Key forwarding: part 1 #222
Conversation
Create qos_nsm crate Get qos_nsm to compile in workspace WIP Refactor verify_attestation_doc_against_user_input to return errors Refactor cross check manifest WIP Factor out key forwarding to its own file Setup some mock test inputs WIP tests Fix broken tests Clean up linting
232cc95 to
9f01eb7
Compare
Remove cargo.lock from qos_nsm WIP works test outlined finish unit test for request_key_inner Add tests for boot_key_forward Add tests for validate manifest Remove todo comment
a13e017 to
dd80ff9
Compare
| @@ -0,0 +1,942 @@ | |||
| //! The services involved in the key forwarding flow. | |||
There was a problem hiding this comment.
GitHub is collapsing this diff - wanted to highlight since its the most important file
a03a5dd to
fc5c414
Compare
fc5c414 to
5b78f0e
Compare
| }, | ||
|
|
||
| /// Request a quorum key as part of the "key forwarding" flow. | ||
| RequestKeyRequest { |
There was a problem hiding this comment.
nit: RequestKeyRequest doesn't provide a whole lot of context. If this is related to the key forward flow maybe there's a better name?
BootKeyForwardRequest
BootKeyForwardResponse
BootKeyRequest
BootKeyResponse
?
There was a problem hiding this comment.
I left the Boot* prefix to refer to the route used to first boot an enclave. RequestKey{Request, Response} is the route to literally request a key.
the flow is
- BootKeyForward (boot a new enclave in key forwarding mode
- RequestKey (ask an old enclave for a quorum key)
- InjectKey (inject a quorum key into the new enclave)
Happy to brainstorm more on naming here
| request_key_internal(state, new_manifest_envelope, &attestation_doc) | ||
| } | ||
|
|
||
| // Primary of `request_key` pulled out to make testing easier. |
There was a problem hiding this comment.
nit: if the below functions are only used for testing, I'd move them into the mod test so it keeps the biz logic succinct
There was a problem hiding this comment.
The comment is poorly worded. Just updated to "Primary logic of request_key pulled out so it can be unit tested." In other words I extracted most of the logic to an "inner" function that can be easily tested.
The "outer" function is hard to test because it needs a valid attestation doc from a nitro secure module which we don't have the facilities to produce on the fly. So I pulled out all the logic that is not validating/extracting the attestation doc into the inner function. Unit tests are performed on the inner function.
This PR implements the key forwarding flow as described in
src/qos_core/KEY_FORWARDING.MD. Its worth the time to check that every check in step 4 of the routine is covered byfn validate_manifest(which is insrc/qos_core/src/protocol/services/key.rs).This PR contains the following changes:
qos_attestas a dependency ofqos_coreso we can attestation doc validation. Note, that this will bring in a bit of dependencies toqos_coresinceqos_attesthas some extra deps to parse the attestation doc and verify the cert chain.qos_core::protocol::attestorto its own crate,qos_nsm, to avoid cyclical dependencies when we include itqos_attestverify_attestation_doc_against_user_inputto not panic and instead return errors.src/qos_core/KEY_FORWARDING.MD- mostly type renamingTODO
Follow up work: