harald/teepot
1
0
Fork 0
mirror of https://github.com/matter-labs/teepot.git synced 2025-07-22 07:24:48 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore: split-out vault code from teepot in teepot-vault

Browse source 
Signed-off-by: Harald Hoyer <harald@matterlabs.dev>
This commit is contained in:
Harald Hoyer 2025-02-18 13:37:34 +01:00
parent 63c16b1177
commit f8bd9e6a08
Signed by: harald
GPG key ID: F519A1143B3FBE32
61 changed files with 450 additions and 308 deletions
Download patch file Download diff file Expand all files Collapse all files

309
crates/teepot-vault/src/client/mod.rs Normal file
View file

@ -0,0 +1,309 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2024 Matter Labs
//! Helper functions for CLI clients to verify Intel SGX enclaves and other TEEs.
#![deny(missing_docs)]
#![deny(clippy::all)]
pub mod vault;
use crate::server::pki::{RaTlsCollateralExtension, RaTlsQuoteExtension};
use actix_web::http::header;
use anyhow::Result;
use awc::{Client, Connector};
use clap::Args;
use const_oid::AssociatedOid;
use intel_tee_quote_verification_rs::Collateral;
use rustls::{
client::{
danger::{HandshakeSignatureValid, ServerCertVerifier},
WebPkiServerVerifier,
},
pki_types::{CertificateDer, ServerName, UnixTime},
ClientConfig, DigitallySignedStruct, Error, SignatureScheme,
};
use sha2::{Digest, Sha256};
use std::{sync::Arc, time, time::Duration};
use teepot::{quote::Report, sgx::Quote};
pub use teepot::{
quote::{verify_quote_with_collateral, QuoteVerificationResult},
sgx::{parse_tcb_levels, sgx_ql_qv_result_t, EnumSet, TcbLevel},
};
use tracing::{debug, error, info, trace, warn};
use x509_cert::{
der::{Decode as _, Encode as _},
Certificate,
};
/// Options and arguments needed to attest a TEE
#[derive(Args, Debug, Clone)]
pub struct AttestationArgs {
/// hex encoded SGX mrsigner of the enclave to attest
#[arg(long)]
pub sgx_mrsigner: Option<String>,
/// hex encoded SGX mrenclave of the enclave to attest
#[arg(long)]
pub sgx_mrenclave: Option<String>,
/// URL of the server
#[arg(long, required = true)]
pub server: String,
/// allowed TCB levels, comma separated:
/// Ok, ConfigNeeded, ConfigAndSwHardeningNeeded, SwHardeningNeeded, OutOfDate, OutOfDateConfigNeeded
#[arg(long, value_parser = parse_tcb_levels)]
pub sgx_allowed_tcb_levels: Option<EnumSet<TcbLevel>>,
}
/// A connection to a TEE, which implements the `teepot` attestation API
pub struct TeeConnection {
/// Options and arguments needed to attest a TEE
server: String,
client: Client,
}
impl TeeConnection {
/// Create a new connection to a TEE
///
/// This will verify the attestation report and check that the enclave
/// is running the expected code.
pub fn new(args: &AttestationArgs) -> Self {
let _ = rustls::crypto::ring::default_provider().install_default();
let tls_config = Arc::new(
ClientConfig::builder()
.dangerous()
.with_custom_certificate_verifier(Arc::new(Self::make_verifier(args.clone())))
.with_no_client_auth(),
);
let agent = Client::builder()
.add_default_header((header::USER_AGENT, "teepot/1.0"))
// a "connector" wraps the stream into an encrypted connection
.connector(Connector::new().rustls_0_23(tls_config))
.timeout(Duration::from_secs(12000))
.finish();
Self {
server: args.server.clone(),
client: agent,
}
}
/// Create a new connection to a TEE
///
/// # Safety
/// This function is unsafe, because it does not verify the attestation report.
pub unsafe fn new_from_client_without_attestation(server: String, client: Client) -> Self {
Self { server, client }
}
/// Get a reference to the agent, which can be used to make requests to the TEE
///
/// Note, that it will refuse to connect to any other TLS server than the one
/// specified in the `AttestationArgs` of the `Self::new` function.
pub fn client(&self) -> &Client {
&self.client
}
/// Get a reference to the server URL
pub fn server(&self) -> &str {
&self.server
}
/// Save the hash of the public server key to `REPORT_DATA` to check
/// the attestations against it and it does not change on reconnect.
pub fn make_verifier(args: AttestationArgs) -> impl ServerCertVerifier {
#[derive(Debug)]
struct V {
args: AttestationArgs,
server_verifier: Arc<WebPkiServerVerifier>,
}
impl ServerCertVerifier for V {
fn verify_server_cert(
&self,
end_entity: &CertificateDer,
_intermediates: &[CertificateDer],
_server_name: &ServerName,
_ocsp_response: &[u8],
_now: UnixTime,
) -> Result<rustls::client::danger::ServerCertVerified, rustls::Error> {
let cert = Certificate::from_der(end_entity.as_ref())
.map_err(|e| Error::General(format!("Failed get certificate {e:?}")))?;
let pub_key = cert
.tbs_certificate
.subject_public_key_info
.to_der()
.unwrap();
let hash = Sha256::digest(pub_key);
let exts = cert
.tbs_certificate
.extensions
.ok_or_else(|| Error::General("Failed get quote in certificate".into()))?;
trace!("Get quote bytes!");
let quote_bytes = exts
.iter()
.find(|ext| ext.extn_id == RaTlsQuoteExtension::OID)
.ok_or_else(|| Error::General("Failed get quote in certificate".into()))?
.extn_value
.as_bytes();
trace!("Get collateral bytes!");
let collateral = exts
.iter()
.find(|ext| ext.extn_id == RaTlsCollateralExtension::OID)
.and_then(|ext| {
serde_json::from_slice::<Collateral>(ext.extn_value.as_bytes())
.map_err(|e| {
debug!("Failed to get collateral in certificate {e:?}");
trace!(
"Failed to get collateral in certificate {:?}",
String::from_utf8_lossy(ext.extn_value.as_bytes())
);
})
.ok()
});
if collateral.is_none() {
debug!("Failed to get collateral in certificate");
}
let quote = Quote::try_from_bytes(quote_bytes).map_err(|e| {
Error::General(format!("Failed get quote in certificate {e:?}"))
})?;
if &quote.report_body.reportdata[..32] != hash.as_slice() {
error!("Report data mismatch");
return Err(Error::General("Report data mismatch".to_string()));
} else {
info!(
"Report data matches `{}`",
hex::encode(&quote.report_body.reportdata[..32])
);
}
let current_time: i64 = time::SystemTime::now()
.duration_since(time::UNIX_EPOCH)
.unwrap()
.as_secs() as _;
let QuoteVerificationResult {
collateral_expired,
result,
quote,
advisories,
earliest_expiration_date,
..
} = verify_quote_with_collateral(quote_bytes, collateral.as_ref(), current_time)
.unwrap();
let Report::SgxEnclave(report_body) = quote.report else {
return Err(Error::General("TDX quote and not SGX quote".into()));
};
if collateral_expired || result != sgx_ql_qv_result_t::SGX_QL_QV_RESULT_OK {
if collateral_expired {
error!(
"Collateral is out of date! Expired {}",
earliest_expiration_date
);
return Err(Error::General(format!(
"Collateral is out of date! Expired {}",
earliest_expiration_date
)));
}
let tcblevel = TcbLevel::from(result);
if self
.args
.sgx_allowed_tcb_levels
.map_or(true, |levels| !levels.contains(tcblevel))
{
error!("Quote verification result: {}", tcblevel);
return Err(Error::General(format!(
"Quote verification result: {}",
tcblevel
)));
}
info!("TcbLevel is allowed: {}", tcblevel);
}
for advisory in advisories {
warn!("Info: Advisory ID: {advisory}");
}
if let Some(mrsigner) = &self.args.sgx_mrsigner {
let mrsigner_bytes = hex::decode(mrsigner)
.map_err(|e| Error::General(format!("Failed to decode mrsigner: {}", e)))?;
if report_body.mr_signer[..] != mrsigner_bytes {
return Err(Error::General(format!(
"mrsigner mismatch: got {}, expected {}",
hex::encode(report_body.mr_signer),
&mrsigner
)));
} else {
info!("mrsigner `{mrsigner}` matches");
}
}
if let Some(mrenclave) = &self.args.sgx_mrenclave {
let mrenclave_bytes = hex::decode(mrenclave).map_err(|e| {
Error::General(format!("Failed to decode mrenclave: {}", e))
})?;
if report_body.mr_enclave[..] != mrenclave_bytes {
return Err(Error::General(format!(
"mrenclave mismatch: got {}, expected {}",
hex::encode(report_body.mr_enclave),
&mrenclave
)));
} else {
info!("mrenclave `{mrenclave}` matches");
}
}
info!("Quote verified! Connection secure!");
Ok(rustls::client::danger::ServerCertVerified::assertion())
}
fn verify_tls12_signature(
&self,
message: &[u8],
cert: &CertificateDer<'_>,
dss: &DigitallySignedStruct,
) -> std::result::Result<HandshakeSignatureValid, Error> {
self.server_verifier
.verify_tls12_signature(message, cert, dss)
}
fn verify_tls13_signature(
&self,
message: &[u8],
cert: &CertificateDer<'_>,
dss: &DigitallySignedStruct,
) -> std::result::Result<HandshakeSignatureValid, Error> {
self.server_verifier
.verify_tls13_signature(message, cert, dss)
}
fn supported_verify_schemes(&self) -> Vec<SignatureScheme> {
self.server_verifier.supported_verify_schemes()
}
}
let mut root_store = rustls::RootCertStore::empty();
root_store.extend(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
let server_verifier = WebPkiServerVerifier::builder(Arc::new(root_store))
.build()
.unwrap();
V {
args,
server_verifier,
}
}
}

376
crates/teepot-vault/src/client/vault.rs Normal file
View file

@ -0,0 +1,376 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2025 Matter Labs
//! Helper functions for CLI clients to verify Intel SGX enclaves and other TEEs.
#![deny(missing_docs)]
#![deny(clippy::all)]
use super::{AttestationArgs, TeeConnection};
use crate::{
json::http::{AuthRequest, AuthResponse},
server::{pki::make_self_signed_cert, AnyHowResponseError, HttpResponseError, Status},
};
use actix_http::error::PayloadError;
use actix_web::{http::header, ResponseError};
use anyhow::{anyhow, bail, Context, Result};
use awc::{
error::{SendRequestError, StatusCode},
Client, ClientResponse, Connector,
};
use bytes::Bytes;
use futures_core::Stream;
use intel_tee_quote_verification_rs::tee_qv_get_collateral;
use rustls::ClientConfig;
use serde_json::{json, Value};
use std::{
fmt::{Display, Formatter},
sync::Arc,
time,
};
use teepot::quote::error::QuoteContext;
pub use teepot::{
quote::{verify_quote_with_collateral, QuoteVerificationResult},
sgx::{
parse_tcb_levels, sgx_gramine_get_quote, sgx_ql_qv_result_t, Collateral, EnumSet, TcbLevel,
},
};
use tracing::{debug, error, info, trace};
const VAULT_TOKEN_HEADER: &str = "X-Vault-Token";
/// Error returned when sending a request to Vault
#[derive(Debug, thiserror::Error)]
pub enum VaultSendError {
/// Error sending the request
SendRequest(String),
/// Error returned by the Vault API
#[error(transparent)]
Vault(#[from] HttpResponseError),
}
impl Display for VaultSendError {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
match self {
VaultSendError::SendRequest(e) => write!(f, "VaultSendError: {}", e),
VaultSendError::Vault(e) => write!(f, "VaultSendError: {}", e),
}
}
}
const _: () = {
fn assert_send<T: Send>() {}
let _ = assert_send::<VaultSendError>;
};
impl From<VaultSendError> for HttpResponseError {
fn from(value: VaultSendError) -> Self {
match value {
VaultSendError::SendRequest(e) => HttpResponseError::Anyhow(AnyHowResponseError {
status_code: StatusCode::BAD_GATEWAY,
error: anyhow!(e),
}),
VaultSendError::Vault(e) => e,
}
}
}
/// A connection to a Vault TEE, which implements the `teepot` attestation API
/// called by a TEE itself. This authenticates the TEE to Vault and gets a token,
/// which can be used to access the Vault API.
pub struct VaultConnection {
/// Options and arguments needed to attest Vault
pub conn: TeeConnection,
key_hash: [u8; 64],
client_token: String,
name: String,
}
impl VaultConnection {
/// Create a new connection to Vault
///
/// This will verify the attestation report and check that the enclave
/// is running the expected code.
pub async fn new(args: &AttestationArgs, name: String) -> Result<Self> {
let (key_hash, rustls_certificate, rustls_pk) =
make_self_signed_cert("CN=localhost", None)?;
let tls_config = Arc::new(
ClientConfig::builder()
.dangerous()
.with_custom_certificate_verifier(Arc::new(TeeConnection::make_verifier(
args.clone(),
)))
.with_client_auth_cert(vec![rustls_certificate], rustls_pk)?,
);
let client = Client::builder()
.add_default_header((header::USER_AGENT, "teepot/1.0"))
// a "connector" wraps the stream into an encrypted connection
.connector(Connector::new().rustls_0_23(tls_config))
.timeout(time::Duration::from_secs(12000))
.finish();
let mut this = Self {
name,
key_hash,
conn: unsafe {
TeeConnection::new_from_client_without_attestation(args.server.clone(), client)
},
client_token: Default::default(),
};
this.client_token = this.auth().await?.auth.client_token;
trace!("Got Token: {:#?}", &this.client_token);
Ok(this)
}
/// create a new [`VaultConnection`] to Vault from an existing connection
///
/// # Safety
/// This function is unsafe, because it does not verify the attestation report.
pub unsafe fn new_from_client_without_attestation(
server: String,
client: Client,
name: String,
client_token: String,
) -> Self {
Self {
name,
client_token,
conn: unsafe { TeeConnection::new_from_client_without_attestation(server, client) },
key_hash: [0u8; 64],
}
}
/// Get a reference to the agent, which can be used to make requests to the TEE
///
/// Note, that it will refuse to connect to any other TLS server than the one
/// specified in the `AttestationArgs` of the `Self::new` function.
pub fn agent(&self) -> &Client {
self.conn.client()
}
async fn auth(&self) -> Result<AuthResponse> {
info!("Getting attestation report");
let attestation_url = AuthRequest::URL;
let quote = sgx_gramine_get_quote(&self.key_hash).context("Failed to get own quote")?;
let collateral = tee_qv_get_collateral(&quote).context("Failed to get own collateral")?;
let auth_req = AuthRequest {
name: self.name.clone(),
tee_type: "sgx".to_string(),
quote,
collateral: serde_json::to_string(&collateral)?,
challenge: None,
};
let mut response = self
.agent()
.post(&format!(
"{server}{attestation_url}",
server = self.conn.server,
))
.send_json(&auth_req)
.await
.map_err(|e| anyhow!("Error sending attestation request: {}", e))?;
let status_code = response.status();
if !status_code.is_success() {
error!("Failed to login to vault: {}", status_code);
if let Ok(r) = response.json::<Value>().await {
eprintln!("Failed to login to vault: {}", r);
}
bail!("failed to login to vault: {}", status_code);
}
let auth_response: Value = response.json().await.context("failed to login to vault")?;
trace!(
"Got AuthResponse: {:?}",
serde_json::to_string(&auth_response)
);
let auth_response: AuthResponse =
serde_json::from_value(auth_response).context("Failed to parse AuthResponse")?;
trace!("Got AuthResponse: {:#?}", &auth_response);
Ok(auth_response)
}
/// Send a put request to the vault
pub async fn vault_put(
&self,
action: &str,
url: &str,
json: &Value,
) -> std::result::Result<(StatusCode, Option<Value>), VaultSendError> {
let full_url = format!("{}{url}", self.conn.server);
info!("{action} via put {full_url}");
debug!(
"sending json: {:?}",
serde_json::to_string(json).unwrap_or_default()
);
let res = self
.agent()
.put(full_url)
.insert_header((VAULT_TOKEN_HEADER, self.client_token.clone()))
.send_json(json)
.await;
Self::handle_client_response(action, res).await
}
/// Send a get request to the vault
pub async fn vault_get(
&self,
action: &str,
url: &str,
) -> std::result::Result<(StatusCode, Option<Value>), VaultSendError> {
let full_url = format!("{}{url}", self.conn.server);
info!("{action} via get {full_url}");
let res = self
.agent()
.get(full_url)
.insert_header((VAULT_TOKEN_HEADER, self.client_token.clone()))
.send()
.await;
Self::handle_client_response(action, res).await
}
async fn handle_client_response<S>(
action: &str,
res: std::result::Result<ClientResponse<S>, SendRequestError>,
) -> std::result::Result<(StatusCode, Option<Value>), VaultSendError>
where
S: Stream<Item = Result<Bytes, PayloadError>>,
{
match res {
Ok(mut r) => {
let status_code = r.status();
if status_code.is_success() {
let msg = r.json().await.ok();
debug!(
"{action}: status code: {status_code} {:?}",
serde_json::to_string(&msg)
);
Ok((status_code, msg))
} else {
let err = HttpResponseError::from_proxy(r).await;
error!("{action}: {err:?}");
Err(err.into())
}
}
Err(e) => {
error!("{}: {}", action, e);
Err(VaultSendError::SendRequest(e.to_string()))
}
}
}
/// Revoke the token
pub async fn revoke_token(&self) -> std::result::Result<(), VaultSendError> {
self.vault_put(
"Revoke the token",
"/v1/auth/token/revoke-self",
&Value::default(),
)
.await?;
Ok(())
}
fn check_rel_path(rel_path: &str) -> Result<(), HttpResponseError> {
if !rel_path.is_ascii() {
return Err(anyhow!("path is not ascii")).status(StatusCode::BAD_REQUEST);
}
// check if rel_path is alphanumeric
if !rel_path
.chars()
.all(|c| c.is_alphanumeric() || c == '_' || c == '/')
{
return Err(anyhow!("path is not alphanumeric")).status(StatusCode::BAD_REQUEST);
}
Ok(())
}
/// set a secret in the vault
pub async fn store_secret<'de, T: serde::Serialize>(
&self,
val: T,
rel_path: &str,
) -> Result<(), HttpResponseError> {
self.store_secret_for_tee(&self.name, val, rel_path).await
}
/// set a secret in the vault for a different TEE
pub async fn store_secret_for_tee<'de, T: serde::Serialize>(
&self,
tee_name: &str,
val: T,
rel_path: &str,
) -> Result<(), HttpResponseError> {
Self::check_rel_path(rel_path)?;
let value = serde_json::to_value(val)
.context("converting value to json")
.status(StatusCode::INTERNAL_SERVER_ERROR)?;
let value = json!({ "data" : { "_" : value } });
self.vault_put(
"Setting secret",
&format!("/v1/secret/data/tee/{}/{}", tee_name, rel_path),
&value,
)
.await?;
Ok(())
}
/// get a secret from the vault
pub async fn load_secret<'de, T: serde::de::DeserializeOwned>(
&self,
rel_path: &str,
) -> Result<Option<T>, HttpResponseError> {
self.load_secret_for_tee(&self.name, rel_path).await
}
/// get a secret from the vault for a specific TEE
pub async fn load_secret_for_tee<'de, T: serde::de::DeserializeOwned>(
&self,
tee_name: &str,
rel_path: &str,
) -> Result<Option<T>, HttpResponseError> {
Self::check_rel_path(rel_path)?;
let v = self
.vault_get(
"Getting secret",
&format!("/v1/secret/data/tee/{}/{}", tee_name, rel_path),
)
.await
.or_else(|e| match e {
VaultSendError::Vault(ref se) => {
if se.status_code() == StatusCode::NOT_FOUND {
debug!("Secret not found: {}", rel_path);
Ok((StatusCode::OK, None))
} else {
Err(e)
}
}
VaultSendError::SendRequest(_) => Err(e),
})?
.1
.as_ref()
.and_then(|v| v.get("data"))
.and_then(|v| v.get("data"))
.and_then(|v| v.get("_"))
.and_then(|v| serde_json::from_value(v.clone()).transpose())
.transpose()
.context("Error getting value from vault")
.status(StatusCode::INTERNAL_SERVER_ERROR)?
.flatten();
Ok(v)
}
}

265
crates/teepot-vault/src/json/http.rs Normal file
View file

@ -0,0 +1,265 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2025 Matter Labs
//! Common types for the teepot http JSON API
use serde::{Deserialize, Serialize};
use serde_json::Value;
use serde_with::{base64::Base64, serde_as};
use std::fmt::Display;
/// The unseal request data
#[derive(Debug, Serialize, Deserialize)]
pub struct Unseal {
/// The unseal key
pub key: String,
}
impl Unseal {
/// The unseal URL
pub const URL: &'static str = "/v1/sys/unseal";
}
/// The init request data
#[serde_as]
#[derive(Debug, Serialize, Deserialize)]
pub struct Init {
/// PGP keys to encrypt the unseal keys with
pub pgp_keys: Vec<String>,
/// number of secret shares
pub secret_shares: usize,
/// secret threshold
pub secret_threshold: usize,
/// PGP keys to sign commands for the admin tee
#[serde_as(as = "Box<[Base64]>")]
pub admin_pgp_keys: Box<[Box<[u8]>]>,
/// admin threshold
pub admin_threshold: usize,
/// admin TEE mrenclave
pub admin_tee_mrenclave: String,
}
impl Init {
/// The init URL
pub const URL: &'static str = "/v1/sys/init";
}
/// The init request data
#[derive(Debug, Serialize, Deserialize)]
pub struct VaultInitRequest {
/// PGP keys to encrypt the unseal keys with
pub pgp_keys: Vec<String>,
/// number of secret shares
pub secret_shares: usize,
/// secret threshold
pub secret_threshold: usize,
}
/// The init response data
#[derive(Debug, Serialize, Deserialize)]
pub struct InitResponse {
/// The unseal keys (gpg encrypted)
pub unseal_keys: Vec<String>,
}
/// The Vault TEE auth request data
#[serde_as]
#[derive(Debug, Serialize, Deserialize)]
pub struct AuthRequest {
/// The name of the TEE
pub name: String,
/// The type of the TEE
#[serde(rename = "type")]
pub tee_type: String,
/// The attestation report data base64 encoded
#[serde_as(as = "Base64")]
pub quote: Box<[u8]>,
/// The attestation collateral json encoded
pub collateral: String,
/// The vault attestation challenge (hex encoded)
#[serde_as(as = "Option<serde_with::hex::Hex>")]
#[serde(skip_serializing_if = "Option::is_none", default = "Option::default")]
pub challenge: Option<[u8; 32]>,
}
impl AuthRequest {
/// The auth URL
pub const URL: &'static str = "/v1/auth/tee/login";
}
/// Vault auth metadata
#[derive(Debug, Default, Serialize, Deserialize)]
pub struct AuthMetadataField {
collateral_expiration_date: String,
tee_name: String,
}
/// Vault auth data
#[serde_as]
#[derive(Debug, Default, Serialize, Deserialize)]
pub struct AuthDataField {
/// The attestation report data base64 encoded
#[serde_as(as = "Base64")]
#[serde(default)]
pub quote: Box<[u8]>,
/// The attestation collateral json encoded
#[serde(default)]
pub collateral: String,
}
/// Vault auth
#[derive(Debug, Default, Serialize, Deserialize)]
pub struct AuthField {
/// if the auth token is renewable
pub renewable: bool,
/// the lease duration of the auth token
pub lease_duration: isize,
/// the policies of the auth token
pub policies: Vec<String>,
/// the accessor of the auth token
pub accessor: String,
/// the client token
pub client_token: String,
/// additional metadata
pub metadata: AuthMetadataField,
}
/// The Vault TEE auth response data
#[derive(Debug, Default, Serialize, Deserialize)]
pub struct AuthResponse {
/// vault auth
pub auth: AuthField,
/// vault auth data
pub data: AuthDataField,
}
/// One command datum
#[derive(Debug, Serialize, Deserialize, PartialEq)]
pub struct VaultCommand {
/// The command to execute
pub url: String,
/// The command to execute
pub data: Value,
}
impl Display for VaultCommand {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
if f.alternate() {
f.write_str(
serde_json::to_string_pretty(self)
.unwrap_or("{}".into())
.as_str(),
)
} else {
f.write_str(serde_json::to_string(self).unwrap_or("{}".into()).as_str())
}
}
}
/// Multiple command data
#[derive(Debug, Serialize, Deserialize, PartialEq)]
pub struct VaultCommands {
/// The sha-256 hash of the last command hex encoded
pub last_digest: String,
/// The actual commands
pub commands: Vec<VaultCommand>,
}
/// The command request data
#[derive(Debug, Serialize, Deserialize)]
pub struct VaultCommandRequest {
/// The commands to execute
///
/// The commands are json serialized `VaultCommands`,
/// because they are signed with multiple signatures.
///
/// The commands are executed in order.
pub commands: String,
/// The signatures of the commands
pub signatures: Vec<String>,
}
impl VaultCommandRequest {
/// The command request URL
pub const URL: &'static str = "/v1/command";
}
/// The command response
#[derive(Debug, Serialize, Deserialize)]
pub struct VaultCommandResponse {
/// The status code
pub status_code: u16,
/// The response body
pub value: Option<Value>,
}
/// The command response
#[derive(Debug, Serialize, Deserialize)]
pub struct VaultCommandsResponse {
/// The stored digest for the execution
pub digest: String,
/// The results of the individual commands
pub results: Vec<VaultCommandResponse>,
}
impl Display for VaultCommandResponse {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
if f.alternate() {
f.write_str(
serde_json::to_string_pretty(self)
.unwrap_or("{}".into())
.as_str(),
)
} else {
f.write_str(serde_json::to_string(self).unwrap_or("{}".into()).as_str())
}
}
}
/// The command request URL
pub const DIGEST_URL: &str = "/v1/digest";
/// The signing request
#[derive(Debug, Serialize, Deserialize)]
pub struct SignRequest {
/// json serialized `SignRequestData`, because it is signed with multiple signatures.
pub sign_request_data: String,
/// The signatures of the SignRequestData
pub signatures: Vec<String>,
}
impl SignRequest {
/// The sign request URL
pub const URL: &'static str = "/v1/sign";
}
/// The signing request data
#[serde_as]
#[derive(Debug, Default, Serialize, Deserialize)]
pub struct SignRequestData {
/// The sha-256 hash of the last command hex encoded
pub last_digest: String,
/// The name of the TEE
pub tee_name: String,
/// The type of the TEE
#[serde(rename = "type")]
pub tee_type: String,
/// The TEE security version number
pub tee_svn: u16,
/// The data to be signed.
///
/// In case of `tee_type == "sgx"`, it's the SGX Sigstruct Body
#[serde_as(as = "Base64")]
pub data: Vec<u8>,
}
/// The signing request
#[derive(Debug, Serialize, Deserialize)]
pub struct SignResponse {
/// The stored digest for the execution
pub digest: String,
/// The signed data for the tee.
///
/// In case of `tee_type == "sgx"`, it's the SGX Sigstruct
pub signed_data: Vec<u8>,
}

10
crates/teepot-vault/src/json/mod.rs Normal file
View file

@ -0,0 +1,10 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023 Matter Labs
//! Common types for the teepot JSON API
#![deny(missing_docs)]
#![deny(clippy::all)]
pub mod http;
pub mod secrets;

34
crates/teepot-vault/src/json/secrets.rs Normal file
View file

@ -0,0 +1,34 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2025 Matter Labs
//! Common types for the teepot secrets JSON API
use serde::{Deserialize, Serialize};
use serde_with::base64::Base64;
use serde_with::serde_as;
use teepot::sgx::sign::Zeroizing;
/// Configuration for the admin tee
#[serde_as]
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct AdminConfig {
/// PGP keys to sign commands for the admin tee
#[serde_as(as = "Box<[Base64]>")]
pub admin_pgp_keys: Box<[Box<[u8]>]>,
/// admin threshold
pub admin_threshold: usize,
}
/// Configuration for the admin tee
#[derive(Debug, Default, Clone, Serialize, Deserialize)]
pub struct AdminState {
/// last digest of executed commands
pub last_digest: String,
}
/// Configuration for the admin tee
#[derive(Debug, Default, Clone, Serialize, Deserialize)]
pub struct SGXSigningKey {
/// private key in PEM format
pub pem_pk: Zeroizing<String>,
}

24
crates/teepot-vault/src/lib.rs Normal file
View file

@ -0,0 +1,24 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2025 Matter Labs
//! Helper functions to verify Intel SGX enclaves and other TEEs.
#![deny(missing_docs)]
#![deny(clippy::all)]
pub mod client;
pub mod json;
pub mod server;
pub mod tdx;
/// pad a byte slice to a fixed sized array
pub fn pad<const T: usize>(input: &[u8]) -> [u8; T] {
let mut output = [0; T];
let len = input.len();
if len > T {
output.copy_from_slice(&input[..T]);
} else {
output[..len].copy_from_slice(input);
}
output
}

56
crates/teepot-vault/src/server/attestation.rs Normal file
View file

@ -0,0 +1,56 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2025 Matter Labs
//! Common attestation API for all TEEs
use crate::client::AttestationArgs;
use clap::Args;
use serde::{Deserialize, Serialize};
pub use teepot::{
quote::{
attestation::get_quote_and_collateral, error::QuoteContext, get_quote,
verify_quote_with_collateral, QuoteVerificationResult,
},
sgx::{parse_tcb_levels, Collateral, EnumSet, TcbLevel},
};
/// Options and arguments needed to attest a TEE
#[derive(Args, Debug, Clone, Serialize, Deserialize, Default)]
pub struct VaultAttestationArgs {
/// hex encoded SGX mrsigner of the enclave to attest
#[arg(long, env = "VAULT_SGX_MRSIGNER")]
pub vault_sgx_mrsigner: Option<String>,
/// hex encoded SGX mrenclave of the enclave to attest
#[arg(long, env = "VAULT_SGX_MRENCLAVE")]
pub vault_sgx_mrenclave: Option<String>,
/// URL of the server
#[arg(long, required = true, env = "VAULT_ADDR")]
pub vault_addr: String,
/// allowed TCB levels, comma separated:
/// Ok, ConfigNeeded, ConfigAndSwHardeningNeeded, SwHardeningNeeded, OutOfDate, OutOfDateConfigNeeded
#[arg(long, value_parser = parse_tcb_levels, env = "VAULT_SGX_ALLOWED_TCB_LEVELS")]
pub vault_sgx_allowed_tcb_levels: Option<EnumSet<TcbLevel>>,
}
impl From<VaultAttestationArgs> for AttestationArgs {
fn from(value: VaultAttestationArgs) -> Self {
AttestationArgs {
sgx_mrsigner: value.vault_sgx_mrsigner,
sgx_mrenclave: value.vault_sgx_mrenclave,
server: value.vault_addr,
sgx_allowed_tcb_levels: value.vault_sgx_allowed_tcb_levels,
}
}
}
impl From<&VaultAttestationArgs> for AttestationArgs {
fn from(value: &VaultAttestationArgs) -> Self {
AttestationArgs {
sgx_mrsigner: value.vault_sgx_mrsigner.clone(),
sgx_mrenclave: value.vault_sgx_mrenclave.clone(),
server: value.vault_addr.clone(),
sgx_allowed_tcb_levels: value.vault_sgx_allowed_tcb_levels,
}
}
}

188
crates/teepot-vault/src/server/mod.rs Normal file
View file

@ -0,0 +1,188 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2025 Matter Labs
//! # tee-server
#![deny(missing_docs)]
#![deny(clippy::all)]
pub mod attestation;
pub mod signatures;
use actix_web::{
error, http::StatusCode, web::Bytes, HttpMessage, HttpRequest, HttpResponse, ResponseError,
};
use anyhow::anyhow;
use awc::{
error::{PayloadError, SendRequestError},
ClientResponse,
};
use futures_core::Stream;
use std::fmt::{Debug, Display, Formatter};
pub use teepot::pki;
use tracing::error;
/// Anyhow error with an HTTP status code
pub struct AnyHowResponseError {
/// error message
pub error: anyhow::Error,
/// HTTP status code
pub status_code: StatusCode,
}
/// Proxy response error
pub struct ProxyResponseError {
/// HTTP status code
pub status_code: StatusCode,
/// HTTP body
pub body: Option<Bytes>,
/// HTTP content type
pub content_type: String,
}
/// custom HTTP response error
pub enum HttpResponseError {
/// Anyhow error
Anyhow(AnyHowResponseError),
/// Proxy error
Proxy(ProxyResponseError),
}
impl std::error::Error for HttpResponseError {}
/// Attach an HTTP status code to an anyhow error turning it into an HttpResponseError
pub trait Status {
/// The Ok type
type Ok;
/// Attach an HTTP status code to an anyhow error turning it into an HttpResponseError
fn status(self, status: StatusCode) -> Result<Self::Ok, HttpResponseError>;
}
impl<T> Status for Result<T, anyhow::Error> {
type Ok = T;
fn status(self, status: StatusCode) -> Result<T, HttpResponseError> {
match self {
Ok(value) => Ok(value),
Err(error) => Err(HttpResponseError::new(error, status)),
}
}
}
impl HttpResponseError {
fn new(error: anyhow::Error, status_code: StatusCode) -> Self {
Self::Anyhow(AnyHowResponseError { error, status_code })
}
/// Create a new HTTP response error from a proxy response
pub async fn from_proxy<S>(mut response: ClientResponse<S>) -> Self
where
S: Stream<Item = Result<Bytes, PayloadError>>,
{
let status_code = response.status();
let body = response.body().await.ok();
let content_type = response.content_type().to_string();
error!(
"Vault returned server error: {status_code} {}",
body.as_ref()
.map_or("", |b| std::str::from_utf8(b).unwrap_or(""))
);
Self::Proxy(ProxyResponseError {
status_code,
body,
content_type,
})
}
}
impl From<&str> for HttpResponseError {
fn from(value: &str) -> Self {
error!("{}", value);
HttpResponseError::new(
anyhow!(value.to_string()),
StatusCode::INTERNAL_SERVER_ERROR,
)
}
}
impl From<SendRequestError> for HttpResponseError {
fn from(error: SendRequestError) -> Self {
error!("Error sending request: {:?}", error);
HttpResponseError::new(
anyhow!(error.to_string()),
StatusCode::INTERNAL_SERVER_ERROR,
)
}
}
impl Debug for HttpResponseError {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
if let Self::Anyhow(e) = self {
if f.alternate() {
write!(f, "{:#?}", e.error)
} else {
write!(f, "{:?}", e.error)
}
} else {
write!(f, "HttpResponseError")
}
}
}
impl Display for HttpResponseError {
fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
if let Self::Anyhow(e) = self {
if f.alternate() {
write!(f, "{:#}", e.error)
} else {
write!(f, "{}", e.error)
}
} else {
write!(f, "HttpResponseError")
}
}
}
impl ResponseError for HttpResponseError {
fn status_code(&self) -> StatusCode {
match self {
HttpResponseError::Anyhow(e) => e.status_code,
HttpResponseError::Proxy(e) => e.status_code,
}
}
fn error_response(&self) -> HttpResponse {
match self {
HttpResponseError::Anyhow(e) => HttpResponse::build(self.status_code())
.content_type("application/json")
.body(format!(r#"{{"error":"{}"}}"#, e.error)),
HttpResponseError::Proxy(e) => {
if let Some(ref body) = e.body {
HttpResponse::build(self.status_code())
.content_type(e.content_type.clone())
.body(body.clone())
} else {
HttpResponse::new(self.status_code())
}
}
}
}
}
/// Create a new json config
pub fn new_json_cfg() -> actix_web::web::JsonConfig {
actix_web::web::JsonConfig::default()
.limit(1024 * 1024)
.error_handler(json_error_handler)
}
fn json_error_handler(err: error::JsonPayloadError, _: &HttpRequest) -> actix_web::Error {
error::InternalError::from_response(
"",
HttpResponse::BadRequest()
.content_type("application/json")
.body(format!(r#"{{"error":"json error: {}"}}"#, err)),
)
.into()
}

120
crates/teepot-vault/src/server/signatures.rs Normal file
View file

@ -0,0 +1,120 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2024 Matter Labs
//! Signature checking utilities
use crate::json::secrets::AdminConfig;
use crate::server::{HttpResponseError, Status as _};
use actix_web::http::StatusCode;
use anyhow::{anyhow, bail, Context, Result};
use pgp::types::PublicKeyTrait;
use pgp::{Deserializable, SignedPublicKey, StandaloneSignature};
use tracing::debug;
/// Verify a pgp signature for some message given some public keys
pub fn verify_sig(sig: &str, msg: &[u8], keys: &[SignedPublicKey]) -> anyhow::Result<usize> {
let (signatures, _) =
StandaloneSignature::from_string_many(sig).context(format!("reading signature {}", sig))?;
for signature in signatures {
let signature = match signature {
Ok(s) => s,
Err(e) => {
debug!("Failed to parse signature: {}", e);
continue;
}
};
for (pos, key) in keys.iter().enumerate() {
let actual_key = &key.primary_key;
if actual_key.is_signing_key() && signature.verify(&actual_key, msg).is_ok() {
return Ok(pos);
}
for sub_key in &key.public_subkeys {
if sub_key.is_signing_key() && signature.verify(sub_key, msg).is_ok() {
return Ok(pos);
}
}
}
}
eprintln!("Failed to verify signature for `{sig}`");
bail!("Failed to verify signature for `{sig}`");
}
/// Verify pgp signatures for a message with some threshold
pub fn check_sigs(
pgp_keys: &[Box<[u8]>],
threshold: usize,
signatures: &[String],
msg: &[u8],
) -> Result<(), HttpResponseError> {
let mut keys = Vec::new();
for bytes in pgp_keys {
let key = SignedPublicKey::from_bytes(bytes.as_ref())
.context("parsing public key")
.status(StatusCode::INTERNAL_SERVER_ERROR)?;
keys.push(key);
}
let mut verified: usize = 0;
for sig in signatures {
if let Ok(pos) = verify_sig(sig, msg, &keys) {
keys.remove(pos);
verified += 1;
}
if verified >= threshold {
break;
}
}
if verified < threshold {
return Err(anyhow!("not enough valid signatures")).status(StatusCode::BAD_REQUEST);
}
Ok(())
}
/// Verify pgp signatures for a message
pub trait VerifySig {
/// Verify pgp signatures for a message
fn check_sigs(&self, signatures: &[String], msg: &[u8]) -> Result<(), HttpResponseError>;
}
impl VerifySig for AdminConfig {
fn check_sigs(&self, signatures: &[String], msg: &[u8]) -> Result<(), HttpResponseError> {
check_sigs(&self.admin_pgp_keys, self.admin_threshold, signatures, msg)
}
}
#[cfg(test)]
mod tests {
use super::verify_sig;
use base64::{engine::general_purpose, Engine as _};
use pgp::{Deserializable, SignedPublicKey};
const TEST_DATA: &str = include_str!("../../tests/data/test.json");
// gpg --armor --local-user test@example.com --detach-sign bin/tee-vault-admin/tests/data/test.json
const TEST_SIG: &str = include_str!("../../tests/data/test.json.asc");
// gpg --armor --export 81A312C59D679D930FA9E8B06D728F29A2DBABF8 > bin/tee-vault-admin/tests/data/pub-81A312C59D679D930FA9E8B06D728F29A2DBABF8.asc
const TEST_KEY: &str =
include_str!("../../tests/data/pub-81A312C59D679D930FA9E8B06D728F29A2DBABF8.asc");
const TEST_KEY_BASE64: &str =
include_str!("../../tests/data/pub-81A312C59D679D930FA9E8B06D728F29A2DBABF8.b64");
#[test]
fn test_sig() {
let test_key = SignedPublicKey::from_string(TEST_KEY).unwrap().0;
verify_sig(TEST_SIG, TEST_DATA.as_bytes(), &[test_key]).unwrap();
}
#[test]
fn test_key_import() {
let str = TEST_KEY_BASE64.lines().collect::<String>();
let bytes = general_purpose::STANDARD.decode(str).unwrap();
let _ = SignedPublicKey::from_bytes(bytes.as_slice()).unwrap();
}
}

32
crates/teepot-vault/src/tdx/mod.rs Normal file
View file

@ -0,0 +1,32 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023-2025 Matter Labs
//! Intel TDX helper functions.
pub mod rtmr;
pub use intel_tee_quote_verification_rs::Collateral;
use tdx_attest_rs::{tdx_att_get_quote, tdx_attest_error_t, tdx_report_data_t};
pub use teepot::sgx::tcblevel::{parse_tcb_levels, EnumSet, TcbLevel};
use teepot::sgx::QuoteError;
/// Get a TDX quote
pub fn tgx_get_quote(report_data_bytes: &[u8; 64]) -> Result<Box<[u8]>, QuoteError> {
let mut tdx_report_data = tdx_report_data_t { d: [0; 64usize] };
tdx_report_data.d.copy_from_slice(report_data_bytes);
let (error, quote) = tdx_att_get_quote(Some(&tdx_report_data), None, None, 0);
if error == tdx_attest_error_t::TDX_ATTEST_SUCCESS {
if let Some(quote) = quote {
Ok(quote.into())
} else {
Err(QuoteError::TdxAttGetQuote {
msg: "tdx_att_get_quote: No quote returned".into(),
inner: error,
})
}
} else {
Err(error.into())
}
}

90
crates/teepot-vault/src/tdx/rtmr.rs Normal file
View file

@ -0,0 +1,90 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2024-2025 Matter Labs
//! rtmr event data
use teepot::sgx::QuoteError;
/// The actual rtmr event data handled in DCAP
#[repr(C, packed)]
pub struct TdxRtmrEvent {
/// Always 1
version: u32,
/// The RTMR that will be extended. As defined in
/// https://github.com/confidential-containers/td-shim/blob/main/doc/tdshim_spec.md#td-measurement
/// we will use RTMR 3 for guest application code and configuration.
rtmr_index: u64,
/// Data that will be used to extend RTMR
extend_data: [u8; 48usize],
/// Not used in DCAP
event_type: u32,
/// Always 0
event_data_size: u32,
/// Not used in DCAP
event_data: Vec<u8>,
}
impl Default for TdxRtmrEvent {
fn default() -> Self {
Self {
extend_data: [0; 48],
version: 1,
rtmr_index: 3,
event_type: 0,
event_data_size: 0,
event_data: Vec::new(),
}
}
}
impl TdxRtmrEvent {
/// use the extend data
pub fn with_extend_data(mut self, extend_data: [u8; 48]) -> Self {
self.extend_data = extend_data;
self
}
/// extend the rtmr index
pub fn with_rtmr_index(mut self, rtmr_index: u64) -> Self {
self.rtmr_index = rtmr_index;
self
}
/// extending the index, consuming self
pub fn extend(self) -> Result<(), QuoteError> {
let event: Vec<u8> = self.into();
match tdx_attest_rs::tdx_att_extend(&event) {
tdx_attest_rs::tdx_attest_error_t::TDX_ATTEST_SUCCESS => Ok(()),
error_code => Err(error_code.into()),
}
}
}
impl From<TdxRtmrEvent> for Vec<u8> {
fn from(val: TdxRtmrEvent) -> Self {
let event_ptr = &val as *const TdxRtmrEvent as *const u8;
let event_data_size = std::mem::size_of::<u8>() * val.event_data_size as usize;
let res_size = std::mem::size_of::<u32>() * 3
+ std::mem::size_of::<u64>()
+ std::mem::size_of::<[u8; 48]>()
+ event_data_size;
let mut res = vec![0; res_size];
unsafe {
for (i, chunk) in res.iter_mut().enumerate().take(res_size - event_data_size) {
*chunk = *event_ptr.add(i);
}
}
let event_data = val.event_data;
for i in 0..event_data_size {
res[i + res_size - event_data_size] = event_data[i];
}
res
}
}