Merge openenclave#3453

3453: Updated attested_tls with attestation plugin APIs. r=yentsanglee a=qiucwang Updated attested_tls sample with attestation plugin APIs: `oe_get_attestation_certificate_with_evidence` and `oe_verify_attestation_certificate_with_evidence()` The README file will be updated by @shants in another PR along with other sample updates. Signed-off-by: Qiucheng Wang <[email protected]> Co-authored-by: Qiucheng Wang <[email protected]>
BRMcLaren · Aug 29, 2020 · 8e8c5cb · 8e8c5cb
2 parents 1477e28 + 2ff26dc
commit 8e8c5cb
Show file tree

Hide file tree

Showing 12 changed files with 361 additions and 141 deletions.
diff --git a/samples/attested_tls/client/enc/cert_verifier.cpp b/samples/attested_tls/client/enc/cert_verifier.cpp
@@ -10,12 +10,12 @@
 #include <mbedtls/net_sockets.h>
 #include <mbedtls/platform.h>
 #include <mbedtls/ssl.h>
-#include <openenclave/enclave.h>
 #include <string.h>
 #include "../../common/utility.h"
 
-oe_result_t enclave_identity_verifier_callback(
-    oe_identity_t* identity,
+oe_result_t enclave_claims_verifier_callback(
+    oe_claim_t* claims,
+    size_t claims_length,
     void* arg);
 
 // If set, the verify callback is called for each certificate in the chain.
@@ -48,13 +48,13 @@ int cert_verify_callback(
     if (cert_size <= 0)
         goto exit;
 
-    result = oe_verify_attestation_certificate(
-        cert_buf, cert_size, enclave_identity_verifier_callback, NULL);
+    result = oe_verify_attestation_certificate_with_evidence(
+        cert_buf, cert_size, enclave_claims_verifier_callback, NULL);
     if (result != OE_OK)
     {
         printf(
-            TLS_CLIENT
-            "oe_verify_attestation_certificate failed with result = %s\n",
+            TLS_CLIENT "oe_verify_attestation_certificate_with_evidence failed "
+                       "with result = %s\n",
             oe_result_str(result));
         goto exit;
     }

diff --git a/samples/attested_tls/client/enc/client.cpp b/samples/attested_tls/client/enc/client.cpp
@@ -114,7 +114,7 @@ int handle_communication_until_done(mbedtls_ssl_context* ssl)
     int exit_code = MBEDTLS_EXIT_FAILURE;
 
     // Write client payload to the server
-    printf(TLS_CLIENT "Write to server-->:");
+    printf(TLS_CLIENT "-----> Write to server:\n");
     len = sprintf((char*)buf, CLIENT_PAYLOAD);
     while ((ret = mbedtls_ssl_write(ssl, buf, (size_t)len)) <= 0)
     {
@@ -130,7 +130,7 @@ int handle_communication_until_done(mbedtls_ssl_context* ssl)
     printf(TLS_CLIENT "%d bytes written:\n[%s]\n", len, (char*)buf);
 
     printf(TLS_CLIENT "Read the response from server:\n");
-    printf(TLS_CLIENT "<-- Read from server:\n");
+    printf(TLS_CLIENT "<---- Read from server:\n");
     do
     {
         len = sizeof(buf) - 1;
@@ -219,6 +219,7 @@ int launch_tls_client(char* server_name, char* server_port)
     mbedtls_ctr_drbg_init(&ctr_drbg);
     mbedtls_x509_crt_init(&client_cert);
     mbedtls_pk_init(&pkey);
+    oe_verifier_initialize();
 
 #ifdef ADD_TEST_CHECKING
     if (CLIENT_PAYLOAD_SIZE != strlen(CLIENT_PAYLOAD))
@@ -333,6 +334,7 @@ int launch_tls_client(char* server_name, char* server_port)
     mbedtls_ssl_config_free(&conf);
     mbedtls_ctr_drbg_free(&ctr_drbg);
     mbedtls_entropy_free(&entropy);
+    oe_verifier_shutdown();
 
     if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY)
         ret = 0;

diff --git a/samples/attested_tls/client/enc/identity_verifier.cpp b/samples/attested_tls/client/enc/identity_verifier.cpp
@@ -9,65 +9,117 @@
 #include "../../common/tls_server_enc_pubkey.h"
 #include "../../common/utility.h"
 
-oe_result_t enclave_identity_verifier_callback(
-    oe_identity_t* identity,
+oe_result_t enclave_claims_verifier_callback(
+    oe_claim_t* claims,
+    size_t claims_length,
     void* arg)
 {
     OE_UNUSED(arg);
 
     oe_result_t result = OE_VERIFY_FAILED;
+    const oe_claim_t* claim;
 
     printf(TLS_CLIENT
-           "Client:enclave_identity_verifier_callback is called with enclave "
-           "identity information:\n");
+           "enclave_claims_verifier_callback is called with enclave "
+           "identity information extracted from the evidence claims:\n");
 
-    // enclave's security version
-    printf(
-        TLS_CLIENT "identity->security_version = %d\n",
-        identity->security_version);
+    // Enclave's security version
+    if ((claim = find_claim(
+             claims, claims_length, OE_CLAIM_SECURITY_VERSION)) == nullptr)
+    {
+        printf(TLS_CLIENT "could not find OE_CLAIM_SECURITY_VERSION\n");
+        goto exit;
+    }
+    if (claim->value_size != sizeof(uint32_t))
+    {
+        printf(
+            TLS_CLIENT "security_version size(%lu) checking failed\n",
+            claim->value_size);
+        goto exit;
+    }
+    printf(TLS_CLIENT "\nsecurity_version = %d\n", *claim->value);
 
-    // the unique ID for the enclave, for SGX enclaves, this is the MRENCLAVE
+    // The unique ID for the enclave, for SGX enclaves, this is the MRENCLAVE
     // value
-    printf(TLS_CLIENT "Validating identity->unique_id(MRENCLAVE) :\n");
-    for (int i = 0; i < OE_UNIQUE_ID_SIZE; i++)
+    if ((claim = find_claim(claims, claims_length, OE_CLAIM_UNIQUE_ID)) ==
+        nullptr)
+    {
+        printf(TLS_CLIENT "could not find OE_CLAIM_UNIQUE_ID\n");
+        goto exit;
+    }
+    if (claim->value_size != OE_UNIQUE_ID_SIZE)
+    {
+        printf(
+            TLS_CLIENT "unique_id size(%lu) checking failed\n",
+            claim->value_size);
+        goto exit;
+    }
+    printf(TLS_CLIENT "\nverify unique_id:\n");
+    for (int i = 0; i < claim->value_size; i++)
     {
-        printf("0x%0x ", (uint8_t)identity->unique_id[i]);
-        if (SERVER_ENCLAVE_MRENCLAVE[i] != (uint8_t)identity->unique_id[i])
+        printf("0x%0x ", (uint8_t)claim->value[i]);
+        if (SERVER_ENCLAVE_MRENCLAVE[i] != (uint8_t)claim->value[i])
         {
             printf(
-                TLS_CLIENT
-                "identity->unique_id[%d] expected: 0x%0x  found: 0x%0x ",
+                TLS_CLIENT "\nunique_id[%d] expected: 0x%0x  found: 0x%0x ",
                 i,
                 SERVER_ENCLAVE_MRENCLAVE[i],
-                (uint8_t)identity->unique_id[i]);
-            printf(TLS_CLIENT "failed:unique_id not equal!\n");
+                (uint8_t)claim->value[i]);
+            printf(TLS_CLIENT "failed: unique_id not equal\n");
             goto exit;
         }
     }
     printf("\n" TLS_CLIENT "unique_id validation passed\n");
 
     // The signer ID for the enclave, for SGX enclaves, this is the MRSIGNER
     // value
-    printf(TLS_CLIENT "\nidentity->signer_id(MRSIGNER) :\n");
-    for (int i = 0; i < OE_SIGNER_ID_SIZE; i++)
-        printf("0x%0x ", (uint8_t)identity->signer_id[i]);
+    if ((claim = find_claim(claims, claims_length, OE_CLAIM_SIGNER_ID)) ==
+        nullptr)
+    {
+        printf(TLS_CLIENT "could not find OE_CLAIM_SIGNER_ID\n");
+        goto exit;
+    }
+    if (claim->value_size != OE_SIGNER_ID_SIZE)
+    {
+        printf(
+            TLS_CLIENT "signer_id size(%lu) checking failed\n",
+            claim->value_size);
+        goto exit;
+    }
+    printf(TLS_CLIENT "\nverify signer_id:\n");
+    for (int i = 0; i < claim->value_size; i++)
+        printf("0x%0x ", (uint8_t)claim->value[i]);
 
-    if (!verify_mrsigner(
+    if (!verify_signer_id(
             (char*)OTHER_ENCLAVE_PUBLIC_KEY,
             sizeof(OTHER_ENCLAVE_PUBLIC_KEY),
-            identity->signer_id,
-            sizeof(identity->signer_id)))
+            claim->value,
+            claim->value_size))
     {
-        printf(TLS_CLIENT "failed:mrsigner not equal!\n");
+        printf(TLS_CLIENT "failed: signer_id not equal\n");
         goto exit;
     }
-    printf(TLS_CLIENT "mrsigner id validation passed.\n");
+    printf(TLS_CLIENT "signer_id validation passed\n");
 
-    // The Product ID for the enclave, for SGX enclaves, this is the ISVPRODID
+    // The product ID for the enclave, for SGX enclaves, this is the ISVPRODID
     // value
-    printf(TLS_CLIENT "\nidentity->product_id :\n");
-    for (int i = 0; i < OE_PRODUCT_ID_SIZE; i++)
-        printf(TLS_CLIENT "0x%0x ", (uint8_t)identity->product_id[i]);
+    if ((claim = find_claim(claims, claims_length, OE_CLAIM_PRODUCT_ID)) ==
+        nullptr)
+    {
+        printf(TLS_CLIENT "could not find OE_CLAIM_PRODUCT_ID\n");
+        goto exit;
+    }
+    if (claim->value_size != OE_PRODUCT_ID_SIZE)
+    {
+        printf(
+            TLS_CLIENT "product_id size(%lu) checking failed\n",
+            claim->value_size);
+        goto exit;
+    }
+    printf(TLS_CLIENT "\nproduct_id:\n");
+    for (int i = 0; i < claim->value_size; i++)
+        printf("0x%0x ", (uint8_t)claim->value[i]);
+    printf("\n\n");
 
     result = OE_OK;
 exit:

diff --git a/samples/attested_tls/common/common.h b/samples/attested_tls/common/common.h
@@ -3,8 +3,8 @@
 //
 #define ADD_TEST_CHECKING
 
-#define TLS_CLIENT "TLS client:"
-#define TLS_SERVER "TLS server:"
+#define TLS_CLIENT "TLS client: "
+#define TLS_SERVER "TLS server: "
 
 #define CLIENT_PAYLOAD "GET / HTTP/1.0\r\n\r\n"
 #define SERVER_PAYLOAD                                   \

diff --git a/samples/attested_tls/common/utility.cpp b/samples/attested_tls/common/utility.cpp
@@ -2,8 +2,14 @@
 // Licensed under the MIT License.
 
 #include "utility.h"
+#include <openenclave/attestation/attester.h>
+#include <openenclave/attestation/sgx/evidence.h>
 #include <openenclave/attestation/sgx/report.h>
 #include <stdio.h>
+#include <string.h>
+
+// SGX Remote Attestation UUID.
+static oe_uuid_t sgx_remote_uuid = {OE_FORMAT_UUID_SGX_ECDSA_P256};
 
 // input: input_data and input_data_len
 // output: key, key_size
@@ -86,10 +92,12 @@ oe_result_t generate_certificate_and_pkey(
         goto exit;
     }
 
-    printf("public key used:\n[%s]", public_key_buf);
+    printf("public key used:\n%s\n", public_key_buf);
 
     // both ec key such ASYMMETRIC_KEY_EC_SECP256P1 or RSA key work
-    result = oe_generate_attestation_certificate(
+    oe_attester_initialize();
+    result = oe_get_attestation_certificate_with_evidence(
+        &sgx_remote_uuid,
         (const unsigned char*)"CN=Open Enclave SDK,O=OESDK TLS,C=US",
         private_key_buf,
         private_key_buf_size,
@@ -127,19 +135,20 @@ oe_result_t generate_certificate_and_pkey(
     }
 
 exit:
+    oe_attester_shutdown();
     oe_free_key(private_key_buf, private_key_buf_size, NULL, 0);
     oe_free_key(public_key_buf, public_key_buf_size, NULL, 0);
     oe_free_attestation_certificate(output_cert);
     return result;
 }
 
-bool verify_mrsigner(
+bool verify_signer_id(
     const char* siging_public_key_buf,
     size_t siging_public_key_buf_size,
     uint8_t* signer_id_buf,
     size_t signer_id_buf_size)
 {
-    printf("Verify connecting client's identity\n");
+    printf("\nverify connecting client's identity\n");
 
     uint8_t signer[OE_SIGNER_ID_SIZE];
     size_t signer_size = sizeof(signer);
@@ -152,7 +161,6 @@ bool verify_mrsigner(
         printf("oe_sgx_get_signer_id_from_public_key failed\n");
         return false;
     }
-
     if (memcmp(signer, signer_id_buf, signer_id_buf_size) != 0)
     {
         printf("mrsigner is not equal!\n");
@@ -163,6 +171,23 @@ bool verify_mrsigner(
         }
         return false;
     }
-
     return true;
 }
+
+/**
+ * Helper function used to make the claim-finding process more convenient. Given
+ * the claim name, claim list, and its size, returns the claim with that claim
+ * name in the list.
+ */
+const oe_claim_t* find_claim(
+    const oe_claim_t* claims,
+    size_t claims_size,
+    const char* name)
+{
+    for (size_t i = 0; i < claims_size; i++)
+    {
+        if (strcmp(claims[i].name, name) == 0)
+            return &(claims[i]);
+    }
+    return nullptr;
+}
diff --git a/samples/attested_tls/common/utility.h b/samples/attested_tls/common/utility.h
@@ -5,15 +5,21 @@
 #include <mbedtls/rsa.h>
 #include <mbedtls/sha256.h>
 #include <mbedtls/x509_crt.h>
+#include <openenclave/attestation/verifier.h>
 #include <openenclave/enclave.h>
 #include "common.h"
 
 oe_result_t generate_certificate_and_pkey(
     mbedtls_x509_crt* cert,
     mbedtls_pk_context* private_key);
 
-bool verify_mrsigner(
+bool verify_signer_id(
     const char* siging_public_key_buf,
     size_t siging_public_key_buf_size,
     uint8_t* signer_id_buf,
     size_t signer_id_buf_size);
+
+const oe_claim_t* find_claim(
+    const oe_claim_t* claims,
+    size_t claims_size,
+    const char* name);
diff --git a/samples/attested_tls/non_enc_client/Makefile b/samples/attested_tls/non_enc_client/Makefile
@@ -14,7 +14,7 @@ LDFLAGS=$(shell pkg-config oehost-$(CXX_COMPILER) --libs)
 all: build
 
 build:
-	$(CXX) -g -c $(CXXFLAGS) $(INCLUDES) -I/usr/include/openssl client.cpp verify_callback.cpp
+	$(CXX) -g -c $(CXXFLAGS) $(INCLUDES) -std=c++11 -I/usr/include/openssl client.cpp verify_callback.cpp
 	$(CXX) -o tls_non_enc_client client.o verify_callback.o $(LDFLAGS)
 
 clean: