manage proxied vault account per shard #1467
…ient pubkey from cert. builds but fails
…n't behave as expected. pubkeys don't match and fill all 64 bytes
| verify_attn_report(attn_report_raw, pub_k, attestation_ocall) | ||
| } else { | ||
| // TODO Refactor state provisioning to not use MURA #1385 | ||
| // TODO DCAP is currently just passed through! SECURITY!!! |
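Review bot: the `else` branch marked `// TODO DCAP is currently just passed through! SECURITY!!!` skips the check the other branch performs with `verify_attn_report(attn_report_raw, pub_k, attestation_ocall)`, so by the TODO's own account the DCAP case is accepted without verification. Until #1385 is done, this branch should fail closed (return an error) unless an explicit non-production opt-in is set, and it should log a warning each time the unverified path is taken.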
I wasn't aware that our MU RA is insecure for DCAP. Increases the urgency for #1385
| Ok(ret) | ||
| } | ||
|
|
||
| pub fn parse_cert_issuer(cert_der: &[u8]) -> SgxResult<Vec<u8>> { |
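Review bot: `parse_cert_issuer` is `pub` and takes raw `cert_der` bytes, but neither the signature nor a doc comment says what the returned `Vec<u8>` holds (the DER-encoded issuer name, a single attribute, something else) or which `SgxResult` error malformed input produces. A doc comment stating both, plus a unit test with a truncated certificate, would make the function safe to pick up later.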
this is currently not used. I wrote it because I tried to derive the MU RA client from the TLS certificate. fell back to passing it as a payload instead. Still, I think this fn might be useful on its own. webpki and rustls hide the issuer all too well behind private fields
| ExtrinsicsFactory { genesis_hash, signer, nonce_cache, node_metadata_repository } | ||
| } | ||
|
|
||
| pub fn with_signer(&self, signer: Signer, nonce_cache: Arc<NonceCache>) -> Self { |
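Review bot: `with_signer` takes `signer` and `nonce_cache` as two independent arguments, so nothing stops a caller from pairing the new signer with the nonce cache of another account, which would produce extrinsics with wrong nonces. Document that the cache must belong to `signer`, or create a fresh cache for the new signer inside the function.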
this allows the enclave to send extrinsics using arbitrary signers (closes #1466)
| &self, | ||
| extrinsics: Vec<OpaqueExtrinsic>, | ||
| parentchain_id: &ParentchainId, | ||
| await_each_inclusion: bool, |
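Review bot: `await_each_inclusion: bool` is a bare flag, so call sites will read as an unexplained `true` or `false`. Add a doc comment on the parameter saying what is waited for and what happens if an extrinsic is never included (timeout or error), or replace the bool with a two-variant enum.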
necessary to wait for vault to be created before trying to send an extrinsic as vault
clangenb
left a comment
Nice, looks good to me in general, only minor stuff!
clangenb
left a comment
LGTM!
closes #1253
closes #1466
Register a shard vault account on Integritee parentchain (no multichain option yet for this) and register every new shard worker as a proxy
Also added draft doc diagrams on the way that helped me find my way
testing
run node:
./target/release/integritee-node --dev --unsafe-ws-external --rpc-cors all
build worker as sidechain
SGX_MODE=SW WORKER_MODE=sidechain WORKER_FEATURES=dcap make
run first worker
verify the following events are issued:
teerex.AddedSgxEnclave
balances.Endowed: creating the vault account
proxy.ProxyAdded: registering enclave signer as a proxy of vault
You'll also see plenty of enclaveBridge.ProcessedParentchainBlock and sidechain.FinalizedSidechainBlock. don't care!
now, run second worker provisioning
./integritee-service -u ws://172.17.0.1 -r 3444 -P 2100 -h 2110 -w 2101 -i 8788 -c -d /tmp/worker2 request-state --skip-ra &> worker2.log
verify the following events are issued:
proxy.ProxyAdded: adding the second worker enclave account as a proxy for vault
then, test unshielding (replace mrenclave with yours)
verify the following events are issued:
enclaveBridge.ShieldFunds
then unshield:
./integritee-cli -u ws://172.17.0.1 trusted --mrenclave $MRENCLAVE --direct unshield-funds //Alice //Alice 1000000000000
verify the following events are issued:
proxy.ProxyExecuted
don't care this fails because we're unshielding funds which never went into the vault account. to be solved later: safely unshield using balances.transfer on parentchain #1257