improved handling of IAS certificates (hyperledger-labs#131)

* improved handling of debug in build and docker

Signed-off-by: Michael Steiner <[email protected]>

* - more robust error handling,
- pass ias-certs in registration request for clean verification based on IAS root CA cert
- implement clean CA-based verification in pservice enclave (but not yet in PDO-TP!)
- improved documentation regarding IAS certs & proof_data

Signed-off-by: Michael Steiner <[email protected]>

.gitignore

@@ -2,3 +2,5 @@ __pycache__
 docker/validator-keys
 docker/sgx
 make.log
+cscope.files
+cscope.out

build/__tools__/build.sh

@@ -66,10 +66,11 @@ if [ "$NUM_CORES " == " " ]; then
     NUM_CORES=4
 fi
 
+CMAKE_ARGS=
 # allow opting out of running tests, primarily so we can skip
 # sgx hw-mode based tests which fail in docker test
 if [ ! -z "${NO_SGX_RUN_DURING_BUILD}" ]; then
-    CMAKE_ARGS="-D DISABLE_TESTS=true"
+    CMAKE_ARGS+=" -D DISABLE_TESTS=true"
 fi
 
 # -----------------------------------------------------------------

build/common-config.sh

@@ -100,9 +100,11 @@ var_set() {
 	env_desc[PDO_IAS_KEY_PEM]="
 		The path of the PEM file containing the public key used to verify
 		attestation verification reports from the Intel Attestation Service.
-		Note this is _not_ the IAS root CA's key but the key of the intermediary
-		certificate
-		You can get it from the sawtooth poet git repo as https://raw.githubusercontent.com/hyperledger/sawtooth-poet/master/sgx/packaging/ias_rk_pub.pem
+		Note this is _not_ the IAS root CA's key but directly the key of the
+		signing authority, i.e., the key contained in the first certificate
+		contained in the 'x-iasreport-signing-certificate' header of the
+		response from IAS.
+		Easiest way to get it is from the sawtooth poet git repo as https://raw.githubusercontent.com/hyperledger/sawtooth-poet/master/sgx/packaging/ias_rk_pub.pem
 	"
 	env_key_sort[$i]="PDO_IAS_KEY_PEM"; i=$i+1; export PDO_IAS_KEY_PEM=${env_val[PDO_IAS_KEY_PEM]}
 

common/CMakeLists.txt

@@ -37,7 +37,7 @@ SET(PROJECT_GENERATED_IAS_SOURCES ${CMAKE_CURRENT_BINARY_DIR}/../crypto/verify_i
 set_source_files_properties(${PROJECT_GENERATED_IAS_SOURCES} PROPERTIES GENERATED TRUE)
 add_custom_command(OUTPUT  ${PROJECT_GENERATED_IAS_SOURCES}
                      COMMAND ./build_ias_certificates_cpp.sh
-                     DEPENDS crypto/verify_ias_report/ias-certificates-sim.template crypto/verify_ias_report/ias-certificates-hw.template crypto/verify_ias_report/build_ias_certificates_cpp.sh
+                     DEPENDS crypto/verify_ias_report/ias-certificates.template crypto/verify_ias_report/build_ias_certificates_cpp.sh
                      WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/../crypto/verify_ias_report
 )
 add_custom_target(generate-ias-files DEPENDS ${PROJECT_GENERATED_IAS_SOURCES})

common/crypto/verify_ias_report/build_ias_certificates_cpp.sh

@@ -20,7 +20,7 @@
 if [ -f ias-certificates.cpp ]; then rm ias-certificates.cpp; fi
 
 if [ "${SGX_MODE}" != "HW" ]; then
-    cp ias-certificates-sim.template ias-certificates.cpp
+    cp ias-certificates.template ias-certificates.cpp || exit 1
     # Note: use cp instead of ln or ln -s so timestamps work properly for dependencies in makefile
     exit 0
 fi
@@ -29,43 +29,24 @@ Cleanup () {
     echo "Cleaning up"
     rm ias-certificates.cpp.tmp -f
     rm RK_PUB.zip -f
-    rm AttestationReportSigningCACert.pem.der -f
     rm AttestationReportSigningCACert.pem -f
-    rm AttestationReportSigningCACert.pem.der.hex -f
-    rm AttestationReportSigningCACert.pem.der.size -f
 }
 
 trap 'echo "**ERROR - line $LINENO**"; Cleanup; exit 1' HUP INT QUIT PIPE TERM ERR
 
 #get certificate from Intel
 wget https://software.intel.com/sites/default/files/managed/7b/de/RK_PUB.zip
-test -e RK_PUB.zip && echo "Zipped certificated downloaded"
-
-#decompress certificate
-unzip -o RK_PUB.zip
 test -e RK_PUB.zip
+echo "Zipped certificated downloaded"
 
-openssl x509 -outform der -in AttestationReportSigningCACert.pem -out AttestationReportSigningCACert.pem.der
-test -e AttestationReportSigningCACert.pem.der
-echo "Der certificate derived"
-
-#hexdump the der certificate and remove last comma
-hexdump -ve '1/1 "0x%.2x, "' AttestationReportSigningCACert.pem.der| sed 's/, $//' > AttestationReportSigningCACert.pem.der.hex
-test -e AttestationReportSigningCACert.pem.der.hex
-echo "Der certificate hexdumped"
-#grab the size of the der certificate
-stat --printf="%s" AttestationReportSigningCACert.pem.der > AttestationReportSigningCACert.pem.der.size
-test -e AttestationReportSigningCACert.pem.der.size
-echo "Der certificate size retrieved"
+unzip -o RK_PUB.zip
+test -e AttestationReportSigningCACert.pem
 
 echo ""
 echo -n "Building ias-certificates.cpp ... "
 #replace the placemark in the template with the der certificate
-cmd=`echo "sed 's/IAS_REPORT_SIGNING_CA_CERT_DER_PLACEMARK/\`cat AttestationReportSigningCACert.pem.der.hex\`/' < ias-certificates-hw.template > ias-certificates.cpp.tmp"`
-eval $cmd
-#repplace the second placemark in the updated template with the der certificate size
-cmd=`echo "sed 's/IAS_REPORT_SIGNING_CA_CERT_DER_LEN_PLACEMARK/\`cat AttestationReportSigningCACert.pem.der.size\`/' < ias-certificates.cpp.tmp > ias-certificates.cpp"`
-eval $cmd
+sed -e '/IAS_REPORT_SIGNING_CA_CERT_PEM_PLACEMARK/ r ./AttestationReportSigningCACert.pem' -e 's/IAS_REPORT_SIGNING_CA_CERT_PEM_PLACEMARK//' < ias-certificates.template > ias-certificates.cpp
+test -e ias-certificates.cpp
 echo "done"
 
 Cleanup