adapt to occlum 0.14

shim/config/config.go

@@ -4,6 +4,10 @@ type Containerd struct {
 	Socket string `toml:"socket"`
 }
 
+type Signature struct {
+	ServerAddress string `toml:"server_address"`
+}
+
 type Occlum struct {
 	BuildImage         string `toml:"build_image"`
 	EnclaveRuntimePath string `toml:"enclave_runtime_path"`
@@ -21,5 +25,6 @@ type Config struct {
 	LogLevel       string         `toml:"log_level"`
 	SgxToolSign    string         `toml:"sgx_tool_sign"`
 	Containerd     Containerd     `toml:"containerd"`
+	Signature      Signature      `toml:"signature"`
 	EnclaveRuntime EnclaveRuntime `toml:"enclave_runtime"`
 }

shim/runtime/carrier/constants/constants.go

@@ -169,6 +169,13 @@ function buildUnsignedEnclave(){
   /bin/bash ${base_dir}/replace_occlum_image.sh ${rootfs} image
   # occlum build
   occlum build
+  if [ ! -f .occlum/build/lib/libocclum-libos.so ]; then
+    if [ -f .occlum/build/lib/libocclum-libos.so.0 ]; then
+      pushd .occlum/build/lib/
+      ln -s libocclum-libos.so.0 libocclum-libos.so
+      popd
+    fi
+  fi
   mkdir -p ${rootfs}/${work_dir} || true
   /bin/cp -fr .occlum ${rootfs}/${work_dir}
   /bin/cp -f Enclave.xml ${rootfs}/${work_dir}

shim/runtime/signature/server/api/api.go

@@ -18,11 +18,12 @@ func (s *ApiServer) installRoutes() {
 		{
 			g.POST("/pkcs1", s.pkcs1Handler)
 		}
+		r.Use(loggerHandleFunc).GET("/api/v1/publickey", s.publicKeyHandler)
 	}
 }
 
 func (s ApiServer) installHealthz() {
 	r := s.router
-	r.GET("/ping", func(c *gin.Context) { c.String(http.StatusOK, "pong") })
+	r.GET("/ping", func(c *gin.Context) { c.String(http.StatusOK, "ping") })
 	r.GET("/healthz", func(c *gin.Context) { c.String(http.StatusOK, "ok") })
 }

shim/runtime/signature/server/api/handler.go

@@ -5,8 +5,6 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
-	"crypto/x509"
-	"encoding/pem"
 	"io/ioutil"
 	"net/http"
 
@@ -37,9 +35,22 @@ func (s *ApiServer) pkcs1Handler(c *gin.Context) {
 	}
 
 	payload.Signature = string(signedBytes)
-	payload.PublicKey = string(pem.EncodeToMemory(&pem.Block{
-		Type:  "RSA PUBLIC KEY",
-		Bytes: x509.MarshalPKCS1PublicKey(s.publicKey),
-	}))
+	bytes, err := ioutil.ReadFile(s.publicKeyFilePath)
+	if err != nil {
+		glog.Errorf("failed to parse public key, public key path: %s, err:%v", s.publicKeyFilePath, err.Error())
+		c.AbortWithStatus(http.StatusInternalServerError)
+		return
+	}
+	payload.PublicKey = string(bytes)
 	c.JSON(http.StatusOK, payload)
 }
+
+func (s *ApiServer) publicKeyHandler(c *gin.Context) {
+	bytes, err := ioutil.ReadFile(s.publicKeyFilePath)
+	if err != nil {
+		glog.Errorf("failed to parse public key, public key path: %s, err:%v", s.publicKeyFilePath, err.Error())
+		c.AbortWithStatus(http.StatusInternalServerError)
+		return
+	}
+	c.JSON(http.StatusOK, string(bytes))
+}

shim/runtime/signature/server/api/server.go

@@ -10,11 +10,13 @@ import (
 )
 
 type ApiServer struct {
-	router      *gin.Engine
-	listenAddr  string
-	privateKey  *rsa.PrivateKey
-	publicKey   *rsa.PublicKey
-	certificate *x509.Certificate
+	router             *gin.Engine
+	listenAddr         string
+	privateKey         *rsa.PrivateKey
+	publicKey          *rsa.PublicKey
+	certificate        *x509.Certificate
+	publicKeyFilePath  string
+	privateKeyFilePath string
 }
 
 func NewApiServer(listenAddr string, conf *conf.Config) (*ApiServer, error) {
@@ -27,10 +29,12 @@ func NewApiServer(listenAddr string, conf *conf.Config) (*ApiServer, error) {
 		return nil, err
 	}
 	s := &ApiServer{
-		router:     gin.Default(),
-		listenAddr: listenAddr,
-		privateKey: privateKey,
-		publicKey:  publicKey,
+		router:             gin.Default(),
+		listenAddr:         listenAddr,
+		privateKey:         privateKey,
+		publicKey:          publicKey,
+		publicKeyFilePath:  conf.PublicKeyPath,
+		privateKeyFilePath: conf.PrivateKeyPath,
 	}
 	s.installRoutes()
 	return s, nil

shim/runtime/v2/rune/v2/rune.go

 package v2
 
 import (
+	"fmt"
 	"io/ioutil"
 	"net/url"
 	"os"
@@ -8,12 +9,13 @@ import (
 	"path"
 	"path/filepath"
 
-	"github.com/alibaba/inclavare-containers/shim/runtime/config"
-
+	"github.com/BurntSushi/toml"
+	shim_config "github.com/alibaba/inclavare-containers/shim/config"
 	"github.com/alibaba/inclavare-containers/shim/runtime/carrier"
 	emptycarrier "github.com/alibaba/inclavare-containers/shim/runtime/carrier/empty"
 	"github.com/alibaba/inclavare-containers/shim/runtime/carrier/graphene"
 	"github.com/alibaba/inclavare-containers/shim/runtime/carrier/occlum"
+	"github.com/alibaba/inclavare-containers/shim/runtime/config"
 	signclient "github.com/alibaba/inclavare-containers/shim/runtime/signature/client"
 	"github.com/alibaba/inclavare-containers/shim/runtime/v2/rune"
 	"github.com/alibaba/inclavare-containers/shim/runtime/v2/rune/constants"
@@ -86,19 +88,32 @@ func (s *service) carrierMain(req *taskAPI.CreateTaskRequest) (carrier.Carrier,
 	var signatureFile string
 	if carrierKind != rune.Empty {
 		//TODO: Retry on failture.
-		/*publicKey, signature, err := remoteSign("https://10.0.8.126:8443/api/v1/signature", commonArgs.Enclave)
-		defer os.RemoveAll(path.Dir(publicKey))*/
-		//FIXME mock signature
+		var cfg shim_config.Config
+		var publicKey, signature string
+		if _, err := toml.DecodeFile(constants.ConfigurationPath, &cfg); err != nil {
+			return carr, err
+		}
 		materialRealPath := signingMaterial
 		if carrierKind == rune.Occlum {
 			materialRealPath = filepath.Join(req.Bundle, signingMaterial)
 		}
-		publicKey, signature, err := mockSign(materialRealPath)
-		if err != nil {
-			logrus.Errorf("carrierMain: mock sign failed. error: %++v", err)
-			return carr, err
+		if cfg.Signature.ServerAddress == "" {
+			publicKey, signature, err = mockSign(materialRealPath)
+			if err != nil {
+				logrus.Errorf("carrierMain: mock sign failed. error: %++v", err)
+				return carr, err
+			}
+			defer os.RemoveAll(path.Dir(publicKey))
+		} else {
+			publicKey, signature, err = remoteSign(fmt.Sprintf("%s/api/v1/signature",
+				cfg.Signature.ServerAddress), materialRealPath)
+			if err != nil {
+				logrus.Errorf("carrierMain: get signature failed. server address: %s. error: %++v",
+					cfg.Signature.ServerAddress, err)
+				return carr, err
+			}
+			defer os.RemoveAll(path.Dir(publicKey))
 		}
-		defer os.RemoveAll(path.Dir(publicKey))
 		commonArgs.Key = publicKey
 		signatureFile = signature
 	}