Build a RUST Server/Client EDP Application Using Confidential Computing Manager Issued Certificates and Trusted CA

Overview

This example shows how certificates can be used for authenticating other parties.

In em-app/examples/ there are 2 folders:

server - holds an example that listens on a hardcoded address.
client - holds an example that connects to the hardcoded address.

Both applications use a hardcoded certificate authority public key for peer verifications. This is obtained through the './register_and_run.sh' script from the account where they are added. This can be done manually as well.

The register_and_run.sh script above is only meant as an example and the script automates the following steps:

Building the SGX application
Registering the EDP application with Fortanix Confidential Computing Manager (CCM), and
Running the EDP application

To do the above steps manually, refer to the article Bringing EDP RUST Apps to Fortanix Confidential Computing Manager.

Example for Good Weather Usage

Server-side operations

Update ./config file in https://github.com/fortanix/rust-sgx/tree/master/em-app/examples/server folder with credentials, the desired account, and application names.
Run ./register_and_run.sh' script which automates the steps for building the SGX application/Registering the EDP application with Fortanix CCM, and Running the EDP application.

Logs:

em-app/examples/server$ ./register_and_run.sh ./config
Logged in
    export token=Q3SxmoKzaq8sW6vl6HoDL4Qs2xNxSdotwFobt2LRSxeyjaP-AB0Lh5UfJ0UcZ0KSX9dGZOlDvgo-3mPPKVcQuQ
    export em_url=https://localhost:9090
Account selected
Building application.
   Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/server)
    Finished dev [unoptimized + debuginfo] target(s) in 0.35s
Signing application.
Application configuration finished.
Domain whitelisting finished.
Build configuration finished
Build whitelist result: SUCCESS
Build whitelisting finished
Application: obtained signed certificate from EM: {
  "task_id": "807ec66f-4c03-41e5-a374-15786a7812ef",
  "task_status": "SUCCESS",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIEljCCAv6gAwIBAgIUc4vW9ugcTYTEeq7+fAmpmuDICFQwDQYJKoZIhvcNAQEL\nBQAwgZIxNTAzBgsrBgEEAYOEGgEDAQwkZGFhMTJjNDctMGRhNy00OGU5LTlhMjUt\nOTUzMjc3NGI4N2Q4MTUwMwYLKwYBBAGDhBoBAwIMJGRjYjNjNDM5LWYyYWEtNGMz\nOS05ODMzLTkzNjYzYjY2NjQ1MDEiMCAGA1UEAwwZRGVmYXVsdCBFbmNsYXZlIFpv\nbmUgUm9vdDAeFw0yMDA2MjExNzU1MzlaFw0yMDA5MTkxNzU1MzlaMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOPY\n2/Ai+5a+yT7lFKdQcw8THWoJrbBPEXgyZxSyTONwtVYzjl7MN/lCGXa4z4FsjYtA\ndcz25egTYuo6tAQVxzfI3d1Ol/jPnlP2rRbjSQNOWzFoF249lX8TotUdeoc1gf3k\nYLw9sXWho9T82yL+tEIlVsAb9yHIS0H4ngrPGMTxHONA+GUEZMa0xTdtDAWXCe4a\nco0YfYAtvc9PioSSqKvRBq8VtSeiV0jm5+pPUEybMDrJl/Yf6OP9ybM7H9pKrSR0\nidcDPmNqS25Rb7/vv5njJl4Z5PeWY8fSYnQuwx3znXMVkZiuO967u3XKjrdhoEsG\nMoStqyfz2DfntVrrxMX1dN80WHXMtMsY1Hb/6aAcqng7lSnj6CwA4ck2QuG/GKZk\nZb60+mgM55zEx3tRWrgrfjDnDR5NZO1i746J8z7/Sv9oWOxKZb2gK1dxFCnJAKqz\nBlf8mHaPsc9aZNRjYuGE+bM0hmEM9MpGvJvm6nqOA8drJpRB0zrKv8Zz0Z+rxwID\nAQABo2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHoAAwHwYDVR0jBBgw\nFoAU9zdN/tMOiA5RVvoamoRa+lSEVW4wHQYDVR0OBBYEFMnPfxebGaSdtvltsT85\nHV/kqT3BMA0GCSqGSIb3DQEBCwUAA4IBgQAGLpuMrqVaU0VdLVZ3eQudN+z5I/nw\n/6QsL6lnLq+pKxfhZbmp7KcD5om6LpV2JxBWxurrSdU0s7UfKLPk0KASiNOHvX2D\nHNnQO05OZWNG+23Z1rUvQU8Le74D8vCU6UDnUOh/lqWRrGLywZ08eBcmIa/08SwD\nrLdlJ5ZOUqzyUlPFaAxeaHTi8D0U/8mSGtsZXMHSYNkxWgJh7kn4G77Okii6mM72\nXqMMf0xfyNjAAKi8+HmMvzGgKgAfKmiXiERxl27spZ7KIhC0QW9EHo4E3jZh1nFr\ncMR8UyFw0IWf9xzgbkvL2Tl6kdq2FJc6X4usIl3mtz4o0U/4sYIKTckKR1hRsQqB\nKLZFrmjXkMzLBCq1Jwcytgcdoqv6si/Aze5qWUUasiqqWQ3g75500tePXhOvgBlH\n0yyTNxbCiIua8loJG8khfpPyFN+zcxyXzIbJEYYabrRR8uCu6Q3ULF3RuTAb/X1N\nf66F1T4vMauDwNSsa72LmrnwYsrKbprhvcQ=\n-----END CERTIFICATE-----\n"
}
Waiting for clients on: "localhost:21000"
Handled client: V4(127.0.0.1:33426)

Client-Side Operations

Update ./config file in https://github.com/fortanix/rust-sgx/tree/master/em-app/examples/client folder with credentials, the desired account, and application names.
Run './register_and_run.sh' script which automates the steps for building the SGX application/Registering the EDP application with Fortanix CCM, and Running the EDP application.

Logs:

em-app/examples/client$ ./register_and_run.sh ./config
Logged in
    export token=SiMxMNM7-_qcTvOxRyesVrnINfsvz09rtlY2Niw7KQNPI16FZoBBtd1W-Glkt2A5ASbwXp0xhwb3lFh-ITE6_g
    export em_url=https://localhost:9090
Account selected
Building application.
   Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/client)
    Finished dev [unoptimized + debuginfo] target(s) in 0.31s
Signing application.
Application configuration finished.
Domain whitelisting finished.
Build configuration finished
Build whitelisting finished
Application: obtained signed certificate from EM: {
  "task_id": "1e72abe6-f12d-4123-a00a-4b9513caa0c6",
  "task_status": "SUCCESS",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIEljCCAv6gAwIBAgIUGsKTopB4hHT1yqL+PLeYT/JkVPkwDQYJKoZIhvcNAQEL\nBQAwgZIxNTAzBgsrBgEEAYOEGgEDAQwkZGFhMTJjNDctMGRhNy00OGU5LTlhMjUt\nOTUzMjc3NGI4N2Q4MTUwMwYLKwYBBAGDhBoBAwIMJGRjYjNjNDM5LWYyYWEtNGMz\nOS05ODMzLTkzNjYzYjY2NjQ1MDEiMCAGA1UEAwwZRGVmYXVsdCBFbmNsYXZlIFpv\nbmUgUm9vdDAeFw0yMDA2MjExNzU1NThaFw0yMDA5MTkxNzU1NThaMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAM2T\no1EQ+UicqPDiWJqy7hZsL/6LfKx1egNeoK1fgjD5TRZSMLy4muUGEauL8aXSJijS\nfsV7G6NK6zyGaKWnF3hY36uuHdSPJ+E3f4WUP0aw3EGGmiHCNmRUlZAGq/ZhCM9G\nTiKka42lnECbKR9+s3QAQFZZobs8OF47uDGyiDBnT7skNOGEj/RBtiPOq0UUSgKD\nqsDLkopgIdqwMpU1Ra0fROw7k4fYb+yPfkalCBNSgl+WJS4iSio2Ssbt5/UOAKPt\nIYavhP4DvHO+/VdQ6yd9X5Up3vJXQsY8nPoSXSSTUZXMvq1PPCp7WHwexI3qil14\nDdaBbiqmZmK74pr3MF+S/sOI9Mi1/NCnleB33RwKvgcQSFbDua3Q2EqvBBh/nsUq\nqlycxzKoVVLzHjg2vQ24NF6hRe41YzLCb627FN/aMBn4GC7NSczYFz8KDEmAgOqC\npJoKWl/84lSHVy05dlkTgjKYqrDaz4E8VY9XIWy+8EEh1D9SVi+tgAZH8cqzgwID\nAQABo2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHoAAwHwYDVR0jBBgw\nFoAU9zdN/tMOiA5RVvoamoRa+lSEVW4wHQYDVR0OBBYEFNxG/pSKpB0U86WVQlUG\nr5/ULwoPMA0GCSqGSIb3DQEBCwUAA4IBgQCh3NRZ7ac09kQJpmCKlhjzK5kIeBCa\nxi/34vf+EePTb1x8+Zsj9NscyW+POyZy3wwLJ+ELHGVD/hX92kHHsIa10U0WjULu\nTfIcBe/c70EiVNt+j8Awu46wO++P9QWu5Pu/oGpXRPKf/CyBW7+y8rNUZnVOCHDi\nIbrgil6KHMc35jt8TVuVxn8nH2Am8Iz7IEYjoq1pnDVYItf/OcsKsF9xuumDYS04\nhB79KDeemkhc/gX2lzdO1BGlL85A+lQO+pVIa6C0tsgndHB/P3qsCVkj/6zK83We\nHeOHhQd47u+q3eb0HUjueShPuk+cfCkn54kaOzKYlVni4Pcv8bJsKmPrpVNPFpiw\n5zX8T+bylkJygbVf32zfft10vxqWZtOUV0GRHjbvNo4Kfp+BPfkNK87M136Y7C7/\nFmaU+pbRoZZH8Enl8VWkL2O9JlbShwF/vjkUlS1USxzFhK4tHF03mIl0boe2ijo1\nyddDuwUFmTVlZNPPz0NVz5bjgYWLclgsBg8=\n-----END CERTIFICATE-----\n"
}
Application: received data from server: "Hello world from server".
Client finished

Example for Bad Actor Server

A properly configured client attempts to connect to a server that does not have a certificate signed by the expected CA:

Client sees an error:

Error: "Error in client: \"TLS Session error: X509CertVerifyFailed\""

Full Log:

$ ./register_and_run.sh ./config
Logged in
    export token=YFOUM4UFazRrkhruZMTIjeSTMAS_0Cy5b110TFF7i_LE6LgzvX8zTtArFhZA7I5-BPQI2vT2lwb2sE7jQ2OyOw
    export em_url=https://localhost:9090
Account selected
Building application.
   Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/client)
    Finished dev [unoptimized + debuginfo] target(s) in 0.32s
Signing application.
Creating application
Application configuration finished.
Domain whitelist result: SUCCESS
Domain whitelisting finished.
Build configuration finished
Build whitelist result: SUCCESS
Build whitelisting finished
Application: obtained signed certificate from EM: {
  "task_id": "bd661840-1d9f-45ed-898b-0ad30bc5229d",
  "task_status": "SUCCESS",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIEljCCAv6gAwIBAgIUIn4xxQzzZ0/qCP7D+71O+cMuWX8wDQYJKoZIhvcNAQEL\nBQAwgZIxNTAzBgsrBgEEAYOEGgEDAQwkNTkzNTdiZTMtOTJlMC00MzA0LWE4NGUt\nZWVmZWU5ZDU0ZTRkMTUwMwYLKwYBBAGDhBoBAwIMJDBkNTUxMDk5LWViZjEtNDQz\nYy05Yzk5LTRkMDJkYWI3MTUyNzEiMCAGA1UEAwwZRGVmYXVsdCBFbmNsYXZlIFpv\nbmUgUm9vdDAeFw0yMDA2MjExODIzMTVaFw0yMDA5MTkxODIzMTVaMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALbS\nRi2T0jbm6+YrVvibNARhI7qeSwqtLWmFYVcDLC3dRz/9Q32gl9ttS0WjIg5fcv78\ninCx5hzNhltVTCAoubl6NvA8paIBy0k7xdFAlsmueN0xdn0MssXEwEru63ZBI3uk\nicf92fsO2VBZE4jHz0J0VB887y4+lzi9u4om7p+HtC8y43fadORoG29zucG8D59h\nvJ+pJ2UunVC+AoF9L6cMEhYZspuwXhKTF3r9dStJYUP4KyVSW8eeXgGbj5rkDh1N\ncUkstaABQAiSkKjrBGIHQowlyTkjVo7xckmyhpST48kPI4JIIILvpYZpg/I9ziUh\nJEJ05O6pXbdQ5Y/n55e5092vdIpuduCiFHYO072OaxaPJla3Z3OTgxNdhD8OYhHQ\nUzlVy0EEXu0ZqQ/XCKFWGgydjb3yr3XgL4nO25WM2/93ijlWcvZj1zDc0dSuHx4f\n3go0PEaHFMwjL4zH8S5eDrmZvLecEMjyTT1+dk3YgHpz1MZmb0/xsBkXQR8VoQID\nAQABo2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHoAAwHwYDVR0jBBgw\nFoAUzbLRZO5mx4TsGKKIMUDuW29w8vowHQYDVR0OBBYEFI7dCHXF0l2xExuk4gYX\nutA2GFE8MA0GCSqGSIb3DQEBCwUAA4IBgQBJdFE96hVlSljxOM1dy9la7GZ23J8r\nMKO/YqAcAAPP60BtDZDA2Vb5jjX2zp9G8kJfbfZzQmZSaVIhuDcsYwD5uighXuU+\nBG14szMAfn18rh+NUreG+fImVRbKKzRbikuC4KEpZOGzlhvtzv1HnS+lk2EkAZl7\nbSqdzk1nrfDG3aWhNwzl8ij/yN3ezrmW1euUtcyPXmJMmuxbSeFigL1G/lpDSNqg\naHzJn9YZuImZ7ewF1ioqg8kU+P/rHG2ZbCWJdKJTafJ0zwHL42rMKle0ZY8Ky1V2\n3HwmqELWKCrP8MeJdK25jPwGqOzfIL6XLGscxS10/7DCS9zS7aGepT1/Ed1VvsIF\noyrcgkCDo5xn09+1rRImae23+dRZGUxG6hgW8jEcACeediD3Y/PTmYTxMNmSNhSY\n6G17HC9zhGPjqUECMtQ1R9dpyKoDylDP2Oi23qHuk0ZFfMfxEaahCmsongrrJ0Iv\nbHmpVUXgBBF5CiTvHvqY7zcnGgdTWB9U+8c=\n-----END CERTIFICATE-----\n"
}
Error: "Error in client: \"TLS Session error: X509CertVerifyFailed\""

Example for Bad Actor Client

A client with a certificate that is not issued by a proper Fortanix CCM account will result in server error:

Connection failed: X509CertVerifyFailed

Full Log:

$ ./register_and_run.sh ./config
Logged in
    export token=Q3SxmoKzaq8sW6vl6HoDL4Qs2xNxSdotwFobt2LRSxeyjaP-AB0Lh5UfJ0UcZ0KSX9dGZOlDvgo-3mPPKVcQuQ
    export em_url=https://localhost:9090
Account selected
Building application.
   Compiling get-certificate v0.1.0 (/home/acruceru/work/rust-sgx-patch/em-app/examples/server)
    Finished dev [unoptimized + debuginfo] target(s) in 0.35s
Signing application.
Application configuration finished.
Domain whitelisting finished.
Build configuration finished
Build whitelist result: SUCCESS
Build whitelisting finished
Application: obtained signed certificate from EM: {
  "task_id": "807ec66f-4c03-41e5-a374-15786a7812ef",
  "task_status": "SUCCESS",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIEljCCAv6gAwIBAgIUc4vW9ugcTYTEeq7+fAmpmuDICFQwDQYJKoZIhvcNAQEL\nBQAwgZIxNTAzBgsrBgEEAYOEGgEDAQwkZGFhMTJjNDctMGRhNy00OGU5LTlhMjUt\nOTUzMjc3NGI4N2Q4MTUwMwYLKwYBBAGDhBoBAwIMJGRjYjNjNDM5LWYyYWEtNGMz\nOS05ODMzLTkzNjYzYjY2NjQ1MDEiMCAGA1UEAwwZRGVmYXVsdCBFbmNsYXZlIFpv\nbmUgUm9vdDAeFw0yMDA2MjExNzU1MzlaFw0yMDA5MTkxNzU1MzlaMBQxEjAQBgNV\nBAMMCWxvY2FsaG9zdDCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOPY\n2/Ai+5a+yT7lFKdQcw8THWoJrbBPEXgyZxSyTONwtVYzjl7MN/lCGXa4z4FsjYtA\ndcz25egTYuo6tAQVxzfI3d1Ol/jPnlP2rRbjSQNOWzFoF249lX8TotUdeoc1gf3k\nYLw9sXWho9T82yL+tEIlVsAb9yHIS0H4ngrPGMTxHONA+GUEZMa0xTdtDAWXCe4a\nco0YfYAtvc9PioSSqKvRBq8VtSeiV0jm5+pPUEybMDrJl/Yf6OP9ybM7H9pKrSR0\nidcDPmNqS25Rb7/vv5njJl4Z5PeWY8fSYnQuwx3znXMVkZiuO967u3XKjrdhoEsG\nMoStqyfz2DfntVrrxMX1dN80WHXMtMsY1Hb/6aAcqng7lSnj6CwA4ck2QuG/GKZk\nZb60+mgM55zEx3tRWrgrfjDnDR5NZO1i746J8z7/Sv9oWOxKZb2gK1dxFCnJAKqz\nBlf8mHaPsc9aZNRjYuGE+bM0hmEM9MpGvJvm6nqOA8drJpRB0zrKv8Zz0Z+rxwID\nAQABo2EwXzAMBgNVHRMBAf8EAjAAMA8GA1UdDwEB/wQFAwMHoAAwHwYDVR0jBBgw\nFoAU9zdN/tMOiA5RVvoamoRa+lSEVW4wHQYDVR0OBBYEFMnPfxebGaSdtvltsT85\nHV/kqT3BMA0GCSqGSIb3DQEBCwUAA4IBgQAGLpuMrqVaU0VdLVZ3eQudN+z5I/nw\n/6QsL6lnLq+pKxfhZbmp7KcD5om6LpV2JxBWxurrSdU0s7UfKLPk0KASiNOHvX2D\nHNnQO05OZWNG+23Z1rUvQU8Le74D8vCU6UDnUOh/lqWRrGLywZ08eBcmIa/08SwD\nrLdlJ5ZOUqzyUlPFaAxeaHTi8D0U/8mSGtsZXMHSYNkxWgJh7kn4G77Okii6mM72\nXqMMf0xfyNjAAKi8+HmMvzGgKgAfKmiXiERxl27spZ7KIhC0QW9EHo4E3jZh1nFr\ncMR8UyFw0IWf9xzgbkvL2Tl6kdq2FJc6X4usIl3mtz4o0U/4sYIKTckKR1hRsQqB\nKLZFrmjXkMzLBCq1Jwcytgcdoqv6si/Aze5qWUUasiqqWQ3g75500tePXhOvgBlH\n0yyTNxbCiIua8loJG8khfpPyFN+zcxyXzIbJEYYabrRR8uCu6Q3ULF3RuTAb/X1N\nf66F1T4vMauDwNSsa72LmrnwYsrKbprhvcQ=\n-----END CERTIFICATE-----\n"
}
Waiting for clients on: "localhost:21000"
Connection failed: X509CertVerifyFailed

Build a RUST Server/Client EDP Application Using Confidential Computing Manager Issued Certificates and Trusted CA

Overview

Example for Good Weather Usage

Server-side operations

Client-Side Operations

Example for Bad Actor Server

Example for Bad Actor Client

PLATFORM

Key Insight

Data Security Manager™

Confidential Computing Manager

Enclave Development Platform®

Request A demo

Contact Us

Free Trial

SOLUTIONS

AWS KMS External Key Store (XKS)

Google External Key Manager

Bring Your Own Key (BYOK)

HSM Modernization

Multicloud Key Management

Post Quantum Cryptography

Code Signing

Secrets Management

Tokenization Transparent

Database Encryption

Filesystem Encryption

Confidential Data Search

Confidential AI

Healthcare

Banking & Financial Services

Fintech

Manufacturing

Web 3.0

Federal Government

RESOURCES

Blog

Whitepapers

Datasheets

Solution Briefs

Ebooks

Reports

Case Studies

Webinars

University

Media Kit

Newsletters

COMPANY

About

Careerswe’re hiring

Customers

Partners

Awards

Events

Press

News

Services

Support

FAQ

4.6