feat(auth): add messages used to set access key, use rtc_types in protected channel

Author: longtomjr

rtc_tenclave/src/dh/protected_channel.rs

@@ -4,6 +4,8 @@ use secrecy::{ExposeSecret, Secret};
 use sgx_tcrypto::{rsgx_rijndael128GCM_decrypt, rsgx_rijndael128GCM_encrypt};
 use sgx_types::*;
 
+use rtc_types::enclave_messages::{EncryptedEnclaveMessage, RecommendedAesGcmIv};
+
 use super::types::AlignedKey;
 use crate::util::concat_u8;
 
@@ -12,9 +14,6 @@ use super::enclave;
 #[cfg(not(test))]
 use sgx_tstd::enclave;
 
-// NIST AES-GCM recommended IV size
-type RecommendedAesGcmIv = [u8; 12];
-
 pub struct ProtectedChannel {
     iv_constructor: DeterministicAesGcmIvConstructor,
     key: Secret<AlignedKey>,
@@ -70,13 +69,6 @@ impl ProtectedChannel {
     }
 }
 
-pub struct EncryptedEnclaveMessage<const MESSAGE_SIZE: usize, const AAD_SIZE: usize> {
-    tag: sgx_aes_gcm_128bit_tag_t,
-    ciphertext: [u8; MESSAGE_SIZE],
-    aad: [u8; AAD_SIZE],
-    nonce: RecommendedAesGcmIv,
-}
-
 /// Implement the deterministic construction of AES-GCM IVs, as described in section 8.2.1 of [NIST SP 800-38D],
 /// "Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC".
 ///

rtc_types/src/enclave_messages.rs

@@ -0,0 +1,71 @@
+use sgx_types::*;
+use std::mem;
+
+use rkyv::{Archive, Deserialize, Serialize};
+
+// NIST AES-GCM recommended IV size
+pub type RecommendedAesGcmIv = [u8; 12];
+
+#[repr(C)]
+pub struct EncryptedEnclaveMessage<const MESSAGE_SIZE: usize, const AAD_SIZE: usize> {
+    pub tag: sgx_aes_gcm_128bit_tag_t,
+    pub ciphertext: [u8; MESSAGE_SIZE],
+    pub aad: [u8; AAD_SIZE],
+    pub nonce: RecommendedAesGcmIv,
+}
+
+// TODO: Macro?
+pub mod set_access_key {
+    use super::*;
+
+    #[derive(Archive, Deserialize, Serialize, Debug, PartialEq, Clone)]
+    pub struct Request {
+        // XXX: Technically this only needs to be available inside of enclave contexts.
+        //      It might make sense to conditionally export this as public.
+        pub uuid: [u8; 16],       // TODO: Use UUID crate?
+        pub access_key: [u8; 24], // [u8; ACCESS_KEY_BYTES]
+    }
+
+    pub const REQUEST_SIZE: usize = mem::size_of::<<Request as Archive>::Archived>();
+
+    pub type EncryptedRequest = EncryptedEnclaveMessage<REQUEST_SIZE, 0>;
+
+    #[derive(Archive, Deserialize, Serialize, Debug, PartialEq)]
+    pub struct Response {
+        success: bool,
+    }
+
+    pub const RESPONSE_SIZE: usize = mem::size_of::<<Response as Archive>::Archived>();
+
+    pub type EncryptedResponse = EncryptedEnclaveMessage<RESPONSE_SIZE, 0>;
+}
+
+#[cfg(test)]
+mod test {
+    use rkyv::{
+        archived_root,
+        ser::{serializers::BufferSerializer, Serializer},
+        Aligned, Deserialize, Infallible,
+    };
+
+    use super::*;
+
+    #[test]
+    fn test_set_access_key_msg() {
+        let request = set_access_key::Request {
+            uuid: [5u8; 16],
+            access_key: [2u8; 24],
+        };
+
+        let mut serializer = BufferSerializer::new(Aligned([0u8; set_access_key::REQUEST_SIZE]));
+        serializer.serialize_value(&request.clone()).unwrap();
+        let buf = serializer.into_inner();
+        let archived = unsafe { archived_root::<set_access_key::Request>(buf.as_ref()) };
+        let deserialized = archived.deserialize(&mut Infallible).unwrap();
+
+        assert_eq!(
+            request, deserialized,
+            "Deserialized request should match initial request"
+        );
+    }
+}

rtc_types/src/lib.rs

@@ -25,6 +25,8 @@ pub use exec_token::*;
 mod ecall_result;
 pub use ecall_result::*;
 
+pub mod enclave_messages;
+
 #[repr(C)]
 #[derive(Clone, Debug)]
 pub struct EncryptedMessage {