From f308e683d4bc7c10904eb50fe2c9a2f8c478de16 Mon Sep 17 00:00:00 2001 From: "S. Santos" Date: Tue, 2 Apr 2024 20:15:22 -0300 Subject: [PATCH] [WIP] Add Sealing Key --- enclave/App/App.cpp | 22 +++--- enclave/App/database/db_manager.cpp | 104 +++++++++++++++++++++++++++- enclave/App/database/db_manager.h | 2 +- enclave/Enclave/Enclave.cpp | 25 ++++++- enclave/Enclave/Enclave.edl | 3 +- 5 files changed, 139 insertions(+), 17 deletions(-) diff --git a/enclave/App/App.cpp b/enclave/App/App.cpp index a059a742..191cc1df 100644 --- a/enclave/App/App.cpp +++ b/enclave/App/App.cpp @@ -20,6 +20,7 @@ #include "../utils/include_secp256k1_zkp_lib.h" #include "../utils/strencodings.h" #include "utilities/utilities.h" +#include "database/db_manager.h" #include "sealing_key_manager/sealing_key_manager.h" #include "App.h" @@ -274,7 +275,7 @@ void ocall_print_hex(const unsigned char** key, const int *keylen) printf("%s\n", key_to_string(*key, *keylen).c_str()); } -void initialize_encrypted_data(chacha20_poly1305_encrypted_data& encrypted_data, size_t data_len, sealing_key_manager::SealingKeyManager& sealing_key_manager) { +void initialize_encrypted_data(chacha20_poly1305_encrypted_data& encrypted_data, size_t data_len) { // initialize encrypted_data encrypted_data.data_len = data_len; @@ -283,12 +284,6 @@ void initialize_encrypted_data(chacha20_poly1305_encrypted_data& encrypted_data, memset(encrypted_data.mac, 0, sizeof(encrypted_data.mac)); memset(encrypted_data.nonce, 0, sizeof(encrypted_data.nonce)); - - // copy sealed seed - encrypted_data.sealed_key_len = sealing_key_manager.sealed_seed_size; - encrypted_data.sealed_key = new char[encrypted_data.sealed_key_len]; - memcpy(encrypted_data.sealed_key, sealing_key_manager.sealed_seed, encrypted_data.sealed_key_len); - } int SGX_CDECL main(int argc, char *argv[]) @@ -362,14 +357,21 @@ int SGX_CDECL main(int argc, char *argv[]) } // new encryption scheme - chacha20_poly1305_encrypted_data encrypted_data; - initialize_encrypted_data(encrypted_data, sizeof(secp256k1_keypair), sealing_key_manager); + /* chacha20_poly1305_encrypted_data encrypted_data; + initialize_encrypted_data(encrypted_data, sizeof(secp256k1_keypair)); size_t server_pubkey_size2 = 33; // serialized compressed public keys are 33-byte array unsigned char server_pubkey2[server_pubkey_size2]; sgx_status_t ecall_ret2; - generate_new_keypair2(enclave_id, &ecall_ret2, server_pubkey2, server_pubkey_size2, &encrypted_data); + generate_new_keypair2(enclave_id, &ecall_ret2, + server_pubkey2, server_pubkey_size2, + sealing_key_manager.sealed_seed, sealing_key_manager.sealed_seed_size, + &encrypted_data); + + std::string error_message2; + db_manager::save_generated_public_key(encrypted_data, server_pubkey2, server_pubkey_size2, statechain_id, error_message2); + */ auto server_seckey_hex = key_to_string(server_pubkey, server_pubkey_size); diff --git a/enclave/App/database/db_manager.cpp b/enclave/App/database/db_manager.cpp index 5885398b..1725592b 100644 --- a/enclave/App/database/db_manager.cpp +++ b/enclave/App/database/db_manager.cpp @@ -2,6 +2,8 @@ #include "../Enclave_u.h" #include "../lib/toml.hpp" +#include "../../utils/strencodings.h" +#include #include #include @@ -98,8 +100,64 @@ namespace db_manager { } // get_sealed_seed + // Assumes the buffer is large enough. In a real application, ensure buffer safety. + void serialize(const chacha20_poly1305_encrypted_data* src, unsigned char* buffer, size_t* serialized_len) { + // Copy `data_len`, `nonce`, and `mac` directly + size_t offset = 0; + memcpy(buffer + offset, &src->data_len, sizeof(src->data_len)); + offset += sizeof(src->data_len); + + memcpy(buffer + offset, src->nonce, sizeof(src->nonce)); + offset += sizeof(src->nonce); + + memcpy(buffer + offset, src->mac, sizeof(src->mac)); + offset += sizeof(src->mac); + + // Now copy dynamic `data` + memcpy(buffer + offset, src->data, src->data_len); + offset += src->data_len; + + *serialized_len = offset; + } + + // Returns a newly allocated structure that must be freed by the caller. + bool deserialize(const unsigned char* buffer, size_t serialized_len, chacha20_poly1305_encrypted_data* dest) { + + // chacha20_poly1305_encrypted_data* dest = new chacha20_poly1305_encrypted_data; + // if (!dest) return NULL; + + if (!dest) return false; + + size_t offset = 0; + memcpy(&dest->data_len, buffer + offset, sizeof(dest->data_len)); + offset += sizeof(dest->data_len); + + memcpy(dest->nonce, buffer + offset, sizeof(dest->nonce)); + offset += sizeof(dest->nonce); + + memcpy(dest->mac, buffer + offset, sizeof(dest->mac)); + offset += sizeof(dest->mac); + + dest->data = new unsigned char[dest->data_len]; + if (!dest->data) { + return false; // NULL; + } + memcpy(dest->data, buffer + offset, dest->data_len); + // offset += dest->data_len; // Not needed unless you're reading more data after this + + // return dest; + return true; + } + + void print_encrypted_data(const chacha20_poly1305_encrypted_data* data) { + std::cout << "data_len: " << data->data_len << std::endl; + std::cout << "nonce: " << key_to_string(data->nonce, sizeof(data->nonce)) << std::endl; + std::cout << "mac: " << key_to_string(data->mac, sizeof(data->mac)) << std::endl; + std::cout << "data: " << key_to_string(data->data, data->data_len) << std::endl; + } + bool save_generated_public_key( - chacha20_poly1305_encrypted_data& encrypted_data, + const chacha20_poly1305_encrypted_data& encrypted_keypair, unsigned char* server_public_key, size_t server_public_key_size, std::string& statechain_id, std::string& error_message) { @@ -126,6 +184,50 @@ namespace db_manager { txn.exec(create_table_query); txn.commit(); + + size_t serialized_len = 0; + + size_t bufferSize = sizeof(encrypted_keypair.data_len) + sizeof(encrypted_keypair.nonce) + sizeof(encrypted_keypair.mac) + encrypted_keypair.data_len; + unsigned char* buffer = (unsigned char*) malloc(bufferSize); + + if (!buffer) { + error_message = "Failed to allocate memory for serialization!"; + return false; + } + + serialize(&encrypted_keypair, buffer, &serialized_len); + assert(serialized_len == bufferSize); + + /* auto buffer_hex = key_to_string(buffer, serialized_len); + + std::cout << "---- " << std::endl; + print_encrypted_data(&encrypted_keypair); + std::cout << "---- " << std::endl; + std::cout << "buffer: " << buffer_hex << std::endl; + + // chacha20_poly1305_encrypted_data* dest = new chacha20_poly1305_encrypted_keypair; + auto dest = std::make_unique(); + bool res = deserialize(buffer, serialized_len, dest.get()); + + std::cout << "---- " << std::endl; + std::cout << "res: " << res << std::endl; + print_encrypted_data(dest.get()); + + free(buffer); */ + + std::basic_string_view sealed_data_view(reinterpret_cast(buffer), bufferSize); + std::basic_string_view public_key_data_view(reinterpret_cast(server_public_key), server_public_key_size); + + std::string insert_query = + "INSERT INTO generated_public_key (sealed_keypair, public_key, statechain_id) VALUES ($1, $2, $3);"; + pqxx::work txn2(conn); + + txn2.exec_params(insert_query, sealed_data_view, public_key_data_view, statechain_id); + txn2.commit(); + + conn.close(); + return true; + return true; } else { error_message = "Failed to connect to the database!"; diff --git a/enclave/App/database/db_manager.h b/enclave/App/database/db_manager.h index 1f48452f..6d1ba7ea 100644 --- a/enclave/App/database/db_manager.h +++ b/enclave/App/database/db_manager.h @@ -13,7 +13,7 @@ namespace db_manager { bool get_sealed_seed(char* sealed_secret, size_t sealed_secret_size, std::string& error_message); bool save_generated_public_key( - chacha20_poly1305_encrypted_data& encrypted_data, + const chacha20_poly1305_encrypted_data& encrypted_data, unsigned char* server_public_key, size_t server_public_key_size, std::string& statechain_id, std::string& error_message); diff --git a/enclave/Enclave/Enclave.cpp b/enclave/Enclave/Enclave.cpp index 30e05f30..048097fe 100644 --- a/enclave/Enclave/Enclave.cpp +++ b/enclave/Enclave/Enclave.cpp @@ -30,12 +30,13 @@ char* data_to_hex(uint8_t* in, size_t insz) void encrypt_data( chacha20_poly1305_encrypted_data *encrypted_data, + char* sealed_seed, size_t sealed_seed_len, uint8_t* raw_data, size_t raw_data_size) { unsigned char seed[32]; memset(seed, 0, 32); - unseal(encrypted_data->sealed_key, encrypted_data->sealed_key_len, seed, sizeof(seed)); + unseal(sealed_seed, sealed_seed_len, seed, sizeof(seed)); // Associated data (optional, can be NULL if not used) uint8_t *ad = NULL; @@ -45,11 +46,29 @@ void encrypt_data( assert(encrypted_data->data_len == raw_data_size); crypto_aead_lock(encrypted_data->data, encrypted_data->mac, seed, encrypted_data->nonce, ad, ad_size, raw_data, raw_data_size); + + /* char* seed_hex = data_to_hex(seed, sizeof(seed)); + ocall_print_string("seed:"); + ocall_print_string(seed_hex); + + char* mac_hex = data_to_hex(encrypted_data->mac, sizeof(encrypted_data->mac)); + ocall_print_string("mac:"); + ocall_print_string(mac_hex); + + char* nonce_hex = data_to_hex(encrypted_data->nonce, sizeof(encrypted_data->nonce)); + ocall_print_string("nonce:"); + ocall_print_string(nonce_hex); + + char* encrypted_hex = data_to_hex(encrypted_data->data, encrypted_data->data_len); + ocall_print_string("encrypted:"); + ocall_print_string(encrypted_hex); */ + } sgx_status_t generate_new_keypair2( unsigned char *compressed_server_pubkey, size_t compressed_server_pubkey_size, + char* sealed_seed, size_t sealed_seed_len, chacha20_poly1305_encrypted_data *encrypted_data) { @@ -88,7 +107,7 @@ sgx_status_t generate_new_keypair2( secp256k1_context_destroy(ctx); - encrypt_data(encrypted_data, server_keypair.data, sizeof(secp256k1_keypair::data)); + encrypt_data(encrypted_data, sealed_seed, sealed_seed_len, server_keypair.data, sizeof(secp256k1_keypair::data)); return ret; } @@ -469,7 +488,7 @@ sgx_status_t recover_seed( uint8_t* shares[threshold]; - uint32_t unsealed_data_size = key_share_data_size; + uint32_t unsealed_data_size = (uint32_t) key_share_data_size; for (size_t i = 0; i < num_key_shares; ++i) { shares[i] = new uint8_t[key_share_data_size]; diff --git a/enclave/Enclave/Enclave.edl b/enclave/Enclave/Enclave.edl index 843b6354..f0794272 100644 --- a/enclave/Enclave/Enclave.edl +++ b/enclave/Enclave/Enclave.edl @@ -13,8 +13,6 @@ enclave { [size=data_len] unsigned char* data; unsigned char nonce[24]; unsigned char mac[16]; - size_t sealed_key_len; - [size=sealed_key_len] char* sealed_key; }; trusted { @@ -22,6 +20,7 @@ enclave { public sgx_status_t generate_new_keypair2( [out, size=compressed_server_pubkey_size] unsigned char *compressed_server_pubkey, size_t compressed_server_pubkey_size, + [in, size=sealed_seed_len] char* sealed_seed, size_t sealed_seed_len, [in, out] struct chacha20_poly1305_encrypted_data* encrypted_data); public sgx_status_t generate_new_keypair(