From c2de015d9a8d34c1316906a787a5c46d9b0655ff Mon Sep 17 00:00:00 2001 From: Aditya Gurajada Date: Mon, 4 Dec 2023 12:35:47 -0800 Subject: [PATCH] Fix lists of public- and symmetric-key algorithms. - Finalize list of supported public-key and authenticated symmetric-key algorithms. - Adjust some token / variable names to introduce term 'authenticated' - Add RESOLVEs to run_example.sh:run_test-crypto_algorithms() documenting the cases where choice of these algorithm names is running into errors. --- include/certifier_algorithms.h | 2 +- sample_apps/common/example_app.cc | 35 ++++++++++++++++++------------- sample_apps/run_example.sh | 22 ++++++++++++------- src/cc_helpers.cc | 2 +- src/certifier_algorithms.cc | 15 +++++++++---- 5 files changed, 47 insertions(+), 29 deletions(-) diff --git a/include/certifier_algorithms.h b/include/certifier_algorithms.h index c8fa04e2..d807ae76 100644 --- a/include/certifier_algorithms.h +++ b/include/certifier_algorithms.h @@ -69,7 +69,7 @@ extern const char *Integrity_method_aes_256_gcm; extern const char *Integrity_method_hmac_sha256; extern const char *Enc_public_key_algorithms[]; -extern const char *Enc_symmetric_key_algorithms[]; +extern const char *Enc_authenticated_symmetric_key_algorithms[]; extern const int Num_public_key_algorithms; extern const int Num_symmetric_key_algorithms; diff --git a/sample_apps/common/example_app.cc b/sample_apps/common/example_app.cc index c2b1e9cd..8287e076 100644 --- a/sample_apps/common/example_app.cc +++ b/sample_apps/common/example_app.cc @@ -55,10 +55,11 @@ DEFINE_string(platform_attest_endorsement, "platform endorsement of attest key"); DEFINE_string(attest_key_file, "attest_key_file.bin", "attest key"); DEFINE_string(measurement_file, "example_app.measurement", "measurement"); + DEFINE_string(public_key_alg, Enc_method_rsa_2048, "public key algorithm"); -DEFINE_string(symmetric_key_alg, +DEFINE_string(auth_symmetric_key_alg, Enc_method_aes_256_cbc_hmac_sha256, - "symmetric key algorithm"); + "authenticated symmetric key algorithm"); static string enclave_type("simulated-enclave"); @@ -333,19 +334,23 @@ int main(int an, char **av) { "run-app-as-client, run-app-as-server\n"); #ifdef SIMPLE_APP + + // clang-format off printf("\nFor the simple_app, you can additionally drive 'cold-init' with different pairs of:\n"); printf("\n\ - --public_key_alg=public-key-algorigthm-name : %s\n\ - --symmetric_key_alg=symmetric-key-algorigthm-name : %s\n", - FLAGS_public_key_alg.c_str(), - FLAGS_symmetric_key_alg.c_str()); + --public_key_alg=public-key-algorigthm-name : %s\n\ + --auth_symmetric_key_alg=authenticated-symmetric-key-algorigthm-name : %s\n", + FLAGS_public_key_alg.c_str(), + FLAGS_auth_symmetric_key_alg.c_str()); + // clang-format on + printf("\nPublic-key algorithms supported:\n"); for (int i = 0; i < Num_public_key_algorithms; i++) { - printf(" %s\n", Enc_public_key_algorithms[i]); + printf(" %s\n", Enc_public_key_algorithms[i]); } printf("\nSymmetric-key algorithms supported:\n"); for (int i = 0; i < Num_symmetric_key_algorithms; i++) { - printf(" %s\n", Enc_symmetric_key_algorithms[i]); + printf(" %s\n", Enc_authenticated_symmetric_key_algorithms[i]); } #endif // SIMPLE_APP @@ -394,31 +399,31 @@ int main(int an, char **av) { // Use specified algorithms for the enclave Defaults: #ifdef SIMPLE_APP - // We support --public_key_alg and --symmetric_key_alg only for simple_app + // We support --public_key_alg and --auth_symmetric_key_alg only for simple_app // (as a way to exercise tests w/ different pairs of algorithms). - string public_key_alg(FLAGS_public_key_alg); // Enc_method_rsa_2048 - string symmetric_key_alg(FLAGS_symmetric_key_alg); // Enc_method_aes_256_cbc_hmac_sha256 + string public_key_alg(FLAGS_public_key_alg); // Enc_method_rsa_2048 + string auth_symmetric_key_alg(FLAGS_auth_symmetric_key_alg); // Enc_method_aes_256_cbc_hmac_sha256 if (FLAGS_print_all) { printf("measurement file='%s', ", FLAGS_measurement_file.c_str()); } #else string public_key_alg(Enc_method_rsa_2048); - string symmetric_key_alg(Enc_method_aes_256_cbc_hmac_sha256); + string auth_symmetric_key_alg(Enc_method_aes_256_cbc_hmac_sha256); #endif // SIMPLE_APP // clang-format on if (FLAGS_print_all && (FLAGS_operation == "cold-init")) { - printf("public_key_alg='%s', symmetric_key_alg='%s\n", + printf("public_key_alg='%s', authenticated_symmetric_key_alg='%s\n", public_key_alg.c_str(), - symmetric_key_alg.c_str()); + auth_symmetric_key_alg.c_str()); } // Carry out operation int ret = 0; if (FLAGS_operation == "cold-init") { if (!trust_mgr->cold_init(public_key_alg, - symmetric_key_alg, + auth_symmetric_key_alg, "simple-app-home_domain", FLAGS_policy_host, FLAGS_policy_port, diff --git a/sample_apps/run_example.sh b/sample_apps/run_example.sh index 04f9f332..590c0b76 100755 --- a/sample_apps/run_example.sh +++ b/sample_apps/run_example.sh @@ -109,7 +109,7 @@ CC_vcek_key_file_SIM_SEV="/etc/certifier-snp-sim/ec-secp384r1-pub-key.pem" # arguments while running 'cold-init' for simple_app. # --------------------------------------------------------------------------- Simple_app_public_key_algo="" -Simple_app_symmetric_key_algo="" +Simple_app_symmetric_key_algo="" # Authenticated symmetric-key alg name # ########################################################################### # Set trap handlers for all errors. Needs -E (-o errtrace): Ensures that ERR @@ -2242,9 +2242,9 @@ function run_app_by_name_as_server_talk_to_Cert_Service() { public_key_algo_arg="--public_key_alg=${Simple_app_public_key_algo}" fi if [ "${Simple_app_symmetric_key_algo}" != "" ]; then - symmetric_key_algo_arg="--symmetric_key_alg=${Simple_app_symmetric_key_algo}" + symmetric_key_algo_arg="--auth_symmetric_key_alg=${Simple_app_symmetric_key_algo}" fi - echo "${Me}: Public-key algorithm: '${public_key_algo_arg}', Symmetric-key algorithm: '${symmetric_key_algo_arg}'" + echo "${Me}: Public-key algorithm: '${public_key_algo_arg}', Authenticated Symmetric-key algorithm: '${symmetric_key_algo_arg}'" fi run_cmd "${EXAMPLE_DIR}/${app_name_exe}" \ @@ -2443,9 +2443,9 @@ function run_app_by_name_as_client_talk_to_Cert_Service() { public_key_algo_arg="--public_key_alg=${Simple_app_public_key_algo}" fi if [ "${Simple_app_symmetric_key_algo}" != "" ]; then - symmetric_key_algo_arg="--symmetric_key_alg=${Simple_app_symmetric_key_algo}" + symmetric_key_algo_arg="--auth_symmetric_key_alg=${Simple_app_symmetric_key_algo}" fi - echo "${Me}: Public-key algorithm: '${public_key_algo_arg}', Symmetric-key algorithm: '${symmetric_key_algo_arg}'" + echo "${Me}: Public-key algorithm: '${public_key_algo_arg}', Authenticated Symmetric-key algorithm: '${symmetric_key_algo_arg}'" fi run_cmd "${EXAMPLE_DIR}/${app_name_exe}" \ @@ -3211,9 +3211,14 @@ function run_test-crypto_algorithms() { # public-key algo 'ecc-384' is failing ... Comment out for now ... # for public_key_algo in rsa-3072 rsa-4096 ecc-384; do for public_key_algo in rsa-3072 rsa-4096; do - # for symmetric_key_algo in aes-256-cbc-hmac-sha256; do - symmetric_key_algo="aes-256-cbc-hmac-sha256" - + # RESOLVE: Investigate & fix these limitations: + # - generate_symmetric_key() does not support + # Enc_method_aes_128_cbc_hmac_sha256; i.e., "aes-128-cbc-hmac-sha256"; + # - unprotect_blob() only allows Enc_method_aes_256_cbc_hmac_sha256 + # - These two should also be supported in loop below: + # - aes-256-cbc-hmac-sha384, aes-256-gcm + for symmetric_key_algo in aes-256-cbc-hmac-sha256; + do Simple_app_public_key_algo="${public_key_algo}" Simple_app_symmetric_key_algo="${symmetric_key_algo}" @@ -3228,6 +3233,7 @@ function run_test-crypto_algorithms() { run_app_as_client_talk_to_Cert_Service run_app_as_server_offers_trusted_service run_app_as_client_make_trusted_request + done done if [ "${DoCleanup}" = 1 ]; then diff --git a/src/cc_helpers.cc b/src/cc_helpers.cc index 9e7ecddc..a3024148 100644 --- a/src/cc_helpers.cc +++ b/src/cc_helpers.cc @@ -1077,7 +1077,7 @@ bool certifier::framework::cc_trust_manager::generate_symmetric_key( if (cc_symmetric_key_initialized_ && !regen) return true; - // Make up symmetric keys (e.g.-for sealing)for app + // Make up symmetric keys (e.g.-for sealing) for app int num_key_bytes; if (symmetric_key_algorithm_ == Enc_method_aes_256_cbc_hmac_sha256 || symmetric_key_algorithm_ == Enc_method_aes_256_cbc_hmac_sha384 diff --git a/src/certifier_algorithms.cc b/src/certifier_algorithms.cc index 19c55343..25a24d15 100644 --- a/src/certifier_algorithms.cc +++ b/src/certifier_algorithms.cc @@ -21,12 +21,15 @@ * Encryption algorithms supported. */ const char * Enc_method_aes_128 = "aes-128"; -const char * Enc_method_aes_128_cbc_hmac_sha256 = "aes-128-cbc-hmac-sha256"; const char * Enc_method_aes_256 = "aes-256"; const char * Enc_method_aes_256_cbc = "aes-256-cbc"; + +// Authenticated symmetric-key algorithms +const char * Enc_method_aes_128_cbc_hmac_sha256 = "aes-128-cbc-hmac-sha256"; const char * Enc_method_aes_256_cbc_hmac_sha256 = "aes-256-cbc-hmac-sha256"; const char * Enc_method_aes_256_cbc_hmac_sha384 = "aes-256-cbc-hmac-sha384"; const char * Enc_method_aes_256_gcm = "aes-256-gcm"; + const char * Enc_method_ecc_256_private = "ecc-256-private"; const char * Enc_method_ecc_256_public = "ecc-256-public"; const char * Enc_method_ecc_256_sha256_pkcs_sign = "ecc-256-sha256-pkcs-sign"; @@ -60,11 +63,15 @@ const char *Enc_public_key_algorithms[] = const int Num_public_key_algorithms = ARRAY_LEN(Enc_public_key_algorithms); -const char *Enc_symmetric_key_algorithms[] = - { Enc_method_aes_256_cbc_hmac_sha256 +// Names of Authenticated symmetric-key algorithms +const char *Enc_authenticated_symmetric_key_algorithms[] = + { Enc_method_aes_128_cbc_hmac_sha256 + , Enc_method_aes_256_cbc_hmac_sha256 + , Enc_method_aes_256_cbc_hmac_sha384 + , Enc_method_aes_256_gcm }; -const int Num_symmetric_key_algorithms = ARRAY_LEN(Enc_symmetric_key_algorithms); +const int Num_symmetric_key_algorithms = ARRAY_LEN(Enc_authenticated_symmetric_key_algorithms); /* * Cryptographic hash algorithms supported.