Clean up the configuration of the IAS certificates (#459)

Replace the template expansion that is causing periodic file corruption errors with a more resilient method for downloading the IAS certificate. This approach removes the template completely and uses a file system move to atomically update the certificate file. Also uses the cmake clean to remove any generated files. We were leaving extra files in the common directory tree. Signed-off-by: Mic Bowman <[email protected]>
hyperledger-labs · Jan 12, 2024 · e62be5e · e62be5e
1 parent 0fc4201
commit e62be5e
Show file tree

Hide file tree

Showing 14 changed files with 92 additions and 125 deletions.
diff --git a/build/__tools__/clean.sh b/build/__tools__/clean.sh
@@ -24,10 +24,8 @@ check_python_version
 # -----------------------------------------------------------------
 
 yell --------------- COMMON ---------------
-cd $SRCDIR/common/crypto/verify_ias_report
-rm -f ias-certificates.cpp
-
 cd $SRCDIR/common
+cmake --build build --target clean
 rm -rf build
 
 yell --------------- BIN ---------------

diff --git a/build/cmake/SGX.cmake b/build/cmake/SGX.cmake
@@ -47,6 +47,8 @@ IF (NOT DEFINED CMAKE_LIBRARY_OUTPUT_DIRECTORY)
   MESSAGE(FATAL_ERROR "CMAKE_LIBRARY_OUTPUTDIRECTORY must be set")
 ENDIF()
 
+SET(IAS_CERTIFICATE_URL "https://certificates.trustedservices.intel.com/Intel_SGX_Attestation_RootCA.pem")
+
 ################################################################################
 # Internal SGX Variables
 ################################################################################

diff --git a/common/CMakeLists.txt b/common/CMakeLists.txt
@@ -17,7 +17,7 @@ OPTION(BUILD_UNTRUSTED "Build modules for running with SGX outside an enclave" O
 OPTION(BUILD_CLIENT "Build modules for running clients without SGX" OFF)
 OPTION(BLOCK_STORE_DEBUG "Debug logging for block store operations" OFF)
 
-CMAKE_MINIMUM_REQUIRED(VERSION 3.10 FATAL_ERROR)
+CMAKE_MINIMUM_REQUIRED(VERSION 3.16 FATAL_ERROR)
 FIND_PACKAGE(PkgConfig REQUIRED)
 
 IF (NOT DEFINED ENV{PDO_SOURCE_ROOT})

diff --git a/common/crypto/CMakeLists.txt b/common/crypto/CMakeLists.txt
@@ -39,18 +39,24 @@ ENDIF()
 # by the client (ias verification requires sgx).
 ################################################################################
 IF (BUILD_TRUSTED OR BUILD_UNTRUSTED)
-  SET(PROJECT_GENERATED_IAS_SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report/ias-certificates.cpp)
+  SET(PROJECT_GENERATED_IAS_SOURCES ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report/ias-certificates.txt)
   SET_SOURCE_FILES_PROPERTIES(${PROJECT_GENERATED_IAS_SOURCES} PROPERTIES GENERATED TRUE)
+  SET(FETCH_IAS_CERTS ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report/fetch_ias_certificates.sh)
 
   ADD_CUSTOM_COMMAND(
     OUTPUT  ${PROJECT_GENERATED_IAS_SOURCES}
-    COMMAND ./build_ias_certificates_cpp.sh
-    DEPENDS verify_ias_report/ias-certificates.template verify_ias_report/build_ias_certificates_cpp.sh
+    COMMAND ${FETCH_IAS_CERTS} ${IAS_CERTIFICATE_URL} ${PROJECT_GENERATED_IAS_SOURCES}
+    DEPENDS ${FETCH_IAS_CERTS}
     WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/verify_ias_report
   )
 
   ADD_CUSTOM_TARGET(generate-ias-files DEPENDS ${PROJECT_GENERATED_IAS_SOURCES})
 
+  SET_PROPERTY(
+    TARGET generate-ias-files
+    APPEND
+    PROPERTY ADDITIONAL_CLEAN_FILES ${PROJECT_GENERATED_IAS_SOURCE})
+
   IF (${SGX_MODE} STREQUAL "HW")
     SET(IAS_CA_CERT_REQUIRED "IAS_CA_CERT_REQUIRED=1")
   ENDIF()

diff --git a/common/crypto/crypto.h b/common/crypto/crypto.h
@@ -31,6 +31,5 @@
 #include "skenc.h"
 #if _CLIENT_ONLY_
 #else
-#include "verify_ias_report/ias-certificates.h"
 #include "verify_ias_report/verify-report.h"
 #endif
diff --git a/common/crypto/verify_ias_report/.gitignore b/common/crypto/verify_ias_report/.gitignore
@@ -1 +1 @@
-ias-certificates.cpp
+ias-certificates.txt
diff --git a/common/crypto/verify_ias_report/build_ias_certificates_cpp.sh b/common/crypto/verify_ias_report/build_ias_certificates_cpp.sh
diff --git a/common/crypto/verify_ias_report/fetch_ias_certificates.sh b/common/crypto/verify_ias_report/fetch_ias_certificates.sh
@@ -0,0 +1,69 @@
+#!/bin/bash
+# Copyright 2023 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This script sets up the IAS root certificate for inclusing in the
+# verification module.
+#
+# Two parameters:
+# $1 -- the URL where the IAS certificate can be retrieved
+# $2 -- the file where the certificate should be written
+
+# -----------------------------------------------------------------
+# -----------------------------------------------------------------
+source ${PDO_SOURCE_ROOT}/bin/lib/common.sh
+
+IAS_CERTIFICATE_URL=$1
+
+# -----------------------------------------------------------------
+# set up the temporary files
+# -----------------------------------------------------------------
+SAVE_FILE=$(mktemp /tmp/pdo-ias-certificate.XXXXXXXXX)
+STRING_FILE=$(mktemp /tmp/pdo-ias-certificate-string.XXXXXXXXX)
+
+function cleanup {
+    rm -f ${SAVE_FILE} ${STRING_FILE}
+}
+
+trap 'echo "**ERROR - line $LINENO**"; cleanup; exit 1' HUP INT QUIT PIPE TERM ERR
+
+# If there is no requirement for HW support, then we don't need
+# a valid certificate; just generate a dummy string
+if [ "${SGX_MODE}" != "HW" ]; then
+    echo 'R"IASCERT(' > ${STRING_FILE}
+    echo 'NO CERTIFICATE REQUIRED' >> ${STRING_FILE}
+    echo ')IASCERT"' >> ${STRING_FILE}
+
+    try mv ${STRING_FILE} $2
+    exit
+fi
+
+# -----------------------------------------------------------------
+# get the certificate and format it as needed
+# -----------------------------------------------------------------
+
+# This is a small hack to make the script work for people
+# who would otherwise attempt to retrieve the certficiates
+# without a proxy server
+if [ "${PDO_FORCE_IAS_PROXY}" == "true" ]; then
+    try curl --noproxy '' --retry 3 --max-time 10 -sL --output ${SAVE_FILE} ${IAS_CERTIFICATE_URL}
+else
+    try curl --retry 3 --max-time 10 -sL --output ${SAVE_FILE} ${IAS_CERTIFICATE_URL}
+fi
+
+echo 'R"IASCERT(' > ${STRING_FILE}
+cat ${SAVE_FILE} >> ${STRING_FILE}
+echo ')IASCERT"' >> ${STRING_FILE}
+
+try mv ${STRING_FILE} $2
diff --git a/common/crypto/verify_ias_report/ias-certificates.h b/common/crypto/verify_ias_report/ias-certificates.h
diff --git a/common/crypto/verify_ias_report/ias-certificates.template b/common/crypto/verify_ias_report/ias-certificates.template
diff --git a/common/crypto/verify_ias_report/verify-report.cpp b/common/crypto/verify_ias_report/verify-report.cpp
@@ -22,9 +22,12 @@
 #include <string.h>
 
 #include "c11_support.h"
-#include "ias-certificates.h"
 #include "parson.h"
 
+const char* const ias_report_signing_ca_cert_pem =
+#include "ias-certificates.txt"
+    ;
+
 //<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
 //########### INTERNAL FUNCTIONS #########################################
 //########################################################################
@@ -211,7 +214,7 @@ verify_status_t verify_ias_report_signature(const char* ias_attestation_signing_
     return VERIFY_FAILURE;
 }
 
-verify_status_t verify_ias_certificate_chain(const char* cert_pem)
+verify_status_t verify_ias_certificate_chain(const char* const cert_pem)
 #ifndef IAS_CA_CERT_REQUIRED
 {
     return VERIFY_FAILURE;  // fail (conservative approach for simulator-mode and in absence of CA

diff --git a/common/crypto/verify_ias_report/verify-report.h b/common/crypto/verify_ias_report/verify-report.h
@@ -18,6 +18,8 @@
 
 #include <sgx_quote.h>
 
+extern const char* const ias_report_signing_ca_cert_pem;
+
 typedef enum
 {
     VERIFY_SUCCESS,
@@ -52,7 +54,7 @@ verify_status_t verify_enclave_quote_status(const char* ias_report,
                                             unsigned int ias_report_len,
                                             unsigned int quote_status_flags);
 verify_status_t verify_ias_certificate_chain(const char* cert_pem);
-verify_status_t verify_ias_report_signature(const char* ias_attestation_signing_cert_pem,
+verify_status_t verify_ias_report_signature(const char* const ias_attestation_signing_cert_pem,
                                             const char* ias_report,
                                             const unsigned int ias_report_len,
                                             const char* ias_signature,

diff --git a/common/interpreter/wawaka_wasm/WasmCryptoExtensions.cpp b/common/interpreter/wawaka_wasm/WasmCryptoExtensions.cpp
@@ -24,8 +24,6 @@
 #include "packages/parson/parson.h"
 
 #include "crypto.h"
-#include "crypto_shared.h"
-#include "crypto/verify_ias_report/ias-certificates.h"
 #include "error.h"
 #include "jsonvalue.h"
 #include "log.h"

diff --git a/common/tests/crypto/testCrypto.cpp b/common/tests/crypto/testCrypto.cpp
@@ -21,7 +21,7 @@
 
 #include "c11_support.h"
 #include "crypto.h"
-#include "crypto/verify_ias_report/ias-certificates.h"
+#include "crypto/verify_ias_report/verify-report.h"
 #include "error.h"
 #include "log.h"
 #include "packages/parson/parson.h"