisec.ids.idscp2.idscp_core.api.idscp_connection.Idscp2ConnectionImpl -import de.fhg.aisec.ids.idscp2.idscp_core.ra_registry.RaProverDriverRegistry -import de.fhg.aisec.ids.idscp2.idscp_core.ra_registry.RaVerifierDriverRegistry import org.slf4j.LoggerFactory import java.nio.charset.StandardCharsets 
@@ -50,11 +40,15 @@ class Idscp2ClientInitiator { // register ra drivers RaProverDriverRegistry.registerDriver( - GramineRaProver.GRAMINE_RA_PROVER_ID, ::GramineRaProver, "Client" + GramineRaProver.GRAMINE_RA_PROVER_ID, + ::GramineRaProver, + "Client" ) RaVerifierDriverRegistry.registerDriver( - GramineRaVerifier.GRAMINE_RA_VERIFIER_ID, ::GramineRaVerifier, "Client" + GramineRaVerifier.GRAMINE_RA_VERIFIER_ID, + ::GramineRaVerifier, + "Client" ) // connect to idscp2 server diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ServerInitiator.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ServerInitiator.kt index 12c6e2e..99047e5 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ServerInitiator.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/Idscp2ServerInitiator.kt 
@@ -27,22 +27,10 @@ import de.fhg.aisec.ids.idscp2.api.raregistry.RaProverDriverRegistry import de.fhg.aisec.ids.idscp2.api.raregistry.RaVerifierDriverRegistry import de.fhg.aisec.ids.idscp2.api.server.Idscp2ServerFactory import de.fhg.aisec.ids.idscp2.core.connection.Idscp2ConnectionImpl -import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.demo.DemoRaProver -import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.demo.DemoRaVerifier +import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine.GramineRaProver +import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine.GramineRaVerifier import de.fhg.aisec.ids.idscp2.defaultdrivers.securechannel.tls13.NativeTLSDriver import de.fhg.aisec.ids.idscp2.defaultdrivers.securechannel.tls13.NativeTlsConfiguration -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaProver -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaVerifier -import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTLSDriver -import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTlsConfiguration -import de.fhg.aisec.ids.idscp2.idscp_core.api.Idscp2EndpointListener -import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.Idscp2Configuration -import de.fhg.aisec.ids.idscp2.idscp_core.api.idscp_connection.Idscp2Connection -import de.fhg.aisec.ids.idscp2.idscp_core.api.idscp_connection.Idscp2ConnectionAdapter -import de.fhg.aisec.ids.idscp2.idscp_core.api.idscp_connection.Idscp2ConnectionImpl -import de.fhg.aisec.ids.idscp2.idscp_core.api.idscp_server.Idscp2ServerFactory -import de.fhg.aisec.ids.idscp2.idscp_core.ra_registry.RaProverDriverRegistry -import de.fhg.aisec.ids.idscp2.idscp_core.ra_registry.RaVerifierDriverRegistry import org.slf4j.LoggerFactory import java.nio.charset.StandardCharsets 
@@ -53,11 +41,15 @@ class Idscp2ServerInitiator : Idscp2EndpointListener { // register ra drivers RaProverDriverRegistry.registerDriver( - GramineRaProver.GRAMINE_RA_PROVER_ID, ::GramineRaProver, "Server" + GramineRaProver.GRAMINE_RA_PROVER_ID, + ::GramineRaProver, + "Server" ) RaVerifierDriverRegistry.registerDriver( - GramineRaVerifier.GRAMINE_RA_VERIFIER_ID, ::GramineRaVerifier, "Server" + GramineRaVerifier.GRAMINE_RA_VERIFIER_ID, + ::GramineRaVerifier, + "Server" ) // create server config diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt index 0d47be3..3a58745 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt 
@@ -23,25 +23,17 @@ import de.fhg.aisec.ids.idscp2.api.configuration.AttestationConfig import de.fhg.aisec.ids.idscp2.api.configuration.Idscp2Configuration import de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriver import de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriverConfig -import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.demo.DemoRaProver -import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.demo.DemoRaVerifier +import de.fhg.aisec.ids.idscp2.daps.aisecdaps.SecurityProfile +import de.fhg.aisec.ids.idscp2.daps.aisecdaps.SecurityRequirements +import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine.GramineRaProver +import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine.GramineRaVerifier import de.fhg.aisec.ids.idscp2.defaultdrivers.securechannel.tls13.NativeTlsConfiguration import de.fhg.aisec.ids.idscp2.keystores.KeyStoreUtil.loadKeyStore -import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriver -import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriverConfig -import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.SecurityProfile -import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.SecurityRequirements -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaProver -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaVerifier -import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTlsConfiguration -import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.AttestationConfig -import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.Idscp2Configuration import java.nio.file.Paths object RunTLSClient { @JvmStatic fun main(args: Array) { - // absolute paths to facilitate native-image compilation // TODO: Key Store file 'localhost.p12' missing and must be provided! val keyStorePath = Paths.get("idscp2-examples/src/main/resources/ssl/localhost.p12") 
@@ -55,19 +47,21 @@ object RunTLSClient { val password = "password".toCharArray() - // Load certificates from local KeyStore - val ks = loadKeyStore(keyStorePath, password) + // create daps driver + val securityRequirements = SecurityRequirements.Builder() + .setRequiredSecurityLevel(SecurityProfile.INVALID) + .build() val dapsDriver = AisecDapsDriver( AisecDapsDriverConfig.Builder() .setKeyStorePath(keyStorePath) .setKeyStorePassword(password) .setKeyPassword(password) - .setKeyAlias("1") .setTrustStorePath(trustStorePath) .setTrustStorePassword(password) - .setDapsUrl("https://daps-dev.aisec.fraunhofer.de/v4") - .loadTransportCertsFromKeystore(ks) + .setKeyAlias("1") + .setDapsUrl("https://daps.aisec.fraunhofer.de") + .setSecurityRequirements(securityRequirements) .build() ) diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt index 1890dd0..65c7461 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt 
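Review bot: The added `.setRequiredSecurityLevel(SecurityProfile.INVALID)` in the `SecurityRequirements` builder reads as the lowest possible requirement, so the DAPS driver in this example presumably places no minimum on the security profile in the peer's DAT; the `@@ -66,19 +58,21 @@` hunk in RunTLSServer.kt adds the same line. Examples tend to be copied into deployments, so I would either require a real profile here or mark the line, e.g. `// example only: INVALID sets no minimum security profile for the peer, do not use in production`. Both hunks also drop `.loadTransportCertsFromKeystore(ks)`; if that call was what tied the token to the TLS transport certificate, the commit message should say why it is no longer needed. `main` starts and ends outside this hunk.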
@@ -23,26 +23,18 @@ import de.fhg.aisec.ids.idscp2.api.configuration.AttestationConfig import de.fhg.aisec.ids.idscp2.api.configuration.Idscp2Configuration import de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriver import de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriverConfig -import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.demo.DemoRaProver -import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.demo.DemoRaVerifier +import de.fhg.aisec.ids.idscp2.daps.aisecdaps.SecurityProfile +import de.fhg.aisec.ids.idscp2.daps.aisecdaps.SecurityRequirements +import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine.GramineRaProver +import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine.GramineRaVerifier import de.fhg.aisec.ids.idscp2.defaultdrivers.securechannel.tls13.NativeTlsConfiguration import de.fhg.aisec.ids.idscp2.keystores.KeyStoreUtil.loadKeyStore -import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriver -import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.AisecDapsDriverConfig -import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.SecurityProfile -import de.fhg.aisec.ids.idscp2.default_drivers.daps.aisec_daps.SecurityRequirements -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaProver -import de.fhg.aisec.ids.idscp2.default_drivers.remote_attestation.gramine.GramineRaVerifier -import de.fhg.aisec.ids.idscp2.default_drivers.secure_channel.tlsv1_3.NativeTlsConfiguration -import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.AttestationConfig -import de.fhg.aisec.ids.idscp2.idscp_core.api.configuration.Idscp2Configuration import java.nio.file.Paths import java.util.Objects object RunTLSServer { @JvmStatic fun main(argv: Array) { - // TODO: Key Store file 'localhost.p12' missing and must be provided! val keyStorePath = Paths.get( Objects.requireNonNull( 
@@ -66,19 +58,21 @@ object RunTLSServer { val password = "password".toCharArray() - // Load certificates from local KeyStore - val ks = loadKeyStore(keyStorePath, password) + // create daps config + val securityRequirements = SecurityRequirements.Builder() + .setRequiredSecurityLevel(SecurityProfile.INVALID) + .build() val dapsDriver = AisecDapsDriver( AisecDapsDriverConfig.Builder() .setKeyStorePath(keyStorePath) .setKeyStorePassword(password) .setKeyPassword(password) - .setKeyAlias("1") .setTrustStorePath(trustStorePath) .setTrustStorePassword(password) - .setDapsUrl("https://daps-dev.aisec.fraunhofer.de/v4") - .loadTransportCertsFromKeystore(ks) + .setKeyAlias("1") + .setDapsUrl("https://daps.aisec.fraunhofer.de") + .setSecurityRequirements(securityRequirements) .build() ) diff --git a/idscp2-native.manifest.template b/idscp2-native.manifest.template index eadf4bc..9fb4a49 100644 --- a/idscp2-native.manifest.template +++ b/idscp2-native.manifest.template @@ -30,7 +30,7 @@ sgx.enclave_size = "512M" sgx.remote_attestation = "epid" sgx.ra_client_linkable = true -# Insert SPID from https://api.portal.trustedservices.intel.com/developer here! +# TODO: Insert SPID from https://api.portal.trustedservices.intel.com/developer here! sgx.ra_client_spid = "" sgx.trusted_files = [ From 09da7b5a9575ddfd4c4dd1a2ac31a718546a288b Mon Sep 17 00:00:00 2001 From: Cosmin Aprodu Date: Tue, 7 Feb 2023 12:56:22 +0000 Subject: [PATCH 07/14] Add configuration instructions for IDSCP2 via SGX --- README.md | 140 ++++++++++++++++++ .../de/fhg/aisec/ids/camel/idscp2/Utils.kt | 1 + 2 files changed, 141 insertions(+) diff --git a/README.md b/README.md index 979e1b6..d9ff06c 100644 --- a/README.md +++ b/README.md 
@@ -15,3 +15,143 @@ This is the official Kotlin-based implementation of the IDS Communication Protoc Maven artifacts are pushed to maven central and can be found here: https://search.maven.org/search?q=idscp2. More information about the usage can be found in the [IDSCP2 Documentation](https://github.com/industrial-data-space/idscp2-jvm/wiki). + +## Intel SGX Support + +IDSCP2 can make use of Intel SGX to attest Client nodes upon Server requests using the _Intel Attestation Services (IAS)_. Before the handshake is built, the Server sends the Client a nonce, which must be included in an SGX quote. When the Server receives the quote, it sends it to IAS and verifies whether the quote's payload corresponds to the initial nonce value. If both checks pass, the Server accepts the Client's handshake. + +### System Requirements + +- [Ubuntu 20.04](https://releases.ubuntu.com/focal/) or above +- [Intel SGX SDK](https://github.com/intel/linux-sgx) +- [GraalVM for Java 17](https://github.com/graalvm/graalvm-ce-builds/releases) +- [Gramine SGX](https://github.com/gramineproject/gramine) + +### Installation Guide + +In this section we detail the setup process for SGX support of a system running **Ubuntu 22.04**. + +#### Intel SGX SDK + +1. We start by setting up the SGX SDK. The current stable version is **2.18.1**. We first install all necessary dependencies: + ```bash + sudo apt-get install build-essential ocaml ocamlbuild automake autoconf libtool wget python-is-python3 \ + libssl-dev git cmake perl libssl-dev libcurl4-openssl-dev protobuf-compiler \ + libprotobuf-dev debhelper cmake reprepro unzip pkgconf libboost-dev libboost-system-dev libboost-thread-dev \ + protobuf-c-compiler libprotobuf-c-dev lsb-release libsystemd0 python2 + ``` + +2. 
We can now clone the SDK repository and start building it: + ```bash + git clone https://github.com/intel/linux-sgx.git + cd linux-sgx && make preparation + sudo cp external/toolset/ubuntu20.04/* /usr/local/bin + make sdk_install_pkg + ``` + +3. To be able to use Gramine SGX, we will also need the _Intel Platform SoftWare (PSW)_: + ```bash + make psw + make deb_psw_pkg + ``` + +4. Installing the SDK is first done through the generated installer. The PSW is composed of multiple `.deb` packages which will be installed individually afterward. + ```bash + cd linux/installer/bin + sudo ./sgx_linux_x64_sdk_2.18.101.1.bin --prefix /opt/intel + source /opt/intel/sgxsdk/environment + cd ../../../ && cd linux/installer/deb + ``` + + Note that the PSW packages cannot be installed in a random order, since many are the dependencies of others. Therefore, we choose the following order of installation: + - `libsgx-headers` + - `libsgx-launch` + - `libsgx-enclave-common` + - `libsgx-epid` + - `libsgx-quote-ex` + - `libsgx-uae-service` + - `libsgx-urts` + - `sgx-aesm-service/libsgx-ra-network` + - `sgx-aesm-service/libsgx-ra-uefi` + - `sgx-asem-service/libsgx-dcap-default-qpl` + - `sgx-aesm-service/libsgx-dcap-quote-verify` + - `sgx-aesm-service/libsgx-ae-*` + - `sgx-aesm-service/libsgx-pce-logic` + - `sgx-aesm-service/libsgx-qe3-logic` + - `sgx-asem-service/libsgx-dcap-ql` + - `sgx-aesm-service/sgx-aesm-service` + - `sgx-aesm-service/libsgx-aesm-*` + +#### GraalVM for Java 17 + +1. The latest version of GraalVM upon writing this document is **22.3.0**. We download the GraalVM archive using the following download [link](https://github.com/graalvm/graalvm-ce-builds/releases/download/vm-22.3.0/graalvm-ce-java17-linux-amd64-22.3.0.tar.gz). We then extract the contents using: + ```bash + tar -xzf graalvm-ce-java17-linux-amd64-22.3.0.tar.gz + ``` + +2. To be able to use Java, we need to adapt two global variables: `PATH` and `JAVA_HOME`. 
To accommodate this, we choose to include the following lines at the end of the `.bashrc` file: + ```bash + export PATH=/home/ubuntu/graalvm-ce-java17-22.3.0/bin:$PATH + export JAVA_HOME=/home/ubuntu/graalvm-ce-java17-22.3.0 + ``` + We now need to recompile it for the changes to take effect: + ```bash + source .bashrc + ``` + +3. To compile the Kotlin codebase, we need Native Image: + ```bash + gu install native-image + ``` + +#### Gramine SGX + +1. We start by installing all dependencies: + ```bash + sudo apt-get install -y build-essential \ + autoconf bison gawk nasm ninja-build pkg-config python3 python3-click meson \ + python3-jinja2 python3-pip python3-pyelftools wget libunwind8 musl-tools \ + python3-pytest libgmp-dev libmpfr-dev libmpc-dev libisl-dev python3-protobuf + ``` + +2. We can now clone Gramine. The version used for testing is **1.3.1**: + ```bash + git clone https://github.com/gramineproject/gramine.git + cd gramine && git checkout v1.3.1 + ``` + +3. We finally move on to the building and installation process: + ```bash + meson setup build/ --buildtype=release -Ddirect=enabled -Dsgx=enabled --prefix=/usr + ninja -C build/ + sudo ninja -C build/ install + ``` + + > Note that we use a custom installation path for installing Gramine. This is due to a bug in version **1.3.1** on Ubuntu 22.04 which prevents Python from finding `graminelibos`. If this does not solve the problem, try also exporting the global variable ``PYTHONPATH`` as follows: + > ```bash + > export PYTHONPATH=$PYTHONPATH:/usr/local/graminelibos + > ``` + +### Execution Instructions + +Before building and running either of the two parties, we must provide **3** pieces of information to the underlying codebase: +1. In [idscp2-native.manifest.template](idscp2-native.manifest.template), insert the **SPID** of the _Intel SGX Attestation Service (Linkable)_ subscription, +2. 
In [GramineRaVerifier.kt](idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt), insert the corresponding **Primary Key**, +3. In the directory [idscp2-examples/src/main/resources/ssl](idscp2-examples/src/main/resources/ssl), the **Key Store** file named `localhost.p12`. + +Having configured our environment, we can now execute IDSCP2 using Intel SGX. From the root directory of this project, we first run the Server: +```bash +./gradlew build +``` + +From a separate command prompt, we build the Client using the given Makefile: +```bash +make all +``` + +After the build process is done, we run the Client: +```bash +sudo gramine-sgx idscp2-native +``` + +If all went well, both parties should display a successful handshake. diff --git a/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/Utils.kt b/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/Utils.kt index c9931f9..700aa0a 100644 --- a/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/Utils.kt +++ b/camel-idscp2/src/main/kotlin/de/fhg/aisec/ids/camel/idscp2/Utils.kt @@ -47,6 +47,7 @@ object Utils { lateinit var senderAgentProducer: () -> URI lateinit var issuerProducer: () -> URI + @Suppress("MemberVisibilityCanBePrivate") lateinit var infomodelVersion: String var dapsUrlProducer: () -> String = { Constants.DEFAULT_DAPS_URL } From 5952ef324ffd3a3531a5bda920a1329da319a44f Mon Sep 17 00:00:00 2001 From: Cosmin Aprodu Date: Tue, 7 Feb 2023 13:00:35 +0000 Subject: [PATCH 08/14] Cleanup unused imports --- .../main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt | 1 - .../main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt | 1 - 2 files changed, 2 deletions(-) diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt index 3a58745..a4fa27d 100644 
--- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSClient.kt @@ -28,7 +28,6 @@ import de.fhg.aisec.ids.idscp2.daps.aisecdaps.SecurityRequirements import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine.GramineRaProver import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine.GramineRaVerifier import de.fhg.aisec.ids.idscp2.defaultdrivers.securechannel.tls13.NativeTlsConfiguration -import de.fhg.aisec.ids.idscp2.keystores.KeyStoreUtil.loadKeyStore import java.nio.file.Paths object RunTLSClient { diff --git a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt index 65c7461..5ca188d 100644 --- a/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt +++ b/idscp2-examples/src/main/kotlin/de/fhg/aisec/ids/idscp2/example/RunTLSServer.kt @@ -28,7 +28,6 @@ import de.fhg.aisec.ids.idscp2.daps.aisecdaps.SecurityRequirements import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine.GramineRaProver import de.fhg.aisec.ids.idscp2.defaultdrivers.remoteattestation.gramine.GramineRaVerifier import de.fhg.aisec.ids.idscp2.defaultdrivers.securechannel.tls13.NativeTlsConfiguration -import de.fhg.aisec.ids.idscp2.keystores.KeyStoreUtil.loadKeyStore import java.nio.file.Paths import java.util.Objects From 1b2db650cd4bc65514b55fd0a5b639405ea919c7 Mon Sep 17 00:00:00 2001 From: Cosmin Aprodu Date: Tue, 7 Feb 2023 13:08:50 +0000 Subject: [PATCH 09/14] Add missing license header --- .../aisec/ids/idscp2/api/FingerprintUtils.kt | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/idscp2-api/src/main/kotlin/de/fhg/aisec/ids/idscp2/api/FingerprintUtils.kt b/idscp2-api/src/main/kotlin/de/fhg/aisec/ids/idscp2/api/FingerprintUtils.kt index 80a8176..1dd49ff 100644 
--- a/idscp2-api/src/main/kotlin/de/fhg/aisec/ids/idscp2/api/FingerprintUtils.kt +++ b/idscp2-api/src/main/kotlin/de/fhg/aisec/ids/idscp2/api/FingerprintUtils.kt @@ -1,3 +1,22 @@ +/*- + * ========================LICENSE_START================================= + * idscp2-api + * %% + * Copyright (C) 2023 Fraunhofer AISEC + * %% + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * =========================LICENSE_END================================== + */ package de.fhg.aisec.ids.idscp2.api import java.security.MessageDigest From 946f91af4d700a03412b75ac442d667226d01f6b Mon Sep 17 00:00:00 2001 From: Cosmin Aprodu Date: Tue, 7 Feb 2023 14:04:38 +0000 Subject: [PATCH 10/14] Test fixes and code polish --- .../remoteattestation/gramine/GramineRaProver.kt | 4 ++-- .../remoteattestation/gramine/GramineRaVerifier.kt | 6 +++--- .../de/fhg/aisec/ids/idscp2/tests/Idscp2Integration.kt | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaProver.kt b/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaProver.kt index 21facd5..5f7aa0b 100644 --- a/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaProver.kt +++ b/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaProver.kt 
@@ -29,7 +29,7 @@ import java.util.concurrent.LinkedBlockingQueue /** * An RaProver that, when ran by the client, produces an Intel SGX Attestation Report - * containing the nocne sent by the RaVerifier. + * containing the nonce sent by the RaVerifier. * * @author Andrei-Cosmin Aprodu (andrei-cosmin.aprodu@aisec.fraunhofer.de) */ @@ -50,7 +50,7 @@ class GramineRaProver(fsmListener: RaProverFsmListener) : RaProverDriver override fun run() { // Only the client can issue an attestation certificate, so we cannot consider - // the current authentication process symmatrical anymore. + // the current authentication process symmetrical anymore. if (currentTarget == "Server") { fsmListener.onRaProverMessage(InternalControlMessage.RA_PROVER_OK) return diff --git a/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt b/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt index 36ef6d9..5801f13 100644 --- a/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt +++ b/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt @@ -42,7 +42,7 @@ class GramineRaVerifier(fsmListener: RaVerifierFsmListener) : RaVerifierDriver Date: Tue, 7 Feb 2023 14:08:23 +0000 Subject: [PATCH 11/14] Fix test imports --- .../kotlin/de/fhg/aisec/ids/idscp2/tests/Idscp2Integration.kt | 1 - 1 file changed, 1 deletion(-) diff --git a/idscp2-core/src/test/kotlin/de/fhg/aisec/ids/idscp2/tests/Idscp2Integration.kt b/idscp2-core/src/test/kotlin/de/fhg/aisec/ids/idscp2/tests/Idscp2Integration.kt index f13bad7..e65322e 100644 --- a/idscp2-core/src/test/kotlin/de/fhg/aisec/ids/idscp2/tests/Idscp2Integration.kt +++ b/idscp2-core/src/test/kotlin/de/fhg/aisec/ids/idscp2/tests/Idscp2Integration.kt 
@@ -45,7 +45,6 @@ import org.junit.Assert import org.junit.Test import java.nio.charset.StandardCharsets import java.nio.file.Paths -import java.security.cert.X509Certificate import java.util.Objects import java.util.concurrent.BlockingQueue import java.util.concurrent.CountDownLatch From f9f629148f4a1f52ce5507c16ff3487ea51300e9 Mon Sep 17 00:00:00 2001 From: Cosmin Aprodu Date: Tue, 7 Feb 2023 14:27:36 +0000 Subject: [PATCH 12/14] Fix README.md typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d9ff06c..d6b234a 100644 --- a/README.md +++ b/README.md @@ -141,7 +141,7 @@ Before building and running either of the two parties, we must provide **3** pie Having configured our environment, we can now execute IDSCP2 using Intel SGX. From the root directory of this project, we first run the Server: ```bash -./gradlew build +./gradlew run ``` From a separate command prompt, we build the Client using the given Makefile: From c875d55330c5add9054e774c94a565b9ba3c0bad Mon Sep 17 00:00:00 2001 From: Cosmin Aprodu Date: Mon, 13 Feb 2023 11:09:47 +0000 Subject: [PATCH 13/14] Update README.md information --- README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d6b234a..eefcb3d 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,11 @@ In this section we detail the setup process for SGX support of a system running - `sgx-aesm-service/sgx-aesm-service` - `sgx-aesm-service/libsgx-aesm-*` + The installation of a package can be performed with the following command: + ```bash + sudo apt install ./.deb + ``` + #### GraalVM for Java 17 1. The latest version of GraalVM upon writing this document is **22.3.0**. We download the GraalVM archive using the following download [link](https://github.com/graalvm/graalvm-ce-builds/releases/download/vm-22.3.0/graalvm-ce-java17-linux-amd64-22.3.0.tar.gz). We then extract the contents using: 
@@ -137,7 +142,7 @@ In this section we detail the setup process for SGX support of a system running Before building and running either of the two parties, we must provide **3** pieces of information to the underlying codebase: 1. In [idscp2-native.manifest.template](idscp2-native.manifest.template), insert the **SPID** of the _Intel SGX Attestation Service (Linkable)_ subscription, 2. In [GramineRaVerifier.kt](idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt), insert the corresponding **Primary Key**, -3. In the directory [idscp2-examples/src/main/resources/ssl](idscp2-examples/src/main/resources/ssl), the **Key Store** file named `localhost.p12`. +3. In the directory [idscp2-examples/src/main/resources/ssl](idscp2-examples/src/main/resources/ssl), insert the **Key Store** file named `localhost.p12`. Having configured our environment, we can now execute IDSCP2 using Intel SGX. From the root directory of this project, we first run the Server: ```bash From 394e570df500de8da23569d6c83811e9304e4640 Mon Sep 17 00:00:00 2001 From: Cosmin Aprodu Date: Mon, 13 Feb 2023 14:20:42 +0000 Subject: [PATCH 14/14] Add 3rd protocol check: client MRENCLAVE verification --- README.md | 25 ++++++++++++++----- expected-client-mrenclave.txt | 1 + .../gramine/GramineRaVerifier.kt | 19 +++++++++++--- 3 files changed, 36 insertions(+), 9 deletions(-) create mode 100644 expected-client-mrenclave.txt diff --git a/README.md b/README.md index eefcb3d..5a65b7c 100644 --- a/README.md +++ b/README.md 
@@ -139,22 +139,35 @@ In this section we detail the setup process for SGX support of a system running ### Execution Instructions -Before building and running either of the two parties, we must provide **3** pieces of information to the underlying codebase: +Before building and running either of the two parties, we must provide **4** pieces of information to the underlying codebase: 1. In [idscp2-native.manifest.template](idscp2-native.manifest.template), insert the **SPID** of the _Intel SGX Attestation Service (Linkable)_ subscription, 2. In [GramineRaVerifier.kt](idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt), insert the corresponding **Primary Key**, 3. In the directory [idscp2-examples/src/main/resources/ssl](idscp2-examples/src/main/resources/ssl), insert the **Key Store** file named `localhost.p12`. +4. In the file [expected-client-mrenclave.txt](expected-client-mrenclave.txt), insert the **MRENCLAVE** value obtained after compiling and signing the executable (see below). -Having configured our environment, we can now execute IDSCP2 using Intel SGX. From the root directory of this project, we first run the Server: +First, we build the Client using the given Makefile: ```bash -./gradlew run +make all +``` + +After it is finished, the output of the build process should contain the following lines: +``` +Attributes: + mr_enclave: <32-byte-string-in-hex-format> + ..... + ``` -From a separate command prompt, we build the Client using the given Makefile: +We copy the MRENCLAVE value and insert it into the [expected-client-mrenclave.txt](expected-client-mrenclave.txt) file. This will ensure that the server will not accept connections to clients with different builds or altered in any way. + +> Note that, in production, our goal is not to add the expected MRENCLAVE value to a file, but to **extract it directly from the DAT** (new field in the JWT body)! 
+ +Having configured all our parameters, we can now execute IDSCP2 using Intel SGX. From the root directory of this project, we first run the Server: ```bash -make all +./gradlew run ``` -After the build process is done, we run the Client: +After the build process is done, we run the Client from a separate command prompt: ```bash sudo gramine-sgx idscp2-native ``` diff --git a/expected-client-mrenclave.txt b/expected-client-mrenclave.txt new file mode 100644 index 0000000..8904881 --- /dev/null +++ b/expected-client-mrenclave.txt @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt b/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt index 5801f13..bad4d83 100644 --- a/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt +++ b/idscp2-core/src/main/kotlin/de/fhg/aisec/ids/idscp2/defaultdrivers/remoteattestation/gramine/GramineRaVerifier.kt @@ -85,7 +85,7 @@ class GramineRaVerifier(fsmListener: RaVerifierFsmListener) : RaVerifierDriver