Library for Cosmian MSE to bootstrap Flask application
Project description
MicroService Encryption Lib SGX
Overview
MSE lib SGX bootstraps the execution of an encrypted ASGI/WSGI Python web application for Gramine.
The library is responsible for:
- Configuring SSL certificates with either:
- RA-TLS, a self-signed certificate containing SGX quote to be verified with remote attestation
- Custom, the private key and full keychain is provided by the application owner
- No SSL, the secure channel may be managed elsewhere by an SSL proxy
- Decrypting Python modules encrypted with XSala20-Poly1305 AEAD transparently thanks to an import hook
- Running the ASGI/WSGI Python web application with hypercorn
Technical details
The flow to deploy a Python web application is the following:
- A first self-signed HTTPS server using RA-TLS is launched waiting to receive a JSON payload with:
- UUID, a unique application identifier provided to
mse-bootstrap
as an argument - the decryption key of the code
- Optionally the private key corresponding to the certificate provided to
mse-bootstrap
(for custom certificate)
- UUID, a unique application identifier provided to
- If the UUID and decryption key are the expected one, the configuration server is stopped, the code is decrypted and finally run as a new server
Installation
$ pip install .
Usage
$ mse-bootstrap --help
usage: mse-bootstrap [-h] --host HOST --port PORT --app-dir APP_DIR --uuid UUID [--version]
[--debug]
(--self-signed EXPIRATION_DATE | --no-ssl | --certificate CERTIFICATE_PATH)
application
Bootstrap ASGI/WSGI Python web application for Gramine
positional arguments:
application Application to dispatch to as path.to.module:instance.path
optional arguments:
-h, --help show this help message and exit
--host HOST Hostname of the configuration serverIf `--self-signed`, it's also the
hostname of the app server
--port PORT Port of the server
--app-dir APP_DIR Path the microservice application. Read only directory.
--uuid UUID Unique application UUID.
--version show program's version number and exit
--debug Debug mode without SGX
--self-signed EXPIRATION_DATE
Generate a self-signed certificate for the app. Specify the expiration
date of the certificate as a timestamp since Epoch
--no-ssl Don't use HTTPS connection
--certificate CERTIFICATE_PATH
Use the given certificate for the SSL connection. the private key will
be sent using the configuration server
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
No source distribution files available for this release.See tutorial on generating distribution archives.
Built Distribution
File details
Details for the file mse_lib_sgx-0.14a1-py3-none-any.whl
.
File metadata
- Download URL: mse_lib_sgx-0.14a1-py3-none-any.whl
- Upload date:
- Size: 11.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.8.16
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 82d7defefd31acc84961010fad157e784cb7af692c4969fb4cde4f1a622b984b |
|
MD5 | e14653f486e645bfe97137ea2ac56945 |
|
BLAKE2b-256 | 4514dbf13b405b9508db36c8af8e87f1a924b78228cff81f71fde1931dd25e8a |