testnet/detee-cli
3
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

moved keys out of config

Browse Source 
I believe we are currently not expecting users to change keys.
If we do, I believe we should think about the UX of changing sensitive
data in the CLI.

Also changed "signing key" to "mrsigner key", since all keys are used
for signing.
This commit is contained in:
ghe0 2025-03-21 02:38:20 +02:00
parent 53a654577d
commit 422e04a538
Signed by: ghe0
GPG Key ID: 451028EE56A0FBB4
5 changed files with 46 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
src/config.rs
View File

@ -16,6 +16,10 @@ pub struct AccountData {
locked_funds: f64,
wallet_address: String,
wallet_path: String,
hratls_pubkey: String,
hratls_path: String,
mrsigner: String,
mrsigner_key_path: String,
}
impl super::HumanOutput for AccountData {
@ -45,13 +49,7 @@ impl super::HumanOutput for AccountData {
#[derive(Serialize, Deserialize, Debug, Default)]
pub struct Config {
ssh_key_path: String,
default_dtrfs: String,
default_kernel: String,
brain_url: String,
pub hratls_pubkey: String,
pub hratls_path: String,
pub mrsigner: String,
pub signing_key_path: String,
}
#[derive(thiserror::Error, Debug)]
@ -186,25 +184,25 @@ impl Config {
pub fn init_config() -> Self {
// TODO: create if it does not exist
match Self::load_config_from_file() {
let mut config = match Self::load_config_from_file() {
Ok(config) => config,
Err(e) => {
debug!("Could not load config due to error: {e}");
eprintln!("Config file not found. Creating new config file!");
let config = Self {
hratls_pubkey: Self::get_hratls_pubkey_hex(),
hratls_path: Self::hratls_private_key_path(),
mrsigner: Self::get_mr_signer(),
signing_key_path: Self::signing_key_path(),
..Default::default()
};
let config = Self::default();
if let Err(e) = config.save_to_disk() {
log::error!("Could not save config to disk: {e}");
panic!("Could not initialize config.");
};
config
}
};
// default to testnet if there is no brain_url
// TODO: remove instruction from docs to set brain_url, since it defaults now
if config.brain_url.is_empty() {
config.brain_url = "http://164.92.249.180:31337".to_string();
}
config
}
fn create_wallet_key() -> Result<(), Error> {
@ -294,6 +292,11 @@ impl Config {
}
pub fn set_brain_url(brain_url: &str) {
let brain_url = match brain_url {
"testnet" => "http://164.92.249.180:31337",
"staging" => "http://159.65.58.38:31337",
something_else => something_else,
};
let mut config = Self::init_config();
info!("Setting brain URL to {brain_url}");
config.brain_url = brain_url.to_string();
@ -342,6 +345,12 @@ impl Config {
Err(_) => log::error!("This error should never happen. Please report this bug."),
}
// TODO: Also populate these fields:
// hratls_pubkey: String,
// hratls_path: String,
// mrsigner: String,
// signing_key_path: String,
account_data
}
}
@ -372,14 +381,14 @@ impl Config {
pubkey.iter().fold(String::new(), |acc, x| acc + &format!("{:02X?}", x))
}
fn hratls_private_key_path() -> String {
pub fn hratls_private_key_path() -> String {
Self::path_dir().unwrap() + ("/hratls_private_key.pem")
}
}
impl Config {
pub fn get_mr_signer() -> String {
let mut signing_key_mod = Self::get_signing_key().n().to_vec();
pub fn get_mrsigner() -> String {
let mut signing_key_mod = Self::get_mrsigner_rsa_key().n().to_vec();
signing_key_mod.reverse(); // make it little endian
let mut hasher = Hasher::new(MessageDigest::sha256()).unwrap();
@ -393,17 +402,17 @@ impl Config {
mr_signer.iter().fold(String::new(), |acc, x| acc + &format!("{:02X?}", x))
}
fn get_signing_key() -> Rsa<Private> {
let signing_key_pem_str =
std::fs::read_to_string(Self::signing_key_path()).unwrap_or_else(|_| {
Self::create_signing_key().expect("Failed to create enclave signing key")
fn get_mrsigner_rsa_key() -> Rsa<Private> {
let signing_key_pem_str = std::fs::read_to_string(Self::mrsigner_key_path())
.unwrap_or_else(|_| {
Self::create_mrsigner_rsa_key().expect("Failed to create enclave signing key")
});
Rsa::private_key_from_pem(signing_key_pem_str.as_ref()).unwrap()
}
fn create_signing_key() -> Result<String, Box<dyn std::error::Error>> {
let signing_key_path = Self::signing_key_path();
fn create_mrsigner_rsa_key() -> Result<String, Box<dyn std::error::Error>> {
let signing_key_path = Self::mrsigner_key_path();
if Path::new(&signing_key_path).exists() {
log::debug!("Found signing_key at {signing_key_path}");
return Err("Key already exists.".into());
@ -415,21 +424,11 @@ impl Config {
Ok(String::from_utf8(pem_pkcs8)?)
}
fn signing_key_path() -> String {
pub fn mrsigner_key_path() -> String {
Self::path_dir().unwrap() + ("/app_signing_key.pem")
}
}
pub fn get_unified_command_output(output: &std::process::Output) -> String {
format!(
"!!! stdout:\n{}\n!!! stderr:\n{}",
String::from_utf8(output.stdout.clone())
.unwrap_or("Could not grab stdout from installation script.".to_string()),
String::from_utf8(output.stderr.clone())
.unwrap_or("Could not grab stderr from installation script.".to_string())
)
}
#[cfg(test)]
mod tests {
use super::*;
@ -442,7 +441,7 @@ mod tests {
#[test]
fn test_mr_signer() {
let mr_signer = Config::get_mr_signer();
let mr_signer = Config::get_mrsigner();
println!("mr_signer: {mr_signer}",);
}
}

4
src/sgx/grpc_brain.rs
View File

@ -38,8 +38,8 @@ pub async fn new_app(app_deploy_config: AppDeployConfig) -> Result<NewAppRes> {
req.uuid = "".to_string();
req.locked_nano = locked_nano;
req.admin_pubkey = Config::get_detee_wallet().expect("No wallet found");
req.hratls_pubkey = Config::init_config().hratls_pubkey;
req.admin_pubkey = Config::get_detee_wallet()?;
req.hratls_pubkey = Config::get_hratls_pubkey_hex();
let mut daemon_serivce = BrainAppCliClient::connect(Config::get_brain_url()).await?;
let res = daemon_serivce.deploy_app(sign_request(req)?).await?;

2
src/sgx/grpc_dtpm.rs
View File

@ -39,7 +39,7 @@ pub async fn connect_dtpm_grpc_client(
) -> Result<DtpmConfigManagerClient<Channel>> {
let private_key_pem = Config::get_hratls_private_key();
let mut mr_signer = [0u8; 32];
hex::decode_to_slice(Config::init_config().mrsigner, &mut mr_signer)?;
hex::decode_to_slice(Config::get_mrsigner(), &mut mr_signer)?;
let mr_signers = vec![mr_signer];
let _ = rustls::crypto::aws_lc_rs::default_provider().install_default();

4
src/sgx/packaging.rs
View File

@ -11,8 +11,8 @@ pub fn package_enclave(
.collect::<Vec<_>>()
.join(" ");
let signing_key_path = Config::init_config().signing_key_path;
let hratls_key_path = Config::init_config().hratls_path;
let signing_key_path = Config::mrsigner_key_path();
let hratls_key_path = Config::hratls_private_key_path();
let docker_package_str = if package_type == "public" {
format!(

8
src/snp/injector.rs
View File

@ -64,7 +64,13 @@ impl Args {
if !script_result.status.success() {
return Err(Error::FailedExecution(format!(
"sev-snp-measure.py failed: {}",
crate::config::get_unified_command_output(&script_result)
format!(
"!!! stdout:\n{}\n!!! stderr:\n{}",
String::from_utf8(script_result.stdout.clone())
.unwrap_or("Could not grab stdout from installation script.".to_string()),
String::from_utf8(script_result.stderr.clone())
.unwrap_or("Could not grab stderr from installation script.".to_string())
)
)));
}
Ok(String::from_utf8(script_result.stdout)