def test_create_wait_certificate(self): wait_timer = \ EnclaveWaitTimer( validator_address='1600 Pennsylvania Avenue NW', duration=3.14159, previous_certificate_id='Smart, Maxwell Smart', local_mean=2.71828) wait_certificate = \ EnclaveWaitCertificate.wait_certificate_with_wait_timer( wait_timer=wait_timer, nonce='Eeny, meeny, miny, moe.', block_hash='Indigestion. Pepto Bismol.') self.assertAlmostEqual(wait_timer.request_time, wait_certificate.request_time) self.assertAlmostEqual(wait_timer.duration, wait_certificate.duration) self.assertEqual(wait_timer.previous_certificate_id, wait_certificate.previous_certificate_id) self.assertAlmostEqual(wait_timer.local_mean, wait_certificate.local_mean) self.assertEqual(wait_timer.validator_address, wait_certificate.validator_address) self.assertEqual(wait_certificate.nonce, 'Eeny, meeny, miny, moe.') self.assertEqual(wait_certificate.block_hash, 'Indigestion. Pepto Bismol.') self.assertIsNone(wait_certificate.signature) # You probably wonder why I bother assigning # wait_certificate.previous_certificate_id to a local variable - # this is to simply get around PEP8. # If I don't, it complains about the line being too long. # If I do a line continuation, it complains about a space around the =. previous_certificate_id = wait_certificate.previous_certificate_id other_wait_certificate = \ EnclaveWaitCertificate( duration=wait_certificate.duration, previous_certificate_id=previous_certificate_id, local_mean=wait_certificate.local_mean, request_time=wait_certificate.request_time, validator_address='1600 Pennsylvania Avenue NW', nonce='Eeny, meeny, miny, moe.', block_hash=wait_certificate.block_hash) self.assertAlmostEqual(wait_certificate.duration, other_wait_certificate.duration) self.assertEqual(wait_certificate.previous_certificate_id, other_wait_certificate.previous_certificate_id) self.assertAlmostEqual(wait_certificate.local_mean, other_wait_certificate.local_mean) self.assertAlmostEqual(wait_certificate.request_time, other_wait_certificate.request_time) self.assertEqual(wait_certificate.validator_address, other_wait_certificate.validator_address) self.assertEqual(wait_certificate.nonce, other_wait_certificate.nonce) self.assertEqual(wait_certificate.block_hash, other_wait_certificate.block_hash) self.assertIsNone(other_wait_certificate.signature)
def test_deserialized_wait_certificate(self): wait_timer = \ EnclaveWaitTimer( validator_address='1600 Pennsylvania Avenue NW', duration=3.14159, previous_certificate_id='Smart, Maxwell Smart', local_mean=2.71828) wait_certificate = \ EnclaveWaitCertificate.wait_certificate_with_wait_timer( wait_timer=wait_timer, nonce='Eeny, meeny, miny, moe.', block_hash='Indigestion. Pepto Bismol.') serialized = wait_certificate.serialize() private_key = self._create_random_key() wait_certificate.signature = \ create_context('secp256k1').sign(serialized.encode(), private_key) copy_wait_certificate = \ EnclaveWaitCertificate.wait_certificate_from_serialized( serialized, wait_certificate.signature) self.assertAlmostEqual( wait_certificate.request_time, copy_wait_certificate.request_time) self.assertAlmostEqual( wait_certificate.duration, copy_wait_certificate.duration) self.assertEqual( wait_certificate.previous_certificate_id, copy_wait_certificate.previous_certificate_id) self.assertAlmostEqual( wait_certificate.local_mean, copy_wait_certificate.local_mean) self.assertEqual( wait_certificate.validator_address, copy_wait_certificate.validator_address) self.assertEqual( wait_certificate.nonce, copy_wait_certificate.nonce) self.assertEqual( wait_certificate.block_hash, copy_wait_certificate.block_hash) self.assertEqual( wait_certificate.signature, copy_wait_certificate.signature) self.assertEqual(serialized, copy_wait_certificate.serialize())
def test_deserialized_wait_certificate(self): wait_timer = \ EnclaveWaitTimer( validator_address='1600 Pennsylvania Avenue NW', duration=3.14159, previous_certificate_id='Smart, Maxwell Smart', local_mean=2.71828) wait_certificate = \ EnclaveWaitCertificate.wait_certificate_with_wait_timer( wait_timer=wait_timer, nonce='Eeny, meeny, miny, moe.', block_hash='Indigestion. Pepto Bismol.') serialized = wait_certificate.serialize() signing_key = self._create_random_key() wait_certificate.signature = \ signing.sign(serialized, signing_key) copy_wait_certificate = \ EnclaveWaitCertificate.wait_certificate_from_serialized( serialized, wait_certificate.signature) self.assertAlmostEqual( wait_certificate.request_time, copy_wait_certificate.request_time) self.assertAlmostEqual( wait_certificate.duration, copy_wait_certificate.duration) self.assertEqual( wait_certificate.previous_certificate_id, copy_wait_certificate.previous_certificate_id) self.assertAlmostEqual( wait_certificate.local_mean, copy_wait_certificate.local_mean) self.assertEqual( wait_certificate.validator_address, copy_wait_certificate.validator_address) self.assertEqual( wait_certificate.nonce, copy_wait_certificate.nonce) self.assertEqual( wait_certificate.block_hash, copy_wait_certificate.block_hash) self.assertEqual( wait_certificate.signature, copy_wait_certificate.signature) self.assertEqual(serialized, copy_wait_certificate.serialize())
def test_serialize_wait_certificate(self): wait_timer = \ EnclaveWaitTimer( validator_address='1600 Pennsylvania Avenue NW', duration=3.14159, previous_certificate_id='Smart, Maxwell Smart', local_mean=2.71828) wait_certificate = \ EnclaveWaitCertificate.wait_certificate_with_wait_timer( wait_timer=wait_timer, nonce='Eeny, meeny, miny, moe.', block_hash='Indigestion. Pepto Bismol.') self.assertIsNotNone(wait_certificate.serialize())
def deserialize_wait_certificate(cls, serialized_certificate, signature): return \ EnclaveWaitCertificate.wait_certificate_from_serialized( serialized_certificate=serialized_certificate, signature=signature)
def create_wait_certificate(cls, sealed_signup_data, wait_timer, block_hash): with cls._lock: # Extract keys from the 'sealed' signup data if sealed_signup_data is None: raise ValueError('Sealed Signup Data is None') signup_data = \ json2dict( base64.b64decode(sealed_signup_data.encode()).decode()) poet_private_key = signup_data['poet_private_key'] poet_public_key = signup_data['poet_public_key'] if poet_private_key is None or poet_public_key is None: raise \ ValueError( 'Invalid signup data. No poet key(s).') try: poet_public_key = Secp256k1PublicKey.from_hex(poet_public_key) poet_private_key = Secp256k1PrivateKey.from_hex( poet_private_key) except ParseError: raise \ ValueError( 'Invalid signup data. Badly formatted poet key(s).') # Several criteria need to be met before we can create a wait # certificate: # 1. This signup data was used to sign this timer. # i.e. the key sealed / unsealed by the TEE signed this # wait timer. # 2. This timer has expired # 3. This timer has not timed out # # In a TEE implementation we would check HW counter agreement. # We can't usefully simulate a HW counter though. # i.e. wait_timer.counter_value == signup_data.counter.value # # Note - we make a concession for the genesis block (i.e., a wait # timer for which the previous certificate ID is the Null # identifier) in that we don't require the timer to have expired # and we don't worry about the timer having timed out. if wait_timer is None or \ not cls._context.verify( wait_timer.signature, wait_timer.serialize().encode(), poet_public_key): raise \ ValueError( 'Validator is not using the current wait timer') is_not_genesis_block = \ (wait_timer.previous_certificate_id != NULL_BLOCK_IDENTIFIER) now = time.time() expire_time = \ wait_timer.request_time + \ wait_timer.duration if is_not_genesis_block and now < expire_time: raise \ ValueError( 'Cannot create wait certificate because timer has ' 'not expired') time_out_time = \ wait_timer.request_time + \ wait_timer.duration + \ TIMER_TIMEOUT_PERIOD if is_not_genesis_block and time_out_time < now: raise \ ValueError( 'Cannot create wait certificate because timer ' 'has timed out') # Create a random nonce for the certificate. For our "random" # nonce we will take the timer signature, concat that with the # current time, JSON-ize it and create a SHA-256 hash over it. # Probably not considered random by security professional # standards, but it is good enough for the simulator. random_string = \ dict2json({ 'wait_timer_signature': wait_timer.signature, 'now': datetime.datetime.utcnow().isoformat() }) nonce = hashlib.sha256(random_string.encode()).hexdigest() # First create a new enclave wait certificate using the data # provided and then sign the certificate with the PoET private key wait_certificate = \ EnclaveWaitCertificate.wait_certificate_with_wait_timer( wait_timer=wait_timer, nonce=nonce, block_hash=block_hash) wait_certificate.signature = \ cls._context.sign( wait_certificate.serialize().encode(), poet_private_key) # In a TEE implementation we would increment the HW counter here # to prevent replay. # We can't usefully simulate a HW counter though. return wait_certificate
def create_wait_certificate(cls, wait_timer, block_hash): with cls._lock: # If we don't have a PoET private key, then the enclave has not # been properly initialized (either by calling create_signup_info # or unseal_signup_data) if cls._poet_private_key is None: raise \ ValueError( 'Enclave must be initialized before attempting to ' 'create a wait certificate') # Several criteria need to be met before we can create a wait # certificate: # 1. We have an active timer # 2. The caller's wait timer is the active wait timer. We are not # going to rely the objects, being the same, but will compute # a signature over the object and verify that the signatures # are the same. # 3. The active timer has expired # 4. The active timer has not timed out # # Note - we make a concession for the genesis block (i.e., a wait # timer for which the previous certificate ID is the Null # identifier) in that we don't require the timer to have expired # and we don't worry about the timer having timed out. if cls._active_wait_timer is None: raise \ ValueError( 'There is not a current enclave active wait timer') if wait_timer is None or \ cls._active_wait_timer.signature != \ signing.sign( wait_timer.serialize(), cls._poet_private_key): raise \ ValueError( 'Validator is not using the current wait timer') is_not_genesis_block = \ (cls._active_wait_timer.previous_certificate_id != NULL_BLOCK_IDENTIFIER) now = time.time() expire_time = \ cls._active_wait_timer.request_time + \ cls._active_wait_timer.duration if is_not_genesis_block and now < expire_time: raise \ ValueError( 'Cannot create wait certificate because timer has ' 'not expired') time_out_time = \ cls._active_wait_timer.request_time + \ cls._active_wait_timer.duration + \ TIMER_TIMEOUT_PERIOD if is_not_genesis_block and time_out_time < now: raise \ ValueError( 'Cannot create wait certificate because timer ' 'has timed out') # Create a random nonce for the certificate. For our "random" # nonce we will take the timer signature, concat that with the # current time, JSON-ize it and create a SHA-256 hash over it. # Probably not considered random by security professional # standards, but it is good enough for the simulator. random_string = \ dict2json({ 'wait_timer_signature': cls._active_wait_timer.signature, 'now': datetime.datetime.utcnow().isoformat() }) nonce = hashlib.sha256(random_string.encode()).hexdigest() # First create a new enclave wait certificate using the data # provided and then sign the certificate with the PoET private key wait_certificate = \ EnclaveWaitCertificate.wait_certificate_with_wait_timer( wait_timer=cls._active_wait_timer, nonce=nonce, block_hash=block_hash) wait_certificate.signature = \ signing.sign( wait_certificate.serialize(), cls._poet_private_key) # Now that we have created the certificate, we no longer have an # active timer cls._active_wait_timer = None return wait_certificate
def test_create_wait_certificate(self): wait_timer = \ EnclaveWaitTimer( validator_address='1600 Pennsylvania Avenue NW', duration=3.14159, previous_certificate_id='Smart, Maxwell Smart', local_mean=2.71828) wait_certificate = \ EnclaveWaitCertificate.wait_certificate_with_wait_timer( wait_timer=wait_timer, nonce='Eeny, meeny, miny, moe.', block_hash='Indigestion. Pepto Bismol.') self.assertAlmostEqual( wait_timer.request_time, wait_certificate.request_time) self.assertAlmostEqual( wait_timer.duration, wait_certificate.duration) self.assertEqual( wait_timer.previous_certificate_id, wait_certificate.previous_certificate_id) self.assertAlmostEqual( wait_timer.local_mean, wait_certificate.local_mean) self.assertEqual( wait_timer.validator_address, wait_certificate.validator_address) self.assertEqual(wait_certificate.nonce, 'Eeny, meeny, miny, moe.') self.assertEqual( wait_certificate.block_hash, 'Indigestion. Pepto Bismol.') self.assertIsNone(wait_certificate.signature) # You probably wonder why I bother assigning # wait_certificate.previous_certificate_id to a local variable - # this is to simply get around PEP8. # If I don't, it complains about the line being too long. # If I do a line continuation, it complains about a space around the =. previous_certificate_id = wait_certificate.previous_certificate_id other_wait_certificate = \ EnclaveWaitCertificate( duration=wait_certificate.duration, previous_certificate_id=previous_certificate_id, local_mean=wait_certificate.local_mean, request_time=wait_certificate.request_time, validator_address='1600 Pennsylvania Avenue NW', nonce='Eeny, meeny, miny, moe.', block_hash=wait_certificate.block_hash) self.assertAlmostEqual( wait_certificate.duration, other_wait_certificate.duration) self.assertEqual( wait_certificate.previous_certificate_id, other_wait_certificate.previous_certificate_id) self.assertAlmostEqual( wait_certificate.local_mean, other_wait_certificate.local_mean) self.assertAlmostEqual( wait_certificate.request_time, other_wait_certificate.request_time) self.assertEqual( wait_certificate.validator_address, other_wait_certificate.validator_address) self.assertEqual(wait_certificate.nonce, other_wait_certificate.nonce) self.assertEqual( wait_certificate.block_hash, other_wait_certificate.block_hash) self.assertIsNone(other_wait_certificate.signature)