Merge pull request #347 from skalenetwork/bug/SKALE-4522-exportable-keys

SKALE-4522 fix exportable keys, add tests

ECDSACrypto.cpp

@@ -59,9 +59,11 @@ vector <string> genECDSAKey() {
 
     sgx_status_t status = SGX_SUCCESS;
 
-    status = trustedGenerateEcdsaKey(eid, &errStatus,
-                               errMsg.data(), encr_pr_key.data(), &enc_len,
-                               pub_key_x.data(), pub_key_y.data());
+    int exportable = 0;
+
+    status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(),
+                                    &exportable, encr_pr_key.data(), &enc_len,
+                                    pub_key_x.data(), pub_key_y.data());
 
     HANDLE_TRUSTED_FUNCTION_ERROR(status, errStatus,errMsg.data());
 

secure_enclave/secure_enclave.c

@@ -358,7 +358,7 @@ void trustedSetSEKBackup(int *errStatus, char *errString,
     LOG_INFO("SGX call completed");
 }
 
-void trustedGenerateEcdsaKey(int *errStatus, char *errString,
+void trustedGenerateEcdsaKey(int *errStatus, char *errString, int *is_exportable,
                                 uint8_t *encryptedPrivateKey, uint64_t *enc_len, char *pub_key_x, char *pub_key_y) {
     LOG_INFO(__FUNCTION__);
     INIT_ERROR_STATE
@@ -409,8 +409,15 @@ void trustedGenerateEcdsaKey(int *errStatus, char *errString,
     strncpy(skey_str + n_zeroes, arr_skey_str, 65 - n_zeroes);
     snprintf(errString, BUF_LEN, "skey len is %d\n", (int) strlen(skey_str));
 
-    int status = AES_encrypt((char *) skey_str, encryptedPrivateKey, BUF_LEN,
+    int status = -1;
+
+    if ( *is_exportable ) {
+        status = AES_encrypt((char *) skey_str, encryptedPrivateKey, BUF_LEN,
+                             ECDSA, EXPORTABLE, enc_len);
+    } else {
+        status = AES_encrypt((char *) skey_str, encryptedPrivateKey, BUF_LEN,
                              ECDSA, NON_EXPORTABLE, enc_len);
+    }
     CHECK_STATUS("ecdsa private key encryption failed");
 
     uint8_t type = 0;
@@ -611,6 +618,8 @@ void trustedDecryptKey(int *errStatus, char *errString, uint8_t *encryptedPrivat
     if (exportable != EXPORTABLE) {
         *errStatus = -11;
         snprintf(errString, BUF_LEN, "Key is not exportable");
+        LOG_ERROR(errString);
+        goto clean;
     }
 
     if (status != 0) {
@@ -855,7 +864,9 @@ void trustedGetEncryptedSecretShare(int *errStatus, char *errString,
 
     SAFE_CHAR_BUF(pub_key_x, BUF_LEN);SAFE_CHAR_BUF(pub_key_y, BUF_LEN);
 
-    trustedGenerateEcdsaKey(&status, errString, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
+    int is_exportable = 1;
+
+    trustedGenerateEcdsaKey(&status, errString, &is_exportable, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
 
     CHECK_STATUS("trustedGenerateEcdsaKey failed");
 
@@ -929,7 +940,9 @@ void trustedGetEncryptedSecretShareV2(int *errStatus, char *errString,
     SAFE_CHAR_BUF(pub_key_x, BUF_LEN);
     SAFE_CHAR_BUF(pub_key_y, BUF_LEN);
 
-    trustedGenerateEcdsaKey(&status, errString, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
+    int is_exportable = 1;
+
+    trustedGenerateEcdsaKey(&status, errString, &is_exportable, encrypted_skey, &enc_len, pub_key_x, pub_key_y);
 
     CHECK_STATUS("trustedGenerateEcdsaKey failed");
 

secure_enclave/secure_enclave.edl

@@ -35,6 +35,7 @@ enclave {
         public void trustedGenerateEcdsaKey (
                                 [out] int *errStatus,
                                 [out, count = SMALL_BUF_SIZE] char* err_string,
+                                [out] int *is_exportable,
                                 [out, count = SMALL_BUF_SIZE] uint8_t* encrypted_key,
                                 [out] uint64_t *enc_len,
                                 [out, count = SMALL_BUF_SIZE] char * pub_key_x,

testw.cpp

@@ -146,8 +146,9 @@ TEST_CASE_METHOD(TestFixture, "ECDSA AES keygen and signature test", "[ecdsa-aes
     vector<char> pubKeyY(BUF_LEN, 0);
 
     uint64_t encLen = 0;
+    int exportable = 0;
     PRINT_SRC_LINE
-    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), encrPrivKey.data(), &encLen,
+    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encrPrivKey.data(), &encLen,
                                           pubKeyX.data(),
                                           pubKeyY.data());
     REQUIRE(status == SGX_SUCCESS);
@@ -177,8 +178,9 @@ TEST_CASE_METHOD(TestFixture, "ECDSA AES key gen", "[ecdsa-aes-key-gen]") {
     vector<char> pubKeyX(BUF_LEN, 0);
     vector<char> pubKeyY(BUF_LEN, 0);
     uint64_t encLen = 0;
+    int exportable = 0;
     PRINT_SRC_LINE
-    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), encrPrivKey.data(), &encLen,
+    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encrPrivKey.data(), &encLen,
                                           pubKeyX.data(),
                                           pubKeyY.data());
 
@@ -194,9 +196,10 @@ TEST_CASE_METHOD(TestFixture, "ECDSA AES get public key", "[ecdsa-aes-get-pub-ke
     vector<char> pubKeyY(BUF_LEN, 0);
 
     uint64_t encLen = 0;
+    int exportable = 0;
 
     PRINT_SRC_LINE
-    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), encPrivKey.data(), &encLen, pubKeyX.data(),
+    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encPrivKey.data(), &encLen, pubKeyX.data(),
                                           pubKeyY.data());
 
     REQUIRE(status == SGX_SUCCESS);
@@ -1120,6 +1123,56 @@ TEST_CASE_METHOD(TestFixture, "AES encrypt/decrypt", "[aes-encrypt-decrypt]") {
     sleep(3);
 }
 
+TEST_CASE_METHOD(TestFixture, "Exportable / non-exportable keys", "[exportable-nonexportable-keys]") {
+    int errStatus = 0;
+    vector<char> errMsg(BUF_LEN, 0);
+    vector <uint8_t> encPrivKey(BUF_LEN, 0);
+    vector<char> pubKeyX(BUF_LEN, 0);
+    vector<char> pubKeyY(BUF_LEN, 0);
+
+    uint64_t encLen = 0;
+    int exportable = 0;
+
+    auto status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encPrivKey.data(), &encLen, pubKeyX.data(),
+                                          pubKeyY.data());
+
+    vector<char> decrypted_key(BUF_LEN, 0);
+    status = trustedDecryptKey(eid, &errStatus, errMsg.data(), encPrivKey.data(), encLen, decrypted_key.data());
+    REQUIRE( errStatus == -11 );
+
+    exportable = 1;
+
+    encPrivKey.clear();
+    errMsg.clear();
+    pubKeyX.clear();
+    pubKeyY.clear();
+
+    status = trustedGenerateEcdsaKey(eid, &errStatus, errMsg.data(), &exportable, encPrivKey.data(), &encLen, pubKeyX.data(),
+                                          pubKeyY.data());
+
+    decrypted_key.clear();
+    status = trustedDecryptKey(eid, &errStatus, errMsg.data(), encPrivKey.data(), encLen, decrypted_key.data());
+    REQUIRE( errStatus == 0 );
+    REQUIRE( status == SGX_SUCCESS );
+
+    string key = SAMPLE_AES_KEY;
+    vector <uint8_t> encrypted_key(BUF_LEN, 0);
+
+    status = trustedEncryptKey(eid, &errStatus, errMsg.data(), key.c_str(), encrypted_key.data(), &encLen);
+
+    REQUIRE(status == 0);
+    REQUIRE(errStatus == 0);
+
+    vector<char> decr_key(BUF_LEN, 0);
+    PRINT_SRC_LINE
+    status = trustedDecryptKey(eid, &errStatus, errMsg.data(), encrypted_key.data(), encLen, decr_key.data());
+
+    REQUIRE(status == 0);
+    REQUIRE(key.compare(decr_key.data()) == 0);
+    REQUIRE(errStatus == 0);
+    sleep(3);
+}
+
 TEST_CASE_METHOD(TestFixture, "Many threads ecdsa dkg v2 bls", "[many-threads-crypto-v2]") {
     vector <thread> threads;
     int num_threads = 4;

testw.py

@@ -60,6 +60,7 @@
              "[dkg-poly-exists-zmq]",
              "[dkg-aes-pub-shares]",
              "[aes-encrypt-decrypt]",
+             "[exportable-nonexportable-keys]",
              "[aes-dkg-v2]",
              "[aes-dkg-v2-zmq]",
              "[te-decryption-share]",