From 0b526f1813ac3a90f14295e39bd5fea9560d902a Mon Sep 17 00:00:00 2001 From: Gavin Uhma Date: Tue, 12 Jul 2022 16:13:56 -0300 Subject: [PATCH 1/6] WIP: Replace Tink with Circl/hpke --- crypto/enclave_encrypt.go | 32 +++++++++++++++++++++----------- go.mod | 1 + go.sum | 8 ++++++++ 3 files changed, 30 insertions(+), 11 deletions(-) diff --git a/crypto/enclave_encrypt.go b/crypto/enclave_encrypt.go index ba3cc437..5a19fedb 100644 --- a/crypto/enclave_encrypt.go +++ b/crypto/enclave_encrypt.go @@ -1,32 +1,42 @@ package crypto import ( - "bytes" "fmt" - "github.com/google/tink/go/hybrid" - "github.com/google/tink/go/keyset" + "crypto/rand" + "github.com/cloudflare/circl/hpke" "github.com/capeprivacy/cli/attest" ) func LocalEncrypt(doc attest.AttestationDoc, plaintext []byte) ([]byte, error) { - buf := bytes.NewBuffer(doc.PublicKey) - reader := keyset.NewBinaryReader(buf) - khPub, err := keyset.ReadWithNoSecrets(reader) + + kemID := hpke.KEM_X25519_HKDF_SHA256 + kdfID := hpke.KDF_HKDF_SHA256 + aeadID := hpke.AEAD_ChaCha20Poly1305 + suite := hpke.NewSuite(kemID, kdfID, aeadID) + + kemPublicKey, err := kemID.Scheme().UnmarshalBinaryPublicKey(doc.PublicKey) + if err != nil { + fmt.Println(err) + } + + sender, err := suite.NewSender(kemPublicKey, nil) if err != nil { - return nil, fmt.Errorf("read pubic key %s", err) + return nil, fmt.Errorf("unable to encrypt %s", err) } - encrypt, err := hybrid.NewHybridEncrypt(khPub) + encapsulatedKey, sealer, err := sender.Setup(rand.Reader) if err != nil { - return nil, err + return nil, fmt.Errorf("unable to encrypt %s", err) } - ciphertext, err := encrypt.Encrypt(plaintext, nil) + ciphertext, err := sealer.Seal(plaintext, nil) if err != nil { return nil, fmt.Errorf("unable to encrypt %s", err) } - return ciphertext, nil + payload := append(encapsulatedKey, ciphertext...) + + return payload, nil } diff --git a/go.mod b/go.mod index 65581044..74baeeb9 100644 --- a/go.mod +++ b/go.mod @@ -13,6 +13,7 @@ require ( ) require ( + github.com/cloudflare/circl v1.2.0 // indirect github.com/fatih/color v1.13.0 // indirect github.com/fsnotify/fsnotify v1.5.1 // indirect github.com/golang/protobuf v1.5.2 // indirect diff --git a/go.sum b/go.sum index 4e9c51f6..85bd462d 100644 --- a/go.sum +++ b/go.sum @@ -46,6 +46,7 @@ github.com/aws/aws-sdk-go v1.36.29/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2z github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/briandowns/spinner v1.18.1 h1:yhQmQtM1zsqFsouh09Bk/jCjd50pC3EOGsh28gLVvwY= github.com/briandowns/spinner v1.18.1/go.mod h1:mQak9GHqbspjC/5iUx3qMlIho8xBS/ppAL/hX5SmPJU= +github.com/bwesterb/go-ristretto v1.2.1/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/capeprivacy/go-kit v0.0.0-20220420152147-667383169b7a h1:d0C9zbqj8swi59Ggj/G2bpKtSKLan7aU385bl4OEQYQ= github.com/capeprivacy/go-kit v0.0.0-20220420152147-667383169b7a/go.mod h1:OptX4dMqL/8r+LhanI9Eoif5Tf6sQPqiIcpx955QhTo= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= @@ -53,6 +54,8 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cloudflare/circl v1.2.0 h1:NheeISPSUcYftKlfrLuOo4T62FkmD4t4jviLfFFYaec= +github.com/cloudflare/circl v1.2.0/go.mod h1:Ch2UgYr6ti2KTtlejELlROl0YIYj7SLjAC8M+INXlMk= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= @@ -280,6 +283,7 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= +golang.org/x/crypto v0.0.0-20220315160706-3147a52a75dd/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 h1:kUhD7nTDoI3fVd9G4ORWrbV5NY0liEs/Jg2pv5f+bBA= golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= @@ -347,6 +351,7 @@ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -405,10 +410,12 @@ golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220315194320-039c03cc5b86/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad h1:ntjMns5wyP/fN65tdBD4g8J5w8n015+iIIs9rtjXkY0= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= @@ -419,6 +426,7 @@ golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5f golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= From 8b144cca8e700aea75b32c27975708bdc4e906cc Mon Sep 17 00:00:00 2001 From: Gavin Uhma Date: Tue, 12 Jul 2022 16:29:23 -0300 Subject: [PATCH 2/6] Fix lint error --- crypto/enclave_encrypt.go | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/crypto/enclave_encrypt.go b/crypto/enclave_encrypt.go index 5a19fedb..044e508c 100644 --- a/crypto/enclave_encrypt.go +++ b/crypto/enclave_encrypt.go @@ -10,7 +10,6 @@ import ( ) func LocalEncrypt(doc attest.AttestationDoc, plaintext []byte) ([]byte, error) { - kemID := hpke.KEM_X25519_HKDF_SHA256 kdfID := hpke.KDF_HKDF_SHA256 aeadID := hpke.AEAD_ChaCha20Poly1305 @@ -35,8 +34,6 @@ func LocalEncrypt(doc attest.AttestationDoc, plaintext []byte) ([]byte, error) { if err != nil { return nil, fmt.Errorf("unable to encrypt %s", err) } - - payload := append(encapsulatedKey, ciphertext...) - - return payload, nil + + return append(encapsulatedKey, ciphertext...), nil } From 8cc4ddb69ed52de4b3b49874770969405e27446d Mon Sep 17 00:00:00 2001 From: Gavin Uhma Date: Tue, 12 Jul 2022 16:43:35 -0300 Subject: [PATCH 3/6] Fix lint errors --- crypto/enclave_encrypt.go | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/crypto/enclave_encrypt.go b/crypto/enclave_encrypt.go index 044e508c..b158f024 100644 --- a/crypto/enclave_encrypt.go +++ b/crypto/enclave_encrypt.go @@ -1,12 +1,11 @@ package crypto import ( - "fmt" - "crypto/rand" - "github.com/cloudflare/circl/hpke" + "fmt" "github.com/capeprivacy/cli/attest" + "github.com/cloudflare/circl/hpke" ) func LocalEncrypt(doc attest.AttestationDoc, plaintext []byte) ([]byte, error) { @@ -16,9 +15,9 @@ func LocalEncrypt(doc attest.AttestationDoc, plaintext []byte) ([]byte, error) { suite := hpke.NewSuite(kemID, kdfID, aeadID) kemPublicKey, err := kemID.Scheme().UnmarshalBinaryPublicKey(doc.PublicKey) - if err != nil { - fmt.Println(err) - } + if err != nil { + fmt.Println(err) + } sender, err := suite.NewSender(kemPublicKey, nil) if err != nil { @@ -34,6 +33,6 @@ func LocalEncrypt(doc attest.AttestationDoc, plaintext []byte) ([]byte, error) { if err != nil { return nil, fmt.Errorf("unable to encrypt %s", err) } - + return append(encapsulatedKey, ciphertext...), nil } From d224f746562f2a373f9e8fab8a98c5a4505169cc Mon Sep 17 00:00:00 2001 From: Gavin Uhma Date: Tue, 12 Jul 2022 17:37:09 -0300 Subject: [PATCH 4/6] fix goimports --- crypto/enclave_encrypt.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/crypto/enclave_encrypt.go b/crypto/enclave_encrypt.go index b158f024..c8672c87 100644 --- a/crypto/enclave_encrypt.go +++ b/crypto/enclave_encrypt.go @@ -4,8 +4,9 @@ import ( "crypto/rand" "fmt" - "github.com/capeprivacy/cli/attest" "github.com/cloudflare/circl/hpke" + + "github.com/capeprivacy/cli/attest" ) func LocalEncrypt(doc attest.AttestationDoc, plaintext []byte) ([]byte, error) { From cee42005b7ba63cf1ece1408c8bf9009c0aa23b3 Mon Sep 17 00:00:00 2001 From: eric-capeprivacy <86608848+eric-capeprivacy@users.noreply.github.com> Date: Wed, 13 Jul 2022 16:08:07 -0400 Subject: [PATCH 5/6] have CLI process error values returned by error-sentinel and sentinel (#88) add http resp parsing --- capetest/capetest.go | 17 ++++++++++++++++- cmd/cape/cmd/deploy.go | 13 ++++++++++++- cmd/cape/cmd/run.go | 19 +++++++++++++++++-- 3 files changed, 45 insertions(+), 4 deletions(-) diff --git a/capetest/capetest.go b/capetest/capetest.go index 79aa3fca..a55bd8c5 100644 --- a/capetest/capetest.go +++ b/capetest/capetest.go @@ -2,8 +2,11 @@ package capetest import ( "crypto/tls" + "encoding/json" "net/http" + log "github.com/sirupsen/logrus" + "github.com/gorilla/websocket" "github.com/capeprivacy/cli/attest" @@ -31,6 +34,11 @@ type Message struct { Message []byte `json:"message"` } +// TODO -- cmd package also defines this +type ErrorMsg struct { + Error string `json:"error"` +} + // TODO -- cmd package also defines this func websocketDial(url string, insecure bool) (*websocket.Conn, *http.Response, error) { if insecure { @@ -43,8 +51,15 @@ func websocketDial(url string, insecure bool) (*websocket.Conn, *http.Response, } func CapeTest(testReq TestRequest, endpoint string, insecure bool) (*RunResults, error) { - conn, _, err := websocketDial(endpoint, insecure) + conn, resp, err := websocketDial(endpoint, insecure) + defer resp.Body.Close() if err != nil { + log.Error("error dialing websocket", err) + var e ErrorMsg + if err := json.NewDecoder(resp.Body).Decode(&e); err != nil { + return nil, err + } + log.Errorf("error code: %d, reason: %s", resp.StatusCode, e.Error) return nil, err } diff --git a/cmd/cape/cmd/deploy.go b/cmd/cape/cmd/deploy.go index 3161e29c..5ef0c6e8 100644 --- a/cmd/cape/cmd/deploy.go +++ b/cmd/cape/cmd/deploy.go @@ -4,6 +4,7 @@ import ( "archive/zip" "bytes" "crypto/tls" + "encoding/json" "fmt" "io" "net/http" @@ -24,6 +25,10 @@ import ( czip "github.com/capeprivacy/cli/zip" ) +type ErrorMsg struct { + Error string `json:"error"` +} + type DeployRequest struct { Nonce string `json:"nonce"` AuthToken string `json:"auth_token"` @@ -172,9 +177,15 @@ func doDeploy(url string, name string, reader io.Reader, insecure bool) (string, s.Prefix = "Deploying function to Cape " s.Start() - conn, _, err := websocketDial(endpoint, insecure) + conn, res, err := websocketDial(endpoint, insecure) + defer res.Body.Close() if err != nil { log.Error("error dialing websocket", err) + var e ErrorMsg + if err := json.NewDecoder(res.Body).Decode(&e); err != nil { + return "", err + } + log.Errorf("error code: %d, reason: %s", res.StatusCode, e.Error) return "", err } diff --git a/cmd/cape/cmd/run.go b/cmd/cape/cmd/run.go index 58db992d..bfa195f2 100644 --- a/cmd/cape/cmd/run.go +++ b/cmd/cape/cmd/run.go @@ -2,6 +2,7 @@ package cmd import ( "bytes" + "encoding/json" "fmt" "io" "io/ioutil" @@ -113,11 +114,16 @@ func doRun(url string, functionID string, data []byte, insecure bool) ([]byte, e endpoint := fmt.Sprintf("%s/v1/run/%s", url, functionID) c, res, err := websocketDial(endpoint, insecure) + defer res.Body.Close() if err != nil { - log.Println("error dialing websocket", res) + log.Error("error dialing websocket", err) + var e ErrorMsg + if err := json.NewDecoder(res.Body).Decode(&e); err != nil { + return nil, err + } + log.Errorf("error code: %d, reason: %s", res.StatusCode, e.Error) return nil, err } - nonce, err := crypto.GetNonce() if err != nil { return nil, err @@ -134,6 +140,15 @@ func doRun(url string, functionID string, data []byte, insecure bool) ([]byte, e log.Println("error writing deploy request") return nil, err } + // Try to read message + t, socketMsg, err := c.ReadMessage() + if err != nil { + log.Error("failed to fetch response", err) + } + + if t == websocket.CloseMessage { + log.Errorf("failed to run with: %s", string(socketMsg)) + } var msg Message err = c.ReadJSON(&msg) From 245113c85d92a220f6f50c5e45b461390f2ecf3e Mon Sep 17 00:00:00 2001 From: Gavin Uhma Date: Thu, 14 Jul 2022 10:35:33 -0300 Subject: [PATCH 6/6] go mod tidy --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 74baeeb9..32f75fc3 100644 --- a/go.mod +++ b/go.mod @@ -6,6 +6,7 @@ require ( github.com/avast/retry-go v3.0.0+incompatible github.com/briandowns/spinner v1.18.1 github.com/capeprivacy/go-kit v0.0.0-20220420152147-667383169b7a + github.com/cloudflare/circl v1.2.0 github.com/fxamacker/cbor/v2 v2.4.0 github.com/google/tink/go v1.6.1 github.com/jedib0t/go-pretty/v6 v6.3.1 @@ -13,7 +14,6 @@ require ( ) require ( - github.com/cloudflare/circl v1.2.0 // indirect github.com/fatih/color v1.13.0 // indirect github.com/fsnotify/fsnotify v1.5.1 // indirect github.com/golang/protobuf v1.5.2 // indirect