mirror of https://github.com/matter-labs/vault-auth-tee.git synced 2025-07-21 07:43:57 +02:00

Hashicorp Vault plugin for authenticating Trusted Execution Environments (TEE) like SGX enclaves

Find a file

Harald Hoyer ee1781ffc7 chore(deps): update trufflesecurity/trufflehog action to v3.68.5 (#44 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [trufflesecurity/trufflehog](https://togithub.com/trufflesecurity/trufflehog) \| action \| patch \| `v3.68.2` -> `v3.68.5` \| --- ### Release Notes <details> <summary>trufflesecurity/trufflehog (trufflesecurity/trufflehog)</summary> ### [`v3.68.5`](https://togithub.com/trufflesecurity/trufflehog/releases/tag/v3.68.5) [Compare Source](https://togithub.com/trufflesecurity/trufflehog/compare/v3.68.4...v3.68.5) #### What's Changed - Create basic escaped unicode decoder by [@rgmz](https://togithub.com/rgmz) in [https://github.com/trufflesecurity/trufflehog/pull/2456](https://togithub.com/trufflesecurity/trufflehog/pull/2456) - fix(deps): update module github.com/aws/aws-sdk-go to v1.50.30 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2529](https://togithub.com/trufflesecurity/trufflehog/pull/2529) - fix(deps): update module github.com/felixge/fgprof to v0.9.4 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2532](https://togithub.com/trufflesecurity/trufflehog/pull/2532) - fix(deps): update module cloud.google.com/go/storage to v1.39.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2533](https://togithub.com/trufflesecurity/trufflehog/pull/2533) - fix(deps): update module github.com/stretchr/testify to v1.9.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2534](https://togithub.com/trufflesecurity/trufflehog/pull/2534) - Add naive S3 ignorelist by [@rosecodym](https://togithub.com/rosecodym) in [https://github.com/trufflesecurity/trufflehog/pull/2536](https://togithub.com/trufflesecurity/trufflehog/pull/2536) - Redact secret in git command output by [@rosecodym](https://togithub.com/rosecodym) in [https://github.com/trufflesecurity/trufflehog/pull/2539](https://togithub.com/trufflesecurity/trufflehog/pull/2539) - Fix timeout param, DB is not needed for ping command by [@dustin-decker](https://togithub.com/dustin-decker) in [https://github.com/trufflesecurity/trufflehog/pull/2540](https://togithub.com/trufflesecurity/trufflehog/pull/2540) Full Changelog: https://github.com/trufflesecurity/trufflehog/compare/v3.68.4...v3.68.5 ### [`v3.68.4`](https://togithub.com/trufflesecurity/trufflehog/releases/tag/v3.68.4) [Compare Source](https://togithub.com/trufflesecurity/trufflehog/compare/v3.68.3...v3.68.4) #### What's Changed - Improve Gitlab default URL handling by [@trufflesteeeve](https://togithub.com/trufflesteeeve) in [https://github.com/trufflesecurity/trufflehog/pull/2491](https://togithub.com/trufflesecurity/trufflehog/pull/2491) - fix(deps): update module github.com/golang-jwt/jwt/v4 to v5 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2513](https://togithub.com/trufflesecurity/trufflehog/pull/2513) - fix(deps): update module github.com/aws/aws-sdk-go to v1.50.28 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2520](https://togithub.com/trufflesecurity/trufflehog/pull/2520) - fix(deps): update module github.com/googleapis/gax-go/v2 to v2.12.2 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2521](https://togithub.com/trufflesecurity/trufflehog/pull/2521) - fix(deps): update module github.com/prometheus/client_golang to v1.19.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2522](https://togithub.com/trufflesecurity/trufflehog/pull/2522) - fix(deps): update module golang.org/x/crypto to v0.20.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2523](https://togithub.com/trufflesecurity/trufflehog/pull/2523) - Remove one filter word by [@dustin-decker](https://togithub.com/dustin-decker) in [https://github.com/trufflesecurity/trufflehog/pull/2525](https://togithub.com/trufflesecurity/trufflehog/pull/2525) - Fix minor typo by [@jamesgol](https://togithub.com/jamesgol) in [https://github.com/trufflesecurity/trufflehog/pull/2527](https://togithub.com/trufflesecurity/trufflehog/pull/2527) - Ignore canary IDs in notifications by [@dxa4481](https://togithub.com/dxa4481) in [https://github.com/trufflesecurity/trufflehog/pull/2526](https://togithub.com/trufflesecurity/trufflehog/pull/2526) - \[feat] - Make the client configurable by [@ahrav](https://togithub.com/ahrav) in [https://github.com/trufflesecurity/trufflehog/pull/2528](https://togithub.com/trufflesecurity/trufflehog/pull/2528) #### New Contributors - [@jamesgol](https://togithub.com/jamesgol) made their first contribution in [https://github.com/trufflesecurity/trufflehog/pull/2527](https://togithub.com/trufflesecurity/trufflehog/pull/2527) Full Changelog: https://github.com/trufflesecurity/trufflehog/compare/v3.68.3...v3.68.4 ### [`v3.68.3`](https://togithub.com/trufflesecurity/trufflehog/releases/tag/v3.68.3) [Compare Source](https://togithub.com/trufflesecurity/trufflehog/compare/v3.68.2...v3.68.3) #### What's Changed - fix(deps): update module github.com/google/go-github/v57 to v59 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2464](https://togithub.com/trufflesecurity/trufflehog/pull/2464) - fix(deps): update module github.com/golang-jwt/jwt/v4 to v5 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2455](https://togithub.com/trufflesecurity/trufflehog/pull/2455) - fix(deps): update golang.org/x/exp digest to [`814bf88`](`814bf88`) by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2508](https://togithub.com/trufflesecurity/trufflehog/pull/2508) - fix(deps): update module github.com/aws/aws-sdk-go to v1.50.25 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2509](https://togithub.com/trufflesecurity/trufflehog/pull/2509) - fix(deps): update module github.com/xanzy/go-gitlab to v0.98.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2511](https://togithub.com/trufflesecurity/trufflehog/pull/2511) - fix(deps): update module google.golang.org/api to v0.167.0 by [@renovate](https://togithub.com/renovate) in [https://github.com/trufflesecurity/trufflehog/pull/2512](https://togithub.com/trufflesecurity/trufflehog/pull/2512) - Improve monogo and snowflake detectors by [@dustin-decker](https://togithub.com/dustin-decker) in [https://github.com/trufflesecurity/trufflehog/pull/2518](https://togithub.com/trufflesecurity/trufflehog/pull/2518) - JDBC test and parsing improvements by [@dustin-decker](https://togithub.com/dustin-decker) in [https://github.com/trufflesecurity/trufflehog/pull/2516](https://togithub.com/trufflesecurity/trufflehog/pull/2516) Full Changelog: https://github.com/trufflesecurity/trufflehog/compare/v3.68.2...v3.68.3 </details> --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/matter-labs/vault-auth-tee). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMTIuMCIsInVwZGF0ZWRJblZlciI6IjM3LjIyNy4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->		2024-03-07 10:13:23 +01:00
.github	chore(deps): update trufflesecurity/trufflehog action to v3.68.5	2024-03-07 04:16:49 +00:00
cmd/vault-auth-tee	feat: restructure project and fix vault/sdk version	2024-02-12 17:12:24 +01:00
packages	chore: add nix subpackage with shasum of plugin	2024-02-22 09:57:39 +01:00
shells/vault-auth-tee	chore: use snowfall lib for nix flake	2024-02-15 11:08:13 +01:00
test-fixtures/keys	feat: restructure project and fix vault/sdk version	2024-02-12 17:12:24 +01:00
.gitignore	feat: initial commit	2023-10-26 14:15:52 +02:00
backend.go	feat: restructure project and fix vault/sdk version	2024-02-12 17:12:24 +01:00
backend_test.go	feat: get current unix time for verification with NTS	2024-02-13 10:26:45 +01:00
CONTRIBUTING.md	feat: initial commit	2023-10-26 14:15:52 +02:00
Dockerfile	feat: build the container image with nix	2024-02-13 13:21:23 +01:00
flake.lock	chore: use snowfall lib for nix flake	2024-02-15 11:08:13 +01:00
flake.nix	chore: use snowfall lib for nix flake	2024-02-15 11:08:13 +01:00
go.mod	fix(deps): update module github.com/hashicorp/vault/api to v1.12.0	2024-02-13 12:04:10 +00:00
go.sum	feat: build the container image with nix	2024-02-13 13:21:23 +01:00
LICENSE	feat: initial commit	2023-10-26 14:15:52 +02:00
path_info.go	feat: restructure project and fix vault/sdk version	2024-02-12 17:12:24 +01:00
path_login.go	feat: get current unix time for verification with NTS	2024-02-13 10:26:45 +01:00
path_login_test.go	feat: get current unix time for verification with NTS	2024-02-13 10:26:45 +01:00
path_tees.go	fix: enable clearing the `sgx_mrsigner` and `sgx_mrenclave` field	2024-02-27 11:58:55 +01:00
README.md	feat: initial commit	2023-10-26 14:15:52 +02:00
renovate.json	feat: initial commit	2023-10-26 14:15:52 +02:00
roughntstime.go	feat: get current unix time for verification with NTS	2024-02-13 10:26:45 +01:00
SECURITY.md	feat: initial commit	2023-10-26 14:15:52 +02:00
sgxquote.go	feat: restructure project and fix vault/sdk version	2024-02-12 17:12:24 +01:00
sgxquote_test.go	feat: restructure project and fix vault/sdk version	2024-02-12 17:12:24 +01:00
test_responder.go	feat: restructure project and fix vault/sdk version	2024-02-12 17:12:24 +01:00
version.go	feat: restructure project and fix vault/sdk version	2024-02-12 17:12:24 +01:00

README.md

vault-auth-tee

TEE remote attestation plugin for Hashicorp Vault

⚠️☢️☣️ WARNING: not yet for production use ☣️☢️⚠️

License

All of the code is licensed under the Mozilla Public License 2.0 unless otherwise specified. Most of the vault plugin code is based on the vault builtin/credential/cert plugin.

Build Setup

$ wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo apt-key add -
$ sudo bash -c 'echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu focal main" > /etc/apt/sources.list.d/intel-sgx.list'
$ sudo apt update
$ sudo apt install -y --no-install-recommends \
    libsgx-headers \
    libsgx-enclave-common \
    libsgx-urts \
    libsgx-dcap-quote-verify \
    libsgx-dcap-quote-verify-dev

Configuration

Create or Update via the ${plugin}/tees/$name endpoint

{
    "name": "TEE_role_name",
    "token_policies": "policy1,policy2,...",
    "types": "sgx",
    "sgx_mrsigner": "298037d88782e022e019b3020745b78aa40ed95c77da4bf7f3253d3a44c4fd7e",
    "sgx_mrenclave": "18946b3547d3ca036f4df7b516857e28fd512d69fed3411dc660537912faabf8",
    "sgx_isv_prodid": 0,
    "sgx_min_isv_svn": 0,
    "sgx_allowed_tcb_levels": "Ok,ConfigNeeded,OutOfDate,OutOfDateConfigNeeded,SwHardeningNeeded,ConfigAndSwHardeningNeeded"
}

At least one of sgx_mrsigner or sgx_mrenclave must be set. If both are set, both are used for matching.
sgx_isv_prodid is optional and defaults to 0.
sgx_min_isv_svn is optional and defaults to 0.
sgx_allowed_tcb_levels is optional and defaults to Ok.

Authentication

Client TEE generates a self-signed TLS client certificate
Client TEE generates an attestation report, which includes the hash of the public key of the client certificate (in case of SGX, a sha256 sum of the public key)
Client TEE fetches all collateral material via e.g. Intel DCAP (tee_qv_get_collateral)
Client TEE sends POST request with a TLS connection using the client certificate to Vault via the ${plugin}/login endpoint with the name, attestation report and the attestation collateral material
An optional challenge can be included in the POST request, which is then included in the attestation report of the vault response

{
    "name": "The name of the TEE role to authenticate against.",
    "quote": "The quote Base64 encoded.",
    "collateral": "The collateral Json string encoded.",
    "challenge": "An optional challenge hex encoded."
}

The response contains the Vault token and, if a challenge was included, the vault attestation report, which must contain the challenge bytes in the report_data of the quote.

{
    "auth": {
        "client_token": "The Vault token.",
        "....": "...."
    },
    "data": {
        "quote": "The vault quote Base64 encoded.",
        "collateral": "The vault collateral Json string encoded."
    }
}

Collateral Json encoding

See sgx_ql_lib_common.h

{
    "major_version": uint16,
    "minor_version": uint16,
    "tee_type": uint32,
    "pck_crl_issuer_chain": []byte,
    "root_ca_crl": []byte,
    "pck_crl": []byte,
    "tcb_info_issuer_chain": []byte,
    "tcb_info": []byte,
    "qe_identity_issuer_chain": []byte,
    "qe_identity": []byte
}