Add Quorum Key Resharding Service

wip

wip

get to compile

Initial reshard provision and unit test

code clean up

fix n choose k

refactor n choose k

Finish tests for reshard

add test for boot reshard

Add generate reshard input

wip

wip

wip

wip

Get reshard-renencrypt working

Get post share working

lint

wip

Build get reshard output

Add new secrets for file key

get full thing working e2e

refactor wip

get qos core to compile

Get all of qos core working

refactor to not use quorumpubkey wrapper

wip

Get e2e tests working with new input

Add logic for checking that e2e share recombination works

finish integration test

lint stuff

Improve human verifiactions

clean up

Author: emostov

.gitignore

@@ -20,6 +20,7 @@ target/
 !src/integration/mock/boot-e2e/all-personal-dir/user2-dir/*
 !src/integration/mock/boot-e2e/all-personal-dir/user3-dir/*
 !src/integration/mock/boot-e2e/genesis-dir/*
+!src/integration/mock/new-share-set-secrets/*
 src/integration/mock/pivot-build-fingerprints.txt
 src/integration/pivot_ok2_works
 src/integration/pivot_ok_works

src/Cargo.lock

@@ -25,3 +25,4 @@ aws-nitro-enclaves-nsm-api = { version = "0.3", default-features = false }
 rand = "0.8"
 ureq = { version = "2.9", features = ["json"], default-features = false }
 serde = { version = "1", features = ["derive"] }
+serde_json = "1.0"

src/integration/Cargo.toml

@@ -0,0 +1 @@
+3

src/integration/mock/keys/new-share-set/quorum_threshold

@@ -0,0 +1 @@
+040ee9045f3718bd1345dccf88693c993626d08448fdeba8ecaf1b867f4d0572d439852ef460963a9e8fab08864a55994c0779216b44a165b4eaced98722ed3778041646e59014eaec046b2636d3943f446282363c26cf995320d5944b8b4d7af0aa588c208c13ded5c86c3e9a31af687c4027d4636173f405503e7b1baeeee7eaa5

src/integration/mock/keys/new-share-set/reshard-1.pub

@@ -0,0 +1 @@
+04c82672b2f8c4d520c5c7cda207b4a05f433e4db7f0daed9bbde6f54d42814af5aeabec191d2dda32ba4cdc6616aa3fda0a6711affa0d42efbe11144043028622044810d6d24626abfe6c31e884e674c870a2197c9e9cd80786b2fd3a087e2c38cad8376d9b7086901915d261ecb92bde5a757d27bbf1a20904120ff079b8a8ef71

src/integration/mock/keys/new-share-set/reshard-2.pub

@@ -0,0 +1 @@
+049872acc56bca90eea07e1e1185e3015be3b7295b4ba484299702489bf4858b1374928b335d3405a16221ec240e80817fbfd783c7052446a31bd1821a9a10ff9c0469361a228e22e7cad34774a50f7cd8f97e7d6542f3903bf9d14647302691ef9195ae2c08ec62dcd0e845bc75e94ef8b9fa45925199a2f7d94d00981d6d2e0d85

src/integration/mock/keys/new-share-set/reshard-3.pub

@@ -0,0 +1 @@
+0442993076a3b8345cb58b860477bce9db21bb6caceae8df298860410594ea08d4fc2ffec944fd7623a893b57037e0f20c44ff8eee6eff03110717efb9269181ed04bb495296212027597e2eb93ffbba07f0c41ae3018409b9ad2177e87b53a2729806f52ad6d0f6399ca3d37edddc81a687cd2a0a9f8aab914d76be2930ff8f5bba

src/integration/mock/keys/new-share-set/reshard-4.pub

@@ -0,0 +1 @@
+60dd1d44decfa12be68c49abdb47b02c7d03e63de8f6d61ac7d9c4a59e2bf381

src/integration/mock/new-share-set-secrets/reshard-1.secret

@@ -0,0 +1 @@
+1b28ba3a047709e4bac8f5911bd213dbeca7b7023a702ea5333837a80c2ed170

src/integration/mock/new-share-set-secrets/reshard-2.secret

@@ -0,0 +1 @@
+f37186894abb1f45ce0eb5b24b5184334d7d85278037d28af11423f50043d83b

src/integration/mock/new-share-set-secrets/reshard-3.secret

@@ -0,0 +1 @@
+ccb796f57e4a5f52f2ebd81af50a7c98d7576b5503b5dddc337e67b6217d1fa3

src/integration/mock/new-share-set-secrets/reshard-4.secret

@@ -0,0 +1 @@
+04c9434ba0a681ee7c21e17c7ce4f668360803686b198774c9362dac090f9995eeb68961319370969bd0d657167d9cfce13a7466ec47aba9845fbfc4fe9277866d04043daa777f57c1ebef21ff3eb71e00a681921da56186ac96b5d3b06b645c88c512fe8072d12971ce1f9592ef6bafd98b4982f8cf73cb6e80c8f6424294e54c71

src/integration/mock/reshard/user1/qkey1/quorum_key.pub

@@ -0,0 +1 @@
+04c9434ba0a681ee7c21e17c7ce4f668360803686b198774c9362dac090f9995eeb68961319370969bd0d657167d9cfce13a7466ec47aba9845fbfc4fe9277866d04043daa777f57c1ebef21ff3eb71e00a681921da56186ac96b5d3b06b645c88c512fe8072d12971ce1f9592ef6bafd98b4982f8cf73cb6e80c8f6424294e54c71

src/integration/mock/reshard/user2/qkey1/quorum_key.pub

@@ -0,0 +1 @@
+04c9434ba0a681ee7c21e17c7ce4f668360803686b198774c9362dac090f9995eeb68961319370969bd0d657167d9cfce13a7466ec47aba9845fbfc4fe9277866d04043daa777f57c1ebef21ff3eb71e00a681921da56186ac96b5d3b06b645c88c512fe8072d12971ce1f9592ef6bafd98b4982f8cf73cb6e80c8f6424294e54c71

src/integration/mock/reshard/user3/qkey1/quorum_key.pub

@@ -34,6 +34,8 @@ pub const LOCAL_HOST: &str = "127.0.0.1";
 pub const PCR3: &str = "78fce75db17cd4e0a3fb8dad3ad128ca5e77edbb2b2c7f75329dccd99aa5f6ef4fc1f1a452e315b9e98f9e312e6921e6";
 /// QOS dist directory.
 pub const QOS_DIST_DIR: &str = "../../dist";
+/// Mock pcr3 pre-image.
+pub const PCR3_PRE_IMAGE_PATH: &str = "./mock/namespaces/pcr3-preimage.txt";
 
 const MSG: &str = "msg";
 

src/integration/src/lib.rs

@@ -7,7 +7,8 @@ use std::{
 
 use borsh::de::BorshDeserialize;
 use integration::{
-	LOCAL_HOST, PIVOT_OK2_PATH, PIVOT_OK2_SUCCESS_FILE, QOS_DIST_DIR,
+	LOCAL_HOST, PCR3_PRE_IMAGE_PATH, PIVOT_OK2_PATH, PIVOT_OK2_SUCCESS_FILE,
+	QOS_DIST_DIR,
 };
 use qos_core::protocol::{
 	services::{
@@ -51,7 +52,6 @@ async fn standard_boot_e2e() {
 	let namespace = "quit-coding-to-vape";
 
 	let personal_dir = |user: &str| format!("{all_personal_dir}/{user}-dir");
-
 	let user1 = "user1";
 	let user2 = "user2";
 	let user3 = "user3";
@@ -81,7 +81,7 @@ async fn standard_boot_e2e() {
 			"--qos-release-dir",
 			QOS_DIST_DIR,
 			"--pcr3-preimage-path",
-			"./mock/namespaces/pcr3-preimage.txt",
+			PCR3_PRE_IMAGE_PATH,
 			"--manifest-path",
 			&cli_manifest_path,
 			"--pivot-args",
@@ -157,7 +157,7 @@ async fn standard_boot_e2e() {
 				"--manifest-approvals-dir",
 				&*boot_dir,
 				"--pcr3-preimage-path",
-				"./mock/namespaces/pcr3-preimage.txt",
+				PCR3_PRE_IMAGE_PATH,
 				"--pivot-hash-path",
 				PIVOT_HASH_PATH,
 				"--qos-release-dir",
@@ -306,7 +306,7 @@ async fn standard_boot_e2e() {
 			"--host-ip",
 			LOCAL_HOST,
 			"--pcr3-preimage-path",
-			"./mock/pcr3-preimage.txt",
+			PCR3_PRE_IMAGE_PATH,
 			"--unsafe-skip-attestation",
 		])
 		.spawn()
@@ -361,7 +361,7 @@ async fn standard_boot_e2e() {
 				"--manifest-envelope-path",
 				&manifest_envelope_path,
 				"--pcr3-preimage-path",
-				"./mock/namespaces/pcr3-preimage.txt",
+				PCR3_PRE_IMAGE_PATH,
 				"--manifest-set-dir",
 				"./mock/keys/manifest-set",
 				"--alias",
@@ -400,9 +400,9 @@ async fn standard_boot_e2e() {
 		stdin.write_all("yes\n".as_bytes()).expect("Failed to write to stdin");
 
 		assert_eq!(
-				&stdout.next().unwrap().unwrap(),
-				"Does this AWS IAM role belong to the intended organization: arn:aws:iam::123456789012:role/Webserver? (yes/no)"
-			);
+			&stdout.next().unwrap().unwrap(),
+			"Does this AWS IAM role belong to the intended organization: arn:aws:iam::123456789012:role/Webserver? (yes/no)"
+		);
 		stdin.write_all("yes\n".as_bytes()).expect("Failed to write to stdin");
 
 		assert_eq!(

src/integration/tests/boot.rs

@@ -6,7 +6,7 @@ use std::{
 };
 
 use borsh::de::BorshDeserialize;
-use integration::{LOCAL_HOST, QOS_DIST_DIR};
+use integration::{LOCAL_HOST, PCR3_PRE_IMAGE_PATH, QOS_DIST_DIR};
 use qos_core::protocol::services::genesis::GenesisOutput;
 use qos_crypto::{sha_512, shamir::shares_reconstruct};
 use qos_nsm::nitro::unsafe_attestation_doc_from_der;
@@ -153,7 +153,7 @@ async fn genesis_e2e() {
 			"--qos-release-dir",
 			QOS_DIST_DIR,
 			"--pcr3-preimage-path",
-			"./mock/pcr3-preimage.txt",
+			PCR3_PRE_IMAGE_PATH,
 			"--dr-key-path",
 			DR_KEY_PUBLIC_PATH,
 			"--unsafe-skip-attestation"
@@ -225,7 +225,7 @@ async fn genesis_e2e() {
 				"--qos-release-dir",
 				QOS_DIST_DIR,
 				"--pcr3-preimage-path",
-				"./mock/pcr3-preimage.txt",
+				PCR3_PRE_IMAGE_PATH,
 				"--unsafe-skip-attestation"
 			])
 			.spawn()

src/integration/tests/genesis.rs

@@ -1,6 +1,8 @@
 use std::{fs, process::Command};
 
-use integration::{LOCAL_HOST, PIVOT_LOOP_PATH, QOS_DIST_DIR};
+use integration::{
+	LOCAL_HOST, PCR3_PRE_IMAGE_PATH, PIVOT_LOOP_PATH, QOS_DIST_DIR,
+};
 use qos_crypto::sha_256;
 use qos_p256::{P256Pair, P256Public};
 use qos_test_primitives::{ChildWrapper, PathWrapper};
@@ -158,7 +160,7 @@ fn generate_manifest_envelope() {
 			"--restart-policy",
 			"always",
 			"--pcr3-preimage-path",
-			"./mock/namespaces/pcr3-preimage.txt",
+			PCR3_PRE_IMAGE_PATH,
 			"--pivot-hash-path",
 			PIVOT_HASH_PATH,
 			"--qos-release-dir",
@@ -196,7 +198,7 @@ fn generate_manifest_envelope() {
 				"--manifest-approvals-dir",
 				BOOT_DIR,
 				"--pcr3-preimage-path",
-				"./mock/namespaces/pcr3-preimage.txt",
+				PCR3_PRE_IMAGE_PATH,
 				"--pivot-hash-path",
 				PIVOT_HASH_PATH,
 				"--qos-release-dir",
@@ -293,7 +295,7 @@ fn boot_old_enclave(old_host_port: u16) -> (ChildWrapper, ChildWrapper) {
 			"--host-ip",
 			LOCAL_HOST,
 			"--pcr3-preimage-path",
-			"./mock/namespaces/pcr3-preimage.txt",
+			PCR3_PRE_IMAGE_PATH,
 			"--unsafe-skip-attestation",
 		])
 		.spawn()
@@ -343,7 +345,7 @@ fn boot_old_enclave(old_host_port: u16) -> (ChildWrapper, ChildWrapper) {
 				"--manifest-envelope-path",
 				MANIFEST_ENVELOPE_PATH,
 				"--pcr3-preimage-path",
-				"./mock/namespaces/pcr3-preimage.txt",
+				PCR3_PRE_IMAGE_PATH,
 				"--manifest-set-dir",
 				"./mock/keys/manifest-set",
 				"--alias",