SKALE-3170-backup-keys

20466b87 · kladko · bdb3bd1c · 20466b87 · 20466b87
Unverified Commit 20466b87 authored Aug 26, 2020 by kladko
Show whitespace changes
Inline Side-by-side

Showing with 183 additions and 171 deletions

SEKManager.cpp SEKManager.cpp +182 -170

sgxwall.cpp sgxwall.cpp +1 -1

No files found.
--- a/SEKManager.cpp
+++ b/SEKManager.cpp
@@ -37,6 +37,8 @@
 #include "ServerDataChecker.h"
 #include "third_party/spdlog/spdlog.h"
+using namespace std;
 bool case_insensitive_match(string s1, string s2) {
    //convert s1 and s2 into lower case strings
    transform(s1.begin(), s1.end(), s1.begin(), ::tolower);
@@ -46,23 +48,23 @@ bool case_insensitive_match(string s1, string s2) {
 void create_test_key() {
    int errStatus = 0;
-  vector<char> errMsg(1024,0);
+    vector<char> errMsg(1024, 0);
    uint32_t enc_len;
    uint8_t encrypted_key[BUF_LEN];
    memset(encrypted_key, 0, BUF_LEN);
-  std::string key = TEST_VALUE;
+    string key = TEST_VALUE;
    status = trustedEncryptKeyAES(eid, &errStatus, errMsg.data(), key.c_str(), encrypted_key, &enc_len);
-  if ( status != SGX_SUCCESS ) {
+    if (status != SGX_SUCCESS) {
-    std::cerr << "encrypt test key failed with status " << status << std::endl;
+        cerr << "encrypt test key failed with status " << status << endl;
-    throw SGXException(status, errMsg.data()) ;
+        throw SGXException(status, errMsg.data());
    }
-  if ( errStatus != 0 ) {
+    if (errStatus != 0) {
-    std::cerr << "encrypt test key failed with status " << errStatus << std::endl;
+        cerr << "encrypt test key failed with status " << errStatus << endl;
-    throw SGXException(errStatus, errMsg.data()) ;
+        throw SGXException(errStatus, errMsg.data());
    }
    vector<char> hexEncrKey(2 * enc_len + 1, 0);
@@ -70,91 +72,91 @@ void create_test_key() {
    carray2Hex(encrypted_key, enc_len, hexEncrKey.data());
    uint64_t test_len;
-  vector<uint8_t>test_encr_key(1024, 0);
+    vector <uint8_t> test_encr_key(1024, 0);
    if (!hex2carray(hexEncrKey.data(), &test_len, test_encr_key.data())) {
-    std::cerr << "wrong encrypted test key" << std::endl;
+        cerr << "wrong encrypted test key" << endl;
    }
-  LevelDB::getLevelDb() -> writeDataUnique("TEST_KEY", hexEncrKey.data());
+    LevelDB::getLevelDb()->writeDataUnique("TEST_KEY", hexEncrKey.data());
 }
 #include <experimental/filesystem>
-bool check_SEK(const std::string& SEK) {
+bool check_SEK(const string &SEK) {
-  std::shared_ptr <std::string> test_key_ptr = LevelDB::getLevelDb() -> readString("TEST_KEY");
+    shared_ptr <string> test_key_ptr = LevelDB::getLevelDb()->readString("TEST_KEY");
-  vector<uint8_t> encr_test_key(BUF_LEN, 0);
+    vector <uint8_t> encr_test_key(BUF_LEN, 0);
    uint64_t len;
    if (!hex2carray(test_key_ptr->c_str(), &len, encr_test_key.data())) {
-    spdlog::error("wrong test key" );
+        spdlog::error("wrong test key");
        exit(-1);
    }
-  vector<char> decr_key(1024,0);
+    vector<char> decr_key(1024, 0);
-  vector<char> errMsg(1024,0);
+    vector<char> errMsg(1024, 0);
    int err_status = 0;
-  vector<uint8_t> encr_SEK(1024,0);
+    vector <uint8_t> encr_SEK(1024, 0);
    uint32_t l = len;
-  status = trustedSetSEK_backup(eid, &err_status, errMsg.data(), encr_SEK.data(), &l, SEK.c_str() );
+    status = trustedSetSEK_backup(eid, &err_status, errMsg.data(), encr_SEK.data(), &l, SEK.c_str());
    if (status != SGX_SUCCESS) {
        cerr << "RPCException thrown with status " << status << endl;
        throw SGXException(status, errMsg.data());
    }
-  if ( err_status != 0 ) {
+    if (err_status != 0) {
        cerr << "RPCException thrown with status " << err_status << endl;
        throw SGXException(err_status, errMsg.data());
    }
    status = trustedDecryptKeyAES(eid, &err_status, errMsg.data(), encr_test_key.data(), len, decr_key.data());
    if (status != SGX_SUCCESS || err_status != 0) {
-    spdlog::error("failed to decrypt test key" );
+        spdlog::error("failed to decrypt test key");
        spdlog::error(errMsg.data());
        exit(-1);
    }
-  std::string test_key = TEST_VALUE;
+    string test_key = TEST_VALUE;
    if (test_key.compare(decr_key.data()) != 0) {
-    std::cerr << "decrypted key is " << decr_key.data() << std::endl;
+        cerr << "decrypted key is " << decr_key.data() << endl;
-    spdlog::error("Invalid SEK" );
+        spdlog::error("Invalid SEK");
        return false;
    }
    return true;
 }
 void gen_SEK() {
-  vector<char> errMsg(1024,0);
+    vector<char> errMsg(1024, 0);
    int err_status = 0;
-  vector<uint8_t> encr_SEK(1024, 0);
+    vector <uint8_t> encr_SEK(1024, 0);
    uint32_t enc_len = 0;
    char SEK[65];
    memset(SEK, 0, 65);
-  spdlog::error("Generating backup key. Will be stored in backup_key.txt ... " );
+    spdlog::error("Generating backup key. Will be stored in backup_key.txt ... ");
    status = trustedGenerateSEK(eid, &err_status, errMsg.data(), encr_SEK.data(), &enc_len, SEK);
-  if ( status != SGX_SUCCESS ) {
+    if (status != SGX_SUCCESS) {
-    throw SGXException(status, errMsg.data()) ;
+        throw SGXException(status, errMsg.data());
    }
-  if ( err_status != 0 ) {
+    if (err_status != 0) {
-    throw SGXException(err_status, errMsg.data()) ;
+        throw SGXException(err_status, errMsg.data());
    }
-    if ( strnlen(SEK,33) != 32) {
+    if (strnlen(SEK, 33) != 32) {
-        throw SGXException(-1, "strnlen(SEK,33) != 32" ) ;
+        throw SGXException(-1, "strnlen(SEK,33) != 32");
    }
    vector<char> hexEncrKey(2 * enc_len + 1, 0);
    carray2Hex(encr_SEK.data(), enc_len, hexEncrKey.data());
-  std::ofstream sek_file("backup_key.txt");
+    ofstream sek_file("backup_key.txt");
    sek_file.clear();
    sek_file << SEK;
@@ -165,28 +167,24 @@ void gen_SEK() {
         "apt-get install secure-delete && srm -vz sgx_data/backup_key.txt" << endl;
    if (!autoconfirm) {
-    std::string confirm_str = "I confirm";
+        string confirm_str = "I confirm";
-    std::string buffer;
+        string buffer;
        do {
-      std::cout << " DO YOU CONFIRM THAT YOU COPIED THE KEY? (if you confirm type - I confirm)"
+            cout << " DO YOU CONFIRM THAT YOU COPIED THE KEY? (if you confirm type - I confirm)"
-                << std::endl;
+                 << endl;
-      std::getline(std::cin, buffer);
+            getline(cin, buffer);
        } while (case_insensitive_match(confirm_str, buffer));
    }
    LevelDB::getLevelDb()->writeDataUnique("SEK", hexEncrKey.data());
    create_test_key();
 }
-void trustedSetSEK(std::shared_ptr<std::string> hex_encr_SEK) {
+void trustedSetSEK(shared_ptr <string> hex_encr_SEK) {
-  vector<char> errMsg(1024,0);
+    vector<char> errMsg(1024, 0);
    int err_status = 0;
    uint8_t encr_SEK[BUF_LEN];
@@ -198,60 +196,74 @@ void trustedSetSEK(std::shared_ptr<std::string> hex_encr_SEK) {
        throw SGXException(INVALID_HEX, "Invalid encrypted SEK Hex");
    }
-  status = trustedSetSEK(eid, &err_status, errMsg.data(), encr_SEK );
+    status = trustedSetSEK(eid, &err_status, errMsg.data(), encr_SEK);
-  if ( status != SGX_SUCCESS ) {
+    if (status != SGX_SUCCESS) {
        cerr << "RPCException thrown" << endl;
-    throw SGXException(status, errMsg.data()) ;
+        throw SGXException(status, errMsg.data());
    }
-  if ( err_status != 0 ) {
+    if (err_status != 0) {
        cerr << "RPCException thrown" << endl;
-    throw SGXException(err_status, errMsg.data()) ;
+        throw SGXException(err_status, errMsg.data());
    }
 }
 void enter_SEK() {
-  vector<char> errMsg(1024,0);
+    vector<char> errMsg(1024, 0);
    int err_status = 0;
-  vector<uint8_t> encr_SEK(BUF_LEN, 0);
+    vector <uint8_t> encr_SEK(BUF_LEN, 0);
    uint32_t enc_len;
-  std::shared_ptr <std::string> test_key_ptr = LevelDB::getLevelDb() -> readString("TEST_KEY");
+    shared_ptr <string> test_key_ptr = LevelDB::getLevelDb()->readString("TEST_KEY");
    if (test_key_ptr == nullptr) {
-    spdlog::error("empty db" );
+        spdlog::error("empty db");
        exit(-1);
    }
-  std::string SEK;
+    ifstream sek_file("sgx_data/backup_key.txt");
-  std::cout << "ENTER BACKUP KEY" << std::endl;
-  std::cin >> SEK;
+    string SEK;
+    sek_file >> SEK;
+    spdlog::info("Reading backup key from file ...");
+    cin >> SEK;
    while (!checkHex(SEK, 16) || !check_SEK(SEK)) {
-    std::cout << "KEY IS INVALID.TRY ONCE MORE" << std::endl;
+        spdlog::error("Invalid key");
-    SEK = "";
+        throw SGXException(-1, "Invalid key");
-    std::cin >> SEK;
    }
+    spdlog::info("Setting backup key ...");
    status = trustedSetSEK_backup(eid, &err_status, errMsg.data(), encr_SEK.data(), &enc_len, SEK.c_str());
    if (status != SGX_SUCCESS) {
-    cerr << "RPCException thrown with status " << status << endl;
+        spdlog::error("RPCException thrown with status {}", status);
        throw SGXException(status, errMsg.data());
    }
-  if ( err_status != 0 ) {
+    if (err_status != 0) {
        cerr << "RPCException thrown" << endl;
-    throw SGXException(err_status, errMsg.data()) ;
+        throw SGXException(err_status, errMsg.data());
    }
    vector<char> hexEncrKey(2 * enc_len + 1, 0);
    carray2Hex(encr_SEK.data(), enc_len, hexEncrKey.data());
-  LevelDB::getLevelDb() -> deleteKey("SEK");
-  LevelDB::getLevelDb() -> writeDataUnique("SEK", hexEncrKey.data());
+    spdlog::info("Got sealed storage encryption key.");
+    LevelDB::getLevelDb()->deleteKey("SEK");
+    spdlog::info("Storing sealed storage encryption key in LevelDB ...");
+    LevelDB::getLevelDb()->writeDataUnique("SEK", hexEncrKey.data());
+    spdlog::info("Stored storage encryption key in LevelDB.");
 }
 void initSEK() {
-  std::shared_ptr<std::string> encr_SEK_ptr = LevelDB::getLevelDb()->readString("SEK");
+    shared_ptr <string> encr_SEK_ptr = LevelDB::getLevelDb()->readString("SEK");
    if (enterBackupKey) {
        enter_SEK();
    } else {

--- a/sgxwall.cpp
+++ b/sgxwall.cpp
@@ -49,7 +49,7 @@ void SGXWallet::printUsage() {
    cerr << "   -v  Verbose mode: turn on debug output\n";
    cerr << "   -vv Detailed verbose mode: turn on debug and trace outputs\n";
    cerr << "\nBackup, restore, update flags:\n\n";
-    cerr << "   -b  Restore from back up or software update. You will need to type in the backup key. \n";
+    cerr << "   -b  filename Restore from back up or software update. You will need to put backup key into a file in sgx_data dir. \n";
    cerr << "   -y  Do not ask user to acknowledge receipt of the backup key \n";
    cerr << "\nHTTPS flags:\n\n";
    cerr << "   -n  Launch sgxwallet using http. Default is to use https with a selg-signed server cert.  \n";