Implement Proxy Attestation Service example #1860

Closed
ipetr0v opened this issue Feb 2, 2021 · 0 comments · Fixed by #1849

ipetr0v commented Feb 2, 2021

We need to implement a new experimental example called Proxy Attestation Service.

Proxy Attestation Service works as a Certificate Authority for TEE applications. It attests applications and creates signed certificates for TEE applications, which they use to create TLS connections with clients.

The work cycle of the proxy is represented in 2 stages.
The first stage corresponds to the backend server attestation:

  • TEE application connects to the proxy
  • Proxy attests the application using a corresponding remote attestation protocol
  • Application sends the proxy a certificate signing request that contains TEE measurements
  • Proxy signs it using its private key and sends the signature back to the application

The second stage corresponds to the client connection:

  • Client remotely attests the proxy using a corresponding attestation protocol
  • Proxy sends the client its root certificate
    • Client trusts that this is a correct certificate, since it was sent via a secure channel created during the attestation process
  • Client connects to the application using TLS, and the application uses a TLS certificate previously signed by the proxy
  • Client checks that the certificate was signed by the root certificate and establishes a secure connection
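
The two stages described in the issue above, sketched with the `openssl` CLI as an added example; it is not part of the issue or of the Oak code base. The remote attestation exchanges themselves are not modelled: the constant `ATTESTED` stands for the measurement the proxy obtained by attesting the application, and carrying the measurement in the subject's OU field, like every name and path here, is an assumption.

```shell
#!/bin/sh
# Added example; every name, path and the measurement value is constructed.
set -eu
W=$(mktemp -d)
# Constructed hex string standing in for the measurement the proxy obtained
# when it attested the application (stage 1, step 2).
ATTESTED=3f2a9c0d5e7b41aa

# Proxy: CA key pair and self-signed root certificate.
proxy_init() {  # $1 = output prefix
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=proxy-attestation-root" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Application: TLS key plus a CSR carrying its measurement.
# Assumption: the measurement travels in the subject's OU field.
app_csr() {  # $1 = output prefix, $2 = measurement
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=tee-app/OU=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Proxy: sign only when the CSR subject is exactly the expected name with the
# attested measurement (an exact match leaves no room for substring tricks).
proxy_sign() {  # $1 = CA prefix, $2 = application prefix
  subj=$(openssl req -in "$2.csr" -noout -subject -nameopt RFC2253)
  subj=${subj#subject=}; subj=${subj# }
  [ "$subj" = "OU=$ATTESTED,CN=tee-app" ] || return 1
  openssl x509 -req -in "$2.csr" -days 1 -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -out "$2.pem" 2>/dev/null
}

# Client: accept the application's TLS certificate only if it chains to the
# root certificate received over the attested channel.
client_verify() {  # $1 = trusted root prefix, $2 = application prefix
  openssl verify -CAfile "$1.pem" "$2.pem" 2>/dev/null | grep -q ': OK$'
}

proxy_init "$W/root"                 # proxy starts up as a CA
app_csr "$W/app" "$ATTESTED"         # stage 1: application builds its CSR
proxy_sign "$W/root" "$W/app" \
  && client_verify "$W/root" "$W/app" \
  && echo "client accepts the application certificate"
```

The client-side check is only as strong as the channel that delivered the root certificate, which is why the issue ties that delivery to the attestation of the proxy.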

ipetr0v self-assigned this Feb 2, 2021
ipetr0v added a commit that referenced this issue Feb 11, 2021
This change adds Proxy Attestation example.
It consists of:
- `experimental/proxy_attestation`: CA that can create signed certificates based on certificate signing requests
- `examples/proxy_attestation/client`: Client that can request the CA root certificate and use it to connect to an Oak application
- `examples/proxy_attestation/module`: Simple example Oak application
Certificate signing requests are created by `oak_loader`.

Fixes #1860
Ref #1374