|
@@ -45,26 +45,27 @@
|
|
|
#include "sgx_tseal.h"
|
|
|
|
|
|
// internal-internal
|
|
|
-uint32_t create_ecdsa_key_pair(sgx_ec256_public_t* pub_key, sgx_ec256_private_t* priv_key);
|
|
|
+uint32_t create_ec_key_pair(sgx_ec256_public_t* pub_key, sgx_ec256_private_t* priv_key);
|
|
|
void serialize_key_pair_to_string( sgx_ec256_public_t* pub_key, sgx_ec256_private_t* signing_priv_key, uint8_t* private_public_key_string);
|
|
|
void deserialize_string_to_key_pair(uint8_t* private_public_key_string, sgx_ec256_public_t* pub_key, sgx_ec256_private_t* priv_key);
|
|
|
-uint32_t create_and_sign_mitigator_header_value();
|
|
|
+uint32_t create_mitigator_header_value(uint8_t* signature_data, uint8_t* signature);
|
|
|
|
|
|
uint32_t calculate_sealed_data_size( uint32_t input_size) ;
|
|
|
uint32_t create_and_seal_ecdsa_signing_key_pair(__attribute__((unused)) sgx_ec256_public_t* pub_key, __attribute__((unused)) uint32_t* sealed_data_length, __attribute__((unused)) uint8_t* sealed_data);
|
|
|
uint32_t unseal_and_restore_sealed_signing_key_pair(__attribute__((unused)) sgx_ec256_public_t* pub_key, uint8_t* sealed_data, size_t* sgx_sealed_data_length);
|
|
|
-//uint32_t create_and_sign_mitigator_header_value();
|
|
|
+
|
|
|
uint32_t decrypt_verifiers_message_set_apache_mrsigner(uint8_t* ciphertext, uint8_t* tag);
|
|
|
-uint32_t encrypt_mitigator_header_to_apache(uint8_t* ciphertext, uint8_t* tag);
|
|
|
+//uint32_t create_and_encrypt_mitigator_header_value(uint8_t* signature_data, uint8_t* signature, uint8_t* tag);
|
|
|
+uint32_t create_and_encrypt_mitigator_header_value(uint8_t* plaintext_sign_data_and_sign, uint8_t* encrypted_sign_data_and_sign, uint8_t* tag);
|
|
|
|
|
|
|
|
|
uint32_t one_la_done=0;
|
|
|
-sgx_ec256_public_t short_term_pub_key;
|
|
|
-sgx_ec256_private_t short_term_priv_key;
|
|
|
-sgx_ec256_signature_t generated_signature;
|
|
|
-sgx_measurement_t apache_mr_signer;
|
|
|
-sgx_measurement_t verifier_mr_enclave;
|
|
|
-sgx_ec256_private_t signing_priv_key;
|
|
|
+static sgx_ec256_public_t short_term_pub_key;
|
|
|
+static sgx_ec256_private_t short_term_priv_key;
|
|
|
+sgx_ec256_signature_t generated_signature; // TODO: remove
|
|
|
+sgx_measurement_t apache_mr_signer; // TODO: remove
|
|
|
+sgx_measurement_t verifier_mr_enclave; // TODO: remove
|
|
|
+static sgx_ec256_private_t signing_priv_key;
|
|
|
|
|
|
extern "C" uint32_t verify_peer_enclave_trust(__attribute__((unused)) sgx_dh_session_enclave_identity_t* peer_enclave_identity)
|
|
|
{
|
|
@@ -105,34 +106,28 @@ return decrypt(ciphertext, 32, tag, (uint8_t*) &(apache_mr_signer.m));
|
|
|
// return mrsigner_decryption_successful;
|
|
|
}
|
|
|
|
|
|
-// ciphertext assumed to be at least 64 bytes, tag - at least 16 bytes
|
|
|
-uint32_t encrypt_mitigator_header_to_apache(uint8_t* ciphertext, uint8_t* tag)
|
|
|
+// signature_data - 96 bytes, encrypted_signature assumed to be at least 64 bytes, tag - at least 16 bytes
|
|
|
+uint32_t create_and_encrypt_mitigator_header_value(uint8_t* plaintext_sign_data_and_sign, uint8_t* encrypted_sign_data_and_sign, uint8_t* tag)
|
|
|
{
|
|
|
- uint32_t ret_status=create_and_sign_mitigator_header_value();
|
|
|
+ uint32_t count;
|
|
|
+ uint8_t sign_data_and_sign[160];
|
|
|
+ uint32_t ret_status=create_mitigator_header_value(sign_data_and_sign, sign_data_and_sign+96);
|
|
|
if(ret_status != SGX_SUCCESS)
|
|
|
{
|
|
|
// printf("Could not generate or sign another keypair for client-side, error:%x.\n", ret_status); fflush(stdout);
|
|
|
return 0xFFFFFFDD;
|
|
|
}
|
|
|
+ for(count=0; count<160; count++)
|
|
|
+ *(plaintext_sign_data_and_sign+count)=sign_data_and_sign[count];
|
|
|
|
|
|
- // serializing the weird signature string
|
|
|
- uint8_t mitigator_header_unencrypted[64];
|
|
|
- uint8_t *current_sig_byte = (uint8_t*)(&(generated_signature.x));
|
|
|
- uint32_t ecdsa_sig_count;
|
|
|
- for(ecdsa_sig_count=0;ecdsa_sig_count<32;ecdsa_sig_count++)
|
|
|
- mitigator_header_unencrypted[ecdsa_sig_count]=*(current_sig_byte+ecdsa_sig_count);
|
|
|
- current_sig_byte = (uint8_t*)(&(generated_signature.y));
|
|
|
- for(ecdsa_sig_count=0;ecdsa_sig_count<32;ecdsa_sig_count++)
|
|
|
- mitigator_header_unencrypted[ecdsa_sig_count+32]=*(current_sig_byte+ecdsa_sig_count);
|
|
|
-
|
|
|
- ret_status = encrypt_internal(mitigator_header_unencrypted, 64, tag, ciphertext);
|
|
|
+ ret_status = encrypt_internal(sign_data_and_sign, 160, tag, encrypted_sign_data_and_sign);
|
|
|
return ret_status;
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-uint32_t create_ecdsa_key_pair(sgx_ec256_public_t* pub_key, sgx_ec256_private_t* priv_key)
|
|
|
+uint32_t create_ec_key_pair(sgx_ec256_public_t* pub_key, sgx_ec256_private_t* priv_key)
|
|
|
{
|
|
|
sgx_status_t se_ret; sgx_status_t se_ret2;
|
|
|
//create ECC context
|
|
@@ -204,7 +199,7 @@ uint32_t create_and_seal_ecdsa_signing_key_pair(__attribute__((unused)) sgx_ec
|
|
|
__attribute__((unused)) uint8_t* sealed_data)
|
|
|
{
|
|
|
uint32_t ret_status; sgx_ec256_private_t private_key; uint32_t counter;
|
|
|
- ret_status=create_ecdsa_key_pair(pub_key, &private_key);
|
|
|
+ ret_status=create_ec_key_pair(pub_key, &private_key);
|
|
|
if(ret_status!=SGX_SUCCESS)
|
|
|
return ret_status;
|
|
|
for(counter=0;counter<SGX_ECP256_KEY_SIZE; counter++)
|
|
@@ -283,24 +278,24 @@ uint32_t unseal_and_restore_sealed_signing_key_pair(__attribute__((unused)) sgx_
|
|
|
return SGX_SUCCESS;
|
|
|
}
|
|
|
|
|
|
-uint32_t create_and_sign_mitigator_header_value()
|
|
|
+uint32_t create_mitigator_header_value(__attribute__((unused)) uint8_t* signature_data, __attribute__((unused)) uint8_t* signature)
|
|
|
{
|
|
|
// Otherwise: DoS or possible bypass (fake verifier does LA but real verifier mrenclave is given out by decryptor) - signature with junk verifier mrenclave or whatever is in the memory.
|
|
|
if(one_la_done < 1)
|
|
|
return 0xde; // This needs to be called at any point after the first local attestation is done - else, a junk verifier mrenclave will be included in the signature
|
|
|
// TODO: Comment this
|
|
|
- memset(&(verifier_mr_enclave.m), 0x01, 32);
|
|
|
+ // memset(&(verifier_mr_enclave.m), 0x55, 32);
|
|
|
|
|
|
// create key pair
|
|
|
- uint32_t ret_status = create_ecdsa_key_pair(&short_term_pub_key, &short_term_priv_key); uint32_t counter;
|
|
|
+ uint32_t ret_status = create_ec_key_pair(&short_term_pub_key, &short_term_priv_key); uint32_t counter;
|
|
|
uint32_t ret_status2;
|
|
|
if(ret_status!=SGX_SUCCESS)
|
|
|
return ret_status;
|
|
|
// serialize public key, append mr_enclave
|
|
|
- uint8_t* public_key_string = (uint8_t*) malloc(3*SGX_ECP256_KEY_SIZE); // for .edl file - size parameter for serialize is 96 and this fits coz we need to append the mr_enclave to the pub key
|
|
|
- serialize_key_pair_to_string(&short_term_pub_key, NULL, public_key_string);
|
|
|
+// uint8_t* public_key_string = (uint8_t*) malloc(3*SGX_ECP256_KEY_SIZE); // for .edl file - size parameter for serialize is 96 and this fits coz we need to append the mr_enclave to the pub key
|
|
|
+ serialize_key_pair_to_string(&short_term_pub_key, NULL, signature_data);
|
|
|
for(counter=32*2; counter<32*3; counter++) // appending mr_enclave
|
|
|
- *(public_key_string+counter)=verifier_mr_enclave.m[counter];
|
|
|
+ *(signature_data+counter)=0x55;//verifier_mr_enclave.m[counter]; TODO: uncomment verifier_mrenclave
|
|
|
// retrieve long-term private key from global variable - apparently, need to create a local copy or it crashes
|
|
|
sgx_ec256_private_t long_term_priv_key;
|
|
|
for(counter=0; counter<SGX_ECP256_KEY_SIZE; counter++)
|
|
@@ -311,22 +306,39 @@ uint32_t create_and_sign_mitigator_header_value()
|
|
|
ret_status = sgx_ecc256_open_context(&ecc_handle);
|
|
|
if(ret_status != SGX_SUCCESS)
|
|
|
return ret_status;
|
|
|
- ret_status = sgx_ecdsa_sign(public_key_string,2*SGX_ECP256_KEY_SIZE, &long_term_priv_key, &local_signature, ecc_handle);
|
|
|
+ ret_status = sgx_ecdsa_sign(signature_data,3*SGX_ECP256_KEY_SIZE, &long_term_priv_key, &local_signature, ecc_handle);
|
|
|
ret_status2 = sgx_ecc256_close_context(ecc_handle);
|
|
|
- free(public_key_string);
|
|
|
+// free(public_key_string);
|
|
|
if(ret_status == SGX_SUCCESS)
|
|
|
{
|
|
|
- for(counter=0;counter<SGX_NISTP_ECP256_KEY_SIZE/sizeof(uint32_t); counter++)
|
|
|
- {
|
|
|
- generated_signature.x[counter] = local_signature.x[counter];
|
|
|
- generated_signature.y[counter] = local_signature.y[counter];
|
|
|
- }
|
|
|
+ uint8_t *current_sig_byte = (uint8_t*)(&(local_signature.x));
|
|
|
+ uint32_t ecdsa_sig_count;
|
|
|
+ for(ecdsa_sig_count=0;ecdsa_sig_count<32;ecdsa_sig_count++)
|
|
|
+ signature[ecdsa_sig_count]=*(current_sig_byte+ecdsa_sig_count);
|
|
|
+ current_sig_byte = (uint8_t*)(&(local_signature.y));
|
|
|
+ for(ecdsa_sig_count=0;ecdsa_sig_count<32;ecdsa_sig_count++)
|
|
|
+ signature[ecdsa_sig_count+32]=*(current_sig_byte+ecdsa_sig_count);
|
|
|
}
|
|
|
if(ret_status != SGX_SUCCESS || ret_status2 != SGX_SUCCESS)
|
|
|
return 0xFFFFFFFF;
|
|
|
return 0;
|
|
|
}
|
|
|
|
|
|
+uint32_t verify_mitigator_header_value(uint8_t* signature_data, uint8_t* signature)
|
|
|
+{
|
|
|
+
|
|
|
+
|
|
|
+ return 0;
|
|
|
+
|
|
|
+
|
|
|
+}
|
|
|
+
|
|
|
+uint32_t derive_shared_secret_for_client()
|
|
|
+{
|
|
|
+ return 0;
|
|
|
+
|
|
|
+
|
|
|
+}
|
|
|
|
|
|
uint32_t calculate_sealed_data_size( uint32_t input_size)
|
|
|
{
|