fix(teepot-vault): use ring as CryptoProvider for rustls

New `rustls` needs global install of default `CryptoProvider`.

Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
Harald Hoyer 2025-02-28 14:14:57 +01:00
parent 0a73ed5012
commit d6061c35a8
Signed by: harald
GPG key ID: F519A1143B3FBE32
6 changed files with 70 additions and 52 deletions


@ -48,7 +48,7 @@ pgp = "0.15"
pkcs8 = { version = "0.10" } pkcs8 = { version = "0.10" }
reqwest = { version = "0.12", features = ["json"] } reqwest = { version = "0.12", features = ["json"] }
rsa = { version = "0.9.6", features = ["sha2", "pem"] } rsa = { version = "0.9.6", features = ["sha2", "pem"] }
rustls = { version = "0.23.20" } rustls = { version = "0.23.20", default-features = false, features = ["std", "logging", "tls12", "ring"] }
secp256k1 = { version = "0.30", features = ["rand", "global-context"] } secp256k1 = { version = "0.30", features = ["rand", "global-context"] }
serde = { version = "1", features = ["derive", "rc"] } serde = { version = "1", features = ["derive", "rc"] }
serde_json = "1" serde_json = "1"
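Review bot: The `rustls` entry drops the default features without recording why, and disabling them here does not by itself keep a second crypto backend out of the build. Cargo unifies features across the workspace, so any other dependency that enables the rustls defaults would bring the default provider back; whether one does is not visible from this hunk. A short comment above the entry would help, for example `# ring is the only provider; each binary calls install_default() at startup`, and `cargo tree -e features -i rustls` shows which crates turn on which rustls features.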


@ -1,5 +1,5 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2024 Matter Labs // Copyright (c) 2023-2025 Matter Labs
//! Server to handle requests to the Vault TEE //! Server to handle requests to the Vault TEE
@ -9,26 +9,27 @@ mod command;
mod digest; mod digest;
mod sign; mod sign;
use actix_web::web::Data; use actix_web::{web, web::Data, App, HttpServer};
use actix_web::{web, App, HttpServer};
use anyhow::{Context, Result}; use anyhow::{Context, Result};
use clap::Parser; use clap::Parser;
use command::post_command; use command::post_command;
use digest::get_digest; use digest::get_digest;
use rustls::ServerConfig; use rustls::ServerConfig;
use sign::post_sign; use sign::post_sign;
use std::net::Ipv6Addr; use std::{net::Ipv6Addr, sync::Arc};
use std::sync::Arc; use teepot::{
use teepot::json::http::{SignRequest, VaultCommandRequest, DIGEST_URL}; json::http::{SignRequest, VaultCommandRequest, DIGEST_URL},
use teepot::server::attestation::{get_quote_and_collateral, VaultAttestationArgs}; server::{
use teepot::server::new_json_cfg; attestation::{get_quote_and_collateral, VaultAttestationArgs},
use teepot::server::pki::make_self_signed_cert; new_json_cfg,
use teepot::sgx::{parse_tcb_levels, EnumSet, TcbLevel}; pki::make_self_signed_cert,
},
sgx::{parse_tcb_levels, EnumSet, TcbLevel},
};
use tracing::{error, info}; use tracing::{error, info};
use tracing_actix_web::TracingLogger; use tracing_actix_web::TracingLogger;
use tracing_log::LogTracer; use tracing_log::LogTracer;
use tracing_subscriber::Registry; use tracing_subscriber::{fmt, prelude::*, EnvFilter, Registry};
use tracing_subscriber::{fmt, prelude::*, EnvFilter};
/// Server state /// Server state
pub struct ServerState { pub struct ServerState {
@ -70,6 +71,8 @@ async fn main() -> Result<()> {
// don't return for now, we can still serve requests but we won't be able to attest // don't return for now, we can still serve requests but we won't be able to attest
} }
let _ = rustls::crypto::ring::default_provider().install_default();
// init server config builder with safe defaults // init server config builder with safe defaults
let config = ServerConfig::builder() let config = ServerConfig::builder()
.with_no_client_auth() .with_no_client_auth()
@ -78,8 +81,6 @@ async fn main() -> Result<()> {
info!("Starting HTTPS server at port {}", args.port); info!("Starting HTTPS server at port {}", args.port);
info!("Quote verified! Connection secure!");
let server_state = Arc::new(ServerState { let server_state = Arc::new(ServerState {
report_data, report_data,
vault_attestation: args.attestation, vault_attestation: args.attestation,
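Review bot: The result of `install_default()` is discarded with `let _ =` in `main`, and the same line is added to the second server's `main` and to `TeeConnection::new` further down. If another crate in the process has already installed a different provider, TLS silently runs on that one instead of ring. An attested TEE service should know which crypto backend it uses, so either surface the failure, e.g. `if rustls::crypto::ring::default_provider().install_default().is_err() { error!("a rustls CryptoProvider was already installed; ring may not be the active provider"); }`, or pin the provider on the config with `ServerConfig::builder_with_provider(Arc::new(rustls::crypto::ring::default_provider()))` followed by `.with_safe_default_protocol_versions()?`. The second form (with `ClientConfig`) fits `TeeConnection::new` best, because a library constructor that touches process-global state on every call is surprising to the host application; this assumes nothing else in the verifier relies on the process default. `main` starts and ends outside the hunks shown.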


@ -1,5 +1,5 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2024 Matter Labs // Copyright (c) 2023-2025 Matter Labs
//! Server to initialize and unseal the Vault TEE. //! Server to initialize and unseal the Vault TEE.
@ -9,27 +9,33 @@
mod init; mod init;
mod unseal; mod unseal;
use actix_web::rt::time::sleep; use actix_web::{rt::time::sleep, web, web::Data, App, HttpServer};
use actix_web::web::Data;
use actix_web::{web, App, HttpServer};
use anyhow::{bail, Context, Result}; use anyhow::{bail, Context, Result};
use awc::Client; use awc::Client;
use clap::Parser; use clap::Parser;
use init::post_init; use init::post_init;
use rustls::ServerConfig; use rustls::ServerConfig;
use std::fmt::Debug; use std::{
use std::io::Read; fmt::Debug,
use std::net::Ipv6Addr; io::Read,
use std::path::PathBuf; net::Ipv6Addr,
use std::sync::{Arc, RwLock}; path::PathBuf,
use std::time::Duration; sync::{Arc, RwLock},
use teepot::client::{AttestationArgs, TeeConnection}; time::Duration,
use teepot::json::http::{Init, Unseal}; };
use teepot::json::secrets::AdminConfig; use teepot::{
use teepot::server::attestation::{get_quote_and_collateral, VaultAttestationArgs}; client::{AttestationArgs, TeeConnection},
use teepot::server::new_json_cfg; json::{
use teepot::server::pki::make_self_signed_cert; http::{Init, Unseal},
use teepot::sgx::{parse_tcb_levels, EnumSet, TcbLevel}; secrets::AdminConfig,
},
server::{
attestation::{get_quote_and_collateral, VaultAttestationArgs},
new_json_cfg,
pki::make_self_signed_cert,
},
sgx::{parse_tcb_levels, EnumSet, TcbLevel},
};
use tracing::{error, info}; use tracing::{error, info};
use tracing_log::LogTracer; use tracing_log::LogTracer;
use tracing_subscriber::{fmt, prelude::*, EnvFilter, Registry}; use tracing_subscriber::{fmt, prelude::*, EnvFilter, Registry};
@ -136,6 +142,8 @@ async fn main() -> Result<()> {
let (report_data, cert_chain, priv_key) = make_self_signed_cert("CN=localhost", None)?; let (report_data, cert_chain, priv_key) = make_self_signed_cert("CN=localhost", None)?;
let _ = rustls::crypto::ring::default_provider().install_default();
// init server config builder with safe defaults // init server config builder with safe defaults
let config = ServerConfig::builder() let config = ServerConfig::builder()
.with_no_client_auth() .with_no_client_auth()


@ -9,7 +9,7 @@
Verified signature for `81A312C59D679D930FA9E8B06D728F29A2DBABF8` Verified signature for `81A312C59D679D930FA9E8B06D728F29A2DBABF8`
RUST_LOG=info cargo run -p vault-admin -- \ RUST_LOG=info cargo run -p vault-admin -- \
send \ command \
--sgx-mrsigner c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d \ --sgx-mrsigner c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d \
--sgx-allowed-tcb-levels SwHardeningNeeded \ --sgx-allowed-tcb-levels SwHardeningNeeded \
--server https://127.0.0.1:8444 \ --server https://127.0.0.1:8444 \


@ -1,5 +1,5 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2024 Matter Labs // Copyright (c) 2023-2025 Matter Labs
use anyhow::{anyhow, bail, Context, Result}; use anyhow::{anyhow, bail, Context, Result};
use clap::{Args, Parser, Subcommand}; use clap::{Args, Parser, Subcommand};
@ -117,8 +117,6 @@ async fn main() -> Result<()> {
&args.log_level, &args.log_level,
)?)?; )?)?;
info!("Quote verified! Connection secure!");
match args.cmd { match args.cmd {
SubCommands::Command(args) => send_commands(args).await?, SubCommands::Command(args) => send_commands(args).await?,
SubCommands::SignTee(args) => send_sig_request(args).await?, SubCommands::SignTee(args) => send_sig_request(args).await?,


@ -1,5 +1,5 @@
// SPDX-License-Identifier: Apache-2.0 // SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2024 Matter Labs // Copyright (c) 2023-2025 Matter Labs
//! Helper functions for CLI clients to verify Intel SGX enclaves and other TEEs. //! Helper functions for CLI clients to verify Intel SGX enclaves and other TEEs.
@ -8,29 +8,36 @@
pub mod vault; pub mod vault;
pub use crate::quote::verify_quote_with_collateral; use crate::{
pub use crate::quote::QuoteVerificationResult; quote::Report,
use crate::quote::Report; server::pki::{RaTlsCollateralExtension, RaTlsQuoteExtension},
use crate::server::pki::{RaTlsCollateralExtension, RaTlsQuoteExtension}; sgx::Quote,
use crate::sgx::Quote; };
pub use crate::sgx::{parse_tcb_levels, sgx_ql_qv_result_t, EnumSet, TcbLevel}; pub use crate::{
quote::{verify_quote_with_collateral, QuoteVerificationResult},
sgx::{parse_tcb_levels, sgx_ql_qv_result_t, EnumSet, TcbLevel},
};
use actix_web::http::header; use actix_web::http::header;
use anyhow::Result; use anyhow::Result;
use awc::{Client, Connector}; use awc::{Client, Connector};
use clap::Args; use clap::Args;
use const_oid::AssociatedOid; use const_oid::AssociatedOid;
use intel_tee_quote_verification_rs::Collateral; use intel_tee_quote_verification_rs::Collateral;
use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerifier}; use rustls::{
use rustls::client::WebPkiServerVerifier; client::{
use rustls::pki_types::{CertificateDer, ServerName, UnixTime}; danger::{HandshakeSignatureValid, ServerCertVerifier},
use rustls::{ClientConfig, DigitallySignedStruct, Error, SignatureScheme}; WebPkiServerVerifier,
},
pki_types::{CertificateDer, ServerName, UnixTime},
ClientConfig, DigitallySignedStruct, Error, SignatureScheme,
};
use sha2::{Digest, Sha256}; use sha2::{Digest, Sha256};
use std::sync::Arc; use std::{sync::Arc, time, time::Duration};
use std::time;
use std::time::Duration;
use tracing::{debug, error, info, trace, warn}; use tracing::{debug, error, info, trace, warn};
use x509_cert::der::{Decode as _, Encode as _}; use x509_cert::{
use x509_cert::Certificate; der::{Decode as _, Encode as _},
Certificate,
};
/// Options and arguments needed to attest a TEE /// Options and arguments needed to attest a TEE
#[derive(Args, Debug, Clone)] #[derive(Args, Debug, Clone)]
@ -63,6 +70,8 @@ impl TeeConnection {
/// This will verify the attestation report and check that the enclave /// This will verify the attestation report and check that the enclave
/// is running the expected code. /// is running the expected code.
pub fn new(args: &AttestationArgs) -> Self { pub fn new(args: &AttestationArgs) -> Self {
let _ = rustls::crypto::ring::default_provider().install_default();
let tls_config = Arc::new( let tls_config = Arc::new(
ClientConfig::builder() ClientConfig::builder()
.dangerous() .dangerous()
@ -260,6 +269,8 @@ impl TeeConnection {
} }
} }
info!("Quote verified! Connection secure!");
Ok(rustls::client::danger::ServerCertVerified::assertion()) Ok(rustls::client::danger::ServerCertVerified::assertion())
} }