forked from openenclave/openenclave
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtls_cert.c
270 lines (247 loc) · 8.82 KB
/
tls_cert.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
// Copyright (c) Open Enclave SDK contributors.
// Licensed under the MIT License.
#include <openenclave/attestation/attester.h>
#include <openenclave/bits/defs.h>
#include <openenclave/bits/sgx/sgxtypes.h>
#include <openenclave/enclave.h>
#include <openenclave/internal/cert.h>
#include <openenclave/internal/crypto/sha.h>
#include <openenclave/internal/evidence.h>
#include <openenclave/internal/print.h>
#include <openenclave/internal/raise.h>
#include <openenclave/internal/report.h>
#include <openenclave/internal/safecrt.h>
#include <openenclave/internal/utils.h>
#include <stdio.h>
#include "../common/common.h"
// Todo: consider set CN with enclave's MRENCLAVE values
#define SUBJECT_NAME "CN=Open Enclave SDK,O=OESDK TLS,C=US"
#define DATE_NOT_VALID_BEFORE "20190501000000"
#define DATE_NOT_VALID_AFTER "20501231235959"
static const unsigned char oid_oe_report[] = X509_OID_FOR_NEW_QUOTE_EXT;
static const unsigned char oid_oe_evidence[] = X509_OID_FOR_NEW_OE_EVIDENCE_EXT;
// Input: an issuer and subject key pair
// Output: a self-signed certificate embedded critical extension with quote
// information as its content
static oe_result_t generate_x509_self_signed_certificate(
const unsigned char* oid,
size_t oid_size,
const unsigned char* subject_name,
uint8_t* private_key_buf,
size_t private_key_buf_size,
uint8_t* public_key_buf,
size_t public_key_buf_size,
uint8_t* remote_report_buf,
size_t remote_report_buf_size,
uint8_t** output_cert,
size_t* output_cert_size)
{
oe_result_t result = OE_FAILURE;
size_t bytes_written = 0;
uint8_t* cert_buf = NULL;
oe_cert_config_t config = {0};
size_t oe_cert_size = 0;
config.private_key_buf = private_key_buf;
config.private_key_buf_size = private_key_buf_size;
config.public_key_buf = public_key_buf;
config.public_key_buf_size = public_key_buf_size;
config.subject_name = (subject_name != NULL)
? subject_name
: (const unsigned char*)SUBJECT_NAME;
config.issuer_name = config.subject_name;
config.date_not_valid_before = (unsigned char*)DATE_NOT_VALID_BEFORE;
config.date_not_valid_after = (unsigned char*)DATE_NOT_VALID_AFTER;
config.ext_data_buf = remote_report_buf;
config.ext_data_buf_size = remote_report_buf_size;
config.ext_oid = (char*)oid;
config.ext_oid_size = oid_size;
// allocate memory for cert output buffer and leave room for paddings
oe_cert_size =
remote_report_buf_size + public_key_buf_size + OE_MIN_CERT_SIZE;
cert_buf = (uint8_t*)oe_malloc(oe_cert_size);
if (cert_buf == NULL)
goto done;
result = oe_gen_custom_x509_cert(
&config, cert_buf, oe_cert_size, &bytes_written);
OE_CHECK_MSG(
result,
"oe_gen_custom_x509_cert failed with %s",
oe_result_str(result));
OE_TRACE_VERBOSE("certificate: bytes_written = 0x%x", bytes_written);
*output_cert_size = (size_t)bytes_written;
*output_cert = cert_buf;
result = OE_OK;
cert_buf = NULL;
done:
oe_free(cert_buf);
return result;
}
/**
* oe_generate_attestation_certificate.
*
* This function generates a self-signed x.509 certificate with an embedded
* quote from the underlying enclave.
*
* @param[in] subject_name a string contains an X.509 distinguished
* name (DN) for customizing the generated certificate. This name is also used
* as the issuer name because this is a self-signed certificate
* See RFC5280 (https://tools.ietf.org/html/rfc5280) specification for details
* Example value "CN=Open Enclave SDK,O=OESDK TLS,C=US"
*
* @param[in] private_key a private key used to sign this certificate
* @param[in] private_key_size The size of the private_key buffer
* @param[in] public_key a public key used as the certificate's subject key
* @param[in] public_key_size The size of the public_key buffer.
*
* @param[out] output_cert a pointer to buffer pointer
* @param[out] output_cert_size size of the buffer above
*
* @return OE_OK on success
*/
oe_result_t oe_generate_attestation_certificate(
const unsigned char* subject_name,
uint8_t* private_key,
size_t private_key_size,
uint8_t* public_key,
size_t public_key_size,
uint8_t** output_cert,
size_t* output_cert_size)
{
oe_result_t result = OE_FAILURE;
oe_sha256_context_t sha256_ctx = {0};
OE_SHA256 sha256 = {0};
uint8_t* remote_report_buf = NULL;
size_t remote_report_buf_size = OE_MAX_REPORT_SIZE;
OE_TRACE_VERBOSE("Calling oe_generate_attestation_certificate");
// generate quote with hash(cert's subject key) and set it as report data
OE_TRACE_VERBOSE(
"generate quote with hash from public_key_size=%d public_key key "
"=\n[%s]\n",
public_key_size,
public_key);
oe_memset_s(sha256.buf, OE_SHA256_SIZE, 0, OE_SHA256_SIZE);
OE_CHECK(oe_sha256_init(&sha256_ctx));
OE_CHECK(oe_sha256_update(&sha256_ctx, public_key, public_key_size));
OE_CHECK(oe_sha256_final(&sha256_ctx, &sha256));
OE_TRACE_VERBOSE("Report data with hash of public key:");
for (size_t i = 0; i < OE_SHA256_SIZE; i++)
OE_TRACE_VERBOSE(
"Report data with hash of public key[%d]=0x%x", i, sha256.buf[i]);
result = oe_get_report(
OE_REPORT_FLAGS_REMOTE_ATTESTATION,
(const uint8_t*)&sha256,
OE_SHA256_SIZE,
NULL,
0,
&remote_report_buf,
&remote_report_buf_size);
OE_CHECK_MSG(
result, "oe_get_report failed with %s\n", oe_result_str(result));
result = generate_x509_self_signed_certificate(
oid_oe_report,
sizeof(oid_oe_report),
subject_name,
private_key,
private_key_size,
public_key,
public_key_size,
remote_report_buf,
remote_report_buf_size,
output_cert,
output_cert_size);
OE_CHECK_MSG(
result,
"generate_x509_self_signed_certificate failed : %s",
oe_result_str(result));
OE_TRACE_VERBOSE("self-signed certificate size = %d", *output_cert_size);
result = OE_OK;
done:
oe_free_report(remote_report_buf);
return result;
}
/**
* oe_get_attestation_certificate_with_evidence.
*
* This function generates a self-signed x.509 certificate with embedded
* evidence generated by an attester plugin for the enclave.
*
* @param[in] format_id The format ID of the evidence to be generated.
*
* @param[in] subject_name a string containing an X.509 distinguished
* name (DN) for customizing the generated certificate. This name is also used
* as the issuer name because this is a self-signed certificate
* See RFC5280 (https://tools.ietf.org/html/rfc5280) for details
* Example value "CN=Open Enclave SDK,O=OESDK TLS,C=US"
*
* @param[in] private_key a private key used to sign this certificate
* @param[in] private_key_size The size of the private_key buffer
* @param[in] public_key a public key used as the certificate's subject key
* @param[in] public_key_size The size of the public_key buffer.
*
* @param[out] output_cert a pointer to buffer pointer
* @param[out] output_cert_size size of the buffer above
*
* @return OE_OK on success
*/
oe_result_t oe_get_attestation_certificate_with_evidence(
const oe_uuid_t* format_id,
const unsigned char* subject_name,
uint8_t* private_key,
size_t private_key_size,
uint8_t* public_key,
size_t public_key_size,
uint8_t** output_cert,
size_t* output_cert_size)
{
oe_result_t result = OE_FAILURE;
uint8_t* evidence_buf = NULL;
size_t evidence_buf_size = 0;
OE_TRACE_VERBOSE("Calling oe_get_attestation_certificate_with_evidence");
OE_TRACE_VERBOSE(
"generate evidence with hash from public_key_size=%d public_key key "
"=\n[%s]\n",
public_key_size,
public_key);
result = oe_get_evidence(
format_id,
OE_EVIDENCE_FLAGS_EMBED_FORMAT_ID,
public_key,
public_key_size,
NULL,
0,
&evidence_buf,
&evidence_buf_size,
NULL,
0);
OE_CHECK_MSG(
result, "oe_get_evidence failed with %s\n", oe_result_str(result));
result = generate_x509_self_signed_certificate(
oid_oe_evidence,
sizeof(oid_oe_evidence),
subject_name,
private_key,
private_key_size,
public_key,
public_key_size,
evidence_buf,
evidence_buf_size,
output_cert,
output_cert_size);
OE_CHECK_MSG(
result,
"generate_x509_self_signed_certificate failed : %s",
oe_result_str(result));
OE_TRACE_VERBOSE("self-signed certificate size = %d", *output_cert_size);
result = OE_OK;
done:
oe_free_evidence(evidence_buf);
return result;
}
void oe_free_attestation_certificate(uint8_t* cert)
{
if (cert)
{
OE_TRACE_VERBOSE("Calling oe_free_attestation_certificate=0x%p", cert);
oe_free(cert);
}
}