Occlum SGX Remote Attestation integrated in TLS connection

The MRSIGNER of the example/signing_key.pem is hardcoded in the enclave code:

83E8A0C3ED045D9747ADE06C3BFC70FCA661A4A65FF79A800223621162A88B76

You can generate your own signing key. Just use the following command:

openssl genrsa -3 -out signing_key.pem 3072

To get the MRSIGNER of the key, compile this project and use the following command:

./mrsigner signing_key.pem
# For the example/signing_key.pem the output is:
6871A831CED408CD99F0ED31587CC2B5C728C99D4A0A1ADF2F0C5574EBBB00DC
# FIXME: Which is different from the real MRSIGNER by Occlum:
83E8A0C3ED045D9747ADE06C3BFC70FCA661A4A65FF79A800223621162A88B76

Running Examples

Before running make sure you have installed the Occlum and the SGX driver. You should also have the Occlum Rust toolchain installed to get occlum-cargo. To test the project just run client and server scripts in different terminals:

./build_server.sh
./build_client.sh

Mutual RATLS examples

Examples show how to use the mRATLS (Mutual Remote Attestation TLS) in different situations:

• The first example shows how to create mRATLS HTTPS server and client
• The second example shows how to create mRATLS GRPCs server and client

Both the server and the client must be running inside the enclave. So during the remote attestation peers, acquire their RA certificates. And during the TLS handshake, they verify each other's RA certificates. The config allows to whitelist MRENCLAVE, MRSIGNER, PRODID, SVN of the peer.

RATLS examples

Example shows how to create RATLS HTTPS server and client. The server must be running inside the enclave. The client can be running anywhere. The server config allows to whitelist the public ec25519 key of the client. The client config allows to whitelist MRENCLAVE, MRSIGNER, PRODID, SVN of the server.