Mic.jan03.ias certificates

build/__tools__/clean.sh

@@ -24,10 +24,8 @@ check_python_version
 # -----------------------------------------------------------------
 
 yell --------------- COMMON ---------------
-cd $SRCDIR/common/crypto/verify_ias_report
-rm -f ias-certificates.cpp
-
 cd $SRCDIR/common
+cmake --build build --target clean
 rm -rf build
 
 yell --------------- BIN ---------------

build/cmake/ProjectVariables.cmake

@@ -17,7 +17,7 @@
 ################################################################################
 
 # These options apply to all PDO projects
-ADD_COMPILE_OPTIONS(-m64 -fvisibility=hidden -fpie -fPIC -fstack-protector -Wall)
+ADD_COMPILE_OPTIONS(-m64 -fvisibility=hidden -fpie -fPIC -fstack-protector)
 ADD_COMPILE_OPTIONS($<$<COMPILE_LANGUAGE:CXX>:-std=c++11>)
 
 OPTION(PDO_DEBUG_BUILD "Build with debugging turned on" FALSE)
@@ -35,3 +35,23 @@ ELSE()
   ADD_COMPILE_DEFINITIONS(PDO_DEBUG_BUILD=0)
   MESSAGE(STATUS "Compiling with optimizations (-O2). To use debug flags, set the DEBUG environment variable.")
 ENDIF()
+
+# The verbose build flag allows warning messages
+# to be turned off. This removes a lot of the verbosity
+# of the OpenSSL/SGXSSL deprecation warnings. In general
+# we do not want to ignore those messages to verbose is
+# set to true by default.
+OPTION(PDO_VERBOSE_BUILD "Build with all warnings turned on" TRUE)
+
+IF (DEFINED ENV{PDO_VERBOSE_BUILD})
+  SET(PDO_VERBOSE_BUILD $ENV{PDO_VERBOSE_BUILD})
+ENDIF()
+
+IF (${PDO_VERBOSE_BUILD})
+  ADD_COMPILE_OPTIONS(-Wall)
+ELSE()
+  # this should not be necessary (no -Wall), but make
+  # sure we don't pick up the OpenSSL/SGXSSL deprecation warnings
+  ADD_COMPILE_OPTIONS(-Wno-deprecated)
+  ADD_COMPILE_OPTIONS(-Wno-deprecated-declarations)
+ENDIF()

build/cmake/SGX.cmake

@@ -47,6 +47,8 @@ IF (NOT DEFINED CMAKE_LIBRARY_OUTPUT_DIRECTORY)
   MESSAGE(FATAL_ERROR "CMAKE_LIBRARY_OUTPUTDIRECTORY must be set")
 ENDIF()
 
+SET(IAS_CERTIFICATE_URL "https://certificates.trustedservices.intel.com/Intel_SGX_Attestation_RootCA.pem")
+
 ################################################################################
 # Internal SGX Variables
 ################################################################################

common/CMakeLists.txt

@@ -17,7 +17,7 @@ OPTION(BUILD_UNTRUSTED "Build modules for running with SGX outside an enclave" O
 OPTION(BUILD_CLIENT "Build modules for running clients without SGX" OFF)
 OPTION(BLOCK_STORE_DEBUG "Debug logging for block store operations" OFF)
 
-CMAKE_MINIMUM_REQUIRED(VERSION 3.10 FATAL_ERROR)
+CMAKE_MINIMUM_REQUIRED(VERSION 3.16 FATAL_ERROR)
 FIND_PACKAGE(PkgConfig REQUIRED)
 
 IF (NOT DEFINED ENV{PDO_SOURCE_ROOT})

common/crypto/CMakeLists.txt

@@ -39,18 +39,24 @@ ENDIF()
 # by the client (ias verification requires sgx).
 ################################################################################
 IF (BUILD_TRUSTED OR BUILD_UNTRUSTED)
-  SET(PROJECT_GENERATED_IAS_SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report/ias-certificates.cpp)
+  SET(PROJECT_GENERATED_IAS_SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report/ias-certificates.txt)
   SET_SOURCE_FILES_PROPERTIES(${PROJECT_GENERATED_IAS_SOURCES} PROPERTIES GENERATED TRUE)
+  SET(FETCH_IAS_CERTS ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report/fetch_ias_certificates.sh)
 
   ADD_CUSTOM_COMMAND(
     OUTPUT  ${PROJECT_GENERATED_IAS_SOURCES}
-    COMMAND ./build_ias_certificates_cpp.sh
-    DEPENDS verify_ias_report/ias-certificates.template verify_ias_report/build_ias_certificates_cpp.sh
+    COMMAND ${FETCH_IAS_CERTS} ${IAS_CERTIFICATE_URL} ${PROJECT_GENERATED_IAS_SOURCES}
+    DEPENDS ${FETCH_IAS_CERTS}
     WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report
   )
 
   ADD_CUSTOM_TARGET(generate-ias-files DEPENDS ${PROJECT_GENERATED_IAS_SOURCES})
 
+  SET_PROPERTY(
+    TARGET generate-ias-files
+    APPEND
+    PROPERTY ADDITIONAL_CLEAN_FILES ${PROJECT_GENERATED_IAS_SOURCE})
+
   IF (${SGX_MODE} STREQUAL "HW")
     SET(IAS_CA_CERT_REQUIRED "IAS_CA_CERT_REQUIRED=1")
   ENDIF()

common/crypto/crypto.h

@@ -31,6 +31,5 @@
 #include "skenc.h"
 #if _CLIENT_ONLY_
 #else
-#include "verify_ias_report/ias-certificates.h"
 #include "verify_ias_report/verify-report.h"
 #endif

common/crypto/crypto_shared.h

@@ -14,6 +14,14 @@
  */
 
 #pragma once
+
+#include <memory>
+#include <openssl/bio.h>
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+#include <openssl/ec.h>
+#include <openssl/rsa.h>
+
 namespace pdo
 {
 namespace crypto
@@ -23,5 +31,21 @@ namespace crypto
         // OpenSSL Error string buffer size
         const int ERR_BUF_LEN = 130;
     }
+
+    // Typedefs for memory management
+    // Specify type and destroy function type for unique_ptrs
+    typedef std::unique_ptr<BIGNUM, void (*)(BIGNUM*)> BIGNUM_ptr;
+    typedef std::unique_ptr<BN_CTX, void (*)(BN_CTX*)> BN_CTX_ptr;
+
+    typedef std::unique_ptr<BIO, void (*)(BIO*)> BIO_ptr;
+
+    typedef std::unique_ptr<EVP_CIPHER_CTX, void (*)(EVP_CIPHER_CTX*)> CTX_ptr;
+
+    typedef std::unique_ptr<EC_GROUP, void (*)(EC_GROUP*)> EC_GROUP_ptr;
+    typedef std::unique_ptr<EC_KEY, void (*)(EC_KEY*)> EC_KEY_ptr;
+    typedef std::unique_ptr<EC_POINT, void (*)(EC_POINT*)> EC_POINT_ptr;
+    typedef std::unique_ptr<ECDSA_SIG, void (*)(ECDSA_SIG*)> ECDSA_SIG_ptr;
+
+    typedef std::unique_ptr<RSA, void (*)(RSA*)> RSA_ptr;
 }
 }

common/crypto/pkenc_private_key.cpp

@@ -38,14 +38,6 @@
 namespace pcrypto = pdo::crypto;
 namespace constants = pdo::crypto::constants;
 
-// Typedefs for memory management
-// Specify type and destroy function type for unique_ptrs
-typedef std::unique_ptr<BIO, void (*)(BIO*)> BIO_ptr;
-typedef std::unique_ptr<EVP_CIPHER_CTX, void (*)(EVP_CIPHER_CTX*)> CTX_ptr;
-typedef std::unique_ptr<BN_CTX, void (*)(BN_CTX*)> BN_CTX_ptr;
-typedef std::unique_ptr<BIGNUM, void (*)(BIGNUM*)> BIGNUM_ptr;
-typedef std::unique_ptr<RSA, void (*)(RSA*)> RSA_ptr;
-
 // Error handling
 namespace Error = pdo::error;
 
@@ -54,7 +46,7 @@ namespace Error = pdo::error;
 // throws RuntimeError, ValueError
 RSA* deserializeRSAPrivateKey(const std::string& encoded)
 {
-    BIO_ptr bio(BIO_new_mem_buf(encoded.c_str(), -1), BIO_free_all);
+    pdo::crypto::BIO_ptr bio(BIO_new_mem_buf(encoded.c_str(), -1), BIO_free_all);
     if (!bio)
     {
         std::string msg("Crypto Error (deserializeRSAPrivateKey): Could not create BIO");
@@ -151,9 +143,9 @@ void pcrypto::pkenc::PrivateKey::Generate()
 {
     if (private_key_)
         RSA_free(private_key_);
-    
+
     unsigned long e = RSA_F4;
-    BIGNUM_ptr exp(BN_new(), BN_free);
+    pdo::crypto::BIGNUM_ptr exp(BN_new(), BN_free);
     private_key_ = nullptr;
 
     if (!exp)
@@ -170,7 +162,7 @@ void pcrypto::pkenc::PrivateKey::Generate()
         throw Error::RuntimeError(msg);
     }
 
-    RSA_ptr private_key(RSA_new(), RSA_free);
+    pdo::crypto::RSA_ptr private_key(RSA_new(), RSA_free);
     if (!private_key)
     {
         std::string msg("Crypto  Error (pkenc::PrivateKey()): Could not create new RSA key");
@@ -199,7 +191,7 @@ std::string pcrypto::pkenc::PrivateKey::Serialize() const
         std::string msg("Crypto Error (Serialize): PrivateKey is not initialized");
         throw Error::RuntimeError(msg);
     }
-    BIO_ptr bio(BIO_new(BIO_s_mem()), BIO_free_all);
+    pdo::crypto::BIO_ptr bio(BIO_new(BIO_s_mem()), BIO_free_all);
     if (!bio)
     {
         std::string msg("Crypto Error (Serialize): Could not create BIO\n");

common/crypto/pkenc_public_key.cpp

@@ -38,14 +38,6 @@
 namespace pcrypto = pdo::crypto;
 namespace constants = pdo::crypto::constants;
 
-// Typedefs for memory management
-// Specify type and destroy function type for unique_ptrs
-typedef std::unique_ptr<BIO, void (*)(BIO*)> BIO_ptr;
-typedef std::unique_ptr<EVP_CIPHER_CTX, void (*)(EVP_CIPHER_CTX*)> CTX_ptr;
-typedef std::unique_ptr<BN_CTX, void (*)(BN_CTX*)> BN_CTX_ptr;
-typedef std::unique_ptr<BIGNUM, void (*)(BIGNUM*)> BIGNUM_ptr;
-typedef std::unique_ptr<RSA, void (*)(RSA*)> RSA_ptr;
-
 // Error handling
 namespace Error = pdo::error;
 
@@ -54,7 +46,7 @@ namespace Error = pdo::error;
 // throws RuntimeError, ValueError
 RSA* deserializeRSAPublicKey(const std::string& encoded)
 {
-    BIO_ptr bio(BIO_new_mem_buf(encoded.c_str(), -1), BIO_free_all);
+    pdo::crypto::BIO_ptr bio(BIO_new_mem_buf(encoded.c_str(), -1), BIO_free_all);
     if (!bio)
     {
         std::string msg("Crypto Error (deserializeRSAPublicKey): Could not create BIO");
@@ -174,7 +166,7 @@ std::string pcrypto::pkenc::PublicKey::Serialize() const
         throw Error::RuntimeError(msg);
     }
 
-    BIO_ptr bio(BIO_new(BIO_s_mem()), BIO_free_all);
+    pdo::crypto::BIO_ptr bio(BIO_new(BIO_s_mem()), BIO_free_all);
     if (!bio)
     {
         std::string msg("Crypto Error (Serialize): Could not create BIO");

common/crypto/sig.cpp

@@ -41,18 +41,13 @@ unsigned int pcsig::Key::MaxSigSize() const
 void pcsig::Key::SetSigDetailsFromDeserializedKey()
 {
     int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(key_));
-    if(nid == NID_undef)
-    {
-        std::string msg("Crypto Error (sig::PrivateKey(const std::string& encoded): undefined nid");
-        throw Error::RuntimeError(msg);
-    }
+    Error::ThrowIf<Error::RuntimeError>(
+        nid == NID_undef, "Crypto Error (sig::PrivateKey(const std::string& encoded): undefined nid");
 
     auto mSigCurve = NidToSigCurveMap.find(nid);
-    if(mSigCurve == NidToSigCurveMap.end())
-    {
-        std::string msg("Crypto Error (sig::PrivateKey(const std::string& encoded):unsupported nid: " + nid);
-        throw Error::RuntimeError(msg);
-    }
+    Error::ThrowIf<Error::RuntimeError>(
+        mSigCurve == NidToSigCurveMap.end(),
+        "Crypto Error (sig::PrivateKey(const std::string& encoded):unsupported nid: " + nid);
 
     sigDetails_ = pcsig::SigDetails[static_cast<int>(mSigCurve->second)];
 }

common/crypto/sig.h

@@ -22,6 +22,12 @@
 
 #include "types.h"
 
+// Generally, this should be set in the makefile and provides
+// the default curve when no curve is explicitly set
+#ifndef PDO_DEFAULT_SIGCURVE
+#define PDO_DEFAULT_SIGCURVE SECP384R1
+#endif
+
 namespace pdo
 {
 namespace crypto