diff --git a/Assignment 7 - SGX Hands-on/src/enclave/enclave.c b/Assignment 7 - SGX Hands-on/src/enclave/enclave.c
index 2e36ba8..9fd9d9f 100644
--- a/Assignment 7 - SGX Hands-on/src/enclave/enclave.c
+++ b/Assignment 7 - SGX Hands-on/src/enclave/enclave.c
@@ -202,3 +202,65 @@ sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sea
 sgx_ecc256_close_context(ecc_handle);
 return seal_status;
 }
+
+sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, uint32_t public_key_size, const uint8_t *signature, uint32_t signature_size) {
+ // invalid parameter handling
+ if((data == NULL) || (data_size == 0)) {
+ return SGX_ERROR_INVALID_PARAMETER;
+ } else if(((sealed == NULL) || (sealed_size == 0)) && ((public_key == NULL) || (public_key_size == 0))) {
+ return SGX_ERROR_INVALID_PARAMETER;
+ } else if((sealed != NULL) && (public_key != NULL)) {
+ return SGX_ERROR_INVALID_PARAMETER;
+ } else if((signature == NULL) || (signature_size == 0)) {
+ return SGX_ERROR_INVALID_PARAMETER;
+ }
+
+ // declare need structures
+ sgx_ec256_signature_t ecc_signature;
+ sgx_ecc_state_handle_t ecc_handle;
+ sgx_ec256_public_t public;
+
+ // invalid signature
+ if(signature_size > SI_SIZE) {
+ return SGX_ERROR_INVALID_PARAMETER;
+ }
+
+ // open ecc handle
+ sgx_status_t status;
+ if((status = sgx_ecc256_open_context(&ecc_handle)) != SGX_SUCCESS) {
+ return status;
+ }
+
+ // copy signature into struct
+ memcpy(ecc_signature.x, signature, SI_SIZE);
+
+ // verify signature from staff or enclave
+ if(public_key != NULL) {
+ // invalid public key
+ if(public_key_size != PK_SIZE) {
+ return SGX_ERROR_INVALID_PARAMETER;
+ }
+
+ // copy public key into struct
+ memcpy(public.gx, public_key, PK_SIZE);
+ } else {
+ // unseal public key
+ if(unseal_key_pair(sealed, NULL, &public) != SGX_SUCCESS) {
+ sgx_ecc256_close_context(ecc_handle);
+ return SGX_ERROR_UNEXPECTED;
+ }
+ }
+
+ // verify signature
+ uint8_t result;
+ sgx_status_t verification_status = sgx_ecdsa_verify((const uint8_t *)data, data_size, (const sgx_ec256_public_t *)&public, (const sgx_ec256_signature_t *)&ecc_signature, &result, ecc_handle);
+
+ // handle failed verification process
+ if(verification_status != SGX_SUCCESS) {
+ result = verification_status;
+ }
+
+ // close handle and return result
+ sgx_ecc256_close_context(ecc_handle);
+ return result;
+}
\ No newline at end of file
diff --git a/Assignment 7 - SGX Hands-on/src/enclave/enclave.edl b/Assignment 7 - SGX Hands-on/src/enclave/enclave.edl
index 978b9d7..590207b 100644
--- a/Assignment 7 - SGX Hands-on/src/enclave/enclave.edl
+++ b/Assignment 7 - SGX Hands-on/src/enclave/enclave.edl
@@ -46,6 +46,7 @@ enclave {
 public int get_private_key_size();
 public sgx_status_t get_public_key([in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [out, size=gx_size]uint8_t *gx, uint32_t gx_size, [out, size=gx_size]uint8_t *gy, uint32_t gy_size);
 public sgx_status_t sign_firmware([in, size=data_size]const uint8_t *data, uint32_t data_size, [in, out, size=sealed_size]uint8_t *sealed, uint32_t sealed_size, [out, size=signature_size]uint8_t *signature, uint32_t signature_size);
+ public sgx_status_t verify_firmware([in, size=data_size]const uint8_t *data, uint32_t data_size, [in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [in, size=public_key_size]const uint8_t *public_key, uint32_t public_key_size, [in, size=signature_size]const uint8_t *signature, uint32_t signature_size);
 };
 /*
diff --git a/Assignment 7 - SGX Hands-on/src/enclave/enclave.h b/Assignment 7 - SGX Hands-on/src/enclave/enclave.h
index 1901aba..37a1efb 100644
--- a/Assignment 7 - SGX Hands-on/src/enclave/enclave.h
+++ b/Assignment 7 - SGX Hands-on/src/enclave/enclave.h
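Review bot: The length check `if(signature_size > SI_SIZE)` in verify_firmware rejects only oversized input, while `memcpy(ecc_signature.x, signature, SI_SIZE)` always reads SI_SIZE bytes, so a shorter signature buffer is over-read inside the enclave; the comparison should be `!=`. The `public_key_size != PK_SIZE` return comes after sgx_ecc256_open_context() and leaves the handle open, so both size checks are better placed before the context is opened. On the return path, `result = verification_status;` narrows an sgx_status_t into a uint8_t, and any status whose low byte is zero would come back as 0, which callers read as a valid signature. The sketch below keeps the existing 0-means-valid convention but returns the status untruncated and starts `result` at SGX_EC_INVALID_SIGNATURE so the function fails closed. SI_SIZE and PK_SIZE are defined outside this hunk, so I am assuming they equal the full signature and public-key sizes.

```c
    // … unchanged: NULL / zero-length parameter checks and declarations …

    // exact-length checks, done before any handle is opened
    if(signature_size != SI_SIZE) {
        return SGX_ERROR_INVALID_PARAMETER;
    }
    if((public_key != NULL) && (public_key_size != PK_SIZE)) {
        return SGX_ERROR_INVALID_PARAMETER;
    }

    // … unchanged: open context, copy signature, copy or unseal public key (inner size check dropped) …

    // fail closed: only an explicit SGX_EC_VALID from the library counts
    uint8_t result = SGX_EC_INVALID_SIGNATURE;
    sgx_status_t verification_status = sgx_ecdsa_verify(data, data_size, &public, &ecc_signature, &result, ecc_handle);
    sgx_ecc256_close_context(ecc_handle);

    if(verification_status != SGX_SUCCESS) {
        return verification_status;
    }
    return (sgx_status_t)result;
```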
@@ -46,5 +46,6 @@ int get_private_key_size(); sgx_status_t get_public_key(const uint8_t *sealed, const uint32_t sealed_size, uint8_t *gx, uint32_t gx_size, uint8_t *gy, uint32_t gy_size); sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sealed, uint32_t sealed_size, uint8_t *signature, uint32_t signature_size); +sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, uint32_t public_key_size, const uint8_t *signature, uint32_t signature_size); #endif /* !_ENCLAVE_H_ */ \ No newline at end of file
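Review bot: The new verify_firmware prototype carries a contract that the declaration does not state: the implementation in enclave.c accepts exactly one of `sealed` and `public_key`, and it returns the sgx_ecdsa_verify result byte through an sgx_status_t. A header comment such as `/* exactly one of sealed / public_key must be non-NULL; returns 0 (SGX_SUCCESS) only when the signature is valid */` would keep callers from passing both key sources or misreading a non-zero return. Whether other prototypes in this header carry comments is not visible from this hunk.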