Chris Rankin 2725f53ef5
ENT-1074 - Proof-of-concept ISV for SGX remote attestation (#161)
* Initial WIP.
* Configure IAS host via system properties.
* Create separate Gretty configurations for testing and for IAS.
* (WIP) Separate configuration values from WAR; Add msg3 -> msg4 handling.
* Check the IAS report's cryptographic signature.
* Accept CertPath from IAS instead of a Certificate.
* Validate the certificate chain for the IAS report.
* Refactor response handling, and add a secret to Message4.
* Append public DH keys to generated shared secret.
* Use DH secret to generate a 256 bit AES key.
* Fix runISV Gradle task so that it creates WAR file.
* Migrate MockIAS service into a separate package.
* Remove unused aesCMAC field from Message3.
* Configure HTTP sessions to expire after 10 idle minutes.
* Ensure we select the "isv" key for MTLS with Intel Attestation Service.
* Set key alias for Intel's public certificate.
* Implement GET /attest/provision endpoint.
* Use elliptic curves for Diffie-Hellman keys.
* Pass public keys as Little Endian byte arrays without ASN.1 encoding.
* Add AES-CMAC signature to Message2.
* Remove signature fields from QUOTE body for sending to IAS.
* Add a dummy AES-CMAC field to Message3 for later validation.
* Generate AEC-CMAC for Message 3, and refactor crypto functionality.
* Calculate AES-CMAC using AES/CBC/PKCS5Padding algorithm.
* Use BouncyCastle's AESCMAC algorithm for MAC calculation.
* Include standard crypto test vectors to the unit tests.
* Encrypt MSG3 secret using AES/GCM/NoPadding with 128 bit key.
* Hash shared key with Little Endian versions of public keys.
* Refactor so that hexToBytes() is a utility.
* Simplify signing of MocKIAS report.
* Separate AES/GCM authentication tag from the encrypted data.
* Create /ias/report endpoint for ISV which proxies IAS.
* Remove unnecessary @Throws from MockIAS handlers.
* Log HTTP error status from IAS.
* Replace runISV task with startISV and stopISV tasks.
* Refactor tests to use CryptoProvider @Rule instead of @Suite.
* Move Web server for integration tests to use non-production ports.
* Add proxy endpoint for IAS revocation list.
* Generate an ECDSA "service key" for signing (gb|ga).
* Generate a persistent key-pair for the ISV to sign with.
* Verify the (Gb|Ga) signature from Message2.
* Add debugging aids.
* Fix Gradle warning.
* Remove TLV header from Platform Info Body for MSG4.
* Small tidy-up.
* Use SPID "as-is" when calculating CMAC for MSG2.
* Add DEBUG messages for MSG2's KDK and SMK values (AES-CMAC).
* Add DEBUG logging for ECDH shared secret.
* More DEBUG logging.
* The ECDH shared secret *is* the x-coordinate: no need to subrange.
* Adjust MockIAS to return an empty revocationList for GID 0000000b.
* Fix ArrayOutOfBoundsException for "small" integer values.
* Test MSG1 with empty revocation list.
* Add extra logging for IAS report request.
* ReportResponse object cannot be null.
* Fix misreading of spec - don't remove quote's signature when requesting report from IAS.
* Log invalid contents of X-IAS-Report-Signing-Certificate HTTP header.
* Build CertPath for IAS from explicit list of Certificates.
* Rename quote fields on IAS ReportResponse to match Intel.
* Log report ID and quote status from IAS.
* Add a revocation list checker to the certificate path validator.
* Tweak revocation list options, depending on IAS vs MockIAS.
* Extract Intel's certificate specifically by alias for PKIX.
* Tune quote body returned by MockIAS.
* Add AES-CMAC field to Message4 for validation.
* Increase GCM authentication tag to 128 bits.
* Receive platformInfoBlob from IAS as hexadecimal string.
* Generate secret encryption key using KDK and SK values.
* Marshall platformInfoBlob between Base16 string and ByteArray.
* Interpret status results from IAS as enums.
* Use lateinit for HttpServletRequest field.
* Refactor ExceptionHandler out of messages package.
* Alias is for ISV, so rename it.
* Refactor classes into more correct packages.
* Use random 96 bit IV for GCM encryption.
* Parameterise HTTP/HTTPS ports via Gradle.
* Do not forward a securityManifest containing only zeros to IAS.
* Address review comments.
* Review comment: Use NativePRNGNonBlocking for SecureRandom.
* Rename isv.pfx to isv-svc.pfx
* Rename keystore to isv.pfx, for clarity.
* Update scripts so that they no longer require user input.
* Generate isv.pfx from the key and certificates.
* Remove private key from repository.
* Declare an empty PSE Manifest to be invalid.
* Generate keystores "on the fly".
* Rename integration tests to end in "IT" instead of "Test".
* Add README
* Turn remote-attestation into a separate Gradle project.
2017-12-12 13:34:26 +00:00

174 lines
5.5 KiB
Groovy

buildscript {
repositories {
mavenLocal()
mavenCentral()
jcenter()
}
dependencies {
classpath 'org.akhikhl.gretty:gretty:2.0.0'
}
ext.keyStoreDir = "$buildDir/keystore"
ext.httpsKeyStoreDir = "$buildDir/https-keystore"
// Port numbers to launch the different components on.
ext.isvHttpPort = 8080
ext.isvTestHttpPort = 9080
ext.iasTestHttpsPort = 9443
}
apply plugin: 'kotlin'
apply plugin: 'war'
apply plugin: 'org.akhikhl.gretty'
description 'Server side of SGX remote attestation process'
import org.akhikhl.gretty.AppStartTask
import org.akhikhl.gretty.AppStopTask
configurations {
integrationTestCompile.extendsFrom testCompile
integrationTestRuntime.extendsFrom testRuntime
}
sourceSets {
integrationTest {
kotlin {
compileClasspath += main.compileClasspath + test.compileClasspath
runtimeClasspath += main.runtimeClasspath + test.runtimeClasspath
//noinspection GroovyAssignabilityCheck
srcDir file('src/integration-test/kotlin')
}
}
}
dependencies {
compile "org.jetbrains.kotlin:kotlin-stdlib-jre8:$kotlin_version"
compile "org.jetbrains.kotlin:kotlin-reflect:$kotlin_version"
testCompile "org.jetbrains.kotlin:kotlin-test:$kotlin_version"
testCompile "junit:junit:$junit_version"
compile "org.bouncycastle:bcpkix-jdk15on:$bouncycastle_version"
compile "org.jboss.resteasy:resteasy-jaxrs:$resteasy_version"
compile "org.jboss.resteasy:resteasy-jackson2-provider:$resteasy_version"
compile "org.jboss.resteasy:resteasy-servlet-initializer:$resteasy_version"
compile "com.fasterxml.jackson.core:jackson-core:$jackson_version"
compile "com.fasterxml.jackson.core:jackson-databind:$jackson_version"
compile "com.fasterxml.jackson.core:jackson-annotations:$jackson_version"
compile "com.fasterxml.jackson.datatype:jackson-datatype-jsr310:$jackson_version"
compile "org.apache.logging.log4j:log4j-slf4j-impl:$log4j_version"
compile "org.apache.logging.log4j:log4j-core:$log4j_version"
runtime "org.apache.logging.log4j:log4j-web:$log4j_version"
compile "org.slf4j:jcl-over-slf4j:$slf4j_version"
}
tasks.withType(Test) {
// Enable "unlimited" encryption.
systemProperties["java.security.properties"] = "$projectDir/src/integration-test/security.properties"
// Set logging directory for all tests.
systemProperties["attestation.home"] = "$buildDir/logs"
}
task intelKeyStores(type: Exec) {
doFirst {
mkdir keyStoreDir
}
inputs.dir "$projectDir/src/main/ssl/intel-ssl"
outputs.dir keyStoreDir
workingDir keyStoreDir
commandLine "$projectDir/src/main/ssl/intel-ssl/generate-keystores.sh"
}
task serviceKeyStore(type: Exec) {
doFirst {
mkdir keyStoreDir
}
inputs.dir "$projectDir/src/main/ssl/service-key"
outputs.dir keyStoreDir
workingDir keyStoreDir
commandLine "$projectDir/src/main/ssl/service-key/generate-keystore.sh"
}
processResources {
dependsOn = [ intelKeyStores, serviceKeyStore ]
from keyStoreDir
}
task integrationTest(type: Test) {
testClassesDirs = sourceSets.integrationTest.output.classesDirs
classpath = sourceSets.integrationTest.runtimeClasspath
systemProperties["javax.net.ssl.keyStore"] = "$httpsKeyStoreDir/keystore"
systemProperties["javax.net.ssl.keyStorePassword"] = "attestation"
systemProperties["test.isv.httpPort"] = isvTestHttpPort
}
task httpsKeyStores(type: Exec) {
doFirst {
mkdir httpsKeyStoreDir
}
inputs.dir "$projectDir/src/integration-test/ssl"
outputs.dir httpsKeyStoreDir
workingDir httpsKeyStoreDir
commandLine "$projectDir/src/integration-test/ssl/generate-ssl.sh"
}
project.afterEvaluate {
appBeforeIntegrationTest.dependsOn httpsKeyStores
}
gretty {
httpPort = isvTestHttpPort
contextPath = "/"
servletContainer = 'tomcat8'
logDir = "$buildDir/logs"
logFileName = "gretty-test"
integrationTestTask = 'integrationTest'
jvmArgs = [
"-Dorg.jboss.logging.provider=slf4j",
"-Djava.security.properties=$projectDir/src/integration-test/security.properties",
"-Djavax.net.ssl.keyStore=$httpsKeyStoreDir/keystore",
"-Djavax.net.ssl.keyStorePassword=attestation",
"-Djavax.net.ssl.trustStore=$httpsKeyStoreDir/truststore",
"-Djavax.net.ssl.trustStorePassword=attestation",
"-Dattestation.home=$buildDir/logs",
"-Dias.host=localhost:$iasTestHttpsPort",
]
httpsPort = iasTestHttpsPort
httpsEnabled = true
sslNeedClientAuth = true
sslKeyStorePath = "$httpsKeyStoreDir/keystore"
sslKeyStorePassword = 'attestation'
sslKeyManagerPassword = 'attestation'
}
task('startISV', type: AppStartTask, dependsOn: war) {
prepareServerConfig {
httpPort = isvHttpPort
servletContainer = 'tomcat8'
logDir = "$buildDir/logs"
logFileName = "gretty-isv"
jvmArgs = [
"-Dorg.jboss.logging.provider=slf4j",
"-Djava.security.properties=$projectDir/src/main/security.properties",
"-Djavax.net.ssl.keyStore=$keyStoreDir/isv.pfx",
"-Djavax.net.ssl.keyStorePassword=attestation",
"-Dias.host=test-as.sgx.trustedservices.intel.com",
"-Dattestation.home=$buildDir/logs",
]
httpsEnabled = false
}
prepareWebAppConfig {
contextPath = "/"
inplace = false
}
interactive = false
}
task("stopISV", type: AppStopTask)