Assignment 7 #4

Merged
saschato merged 75 commits from Assignment-7 into master 2024-07-08 11:19:51 +02:00
3 changed files with 71 additions and 105 deletions
Showing only changes of commit 9a8a5cca5a - Show all commits

View file

@ -41,6 +41,7 @@
#include <sgx_error.h> #include <sgx_error.h>
#include <sgx_tcrypto.h> #include <sgx_tcrypto.h>
#ifndef SK_SIZE #ifndef SK_SIZE
#define SK_SIZE SGX_ECP256_KEY_SIZE #define SK_SIZE SGX_ECP256_KEY_SIZE
#endif #endif
@ -49,15 +50,14 @@
#define PK_SIZE 2*SK_SIZE #define PK_SIZE 2*SK_SIZE
#endif #endif
#ifndef SI_SIZE #ifndef DG_SIZE
#define SI_SIZE 2*SK_SIZE// + 8 #define DG_SIZE SK_SIZE
#endif
#ifndef SI_SIZE
#define SI_SIZE 2*SK_SIZE
#endif #endif
#define SWAP_UINT32(x) \
(((x) >> 24) & 0x000000FF) | \
(((x) >> 8) & 0x0000FF00) | \
(((x) << 8) & 0x00FF0000) | \
(((x) << 24) & 0xFF000000)
const sgx_ec256_public_t authorized[2] = { const sgx_ec256_public_t authorized[2] = {
{ {
@ -70,6 +70,11 @@ const sgx_ec256_public_t authorized[2] = {
} }
}; };
int get_digest_size() {
return DG_SIZE;
}
int get_sealed_size() { int get_sealed_size() {
return sgx_calc_sealed_data_size(PK_SIZE, SK_SIZE); return sgx_calc_sealed_data_size(PK_SIZE, SK_SIZE);
} }
@ -86,27 +91,7 @@ int get_private_key_size() {
return SK_SIZE; return SK_SIZE;
} }
static inline void pk_little_to_big(uint8_t *pk) { static sgx_status_t seal_key_pair(const sgx_ec256_private_t *private, const sgx_ec256_public_t *public, uint8_t **sealed) {
uint32_t i, j;
for(i = 0, j = PK_SIZE / 2 - 1; i < j; i++, j--) {
uint8_t tmp = pk[i];
pk[i] = pk[j];
pk[j] = tmp;
}
for(i = PK_SIZE / 2, j = PK_SIZE - 1; i < j; i++, j--) {
uint8_t tmp = pk[i];
pk[i] = pk[j];
pk[j] = tmp;
}
}
static sgx_status_t seal_key_pair(sgx_ec256_private_t *private, sgx_ec256_public_t *public, uint8_t **sealed, uint32_t sealed_size) {
// invalid parameter handling
if((private == NULL) || (public == NULL))
return SGX_ERROR_INVALID_PARAMETER;
// allocate temporary buffers on stack // allocate temporary buffers on stack
uint8_t pk[PK_SIZE] = {0}; uint8_t pk[PK_SIZE] = {0};
uint8_t sk[SK_SIZE] = {0}; uint8_t sk[SK_SIZE] = {0};
@ -115,14 +100,8 @@ static sgx_status_t seal_key_pair(sgx_ec256_private_t *private, sgx_ec256_public
memcpy(pk, public->gx, PK_SIZE); memcpy(pk, public->gx, PK_SIZE);
memcpy(sk, private->r, SK_SIZE); memcpy(sk, private->r, SK_SIZE);
// calculate needed size
uint32_t size = get_sealed_size();
if(size > sealed_size) {
return SGX_ERROR_INVALID_PARAMETER;
}
// seal keypair // seal keypair
return sgx_seal_data(PK_SIZE, (const uint8_t *)pk, SK_SIZE, (const uint8_t *)sk, size, (sgx_sealed_data_t *) *sealed); return sgx_seal_data(PK_SIZE, (const uint8_t *)pk, SK_SIZE, (const uint8_t *)sk, get_sealed_size(), (sgx_sealed_data_t *) *sealed);
} }
static sgx_status_t unseal_key_pair(const uint8_t *sealed, sgx_ec256_private_t *private, sgx_ec256_public_t *public) { static sgx_status_t unseal_key_pair(const uint8_t *sealed, sgx_ec256_private_t *private, sgx_ec256_public_t *public) {
@ -160,37 +139,54 @@ static sgx_status_t unseal_key_pair(const uint8_t *sealed, sgx_ec256_private_t *
return status; return status;
} }
sgx_status_t get_public_key(const uint8_t *sealed, uint32_t sealed_size, uint8_t *public_key, uint32_t public_key_size) { sgx_status_t generate_key_pair(uint8_t *sealed, uint32_t sealed_size) {
// invalid parameter handling // invalid parameter handling
if((sealed == NULL) || (sealed_size == 0)) { if((sealed == NULL) || (sealed_size != get_sealed_size())) {
return SGX_ERROR_INVALID_PARAMETER;
}
// declare needed structs
sgx_ecc_state_handle_t ecc_handle;
sgx_ec256_private_t private;
sgx_ec256_public_t public;
sgx_status_t status;
// open ecc handle
if((status = sgx_ecc256_open_context(&ecc_handle)) != SGX_SUCCESS) {
return status;
}
// create ecc keypair
if((status = sgx_ecc256_create_key_pair(&private, &public, ecc_handle)) != SGX_SUCCESS) {
sgx_ecc256_close_context(ecc_handle);
return status;
}
// return status of sealing
return seal_key_pair(&private, &public, &sealed);
}
sgx_status_t get_public_key(const uint8_t *sealed, uint32_t sealed_size, uint8_t *public) {
// invalid parameter handling
if((sealed == NULL) || (sealed_size != get_sealed_size())) {
return SGX_ERROR_INVALID_PARAMETER;
} else if(public == NULL) {
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} }
// unseal public key // unseal public key
sgx_status_t status; sgx_status_t status;
sgx_ec256_public_t public; if((status = unseal_key_pair(sealed, NULL, (sgx_ec256_public_t *)public)) != SGX_SUCCESS) {
if((status = unseal_key_pair(sealed, NULL, &public)) != SGX_SUCCESS) {
return status; return status;
} }
// copy public key into return buffer
// swap endianess
if((public_key != NULL) && (public_key != NULL) && (public_key_size == PK_SIZE)) {
memcpy(public_key, public.gx, SK_SIZE);
pk_little_to_big(public_key);
}
// return success // return success
return status; return status;
} }
static sgx_status_t verify_signature(const uint8_t *data, const uint32_t data_size, const sgx_ec256_public_t *public, const sgx_ec256_signature_t* ecc_signature) { static sgx_status_t verify_signature(const uint8_t *data, uint32_t data_size, const sgx_ec256_public_t *public, const sgx_ec256_signature_t* ecc_signature) {
// invalid parameter handling // invalid parameter handling
if((data == NULL) || (data_size == 0)) { if((data == NULL) || (data_size == 0) || (public == NULL) || (ecc_signature == NULL)) {
return SGX_ERROR_INVALID_PARAMETER;
} else if(public == NULL) {
return SGX_ERROR_INVALID_PARAMETER;
} else if(ecc_signature == NULL) {
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} }
@ -205,7 +201,6 @@ static sgx_status_t verify_signature(const uint8_t *data, const uint32_t data_si
// verify signature // verify signature
uint8_t result; uint8_t result;
// sgx_ecdsa_verify_hash
sgx_status_t verification_status = sgx_ecdsa_verify(data, data_size, public, ecc_signature, &result, ecc_handle); sgx_status_t verification_status = sgx_ecdsa_verify(data, data_size, public, ecc_signature, &result, ecc_handle);
// handle failed verification process // handle failed verification process
@ -218,19 +213,17 @@ static sgx_status_t verify_signature(const uint8_t *data, const uint32_t data_si
return result; return result;
} }
sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sealed, uint32_t sealed_size, uint8_t *public_key, uint32_t public_key_size, uint8_t *signature, uint32_t signature_size) { sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, uint8_t *public_key, uint8_t *signature) {
// invalid parameter handling // invalid parameter handling
if((data == NULL) || (data_size == 0)) { if((data == NULL) || (data_size == 0) || (public_key == NULL) || (signature == NULL)) {
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} else if((sealed == NULL) || (sealed_size == 0)) { } else if((sealed == NULL) || (sealed_size != get_sealed_size())) {
return SGX_ERROR_INVALID_PARAMETER;
} else if((public_key == NULL) || (public_key_size != PK_SIZE)) {
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} }
// verify public key // verify public key
for(size_t i = 0; i < sizeof(authorized)/sizeof(authorized[0]); i++) { for(size_t i = 0; i < sizeof(authorized)/sizeof(authorized[0]); i++) {
if(memcmp(public_key, authorized[i].gx, PK_SIZE) != 0) { if(memcmp(public_key, authorized[i].gx, PK_SIZE) == 0) {
continue; continue;
} }
goto sign; goto sign;
@ -243,7 +236,6 @@ sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sea
sgx_ec256_signature_t ecc_signature; sgx_ec256_signature_t ecc_signature;
sgx_ecc_state_handle_t ecc_handle; sgx_ecc_state_handle_t ecc_handle;
sgx_ec256_private_t private; sgx_ec256_private_t private;
sgx_ec256_public_t public;
// open ecc handle // open ecc handle
sgx_status_t status; sgx_status_t status;
@ -260,78 +252,51 @@ sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sea
// try unseal keypair // try unseal keypair
sgx_status_t seal_status; sgx_status_t seal_status;
if(seal_status = unseal_key_pair(sealed, &private, NULL) != SGX_SUCCESS) { if(seal_status = unseal_key_pair(sealed, &private, (sgx_ec256_public_t *)public_key) != SGX_SUCCESS) {
if((status = sgx_ecc256_create_key_pair(&private, &public, ecc_handle)) != SGX_SUCCESS) {
sgx_ecc256_close_context(ecc_handle); sgx_ecc256_close_context(ecc_handle);
return status; return seal_status;
}
} }
// create signature // create signature
if((status = sgx_ecdsa_sign(data, data_size, &private, &ecc_signature, ecc_handle)) != SGX_SUCCESS) { if((status = sgx_ecdsa_sign(data, DG_SIZE, &private, &ecc_signature, ecc_handle)) != SGX_SUCCESS) {
sgx_ecc256_close_context(ecc_handle); sgx_ecc256_close_context(ecc_handle);
return status; return status;
} }
// TODO: possible wrong endianess for other programms
// copy signature to return buffer // copy signature to return buffer
if((signature == NULL) || (signature_size != SI_SIZE)) { if(signature == NULL) {
sgx_ecc256_close_context(ecc_handle); sgx_ecc256_close_context(ecc_handle);
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} }
memcpy(signature, ecc_signature.x, SI_SIZE); memcpy(signature, ecc_signature.x, SI_SIZE);
// seal the key
if((seal_status != SGX_SUCCESS) && (sealed != NULL)) {
seal_status = seal_key_pair(&private, &public, &sealed, sealed_size);
}
// export pk
memcpy(public_key, public.gx, PK_SIZE);
pk_little_to_big(public_key);
// close ecc handle and return success // close ecc handle and return success
sgx_ecc256_close_context(ecc_handle); sgx_ecc256_close_context(ecc_handle);
return seal_status; return status;
} }
sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, uint32_t public_key_size, const uint8_t *signature, uint32_t signature_size) { sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, const uint8_t *signature) {
// invalid parameter handling // invalid parameter handling
if((data == NULL) || (data_size == 0)) { if((data == NULL) || (data_size == 0) || (signature == NULL)) {
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} else if(((sealed == NULL) || (sealed_size == 0)) && ((public_key == NULL) || (public_key_size == 0))) { } else if((sealed == NULL) && (public_key == NULL)) {
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} else if((sealed != NULL) && (public_key != NULL)) { } else if((sealed != NULL) && (public_key != NULL)) {
return SGX_ERROR_INVALID_PARAMETER; return SGX_ERROR_INVALID_PARAMETER;
} else if((signature == NULL) || (signature_size == 0)) {
return SGX_ERROR_INVALID_PARAMETER;
} }
// declare needed structures // declare needed structures
sgx_ec256_public_t public; sgx_ec256_public_t public;
sgx_status_t status; sgx_status_t status;
// invalid signature
if(signature_size > SI_SIZE) {
return SGX_ERROR_INVALID_PARAMETER;
}
// verify signature from staff or enclave // verify signature from staff or enclave
if(public_key != NULL) { if(public_key != NULL) {
// invalid public key
if(public_key_size != PK_SIZE) {
return SGX_ERROR_INVALID_PARAMETER;
}
// verification only with authorized public keys // verification only with authorized public keys
for(size_t i = 0; i < sizeof(authorized)/sizeof(authorized[0]); i++) { for(size_t i = 0; i < sizeof(authorized)/sizeof(authorized[0]); i++) {
} }
// public key little to big
pk_little_to_big(public_key);
// copy public key into struct // copy public key into struct
memcpy(public.gx, public_key, PK_SIZE); memcpy(public.gx, public_key, PK_SIZE);
} else { } else {

View file

@ -41,12 +41,14 @@ enclave {
trusted { trusted {
public int get_sealed_size(); public int get_sealed_size();
public int get_digest_size();
public int get_signature_size(); public int get_signature_size();
public int get_public_key_size(); public int get_public_key_size();
public int get_private_key_size(); public int get_private_key_size();
public sgx_status_t get_public_key([in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [out, size=public_key_size]uint8_t *public_key, uint32_t public_key_size); public sgx_status_t generate_key_pair([out, size=sealed_size]uint8_t *sealed, uint32_t sealed_size);
public sgx_status_t sign_firmware([in, size=data_size]const uint8_t *data, uint32_t data_size, [in, out, size=sealed_size]uint8_t *sealed, uint32_t sealed_size, [in, out, size=public_key_size]uint8_t *public_key, uint32_t public_key_size, [in, out, size=signature_size]uint8_t *signature, uint32_t signature_size); public sgx_status_t get_public_key([in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [out, size=64]uint8_t *public_key);
public sgx_status_t verify_firmware([in, size=data_size]const uint8_t *data, uint32_t data_size, [in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [in, size=public_key_size]const uint8_t *public_key, uint32_t public_key_size, [in, size=signature_size]const uint8_t *signature, uint32_t signature_size); public sgx_status_t sign_firmware([in, size=data_size]const uint8_t *data, uint32_t data_size, [in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [in, out, size=64]uint8_t *public_key, [in, out, size=64]uint8_t *signature);
public sgx_status_t verify_firmware([in, size=data_size]const uint8_t *data, uint32_t data_size, [in, size=sealed_size]const uint8_t *sealed, uint32_t sealed_size, [in, size=64]const uint8_t *public_key, [in, size=64]const uint8_t *signature);
}; };
/* /*

View file

@ -33,19 +33,18 @@
#ifndef _ENCLAVE_H_ #ifndef _ENCLAVE_H_
#define _ENCLAVE_H_ #define _ENCLAVE_H_
#include <stdlib.h>
#include <stdint.h> #include <stdint.h>
#include <assert.h>
#include <stdio.h>
#include <sgx_error.h> #include <sgx_error.h>
int get_sealed_size(); int get_sealed_size();
int get_digest_size();
int get_signature_size(); int get_signature_size();
int get_public_key_size(); int get_public_key_size();
int get_private_key_size(); int get_private_key_size();
sgx_status_t get_public_key(const uint8_t *sealed, const uint32_t sealed_size, uint8_t *public_key, uint32_t public_key_size); sgx_status_t generate_key_pair(uint8_t *sealed, uint32_t sealed_size);
sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, uint8_t *sealed, uint32_t sealed_size, uint8_t *public_key, uint32_t public_key_size, uint8_t *signature, uint32_t signature_size); sgx_status_t get_public_key(const uint8_t *sealed, const uint32_t sealed_size, uint8_t *public_key);
sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, uint32_t public_key_size, const uint8_t *signature, uint32_t signature_size); sgx_status_t sign_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, uint8_t *public_key, uint8_t *signature);
sgx_status_t verify_firmware(const uint8_t *data, uint32_t data_size, const uint8_t *sealed, uint32_t sealed_size, const uint8_t *public_key, const uint8_t *signature);
#endif /* !_ENCLAVE_H_ */ #endif /* !_ENCLAVE_H_ */