SKALE-2003 Add entering back up key

b62cce03 · svetaro · 659c830a · b62cce03 · b62cce03 · b62cce03
Unverified Commit b62cce03 authored 5 years ago by svetaro
9 changed files
--- a/SEKManager.cpp
+++ b/SEKManager.cpp
@@ -33,6 +33,9 @@
 #include "common.h"
 #include "sgxwallet.h"

+#include "ServerDataChecker.h"
+#include "spdlog/spdlog.h"
+
 bool case_insensitive_match(string s1, string s2) {
  //convert s1 and s2 into lower case strings
  transform(s1.begin(), s1.end(), s1.begin(), ::tolower);
@@ -40,7 +43,7 @@ bool case_insensitive_match(string s1, string s2) {
  return s1.compare(s2);
 }

-void generate_SEK(){
+void gen_SEK(){

  vector<char> errMsg(1024,0);
  int err_status = 0;
@@ -56,7 +59,7 @@ void generate_SEK(){
    throw RPCException(status, errMsg.data()) ;
  }

-  vector<char> hexEncrKey(2*enc_len + 1, 0);
+  vector<char> hexEncrKey(2 * enc_len + 1, 0);

  carray2Hex(encr_SEK.data(), enc_len, hexEncrKey.data());

@@ -103,3 +106,47 @@ void set_SEK(std::shared_ptr<std::string> hex_encr_SEK){
 //  for ( uint32_t i = 0; i < 1024; i++)
 //     printf("%d ", errMsg[i]);
 }
+
+void enter_SEK(){
+  vector<char> errMsg(1024,0);
+  int err_status = 0;
+  vector<uint8_t> encr_SEK(BUF_LEN, 0);
+  uint32_t enc_len;
+
+  std::string SEK;
+  std::cout << "ENTER BACKUP KEY" << std::endl;
+  std::cin >> SEK;
+  while (!checkHex(SEK, 16)){
+    std::cout << "KEY IS INVALID.TRY ONCE MORE" << std::endl;
+    SEK = "";
+    std::cin >> SEK;
+  }
+  if (DEBUG_PRINT)
+    std::cerr << "your key is " << SEK << std::endl;
+
+  status = set_SEK_backup(eid, &err_status, errMsg.data(), encr_SEK.data(), &enc_len, SEK.c_str() );
+  if (status != SGX_SUCCESS){
+    cerr << "RPCException thrown with status " << status << endl;
+    throw RPCException(status, errMsg.data()) ;
+  }
+
+  vector<char> hexEncrKey(2 * enc_len + 1, 0);
+
+  carray2Hex(encr_SEK.data(), enc_len, hexEncrKey.data());
+
+  LevelDB::getLevelDb() -> deleteKey("SEK");
+  LevelDB::getLevelDb() -> writeDataUnique("SEK", hexEncrKey.data());
+}
+
+void init_SEK(){
+  std::shared_ptr<std::string> encr_SEK_ptr = LevelDB::getLevelDb()->readString("SEK");
+  if (encr_SEK_ptr == nullptr){
+    spdlog::info("SEK was not created yet. Going to create SEK");
+    gen_SEK();
+  }
+  else{
+    if (DEBUG_PRINT)
+      spdlog::info("going to set SEK from db" );
+    set_SEK(encr_SEK_ptr);
+  }
+}
--- a/SEKManager.h
+++ b/SEKManager.h
@@ -24,11 +24,29 @@
 #ifndef SGXD_SEKMANAGER_H
 #define SGXD_SEKMANAGER_H

+
+#ifdef __cplusplus
 #include <string>
 #include <memory>
+#endif
+

-void generate_SEK();

+void gen_SEK();
+
+#ifdef __cplusplus
 void set_SEK(std::shared_ptr<std::string> hex_encr_SEK);
+#endif
+
+#ifdef __cplusplus
+#define EXTERNC extern "C"
+#else
+#define EXTERNC
+#endif
+
+EXTERNC void enter_SEK();
+
+EXTERNC void init_SEK();
+

 #endif //SGXD_SEKMANAGER_H
--- a/ServerDataChecker.cpp
+++ b/ServerDataChecker.cpp
@@ -72,8 +72,8 @@ bool checkECDSAKeyName(const string& keyName) {

 bool checkHex(const string& hex, const uint32_t sizeInBytes){
  if ( hex.length() > sizeInBytes * 2 || hex.length() == 0){
-    spdlog::error("public key is too long or zero - ", hex.length());
-    std::cerr << "public key length is " << hex.length() << std::endl;
+    spdlog::error("key is too long or zero - ", hex.length());
+    std::cerr << "key length is " << hex.length() << std::endl;
    return false;
  }

@@ -81,7 +81,7 @@ bool checkHex(const string& hex, const uint32_t sizeInBytes){
  mpz_init(num);

  if ( mpz_set_str(num, hex.c_str(), 16) == -1){
-    spdlog::error("public key is not hex {}", hex);
+    spdlog::error("key is not hex {}", hex);
    mpz_clear(num);
    return false;
  }

--- a/ServerInit.cpp
+++ b/ServerInit.cpp
@@ -52,7 +52,7 @@
 #include "BLSCrypto.h"
 #include "ServerInit.h"

-#include "SEKManager.h"
+

 #include <iostream>

@@ -67,21 +67,13 @@

 //#include <system>

+
+
 void init_daemon() {

    libff::init_alt_bn128_params();

    LevelDB::initDataFolderAndDBs();
-
-    std::shared_ptr<std::string> encr_SEK_ptr = LevelDB::getLevelDb()->readString("SEK");
-    if (encr_SEK_ptr == nullptr){
-      spdlog::info("SEK was not created yet");
-      generate_SEK();
-    }
-    else{
-      std::cerr << "going to set SEK from db" << std::endl;
-      set_SEK(encr_SEK_ptr);
-    }
 }


@@ -137,13 +129,14 @@ void init_enclave() {

 int sgxServerInited = 0;

-void init_all(bool check_cert, bool sign_automatically) {
+void init_all(bool check_cert, bool sign_automatically, void (*SEK_func)()) {
    //spdlog::set_pattern("%c");
    if (sgxServerInited == 1)
        return;
    init_enclave();
    init_daemon();
-
+    //init_SEK();
+    SEK_func();

    sgxServerInited = 1;


--- a/ServerInit.h
+++ b/ServerInit.h
@@ -30,12 +30,12 @@
 #define EXTERNC
 #endif

-
-EXTERNC void init_all(bool check_cert, bool sign_automatically);
+EXTERNC void init_all(bool check_cert, bool sign_automatically, void (*func)());

 EXTERNC void init_daemon();

-EXTERNC  void init_enclave();
+EXTERNC void init_enclave();
+


 #endif //SGXWALLET_SERVERINIT_H
--- a/secure_enclave/secure_enclave.c
+++ b/secure_enclave/secure_enclave.c
@@ -955,6 +955,26 @@ void set_SEK(int *err_status, char *err_string, uint8_t *encrypted_SEK, uint64_t

 }

+void set_SEK_backup(int *err_status, char *err_string,
+                    uint8_t *encrypted_SEK, uint32_t *enc_len, const char* SEK_hex){
+
+  uint64_t len;
+  hex2carray(SEK_hex, &len, (uint8_t* )AES_key);
+
+  uint32_t sealedLen = sgx_calc_sealed_data_size(0, strlen(SEK_hex) + 1);
+
+  sgx_status_t status = sgx_seal_data(0, NULL, strlen(SEK_hex) + 1, SEK_hex, sealedLen,(sgx_sealed_data_t*)encrypted_SEK);
+  if( status !=  SGX_SUCCESS) {
+    snprintf(err_string, BUF_LEN, "seal SEK failed with status %d", status);
+    *err_status = status;
+    return;
+  }
+
+  //strncpy(SEK_hex, SEK, hex_aes_key_length);
+
+  *enc_len = sealedLen;
+}
+
 void generate_ecdsa_key_aes(int *err_status, char *err_string,
                        uint8_t *encrypted_key, uint32_t *enc_len, char * pub_key_x, char * pub_key_y) {


--- a/secure_enclave/secure_enclave.edl
+++ b/secure_enclave/secure_enclave.edl
@@ -178,6 +178,13 @@ enclave {
                                [in, count = 1024] uint8_t *encrypted_SEK,
                                uint64_t encr_len);

+                public void set_SEK_backup(
+                                [user_check] int *err_status,
+                                [out, count = 1024] char *err_string,
+                                [out, count = 1024] uint8_t *encrypted_SEK,
+                                [user_check] uint32_t *enc_len,
+                                [in, count = 65] const char* SEK_hex);
+
                public void generate_ecdsa_key_aes (
                                [user_check] int *err_status,
                                [out, count = 1024] char* err_string,

--- a/sgxwallet.c
+++ b/sgxwallet.c
@@ -38,9 +38,13 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #include "BLSCrypto.h"
 #include "ServerInit.h"

+#include "SEKManager.h"
+
+
 #include <stdbool.h>


+
 void usage() {
  fprintf(stderr, "usage: sgxwallet\n");
  exit(1);
@@ -52,7 +56,8 @@ sgx_status_t status;
 int updated;

 int main(int argc, char *argv[]) {
-
+  void (*SEK_initializer)();
+  SEK_initializer = init_SEK;
  bool check_client_cert = true;
  bool sign_automatically = false;
  int opt;
@@ -62,7 +67,7 @@ int main(int argc, char *argv[]) {
    exit(1);
  }

-  while ((opt = getopt(argc, argv, "cshd0a")) != -1) {
+  while ((opt = getopt(argc, argv, "cshd0ab")) != -1) {
    switch (opt) {
    case 'h':
      if (strlen(argv[1]) == 2 ) {
@@ -70,6 +75,7 @@ int main(int argc, char *argv[]) {
        fprintf(stderr, "-s  client certificate will be signed automatically\n");
        fprintf(stderr, "-d  turn on debug output\n");
        fprintf(stderr, "-0  SGXWalletServer will be launched on http (not https)\n");
+        fprintf(stderr, "-b  Enter backup key\n");
        exit(0);
      } else {
        fprintf(stderr, "unknown flag %s\n", argv[1]);
@@ -90,13 +96,16 @@ int main(int argc, char *argv[]) {
    case 'a':
      is_aes = 1;
      break;
+    case 'b':
+      SEK_initializer = enter_SEK;
+      break;
    case '?': // fprintf(stderr, "unknown flag\n");
      exit(1);
    default:
      break;
    }
  }
-  init_all(check_client_cert, sign_automatically);
+  init_all(check_client_cert, sign_automatically, SEK_initializer);

  while (true) {
      sleep(10);

--- a/testw.cpp
+++ b/testw.cpp
@@ -78,6 +78,8 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #include "BLSPublicKeyShare.h"
 #include "BLSPublicKey.h"

+#include "SEKManager.h"
+
 #include <thread>
 #include "common.h"

@@ -143,7 +145,7 @@ TEST_CASE("BLS key encrypt", "[bls-key-encrypt]") {

   DEBUG_PRINT = 1;
   is_sgx_https = 0;
-    init_all(false, false);
+    init_all(false, false, init_SEK);
    char* key = encryptTestKey();
    REQUIRE(key != nullptr);

@@ -156,7 +158,7 @@ TEST_CASE("BLS key encrypt/decrypt", "[bls-key-encrypt-decrypt]") {
      DEBUG_PRINT = 1;
      is_sgx_https = 0;

-      init_all(false, false);
+      init_all(false, false, init_SEK);
        //init_enclave();

        int errStatus =  -1;
@@ -680,7 +682,7 @@ TEST_CASE("BLS_DKG test", "[bls_dkg]") {
  is_sgx_https = 0;
  DEBUG_PRINT = 1;
  cerr<< "test started" << endl;
-  init_all(false, false);
+  init_all(false, false, init_SEK);
  cerr << "Server inited" << endl;
  HttpClient client("http://localhost:1029");
  StubClient c(client, JSONRPC_CLIENT_V2);
@@ -810,7 +812,7 @@ TEST_CASE("API test", "[api_test]") {
    is_sgx_https = 0;
  //cerr << __GNUC__ << endl;
    cerr << "API test started" << endl;
-    init_all(false, false);
+    init_all(false, false, init_SEK);
    //HttpServer httpserver(1025);
    //SGXWalletServer s(httpserver,
    //                JSONRPC_SERVER_V2); // hybrid server (json-rpc 1.0 & 2.0)
@@ -910,7 +912,7 @@ TEST_CASE("API test", "[api_test]") {

 TEST_CASE("getServerStatus test", "[getServerStatus_test]") {
  is_sgx_https = 0;
-  init_all( false, false );
+  init_all( false, false, init_SEK );
  HttpClient client("http://localhost:1029");
  StubClient c(client, JSONRPC_CLIENT_V2);
  REQUIRE(c.getServerStatus()["status"] == 0);
@@ -1035,7 +1037,7 @@ TEST_CASE("ManySimultaneousThreads", "[many_threads_test]") {
  DEBUG_PRINT = 1;
  is_aes = 1;

-  init_all( false, false );
+  init_all( false, false, init_SEK );

  vector<thread> threads;
  int num_threads = 4;
@@ -1056,7 +1058,7 @@ TEST_CASE("ecdsa API test", "[ecdsa_api_test]") {
  is_aes = 1;

  cerr << "ecdsa_api_test started" << endl;
-  init_all(false, false);
+  init_all(false, false, init_SEK);

  cerr << "Server inited" << endl;
  HttpClient client("http://localhost:1029");
@@ -1105,7 +1107,7 @@ TEST_CASE("dkg API test", "[dkg_api_test]") {
  is_sgx_https = 0;

  cerr << "dkg_api_test started" << endl;
-  init_all(false, false);
+  init_all(false, false, init_SEK);

  cerr << "Server inited" << endl;
  HttpClient client("http://localhost:1029");
@@ -1179,7 +1181,7 @@ TEST_CASE("isPolyExists test", "[is_poly_test]") {
  is_sgx_https = 0;

  cerr << "is_poly_test started" << endl;
-  init_all(false, false);
+  init_all(false, false, init_SEK);

  cerr << "Server inited" << endl;
  HttpClient client("http://localhost:1029");
@@ -1211,7 +1213,7 @@ TEST_CASE("AES_DKG test", "[aes_dkg]") {
  reset_db();

  std::cerr << "test started" << std::endl;
-  init_all(false, false);
+  init_all(false, false, init_SEK);
  cerr << "Server inited" << endl;
  HttpClient client("http://localhost:1029");
  StubClient c(client, JSONRPC_CLIENT_V2);
@@ -1339,7 +1341,7 @@ TEST_CASE("bls_sign_api test", "[bls_sign]") {
  is_aes = 1;

  std::cerr << "test started" << std::endl;
-  init_all(false, false);
+  init_all(false, false, init_SEK);
  cerr << "Server inited" << endl;
  HttpClient client("http://localhost:1029");
  StubClient c(client, JSONRPC_CLIENT_V2);