tls_client_conf module

class tls_client_conf.CLI(url: str = 'https://127.0.0.1:443', session_resumption: bool = False, reconnect: bool = True, auto_start_cs: bool = False, freshness: str = 'sha256', ephemeral_method='cs_generated', debug: bool = False, test_vector_mode=None, test_vector_file=None, connectivity: str = 'lib_cs', host: str = '127.0.0.1', port: int = 9400, sig_scheme: str = 'ed25519', supported_ecdhe_groups: str = ['x25519'], key: str = None, cert: str = None)

Bases: CLI

__init__(url: str = 'https://127.0.0.1:443', session_resumption: bool = False, reconnect: bool = True, auto_start_cs: bool = False, freshness: str = 'sha256', ephemeral_method='cs_generated', debug: bool = False, test_vector_mode=None, test_vector_file=None, connectivity: str = 'lib_cs', host: str = '127.0.0.1', port: int = 9400, sig_scheme: str = 'ed25519', supported_ecdhe_groups: str = ['x25519'], key: str = None, cert: str = None)

Generates a configuration from the arguments provided by the end user.

This is an alternative to providing a configuration file. The intent is to make the TLS client usable from the command line while remaining compatible with what openssl provides.

Compatibility with the s_client command line is not a goal, but its options are reused where possible.

Note that the configuration template DOES NOT consider variables related to the environment or to the behavior of the TLS client. Such parameters ARE NOT part of the configuration parameters needed to instantiate the TLS client.

This class nevertheless defines a parser that accepts such environment and behavioral parameters. This is a convenience for a more generic CLI that implements the behavior and environment requested by the end user.

get_cs()
get_destination_and_sent_data()
get_lurk_client()
get_parser(env: bool = False, conf_dir: str = './', parser=None)

Returns a parser to start the CS.

The CS can be started as a regular library, in which case only library-related parameters are provided. The CS MAY also require some OS-specific configuration to start the service. These parameters are not handled by the CS library itself; they define how the library is started.

Parameters:
  • env (bool) – When False, only library parameters are provided. When True, OS-specific environment configuration parameters are included as well.

  • conf_dir (str) – The path to the CS directory. It is expected to contain the CS enclave as well as parameters such as the keys and certificate.
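The two-tier parser described above, as an added example that is not the tls_client_conf module's own get_parser(): library parameters are always present, OS/environment parameters are only added when env is True, and an existing parser may be extended instead of replaced (the parser argument). Every option name, choice list and default below is an assumption made for the illustration, including the --sgx flag.

```python
# Added example; not the tls_client_conf module's own get_parser().
# Option names, choices and defaults are assumptions for illustration.
import argparse
from pathlib import Path
from typing import Dict, Optional, Tuple


def port_number(value: str) -> int:
    """argparse type: reject ports outside 1..65535 before they reach the CS."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise argparse.ArgumentTypeError(f'port out of range: {port}')
    return port


def build_cs_parser(env: bool = False, conf_dir: str = './',
                    parser: Optional[argparse.ArgumentParser] = None) -> argparse.ArgumentParser:
    """Return a parser able to start the CS.

    When `parser` is given, the CS options are merged into it, so a more
    generic CLI can own the parser and the CS only contributes its options.
    """
    if parser is None:
        parser = argparse.ArgumentParser(description='Crypto Service (CS) launcher')

    # Tier 1: parameters consumed by the CS library itself (always present).
    lib = parser.add_argument_group('library parameters')
    lib.add_argument('--connectivity', choices=['lib_cs', 'tcp'], default='lib_cs')  # assumed choices
    lib.add_argument('--host', default='127.0.0.1')
    lib.add_argument('--port', type=port_number, default=9400)
    lib.add_argument('--sig_scheme', default='ed25519')
    lib.add_argument('--debug', action='store_true')

    # Tier 2: parameters describing how the library is started on the host.
    # The CS library never sees them; only the launcher does.
    if env:
        osg = parser.add_argument_group('environment parameters')
        osg.add_argument('--conf_dir', type=Path, default=Path(conf_dir),
                         help='directory holding the CS enclave, keys and certificate')
        osg.add_argument('--sgx', action='store_true',
                         help='start the CS inside an SGX enclave (assumed flag)')
    return parser


LIB_PARAMS = ('connectivity', 'host', 'port', 'sig_scheme', 'debug')
ENV_PARAMS = ('conf_dir', 'sgx')


def split_args(ns: argparse.Namespace) -> Tuple[Dict[str, object], Dict[str, object]]:
    """Separate library parameters from environment parameters, the way
    init_from_args() keeps only the non-env, non-behavioral subset."""
    d = vars(ns)
    return ({k: d[k] for k in LIB_PARAMS if k in d},
            {k: d[k] for k in ENV_PARAMS if k in d})


def build_client_parser(env: bool = True, conf_dir: str = './') -> argparse.ArgumentParser:
    """A generic client CLI that owns the parser and lets the CS extend it."""
    parser = argparse.ArgumentParser(description='TLS client')
    parser.add_argument('--url', default='https://127.0.0.1:443')
    return build_cs_parser(env=env, conf_dir=conf_dir, parser=parser)


if __name__ == '__main__':
    ns = build_client_parser(conf_dir='/opt/cs').parse_args(['--port', '9401', '--sgx'])
    print(split_args(ns))
```

Keeping the environment options behind env=True means a library-only caller cannot accidentally receive, and act on, host-level settings such as the enclave directory; the port type check fails the parse early instead of letting an out-of-range value reach the service.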

get_template()

Generates the template.

Note that log is set to None, which redirects messages to the standard outputs. This value is chosen to avoid writing to an external file when the server runs in an SGX enclave. We should define --log_level and --log_file and force these values when SGX is enabled.

get_tls13_client()
init_from_args(args)

Takes the non-environment and non-behavioral parameters from the parsed arguments.

parse_url(url)

Initializes various parameters provided in url.

url can take the various forms:

with host being an IP address or a hostname.

We parse this manually, as urlparse does not parse properly in the absence of a scheme.
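A hand-written destination parser of the kind parse_url describes, as an added example that is not the module's own parse_url. The page does not list the accepted forms, so the ones handled here are assumptions: scheme://host:port, scheme://host, host:port, host, and a bracketed IPv6 literal such as [::1]:443. The default scheme https and port 443 are taken from the CLI's default url 'https://127.0.0.1:443'; restricting the scheme to http/https is also an assumption.

```python
# Added example; not the tls_client_conf module's own parse_url().
# Accepted forms, default scheme/port and the scheme whitelist are assumptions.
import ipaddress
import re
from typing import Dict

DEFAULT_SCHEME = 'https'
DEFAULT_PORT = 443
ALLOWED_SCHEMES = ('https', 'http')

# One DNS label: 1..63 chars of [A-Za-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')


def _port(text: str) -> int:
    if not text.isdigit():
        raise ValueError(f'invalid port: {text!r}')
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f'port out of range: {port}')
    return port


def _is_hostname(host: str) -> bool:
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.rstrip('.').split('.'))


def parse_url(url: str) -> Dict[str, object]:
    """Split url into scheme, host, port and host kind (ipv4, ipv6, hostname)."""
    url = url.strip()
    if not url:
        raise ValueError('empty url')

    # 1. Optional scheme. Split only on '://', so a bare 'host:port' is never
    #    mistaken for 'scheme:path', which is what urlparse does without a scheme.
    scheme = DEFAULT_SCHEME
    if '://' in url:
        scheme, url = url.split('://', 1)
        scheme = scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            raise ValueError(f'unsupported scheme: {scheme}')

    # 2. Only the authority matters for the client; drop any path or query.
    authority = url.split('/', 1)[0]
    if not authority:
        raise ValueError('missing host')

    # 3. Split host and port. IPv6 literals must be bracketed, otherwise the
    #    colons of the address and the port separator are ambiguous.
    port = DEFAULT_PORT
    if authority.startswith('['):
        end = authority.find(']')
        if end < 0:
            raise ValueError('unterminated IPv6 literal')
        host, rest = authority[1:end], authority[end + 1:]
        if rest:
            if not rest.startswith(':'):
                raise ValueError('unexpected text after IPv6 literal')
            port = _port(rest[1:])
        ipaddress.IPv6Address(host)  # raises ValueError on a malformed literal
        kind = 'ipv6'
    else:
        host, sep, port_text = authority.rpartition(':')
        if not sep:
            host = authority
        elif ':' in host:
            raise ValueError('unbracketed IPv6 address; use [addr]:port')
        else:
            port = _port(port_text)
        try:
            ipaddress.IPv4Address(host)
            kind = 'ipv4'
        except ValueError:
            if not _is_hostname(host):
                raise ValueError(f'invalid host: {host!r}')
            host, kind = host.lower(), 'hostname'

    return {'scheme': scheme, 'host': host, 'port': port, 'kind': kind}


if __name__ == '__main__':
    for u in ('127.0.0.1:443', 'https://example.org', 'example.org:8443/path', '[::1]:9400'):
        print(u, '->', parse_url(u))
```

Rejecting anything that is neither a valid IP literal nor a syntactically valid hostname keeps a malformed --url from being passed through to the socket layer unchanged; returning the host kind lets the caller decide whether a name needs resolving before the TLS client connects.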

class tls_client_conf.Configuration

Bases: Configuration

__init__()

Generates the client configuration.

Note that the configuration is defined inside the call so that the scope of the template remains within the class. As Python does not allow a variable to be protected, it was otherwise very difficult to make sure the template was not modified externally.

update_cs_conf()

Derives the CS configuration from the TLS client's configuration.

Note that the TLS client configuration is taken as the base to configure the CS. This means that the necessary parameters MUST be defined in the TLS client configuration. In particular, the connectivity parameters MUST be defined for the lurk_client (as part of the TLS client configuration). The connectivity type determines whether a complete CS is instantiated by the TLS client (connectivity type set to 'lib_cs') or whether the CS is configured as a separate entity (connectivity type set to any other value).

When the connectivity type is 'lib_cs', the connectivity and debug parameters of the CS are aligned with those defined for the TLS client, and for cryptographic parameters the CS MUST be configured with both a private key and a public key.

When the connectivity type is any other value, such configuration parameters are out of scope for the TLS client, and for cryptographic parameters the CS MUST be configured only with a public key. The public key is the only parameter needed: it is used to generate some internal values necessary to build the Certificate message, as well as to optimize the communication between the lurk_client and the CS.
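The derivation rule above, as an added example that is not the module's own update_cs_conf. The configuration is modelled as plain dictionaries; the key names (lurk_client.connectivity.type, debug, and a cs_crypto section holding public_key and private_key) are assumptions for the illustration, not the project's actual schema. The point it makes concrete is the asymmetry in the text: an in-process CS ('lib_cs') receives the private key and the client's connectivity and debug settings, whereas a remote CS profile carries the public key only, so the private key is never copied into a configuration that describes a separate entity.

```python
# Added example; not the tls_client_conf module's own update_cs_conf().
# Dictionary keys (lurk_client, connectivity, debug, cs_crypto, ...) are assumptions.
import copy
from typing import Any, Dict

# Key material the CS MUST have, per connectivity profile.
REQUIRED_KEYS = {
    'lib_cs': ('public_key', 'private_key'),  # full CS instantiated by the TLS client
    'remote': ('public_key',),                # CS is a separate entity
}


def cs_profile(conn_type: str) -> str:
    """'lib_cs' keeps its name; every other connectivity type is a remote CS."""
    return 'lib_cs' if conn_type == 'lib_cs' else 'remote'


def update_cs_conf(client_conf: Dict[str, Any]) -> Dict[str, Any]:
    """Derive the CS configuration from the TLS client configuration.

    Raises ValueError when a parameter the text marks as MUST is absent.
    """
    conn = client_conf.get('lurk_client', {}).get('connectivity')
    if not isinstance(conn, dict) or 'type' not in conn:
        raise ValueError('lurk_client.connectivity.type MUST be set in the tls client configuration')
    profile = cs_profile(conn['type'])

    crypto = client_conf.get('cs_crypto', {})
    missing = [k for k in REQUIRED_KEYS[profile] if not crypto.get(k)]
    if missing:
        raise ValueError(f"cs_crypto is missing {missing} for connectivity type {conn['type']!r}")

    # The public key is always needed: it feeds the Certificate message and
    # lets lurk_client shortcut exchanges with the CS.
    cs_conf: Dict[str, Any] = {'public_key': crypto['public_key']}

    if profile == 'lib_cs':
        # In-process CS: it signs, so it needs the private key, and its
        # connectivity/debug settings are copies of the client's (deep copies,
        # so later edits to one configuration cannot silently alter the other).
        cs_conf['private_key'] = crypto['private_key']
        cs_conf['connectivity'] = copy.deepcopy(conn)
        cs_conf['debug'] = copy.deepcopy(client_conf.get('debug', {}))
    # Remote CS: connectivity, debug and the private key are out of scope for
    # the TLS client, so they are deliberately not copied even if present.
    return cs_conf


if __name__ == '__main__':
    client = {
        'lurk_client': {'connectivity': {'type': 'lib_cs'}},
        'debug': {'trace_mode': True},
        'cs_crypto': {'public_key': 'pub.pem', 'private_key': 'priv.pem'},
    }
    print(update_cs_conf(client))
```

Validating the MUST parameters in the derivation function, rather than at the point of use, means a misconfigured client fails before any CS is started; the remote branch dropping the private key is the property a reviewer would want to see asserted in a test.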