def decrypt_work_order_data_json(self,
data_objects,
session_key,
session_iv=None):
"""
Function to decrypt inData/outData of workorder
Function iterate through the inData/outData items and
decrypt the data using DataEncryptionKey/Session key.
inData/outData data field is updated with decrypted data.
Parameters:
data_objects: inData/outData elements within the
work order request or response as per Trusted Compute
EEA API 6.1.7 Work Order Data Formats.
session_key: The key used to decrypt the encrypted data
of the response.
session_iv: initialization vector corresponding
to session_key.
"""
i = 0
do_decrypt = True
for item in data_objects:
data = item['data']
if 'encryptedDataEncryptionKey' in item:
e_key = item['encryptedDataEncryptionKey']
else:
e_key = None
if not e_key or (e_key == "null"):
data_key = session_key
iv = session_iv
elif e_key == "-":
do_decrypt = False
else:
if 'iv' in item:
iv = item['iv']
else:
iv = None
# Decrypt data key
data_key = self.decrypt_data_encryption_key(
e_key, iv, sesssion_key)
if not do_decrypt:
item['data'] = crypto_utility.base64_to_byte_array(data)
else:
# Decrypt output data
item_data_bytes = crypto_utility.base64_to_byte_array(data)
data_in_plain = self.decrypt_data(item_data_bytes, data_key,
iv)
item['data'] = data_in_plain
i = i + 1
return data_objects
def verify_create_receipt_signature(self, input_json):
"""
Function to verify the signature of work order receipt create
Parameters:
input_json: Dictionary which contains request payload of
WorkOrderReceiptRetrieve API as define EEA spec 7.2.2
Returns:
enum type SignatureStatus
"""
input_json_params = input_json['params']
concat_string = input_json_params["workOrderId"] + \
input_json_params["workerServiceId"] + \
input_json_params["workerId"] + \
input_json_params["requesterId"] + \
str(input_json_params["receiptCreateStatus"]) + \
input_json_params["workOrderRequestHash"] + \
input_json_params["requesterGeneratedNonce"]
concat_hash = bytes(concat_string, "UTF-8")
final_hash = bytes(crypto_utility.compute_message_hash(concat_hash))
signature = input_json_params["requesterSignature"]
verification_key = \
input_json_params["receiptVerificationKey"].encode("ascii")
decoded_signature = crypto_utility.base64_to_byte_array(signature)
return self.verify_signature_from_pubkey(decoded_signature, final_hash,
verification_key)
def _verify_wo_verification_key_signature(self, wo_response,
wo_verification_key,
requester_nonce):
"""
Function to verify the work order response signature
Parameters:
wo_response : Dictionary which contains work order response
as per Trusted Compute EEA API 6.1.2 Work Order Result Payload
wo_verification_key : ECDSA/SECP256K1 public key used
to verify work order verification key signature.
requester_nonce : requester generated nonce passed in work
order request. Required in 2 step verification.
Returns:
enum type SignatureStatus
"""
if requester_nonce is None:
logger.error("Missing requester_nonce argument")
return SignatureStatus.FAILED
concat_string = wo_response["extVerificationKey"] + requester_nonce
v_key_sig = wo_response["extVerificationKeySignature"]
v_key_hash = crypto_utility.compute_message_hash(
bytes(concat_string, 'UTF-8'))
decoded_v_key_sig = crypto_utility.base64_to_byte_array(v_key_sig)
return self.verify_signature_from_pubkey(decoded_v_key_sig, v_key_hash,
wo_verification_key)
def _verify_wo_response_signature(self, wo_response,
wo_res_verification_key):
"""
Function to verify the work order response signature
Parameters:
@param wo_response - dictionary contains work order response
as per Trusted Compute EEA API 6.1.2 Work Order Result Payload
@param wo_res_verification_key - ECDSA/SECP256K1 public key
used to verify work order response signature.
Returns enum type SignatureStatus
"""
worker_nonce = wo_response["workerNonce"]
signature = wo_response['workerSignature']
response_hash = self.calculate_response_hash(wo_response)
try:
_verifying_key = VerifyingKey.from_pem(wo_res_verification_key)
except Exception as error:
logger.error("Error in verification key of "
"work order response : %s",
error)
return SignatureStatus.INVALID_VERIFICATION_KEY
decoded_signature = crypto_utility.base64_to_byte_array(signature)
try:
sig_result = _verifying_key.verify_digest(decoded_signature,
response_hash,
sigdecode=sigdecode_der)
if sig_result:
return SignatureStatus.PASSED
except Exception as er:
if("Malformed formatting of signature" in str(er)):
return SignatureStatus.INVALID_SIGNATURE_FORMAT
return SignatureStatus.FAILED
def execute(self):
serialized_byte_array = crypto.string_to_byte_array(self.work_order)
encrypted_request = crypto.byte_array_to_base64(serialized_byte_array)
logger.info(
"------------------------sgx_work_order_request1------------------------------------"
)
try:
encoded_encrypted_response = self.enclave.HandleWorkOrderRequest(
encrypted_request, self.ext_data)
logger.info(
"------------------------sgx_work_order_request2------------------------------------"
)
assert encoded_encrypted_response
except Exception as err:
logger.info(
"------------------------sgx_work_order_request3------------------------------------"
)
logger.exception('workorder request invocation failed: %s',
str(err))
raise
logger.info(
"------------------------sgx_work_order_request4------------------------------------"
)
try:
decrypted_response = crypto.base64_to_byte_array(
encoded_encrypted_response)
response_string = crypto.byte_array_to_string(decrypted_response)
response_parsed = json.loads(response_string[0:-1])
except Exception as err:
logger.exception('workorder response is invalid: %s', str(err))
raise
return response_parsed
def test_verify_encryption_key_signature():
enc_key_sig_byte = crypto_utility.string_to_byte_array(worker_enc_key)
enc_key_hash = crypto_utility.compute_message_hash(enc_key_sig_byte)
try:
# sign encryption key
status, enc_key_signature = \
sig_obj.generate_signature(enc_key_hash, worker_signing_key)
enc_key_signature = \
crypto_utility.base64_to_byte_array(enc_key_signature)
enc_key_signature_hex = \
crypto_utility.byte_array_to_hex(enc_key_signature)
status = sig_obj.verify_encryption_key_signature(
enc_key_signature_hex, worker_enc_key, worker_verifying_key)
if status == SignatureStatus.PASSED:
logging.info("PASSED: verify_encryption_key_signature")
return 0
else:
logging.info("FAILED: verify_encryption_key_signature")
return 1
except Exception as err:
logging.info("FAILED: verify_encryption_key_signature")
return 1
def calculate_wo_pre_proc_keys_hash(self, pre_proc_json):
"""
Computes hash on pre-processed work order keys(by KME worker)
Parameters:
pre_proc_json: Pre processed JSON(by KME worker) having work order
keys needed in encrypted format to process client
work order request
Returns:
Computed hash of pre-processed work order keys in bytes
"""
concat_hash = crypto_utility.byte_array_to_base64(
self.encrypted_sym_key) + \
crypto_utility.byte_array_to_base64(self.encrypted_wo_key) + \
crypto_utility.byte_array_to_base64(self.encrypted_sig_key)
hash_1 = worker_hash.WorkerHash().compute_message_hash(
concat_hash.encode("utf-8"))
hash_1_str = crypto_utility.byte_array_to_base64(hash_1)
# Compute hash of input-data-keys
in_data_key_hash_str = ""
for key in pre_proc_json['input-data-keys']:
in_data_key_hash_str += crypto_utility.byte_array_to_base64(
worker_hash.WorkerHash().compute_message_hash(
crypto_utility.base64_to_byte_array(
key['encrypted-data-key'])))
# Compute hash on output-data-keys
out_data_key_hash_str = ""
for key in pre_proc_json['output-data-keys']:
out_data_key_hash_str += crypto_utility.byte_array_to_base64(
worker_hash.WorkerHash().compute_message_hash(
crypto_utility.base64_to_byte_array(
key['encrypted-data-key'])))
final_hash = hash_1_str.encode("utf-8") + \
in_data_key_hash_str.encode("utf-8") + \
out_data_key_hash_str.encode("utf-8")
return worker_hash.WorkerHash().compute_message_hash(final_hash)
def _verify_wo_verification_key_signature(self,
wo_response,
wo_verification_key,
requester_nonce):
"""
Function to verify the work order response signature
Parameters:
@param wo_response - dictionary contains work order response
as per Trusted Compute EEA API 6.1.2 Work Order Result Payload
@param wo_verification_key - ECDSA/SECP256K1 public key used
to verify work order verification key signature.
@param requester_nonce - requester generated nonce passed in work
order request. Required in 2 step verification.
Returns enum type SignatureStatus
"""
if requester_nonce is None:
logger.error("Missing requester_nonce argument")
return SignatureStatus.FAILED
concat_string = wo_response["extVerificationKey"] + requester_nonce
v_key_sig = wo_response["extVerificationKeySignature"]
v_key_hash = crypto_utility.compute_message_hash(
bytes(concat_string, 'UTF-8'))
try:
_verifying_key = VerifyingKey.from_pem(wo_verification_key)
except Exception as error:
logger.error("Error in verification key of"
"verification key signature : %s", error)
return SignatureStatus.INVALID_VERIFICATION_KEY
decoded_v_key_sig = crypto_utility.base64_to_byte_array(v_key_sig)
try:
sig_result = _verifying_key.verify_digest(
decoded_v_key_sig,
bytes(v_key_hash),
sigdecode=sigdecode_der)
if sig_result:
return SignatureStatus.PASSED
except Exception as er:
if("Malformed formatting of signature" in str(er)):
return SignatureStatus.INVALID_SIGNATURE_FORMAT
return SignatureStatus.FAILED
def _verify_wo_response_signature(self, wo_response,
wo_res_verification_key):
"""
Function to verify the work order response signature
Parameters:
@param wo_response - dictionary contains work order response
as per Trusted Compute EEA API 6.1.2 Work Order Result Payload
@param wo_res_verification_key - ECDSA/SECP256K1 public key
used to verify work order response signature.
Returns enum type SignatureStatus
"""
if "workerSignature" not in wo_response:
logger.error("workerSignature not present in reponse json")
return False
signature = wo_response['workerSignature']
response_hash = worker_hash.WorkerHash().calculate_response_hash(
wo_response)
decoded_signature = crypto_utility.base64_to_byte_array(signature)
return self.verify_signature_from_pubkey(decoded_signature,
response_hash,
wo_res_verification_key)
def verify_create_receipt_signature(self, input_json):
"""
Function to verify the signature of work order receipt create
Parameters:
- input_json is dictionary contains request payload of
WorkOrderReceiptRetrieve API as define EEA spec 7.2.2
Returns enum type SignatureStatus
"""
input_json_params = input_json['params']
concat_string = input_json_params["workOrderId"] + \
input_json_params["workerServiceId"] + \
input_json_params["workerId"] + \
input_json_params["requesterId"] + \
str(input_json_params["receiptCreateStatus"]) + \
input_json_params["workOrderRequestHash"] + \
input_json_params["requesterGeneratedNonce"]
concat_hash = bytes(concat_string, "UTF-8")
final_hash = bytes(crypto_utility.compute_message_hash(concat_hash))
signature = input_json_params["requesterSignature"]
verification_key = \
input_json_params["receiptVerificationKey"].encode("ascii")
try:
_verifying_key = VerifyingKey.from_pem(verification_key)
except Exception as error:
logger.info("Error in verification key : %s", error)
return SignatureStatus.INVALID_VERIFICATION_KEY
decoded_signature = crypto_utility.base64_to_byte_array(signature)
try:
sig_result = _verifying_key.verify_digest(decoded_signature,
bytes(final_hash),
sigdecode=sigdecode_der)
if sig_result:
return SignatureStatus.PASSED
except Exception as er:
if("Malformed formatting of signature" in str(er)):
return SignatureStatus.INVALID_SIGNATURE_FORMAT
return SignatureStatus.FAILED
def _verify_wo_response_signature(self, wo_response,
wo_res_verification_key):
"""
Function to verify the work order response signature
Parameters:
@param wo_response - dictionary contains work order response
as per Trusted Compute EEA API 6.1.2 Work Order Result Payload
@param wo_res_verification_key - ECDSA/SECP256K1 public key
used to verify work order response signature.
Returns enum type SignatureStatus
"""
worker_nonce = (wo_response["workerNonce"]).encode('UTF-8')
signature = wo_response['workerSignature']
hash_string_1 = self.__calculate_hash_on_concatenated_string(
wo_response, worker_nonce)
data_objects = wo_response['outData']
hash_string_2 = self.calculate_datahash(data_objects)
concat_string = hash_string_1 + hash_string_2
concat_hash = bytes(concat_string, 'UTF-8')
final_hash = crypto_utility.compute_message_hash(concat_hash)
try:
_verifying_key = VerifyingKey.from_pem(wo_res_verification_key)
except Exception as error:
logger.error(
"Error in verification key of "
"work order response : %s", error)
return SignatureStatus.INVALID_VERIFICATION_KEY
decoded_signature = crypto_utility.base64_to_byte_array(signature)
try:
sig_result = _verifying_key.verify_digest(decoded_signature,
bytes(final_hash),
sigdecode=sigdecode_der)
if sig_result:
return SignatureStatus.PASSED
except Exception as er:
if ("Malformed formatting of signature" in str(er)):
return SignatureStatus.INVALID_SIGNATURE_FORMAT
return SignatureStatus.FAILED
def verify_update_receipt_signature(self, input_json):
"""
Function to verify the signature of work order receipt update
Parameters:
- input_json is dictionary contains payload returned by the
WorkOrderReceiptUpdateRetrieve API as define EEA spec 7.2.7
Returns enum type SignatureStatus
"""
input_json_params = input_json
concat_string = input_json_params["workOrderId"] + \
str(input_json_params["updateType"]) + \
input_json_params["updateData"]
concat_hash = bytes(concat_string, 'UTF-8')
final_hash = worker_hash.WorkerHash().compute_message_hash(concat_hash)
signature = input_json_params["updateSignature"]
verification_key = \
input_json_params["receiptVerificationKey"].encode("ascii")
decoded_signature = crypto_utility.base64_to_byte_array(signature)
return self.verify_signature_from_pubkey(decoded_signature, final_hash,
verification_key)
