This code sample contains an implementation of "Integrating Remote Attestation with Transport Layer Security", with modifications on the untrusted side.
To use this code sample, one needs to register on the Intel website for access to the dev IAS service. Once the registration is finished, two items should be ready: your SPID and an IAS API key.
Both can be found in the new Intel Trusted Services API Management Portal. Log into this portal and switch to the "Manage subscriptions" page (top right corner) to see your SPID and API keys. Either the primary key or the secondary key works.
Save them to ue-ra-server's bin/spid.txt and bin/key.txt respectively. Each of these two files should be 32 bytes in size (33 if it ends with a single trailing newline).
To establish a TLS channel, we need a CA and a client cert signed by it for mutual authentication. They are stored in the cert directory.
Generate CA private key:
openssl ecparam -genkey -name prime256v1 -out ca.key
Generate CA cert:
openssl req -x509 -new -SHA256 -nodes -key ca.key -days 3650 -out ca.crt
Generate Client private key:
openssl ecparam -genkey -name prime256v1 -out client.key
Export the key to unencrypted PKCS#8 format:
openssl pkcs8 -topk8 -nocrypt -in client.key -out client.pkcs8
Generate Client CSR:
openssl req -new -SHA256 -key client.key -nodes -out client.csr
Generate Client Cert:
openssl x509 -req -extfile <(printf "subjectAltName=DNS:localhost,DNS:www.example.com") -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
The last command uses process substitution (<(...)), which is a bash feature; run it in bash rather than plain sh. The openssl req commands prompt interactively for the subject fields unless you pass -subj.
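The six openssl steps above as one non-interactive script, followed by the checks a practitioner would want before pointing the server at the cert directory: the client cert chains to the CA, carries the expected SAN, and matches the key exported to PKCS#8. This is an added example, not a script from the ue-ra sample; the subject names, the output directory argument and the temporary extension file (used instead of the bash-only process substitution) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the ue-ra sample. Generates the CA and client
# certificate described in the readme and verifies the result.
# Usage: sh gen_certs.sh cert   (creates and checks the files under ./cert)
set -eu

# gen_ra_tls_certs DIR: create ca.key, ca.crt, client.key, client.pkcs8 and
# client.crt in DIR, mirroring the readme's openssl commands.
gen_ra_tls_certs() {
    dir="$1"
    mkdir -p "$dir"
    # CA key on P-256 (prime256v1), -noout keeps the EC PARAMETERS block out of the file
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ca.key"
    # Self-signed CA cert; -subj (an assumed name) avoids the interactive prompt
    openssl req -x509 -new -sha256 -nodes -key "$dir/ca.key" -days 3650 \
        -subj "/CN=ue-ra example CA" -out "$dir/ca.crt"
    # Client key, plus the unencrypted PKCS#8 export the clients load
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/client.key"
    openssl pkcs8 -topk8 -nocrypt -in "$dir/client.key" -out "$dir/client.pkcs8"
    # Client CSR
    openssl req -new -sha256 -key "$dir/client.key" -nodes \
        -subj "/CN=ue-ra example client" -out "$dir/client.csr"
    # A real extension file replaces the readme's <(printf ...) so this runs under sh
    printf 'subjectAltName=DNS:localhost,DNS:www.example.com\n' > "$dir/client.ext"
    openssl x509 -req -sha256 -extfile "$dir/client.ext" -days 3650 \
        -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client.crt"
}

# verify_ra_tls_certs DIR: succeed only if client.crt chains to ca.crt, carries
# the localhost SAN, and its public key matches the PKCS#8 private key.
verify_ra_tls_certs() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null &&
    openssl x509 -in "$dir/client.crt" -noout -text | grep -q 'DNS:localhost' &&
    [ "$(openssl x509 -in "$dir/client.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/client.pkcs8" -pubout)" ]
}

if [ "$#" -gt 0 ]; then
    gen_ra_tls_certs "$1"
    verify_ra_tls_certs "$1" && echo "certificates in $1 verified"
fi
```

The verification step is the one worth keeping around: a client cert that does not chain to ca.crt, or a client.pkcs8 that belongs to a different key than client.crt, fails the TLS handshake with an error that is much harder to diagnose than these three checks.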
Intel's IAS report-signing CA certificate (PEM) is also needed. Download and uncompress: https://software.intel.com/sites/default/files/managed/7b/de/RK_PUB.zip
enclave/src/lib.rs contains two functions, load_spid and get_ias_api_key. They are configured to load the SPID and the API key from spid.txt and key.txt in the bin directory respectively. One can either adjust the file paths/names or copy the SPID/key files to bin. spid.txt and key.txt should each contain only one line of 32 characters, such as DEADBEAFDEADBEAFDEADBEAFDEADBEAF.
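A pre-flight check for the two credential files, as an added example that is not part of the ue-ra sample: it enforces what load_spid and get_ias_api_key expect (a single line of 32 hexadecimal characters, file size 32 or 33 bytes) so that a stray CRLF, a trailing space or a pasted value of the wrong length is caught before the server tries to contact IAS. The bin directory argument and the message wording are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the ue-ra sample. Validates bin/spid.txt and
# bin/key.txt before starting the server.
# Usage: sh check_creds.sh ue-ra-server/bin
set -eu

# check_ias_credential FILE: return 0 if FILE holds exactly one line of 32 hex
# characters (optionally followed by one newline), 1 otherwise with a reason.
check_ias_credential() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "$f: missing" >&2
        return 1
    fi
    # The readme's rule: 32 bytes, or 33 with a trailing newline. A CRLF
    # ending (34 bytes) or an extra blank line is rejected here.
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -ne 32 ] && [ "$size" -ne 33 ]; then
        echo "$f: size is $size bytes, expected 32 or 33" >&2
        return 1
    fi
    # Command substitution strips trailing newlines only, so a trailing space,
    # a carriage return or a non-hex character still fails the pattern.
    value=$(cat "$f")
    if ! printf '%s' "$value" | grep -Eq '^[0-9A-Fa-f]{32}$'; then
        echo "$f: expected exactly 32 hexadecimal characters" >&2
        return 1
    fi
    return 0
}

# check_ias_credentials BIN_DIR: check both files the enclave code reads.
check_ias_credentials() {
    check_ias_credential "$1/spid.txt" && check_ias_credential "$1/key.txt"
}

if [ "$#" -gt 0 ]; then
    check_ias_credentials "$1" && echo "spid.txt and key.txt look valid"
fi
```

Values are checked for shape only; whether the SPID is linkable or unlinkable, which decides the --unlink flag, is not visible from the file and has to be taken from the portal.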
Start server:
cd ue-ra-server
make
cd bin
./app (add --unlink if your SPID's type is unlinkable)
Start client:
cd ue-ra-client
cargo run
Start client-go (Go should be installed):
cd ue-ra-client-go
make
cd bin
./app
Start client-java (Java 1.8+ and mvn):
cd ue-ra-client-java
mvn install
java -jar target/ue-ra-client-java-0.0.1-SNAPSHOT.jar