occlum-ratls 0.4.5

Lib for remote attestation between occlum instances
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128

use crate::{RaTlsConfigBuilder, RaTlsError};

#[cfg(feature = "occlum")]
use occlum_sgx::SGXQuote;

pub use occlum_sgx::SGXMeasurement;
use rustls::{ClientConfig, ServerConfig};

#[derive(Default)]
pub struct RaTlsConfig {
    #[cfg(feature = "occlum")]
    pub(crate) allowed_instances: Vec<InstanceMeasurement>,
}

#[cfg(feature = "occlum")]
#[derive(Default, Clone)]
pub struct InstanceMeasurement {
    pub(crate) mrsigners: Option<Vec<SGXMeasurement>>,
    pub(crate) mrenclaves: Option<Vec<SGXMeasurement>>,
    pub(crate) product_ids: Option<Vec<u16>>,
    pub(crate) versions: Option<Vec<u16>>,
}

#[cfg(feature = "occlum")]
impl InstanceMeasurement {
    pub fn new() -> Self {
        Self::default()
    }

    pub fn with_mrsigners(self, mrsigners: Vec<SGXMeasurement>) -> Self {
        Self {
            mrsigners: Some(mrsigners),
            ..self
        }
    }

    pub fn with_mrenclaves(self, mrenclaves: Vec<SGXMeasurement>) -> Self {
        Self {
            mrenclaves: Some(mrenclaves),
            ..self
        }
    }

    pub fn with_product_ids(self, product_ids: Vec<u16>) -> Self {
        Self {
            product_ids: Some(product_ids),
            ..self
        }
    }

    pub fn with_versions(self, versions: Vec<u16>) -> Self {
        Self {
            versions: Some(versions),
            ..self
        }
    }

    pub(crate) fn check_quote_measurements(&self, quote: &SGXQuote) -> bool {
        let mut result = false;
        if let Some(mrsigners) = &self.mrsigners {
            result = true;
            let value = quote.mrsigner();
            if !mrsigners.contains(&value) {
                return false;
            }
        }
        if let Some(mrenclaves) = &self.mrenclaves {
            result = true;
            let value = quote.mrenclave();
            if !mrenclaves.contains(&value) {
                return false;
            }
        }

        if let Some(product_ids) = &self.product_ids {
            result = true;
            let value = quote.product_id();
            if !product_ids.contains(&value) {
                return false;
            }
        }

        if let Some(versions) = &self.versions {
            result = true;
            let value = quote.version();
            if !versions.contains(&value) {
                return false;
            }
        }

        result
    }
}

impl RaTlsConfig {
    pub fn new() -> Self {
        Self::default()
    }

    #[cfg(feature = "occlum")]
    pub fn allow_instance_measurement(mut self, instance_measurement: InstanceMeasurement) -> Self {
        self.allowed_instances.push(instance_measurement);
        self
    }

    #[cfg(feature = "occlum")]
    pub(crate) fn is_allowed_quote(&self, quote: &SGXQuote) -> Result<(), RaTlsError> {
        match self
            .allowed_instances
            .iter()
            .any(|im| im.check_quote_measurements(quote))
        {
            true => Ok(()),
            false => Err(RaTlsError::QuoteVerifyError(format!(
                "{:?} is not allowed",
                quote
            ))),
        }
    }

    pub fn into_server_config(self) -> Result<ServerConfig, RaTlsError> {
        ServerConfig::from_ratls_config(self)
    }

    pub fn into_client_config(self) -> Result<ClientConfig, RaTlsError> {
        ClientConfig::from_ratls_config(self)
    }
}