Peer Assistance Utility

* handles so far attestations to evidence conversion, stubs but
  no implementation yet for client request and response processing
* peer assistance utility integrated in peer for initEnclave
* some refactoring of managment api to make above easier and more consistent
* credentials are now also base64 encoded on initEnclave return flow (as in spec)
* client_sdk is now also included into global make
* a few missing gitignores

Signed-off-by: michael steiner <[email protected]>

Author: g2flyer

Makefile

@@ -6,7 +6,7 @@
 TOP = .
 include $(TOP)/build.mk
 
-SUB_DIRS = protos common internal ercc ecc_enclave ecc tlcc_enclave tlcc fabric examples utils integration # demo # docs
+SUB_DIRS = protos common internal ercc ecc_enclave ecc tlcc_enclave tlcc fabric client_sdk examples utils integration # demo # docs
 
 FPC_SDK_DEP_DIRS = protos utils/fabric common ecc_enclave ecc
 FPC_PEER_DEP_DIRS = protos common ercc tlcc_enclave tlcc fabric ecc_enclave ecc

client_sdk/Makefile

@@ -0,0 +1,11 @@
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+TOP = ..
+include $(TOP)/build.mk
+
+SUB_DIRS = go
+
+all build test clean clobber:
+	$(foreach DIR, $(SUB_DIRS), $(MAKE) -C $(DIR) $@ || exit ;)

client_sdk/go/Makefile

@@ -0,0 +1,11 @@
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+TOP = ../..
+include $(TOP)/build.mk
+
+SUB_DIRS = fpc test
+
+all build test clean clobber:
+	$(foreach DIR, $(SUB_DIRS), $(MAKE) -C $(DIR) $@ || exit ;)

client_sdk/go/fpc/Makefile

@@ -0,0 +1,16 @@
+# Copyright 2019 Intel Corporation
+# Copyright IBM Corp. All Rights Reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+TOP = ../../..
+include $(TOP)/build.mk
+
+build:
+	$(GO) build
+
+test:
+	$(GO) test $(GOTAGS) -v ./...
+
+clean:
+	$(GO) clean

client_sdk/go/fpc/management.go

@@ -12,7 +12,6 @@ import (
 	"fmt"
 	"log"
 
-	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger-labs/fabric-private-chaincode/client_sdk/go/fpc/attestation"
 	"github.com/hyperledger-labs/fabric-private-chaincode/internal/protos"
 	pbatt "github.com/hyperledger-labs/fabric-private-chaincode/internal/protos/attestation"
@@ -76,28 +75,39 @@ func (c *managementState) InitEnclave(peerEndpoint string, attestationParams ...
 	}
 
 	log.Printf("calling __initEnclave\n")
-	credentialsBytes, err := txn.Evaluate(utils.ProtoAsBase64(initMsg))
+	credentialsBytes, err := txn.Evaluate(utils.MarshallProto(initMsg))
 	if err != nil {
 		return fmt.Errorf("evaluation error: %s", err)
 	}
 
-	credentials := &protos.Credentials{}
-	err = proto.Unmarshal(credentialsBytes, credentials)
+	var convertedCredentials string
+	convertedCredentials, err = ConvertCredentials(string(credentialsBytes))
 	if err != nil {
-		return fmt.Errorf("cannot unmarshal credentials: %s", err)
+		return fmt.Errorf("evaluation error: %s", err)
 	}
 
-	// perform attestation evidence transformation
-	credentials, err = attestation.ToEvidence(credentials)
+	log.Printf("calling registerEnclave\n")
+	_, err = c.ercc.SubmitTransaction("registerEnclave", convertedCredentials)
 	if err != nil {
 		return err
 	}
 
-	log.Printf("calling registerEnclave\n")
-	_, err = c.ercc.SubmitTransaction("registerEnclave", utils.ProtoAsBase64(credentials))
+	return nil
+}
+
+// perform attestation evidence transformation
+func ConvertCredentials(credentialsOnlyAttestation string) (credentialsWithEvidence string, err error) {
+	log.Printf("Received Credential: '%s'", credentialsOnlyAttestation)
+	credentials, err := utils.UnmarshalCredentials(credentialsOnlyAttestation)
 	if err != nil {
-		return err
+		return "", fmt.Errorf("cannot decode credentials: %s", err)
 	}
 
-	return nil
+	credentials, err = attestation.ToEvidence(credentials)
+	if err != nil {
+		return "", err
+	}
+	credentialsOnlyAttestation = utils.MarshallProto(credentials)
+	log.Printf("Converted to Credential: '%s'", credentialsOnlyAttestation)
+	return credentialsOnlyAttestation, nil
 }

client_sdk/go/test/.gitignore

@@ -0,0 +1,4 @@
+# SPDX-License-Identifier: Apache-2.0
+test
+wallet
+keystore

ecc_mock/chaincode/ecc.go

@@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0
 package chaincode
 
 import (
+	"encoding/base64"
 	"fmt"
 
 	"github.com/golang/protobuf/ptypes"
@@ -72,7 +73,7 @@ func (t *EnclaveChaincode) initEnclave(stub shim.ChaincodeStubInterface) pb.Resp
 	}
 
 	// return credentials
-	return shim.Success(credentialsBytes)
+	return shim.Success([]byte(base64.StdEncoding.EncodeToString(credentialsBytes)))
 }
 
 func (t *EnclaveChaincode) invoke(stub shim.ChaincodeStubInterface) pb.Response {

ercc/registry/registry.go

@@ -229,9 +229,9 @@ func (rs *Contract) RegisterEnclave(ctx contractapi.TransactionContextInterface,
 		return err
 	}
 
-	// TODO check if this enclave is already registered
+	// TODO check if this enclave is already registered (MVP)
 
-	// TODO perform the (enclave) endorsement policy specific tests:
+	// TODO perform the (enclave) endorsement policy specific tests (MVP/Post-MVP)
 	// - MVP (designated chaincode): verify no other enclave (of other peers) is registered or fail
 	// - Post-MVP: check consistency with potentially existing enclaves
 
@@ -288,10 +288,10 @@ func checkAttestedData(ctx contractapi.TransactionContextInterface, v attestatio
 		return fmt.Errorf("creator identity evaluation failed: %s", err)
 	}
 
-	// TODO add more checks
-	// channel_hash should correspond to peers view of channel id (POST-MVP)
-	// TLCC_MRENCLAVE matches the version baked into ERCC (POST-MVP)
-	// validate FPC deployment (restriction) policy (POST-MVP)
+	// TODO add more checks (POST-MVP)
+	// - channel_hash should correspond to peers view of channel id
+	// - TLCC_MRENCLAVE matches the version baked into ERCC
+	// - validate FPC deployment (restriction) policy
 
 	return nil
 }
@@ -300,25 +300,23 @@ func checkAttestedData(ctx contractapi.TransactionContextInterface, v attestatio
 // This method is used during the key generation and key distribution protocol. In particular, during key generation,
 // this call sets the chaincode_ek for a chaincode if no chaincode_ek is set yet.
 func (rs *Contract) RegisterCCKeys(ctx contractapi.TransactionContextInterface, ccKeyRegistrationMessageBase64 string) error {
-	// TODO: Implement me for MVP
+	// TODO: Implement me once we remove spec-short-cut,see QueryChaincodeEncryptionKey (Post-MVP)
 
 	//input msg CCKeyRegistrationMessage
 
-	// TODO needs to be implemented for tx args/response encryption
-
 	return fmt.Errorf("not implemented yet")
 }
 
 // key distribution (Post-MVP features)
 func (rs *Contract) PutKeyExport(ctx contractapi.TransactionContextInterface, exportMessageBase64 string) error {
 	// input msg ExportMessage
-	// TODO implement me
+	// TODO implement me (Post-MVP)
 	return fmt.Errorf("not implemented yet")
 }
 
 func (rs *Contract) GetKeyExport(ctx contractapi.TransactionContextInterface, chaincodeId, enclaveId string) (string, error) {
 	//input chaincodeId string, enclaveId string
 	//return *ExportMessage or  error
-	// TODO implement me
+	// TODO implement me (Post-MVP)
 	return "", fmt.Errorf("not implemented yet")
 }

fabric/bin/lib/common_ledger.sh

@@ -13,6 +13,7 @@
 
 : ${FABRIC_PATH:="${FPC_TOP_DIR}/../../hyperledger/fabric/"}
 : ${FABRIC_BIN_DIR:="${FABRIC_PATH}/build/bin"}
+: ${FABRIC_UTIL_BIN_DIR:="${FPC_TOP_DIR}/utils/fabric"}
 
 FABRIC_SCRIPTDIR="${FPC_TOP_DIR}/fabric/bin/"
 
@@ -27,6 +28,7 @@ ledger_precond_check() {
 	[ -x "${FABRIC_BIN_DIR}/peer" ] || die "peer command does not exist in '${FABRIC_BIN_DIR}'"
 	[ -x "${FABRIC_BIN_DIR}/orderer" ] || die "orderer command does not exist in '${FABRIC_BIN_DIR}'"
 	[ -x "${FABRIC_BIN_DIR}/configtxgen" ] || die "configtxgen command does not exist in '${FABRIC_BIN_DIR}'"
+	[ -x "${FABRIC_UTIL_BIN_DIR}/peer-cli-assist" ] || die "peer-cli-assist command does not exist in '${FABRIC_UTIL_BIN_DIR}'"
 	[ ! -z "${FABRIC_STATE_DIR}" ] || die "Undefined fabric ledger state directory '${FABRIC_STATE_DIR}'"
 }
 
@@ -38,6 +40,7 @@ define_common_vars() {
     # use our wrapper for commands, so provide convience functions ..
     # note: as we might have defined FABRIC_CFG_PATH in this script, we have the pass it along!
     PEER_CMD="env FABRIC_CFG_PATH=${FABRIC_CFG_PATH} ${FABRIC_SCRIPTDIR}/peer.sh"
+    PEER_ASSIST_CMD="${FABRIC_UTIL_BIN_DIR}/peer-cli-assist"
     ORDERER_CMD="env FABRIC_CFG_PATH=${FABRIC_CFG_PATH} ${FABRIC_SCRIPTDIR}/orderer.sh"
     CONFIGTXGEN_CMD="env FABRIC_CFG_PATH=${FABRIC_CFG_PATH} ${FABRIC_SCRIPTDIR}/configtxgen.sh"
 

fabric/bin/peer.sh

@@ -442,8 +442,6 @@ handle_lifecycle_chaincode_initEnclave() {
         # set the default attestation params
         ATTESTATION_PARAMS=$(jq -c -n --arg atype "simulated" '{attestation_type: $atype}' | base64 --wrap=0)
     else
-        die "initEnclave unavailable in HW mode -- need format fix in attestation conversion"
-
         SPID_FILE_PATH="${SGX_CREDENTIALS_PATH}/spid.txt"
         SPID_TYPE_FILE_PATH="${SGX_CREDENTIALS_PATH}/spid_type.txt"
         [ -f "${SPID_FILE_PATH}" ] || die "no spid file ${SPID_FILE_PATH}"
@@ -483,25 +481,11 @@ handle_lifecycle_chaincode_initEnclave() {
     say "initEnclave response (decoded): $(echo "${B64CREDS}" | base64 -d)"
 
     say "Convert credentials"
-    TMPCREDSFILE=$(mktemp)
-    say "temp file: ${TMPCREDSFILE}"
-    echo ${B64CREDS} | base64 -d | protoc --decode fpc.Credentials --proto_path=${FPC_TOP_DIR}/protos/fpc --proto_path=${FPC_TOP_DIR}/protos/fabric ${FPC_TOP_DIR}/protos/fpc/fpc.proto > ${TMPCREDSFILE}
-    DECODED_CREDENTIALS=$(cat ${TMPCREDSFILE})
-    ATTESTATION=${DECODED_CREDENTIALS##*attestation: \"}
-    ATTESTATION=${ATTESTATION%%\"}
-    ATTESTATION=$(echo ${ATTESTATION} | sed 's/\\//g')
-    source ${FPC_TOP_DIR}/common/crypto/attestation-api/conversion/attestation_to_evidence.sh
-    attestation_to_evidence ${ATTESTATION}
-    # escape non-escaped quotes: (i) escape all quotes, replace double-escaped quotes with single-escaped quotes
-    EVIDENCE=$(echo ${EVIDENCE} | sed 's/\"/\\\"/g')
-    EVIDENCE=$(echo ${EVIDENCE} | sed 's/\\\\\"/\\\"/g')
-    echo "evidence: \"${EVIDENCE}\"" >> ${TMPCREDSFILE}
-    DECODED_CREDENTIALS=$(cat ${TMPCREDSFILE})
-    B64CREDS=$(echo ${DECODED_CREDENTIALS} | protoc --encode fpc.Credentials --proto_path=${FPC_TOP_DIR}/protos/fpc --proto_path=${FPC_TOP_DIR}/protos/fabric ${FPC_TOP_DIR}/protos/fpc/fpc.proto | base64 --wrap=0)
-    say "initEnclave converted response (b64): ${B64CREDS}"
+    B64CONVCREDS=$(echo "${B64CREDS}" | ${PEER_ASSIST_CMD} attestation2Evidence) || die "could not convert credentials"
+    say "initEnclave converted response (b64): ${B64CONVCREDS}"
 
     say "Registering with Enclave Registry"
-    try $RUN ${FABRIC_BIN_DIR}/peer chaincode invoke -o ${ORDERER_ADDR} -C ${CHAN_ID} -n ${ERCC_ID} -c '{"Args":["RegisterEnclave", "'${B64CREDS}'"]}' --waitForEvent
+    try $RUN ${FABRIC_BIN_DIR}/peer chaincode invoke -o ${ORDERER_ADDR} -C ${CHAN_ID} -n ${ERCC_ID} -c '{"Args":["RegisterEnclave", "'${B64CONVCREDS}'"]}' --waitForEvent
 
     # NOTE: the chaincode encryption key is retrieved here for testing purposes
     say "Querying Chaincode Encryption Key"

internal/utils/proto.go

@@ -19,26 +19,10 @@ import (
 	"github.com/hyperledger/fabric/protoutil"
 )
 
-func ProtoAsBase64(msg proto.Message) string {
+func MarshallProto(msg proto.Message) string {
 	return base64.StdEncoding.EncodeToString(protoutil.MarshalOrPanic(msg))
 }
 
-// returns enclave_id as hex-encoded string of SHA256 hash over enclave_vk.
-func GetEnclaveId(attestedData *protos.AttestedData) string {
-	h := sha256.Sum256(attestedData.EnclaveVk)
-	return hex.EncodeToString(h[:])
-}
-
-func ExtractEndpoint(credentials *protos.Credentials) (string, error) {
-	attestedData := &protos.AttestedData{}
-	err := ptypes.UnmarshalAny(credentials.SerializedAttestedData, attestedData)
-	if err != nil {
-		return "", err
-	}
-
-	return attestedData.HostParams.PeerEndpoint, nil
-}
-
 func UnmarshalCredentials(credentialsBase64 string) (*protos.Credentials, error) {
 	credentialsBytes, err := base64.StdEncoding.DecodeString(credentialsBase64)
 	if err != nil {
@@ -56,3 +40,19 @@ func UnmarshalCredentials(credentialsBase64 string) (*protos.Credentials, error)
 	}
 	return credentials, nil
 }
+
+// returns enclave_id as hex-encoded string of SHA256 hash over enclave_vk.
+func GetEnclaveId(attestedData *protos.AttestedData) string {
+	h := sha256.Sum256(attestedData.EnclaveVk)
+	return hex.EncodeToString(h[:])
+}
+
+func ExtractEndpoint(credentials *protos.Credentials) (string, error) {
+	attestedData := &protos.AttestedData{}
+	err := ptypes.UnmarshalAny(credentials.SerializedAttestedData, attestedData)
+	if err != nil {
+		return "", err
+	}
+
+	return attestedData.HostParams.PeerEndpoint, nil
+}

utils/fabric/.gitignore

@@ -1,2 +1,3 @@
 # SPDX-License-Identifier: Apache-2.0
 get-fabric-container-name
+peer-cli-assist

utils/fabric/Makefile

@@ -6,14 +6,14 @@
 TOP = ../..
 include $(TOP)/build.mk
 
-GO_CMDS= get-fabric-container-name
+GO_CMDS= get-fabric-container-name peer-cli-assist
 
-build: ${GO_CMDS}
+build: $(GO_CMDS)
 
-${GO_CMDS}: ${GO_CMDS:=.go}
-	$(GO) build $(GOTAGS) $@.go
+$(GO_CMDS): 
+	$(GO) build $(GOTAGS) ./$@.src/$@.go 
 
 test: build
 
 clean: 
-	$(GO) clean
+	$(RM) $(GO_CMDS)

utils/fabric/get-fabric-container-name.go renamed to utils/fabric/get-fabric-container-name.src/get-fabric-container-name.go

@@ -0,0 +1,61 @@
+/*
+* Copyright 2019 Intel Corporation
+*
+* SPDX-License-Identifier: Apache-2.0
+ */
+
+package main
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/hyperledger-labs/fabric-private-chaincode/client_sdk/go/fpc"
+)
+
+func printHelp() {
+	fmt.Printf(
+		`Usage: %s [attestation2Evidence | createEncryptRequest | processEncryptedResponse]
+- attestation2Evidence: convert attestation to evidence in (base64-encoded) Credentials protobuf
+- createEncryptRequest: create a (base64-encoded) encrypted fpc chaincode request protobuf
+- processEncryptedResponse: decrypt and validate an (base64-encoded) encrypted fpc chaincode response protobuf
+Input and outpus are via stdin and stdout, respectively.`,
+		os.Args[0])
+}
+
+func main() {
+
+	if len(os.Args) < 2 {
+		fmt.Fprintf(os.Stderr, "ERROR: expected a subcommand\n")
+		printHelp()
+		os.Exit(1)
+	}
+
+	switch os.Args[1] {
+	case "attestation2Evidence":
+		credentialsIn, err := ioutil.ReadAll(os.Stdin)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "ERROR: couldn't read stdin: %v\n", err)
+			os.Exit(1)
+		}
+		credentialsStringOut, err := fpc.ConvertCredentials(string(credentialsIn))
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "ERROR: couldn't convert credentials: %v\n", err)
+			os.Exit(1)
+		}
+		fmt.Printf("%s\n", credentialsStringOut)
+	case "createEncryptRequest":
+		fmt.Fprintf(os.Stderr, "FATAL: command %s not yet implemented\n", os.Args[1])
+		os.Exit(1)
+	case "processEncryptedResponse":
+		fmt.Fprintf(os.Stderr, "FATAL: command %s not yet implemented\n", os.Args[1])
+		os.Exit(1)
+	default:
+		fmt.Fprintf(os.Stderr, "ERROR: Illegal command '%s'\n", os.Args[1])
+		printHelp()
+		os.Exit(1)
+	}
+
+	os.Exit(0)
+}