asterinas / trustflow-capsule-manager-sdk

an SDK tool to access capsule manager
Apache License 2.0

cms register-data-keys fails with an error #10

Closed zhouyou9505 closed 8 months ago

zhouyou9505 commented 8 months ago

```
  File "/home/zhouyou/miniconda3/envs/tee/lib/python3.8/site-packages/grpc/_channel.py", line 1160, in call
    return _end_unary_response_blocking(state, call, False, None)
  File "/home/zhouyou/miniconda3/envs/tee/lib/python3.8/site-packages/grpc/_channel.py", line 1003, in _end_unary_response_blocking
    raise _InactiveRpcError(state)  # pytype: disable=not-instantiable
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
	status = StatusCode.UNAVAILABLE
	details = "failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:0: Failed to connect to remote host: Connection refused"
	debug_error_string = "UNKNOWN:Error received from peer {created_time:"2024-02-19T17:40:14.803192399+08:00", grpc_status:14, grpc_message:"failed to connect to all addresses; last error: UNKNOWN: ipv4:127.0.0.1:0: Failed to connect to remote host: Connection refused"}"
>
```

cli.yaml:

```yaml
host: 127.0.0.1
mr_enclave: ''
private_key_file: alice.key
register_data_keys:
  resource_uris:
```


```
./capsule_manager --enable-tls false
config Config {
    port: Some(
        8888,
    ),
    ....
}
[2024-02-19T08:31:07.269699699+00:00] [capsule_manager] [INFO] Server run at: 0.0.0.0:8888 mode Some("simulation")
```


```
ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.037 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.077 ms
```


```
telnet 127.0.0.1 8888
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
@
```

zhouyou9505 commented 8 months ago

I didn't use the CLI; I switched to triggering it from Python, and it can reach the capsule-manager running in Docker.

```
Traceback (most recent call last):
  File "/home/zhouyou/PycharmProjects/tee_test/cms_util_test.py", line 46, in <module>
    register_data_keys()
  File "/home/zhouyou/PycharmProjects/tee_test/cms_util_test.py", line 36, in register_data_keys
    auth_frame.create_data_keys(
  File "/home/zhouyou/miniconda3/envs/tee/lib/python3.8/site-packages/sdc/capsule_manager_frame.py", line 395, in create_data_keys
    raise CapsuleManagerError(
sdc.error.CapsuleManagerError: CapsuleManager server error code: 13, error message: err code: Assert err; err detail: party_id BDEVTQ3U5WDPBGRLDPOIFIX7RV6MMUTI6DKAI4PX3733LYCC7BZA is wrong derived from public key; location: [line = 108, file = capsule-manager/src/server.rs]
```


```python
import base64

from sdc.capsule_manager_frame import CapsuleManagerFrame
# `file` and `cms` are helper modules of the CLI package; their import lines
# were not included in the posted snippet.

auth_frame = CapsuleManagerFrame(
    "127.0.0.1:8888",
    None,
    None,
    True,
)


def register_data_keys():
    config = file.read_yaml_file("cli/cms/cli3.yaml")
    common = config["common"]
    party_id = common["party_id"]
    ownered = config["register_data_keys"]
    cert_pems, private_key = cms.read_rsa_keypair(common)
    data_keys = [base64.b64decode(data_key) for data_key in ownered["data_key_b64s"]]
    auth_frame.create_data_keys(
        party_id,
        ownered["resource_uris"],
        data_keys,
        cert_pems,
        private_key,
    )


if __name__ == '__main__':
    register_data_keys()
```


It says my party_id is wrong. My party_id was generated with `cms_util generate-party-id --cert-pems-file alice.crt`, which produced BDEVTQ3U5WDPBGRLDPOIFIX7RV6MMUTI6DKAI4PX3733LYCC7BZA

zheyang0825 commented 8 months ago


What does your current config file look like?

zhouyou9505 commented 8 months ago

cli3.txt: this is cli.yaml. Because of the upload format restriction, I renamed it to .txt.

data.zip: data.zip contains my certificate files.

zhouyou9505 commented 8 months ago

Here are the steps I ran:

```
docker run -it -d -p 8888:8888 secretflow/capsule-manager-sim-ubuntu20.04:latest bash ./capsule_manager --enable-tls false
```

`cms_util generate-data-key-b64` data key: rffCcW2MvJcrkFo5BTAs1g==

Generate the encrypted file: `cms_util encrypt-file --source-file alice.csv --dest-file alice.csv.enc --data-key-b64 rffCcW2MvJcrkFo5BTAs1g==`

[First generate the private key, certificate, etc. with openssl]
`cms_config init --host 127.0.0.1 --sim true --private-key-file alice.key --cert-chain-file alice.crt --root-ca-file alice_ca.crt`

`cms_util generate-party-id --cert-pems-file alice.crt` produced BDEVTQ3U5WDPBGRLDPOIFIX7RV6MMUTI6DKAI4PX3733LYCC7BZA

`cms_config common --party-id BDEVTQ3U5WDPBGRLDPOIFIX7RV6MMUTI6DKAI4PX3733LYCC7BZA --scheme RSA`

`cms register-data-keys` [Because of my own network problem I didn't use the CLI here; I ran cli.yaml manually via Python, and it reports that party_id is not derived from public_key]

zheyang0825 commented 8 months ago

The unreachable network is probably caused by `cms_config init --host 127.0.0.1`; it should be `cms_config init --host 127.0.0.1:8888`.

zhouyou9505 commented 8 months ago


Tried it; that doesn't really work either. I suspect it's because of the self-signed certificates. The error is the same as in https://stackoverflow.com/questions/69013587/grpc-python-client-authentication-throwing-ssl-error-ssl-error1000007dssl-rou. All my certificates are self-signed.


> Even if it is self-signed, it is not the usual way for us to establish TLS connections. That can leave your applications to man-in-the-middle attack. You will want to have your client set a trust certificate that is issued by a CA

zhouyou9505 commented 8 months ago

I gave up on self-signed certificates. Using certificate files issued by a CA for `cms register-data-keys` also fails:

```
Traceback (most recent call last):
  File "test.py", line 38, in <module>
    register_data_keys()
  File "test.py", line 28, in register_data_keys
    auth_frame.create_data_keys(
  File "/root/miniconda3/lib/python3.8/site-packages/sdc/capsule_manager_frame.py", line 395, in create_data_keys
    raise CapsuleManagerError(
sdc.error.CapsuleManagerError: CapsuleManager server error code: 13, error message: err code: Assert err; err detail: party_id CSDR4JQIYM46WQ34YORXE7P7B7WZ7C6Y2IF6LWBWHN5ZX7SPJGYA is wrong derived from public key; location: [line = 108, file = capsule-manager/src/server.rs]
```

```yaml
cert_chain_file: certificate.crt
common:
  cert_pems_file: certificate.crt
  party_id: "CSDR4JQIYM46WQ34YORXE7P7B7WZ7C6Y2IF6LWBWHN5ZX7SPJGYA"
register_data_keys:
  data_key_b64s:
```

zhouyou9505 commented 8 months ago

Could we exchange contact details and discuss this offline?

zheyang0825 commented 8 months ago


@yuki252111 please take a look at this issue.

yuki252111 commented 8 months ago

There is a misunderstanding here: the certificate configured in `cms_config init --host 127.0.0.1 --sim true --private-key-file alice.key --cert-chain-file alice.crt --root-ca-file alice_ca.crt` is the one for enabling mTLS; it serves only to enable mTLS and has no other purpose. The certificate alice uses is under the `common` field in the yaml file: [image] The party_id is also derived from `cert_pems_file` under the `common` field, so that is what you need to configure, not the mTLS part (mTLS usually doesn't need to be enabled anyway, because the communication itself is already encrypted with a digital envelope).
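As an added example (not code from this thread or from the SDK), a small preflight check over the parsed cli.yaml that catches the two misconfigurations discussed in this issue: a host without a port, and a `common.party_id` that was not generated from `common.cert_pems_file`. The key names come from the yaml fragments posted above; the function, its findings text and the 52-character party-id format check are this example's own assumptions.

```python
import re

# Observed in the thread: party ids are 52 unpadded base32 characters.
# (An assumption of this example, used only as a sanity check.)
PARTY_ID_RE = re.compile(r"^[A-Z2-7]{52}$")


def check_cli_config(cfg, party_id_from_cert=None):
    """Return findings for a parsed cli.yaml dict ([] means clean); party_id_from_cert
    is the value printed by `cms_util generate-party-id --cert-file <common.cert_pems_file>`,
    or None to skip that comparison."""
    findings = []

    # 1. host must carry the port: `--host 127.0.0.1` left the gRPC target at
    #    127.0.0.1:0 and produced "Connection refused" in the first traceback.
    host = str(cfg.get("host", ""))
    if not re.search(r":\d+$", host):
        findings.append(f"host '{host}' has no port; expected e.g. 127.0.0.1:8888")

    common = cfg.get("common") or {}
    # 2. party_id is derived from common.cert_pems_file, not from the mTLS
    #    files passed to `cms_config init`, so that field must be present.
    cert_pems_file = common.get("cert_pems_file")
    if not cert_pems_file:
        findings.append("common.cert_pems_file is missing; party_id is derived from this certificate")

    # 3. party_id must be the id generated from that same certificate.
    party_id = str(common.get("party_id", ""))
    if not PARTY_ID_RE.match(party_id):
        findings.append(f"common.party_id '{party_id}' does not look like a generated party id")
    elif party_id_from_cert is not None and party_id != party_id_from_cert:
        findings.append(
            f"common.party_id does not match the id generated from {cert_pems_file}; "
            "the server rejects it as 'wrong derived from public key'"
        )
    return findings


if __name__ == "__main__":
    # Constructed config mirroring the fragments posted in this issue.
    sample = {
        "host": "127.0.0.1",
        "common": {"cert_pems_file": "alice.crt",
                   "party_id": "BDEVTQ3U5WDPBGRLDPOIFIX7RV6MMUTI6DKAI4PX3733LYCC7BZA"},
    }
    for finding in check_cli_config(sample):
        print("finding:", finding)
```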

zhouyou9505 commented 8 months ago

So I need to regenerate the party_id now, right? But running `cms_util generate-party-id --cert-pems-file alice.crt` as in the official docs gives an error:

```
Usage: cms_util generate-party-id [OPTIONS]
Try 'cms_util generate-party-id --help' for help.

Error: No such option: --cert-pems-file Did you mean --cert-file?
```

Changing it to `cms_util generate-party-id --cert-file alice.crt` gives BDEVTQ3U5WDPBGRLDPOIFIX7RV6MMUTI6DKAI4PX3733LYCC7BZA

Chrisdehe commented 8 months ago

@zhouyou9505 please add the SecretFlow technical support WeChat account: secertflow02

yuki252111 commented 8 months ago

This looks like a documentation error; the correct command is `cms_util generate-party-id --cert-file alice.crt`. We will fix the docs.

zhouyou9505 commented 8 months ago

```yaml
common:
  cert_pems_file:
```