mirror of
https://github.com/corda/corda.git
synced 2024-12-30 17:57:02 +00:00
2725f53ef5
* Initial WIP. * Configure IAS host via system properties. * Create separate Gretty configurations for testing and for IAS. * (WIP) Separate configuration values from WAR; Add msg3 -> msg4 handling. * Check the IAS report's cryptographic signature. * Accept CertPath from IAS instead of a Certificate. * Validate the certificate chain for the IAS report. * Refactor response handling, and add a secret to Message4. * Append public DH keys to generated shared secret. * Use DH secret to generate a 256 bit AES key. * Fix runISV Gradle task so that it creates WAR file. * Migrate MockIAS service into a separate package. * Remove unused aesCMAC field from Message3. * Configure HTTP sessions to expire after 10 idle minutes. * Ensure we select the "isv" key for MTLS with Intel Attestation Service. * Set key alias for Intel's public certificate. * Implement GET /attest/provision endpoint. * Use elliptic curves for Diffie-Hellman keys. * Pass public keys as Little Endian byte arrays without ASN.1 encoding. * Add AES-CMAC signature to Message2. * Remove signature fields from QUOTE body for sending to IAS. * Add a dummy AES-CMAC field to Message3 for later validation. * Generate AEC-CMAC for Message 3, and refactor crypto functionality. * Calculate AES-CMAC using AES/CBC/PKCS5Padding algorithm. * Use BouncyCastle's AESCMAC algorithm for MAC calculation. * Include standard crypto test vectors to the unit tests. * Encrypt MSG3 secret using AES/GCM/NoPadding with 128 bit key. * Hash shared key with Little Endian versions of public keys. * Refactor so that hexToBytes() is a utility. * Simplify signing of MocKIAS report. * Separate AES/GCM authentication tag from the encrypted data. * Create /ias/report endpoint for ISV which proxies IAS. * Remove unnecessary @Throws from MockIAS handlers. * Log HTTP error status from IAS. * Replace runISV task with startISV and stopISV tasks. * Refactor tests to use CryptoProvider @Rule instead of @Suite. * Move Web server for integration tests to use non-production ports. * Add proxy endpoint for IAS revocation list. * Generate an ECDSA "service key" for signing (gb|ga). * Generate a persistent key-pair for the ISV to sign with. * Verify the (Gb|Ga) signature from Message2. * Add debugging aids. * Fix Gradle warning. * Remove TLV header from Platform Info Body for MSG4. * Small tidy-up. * Use SPID "as-is" when calculating CMAC for MSG2. * Add DEBUG messages for MSG2's KDK and SMK values (AES-CMAC). * Add DEBUG logging for ECDH shared secret. * More DEBUG logging. * The ECDH shared secret *is* the x-coordinate: no need to subrange. * Adjust MockIAS to return an empty revocationList for GID 0000000b. * Fix ArrayOutOfBoundsException for "small" integer values. * Test MSG1 with empty revocation list. * Add extra logging for IAS report request. * ReportResponse object cannot be null. * Fix misreading of spec - don't remove quote's signature when requesting report from IAS. * Log invalid contents of X-IAS-Report-Signing-Certificate HTTP header. * Build CertPath for IAS from explicit list of Certificates. * Rename quote fields on IAS ReportResponse to match Intel. * Log report ID and quote status from IAS. * Add a revocation list checker to the certificate path validator. * Tweak revocation list options, depending on IAS vs MockIAS. * Extract Intel's certificate specifically by alias for PKIX. * Tune quote body returned by MockIAS. * Add AES-CMAC field to Message4 for validation. * Increase GCM authentication tag to 128 bits. * Receive platformInfoBlob from IAS as hexadecimal string. * Generate secret encryption key using KDK and SK values. * Marshall platformInfoBlob between Base16 string and ByteArray. * Interpret status results from IAS as enums. * Use lateinit for HttpServletRequest field. * Refactor ExceptionHandler out of messages package. * Alias is for ISV, so rename it. * Refactor classes into more correct packages. * Use random 96 bit IV for GCM encryption. * Parameterise HTTP/HTTPS ports via Gradle. * Do not forward a securityManifest containing only zeros to IAS. * Address review comments. * Review comment: Use NativePRNGNonBlocking for SecureRandom. * Rename isv.pfx to isv-svc.pfx * Rename keystore to isv.pfx, for clarity. * Update scripts so that they no longer require user input. * Generate isv.pfx from the key and certificates. * Remove private key from repository. * Declare an empty PSE Manifest to be invalid. * Generate keystores "on the fly". * Rename integration tests to end in "IT" instead of "Test". * Add README * Turn remote-attestation into a separate Gradle project.
174 lines
5.5 KiB
Groovy
174 lines
5.5 KiB
Groovy
buildscript {
|
|
repositories {
|
|
mavenLocal()
|
|
mavenCentral()
|
|
jcenter()
|
|
}
|
|
|
|
dependencies {
|
|
classpath 'org.akhikhl.gretty:gretty:2.0.0'
|
|
}
|
|
|
|
ext.keyStoreDir = "$buildDir/keystore"
|
|
ext.httpsKeyStoreDir = "$buildDir/https-keystore"
|
|
|
|
// Port numbers to launch the different components on.
|
|
ext.isvHttpPort = 8080
|
|
ext.isvTestHttpPort = 9080
|
|
ext.iasTestHttpsPort = 9443
|
|
}
|
|
|
|
apply plugin: 'kotlin'
|
|
apply plugin: 'war'
|
|
apply plugin: 'org.akhikhl.gretty'
|
|
|
|
description 'Server side of SGX remote attestation process'
|
|
|
|
import org.akhikhl.gretty.AppStartTask
|
|
import org.akhikhl.gretty.AppStopTask
|
|
|
|
configurations {
|
|
integrationTestCompile.extendsFrom testCompile
|
|
integrationTestRuntime.extendsFrom testRuntime
|
|
}
|
|
|
|
sourceSets {
|
|
integrationTest {
|
|
kotlin {
|
|
compileClasspath += main.compileClasspath + test.compileClasspath
|
|
runtimeClasspath += main.runtimeClasspath + test.runtimeClasspath
|
|
//noinspection GroovyAssignabilityCheck
|
|
srcDir file('src/integration-test/kotlin')
|
|
}
|
|
}
|
|
}
|
|
|
|
dependencies {
|
|
compile "org.jetbrains.kotlin:kotlin-stdlib-jre8:$kotlin_version"
|
|
compile "org.jetbrains.kotlin:kotlin-reflect:$kotlin_version"
|
|
testCompile "org.jetbrains.kotlin:kotlin-test:$kotlin_version"
|
|
testCompile "junit:junit:$junit_version"
|
|
|
|
compile "org.bouncycastle:bcpkix-jdk15on:$bouncycastle_version"
|
|
compile "org.jboss.resteasy:resteasy-jaxrs:$resteasy_version"
|
|
compile "org.jboss.resteasy:resteasy-jackson2-provider:$resteasy_version"
|
|
compile "org.jboss.resteasy:resteasy-servlet-initializer:$resteasy_version"
|
|
compile "com.fasterxml.jackson.core:jackson-core:$jackson_version"
|
|
compile "com.fasterxml.jackson.core:jackson-databind:$jackson_version"
|
|
compile "com.fasterxml.jackson.core:jackson-annotations:$jackson_version"
|
|
compile "com.fasterxml.jackson.datatype:jackson-datatype-jsr310:$jackson_version"
|
|
compile "org.apache.logging.log4j:log4j-slf4j-impl:$log4j_version"
|
|
compile "org.apache.logging.log4j:log4j-core:$log4j_version"
|
|
runtime "org.apache.logging.log4j:log4j-web:$log4j_version"
|
|
compile "org.slf4j:jcl-over-slf4j:$slf4j_version"
|
|
}
|
|
|
|
tasks.withType(Test) {
|
|
// Enable "unlimited" encryption.
|
|
systemProperties["java.security.properties"] = "$projectDir/src/integration-test/security.properties"
|
|
|
|
// Set logging directory for all tests.
|
|
systemProperties["attestation.home"] = "$buildDir/logs"
|
|
}
|
|
|
|
task intelKeyStores(type: Exec) {
|
|
doFirst {
|
|
mkdir keyStoreDir
|
|
}
|
|
inputs.dir "$projectDir/src/main/ssl/intel-ssl"
|
|
outputs.dir keyStoreDir
|
|
workingDir keyStoreDir
|
|
commandLine "$projectDir/src/main/ssl/intel-ssl/generate-keystores.sh"
|
|
}
|
|
|
|
task serviceKeyStore(type: Exec) {
|
|
doFirst {
|
|
mkdir keyStoreDir
|
|
}
|
|
inputs.dir "$projectDir/src/main/ssl/service-key"
|
|
outputs.dir keyStoreDir
|
|
workingDir keyStoreDir
|
|
commandLine "$projectDir/src/main/ssl/service-key/generate-keystore.sh"
|
|
}
|
|
|
|
processResources {
|
|
dependsOn = [ intelKeyStores, serviceKeyStore ]
|
|
from keyStoreDir
|
|
}
|
|
|
|
task integrationTest(type: Test) {
|
|
testClassesDirs = sourceSets.integrationTest.output.classesDirs
|
|
classpath = sourceSets.integrationTest.runtimeClasspath
|
|
systemProperties["javax.net.ssl.keyStore"] = "$httpsKeyStoreDir/keystore"
|
|
systemProperties["javax.net.ssl.keyStorePassword"] = "attestation"
|
|
systemProperties["test.isv.httpPort"] = isvTestHttpPort
|
|
}
|
|
|
|
task httpsKeyStores(type: Exec) {
|
|
doFirst {
|
|
mkdir httpsKeyStoreDir
|
|
}
|
|
inputs.dir "$projectDir/src/integration-test/ssl"
|
|
outputs.dir httpsKeyStoreDir
|
|
workingDir httpsKeyStoreDir
|
|
commandLine "$projectDir/src/integration-test/ssl/generate-ssl.sh"
|
|
}
|
|
|
|
project.afterEvaluate {
|
|
appBeforeIntegrationTest.dependsOn httpsKeyStores
|
|
}
|
|
|
|
gretty {
|
|
httpPort = isvTestHttpPort
|
|
contextPath = "/"
|
|
servletContainer = 'tomcat8'
|
|
logDir = "$buildDir/logs"
|
|
logFileName = "gretty-test"
|
|
integrationTestTask = 'integrationTest'
|
|
jvmArgs = [
|
|
"-Dorg.jboss.logging.provider=slf4j",
|
|
"-Djava.security.properties=$projectDir/src/integration-test/security.properties",
|
|
"-Djavax.net.ssl.keyStore=$httpsKeyStoreDir/keystore",
|
|
"-Djavax.net.ssl.keyStorePassword=attestation",
|
|
"-Djavax.net.ssl.trustStore=$httpsKeyStoreDir/truststore",
|
|
"-Djavax.net.ssl.trustStorePassword=attestation",
|
|
"-Dattestation.home=$buildDir/logs",
|
|
"-Dias.host=localhost:$iasTestHttpsPort",
|
|
]
|
|
|
|
httpsPort = iasTestHttpsPort
|
|
httpsEnabled = true
|
|
sslNeedClientAuth = true
|
|
sslKeyStorePath = "$httpsKeyStoreDir/keystore"
|
|
sslKeyStorePassword = 'attestation'
|
|
sslKeyManagerPassword = 'attestation'
|
|
}
|
|
|
|
task('startISV', type: AppStartTask, dependsOn: war) {
|
|
prepareServerConfig {
|
|
httpPort = isvHttpPort
|
|
servletContainer = 'tomcat8'
|
|
logDir = "$buildDir/logs"
|
|
logFileName = "gretty-isv"
|
|
jvmArgs = [
|
|
"-Dorg.jboss.logging.provider=slf4j",
|
|
"-Djava.security.properties=$projectDir/src/main/security.properties",
|
|
"-Djavax.net.ssl.keyStore=$keyStoreDir/isv.pfx",
|
|
"-Djavax.net.ssl.keyStorePassword=attestation",
|
|
"-Dias.host=test-as.sgx.trustedservices.intel.com",
|
|
"-Dattestation.home=$buildDir/logs",
|
|
]
|
|
|
|
httpsEnabled = false
|
|
}
|
|
|
|
prepareWebAppConfig {
|
|
contextPath = "/"
|
|
inplace = false
|
|
}
|
|
|
|
interactive = false
|
|
}
|
|
|
|
task("stopISV", type: AppStopTask)
|