Library for Cosmian MSE to bootstrap Flask application
Project description
MicroService Encryption Lib SGX
Overview
MSE lib SGX bootstraps the execution of an encrypted ASGI/WSGI Python web application for Gramine.
The library is responsible for:
- Configuring the SSL certificates with either:
  - RA-TLS, a self-signed certificate including the Intel SGX quote in an X.509 v3 extension
  - Custom, the private key and full keychain are provided by the application owner
  - No SSL, the secure channel may be managed elsewhere by an SSL proxy
- Decrypting Python modules encrypted with XSalsa20-Poly1305 AEAD
- Running the ASGI/WSGI Python web application with hypercorn
Technical details
The flow to run an encrypted Python web application is the following:
- A first self-signed HTTPS server using RA-TLS is launched, waiting to receive a JSON payload with:
  - the UUID, a unique application identifier provided to `mse-bootstrap` as an argument
  - the decryption key of the code
  - optionally, the private key corresponding to the certificate provided to `mse-bootstrap` (for a Custom certificate)
- If the UUID and decryption key are the expected ones, the configuration server is stopped, the code is decrypted and finally run as a new server
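The configuration step described above, as an added example that is not part of mse-lib-sgx: a small model of the first server that waits for the JSON payload, checks the UUID in constant time, requires the certificate's private key only in Custom mode, verifies that the supplied key actually opens the encrypted modules before stopping, and refuses any further payload once it has stopped. The JSON field names (`uuid`, `code_secret_key`, `ssl_private_key`) and the class name are assumptions, not the library's wire format. The real library decrypts modules with XSalsa20-Poly1305; to keep this example standard-library-only, that AEAD is replaced by a clearly labelled stand-in built from HMAC-SHA256 (CTR-style keystream, encrypt-then-MAC), which demonstrates the same accept/reject behaviour but is not a drop-in for the real cipher.

```python
"""Added example (not mse-lib-sgx code): model of the mse-bootstrap
configuration server.  Field names and the AEAD stand-in are assumptions."""
import hashlib
import hmac
import json
import secrets

KEY_LEN = 32     # XSalsa20-Poly1305 also uses a 32-byte key ...
NONCE_LEN = 24   # ... and a 24-byte nonce
TAG_LEN = 32     # HMAC-SHA256 tag of the stand-in AEAD


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the keystream key from the MAC key.
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream: HMAC-SHA256(enc_key, nonce || counter) blocks.
    enc_key = _subkey(key, b"enc")
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the XSalsa20-Poly1305 seal: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_box(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ConfigurationServer:
    """Models the first RA-TLS server: accepts exactly one valid payload, then stops."""

    def __init__(self, app_uuid: str, encrypted_modules: dict, ssl_mode: str):
        self.app_uuid = app_uuid                  # value passed as --uuid
        self.encrypted_modules = encrypted_modules  # {filename: sealed bytes}
        self.ssl_mode = ssl_mode                  # "self-signed" | "custom" | "no-ssl"
        self.stopped = False

    def receive(self, payload_json: str):
        """Return (status, decrypted modules or None, SSL private key or None)."""
        if self.stopped:
            return ("rejected: configuration server already stopped", None, None)
        try:
            payload = json.loads(payload_json)
            uuid = payload["uuid"]
            key = bytes.fromhex(payload["code_secret_key"])
        except (ValueError, KeyError, TypeError):
            return ("rejected: malformed payload", None, None)
        # Constant-time comparison so a wrong UUID leaks no timing information.
        if not isinstance(uuid, str) or not hmac.compare_digest(uuid.encode(), self.app_uuid.encode()):
            return ("rejected: unknown application UUID", None, None)
        if len(key) != KEY_LEN:
            return ("rejected: bad key length", None, None)
        private_key = payload.get("ssl_private_key")
        if self.ssl_mode == "custom" and not private_key:
            return ("rejected: custom certificate requires its private key", None, None)
        # Only a key that authenticates every module counts as "the expected one".
        decrypted = {}
        try:
            for name, blob in self.encrypted_modules.items():
                decrypted[name] = open_box(key, blob).decode()
        except ValueError:
            return ("rejected: decryption key does not open the application code", None, None)
        self.stopped = True
        return ("accepted: configuration server stopped, launching application", decrypted, private_key)


def demo():
    """Walk the flow with constructed sample data: wrong key, right key, replay."""
    key = secrets.token_bytes(KEY_LEN)
    app_uuid = "00000000-0000-4000-8000-000000000001"  # constructed sample UUID
    modules = {"app.py": seal(key, b"def app(environ, start_response):\n    ...\n")}
    server = ConfigurationServer(app_uuid, modules, ssl_mode="self-signed")
    wrong = server.receive(json.dumps({"uuid": app_uuid, "code_secret_key": secrets.token_hex(KEY_LEN)}))
    right = server.receive(json.dumps({"uuid": app_uuid, "code_secret_key": key.hex()}))
    again = server.receive(json.dumps({"uuid": app_uuid, "code_secret_key": key.hex()}))
    return wrong[0], right[0], right[1], again[0]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The ordering of checks mirrors the flow on this page: nothing is decrypted and the server is not stopped until both the UUID and the key have been validated, and a wrong key is detected by the AEAD tag rather than by producing garbage code.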
Installation
```sh
$ pip install mse-lib-sgx
```
Usage
```sh
$ mse-bootstrap --help
usage: mse-bootstrap [-h] --host HOST --port PORT --app-dir APP_DIR --uuid UUID
                     [--version] [--debug]
                     (--self-signed EXPIRATION_DATE | --no-ssl | --certificate CERTIFICATE_PATH)
                     application

Bootstrap ASGI/WSGI Python web application for Gramine

positional arguments:
  application           ASGI application path (as module:app)

optional arguments:
  -h, --help            show this help message and exit
  --host HOST           hostname of the configuration server, also the
                        hostname of the app server if `--self-signed`
  --port PORT           port of the server
  --app-dir APP_DIR     path of the python web application
  --uuid UUID           unique application UUID
  --version             show program's version number and exit
  --debug               debug mode with more logging
  --self-signed EXPIRATION_DATE
                        generate a self-signed certificate for the web app
                        with a specific expiration date (Unix time)
  --no-ssl              use HTTP without SSL
  --certificate CERTIFICATE_PATH
                        custom certificate used for the SSL connection,
                        private key must be sent through the configuration
                        server
```
Project details
Download files
Source Distribution: mse_lib_sgx-2.1.tar.gz (13.9 kB)
Built Distribution: mse_lib_sgx-2.1-py3-none-any.whl (14.2 kB)
File details
Details for the file mse_lib_sgx-2.1.tar.gz.
File metadata
- Download URL: mse_lib_sgx-2.1.tar.gz
- Upload date:
- Size: 13.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.11.4
File hashes

Algorithm | Hash digest
---|---
SHA256 | 2ef6c08db5c82ff26865cad4f225ff810e1aee3ca35d98b36994ae9e511b7a41
MD5 | 9a4ab2b8c26ad0dcd7f4e385031c3323
BLAKE2b-256 | 2efd01ff9eb409ce8f1124a24d5e739803c12b0cd26da59c5c8df10e535cbcf8
File details
Details for the file mse_lib_sgx-2.1-py3-none-any.whl.
File metadata
- Download URL: mse_lib_sgx-2.1-py3-none-any.whl
- Upload date:
- Size: 14.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.11.4
File hashes

Algorithm | Hash digest
---|---
SHA256 | 85fe89f14aa69ce8575a5668bed7c15dad8a6129632bb5537287da0a082d8359
MD5 | bbec2ebfabe4dab97f2d42b5e2071f52
BLAKE2b-256 | 2201d4649b85f979a9f158b61c0aa8b85f9436e30013efbc016a48c1fd0abab9