key-manager: new unsecret state key

.buildkite/pipeline.yml

@@ -178,6 +178,16 @@ steps:
   ###############
   # E2E test jobs
   ###############
+  - label: Dummy key manager tests
+    timeout_in_minutes: 5
+    command:
+      - .buildkite/scripts/download_e2e_test_artifacts.sh
+      - .buildkite/scripts/test_dummy_keymanager.sh
+    agents:
+      buildkite_agent_size: large
+    plugins:
+      <<: *docker_plugin_configuration
+
   - label: E2E tests (%n)
     parallelism: 4
     timeout_in_minutes: 20

.buildkite/scripts/test_dummy_keymanager.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+############################################################
+# This script tests the Ekiden dummy key manager.
+#
+# Usage:
+# test_dummy_keymanager.sh [-w <workdir>]
+############################################################
+
+# Defaults.
+WORKDIR=$(pwd)
+
+#########################
+# Process test arguments.
+#########################
+while getopts 'f:t:' arg
+do
+    case ${arg} in
+        w) WORKDIR=${OPTARG};;
+        *)
+            echo "Usage: $0 [-w <workdir>]"
+            exit 1
+    esac
+done
+
+# Helpful tips on writing build scripts:
+# https://buildkite.com/docs/pipelines/writing-build-scripts
+set -euxo pipefail
+
+source .buildkite/scripts/common.sh
+source .buildkite/scripts/common_e2e.sh
+source .buildkite/rust/common.sh
+
+# Test the key manager node.
+test_keymanager() {
+    sleep 3
+
+    ${WORKDIR}/target/debug/ekiden-keymanager-test-client \
+        --mrenclave $(cat ${WORKDIR}/target/enclave/ekiden-keymanager-trusted.mrenclave) \
+        --tls-certificate ${WORKDIR}/tests/keymanager/km.pem
+}
+
+# Test minimal configuration.
+run_keymanager_node
+test_keymanager
+cleanup
+
+# Test with provided internal keys.
+run_keymanager_node --internal-keys "${WORKDIR}/tests/keymanager/internal-keys.cbor"
+test_keymanager
+cleanup

.buildkite/scripts/test_e2e.sh

@@ -68,15 +68,6 @@ scenario_discrepancy() {
     set_epoch 1
 }
 
-# Test the key manager node.
-test_keymanager() {
-    sleep 3
-
-    ${WORKDIR}/target/debug/ekiden-keymanager-test-client \
-        --mrenclave $(cat ${WORKDIR}/target/enclave/ekiden-keymanager-trusted.mrenclave) \
-        --tls-certificate ${WORKDIR}/tests/keymanager/km.pem
-}
-
 # Assert that the logger works.
 assert_logger_works() {
     assert_basic_success
@@ -123,8 +114,7 @@ test_suite() {
         name="e2e-${backend_name}-basic-db-encryption" \
         backend_runner=$backend_runner \
         runtime=test-db-encryption \
-        client=test-db-encryption \
-        post_km_hook=test_keymanager
+        client=test-db-encryption
 
     # Enclave logger test.
     run_test \

Cargo.toml

@@ -85,7 +85,9 @@ members = [
     "key-manager/api",
     "key-manager/common",
     "key-manager/client",
+    "key-manager/dummy/edl",
     "key-manager/dummy/enclave",
+    "key-manager/dummy/keygen",
     "key-manager/dummy/untrusted",
     "key-manager/node",
 ]

key-manager/common/src/lib.rs

@@ -158,3 +158,12 @@ impl ContractKey {
         }
     }
 }
+
+/// A set of keys for internal use by the dummy key manager.
+#[derive(Serialize, Deserialize)]
+pub struct DummyInternalKeys {
+    #[serde(with = "BigArray")]
+    pub keystore_encryption_key: StateKeyType,
+    /// Ed25519 keypair in PKCS8 format.
+    pub signing_key: Vec<u8>,
+}

key-manager/dummy/edl/Cargo.toml

@@ -0,0 +1,13 @@
+[package]
+name = "ekiden-keymanager-edl"
+version = "0.2.0-alpha"
+authors = ["Oasis Labs Inc. <[email protected]>"]
+edition = "2018"
+description = "EDL additions for the dummy key manager"
+keywords = ["ekiden"]
+repository = "https://github.com/oasislabs/ekiden"
+
+[dependencies]
+sgx_edl = { git = "https://github.com/oasislabs/rust-sgx-sdk", tag = "v1.0.5-ekiden1" }
+
+ekiden-edl = { path = "../../../core/edl" }

key-manager/dummy/edl/src/keymanager.edl

@@ -0,0 +1,12 @@
+enclave {
+    trusted {
+        /**
+         * Use the given internal keys, provided as a CBOR-serialized ekiden_keymanager_common::DummyInternalKeys
+         * structure.
+         */
+        public void set_internal_keys(
+            [in, size=internal_keys_length] uint8_t *internal_keys,
+            size_t internal_keys_length
+        );
+    };
+};

key-manager/dummy/edl/src/lib.rs

@@ -0,0 +1,10 @@
+extern crate sgx_edl;
+use sgx_edl::define_edl;
+
+extern crate ekiden_edl;
+
+define_edl! {
+    use ekiden_edl;
+
+    "keymanager.edl"
+}

key-manager/dummy/enclave/Cargo.toml

@@ -26,4 +26,4 @@ byteorder = "1"
 
 [build-dependencies]
 ekiden-tools = { path = "../../../tools", version = "0.2.0-alpha" }
-ekiden-edl = { path = "../../../core/edl", version = "0.2.0-alpha" }
+ekiden-keymanager-edl = { path = "../edl", version = "0.2.0-alpha" }

key-manager/dummy/enclave/build.rs

@@ -1,6 +1,6 @@
-extern crate ekiden_edl;
+extern crate ekiden_keymanager_edl;
 extern crate ekiden_tools;
 
 fn main() {
-    ekiden_tools::build_trusted(ekiden_edl::get_edls().unwrap());
+    ekiden_tools::build_trusted(ekiden_keymanager_edl::get_edls().unwrap());
 }

key-manager/dummy/enclave/src/key_store.rs

@@ -16,8 +16,19 @@ use ekiden_keymanager_common::{
 };
 use ekiden_trusted::db::{Database, DatabaseHandle};
 
+/// A dummy key for use in tests where confidentiality is not needed.
+const UNSECRET_ENCRYPTION_KEY: StateKeyType = [
+    119, 206, 190, 82, 117, 21, 62, 84, 119, 212, 117, 60, 32, 158, 183, 32, 68, 55, 131, 112, 38,
+    169, 217, 219, 58, 109, 194, 211, 89, 39, 198, 204, 254, 104, 202, 114, 203, 213, 89, 44, 192,
+    168, 42, 136, 220, 230, 66, 74, 197, 220, 22, 146, 84, 121, 175, 216, 144, 182, 40, 179, 6, 73,
+    177, 9,
+];
+
 /// Key store, which actually stores the key manager keys.
-pub struct KeyStore;
+pub struct KeyStore {
+    /// Dummy encryption key
+    encryption_key: StateKeyType,
+}
 
 lazy_static! {
     // Global key store object.
@@ -26,7 +37,9 @@ lazy_static! {
 
 impl KeyStore {
     fn new() -> Self {
-        let mut key_store = KeyStore;
+        let mut key_store = KeyStore {
+            encryption_key: UNSECRET_ENCRYPTION_KEY,
+        };
         // for testing purpose, insert a special key at address 0
         key_store
             .get_or_create_keys(ContractId::from_str(&"0".repeat(64)).unwrap())
@@ -83,11 +96,10 @@ impl KeyStore {
 
     /// Dummy encryption key
     pub fn encryption_key(&self) -> StateKeyType {
-        [
-            255, 135, 103, 97, 49, 33, 200, 139, 130, 186, 54, 177, 83, 2, 162, 146, 160, 234, 231,
-            218, 124, 160, 72, 113, 26, 177, 100, 40, 135, 129, 195, 50, 161, 220, 212, 120, 240,
-            163, 240, 23, 9, 74, 150, 87, 253, 60, 105, 170, 133, 134, 109, 248, 100, 43, 4, 19,
-            39, 25, 13, 138, 28, 49, 71, 49,
-        ]
+        self.encryption_key
+    }
+
+    pub fn set_encryption_key(&mut self, encryption_key: StateKeyType) {
+        self.encryption_key = encryption_key;
     }
 }

key-manager/dummy/enclave/src/lib.rs

@@ -5,6 +5,10 @@ extern crate lazy_static;
 extern crate protobuf;
 extern crate serde_cbor;
 extern crate sodalite;
+#[cfg(not(target_env = "sgx"))]
+use std::sync::Mutex;
+#[cfg(target_env = "sgx")]
+use std::sync::SgxMutex as Mutex;
 
 extern crate ekiden_core;
 extern crate ekiden_keymanager_api;
@@ -104,6 +108,20 @@ pub fn long_term_public_key(
     Ok(Some(response))
 }
 
+/// ECALL, see edl
+#[cfg(target_env = "sgx")]
+#[no_mangle]
+pub extern "C" fn set_internal_keys(internal_keys: *const u8, internal_keys_length: usize) {
+    let internal_keys_buf =
+        unsafe { std::slice::from_raw_parts(internal_keys, internal_keys_length) };
+    let internal_keys: ekiden_keymanager_common::DummyInternalKeys =
+        serde_cbor::from_slice(internal_keys_buf).unwrap();
+
+    key_store::KeyStore::get().set_encryption_key(internal_keys.keystore_encryption_key);
+
+    *(SIGNER_KEY_PKCS8.lock().unwrap()) = internal_keys.signing_key;
+}
+
 fn sign_public_key(public_key: PublicKeyType, timestamp: Option<u64>) -> Result<B512> {
     let signer = dummy_signer()?;
     let digest = public_key_digest(public_key, timestamp);
@@ -120,21 +138,28 @@ fn public_key_digest(public_key: PublicKeyType, timestamp: Option<u64>) -> H256
     hash::from_bytes(hash_data.as_slice())
 }
 
+/// A dummy key for use in tests where integrity is not needed.
+/// Public Key: 0x9d41a874b80e39a40c9644e964f0e4f967100c91654bfd7666435fe906af060f
+const UNSECRET_SIGNING_KEY_PKCS8: [u8; 85] = [
+    48, 83, 2, 1, 1, 48, 5, 6, 3, 43, 101, 112, 4, 34, 4, 32, 109, 124, 181, 54, 35, 91, 34, 238,
+    29, 127, 17, 115, 64, 41, 135, 165, 19, 211, 246, 106, 37, 136, 149, 157, 187, 145, 157, 192,
+    170, 25, 201, 141, 161, 35, 3, 33, 0, 157, 65, 168, 116, 184, 14, 57, 164, 12, 150, 68, 233,
+    100, 240, 228, 249, 103, 16, 12, 145, 101, 75, 253, 118, 102, 67, 95, 233, 6, 175, 6, 15,
+];
+
+lazy_static! {
+    // Global key store object.
+    static ref SIGNER_KEY_PKCS8: Mutex<Vec<u8>> = Mutex::new(UNSECRET_SIGNING_KEY_PKCS8.to_vec());
+}
+
 /// Returns a dummy signer used by the KeyManager to sign public keys.
-/// Public Key: 0x51d5e24342ae2c4a951e24a2ba45a68106bcb7986198817331889264fd10f1bf
 ///
 /// This should be replaced as part of the following issue:
 /// https://github.com/oasislabs/ekiden/issues/1291
 fn dummy_signer() -> Result<InMemorySigner> {
-    let pkc8s = [
-        48, 83, 2, 1, 1, 48, 5, 6, 3, 43, 101, 112, 4, 34, 4, 32, 255, 135, 103, 97, 49, 33, 200,
-        139, 130, 186, 54, 177, 83, 2, 162, 146, 160, 234, 231, 218, 124, 160, 72, 113, 26, 177,
-        100, 40, 135, 129, 195, 50, 161, 35, 3, 33, 0, 81, 213, 226, 67, 66, 174, 44, 74, 149, 30,
-        36, 162, 186, 69, 166, 129, 6, 188, 183, 152, 97, 152, 129, 115, 49, 136, 146, 100, 253,
-        16, 241, 191,
-    ];
-    let pkc8s_input = untrusted::Input::from(&pkc8s);
-    let keypair = signature::Ed25519KeyPair::from_pkcs8_maybe_unchecked(pkc8s_input)
+    let guard = SIGNER_KEY_PKCS8.lock().unwrap();
+    let pkcs8_input = untrusted::Input::from(guard.as_slice());
+    let keypair = signature::Ed25519KeyPair::from_pkcs8_maybe_unchecked(pkcs8_input)
         .expect("Should always derive a keypair from the given pkc8s");
 
     Ok(InMemorySigner::new(keypair))

key-manager/dummy/keygen/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "ekiden-keymanager-keygen"
+version = "0.2.0-alpha"
+authors = ["Oasis Labs Inc. <[email protected]>"]
+edition = "2018"
+description = "A tool for generating a set of internal keys used by the Ekiden dummy key manager"
+keywords = ["ekiden"]
+repository = "https://github.com/oasislabs/ekiden"
+
+[dependencies]
+protobuf = "~2.0"
+ring = { git = "https://github.com/oasislabs/ring", default-features = false, features = ["use_heap"], branch = "0.14.0-ekiden" }
+serde_cbor = { git = "https://github.com/oasislabs/cbor", tag = "v0.9.0-ekiden1" }
+untrusted = "0.6.2"
+
+ekiden-keymanager-api = { path = "../../api", version = "0.2.0-alpha" }
+ekiden-keymanager-common = { path = "../../common", version = "0.2.0-alpha" }

key-manager/dummy/keygen/src/main.rs

@@ -0,0 +1,34 @@
+extern crate ring;
+use ring::{rand::SecureRandom, signature::KeyPair};
+extern crate serde_cbor;
+extern crate untrusted;
+
+extern crate ekiden_keymanager_common;
+
+fn main() {
+    let rng = ring::rand::SystemRandom::new();
+
+    // Generate keystore encryption key.
+    let mut keystore_encryption_sym: ekiden_keymanager_common::StateKeyType = [0; 64];
+    rng.fill(&mut keystore_encryption_sym).unwrap();
+    println!("keystore encryption {:?}", &keystore_encryption_sym[..]);
+
+    // Generate signing key.
+    let signing_pkcs8_doc = ring::signature::Ed25519KeyPair::generate_pkcs8(&rng).unwrap();
+    println!("signing pkcs8 {:?}", signing_pkcs8_doc.as_ref());
+    let signing_pair = ring::signature::Ed25519KeyPair::from_pkcs8(untrusted::Input::from(
+        signing_pkcs8_doc.as_ref(),
+    ))
+    .unwrap();
+    let signing_public = signing_pair.public_key();
+    println!("signing public {:?}", signing_public.as_ref());
+
+    let keys = ekiden_keymanager_common::DummyInternalKeys {
+        keystore_encryption_key: keystore_encryption_sym,
+        signing_key: signing_pkcs8_doc.as_ref().to_owned(),
+    };
+    println!(
+        "serialized InternalKeys {:?}",
+        serde_cbor::to_vec(&keys).unwrap().as_slice()
+    );
+}

key-manager/dummy/untrusted/Cargo.toml

@@ -9,6 +9,7 @@ repository = "https://github.com/oasislabs/ekiden"
 [dependencies]
 ekiden-common = { path = "../../../common", version = "0.2.0-alpha" }
 ekiden-core = { path = "../../../core/common", version = "0.2.0-alpha" }
+ekiden-keymanager-api = { path = "../../api", version = "0.2.0-alpha" }
 ekiden-untrusted = { path = "../../../core/untrusted", version = "0.2.0-alpha" }
 ekiden-db-trusted = { path = "../../../db/trusted", version = "0.2.0-alpha" }
 ekiden-tools = { path = "../../../tools", version = "0.2.0-alpha" }