Sync state from fellow validateer

Cargo.lock

@@ -2460,6 +2460,7 @@ dependencies = [
  "frame-support",
  "itp-enclave-api-ffi",
  "itp-settings",
+ "itp-types",
  "log 0.4.14 (registry+https://github.com/rust-lang/crates.io-index)",
  "mockall",
  "parity-scale-codec",

core-primitives/enclave-api/Cargo.toml

@@ -21,6 +21,7 @@ sp-runtime = { version = "4.0.0-dev", git = "https://github.com/paritytech/subst
 
 itp-enclave-api-ffi = { path = "ffi" }
 itp-settings = { path = "../settings" }
+itp-types = { path = "../types" }
 
 
 [dev-dependencies]

core-primitives/enclave-api/ffi/src/lib.rs

@@ -128,19 +128,21 @@ extern "C" {
 		unchecked_extrinsic_size: u32,
 	) -> sgx_status_t;
 
-	pub fn run_key_provisioning_server(
+	pub fn run_state_provisioning_server(
 		eid: sgx_enclave_id_t,
 		retval: *mut sgx_status_t,
 		socket_fd: c_int,
 		sign_type: sgx_quote_sign_type_t,
 		skip_ra: c_int,
 	) -> sgx_status_t;
 
-	pub fn request_key_provisioning(
+	pub fn request_state_provisioning(
 		eid: sgx_enclave_id_t,
 		retval: *mut sgx_status_t,
 		socket_fd: c_int,
 		sign_type: sgx_quote_sign_type_t,
+		shard: *const u8,
+		shard_size: u32,
 		skip_ra: c_int,
 	) -> sgx_status_t;
 }

core-primitives/enclave-api/src/remote_attestation.rs

@@ -17,9 +17,11 @@
 */
 
 use crate::{error::Error, utils, Enclave, EnclaveResult};
+use codec::Encode;
 use frame_support::ensure;
 use itp_enclave_api_ffi as ffi;
 use itp_settings::worker::EXTRINSIC_MAX_SIZE;
+use itp_types::ShardIdentifier;
 use sgx_types::*;
 
 /// general remote attestation methods
@@ -59,17 +61,18 @@ pub trait RemoteAttestationCallBacks {
 
 /// TLS remote attestations methods
 pub trait TlsRemoteAttestation {
-	fn run_key_provisioning_server(
+	fn run_state_provisioning_server(
 		&self,
 		socket_fd: c_int,
 		sign_type: sgx_quote_sign_type_t,
 		skip_ra: bool,
 	) -> EnclaveResult<()>;
 
-	fn request_key_provisioning(
+	fn request_state_provisioning(
 		&self,
 		socket_fd: c_int,
 		sign_type: sgx_quote_sign_type_t,
+		shard: &ShardIdentifier,
 		skip_ra: bool,
 	) -> EnclaveResult<()>;
 }
@@ -206,7 +209,7 @@ impl RemoteAttestationCallBacks for Enclave {
 }
 
 impl TlsRemoteAttestation for Enclave {
-	fn run_key_provisioning_server(
+	fn run_state_provisioning_server(
 		&self,
 		socket_fd: c_int,
 		sign_type: sgx_quote_sign_type_t,
@@ -215,7 +218,7 @@ impl TlsRemoteAttestation for Enclave {
 		let mut retval = sgx_status_t::SGX_SUCCESS;
 
 		let result = unsafe {
-			ffi::run_key_provisioning_server(
+			ffi::run_state_provisioning_server(
 				self.eid,
 				&mut retval,
 				socket_fd,
@@ -230,20 +233,25 @@ impl TlsRemoteAttestation for Enclave {
 		Ok(())
 	}
 
-	fn request_key_provisioning(
+	fn request_state_provisioning(
 		&self,
 		socket_fd: c_int,
 		sign_type: sgx_quote_sign_type_t,
+		shard: &ShardIdentifier,
 		skip_ra: bool,
 	) -> EnclaveResult<()> {
 		let mut retval = sgx_status_t::SGX_SUCCESS;
 
+		let encoded_shard = shard.encode();
+
 		let result = unsafe {
-			ffi::request_key_provisioning(
+			ffi::request_state_provisioning(
 				self.eid,
 				&mut retval,
 				socket_fd,
 				sign_type,
+				encoded_shard.as_ptr(),
+				encoded_shard.len() as u32,
 				skip_ra.into(),
 			)
 		};

core-primitives/sgx/crypto/Cargo.toml

@@ -11,16 +11,16 @@ ofb = { version = "0.4.0" }
 codec  = { package = "parity-scale-codec", version = "2.0.0", default-features = false, features = ["derive"] }
 derive_more = { version = "0.99.5" }
 log = { version = "0.4.14", default-features = false }
-serde = { version = "1.0", default-features = false, features = ["alloc"] , optional = true }
-serde_json = { version = "1.0", default-features = false, features = ["alloc"] , optional = true }
+serde = { version = "1.0", default-features = false, features = ["alloc"], optional = true }
+serde_json = { version = "1.0", default-features = false, features = ["alloc"], optional = true }
 
 # sgx deps
 sgx_types = { branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git" }
 sgx_tstd = { branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git", optional = true }
 sgx_rand = { branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git", optional = true }
 sgx-crypto-helper = { branch = "master", git = "https://github.com/apache/teaclave-sgx-sdk.git", package = "sgx_crypto_helper", default-features = false, optional = true }
-serde-sgx = { package = "serde", tag = "sgx_1.1.3", git = "https://github.com/mesalock-linux/serde-sgx" , optional = true  }
-serde_json-sgx = { package = "serde_json", tag = "sgx_1.1.3", git = "https://github.com/mesalock-linux/serde-json-sgx" , optional = true  }
+serde-sgx = { package = "serde", tag = "sgx_1.1.3", git = "https://github.com/mesalock-linux/serde-sgx", optional = true  }
+serde_json-sgx = { package = "serde_json", tag = "sgx_1.1.3", git = "https://github.com/mesalock-linux/serde-json-sgx", optional = true  }
 
 # substrate deps
 sp-core = { version = "4.1.0-dev", default-features = false, git = "https://github.com/paritytech/substrate.git", branch = "master"}
@@ -29,7 +29,6 @@ sp-core = { version = "4.1.0-dev", default-features = false, git = "https://gith
 itp-settings = { path = "../../settings" }
 itp-sgx-io = { path = "../io", default-features = false }
 
-
 [features]
 default = ["std"]
 std = [
@@ -48,3 +47,4 @@ sgx = [
     "serde_json-sgx",
     "serde-sgx"
 ]
+mocks = []

core-primitives/sgx/crypto/src/lib.rs

@@ -32,3 +32,6 @@ pub use self::ed25519::*;
 pub use self::rsa3072::*;
 pub use error::*;
 pub use traits::*;
+
+#[cfg(all(feature = "mocks", feature = "sgx"))]
+pub mod mocks;

core-primitives/sgx/crypto/src/mocks.rs

@@ -0,0 +1,55 @@
+/*
+	Copyright 2021 Integritee AG and Supercomputing Systems AG
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+
+*/
+
+use crate::{
+	error::{Error, Result},
+	Aes,
+};
+use itp_sgx_io::SealedIO;
+use sgx_crypto_helper::rsa3072::Rsa3072KeyPair;
+
+#[derive(Default)]
+pub struct AesSealMock {}
+
+impl SealedIO for AesSealMock {
+	type Error = Error;
+	type Unsealed = Aes;
+
+	fn unseal() -> Result<Self::Unsealed> {
+		Ok(Aes::default())
+	}
+
+	fn seal(_unsealed: Self::Unsealed) -> Result<()> {
+		Ok(())
+	}
+}
+
+#[derive(Default)]
+pub struct Rsa3072SealMock {}
+
+impl SealedIO for Rsa3072SealMock {
+	type Error = Error;
+	type Unsealed = Rsa3072KeyPair;
+
+	fn unseal() -> Result<Self::Unsealed> {
+		Ok(Rsa3072KeyPair::default())
+	}
+
+	fn seal(_unsealed: Self::Unsealed) -> Result<()> {
+		Ok(())
+	}
+}

enclave-runtime/Cargo.toml

@@ -19,6 +19,7 @@ test = [
     "ita-stf/test",
     "itc-parentchain/mocks",
     "itp-extrinsics-factory/mocks",
+    "itp-sgx-crypto/mocks",
     "itp-stf-executor/test",
     "itp-stf-state-handler/test",
     "itp-storage/test",

enclave-runtime/Enclave.edl

@@ -94,8 +94,13 @@ enclave {
 
 		public sgx_status_t dump_ra_to_disk();
 
-		public sgx_status_t run_key_provisioning_server(int fd, sgx_quote_sign_type_t quote_type, int skip_ra);
-        public sgx_status_t request_key_provisioning(int fd, sgx_quote_sign_type_t quote_type, int skip_ra);
+		public sgx_status_t run_state_provisioning_server(int fd, sgx_quote_sign_type_t quote_type, int skip_ra);
+        public sgx_status_t request_state_provisioning(
+			int fd,
+			sgx_quote_sign_type_t quote_type,
+			[in, size=shard_size] uint8_t* shard, uint32_t shard_size,
+			int skip_ra
+		);
 
 		public sgx_status_t call_rpc_methods(
 			[in, size=request_len] uint8_t* request, uint32_t request_len,

enclave-runtime/src/lib.rs

@@ -100,7 +100,7 @@ pub mod cert;
 pub mod error;
 pub mod rpc;
 mod sync;
-pub mod tls_ra;
+mod tls_ra;
 pub mod top_pool_execution;
 
 #[cfg(feature = "test")]

enclave-runtime/src/tests.rs

@@ -23,6 +23,7 @@ use crate::{
 		cert_tests::*, fixtures::initialize_test_state::init_state,
 		mocks::rpc_responder_mock::RpcResponderMock, sidechain_aura_tests,
 	},
+	tls_ra,
 };
 use codec::{Decode, Encode};
 use ita_stf::{
@@ -130,6 +131,18 @@ pub extern "C" fn test_main_entrance() -> size_t {
 		stf_executor_tests::propose_state_update_executes_all_calls_given_enough_time,
 		// sidechain integration tests
 		sidechain_aura_tests::produce_sidechain_block_and_import_it,
+		// tls_ra unit tests
+		tls_ra::seal_handler::test::seal_shielding_key_works,
+		tls_ra::seal_handler::test::seal_shielding_key_fails_for_invalid_key,
+		tls_ra::seal_handler::test::unseal_seal_shielding_key_works,
+		tls_ra::seal_handler::test::seal_signing_key_works,
+		tls_ra::seal_handler::test::seal_signing_key_fails_for_invalid_key,
+		tls_ra::seal_handler::test::unseal_seal_signing_key_works,
+		tls_ra::seal_handler::test::seal_state_works,
+		tls_ra::seal_handler::test::seal_state_fails_for_invalid_state,
+		tls_ra::seal_handler::test::unseal_seal_state_works,
+		tls_ra::tests::test_tls_ra_server_client_networking,
+
 		// these unit test (?) need an ipfs node running..
 		// ipfs::test_creates_ipfs_content_struct_works,
 		// ipfs::test_verification_ok_for_correct_content,