Problem: no proof that a keypair was generated inside NE (fixes #92) #95

Merged 1 commit on Jun 22, 2021

tomtau commented Jun 17, 2021

Solution:

  • extended response for keygen in the helper + extra comments/small refactor
  • nitro enclave returns an attestation doc for the generated pubkey + used AWS KMS key id
  • added a small Python verification script to illustrate how the attestation doc payload can be processed

Review comment on these lines of the Python verification script:

from cose.keys.ec2 import EC2
from cose.keys.curves import P384
from cose.messages import Sign1Message
from Crypto.Util.number import long_to_bytes

sonatype-lift (bot) commented:

blacklist: The pyCrypto library and its module long_to_bytes are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
(at-me in a reply with help or ignore)


tomtau (author) replied:

@sonatype-lift ignore


sonatype-lift (bot) replied:

I've recorded this as ignored for this pull request. If you change your mind, just comment @sonatype-lift unignore.


tomtau (author) commented:

(this script is only for illustration -- when there's an official AWS verification functionality in AWS Rust API, it can potentially be used instead)
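As an added illustration (not the PR's script and not project code): a dependency-free Python decoder for the attestation document the enclave returns, which parses the COSE_Sign1 envelope and the CBOR payload using the NSM attestation document field names, then checks that the document binds the generated pubkey and the KMS key id. It assumes the pubkey is carried in `public_key` and the key id as bytes in `user_data`, uses constructed placeholder bytes, and leaves the ES384 signature and certificate chain verification to a COSE library, as the PR's script does.

```python
def enc(v):  # minimal CBOR encoder, used only to build the constructed sample below
    def head(mt, n):
        if n < 24: return bytes([mt << 5 | n])
        size = next(s for s in (1, 2, 4, 8) if n < 1 << (8 * s))
        return bytes([mt << 5 | 23 + size.bit_length()]) + n.to_bytes(size, "big")  # ai 24..27
    if v is None: return b"\xf6"
    if isinstance(v, int): return head(0, v) if v >= 0 else head(1, -1 - v)
    if isinstance(v, bytes): return head(2, len(v)) + v
    if isinstance(v, str): return head(3, len(v.encode())) + v.encode()
    if isinstance(v, list): return head(4, len(v)) + b"".join(map(enc, v))
    return head(5, len(v)) + b"".join(enc(k) + enc(x) for k, x in v.items())

def dec(buf, i=0):  # decode one definite-length CBOR item at buf[i] -> (value, next_index)
    mt, ai, i = buf[i] >> 5, buf[i] & 0x1F, i + 1
    if ai > 27: raise ValueError("indefinite-length items are not accepted")
    size = 0 if ai < 24 else 1 << (ai - 24)
    n, i = (ai if ai < 24 else int.from_bytes(buf[i:i + size], "big")), i + size
    if mt < 2: return (n if mt == 0 else -1 - n), i
    if mt in (2, 3):
        if len(buf) < i + n: raise ValueError("truncated string")
        return (buf[i:i + n] if mt == 2 else buf[i:i + n].decode()), i + n
    if mt in (4, 5):  # array, or map read as a flat key/value sequence
        items = []
        for _ in range(n * (mt - 3)):
            v, i = dec(buf, i); items.append(v)
        return (items if mt == 4 else dict(zip(items[::2], items[1::2]))), i
    if mt == 6 and n == 18: return dec(buf, i)  # COSE_Sign1 tag wraps the 4-item array
    if mt == 7 and n == 22: return None, i      # null, e.g. an absent nonce
    raise ValueError(f"unsupported CBOR item (major type {mt})")

def check_attestation(doc, expected_pubkey, expected_kms_key_id):  # returns payload map or raises
    msg, end = dec(doc)
    if end != len(doc) or not (isinstance(msg, list) and len(msg) == 4 and isinstance(msg[2], bytes)):
        raise ValueError("not a COSE_Sign1 structure")
    att, _ = dec(msg[2])  # [protected, unprotected, payload, signature]; signature is checked elsewhere
    if any(f not in att for f in ("module_id", "digest", "timestamp", "pcrs", "certificate", "cabundle")):
        raise ValueError("attestation document lacks NSM fields")
    if att.get("public_key") != expected_pubkey:
        raise ValueError("attested public_key is not the generated key")
    if att.get("user_data") != expected_kms_key_id.encode():  # assumption: key id travels in user_data
        raise ValueError("user_data does not carry the expected KMS key id")
    return att

# Constructed sample (placeholder values, not real enclave output): tag 18 envelope, alg ES384 (-35)
SAMPLE_PUBKEY, SAMPLE_KMS_KEY_ID = b"\x04" + b"\x11" * 96, "00000000-0000-0000-0000-000000000000"
SAMPLE_DOC = b"\xd2" + enc([enc({1: -35}), {}, enc({
    "module_id": "i-0example-enc0", "digest": "SHA384", "timestamp": 1624320000000,
    "pcrs": {0: b"\x00" * 48}, "certificate": b"<placeholder DER>", "cabundle": [b"<placeholder DER>"],
    "public_key": SAMPLE_PUBKEY, "user_data": SAMPLE_KMS_KEY_ID.encode(), "nonce": None,
}), b"\x00" * 96])  # placeholder signature bytes
```

A real check additionally verifies the signature over the protected header and payload with the leaf `certificate`, chained through `cabundle` to the Nitro root, and compares the `pcrs` against the expected enclave image measurements.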


linfeng-crypto left a comment:

Maybe we can translate the Python script to Rust, so that we can check directly after the keypair is generated instead of running the script manually. Can create a new issue.

tomtau commented Jun 18, 2021

> Maybe we can translate the Python script to Rust, so that we can check directly after the keypair is generated instead of running the script manually. Can create a new issue.

Yeah, at least basic processing should be possible with https://crates.io/crates/aws-nitro-enclaves-cose + https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/nsm-io/src/lib.rs#L298 -- I can open an issue for it.

tomtau force-pushed the fix/nitro-attest branch from 8ef8afe to 2c60558 on June 22, 2021 02:53, with the commit message:

Solution:
- extended response for keygen in the helper + extra comments/small refactor
- nitro enclave returns an attestation doc for the generated pubkey + used AWS KMS key id
- added a small Python verification script to illustrate how the attestation doc payload can be processed

allthatjazzleo left a comment:

LGTM

tomtau merged commit 05c2a48 into crypto-com:main on Jun 22, 2021