Merge pull request #338 from skalenetwork/feature/SKALE-4262-add-E-flag

Feature/skale 4262 add e flag

DockerfileBase

 FROM ubuntu:18.04
 
-RUN apt-get update && apt-get install  -y \
+RUN apt-get update && apt-get install -y \
     autoconf \
     automake \
     build-essential \
@@ -48,19 +48,19 @@ COPY . /usr/src/sdk
 RUN ls /usr/src/sdk/autoconf.bash
 WORKDIR /usr/src/sdk
 
-RUN    apt update && \
-       apt install -yq apt-utils && \
-       apt install -yq --no-install-recommends python-yaml vim \
-           telnet git ca-certificates perl \
-           reprepro libboost-all-dev alien uuid-dev libxml2-dev ccache \
-           yasm flex bison libprocps-dev ccache texinfo \
-           libjsonrpccpp-dev curl libjsonrpccpp-tools && \
-       ln -s /usr/bin/ccache /usr/local/bin/clang && \
-       ln -s /usr/bin/ccache /usr/local/bin/clang++ && \
-       ln -s /usr/bin/ccache /usr/local/bin/gcc && \
-       ln -s /usr/bin/ccache /usr/local/bin/g++ && \
-       ln -s /usr/bin/ccache /usr/local/bin/cc && \
-       ln -s /usr/bin/ccache /usr/local/bin/c++
+RUN apt update && \
+    apt install -yq apt-utils && \
+    apt install -yq --no-install-recommends python-yaml vim \
+        telnet git ca-certificates perl \
+        reprepro libboost-all-dev alien uuid-dev libxml2-dev ccache \
+        yasm flex bison libprocps-dev ccache texinfo \
+        libjsonrpccpp-dev curl libjsonrpccpp-tools && \
+    ln -s /usr/bin/ccache /usr/local/bin/clang && \
+    ln -s /usr/bin/ccache /usr/local/bin/clang++ && \
+    ln -s /usr/bin/ccache /usr/local/bin/gcc && \
+    ln -s /usr/bin/ccache /usr/local/bin/g++ && \
+    ln -s /usr/bin/ccache /usr/local/bin/cc && \
+    ln -s /usr/bin/ccache /usr/local/bin/c++
 
 RUN    cd scripts && ./build_deps.py && \
        wget --progress=dot:mega -O - https://github.com/intel/dynamic-application-loader-host-interface/archive/072d233296c15d0dcd1fb4570694d0244729f87b.tar.gz | tar -xz && \

LevelDB.h

@@ -14,7 +14,7 @@
     GNU Affero General Public License for more details.
 
     You should have received a copy of the GNU Affero General Public License
-    along with sgxwallet.  If not, see <https://www.gnu.org/licenses/>.
+    along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
 
     @file LevelDB.h
     @author Stan Kladko
@@ -54,7 +54,6 @@ class LevelDB {
 
     static string sgx_data_folder;
 
-
 public:
 
     static void initDataFolderAndDBs();
@@ -104,8 +103,6 @@ public:
     virtual ~LevelDB();
 
     static const string &getSgxDataFolder();
-
-
 };
 
 

SGXWalletServer.hpp

@@ -14,7 +14,7 @@
     GNU Affero General Public License for more details.
 
     You should have received a copy of the GNU Affero General Public License
-    along with sgxwallet.  If not, see <https://www.gnu.org/licenses/>.
+    along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
 
     @file SGXWalletServer.hpp
     @author Stan Kladko
@@ -48,12 +48,9 @@ class SGXWalletServer : public AbstractStubServer {
     static map<string,string> ecdsaRequests;
     static recursive_mutex ecdsaRequestsLock;
 
-
-
     static void checkForDuplicate(map <string, string> &_map, recursive_mutex &_m, const string &_key,
     const string &_value);
 
-
 public:
 
     static bool verifyCert(string& _certFileName);

ServerInit.cpp

@@ -14,7 +14,7 @@
     GNU Affero General Public License for more details.
 
     You should have received a copy of the GNU Affero General Public License
-    along with sgxwallet.  If not, see <https://www.gnu.org/licenses/>.
+    along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
 
     @file ServerInit.cpp
     @author Stan Kladko
@@ -160,7 +160,7 @@ uint64_t initEnclave() {
 }
 
 void initAll(uint32_t _logLevel, bool _checkCert,
-             bool _checkZMQSig, bool _autoSign, bool _generateTestKeys) {
+             bool _checkZMQSig, bool _autoSign, bool _generateTestKeys, bool _checkKeyOwnership) {
 
     static atomic<bool> sgxServerInited(false);
     static mutex initMutex;
@@ -209,7 +209,7 @@ void initAll(uint32_t _logLevel, bool _checkCert,
         SGXRegistrationServer::initRegistrationServer(_autoSign);
         CSRManagerServer::initCSRManagerServer();
         SGXInfoServer::initInfoServer(_logLevel, _checkCert, _autoSign, _generateTestKeys);
-        ZMQServer::initZMQServer(_checkZMQSig);
+        ZMQServer::initZMQServer(_checkZMQSig, _checkKeyOwnership);
 
         sgxServerInited = true;
     } catch (SGXException &_e) {

ServerInit.h

@@ -32,7 +32,7 @@
 #define EXTERNC
 #endif
 
-EXTERNC void initAll(uint32_t  _logLevel, bool _checkCert, bool _checkZMQSig, bool _autoSign, bool _generateTestKeys);
+EXTERNC void initAll(uint32_t  _logLevel, bool _checkCert, bool _checkZMQSig, bool _autoSign, bool _generateTestKeys, bool _checkKeyOwnership);
 
 void exitAll();
 

docker/start.sh

@@ -47,6 +47,6 @@ sleep 5
 ./testw.py
 else
 sleep 3
-./sgxwallet $1 $2 $3 $4 $5
+./sgxwallet $1 $2 $3 $4 $5 $6
 fi
 

run_sgx/docker-compose.yml

@@ -21,7 +21,7 @@ services:
       options:
         max-size: "10m"
         max-file: "4"
-    command: -s -y -d
+    command: -s -y -d -e
     healthcheck:
       test: ["CMD", "ls", "/dev/isgx", "/dev/mei0"]
 

run_sgx_sim/docker-compose.yml

@@ -18,4 +18,4 @@ services:
       options:
         max-size: "10m"
         max-file: "4"
-    command: -s -y
+    command: -s -y -e

scripts/install_packages.sh

@@ -2,4 +2,4 @@
 sudo apt update
 sudo apt install -y build-essential make gcc g++ yasm  python libprotobuf10 flex bison automake
 sudo apt install -y ccache cmake ccache autoconf texinfo libgcrypt20-dev libgnutls28-dev libtool pkg-config
-sudo apt install -y ocaml ocamlbuid
+sudo apt install -y ocaml ocamlbuild

secure_enclave/AESUtils.c

@@ -21,25 +21,19 @@
     @date 2020
 */
 
-
 #include "sgx_trts.h"
 #include "sgx_tcrypto.h"
 #include "stdlib.h"
 #include <string.h>
 
-
 #include "AESUtils.h"
 
 sgx_aes_gcm_128bit_key_t AES_key[1024];
 
-
 #define SAFE_CHAR_BUF(__X__, __Y__)  ;char __X__ [ __Y__ ]; memset(__X__, 0, __Y__);
 
-int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrBufLen, unsigned  char type,
+int AES_encrypt(char *message, uint8_t *encr_message, uint64_t encrBufLen, unsigned char type,
                 unsigned char exportable, uint64_t* resultLen) {
-
-
-
     if (!type) {
         LOG_ERROR("Null type in AES_encrypt");
         return -1;

secure_enclave/AESUtils.h

@@ -32,7 +32,6 @@ int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t
                 uint8_t *type, uint8_t* exportable) ;
 
 
-
 #define ECDSA '1'
 #define BLS '2'
 #define DKG '3'
@@ -40,6 +39,4 @@ int AES_decrypt(uint8_t *encr_message, uint64_t length, char *message, uint64_t
 #define EXPORTABLE '1'
 #define NON_EXPORTABLE '2'
 
-
-
 #endif //SGXD_AESUTILS_H

secure_enclave/EnclaveCommon.cpp

@@ -171,7 +171,6 @@ void enclave_init() {
         return;
     inited = 1;
 
-
     LOG_INFO("Initing libff");
     try {
 

secure_enclave/secure_enclave.c

@@ -66,7 +66,6 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #define INIT_ERROR_STATE *errString = 0; *errStatus = UNKNOWN_ERROR;
 #define SET_SUCCESS *errStatus = 0;
 
-
 #define CHECK_STATE(_EXPRESSION_) \
     if (!(_EXPRESSION_)) {        \
         LOG_ERROR("State check failed::");LOG_ERROR(#_EXPRESSION_); \
@@ -91,7 +90,6 @@ LOG_ERROR(errString); \
 goto clean; \
 };
 
-
 #define CHECK_STATUS2(__ERRMESSAGE__) if (status != SGX_SUCCESS) { \
 snprintf(errString, BUF_LEN, __ERRMESSAGE__, status); \
 LOG_ERROR(errString); \
@@ -138,10 +136,8 @@ void trustedEnclaveInit(uint64_t _logLevel) {
 
     LOG_INFO("Calling enclave init");
 
-
     enclave_init();
 
-
     LOG_INFO("Reading random");
 
     globalRandom = calloc(32,1);
@@ -228,7 +224,6 @@ void get_global_random(unsigned char *_randBuff, uint64_t _size) {
     memcpy(_randBuff, globalRandom, _size);
 }
 
-
 void sealHexSEK(int *errStatus, char *errString,
                         uint8_t *encrypted_sek, uint64_t *enc_len, char *sek_hex) {
     CALL_ONCE

sgxwall.cpp

@@ -55,6 +55,7 @@ void SGXWallet::printUsage() {
     cerr << "   -n  Use http instead of https. Default is to use https with a selg-signed server cert.  Insecure! \n";
     cerr << "   -c  Disable client authentication using certificates. Insecure!\n";
     cerr << "   -s  Sign client certificates without human confirmation. Insecure! \n";
+    cerr << "   -e  Only owner of the key can access it.\n";
 }
 
 
@@ -100,6 +101,7 @@ int main(int argc, char *argv[]) {
     bool checkClientCertOption = true;
     bool autoSignClientCertOption = false;
     bool generateTestKeys = false;
+    bool checkKeyOwnership = true;
 
     std::signal(SIGABRT, SGXWallet::signalHandler);
 
@@ -110,7 +112,7 @@ int main(int argc, char *argv[]) {
         exit(-21);
     }
 
-    while ((opt = getopt(argc, argv, "cshd0abyvVnT")) != -1) {
+    while ((opt = getopt(argc, argv, "cshd0abyvVneT")) != -1) {
         switch (opt) {
             case 'h':
                 SGXWallet::printUsage();
@@ -136,7 +138,11 @@ int main(int argc, char *argv[]) {
                 break;
             case 'n':
                 useHTTPSOption = false;
-                break;                
+                checkKeyOwnership = false;
+                break;
+            case 'e':
+                checkKeyOwnership = true;
+                break;
             case 'a':
                 enterBackupKeyOption = false;
                 break;
@@ -179,7 +185,7 @@ int main(int argc, char *argv[]) {
     }
 
     cerr << "Calling initAll ..." << endl;
-    initAll(enclaveLogLevel, checkClientCertOption, checkClientCertOption, autoSignClientCertOption, generateTestKeys);
+    initAll(enclaveLogLevel, checkClientCertOption, checkClientCertOption, autoSignClientCertOption, generateTestKeys, checkKeyOwnership);
     cerr << "Completed initAll." << endl;
 
     //check if test keys already exist

testw.cpp

@@ -73,7 +73,7 @@ public:
     TestFixture() {
         TestUtils::resetDB();
         setOptions(L_INFO, false, true);
-        initAll(L_INFO, false, false, true, false);
+        initAll(L_INFO, false, false, true, false, false);
     }
 
     ~TestFixture() {
@@ -87,7 +87,7 @@ public:
     TestFixtureHTTPS() {
         TestUtils::resetDB();
         setOptions(L_INFO, true, true);
-        initAll(L_INFO, false, true, true, false);
+        initAll(L_INFO, false, true, true, false, true);
     }
 
     ~TestFixtureHTTPS() {
@@ -101,7 +101,7 @@ public:
     TestFixtureZMQSign() {
         TestUtils::resetDB();
         setOptions(L_INFO, false, true);
-        initAll(L_INFO, false, true, true, false);
+        initAll(L_INFO, false, true, true, false, false);
     }
 
     ~TestFixtureZMQSign() {
@@ -114,7 +114,7 @@ class TestFixtureNoResetFromBackup {
 public:
     TestFixtureNoResetFromBackup() {
         setFullOptions(L_INFO, false, true, true);
-        initAll(L_INFO, false, false, true, false);
+        initAll(L_INFO, false, false, true, false, false);
     }
 
     ~TestFixtureNoResetFromBackup() {
@@ -128,7 +128,7 @@ class TestFixtureNoReset {
 public:
     TestFixtureNoReset() {
         setOptions(L_INFO, false, true);
-        initAll(L_INFO, false, false, true, false);
+        initAll(L_INFO, false, false, true, false, false);
     }
 
     ~TestFixtureNoReset() {

zmq_src/BLSSignRspMessage.cpp

-/*
-  Copyright (C) 2018-2019 SKALE Labs
-
-  This file is part of sgxwallet.
-
-  sgxwallet is free software: you can redistribute it and/or modify
-  it under the terms of the GNU Affero General Public License as published
-  by the Free Software Foundation, either version 3 of the License, or
-  (at your option) any later version.
-
-  sgxwallet is distributed in the hope that it will be useful,
-  but WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-  GNU Affero General Public License for more details.
-
-  You should have received a copy of the GNU Affero General Public License
-  along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
-
-  @file BLSRspSignMessage.cpp
-  @author Stan Kladko
-  @date 2020
-*/
-
-#include "BLSSignRspMessage.h"
-#include "SGXWalletServer.hpp"
-
-
-Json::Value BLSSignRspMessage::process() {
-    assert(false);
-}
\ No newline at end of file

zmq_src/BLSSignRspMessage.h

-/*
-  Copyright (C) 2018-2019 SKALE Labs
-
-  This file is part of sgxwallet.
-
-  sgxwallet is free software: you can redistribute it and/or modify
-  it under the terms of the GNU Affero General Public License as published
-  by the Free Software Foundation, either version 3 of the License, or
-  (at your option) any later version.
-
-  sgxwallet is distributed in the hope that it will be useful,
-  but WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-  GNU Affero General Public License for more details.
-
-  You should have received a copy of the GNU Affero General Public License
-  along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
-
-  @file BLSRspSignMessage.h
-  @author Stan Kladko
-  @date 2020
-*/
-
-#ifndef SGXWALLET_BLSSIGNRSPMSG_H
-#define SGXWALLET_BLSSIGNRSPMSG_H
-
-#include "ZMQMessage.h"
-
-class BLSSignRspMessage : public ZMQMessage {
-public:
-
-    BLSSignRspMessage(shared_ptr<rapidjson::Document>& _d) : ZMQMessage(_d) {};
-
-    virtual Json::Value process();
-
-    string getSigShare() {
-        return getStringRapid("signatureShare");
-    }
-
-};
-
-
-#endif //SGXWALLET_BLSSIGNRSPMSG_H

zmq_src/ECDSASignRspMessage.cpp

-/*
-  Copyright (C) 2018- SKALE Labs
-
-  This file is part of sgxwallet.
-
-  sgxwallet is free software: you can redistribute it and/or modify
-  it under the terms of the GNU Affero General Public License as published
-  by the Free Software Foundation, either version 3 of the License, or
-  (at your option) any later version.
-
-  sgxwallet is distributed in the hope that it will be useful,
-  but WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-  GNU Affero General Public License for more details.
-
-  You should have received a copy of the GNU Affero General Public License
-  along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
-
-  @file ECDSARspSignMessage.cpp
-  @author Stan Kladko
-  @date 2020
-*/
-
-#include "SGXWalletServer.hpp"
-
-#include "ECDSASignRspMessage.h"
-
-
-
-Json::Value ECDSASignRspMessage::process() {
-    // never called
-    assert(false);
-}
-
-string ECDSASignRspMessage::getSignature() {
-
-
-
-    string r = getStringRapid( "signature_r" );
-    string v = getStringRapid( "signature_v" );
-    string s = getStringRapid("signature_s" );
-
-    auto ret = v + ":" + r.substr( 2 ) + ":" + s.substr( 2 );
-
-    return ret;
-}

zmq_src/ECDSASignRspMessage.h

-/*
-  Copyright (C) 2018- SKALE Labs
-
-  This file is part of sgxwallet.
-
-  sgxwallet is free software: you can redistribute it and/or modify
-  it under the terms of the GNU Affero General Public License as published
-  by the Free Software Foundation, either version 3 of the License, or
-  (at your option) any later version.
-
-  sgxwallet is distributed in the hope that it will be useful,
-  but WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-  GNU Affero General Public License for more details.
-
-  You should have received a copy of the GNU Affero General Public License
-  along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
-
-  @file ECDSARspSignMessage.h
-  @author Stan Kladko
-  @date 2020
-*/
-
-#ifndef SGXWALLET_ECDSASIGNRSPMESSAGE_H
-#define SGXWALLET_ECDSASIGNRSPMESSAGE_H
-
-#include "ZMQMessage.h"
-
-class ECDSASignRspMessage : public ZMQMessage {
-public:
-
-    ECDSASignRspMessage(shared_ptr <rapidjson::Document> &_d) : ZMQMessage(_d) {};
-
-    virtual Json::Value process();
-
-    string getSignature();
-
-
-};
-
-
-#endif //SGXWALLET_ECDSASIGNRSPMESSAGE_H

zmq_src/ReqMessage.cpp

@@ -10,7 +10,7 @@
 
   sgxwallet is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
   GNU Affero General Public License for more details.
 
   You should have received a copy of the GNU Affero General Public License
@@ -31,6 +31,9 @@ Json::Value ECDSASignReqMessage::process() {
     auto base = getInt64Rapid("base");
     auto keyName = getStringRapid("keyName");
     auto hash = getStringRapid("messageHash");
+    if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
+        throw std::invalid_argument("Only owner of the key can access it");
+    }
     auto result = SGXWalletServer::ecdsaSignMessageHashImpl(base, keyName, hash);
     result["type"] = ZMQMessage::ECDSA_SIGN_RSP;
     return result;
@@ -41,6 +44,9 @@ Json::Value BLSSignReqMessage::process() {
     auto hash = getStringRapid("messageHash");
     auto t = getInt64Rapid("t");
     auto n = getInt64Rapid("n");
+    if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
+        throw std::invalid_argument("Only owner of the key can access it");
+    }
     auto result = SGXWalletServer::blsSignMessageHashImpl(keyName, hash, t, n);
     result["type"] = ZMQMessage::BLS_SIGN_RSP;
     return result;
@@ -50,6 +56,10 @@ Json::Value importBLSReqMessage::process() {
     auto keyName = getStringRapid("keyShareName");
     auto keyShare = getStringRapid("keyShare");
     auto result = SGXWalletServer::importBLSKeyShareImpl(keyShare, keyName);
+    if (checkKeyOwnership && result["status"] == 0) {
+        auto cert = getStringRapid("cert");
+        addKeyByOwner(keyName, cert);
+    }
     result["type"] = ZMQMessage::IMPORT_BLS_RSP;
     return result;
 }
@@ -58,18 +68,30 @@ Json::Value importECDSAReqMessage::process() {
     auto keyName = getStringRapid("keyName");
     auto key = getStringRapid("key");
     auto result = SGXWalletServer::importECDSAKeyImpl(key, keyName);
+    if (checkKeyOwnership && result["status"] == 0) {
+        auto cert = getStringRapid("cert");
+        addKeyByOwner(keyName, cert);
+    }
     result["type"] = ZMQMessage::IMPORT_ECDSA_RSP;
     return result;
 }
 
 Json::Value generateECDSAReqMessage::process() {
     auto result = SGXWalletServer::generateECDSAKeyImpl();
+    string keyName = result["keyName"].asString();
+    if (checkKeyOwnership && result["status"] == 0) {
+        auto cert = getStringRapid("cert");
+        addKeyByOwner(keyName, cert);
+    }
     result["type"] = ZMQMessage::GENERATE_ECDSA_RSP;
     return result;
 }
 
 Json::Value getPublicECDSAReqMessage::process() {
     auto keyName = getStringRapid("keyName");
+    if (checkKeyOwnership && !isKeyByOwner(keyName, getStringRapid("cert"))) {
+        throw std::invalid_argument("Only owner of the key can access it");
+    }
     auto result = SGXWalletServer::getPublicECDSAKeyImpl(keyName);
     result["type"] = ZMQMessage::GET_PUBLIC_ECDSA_RSP;
     return result;
@@ -79,12 +101,19 @@ Json::Value generateDKGPolyReqMessage::process() {
     auto polyName = getStringRapid("polyName");
     auto t = getInt64Rapid("t");
     auto result = SGXWalletServer::generateDKGPolyImpl(polyName, t);
+    if (checkKeyOwnership && result["status"] == 0) {
+        auto cert = getStringRapid("cert");
+        addKeyByOwner(polyName, cert);
+    }
     result["type"] = ZMQMessage::GENERATE_DKG_POLY_RSP;
     return result;
 }
 
 Json::Value getVerificationVectorReqMessage::process() {
     auto polyName = getStringRapid("polyName");
+    if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
+        throw std::invalid_argument("Only owner of the key can access it");
+    }
     auto t = getInt64Rapid("t");
     auto result = SGXWalletServer::getVerificationVectorImpl(polyName, t);
     result["type"] = ZMQMessage::GET_VV_RSP;
@@ -96,6 +125,9 @@ Json::Value getSecretShareReqMessage::process() {
     auto t = getInt64Rapid("t");
     auto n = getInt64Rapid("n");
     auto pubKeys = getJsonValueRapid("publicKeys");
+    if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
+        throw std::invalid_argument("Only owner of the key can access it");
+    }
     auto result = SGXWalletServer::getSecretShareV2Impl(polyName, pubKeys, t, n);
     result["type"] = ZMQMessage::GET_SECRET_SHARE_RSP;
     return result;
@@ -108,6 +140,9 @@ Json::Value dkgVerificationReqMessage::process() {
     auto idx = getInt64Rapid("index");
     auto pubShares = getStringRapid("publicShares");
     auto secretShare = getStringRapid("secretShare");
+    if (checkKeyOwnership && !isKeyByOwner(ethKeyName, getStringRapid("cert"))) {
+        throw std::invalid_argument("Only owner of the key can access it");
+    }
     auto result = SGXWalletServer::dkgVerificationV2Impl(pubShares, ethKeyName, secretShare, t, n, idx);
     result["type"] = ZMQMessage::DKG_VERIFY_RSP;
     return result;
@@ -120,13 +155,22 @@ Json::Value createBLSPrivateKeyReqMessage::process() {
     auto secretShare = getStringRapid("secretShare");
     auto t = getInt64Rapid("t");
     auto n = getInt64Rapid("n");
+    if (checkKeyOwnership && (!isKeyByOwner(ethKeyName, getStringRapid("cert")) || !isKeyByOwner(polyName, getStringRapid("cert")))) {
+        throw std::invalid_argument("Only owner of the key can access it");
+    }
     auto result = SGXWalletServer::createBLSPrivateKeyV2Impl(blsKeyName, ethKeyName, polyName, secretShare, t, n);
+    if (checkKeyOwnership && result["status"] == 0) {
+        addKeyByOwner(blsKeyName, getStringRapid("cert"));
+    }
     result["type"] = ZMQMessage::CREATE_BLS_PRIVATE_RSP;
     return result;
 }
 
 Json::Value getBLSPublicReqMessage::process() {
     auto blsKeyName = getStringRapid("blsKeyName");
+    if (checkKeyOwnership && !isKeyByOwner(blsKeyName, getStringRapid("cert"))) {
+        throw std::invalid_argument("Only owner of the key can access it");
+    }
     auto result = SGXWalletServer::getBLSPublicKeyShareImpl(blsKeyName);
     result["type"] = ZMQMessage::GET_BLS_PUBLIC_RSP;
     return result;
@@ -146,6 +190,9 @@ Json::Value complaintResponseReqMessage::process() {
     auto t = getInt64Rapid("t");
     auto n = getInt64Rapid("n");
     auto idx = getInt64Rapid("ind");
+    if (checkKeyOwnership && !isKeyByOwner(polyName, getStringRapid("cert"))) {
+        throw std::invalid_argument("Only owner of the key can access it");
+    }
     auto result = SGXWalletServer::complaintResponseImpl(polyName, t, n, idx);
     result["type"] = ZMQMessage::COMPLAINT_RESPONSE_RSP;
     return result;
@@ -179,6 +226,9 @@ Json::Value getServerVersionReqMessage::process() {
 
 Json::Value deleteBLSKeyReqMessage::process() {
     auto blsKeyName = getStringRapid("blsKeyName");
+    if (checkKeyOwnership && !isKeyByOwner(blsKeyName, getStringRapid("cert"))) {
+        throw std::invalid_argument("Only owner of the key can access it");
+    }
     auto result = SGXWalletServer::deleteBlsKeyImpl(blsKeyName);
     result["type"] = ZMQMessage::DELETE_BLS_KEY_RSP;
     return result;

zmq_src/ZMQClient.cpp

@@ -67,7 +67,7 @@ shared_ptr <ZMQMessage> ZMQClient::doRequestReply(Json::Value &_req) {
         CHECK_STATE(resultStr.front() == '{')
         CHECK_STATE(resultStr.back() == '}')
 
-        return ZMQMessage::parse(resultStr.c_str(), resultStr.size(), false, false);
+        return ZMQMessage::parse(resultStr.c_str(), resultStr.size(), false, false, false);
     } catch (std::exception &e) {
         spdlog::error(string("Error in doRequestReply:") + e.what());
         throw;

zmq_src/ZMQMessage.cpp

@@ -28,6 +28,7 @@
 #include <fstream>
 
 #include "ZMQClient.h"
+#include "LevelDB.h"
 #include "SGXWalletServer.hpp"
 #include "ReqMessage.h"
 #include "RspMessage.h"
@@ -75,7 +76,7 @@ string ZMQMessage::getStringRapid(const char *_name) {
 
 shared_ptr <ZMQMessage> ZMQMessage::parse(const char *_msg,
                                           size_t _size, bool _isRequest,
-                                          bool _verifySig) {
+                                          bool _verifySig, bool _checkKeyOwnership) {
 
     CHECK_STATE(_msg);
     CHECK_STATE2(_size > 5, ZMQ_INVALID_MESSAGE_SIZE);
@@ -149,16 +150,15 @@ shared_ptr <ZMQMessage> ZMQMessage::parse(const char *_msg,
         }
     }
 
-    shared_ptr <ZMQMessage> result;
-
     if (_isRequest) {
-        return buildRequest(type, d);
+        return buildRequest(type, d, _checkKeyOwnership);
     } else {
-        return buildResponse(type, d);
+        return buildResponse(type, d, _checkKeyOwnership);
     }
 }
 
-shared_ptr <ZMQMessage> ZMQMessage::buildRequest(string &_type, shared_ptr <rapidjson::Document> _d) {
+shared_ptr <ZMQMessage> ZMQMessage::buildRequest(string &_type, shared_ptr <rapidjson::Document> _d,
+                                                bool _checkKeyOwnership) {
     Requests r;
     try {
         int t = requests.at( _type );
@@ -231,10 +231,13 @@ shared_ptr <ZMQMessage> ZMQMessage::buildRequest(string &_type, shared_ptr <rapi
             break;
     }
 
+    ret->setCheckKeyOwnership(_checkKeyOwnership);
+
     return ret;
 }
 
-shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rapidjson::Document> _d) {
+shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rapidjson::Document> _d,
+                                                bool _checkKeyOwnership) {
     Responses r;
     try {
         int t = responses.at( _type );
@@ -309,9 +312,22 @@ shared_ptr <ZMQMessage> ZMQMessage::buildResponse(string &_type, shared_ptr <rap
             break;
     }
 
+    ret->setCheckKeyOwnership(_checkKeyOwnership);
+
     return ret;
 }
 
+std::map<string, string> ZMQMessage::keysByOwners;
+
+bool ZMQMessage::isKeyByOwner(const string& keyName, const string& cert) {
+    auto value = LevelDB::getLevelDb()->readString(keyName);
+    return value && *value == cert;
+}
+
+void ZMQMessage::addKeyByOwner(const string& keyName, const string& cert) {
+    SGXWalletServer::writeDataToDB(keyName, cert);
+}
+
 cache::lru_cache<string, pair < EVP_PKEY * , X509 *>> ZMQMessage::verifiedCerts(256);
 
 const std::map<string, int> ZMQMessage::requests{

zmq_src/ZMQMessage.h

@@ -51,6 +51,15 @@ class ZMQMessage {
 
     static cache::lru_cache<string, pair<EVP_PKEY*, X509*>> verifiedCerts;
 
+protected:
+    bool checkKeyOwnership = true;
+
+    static std::map<string, string> keysByOwners;
+
+    static bool isKeyByOwner(const string& keyName, const string& cert);
+
+    static void addKeyByOwner(const string& keyName, const string& cert);
+
 public:
 
     static constexpr const char *BLS_SIGN_REQ = "BLSSignReq";
@@ -127,11 +136,15 @@ public:
     }
 
     static shared_ptr <ZMQMessage> parse(const char* _msg, size_t _size, bool _isRequest,
-                                         bool _verifySig);
+                                         bool _verifySig, bool _checkKeyOwnership);
 
-    static shared_ptr<ZMQMessage> buildRequest(string& type, shared_ptr<rapidjson::Document> _d);
-    static shared_ptr<ZMQMessage> buildResponse(string& type, shared_ptr<rapidjson::Document> _d);
+    static shared_ptr<ZMQMessage> buildRequest(string& type, shared_ptr<rapidjson::Document> _d,
+                                                bool _checkKeyOwnership);
+    static shared_ptr<ZMQMessage> buildResponse(string& type, shared_ptr<rapidjson::Document> _d,
+                                                bool _checkKeyOwnership);
 
     virtual Json::Value process() = 0;
 
+    void setCheckKeyOwnership(bool _check) { checkKeyOwnership = _check; }
+
 };

zmq_src/ZMQServer.cpp

@@ -38,8 +38,8 @@ using namespace std;
 
 shared_ptr <ZMQServer> ZMQServer::zmqServer = nullptr;
 
-ZMQServer::ZMQServer(bool _checkSignature, const string &_caCertFile)
-        : checkSignature(_checkSignature),
+ZMQServer::ZMQServer(bool _checkSignature, bool _checkKeyOwnership, const string &_caCertFile)
+        : checkSignature(_checkSignature), checkKeyOwnership(_checkKeyOwnership),
           caCertFile(_caCertFile), ctx(make_shared<zmq::context_t>(1)) {
 
     socket = make_shared<zmq::socket_t>(*ctx, ZMQ_ROUTER);
@@ -94,12 +94,13 @@ void ZMQServer::exitZMQServer() {
     spdlog::info("Exited zmq server.");
 }
 
-void ZMQServer::initZMQServer(bool _checkSignature) {
+void ZMQServer::initZMQServer(bool _checkSignature, bool _checkKeyOwnership) {
     static bool initedServer = false;
     CHECK_STATE(!initedServer)
     initedServer = true;
 
-    spdlog::info("Initing zmq server. checkSignature is set to {}", _checkSignature);
+    spdlog::info("Initing zmq server.\n checkSignature is set to {}.\n checkKeyOwnership is set to {}",
+                _checkSignature, _checkKeyOwnership);
 
     string rootCAPath = "";
 
@@ -109,7 +110,7 @@ void ZMQServer::initZMQServer(bool _checkSignature) {
         CHECK_STATE(access(rootCAPath.c_str(), F_OK) == 0);
     };
 
-    zmqServer = make_shared<ZMQServer>(_checkSignature, rootCAPath);
+    zmqServer = make_shared<ZMQServer>(_checkSignature, _checkKeyOwnership, rootCAPath);
 
     CHECK_STATE(zmqServer)
 
@@ -179,7 +180,7 @@ void ZMQServer::doOneServerLoop() {
         CHECK_STATE(stringToParse.back() == '}')
 
         auto parsedMsg = ZMQMessage::parse(
-                stringToParse.c_str(), stringToParse.size(), true, checkSignature);
+                stringToParse.c_str(), stringToParse.size(), true, checkSignature, checkKeyOwnership);
 
         CHECK_STATE2(parsedMsg, ZMQ_COULD_NOT_PARSE);
 

zmq_src/ZMQServer.h

@@ -14,7 +14,7 @@
     GNU Affero General Public License for more details.
 
     You should have received a copy of the GNU Affero General Public License
-    along with sgxwallet.  If not, see <https://www.gnu.org/licenses/>.
+    along with sgxwallet. If not, see <https://www.gnu.org/licenses/>.
 
     @file ZMQServer.h
     @author Stan Kladko
@@ -52,16 +52,18 @@ public:
 
     static shared_ptr<std::thread> serverThread;
 
-    ZMQServer(bool _checkSignature, const string& _caCertFile);
+    ZMQServer(bool _checkSignature, bool _checkKeyOwnership, const string& _caCertFile);
 
     ~ZMQServer();
 
     void run();
 
-    static void initZMQServer(bool _checkSignature);
+    static void initZMQServer(bool _checkSignature, bool _checkKeyOwnership);
     static void exitZMQServer();
 
 private:
+    bool checkKeyOwnership = true;
+
     shared_ptr<zmq::context_t> ctx;
     shared_ptr<zmq::socket_t> socket;