Initial commit

.github/workflows/python.yml

@@ -0,0 +1,74 @@
+name: Python CI
+
+on: [push]
+
+env:
+  PYTHON_SRC: "src"
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        python-version: ["3.10"]
+    environment:
+      name: release
+      url: https://pypi.org/p/cenclave-lib-sgx
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install package with dependencies
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install ".[dev]"
+
+      - name: Package metadata
+        id: metadata
+        run: |
+          echo "PACKAGE_VERSION=$(python -c 'import cenclave_lib_sgx; print(cenclave_lib_sgx.__version__)')" >> $GITHUB_OUTPUT
+
+      - name: Code format with black
+        run: |
+          python -m black --check $PYTHON_SRC
+
+      - name: Import check with isort
+        run: |
+          python -m isort --check $PYTHON_SRC
+
+      - name: Lint check with pylint
+        run: |
+          python -m pylint $PYTHON_SRC
+
+      - name: Lint check with pycodestyle
+        run: |
+          python -m pycodestyle $PYTHON_SRC
+
+      - name: Lint check with pydocstyle
+        run: |
+          python -m pydocstyle $PYTHON_SRC
+
+      - name: Typecheck with MyPy
+        run: |
+          python -m mypy $PYTHON_SRC
+
+      - name: Test with pytest
+        run: |
+          python -m pytest
+
+      - name: Build package
+        if: ${{ startsWith(github.ref, 'refs/tags') && endsWith(github.ref, steps.metadata.outputs.PACKAGE_VERSION) }}
+        run: python -m build
+
+      - name: Publish package to PyPi
+        if: ${{ startsWith(github.ref, 'refs/tags') && endsWith(github.ref, steps.metadata.outputs.PACKAGE_VERSION) }}
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          attestations: false

.gitignore

@@ -0,0 +1,142 @@
+.vscode/
+.idea/
+.python-version
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/

README.md

@@ -0,0 +1,67 @@
+# Cosmian Enclave Lib SGX
+
+## Overview
+
+Cosmian Enclave lib SGX bootstraps the execution of an encrypted ASGI/WSGI Python web application for [Gramine](https://gramine.readthedocs.io/).
+
+The library is responsible for:
+
+- Configuring the SSL certificates with either:
+  - *RA-TLS*, a self-signed certificate including the Intel SGX quote in an X.509 v3 extension
+  - *Custom*, the private key and full keychain is provided by the application owner
+  - *No SSL*, the secure channel may be managed elsewhere by an SSL proxy
+- Decrypting Python modules encrypted with XSala20-Poly1305 AE
+- Running the ASGI/WSGI Python web application with [hypercorn](https://pgjones.gitlab.io/hypercorn/)
+
+## Technical details
+
+The flow to run an encrypted Python web application is the following:
+
+1. A first self-signed HTTPS server using RA-TLS is launched waiting to receive a JSON payload with:
+   - UUID, a unique application identifier provided to `enclave-bootstrap` as an argument
+   - the decryption key of the code
+   - Optionally the private key corresponding to the certificate provided to `enclave-bootstrap` (for *Custom* certificate)
+2. If the UUID and decryption key are the expected one, the configuration server is stopped, the code is decrypted and finally run as a new server
+
+
+## Installation 
+
+```console
+$ pip install cenclave-lib-sgx
+```
+
+## Usage
+
+```console
+$ cenclave-bootstrap --help
+usage: cenclave-bootstrap [-h] [--host HOST] [--port PORT] [--subject SUBJECT] [--san SAN] --app-dir
+                          APP_DIR --id ID [--plaincode] [--timeout TIMEOUT] [--version] [--debug]
+                          (--ratls EXPIRATION_DATE | --no-ssl | --certificate CERTIFICATE_PATH)
+                          application
+
+Bootstrap ASGI/WSGI Python web application for Gramine
+
+positional arguments:
+  application           ASGI application path (as module:app)
+
+options:
+  -h, --help            show this help message and exit
+  --host HOST           hostname of the server
+  --port PORT           port of the server
+  --subject SUBJECT     Subject as RFC 4514 string for the RA-TLS certificate
+  --san SAN             Subject Alternative Name in the RA-TLS certificate
+  --app-dir APP_DIR     path of the python web application
+  --id ID               identifier of the application as UUID in RFC 4122
+  --plaincode           unencrypted python web application
+  --timeout TIMEOUT     seconds before closing the configuration server
+  --version             show program's version number and exit
+  --debug               debug mode with more logging
+  --ratls EXPIRATION_DATE
+                        generate a self-signed certificate for RA-TLS with a specific expiration date
+                        (Unix time)
+  --no-ssl              use HTTP without SSL
+  --certificate CERTIFICATE_PATH
+                        custom certificate used for the SSL connection, private key must be sent through
+                        the configuration server
+
+```

pyproject.toml

@@ -0,0 +1,64 @@
+[build-system]
+requires = ["setuptools>=68.0.0,<76.0.0"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "cenclave-lib-sgx"
+authors = [
+    { name = "Cosmian Tech", email = "[email protected]" },
+]
+description = "Library to bootstrap WSGI/ASGI application for Gramine"
+readme = "README.md"
+requires-python = ">=3.10"
+license = { text = "MIT" }
+classifiers = [
+    "Development Status :: 6 - Mature",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: POSIX :: Linux",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: Implementation :: CPython"
+]
+dependencies = [
+    "cryptography>=43.0.3,<44.0.0",
+    "intel-sgx-ra>=2.3.1,<2.4.0",
+    "hypercorn[uvloop]>=0.17.3,<0.18.0",
+    "h2>=4.1.0,<4.2.0",
+    "cenclave-lib-crypto>=1.0.0,<1.1.0"
+]
+dynamic = ["version"]
+
+[tool.setuptools.dynamic]
+version = { attr = "cenclave_lib_sgx.__version__" }
+
+[project.optional-dependencies]
+dev = [
+    "black>=24.10.0,<25.0.0",
+    "isort>=5.13.2,<6.0.0",
+    "pylint>=3.3.1,<4.0.0",
+    "pycodestyle>=2.12.1,<3.0.0",
+    "pydocstyle>=6.3.0,<7.0.0",
+    "mypy>=1.13.0,<2.0.0",
+    "pytest>=8.3.3,<9.0.0",
+    "build>=1.2.2,<1.3.0",
+    "wheel>=0.45.0,<0.50.0"
+]
+
+[project.scripts]
+cenclave-bootstrap = "cenclave_lib_sgx.cli:run"
+
+[tool.pylint.MAIN]
+disable = [
+    "C0103", # invalid-name
+    "R0913", # too-many-arguments
+    "R0902", # too-many-instance-attributes
+    "R0914", # too-many-locals
+    "R0903", # too-few-public-methods
+    "R0917"  # too-many-positional-arguments
+]
+
+[tool.isort]
+profile = "black"
+
+[tool.pytest]
+testpaths = "tests"
+pythonpath = "src"

setup.cfg

@@ -0,0 +1,2 @@
+[pycodestyle]
+max-line-length = 90

src/cenclave_lib_sgx/__init__.py

@@ -0,0 +1,3 @@
+"""cenclave_lib_sgx module."""
+
+__version__ = "1.0.0"