Library for Cosmian MSE to bootstrap Flask application
Project description
MicroService Encryption Lib SGX
Overview
MSE lib SGX bootstraps the execution of an encrypted ASGI/WSGI Python web application for Gramine.
The library is responsible for:
- Configuring the SSL certificates with either:
  - RA-TLS, a self-signed certificate including the Intel SGX quote in an X.509 v3 extension
  - Custom, the private key and full keychain are provided by the application owner
  - No SSL, the secure channel may be managed elsewhere by an SSL proxy
- Decrypting Python modules encrypted with XSalsa20-Poly1305 AEAD
- Running the ASGI/WSGI Python web application with hypercorn
Technical details
The flow to run an encrypted Python web application is the following:
- A first self-signed HTTPS server using RA-TLS is launched, waiting to receive a JSON payload with:
  - UUID, a unique application identifier provided to mse-bootstrap as an argument
  - the decryption key of the code
  - optionally, the private key corresponding to the certificate provided to mse-bootstrap (for Custom certificate)
- If the UUID and decryption key are the expected ones, the configuration server is stopped, the code is decrypted and finally run as a new server
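The gate described above (accept the payload only when the UUID matches and the key material is plausible, and refuse a TLS private key outside the Custom certificate mode) can be modelled as a small validation step. This is an added illustration, not code from mse-lib-sgx; the JSON field names (uuid, code_secret_key, ssl_private_key) and the 32-byte key length of XSalsa20-Poly1305 are assumptions for this example, since the page does not document the payload schema.

```python
import hmac
import json
import uuid

# JSON field names below are assumptions; the page does not document the
# exact schema of the mse-bootstrap configuration payload.
KEY_LEN = 32  # XSalsa20-Poly1305 (NaCl SecretBox) uses a 256-bit key

class PayloadError(ValueError): """Rejected configuration payload."""

def validate_payload(raw: bytes, expected_uuid: str, ssl_mode: str) -> dict:
    """Gate the bootstrap on the payload the configuration server receives.
    ssl_mode mirrors the CLI flags: "self-signed", "no-ssl", "certificate".
    Raises PayloadError with one uniform message so a prober learns nothing."""
    try:
        payload = json.loads(raw)
    except ValueError as exc:
        raise PayloadError("rejected") from exc
    if not isinstance(payload, dict):
        raise PayloadError("rejected")
    # UUID: parse (rejects junk, normalises case), then compare in constant
    # time so timing does not reveal how many leading characters matched.
    try:
        given = str(uuid.UUID(str(payload.get("uuid", ""))))
        # Code key: hex, exactly 32 bytes. Whether it is the *right* key is
        # only known once an encrypted module's AEAD tag verifies (not here).
        key = bytes.fromhex(str(payload.get("code_secret_key", "")))
    except ValueError as exc:
        raise PayloadError("rejected") from exc
    if not hmac.compare_digest(given, str(uuid.UUID(expected_uuid))):
        raise PayloadError("rejected")
    if len(key) != KEY_LEN:
        raise PayloadError("rejected")
    # A TLS private key belongs only to --certificate mode; anywhere else it
    # signals a confused or malicious client and is refused.
    pem = payload.get("ssl_private_key")
    if ssl_mode == "certificate" and not (isinstance(pem, str) and "PRIVATE KEY" in pem):
        raise PayloadError("rejected")
    if ssl_mode != "certificate" and pem is not None:
        raise PayloadError("rejected")
    return {"uuid": given, "code_secret_key": key, "ssl_private_key": pem}

def accepts(raw: bytes, expected_uuid: str, ssl_mode: str) -> bool:
    """Boolean wrapper around validate_payload, for callers and tests."""
    try:
        validate_payload(raw, expected_uuid, ssl_mode)
        return True
    except PayloadError:
        return False
```

Whether the supplied key actually decrypts the code is only established when the AEAD tag of an encrypted module verifies, so a wrong key of the right length passes this gate and fails at decryption time.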
Installation
$ pip install mse-lib-sgx
Usage
$ mse-bootstrap --help
usage: mse-bootstrap [-h] --host HOST --port PORT --app-dir APP_DIR --uuid UUID [--version]
[--debug]
(--self-signed EXPIRATION_DATE | --no-ssl | --certificate CERTIFICATE_PATH)
application
Bootstrap ASGI/WSGI Python web application for Gramine
positional arguments:
application Application to dispatch to as path.to.module:instance.path
optional arguments:
-h, --help show this help message and exit
--host HOST Hostname of the configuration server. If `--self-signed`, it's also the
hostname of the app server
--port PORT Port of the server
--app-dir APP_DIR Path to the microservice application. Read-only directory.
--uuid UUID Unique application UUID.
--version show program's version number and exit
--debug Debug mode without SGX
--self-signed EXPIRATION_DATE
Generate a self-signed certificate for the app. Specify the expiration
date of the certificate as a timestamp since Epoch
--no-ssl Don't use HTTPS connection
--certificate CERTIFICATE_PATH
Use the given certificate for the SSL connection. The private key will
be sent using the configuration server
Download files
Source Distribution: mse_lib_sgx-1.1a1.tar.gz (11.6 kB)
Built Distribution: mse_lib_sgx-1.1a1-py3-none-any.whl