diff --git a/Cargo.lock b/Cargo.lock index 4d30a7d..2fbed56 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1578,17 +1578,6 @@ dependencies = [ "windows-sys 0.59.0", ] -[[package]] -name = "hostname" -version = "0.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c731c3e10504cc8ed35cfe2f1db4c9274c3d35fa486e3b31df46f068ef3e867" -dependencies = [ - "libc", - "match_cfg", - "winapi", -] - [[package]] name = "http" version = "1.2.0" @@ -2504,19 +2493,16 @@ dependencies = [ [[package]] name = "ic_tee_agent" -version = "0.2.0" +version = "0.2.1" dependencies = [ "axum", "base64 0.22.1", "bytes", "candid", "ciborium", - "const-hex", "ed25519-consensus", "ic-agent", "ic-canister-sig-creation", - "ic-crypto-ed25519", - "ic-crypto-secp256k1", "ic-crypto-standalone-sig-verifier", "ic-types", "ic_cose", @@ -2531,12 +2517,11 @@ dependencies = [ "structured-logger", "thiserror 2.0.9", "tokio", - "x25519-dalek", ] [[package]] name = "ic_tee_cdk" -version = "0.2.0" +version = "0.2.1" dependencies = [ "candid", "ciborium", @@ -2544,12 +2529,11 @@ dependencies = [ "ic-canister-sig-creation", "serde", "serde_bytes", - "sha3", ] [[package]] name = "ic_tee_cli" -version = "0.2.0" +version = "0.2.1" dependencies = [ "anyhow", "candid", @@ -2572,11 +2556,10 @@ dependencies = [ [[package]] name = "ic_tee_host_daemon" -version = "0.2.0" +version = "0.2.1" dependencies = [ "anyhow", "clap", - "futures", "libc", "log", "structured-logger", @@ -2586,7 +2569,7 @@ dependencies = [ [[package]] name = "ic_tee_identity" -version = "0.2.0" +version = "0.2.1" dependencies = [ "candid", "ciborium", @@ -2604,7 +2587,7 @@ dependencies = [ [[package]] name = "ic_tee_logtail" -version = "0.2.0" +version = "0.2.1" dependencies = [ "anyhow", "clap", @@ -2615,7 +2598,7 @@ dependencies = [ [[package]] name = "ic_tee_nitro_attestation" -version = "0.2.0" +version = "0.2.1" dependencies = [ "candid", "ciborium", @@ -2631,7 +2614,7 @@ dependencies = [ [[package]] name = "ic_tee_nitro_gateway" -version = "0.2.0" +version = "0.2.1" dependencies = [ "anyhow", "aws-nitro-enclaves-nsm-api", @@ -2644,6 +2627,8 @@ dependencies = [ "ed25519-consensus", "hyper-util", "ic-agent", + "ic-crypto-ed25519", + "ic-crypto-secp256k1", "ic_cose", "ic_cose_types", "ic_tee_agent", @@ -2652,12 +2637,10 @@ dependencies = [ "log", "reqwest", "rustls", - "serde", "serde_bytes", "structured-logger", "tokio", "tokio-util", - "xid", ] [[package]] @@ -3012,24 +2995,12 @@ version = "1.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3e2e65a1a2e43cfcb47a895c4c8b10d1f4a61097f9f254f183aee60cad9c651d" -[[package]] -name = "match_cfg" -version = "0.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffbee8634e0d45d258acb448e7eaab3fce7a0a467395d4d9f228e3c1f01fb2e4" - [[package]] name = "matchit" version = "0.7.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0e7465ac9959cc2b1404e8e2367b43684a6d13790fe23056cc8c6c5a6b7bcb94" -[[package]] -name = "md5" -version = "0.7.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "490cc448043f947bae3cbee9c203358d62dbee0db12107a74be5c30ccfd09771" - [[package]] name = "memchr" version = "2.7.4" @@ -3936,15 +3907,6 @@ version = "1.0.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f" -[[package]] -name = "same-file" -version = "1.0.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502" -dependencies = [ - "winapi-util", -] - [[package]] name = "schannel" version = "0.1.27" @@ -4480,19 +4442,6 @@ dependencies = [ "syn 2.0.95", ] -[[package]] -name = "sysctl" -version = "0.4.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "225e483f02d0ad107168dc57381a8a40c3aeea6abe47f37506931f861643cfa8" -dependencies = [ - "bitflags 1.3.2", - "byteorder", - "libc", - "thiserror 1.0.69", - "walkdir", -] - [[package]] name = "system-configuration" version = "0.6.1" @@ -4632,9 +4581,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.42.0" +version = "1.43.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5cec9b21b0450273377fc97bd4c33a8acffc8c996c987a7c5b319a0083707551" +checksum = "3d61fa4ffa3de412bfea335c6ecff681de2b609ba3c77ef3e00e521813a9ed9e" dependencies = [ "backtrace", "bytes", @@ -4650,9 +4599,9 @@ dependencies = [ [[package]] name = "tokio-macros" -version = "2.4.0" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "693d596312e88961bc67d7f1f97af8a70227d9f90c31bba5806eec004978d752" +checksum = "6e06d43f1345a3bcd39f6a56dbb7dcab2ba47e68e8ac134855e7e2bdbaf8cab8" dependencies = [ "proc-macro2", "quote", @@ -4935,16 +4884,6 @@ dependencies = [ "nix 0.29.0", ] -[[package]] -name = "walkdir" -version = "2.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b" -dependencies = [ - "same-file", - "winapi-util", -] - [[package]] name = "want" version = "0.3.1" @@ -5081,37 +5020,6 @@ dependencies = [ "rustix", ] -[[package]] -name = "winapi" -version = "0.3.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419" -dependencies = [ - "winapi-i686-pc-windows-gnu", - "winapi-x86_64-pc-windows-gnu", -] - -[[package]] -name = "winapi-i686-pc-windows-gnu" -version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" - -[[package]] -name = "winapi-util" -version = "0.1.9" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb" -dependencies = [ - "windows-sys 0.59.0", -] - -[[package]] -name = "winapi-x86_64-pc-windows-gnu" -version = "0.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f" - [[package]] name = "windows-core" version = "0.52.0" @@ -5233,15 +5141,6 @@ version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" -[[package]] -name = "winreg" -version = "0.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d107f8c6e916235c4c01cabb3e8acf7bea8ef6a63ca2e7fa0527c049badfc48c" -dependencies = [ - "winapi", -] - [[package]] name = "write16" version = "1.0.0" @@ -5284,22 +5183,6 @@ dependencies = [ "time", ] -[[package]] -name = "xid" -version = "1.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3752a194518cdee5d019812fb7978c51d8f0b7cfe9ace5983df1780964bb84c0" -dependencies = [ - "crc32fast", - "hostname", - "md5", - "once_cell", - "rand", - "sysctl", - "thiserror 1.0.69", - "winreg", -] - [[package]] name = "yansi" version = "1.0.1" diff --git a/Cargo.toml b/Cargo.toml index c8b4e17..94df290 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -18,7 +18,7 @@ strip = true opt-level = 's' [workspace.package] -version = "0.2.0" +version = "0.2.1" edition = "2021" repository = "https://github.com/ldclabs/ic-tee" keywords = ["tee", "canister", "icp", "nitro"] @@ -43,13 +43,11 @@ clap = { version = "4.5", features = ["derive"] } candid = "0.10" ciborium = "0.2" const-hex = "1" -futures = "0.3" lazy_static = "1.5" serde = "1" serde_json = "1" serde_bytes = "0.11" sha2 = "0.10" -sha3 = "0.10" ic-cdk = "0.17" ic-stable-structures = "0.6" ic-canister-sig-creation = "1.1" @@ -61,7 +59,6 @@ getrandom = { version = "0.2", features = ["custom"] } coset = "0.3" x509-parser = { version = "0.16" } ed25519-consensus = "2.1" -x25519-dalek = { version = "2", features = ["static_secrets"] } rand = "0.8" tokio = { version = "1", features = ["full"] } tokio-util = "0.7" @@ -83,7 +80,6 @@ reqwest = { version = "0.12", features = [ ], default-features = true } libc = "0.2" thiserror = "2" -xid = "1.1" ic-types = { git = "https://github.com/dfinity/ic/", rev = "5d202894864f4db4a5a46f44422aebc80c3d321b" } ic-crypto-standalone-sig-verifier = { git = "https://github.com/dfinity/ic/", rev = "5d202894864f4db4a5a46f44422aebc80c3d321b" } ic-crypto-secp256k1 = { git = "https://github.com/dfinity/ic/", rev = "5d202894864f4db4a5a46f44422aebc80c3d321b" } diff --git a/canister_ids.json b/canister_ids.json index a91238b..9a87b7f 100644 --- a/canister_ids.json +++ b/canister_ids.json @@ -1,5 +1,9 @@ { + "__Candid_UI": { + "local": "bw4dl-smaaa-aaaaa-qaacq-cai" + }, "ic_tee_identity": { - "ic": "e7tgb-6aaaa-aaaap-akqfa-cai" + "ic": "e7tgb-6aaaa-aaaap-akqfa-cai", + "local": "e7tgb-6aaaa-aaaap-akqfa-cai" } } \ No newline at end of file diff --git a/src/ic_tee_agent/Cargo.toml b/src/ic_tee_agent/Cargo.toml index 1d3bf21..785f413 100644 --- a/src/ic_tee_agent/Cargo.toml +++ b/src/ic_tee_agent/Cargo.toml @@ -14,7 +14,6 @@ ic_tee_cdk = { path = "../ic_tee_cdk", version = "0.2" } base64 = { workspace = true } candid = { workspace = true } ed25519-consensus = { workspace = true } -x25519-dalek = { workspace = true } ciborium = { workspace = true } serde = { workspace = true } serde_json = { workspace = true } @@ -32,9 +31,6 @@ ic_cose_types = { workspace = true } ic-types = { workspace = true } ic-canister-sig-creation = { workspace = true } ic-crypto-standalone-sig-verifier = { workspace = true } -ic-crypto-secp256k1 = { workspace = true } -ic-crypto-ed25519 = { workspace = true } [dev-dependencies] -const-hex = { workspace = true } structured-logger = { workspace = true } diff --git a/src/ic_tee_agent/src/agent.rs b/src/ic_tee_agent/src/agent.rs index 4753b57..cbbc7f7 100644 --- a/src/ic_tee_agent/src/agent.rs +++ b/src/ic_tee_agent/src/agent.rs @@ -10,21 +10,20 @@ use ic_cose_types::{ cose::format_error, types::{ setting::{CreateSettingInput, CreateSettingOutput, SettingInfo}, - ECDHInput, ECDHOutput, SettingPath, SignDelegationInput, + SettingPath, SignDelegationInput, }, }; use ic_tee_cdk::{Delegation, SignInResponse, SignedDelegation}; -use serde_bytes::{ByteArray, ByteBuf}; +use serde_bytes::ByteBuf; use std::sync::Arc; use tokio::sync::RwLock; -use crate::{crypto, BasicIdentity, TEEIdentity}; +use crate::{BasicIdentity, TEEIdentity}; #[derive(Clone)] pub struct TEEAgent { agents: Arc>, auth_canister: Principal, - root_secret: [u8; 48], } struct Agents { @@ -47,7 +46,6 @@ impl TEEAgent { host: &str, authentication_canister: Principal, configuration_canister: Principal, - root_secret: [u8; 48], ) -> Result { let identity = TEEIdentity::new(); let agent = Agent::builder() @@ -68,85 +66,9 @@ impl TEEAgent { Ok(Self { auth_canister: authentication_canister, agents: Arc::new(RwLock::new(agents)), - root_secret, }) } - pub fn set_root_secret(&mut self, root_secret: [u8; 48]) { - self.root_secret = root_secret; - } - - pub fn a256gcm_key(&self, derivation_path: Vec) -> ByteArray<32> { - crypto::a256gcm_key( - &self.root_secret, - derivation_path.into_iter().map(|v| v.into_vec()).collect(), - ) - } - - pub fn a256gcm_ecdh_key( - &self, - derivation_path: Vec, - ecdh: &ECDHInput, - ) -> ECDHOutput { - crypto::a256gcm_ecdh_key( - &self.root_secret, - derivation_path.into_iter().map(|v| v.into_vec()).collect(), - ecdh, - ) - } - - pub fn ed25519_sign_message(&self, derivation_path: Vec, msg: &[u8]) -> ByteArray<64> { - crypto::ed25519_sign_message( - &self.root_secret, - derivation_path.into_iter().map(|v| v.into_vec()).collect(), - msg, - ) - } - - pub fn ed25519_public_key( - &self, - derivation_path: Vec, - ) -> (ByteArray<32>, ByteArray<32>) { - crypto::ed25519_public_key( - &self.root_secret, - derivation_path.into_iter().map(|v| v.into_vec()).collect(), - ) - } - - pub fn secp256k1_sign_message_bip340( - &self, - derivation_path: Vec, - msg: &[u8], - ) -> ByteArray<64> { - crypto::secp256k1_sign_message_bip340( - &self.root_secret, - derivation_path.into_iter().map(|v| v.into_vec()).collect(), - msg, - ) - } - - pub fn secp256k1_sign_message_ecdsa( - &self, - derivation_path: Vec, - msg: &[u8], - ) -> ByteArray<64> { - crypto::secp256k1_sign_message_ecdsa( - &self.root_secret, - derivation_path.into_iter().map(|v| v.into_vec()).collect(), - msg, - ) - } - - pub fn secp256k1_public_key( - &self, - derivation_path: Vec, - ) -> (ByteArray<33>, ByteArray<32>) { - crypto::secp256k1_public_key( - &self.root_secret, - derivation_path.into_iter().map(|v| v.into_vec()).collect(), - ) - } - pub async fn get_principal(&self) -> Principal { self.agents.read().await.identity.get_principal() } diff --git a/src/ic_tee_agent/src/lib.rs b/src/ic_tee_agent/src/lib.rs index b2d29a6..19f066a 100644 --- a/src/ic_tee_agent/src/lib.rs +++ b/src/ic_tee_agent/src/lib.rs @@ -2,7 +2,6 @@ use serde::{Deserialize, Serialize}; use serde_bytes::ByteBuf; pub mod agent; -pub mod crypto; pub mod http; pub mod identity; pub mod setting; diff --git a/src/ic_tee_cdk/Cargo.toml b/src/ic_tee_cdk/Cargo.toml index 4a6d1e3..190f4c7 100644 --- a/src/ic_tee_cdk/Cargo.toml +++ b/src/ic_tee_cdk/Cargo.toml @@ -14,7 +14,6 @@ candid = { workspace = true } ciborium = { workspace = true } serde = { workspace = true } serde_bytes = { workspace = true } -sha3 = { workspace = true } ic-canister-sig-creation = { workspace = true } [dev-dependencies] diff --git a/src/ic_tee_host_daemon/Cargo.toml b/src/ic_tee_host_daemon/Cargo.toml index ab38159..b5b4ccc 100644 --- a/src/ic_tee_host_daemon/Cargo.toml +++ b/src/ic_tee_host_daemon/Cargo.toml @@ -9,7 +9,6 @@ categories.workspace = true license.workspace = true [dependencies] -futures = { workspace = true } tokio = { workspace = true } tokio-vsock = { workspace = true } anyhow = { workspace = true } diff --git a/src/ic_tee_nitro_gateway/Cargo.toml b/src/ic_tee_nitro_gateway/Cargo.toml index 9bbbc4e..56d9a4b 100644 --- a/src/ic_tee_nitro_gateway/Cargo.toml +++ b/src/ic_tee_nitro_gateway/Cargo.toml @@ -19,7 +19,6 @@ ciborium = { workspace = true } tokio = { workspace = true } tokio-util = { workspace = true } candid = { workspace = true } -serde = { workspace = true } serde_bytes = { workspace = true } aws-nitro-enclaves-nsm-api = { workspace = true } log = { workspace = true } @@ -30,7 +29,8 @@ ic_cose_types = { workspace = true } ic-agent = { workspace = true } ed25519-consensus = { workspace = true } rustls = { workspace = true, features = ["ring"] } -xid = { workspace = true } +ic-crypto-secp256k1 = { workspace = true } +ic-crypto-ed25519 = { workspace = true } ic_tee_cdk = { path = "../ic_tee_cdk", version = "0.2" } ic_tee_agent = { path = "../ic_tee_agent", version = "0.2" } ic_tee_nitro_attestation = { path = "../ic_tee_nitro_attestation", version = "0.2" } diff --git a/src/ic_tee_agent/src/crypto.rs b/src/ic_tee_nitro_gateway/src/crypto.rs similarity index 100% rename from src/ic_tee_agent/src/crypto.rs rename to src/ic_tee_nitro_gateway/src/crypto.rs diff --git a/src/ic_tee_nitro_gateway/src/handler.rs b/src/ic_tee_nitro_gateway/src/handler.rs index cd3f238..1995e11 100644 --- a/src/ic_tee_nitro_gateway/src/handler.rs +++ b/src/ic_tee_nitro_gateway/src/handler.rs @@ -6,7 +6,10 @@ use axum::{ }; use ciborium::from_reader; use hyper_util::{client::legacy::connect::HttpConnector, rt::TokioExecutor}; -use ic_cose_types::{format_error, to_cbor_bytes, types::ECDHInput}; +use ic_cose_types::{ + format_error, to_cbor_bytes, + types::{ECDHInput, ECDHOutput}, +}; use ic_tee_agent::{ agent::TEEAgent, http::{ @@ -21,11 +24,11 @@ use ic_tee_cdk::{ CanisterRequest, TEEAppInformation, TEEAppInformationJSON, TEEAttestation, TEEAttestationJSON, }; use ic_tee_nitro_attestation::AttestationRequest; -use serde_bytes::ByteBuf; +use serde_bytes::{ByteArray, ByteBuf}; use std::sync::Arc; use structured_logger::unix_ms; -use crate::{attestation::sign_attestation, TEE_KIND}; +use crate::{attestation::sign_attestation, crypto, TEE_KIND}; type Client = hyper_util::client::legacy::Client; @@ -36,10 +39,100 @@ pub fn new_client() -> Client { #[derive(Clone)] pub struct AppState { - pub info: Arc, - pub http_client: Arc, - pub tee_agent: Arc, - pub upstream_port: Option, + info: Arc, + http_client: Arc, + tee_agent: Arc, + root_secret: [u8; 48], + upstream_port: Option, +} + +impl AppState { + pub fn new( + info: Arc, + http_client: Arc, + tee_agent: Arc, + root_secret: [u8; 48], + upstream_port: Option, + ) -> Self { + Self { + info, + http_client, + tee_agent, + root_secret, + upstream_port, + } + } + + pub fn a256gcm_key(&self, derivation_path: Vec) -> ByteArray<32> { + crypto::a256gcm_key( + &self.root_secret, + derivation_path.into_iter().map(|v| v.into_vec()).collect(), + ) + } + + pub fn a256gcm_ecdh_key( + &self, + derivation_path: Vec, + ecdh: &ECDHInput, + ) -> ECDHOutput { + crypto::a256gcm_ecdh_key( + &self.root_secret, + derivation_path.into_iter().map(|v| v.into_vec()).collect(), + ecdh, + ) + } + + pub fn ed25519_sign_message(&self, derivation_path: Vec, msg: &[u8]) -> ByteArray<64> { + crypto::ed25519_sign_message( + &self.root_secret, + derivation_path.into_iter().map(|v| v.into_vec()).collect(), + msg, + ) + } + + pub fn ed25519_public_key( + &self, + derivation_path: Vec, + ) -> (ByteArray<32>, ByteArray<32>) { + crypto::ed25519_public_key( + &self.root_secret, + derivation_path.into_iter().map(|v| v.into_vec()).collect(), + ) + } + + pub fn secp256k1_sign_message_bip340( + &self, + derivation_path: Vec, + msg: &[u8], + ) -> ByteArray<64> { + crypto::secp256k1_sign_message_bip340( + &self.root_secret, + derivation_path.into_iter().map(|v| v.into_vec()).collect(), + msg, + ) + } + + pub fn secp256k1_sign_message_ecdsa( + &self, + derivation_path: Vec, + msg: &[u8], + ) -> ByteArray<64> { + crypto::secp256k1_sign_message_ecdsa( + &self.root_secret, + derivation_path.into_iter().map(|v| v.into_vec()).collect(), + msg, + ) + } + + pub fn secp256k1_public_key( + &self, + derivation_path: Vec, + ) -> (ByteArray<33>, ByteArray<32>) { + crypto::secp256k1_public_key( + &self.root_secret, + derivation_path.into_iter().map(|v| v.into_vec()).collect(), + ) + } } /// local_server: GET /information @@ -209,7 +302,7 @@ pub async fn local_call_keys( ) -> impl IntoResponse { match ct { Content::CBOR(req, _) => { - let res = handle_keys_request(&req, app.tee_agent.as_ref()); + let res = handle_keys_request(&req, &app); Content::CBOR(res, None).into_response() } _ => StatusCode::UNSUPPORTED_MEDIA_TYPE.into_response(), @@ -308,48 +401,48 @@ pub async fn proxy( } } -fn handle_keys_request(req: &RPCRequest, agent: &TEEAgent) -> RPCResponse { +fn handle_keys_request(req: &RPCRequest, app: &AppState) -> RPCResponse { match req.method.as_str() { "a256gcm_key" => { let params: (Vec,) = from_reader(req.params.as_slice()).map_err(format_error)?; - let res = agent.a256gcm_key(params.0); + let res = app.a256gcm_key(params.0); Ok(to_cbor_bytes(&res).into()) } "a256gcm_ecdh_key" => { let params: (Vec, ECDHInput) = from_reader(req.params.as_slice()).map_err(format_error)?; - let res = agent.a256gcm_ecdh_key(params.0, ¶ms.1); + let res = app.a256gcm_ecdh_key(params.0, ¶ms.1); Ok(to_cbor_bytes(&res).into()) } "ed25519_sign_message" => { let params: (Vec, ByteBuf) = from_reader(req.params.as_slice()).map_err(format_error)?; - let res = agent.ed25519_sign_message(params.0, ¶ms.1); + let res = app.ed25519_sign_message(params.0, ¶ms.1); Ok(to_cbor_bytes(&res).into()) } "ed25519_public_key" => { let params: (Vec,) = from_reader(req.params.as_slice()).map_err(format_error)?; - let res = agent.ed25519_public_key(params.0); + let res = app.ed25519_public_key(params.0); Ok(to_cbor_bytes(&res).into()) } "secp256k1_sign_message_bip340" => { let params: (Vec, ByteBuf) = from_reader(req.params.as_slice()).map_err(format_error)?; - let res = agent.secp256k1_sign_message_bip340(params.0, ¶ms.1); + let res = app.secp256k1_sign_message_bip340(params.0, ¶ms.1); Ok(to_cbor_bytes(&res).into()) } "secp256k1_sign_message_ecdsa" => { let params: (Vec, ByteBuf) = from_reader(req.params.as_slice()).map_err(format_error)?; - let res = agent.secp256k1_sign_message_ecdsa(params.0, ¶ms.1); + let res = app.secp256k1_sign_message_ecdsa(params.0, ¶ms.1); Ok(to_cbor_bytes(&res).into()) } "secp256k1_public_key" => { let params: (Vec,) = from_reader(req.params.as_slice()).map_err(format_error)?; - let res = agent.secp256k1_public_key(params.0); + let res = app.secp256k1_public_key(params.0); Ok(to_cbor_bytes(&res).into()) } _ => Err(format!("unsupported method {}", req.method)), @@ -374,13 +467,14 @@ fn forbid_canister_request(req: &CanisterRequest, info: &TEEAppInformation) -> b #[cfg(test)] mod tests { use super::*; + use crate::crypto::decrypt_ecdh; use candid::{decode_args, encode_args, Principal}; use ic_cose::rand_bytes; use ic_cose_types::{ cose::ecdh, types::{state::StateInfo, ECDHOutput, SettingPath}, }; - use ic_tee_agent::{crypto::decrypt_ecdh, http::CONTENT_TYPE_CBOR}; + use ic_tee_agent::http::CONTENT_TYPE_CBOR; use ic_tee_cdk::CanisterResponse; static TEE_HOST: &str = "http://127.0.0.1:8080"; diff --git a/src/ic_tee_nitro_gateway/src/main.rs b/src/ic_tee_nitro_gateway/src/main.rs index 3c63150..c49fb3b 100644 --- a/src/ic_tee_nitro_gateway/src/main.rs +++ b/src/ic_tee_nitro_gateway/src/main.rs @@ -28,6 +28,7 @@ use tokio::{net::TcpStream, signal}; use tokio_util::sync::CancellationToken; mod attestation; +mod crypto; mod handler; use attestation::sign_attestation; @@ -129,7 +130,7 @@ async fn bootstrap(cli: Cli) -> Result<()> { .map_err(|err| anyhow::anyhow!("invalid identity_canister id: {}", err))?; let cose_canister = Principal::from_text(cli.cose_canister) .map_err(|err| anyhow::anyhow!("invalid cose_canister id: {}", err))?; - let mut tee_agent = TEEAgent::new(&cli.ic_host, identity_canister, cose_canister, [0u8; 48]) + let tee_agent = TEEAgent::new(&cli.ic_host, identity_canister, cose_canister) .await .map_err(anyhow::Error::msg)?; @@ -226,7 +227,6 @@ async fn bootstrap(cli: Cli) -> Result<()> { log::info!(target: LOG_TARGET, "start to get_or_set_root_secret"); let root_secret = get_or_set_root_secret(&tee_agent, &start, namespace.clone(), &master_secret).await?; - tee_agent.set_root_secret(root_secret); let info = TEEAppInformation { id: principal, @@ -310,12 +310,13 @@ async fn bootstrap(cli: Cli) -> Result<()> { routing::post(handler::local_update_canister), ) .route("/keys", routing::post(handler::local_call_keys)) - .with_state(handler::AppState { - info: info.clone(), - http_client: http_client.clone(), - tee_agent: tee_agent.clone(), - upstream_port: None, - }); + .with_state(handler::AppState::new( + info.clone(), + http_client.clone(), + tee_agent.clone(), + root_secret, + None, + )); let addr: SocketAddr = LOCAL_HTTP_ADDR.parse().map_err(anyhow::Error::new)?; let listener = tokio::net::TcpListener::bind(&addr) .await @@ -340,12 +341,13 @@ async fn bootstrap(cli: Cli) -> Result<()> { routing::get(handler::get_attestation), ) .route("/*any", routing::any(handler::proxy)) - .with_state(handler::AppState { - info: info.clone(), - http_client: http_client.clone(), - tee_agent: tee_agent.clone(), - upstream_port: cli.upstream_port, - }); + .with_state(handler::AppState::new( + info.clone(), + http_client.clone(), + tee_agent.clone(), + [0u8; 48], + None, + )); let addr: SocketAddr = PUBLIC_HTTP_ADDR.parse().map_err(anyhow::Error::new)?; if is_local {