ExternalVendorCode/corda
1
0
Fork 0
mirror of https://github.com/corda/corda.git synced 2025-01-03 19:54:13 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
83efd33fc7
corda/sgx-jvm/remote-attestation/attestation-server/build.gradle

174 lines
5.5 KiB
Groovy
Raw Normal View History

ENT-1074 - Proof-of-concept ISV for SGX remote attestation (#161) * Initial WIP. * Configure IAS host via system properties. * Create separate Gretty configurations for testing and for IAS. * (WIP) Separate configuration values from WAR; Add msg3 -> msg4 handling. * Check the IAS report's cryptographic signature. * Accept CertPath from IAS instead of a Certificate. * Validate the certificate chain for the IAS report. * Refactor response handling, and add a secret to Message4. * Append public DH keys to generated shared secret. * Use DH secret to generate a 256 bit AES key. * Fix runISV Gradle task so that it creates WAR file. * Migrate MockIAS service into a separate package. * Remove unused aesCMAC field from Message3. * Configure HTTP sessions to expire after 10 idle minutes. * Ensure we select the "isv" key for MTLS with Intel Attestation Service. * Set key alias for Intel's public certificate. * Implement GET /attest/provision endpoint. * Use elliptic curves for Diffie-Hellman keys. * Pass public keys as Little Endian byte arrays without ASN.1 encoding. * Add AES-CMAC signature to Message2. * Remove signature fields from QUOTE body for sending to IAS. * Add a dummy AES-CMAC field to Message3 for later validation. * Generate AEC-CMAC for Message 3, and refactor crypto functionality. * Calculate AES-CMAC using AES/CBC/PKCS5Padding algorithm. * Use BouncyCastle's AESCMAC algorithm for MAC calculation. * Include standard crypto test vectors to the unit tests. * Encrypt MSG3 secret using AES/GCM/NoPadding with 128 bit key. * Hash shared key with Little Endian versions of public keys. * Refactor so that hexToBytes() is a utility. * Simplify signing of MocKIAS report. * Separate AES/GCM authentication tag from the encrypted data. * Create /ias/report endpoint for ISV which proxies IAS. * Remove unnecessary @Throws from MockIAS handlers. * Log HTTP error status from IAS. * Replace runISV task with startISV and stopISV tasks. * Refactor tests to use CryptoProvider @Rule instead of @Suite. * Move Web server for integration tests to use non-production ports. * Add proxy endpoint for IAS revocation list. * Generate an ECDSA "service key" for signing (gb|ga). * Generate a persistent key-pair for the ISV to sign with. * Verify the (Gb|Ga) signature from Message2. * Add debugging aids. * Fix Gradle warning. * Remove TLV header from Platform Info Body for MSG4. * Small tidy-up. * Use SPID "as-is" when calculating CMAC for MSG2. * Add DEBUG messages for MSG2's KDK and SMK values (AES-CMAC). * Add DEBUG logging for ECDH shared secret. * More DEBUG logging. * The ECDH shared secret *is* the x-coordinate: no need to subrange. * Adjust MockIAS to return an empty revocationList for GID 0000000b. * Fix ArrayOutOfBoundsException for "small" integer values. * Test MSG1 with empty revocation list. * Add extra logging for IAS report request. * ReportResponse object cannot be null. * Fix misreading of spec - don't remove quote's signature when requesting report from IAS. * Log invalid contents of X-IAS-Report-Signing-Certificate HTTP header. * Build CertPath for IAS from explicit list of Certificates. * Rename quote fields on IAS ReportResponse to match Intel. * Log report ID and quote status from IAS. * Add a revocation list checker to the certificate path validator. * Tweak revocation list options, depending on IAS vs MockIAS. * Extract Intel's certificate specifically by alias for PKIX. * Tune quote body returned by MockIAS. * Add AES-CMAC field to Message4 for validation. * Increase GCM authentication tag to 128 bits. * Receive platformInfoBlob from IAS as hexadecimal string. * Generate secret encryption key using KDK and SK values. * Marshall platformInfoBlob between Base16 string and ByteArray. * Interpret status results from IAS as enums. * Use lateinit for HttpServletRequest field. * Refactor ExceptionHandler out of messages package. * Alias is for ISV, so rename it. * Refactor classes into more correct packages. * Use random 96 bit IV for GCM encryption. * Parameterise HTTP/HTTPS ports via Gradle. * Do not forward a securityManifest containing only zeros to IAS. * Address review comments. * Review comment: Use NativePRNGNonBlocking for SecureRandom. * Rename isv.pfx to isv-svc.pfx * Rename keystore to isv.pfx, for clarity. * Update scripts so that they no longer require user input. * Generate isv.pfx from the key and certificates. * Remove private key from repository. * Declare an empty PSE Manifest to be invalid. * Generate keystores "on the fly". * Rename integration tests to end in "IT" instead of "Test". * Add README * Turn remote-attestation into a separate Gradle project.
2017-12-12 13:34:26 +00:00
buildscript {
repositories {
mavenLocal()
mavenCentral()
jcenter()
}
dependencies {
classpath 'org.akhikhl.gretty:gretty:2.0.0'
}
ext.keyStoreDir = "$buildDir/keystore"
ext.httpsKeyStoreDir = "$buildDir/https-keystore"
// Port numbers to launch the different components on.
ext.isvHttpPort = 8080
ext.isvTestHttpPort = 9080
ext.iasTestHttpsPort = 9443
}
apply plugin: 'kotlin'
apply plugin: 'war'
apply plugin: 'org.akhikhl.gretty'
description 'Server side of SGX remote attestation process'
import org.akhikhl.gretty.AppStartTask
import org.akhikhl.gretty.AppStopTask
configurations {
integrationTestCompile.extendsFrom testCompile
integrationTestRuntime.extendsFrom testRuntime
}
sourceSets {
integrationTest {
kotlin {
compileClasspath += main.compileClasspath + test.compileClasspath
runtimeClasspath += main.runtimeClasspath + test.runtimeClasspath
//noinspection GroovyAssignabilityCheck
srcDir file('src/integration-test/kotlin')
}
}
}
dependencies {
compile "org.jetbrains.kotlin:kotlin-stdlib-jre8:$kotlin_version"
compile "org.jetbrains.kotlin:kotlin-reflect:$kotlin_version"
testCompile "org.jetbrains.kotlin:kotlin-test:$kotlin_version"
testCompile "junit:junit:$junit_version"
compile "org.bouncycastle:bcpkix-jdk15on:$bouncycastle_version"
compile "org.jboss.resteasy:resteasy-jaxrs:$resteasy_version"
compile "org.jboss.resteasy:resteasy-jackson2-provider:$resteasy_version"
compile "org.jboss.resteasy:resteasy-servlet-initializer:$resteasy_version"
compile "com.fasterxml.jackson.core:jackson-core:$jackson_version"
compile "com.fasterxml.jackson.core:jackson-databind:$jackson_version"
compile "com.fasterxml.jackson.core:jackson-annotations:$jackson_version"
compile "com.fasterxml.jackson.datatype:jackson-datatype-jsr310:$jackson_version"
compile "org.apache.logging.log4j:log4j-slf4j-impl:$log4j_version"
compile "org.apache.logging.log4j:log4j-core:$log4j_version"
runtime "org.apache.logging.log4j:log4j-web:$log4j_version"
compile "org.slf4j:jcl-over-slf4j:$slf4j_version"
}
tasks.withType(Test) {
// Enable "unlimited" encryption.
systemProperties["java.security.properties"] = "$projectDir/src/integration-test/security.properties"
// Set logging directory for all tests.
systemProperties["attestation.home"] = "$buildDir/logs"
}
task intelKeyStores(type: Exec) {
doFirst {
mkdir keyStoreDir
}
inputs.dir "$projectDir/src/main/ssl/intel-ssl"
outputs.dir keyStoreDir
workingDir keyStoreDir
commandLine "$projectDir/src/main/ssl/intel-ssl/generate-keystores.sh"
}
task serviceKeyStore(type: Exec) {
doFirst {
mkdir keyStoreDir
}
inputs.dir "$projectDir/src/main/ssl/service-key"
outputs.dir keyStoreDir
workingDir keyStoreDir
commandLine "$projectDir/src/main/ssl/service-key/generate-keystore.sh"
}
processResources {
dependsOn = [ intelKeyStores, serviceKeyStore ]
from keyStoreDir
}
task integrationTest(type: Test) {
testClassesDirs = sourceSets.integrationTest.output.classesDirs
classpath = sourceSets.integrationTest.runtimeClasspath
systemProperties["javax.net.ssl.keyStore"] = "$httpsKeyStoreDir/keystore"
systemProperties["javax.net.ssl.keyStorePassword"] = "attestation"
systemProperties["test.isv.httpPort"] = isvTestHttpPort
}
task httpsKeyStores(type: Exec) {
doFirst {
mkdir httpsKeyStoreDir
}
inputs.dir "$projectDir/src/integration-test/ssl"
outputs.dir httpsKeyStoreDir
workingDir httpsKeyStoreDir
commandLine "$projectDir/src/integration-test/ssl/generate-ssl.sh"
}
project.afterEvaluate {
appBeforeIntegrationTest.dependsOn httpsKeyStores
}
gretty {
httpPort = isvTestHttpPort
contextPath = "/"
servletContainer = 'tomcat8'
logDir = "$buildDir/logs"
logFileName = "gretty-test"
integrationTestTask = 'integrationTest'
jvmArgs = [
"-Dorg.jboss.logging.provider=slf4j",
"-Djava.security.properties=$projectDir/src/integration-test/security.properties",
"-Djavax.net.ssl.keyStore=$httpsKeyStoreDir/keystore",
"-Djavax.net.ssl.keyStorePassword=attestation",
"-Djavax.net.ssl.trustStore=$httpsKeyStoreDir/truststore",
"-Djavax.net.ssl.trustStorePassword=attestation",
"-Dattestation.home=$buildDir/logs",
"-Dias.host=localhost:$iasTestHttpsPort",
]
httpsPort = iasTestHttpsPort
httpsEnabled = true
sslNeedClientAuth = true
sslKeyStorePath = "$httpsKeyStoreDir/keystore"
sslKeyStorePassword = 'attestation'
sslKeyManagerPassword = 'attestation'
}
task('startISV', type: AppStartTask, dependsOn: war) {
prepareServerConfig {
httpPort = isvHttpPort
servletContainer = 'tomcat8'
logDir = "$buildDir/logs"
logFileName = "gretty-isv"
jvmArgs = [
"-Dorg.jboss.logging.provider=slf4j",
"-Djava.security.properties=$projectDir/src/main/security.properties",
"-Djavax.net.ssl.keyStore=$keyStoreDir/isv.pfx",
"-Djavax.net.ssl.keyStorePassword=attestation",
"-Dias.host=test-as.sgx.trustedservices.intel.com",
"-Dattestation.home=$buildDir/logs",
]
httpsEnabled = false
}
prepareWebAppConfig {
contextPath = "/"
inplace = false
}
interactive = false
}
task("stopISV", type: AppStopTask)
Reference in New Issue Copy Permalink