Established encrypted channel between tenant and enclave using DHKE.

Author: lkatalin

intel-sgx/Cargo.lock

@@ -4,3 +4,4 @@ members = ['attestation-enclave', 'attestation-daemon', 'attestation-tenant']
 [patch.crates-io]
 dcap-ql = { git = "https://github.com/lkatalin/rust-sgx", branch = "serde-pck", rev = "aa81839e714ad7501e6ef44b2d4e61c8574548d4" }
 sgx-isa = { git = "https://github.com/lkatalin/rust-sgx", branch = "serde-pck", rev = "aa81839e714ad7501e6ef44b2d4e61c8574548d4" }
+mbedtls = { git = "https://github.com/haraldh/rust-mbedtls", branch = "upstream_bindgen" }

intel-sgx/Cargo.toml

@@ -1,6 +1,7 @@
+use serde_json::{from_reader, to_writer};
 use std::error::Error;
 use std::io::Write;
-use std::net::{TcpListener, TcpStream};
+use std::net::{Shutdown, TcpListener, TcpStream};
 
 const LISTENER_CONN: &'static str = "localhost:1034";
 const ENCLAVE_CONN: &'static str = "localhost:1032";
@@ -19,24 +20,24 @@ fn main() -> Result<(), Box<dyn Error>> {
         // used as the target for the enclave's attestation Report.
         let qe_ti = dcap_ql::target_info().expect("Could not retrieve QE target info.");
 
-        // Serialize the Target Info onto the stream to the enclave
         let mut enclave_stream = TcpStream::connect(ENCLAVE_CONN)?;
-        serde_json::to_writer(&mut enclave_stream, &qe_ti)?;
-        enclave_stream.shutdown(std::net::Shutdown::Write)?;
+        to_writer(&mut enclave_stream, &qe_ti)?;
+        enclave_stream.shutdown(Shutdown::Write)?;
 
         // The attestation daemon receives the Report back from the attesting enclave.
-        let report: sgx_isa::Report = serde_json::from_reader(&mut enclave_stream)?;
+        let report: sgx_isa::Report = from_reader(enclave_stream)?;
 
         // The attestation daemon gets a Quote from the Quoting Enclave for the Report.
         // The Quoting Enclave verifies the Report's MAC as a prerequisite for generating
         // the Quote. The Quote is signed with the Quoting Enclave's Attestation Key.
         let quote = dcap_ql::quote(&report).expect("Could not generate quote.");
 
-        // The attestation daemon sends the Quote to the tenant.
+        // The attestation daemon sends the Quote to the tenant. The Quote is already a Vec<u8>
+        // and does not need serialization.
         let mut tenant_stream = incoming_tenant_stream?;
         tenant_stream.write(&quote)?;
 
-        println!("\nQuote successfully generated and sent to tenant...");
+        println!("\nQuote successfully generated and sent to tenant.");
     }
     Ok(())
 }

intel-sgx/attestation-daemon/src/main.rs

@@ -8,7 +8,7 @@ edition = "2018"
 serde_json = "1.0"
 bufstream = "0.1.4"
 
-# The sgx-isa crate allows the use of Fortanix's data structures
+# The sgx-isa crate allows the use of Fortanix's data structures 
 # relating to SGX, ex. Report, TargetInfo. The sgxstd feature
 # should be enabled when using std::os::fortanix_sgx functionality,
 # ex. ENCLU[EGETKEY] and ENCLU[EREPORT]. Serde_support allows for the
@@ -17,3 +17,10 @@ bufstream = "0.1.4"
 [dependencies.sgx-isa]
 version = "0.3.1"
 features = ["serde_support", "sgxstd"]
+
+[dependencies.mbedtls]
+git = "https://github.com/haraldh/rust-mbedtls"
+branch = "upstream_bindgen"
+package = "mbedtls"
+default-features = false
+features = ["rdrand", "sgx"]

intel-sgx/attestation-enclave/Cargo.toml

@@ -1,34 +1,164 @@
+use mbedtls::{
+    cipher::*,
+    ecp::{EcGroup, EcPoint},
+    hash::{Md, Type::Sha256},
+    pk::{EcGroupId, Pk},
+    rng::{CtrDrbg, Rdseed},
+};
+use serde_json::{from_reader, to_writer, Deserializer};
 use sgx_isa::Report;
-use std::error::Error;
-use std::net::TcpListener;
+use std::{error::Error, net::TcpListener};
 
-const LISTENER_ADDR: &'static str = "localhost:1032";
+const DAEMON_LISTENER_ADDR: &'static str = "localhost:1032";
+const TENANT_LISTENER_ADDR: &'static str = "localhost:1066";
+
+// This copies the enclave key to the report data
+fn from_slice(bytes: &[u8]) -> [u8; 64] {
+    let mut array = [0; 64];
+    let bytes = &bytes[..array.len()]; // panics if not enough data
+    array.copy_from_slice(bytes);
+    array
+}
+
+// Creates an AES 256 CTR cipher instance with the symmetric key and initialization vector
+// set for each decryption operation.
+fn new_aes256ctr_decrypt_cipher(
+    symm_key: &[u8],
+    iv: &[u8],
+) -> Result<Cipher<Decryption, Traditional, CipherData>, Box<dyn Error>> {
+    let c = Cipher::<_, Traditional, _>::new(
+        raw::CipherId::Aes,
+        raw::CipherMode::CTR,
+        (symm_key.len() * 8) as _,
+    )
+    .unwrap();
+
+    Ok(c.set_key_iv(&symm_key, &iv)?)
+}
+
+// Creates an AES 256 CTR cipher instance with the symmetric key and initialization vector
+// set for each encryption operation.
+// TODO: This is redundant, but I can't return a Cipher<_, Traditional, CipherData> so I need two separate
+// functions. How to fix?
+fn new_aes256ctr_encrypt_cipher(
+    symm_key: &[u8],
+    iv: &[u8],
+) -> Result<Cipher<Encryption, Traditional, CipherData>, Box<dyn Error>> {
+    let c = Cipher::<_, Traditional, _>::new(
+        raw::CipherId::Aes,
+        raw::CipherMode::CTR,
+        (symm_key.len() * 8) as _,
+    )
+    .unwrap();
+
+    Ok(c.set_key_iv(&symm_key, &iv)?)
+}
 
 fn main() -> Result<(), Box<dyn Error>> {
-    println!("\nListening on {}....\n", LISTENER_ADDR);
+    println!(
+        "\nListening on {} and {}....\n",
+        DAEMON_LISTENER_ADDR, TENANT_LISTENER_ADDR
+    );
+
+    let daemon_streams = TcpListener::bind(DAEMON_LISTENER_ADDR).unwrap();
+    let tenant_streams = TcpListener::bind(TENANT_LISTENER_ADDR).unwrap();
+
+    // TODO: Is there a way to use RDRAND even though it's not a public module in mbedtls?
+    let mut entropy = Rdseed;
+    let mut rng = CtrDrbg::new(&mut entropy, None)?;
+    let curve = EcGroup::new(EcGroupId::SecP256R1)?;
+
+    // The enclave generates an EC key pair. The public key is inserted into the ReportData
+    // field of the enclave's attestation Report, which will be transmitted to the tenant.
+    let mut ec_key = Pk::generate_ec(&mut rng, curve.clone())?;
+    let ec_pub = ec_key.ec_public()?;
 
     // The enclave handles each incoming connection from attestation daemon.
-    for stream in TcpListener::bind(LISTENER_ADDR).unwrap().incoming() {
+    for stream in daemon_streams.incoming() {
         let mut stream = stream?;
 
         // The enclave receives the identity of the Quoting Enclave from the
-        // attestation daemon, in the form of a (serialized) TargetInfo
+        // attestation daemon, in the form of a serialized TargetInfo
         // structure. The TargetInfo contains the measurement and attribute flags
         // of the Quoting Enclave.
-        let qe_id: sgx_isa::Targetinfo = serde_json::from_reader(&mut stream)?;
+        let qe_id: sgx_isa::Targetinfo = from_reader(&mut stream)?;
+
+        // The enclave's public key will be transmitted to the tenant in the ReportData field
+        // of the enclave's attesation Report. It must be a &[u8; 64].
+        // The compressed public key is 33 bytes long and must be extended by 31 bytes.
+        let mut report_data = ec_pub.to_binary(&curve, true)?;
+        report_data.extend(&[0u8; 31]);
+        let report_data = from_slice(&report_data);
 
         // The enclave creates a Report attesting its identity, with the Quoting
         // Enclave (whose identity was just received) as the Report's target. The
-        // blank ReportData field must be passed in as a &[u8; 64].
-        let report = {
-            let report_data = [0u8; 64];
-            Report::for_target(&qe_id, &report_data)
-        };
+        // ReportData field contains the enclave's public key.
+        let report = Report::for_target(&qe_id, &report_data);
 
         // The enclave sends its attestation Report back to the attestation daemon.
-        serde_json::to_writer(&mut stream, &report)?;
+        to_writer(&mut stream, &report)?;
 
         println!("Successfully sent report to daemon.");
+
+        break;
+    }
+
+    // The enclave handles each incoming connection from the tenant. These channels between the tenant
+    // and enclave are established after attestation is verified and all data exchanged between the tenant
+    // and enclave after public keys are exchanged is encrypted with a shared symmetric key.
+    for stream in tenant_streams.incoming() {
+        let mut stream = stream?;
+
+        // The enclave receives and deserializes tenant pub key, iv, ciphertext.
+        let deserializer = Deserializer::from_reader(stream.try_clone().unwrap());
+        let mut iterator = deserializer.into_iter::<Vec<u8>>();
+
+        let tenant_key = iterator.next().unwrap()?;
+        let iv = iterator.next().unwrap()?;
+        let ciphertext1 = iterator.next().unwrap()?;
+        let ciphertext2 = iterator.next().unwrap()?;
+
+        // The enclave generates a shared secret with the tenant. A SHA256 hash of this shared secret
+        // is used as the symmetric key for encryption and decryption of data.
+        let tenant_pubkey_ecpoint = EcPoint::from_binary(&curve, &tenant_key)?;
+        let tenant_pubkey = Pk::public_from_ec_components(curve.clone(), tenant_pubkey_ecpoint)?;
+
+        let mut shared_secret = [0u8; 32]; // 256 / 8
+        ec_key.agree(&tenant_pubkey, &mut shared_secret, &mut rng)?;
+
+        let mut symm_key = [0u8; 32];
+        Md::hash(Sha256, &shared_secret, &mut symm_key)?;
+
+        // These cipher instances are used for decryption operations and one encryption operation.
+        // TODO: Can the same cipher be used for these? Cipher doesn't implement clone().
+        let decrypt_cipher_1 = new_aes256ctr_decrypt_cipher(&symm_key, &iv)?;
+        let decrypt_cipher_2 = new_aes256ctr_decrypt_cipher(&symm_key, &iv)?;
+        let encrypt_cipher = new_aes256ctr_encrypt_cipher(&symm_key, &iv)?;
+
+        let mut plaintext1 = [0u8; 32];
+        let mut plaintext2 = [0u8; 32];
+        let _ = decrypt_cipher_1.decrypt(&ciphertext1, &mut plaintext1)?;
+        let _ = decrypt_cipher_2.decrypt(&ciphertext2, &mut plaintext2)?;
+
+        // TODO: Not have to index into this?
+        let plaintext1 = plaintext1[0];
+        let plaintext2 = plaintext2[0];
+
+        // The sum of the two plaintexts is calculated. The sum is encrypted and sent back to the tenant.
+        let mut sum: Vec<u8> = Vec::new();
+        sum.push(plaintext1 + plaintext2);
+
+        println!("\n{} + {} = {}", plaintext1, plaintext2, sum[0]);
+
+        let mut ciphersum = [0u8; 32];
+        let _ = encrypt_cipher.encrypt(&sum, &mut ciphersum)?;
+        let ciphersum = ciphersum[0];
+
+        to_writer(&mut stream, &ciphersum)?;
+
+        // TODO: This line exits the program after one run. Otherwise, it appears as though the tenant can be run
+        // again, but instead the program just hangs the second time. Why?
+        break;
     }
 
     Ok(())

intel-sgx/attestation-enclave/src/main.rs

@@ -11,3 +11,4 @@ openssl = "0.10.23"
 hex = "0.3.1"
 failure = "0.1.5"
 bufstream = "0.1.4"
+serde_json = "1.0"

intel-sgx/attestation-tenant/Cargo.toml

@@ -54,7 +54,6 @@ impl CertChain {
                 panic!("Invalid issuer relationship in certificate chain.");
             }
         }
-        println!("Issuer relationships in PCK cert chain are valid...");
         Ok(())
     }
 
@@ -85,7 +84,6 @@ impl CertChain {
         // verified.
         context.init(&store, &self.leaf, &chain, |c| c.verify_cert())?;
 
-        println!("Signatures on certificate chain are valid...");
         Ok(())
     }
 }

intel-sgx/attestation-tenant/src/cert_chain.rs

@@ -1,9 +1,10 @@
 use openssl::{
     bn::BigNum,
+    derive::Deriver,
     ec::{EcGroup, EcKey},
     hash::MessageDigest,
     nid::Nid,
-    pkey::{PKey, Public},
+    pkey::{PKey, Private, Public},
     sha,
     sign::Verifier,
 };
@@ -27,37 +28,114 @@ impl Display for HashError {
     }
 }
 
-/// This is a wrapper for an openssl::PKey<Public> value that adds methods to create
-/// the key from raw x and y coordinates and verify a signature and SHA256 hash.
+/// This Key is a wrapper for an openssl::PKey<Public> and openssl::EcKey<Private> key pair
+/// with extra functionality, ex. the PKey can be created from raw x and y coordinates and verify
+/// a signature and SHA256 hash. The curve for all keys is SECP256R1 (known as PRIME256V1).
 pub struct Key {
-    pkey: PKey<Public>,
+    curve: EcGroup,
+    pubkey: PKey<Public>,
+    privkey: Option<EcKey<Private>>,
 }
 
 impl Key {
-    /// This creates a new Key from raw x and y coordinates for the SECP256R1 curve.
+    /// This creates a new public PKey from raw x and y coordinates for the SECP256R1 curve.
+    /// The private key is not known or needed.
     pub fn new_from_xy(xy_coords: &[u8]) -> Result<Self, Box<dyn Error>> {
-        let group = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1)?;
+        // TODO: Is it possible to give the Key a reference to this curve without instantiating it in each
+        // Key instance? Rust doesn't do runtime-generated global variables.
+        let curve = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1)?;
         let mut x: [u8; 32] = Default::default();
         let mut y: [u8; 32] = Default::default();
         x.copy_from_slice(&xy_coords[0..32]);
         y.copy_from_slice(&xy_coords[32..64]);
         let xbn = BigNum::from_slice(&x)?;
         let ybn = BigNum::from_slice(&y)?;
-        let ec_key = EcKey::from_public_key_affine_coordinates(&group, &xbn, &ybn)?;
+        let ec_key = EcKey::from_public_key_affine_coordinates(&curve, &xbn, &ybn)?;
         let pkey = PKey::from_ec_key(ec_key)?;
 
-        Ok(Key { pkey: pkey })
+        Ok(Key {
+            curve: curve,
+            pubkey: pkey,
+            privkey: None,
+        })
+    }
+
+    /// This creates a new public PKey from bytes. This can reconstruct a public key sent
+    /// from an enclave, which uses mbedtls rather than openssl.
+    pub fn new_from_bytes(bytes: &[u8]) -> Result<Self, Box<dyn Error>> {
+        let mut ctx = openssl::bn::BigNumContext::new()?;
+        let curve = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1)?;
+        let pub_ecpoint = openssl::ec::EcPoint::from_bytes(curve.as_ref(), &bytes, &mut *ctx)?;
+        let pub_eckey = openssl::ec::EcKey::from_public_key(curve.as_ref(), pub_ecpoint.as_ref())?;
+        let pub_pkey = openssl::pkey::PKey::from_ec_key(pub_eckey)?;
+
+        Ok(Key {
+            curve: curve,
+            pubkey: pub_pkey,
+            privkey: None,
+        })
     }
 
     /// This creates a new Key from existing PKey value.
     pub fn new_from_pubkey(pkey: PKey<Public>) -> Self {
-        Key { pkey: pkey }
+        Key {
+            curve: EcGroup::from_curve_name(Nid::X9_62_PRIME256V1).unwrap(),
+            pubkey: pkey,
+            privkey: None,
+        }
+    }
+
+    /// This creates a new elliptic curve key pair for the SECP256R1 curve with no other inputs.
+    /// These are then converted to PKeys, which can be used for a DH key exchange according to
+    /// https://github.com/sfackler/rust-openssl/blob/master/openssl/src/pkey.rs#L16. The EcKey type
+    /// as the private key allows the public key to be returned as bytes in return_pubkey_bytes().
+    // TODO: Is this a good curve to use for ECDH keys?
+    pub fn new_pair_secp256r1() -> Result<Self, Box<dyn Error>> {
+        let curve = EcGroup::from_curve_name(Nid::X9_62_PRIME256V1)?;
+        let eckey_priv = EcKey::generate(&curve)?;
+        //let pkey_priv = PKey::from_ec_key(eckey_priv.clone())?;
+        let eckey_pub = EcKey::from_public_key(&curve, eckey_priv.as_ref().public_key())?;
+        let pkey_pub = PKey::from_ec_key(eckey_pub)?;
+        Ok(Key {
+            curve: curve,
+            pubkey: pkey_pub,
+            privkey: Some(eckey_priv),
+        })
+    }
+
+    /// Returns the Key's public key as a PKey<Public>
+    pub fn return_pubkey(&self) -> &PKey<Public> {
+        &self.pubkey
+    }
+
+    /// Returns the Key's public key as bytes. This is useful for transmitting to the enclave, which
+    /// can reconstruct the key with mbedtls.
+    pub fn return_pubkey_bytes(&self) -> Result<Vec<u8>, Box<dyn Error>> {
+        let mut new_ctx = openssl::bn::BigNumContext::new()?;
+        let priv_key = self.privkey.as_ref().unwrap();
+
+        let tenant_pubkey_bytes = priv_key.public_key().to_bytes(
+            &self.curve,
+            openssl::ec::PointConversionForm::UNCOMPRESSED,
+            &mut *new_ctx,
+        )?;
+
+        Ok(tenant_pubkey_bytes)
+    }
+
+    /// DHKE deriving shared secret between self's private key and peer's public key.
+    pub fn derive_shared_secret(&self, peer_key: &PKey<Public>) -> Result<Vec<u8>, Box<dyn Error>> {
+        let ec_priv_key = self.privkey.as_ref().unwrap();
+        let pkey_priv_key = PKey::from_ec_key(ec_priv_key.clone())?;
+        let mut deriver = Deriver::new(pkey_priv_key.as_ref())?;
+        deriver.set_peer(peer_key)?;
+        Ok(deriver.derive_to_vec()?)
     }
 
     /// Given a signature and material that was signed with the Key's PKey value, this
     /// verifies the given signature.
     pub fn verify_sig(&self, signed: &[u8], sig: &Vec<u8>) -> Result<(), Box<dyn Error>> {
-        let mut verifier = Verifier::new(MessageDigest::sha256(), &self.pkey)?;
+        let mut verifier = Verifier::new(MessageDigest::sha256(), &self.pubkey)?;
         verifier.update(signed)?;
         verifier.verify(sig)?;
         Ok(())