Use SVR3 staging domains and enclaves

2024-09-19 19:42:19 +02:00 · 2024-01-18 13:37:28 -08:00 · 2024-01-18 13:37:28 -08:00 · 16631a88ca
commit 16631a88ca
parent b31ca0781c
7 changed files with 37 additions and 37 deletions
--- a/rust/attest/src/nitro.rs
+++ b/rust/attest/src/nitro.rs
@ -15,7 +15,6 @@ use prost::{DecodeError, Message};
 use sha2::{Digest, Sha384};
 use subtle::ConstantTimeEq;

-use crate::dcap::MREnclave;
 use crate::enclave::{self, Claims, Handshake};
 use crate::proto;
 use crate::svr2::{expected_raft_config, RaftConfig};
@ -31,13 +30,13 @@ type Pcr = [u8; 48];
 // We only ever validate PCRs 0, 1, and 2.
 type PcrMap = SmallMap<usize, Pcr, 3>;

-const EXPECTED_PCRS: SmallMap<MREnclave, PcrMap, 1>  = SmallMap::new([
+const EXPECTED_PCRS: SmallMap<&'static [u8], PcrMap, 1>  = SmallMap::new([
    (
-        hex!("17e1cb662572d28e0eb5a492ed8df949bc2cfcf3f2098b710e7b637759d6dcb3"),
+        b"cc8f7cb1.52b91975.61d0bcb0",
        SmallMap::new([
-            (0, hex!("67fdc91606ca9d5e73c35412f7d22397deb3f56ff2365803c66f0924f1dbeb29517fa4a62014b0bf49bd59541e4bcdd7")),
-            (1, hex!("52b919754e1643f4027eeee8ec39cc4a2cb931723de0c93ce5cc8d407467dc4302e86490c01c0d755acfe10dbf657546")),
-            (2, hex!("18e034916997b8e97edfc79e743f70ddcef21a45841a7a8727e2b6d094b1941bd6f988d806df1471025bcccfe35c4572")),
+             (0, hex!("cc8f7cb1206285b1d07d1c390fee96d98c6373b2006aee6764f45c8acde7abc7a87b9af665ff0b2b14f4b20717f3f356")),
+             (1, hex!("52b919754e1643f4027eeee8ec39cc4a2cb931723de0c93ce5cc8d407467dc4302e86490c01c0d755acfe10dbf657546")),
+             (2, hex!("61d0bcb015dc32cded08c17ec0e9de008682d3a16082f59a6b60de00a0fba4aebbb26447c67378c924afe74bc9654738")),
        ]),
    ),
 ]);
@ -51,7 +50,7 @@ impl Handshake {
    ) -> Result<Self, enclave::Error> {
        let expected_pcrs =
            EXPECTED_PCRS
-                .get(enclave)
+                .get(&enclave)
                .ok_or_else(|| enclave::Error::AttestationDataError {
                    reason: format!("unknown enclave {:?}", enclave),
                })?;
--- a/rust/attest/src/svr2.rs
+++ b/rust/attest/src/svr2.rs
@ -14,7 +14,7 @@ use crate::util::SmallMap;

 /// Map from MREnclave to intel SW advisories that are known to be mitigated in the
 /// build with that MREnclave value
-const ACCEPTABLE_SW_ADVISORIES: &SmallMap<MREnclave, &'static [&'static str], 4> =
+const ACCEPTABLE_SW_ADVISORIES: &SmallMap<MREnclave, &'static [&'static str], 5> =
    &SmallMap::new([
        (
            hex!("a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95"),
@ -32,6 +32,10 @@ const ACCEPTABLE_SW_ADVISORIES: &SmallMap<MREnclave, &'static [&'static str], 4>
            hex!("a6622ad4656e1abcd0bc0ff17c229477747d2ded0495c4ebee7ed35c1789fa97"),
            &["INTEL-SA-00615", "INTEL-SA-00657"] as &[&str],
        ),
+        (
+            hex!("5db9423ed5a0b0bef374eac3a8251839e1f63ed40a2537415b63656b26912d92"),
+            &["INTEL-SA-00615", "INTEL-SA-00657"] as &[&str],
+        ),
    ]);

 /// SW advisories known to be mitigated by default. If an MREnclave is provided that
@ -57,7 +61,7 @@ impl PartialEq<svr2::RaftGroupConfig> for RaftConfig {
 }

 /// Expected raft configuration for a given enclave.
-static EXPECTED_RAFT_CONFIG: SmallMap<MREnclave, &'static RaftConfig, 4> = SmallMap::new([
+static EXPECTED_RAFT_CONFIG: SmallMap<MREnclave, &'static RaftConfig, 5> = SmallMap::new([
    (
        hex!("a8a261420a6bb9b61aa25bf8a79e8bd20d7652531feb3381cbffd446d270be95"),
        &RaftConfig {
@ -94,6 +98,16 @@ static EXPECTED_RAFT_CONFIG: SmallMap<MREnclave, &'static RaftConfig, 4> = Small
            group_id: 1230918306983775578,
        },
    ),
+    (
+        // svr3 staging
+        hex!("5db9423ed5a0b0bef374eac3a8251839e1f63ed40a2537415b63656b26912d92"),
+        &RaftConfig {
+            min_voting_replicas: 3,
+            max_voting_replicas: 5,
+            super_majority: 0,
+            group_id: 13862729870901000330,
+        },
+    ),
 ]);

 pub(crate) fn expected_raft_config(
--- a/rust/attest/src/util.rs
+++ b/rust/attest/src/util.rs
@ -16,7 +16,7 @@ pub(crate) struct SmallMap<K, V, const N: usize>([(K, V); N]);

 impl<K, V, const N: usize> SmallMap<K, V, N> {
    /// The maximum number of elements allowed in a `SmallMap`.
-    const MAX_SIZE: usize = 4;
+    const MAX_SIZE: usize = 5;

    /// Checks at compile-time (via `const`) that `N` is small enough.
    const CHECK_MAX_SIZE: () = assert!(
--- a/rust/net/examples/svr3.rs
+++ b/rust/net/examples/svr3.rs
@ -22,23 +22,13 @@ use libsignal_net::infra::TcpSslTransportConnector;
 use libsignal_net::svr::{Auth, SvrConnection};
 use libsignal_net::svr3::{OpaqueMaskedShareSet, PpssOps};

-const SGX_TEST_SERVER_CERT_DER: &[u8] = include_bytes!("../res/sgx_test_server_cert.cer");
-const SGX_TEST_RAFT_CONFIG: RaftConfig = RaftConfig {
-    min_voting_replicas: 1,
-    max_voting_replicas: 3,
-    super_majority: 0,
-    group_id: 5873791967879921865,
-};
-
 const NITRO_TEST_RAFT_CONFIG: RaftConfig = RaftConfig {
-    group_id: 14613281978079894749,
-    min_voting_replicas: 1,
+    group_id: 2058019258222238426,
+    min_voting_replicas: 3,
    max_voting_replicas: 5,
    super_majority: 0,
 };

-const NITRO_TEST_SERVER_CERT_DER: &[u8] = include_bytes!("../res/nitro_test_server_cert.cer");
-
 #[derive(Parser, Debug)]
 struct Args {
    /// base64 encoding of the auth secret for SGX
@ -70,13 +60,8 @@ async fn main() {
    };

    let connect = || async {
-        let connection_a = EndpointConnection::with_custom_properties(
-            env.sgx(),
-            Duration::from_secs(10),
-            TcpSslTransportConnector,
-            RootCertificates::FromDer(SGX_TEST_SERVER_CERT_DER.to_vec()),
-            Some(&SGX_TEST_RAFT_CONFIG),
-        );
+        let connection_a =
+            EndpointConnection::new(env.sgx(), Duration::from_secs(10), TcpSslTransportConnector);
        let sgx_auth = Auth {
            uid: uid.to_string(),
            secret: sgx_secret,
@ -89,7 +74,7 @@ async fn main() {
            env.nitro(),
            Duration::from_secs(10),
            TcpSslTransportConnector,
-            RootCertificates::FromDer(NITRO_TEST_SERVER_CERT_DER.to_vec()),
+            RootCertificates::Signal,
            Some(&NITRO_TEST_RAFT_CONFIG),
        );
        let nitro_auth = Auth {
--- a/rust/net/res/nitro_test_server_cert.cer
+++ b/rust/net/res/nitro_test_server_cert.cer
--- a/rust/net/src/enclave.rs
+++ b/rust/net/src/enclave.rs
@ -45,7 +45,11 @@ impl EnclaveKind for Sgx {

 impl EnclaveKind for Nitro {
    fn url_path(enclave: &[u8]) -> PathAndQuery {
-        PathAndQuery::try_from(format!("/v1/{}", hex::encode(enclave))).unwrap()
+        PathAndQuery::try_from(format!(
+            "/v1/{}",
+            std::str::from_utf8(enclave).expect("valid utf8")
+        ))
+        .unwrap()
    }
 }

--- a/rust/net/src/env.rs
+++ b/rust/net/src/env.rs
@ -50,16 +50,14 @@ pub const STAGING: Env<'static, Svr3Env> = Env {
    },
    svr3: Svr3Env(
        EnclaveEndpoint {
-            host: "backend1.svr3.test.signal.org",
+            host: "backend1.svr3.staging.signal.org",
            mr_enclave: MrEnclave::new(&hex!(
-                "acb1973aa0bbbd14b3b4e06f145497d948fd4a98efc500fcce363b3b743ec482"
+                "5db9423ed5a0b0bef374eac3a8251839e1f63ed40a2537415b63656b26912d92"
            )),
        },
        EnclaveEndpoint {
-            host: "backend2.svr3.test.signal.org",
-            mr_enclave: MrEnclave::new(&hex!(
-                "17e1cb662572d28e0eb5a492ed8df949bc2cfcf3f2098b710e7b637759d6dcb3"
-            )),
+            host: "backend2.svr3.staging.signal.org",
+            mr_enclave: MrEnclave::new(b"cc8f7cb1.52b91975.61d0bcb0"),
        },
    ),
 };