Build a RUST Server/Client EDP Application Using Confidential Computing Manager Issued Certificates and Trusted CA

Overview

This example shows how certificates can be used for authenticating other parties.

In em-app/examples/ there are 2 folders: 

• server - holds an example that listens on a hardcoded address.

• client - holds an example that connects to the hardcoded address.

Both applications use a hardcoded certificate authority public key for peer verifications. This is obtained through the './register_and_run.sh' script from the account where they are added. This can be done manually as well.

The register_and_run.sh script above is only meant as an example and the script automates the following steps:

• Building the SGX application

• Registering the EDP application with Fortanix Confidential Computing Manager (CCM), and

• Running the EDP application

To do the above steps manually, refer to the article Bringing EDP RUST Apps to Fortanix Confidential Computing Manager.

Example for Good Weather Usage

Server-side operations

• Update ./config file in https://github.com/fortanix/rust-sgx/tree/master/em-app/examples/server folder with credentials, the desired account, and application names.

• Run ./register_and_run.sh' script which automates the steps for building the SGX application/Registering the EDP application with Fortanix CCM, and Running the EDP application.

• Logs:

  em-app/examples/server$ ./register_and_run.sh ./config
  Logged in
      export token=Q3SxmoKzaq8sW6vl6HoDL4Qs2xNxSdotwFobt2LRSxeyjaP-AB0Lh5UfJ0UcZ0KSX9dGZOlDvgo-3mPPKVcQuQ
      export em_url=https://localhost:9090
  Account selected
  Building application.
     Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/server)
      Finished dev [unoptimized + debuginfo] target(s) in 0.35s
  Signing application.
  Application configuration finished.
  Domain whitelisting finished.
  Build configuration finished
  Build whitelist result: SUCCESS
  Build whitelisting finished
  Application: obtained signed certificate from EM: {
    "task_id": "807ec66f-4c03-41e5-a374-15786a7812ef",
    "task_status": "SUCCESS",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIEljCCAv6gAwIBAgIUc4vW9ugcTYTEeq7+fAmpmuDICFQwDQYJKoZIhvcNAQEL\nBQAwgZIxNTAzBgsrBgEEAYOEGgEDAQwkZGFhMTJjNDctMGRhNy00OGU5LTlhMjUt\nOTUzMjc3NGI4N2Q4MTUwMwYLKwYBBAGDhBoBAwIMJGRjYjNjNDM5LWYyYWEtNGMz\nOS05ODMzLTkzNjYzYjY2NjQ1MDEiMCAGA1UEAwwZRGVmYXVsdCBFbmNsYXZlIFpv\nbmUgUm9vdDAeFw0yMDA2MjExNzU1MzlaFw0yMDA5MTkxNzU1MzlaMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOPY\n2/Ai+5a+yT7lFKdQcw8THWoJrbBPEXgyZxSyTONwtVYzjl7MN/lCGXa4z4FsjYtA\ndcz25egTYuo6tAQVxzfI3d1Ol/jPnlP2rRbjSQNOWzFoF249lX8TotUdeoc1gf3k\nYLw9sXWho9T82yL+tEIlVsAb9yHIS0H4ngrPGMTxHONA+GUEZMa0xTdtDAWXCe4a\nco0YfYAtvc9PioSSqKvRBq8VtSeiV0jm5+pPUEybMDrJl/Yf6OP9ybM7H9pKrSR0\nidcDPmNqS25Rb7/vv5njJl4Z5PeWY8fSYnQuwx3znXMVkZiuO967u3XKjrdhoEsG\nMoStqyfz2DfntVrrxMX1dN80WHXMtMsY1Hb/6aAcqng7lSnj6CwA4ck2QuG/GKZk\nZb60+mgM55zEx3tRWrgrfjDnDR5NZO1i746J8z7/Sv9oWOxKZb2gK1dxFCnJAKqz\nBlf8mHaPsc9aZNRjYuGE+bM0hmEM9MpGvJvm6nqOA8drJpRB0zrKv8Zz0Z+rxwID\nAQABo2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHoAAwHwYDVR0jBBgw\nFoAU9zdN/tMOiA5RVvoamoRa+lSEVW4wHQYDVR0OBBYEFMnPfxebGaSdtvltsT85\nHV/kqT3BMA0GCSqGSIb3DQEBCwUAA4IBgQAGLpuMrqVaU0VdLVZ3eQudN+z5I/nw\n/6QsL6lnLq+pKxfhZbmp7KcD5om6LpV2JxBWxurrSdU0s7UfKLPk0KASiNOHvX2D\nHNnQO05OZWNG+23Z1rUvQU8Le74D8vCU6UDnUOh/lqWRrGLywZ08eBcmIa/08SwD\nrLdlJ5ZOUqzyUlPFaAxeaHTi8D0U/8mSGtsZXMHSYNkxWgJh7kn4G77Okii6mM72\nXqMMf0xfyNjAAKi8+HmMvzGgKgAfKmiXiERxl27spZ7KIhC0QW9EHo4E3jZh1nFr\ncMR8UyFw0IWf9xzgbkvL2Tl6kdq2FJc6X4usIl3mtz4o0U/4sYIKTckKR1hRsQqB\nKLZFrmjXkMzLBCq1Jwcytgcdoqv6si/Aze5qWUUasiqqWQ3g75500tePXhOvgBlH\n0yyTNxbCiIua8loJG8khfpPyFN+zcxyXzIbJEYYabrRR8uCu6Q3ULF3RuTAb/X1N\nf66F1T4vMauDwNSsa72LmrnwYsrKbprhvcQ=\n-----END CERTIFICATE-----\n"
  }
  Waiting for clients on: "localhost:21000"
  Handled client: V4(127.0.0.1:33426)

  Bash

  Copy

Client-Side Operations

• Update ./config file in https://github.com/fortanix/rust-sgx/tree/master/em-app/examples/client folder with credentials, the desired account, and application names.

• Run './register_and_run.sh' script which automates the steps for building the SGX application/Registering the EDP application with Fortanix CCM, and Running the EDP application.

• Logs:

  em-app/examples/client$ ./register_and_run.sh ./config
  Logged in
      export token=SiMxMNM7-_qcTvOxRyesVrnINfsvz09rtlY2Niw7KQNPI16FZoBBtd1W-Glkt2A5ASbwXp0xhwb3lFh-ITE6_g
      export em_url=https://localhost:9090
  Account selected
  Building application.
     Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/client)
      Finished dev [unoptimized + debuginfo] target(s) in 0.31s
  Signing application.
  Application configuration finished.
  Domain whitelisting finished.
  Build configuration finished
  Build whitelisting finished
  Application: obtained signed certificate from EM: {
    "task_id": "1e72abe6-f12d-4123-a00a-4b9513caa0c6",
    "task_status": "SUCCESS",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIEljCCAv6gAwIBAgIUGsKTopB4hHT1yqL+PLeYT/JkVPkwDQYJKoZIhvcNAQEL\nBQAwgZIxNTAzBgsrBgEEAYOEGgEDAQwkZGFhMTJjNDctMGRhNy00OGU5LTlhMjUt\nOTUzMjc3NGI4N2Q4MTUwMwYLKwYBBAGDhBoBAwIMJGRjYjNjNDM5LWYyYWEtNGMz\nOS05ODMzLTkzNjYzYjY2NjQ1MDEiMCAGA1UEAwwZRGVmYXVsdCBFbmNsYXZlIFpv\nbmUgUm9vdDAeFw0yMDA2MjExNzU1NThaFw0yMDA5MTkxNzU1NThaMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAM2T\no1EQ+UicqPDiWJqy7hZsL/6LfKx1egNeoK1fgjD5TRZSMLy4muUGEauL8aXSJijS\nfsV7G6NK6zyGaKWnF3hY36uuHdSPJ+E3f4WUP0aw3EGGmiHCNmRUlZAGq/ZhCM9G\nTiKka42lnECbKR9+s3QAQFZZobs8OF47uDGyiDBnT7skNOGEj/RBtiPOq0UUSgKD\nqsDLkopgIdqwMpU1Ra0fROw7k4fYb+yPfkalCBNSgl+WJS4iSio2Ssbt5/UOAKPt\nIYavhP4DvHO+/VdQ6yd9X5Up3vJXQsY8nPoSXSSTUZXMvq1PPCp7WHwexI3qil14\nDdaBbiqmZmK74pr3MF+S/sOI9Mi1/NCnleB33RwKvgcQSFbDua3Q2EqvBBh/nsUq\nqlycxzKoVVLzHjg2vQ24NF6hRe41YzLCb627FN/aMBn4GC7NSczYFz8KDEmAgOqC\npJoKWl/84lSHVy05dlkTgjKYqrDaz4E8VY9XIWy+8EEh1D9SVi+tgAZH8cqzgwID\nAQABo2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHoAAwHwYDVR0jBBgw\nFoAU9zdN/tMOiA5RVvoamoRa+lSEVW4wHQYDVR0OBBYEFNxG/pSKpB0U86WVQlUG\nr5/ULwoPMA0GCSqGSIb3DQEBCwUAA4IBgQCh3NRZ7ac09kQJpmCKlhjzK5kIeBCa\nxi/34vf+EePTb1x8+Zsj9NscyW+POyZy3wwLJ+ELHGVD/hX92kHHsIa10U0WjULu\nTfIcBe/c70EiVNt+j8Awu46wO++P9QWu5Pu/oGpXRPKf/CyBW7+y8rNUZnVOCHDi\nIbrgil6KHMc35jt8TVuVxn8nH2Am8Iz7IEYjoq1pnDVYItf/OcsKsF9xuumDYS04\nhB79KDeemkhc/gX2lzdO1BGlL85A+lQO+pVIa6C0tsgndHB/P3qsCVkj/6zK83We\nHeOHhQd47u+q3eb0HUjueShPuk+cfCkn54kaOzKYlVni4Pcv8bJsKmPrpVNPFpiw\n5zX8T+bylkJygbVf32zfft10vxqWZtOUV0GRHjbvNo4Kfp+BPfkNK87M136Y7C7/\nFmaU+pbRoZZH8Enl8VWkL2O9JlbShwF/vjkUlS1USxzFhK4tHF03mIl0boe2ijo1\nyddDuwUFmTVlZNPPz0NVz5bjgYWLclgsBg8=\n-----END CERTIFICATE-----\n"
  }
  Application: received data from server: "Hello world from server".
  Client finished

  Bash

  Copy

Example for Bad Actor Server

A properly configured client attempts to connect to a server that does not have a certificate signed by the expected CA:

Client sees an error:

Error: "Error in client: \"TLS Session error: X509CertVerifyFailed\""

Full Log:

$ ./register_and_run.sh ./config
Logged in
    export token=YFOUM4UFazRrkhruZMTIjeSTMAS_0Cy5b110TFF7i_LE6LgzvX8zTtArFhZA7I5-BPQI2vT2lwb2sE7jQ2OyOw
    export em_url=https://localhost:9090
Account selected
Building application.
   Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/client)
    Finished dev [unoptimized + debuginfo] target(s) in 0.32s
Signing application.
Creating application
Application configuration finished.
Domain whitelist result: SUCCESS
Domain whitelisting finished.
Build configuration finished
Build whitelist result: SUCCESS
Build whitelisting finished
Application: obtained signed certificate from EM: {
  "task_id": "bd661840-1d9f-45ed-898b-0ad30bc5229d",
  "task_status": "SUCCESS",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIEljCCAv6gAwIBAgIUIn4xxQzzZ0/qCP7D+71O+cMuWX8wDQYJKoZIhvcNAQEL\nBQAwgZIxNTAzBgsrBgEEAYOEGgEDAQwkNTkzNTdiZTMtOTJlMC00MzA0LWE4NGUt\nZWVmZWU5ZDU0ZTRkMTUwMwYLKwYBBAGDhBoBAwIMJDBkNTUxMDk5LWViZjEtNDQz\nYy05Yzk5LTRkMDJkYWI3MTUyNzEiMCAGA1UEAwwZRGVmYXVsdCBFbmNsYXZlIFpv\nbmUgUm9vdDAeFw0yMDA2MjExODIzMTVaFw0yMDA5MTkxODIzMTVaMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALbS\nRi2T0jbm6+YrVvibNARhI7qeSwqtLWmFYVcDLC3dRz/9Q32gl9ttS0WjIg5fcv78\ninCx5hzNhltVTCAoubl6NvA8paIBy0k7xdFAlsmueN0xdn0MssXEwEru63ZBI3uk\nicf92fsO2VBZE4jHz0J0VB887y4+lzi9u4om7p+HtC8y43fadORoG29zucG8D59h\nvJ+pJ2UunVC+AoF9L6cMEhYZspuwXhKTF3r9dStJYUP4KyVSW8eeXgGbj5rkDh1N\ncUkstaABQAiSkKjrBGIHQowlyTkjVo7xckmyhpST48kPI4JIIILvpYZpg/I9ziUh\nJEJ05O6pXbdQ5Y/n55e5092vdIpuduCiFHYO072OaxaPJla3Z3OTgxNdhD8OYhHQ\nUzlVy0EEXu0ZqQ/XCKFWGgydjb3yr3XgL4nO25WM2/93ijlWcvZj1zDc0dSuHx4f\n3go0PEaHFMwjL4zH8S5eDrmZvLecEMjyTT1+dk3YgHpz1MZmb0/xsBkXQR8VoQID\nAQABo2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHoAAwHwYDVR0jBBgw\nFoAUzbLRZO5mx4TsGKKIMUDuW29w8vowHQYDVR0OBBYEFI7dCHXF0l2xExuk4gYX\nutA2GFE8MA0GCSqGSIb3DQEBCwUAA4IBgQBJdFE96hVlSljxOM1dy9la7GZ23J8r\nMKO/YqAcAAPP60BtDZDA2Vb5jjX2zp9G8kJfbfZzQmZSaVIhuDcsYwD5uighXuU+\nBG14szMAfn18rh+NUreG+fImVRbKKzRbikuC4KEpZOGzlhvtzv1HnS+lk2EkAZl7\nbSqdzk1nrfDG3aWhNwzl8ij/yN3ezrmW1euUtcyPXmJMmuxbSeFigL1G/lpDSNqg\naHzJn9YZuImZ7ewF1ioqg8kU+P/rHG2ZbCWJdKJTafJ0zwHL42rMKle0ZY8Ky1V2\n3HwmqELWKCrP8MeJdK25jPwGqOzfIL6XLGscxS10/7DCS9zS7aGepT1/Ed1VvsIF\noyrcgkCDo5xn09+1rRImae23+dRZGUxG6hgW8jEcACeediD3Y/PTmYTxMNmSNhSY\n6G17HC9zhGPjqUECMtQ1R9dpyKoDylDP2Oi23qHuk0ZFfMfxEaahCmsongrrJ0Iv\nbHmpVUXgBBF5CiTvHvqY7zcnGgdTWB9U+8c=\n-----END CERTIFICATE-----\n"
}
Error: "Error in client: \"TLS Session error: X509CertVerifyFailed\""

Example for Bad Actor Client

A client with a certificate that is not issued by a proper Fortanix CCM account will result in server error:

Connection failed: X509CertVerifyFailed

Full Log:

$ ./register_and_run.sh ./config
Logged in
    export token=Q3SxmoKzaq8sW6vl6HoDL4Qs2xNxSdotwFobt2LRSxeyjaP-AB0Lh5UfJ0UcZ0KSX9dGZOlDvgo-3mPPKVcQuQ
    export em_url=https://localhost:9090
Account selected
Building application.
   Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/server)
    Finished dev [unoptimized + debuginfo] target(s) in 0.35s
Signing application.
Application configuration finished.
Domain whitelisting finished.
Build configuration finished
Build whitelist result: SUCCESS
Build whitelisting finished
Application: obtained signed certificate from EM: {
  "task_id": "807ec66f-4c03-41e5-a374-15786a7812ef",
  "task_status": "SUCCESS",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIEljCCAv6gAwIBAgIUc4vW9ugcTYTEeq7+fAmpmuDICFQwDQYJKoZIhvcNAQEL\nBQAwgZIxNTAzBgsrBgEEAYOEGgEDAQwkZGFhMTJjNDctMGRhNy00OGU5LTlhMjUt\nOTUzMjc3NGI4N2Q4MTUwMwYLKwYBBAGDhBoBAwIMJGRjYjNjNDM5LWYyYWEtNGMz\nOS05ODMzLTkzNjYzYjY2NjQ1MDEiMCAGA1UEAwwZRGVmYXVsdCBFbmNsYXZlIFpv\nbmUgUm9vdDAeFw0yMDA2MjExNzU1MzlaFw0yMDA5MTkxNzU1MzlaMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOPY\n2/Ai+5a+yT7lFKdQcw8THWoJrbBPEXgyZxSyTONwtVYzjl7MN/lCGXa4z4FsjYtA\ndcz25egTYuo6tAQVxzfI3d1Ol/jPnlP2rRbjSQNOWzFoF249lX8TotUdeoc1gf3k\nYLw9sXWho9T82yL+tEIlVsAb9yHIS0H4ngrPGMTxHONA+GUEZMa0xTdtDAWXCe4a\nco0YfYAtvc9PioSSqKvRBq8VtSeiV0jm5+pPUEybMDrJl/Yf6OP9ybM7H9pKrSR0\nidcDPmNqS25Rb7/vv5njJl4Z5PeWY8fSYnQuwx3znXMVkZiuO967u3XKjrdhoEsG\nMoStqyfz2DfntVrrxMX1dN80WHXMtMsY1Hb/6aAcqng7lSnj6CwA4ck2QuG/GKZk\nZb60+mgM55zEx3tRWrgrfjDnDR5NZO1i746J8z7/Sv9oWOxKZb2gK1dxFCnJAKqz\nBlf8mHaPsc9aZNRjYuGE+bM0hmEM9MpGvJvm6nqOA8drJpRB0zrKv8Zz0Z+rxwID\nAQABo2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHoAAwHwYDVR0jBBgw\nFoAU9zdN/tMOiA5RVvoamoRa+lSEVW4wHQYDVR0OBBYEFMnPfxebGaSdtvltsT85\nHV/kqT3BMA0GCSqGSIb3DQEBCwUAA4IBgQAGLpuMrqVaU0VdLVZ3eQudN+z5I/nw\n/6QsL6lnLq+pKxfhZbmp7KcD5om6LpV2JxBWxurrSdU0s7UfKLPk0KASiNOHvX2D\nHNnQO05OZWNG+23Z1rUvQU8Le74D8vCU6UDnUOh/lqWRrGLywZ08eBcmIa/08SwD\nrLdlJ5ZOUqzyUlPFaAxeaHTi8D0U/8mSGtsZXMHSYNkxWgJh7kn4G77Okii6mM72\nXqMMf0xfyNjAAKi8+HmMvzGgKgAfKmiXiERxl27spZ7KIhC0QW9EHo4E3jZh1nFr\ncMR8UyFw0IWf9xzgbkvL2Tl6kdq2FJc6X4usIl3mtz4o0U/4sYIKTckKR1hRsQqB\nKLZFrmjXkMzLBCq1Jwcytgcdoqv6si/Aze5qWUUasiqqWQ3g75500tePXhOvgBlH\n0yyTNxbCiIua8loJG8khfpPyFN+zcxyXzIbJEYYabrRR8uCu6Q3ULF3RuTAb/X1N\nf66F1T4vMauDwNSsa72LmrnwYsrKbprhvcQ=\n-----END CERTIFICATE-----\n"
}
Waiting for clients on: "localhost:21000"
Connection failed: X509CertVerifyFailed