DO NOT USE THIS IN PRODUCTION.
A non-SGX platform is sufficient; tested with Ubuntu 18.04 and Ubuntu 20.04.
For easier setup use Docker; however, the service can also be run manually without containers.
Setup with self-signed certs, scripts and Docker image:
Requirements:
- Docker (tested with version 20.10.11)
$ curl -fsSL https://get.docker.com -o get-docker.sh
$ sudo sh ./get-docker.sh
# Build sss:latest docker image
./build.sh
# Create self-signed certs
./prepareCerts.sh
# Run SSS
./runSSS.sh
A health check is performed automatically to ensure SSS is operable.
Requirements (manual setup, without containers):
To use the service, two key pairs with corresponding self-signed certificates are needed: one for HTTPS, the other for signing the Attestation Report.
First, create a key and self-signed certificate for HTTPS:
openssl genrsa -out key.pem
openssl req -new -key key.pem -out csr.pem
openssl x509 -req -days 9999 -in csr.pem -signkey key.pem -out cert.pem
rm csr.pem
Then create a key and self-signed certificate for signing the Attestation Report:
openssl genrsa -out sign-key.pem 3072
openssl req -new -key sign-key.pem -out csr.pem
openssl x509 -req -days 9999 -in csr.pem -signkey sign-key.pem -out sign-cert.pem
rm csr.pem
The sample simple-signing-service is configured by default to support mTLS.
To allow requests from Quote Verification Service, the QVS client certificate has to be added to SSS's trusted CA; its path is set by the QVS_VCS_CLIENT_CERT_FILE configuration variable.
To do so, create the QVS client certificate. The expected result is that a copy of qvs-to-sss-client-cert.pem is located in SSS's directory.
Build simple-signing-service:
npm install
and start it:
npm start
or directly: node simple-signing-service.js
This service will run with two ports enabled:
Server Started: https://localhost:8797
Server Started: http://localhost:8796
To use HTTPS (default port: 8797), create the qvs-to-sss-client key and cert first, following ../../configuration-default/certificates/README.md
curl http://localhost:8796/health
curl --cacert ../../configuration-default/certificates/internal_ca/sss-mtls-cert.pem --key ../../configuration-default/certificates/qvs-to-sss-client-key.pem --cert ../../configuration-default/certificates/qvs-to-sss-client-cert.pem https://localhost:8797/health
Read the log and copy the value from the line below:
Signing Certificate in URL encoded:<SIGNING_KEY_CERTIFCATE_URL_ENCODED>
That value will be required to start Quote Verification Service.