Skip to main content

Library for Cosmian MSE to bootstrap Flask application

Project description

MicroService Encryption Lib SGX

Overview

MSE lib SGX bootstraps the execution of an encrypted ASGI/WSGI Python web application for Gramine.

The library is responsible for:

  • Configuring SSL certificates with either:
    • RA-TLS, a self-signed certificate containing SGX quote to be verified with remote attestation
    • Custom, the private key and full keychain is provided by the application owner
    • No SSL, the secure channel may be managed elsewhere by an SSL proxy
  • Decrypting Python modules encrypted with XSala20-Poly1305 AEAD transparently thanks to an import hook
  • Running the ASGI/WSGI Python web application with hypercorn

Technical details

The flow to deploy a Python web application is the following:

  1. A first self-signed HTTPS server using RA-TLS is launched waiting to receive a JSON payload with:
    • UUID, a unique application identifier provided to mse-bootstrap as an argument
    • the decryption key of the code
    • Optionally the private key corresponding to the certificate provided to mse-bootstrap (for custom certificate)
  2. If the UUID and decryption key are the expected one, the configuration server is stopped, the code is decrypted and finally run as a new server

Installation

$ pip install . 

Usage

$ mse-bootstrap --help
usage: mse-bootstrap [-h] --host HOST --port PORT --app-dir APP_DIR --uuid UUID [--version]
                     [--debug]
                     (--self-signed EXPIRATION_DATE | --no-ssl | --certificate CERTIFICATE_PATH)
                     application

Bootstrap ASGI/WSGI Python web application for Gramine

positional arguments:
  application           Application to dispatch to as path.to.module:instance.path

optional arguments:
  -h, --help            show this help message and exit
  --host HOST           Hostname of the configuration serverIf `--self-signed`, it's also the
                        hostname of the app server
  --port PORT           Port of the server
  --app-dir APP_DIR     Path the microservice application. Read only directory.
  --uuid UUID           Unique application UUID.
  --version             show program's version number and exit
  --debug               Debug mode without SGX
  --self-signed EXPIRATION_DATE
                        Generate a self-signed certificate for the app. Specify the expiration
                        date of the certificate as a timestamp since Epoch
  --no-ssl              Don't use HTTPS connection
  --certificate CERTIFICATE_PATH
                        Use the given certificate for the SSL connection. the private key will
                        be sent using the configuration server

Project details


Release history Release notifications | RSS feed

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

mse_lib_sgx-0.12.1-py3-none-any.whl (10.9 kB view details)

Uploaded Python 3

File details

Details for the file mse_lib_sgx-0.12.1-py3-none-any.whl.

File metadata

  • Download URL: mse_lib_sgx-0.12.1-py3-none-any.whl
  • Upload date:
  • Size: 10.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.8.16

File hashes

Hashes for mse_lib_sgx-0.12.1-py3-none-any.whl
Algorithm Hash digest
SHA256 7d1cbffb623fb41dfee6fcbaaee445457da380e7d320d29b1a7876ed77c0a489
MD5 0c4d6819d6c03522a71ae2c3af36e5bc
BLAKE2b-256 f677503ddc3f59972f5d4e1f154ca0941c5d6c3327499402e48d65df9fc4725f

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page