SKALE-3170-backup-keys

20466b87 · kladko · bdb3bd1c · 20466b87 · 20466b87
Unverified Commit 20466b87 authored Aug 26, 2020 by kladko
Hide whitespace changes
Inline Side-by-side

Showing with 183 additions and 171 deletions

SEKManager.cpp SEKManager.cpp +182 -170

sgxwall.cpp sgxwall.cpp +1 -1

No files found.
--- a/SEKManager.cpp
+++ b/SEKManager.cpp
@@ -37,127 +37,129 @@
 #include "ServerDataChecker.h"
 #include "third_party/spdlog/spdlog.h"

+using namespace std;
+
 bool case_insensitive_match(string s1, string s2) {
-  //convert s1 and s2 into lower case strings
-  transform(s1.begin(), s1.end(), s1.begin(), ::tolower);
-  transform(s2.begin(), s2.end(), s2.begin(), ::tolower);
-  return s1.compare(s2);
+    //convert s1 and s2 into lower case strings
+    transform(s1.begin(), s1.end(), s1.begin(), ::tolower);
+    transform(s2.begin(), s2.end(), s2.begin(), ::tolower);
+    return s1.compare(s2);
 }

 void create_test_key() {
-  int errStatus =  0;
-  vector<char> errMsg(1024,0);
-  uint32_t enc_len;
+    int errStatus = 0;
+    vector<char> errMsg(1024, 0);
+    uint32_t enc_len;

-  uint8_t encrypted_key[BUF_LEN];
-  memset(encrypted_key, 0, BUF_LEN);
+    uint8_t encrypted_key[BUF_LEN];
+    memset(encrypted_key, 0, BUF_LEN);

-  std::string key = TEST_VALUE;
+    string key = TEST_VALUE;

-  status = trustedEncryptKeyAES(eid, &errStatus, errMsg.data(), key.c_str(), encrypted_key, &enc_len);
-  if ( status != SGX_SUCCESS ) {
-    std::cerr << "encrypt test key failed with status " << status << std::endl;
-    throw SGXException(status, errMsg.data()) ;
-  }
+    status = trustedEncryptKeyAES(eid, &errStatus, errMsg.data(), key.c_str(), encrypted_key, &enc_len);
+    if (status != SGX_SUCCESS) {
+        cerr << "encrypt test key failed with status " << status << endl;
+        throw SGXException(status, errMsg.data());
+    }

-  if ( errStatus != 0 ) {
-    std::cerr << "encrypt test key failed with status " << errStatus << std::endl;
-    throw SGXException(errStatus, errMsg.data()) ;
-  }
+    if (errStatus != 0) {
+        cerr << "encrypt test key failed with status " << errStatus << endl;
+        throw SGXException(errStatus, errMsg.data());
+    }

-  vector<char> hexEncrKey(2 * enc_len + 1, 0);
+    vector<char> hexEncrKey(2 * enc_len + 1, 0);

-  carray2Hex(encrypted_key, enc_len, hexEncrKey.data());
+    carray2Hex(encrypted_key, enc_len, hexEncrKey.data());

-  uint64_t test_len;
-  vector<uint8_t>test_encr_key(1024, 0);
-  if (!hex2carray(hexEncrKey.data(), &test_len, test_encr_key.data())) {
-    std::cerr << "wrong encrypted test key" << std::endl;
-  }
+    uint64_t test_len;
+    vector <uint8_t> test_encr_key(1024, 0);
+    if (!hex2carray(hexEncrKey.data(), &test_len, test_encr_key.data())) {
+        cerr << "wrong encrypted test key" << endl;
+    }

-  LevelDB::getLevelDb() -> writeDataUnique("TEST_KEY", hexEncrKey.data());
+    LevelDB::getLevelDb()->writeDataUnique("TEST_KEY", hexEncrKey.data());
 }


 #include <experimental/filesystem>

-bool check_SEK(const std::string& SEK) {
-  std::shared_ptr <std::string> test_key_ptr = LevelDB::getLevelDb() -> readString("TEST_KEY");
-  vector<uint8_t> encr_test_key(BUF_LEN, 0);
-  uint64_t len;
-  if (!hex2carray(test_key_ptr->c_str(), &len, encr_test_key.data())) {
-    spdlog::error("wrong test key" );
-    exit(-1);
-  }
-
-  vector<char> decr_key(1024,0);
-  vector<char> errMsg(1024,0);
-  int err_status = 0;
-
-  vector<uint8_t> encr_SEK(1024,0);
-
-  uint32_t l = len;
-
-  status = trustedSetSEK_backup(eid, &err_status, errMsg.data(), encr_SEK.data(), &l, SEK.c_str() );
-  if (status != SGX_SUCCESS) {
-    cerr << "RPCException thrown with status " << status << endl;
-    throw SGXException(status, errMsg.data());
-  }
-
-  if ( err_status != 0 ) {
-    cerr << "RPCException thrown with status " << err_status << endl;
-    throw SGXException(err_status, errMsg.data());
-  }
-
-  status = trustedDecryptKeyAES(eid, &err_status, errMsg.data(), encr_test_key.data(), len, decr_key.data());
-  if (status != SGX_SUCCESS || err_status != 0) {
-    spdlog::error("failed to decrypt test key" );
-    spdlog::error(errMsg.data());
-    exit(-1);
-  }
-
-  std::string test_key = TEST_VALUE;
-  if (test_key.compare(decr_key.data()) != 0) {
-    std::cerr << "decrypted key is " << decr_key.data() << std::endl;
-    spdlog::error("Invalid SEK" );
-    return false;
-  }
-  return true;
+bool check_SEK(const string &SEK) {
+    shared_ptr <string> test_key_ptr = LevelDB::getLevelDb()->readString("TEST_KEY");
+    vector <uint8_t> encr_test_key(BUF_LEN, 0);
+    uint64_t len;
+    if (!hex2carray(test_key_ptr->c_str(), &len, encr_test_key.data())) {
+        spdlog::error("wrong test key");
+        exit(-1);
+    }
+
+    vector<char> decr_key(1024, 0);
+    vector<char> errMsg(1024, 0);
+    int err_status = 0;
+
+    vector <uint8_t> encr_SEK(1024, 0);
+
+    uint32_t l = len;
+
+    status = trustedSetSEK_backup(eid, &err_status, errMsg.data(), encr_SEK.data(), &l, SEK.c_str());
+    if (status != SGX_SUCCESS) {
+        cerr << "RPCException thrown with status " << status << endl;
+        throw SGXException(status, errMsg.data());
+    }
+
+    if (err_status != 0) {
+        cerr << "RPCException thrown with status " << err_status << endl;
+        throw SGXException(err_status, errMsg.data());
+    }
+
+    status = trustedDecryptKeyAES(eid, &err_status, errMsg.data(), encr_test_key.data(), len, decr_key.data());
+    if (status != SGX_SUCCESS || err_status != 0) {
+        spdlog::error("failed to decrypt test key");
+        spdlog::error(errMsg.data());
+        exit(-1);
+    }
+
+    string test_key = TEST_VALUE;
+    if (test_key.compare(decr_key.data()) != 0) {
+        cerr << "decrypted key is " << decr_key.data() << endl;
+        spdlog::error("Invalid SEK");
+        return false;
+    }
+    return true;
 }

 void gen_SEK() {
-  vector<char> errMsg(1024,0);
-  int err_status = 0;
-  vector<uint8_t> encr_SEK(1024, 0);
-  uint32_t enc_len = 0;
+    vector<char> errMsg(1024, 0);
+    int err_status = 0;
+    vector <uint8_t> encr_SEK(1024, 0);
+    uint32_t enc_len = 0;

-  char SEK[65];
-  memset(SEK, 0, 65);
+    char SEK[65];
+    memset(SEK, 0, 65);

-  spdlog::error("Generating backup key. Will be stored in backup_key.txt ... " );
+    spdlog::error("Generating backup key. Will be stored in backup_key.txt ... ");

-  status = trustedGenerateSEK(eid, &err_status, errMsg.data(), encr_SEK.data(), &enc_len, SEK);
+    status = trustedGenerateSEK(eid, &err_status, errMsg.data(), encr_SEK.data(), &enc_len, SEK);

-  if ( status != SGX_SUCCESS ) {
-    throw SGXException(status, errMsg.data()) ;
-  }
+    if (status != SGX_SUCCESS) {
+        throw SGXException(status, errMsg.data());
+    }

-  if ( err_status != 0 ) {
-    throw SGXException(err_status, errMsg.data()) ;
-  }
+    if (err_status != 0) {
+        throw SGXException(err_status, errMsg.data());
+    }

-    if ( strnlen(SEK,33) != 32) {
-        throw SGXException(-1, "strnlen(SEK,33) != 32" ) ;
+    if (strnlen(SEK, 33) != 32) {
+        throw SGXException(-1, "strnlen(SEK,33) != 32");
    }

-  vector<char> hexEncrKey(2 * enc_len + 1, 0);
+    vector<char> hexEncrKey(2 * enc_len + 1, 0);

-  carray2Hex(encr_SEK.data(), enc_len, hexEncrKey.data());
+    carray2Hex(encr_SEK.data(), enc_len, hexEncrKey.data());

-  std::ofstream sek_file("backup_key.txt");
-  sek_file.clear();
-  
-  sek_file << SEK;
+    ofstream sek_file("backup_key.txt");
+    sek_file.clear();
+
+    sek_file << SEK;


    cout << "ATTENTION! YOUR BACKUP KEY HAS BEEN WRITTEN INTO sgx_data/backup_key.txt \n" <<
@@ -165,103 +167,113 @@ void gen_SEK() {
         "apt-get install secure-delete && srm -vz sgx_data/backup_key.txt" << endl;


+    if (!autoconfirm) {
+        string confirm_str = "I confirm";
+        string buffer;
+        do {
+            cout << " DO YOU CONFIRM THAT YOU COPIED THE KEY? (if you confirm type - I confirm)"
+                 << endl;
+            getline(cin, buffer);
+        } while (case_insensitive_match(confirm_str, buffer));
+    }


-    if (!autoconfirm) {
-    std::string confirm_str = "I confirm";
-    std::string buffer;
-    do {
-      std::cout << " DO YOU CONFIRM THAT YOU COPIED THE KEY? (if you confirm type - I confirm)"
-                << std::endl;
-      std::getline(std::cin, buffer);
-    } while (case_insensitive_match(confirm_str, buffer));
-  }
+    LevelDB::getLevelDb()->writeDataUnique("SEK", hexEncrKey.data());

+    create_test_key();
+}

+void trustedSetSEK(shared_ptr <string> hex_encr_SEK) {
+    vector<char> errMsg(1024, 0);
+    int err_status = 0;

+    uint8_t encr_SEK[BUF_LEN];
+    memset(encr_SEK, 0, BUF_LEN);

-  LevelDB::getLevelDb()->writeDataUnique("SEK", hexEncrKey.data());
+    uint64_t len;

-  create_test_key();
+    if (!hex2carray(hex_encr_SEK->c_str(), &len, encr_SEK)) {
+        throw SGXException(INVALID_HEX, "Invalid encrypted SEK Hex");
+    }
+
+    status = trustedSetSEK(eid, &err_status, errMsg.data(), encr_SEK);
+    if (status != SGX_SUCCESS) {
+        cerr << "RPCException thrown" << endl;
+        throw SGXException(status, errMsg.data());
+    }
+
+    if (err_status != 0) {
+        cerr << "RPCException thrown" << endl;
+        throw SGXException(err_status, errMsg.data());
+    }
 }

-void trustedSetSEK(std::shared_ptr<std::string> hex_encr_SEK) {
-  vector<char> errMsg(1024,0);
-  int err_status = 0;
+void enter_SEK() {
+    vector<char> errMsg(1024, 0);
+    int err_status = 0;
+    vector <uint8_t> encr_SEK(BUF_LEN, 0);
+    uint32_t enc_len;
+
+    shared_ptr <string> test_key_ptr = LevelDB::getLevelDb()->readString("TEST_KEY");
+    if (test_key_ptr == nullptr) {
+        spdlog::error("empty db");
+        exit(-1);
+    }

-  uint8_t encr_SEK[BUF_LEN];
-  memset(encr_SEK, 0, BUF_LEN);
+    ifstream sek_file("sgx_data/backup_key.txt");

-  uint64_t len;
+    string SEK;
+    sek_file >> SEK;
+    spdlog::info("Reading backup key from file ...");
+    cin >> SEK;
+    while (!checkHex(SEK, 16) || !check_SEK(SEK)) {
+        spdlog::error("Invalid key");
+        throw SGXException(-1, "Invalid key");
+    }

-  if (!hex2carray(hex_encr_SEK->c_str(), &len, encr_SEK)) {
-    throw SGXException(INVALID_HEX, "Invalid encrypted SEK Hex");
-  }
+    spdlog::info("Setting backup key ...");

-  status = trustedSetSEK(eid, &err_status, errMsg.data(), encr_SEK );
-  if ( status != SGX_SUCCESS ) {
-    cerr << "RPCException thrown" << endl;
-    throw SGXException(status, errMsg.data()) ;
-  }
+    status = trustedSetSEK_backup(eid, &err_status, errMsg.data(), encr_SEK.data(), &enc_len, SEK.c_str());
+    if (status != SGX_SUCCESS) {
+        spdlog::error("RPCException thrown with status {}", status);
+        throw SGXException(status, errMsg.data());
+    }

-  if ( err_status != 0 ) {
-    cerr << "RPCException thrown" << endl;
-    throw SGXException(err_status, errMsg.data()) ;
-  }
-}
+    if (err_status != 0) {
+        cerr << "RPCException thrown" << endl;
+        throw SGXException(err_status, errMsg.data());
+    }

-void enter_SEK() {
-  vector<char> errMsg(1024,0);
-  int err_status = 0;
-  vector<uint8_t> encr_SEK(BUF_LEN, 0);
-  uint32_t enc_len;
-
-  std::shared_ptr <std::string> test_key_ptr = LevelDB::getLevelDb() -> readString("TEST_KEY");
-  if (test_key_ptr == nullptr) {
-    spdlog::error("empty db" );
-    exit(-1);
-  }
-
-  std::string SEK;
-  std::cout << "ENTER BACKUP KEY" << std::endl;
-  std::cin >> SEK;
-  while (!checkHex(SEK, 16) || !check_SEK(SEK)) {
-    std::cout << "KEY IS INVALID.TRY ONCE MORE" << std::endl;
-    SEK = "";
-    std::cin >> SEK;
-  }
-
-  status = trustedSetSEK_backup(eid, &err_status, errMsg.data(), encr_SEK.data(), &enc_len, SEK.c_str());
-  if (status != SGX_SUCCESS) {
-    cerr << "RPCException thrown with status " << status << endl;
-    throw SGXException(status, errMsg.data());
-  }
-
-  if ( err_status != 0 ) {
-    cerr << "RPCException thrown" << endl;
-    throw SGXException(err_status, errMsg.data()) ;
-  }
-
-  vector<char> hexEncrKey(2 * enc_len + 1, 0);
-
-  carray2Hex(encr_SEK.data(), enc_len, hexEncrKey.data());
-
-  LevelDB::getLevelDb() -> deleteKey("SEK");
-  LevelDB::getLevelDb() -> writeDataUnique("SEK", hexEncrKey.data());
+
+
+    vector<char> hexEncrKey(2 * enc_len + 1, 0);
+
+    carray2Hex(encr_SEK.data(), enc_len, hexEncrKey.data());
+
+
+    spdlog::info("Got sealed storage encryption key.");
+
+    LevelDB::getLevelDb()->deleteKey("SEK");
+
+    spdlog::info("Storing sealed storage encryption key in LevelDB ...");
+
+    LevelDB::getLevelDb()->writeDataUnique("SEK", hexEncrKey.data());
+
+    spdlog::info("Stored storage encryption key in LevelDB.");
 }

 void initSEK() {
-  std::shared_ptr<std::string> encr_SEK_ptr = LevelDB::getLevelDb()->readString("SEK");
-  if (enterBackupKey) {
-    enter_SEK();
-  } else {
-      if (encr_SEK_ptr == nullptr) {
-          spdlog::warn("SEK was not created yet. Going to create SEK");
-          gen_SEK();
-      } else {
-          trustedSetSEK(encr_SEK_ptr);
-      }
-  }
+    shared_ptr <string> encr_SEK_ptr = LevelDB::getLevelDb()->readString("SEK");
+    if (enterBackupKey) {
+        enter_SEK();
+    } else {
+        if (encr_SEK_ptr == nullptr) {
+            spdlog::warn("SEK was not created yet. Going to create SEK");
+            gen_SEK();
+        } else {
+            trustedSetSEK(encr_SEK_ptr);
+        }
+    }
 }

 //a002e7ca685d46a32771d16fe2518e58
--- a/sgxwall.cpp
+++ b/sgxwall.cpp
@@ -49,7 +49,7 @@ void SGXWallet::printUsage() {
    cerr << "   -v  Verbose mode: turn on debug output\n";
    cerr << "   -vv Detailed verbose mode: turn on debug and trace outputs\n";
    cerr << "\nBackup, restore, update flags:\n\n";
-    cerr << "   -b  Restore from back up or software update. You will need to type in the backup key. \n";
+    cerr << "   -b  filename Restore from back up or software update. You will need to put backup key into a file in sgx_data dir. \n";
    cerr << "   -y  Do not ask user to acknowledge receipt of the backup key \n";
    cerr << "\nHTTPS flags:\n\n";
    cerr << "   -n  Launch sgxwallet using http. Default is to use https with a selg-signed server cert.  \n";