Unverified Commit 41d00a8f authored by Oleh Nikolaiev's avatar Oleh Nikolaiev Committed by GitHub

Merge pull request #338 from skalenetwork/feature/SKALE-4262-add-E-flag

Feature/skale 4262 add e flag
parents afbf4f0f 8a11d1f9
FROM ubuntu:18.04
RUN apt-get update && apt-get install -y \
RUN apt-get update && apt-get install -y \
autoconf \
automake \
build-essential \
......@@ -48,19 +48,19 @@ COPY . /usr/src/sdk
RUN ls /usr/src/sdk/autoconf.bash
WORKDIR /usr/src/sdk
RUN apt update && \
apt install -yq apt-utils && \
apt install -yq --no-install-recommends python-yaml vim \
telnet git ca-certificates perl \
reprepro libboost-all-dev alien uuid-dev libxml2-dev ccache \
yasm flex bison libprocps-dev ccache texinfo \
libjsonrpccpp-dev curl libjsonrpccpp-tools && \
ln -s /usr/bin/ccache /usr/local/bin/clang && \
ln -s /usr/bin/ccache /usr/local/bin/clang++ && \
ln -s /usr/bin/ccache /usr/local/bin/gcc && \
ln -s /usr/bin/ccache /usr/local/bin/g++ && \
ln -s /usr/bin/ccache /usr/local/bin/cc && \
ln -s /usr/bin/ccache /usr/local/bin/c++
RUN apt update && \
apt install -yq apt-utils && \
apt install -yq --no-install-recommends python-yaml vim \
telnet git ca-certificates perl \
reprepro libboost-all-dev alien uuid-dev libxml2-dev ccache \
yasm flex bison libprocps-dev ccache texinfo \
libjsonrpccpp-dev curl libjsonrpccpp-tools && \
ln -s /usr/bin/ccache /usr/local/bin/clang && \
ln -s /usr/bin/ccache /usr/local/bin/clang++ && \
ln -s /usr/bin/ccache /usr/local/bin/gcc && \
ln -s /usr/bin/ccache /usr/local/bin/g++ && \
ln -s /usr/bin/ccache /usr/local/bin/cc && \
ln -s /usr/bin/ccache /usr/local/bin/c++
RUN cd scripts && ./build_deps.py && \
wget --progress=dot:mega -O - https://github.com/intel/dynamic-application-loader-host-interface/archive/072d233296c15d0dcd1fb4570694d0244729f87b.tar.gz | tar -xz && \
......
......@@ -14,7 +14,7 @@
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
@file LevelDB.h
@author Stan Kladko
......@@ -54,7 +54,6 @@ class LevelDB {
static string sgx_data_folder;
public:
static void initDataFolderAndDBs();
......@@ -104,8 +103,6 @@ public:
virtual ~LevelDB();
static const string &getSgxDataFolder();
};
......
......@@ -14,7 +14,7 @@
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
@file SGXWalletServer.hpp
@author Stan Kladko
......@@ -48,12 +48,9 @@ class SGXWalletServer : public AbstractStubServer {
static map<string,string> ecdsaRequests;
static recursive_mutex ecdsaRequestsLock;
static void checkForDuplicate(map <string, string> &_map, recursive_mutex &_m, const string &_key,
const string &_value);
public:
static bool verifyCert(string& _certFileName);
......
......@@ -14,7 +14,7 @@
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
@file ServerInit.cpp
@author Stan Kladko
......@@ -160,7 +160,7 @@ uint64_t initEnclave() {
}
void initAll(uint32_t _logLevel, bool _checkCert,
bool _checkZMQSig, bool _autoSign, bool _generateTestKeys) {
bool _checkZMQSig, bool _autoSign, bool _generateTestKeys, bool _checkKeyOwnership) {
static atomic<bool> sgxServerInited(false);
static mutex initMutex;
......@@ -209,7 +209,7 @@ void initAll(uint32_t _logLevel, bool _checkCert,
SGXRegistrationServer::initRegistrationServer(_autoSign);
CSRManagerServer::initCSRManagerServer();
SGXInfoServer::initInfoServer(_logLevel, _checkCert, _autoSign, _generateTestKeys);
ZMQServer::initZMQServer(_checkZMQSig);
ZMQServer::initZMQServer(_checkZMQSig, _checkKeyOwnership);
sgxServerInited = true;
} catch (SGXException &_e) {
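Review bot: Of the servers started in this hunk, only `ZMQServer::initZMQServer` receives `_checkKeyOwnership`; `SGXRegistrationServer`, `CSRManagerServer` and `SGXInfoServer` are initialised without it. If the JSON-RPC server started earlier in `initAll` (outside this hunk) exposes the same sign, import and delete operations, a key guarded on the ZMQ path would presumably still be reachable there by name alone. Either enforce the same check on that path or state the limit next to the call, e.g. `// key ownership is enforced for ZMQ requests only`.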
......
......@@ -32,7 +32,7 @@
#define EXTERNC
#endif
EXTERNC void initAll(uint32_t _logLevel, bool _checkCert, bool _checkZMQSig, bool _autoSign, bool _generateTestKeys);
EXTERNC void initAll(uint32_t _logLevel, bool _checkCert, bool _checkZMQSig, bool _autoSign, bool _generateTestKeys, bool _checkKeyOwnership);
void exitAll();
......
......@@ -47,6 +47,6 @@ sleep 5
./testw.py
else
sleep 3
./sgxwallet $1 $2 $3 $4 $5
./sgxwallet $1 $2 $3 $4 $5 $6
fi
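Review bot: Forwarding a fixed, unquoted list `$1 … $6` means every new flag needs another edit here, a seventh argument is silently dropped, and an argument containing spaces is re-split. `./sgxwallet "$@"` passes whatever the container command supplies, unchanged, so a security-relevant flag cannot be lost at this layer. The surrounding `if` starts outside the hunk.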
......@@ -21,7 +21,7 @@ services:
options:
max-size: "10m"
max-file: "4"
command: -s -y -d
command: -s -y -d -e
healthcheck:
test: ["CMD", "ls", "/dev/isgx", "/dev/mei0"]
......@@ -18,4 +18,4 @@ services:
options:
max-size: "10m"
max-file: "4"
command: -s -y
command: -s -y -e
......@@ -2,4 +2,4 @@
sudo apt update
sudo apt install -y build-essential make gcc g++ yasm python libprotobuf10 flex bison automake
sudo apt install -y ccache cmake ccache autoconf texinfo libgcrypt20-dev libgnutls28-dev libtool pkg-config
sudo apt install -y ocaml ocamlbuid
sudo apt install -y ocaml ocamlbuild
......@@ -21,25 +21,19 @@
@date 2020
*/
#include "sgx_trts.h"
#include "sgx_tcrypto.h"
#include "stdlib.h"
#include <string.h>
#include "AESUtils.h"
sgx_aes_gcm_128bit_key_t AES_key[1024];
#define SAFE_CHAR_BUF(__X__, __Y__) ;char __X__ [ __Y__ ]; memset(__X__, 0, __Y__);
int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrBufLen, unsigned char type,
int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrBufLen, unsigned char type,
unsigned char exportable, uint64_t* resultLen) {
if (!type) {
LOG_ERROR("Null type in AES_encrypt");
return -1;
......
......@@ -32,7 +32,6 @@ int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t
uint8_t *type, uint8_t* exportable) ;
#define ECDSA '1'
#define BLS '2'
#define DKG '3'
......@@ -40,6 +39,4 @@ int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t
#define EXPORTABLE '1'
#define NON_EXPORTABLE '2'
#endif //SGXD_AESUTILS_H
......@@ -171,7 +171,6 @@ void enclave_init() {
return;
inited = 1;
LOG_INFO("Initing libff");
try {
......
......@@ -66,7 +66,6 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define INIT_ERROR_STATE *errString = 0; *errStatus = UNKNOWN_ERROR;
#define SET_SUCCESS *errStatus = 0;
#define CHECK_STATE(_EXPRESSION_) \
if (!(_EXPRESSION_)) { \
LOG_ERROR("State check failed::");LOG_ERROR(#_EXPRESSION_); \
......@@ -91,7 +90,6 @@ LOG_ERROR(errString); \
goto clean; \
};
#define CHECK_STATUS2(__ERRMESSAGE__) if (status != SGX_SUCCESS) { \
snprintf(errString, BUF_LEN, __ERRMESSAGE__, status); \
LOG_ERROR(errString); \
......@@ -138,10 +136,8 @@ void trustedEnclaveInit(uint64_t _logLevel) {
LOG_INFO("Calling enclave init");
enclave_init();
LOG_INFO("Reading random");
globalRandom = calloc(32,1);
......@@ -228,7 +224,6 @@ void get_global_random(unsigned char *_randBuff, uint64_t _size) {
memcpy(_randBuff, globalRandom, _size);
}
void sealHexSEK(int *errStatus, char *errString,
uint8_t *encrypted_sek, uint64_t *enc_len, char *sek_hex) {
CALL_ONCE
......
......@@ -55,6 +55,7 @@ void SGXWallet::printUsage() {
cerr << " -n Use http instead of https. Default is to use https with a selg-signed server cert. Insecure! \n";
cerr << " -c Disable client authentication using certificates. Insecure!\n";
cerr << " -s Sign client certificates without human confirmation. Insecure! \n";
cerr << " -e Only owner of the key can access it.\n";
}
......@@ -100,6 +101,7 @@ int main(int argc, char *argv[]) {
bool checkClientCertOption = true;
bool autoSignClientCertOption = false;
bool generateTestKeys = false;
bool checkKeyOwnership = true;
std::signal(SIGABRT, SGXWallet::signalHandler);
......@@ -110,7 +112,7 @@ int main(int argc, char *argv[]) {
exit(-21);
}
while ((opt = getopt(argc, argv, "cshd0abyvVnT")) != -1) {
while ((opt = getopt(argc, argv, "cshd0abyvVneT")) != -1) {
switch (opt) {
case 'h':
SGXWallet::printUsage();
......@@ -136,7 +138,11 @@ int main(int argc, char *argv[]) {
break;
case 'n':
useHTTPSOption = false;
break;
checkKeyOwnership = false;
break;
case 'e':
checkKeyOwnership = true;
break;
case 'a':
enterBackupKeyOption = false;
break;
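Review bot: `-e` cannot change anything on its own, because `checkKeyOwnership` is initialised to `true` in the earlier hunk and `case 'e'` only sets it to `true` again. Going by this hunk's line counts, the new `case 'n'` also sets `checkKeyOwnership = false`, so the final value depends on option order (`-n -e` keeps the check, `-e -n` drops it), and `-n` turns an access-control check off without `printUsage` saying so. Consider resolving the flag once after the `getopt` loop and extending the usage line, e.g. `-n  Use http instead of https; also disables the key ownership check. Insecure!`. The `switch` starts and ends outside the hunk.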
......@@ -179,7 +185,7 @@ int main(int argc, char *argv[]) {
}
cerr << "Calling initAll ..." << endl;
initAll(enclaveLogLevel, checkClientCertOption, checkClientCertOption, autoSignClientCertOption, generateTestKeys);
initAll(enclaveLogLevel, checkClientCertOption, checkClientCertOption, autoSignClientCertOption, generateTestKeys, checkKeyOwnership);
cerr << "Completed initAll." << endl;
//check if test keys already exist
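Review bot: `checkClientCertOption` is passed for both `_checkCert` and `_checkZMQSig`, while `checkKeyOwnership` is set independently, so the server can run with ZMQ signature checking off and the ownership check on. In that state the `cert` string compared by the ownership check is presumably taken from the request without being authenticated (the verification code in `ZMQMessage::parse` is outside the visible hunks), and a certificate is not a secret, so the check would give no real protection. Reject or at least report that combination before the call, for instance `if (checkKeyOwnership && !checkClientCertOption) cerr << "Key ownership check is enabled but ZMQ signatures are not verified" << endl;`. Six positional `bool` arguments are also easy to transpose; a small options struct would make this call and the test fixtures self-describing.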
......
......@@ -73,7 +73,7 @@ public:
TestFixture() {
TestUtils::resetDB();
setOptions(L_INFO, false, true);
initAll(L_INFO, false, false, true, false);
initAll(L_INFO, false, false, true, false, false);
}
~TestFixture() {
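Review bot: Only `TestFixtureHTTPS` enables the new check; `TestFixture`, `TestFixtureZMQSign`, `TestFixtureNoResetFromBackup` and `TestFixtureNoReset` all pass `false`, and none of the changed lines adds a case that is expected to be refused. The test bodies are outside these hunks, so this may already be covered, but a case in which a second client certificate asks to sign with the first client's key name and expects the "Only owner of the key can access it" error would pin the behaviour the flag exists for. Naming the argument at the call site, e.g. `/*checkKeyOwnership=*/false`, would make the run of positional booleans reviewable.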
......@@ -87,7 +87,7 @@ public:
TestFixtureHTTPS() {
TestUtils::resetDB();
setOptions(L_INFO, true, true);
initAll(L_INFO, false, true, true, false);
initAll(L_INFO, false, true, true, false, true);
}
~TestFixtureHTTPS() {
......@@ -101,7 +101,7 @@ public:
TestFixtureZMQSign() {
TestUtils::resetDB();
setOptions(L_INFO, false, true);
initAll(L_INFO, false, true, true, false);
initAll(L_INFO, false, true, true, false, false);
}
~TestFixtureZMQSign() {
......@@ -114,7 +114,7 @@ class TestFixtureNoResetFromBackup {
public:
TestFixtureNoResetFromBackup() {
setFullOptions(L_INFO, false, true, true);
initAll(L_INFO, false, false, true, false);
initAll(L_INFO, false, false, true, false, false);
}
~TestFixtureNoResetFromBackup() {
......@@ -128,7 +128,7 @@ class TestFixtureNoReset {
public:
TestFixtureNoReset() {
setOptions(L_INFO, false, true);
initAll(L_INFO, false, false, true, false);
initAll(L_INFO, false, false, true, false, false);
}
~TestFixtureNoReset() {
......
/*
Copyright (C) 2018-2019 SKALE Labs
This file is part of sgxwallet.
sgxwallet is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
sgxwallet is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
@file BLSRspSignMessage.cpp
@author Stan Kladko
@date 2020
*/
#include "BLSSignRspMessage.h"
#include "SGXWalletServer.hpp"
Json::Value BLSSignRspMessage::process() {
assert(false);
}
\ No newline at end of file
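Review bot: `BLSSignRspMessage::process()` is declared to return `Json::Value` but its only statement is `assert(false)`; in a build that defines `NDEBUG` the assert is compiled out and control runs off the end of a non-void function, which is undefined behaviour. `ECDSASignRspMessage::process()` in the next new source file has the same body. Throwing keeps the "never called" contract in every build: `throw std::logic_error("BLSSignRspMessage::process() must not be called");`. The `@file` tag in the header comment reads `BLSRspSignMessage.cpp`, which does not match the included `BLSSignRspMessage.h`.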
/*
Copyright (C) 2018-2019 SKALE Labs
This file is part of sgxwallet.
sgxwallet is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
sgxwallet is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
@file BLSRspSignMessage.h
@author Stan Kladko
@date 2020
*/
#ifndef SGXWALLET_BLSSIGNRSPMSG_H
#define SGXWALLET_BLSSIGNRSPMSG_H
#include "ZMQMessage.h"
class BLSSignRspMessage : public ZMQMessage {
public:
BLSSignRspMessage(shared_ptr<rapidjson::Document>& _d) : ZMQMessage(_d) {};
virtual Json::Value process();
string getSigShare() {
return getStringRapid("signatureShare");
}
};
#endif //SGXWALLET_BLSSIGNRSPMSG_H
/*
Copyright (C) 2018- SKALE Labs
This file is part of sgxwallet.
sgxwallet is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
sgxwallet is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
@file ECDSARspSignMessage.cpp
@author Stan Kladko
@date 2020
*/
#include "SGXWalletServer.hpp"
#include "ECDSASignRspMessage.h"
Json::Value ECDSASignRspMessage::process() {
// never called
assert(false);
}
string ECDSASignRspMessage::getSignature() {
string r = getStringRapid( "signature_r" );
string v = getStringRapid( "signature_v" );
string s = getStringRapid("signature_s" );
auto ret = v + ":" + r.substr( 2 ) + ":" + s.substr( 2 );
return ret;
}
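Review bot: `getSignature()` calls `r.substr( 2 )` and `s.substr( 2 )` on strings read from the response without validating them; a value shorter than two characters throws `std::out_of_range`, and a value that lacks the assumed two-character prefix silently loses its first two digits. Check the prefix before stripping it, e.g. `CHECK_STATE(r.rfind("0x", 0) == 0 && s.rfind("0x", 0) == 0);` if the project's `CHECK_STATE` macro is reachable from this file, or an explicit throw otherwise. A one-line comment stating that the result is `v:r:s` with the prefixes removed would document the format callers rely on.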
/*
Copyright (C) 2018- SKALE Labs
This file is part of sgxwallet.
sgxwallet is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
sgxwallet is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
@file ECDSARspSignMessage.h
@author Stan Kladko
@date 2020
*/
#ifndef SGXWALLET_ECDSASIGNRSPMESSAGE_H
#define SGXWALLET_ECDSASIGNRSPMESSAGE_H
#include "ZMQMessage.h"
class ECDSASignRspMessage : public ZMQMessage {
public:
ECDSASignRspMessage(shared_ptr <rapidjson::Document> &_d) : ZMQMessage(_d) {};
virtual Json::Value process();
string getSignature();
};
#endif //SGXWALLET_ECDSASIGNRSPMESSAGE_H
......@@ -10,7 +10,7 @@
sgxwallet is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
......@@ -31,6 +31,9 @@ Json::Value ECDSASignReqMessage::process() {
auto base = getInt64Rapid("base");
auto keyName = getStringRapid("keyName");
auto hash = getStringRapid("messageHash");
if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::ecdsaSignMessageHashImpl(base, keyName, hash);
result["type"] = ZMQMessage::ECDSA_SIGN_RSP;
return result;
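Review bot: The ownership guard added here is pasted in the same form into nine more handlers in this file (BLS sign, get public ECDSA, verification vector, secret share, DKG verification, create BLS private key, get BLS public, complaint response, delete BLS key), so a handler added later can omit it without anything failing. A single protected member on `ZMQMessage` that each `process()` calls would keep the policy and the error text in one place. `process()` starts and ends outside this hunk, and how `ZMQServer` reports the `std::invalid_argument` back to the client is not visible here.

```cpp
// ZMQMessage.cpp; declared protected in ZMQMessage.h
void ZMQMessage::requireKeyOwner(const string& keyName) {
    if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
        throw std::invalid_argument("Only owner of the key can access it");
    }
}

Json::Value ECDSASignReqMessage::process() {
    // … unchanged: base, keyName and hash are read from the request …
    requireKeyOwner(keyName);
    // … unchanged: ecdsaSignMessageHashImpl call, response type, return …
```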
......@@ -41,6 +44,9 @@ Json::Value BLSSignReqMessage::process() {
auto hash = getStringRapid("messageHash");
auto t = getInt64Rapid("t");
auto n = getInt64Rapid("n");
if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::blsSignMessageHashImpl(keyName, hash, t, n);
result["type"] = ZMQMessage::BLS_SIGN_RSP;
return result;
......@@ -50,6 +56,10 @@ Json::Value importBLSReqMessage::process() {
auto keyName = getStringRapid("keyShareName");
auto keyShare = getStringRapid("keyShare");
auto result = SGXWalletServer::importBLSKeyShareImpl(keyShare, keyName);
if (checkKeyOwnership && result["status"] == 0) {
auto cert = getStringRapid("cert");
addKeyByOwner(keyName, cert);
}
result["type"] = ZMQMessage::IMPORT_BLS_RSP;
return result;
}
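Review bot: `cert` is read only after `importBLSKeyShareImpl` has succeeded, so a request without a `cert` field presumably makes `getStringRapid` fail once the key share is already stored, leaving a key with no owner record that every later ownership check rejects. The same order is used in `importECDSAReqMessage`, `generateECDSAReqMessage`, `generateDKGPolyReqMessage` and `createBLSPrivateKeyReqMessage`. Reading the field first, `auto cert = checkKeyOwnership ? getStringRapid("cert") : string();` placed ahead of the Impl call, refuses the request before any state changes. A failure inside `addKeyByOwner` leaves the same ownerless key, which deserves either a rollback or a comment saying it is accepted.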
......@@ -58,18 +68,30 @@ Json::Value importECDSAReqMessage::process() {
auto keyName = getStringRapid("keyName");
auto key = getStringRapid("key");
auto result = SGXWalletServer::importECDSAKeyImpl(key, keyName);
if (checkKeyOwnership && result["status"] == 0) {
auto cert = getStringRapid("cert");
addKeyByOwner(keyName, cert);
}
result["type"] = ZMQMessage::IMPORT_ECDSA_RSP;
return result;
}
Json::Value generateECDSAReqMessage::process() {
auto result = SGXWalletServer::generateECDSAKeyImpl();
string keyName = result["keyName"].asString();
if (checkKeyOwnership && result["status"] == 0) {
auto cert = getStringRapid("cert");
addKeyByOwner(keyName, cert);
}
result["type"] = ZMQMessage::GENERATE_ECDSA_RSP;
return result;
}
Json::Value getPublicECDSAReqMessage::process() {
auto keyName = getStringRapid("keyName");
if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::getPublicECDSAKeyImpl(keyName);
result["type"] = ZMQMessage::GET_PUBLIC_ECDSA_RSP;
return result;
......@@ -79,12 +101,19 @@ Json::Value generateDKGPolyReqMessage::process() {
auto polyName = getStringRapid("polyName");
auto t = getInt64Rapid("t");
auto result = SGXWalletServer::generateDKGPolyImpl(polyName, t);
if (checkKeyOwnership && result["status"] == 0) {
auto cert = getStringRapid("cert");
addKeyByOwner(polyName, cert);
}
result["type"] = ZMQMessage::GENERATE_DKG_POLY_RSP;
return result;
}
Json::Value getVerificationVectorReqMessage::process() {
auto polyName = getStringRapid("polyName");
if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto t = getInt64Rapid("t");
auto result = SGXWalletServer::getVerificationVectorImpl(polyName, t);
result["type"] = ZMQMessage::GET_VV_RSP;
......@@ -96,6 +125,9 @@ Json::Value getSecretShareReqMessage::process() {
auto t = getInt64Rapid("t");
auto n = getInt64Rapid("n");
auto pubKeys = getJsonValueRapid("publicKeys");
if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::getSecretShareV2Impl(polyName, pubKeys, t, n);
result["type"] = ZMQMessage::GET_SECRET_SHARE_RSP;
return result;
......@@ -108,6 +140,9 @@ Json::Value dkgVerificationReqMessage::process() {
auto idx = getInt64Rapid("index");
auto pubShares = getStringRapid("publicShares");
auto secretShare = getStringRapid("secretShare");
if (checkKeyOwnership && !isKeyByOwner(ethKeyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::dkgVerificationV2Impl(pubShares, ethKeyName, secretShare, t, n, idx);
result["type"] = ZMQMessage::DKG_VERIFY_RSP;
return result;
......@@ -120,13 +155,22 @@ Json::Value createBLSPrivateKeyReqMessage::process() {
auto secretShare = getStringRapid("secretShare");
auto t = getInt64Rapid("t");
auto n = getInt64Rapid("n");
if (checkKeyOwnership && (!isKeyByOwner(ethKeyName, getStringRapid("cert")) || !isKeyByOwner(polyName, getStringRapid("cert")))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::createBLSPrivateKeyV2Impl(blsKeyName, ethKeyName, polyName, secretShare, t, n);
if (checkKeyOwnership && result["status"] == 0) {
addKeyByOwner(blsKeyName, getStringRapid("cert"));
}
result["type"] = ZMQMessage::CREATE_BLS_PRIVATE_RSP;
return result;
}
Json::Value getBLSPublicReqMessage::process() {
auto blsKeyName = getStringRapid("blsKeyName");
if (checkKeyOwnership && !isKeyByOwner(blsKeyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::getBLSPublicKeyShareImpl(blsKeyName);
result["type"] = ZMQMessage::GET_BLS_PUBLIC_RSP;
return result;
......@@ -146,6 +190,9 @@ Json::Value complaintResponseReqMessage::process() {
auto t = getInt64Rapid("t");
auto n = getInt64Rapid("n");
auto idx = getInt64Rapid("ind");
if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::complaintResponseImpl(polyName, t, n, idx);
result["type"] = ZMQMessage::COMPLAINT_RESPONSE_RSP;
return result;
......@@ -179,6 +226,9 @@ Json::Value getServerVersionReqMessage::process() {
Json::Value deleteBLSKeyReqMessage::process() {
auto blsKeyName = getStringRapid("blsKeyName");
if (checkKeyOwnership && !isKeyByOwner(blsKeyName, getStringRapid("cert"))) {
throw std::invalid_argument("Only owner of the key can access it");
}
auto result = SGXWalletServer::deleteBlsKeyImpl(blsKeyName);
result["type"] = ZMQMessage::DELETE_BLS_KEY_RSP;
return result;
......
......@@ -67,7 +67,7 @@ shared_ptr <ZMQMessage> ZMQClient::doRequestReply(Json::Value &_req) {
CHECK_STATE(resultStr.front() == '{')
CHECK_STATE(resultStr.back() == '}')
return ZMQMessage::parse(resultStr.c_str(), resultStr.size(), false, false);
return ZMQMessage::parse(resultStr.c_str(), resultStr.size(), false, false, false);
} catch (std::exception &e) {
spdlog::error(string("Error in doRequestReply:") + e.what());
throw;
......
......@@ -28,6 +28,7 @@
#include <fstream>
#include "ZMQClient.h"
#include "LevelDB.h"
#include "SGXWalletServer.hpp"
#include "ReqMessage.h"
#include "RspMessage.h"
......@@ -75,7 +76,7 @@ string ZMQMessage::getStringRapid(const char *_name) {
shared_ptr <ZMQMessage> ZMQMessage::parse(const char *_msg,
size_t _size, bool _isRequest,
bool _verifySig) {
bool _verifySig, bool _checkKeyOwnership) {
CHECK_STATE(_msg);
CHECK_STATE2(_size > 5, ZMQ_INVALID_MESSAGE_SIZE);
......@@ -149,16 +150,15 @@ shared_ptr <ZMQMessage> ZMQMessage::parse(const char *_msg,
}
}
shared_ptr <ZMQMessage> result;
if (_isRequest) {
return buildRequest(type, d);
return buildRequest(type, d, _checkKeyOwnership);
} else {
return buildResponse(type, d);
return buildResponse(type, d, _checkKeyOwnership);
}
}
shared_ptr <ZMQMessage> ZMQMessage::buildRequest(string &_type, shared_ptr <rapidjson::Document> _d) {
shared_ptr <ZMQMessage> ZMQMessage::buildRequest(string &_type, shared_ptr <rapidjson::Document> _d,
bool _checkKeyOwnership) {
Requests r;
try {
int t = requests.at( _type );
......@@ -231,10 +231,13 @@ shared_ptr <ZMQMessage> ZMQMessage::buildRequest(string &_type, shared_ptr <rapi
break;
}
ret->setCheckKeyOwnership(_checkKeyOwnership);
return ret;
}
shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rapidjson::Document> _d) {
shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rapidjson::Document> _d,
bool _checkKeyOwnership) {
Responses r;
try {
int t = responses.at( _type );
......@@ -309,9 +312,22 @@ shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rap
break;
}
ret->setCheckKeyOwnership(_checkKeyOwnership);
return ret;
}
std::map<string, string> ZMQMessage::keysByOwners;
bool ZMQMessage::isKeyByOwner(const string& keyName, const string& cert) {
auto value = LevelDB::getLevelDb()->readString(keyName);
return value && *value == cert;
}
void ZMQMessage::addKeyByOwner(const string& keyName, const string& cert) {
SGXWalletServer::writeDataToDB(keyName, cert);
}
cache::lru_cache<string, pair < EVP_PKEY * , X509 *>> ZMQMessage::verifiedCerts(256);
const std::map<string, int> ZMQMessage::requests{
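Review bot: `addKeyByOwner` stores the certificate under the bare `keyName`, and `isKeyByOwner` reads that same name back through `LevelDB::getLevelDb()`. If the `*Impl` functions persist the key material under the same name in the same database (not visible in this hunk), the owner record either collides with it or the comparison runs against key material instead of a certificate. A dedicated namespace avoids both, for example a suffix such as `writeDataToDB(keyName + ":OWNER", cert)` with the matching `readString(keyName + ":OWNER")`. Keys created before this change have no owner record and will be refused once the check is on, which should be documented, and the static `keysByOwners` map defined here is not used in any visible line.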
......
......@@ -51,6 +51,15 @@ class ZMQMessage {
static cache::lru_cache<string, pair<EVP_PKEY*, X509*>> verifiedCerts;
protected:
bool checkKeyOwnership = true;
static std::map<string, string> keysByOwners;
static bool isKeyByOwner(const string& keyName, const string& cert);
static void addKeyByOwner(const string& keyName, const string& cert);
public:
static constexpr const char *BLS_SIGN_REQ = "BLSSignReq";
......@@ -127,11 +136,15 @@ public:
}
static shared_ptr <ZMQMessage> parse(const char* _msg, size_t _size, bool _isRequest,
bool _verifySig);
bool _verifySig, bool _checkKeyOwnership);
static shared_ptr<ZMQMessage> buildRequest(string& type, shared_ptr<rapidjson::Document> _d);
static shared_ptr<ZMQMessage> buildResponse(string& type, shared_ptr<rapidjson::Document> _d);
static shared_ptr<ZMQMessage> buildRequest(string& type, shared_ptr<rapidjson::Document> _d,
bool _checkKeyOwnership);
static shared_ptr<ZMQMessage> buildResponse(string& type, shared_ptr<rapidjson::Document> _d,
bool _checkKeyOwnership);
virtual Json::Value process() = 0;
void setCheckKeyOwnership(bool _check) { checkKeyOwnership = _check; }
};
......@@ -38,8 +38,8 @@ using namespace std;
shared_ptr <ZMQServer> ZMQServer::zmqServer = nullptr;
ZMQServer::ZMQServer(bool _checkSignature, const string &_caCertFile)
: checkSignature(_checkSignature),
ZMQServer::ZMQServer(bool _checkSignature, bool _checkKeyOwnership, const string &_caCertFile)
: checkSignature(_checkSignature), checkKeyOwnership(_checkKeyOwnership),
caCertFile(_caCertFile), ctx(make_shared<zmq::context_t>(1)) {
socket = make_shared<zmq::socket_t>(*ctx, ZMQ_ROUTER);
......@@ -94,12 +94,13 @@ void ZMQServer::exitZMQServer() {
spdlog::info("Exited zmq server.");
}
void ZMQServer::initZMQServer(bool _checkSignature) {
void ZMQServer::initZMQServer(bool _checkSignature, bool _checkKeyOwnership) {
static bool initedServer = false;
CHECK_STATE(!initedServer)
initedServer = true;
spdlog::info("Initing zmq server. checkSignature is set to {}", _checkSignature);
spdlog::info("Initing zmq server.\n checkSignature is set to {}.\n checkKeyOwnership is set to {}",
_checkSignature, _checkKeyOwnership);
string rootCAPath = "";
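Review bot: The new `spdlog::info` call embeds `\n` in the format string, so one startup event is written as three physical lines, and the continuation lines typically carry no timestamp or level, which makes these two security settings harder to match in log pipelines. A single line keeps both values searchable: `spdlog::info("Initing zmq server. checkSignature={} checkKeyOwnership={}", _checkSignature, _checkKeyOwnership);`. `initZMQServer` continues outside the hunk.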
......@@ -109,7 +110,7 @@ void ZMQServer::initZMQServer(bool _checkSignature) {
CHECK_STATE(access(rootCAPath.c_str(), F_OK) == 0);
};
zmqServer = make_shared<ZMQServer>(_checkSignature, rootCAPath);
zmqServer = make_shared<ZMQServer>(_checkSignature, _checkKeyOwnership, rootCAPath);
CHECK_STATE(zmqServer)
......@@ -179,7 +180,7 @@ void ZMQServer::doOneServerLoop() {
CHECK_STATE(stringToParse.back() == '}')
auto parsedMsg = ZMQMessage::parse(
stringToParse.c_str(), stringToParse.size(), true, checkSignature);
stringToParse.c_str(), stringToParse.size(), true, checkSignature, checkKeyOwnership);
CHECK_STATE2(parsedMsg, ZMQ_COULD_NOT_PARSE);
......
......@@ -14,7 +14,7 @@
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
@file ZMQServer.h
@author Stan Kladko
......@@ -52,16 +52,18 @@ public:
static shared_ptr<std::thread> serverThread;
ZMQServer(bool _checkSignature, const string& _caCertFile);
ZMQServer(bool _checkSignature, bool _checkKeyOwnership, const string& _caCertFile);
~ZMQServer();
void run();
static void initZMQServer(bool _checkSignature);
static void initZMQServer(bool _checkSignature, bool _checkKeyOwnership);
static void exitZMQServer();
private:
bool checkKeyOwnership = true;
shared_ptr<zmq::context_t> ctx;
shared_ptr<zmq::socket_t> socket;
......