Merge pull request #346 from skalenetwork/bug/SKALE-4522-non-exportab…

…le-keys

Bug/skale 4522 non exportable keys

ECDSACrypto.cpp

@@ -59,8 +59,10 @@ vector <string> genECDSAKey() {
 
     sgx_status_t status = SGX_SUCCESS;
 
-    status = trustedGenerateEcdsaKey(eid, &errStatus,
-                               errMsg.data(), encr_pr_key.data(), &enc_len,
+    int exportable = 0;
+
+    status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(),
+                                &exportable, encr_pr_key.data(), &enc_len,
                                pub_key_x.data(), pub_key_y.data());
 
     HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus,errMsg.data());

secure_enclave/secure_enclave.c

@@ -362,7 +362,7 @@ void trustedSetSEKBackup(int *errStatus, char *errString,
     LOG_INFO("SGX call completed");
 }
 
-void trustedGenerateEcdsaKey(int *errStatus, char *errString,
+void trustedGenerateEcdsaKey(int *errStatus, char *errString, int *is_exportable,
                                 uint8_t *encryptedPrivateKey, uint64_t *enc_len, char *pub_key_x, char *pub_key_y) {
     LOG_INFO(__FUNCTION__);
     INIT_ERROR_STATE
@@ -413,8 +413,15 @@ void trustedGenerateEcdsaKey(int *errStatus, char *errString,
     strncpy(skey_str + n_zeroes, arr_skey_str, 65 - n_zeroes);
     snprintf(errString, BUF_LEN, "skey len is %d\n", (int) strlen(skey_str));
 
-    int status = AES_encrypt((char *) skey_str, encryptedPrivateKey, BUF_LEN,
+    int status = -1;
+
+    if ( *is_exportable ) {
+        status = AES_encrypt((char *) skey_str, encryptedPrivateKey, BUF_LEN,
+                             ECDSA, EXPORTABLE, enc_len);
+    } else {
+        status = AES_encrypt((char *) skey_str, encryptedPrivateKey, BUF_LEN,
                              ECDSA, NON_EXPORTABLE, enc_len);
+    }
     CHECK_STATUS("ecdsa private key encryption failed");
 
     uint8_t type = 0;
@@ -613,8 +620,13 @@ void trustedDecryptKey(int *errStatus, char *errString, uint8_t *encryptedPrivat
                              &type, &exportable);
 
     if (exportable != EXPORTABLE) {
+        while (*key != '\0') {
+            *key++ = '0';
+        }
         *errStatus = -11;
         snprintf(errString, BUF_LEN, "Key is not exportable");
+        LOG_ERROR(errString);
+        goto clean;
     }
 
     if (status != 0) {
@@ -859,7 +871,9 @@ void trustedGetEncryptedSecretShare(int *errStatus, char *errString,
 
     SAFE_CHAR_BUF(pub_key_x, BUF_LEN);SAFE_CHAR_BUF(pub_key_y, BUF_LEN);
 
-    trustedGenerateEcdsaKey(&status, errString, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
+    int is_exportable = 1;
+
+    trustedGenerateEcdsaKey(&status, errString, &is_exportable, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
 
     CHECK_STATUS("trustedGenerateEcdsaKey failed");
 
@@ -933,7 +947,9 @@ void trustedGetEncryptedSecretShareV2(int *errStatus, char *errString,
     SAFE_CHAR_BUF(pub_key_x, BUF_LEN);
     SAFE_CHAR_BUF(pub_key_y, BUF_LEN);
 
-    trustedGenerateEcdsaKey(&status, errString, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
+    int is_exportable = 1;
+
+    trustedGenerateEcdsaKey(&status, errString, &is_exportable, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
 
     CHECK_STATUS("trustedGenerateEcdsaKey failed");
 

secure_enclave/secure_enclave.edl

@@ -35,6 +35,7 @@ enclave {
         public void trustedGenerateEcdsaKey (
                                 [out] int *errStatus,
                                 [out, count = SMALL_BUF_SIZE] char* err_string,
+                                [out] int *is_exportable,
                                 [out, count = SMALL_BUF_SIZE] uint8_t* encrypted_key,
                                 [out] uint64_t *enc_len,
                                 [out, count = SMALL_BUF_SIZE] char * pub_key_x,

testw.cpp

@@ -149,8 +149,9 @@ TEST_CASE_METHOD(TestFixture, "ECDSA AES keygen and signature test", "[ecdsa-aes
     vector<char> pubKeyY(BUF_LEN, 0);
 
     uint64_t encLen = 0;
+    int exportable = 0;
     PRINT_SRC_LINE
-    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), encrPrivKey.data(), &encLen,
+    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encrPrivKey.data(), &encLen,
                                           pubKeyX.data(),
                                           pubKeyY.data());
     REQUIRE(status == SGX_SUCCESS);
@@ -182,8 +183,9 @@ TEST_CASE_METHOD(TestFixture, "ECDSA AES key gen", "[ecdsa-aes-key-gen]") {
     vector<char> pubKeyX(BUF_LEN, 0);
     vector<char> pubKeyY(BUF_LEN, 0);
     uint64_t encLen = 0;
+    int exportable = 0;
     PRINT_SRC_LINE
-    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), encrPrivKey.data(), &encLen,
+    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encrPrivKey.data(), &encLen,
                                           pubKeyX.data(),
                                           pubKeyY.data());
 
@@ -200,9 +202,10 @@ TEST_CASE_METHOD(TestFixture, "ECDSA AES get public key", "[ecdsa-aes-get-pub-ke
     vector<char> pubKeyY(BUF_LEN, 0);
 
     uint64_t encLen = 0;
+    int exportable = 0;
 
     PRINT_SRC_LINE
-    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), encPrivKey.data(), &encLen, pubKeyX.data(),
+    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encPrivKey.data(), &encLen, pubKeyX.data(),
                                           pubKeyY.data());
 
     REQUIRE(status == SGX_SUCCESS);
@@ -902,6 +905,56 @@ TEST_CASE_METHOD(TestFixture, "AES encrypt/decrypt", "[aes-encrypt-decrypt]") {
     sleep(3);
 }
 
+TEST_CASE_METHOD(TestFixture, "Exportable / non-exportable keys", "[exportable-nonexportable-keys]") {
+    int errStatus = 0;
+    vector<char> errMsg(BUF_LEN, 0);
+    vector <uint8_t> encPrivKey(BUF_LEN, 0);
+    vector<char> pubKeyX(BUF_LEN, 0);
+    vector<char> pubKeyY(BUF_LEN, 0);
+
+    uint64_t encLen = 0;
+    int exportable = 0;
+
+    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encPrivKey.data(), &encLen, pubKeyX.data(),
+                                          pubKeyY.data());
+
+    vector<char> decrypted_key(BUF_LEN, 0);
+    status = trustedDecryptKey(eid, &errStatus, errMsg.data(), encPrivKey.data(), encLen, decrypted_key.data());
+    REQUIRE( errStatus == -11 );
+
+    exportable = 1;
+
+    encPrivKey.clear();
+    errMsg.clear();
+    pubKeyX.clear();
+    pubKeyY.clear();
+
+    status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encPrivKey.data(), &encLen, pubKeyX.data(),
+                                          pubKeyY.data());
+
+    decrypted_key.clear();
+    status = trustedDecryptKey(eid, &errStatus, errMsg.data(), encPrivKey.data(), encLen, decrypted_key.data());
+    REQUIRE( errStatus == 0 );
+    REQUIRE( status == SGX_SUCCESS );
+
+    string key = SAMPLE_AES_KEY;
+    vector <uint8_t> encrypted_key(BUF_LEN, 0);
+
+    status = trustedEncryptKey(eid, &errStatus, errMsg.data(), key.c_str(), encrypted_key.data(), &encLen);
+
+    REQUIRE(status == 0);
+    REQUIRE(errStatus == 0);
+
+    vector<char> decr_key(BUF_LEN, 0);
+    PRINT_SRC_LINE
+    status = trustedDecryptKey(eid, &errStatus, errMsg.data(), encrypted_key.data(), encLen, decr_key.data());
+
+    REQUIRE(status == 0);
+    REQUIRE(key.compare(decr_key.data()) == 0);
+    REQUIRE(errStatus == 0);
+    sleep(3);
+}
+
 
 
 TEST_CASE_METHOD(TestFixture, "Many threads ecdsa dkg v2 bls", "[many-threads-crypto-v2]") {

testw.py

@@ -56,6 +56,7 @@
             "[dkg-poly-exists]",
             "[dkg-aes-pub-shares]",
             "[aes-encrypt-decrypt]",
+            "[exportable-nonexportable-keys]",
             "[aes-dkg]",
             "[aes-dkg-v2]"
             ]