RubNoobs/Systemsicherheit
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[Assignment-7] app restructure and cleanup

Browse source
This commit is contained in:
Paul Zinselmeyer 2024-07-06 17:25:06 +02:00 committed by saschato
parent 9cd7ef8703
commit feb0bd1b73
10 changed files with 304 additions and 345 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
7-SGX_Hands-on/README.md Normal file
View file

@ -0,0 +1,13 @@
# Usage
## Setup
Initialize the Enclave keypair by executing:
`./signatureproxy proxysetup -pkey <sealed_proxy_key.bin> > <proxy_public_key.pem>`
## Sign
1. Create employee signature using `./signatureproxy employee -firm <firmware.bin> -ekey <employee_privat_key.pem> > <employee_signature.der>`
This step can also be done using OpenSSL: `openssl dgst -sha256 -sign <employee_private_key.pem> -out <employee_signature.der> -in <firmware.bin>`
2. Use the signature proxy to resign the firmware using `./signatureproxy proxy -pkey <sealed_proxy_key.bin> -epub <employee_public_key.der> -firm <firmware.bin> > <proxy_signature.der>`
The enclave verifies the employee signature and signs the firmware if the signature is valid.
3. Verify signature using `cat <proxy_signature.der> | ./signatureproxy embedded -firm <firmware.bin> -ppub <proxy_public_key.pem>`
This step can also be done using OpenSSL: `openssl dgst -sha256 -verify <proxy_public_key.pem> -signature <proxy-signature.der> <firmware.bin>`

2
7-SGX_Hands-on/src/Makefile
View file

@ -74,7 +74,7 @@ else
Urts_Library_Name := sgx_urts Urts_Library_Name := sgx_urts
endif endif
App_C_Files := app/main.c app/proxy.c app/proxysetup.c app/intermediary.c app/util.c App_C_Files := app/main.c app/proxy.c app/proxysetup.c app/employee.c app/util.c
App_Include_Paths := -IInclude -Iapp -I$(SGX_SDK)/include App_Include_Paths := -IInclude -Iapp -I$(SGX_SDK)/include
App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths) App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths)

136
7-SGX_Hands-on/src/app/employee.c Normal file
View file

@ -0,0 +1,136 @@
#include <errno.h>
#include <sgx_urts.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "employee.h"
#include "util.h"
#include <openssl/core_names.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#define HASH_BYTES 32
#define HASH_CHUNK_BYTES 32
#define KEY_BYTES 32
struct EmployeeArgs {
char* key_path;
char* firmware_path;
};
char* employee_syntax(void) {
return
"employee mock up implementation of the employee binary\n"
" outputs signature on stdout\n"
" WARNING: output is in binary format, may mess up terminal\n"
" -ekey <path> file path of the PEM encoded private key of the employee\n"
" -firm <path> path of the firmware\n";
}
int handle_employee(int argc, char** argv) {
struct EmployeeArgs args = {
NULL,
NULL
};
FILE* key_file = NULL;
uint8_t* firmware_buf;
size_t firmware_len;
EVP_PKEY* key = NULL;
EVP_MD_CTX *mdctx = NULL;
size_t sig_len;
unsigned char* sig = NULL;
/*
* Parse Input
*/
int i = 0;
while(i < argc) {
if(strcmp(argv[i], "-ekey")==0 && argc-i >=2){
args.key_path = argv[i+1];
i += 2;
}else if(strcmp(argv[i], "-firm")==0 && argc-i >=2){
args.firmware_path = argv[i+1];
i += 2;
}else
syntax_exit();
}
if(args.key_path == NULL)
syntax_exit();
/*
* Load Signing Key
*/
key_file = fopen(args.key_path, "rb");
if(key_file == NULL){
perror("Error opening key file");
exit (EXIT_FAILURE);
}
key = PEM_read_PrivateKey(key_file, &key, NULL, NULL);
if(key == NULL) {
fprintf(stderr, "failed to read key\n");
exit (EXIT_FAILURE);
}
fclose(key_file);
/*
* Sign Firmware
*/
mdctx = EVP_MD_CTX_new();
if (EVP_DigestSignInit(mdctx, NULL, EVP_sha256(), NULL, key) != 1) {
fprintf(stderr, "Message digest initialization failed.\n");
exit (EXIT_FAILURE);
}
if (load_file(args.firmware_path, &firmware_buf, &firmware_len) != 0) {
fprintf(stderr, "failed to read firmware\n");
exit (EXIT_FAILURE);
}
if (EVP_DigestSignUpdate(mdctx, firmware_buf, firmware_len) != 1) {
printf("Message digest update failed.\n");
exit(EXIT_FAILURE);
}
free(firmware_buf);
// call with empty sig to get length
if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) != 1) {
printf("Message digest finalization failed.\n");
exit (EXIT_FAILURE);
}
// allocate signature buffer
sig = malloc(sizeof(unsigned char) * sig_len);
if(sig == NULL){
perror("could not initialize digest buffer");
exit (EXIT_FAILURE);
}
// load signature into buffer
if (EVP_DigestSignFinal(mdctx, sig, &sig_len) != 1) {
printf("Message digest finalization failed.\n");
exit (EXIT_FAILURE);
}
fwrite(sig, sig_len, 1, stdout);
if (ferror(stdout) != 0) {
fprintf(stdout, "failed to write signature to stdout\n");
exit (EXIT_FAILURE);
}
fflush(stdout);
// free all allocated resources
free(sig);
EVP_MD_CTX_free(mdctx);
EVP_PKEY_free(key);
exit (EXIT_SUCCESS);
}

23
7-SGX_Hands-on/src/app/employee.h Normal file
View file

@ -0,0 +1,23 @@
#ifndef _APP_INTERMEDIARY_H_
#define _APP_INTERMEDIARY_H_
/*
* @brief getter for employee subcommand syntax string
*
* @returns null-terminated syntax string
*/
char* employee_syntax(void);
/*
* @brief CLI implementation for the "employee" subcommand
*
* @param argc number of arguments with command and subcommand stripped
* @param argv arguments with command and subcommand stripped
*
* @returns 0 on success, else error with output on stderr
*/
int handle_employee(int argc, char** argv);
#endif

6
7-SGX_Hands-on/src/app/main.c
View file

@ -1,7 +1,7 @@
#include <errno.h> #include <errno.h>
#include <string.h> #include <string.h>
#include "intermediary.h" #include "employee.h"
#include "proxy.h" #include "proxy.h"
#include "proxysetup.h" #include "proxysetup.h"
#include "util.h" #include "util.h"
@ -16,8 +16,8 @@ int main(int argc, char** argv) {
char* command = argv[1]; char* command = argv[1];
if(strcmp(command, "intermediary")==0) if(strcmp(command, "employee")==0)
handle_intermediary(argc-2, argv+2); handle_employee(argc-2, argv+2);
else if (strcmp(command, "proxy")==0) else if (strcmp(command, "proxy")==0)
handle_proxy(argc-2, argv+2); handle_proxy(argc-2, argv+2);
else if (strcmp(command, "proxysetup")==0) else if (strcmp(command, "proxysetup")==0)

128
7-SGX_Hands-on/src/app/proxy.c
View file

@ -5,18 +5,13 @@
#include <string.h> #include <string.h>
#include <openssl/core_names.h> #include <openssl/core_names.h>
#include <openssl/sha.h>
#include <openssl/ec.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/param_build.h>
#include <openssl/pem.h>
#include <sgx_tcrypto.h> #include <sgx_tcrypto.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include "enclave_u.h" #include "enclave_u.h"
#include "proxy.h" #include "proxy.h"
@ -36,10 +31,10 @@ char* proxy_syntax(void) {
" expects intermediary signature on stdin\n" " expects intermediary signature on stdin\n"
" outputs proxied signature on stdout\n" " outputs proxied signature on stdout\n"
" WARNING: output is binary format, may mess up terminal\n" " WARNING: output is binary format, may mess up terminal\n"
" -s <path> file path of the sealed proxy key\n" " -pkey <path> file path of the sealed proxy key\n"
" -t <path> file path of the sgx token\n"
" -epub <path> path of the PEM encoded employee public key\n" " -epub <path> path of the PEM encoded employee public key\n"
" -firm <path> path of the firmware\n"; " -firm <path> path of the firmware\n"
" -token <path> (optional) file path of the sgx token\n";
} }
static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public) static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public)
@ -208,18 +203,18 @@ cleanup:
} }
static int ECDSA_SIG_to_sgx_signature(ECDSA_SIG* ecdsa_sig, sgx_ec256_signature_t* sgx_signature) { static int ECDSA_SIG_to_sgx_signature(ECDSA_SIG* ecdsa_sig, sgx_ec256_signature_t* sgx_signature) {
BIGNUM* r = NULL; const BIGNUM* r = NULL;
BIGNUM* s = NULL; const BIGNUM* s = NULL;
int ret; int ret;
r = ECDSA_SIG_get0_r(ecdsa_sig); r = ECDSA_SIG_get0_r(ecdsa_sig);
s = ECDSA_SIG_get0_s(ecdsa_sig); s = ECDSA_SIG_get0_s(ecdsa_sig);
ret = BN_bn2lebinpad(r, sgx_signature->x, SGX_ECP256_KEY_SIZE); ret = BN_bn2lebinpad(r, (unsigned char*)sgx_signature->x, SGX_ECP256_KEY_SIZE);
if (ret == -1) if (ret == -1)
return (1); return (1);
ret = BN_bn2lebinpad(s, sgx_signature->y, SGX_ECP256_KEY_SIZE); ret = BN_bn2lebinpad(s, (unsigned char*)sgx_signature->y, SGX_ECP256_KEY_SIZE);
if (ret == -1) if (ret == -1)
return (2); return (2);
@ -286,10 +281,10 @@ int handle_proxy(int argc, char** argv) {
NULL, NULL,
NULL NULL
}; };
FILE* sealed_file; uint8_t* sealed;
FILE* firmware_file; size_t sealed_len;
uint8_t *sealed; uint8_t* firmware;
int sealed_size; size_t firmware_len;
unsigned char* ecdsa_signature_data; unsigned char* ecdsa_signature_data;
size_t ecdsa_signature_size = 0; size_t ecdsa_signature_size = 0;
uint8_t signature[70]; uint8_t signature[70];
@ -303,10 +298,10 @@ int handle_proxy(int argc, char** argv) {
int i = 0; int i = 0;
while(i < argc) { while(i < argc) {
if(strcmp(argv[i], "-s")==0 && argc-i >=2){ if(strcmp(argv[i], "-pkey")==0 && argc-i >=2){
args.sealed_key_file_path = argv[i+1]; args.sealed_key_file_path = argv[i+1];
i += 2; i += 2;
}else if(strcmp(argv[i], "-t")==0 && argc-i >=2){ }else if(strcmp(argv[i], "-token")==0 && argc-i >=2){
args.sgx_token_path = argv[i+1]; args.sgx_token_path = argv[i+1];
i += 2; i += 2;
}else if(strcmp(argv[i], "-epub")==0 && argc-i >=2){ }else if(strcmp(argv[i], "-epub")==0 && argc-i >=2){
@ -322,7 +317,6 @@ int handle_proxy(int argc, char** argv) {
if(args.sealed_key_file_path == NULL || args.employee_public_key_path == NULL || args.firmware_path == NULL) if(args.sealed_key_file_path == NULL || args.employee_public_key_path == NULL || args.firmware_path == NULL)
syntax_exit(); syntax_exit();
/* /*
* Read Signature Input * Read Signature Input
*/ */
@ -330,27 +324,27 @@ int handle_proxy(int argc, char** argv) {
ecdsa_signature_data = malloc(1024); ecdsa_signature_data = malloc(1024);
if (ecdsa_signature_data == NULL) { if (ecdsa_signature_data == NULL) {
perror("failed to allocate signature"); perror("failed to allocate signature");
exit(1); exit (EXIT_FAILURE);
} }
ecdsa_signature_size = fread(ecdsa_signature_data, 1, 1024, stdin); ecdsa_signature_size = fread(ecdsa_signature_data, 1, 1024, stdin);
if (ferror(stdin) != 0) { if (ferror(stdin) != 0) {
fprintf(stderr, "failed to read signature from stdin\n"); fprintf(stderr, "failed to read signature from stdin\n");
exit(1); exit (EXIT_FAILURE);
} }
ecdsa_signature = ECDSA_SIG_new(); ecdsa_signature = ECDSA_SIG_new();
ecdsa_signature = d2i_ECDSA_SIG(&ecdsa_signature, &ecdsa_signature_data, ecdsa_signature_size); ecdsa_signature = d2i_ECDSA_SIG(&ecdsa_signature, (const unsigned char**)&ecdsa_signature_data, ecdsa_signature_size);
ecdsa_signature_data = NULL; ecdsa_signature_data = NULL;
if (ecdsa_signature == NULL) { if (ecdsa_signature == NULL) {
fprintf(stderr, "failed to read signature"); fprintf(stderr, "failed to read signature\n");
exit(1); exit (EXIT_FAILURE);
} }
if (ECDSA_SIG_to_sgx_signature(ecdsa_signature, &sgx_signature) != 0) { if (ECDSA_SIG_to_sgx_signature(ecdsa_signature, &sgx_signature) != 0) {
fprintf(stderr, "failed to transform signature\n"); fprintf(stderr, "failed to transform signature\n");
exit(1); exit (EXIT_FAILURE);
} }
ECDSA_SIG_free(ecdsa_signature); ECDSA_SIG_free(ecdsa_signature);
ecdsa_signature = NULL; ecdsa_signature = NULL;
@ -372,90 +366,42 @@ int handle_proxy(int argc, char** argv) {
} }
key = PEM_read_PUBKEY(key_file, &key, NULL, NULL); key = PEM_read_PUBKEY(key_file, &key, NULL, NULL);
if(key == NULL) { if(key == NULL) {
fprintf(stderr, "failed to read employee public key"); fprintf(stderr, "failed to read employee public key\n");
exit(1); exit (EXIT_FAILURE);
} }
fclose(key_file); fclose(key_file);
sgx_ec256_public_t sgx_public; sgx_ec256_public_t sgx_public;
if (EVP_PKEY_to_sgx_public(key, &sgx_public) != 0) { if (EVP_PKEY_to_sgx_public(key, &sgx_public) != 0) {
fprintf(stderr, "failed transform employee public key"); fprintf(stderr, "failed transform employee public key\n");
exit(1);
}
/*
* Read Sealed Proxy Keypair
*/
sealed_file = fopen(args.sealed_key_file_path, "rb");
if(sealed_file == NULL){
perror("Error opening sealed_key_file file");
exit(1);
}
ret = get_sealed_size(get_global_eid(), &sealed_size);
if (ret != SGX_SUCCESS) {
print_error_message(ret);
exit (1);
}
sealed = malloc(sizeof(uint8_t)*sealed_size);
if (sealed == NULL) {
fprintf(stderr, "failed to allocate for sealed key");
exit(1);
}
size_t sealed_read = fread(sealed, sealed_size, 1, sealed_file);
if (sealed_read != 1) {
fprintf(stderr, "failed to read sealed private key");
exit (EXIT_FAILURE); exit (EXIT_FAILURE);
} }
fclose(sealed_file); //Read Sealed Proxy Keypair
if (load_file(args.sealed_key_file_path, &sealed, &sealed_len)!=0){
/* fprintf(stderr, "failed to read sealed key\n");
* Read Firmware
*/
int firmware_file_des = open(args.firmware_path, O_RDWR);
if(firmware_file_des == 0){
perror("Error opening firmware file");
exit(EXIT_FAILURE);
}
struct stat stat;
if (fstat(firmware_file_des, &stat) != 0) {
perror("failed to get firmware size");
exit (EXIT_FAILURE); exit (EXIT_FAILURE);
} }
firmware_file = fopen(args.firmware_path, "rb"); // Read Firmware
if(firmware_file == NULL){ if (load_file(args.firmware_path, &firmware, &firmware_len)!=0){
perror("Error opening firmware file");
exit(EXIT_FAILURE);
}
size_t firmware_size = stat.st_size;
uint8_t* firmware_buf = malloc(firmware_size);
if (firmware_buf == NULL) {
perror("failed to allocate firmware buffer");
exit (EXIT_FAILURE);
}
if (fread(firmware_buf, firmware_size, 1, firmware_file) != 1 || ferror(firmware_file) != 0) {
fprintf(stderr, "failed to read firmware\n"); fprintf(stderr, "failed to read firmware\n");
exit (EXIT_FAILURE); exit (EXIT_FAILURE);
} }
fclose(firmware_file);
/* /*
* Use Enclave To Resign the Firmware * Use Enclave To Resign the Firmware
*/ */
sign_firmware(get_global_eid(), &ret, firmware_buf, firmware_size, sealed, sealed_size, (uint8_t*)&sgx_public, (uint8_t*)&sgx_signature); sign_firmware(get_global_eid(), &ret, firmware, firmware_len, sealed, sealed_len, (uint8_t*)&sgx_public, (uint8_t*)&sgx_signature);
if (ret != SGX_SUCCESS) { if (ret != SGX_SUCCESS) {
print_error_message(ret); sgx_print_error_message(ret);
exit (1); exit (1);
} }
free(sealed);
free(firmware);
/* /*
* Output Signature * Output Signature
*/ */
@ -483,9 +429,5 @@ int handle_proxy(int argc, char** argv) {
free(ecdsa_signature_data); free(ecdsa_signature_data);
ECDSA_SIG_free(ecdsa_signature); ECDSA_SIG_free(ecdsa_signature);
free(sealed); exit (EXIT_SUCCESS);
exit(0);
} }

270
7-SGX_Hands-on/src/app/proxysetup.c
View file

@ -5,16 +5,14 @@
#include <string.h> #include <string.h>
#include <openssl/core_names.h> #include <openssl/core_names.h>
#include <openssl/sha.h>
#include <openssl/ec.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include <openssl/evp.h> #include <openssl/evp.h>
#include <openssl/param_build.h>
#include <openssl/pem.h>
#include <sgx_tcrypto.h> #include <sgx_tcrypto.h>
#include "enclave_u.h" #include "enclave_u.h"
#include "proxy.h" #include "proxysetup.h"
#include "util.h" #include "util.h"
struct ProxysetupArgs { struct ProxysetupArgs {
@ -24,14 +22,12 @@ struct ProxysetupArgs {
char* proxysetup_syntax(void) { char* proxysetup_syntax(void) {
return return
"proxysetup implementation of the enclave-powered SignatureProxy\n" "proxysetup implementation of the enclave-powered SignatureProxy\n"
" outputs public key on stdout\n" " outputs public key on stdout\n"
" -s <path> file path of the sealed proxy key\n" " -pkey <path> file path of the sealed proxy key\n"
" -t <path> file path of the sgx token\n"; " -token <path> (optional) file path of the sgx token\n";
} }
static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public) static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public)
{ {
EVP_PKEY *evp_key = NULL; EVP_PKEY *evp_key = NULL;
@ -133,217 +129,16 @@ static EVP_PKEY *sgx_public_to_EVP_PKEY(const sgx_ec256_public_t *p_public)
return evp_key; return evp_key;
} }
static int EVP_PKEY_to_sgx_public(EVP_PKEY* ecdsa_key, sgx_ec256_public_t* sgx_public) {
EC_GROUP* group = NULL;
EC_POINT *point = NULL;
BIGNUM* pub_x = NULL;
BIGNUM* pub_y = NULL;
size_t ec_key_buf_len = 0;
unsigned char ec_key_buf[1024];
int ret;
int retval;
group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
if (group == NULL)
return 1;
point = EC_POINT_new(group);
if (point == NULL)
return 2;
ret = EVP_PKEY_get_octet_string_param(ecdsa_key, OSSL_PKEY_PARAM_PUB_KEY, ec_key_buf, 1024, &ec_key_buf_len);
if (ret != 1)
return 3;
ret = EC_POINT_oct2point(group, point, ec_key_buf, ec_key_buf_len, NULL);
if (ret != 1){
retval = 4;
goto cleanup;
}
pub_x = BN_new();
pub_y = BN_new();
ret = EC_POINT_get_affine_coordinates(group, point, pub_x, pub_y, NULL);
if (ret != 1){
retval = 5;
goto cleanup;
}
ret = BN_bn2lebinpad(pub_x, sgx_public->gx, SGX_ECP256_KEY_SIZE);
if (ret == -1){
retval = 6;
goto cleanup;
}
ret = BN_bn2lebinpad(pub_y, sgx_public->gy, SGX_ECP256_KEY_SIZE);
if (ret == -1){
retval = 7;
goto cleanup;
}
cleanup:
if (pub_x != NULL)
BN_clear_free(pub_x);
if (pub_y != NULL)
BN_clear_free(pub_y);
if (point != NULL)
EC_POINT_clear_free(point);
if (group != NULL)
EC_GROUP_free(group);
return (retval);
}
/*
sgx_status_t pfz_ecdsa_verify_hash(const uint8_t *p_data,
const sgx_ec256_public_t *p_public,
const sgx_ec256_signature_t *p_signature,
uint8_t *p_result,
sgx_ecc_state_handle_t ecc_handle)
{
if ((ecc_handle == NULL) || (p_public == NULL) || (p_signature == NULL) ||
(p_data == NULL) || (p_result == NULL)) {
return SGX_ERROR_INVALID_PARAMETER;
}
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY *public_key = NULL;
BIGNUM *bn_r = NULL;
BIGNUM *bn_s = NULL;
ECDSA_SIG *ecdsa_sig = NULL;
unsigned char *sig_data = NULL;
size_t sig_size = 0;
sgx_status_t retval = SGX_ERROR_UNEXPECTED;
int ret = -1;
*p_result = SGX_EC_INVALID_SIGNATURE;
do {
public_key = pfz_get_pub_key_from_coords(p_public, ecc_handle);
if(NULL == public_key) {
break;
}
// converts the x value of the signature, represented as positive integer in little-endian into a BIGNUM
//
bn_r = BN_lebin2bn((unsigned char*)p_signature->x, sizeof(p_signature->x), 0);
if (NULL == bn_r) {
break;
}
// converts the y value of the signature, represented as positive integer in little-endian into a BIGNUM
//
bn_s = BN_lebin2bn((unsigned char*)p_signature->y, sizeof(p_signature->y), 0);
if (NULL == bn_s) {
break;
}
// allocates a new ECDSA_SIG structure (note: this function also allocates the BIGNUMs) and initialize it
//
ecdsa_sig = ECDSA_SIG_new();
if (NULL == ecdsa_sig) {
retval = SGX_ERROR_OUT_OF_MEMORY;
break;
}
// setes the r and s values of ecdsa_sig
// calling this function transfers the memory management of the values to the ECDSA_SIG object,
// and therefore the values that have been passed in should not be freed directly after this function has been called
//
if (1 != ECDSA_SIG_set0(ecdsa_sig, bn_r, bn_s)) {
ECDSA_SIG_free(ecdsa_sig);
ecdsa_sig = NULL;
break;
}
sig_size = i2d_ECDSA_SIG(ecdsa_sig, &sig_data);
if (sig_size <= 0) {
break;
}
ctx = EVP_PKEY_CTX_new(public_key, NULL);
if (!ctx) {
break;
}
if (1 != EVP_PKEY_verify_init(ctx)) {
break;
}
if (1 != EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256())) {
break;
}
ret = EVP_PKEY_verify(ctx, sig_data, sig_size, p_data, SGX_SHA256_HASH_SIZE);
if (ret < 0) {
break;
}
// sets the p_result based on verification result
//
if (ret == 1)
*p_result = SGX_EC_VALID;
retval = SGX_SUCCESS;
} while(0);
if (ecdsa_sig) {
ECDSA_SIG_free(ecdsa_sig);
bn_r = NULL;
bn_s = NULL;
}
if (ctx)
EVP_PKEY_CTX_free(ctx);
if (public_key)
EVP_PKEY_free(public_key);
if (bn_r)
BN_clear_free(bn_r);
if (bn_s)
BN_clear_free(bn_s);
return retval;
}
sgx_status_t pfz_ecc256_open_context(sgx_ecc_state_handle_t* p_ecc_handle)
{
if (p_ecc_handle == NULL) {
return SGX_ERROR_INVALID_PARAMETER;
}
sgx_status_t retval = SGX_SUCCESS;
EC_GROUP* ec_group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
if (NULL == ec_group) {
retval = SGX_ERROR_UNEXPECTED;
} else {
*p_ecc_handle = (void*)ec_group;
}
return retval;
}
sgx_status_t pfz_ecdsa_verify(const uint8_t *p_data,
uint32_t data_size,
const sgx_ec256_public_t *p_public,
const sgx_ec256_signature_t *p_signature,
uint8_t *p_result,
sgx_ecc_state_handle_t ecc_handle)
{
if ((ecc_handle == NULL) || (p_public == NULL) || (p_signature == NULL) ||
(p_data == NULL) || (data_size < 1) || (p_result == NULL)) {
return SGX_ERROR_INVALID_PARAMETER;
}
unsigned char digest[SGX_SHA256_HASH_SIZE] = { 0 };
SHA256((const unsigned char *)p_data, data_size, (unsigned char *)digest);
return (pfz_ecdsa_verify_hash(digest, p_public, p_signature, p_result, ecc_handle));
}
*/
int handle_proxysetup(int argc, char** argv) { int handle_proxysetup(int argc, char** argv) {
struct ProxysetupArgs args = { struct ProxysetupArgs args = {
NULL, NULL,
NULL NULL
}; };
FILE* sealed_file; FILE* sealed_file;
int sealed_size;
uint8_t* sealed;
sgx_ec256_public_t sgx_public_key;
EVP_PKEY* public_key;
sgx_status_t sgx_ret; sgx_status_t sgx_ret;
/* /*
@ -352,10 +147,10 @@ int handle_proxysetup(int argc, char** argv) {
int i = 0; int i = 0;
while(i < argc) { while(i < argc) {
if(strcmp(argv[i], "-s")==0 && argc-i >=2){ if(strcmp(argv[i], "-pkey")==0 && argc-i >=2){
args.sealed_key_file_path = argv[i+1]; args.sealed_key_file_path = argv[i+1];
i += 2; i += 2;
}else if(strcmp(argv[i], "-t")==0 && argc-i >=2){ }else if(strcmp(argv[i], "-token")==0 && argc-i >=2){
args.sgx_token_path = argv[i+1]; args.sgx_token_path = argv[i+1];
i += 2; i += 2;
}else }else
@ -370,7 +165,7 @@ int handle_proxysetup(int argc, char** argv) {
*/ */
if (initialize_enclave(args.sgx_token_path) != 0) if (initialize_enclave(args.sgx_token_path) != 0)
exit(1); exit (EXIT_FAILURE);
/* /*
* Setup Sealed Keypair * Setup Sealed Keypair
@ -379,19 +174,18 @@ int handle_proxysetup(int argc, char** argv) {
sealed_file = fopen(args.sealed_key_file_path, "wb"); sealed_file = fopen(args.sealed_key_file_path, "wb");
if(sealed_file == NULL){ if(sealed_file == NULL){
perror("Error opening sealed_key_file file"); perror("Error opening sealed_key_file file");
exit(1); exit (EXIT_FAILURE);
} }
int sealed_size;
sgx_ret = get_sealed_size(get_global_eid(), &sealed_size); sgx_ret = get_sealed_size(get_global_eid(), &sealed_size);
if (sgx_ret != SGX_SUCCESS) { if (sgx_ret != SGX_SUCCESS) {
print_error_message(sgx_ret); sgx_print_error_message(sgx_ret);
exit (1); exit (EXIT_FAILURE);
} }
uint8_t* sealed = malloc(sizeof(uint8_t)*sealed_size); sealed = malloc(sizeof(uint8_t)*sealed_size);
if (sealed == NULL) { if (sealed == NULL) {
fprintf(stderr, "failed to allocate for sealed key"); fprintf(stderr, "failed to allocate for sealed key");
exit(1); exit (EXIT_FAILURE);
} }
/* /*
@ -400,8 +194,8 @@ int handle_proxysetup(int argc, char** argv) {
generate_key_pair(get_global_eid(), &sgx_ret, sealed, sealed_size); generate_key_pair(get_global_eid(), &sgx_ret, sealed, sealed_size);
if (sgx_ret != SGX_SUCCESS) { if (sgx_ret != SGX_SUCCESS) {
print_error_message(sgx_ret); sgx_print_error_message(sgx_ret);
exit (1); exit (EXIT_FAILURE);
} }
/* /*
@ -410,7 +204,7 @@ int handle_proxysetup(int argc, char** argv) {
if (fwrite(sealed, sealed_size, 1, sealed_file) != 1 || ferror(sealed_file) != 0) { if (fwrite(sealed, sealed_size, 1, sealed_file) != 1 || ferror(sealed_file) != 0) {
fprintf(stderr, "failed to write sealed key"); fprintf(stderr, "failed to write sealed key");
exit(1); exit (EXIT_FAILURE);
} }
fflush(sealed_file); fflush(sealed_file);
fclose(sealed_file); fclose(sealed_file);
@ -419,27 +213,21 @@ int handle_proxysetup(int argc, char** argv) {
* Fetch Public Key From Enclave And Print * Fetch Public Key From Enclave And Print
*/ */
sgx_ec256_public_t sgx_public_key;
get_public_key(get_global_eid(), &sgx_ret, sealed, sealed_size, (uint8_t*)&sgx_public_key); get_public_key(get_global_eid(), &sgx_ret, sealed, sealed_size, (uint8_t*)&sgx_public_key);
if (sgx_ret != SGX_SUCCESS) { if (sgx_ret != SGX_SUCCESS) {
print_error_message(sgx_ret); sgx_print_error_message(sgx_ret);
exit (1);
}
EVP_PKEY* public_key = sgx_public_to_EVP_PKEY(&sgx_public_key);
if (PEM_write_PUBKEY(stdout, public_key, NULL, NULL) != 1) {
fprintf(stderr, "could not write publickey\n");
exit (EXIT_FAILURE); exit (EXIT_FAILURE);
} }
public_key = sgx_public_to_EVP_PKEY(&sgx_public_key);
if (PEM_write_PUBKEY(stdout, public_key) != 1) {
fprintf(stderr, "could not write publickey\n");
exit (EXIT_FAILURE);
}
fflush(stdout); fflush(stdout);
EVP_PKEY_free(public_key); EVP_PKEY_free(public_key);
free(sealed); free(sealed);
exit(0); exit (EXIT_SUCCESS);
} }

4
7-SGX_Hands-on/src/app/proxysetup.h
View file

@ -1,5 +1,5 @@
#ifndef _APP_PROXY_H_ #ifndef _APP_PROXYSETUP_H_
#define _APP_PROXY_H_ #define _APP_PROXYSETUP_H_
/* /*

55
7-SGX_Hands-on/src/app/util.c
View file

@ -1,11 +1,16 @@
#include <errno.h> #include <errno.h>
#include <fcntl.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include "employee.h"
#include "util.h" #include "util.h"
#include "proxy.h" #include "proxy.h"
#include "proxysetup.h" #include "proxysetup.h"
#include "intermediary.h"
static char* BIN_NAME = "SignatureProxy"; static char* BIN_NAME = "SignatureProxy";
@ -24,8 +29,8 @@ void syntax_exit(void) {
"\n" "\n"
"%s"; "%s";
printf(syntax, BIN_NAME, intermediary_syntax(), proxy_syntax(), proxysetup_syntax()); printf(syntax, BIN_NAME, employee_syntax(), proxy_syntax(), proxysetup_syntax());
exit(1); exit (EXIT_FAILURE);
} }
void set_bin_name(char* bin_name) { void set_bin_name(char* bin_name) {
@ -118,7 +123,7 @@ static sgx_errlist_t sgx_errlist[] = {
}; };
/* Check error conditions for loading enclave */ /* Check error conditions for loading enclave */
void print_error_message(sgx_status_t ret) void sgx_print_error_message(sgx_status_t ret)
{ {
size_t idx = 0; size_t idx = 0;
size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0]; size_t ttl = sizeof sgx_errlist/sizeof sgx_errlist[0];
@ -161,7 +166,7 @@ int initialize_enclave(char* token_path) {
ret = sgx_create_enclave("enclave.signed.so", SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL); ret = sgx_create_enclave("enclave.signed.so", SGX_DEBUG_FLAG, &token, &updated, &global_eid, NULL);
if (ret != SGX_SUCCESS) { if (ret != SGX_SUCCESS) {
print_error_message(ret); sgx_print_error_message(ret);
return (1); return (1);
} }
@ -183,3 +188,43 @@ int initialize_enclave(char* token_path) {
sgx_enclave_id_t get_global_eid(void){ sgx_enclave_id_t get_global_eid(void){
return global_eid; return global_eid;
} }
int load_file(const char* path, uint8_t** data, size_t* data_len) {
FILE* file;
size_t file_size;
uint8_t* buf;
int file_des = open(path, O_RDWR);
if(file_des == 0)
return (1);
struct stat stat;
if (fstat(file_des, &stat) != 0){
close(file_des);
return (2);
}
close(file_des);
file_size = stat.st_size;
buf = malloc(file_size);
if (buf == NULL)
return (3);
file = fopen(path, "rb");
if(file == NULL){
free(buf);
return (4);
}
if (fread(buf, file_size, 1, file) != 1 || ferror(file) != 0) {
free(buf);
fclose(file);
return (5);
}
fclose(file);
*data = buf;
*data_len = file_size;
return (0);
}

12
7-SGX_Hands-on/src/app/util.h
View file

@ -18,4 +18,16 @@ int initialize_enclave(char* token_path);
sgx_enclave_id_t get_global_eid(void); sgx_enclave_id_t get_global_eid(void);
/*
* @brief loads a file completely into the HEAP
*
* Loads a File into HEAP and returns a dynamically allocated buffer.
*
* @param path path of the file
* @param data allocated buffer output
* @param data_len length of the allocated buffer
* @returns 0 on success, non zero on error
*/
int load_file(const char* path, uint8_t** data, size_t* data_len);
#endif #endif