[keys] Cleanup keys/certs and consolidate keys with auditors (#145)

.gitignore

@@ -1,26 +1,14 @@
-**/ias_*
 **/Cargo.lock
 **/target
-**/Enclave_u*
-**/Enclave_t*
 **/*.o
 **/*.pyc
 **/*.a
 **/*.so
 **/*.swp
 **/.DS_Store
-bin
-out
 cov.info
 cov_report
-# Makefile will help use to prepare a proper Cargo.toml and .cargo/config
-/Cargo.toml
-.cargo
 /**/pkg_name
-examples/**/*.log
-*.sha256
-/examples/image_resizing/logo.jpg
-/cert/spid.txt
 .vscode/*
 # ignore the build dir which usually for cmake
 /build

cmake/scripts/prep.sh

@@ -18,7 +18,7 @@ mkdir -p ${MESATEE_OUT_DIR} ${MESATEE_TARGET_DIR} ${MESATEE_SERVICE_INSTALL_DIR}
     ${MESATEE_EXAMPLE_INSTALL_DIR} ${MESATEE_BIN_INSTALL_DIR} ${MESATEE_LIB_INSTALL_DIR} \
     ${MESATEE_TEST_INSTALL_DIR} ${MESATEE_AUDITORS_DIR} ${MESATEE_EXAMPLE_AUDITORS_DIR}
 # copy auditors to install directory to make it easy to package all built things
-cp -RT ${CMAKE_SOURCE_DIR}/auditors/ ${MESATEE_AUDITORS_DIR}/
+cp -RT ${CMAKE_SOURCE_DIR}/keys/auditors/ ${MESATEE_AUDITORS_DIR}/
 cp ${CMAKE_SOURCE_DIR}/teaclave_config/runtime.config.toml ${MESATEE_SERVICE_INSTALL_DIR}
 cp ${CMAKE_SOURCE_DIR}/teaclave_config/runtime.config.toml ${MESATEE_TEST_INSTALL_DIR}
 # create the following symlinks to make remapped paths accessible and avoid repeated building

cmake/scripts/sgx_link_sign.sh

@@ -33,7 +33,7 @@ ${CMAKE_C_COMPILER} libEnclave_t.o -o \
     -Wl,--defsym,__ImageBase=0 \
     -Wl,--gc-sections \
     -Wl,--version-script=${MESATEE_PROJECT_ROOT}/cmake/scripts/Enclave.lds
-${SGX_ENCLAVE_SIGNER} sign -key ${MESATEE_PROJECT_ROOT}/cert/Enclave_private.pem \
+${SGX_ENCLAVE_SIGNER} sign -key ${MESATEE_PROJECT_ROOT}/keys/enclave_signing_key.pem \
     -enclave ${CUR_MODULE_NAME}.enclave.so \
     -out ${CUR_INSTALL_DIR}/${CUR_MODULE_NAME}.enclave.signed.so \
     -config ${MESATEE_PROJECT_ROOT}/${CUR_MODULE_PATH}/Enclave.config.xml \

keys/sp_root_ca_key.pem

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIYNTGhDVj0XKpNhlaHZhv8R8kZopjQg+3lLUiKWJpe2oAoGCCqGSM49
+AwEHoUQDQgAEbVU0oGETuO9OYCGAPIyyN5i3RrFZqWBaBPBCFj8VsjoAMOagumK+
+FxY7ULghfAjmAmvEERHmA2U0fcb6rHWU9A==
+-----END EC PRIVATE KEY-----

teaclave_config/build.config.toml

@@ -1,16 +1,16 @@
 # Teaclave Build Config
 
 # Service provider's root CA certificate to verify clients
-sp_root_ca_cert = { path = "../cert/ca.crt" }
+sp_root_ca_cert = { path = "../keys/sp_root_ca_cert.pem" }
 
 # Intel Attestation Service root CA certificate to verify attestation report
-ias_root_ca_cert = { path = "../cert/AttestationReportSigningCACert.pem" }
+ias_root_ca_cert = { path = "../keys/ias_root_ca_cert.pem" }
 
 # Auditors' public keys to verify their endorsement signatures
 auditor_public_keys = [
-    { path = "../auditors/godzilla/godzilla.public.der" },
-    { path = "../auditors/optimus_prime/optimus_prime.public.der" },
-    { path = "../auditors/albus_dumbledore/albus_dumbledore.public.der"},
+    { path = "../keys/auditors/godzilla/godzilla.public.der" },
+    { path = "../keys/auditors/optimus_prime/optimus_prime.public.der" },
+    { path = "../keys/auditors/albus_dumbledore/albus_dumbledore.public.der"},
 ]
 
 # RPC max message size

teaclave_config/build.rs

@@ -1,6 +1,7 @@
 use std::env;
 use std::path::Path;
 use std::process::Command;
+use std::str;
 
 fn main() {
     let is_sim = env::var("SGX_MODE").unwrap_or_else(|_| "HW".to_string());
@@ -22,5 +23,11 @@ fn main() {
         ])
         .output()
         .expect("Cannot generate build_config.rs");
-    assert!(c.status.success());
+    if !c.status.success() {
+        panic!(
+            "stdout: {:?}, stderr: {:?}",
+            str::from_utf8(&c.stderr).unwrap(),
+            str::from_utf8(&c.stderr).unwrap()
+        );
+    }
 }

teaclave_config/config_gen/main.rs

@@ -24,7 +24,7 @@ enum ConfigSource {
 fn display_config_source(config: &ConfigSource) -> String {
     match config {
         ConfigSource::Path(p) => {
-            let content = &fs::read(p).unwrap();
+            let content = &fs::read(p).expect(&format!("Failed to read file: {}", p.display()));
             let mut output = String::new();
             output.push_str("&[");
             for b in content {
@@ -43,7 +43,7 @@ fn main() {
         panic!("Please specify the path of build config toml and output path.");
     }
     let contents = fs::read_to_string(&args[1]).expect("Something went wrong reading the file");
-    let config: BuildConfigToml = toml::from_str(&contents).unwrap();
+    let config: BuildConfigToml = toml::from_str(&contents).expect("Failed to parse the config.");
 
     let sp_root_ca_cert = display_config_source(&config.sp_root_ca_cert);
     let ias_root_ca_cert = display_config_source(&config.ias_root_ca_cert);
@@ -81,6 +81,8 @@ fn main() {
     ));
 
     let dest_path = Path::new(&args[2]);
-    let mut f = File::create(&dest_path).unwrap();
-    f.write_all(build_config_generated.as_bytes()).unwrap();
+    let mut f =
+        File::create(&dest_path).expect(&format!("Failed to create file: {}", dest_path.display()));
+    f.write_all(build_config_generated.as_bytes())
+        .expect(&format!("Failed to write file: {}", dest_path.display()));
 }