Skip to content

S
sgxwallet
Unverified Commit 88d3322b authored by Oleh Nikolaiev's avatar Oleh Nikolaiev Committed by GitHub
Browse files
Options

Merge branch 'develop' into feature/SKALE-4110-use-latest-sgx

parents 1d9d36d0 4bcbcf5f
Hide whitespace changes
Inline Side-by-side
Showing with 48 additions and 57 deletions
.github/workflows/dockerimage.yml
View file @ 88d3322b
......@@ -22,7 +22,7 @@ jobs:
- name: deploy docker image
if: |
contains(github.ref, 'develop') || contains(github.ref, 'beta') ||
contains(github.ref, 'master') || contains(github.ref, 'stable') ||
contains(github.ref, 'master') ||
contains(github.ref, 'SECURE_ENCLAVE_CHANGES')
run : |
export BRANCH=${GITHUB_REF##*/}
......@@ -39,7 +39,7 @@ jobs:
env:
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
- name: Create Release
if: contains(github.ref, 'develop') || contains(github.ref, 'beta') || contains(github.ref, 'master') || contains(github.ref, 'stable')
if: contains(github.ref, 'develop') || contains(github.ref, 'beta') || contains(github.ref, 'master')
id: create_release
uses: actions/create-release@latest
env:
......
.github/workflows/dockerimagesim.yml
View file @ 88d3322b
......@@ -23,10 +23,6 @@ jobs:
- name: test
run: python3 scripts/docker_test.py DockerfileSimulation sgxwallet_sim
- name: build and deploy docker image
if: |
contains(github.ref, 'develop') || contains(github.ref, 'beta') ||
contains(github.ref, 'master') || contains(github.ref, 'stable') ||
contains(github.ref, 'SECURE_ENCLAVE_CHANGES')
run : |
sudo rm -rf /home/runner/work/sgxwallet/sgxwallet/sgx_data
export BRANCH=${GITHUB_REF##*/}
......
ServerWorker.cpp
View file @ 88d3322b
......@@ -82,30 +82,12 @@ void ServerWorker::doOneServerLoop() noexcept {
}
} while (pollResult == 0);
zmq::message_t msg;
zmq::message_t copied_msg;
worker->recv(&identity);
copied_id.copy(&identity);
worker->recv(&msg);
int64_t more;
size_t more_size = sizeof(more);
auto rc = zmq_getsockopt(*worker, ZMQ_RCVMORE, &more, &more_size);
CHECK_STATE2(rc == 0, ZMQ_COULD_NOT_GET_SOCKOPT);
vector <uint8_t> msgData(msg.size() + 1, 0);
memcpy(msgData.data(), msg.data(), msg.size());
CHECK_STATE2(msg.size() > 5 || msgData.at(0) == '{' || msgData[msg.size()] == '}',
ZMQ_INVALID_MESSAGE);
memcpy(msgData.data(), msg.data(), msg.size());
string stringToParse = s_recv(*worker);
auto parsedMsg = ZMQMessage::parse(
(const char *) msgData.data(), msg.size(), true, checkSignature);
stringToParse.c_str(), stringToParse.size(), true, checkSignature);
CHECK_STATE2(parsedMsg, ZMQ_COULD_NOT_PARSE);
......@@ -133,17 +115,16 @@ void ServerWorker::doOneServerLoop() noexcept {
try {
Json::FastWriter fastWriter;
fastWriter.omitEndingLineFeed();
replyStr = fastWriter.write(result);
replyStr = replyStr.substr(0, replyStr.size() - 1);
CHECK_STATE(replyStr.size() > 2);
CHECK_STATE(replyStr.front() == '{');
CHECK_STATE(replyStr.back() == '}');
zmq::message_t replyMsg(replyStr.c_str(), replyStr.size() + 1);
worker->send(copied_id, ZMQ_SNDMORE);
worker->send(replyMsg);
s_send(*worker, replyStr);
} catch (std::exception &e) {
if (isExitRequested) {
......
ZMQClient.cpp
View file @ 88d3322b
......@@ -112,9 +112,7 @@ string ZMQClient::doZmqRequestReply(string &_req) {
// If we got a reply, process it
if (items[0].revents & ZMQ_POLLIN) {
string reply = s_recv(*clientSocket);
CHECK_STATE(reply.size() > 5);
reply = reply.substr(0, reply.size() - 1);
spdlog::debug("ZMQ client received reply:{}", reply);
CHECK_STATE(reply.front() == '{');
CHECK_STATE(reply.back() == '}');
......@@ -285,28 +283,28 @@ ZMQClient::ZMQClient(const string &ip, uint16_t port, bool _sign, const string &
}
void ZMQClient::reconnect() {
lock_guard <recursive_mutex> lock(mutex);
lock_guard< recursive_mutex > lock( mutex );
auto pid = getProcessID();
if (clientSockets.count(pid) > 0) {
clientSockets.erase(pid);
if ( clientSockets.count( pid ) > 0 ) {
clientSockets.erase( pid );
}
uint64_t randNumber;
CHECK_STATE(getrandom( &randNumber, sizeof(uint64_t), 0 ) == sizeof(uint64_t));
char identity[10];
getrandom(identity, 10, 0);
auto clientSocket = make_shared<zmq::socket_t>(ctx, ZMQ_DEALER);
clientSocket->setsockopt(ZMQ_IDENTITY, identity, 10);
string identity = to_string(135) + ":" + to_string(randNumber);
auto clientSocket = make_shared< zmq::socket_t >( ctx, ZMQ_DEALER );
clientSocket->setsockopt( ZMQ_IDENTITY, identity.c_str(), identity.size() + 1);
// Configure socket to not wait at close time
int linger = 0;
clientSocket->setsockopt(ZMQ_LINGER, &linger, sizeof(linger));
clientSocket->connect(url);
clientSockets.insert({pid, clientSocket});
clientSocket->setsockopt( ZMQ_LINGER, &linger, sizeof( linger ) );
clientSocket->connect( url );
clientSockets.insert( { pid, clientSocket } );
}
string ZMQClient::blsSignMessageHash(const std::string &keyShareName, const std::string &messageHash, int t, int n) {
Json::Value p;
p["type"] = ZMQMessage::BLS_SIGN_REQ;
......
ZMQServer.cpp
View file @ 88d3322b
......@@ -49,7 +49,7 @@ ZMQServer::ZMQServer(bool _checkSignature, const string &_caCertFile)
workerThreads = 4; // do four threads for now
workerThreads = 1; // do one thread for now
if (_checkSignature) {
CHECK_STATE(!_caCertFile.empty());
......@@ -107,6 +107,9 @@ void ZMQServer::run() {
throw SGXException(ZMQ_COULD_NOT_CREATE_WORKERS, "Could not create zmq server workers.");
};
spdlog::info("Created {} zmq server workers ...", workerThreads);
spdlog::info("Creating zmq proxy.");
try {
zmq::proxy(static_cast<void *>(*frontend), static_cast<void *>(*backend), nullptr);
......
common.h
View file @ 88d3322b
......@@ -103,14 +103,12 @@ inline int getValue() { //Note: this value is in KB!
#define CHECK_STATE(_EXPRESSION_) \
if (!(_EXPRESSION_)) { \
auto __msg__ = std::string("State check failed::") + #_EXPRESSION_ + " " + std::string(__FILE__) + ":" + std::to_string(__LINE__); \
print_stack(__LINE__); \
\
BOOST_THROW_EXCEPTION(SGXException(-100, string(__CLASS_NAME__) + ":" + __msg__));}
#define CHECK_STATE2(_EXPRESSION_, __STATUS__) \
if (!(_EXPRESSION_)) { \
auto __msg__ = std::string("State check failed::") + #_EXPRESSION_ + " " + std::string(__FILE__) + ":" + std::to_string(__LINE__); \
print_stack(__LINE__); \
\
BOOST_THROW_EXCEPTION(SGXException(__STATUS__, string(__CLASS_NAME__) + ":" + __msg__));}
......
docs/healthchecks.md
View file @ 88d3322b
......@@ -10,11 +10,11 @@
To verify JSON-RPC server inside SGXWallet is up running execute one of the following commands:
```bash
curl --cert PATH_TO_CERTS/file.crt --key PATH_TO_CERTS/file.key -X POST --data '{"jsonrpc":"2.0","id":1,"method":"getServerStatus","params":{}}' -H 'content-type:application/json;' YOUR_SGX_SERVER_URL -k
curl --cert <PATH_TO_CERTS>/file.crt --key <PATH_TO_CERTS>/file.key -X POST --data '{"jsonrpc":"2.0","id":1,"method":"getServerStatus","params":{}}' -H 'content-type:application/json;' <YOUR_SGX_SERVER_URL> -k
```
```bash
curl --cert PATH_TO_CERTS/file.crt --key PATH_TO_CERTS/file.key -X POST --data '{"jsonrpc":"2.0","id":2,"method":"getServerVersion","params":{}}' -H 'content-type:application/json;' YOUR_SGX_SERVER_URL -k
curl --cert <PATH_TO_CERTS>/file.crt --key <PATH_TO_CERTS>/file.key -X POST --data '{"jsonrpc":"2.0","id":2,"method":"getServerVersion","params":{}}' -H 'content-type:application/json;' <YOUR_SGX_SERVER_URL> -k
```
If server does not respond or response contains error message than you should restart your SGXWallet.
......@@ -25,20 +25,20 @@ To verify Secure Enclave part of SGXWallet is configured and initialized in a pr
1.
```bash
curl --cert PATH_TO_CERTS/file.crt --key PATH_TO_CERTS/file.key -X POST --data '{"jsonrpc":"2.0","id":3,"method":"importBLSKeyShare","params":{"keyShare":"0xe632f7fde2c90a073ec43eaa90dca7b82476bf28815450a11191484934b9c3f", "keyShareName":"BLS_KEY:SCHAIN_ID:123456789:NODE_ID:0:DKG_ID:0"}}' -H 'content-type:application/json;' YOUR_SGX_SERVER_URL -k
curl --cert <PATH_TO_CERTS>/file.crt --key <PATH_TO_CERTS>/file.key -X POST --data '{"jsonrpc":"2.0","id":3,"method":"importBLSKeyShare","params":{"keyShare":"0xe632f7fde2c90a073ec43eaa90dca7b82476bf28815450a11191484934b9c3f", "keyShareName":"BLS_KEY:SCHAIN_ID:123456789:NODE_ID:0:DKG_ID:0"}}' -H 'content-type:application/json;' <YOUR_SGX_SERVER_URL> -k
```
```bash
curl --cert PATH_TO_CERTS/file.crt --key PATH_TO_CERTS/file.key -X POST --data '{"jsonrpc":"2.0","id":4,"method":"blsSignMessageHash","params":{"keyShareName":"BLS_KEY:SCHAIN_ID:123456789:NODE_ID:0:DKG_ID:0", "t":1, "n":1, "messageHash":"09c6137b97cdf159b9950f1492ee059d1e2b10eaf7d51f3a97d61f2eee2e81db"}}' -H 'content-type:application/json;' YOUR_SGX_SERVER_URL -k
curl --cert <PATH_TO_CERTS>/file.crt --key <PATH_TO_CERTS>/file.key -X POST --data '{"jsonrpc":"2.0","id":4,"method":"blsSignMessageHash","params":{"keyShareName":"BLS_KEY:SCHAIN_ID:123456789:NODE_ID:0:DKG_ID:0", "t":1, "n":1, "messageHash":"09c6137b97cdf159b9950f1492ee059d1e2b10eaf7d51f3a97d61f2eee2e81db"}}' -H 'content-type:application/json;' <YOUR_SGX_SERVER_URL> -k
```
2.
```bash
curl --cert PATH_TO_CERTS/file.crt --key PATH_TO_CERTS/file.key -X POST --data '{"jsonrpc":"2.0","id":5,"method":"importECDSAKey","params":{"key":"0xe632f7fde2c90a073ec43eaa90dca7b82476bf28815450a11191484934b9c3f", "keyName":"NEK:abcdef"}}' -H 'content-type:application/json;' YOUR_SGX_SERVER_URL -k
curl --cert <PATH_TO_CERTS>/file.crt --key <PATH_TO_CERTS>/file.key -X POST --data '{"jsonrpc":"2.0","id":5,"method":"importECDSAKey","params":{"key":"0xe632f7fde2c90a073ec43eaa90dca7b82476bf28815450a11191484934b9c3f", "keyName":"NEK:abcdef"}}' -H 'content-type:application/json;' <YOUR_SGX_SERVER_URL> -k
```
```bash
curl --cert PATH_TO_CERTS/file.crt --key PATH_TO_CERTS/file.key -X POST --data '{"jsonrpc":"2.0","id":6,"method":"ecdsaSignMessageHash","params":{"keyName":"NEK:abcdef", "base":16, "messageHash":"09c6137b97cdf159b9950f1492ee059d1e2b10eaf7d51f3a97d61f2eee2e81db"}}' -H 'content-type:application/json;' YOUR_SGX_SERVER_URL -k
curl --cert <PATH_TO_CERTS>/file.crt --key <PATH_TO_CERTS>/file.key -X POST --data '{"jsonrpc":"2.0","id":6,"method":"ecdsaSignMessageHash","params":{"keyName":"NEK:abcdef", "base":16, "messageHash":"09c6137b97cdf159b9950f1492ee059d1e2b10eaf7d51f3a97d61f2eee2e81db"}}' -H 'content-type:application/json;' <YOUR_SGX_SERVER_URL> -k
```
Any error during one of the calls means that SGXWallet is misconfigured and will not work as you expect. Please try to run SGXWallet in backup mode.
run_sgx/docker-compose.yml
View file @ 88d3322b
version: '3'
services:
sgxwallet:
image: skalenetwork/sgxwallet_signed:latest
image: skalenetwork/sgxwallet_release:latest
restart: unless-stopped
ports:
- "1026:1026"
......@@ -9,6 +9,7 @@ services:
- "1028:1028"
- "1029:1029"
- "1030:1030"
- "1031:1031"
devices:
- "/dev/isgx"
- "/dev/mei0"
......
run_sgx_sim/docker-compose.yml
View file @ 88d3322b
......@@ -9,6 +9,7 @@ services:
- "1028:1028"
- "1029:1029"
- "1030:1030"
- "1031:1031"
volumes:
- ./sgx_data:/usr/src/sdk/sgx_data
- /dev/urandom:/dev/random
......
secure_enclave/secure_enclave.c
View file @ 88d3322b
......@@ -155,7 +155,7 @@ void trustedEnclaveInit(uint64_t _logLevel) {
}
LOG_INFO("Successfully inited enclave. Signed enclave version:" SIGNED_ENCLAVE_VERSION );
#ifndef SGX_DEBUG
#ifdef SGX_DEBUG
LOG_INFO("SECURITY WARNING: sgxwallet is running in INSECURE DEBUG MODE! NEVER USE IN PRODUCTION!");
#endif
......
sgxwall.cpp
View file @ 88d3322b
......@@ -178,11 +178,24 @@ int main(int argc, char *argv[]) {
enclaveLogLevel = L_TRACE;
}
cerr << "Calling initAll ..." << endl;
initAll(enclaveLogLevel, checkClientCertOption, checkClientCertOption, autoSignClientCertOption, generateTestKeys);
cerr << "Completed initAll." << endl;
ifstream is("sgx_data/4node.json");
if (generateTestKeys && !is.good() && !!ExitHandler::shouldExit()) {
//check if test keys already exist
string TEST_KEYS_4_NODE = "sgx_data/4node.json";
ifstream is(TEST_KEYS_4_NODE);
auto keysExist = is.good();
if (keysExist) {
cerr << "Found test keys." << endl;
}
if (generateTestKeys && !keysExist && !ExitHandler::shouldExit()) {
cerr << "Generating test keys ..." << endl;
HttpClient client(RPC_ENDPOINT);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment