Library to bootstrap a WSGI/ASGI application for Gramine
Project description
Cosmian Enclave Lib SGX
Overview
Cosmian Enclave lib SGX bootstraps the execution of an encrypted ASGI/WSGI Python web application for Gramine.
The library is responsible for:
- Configuring the SSL certificates with either:
  - RA-TLS, a self-signed certificate including the Intel SGX quote in an X.509 v3 extension
  - Custom, the private key and full certificate chain are provided by the application owner
  - No SSL, the secure channel may be managed elsewhere by an SSL proxy
- Decrypting Python modules encrypted with XSalsa20-Poly1305 AEAD
- Running the ASGI/WSGI Python web application with hypercorn
Technical details
The flow to run an encrypted Python web application is the following:
- A first self-signed HTTPS server using RA-TLS is launched and waits to receive a JSON payload with:
  - UUID, a unique application identifier provided to cenclave-bootstrap as an argument
  - the decryption key of the code
  - optionally, the private key corresponding to the certificate provided to cenclave-bootstrap (for a Custom certificate)
- If the UUID and decryption key are the expected ones, the configuration server is stopped, the code is decrypted and finally run as a new server

Because the decryption key (and possibly the TLS private key) travels over this first connection, the client must verify the SGX quote embedded in the RA-TLS certificate, and that the certificate it is talking to is the one the quote binds, before posting the payload; otherwise the secrets could be handed to a server running outside an enclave.
Installation
$ pip install cenclave-lib-sgx
Usage
$ cenclave-bootstrap --help
usage: cenclave-bootstrap [-h] [--host HOST] [--client-certificate CLIENT_CERTIFICATE] [--port PORT]
[--subject SUBJECT] [--san SAN] --app-dir APP_DIR --id ID [--timeout TIMEOUT]
[--version] [--debug]
(--ratls EXPIRATION_DATE | --no-ssl | --certificate CERTIFICATE_PATH)
application
Bootstrap ASGI/WSGI Python web application for Gramine
positional arguments:
application ASGI application path (as module:app)
options:
-h, --help show this help message and exit
--host HOST hostname of the server
--client-certificate CLIENT_CERTIFICATE
For client certificate authentication (PEM encoded)
--port PORT port of the server
--subject SUBJECT Subject as RFC 4514 string for the RA-TLS certificate
--san SAN Subject Alternative Name in the RA-TLS certificate
--app-dir APP_DIR path of the python web application
--id ID identifier of the application as UUID in RFC 4122
--timeout TIMEOUT seconds before closing the configuration server
--version show program's version number and exit
--debug debug mode with more logging
--ratls EXPIRATION_DATE
generate a self-signed certificate for RA-TLS with a specific expiration date (Unix time)
--no-ssl use HTTP without SSL
--certificate CERTIFICATE_PATH
custom certificate used for the SSL connection, private key must be sent through the
configuration server
Project details
Download files
Source Distribution: cenclave_lib_sgx-1.1.1.tar.gz (15.8 kB)
Built Distribution: cenclave_lib_sgx-1.1.1-py3-none-any.whl (16.4 kB)
File details
Details for the file cenclave_lib_sgx-1.1.1.tar.gz.
File metadata
- Download URL: cenclave_lib_sgx-1.1.1.tar.gz
- Size: 15.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.0.1 CPython/3.12.8
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 71c265081df33868fa6518f6e1ae29d04657c568568dac35f05807cd5fe647f9 |
| MD5 | 91c2617d9dc894d08651b343e10a3a4f |
| BLAKE2b-256 | de4a3cf080feeccaabce8799765f5d05371470f37ad786904f9fb3982cc24ae4 |
File details
Details for the file cenclave_lib_sgx-1.1.1-py3-none-any.whl.
File metadata
- Download URL: cenclave_lib_sgx-1.1.1-py3-none-any.whl
- Size: 16.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.0.1 CPython/3.12.8
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 50376ef8499f9c3e44f4dda0171a856f3cca117e25e493098b539218d64da635 |
| MD5 | 2ea23a574ed3480463aba9ea7f38566f |
| BLAKE2b-256 | fcda8bb4ba611d8d6739c51b34740cd59f5f906a69214693ae7df306bb59003d |
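Added note, not from the original page: the SHA256 digests published above can be fed to pip's hash-checking mode so that the installer refuses any artifact whose digest differs from the one recorded here. A constructed requirements fragment using the two SHA256 values from this page (sdist and wheel):

```text
# requirements.txt: pin to 1.1.1 and accept only the published sdist or wheel
cenclave-lib-sgx==1.1.1 \
    --hash=sha256:71c265081df33868fa6518f6e1ae29d04657c568568dac35f05807cd5fe647f9 \
    --hash=sha256:50376ef8499f9c3e44f4dda0171a856f3cca117e25e493098b539218d64da635
```

Install with `pip install --require-hashes -r requirements.txt`. In hash-checking mode pip requires a hash for every package in the file, including transitive dependencies, so in practice the file is generated with a tool such as `pip-compile --generate-hashes` rather than written by hand; the fragment above only shows the entry for this package.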