Untrusted-Enclave Remote Attestation code sample
This code sample contains an implementation of Integrating Remote Attestation with Transport Layer Security, with the modification of the untrusted side.
Requirements
To use this code sample, one needs to register at Intel website for dev IAS service access. Once the registration is finished, the following stuff should be ready:
- An SPID assigned by Intel
- IAS API Key assigned by Intel
Both of these information could be found in the new Intel Trusted Services API Management Portal. Please log into this portal and switch to "Manage subscriptions" page on the top right corner to see your SPID and API keys. Either primary key or secondary key works.
Save them to ue-ra-server's bin/spid.txt
and bin/key.txt
respectively. Size of these two files should be 32 or 33.
Custom CA/client setup
To establish a TLS channel, we need a CA and generates a client cert for mutual authentication. We store them at cert
.
-
Generate CA private key
openssl ecparam -genkey -name prime256v1 -out ca.key
-
Generate CA cert
openssl req -x509 -new -SHA256 -nodes -key ca.key -days 3650 -out ca.crt
-
Generate Client private key
openssl ecparam -genkey -name prime256v1 -out client.key
-
Export the keys to pkcs8 unencrypted format
openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pkcs8
-
Generate Client CSR
openssl req -new -SHA256 -key client.key -nodes -out client.csr
-
Generate Client Cert
openssl x509 -req -extfile <(printf "subjectAltName=DNS:localhost,DNS:www.example.com") -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
-
Intel CA report signing pem. Download and uncompress:
https://software.intel.com/sites/default/files/managed/7b/de/RK_PUB.zip
Embedding IAS credentials to ue-ra-server
enclave/src/lib.rs
contains two funcs load_spid
and get_ias_api_key
. These two functions are configured to load spid/api key from spid.txt
and key.txt
from bin
directory respectively. One can either adjust the file paths/names or copy the spid/key to bin
. spid.txt
and key.txt
should only contain one line of 32 chars such as DEADBEAFDEADBEAFDEADBEAFDEADBEAF
.
Run
Start server
cd ue-ra-server
make
cd bin
./app (add --unlink if your spid's type is unlinkable)
Start client
cd ue-ra-client
cargo run
Start client-go (golang should be installed)
cd ue-ra-client-go
make
cd bin
./app
Start client-java (Java:1.8+, mvn)
cd ue-ra-client-java
mvn install
java -jar target/ue-ra-client-java-0.0.1-SNAPSHOT.jar