From 6dec5341060fba2c5d8d53df32352a7dca40244c Mon Sep 17 00:00:00 2001 From: Mic Bowman Date: Thu, 4 Jan 2024 08:33:29 -0800 Subject: [PATCH] Clean up the configuration of the IAS certificates Replace the template expansion that is causing periodic file corruption errors with a more resilient method for downloading the IAS certificate. This approach removes the template completely and uses a file system move to atomically update the certificate file. Also uses the cmake clean to remove any generated files. We were leaving extra files in the common directory tree. Signed-off-by: Mic Bowman --- build/__tools__/clean.sh | 4 +- build/cmake/SGX.cmake | 2 + common/CMakeLists.txt | 2 +- common/crypto/CMakeLists.txt | 12 +++- common/crypto/crypto.h | 1 - common/crypto/verify_ias_report/.gitignore | 2 +- .../build_ias_certificates_cpp.sh | 49 ------------- .../fetch_ias_certificates.sh | 68 +++++++++++++++++++ .../verify_ias_report/ias-certificates.h | 32 --------- .../ias-certificates.template | 29 -------- .../verify_ias_report/verify-report.cpp | 7 +- .../crypto/verify_ias_report/verify-report.h | 4 +- .../wawaka_wasm/WasmCryptoExtensions.cpp | 1 - common/tests/crypto/testCrypto.cpp | 2 +- 14 files changed, 91 insertions(+), 124 deletions(-) delete mode 100755 common/crypto/verify_ias_report/build_ias_certificates_cpp.sh create mode 100755 common/crypto/verify_ias_report/fetch_ias_certificates.sh delete mode 100644 common/crypto/verify_ias_report/ias-certificates.h delete mode 100644 common/crypto/verify_ias_report/ias-certificates.template diff --git a/build/__tools__/clean.sh b/build/__tools__/clean.sh index 07679ad6..58bce307 100755 --- a/build/__tools__/clean.sh +++ b/build/__tools__/clean.sh 
@@ -24,10 +24,8 @@ check_python_version # ----------------------------------------------------------------- yell --------------- COMMON --------------- -cd $SRCDIR/common/crypto/verify_ias_report -rm -f ias-certificates.cpp - cd $SRCDIR/common +cmake --build build --target clean rm -rf build yell --------------- BIN --------------- diff --git a/build/cmake/SGX.cmake b/build/cmake/SGX.cmake index 78701653..f9b3665e 100644 --- a/build/cmake/SGX.cmake +++ b/build/cmake/SGX.cmake @@ -47,6 +47,8 @@ IF (NOT DEFINED CMAKE_LIBRARY_OUTPUT_DIRECTORY) MESSAGE(FATAL_ERROR "CMAKE_LIBRARY_OUTPUTDIRECTORY must be set") ENDIF() +SET(IAS_CERTIFICATE_URL "https://certificates.trustedservices.intel.com/Intel_SGX_Attestation_RootCA.pem") + ################################################################################ # Internal SGX Variables ################################################################################ diff --git a/common/CMakeLists.txt b/common/CMakeLists.txt index 1de70597..be521335 100644 --- a/common/CMakeLists.txt +++ b/common/CMakeLists.txt @@ -17,7 +17,7 @@ OPTION(BUILD_UNTRUSTED "Build modules for running with SGX outside an enclave" O OPTION(BUILD_CLIENT "Build modules for running clients without SGX" OFF) OPTION(BLOCK_STORE_DEBUG "Debug logging for block store operations" OFF) -CMAKE_MINIMUM_REQUIRED(VERSION 3.10 FATAL_ERROR) +CMAKE_MINIMUM_REQUIRED(VERSION 3.16 FATAL_ERROR) FIND_PACKAGE(PkgConfig REQUIRED) IF (NOT DEFINED ENV{PDO_SOURCE_ROOT}) diff --git a/common/crypto/CMakeLists.txt b/common/crypto/CMakeLists.txt index 0397d1fd..42b712d1 100644 --- a/common/crypto/CMakeLists.txt +++ b/common/crypto/CMakeLists.txt 
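Review bot: The new `cmake --build build --target clean` line in clean.sh errors out whenever `common/build` does not exist — a fresh checkout, or any second run of clean.sh after the `rm -rf build` that follows it — and if the script runs under `set -e` or an aborting trap (not visible here) that stops the rest of the clean. Guarding it keeps the clean idempotent: `test -d build && cmake --build build --target clean`. This also only removes the generated file if the `ADDITIONAL_CLEAN_FILES` entry in common/crypto/CMakeLists.txt actually registers it, which in this patch it does not (see that hunk).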
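Review bot: `SET(IAS_CERTIFICATE_URL "https://...")` in SGX.cmake is a plain normal variable, so a `-DIAS_CERTIFICATE_URL=...` given on the command line is shadowed and a mirrored or air-gapped build cannot point the download at an internal copy without editing the file. Since the fetched file becomes the attestation root of trust, making it a documented cache entry, `SET(IAS_CERTIFICATE_URL "https://certificates.trustedservices.intel.com/Intel_SGX_Attestation_RootCA.pem" CACHE STRING "URL of the Intel SGX Attestation root CA certificate")`, lets builds override it deliberately and visibly in the cache rather than by patching SGX.cmake.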
@@ -39,18 +39,24 @@ ENDIF() # by the client (ias verification requires sgx). ################################################################################ IF (BUILD_TRUSTED OR BUILD_UNTRUSTED) - SET(PROJECT_GENERATED_IAS_SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report/ias-certificates.cpp) + SET(PROJECT_GENERATED_IAS_SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report/ias-certificates.txt) SET_SOURCE_FILES_PROPERTIES(${PROJECT_GENERATED_IAS_SOURCES} PROPERTIES GENERATED TRUE) + SET(FETCH_IAS_CERTS ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report/fetch_ias_certificates.sh) ADD_CUSTOM_COMMAND( OUTPUT ${PROJECT_GENERATED_IAS_SOURCES} - COMMAND ./build_ias_certificates_cpp.sh - DEPENDS verify_ias_report/ias-certificates.template verify_ias_report/build_ias_certificates_cpp.sh + COMMAND ${FETCH_IAS_CERTS} ${IAS_CERTIFICATE_URL} ${PROJECT_GENERATED_IAS_SOURCES} + DEPENDS ${FETCH_IAS_CERTS} WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report ) ADD_CUSTOM_TARGET(generate-ias-files DEPENDS ${PROJECT_GENERATED_IAS_SOURCES}) + SET_PROPERTY( + TARGET generate-ias-files + APPEND + PROPERTY ADDITIONAL_CLEAN_FILES ${PROJECT_GENERATED_IAS_SOURCE}) + IF (${SGX_MODE} STREQUAL "HW") SET(IAS_CA_CERT_REQUIRED "IAS_CA_CERT_REQUIRED=1") ENDIF() diff --git a/common/crypto/crypto.h b/common/crypto/crypto.h index f23b9c34..2ebca147 100644 --- a/common/crypto/crypto.h +++ b/common/crypto/crypto.h @@ -31,6 +31,5 @@ #include "skenc.h" #if _CLIENT_ONLY_ #else -#include "verify_ias_report/ias-certificates.h" #include "verify_ias_report/verify-report.h" #endif diff --git a/common/crypto/verify_ias_report/.gitignore b/common/crypto/verify_ias_report/.gitignore index 7979a60c..00a145a5 100644 --- a/common/crypto/verify_ias_report/.gitignore +++ b/common/crypto/verify_ias_report/.gitignore @@ -1 +1 @@ -ias-certificates.cpp +ias-certificates.txt 
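Review bot: `ADDITIONAL_CLEAN_FILES ${PROJECT_GENERATED_IAS_SOURCE}` names a variable that is never set — the output is `PROJECT_GENERATED_IAS_SOURCES` (plural, defined a few lines above in the same hunk) — so the property appends an empty list and the `cmake --build build --target clean` that clean.sh now relies on still leaves ias-certificates.txt behind; the fix is `PROPERTY ADDITIONAL_CLEAN_FILES ${PROJECT_GENERATED_IAS_SOURCES})`. The generated file is also still written into the source tree; generating into `${CMAKE_CURRENT_BINARY_DIR}` (with that directory added to the include path of the target that compiles verify-report.cpp) would make both the clean entry and the .gitignore change unnecessary. `DEPENDS ${FETCH_IAS_CERTS}` is the only input listed, but the output also depends on `${IAS_CERTIFICATE_URL}` and on the `SGX_MODE` environment the script reads, so changing either leaves a stale certificate file until the script itself is touched. The `ADD_CUSTOM_COMMAND` should also carry `VERBATIM` so the URL argument is quoted portably.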
diff --git a/common/crypto/verify_ias_report/build_ias_certificates_cpp.sh b/common/crypto/verify_ias_report/build_ias_certificates_cpp.sh
deleted file mode 100755
index a36af612..00000000
--- a/common/crypto/verify_ias_report/build_ias_certificates_cpp.sh
+++ /dev/null
@@ -1,49 +0,0 @@ -#!/bin/bash - -# Copyright 2018 Intel Corporation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# if we are not running in hardware mode then we can just copy -# the simulator version and use it - -if [ -f ias-certificates.cpp ]; then rm ias-certificates.cpp; fi - -if [ "${SGX_MODE}" != "HW" ]; then - cp ias-certificates.template ias-certificates.cpp || exit 1 - # Note: use cp instead of ln or ln -s so timestamps work properly for dependencies in makefile - exit 0 -fi - -Cleanup () { - echo "Cleaning up" - rm ias-certificates.cpp.tmp -f - rm Intel_SGX_Attestation_RootCA.pem -f -} - -trap 'echo "**ERROR - line $LINENO**"; Cleanup; exit 1' HUP INT QUIT PIPE TERM ERR - -#get certificate from Intel -wget https://certificates.trustedservices.intel.com/Intel_SGX_Attestation_RootCA.pem -test -e Intel_SGX_Attestation_RootCA.pem -echo "Certificate downloaded" - -echo "" -echo -n "Building ias-certificates.cpp ... " -#replace the placemark in the template with the der certificate -sed -e '/IAS_REPORT_SIGNING_CA_CERT_PEM_PLACEMARK/ r ./Intel_SGX_Attestation_RootCA.pem' -e 's/IAS_REPORT_SIGNING_CA_CERT_PEM_PLACEMARK//' < ias-certificates.template > ias-certificates.cpp -test -e ias-certificates.cpp -echo "done" - -Cleanup -exit 0 diff --git a/common/crypto/verify_ias_report/fetch_ias_certificates.sh b/common/crypto/verify_ias_report/fetch_ias_certificates.sh new file mode 100755 index 00000000..dd2918eb --- /dev/null 
+++ b/common/crypto/verify_ias_report/fetch_ias_certificates.sh 
@@ -0,0 +1,68 @@ +#!/bin/bash +# Copyright 2023 Intel Corporation +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This script sets up the IAS root certificate for inclusing in the +# verification module. +# +# Two parameters: +# $1 -- the URL where the IAS certificate can be retrieved +# $2 -- the file where the certificate should be written + +# ----------------------------------------------------------------- +# ----------------------------------------------------------------- +source ${PDO_SOURCE_ROOT}/bin/lib/common.sh + +IAS_CERTIFICATE_URL=$1 + +# ----------------------------------------------------------------- +# set up the temporary files +# ----------------------------------------------------------------- +SAVE_FILE=$(mktemp /tmp/pdo-ias-certificate.XXXXXXXXX) +STRING_FILE=$(mktemp /tmp/pdo-ias-certificate-string.XXXXXXXXX) + +function cleanup { + rm -f ${SAVE_FILE} ${STRING_FILE} +} + +trap 'echo "**ERROR - line $LINENO**"; cleanup; exit 1' HUP INT QUIT PIPE TERM ERR + +# If there is no requirement for HW support, then we don't need +# a valid certificate; just generate a dummy string +if [ "${SGX_MODE}" != "HW" ]; then + echo 'R"IASCERT(' > ${STRING_FILE} + echo 'NO CERTIFICATE REQUIRED' >> ${STRING_FILE} + echo ')IASCERT"' >> ${STRING_FILE} + + try mv ${STRING_FILE} $2 +fi + +# ----------------------------------------------------------------- +# get the certificate and format it as needed +# 
----------------------------------------------------------------- + +# This is a small hack to make the script work for people +# who would otherwise attempt to retrieve the certficiates +# without a proxy server +if [ "${PDO_FORCE_IAS_PROXY}" == "true" ]; then + try curl --noproxy '' --retry 3 --max-time 10 -sL --output ${SAVE_FILE} ${IAS_CERTIFICATE_URL} +else + try curl --retry 3 --max-time 10 -sL --output ${SAVE_FILE} ${IAS_CERTIFICATE_URL} +fi + +echo 'R"IASCERT(' > ${STRING_FILE} +cat ${SAVE_FILE} >> ${STRING_FILE} +echo ')IASCERT"' >> ${STRING_FILE} + +try mv ${STRING_FILE} $2 diff --git a/common/crypto/verify_ias_report/ias-certificates.h b/common/crypto/verify_ias_report/ias-certificates.h deleted file mode 100644 index 85166334..00000000 --- a/common/crypto/verify_ias_report/ias-certificates.h +++ /dev/null @@ -1,32 +0,0 @@ -/* Copyright 2018 Intel Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifndef IAS_CA_CERT_H -#define IAS_CA_CERT_H - -//IAS attestation verification report signing certification authority certificate -/* -This certificate is the root of trust for enclave attestation verification. -This is in PEM format of the SGX root certificate as can be downloaded from -https://software.intel.com/sites/default/files/managed/7b/de/RK_PUB.zip -*/ -#ifdef __cplusplus -extern "C" { -#endif -extern const char ias_report_signing_ca_cert_pem[]; -#ifdef __cplusplus -} -#endif -#endif 
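Review bot: The `SGX_MODE != HW` branch falls through after `try mv ${STRING_FILE} $2` — there is no `exit 0` as there was in build_ias_certificates_cpp.sh — so a simulator build still runs the `curl` download, overwrites the placeholder with whatever is fetched, and fails outright when the build host has no route to the URL. The move is also not the atomic update the commit message describes: the temporaries come from `mktemp /tmp/...`, and when /tmp is a different filesystem from the destination `mv` degrades to copy-then-unlink, leaving a window in which a concurrent compile of verify-report.cpp sees a partial ias-certificates.txt; creating the temporaries in `$(dirname "$2")` keeps the final `mv` a same-filesystem rename. `curl -sL` without `--fail` writes an HTTP error body into `${SAVE_FILE}`, which is then embedded as the attestation root of trust, and nothing checks that the bytes are a certificate at all; `--fail` plus an `openssl x509 -noout` parse (and, ideally, a comparison of the SHA-256 fingerprint against a value pinned in the build configuration) would catch a substituted or truncated download at build time rather than at first attestation. Finally `cleanup` is never called on the success path, so `${SAVE_FILE}` leaks in /tmp on every HW build, and `$2`, `${SAVE_FILE}` and `${STRING_FILE}` should be quoted.
```bash
# … unchanged: license header, common.sh sourcing …
IAS_CERTIFICATE_URL=$1
IAS_CERTIFICATE_FILE=$2

# temporaries live next to the destination so the final mv is a
# same-filesystem rename; /tmp is frequently a different filesystem
IAS_CERTIFICATE_DIR=$(dirname "${IAS_CERTIFICATE_FILE}")
SAVE_FILE=$(mktemp "${IAS_CERTIFICATE_DIR}/.pdo-ias-certificate.XXXXXXXXX")
STRING_FILE=$(mktemp "${IAS_CERTIFICATE_DIR}/.pdo-ias-certificate-string.XXXXXXXXX")

# … unchanged: cleanup function and trap …

if [ "${SGX_MODE}" != "HW" ]; then
    # … unchanged: write the 'NO CERTIFICATE REQUIRED' raw string into STRING_FILE …
    try mv "${STRING_FILE}" "${IAS_CERTIFICATE_FILE}"
    cleanup
    exit 0
fi

# … unchanged: proxy selection; add --fail to both curl invocations, e.g. …
try curl --fail --retry 3 --max-time 10 -sL --output "${SAVE_FILE}" "${IAS_CERTIFICATE_URL}"

# refuse anything that does not parse as a certificate: these bytes become
# the root of trust for attestation verification
try openssl x509 -in "${SAVE_FILE}" -noout

# … unchanged: wrap SAVE_FILE in the raw string literal …
try mv "${STRING_FILE}" "${IAS_CERTIFICATE_FILE}"
cleanup
```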
diff --git a/common/crypto/verify_ias_report/ias-certificates.template b/common/crypto/verify_ias_report/ias-certificates.template deleted file mode 100644 index 33ca37c7..00000000 --- a/common/crypto/verify_ias_report/ias-certificates.template +++ /dev/null @@ -1,29 +0,0 @@ -/* Copyright 2018 Intel Corporation - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#ifdef __cplusplus -extern "C" { -#endif -extern const char ias_report_signing_ca_cert_pem[] = -#ifdef IAS_CA_CERT_REQUIRED -R"MLT(IAS_REPORT_SIGNING_CA_CERT_PEM_PLACEMARK -)MLT" -#else - "NO SUCH CA CERTIFICATE" -#endif -; -#ifdef __cplusplus -} -#endif diff --git a/common/crypto/verify_ias_report/verify-report.cpp b/common/crypto/verify_ias_report/verify-report.cpp index 6d731a41..5c42641a 100644 --- a/common/crypto/verify_ias_report/verify-report.cpp +++ b/common/crypto/verify_ias_report/verify-report.cpp @@ -22,9 +22,12 @@ #include #include "c11_support.h" -#include "ias-certificates.h" #include "parson.h" +const char* const ias_report_signing_ca_cert_pem = +#include "ias-certificates.txt" + ; + //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< //########### INTERNAL FUNCTIONS ######################################### //######################################################################## 
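Review bot: `const char* const ias_report_signing_ca_cert_pem = …` at namespace scope in a C++ translation unit has internal linkage unless an `extern` declaration precedes it; the hunk shows only one system header, "c11_support.h" and "parson.h" included above it, so if "verify-report.h" is not included earlier in the file (the lines before the hunk are not visible) the symbol that testCrypto.cpp now reaches through verify-report.h will be unresolved at link time. Writing the definition as `extern const char* const ias_report_signing_ca_cert_pem =` removes the dependence on include order. Separately, the contents of ias-certificates.txt are chosen by fetch_ias_certificates.sh from the `SGX_MODE` environment variable, while `IAS_CA_CERT_REQUIRED` is set from the CMake `SGX_MODE` variable in common/crypto/CMakeLists.txt; if the two disagree, an HW build embeds the `NO CERTIFICATE REQUIRED` placeholder as its root of trust and every chain verification then fails at run time rather than the build failing, so both should be derived from the same value or checked against each other at build time.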
@@ -211,7 +214,7 @@ verify_status_t verify_ias_report_signature(const char* ias_attestation_signing_ return VERIFY_FAILURE; } -verify_status_t verify_ias_certificate_chain(const char* cert_pem) +verify_status_t verify_ias_certificate_chain(const char* const cert_pem) #ifndef IAS_CA_CERT_REQUIRED { return VERIFY_FAILURE; // fail (conservative approach for simulator-mode and in absence of CA diff --git a/common/crypto/verify_ias_report/verify-report.h b/common/crypto/verify_ias_report/verify-report.h index 267a1a54..d6ad1611 100644 --- a/common/crypto/verify_ias_report/verify-report.h +++ b/common/crypto/verify_ias_report/verify-report.h @@ -18,6 +18,8 @@ #include +extern const char* const ias_report_signing_ca_cert_pem; + typedef enum { VERIFY_SUCCESS, @@ -52,7 +54,7 @@ verify_status_t verify_enclave_quote_status(const char* ias_report, unsigned int ias_report_len, unsigned int quote_status_flags); verify_status_t verify_ias_certificate_chain(const char* cert_pem); -verify_status_t verify_ias_report_signature(const char* ias_attestation_signing_cert_pem, +verify_status_t verify_ias_report_signature(const char* const ias_attestation_signing_cert_pem, const char* ias_report, const unsigned int ias_report_len, const char* ias_signature, diff --git a/common/interpreter/wawaka_wasm/WasmCryptoExtensions.cpp b/common/interpreter/wawaka_wasm/WasmCryptoExtensions.cpp index 13f1781b..9a4e3b8a 100644 --- a/common/interpreter/wawaka_wasm/WasmCryptoExtensions.cpp +++ b/common/interpreter/wawaka_wasm/WasmCryptoExtensions.cpp @@ -24,7 +24,6 @@ #include "packages/parson/parson.h" #include "crypto.h" -#include "crypto/verify_ias_report/ias-certificates.h" #include "error.h" #include "jsonvalue.h" #include "log.h" diff --git a/common/tests/crypto/testCrypto.cpp b/common/tests/crypto/testCrypto.cpp index 917442b2..e47a67fa 100644 --- a/common/tests/crypto/testCrypto.cpp +++ b/common/tests/crypto/testCrypto.cpp 
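Review bot: The definition of `verify_ias_certificate_chain` now takes `const char* const cert_pem` while the unchanged prototype in verify-report.h (visible as context in its second hunk) still says `const char* cert_pem`; top-level `const` on a by-value parameter is not part of the function type, so this compiles, but the two should read the same to avoid a reviewer chasing a phantom signature change. For the same reason the `const` added to the `verify_ias_report_signature` prototype in the header has no effect on callers or the ABI; keep it only if the definition is written the same way, otherwise drop it from the declaration.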
@@ -21,7 +21,7 @@ #include "c11_support.h" #include "crypto.h" -#include "crypto/verify_ias_report/ias-certificates.h" +#include "crypto/verify_ias_report/verify-report.h" #include "error.h" #include "log.h" #include "packages/parson/parson.h"