From 8550d7dc428aec1fb044cfdb9c178f461ee5a7bf Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Tue, 23 May 2023 15:17:57 +0200 Subject: [PATCH 01/25] [itp-sgx-crypto] add `ToPubkey` and `AccessPubkey` traits --- .../sgx/crypto/src/key_repository.rs | 25 ++++++++++++++++++- core-primitives/sgx/crypto/src/traits.rs | 7 ++++++ 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/core-primitives/sgx/crypto/src/key_repository.rs b/core-primitives/sgx/crypto/src/key_repository.rs index 626321d0f8..5a9106dae7 100644 --- a/core-primitives/sgx/crypto/src/key_repository.rs +++ b/core-primitives/sgx/crypto/src/key_repository.rs @@ -21,7 +21,10 @@ use std::sync::SgxRwLock as RwLock; #[cfg(feature = "std")] use std::sync::RwLock; -use crate::error::{Error, Result}; +use crate::{ + error::{Error, Result}, + ToPubkey, +}; use itp_sgx_io::SealedIO; use std::sync::Arc; @@ -32,6 +35,13 @@ pub trait AccessKey { fn retrieve_key(&self) -> Result; } +/// Access a cryptographic public key. +pub trait AccessPubkey { + type KeyType; + + fn retrieve_pubkey(&self) -> Result; +} + /// Mutate a cryptographic key. pub trait MutateKey { fn update_key(&self, key: KeyType) -> Result<()>; @@ -62,6 +72,19 @@ where } } +impl AccessPubkey for KeyRepository +where + Pair: ToPubkey + Clone, + SealedIo: SealedIO, +{ + type KeyType = ::Pubkey; + + fn retrieve_pubkey(&self) -> Result { + let pair = self.key_lock.read().map_err(|_| Error::LockPoisoning).map(|l| l.clone())?; + pair.pubkey() + } +} + impl MutateKey for KeyRepository where KeyType: Clone, diff --git a/core-primitives/sgx/crypto/src/traits.rs b/core-primitives/sgx/crypto/src/traits.rs index fde231ff33..1d0aef5798 100644 --- a/core-primitives/sgx/crypto/src/traits.rs +++ b/core-primitives/sgx/crypto/src/traits.rs 
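Review bot: `retrieve_pubkey` in the `impl AccessPubkey for KeyRepository` hunk clones the whole key pair out of the read guard (`.map(|l| l.clone())?`) only to derive the public half, which leaves one more copy of the private key in enclave memory on every call. Calling the method on the guard avoids the copy and lets the `Clone` bound on `Pair` go, something like `self.key_lock.read().map_err(|_| Error::LockPoisoning)?.pubkey()`. The `ed25519::Pair` implementation of `pubkey()` added in PATCH 13/25 has the same shape with `Ok(self.clone().into())`; `Ok(self.public())` should give the same result without duplicating the secret, assuming the `Pair` trait is in scope in that file.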
@@ -33,3 +33,10 @@ pub trait ShieldingCryptoDecrypt { type Error: Debug; fn decrypt(&self, data: &[u8]) -> Result, Self::Error>; } + +pub trait ToPubkey { + type Error: Debug; + type Pubkey; + + fn pubkey(&self) -> Result; +} From 560c7870599a27b053e8c3344d789fa778b958ee Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Tue, 23 May 2023 15:19:13 +0200 Subject: [PATCH 02/25] [itp-sgx-crypto] refactor the Rsa3072 stuff to no longer use static file IO. --- core-primitives/sgx/crypto/src/rsa3072.rs | 108 ++++++++++++------- enclave-runtime/Cargo.lock | 1 + enclave-runtime/Cargo.toml | 5 + enclave-runtime/src/initialization/mod.rs | 14 +-- enclave-runtime/src/lib.rs | 15 ++- enclave-runtime/src/rpc/worker_api_direct.rs | 16 ++- enclave-runtime/src/test/direct_rpc_tests.rs | 9 +- local-setup/py/worker.py | 2 +- 8 files changed, 115 insertions(+), 55 deletions(-) diff --git a/core-primitives/sgx/crypto/src/rsa3072.rs b/core-primitives/sgx/crypto/src/rsa3072.rs index feb6d7204c..b4ce7c2a3e 100644 --- a/core-primitives/sgx/crypto/src/rsa3072.rs +++ b/core-primitives/sgx/crypto/src/rsa3072.rs @@ -20,6 +20,7 @@ use crate::sgx_reexport_prelude::*; use crate::{ error::{Error, Result}, traits::{ShieldingCryptoDecrypt, ShieldingCryptoEncrypt}, + ToPubkey, }; use sgx_crypto_helper::{ rsa3072::{Rsa3072KeyPair, Rsa3072PubKey}, 
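Review bot: `ToPubkey` is added as a public trait with no doc comment, while `AccessPubkey` from the previous file section has one. A short header would help implementers, for example `/// Derive the public key that belongs to this key pair.` on the trait and `/// Returns the public half; fails only if the underlying key export fails.` on `pubkey`. The second line is inferred from the `Rsa3072KeyPair` implementation later in this series and should be confirmed against the intended contract.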
@@ -64,56 +65,86 @@ impl ShieldingCryptoEncrypt for Rsa3072PubKey { } } +impl ToPubkey for Rsa3072KeyPair { + type Error = Error; + type Pubkey = Rsa3072PubKey; + + fn pubkey(&self) -> Result { + self.export_pubkey().map_err(|e| Error::Other(format!("{:?}", e).into())) + } +} + +pub trait RsaSealing { + fn unseal_pubkey(&self) -> Result; + + fn unseal_pair(&self) -> Result; + + fn exists(&self) -> bool; + + fn create_sealed_if_absent(&self) -> Result<()>; + + fn create_sealed(&self) -> Result<()>; +} + #[cfg(feature = "sgx")] pub mod sgx { use super::*; - use derive_more::Display; + use crate::key_repository::KeyRepository; use itp_settings::files::RSA3072_SEALED_KEY_FILE; - use itp_sgx_io::{seal, unseal, SealedIO, StaticSealedIO}; + use itp_sgx_io::{seal, unseal, SealedIO}; use log::*; - use std::sgxfs::SgxFile; + use std::{path::PathBuf, sgxfs::SgxFile}; + + pub fn get_rsa3072_repository( + path: PathBuf, + ) -> Result> { + let rsa_seal = Rsa3072Seal::new(path); + rsa_seal.create_sealed_if_absent()?; + let shielding_key = rsa_seal.unseal_pair()?; + Ok(KeyRepository::new(shielding_key, rsa_seal.into())) + } + + #[derive(Clone, Debug)] + pub struct Rsa3072Seal { + base_path: PathBuf, + } impl Rsa3072Seal { - pub fn unseal_pubkey() -> Result { - let pair = Self::unseal_from_static_file()?; - let pubkey = - pair.export_pubkey().map_err(|e| Error::Other(format!("{:?}", e).into()))?; - Ok(pubkey) + pub fn new(base_path: PathBuf) -> Self { + Self { base_path } } - } - pub fn create_sealed_if_absent() -> Result<()> { - if SgxFile::open(RSA3072_SEALED_KEY_FILE).is_err() { - info!("[Enclave] Keyfile not found, creating new! {}", RSA3072_SEALED_KEY_FILE); - return create_sealed() + pub fn path(&self) -> PathBuf { + self.base_path.join(RSA3072_SEALED_KEY_FILE) } - Ok(()) } - pub fn create_sealed() -> Result<()> { - let rsa_keypair = - Rsa3072KeyPair::new().map_err(|e| Error::Other(format!("{:?}", e).into()))?; - // println!("[Enclave] generated RSA3072 key pair. 
Cleartext: {}", rsa_key_json); - Rsa3072Seal::seal_to_static_file(&rsa_keypair) - } + impl RsaSealing for Rsa3072Seal { + fn unseal_pubkey(&self) -> Result { + self.unseal()?.pubkey() + } - #[derive(Copy, Clone, Debug, Display)] - pub struct Rsa3072Seal; + fn unseal_pair(&self) -> Result { + self.unseal() + } - impl StaticSealedIO for Rsa3072Seal { - type Error = Error; - type Unsealed = Rsa3072KeyPair; - fn unseal_from_static_file() -> Result { - let raw = unseal(RSA3072_SEALED_KEY_FILE)?; - let key: Rsa3072KeyPair = serde_json::from_slice(&raw) - .map_err(|e| Error::Other(format!("{:?}", e).into()))?; - Ok(key.into()) + fn exists(&self) -> bool { + SgxFile::open(self.path()).is_ok() } - fn seal_to_static_file(unsealed: &Self::Unsealed) -> Result<()> { - let key_json = serde_json::to_vec(&unsealed) - .map_err(|e| Error::Other(format!("{:?}", e).into()))?; - Ok(seal(&key_json, RSA3072_SEALED_KEY_FILE)?) + fn create_sealed_if_absent(&self) -> Result<()> { + if !self.exists() { + info!("Keyfile not found, creating new! {}", RSA3072_SEALED_KEY_FILE); + return self.create_sealed() + } + Ok(()) + } + + fn create_sealed(&self) -> Result<()> { + let rsa_keypair = + Rsa3072KeyPair::new().map_err(|e| Error::Other(format!("{:?}", e).into()))?; + // println!("[Enclave] generated RSA3072 key pair. Cleartext: {}", rsa_key_json); + self.seal(&rsa_keypair) } } @@ -122,11 +153,16 @@ pub mod sgx { type Unsealed = Rsa3072KeyPair; fn unseal(&self) -> Result { - Self::unseal_from_static_file() + let raw = unseal(self.path())?; + let key: Rsa3072KeyPair = serde_json::from_slice(&raw) + .map_err(|e| Error::Other(format!("{:?}", e).into()))?; + Ok(key.into()) } fn seal(&self, unsealed: &Self::Unsealed) -> Result<()> { - Self::seal_to_static_file(unsealed) + let key_json = serde_json::to_vec(&unsealed) + .map_err(|e| Error::Other(format!("{:?}", e).into()))?; + Ok(seal(&key_json, self.path())?) } } } 
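Review bot: `Rsa3072Seal::exists` reports the key file as absent whenever `SgxFile::open(self.path())` fails, so `create_sealed_if_absent` also runs `create_sealed` for a file that is present but cannot be opened, for example one sealed under a different enclave identity or damaged on disk. The existing shielding key is then presumably overwritten by `seal` and the key rotates without any error; failing closed when the path exists but cannot be opened keeps that case visible. `Ed25519Seal::exists` in PATCH 11/25 has the same shape, and that hunk also removes the earlier `Path::new(SEALED_SIGNER_SEED_FILE).exists()` panic that caught this case for the signer seed. The commented-out `println!` of the key-pair cleartext carried into `create_sealed` is better deleted than kept.

```rust
fn create_sealed_if_absent(&self) -> Result<()> {
    if self.exists() {
        return Ok(())
    }
    // A file that is present but cannot be opened must not be replaced by a new key.
    if self.path().exists() {
        return Err(Error::Other(
            format!("Keyfile {} exists but cannot be opened", self.path().display()).into(),
        ))
    }
    info!("Keyfile not found, creating new! {}", RSA3072_SEALED_KEY_FILE);
    self.create_sealed()
}
```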
diff --git a/enclave-runtime/Cargo.lock b/enclave-runtime/Cargo.lock index e0b665f47f..53ec4d4b40 100644 --- a/enclave-runtime/Cargo.lock +++ b/enclave-runtime/Cargo.lock @@ -701,6 +701,7 @@ dependencies = [ "itp-sgx-crypto", "itp-sgx-externalities", "itp-sgx-io", + "itp-sgx-temp-dir", "itp-stf-executor", "itp-stf-interface", "itp-stf-primitives", diff --git a/enclave-runtime/Cargo.toml b/enclave-runtime/Cargo.toml index f0e229c0e4..3faaa81fa0 100644 --- a/enclave-runtime/Cargo.toml +++ b/enclave-runtime/Cargo.toml @@ -34,6 +34,7 @@ test = [ "itp-attestation-handler/test", "itp-extrinsics-factory/mocks", "itp-sgx-crypto/mocks", + "itp-sgx-temp-dir", "itp-stf-executor/test", "itp-stf-executor/mocks", "itp-stf-state-handler/test", @@ -134,6 +135,10 @@ sp-core = { default-features = false, features = ["full_crypto"], git = "https:/ sp-runtime = { default-features = false, git = "https://github.com/paritytech/substrate.git", branch = "polkadot-v0.9.39" } sp-std = { default-features = false, git = "https://github.com/paritytech/substrate.git", branch = "polkadot-v0.9.39" } +# test-deps +itp-sgx-temp-dir = { version = "0.1", default-features = false, optional = true, path = "../core-primitives/sgx/temp-dir" } + + [patch.crates-io] env_logger = { git = "https://github.com/integritee-network/env_logger-sgx" } getrandom = { git = "https://github.com/integritee-network/getrandom-sgx", branch = "update-v2.3" } diff --git a/enclave-runtime/src/initialization/mod.rs b/enclave-runtime/src/initialization/mod.rs index aea45fcd23..8b4b049810 100644 --- a/enclave-runtime/src/initialization/mod.rs +++ b/enclave-runtime/src/initialization/mod.rs 
@@ -60,7 +60,7 @@ use itp_attestation_handler::IntelAttestationHandler; use itp_component_container::{ComponentGetter, ComponentInitializer}; use itp_primitives_cache::GLOBAL_PRIMITIVES_CACHE; use itp_settings::files::STATE_SNAPSHOTS_CACHE_SIZE; -use itp_sgx_crypto::{aes, ed25519, rsa3072, AesSeal, Ed25519Seal, Rsa3072Seal}; +use itp_sgx_crypto::{aes, ed25519, get_rsa3072_repository, AesSeal, Ed25519Seal}; use itp_sgx_io::StaticSealedIO; use itp_stf_state_handler::{ handle_state::HandleState, query_shard_state::QueryShardState, @@ -83,12 +83,7 @@ pub(crate) fn init_enclave(mu_ra_url: String, untrusted_worker_url: String) -> E let signer = Ed25519Seal::unseal_from_static_file().map_err(Error::Crypto)?; info!("[Enclave initialized] Ed25519 prim raw : {:?}", signer.public().0); - rsa3072::create_sealed_if_absent()?; - - let shielding_key = Rsa3072Seal::unseal_from_static_file()?; - - let shielding_key_repository = - Arc::new(EnclaveShieldingKeyRepository::new(shielding_key, Arc::new(Rsa3072Seal))); + let shielding_key_repository = Arc::new(get_rsa3072_repository(base_path.clone())?); GLOBAL_SHIELDING_KEY_REPOSITORY_COMPONENT.initialize(shielding_key_repository.clone()); // Create the aes key that is used for state encryption such that a key is always present in tests. 
@@ -153,12 +148,13 @@ pub(crate) fn init_enclave(mu_ra_url: String, untrusted_worker_url: String) -> E connection_registry.clone(), state_handler, ocall_api.clone(), - shielding_key_repository, + shielding_key_repository.clone(), ); GLOBAL_TOP_POOL_AUTHOR_COMPONENT.initialize(top_pool_author.clone()); let getter_executor = Arc::new(EnclaveGetterExecutor::new(state_observer)); - let io_handler = public_api_rpc_handler(top_pool_author, getter_executor); + let io_handler = + public_api_rpc_handler(top_pool_author, getter_executor, shielding_key_repository); let rpc_handler = Arc::new(RpcWsHandler::new(io_handler, watch_extractor, connection_registry)); GLOBAL_RPC_WS_HANDLER_COMPONENT.initialize(rpc_handler); diff --git a/enclave-runtime/src/lib.rs b/enclave-runtime/src/lib.rs index dbb83f5adb..c44e5d8550 100644 --- a/enclave-runtime/src/lib.rs +++ b/enclave-runtime/src/lib.rs @@ -33,7 +33,8 @@ use crate::{ error::{Error, Result}, initialization::global_components::{ GLOBAL_FULL_PARACHAIN_HANDLER_COMPONENT, GLOBAL_FULL_SOLOCHAIN_HANDLER_COMPONENT, - GLOBAL_SIDECHAIN_IMPORT_QUEUE_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_SHIELDING_KEY_REPOSITORY_COMPONENT, GLOBAL_SIDECHAIN_IMPORT_QUEUE_COMPONENT, + GLOBAL_STATE_HANDLER_COMPONENT, }, rpc::worker_api_direct::sidechain_io_handler, utils::{ @@ -50,7 +51,7 @@ use itp_component_container::ComponentGetter; use itp_node_api::metadata::NodeMetadata; use itp_nonce_cache::{MutateNonce, Nonce, GLOBAL_NONCE_CACHE}; use itp_settings::worker_mode::{ProvideWorkerMode, WorkerMode, WorkerModeProvider}; -use itp_sgx_crypto::{ed25519, Ed25519Seal, Rsa3072Seal}; +use itp_sgx_crypto::{ed25519, key_repository::AccessPubkey, Ed25519Seal}; use itp_sgx_io::StaticSealedIO; use itp_storage::StorageProof; use itp_types::{ShardIdentifier, SignedBlock}; 
@@ -119,7 +120,15 @@ pub unsafe extern "C" fn get_rsa_encryption_pubkey( pubkey: *mut u8, pubkey_size: u32, ) -> sgx_status_t { - let rsa_pubkey = match Rsa3072Seal::unseal_pubkey() { + let shielding_key_repository = match GLOBAL_SHIELDING_KEY_REPOSITORY_COMPONENT.get() { + Ok(s) => s, + Err(e) => { + error!("{:?}", e); + return sgx_status_t::SGX_ERROR_UNEXPECTED + }, + }; + + let rsa_pubkey = match shielding_key_repository.retrieve_pubkey() { Ok(key) => key, Err(e) => return e.into(), }; diff --git a/enclave-runtime/src/rpc/worker_api_direct.rs b/enclave-runtime/src/rpc/worker_api_direct.rs index 9a1624ba89..0a674e48ce 100644 --- a/enclave-runtime/src/rpc/worker_api_direct.rs +++ b/enclave-runtime/src/rpc/worker_api_direct.rs @@ -28,7 +28,7 @@ use ita_sgx_runtime::Runtime; use itc_parentchain::light_client::{concurrent_access::ValidatorAccess, ExtrinsicSender}; use itp_primitives_cache::{GetPrimitives, GLOBAL_PRIMITIVES_CACHE}; use itp_rpc::RpcReturnValue; -use itp_sgx_crypto::Rsa3072Seal; +use itp_sgx_crypto::key_repository::AccessPubkey; use itp_stf_executor::getter_executor::ExecuteGetter; use itp_top_pool_author::traits::AuthorApi; use itp_types::{DirectRequestStatus, Request, ShardIdentifier, H256}; @@ -36,6 +36,7 @@ use itp_utils::{FromHexPrefixed, ToHexPrefixed}; use its_primitives::types::block::SignedBlock; use its_sidechain::rpc_handler::{direct_top_pool_api, import_block_api}; use jsonrpc_core::{serde_json::json, IoHandler, Params, Value}; +use sgx_crypto_helper::rsa3072::Rsa3072PubKey; use sp_runtime::OpaqueExtrinsic; use std::{borrow::ToOwned, format, str, string::String, sync::Arc, vec::Vec}; 
@@ -53,10 +54,15 @@ fn get_all_rpc_methods_string(io_handler: &IoHandler) -> String { format!("methods: [{}]", method_string) } -pub fn public_api_rpc_handler(top_pool_author: Arc, getter_executor: Arc) -> IoHandler +pub fn public_api_rpc_handler( + top_pool_author: Arc, + getter_executor: Arc, + shielding_key: Arc, +) -> IoHandler where - R: AuthorApi + Send + Sync + 'static, - G: ExecuteGetter + Send + Sync + 'static, + Author: AuthorApi + Send + Sync + 'static, + GetterExecutor: ExecuteGetter + Send + Sync + 'static, + AccessShieldingKey: AccessPubkey + Send + Sync + 'static, { let io = IoHandler::new(); @@ -66,7 +72,7 @@ where // author_getShieldingKey let rsa_pubkey_name: &str = "author_getShieldingKey"; io.add_sync_method(rsa_pubkey_name, move |_: Params| { - let rsa_pubkey = match Rsa3072Seal::unseal_pubkey() { + let rsa_pubkey = match shielding_key.retrieve_pubkey() { Ok(key) => key, Err(status) => { let error_msg: String = format!("Could not get rsa pubkey due to: {}", status); diff --git a/enclave-runtime/src/test/direct_rpc_tests.rs b/enclave-runtime/src/test/direct_rpc_tests.rs index 2f2d8c54b4..a4d79eca8e 100644 --- a/enclave-runtime/src/test/direct_rpc_tests.rs +++ b/enclave-runtime/src/test/direct_rpc_tests.rs @@ -25,6 +25,8 @@ use itc_direct_rpc_server::{ }; use itc_tls_websocket_server::{ConnectionToken, WebSocketMessageHandler}; use itp_rpc::{RpcRequest, RpcReturnValue}; +use itp_sgx_crypto::get_rsa3072_repository; +use itp_sgx_temp_dir::TempDir; use itp_stf_executor::{getter_executor::GetterExecutor, mocks::GetStateMock}; use itp_stf_state_observer::mock::ObserveStateMock; use itp_top_pool_author::mocks::AuthorApiMock; 
@@ -37,15 +39,20 @@ use std::{string::ToString, sync::Arc, vec::Vec}; pub fn get_state_request_works() { type TestState = u64; + let temp_dir = TempDir::with_prefix("get_state_request_works").unwrap(); + let connection_registry = Arc::new(ConnectionRegistry::::new()); let watch_extractor = Arc::new(create_determine_watch::()); + let rsa_repository = get_rsa3072_repository(temp_dir.path().to_path_buf()).unwrap(); let state: TestState = 78234u64; let state_observer = Arc::new(ObserveStateMock::::new(state)); let getter_executor = Arc::new(GetterExecutor::<_, GetStateMock>::new(state_observer)); let top_pool_author = Arc::new(AuthorApiMock::default()); - let io_handler = public_api_rpc_handler(top_pool_author, getter_executor); + + let io_handler = + public_api_rpc_handler(top_pool_author, getter_executor, Arc::new(rsa_repository)); let rpc_handler = Arc::new(RpcWsHandler::new(io_handler, watch_extractor, connection_registry)); let getter = Getter::trusted(TrustedGetterSigned::new( diff --git a/local-setup/py/worker.py b/local-setup/py/worker.py index 132b3df9b0..3986f8a343 100644 --- a/local-setup/py/worker.py +++ b/local-setup/py/worker.py @@ -164,7 +164,7 @@ def run_in_background(self, log_file: TextIO, flags: [str] = None, subcommand_fl 'substrate_api_client=warn,' 'jsonrpsee_ws_client=warn,' 'jsonrpsee_ws_server=warn,' - 'enclave_runtime=warn,' + 'enclave_runtime=info,' 'integritee_service=warn,' 'ita_stf=debug') From 2906f8fd77f6d8eccc359f892b0e93e8532b94ef Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Tue, 23 May 2023 15:43:10 +0200 Subject: [PATCH 03/25] [itp-sgx-crypto] set-base-path to the PWD --- enclave-runtime/Cargo.lock | 1 + enclave-runtime/Cargo.toml | 1 + enclave-runtime/src/initialization/mod.rs | 13 +++++++------ enclave-runtime/src/lib.rs | 16 ++++++++++++++-- 4 files changed, 23 insertions(+), 8 deletions(-) diff --git a/enclave-runtime/Cargo.lock b/enclave-runtime/Cargo.lock index 53ec4d4b40..cbb5c81d2f 100644 
--- a/enclave-runtime/Cargo.lock +++ b/enclave-runtime/Cargo.lock @@ -722,6 +722,7 @@ dependencies = [ "lazy_static", "log", "multibase", + "once_cell 1.4.0", "parity-scale-codec", "primitive-types", "rust-base58", diff --git a/enclave-runtime/Cargo.toml b/enclave-runtime/Cargo.toml index 3faaa81fa0..acf682e215 100644 --- a/enclave-runtime/Cargo.toml +++ b/enclave-runtime/Cargo.toml @@ -75,6 +75,7 @@ jsonrpc-core = { default-features = false, git = "https://github.com/scs/jsonrpc # mesalock env_logger = { git = "https://github.com/integritee-network/env_logger-sgx" } log = { git = "https://github.com/integritee-network/log-sgx" } +once_cell = { git = "https://github.com/mesalock-linux/once_cell-sgx" } rustls = { rev = "sgx_1.1.3", features = ["dangerous_configuration"], git = "https://github.com/mesalock-linux/rustls" } serde = { tag = "sgx_1.1.3", git = "https://github.com/mesalock-linux/serde-sgx", features = ["alloc", "mesalock_sgx"] } serde_derive = { git = "https://github.com/mesalock-linux/serde-sgx" } diff --git a/enclave-runtime/src/initialization/mod.rs b/enclave-runtime/src/initialization/mod.rs index 8b4b049810..29ba4440ff 100644 --- a/enclave-runtime/src/initialization/mod.rs +++ b/enclave-runtime/src/initialization/mod.rs 
@@ -73,17 +73,18 @@ use itp_types::ShardIdentifier; use its_sidechain::block_composer::BlockComposer; use log::*; use sp_core::crypto::Pair; -use std::{collections::HashMap, string::String, sync::Arc}; - -pub(crate) fn init_enclave(mu_ra_url: String, untrusted_worker_url: String) -> EnclaveResult<()> { - // Initialize the logging environment in the enclave. - env_logger::init(); +use std::{collections::HashMap, path::PathBuf, string::String, sync::Arc}; +pub(crate) fn init_enclave( + mu_ra_url: String, + untrusted_worker_url: String, + base_dir: PathBuf, +) -> EnclaveResult<()> { ed25519::create_sealed_if_absent().map_err(Error::Crypto)?; let signer = Ed25519Seal::unseal_from_static_file().map_err(Error::Crypto)?; info!("[Enclave initialized] Ed25519 prim raw : {:?}", signer.public().0); - let shielding_key_repository = Arc::new(get_rsa3072_repository(base_path.clone())?); + let shielding_key_repository = Arc::new(get_rsa3072_repository(base_dir.clone())?); GLOBAL_SHIELDING_KEY_REPOSITORY_COMPONENT.initialize(shielding_key_repository.clone()); // Create the aes key that is used for state encryption such that a key is always present in tests. diff --git a/enclave-runtime/src/lib.rs b/enclave-runtime/src/lib.rs index c44e5d8550..a9fefa935c 100644 --- a/enclave-runtime/src/lib.rs +++ b/enclave-runtime/src/lib.rs @@ -57,9 +57,10 @@ use itp_storage::StorageProof; use itp_types::{ShardIdentifier, SignedBlock}; use itp_utils::write_slice_and_whitespace_pad; use log::*; +use once_cell::sync::OnceCell; use sgx_types::sgx_status_t; use sp_core::crypto::Pair; -use std::{boxed::Box, slice, vec::Vec}; +use std::{boxed::Box, path::PathBuf, slice, vec::Vec}; mod attestation; mod empty_impls; @@ -83,6 +84,8 @@ pub mod test; pub type Hash = sp_core::H256; pub type AuthorityPair = sp_core::ed25519::Pair; +static BASE_PATH: OnceCell = OnceCell::new(); + /// Initialize the enclave. #[no_mangle] pub unsafe extern "C" fn init( 
@@ -91,6 +94,15 @@ pub unsafe extern "C" fn init( untrusted_worker_addr: *const u8, untrusted_worker_addr_size: u32, ) -> sgx_status_t { + // Initialize the logging environment in the enclave. + env_logger::init(); + + // Todo: This will be changed to be a param of the `init` ecall: + // https://github.com/integritee-network/worker/issues/1292 + let pwd = std::env::current_dir().expect("Works on all supported platforms; qed"); + info!("Setting base_dir to pwd: {}", pwd.display()); + BASE_PATH.set(pwd.clone()).expect("We only init this once here; qed."); + let mu_ra_url = match String::decode(&mut slice::from_raw_parts(mu_ra_addr, mu_ra_addr_size as usize)) .map_err(Error::Codec) @@ -109,7 +121,7 @@ pub unsafe extern "C" fn init( Err(e) => return e.into(), }; - match initialization::init_enclave(mu_ra_url, untrusted_worker_url) { + match initialization::init_enclave(mu_ra_url, untrusted_worker_url, pwd) { Err(e) => e.into(), Ok(()) => sgx_status_t::SGX_SUCCESS, } From e9dbe6ee0ae9dffa647e53a5ad708c91748e56e5 Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Tue, 23 May 2023 15:49:01 +0200 Subject: [PATCH 04/25] [enclave-runtime] more explanation about using the PWD --- enclave-runtime/src/lib.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/enclave-runtime/src/lib.rs b/enclave-runtime/src/lib.rs index a9fefa935c..bef40a5289 100644 --- a/enclave-runtime/src/lib.rs +++ b/enclave-runtime/src/lib.rs @@ -99,6 +99,9 @@ pub unsafe extern "C" fn init( // Todo: This will be changed to be a param of the `init` ecall: // https://github.com/integritee-network/worker/issues/1292 + // + // Until the above task is finished, we just fall back to the + // static behaviour, which uses the PWD already. let pwd = std::env::current_dir().expect("Works on all supported platforms; qed"); info!("Setting base_dir to pwd: {}", pwd.display()); BASE_PATH.set(pwd.clone()).expect("We only init this once here; qed."); 
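Review bot: The two `expect` calls added at the top of `init` panic inside an `extern "C"` ecall, and `BASE_PATH.set(pwd.clone()).expect(...)` fails as soon as `init` is invoked a second time, which the untrusted host side is free to do. Both paths should return an `sgx_status_t` error, as the function already does for the decode failures further down, rather than abort the enclave. The base directory is also taken from the working directory, which is presumably under host control, so a changed PWD makes `get_rsa3072_repository` create a fresh shielding key instead of failing; that is worth stating in the comment until the ecall parameter from issue 1292 exists. `init` starts and ends outside this hunk.

```rust
// … unchanged: env_logger::init() and the Todo comment …
let pwd = match std::env::current_dir() {
    Ok(dir) => dir,
    Err(e) => {
        error!("Could not determine base_dir: {:?}", e);
        return sgx_status_t::SGX_ERROR_UNEXPECTED
    },
};
info!("Setting base_dir to pwd: {}", pwd.display());
if BASE_PATH.set(pwd.clone()).is_err() {
    error!("init ecall invoked more than once");
    return sgx_status_t::SGX_ERROR_UNEXPECTED
}
```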
From 177503d793c46f9643960fabe2bca320039a457f Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Tue, 23 May 2023 15:51:24 +0200 Subject: [PATCH 05/25] [enclave-runtime] add todo for replacing the once-cell. --- enclave-runtime/Cargo.toml | 1 + 1 file changed, 1 insertion(+) diff --git a/enclave-runtime/Cargo.toml b/enclave-runtime/Cargo.toml index acf682e215..1ace0938ea 100644 --- a/enclave-runtime/Cargo.toml +++ b/enclave-runtime/Cargo.toml @@ -75,6 +75,7 @@ jsonrpc-core = { default-features = false, git = "https://github.com/scs/jsonrpc # mesalock env_logger = { git = "https://github.com/integritee-network/env_logger-sgx" } log = { git = "https://github.com/integritee-network/log-sgx" } +# Todo: use the `once_cell` included in rusts core library once we use rust v1.70.0 once_cell = { git = "https://github.com/mesalock-linux/once_cell-sgx" } rustls = { rev = "sgx_1.1.3", features = ["dangerous_configuration"], git = "https://github.com/mesalock-linux/rustls" } serde = { tag = "sgx_1.1.3", git = "https://github.com/mesalock-linux/serde-sgx", features = ["alloc", "mesalock_sgx"] } From 564542021cafd5bd6bb36dfdefc08e9ccef14056 Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Tue, 23 May 2023 15:52:04 +0200 Subject: [PATCH 06/25] taplo fmt --- enclave-runtime/Cargo.toml | 1 - 1 file changed, 1 deletion(-) diff --git a/enclave-runtime/Cargo.toml b/enclave-runtime/Cargo.toml index 1ace0938ea..2824f0d4c8 100644 --- a/enclave-runtime/Cargo.toml +++ b/enclave-runtime/Cargo.toml @@ -140,7 +140,6 @@ sp-std = { default-features = false, git = "https://github.com/paritytech/substr # test-deps itp-sgx-temp-dir = { version = "0.1", default-features = false, optional = true, path = "../core-primitives/sgx/temp-dir" } - [patch.crates-io] env_logger = { git = "https://github.com/integritee-network/env_logger-sgx" } getrandom = { git = "https://github.com/integritee-network/getrandom-sgx", branch = "update-v2.3" } 
From 0c1d6b9b1b0736c415e4388f5cbc7d667bca73bc Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Tue, 23 May 2023 16:33:37 +0200 Subject: [PATCH 07/25] add some doc --- core-primitives/sgx/crypto/src/rsa3072.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/core-primitives/sgx/crypto/src/rsa3072.rs b/core-primitives/sgx/crypto/src/rsa3072.rs index b4ce7c2a3e..26aacac001 100644 --- a/core-primitives/sgx/crypto/src/rsa3072.rs +++ b/core-primitives/sgx/crypto/src/rsa3072.rs @@ -95,6 +95,8 @@ pub mod sgx { use log::*; use std::{path::PathBuf, sgxfs::SgxFile}; + /// Gets an key repository for an Rsa3072 keypair and initializes + /// a fresh key pair if it doesn't exist at `path`. pub fn get_rsa3072_repository( path: PathBuf, ) -> Result> { From 8ea4fff5315e73b30c4bdd2903fb52cbe093e30a Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Tue, 23 May 2023 16:38:13 +0200 Subject: [PATCH 08/25] typo --- core-primitives/sgx/crypto/src/rsa3072.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core-primitives/sgx/crypto/src/rsa3072.rs b/core-primitives/sgx/crypto/src/rsa3072.rs index 26aacac001..b5392e4839 100644 --- a/core-primitives/sgx/crypto/src/rsa3072.rs +++ b/core-primitives/sgx/crypto/src/rsa3072.rs @@ -95,7 +95,7 @@ pub mod sgx { use log::*; use std::{path::PathBuf, sgxfs::SgxFile}; - /// Gets an key repository for an Rsa3072 keypair and initializes + /// Gets a repository for an Rsa3072 keypair and initializes /// a fresh key pair if it doesn't exist at `path`. pub fn get_rsa3072_repository( path: PathBuf, From 7a381e452ee8d45ae141b9f3c8c01d5abd2b0b41 Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Wed, 24 May 2023 08:16:47 +0200 Subject: [PATCH 09/25] [sgx-crypto] log full path instead of just filename. --- core-primitives/sgx/crypto/src/rsa3072.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/core-primitives/sgx/crypto/src/rsa3072.rs b/core-primitives/sgx/crypto/src/rsa3072.rs index b5392e4839..9e9ffa8f5f 100644 --- a/core-primitives/sgx/crypto/src/rsa3072.rs +++ b/core-primitives/sgx/crypto/src/rsa3072.rs @@ -136,7 +136,7 @@ pub mod sgx { fn create_sealed_if_absent(&self) -> Result<()> { if !self.exists() { - info!("Keyfile not found, creating new! {}", RSA3072_SEALED_KEY_FILE); + info!("Keyfile not found, creating new! {}", self.path().display()); return self.create_sealed() } Ok(()) From 33faf7d5795bcc23d22b6dab5bf9179f241d5ea9 Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Wed, 24 May 2023 08:25:30 +0200 Subject: [PATCH 10/25] [itp-sgx-io] fix standalone compilation --- core-primitives/sgx/io/Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core-primitives/sgx/io/Cargo.toml b/core-primitives/sgx/io/Cargo.toml index 57f64ec054..2f18915854 100644 --- a/core-primitives/sgx/io/Cargo.toml +++ b/core-primitives/sgx/io/Cargo.toml @@ -8,7 +8,7 @@ edition = "2021" [dependencies] # sgx deps -sgx_tstd = { branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git", optional = true } +sgx_tstd = { optional = true, features = ["untrusted_fs"], branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git" } [features] default = ["std"] From 19b873e4119e13a5ed37932a2dda85a6b8646f60 Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Wed, 24 May 2023 08:32:38 +0200 Subject: [PATCH 11/25] [itp-sgx-crypto] put some functions behind a trait. --- core-primitives/sgx/crypto/src/ed25519.rs | 114 ++++++++++++++-------- 1 file changed, 74 insertions(+), 40 deletions(-) diff --git a/core-primitives/sgx/crypto/src/ed25519.rs b/core-primitives/sgx/crypto/src/ed25519.rs index 07082d38ce..6df5101897 100644 --- a/core-primitives/sgx/crypto/src/ed25519.rs +++ b/core-primitives/sgx/crypto/src/ed25519.rs 
@@ -15,42 +15,92 @@ */ -use derive_more::Display; - -#[derive(Copy, Clone, Debug, Display)] -pub struct Ed25519Seal; +use crate::error::Result; +use sp_core::ed25519; #[cfg(feature = "sgx")] pub use sgx::*; +pub trait Ed25519Sealing { + fn unseal_pubkey(&self) -> Result; + + fn unseal_pair(&self) -> Result; + + fn exists(&self) -> bool; + + fn create_sealed_if_absent(&self) -> Result<()>; + + fn create_sealed(&self) -> Result<()>; +} + #[cfg(feature = "sgx")] pub mod sgx { - - use super::*; - use crate::error::{Error, Result}; + use crate::{ + error::{Error, Result}, + key_repository::KeyRepository, + Ed25519Sealing, + }; use codec::Encode; use itp_settings::files::SEALED_SIGNER_SEED_FILE; - use itp_sgx_io::{seal, unseal, SealedIO, StaticSealedIO}; + use itp_sgx_io::{seal, unseal, SealedIO}; use log::*; use sgx_rand::{Rng, StdRng}; use sp_core::{crypto::Pair, ed25519}; - use std::{path::Path, sgxfs::SgxFile}; + use std::{path::PathBuf, sgxfs::SgxFile}; + + /// Gets a repository for an Ed25519 keypair and initializes + /// a fresh key pair if it doesn't exist at `path`. 
+ pub fn get_ed25519_repository( + path: PathBuf, + ) -> Result> { + let ed25519_seal = Ed25519Seal::new(path); + ed25519_seal.create_sealed_if_absent()?; + let signing_pair = ed25519_seal.unseal_pair()?; + Ok(KeyRepository::new(signing_pair, ed25519_seal.into())) + } - impl StaticSealedIO for Ed25519Seal { - type Error = Error; - type Unsealed = ed25519::Pair; + #[derive(Clone, Debug)] + pub struct Ed25519Seal { + base_path: PathBuf, + } - fn unseal_from_static_file() -> Result { - let raw = unseal(SEALED_SIGNER_SEED_FILE)?; + impl Ed25519Seal { + pub fn new(base_path: PathBuf) -> Self { + Self { base_path } + } - let key = ed25519::Pair::from_seed_slice(&raw) - .map_err(|e| Error::Other(format!("{:?}", e).into()))?; + pub fn path(&self) -> PathBuf { + self.base_path.join(SEALED_SIGNER_SEED_FILE) + } + } - Ok(key.into()) + impl Ed25519Sealing for Ed25519Seal { + fn unseal_pubkey(&self) -> Result { + self.unseal().map(Into::into) } - fn seal_to_static_file(unsealed: &Self::Unsealed) -> Result<()> { - Ok(unsealed.seed().using_encoded(|bytes| seal(bytes, SEALED_SIGNER_SEED_FILE))?) + fn unseal_pair(&self) -> Result { + self.unseal() + } + + fn exists(&self) -> bool { + SgxFile::open(self.path()).is_ok() + } + + fn create_sealed_if_absent(&self) -> Result<()> { + if !self.exists() { + info!("Keyfile not found, creating new! {}", self.path().display()); + return self.create_sealed() + } + Ok(()) + } + + fn create_sealed(&self) -> Result<()> { + let mut seed = [0u8; 32]; + let mut rand = StdRng::new()?; + rand.fill_bytes(&mut seed); + + Ok(seal(&seed, self.path())?) } } 
@@ -59,30 +109,14 @@ pub mod sgx { type Unsealed = ed25519::Pair; fn unseal(&self) -> Result { - Self::unseal_from_static_file() - } + let raw = unseal(self.path())?; - fn seal(&self, unsealed: &Self::Unsealed) -> Result<()> { - Self::seal_to_static_file(unsealed) + ed25519::Pair::from_seed_slice(&raw) + .map_err(|e| Error::Other(format!("{:?}", e).into())) } - } - pub fn create_sealed_if_absent() -> Result<()> { - if SgxFile::open(SEALED_SIGNER_SEED_FILE).is_err() { - if Path::new(SEALED_SIGNER_SEED_FILE).exists() { - panic!("[Enclave] Keyfile {} exists but can't be opened. has it been written by the same enclave?", SEALED_SIGNER_SEED_FILE); - } - info!("[Enclave] Keyfile not found, creating new! {}", SEALED_SIGNER_SEED_FILE); - return create_sealed_seed() + fn seal(&self, unsealed: &Self::Unsealed) -> Result<()> { + Ok(unsealed.seed().using_encoded(|bytes| seal(bytes, self.path()))?) } - Ok(()) - } - - pub fn create_sealed_seed() -> Result<()> { - let mut seed = [0u8; 32]; - let mut rand = StdRng::new()?; - rand.fill_bytes(&mut seed); - - Ok(seal(&seed, SEALED_SIGNER_SEED_FILE)?) } } From b5c5284770f619bce61940990d4f6ec405c5a865 Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Wed, 24 May 2023 09:05:06 +0200 Subject: [PATCH 12/25] [enclave-runtime/attestation_handler] add signing key repo to struct --- .../src/attestation_handler.rs | 29 +++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/core-primitives/attestation-handler/src/attestation_handler.rs b/core-primitives/attestation-handler/src/attestation_handler.rs index 9e5cde04d3..8b8401951d 100644 --- a/core-primitives/attestation-handler/src/attestation_handler.rs +++ b/core-primitives/attestation-handler/src/attestation_handler.rs 
@@ -39,9 +39,8 @@ use itp_settings::{ files::{RA_API_KEY_FILE, RA_DUMP_CERT_DER_FILE, RA_SPID_FILE}, worker::MR_ENCLAVE_SIZE, }; -use itp_sgx_crypto::Ed25519Seal; +use itp_sgx_crypto::key_repository::AccessKey; use itp_sgx_io as io; -use itp_sgx_io::StaticSealedIO; use itp_time_utils::now_as_secs; use log::*; use sgx_rand::{os, Rng}; @@ -51,7 +50,7 @@ use sgx_types::{ c_int, sgx_epid_group_id_t, sgx_quote_nonce_t, sgx_quote_sign_type_t, sgx_report_data_t, sgx_spid_t, sgx_status_t, sgx_target_info_t, SgxResult, *, }; -use sp_core::Pair; +use sp_core::{ed25519, Pair}; use std::{ borrow::ToOwned, env, format, @@ -115,13 +114,16 @@ pub trait AttestationHandler { ) -> EnclaveResult<(Vec, Vec)>; } -pub struct IntelAttestationHandler { +pub struct IntelAttestationHandler { pub(crate) ocall_api: Arc, + pub(crate) signing_key_repo: Arc, } -impl AttestationHandler for IntelAttestationHandler +impl AttestationHandler + for IntelAttestationHandler where OCallApi: EnclaveAttestationOCallApi, + AccessSigningKey: AccessKey, { fn generate_ias_ra_cert(&self, skip_ra: bool) -> EnclaveResult> { // Our certificate is unlinkable. @@ -195,7 +197,7 @@ where sign_type: sgx_quote_sign_type_t, skip_ra: bool, ) -> EnclaveResult<(Vec, Vec)> { - let chain_signer = Ed25519Seal::unseal_from_static_file()?; + let chain_signer = self.signing_key_repo.retrieve_key()?; info!("[Enclave Attestation] Ed25519 pub raw : {:?}", chain_signer.public().0); info!(" [Enclave] Generate keypair"); @@ -249,7 +251,7 @@ where quote_size: u32, skip_ra: bool, ) -> EnclaveResult<(Vec, Vec)> { - let chain_signer = Ed25519Seal::unseal_from_static_file()?; + let chain_signer = self.signing_key_repo.retrieve_key()?; info!("[Enclave Attestation] Ed25519 signer pub key: {:?}", chain_signer.public().0); let ecc_handle = SgxEccHandle::new(); 
@@ -291,14 +293,17 @@ where } } -impl IntelAttestationHandler +impl IntelAttestationHandler { + pub fn new(ocall_api: Arc, signing_key_repo: Arc) -> Self { + Self { ocall_api, signing_key_repo } + } +} + +impl IntelAttestationHandler where OCallApi: EnclaveAttestationOCallApi, + AccessSigningKey: AccessKey, { - pub fn new(ocall_api: Arc) -> Self { - Self { ocall_api } - } - fn parse_response_attn_report(&self, resp: &[u8]) -> EnclaveResult<(String, String, String)> { debug!(" [Enclave] Entering parse_response_attn_report"); let mut headers = [httparse::EMPTY_HEADER; 16]; From 6a716198d436c36ad49269b5942f557ae1812bfd Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Wed, 24 May 2023 09:05:38 +0200 Subject: [PATCH 13/25] [itp-sgx-crypto] impl `ToPubkey` for `ed25511::Pair` --- core-primitives/sgx/crypto/src/ed25519.rs | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/core-primitives/sgx/crypto/src/ed25519.rs b/core-primitives/sgx/crypto/src/ed25519.rs index 6df5101897..ac172b1cc8 100644 --- a/core-primitives/sgx/crypto/src/ed25519.rs +++ b/core-primitives/sgx/crypto/src/ed25519.rs @@ -15,7 +15,10 @@ */ -use crate::error::Result; +use crate::{ + error::{Error, Result}, + ToPubkey, +}; use sp_core::ed25519; #[cfg(feature = "sgx")] @@ -33,6 +36,15 @@ pub trait Ed25519Sealing { fn create_sealed(&self) -> Result<()>; } +impl ToPubkey for ed25519::Pair { + type Error = Error; + type Pubkey = ed25519::Public; + + fn pubkey(&self) -> Result { + Ok(self.clone().into()) + } +} + #[cfg(feature = "sgx")] pub mod sgx { use crate::{ From cc0be6ee30018e48e4672312b2cb780b117eb094 Mon Sep 17 00:00:00 2001 
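Review bot: In the `ToPubkey` impl for `ed25519::Pair`, `pubkey()` obtains the public key with `self.clone().into()`, which makes a second copy of the whole key pair, secret half included, only to discard it. The call sites in this series already use `public()` from `sp_core::Pair` (`signer.public()`, `chain_signer.public()`), so `Ok(self.public())` with `use sp_core::Pair;` added to the imports should give the same value without duplicating the secret in enclave memory. Whether the dropped clone is wiped is not visible here, so avoiding the copy is the safer default. A `///` line on the impl saying that this conversion cannot fail would also explain why the `Result` is always `Ok`.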
From: Christian Langenbacher Date: Wed, 24 May 2023 09:26:58 +0200 Subject: [PATCH 14/25] introduce `SigningKeyRepository` and remove all instances of `StaticFile` IO. --- .../src/initialization/global_components.rs | 13 ++++++--- enclave-runtime/src/initialization/mod.rs | 27 ++++++++++--------- .../src/initialization/parentchain/common.rs | 9 +++---- enclave-runtime/src/lib.rs | 25 +++++++++-------- enclave-runtime/src/top_pool_execution.rs | 9 +++---- 5 files changed, 47 insertions(+), 36 deletions(-) diff --git a/enclave-runtime/src/initialization/global_components.rs b/enclave-runtime/src/initialization/global_components.rs index 544aee95a6..e4197a43ba 100644 --- a/enclave-runtime/src/initialization/global_components.rs +++ b/enclave-runtime/src/initialization/global_components.rs @@ -62,7 +62,7 @@ use itp_node_api::{ metadata::{provider::NodeMetadataRepository, NodeMetadata}, }; use itp_nonce_cache::NonceCache; -use itp_sgx_crypto::{key_repository::KeyRepository, Aes, AesSeal, Rsa3072Seal}; +use itp_sgx_crypto::{key_repository::KeyRepository, Aes, AesSeal, Ed25519Seal, Rsa3072Seal}; use itp_stf_executor::{ enclave_signer::StfEnclaveSigner, executor::StfExecutor, getter_executor::GetterExecutor, state_getter::StfStateGetter, @@ -90,7 +90,7 @@ use its_sidechain::{ }; use sgx_crypto_helper::rsa3072::Rsa3072KeyPair; use sgx_tstd::vec::Vec; -use sp_core::ed25519::Pair; +use sp_core::{ed25519, ed25519::Pair}; pub type EnclaveParentchainSigner = itp_node_api::api_client::StaticExtrinsicSigner; @@ -100,6 +100,7 @@ pub type EnclaveTrustedCallSigned = TrustedCallSigned; pub type EnclaveStf = Stf; pub type EnclaveStateKeyRepository = KeyRepository; pub type EnclaveShieldingKeyRepository = KeyRepository; +pub type EnclaveSigningKeyRepository = KeyRepository; pub type EnclaveStateFileIo = SgxStateFileIo; pub type EnclaveStateSnapshotRepository = StateSnapshotRepository; pub type EnclaveStateObserver = StateObserver; 
@@ -119,7 +120,8 @@ pub type EnclaveStfEnclaveSigner = StfEnclaveSigner< EnclaveStf, EnclaveTopPoolAuthor, >; -pub type EnclaveAttestationHandler = IntelAttestationHandler; +pub type EnclaveAttestationHandler = + IntelAttestationHandler; pub type EnclaveRpcConnectionRegistry = ConnectionRegistry; pub type EnclaveRpcWsHandler = @@ -237,6 +239,11 @@ pub static GLOBAL_SHIELDING_KEY_REPOSITORY_COMPONENT: ComponentContainer< EnclaveShieldingKeyRepository, > = ComponentContainer::new("Shielding key repository"); +/// Signing key repository +pub static GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT: ComponentContainer< + EnclaveSigningKeyRepository, +> = ComponentContainer::new("Signing key repository"); + /// O-Call API pub static GLOBAL_OCALL_API_COMPONENT: ComponentContainer = ComponentContainer::new("O-call API"); diff --git a/enclave-runtime/src/initialization/mod.rs b/enclave-runtime/src/initialization/mod.rs index 29ba4440ff..239d78a982 100644 --- a/enclave-runtime/src/initialization/mod.rs +++ b/enclave-runtime/src/initialization/mod.rs @@ -32,9 +32,9 @@ use crate::{ GLOBAL_RPC_WS_HANDLER_COMPONENT, GLOBAL_SHIELDING_KEY_REPOSITORY_COMPONENT, GLOBAL_SIDECHAIN_BLOCK_COMPOSER_COMPONENT, GLOBAL_SIDECHAIN_BLOCK_SYNCER_COMPONENT, GLOBAL_SIDECHAIN_IMPORT_QUEUE_COMPONENT, GLOBAL_SIDECHAIN_IMPORT_QUEUE_WORKER_COMPONENT, - GLOBAL_STATE_HANDLER_COMPONENT, GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, - GLOBAL_STATE_OBSERVER_COMPONENT, GLOBAL_TOP_POOL_AUTHOR_COMPONENT, - GLOBAL_WEB_SOCKET_SERVER_COMPONENT, + GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_KEY_REPOSITORY_COMPONENT, GLOBAL_STATE_OBSERVER_COMPONENT, + GLOBAL_TOP_POOL_AUTHOR_COMPONENT, GLOBAL_WEB_SOCKET_SERVER_COMPONENT, }, ocall::OcallApi, rpc::{rpc_response_channel::RpcResponseChannel, worker_api_direct::public_api_rpc_handler}, 
@@ -60,7 +60,9 @@ use itp_attestation_handler::IntelAttestationHandler; use itp_component_container::{ComponentGetter, ComponentInitializer}; use itp_primitives_cache::GLOBAL_PRIMITIVES_CACHE; use itp_settings::files::STATE_SNAPSHOTS_CACHE_SIZE; -use itp_sgx_crypto::{aes, ed25519, get_rsa3072_repository, AesSeal, Ed25519Seal}; +use itp_sgx_crypto::{ + aes, get_ed25519_repository, get_rsa3072_repository, key_repository::AccessKey, AesSeal, +}; use itp_sgx_io::StaticSealedIO; use itp_stf_state_handler::{ handle_state::HandleState, query_shard_state::QueryShardState, @@ -80,8 +82,9 @@ pub(crate) fn init_enclave( untrusted_worker_url: String, base_dir: PathBuf, ) -> EnclaveResult<()> { - ed25519::create_sealed_if_absent().map_err(Error::Crypto)?; - let signer = Ed25519Seal::unseal_from_static_file().map_err(Error::Crypto)?; + let signing_key_repository = Arc::new(get_ed25519_repository(base_dir.clone())?); + GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT.initialize(signing_key_repository.clone()); + let signer = signing_key_repository.retrieve_key()?; info!("[Enclave initialized] Ed25519 prim raw : {:?}", signer.public().0); let shielding_key_repository = Arc::new(get_rsa3072_repository(base_dir.clone())?); @@ -162,7 +165,8 @@ pub(crate) fn init_enclave( let sidechain_block_import_queue = Arc::new(EnclaveSidechainBlockImportQueue::default()); GLOBAL_SIDECHAIN_IMPORT_QUEUE_COMPONENT.initialize(sidechain_block_import_queue); - let attestation_handler = Arc::new(IntelAttestationHandler::new(ocall_api)); + let attestation_handler = + Arc::new(IntelAttestationHandler::new(ocall_api, signing_key_repository)); GLOBAL_ATTESTATION_HANDLER_COMPONENT.initialize(attestation_handler); Ok(()) 
@@ -187,12 +191,11 @@ pub(crate) fn init_enclave_sidechain_components() -> EnclaveResult<()> { let state_handler = GLOBAL_STATE_HANDLER_COMPONENT.get()?; let ocall_api = GLOBAL_OCALL_API_COMPONENT.get()?; let top_pool_author = GLOBAL_TOP_POOL_AUTHOR_COMPONENT.get()?; + let state_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; let parentchain_block_import_dispatcher = get_triggered_dispatcher_from_solo_or_parachain()?; - let state_key_repository = GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.get()?; - - let signer = Ed25519Seal::unseal_from_static_file()?; + let signer = GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT.get()?.retrieve_key()?; let sidechain_block_importer = Arc::new(EnclaveSidechainBlockImporter::new( state_handler, @@ -236,10 +239,10 @@ pub(crate) fn init_enclave_sidechain_components() -> EnclaveResult<()> { pub(crate) fn init_direct_invocation_server(server_addr: String) -> EnclaveResult<()> { let rpc_handler = GLOBAL_RPC_WS_HANDLER_COMPONENT.get()?; - let signing = Ed25519Seal::unseal_from_static_file()?; + let signer = GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT.get()?.retrieve_key()?; let cert = - ed25519_self_signed_certificate(signing, "Enclave").map_err(|e| Error::Other(e.into()))?; + ed25519_self_signed_certificate(signer, "Enclave").map_err(|e| Error::Other(e.into()))?; // Serialize certificate(s) and private key to PEM. // PEM format is needed as a certificate chain can only be serialized into PEM. diff --git a/enclave-runtime/src/initialization/parentchain/common.rs b/enclave-runtime/src/initialization/parentchain/common.rs index d3c0c20182..91ce1a12b4 100644 --- a/enclave-runtime/src/initialization/parentchain/common.rs +++ b/enclave-runtime/src/initialization/parentchain/common.rs 
@@ -26,16 +26,15 @@ use crate::{ EnclaveParentchainEventImportQueue, EnclaveParentchainSigner, EnclaveStfExecutor, EnclaveTriggeredParentchainBlockImportDispatcher, EnclaveValidatorAccessor, GLOBAL_OCALL_API_COMPONENT, GLOBAL_SHIELDING_KEY_REPOSITORY_COMPONENT, - GLOBAL_STATE_HANDLER_COMPONENT, GLOBAL_STATE_OBSERVER_COMPONENT, - GLOBAL_TOP_POOL_AUTHOR_COMPONENT, + GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_STATE_OBSERVER_COMPONENT, GLOBAL_TOP_POOL_AUTHOR_COMPONENT, }, EnclaveStfEnclaveSigner, }, }; use itp_component_container::ComponentGetter; use itp_nonce_cache::GLOBAL_NONCE_CACHE; -use itp_sgx_crypto::Ed25519Seal; -use itp_sgx_io::StaticSealedIO; +use itp_sgx_crypto::key_repository::AccessKey; use log::*; use sp_core::H256; use std::sync::Arc; @@ -75,7 +74,7 @@ pub(crate) fn create_extrinsics_factory( genesis_hash: H256, node_metadata_repository: Arc, ) -> Result> { - let signer = Ed25519Seal::unseal_from_static_file()?; + let signer = GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT.get()?.retrieve_key()?; Ok(Arc::new(EnclaveExtrinsicsFactory::new( genesis_hash, diff --git a/enclave-runtime/src/lib.rs b/enclave-runtime/src/lib.rs index 236e632ddb..bdd3ecee96 100644 --- a/enclave-runtime/src/lib.rs +++ b/enclave-runtime/src/lib.rs @@ -34,7 +34,7 @@ use crate::{ initialization::global_components::{ GLOBAL_FULL_PARACHAIN_HANDLER_COMPONENT, GLOBAL_FULL_SOLOCHAIN_HANDLER_COMPONENT, GLOBAL_SHIELDING_KEY_REPOSITORY_COMPONENT, GLOBAL_SIDECHAIN_IMPORT_QUEUE_COMPONENT, - GLOBAL_STATE_HANDLER_COMPONENT, + GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, }, rpc::worker_api_direct::sidechain_io_handler, utils::{ 
@@ -51,15 +51,13 @@ use itp_import_queue::PushToQueue; use itp_node_api::metadata::NodeMetadata; use itp_nonce_cache::{MutateNonce, Nonce, GLOBAL_NONCE_CACHE}; use itp_settings::worker_mode::{ProvideWorkerMode, WorkerMode, WorkerModeProvider}; -use itp_sgx_crypto::{ed25519, key_repository::AccessPubkey, Ed25519Seal}; -use itp_sgx_io::StaticSealedIO; +use itp_sgx_crypto::key_repository::AccessPubkey; use itp_storage::{StorageProof, StorageProofChecker}; use itp_types::{ShardIdentifier, SignedBlock}; use itp_utils::write_slice_and_whitespace_pad; use log::*; use once_cell::sync::OnceCell; use sgx_types::sgx_status_t; -use sp_core::crypto::Pair; use sp_runtime::traits::BlakeTwo256; use std::{boxed::Box, path::PathBuf, slice, vec::Vec}; @@ -170,18 +168,23 @@ pub unsafe extern "C" fn get_rsa_encryption_pubkey( #[no_mangle] pub unsafe extern "C" fn get_ecc_signing_pubkey(pubkey: *mut u8, pubkey_size: u32) -> sgx_status_t { - if let Err(e) = ed25519::create_sealed_if_absent().map_err(Error::Crypto) { - return e.into() - } + let signing_key_repository = match GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT.get() { + Ok(s) => s, + Err(e) => { + error!("{:?}", e); + return sgx_status_t::SGX_ERROR_UNEXPECTED + }, + }; - let signer = match Ed25519Seal::unseal_from_static_file().map_err(Error::Crypto) { - Ok(pair) => pair, + let signer_public = match signing_key_repository.retrieve_pubkey() { + Ok(s) => s, Err(e) => return e.into(), }; - debug!("Restored ECC pubkey: {:?}", signer.public()); + + debug!("Restored ECC pubkey: {:?}", signer_public); let pubkey_slice = slice::from_raw_parts_mut(pubkey, pubkey_size as usize); - pubkey_slice.clone_from_slice(&signer.public()); + pubkey_slice.clone_from_slice(&signer_public); sgx_status_t::SGX_SUCCESS } diff --git a/enclave-runtime/src/top_pool_execution.rs b/enclave-runtime/src/top_pool_execution.rs index 1dec62ad5b..b276513ff9 100644 --- a/enclave-runtime/src/top_pool_execution.rs +++ b/enclave-runtime/src/top_pool_execution.rs 
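Review bot: `get_ecc_signing_pubkey` still copies with `pubkey_slice.clone_from_slice(&signer_public)` into a slice built from the caller-supplied `pubkey` and `pubkey_size`, and `clone_from_slice` panics when the two lengths differ. Because this is an `extern "C"` entry point, a wrong `pubkey_size` would surface as a panic at the enclave boundary rather than an error status, and a null `pubkey` is not rejected before `slice::from_raw_parts_mut`. A guard ahead of the slice construction would cover both: `if pubkey.is_null() || pubkey_size as usize != signer_public.len() { return sgx_status_t::SGX_ERROR_INVALID_PARAMETER }`. The generated edge routines may already validate the pointer, which is not visible in this hunk. The function also no longer creates the key when it is absent, so a doc comment stating that `init_enclave` must have populated `GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT` first would help callers.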
@@ -19,8 +19,8 @@ use crate::{ error::Result, initialization::global_components::{ GLOBAL_OCALL_API_COMPONENT, GLOBAL_SIDECHAIN_BLOCK_COMPOSER_COMPONENT, - GLOBAL_SIDECHAIN_IMPORT_QUEUE_WORKER_COMPONENT, GLOBAL_STATE_HANDLER_COMPONENT, - GLOBAL_TOP_POOL_AUTHOR_COMPONENT, + GLOBAL_SIDECHAIN_IMPORT_QUEUE_WORKER_COMPONENT, GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT, + GLOBAL_STATE_HANDLER_COMPONENT, GLOBAL_TOP_POOL_AUTHOR_COMPONENT, }, sync::{EnclaveLock, EnclaveStateRWLock}, utils::{ @@ -41,8 +41,7 @@ use itp_component_container::ComponentGetter; use itp_extrinsics_factory::CreateExtrinsics; use itp_ocall_api::{EnclaveOnChainOCallApi, EnclaveSidechainOCallApi}; use itp_settings::sidechain::SLOT_DURATION; -use itp_sgx_crypto::Ed25519Seal; -use itp_sgx_io::StaticSealedIO; +use itp_sgx_crypto::key_repository::AccessKey; use itp_stf_state_handler::query_shard_state::QueryShardState; use itp_time_utils::duration_now; use itp_types::{Block, OpaqueCall, H256}; @@ -130,7 +129,7 @@ fn execute_top_pool_trusted_calls_internal() -> Result<()> { let ocall_api = GLOBAL_OCALL_API_COMPONENT.get()?; - let authority = Ed25519Seal::unseal_from_static_file()?; + let authority = GLOBAL_SIGNING_KEY_REPOSITORY_COMPONENT.get()?.retrieve_key()?; match yield_next_slot( slot_beginning_timestamp, From f73b880cc979d8f86d9abe847a63f31321f344f1 Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Wed, 24 May 2023 11:50:44 +0200 Subject: [PATCH 15/25] [itp-sgx-crypto] add base path to AESSeal --- core-primitives/sgx/crypto/src/aes.rs | 100 ++++++++++++++-------- enclave-runtime/src/initialization/mod.rs | 15 ++-- 2 files changed, 70 insertions(+), 45 deletions(-) diff --git a/core-primitives/sgx/crypto/src/aes.rs b/core-primitives/sgx/crypto/src/aes.rs index d63bed35a2..d2bf3ceeb8 100644 --- a/core-primitives/sgx/crypto/src/aes.rs +++ b/core-primitives/sgx/crypto/src/aes.rs 
@@ -21,12 +21,15 @@ use crate::{ }; use aes::Aes128; use codec::{Decode, Encode}; -use derive_more::Display; +use itp_settings::files::AES_KEY_FILE_AND_INIT_V; use ofb::{ cipher::{NewStreamCipher, SyncStreamCipher}, Ofb, }; -use std::convert::{TryFrom, TryInto}; +use std::{ + convert::{TryFrom, TryInto}, + path::PathBuf, +}; type AesOfb = Ofb; @@ -42,8 +45,20 @@ impl Aes { } } -#[derive(Copy, Clone, Debug, Display)] -pub struct AesSeal; +#[derive(Clone, Debug)] +pub struct AesSeal { + base_path: PathBuf, +} + +impl AesSeal { + pub fn new(base_path: PathBuf) -> Self { + Self { base_path } + } + + pub fn path(&self) -> PathBuf { + self.base_path.join(AES_KEY_FILE_AND_INIT_V) + } +} impl StateCrypto for Aes { type Error = Error; 
@@ -70,29 +85,63 @@ pub fn de_or_encrypt(aes: &Aes, data: &mut [u8]) -> Result<()> { aes.try_into().map(|mut ofb: AesOfb| ofb.apply_keystream(data)) } +pub trait AesSealing { + fn unseal_key(&self) -> Result; + + fn exists(&self) -> bool; + + fn create_sealed_if_absent(&self) -> Result<()>; + + fn create_sealed(&self) -> Result<()>; +} + #[cfg(feature = "sgx")] pub use sgx::*; #[cfg(feature = "sgx")] pub mod sgx { - use super::*; - use itp_settings::files::AES_KEY_FILE_AND_INIT_V; - use itp_sgx_io::{seal, unseal, SealedIO, StaticSealedIO}; + use crate::key_repository::KeyRepository; + use itp_sgx_io::{seal, unseal, SealedIO}; use log::info; use sgx_rand::{Rng, StdRng}; use std::sgxfs::SgxFile; - impl StaticSealedIO for AesSeal { - type Error = Error; - type Unsealed = Aes; + /// Gets a repository for an AES key and initializes + /// a fresh key if it doesn't exist at `path`. + pub fn get_aes_repository(path: PathBuf) -> Result> { + let aes_seal = AesSeal::new(path); + aes_seal.create_sealed_if_absent()?; + let aes_key = aes_seal.unseal_key()?; + Ok(KeyRepository::new(aes_key, aes_seal.into())) + } + + impl AesSealing for AesSeal { + fn unseal_key(&self) -> Result { + self.unseal() + } - fn unseal_from_static_file() -> Result { - Ok(unseal(AES_KEY_FILE_AND_INIT_V).map(|b| Decode::decode(&mut b.as_slice()))??) + fn exists(&self) -> bool { + SgxFile::open(self.path()).is_ok() } - fn seal_to_static_file(unsealed: &Self::Unsealed) -> Result<()> { - Ok(unsealed.using_encoded(|bytes| seal(bytes, AES_KEY_FILE_AND_INIT_V))?) + fn create_sealed_if_absent(&self) -> Result<()> { + if !self.exists() { + info!("Keyfile not found, creating new! {}", self.path().display()); + return self.create_sealed() + } + Ok(()) + } + + fn create_sealed(&self) -> Result<()> { + let mut key = [0u8; 16]; + let mut iv = [0u8; 16]; + let mut rand = StdRng::new()?; + + rand.fill_bytes(&mut key); + rand.fill_bytes(&mut iv); + + Ok(self.seal(&Aes::new(key, iv))?) } } 
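Review bot: `create_sealed` generates one `key` and one `iv` and seals them together as `Aes::new(key, iv)`, so every later `de_or_encrypt` call with that `Aes` starts OFB from the same IV and produces the same keystream. If more than one state blob is encrypted under the sealed value (the callers are not visible in this hunk, but the repository hands the same `Aes` to each of them), the XOR of two ciphertexts equals the XOR of their plaintexts, and OFB on its own gives no integrity check on the stored state. Moving the file handling into `AesSeal` is a good moment to at least document this on `create_sealed`, e.g. `/// The IV is generated once and sealed with the key; it is reused for every encryption.`, and to track a follow-up that uses a fresh IV per write or an authenticated mode. The `sgx` module continues beyond this hunk.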
@@ -101,30 +150,11 @@ pub mod sgx { type Unsealed = Aes; fn unseal(&self) -> Result { - Self::unseal_from_static_file() + Ok(unseal(self.path()).map(|b| Decode::decode(&mut b.as_slice()))??) } fn seal(&self, unsealed: &Self::Unsealed) -> Result<()> { - Self::seal_to_static_file(&unsealed) + Ok(unsealed.using_encoded(|bytes| seal(bytes, self.path()))?) } } - - pub fn create_sealed_if_absent() -> Result<()> { - if SgxFile::open(AES_KEY_FILE_AND_INIT_V).is_err() { - info!("[Enclave] Keyfile not found, creating new! {}", AES_KEY_FILE_AND_INIT_V); - return create_sealed() - } - Ok(()) - } - - pub fn create_sealed() -> Result<()> { - let mut key = [0u8; 16]; - let mut iv = [0u8; 16]; - - let mut rand = StdRng::new()?; - - rand.fill_bytes(&mut key); - rand.fill_bytes(&mut iv); - AesSeal::seal_to_static_file(&Aes::new(key, iv)) - } } diff --git a/enclave-runtime/src/initialization/mod.rs b/enclave-runtime/src/initialization/mod.rs index 239d78a982..aa10dbabd2 100644 --- a/enclave-runtime/src/initialization/mod.rs +++ b/enclave-runtime/src/initialization/mod.rs @@ -26,9 +26,9 @@ use crate::{ EnclaveSidechainApi, EnclaveSidechainBlockImportQueue, EnclaveSidechainBlockImportQueueWorker, EnclaveSidechainBlockImporter, EnclaveSidechainBlockSyncer, EnclaveStateFileIo, EnclaveStateHandler, - EnclaveStateInitializer, EnclaveStateKeyRepository, EnclaveStateObserver, - EnclaveStateSnapshotRepository, EnclaveStfEnclaveSigner, EnclaveTopPool, - EnclaveTopPoolAuthor, GLOBAL_ATTESTATION_HANDLER_COMPONENT, GLOBAL_OCALL_API_COMPONENT, + EnclaveStateInitializer, EnclaveStateObserver, EnclaveStateSnapshotRepository, + EnclaveStfEnclaveSigner, EnclaveTopPool, EnclaveTopPoolAuthor, + GLOBAL_ATTESTATION_HANDLER_COMPONENT, GLOBAL_OCALL_API_COMPONENT, GLOBAL_RPC_WS_HANDLER_COMPONENT, GLOBAL_SHIELDING_KEY_REPOSITORY_COMPONENT, GLOBAL_SIDECHAIN_BLOCK_COMPOSER_COMPONENT, GLOBAL_SIDECHAIN_BLOCK_SYNCER_COMPONENT, GLOBAL_SIDECHAIN_IMPORT_QUEUE_COMPONENT, GLOBAL_SIDECHAIN_IMPORT_QUEUE_WORKER_COMPONENT, 
@@ -61,9 +61,8 @@ use itp_component_container::{ComponentGetter, ComponentInitializer}; use itp_primitives_cache::GLOBAL_PRIMITIVES_CACHE; use itp_settings::files::STATE_SNAPSHOTS_CACHE_SIZE; use itp_sgx_crypto::{ - aes, get_ed25519_repository, get_rsa3072_repository, key_repository::AccessKey, AesSeal, + get_aes_repository, get_ed25519_repository, get_rsa3072_repository, key_repository::AccessKey, }; -use itp_sgx_io::StaticSealedIO; use itp_stf_state_handler::{ handle_state::HandleState, query_shard_state::QueryShardState, state_snapshot_repository::VersionedStateAccess, @@ -92,11 +91,7 @@ pub(crate) fn init_enclave( // Create the aes key that is used for state encryption such that a key is always present in tests. // It will be overwritten anyway if mutual remote attestation is performed with the primary worker. - aes::create_sealed_if_absent().map_err(Error::Crypto)?; - - let state_key = AesSeal::unseal_from_static_file()?; - let state_key_repository = - Arc::new(EnclaveStateKeyRepository::new(state_key, Arc::new(AesSeal))); + let state_key_repository = Arc::new(get_aes_repository(base_dir.clone())?); GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.initialize(state_key_repository.clone()); let state_file_io = Arc::new(EnclaveStateFileIo::new(state_key_repository)); From d0e5c3eb030ac50353895cd88ad462759d404fa4 Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Wed, 24 May 2023 11:53:23 +0200 Subject: [PATCH 16/25] [itp-state-handler] wip update tests --- Cargo.lock | 1 + core-primitives/stf-state-handler/Cargo.toml | 4 +++ .../stf-state-handler/src/test/sgx_tests.rs | 32 +++++++++++++------ enclave-runtime/Cargo.lock | 1 + 4 files changed, 28 insertions(+), 10 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e4919006bb..cfb3e2cb62 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3627,6 +3627,7 @@ dependencies = [ "itp-sgx-crypto", "itp-sgx-externalities", "itp-sgx-io", + "itp-sgx-temp-dir", "itp-stf-interface", "itp-stf-state-observer", "itp-time-utils", 
diff --git a/core-primitives/stf-state-handler/Cargo.toml b/core-primitives/stf-state-handler/Cargo.toml index 7b8d31b2b0..73f0f63e59 100644 --- a/core-primitives/stf-state-handler/Cargo.toml +++ b/core-primitives/stf-state-handler/Cargo.toml @@ -22,6 +22,9 @@ itp-stf-state-observer = { path = "../stf-state-observer", default-features = fa itp-time-utils = { path = "../../core-primitives/time-utils", default-features = false } itp-types = { path = "../types", default-features = false } +# for tests +itp-sgx-temp-dir = { version = "0.1", default-features = false, optional = true, path = "../../core-primitives/sgx/temp-dir" } + # sgx enabled external libraries rust-base58_sgx = { package = "rust-base58", rev = "sgx_1.1.3", git = "https://github.com/mesalock-linux/rust-base58-sgx", optional = true, default-features = false, features = ["mesalock_sgx"] } thiserror_sgx = { package = "thiserror", git = "https://github.com/mesalock-linux/thiserror-sgx", tag = "sgx_1.1.3", optional = true } @@ -71,4 +74,5 @@ sgx = [ test = [ "itp-sgx-crypto/mocks", "itp-stf-interface/mocks", + "itp-sgx-temp-dir" ] diff --git a/core-primitives/stf-state-handler/src/test/sgx_tests.rs b/core-primitives/stf-state-handler/src/test/sgx_tests.rs index 4ad8ff1947..b0e2b83166 100644 --- a/core-primitives/stf-state-handler/src/test/sgx_tests.rs +++ b/core-primitives/stf-state-handler/src/test/sgx_tests.rs 
@@ -33,16 +33,21 @@ use crate::{ use codec::{Decode, Encode}; use ita_stf::{State as StfState, StateType as StfStateType}; use itp_hashing::Hash; -use itp_sgx_crypto::{mocks::KeyRepositoryMock, Aes, AesSeal, StateCrypto}; +use itp_sgx_crypto::{ + get_aes_repository, + key_repository::{AccessKey, KeyRepository}, + Aes, AesSeal, StateCrypto, +}; use itp_sgx_externalities::{SgxExternalities, SgxExternalitiesTrait}; -use itp_sgx_io::{write, StaticSealedIO}; +use itp_sgx_io::write; +use itp_sgx_temp_dir::TempDir; use itp_stf_state_observer::state_observer::StateObserver; use itp_types::{ShardIdentifier, H256}; use std::{sync::Arc, thread, vec::Vec}; const STATE_SNAPSHOTS_CACHE_SIZE: usize = 3; -type StateKeyRepositoryMock = KeyRepositoryMock; +type StateKeyRepositoryMock = KeyRepository; type TestStateInitializer = InitializeStateMock; type TestStateFileIo = SgxStateFileIo; type TestStateRepository = StateSnapshotRepository; @@ -88,7 +93,12 @@ pub fn test_sgx_state_decode_encode_works() { pub fn test_encrypt_decrypt_state_type_works() { // given let state = given_hello_world_state(); - let state_key = AesSeal::unseal_from_static_file().unwrap(); + + let temp_dir = TempDir::with_prefix("test_encrypt_decrypt_state_type_works").unwrap(); + let state_key = get_aes_repository(temp_dir.path().to_path_buf()) + .unwrap() + .retrieve_key() + .unwrap(); // when let mut state_buffer = state.state.encode(); 
@@ -234,8 +244,8 @@ pub fn test_multiple_state_updates_create_snapshots_up_to_cache_size() { pub fn test_file_io_get_state_hash_works() { let shard: ShardIdentifier = [21u8; 32].into(); let _shard_dir_handle = ShardDirectoryHandle::new(shard).unwrap(); - let state_key_access = - Arc::new(StateKeyRepositoryMock::new(AesSeal::unseal_from_static_file().unwrap())); + let temp_dir = TempDir::with_prefix("test_file_io_get_state_hash_works").unwrap(); + let state_key_access = Arc::new(get_aes_repository(temp_dir.path().to_path_buf()).unwrap()); let file_io = TestStateFileIo::new(state_key_access); @@ -281,8 +291,9 @@ pub fn test_state_files_from_handler_can_be_loaded_again() { pub fn test_list_state_ids_ignores_files_not_matching_the_pattern() { let shard: ShardIdentifier = [21u8; 32].into(); let _shard_dir_handle = ShardDirectoryHandle::new(shard).unwrap(); - let state_key_access = - Arc::new(StateKeyRepositoryMock::new(AesSeal::unseal_from_static_file().unwrap())); + let temp_dir = + TempDir::with_prefix("test_list_state_ids_ignores_files_not_matching_the_pattern").unwrap(); + let state_key_access = Arc::new(get_aes_repository(temp_dir.path().to_path_buf()).unwrap()); let file_io = TestStateFileIo::new(state_key_access); @@ -321,8 +332,9 @@ fn initialize_state_handler_with_directory_handle( } fn initialize_state_handler() -> Arc { - let state_key_access = - Arc::new(StateKeyRepositoryMock::new(AesSeal::unseal_from_static_file().unwrap())); + let temp_dir = TempDir::with_prefix("initialize_state_handler").unwrap(); + let state_key_access = Arc::new(get_aes_repository(temp_dir.path().to_path_buf()).unwrap()); + let file_io = Arc::new(TestStateFileIo::new(state_key_access)); let state_initializer = Arc::new(TestStateInitializer::new(StfState::new(Default::default()))); let state_repository_loader = diff --git a/enclave-runtime/Cargo.lock b/enclave-runtime/Cargo.lock index e9367bf0c2..8e26c96c8c 100644 --- a/enclave-runtime/Cargo.lock +++ b/enclave-runtime/Cargo.lock 
@@ -2090,6 +2090,7 @@ dependencies = [ "itp-sgx-crypto", "itp-sgx-externalities", "itp-sgx-io", + "itp-sgx-temp-dir", "itp-stf-interface", "itp-stf-state-observer", "itp-time-utils", From 11a38525a74a1bbe657e7f1f9ad3d28dd05fb28e Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Wed, 24 May 2023 11:53:39 +0200 Subject: [PATCH 17/25] [itp-state-handler] add debug log for existing files in shard --- core-primitives/stf-state-handler/src/test/sgx_tests.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/core-primitives/stf-state-handler/src/test/sgx_tests.rs b/core-primitives/stf-state-handler/src/test/sgx_tests.rs index b0e2b83166..f9f31e1c1e 100644 --- a/core-primitives/stf-state-handler/src/test/sgx_tests.rs +++ b/core-primitives/stf-state-handler/src/test/sgx_tests.rs @@ -380,6 +380,10 @@ fn given_initialized_shard(shard: &ShardIdentifier) -> Result<()> { fn number_of_files_in_shard_dir(shard: &ShardIdentifier) -> Result { let shard_dir_path = shard_path(shard); - let files_in_dir = std::fs::read_dir(shard_dir_path).map_err(|e| Error::Other(e.into()))?; + let files_in_dir = + std::fs::read_dir(shard_dir_path.clone()).map_err(|e| Error::Other(e.into()))?; + + log::info!("File in shard dir: {:?}", files_in_dir); + Ok(files_in_dir.count()) } From a4d0a4197b086c4a5892396b7255c4e9d5367b90 Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Wed, 24 May 2023 14:49:31 +0200 Subject: [PATCH 18/25] [itp-state-handler] fix tests by creating a unique key-repo per test --- .../stf-state-handler/src/test/sgx_tests.rs | 63 +++++++++++++------ 1 file changed, 43 insertions(+), 20 deletions(-) diff --git a/core-primitives/stf-state-handler/src/test/sgx_tests.rs b/core-primitives/stf-state-handler/src/test/sgx_tests.rs index f9f31e1c1e..3d6d37c51a 100644 --- a/core-primitives/stf-state-handler/src/test/sgx_tests.rs +++ b/core-primitives/stf-state-handler/src/test/sgx_tests.rs 
@@ -75,6 +75,14 @@ impl Drop for ShardDirectoryHandle { } } +/// Gets a temporary key repository. +/// +/// We pass and ID such that it doesn't clash with other temp repositories. +fn temp_state_key_repository(id: &str) -> StateKeyRepositoryMock { + let temp_dir = TempDir::with_prefix(id).unwrap(); + get_aes_repository(temp_dir.path().to_path_buf()).unwrap() +} + // Fixme: Move this test to sgx-runtime: // // https://github.com/integritee-network/sgx-runtime/issues/23 @@ -94,9 +102,7 @@ pub fn test_encrypt_decrypt_state_type_works() { // given let state = given_hello_world_state(); - let temp_dir = TempDir::with_prefix("test_encrypt_decrypt_state_type_works").unwrap(); - let state_key = get_aes_repository(temp_dir.path().to_path_buf()) - .unwrap() + let state_key = temp_state_key_repository("test_encrypt_decrypt_state_type_works") .retrieve_key() .unwrap(); @@ -114,7 +120,9 @@ pub fn test_encrypt_decrypt_state_type_works() { pub fn test_write_and_load_state_works() { // given let shard: ShardIdentifier = [94u8; 32].into(); - let (state_handler, shard_dir_handle) = initialize_state_handler_with_directory_handle(&shard); + let state_key_access = Arc::new(temp_state_key_repository("test_write_and_load_state_works")); + let (state_handler, shard_dir_handle) = + initialize_state_handler_with_directory_handle(&shard, state_key_access); let state = given_hello_world_state(); 
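Review bot: `temp_state_key_repository` builds the repository from `temp_dir.path()` and then lets `temp_dir` go out of scope when the function returns. If `TempDir` removes its directory on drop (its implementation is not shown here), the returned repository's `AesSeal` points at a directory that no longer exists, so any later seal or re-read through it would fail or write outside a managed temp dir. Returning the guard together with the repository, e.g. `fn temp_state_key_repository(id: &str) -> (TempDir, StateKeyRepositoryMock)`, keeps the directory alive for the duration of the test. The doc comment also has a typo: `We pass and ID` should read `We pass an ID`.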
@@ -134,7 +142,10 @@ pub fn test_write_and_load_state_works() { pub fn test_ensure_subsequent_state_loads_have_same_hash() { // given let shard: ShardIdentifier = [49u8; 32].into(); - let (state_handler, shard_dir_handle) = initialize_state_handler_with_directory_handle(&shard); + let state_key_access = + Arc::new(temp_state_key_repository("test_ensure_subsequent_state_loads_have_same_hash")); + let (state_handler, shard_dir_handle) = + initialize_state_handler_with_directory_handle(&shard, state_key_access); let (lock, initial_state) = state_handler.load_for_mutation(&shard).unwrap(); state_handler.write_after_mutation(initial_state.clone(), lock, &shard).unwrap(); @@ -153,7 +164,10 @@ pub fn test_write_access_locks_read_until_finished() { // given let shard: ShardIdentifier = [47u8; 32].into(); - let (state_handler, shard_dir_handle) = initialize_state_handler_with_directory_handle(&shard); + let state_key_access = + Arc::new(temp_state_key_repository("test_write_access_locks_read_until_finished")); + let (state_handler, shard_dir_handle) = + initialize_state_handler_with_directory_handle(&shard, state_key_access); let new_state_key = "my_new_state".encode(); let (lock, mut state_to_mutate) = state_handler.load_for_mutation(&shard).unwrap(); @@ -183,7 +197,10 @@ pub fn test_write_access_locks_read_until_finished() { pub fn test_state_handler_file_backend_is_initialized() { let shard: ShardIdentifier = [11u8; 32].into(); - let (state_handler, shard_dir_handle) = initialize_state_handler_with_directory_handle(&shard); + let state_key_access = + Arc::new(temp_state_key_repository("test_state_handler_file_backend_is_initialized")); + let (state_handler, shard_dir_handle) = + initialize_state_handler_with_directory_handle(&shard, state_key_access); assert!(state_handler.shard_exists(&shard).unwrap()); assert!(1 <= state_handler.list_shards().unwrap().len()); // only greater equal, because there might be other (non-test) shards present 
@@ -199,7 +216,11 @@ pub fn test_state_handler_file_backend_is_initialized() { pub fn test_multiple_state_updates_create_snapshots_up_to_cache_size() { let shard: ShardIdentifier = [17u8; 32].into(); - let (state_handler, _shard_dir_handle) = initialize_state_handler_with_directory_handle(&shard); + let state_key_access = Arc::new(temp_state_key_repository( + "test_multiple_state_updates_create_snapshots_up_to_cache_size", + )); + let (state_handler, _shard_dir_handle) = + initialize_state_handler_with_directory_handle(&shard, state_key_access); assert_eq!(1, number_of_files_in_shard_dir(&shard).unwrap()); @@ -244,8 +265,7 @@ pub fn test_multiple_state_updates_create_snapshots_up_to_cache_size() { pub fn test_file_io_get_state_hash_works() { let shard: ShardIdentifier = [21u8; 32].into(); let _shard_dir_handle = ShardDirectoryHandle::new(shard).unwrap(); - let temp_dir = TempDir::with_prefix("test_file_io_get_state_hash_works").unwrap(); - let state_key_access = Arc::new(get_aes_repository(temp_dir.path().to_path_buf()).unwrap()); + let state_key_access = Arc::new(temp_state_key_repository("test_file_io_get_state_hash_works")); let file_io = TestStateFileIo::new(state_key_access); @@ -261,7 +281,10 @@ pub fn test_file_io_get_state_hash_works() { pub fn test_state_files_from_handler_can_be_loaded_again() { let shard: ShardIdentifier = [15u8; 32].into(); - let (state_handler, _shard_dir_handle) = initialize_state_handler_with_directory_handle(&shard); + let state_key_access = + Arc::new(temp_state_key_repository("test_state_files_from_handler_can_be_loaded_again")); + let (state_handler, _shard_dir_handle) = + initialize_state_handler_with_directory_handle(&shard, state_key_access.clone()); update_state(state_handler.as_ref(), &shard, ("test_key_1".encode(), "value1".encode())); update_state(state_handler.as_ref(), &shard, ("test_key_2".encode(), "value2".encode())); 
@@ -273,7 +296,7 @@ pub fn test_state_files_from_handler_can_be_loaded_again() { update_state(state_handler.as_ref(), &shard, ("test_key_3".encode(), "value3".encode())); // We initialize another state handler to load the state from the changes we just made. - let updated_state_handler = initialize_state_handler(); + let updated_state_handler = initialize_state_handler(state_key_access); assert_eq!(STATE_SNAPSHOTS_CACHE_SIZE, number_of_files_in_shard_dir(&shard).unwrap()); assert_eq!( @@ -291,9 +314,9 @@ pub fn test_state_files_from_handler_can_be_loaded_again() { pub fn test_list_state_ids_ignores_files_not_matching_the_pattern() { let shard: ShardIdentifier = [21u8; 32].into(); let _shard_dir_handle = ShardDirectoryHandle::new(shard).unwrap(); - let temp_dir = - TempDir::with_prefix("test_list_state_ids_ignores_files_not_matching_the_pattern").unwrap(); - let state_key_access = Arc::new(get_aes_repository(temp_dir.path().to_path_buf()).unwrap()); + let state_key_access = Arc::new(temp_state_key_repository( + "test_list_state_ids_ignores_files_not_matching_the_pattern", + )); let file_io = TestStateFileIo::new(state_key_access); 
@@ -326,15 +349,15 @@ pub fn test_in_memory_state_initializes_from_shard_directory() { fn initialize_state_handler_with_directory_handle( shard: &ShardIdentifier, + state_key_access: Arc, ) -> (Arc, ShardDirectoryHandle) { let shard_dir_handle = ShardDirectoryHandle::new(*shard).unwrap(); - (initialize_state_handler(), shard_dir_handle) + (initialize_state_handler(state_key_access), shard_dir_handle) } -fn initialize_state_handler() -> Arc { - let temp_dir = TempDir::with_prefix("initialize_state_handler").unwrap(); - let state_key_access = Arc::new(get_aes_repository(temp_dir.path().to_path_buf()).unwrap()); - +fn initialize_state_handler( + state_key_access: Arc, +) -> Arc { let file_io = Arc::new(TestStateFileIo::new(state_key_access)); let state_initializer = Arc::new(TestStateInitializer::new(StfState::new(Default::default()))); let state_repository_loader = From d53ef306c0d5b814f61a1d8bcbefb2df5cba525f Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Fri, 26 May 2023 09:18:13 +0200 Subject: [PATCH 19/25] fix merge errors --- enclave-runtime/src/initialization/mod.rs | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/enclave-runtime/src/initialization/mod.rs b/enclave-runtime/src/initialization/mod.rs index b922b83f94..aa10dbabd2 100644 --- a/enclave-runtime/src/initialization/mod.rs +++ b/enclave-runtime/src/initialization/mod.rs @@ -62,9 +62,7 @@ use itp_primitives_cache::GLOBAL_PRIMITIVES_CACHE; use itp_settings::files::STATE_SNAPSHOTS_CACHE_SIZE; use itp_sgx_crypto::{ get_aes_repository, get_ed25519_repository, get_rsa3072_repository, key_repository::AccessKey, - AesSeal, }; -use itp_sgx_io::StaticSealedIO; use itp_stf_state_handler::{ handle_state::HandleState, query_shard_state::QueryShardState, state_snapshot_repository::VersionedStateAccess, 
@@ -88,7 +86,7 @@ pub(crate) fn init_enclave( let signer = signing_key_repository.retrieve_key()?; info!("[Enclave initialized] Ed25519 prim raw : {:?}", signer.public().0); - let shielding_key_repository = Arc::new(get_rsa3072_repository(base_dir)?); + let shielding_key_repository = Arc::new(get_rsa3072_repository(base_dir.clone())?); GLOBAL_SHIELDING_KEY_REPOSITORY_COMPONENT.initialize(shielding_key_repository.clone()); // Create the aes key that is used for state encryption such that a key is always present in tests. From df8c61f973683c6781e8712d6e09b7dc971c5e5d Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Fri, 26 May 2023 09:19:24 +0200 Subject: [PATCH 20/25] [itp-sgx-crypto] add tests for aes --- core-primitives/sgx/crypto/src/aes.rs | 41 ++++++++++++++++++++++++++ core-primitives/sgx/crypto/src/lib.rs | 4 +++ enclave-runtime/src/test/tests_main.rs | 2 ++ 3 files changed, 47 insertions(+) diff --git a/core-primitives/sgx/crypto/src/aes.rs b/core-primitives/sgx/crypto/src/aes.rs index d2bf3ceeb8..208f5d658a 100644 --- a/core-primitives/sgx/crypto/src/aes.rs +++ b/core-primitives/sgx/crypto/src/aes.rs 
@@ -158,3 +158,44 @@ pub mod sgx { } } } + +#[cfg(feature = "test")] +pub mod sgx_tests { + use super::sgx::*; + use crate::{key_repository::AccessKey, AesSeal, AesSealing}; + use itp_sgx_temp_dir::TempDir; + + pub fn using_get_aes_repository_twice_initializes_key_only_once() { + let temp_dir = + TempDir::with_prefix("using_get_aes_repository_twice_initializes_key_only_once") + .unwrap(); + let temp_path = temp_dir.path().to_path_buf(); + let key1 = get_aes_repository(temp_path.clone()).unwrap().retrieve_key().unwrap(); + let key2 = get_aes_repository(temp_path).unwrap().retrieve_key().unwrap(); + assert_eq!(key1, key2); + } + + pub fn aes_sealing_works() { + let temp_dir = TempDir::with_prefix("aes_sealing_works").unwrap(); + let seal = AesSeal::new(temp_dir.path().to_path_buf()); + + // Create new sealed keys and unseal them + assert!(!seal.exists()); + seal.create_sealed_if_absent().unwrap(); + let key = seal.unseal_key().unwrap(); + + assert!(seal.exists()); + + // Should not change anything because the key is already there. + seal.create_sealed_if_absent().unwrap(); + let key_same = seal.unseal_key().unwrap(); + + assert_eq!(key, key_same); + + // Should overwrite previous keys. + seal.create_sealed().unwrap(); + let key_different = seal.unseal_key().unwrap(); + + assert_ne!(key_different, key); + } +} diff --git a/core-primitives/sgx/crypto/src/lib.rs b/core-primitives/sgx/crypto/src/lib.rs index 2dcd271b31..b876b05203 100644 --- a/core-primitives/sgx/crypto/src/lib.rs +++ b/core-primitives/sgx/crypto/src/lib.rs @@ -57,4 +57,8 @@ pub mod tests { pub use super::rsa3072::sgx_tests::{ rsa3072_sealing_works, using_get_rsa3072_repository_twice_initializes_key_only_once, }; + + pub use super::aes::sgx_tests::{ + aes_sealing_works, using_get_aes_repository_twice_initializes_key_only_once, + }; } diff --git a/enclave-runtime/src/test/tests_main.rs b/enclave-runtime/src/test/tests_main.rs index b6d3874f27..777627c8b0 100644 --- a/enclave-runtime/src/test/tests_main.rs 
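Review bot: The key comparisons in the new `sgx_tests` module (`assert_eq!(key1, key2)`, `assert_eq!(key, key_same)`, `assert_ne!(key_different, key)`) format both operands with `Debug` when they fail. `Aes` derives `Debug` with a public `key` field (visible further down in this series), so a failing run would presumably write raw key bytes to the test output. These are throwaway keys in a temp directory, so the exposure is small, but the pattern is easy to copy into code where the key is real. A boolean assertion avoids it: `assert!(key1 == key2, "second load returned a different key");`. Both functions are `pub` and would benefit from a one-line `///` comment stating what they verify.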
+++ b/enclave-runtime/src/test/tests_main.rs @@ -91,6 +91,8 @@ pub extern "C" fn test_main_entrance() -> size_t { itp_stf_state_handler::test::sgx_tests::test_file_io_get_state_hash_works, itp_stf_state_handler::test::sgx_tests::test_list_state_ids_ignores_files_not_matching_the_pattern, itp_stf_state_handler::test::sgx_tests::test_in_memory_state_initializes_from_shard_directory, + itp_sgx_crypto::tests::aes_sealing_works, + itp_sgx_crypto::tests::using_get_aes_repository_twice_initializes_key_only_once, itp_sgx_crypto::tests::ed25529_sealing_works, itp_sgx_crypto::tests::using_get_ed25519_repository_twice_initializes_key_only_once, itp_sgx_crypto::tests::rsa3072_sealing_works, From 4202a29246970390487a34c6576e4335a74600ec Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Fri, 26 May 2023 09:22:25 +0200 Subject: [PATCH 21/25] taplo fmt --- core-primitives/sgx/io/Cargo.toml | 2 +- core-primitives/stf-state-handler/Cargo.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/core-primitives/sgx/io/Cargo.toml b/core-primitives/sgx/io/Cargo.toml index 2f18915854..9c358d438b 100644 --- a/core-primitives/sgx/io/Cargo.toml +++ b/core-primitives/sgx/io/Cargo.toml @@ -8,7 +8,7 @@ edition = "2021" [dependencies] # sgx deps -sgx_tstd = { optional = true, features = ["untrusted_fs"], branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git" } +sgx_tstd = { optional = true, features = ["untrusted_fs"], branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git" } [features] default = ["std"] diff --git a/core-primitives/stf-state-handler/Cargo.toml b/core-primitives/stf-state-handler/Cargo.toml index 73f0f63e59..739473c96b 100644 --- a/core-primitives/stf-state-handler/Cargo.toml +++ b/core-primitives/stf-state-handler/Cargo.toml @@ -74,5 +74,5 @@ sgx = [ test = [ "itp-sgx-crypto/mocks", "itp-stf-interface/mocks", - "itp-sgx-temp-dir" + "itp-sgx-temp-dir", ] 
From bace8d61969efdd67ae75927e24efbec5494d89d Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Fri, 26 May 2023 09:25:26 +0200 Subject: [PATCH 22/25] clippy --- enclave-runtime/src/initialization/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/enclave-runtime/src/initialization/mod.rs b/enclave-runtime/src/initialization/mod.rs index aa10dbabd2..d7d971fa4d 100644 --- a/enclave-runtime/src/initialization/mod.rs +++ b/enclave-runtime/src/initialization/mod.rs @@ -91,7 +91,7 @@ pub(crate) fn init_enclave( // Create the aes key that is used for state encryption such that a key is always present in tests. // It will be overwritten anyway if mutual remote attestation is performed with the primary worker. - let state_key_repository = Arc::new(get_aes_repository(base_dir.clone())?); + let state_key_repository = Arc::new(get_aes_repository(base_dir)?); GLOBAL_STATE_KEY_REPOSITORY_COMPONENT.initialize(state_key_repository.clone()); let state_file_io = Arc::new(EnclaveStateFileIo::new(state_key_repository)); From 61688aa3558810b03218d9801d0991c9e9dd98c1 Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Fri, 26 May 2023 09:26:52 +0200 Subject: [PATCH 23/25] move aes key file name constant to the aes module --- core-primitives/settings/src/lib.rs | 1 - core-primitives/sgx/crypto/src/aes.rs | 4 +++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/core-primitives/settings/src/lib.rs b/core-primitives/settings/src/lib.rs index 1d569ac862..536949f983 100644 --- a/core-primitives/settings/src/lib.rs +++ b/core-primitives/settings/src/lib.rs @@ -42,7 +42,6 @@ pub mod files { pub static SIDECHAIN_PURGE_LIMIT: u64 = 100; // keep the last.. sidechainblocks when purging // used by enclave - pub const AES_KEY_FILE_AND_INIT_V: &str = "aes_key_sealed.bin"; pub const LIGHT_CLIENT_DB: &str = "light_client_db.bin"; pub const RA_DUMP_CERT_DER_FILE: &str = "ra_dump_cert.der"; 
diff --git a/core-primitives/sgx/crypto/src/aes.rs b/core-primitives/sgx/crypto/src/aes.rs index 208f5d658a..17f43c7ac2 100644 --- a/core-primitives/sgx/crypto/src/aes.rs +++ b/core-primitives/sgx/crypto/src/aes.rs @@ -21,7 +21,6 @@ use crate::{ }; use aes::Aes128; use codec::{Decode, Encode}; -use itp_settings::files::AES_KEY_FILE_AND_INIT_V; use ofb::{ cipher::{NewStreamCipher, SyncStreamCipher}, Ofb, @@ -33,6 +32,9 @@ use std::{ type AesOfb = Ofb; +/// File name of the sealed AES key data. +pub const AES_KEY_FILE_AND_INIT_V: &str = "aes_key_sealed.bin"; + #[derive(Debug, Default, Encode, Decode, Clone, Copy, PartialEq, Eq)] pub struct Aes { pub key: [u8; 16], From df29524b4a8fc74678fcf6256fa7c8111732c44a Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Fri, 26 May 2023 09:29:47 +0200 Subject: [PATCH 24/25] [stf-state-handle] rename `TestKeyRepositoryMock` to `TestKeyRepositoryMock` to reflect that it is no longer the mock --- .../stf-state-handler/src/test/sgx_tests.rs | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/core-primitives/stf-state-handler/src/test/sgx_tests.rs b/core-primitives/stf-state-handler/src/test/sgx_tests.rs index 3d6d37c51a..da659e06f9 100644 --- a/core-primitives/stf-state-handler/src/test/sgx_tests.rs +++ b/core-primitives/stf-state-handler/src/test/sgx_tests.rs @@ -47,9 +47,9 @@ use std::{sync::Arc, thread, vec::Vec}; const STATE_SNAPSHOTS_CACHE_SIZE: usize = 3; -type StateKeyRepositoryMock = KeyRepository; +type StateKeyRepository = KeyRepository; type TestStateInitializer = InitializeStateMock; -type TestStateFileIo = SgxStateFileIo; +type TestStateFileIo = SgxStateFileIo; type TestStateRepository = StateSnapshotRepository; type TestStateRepositoryLoader = StateSnapshotRepositoryLoader; 
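Review bot: The doc comment added on `AES_KEY_FILE_AND_INIT_V` (second aes.rs hunk) calls the file "sealed AES key data", while the constant's name says it also holds the init vector; `/// File name of the sealed AES key and init vector.` would match. The comment is also a good place to record how the IV is used. `AesOfb` is an OFB stream cipher, so if the sealed IV is reused unchanged for every encryption under the same key, each ciphertext is produced with the same keystream. The encrypt path is not part of this hunk, so that needs to be confirmed there. The `Aes` struct continues past the end of the hunk.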
@@ -78,7 +78,7 @@ impl Drop for ShardDirectoryHandle { /// Gets a temporary key repository. /// /// We pass and ID such that it doesn't clash with other temp repositories. -fn temp_state_key_repository(id: &str) -> StateKeyRepositoryMock { +fn temp_state_key_repository(id: &str) -> StateKeyRepository { let temp_dir = TempDir::with_prefix(id).unwrap(); get_aes_repository(temp_dir.path().to_path_buf()).unwrap() } @@ -349,15 +349,13 @@ pub fn test_in_memory_state_initializes_from_shard_directory() { fn initialize_state_handler_with_directory_handle( shard: &ShardIdentifier, - state_key_access: Arc, + state_key_access: Arc, ) -> (Arc, ShardDirectoryHandle) { let shard_dir_handle = ShardDirectoryHandle::new(*shard).unwrap(); (initialize_state_handler(state_key_access), shard_dir_handle) } -fn initialize_state_handler( - state_key_access: Arc, -) -> Arc { +fn initialize_state_handler(state_key_access: Arc) -> Arc { let file_io = Arc::new(TestStateFileIo::new(state_key_access)); let state_initializer = Arc::new(TestStateInitializer::new(StfState::new(Default::default()))); let state_repository_loader = From f77d48f26a956633515365a7a8a94dcf13d1f16b Mon Sep 17 00:00:00 2001 From: Christian Langenbacher Date: Fri, 26 May 2023 13:17:24 +0200 Subject: [PATCH 25/25] [itp-sgx-crypto] more accurate name for the AES key file --- core-primitives/sgx/crypto/src/aes.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core-primitives/sgx/crypto/src/aes.rs b/core-primitives/sgx/crypto/src/aes.rs index 17f43c7ac2..0c1414e84c 100644 --- a/core-primitives/sgx/crypto/src/aes.rs +++ b/core-primitives/sgx/crypto/src/aes.rs @@ -33,7 +33,7 @@ use std::{ type AesOfb = Ofb; /// File name of the sealed AES key data. -pub const AES_KEY_FILE_AND_INIT_V: &str = "aes_key_sealed.bin"; +pub const AES_KEY_FILE_AND_INIT_V: &str = "aes_key_and_iv_sealed_data.bin"; #[derive(Debug, Default, Encode, Decode, Clone, Copy, PartialEq, Eq)] pub struct Aes {