search

ccc-certifier-framework / certifier-framework-for-confidential-computing

The Confidential Computing Certifier Framework consists of a client API called the Certifier-API and server-based policy evaluation called the Certifier Service. It simplifies and unifies programming and operations support for multi-vendor Confidential Computing platforms by providing support for scalable, policy-driven trust management including
Apache License 2.0
56 stars 16 forks source link

Rework handling of private-key in simple_app_python #214

Closed gapisback closed 1 year ago

gapisback commented 1 year ago

As part of the commit @ SHA 68b0376, simple_app_python/example_app.py has been enhanced to implement secure SSL channel communication between client and server "apps", which use certificate and private-keys generated by the Certifier Framework.

In order to conform to Python's SSL interfaces, these certificate & keys need to be stored in files which the interfaces uses as below (from above sample program):

237 ###############################################################################
238 def server_dispatch(data_dir, server_app_host, server_app_port):
239     """
240     Start a server process listening on a SSL socket waiting for client input.
241     """
242     print(fnl(), 'Start server process ...\n')
[...]
249     key_outfilename  = os.path.join(data_dir, APPLN_KEYF_SIGNED_BY_ROOT_CA)
250     context.load_cert_chain(certfile = cert_outfilename, keyfile = key_outfilename)

The client-side code looks similar.

In order to call context.load_cert_chain(), on L250, the private-key for the certificate is stashed away on a file in the filesystem, here:

337 ###############################################################################
338 def dump_private_key_to_file(cctm, outfile, print_all):
[...]
349     result = cctm.write_private_key_to_file(outfile)

Writing out the private-key to a disk-resident file is a short-term implementation just to get an end-to-end working demo of this simple_app using Python SSL interfaces.

Under this issue, figure out a secure way to rework the handling of this private key.

A related issue to be covered in this issue is the following: Currently, the certificate & Key are persisted to disk as part of the get-certified target. The scenario to also cover is this one:

173     elif operation == 'run-app-as-server':
174         print(operation)
175
176         result = cctm.warm_restart()
177         if result is False:
178             print(fnl(), 'warm_restart() failed\n')
179             sys.exit(1)
180
181         result = server_dispatch(PROVISIONING_DIR,
182                                  server_app_host, server_app_port)

After cctm.warm_restart() the application should still be able to access the required certificate / private-key so that the SSL-channel is still established correctly.

gapisback commented 1 year ago

HI, @jlmucb @yelvmw @rgerganov - I have done some [ more ] investigation on the Python SSL support to invoke interfaces using certificates & keys from in-memory data, rather than from files.

My findings are documented in this file in our internal engg repository: 2023-11-CF-In-Memory-Private-Key-Support

In summary, the only solution available seems to be use a NamedTemporaryFile to which we will write-out the private-key and use that file's name to invoke the SSL interfaces.

I'm airing this out so you can review the final (workaround) solution proposed in above write-up, extracted from the gitHub Python issue mentioned in above doc.