distributed-lab
diff --git a/‎examples/kms/Dockerfile.enclave‎
Lines changed: 48 additions & 0 deletions b/‎examples/kms/Dockerfile.enclave‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎examples/kms/README.md‎
Lines changed: 1 addition & 0 deletions b/‎examples/kms/README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎examples/kms/go.mod‎
Lines changed: 29 additions & 0 deletions b/‎examples/kms/go.mod‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎examples/kms/go.sum‎
Lines changed: 40 additions & 0 deletions b/‎examples/kms/go.sum‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎examples/kms/main.go‎
Lines changed: 244 additions & 0 deletions b/‎examples/kms/main.go‎
Lines changed: 244 additions & 0 deletions
@@ -0,0 +1,48 @@
+FROM debian:bookworm-slim AS socat-builder
+RUN export DEBIAN_FRONTEND=noninteractive && \
+    apt-get update && \
+    apt-get install -y \
+    wget make gcc
+RUN wget http://www.dest-unreach.org/socat/download/socat-1.7.4.4.tar.gz
+RUN echo "0f8f4b9d5c60b8c53d17b60d79ababc4a0f51b3bb6d2bd3ae8a6a4b9d68f195e socat-1.7.4.4.tar.gz" | sha256sum -c -
+RUN tar -xzf socat-1.7.4.4.tar.gz && \
+    cd socat-1.7.4.4 && \
+    ./configure && \
+    make && \
+    make install
+
+
+FROM rust:1.81.0-slim-bookworm AS nsmlib-builder
+WORKDIR /workspace
+RUN export DEBIAN_FRONTEND=noninteractive && \
+    apt-get update && \
+    apt-get install -y git
+RUN git clone https://github.com/aws/aws-nitro-enclaves-nsm-api.git && \
+    cd aws-nitro-enclaves-nsm-api && \
+    git checkout v0.4.0 && \
+    mkdir -p /workspace/target/lib && \
+    cargo build --release --manifest-path Cargo.toml -p nsm-lib && \
+    install target/release/libnsm.a /workspace/target/lib/libnsm.a
+
+
+FROM golang:1.23.1-bookworm AS example-builder
+WORKDIR /workspace
+COPY go.mod ./
+RUN go mod download
+COPY . ./
+COPY --from=nsmlib-builder /workspace/target/ target/
+RUN mkdir -p target/bin
+RUN go build -o target/bin/example .
+
+
+FROM debian:bookworm-slim
+COPY --from=socat-builder /usr/local/bin/socat /usr/local/bin/
+COPY --from=example-builder /workspace/target/bin/example /usr/local/bin/
+COPY runeif.sh /root
+RUN chmod +x /root/runeif.sh
+RUN export DEBIAN_FRONTEND=noninteractive && \
+    apt-get update && \
+    apt-get install -y \
+    iproute2 \
+    apt-get clean
+ENTRYPOINT [ "/root/runeif.sh" ]
@@ -0,0 +1 @@
+TODO
@@ -0,0 +1,29 @@
+module github.com/distributed-lab/enclave-extras/examples/kms
+
+go 1.23.4
+
+require (
+	github.com/aws/aws-sdk-go-v2 v1.36.3
+	github.com/aws/aws-sdk-go-v2/config v1.29.9
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.62
+	github.com/aws/aws-sdk-go-v2/service/iam v1.40.1
+	github.com/aws/aws-sdk-go-v2/service/kms v1.38.1
+	github.com/distributed-lab/enclave-extras/attestation v0.0.0-20250304172112-7fb654ddb809
+	github.com/distributed-lab/enclave-extras/nsm v0.0.0-20250304172112-7fb654ddb809
+	github.com/ethereum/go-ethereum v1.15.4
+)
+
+require (
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
+	github.com/aws/smithy-go v1.22.2 // indirect
+	github.com/holiman/uint256 v1.3.2 // indirect
+	golang.org/x/crypto v0.35.0 // indirect
+)
@@ -0,0 +1,40 @@
+github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
+github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
+github.com/aws/aws-sdk-go-v2/config v1.29.9 h1:Kg+fAYNaJeGXp1vmjtidss8O2uXIsXwaRqsQJKXVr+0=
+github.com/aws/aws-sdk-go-v2/config v1.29.9/go.mod h1:oU3jj2O53kgOU4TXq/yipt6ryiooYjlkqqVaZk7gY/U=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.62 h1:fvtQY3zFzYJ9CfixuAQ96IxDrBajbBWGqjNTCa79ocU=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.62/go.mod h1:ElETBxIQqcxej++Cs8GyPBbgMys5DgQPTwo7cUPDKt8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/service/iam v1.40.1 h1:PaHCkW8rtLrA89xM/0LsY/NSIQETqmN+f1vt70EmpB8=
+github.com/aws/aws-sdk-go-v2/service/iam v1.40.1/go.mod h1:mPJkGQzeCoPs82ElNILor2JzZgYENr4UaSKUT8K27+c=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
+github.com/aws/aws-sdk-go-v2/service/kms v1.38.1 h1:tecq7+mAav5byF+Mr+iONJnCBf4B4gon8RSp4BrweSc=
+github.com/aws/aws-sdk-go-v2/service/kms v1.38.1/go.mod h1:cQn6tAF77Di6m4huxovNM7NVAozWTZLsDRp9t8Z/WYk=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 h1:8JdC7Gr9NROg1Rusk25IcZeTO59zLxsKgE0gkh5O6h0=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.1/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 h1:KwuLovgQPcdjNMfFt9OhUd9a2OwcOKhxfvF4glTzLuA=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 h1:PZV5W8yk4OtH1JAuhV2PXwwO9v5G5Aoj+eMCn4T+1Kc=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.17/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
+github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
+github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/distributed-lab/enclave-extras/attestation v0.0.0-20250304172112-7fb654ddb809 h1:wDjryjLEKn9WtZ7CiQMbTIPEUE7m+jyTKlSIztl9PHE=
+github.com/distributed-lab/enclave-extras/attestation v0.0.0-20250304172112-7fb654ddb809/go.mod h1:KZDHZ4yaV8pPbwxph1js4TL1/U9pdiyaqNirRRl2tR4=
+github.com/distributed-lab/enclave-extras/nsm v0.0.0-20250304172112-7fb654ddb809 h1:yAGCcKd6hPxfK/PJSNy1m5I/MES1KVplswH9FOY01S8=
+github.com/distributed-lab/enclave-extras/nsm v0.0.0-20250304172112-7fb654ddb809/go.mod h1:B6Wi/qX+DTjfmRjelkyn0OoeDUu7fcPSH9teOIfsMbw=
+github.com/ethereum/go-ethereum v1.15.4 h1:a0P+AalZaosp97rfKoYXHYWzyK3+jXWZrciM9S7XFrI=
+github.com/ethereum/go-ethereum v1.15.4/go.mod h1:1LG2LnMOx2yPRHR/S+xuipXH29vPr6BIH6GElD8N/fo=
+github.com/holiman/uint256 v1.3.2 h1:a9EgMPSC1AAaj1SZL5zIQD3WbwTuHrMGOerLjGmM/TA=
+github.com/holiman/uint256 v1.3.2/go.mod h1:EOMSn4q6Nyt9P6efbI3bueV4e1b3dGlUCXeiRV4ng7E=
+golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
@@ -0,0 +1,244 @@
+package main
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/distributed-lab/enclave-extras/attestation/kmshelpers"
+	"github.com/distributed-lab/enclave-extras/nsm"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/aws/arn"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/iam"
+	"github.com/aws/aws-sdk-go-v2/service/kms"
+	kmstypes "github.com/aws/aws-sdk-go-v2/service/kms/types"
+	"github.com/ethereum/go-ethereum/common/hexutil"
+	"github.com/ethereum/go-ethereum/log"
+)
+
+const (
+	region    = "you_region"
+	accessKey = "iam_access_key"
+	secretKey = "iam_secret_key"
+)
+
+func main() {
+	time.Sleep(15 * time.Second)
+
+	awsConfig, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region), config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(accessKey, secretKey, "")))
+	if err != nil {
+		panic(fmt.Errorf("failed to load default aws config: %w", err))
+	}
+
+	fmt.Println("All pcrs values: should be zeros at start")
+	for i := 0; i < 32; i++ {
+		_, pcrData, err := nsm.DescribePCR(i)
+		if err != nil {
+			panic(fmt.Errorf("failed to get pcr0 data: %w", err))
+		}
+		fmt.Printf("PCR%d data: %s\n", i, hexutil.Encode(pcrData))
+	}
+
+	_, pcr0Data, err := nsm.DescribePCR(0)
+	if err != nil {
+		panic(fmt.Errorf("failed to get pcr0 data: %w", err))
+	}
+
+	keyID, err := CreateKMSEnclaveKey(awsConfig, map[string]string{
+		"kms:RecipientAttestation:PCR0": hex.EncodeToString(pcr0Data),
+	})
+	if err != nil {
+		panic(fmt.Errorf("failed to create kms key: %w", err))
+	}
+	fmt.Printf("KeyID: %s\n", keyID)
+
+	rsaPrivateKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		panic(fmt.Errorf("failed to generate rsa 4096 private key: %w", err))
+	}
+	fmt.Printf("PrivateKey: %s\n", hexutil.Encode(x509.MarshalPKCS1PrivateKey(rsaPrivateKey)))
+	fmt.Printf("PublicKey: %s\n", hexutil.Encode(x509.MarshalPKCS1PublicKey(&rsaPrivateKey.PublicKey)))
+
+	derEncodedPublicKey, err := x509.MarshalPKIXPublicKey(&rsaPrivateKey.PublicKey)
+	if err != nil {
+		panic(fmt.Errorf("faield to encode public key in DER format: %w", err))
+	}
+	fmt.Printf("DEREncodedPublicKey: %s\n", hexutil.Encode(derEncodedPublicKey))
+
+	attestationDoc, err := nsm.GetAttestationDoc(nil, nil, derEncodedPublicKey)
+	if err != nil {
+		panic(fmt.Errorf("faield to get attestatiokn doc: %w", err))
+	}
+	fmt.Printf("AttestationDoc: %s\n", hexutil.Encode(attestationDoc))
+
+	awsKMSEnclaveClient := kmshelpers.NewFromConfig(awsConfig)
+
+	encryptResp, err := awsKMSEnclaveClient.Encrypt(context.TODO(), &kms.EncryptInput{
+		KeyId:     aws.String(keyID),
+		Plaintext: []byte("Hello world"),
+	})
+	if err != nil {
+		panic(fmt.Errorf("failed to encrypt plaintext: %w", err))
+	}
+	fmt.Printf("Ciphertext: %s\n", hexutil.Encode(encryptResp.CiphertextBlob))
+
+	decryptResp, err := awsKMSEnclaveClient.Decrypt(context.TODO(), &kms.DecryptInput{
+		KeyId:          aws.String(keyID),
+		CiphertextBlob: encryptResp.CiphertextBlob,
+		Recipient: &kmstypes.RecipientInfo{
+			AttestationDocument:    attestationDoc,
+			KeyEncryptionAlgorithm: kmstypes.KeyEncryptionMechanismRsaesOaepSha256,
+		},
+	}, rsaPrivateKey)
+	if err != nil {
+		panic(fmt.Errorf("failed to decrypt ciphertext on KMS: %w", err))
+	}
+	fmt.Printf("Plaintext(decrypt): %s\n", string(decryptResp.Plaintext))
+
+	generateDataKeyResp, err := awsKMSEnclaveClient.GenerateDataKey(context.TODO(), &kms.GenerateDataKeyInput{
+		KeyId:   aws.String(keyID),
+		KeySpec: kmstypes.DataKeySpecAes256,
+		Recipient: &kmstypes.RecipientInfo{
+			AttestationDocument:    attestationDoc,
+			KeyEncryptionAlgorithm: kmstypes.KeyEncryptionMechanismRsaesOaepSha256,
+		},
+	}, rsaPrivateKey)
+	if err != nil {
+		panic(fmt.Errorf("failed to generate data key on KMS: %w", err))
+	}
+	fmt.Printf("Plaintext(generate-data-key): %s\n", hexutil.Encode(generateDataKeyResp.Plaintext))
+
+	generateDataKeyPairResp, err := awsKMSEnclaveClient.GenerateDataKeyPair(context.TODO(), &kms.GenerateDataKeyPairInput{
+		KeyId:       aws.String(keyID),
+		KeyPairSpec: kmstypes.DataKeyPairSpecEccNistP521,
+		Recipient: &kmstypes.RecipientInfo{
+			AttestationDocument:    attestationDoc,
+			KeyEncryptionAlgorithm: kmstypes.KeyEncryptionMechanismRsaesOaepSha256,
+		},
+	}, rsaPrivateKey)
+	if err != nil {
+		panic(fmt.Errorf("failed to generate data key pair on KMS: %w", err))
+	}
+	fmt.Printf("PrivateKeyPlaintext(generate-data-key-pair): %s\n", hexutil.Encode(generateDataKeyPairResp.PrivateKeyPlaintext))
+	fmt.Printf("PublicKey: %s\n", hexutil.Encode(generateDataKeyPairResp.PublicKey))
+
+	generateRandomResp, err := awsKMSEnclaveClient.GenerateRandom(context.TODO(), &kms.GenerateRandomInput{
+		NumberOfBytes: aws.Int32(128),
+		Recipient: &kmstypes.RecipientInfo{
+			AttestationDocument:    attestationDoc,
+			KeyEncryptionAlgorithm: kmstypes.KeyEncryptionMechanismRsaesOaepSha256,
+		},
+	}, rsaPrivateKey)
+	if err != nil {
+		panic(fmt.Errorf("failed to genearate random on KMS: %w", err))
+	}
+	fmt.Printf("Plaintext(generate-random): %s\n", hexutil.Encode(generateRandomResp.Plaintext))
+}
+
+func CreateKMSEnclaveKey(cfg aws.Config, pcrs map[string]string) (string, error) {
+	callerARN, err := getCallerARN(cfg)
+	if err != nil {
+		return "", fmt.Errorf("failed to get arn of active user: %w", err)
+	}
+
+	log.Debug("Create KMS Restricted key: Caller ARN", callerARN)
+
+	rootARN, err := arn.Parse(callerARN)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse arn: %w", err)
+	}
+	rootARN.Resource = "root"
+
+	log.Debug("Create KMS Restricted key: Root ARN", rootARN.String())
+
+	keyPolicy := map[string]interface{}{
+		"Version": "2012-10-17",
+		"Id":      "key-default-1",
+		"Statement": []map[string]interface{}{
+			{
+				"Sid":    "Allow access for Key Administrators",
+				"Effect": "Allow",
+				"Principal": map[string]interface{}{
+					"AWS": rootARN.String(),
+				},
+				"Action": []string{
+					"kms:CancelKeyDeletion",
+					"kms:DescribeKey",
+					"kms:DisableKey",
+					"kms:EnableKey",
+					"kms:GetKeyPolicy",
+					"kms:ScheduleKeyDeletion",
+				},
+				"Resource": "*",
+			},
+			// should be removed if you want to
+			// trust private key generated in enclave
+			{
+				"Sid":    "Enable encrypt from instance",
+				"Effect": "Allow",
+				"Principal": map[string]interface{}{
+					"AWS": callerARN,
+				},
+				"Action":   "kms:Encrypt",
+				"Resource": "*",
+			},
+			{
+				"Sid":    "Enable decrypt from enclave",
+				"Effect": "Allow",
+				"Principal": map[string]interface{}{
+					"AWS": callerARN,
+				},
+				"Action": []string{
+					"kms:Decrypt",
+					"kms:GenerateRandom",
+					"kms:GenerateDataKey",
+					"kms:GenerateDataKeyPair",
+				},
+				"Resource": "*",
+				"Condition": map[string]interface{}{
+					"StringEqualsIgnoreCase": pcrs,
+				},
+			},
+		},
+	}
+
+	policyBytes, err := json.Marshal(keyPolicy)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal policy: %w", err)
+	}
+
+	log.Debug("Create KMS Restricted key: Key policy", string(policyBytes))
+
+	awsKMSClient := kms.NewFromConfig(cfg)
+	resp, err := awsKMSClient.CreateKey(context.TODO(), &kms.CreateKeyInput{
+		// DANGER: The key may become unmanageable
+		BypassPolicyLockoutSafetyCheck: true,
+		Description:                    aws.String("Nitro Enclave Key"),
+		Policy:                         aws.String(string(policyBytes)),
+	})
+	if err != nil {
+		return "", fmt.Errorf("failed to create kms key")
+	}
+
+	// Should never be nil
+	return *resp.KeyMetadata.KeyId, nil
+}
+
+func getCallerARN(cfg aws.Config) (string, error) {
+	awsIAMClient := iam.NewFromConfig(cfg)
+	resp, err := awsIAMClient.GetUser(context.TODO(), &iam.GetUserInput{})
+	if err != nil {
+		return "", err
+	}
+
+	// Should never be nil
+	return *resp.User.Arn, nil
+}