Add support to Filesystem key manager (not suitable for production)
ssantos21 committed Dec 7, 2024
1 parent 07edd75 commit 07ff7b7
Showing 11 changed files with 129 additions and 44 deletions.
12 changes: 9 additions & 3 deletions lockbox/CMakeLists.txt
Expand Up @@ -29,8 +29,9 @@ include(secp256k1_zkp)
add_library(LockboxLibrary
src/server.cpp
src/utils.cpp
src/key_manager.cpp
src/google_key_manager.cpp
src/hashicorp_key_manager.cpp
src/filesystem_key_manager.cpp
src/enclave.cpp
src/monocypher.c
src/db_manager.cpp)
Expand All @@ -52,7 +53,9 @@ target_link_libraries(LockboxLibrary
google-cloud-cpp::storage
google-cloud-cpp::kms
google-cloud-cpp::secretmanager
secp256k1_zkp)
secp256k1_zkp
OpenSSL::SSL
OpenSSL::Crypto)

include(FetchContent)
FetchContent_Declare(
Expand All @@ -75,6 +78,7 @@ find_package(cpr REQUIRED)
find_package(google_cloud_cpp_storage REQUIRED)
find_package(google_cloud_cpp_kms REQUIRED)
find_package(google_cloud_cpp_secretmanager REQUIRED)
find_package(OpenSSL REQUIRED)

target_include_directories(MercuryLockbox PRIVATE include)
# Link the library to the main executable
Expand All @@ -87,7 +91,9 @@ target_link_libraries(MercuryLockbox PRIVATE
google-cloud-cpp::storage
google-cloud-cpp::kms
google-cloud-cpp::secretmanager
secp256k1_zkp)
secp256k1_zkp
OpenSSL::SSL
OpenSSL::Crypto)

# Copy Settings.toml after building MercuryLockbox
add_custom_command(TARGET MercuryLockbox POST_BUILD
3 changes: 2 additions & 1 deletion lockbox/README.md
Expand Up @@ -11,5 +11,6 @@ $ mkdir -p build && cd build
$ cmake --preset=vcpkg ..
$ cmake --build .
```
4. Set the desired key manager in `Settings.toml`. Currently, there are 3 available: `google_kms`, `hashicorp`, `filesystem`.

4. Then, to run the server: `./MercuryLockbox --key_provider=google_kms` or `./MercuryLockbox --key_provider=hashicorp`.
5. Then, to run the server: `./MercuryLockbox`.
5 changes: 3 additions & 2 deletions lockbox/Settings.toml
@@ -1,8 +1,9 @@
[general]
database_connection_string = "postgresql://postgres:postgres@localhost/enclave"
server_port = 18080
replication_server_url = "http://localhost:18082"
seed_dir = "./seed"
key_manager = "filesystem" # "google_kms", "hashicorp", "filesystem"
[filesystem]
seed_filepath = "./seed"
[gcloud]
project_id = "mercury-441416"
project_number = "100600525477"
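Review bot: `key_manager = "filesystem"` makes the backend that the commit title itself calls not suitable for production the default in the checked-in settings, and the CMakeLists.txt comment visible in this commit suggests this file is copied next to the built binary. A deployment that does not override it would keep the raw 32-byte seed in `./seed` on local disk rather than in a managed secret store. Consider defaulting to a managed provider and marking the development option explicitly, e.g. `key_manager = "google_kms" # or "hashicorp"; "filesystem" stores the seed unencrypted on disk, development only`. The `seed_dir` key is replaced by `[filesystem] seed_filepath`; whether anything outside this commit still reads `seed_dir` is not visible here and is worth confirming.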
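--- a/lockbox/include/filesystem_key_manager.h
+++ b/lockbox/include/filesystem_key_manager.h
@@ -0,0 +1,11 @@
+#ifndef FILESYSTEM_KEY_MANAGER_H
+#define FILESYSTEM_KEY_MANAGER_H
+
+#include <string>
+#include <vector>
+
+namespace filesystem_key_manager {
+std::vector<uint8_t> get_seed();
+} // namespace key_manager
+
+#endif // FILESYSTEM_KEY_MANAGER_H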
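Review bot: The header declares `std::vector<uint8_t> get_seed();` without including `<cstdint>`, so it compiles only when another header happens to bring `uint8_t` into scope; add `#include <cstdint>` next to `<vector>`. The closing comment `} // namespace key_manager` names the wrong namespace and should read `} // namespace filesystem_key_manager`. A short comment on `get_seed()` saying that it returns the 32-byte seed and creates the seed file on first use would tell callers that the call has a filesystem side effect.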
@@ -1,5 +1,5 @@
#ifndef KEY_MANAGER_H
#define KEY_MANAGER_H
#ifndef GOOGLE_KEY_MANAGER_H
#define GOOGLE_KEY_MANAGER_H

#include <string>
#include <vector>
Expand All @@ -10,4 +10,4 @@ namespace key_manager {
std::vector<uint8_t> get_seed();
} // namespace key_manager

#endif // KEY_MANAGER_H
#endif // GOOGLE_KEY_MANAGER_H
2 changes: 1 addition & 1 deletion lockbox/include/server.h
Expand Up @@ -4,7 +4,7 @@
#include <string>

namespace lockbox {
void start_server(const std::string& key_provider);
void start_server();
} // namespace lockbox

#endif // SERVER_H
17 changes: 0 additions & 17 deletions lockbox/src/enclave.cpp
Expand Up @@ -25,23 +25,6 @@ void encrypt_data(

encrypted_data->data_len = raw_data_size;
crypto_aead_lock(encrypted_data->data, encrypted_data->mac, seed, encrypted_data->nonce, ad, ad_size, raw_data, raw_data_size);

/* char* seed_hex = data_to_hex(seed, sizeof(seed));
ocall_print_string("seed:");
ocall_print_string(seed_hex);
char* mac_hex = data_to_hex(encrypted_data->mac, sizeof(encrypted_data->mac));
ocall_print_string("mac:");
ocall_print_string(mac_hex);
char* nonce_hex = data_to_hex(encrypted_data->nonce, sizeof(encrypted_data->nonce));
ocall_print_string("nonce:");
ocall_print_string(nonce_hex);
char* encrypted_hex = data_to_hex(encrypted_data->data, encrypted_data->data_len);
ocall_print_string("encrypted:");
ocall_print_string(encrypted_hex); */

}

int decrypt_data(
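--- a/lockbox/src/filesystem_key_manager.cpp
+++ b/lockbox/src/filesystem_key_manager.cpp
@@ -0,0 +1,76 @@
+#include "hashicorp_key_manager.h"
+
+#include <vector>
+#include <stdexcept>
+#include <openssl/rand.h>
+#include <filesystem>
+#include <fstream>
+#include "utils.h"
+#include <toml++/toml.h>
+
+namespace filesystem_key_manager {
+
+std::string getSeedFilePath() {
+const char* value = std::getenv("SEED_FILEPATH");
+
+if (value == nullptr) {
+auto config = toml::parse_file("Settings.toml");
+return config["filesystem"]["seed_filepath"].as_string()->get();
+} else {
+return std::string(value);
+}
+}
+
+std::vector<uint8_t> get_seed() {
+const std::string seed_file = getSeedFilePath();
+
+if (std::filesystem::exists(seed_file)) {
+// The seed file exists
+std::ifstream seed_in(seed_file, std::ios::binary);
+if (!seed_in) {
+throw std::runtime_error("Error opening seed file for reading.");
+}
+
+// Read the contents into a vector
+std::vector<uint8_t> key((std::istreambuf_iterator<char>(seed_in)),
+std::istreambuf_iterator<char>());
+
+// Check if the key is 32 bytes
+if (key.size() != 32) {
+throw std::runtime_error("Seed file has invalid size.");
+}
+
+return key;
+} else {
+// Seed file does not exist, generate a new seed
+std::vector<uint8_t> key(32); // 256-bit key
+
+// Generate cryptographically secure random bytes
+if (RAND_bytes(key.data(), key.size()) != 1) {
+throw std::runtime_error("Error generating random bytes.");
+}
+
+// Write the key to the seed file
+std::ofstream seed_out(seed_file, std::ios::binary | std::ios::trunc);
+if (!seed_out) {
+throw std::runtime_error("Error opening seed file for writing.");
+}
+
+seed_out.write(reinterpret_cast<const char*>(key.data()), key.size());
+if (!seed_out) {
+throw std::runtime_error("Error writing seed to file.");
+}
+
+// Optionally, set file permissions to owner read/write only (platform-dependent)
+#ifdef __unix__
+seed_out.close(); // Close the file before changing permissions
+std::filesystem::permissions(seed_file,
+std::filesystem::perms::owner_read | std::filesystem::perms::owner_write,
+std::filesystem::perm_options::replace);
+#endif
+
+return key;
+}
+}
+
+}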
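Review bot: The seed is written before the file is restricted: in `get_seed()` the `std::ofstream` creates the file with whatever mode the process umask allows, the 32 key bytes are written, and only afterwards does `std::filesystem::permissions` narrow it to owner read/write, so another local user can open the file in that window and read the seed. The narrowing is also compiled only under `__unix__`, so on toolchains that do not define that macro (macOS is one) the file keeps its default mode. Creating the file with owner-only mode from the start and refusing to overwrite an existing file closes that window and also the `exists()`-then-truncate race between two processes starting together; the sketch below needs `<fcntl.h>`, `<sys/stat.h>` and `<unistd.h>`. Separately, the first include is `hashicorp_key_manager.h`; including `filesystem_key_manager.h` instead would let the compiler check this definition against its declaration.

```cpp
// Seed file does not exist, generate a new seed
// … unchanged: key allocation and RAND_bytes check …

#ifdef __unix__
// O_EXCL fails if the file appeared since the exists() check; mode 0600 applies from creation
const int fd = ::open(seed_file.c_str(), O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
if (fd < 0) {
    throw std::runtime_error("Error opening seed file for writing.");
}
const ssize_t written = ::write(fd, key.data(), key.size());
const bool closed = (::close(fd) == 0);
if (written != static_cast<ssize_t>(key.size()) || !closed) {
    throw std::runtime_error("Error writing seed to file.");
}
#else
// … unchanged: std::ofstream write path …
#endif

return key;
```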
@@ -1,4 +1,4 @@
#include "key_manager.h"
#include "google_key_manager.h"

#include "google/cloud/kms/v1/key_management_client.h"
#include "google/cloud/secretmanager/v1/secret_manager_client.h"
14 changes: 2 additions & 12 deletions lockbox/src/main.cpp
Expand Up @@ -7,19 +7,9 @@ int main(int argc, char *argv[]) {
CLI::App cli_app{"Lockbox Server"};
cli_app.set_version_flag("--version", std::string("0.0.1"));

// Add the mandatory key_provider option
std::string key_provider;
cli_app.add_option("--key_provider", key_provider, "Key provider (google_kms or hashicorp)")
->required() // Mark it as mandatory
->check(CLI::IsMember({"google_kms", "hashicorp"})); // Validate allowed values
CLI11_PARSE(cli_app, argc, argv);

try {
CLI11_PARSE(cli_app, argc, argv);
} catch (const CLI::ParseError &e) {
return cli_app.exit(e); // Exit gracefully on parse errors
}

lockbox::start_server(key_provider);
lockbox::start_server();

return 0;
}
25 changes: 21 additions & 4 deletions lockbox/src/server.cpp
Expand Up @@ -3,9 +3,11 @@
#include <openssl/rand.h>
#include "utils.h"
#include "enclave.h"
#include "key_manager.h"
#include "google_key_manager.h"
#include "hashicorp_key_manager.h"
#include "filesystem_key_manager.h"
#include "db_manager.h"
#include <toml++/toml.h>

namespace lockbox {

Expand Down Expand Up @@ -183,16 +185,31 @@ namespace lockbox {
return crow::response{result};
}

void start_server(const std::string& key_provider) {
std::string getKeyManager() {
const char* value = std::getenv("KEY_MANAGER");

if (value == nullptr) {
auto config = toml::parse_file("Settings.toml");
return config["general"]["key_manager"].as_string()->get();
} else {
return std::string(value);
}
}

void start_server() {

std::vector<uint8_t> seed;

if (key_provider == "google_kms") {
auto key_provider = getKeyManager();

if (key_provider == "filesystem") {
seed = filesystem_key_manager::get_seed();
} else if (key_provider == "google_kms") {
seed = key_manager::get_seed();
} else if (key_provider == "hashicorp") {
seed = hashicorp_key_manager::get_seed();
} else {
throw std::runtime_error("Invalid key provider: " + key_provider);
throw std::runtime_error("Invalid key manager: " + key_provider);
}

/* std::string seed_hex = utils::key_to_string(seed.data(), seed.size());
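Review bot: `getKeyManager()` dereferences the result of `as_string()` without a check: `config["general"]["key_manager"].as_string()->get()` is a null-pointer dereference when the key is absent or not a string, which is the state of any `Settings.toml` written before this commit, since `key_manager` is a new key. Reading it as an optional gives a clear startup error instead, e.g. `auto km = config["general"]["key_manager"].value<std::string>();` followed by `if (!km) throw std::runtime_error("key_manager is not set in Settings.toml");`. `getSeedFilePath()` in filesystem_key_manager.cpp has the same pattern for `seed_filepath`. Both functions call `std::getenv`, and `<cstdlib>` is not among the includes visible in either file section. The body of `start_server()` continues outside the hunk.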
