added mRATLS to tonic examples

2024-08-24 03:41:56 +02:00 · 2024-08-24 03:41:56 +02:00 · f2f2d545b3
commit f2f2d545b3
parent e36329c4be
10 changed files with 366 additions and 2 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -19,6 +19,18 @@ ring = "0.17" # hash256
 rcgen = "0.13"
 log = "0.4"
 hex = "0.4"
 tokio-rustls = "0.26"
 tower = { version = "0.5", features = ["full"] }
 tower-http = { version = "0.5", features = ["full"] }
 hyper = "1.4.1"
 hyper-util = "0.1.7"
 hyper-rustls = { version = "0.27", features = ["http2"] }
 prost = "0.13"
 [dependencies.tonic]
 version = "0.12"
 #features = ["rustls-0_23"]
 optional = true
 [dependencies.actix-web]
 version = "4.3"
@ -52,17 +64,29 @@ version = "1"
 default-features = false
 features = ["precommit-hook", "run-cargo-test", "run-cargo-clippy"]
 [build-dependencies]
 tonic-build = "0.12"
 [features]
 default = []
 occlum = []
 reqwest = ["dep:reqwest"]
 actix-web = ["dep:actix-web", "actix-service", "actix-http"]
 tonic = ["dep:tonic"]
 [[example]]
-name = "server"
+name = "mratls_https_server"
 required-features = ["actix-web"]
 [[example]]
-name = "client"
+name = "mratls_https_client"
 required-features = ["reqwest"]
 [[example]]
 name = "mratls_grpcs_server"
 required-features = ["tonic"]
 [[example]]
 name = "mratls_grpcs_client"
 required-features = ["tonic"]
--- a/README.md
+++ b/README.md
@ -1,6 +1,7 @@
 # Occlum SGX Remote Attestation integrated in TLS connection
 Steps to test the project:
 ```
 occlum-cargo build --example server --features="occlum,actix-web"
 strip -s target/x86_64-unknown-linux-musl/debug/examples/server
@ -10,3 +11,23 @@ occlum-cargo build --example client --features="occlum,reqwest"
 strip -s target/x86_64-unknown-linux-musl/debug/examples/client
 ./build_client.sh
 ```
 ## Mutual RATLS examples
 Examples show how to use the mRATLS (Mutual Remote Attestation TLS) in different situations:
 * The first example shows how to create mRATLS HTTPS server and client
 * The second example shows how to create mRATLS GRPCs server and client
 Both the server and the client must be running inside the enclave.
 So during the remote attestation peers, acquire their RA certificates.
 And during the TLS handshake, they verify each other's RA certificates.
 The config allows to whitelist MRENCLAVE, MRSIGNER, PRODID, SVN of the peer.
 ## RATLS examples
 Example shows how to create RATLS HTTPS server and client.
 The server must be running inside the enclave.
 The client can be running anywhere.
 The server config allows to whitelist the public ec25519 key of the client.
 The client config allows to whitelist MRENCLAVE, MRSIGNER, PRODID, SVN of the server.
--- a/build.rs
+++ b/build.rs
@ -0,0 +1,6 @@
 fn main() {
    tonic_build::configure()
        .build_server(true)
        .compile(&["examples/echo.proto"], &["examples"])
        .unwrap_or_else(|e| panic!("Failed to compile protos {:?}", e));
 }
--- a/examples/echo.proto
+++ b/examples/echo.proto
@ -0,0 +1,37 @@
 /*
 *
 * Copyright 2018 gRPC authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */
 syntax = "proto3";
 package grpc.examples.unaryecho;
 // EchoRequest is the request for echo.
 message EchoRequest {
  string message = 1;
 }
 // EchoResponse is the response for echo.
 message EchoResponse {
  string message = 1;
 }
 // Echo is the echo service.
 service Echo {
  // UnaryEcho is unary echo.
  rpc UnaryEcho(EchoRequest) returns (EchoResponse) {}
 }
--- a/examples/mratls_grpcs_client.rs
+++ b/examples/mratls_grpcs_client.rs
@ -0,0 +1,64 @@
 pub mod pb {
    tonic::include_proto!("/grpc.examples.unaryecho");
 }
 use hyper::Uri;
 use hyper_util::{client::legacy::connect::HttpConnector, rt::TokioExecutor};
 use occlum_ratls::prelude::*;
 use occlum_ratls::RaTlsConfigBuilder;
 use occlum_sgx::SGXMeasurement;
 use pb::{echo_client::EchoClient, EchoRequest};
 use tokio_rustls::rustls::ClientConfig;
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mrsigner_hex = "83D719E77DEACA1470F6BAF62A4D774303C899DB69020F9C70EE1DFC08C7CE9E";
    let mut mrsigner = [0u8; 32];
    hex::decode_to_slice(mrsigner_hex, &mut mrsigner).expect("mrsigner decoding failed");
    let config = RaTlsConfig::new().allow_instance_measurement(
        InstanceMeasurement::new().with_mrsigners(vec![SGXMeasurement::new(mrsigner)]),
    );
    let tls = ClientConfig::from_ratls_config(config)
        .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, format!("{}", e)))?;
    let mut http = HttpConnector::new();
    http.enforce_http(false);
    // We have to do some wrapping here to map the request type from
    // `https://example.com` -> `https://[::1]:50051` because `rustls`
    // doesn't accept ip's as `ServerName`.
    let connector = tower::ServiceBuilder::new()
        .layer_fn(move |s| {
            let tls = tls.clone();
            hyper_rustls::HttpsConnectorBuilder::new()
                .with_tls_config(tls)
                .https_or_http()
                .enable_http2()
                .wrap_connector(s)
        })
        // Since our cert is signed with `example.com` but we actually want to connect
        // to a local server we will override the Uri passed from the `HttpsConnector`
        // and map it to the correct `Uri` that will connect us directly to the local server.
        .map_request(|_| Uri::from_static("https://[::1]:50051"))
        .service(http);
    let client = hyper_util::client::legacy::Client::builder(TokioExecutor::new()).build(connector);
    // Using `with_origin` will let the codegenerated client set the `scheme` and
    // `authority` from the provided `Uri`.
    let uri = Uri::from_static("https://example.com");
    let mut client = EchoClient::with_origin(client, uri);
    let request = tonic::Request::new(EchoRequest {
        message: "hello".into(),
    });
    let response = client.unary_echo(request).await?;
    println!("RESPONSE={:?}", response);
    Ok(())
 }
--- a/examples/mratls_grpcs_server.rs
+++ b/examples/mratls_grpcs_server.rs
@ -0,0 +1,114 @@
 pub mod pb {
    tonic::include_proto!("/grpc.examples.unaryecho");
 }
 use hyper::server::conn::http2::Builder;
 use hyper_util::{
    rt::{TokioExecutor, TokioIo},
    service::TowerToHyperService,
 };
 use pb::{EchoRequest, EchoResponse};
 use std::sync::Arc;
 use tokio::net::TcpListener;
 use tokio_rustls::{
    rustls::{pki_types::CertificateDer, ServerConfig},
    TlsAcceptor,
 };
 use tonic::{body::boxed, service::Routes, Request, Response, Status};
 use tower::ServiceBuilder;
 use tower::ServiceExt;
 use occlum_ratls::prelude::*;
 use occlum_ratls::RaTlsConfigBuilder;
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let mrsigner_hex = "83D719E77DEACA1470F6BAF62A4D774303C899DB69020F9C70EE1DFC08C7CE9E";
    let mut mrsigner = [0u8; 32];
    hex::decode_to_slice(mrsigner_hex, &mut mrsigner).expect("mrsigner decoding failed");
    let config = RaTlsConfig::new().allow_instance_measurement(
        InstanceMeasurement::new().with_mrsigners(vec![SGXMeasurement::new(mrsigner)]),
    );
    let mut tls = ServerConfig::from_ratls_config(config)
        .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, format!("{}", e)))?;
    tls.alpn_protocols = vec![b"h2".to_vec()];
    let server = EchoServer::default();
    let svc = Routes::new(pb::echo_server::EchoServer::new(server)).prepare();
    let http = Builder::new(TokioExecutor::new());
    let listener = TcpListener::bind("[::1]:50051").await?;
    let tls_acceptor = TlsAcceptor::from(Arc::new(tls));
    loop {
        let (conn, addr) = match listener.accept().await {
            Ok(incoming) => incoming,
            Err(e) => {
                eprintln!("Error accepting connection: {}", e);
                continue;
            }
        };
        let http = http.clone();
        let tls_acceptor = tls_acceptor.clone();
        let svc = svc.clone();
        tokio::spawn(async move {
            let mut certificates = Vec::new();
            let conn = tls_acceptor
                .accept_with(conn, |info| {
                    if let Some(certs) = info.peer_certificates() {
                        for cert in certs {
                            certificates.push(cert.clone());
                        }
                    }
                })
                .await
                .unwrap();
            let extension_layer =
                tower_http::add_extension::AddExtensionLayer::new(Arc::new(ConnInfo {
                    addr,
                    certificates,
                }));
            let svc = ServiceBuilder::new().layer(extension_layer).service(svc);
            http.serve_connection(
                TokioIo::new(conn),
                TowerToHyperService::new(svc.map_request(|req: hyper::Request<_>| req.map(boxed))),
            )
            .await
            .unwrap();
        });
    }
 }
 #[derive(Debug)]
 struct ConnInfo {
    addr: std::net::SocketAddr,
    certificates: Vec<CertificateDer<'static>>,
 }
 type EchoResult<T> = Result<Response<T>, Status>;
 #[derive(Default)]
 pub struct EchoServer {}
 #[tonic::async_trait]
 impl pb::echo_server::Echo for EchoServer {
    async fn unary_echo(&self, request: Request<EchoRequest>) -> EchoResult<EchoResponse> {
        let conn_info = request.extensions().get::<Arc<ConnInfo>>().unwrap();
        println!(
            "Got a request from: {:?} with certs: {:?}",
            conn_info.addr, conn_info.certificates
        );
        let message = request.into_inner().message;
        Ok(Response::new(EchoResponse { message }))
    }
 }
--- a/examples/mratls_https_client.rs
+++ b/examples/mratls_https_client.rs
--- a/examples/mratls_https_server.rs
+++ b/examples/mratls_https_server.rs
--- a/src/http/mod.rs
+++ b/src/http/mod.rs
@ -2,3 +2,4 @@
 pub mod actix_web;
 #[cfg(feature = "reqwest")]
 pub mod reqwest;
 //mod tonic_server;
--- a/src/http/tonic_server.rs
+++ b/src/http/tonic_server.rs
@ -0,0 +1,97 @@
 use hyper::server::conn::http2::Builder;
 use hyper_util::{
    rt::{TokioExecutor, TokioIo},
    service::TowerToHyperService,
 };
 use std::sync::Arc;
 use tokio::net::TcpListener;
 use tokio_rustls::{
    rustls::{pki_types::CertificateDer, ServerConfig},
    TlsAcceptor,
 };
 use tonic::transport::server::TcpIncoming;
 use tonic::{body::boxed, service::Routes, Request, Response, Status};
 use tower::ServiceExt;
 use tower_http::ServiceBuilderExt;
 use crate::{config::RaTlsConfig, RaTlsConfigBuilder};
 fn bind_ratls(config: RaTlsConfig) -> Result<(), std::io::Error> {
    let config = ServerConfig::from_ratls_config(config)
        .map_err(|e| std::io::Error::new(std::io::ErrorKind::Other, format!("{}", e)))?;
    let tls_acceptor = TlsAcceptor::from(Arc::new(config));
    // add tls_acceptor to the server
    let incoming = TcpIncoming::new("[::1]:50051".parse().unwrap(), true, None)?;
    let svc = tower::ServiceBuilder::new()
        .add_extension(Arc::new(ConnInfo { addr, certificates }))
        .service(svc);
    self.bind_rustls_0_23(addr, config)
 }
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let listener = TcpListener::bind("[::1]:50051").await?;
    let tls_acceptor = TlsAcceptor::from(Arc::new(tls));
    loop {
        let (conn, addr) = match listener.accept().await {
            Ok(incoming) => incoming,
            Err(e) => {
                eprintln!("Error accepting connection: {}", e);
                continue;
            }
        };
        let http = http.clone();
        let tls_acceptor = tls_acceptor.clone();
        let svc = svc.clone();
        tokio::spawn(async move {
            let mut certificates = Vec::new();
            let conn = tls_acceptor
                .accept_with(conn, |info| {
                    if let Some(certs) = info.peer_certificates() {
                        for cert in certs {
                            certificates.push(cert.clone());
                        }
                    }
                })
                .await
                .unwrap();
            http.serve_connection(
                TokioIo::new(conn),
                TowerToHyperService::new(svc.map_request(|req: http::Request<_>| req.map(boxed))),
            )
            .await
            .unwrap();
        });
    }
 }
 #[derive(Debug)]
 struct ConnInfo {
    addr: std::net::SocketAddr,
    certificates: Vec<CertificateDer<'static>>,
 }
 type EchoResult<T> = Result<Response<T>, Status>;
 #[derive(Default)]
 pub struct EchoServer {}
 #[tonic::async_trait]
 impl pb::echo_server::Echo for EchoServer {
    async fn unary_echo(&self, request: Request<EchoRequest>) -> EchoResult<EchoResponse> {
        let conn_info = request.extensions().get::<Arc<ConnInfo>>().unwrap();
        println!(
            "Got a request from: {:?} with certs: {:?}",
            conn_info.addr, conn_info.certificates
        );
        let message = request.into_inner().message;
        Ok(Response::new(EchoResponse { message }))
    }
 }