Fix lists of public- and symmetric-key algorithms.

- Finalize list of supported public-key and authenticated
  symmetric-key algorithms.

- Adjust some token / variable names to introduce term
  'authenticated'

- Add RESOLVEs to run_example.sh:run_test-crypto_algorithms()
  documenting the cases where choice of these algorithm
  names is running into errors.

include/certifier_algorithms.h

@@ -69,7 +69,7 @@ extern const char *Integrity_method_aes_256_gcm;
 extern const char *Integrity_method_hmac_sha256;
 
 extern const char *Enc_public_key_algorithms[];
-extern const char *Enc_symmetric_key_algorithms[];
+extern const char *Enc_authenticated_symmetric_key_algorithms[];
 extern const int   Num_public_key_algorithms;
 extern const int   Num_symmetric_key_algorithms;
 

sample_apps/common/example_app.cc

@@ -55,10 +55,11 @@ DEFINE_string(platform_attest_endorsement,
               "platform endorsement of attest key");
 DEFINE_string(attest_key_file, "attest_key_file.bin", "attest key");
 DEFINE_string(measurement_file, "example_app.measurement", "measurement");
+
 DEFINE_string(public_key_alg, Enc_method_rsa_2048, "public key algorithm");
-DEFINE_string(symmetric_key_alg,
+DEFINE_string(auth_symmetric_key_alg,
               Enc_method_aes_256_cbc_hmac_sha256,
-              "symmetric key algorithm");
+              "authenticated symmetric key algorithm");
 
 static string enclave_type("simulated-enclave");
 
@@ -333,19 +334,23 @@ int main(int an, char **av) {
            "run-app-as-client, run-app-as-server\n");
 
 #ifdef SIMPLE_APP
+
+    // clang-format off
     printf("\nFor the simple_app, you can additionally drive 'cold-init' with different pairs of:\n");
     printf("\n\
-                  --public_key_alg=public-key-algorigthm-name             : %s\n\
-                  --symmetric_key_alg=symmetric-key-algorigthm-name       : %s\n",
-                  FLAGS_public_key_alg.c_str(),
-                  FLAGS_symmetric_key_alg.c_str());
+    --public_key_alg=public-key-algorigthm-name                          : %s\n\
+    --auth_symmetric_key_alg=authenticated-symmetric-key-algorigthm-name : %s\n",
+            FLAGS_public_key_alg.c_str(),
+            FLAGS_auth_symmetric_key_alg.c_str());
+    // clang-format on
+
     printf("\nPublic-key algorithms supported:\n");
     for (int i = 0; i < Num_public_key_algorithms; i++) {
-        printf("  %s\n", Enc_public_key_algorithms[i]);
+      printf("  %s\n", Enc_public_key_algorithms[i]);
     }
     printf("\nSymmetric-key algorithms supported:\n");
     for (int i = 0; i < Num_symmetric_key_algorithms; i++) {
-        printf("  %s\n", Enc_symmetric_key_algorithms[i]);
+      printf("  %s\n", Enc_authenticated_symmetric_key_algorithms[i]);
     }
 
 #endif  // SIMPLE_APP
@@ -394,31 +399,31 @@ int main(int an, char **av) {
 
   // Use specified algorithms for the enclave            Defaults:
 #ifdef SIMPLE_APP
-  // We support --public_key_alg and --symmetric_key_alg only for simple_app
+  // We support --public_key_alg and --auth_symmetric_key_alg only for simple_app
   // (as a way to exercise tests w/ different pairs of algorithms).
-  string public_key_alg(FLAGS_public_key_alg);        // Enc_method_rsa_2048
-  string symmetric_key_alg(FLAGS_symmetric_key_alg);  // Enc_method_aes_256_cbc_hmac_sha256
+  string public_key_alg(FLAGS_public_key_alg);                  // Enc_method_rsa_2048
+  string auth_symmetric_key_alg(FLAGS_auth_symmetric_key_alg);  // Enc_method_aes_256_cbc_hmac_sha256
   if (FLAGS_print_all) {
       printf("measurement file='%s', ", FLAGS_measurement_file.c_str());
   }
 #else
   string public_key_alg(Enc_method_rsa_2048);
-  string symmetric_key_alg(Enc_method_aes_256_cbc_hmac_sha256);
+  string auth_symmetric_key_alg(Enc_method_aes_256_cbc_hmac_sha256);
 #endif  // SIMPLE_APP
 
   // clang-format on
 
   if (FLAGS_print_all && (FLAGS_operation == "cold-init")) {
-    printf("public_key_alg='%s', symmetric_key_alg='%s\n",
+    printf("public_key_alg='%s', authenticated_symmetric_key_alg='%s\n",
            public_key_alg.c_str(),
-           symmetric_key_alg.c_str());
+           auth_symmetric_key_alg.c_str());
   }
 
   // Carry out operation
   int ret = 0;
   if (FLAGS_operation == "cold-init") {
     if (!trust_mgr->cold_init(public_key_alg,
-                              symmetric_key_alg,
+                              auth_symmetric_key_alg,
                               "simple-app-home_domain",
                               FLAGS_policy_host,
                               FLAGS_policy_port,

sample_apps/run_example.sh

@@ -109,7 +109,7 @@ CC_vcek_key_file_SIM_SEV="/etc/certifier-snp-sim/ec-secp384r1-pub-key.pem"
 # arguments while running 'cold-init' for simple_app.
 # ---------------------------------------------------------------------------
 Simple_app_public_key_algo=""
-Simple_app_symmetric_key_algo=""
+Simple_app_symmetric_key_algo=""    # Authenticated symmetric-key alg name
 
 # ###########################################################################
 # Set trap handlers for all errors. Needs -E (-o errtrace): Ensures that ERR
@@ -2242,9 +2242,9 @@ function run_app_by_name_as_server_talk_to_Cert_Service() {
             public_key_algo_arg="--public_key_alg=${Simple_app_public_key_algo}"
         fi
         if [ "${Simple_app_symmetric_key_algo}" != "" ]; then
-            symmetric_key_algo_arg="--symmetric_key_alg=${Simple_app_symmetric_key_algo}"
+            symmetric_key_algo_arg="--auth_symmetric_key_alg=${Simple_app_symmetric_key_algo}"
         fi
-        echo "${Me}: Public-key algorithm: '${public_key_algo_arg}', Symmetric-key algorithm: '${symmetric_key_algo_arg}'"
+        echo "${Me}: Public-key algorithm: '${public_key_algo_arg}', Authenticated Symmetric-key algorithm: '${symmetric_key_algo_arg}'"
     fi
 
     run_cmd "${EXAMPLE_DIR}/${app_name_exe}"                    \
@@ -2443,9 +2443,9 @@ function run_app_by_name_as_client_talk_to_Cert_Service() {
             public_key_algo_arg="--public_key_alg=${Simple_app_public_key_algo}"
         fi
         if [ "${Simple_app_symmetric_key_algo}" != "" ]; then
-            symmetric_key_algo_arg="--symmetric_key_alg=${Simple_app_symmetric_key_algo}"
+            symmetric_key_algo_arg="--auth_symmetric_key_alg=${Simple_app_symmetric_key_algo}"
         fi
-        echo "${Me}: Public-key algorithm: '${public_key_algo_arg}', Symmetric-key algorithm: '${symmetric_key_algo_arg}'"
+        echo "${Me}: Public-key algorithm: '${public_key_algo_arg}', Authenticated Symmetric-key algorithm: '${symmetric_key_algo_arg}'"
     fi
 
     run_cmd "${EXAMPLE_DIR}/${app_name_exe}"                    \
@@ -3211,9 +3211,14 @@ function run_test-crypto_algorithms() {
     # public-key algo 'ecc-384' is failing ... Comment out for now ...
     # for public_key_algo in rsa-3072 rsa-4096 ecc-384; do
     for public_key_algo in rsa-3072 rsa-4096; do
-        # for symmetric_key_algo in aes-256-cbc-hmac-sha256; do
-        symmetric_key_algo="aes-256-cbc-hmac-sha256"
-
+        # RESOLVE: Investigate & fix these limitations:
+        #  - generate_symmetric_key() does not support
+        #    Enc_method_aes_128_cbc_hmac_sha256; i.e., "aes-128-cbc-hmac-sha256";
+        # - unprotect_blob() only allows Enc_method_aes_256_cbc_hmac_sha256
+        # - These two should also be supported in loop below:
+        #   - aes-256-cbc-hmac-sha384, aes-256-gcm
+        for symmetric_key_algo in aes-256-cbc-hmac-sha256;
+        do
             Simple_app_public_key_algo="${public_key_algo}"
             Simple_app_symmetric_key_algo="${symmetric_key_algo}"
 
@@ -3228,6 +3233,7 @@ function run_test-crypto_algorithms() {
             run_app_as_client_talk_to_Cert_Service
             run_app_as_server_offers_trusted_service
             run_app_as_client_make_trusted_request
+        done
     done
 
     if [ "${DoCleanup}" = 1 ]; then

src/cc_helpers.cc

@@ -1077,7 +1077,7 @@ bool certifier::framework::cc_trust_manager::generate_symmetric_key(
   if (cc_symmetric_key_initialized_ && !regen)
     return true;
 
-  // Make up symmetric keys (e.g.-for sealing)for app
+  // Make up symmetric keys (e.g.-for sealing) for app
   int num_key_bytes;
   if (symmetric_key_algorithm_ == Enc_method_aes_256_cbc_hmac_sha256
       || symmetric_key_algorithm_ == Enc_method_aes_256_cbc_hmac_sha384

src/certifier_algorithms.cc

@@ -21,12 +21,15 @@
  * Encryption algorithms supported.
  */
 const char * Enc_method_aes_128                   = "aes-128";
-const char * Enc_method_aes_128_cbc_hmac_sha256   = "aes-128-cbc-hmac-sha256";
 const char * Enc_method_aes_256                   = "aes-256";
 const char * Enc_method_aes_256_cbc               = "aes-256-cbc";
+
+// Authenticated symmetric-key algorithms
+const char * Enc_method_aes_128_cbc_hmac_sha256   = "aes-128-cbc-hmac-sha256";
 const char * Enc_method_aes_256_cbc_hmac_sha256   = "aes-256-cbc-hmac-sha256";
 const char * Enc_method_aes_256_cbc_hmac_sha384   = "aes-256-cbc-hmac-sha384";
 const char * Enc_method_aes_256_gcm               = "aes-256-gcm";
+
 const char * Enc_method_ecc_256_private           = "ecc-256-private";
 const char * Enc_method_ecc_256_public            = "ecc-256-public";
 const char * Enc_method_ecc_256_sha256_pkcs_sign  = "ecc-256-sha256-pkcs-sign";
@@ -60,11 +63,15 @@ const char *Enc_public_key_algorithms[] =
 
 const int Num_public_key_algorithms = ARRAY_LEN(Enc_public_key_algorithms);
 
-const char *Enc_symmetric_key_algorithms[] =
-                    {   Enc_method_aes_256_cbc_hmac_sha256
+// Names of Authenticated symmetric-key algorithms
+const char *Enc_authenticated_symmetric_key_algorithms[] =
+                    {   Enc_method_aes_128_cbc_hmac_sha256
+                      , Enc_method_aes_256_cbc_hmac_sha256
+                      , Enc_method_aes_256_cbc_hmac_sha384
+                      , Enc_method_aes_256_gcm
                     };
 
-const int Num_symmetric_key_algorithms = ARRAY_LEN(Enc_symmetric_key_algorithms);
+const int Num_symmetric_key_algorithms = ARRAY_LEN(Enc_authenticated_symmetric_key_algorithms);
 
 /*
  * Cryptographic hash algorithms supported.