From c1351d485328733fd6b941b4cb139c74d82e1c9b Mon Sep 17 00:00:00 2001 From: Sascha Tommasone Date: Sat, 6 Jul 2024 13:28:46 +0200 Subject: [PATCH] [Assignment-7] hardcoded public key/signatures sizes; cleaned up unused code --- 7-SGX_Hands-on/src/enclave/enclave.c | 157 ++++++++++--------------- 7-SGX_Hands-on/src/enclave/enclave.edl | 8 +- 7-SGX_Hands-on/src/enclave/enclave.h | 11 +- 3 files changed, 71 insertions(+), 105 deletions(-) diff --git a/7-SGX_Hands-on/src/enclave/enclave.c b/7-SGX_Hands-on/src/enclave/enclave.c index fc5da89..050ed8b 100644 --- a/7-SGX_Hands-on/src/enclave/enclave.c +++ b/7-SGX_Hands-on/src/enclave/enclave.c @@ -41,6 +41,7 @@ #include #include + #ifndef SK_SIZE #define SK_SIZE SGX_ECP256_KEY_SIZE #endif @@ -49,15 +50,14 @@ #define PK_SIZE 2*SK_SIZE #endif -#ifndef SI_SIZE -#define SI_SIZE 2*SK_SIZE// + 8 +#ifndef DG_SIZE +#define DG_SIZE SK_SIZE +#endif + +#ifndef SI_SIZE +#define SI_SIZE 2*SK_SIZE #endif -#define SWAP_UINT32(x) \ - (((x) >> 24) & 0x000000FF) | \ - (((x) >> 8) & 0x0000FF00) | \ - (((x) << 8) & 0x00FF0000) | \ - (((x) << 24) & 0xFF000000) const sgx_ec256_public_t authorized[2] = { { @@ -70,6 +70,11 @@ const sgx_ec256_public_t authorized[2] = { } }; + +int get_digest_size() { + return DG_SIZE; +} + int get_sealed_size() { return sgx_calc_sealed_data_size(PK_SIZE, SK_SIZE); } @@ -86,27 +91,7 @@ int get_private_key_size() { return SK_SIZE; } -static inline void pk_little_to_big(uint8_t *pk) { - uint32_t i, j; - - for(i = 0, j = PK_SIZE / 2 - 1; i < j; i++, j--) { - uint8_t tmp = pk[i]; - pk[i] = pk[j]; - pk[j] = tmp; - } - - for(i = PK_SIZE / 2, j = PK_SIZE - 1; i < j; i++, j--) { - uint8_t tmp = pk[i]; - pk[i] = pk[j]; - pk[j] = tmp; - } -} - -static sgx_status_t seal_key_pair(sgx_ec256_private_t *private, sgx_ec256_public_t *public, uint8_t **sealed, uint32_t sealed_size) { - // invalid parameter handling - if((private == NULL) || (public == NULL)) - return SGX_ERROR_INVALID_PARAMETER; - +static sgx_status_t seal_key_pair(const sgx_ec256_private_t *private, const sgx_ec256_public_t *public, uint8_t **sealed) { // allocate temporary buffers on stack uint8_t pk[PK_SIZE] = {0}; uint8_t sk[SK_SIZE] = {0}; @@ -115,14 +100,8 @@ static sgx_status_t seal_key_pair(sgx_ec256_private_t *private, sgx_ec256_public memcpy(pk, public->gx, PK_SIZE); memcpy(sk, private->r, SK_SIZE); - // calculate needed size - uint32_t size = get_sealed_size(); - if(size > sealed_size) { - return SGX_ERROR_INVALID_PARAMETER; - } - // seal keypair - return sgx_seal_data(PK_SIZE, (const uint8_t *)pk, SK_SIZE, (const uint8_t *)sk, size, (sgx_sealed_data_t *) *sealed); + return sgx_seal_data(PK_SIZE, (const uint8_t *)pk, SK_SIZE, (const uint8_t *)sk, get_sealed_size(), (sgx_sealed_data_t *) *sealed); } static sgx_status_t unseal_key_pair(const uint8_t *sealed, sgx_ec256_private_t *private, sgx_ec256_public_t *public) { @@ -160,37 +139,54 @@ static sgx_status_t unseal_key_pair(const uint8_t *sealed, sgx_ec256_private_t * return status; } -sgx_status_t get_public_key(const uint8_t *sealed, uint32_t sealed_size, uint8_t *public_key, uint32_t public_key_size) { +sgx_status_t generate_key_pair(uint8_t *sealed, uint32_t sealed_size) { // invalid parameter handling - if((sealed == NULL) || (sealed_size == 0)) { + if((sealed == NULL) || (sealed_size != get_sealed_size())) { + return SGX_ERROR_INVALID_PARAMETER; + } + + // declare needed structs + sgx_ecc_state_handle_t ecc_handle; + sgx_ec256_private_t private; + sgx_ec256_public_t public; + sgx_status_t status; + + // open ecc handle + if((status = sgx_ecc256_open_context(&ecc_handle)) != SGX_SUCCESS) { + return status; + } + + // create ecc keypair + if((status = sgx_ecc256_create_key_pair(&private, &public, ecc_handle)) != SGX_SUCCESS) { + sgx_ecc256_close_context(ecc_handle); + return status; + } + + // return status of sealing + return seal_key_pair(&private, &public, &sealed); +} + +sgx_status_t get_public_key(const uint8_t *sealed, uint32_t sealed_size, uint8_t *public) { + // invalid parameter handling + if((sealed == NULL) || (sealed_size != get_sealed_size())) { + return SGX_ERROR_INVALID_PARAMETER; + } else if(public == NULL) { return SGX_ERROR_INVALID_PARAMETER; } // unseal public key sgx_status_t status; - sgx_ec256_public_t public; - if((status = unseal_key_pair(sealed, NULL, &public)) != SGX_SUCCESS) { + if((status = unseal_key_pair(sealed, NULL, (sgx_ec256_public_t *)public)) != SGX_SUCCESS) { return status; } - // copy public key into return buffer - // swap endianess - if((public_key != NULL) && (public_key != NULL) && (public_key_size == PK_SIZE)) { - memcpy(public_key, public.gx, SK_SIZE); - pk_little_to_big(public_key); - } - // return success return status; } -static sgx_status_t verify_signature(const uint8_t *data, const uint32_t data_size, const sgx_ec256_public_t *public, const sgx_ec256_signature_t* ecc_signature) { +static sgx_status_t verify_signature(const uint8_t *data, uint32_t data_size, const sgx_ec256_public_t *public, const sgx_ec256_signature_t* ecc_signature) { // invalid parameter handling - if((data == NULL) || (data_size == 0)) { - return SGX_ERROR_INVALID_PARAMETER; - } else if(public == NULL) { - return SGX_ERROR_INVALID_PARAMETER; - } else if(ecc_signature == NULL) { + if((data == NULL) || (data_size == 0) || (public == NULL) || (ecc_signature == NULL)) { return SGX_ERROR_INVALID_PARAMETER; } @@ -205,7 +201,6 @@ static sgx_status_t verify_signature(const uint8_t *data, const uint32_t data_si // verify signature uint8_t result; - // sgx_ecdsa_verify_hash sgx_status_t verification_status = sgx_ecdsa_verify(data, data_size, public, ecc_signature, &result, ecc_handle); // handle failed verification process @@ -218,19 +213,17 @@ static sgx_status_t verify_signature(const uint8_t *data, const uint32_t data_si return result; } -sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sealed, uint32_t sealed_size, uint8_t *public_key, uint32_t public_key_size, uint8_t *signature, uint32_t signature_size) { +sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, uint8_t *public_key, uint8_t *signature) { // invalid parameter handling - if((data == NULL) || (data_size == 0)) { + if((data == NULL) || (data_size == 0) || (public_key == NULL) || (signature == NULL)) { return SGX_ERROR_INVALID_PARAMETER; - } else if((sealed == NULL) || (sealed_size == 0)) { - return SGX_ERROR_INVALID_PARAMETER; - } else if((public_key == NULL) || (public_key_size != PK_SIZE)) { + } else if((sealed == NULL) || (sealed_size != get_sealed_size())) { return SGX_ERROR_INVALID_PARAMETER; } // verify public key for(size_t i = 0; i < sizeof(authorized)/sizeof(authorized[0]); i++) { - if(memcmp(public_key, authorized[i].gx, PK_SIZE) != 0) { + if(memcmp(public_key, authorized[i].gx, PK_SIZE) == 0) { continue; } goto sign; @@ -243,7 +236,6 @@ sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sea sgx_ec256_signature_t ecc_signature; sgx_ecc_state_handle_t ecc_handle; sgx_ec256_private_t private; - sgx_ec256_public_t public; // open ecc handle sgx_status_t status; @@ -260,78 +252,51 @@ sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sea // try unseal keypair sgx_status_t seal_status; - if(seal_status = unseal_key_pair(sealed, &private, NULL) != SGX_SUCCESS) { - if((status = sgx_ecc256_create_key_pair(&private, &public, ecc_handle)) != SGX_SUCCESS) { - sgx_ecc256_close_context(ecc_handle); - return status; - } + if(seal_status = unseal_key_pair(sealed, &private, (sgx_ec256_public_t *)public_key) != SGX_SUCCESS) { + sgx_ecc256_close_context(ecc_handle); + return seal_status; } // create signature - if((status = sgx_ecdsa_sign(data, data_size, &private, &ecc_signature, ecc_handle)) != SGX_SUCCESS) { + if((status = sgx_ecdsa_sign(data, DG_SIZE, &private, &ecc_signature, ecc_handle)) != SGX_SUCCESS) { sgx_ecc256_close_context(ecc_handle); return status; } - // TODO: possible wrong endianess for other programms // copy signature to return buffer - if((signature == NULL) || (signature_size != SI_SIZE)) { + if(signature == NULL) { sgx_ecc256_close_context(ecc_handle); return SGX_ERROR_INVALID_PARAMETER; } memcpy(signature, ecc_signature.x, SI_SIZE); - // seal the key - if((seal_status != SGX_SUCCESS) && (sealed != NULL)) { - seal_status = seal_key_pair(&private, &public, &sealed, sealed_size); - } - - // export pk - memcpy(public_key, public.gx, PK_SIZE); - pk_little_to_big(public_key); - // close ecc handle and return success sgx_ecc256_close_context(ecc_handle); - return seal_status; + return status; } -sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, uint32_t public_key_size, const uint8_t *signature, uint32_t signature_size) { +sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, const uint8_t *signature) { // invalid parameter handling - if((data == NULL) || (data_size == 0)) { + if((data == NULL) || (data_size == 0) || (signature == NULL)) { return SGX_ERROR_INVALID_PARAMETER; - } else if(((sealed == NULL) || (sealed_size == 0)) && ((public_key == NULL) || (public_key_size == 0))) { + } else if((sealed == NULL) && (public_key == NULL)) { return SGX_ERROR_INVALID_PARAMETER; } else if((sealed != NULL) && (public_key != NULL)) { return SGX_ERROR_INVALID_PARAMETER; - } else if((signature == NULL) || (signature_size == 0)) { - return SGX_ERROR_INVALID_PARAMETER; } // declare needed structures sgx_ec256_public_t public; sgx_status_t status; - // invalid signature - if(signature_size > SI_SIZE) { - return SGX_ERROR_INVALID_PARAMETER; - } - // verify signature from staff or enclave if(public_key != NULL) { - // invalid public key - if(public_key_size != PK_SIZE) { - return SGX_ERROR_INVALID_PARAMETER; - } - // verification only with authorized public keys for(size_t i = 0; i < sizeof(authorized)/sizeof(authorized[0]); i++) { } - // public key little to big - pk_little_to_big(public_key); - // copy public key into struct memcpy(public.gx, public_key, PK_SIZE); } else { diff --git a/7-SGX_Hands-on/src/enclave/enclave.edl b/7-SGX_Hands-on/src/enclave/enclave.edl index 6b9e803..c2647c7 100644 --- a/7-SGX_Hands-on/src/enclave/enclave.edl +++ b/7-SGX_Hands-on/src/enclave/enclave.edl @@ -41,12 +41,14 @@ enclave { trusted { public int get_sealed_size(); + public int get_digest_size(); public int get_signature_size(); public int get_public_key_size(); public int get_private_key_size(); - public sgx_status_t get_public_key([in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [out, size=public_key_size]uint8_t *public_key, uint32_t public_key_size); - public sgx_status_t sign_firmware([in, size=data_size]const uint8_t *data, uint32_t data_size, [in, out, size=sealed_size]uint8_t *sealed, uint32_t sealed_size, [in, out, size=public_key_size]uint8_t *public_key, uint32_t public_key_size, [in, out, size=signature_size]uint8_t *signature, uint32_t signature_size); - public sgx_status_t verify_firmware([in, size=data_size]const uint8_t *data, uint32_t data_size, [in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [in, size=public_key_size]const uint8_t *public_key, uint32_t public_key_size, [in, size=signature_size]const uint8_t *signature, uint32_t signature_size); + public sgx_status_t generate_key_pair([out, size=sealed_size]uint8_t *sealed, uint32_t sealed_size); + public sgx_status_t get_public_key([in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [out, size=64]uint8_t *public_key); + public sgx_status_t sign_firmware([in, size=data_size]const uint8_t *data, uint32_t data_size, [in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [in, out, size=64]uint8_t *public_key, [in, out, size=64]uint8_t *signature); + public sgx_status_t verify_firmware([in, size=data_size]const uint8_t *data, uint32_t data_size, [in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [in, size=64]const uint8_t *public_key, [in, size=64]const uint8_t *signature); }; /* diff --git a/7-SGX_Hands-on/src/enclave/enclave.h b/7-SGX_Hands-on/src/enclave/enclave.h index c7b017b..17ad535 100644 --- a/7-SGX_Hands-on/src/enclave/enclave.h +++ b/7-SGX_Hands-on/src/enclave/enclave.h @@ -33,19 +33,18 @@ #ifndef _ENCLAVE_H_ #define _ENCLAVE_H_ -#include #include -#include -#include #include int get_sealed_size(); +int get_digest_size(); int get_signature_size(); int get_public_key_size(); int get_private_key_size(); -sgx_status_t get_public_key(const uint8_t *sealed, const uint32_t sealed_size, uint8_t *public_key, uint32_t public_key_size); -sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sealed, uint32_t sealed_size, uint8_t *public_key, uint32_t public_key_size, uint8_t *signature, uint32_t signature_size); -sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, uint32_t public_key_size, const uint8_t *signature, uint32_t signature_size); +sgx_status_t generate_key_pair(uint8_t *sealed, uint32_t sealed_size); +sgx_status_t get_public_key(const uint8_t *sealed, const uint32_t sealed_size, uint8_t *public_key); +sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, uint8_t *public_key, uint8_t *signature); +sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, const uint8_t *signature); #endif /* !_ENCLAVE_H_ */ \ No newline at end of file