Skip to content
This repository has been archived by the owner on Sep 23, 2024. It is now read-only.

This is a wrapper service written on top of EPID SDK to perform EPID signature verification over REST end-points. This service is used by both FDO as well as SDO components.

License

Notifications You must be signed in to change notification settings

fido-device-onboard/epid-verification-service

Repository files navigation

Table of Contents

  1. About
  2. System Requirements
  3. Build EPID Verification service Jar File
  4. Generate keystores
  5. Run EPID Verification service

About

This document can be used as a quick guide to build and run the FIDO Device Onboard (FDO) EPID Verification service. FDO EPID Verification service is a software service that assists FDO Rendezvous service and FDO Owner service to perform device signature verification for devices using EPID based device attestation.

System Requirements

  • Ubuntu (22.04, 20.04) / RHEL 8.4 / Debian 11.4. +
  • Maven.
  • Java 11.
  • Curl.
  • GCC 4.9.
  • Cmake.
  • Make.
  • Swig.
  • Unzip.
  • Docker Engine 20.10.X / Podman Engine. (Optional)
  • Docker-compose 1.21.2 / Podman-compose 0.1.5. (Optional)

+Supported Host operating Systems.

NOTE: Use the following commands to enable EPID Verification Service support on RHEL.

bash ./enable_rhel_support.sh
grep -qxF 'export PODMAN_USERNS=keep-id' ~/.bashrc || echo $'\nexport PODMAN_USERNS=keep-id' >> ~/.bashrc
grep -qxF 'export BUILDAH_FORMAT=docker' ~/.bashrc || echo $'\nexport BUILDAH_FORMAT=docker' >> ~/.bashrc
source ~/.bashrc

Source Layout

For the instructions in this document, refers to the path of the EPID Verification Service source folder epid-verification-service.

EPID Verification Service source code is organized into the following sub-folders.

  • Jenkins : It contains files for building service and running smoke test on the repo.

  • Native : It contains JNI implementation for utilizing epid-sdk for performing EPID signature verification.

  • certs : It contains sample key, certificate and keystore for running the service.

  • src : It contains the springboot application for EPID Verification service.

Build EPID Verification Service Jar File

Setup JAVA HOME

export JAVA_HOME=<path-to-java-11-jdk>

Pre-requisites for Building Dependencies

The external dependencies are built in <epid-verification-service>/Native/src/service/dependencies folder. This folder needs to be created, if it doesn't exist.

Build EPID SDK

EPID Verification service uses EPID SDK for performing signature verification of EPID based devices. Switch to <epid-verification-service>/Native/src/service/dependencies and run following commands to build EPID SDK.

NOTE: The latest version of EPID SDK compatible with EPID Verification service is v7.0.1.

$ git clone -b v7.0.1 https://github.com/Intel-EPID-SDK/epid-sdk
$ cd epid-sdk
$ chmod +x configure
$ ./configure
$ make all
$ make check
$ make install

Build Google Test

EPID Verification service uses Google Test framework for performing sanity test of EPID JNI framework. Switch to \<epid-verification-service\>/Native/src/service/dependencies and run following commands to build Google Test framework.

NOTE: The latest version of Google Test framework compatible with epid-verification-service is release-1.7.0.

$ git clone -b release-1.7.0 https://github.com/google/googletest
$ cd googletest/make
$ make

Build EPID Verification Service

To build EPID verification service, execute the following command.

$ mvn install

NOTE Maven build triggers the build script for JNI Native library.

To build only the JNI Native library, execute the following command.

$ cd <epid-verification-service>/Native
$ ./build.sh

To clean files generated by previous build, execute the following command.

$ mvn clean

To clean the files generated in previous build in the Native JNI library, execute the following command.

$ cd <epid-verification-service>/Native
$ ./build.sh --clean

To generate unit test metrics, execute the following command.

$ mvn clean verify

The code coverage report is stored in the directory ./target/site/jacoco/test/html

Generate Keystores

Keystore is used to store SSL certificates in the Java* programming language.

The example of keystore can be found in the directory 'certs'

keystore - "verification-service-keystore.p12"

Default passwords for keystore: ver!f!c@t!0n

Visit page for instructions on how to generate keystore and truststore.

Important:

  • The keystore provided in this repository is for demonstration purpose only. This must be changed while performing production deployment.

Run EPID Verification Service

EPID Verification Service Settings

JVM options can be set to configure EPID Verification Service:

Java Option Description
Hosts
server.port EPID Verification service host port (default: 1180).
Keystores You can use default keystore or you can generate your own, please review section keystores
server.ssl.key-store Keystore file (default: verification-service-keystore.p12)
server.ssl.key-store-password Keystore password (default: ver!f!c@t!0n)
Miscellaneous
crypto-material.path Path to EPID Cryptomaterials
java.library.path Location of JNI .so files
(default: ./Native/build/epid_verifier:./Native/build/epid_verifier_wrap
spring.profiles.active Spring profile for EPID Verification service (values: production, development)

Proxy Settings

  • To use external Verification Service from behind proxy, set the following JVM flags, more info here:
https.proxyPort
https.proxyHost
http.proxyPort
http.proxyHost

Run EPID Verification Service

To run the EPID Verification Service, you can use epidVerificationService.sh.

$ bash epidVerificationService.sh

To check whether the EPID Verification Service is working properly run the following command:

$ curl --cacert ./certs/ca.cert.pem https://localhost:1180/health

Expected result:

{
	"version": "1.1.9"
}

About

This is a wrapper service written on top of EPID SDK to perform EPID signature verification over REST end-points. This service is used by both FDO as well as SDO components.

Topics

Resources

License

Security policy

Stars

Watchers

Forks