Overview
This example shows how certificates can be used for authenticating other parties.
In em-app/examples/ there are 2 folders:
- server - holds an example that listens on a hardcoded address.
- client - holds an example that connects to the hardcoded address.
Both applications use a hardcoded certificate authority (CA) public key for peer verification. The './register_and_run.sh' script obtains this key from the account to which the applications are added. This can be done manually as well.
The register_and_run.sh script above is only meant as an example and the script automates the following steps:
- Building the SGX application
- Registering the EDP application with Fortanix Confidential Computing Manager (CCM)
- Running the EDP application
To do the above steps manually, refer to the article Bringing EDP RUST Apps to Fortanix Confidential Computing Manager.
Example for Good Weather Usage
Server-side operations
- Update the ./config file in the https://github.com/fortanix/rust-sgx/tree/master/em-app/examples/server folder with credentials, the desired account, and application names.
- Run the ./register_and_run.sh script, which automates the steps for building the SGX application, registering the EDP application with Fortanix CCM, and running the EDP application.
Logs:
em-app/examples/server$ ./register_and_run.sh ./config
Logged in
export token=Q3SxmoKzaq8sW6vl6HoDL4Qs2xNxSdotwFobt2LRSxeyjaP-AB0Lh5UfJ0UcZ0KSX9dGZOlDvgo-3mPPKVcQuQ
export em_url=https://localhost:9090
Account selected
Building application.
Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/server)
Finished dev [unoptimized + debuginfo] target(s) in 0.35s
Signing application.
Application configuration finished.
Domain whitelisting finished.
Build configuration finished
Build whitelist result: SUCCESS
Build whitelisting finished
Application: obtained signed certificate from EM: {
"task_id": "807ec66f-4c03-41e5-a374-15786a7812ef",
"task_status": "SUCCESS",
"certificate": "-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----\n"
}
Waiting for clients on: "localhost:21000"
Handled client: V4(127.0.0.1:33426)
Client-Side Operations
- Update the ./config file in the https://github.com/fortanix/rust-sgx/tree/master/em-app/examples/client folder with credentials, the desired account, and application names.
- Run the ./register_and_run.sh script, which automates the steps for building the SGX application, registering the EDP application with Fortanix CCM, and running the EDP application.
Logs:
em-app/examples/client$ ./register_and_run.sh ./config
Logged in
export token=SiMxMNM7-_qcTvOxRyesVrnINfsvz09rtlY2Niw7KQNPI16FZoBBtd1W-Glkt2A5ASbwXp0xhwb3lFh-ITE6_g
export em_url=https://localhost:9090
Account selected
Building application.
Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/client)
Finished dev [unoptimized + debuginfo] target(s) in 0.31s
Signing application.
Application configuration finished.
Domain whitelisting finished.
Build configuration finished
Build whitelisting finished
Application: obtained signed certificate from EM: {
"task_id": "1e72abe6-f12d-4123-a00a-4b9513caa0c6",
"task_status": "SUCCESS",
"certificate": "-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----\n"
}
Application: received data from server: "Hello world from server".
Client finished
Example for Bad Actor Server
When a properly configured client attempts to connect to a server that does not have a certificate signed by the expected CA, the client sees an error:
Error: "Error in client: \"TLS Session error: X509CertVerifyFailed\""
Full Log:
$ ./register_and_run.sh ./config
Logged in
export token=YFOUM4UFazRrkhruZMTIjeSTMAS_0Cy5b110TFF7i_LE6LgzvX8zTtArFhZA7I5-BPQI2vT2lwb2sE7jQ2OyOw
export em_url=https://localhost:9090
Account selected
Building application.
Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/client)
Finished dev [unoptimized + debuginfo] target(s) in 0.32s
Signing application.
Creating application
Application configuration finished.
Domain whitelist result: SUCCESS
Domain whitelisting finished.
Build configuration finished
Build whitelist result: SUCCESS
Build whitelisting finished
Application: obtained signed certificate from EM: {
"task_id": "bd661840-1d9f-45ed-898b-0ad30bc5229d",
"task_status": "SUCCESS",
"certificate": "-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----\n"
}
Error: "Error in client: \"TLS Session error: X509CertVerifyFailed\""
Example for Bad Actor Client
A client whose certificate was not issued by a proper Fortanix CCM account results in the following server error:
Connection failed: X509CertVerifyFailed
Full Log:
$ ./register_and_run.sh ./config
Logged in
export token=Q3SxmoKzaq8sW6vl6HoDL4Qs2xNxSdotwFobt2LRSxeyjaP-AB0Lh5UfJ0UcZ0KSX9dGZOlDvgo-3mPPKVcQuQ
export em_url=https://localhost:9090
Account selected
Building application.
Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/server)
Finished dev [unoptimized + debuginfo] target(s) in 0.35s
Signing application.
Application configuration finished.
Domain whitelisting finished.
Build configuration finished
Build whitelist result: SUCCESS
Build whitelisting finished
Application: obtained signed certificate from EM: {
"task_id": "807ec66f-4c03-41e5-a374-15786a7812ef",
"task_status": "SUCCESS",
"certificate": "-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----\n"
}
Waiting for clients on: "localhost:21000"
Connection failed: X509CertVerifyFailed
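The pinned-CA check from the overview and the two bad-actor cases above can be reproduced offline. This is an added example, not code from the Fortanix examples: it uses the openssl command line in place of the enclave's TLS stack, and the CA names, file names and helper functions are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pinned-CA peer verification with the openssl CLI.
# CA names, file names and helpers are constructed; nothing here contacts CCM.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: self-signed CA certificate $WORK/<name>.crt with its key
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days 1 \
    -subj "/CN=$1" 2>/dev/null
}

# issue_leaf <ca> <leaf>: certificate for CN=localhost signed by <ca>
issue_leaf() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "/CN=localhost" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" -days 1 2>/dev/null
}

# peer_trusted <pinned-ca> <leaf>: succeeds only if <leaf> chains to <pinned-ca>
peer_trusted() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# expected-ca plays the account's CA that both applications hardcode;
# rogue-ca plays any other issuer (a different account or a self-made CA).
make_ca expected-ca
make_ca rogue-ca
issue_leaf expected-ca good-peer
issue_leaf rogue-ca bad-peer

# Same subject (CN=localhost) on both leaves: only the issuer decides the result.
for peer in good-peer bad-peer; do
  if peer_trusted expected-ca "$peer"; then
    echo "$peer: accepted"
  else
    echo "$peer: rejected (not issued by the pinned CA)"
  fi
done
```

Both leaf certificates carry the same subject, so the rejection of bad-peer depends only on the issuer, which is the same condition that produces X509CertVerifyFailed in the logs above.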