Add: --client-certificate option to cenclave-run.sh

Cosmian · Dec 19, 2024 · 33ad6f6 · 33ad6f6
1 parent 7e20039
commit 33ad6f6
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/cenclave-run.sh b/cenclave-run.sh
@@ -3,7 +3,7 @@
 set -e
 
 usage() {
-    echo "cenclave-run usage: $0 --application <module:application> --size <size> --san <domain_name> --id <uuid> [--host <host>] [--port <port>] [--subject <subject>] [--expiration <expiration_timestamp>] [--timeout <seconds>] [--dry-run] [--memory] [--force] [--debug]"
+    echo "cenclave-run usage: $0 --application <module:application> --size <size> --san <domain_name> --id <uuid> [--host <host>] [--port <port>] [--subject <subject>] [--expiration <expiration_timestamp>] [--timeout <seconds>] [--client-certificate <pem_certificate>] [--dry-run] [--memory] [--force] [--debug]"
     echo ""
     echo "The code tarball [mandatory] (app.tar) and the SSL certificate [optional] (fullchain.pem) should be placed in $PACKAGE_DIR"
     echo ""
@@ -19,6 +19,7 @@ usage() {
     echo -e "\t--subject            subject of the RA-TLS certificate as an RFC 4514 string (default: $SUBJECT)"
     echo -e "\t--expiration         expiration date of the RA-TLS certificate (unix timestamp)"
     echo -e "\t--timeout            time before stopping the configuration server (in seconds)"
+    echo -e "\t--client-certificate certificate for client certificate authentication (PEM-encoded)"
     echo -e "\t--dry-run            compute MRENCLAVE hash digest (no SGX processor required)"
     echo -e "\t--memory             print expected memory usage of the application"
     echo -e "\t--force              clean before compilation for Gramine"
@@ -44,6 +45,7 @@ set_default_variables() {
     HOST="0.0.0.0"
     PORT="443"
     SUBJECT="CN=cosmian.io,O=Cosmian Tech,C=FR,L=Paris,ST=Ile-de-France"
+    CLIENT_CERT=""
 
     # Constant variables
     PACKAGE_DIR="/opt/input" # Location of the src package
@@ -120,6 +122,12 @@ parse_args() {
             shift # past value
             ;;
 
+            --client-certificate)
+            CLIENT_CERT="$2"
+            shift # past argument
+            shift # past value
+            ;;
+
             --dry-run)
             DRY_RUN=1
             shift # past argument
@@ -225,6 +233,11 @@ if [ ! -f $MANIFEST_SGX ] || [ $FORCE -eq 1 ]; then
         TIMEOUT_OPT="--timeout"
     fi
 
+    CLIENT_CERT_OPT=""
+    if [ -n "$CLIENT_CERT" ]; then
+        CLIENT_CERT_OPT="--client-certificate"
+    fi
+
     # Prepare gramine argv
     # /!\ no double quote around $SSL_APP_VALUE which might be empty
     # otherwise it will be serialized by gramine
@@ -237,6 +250,7 @@ if [ ! -f $MANIFEST_SGX ] || [ $FORCE -eq 1 ]; then
         "--san" "$SUBJECT_ALTERNATIVE_NAME" \
         "--id" "$ID" \
         $TIMEOUT_OPT $TIMEOUT \
+        $CLIENT_CERT_OPT $CLIENT_CERT \
         "$APPLICATION" > args
 
     echo "Generating the enclave..."