SafeKeeper Server Side Application in GoLang
This repository hosts the SafeKeeper password protection service that runs within an Intel SGX enclave and hashes passwords using the enclave's secret key. The application is written in golang using the EGo SDK. The enclave application is within the enclaveServer directory.
To run the SafeKeeper service on a system with Intel SGX support and the EGo SDK installed, run the following commands after cloning the repository:
sudo ego-go build enclaveServer
sudo ego sign enclaveServer
sudo ego run enclaveServer
We have also included the SGX quote verification service to verify the remote attestation quote generated by the SafeKeeper service written in GoLang in the quoteVerify directory. The service does not require Intel-SGX support provided that the required Intel DCAP libraries are installed. These libraries can be installed through the Linux package manager or by downloading the packages from the Intel website.
A detailed walkthrough on how to set up a system with Intel DCAP is provided at https://www.intel.com/content/www/us/en/developer/articles/guide/intel-software-guard-extensions-data-center-attestation-primitives-quick-install-guide.html
The latest Intel DCAP libraries that are needed for this application to run are available at https://download.01.org/intel-sgx/latest/dcap-latest/linux/
We have implemented the SafeKeeper password protection service on our Intel-SGX-supported server and also hosted the website which serves as the front-end interface to the user. The SafeKeeper service is an executable that runs inside an Intel SGX enclave through the EGo SDK. The executable spins up an HTTP server on port 8080 to handle client requests. The server runs an Apache server which routes the requests made to the '/safekeeper' endpoint to the service running at port 8080. The website is written in basic HTML, CSS, and vanilla Javascript. It's hosted using a simple Flask server that serves the webpages along with necessary CORS headers and most importantly CSP headers required by Code Verify. We've also added an endpoint on the Flask server that generates the manifest for Code Verify and is used by the developer when publishing the website to production. This endpoint is enabled now for testing and demonstration, but in a real-world scenario, it would be disabled and only be accessible to the developer. On another machine, we have set up the mock Cloudflare audit endpoint for Code Verify and the quote verification endpoint. Similar to the previous machine, we are running an Apache server to route the requests made to each service. The quote verification service is a go-executable that spins up an HTTP server on port 8085 with an endpoint used by the client to verify SGX quotes. The mock Cloudflare audit endpoint that serves the root hash of the manifest required by Code Verify runs on port 8080. Using the Apache server, we have routed requests to the '/quoteverify' endpoint to port 8085 and '/codeverify' to port 8080 respectively.