refactoring MU RA functions for better readability. try to extract cl…

…ient pubkey form cert. builds but fails
integritee-network · brenzi · Oct 26, 2023 · Oct 11, 2023 · Oct 11, 2023 · Oct 11, 2023
commit d5ce0c7f01a2c3372332900766a66230609ee15a
diff --git a/core-primitives/attestation-handler/src/cert.rs b/core-primitives/attestation-handler/src/cert.rs
@@ -234,6 +234,31 @@ pub fn percent_decode(orig: String) -> EnclaveResult<String> {
 	Ok(ret)
 }
 
+pub fn parse_cert_issuer(cert_der: &[u8]) -> SgxResult<Vec<u8>> {
+	// Before we reach here, Webpki already verified the cert is properly signed
+
+	// Search for Public Key prime256v1 OID
+	let prime256v1_oid = &[0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07];
+	let mut offset = cert_der
+		.windows(prime256v1_oid.len())
+		.position(|window| window == prime256v1_oid)
+		.ok_or(sgx_status_t::SGX_ERROR_UNEXPECTED)?;
+	offset += 11; // 10 + TAG (0x03)
+
+	// Obtain Public Key length
+	let mut len = cert_der[offset] as usize;
+	if len > 0x80 {
+		len = (cert_der[offset + 1] as usize) * 0x100 + (cert_der[offset + 2] as usize);
+		offset += 2;
+	}
+
+	// Obtain Public Key
+	offset += 1;
+	let pub_k = cert_der[offset + 2..offset + len].to_vec(); // skip "00 04"
+
+	Ok(pub_k)
+}
+
 // FIXME: This code is redundant with the host call of the integritee-node
 pub fn verify_mra_cert<A>(
 	cert_der: &[u8],
@@ -346,6 +371,7 @@ where
 		verify_attn_report(attn_report_raw, pub_k, attestation_ocall)
 	} else {
 		// TODO Refactor state provisioning to not use MURA #1385
+		// TODO DCAP is currently just passed through! SECURITY!!!
 		Ok(())
 	}
 }

diff --git a/enclave-runtime/Cargo.lock b/enclave-runtime/Cargo.lock
@@ -4885,7 +4885,7 @@ version = "1.6.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "97fee6b57c6a41524a810daee9286c02d7752c4253064d0b05472833a438f675"
 dependencies = [
- "cfg-if 0.1.10",
+ "cfg-if 1.0.0",
  "digest 0.10.7",
  "static_assertions",
 ]

diff --git a/enclave-runtime/src/tls_ra/tls_ra_client.rs b/enclave-runtime/src/tls_ra/tls_ra_client.rs
@@ -270,7 +270,7 @@ fn tls_client_config<A: EnclaveAttestationOCallApi + 'static>(
 	#[cfg(feature = "dcap")]
 	let attestation_type = RemoteAttestationType::Dcap;
 
-	// report will be signed with enclave ed25519 signing key
+	// report will be signed with client enclave ed25519 signing key
 	let (key_der, cert_der) = create_ra_report_and_signature(
 		skip_ra,
 		attestation_type,
@@ -285,6 +285,7 @@ fn tls_client_config<A: EnclaveAttestationOCallApi + 'static>(
 	let privkey = rustls::PrivateKey(key_der);
 
 	cfg.set_single_client_cert(certs, privkey).unwrap();
+	// ServerAuth will perform MU RA as part of authentication process
 	cfg.dangerous()
 		.set_certificate_verifier(Arc::new(ServerAuth::new(true, skip_ra, ocall_api)));
 	cfg.versions.clear();

diff --git a/enclave-runtime/src/tls_ra/tls_ra_server.rs b/enclave-runtime/src/tls_ra/tls_ra_server.rs
@@ -29,13 +29,13 @@ use crate::{
 	tls_ra::seal_handler::UnsealStateAndKeys,
 	GLOBAL_STATE_HANDLER_COMPONENT,
 };
-use itp_attestation_handler::RemoteAttestationType;
+use itp_attestation_handler::{cert::parse_cert_issuer, RemoteAttestationType};
 use itp_component_container::ComponentGetter;
 use itp_ocall_api::EnclaveAttestationOCallApi;
 use itp_settings::worker_mode::{ProvideWorkerMode, WorkerMode, WorkerModeProvider};
 use itp_types::ShardIdentifier;
 use log::*;
-use rustls::{ServerConfig, ServerSession, StreamOwned};
+use rustls::{ServerConfig, ServerSession, Session, StreamOwned};
 use sgx_types::*;
 use std::{
 	backtrace::{self, PrintFormat},
@@ -82,25 +82,29 @@ where
 	}
 
 	/// Sends all relevant data of the specific shard to the client.
-	fn write_shard(&mut self) -> EnclaveResult<()> {
-		println!("    [Enclave] (MU-RA-Server) write_shard, calling read_shard()");
-		let shard = self.read_shard()?;
-		println!("    [Enclave] (MU-RA-Server) write_shard, read_shard() OK");
-		println!("    [Enclave] (MU-RA-Server) write_shard, write_all()");
-		self.write_all(&shard)
+	fn handle_shard_request_from_client(&mut self) -> EnclaveResult<()> {
+		println!(
+			"    [Enclave] (MU-RA-Server) handle_shard_request_from_client, calling read_shard()"
+		);
+		let shard = self.await_shard_request_from_client()?;
+		println!("    [Enclave] (MU-RA-Server) handle_shard_request_from_client, await_shard_request_from_client() OK");
+		println!("    [Enclave] (MU-RA-Server) handle_shard_request_from_client, write_all()");
+		self.write_provisioning_payloads(&shard)
 	}
 
 	/// Read the shard of the state the client wants to receive.
-	fn read_shard(&mut self) -> EnclaveResult<ShardIdentifier> {
+	fn await_shard_request_from_client(&mut self) -> EnclaveResult<ShardIdentifier> {
 		let mut shard_holder = ShardIdentifier::default();
 		let shard = shard_holder.as_fixed_bytes_mut();
-		println!("    [Enclave] (MU-RA-Server) read_shard, calling read_exact()");
+		println!(
+			"    [Enclave] (MU-RA-Server) await_shard_request_from_client, calling read_exact()"
+		);
 		self.tls_stream.read_exact(shard)?;
 		Ok(shard.into())
 	}
 
 	/// Sends all relevant data to the client.
-	fn write_all(&mut self, shard: &ShardIdentifier) -> EnclaveResult<()> {
+	fn write_provisioning_payloads(&mut self, shard: &ShardIdentifier) -> EnclaveResult<()> {
 		debug!("Provisioning is set to: {:?}", self.provisioning_payload);
 		match self.provisioning_payload {
 			ProvisioningPayload::Everything => {
@@ -248,14 +252,34 @@ pub(crate) fn run_state_provisioning_server_internal<
 		skip_ra == 1,
 	)?;
 	let (server_session, tcp_stream) = tls_server_session_stream(socket_fd, server_config)?;
+
+	let client_signer = if let Some(cert_chain) = server_session.get_peer_certificates() {
+		if !cert_chain.is_empty() {
+			// Assuming the leaf certificate is the first in the list
+			parse_cert_issuer(&cert_chain[0].0)?
+		} else {
+			return Err(EnclaveError::Other("no certificates found".into()))
+		}
+	} else {
+		return Err(EnclaveError::Other("get peer certificates failed".into()))
+	};
+	info!("client signer (issuer) is: 0x{}", hex::encode(client_signer.clone()));
+
+	// todo: verify client signer belongs to a registered enclave on integritee network with a
+	// matching or whitelisted MRENCLAVE as replacement for MU RA #1385
+
 	let provisioning = ProvisioningPayload::from(WorkerModeProvider::worker_mode());
 
 	let mut server =
 		TlsServer::new(StreamOwned::new(server_session, tcp_stream), seal_handler, provisioning);
 
 	println!("    [Enclave] (MU-RA-Server) MU-RA successful sending keys");
-	println!("    [Enclave] (MU-RA-Server) MU-RA successful, calling write_shard()");
-	server.write_shard()
+	println!(
+		"    [Enclave] (MU-RA-Server) MU-RA successful, calling handle_shard_request_from_client()"
+	);
+	server.handle_shard_request_from_client()
+
+	// todo! add client account as a proxy to shard vault account
 }
 
 fn tls_server_session_stream(
@@ -279,7 +303,7 @@ fn tls_server_config<A: EnclaveAttestationOCallApi + 'static>(
 	#[cfg(feature = "dcap")]
 	let attestation_type = RemoteAttestationType::Dcap;
 
-	// report will be signed with enclave ed25519 signing key
+	// report will be signed with server enclave ed25519 signing key
 	let (key_der, cert_der) = create_ra_report_and_signature(
 		skip_ra,
 		attestation_type,
@@ -288,6 +312,7 @@ fn tls_server_config<A: EnclaveAttestationOCallApi + 'static>(
 		quote_size,
 	)?;
 
+	// ClientAuth will perform MU RA as part of authentication process
 	let mut cfg = rustls::ServerConfig::new(Arc::new(ClientAuth::new(true, skip_ra, ocall_api)));
 	let certs = vec![rustls::Certificate(cert_der)];
 	let privkey = rustls::PrivateKey(key_der);