Release v0.0.1 🎉

.github/workflows/go.yml

@@ -0,0 +1,25 @@
+# This workflow will build a golang project
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-go
+
+name: Go
+
+on:
+  push:
+    branches: [ "develop" ]
+  pull_request:
+    branches: [ "develop" ]
+
+jobs:
+
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: '1.21.5'
+
+    - name: Test
+      run: sh .github/workflows/test.sh

.github/workflows/test.sh

@@ -0,0 +1,5 @@
+cd test && go test .
+cd ..
+cd verifier/api && go test .
+cd ../../
+cd verifier/monitor && go test .

.gitignore

@@ -1,5 +1,5 @@
 # If you prefer the allow list template instead of the deny list, see community template:
-# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
+# hverifiers://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore
 #
 # Binaries for programs and plugins
 *.exe
@@ -19,3 +19,24 @@
 
 # Go workspace file
 go.work
+/verifier/verifier
+/verifier/serv/serv
+ta/certificate.pem
+ta/private.key
+ta/example/example
+verifier/ca_test.json
+
+**/repo
+service/cmd/cmd
+opt/domain-owner/example/config.yaml
+opt/domain-owner/example/example
+**/*.env
+
+**/*.db
+**/*.sqlite3
+
+**/last.txt
+ta/example/private.pem
+ta/example/public.pem
+verifier/serv/last.log
+verifier/serv/first-log.txt

README.md

@@ -1,2 +1,4 @@
 # RA-WEBs
+[![Go](https://github.com/akakou/ra-webs/actions/workflows/go.yml/badge.svg)](https://github.com/akakou/ra-webs/actions/workflows/go.yml)
+
 RA-WEBs: Remote Attestation for WEB services

compose.test.yaml

@@ -0,0 +1,46 @@
+version: '3'
+services:
+  ta_example:
+    tty: true
+    build: ./docker
+    network_mode: host
+    volumes:
+      - ./ta:/ta
+      - ./core:/core
+      - ./test:/test
+      - /dev:/dev
+    working_dir: /ta/example
+    command: bash -c 'mount -o remount,exec /dev && ego-go build -buildvcs=false -trimpath=true && ego sign example && source /test/issue_service.sh && ego run example'
+    privileged: true
+    environment:
+      - OE_SIMULATION=0
+    env_file:
+      - test/env/ta.env
+      - test/env/common.env
+    profiles:
+      - ta
+
+  verifier:
+    build: ./docker
+    volumes:
+      - ./verifier:/verifier
+      - ./core:/core
+      - /var/run/docker.sock:/var/run/docker.sock
+    working_dir: /verifier/serv
+    command: bash -c 'go mod tidy && go run main.go'
+    env_file:
+      - test/env/verifier.env
+      - test/env/common.env
+    privileged: true
+    tty: true
+    profiles:
+      - verifier
+
+  tunnel:
+    restart: unless-stopped
+    image: cloudflare/cloudflared
+    command: tunnel --url http://verifier:8080 
+    env_file:
+      - test/env/tunnel.env
+    profiles:
+      - verifier

core/attest.go

@@ -0,0 +1,58 @@
+package core
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+
+	"github.com/edgelesssys/ego/attestation"
+	"github.com/edgelesssys/ego/enclave"
+)
+
+const SECURITY_VERSION = 1
+
+var AttestByAzure = attestByAzure
+var VerifyByAzure = verifyByAzure
+
+func AttestServer(publicKey []byte, token string) (string, error) {
+	buf := append([]byte(token), publicKey...)
+	quote, err := AttestByAzure(buf)
+	return quote, err
+}
+
+func VerifyServer(quote string, publicKey []byte, token string) (*attestation.Report, error) {
+	buf := append([]byte(token), publicKey...)
+	report, err := VerifyByAzure(quote, []byte(buf))
+	return report, err
+}
+
+func attestByAzure(data []byte) (string, error) {
+	if DEBUG {
+		return "", nil
+	}
+
+	// publicKeyHash := hashPublicKey(publicKey)
+	token, err := enclave.CreateAzureAttestationToken(data, ATTEST_PROVIDER_URL)
+	if err != nil {
+		return "", fmt.Errorf("%s: %w", ERROR_CREATE_ATTESTATION, err)
+	}
+
+	return token, nil
+}
+
+func verifyByAzure(quote string, data []byte) (*attestation.Report, error) {
+	report, err := attestation.VerifyAzureAttestationToken(quote, ATTEST_PROVIDER_URL)
+	if err != nil {
+		return nil, fmt.Errorf("%s: %w", ERROR_VERIFY_ATTESTATION, err)
+	}
+
+	if report.SecurityVersion < SECURITY_VERSION {
+		return nil, errors.New(ERROR_INVALID_SECURITY_VERSION_IN_ATTESTATION)
+	}
+
+	if !bytes.Equal(report.Data, data) {
+		return nil, errors.New(ERROR_INVALID_REPORT_DATA_IN_ATTESTATION)
+	}
+
+	return &report, nil
+}

core/debug.go

@@ -0,0 +1,23 @@
+package core
+
+import "github.com/edgelesssys/ego/attestation"
+
+func debugAttestByAzure(data []byte) (string, error) {
+	return "", nil
+}
+
+func debugVerifyByAzure(token string, data []byte) (*attestation.Report, error) {
+	return &attestation.Report{
+		UniqueID: []byte{1, 2, 3},
+		Data:     []byte{4, 5, 6},
+	}, nil
+}
+
+const DEBUG_TOKEN = "this-is-ra-webs-debug-token-138484039348"
+
+func EnableDebug() {
+	DEBUG = true
+
+	AttestByAzure = debugAttestByAzure
+	VerifyByAzure = debugVerifyByAzure
+}

core/errors.go

@@ -0,0 +1,8 @@
+package core
+
+const (
+	ERROR_INVALID_SECURITY_VERSION_IN_ATTESTATION = "invalid security version in attestation"
+	ERROR_INVALID_REPORT_DATA_IN_ATTESTATION      = "invalid report data in attestation"
+	ERROR_CREATE_ATTESTATION                      = "failed to create attestation"
+	ERROR_VERIFY_ATTESTATION                      = "failed to verify attestation"
+)

core/go.mod

@@ -0,0 +1,10 @@
+module github.com/akakou/ra_webs/core
+
+go 1.21.4
+
+require github.com/edgelesssys/ego v1.5.0
+
+require (
+	golang.org/x/crypto v0.21.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+)

core/go.sum

@@ -0,0 +1,20 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/edgelesssys/ego v1.4.1 h1:Ef2UQvGVEf0RqarDidWywhOVLik/LnZbJG0ygdVJDAA=
+github.com/edgelesssys/ego v1.4.1/go.mod h1:8xFWTj9hcHyYL7s7fMmKgdYTi5zETPy6PeZip7OBTNA=
+github.com/edgelesssys/ego v1.5.0 h1:euwXc69GRGlxpklIaVZtyh0v27YXzf9ow3iODE7CrPc=
+github.com/edgelesssys/ego v1.5.0/go.mod h1:N58b0J+s3U4sxXeNUT5uiQV9Q9M/U2KsILC44Ku5dnw=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
+golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
+gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
+gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

core/param.go

@@ -0,0 +1,13 @@
+package core
+
+const ATTEST_PROVIDER_URL = "https://shareduks.uks.attest.azure.net"
+
+var X509_EXTENSION_LABEL = []int{1, 3, 6, 1, 4, 1, 11129, 2, 4, 5}
+
+var DEBUG = false
+
+var VerifierPort = ":8000"
+var ServicePort = ":8001"
+var TAPort = ":443"
+
+const API_ROOT = "/api"

core/struct.go

@@ -0,0 +1,16 @@
+package core
+
+type CodeRequest struct {
+	Repository string `json:"repository"`
+}
+
+type ServerRequest struct {
+	PublicKey []byte `json:"public_key"`
+	Domain    string `json:"domain"`
+	Quote     string `json:"quote"`
+}
+
+type RegisterRequest struct {
+	CodeRequest   `json:"code"`
+	ServerRequest `json:"server"`
+}

docker/Dockerfile

@@ -0,0 +1,36 @@
+FROM ubuntu:20.04
+
+ENV GOROOT=/usr/local/go
+ENV GOPATH=$HOME/go
+ENV PATH=$GOPATH/bin:$GOROOT/bin:$PATH
+
+ENV TZ=Asia/Tokyo
+RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
+
+RUN apt-get update -y && apt-get install -y wget gnupg2 docker docker.io
+
+RUN echo 'deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main' | tee /etc/apt/sources.list.d/intel-sgx.list
+RUN wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add -
+
+RUN echo "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-11 main" | tee /etc/apt/sources.list.d/llvm-toolchain-focal-11.list
+RUN wget -qO - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
+
+RUN echo "deb [arch=amd64] https://packages.microsoft.com/ubuntu/20.04/prod focal main" | tee /etc/apt/sources.list.d/msprod.list
+RUN wget -qO - https://packages.microsoft.com/keys/microsoft.asc | apt-key add -
+
+RUN wget https://go.dev/dl/go1.22.2.linux-amd64.tar.gz
+RUN rm -rf /usr/local/go && tar -C /usr/local -xzf go1.22.2.linux-amd64.tar.gz
+
+RUN apt-get update -y
+RUN apt-get install -qq -y snapd build-essential libssl-dev clang-11 libssl-dev gdb libsgx-enclave-common libsgx-quote-ex libprotobuf17 libsgx-dcap-ql libsgx-dcap-ql-dev az-dcap-client open-enclave software-properties-common 
+
+RUN wget https://github.com/edgelesssys/ego/releases/download/v1.5.3/ego_1.5.3_amd64_ubuntu-20.04.deb
+RUN apt-get install ./ego_1.5.3_amd64_ubuntu-20.04.deb
+
+RUN apt-get install -y ca-certificates curl
+
+
+
+
+# if you do not use azure
+# ego install libsgx-dcap-default-qpl

ta/acme.go

@@ -0,0 +1,81 @@
+package ta
+
+import (
+	"crypto"
+	"crypto/rsa"
+	"crypto/rand"
+	"log"
+
+	"github.com/go-acme/lego/v4/certificate"
+	"github.com/go-acme/lego/v4/challenge/tlsalpn01"
+	"github.com/go-acme/lego/v4/lego"
+	"github.com/go-acme/lego/v4/registration"
+)
+
+var acmeURL = lego.LEDirectoryProduction
+//var acmeURL = lego.LEDirectoryStaging
+
+type MyUser struct {
+	Email        string
+	Registration *registration.Resource
+	key          crypto.PrivateKey
+}
+
+func (u *MyUser) GetEmail() string {
+	return u.Email
+}
+func (u MyUser) GetRegistration() *registration.Resource {
+	return u.Registration
+}
+func (u *MyUser) GetPrivateKey() crypto.PrivateKey {
+	return u.key
+}
+
+func IssueCertificate(key crypto.PrivateKey, domain, email string) *certificate.Resource {
+	// Create a user. New accounts need an email and private key to start.
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	myUser := MyUser{
+		Email: email,
+		key:   privateKey,
+	}
+
+	config := lego.NewConfig(&myUser)
+
+	// This CA URL is configured for a local dev instance of Boulder running in Docker in a VM.
+	config.CADirURL = acmeURL
+	// config.Certificate.KeyType = certcrypto.RSA2048
+
+	// A client facilitates communication with the CA server.
+	client, err := lego.NewClient(config)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	client.Challenge.SetTLSALPN01Provider(tlsalpn01.NewProviderServer("", "443"))
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	// New users will need to register
+	reg, err := client.Registration.Register(registration.RegisterOptions{TermsOfServiceAgreed: true})
+	if err != nil {
+		log.Fatal(err)
+	}
+	myUser.Registration = reg
+
+	request := certificate.ObtainRequest{
+		Domains:    []string{domain},
+		PrivateKey: key,
+	}
+
+	certificates, err := client.Certificate.Obtain(request)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	return certificates
+}