Build a RUST Server/Client EDP Application Using Confidential Computing Manager Issued Certificates and Trusted CA

Last Updated: May 25, 2021 12:49

Overview

This example shows how certificates can be used for authenticating other parties.

In em-app/examples/ there are 2 folders:

server - holds an example that listens on a hardcoded address.
client - holds an example that connects to the hardcoded address.

Both applications use a hardcoded certificate authority public key for peer verifications. This is obtained through the './register_and_run.sh' script from the account where they are added. This can be done manually as well.

The register_and_run.sh script above is only meant as an example and the script automates the following steps:

Building the SGX application
Registering the EDP application with Fortanix Confidential Computing Manager (CCM), and
Running the EDP application

To do the above steps manually, refer to the article Bringing EDP RUST Apps to Fortanix Confidential Computing Manager.

Example for Good Weather Usage

Server-side operations

Update ./config file in https://github.com/fortanix/rust-sgx/tree/master/em-app/examples/server folder with credentials, the desired account, and application names.
Run ./register_and_run.sh' script which automates the steps for building the SGX application/Registering the EDP application with Fortanix CCM, and Running the EDP application.

Logs:

em-app/examples/server$ ./register_and_run.sh ./config
Logged in
    export token=Q3SxmoKzaq8sW6vl6HoDL4Qs2xNxSdotwFobt2LRSxeyjaP-AB0Lh5UfJ0UcZ0KSX9dGZOlDvgo-3mPPKVcQuQ
    export em_url=https://localhost:9090
Account selected
Building application.
   Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/server)
    Finished dev [unoptimized + debuginfo] target(s) in 0.35s
Signing application.
Application configuration finished.
Domain whitelisting finished.
Build configuration finished
Build whitelist result: SUCCESS
Build whitelisting finished
Application: obtained signed certificate from EM: {
  "task_id": "807ec66f-4c03-41e5-a374-15786a7812ef",
  "task_status": "SUCCESS",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIEljCCAv6gAwIBAgIUc4vW9ugcTYTEeq7+fAmpmuDICFQwDQYJKoZIhvcNAQEL\nBQAwgZIxNTAzBgsrBgEEAYOEGgEDAQwkZGFhMTJjNDctMGRhNy00OGU5LTlhMjUt\nOTUzMjc3NGI4N2Q4MTUwMwYLKwYBBAGDhBoBAwIMJGRjYjNjNDM5LWYyYWEtNGMz\nOS05ODMzLTkzNjYzYjY2NjQ1MDEiMCAGA1UEAwwZRGVmYXVsdCBFbmNsYXZlIFpv\nbmUgUm9vdDAeFw0yMDA2MjExNzU1MzlaFw0yMDA5MTkxNzU1MzlaMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOPY\n2/Ai+5a+yT7lFKdQcw8THWoJrbBPEXgyZxSyTONwtVYzjl7MN/lCGXa4z4FsjYtA\ndcz25egTYuo6tAQVxzfI3d1Ol/jPnlP2rRbjSQNOWzFoF249lX8TotUdeoc1gf3k\nYLw9sXWho9T82yL+tEIlVsAb9yHIS0H4ngrPGMTxHONA+GUEZMa0xTdtDAWXCe4a\nco0YfYAtvc9PioSSqKvRBq8VtSeiV0jm5+pPUEybMDrJl/Yf6OP9ybM7H9pKrSR0\nidcDPmNqS25Rb7/vv5njJl4Z5PeWY8fSYnQuwx3znXMVkZiuO967u3XKjrdhoEsG\nMoStqyfz2DfntVrrxMX1dN80WHXMtMsY1Hb/6aAcqng7lSnj6CwA4ck2QuG/GKZk\nZb60+mgM55zEx3tRWrgrfjDnDR5NZO1i746J8z7/Sv9oWOxKZb2gK1dxFCnJAKqz\nBlf8mHaPsc9aZNRjYuGE+bM0hmEM9MpGvJvm6nqOA8drJpRB0zrKv8Zz0Z+rxwID\nAQABo2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHoAAwHwYDVR0jBBgw\nFoAU9zdN/tMOiA5RVvoamoRa+lSEVW4wHQYDVR0OBBYEFMnPfxebGaSdtvltsT85\nHV/kqT3BMA0GCSqGSIb3DQEBCwUAA4IBgQAGLpuMrqVaU0VdLVZ3eQudN+z5I/nw\n/6QsL6lnLq+pKxfhZbmp7KcD5om6LpV2JxBWxurrSdU0s7UfKLPk0KASiNOHvX2D\nHNnQO05OZWNG+23Z1rUvQU8Le74D8vCU6UDnUOh/lqWRrGLywZ08eBcmIa/08SwD\nrLdlJ5ZOUqzyUlPFaAxeaHTi8D0U/8mSGtsZXMHSYNkxWgJh7kn4G77Okii6mM72\nXqMMf0xfyNjAAKi8+HmMvzGgKgAfKmiXiERxl27spZ7KIhC0QW9EHo4E3jZh1nFr\ncMR8UyFw0IWf9xzgbkvL2Tl6kdq2FJc6X4usIl3mtz4o0U/4sYIKTckKR1hRsQqB\nKLZFrmjXkMzLBCq1Jwcytgcdoqv6si/Aze5qWUUasiqqWQ3g75500tePXhOvgBlH\n0yyTNxbCiIua8loJG8khfpPyFN+zcxyXzIbJEYYabrRR8uCu6Q3ULF3RuTAb/X1N\nf66F1T4vMauDwNSsa72LmrnwYsrKbprhvcQ=\n-----END CERTIFICATE-----\n"
}
Waiting for clients on: "localhost:21000"
Handled client: V4(127.0.0.1:33426)

Client-Side Operations

Update ./config file in https://github.com/fortanix/rust-sgx/tree/master/em-app/examples/client folder with credentials, the desired account, and application names.
Run './register_and_run.sh' script which automates the steps for building the SGX application/Registering the EDP application with Fortanix CCM, and Running the EDP application.

Logs:

em-app/examples/client$ ./register_and_run.sh ./config
Logged in
    export token=SiMxMNM7-_qcTvOxRyesVrnINfsvz09rtlY2Niw7KQNPI16FZoBBtd1W-Glkt2A5ASbwXp0xhwb3lFh-ITE6_g
    export em_url=https://localhost:9090
Account selected
Building application.
   Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/client)
    Finished dev [unoptimized + debuginfo] target(s) in 0.31s
Signing application.
Application configuration finished.
Domain whitelisting finished.
Build configuration finished
Build whitelisting finished
Application: obtained signed certificate from EM: {
  "task_id": "1e72abe6-f12d-4123-a00a-4b9513caa0c6",
  "task_status": "SUCCESS",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIEljCCAv6gAwIBAgIUGsKTopB4hHT1yqL+PLeYT/JkVPkwDQYJKoZIhvcNAQEL\nBQAwgZIxNTAzBgsrBgEEAYOEGgEDAQwkZGFhMTJjNDctMGRhNy00OGU5LTlhMjUt\nOTUzMjc3NGI4N2Q4MTUwMwYLKwYBBAGDhBoBAwIMJGRjYjNjNDM5LWYyYWEtNGMz\nOS05ODMzLTkzNjYzYjY2NjQ1MDEiMCAGA1UEAwwZRGVmYXVsdCBFbmNsYXZlIFpv\nbmUgUm9vdDAeFw0yMDA2MjExNzU1NThaFw0yMDA5MTkxNzU1NThaMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAM2T\no1EQ+UicqPDiWJqy7hZsL/6LfKx1egNeoK1fgjD5TRZSMLy4muUGEauL8aXSJijS\nfsV7G6NK6zyGaKWnF3hY36uuHdSPJ+E3f4WUP0aw3EGGmiHCNmRUlZAGq/ZhCM9G\nTiKka42lnECbKR9+s3QAQFZZobs8OF47uDGyiDBnT7skNOGEj/RBtiPOq0UUSgKD\nqsDLkopgIdqwMpU1Ra0fROw7k4fYb+yPfkalCBNSgl+WJS4iSio2Ssbt5/UOAKPt\nIYavhP4DvHO+/VdQ6yd9X5Up3vJXQsY8nPoSXSSTUZXMvq1PPCp7WHwexI3qil14\nDdaBbiqmZmK74pr3MF+S/sOI9Mi1/NCnleB33RwKvgcQSFbDua3Q2EqvBBh/nsUq\nqlycxzKoVVLzHjg2vQ24NF6hRe41YzLCb627FN/aMBn4GC7NSczYFz8KDEmAgOqC\npJoKWl/84lSHVy05dlkTgjKYqrDaz4E8VY9XIWy+8EEh1D9SVi+tgAZH8cqzgwID\nAQABo2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHoAAwHwYDVR0jBBgw\nFoAU9zdN/tMOiA5RVvoamoRa+lSEVW4wHQYDVR0OBBYEFNxG/pSKpB0U86WVQlUG\nr5/ULwoPMA0GCSqGSIb3DQEBCwUAA4IBgQCh3NRZ7ac09kQJpmCKlhjzK5kIeBCa\nxi/34vf+EePTb1x8+Zsj9NscyW+POyZy3wwLJ+ELHGVD/hX92kHHsIa10U0WjULu\nTfIcBe/c70EiVNt+j8Awu46wO++P9QWu5Pu/oGpXRPKf/CyBW7+y8rNUZnVOCHDi\nIbrgil6KHMc35jt8TVuVxn8nH2Am8Iz7IEYjoq1pnDVYItf/OcsKsF9xuumDYS04\nhB79KDeemkhc/gX2lzdO1BGlL85A+lQO+pVIa6C0tsgndHB/P3qsCVkj/6zK83We\nHeOHhQd47u+q3eb0HUjueShPuk+cfCkn54kaOzKYlVni4Pcv8bJsKmPrpVNPFpiw\n5zX8T+bylkJygbVf32zfft10vxqWZtOUV0GRHjbvNo4Kfp+BPfkNK87M136Y7C7/\nFmaU+pbRoZZH8Enl8VWkL2O9JlbShwF/vjkUlS1USxzFhK4tHF03mIl0boe2ijo1\nyddDuwUFmTVlZNPPz0NVz5bjgYWLclgsBg8=\n-----END CERTIFICATE-----\n"
}
Application: received data from server: "Hello world from server".
Client finished

Example for Bad Actor Server

A properly configured client attempts to connect to a server that does not have a certificate signed by the expected CA:

Client sees an error:

Error: "Error in client: \"TLS Session error: X509CertVerifyFailed\""

Full Log:

$ ./register_and_run.sh ./config
Logged in
    export token=YFOUM4UFazRrkhruZMTIjeSTMAS_0Cy5b110TFF7i_LE6LgzvX8zTtArFhZA7I5-BPQI2vT2lwb2sE7jQ2OyOw
    export em_url=https://localhost:9090
Account selected
Building application.
   Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/client)
    Finished dev [unoptimized + debuginfo] target(s) in 0.32s
Signing application.
Creating application
Application configuration finished.
Domain whitelist result: SUCCESS
Domain whitelisting finished.
Build configuration finished
Build whitelist result: SUCCESS
Build whitelisting finished
Application: obtained signed certificate from EM: {
  "task_id": "bd661840-1d9f-45ed-898b-0ad30bc5229d",
  "task_status": "SUCCESS",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIEljCCAv6gAwIBAgIUIn4xxQzzZ0/qCP7D+71O+cMuWX8wDQYJKoZIhvcNAQEL\nBQAwgZIxNTAzBgsrBgEEAYOEGgEDAQwkNTkzNTdiZTMtOTJlMC00MzA0LWE4NGUt\nZWVmZWU5ZDU0ZTRkMTUwMwYLKwYBBAGDhBoBAwIMJDBkNTUxMDk5LWViZjEtNDQz\nYy05Yzk5LTRkMDJkYWI3MTUyNzEiMCAGA1UEAwwZRGVmYXVsdCBFbmNsYXZlIFpv\nbmUgUm9vdDAeFw0yMDA2MjExODIzMTVaFw0yMDA5MTkxODIzMTVaMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALbS\nRi2T0jbm6+YrVvibNARhI7qeSwqtLWmFYVcDLC3dRz/9Q32gl9ttS0WjIg5fcv78\ninCx5hzNhltVTCAoubl6NvA8paIBy0k7xdFAlsmueN0xdn0MssXEwEru63ZBI3uk\nicf92fsO2VBZE4jHz0J0VB887y4+lzi9u4om7p+HtC8y43fadORoG29zucG8D59h\nvJ+pJ2UunVC+AoF9L6cMEhYZspuwXhKTF3r9dStJYUP4KyVSW8eeXgGbj5rkDh1N\ncUkstaABQAiSkKjrBGIHQowlyTkjVo7xckmyhpST48kPI4JIIILvpYZpg/I9ziUh\nJEJ05O6pXbdQ5Y/n55e5092vdIpuduCiFHYO072OaxaPJla3Z3OTgxNdhD8OYhHQ\nUzlVy0EEXu0ZqQ/XCKFWGgydjb3yr3XgL4nO25WM2/93ijlWcvZj1zDc0dSuHx4f\n3go0PEaHFMwjL4zH8S5eDrmZvLecEMjyTT1+dk3YgHpz1MZmb0/xsBkXQR8VoQID\nAQABo2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHoAAwHwYDVR0jBBgw\nFoAUzbLRZO5mx4TsGKKIMUDuW29w8vowHQYDVR0OBBYEFI7dCHXF0l2xExuk4gYX\nutA2GFE8MA0GCSqGSIb3DQEBCwUAA4IBgQBJdFE96hVlSljxOM1dy9la7GZ23J8r\nMKO/YqAcAAPP60BtDZDA2Vb5jjX2zp9G8kJfbfZzQmZSaVIhuDcsYwD5uighXuU+\nBG14szMAfn18rh+NUreG+fImVRbKKzRbikuC4KEpZOGzlhvtzv1HnS+lk2EkAZl7\nbSqdzk1nrfDG3aWhNwzl8ij/yN3ezrmW1euUtcyPXmJMmuxbSeFigL1G/lpDSNqg\naHzJn9YZuImZ7ewF1ioqg8kU+P/rHG2ZbCWJdKJTafJ0zwHL42rMKle0ZY8Ky1V2\n3HwmqELWKCrP8MeJdK25jPwGqOzfIL6XLGscxS10/7DCS9zS7aGepT1/Ed1VvsIF\noyrcgkCDo5xn09+1rRImae23+dRZGUxG6hgW8jEcACeediD3Y/PTmYTxMNmSNhSY\n6G17HC9zhGPjqUECMtQ1R9dpyKoDylDP2Oi23qHuk0ZFfMfxEaahCmsongrrJ0Iv\nbHmpVUXgBBF5CiTvHvqY7zcnGgdTWB9U+8c=\n-----END CERTIFICATE-----\n"
}
Error: "Error in client: \"TLS Session error: X509CertVerifyFailed\""

Example for Bad Actor Client

A client with a certificate that is not issued by a proper Fortanix CCM account will result in server error:

Connection failed: X509CertVerifyFailed