Package com.r3.conclave.common

public class EnclaveConstraint

This utility class provides a template against which remote attestations may be matched. It defines a small domain-specific language intended for use in configuration files, command-line flags, etc.

A constraint is intended to match a single logical enclave. A logical enclave may be made up of multiple instances on different machines, and of multiple versions of the enclave software. Constraints can be as tight or as loose as you like. Being specific about what you accept is better for security; leaving the constraint vague is more flexible and convenient to operate. The correct tradeoff depends on your app and is up to you.

You don't have to use this class: you can check the components of an EnclaveInstanceInfo yourself. However, these checks are normally just boilerplate, so it is convenient to use an EnclaveConstraint.

Every criterion must be satisfied for the constraint to be satisfied. Hashes and public keys are combined such that satisfying any one of them is sufficient:

(hash OR hash OR key) AND minRevocationLevel AND productID AND minSecurityLevel
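A worked example of the matching rule above, written against the client API. This is an added illustration, not code from this page or from the Conclave project. The `C:`, `S:`, `PROD:`, `REVOKE:` and `SEC:` keys of the DSL and the `EnclaveConstraint.parse`, `EnclaveConstraint.check` and `EnclaveInstanceInfo.deserialize` calls are assumed from the Conclave client API as I recall it; check them against the version you use. The hash values are constructed placeholders of the right length, not real measurements.

```java
import com.r3.conclave.common.EnclaveConstraint;
import com.r3.conclave.common.EnclaveInstanceInfo;
import com.r3.conclave.common.InvalidEnclaveException;

public final class AttestationGate {
    // Constructed 64-hex-digit SHA-256 placeholders; not real enclave or signer hashes.
    private static final String CODE_V1   = "A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0";
    private static final String CODE_V2   = "C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2C2";
    private static final String SIGNER    = "B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1";

    // Tightest: exactly one code measurement, product ID 1, fully patched platform.
    // A rebuilt enclave, even one carrying a security fix, fails until this string is updated.
    static final EnclaveConstraint PINNED = EnclaveConstraint.parse(
            "C:" + CODE_V1 + " PROD:1 SEC:SECURE");

    // Transition window: either of two code hashes is accepted (the OR in "hash OR hash OR key"),
    // so clients keep working while hosts roll from v1 to v2. Everything else is still ANDed.
    static final EnclaveConstraint ROLLING = EnclaveConstraint.parse(
            "C:" + CODE_V1 + " C:" + CODE_V2 + " PROD:1 SEC:SECURE");

    // Loosest: any enclave signed by our release key with product ID 1, revocation level >= 2,
    // on a platform that is at most STALE (out of date on platform updates) rather than INSECURE.
    // REVOKE:2 blocks rollback to older builds; this constraint trusts whoever holds the signing key.
    static final EnclaveConstraint BY_SIGNER = EnclaveConstraint.parse(
            "S:" + SIGNER + " PROD:1 REVOKE:2 SEC:STALE");

    /** Returns true iff the attested instance satisfies the constraint; never throws. */
    static boolean accepts(EnclaveConstraint constraint, EnclaveInstanceInfo info) {
        try {
            constraint.check(info);   // throws InvalidEnclaveException on any unmet criterion
            return true;
        } catch (InvalidEnclaveException e) {
            System.err.println("Rejected enclave: " + e.getMessage());
            return false;
        }
    }

    /**
     * Gate for bytes fetched from the host (HTTP response, directory lookup, shared file...).
     * The constraint decides whether this particular enclave is one we are willing to talk to.
     */
    static boolean trustRemote(byte[] serializedInstanceInfo, EnclaveConstraint policy) {
        EnclaveInstanceInfo info = EnclaveInstanceInfo.deserialize(serializedInstanceInfo);
        return accepts(policy, info);
    }
}
```

Which of `PINNED`, `ROLLING` or `BY_SIGNER` to pass as `policy` is the tradeoff the text describes: the pinned form gives the strongest guarantee about which code sees your data but must be redeployed with every enclave release, while the signer form survives upgrades but extends trust to every future build signed with that key at or above the stated revocation level. The `SEC:` key is the minSecurityLevel and is judged from the EnclaveSecurityInfo described below.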

public class EnclaveException extends RuntimeException

Exception that's thrown by the client if the enclave threw an exception.

public class EnclaveInfo

An EnclaveInfo consists of the hash of an enclave, as computed by the platform-specific measurement algorithms, the public key that signed the enclave, a version number chosen by the enclave author, and the mode the enclave runs in.

You would not normally create your own EnclaveInfo. Instead you get one from other platform classes. However, you can create one if you wish to use it as a convenient holder of data.

public interface EnclaveInstanceInfo

Contains serializable information about an instantiated enclave running on a specific machine, with the measurement and instance signing key verified by remote attestation. The remote attestation infrastructure backing all trusted computing schemes is what gives you confidence that the data in this object is correct and can be trusted, as long as securityInfo and enclaveInfo match what you expect.

An EnclaveInstanceInfo should be fetched from the host via some app-specific mechanism, such as an HTTP request, a directory service lookup, a shared file, etc.

public enum EnclaveMode extends Enum<EnclaveMode>

The mode that an enclave is running in: whether it is safe for production, intended for debugging, or uses simulated hardware.

public class EnclaveSecurityInfo

Information about how secure an enclave is from the perspective of the platform (no value judgements about code quality are made). As time goes by and people find attacks against the enclave platform, the manufacturer may issue updates to re-secure it. This class exposes to what extent the host platform is out of date and allows the client to make the privacy/security/availability tradeoffs suitable for its use case.

public class InvalidEnclaveException extends Exception

Exception that is thrown by the EnclaveConstraint if an enclave violates its constraints.

public class MockConfiguration

A MockConfiguration is used to configure the environment the enclave runs in when using mock mode.

When you build an enclave in release, debug or simulation mode, some parameters of the enclave are defined by the system environment or the hardware, or are otherwise fixed at build time in the enclave build configuration files. For testing purposes, however, it is convenient to be able to change these parameters programmatically when writing test cases, for instance tests that check for correct behaviour during version increments and rollbacks. This class can be used to configure these parameters. Members are nullable and set to null by default. Setting a member to a non-null value overrides the value specified in the build.gradle for your enclave target. In modes other than mock mode, the mock configuration is ignored.

public class OpaqueBytes

A simple class that wraps a byte array and makes the equals/hashCode/toString methods work as you actually expect. In an ideal JVM this would be a value type and be completely overhead free.

public class SecureHash extends OpaqueBytes

Container for a cryptographically secure hash value. Currently only SHA-256 and SHA-512 are supported, represented by SHA256Hash and SHA512Hash respectively.

public class SGXEnclaveSecurityInfo extends EnclaveSecurityInfo

Provides lower level SGX-specific security info, useful only in specific scenarios.

public class SHA256Hash extends SecureHash

SHA-256 is part of the SHA-2 hash function family. The generated hash has a fixed size of 256 bits (32 bytes).

public class SHA512Hash extends SecureHash

SHA-512 is part of the SHA-2 hash function family. The generated hash has a fixed size of 512 bits (64 bytes).