Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature/attest verifier mc seed bugfix #1943

Merged
merged 4 commits into from
May 10, 2022
Merged

Feature/attest verifier mc seed bugfix #1943

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
4d624ec
check for previous seed file and regenerate if different
briancorbin May 9, 2022
ea1af8a
change ledger-dist dir to TARGET_DIR to enable volume sharing w/ docker
briancorbin May 9, 2022
efcd56d
regen files if mc_seed is set, always
briancorbin May 9, 2022
9647f45
using is_ok()
briancorbin May 9, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 18 additions & 3 deletions attest/verifier/build.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ use rand_hc::Hc128Rng;
use std::{
convert::TryFrom,
env,
fs::{read, remove_file, write},
fs::{read, read_to_string, remove_file, write},
path::{Path, PathBuf},
sync::{Arc, Mutex},
};
Expand Down Expand Up @@ -123,7 +123,7 @@ fn main() {
let mut signer_key_path = data_path.clone();
signer_key_path.push("signer.key");

let mut chain_path = data_path;
let mut chain_path = data_path.clone();
chain_path.push("chain.pem");

cargo_emit::rerun_if_env_changed!("MC_SEED");
Expand All @@ -140,7 +140,19 @@ fn main() {
purge_expired_cert(&root_anchor_path);
purge_expired_cert(&chain_path);

if !(root_anchor_path.exists() && signer_key_path.exists() && chain_path.exists()) {
let mut previous_seed_path = data_path;
previous_seed_path.push("previous_seed.txt");

let previous_seed = read_to_string(&previous_seed_path).unwrap_or_default();

let new_seed = match env::var("MC_SEED") {
Ok(seed_hex) => Some(seed_hex),
Err(_) => None,
};

if !(root_anchor_path.exists() && signer_key_path.exists() && chain_path.exists())
|| (new_seed.is_some() && new_seed != Some(previous_seed))
{
const ROOT_SUBJECT: &str = "C=US,ST=CA,L=Santa Clara,O=Intel Corporation,CN=Simulation Intel SGX Attestation Report Signing CA\0";
const SIGNER_SUBJECT: &str = "C=US,ST=CA,L=Santa Clara,O=Intel Corporation,CN=Simulation Intel SGX Attestation Report Signer\0";

Expand Down Expand Up @@ -267,6 +279,9 @@ fn main() {
.expect("Could not create PEM string of certificate");

write(chain_path, &(root_cert_pem + &signer_cert_pem)).expect("Unable to write cert chain");
if let Some(new_seed) = new_seed {
write(previous_seed_path, &new_seed).expect("Unable to write previous seed");
}
}

let env = Environment::default();
Expand Down
1 change: 1 addition & 0 deletions attest/verifier/data/sim/.gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
*.pem
*.crt
*.key
*.txt
2 changes: 1 addition & 1 deletion tools/local-network/local_network.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -160,7 +160,7 @@ def __init__(self, name, node_num, client_port, peer_port, admin_port, admin_htt
self.ledger_distribution_process = None
self.admin_http_gateway_process = None
self.ledger_dir = os.path.join(WORK_DIR, f'node-ledger-{self.node_num}')
self.ledger_distribution_dir = os.path.join(WORK_DIR, f'node-ledger-distribution-{self.node_num}')
self.ledger_distribution_dir = os.path.join(TARGET_DIR, f'node-ledger-distribution-{self.node_num}')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why was this changed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To expose it to the shared docker volume

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is that needed? It it a weird hack to only put one of these things over there and not the others.
It also gets in the way of cleaning up past runs by deleting the work dir.
Why not move the entire work dir under target?

self.msg_signer_key_file = os.path.join(WORK_DIR, f'node-scp-{self.node_num}.pem')
self.tokens_config_file = os.path.join(WORK_DIR, f'node-tokens-{self.node_num}.json')
subprocess.check_output(f'openssl genpkey -algorithm ed25519 -out {self.msg_signer_key_file}', shell=True)
Expand Down