mirror of
https://github.com/corda/corda.git
synced 2025-01-04 20:24:17 +00:00
2725f53ef5
* Initial WIP. * Configure IAS host via system properties. * Create separate Gretty configurations for testing and for IAS. * (WIP) Separate configuration values from WAR; Add msg3 -> msg4 handling. * Check the IAS report's cryptographic signature. * Accept CertPath from IAS instead of a Certificate. * Validate the certificate chain for the IAS report. * Refactor response handling, and add a secret to Message4. * Append public DH keys to generated shared secret. * Use DH secret to generate a 256 bit AES key. * Fix runISV Gradle task so that it creates WAR file. * Migrate MockIAS service into a separate package. * Remove unused aesCMAC field from Message3. * Configure HTTP sessions to expire after 10 idle minutes. * Ensure we select the "isv" key for MTLS with Intel Attestation Service. * Set key alias for Intel's public certificate. * Implement GET /attest/provision endpoint. * Use elliptic curves for Diffie-Hellman keys. * Pass public keys as Little Endian byte arrays without ASN.1 encoding. * Add AES-CMAC signature to Message2. * Remove signature fields from QUOTE body for sending to IAS. * Add a dummy AES-CMAC field to Message3 for later validation. * Generate AEC-CMAC for Message 3, and refactor crypto functionality. * Calculate AES-CMAC using AES/CBC/PKCS5Padding algorithm. * Use BouncyCastle's AESCMAC algorithm for MAC calculation. * Include standard crypto test vectors to the unit tests. * Encrypt MSG3 secret using AES/GCM/NoPadding with 128 bit key. * Hash shared key with Little Endian versions of public keys. * Refactor so that hexToBytes() is a utility. * Simplify signing of MocKIAS report. * Separate AES/GCM authentication tag from the encrypted data. * Create /ias/report endpoint for ISV which proxies IAS. * Remove unnecessary @Throws from MockIAS handlers. * Log HTTP error status from IAS. * Replace runISV task with startISV and stopISV tasks. * Refactor tests to use CryptoProvider @Rule instead of @Suite. 
* Move Web server for integration tests to use non-production ports. * Add proxy endpoint for IAS revocation list. * Generate an ECDSA "service key" for signing (gb|ga). * Generate a persistent key-pair for the ISV to sign with. * Verify the (Gb|Ga) signature from Message2. * Add debugging aids. * Fix Gradle warning. * Remove TLV header from Platform Info Body for MSG4. * Small tidy-up. * Use SPID "as-is" when calculating CMAC for MSG2. * Add DEBUG messages for MSG2's KDK and SMK values (AES-CMAC). * Add DEBUG logging for ECDH shared secret. * More DEBUG logging. * The ECDH shared secret *is* the x-coordinate: no need to subrange. * Adjust MockIAS to return an empty revocationList for GID 0000000b. * Fix ArrayOutOfBoundsException for "small" integer values. * Test MSG1 with empty revocation list. * Add extra logging for IAS report request. * ReportResponse object cannot be null. * Fix misreading of spec - don't remove quote's signature when requesting report from IAS. * Log invalid contents of X-IAS-Report-Signing-Certificate HTTP header. * Build CertPath for IAS from explicit list of Certificates. * Rename quote fields on IAS ReportResponse to match Intel. * Log report ID and quote status from IAS. * Add a revocation list checker to the certificate path validator. * Tweak revocation list options, depending on IAS vs MockIAS. * Extract Intel's certificate specifically by alias for PKIX. * Tune quote body returned by MockIAS. * Add AES-CMAC field to Message4 for validation. * Increase GCM authentication tag to 128 bits. * Receive platformInfoBlob from IAS as hexadecimal string. * Generate secret encryption key using KDK and SK values. * Marshall platformInfoBlob between Base16 string and ByteArray. * Interpret status results from IAS as enums. * Use lateinit for HttpServletRequest field. * Refactor ExceptionHandler out of messages package. * Alias is for ISV, so rename it. * Refactor classes into more correct packages. * Use random 96 bit IV for GCM encryption. 
* Parameterise HTTP/HTTPS ports via Gradle. * Do not forward a securityManifest containing only zeros to IAS. * Address review comments. * Review comment: Use NativePRNGNonBlocking for SecureRandom. * Rename isv.pfx to isv-svc.pfx * Rename keystore to isv.pfx, for clarity. * Update scripts so that they no longer require user input. * Generate isv.pfx from the key and certificates. * Remove private key from repository. * Declare an empty PSE Manifest to be invalid. * Generate keystores "on the fly". * Rename integration tests to end in "IT" instead of "Test". * Add README * Turn remote-attestation into a separate Gradle project.
#!/usr/bin/env sh
##############################################################################
##
## Gradle start up script for UN*X
##
##############################################################################
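# Attempt to set APP_HOME: the physical directory that holds this script.
# Resolve links: $0 may be a link, and a relative link target is interpreted
# relative to the directory that contains the link.
PRG="$0"
while [ -h "$PRG" ] ; do
    # The link target is taken from the text after the last "-> " in the
    # `ls -ld` output, as the original script does.
    ls=$(ls -ld -- "$PRG")
    link=$(expr "$ls" : '.*-> \(.*\)$')
    # `case` instead of `expr "$link" : '/.*'`: a link target that happens to
    # look like an expr operator cannot be misparsed.
    case $link in
        /*) PRG="$link" ;;
        *)  PRG="$(dirname -- "$PRG")/$link" ;;
    esac
done

# APP_HOME decides which gradle-wrapper.jar is handed to the JVM, so it must
# never silently fall back to the caller's working directory:
#   * the cd runs in a subshell, so the caller's cwd is left untouched and
#     there is no "cd back" step that could fail;
#   * CDPATH is emptied for the cd, so a relative directory name cannot be
#     resolved against an inherited CDPATH entry;
#   * a failed cd aborts the script instead of continuing with a wrong path.
APP_HOME=$(CDPATH= cd -- "$(dirname -- "$PRG")" >/dev/null && pwd -P) || {
    echo "ERROR: cannot determine the directory containing $PRG" >&2
    exit 1
}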
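APP_NAME="Gradle"
# Name the script was invoked as. Parameter expansion avoids a fork and, unlike
# `basename "$0"`, cannot mistake a $0 that begins with "-" for an option.
APP_BASE_NAME=${0##*/}

# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
# NOTE: these three values are expanded unquoted on the `eval set --` line
# further down, so their content is parsed as shell text. Only put values from
# a trusted source in them.
DEFAULT_JVM_OPTS=""

# Use the maximum available, or set MAX_FD != -1 to use that value.
MAX_FD="maximum"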
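# Print all arguments as one line on stderr.
# Diagnostics go to stderr so they cannot end up in output that a caller
# captures or pipes; printf is used so that text such as "-n" or backslashes
# is printed literally.
warn () {
    printf '%s\n' "$*" >&2
}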
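# Print all arguments as one message on stderr, framed by blank lines, then
# terminate the script with exit status 1.
die () {
    {
        echo
        printf '%s\n' "$*"
        echo
    } >&2
    exit 1
}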
# OS specific support (must be 'true' or 'false').
# Every flag starts out false; at most one is switched on, chosen by the
# prefix of the name that `uname` prints.
cygwin=false msys=false darwin=false nonstop=false
case "$(uname)" in
    CYGWIN*)  cygwin=true ;;
    Darwin*)  darwin=true ;;
    MINGW*)   msys=true ;;
    NONSTOP*) nonstop=true ;;
esac
# The wrapper JAR is the only classpath entry passed to the JVM below, so it is
# the code this script ends up running.
# NOTE(review): this binary is typically committed next to the script; review
# any change to it and compare its checksum with the one published for the
# wrapper version in use.
CLASSPATH="${APP_HOME}/gradle/wrapper/gradle-wrapper.jar"
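# Determine the Java command to use to start the JVM.
# The binary comes from JAVA_HOME when it is set, otherwise from PATH, so the
# environment of the caller decides which executable is started.
if [ -n "$JAVA_HOME" ] ; then
    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
        # IBM's JDK on AIX uses strange locations for the executables
        JAVACMD="$JAVA_HOME/jre/sh/java"
    else
        JAVACMD="$JAVA_HOME/bin/java"
    fi
    if [ ! -x "$JAVACMD" ] ; then
        die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME

Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
    fi
else
    JAVACMD="java"
    # `command -v` is the POSIX way to test for a command; `which` is an
    # external tool that may be missing or report success inconsistently.
    command -v java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.

Please set the JAVA_HOME variable in your environment to match the
location of your Java installation."
fi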
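# Increase the maximum file descriptors if we can.
# Skipped on Cygwin, Darwin and NonStop. Separate `[ ]` tests joined with
# && / || replace the obsolescent -a / -o operators, the command status is
# tested directly instead of through $?, and $MAX_FD is quoted so that an
# empty or multi-word value reaches ulimit as a single argument.
if [ "$cygwin" = "false" ] && [ "$darwin" = "false" ] && [ "$nonstop" = "false" ] ; then
    if MAX_FD_LIMIT=$(ulimit -H -n) ; then
        # "maximum" / "max" mean: raise the soft limit to the hard limit.
        if [ "$MAX_FD" = "maximum" ] || [ "$MAX_FD" = "max" ] ; then
            MAX_FD="$MAX_FD_LIMIT"
        fi
        if ! ulimit -n "$MAX_FD" ; then
            warn "Could not set maximum file descriptor limit: $MAX_FD"
        fi
    else
        warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
    fi
fi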
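# For Darwin, add options to specify how the application appears in the dock
# The flag is compared as a string instead of being run as a command
# (`if $darwin`): an unset flag then counts as false rather than true, and an
# unexpected value is never executed.
# The escaped quotes are resolved later by the `eval set --` line, which parses
# GRADLE_OPTS as shell text.
if [ "$darwin" = "true" ] ; then
    GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
fi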
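# For Cygwin, switch paths to Windows format before running java
# The flag is compared as a string instead of being run as a command, so an
# unset or unexpected value never enters this branch.
if [ "$cygwin" = "true" ] ; then
    APP_HOME=$(cygpath --path --mixed "$APP_HOME")
    CLASSPATH=$(cygpath --path --mixed "$CLASSPATH")
    JAVACMD=$(cygpath --unix "$JAVACMD")

    # We build the pattern for arguments to be converted via cygpath:
    # an alternation of the directories found directly under "/".
    ROOTDIRSRAW=$(find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null)
    # Start from an empty list so a ROOTDIRS value inherited from the
    # environment cannot leak into the pattern.
    ROOTDIRS=""
    SEP=""
    # Unquoted on purpose: the find output is split into one word per directory.
    for dir in $ROOTDIRSRAW ; do
        ROOTDIRS="$ROOTDIRS$SEP$dir"
        SEP="|"
    done
    OURCYGPATTERN="(^($ROOTDIRS))"
    # Add a user-defined pattern to the cygpath arguments
    if [ -n "$GRADLE_CYGPATTERN" ] ; then
        OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
    fi

    # Now convert the arguments - kludge to limit ourselves to /bin/sh
    # Each argument is shifted off the front and pushed back (possibly
    # converted) at the end, so after one pass every argument is back in its
    # original position. No argument text is passed through `eval`, which means
    # quotes, backticks or $( ) inside an argument stay literal, and the list is
    # no longer limited to nine arguments.
    # A `for` loop captures its word list before it starts, so changing the
    # positional parameters inside the body does not disturb the iteration.
    for arg do
        case $arg in
            -*)
                # Options are never converted.
                ;;
            *)
                if printf '%s\n' "$arg" | grep -E -q -e "$OURCYGPATTERN" ; then
                    arg=$(cygpath --path --ignore --mixed "$arg")
                fi
                ;;
        esac
        shift
        set -- "$@" "$arg"
    done
fi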
# Escape application args
# Prints every argument wrapped in single quotes and followed by " \" and a
# newline; a single quote inside an argument is written as '\''. The output
# ends with a line holding one space. The result is meant to be re-read by
# `eval`, which turns it back into the original argument list.
save () {
    for i
    do
        printf '%s\n' "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/"
    done
    echo " "
}
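APP_ARGS=$(save "$@")

# Collect all arguments for the java command, following the shell quoting and substitution rules
#
# APP_BASE_NAME and CLASSPATH are passed to eval as literal text (single
# quotes), so eval expands them exactly once inside double quotes. Pasting
# their values into the eval string would let a script name or checkout path
# containing a double quote, "$" or a backtick be parsed as shell code.
#
# DEFAULT_JVM_OPTS, JAVA_OPTS and GRADLE_OPTS are evaluated as shell text on
# purpose, so that quoting inside them works. Anything able to set those
# variables can therefore run commands here; take them only from trusted
# configuration.
eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS \
    '"-Dorg.gradle.appname=$APP_BASE_NAME"' \
    -classpath '"$CLASSPATH"' \
    org.gradle.wrapper.GradleWrapperMain \
    "$APP_ARGS"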
# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
# Only on Darwin, and only when the working directory is the user's home, move
# to the directory of the script as it was invoked.
if [ "$(uname)" = "Darwin" ] ; then
    if [ "$HOME" = "$PWD" ] ; then
        cd "$(dirname "$0")"
    fi
fi

# Replace this shell with the JVM; the positional parameters were assembled by
# the `eval set --` line above.
exec "$JAVACMD" "$@"