Metadata-Version: 2.1
Name: mse-lib-sgx
Version: 2.3.0
Summary: Library to bootstrap WSGI/ASGI application for Gramine
Author-email: Cosmian Tech <tech@cosmian.com>
License: MIT
Classifier: Development Status :: 6 - Mature
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: POSIX :: Linux
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: Implementation :: CPython
Requires-Python: >=3.10
Description-Content-Type: text/markdown
Requires-Dist: cryptography<43.0.0,>=42.0.5
Requires-Dist: intel-sgx-ra==2.2.1
Requires-Dist: hypercorn[uvloop]<0.17.0,>=0.16.0
Requires-Dist: h2<4.2.0,>=4.1.0
Requires-Dist: mse-lib-crypto<2.0,>=1.4
Provides-Extra: dev
Requires-Dist: black<25.0.0,>=24.3.0; extra == "dev"
Requires-Dist: isort<6.0.0,>=5.13.2; extra == "dev"
Requires-Dist: pylint<4.0.0,>=3.1.0; extra == "dev"
Requires-Dist: pycodestyle<3.0.0,>=2.11.1; extra == "dev"
Requires-Dist: pydocstyle<7.0.0,>=6.3.0; extra == "dev"
Requires-Dist: mypy<2.0.0,>=1.9.0; extra == "dev"
Requires-Dist: pytest<9.0.0,>=8.1.1; extra == "dev"
Provides-Extra: deploy
Requires-Dist: build<2.0.0,>=1.1.1; extra == "deploy"
Requires-Dist: wheel<0.44.0,>=0.43.0; extra == "deploy"

# MicroService Encryption Lib SGX

## Overview

MSE lib SGX bootstraps the execution of an encrypted ASGI/WSGI Python web application for [Gramine](https://gramine.readthedocs.io/).

The library is responsible for:

- Configuring the SSL certificates with either:
  - *RA-TLS*, a self-signed certificate including the Intel SGX quote in an X.509 v3 extension
  - *Custom*, the private key and full certificate chain are provided by the application owner
  - *No SSL*, the secure channel may be managed elsewhere by an SSL proxy
- Decrypting Python modules encrypted with XSalsa20-Poly1305 authenticated encryption (AE)
- Running the ASGI/WSGI Python web application with [hypercorn](https://pgjones.gitlab.io/hypercorn/)

## Technical details

The flow to run an encrypted Python web application is the following:

1. A first HTTPS server, using a self-signed RA-TLS certificate, is launched and waits to receive a JSON payload with:
   - the UUID, a unique application identifier provided to `mse-bootstrap` as an argument
   - the decryption key of the code
   - optionally, the private key corresponding to the certificate provided to `mse-bootstrap` (for a *Custom* certificate)
2. If the UUID and decryption key are the expected ones, the configuration server is stopped, the code is decrypted and finally run as a new server
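The configuration exchange of the two steps above, modelled end to end as an added example that is not the library's own code: a localhost configuration server that accepts exactly one valid payload (constant-time UUID check, 32-byte key check, `--timeout`-style deadline) and the owner-side client that posts to it. The JSON field names `uuid`, `code_secret_key` (base64) and `ssl_private_key`, and all function names, are assumptions for this example.

```python
# Added example modelling the configuration step of mse-bootstrap (not the project's own code); the
# JSON field names "uuid", "code_secret_key" (base64) and "ssl_private_key" are assumed.
import base64, hmac, http.client, json, threading, time, uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

def parse_configuration(body, expected_id):
    try:
        payload = json.loads(body)
        got_id = uuid.UUID(str(payload["uuid"]))
        key = base64.b64decode(payload["code_secret_key"], validate=True)
    except (ValueError, KeyError, TypeError):
        return None  # malformed JSON, UUID or base64
    # Constant-time comparison: '==' would leak how much of the UUID prefix matched.
    if not hmac.compare_digest(got_id.bytes, expected_id.bytes) or len(key) != 32:
        return None  # wrong application, or not a 32-byte XSalsa20-Poly1305 key
    return {"code_secret_key": key, "ssl_private_key": payload.get("ssl_private_key")}

class ConfigHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        secrets = parse_configuration(body, self.server.expected_id)
        if secrets is None:  # reject and keep waiting for the real owner
            return self.send_error(401)
        self.server.secrets = secrets  # accepted: the serve loop stops after this request
        self.send_response(200)
        self.end_headers()

def start_config_server(expected_id, timeout):
    srv = HTTPServer(("127.0.0.1", 0), ConfigHandler)  # random localhost port
    srv.expected_id, srv.secrets, srv.timeout = expected_id, None, 0.2
    deadline = time.monotonic() + timeout
    def loop():
        while srv.secrets is None and time.monotonic() < deadline:
            srv.handle_request()  # one request, or returns after 0.2 s with no client
        srv.server_close()  # configured or timed out: stop the configuration server
    threading.Thread(target=loop, daemon=True).start()
    return srv

def post_configuration(srv, payload):  # application-owner side, returns the HTTP status
    conn = http.client.HTTPConnection(*srv.server_address)
    conn.request("POST", "/", json.dumps(payload).encode())
    return conn.getresponse().status

def demo():
    app_id, key = uuid.uuid4(), base64.b64encode(b"\x01" * 32).decode()  # constructed values
    srv = start_config_server(app_id, timeout=10)
    wrong_id = post_configuration(srv, {"uuid": str(uuid.uuid4()), "code_secret_key": key})
    short_key = post_configuration(srv, {"uuid": str(app_id), "code_secret_key": "c2hvcnQ="})
    accepted = post_configuration(srv, {"uuid": str(app_id), "code_secret_key": key})
    return wrong_id, short_key, accepted, srv.secrets["code_secret_key"]
```

Calling `demo()` returns `(401, 401, 200, b"\x01" * 32)`: the two bad payloads are refused and the server keeps waiting, the good one is accepted and the server shuts down.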

## Installation

```console
$ pip install mse-lib-sgx
```

## Usage

```console
$ mse-bootstrap --help
usage: mse-bootstrap [-h] [--host HOST] [--port PORT] [--subject SUBJECT] [--san SAN] --app-dir APP_DIR --id ID [--plaincode]
                     [--timeout TIMEOUT] [--version] [--debug]
                     (--ratls EXPIRATION_DATE | --no-ssl | --certificate CERTIFICATE_PATH)
                     application

Bootstrap ASGI/WSGI Python web application for Gramine

positional arguments:
  application           ASGI application path (as module:app)

optional arguments:
  -h, --help            show this help message and exit
  --host HOST           hostname of the server
  --port PORT           port of the server
  --subject SUBJECT     Subject as RFC 4514 string for the RA-TLS certificate
  --san SAN             Subject Alternative Name in the RA-TLS certificate
  --app-dir APP_DIR     path of the python web application
  --id ID               identifier of the application as UUID in RFC 4122
  --plaincode           unencrypted python web application
  --timeout TIMEOUT     seconds before closing the configuration server
  --version             show program's version number and exit
  --debug               debug mode with more logging
  --ratls EXPIRATION_DATE
                        generate a self-signed certificate for RA-TLS with a specific expiration date (Unix time)
  --no-ssl              use HTTP without SSL
  --certificate CERTIFICATE_PATH
                        custom certificate used for the SSL connection, private key must be sent through the configuration server
```
