RubNoobs/Systemsicherheit
RubNoobs/Systemsicherheit
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[Assignment-7] app restructure and cleanup
Some checks failed
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (push) Successful in 1m2s
Details
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (push) Successful in 1m2s
Details
Latex Build / build-latex (Assignment 6 - Software Security - Teil 2) (push) Has been cancelled
Details
Latex Build / build-latex (Assignment 4 - Protokollsicherheit (Praxis)) (pull_request) Successful in 30s
Details
Latex Build / build-latex (Assignment 5 - Software Security - Teil 1) (pull_request) Successful in 8s
Details
Latex Build / build-latex (Assignment 6 - Software Security - Teil 2) (pull_request) Successful in 35s
Details

Browse source
This commit is contained in:
Paul Zinselmeyer 2024-07-06 17:25:06 +02:00
parent 5a12559f5d
commit a9d894a97d
Signed by: pfzetto
GPG key ID: B471A1AF06C895FD
10 changed files with 304 additions and 345 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
7-SGX_Hands-on/README.md Normal file
View file

@ -0,0 +1,13 @@
# Usage
## Setup
Initialize the Enclave keypair by executing:
`./signatureproxy proxysetup -pkey <sealed_proxy_key.bin> > <proxy_public_key.pem>`
## Sign
1. Create employee signature using `./signatureproxy employee -firm <firmware.bin> -ekey <employee_privat_key.pem> > <employee_signature.der>`
This step can also be done using OpenSSL: `openssl dgst -sha256 -sign <employee_private_key.pem> -out <employee_signature.der> -in <firmware.bin>`
2. Use the signature proxy to resign the firmware using `./signatureproxy proxy -pkey <sealed_proxy_key.bin> -epub <employee_public_key.der> -firm <firmware.bin> > <proxy_signature.der>`
The enclave verifies the employee signature and signs the firmware if the signature is valid.
3. Verify signature using `cat <proxy_signature.der> | ./signatureproxy embedded -firm <firmware.bin> -ppub <proxy_public_key.pem>`
This step can also be done using OpenSSL: `openssl dgst -sha256 -verify <proxy_public_key.pem> -signature <proxy-signature.der> <firmware.bin>`

2
7-SGX_Hands-on/src/Makefile
View file

@ -74,7 +74,7 @@ else
Urts_Library_Name := sgx_urts Urts_Library_Name := sgx_urts
endif endif
App_C_Files := app/main.c app/proxy.c app/proxysetup.c app/intermediary.c app/util.c App_C_Files := app/main.c app/proxy.c app/proxysetup.c app/employee.c app/util.c
App_Include_Paths := -IInclude -Iapp -I$(SGX_SDK)/include App_Include_Paths := -IInclude -Iapp -I$(SGX_SDK)/include
App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths) App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)

136
7-SGX_Hands-on/src/app/employee.c Normal file
View file

@ -0,0 +1,136 @@
#include <errno.h>
#include <sgx_urts.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "employee.h"
#include "util.h"
#include <openssl/core_names.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#define HASH_BYTES 32
#define HASH_CHUNK_BYTES 32
#define KEY_BYTES 32
struct EmployeeArgs {
char* key_path;
char* firmware_path;
};
char* employee_syntax(void) {
return
"employee mock up implementation of the employee binary\n"
" outputs signature on stdout\n"
" WARNING: output is in binary format, may mess up terminal\n"
" -ekey <path> file path of the PEM encoded private key of the employee\n"
" -firm <path> path of the firmware\n";
}
int handle_employee(int argc, char** argv) {
struct EmployeeArgs args = {
NULL,
NULL
};
FILE* key_file = NULL;
uint8_t* firmware_buf;
size_t firmware_len;
EVP_PKEY* key = NULL;
EVP_MD_CTX *mdctx = NULL;
size_t sig_len;
unsigned char* sig = NULL;
/*
* Parse Input
*/
int i = 0;
while(i < argc) {
if(strcmp(argv[i], "-ekey")==0 && argc-i >=2){
args.key_path = argv[i+1];
i += 2;
}else if(strcmp(argv[i], "-firm")==0 && argc-i >=2){
args.firmware_path = argv[i+1];
i += 2;
}else
syntax_exit();
}
if(args.key_path == NULL)
syntax_exit();
/*
* Load Signing Key
*/
key_file = fopen(args.key_path, "rb");
if(key_file == NULL){
perror("Error opening key file");
exit (EXIT_FAILURE);
}
key = PEM_read_PrivateKey(key_file, &key, NULL, NULL);
if(key == NULL) {
fprintf(stderr, "failed to read key\n");
exit (EXIT_FAILURE);
}
fclose(key_file);
/*
* Sign Firmware
*/
mdctx = EVP_MD_CTX_new();
if (EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, key) != 1) {
fprintf(stderr, "Message digest initialization failed.\n");
exit (EXIT_FAILURE);
}
if (load_file(args.firmware_path, &firmware_buf, &firmware_len) != 0) {
fprintf(stderr, "failed to read firmware\n");
exit (EXIT_FAILURE);
}
if (EVP_DigestSignUpdate(mdctx, firmware_buf, firmware_len) != 1) {
printf("Message digest update failed.\n");
exit(EXIT_FAILURE);
}
free(firmware_buf);
// call with empty sig to get length
if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) != 1) {
printf("Message digest finalization failed.\n");
exit (EXIT_FAILURE);
}
// allocate signature buffer
sig = malloc(sizeof(unsigned char) * sig_len);
if(sig == NULL){
perror("could not initialize digest buffer");
exit (EXIT_FAILURE);
}
// load signature into buffer
if (EVP_DigestSignFinal(mdctx, sig, &sig_len) != 1) {
printf("Message digest finalization failed.\n");
exit (EXIT_FAILURE);
}
fwrite(sig, sig_len, 1, stdout);
if (ferror(stdout) != 0) {
fprintf(stdout, "failed to write signature to stdout\n");
exit (EXIT_FAILURE);
}
fflush(stdout);
// free all allocated resources
free(sig);
EVP_MD_CTX_free(mdctx);
EVP_PKEY_free(key);
exit (EXIT_SUCCESS);
}

23
7-SGX_Hands-on/src/app/employee.h Normal file
View file

@ -0,0 +1,23 @@
#ifndef _APP_INTERMEDIARY_H_
#define _APP_INTERMEDIARY_H_
/*
* @brief getter for employee subcommand syntax string
*
* @returns null-terminated syntax string
*/
char* employee_syntax(void);
/*
* @brief CLI implementation for the "employee" subcommand
*
* @param argc number of arguments with command and subcommand stripped
* @param argv arguments with command and subcommand stripped
*
* @returns 0 on success, else error with output on stderr
*/
int handle_employee(int argc, char** argv);
#endif

6
7-SGX_Hands-on/src/app/main.c
View file

@ -1,7 +1,7 @@
#include <errno.h> #include <errno.h>
#include <string.h> #include <string.h>
#include "intermediary.h" #include "employee.h"
#include "proxy.h" #include "proxy.h"
#include "proxysetup.h" #include "proxysetup.h"
#include "util.h" #include "util.h"
@ -16,8 +16,8 @@ int main(int argc, char** argv) {
char* command = argv[1]; char* command = argv[1];
if(strcmp(command, "intermediary")==0) if(strcmp(command, "employee")==0)
handle_intermediary(argc-2, argv+2); handle_employee(argc-2, argv+2);
else if (strcmp(command, "proxy")==0) else if (strcmp(command, "proxy")==0)
handle_proxy(argc-2, argv+2); handle_proxy(argc-2, argv+2);
else if (strcmp(command, "proxysetup")==0) else if (strcmp(command, "proxysetup")==0)

128
7-SGX_Hands-on/src/app/proxy.c
View file

@ -5,18 +5,13 @@
#include <string.h> #include <string.h>
#include <openssl/core_names.h> #include <openssl/core_names.h>
#include <openssl/sha.h>
#include <openssl/ec.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/param_build.h>
#include <openssl/pem.h>
#include <sgx_tcrypto.h> #include <sgx_tcrypto.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include "enclave_u.h" #include "enclave_u.h"
#include "proxy.h" #include "proxy.h"
@ -36,10 +31,10 @@ char* proxy_syntax(void) {
" expects intermediary signature on stdin\n" " expects intermediary signature on stdin\n"
" outputs proxied signature on stdout\n" " outputs proxied signature on stdout\n"
" WARNING: output is binary format, may mess up terminal\n" " WARNING: output is binary format, may mess up terminal\n"
" -s <path> file path of the sealed proxy key\n" " -pkey <path> file path of the sealed proxy key\n"
" -t <path> file path of the sgx token\n"
" -epub <path> path of the PEM encoded employee public key\n" " -epub <path> path of the PEM encoded employee public key\n"
" -firm <path> path of the firmware\n"; " -firm <path> path of the firmware\n"
" -token <path> (optional) file path of the sgx token\n";
} }
static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public) static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public)
@ -208,18 +203,18 @@ cleanup:
} }
static int ECDSA_SIG_to_sgx_signature(ECDSA_SIG* ecdsa_sig, sgx_ec256_signature_t* sgx_signature) { static int ECDSA_SIG_to_sgx_signature(ECDSA_SIG* ecdsa_sig, sgx_ec256_signature_t* sgx_signature) {
BIGNUM* r = NULL; const BIGNUM* r = NULL;
BIGNUM* s = NULL; const BIGNUM* s = NULL;
int ret; int ret;
r = ECDSA_SIG_get0_r(ecdsa_sig); r = ECDSA_SIG_get0_r(ecdsa_sig);
s = ECDSA_SIG_get0_s(ecdsa_sig); s = ECDSA_SIG_get0_s(ecdsa_sig);
ret = BN_bn2lebinpad(r, sgx_signature->x, SGX_ECP256_KEY_SIZE); ret = BN_bn2lebinpad(r, (unsigned char*)sgx_signature->x, SGX_ECP256_KEY_SIZE);
if (ret == -1) if (ret == -1)
return (1); return (1);
ret = BN_bn2lebinpad(s, sgx_signature->y, SGX_ECP256_KEY_SIZE); ret = BN_bn2lebinpad(s, (unsigned char*)sgx_signature->y, SGX_ECP256_KEY_SIZE);
if (ret == -1) if (ret == -1)
return (2); return (2);
@ -286,10 +281,10 @@ int handle_proxy(int argc, char** argv) {
NULL, NULL,
NULL NULL
}; };
FILE* sealed_file; uint8_t* sealed;
FILE* firmware_file; size_t sealed_len;
uint8_t *sealed; uint8_t* firmware;
int sealed_size; size_t firmware_len;
unsigned char* ecdsa_signature_data; unsigned char* ecdsa_signature_data;
size_t ecdsa_signature_size = 0; size_t ecdsa_signature_size = 0;
uint8_t signature[70]; uint8_t signature[70];
@ -303,10 +298,10 @@ int handle_proxy(int argc, char** argv) {
int i = 0; int i = 0;
while(i < argc) { while(i < argc) {
if(strcmp(argv[i], "-s")==0 && argc-i >=2){ if(strcmp(argv[i], "-pkey")==0 && argc-i >=2){
args.sealed_key_file_path = argv[i+1]; args.sealed_key_file_path = argv[i+1];
i += 2; i += 2;
}else if(strcmp(argv[i], "-t")==0 && argc-i >=2){ }else if(strcmp(argv[i], "-token")==0 && argc-i >=2){
args.sgx_token_path = argv[i+1]; args.sgx_token_path = argv[i+1];
i += 2; i += 2;
}else if(strcmp(argv[i], "-epub")==0 && argc-i >=2){ }else if(strcmp(argv[i], "-epub")==0 && argc-i >=2){
@ -322,7 +317,6 @@ int handle_proxy(int argc, char** argv) {
if(args.sealed_key_file_path == NULL || args.employee_public_key_path == NULL || args.firmware_path == NULL) if(args.sealed_key_file_path == NULL || args.employee_public_key_path == NULL || args.firmware_path == NULL)
syntax_exit(); syntax_exit();
/* /*
* Read Signature Input * Read Signature Input
*/ */
@ -330,27 +324,27 @@ int handle_proxy(int argc, char** argv) {
ecdsa_signature_data = malloc(1024); ecdsa_signature_data = malloc(1024);
if (ecdsa_signature_data == NULL) { if (ecdsa_signature_data == NULL) {
perror("failed to allocate signature"); perror("failed to allocate signature");
exit(1); exit (EXIT_FAILURE);
} }
ecdsa_signature_size = fread(ecdsa_signature_data, 1, 1024, stdin); ecdsa_signature_size = fread(ecdsa_signature_data, 1, 1024, stdin);
if (ferror(stdin) != 0) { if (ferror(stdin) != 0) {
fprintf(stderr, "failed to read signature from stdin\n"); fprintf(stderr, "failed to read signature from stdin\n");
exit(1); exit (EXIT_FAILURE);
} }
ecdsa_signature = ECDSA_SIG_new(); ecdsa_signature = ECDSA_SIG_new();
ecdsa_signature = d2i_ECDSA_SIG(&ecdsa_signature, &ecdsa_signature_data, ecdsa_signature_size); ecdsa_signature = d2i_ECDSA_SIG(&ecdsa_signature, (const unsigned char**)&ecdsa_signature_data, ecdsa_signature_size);
ecdsa_signature_data = NULL; ecdsa_signature_data = NULL;
if (ecdsa_signature == NULL) { if (ecdsa_signature == NULL) {
fprintf(stderr, "failed to read signature"); fprintf(stderr, "failed to read signature\n");
exit(1); exit (EXIT_FAILURE);
} }
if (ECDSA_SIG_to_sgx_signature(ecdsa_signature, &sgx_signature) != 0) { if (ECDSA_SIG_to_sgx_signature(ecdsa_signature, &sgx_signature) != 0) {
fprintf(stderr, "failed to transform signature\n"); fprintf(stderr, "failed to transform signature\n");
exit(1); exit (EXIT_FAILURE);
} }
ECDSA_SIG_free(ecdsa_signature); ECDSA_SIG_free(ecdsa_signature);
ecdsa_signature = NULL; ecdsa_signature = NULL;
@ -372,90 +366,42 @@ int handle_proxy(int argc, char** argv) {
} }
key = PEM_read_PUBKEY(key_file, &key, NULL, NULL); key = PEM_read_PUBKEY(key_file, &key, NULL, NULL);
if(key == NULL) { if(key == NULL) {
fprintf(stderr, "failed to read employee public key"); fprintf(stderr, "failed to read employee public key\n");
exit(1); exit (EXIT_FAILURE);
} }
fclose(key_file); fclose(key_file);
sgx_ec256_public_t sgx_public; sgx_ec256_public_t sgx_public;
if (EVP_PKEY_to_sgx_public(key, &sgx_public) != 0) { if (EVP_PKEY_to_sgx_public(key, &sgx_public) != 0) {
fprintf(stderr, "failed transform employee public key"); fprintf(stderr, "failed transform employee public key\n");
exit(1);
}
/*
* Read Sealed Proxy Keypair
*/
sealed_file = fopen(args.sealed_key_file_path, "rb");
if(sealed_file == NULL){
perror("Error opening sealed_key_file file");
exit(1);
}
ret = get_sealed_size(get_global_eid(), &sealed_size);
if (ret != SGX_SUCCESS) {
print_error_message(ret);
exit (1);
}
sealed = malloc(sizeof(uint8_t)*sealed_size);
if (sealed == NULL) {
fprintf(stderr, "failed to allocate for sealed key");
exit(1);
}
size_t sealed_read = fread(sealed, sealed_size, 1, sealed_file);
if (sealed_read != 1) {
fprintf(stderr, "failed to read sealed private key");
exit (EXIT_FAILURE); exit (EXIT_FAILURE);
} }
fclose(sealed_file); //Read Sealed Proxy Keypair
if (load_file(args.sealed_key_file_path, &sealed, &sealed_len)!=0){
/* fprintf(stderr, "failed to read sealed key\n");
* Read Firmware
*/
int firmware_file_des = open(args.firmware_path, O_RDWR);
if(firmware_file_des == 0){
perror("Error opening firmware file");
exit(EXIT_FAILURE);
}
struct stat stat;
if (fstat(firmware_file_des, &stat) != 0) {
perror("failed to get firmware size");
exit (EXIT_FAILURE); exit (EXIT_FAILURE);
} }
firmware_file = fopen(args.firmware_path, "rb"); // Read Firmware
if(firmware_file == NULL){ if (load_file(args.firmware_path, &firmware, &firmware_len)!=0){
perror("Error opening firmware file");
exit(EXIT_FAILURE);
}
size_t firmware_size = stat.st_size;
uint8_t* firmware_buf = malloc(firmware_size);
if (firmware_buf == NULL) {
perror("failed to allocate firmware buffer");
exit (EXIT_FAILURE);
}
if (fread(firmware_buf, firmware_size, 1, firmware_file) != 1 || ferror(firmware_file) != 0) {
fprintf(stderr, "failed to read firmware\n"); fprintf(stderr, "failed to read firmware\n");
exit (EXIT_FAILURE); exit (EXIT_FAILURE);
} }
fclose(firmware_file);
/* /*
* Use Enclave To Resign the Firmware * Use Enclave To Resign the Firmware
*/ */
sign_firmware(get_global_eid(), &ret, firmware_buf, firmware_size, sealed, sealed_size, (uint8_t*)&sgx_public, (uint8_t*)&sgx_signature); sign_firmware(get_global_eid(), &ret, firmware, firmware_len, sealed, sealed_len, (uint8_t*)&sgx_public, (uint8_t*)&sgx_signature);
if (ret != SGX_SUCCESS) { if (ret != SGX_SUCCESS) {
print_error_message(ret); sgx_print_error_message(ret);
exit (1); exit (1);
} }
free(sealed);
free(firmware);
/* /*
* Output Signature * Output Signature
*/ */
@ -483,9 +429,5 @@ int handle_proxy(int argc, char** argv) {
free(ecdsa_signature_data); free(ecdsa_signature_data);
ECDSA_SIG_free(ecdsa_signature); ECDSA_SIG_free(ecdsa_signature);
free(sealed); exit (EXIT_SUCCESS);
exit(0);
} }

270
7-SGX_Hands-on/src/app/proxysetup.c
View file

@ -5,16 +5,14 @@
#include <string.h> #include <string.h>
#include <openssl/core_names.h> #include <openssl/core_names.h>
#include <openssl/sha.h>
#include <openssl/ec.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/param_build.h>
#include <openssl/pem.h>
#include <sgx_tcrypto.h> #include <sgx_tcrypto.h>
#include "enclave_u.h" #include "enclave_u.h"
#include "proxy.h" #include "proxysetup.h"
#include "util.h" #include "util.h"
struct ProxysetupArgs { struct ProxysetupArgs {
@ -24,14 +22,12 @@ struct ProxysetupArgs {
char* proxysetup_syntax(void) { char* proxysetup_syntax(void) {
return return
"proxysetup implementation of the enclave-powered SignatureProxy\n" "proxysetup implementation of the enclave-powered SignatureProxy\n"
" outputs public key on stdout\n" " outputs public key on stdout\n"
" -s <path> file path of the sealed proxy key\n" " -pkey <path> file path of the sealed proxy key\n"
" -t <path> file path of the sgx token\n"; " -token <path> (optional) file path of the sgx token\n";
} }
static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public) static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public)
{ {
EVP_PKEY *evp_key = NULL; EVP_PKEY *evp_key = NULL;
@ -133,217 +129,16 @@ static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public)
return evp_key; return evp_key;
} }
static int EVP_PKEY_to_sgx_public(EVP_PKEY* ecdsa_key, sgx_ec256_public_t* sgx_public) {
EC_GROUP* group = NULL;
EC_POINT *point = NULL;
BIGNUM* pub_x = NULL;
BIGNUM* pub_y = NULL;
size_t ec_key_buf_len = 0;
unsigned char ec_key_buf[1024];
int ret;
int retval;
group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
if (group == NULL)
return 1;
point = EC_POINT_new(group);
if (point == NULL)
return 2;
ret = EVP_PKEY_get_octet_string_param(ecdsa_key, OSSL_PKEY_PARAM_PUB_KEY, ec_key_buf, 1024, &ec_key_buf_len);
if (ret != 1)
return 3;
ret = EC_POINT_oct2point(group, point, ec_key_buf, ec_key_buf_len, NULL);
if (ret != 1){
retval = 4;
goto cleanup;
}
pub_x = BN_new();
pub_y = BN_new();
ret = EC_POINT_get_affine_coordinates(group, point, pub_x, pub_y, NULL);
if (ret != 1){
retval = 5;
goto cleanup;
}
ret = BN_bn2lebinpad(pub_x, sgx_public->gx, SGX_ECP256_KEY_SIZE);
if (ret == -1){
retval = 6;
goto cleanup;
}
ret = BN_bn2lebinpad(pub_y, sgx_public->gy, SGX_ECP256_KEY_SIZE);
if (ret == -1){
retval = 7;
goto cleanup;
}
cleanup:
if (pub_x != NULL)
BN_clear_free(pub_x);
if (pub_y != NULL)
BN_clear_free(pub_y);
if (point != NULL)
EC_POINT_clear_free(point);
if (group != NULL)
EC_GROUP_free(group);
return (retval);
}
/*
sgx_status_t pfz_ecdsa_verify_hash(const uint8_t *p_data,
const sgx_ec256_public_t *p_public,
const sgx_ec256_signature_t *p_signature,
uint8_t *p_result,
sgx_ecc_state_handle_t ecc_handle)
{
if ((ecc_handle == NULL) || (p_public == NULL) || (p_signature == NULL) ||
(p_data == NULL) || (p_result == NULL)) {
return SGX_ERROR_INVALID_PARAMETER;
}
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY *public_key = NULL;
BIGNUM *bn_r = NULL;
BIGNUM *bn_s = NULL;
ECDSA_SIG *ecdsa_sig = NULL;
unsigned char *sig_data = NULL;
size_t sig_size = 0;
sgx_status_t retval = SGX_ERROR_UNEXPECTED;
int ret = -1;
*p_result = SGX_EC_INVALID_SIGNATURE;
do {
public_key = pfz_get_pub_key_from_coords(p_public, ecc_handle);
if(NULL == public_key) {
break;
}
// converts the x value of the signature, represented as positive integer in little-endian into a BIGNUM
//
bn_r = BN_lebin2bn((unsigned char*)p_signature->x, sizeof(p_signature->x), 0);
if (NULL == bn_r) {
break;
}
// converts the y value of the signature, represented as positive integer in little-endian into a BIGNUM
//
bn_s = BN_lebin2bn((unsigned char*)p_signature->y, sizeof(p_signature->y), 0);
if (NULL == bn_s) {
break;
}
// allocates a new ECDSA_SIG structure (note: this function also allocates the BIGNUMs) and initialize it
//
ecdsa_sig = ECDSA_SIG_new();
if (NULL == ecdsa_sig) {
retval = SGX_ERROR_OUT_OF_MEMORY;
break;
}
// setes the r and s values of ecdsa_sig
// calling this function transfers the memory management of the values to the ECDSA_SIG object,
// and therefore the values that have been passed in should not be freed directly after this function has been called
//
if (1 != ECDSA_SIG_set0(ecdsa_sig, bn_r, bn_s)) {
ECDSA_SIG_free(ecdsa_sig);
ecdsa_sig = NULL;
break;
}
sig_size = i2d_ECDSA_SIG(ecdsa_sig, &sig_data);
if (sig_size <= 0) {
break;
}
ctx = EVP_PKEY_CTX_new(public_key, NULL);
if (!ctx) {
break;
}
if (1 != EVP_PKEY_verify_init(ctx)) {
break;
}
if (1 != EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256())) {
break;
}
ret = EVP_PKEY_verify(ctx, sig_data, sig_size, p_data, SGX_SHA256_HASH_SIZE);
if (ret < 0) {
break;
}
// sets the p_result based on verification result
//
if (ret == 1)
*p_result = SGX_EC_VALID;
retval = SGX_SUCCESS;
} while(0);
if (ecdsa_sig) {
ECDSA_SIG_free(ecdsa_sig);
bn_r = NULL;
bn_s = NULL;
}
if (ctx)
EVP_PKEY_CTX_free(ctx);
if (public_key)
EVP_PKEY_free(public_key);
if (bn_r)
BN_clear_free(bn_r);
if (bn_s)
BN_clear_free(bn_s);
return retval;
}
sgx_status_t pfz_ecc256_open_context(sgx_ecc_state_handle_t* p_ecc_handle)
{
if (p_ecc_handle == NULL) {
return SGX_ERROR_INVALID_PARAMETER;
}
sgx_status_t retval = SGX_SUCCESS;
EC_GROUP* ec_group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
if (NULL == ec_group) {
retval = SGX_ERROR_UNEXPECTED;
} else {
*p_ecc_handle = (void*)ec_group;
}
return retval;
}
sgx_status_t pfz_ecdsa_verify(const uint8_t *p_data,
uint32_t data_size,
const sgx_ec256_public_t *p_public,
const sgx_ec256_signature_t *p_signature,
uint8_t *p_result,
sgx_ecc_state_handle_t ecc_handle)
{
if ((ecc_handle == NULL) || (p_public == NULL) || (p_signature == NULL) ||
(p_data == NULL) || (data_size < 1) || (p_result == NULL)) {
return SGX_ERROR_INVALID_PARAMETER;
}
unsigned char digest[SGX_SHA256_HASH_SIZE] = { 0 };
SHA256((const unsigned char *)p_data, data_size, (unsigned char *)digest);
return (pfz_ecdsa_verify_hash(digest, p_public, p_signature, p_result, ecc_handle));
}
*/
int handle_proxysetup(int argc, char** argv) { int handle_proxysetup(int argc, char** argv) {
struct ProxysetupArgs args = { struct ProxysetupArgs args = {
NULL, NULL,
NULL NULL
}; };
FILE* sealed_file; FILE* sealed_file;
int sealed_size;
uint8_t* sealed;
sgx_ec256_public_t sgx_public_key;
EVP_PKEY* public_key;
sgx_status_t sgx_ret; sgx_status_t sgx_ret;
/* /*
@ -352,10 +147,10 @@ int handle_proxysetup(int argc, char** argv) {
int i = 0; int i = 0;
while(i < argc) { while(i < argc) {
if(strcmp(argv[i], "-s")==0 && argc-i >=2){ if(strcmp(argv[i], "-pkey")==0 && argc-i >=2){
args.sealed_key_file_path = argv[i+1]; args.sealed_key_file_path = argv[i+1];
i += 2; i += 2;
}else if(strcmp(argv[i], "-t")==0 && argc-i >=2){ }else if(strcmp(argv[i], "-token")==0 && argc-i >=2){
args.sgx_token_path = argv[i+1]; args.sgx_token_path = argv[i+1];
i += 2; i += 2;
}else }else
@ -370,7 +165,7 @@ int handle_proxysetup(int argc, char** argv) {
*/ */
if (initialize_enclave(args.sgx_token_path) != 0) if (initialize_enclave(args.sgx_token_path) != 0)
exit(1); exit (EXIT_FAILURE);
/* /*
* Setup Sealed Keypair * Setup Sealed Keypair
@ -379,19 +174,18 @@ int handle_proxysetup(int argc, char** argv) {
sealed_file = fopen(args.sealed_key_file_path, "wb"); sealed_file = fopen(args.sealed_key_file_path, "wb");
if(sealed_file == NULL){ if(sealed_file == NULL){
perror("Error opening sealed_key_file file"); perror("Error opening sealed_key_file file");
exit(1); exit (EXIT_FAILURE);
} }
int sealed_size;
sgx_ret = get_sealed_size(get_global_eid(), &sealed_size); sgx_ret = get_sealed_size(get_global_eid(), &sealed_size);
if (sgx_ret != SGX_SUCCESS) { if (sgx_ret != SGX_SUCCESS) {
print_error_message(sgx_ret); sgx_print_error_message(sgx_ret);
exit (1); exit (EXIT_FAILURE);
} }
uint8_t* sealed = malloc(sizeof(uint8_t)*sealed_size); sealed = malloc(sizeof(uint8_t)*sealed_size);
if (sealed == NULL) { if (sealed == NULL) {
fprintf(stderr, "failed to allocate for sealed key"); fprintf(stderr, "failed to allocate for sealed key");
exit(1); exit (EXIT_FAILURE);
} }
/* /*
@ -400,8 +194,8 @@ int handle_proxysetup(int argc, char** argv) {
generate_key_pair(get_global_eid(), &sgx_ret, sealed, sealed_size); generate_key_pair(get_global_eid(), &sgx_ret, sealed, sealed_size);
if (sgx_ret != SGX_SUCCESS) { if (sgx_ret != SGX_SUCCESS) {
print_error_message(sgx_ret); sgx_print_error_message(sgx_ret);
exit (1); exit (EXIT_FAILURE);
} }
/* /*
@ -410,7 +204,7 @@ int handle_proxysetup(int argc, char** argv) {
if (fwrite(sealed, sealed_size, 1, sealed_file) != 1 || ferror(sealed_file) != 0) { if (fwrite(sealed, sealed_size, 1, sealed_file) != 1 || ferror(sealed_file) != 0) {
fprintf(stderr, "failed to write sealed key"); fprintf(stderr, "failed to write sealed key");
exit(1); exit (EXIT_FAILURE);
} }
fflush(sealed_file); fflush(sealed_file);
fclose(sealed_file); fclose(sealed_file);
@ -419,27 +213,21 @@ int handle_proxysetup(int argc, char** argv) {
* Fetch Public Key From Enclave And Print * Fetch Public Key From Enclave And Print
*/ */
sgx_ec256_public_t sgx_public_key;
get_public_key(get_global_eid(), &sgx_ret, sealed, sealed_size, (uint8_t*)&sgx_public_key); get_public_key(get_global_eid(), &sgx_ret, sealed, sealed_size, (uint8_t*)&sgx_public_key);
if (sgx_ret != SGX_SUCCESS) { if (sgx_ret != SGX_SUCCESS) {
print_error_message(sgx_ret); sgx_print_error_message(sgx_ret);
exit (1);
}
EVP_PKEY* public_key = sgx_public_to_EVP_PKEY(&sgx_public_key);
if (PEM_write_PUBKEY(stdout, public_key, NULL, NULL) != 1) {
fprintf(stderr, "could not write publickey\n");
exit (EXIT_FAILURE); exit (EXIT_FAILURE);
} }
public_key = sgx_public_to_EVP_PKEY(&sgx_public_key);
if (PEM_write_PUBKEY(stdout, public_key) != 1) {
fprintf(stderr, "could not write publickey\n");
exit (EXIT_FAILURE);
}
fflush(stdout); fflush(stdout);
EVP_PKEY_free(public_key); EVP_PKEY_free(public_key);
free(sealed); free(sealed);
exit(0); exit (EXIT_SUCCESS);
} }

4
7-SGX_Hands-on/src/app/proxysetup.h
View file

@ -1,5 +1,5 @@
#ifndef _APP_PROXY_H_ #ifndef _APP_PROXYSETUP_H_
#define _APP_PROXY_H_ #define _APP_PROXYSETUP_H_
/* /*

55
7-SGX_Hands-on/src/app/util.c
View file

@ -1,11 +1,16 @@
#include <errno.h> #include <errno.h>
#include <fcntl.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include "employee.h"
#include "util.h" #include "util.h"
#include "proxy.h" #include "proxy.h"
#include "proxysetup.h" #include "proxysetup.h"
#include "intermediary.h"
static char* BIN_NAME = "SignatureProxy"; static char* BIN_NAME = "SignatureProxy";
@ -24,8 +29,8 @@ void syntax_exit(void) {
"\n" "\n"
"%s"; "%s";
printf(syntax, BIN_NAME, intermediary_syntax(), proxy_syntax(), proxysetup_syntax()); printf(syntax, BIN_NAME, employee_syntax(), proxy_syntax(), proxysetup_syntax());
exit(1); exit (EXIT_FAILURE);
} }
void set_bin_name(char* bin_name) { void set_bin_name(char* bin_name) {
@ -118,7 +123,7 @@ static sgx_errlist_t sgx_errlist[] = {
}; };
/* Check error conditions for loading enclave */ /* Check error conditions for loading enclave */
void print_error_message(sgx_status_t ret) void sgx_print_error_message(sgx_status_t ret)
{ {
size_t idx = 0; size_t idx = 0;
size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0]; size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0];
@ -161,7 +166,7 @@ int initialize_enclave(char* token_path) {
ret = sgx_create_enclave("enclave.signed.so", SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL); ret = sgx_create_enclave("enclave.signed.so", SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL);
if (ret != SGX_SUCCESS) { if (ret != SGX_SUCCESS) {
print_error_message(ret); sgx_print_error_message(ret);
return (1); return (1);
} }
@ -183,3 +188,43 @@ int initialize_enclave(char* token_path) {
sgx_enclave_id_t get_global_eid(void){ sgx_enclave_id_t get_global_eid(void){
return global_eid; return global_eid;
} }
int load_file(const char* path, uint8_t** data, size_t* data_len) {
FILE* file;
size_t file_size;
uint8_t* buf;
int file_des = open(path, O_RDWR);
if(file_des == 0)
return (1);
struct stat stat;
if (fstat(file_des, &stat) != 0){
close(file_des);
return (2);
}
close(file_des);
file_size = stat.st_size;
buf = malloc(file_size);
if (buf == NULL)
return (3);
file = fopen(path, "rb");
if(file == NULL){
free(buf);
return (4);
}
if (fread(buf, file_size, 1, file) != 1 || ferror(file) != 0) {
free(buf);
fclose(file);
return (5);
}
fclose(file);
*data = buf;
*data_len = file_size;
return (0);
}

12
7-SGX_Hands-on/src/app/util.h
View file

@ -18,4 +18,16 @@ int initialize_enclave(char* token_path);
sgx_enclave_id_t get_global_eid(void); sgx_enclave_id_t get_global_eid(void);
/*
* @brief loads a file completely into the HEAP
*
* Loads a File into HEAP and returns a dynamically allocated buffer.
*
* @param path path of the file
* @param data allocated buffer output
* @param data_len length of the allocated buffer
* @returns 0 on success, non zero on error
*/
int load_file(const char* path, uint8_t** data, size_t* data_len);
#endif #endif