nightly clique-sibyl-commonlib

Clique Sibyl Common Library, for generating and verifying TEE attestation (Intel SGX, Intel TDX) and providing customized TLS verification with TEE attestation

1 stable release

new 2.3.2 Oct 28, 2024

Apache-2.0

230KB
2.5K SLoC

clique-sibyl-commonlib

Usage

[dependencies]
clique-sibyl-commonlib = { git = "https://github.com/CliqueOfficial/clique-sibyl-commonlib.git", tag = "v2.3.2" }

Features

Supports four rustls features (rustls-0_20, rustls-0_21, rustls-0_22, rustls-0_23) and a wasm feature. If you need to enable rustls, specify the feature that matches the version of rustls you intend to use.

# use rustls-0_23
[dependencies]
clique-sibyl-commonlib = { git = "https://github.com/CliqueOfficial/clique-sibyl-commonlib.git", tag = "v2.3.2", features = ["rustls-0_23"] }

# use rustls-0_20
[dependencies]
clique-sibyl-commonlib = { git = "https://github.com/CliqueOfficial/clique-sibyl-commonlib.git", tag = "v2.3.2", features = ["rustls-0_20"] }

# use rustls-0_21
[dependencies]
clique-sibyl-commonlib = { git = "https://github.com/CliqueOfficial/clique-sibyl-commonlib.git", tag = "v2.3.2", features = ["rustls-0_21"] }

# use rustls-0_22
[dependencies]
clique-sibyl-commonlib = { git = "https://github.com/CliqueOfficial/clique-sibyl-commonlib.git", tag = "v2.3.2", features = ["rustls-0_22"] }

TLS Config

You can create a rustls TLS server config like this:

use clique_sibyl_commonlib::tls::config::create_tls_server_config;

let tls_config = create_tls_server_config()?;

With this TLS server config, you can start a TLS server using a server framework such as actix-web:

[dependencies]
clique-sibyl-commonlib = { git = "https://github.com/CliqueOfficial/clique-sibyl-commonlib.git", tag = "v2.3.2", features = ["rustls-0_23"] }

actix-web = { version = "4.6.0", features = ["rustls-0_23"] }
actix-rt = "2.9.0"

use actix_web::{web, App, HttpResponse, HttpServer, Responder};
use clique_sibyl_commonlib::tls::config::create_tls_server_config;

// Simple health-check handler served over TLS.
async fn status() -> impl Responder {
    HttpResponse::Ok().body("Server is running!")
}

#[actix_rt::main]
async fn main() -> std::io::Result<()> {
    // rustls server config provided by clique-sibyl-commonlib.
    let tls_config = create_tls_server_config().unwrap();

    // Bind with the rustls 0.23 integration; bind errors propagate via `?`.
    HttpServer::new(|| {
        App::new().route("/status", web::get().to(status))
    })
    .bind_rustls_0_23("127.0.0.1:8080", tls_config)?
    .run()
    .await
}

You can create a rustls TLS client config like this:

use clique_sibyl_commonlib::tls::config::create_tls_client_config;

let tls_config = create_tls_client_config(None, None);

This TLS client config helps you verify the attestation in the certificate during the TLS handshake.

Attestation Verifier

You can use clique_sibyl_commonlib::attestation::verify_attestation to verify the attestation.

WASM

Install WASM toolchains:

cargo install wasm-bindgen-cli
rustup target add wasm32-unknown-unknown

Build WASM:

cargo build --target wasm32-unknown-unknown --release --features wasm

# For node.js
wasm-bindgen target/wasm32-unknown-unknown/release/clique_sibyl_commonlib.wasm --out-dir ./wasm/pkg-node --target nodejs

# For ReactJS
wasm-bindgen target/wasm32-unknown-unknown/release/clique_sibyl_commonlib.wasm --out-dir ./wasm/pkg-web --target web

Install node.js:

sudo apt update
sudo apt install nodejs
sudo apt install npm

Test WASM for node.js:

cd wasm/wasm-node-test
node index.js

Tests

cargo t
cargo t actix -- --nocapture
cargo t actix --features "rustls-0_23" -- --nocapture

Examples

You can explore the examples located in ./tests/actix and ./gramine-examples/actix-example to see how to integrate this crate with both an Actix server and client.

Dependencies

~12–24MB
~354K SLoC