SKALE-4522 fix exportable keys, add tests

28de93d1 · Oleh · a81f0874 · 28de93d1 · 28de93d1 · 28de93d1
Unverified Commit 28de93d1 authored Aug 30, 2021 by Oleh
Showing with 80 additions and 10 deletions

ECDSACrypto.cpp ECDSACrypto.cpp +5 -3

secure_enclave.c secure_enclave/secure_enclave.c +17 -4

secure_enclave.edl secure_enclave/secure_enclave.edl +1 -0

testw.cpp testw.cpp +56 -3

testw.py testw.py +1 -0

No files found.
--- a/ECDSACrypto.cpp
+++ b/ECDSACrypto.cpp
@@ -59,8 +59,10 @@ vector <string> genECDSAKey() {
    sgx_status_t status = SGX_SUCCESS;
-    status = trustedGenerateEcdsaKey(eid, &errStatus,
+    int exportable = 0;
-                               errMsg.data(), encr_pr_key.data(), &enc_len,
+    status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(),
+                                    &exportable, encr_pr_key.data(), &enc_len,
                                    pub_key_x.data(), pub_key_y.data());
    HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus,errMsg.data());

--- a/secure_enclave/secure_enclave.c
+++ b/secure_enclave/secure_enclave.c
@@ -358,7 +358,7 @@ void trustedSetSEKBackup(int *errStatus, char *errString,
    LOG_INFO("SGX call completed");
 }
-void trustedGenerateEcdsaKey(int *errStatus, char *errString,
+void trustedGenerateEcdsaKey(int *errStatus, char *errString, int *is_exportable,
                                uint8_t *encryptedPrivateKey, uint64_t *enc_len, char *pub_key_x, char *pub_key_y) {
    LOG_INFO(__FUNCTION__);
    INIT_ERROR_STATE
@@ -409,8 +409,15 @@ void trustedGenerateEcdsaKey(int *errStatus, char *errString,
    strncpy(skey_str + n_zeroes, arr_skey_str, 65 - n_zeroes);
    snprintf(errString, BUF_LEN, "skey len is %d\n", (int) strlen(skey_str));
-    int status = AES_encrypt((char *) skey_str, encryptedPrivateKey, BUF_LEN,
+    int status = -1;
+    if ( *is_exportable ) {
+        status = AES_encrypt((char *) skey_str, encryptedPrivateKey, BUF_LEN,
+                             ECDSA, EXPORTABLE, enc_len);
+    } else {
+        status = AES_encrypt((char *) skey_str, encryptedPrivateKey, BUF_LEN,
                             ECDSA, NON_EXPORTABLE, enc_len);
+    }
    CHECK_STATUS("ecdsa private key encryption failed");
    uint8_t type = 0;
@@ -611,6 +618,8 @@ void trustedDecryptKey(int *errStatus, char *errString, uint8_t *encryptedPrivat
    if (exportable != EXPORTABLE) {
        *errStatus = -11;
        snprintf(errString, BUF_LEN, "Key is not exportable");
+        LOG_ERROR(errString);
+        goto clean;
    }
    if (status != 0) {
@@ -855,7 +864,9 @@ void trustedGetEncryptedSecretShare(int *errStatus, char *errString,
    SAFE_CHAR_BUF(pub_key_x, BUF_LEN);SAFE_CHAR_BUF(pub_key_y, BUF_LEN);
-    trustedGenerateEcdsaKey(&status, errString, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
+    int is_exportable = 1;
+    trustedGenerateEcdsaKey(&status, errString, &is_exportable, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
    CHECK_STATUS("trustedGenerateEcdsaKey failed");
@@ -929,7 +940,9 @@ void trustedGetEncryptedSecretShareV2(int *errStatus, char *errString,
    SAFE_CHAR_BUF(pub_key_x, BUF_LEN);
    SAFE_CHAR_BUF(pub_key_y, BUF_LEN);
-    trustedGenerateEcdsaKey(&status, errString, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
+    int is_exportable = 1;
+    trustedGenerateEcdsaKey(&status, errString, &is_exportable, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
    CHECK_STATUS("trustedGenerateEcdsaKey failed");

--- a/secure_enclave/secure_enclave.edl
+++ b/secure_enclave/secure_enclave.edl
@@ -35,6 +35,7 @@ enclave {
        public void trustedGenerateEcdsaKey (
                                [out] int *errStatus,
                                [out, count = SMALL_BUF_SIZE] char* err_string,
+                                [out] int *is_exportable,
                                [out, count = SMALL_BUF_SIZE] uint8_t* encrypted_key,
                                [out] uint64_t *enc_len,
                                [out, count = SMALL_BUF_SIZE] char * pub_key_x,

--- a/testw.cpp
+++ b/testw.cpp
@@ -146,8 +146,9 @@ TEST_CASE_METHOD(TestFixture, "ECDSA AES keygen and signature test", "[ecdsa-aes
    vector<char> pubKeyY(BUF_LEN, 0);
    uint64_t encLen = 0;
+    int exportable = 0;
    PRINT_SRC_LINE
-    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), encrPrivKey.data(), &encLen,
+    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encrPrivKey.data(), &encLen,
                                          pubKeyX.data(),
                                          pubKeyY.data());
    REQUIRE(status == SGX_SUCCESS);
@@ -177,8 +178,9 @@ TEST_CASE_METHOD(TestFixture, "ECDSA AES key gen", "[ecdsa-aes-key-gen]") {
    vector<char> pubKeyX(BUF_LEN, 0);
    vector<char> pubKeyY(BUF_LEN, 0);
    uint64_t encLen = 0;
+    int exportable = 0;
    PRINT_SRC_LINE
-    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), encrPrivKey.data(), &encLen,
+    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encrPrivKey.data(), &encLen,
                                          pubKeyX.data(),
                                          pubKeyY.data());
@@ -194,9 +196,10 @@ TEST_CASE_METHOD(TestFixture, "ECDSA AES get public key", "[ecdsa-aes-get-pub-ke
    vector<char> pubKeyY(BUF_LEN, 0);
    uint64_t encLen = 0;
+    int exportable = 0;
    PRINT_SRC_LINE
-    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), encPrivKey.data(), &encLen, pubKeyX.data(),
+    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encPrivKey.data(), &encLen, pubKeyX.data(),
                                          pubKeyY.data());
    REQUIRE(status == SGX_SUCCESS);
@@ -1120,6 +1123,56 @@ TEST_CASE_METHOD(TestFixture, "AES encrypt/decrypt", "[aes-encrypt-decrypt]") {
    sleep(3);
 }
+TEST_CASE_METHOD(TestFixture, "Exportable / non-exportable keys", "[exportable-nonexportable-keys]") {
+    int errStatus = 0;
+    vector<char> errMsg(BUF_LEN, 0);
+    vector <uint8_t> encPrivKey(BUF_LEN, 0);
+    vector<char> pubKeyX(BUF_LEN, 0);
+    vector<char> pubKeyY(BUF_LEN, 0);
+    uint64_t encLen = 0;
+    int exportable = 0;
+    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encPrivKey.data(), &encLen, pubKeyX.data(),
+                                          pubKeyY.data());
+    vector<char> decrypted_key(BUF_LEN, 0);
+    status = trustedDecryptKey(eid, &errStatus, errMsg.data(), encPrivKey.data(), encLen, decrypted_key.data());
+    REQUIRE( errStatus == -11 );
+    exportable = 1;
+    encPrivKey.clear();
+    errMsg.clear();
+    pubKeyX.clear();
+    pubKeyY.clear();
+    status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encPrivKey.data(), &encLen, pubKeyX.data(),
+                                          pubKeyY.data());
+    decrypted_key.clear();
+    status = trustedDecryptKey(eid, &errStatus, errMsg.data(), encPrivKey.data(), encLen, decrypted_key.data());
+    REQUIRE( errStatus == 0 );
+    REQUIRE( status == SGX_SUCCESS );
+    string key = SAMPLE_AES_KEY;
+    vector <uint8_t> encrypted_key(BUF_LEN, 0);
+    status = trustedEncryptKey(eid, &errStatus, errMsg.data(), key.c_str(), encrypted_key.data(), &encLen);
+    REQUIRE(status == 0);
+    REQUIRE(errStatus == 0);
+    vector<char> decr_key(BUF_LEN, 0);
+    PRINT_SRC_LINE
+    status = trustedDecryptKey(eid, &errStatus, errMsg.data(), encrypted_key.data(), encLen, decr_key.data());
+    REQUIRE(status == 0);
+    REQUIRE(key.compare(decr_key.data()) == 0);
+    REQUIRE(errStatus == 0);
+    sleep(3);
+}
 TEST_CASE_METHOD(TestFixture, "Many threads ecdsa dkg v2 bls", "[many-threads-crypto-v2]") {
    vector <thread> threads;
    int num_threads = 4;

--- a/testw.py
+++ b/testw.py
@@ -60,6 +60,7 @@ testList = [ "[zmq-ecdsa]",
             "[dkg-poly-exists-zmq]",
             "[dkg-aes-pub-shares]",
             "[aes-encrypt-decrypt]",
+             "[exportable-nonexportable-keys]",
             "[aes-dkg-v2]",
             "[aes-dkg-v2-zmq]",
             "[te-decryption-share]",