
feat: WIP new multisig threshold scheme
using a tree-like structure that allows nested m-of-n schemes.

Signed-off-by: Harald Hoyer <[email protected]>
haraldh committed Aug 9, 2024
1 parent 1cac5b9 commit a8a3d4e
Showing 19 changed files with 1,139 additions and 174 deletions.
108 changes: 106 additions & 2 deletions Cargo.lock


1 change: 1 addition & 0 deletions Cargo.toml
Expand Up @@ -54,6 +54,7 @@ sha2 = "0.10.8"
signature = "2.2.0"
teepot = { path = "crates/teepot" }
testaso = "0.1.0"
test-log = "0.2.16"
thiserror = "1.0.59"
tokio = { version = "1", features = ["sync", "macros", "rt-multi-thread", "fs", "time"] }
tracing = "0.1"
3 changes: 3 additions & 0 deletions bin/tee-vault-admin/Cargo.toml
Expand Up @@ -21,3 +21,6 @@ tracing.workspace = true
tracing-actix-web.workspace = true
tracing-log.workspace = true
tracing-subscriber.workspace = true

[dev-dependencies]
test-log.workspace = true
8 changes: 5 additions & 3 deletions bin/tee-vault-admin/src/command.rs
@@ -1,5 +1,5 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023 Matter Labs
// Copyright (c) 2023-2024 Matter Labs

//! post commands
Expand All @@ -14,7 +14,7 @@ use teepot::json::http::{
VaultCommandRequest, VaultCommandResponse, VaultCommands, VaultCommandsResponse,
};
use teepot::json::secrets::{AdminConfig, AdminState};
use teepot::server::{signatures::VerifySig, HttpResponseError, Status};
use teepot::server::{HttpResponseError, Status};
use tracing::instrument;

/// Post command
Expand Down Expand Up @@ -52,7 +52,9 @@ pub async fn post_command(
.await?
.context("empty admin config")
.status(StatusCode::BAD_GATEWAY)?;
admin_config.check_sigs(&item.signatures, item.commands.as_bytes())?;
admin_config
.policy
.check_sigs(&item.signatures, item.commands.as_bytes())?;

let mut hasher = Sha256::new();
hasher.update(item.commands.as_bytes());
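Review bot: The signature gate `admin_config.policy.check_sigs(&item.signatures, item.commands.as_bytes())?` propagates a failed or insufficient signature set with a bare `?`, so the HTTP status the caller sees is whatever the conversion into `HttpResponseError` picks, whereas the "empty admin config" failure two lines above chooses its status explicitly. Since this is the only authorization check before an admin command is accepted, make the rejection explicit and observable, e.g. `.check_sigs(&item.signatures, item.commands.as_bytes()).context("admin signature policy not satisfied").status(StatusCode::FORBIDDEN)?;` — assuming `check_sigs` returns an error type that `.context()`/`.status()` accept, which this hunk does not show. A one-line comment such as `// Authorization: the policy is verified over the exact bytes hashed below.` would also record that the signed payload and the SHA-256 input are the same `item.commands` string. `post_command` begins and ends outside this hunk.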
1 change: 1 addition & 0 deletions bin/tee-vault-admin/src/main.rs
Expand Up @@ -116,6 +116,7 @@ async fn main() -> Result<()> {
mod tests {
use serde_json::json;
use teepot::json::http::{VaultCommand, VaultCommands};
use test_log::test;

const TEST_DATA: &str = include_str!("../../../crates/teepot/tests/data/test.json");

7 changes: 4 additions & 3 deletions bin/tee-vault-admin/src/sign.rs
@@ -1,5 +1,5 @@
// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2023 Matter Labs
// Copyright (c) 2023-2024 Matter Labs

//! post signing request
Expand All @@ -12,7 +12,6 @@ use std::sync::Arc;
use teepot::client::vault::VaultConnection;
use teepot::json::http::{SignRequest, SignRequestData, SignResponse};
use teepot::json::secrets::{AdminConfig, AdminState, SGXSigningKey};
use teepot::server::signatures::VerifySig as _;
use teepot::server::{HttpResponseError, Status};
use teepot::sgx::sign::PrivateKey as _;
use teepot::sgx::sign::{Author, Signature};
Expand Down Expand Up @@ -76,7 +75,9 @@ pub async fn post_sign(
.await?
.context("empty admin config")
.status(StatusCode::BAD_GATEWAY)?;
admin_config.check_sigs(&item.signatures, item.sign_request_data.as_bytes())?;
admin_config
.policy
.check_sigs(&item.signatures, item.sign_request_data.as_bytes())?;

let mut hasher = Sha256::new();
hasher.update(item.sign_request_data.as_bytes());
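Review bot: The authorization sequence written out here in `post_sign` — load the admin config, `.context("empty admin config").status(StatusCode::BAD_GATEWAY)?`, then `admin_config.policy.check_sigs(&item.signatures, payload)?` — is duplicated verbatim in `post_command` (command.rs in this same commit), and a threshold check that lives in two places tends to drift, with one call site later gaining an explicit rejection status or an audit log line and the other not. Consider a single helper on the admin state or config, along the lines of `authorize(&self, signatures, payload: &[u8]) -> Result<(), HttpResponseError>`, called from both handlers. The helper should take the raw bytes, since the payload verified here (`item.sign_request_data.as_bytes()`) is also exactly what is hashed just below. `post_sign` begins and ends outside this hunk.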
26 changes: 6 additions & 20 deletions bin/tee-vault-unseal/src/init.rs
Expand Up @@ -2,14 +2,11 @@
// Copyright (c) 2023-2024 Matter Labs

use crate::{get_vault_status, UnsealServerState, Worker};
use actix_web::error::ErrorBadRequest;
use actix_web::{web, HttpResponse};
use anyhow::{anyhow, Context, Result};
use awc::http::StatusCode;
use serde_json::json;
use teepot::client::TeeConnection;
use teepot::json::http::{Init, InitResponse, VaultInitRequest};
use teepot::json::secrets::AdminConfig;
use teepot::server::{HttpResponseError, Status};
use tracing::{debug, error, info, instrument, trace};

Expand All @@ -22,8 +19,7 @@ pub async fn post_init(
pgp_keys,
secret_shares,
secret_threshold,
admin_pgp_keys,
admin_threshold,
admin_config,
admin_tee_mrenclave,
} = init.into_inner();
let conn = TeeConnection::new(&worker.vault_attestation);
Expand All @@ -36,17 +32,10 @@ pub async fn post_init(
secret_threshold,
};

if admin_threshold < 1 {
return Ok(HttpResponse::from_error(ErrorBadRequest(
json!({"error": "admin_threshold must be at least 1"}),
)));
}

if admin_threshold > admin_pgp_keys.len() {
return Ok(HttpResponse::from_error(ErrorBadRequest(
json!({"error": "admin_threshold must be less than or equal to the number of admin_pgp_keys"}),
)));
}
admin_config
.validate()
.context("Invalid admin config")
.status(StatusCode::BAD_REQUEST)?;

loop {
let current_state = worker.state.read().unwrap().clone();
Expand Down Expand Up @@ -123,10 +112,7 @@ pub async fn post_init(
*/

*worker.state.write().unwrap() = UnsealServerState::VaultInitialized {
admin_config: AdminConfig {
admin_pgp_keys,
admin_threshold,
},
admin_config,
admin_tee_mrenclave,
root_token,
};
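Review bot: The explicit bounds removed from `post_init` (admin_threshold at least 1, and at most the number of admin PGP keys) are now delegated to `admin_config.validate()`, which is not part of this diff, so it should be confirmed that `validate()` enforces both bounds at every node of the nested m-of-n tree: a node with threshold 0 or an empty signer set would make the policy satisfiable with no signatures, and a threshold above a node's signer count would make it unsatisfiable and lock out administration once the vault is initialised. The same key listed more than once within a node, or under two sibling nodes, would let a single signer count several times toward a threshold, so `validate()` should reject repeated keys as well. The call site is well placed, before the state transition to `VaultInitialized`; a comment stating the invariants being relied on, e.g. `// Reject malformed policies before touching Vault: every node needs 1 <= threshold <= signers, and no key may repeat.`, would make that contract visible here. `post_init` begins and ends outside this hunk.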
1 change: 0 additions & 1 deletion bin/vault-unseal/Cargo.toml
Expand Up @@ -9,7 +9,6 @@ repository.workspace = true
[dependencies]
actix-web.workspace = true
anyhow.workspace = true
base64.workspace = true
clap.workspace = true
serde_json.workspace = true
teepot.workspace = true
