corda/sgx-jvm/remote-attestation/attestation-server
Chris Rankin c545a58c1d
Remote Attestation Phase 2 (#235)
* Initial host server skeleton.
* Create IASProxy project, and skeleton for attestation host.
* Fix up tests
* Extend attestation host skeleton, and make test ports configurable.
* Enhance MockIAS to make pseManifestStatus optional.
* Make IASProxy endpoints asynchronous.
* Add sub-modules for challenger and for common code.
* Create integration test for host's provisioning endpoint.
* Flesh out attestation challenger WAR.
* Package refactoring, to be more Java9 friendly.
* Refactor more messages into attestation-common.
* Remove our private key from the repository.
* Declare an empty PSE Manifest to be invalid.
* Fix basic integration test issues for challenger and host.
* Integrate keystore scripts into the build properly.
* Name keystore targets explicitly for Gradle.
* Allow HTTP conversation between Challenger, Host and ISV using session ID.
* Add MockHost for challenger's integration tests.
* Reconcile HTTP port numbers between Phase1 and Phase2 components.
* Remove elements that can be inherited from root project.
* Add placeholder README.
* Add convenient extension functions to ObjectMapper.
* Extend integration test coverage for challenger/host/isv.
* Catch IOException from HttpClient for challenger.
* Integrate host sub-module with remote-attestation project.
* Begin integrating host/enclave code from Phase I.
* Rename challenger's HTTP endpoint.
* Generate keystore for challenger "on the fly".
* Add native JNI code for accessing the SGX enclave.
* Point Gradle to the correct enclave object.
* Fixes for generating a Quote for this enclave.
* Return the IAS report to the challenger for verification.
* Begin populating the challenger's AttestationResponse message.
* Enable the challenger to pass encrypted secrets into the enclave.
* Align challenger, host and isv ports.
* Refactor challenger as a fat-jar application.
* AttestationResponse is not shared, so refactor into challenger.
* Move HttpClientContext objects into HttpClient blocks.
* Remove unused Message2 and Message3 objects.
* Add realistic dummy value for reportID from IAS.
* Small tidy-up on attestation host.
* First set of review comments.
* Add missing exception message.
* Update location of environment file.
* Use empty mock revocation lists by default.
* Improve logging and add "happy path" test for provisioning secrets.
* Update Gradle files so that we can run attestation-host from IntelliJ.
* The platformInfo field from IAS can be null, so allow this.
Also protect other JNI pointer parameters from NPE.
* Allow Gradle to build hardware enclave.
2017-12-22 14:42:42 +00:00
src Remote Attestation Phase 2 (#235) 2017-12-22 14:42:42 +00:00
build.gradle Remote Attestation Phase 2 (#235) 2017-12-22 14:42:42 +00:00
README.md ENT-1074 - Proof-of-concept ISV for SGX remote attestation (#161) 2017-12-12 13:34:26 +00:00

Remote Attestation ISV: Proof-Of-Concept

This initial version of the ISV expects to communicate with the Attestation Host, which should run on hardware with an SGX enclave. The ISV also communicates with the Intel Attestation Service (IAS) over HTTPS with mutual TLS, which requires it to contain our development private key. (We have already shared the corresponding public key with Intel, and IAS expects to use it to authenticate us.)

Please install this private key in PEM format as src/main/ssl/intel-ssl/client.key.

This ISV runs as a WAR file within Tomcat 8, and implements the message flow as described in Intel's end-to-end example using JSON and HTTP. The use of HTTP here is merely a convenience for our proof-of-concept; we anticipate using something completely different when we integrate with Corda.

Gradle/Tomcat integration is achieved using the Gretty plugin.

You will need OpenSSL installed so that Gradle can generate the keystores and truststores required by HTTPS and Mutual TLS.
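
The client key installed above authenticates the ISV to IAS, so it is worth checking before a build that it is present, private to its owner, untracked by git and parseable. The following is an added example, not part of this project's build; `check_client_key` and its return codes are hypothetical, and it assumes the key is stored unencrypted.

```shell
#!/bin/sh
# Pre-build check for the IAS mutual-TLS client key (added example).
# check_client_key is a hypothetical helper, not part of the Corda build.
# Return codes: 0 ok, 1 missing, 2 loose permissions, 3 tracked by git,
#               4 no PEM private-key header, 5 openssl missing or parse failure.
# Usage: check_client_key && ../gradlew build integrationTest

check_client_key() {
    key=${1:-src/main/ssl/intel-ssl/client.key}   # default path from the README

    if [ ! -f "$key" ]; then
        echo "missing: $key" >&2
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -Lld "$key" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "group/other access on $key; run: chmod 600 $key" >&2
        return 2
    fi

    # The key must stay out of version control. If git is absent or this is
    # not a work tree, the command fails and the key counts as untracked.
    dir=$(dirname "$key"); base=$(basename "$key")
    if git -C "$dir" ls-files --error-unmatch -- "$base" >/dev/null 2>&1; then
        echo "$key is tracked by git; untrack it with: git rm --cached" >&2
        return 3
    fi

    if ! grep -Eq -- '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key"; then
        echo "$key has no PEM private-key header" >&2
        return 4
    fi

    # Assumption: the key is stored unencrypted, so an empty passphrase
    # is supplied to keep openssl from prompting.
    if ! command -v openssl >/dev/null 2>&1 ||
       ! openssl pkey -in "$key" -noout -passin pass: 2>/dev/null; then
        echo "openssl is missing or cannot parse $key" >&2
        return 5
    fi
    return 0
}
```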

Building the ISV

From this project directory, execute the command:

$ ../gradlew build integrationTest

Running the ISV

To launch the ISV as a daemon process listening on TCP/8080, execute:

$ nohup ../gradlew startISV &

The ISV can then be shut down using:

$ ../gradlew stopISV

It will log messages to build/logs/attestation-server.log.