This of off topic, yet I want some guideline/help on integrating SGX demo ( for example sgxsdk/SampleCode/SampleEnclave) with PKCS#11 bases demo ( say crypto-api-toolkit/src/test)
Our current solution without PKCS#11 roughly does the following
1. SGX service running in machine-1
2. Client request for keys from machine-2
3. Client gets keys from the enclave running in m/c1
In the above scenario, how the PKCS#11 based approach will fit in?
what will be possible design ?
Thanks for any help
Please clarify your scenario.
The Crypto API Toolkit allows one to write any PKCS#11-compliant application and uses SGX enclaves in the background implementation without the developer having to worry about writing enclaves. So, write your PKCS#11 application as you normally would, and use the Crypto API Toolkit to build it.
Intel Customer Support
The current applications ( there are two applications) is designed in the following way
1. Sends REST request ( using JMeter) with <ClientID , Request_for_PUB_key> to SGX server
2. Receives <PUB key> in base64 format from SGX server
SGX server Application
1. The untrusted part of this application binds REST framework libulfius, and waits for request from client
2. On receiving REST request from Client, it does the following ( at the trusted part )
a) check if PUB key file for that client ID is present , if yes, then sends PUB key to client
b) For new/unseen client, it generates, saves and finally sends the PUB key to client; corresponding Private key is saved in encalave.
The SGX application is built using sgx_* apis ( like sgx_fopen_auto_key etc) , and openssl apis ( like EC_KEY_generate_key, BN_bn2bin etc). I am not very sure where the crypto-apis will be placed in the above design, any help will be appreciated.
I am bit confused who will be doing the above checking (like For new/unseen client do some specific task etc) if the above design is implemented using crypto-apis. My understanding is, if crypto-apis are used then there is no need to use SGX SDK apis or openssl apis, is this correct assumption?
TIA for any help
You are correct, you can use the PKCS#11 APIs without having to worry about the SGX or OpenSSL APIs. Use the PKCS#11 APIs for the key generation and management functions in your scenario and the CTK will use SGX under the hood. It is up to you how to use PKCS#11. We can help you with SGX-related questions, but PKCS#11 APIs and design is out of scope.
Intel Customer Support
This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.